In 1997 a bunch of us went out to the Y-100 FEZtival, the yearly summer modern rock mega-concert.

The concert was held at the E-Center, The Sony/Blockbuster Entertainment Center, which has since become the Tweeter Center. The E-Center is one of the worst large entertainment venues in Philly (technically in Camden, NJ), especially if you've paid a premium price to sit inside the echo chamber attached to the stage.

The stage itself and the seats directly in front are covered, and the entire building is shaped like a bullhorn with its wide mouth pointing out toward an expanse of grass — the lawn. We knew better than to sit near the stage, and so we had all bought the cheaper lawn tickets and were seated outside.

We had hoped for a sunny day to see the concert, and we got one. It was gorgeous. We arrived early enough to each get a gimmick red felt fez with a gold tassel. Yes, they were preventing people from bringing blankets into the venue even back then.

The band lineup was excellent, perhaps second only to Lollapalooza of '92. With two stages, we didn't get to see every band we wanted. Most of the up-and-coming bands played the secondary stage, and we missed them. For example, Matchbox 20 did not play on the main stage.

Still, the main stage had some great acts. We saw:

One act that I was particularly looking forward to, though, was Matthew Sweet. Matthew Sweet had always struck me as the perennial rocker. Not in the KISS sense, but in a wholesome rock sense. I had always considered that if I was going to go on tour as a rock musician, I would be like Matthew Sweet. My music would sound like his, and I'd be kind of laid back like I imagined him to be, and I'd just be a new 90's version of cool rock. On stage I would exude cool, and when my fingers touched the guitar, girls would throw their underwear on stage.

Well, Matthew Sweet sucked live. After hyping him up to all of my friends, I think he blew it for me. He was out of tune, out of beat, not loud enough, and generally shoddy all around. It's a shame because my image of him (and my wannabe rock star image) was completely blown to hell.

The rest of the concert was pretty good. Pretty much everyone bugged out before Beck came on stage because they were tired of sitting in the blazing sun. Nobody had thought to bring sunscreen, and so we were all deep, deep red the next day. I could barely bend my legs because of the pain of the sunburn. Over the following weeks I peeled three times.

I don't blame it all on Matthew Sweet. Everyone else was good.

Dear Web Development Community,

I've been running a web site of my own since 1995. I have used shared servers, dedicated servers, virtual private servers, and all sorts of operating systems with various hosting companies. I even host some services out of my home office.

I also have an immediate need for a to-do list application that is web-based so that I can access it from wherever I go. I should also either be able to sync it with my Palm, or use it from my Palm's web browser without having compatibility issues. It should take advantage of the latest technical innovations in web development like Ajax.

For the love of all that is holy, create an open source version of something like all these todo apps so that I don't have to pay $5-$20 per month for yet another service that I could be hosting myself. Stop waving around the phrase "nothing to install" like it's the rallying cry of every user. Your service-based application does nothing additional for me that a self-hosted todo application and a little personal TLC couldn't do. It might also help if the open source application you create didn't utterly suck and was written in PHP and not Ruby/Rails so that I could make changes if I needed to.

I refuse to use any of these hosted applications, whether they are offered for free or not. My personal information is not yours to hold. My personal information is my own responsibility to maintain, and I'm happy to do it if you'd write the freaking software and just give it to me.

Thank you,
Owen

You might have noticed that the service release of WordPress 2.0.3 is now available for download. I do recommend to users that they perform this upgrade if they are using the 2.0 branch, because it addresses at least one security issue.

One security-related issue that you might be interested in is the new nonce system. It started with this thread on the WordPress hackers mailing list and became one of the most involved and complex discussions we've ever had. I personally had all too much to say about it. So what is a nonce and how does it affect you?

First off, "nonce" is pronounced like the prefix "non", but with an "s" sound at the end. It is not "noun" with an "s" sound. The term "nonce" is used in a variety of ways, but for our purposes it is a unique code that is only used (more or less) once to identify a particular transaction. How is this useful?

Every time you submit a form in the WordPress admin console in versions prior to 2.0.3, the system looks for the originating page of the form submission in your request. It verifies that the page that you were on prior to submitting the form was actually within the WordPress admin. Why is this important?

Imagine that you had logged into your WordPress admin but were browsing your own site. The cookie stored in your browser would allow you to access your admin pages without logging in again. While you are browsing your site, you encounter a new comment on a post. The comment has a link in it, and without looking too closely at it, you click it. That link could be to a page in your admin console that is responsible for deleting a post!

Now before you panic, note that for normal visitors who do not have permission to delete posts on your site this link would have no effect. They would simply see the WordPress login page and be able to proceed no further. But since you were already authenticated for deleting pages, that link could prove disastrous!

Thankfully, WordPress verifies the page that you were on prior to submitting that link. Since it is not part of the admin console, the link fails to execute and you are saved from a hazardous mistake.

The trouble is that if you are using a browser that does not report the referring page, then everything you try to do in the admin fails like this. It makes it very difficult to manage your site from behind some privacy proxies (common at the workplace or public terminals) and even from some more functional cell phones.

To get around this issue, WordPress 2.0.3 introduces nonces. Basically, every operation in the admin is now assigned a unique code - the nonce. That code is passed along with the form information when you delete posts, moderate comments, etc. WordPress verifies that the nonce is valid for the transaction that you're trying to make, just like it used to do with the referrer. The difference now is that this method works for every page and offers a tad more security by tying the nonce code to the action, your site, and a range of time.

With nonces, it would be virtually impossible for someone to leave a comment that worked in the horror story I described above. When you clicked the link, you would receive a confirmation page asking you if you were sure that you wanted to proceed. If you really did, you could follow through. But this extra page prevents anything bad from happening. Because your admin produces valid nonces, you will never see these confirmation pages under normal use.
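To make the two checks concrete, here is an added illustration in PHP. It is not WordPress code and does not reproduce WordPress's own nonce functions; it is a minimal scheme in the spirit of what the post describes: the nonce is a keyed hash over the action, a per-site secret, and a coarse time window, so a code minted for one action stops working for another and expires on its own. The referrer check is included for contrast to show why a stripped header breaks it. Every name here (`SITE_SECRET`, `TICK_SECONDS`, `make_nonce`, `verify_nonce`, `referrer_is_admin`, `handle_action`) is invented for the example, the user id binding goes one step beyond what the post mentions, and all values are constructed.

```php
<?php
// Added example, not WordPress code. Names and values below are invented.

// Assumption: a long random secret kept in the site's configuration.
const SITE_SECRET = 'replace-with-a-long-random-per-site-secret';
// Lifetime of one time window ("tick"); constructed value for the demo.
const TICK_SECONDS = 12 * 3600;

function nonce_tick(int $now): int {
    return intdiv($now, TICK_SECONDS);
}

// Bind the code to the action, the current user (an addition beyond the post),
// the site secret, and the time window. Truncated so it fits in a URL.
function nonce_for_tick(int $tick, string $action, int $user_id): string {
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", SITE_SECRET), 0, 16);
}

function make_nonce(string $action, int $user_id, int $now): string {
    return nonce_for_tick(nonce_tick($now), $action, $user_id);
}

// Accept the current window and the one before it, so a form loaded just
// before a boundary still submits; anything older is rejected.
function verify_nonce(string $nonce, string $action, int $user_id, int $now): bool {
    $tick = nonce_tick($now);
    foreach ([$tick, $tick - 1] as $t) {
        if (hash_equals(nonce_for_tick($t, $action, $user_id), $nonce)) {
            return true;
        }
    }
    return false;
}

// The pre-2.0.3 style check, for contrast. When a browser or proxy strips the
// Referer header there is nothing to verify, so every admin action fails.
function referrer_is_admin(?string $referer, string $admin_url): bool {
    return $referer !== null && strpos($referer, $admin_url) === 0;
}

// Mirrors the behaviour described in the post: a valid nonce proceeds,
// a missing or wrong one leads to a confirmation page instead of the action.
function handle_action(?string $nonce, string $action, int $user_id, int $now): string {
    if ($nonce !== null && verify_nonce($nonce, $action, $user_id, $now)) {
        return 'proceed';
    }
    return 'confirm';
}

// Demo with constructed values.
$now   = 1150000000;
$nonce = make_nonce('delete-post_42', 1, $now);

var_dump(verify_nonce($nonce, 'delete-post_42', 1, $now));                     // true
var_dump(verify_nonce($nonce, 'delete-post_43', 1, $now));                     // false: other action
var_dump(verify_nonce($nonce, 'delete-post_42', 2, $now));                     // false: other user
var_dump(verify_nonce($nonce, 'delete-post_42', 1, $now + 3 * TICK_SECONDS));  // false: expired
var_dump(handle_action(null, 'delete-post_42', 1, $now));                      // "confirm": link in a comment
var_dump(handle_action($nonce, 'delete-post_42', 1, $now));                    // "proceed": admin-generated form
var_dump(referrer_is_admin(null, 'https://example.com/wp-admin/'));            // false: header stripped by proxy
var_dump(referrer_is_admin('https://example.com/wp-admin/edit.php', 'https://example.com/wp-admin/')); // true
```

The point of the comparison is the last two lines: the referrer check cannot distinguish "a proxy removed the header" from "this came from somewhere else", so it fails for legitimate admins behind privacy proxies, while the nonce travels inside the form the admin itself produced and so works regardless of what the browser reports. A link planted in a comment cannot carry a valid nonce, because the commenter never had the site secret, and the worst it can reach is the confirmation page.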

Ok, so this feature isn't all that impressive from the point of view of the average user. But it gives you a better idea of the security concerns that you should have about your web site's software, and what WordPress is doing to address these issues.

I'm particularly happy with the inclusion of nonces since I lobbied so hard for its addition and it has turned out so nicely.