Re: [rest-discuss] ITAS Awards
- 2011/2/22 Eric J. Bowman <eric@...>
> "It's the Architecture, Stupid!"
Any ideas on what to call the opposite of this award? I have a first
recipient in mind; I'll be spending some time this weekend checking out
their architecture and highlighting its RESTful points...
"Al Jazeera reported Web traffic to its site increased by 2,500 percent
between Jan. 28 and Jan. 31, much of it from the United States."
...because, obviously, their architecture exhibits certain desirable
properties we're targeting as REST developers. All the more impressive,
considering those new visitors were mostly after video content. Is
there even a term for something an order of magnitude greater than a
mere slashdotting, in both scope and duration?
How d'you know that? :)
Just to know *what* they are implementing
I'd rather teach REST through positive reinforcement, by highlighting
the rare site which doesn't collapse in a heap of smoking ruins when
subjected to such massive, sustained traffic increases. I wish the
linked article had cited a reference.
A really good point.
+1
- ITAS #3 goes to Citigroup.
I start getting e-mails from online providers that my recurring charges
are being rejected for fraud; I check my account online and the page
looks like it's been hacked, there's so much red text, plus a notice
that my card is cancelled and will be reissued, blah blah blah.
So I call customer service and say yes, that's me, when the rep speaks
my company name as "bee-SOHN sees-TOHMs" which leads me to believe that
this is the first Vietnamese call center I've encountered (fwiw), and
assure the nice lady that there's no fraudulent activity on my account,
and to please pay my suppliers, and please *not* issue me a new CC #.
I've been moving, so I hadn't heard of recent events; apparently the
response was to flag all online payments on my account (the only thing
I use that account for) as fraud until they'd heard from me. But I
digress -- this is about architecture, not lousy customer service:
"Law enforcement officials said the expertise behind the attack was a
'sign of what is likely to be a wave of more and more sophisticated
breaches' by high-tech thieves."
Oh, dear... we really are in trouble if law enforcement's that clueless.
There was *no* expertise involved here. I've seen the account # in the
URLs hundreds of times, I just always _assumed_ I was only logged in to
my account, not everyone's. Having that bad an architecture is just
The lulzers? Not so much. I bet the black-hats who've been mining
that hole for years are plenty upset with them. Personally, I feel
like an idiot for not bringing all my own http skills to bear on the
Web interfaces for any account involving my money, instead of foolishly
trusting the likes of Citigroup to be at least script-kiddie-proof.
Since we're already dealing with https, what are the arguments against
http auth again, aside from how it looks/works in browsers? The
problem here wasn't the CC #'s in the URLs -- hash and salt them for
the DB, sure, but don't expose that to a world that already knows how
to format CC #'s; then you have an encapsulation layer instead of SQL-
So I never saw the URI allocation scheme as a problem, and I still
don't even though it was the vector of attack responsible for my own
data being distributed freely on the Internet. The problem is bad
architecture, which is all too common on roll-your-own cookie-based
Which is an argument in favor of not being able to style the good ol'
butt-ugly browser login boxes. At least when I'm dealing with those, I
know at a glance that any security holes the site has are probably just
misconfigurations which may be fixed by anyone knowledgeable of http --
as opposed to systemic flaws buried in custom algorithms, which will
take "years to fix," in the words of the runner-up to this ITAS, Sony...
-Eric (wearing disgruntled-Citi-customer hat)
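A compact model of the flaw Eric describes (a valid session that is never checked against the account number in the URL) beside the fix that keeps the same URI scheme, as an added example that is not from the thread or from any real bank's code; the account store, session table and handler names are constructed for illustration.

```python
# Added example: the "account number in the URL" flaw beside its fix.
# Accounts, sessions and handler names are constructed for illustration
# and model no real system.

from dataclasses import dataclass

@dataclass
class Account:
    number: str      # the identifier that appears in the URL
    owner: str       # authenticated user who owns the account
    balance: int

# Constructed sample data: two users, one account each.
ACCOUNTS = {
    "1001": Account("1001", "alice", 250),
    "1002": Account("1002", "bob", 9000),
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}

def get_account_vulnerable(session_token, number):
    """Authenticates the caller but never checks that the account in the
    URL belongs to them, so any valid session can walk every account."""
    if session_token not in SESSIONS:
        return 401, None
    acct = ACCOUNTS.get(number)
    return (200, acct) if acct else (404, None)

def get_account(session_token, number):
    """Same URI scheme, but the lookup is scoped to the caller: a foreign
    account number yields 404 (not 403, to avoid confirming it exists)."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(number)
    if acct is None or acct.owner != user:
        # This is the place to log the denied request; a run of these
        # from one session is the signal that someone is enumerating.
        return 404, None
    return 200, acct

def demo():
    # Alice asks for Bob's account through both handlers.
    return (get_account_vulnerable("sess-alice", "1002")[0],
            get_account("sess-alice", "1002")[0])
```

The URI still carries the account number; what changes is that the server derives the permitted scope from the session rather than trusting the path.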