Friday, December 29, 2006

chili

Today over lunch at d.b.a. we discussed different chili recipes. My favorite is still black bean chili with masa harina, a recipe I sort of made up a while ago from various recipes I've tried in the past.

2 Tbs. ancho chili powder
2 Tbs. ground cumin
1 tsp. coriander
1 can black beans (goya works fine)
1 28 oz can of whole tomatoes (or you could use crushed or whatever)
Olive oil
1 small yellow onion
2 garlic cloves
2 Tbs. masa harina

  1. chop up the onion and garlic cloves, put them in a pot with some olive oil & cook for a few minutes
  2. add chili powder, cumin, coriander
  3. add black beans (drain off some of the extra water first if there's a lot in the can)
  4. stir
  5. add tomatoes
  6. stir, bring to a boil over medium high heat
  7. let it boil for about 5 minutes then lower heat to low
  8. cook at least 30 minutes, but you can leave it on low heat for much longer if you need to
  9. 5 minutes before serving, mix in masa harina to thicken, stir until it thickens

Saturday, December 23, 2006

ice skating

Kate went ice skating for the first time yesterday, in the cutest teensy hockey skates. I had to hold her upright the whole time, but by the end her feet were only sliding out from under her every 3 seconds instead of every .0000001 seconds. Progress!!

Afterwards, we went over to Fosterfields to say Merry Christmas to the animals. Calvin and Hobbes (the Belgian draft horses) came over to say hello when we got there, and Hobbes decided that my scarf was dinner and tried to eat it. So I got horse slobber all over my shoulder. blech. But he's a cute guy so we forgave him. Their coats are really thick for winter already! Then it was time for all the animals to get dinner- the two farmers walked Calvin and Hobbes into their stable, rounded up the 3 cows (Calico was more interested in saying hi to us than going inside), and collected the turkeys. Kate said hello to the cat (named B.C. for barn cat) and all the chickens and roosters. We didn't stay around while the sheep were fed, but they were all clustered at the gate waiting their turn when we left.

When we got home, we made Red Velvet cupcakes for Ana's first birthday. Yum!

Wednesday, December 20, 2006

so that's how you do it

From a Wall Street Journal book review of Citizen Marketers:

"The key was the more recent development known as Web 2.0. Powered by XMA, a computer language that makes it easy to merge data from any number of sources, Web 2.0 has transformed the Net from what was largely a platform for micropublishers to a free-floating community forum that encourages multimedia participation by anyone with a broadband connection."

Aha. So nice to learn that I haven't been writing multi-tiered database backed websites with AJAX web frontends and RSS/Atom feeds, I've just been doing XMA. ;-)

ps the article is over here if you have a wsj.com login

Friday, December 15, 2006

Javascript and XSRF

XSRF (or CSRF) stands for "Cross-Site Request Forgery" and is a class of web application vulnerabilities. It's a fancy term for a fairly simple "exploit" -- really, I think exploit is far too fancy for this. Let's say that I'm logged into Blogger, writing this blog post, and I have a few other Safari tabs opened at the same time. My browser has blogger cookies that are "active" - when I send an HTTP request from my browser to blogger.com, the cookies that go along with it will match up with my current blogger session.

So now let's imagine that blogger has a form on its site for removing your blog. If you submit the form, you might post to "blogger.com/deleteblog?delete=true" or something along those lines, and your blog would be gone. If my friend decided that I'd been posting far too many annoying blog posts about Declan and wanted to nuke my blog, he might set up a page on his web site that has this HTML code on it:

<img src="http://blogger.com/deleteblog?delete=true">

He would then send me a link to the page, or post a comment on my blog- anything to get me to load the page that contains that image tag. When my browser loads that page, it would try to fetch that image by sending a GET request to blogger.com. And if I was still logged into my blogger account in another tab, it would send along my blogger cookies. So blogger would see a request to delete a blog, with my blogger cookies, and it would... delete my blog. Requiring a POST instead of a GET doesn't fix this on its own, either: my friend's page could just as easily hold a hidden form pointing at blogger.com and submit it with one line of javascript, and my cookies would go along the same way.

The generally recommended way to get around this is to also generate a "one time code" to use as a confirmation. Blogger would create a hard-to-guess token, and insert this code into its "Delete Your Blog" form:

<input type="hidden" name="secret" value="1234567890SECRET0987654321">

The value, of course, should really be something harder to guess than that code, and a new value should be generated every time that the page was served up. Blogger also has to remember the value on its side, tied to my session, and compare the submitted one against it; checking only that some secret was sent would let my friend supply one of his own. So now blogger will only delete my blog if I post to the "deleteblog" form with the current secret value. If it doesn't match, or is missing, my blog is not deleted.

If javascript did not have the cross-domain restrictions that it has, my friend could insert some javascript into that page he wants me to visit that:
1. create a hidden iframe
2. set the source of that iframe to the blogger "do you want to delete your blog?" page which holds the form (remember, my browser issues that request, so it gets issued to blogger.com with my current cookies)
3. grab the innerHTML of the iframe, regex out the "secret" value
4. set the image to send along my current secret:

<img src="http://blogger.com/deleteblog?delete=true&secret=1234567890SECRET0987654321">

Thankfully, javascript does have cross domain restrictions (the browser's same-origin policy). My friend can set a hidden iframe on his site to be the blogger "do you want to delete your blog?" page, but he can't access the innerHTML that's returned, so I can continue to post crazy posts about my dog.

However...there's been an explosion in the last 2 years of dynamically generated sites that use javascript, and specifically JSON, to render their sites. What if blogger also generated their site using a ton of javascript, and slipped up and included my secret value inside a javascript file that they would send to my browser to assemble the form? There is no cross domain restriction on scripts included via <script src="http://someothersite.com">: the browser fetches the file with my cookies for that site and runs whatever it contains inside the including page, so a line like var secret = "..." leaves the value sitting in a global variable that my friend's page can read.

So, in step #2 above, my evil friend would not set an iframe to be the blogger blog deletion page, but would instead set up a tag like <script src="http://blogger.com/scripts/secret.js"> and then pull out the secret code. He would then create that image HTML, write it out to the page, and my blog would be gone.

JSON is a great technology, but there are a lot of web developers out there who don't realize how it ties in with vulnerabilities like this one. Think very carefully when building a site about what information to put into a javascript file on your site, what information you include in a JSON feed from your site, and who is able to fetch each of them with your users' cookies.

Wednesday, December 13, 2006

a flickr xmas gift

Santa Hat!!

the bestest easter egg I've ever seen! Draw a note with the tag "ho ho ho hat" and you get a spiffy xmas hat. wonderful.

Monday, December 11, 2006

Christmas in NYC

Walking down the streets in NYC recently has smelled like walking through a pine forest with all the little Christmas Tree vendors on the sidewalk every few feet. I keep forgetting to bring a camera to take a few pictures of them before they all disappear.

Last week I also went ice skating in Bryant Park, and hopefully I'll make it up there a few more times before the rink closes at the end of December. I've been madly trying to fit in lots of Christmas-in-NYC things this season; I know that I'll have other Christmases here but it's still tempting to try to get to everything right away! Here are some things that I probably won't be doing, though:
  1. Radio City Christmas show - too expensive, and I'd rather wait for Kate to be a little older so she could enjoy it
  2. Going to a performance of Messiah - might be semi interesting, but I don't know if I'd sit still that long
  3. Skating at Rockefeller Center - the Bryant Park rink is much nicer