WebApp Security is mandatory (even for spammy virals)

I just received a mail from Frank Goossens. I’ve apparently invited myself to view “an adorable Christmas-card” containing “warm wishes”. Moreover I tried to guilt-trip myself into forwarding that same card to friends and family, as that simple gesture would provide the poor with (unhealthy fried) food for the Poverello Christmas-dinner.
In general I don’t like virals, but I was curious to find out if Agency.com had just spammed me or if someone had (ab)used my name and email to bug me. So I clicked the link, told NoScript to trust the (Flash) site temporarily, looked at the Firebug output while testing the application and tinkering with some of its URLs.
The results:

  • One can tweak the system so that the “message” contains links and images (lesson 1: do not rely solely on client-side validation in Flash or JavaScript)
  • Going one step further, you can also insert JavaScript in that message. That code isn’t executed inside the Flash e-card, but assuming there is a plain HTML backend (there always is, for reporting or export purposes) it’s trivial to sniff the backend URL and steal the session cookie as soon as someone accesses a page which contains that message. The URL and session cookie can then be used to gain access to the admin site (lesson 2: render all user-submitted data harmless before storing it in the database; use an HTML filtering component if need be)
  • It’s trivial to abuse this system to send spam with 1 automated GET request per 5 recipients (lesson 3: think about how your system can be abused and try to harden it accordingly)
  • It’s really easy to “harvest” all 48,000 names, e-mail addresses and messages sent (lesson 4: auto-numbers are a bitch)
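The four lessons above map onto four server-side controls. The following is an added example, written for this post and not code from the e-card site or from Agency.com: an in-memory stand-in for the card backend that validates on the server regardless of what the Flash client did (lesson 1), escapes the message before it is stored (lesson 2), rate-limits the sender so the form cannot be driven as a spam cannon (lesson 3), and identifies cards by an unguessable token rather than an auto-incrementing number (lesson 4). The store layout, field names, limits and regular expression are all assumptions made for the example.

```python
import html
import re
import secrets
import time
from dataclasses import dataclass, field


# Constructed in-memory stand-in for the e-card backend database
# (the real site's storage and field names are not known; these are assumptions).
@dataclass
class CardStore:
    cards: dict = field(default_factory=dict)    # card token -> stored card
    sent_by: dict = field(default_factory=dict)  # sender address -> send timestamps


MAX_MESSAGE_LEN = 500             # assumed limit, not from the post
MAX_RECIPIENTS_PER_HOUR = 20      # assumed limit, not from the post
RATE_WINDOW_SECONDS = 3600
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple syntax check


def sanitize_message(raw):
    """Lessons 1 and 2: validate and neutralise on the server, never trust the client.

    html.escape turns markup into inert text, so a stored "<script>" can never be
    interpreted as a tag by the HTML reporting backend that later renders it.
    """
    if not isinstance(raw, str):
        raise ValueError("message must be text")
    text = raw.strip()
    if len(text) > MAX_MESSAGE_LEN:
        raise ValueError("message too long")
    return html.escape(text, quote=True)


def validate_email(addr):
    """Reject anything that is not a plausible single e-mail address."""
    addr = addr.strip()
    if not EMAIL_RE.match(addr):
        raise ValueError("invalid e-mail address: %r" % addr)
    return addr


def new_card_id():
    """Lesson 4: a 128-bit random token instead of an auto-number.

    Auto-increment ids let anyone walk 1, 2, 3, ... and harvest every card;
    a random token cannot be enumerated.
    """
    return secrets.token_urlsafe(16)


def submit_card(store, sender, recipients, message, now=None):
    """Lesson 3: a per-sender recipient budget per hour, enforced server-side.

    Returns the new card's token. Raises on bad input or when the budget is exceeded.
    """
    now = time.time() if now is None else now
    sender = validate_email(sender)
    clean_recipients = [validate_email(r) for r in recipients]
    if not clean_recipients:
        raise ValueError("at least one recipient required")

    # Keep only the timestamps still inside the sliding window.
    recent = [t for t in store.sent_by.get(sender, []) if now - t < RATE_WINDOW_SECONDS]
    if len(recent) + len(clean_recipients) > MAX_RECIPIENTS_PER_HOUR:
        raise PermissionError("recipient budget exceeded for %s" % sender)
    store.sent_by[sender] = recent + [now] * len(clean_recipients)

    card_id = new_card_id()
    store.cards[card_id] = {
        "from": sender,
        "to": clean_recipients,
        "message": sanitize_message(message),
    }
    return card_id


def lookup_card(store, card_id):
    """Fetch a card by token; an unknown or guessed token simply yields None."""
    return store.cards.get(card_id)


if __name__ == "__main__":
    s = CardStore()
    cid = submit_card(s, "alice@example.com", ["bob@example.com"],
                      "<script>alert(1)</script> Merry Christmas!")
    print(cid, lookup_card(s, cid)["message"])
```

Escaping at storage time is what the post recommends; the more common modern arrangement is to store the raw text and encode it for the specific output context (HTML body, attribute, JavaScript string) at render time, which the same `html.escape` call handles for the HTML-body case. Either way the control that matters is that the backend, not the Flash front-end, decides what is stored and what is rendered.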

Ladies and gentlemen marketeers and ad-agency account executives: do not think that virals, mini-sites and e-cards aren’t susceptible to hackers. You should consider web application security a mandatory feature! Unless you have an unstoppable urge to gift-wrap your (or worse, your customers’) data and hand it out to spammers and hackers, of course.

Firefox 3.1; Mozilla Corp’s answer to Google Chrome

Firefox 3.1 is just around the corner and I’ve been using the betas for a couple of months now, but I didn’t really feel the urge to write about it up until now. But with things heating up between Google Chrome (already out of beta!), Safari and Firefox, and with new versions of MS Internet Explorer and Opera in the making as well, one can’t really stay indifferent, I guess?
First off, a non-exhaustive list of changes:

So if FF3.1 performs that well in SunSpider, does it really feel that much faster as well? To be honest, it doesn’t. Or at least, it didn’t, at first. But here’s a tip: if you’re a bit like me you’re bound to have a lot of extensions installed (and disabled and uninstalled and not compatible and …), you might have some forgotten tweak in your about:config and you probably have huge history and bookmark databases. In that case do yourself a favor and start from scratch with a new profile, and Firefox 3.1 will truly fly.
Of course not all is perfect. I don’t like the fact that tabs regularly get moved to a window of their own inadvertently. And Flash still crashes FF all too often; Firefox really needs something like the process isolation in Google Chrome and MS IE8’s loosely coupled IE, but that might be more than just a small CR.
All in all, with Firefox 3.1 the Mozilla folks seem to have almost everything they need to fight the new kid in town. You can download the latest beta here and test for yourself. Let those browser wars rage!

Klara past the top 75; Iron & Wine live!

I regularly listen to Klara, especially in the evening, just before going to sleep. On weekdays from 11 to midnight there is jazz with Marc Van den Hoof, and on Friday night Bart Vanhoudt presents “Live unlimited” (blog). On that programme I heard a recording of a live concert by “Iron & Wine” yesterday. How beautiful that is!!!
Listen for yourself via the VRT radio player or click “play” below (but beware, you’ll be pulling a good 40 MB through);
[audio:http://download.streampower.be/vrt/klara/31_KL081219RLIV-hi.mp3]

It’s the basics, stupid!

After a few days of cursing, we have replaced the thermostat in the house we recently moved into.
Despite the promising LCD display, the visible and hidden buttons and a proper manual for learning how to program the machine, the engineers at Elro overlooked one small detail: you can’t lower the temperature with a single press of a button! To set the thermostat to 18 instead of 19 degrees, for instance, you have to press a button 48 times! You can only go up, in steps of half a degree, so to end up lower you have to go all the way around. 48 times, at a moment when you’re already too warm anyway!
So now we have a new thermostat. A very ordinary one, with a big round knob that only lets you set the temperature. The basic functionality, nothing more, but above all nothing less!
Let’s not lose sight of the basics in 2009 either! And that applies to a lot of things …

Free your content now!

Bert Van Wassenhove considers RSS to still be “a diamond in the rough” which has not yet been picked up by the mainstream public. The reason for this, according to him, is that:

[Newspapers] copied their paper/website logic to RSS feeds without adapting it to the medium. As a result, you get long lists of news articles with no difference between front-page news and a small article at the back of the newspaper.

To solve this problem, he proposes that editors (also) offer a “front-page feed”, which would contain only the most popular (automatic) or most important (handpicked) items.
Not a bad idea at all (are you listening, deredactie?), but even more important: shouldn’t news websites start treating RSS as a publication channel in its own right, containing the entire article (and why not even enclosures for AV material)? Because, expecting me to click through, seriously?

RSS feeds can indeed be a great way for readers to focus on content, without the overhead of the “normal” website context. Heck, I’d even accept some text ads and links to related items in there if need be. Publishers will sooner or later really have to let go of the concept of their (semi-)walled garden as the only place where visitors are allowed to consume their content (as they had to let go of the paper-only distribution model). Focus on reach (“content views”) instead of pageviews, and allow your readers to decide in which context the content is consumed (think RSS reader, think syndication, think mash-ups, …)!
I happened to stumble across this full Atom feed for deredactie.be, containing entire articles and enclosures for images, audio and video, and it’s just great! I’m sure it could help info-overloaded users keep more up-to-date with the news, and that an official (because this one isn’t) full feed from deredactie could massively improve the reach of the great VRT nieuwsdienst content (according to CIM they’re really not doing that great when compared to the competition).
So, let me quote Bert: “Mr. editor in chief, please help RSS to become the success it deserves to be”, and I’ll happily add “Set your content free!” to that.

Joikuspot connection problem with Ubuntu Linux

This weekend I had to resort to Joikuspot (software that turns your 3G cellphone into a wireless gateway to the internet) for my web needs. Because I encountered a few problems setting up a connection from my Ubuntu laptop, here’s a quick recap for documentation’s sake.
The rather fundamental issue was that I couldn’t get my computer (a Dell D620 running Ubuntu 8.04 with the iwl3945 driver) to join the ad-hoc wifi network which Joikuspot (on a Nokia E61i) created. As connecting from my wife’s Windows XP laptop did work, I googled around a bit and it turned out I had to specifically set the channel used by Joikuspot to 1 or 6 instead of “automatic” or 11. Although NetworkManager still seemed confused, this did allow me to connect from the command line (disabling wireless networking in NM first and then using iwconfig and dhclient). But why joining an ad-hoc wifi network on channel 11 doesn’t work in Ubuntu, that I still don’t know.
Once connected to the wireless network, I found out that Joikuspot Light requires your browser to auto-detect a proxy. The proxy in Joikuspot seems to be used to limit the functionality of the free version and gently push you towards the non-free Premium product. As my normal web connection came back soon after I figured this out, I didn’t bother to test whether I could tunnel my way out of those limitations. But crippled or not, Joikuspot is great to have around when your broadband connection is down.

“Lifestreaming, across my universe”

Lifestreaming is where it’s at, so here I am, aggregating all my stuff (Google Reader shared items, my YouTube clips and favorites, my Facebook status and my blog posts) into one place. I tried sweetcron a couple of weeks ago, but for some reason it didn’t feel “ready” yet (or maybe I didn’t want to invest too heavily in it). I recently installed a simple WordPress plugin which seems to be doing the trick very well. Sweet indeed!
Next up: something to handle multi-language blogging a bit better, but now for something completely different (The Firm, Star Trekkin’ on YouTube);

The Firm - Star Trekkin'