Tuesday, May 30, 2006
Curiosity is bliss: Cross-domain AJAX using Flash
Why does Flash allow this? Doesn't this pretty much blow a hole in browser security? One more reason I'm glad I have this stuff blocked.
EDIT: it appears this isn't nearly as bad as it looks, because of the requirement to use crossdomain.xml files on the server-side.
It still seems like you could write some sort of port-scanning flash movie that can tell whether a request failed because of lack of crossdomain.xml or because of a host/port not responding. Maybe by timing how long it takes for it to fail? I don't know enough about flash to know how to try it.
EDIT: it appears this isn't nearly as bad as it looks, because of the requirement to use crossdomain.xml files on the server-side.
It still seems like you could write some sort of port-scanning flash movie that can tell whether a request failed because of lack of crossdomain.xml or because of a host/port not responding. Maybe by timing how long it takes for it to fail? I don't know enough about flash to know how to try it.
Belgian radio rocks..
I think last night I heard the original Spooky Tooth version of "Better By You", probably more infamous as the Judas Priest cover version that was involved in one of the first "backward masking causes suicide" cases.
Meanwhile, somebody help me figure out what song starts with lyrics something like this:
my mama told me
when I was young
"cry in the night until
you wake up the sun!"
Meanwhile, somebody help me figure out what song starts with lyrics something like this:
my mama told me
when I was young
"cry in the night until
you wake up the sun!"
unexpected Google suckage
Google apparently decides which language to display based on your IP address, ignoring the Accept-language header.
Yes, btw, I am in Belgium.
Yes, btw, I am in Belgium.
Friday, May 26, 2006
My life as a Code Economist
every good software company ships products with known bugs
Every time you fix a bug, you risk introducing another one.
Every code change is a risk. A development cycle that doesn't recognize this will churn indefinitely and never create a shippable product. At some point, if the product is ever going to converge toward a release, you have to start deciding which bugs aren't going to get fixed.
Wednesday, May 24, 2006
Cornish Hurling - Wikipedia
The game involves a physical battle on the streets, between two teams of "Townsmen" and "Countrymen", with the shops in the town barricading their windows and doors to protect from accidental damage, which sometimes occurs.
Tuesday, May 23, 2006
Any Officer Who Goes Into Action Without His Sword is Improperly Dressed
Once again, Damned Interesting!
See also:
http://en.wikipedia.org/wiki/Jack_Churchill
http://www.wwiihistorymagazine.com/2005/july/col-profiles.html
See also:
http://en.wikipedia.org/wiki/Jack_Churchill
http://www.wwiihistorymagazine.com/2005/july/col-profiles.html
Damn Interesting ? Flying Rams
Via Digg.com. This is, in fact, damn interesting.
insert bileblog-like insult here
We are constantly bombarded with announcements about solutions that free the developers of web applications from writing basic "CRUD".
It's not that these kinds of things aren't good or needed, it's just embarrassing to watch the world of web apps catch up to an idea whose time had come 20 years ago.
Isn't this all the same damn thing that PC "database" products (which didn't even support SQL yet) could all do back in the 80's? (And, IIRC, certain mainframe-based environments even before that?)
Considering that at least some of the people inventing this stuff are old enough to remember that era, I can only assume that people have selective memories. Or that back they were too busy fighting the Unix Wars or playing Rogue to pay attention to anything as dull as business applications.
Let me refresh you: before 1990, there were a number of "database" products that allowed the ordinary business user (user, not programmer) to create his own tables to hold his data, specify the format (number, text, etc) for that data, graphically create screens which can be used to edit that data, create and print any number of different reports based on the data, etc. And all without writing a line of "code".
The most well-known surviving modern example from this category is of course Microsoft Access, but its a cruddy (heh) example, as it is actually harder and requires more programming skills to use than its competitors. Mac users may be familiar with FileMaker Pro, which I've never used but which was supposed to have been utopia at some point. There were others. I remember using the database component of a software suite called "Eight in One", that was exactly like what I described above.
And people ate up these kinds of applications. The thing that killed them was the fact that they were desktop-based solutions in the age the Internet. And the fact that they were all proprietary.
It's taken the web world approximately 1991 until now to catch up. Why are we all so proud of this fact?
It's not that these kinds of things aren't good or needed, it's just embarrassing to watch the world of web apps catch up to an idea whose time had come 20 years ago.
Isn't this all the same damn thing that PC "database" products (which didn't even support SQL yet) could all do back in the 80's? (And, IIRC, certain mainframe-based environments even before that?)
Considering that at least some of the people inventing this stuff are old enough to remember that era, I can only assume that people have selective memories. Or that back they were too busy fighting the Unix Wars or playing Rogue to pay attention to anything as dull as business applications.
Let me refresh you: before 1990, there were a number of "database" products that allowed the ordinary business user (user, not programmer) to create his own tables to hold his data, specify the format (number, text, etc) for that data, graphically create screens which can be used to edit that data, create and print any number of different reports based on the data, etc. And all without writing a line of "code".
The most well-known surviving modern example from this category is of course Microsoft Access, but its a cruddy (heh) example, as it is actually harder and requires more programming skills to use than its competitors. Mac users may be familiar with FileMaker Pro, which I've never used but which was supposed to have been utopia at some point. There were others. I remember using the database component of a software suite called "Eight in One", that was exactly like what I described above.
And people ate up these kinds of applications. The thing that killed them was the fact that they were desktop-based solutions in the age the Internet. And the fact that they were all proprietary.
It's taken the web world approximately 1991 until now to catch up. Why are we all so proud of this fact?
Geertjan's Weblog : Weblog
Part 1
Part 2
Dude, man.
Significant rant coming soon.
Part 2
NetBeans IDE 5.5 will totally redefine the word "productivity". I mean, forget wimpy little bits of code, pretty little samples, and obsequious hints and suggestions. Think big. How big? Well, how big can you think? That's how big, plus a little bit of extra bigness added on top.
Dude, man.
Significant rant coming soon.
The BigBook Technique
After failing to win several arguments on this point, the engineers became exasperated and decided to hold an intervention with the CEO. They each bought a copy of Brooks' book, brought the CEO into a conference room, and stacked up the copies of the book, telling him, It is extremely urgent that you read this book. We've bought you many copies so that you might read it faster. They made their point.
A Modular Approach to Data Validation in Web Applications
I haven't actually read the article yet. It might be interesting, might not. But I do take umbrage at the first sentence of this posting:
Validation (or the lack thereof) is not the root cause of these vulnerabilities. XSS and SQL injection are, by definition, all about confusion. Confusing code with data, and vice versa. Validation is one (of several) ways to deal with the problem, and in some cases it is the best. But to say it is the root cause of the issue is a mistake.
EDIT: oh, wait this is that same paper that was beat to death on webappsec. The actual PDF doesn't make the same simple (but wrong) statements as the TSS story. It's actually one of the better brief explanations of validation concerns that I have ever read. I still do not, however, share the author's opinion that sanitizing data is a subclass of validation, and I think that lumping them together will confuse the ignorant.
Of course, one of the replies neatly sums up the whole thing, so there is no need to really even read the PDF:
- handle simple input validation (string, number, length etc.) when input enters your system, either from the user or a subsystem
- Never massage input to make it valid - throw away and give an error message
- Handle domain specific input validation in your domain objects as this is domain knowledge
- Handle meta characters when data is leaving your system
Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications, such as Cross Site Scripting and SQL Injection
Validation (or the lack thereof) is not the root cause of these vulnerabilities. XSS and SQL injection are, by definition, all about confusion. Confusing code with data, and vice versa. Validation is one (of several) ways to deal with the problem, and in some cases it is the best. But to say it is the root cause of the issue is a mistake.
EDIT: oh, wait this is that same paper that was beat to death on webappsec. The actual PDF doesn't make the same simple (but wrong) statements as the TSS story. It's actually one of the better brief explanations of validation concerns that I have ever read. I still do not, however, share the author's opinion that sanitizing data is a subclass of validation, and I think that lumping them together will confuse the ignorant.
Of course, one of the replies neatly sums up the whole thing, so there is no need to really even read the PDF:
- handle simple input validation (string, number, length etc.) when input enters your system, either from the user or a subsystem
- Never massage input to make it valid - throw away and give an error message
- Handle domain specific input validation in your domain objects as this is domain knowledge
- Handle meta characters when data is leaving your system
Oracle Regular Expressions
What the title says.
Sunday, May 21, 2006
Will Continuations continue?
A couple of weeks ago I was embroiled in a rather passionate argument about the relevance of continuation-based web servers at an academic retreat at Dagstuhl, Germany. This is an opportunity for me to write down my thoughts on that topic, as the two are closely linked.
Friday, May 19, 2006
Using Aspect-oriented Software Development
Any blog post this long, and with this mich UML in it, has got to be worth reading at some point... maybe.
FOOM!
Choosing passwords to remind you of things you need to be reminded of.
I particularly like "doittoheronemoretime".
Example password/phrases of this kind include "dontstopwriting", "keepstudying", "doittoheronemoretime" and "donteatchocolate".
I particularly like "doittoheronemoretime".
Thursday, May 18, 2006
NetBeans house cleaning
Yesterday I had all of the following versions of NetBeans installed:
3.6
4.0 beta
4.0 final
4.1
5.0 developer build
5.0 final
I have just uninstalled all of them except for the last. I guess it's a good thing that unlike most software from Microsoft, most open source programs (and almost anything written in Java) are happy to have more than one version installed on the same computer. On the other hand, it can contribute to cruftification if you're not careful.
3.6
4.0 beta
4.0 final
4.1
5.0 developer build
5.0 final
I have just uninstalled all of them except for the last. I guess it's a good thing that unlike most software from Microsoft, most open source programs (and almost anything written in Java) are happy to have more than one version installed on the same computer. On the other hand, it can contribute to cruftification if you're not careful.
Wednesday, May 17, 2006
Google Web Toolkit - Build AJAX apps in the Java language
Yeah, there are lots of AJAX toolkits out there, none of which I've tried. But this one is from Google. The folks who made AJAX hot.
Evan Summers's Blog: Swing trumps Ajax and Web 2.0
The author warns at the start that text in italics is off-topic. Note that most of the article is in italics.
cajo: The cajo Project
I am still not exactly sure what this project does, but I like this sentence:
"Best of all, this framework is 100% pure Java: i.e. it requires no Bloody XML, and no Silly Annotations!"
"Best of all, this framework is 100% pure Java: i.e. it requires no Bloody XML, and no Silly Annotations!"
Electro Empire - Home of --<=ELECTRO FUNK=>---
Apropos of nothing... just like everything else on this blog.
Stuck in my head: "B Girls" by Young & Restless (with Eric G.)
Stuck in my head: "B Girls" by Young & Restless (with Eric G.)
Jittery Joe’s Coffee
Is this place named after the one Marge visited in 1F03?
ThinkGeek :: Buzzaire - Metered Dose Caffeine Inhaler
Yes, this is really what it looks like. A device just like an asthma inhaler, only instead of delivering asthma medicine, it delivers caffeine.
Energy Fiend - The Caffeine Database
Sortable by name, ounces, caffeine, and caffeine per ounce.
Notice how much stronger Starbuck's coffee is than the generic coffee. "I can see why his is so popular"
Notice how much stronger Starbuck's coffee is than the generic coffee. "I can see why his is so popular"
Monday, May 15, 2006
CREEM ONLINE: Stooges — Of Pop And Pies And Fun
This is probably about the fifth time I've tried to read this particular "classic" or rock criticism, and I don't believe I've ever made it through to the end. I don't even think this is the first time I've blogged it.
CREEM ONLINE: Creem Archive
wow.
somesongs [song info: Fat Bird (One Night in Heaven)]
Ah, big songs about big women.
Seeking Scalable Web Authentication
Haven't read this yet, so I don't know if it is any good.
Friday, May 12, 2006
The Censored Cartoons Page
My daughter just got her accidental first taste of golden age cartoons, in the form of a DVD of 1940s-50s Mickey Mouse and Pluto cartoons mistakenly shipped to use by NetFlix.
Four years of efforts by me, mama, and the rest of society to feed our kids on a diet consisting solely of safe, educational TV just went out the window.
These Disney shorts are, of course, still pretty tame. I now have to figure out what age to introduce her to the real hard stuff, like Tex Avery.
Four years of efforts by me, mama, and the rest of society to feed our kids on a diet consisting solely of safe, educational TV just went out the window.
These Disney shorts are, of course, still pretty tame. I now have to figure out what age to introduce her to the real hard stuff, like Tex Avery.
Wither Those Tiers
This looks interesting but I haven't had enough coffee yet to read it.
Wednesday, May 10, 2006
Architectural Styles and the Design of Network-based Software Architectures
This is the HTML edition of "the" REST paper.
Tuesday, May 09, 2006
the word of the day..
"mouthfeel"
Beer Judge Certification Program (BJCP)
I suggest that we all pursue this certification rather than SCJP.
Raganwald: I'll take Static Typing for $800, Alex.
Here's my question to my fellow Java programmers: why do we tolerate a compiler that forces us to type some things as BigDecimals and some things as Integers, but we don't insist that the compiler catch places where we aren't checking for nulls?
Why do we resist the idea that programming might be hard
A List Apart: Articles: Calling All Designers: Learn to Write!
This is not just marketing text (though it’s that, too). It’s interface. This is text that can’t come from the PR department—it comes from us, the designers who are responsible for the user experience. The text is as much a part of the UI as the colors, the pixels, the stuff that designers are usually concerned with. Perhaps more.
It rather involved being on the other side of this airtight hatchway
keyword: security
Monday, May 08, 2006
any sufficiently technical email..
... is indistinguishable from non-sense SPAM.
Specifically, the strings of random words that spammers through together to evade filters.
Proof: I got a (non-spam) email entitled Normal Horde Probes and Strange Ones
Specifically, the strings of random words that spammers through together to evade filters.
Proof: I got a (non-spam) email entitled Normal Horde Probes and Strange Ones
Friday, May 05, 2006
what happened to April?
Did I really not blog anything during the whole month of April?
Chansons
The design of this blog is cool. I have no idea who this is, or if the CSS was designed by someone else, or what. Whoever this person is, her life appears to be going well, so good for her. But I just like the design.
Generics gotchas
By the "Hoskinator". Good links.
Thursday, May 04, 2006
Full-up Google choking on web spam? | The Register
from digg
Session Timeout Issue of an AJAX Driven Page
So what happens when the user session times out?
On the bogusness of reporting the winning word in a spelling bee
Nobody misspelled the winning word, so how hard can it be?
Schneier on Security: Man Sues Compaq for False Advertising
"Convicted felon Michael Crooker is suing Compaq (now HP) for false advertising. He bought a computer promised to be secure, but the FBI got his data anyway"
Slashdot | Classic Star Wars Trilogy Finally on DVD.
This is too good, to too many folks, to be true. It has to be some kind of a hoax, right?
Whizlabs: SCJP 5.0 Preparation Article
"Power your way to success"
Evan Summers's Blog: Explicit Reflection
Using strings to refer to instances and methods is "fragile" eg. not refactoring-safe" (or "exception-safe") and is not readily "toolable" in the sense that it does not enjoy auto-completion and error-highlighting in IDE's.
Wednesday, May 03, 2006
Hollywood's Take on the Net
Hollywood's Take on the Internet Often Favors Fun Over Facts
The Good and Bad in Email
The TAGRI (They Aren't? Gonna Read It) Principle of Software Development
"The basic idea is that very little of the documentation which gets created during software development actually gets read by the actual target audience."
Tuesday, May 02, 2006
Bum Wines
"Call them bum wines, street wines, fortified wines, wino wines, or twist-cap wines. Whatever you call these beverages for the economical drunkard, this page explores the top five."
Rwal Life Super Mario
I suspect everyone else has already seen this, but I'm playing catch-up with most of the internet right now.
Eitan Suez's Blog: MVC without leaks implies generic VC
See, over time, everyone eventually gets to be as smart as me.
GUI is plumbing
The Bosnia-Atlantis Connection
I think we heard about this on "Coast to Coast".
