Meet you back here in half an hour.
What are you going to do?
What I always do - stay out of trouble... Badly.

Friday, November 10

Geek

Need For (Quad) Speed

Running yum update for a new Fedora install under VMWare and snarfing my daily podcast fix via iTunes.

That's more than enough to turn a 2.6GHz Pentium 4 into jelly.

Just on that subject, is iTunes a complete and utter cow on MacOS too, or does that version actually work? Grabbing 100% of the CPU simply to download a file (at, I might add, an effective speed of 128kbps) seems a bit much.

Hrrm. I have a 7.02 update to apply. Bet you twenty cents it doesn't help.

Posted by: Pixy Misa at 08:54 PM | Comments (2) | Add Comment | Trackbacks (Suck)
Post contains 96 words, total size 1 kb.

Thursday, November 09

Geek

INXSS

My current headache is cross-site scripting, or XSS.

Cross-site scripting is an unforseen product of the combination of browser programmability and communally-updated websites. Javascript and XMLHttpRequest let your browser do all sorts of nifty things; community web sites let people build really nifty things; together they let bad people steal your ID.

Anyone can create a web page that will read your cookies, but browsers aren't stupid, and they will only cough up the cookies for that web site. Which was not a problem in the past, because before anyone could do anything untowards they had to take control of the website by some other means.

But if you have a community site where people can insert unfiltered HTML, that lets other people steal your cookies for that site. Badness.

The approaches to this problem seem to be threefold:

1. The listen-to-nanny approach, as typified by CERT: Tell people to turn off Javascript, and not to browse unknown web sites, especially after dark.

2. The patch-it-and-hope approach: Scrub the HTML for any untowards Javascript. If your site can restrict what users put up on their pages, you may be able to eliminate Javascript altogether - though even then, you might get tripped up the way MySpace was.

3. The keep-the-doors-and-windows-locked approach: Don't use cookies that give users global access. I think Blogger may be doing this, and that's why you keep having to log in to comment.

You have to do some of 2 in any case. If you don't scrub comments of bad HTML, you will find your page layouts corrupted in very short order. 3 looks likely to be the most robust, but at the cost of user functionality.

Anyone know of any in-depth resources on this? Or are people keeping their solutions close to their chests?

Posted by: Pixy Misa at 07:09 AM | Comments (1) | Add Comment | Trackbacks (Suck)
Post contains 299 words, total size 2 kb.

Wednesday, November 08

Geek

Ping!

SoftLayer, our new hosting company, now has Xeon 3060's available. That's a 2.4GHz Core 2 Duo, for those of you who've lost track.

Same monthly price as our existing servers, but 60% faster.

Sob.

Oh well. I knew they were coming, and I need them for my new project anyway. So this is actually good.

And our existing servers mostly aren't CPU bound. And wouldn't be CPU bound at all, if we weren't still running Movable Type. And my new project is all about getting us off Movable Type...

Meanwhile, mu.nu is looking at its first 2TB month. Who the heck is reading all those blogs?

Posted by: Pixy Misa at 08:09 AM | Comments (3) | Add Comment | Trackbacks (Suck)
Post contains 108 words, total size 1 kb.

Saturday, November 04

Geek

Ugh

Server clock doing straaange things.

This entry was posted hours after the "Mmmm" and "Rrrrrr" posts.

Posted by: Pixy Misa at 09:06 AM | Comments (2) | Add Comment | Trackbacks (Suck)
Post contains 18 words, total size 1 kb.

<< Page 2 of 2 >>
54kb generated in CPU 0.0318, elapsed 0.2316 seconds.
54 queries taking 0.2142 seconds, 340 records returned.
Powered by Minx 1.1.6c-pink.
Using https / https://ai.mee.nu / 338