Jun 26 2008
Our good dog Bluey died today, aged sixteen years. He was a gentle, good natured dog with a deep interest in black socks.
Like most dogs he also loved to eat, although when his sister was around he would only get what she allowed him. His most favourite food of all, however, was whatever you happened to be eating at the time. I have strong memories of Bluey sitting at my feet, watching every mouthful of toast or chips or whatever, fully believing that this time I wasn’t going to give him any. Of course I always did. This is important, I think. A boy needs a dog to share his crusts with.
He lived a long and happy life but I suppose he missed his sister.
I’ll miss you, Blue.
Jun 17 2008
We all know about The Book of Mozilla, but Firefox 3, which was released today, has a cute easter egg when you type about:robots into the address bar, with all sorts of robot references.

Jun 03 2008
I always thought Alistair Darling looked like a Thunderbird, but today realised who those eyebrows really reminded me of: Sam the Eagle from the Muppets.

May 28 2008
Paul Graham has written an interesting essay on great cities and the messages they give out and why it is that a city should have such an effect on a person and their ambitions.
No matter how determined you are, it’s hard not to be influenced by the people around you. It’s not so much that you do whatever a city expects of you, but that you get discouraged when no one around you cares about the same things you do.
I’ve seen a few cities now and each one has its own distinct soul that can’t help but subtly affect you when surrounded by it. Apparently the message Paul gets from London is: “one should be more aristocratic”. I’m not sure I agree with him. Then again, thinking back to when I first arrived here, maybe I did notice a more class-based society.
Maybe I’ve just tuned that message out as background noise.
May 25 2008
I just received a notification that my first Kiva loan has been repaid! Kiva is a micro-lending website where you can make loans directly to entrepreneurs in the developing world. You can see who I am lending to on my Lender Page.
It’s a great way to help people improve life for themselves and it gives you a real connection with the people you lend to in interesting places around the world. So far I have made micro-loans to people in Kenya, Tajikistan, Peru and Cambodia.
May 12 2008
Where’s the best place at SFO to kill an hour? Not the Northwest WorldClub where I’m typing this (although it is a fairly nice lounge - mmm, chocolate chip cookies). No, the best place is the San Francisco Airport Commission Aviation Library & Louis A. Turpen Aviation Museum. Who would have thought there is a whole museum in the airport?
The museum is just before security at Concourse A and is a lovely, quiet space with plenty of chairs and lots of interesting exhibits. The museum’s collection is housed in a two story room modelled on the Passenger Waiting Room of the 1937 San Francisco Airport Administration Building. The top floor is an aviation library with over 6,000 books and periodicals. The bottom floor houses different exhibits from the collection. At the moment they have an exhibition on Cathay Pacific on one side and aviation toys on the other. There are some marvellous steel planes and zeppelins.
The museum is open 10:00 AM to 4:30 PM Sunday through Friday, so if you happen to be waiting for a flight around then I thoroughly recommend taking a look.
May 11 2008
After a very long week I could do little more than lie around in Huntington Park on Nob Hill today, but tonight I caught the F Train to Davies Symphony Hall to see Michael Tilson Thomas conduct the San Francisco Symphony Orchestra in an all-Brahms concert. Leif Ove Andsnes played the Second Piano Concerto and the second half was Brahms’s Fourth Symphony.
It was a great concert, despite sitting next to a head nodder and occasional hummer (!) who had an odour that suggested he had just had the Forty Clove Garlic Chicken at the Stinking Rose. MTT conducted the symphony without the score which allowed him the freedom for some truly balletic gestures; sometimes it looked like he was fencing with the violas.
May 09 2008
I’ve just been to a very interesting BOF by Ludovic Champenois at JavaOne about the new PHP support in NetBeans. The talk was in the context of the new OpenSolaris WebStack so some time was spent on this, including the unique DTrace functionality which looks neat, but I found the NetBeans demo the most interesting.
NetBeans has great support for Ruby and JavaScript and now PHP is starting to get some of that goodness too. At the moment it is only available as either an Early Access release with just the core PHP stuff or in NetBeans trunk (6.5) but it looks very promising. It has:
- code completion
- PHP documentation
- variable renaming
- source navigation
- goto type
- extensible templates and auto-comments
- integrated debugging with XDebug
Sure, you don’t get all the neat refactoring you can have with a statically typed language like Java but even just the variable/method/class renaming is a big help. The code completion is good and the navigation even works over the filesystem in ‘require’ statements. Debugging works just like normal NetBeans debugging including all the usual stuff like call stack, mouse-over variable values, step-in/out, etc. A JMaki plugin brings all that goodness as well.
It’s still fairly early days but it looks pretty neat and maybe PHP finally has a good open source IDE.
May 09 2008
This was a popular session. The queue stretched down the hall, out the front door and around the block. It covered the main vulnerabilities bad guys exploit to attack websites. It was a good session given by Joe Walker who also gave the BOF on Comet.
First up was cross-site request forgery, or CSRF. This is basically misusing people’s cookies. For example, if a user is logged in to bank.com in one tab and then visits evilsite.com in another tab, it is possible to do something like: <iframe src="bank.com/transfer?amt=all&dest=dr_evil" />. No JavaScript required. The only real way to prevent CSRF attacks is to include some kind of authentication token in every request that is separate from the cookie, like a hash of the user’s session ID. These tokens shouldn’t be in GET requests, as they could cause problems with bookmarks, etc., and GET requests should be idempotent anyway. So a hidden POST field is better. You can use the OWASP servlet filter to add these hidden fields.
He also covered JSON hijacking and the old favourite, XSS. An interesting point was that if your site has an XSS vulnerability, that will allow bypassing of any CSRF protections you may have put in place. One of the biggest problems for preventing XSS is that browsers will render any old crap. Basically the web is broken.
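The token scheme from the CSRF part of the talk, as an added example (not from the session or the OWASP filter): the token is a keyed hash of the session ID, it is only accepted from a hidden POST field, and state changes over GET are refused outright. The function names and the server secret are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Assumed server-side key; in a real deployment it comes from configuration,
# not the cookie, so the token stays independent of the session cookie.
SERVER_SECRET = secrets.token_bytes(32)

# Safe methods must never change state, so the forged <iframe> GET from the
# talk does nothing even though the browser attaches the bank.com cookie.
IDEMPOTENT_METHODS = {"GET", "HEAD", "OPTIONS"}


def make_csrf_token(session_id: str) -> str:
    """Token = HMAC-SHA256(secret, session ID): tied to the session, but not
    derivable by someone who only holds the cookie value."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hidden_field(session_id: str) -> str:
    """The hidden POST field rendered into every state-changing form.
    Note: any XSS hole on the site lets script read this field, which is
    why XSS bypasses CSRF protection."""
    return f'<input type="hidden" name="csrf_token" value="{make_csrf_token(session_id)}">'


def allow_state_change(method: str, cookie_session: Optional[str],
                       form: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a request may perform an action such as a transfer."""
    if method.upper() in IDEMPOTENT_METHODS:
        return False, "state change attempted over idempotent method"
    if cookie_session is None:
        return False, "no session cookie"
    token = form.get("csrf_token")
    if token is None:
        # A cross-site auto-submitted form carries the cookie but not the field.
        return False, "missing csrf_token field"
    expected = make_csrf_token(cookie_session)
    if not hmac.compare_digest(token, expected):
        return False, "csrf_token does not match session"
    return True, "ok"


if __name__ == "__main__":
    sid = "sess-0001"  # constructed session ID
    print(allow_state_change("GET", sid, {"amt": "all", "dest": "dr_evil"}))
    print(allow_state_change("POST", sid, {"amt": "all", "dest": "dr_evil"}))
    print(allow_state_change("POST", sid, {"amt": "10", "csrf_token": make_csrf_token(sid)}))
```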
May 08 2008
I attended a session by Bill Pugh (although sometimes it seemed more like a TB ward with all the coughing and sneezing going on) about using FindBugs on large code bases. FindBugs is a static analysis tool that analyses your class files without executing the program. Some people don’t think it should be needed but smart programmers still make dumb mistakes and FindBugs can catch these.
FindBugs can scale to very large code bases; Google has fixed more than 1000 issues discovered by FindBugs. Bill’s talk described ways of using FindBugs on a large project where the number of issues found can be overwhelming. For example, running FindBugs on Eclipse 3.4M2 discovered 36,000 issues. This can be made manageable by using FindBugs filters to filter out:
- Low priority issues (leaves 26,000)
- Vulnerability to malicious code (5,000)
- issues also present in v3.3 (now down to 62 issues)
The vulnerability-to-malicious-code category is filtered out because it mainly matters for code that will run untrusted code, like the JVM.
Another key point was to integrate FindBugs into your CI. Hudson has a good plugin that can display historical results and cause FindBugs issues to affect the health of a build. It can also notify who caused the issue.
Bill quoted typical warning densities of 0.3 - 0.6 medium or high priority warnings per 1000 LOC and about 1 - 4 other potentially relevant warnings per 1000 LOC. But don’t use these numbers to judge whether your project is good or bad!
To narrow down which issues you should be investigating he suggested ignoring the low priority issues. High/medium priority is useful for ranking issues within a pattern but not across patterns, i.e., don’t just look at high priority issues. Each bug has a category, for example, correctness (code seems clearly wrong), security (XSS, SQL injection), bad practice (violates good practice), dodgy code (something weird that might be wrong), i18n, etc.
We use Hudson at work, so it’s probably worth trying the plugin to see what it turns up.
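The triage steps from Bill’s talk applied to a FindBugs XML report, as an added example (not FindBugs’ own filter mechanism): drop low priority, drop the malicious-code category, then drop anything already present in the previous release, and compute the per-1000-LOC density he quoted. The report, the baseline hashes and the LOC figure are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed BugCollection report in the shape FindBugs writes (bug types and
# categories are real FindBugs names; the instanceHash values are made up).
REPORT = """<BugCollection>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="1" category="CORRECTNESS" instanceHash="a1"/>
  <BugInstance type="EI_EXPOSE_REP" priority="2" category="MALICIOUS_CODE" instanceHash="b2"/>
  <BugInstance type="DM_DEFAULT_ENCODING" priority="3" category="I18N" instanceHash="c3"/>
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="2" category="SECURITY" instanceHash="d4"/>
  <BugInstance type="RV_RETURN_VALUE_IGNORED" priority="2" category="BAD_PRACTICE" instanceHash="e5"/>
</BugCollection>"""

# Constructed: instance hashes reported against the previous release (the "v3.3" step).
BASELINE: Set[str] = {"d4", "e5"}
LOW_PRIORITY = 3  # FindBugs priorities: 1 high, 2 medium, 3 low


def parse_report(xml_text: str) -> List[Dict[str, str]]:
    """Return one attribute dict per <BugInstance>."""
    root = ET.fromstring(xml_text)
    return [dict(b.attrib) for b in root.iter("BugInstance")]


def triage(bugs: List[Dict[str, str]], baseline: Set[str]) -> Tuple[List[Dict[str, str]], Dict[str, int]]:
    """Apply the three cuts in the order the talk used; return survivors and counts."""
    counts = {"all": len(bugs)}
    kept = [b for b in bugs if int(b["priority"]) < LOW_PRIORITY]
    counts["after_low_priority"] = len(kept)
    kept = [b for b in kept if b["category"] != "MALICIOUS_CODE"]
    counts["after_malicious_code"] = len(kept)
    kept = [b for b in kept if b["instanceHash"] not in baseline]
    counts["new_since_baseline"] = len(kept)
    return kept, counts


def density_per_kloc(bugs: List[Dict[str, str]], loc: int, max_priority: int = 2) -> float:
    """Warnings of the given priority or better per 1000 lines of code."""
    relevant = [b for b in bugs if int(b["priority"]) <= max_priority]
    return 1000.0 * len(relevant) / loc


if __name__ == "__main__":
    all_bugs = parse_report(REPORT)
    remaining, steps = triage(all_bugs, BASELINE)
    print(steps, [b["type"] for b in remaining])
    print(density_per_kloc(all_bugs, loc=10_000))
```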