Re: [rest-discuss] ITAS Awards

  • Alessandro Nadalin
    Message 1 of 4 , Feb 27 5:58 AM
      2011/2/22 Eric J. Bowman <eric@...>

      > "It's the Architecture, Stupid!"
      >
      > Any ideas on what to call the opposite of this award? I have a first
      > recipient in mind; I'll be spending some time this weekend checking out
      > their architecture and highlighting its RESTful points...
      >
      > "Al Jazeera reported Web traffic to its site increased by 2,500 percent
      > between Jan. 28 and Jan. 31, much of it from the United States."
      >
      > http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/02/20/INHD1HO6NG.DTL
      >
      > ...because, obviously, their architecture exhibits certain desirable
      > properties we're targeting as REST developers. All the more impressive,

      How d'you know that?  :)

      Just to know *what* they are implementing

      > considering those new visitors were mostly after video content. Is
      > there even a term for something an order of magnitude greater than a
      > mere slashdotting, in both scope and duration?
      >
      > I'd rather teach REST through positive reinforcement, by highlighting
      > the rare site which doesn't collapse in a heap of smoking ruins when
      > subjected to such massive, sustained traffic increases. I wish the
      > linked article had cited a reference.

      A really good point.

      +1

      > -Eric




      --
      Nadalin Alessandro
      www.odino.org
      www.twitter.com/_odino_

    • Eric J. Bowman
      Message 2 of 4 , Jun 24, 2011
        ITAS #3 goes to Citigroup.

        I start getting e-mails from online providers that my recurring charges
        are being rejected for fraud; I check my account online and the page
        looks like it's been hacked, there's so much red text, plus a notice
        that my card is cancelled and will be reissued, blah blah blah.

        So I call customer service and say "yes, that's me" when the rep speaks
        my company name as "bee-SOHN sees-TOHMs" which leads me to believe that
        this is the first Vietnamese call center I've encountered (fwiw), and
        assure the nice lady that there's no fraudulent activity on my account,
        and to please pay my suppliers, and please *not* issue me a new CC #.

        I've been moving, so I hadn't heard of recent events; apparently the
        response was to flag all online payments on my account (the only thing
        I use that account for) as fraud until they'd heard from me. But I
        digress -- this is about architecture, not lousy customer service:

        http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html

        "Law enforcement officials said the expertise behind the attack was a
        'sign of what is likely to be a wave of more and more sophisticated
        breaches' by high-tech thieves."

        Oh, dear... we really are in trouble if law enforcement's that clueless.
        There was *no* expertise involved here. I've seen the account # in the
        URLs hundreds of times; I just always _assumed_ I was only logged in to
        my account, not everyone's. Having that bad an architecture is just
        criminal.

        The lulzers? Not so much. I bet the black-hats who've been mining
        that hole for years are plenty upset with them. Personally, I feel
        like an idiot for not bringing all my own http skills to bear on the
        Web interfaces for any account involving my money, instead of foolishly
        trusting the likes of Citigroup to be at least script-kiddie-proof.

        Since we're already dealing with https, what are the arguments against
        http auth again, aside from how it looks/works in browsers? The
        problem here wasn't the CC #'s in the URLs -- hash and salt them for
        the DB, sure, but don't expose that to a world that already knows how
        to format CC #'s; then you have an encapsulation layer instead of
        SQL-injection-via-URL.

        So I never saw the URI allocation scheme as a problem, and I still
        don't even though it was the vector of attack responsible for my own
        data being distributed freely on the Internet. The problem is bad
        architecture, which is all too common on roll-your-own cookie-based
        authentication schemes.

        Which is an argument in favor of not being able to style the good ol'
        butt-ugly browser login boxes. At least when I'm dealing with those, I
        know at a glance that any security holes the site has are probably just
        misconfigurations which may be fixed by anyone knowledgeable of http --
        as opposed to systemic flaws buried in custom algorithms, which will
        take "years to fix," in the words of the runner-up to this ITAS, Sony...

        -Eric (wearing disgruntled-Citi-customer hat)
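The flaw Eric describes above, as an added example that is not part of the thread and not Citigroup's code: a handler that authenticates the session and then trusts the account number carried in the URL, next to one that authorizes per object, and a third that keeps the account number out of the URL behind an opaque handle (Eric's "encapsulation layer"). The accounts, session tokens and 16-digit numbers are constructed sample data; the function names, the `/account?n=` and `/account/<handle>` URL shapes and the `enumerate_accounts` probe are assumptions made for the example, not anything reported about the real site.

```python
# Added example, not code from the thread or from Citigroup.  It models the
# flaw Eric describes (an account number in the URL that the server trusts
# once *any* session is logged in) next to a handler that authorizes per
# object, and one that keeps account numbers out of URLs altogether.
# All account numbers, users, session tokens and URL shapes are constructed.
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    number: str   # 16-digit account/card number; constructed sample values
    owner: str    # login that owns it
    balance: int


# Constructed sample data: sequential numbers, so a probe can walk them.
ACCOUNTS = {
    "4000000000000001": Account("4000000000000001", "eric", 1200),
    "4000000000000002": Account("4000000000000002", "alice", 8800),
    "4000000000000003": Account("4000000000000003", "bob", 15),
}
SESSIONS = {"sess-eric": "eric", "sess-alice": "alice"}  # session token -> user


def current_user(session_token):
    return SESSIONS.get(session_token)


def render(acct):
    return {"number": acct.number, "owner": acct.owner, "balance": acct.balance}


def vulnerable_account_view(session_token, url_account_number):
    """GET /account?n=<number> (assumed URL shape): checks that *someone* is
    logged in, then uses the number from the URL as the lookup key without
    asking whether it belongs to that someone.  Returns (status, body)."""
    if current_user(session_token) is None:
        return 401, None
    acct = ACCOUNTS.get(url_account_number)
    return (200, render(acct)) if acct else (404, None)


def hardened_account_view(session_token, url_account_number):
    """Same URL shape, but the authorization decision is made per object."""
    user = current_user(session_token)
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(url_account_number)
    # Missing and not-yours both answer 404, so a probe cannot learn which
    # numbers correspond to live accounts.
    if acct is None or acct.owner != user:
        return 404, None
    return 200, render(acct)


# The "encapsulation layer": links carry an unguessable handle minted per
# account and mapped back to it server-side; the card number never appears
# in a URL, so there is nothing formatted like a CC # for a client to vary.
HANDLES = {}  # opaque handle -> account number (assumed storage)


def handle_for(account_number):
    """Mint (or reuse) a random handle for an account when rendering links."""
    for h, n in HANDLES.items():
        if n == account_number:
            return h
    h = secrets.token_urlsafe(16)
    HANDLES[h] = account_number
    return h


def opaque_account_view(session_token, url_handle):
    """GET /account/<handle> (assumed URL shape): resolve the handle, and
    still check ownership; an unguessable URL is not an authorization check."""
    user = current_user(session_token)
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(HANDLES.get(url_handle, ""))
    if acct is None or acct.owner != user:
        return 404, None
    return 200, render(acct)


def enumerate_accounts(view, session_token, first_number, count):
    """What a logged-in attacker does against the vulnerable view: walk the
    sequential numbers in the URL and collect the owners that come back 200."""
    owners = []
    start = int(first_number)
    for n in range(start, start + count):
        status, body = view(session_token, str(n).zfill(16))
        if status == 200:
            owners.append(body["owner"])
    return owners


if __name__ == "__main__":
    print(enumerate_accounts(vulnerable_account_view, "sess-eric", "4000000000000001", 5))
    print(enumerate_accounts(hardened_account_view, "sess-eric", "4000000000000001", 5))
```

The point of the three handlers is that the URL scheme is not the bug: the same `?n=<number>` URL is safe once ownership is checked, and the opaque-handle version still needs that check, because a handle leaked in a log or a referer is otherwise as good as the number was. Answering 404 rather than 403 for another user's account is a deliberate choice so that the response does not confirm which numbers are real.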