
Is Wal-Mart replacing Green Dot with American Express for Prepaid debit cards?

There's lots of news coverage today that Wal-Mart is partnering with American Express to offer prepaid debit cards in their stores. Wal-Mart previously offered Wal-Mart branded Visas via a partnership with Green Dot. American Express is accepted less widely than Visa, so it seems likely that Wal-Mart will want to continue offering a Visa or Mastercard either with Green Dot or someone else. On the other hand...since Wal-Mart accepts American Express they might see this as a feature: it means people will choose them if another merchant doesn't accept AmEx.

Press coverage of prepaid expansion by Amex

Amex/Walmart deal affects GreenDot shares

In trading on Monday, shares of Wal-Mart (WMT) and American Express (AXP) were largely unchanged while Green Dot was down about 20%. Investors have been watching closely to see whether Wal-Mart will renew their current agreement with Green Dot which is set to expire at the end of 2012.

Fees for the Bluebird debit card

According to a Reuters article:


Cross Site Request Forgery in Tumblr "Ask a Question" feature

This might be the first nerd-blog post in a long time, so my apologies if I startle anyone. As a quick update, I wrote a book on security in Drupal and then founded a company focused on Drupal security services and then sold that company to Acquia where I currently work.

So....Tumblr is a big deal. They apparently have 120 million users and are totally awesome.

I was trying Tumblr out for a site and noticed that many of their interactions relied 100% on JavaScript for a "delete/cancel" confirmation. I fired up my handy-dandy browser tools and inspected the HTTP headers associated with deleting a message. Turns out that it's vulnerable to a cross-site-request-forgery. In general Tumblr uses the token-synchronizer CSRF prevention (as documented on OWASP). I'm not necessarily saying they copied OWASP or were inspired, just that it follows the pattern of using a second form token that is sent on all requests for a session. They do not use a different token per form/action: once you get the anti-CSRF-nonce it's the same for multiple different operations. Their token is called the form_key.

Want to see the problem in action? I even made this handy dandy movie of the problem:


Initial Thoughts on the Kindle Fire

So, a few weeks back my Kindle Fire arrived and I started jotting notes as I opened it and used it. Here's the collection:

  • The un-boxing was surprisingly pleasant: minimal plastic, lots of recycled elements, no user-manual (it's on the device!). The package was about 2.5 inches tall and about 2 inches of that was empty, with a small cardboard elevating the Kindle above the empty space that contained a small USB cord. Why ruin the experience with all that empty space?
  • The USB Cord...it's a "wallwart" with a micro-usb on the end. I'm super excited that the device uses the current standard micro-usb b as its source of power and connectivity but what a waste to send me a cable connected to a wall-wart. I'd be way happier with something like this wall-usb and standard usb cable.
  • I now have learned that this wallwart USB outputs more than normal power, so it can't be a normal device. That kinda...sucks. If it uses different power I would almost rather have a different plug just to make that clear (though apparently the size lets me power it up slowly via computer if I'm in a bind). I wish it would take normal micro-usb power from a normal cable even if that means slower charging.
  • The power button is on the bottom right next to the USB port and headphone port which makes it easy to accidentally press it when you connect/disconnect your headphones/usb plug. To solve this, I've started using it upside down which means I type my password upside down when I unlock it. Of course the screen flips once it's unlocked, but now the sound comes out the "bottom" and gets my stomach messy with its messy, messy sound.
  • The screen is pretty awesome. Very bright and crisp.

Android Apps I actually Use

I recently had to reset my entire phone deleting all contents (different story). In the process I wrote down the old apps I had that I liked so I could reinstall them after wiping it. I was surprised how easy it was to do that and how all my contacts/mail/calendar being associated with my Google account made the whole process simple.

So, in case you're interested, here's the list of apps I actually reinstalled:
