Sat 29 Apr 2006 19:40:38
This rocks! I’m at MindCamp 2.0. I just ate dinner, which was surprisingly delightful (salmon, chicken skewers, delicate desserts, etc…). I’m on a waiting list to get what looks like a pretty damn good massage. And to top it all, I’ve spent the day engaged in stimulating conversations with the best minds in Seattle. Here’s a picture from the dinner table:
Fri 28 Apr 2006 15:11:32
I just hacked out a little exploit/”proof of concept” for automatically bookmarking a site on ma.gnolia without the user noticing. This is a very simple hack, based on prefetching a link to a bookmarklet. If you are using Firefox or any other browser that uses prefetching (and you have a ma.gnolia account). check it out. You’ve just bookmarked this site :)
// this script will set a prefetch link on a page, which, if the browser has prefetching enabled, will bookmark the site on ma.gnolia.com
// this is an inherent security hole in automatic bookmarklets. The point of having them is to accept user input from 3rd party locations--therefore, it can't be trusted.
function magnoliaBookmark()
{
s=String(window.getSelection()).replace(/ {2,}/g,'%20').replace(/^ | $/g,'');
m='';
d='';
metas=document.getElementsByTagName('meta');
for(count=0;count
if(metas[count].name=='description')
{
m=metas[count].content;
}
}
if(s!='')
{
d=encodeURIComponent(s);
}else if(m!='')
{
d=encodeURIComponent(m);
};
var url = "http://ma.gnolia.com/bookmarklet/snap/add?url="+encodeURIComponent(location.href)+'&title='+encodeURIComponent(document.title)+'&description='+d;
document.write('
');
}
magnoliaBookmark();
This technique can be used on any other site that allows a link to add information to a users account without further user interaction. I can think of several fixes for this but:
I’m sure you can come up with countless more fixes… It’s just not safe to allow someone to so easily add information to an account. Del.icio.us has a better way of doing it. Although not as transparent and seemless, it requires the user to hit ’save’ before adding the bookmark. Granted this too could be bypassed by opening the del.icio.us URL in a new window and then using javascript to submit the form within that window, then close the window (all of which could be done in a matter of miliseconds–before the user could see what was happening).
I’m all for web 2.0 but we must be careful not to fall into huge security traps while we build these cool sites. Ma.gnolia.com is still pretty damn cool.
If you hate this site, feel free to delete it from your ma.gnolia account :)
Thu 20 Apr 2006 23:46:00
Lena’s mother and sister just got back from China–and what did they bring me? Only the coolest foriegn gift possible!
It’s a windup Chairman Mao wristwatch. His hand waves as the seconds tick by. It’s awesome!
Tue 18 Apr 2006 10:10:37
The worst part about 9 hour coding binges is staying up until 3am. Normally, staying up late is no problem. However, after that much straight coding, the human brain changes. Neurons are excited and race around making it impossible to focus on sleep. The moment the eyes are shut, the brain realizes it’s free to think about everything else in the world–in code. Then there is the sudden realization that even though the brain is fervently alive with activity, the brain matter itself is being pushed around by large angry Frenchmen who keep shouting “hoagh, hoagh, hoagh” in a thick, nasel accent–right at the point above the ear.
Then, of course, hunger sets in.
What to do…. Eat? sleep? Can’t really move anyway. Just sit and wait for the Frenchmen to go away.
Thu 13 Apr 2006 19:21:04
This spam was kind. No advertisements, no attachments, no porn images–just this:
Sun 2 Apr 2006 01:32:27
I saw V for Vendetta again today.
The first time I saw it, I loved it.
The second time, it was even better.
I cannot count how many times I had to stiffle tears of triumphant rebellious joy.
I will buy this DVD when it comes out. That should say something to people who know me about how damn good this film is.
Also, I was able to find the artist of the song played on the credits (the only song that isn’t on the official soundtrack–even though it rules).
You can hear a sample of this song on Ethan Stoller’s mySpace site.
He’s offering a 99 cent download of the “speechless” version, which is pretty cool–but he needs to have the version from V with all the cool political activism speeches. That was tight.
