What’s the fuss about XSS

XSS stands for cross-site scripting. Another interesting acronym is cross-site request forgery (CSRF). All in all, what most of you should take away is that on web sites written without security in mind, or that simply have a bug, an outsider can possibly inject code of their own. A good example of this is the MySpace worm, which made anyone who visited its creator's MySpace profile automatically add him as a friend. Additionally, that person's profile automatically received a copy of his little code, so everyone who visited that person's profile in turn became the author's friend as well.

So let's see how long it took him to get a few friends. He included a little bit of code on his profile when he had 73 friends. An hour later somebody looked at his profile (1 more friend, a bit more code on that person's page); 7 hours later he had 221 friend requests; one hour later 480; then another hour later (he had since accepted the 480 ;)) 561; … 3 hours later 2503 friends and 6373 requests; 5 hours later 2503 friends, 917084 requests; a few minutes later over a million friend requests.

Now that's really fun. I mean nobody was hurt. But what follows next could be just a small addition to that little worm, or to an ad you see, or a forum posting, or an article, … .

As seen in this article that has just been published, entitled U R Insecure - how URI exploits are changing the webappsec landscape, you can at this time, on Firefox, or IE, or really any other browser as long as it is on Windows, infect the file system. What does that mean again? It means that provided I have somehow been able to inject code into a web site you are visiting, I can open a command prompt on your machine without you noticing, download a small application, install it, and then do virtually anything to you. What could that be?

  • I delete all contents of your hard drive (actually I don't need the app for that)
  • I turn off your computer
  • I scan all network drives for a file with "financial", "next", "quarter", "confidential" or some mix of those in it (and of course then send myself those files)

Just to connect this again to the MySpace worm: within a few hours I'd have turned off a million PCs, or scanned them for confidential material. You will by now have come up with your own ideas. The thing is that the door is wide open because browsers register URI scheme handlers that let a link open another application. There might be a joost:// handler on your machine, and Joost might be insecure (not saying it is!), and I embed a link that opens joost://something, which in turn gives me access to the file system.
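The two problems described above (script injected into stored profile content, and links that hand the visitor off to a registered protocol handler) both start with user-supplied content being written into a page unchecked. The following is an added example, not code from the original post or from MySpace, of the two server-side controls a profile page would need: HTML-escaping of stored text before output, and an allowlist of link schemes. The profile object, field names and the sample content are constructed for the example.

```javascript
// Added example (not from the original post): defensive handling of
// user-supplied profile content before it is written into a page.
//   1. HTML-escape text, so an injected <script> tag renders as literal
//      text instead of executing in every visitor's browser.
//   2. Only accept link targets whose scheme is http(s); any other scheme
//      (including custom protocol-handler schemes such as joost://) is
//      refused, so the page cannot hand a visitor off to another application.

const ESCAPE_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Return the normalised URL if it may be placed in an href, otherwise null.
// Relative or malformed input is refused rather than guessed at.
function safeHref(candidate) {
  let url;
  try {
    url = new URL(String(candidate).trim());
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  return url.href;
}

// Render one profile (hypothetical shape: name, about, homepage) to HTML.
// Every field passes through the controls above; a rejected link is shown
// as plain escaped text instead of becoming a clickable link.
function renderProfile(profile) {
  const name = escapeHtml(profile.name);
  const about = escapeHtml(profile.about);
  const href = safeHref(profile.homepage);
  const link = href
    ? `<a href="${escapeHtml(href)}">${escapeHtml(href)}</a>`
    : `<span>${escapeHtml(profile.homepage)}</span>`;
  return `<h1>${name}</h1><p>${about}</p><p>Homepage: ${link}</p>`;
}

// Constructed sample input: stored profile fields carrying markup and an
// unexpected scheme, i.e. the kind of content a worm would try to persist.
const sampleProfile = {
  name: "Sam <b>Test</b>",
  about: 'hello <script>alert("injected")</script> world',
  homepage: "joost://something",
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderProfile(sampleProfile));
}
```

The scheme check deliberately uses the URL parser rather than a string prefix test, so variants with leading whitespace or unusual casing are normalised before comparison; anything the parser cannot resolve to an absolute http(s) URL is rejected outright.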

This is not posted to make anyone afraid, but it should alert us all that this Web 2.0 idea, and all the JavaScript usage, doesn't make things easier. We can't just bang out an alpha release of something without some idea of security. This is possibly getting dangerous and we need to be aware. With online apps suddenly being able to go offline, the problem will only get bigger. We can write great apps that run in a browser and I am looking forward to more cool things coming there, but keep in mind that it's not all as simple as it sounds. Imagine this working on the iPhone (I am not aware that it does). I'll just call a few numbers and you are broke and I am rich.

The Problem with AJAX and Page View Centric Measurement

We love to compare things. That's why IVW Online is so important in Germany, and others are worldwide. IVW started out as the company that measures the circulation of newspapers in Germany, and IVW Online is doing the same thing for web sites. The idea is that everyone puts a standard tracking pixel on their site and this measures page impressions. I never thought this was very brilliant, as a page impression is not a page impression: forum traffic is totally different from search traffic or high-quality editorial content. IVW Online recently worked with AGOF to give us a unique-user count, which took a long time to set as a standard because it is very hard to agree on what a unique user on a web site is.

Why is that hard? Because you can use cookies, but not everyone accepts cookies, and those that do might be three people at the same PC. Those that don't are mostly not trackable, and things like proxies make it even more problematic. But they agreed on something that they call true, which is as good as anything else. It just needs to be the same statistic.

Now the problem becomes even worse because of AJAX. Matt Cutts from Google has a great post on it. The thing is that moderate use of AJAX is a good thing, but if you are IVW tracked it might be a bad thing, because suddenly you seem small. I can leave Google Finance open all day and watch the share prices move around while registering only one page impression for the site. Thankfully this is something where AGOF can help, but I still presume that lots of sites out there opt out of using AJAX, as their traffic will seem to decline, like it did for Yahoo!, who moved their mail system to a new version using AJAX. This is a good move and I hope the start-ups out there go in the same direction.

Another good post on the problem of measuring a site's importance is the one by VentureBeat on the new funding of Digg. Comscore, for example, doesn't count RSS traffic, another problem for sites with high traction.

Emerging Technologies Hype Cycle by Gartner

Some days ago Gartner released their 2006 Emerging Technologies Hype Cycle and there is some interesting stuff in there.

As a side note, I had the same graph placed in front of me for programming languages, in an argument by consultants to change a web platform from PHP to Java at my last job. Thankfully I, with the help of the team, wasn't easily convinced and we stuck with PHP back then. I am still sticking with PHP now, even though I could go Ruby, but for now I am happy with the decision.

Anyway, back to the Gartner report. To start with, here is the hype cycle:

Gartner Hype Cycle

The general idea is that at the top of the curve the hype around something is amazingly high, and it needs to go through a valley of disillusionment before it can really be adopted by a large enterprise. All in all, this is not necessarily incorrect, but it obviously depends on how far out there the company is and how far it sees technology as one of its core capabilities.

So one big part of all of this is Web 2.0. Social Network Analysis is obviously one thing and I have to agree that with reasonably big sets of data, this can get really interesting. Ajax is the second item on their list and they also see a lot of potential there, but I like this part:

High levels of impact and business value can only be achieved when the development process encompasses innovations in usability and reliance on complementary server-side processing (as is done in Google Maps).

One thing that is also important here is that with the current hype around frameworks and splitting code in a Model-View-Controller fashion again, the usual way of working with JavaScript is a real problem: a lot of controller logic suddenly ends up back in the view, and you don't want that. Having been able to get some very good developers on board at Ormigo, I am happy to say that we seem to have found a good solution though. Timo has already posted about it on Cake Bakery. What Timo and Dirk developed is a model-view-controller system for Ajax, with the help of things like JSON and jQuery. Our templates are now fully free of JavaScript and the entire Ajax framework is tested via unit tests. Of course there are still some rough edges, but things are moving along nicely and we are thinking about putting the entire system on Google Code or something similar in the not too distant future.

Management Tip: Buy your coders all the books they want to read because there are some interesting things bound to happen, especially if you have people that have a thirst for knowledge.

Collective Intelligence is another big term that Gartner throws around, and boy do I believe it to be true. While we often think about speed of delivery, which might make a command-and-control system seem more worthwhile, many people forget that software is more like art. There is not one way to do something but a million, and diversity of opinion might slow you down in the short term but make you more agile in the long term. Additionally, switching costs on the net are close to zero (in the absence of interlinking users, for example, and allowing for internal networks to build), and that means that the small things make a difference. Finding these small things is what you need collective intelligence for. You need to rely on your users and be able to adapt fast. Uncertainty is a big thing that management will have to deal with in the future. I'd like to quote somebody here:

People are not afraid of change. They fear the unknown. - Dick Brown, chairman CEO of EDS

With no clear view of what will happen next, the known will have to become the fact that things are unclear. Change needs to become part of the development system. For that, you need the right people.

If you don’t like change, you’re going to like irrelevance even less. - General Eric Shinseki, Chief of Staff, U.S. Army

;)

Mashups are also mentioned but I believe their importance to be rated as moderate only because the idea of the mashup is so diverse. I sure as hell can host my static files on Amazon S3, get Maps via Google, Geocode via a third party, score data via somebody else and … . You get the idea. That’s a mashup if you want.

All in all, the future is continuing to be interesting, but I am repeating myself.


Jobs at Ormigo

Greetings everyone. I posted another update on the Ormigo Blog about another job opening. First we were looking for core developers, which was also posted on the old Ormigo site and has proven to have been quite successful. After our successful financing, we changed the site a bit, so you can't find the original bit about developers anymore other than on my own blog. At the moment, the Ormigo Jobs Section has three open positions, all in German. One would be for a quality assurance professional, which I called Qualitizer (for Quality Optimizer) here. This can be a part-time, or freelance, or whatever job really. This should really be a full-time job, but we are testing our feet to see what is out there first. There are lots of options for you to move in this post, and we are open to suggestions. The new job I just posted is for a Web Developer who will be responsible for our Front End, Corporate Identity and Usability initiative. We are looking for a young and fresh mind that wants to move things and has an eye for good web design and a drive to go deeper into the development part of it all.

The other job that is posted is an internship for a marketing, creative writer type of position. We want somebody that is good with words and wants to try out their skills in a fresh new start-up. Looking forward to hearing from you too.


What’s going on NOW

Want to know what is on the mind of people around the world now? Check out digg spy. (Source: Loic Le Meur Blog: digg Spy rocks)
