All of the Knaddisons in the world

Colorado flowers that bees like best

These flowers were suggested by Denver Botanic Gardens as varieties that do well in Colorado and create blooms all year long to help pollinators. They were selected by monitoring which varieties bees are particularly drawn to. I searched and found that the local Rocky Mountain companies Botanical Interests and High Country Gardens sell seeds for many of them.

Earth Treks Englewood - The Largest Indoor Climbing Gym?

In April of 2017 the old Sports Authority headquarters in Englewood was sold for $15.7 million, but at that point it wasn't well known who the purchaser was or who would inhabit the space. It turns out Earth Treks is one of the major inhabitants of the space, and they had a big plan for the building. The Earth Treks climbing gym will open an Englewood location.

Cross Site Request Forgery in Tumblr "Ask a Question" feature

This might be the first nerd-blog post in a long time, so my apologies if I startle anyone. As a quick update, I wrote a book on security in Drupal and then founded a company focused on Drupal security services and then sold that company to Acquia where I currently work.

So... Tumblr is a big deal. They apparently have 120 million users and are totally awesome.

I was trying Tumblr out for a site and noticed that many of their interactions relied 100% on JavaScript for a "delete/cancel" confirmation. I fired up my handy-dandy browser tools and inspected the HTTP headers associated with deleting a message. Turns out that it's vulnerable to a cross-site request forgery. In general Tumblr uses the synchronizer token CSRF prevention pattern (as documented by OWASP). I'm not necessarily saying they copied OWASP or were inspired by it, just that it follows the pattern of using a second form token that is sent on all requests for a session. They do not use a different token per form/action: once you get the anti-CSRF nonce, it's the same for multiple different operations. Their token is called the form_key.

Want to see the problem in action? I even made this handy dandy movie of the problem:

Lost: The Drinking Game

We started watching the TV show Lost a while ago on Netflix streaming. This is great because we can watch episodes back to back, which gets rid of the anxiety over what will happen "next week."

We found a few occurrences that were uncommon enough that they could be used as a pretty decent game.

Tomato Basil Sauce

Ingredients and Instructions for Tomato Basil Sauce

  • 1/4 cup extra virgin olive oil
  • 1 small yellow onion, diced
  • 3-4 garlic cloves, peeled and thinly sliced
  • 1/4 cup finely diced or shredded carrot
  • 2 cans San Marzano tomatoes (56 ounces)
  • kosher salt to taste
  • small handful basil leaves, torn in pieces