Showing posts from November, 2010

Eggnog review: Mountain Dairy Eggnog

Rich and creamy. Not quite enough nutmeg. Don't try the vanilla flavor.

Better than average. Recommendation: Buy.

Eggnog review: Darigold Eggnog

Not enough nutmeg. Cheap sweetener flavor.

Terrible. Recommendation: Don't buy.

Twitter API vulnerable to replay attacks

Reading about Google's security today reminded me of a vulnerability I discovered in the @ a while ago. October 4th to be exact. The response was a typical but as of this writing the replay attack vulnerability has not been fixed.

Replay attack

A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it, possibly as part of a masquerade attack by IP packet substitution.

Notification

My email to security@twitter.com on October 4th and their response.
A single OAuth request can currently be made repeatedly until the timestamp expires. For example, the URL below worked in a browser repeatedly.

http://api.twitter.com/1/account/verify_credentials.json?oauth_consumer_key=DC0sePOBbQ8bYdC8r4Smg&oauth_signature_method=HMAC-SHA1&oauth_timestamp=1286249576&oauth_nonce=2568844471&oauth_version=1.…
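The fix the post is asking for is server-side nonce tracking: OAuth 1.0 (RFC 5849, section 3.3) requires each nonce to be unique per consumer key and timestamp, so a server that remembers the nonces it has accepted inside the timestamp window will reject a resubmitted request. The following is an added illustration, not Twitter's code or the original post's; the sample URL, key and window length are constructed, and the check is meant to run alongside (not instead of) normal HMAC-SHA1 signature verification.

```python
import time
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the shape of the signed request URL quoted in the post.
# The consumer key, nonce and timestamp here are made-up placeholders.
SAMPLE_URL = ("http://api.twitter.com/1/account/verify_credentials.json"
              "?oauth_consumer_key=EXAMPLE_KEY&oauth_signature_method=HMAC-SHA1"
              "&oauth_timestamp=1286249576&oauth_nonce=2568844471&oauth_version=1.0")

TIMESTAMP_WINDOW = 300  # seconds a timestamp stays acceptable (assumed value)


class NonceStore:
    """Remembers (consumer_key, timestamp, nonce) triples accepted inside the
    window. Without this memory a captured request is valid again and again
    until its timestamp ages out, which is exactly the replay the post shows."""

    def __init__(self, window=TIMESTAMP_WINDOW):
        self.window = window
        self.seen = set()

    def _purge(self, now):
        # Entries older than the window can no longer pass the freshness check,
        # so they can be forgotten; this keeps the store bounded.
        self.seen = {t for t in self.seen if now - t[1] <= self.window}

    def check(self, url, now=None):
        """Classify one request URL as 'ok', 'stale', 'replay' or 'missing'."""
        now = int(time.time()) if now is None else now
        self._purge(now)
        params = parse_qs(urlsplit(url).query)
        try:
            key = params["oauth_consumer_key"][0]
            nonce = params["oauth_nonce"][0]
            ts = int(params["oauth_timestamp"][0])
        except (KeyError, ValueError):
            return "missing"          # required OAuth parameters absent or malformed
        if abs(now - ts) > self.window:
            return "stale"            # outside the window, regardless of nonce
        triple = (key, ts, nonce)
        if triple in self.seen:
            return "replay"           # same key/timestamp/nonce already accepted
        self.seen.add(triple)
        return "ok"
```

In a real deployment the set would live in shared storage (a database or cache) so that every API node sees the same accepted nonces.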

Say no to broken Twitter avatars

What do all of the many Twitter mashups hanging around on the internet have in common? Broken avatars! At the rate users upload new avatars, every site will at some point have outdated profile information. I have come up with a simple and elegant method of keeping profiles up to date with very few wasted CPU cycles.

The basic idea is to bind an event handler onto JavaScript error events with @. This handler will perform two actions. First, it will replace the image source with a temporary static link to the user's avatar so the visitor will see a working image. Second, the handler will ping the server with the screen_name of the missing avatar so the persistent storage can be updated.

In your HTML load jQuery and use selectors to find all image elements with a class of twitter-avatar. The error handler bound to all the selected image elements updates the image source and pings the server.


The second file is in PHP and uses TwitterOAuth but can be in any programming language. …

Hello San Francisco!

I have enjoyed being in Seattle but have decided to take a job with @ and move to San Francisco. Answerly is a @ startup building some awesome stuff and I am very excited to be joining the team. While I can't go into details yet, be sure to follow me (@) on @ to see my latest startup experience unfold. I love working with lots of social data so I'm sure there will be some of that mixed in. :-P



When am I moving? Well, pretty much immediately. I will be in Portland for Thanksgiving before driving down I-5 in early December. If you happen to be along the route, drop me a note and maybe I will drop in for a bit.


I am looking for an apartment in downtown SF so if you know of something or are looking for a roommate let me (and doxy) know.



And with that, be sure to look for me at SF tech events and have a wonderful Thanksgiving.

8 Experts Break Down the Pros and Cons of Coding With PHP

5. Abraham Williams: Copy-Paste Hacking
Williams is a developer and self-styled “hacker advocate.”
Williams, like his fellow experts, admits that PHP “has a short route to minimum viable product.” He also says that the readily available resources online can be great and terrible at the same time.
“There is a huge amount of code laying around on the Internet ready to copy and paste to hack together. On the flip side, the low barrier of entry results in a lot of crappy code that you really don’t want running on your server.”
He also says one of his favorite PHP apps is the open-source microblogging platform StatusNet (http://status.net/).

The 1-step Google login from heaven

@ had an experience with some of @'s terrible user experience trying to access his @ account. While Google definitely needs to improve their sign-in system (which they are doing), Alain's example is a perfect storm of everything going wrong.

I thought I would share my YouTube sign-in experience:

1. Click on Sign In

On YouTube I simply click "Sign In".



Since I am always authenticated with my Google Account...



YouTube refreshes and I am signed in.

Startup Weekend Seattle development tools

Startup Weekend Seattle had 13 teams working nonstop Friday through Sunday brainstorming, designing, and building startups. These are the tools they used.

501K - @
We are paying it forward one portfolio at a time
ASP.NET MVC 3, MS SQL Server 2008, jQuery, Facebook API, Amazon Flexible Payments Service, myhosting.com, Subversion

Chatter Sphere
Discovering People and Things Around You
Java Servlet, MySQL, jQuery/UI, eApps.com

Clpstr - @
Watch it Later
iOS SDK, Android SDK, Windows Phone 7 SDK, Ruby on Rails, JavaScript Bookmarklet, Embedly API, GitHub, Heroku, PostgreSQL, jQuery

Tellus Homes
We Create Ecologically, Economically and Socially Sustainable Homes
Marketing, Keynote, Microsoft Excel

Snuggle Cloud - @
Romance in the cloud
Google Calendar embed, Slicehost, Ruby on Rails, MS Paint, Wufoo

StyleCast - @
Broadcast your style!
Facebook API, Google App Engine - Java, DISQUS Comments, PhoneGap, Sencha

We Referee - @
Fans Make the Call
Perl, Twitter API, Google Charts, RimuHosting

SayCal - @
Say hello …

The Changelog: GitHub Follow Friday for 20101029

Another Friday, time to spotlight some GitHub folks you should follow.
tenderlove (Aaron Patterson): nokogiri and mechanize. Aaron also empowers you to do fuzzy texticle searches.
isaacs (Isaac Z. Schlueter): The man who helps you manage your package using npm.
abraham (Abraham Williams): The author of the canonical PHP library for the Twitter API and fun Chrome extensions, a cool dude who is master of his domain — name.