Sign in
in
   
"It is the mark of an educated mind to be able to entertain a thought without accepting it."  -Aristotle

About Me

I am a co-founder of Notches, an early stage startup currently based in NYC. We are building a free, open reviews network that anyone can participate in and anyone can build on top of. You can find out more on our official blog.

Read more about my background.

Connect with me on...

Recent Readers

Flickr Photos

Tags

Monthly Archives
 

Browse by Tags

All Tags » Security » .NET » Software Development (RSS)

  • An Introduction to OpenID

    OpenID, which describes itself as "an open, decentralized, free framework for user-centric digital identity", has been gaining momentum and getting press in the Identity 2.0 space. The fundamental idea of OpenID is that a URI is necessarily unique and thus a good way to identify users. If you say you own a URI and can properly authenticate with the URI, then you must be who you say you are. Admittedly, this can be tricky to understand at first. Perhaps the best analogy is an open version of Passport, where you can download and run your own Passport server. When you go to Microsoft.com or MSDN, you don't log in to a "local" account - you are instead redirected to a Passport (now Windows Live ID) screen to enter your username and password. From a user perspective, OpenID is not that different as Simon Willison showed in this his screencast (embedded below). Scott Hanselman also discussed OpenID on a recent Hanselminutes and has a number of good resources (including the screencast) linked...
    Posted Feb 15 2007, 09:06 AM by Tim with | with 4 comment(s)
    Filed under: , , , ,

  • If you can read a file, you can copy it

    Raymond reminds us that there is no "Copy" access mask because copying is not a fundamental file operation . Copying a file is just reading it into memory and then writing it out. Once the bytes come off the disk, the file system has no control any more over what the user does with them. Something to keep in mind when designing your web applications. Once you send something to the client, you inherently give up control over what can be done with that information.
    Posted Jan 09 2007, 09:42 AM by Tim with | with no comments
    Filed under: , , , ,

  • JSON and XML

    Back at the PDC, I mentioned that Microsoft chose JSON over XML in Atlas, its AJAX framework. The debate has reared its head again recently, prompted largely by Tim Bray's post . Tim says that JSON is great for its single intended purpose, "to put structs on the wire." Dare, who used to work on the XML team at Microsoft, say JSON is better than XmlHttpRequest because it helps work around browser security model limitations and is easier to program with . The cross-browser issues are a particularly big issue that people have tried to tackle in different ways - I mentioned before that Julien is using a Flash proxy to work around these issues , and I've seen other architectures which use a server-side proxy on the original server to handle the third-party request. The key here is that AJAX is not about the technology , but the experience. JSON may or may not be the "best" way to approach this, but the exercise at least highlights some of the limitations (and, to be fair, strengths) inherent...
    Posted Jan 05 2007, 09:44 AM by Tim with | with no comments
    Filed under: , , , , ,

  • The Prevalence and Danger of SQL Injection

    Michael Sutton looks at the prevalence of SQL injection vulnerabilities ( via Bruce Schneier ). He tested 708 different servers and found verbose SQL errors on 80 of them (11.3%) - numbers that are not, as Michael says, surprising but are certainly sobering. Michael acknowledges that his method is imperfect, and in fact I think the percentage is actually a lot higher. His test only captures sites that are vulnerable and actually return verbose error messages. I guarantee there are countless others on his list that were actually vulnerable and fail "silently" (i.e., reporting user name not found, but not the words he is testing for). If you're not familiar with SQL injection, and what can happen as a result, I suggest reading Steve Friedl's wonderful introduction in SQL Injection Attacks by Example . (Image above borrowed from his article). Oh, Scott Guthrie also had a great post on how to avoid these problems . As you can see, it's not difficult - you just have to be aware and not construct...
    Posted Oct 12 2006, 03:53 PM by Tim with | with no comments
    Filed under: , , , , ,

Recent Posts

Most Popular Posts

Legal disclaimer

Coming soon.

Articles

My stuff

Friends

Powered by Community Server (Non-Commercial Edition), by Telligent Systems