16 Feb

ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools

Most members of Anonymous would prefer to stay, well, anonymous. But as the group has engaged in increasingly high-profile attacks on government and corporate websites, doing so effectively and staying out of harm’s way have become an ever-growing challenge. To protect itself, the group has altered its tactics over the past year to both increase the firepower of its attacks and shield members from the prying eyes of law enforcement.

via ArsTechnica – High Orbits and Slowlorises: understanding the Anonymous attack tools. Fascinating look into both some of the tools Anonymous uses to launch its attacks and how it/they attempt to stay anonymous.

12 Sep

Read Write Web – How’s Mozilla Doing with Do Not Track? Not So Good

Get the picture? Don’t get me wrong – I love the idea behind DNT, but the implementation is wholly ineffective. So much so that Firefox ought to include a big warning in its privacy preferences lest users be lulled into a sense of complacency. Another suggestion for Mozilla and other browser vendors that support DNT? Include a big warning for Web sites that don’t honor DNT settings.

via Read Write Web – How’s Mozilla Doing with Do Not Track? Not So Good. Do Not Track is a nice idea but not much more than that.

27 Aug

Tantek – How many ways can you slice a URL and name the pieces?

I was developing a small single purpose microsite and decided to build it using CASSIS not just for application logic, but for the server-side runtime execution and flow as well. I figured the needs of a simple real world site would work well to drive the design of a simple runtime.

No need to invent anything new, just re-use Apache/CGI environment variables (e.g. as used in PHP, like SERVER_NAME). But they look like old C constants, and CASSIS coders will be more familiar with JavaScript.

Window.location’s properties seem reasonable, until you get to "search" for the "?" query part of a URL. What about the source, the specs for URL and HTTP? And that’s when I started to see the problem.

With a little more research I found a half-dozen different ways to slice and dice URLs. Kevin Marks asked me, what about Python? And that made seven. I published my research publicly on the microformats wiki, which is a good place to document existing formats for something (a key step in the microformats process).

Among all the differences (and overloading of the same terms to mean different things) it did seem that there were some patterns. So I made a diagram of a sample URL, chopped into pieces and named according to seven different conventions over the years, in the hopes that doing so might reveal such patterns.

via Tantek – How many ways can you slice a URL and name the pieces? Or standards are so awesome everyone keeps making a new one.
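To see the overloading Tantek describes side by side, here is an added example (my code, not from his post or the microformats wiki) that slices one constructed sample URL under three of the conventions he compares: RFC 3986, the browser’s window.location / URL API, and Apache/CGI environment variables. The script path used to split SCRIPT_NAME from PATH_INFO is an assumption, since the server rather than the URL decides where that split falls.

```javascript
// Added example: one URL, three naming conventions. Sample URL is constructed.
// Parser from RFC 3986 Appendix B; capture-group numbers follow the RFC.
const RFC3986 = /^(([^:\/?#]+):)?(\/\/([^\/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?/;

// RFC 3986 names: scheme, authority, path, query, fragment (no delimiters kept).
function sliceRfc3986(url) {
  const m = RFC3986.exec(url);
  return { scheme: m[2], authority: m[4], path: m[5], query: m[7], fragment: m[9] };
}

// window.location / URL API names. Note the overloaded terms: "host" includes
// the port, "search" keeps its leading "?" and "hash" its leading "#", and
// "protocol" keeps the trailing ":" that RFC 3986's "scheme" drops.
function sliceLocation(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol, host: u.host, hostname: u.hostname, port: u.port,
    pathname: u.pathname, search: u.search, hash: u.hash,
  };
}

// Apache/CGI variable names for the same request. scriptPath is assumed: the
// server maps some prefix of the path to a script and the rest is PATH_INFO.
// The fragment never reaches the server, so no CGI variable carries it.
function sliceCgi(url, scriptPath) {
  const u = new URL(url);
  if (!u.pathname.startsWith(scriptPath)) throw new Error("scriptPath is not a path prefix");
  return {
    SERVER_NAME: u.hostname,
    SERVER_PORT: u.port || (u.protocol === "https:" ? "443" : "80"),
    SCRIPT_NAME: scriptPath,
    PATH_INFO: u.pathname.slice(scriptPath.length),
    QUERY_STRING: u.search.slice(1),
  };
}

// All three slicings of one URL, for laying the conventions next to each other.
function compareConventions(url, scriptPath) {
  return {
    rfc3986: sliceRfc3986(url),
    location: sliceLocation(url),
    cgi: sliceCgi(url, scriptPath),
  };
}

// Constructed sample URL with a port, a script path plus extra path, a query and a fragment.
const SAMPLE = "https://example.com:8443/app/index.php/page/1?q=a%20b#top";
// compareConventions(SAMPLE, "/app/index.php") shows e.g. authority "example.com:8443"
// (RFC) vs host "example.com:8443" and hostname "example.com" (Location) vs
// SERVER_NAME "example.com" and SERVER_PORT "8443" (CGI).
```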

15 Jul

Mark Story – My thoughts on the built-in php server

Earlier today I saw the announcement that PHP5.4 will have a built-in web server. I mentioned on Twitter that I wasn’t too happy about the server being added. In the discussion that followed, I feel like I wasn’t able to properly convey my thoughts through tweets. I figured I might be able to better explain myself in a post.

I have mixed feelings about the built-in web server to be honest. Having a low effort web server is great for lowering the barrier to entry when building things with PHP. I can also appreciate the instantaneous feedback you get from a simple command line server, and not needing to fiddle with Apache or other more complex web servers. All of these things seem really great in isolation, and when you ignore some of the problems that it creates.

I can think of a few problems that the new command line server creates. First, while it’s intended for quick and dirty development, it will invariably end up being used as a production server somewhere. PHP already has a spotty track record with providing features meant to be helpful, but later become painful. I’m thinking of things like magic quotes and register globals. All of these features were at some level intended to make development easier. Instead they have become huge headaches, and are only now being removed.

via Mark Story – My thoughts on the built-in php server. I think he reached into my brain and said exactly what I was thinking.

11 Jan

Electronic Frontier Foundation – EFF Calls for Immediate Action to Defend Tunisian Activists Against Government Cyberattacks

Demonstrations and protests over unemployment and poor living conditions have been ongoing in Tunisia since the beginning of December, but last week the Tunisian government turned up the heat on bloggers, activists, and dissidents by launching a JavaScript injection attack that siphoned off the usernames and passwords of Tunisians logging in to Google, Yahoo, and Facebook. The Tunisian government has used these stolen credentials to log in to Tunisians’ email and Facebook accounts, presumably downloading their messages, emails, and social graphs for further analysis, and then deleting the accounts entirely.

via Electronic Frontier Foundation – EFF Calls for Immediate Action to Defend Tunisian Activists Against Government Cyberattacks. Umm, wow, glad I don’t live in Tunisia.