afongen
Sam Buchanan's weblog.

OWASP Guide 2.0 released

The Open Web Application Security Project has released version 2.0 of their Guide to Building Secure Web Applications and Web Services. Many, many improvements over version 1.

It's well worth reading, but production was rushed a bit to get it ready for release at Black Hat, so you might want to wait for an early update (2.0.1). I'll have more comments once I get a chance to read through more of it.

Update: Version 2.0.1 of the guide has been released, with a revised cryptography chapter.

If you read this, you'll know what I mean.

Channel surfing just now, Kiara spotted "Supreme Court of the United States" abbreviated SCOTUS. So that's my new word for the week. I can't wait to start talking about SCOTUS nom John G. Roberts.

Update: apparently I'm just out of it. There's even a Wikipedia page.

TCPHP

Saturday afternoon I went to the Twin Cities PHP User Group meeting, my third time ever. Finding the Renaissance Box is interesting enough. Actually managing to find a way into the building and up to the meeting location is the real challenge. Apparently past meetings were even worse, when they were held at MPR offices downtown and attendees had to social engineer their way into the building. We joked about doing that every month: pick a random office building and finagle our way in to a conference room.

Most of the meeting was host Allie Micka talking about Apache & PHP configuration security, and caching. Things I took with me from the meeting:

Minnesota West webmaster -- excuse me, web architect -- Anoop Atre was in attendance with his brother, and we grabbed a cup of coffee afterwards. Good to see you, Anoop.

I'm bemused by (or at least made hesitant about) my involvement with this group. I'm not sure how much time I have to give it. On the one hand, it's interesting that I never made the time to regularly attend meetings until some months after I stopped using PHP on a daily basis. On the other hand, the more I work with Java for web development, the more I appreciate PHP. It's fun. I expect that I'll end up going to more meetings, if nothing else as a nice break from work. It's what I like about my job, but it's not my job, and that's a big difference, bigger than I realized.

5-ingredient recipe

Every month Vegetarian Times has recipes with five ingredients or fewer. They're great inspiration when we begin to fall into the rut of using prepared foods. The recipes are simple, yet elegant and inventive. It's just enough to jumpstart cooking "real" food again. Here's one of our favorites:

Enjoy!

ClamXav, and don't run as admin

I've been asked a couple times recently about virus protection for Macs. There are several commercial options, but I'm inclined to use ClamXav, a free virus checker that uses the open source ClamAV antivirus engine.

You can gain some additional protection by not logging in with an administrator account. Doing this reduces the impact that an attack can have. The account I use every day has no special privileges. I've set up a separate user that exists solely as an administrator account. When I need to install software, the GUI installer prompts me for the admin username and password. From the command line, I just use sudo for everything, and occasionally su when there's a lot of typing involved.

This is nothing new to security-minded folks, but even some long-time Unix users who wouldn't dream of logging in as root don't think about it on their Mac. It took me a while to make this switch, even after I decided it was a good idea.

It's also worth noting that you can and should avoid running as admin on Windows. Aaron Margosis has put together a page with what you need to know to run Windows as non-admin.

YAPC notes

These are the notes I took at YAPC. Had to put 'em somewhere.

To remember:
NeoOffice/J
Pugs
svn on the mac
local PerlMongers

Hey, since I'm not using Perl professionally, I'm totally able to use Perl 6 whenever I damn well please.

Acme::PETEK::Testkit
Filled to standing room only on 1st testing session. Good to see, interesting that others look to Perl community as example of a testing culture, yet here we all are, learning about testing. Then again, I'm here sold on testing and am there, so why assume others are any different?

Apache::Test rocks!
Test::WWW::Mechanize to test pages. Not just Perl. Hm.

TCWebPros

xrl.us/jstp
xrl.us/jstap
TAP: Test::Harness::TAP
xrl.us/tapj

Apache::Test for PHP, really do need to understand this better.

HTTP::Recorder
HTML::Lint

Very cool, I hadn't thought about using Perl to test anything except Perl, but with Apache-Test obviously we've got PHP testing and such. Cool. Anything for testing XSS? No, but fun to write. Now here's my Q: am I interested in this just so I can use Perl, or do I actually think it'll be useful?
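To make the "Test::WWW::Mechanize to test pages, not just Perl" note concrete, here is an added example (mine, not from the post or from any of the modules' documentation) of a Perl test script driving a non-Perl page. The base URL, the page path, the form name and the field name are assumptions for illustration; the HTML::Lint check uses the module listed in the notes above, and the last two assertions are the sort of output-escaping regression test the "anything for testing XSS?" question is after, run against your own application.

```perl
#!/usr/bin/perl
# Added example: exercising a (non-Perl) web page with Test::WWW::Mechanize.
# The base URL, page path, form name and field name below are assumptions for
# illustration; point them at a local test deployment of the app under test.
use strict;
use warnings;
use Test::More tests => 6;
use Test::WWW::Mechanize;

my $base = $ENV{APP_BASE_URL} || 'http://localhost:8080';   # assumed local test server
my $mech = Test::WWW::Mechanize->new;

# Tests 1-3: the page loads, carries the expected title, and is well-formed
# HTML according to HTML::Lint (html_lint_ok needs HTML::Lint installed).
$mech->get_ok("$base/search.php", 'search page loads');
$mech->title_is('Search', 'search page has the expected title');
$mech->html_lint_ok('search page passes HTML::Lint');

# Test 4: submit the search form with a value containing HTML metacharacters.
# 'search' and 'q' are assumed names; adjust to the real form.
my $probe = q{<b>x</b>};
$mech->submit_form_ok(
    { form_name => 'search', fields => { q => $probe } },
    'search form submits',
);

# Tests 5-6: when the page echoes the term back, it must arrive HTML-escaped
# and never as live markup. A failure here is an output-encoding regression.
$mech->content_contains('&lt;b&gt;x&lt;/b&gt;', 'search term is echoed escaped');
$mech->content_lacks($probe, 'search term is not echoed as raw HTML');
```

Run it with `prove -v` like any other Perl test; because it only speaks HTTP, the page under test can be PHP, Java or anything else, which is the point the note above is making.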

Books to watch for:
Perl 6 Essentials
Perl Best Practices
Advanced Perl
Perl Testing - a Developer's Notebook
PHP 5

gotta try monad

UPU spec for addresses

yacob.org, search.cpan.org/~dyacob

birmingham.pm.org/talks/phrasebooks

SQL::Translator
CPAN::Mini

Ah ha! SQLite for prototyping instead of MySQL. So why the hell did that not occur to me?

OpenGuides
mapufacture

openjsan.org
Test.Simple in JS

Regexp::Compost
spf => SenderID

DKIM - ISP-signed
Gmail does domain keys

Karma - rottentomatoes for spam

spf.pobox.com
mengwong.com/rssemail

Qsmtpd
smtpd.develooper.com

3 Things

Kate tagged me a while back, but it took me a while to notice because I almost always read her blog in Bloglines and don't get comments until much later. Oops.

3 names I go by: Sam, Papa, Whereisthatdamnsamanyway.

3 Screenames I've had: afongen, marqaha, buch0061

3 Physical Things I like about myself: tall, blue eyes that get really vivid with the right color shirt, and the fact that I'm just a few feet from Kiara.

3 Parts of my heritage: Norwegian, Scottish, Ukrainian.

3 Things I'm wearing right now: A Macromedia t-shirt. I'm not sure why I got it, but it arrived in the mail one day. My favorite comfy many-pocketed green shorts, which I wear pretty much every day. Sandals.

3 favorite bands/musical artists: I don't have favorites but lately have been listening to Tom Waits, kd lang, and Carrie Newcomer.

3 Favorite songs: "Les feuilles mortes," "What a Wonderful World," "Hallelujah" (Leonard Cohen).

3 Things I want in a relationship: laughter, scintillating dinner conversation, quiet time. Except I'm kidding about the dinner conversation, as I'm not that much of a conversationalist. But it does point to what's closer to the truth: shared interests and intellectual/emotional stimulation.

3 Physical things about the opposite sex that appeal to me: I got burned on this question years ago when an answer was falsely attributed to me, so ever since I have refused to answer it. Today is no exception.

3 Favorite Hobbies: reading, playing with the kid, long walks.

3 Things I want to do badly right now: eat a monster cookie from Gingko, sleep, read.

3 Things that scare me: bees, failure, something horrible happening to my family.

3 of my everyday essentials: family hugs, lots of water, and quiet time. Strangely, caffeine did not make the list, which I'm sure makes it a little sad.

3 careers you have considered or are considering: teacher (French, ESL), coffee baron, novelist. Wow, haven't considered the novelist idea since junior high, by which time I was coming to the conclusion that I was doomed to be an English teacher. I have thus far escaped that fate.

3 Places you want to go on vacation: Quebec, England, New Orleans.

3 Kids names you like: Owen, Maura, Tess (short for the not-so-secret name for our next child if it's a girl). Had Owen been a girl born on December 12, we would have named her Maura after one of Kiara's students (born December 12). He was not.

3 Things you want to do before you die: raise my kids to be better people than I am. Hm, I can't think of much else. If we have three kids does that count as three answers?

3 Ways I'm stereotypically a girl: I am on the verge of being a neat freak. If you've ever seen my house, you might disagree, but I did say on the verge :). When sports are on TV I am likely to be found in the kitchen instead of watching. I get all bleary-eyed at emotional scenes in movies and TV, like the end of the 2nd season Roswell Christmas episode.

3 Ways I'm stereotypically a boy: I carry lots of things in my pockets, I'm emotionally unavailable, I have little to no color sense.

3 celebrity crushes: This was the hardest question, cuz I really don't think like this and always feel like I'm making answers up instead of answering honestly — except that the honest answer is that I'd have to make something up. Lessee… Michelle Pfeiffer. Uma Thurman in Gattaca. Antonio Banderas, but only in one specific movie and for the life of me I cannot figure out which one, so I suspect that I am not being entirely forthright.

Accept some blame, would you?

Minnesota state government is back in action after a week-long shutdown. But Governor Tim Pawlenty just pisses me off with this comment:

"This agreement makes me feel like the parent of a teenager who has come home late," Pawlenty said. "It is way past curfew but I'm glad they're here safe but I'm mad they're late."

As if he had nothing to do with the standoff that led to the shutdown.

Owen at Finnish Bistro

My friends and former roommates Stephen and Michaela passed through town a couple weeks ago. They took this picture of Owen at Finnish Bistro, where we met for lunch:

Owen and a cookie. photo by Stephen Howe

The German chocolate cookies (pictured) are quite good, but I'm a sucker for their chocolate crinkle cookies.

Looks bad for "The Inside"

Fox has chosen not to extend options for the cast of "The Inside", which as Tim Minear explains makes it clear that they're not interested in continuing the series.

Surprised? Nah, me neither. Disappointed? Yeah, me too.

Still working

Minnesota state government is being shut down while the Legislature debates how to fund it, but higher education funding has already been passed and signed by the governor, so I still have a job. Unlike 9000 other state employees. Thanks for asking.

Back from YAPC

YAPC was fun. Kiara and I flew into Toronto on Saturday, leaving Owen with his grandma. We spent the first day poking around town, then Sunday went out to Centre Island, where we just happened to stumble into dragon boat races. The first few days, everywhere we went I kept finding myself thinking, "Owen would like this!" And I do think that should we go to Toronto again, which is likely, we would find plenty there for him to enjoy. I think it more likely that our next trip to Canada will be to Montreal and Quebec, but I'd be happy to be in Toronto again. I could even live there. It feels like the Twin Cities, but bigger and with better public transportation.

It pains me to say that, though it is so obviously true. We have such potential for public transportation here, but it just isn't being realized. This hits me hard whenever I visit somewhere that's doing a better job and has been for decades.

The conference organizers (Toronto.pm, mostly) did a fantastic job. The location was well-chosen, on the fringes of Chinatown, surrounded by restaurants. We stayed at the conference hotel so could take advantage of the food and nearby trains. And we walked a lot. A lot.

Food that stood out:

Those last crepes almost made us miss our plane. We missed the shuttle bus we meant to take to the airport but shrugged our shoulders. Hey, what could we do? Unfortunately, the next shuttle wouldn't get us there until an hour before our flight, an hour later than we should have been. Aargh! Then traffic was awful, and we ended up racing into the airport less than half an hour before an international flight. Not good. Lines at customs were short, though, and the gate attendants were very helpful, so we just made it. Whew!

Anyway, the conference. It is so very exciting to be surrounded by people who actually enjoy programming Perl, who get it. Every session I went to was good, but I wouldn't say that any of them was a fantastic, life-changing experience. Except that I did walk away with a new understanding of testing in Perl, and how I can use it to test things other than Perl. Casey West gave us a preview of the JavaScript Archive Network, which will be launched in a more complete form at OSCON. JSAN is a JavaScript equivalent of the CPAN (as Autrijus Tang put it, "CPAN is my programming language of choice"). Excellent.
I didn't take part in any of the social events, which I'm coming to understand are really the best part of any conference. But hey, I got to spend five days in Toronto with Kiara! So I hardly missed anything.

We saw two movies in town, after a tragicomic initial failure to find the movie theatre: Hayao Miyazaki's Howl's Moving Castle and Batman Begins, on an IMAX screen. Batman rocks, and it rocks even more on a huge screen.

After five days away, it was a delight to come home to see Owen, running toward us at the airport. The poor kid's been struggling with a cold, though, and is hoarse. It's kinda cute sounding, even if it is sad to hear. We brought him a book about the Mounties and another about a hockey-playing bear, which he's been having us read him every day. He's excited about going to Canada someday himself.

I suppose this means I ought to get a passport.

Holy cats, that's a big fish.

Giant catfish caught in Thailand. Normally with stories like this you'll see pictures of the fish with people for scale. Like this:

giant catfish, photo courtesy World Wildlife Fund - National Geographic (via AP)

But how often do you then see photos of the fish being butchered? Now that's journalism.