If you are writing or reviewing Ajax code, you need this book. Billy and Bryan have done a stellar job in a nascent area of our field, and deserves success. Go buy this book.
Is it just a re-hash of old presentations? No. The book breaks some new ground, and fills in a lot of the blanks in all of our presentations and demos. I hadn’t heard of some of these attacks in book form before. The examples improved my knowledge of DOM and other injections considerably, so there’s something there for the advanced folks as well as the newbies.
I really liked the easy, laid back writing style. Billy and Bryan’s text is straightforward and easy to understand. They get across the concepts in a relatively new area of our field.
The structure flows pretty well, building upon what you’ve already learnt ... there is advanced stuff, but the authors have to bring the newbie audience along for the ride.
Billy and Bryan spend a bit of time repeating the old hoary “no new attacks in Ajax” meme which is big with the popular kids (mainly because their products can’t detect or scan Ajax code yet and still want money from you), and then spend the rest of the book debunking their own propaganda with a wonderful panache that beats the meme into a bloody pulp and buries it for all time.
It’s quite possible that many Star Wars Ajax security fans will be calling Billy Hoffman, the great “Obi-Wan”, and pdp “Lord Vader” to represent the “light” and “dark” sides that is The Force behind the power wielded by Ajax.
The book, Ajax Security, covered a lot of new material that hadn’t been seen or talked about in the press or the security industry. The authors introduced Ajax security topics with ease and provided greater understanding of how to view Javascript malware, tri... [ Read More (0.2k in body) ]
School: Did you really name your son Robert'); Drop Table Students;--? Mom: Oh. Yes. Little Bobby Tables we call him School: Well, we've lost this year's student records. I hope your happy. Mom: and I hope you've learned to sanitize your database inputs.
HAHAHA! Sweet.
To be fair, you shouldn't sanitize user input, you should validate it.
SCO Chariman wants Congress to make port 80 porn-free
Topic: Technology
3:29 pm EDT, Mar 16, 2007
The governor of Utah signed a nonbinding resolution on Tuesday that calls on the US Congress to do something about the rising tide of Internet pornography, preferably using technology to stick it in a ghetto where those who don't want to see it don't have to do so. The resolution, which passed both houses of the Utah legislature, was backed by CP80 ("Clean port 80"), a group founded and headed by Ralph Yarro. CP80's plan to cleanse the Internet isn't the only controversy that Yarro's involved in, though; he also happens to chair the board of directors for SCO.
OK, its official. SCO doesn't just hate linux. They hate the entire Internet.
"The Internet is not a force of nature, it's a man-made creation. It can be changed and evolved to better serve us all," said Yarro in a statement after the signing of the resolution. "There is no reason why we should tolerate an Internet that allows children to easily access pornography."
Someone has been reading Lessig... And getting exactly the wrong point. What, exactly, is the problem with filtering software?
CP80's solution would apply to the US only, of course, and their plan for dealing with international pornographers (who are unlikely to move to another port dictated by the US) is a simple but draconian one: consumers would ask ISPs to "simply block all IP addresses originating from a non-compliant country." Problem solved!
Instead of clamoring for legislation that forces anyone who says the word fuck to move to a different TCP port why don't they just ask pornographers to include an HTML meta tag on their pages. Not authoritarian enough? Doesn't generate revenue for our financial backers by creating a government mandated market for their software systems? Its just not any fun if its Constitutional? Sure, you won't get 100% compliance, but you're not going to get that anyway.
The Internet Community Port Act (ICPA) protects your right to publish, view AND block content deemed inappropriate to minors - a choice that you do not have on the Internet today.
You can install Internet filtering software.
ICPA supports the use of widely accepted social and legal standards, such as MPAA, RIAA, ESRP, FCC, the legal definitions for obscenity, indecency and harmful to minors, or any other community-defined standards.
In other words, anyone who says the word fuck would have to move to a different TCP port. Its very important that children don't hear the word fuck, because it harms them developmentally, as opposed to the word shucks, which is just a word. Did I mention that Unicorns are real?
Categorization Is Not Censorship
If categorization were censorship then phone books, libraries, street signs and all oth... [ Read More (0.2k in body) ]
The Amazon Elastic Compute Cloud (Amazon EC2) web service provides you with the ability to execute your applications in Amazon's computing environment.
To use Amazon EC2 you simply:
1. Create an Amazon Machine Image (AMI) containing all your software, including your operating system and associated configuration settings, applications, libraries, etc. Think of this as zipping up the contents of your hard drive. We provide all the necessary tools to create and package your AMI.
2. Upload this AMI to the Amazon S3 (Amazon Simple Storage Service) service. This gives us reliable, secure access to your AMI.
3. Register your AMI with Amazon EC2. This allows us to verify that your AMI has been uploaded correctly and to allocate a unique identifier for it.
4. Use this AMI ID and the Amazon EC2 web service APIs to run, monitor, and terminate as many instances of this AMI as required. Currently, we provide command line tools and Java libraries, and you may also directly access our SOAP or Query based APIs.
We're looking at moving MemeStreams into this. The biggest challenge is that if your instance shuts down for some reason you loose all of your data.
The first peak in Apple's stock price (approx 1:45 EST, or 10:45 PST) was at the tail end of Steve Job's demoing the phone. He then goes on to talk about the busniess side (the price, exclusive with Cingular, etc) as well as the target 1% market share goal and the share price drops a little.
It's like watching a sing-a-song, only with lots of money!
Ladies and gentlemen, the Internet has left the building...
Topic: Technology
2:37 pm EST, Jan 4, 2007
RSnake is a fucking genius. Using a file:/// URL pointed at the manual PDF installed with Acrobat, you can execute JavaScript in the local zone. Oh yeah, local file access, program execution, completely uncrippled XmlHttpRequest.
Acidus wrote: There is a flaw in Abode’s Acrobat reader plugin which allows JavaScript to execute. This flaws means ever website that contains a PDF file has a de facto Cross Site Scripting (XSS) vulnerability.
Acidus does a good job of putting this latest PDF vuln in perspective.
Within months of the government-run "Association of Kazakh IT Companies" getting control of Kazakhstan's internet domain, it shut down the website of British comic Sacha Baron Cohen (best known as Ali G). The site at www.borat.kz featured another of Cohen's comic creations, Borat Sagdiyev, a Kazakh journalist. It was removed from the Internet.
Why? The president of the organisation said it was so the comic "can't bad-mouth Kazakhstan under the .kz domain name". If you want an example of government-owned and run censorship on the internet, you'll be hard pushed to find a clearer example.
In principal I think governments should control their ccTLDs, but this is what happens. I think Kazakhstan is in the wrong, but its to be expected.
Linked in this story is another story about Iraq's ccTLD that is interesting. The previous owners of the domain were sent to prison for selling computer parts through a broker to Lybia and Syria. They really got nailed because one of their investors was Musa Marzuq, who is connected with Hamas. The U.S. alleges that this computer company was intended as a funding source for Hamas. Google provides a thick and interesting web here. The Council on American Islamic Relations called the convictions unfair, but there seems to be a number of direct links between them and the computer company. The people running the company also seem to have been connected to charities that were funnelling money to terrorist organizations.
Check this bio of one of the company's founders. A well educated technology guy who has been in the US for decades. Someone you could imagine doing business with... And apparently his business paid someone who planned terrorist attacks in Israel!
It is amazing and troubling to ponder how deeply integrated some of these people are into our society. Did this guy know about all of the activities of the charities he helped start? Did he realize his cousin and co-investor was married to someone who was planning terrorist attacks? Did he contemplate the fact that by generating money in his business he was helping fund her husband's activities? If this guy hired you to do consulting work would you have suspected this connection and turned him down? Why would someone who spent so much of his life developing communications tools that contribute to understanding get involved in business with someone who is killing innocent people?
TinyDisk - An anonymous shared file system on top of TinyURL.
Topic: Technology
2:11 pm EDT, Oct 25, 2005
TinyDisk is a program from saving and retrieving files from TinyURL and TinyURL-like services such as Nanourl. It overlays a write-once-read-many anonymous, persistent and globally shared filesystem. Once something is uploaded, only the database admin can delete it. Everyone can read it. No one can know who created it. Think of it as a magical CD-R that gets burned and placed on a network.
This is a file system I demoed at Phreaknic that runs on top of the link shortening service TinyURL. Its the perfect case study of how to write meaningful extensions on top of existing web applications, which was the topic of my presentation.
I've already uploaded some fun stuff into TinyURL, like The Adventures of Sherlock Holmes, and even TinyDisk itself. Thats right, the program to read and write to TinyURL is stored inside TinyURL! It was also very cool to see other people starting to use it.
