Wednesday, January 31, 2007

Are you a Firebug power user ?

If you think you know everything there is to know about developing Javascript with Firebug, think again !
Click the title to go to the Ajaxian blog entry where Joe Hewitt demonstrates Firebug for power users.

Tuesday, January 30, 2007

Javascript rocks ... seriously

The Ajaxian has a blog post about a javascript api that allows developers to integrate sound into their webpages. Meebo's been doing this a while. It's nice to see that we'd be able to do it too now, thanks to this api.

Sunday, January 28, 2007

She sings a love song to a Mac Pro

I think I'm starting to crave for one of them Macs.
Click the title to see a Filipina singing modified lyrics of James Blunt's "You're Beautiful" to a Mac Pro. Hilarious !

Sunday, January 21, 2007

Enjoying my Seafood in spite of my allergies

I count myself as one of the many that are allergic to seafood, specifically shrimp and crab. In my younger years, I found that I must stay away from food with those ingredients unless I want to end up with itchy red blotches all over my face and body.

While growing up, I discovered that certain things will allow me to enjoy seafood without very adverse effects.

1 - Devein the shrimp. Deveining removes the vein or the dark line that runs along the back of the shrimp. I noticed my allergies are less intense when eating deveined shrimp.

2 - Avoid the head of the shrimp. It seems whatever is causing my allergies, as far as shrimp goes, is heavily concentrated in the head so I stay away from it and eat the body only.

3 - Cider Vinegar and Pepper. I dip shrimp and crab meat in cider vinegar with pepper before I put it in my mouth. I feel that it tastes really good and more importantly it seems to counteract the itchiness I usually get in my mouth after eating it.

4 - Lemon. I discovered this while dining at a UCC coffee shop. The water they served smelled like rubbing alcohol, at least it did to me. I inquired and it was in fact lemon and NOT rubbing alcohol. It seems dipping shrimp and crab in lemon has the same effect as cider vinegar and pepper. Alternatively, I found that I could chase away the itchiness in my mouth if I drink water with some lemon juice.

WARNING : The above are based on my personal experiences only. I classify my condition as mild. People with very serious reactions to seafood like shrimp or crab should consult a physician. As mild as the term "allergy" sounds, there have been known incidents of people dying due to allergic reactions. You have been warned !

Wednesday, January 10, 2007

there's an iPhone after all

I can't count myself an Apple "fanboy" just yet but since the news broke out that "pigs can fly" I've been pretty keen about the goings on in the world of Macintosh.

Just a few hours ago Steve Jobs announced to an ecstatic crowd the availability of a mobile phone developed by Apple. I'm not sure I share the same sentiment. It's cool but will it fly this June 2007 ?

Monday, January 08, 2007

Are you on the list ?

I don't get to watch a lot of television. Heck, it's been so long since I've been to a movie theatre I can't even remember what it's like inside. It's a good thing because by the time I figure out that it's something I like to watch ...

- It'll be on the internet (e.g. youtube, peekvid, dailymotion).
- If it's a TV series, I can watch all the episodes in succession without worrying about schedules.

One thing I did notice about my TV and movie habits is how much of the stuff I watch is about super heroes. Not heroism in the patriotic everyday sense but rather seemingly ordinary people with extraordinary abilities.

Heroes is no exception.

What's different about it is that it's good, really good. It's the kind of series that makes you ask the obvious questions but keeps you engaged with the wonder of discovering the answers. Like the recent big screen incarnations of Spiderman and Superman, the writers attempt to add the 'human' component. The characters are not portrayed as 'super heroes' but as human beings with special abilities. Yes, there's a difference. The former connotes a level that you or I can never achieve while the latter identifies us mere mortals with the characters.

If you're in the US, you'll be able to see the episodes from http://www.nbc.com/Heroes/episodes/. Outside the US, I would suggest http://www.peekvid.com.

Friday, January 05, 2007

Google Answer to Filling Jobs Is an Algorithm

I didn't realize that Google has so many employees already, 10,000 and counting.
They've been known to do the most innovative things to attract prospective employees. Remember the math problem on the billboard ?
Looks like they're going to go a step further and innovate the selection process with an algorithm.
Click on the title to read the NY Times article.

Tuesday, January 02, 2007

Gmail's CSRF Security Flaw, is OpenACS vulnerable to a CSRF attack ?

For those interested to read about Gmail's CSRF security flaw, click the title to go directly to the article over at Ajaxian.

Don't be misled: just because it's in the Ajaxian doesn't mean that this is purely a problem with web applications that use Ajax. In fact, if I understand CSRF correctly, an out-of-the-box OpenACS application that uses ad_form is possibly vulnerable. Well, except for the login form :-) Curious ? Read on ....

What is CSRF ?

CSRF is an acronym for "cross site request forgery". Also known as "session riding", it describes a malicious exploit where a script takes advantage of an authenticated session to get information from the site your browser is currently authenticated with: in Gmail's case your contact list, but in other cases your personal or, worse, your financial information.

How does it Work ?

The players involved are (A) you, the user, (B) the site with the malicious script and (C) the website where you are currently logged in or authenticated with. Examples of (C) are Gmail, your online banking website or an OpenACS web application.

The scenario would go something like this.

The user (A) logs in to (C) and stays logged in by checking "Remember me on this computer". In another window or tab, (A) goes to a website (B) with the malicious script. The script in (B) gets executed either by clicking a link or by loading a page. The script from (B) then accesses (C) using the authenticated session and attempts to retrieve information like your contact list or other information.

Javascript can't do that ! Can it ?

Javascript is not supposed to have access to cookies from other domains. Cookies are used to determine if a user is logged in to a site. They contain session information and other user specific information, hence the browser imposes this cross domain limitation on javascript. In short, you can't use javascript to fake or manipulate the cookies of other domains.

So this exploit will only work if the user (A) is logged in to (C) at the moment the script in (B) is executed.

Where did Gmail go wrong ?

In the case of Gmail, they were exposing a URL that returned JSON structured data containing the contact list information. Hence you can actually put this URL in a script tag with the src pointing to it. Like so:

<script type="text/javascript" src="http://docs.google.com/data/contacts?out=js&show=ALL&psort=Affinity&callback=google&max=99999"></script>

While the browser prevents javascript from one domain from controlling a window in another domain, it does allow a page to specify a javascript source file from another domain.

I'm sure Gmail checks that the user is logged in before actually serving the javascript source file, but after this check it has no way of knowing for sure whether it was the user who requested it or a script from a malicious website (B).

Is my OpenACS Web Application vulnerable ?

Unless your OpenACS application is running a web service or providing some sort of API, chances are it's not.

he turned down an offer from Google

This post is about a year old, but it is nevertheless an interesting read.
He blogs about how his 2-day interview with Google went and how (and, more importantly, why) he turned down their offer.