Thursday, December 5, 2013
That AIN'T REST
I don't have screenshots for this because it happened a while back and I've switched jobs, so I'll tell this tale in text.
Working on migrating articles out of a company wiki, I wrote a script to download these articles automatically using the wiki's REST API. Here's the general algorithm:
1. Start with article 0 and request a batch of 100 articles (maximum allowed)
2. Request the text for the first article returned
3. Request list of attachments for each article
4. Download each attachment
5. Repeat for the next article in the batch
6. Grab the next batch
7. Stop when the batch returned is less than 100
Since the API is labeled "RESTful" this should be fine, right? Each batch of 100 will always return the same 100 articles, so asking for them sequentially is fine, right?
Wrong. So very wrong. Putting the word "REST" next to the word "API" does not necessarily mean they gave you a REST API.
One article was failing, making my whole script bomb. Thinking I could pop in and try to exclude that specific article, I found the index number and excluded it. But the next day it failed again. I tried to figure out why and realized that the bad index was moving down the index once every 6 - 10 hours. Which means that the indexes were stateful. Which means it's not REST.
I get it. I honestly do. Not cleaning up indices makes for a painful system that can get bloated fast. But don't use the buzzword if you can't actually make it work.
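As an added example (not the post's script; the wiki, its listing call and the article IDs are a constructed stand-in), here is the post's offset-paging loop run against a listing whose index shifts mid-crawl, beside a version that notices the shift by overlapping each request with the last item it already fetched:

```python
BATCH = 3  # small page size for readability; the post's API allowed 100

class FakeWiki:
    """Constructed stand-in for the wiki listing (not a real API). Optionally
    deletes one article after the N-th request, so every article behind it
    moves down one offset: the 'stateful index' the post ran into."""
    def __init__(self, ids, delete_after_call=None, victim=None):
        self.ids = list(ids)
        self.calls = 0
        self.delete_after_call = delete_after_call
        self.victim = victim

    def page(self, offset, limit=BATCH):
        self.calls += 1
        result = self.ids[offset:offset + limit]
        if self.calls == self.delete_after_call:
            self.ids.remove(self.victim)  # the index shifts under the crawler
        return result

def naive_crawl(wiki):
    """The post's algorithm: request offsets 0, BATCH, 2*BATCH, ... until a
    short page. A shift before the current offset silently skips an article."""
    seen, offset = [], 0
    while True:
        batch = wiki.page(offset)
        seen.extend(batch)
        if len(batch) < BATCH:
            return seen
        offset += BATCH

class IndexShift(Exception):
    """The listing no longer lines up with what was already fetched."""

def checked_crawl(wiki):
    """Same walk, but each follow-up request starts one item early and that
    item must equal the last one already seen; any insert or delete ahead of
    the overlap breaks the match, so the shift is reported instead of hidden."""
    seen = wiki.page(0)
    if len(seen) < BATCH:
        return seen
    offset = BATCH
    while True:
        batch = wiki.page(offset - 1, BATCH + 1)
        if not batch or batch[0] != seen[-1]:
            raise IndexShift(f"expected {seen[-1]!r} at offset {offset - 1}, got {batch[:1]}")
        seen.extend(batch[1:])
        if len(batch) < BATCH + 1:
            return seen
        offset += BATCH
```

A deletion beyond the current offset is indistinguishable from an article that never existed, which is harmless since it is gone either way; the check only has to catch changes behind the crawler, which are the ones that make it skip or repeat articles.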
Tuesday, November 12, 2013
OWASP Top 10 For the Average Internet User: Broken Authentication/Session Management
Where can it happen?
This can happen anywhere you need a username and password to login or anywhere that you are uniquely identified from other internet users.
What is it?
When you log on to a website, that website needs a way to identify your internet traffic and keep you straight from all of the other people that are out there. Let's say when you log on to Facebook, Facebook tells you to identify yourself as user 150 every time you go to a new page. As long as you send that number, Facebook knows to show you your friends, allow you to post new status updates, comment on pictures as yourself, etc.
But what if I (as an evil internet hacker) decided to browse Facebook and send them 150 as my identifier? Suddenly I become you! I can ask for my (your) chat history and see what girls you've talked to, I can post witty comments on your mother's pictures, I can unfriend your girlfriend! Mwwahaha!
Why should I care?
We really just covered this, but in case you don't care that I can unfriend your girlfriend on Facebook, what if I get your session token for your bank? Or your Fandango or PayPal account? Now your finances as well as your social life are at my mercy, which is very bad.
How can I protect myself?
Make sure that your websites log you in over a secure connection. This means that you should log in over SSL (you should see HTTPS at the beginning of the URL). Not many companies provide it, but it doesn't hurt to ask your bank or credit union how they handle your internet security before agreeing to do business with them online. That being said, the larger the company, the more likely they are to put time and resources into ensuring your online security.
Tuesday, November 5, 2013
OWASP Top 10 For the Average Internet User: Injection
Where can it happen?
This can happen anywhere that a website allows users to enter text (Literally anywhere. Comment boxes, twitter updates, payment fields, username and password fields, etc, etc, etc) or anywhere that a website accepts text from the internet.
What is it?
A computer program is really just a series of letters and symbols put together by a person that a computer understands as instructions and then executes. When a computer program (like a website and your browser) handles text that you type, the distinction between the text and program is completely created by the computer. Think of it like a chocolate bar in a wrapper. The wrapper contains the chocolate bar and you can tell the difference, so you know to eat one and not the other.
But what if someone made a wrapper that looked and smelled like chocolate? You'd probably wind up with a mouthful of paper.
Injection is someone making the text they type into your website look and smell like program code so that the computer will run that code.
Why should I care?
Usually the program that is injected is SQL or JavaScript. Both of these are very bad. JavaScript can make your browser do almost anything. The possibilities are only limited by the attacker's imagination and the time they have to search for JavaScript tricks on the internet. If the attacker can find enough information about the website, they can find a lot of information with SQL.
How do I protect myself?
Unfortunately this one is mostly on the people running the websites. The best thing you can do is to be careful what websites you visit. If someone sends you a link that doesn't look familiar, or you don't know why they're sending it to you, find out more from them first.
You can also search for the name of the website on Google. If you add "virus" or "malware" to the website's name, Google should return some helpful results telling you if the website is known for suspicious activity.
Sunday, October 20, 2013
Miss Teen USA Hacked
My wife recently showed me an article about Miss Teen USA having her computer hacked. Let me start off by saying I know this is a delicate subject and I have a lot of sympathy for this lady as I know people who have gone
Tuesday, September 10, 2013
Dot on Dot off
We can all agree that the folks over at Google are web programming wizards, right? If you've ever even heard of Google Docs and what it does with JavaScript, you won't argue with me (not that you could anyway, this is a blog, not a conversation).
Now that we're all on the same page, let's poke fun at
Monday, September 2, 2013
Read the whole stacktrace/Be careful when using spring
As a disclaimer, I am critical of a lot of Spring frameworks. Don't get me wrong, they're often useful and can save a lot of time when they're used right. But it's really easy to shoot yourself in the foot (or the head) when using a lot of them. For this post, exhibit A will be Spring DI. I recently had a developer forward me the following exception:
Wednesday, August 14, 2013
Overflowing
Do you ever have trouble learning outside of work? I certainly do. In college, during the summers, I felt like I had tons of time and concentration to dedicate to personal projects and ideas. Now, when I try to pick up a technical book outside of work, my brain stalls. Half the time, when I try to pick up a technical book at work, my brain stalls. Here's my theory. Your brain is like this:
And the water is all of the topics you're expected to keep
Tuesday, August 6, 2013
Platonic Computer Science
Recently I encountered a file permissions issue. Long story short, I had a service that needed to run a .bat file, but because of a Windows quirk, it needed list access to the root of the drive the file was on. I called up my friends at our Information Security department and after getting transferred around a bit, I was informed that their policy was to not grant special access to the root of any
Monday, July 29, 2013
Knee-jerk Scripting
Some people become programmers because they like math, some because they like video games, but most because they are lazy. That's right, lazy. Picture this scenario (the names have been changed to protect the guilty).
Monday, July 22, 2013
Hold on....why did they let it do that?
When we work with computer systems, we rarely imagine the people who designed them. If we do, we only think of them in their work context, abstract entities that give us their product and answer our questions about it. We don't like to think about them being dumb, or having a sense of humor. I'm not sure which of those two to chalk this
Tuesday, July 16, 2013
I was told there would be support?
If you work in a technical position and use any sort of vendor product you have likely had to call them for help with their technology.
Here we run into a question: do you have engineers answer the questions more slowly, or hire non-technical people to answer more quickly?
Thursday, July 11, 2013
No Progress Bars in Hacking
I have played through the following scenario at least three times now.
Me: Hello Information Security, I need admin access to <server> for <amount of time> to complete <activity>. Would you be able to give it to me?
Info Sec: Thanks for the request. We'll get back to you.
Thursday, March 7, 2013
Perspectives: Purchasing Technology
As someone who works in enterprise IT, I can understand developers' frustration with purchased technology. As developers, however, we must learn (for the sake of our own jobs, if for no other reason) to understand the perspectives of those around us. Doing so will allow us to fully understand the roadmap behind business decisions, and provide the organization with synergy. Take an enterprise class web server, for example. This tool could potentially be perceived in any of the following ways . . .
Purchasing |