Blog

  • 3.5 hours chatting to customer service and the iPhone works

    We totaled it all up and 3.5 hours spent on the phone to both T-Mobile and AT&T and the iPhone works. Strangely enough she actually seems to think it’s worth it. Whatever. I’m sticking with my Blackberry for now. Who needs an interface that’s good enough to lick and those sweet animation effects and that beautiful touch screen and super-bright display anyway?

  • A great speech

    Obama’s victory speech at Iowa this evening was one of the most inspiring political speeches I’ve ever seen, particularly the second half. Watch it on cpan.org and it’ll be on YouTube tomorrow.

  • An iPhone? Thanks but I'd rather get punched in the face.

    I gave a loved one an Apple iPhone as a gift this afternoon. The happiness lasted until she started trying to transfer her cellphone number from T-Mobile (who we love) to AT&T (the only network with iPhones).

    After spending 40 minutes on the phone with an AT&T customer service rep she had to call T-Mobile and when she called AT&T back they had lost all her data – which meant another 40 minutes. It also meant they had to do another credit check which dings her credit a second time.

    She asked the AT&T rep if she could speak to a manager, got a deep sigh and the rep hung up on her. Of course she didn’t get a name.

    …she’s sitting across the way from me right now singing “…every rose has its thorn”. And amazingly she’s about to try a third time to activate her phone.

    She’s not alone. Googling for AT&T iPhone Nightmare yields thousands of miserable customer stories.

    People are quick to blame AT&T but in my humble opinion Apple are complete bastards for partnering with the crappiest network in the USA – and for turning my gift into a curse.

  • Live Caucus Map – courtesy Google

    Google has a Live Caucus Map in case you’re watching the Iowa caucuses this evening.

  • I'm a fan

    Saw this image on cnn.com this morning. It captures the essence of democracy. While I wonder if Barack knows what’s good for American business, I can’t help but like the guy.

  • Avoiding cross site request forgery in your web apps

    Google recently fixed a glaring vulnerability in Gmail that allowed an attacker to forward copies of all or some of your email to themselves by adding a filter to your Gmail account. But not before someone lost their domain name to an attacker who then proceeded to try to sell it back to them for cash.

    The Gmail bug was a cross site request forgery exploit. The attack is incredibly simple. If a user is authenticated to a website, an attacker simply gets that user to load a URL that causes the user to effectively take some sort of action on that website. So by clicking a link in an email or on a website, or by simply loading up a malicious web page that contains an image URL with the correct query string parameters, an attacker can get an unsuspecting user to “do something” on a website they’re a member of.

    Wikipedia has a good summary on CSRF and I recommend you read it if you haven’t already. Avoiding CSRF vulnerabilities in your web apps is easy: In all forms that require a user to be authenticated, simply reauthenticate them using some user-specific transient data. You could, for example, include a user’s session ID in a hidden form field and when the user submits the form check that the session ID in the form POST matches the session ID in the user’s cookie.

    If your session IDs change every time a user authenticates to your website, it effectively defeats this attack. For extra security you may want to either encrypt the session ID in the form’s hidden field, or set the hidden field’s value to an MD5 hash of the real session ID.

    The Google CSRF required a form POST which was only slightly more complex for an attacker to implement. But many CSRF attacks don’t require a POST and parameters can therefore appear in a URL query string. The effect of this is that your website can be exploited by one of your users simply loading an image on a malicious web page or in a malicious email.
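
    The hidden-field check described above, as an added example that is not code from the original post. It goes a step beyond the post's MD5 suggestion by deriving the field value with HMAC-SHA256 under a server-side secret, and it refuses state changes sent as GET; the field names, the /filters/add path and SERVER_SECRET are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a secret known only to the server (generated per process for this demo).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derive the hidden-field value from the session ID without exposing the ID."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def render_form(session_id: str) -> str:
    """Emit a form carrying the per-session token in a hidden field."""
    return (
        '<form method="POST" action="/filters/add">'  # hypothetical endpoint
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        '<input name="forward_to"><input type="submit"></form>'
    )


def is_request_allowed(method: str, cookies: dict, form: dict) -> bool:
    """Allow a state-changing request only if it is a POST whose hidden token
    matches the token derived from the session ID in the user's cookie."""
    if method.upper() != "POST":
        return False  # an image URL or link can only trigger a GET
    session_id = cookies.get("session_id")
    submitted = form.get("csrf_token")
    if not session_id or not submitted:
        return False
    expected = csrf_token(session_id).encode()
    # Constant-time comparison; bytes on both sides so odd input cannot raise.
    return hmac.compare_digest(expected, submitted.encode())


if __name__ == "__main__":
    sid = "constructed-session-id-1"  # constructed sample value
    cookies = {"session_id": sid}
    genuine = {"csrf_token": csrf_token(sid), "forward_to": "me@example.com"}
    forged = {"forward_to": "attacker@example.com"}  # cross-site page cannot read the token
    print("genuine POST:", is_request_allowed("POST", cookies, genuine))
    print("forged POST: ", is_request_allowed("POST", cookies, forged))
    print("forged GET:  ", is_request_allowed("GET", cookies, genuine))
```

    The browser attaches the session cookie to the forged request automatically, which is why the cookie alone proves nothing; the hidden field is the part a cross-site page cannot supply.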

  • The importance of not knowing what isn't possible

    A Microsoft quote from an NY Times article I’ve already cited has been bugging the crap out of me. It bugged me when I first blogged about this article and it bugged me as I wandered around B&N last night doing the last of my Xmas shopping. I wound up in the management section and picked up a book on the top 10 mistakes leaders make. Staring at me as I flipped open chapter 5 was confirmation that I wasn’t nuts.

    Here’s the quote that bugged me:

    “I’m happy that by hiring a bunch of old hands, who have been through these wars for 10 or 20 years, we at least have a nucleus of people who kind of know what’s possible and what isn’t,”

    I’ve lost count of how many times as a software developer I’ve sat down and said “I wonder if this is possible?”. When I created WorkZoo I wondered if it was possible to aggregate all the world’s jobs into a single database – and I got pretty darn close. When I created Geojoey I wondered if it was possible to have a rich pure Ajax application with a client-side MVC model – and it was. When I created LineBuzz I wondered if it was possible to post inline comments on arbitrary text on any web page – yes it’s possible. When I created Feedjit I wondered if it was possible to scale to serve real-time traffic data in a widget. We’re serving almost 100 Million real-time widgets per month now.

    I started coding on an Apple IIe and later moved to IBM PCs so in my youth Apple and Microsoft were symbols of innovation and I wanted to innovate the way they did. Apple’s still doing a great job, but it breaks my heart to see MS floundering like a fish out of water in the new world of broadband, browser standards, open source and dynamic web applications.

    Come on guys. Get it together already!! Fire those know-it-alls, hire some new blood and pretend for a moment that the past doesn’t matter and that anything is possible.

  • Microsoft Buzzquotes

    “My machine overnight could process my in-box, analyze which ones were probably the most important, but it could go a step further,” he said. “It could interpret some of them, it could look at whether I’ve ever corresponded with these people, it could determine the semantic context, it could draft three possible replies. And when I came in in the morning, it would say, hey, I looked at these messages, these are the ones you probably care about, you probably want to do this for these guys, and just click yes and I’ll finish the appointment.” ~Craig Mundie from Microsoft in today’s NY Times

    Sounds like Microsoft is working on a Positronic Brain rather than writing software for multi-core processors.

  • Shhh! Two new Feedjit widgets quietly being tested

    I’m testing two new Feedjit widgets on the right side of this page. We launched the back-end code for these tonight and they’ll only appear on the public site in a week or so after they’ve been thoroughly tested.

    The first is a simple page popularity widget that has been much-requested by our users. It shows the most popular pages for your website today.

    The second is my favorite – it’s a passive collaborative filtering widget. It suggests other pages your visitors may like based on the current page they’re viewing and the traffic patterns of previous visitors. I’ll be adding more detail about the widget and algorithm in the FAQ once published.

    If you’re an HTML hacker and an early adopter type, you can view/source of this page and grab them for your own site. To customize them, just go to Feedjit and customize the current widgets, and then grab the query string for those and append them to the new widgets’ JavaScript URL. If you do install these, I’d love to get your feedback, so email me at mark-at-feedjit.com.

    Mark.