Categories
JavaScript

Ajax vulnerability

Ajax developers should check out a report on Ajax vulnerabilities in several Ajax libraries, and download the extensive advisory. The advisory details the vulnerabilities and how to protect against them.

It’s always a bit risky to put out such details, but I, as a developer, really appreciate them because they allow me to better understand how to protect against security risks. Much of the discussion of the vulnerabilities in this advisory isn’t necessarily new, but it does cover newer issues, vulnerabilities in popular libraries, as well as overall issues.

Money quote:

An application can be mashup-friendly or it can be secure, but it cannot be both.

Categories
People

The Couple

Our apartment complex is quite diversified, which is one reason I like it so much. There’s an older woman and her daughter who wear the most beautiful saris, and the guy across the way is a young hip-hop rapster, or whatever they’re called.

There is one couple who has always fascinated me. I believe they’re Chinese, but they could be descended from another nationality. For the sake of the story, we’ll think of them as The Chinese Couple.

Regardless of the weather, he’s out every day for a walk around the complex. Most days, his wife accompanies him. I use the word ‘accompany’ loosely, because she always walks five paces behind him. No matter what happens, whether crossing the street or rounding corners, she maintains that distance.

They’re an older couple but not elderly. Probably about five or ten years older than me. When the man walks, he does so with his hands clasped, firmly but comfortably, behind his back. He never looks right or left; never looks back at his wife, but always straight ahead.

She is not quite as rigid. She tends to look at the ground or his back, but I’ve caught her eye a time or two and she has a shy smile for me.

Today was beautiful, with cool winds after last night’s storm. I was standing at the screen door, drinking my morning coffee, when I noticed them. Both were wearing black pajama-like pants and black nylon jackets. He had a black t-shirt, she had a white and blue floral print. Today’s walk differed from all the others, as she was talking on a cellphone.

Now you know when you talk on a cellphone that your walking rhythm is disrupted. While she talked, she began to slow down. When he finished crossing the street in front of our place, she was actually 20 or so paces away from him.

He stopped on the corner, but not to turn around, either to admonish or to wait patiently. No, he lifted his head straight in front of him, and contemplated the top of the large tree directly across the way. Picture, if you will, a mature, distinguished Chinese gentleman dressed in black, hands clasped firmly behind him, face lifted towards the heavens. There he remained, face impassive, the only movement a slight flexing of his back — forward, as if he had risen on the balls of his feet.

She continued walking leisurely, talking on the phone, until she had crossed the street. She moved into her usual place, directly behind the man, but she stopped too soon and ended up being about ten paces back. He didn’t make a move, just stood there, legs locked, hands clasped, face turned to the heaven in contemplation.

Eventually, realizing her mistake, she moved forward five paces, still talking on the phone. It was as if she stepped on a switch, because as soon as she was her usual five paces back, he turned away from the tree, face directly forward, and continued his walk.

She was still on the phone, though, and her pace continued to be irregular. It was just before I was going to look away, just before they moved past the building across the way that I caught him–quickly, and as stealthily as possible, glancing ever so slightly over his left shoulder behind him, to see where his wife was; making an imperceptible change in his pace so that the distance between them remained constant.

Categories
Connecting Weblogging

It’s all about control

Recovered from the Wayback Machine.

I did not take the break I thought about, primarily because I was still involved with some communications. I also found myself somewhat obsessed with last week’s happenings.

In the end, what saddened me the most about last week wasn’t about people so much as it was about honesty. Or perhaps I should say, how honesty lost out to this never ending desperate rush to get attention.

I have been engaged in a good discussion on the issues at Blogher, in the post that Ronnie Bennett wrote. I can’t tell you how much I have come to admire Ronnie from this writing. Maybe not enough to make up for the respect I’ve lost for others, but it has helped.

I also agree with Ronnie, in her reverence for the freedom of speech.

Tim O’Reilly has come out with this code of conduct, which doesn’t interest me overmuch. He lists several so-called rules to accompany this new ‘approved’ way of weblogging.

One is the elimination of anonymous comments. Some of the more interesting comments I’ve had in my space have been by ‘anonymous’ people, and I have no intention of changing the way comments work in my place. True, I don’t get the number of comments that Kathy Sierra and Robert Scoble get; if these people want to turn anonymous comments off, why do they need our permission? They’re adults. Turn anonymous comments off, go for it. We don’t care.

Another rule is deleting comments. I’m not sure where the idea that one can’t delete obnoxious comments sprang from. If it came from a post at Tara Hunt’s, well Tara has to accept responsibility for some of this by her setting a somewhat defensive and quarrelsome tone in her responses to people, and then pulling out the ‘abuse’ charge when they respond in kind.

A lot of people don’t deal with strong debate, or with criticism. I feel any problems they have will eventually be self-healing, as people come to realize that engaging in dialog in the posts of these people is a waste of time. If they turn away the more interesting people because they won’t always respond in whatever fashion is deemed ‘civil’, those people are welcome here.

Taking a conversation offline is a good one, but risky. I’ve seen this blow up when people respond to seemingly innocuous comments with a great deal of animosity. The reason is that a lot of the communication happened behind the scenes and people weren’t privy to it. To outward appearances, it looks like someone has blown up for no reason. So I would say do so…but do so warily, and with caution. ‘Ware, there be dragons here.

Taking responsibility for what you write in my comments? Only if you let me take credit for what you write. I have been lucky to have excellent commentary in my posts, with very thoughtful and reasoned arguments. If I’m to take responsibility for the negative, I want credit for the good stuff.

Otherwise, I’m going to pretend we’re all adults here. Do I delete comments? I have from time to time. I find, though, that my old editing capability (which I am adding back, but improved) usually eliminated most of this — the people would edit themselves after they cooled down. As for random nastiness, if the comment is on-topic, not meant to injure another’s ability to communicate, and not illegal, it typically stays.

About the rule for ignoring trolls, I agree, and think it’s the most effective ‘weapon’ we have. But this one could have an unanticipated side effect. A lot of people consider me a troll because I’m critical, and can be persistent in my criticism. My way of looking at this rule is that it works both ways: if you consider me a troll, cool; but don’t expect me to link you, comment about you, or mention you by name in the future. I wonder how long some of the webloggers who ‘need’ the attention will maintain such a code if this is the result?

The labeling system that Tim mentions is as ill-thought out as people wanting to put ‘Be Civil’ or ‘Do not be Mean’ in one’s sidebar. I can’t think of anything more likely to attract the behavior they want to avoid than this. I surely don’t know what the people were thinking of when they came up with these.

None of this is new, though. Most of these, other than the labels and badges, have been brought up in the past any time something like this happens. None of these rules inspired me to post. What did, is the following:

It now seems fairly certain that the images posted on meankids and unclebobism were not intended as actual threats — but as long as the perpetrator remains anonymous, there is no way to be sure. In particular, as the person who is now seen as the most likely perpetrator insists, after the fact, that his computer must have been hacked, Kathy is left with the fear that there is indeed an unknown stalker at large.

There are a massive number of assumptions in this paragraph, all of which demonstrate a disconnect with the rest of Tim’s writing. There is an assumption of intent; of guilt; of convicting without proof; of deciding to toss the blame for all of this on to the person conveniently absent; of innuendo, gossip, and mean spirited finger pointing. How can one person talk such noble sentiment and then completely toss it all aside with one paragraph?

Couple that with this:

Bringing this back to the level of principle: if you know someone who has anonymously published comments that could be construed as a threat, you owe it to them, to their victim, and to yourself, not to remain silent. If there is no actual threat, you need to convince the perpetrator to apologize; if there is, you need to cooperate with the police to avert that threat.

To the Chinese, freedom is a threat. To the right wingers, criticism of the Catholic Church was a threat. To some folks in Missouri, the fact that I continually bring up issues related to Johnson’s shut-ins is a threat. Exactly how do we define a level of ‘threat’ in this new Gestapo brave new world? Is it in the eye of the beholder? For instance, Kathy feels afraid of these images, and therefore it is our duty to hunt down this perpetrator and bring him or her to justice?

This paragraph is a demonstration of a brighter future? A better world? A better world…wasn’t that mentioned in the movie, Serenity?

So I’ll respond in the only way I–and others dragged into this, since this has been tried in the court of public opinion–can respond: Kathy has said she has contacted the police on these matters. Then I believe we–asked to be jury, judge, and executioner–have a right to demand from her exactly what the response of the police was. I believe this is a very fair question to ask, considering the amount of innuendo and this seeming willingness of all participants to convict whomever is most expedient.

Or we can accept that mistakes were made in the past, much has been said, misunderstandings have occurred, poor judgment was practiced, and that all such can happen in this open environment. Oh, and that it’s time to move on.

I await response on this one. And since we’re practicing a new civility, I await response on this one, please.

Until then, this ‘code of conduct’ is really, to me, not worth the paper it’s printed on.

Absolute must-read post by Jeneane Sessum.

As my family name is raked over the coals across the web and in mainstream press, I would ask those of you who decided to tie me to these threats to spend the time I just did sitting still, considering your own motives and assumptions.

I have seen multiple webloggers condemned purely because they didn’t repudiate their friends, one or more of the Four People mentioned, which included Jeneane.

I read in a weblog, and I’m not sure where it was, perhaps at Frank’s or Rogers Cadenhead’s, where the person was condemned because they had linked to an earlier post in MeanKids. Before, as Jeneane wrote, it wrapped itself around the tree. Just for linking to one post!

I’d like to see 1461 links to Jeneane with the words, “I’m sorry”, in the link. Better yet: “Jeneane Sessum is wonderful”. Then we’ll sit down and discuss, as Seth wrote in my comments, a code of ‘honor’, much less a code of conduct.

Karl in comments did mention that setting a comment policy can work. I also think that Blogher’s policy is a good one. The site’s comment policy is well defined and not applied arbitrarily. By all means, write out a comment policy and apply it rigorously (but also consistently).

I think, though, that setting ‘levels of tolerance’ or putting up badges is not the same thing.

A hacker is spreading Kathy’s address and SSN in hacker forums all over. Sounds like they’re making up some stuff to go along with it, too. Does this change the story and its impact on others? No, but it does demonstrate what happens when people smell a potential victim. As such, any discussion of these events leads to victims, and victims draw rats.

Perhaps it is best to let this issue die. I’m closing comments on this post. I would hope that all participants just drop this issue, chalk it up to misunderstandings and mistakes and let it be.

Categories
Photography

What doesn’t make a good photo

One last set of photos from the Gardens, and then I’m off to travel a bit, walk a lot, take care of some business and maybe even more photos.

The weather has been in the 80s and wet. Spring didn’t happen, it exploded. Normally the flowers occur in stages, with crocus, daffodil, and magnolia in stage one; followed by the flowering fruit trees and tulips in stage two. This year, everything was up at once. Walking through the park was like walking into Nordstrom, between the two ladies with the perfume.

Before going to the park yesterday, I was browsing about when I discovered a weblog post where the author asked the question, What makes a great photo? Several people had responded and the responses were published in the post. After reading it, as I was walking about taking pictures and later, as I was processing photos from my trip, I wondered why no one ever celebrates their less than perfect picture-taking quirks. After all, if we all took photos like the experts recommend there would be no individuality. Prettier, more profound pictures, perhaps–but no individuality.

For instance, take the following picture. It’s of new leaves. Normally in the Spring, you take pictures of flowers, not leaves. But look at this picture: what are those things surrounding the leaves? That’s the first thing I thought when looking at the tree, what are those things around the leaves? I don’t remember seeing weird little things like that before. Have they always been there, and I hadn’t noticed them? Unique to this tree? Some kind of unhealthy, tuberous growth, which makes itself look green and innocent so it isn’t sprayed?

Quirk one: Nature works really hard, don’t waste the effort by focusing only on tulips.

tree leaves

This next violates probably a dozen rules of photography. There are conflicting patterns all over, way too much detail, and it screams ‘busy’. Look at that tree. It doesn’t even have the decency to lose its last few leaves from fall. No, they’ll probably hang around until they’re pushed off by the new leaves.

And the trunk of the tree looks like it has an eye.

Quirk two: Go ahead and take a messy picture. Tell people to look for the fractal patterns. Sit back and snicker.

tree

Daffodils. I got your daffodils here.

Not a bad grouping, but I didn’t have the focus straight on, and so the flowers aren’t sharp. That’s violating the most cardinal rule: sharp photos. However, I liked the grouping–it’s like the flowers were having a chat.

Quirk: It’s a weblog, you can post fuzzy pictures. People will think they’re just tired from reading 342 feeds.

In this one, now, the fuzziness was intentional. It’s called bokeh.

Quirk Four: As long as your mistake has a Japanese name, it’s intentional.

Now this is a split corona daffodil. It’s an absolutely beautiful flower. With flowers such as these, it doesn’t matter what you do with the camera, it will look good. You could take pictures of the flower behind you by bending over and pointing the camera between your legs and the photo will look good.

Quirk five: Bend over, take pictures behind you by pointing the camera between your legs. Suggest you save this for wilderness pictures.

The next two photos are of the same type of flower. Now, typically you won’t publish more than one photo of the same subject. You’d pick your favorite, which shows a fine sense of discrimination by picking only the best rather than put up many.

Why am I repeating the flowers? I liked the first photo better, but I liked the pollen dribble on the second.

Quirk six: Flower drool.

The next photo is sharp enough, positioned correctly, and the light seems to be good. But it just sits there, limp. Why this picture then?

I liked the background. That’s my deep, dark secret for most of my plant and flower pictures: I find a background I like, and then I go look for something to plunk into the foreground to justify the shot.

Quirk seven: Backgrounds. Find a background, hope a deer walks in front of the lens.

This next picture, my god what was I thinking? It looks like Van Gogh decided to paint over a picture by Monet.

Quirk eight: create a photograph that looks like a combination of the work of Van Gogh and Monet.

Hey! We’ve seen this flowering tree before!

Have you ever noticed with flower photos how the photographer will place the flower in the last or first vertical third, and leave primarily blank space in the rest of the frame? This technique gives the photo sensitivity and mood?

This is a crass American photo: if one flower is good, two is better! If one SUV is good, two is better! If one 50 inch TV is good, two is better! If one…

Quirk nine: Nature abhors a vacuum.

Again, same tree. I love this tree. It’s one of my favorite trees.

Quirk ten: one can never have too many pictures of something we love. Next week: pictures of Peeps.

I’ll end with just ten quirks and the last few photos from the set. I not only captured my first butterfly of the year, but captured my first bee–throwing in a cardinal for good measure because you can get away with anything when you add a cardinal.

My leaf!

Categories
Connecting Weblogging

Disappointed

Recovered from the Wayback Machine.

Update

I think AKMA did a better job of taking a closer, calmer, more reasoned look at the situation than I did.

I also wanted to point out Baldur’s post, which leads one to careful thought.

Ronnie Bennett also has an excellent post on the subject.

Earlier

Kathy Sierra just posted a note about getting death threats and canceling out of ETech. In the post, she specifically mentioned Jeneane Sessum, Alan Herrell, Frank Paynter, and Chris Locke. I know everyone involved–I’ve known Jeneane, Frank, Chris, and Alan for close to six years, and Kathy for a good couple of years.

I’ve not seen the Meankids blog or the other one mentioned, but I also don’t follow most of the emails and stuff associated with the old Cluetrain group. Not because I think the old gang is ‘bad’; just not somewhere I’m at now. I don’t talk much with Jeneane or Chris, but I do chat with Frank and Alan. Any time I’m down, Alan always sends me links to squid stuff or other things I’d like. Alan has also been one of the strongest proponents for increasing the number of women at conferences and calling out on sexist behavior. What I’m hearing and what I know, conflict.

I know these folks and I’m concerned about the implications of what Kathy’s post can mean to each of them. Would they do a death threat? No. Not a bit of it. Absolutely, completely, not possible. The one email that Kathy mentions in her post was from Spain from the IP address given, and is completely unassociated with the people she’s named, or the weblogs she specified. But did the noose post constitute a death threat? You know, the sites are down (ed. Did find a cached version of post) and without having an idea of context, we don’t exactly know what the implications are. At a minimum, it was abysmally stupid. Was it criminal? As my roommate said, if you had done that with Bush, the Secret Service would probably visit.

Kathy has said she’s contacted the police. She didn’t say if it was local or federal.

I have been critical of Kathy in the past, and most likely will be again. We’re two very different people. Same as I have been and will be critical of others that Kathy mentions, such as Tara Hunt and Hugh MacLeod. I might even use satire in my criticism, though I tend to be pretty direct when it comes to people.

At the same time, Kathy and I have made peace from past angers; she even reviewed the first chapter of my last book–had good advice, too. I think she knows that most of my criticism has been based on acts, not the person as a whole. I hope that’s the type of criticism I do, though I know I fail sometimes.

The only time I’ll use any biting humor or sarcasm is when I know the person can take it and dish it back. Kathy doesn’t deal well with this type of humor–yes, mean, nasty, snarky humor–but at the same time, she’s not very good at ignoring it, either. She and her partner Bert do respond in comments, and sometimes this can exacerbate an already volatile situation, and can increase the level of meanness. Does that excuse the meanness and hate? No, but it may provide some balancing context. Or it may not–but we don’t have other people’s stories, and we can’t know the ‘truth’, whatever that is, until we have all the facts. Continuing to focus their shots at Kathy was foolish, thoughtless, and served no useful purpose.

Do I think the photoshopping and the meankids.org are a ‘cool’ thing? No. Such encourages aggression and leads people to do and say things they wouldn’t normally do and say. But I’m not overfond of hiding ‘meanness’ in sweet words and ‘clever’ drawings, either. The cruder might be more obvious, but the subtle is, by far, the more harmful.

Do I think Kathy’s life is in danger? From what she wrote? No. But it’s not up to me to decide, I’m not her and I deal with things differently than she does. Doesn’t mean I’m better or she’s better–just different. As for fully interpreting this as a criminal act, it’s up to the police since she’s called them. But by calling the police, and writing her post, she’s raised some very high stakes, which could end up causing a great deal of harm to some folks. She’s created a posse, and from what I can see, not a lot of people have asked for context. Or care.

The email that Kathy received is separate from the posts. It was unfortunate that she combined these into a post. I’m concerned now that a lot of people are going to react and some folks, including Kathy, are going to get hurt–and no, I don’t mean physically.

Frankly, calmer heads are needed when responding to this event. Webloggers are not very good at maintaining perspective. I know, I’ve been one for too long.

As for the comments derogatory to women, they do disappoint me, profoundly–more so if they’re from people I have called friend. Frankly, this whole incident has taken the heart out of me.

For all the people calling for the police and demanding jail time, I would counsel calm, because we don’t know the full story. The web sites have been taken down, we don’t know the posts that have gone before or the ones after. I’m not disparaging Kathy’s emotions or reactions, but these are serious matters, and I think we need to be very careful in how we respond.

update

Frank Paynter has responded. I’ve been talking with Jeneane, and she’s not long out of the hospital. I recommended that she not overstress herself right now, but if Kathy would like, or needs a response from Jeneane, I’m sure she will provide one.

Alan Herrell, the Head Lemur, has evidently quit his weblog. He’s been weblogging for 7, 8 years or so. Long as I can remember. He wrote:

character assassination by image and pseudonym
believe what you will
get some help
goodbye

What is the true measure of meanness? Words or deeds? When the weblogging world figures this out, you all let me know. OK?

In the meantime, from discussions here and about, I gather that the police called on the threats were federal, which would probably be the FBI. I would keep unenlightened conjecture and inflated discussion to a minimum before more harm is done.

update

Chris Locke has responded.

Lisa Stone at Blogher provided a response related to Jeneane that should be sufficient for those demanding response.