Random musings from a Southern California geek. I started WICK and IBDOM. There are some pics (rss). current project.
Monday, December 26, 2005
Sunday, December 25, 2005
Wednesday, December 14, 2005
iTunes Database Issues
The Apple Blog has an in-depth analysis of the way iTunes stores its music catalog information, and of the various issues encountered when handling huge music libraries. From the article: 'Each time I play a song - any song - iTunes has to write out 122MB of data.' Is it time for Apple or the developer community to come up with a "Pro" music management tool? Or should Apple tweak things a bit to address those issues?
Sunday, December 11, 2005
Monday, November 28, 2005
latest Java ant broke in Tiger?
Upon installing the latest Apple Developer Tools, if your "ant" acts up with an error complaining about a "-cp" argument, you might consider opening up /Developer/Java/Ant/bin/ant, going to line 295 and removing -cp \"$CLASSPATH\" toward the end of the line.
Has anybody experienced a similar issue with Java J2SE 5.0 Release 3 on Mac OS X Tiger, and Xcode Tools 2.2?
Thursday, November 17, 2005
Cross Site Scripting and You
In this era abuzz with "web 2.0", "ajax" and social networks, more Internet users no longer passively "surf" or "browse" the web; they increasingly contribute to it in online forums, portals, aggregators and blogs.
The concept of cross-site scripting (XSS) has been around for quite a while; fun was had, holes were plugged. Yet once in a while, as I troll around some open social network, I still see a few vulnerabilities crop up here and there.
Putting XSS back on our collective radar can't hurt.
In not-too-nerdy terms, some of the sites most vulnerable to XSS are those which allow users to contribute richly formatted content. The concept of a "user" is also key, because a user account's integrity can be compromised by an XSS vulnerability.
For more info, the Wikipedia article has the meat. See also their related vulnerabilities at the bottom. I wonder whether the whole HTTP TRACE vulnerability was ever plugged in IE/Mozilla?
On a nerdier note, are there free/open-source libraries for the various application platforms (Java, PHP, Python, Ruby) that handle HTML content parsing and filter out harmful markup and scripting? The tried-and-true Tidy by Raggett sure helps as a foundation.
Here are a few of the things I would look out for when allowing any foreign markup to make its way onto my site:
1) filter out all <script ...> ... </script> blocks.
2) filter out all event-handler HTML attributes from all HTML tags. Such attributes always start with the word "on": "onmouseover", "onload", "onclick".
3) filter out all instances of the word "javascript:" in all HTML attribute values. It's otherwise possible to get funky with "javascript:" URIs.
4) I would also filter out <link .../> and <style /> tags. I've heard of a "javascript:" URI used as the value of a "background" url directive; that's just nasty. If you really want to allow CSS styling, let them do it inline with a good old "style" attribute. If they get funky with javascript: there, 3) ought to catch it.
5) to be on the safer side, and to avoid annoyances, I'd also remove all basic HTML document constructs such as "html", "body", "head", "title", and all complex object-embedding constructs such as "object" and "embed".
6) and ensure the resulting HTML snippet remains clean, valid HTML.
... what am I leaving out?
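As an added example (not the post's code, and not taken from any of the libraries it asks about), here is a small Python sanitizer that applies the six rules above using the standard library's html.parser. It goes one step beyond the list by turning the deny-list into an allow-list, which answers part of "what am I leaving out": anything not explicitly permitted is removed, so a tag or attribute nobody thought of is not a hole. The tag and attribute sets, the permitted URL schemes and the inline-style pattern are this example's own choices. The "javascript:" check inspects the URL scheme after stripping whitespace and control characters instead of searching for the literal substring, because the parser has already decoded entities in attribute values and browsers ignore tabs and newlines inside a URL.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list (this example's assumption, not the post's): anything unlisted is removed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "code", "pre", "img", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"},
                 "span": {"style"}, "p": {"style"}}
VOID_TAGS = {"br", "img"}
# Rules 1, 4 and 5: these vanish together with everything inside them. "embed"
# has no content, so it is simply an unlisted tag and is dropped like any other.
DROP_CONTENT = {"script", "style", "title", "object"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Rule 4: inline style only, and only plain "property: value" pairs; no url(),
# expression() or anything else that needs parentheses or a colon in the value.
STYLE_RE = re.compile(r"^\s*(?:[a-z-]+\s*:\s*[#\w\s,.%-]+\s*;?\s*)+$", re.I)


def url_is_safe(value):
    """Rule 3, decided on the scheme rather than by substring search. Browsers ignore
    tabs and newlines inside a URL, so control characters and whitespace are removed
    first; otherwise a tab hidden inside the scheme would pass a plain text check."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    m = re.match(r"^([a-z][a-z0-9+.-]*):", cleaned)
    if m is None:
        return True                      # relative URL: no scheme to abuse
    return m.group(1) in SAFE_SCHEMES


def attribute_is_safe(tag, name, value):
    if name.startswith("on"):            # rule 2: event handlers
        return False
    if name not in ALLOWED_ATTRS.get(tag, set()):
        return False
    if name in ("href", "src"):
        return url_is_safe(value)
    if name == "style":
        return STYLE_RE.match(value) is not None
    return "javascript:" not in value.lower()


class Sanitizer(HTMLParser):
    """Re-serialises only what the allow-list permits. html.parser lower-cases tag and
    attribute names and decodes entities in attribute values before we see them, so an
    entity-encoded "javascript:" arrives already decoded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.drop_stack = [], [], []

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_stack.append(tag)
            return
        if self.drop_stack or tag not in ALLOWED_TAGS:
            return                       # unwrap: the tag goes, its text stays
        kept = [(n, v or "") for n, v in attrs if attribute_is_safe(tag, n, v or "")]
        rendered = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{rendered}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT:
            return                       # self-closing: nothing inside to drop
        depth = len(self.open_tags)
        self.handle_starttag(tag, attrs)
        if len(self.open_tags) > depth:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in self.drop_stack:
            while self.drop_stack.pop() != tag:
                pass
            return
        if self.drop_stack or tag not in self.open_tags:
            return
        while True:                      # rule 6: close anything left open inside it
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                return

    def handle_data(self, data):
        if not self.drop_stack:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        pass                             # comments (IE conditional comments included) are dropped

    def close(self):
        super().close()
        while self.open_tags:            # rule 6: close tags the contributor left open
            self.out.append(f"</{self.open_tags.pop()}>")


def sanitize(snippet):
    """Return a cleaned copy of a contributed HTML snippet."""
    parser = Sanitizer()
    parser.feed(snippet)
    parser.close()
    return "".join(parser.out)
```

Run sanitize() over a contribution before it is stored, and render the stored result as-is; sanitizing on output instead means every rendering path must remember to do it. The example is meant to show the shape of the rules, not to replace a maintained filtering library once one exists for your platform.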
Sunday, November 13, 2005
Wednesday, November 09, 2005
Hermosa Beach Elections Results
The election results are in.
Keegan stays! Yay!
J.R. Reviczky stays! Yay!
Art Toon yields his seat to Howard Fishman.
Measure E did not pass, yay! I liked its stated goals, but a sample ballot is no place to amend a poorly drafted measure, no matter how much its proponents want to believe it is. Let's try again by specifically designating the areas the measure is supposed to protect.
Monday, November 07, 2005
Friday, November 04, 2005
Thursday, November 03, 2005
Build Extra Secure Web Applications: IBM DevWorks
Interesting framework that could alleviate some of the more tedious bulletproofing we deal with.
Friday, October 28, 2005
Thursday, October 27, 2005
Flickr Does Printing! Finally!

This is likely already old news, but I just noticed a message on my Flickr account indicating U.S. customers can now order prints of pictures, with more countries coming soon.
This really should help them further monetize their service.
Tuesday, October 25, 2005
Protecting Documents from Google Accelerator
In light of the heated controversy surrounding Google Web Accelerator, I'm toying around with a way to produce "links" that would be immune to those technologies.
The main issue is that most user-agent implementations tie a user-interface paradigm, the "anchor", to an HTTP method, "GET".
Through scripting, there are quite a few ways to make an anchor tag more immune to accelerators and automated crawlers: a javascript: URL as the href attribute value, "#" as the href attribute value, an onclick attribute that submits a form, etc.
In an attempt to explore alternatives to scripting, I've started toying around with the "button" HTML element. So far, I've found that Mac MS IE 5 doesn't appear to support it. Everything else is looking reasonably happy.
Here's what I'm looking at so far.
It seems to work in: Opera, Gecko, Safari, Treo650/Blazer, Windows IE
It does not seem to work in: Mac MSIE5, SideKick (thanks Kevin).
Issues/Thoughts:
- Can anyone try more handheld devices?
- One might add a wee bit of scripting to set window.status.
- Removing various CSS directives from that example gets you closer to the original "button" construct, as rendered by default by the user agent. Good to play with.
- You no longer benefit from a browser's "default way of rendering a link".
- I need to test this with images. - done: it works :)
- Notice what the browser does when your mouse is "down": it lowers the text. Not sure how to override the initial "position" with CSS.
See also:
JAH, by Kevin Marks.
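The demo page the post refers to is not part of this archive. As an added example (not the author's code), the following Python renders the construct being explored, a <button> inside a POST form styled to look like a link, and pairs it with the server-side half that the post only implies: an accelerator or crawler issues GETs for the hrefs it finds, so a state-changing action is given no href at all and the handler refuses anything but POST for it. The routes, the "linkish" class name and its CSS, and the simulated prefetcher are all constructed for the example.

```python
import html
import re

# Constructed example routes: these change server state and must never be reachable
# through a plain GET, which is the only request a prefetcher or crawler sends.
STATE_CHANGING = {"/item/1/delete", "/item/1/publish"}

# Hypothetical class and CSS that make the <button> look like a link. Dropping these
# declarations gets you back to the user agent's default button rendering.
LINK_BUTTON_CSS = (
    "button.linkish { background: none; border: 0; padding: 0; margin: 0;"
    " color: #00e; text-decoration: underline; cursor: pointer; font: inherit; }"
)


def action_button(action, label):
    """Markup for a state-changing action: a <button> inside a POST form.

    Nothing here carries an href, so a crawler harvesting <a href=...> never sees
    a URL for it, and activating it is a POST that the server can insist on.
    """
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}" style="display:inline">'
        f'<button type="submit" class="linkish">{html.escape(label)}</button></form>'
    )


def render_page():
    """A constructed page mixing a safe navigation link with two state-changing actions."""
    return (
        f"<style>{LINK_BUTTON_CSS}</style>"
        '<p><a href="/item/1">View item 1</a> '
        + action_button("/item/1/publish", "publish")
        + " " + action_button("/item/1/delete", "delete") + "</p>"
    )


def handle(method, path):
    """Minimal dispatcher: state-changing routes accept POST only.

    Returns (status, headers, body); a GET on such a route gets 405, not a side effect.
    """
    if path in STATE_CHANGING:
        if method != "POST":
            return 405, {"Allow": "POST"}, "method not allowed"
        return 200, {}, f"performed {path}"
    return 200, {}, f"page {path}"


HREF_RE = re.compile(r'href="([^"]*)"')


def simulate_prefetch(page_html):
    """What an accelerator does: GET every href on the page. Returns (path, status) pairs."""
    results = []
    for path in HREF_RE.findall(page_html):
        status, _headers, _body = handle("GET", path)
        results.append((path, status))
    return results


if __name__ == "__main__":
    page = render_page()
    print(simulate_prefetch(page))          # only /item/1 is fetched; the actions are untouched
    print(handle("GET", "/item/1/delete"))  # a hand-typed GET is refused as well
    print(handle("POST", "/item/1/delete"))
```

The form does two things at once: it keeps the action out of the set of URLs a link-following agent can reach, and it lets the server treat GET on that route as an error rather than a command. The POST form by itself does not stop a submission forged from another site; a per-session token inside the form is the usual companion to this construct.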
Tuesday, October 18, 2005
On TV Tonight - KABC-TV News Channel 7 @5pm
update: 5pm: I just found the story online
Back in August, KABC-TV, channel 7 of Southern California, stopped by the house to do a brief bit on blogging.
They called me this morning, telling me they're finally airing it *TODAY 10/18/2005*. Chances are I might show up for a whole 5 seconds :)
They're saying it should air on the news that comes on at ... around ... or after 5pm. I'm never home during that time, so I really don't have a way to tape it, watch it, or see how much of a fool I made of myself, which I guess is a good thing. heh, heh.
If you're able to TiVo or VCR it, that'd be cool.
Thursday, October 13, 2005
Call an Apple an Apple: By Ian Hickson
I recently stumbled upon this caustically insightful short piece by Ian Hickson.
I share many of his frustrations, while I've come to reluctantly embrace yet another onslaught of acronyms.
These days, the surest way to call attention to your work is to file it under "Ajax" and "Web 2.0".
While a very useful tool in our shed, the almighty XmlHttpRequest object isn't a panacea for building compelling applications. It's just a newer tool, which happens to have polarized certain developers' creativity, who in turn felt compelled to create a new buzzword that would give it a more central position.
Most buzzwords to date have either focused on the wrong technology, or put too much emphasis on a particular technology.
Just to mess with the minds of the three people who read this blog, and to see whether I can either start a trend or get flamed into oblivion, I'm hereby coining one ugly acronym:
SBIIC: Standards-Based Interactive Interface Components
"sbeeek". oh yeah baby. stop the presses on those Ajax books, we've got something hot here.
ajax
Sunday, October 09, 2005
Wednesday, September 28, 2005
Damaka: Another SIP Player?
Damaka. No OS X Client! Pshah! In any case, the more players in the SIP field, the merrier!
Friday, September 23, 2005
.Mac Upgrade
I just received this from Apple:
\o/ :D
Dear .Mac Member,

.Mac membership now comes with 1 GB of combined .Mac Mail and iDisk storage. Because you purchased additional storage for this membership year, we've increased your total storage to 2 GB (and increased your monthly data transfer limit to 25 GB) for the duration of your current membership. This update has already taken place. You can use your Account Settings to take advantage of .Mac's storage flexibility and reallocate storage to best fit the way you use the service.

In addition, .Mac is now available in French and German as well as in English and Japanese. You'll also find that .Mac now includes new Backup 3 software and the ability to create .Mac Groups.

We value your membership and hope you enjoy these enhancements to your .Mac service.
Thursday, September 22, 2005
Monday, September 19, 2005
Why Phone and Cable Companies are Evil
As Philly gets close to finally inking a deal with private businesses to develop a city-wide WiFi network to help bridge the digital divide, the phone and cable companies' lobbying and scare machines are in full force. Once again, "studies" are "emerging" advising against the project:
His firm's analysis, which was funded by cable and phone companies that stand to lose customers to the Wi-Fi initiative, shows that providing Internet access wirelessly over 100 square miles would cost $31 million over five years. [ Read the Article from mcall.com ]

Of course phone companies are just a little bit scared. I can't say they didn't have it coming. Once residents start realizing that they can pay $10-$20/month for Internet connectivity and perhaps another $20-$25/month to a company such as Vonage, Lingo.com (my favorite so far), or even EarthLink for Internet-powered phone service, allowing them to make unlimited calls to anybody in the U.S. while keeping their current phone number, then paying phone companies $20/month just to have a phone line (no voicemail, call waiting, call forwarding, or any of the stuff you get for free from VoIP providers), an extra $10-$20/month in metered long-distance charges, and $50/month for basic broadband will no longer make much sense.
See also: Video Podcasting, Broadband, and You
Sunday, September 11, 2005
Om Malik is Mr. 5000
Mad congrats to Om Malik for finally reaching the 5000th post mark. He manages to juggle a very busy day job contributing insightful columns to Business 2.0 Magazine, while bringing the tech community a constant flurry of scoops and ever thoughtful commentaries.
Speaking of Business 2.0 Magazine: I recently subscribed, received my first issue, and was very impressed by the quality of its content. A subscription right now is only $10 for the whole year. At that cheap a price, I was expecting the magazine to just be a collection of ads. But it isn't!
I've also recently subscribed to the quarterly Make magazine.
I've heard good things about it, and their online journal posts are always interesting. And free! I haven't yet received my first issue, but will try to report back when I do get it.
Saturday, September 10, 2005
Live From New Orleans
Jacob Appelbaum has made it to NOLA:
What’s the plan? The plan is to help the people who’ve been without aid, without help and without hope. [Read]
Friday, September 09, 2005
Vote for Om Malik!
Om Malik says:
Okay vanity takes over - Business Week is having best of the web poll and I am against some heavy hitters in the tech-sites @ Work Category. I mean up against News.com, Slashdot, Digg, and O’Reilly Radar. Not even have a prayer, but hopefully all of you can at least help me put up a decent showing. Here is the link to cast your vote.