Technology

Broadly defined "technology" e.g. software, water pumps

Cross Site Request Forgery in Tumblr "Ask a Question" feature

This might be the first nerd-blog post in a long time, so my apologies if I startle anyone. As a quick update, I wrote a book on security in Drupal and then founded a company focused on Drupal security services and then sold that company to Acquia where I currently work.

So... Tumblr is a big deal. They apparently have 120 million users and are totally awesome.

I was trying Tumblr out for a site and noticed that many of their interactions relied 100% on JavaScript for a "delete/cancel" confirmation. I fired up my handy-dandy browser tools and inspected the HTTP headers associated with deleting a message. Turns out that it's vulnerable to a cross-site request forgery. In general Tumblr uses the synchronizer token CSRF prevention (as documented on OWASP). I'm not necessarily saying they copied OWASP or were inspired, just that it follows the pattern of using a second form token that is sent on all requests for a session. They do not use a different token per form/action: once you get the anti-CSRF nonce it's the same for multiple different operations. Their token is called the form_key.

Want to see the problem in action? I even made this handy dandy movie of the problem:
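The synchronizer-token pattern the post describes, as an added example that is not Tumblr's code and not from the original post: a minimal server-side check for a state-changing "delete message" request, with the session-wide form_key check beside a hypothetical per-action variant (the `per_action_token` derivation and the request/session dicts are constructed for this example).

```python
import hmac
import hashlib
import secrets

# Constructed sample session: the server issues one form_key per session and
# embeds it in pages; the browser never attaches it automatically the way it
# attaches the session cookie, which is what the check relies on.
SESSION = {"id": "sess-demo", "form_key": secrets.token_hex(16)}

# Constructed forged request: a cross-site page can make the browser send the
# cookie, but it cannot read or supply the victim's form_key.
FORGED_REQUEST = {"method": "POST", "cookie": "session=sess-demo", "form_key": None}


def valid_session_token(req_token, session=SESSION):
    """Session-wide synchronizer token: one form_key is accepted for every action."""
    if not req_token:
        return False
    # Constant-time comparison so token checks do not leak via timing.
    return hmac.compare_digest(req_token, session["form_key"])


def per_action_token(action, session=SESSION):
    """Hypothetical per-action variant: bind the token to the action name via HMAC."""
    return hmac.new(session["form_key"].encode(), action.encode(), hashlib.sha256).hexdigest()


def valid_action_token(req_token, action, session=SESSION):
    """A token minted for one action is rejected when replayed against another."""
    if not req_token:
        return False
    return hmac.compare_digest(req_token, per_action_token(action, session))


def handle_delete(request, session=SESSION):
    """Simulated handler for the delete action; returns an HTTP status code."""
    if request.get("method") != "POST":
        return 405  # state changes only over POST, never via a GET link
    if not valid_action_token(request.get("form_key"), "delete_message", session):
        return 403  # missing, wrong, or other-action token: refuse to act
    return 200


if __name__ == "__main__":
    print("forged request ->", handle_delete(FORGED_REQUEST))
    ok = {"method": "POST", "form_key": per_action_token("delete_message")}
    print("legitimate request ->", handle_delete(ok))
```

The per-action variant is the stricter design: with a session-wide form_key, whoever obtains the single token can drive any action in that session, whereas a per-action token limits what a leaked value is good for.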


Initial Thoughts on the Kindle Fire

So, a few weeks back my Kindle Fire arrived and I started jotting notes as I opened it and used it. Here's the collection:

  • The un-boxing was surprisingly pleasant: minimal plastic, lots of recycled elements, no user manual (it's on the device!). The package was about 2.5 inches tall and about 2 inches of that was empty, with a small cardboard insert elevating the Kindle above the empty space that contained a small USB cord. Why ruin the experience with all that empty space?
  • The USB cord... it's a "wall wart" with a micro-USB on the end. I'm super excited that the device uses the current standard micro-USB B as its source of power and connectivity, but what a waste to send me a cable connected to a wall wart. I'd be way happier with something like this wall-USB and standard USB cable.
  • I now have learned that this wall wart USB outputs more than normal power, so it can't be a normal device. That kinda... sucks. If it uses different power I would almost rather have a different plug just to make that clear (though apparently the size lets me power it up slowly via computer if I'm in a bind). I wish it would take normal micro-USB power from a normal cable even if that means slower charging.
  • The power button is on the bottom right next to the USB port and headphone port, which makes it easy to accidentally press it when you connect/disconnect your headphones/USB plug. To solve this, I've started using it upside down, which means I type my password upside down when I unlock it. Of course the screen flips once it's unlocked, but now the sound comes out the "bottom" and gets my stomach messy with its messy, messy sound.
  • The screen is pretty awesome. Very bright and crisp.

Android Apps I actually Use

I recently had to reset my entire phone, deleting all contents (different story). In the process I wrote down the old apps I had that I liked so I could reinstall them after wiping it. I was surprised how easy it was to do that and how having all my contacts/mail/calendar associated with my Google account made the whole process simple.

So, in case you're interested, here's the list of apps I actually reinstalled:


How to write an email to piss off your developer

I'm writing this so other developers can share in the laughter (ha!) and designers/managers can learn.

I've seen this a few times. It feels like there's a mad-libs form that designers/managers use to communicate things in a software project.

Hey:

$normal_behavior_of_our_product_for_the_past_year, $insulting_phrase, $client_need_never_mentioned_before_this_month, $high_stress!!!!!

Thanks,
$designer_or_manager

So, an example letter:

Hey:


Technology things I threw away today (2011 Edition)

I am an early adopter and a packrat. When people need an extra phone charger or connector cable they come to me.

So if I throw something out, that means it must be old as dirt. Here is a list of things I threw away today.

  • A Dell PS2 keyboard I got for free with my computer in 1997
  • Palmrests for two keyboards I'm not even sure I own any more
  • A Belkin vga/ps2 KVM switch I purchased in 2004
  • An IEEE1394 (FireWire) PCMCIA card I purchased so I could connect my first generation iPod to my Windows XP powered 2003 HP laptop (I'm keeping the laptop)
  • A PCI E-Sata connector - I think I got this with a 2.5" hard drive enclosure that ran on USB2.0 or E-sata (actually, I'm so keeping this if I can just find the e-sata cable!)
  • 2 RJ11 (yes, 11!) cords - one approximately 10 feet, one 20 feet. Wired telephones??!?! Ha!
  • A 6 foot long USB extension cable (i.e. male to female) that we bought in 2002 so we could put the computer behind the couch and the monitor on the side table like a TV
  • A serial to PS2 connector that I got for free from upenn.forfree so I could plug in a serial mouse I got somewhere... I don't even remember how this story ends
  • A plug that goes from UK to standard power supply - WTF did I need this?
  • A USB to Sony Ericsson T-9(?)00? connector cable I purchased in 2004. The software it came with sucked
  • A PCMCIA adapter for compact flash I bought in 2000. This was awesome. But, it turns out that compactflash is the biggest kind of flash. Also, I have another 9 way flash adapter that has compactflash in it! :)
  • Not one, but TWO power chargers for mini USB phones. Too bad the industry just standardized on micro USB.
  • An adapter that takes USB/PS2 power and uses that to give energy to an external 2.5" hard drive enclosure just in case your USB1.1 doesn't give the drive enough power. (Yes, USB 1.1!). I bought this in ~2005.
  • A PS2 mouse from a computer I bought in ~2005

On Cutting the Comcast Cable TV Cord: How many rooms should be wired

We moved to a new house about a year ago. In the process we left our TV in the old house for "staging," which meant it was there for 6 months (it's hard to sell a house now, apparently). In the meantime we watched a ton of Hulu and Netflix instant shows on our 15" computer. This has been relatively glorious.

Cutting the Cable TV cord

With the TV in the old house and our computers in the new we moved our high-speed-internet service (delivered by Comcast over cable) to the new house but shut off the TV service. Luckily Hulu and Netflix ably filled in the gap. We're watching weird and great shows, documentaries, and even adver-tainment like the Ford Focus Rally (although having to endure commercials in the middle of adver-tainment grated on our nerves enough that we stopped).

Hulu has a rolling schedule where they drop content. We can't see old episodes of the Chicago Code (our favorite new show). In a year or two, though, they should be on Netflix. It seems like every day Netflix gets more and more instant content. Amazon's got some instant offering, but we haven't run out of content on Netflix+Hulu enough to worry about what Amazon might have for us. I would love for the BBC's Junkyard Wars to be opened up on Hulu or Netflix. Right now it's making zero money from the American market - why not let it out? So it seems like our TV watching needs will be fulfilled by on-demand media delivered by Netflix, Hulu, Amazon and companies like them.

So long, physical media

We have several bookshelves and boxes full of physical media: books, journals, magazines, CDs, DVDs. Our TV is currently used primarily to watch DVDs. But the transition is clear: even though high-def TV with surround sound is fun, the immediacy of on-demand video media wins. If nothing else it means we can eliminate about one quarter of the furniture in our house, since it is designed strictly for holding and showcasing our physical media!

