Archive for the 'Business' Category

Who Pays These People to Code?

Wednesday, May 28th, 2008

I ran across a post in my RSS feeds today that referenced a paper on Bypassing Web Authentication and Authorization with HTTP Verb Tampering. What an awesome title. I'm immediately adding "verb tampering" to the list of things I randomly exclaim in meetings. The short version of the paper (that's represented pretty well by the other blog post) is:

  • some developers secure URLs in their web application by URL and method (POST, GET, etc.). Everything else is allowed (for some strange reason)
  • some servers, when they receive an invalid HTTP method (or, more commonly, a HEAD), perform a GET and just discard the body of the response. This is fine and is apparently part of the RFC, since the headers have to match between the two. I just wasn't aware of it
  • there are still programmers that have non-idempotent GETs in their applications

The scenario is that you find one of these applications on one of these servers and do something like send a HEAD to the URL "deleteUser?userId=27"; the server then does it, despite the fact that you're not logged in.

I'm amazed that this is a problem, for multiple reasons. Who are these people that still don't understand that you don't use GET to do things like delete records from your system? I'd hate to see what one of those crazy internet spiders could do to these guys.

This is also a reason why I'm a big advocate of pushing your security checks as close to the data as you can comfortably stand. Certainly you should have protection at a service or DAO layer to prevent users with inadequate permissions (unauthenticated users fall into this category) from performing most operations in your system. This is also a good practice to ensure that different types of potential front ends don't accidentally grant access to the wrong users. The URL level of security is just icing and fluffery to make the application a little more user friendly.

Of course, that being said, I work on an application that relies mostly on URL level restrictions (I didn't do it and I'm working on changing it) and, if I remember correctly, so does my favorite Java web stack. I should point out that neither of these suffers from the problem described in the paper.
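An added illustration, not code from this post or from the paper it cites: a toy Python dispatcher that reproduces the bug (URL rules keyed by path and verb, default allow, a server that folds HEAD into GET, and a non-idempotent GET) next to the two fixes argued for above, a default-deny URL layer and a permission check sitting beside the data. The paths, roles and user records are made up.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Request:
    method: str
    path: str
    user: Optional[str] = None   # None means unauthenticated
    role: Optional[str] = None


class UserStore:
    """Constructed data layer with two records: the DAO the post talks about."""
    def __init__(self) -> None:
        self.users = {27: "alice", 42: "bob"}

    def delete_unchecked(self, user_id: int) -> None:
        # Vulnerable: trusts that something upstream already authorized the call.
        self.users.pop(user_id, None)

    def delete(self, caller: Request, user_id: int) -> None:
        # Hardened: the permission check sits next to the data, so it holds for
        # every front end and every verb that reaches this method.
        if caller.role != "admin":
            raise PermissionError("deleteUser requires the admin role")
        self.users.pop(user_id, None)


# URL-layer rules keyed by path AND verb, as in the configurations the paper describes.
URL_RULES = {("/deleteUser", "GET"): "admin", ("/deleteUser", "POST"): "admin"}


def url_layer_allows(req: Request, default_deny: bool) -> bool:
    required = URL_RULES.get((req.path, req.method))
    if required is None:            # no rule for this (path, verb) pair
        return not default_deny     # the bug: unlisted verbs such as HEAD pass
    return req.role == required


def dispatch(req: Request, store: UserStore, url_default_deny: bool,
             data_layer_check: bool) -> str:
    if not url_layer_allows(req, url_default_deny):
        return "403 Forbidden"
    # Many servers answer HEAD (and some unknown verbs) by running the GET
    # handler and discarding the body, so the handler below runs for HEAD too.
    if req.path == "/deleteUser":   # non-idempotent GET handler
        try:
            if data_layer_check:
                store.delete(req, 27)
            else:
                store.delete_unchecked(27)
        except PermissionError:
            return "403 Forbidden"
        return "200 OK"
    return "404 Not Found"


def anonymous_head_survives() -> Tuple[bool, bool, bool]:
    """Send an unauthenticated HEAD /deleteUser through three configurations and
    report whether user 27 is still there: (vulnerable, URL default-deny only,
    data-layer check only)."""
    results = []
    for url_deny, data_check in ((False, False), (True, False), (False, True)):
        store = UserStore()
        dispatch(Request("HEAD", "/deleteUser"), store, url_deny, data_check)
        results.append(27 in store.users)
    return results[0], results[1], results[2]   # (False, True, True)
```

Either fix alone stops the anonymous HEAD; the data-layer check is the one that also covers front ends that never go through this URL table.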


Twitter Update

Saturday, May 3rd, 2008

As I mentioned in another post, I'm giving Twitter a retry. I must say I'm enjoying it a lot more now that I'm not trying to treat it like other mediums of communication both in terms of what I follow and in how I use it to communicate. I'm definitely more willing to tweet things that don't warrant a blog post or an email.

A great example of this is when I was able to find out that a former co-worker had left their previous job. While that might be email or blog worthy, most people wouldn't bother putting that kind of information out there, but he tweeted it. As such, I didn't have to wait for that information to make it through the traditional grapevine. For once, I even knew about the news before some of the other people I know.

While I'm using it to keep in more constant contact with friends and former co-workers, some people are using it for a lot more. This post has a few recommendations for using Twitter that I found interesting. I'm not sold on a few of them, such as event updates. I realize that quite a few events are using Twitter to update attendees on things. This just seems like an alternative to email lists and RSS feeds. Does Twitter have better penetration than email or RSS? Is it just that I have more noise in my RSS reader? Won't Twitter suffer from that eventually? I don't know. It just seems like using an alternative form of communication just for the novelty of it.

Another use I've seen is people soliciting feedback or getting votes on an issue via Twitter. I think that's a great use, but I don't think I'll ever have enough followers to do it effectively. There's a big difference between asking your 1-10k followers for feedback and asking 20 people. Maybe I'm wrong. Maybe I should tweet the question (and get feedback from 1 or 2 people).

The idea of using Twitter to create and track ToDo lists intrigues me, but again, I just can't get my mind around the advantages. While Remember the Milk seems interesting I haven't gotten off my ass long enough to try it. I hear good things though.

Foamee is another one that I like. You can let someone know that you owe them a drink for something. I haven't used it yet. Maybe I'm too stingy with my kudos. Maybe I'm just an asshole. Who could say? Is my reluctance to use these and many, many other services that integrate with Twitter another example of me being too set in my ways to "get it"? Maybe in another few months I'll be writing posts about how I've come around to using them.


The Return of the Daily Stand Up

Wednesday, April 30th, 2008

I switched jobs recently and although the current company used to do daily stand up status meetings à la Scrum/XP/Agile/Wagilefall, they had stopped at some point. As near as I can tell, they stopped because they couldn't keep the meetings short and on track. I expressed to my manager(s) that I thought it'd be great to start doing them again and lo and behold we had one on Monday.

Of course, the first issue that came up was the notion of the correct time. Inevitably when you try to start a meeting "on time" you get bogged down with the fact that no one thinks they're late because their clock says they're not. In the past I've used web based atomic clocks, but I'm now convinced that anyone planning to start meetings on time has to invest in a digital clock that synchronizes with the official time. I further suspect that anyone thinking that the people they work with are too mature to have this "argument" is probably wrong. We also haven't settled on the "punishment" for being late. I'm a big fan of cash fines though.


Google Android and Grand Central

Monday, April 7th, 2008

I'm enamored with the idea of Google Android. I briefly looked at the development kit and was very impressed by it. And then I did nothing with it. Part of the problem is that there is no Android capable phone at the moment. That takes some of the sex appeal out of developing for it. More than that is the fact that I don't have any ideas for applications that I'm all that passionate about.

This weekend I heard that Google acquired Grand Central. They're a company I've never heard of but they've got an impressive list of features. Grand Central is a "web-based voice communications platform". It'll let you do all sorts of cool things with your phones via a single number.

This got me to thinking about cool things you could do with Grand Central and Android. Where I work, we use a product called Contactual to route calls for our support number to any other phone number. You can also use their web interface to place an outgoing call and have the resulting call sent to your phone. This is in place so support technicians don't inadvertently give their personal phone number to a customer via caller ID. Once a customer gets a personal number they think that they have a buddy in technical support that can't help them out whenever they run into a snag, rather than going through the proper channels.

What would be interesting would be to see an Android/Grand Central application that would make a similar scenario as easy as dialing an ordinary number. Perhaps allowing you to select any of your phone numbers from a drop down when making the call.

Many of the other features listed on Grand Central's page also look like they'd be an excellent fit with an Android phone.

  • Call Record – Use the phone to signal to the server that you want to record your current call
  • Block Callers – Why not use Android to let you mark an incoming call's number (or current call) as a blocked number?
  • Call Switch – Use your phone to transfer your current call to any of your other numbers.

All of these things are possible with Grand Central and become that much cooler if you can use your phone to do them more directly. It seems like a great tie in for an upcoming product and a recent acquisition all in the same related problem space. Of course, I'm far too lazy and stupid to code any of it, but it still sounds cool.


Bitstrips Madness

Wednesday, March 26th, 2008

I recently re-discovered BitStrips thanks to a post today on BoingBoing. Now artistically challenged people can create their own comic strip. Sadly, most of them aren't funny (including my own), but it's the thought that counts.

I do wish they had better options for embedding comics into other pages. Currently they only support a weak ass frame by frame flash widget rather than a simple image of the entire strip. If you're interested in just how un-funny I can be in comic strip form rather than blog form, you can find my crap here.

Here's an example of their shitty widget:

Widget removed for your protection.

Update: I filed a bug report (not on the widget issue yet) and found through an automated email that BitStrips uses FogBugz. I have no real point here, I just like spotting tech products I'm somewhat familiar with.

Update: Better embedding options and feeds made it into BitStrips a while back so I'm updating this post to include the better option. Sorry about it popping up in your feed reader again:


Twitter Retry

Saturday, March 22nd, 2008

Initial Dismissal

I tried to get into Twitter a few months ago but I really didn't see the point of the whole thing. However, its wild popularity and frequent mentions in every blog and podcast I follow have made me realize it's once again time to retry a technology or product I had written off early. I did the same thing with Google Reader, Google Documents, and Facebook. I'm now a big fan of the first two. Maybe I need to re-evaluate Facebook next.

The main problem I had with Twitter is that I thought of it in terms of more direct and intrusive methods of communication. I wouldn't want to get an email or a phone call from someone every time they thought about taking a dump or were wondering what was in their refrigerator. This was made worse because I put Twitter in my RSS reader. When I'd check my feeds I'd have 100 messages from people that I would usually just ignore. What's the point of that?

I'm now trying to think of Twitter as a general group chat. I'm using a client for it instead of the reader (currently TwitterFox). I then get updates as they happen (or within 5 minutes at least). I'm usually not bothering to catch up on anything that I missed unless it's a reply. It's a very lossy communication method. I'm free to ignore it for long periods of time if I feel like it. It's also filling the gaps in time after I've run out of subscribed content. We'll see how that works out.

SXSW and the Mob Mentality

Part of the reason for the re-evaluation has to do with the recent SXSW / Zuckerberg / Twitter incident. I wasn't there and there are conflicting accounts as to how big of a fiasco it was, but the interesting thing is how vocal the audience became. In the days before instant ubiquitous communication everyone would have sat quietly through the interview thinking similar thoughts about the poorness of the interview. After the interview they'd then compare notes about the perceived suckitude, blog about it, and move on.

With Twitter, the audience was able to communicate with each other in a relatively clandestine fashion. I think this creates a feedback loop where everyone gets more and more pissed off. The perception of the poorness becomes enhanced and it's just a hop skip and a jump from tweeting your dissatisfaction to voicing it quasi-anonymously in the room. I'm not sure this is a good thing, but it's certainly interesting.

I say it may not be a good thing because I'm not a big fan of micro-ratings within a public forum. When presenters adjust their content on up to the minute feedback from the consumers I think there is a tendency to dumb things down and appeal to either the least common denominator or the most vocal group. I'm not sure this was the case at SXSW, but I'm not ruling it out.

To get back on track, I'm once again paying attention to my Twitter account, so feel free to find me and follow me if you're curious about my bowel movements, mental or otherwise.


MD5 Hash Database Population

Tuesday, November 27th, 2007

I read a post recently about how someone found a password via a search for its MD5 hash on Google. Within the comments someone mentioned a site that had a database and search engine for hashes. The part I found clever was that the database of hashes self populates whenever someone uses the site to calculate a hash off of a string of plain text. I'm sure they populate from another source as well, but the last just struck me as interesting.


On the Telephone!?

Sunday, September 16th, 2007

In the Future, Everything Will Be Glue

The entry title is from Weird Science, by the way:

Gary: I was crazy for this little eighth grade bitch.
Wyatt: Crazy, Insane!
Gary: I was dedicated to this girl, I called her every damn night!
Old Pimp Dude in the Bar: You called her every night? On the telephone?
Gary: On the telephone? What's he mean on the telephone, course it was on the telephone!

In my work life, the team I'm on has been working for quite some time fixing the architecture for an existing product. One of the things we've been doing while we've been fixing things is to add a REST API. You can save the REST vs WS-* debate for some other time and place.

Meet the New Product, Same as the Old Product

Unfortunately, there was a distinct lack of excitement about the new stuff we'd been doing from other areas of the company. Programmers seem to immediately "get" why exposing all of the CRUD functionality of your system through a web API is the sheer sweetness in terms of application integration. Sales and executive staff don't always see the possibilities. They saw the new version as architecture changes that improved performance and scalability while maintaining functional parity with the shipping version. That didn't scream sexy.

The programmers, ever fearing being a cost center with a very killable project, decided to start creating proof of concept integration examples that would create internal demand for the nearly finished version.

Pretty State Machine

As background, our system has an operational state that changes the way almost everything behaves. The change in this state is typically user driven. Someone using the software would decide to change the operational state due to an external event such as a Martian invasion. The software has a web interface but we had the idea that it'd be much cooler to change the operational state via a telephone.

We can change our operational state via the REST API by putting (as in HTTP PUT) an XML document representing the system status to the server. The system status has an element that represents the operational state. Now, our IT guy is always telling me the crazy stuff he can do with his home VOIP system. He runs a virtual machine with Asterisk and other assorted software in combination with an IP phone. I ran the idea of executing a shell script from a phone menu by him and he assured me it should be easy to do.

I was working under a deadline (of course) so I created three versions of the XML (one for each state I would be changing to) and got a copy of cURL installed in the Asterisk VM to PUT each document to our server, hopefully in response to someone pressing a button on a phone. After hitting a very serious dead end and wasting several hours trying to get an IVR working (that's what phone people call those voice menus) I finally found an example of an Asterisk iTunes controller. To use it you dial an extension, hear a beep, then press a button to do something. The script in Asterisk then calls a shell script in response to your button press. Five minutes after finding it I had a working example of changing operational state in our product via a telephone (actually a softphone, but who's really keeping score at this point). Booyah! Sure, it only took me 10 hours to discover how to do an hour or so worth of work, but then that's the plight of the knowledge worker.
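As an added example, not the author's script: the piece the Asterisk extension would hand off to, written in Python with the standard library instead of cURL so the three documents are generated rather than kept as files. The digit-to-state table, the XML element names, the path, the bearer-token scheme and the environment variable names are assumptions; the point is that the pressed key is allow-listed before anything goes into the PUT body, and that the server credentials come from the environment rather than the phone menu's command line.

```python
import os
import sys
import http.client
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Assumed mapping from the key pressed on the phone to an operational state;
# the state names are made up, the post only says there were three.
STATES: Dict[str, str] = {"1": "normal", "2": "alert", "3": "martian-invasion"}


def state_for_key(key: str) -> str:
    """Allow-list the DTMF digit: anything not in the table is an error and
    never ends up inside the document sent to the server."""
    try:
        return STATES[key.strip()]
    except KeyError:
        raise ValueError("no operational state bound to key %r" % key) from None


def status_document(state: str) -> bytes:
    """Build the system-status XML (assumed element names) with ElementTree so
    the value is escaped properly instead of being pasted into a template."""
    root = ET.Element("systemStatus")
    ET.SubElement(root, "operationalState").text = state
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def build_put(key: str, path: str, token: str) -> Tuple[str, str, Dict[str, str], bytes]:
    """Everything the HTTP layer needs, kept separate so it can be checked offline."""
    body = status_document(state_for_key(key))
    headers = {
        "Content-Type": "application/xml",
        "Content-Length": str(len(body)),
        "Authorization": "Bearer " + token,   # assumed auth scheme
    }
    return "PUT", path, headers, body


def put_state(key: str, host: str, path: str, token: str) -> int:
    """Perform the PUT over TLS and return the HTTP status code."""
    method, path, headers, body = build_put(key, path, token)
    conn = http.client.HTTPSConnection(host, timeout=10)
    try:
        conn.request(method, path, body=body, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Called from the dial plan as: set_state.py <digit>. Host, path and token
    # are read from the environment so they never show up in argv or in the
    # phone system's logs.
    if len(sys.argv) != 2:
        sys.exit("usage: set_state.py <digit>")
    code = put_state(sys.argv[1], os.environ["STATUS_HOST"],
                     os.environ.get("STATUS_PATH", "/api/systemStatus"),
                     os.environ["STATUS_TOKEN"])
    sys.exit(0 if code in (200, 204) else 1)
```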

Demo Day

The next day we invited additional people to our iteration demo meeting (really it's just the people that were supposed to be going all along but weren't) and showed the phone demo as our finale. Suddenly, people seemed as interested in our new version of the product as the developers are. There was a palpable sense of excitement. There were tears of joy. The developers were hoisted up onto the shoulders of sales and management and carried out into the streets (think about the scene in Dragon: The Bruce Lee Story).

I'm exaggerating a little bit perhaps. Of course there are all sorts of negatives preceding and following this event, but can't we just bask in the glory of this one little success for just a few moments? On the telephone.


The Battle for Hearts and Minds

Tuesday, July 24th, 2007

For the last month or two I've been having a war with whoever is stocking our beverage cooler. We have a cooler with a limited capacity and a locker with a backup supply of room temperature cans.

The first problem is that someone is ordering a whole shitload of Coke products–Coke, Black Cherry Vanilla Coke, Diet Coke, Coke Zero, Caffeine Free Diet Coke–and taking up way too much shelf space. This increases the chance that my beverage of choice will run out and I'll be stuck gazing longingly at a room temperature Diet Dr. Pepper and thinking about what might have been. To combat this, I sneak into the break room and re-arrange all of the sodas in my free time. Typically this consists of trying to make the shelf presence of each beverage more proportional to its popularity. This means eliminating as many Coke slots as possible.

Today I wander into the break room only to discover that they're attacking me on all new fronts–layout, usability, and increased error rates. Check this shit out:

[Image: Bad layout / design example]

That's right. Not only is the Diet Dr. Pepper down to two slots (I had managed to expand it to three), they've also put it on the Diet Coke shelf AND put that abomination known as Cherry Vanilla Diet Dr. Pepper right next to it. They've put two similarly colored, diametrically opposed diet drinks right next to each other. They've sandwiched an innocent beverage between two fizzy misanthropes. They're obviously trying to get me to pick up a can of that Cherry Vanilla pisswater by accident and lose my love of Diet Dr. Pepper. Barring that, they're thinking I'll grab a Diet Coke by accident and somehow fall victim to the brainwashing chemicals contained in every can.

I now have to fall back and formulate some manner of counter-offensive. This day is lost. Well played…

Update: If It's Worth Doing…

Behold, a [more] properly stocked soda refrigerator:

[Image: Soda fridge]

I relocated all of the juices on the bottom shelf, being careful to separate the orange and apple juices in order to decrease the chance of accidental color related selection. The same goes for the Diet Coke, Diet Dr. Pepper, and Cherry Vanilla Diet Dr. Pepper. Ditto for Mountain Dew and Canada Dry (both green cans). I also took the liberty of claiming a full four (4) shelves for Diet Dr. Pepper. I figure any soda that spends that long in medical school deserves an additional slot or two in the soda fridge.

Sure, there are still problems. The Diet Sprite still has a full five rows (spanning two shelves–4 and 1), even though no one seems to drink it. I'm hoping someone will start drinking them in order to clear out the heinous stocking abomination that occurred at some point in the recent past. Then I can claim that shelf for the Minute Maid Light Lemonade if they ever start ordering it again. The ball is now in their court.


Black, Blue, and Purple

Thursday, June 21st, 2007

How I waste my free time

In between trying to get a simple Arduino project thrown together and farting around with the Yahoo! UI Library, I took a timeout to play around with a Firefox add-on (back in my day they were extensions) named Stylish.

The subject came up on Jyte that black text on a white background wasn't the friendliest design for some people. Unfortunately, most sites don't support user specific skins so if the site's design causes you problems, from a vision related impairment for instance, then you're just shit out of luck. That's where Stylish comes in. It lets you create custom CSS overrides on a per site basis.

Can you see me now?

Yet another thing to do when you're bored: see if you can completely change the color scheme of a site to make it hideously ugly for no good reason. It took a little work, but I managed to make a really nasty looking blue and purple on black style for Jyte.

[Image: blackjyte]

Most of the work was just finding all the nasty little inherited background colors, background images, etc. One interesting problem came up because Jyte has a set of menus that are images of text. They have a white highlight built into them and look like complete crap on the new black background. I thought it wouldn't be a problem to turn links with images into links with the image alt attribute as the link text and then hide the image.

Let the CSS fun begin

I thought maybe some sweet CSS action like this would work:

/* Intended: show each menu image's alt text as the link text, then collapse the image. */
.nav_item a img:before {
  content:attr(alt);
}

.nav_item a img {
  visibility:hidden;
  width:0;
}

Oh, how lovely that would be. Apparently it'll work in some builds of Firefox but got turned off in later versions. I think it was a feature request specifically to make my life more difficult. :before and :after pseudo elements for other elements work fine, just not images.

So, with a lot of trial and error I wound up with the less than ideal:

/* Match the menu link by its href, hard code its label, then hide the image. */
.nav_item a[href="/home"]:before {
  content:"Home";
}

.nav_item a[href="/home"] img {
  visibility:hidden;
  width:0;
}

Since I no longer had access to the alt attribute on the image I had to manually insert the correct link text for each menu item. I did this for each menu by using an attribute selector to find each link by its href attribute, then hard coded the content to the correct text and finally hid the image.

You nasty, nasty boy

Oh, it's nasty all right, but it works. The only problem is I was trying to make the CSS overrides generic and there's a dynamic menu that includes the user name. Luckily there's only one such dynamic menu so I just made an entry to handle all such menus as the dynamic one and let the more specific rules clean up after the fact. Ta da! A custom, site specific CSS override that no one will ever use because it looks like it was beaten with a bag of hammers and makes your eyes hurt to read.

The interesting thing is that there are now ways for users to make the sites they frequent more appealing and possibly more accessible via add-ons like Stylish and Greasemonkey. It's not ideal for non-technical users, but sites like Userscripts and Userstyles can help by acting as repositories with aids created by the more technical members of the community.
