Web Info & Tutorials

January 8th, 2007

SUBVERTING AJAX

A bunch of hubbub has been created over a presentation at the CCC conference called Subverting Ajax.

The FUD has been interesting to watch. Early in the paper the authors present the fact that JavaScript is a prototype-based language as a 'flaw', because any script running in a page can replace methods on the built-in prototypes and do things like:

JAVASCRIPT:

  var realSend = XMLHttpRequest.prototype.send;   // keep the original so the hook can forward to it
  XMLHttpRequest.prototype.send = function (pay) {
    // Hijacked .send: every request the page makes now passes through here
    sniff("Hijacked: " + pay);                    // attacker-supplied exfiltration hook
    pay = HijackRequest(pay);                      // attacker-supplied payload rewriter
    return realSend.call(this, pay);               // forward so the page keeps working
  };
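The hook above is easier to reason about when you can run it. The following is an added example, not code from the post or from the Subverting Ajax paper: Node has no XMLHttpRequest, so MiniXHR is a constructed stand-in with the same open()/send() shape, the "transfer" request is made-up sample input, and sniff/HijackRequest are replaced by an in-memory log and a regex rewrite. The attack half is the prototype hijack the post describes; the defence half shows one of the "few smart things": freezing the prototype before third-party script runs and keeping a private reference to the original method so tampering can be detected.

```javascript
// Fresh constructor per run, so each scenario gets its own untouched prototype.
function makeXHR() {
  return class MiniXHR {
    open(method, url) { this.method = method; this.url = url; }
    // Stands in for the network call: returns what would have gone on the wire.
    send(body) { return { method: this.method, url: this.url, body: String(body) }; }
  };
}

// Attacker side: what any script on the page can do because methods live on a
// writable prototype. Equivalent to the snippet in the post, with the helpers inlined.
function installHijack(ctor, sniffed) {
  const realSend = ctor.prototype.send;                 // original kept so the page still works
  ctor.prototype.send = function (pay) {
    sniffed.push('Hijacked: ' + pay);                   // sniff(): here just an in-memory log
    const tampered = String(pay).replace(/to=\w+/, 'to=attacker'); // HijackRequest()
    return realSend.call(this, tampered);               // forward so nothing looks broken
  };
}

// Victim side: the page's own code, unaware that send() was replaced.
function transfer(ctor, to, amount) {
  const xhr = new ctor();
  xhr.open('POST', '/api/transfer');                    // constructed endpoint, not a real API
  return xhr.send('to=' + to + '&amount=' + amount);
}

// Scenario 1: nothing protects the prototype. The request is logged and rewritten.
function runUnprotected() {
  const XHR = makeXHR();
  const sniffed = [];
  installHijack(XHR, sniffed);
  const sent = transfer(XHR, 'alice', 100);
  return { sniffed: sniffed, body: sent.body };
}

// Scenario 2: the page freezes the prototype before any untrusted script runs
// and keeps its own reference to the original send() for an integrity check.
function runHardened() {
  const XHR = makeXHR();
  const originalSend = XHR.prototype.send;
  Object.freeze(XHR.prototype);                         // no new or changed properties from now on
  const sniffed = [];
  let assignmentThrew = false;
  try {
    installHijack(XHR, sniffed);                        // ignored in sloppy mode, TypeError in strict mode
  } catch (e) {
    assignmentThrew = e instanceof TypeError;
  }
  const intact = XHR.prototype.send === originalSend;   // tamper check the page can run at any time
  const sent = transfer(XHR, 'alice', 100);
  return { sniffed: sniffed, body: sent.body, intact: intact, assignmentThrew: assignmentThrew };
}
```

In a browser the same defence is `Object.freeze(XMLHttpRequest.prototype)` executed before any other script. Two caveats a practitioner should keep in mind: freezing only stops hooks installed after it, so a script that runs earlier (or an XSS payload that does) still wins, and any script that can install this hook already has full same-origin access to the page, so the real boundary is which scripts you let into the page at all, not the prototype chain.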

The paper does a good job of explaining some of the dangers, but that doesn't mean all Ajax is bad. SQL injection is bad too, yet a few sensible practices leave it no surface to attack.

Alex Russell of Dojo has a great response over on his blog:

What really makes me sad though is that the work of folks like H.D. Moore, Thor Larhom, and Jeremiah Grossman gets lost in the noise when chaff like this is published. By not providing an honest evaluation of the real-world potential of a threat vector, the authors of a paper like this create a sort of seismograph that can’t tell magnitudes, only number of things shaking. Without magnitude information, an instant market is created for people to stand on the tops of roofs and yell down how bad it is (or in this case, how bad it could have been had they not been valiantly standing there).

Threat information is only valuable when there is enough data about it to manage and mitigate risk. Yes, security problems are real, and web app security problems aren’t going away any time soon, but without level-headed analysis of the threat vectors, the real-world risk profiles, and the root-of-trust that is being attacked there is very little reason for clients to view the security community as anything but a freakish collection of opportunists, wolves, and disillusioned techno-utopianists. Accurate data builds trust, and trust builds relationships that allow you to effectively mitigate risk. It’s high time that the security industry developed a code of ethics that prevents FUD-slinging. OWASP could even lead the way, although I suspect there’s not a chance in hell of it happening.

What are your thoughts?

January 8th, 2007

NOVALET: MORE SIMPLE BLOGGING

NovaLet is a new blogging service that aims to be even simpler than Vox.

It isn't quite open to the public yet, but already features:

  • Create, Edit and Delete categories instantly.
  • Create, Edit and Delete Links instantly.
  • Create, Edit and Delete static Pages.
  • Create, Edit and Delete Blog Posts under a certain category.
  • Update, Add and Delete images on posts (You can also add YouTube and GoogleVid on Expanded posts; more services will be added, of course).
  • Create, Edit and Delete comments on a blog post.
  • Categories, Links or Pages on the header can be reordered by clicking on the green icon on the header.
  • RSS for the blog and RSS for every category.
  • Searcher
  • MetaWeblog API
  • Url Rewrite
  • Pinging
  • XSS (Cross Site Scripting) Secure
  • Domain mapping (NovaLet accounts can be hooked to any domain)
  • Localisation (Right now it only supports English but hoping to support other languages in the future. The entire system is localised, including the JS errors.)
  • Good Performance (It performs even better when you are logged off. The current NovaLet beta is running on a weak Celeron server with 512MB and MS SQL Express 2005).
  • Cross browser; so far it runs perfectly on all the browsers I have tested it on (IE, Firefox, Opera, Safari, Camino).

Novalet

January 8th, 2007

CHECKITOUT: RAILS MONEY MANAGEMENT

CheckItOut is an open source Rails-based application for managing personal money accounts. It was born out of the desire to have an application like this that is web based.

You can give it a spin via the demo.

CheckItOut