Security in an AJAX World

If data is more openly available as XML over HTTP, it’s going to be pretty damn easy for a smart hacker to get access to that data and build applications like this impressive example… which is great, but undoubtedly someone will eventually feel that their data is being “stolen” or “misused”.

Reverse engineering HTML was easy from the very beginning, because Mosaic and then Netscape had a feature that let you view the source code of any HTML page. And since it’s very easy to watch the HTTP traffic going back and forth from your desktop computer with tools like Live HTTP Headers or Ethereal, anybody with a few choice Perl modules can screen-scrape data from a web page and reuse it in another application. For example, let’s say I wanted to make an RSS feed of guests on the David Letterman show. I could easily write some code to parse the CBS Late Show homepage to get the data I want. It’s easy and it’s great, but am I stealing CBS’s data? Getting consensus around an answer to that question is tricky unless the content is specifically licensed for such use.

The buzzword du jour is AJAX (Asynchronous JavaScript And XML), which, like Web Services in general, is nothing new, but it will change the way applications are built. Basically, we’re talking about using the XMLHttpRequest JavaScript object to fetch data from a remote web server and then manipulating the web page through the DOM. The concept has caught on like wildfire in recent months, led by Google, which is really raising the bar by using these ideas on high-profile sites.
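The point of both posts above is that once a page fetches its data as XML over HTTP, nothing ties that data to the page: any HTTP client can do what XMLHttpRequest does. The script below is an added illustration, not code from the original post; it stands up a constructed local endpoint serving a made-up guest schedule (the names, dates and URL are invented), fetches it the way a non-browser client would, and repackages it as the RSS feed the first post imagines.

```python
import threading
import urllib.request
import xml.etree.ElementTree as ET
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample: the kind of XML an AJAX page might load with XMLHttpRequest.
GUESTS_XML = b"""<?xml version="1.0"?>
<schedule show="Late Show (constructed sample)">
  <episode date="2005-03-14"><guest>Guest A</guest><guest>Band B</guest></episode>
  <episode date="2005-03-15"><guest>Guest C</guest></episode>
</schedule>"""


class GuestHandler(BaseHTTPRequestHandler):
    """Plays the site's XML endpoint: the URL the page's own JavaScript would call."""
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/xml")
        self.end_headers()
        self.wfile.write(GUESTS_XML)

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_once():
    """Start the endpoint on a free loopback port; return its URL and the server."""
    server = HTTPServer(("127.0.0.1", 0), GuestHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_port}/guests.xml", server


def parse_guests(xml_bytes):
    """Return [(date, [guest, ...]), ...] from the schedule XML."""
    root = ET.fromstring(xml_bytes)
    return [(ep.get("date"), [g.text for g in ep.findall("guest")])
            for ep in root.findall("episode")]


def fetch_guests(url):
    """Any HTTP client can do what the browser's XMLHttpRequest does."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return parse_guests(resp.read())


def to_rss(episodes):
    """Repackage the parsed schedule as an RSS 2.0 feed: the reuse the post describes."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "Late Show guests (constructed sample)"
    for date, guests in episodes:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = f"{date}: " + ", ".join(guests)
    return ET.tostring(rss, encoding="unicode")


if __name__ == "__main__":
    url, server = serve_once()
    try:
        print(to_rss(fetch_guests(url)))
    finally:
        server.shutdown()
```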


Ruby: First Impressions

Well, it’s effectively killed Perl. Ruby, that is. That was my first reaction.

This past weekend, I had some small digital housekeeping work to do involving some manipulations in a MySQL database. Mundane stuff: get records from database, perform some string manipulations, insert new records. Historically, my language of choice for this type of work has been Perl. Since it is now 2005, I guess that means that I have about 10 years of experience using Perl, so it’s fair to say that I can slice and dice with it pretty well. I don’t have to think too hard.

Since I had some spare time on my hands and because my last conversation with Pate about Ruby has been echoing in my head, I figured that it was about time to give it a whirl. A new language obviously has an associated ramp-up cost, but Ruby’s is pretty easy, especially if you’re fluent in both Perl and Java – it really felt like I was halfway between as I went about my little task.

Maybe my brain is losing capacity, but I really feel like I have too many passwords. I simply wish that I could just give out a public key to everything I need to authenticate with. This isn’t going to happen soon because getting agreement on how to manage keys and authentication would be as successful as… say, Microsoft’s Passport or the Liberty Alliance’s efforts to do just that. In the meantime, I’m stuck with tons of passwords.

I had a brief brush with password nirvana when I was using OS X, because it has a wonderful little application called Keychain that manages all of your passwords for mail clients, wifi nets, websites, your ssh agent and whatnot. It’s very well integrated throughout the system as well as popular applications.

I’m using a fair bit of Windows lately, so I recently started using Bruce Schneier’s PasswordSafe application to manage my passwords. In addition to storing them wrapped up nicely in Blowfish, it is also pretty handy at generating good random passwords. It’s the next best thing to Keychain.