Pandora needs your help

Most of you who know me know that I’m a huge fan of Pandora. When coding on a project, Pandora is superb for providing a constant stream of quality Trance music. For those unfamiliar with the site, it’s a flash-based service that allows you to stream music based on your own personal tastes. You can add channels based on artist, song, or genre.

Pandora engineers (many are musicians themselves) have analyzed countless songs for the musical properties that make every song unique. Rare, esoteric music can be played through Pandora, and it’s a natural way to discover new artists and genres. Their main service is a Web 2.0 site that plays music in your browser. Recently, Pandora launched an iPhone app that is highly rated and one of the top 20 downloaded apps on Apple’s store.

So that’s great, and Pandora is an awesome service, but it needs your help. Music royalties for Internet radio usage are causing companies like Pandora to pay upwards of 70% of their yearly revenues in royalties. Legislation has been introduced so that Internet radio services such as Pandora are fairly charged for streaming music, similar to the way in which traditional broadcast radio is structured. However, the legislation, H.R. 7084, The Webcaster Settlement Act of 2008, is being lobbied against by the National Association of Broadcasters (NAB). If you’re a fan of Pandora or Internet radio in general (as the bill affects all webcasting services, not just Pandora), you should take the opportunity to call or write your congressman, asking for their support for H.R. 7084. More information can be found on Pandora’s blog.

Portland bound

I’m headed to Portland soon to spend some time working at the new Vidoop World Headquarters. Adam, Chris, and Jason were gracious enough to offer me a couch to sleep on for my time there. I’m hoping to get caught up with everyone and get a bit more acclimated to the Portland way of life. As always, it should be an interesting trip.

SQL injection attack on BusinessWeek

SQL injection is nothing new, but it’s not every day that you read about a famous, widely-read journal like BusinessWeek getting hacked and distributing malware. Apparently BusinessWeek readers were directed to download malware from a Russian site (that has since become unavailable).

SQL injection attacks are relatively easy to protect against. One good way to prevent SQL injection is to use parameterized statements, also called prepared statements. These use placeholders in the SQL query text, which the database fills in with values supplied in a subsequent call. Thus user input is never spliced into raw SQL; instead, the query is prepared first, and then its parameters are bound in order. Here’s a simple example (in C++):

const char *stmt = "SELECT * FROM USER WHERE userID = ?";
/* ? is the parameter placeholder. The statement is prepared first (parsed
 * by the database with the placeholder in place), and only then is the
 * user-supplied value bound to the placeholder with a bind_param() call,
 * so the value is handled as data and never parsed as SQL.
 */

In this way, user input is only ever bound as data to a parameter with pre-determined constraints (max length, type, allowable characters, etc.), so it cannot change the structure of the query itself.
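To make the difference concrete, here is an added example (not code from the original post) that runs the same lookup both ways against a small in-memory SQLite table. The table, its rows, and the test input are constructed for this example; the point is that the concatenated query changes shape when the input contains a quote, while the parameterized query treats the identical input as an ordinary string value.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny USER table (an assumption for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USER (userID TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO USER VALUES (?, ?)",
        [("alice", "Alice"), ("bob", "Bob"), ("carol", "Carol")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    # The query text is built by string concatenation, so whatever the caller
    # supplies is parsed as part of the SQL. This is the pattern that enables
    # injection: a quote in the input ends the literal and the rest is SQL.
    sql = "SELECT userID, name FROM USER WHERE userID = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, user_id: str) -> list:
    # The query is prepared with a ? placeholder and the value is bound in a
    # separate step. The database treats the bound value purely as data, so a
    # quote or keyword inside it can never alter the query's structure.
    sql = "SELECT userID, name FROM USER WHERE userID = ?"
    return conn.execute(sql, (user_id,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal id and with a constructed quote-bearing input."""
    conn = make_db()
    quoted_input = "x' OR '1'='1"  # constructed test input containing a quote
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_quoted": lookup_vulnerable(conn, quoted_input),
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_quoted": lookup_parameterized(conn, quoted_input),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the concatenated query, the quoted input turns the WHERE clause into a tautology and every row comes back; with the bound parameter, the database looks for a user literally named `x' OR '1'='1` and finds nothing. Nothing about the input changed between the two calls, only how the query was built.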

Some other common defenses against SQL injection are escaping user input and network security devices that do pattern analysis on traffic. Input escaping is tricky, because attackers can be clever and use Unicode characters, alternate encodings, and other techniques to bypass typical escaping rules, so web developers should be aware of these techniques. IDS/IPS devices can provide an additional layer of security by detecting and blocking traffic that matches known SQL injection signatures.
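The signature-matching layer the previous paragraph describes can be sketched in a few lines. The following is an added example, not code from the original post or from any IDS product: it scans constructed web-server access-log lines for a handful of SQL injection signatures, and it decodes and normalizes the query string (percent-decoding, Unicode NFKC folding, case and whitespace) before matching, which is the step that lets a rule catch the encoded and Unicode-lookalike variants the paragraph warns about. The log lines, client addresses, and regular expressions are all assumptions made for this example.

```python
import re
import unicodedata
from urllib.parse import unquote_plus, urlsplit

# Signatures in the spirit of a simple IDS/IPS rule set. These regexes are
# assumptions written for this example, not rules from any real product.
SIGNATURES = {
    "tautology": re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+'?"),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "stacked_query": re.compile(r";\s*(?:drop|delete|insert|update|exec)\b"),
    "sql_comment": re.compile(r"--"),
}

# Pulls the request target out of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines (addresses from the documentation range 203.0.113.0/24).
LOG_LINES = [
    '203.0.113.5 - - [10/Sep/2008:12:00:01 -0500] "GET /article.php?id=42 HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Sep/2008:12:00:02 -0500] "GET /article.php?id=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 51200',
    '203.0.113.9 - - [10/Sep/2008:12:00:03 -0500] "GET /search.php?q=news+UNION+SELECT+username%2Cpassword+FROM+users HTTP/1.1" 200 980',
    # Same tautology as the second line, but written with fullwidth apostrophes (U+FF07).
    '203.0.113.11 - - [10/Sep/2008:12:00:04 -0500] "GET /search.php?q=%EF%BC%87%20or%20%EF%BC%871%EF%BC%87%3D%EF%BC%871 HTTP/1.1" 200 980',
    # Benign text that happens to contain "--": a signature-only approach flags it too.
    '203.0.113.13 - - [10/Sep/2008:12:00:05 -0500] "GET /contact.php?msg=hello+--+see+you HTTP/1.1" 200 300',
]


def normalize(query: str) -> str:
    """Undo the encodings a request can hide behind before matching.

    Matching the raw query string misses percent-encoded, mixed-case, and
    Unicode-lookalike forms, so decode once and match the canonical text.
    """
    decoded = unquote_plus(query)                        # %27 -> ', + -> space
    decoded = unicodedata.normalize("NFKC", decoded)    # fullwidth ' -> ASCII '
    decoded = re.sub(r"\s+", " ", decoded)              # collapse whitespace runs
    return decoded.lower()


def scan_line(line: str) -> list:
    """Return the names of all signatures that match one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = normalize(urlsplit(m.group(1)).query)
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def scan_log(lines) -> dict:
    """Map each client address that triggered a signature to the set of names hit."""
    hits = {}
    for line in lines:
        names = scan_line(line)
        if names:
            ip = line.split(" ", 1)[0]
            hits.setdefault(ip, set()).update(names)
    return hits


if __name__ == "__main__":
    for ip, names in sorted(scan_log(LOG_LINES).items()):
        print(f"{ip}: {', '.join(sorted(names))}")
```

Two things worth noticing when running it: the fullwidth-quote request only trips the tautology rule because of the NFKC step, which is exactly the gap a raw-string matcher would leave open; and the harmless contact-form message is flagged by the comment rule, a reminder that signature matching alone produces false positives and belongs alongside parameterized queries rather than in place of them.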

Stock market manipulation

I ran across this article today relating how a popular news item that rose through the ranks via Google’s Automated News Crawler resulted in a stock market plummet for one unfortunate company, United Airlines. Apparently an older article concerning UAL’s bankruptcy filing, originally published in 2002, was mistaken for current news, picked up by Google’s crawlers, and became a runaway hit. The text of the original article was missing the publication date, which is why it became widely circulated as “current” news.

UAL’s stock quickly witnessed a deficit of $1.14 billion as a result of the news, but by the end of the day had mostly recovered. The resulting loss in shareholder value was ~$300 million. Of course, had the original article included the publication date (2002), this likely wouldn’t have happened. The investigators believe this was an innocuous event, but it’s very easy to imagine a similar case as a malicious event. Industry competitors, rogue employees, or other nefarious parties could conspire to hijack another company’s stock or reputation (which has a strong correlation to stock price).

It’s not clear that much can be done to mitigate this form of social engineering. Once a news blurb gains traction, it circulates through the various blogging networks, online media conglomerates, and aggregators like Google News. One way to attempt to contain an inaccurate story is to issue an official company press release stating that the news is inaccurate or misleading. This, however, may appear unconvincing to many who are eager to trust third-party reports over the official party line.

Another interesting facet is in assigning blame. Is it Google’s crawlers’ fault for not being able to distinguish old news from current? Or perhaps Tribune is at fault: its online paper South Florida Sun-Sentinel published the old article without a date. Stockholders (and automated software acting on their behalf) selling their shares based on the news are also potentially to blame for not researching the news with due diligence prior to acting on it.

Back in action

After a hiatus of more than 2 1/2 years, the blog is once again open for business! I’ve updated WordPress and the supporting themes and plugins to the latest versions. I’ve even added support for OpenID logins for adding comments (courtesy of Vidoop’s own Will Norris and Chris Messina).

Perhaps I should back up a few steps and talk about what I’ve been doing the past few years.

I’ve been working at Vidoop since the company’s inception, being one of the inventors of the ImageShield authentication system. The company has grown tremendously since its founding in March 2006. From the original 4 people, the staff has grown to somewhere close to 50 (I’ve lost track of the official count). We’ve established ourselves as pioneers in the identity space, working with a variety of organizations to help foster growth and innovation in identity on the web. In the process Vidoop has moved from our original headquarters in Tulsa, OK to our new home in Portland, OR. I’m still based in Tulsa for a while, until my wife and I can move out to Portland.

Which is a nice segue into the next major announcement: This past May, I got married to a wonderful girl named Adrienne! The wedding was an eventful occasion, with lots of great memories with family and friends. We also enjoyed our honeymoon in Maui; it was a paradise we didn’t want to leave :-)