Profilactic Mashup - fm

twitter: @dharmesh twitter auth with permission: can post and update profile! Why?

Sat, 11 Feb 2012 10:57:19 GMT

fmavituna: @dharmesh twitter auth with permission: can post and update profile! Why?

twitter: RT @jeremiahg: Google's 1 yr anniversary of their [web application] Bug Bounty program: http://t.co/mtQ6iW3o

Thu, 09 Feb 2012 18:01:51 GMT

fmavituna: RT @jeremiahg: Google's 1 yr anniversary of their [web application] Bug Bounty program: http://t.co/mtQ6iW3o

twitter: RT @ashk4n: TomTom and Progressive both now using voluntary GPS tracking to determine insurance premium discounts http://t.co/GYHnRMzW

Thu, 09 Feb 2012 06:15:11 GMT

fmavituna: RT @ashk4n: TomTom and Progressive both now using voluntary GPS tracking to determine insurance premium discounts http://t.co/GYHnRMzW

twitter: @huseyint :) Same here. They are really trying hard to minimize the UI

Thu, 09 Feb 2012 06:02:30 GMT

fmavituna: @huseyint :) Same here. They are really trying hard to minimize the UI

twitter: @aemregunay Maalesef

Thu, 09 Feb 2012 05:53:26 GMT

fmavituna: @aemregunay Maalesef

twitter: Web browser devs doing same mistakes over and over and over again RT @johnwilander: Six Android 0days released - http://t.co/2qw82nJ0

Thu, 09 Feb 2012 05:50:30 GMT

fmavituna: Web browser devs doing same mistakes over and over and over again RT @johnwilander: Six Android 0days released - http://t.co/2qw82nJ0

twitter: Chrome 17's preemptive rendering is yet another reason to not use GET for modifying stuff :)

Thu, 09 Feb 2012 05:47:11 GMT

fmavituna: Chrome 17's preemptive rendering is yet another reason to not use GET for modifying stuff :)

twitter: THREADFIX 1.0 PUBLIC BETA NOW AVAILABLE - http://t.co/TXqdHVIL

Tue, 07 Feb 2012 16:42:49 GMT

fmavituna: THREADFIX 1.0 PUBLIC BETA NOW AVAILABLE - http://t.co/TXqdHVIL

twitter: RT @netsparker: SQL Injection Vulnerability in Batavi E-Commerce - http://t.co/mu39bAbe Netsparker Advisories - http://t.co/5MJZ2Aj6

Tue, 07 Feb 2012 14:01:28 GMT

fmavituna: RT @netsparker: SQL Injection Vulnerability in Batavi E-Commerce - http://t.co/mu39bAbe Netsparker Advisories - http://t.co/5MJZ2Aj6

twitter: @bemre @halilozturkci aslinda onun anlamı yok çünkü o olay başlamadan polis hdd nin tam kopyasını almak zorunda kanunen

Fri, 03 Feb 2012 18:29:31 GMT

fmavituna: @bemre @halilozturkci aslinda onun anlamı yok çünkü o olay başlamadan polis hdd nin tam kopyasını almak zorunda kanunen

Google Reader: Skype - Changing the default chat font to Comic Sans makes the...

Fri, 03 Feb 2012 15:30:05 GMT

Skype - Changing the default chat font to Comic Sans makes the smiley sad.

/via kreshnik34

Google Reader: Listen to Your Community, But Don't Let Them Tell You What to Do

Fri, 03 Feb 2012 10:18:54 GMT

You know how interviewers love asking about your greatest weakness, or the biggest mistake you've ever made? These questions may sound formulaic, maybe even borderline cliche, but be careful when you answer: they are more important than they seem.

So when people ask me what our biggest mistake was in building Stack Overflow I'm glad I don't have to fudge around with platitudes. I can honestly and openly point to a huge, honking, ridiculously dumb mistake I made from the very first day of development on Stack Overflow – and, worse, a mistake I stubbornly clung to for a solid nine month period after that over the continued protestations of the community. I even went so far as to write a whole blog post decrying its very existence.

For the longest time, I had an awfully Fight Club-esque way of looking at this: the first rule of Stack Overflow was that you didn't discuss Stack Overflow! After all, we were there to learn about programming with our peers, not learn about a stupid website. Right?

I didn't see the need for a meta.

Meta is, of course, the place where you go to discuss the place. Take a moment and think about what that means. Meta is for people who care so deeply about their community that they're willing to go one step further, to come together and spend even more of their time deciding how to maintain and govern it. So, in a nutshell, I was telling the people who loved Stack Overflow the most of all to basically … f**k off and go away.

As I said, not my finest hour.

In my defense, I did eventually figure this out, thanks to the continued prodding of the community. Although we'd used an external meta site since beta, we eventually launched our very own meta.stackoverflow in June 2009, ten months after public beta. And we fixed this very definitively with Stack Exchange. Every Stack Exchange site we launch has a meta from day one. We now know that meta participation is the source of all meaningful leadership and governance in a community, so it is cultivated and monitored closely.

I also paid penance for my sins by becoming the top user of our own meta. I've spent the last 2 years and 7 months totally immersed in the morass of bugs, feature requests, discussions, and support that is our meta. As you can see in my profile, I've visited meta 901 unique days in that time frame, which is disturbingly close to every day. I consider my meta participation stats a badge of honor, but more than that, it's my job to help build this thing alongside you. We explicitly do everything in public on Stack Exchange – it's very intentionally the opposite of Ivory Tower Development.

Along the way I've learned a few lessons about building software with your community, and handling community feedback.

1. 90% of all community feedback is crap.

Let's get this out of the way immediately. Sturgeon's Law can't be denied by any man, woman, child … or community, for that matter. Meta community, I love you to death, so let's be honest with each other: most of the feedback and feature requests you give us are just not, uh, er … actionable, for a zillion different reasons.

But take heart: this means 10% of the community feedback you'll get is awesome! I guarantee you'll find ten posts that are pure gold, that have the potential to make the site clearly better for everyone … provided you have the intestinal fortitude to look at a hundred posts to get there. Be prepared to spend a lot of time, and I mean a whole freaking lot of time, mining through community feedback to extract those rare gems. I believe every community has users savvy enough to produce them in some quantity, and they're often startlingly wonderful.

2. Don't get sweet talked into building a truck.

You should immediately triage the feedback and feature requests you get into two broad buckets:

We need power windows in this car!

We need a truck bed in this car!

The former is, of course, a reasonable thing to request adding to a car, while the latter is a request to change the fundamental nature of the vehicle. The malleable form of software makes it all too tempting to bolt that truck bed on to our car. Why not? Users keep asking for it, and trucks sure are convenient, right?

Don't fall into this trap. Stay on mission. That car-truck hybrid is awfully tempting to a lot of folks, but then you end up with a Subaru Brat. Unless you really want to build a truck after all, the users asking for truck features need to be gently directed to their nearest truck dealership, because they're in the wrong place.

3. Be honest about what you won't do.

It always depressed me to see bug trackers and feedback forums with thousands of items languishing there in no man's land with no status at all. That's a sign of a neglected community, and worse, a dishonest relationship with the community. It is sadly all too typical. Don't do this!

I'm not saying you should tell your community that their feedback sucks, even when it frequently does. That'd be mean. But don't be shy about politely declining requests when you feel they don't make sense, or if you can't see any way they could be reasonably implemented. (You should always reserve the right to change your mind in the future, of course.) Sure, it hurts to be rejected – but it hurts far more to be ignored. I believe very, very strongly that if you're honest with your community, they will ultimately respect you more for that.

All relationships are predicated on honesty. If you're not willing to be honest with your community, how can you possibly expect them to respect you … or continue the relationship?

4. Listen to your community, but don't let them tell you what to do.

It's tempting to take meta community requests as a wholesale template for development of your software or website. The point of a meta is to listen to your community, and act on that feedback, right? On the contrary, acting too directly on community feedback is incredibly dangerous, and the reason many of these community initiatives fail when taken too literally. I'll let Tom Preston-Werner, the co-founder of GitHub, explain:

Consider a feature request such as “GitHub should let me FTP up a documentation site for my project.” What this customer is really trying to say is “I want a simple way to publish content related to my project,” but they’re used to what’s already out there, and so they pose the request in terms that are familiar to them. We could have implemented some horrible FTP based solution as requested, but we looked deeper into the underlying question and now we allow you to publish content by simply pushing a Git repository to your account. This meets requirements of both functionality and elegance.

Community feedback is great, but it should never be used as a crutch, a substitute for thinking deeply about what you're building and why. Always try to identify what the underlying needs are, and come up with a sensible roadmap.

5. Be there for your community.

Half of community relationships isn't doing what the community thinks they want at any given time, but simply being there to listen and respond to the community. When the co-founder of Stack Exchange responds to your meta post – even if it wasn't exactly what you may have wanted to hear – I hope it speaks volumes about how committed we are to really, truly building this thing alongside our community.

Regardless of whether money is changing hands or not, you should love discovering some small gem of a community request or bugfix on meta that makes your site or product better, and swooping in to make it so. That's a virtuous public feedback loop: it says you matter and we care and everything just keeps on getting better all in one delightful gesture.

And isn't that what it's all about?

[advertisement] What's your next career move? Stack Overflow Careers has the best job listings from great companies, whether you're looking for opportunities at a startup or Fortune 500. You can search our job listings or create a profile and let employers find you.

twitter: RT @mattcutts: Got a message that my IStockphoto credits are going to expire. Why, @istock? They're virtual. It's not like bananas that ...

Fri, 03 Feb 2012 10:06:11 GMT

fmavituna: RT @mattcutts: Got a message that my IStockphoto credits are going to expire. Why, @istock? They're virtual. It's not like bananas that ...

twitter: 5 Lessons Learned From Our Groundhog Day Release - http://t.co/3ZqMtxQg

Thu, 02 Feb 2012 17:08:12 GMT

fmavituna: 5 Lessons Learned From Our Groundhog Day Release - http://t.co/3ZqMtxQg

twitter: @wisecwisec We added Language Expression Injection checks to #netsparker 2.1 thanks for the research , feedback is welcome

Thu, 02 Feb 2012 15:25:41 GMT

fmavituna: @wisecwisec We added Language Expression Injection checks to #netsparker 2.1 thanks for the research , feedback is welcome

twitter: @kevinmitnick Compared to Las Vegas everywhere is cold :)

Thu, 02 Feb 2012 14:42:13 GMT

fmavituna: @kevinmitnick Compared to Las Vegas everywhere is cold :)

Google Reader: Internet Banking, 22seven & Security Fallacies

Thu, 02 Feb 2012 12:26:01 GMT

There's been a lot of hoopla recently about internet banking security and the introduction of 22seven. I'd like to add to the discussion, by attempting to extract the key arguments and critically analyzing them.

1) 22seven is secure

Figuring out if something is secure is really hard. The current way the industry measures it is by getting a reputable company to perform an in-depth and broad security assessment. 22seven claim to do this in their description. However, none of the results are published, so as a member of the public, we have little to go on. Even then, security testing is a bit of a market for lemons; that is, unless you are an expert, you don't know if the testers did a good job or not. For me to take their claim seriously I'd like to see a letter of attestation from a reputable security testing firm at the least. Until then, we can't know.

On the flip side, I use tons of online services all day that don't even get around to claiming they test their stuff, let alone go as far as I described above, and so do you. But, these services don't want access to my personal financial transactions, limited power of attorney, and leave all the risk of compromise on me.

2) 22seven is safe because they use Yodlee and they are safe

This is the claim put forward by 22seven themselves as part of their security overview, and elaborated on by Simon Dingle. The problem with this is two fold. First, there are many possible ways in which 22seven could be modified in the event of a compromise to provide access to your credentials, even though Yodlee is secure. Paul Cartmel reminds us of the old security truism; that you're only secure as your weakest link. A simple modification of their invocation of Yodlee would be enough to get the job done. Even if you aren't targeting credentials, a disclosure of your financial transactions alone could be a serious breach. So, you need 22seven to be secure AND Yodlee to be secure.

Even then, the use of a third party, with whom I have no contractual relationship, in another country's jurisdiction (now the US gov can subpoena my financial details, yay) makes me uncomfortable. What recourse do I have to Yodlee if they are the source of a breach?

Once again, you do this all the time, so put it into perspective a little :)

3) Yodlee is safe, because they've never been breached in 13 years

If you refer back to point (1) you'll note that I didn't use "no past breaches" as a criteria for "secure". This is for two reasons again. The first is that detecting breaches is really hard. You need to have significant monitoring, and the capability to understand what the tools are producing to know if you are breached. Even then, the possibility of the attacker being smarter than your monitoring exists (and to bypass your average IDS, you don't have to be that smart). Second, having never been compromised could be as much an indication that nobody has ever tried as it could that the site resisted attacks. Even if it was rock solid till now, people make mistakes, and introduce new code with potential vulnerabilities all the time. The past is no guarantee of future success.

To be fair to Yodlee, at no point on their site do they make this claim. This was put forward by Simon in his article.

4) Yodlee's access to your bank account is a good idea

I'm paraphrasing heavily here, but it captures the general argument between 22seven (and supporters) and the likes of Absa. The claim is that Absa is being a stick in the mud and resiting the new wave of customer service possibilities. Commercials aside, I think Absa has a point here. Of all the possibilities for how 22seven could get your info, giving you banking creds to Yodlee has to be the worst. In fact, this is a solved problem. How do you think you accountant has been getting transactional information from Internet Banking into Quick Books or Pascal all these years? They export the stuff in OFX (open financial exchange) or QFX formats and import it into their tool. Better yet, PFM's that support this have been around for a while. I've been using buxfer.com for over a year with this method, and it works well, without me handing over full control of my bank accounts to a random third party (but you'll not I do fall prey to some of the problems I listed above re jurisdiction & the possibility of buxfer getting hacked). There are a ton of other options too, a client-side browser plugin that stores your creds and imports it into the site would be a use of automation that doesn't require credential disclosure. Here, let me draw a picture:

Banks Response

There seem to have been two responses from two banks, Absa and FNB. Absa's response was to block Yodlee's servers. I think it may be a bit drastic, but I certainly have sympathy for their stated objection to handing your creds over to a third party. FNB, on the other hand, ~~has responded by~~ will be getting rid of their One Time Passwords (via GSM as a 2nd-factor-auth) on login, and relying on transactional ("confirmation") OTPs only. They contacted me to clarify that this was planned before 22seven and was not a response to it. I think this is a bad idea (outside of 22seven), and have asked (as a customer) that FNB retain login SMS notifications at the least (they will publish a log of logins within Internet Banking, but by the time you've found an illegal one, it's possibly too late). ~~Hopefully they'll respond.~~ FNB went on to clarify that login notifications will still be sent by e-mail, and that the audit trail published in the app will include both failed and successful logins.

This has happened before though, with Twitter and Facebook. Remember when you had to give sites your twitter and facebook credentials, and the problems that caused? They ended up building in OAuth and providing an API that caters for third party applications (and per-application permissions). This may the chance for the banks to start doing the same.

Conclusion

I'm not saying 22seven and Yodlee are ripe for hacking, nor that they are safe. I'm not even saying us not knowing they're safe should preclude their use given what you do with the rest of your online data. Unfortunately, you need to make the decision, but I'm sticking to my OFX export in the meantime and find the risk of disclosure some transactional data, should buxfer get hacked, acceptable compared with the benefits it provides me (for e.g. I moved bank after buxfer made it clear just how much I was paying). I'm also not joining in any name calling, I disagree with some of Simon and Paul's points and agree with others, but this stands as my opinion in the end.

Update: Modified the "Bank's Response" section based on feedback from FNB. Thanks for going to the trouble of contacting me :)

twitter: RT @netsparker: Netsparker v2.1 is out ! SSO, multiple-step auth, extensibility support, new dashboard, comparison reports and more - ht ...

Thu, 02 Feb 2012 10:32:53 GMT

fmavituna: RT @netsparker: Netsparker v2.1 is out ! SSO, multiple-step auth, extensibility support, new dashboard, comparison reports and more - ht ...

twitter: RT @mickeyc: http://t.co/Xo30nNml - Abusing Apache to read httpOnly flagged cookies from JavaScript. I like.

Thu, 02 Feb 2012 06:43:22 GMT

fmavituna: RT @mickeyc: http://t.co/Xo30nNml - Abusing Apache to read httpOnly flagged cookies from JavaScript. I like.

Google Reader: ThreadFix 1.0 Public Beta Now Available

Wed, 01 Feb 2012 20:33:33 GMT

By Dan Cornell

After more than two years in development we’re finally publicly releasing our ThreadFix open source application vulnerability management system. It is still pre-production, but it represents an almost complete rewrite from the “Technology Preview” version we released when it was still called “Vulnerability Manager.”

A more complete description of the system and its capabilities is:

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.

So what’s next? You can download ThreadFix here. The current beta is available as a pre-built Tomcat install (the final release will likely be a pre-configured virtual machine). Just unzip and run. During the beta period we will be looking to push new versions on a weekly basis. Also we have a “Getting Started” guide that runs through the major functionality as well as other documentation on the wiki to describe the different parts of the system.

There is still work to do – we need to improve the stability of the scan importers, we need to tighten up the security of parts of the system, and we need to build out the REST API. If you run into any issues using ThreadFix or if you have feature requests please use the online bug tracking system here or email me at the address listed below.

Also you can follow ThreadFix on Twitter: @threadfix

We’re tremendously excited to get this software released to a wider audience. Contact us if you are interested in learning more about using ThreadFix for application vulnerability management.

--Dan

dan _at_ denimgroup.com

@danielcornell

Posted via email from Denim Group's Posterous