After of some weeks flirting with the Apple keyboard, today I finally bought it. I’m writing this post with it. And I can only say that this is the best keyboard one can have. It’s very slim and the typing is smooth, actually is pretty much the same as the new macbook keyboard.

I bought it to use at work, mainly because working endless hours in a laptop can injure your back and an external keyboard allows me to vary my posture when sitting in front of the macbook. Another reason, is that in summer time, having my hands resting in a macbook pro, turns out to be a hot and sweaty experience.

I opted for the USB version because I don’t really like batteries at all, and I wouldn’t be very tolerant with random bluetooth disconnects. Although the keyboard USB cable is short, Apple was king enough to include an extension for those who need a longer cable.

Here’s the Apple keyboard side by side with my old Revoltec Lightboard, so you can get an ideia about the size of this thing:

Just to end this post, as you can see on the first picture, I bought this keyboard at TB Store in Colombo. I definitely recommend this store to buy Apple stuff. Great customer service, nice and unusual bags for the shopped products and bonus key chain lanyards.

If you “worship” your google account, and the idea of losing it sounds catastrophic to you, because all your life is in it. You might just keep on reading this post.

What’s the problem?

The web is mostly an unsafe place, and having your google account logged while browsing “random” web sites, might be a russian roulette experience. Because with some recent techniques like clickjacking, an attacker might set up a web page with malicious code that uses your logged in google account session to perform actions on your behalf. And if you don’t believe this, you can try for your self in the following example.

You can try this using a dummy Gmail account if you feel insecure about it.

Log in to your dummy Gmail account, open a new tab and go to this website. Now click the “send” button on the page, and go check your dummy Gmail sent messages folder. You will see that you have just sent an email, without even noticing (well you did notice actually if you checked the status bar, but it was too late anyway).

The way to achieve a hack like this is not very complex. Quoting the author:

You get a copy of the generated HTML code of the target webpage, then you simply hide everything, except for the button you want to overlay.. you could draw other things using absolute positioning, but this is enough for most scenarios.

You can checkout the “ghost page” here: http://www.sirdarckcat.net/dad.html

This attack has it’s pros and it’s cons.. the most important pro is that it’s the best way of doing cross-browser exploits.. since you don’t depend on the sizes, margins, overflow rules etc.. that different browsers use.

Possible solutions?

The best way to prevent against these attacks, while it may not be the ideal solution, is by simply reducing the time you spend logged in on the browser. Actually, you can even use these services with no logged session on the browser.

The answer is simple: don’t use these services web interface on your personal computer. For Gmail, use a POP or IMAP client of your choice, for every other, use Prism. Prism lets you run web applications in a desktop/standalone mode. This way you have all your sessions encapsulated, in a kind of sandbox way. Leaving you free to use the browser in a more relaxed manner.

Why do I say “on personal computer” ? Because it’s in your daily use machine that you are more tempted to save login forms and such, leaving you vulnerable to the type of attacks I described. On other machines you are less tempted to do that, because it’s not your machine, or it’s a public computer, and you spend much less time on it.

While I’ve been talking about Google accounts and Gmail along this post, actually, every other service may be vulnerable to this type of attack, but generally Google services are usually more secured than the rest.

What can web developers do?

Not much really. For web developers, the way to prevent that your site gets opened in a iframe is the piece of code known as “the Framekiller“. This is a javascript code snippet to include in your HTML pages:

<script type="text/javascript">
if (top !== self) top.location.replace(self.location.href);
</script>

This works with the obvious javascript/client side limitations, so it shouldn’t be regarded as a reliable approach, but it definitely helps.

More on the subject

If you wish to know more about other similar techniques, you can check these links below:

CSS Attacks

Clickjacking

First, all methods were returning a SimpleXML object, which is a mistake in terms of flexibility. I’ve changed them all to just return a XML string. Now its up to the user (programmer) to choose the way to access/parse the XML.

Second, TwitterPHP is a class, you can instantiate it several times, for let’s say, accessing multiple accounts. At least you should be able to do that, but since I was reading the Twitter username and password from a configuration file (naive, I know), multiple instances could only use the same account. Now the problem is solved by simply adding the username and password as arguments of the constructor method and removing the configuration file.

Third and last, I switched from PHPDocumentor to Doxygen. This was mainly because I found out that Doxygen is much more flexible, I can use it with any other project with any other language. And the resulting documentation is more fast and clean than PHPDocumentor.

So you can take a look at the new version of TwitterPHP here and the documentation generated by Doxygen here.

In future releases I’m planning to add OAuth support and implement more Twitter API actions.

One of the most interesting things about Javascript OO is the way to define a Class. Actually there is no keyword “class” at all. So here’s an example on how to create a class Book in Javascript:

/**this will be the constructor method,
that automatically creates the class**/

function Book (isbn, title, author) {
    this.isbn = isbn;
    this.title = title;
    this.author = author;
}

/** And now the getters **/

Book.prototype.getISBN = function () {
    return this.isbn;
}

Book.prototype.getTitle = function () {
    return this.title;
}

Book.prototype.getAuthor = function () {
    return this.author;
}

If your class has attributes that are not passed as constructor arguments, you can declare the attribute just like we did for the methods:

Book.prototype.numTimesRead = 5;

//a setter
Book.prototype.setNumTimeRead = function (n) {
    this.numTimesRead = n;
}

Now if we wish to instantiate our class, it’s identical to most OO languages:

var mybook = new Book("123", "Dive into Python", "Mark Pilgrim");

//I tried to output this the ugliest way possible :P
document.getElementsByTagName("body").innerHTML = "Title: "+mybook.getTitle();

This will (pwn your body element) print the Book title, you can add any other info as you wish.

You may find more on object oriented programming with Javascript at the Mozilla’s Developer site.

I was thinking about writing a post on Extreme Programming, but I’ve just found a very good video of a lecture on the subject by Richard Buckland, that explains it the best way possible and with some humor. So here’s the video:

This is a highly recommended video for those that want to learn about Extreme Programming and Unit Tests.

Video Link: http://youtube.com/watch?v=XP4o0ArkP4s

This is definitely a tool of great convenience, but like almost everything in life, has a drawback. Actually, two drawbacks. First, spammers, phishers and alike are using this service to mask the URL of their malicious website so that when someone sees the link, feels comfortable about clicking it, and unaware of what’s coming. And second, it’s slowly building a “broken” web, because if this kind of services disappear, a good portion of links on the web won’t work anymore. And this can’t be good.

Against the first drawback, TinyURL has a feature that allows you to send a preview link instead of an instant redirection one, but it’s hardly used by anyone.

Some time ago, I developed a small online tool that unveils every tinyurl that is sent to it. But its usefulness is almost none, since no one will bother to visit another website just to unveil the tinyurl’s target. So, to simplify that process, I’m developing a Firefox Extension that integrates with the tool, so that when you visit a tinyurl, before that url is loaded, is passed trough the reverser and the target is shown on a confirmation popup or just a tooltip.

While the extension is not ready, I leave you here a small example of how to reverse a tinyurl in PHP. It’s very simple, and straightforward:

function reverse_tinyurl($url){
	$url = explode('.com/', $url);
	$url = 'http://preview.tinyurl.com/'.$url[1];
	$prev = file_get_contents($url);
	preg_match('/redirecturl" href="(.*)">/', $prev, $res);
	return $res[1];
}

Well, or maybe if you prefer Ruby:

require 'rubygems'
require 'net/http'

def reverse_tinyurl(url)
    url_parts = url.split('.com/')
    preview_url = "http://preview.tinyurl.com/#{url_parts[1]}"
    response = Net::HTTP.get_response(URI.parse(preview_url))
    original_url = response.body.scan(/redirecturl" href="(.*)">/)[0][0]
end

Or if you are more of a Python guy/girl:

from lxml import etree

def reverse_tinyurl(url):
    hash = url[url.find(".com/")+5:]
    preview_url = "http://preview.tinyurl.com/"+hash
    parser = etree.HTMLParser()
    tree = etree.parse(preview_url, parser)
    elem = tree.findall('.//a[@id="redirecturl"]')
    if len(elem) == 1:
        return elem[0].get("href")
    return None

This examples should get you started on developing something around this.

I decided to upgrade the ram of my black macbook. I was noticing it getting slower on some more demanding apps, so I upgraded it from 1Gb to 4Gb (2×2Gb) Kingston RAM. Damn it’s fast now! :D

By the way, I decided to post this on the blog and not on Twitter just for a change :P

Here’s an example:

<?php

function foobar ($foo) {
    echo $foo;
    return 0;
}

Most programmers in a file like this, would put a ?> in the end. It’s ok. But in PHP-only files, it’s not recommended.

How come this is a good practice? Well, first of all, the PHP interpreter won’t complain about a missing closing tag. And second, the most important, is that leaving the file without a closing tag will avoid accidental injection of trailing whitespace into the response.

Quoting Zend manual:

The closing tag of a PHP block at the end of a file is optional, and in some cases omitting it is helpful when using include() or require(), so unwanted whitespace will not occur at the end of files, and you will still be able to add headers to the response later. It is also handy if you use output buffering, and would not like to see added unwanted whitespace at the end of the parts generated by the included files.

Off course that there are people radically disagreeing with this. They point out that leaving the PHP tag open is programming lazyness (although I don’t see how anyone can be lazy about writing two characters) and they also state that it’s fear, it’s an “easy and safe solution”. Well the “easy” part it makes some sense, but the “safe” one?! Oh, ok… let’s just fire all the security conscious programmers! Who needs security? Security is bad. Not. PHP already has a very bad reputation because of his kind of attitude.

I’m sure there are better arguments against this, but my opinion is to leave it open, don’t close the tag, it can bring unnecessary problems. It won’t harm your PHP code and won’t make you lose hours trying to debug some invisible white spaces.

What is TwitterPHP? It’s an object-oriented and easy to use PHP library to interact with the Twitter API. It is still in development but it has almost every API feature implemented, which makes it the most complete of it’s kind (at least from what I’ve seen out there, please correct me if I’m wrong). You can do lots of stuff with TwitterPHP, you can write your own client, or bot, or even just use it to display twitter info on your blog or website.

You can check out the Google Code project page and soon I will host the phpdoc online, to make it easier (but it’s already included in the zip file).

Link: twitterphp.googlecode.com

Image taken from here