Blog

  • Avoiding cross site request forgery in your web apps

    Google recently fixed a glaring vulnerability in Gmail that allowed an attacker to forward copies of all or some of your email to themselves by silently adding a filter to your Gmail account. But not before someone lost their domain name to an attacker who then proceeded to try to sell it back to them for cash.

    The Gmail bug was a cross site request forgery (CSRF) exploit. The attack is incredibly simple, and it works because a browser attaches a site’s cookies to every request it sends to that site, no matter which page the request came from. So if a user is authenticated to a website, an attacker simply gets that user’s browser to send a request that performs some action on that website, and the site accepts it because the session cookie comes along for the ride. By clicking a link in an email or on a website, or by simply loading a malicious web page that contains an image URL with the right query string parameters, an unsuspecting user can be made to “do something” on a website they’re a member of.

    Wikipedia has a good summary of CSRF and I recommend you read it if you haven’t already. Avoiding CSRF vulnerabilities in your web apps is straightforward: in every form that performs an action for an authenticated user, reauthenticate them using some user-specific transient data that an attacker cannot know. You could, for example, include a value tied to the user’s session ID in a hidden form field, and when the user submits the form check that the value in the form POST matches the one derived from the session ID in the user’s cookie. An attacker’s page can trigger a request to your site, but the browser’s same-origin policy stops it from reading your pages or the victim’s cookies, so it has no way to fill in that field.

    As long as session IDs are unguessable (and they should change every time a user authenticates, so an old one can’t be reused either), this defeats the attack: the forged request arrives without the right hidden value and the check fails. Don’t put the raw session ID into the page, though. Anything that exposes page content, such as a cached copy or a cross-site scripting bug, would then expose the session itself. Instead set the hidden field’s value to a keyed hash (an HMAC with a server-side secret) of the session ID, or to a separate random token stored in the session. A plain MD5 hash of the session ID keeps the ID out of the page, but a keyed hash is the safer choice because nobody without the server secret can compute it. Whichever you choose, compare the submitted value using a constant-time comparison so the check doesn’t leak the token through response timing.

    The Google CSRF required a form POST, which is only slightly more work for an attacker: a malicious page can carry a hidden form pointing at your site and submit it with one line of JavaScript as soon as the page loads. Many CSRF attacks don’t even need a POST, because the vulnerable action accepts its parameters in a URL query string. In that case your website can be exploited by one of your users simply loading an image on a malicious web page or in a malicious email. So make state-changing actions POST-only, but don’t treat that as the defense; the token check is what actually stops the attack.
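    The token check described above, as an added example that is not part of the original post or of any real Gmail code. Everything here is constructed for illustration: the server secret, the victim’s session ID, the hypothetical “add a mail filter” form and its handler, the attacker’s auto-submitting page, and a stub that plays the browser. It derives the hidden-field value as an HMAC of the session ID, shows the legitimate submission passing, and shows both the forged POST (attacker’s form, no usable token) and the forged GET (image URL with query string parameters) being rejected.

```python
import hashlib
import hmac
import re
import secrets
from urllib.parse import parse_qs, urlencode

# Constructed for this example: a server-side secret (in a real app load it
# from configuration, never hard-code it) and one victim session ID of the
# kind a login handler would have set in the session cookie.
SERVER_SECRET = b"example-only-server-secret-rotate-me"
VICTIM_SESSION_ID = secrets.token_hex(16)

# Constructed attacker page: a hidden form aimed at the site (hostname is made
# up), submitted by script as soon as the victim's browser loads it.  The
# attacker cannot read the victim's session cookie or the site's pages, so
# there is no csrf field they could fill in.
ATTACKER_PAGE = (
    '<form id="f" method="POST" action="https://mail.example/filters/add">'
    '<input type="hidden" name="forward_to" value="attacker@evil.example">'
    '</form><script>document.getElementById("f").submit()</script>'
)


def csrf_token(session_id: str) -> str:
    """Hypothetical helper: derive the hidden-field value from the session ID.

    A keyed hash means the page never carries the raw session ID, and nobody
    without SERVER_SECRET can compute the token for a given session.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_filter_form(session_id: str) -> str:
    """Hypothetical 'add mail filter' form as the site renders it for a
    logged-in user; the CSRF token rides in a hidden field.  The text input's
    value stands in for what the user typed."""
    return (
        '<form method="POST" action="/filters/add">'
        f'<input type="hidden" name="csrf" value="{csrf_token(session_id)}">'
        '<input type="text" name="forward_to" value="me@example.com">'
        '<input type="submit" value="Add filter">'
        "</form>"
    )


def browser_submit(form_html: str) -> str:
    """Stub browser: serialise the form's named inputs into a POST body.
    It does exactly the same thing whether the form is the site's own or the
    attacker's, which is the whole point of CSRF."""
    fields = re.findall(r'<input[^>]*name="([^"]+)"[^>]*value="([^"]*)"', form_html)
    return urlencode(fields)


def handle_add_filter(cookie_session_id: str, method: str, body: str) -> tuple:
    """Hypothetical server handler.  Returns (HTTP status, message).

    cookie_session_id is whatever the browser sent in the session cookie.  It
    arrives on every request to the site, so on its own it says nothing about
    where the request originated; the hidden-field token is the evidence.
    """
    if method != "POST":
        # A state change reachable by GET is triggered by a bare <img src=...>.
        return 405, "state-changing actions must be POSTed"
    params = parse_qs(body)
    submitted = params.get("csrf", [""])[0]
    expected = csrf_token(cookie_session_id)
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return 403, "CSRF token missing or wrong"
    forward_to = params.get("forward_to", [""])[0]
    return 200, f"filter added: forward mail to {forward_to}"


def legitimate_submission(session_id: str) -> tuple:
    """The real user loads the site's form and submits it."""
    body = browser_submit(render_filter_form(session_id))
    return handle_add_filter(session_id, "POST", body)


def forged_post_submission(session_id: str) -> tuple:
    """The victim's browser auto-submits the attacker's form.  The session
    cookie is attached as usual, but the token is not there."""
    body = browser_submit(ATTACKER_PAGE)
    return handle_add_filter(session_id, "POST", body)


def forged_get_submission(session_id: str) -> tuple:
    """The <img src="...?forward_to=..."> variant: no POST, parameters in the
    query string, which the handler refuses before looking at any token."""
    return handle_add_filter(session_id, "GET", "forward_to=attacker%40evil.example")


if __name__ == "__main__":
    print(legitimate_submission(VICTIM_SESSION_ID))
    print(forged_post_submission(VICTIM_SESSION_ID))
    print(forged_get_submission(VICTIM_SESSION_ID))
```

    The other common design is a random per-session token generated at login and stored server-side alongside the session; the check is the same, only the token is looked up instead of recomputed. Either way the token must be per-session (or per-form), never a site-wide constant, and the secret must never appear in the page.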

  • The importance of not knowing what isn't possible

    A Microsoft quote from an NY Times article I’ve already cited has been bugging the crap out of me. It bugged me when I first blogged about this article and it bugged me as I wandered around B&N last night doing the last of my Christmas shopping. I wound up in the management section and picked up a book on the top 10 mistakes leaders make. Staring at me as I flipped open chapter 5 was confirmation that I wasn’t nuts.

    Here’s the quote that bugged me:

    “I’m happy that by hiring a bunch of old hands, who have been through these wars for 10 or 20 years, we at least have a nucleus of people who kind of know what’s possible and what isn’t,”

    I’ve lost count of how many times as a software developer I’ve sat down and said “I wonder if this is possible?”. When I created WorkZoo I wondered if it was possible to aggregate all the world’s jobs into a single database – and I got pretty darn close. When I created Geojoey I wondered if it was possible to have a rich pure Ajax application with a client-side MVC model – and it was. When I created LineBuzz I wondered if it was possible to post inline comments on arbitrary text on any web page – yes, it’s possible. When I created Feedjit I wondered if it was possible to scale to serve real-time traffic data in a widget. We’re serving almost 100 million real-time widgets per month now.

    I started coding on an Apple IIe and later moved to IBM PCs, so in my youth Apple and Microsoft were symbols of innovation and I wanted to innovate the way they did. Apple’s still doing a great job, but it breaks my heart to see MS floundering like a fish out of water in the new world of broadband, browser standards, open source and dynamic web applications.

    Come on guys. Get it together already!! Fire those know-it-alls, hire some new blood and pretend for a moment that the past doesn’t matter and that anything is possible.

  • Microsoft Buzzquotes

    “My machine overnight could process my in-box, analyze which ones were probably the most important, but it could go a step further,” he said. “It could interpret some of them, it could look at whether I’ve ever corresponded with these people, it could determine the semantic context, it could draft three possible replies. And when I came in in the morning, it would say, hey, I looked at these messages, these are the ones you probably care about, you probably want to do this for these guys, and just click yes and I’ll finish the appointment.” ~Craig Mundie from Microsoft in today’s NY Times

    Sounds like Microsoft is working on a Positronic Brain rather than writing software for multi-core processors.

  • Shhh! Two new Feedjit widgets quietly being tested

    I’m testing two new Feedjit widgets on the right side of this page. We launched the back-end code for these tonight and they’ll only appear on the public site in a week or so after they’ve been thoroughly tested.

    The first is a simple page popularity widget that has been much-requested by our users. It shows the most popular pages for your website today.

    The second is my favorite – it’s a passive collaborative filtering widget. It suggests other pages your visitors may like based on the current page they’re viewing and the traffic patterns of previous visitors. I’ll be adding more detail about the widget and algorithm in the FAQ once published.

    If you’re an HTML hacker and an early adopter type, you can view the source of this page and grab them for your own site. To customize them, go to Feedjit, customize the current widgets, then take the query string from those and append it to the new widgets’ JavaScript URL. If you do install these, I’d love to get your feedback, so email me at mark-at-feedjit.com.

    Mark.

  • California Fire Satellite Map

    I found this image on the awesome http://firefighterblog.blogspot.com/, which is getting a lot of traffic today and is posting a constant stream of fire updates, so be sure to subscribe to his feed if you’re following the fires.

    Originally from the MODIS instrument on the Terra polar-orbiting satellite (click the image for the source). The fire appears to have crossed the southern US border.

  • Server Downtime == Police Barricades and Angry World Series Fans

    Paciolan is managing ticket sales for the Colorado Rockies. Their servers were hit with over 1,500 requests per second, and it took down not only the Rockies’ ticket sales infrastructure but all of Paciolan’s other customers too.

    They claim to have been hit by a DDoS attack, but that’s hard to prove or disprove when corporate firewalls and AOL proxies funnel many legitimate users through a single IP address – it looks just like a DDoS attack but it actually isn’t.

    Is 1,500 requests per second a lot? No. Feedjit (my site) peaks at 140 requests per second and does it with just two servers – and the data it’s serving is dynamic.

    So a cluster of 10 to 30 servers should easily handle the load they’ve described – especially since all it’s doing is queueing visitors and only letting a handful through, which is what Paciolan’s ticketing software does.

    The result? Police are erecting barricades around Coors Field. Here’s a quote from cNet:

    “…many fans are apparently converging near Coors Field in hopes that the team will sell tickets in person through the box office; so many in fact that the police have closed streets around the ballpark and are erecting barricades, the paper reported.”

    Ticketmaster is trying to buy Paciolan – the deal is currently under government review. Ticketmaster runs mod_perl (and so does Feedjit), and some very smart people who know a lot about scalability (and whom I used to work with) work for Ticketmaster. So hopefully the deal will go through and mod_perl will come to the rescue.

    btw, I’m doing a short talk in 2 days on how to scale your web servers fast based on my experience scaling Feedjit.

  • Wikipedia, Vulcans, Suss-Mahn and cerebral entropy

    In case you were looking for it, here’s a list of fictional martial arts courtesy of wikipedia…

    http://en.wikipedia.org/wiki/List_of_fictional_martial_arts

    How did I arrive there? I was researching Vulcans.

    There’s a martial art called Suss-Mahn used by T’Pol in one of the Enterprise episodes (which I just watched for $1.99 courtesy of the awesome Unbox), and it’s named after producer Mike Sussman.

  • More press…

    I got a few emails from folks in Texas this morning. Looks like John Cook’s article about rapid startups made it into Statesman.com.

  • South Africa are the new Rugby world champs!!!!!!!!!!

    It was a tougher game than I expected – in fact it was a bit of a nail-biter. But we won, and Bryan Habana has been named player of the year by the International Rugby Board. 🙂

    It was cool hanging out with other South Africans at St Andrews pub in Green Lake watching the game (the Kiwi and Kangaroo was full), but I was bummed when someone told me Lucky Dube had been killed in a car jacking. One day someone’s going to fix crime in South Africa. Let’s just hope that day comes soon.