Monday, January 08, 2007

Bounce

I love traveling, but sometimes things start looking a little crazy. I'm trying to figure out my schedule for one weekend in February, and this is what I think I'm going to be doing:
Friday morning: skiing in Vermont
Friday afternoon: go to NYC
Saturday morning: train to Providence, RI
Saturday afternoon: fly to Washington DC
Sunday morning: fly to Rhode Island
Monday morning: train to NYC
I believe I'm going to wake up on Monday and not know where on the east coast I am.

Friday, December 29, 2006

chili

Today over lunch at d.b.a. we discussed different chili recipes. My favorite is still black bean chili with masa harina; this is a recipe I sort of made up a while ago from various recipes I've tried in the past.

2 Tbs. ancho chili powder
2 Tbs. ground cumin
1 tsp. coriander
1 can black beans (goya works fine)
1 28 oz can of whole tomatoes (or you could use crushed or whatever)
Olive oil
1 small yellow onion
2 garlic cloves
2 Tbs. masa harina

  1. chop up the onion and garlic cloves, put it in a pot with some olive oil & cook for a few minutes
  2. add chili powder, cumin, coriander
  3. add black beans (drain off some of the extra water first if there's a lot in the can)
  4. stir
  5. add tomatoes
  6. stir, bring to a boil over medium high heat
  7. let it boil for about 5 minutes then lower heat to low
  8. cook at least 30 minutes, but you can leave it on low heat for much longer if you need to
  9. 5 minutes before serving, mix in masa harina to thicken, stir until it thickens

Saturday, December 23, 2006

ice skating

Kate went ice skating for the first time yesterday, in the cutest teensy hockey skates. I had to hold her upright the whole time, but by the end her feet were only sliding out from under her every 3 seconds instead of every .0000001 seconds. Progress!!

Afterwards, we went over to Fosterfields to say Merry Christmas to the animals. Calvin and Hobbes (the Belgian draft horses) came over to say hello when we got there, and Hobbes decided that my scarf was dinner and tried to eat it. So I got horse slobber all over my shoulder. blech. But he's a cute guy so we forgave him. Their coats are really thick for winter already! Then it was time for all the animals to get dinner- the two farmers walked Calvin and Hobbes into their stable, rounded up the 3 cows (Calico was more interested in saying hi to us than going inside), and collected the turkeys. Kate said hello to the cat (named B.C. for barn cat) and all the chickens and roosters. We didn't stay around while the sheep were fed, but they were all clustered at the gate waiting their turn when we left.

When we got home, we made Red Velvet cupcakes for Ana's first birthday. Yum!

Wednesday, December 20, 2006

so that's how you do it

From a Wall Street Journal book review of Citizen Marketers:

"The key was the more recent development known as Web 2.0. Powered by XMA, a computer language that makes it easy to merge data from any number of sources, Web 2.0 has transformed the Net from what was largely a platform for micropublishers to a free-floating community forum that encourages multimedia participation by anyone with a broadband connection."

Aha. So nice to learn that I haven't been writing multi-tiered database backed websites with AJAX web frontends and RSS/Atom feeds, I've just been doing XMA. ;-)

ps the article is over here if you have a wsj.com login

Friday, December 15, 2006

Javascript and XSRF

XSRF (or CSRF) stands for "Cross Site Request Forgery" and is a class of web application vulnerabilities. It's a fancy term for a fairly simple "exploit" -- really, I think exploit is far too fancy for this. Let's say that I'm logged into Blogger, writing this blog post, and I have a few other Safari tabs open at the same time. My browser has Blogger cookies that are "active": whenever it sends an HTTP request to blogger.com, from any tab and for any reason, it attaches those cookies, and Blogger matches them up with my current session.

So now let's imagine that Blogger has a form on its site for removing your blog. If you submit the form, you might post to "blogger.com/deleteblog?delete=true" or something along those lines, and your blog would be gone. If my friend decided that I'd been posting far too many annoying blog posts about Declan and wanted to nuke my blog, he might set up a page on his web site that has this HTML code on it:

<img src="http://blogger.com/deleteblog?delete=true">

He would then send me a link to the page, or post a comment on my blog -- anything to get me to load the page that contains that image tag. When my browser loads that page, it tries to fetch that image by sending a GET request to blogger.com. And if I was still logged into my Blogger account in another tab, it sends along my Blogger cookies. So Blogger would see a request to delete a blog, with my Blogger cookies, and it would... delete my blog. Note that my friend never sees my cookies or the response; all he needs is for my browser to send the request. Making the form POST-only doesn't save me either: instead of an image tag he can put a hidden form with method="POST" on his page and have a line of javascript submit it as soon as the page loads.

The generally recommended way around this is to also require a "one time code" as a confirmation (sometimes called a synchronizer token). Blogger would create a hard-to-guess token, tie it to my session on the server side, and insert it into its "Delete Your Blog" form:

<input type="hidden" name="secret" value="1234567890SECRET0987654321">

The value, of course, should really be something much harder to guess than that code -- long and random enough that nobody can brute force it -- and a new value should be generated every time the page is served. So now Blogger will only delete my blog if the post to "deleteblog" carries the secret value that matches the one stored for my session. If it doesn't match, or is missing, my blog is not deleted. The whole defense rests on one assumption: a page on some other site can't read that value out of the form.

If javascript did not have the cross-domain restrictions that it has, my friend could insert some javascript into that page he wants me to visit that would:
1. create a hidden iframe
2. set the source of that iframe to the Blogger "do you want to delete your blog?" page which holds the form (remember, my browser issues that request, so it gets issued to blogger.com with my current cookies)
3. grab the innerHTML of the iframe's document and regex out the "secret" value
4. write out an image tag that sends along my current secret:

<img src="http://blogger.com/deleteblog?delete=true&secret=1234567890SECRET0987654321">

Thankfully, javascript does have cross domain restrictions (the "same origin policy"). My friend can point a hidden iframe on his site at the Blogger "do you want to delete your blog?" page, and my browser will dutifully load it with my cookies, but script on his page can't access the document that comes back, so I can continue to post crazy posts about my dog.

However... there's been an explosion in the last 2 years of dynamically generated sites that use javascript, and specifically JSON, to render their pages. What if Blogger also generated its site using a ton of javascript, and slipped up and included my secret value inside a javascript file that it sends to my browser to assemble the form? There is no cross domain restriction on scripts included via <script src="http://someothersite.com/..."> -- the browser fetches the file with the cookies for someothersite.com, but runs it with the privileges of whatever page included it.

So, in step #2 above, my evil friend would not set an iframe to the Blogger blog deletion page, but would instead put a tag like <script src="http://blogger.com/scripts/secret.js"> on his page. If that script does something like var secret = "..."; his page just reads the variable afterwards; if it hands the value to a callback function (JSONP style), his page defines the callback itself and gets called with my secret. He would then create that image HTML, write it out to the page, and my blog would be gone.

JSON is a great technology, but a lot of web developers out there don't realize how it ties in with vulnerabilities like this one. Think very carefully when building a site about what information you put into a javascript file on your site, and what information you include in a JSON feed from your site. A useful rule: anything served at a URL that a <script> tag can load, and that changes depending on who is logged in, should be treated as potentially readable by any page the user happens to visit. Keep secrets and per-user data out of script-loadable responses, or require something a third-party page can't supply (a POST, a custom request header, the token itself) before serving them.

Wednesday, December 13, 2006

a flickr xmas gift

Santa Hat!!

the bestest easter egg I've ever seen! Draw a note with the tag "ho ho ho hat" and you get a spiffy xmas hat. wonderful.

Monday, December 11, 2006

Christmas in NYC

Walking down the streets in NYC recently has smelled like walking through a pine forest with all the little Christmas Tree vendors on the sidewalk every few feet. I keep forgetting to bring a camera to take a few pictures of them before they all disappear.

Last week I also went ice skating in Bryant Park, and hopefully I'll make it up there a few more times before the rink closes at the end of December. I've been madly trying to fit in lots of Christmas-in-NYC things this season; I know that I'll have other Christmases here but it's still tempting to try to get to everything right away! Here are some things that I probably won't be doing, though:
  1. Radio City Christmas show - too expensive, and I'd rather wait for Kate to be a little older so she could enjoy it
  2. Going to a performance of Messiah - might be semi interesting, but I don't know if I'd sit still that long
  3. Skating at Rockefeller Center - the Bryant Park rink is much nicer

Monday, November 27, 2006

thanksgiving hacks

Having just cooked two Thanksgiving dinners, I thought I would blog a few Useful Thanksgiving Hacks.
Turkey: Turkeys are actually easy to cook.
1. remove turkey from whatever packaging it came in.
2. Remove neck and other icky pieces from inside it and toss them
3. use a nice turkey roasting dish
4. rub the entire turkey with butter, shake some salt & pepper over it
5. toss about 6 bay leaves into the turkey cavity
6. put it in the oven at about 350
7. set a timer for 45 minutes
8. when the timer goes off, pull out the turkey. use tongs to flip it (easier than using those crazy turkey forks) and re-butter the entire bird
9. put it back in, re-set the time
10. when the breast & wings start getting very crispy, cover them in aluminum foil
11. cook, flipping & re-buttering every 45 minutes, until it's at 165F in the breast
Gravy: create a roux by putting 2 tablespoons of butter into a pan, and adding some flour. stir it around & mash it up. add some chicken stock and turkey juice. if you need to thicken it, make more roux in a new pan, then move the gravy to that new pan & stir well.
Timeline: the hard part of making a thanksgiving dinner is time management. Here's mine:
1. start the turkey
2. cook some veggies that can be microwaved at the end (sweet potatoes, green beans)
3. prepare some biscuit dough that can sit in a fridge
4. make some mashed potatoes, leave them sitting over a double boiler on low with a lid on them
5. when the turkey is done, pop the biscuits in the oven
6. make gravy, have someone warm veggies in microwave
7. when gravy and biscuits are done, serve

Friday, November 17, 2006

working from a browser

Web Worker Daily asks how you know when you're a web worker today. My answer is easy, it came the other day in a discussion about replacing my work powerbook possibly with a macbook. I expressed my needs for a work computer as (1) runs a web browser and can ssh (2) can do EVDO (3) light as possible. That pretty much sums up all I need to do my job. I guess coffee helps too.

Friday, November 10, 2006

when I learned what XSS is

Here's another old Amazon history post. February, 2000- I'd had Declan for barely over a month, and I remember being outside with him, walking around our parking lot, on a rather sunny day. (It's never sunny in Seattle in February, that's why I particularly remember this.) I was the oncall frontend QA- basically, if we had to do an emergency content push to the onlines, I would be the one checkpoint. Small responsibility for a 22 year old. My pager went off, I went in, and logged into my computer, and read the problem. It linked to CERT Advisory On Malicious HTML Tags on slashdot. That was the birth of XSS.

I spent the next several hours testing pushes for every single page on the site that echoed back user input. On a site like amazon, you can imagine what that was like- I seem to recall that a lot of my time was frantically deleting pages from my pager because it kept running out of space for stored messages. Thankfully I worked with some great people, I remember farming out a lot of the testing to Jason, who was still really a newbie at that time. This is one of my starkest memories: we had the slashdot article on this open, and would reload over and over again reading the comments as more vulnerable sites were found, more exploits related to this came to light. The comments are still an interesting read today.

It took a few days for me to wrap my head around what this bug was; at the time I was just trying to test with the sample input we had, without totally following the complete theory of what we were doing. To be fair, I doubt anyone understood it then. I can talk a lot now about filtering vs escaping, why I love <plaintext>, and so on, but that day was more about survival mode. Lots of fun, though, and another insane Amazon experience that I wouldn't trade for anything.

Tuesday, November 07, 2006

30 degrees & RFID interference

This is a "I need to investigate something" note to myself. I've read lots of interesting stuff on RFID theft (schneier on security covers skimming today), it's something that's fascinating- I wonder if the person who invented the "tin foil hats" meme years ago could possibly have predicted tin foil wrapped passports. However, I have 3 proxcards on a chain that I carry around every day. When I need to scan one, I have to take the particular card that I want to read and either flip it out almost perpendicular to the other cards, or fan it out (as if I was holding some playing cards in my hand) so that there's about a 30 degree angle between the card I want and the others. Holding the cards stacked up on top of each other- as they usually are on the chain- means that none of them will scan. I think this must be some kind of radio wave interference, and I wish I knew the physics behind it. One more thing to look up some weekend. I really wonder why 30ish degrees is the magic angle.

a found morning

My ancient iPod finally died this weekend (almost 4 years old, it lasted longer than many laptops), so I decided to make a small trip to the 5th Ave Apple store on Monday to trade in the old one- that store is open 24 hours, so I could stop off before work. When I tried getting into the 123 line from Penn, it was a mad zoo, and jampacked with people. No one was moving, I could hardly make it through the turnstiles (no idea why I went through them, I should have turned around, but I wasn't fully caffeinated yet). In any event, once I squeezed through and saw that two trains were sitting on the local and express tracks, going nowhere, the station attendant made a very crackly announcement, of which I made out something along the lines of "trains stuck at 42nd st" - I think. It was really unclear, but I got the idea no trains in this station were going to help me out any time soon. I decided to give up on my $2 fare and hike to Herald Square for a NRW. Once outside, it was warm, and almost sunny. And gorgeous. A complete "I love this city" morning, so I walked over to 5th and hiked up 5th to the Apple Store. I hadn't walked up 5th in ages, so it was a nice break- I noticed Saks and Lord & Taylor were all set up for Christmas (already!). Sadly, I found out later that the reason why I took that walk was that someone was killed by the 1 train, which gave sort of a sad twist to my found morning of NYC bliss. I still can't get over how lucky I've been, getting to be in NYC every day. What a gorgeous, incredible city.

Saturday, November 04, 2006

Purple

Cosmos

Taken in New Hampshire at the beginning of October

Wednesday, November 01, 2006

Boo!


Halloween
Originally uploaded by wck.

Yesterday I went trick or treating with Ana and Kate -it was really warm! It was the first time I'd gone trick or treating with them, I mostly held Ana while she played with the glow-stick attached to her jacket.

With the recent warm spell, my cosmos FINALLY bloomed. Or... one bud did. Took long enough. I took a picture of a cosmos in New Hampshire a few weeks ago, I'll post that shortly.

Tuesday, October 10, 2006

My Boston Picks

Swan boat

I've needed to write this post for ages, my favorite places to go in Boston, to give to people who are going up there for the first time. These are just places that I love to go, and not at all a "What tourists should see in Boston" definitive kind of list. Heavily slanted towards food, because I love eating.
  1. Mike's Pastry for cannolis and other Italian desserts

  2. Toscanini's (One in Central Square, and one in Harvard Square) for great ice cream flavors

  3. Newbury and Boylston Street shopping

  4. Trident Bookstore and Cafe on Newbury St

  5. A walk down Charles St (great little shops, and there's an excellent pizza store along it called Upper Crust), then walking up to Louisburg Square

  6. Boston Public Garden

  7. Walk along the Esplanade, which is a waterfront park. It runs from the Longfellow Bridge to Harvard Bridge. Actually, you can keep going down to the BU bridge, switch to the Cambridge side, and complete the loop on Storrow Drive to Longfellow bridge, but that's LOOONG. Along the Esplanade, you can see the Hatch Shell and watch all the sailboats in the Charles River Basin.

  8. walk down the Infinite Corridor at MIT: go to 77 Mass Ave. walk up the stairs. walk straight ahead, and all the way down the hallway. If you don't know the MIT campus well, you might then want to turn around and go back the way you came, or risk getting kind of lost

  9. Walk down Commonwealth Avenue in the evening on a sunny day

  10. Walk Central Square to Harvard Square

  11. In Harvard Square, walk around the Harvard campus a bit

  12. Also in Harvard Square, go to the Fogg Art Museum (free on Saturday mornings until noon)

  13. Go to Peet's coffeehouse in Harvard Square

  14. Go to the great little gourmet store across the street from the Curious George store in Harvard Square. I think it might be called Cardullo's

  15. In the Fenway, go to the Isabella Stewart Gardner Museum. My favorite art museum in the world.