Simon Willison’s Weblog

Subscribe

May 2010

May 20, 2010

ZOMBO.com in HTML5. Uses SVG (scripted by JavaScript) and the audio element. Finally, Zombo.com comes to the iPad.

# 3:26 pm / audio, html5, ipad, svg, zombo, zombocom, recovered

App Engine at Google I/O 2010. OpenID and OAuth are now baked in to the AppEngine users API. They’re also demoing two very exciting new features—a mapper API for doing map/reduce style queries against the data store, and a Channel API for building comet applications.

# 3:30 pm / appengine, comet, google, mapreduce, oauth, openid, recovered

The Guardian’s Open Platform is open for business. The Guardian’s Content API is now out of beta. Of particular interest: you can access basic article metadata (headline, URL and tags) without using an API key at all, and the API supports JSONP—just request format=json and include a callback=foo argument.

# 5:40 pm / api, content, guardian, json, jsonp, openplatform, recovered

OpenPlatform Content API Explorer. The new API explorer for the Guardian’s Content API.

# 5:42 pm / api, api-explorer, guardian, openplatform, recovered

May 21, 2010

Headroid1—a face tracking robot head. Kind of creepy—Ian Ozsvald’s openCV + pySerial motorised camera follows your face around the room, and will soon be able to react to your emotions.

# 4:59 pm / ian-ozsvald, opencv, pyserial, python, recovered

May 24, 2010

Busting frame busting: a study of clickjacking vulnerabilities at popular sites (via) Fascinating and highly readable security paper from the Stanford Web Security Research group. Clickjacking can be mitigated using framebusting techniques, but it turns out that almost all of those techniques can be broken in various ways. Fun examples include double-nesting iframes so that the framebusting script overwrites the top-level frame rather than the whole window, and a devious attack against the IE and Chrome XSS filters which tricks them in to deleting the framebusting JavaScript by reflecting portions of it in the framed page’s URL. The authors suggest a new framebusting snippet that should be more effective, but sadly it relies on blanking out the whole page in CSS and making it visible again in JavaScript, making it inaccessible to browsers with JavaScript disabled.

# 11:40 am / clickjacking, framebusting, iframes, javascript, security, xss, recovered

What’s powering the Content API? The new Guardian Content API runs on Solr, scaled using EC2 and Solr replication and with a Scala web service layer sitting between Solr and the API’s end users.

# 2:08 pm / apis, contentapi, ec2, guardian, openplatform, scala, scaling, solr, recovered

doc/beatings.txt (via) Rubberhose is a disk encryption system developed by the founder of Wikileaks that implements deniable cryptography—different keys reveal different parts of the encrypted data, and it is impossible to prove that all of the keys have been divulged. Here, Julian Assange explains how this works with a scenario involving Alice and the Rubber-hose-squad.

# 2:17 pm / coercion, cryptography, julian-assange, rubberhose, wikileaks, recovered

May 25, 2010

OpenCart CSRF Vulnerability. Avoid OpenCart—it’s vulnerable to CSRF, but the maintainer has no intention of fixing it as “there is no way that I’m responsible for a client being stupid enough to click links in emails”.

# 12 am / csrf, opencart, security, recovered

A New Type of Phishing Attack. Nasty trick from Ava Raskin—detect when your evil phishing page loses focus (when the user switches to another tab, for example), then replace the page content with a phishing UI from a site such as Gmail. When the user switches back they’re much less likely to bother checking the URL. Combine with CSS history sniffing to only show a UI for a site that you know the user has visited. Combine that with timing tricks to only attack sites which the user is currently logged in to.

# 3:20 pm / azaraskin, phishing, security, recovered

Twitter is an open, real-time introduction and information service. On a daily basis we introduce millions to interesting people, trends, content, URLs, organizations, lists, companies, products and services. These introductions result in the formation of a dynamic real-time interest graph. At any given moment, the vast network of connections on Twitter paints a picture of a universe of interests. We follow those people, organizations, services, and other users that interest us, and in turn, others follow us.

Dick Costolo

# 4:54 pm / dick-costolo, twitter, recovered

May 28, 2010

Is This Really The Future of Magazines or Why Didn’t They Just Use HTML 5? A scathing critique of the new Wired iPad app, which weighs in at 500MB per issue due to storing every single page as two static PNG images—one for landscape and one for portrait mode. “The only real differentiation between the Wired application and a multimedia CD-ROM is the delivery mechanism: you download it via the App Store versus buying a CD-ROM”.

# 12:13 pm / cdrom, html5, ipad, multimedia, wired, recovered

Zero-downtime Redis upgrade discussion. GitHub have a short window of scheduled downtime in order to upgrade their Redis server. I asked in their comments if they’d considered trying to run the upgrade with no downtime at all using Redis replication, and Ryan Tomayko has posted some interesting replies.

# 2:50 pm / github, ops, redis, ryan-tomayko, upgrades, zero-downtime, recovered

May 29, 2010

Smokescreen demo: a Flash player in JavaScript. Chris Smoak’s Smokescreen, “a Flash player written in JavaScript”, is an incredible piece of work. It runs entirely in the browser, reads in SWF binaries, unzips them (in native JS), extracts images and embedded audio and turns them in to base64 encoded data:uris, then stitches the vector graphics back together as animated SVG. Open up the Chrome Web Inspector while the demo is running and you can see the SVG changing in real time. Smokescreen even implements its own ActionScript bytecode interpreter. It’s stated intention is to allow Flash banner ads to execute on the iPad and iPhone, but there are plenty of other interesting applications (such as news site infographics). The company behind it have announced plans to open source it in the near future. My one concern is performance—the library is 175 KB and over 8,000 lines of JavaScript which might cause problems on low powered mobile devices.

# 11:32 am / chris-smoak, datauri, flash, javascript, smokescreen, svg, recovered

The easiest way to have no-downtime upgrades is have an architecture that can tolerate some subset of their processes to be down at any time. De-SPOF and this gets easier (not that de-SPOFing is always trivial).

Ryan King

# 11:36 am / architecture, ryan-king, spof, recovered, zero-downtime

tobeytailor’s gordon. Another Flash runtime in pure JavaScript project, released back in January. Not quite as advanced as Smokescreen yet (it doesn’t have an audio implementation) but already available as open source under an MIT license.

# 11:57 am / flash, gordon, javascript, mitlicense, open-source, tobeytailor, recovered

2010 » May

MTWTFSS
     12
3456789
10111213141516
17181920212223
24252627282930
31