security
Auth/ACL implementation strategies
by chance on Aug.09, 2010, under development, php, security, theory crafting, zend
I'm going to talk more about ACLs than Auth. Auth is simple; it's the ACL that will trip you up. Since both concepts are coupled together when you're making a login system, I feel it's appropriate to at least touch on Auth. What I want to cover is the ways we can create the ACL object to suit needs based on the scale of the project. I'm going to assume that readers have a passing familiarity with using the Auth and Acl objects and may have even implemented them in projects.
openid seems to hate me
by chance on Feb.12, 2009, under security, twitter
been trying to comment on Chris Shiflett's post on the twitter "Don't Click" debacle and can't seem to get authenticated through openid. so having to post my reply here (below).
caveat: i'm not an expert on anything and a n00b at a lot of things
liked the article, however I want to disagree that it isn't a csrf attack since "The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have authenticated" (according to wikipedia [oh no, i'm that guy. *sigh*]). @ramsey said it didn't affect him because he wasn't logged in on the website.
It seems to me that it used clickjack ui redressing to carry out the authentication exploit.
Want to know the funny thing? The only reason I logged into the website was to follow @shiflett.
SXSW
by chance on Aug.20, 2008, under php, security, web dev
So after reading this post, I want to go. There's a list of other things that seem interesting too. At a glance this guy seems cool and oddly familiar. The name reminds me of some of the DJs I knew in PBS when I was at Purdue. So if anyone is going, vote for them. I want to hear audio on this at the very least.
