Friday, December 28, 2007

black & white

kate & ana
Originally uploaded by wck
Just picked up a roll of black & white film from the summer, and I can't get over this picture. They look like they stepped right out of the 1950s. This picture is why I still shoot with black & white 35mm film instead of a digital SLR converted to B&W in photoshop. I swear I would never get this look that way... especially the texture in their dresses and the skin.

Thursday, December 27, 2007

Vegetables at Pike Place Market

Vegetables at Pike Place Market
Originally uploaded by wck
This photo is reminding me how much I miss summer. It's freezing and muddy out here recently.


Why No One Comments on Google News

Look at the comment threads on Digg, for example, or Ars Technica, or Boing Boing. Why are there such long, boisterous comment threads? Because we know that the news we are reading there was driven by human beings, and when we respond, those human beings are paying attention, and want to be part of the conversation. But Google News is driven entirely by a computer algorithm. There is no explicit community. No one goes there to engage in community. Even if one can argue, as one can with web search, that the News algorithm is derived from community actions, it is not subservient to them, as is Digg's. In short, there are no stakeholders in the Google News community. It's not a place people go to be social.

Why am I at Meetup now? Because that cheesy old quote that people are the killer app of the internet is true.

Wednesday, December 26, 2007


Originally uploaded by wck
A peaceful view of NYC from 6000 feet for a quiet week.

Tuesday, December 25, 2007


I have to write this up, lest I slip & start thinking my family might be normal. For almost a week I've been sick- sore throat, headache, whatever. Last night I was curled up in a chair, buried under blankets with a small sheltie snuggled nearby. My dad lit a nice fire, turned on the Christmas tree lights, and turned up next to my chair with a bottle of Drambuie.

Drambuie is really really sweet liquor made from scotch and honey, and if you drink it straight up, it will quite literally take the lining off your throat, and your stomach, and probably strip off a few of your teeth. It's strong. Really, really, bite-your-head-off nasty stuff. My family is cuckoo & Scottish, so whenever one of us got sick as a kid, we were treated with a nice shot of it.

So here's my dad, with his guaranteed sore throat remedy, trying to heal me. When I declined to drink any (come on, I'd brushed my teeth already!) he launched into a "you won't get better until you drink it!" speech. On Christmas Eve. Yes... we think Drambuie is actual medicine around here.

Meanwhile, I've been stumped about how to back up all the text messages I have saved on my sim card in my phone for a few days, and it finally occured to me that I should just type them out or something. So here are a few that I've been carrying around on my phone over the last 5 years.

"Happy no longer working for Gooooooogle" -my sailor 6/15/07 (yes, he put all those "o"'s in there himself. and yes, that was my last day working there)

"She said yes!" - Brian 10/22/06 (after many text messages working up the courage to propose to his now wife)

"Heh i locked myself out of my apt" - my sailor 7/13/05 (might I note that he is an actual licensed locksmith?)

"Ticket 0000XXXXX - Impact 1 - HP6 Automated warm fuzzy" - amazon's ticketing system 7/13/05 (paging me for a not so small bug)

"Hi beautiful. Miss you" - my sailor 11/12/02 (awww. he's so sweet)

round ball of fuzz

round ball of fuzz
Originally uploaded by wck
I love this photo of Declan. He LOVES the sofa in the living room (when he can't reach the doggie bed I made him that's in the green room, behind closed doors). The living room has a huge ceiling with skylights, and the upstairs hall extends to a balcony that runs across it. Right underneath is this sofa. So... you can walk across the balcony, look down, and see a fuzzy sheltie napping. Awwwwww. He's sleeping on a fisherman's cable blanket that my grandma made for me to take to college.

We had a crazy christmas around here- just like always. Yesterday Kate & I made cookie press cookies (sandwiched with apricot and strawberry jam then dipped in chocolate!) and then panettone. Mmmmmm. This morning I made scones and then we had waffles and THEN most of the presents were opened (chaos!) and then french toast. Ana and Tom, as expected, liked the wrapping paper better than the gifts.

I'd finished a quilt for each kid, so the one picture I wanted to get was each one on the sofa with their quilts, but of course that didn't happen. Maybe next year.

Thursday, December 06, 2007


canadian sunset Poli Sci 221 at Wellesley taught me two things (at least that I remember). First, what the prisoner's dilemma game is, and secondly how your brain becomes rather hard wired to see the world through the lens of the culture and background you were raised in. We were talking, mostly, about international relations and yadda yadda heavy stuff. I was reminded of it today, though, for much lighter purposes. I was talking to a coworker about how Boy would like to get back out to sea as soon as possible and the coworker asked me why he would prefer to be on a ship. Seriously, I was stumped what to say. I grew up on boats, and my summer still revolves around the lake almost completely. So, well, it makes absolute sense to me that given a choice between being at sea for a few months at a time and being in a land office, you would take the sea job. Putting that "it's so much better" into actual words, though, was rather hard. And what really stopped me was that he asked- kind of the moment where your implicit worldview becomes visible.

Thursday, November 29, 2007

the right tools

Have you ever tried to use Open Office's "data pilot" feature? It's supposed to be like Excel's pivot tables, but OH MY GOD. I wasted 2 hours on it today. Basically, we're a fast moving software shop and I want to keep tabs on our bug open and bug close rate. Traditionally, software test engineers generate little counts like this- an imaginary "bugs openedy by component" table.
Component NameTwo Days agoYesterdayToday
Product Component X2817
Product Component Y234
Product Component Z330
Looking at that table, I would see that component X has been getting more unstable, while Y and Z have been stable. So if we're going to launch, I need to make sure that more regression tests are run on X and it receives more attention.

You generate these tables by dumping a list of bug IDs by component and Open Date, then making a Pivot Table. Easy. Well... I couldn't make Open Office's "data pilot" give me counts like "8" or "3". It had 100s of columns, each with a date at the top and a "1" somewhere down in the row that corresponded to a component. That's not that useful! I want rolled up counts! And yeah, I was marking "count" on the bug IDs. Oh well... We made the table today in about 3 seconds after pulling the data in Excel.

I was a little bummed out that we'd need to be using Excel for this until I got on the train today. I even looked online to see if there were any online pivot table generator websites or open source tools. And checked AppleWorks (I was desperate).

Or rather until NJT made me sit around on a platform at Penn Station waiting to get on a train (they called our track number and then 5 minutes later a train pulled up). While I was sitting around down there something in the back of my mind started saying "hey... this reminds you of data you've dealt with before". Well, yes. This is why I adore perl, gorgeous little data munging language that it is.

1. read in data
2. split lines so you have $date, $component, $bug ID
3. create %data{$date}{$component}=$count
4. print out your perl generated pivot table
5. profit

I felt like someone all of a sudden handed exactly the right tool. Bliss. And I kind of feel bad for people who want their data pivot tabled who don't know perl (;


Kick some __
Originally uploaded by slimeduckling
taken by lenny

Monday, November 26, 2007

Grand Sichuan St Marks

Damn that is a lot of food.
Originally uploaded by teknogeek
At amazon, we were addicted to 7 Stars Peppers (that review is even written by a former amazonian (; ). Now at Meetup, I'm working on spreading more Sichuan food love. This is Meetup eating lunch together from Grand Sichuan St Marks.

Sunday, November 25, 2007

Bertrand's Island mural at Mt Arlington

The murals are an homage to the Bertrand Island Amusement Park, along Lake Hopatcong, which drew visitors to the area from the early 1900s to its closing in 1983.

Flanking the station’s entrance are two large bas-relief tile murals depicting carousel horses in teal blue, yellow and pink. A tunnel to the station is lined with hand-painted tile murals of photographs from the park’s heyday. In one from 1930, people ride on a spindly-looking Ferris wheel. Another shows visitors wading in Lake Hopatcong in 1907, when the area was known as “Little Coney Island.”

The park had about 20 rides, but one of the most treasured was the carousel, which was created by the designer Marcus Illions, said Marty Kane, president of the Lake Hopatcong Historical Museum.

- article in NYT

Wow! I used to ride that carousel when I was a tiny little kid, and one of my earliest memories is of riding it late in the evening on the weekend that my little sister was born. It was right on the lake shore, and we still sail past where it used to be. This new train station is about the same distance from my house as the train station I use now, so I might have to drive over to take some pictures some early morning.

Tuesday, November 20, 2007

Hello, poor neglected blog. Here's a picture of Declan to make up for recent quietness:

lounging dog

And a few other things
  • we had a surprise snowstorm on monday in NJ which left us with several inches of snow
  • I realized what a total nerd I am when I was asked during a demo the other day when epoch time started and I came up with "early 1970" on the spot (it's Jan 1, 1970 and god knows why I remembered the year so well)
  • I realized what a further nerd I was when I could come up with the date of epoch time overflow, which will be UNIX y2k
  • I need to write a few posts about early amazon christmases. Here's a tiny tidbit for now- when I first reported to the seattle Distribution Center, I was put on gift wrap because I was a girl. But I'm a klutz, so I got kicked out after 2 packages

Friday, October 26, 2007

mission: impossible, the cupcake version

cupcakes for dave's birthday

Ana is turning two soon, and we're having a birthday party her with cupcakes. It would be nice if she could eat a cupcake at her birthday party, so I'm trying to find a good cupcake recipe for her that she can eat. Hence the challenge... she has celiac disease, and appears to also be allergic to corn, dairy, and eggs. I can find plenty of vegan cupcake recipes (which would cover the dairy & eggs part) but they use a lot of soy milk, which usually has gluten added to it, and regular flour. And there are plenty of gluten-free cupcake recipes... which use dairy or eggs.

Vegan Cupcakes Take Over the World claims to have a few wheat-free vegan cupcake recipes. I'll probably be ordering it soon and giving it a whirl. Otherwise, it's going to be major kitchen experimentation time.

Wednesday, October 24, 2007

Verizon EVDO = 5 GB/month, now officially

Well, this certainly took long enough for Verizon to admit to.

Verizon forced to stop calling limited cell data plans "unlimited" - story on boing boing. EVDO is my only internet access, so I always keep in the back of my mind that I should be going to the library to use their wifi when I start doing a lot of downloading or uploading to flickr. I can't believe it took them this long to admit what most EVDO users have known for months.

Tuesday, October 02, 2007

October 21 NYC Breast Cancer walk in Central Park

I'm joining some coworkers to do the NYC Breast Cancer walk this month. Esther's mom had breast cancer when we were in college, and I've known a few other women who had it. If you'd like to make a donation to my team, here is the donation page, or you can find a walk near you.

Saturday, September 29, 2007

lucy's ears

lucy's ears
Originally uploaded by wck
end of the summer fun... kids and rabbits playing in the vegetable garden. Kate and Ana have 2 rabbits, Lucy and Lenny, who are the softest, sweetest little snuggly things ever. Their dad decided that the thing to do on a sunny afternoon was to toss all 4 of them out into the vegetable garden. It has a fence all the way around it... good for keeping rabbits and kids inside.

apple shirt


Friday, September 28, 2007


It was rainy out here this afternoon, and really muggy all day. I was home sick today with a headache. Not so fun. So to take my mind off it I made two shirts for Kate and and one and a half dresses for Ana. (The second one will be finished tomorrow probably.) I wasn't really in a good state to take pictures of what I made, so here is a dress from last weekend. It's hard to see from the close up, but the skirt is a 6 panel trumpet shape, which looks too cute on a 4 year old. Hopefully I'll get a "live action shot" on her soon. And yes, I went ribbon crazy on the skirt. I need to replenish my ribbon stock really soon since every dress lately has had a ribbon hem.

Dress Closeup

Monday, September 24, 2007


Originally uploaded by wck

If that isn't a "move to seattle" ad, I don't know what is.

Monday, September 17, 2007

erector set jr

erector set jr
Originally uploaded by wck
That's Kate playing with her erector set, making a little truck. She made a great discovery last week. She was making some brownies from a mix that I'd bought, and she turned to her mom and announced, "Aunts buy more brownie mix than moms do." That's right, she's 4, and she's discovered correlation. I've long maintained that successful software testers need to understand two things: that correlation does not necessarily imply causation, and how to make and test a hypothesis. So since Kate has correlation down she's on her way to being a nerd.

AB Testing

37 signals just did a blog post on "Secrets to Amazon's Success. Here are my favorite three points:

Use measurement and objective debate to separate the good from the bad. I’ve been to several presentations by ex-Amazoners and this is the aspect of Amazon that strikes me as uniquely different and interesting from other companies. Their deep seated ethic is to expose real customers to a choice and see which one works best and to make decisions based on those tests.

Getting rid of the influence of the HiPPO’s, the highest paid people in the room. This is done with techniques like A/B testing and Web Analytics. If you have a question about what you should do code it up, let people use it, and see which alternative gives you the results you want.

Have a way to rollback if an update doesn’t work. Write the tools if necessary.


That matches up to two of the biggest things that I learned at amazon- you don't know what your customers will do, so you shouldn't guess, you should A/B test. And you're going to screw up unbelievably, and constantly, so you need instant rollbacks. Here's the thing. Amazon was my first job out of college, so I really didn't know any other way to do things. One of my first testing jobs there was to test the very first automated A/B mechanism on the retail site (a version that had died long before I ended up leaving the company- like all features I worked on my first few years, it was re-done a few times to be better than the first version). Testing it wasn't all that fancy, we just checked that visitors were dropped into buckets, saw the treatments tied to those buckets, and reporting worked correctly. The bigger impact on me was the lesson that this was the most important way that new features were going to be launched. It's an incredible testament to the success of A/B testing in the company culture that when I left 7 years later, nearly every new update (and even little tweaky things) to the site was launched initially as an A/B test. Russell used to have all of his launch plaques up on the desk over his wall, with a couple flipped upside down. The upside down plaques were- yes- the projects that bombed in the launch A/B testing phase.

I couldn't even begin to describe the number of rollbacks we did over the years. If you can think of it, we screwed it up. The important part was that we could recover quickly by backing out the change, and that we had a culture of learning from the screwups. In the retail world, there was a tradition of writing "How I broke the website" emails. I will admit to writing a couple- they went out to all the engineers, and carefully analyzed how you had, well, broken the website. You discussed how the problem should have been caught, and what you were going to do differently going forward to prevent that from happening again. Now that I've been at some other companies, I can see how critical the emails were. Breaking things was bad, but more important was sharing how you messed up, and taking the time to do a post mortem of the mistake, and then freely circulating the information. It wasn't the mea culpa that mattered- although accepting responsibility was a big part of it. Larger, really, was the learning you shared with the teams, and the environment where you learned how to recover gracefully from large messes.

37 signals mentions the 'just do it' awards that Jeff handed out. Less known outside of amazon are the 'door desk awards'. I'm not sure that they're still given out, but they used to be handed out at every All Hands meeting. A door desk award was similar to a 'just do it' award, but it was given to an individual who tried something- without their manager's approval- and failed. Their feature bombed in an A/B test, their code blew up, the project never launched, whatever. It was another piece of making an engineering culture where you should just go for it, because failure wasn't the end of the world.

Tuesday, September 11, 2007

declan's blog


What I've been up to in the last month since I posted here: going to the beach with Kate & Ana, starting a blog for declan, riding the PATH and the ferry to work and enjoying a mostly-Penn-Station-free month, visiting the midwest for a wedding, and watching Thomas grow even bigger. Farewell summer!

Friday, August 10, 2007

Hey, my biggest daily annoyance inspired a PopGadget post! I've had a 3M privacy screen on my laptop for ages because of all the people who would blatantly lean over on the train to see what was on my laptop's screen. Since I have EVDO, it was often work related, which was not so much something that I really want random people on NJT to see. Chrissie saw my screen a few weeks ago when I had to take it off to show her photos of declan, and now she has a post up on PopGadget about it. Neat. I really think they should come standard on laptops.

Thursday, August 09, 2007

headphones & apple

Andrej's post on Apple design details reminded me of two Apple details that I recently discovered. They are great little detail-obsessive easter eggs. I noticed the first one at work a day ago- my macbook was muted, then I plugged in my headphones and went to change the sound level and noticed that it had updated to the level that I'd had it at last time I'd had headphones in it. Amazing! When I showed that to a coworker, he showed me how the ipod will pause your music if your headphones come unplugged. Those are such small details, but they're exactly the sort of tweaks that make a great product, ones which show that designers really use and play with their products when creating them.

Wednesday, August 01, 2007

A new icon for the city

The Eagle
Originally uploaded by wck
I walked across the new Olympic sculpture park in Seattle again this evening, watching everyone taking photos of the Eagle sculpture. It's been so fascinating to see how this one particular piece is really almost emerging as a new iconic image of Seattle. Flickr (which has tons of images of it) and the proliferation of digital cameras have certainly led to the ability of a new view of a city to crystalize. It's a gorgeously captivating piece, on its own, and mesmerizing in its location. Experiencing it person makes a strong impression, especially at sunset.

Monday, July 30, 2007

visiting seattle 101

tenzing momo
I haven't had a great family vacation in a few years, so this past weekend when my cousins and aunt and uncle visited Seattle was tons of fun. I'm still out here for a while longer, hanging around Belltown, but they were only in town for 4 days. So my cousin and I took them all around to see the city, and I figured I'd list our itinerary here, since it's a decent list of things to see in one of my favorite cities.

Day One Arrive at Seatac, travel to Belltown to drop off luggage. Walk to Pike Place Market, make sure to pick up some good food at places like Piroshky Piroshky and Daily Dozen Doughnuts. Walk down First Ave to Harbor Steps. Walk halfway down Harbor Steps to Post Alley, head down to Pioneer Square. Stop in at lots of galleries, make your way to Cafe Umbria for an affrogato (espresso poured over gelato) and eat it on the chairs in the courtyard area. Then either catch a free route 99 bus up to Belltown, or walk back. Cook what you got from the market, eat dinner on a deck with a view of Elliott Bay.

Day Two If you're here on the right weekend, travel to Bellevue for the Bellevue Arts Fair. Marvel at all the crafts. Duck into Nordstroms. Eat some ice cream for lunch. Head home to Belltown, walk around the neighborhood a bit, then go up to Golden Gardens Park for the sunset. The beach is great in the evening, even if the water is freezing. If the art fair isn't around, you could go to Woodland Park Zoo or Volunteer Park.

Day Three If it's Sunday, go to Fremont for the Sunday Market and brunch and shopping. If you're feeling ambitious, you could also head over to Ballard. Head home after lunch, walk around downtown, then cook up some more food from Pike Place Market and watch a movie.

feeding koi
Day Four Tour the Olympic Sculpture Park and the Space Needle. Head up to the Japanese Garden in the Arboreteum, then go out for some Thai food. Afterwards, you could fit in a ferry ride.

There, that's the perfect four day visit to Seattle! The most important piece is huge dinners every night with everything from Pike Place market- squash soup, big salads, green beans, olive bread, skagit mud brownies, fruit pies and tarts, and lots of family.

Monday, July 23, 2007

My Best Friend's Wedding

This past weekend was busy busy busy, but one of the best ones I've ever had in my life. I'm out in Seattle, where my best friend just got married yesterday!

Brian & Josalyn are incredibly lucky to have found each other. I've had the chance to see how great they are together for the last couple years. Finally meeting so many members of Brian's family who I've talked to on the phone and heard stories about for years was a great experience, as was seeing so many Amazonians gathered for the party. There will be photos soon- I shot using my Canon EOS 7 (I believe I went through 10 rolls of 35mm with it) and Brian's Nikon DSLR that I used until the batteries ran out. Yes, I ran around the whole wedding with two huge cameras around my neck. Now I wish I could pull some pictures off the DSLR this morning but the battery charger is on the other side of Seattle's downtown. Considering the logistics involved in the wedding, having something small like that be the biggest problem is a great state to be in!

My two wedding jobs were to get Brian, his best man, and the groomsmen into the car and to the wedding on time- we accomplished that- and take lots of pictures. That left lots of time to have fun at the wedding and get to talk to Brian's family, so many "It's great to finally get to meet you after all these years!" were exchanged.

After brunch on Saturday, of course, I got my Harry Potter book from amazon. I snapped a few pictures of the great custom box before I tore into it. As the wedding started on Sunday, I'd managed to get all the way to the last 100 pages. I'd been cramming it in between the rehearsal dinner, the pre-wedding pictures, a few pages here and there. When I got home after the wedding last night I sat down & finished it up. It was very well done, and I enjoyed it a lot, quite a bit more than the previous one which I'd felt was a little weak. I'm not giving away any spoilers, but it's a fantastic read. I will admit I yelled at the couple a few months ago for planning the wedding on the Harry Potter release weekend, but it was fun sneaking in reading a few chapters in the middle of our parties & picture taking.

Thursday, July 19, 2007

awww baby

The following items are being prepared for shipment by
Qty Item Price Shipping Subtotal
--------------------------------------------------------------------- items (Sold by, LLC) :
1 Harry Potter and the Death... $17.99 1 $17.99

Wednesday, July 18, 2007

Why Javascript Remote Procedure Calls beget more Cross Site Request Forgeries

This is going to be a long blog post. I've tried to cut it down, but I've been thinking a lot about this topic for over a year and it's hard to walk all the way through this vulnerability without explaining a lot.

A few days ago I posted a small rant about how there were no "web 2.0 vulnerabilities" that did not also affect older websites. While that's true, the increasing popularity of sites using various javascript RPC methods is definitely leading to a rise in XSRF vulnerabilities, and I wanted to write something on my thoughts on why that is.

I'm not going to talk about vanilla-HTTP-form-post-with-no-secret-token cross site request forgery here. That vulnerability has been about unchanged for a long time, and I'm going to pretty much ignore it- I don't have anything new to say on it at the moment.

In 1995, when I first had web access, websites were pretty basic in comparison to what we have now. To run, say, a search engine, you'd have a handler on a webserver that took user input and wrote out response HTML. It might branch off a new process to do a search, depending on the software, and then it would collect the responses and return them via HTTP to the browser.

Very shortly webpages started getting a little bit more complex. When these first dynamic web pages were made it was very difficult to decouple "backend" software from the pages that it generated. There might be a database behind the web site, and maybe that was on a different server. Most likely, though, the code that wrote to the database was wrapped up in the same binary that generated the HTML for the webpages and processed the inputs and all that was just on one webserver. Everything would be in, perhaps, 1 perl file and a few perl modules.

RPCs, Services, and tiers

So then, "services" started to appear. And front end code, that printed out HTML, was often split out into new binaries, and CSS arrived. So we got some decoupling of "code that writes HTML" from "code that inserts data into the DB" in larger websites. Soon, "code that inserts data into the DB" was moved off to another server entirely. It was the start of "multi tiered" websites.

This is a great way to build complicated websites, and there's so much written about multi tier website architecture that I'm not going to explain it here. We'll just note that the middle tier servers that, perhaps, performed various actions and returned data to the web front ends probably had a bunch of protections in place limiting who could talk to them and involving swanky authentication. And this was generally over internal network connections, entirely within a particular data center. More service layers might be written, caches added and so forth, but the general architecture was the same. So let's say that a site wants to display to a user "here are the groups you belong to".

Probably this was what happened:
1. the user clicks to a URL like "", and the browser sends her login cookie with the request
2. the webserver gets the request and determines it's user "annika" from the cookies
3. the webserver software assembles a request object for the groups that user "annika" belongs to and makes a request to a middle tier server over some networking protocol (over an internal network connection, remember)
4. the middle tier server works magic and assembles an object that holds annika's groups, then dispatches the result to the web server software
5. the web server parses the groups object and builds a HTML page to display the data. that is returned to the user's browser via HTTP

Web 2.0
In recent years, a lot of sites have realized that you can make RPC calls in javascript. (RPC = Remote Procedure Call. Again, there's a lot written on this on the web so I won't explain it much here) This is pretty cool, website applications no longer are bound by "click, load a page, click, load a page" and can now behave more like desktop applications. I think that this is a good thing in general. Again, many other people have written wonderful things about the rise of web services and Ajax and mashups and "the programmable web."

But now in the programmable web world, developers don't want to have to make the user go to a new page to see, perhaps, that they joined a cool group on a social networking site. They want to be able to show the user "here are your groups" on the page that they are on right now.

The browser rendering the webpage makes a GET or a POST to get the groups data, but it might talk directly to the server that used to be "the middle tier server" sitting alone in a data center and only speaking to the frontend web server. In the new model, it might talk directly to browsers. Or the code that ran on it might now run on our webserver. The data isn't just going over internal network connections, so you can't easily limit what IP addresses can make these RPC calls- it's now the users browser making the RPC call, from the user's IP address. The data that it returns is in a nice, portable format generally, like a javascript list.
Remember those steps above? Here's what they are now:

1. the user performs an action that triggers a "getGroups" function in the "myutilities.js" file (that the page we're on included)which perhaps triggers a getXMLHttpRequest (or similiar) call to the webserver. Then the browser sends her login cookies along with the javascript-triggered HTTP request.

2. the request goes not to the webserver software that wrote the HTML but maybe gets forwarded right to the middle tier (potentially via some URL rewriting on the server side or a some other methods)

3. the middle tier server inspects the cookies it was given, sees that they belong to "annika" and works magic and assembles an object that holds annika's groups, wraps it into a javascript list object, then dispatches the result to the browser

4. the browser takes the returned JS and writes it to the page that annika is viewing

So what just happened? For one, we changed who can make the RPC calls and who can access the data returned by it. And we changed the format of the request and the format of the response.

Notice how we lean only on cookies for authentication now. This is where I tend to lose people- there are still all those "determine user" steps in there, so it might look more secure. It's not.

An Explanation of what's broken
What happens in that scenario is that calls like <script src=""> - what we made above- can be placed on -and then calls to its getGroups function will work. And the site is sending back data in a format that can be used on any third party website making the RPC call.

If we have a call to's getGroups fuction on, the user's browser will send the cookies along with the getGroups function... even though the function was called from a page that comes from That just jumped us out of the usual javascript Same Domain sandboxing. The groups will come back in a javascript list and be readable by the javascript on - we used the user's credentials to request data that we want which we wouldn't be able to request on our own. I could maybe see MY groups, but without this technique, I can't see Annika's groups short of stealing her password.

Where most of the security vulnerabilities arise that I've seen is that people don't stop to think about disclosing private data. I've seen a few account change actions disclosed this way, but not as many.

What's mostly happened is that there's been a wrapper put around some old backend libraries to expose them via javascript, and then those have been used on the site. Let me point out something here- even if we did not remove the "talk to web server, web server talks to middle tier server, middle tier server returns an object" steps, this would still be insecure. The fact that we can call this code from any third party site but have the orginal site's cookies get sent is what's insecure. And the format that the data comes back in allows it to be potentially read by the third party site.

Another clarification here- for private data disclosure bugs, we need to have the return data from in a format that the rendering webpage on can read. For account information changing bugs- where hitting a URL will, for example, mark that "I give this group 4 stars!", the return data does NOT need to be readable by the page on

Fixing this
Can this be fixed? Yes, absolutely. It's just that I've seen a lot of naive implementations of frameworks of this sort. And a lot of people try to fix this and fail.

What is a bad fix? Checking referral headers. There was a way to use flash to break that, and it was fixed (but who knows how many users upgraded their flash to the fixed version). And now there's a new way to do it again... I wouldn't rely on that staying fixed. Using POST only isn't going to cut it either.

What is a good fix? Make sure that you don't return a JS list or other eval-able JS code in step #4 above. Boobytrapping is good. I linked a few days ago to a site which shows good and bad ways to return data from RPCs, but here it is again:

This post is really a work in progress because I'm still trying to figure out how to explain all this in a way that's clear. Criticism and feedback welcomed, my email is on my domain's homepage.

Tuesday, July 17, 2007


Originally uploaded by wck
Thomas actually isn't really so teensy- he's almost to 12 pounds. And still the cutest little nephew ever. I love this picture, which my sister took- it's my cousin Chad holding Thomas a few weeks ago. He's such a laid back little baby, so unlike Ana who was fussy and really loud when she was fussy.

Automatically fuzzing for XSRF

Planet Websecurity has a great blog post up about the state of XSRF testing. In particular, there's a section that calls out one of the big difficulties in writing an XSRF fuzzer that would be as useful as most XSS fuzzers. This is mostly due to the fact that fuzzers, as they are mostly written now, use input/output matching to automatically flag vulnerabilities.

It is hard to write a zero knowledge signature for XSRF that is *accurate*. - Planet Websecurity

(it appears that the original of this post is over on O'Reilly: The Complexities of Assessing XSRF Automatically Yet Accurately by Nitesh Dhanjani)

It's true, it's not simple. It's not impossible, though, to write a generalized XSRF fuzzer. First, the fuzzer should be able to record a web app login and use it for fuzzing. Then there are three things to think about:
* the fuzzer should try every GET/POST both with the login cookies and without them
* it should try every POST request that it came across as a GET as well
* it should try GET/POST requests by swapping different subdomains or swapping out the subdomain

The reason to do the first is to identify actions that react differently when the user is logged in/not logged in (and flag ones where it's different as potential XSRF surfaces). The second one is similiar- web developers who are aware of XSRF sometimes try to protect their apps by making requests only work through POST (hint to those developers- that's not a good fix). The last one is because those developers also try to protect their web apps by only taking POST/GETs that modify acct information on certain subdomains of their website. Sometimes they do this for the same reason as the POST-only limitation, and sometimes they do it because they're trying to protect against XSS.

Why? If there's an XSS hole on and all the account changing actions have to be done on, you can't use the foo subdomain XSS to do a XSRF request on the abc subdomain because of the javascript engine's sandboxing. In addition, cookies will not be sent along by your browser with a request to Note that cookies, though, go to both.

Monday, July 16, 2007

more web security

So it appears to me that when it's in the upper 70s and not too humid, Greenwich Village is one of the most wonderful places ever. This evening I had a nice walk across Washington Square park...beautiful. So wonderful. How many times am i going to post "OMG I love this city?" Probably a bunch more until the crush wears off. I really can't believe how lucky I am to get to be here.

I realized this afternoon that googling for "json xsrf" will pull up my December post on this topic in the first set of Google results. That's pretty scary, seeing as I totally waved my hands around on that post and said "be careful" and not much more. And, well, I'm a big webapp sec nerd, but I'm not a javascript expert and certainly not anything like one of the most knowledgeable people on webapp sec.

If you want to really learn something useful about how to secure your JSON from XSRF holes, go read these two blog posts instead:


What really concerns me, though, is that there is a lot of FUD out there about "web 2.0" security. There are no web application vulnerabilities that apply ONLY to "web 2.0 websites" (whatever those really are). XSS is still an issue, but getXMLHTTPRequest does not, on its own, make that any bigger of an issue. Really, there are very few actual new web application vulnerabilities. (I'm still digesting the stuff about registered URL handlers- I think that might be a new one, although it's obviously also tightly coupled with xss and xsrf.)

If you want to shut down XSS entirely on your site, there's very little you have to do.
  1. escape <, >, single quotes, double quotes, and backticks in EVERYTHING you EVER get from a user, even if it's a cookie value that you think you put on their computer, even if it's a text string you think you're just writing to a database and never looking at
  2. Explicitly set your charsets on every single page
  3. Rewrite any user uploaded images that you present back to other users
  4. escape or strip out every \r\n
  5. be mindful of your charsets and character encoding

There. I swear, that will get you 99% of the way there. Ok, yes, re-writing images is a holy pain in the neck. but necessary.

XSRF is a little harder. Not much, but it's not as dead simple as XSS is. There is one fix for it that will work incredibly well, but you had better not have a XSS hole on your site and you need to devote the computational power to fix it.
  1. Generate secure one time tokens for all of your "account modification requests" (for lack of being able to think of a better phrase)
  2. Now check it on every single request and never ever let user B's token work on user A's information

That will cure most xsrf problems... if you don't have an XSS hole on your site. If you do, go google "samy is my hero" to see why you're hosed. One of the interesting parts of security web applications is that all of these vulnerabilities play together. You can do a lot of dumb stuff with XSS like drawing new login boxes to go phishing with, but you can also leverage it to expose xsrf holes in an otherwise secure web application. It's all a big house of cards, because of the statelessness of the web (even so called 'stateful web 2.0 apps' are not really stateful. they fake it by and large) and the craptastic rendering engines we have out there.

Like I posted back in December, and as the two JSON/XSRF blog posts above discuss, you need to think a little more about what information you pass back in JSON, or use it in a way that will protect you from yourself (ie only return code that needs to be tweaked before you eval it). The way that <script src> breaks out of the javascript sandbox is confusing. Go read those blog posts above, they're clear and come with actual sample code.

I was talking with a web dev today about why he had a XSRF hole with some RPC calls that used cookie authentication and returned JSON. He inadvertently pretty much summed up why we have web application holes despite this stuff not being rocket science. He was saying "but we modify the RPC's response before we eval the code... oh wait, just because we modify it doesn't mean you have to. I see, I need think about what other people can do not what we do." That is pretty much what all this rambling sums up to.

I'll write something soon summarizing web services and feed vulnerabilites, but as I noted above about so called web 2.0 vulnerabilities... it's nothing new and it's nothing that only touches them. And of course none of this even touches on SQL injection, buffer overflows, or attacks on specific pieces of software such as exploits against the linux that a particular website might run over.

Friday, June 29, 2007

apricot sunset

The sunset from the train window this evening is a fantastic apricot color. I just had a great evening walking around Greenwich Village with a friend- we got sandwiches, got lost, walked past the house where my maternal grandma grew up, and then got some delicious hazelnut gelato. Yum. It was an evening to remind me why I moved to NYC, there is really no where else quite like it. I do miss Belltown incredibly and I'm looking forward to spending a few weeks there soon, but it's hard to top the Village when the weather is perfect on an early Friday evening.

And to go with my appreciation of life as a Jersey girl, I'm listening to some 80s hair metal music on my ipod- Jump, Come on Feel the Noize, Lay Your Hands On Me. Also in there is Hunger Strike by Temple of the Dog because I realized recently it's long been one of my underappreciated favorites. I'm sitting sideways on the train, watching the sun setting out the opposite windows, just enjoying the glimpses of the sun through the trees as they run past. If summer could last forever I would freeze it right here.

Monday, June 25, 2007

USCGC Biscayne Bay

Originally uploaded by wck
I need to find my old HEALY photos. Would someone like to volunteer to find them on one of my old backup CDs? I've been on vacation, but I haven't gotten anything useful done with all this time, like organizing my photos. So here is one of the few photos from Dan's boats that's on flickr, from the USCGC Biscayne Bay in Michigan.

Friday, June 08, 2007

going places

My to-visit list next week:

* Ryan told me that decent lattes are available in Manhattan! at 9th St Espresso. I didn't make it this week, so I plan to go next week
* Battery Park City. I've never been to it, and it sounds like an interesting place to see
* The Christopher St PATH station, to see how long the walk to SoHo from it is

Thursday, June 07, 2007

navy blue

This evening I stumbled over an old blog post I'd written about remembering what Dissolved Girl sounds like. It made me pause for a moment and think about my color memory vs my sound memory. I stopped at MJ Trim this morning to pick up a ribbon to match some green and blue material, and I've got the ribbon I picked out next to me. I haven't yet laid it next to the fabric it will go with, but I don't need to. For whatever reason, I can picture colors of things I've seen perfectly in my head, and when I looked at ribbons this morning I could see the exact olive and navy shades that I needed to match. Compared to my memory of songs, which are little soft, too loose, memories that unravel rather than get crisper when I dive in closer. Anyway. I like my color memory, but I wouldn't mind having a better memory for songs. When I read a lot of what I've written about music, I talk about what I see when I hear it and describe it in terms of spaces it suggests. I have a one track visual mind sometimes.


This page, on the evolution of "kittah"/"lolcat" speak, was making the rounds today, and since I wanted to bookmark it so I'd be able to find it in the future, I figured I'd just toss it up on my blog.

A Special In-Depth Analysis of the cat image macro speak world.

On a similiar note, I was thinking this week about 1800s era novels. There's a particular feature of many of these novels that characters are called "Mr. R---" or "Mrs. L---". It's kind of cute, and occurs in a lot of writing from that time. This came up because I had four different conversations with friends who I've worked with in the past/work with now and in each coversation we were typing "A" and "G" (where "A" == and for today you can guess what "G" is). This occured independently in each of those separate conversations, and it occured to me that it's a sort of convention among some circles these days to refer to employers by a single letter. For one, it's much shorter to type, but for another, it's a weak defense against the monitoring of email/IM/network traffic/etc that we all know goes on. It's just a little quirk that I noticed, and I was kind of fascinated how conversations adapt to limitations like the realization that the text being transferred between the participants is almost certainly being logged somewhere. Anyway, go read the kittah blog post. It's a neat analysis.

Saturday, May 26, 2007


Originally uploaded by wck
Isn't he just the cutest little boy ever? He's finally waking up a little and peeping around instead of sleeping nonstop.

Friday, May 25, 2007

a snowy treat

I almost burned to a crisp walking through the West Village today (easily 90F) so here's a nice, cool, snowy treat- Declan in a rare Seattle snowstorm!

Winter 2003

Friday, May 18, 2007

Lullaby of London

I haven't posted about music in a long time, and certainly not the long essays I used to write. One part of that is that I've been too busy to track down new music much these days, and I'm now cut off from Amazon's great music editors.

One piece of music that I've recently fallen for, though, is "Lullaby of London" by the Pogues. It's probably about as old as I am these days but it's a beautiful song. When I first moved to NYC, I was working in Times Square, but moved down to Chelsea at the end of last summer. Midtown and Times Square are quite literally the canyons of NYC while Chelsea and the West Village area are not so tall. One bitterly cold day this winter, I set out up 7th Ave to walk to Penn Station, with the Pogues playing on my ipod. As I walked up 7th, wrapped and bundled in a coat and scarf to my eyes and still shivering, I sort of fell into this song. As I kept walking, the huge towers of Midtown started looming over me, making the wind sharper and colder and darker. It all fit together, the appearance of the gray bleakness near Penn Station, the cold, this incredibly beautiful song. Whenever I have to walk up 7th Ave, even now in the warm spring, I try to play it at least once, as it's so tied to this one area for me.

Lilacs and Rhubarb

I left work early today, and my grandpa met me at the train station so that we could pick rhubarb. While we drove over to his farm, which is very close to the train, we talked about the Mets game I'd seen yesterday (I'm a lifelong Yankees fan, but I will happily admit that was a truly inspiring 9th inning yesterday!), and baseball games he went to when he grew up in Quincy, Mass. Then we went out to the field and picked tons and tons of rhubarb. As always, he tried to get me to take a bite of one of the stalks, which I didn't fall for. Rhubarb with strawberries and lots of sugar in a pie is wonderful. Raw rhubarb is...bitter.

Their lilacs are all blooming, so I also picked some of those, and a bit of arugula. What inspired this blogpost is that I just yawning and rubbing my forehead and I smelled the rhubarb and lilac on my fingers still. That's what spring always smells like to me, a sharp mixture of both tangled together.

Tuesday, May 15, 2007

Kate on the Train

Kate on the Train
Originally uploaded by wck.
and to go with my other train post, here is Kate riding the train into NYC


Sometimes I wonder at the ability of my brain to drive down to the train station and get on the right train on basically autopilot every morning. My brain is not particularly functional before I've had 2 cups of coffee, and I only have one before I leave home. This morning was a nice example of how useless I am uncaffinated; last night I'd sat on the right side of the train heading out from NYC and had horrible sunglare in my eyes the whole way. This morning in picking a seat my logic was:
1. the right side of the train had glare going West
2. we are now going East this morning
3. so that means that the right side of the train is on the other side in this direction
4. I'm sitting on the right side
Of course, you see the flaw there, right? Yes... the sun comes up on one side and goes down on the other. So I'm riding along... with the sun right in my face again. Oh well!

Saturday, March 10, 2007


Originally uploaded by wck.
We went to Morristown today to watch the St Patrick's Day parade. Declan got quite into it- he said hello to every single person sitting near us, and he loved all the dogs walking by in the parade (Irish Setters! Irish Terriers! Irish Wolfhounds! Seeing Eye dogs!). He had a cute little shamrock kerchef around his neck, so he fit right in with all the dogs wearing green.

Sunday, February 11, 2007

Sunset at 7000 feet

Sunset at 7000 feet
Originally uploaded by wck.

Sunset as seen flying over NJ, heading back to Rhode Island last night. The Air and Space museum at Dulles was lots of fun!

Friday, February 02, 2007

Dahlia Bakery I've been missing Dahlia Bakery and Macrina incredibly. There are some nice bakeries in NYC, but I got terribly attached to both of those places in Seattle, so nothing here is stacking up. To console my sweettooth, I recently bought Baking at Home with The Culinary Institute of America, which is an awesome baking cookbook. It has little sections on various dessert types, and each opens with some notes on technique. So far I've figured out how to make these:
  • sabayon (yum!)
  • chocolate sabayon torte
  • truffles
  • buttercream cake
  • sponge cake
  • lemon buttermilk cake
  • Raspberry coulis sauce

I've made a few other recipes, but I haven't exactly mastered them yet... created mushy messes would be more like it. One important recent discovery: the kitchenaid whisk mixer is a necessity for sponge cake, just as the recipe says. Fail to use it, and you will end up with something that falls in on itself.

Monday, January 08, 2007


I love traveling, but somethings things start looking a little crazy. I'm trying to figure out my schedule for one weekend in Febuary, and this is what I think I'm going to be doing:
Friday morning: skiing in Vermont
Friday afternoon: go to NYC
Saturday morning: train to Providence, RI
Saturday afternoon: fly to Washington DC
Sunday morning: fly to Rhode Island
Monday morning: train to NYC
I believe I'm going to wake up on Monday and not know where on the east coast I am.