Future of Web Apps Expo Keynote

Tim Bray of Sun Microsystems delivered an awesome keynote speech at the Future of Web Apps Expo 2008. Unlike many keynotes (which generally tend to be upbeat), Tim spoke about the economic tough times ahead and what you can do to get through them. There’s some very solid advice in this presentation.


Yahoo Email Vulnerability

This is yet another reason why premium email solutions, like those offered by Pleth Networks, are a wise investment even for personal usage over free hosted email solutions.

I ran across this security notice this evening on Netcraft and thought that it was a pretty big deal. If the media weren’t buried so deep in the presidential race I suspect this would have been pretty well publicized, but as it turns out, most of you are probably learning about this for the first time here.

It turns out that Yahoo email user account information was recently exploited. Details of this exploit from Netcraft can be found below. I should also probably state, for those of you who aren’t already aware, that I co-founded a company, Pleth Networks, LLC, which sells a premium email solution for individual and enterprise level accounts. If you are interested in email solutions for your business, or even a personal email account that you can have peace of mind about, click here to contact us.

Here’s some info regarding the exploit / vulnerability taken from Netcraft’s website.

The Netcraft toolbar community has detected a vulnerability on a Yahoo website, which (at the time of writing) is currently being used to steal authentication cookies from Yahoo users — transmitting them to a website under the control of a remote attacker. With these stolen details, the attacker can gain access to his victims’ Yahoo accounts, such as Yahoo Mail.

The attack exploits a cross-site scripting vulnerability on Yahoo’s HotJobs site at hotjobs.yahoo.com, which currently allows the attacker to inject obfuscated JavaScript into the affected page. The script steals the authentication cookies that are sent for the yahoo.com domain and passes them to a different website in the United States, where the attacker is harvesting stolen authentication details.

When websites use cookies to handle authenticated sessions, it is extremely important to protect the cookie values and ensure they are not seen by other parties. Cross-site scripting vulnerabilities often allow these values to be accessed by an attacker and transmitted to a website under their control, which then allows the attacker to use the same cookie values to hijack their victim’s session without needing to log in. This type of attack can be mitigated to some extent by using HttpOnly cookies to prevent scripts gaining access to the cookies — a feature that is now supported by most modern browsers.

Earlier this year, Netcraft blocked a similar flaw on another Yahoo website. The previous attack targeted a cross-site scripting vulnerability on Yahoo’s ychat.help.yahoo.com site, which was served securely using a valid SSL certificate, adding further credibility to the attack. The attacker used the vulnerability to inject malign JavaScript into one of the site’s webpages. Unlike the current attack, the injected code was sourced from a server in Spain, but also resulted in the victim’s cookies being stolen and transmitted to a PHP script on the same server.

Netcraft found that the Yahoo cookies stolen by the attacker would have allowed him to hijack his victims’ browser sessions, letting him gain access to all of their Yahoo Mail emails and any other account which uses cookies for the yahoo.com domain.

Simply visiting the malign URLs on yahoo.com can be enough for a victim to fall prey to the attacker, letting him steal the necessary session cookies to gain access to the victim’s email — the victim does not even have to type in their username and password for the attacker to do this. Both attacks send the victim to a blank webpage, leaving them unlikely to realize that their own account has just been compromised.

The Netcraft Toolbar protects users against both of these attacks, warning that the malformed Yahoo URLs contain cross-site scripting elements, and that the URLs have been classified as known phishing sites.

Netcraft has informed Yahoo of the latest attack, although at the time of writing, the HotJobs vulnerability and the attacker’s cookie harvesting script are both still present.

Ongoing Phishing Attack Exposes Yahoo Accounts – Netcraft
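The Netcraft write-up above explains that an XSS flaw lets injected script read the session cookie and that the HttpOnly flag blunts this. The following is an added example, not code from the original post or from Netcraft or Yahoo, showing in Python how a server emits a session cookie with the HttpOnly, Secure and SameSite attributes, how to audit a Set-Cookie header for the missing flags, and a small model of what page script would see through document.cookie. Cookie names and token values are constructed for illustration; the SameSite attribute is included as a defence that postdates the original article.

```python
"""Build and audit Set-Cookie headers for the flags that limit cookie theft.

Added example (not from the original post). Cookie names and values are
constructed; nothing here is taken from Yahoo's real deployment.
"""
from http.cookies import SimpleCookie


def build_session_cookie(name, value, http_only=True, secure=True, same_site="Lax"):
    """Return the Set-Cookie header value for a session cookie.

    http_only=True is the mitigation the Netcraft text describes: the browser
    keeps the cookie out of document.cookie, so injected script cannot read it.
    """
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    if http_only:
        morsel["httponly"] = True   # not exposed to page script
    if secure:
        morsel["secure"] = True     # only sent over HTTPS
    if same_site:
        morsel["samesite"] = same_site  # withheld on most cross-site requests
    return morsel.OutputString()


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_set_cookie(header):
    """Report which protective attributes a Set-Cookie header lacks."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return {"name": name, "missing": missing}


def script_readable_cookies(headers):
    """Model document.cookie: every cookie set without HttpOnly is visible to
    any script running in the page, including script injected through XSS."""
    visible = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            visible.append(f"{name}={value}")
    return visible


if __name__ == "__main__":
    hardened = build_session_cookie("session", "constructed-token-1")
    weak = build_session_cookie("session", "constructed-token-2",
                                http_only=False, secure=False)
    for header in (hardened, weak):
        print(header, "->", audit_set_cookie(header))
    print("script can read:", script_readable_cookies([hardened, weak]))
```

The audit function is the part worth running against a real deployment: capture the Set-Cookie headers from your own login response and check that the session cookie reports no missing flags. HttpOnly does not fix the underlying XSS, it only denies script one route to the cookie, so the flag complements output encoding rather than replacing it.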

Acxiom Reports Earnings

I thought that it was interesting that even during an economic downswing Acxiom was able to post a 20% increase in earnings this quarter. They released their earnings today, and ACXM shares closed slightly higher. This will definitely make the shareholders happy given that just about everything in their portfolios has taken a beating as of late. Here’s a snippet from Arkansas Business:

Despite a decrease in revenue, Acxiom reported a 20 percent increase to $15.85 million, or 18 cents per share, in earnings during its second quarter. Earnings for the quarter ending Sept. 30, excluding extraordinary items, were at about 18 cents per share, up 20 percent from $9.19 million, or 15 cents per share, during the same quarter last year. The interactive marketing services company recorded revenue of $328.9 million for the quarter, down 5.7 percent from the same quarter a year ago.

Acxiom’s earnings for the quarter are slightly above analysts’ earnings estimate of 17 cents per share, but below their revenue estimate of $341.3 million. Including an unusual gain of $2.4 million for the second quarter of the company’s fiscal 2009, Acxiom (Nasdaq: ACXM) reported earnings per share of 20 cents.

For the six months ending Sept. 30, the company reported $660 million in revenue, down slightly from $683.5 million for the same period last year. Earnings per share for the six month period, including extraordinary items, were 34 cents, compared with a 6-cent loss during the previous year.

Acxiom Reports 20 Percent Increase in Earnings on Down Revenue – ArkansasBusiness.com

Projects: Church Alive Redesign

I have been in the process of updating my church’s website over the past few weeks to incorporate some new features and plugins that we were needing.

For the redesign I started with one of Brian Gardner’s premium themes and customized it quite a bit to include the featured gallery plugin on the home page as well as the new Facebook Connect application that allows users to comment on the church website using their Facebook accounts. You can click here to visit the website or click on the screenshot below.

This is the second church website that I have built on the WordPress CMS, but I would love to open up that market for a couple of reasons. One reason is that WordPress lends itself well to the needs of most churches today. If you have a church website project that you would like for us to look at, please feel free to contact us.

Mojo the Hog-Dawg!

I just thought that this was too funny not to post. This is our Chihuahua Mojo, who stays with my parents. He is absolutely spoiled rotten too and probably has one of the worst dispositions known to man. He can go from adorable to insane in a matter of seconds. This is one of his more adorable moments.

Mom had him dressed up for the Razorback game this past weekend with Ole Miss in a Razorback sweater. He also has one of those hog nose things but doesn’t like to wear it.

Current Project: Facebook Connect

I have been following the Facebook Connect platform ever since it was announced on the Facebook Developers Blog. This project makes a whole lot of sense to me as both a developer and a website owner. One of the goals that every blogger has is to build a large readership. This can sometimes be a daunting task for beginners, who quickly learn that the saying “if you build it, they will come” isn’t always correct.

Building a community of blog subscribers can take years unless for some strange reason you are already famous or have an extensive bankroll to finance some promotional campaigns. Then along comes Facebook Connect. Facebook Connect is the next iteration of the Facebook Platform that basically allows anyone with a Facebook account to post comments on your blog as well as invite their friends to participate by commenting.

Why would you want to go about building a community from the ground up when you can harness one of the largest social networks on the web? I did some investigating and came into contact with another developer, Javier Reyes, who has been working on a Facebook Connect plugin for WordPress. Needless to say this piqued my interest because I am a huge fan of the WordPress CMS to start with; integrating it with Facebook was a no-brainer for me. I was sold!

This past weekend I spent some time going through the source code for the plugin and getting familiar with how it operates and interacts with Facebook. It’s really simple: you go to the Developer Center on Facebook and apply for an API Key. You then put your API Key and your Secret Key into the plugin, configure a sidebar widget for the application, and you are all set.

So far this past week I have experimented with this plugin on three projects and have it running successfully on all three. I also have it installed here so that anyone who is interested can give it a shot. One of the current bugs that I have found with the plugin is that it doesn’t work with Internet Explorer; you will need to use Firefox or Safari to use the app.

Once you have this website pulled up in Firefox, simply locate the Facebook Connect box at the bottom of the sidebar. Click on the Facebook Login button. Enter your Facebook account information if it asks for it. Once you are logged into Facebook you should see your Facebook avatar in the Facebook Connect box. The next thing you will want to do is come back to this blog entry and post a comment; from there you will see that it allows you to post comments using your Facebook account, and it also gives you the option to post the comment to your Facebook account as well. I recommend doing this so you can get an idea of how this all flows.

Here is a little background information on the Facebook Connect Platform from Facebook’s Blog:


In August 2006, we introduced the first version of the Facebook API, enabling users to share their information with the third party websites and applications they choose. Hundreds of companies have leveraged these APIs, allowing users to dynamically connect their identity information from Facebook, such as basic profile, friends, photos information and more, to third party websites, as well as desktop and mobile applications.

In May 2007, we launched Facebook Platform, which allowed third party developers to build rich social applications within Facebook. More than 350,000 developers and entrepreneurs from 225 countries have signed up, and started developing applications, and have seen significant adoption by Facebook users worldwide.

Today we are announcing Facebook Connect. Facebook Connect is the next iteration of Facebook Platform that allows users to “connect” their Facebook identity, friends and privacy to any site. This will now enable third party websites to implement and offer even more features of Facebook Platform off of Facebook – similar to features available to third party applications today on Facebook. Here are just a few of the coming features of Facebook Connect:

Trusted Authentication

Users will be able to connect their Facebook account with any partner website using a trusted authentication method. Whether at login, or anywhere else a developer would like to add social context, the user will be able to authenticate and connect their account in a trusted environment. The user will have total control of the permissions granted.

Real Identity

Facebook users represent themselves with their real names and real identities. With Facebook Connect, users can bring their real identity information with them wherever they go on the Web, including: basic profile information, profile picture, name, friends, photos, events, groups, and more.

Friends Access

Users count on Facebook to stay connected to their friends and family. With Facebook Connect, users can take their friends with them wherever they go on the Web. Developers will be able to add rich social context to their websites. Developers will even be able to dynamically show which of their Facebook friends already have accounts on their sites.

Dynamic Privacy

As a user moves around the open Web, their privacy settings will follow, ensuring that users’ information and privacy rules are always up-to-date. For example, if a user changes their profile picture, or removes a friend connection, this will be automatically updated in the external website.

These are just a few steps Facebook is taking to make the vision of data portability a reality for users worldwide. We believe the next evolution of data portability is about much more than data. It’s about giving users the ability to take their identity and friends with them around the Web, while being able to trust that their information is always up to date and always protected by their privacy settings.

We look forward to working with other leading identity providers to develop the best policies and standards for enabling the portability and protection of users’ information.

We expect that Facebook Connect will be available publicly within the next several weeks. If you want to learn more about bringing Facebook users to your website, application or device, send us an email at: connect@facebook.com.

Projects: Celebration Church

One of the more fun projects that I have been working on as of late is a WordPress-driven website for Celebration Church in Fresno, California. I have been working closely with Tim Langley, who is on staff at the church, and we have basically built this website from the ground up, with Tim supplying the graphics while I handled the code work.

This isn’t your ordinary church website by any means. Running on top of WordPress, we have incorporated plugins for managing an events calendar, podcast, and even e-commerce. In addition to building the website I have also launched a Facebook Connect app that allows Facebook users to interact on the website by posting comments, inviting their friends to events, etc. This is my first time working with the Facebook API so I wasn’t sure how it was going to turn out, but it appears to work pretty well so far. We haven’t launched the website officially, but I figured I would post a screenshot of it here as a teaser until we do the official launch, which we hope will be sometime around the first week in November.

Visual Design Tweaks in WP 2.7

Automattic has posted some screenshots of what the revised Dashboard and Post Page are going to look like in the WordPress 2.7 Release Candidate. A while back you might remember a survey that Automattic put out asking for input on what changes developers and bloggers would like to see in the next release candidate. Like many other developers I did my part and provided my input, although there isn’t really a whole lot that I would change.

WordPress works great, and once you get your clients up to speed on managing their content via the Dashboard or third-party tools like Windows Live Writer, it’s pretty much smooth sailing. Here’s an excerpt of the blog post where the screenshots were shared:


It’s finally here, the moment you’ve all been waiting for! The long months of your tolerance and forbearance as you suffered through the inelegance of our hacked-together, leftover Crazyhorse interface are almost at an end. (Was it really that painful?)

The visuals you have been craving are finally finished enough to show, and have been approved by the lead developers. We hope you like them. Mad props to Matt Thomas and Andy Peatling for their visual talents. You can expect these designs to be extended to the rest of the 2.7 screens and implemented over the coming weeks.

So now that we finally nailed down the look, how’s it going to work? The menu system in particular has been the topic of discussion on the hackers and testers lists, so I thought I would take this opportunity to explain how we plan for it to work. As you know, one of the goals of 2.7 was to reduce the necessity to load new screens just to access sub-navigation menus; we wanted the most-used screens to be within a click or two at most. If you’ve been using the nightly builds, you got used to the arrow controls that allowed you to expand and contract the menus. Then you got used to the box-style with icons that not only opened and closed vertically, but could be minimized horizontally as well, leaving a remnant of icons to provide a kind of “advanced mode,” though you don’t need to be particularly advanced to use it. Now that we have real button styles (the icons are still placeholders, and we hope to have some new ones soonish), we’ve nailed down the menu functionality.  

New Post Screen:
Click here to view the new WordPress Post Screen

Each section header has three parts: the icon on the left, the blue link text, and the area to the right where an expansion arrow appears on hover or in expanded state. You can see that the arrow is contained in a small segment of the header, similar to the way the favorites menu is structured. If you click on this segment, the menu will expand to show the choices in that section. Click again to close the menu. Click on the blue link text and you will go directly to the screen for the first choice in that section, where the section menu will be opened to show you the other section choices. Double-click on the section icon and the menu will close horizontally, leaving the icon list visible. In this state, hovering over the icons will display the menus for each section, so you’re still only a click away from most screens. Double-click on an icon when the menu is closed this way and it will take you to the first screen in that section. The small arrows attached to the dividing lines between menu groups will also act as open/close toggles for using the horizontal collapse/expand function.

This variety of ways of using the menu system aims to accommodate both power user and novice alike. Clicking on blue link text like normal will bring the expected result for the novice, while the advanced user has more options for navigation that allow a more customized experience. We hope you like this result as much as we do, and you can expect to see it implemented in Trunk soon.

The image linked here is the new Dashboard style, for which I’ll save the explanations until early next week, but hopefully the preview will get you excited for the new design.


WordPress › Blog » The Visual Design of 2.7

Retainer Agreements

My business partner, Greg Smart, was recently asked to explain our retainer agreement to one of our new clients, and he posted this description on his blog. Retainers are a real value that we offer our clients. I thought that this was a dead-on description, so I decided to repost it here:

Our retainer agreements are intended to benefit the nature of our customer relationships and help open the lines of communication with our priority customers. We have found that these agreements can smooth fluctuations in charges and often alleviate some of the hesitancy customers may feel when unsure about incurring hourly charges. A retainer will cover any content updates to the website as well as general consultations. This allows for updates to be posted in a more expeditious manner, can help maintain consistency of site design with content presentation, and ensures that the website will remain consistent with other marketing activities. It has been our experience that customers with this agreement tend to feel much more at ease in calling for overall site support, brainstorming sessions, and quality control issues.

This agreement does not include any site structure changes, graphic design changes, or increases in functionality. We will do our best to try to cover these unanticipated costs under this retainer agreement. Should a request be made that is deemed outside the scope of this agreement we will notify you and actively consult with you to explore your options. If necessary we will work to develop a quote at that time. This will occur prior to any additional site changes being made and any additional costs being incurred.

Pleth, LLC and Retainer Agreements | Greg Smart

Exploit Alerts from Google

Today I was waiting around for a meeting to get started and pulled up Google’s blog to read about their earnings report that was posted yesterday, and saw that they had expanded their Webmaster Tools to include XSS exploit notifications. This is a great idea in my opinion!

My business partners and I were in Las Vegas a few years ago and partnered with ScanAlert (now owned and operated by McAfee) to offer HackerSafe certification as an add-on service to any of our clients that might be interested in certifying their web presence to be HackerSafe.

This service has proven to be a valuable tool for us internally by alerting us to vulnerabilities and potential XSS holes in some of our clients’ third-party and open source applications. Of course, HackerSafe certification requires a small investment from the client to set up, but with Google’s Webmaster Tools a very similar service is now free!

I am extremely eager to spend some time checking out this new tool. Here’s an excerpt from Google’s Webmaster blog:

Recently we’ve seen more websites get hacked because of various security holes. In order to help webmasters with this issue, we plan to run a test that will alert some webmasters if their content management system (CMS) or publishing platform looks like it might have a security hole or be hackable. This is a test, so we’re starting out by alerting five to six thousand webmasters.

We will be leaving messages for owners of potentially vulnerable sites in the Google Message Center that we provide as a free service as part of Webmaster Tools. If you manage a website but haven’t signed up for Webmaster Tools, don’t worry. The messages will be saved and if you sign up later on, you’ll still be able to access any messages that Google has left for your site.

One of the most popular pieces of software on the web is WordPress, so we’re starting our test with a specific version (2.1.1) that is known to be vulnerable to exploits. If the test goes well, we may expand these messages to include other types of software on the web. The message that a webmaster will see in their Message Center if they run WordPress 2.1.1 will look like this:

Official Google Webmaster Central Blog: Message Center warnings for hackable sites