Archive for July, 2005


OWASP Guide 2.0 released

The Open Web Application Security Project has released version 2.0 of their Guide to Building Secure Web Applications and Web Services. Many, many improvements over version 1.

It’s well worth reading, but production was rushed a bit to get it ready for release at Black Hat, so you might want to wait for an early update (2.0.1). I’ll have more comments once I get a chance to read through more of it.

Update: Version 2.0.1 of the guide has been released, with a revised cryptography chapter.


If you read this, you’ll know what I mean.

Channel surfing just now, Kiara spotted “Supreme Court of the United States” abbreviated SCOTUS. So that’s my new word for the week. I can’t wait to start talking about SCOTUS nom John G. Roberts.

Update: apparently I’m just out of it. There’s even a Wikipedia page.



Saturday afternoon I went to the Twin Cities PHP User Group meeting, my third time ever. Finding the Renaissance Box is interesting enough. Actually managing to find a way into the building and up to the meeting location is the real challenge. Apparently past meetings were even worse, when they were held at MPR offices downtown and attendees had to social engineer their way into the building. We joked about doing that every month: pick a random office building and finagle our way in to a conference room.

Most of the meeting was host Allie Micka talking about Apache & PHP configuration security, and caching. Things I took with me from the meeting:

  • Remember to ensure that the temp directory where session data is stored is unique to each virtual host.
  • Question for further research: does Smarty actually manage the Expires and Cache-Control headers in its caching? How about Savant? WACT?
  • I’ve had to deal a lot with HTTP caching and it’s confusing for enough people that I should probably do a presentation on it at the ITS conference next year.
  • Squid is very, very cool. But you knew that.
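One way to put the first item into practice, as an added example that is not from the post or the meeting: an Apache 2 / mod_php configuration fragment giving each virtual host its own PHP session directory (host names and paths are assumed).

```apache
# Added example (not from the original post). Host names and paths are
# assumed. Without a per-host session.save_path, every virtual host on this
# server writes its session files to PHP's default directory (usually /tmp),
# so a script on one host can read or forge the session files of another.

<VirtualHost *:80>
    ServerName app1.example.com
    DocumentRoot /var/www/app1
    # php_admin_value (not php_value) so application code cannot
    # override the path with ini_set() and point back at the shared dir.
    php_admin_value session.save_path "/var/lib/php/sessions/app1"
    php_admin_value open_basedir "/var/www/app1:/var/lib/php/sessions/app1:/tmp"
</VirtualHost>

<VirtualHost *:80>
    ServerName app2.example.com
    DocumentRoot /var/www/app2
    php_admin_value session.save_path "/var/lib/php/sessions/app2"
    php_admin_value open_basedir "/var/www/app2:/var/lib/php/sessions/app2:/tmp"
</VirtualHost>

# Each directory must exist before PHP starts a session, be owned by the
# web server user and be unreadable by anyone else, e.g. (as root):
#   install -d -m 0700 -o www-data -g www-data /var/lib/php/sessions/app1
#   install -d -m 0700 -o www-data -g www-data /var/lib/php/sessions/app2
# Keep PHP's own garbage collection enabled (session.gc_probability > 0):
# an external cleanup job that only sweeps the default path will miss these.
```

With mod_php every host still runs as the same OS user, so the separation above is enforced by open_basedir rather than file permissions; running each host in its own PHP-FPM pool or under suexec as a distinct user makes it a real boundary.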

Minnesota West webmaster — excuse me, web architect — Anoop Atre was in attendance with his brother, and we grabbed a cup of coffee afterwards. Good to see you, Anoop.

I’m bemused by (or at least made hesitant about) my involvement with this group. I’m not sure how much time I have to give it. On the one hand, it’s interesting that I never made the time to regularly attend meetings until some months after I stopped using PHP on a daily basis. On the other hand, the more I work with Java for web development, the more I appreciate PHP. It’s fun. I expect that I’ll end up going to more meetings, if nothing else as a nice break from work. It’s what I like about my job, but it’s not my job, and that’s a big difference, bigger than I realized.


5-ingredient recipe

Every month Vegetarian Times has recipes with five ingredients or fewer. They’re great inspiration when we begin to fall into the rut of using prepared foods. The recipes are simple, yet elegant and inventive. It’s just enough to jumpstart cooking “real” food again. Here’s one of our favorites:

  • Chop 1 bunch kale or collard greens, put in pot.
  • Cut 4 or 5 small-medium red potatoes into 1-inch dice, or about the size you think will cook in 15 minutes. Layer these on top of the greens.
  • Add one cup water, cover and simmer 15-20 minutes until potatoes are done.
  • With a slotted spoon, transfer the greens and potatoes into a serving bowl.
  • Cover with 6-8 ounces crumbled feta cheese, a couple tablespoons balsamic vinegar, and a diced avocado or two.



ClamXav, and don’t run as admin

I’ve been asked a couple times recently about virus protection for Macs. There are several commercial options, but I’m inclined to use ClamXav, a free virus checker that uses the open source ClamAV antivirus engine.

You can gain some additional protection by not logging in with an administrator account. Doing this reduces the impact that an attack can have. The account I use every day has no special privileges. I’ve set up a separate user that exists solely as an administrator account. When I need to install software, the GUI installer prompts me for the admin username and password. From the command line, I just use sudo for everything, and occasionally su when there’s a lot of typing involved.

This is nothing new to security-minded folks, but even some long-time Unix users who wouldn’t dream of logging in as root don’t think about it on their Mac. It took me a while to make this switch, even after I decided it was a good idea.

It’s also worth noting that you can and should avoid running as admin on Windows. Aaron Margosis has put together a page with what you need to know to run Windows as non-admin.


YAPC notes

These are the notes I took at YAPC. Had to put ’em somewhere.

To remember:
svn on the mac
local PerlMongers

Hey, since I’m not using Perl professionally, I’m totally able to use Perl 6 whenever I damn well please.

Filled to standing room only on 1st testing session. Good to see, interesting that others look to Perl community as example of a testing culture, yet here we all are, learning about testing. Then again, I’m already sold on testing and I’m here, so why assume others are any different?

Apache::Test rocks!
Test::WWW::Mechanize to test pages. Not just Perl. Hm.

TAP: Test::Harness::TAP

Apache::Test for PHP, really do need to understand this better.


Very cool, I hadn’t thought about using Perl to test anything except Perl, but with Apache-Test obviously we’ve got PHP testing and such. Cool. Anything for testing XSS? No, but fun to write. Now here’s my Q: am I interested in this just so I can use Perl, or do I actually think it’ll be useful?

Books to watch for:
Perl 6 Essentials
Perl Best Practices
Advanced Perl
Perl Testing – a Developer’s Notebook

gotta try monad

UPU spec for addresses.


Ah ha! SQLite for prototyping instead of MySQL. So why the hell did that not occur to me?

Test.Simple in JS

spf => SenderID

DKIM – ISP-signed
Gmail does domain keys

Karma – rottentomatoes for spam



3 Things

Kate tagged me a while back, but it took me a while to notice because I almost always read her blog in Bloglines and don’t get comments until much later. Oops.

3 names I go by: Sam, Papa, Whereisthatdamnsamanyway.

3 Screen names I’ve had: afongen, marqaha, buch0061

3 Physical Things I like about myself: tall, blue eyes that get really vivid with the right color shirt, and the fact that I’m just a few feet from Kiara.

3 Parts of my heritage: Norwegian, Scottish, Ukrainian.

3 Things I’m wearing right now: A Macromedia t-shirt. I’m not sure why I got it, but it arrived in the mail one day. My favorite comfy many-pocketed green shorts, which I wear pretty much every day. Sandals.

3 Favorite bands/musical artists: I don’t have favorites but lately have been listening to Tom Waits, kd lang, and Carrie Newcomer.

3 Favorite songs: “Les feuilles mortes,” “What a Wonderful World,” “Hallelujah” (Leonard Cohen).

3 Things I want in a relationship: laughter, scintillating dinner conversation, quiet time. Except I’m kidding about the dinner conversation, as I’m not that much of a conversationalist. But it does point to what’s closer to the truth: shared interests and intellectual/emotional stimulation.

3 Physical things about the opposite sex that appeal to me: I got burned on this question years ago when an answer was falsely attributed to me, so ever since I have refused to answer it. Today is no exception.

3 Favorite Hobbies: reading, playing with the kid, long walks.

3 Things I want to do badly right now: eat a monster cookie from Gingko, sleep, read.

3 Things that scare me: bees, failure, something horrible happening to my family.

3 of my everyday essentials: family hugs, lots of water, and quiet time. Strangely, caffeine did not make the list, which I’m sure makes it a little sad.

3 careers you have considered or are considering: teacher (French, ESL), coffee baron, novelist. Wow, haven’t considered the novelist idea since junior high, by which time I was coming to the conclusion that I was doomed to be an English teacher. I have thus far escaped that fate.

3 Places you want to go on vacation: Quebec, England, New Orleans.

3 Kids names you like: Owen, Maura, Tess (short for the not-so-secret name for our next child if it’s a girl). Had Owen been a girl born on December 12, we would have named her Maura after one of Kiara’s students (born December 12). He was not.

3 Things you want to do before you die: raise my kids to be better people than I am. Hm, I can’t think of much else. If we have three kids does that count as three answers?

3 Ways I’m stereotypically a girl: I am on the verge of being a neat freak. If you’ve ever seen my house, you might disagree, but I did say on the verge :). When sports are on TV I am likely to be found in the kitchen instead of watching. I get all bleary-eyed at emotional scenes in movies and TV, like the end of the 2nd season Roswell Christmas episode.

3 Ways I’m stereotypically a boy: I carry lots of things in my pockets, I’m emotionally unavailable, I have little to no color sense.

3 celebrity crushes: This was the hardest question, cuz I really don’t think like this and always feel like I’m making answers up instead of answering honestly — except that the honest answer is that I’d have to make something up. Lessee… Michelle Pfeiffer. Uma Thurman in Gattaca. Antonio Banderas, but only in one specific movie and for the life of me I cannot figure out which one, so I suspect that I am not being entirely forthright.


Accept some blame, would you?

Minnesota state government is back in action after a week-long shutdown. But Governor Tim Pawlenty just pisses me off with this comment:

“This agreement makes me feel like the parent of a teenager who has come home late,” Pawlenty said. “It is way past curfew but I’m glad they’re here safe but I’m mad they’re late.”

As if he had nothing to do with the standoff that led to the shutdown.


Owen at Finnish Bistro

My friends and former roommates Stephen and Michaela passed through town a couple weeks ago. They took this picture of Owen at Finnish Bistro, where we met for lunch:

Owen and a cookie. photo by Stephen Howe

The German chocolate cookies (pictured) are quite good, but I’m a sucker for their chocolate crinkle cookies.


Looks bad for “The Inside”

Fox has chosen not to extend options for the cast of “The Inside”, which as Tim Minear explains makes it clear that they’re not interested in continuing the series.

Surprised? Nah, me neither. Disappointed? Yeah, me too.
