Simon Willison’s Weblog


January 2009

Jan. 2, 2009

The compiler only pays attention to the semicolons and braces while ignoring the line breaks and indentation, but humans usually only pay attention to the line breaks and indentation while ignoring the semicolons and braces. This gives the code the opportunity to lie about what it’s really doing. Consequently we need to take extra care when writing in C, Java, C++, C# etc.

Elliotte Rusty Harold

# 10:26 am / c, codestyle, elliotte-rusty-harold, indentation, java, syntax

OSM 2008: A Year of Edits (via) Stunningly beautiful visualisation of the year in OpenStreetMap.

# 10:34 am / visualisation, openstreetmap, mapping

Antipatterns for sale. Twply collected over 800 Twitter usernames and passwords (OAuth can’t arrive soon enough) and was promptly auctioned off on SitePoint to the highest bidder.

# 10:48 am / passwordantipattern, jeremy-keith, sitepoint, oauth, twitter, security, passwords

Wikipedia over DNS. Added to my ~/bin/ directory as dns-wikipedia.sh: host -t txt $1.wp.dg.cx

# 11:29 am / wikipedia, dns

Jan. 5, 2009

Talking about OpenID. “So a relying party walks in to a bar...”

# 10:46 am / openid, jargon, relyingparty, comic

The username/password key's major disadvantage is that it opens all the doors to the house. The OAuth key only opens a couple doors; the scope of the credentials is limited. That's a benefit, to be sure, but in Twitter's case, a malicious application that registered for OAuth with both read and write privileges can do most evil things a user might be worried about.

Alex Payne

# 10:47 am / phishing, alex-payne, oauth, security, twitter

MemcacheDB. A server that speaks the memcache protocol but uses Berkeley DB for reliable persistent storage. Speedy: 20,000 writes/second and 60,000+ reads/second. Includes a full replication mechanism (with custom memcache protocol commands) based on Berkeley DB’s.

# 12:37 pm / replication, memcachedb, berkeleydb, memcache, scaling, keyvaluepairs

Travel time to major cities: A global map of Accessibility (via) Visualisation developed by the European Commission and the World Bank.

# 1:24 pm / europeancommission, worldbank, maps, visualisation

Jan. 6, 2009

As more details become available, it seems what happened is that a Twitter administrator (i.e., employee) gave their password to a 3rd party site because their API requires it, which was then used to compromise Twitter's admin interface.

Blaine Cook

# 9:37 am / oauth, twitter, security

Update on the “antipatterns for sale” Twply auction (via) The collected username and password database is NOT included in the auction.

# 9:41 am / antipatterns, twply, twitter

The Twitter administrator hack was a dictionary attack. I quoted Blaine earlier suggesting that the recent Twitter mass-hack was due to a Twitter admin password being scooped up by a rogue third party application—this was not the case, as Alex Payne explains in a comment.

# 11:56 pm / alex-payne, blaine-cook, twitter, security

Jan. 7, 2009

Weak Password Brings “Happiness” to Twitter Hacker. The full story on the Twitter admin account hack. I bet there are a LOT of web applications out there that don’t track and rate-limit failed password attempts.

# 12:04 pm / twitter, passwords, security, hacking

Rate limiting with memcached

On Monday, several high profile “celebrity” Twitter accounts started spouting nonsense, the victims of stolen passwords. Wired has the full story—someone ran a dictionary attack against a Twitter staff member, discovered their password and used Twitter’s admin tools to reset the passwords on the accounts they wanted to steal.

[... 910 words]
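The two entries above make the same point: a login form that never counts its failures is an open invitation to a dictionary attack. The block below is an added example (not code from Simon's post or from Twitter) of the defensive half of that: counting failed attempts per account in per-minute buckets and refusing further attempts once a threshold is crossed. A `Map`-backed `FakeMemcache` class stands in for memcached, exposing only the `add`, `incr` and `get` semantics the limiter needs; the `attemptLogin` function, the `users` map and the plain-text password comparison are simplifications for the demo.

```javascript
// Added example, not from the original post: rate-limit failed logins per
// account using memcache-style counters. FakeMemcache mimics the three
// memcache operations used (add = set-if-absent, incr, get) with expiry, so a
// real client could be dropped in; timestamps are passed explicitly for
// deterministic testing.
class FakeMemcache {
  constructor() { this.data = new Map(); }
  // add: store only if the key is absent (or expired); true on success.
  add(key, value, ttlSeconds, now) {
    this.expireIfStale(key, now);
    if (this.data.has(key)) return false;
    this.data.set(key, { value, expires: now + ttlSeconds * 1000 });
    return true;
  }
  // incr: increment an existing numeric key; undefined if it does not exist.
  incr(key, delta, now) {
    this.expireIfStale(key, now);
    const entry = this.data.get(key);
    if (!entry) return undefined;
    entry.value += delta;
    return entry.value;
  }
  get(key, now) {
    this.expireIfStale(key, now);
    const entry = this.data.get(key);
    return entry ? entry.value : undefined;
  }
  expireIfStale(key, now) {
    const entry = this.data.get(key);
    if (entry && entry.expires <= now) this.data.delete(key);
  }
}

class FailedLoginLimiter {
  // windowMinutes: how many one-minute buckets to sum; maxFailures: threshold.
  constructor(store, { windowMinutes = 5, maxFailures = 10 } = {}) {
    this.store = store;
    this.windowMinutes = windowMinutes;
    this.maxFailures = maxFailures;
  }
  bucketKey(subject, minute) { return `failed:${subject}:${minute}`; }
  // Record one failure in the bucket for the current minute. The add/incr
  // pair is the usual memcache idiom: add creates the counter at 1, and if
  // the key already exists incr bumps it.
  recordFailure(subject, now) {
    const minute = Math.floor(now / 60000);
    const key = this.bucketKey(subject, minute);
    const ttl = (this.windowMinutes + 1) * 60; // outlive the window slightly
    if (!this.store.add(key, 1, ttl, now)) this.store.incr(key, 1, now);
  }
  // Sum the failures recorded in the last windowMinutes buckets.
  failuresInWindow(subject, now) {
    const minute = Math.floor(now / 60000);
    let total = 0;
    for (let i = 0; i < this.windowMinutes; i++) {
      total += this.store.get(this.bucketKey(subject, minute - i), now) || 0;
    }
    return total;
  }
  isBlocked(subject, now) {
    return this.failuresInWindow(subject, now) >= this.maxFailures;
  }
}

// Simplified login handler: consult the limiter before checking the
// password, and record a failure on a wrong password. `users` maps usernames
// to plain-text passwords purely for the demo; a real check compares hashes.
function attemptLogin(limiter, users, username, password, now) {
  if (limiter.isBlocked(username, now)) return 'rate_limited';
  const ok = users.has(username) && users.get(username) === password;
  if (!ok) limiter.recordFailure(username, now);
  return ok ? 'ok' : 'bad_password';
}
```

Keying on the username alone means a third party who knows an account name can lock its owner out for the length of the window, so a deployment would typically keep a second counter keyed on the client address (or both) and return a generic error for the blocked case; the window and threshold here are small so the behaviour is visible in a test.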

Gaza OpenStreetMap Update. “We’re looking into purchasing satellite imagery for the north or the entirety of Gaza. There’s actually B/W imagery available from yesterday!”

# 11:10 pm / gaza, openstreetmap, mapping, satellite, mikel-maron

Jan. 8, 2009

Wetpaint no longer supports OpenID. I missed this, but they turned off their OpenID support in November due to low usage and high maintenance costs.

# 2:53 pm / openid, wetpaint

The simple truth is that in the age of Web 2.0/3.0, in the era of cloud and utility computing, the application server is a commodity. A commercial, proprietary app server simply cannot survive in this environment anywhere outside the lethargic, soft-padded walls of the enterprise.

Aral Balkan

# 6:10 pm / appservers, commoditisation, coldfusion, aral-balkan, open-source, enterprise

why’s potion. why’s latest project is a small, fast language (JIT to x86/x86-64) which seems to take ideas from Ruby, Lua, Python and who knows where else. Everything is based around objects, closures and mixins, with the delightful inclusion of scoped mixins so you can modify an object only within a certain module (hence avoiding Ruby’s action-at-a-distance problems).

# 6:37 pm / ruby, whytheluckystiff, potion, programming, languages, jit, lua, mixins, closures

How we use IRC at Last.fm. With IRCCat, an elegant Java IRC bot that accepts Twitter-like messages to a network port (generally sent using netcat) and directs them to a user or channel.

# 7:04 pm / netcat, nc, irccat, irc, lastfm, richard-jones, java

Jan. 9, 2009

Manage Amazon EC2 With New Web-Based AWS Management Console. Finally! I’m amazed it took Amazon so long to do this. Managing EC2 instances from a custom Firefox extension was pretty bizarre. It’s a very nice interface, built on top of YUI. Unfortunately you still have to manage your entire virtual server farm using a single shared Amazon account.

# 9:34 am / amazon, aws, ec2, cloud-computing, yui, javascript

The Django Book: Version 2.0 (via) Adrian’s working on a new edition of the Django Book updated to cover version 1.0. As with the first edition, it will be available free online in addition to a published Apress paperback. The first three chapters are now available.

# 2:54 pm / adrian-holovaty, django, book, python, apress

Jan. 12, 2009

instanceof considered harmful (or how to write a robust isArray). JavaScript’s instanceof operator breaks when dealing with objects that may have been created in a different document or frame, since constructors are unique to each frame. Instead, you can check for arrays using the default Object.toString method, which the JS spec guarantees will return [object Array].

# 10:55 am / arrays, javascript, instanceof, tostring, frames

Powering a Google search. I thought the recent estimate of each Google search producing 7g of CO2 was a little high—Google have responded with a claim that the amount is 0.2g instead.

# 11:15 am / co2, google

Leo Hickman on the carbon cost of Googling. Alex Wissner-Gross (who published the 7g/search figures) appears to be including Google’s extra capacity, so total CO2 output divided by number of searches. Google’s 0.2g/search estimate includes just the energy used by the servers processing your query.

# 3:31 pm / google, co2, leohickman, alex-wissner-gross

A Snapshot of The Yahoo! Photos Beta (from 2006). Scott Schiller shares an internal retrospective on the Yahoo! Photos interface from 2006, which was years ahead of its time (they started building it before the term Ajax had even been coined). The material on memory management and event delegation is particularly interesting.

# 10:21 pm / eventdelegation, scott-schiller, yahoo, yui, yahoophotos, ajax, javascript

Jan. 13, 2009

Visualising Radio, pushing, not pulling. The BBC’s new radio player uses Comet over a Flash XMLsocket connection transport, with an ActiveMQ message queue behind the scenes. I’d like to know what server they’re using to broadcast out to the XMLsocket connections.

# 12:59 am / bbc, duncanrobertson, activemq, comet, flash, javascript, xmlsocket

What the Internet has actually done is not decimate literary reading; that was really a done deal by 1970. What it has done, instead, is brought back reading and writing as a normal activity for a huge group of people.

Clay Shirky

# 2:22 pm / clay-shirky, tv, internet, reading

Sloppy—the slow proxy. Java Web Start GUI application which runs a proxy to the site of your choice simulating lower connection speeds—great for testing how well your ajax holds up under poor network conditions.

# 4:17 pm / ajax, javascript, performance, sloppy, java, javawebstart, proxy, richard-dallaway

New Gearman Server & Library in C, MySQL UDFs. Gearman, the job queue written for LiveJournal and now used by Digg and Yahoo!, has been rewritten in C. Looks like a good candidate for an easily configured lightweight message queue. Also includes hooks for writing MySQL functions that can interact with queues.

# 4:41 pm / mysql, message-queues, digg, gearman, livejournal, queues, scaling, yahoo, eric-day

Gearman protocol. Notes compiled by Eric Day, principal author of the C server implementation.

# 4:44 pm / gearman, protocol, eric-day
