Home of Doug Gibson, full life cycle ColdFusion web/application developer

About Doug Gibson

I am a full life-cycle ColdFusion web developer, metalhead, and proud father of two. dgibson.net is my personal site, blog, and portfolio.

Read more about me

Latest Articles and Blog Posts

Web Typography and Fonts Still Being Discussed

posted Aug 27, 2008 at 11:23:08 PM by Doug Gibson.

With all the recent activity around typography on the web and font embedding, this College Humor video (after the jump) was timed perfectly (or at least my friend's sending me the link the other week was). I can't believe that someone would put this amount of effort into a video about fonts, but it is very well done and chock full of geek humor.

Continue reading "Web Typography and Fonts Still Being Discussed."

On Coldfusion And SQL Injection Attacks

posted Aug 19, 2008 at 10:35:35 PM by Doug Gibson.

To follow up on my previous message about my site, Metalunderground.com, being "hacked," I thought I'd go into more detail on the attack and what web developers and site owners can do against it. To clarify, I put quotes around "hacked" because it's not really so much hacking as it is a scripted attack, perpetrated by some script kiddie in China, not a "real hacker."

If I hadn't been so busy of late, I'd have noticed the many blog posts about SQL Injection attacks hitting ColdFusion sites. It seems a similar attack swept through MySQL-powered sites earlier in the year, but the recent bout of attacks affecting ColdFusion sites using MS SQL Server hit hard in July, with a few as early as June from what I have read. There's a particularly nasty version of the attack (seemingly perpetrated largely by a botnet) that appends a cross-site scripting (XSS) payload to EVERY varchar, nvarchar, text and ntext column in your database. Doing so not only corrupts your data, but can cause permanent data loss that no cleanup can undo (for example, when the appended payload pushes a value past the column's length limit and the original content is truncated).

Fortunately, the attack on Metalunderground.com appears to be more targeted. The attacker injected a 24KB payload of XSS and spam links into each of nearly 40,000 news records. The focus of the injection actually made finding the problem very difficult.

To reiterate what's been said around the ColdFusion development community, absolutely make sure you use CFQUERYPARAM on EVERY variable going into your queries - especially URL, FORM, SESSION, COOKIE and CGI variables, all of which the client can tamper with. You might as well make it standard practice across the board, because variables in the local, request, or other scopes are often populated from cookies or sessions in application code, so any tampering trickles down into those scopes as well.

Also, do not rely on the CFADMIN checkbox for "Global script protection" or any other built-in security. I've always been very skeptical of the built-in protection in ColdFusion or any other black-box code like this, and for good reason. Global script protection is a keyword blacklist aimed at a handful of HTML tags in incoming scopes, not a SQL parser. This particular attack uses a DECLARE statement and an encoded SQL payload, so it never matches the catch-words that would invoke the protection.
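To make the CFQUERYPARAM advice concrete, here is the vulnerable pattern beside the parameterized form. This is an added illustration, not code from the original post or from Metalunderground.com; the datasource name, the news table, its columns and the session/cookie variables are assumptions made for the example.

```cfml
<!--- Added example, not from the original post. Assumes a datasource "metal"
      and a table "news" with columns news_id (int), title (nvarchar),
      body (ntext), author_id (int) and site (varchar). --->

<!--- VULNERABLE: url.id is concatenated straight into the SQL string.
      A request such as ?id=5;DECLARE%20@s%20VARCHAR(4000)... runs the
      attacker's batch after the SELECT, which is how a payload ends up
      appended to text columns across the whole database. --->
<cfquery name="getNewsBad" datasource="metal">
    SELECT news_id, title, body
    FROM news
    WHERE news_id = #url.id#
</cfquery>

<!--- HARDENED: cfqueryparam binds the value as a typed parameter, so the
      driver never interprets it as SQL. A non-integer value throws a
      ColdFusion error before the query runs instead of being executed. --->
<cfquery name="getNews" datasource="metal">
    SELECT news_id, title, body
    FROM news
    WHERE news_id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>

<!--- Same rule for every other scope. Values from SESSION and COOKIE are
      still attacker-influenced: cookies are sent by the client, and session
      values are frequently set from earlier form input. maxlength rejects
      over-long strings outright, which stops multi-kilobyte payloads. --->
<cfquery name="searchNews" datasource="metal">
    SELECT news_id, title
    FROM news
    WHERE title LIKE <cfqueryparam value="%#form.q#%" cfsqltype="cf_sql_varchar" maxlength="120">
      AND author_id = <cfqueryparam value="#session.userId#" cfsqltype="cf_sql_integer">
      AND site = <cfqueryparam value="#cookie.site#" cfsqltype="cf_sql_varchar" maxlength="32">
</cfquery>
```

The important property is that a bound parameter is sent to SQL Server separately from the statement text, so no amount of encoding, DECLARE statements or comment tricks in the value can change the shape of the query; the keyword-based script protection offers no such guarantee.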

Read on to learn from my experience gained from this attack.

Continue reading "On Coldfusion And SQL Injection Attacks."

Metalunderground.com Gets "Hacked"

posted Aug 4, 2008 at 09:27:13 AM by Doug Gibson.

If you were visiting Metalunderground.com and you're seeing this message on my personal/web development blog, it's because I'm working on cleaning the corrupted data from a SQL injection attack. Some of the data in our database was corrupted, but Metalunderground.com will be restored and back online today, Monday, August 4. More details soon.

Thanks for your patience.

Debunking The "Build It And They Will Come" Myth

posted Jul 30, 2008 at 12:35:32 AM by Doug Gibson.

One thing that's slowly been beaten into me from recent reading (books and blogs) is the importance of marketing.

As a developer, I've had bad experiences with marketing and sales people. They have been the ones who make promises, whether related to features or delivery deadlines, that the developer then has to deliver. Often they don't even have a clue about the technical aspects of a project and are talking out of their ass. Not to mention these people just seem to talk too much for the taste of an introverted developer such as myself. So perhaps I ignored those skills, and marketing and sales as a whole, for some time as a result.

But as a freelancer or web entrepreneur, there's really no choice but to learn how to market - market yourself, your services, your products, your web properties, etc.

Continue reading "Debunking The "Build It And They Will Come" Myth."

Just Say No To Kirby's Free Carpet Shampoo

posted Jul 6, 2008 at 04:33:21 PM by Doug Gibson.

I got a call a week or so ago offering a free carpet shampoo for one of my rooms. I usually do not deal with these marketing people or listen to their offers at all. But this seemed simple enough and didn't require much of a commitment on my part, especially since I work from home. I realized I would probably have to sit through a sales pitch, but that wouldn't be a big deal since the appointment was set near lunch time.

The person on the phone who set this up did not elaborate any further than to confirm that I would have to listen to a sales pitch. I had no idea what the company did, but assumed that they were a service company.

Kirby Sells VERY Expensive Vacuum Cleaners

When the appointment came, I learned they were selling Kirby vacuum cleaners. I knew they would be expensive, but it wasn't until the end that I learned that these were $1,600 vacuum cleaners! If you aren't interested in a $1,600 vacuum cleaner, then take my advice and don't ever set up one of these appointments. The two and a half hours-plus wasted on this demo was not worth the free carpet shampoo by any means.

Continue reading "Just Say No To Kirby's Free Carpet Shampoo."