my recent reads..

'Promote Bad Security Practice' Grand Achievement Awards

As usual, Jeff cuts to the heart of the matter on Coding Horror when calling out Yelp for the astonishingly evil and unconscionable act of asking users to hand over their email passwords.

I am not sure who started this, but it has somehow scarily become accepted practice, especially among the social networking sites. Facebook, LinkedIn, Plaxo ... they all do it, and seem to think that waving some privacy mumbo-jumbo 'but you can trust US!' makes it OK. Some are particularly heinous, like Tagged, which obscures the fact that handing over your email password is optional.

As many have pointed out (see the comments on Jeff's post), this is a lazy solution to a problem that is solvable in ways that do not need to compromise user security.

Facebook, LinkedIn - these guys should know better. And I think they have an obligation to do better, especially since it is becoming more and more common for a social networking site to be an individual's first experience on the net. While the old hands may have well-ingrained security awareness thanks to the evangelizing efforts of people like Steve Gibson and Leo Laporte on the Security Now! podcast, we have a whole new generation of users being taught exactly the wrong thing thanks to the misguided and irresponsible acts of the social networking sites that are requesting email passwords to be handed over.

The proliferation of this perfidious practice must be reversed! A good first step is to heap professional scorn on anyone associated with developing such a feature. Shame!

Oracle Release Timeline with Dipity

Derek Dukes was on net@nite #53 the other week, and it was really interesting to hear him talk about dipity.

Dipity is an experiment in information organisation, with time being the primary dimension currently being explored. It is similar in a way to MIT's SIMILE widget, which I was investigating a while back for visualizing time-based information.

Dipity shows a great deal of promise, and I like its emphasis on self-discovery and the organisation of information if directed (rather than everything having to be painstakingly entered). It is certainly a fun way to get lost for a few hours and learn a whole lot of stuff you never set out to study (just go to the home page and start checking out different timelines!).

Ulrich has already worked up a history of Oracle Releases. Not complete, but a fantastic visualisation that would be worth supporting and maintaining!

NB: I'm posting a static image here for now, because the embed code doesn't seem to work in all browsers at the moment.


Adding reCAPTCHA to Oracle SSO - now on sourceforge

Yes, it's time for some house cleaning!

One of my favourite little hacks is how to add reCAPTCHA to Oracle SSO, which I wrote about last year. I've now finally got around to setting it up with its own sourceforge project.

OssoRecaptcha is a demonstration of integrating the reCAPTCHA service with Oracle Single Sign-On. It can be used in production OSSO deployments, and also as an example of integrating any 3rd party authentication system with OSSO.

Request header rewrites with Java servlet filters - now on sourceforge

Some time back I posted a sample and discussion of request header rewrites with Java servlet filters, and I now finally got around to setting it up with its own sourceforge project.

RewriteRequestHeaderFilter is a Java servlet filter that rewrites request headers according to regex rules specified in the servlet init parameters. It is packaged as a sample application and also as a jar that can be dropped into any arbitrary site.
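To show the shape of such a filter, here is an added example of my own, not the code from the sourceforge project. It assumes the Servlet 3.x API and an init-param convention I made up for the illustration: each parameter named `rule.<n>` holds `<Header>|<regex>|<replacement>`, and the filter is mapped in web.xml in the usual way.

```java
import java.io.IOException;
import java.util.*;
import java.util.regex.Pattern;
import javax.servlet.*;
import javax.servlet.http.*;

// Illustrative filter, not the sourceforge project's code. Assumed init-param
// format: name "rule.<n>", value "<Header>|<regex>|<replacement>".
public class HeaderRewriteFilter implements Filter {
    private static final class Rule {
        final String header; final Pattern pattern; final String replacement;
        Rule(String h, Pattern p, String r) { header = h; pattern = p; replacement = r; }
    }
    private final List<Rule> rules = new ArrayList<>();
    @Override public void init(FilterConfig cfg) throws ServletException {
        for (Enumeration<String> e = cfg.getInitParameterNames(); e.hasMoreElements();) {
            String name = e.nextElement();
            if (!name.startsWith("rule.")) continue;
            String[] parts = cfg.getInitParameter(name).split("\\|", 3);
            if (parts.length != 3) throw new ServletException("Bad rule: " + name);
            rules.add(new Rule(parts[0], Pattern.compile(parts[1]), parts[2]));
        }
    }
    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            // Wrap rather than mutate: the container's request object is read-only.
            req = new HttpServletRequestWrapper((HttpServletRequest) req) {
                private String rewrite(String name, String value) {
                    if (value == null) return null;
                    for (Rule r : rules)
                        if (r.header.equalsIgnoreCase(name))
                            value = r.pattern.matcher(value).replaceAll(r.replacement);
                    return value;
                }
                @Override public String getHeader(String name) {
                    return rewrite(name, super.getHeader(name));
                }
                @Override public Enumeration<String> getHeaders(String name) {
                    List<String> out = new ArrayList<>();
                    for (Enumeration<String> e = super.getHeaders(name); e.hasMoreElements();)
                        out.add(rewrite(name, e.nextElement()));
                    return Collections.enumeration(out);
                }
            };
        }
        chain.doFilter(req, res);
    }
    @Override public void destroy() { }
}
```

Anything downstream that reads a rewritten header (access logs, authorization checks keyed on a header) sees the rewritten value, so the filter's mapping order relative to other filters is part of its security configuration.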