If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserve success. Go buy this book.
Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.
I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field.
The structure flows pretty well, building upon what you’ve already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride.
Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.
It’s quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman, the great “Obi-Wan”, and pdp “Lord Vader” to represent the “light” and “dark” sides that are The Force behind the power wielded by Ajax.
The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view JavaScript malware, tri...
Is this the right way to get persistent storage in EC2?
FuseOverAmazon
FUSE filesystem backed by Amazon S3
Overview
s3fs is a FUSE filesystem that allows you to mount an Amazon S3 bucket as a local filesystem. It stores files "natively" in S3 (i.e., you can use other programs to access the same files). Maximum file size = 5G.
It's quite useful and stable; for example, it can be used to easily copy daily backup tarballs to S3.
To use it:
1. Get an Amazon S3 account!
2. Download the source, compile it (I've used fc5/ppc and f7/i386), and put the binary in, say, /usr/bin/s3fs.
3. Do this:
Alberto Santos-Dumont - Wikipedia, the free encyclopedia
Topic: Technology
9:30 am EST, Nov 30, 2007
Between 1898 and 1905, he built and flew 11 dirigibles. With air traffic control restrictions still decades in the future, he would glide along Paris boulevards at rooftop level in one of his airships, commonly landing in front of a fashionable outdoor cafe for lunch. On one occasion he even flew an airship early one morning to his own apartment at No. 9, Rue Washington, just off Avenue des Champs-Elysees, not far from the Arc de Triomphe.
Robot Boats Hunt Pirates - Navy - Unmanned Surface Vessels - Protector - Popular Mechanics
Topic: Technology
9:21 am EDT, Nov 1, 2007
The Protector, which comes mounted with a 7.62mm machine gun, wasn’t originally intended for anti-piracy operations. But according to BAE Systems spokesperson Stephanie Moncada, the robot could easily fill that role. “Down the line, it could potentially be modified for commercial use as well,” she says. Instead of being deployed by a warship to intercept and possibly fire on an incoming vessel, a non-lethal variant of the Protector could be used to simply investigate a potential threat.
WHOIS Redux: Demand Privacy in Domain Name Registration
Topic: Technology
2:58 pm EDT, Oct 31, 2007
By Wendy Seltzer
Doc’s post and the impending comments deadline for the next iteration of ICANN’s never-ending WHOIS saga finally pushed me to write up my thoughts on the latest iteration of ICANN debate.
It's interesting that this has cropped up again. It seems that European and Canadian privacy laws have begun to have an impact on the cabal of intellectual property interests and assorted supporting elements who aren't thinking hard enough about the issue who together have foisted Whois requirements on the Internet. I have written extensively and perhaps angrily about this issue in the past. I'm less concerned about the issue than I was in the past because the proxy services exist, and the need to handle subpoenas does provide some economic justification for them. However, there are better ways to handle this problem by far, and what's frustrating to me is the sheer amount of technical and situational ignorance that has been exhibited by people participating in this debate. I have never read an argument for the policies that exist that didn't fall to very simple critical thinking, and yet so many people insist on holding on to these deeply authoritarian ideas.
Forward 40: What Became of the LOGO Programming Language? on Wired Science
Topic: Technology
5:31 pm EDT, Oct 17, 2007
While I sat at my desk one day, two of my classmates figured out how to overwrite the entire screen, which seemed kinda naughty at the time. They giggled, did it again, then giggled some more. From curious children, hackers were born.
PhreakNIC Technology and Hacker Culture Convention
Topic: Technology
3:09 pm EDT, Oct 14, 2007
PhreakNIC 0x0b
PhreakNIC is an annual gathering in Nashville, TN, for hackers, makers, security professionals, and general technology enthusiasts. Hours upon hours of both informative and entertaining presentations are given by volunteers and many areas are set up with the intent of encouraging socialization. In our 11th year, we are now the longest running non-commercial hacker convention in the United States.* PhreakNIC is organized by the Nashville 2600 Organization, which is a 501(c)(3) tax-deductible charity. However, it takes many resources to organize, and help is given to PhreakNIC by other 2600 groups in the Southeast United States, as well as the Nashville Linux Users Group. Our thanks go out to all who contribute.
School: Did you really name your son Robert'); Drop Table Students;--?
Mom: Oh. Yes. Little Bobby Tables we call him.
School: Well, we've lost this year's student records. I hope you're happy.
Mom: And I hope you've learned to sanitize your database inputs.
HAHAHA! Sweet.
To be fair, you shouldn't sanitize user input, you should validate it.
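The injection from the comic above, run both the school's way and the fixed way, as an added example that is not part of the original thread; it uses Python's built-in sqlite3 module with an in-memory database constructed here, and the `is_valid_name` rule is an assumed, illustrative validator for the point the last comment makes:

```python
import sqlite3

# Constructed sample input: the name from the comic above.
BOBBY = "Robert'); Drop Table Students;--"

def fresh_db():
    """In-memory database with a Students table holding one existing row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT NOT NULL)")
    conn.execute("INSERT INTO Students (name) VALUES ('Alice')")
    conn.commit()
    return conn

def table_exists(conn, table):
    """True if a table of that name still exists in the database."""
    sql = "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?"
    return conn.execute(sql, (table,)).fetchone() is not None

def add_student_unsafe(conn, name):
    """The school's mistake: the name is glued into the SQL text, so the quote
    and semicolon in it end the INSERT and start a second statement.
    executescript() runs every statement in the string, as many drivers do."""
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")

def add_student_safe(conn, name):
    """Parameterised query: the driver passes the name as a value, never as
    SQL, so the same input is stored literally and cannot drop anything."""
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))
    conn.commit()

def is_valid_name(name):
    """Validation, as the last comment above suggests: accept only characters
    a name can contain. A second layer; parameters remain the real fix."""
    return 0 < len(name) <= 100 and all(c.isalpha() or c in " '-" for c in name)

def demo():
    """Run Bobby's name through both paths and report what happened."""
    unsafe, safe = fresh_db(), fresh_db()
    add_student_unsafe(unsafe, BOBBY)
    add_student_safe(safe, BOBBY)
    stored = safe.execute("SELECT COUNT(*) FROM Students WHERE name = ?",
                          (BOBBY,)).fetchone()[0]
    return {
        "unsafe_table_survives": table_exists(unsafe, "Students"),
        "safe_table_survives": table_exists(safe, "Students"),
        "safe_stored_literally": stored == 1,
        "bobby_passes_validation": is_valid_name(BOBBY),
    }
```

Note that a name like O'Brien passes the validator and is still stored safely by the parameterised path; the apostrophe only matters when SQL is built by concatenation.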
Good News, Bad News about Facebook Application Market: Long Tail Rules
Topic: Technology
1:30 pm EDT, Oct 8, 2007
My team at O'Reilly Research has been crunching the numbers on the rise of Facebook as application platform, and we've released a new report today, entitled simply The Facebook Application Platform.
The good news has already been widely disseminated: there are nearly 5000 Facebook applications, and the top applications have tens of millions of installs and millions of active users. The bad news, alas, is in our report: 87% of the usage goes to only 84 applications!