1. Fixed a simple security hole in , uncovered unintentionally by an attack mounted ≈5hrs ago — intent appeared to be to create new user accounts, unintended result was the creation of a new, empty article.

    Hundreds of requests were made against URLs similar to these:

    • /articles/do.php
    • /articles/modules.php?app=user_reg
    • /articles/index.php?app=home&mod=public&act=register
    • /action/sign_up
    • /articles/sign_up.html
    • /articles/?page=login&cmd=register
    • /articles/tiki-register.php
    • /articles/index.php?page=register&action=register
    • /index.php?page=item&action=item_add
    • /articles/index.php?user/create_form/
    • /articles/join.php
    • /articles/index.php?dll=register
    • /articles/index.php?option=com_community&view=register
    • /articles/register.php
    • /articles/signup.php

    Presumably these URLs are compromised on other systems — needless to say they are far too ugly to exist in ! I’m unsure exactly why /articles was used as the base URL for the attack in all cases apart from two.

    As these URLs don’t exist, and will never exist, it should be safe enough to add server- or application-level filters immediately closing any requests which include them.
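An added example, not code from the original note: a small detector that runs the URL list above over constructed access-log lines, surfaces the IP doing the scan, and lists any probe the server did not reject (the case that produced the empty article). The log lines, documentation-range IPs and the hit threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed combined-format access log lines (RFC 5737 documentation IPs), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2014:03:12:01 +0000] "GET /articles/do.php HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [10/Mar/2014:03:12:02 +0000] "GET /articles/modules.php?app=user_reg HTTP/1.1" 404 162 "-" "-"
203.0.113.7 - - [10/Mar/2014:03:12:02 +0000] "POST /articles/index.php?page=register&action=register HTTP/1.1" 200 512 "-" "-"
203.0.113.7 - - [10/Mar/2014:03:12:03 +0000] "GET /articles/index.php?user/create_form/ HTTP/1.1" 404 162 "-" "-"
198.51.100.2 - - [10/Mar/2014:03:15:40 +0000] "GET /articles/hello-world HTTP/1.1" 200 4096 "-" "-"
198.51.100.2 - - [10/Mar/2014:03:15:41 +0000] "GET /articles/register.php HTTP/1.1" 404 162 "-" "-"
"""

# Registration endpoints from the note. None exist on this site, so any hit is a probe.
PROBE_PATHS = {
    "/articles/do.php", "/articles/modules.php", "/action/sign_up",
    "/articles/sign_up.html", "/articles/tiki-register.php",
    "/articles/join.php", "/articles/register.php", "/articles/signup.php",
}
# The index.php variants in the note differ only by query string.
PROBE_QUERY_TOKENS = ("register", "user_reg", "item_add", "create_form", "com_community")

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')


def is_probe(url):
    """True if the request targets one of the non-existent registration URLs."""
    parts = urlsplit(url)
    if parts.path in PROBE_PATHS:
        return True
    query = parts.query.lower()
    return any(token in query for token in PROBE_QUERY_TOKENS)


def probe_requests(log):
    """Parsed records for every request that matches the probe list."""
    records = (LOG_RE.match(line) for line in log.splitlines())
    return [m.groupdict() for m in records if m and is_probe(m.group("url"))]


def flag_scanners(log, threshold=3):
    """IPs that hit the probe list at least `threshold` times: the scan itself."""
    hits = Counter(r["ip"] for r in probe_requests(log))
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def unexpected_successes(log):
    """Probe requests the server did not reject (assumed here: the POST that got a 200)."""
    return [(r["ip"], r["method"], r["url"], r["status"])
            for r in probe_requests(log) if r["status"] not in ("403", "404", "444")]
```

Once the filter from the note is in place, `unexpected_successes` should return nothing; anything it still lists is a request that got past it.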

2. Mocking up what an subscription UI could look like:

    A personal site optionally has a homepage feed, as well as linking from the homepage to other pages with some rel value. When asked to subscribe to a URL, if a feed reader finds these links, it shows a UI listing the linked feeds, with “Homepage” (any posts found on the page) automatically selected.

    The user can then select/deselect feeds, with the preview updating to reflect what the subscription will look like. The selection dialog could either be a modal which goes away once confirmed, or it could be a collapsible panel in the feed column, which has the nice side effect of putting the preview directly where it will be seen, in context.

    Additionally, either the personal site could mark up, or the feed reader detect, special feeds such as personal metrics feeds, and treat those differently.

3. Last night: built commenting on posts direct from my feedreader using — video demo:

    Example replies sent using this technique: 1, 2

    Next up: cleaning code, implementing likes, distilling learnt knowledge into diagrams, code.

    Further reading:

4. Posting this note from barnabywalters.bit — been experimenting with namecoin, got .bit domains resolving on my machine by following the instructions at namecoin.bitcoin-contact.org, installed namecoin wallet on my VPS and registered a name, pointed it at my web server.

    Surprisingly it was a fairly straightforward process. The most difficult part was getting hold of some namecoin to register names with — I ended up trading some of my DOGE for NMC on vircurex.com.

5. Pelle Wessman: @BarnabyWalters http://auphonic.com/  good for indie publishing audio, Instacast great for consuming it, @timpritlove great at pushing it

    @voxpelli thanks for the links, auphonic looks like a great service! Certainly going to look into using that for automating stuff like audio encoding.