Delicious dessert blog

Married to Chocolate


Top Stories

Options to put a stop to the latest mutation of the Pushdo trojan

The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them. I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No, you didn't read that wrong: that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousand hits a day or you don't have unlimited bandwidth. -- ShadowServer 01/29/2010 Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System... (more)

HTML5 WebSocket Security is Strong

This is a two-part blog post that discusses HTML5 WebSocket and security. In this, the first post, I will talk about the security benefits that come from being HTTP-compatible and the WebSocket standard itself. In the second post (coming soon) I will highlight some of the extra security capabilities that Kaazing WebSocket Gateway offers, things that real-world WebSocket applications will want to be fully secure. A WebSocket connection starts its life as an HTTP handshake, which then upgrades in-place to speak the WebSocket wire protocol. As such, many existing HTTP security mechanisms also apply to a WebSocket connection — one of the reasons why the WebSocket standard deliberately chose the strategy of being HTTP compatible. Unified HTTP and WebSocket Security Thanks to the HTTP/WebSocket unified security model, the following is a list of some standard HTTP securit... (more)

When Everything Is a Threat Nothing Is a Threat

The current threat level is … the same as it was yesterday, and the day before, and will be tomorrow. We’ve all been in the airport before and heard the announcement. “The current threat level is orange. Blah blah blah blah yada yada whatever.” At least that’s what I hear today, because I’ve become immune to the fact that “orange” means there’s a threat. There’s always a threat, it seems, and the announcement simply conveys what appears to many of us to be the “status quo.” We have effectively been desensitized to a “higher” threat level, as it is now treated as nothing out of the ordinary. It is the norm, rather than something that grabs our attention. The same is true in the enterprise, where the threat level is always high. Although most organizations likely don’t have a “threat level announcement,” the effect is the same: personnel and infrastructure alike treat... (more)

Purple WiFi launches Presence Analytics and Location Based Services, allowing venues to track and engage consumers directly based on behaviour and location

Purple WiFi, the cloud-based Social WiFi software company, has added Presence Analytics and Location Based Services to its Guest WiFi product. Presence Analytics bridges the gap between Google Analytics and the real world, offering real time data and reporting using WiFi technology, similar to how cookies track user browsing online. This arms the venue with an unprecedented level of insight into consumer behaviour and opportunities to engage customers directly. Purple WiFi already serves demographic and engagement information from users to the venue through its Purple Portal, which allows the business to understand who is visiting and using the hotspot, how long they are online, as well as their age, gender and any other relevant information that they offer in their social networking profile. Purple WiFi's Presence Analytics feature also incorporates Customer Trackin... (more)

Fernando Bermejo on Measuring Advertising

Fernando Bermejo is giving a Berkman lunchtime talk titled “Mapping Online Advertising: From Anxiety to Method.” He says that people sometimes hear that he researches advertising and assume that he works for advertisers and wants to improve advertising. In fact, his interests are scholarly. He’s going to talk about the dynamics and logic of online advertising. (The subtitle of his talk is a reference to Devereaux.) NOTE: Live-blogging. Getting things wrong. Missing points. Omitting key information. Introducing artificial choppiness. Over-emphasizing small matters. Paraphrasing badly. Not running a spellchecker. Mangling other people’s ideas and words. You are warned, people. He begins with the John Wanamaker (1838-1922) quote: “Half of the money I spend on advertising is wasted. The trouble is, I don’t know which half.” It’s the most repeated sentence in adverti... (more)

Following Google's Lead on Security? Don't Forget to Encrypt Cookies

In the wake of Google’s revelation that its GMail service had been repeatedly attacked over the past year, the search engine goliath announced it would be moving to HTTPS (HTTP over SSL) by default for all GMail connections. For users, nothing much changes except that all communication with GMail will be encrypted in transit using industry-standard SSL, regardless of whether they ask for it by specifying HTTPS as a protocol or not. In the industry we generally refer to this as an HTTPS redirect, and it’s often implemented by automatically rewriting the URI using a load balancing / application delivery solution. Widely regarded as a good idea, and I’m certainly not disagreeing with that opinion, SSL secures data exchanged between the client and the server by encrypting every request and response using a private/public key exchange. This is a Good Idea and the gener... (more)

REST API Developers Between a Rock and a Hard Place

A recent blog on EBPML.ORG entitled “REST 2010 - Where are We?” very aggressively stated: “REST is just a "NO WS-*" movement.” The arguments presented are definitely interesting but the most compelling point made is in the way that REST APIs are constructed, namely that unlike the “ideal” REST API described where HTTP methods are used to define action (verb) and the path the resource (noun), practical implementations of REST are using a strange combination of both actions (verbs) and resources (nouns) in URIs. What this does is simulate very closely SOA services, in which the endpoint is a service (resource) upon which an action (method) is invoked. In the case of SOAP the action is declared either in the HTTP header (old skool SOAPaction) or as part of the SOAP payload. So the argument that most REST APIs, in practice, are really little more than a NO WS-* API is fa... (more)

Are You Scrubbing the Twitter Stream on Your Web Site?

Web 2.0 is as much about integration as it is interactivity. Thus it’s no surprise that an increasing number of organizations are including a feed of their recent Twitter activity on their site. But like any user generated content, and it is user generated after all, there’s a potential risk to the organization and its visitors from integrating such content without validation. A recent political effort in the UK included launching a web site that integrated a live Twitter stream based on a particular hashtag. That’s a fairly common practice, nothing to get excited about. What happened, however, is something we should get excited about and pay close attention to because as Twitter streams continue to flow into more and more web sites it is likely to happen again. Essentially the Twitter stream was corrupted. Folks figured out that if they tweeted JavaScript instead... (more)

Amazon Makes the Cloud Sticky

Stateless applications may be the long-term answer to scalability of applications in the cloud, but until then, we need a solution like sticky sessions (persistence). Amazon recently introduced “stickiness” to its ELB (Elastic Load Balancing) offering. I’ve written a bit before about “stickiness”, a.k.a. what we’ve called persistence for oh, nearly ten years now, so I won’t reiterate it except to say, “it’s about time.” A description of why sticky sessions are necessary was offered in the AWS blog announcing the new feature: Up until now each Load balancer had the freedom to forward each incoming HTTP or TCP request to any of the EC2 instances under its purview. This resulted in a reasonably even load on each instance, but it also meant that each instance would have to retrieve, manipulate, and store session data for each request without any possible benefit from lo... (more)

What You Need to Know About the Evils of Firesheep

Firesheep is a great new plugin that works in the Firefox browser. It is easy for you to install, easy to run, and gives you, and just about anyone else, the power to do pure evil using just your browser and a laptop. With this post I’ll explain some of this evil and offer some thoughts on what it means for CTOs. First a bit about the code itself, from the author: When logging into a website you usually start by submitting your username and password. The server then checks to see if an account matching this information exists and if so, replies back to you with a “cookie” which is used by your browser for all subsequent requests. It’s extremely common for websites to protect your password by encrypting the initial login, but surprisingly uncommon for websites to encrypt everything else. This leaves the cookie... (more)

Cookie Cutter vApps Realized

A rarely mentioned obstacle when attempting to duplicate or migrate enterprise-class applications is IP-dependency. Not just topological dependencies that are easily addressed with dynamic routing and switching protocols in conjunction with a boot script, but internal dependencies – the ones so deeply embedded in the application’s “identity” that to change the IP address is to break the installation and render it useless. These are the applications for which, upon asking for an exported image for testing purposes, virtualization experts will tell you it is far more efficient to start from scratch, because the IP dependency issue will cause more trouble in the long term than simply starting over. Moving such an application to a public cloud is nearly impossible due to this restriction, and any bursting or data center extension model is out of the question. This is also a pr... (more)