Bank payments delayed due to software problem

March 31, 2007

I have just noticed that the payment I arranged from my company earlier in the week (more than £7,000) hasn’t arrived.

It turns out that there has been a problem with the BACS payment system and payments that should have arrived yesterday are now likely to clear on Monday.


Product Promotions

March 29, 2007

You may be aware of the Vouchercodes web site, which lists codes you can use to get a discount on various web sites. The site does apparently spell out the conditions attached to each voucher (to avoid the kind of debacle that happened at Hamleys last December).

While I was browsing Amazon today I noticed this promotion which made me do a double take. This could be a simple mistake, but given that Amazon’s site is known to be highly dynamic I’m guessing that it’s their default position when there aren’t any real promotions available. I just thought it was interesting that they didn’t simply remove the text.

(Image: happyfeet)

(Update: It’s gone now, so I guess it was a mistake.)


Cross-site Scripting Bugs

March 20, 2007

Following on from the PHP month of bugs, IDG reports that two hackers have announced they intend to make April the month of Myspace bugs. They apparently intend to publish mainly cross-site scripting (XSS) bugs.

XSS has been widely written about. The idea is that if a web site displays unescaped user-submitted data, an attacker can use that data to inject script into the page and steal user data, such as session cookies. The main mitigation is to filter input and escape output: filtering against a “white list” of allowed characters is usually more effective than trying to hunt for every combination that is invalid, and escaping on output closes the gap for anything the filter lets through. The XSS cheat sheet has a set of markup fragments that you can use for testing. Assuming you have PDFs on your site, and your users are running Acrobat version 7.0.8 or earlier, it is very easy for a malicious site to make the Acrobat plug-in pass JavaScript to the browser; simply append to the file name:

http://www.example.com/example.pdf#anything=javascript:alert(1);

The advisory from Adobe recommends upgrading to the latest version. Note that the part of the URL after the # never leaves the browser, so no amount of server-side filtering will catch this one; the fix has to be on the client.
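The “filter input, escape output” advice above, as an added example that is not from the original post. It is written for a hypothetical page that echoes a user-supplied name into both an attribute and the text of a greeting: the vulnerable renderer is shown beside the escaped one, input is checked against a white list of allowed characters, and a small HTML parser is used (instead of a regex, which is fooled by escaped text) to confirm that cheat-sheet-style fragments no longer yield a script element or an on* handler. The sample inputs and the allowed-character set are constructed for the demo.

```python
import html
import re
from html.parser import HTMLParser
from typing import List, Optional

# Constructed sample inputs for the demo (not from the original page):
# one benign name and three fragments in the style of the XSS cheat sheet.
SAMPLES = [
    "Alice",
    "<script>alert(1)</script>",
    '" onmouseover="alert(1)',
    "<img src=x onerror=alert(1)>",
]

# White list for a display name: letters, digits and a few punctuation marks.
# The exact set is an assumption for this example; tune it per field.
USERNAME_ALLOWED = re.compile(r"[A-Za-z0-9_ .'-]{1,40}")


def filter_username(value: str) -> Optional[str]:
    """Input filtering: accept the value only if every character is on the white list."""
    return value if USERNAME_ALLOWED.fullmatch(value) else None


def escape_for_html(value: str) -> str:
    """Output escaping for HTML text content and double-quoted attribute values."""
    return html.escape(value, quote=True)


def render_greeting_vulnerable(name: str) -> str:
    """The bug: user data goes into the page verbatim."""
    return f'<p title="{name}">Hello, {name}</p>'


def render_greeting(name: str) -> str:
    """The fix: escape at the point of output, whatever the input filter did."""
    safe = escape_for_html(name)
    return f'<p title="{safe}">Hello, {safe}</p>'


class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and records script elements and on* event handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for attr_name, _ in attrs:
            if attr_name.lower().startswith("on"):
                self.findings.append(f"{attr_name} handler on <{tag}>")


def active_content(page: str) -> List[str]:
    """Return a list of active-content findings in a rendered page (empty means clean)."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for sample in SAMPLES:
        accepted = filter_username(sample)
        print(f"input {sample!r}: filter {'accepts' if accepted else 'rejects'}")
        print("  vulnerable:", active_content(render_greeting_vulnerable(sample)) or "clean")
        print("  escaped:   ", active_content(render_greeting(sample)) or "clean")
```

Running it shows the filter rejecting the three attack fragments outright and, for the case where a filter is not applicable, the escaped renderer producing a page with no script element or event handler, while the vulnerable renderer yields one for every fragment.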

A related, but slightly different technique is the Cross-Site Request Forgery (CSRF) which (as described by Wikipedia) “exploits the trust of the origin of the request and transmits commands from a trusted user”. For example, if del.icio.us didn’t guard against this, a piece of malicious code might post a link for some undesirable site to your collected bookmarks while you are logged in (the cookie set by del.icio.us remains active for a long time, to avoid the hassle of having to log in frequently). The CSRF FAQ offers some good advice on how to protect your application against CSRF attacks, including:

  1. Fix any XSS vulnerabilities first
  2. Set short session times
  3. Prompt the user to enter their login details on important pages
  4. Include a random token in the request page, which is then checked against a value stored in the session (read the FAQ, and Chris Shiflett’s article for further guidance)
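Item 4 worked through, as an added example that is not from the original post or the CSRF FAQ. It models a bookmarking service like the del.icio.us case above (the service, its session store and its `/post` handler are hypothetical): a random token is generated per session with `secrets`, embedded in the site’s own form as a hidden field, and compared on submission against the value held in the server-side session using a constant-time comparison. A forged request from another site arrives with the victim’s cookie but without the token, because the attacking page cannot read the victim’s copy of the form (which is also why item 1 comes first: an XSS bug on the site would let it).

```python
import hmac
import re
import secrets
from typing import Dict, Tuple

# Constructed in-memory session store keyed by the session cookie value.
# A real application would use its framework's server-side session instead.
SESSIONS: Dict[str, dict] = {}


def login(user: str) -> str:
    """Create a session and return the value that would be set in the session cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user}
    return sid


def csrf_token_for(sid: str) -> str:
    """Issue one random token per session and keep it server-side for later checking."""
    session = SESSIONS[sid]
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def render_post_form(sid: str) -> str:
    """The site's own 'add bookmark' page: the token travels as a hidden field."""
    token = csrf_token_for(sid)  # URL-safe alphabet, so no HTML escaping is needed
    return (
        '<form method="post" action="/post">'
        f'<input type="hidden" name="csrf" value="{token}">'
        '<input name="url">'
        "</form>"
    )


def handle_post(cookie_sid: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Server side of POST /post: the cookie identifies the session, the token proves
    the request came from a page the site itself served to that session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 403, "not logged in"
    submitted = form.get("csrf", "")
    expected = session.get("csrf", "")
    # compare_digest avoids leaking the token through timing differences
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"
    session.setdefault("bookmarks", []).append(form["url"])
    return 200, "bookmark added"


def demo() -> Tuple[Tuple[int, str], Tuple[int, str]]:
    """Legitimate submission versus a forged one from a third-party page."""
    sid = login("victim")

    # Legitimate flow: the browser submits the site's own form, token included.
    page = render_post_form(sid)
    token = re.search(r'name="csrf" value="([^"]+)"', page).group(1)
    legitimate = handle_post(sid, {"csrf": token, "url": "https://example.org/good"})

    # Forged flow: a malicious page auto-submits a form to /post. The browser
    # attaches the victim's cookie, but the attacker never saw the token.
    forged = handle_post(sid, {"url": "https://example.org/undesirable"})
    return legitimate, forged


if __name__ == "__main__":
    legitimate, forged = demo()
    print("legitimate:", legitimate)
    print("forged:    ", forged)
```

The token is tied to the session rather than to the user, so a stale token from an earlier login is rejected too, and rotating it on login keeps item 2 (short sessions) effective.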

(Update: Bruce Schneier highlights a paper describing possible attacks against Web 2.0 applications that exchange data in JavaScript Object Notation, and how to mitigate them.)


On the BBC Suspending its Jam Service

March 14, 2007

Mike Arrington reports that the BBC has suspended its Jam service following complaints to the European Commission. This doesn’t appear to be the same project that Mike mentioned at FOWA, but it covers roughly the same territory; as he puts it “the BBC is struggling with its boundaries and what types of services it can offer”.

The BBC account of the suspension notes that under the BBC’s charter the Corporation is charged with promoting learning for school-aged children. BBC Jam was aimed at meeting that requirement.

My own experience of the BBC’s sites for children (through my own family) is that they are very well done. If they weren’t then the privately funded companies probably wouldn’t have such an issue.

So personally, I would like to see educational material of this quality continue to be available. However, the boundaries do need to be set so that the startups know where they can compete, or a different funding model needs to be considered for those activities that are less closely tied to the BBC’s traditional programme output.


Odd Book Titles

March 14, 2007

Radio 4’s Today programme has been running a competition for its listeners to come up with short works inspired by some of the more unusual book titles, including How Green Were The Nazis?, Tattooed Mountain Women and Spoon Boxes of Daghestan and The Stray Shopping Carts of Eastern North America: A Guide to Field Identification.

Tim Sanders’ excellent offering was read out this morning, and begins:

The sound of creaking leather from their collective greatcoats broke the silence as the assembled Wehrmacht officers leaned forward to examine the huge table map of the Spreewald, the vast forest area standing between the XI SS Panzer Corps and the Red Army. The problem was clear – vast stretches of gorse in the forest (ulex europeus) were in flower and it was the nesting season of the rare inversely-spotted bark-spitter. “Well, gentlemen” General Busse announced to his colleagues “there is no way we can attack them through the forest – the damage to the environment would be too great. Our panzer tanks still emit excessive CO2 and the electric hybrid version is still on the drawing-board.”

In the banter that followed, judge Alexander McCall Smith commented (RealAudio): “… it really is a model for countries contemplating aggression, that they can still be aggressive but they can do so in an environmentally responsible fashion”.

The BBC has posted some of the entries online and will be adding others.


Amazon Web Services

March 8, 2007

BusinessWeek called it “Amazon’s Risky Bet“, but Amazon’s decision to expose its infrastructure as a set of web services is very exciting for those of us who would rather focus on building apps than infrastructure.

After Werner Vogels’ overview presentation on day 1 of FOWA, I decided to attend the workshop session with Jinesh Varia, Amazon’s web services evangelist.

The two main infrastructure services are the Simple Storage Service (S3) and the Elastic Compute Cloud (EC2). Both offer a pay-as-you-go service: you pay only for what you use. When you store an item in an S3 “bucket”, that item is uniquely addressable through a URL, so some of the early uses of S3 are photo/media sharing and backup. There are even a number of front-end tools such as S3 Explorer, Backup Manager, filicio.us and S3 Fox that allow you to start using the S3 service straight away. If you access the storage from EC2 you are not charged for the data transfer between the two; the storage itself is still billed.

Jinesh took us through some of the details of S3, including:

  • S3 buckets are object containers; you are limited to 100 buckets per account (to encourage you to use the associated namespace more efficiently)
  • Objects are limited to 5GB (which seems to be the limit at which POST can operate, due to router constraints, for example)
  • Buckets are URL-accessible through AWS’s virtual hosting
  • Object keys (within a bucket) are Unicode strings up to 1024 bytes long; you decide on the key format most suitable for your application
  • Access Control Policy can be applied to buckets and objects

Richard Kirk gave a demonstration of LignUp‘s web service-enabled telephony platform, which uses EC2 and S3. Richard demonstrated getting an application to call a cellphone (currently restricted to the U.S. due to an issue with DTMF), recording a message on the cellphone and then associating that recording with a blog. Storage of the resulting WAV bypasses the blog site’s infrastructure, as the EC2-based telephony platform sends the file directly to S3, and the blog references the WAV file through its AWS URL. LignUp has pricing models for corporations, and also for individual bloggers (with the latter based on a solution hosted by LignUp).

For EC2, the model is to clone existing instances when you need more. You could achieve this using agents to check CPU usage over a period of time (e.g. 5 seconds) and then start another instance if required. (AWSConsole also provides you with a web interface to make administration easier.) Jinesh mentioned that the model for a database like MySQL would be to have it running on EC2 and then replicate to S3 every 15 minutes, say. (In other words it wouldn’t be feasible to run MySQL directly on top of S3.)

T. J. Kang of Thinkfree also talked about how his company is moving to AWS for DocExchange’s storage and computing resource. Thinkfree currently has 15,000 documents stored and they are targeting 1M by the end of the year. T.J. estimates that they reduced their infrastructure costs from $52,000 to $8,000 in the first year.

Jinesh wasn’t able to go into detail about the outstanding issues they are having, but the question was posed as to how EC2 manages IP address allocation across clones for load balancing; he said they were working on this and expected to have it resolved soon. Clearly Amazon is working with early adopters like Thinkfree to address these issues. I also asked him about the location of data storage; there might be Data Protection or other legal implications depending on the geography; he gave a similar answer to that given by Werner Vogels on day 1: that the data is spread across data centres but noted that Amazon do have a presence in the UK.

Links: AWS Zone