Clickjacking Still a Threat

Back in 2010, a paper was published entitled "Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites". If you're even remotely interested in web security, I highly recommend reading it if you haven't already. It rips apart a number of myths behind clickjacking mitigation and includes PoCs for each.

What Makes a Good Engineer?

What makes a good software engineer these days?

Ruby's OptionParser Is All You Need

This may be the last text on building command line apps with Ruby you'll ever have to read.

How To Break Most Rails Apps

Since version 1.9, Ruby has had a powerful encoding system that makes working with a number of different encoding standards very easy. Unless you've had to debug an encoding issue, you've probably never even noticed the existence of this system. This is because Ruby uses Encoding.default_internal and Encoding.default_external, which act as options for what you expect your strings to be encoded as. Ruby will automatically try to re-encode, if necessary, any data it gets externally (e.g. file I/O) or internally (e.g. calling #inspect on a string). This makes our lives a lot easier.

If you've discovered that you're vulnerable, here's what you should do.

Session Nightmares With Rails

For those of you that don't know, I'm a software engineer for a niche social network called FetLife. We run a pretty large operation, serving ~2.8 million users, and last week I may have come across the weirdest session bug I've ever spotted in my career.

Hello World

I've decided to move my blog to GitHub and power it with Jekyll. It's easier for me to manage this way.

Fixing ValidatorException in Jenkins

This morning I installed a new Jenkins plugin that called back to an external host. Unfortunately it didn’t work properly and builds began to produce the following entry in our logs:

Running SSHd Securely on OS X Mavericks

OS X has historically come with sshd pre-installed and ready to use. On Mavericks, you can enable it by going to System Preferences -> Sharing and toggling on “Remote Login”. The problem is, this gives you almost no configuration over sshd. You’re stuck with password authentication and running it on port 22.

Introducing Load Balanced Rest Client

I recently open-sourced a project I was working on for FetLife called LoadBalancedRestclient. Basically, it's an alternative to the load balancing solution a lot of engineers employ, where you have a dedicated load balancer daemon running that accepts requests from other services.