Ajax vulnerabilities

March 19th, 2008


Ajax vulnerabilities, originally uploaded by Noah Sussman.

This slide is from Danny Alan’s talk on XSS. I’ve read about the various JavaScript remoting attacks, but it was impressive to actually watch him paste a simple script tag into an insecure form, then later (from a remote host) play back the compromised browser’s session, including cookies, keys pressed (including passwords), all the HTML retrieved by the browser, and details about the browser’s history.

Another disturbing thought: JavaScript can talk to the Java VM via an applet. The Java VM knows the NAT address of the host machine on the internal network. If the router password and IP are known (most users leave these set to factory defaults) then JavaScript can fill out and submit any of the Web forms that control the router. So it’s theoretically possible to compromise a router with JavaScript.

The demo of Ajax XSS attacks and exploits had the best quote of the day, as well: "Oops! I accidentally hit the Back button and canceled my attack!"

Notes from Ajax World 2008, day 2

March 19th, 2008

Overall the emphasis was on XSS attacks and (the problem of) JavaScript security, proposing a “safe subset” of JavaScript; supported by the “adsafe” option in JSLint. A policy of “cooperation under mutual suspicion.” Other memes included “advertising is a mashup.”

The title of this slide was Vats: Communicating Computational Containment. Crockford said that “vats” are the solution to what he calls “the turducken problem.” That is, there is no way to reliably detect the various perfectly permissible variations of JavaScript-inside-HTML-encoded-as-a-URL.

Hybrid Cab on Mulberry Street

March 3rd, 2008


Hybrid cab, originally uploaded by Noah Sussman.

This is the first hybrid cab I have seen in the city. I think it was a Nissan but I’m bad with make-and-models.

Macbook vs. WRT54G wireless router

February 18th, 2008

Today I brought my Macbook to my mom’s house for the first time. Like me, she has a Linksys wireless router, but unlike me she is connected to the internet via Verizon DSL. Now, her Windows PC and laptop connect to the network through the router automatically (there’s no wi-fi password since this is northern Vermont and the next house is a mile away).

The Macbook likewise connected instantly to the wi-fi network, but couldn’t see the internet. When I’d try to ping a Web address, I just got “no route to host.” Very sad.

There’s no such thing as Front-End Web Development

November 7th, 2007

The problem I have with defining “front end development” is that there is no such thing.

Historically there was software called a “home page” or “web site” that was composed entirely of static HTML pages and binary files, connected by hyperlinks. It was then possible to draw a distinction between “real” programmers, who wrote in application languages like C++ and Java, and “web designers” who only wrote HTML.

This distinction was nice, because application languages are compiled, whereas HTML is interpreted by the browser. So it was likewise possible to say that “real” programmers wrote in compiled languages, while “web designers” wrote only code that was meant to be interpreted by a browser.

However, since at least 2000, most pages on the Web have been generated in whole or in part by application software. Entire languages have been developed just to generate Web UI. These include Ruby, PHP and many dialects of Java (also called Java frameworks). So it is now perfectly possible to use one of those languages to generate all of the HTML for a Web application, without actually writing any HTML.

HTML Validation

October 28th, 2007

Today I wanted to know how to get the functionality of the HTML validator Firefox extension. The extension has two modes: Tidy and SGML parser. Each of these modes reports differently on the HTML under test. Both reports can be useful (I’m not going to get into the differences here).

Specifically, I wanted to be able to generate either a Tidy or an SGML parser report from the command line. And I wanted to be able to run my report for any public Web page.


Setting up Synergy

July 16th, 2007

Today I set up Synergy, which is quite bad-ass :)
I set it up for my 2 Macs and PC at work.

MacBook!

June 30th, 2007

Because I now travel, and demonstrate programming strategies for front-end Web, I had to have a truly portable programming environment ;-)


Page Titles

June 25th, 2007

Here is the classic Nielsen article on headlines.

The best practice as he outlines it is to place the most specific information about the page /first/ in the title.
Consider Macys.com. The following is a (hypothetical) nice, useful section title that could potentially be used:

“Fine China - DINING - Dining & Entertaining - Macy*s”

The most specific information comes first, then the name of the subsection, the section, and finally the name of the web site.
This is exactly the opposite of the common approach to titles :(


del.icio.us whuffie

June 16th, 2007

Delicious Whuffie is a bookmarklet that, when clicked, adds via:username to the tags field when saving a URL from another user.

This bookmarklet is intended to be used on the “save this” page at del.icio.us. I have also created (and prefer) a version of the bookmarklet that adds the user’s tags along with via:username, as I seem to always do that as well when tagging with via:
