Monday, October 30, 2006

maybe I should've stayed in bed

Within the past hour I have managed to:

1. forget that my laptop case was sitting on the trunk of the car
2. run over the laptop with the car, after it fell off
3. lock the keys in the car while cussing about the laptop
4. ... with the lights on

EDIT: the laptop was not actually hit by the wheels of the car; the car's body passed harmlessly over it. The laptop is being used to write this update.

Thursday, October 26, 2006 Why SiteKey Can't Save You

Saturday, October 21, 2006

half time report

You know I don't often watch football, not even Alabama football. But today is one of those days when I think even I am being sucked in, owing to:

1. grilling
2. having earlier today thrown a party for 2-year-olds, which leads to..
3. drinking
4. the presence of my father

Wednesday, October 18, 2006

Web Application Security Mailing Lists 101

The web application security "community" has always been based primarily on email interaction. Right now, the somewhat annoying situation exists that there is no one "main" mailing list that you can just join, there are several. The only way to get as many experts as possible to read your emails, is to cross-post.

This is the original web application security list. It is so old that it was originally called "mobile code" because it predates any of the modern terminology of web applications. This is the place where OWASP was incubated. Unfortunately, in recent years the list has suffered from long posting delays (due to inconsistent moderation), and tons and tons of crap bouncing back at your every time you post, and alleged lack of responsiveness on the part of the hosting company.

Started in 2005, and took some of momentum and users away from the first list. Smart people almost immediately subscribed to both lists.
subscribe using web form:

This is the newest list, and is the result of OWASP finally getting fed up with the problems with the old list, and creating their own. So now you need to subscribe to THREE lists.

your local OWASP chapter

You probably also want to join the mailing list for your local OWASP chapter, assuming you have one in your city. All of them are listed here:

What if Clippy came to PHP?


Saturday, October 14, 2006

The Advertising Artwork of Dr. Seuss

This is the kind of website which, when you run across it, makes you glad the WWW exists.

Thursday, October 12, 2006

i am a lucky man

Yesterday, I left a laptop bag, containing a laptop, sitting on the trunk of my car, in plain view of the street, unattended, for about an hour, and no one stole it.

This morning, I discover my house and car keys in the lock of the front door of my house. Outside, also in plain view of the street. They'd been there all night. And no one used them to either break into my house, or steal my car.

Saturday, October 07, 2006


I just saw the 1978 movie "FM". Other than being like a 2-hour episode of WKRP, the most striking thing about this movie is how similar the soundtrack is to certain current radio stations.

I don't mean the same styles of music, I mean the exact same songs. Right now, in 2006, in Atlanta, at least three radio stations could be playing any of the songs from this movie. Probably at least two stations are playing the same one of these songs at the same time.

The kids of today should defend themselves against the seventies.

Friday, October 06, 2006

ESR on password encryption in fetchmail

A Few More Lessons from Fetchmail:
Another lesson is about security by obscurity. Some fetchmail users asked me to change the software to store passwords encrypted in the rc file, so snoopers wouldn't be able to casually see them.

I didn't do it, because this doesn't actually add protection. Anyone who's acquired permissions to read your rc file will be able to run fetchmail as you anyway—and if it's your password they're after, they'd be able to rip the necessary decoder out of the fetchmail code itself to get it.

All .fetchmailrc password encryption would have done is give a false sense of security to people who don't think very hard.

Thursday, October 05, 2006

todo: read every post in this blog's archives

Design patterns of 1972

Patterns are signs of weakness in programming languages.

When we identify and document one, that should not be the end of the story. Rather, we should have the long-term goal of trying to understand how to improve the language so that the pattern becomes invisible or unnecessary.

See also: this.

Tuesday, October 03, 2006

to do list for today..

1. write scathing email
2. wait for the screams

Monday, October 02, 2006

what does it say about my workplace..

..That I can actually download the JDK from Sun's website over my home cable modem connection faster (and not just a little bit faster, either) than I can copy the same file from a file server at work?