security

networking

Because Everyone Needs a Router

Do you remember when a router used to be an exotic bit of network kit? Those days are long gone. A router is one of those salt-of-the-earth items now; anyone who pays for an internet connection needs a router, for: 1. NAT and basic hardware firewall protection from internet evildoers

By Jeff Atwood

security

Vampires (Programmers) versus Werewolves (Sysadmins)

Kyle Brandt, a system administrator, asks Should Developers have Access to Production? A question that comes up again and again in web development companies is: “Should the developers have access to the production environment, and if they do, to what extent?” My view on this is that as a whole

By Jeff Atwood

security

We Done Been... Framed!

In my previous post, Url Shorteners: Destroying the Web Since 2002, I mentioned that one of the “features” of the new generation of URL shortening services is to frame the target content. Digg is one of the most popular sites to implement this strategy. Here’s how it works. If

By Jeff Atwood

security

The Wrong Level of Abstraction

In Why Isn’t My Encryption... Encrypting? we learned that your encryption is only as good as your understanding of the encryption code. And that the best encryption of all is no encryption, because you kept everything on the server, away from the prying eyes of the client. In The

By Jeff Atwood

security

The Bathroom Wall of Code

In Why Isn’t My Encryption... Encrypting?, many were up in arms about the flawed function I posted. And rightfully so, as there was a huge mistake in that code that just about invalidates any so-called “encryption” it performs. But there’s one small problem: I didn’t write that

By Jeff Atwood

encryption

Why Isn’t My Encryption... Encrypting?

It’s as true in life as it is in client-server programming: the only secret that can’t be compromised is the one you never revealed. But sometimes, it’s unavoidable. If you must send a secret down to the client, you can encrypt it. The most common form of

By Jeff Atwood

security

I Just Logged In As You

I received this anonymous email a few days ago: I found what one could call a security hole in Stackoverflow. I’m curious enough to go digging around for holes, but too ethical to actually do anything with them. However, I’m afraid that by pointing it out I’ll

By Jeff Atwood

security

How Not to Conduct an Online Poll

Inside the Precision Hack is a great read. It’s all about how the Time Magazine World’s Most Influential People poll was gamed. But the actual hack itself is somewhat less impressive when you start digging into the details. Here’s the voting UI for the Time poll in

By Jeff Atwood

security

Rate Limiting and Velocity Checking

Lately, I’ve been seeing these odd little signs pop up in storefronts around town. All the signs have various forms of this printed on them: “Only 3 students at a time in the store please.” We took that picture at a 7-11 convenience store which happens to be near

By Jeff Atwood

security

Top 25 Most Dangerous Programming Mistakes

I don’t usually do news and current events here, but I’m making an exception for the CWE/SANS Top 25 Most Dangerous Programming Errors list. This one is important, and deserves a wide audience, so I’m repeating it here – along with a brief hand-edited summary of each

By Jeff Atwood

security

Dictionary Attacks 101

Several high profile Twitter accounts were recently hijacked: An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News. The hacker, who goes by the handle GMZ, told Threat

By Jeff Atwood

programming languages

You’re Reading The World’s Most Dangerous Programming Blog

Have you ever noticed that blogs are full of misinformation and lies? In particular, I’m referring to this blog. The one you’re reading right now. For example, yesterday’s post was so bad that it is conclusive proof that I’ve jumped the shark. Again. Apparently, according to

By Jeff Atwood