OAuth Explained: Secure API Integration

OAuth is a relatively new open authentication protocol that allows secure API communication without the necessity of continually passing a username and password with each request. The idea for OAuth was conceived in 2006 by a group of individuals working on the Twitter implementation of OpenID. After reviewing both OpenID and other existing industry practices, such as Amazon Web Services API and Flickr API, it was decided that a proposal should be written for a new open protocol for application authentication. The movement quickly gathered momentum, with support heralded by Google, and in July 2007 an initial specification was drafted. We find ourselves using OAuth Core 1.0a today, with a new 2.0 spec being drafted.

How Does It Work?

Here’s a real-world example — one that you may have already come across and not even known it.

Let’s follow the OAuth path of how foursquare sends tweets on your behalf:

  • foursquare has initially registered themselves as an “application” with Twitter. In doing so, they’re provided with a token set called “consumer key” and its paired “consumer key secret.” These are used by foursquare in their application code and as a part of the OAuth model in generating requests.
  • From a user perspective, when you log in to foursquare and click the “please link my Twitter account” button, foursquare uses its consumer key to contact Twitter and generate a “request token.” You’re then provided with a special URL that whisks you off to Twitter’s website.
  • If you aren’t already logged into Twitter, you’ll be prompted to just like always, and then presented with a screen that asks if you’d like to provide said application with access to your account.
  • Clicking “Allow” tells Twitter that this app (foursquare) which has requested access using its particular consumer key should have access to your Twitter account. Twitter then redirects you back to your application (the foursquare website) with an attached coded verification string.
  • The foursquare application then reads the previously generated request token, and takes the returned verification to ask Twitter to generate a final token set called “access token” and “access token secret.”
  • Now when you perform an action on foursquare and it’s tweeted, foursquare calls the Twitter API by creating a request using its Twitter-provided consumer key and the newly stored access token for your account.

And amid all of this, your Twitter username and password are never seen, let alone stored, by foursquare.
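The piece that makes the last step work is the request signature: each API call is signed with HMAC-SHA1 over a canonical form of the request, keyed by the consumer secret and the access token secret, so the server can check that the caller holds both secrets without either one ever crossing the wire. The following is an added example in Python that follows RFC 5849 (OAuth 1.0a); it is not code from the original post, from Twitter or from foursquare. The consumer key, tokens, secrets and endpoint used in the main block are constructed placeholders; the only real values are those of the worked example in RFC 5849 section 3.4.1.1, which rfc5849_example_base_string() reproduces so the canonicalization can be checked against the specification.

```python
"""OAuth 1.0a request signing and verification with HMAC-SHA1 (RFC 5849).

Added example; the credentials and endpoint used in main() are constructed placeholders.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 3986 percent-encoding: only A-Z a-z 0-9 - . _ ~ stay unencoded, hex digits uppercase."""
    return quote(str(value), safe="")


def base_uri(url):
    """Lowercase scheme and host, drop default ports, strip query string and fragment."""
    parts = urlsplit(url)
    scheme, host, port = parts.scheme.lower(), parts.hostname.lower(), parts.port
    if port and port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}{parts.path or '/'}"


def signature_base_string(method, url, oauth_params, body=""):
    """Method & encoded base URI & encoded, sorted parameter string (RFC 5849 section 3.4.1)."""
    pairs = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    pairs += parse_qsl(body, keep_blank_values=True)  # only form-encoded bodies take part
    # realm and oauth_signature never enter the base string
    pairs += [(k, v) for k, v in oauth_params.items() if k not in ("oauth_signature", "realm")]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)  # sort by encoded name, then encoded value
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_uri(url)), pct(normalized)])


def sign(base_string, consumer_secret, token_secret=""):
    """HMAC-SHA1 keyed with 'consumer_secret&token_secret' (token secret is empty before a token exists)."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode("ascii")
    digest = hmac.new(key, base_string.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def build_oauth_params(consumer_key, consumer_secret, method, url,
                       token="", token_secret="", body="", nonce=None, timestamp=None):
    """Client side (foursquare in the article): assemble the oauth_* parameters and sign them."""
    params = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),  # fresh per request; lets the server reject replays
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp or int(time.time())),
        "oauth_version": "1.0",
    }
    if token:  # absent on the very first (request token) call
        params["oauth_token"] = token
    params["oauth_signature"] = sign(signature_base_string(method, url, params, body),
                                     consumer_secret, token_secret)
    return params


def authorization_header(oauth_params):
    """Render the parameters as the value of an Authorization: OAuth header."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


def verify_signature(method, url, oauth_params, consumer_secret, token_secret="", body=""):
    """Server side (Twitter in the article): recompute the signature and compare in constant time."""
    expected = sign(signature_base_string(method, url, oauth_params, body), consumer_secret, token_secret)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))


def rfc5849_example_base_string():
    """Worked example from RFC 5849 section 3.4.1.1; these values come from the RFC, not from this article."""
    oauth_params = {
        "oauth_consumer_key": "9djdj82h48djs9d2",
        "oauth_token": "kkk9d7dh3k39sjv7",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "137131201",
        "oauth_nonce": "7d8f3e4a",
    }
    return signature_base_string("POST", "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b",
                                 oauth_params, body="c2&a3=2+q")


if __name__ == "__main__":
    # Constructed placeholder credentials and endpoint, not real Twitter values.
    url = "https://api.example.test/1/statuses/update.json"
    params = build_oauth_params("consumer-key", "consumer-secret", "POST", url,
                                token="access-token", token_secret="access-token-secret",
                                body="status=Checked+in")
    print(authorization_header(params))
    print(verify_signature("POST", url, params, "consumer-secret", "access-token-secret",
                           body="status=Checked+in"))
```

Two properties of the design are worth noticing. The signature covers the method, the URL and every parameter, so a captured request cannot be replayed against a different endpoint or with changed parameters, and the nonce and timestamp let the server refuse an exact replay. The key is the pair of secrets, so a leaked access token alone is useless without its secret, and the same token never lets the application learn the user's Twitter password.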

By the way, the best graphical representation of this process I’ve found is documented here by Digg.

Useful WordPress Security Tweaks

WordPress templates are a wonderful way to get started and maintain a website with minimal hassle. It is important, however, to use plug-ins and tweaks to get the most out of the site, as well as to ensure that the site is secure and provides the best experience for your visitors.

Great suggestions from an article by Jean-Baptiste Jung

Security has always been a hot topic. Offline, people buy wired homes, car alarms and gadgets to bring their security to the max. Online, security is important, too, especially for people who make a living from websites and blogs. In this article, we’ll show you some useful tweaks to protect your WordPress-powered blog.

1. Prevent Unnecessary Info From Being Displayed

The problem
When you fail to log into a WordPress blog, the CMS displays some info telling you what went wrong. This is good if you’ve forgotten your password, but it might also be good for people who want to hack your blog. So, why not prevent WordPress from displaying error messages on failed log-ins?

The solution
To remove log-in error messages, simply open your functions.php file, and paste the following code:

add_filter( 'login_errors', function ( $message ) {
	// Discard the real error message and return null, so nothing is displayed.
	return null;
} );

Save the file, and see for yourself: no more messages are displayed if you fail to log in.

Code explanation
With this code, we’ve added a simple filter to the login_errors hook, which is applied to the error message before it is displayed. Because the custom function that we attached returns only null, the message displayed will be a blank string.


2. Force SSL Usage

The problem
If you worry about your data being intercepted, then you could definitely use SSL. In case you don’t know what it is, SSL is a cryptographic protocol that secures communications over networks such as the Internet.

Did you know that forcing WordPress to use SSL is possible? Not all hosting services allow you to use SSL, but if you’re hosted on Wp WebHost or HostGator, then SSL is enabled.

The solution
Once you’ve checked that your Web server can handle SSL, simply open your wp-config.php file (located at the root of your WordPress installation), and paste the following:

define('FORCE_SSL_ADMIN', true);

Save the file, and you’re done!

Code explanation
Nothing hard here. WordPress uses a lot of constants to configure the software. In this case, we have simply defined the FORCE_SSL_ADMIN constant and set its value to true. This makes WordPress require SSL for the log-in page and the whole admin area.


3. Use .htaccess To Protect The wp-config File

The problem
As a WordPress user, you probably know how important the wp-config.php file is. This file contains all of the information required to access your precious database: username, password, server name and so on. Protecting the wp-config.php file is critical, so how about exploiting the power of Apache to this end?

The solution
The .htaccess file is located at the root of your WordPress installation. After creating a back-up of it (it’s such a critical file that we should always have a safe copy), open it up, and paste the following code:

<Files wp-config.php>
  # Apache 2.2 directives; on Apache 2.4 use "Require all denied" instead
  Order allow,deny
  Deny from all
</Files>

Code explanation
.htaccess files are powerful and one of the best tools to prevent unwanted access to your files. In this code, we have simply created a rule that denies all HTTP access to the wp-config.php file, thus ensuring that no browser or evil bot can fetch it. PHP itself still reads the file from disk as usual, so the blog keeps working.


4. Blacklist Undesired Users And Bots


The problem
This is as true online as it is in real life: someone who pesters you today will probably pester you again tomorrow. Have you noticed how many spam bots return to your blog 10 times a day to post their annoying comments? The solution to this problem is quite simple: forbid them access to your blog.

The solution
Paste the following code in your .htaccess file, located at the root of your WordPress installation. As I said, always back up the .htaccess file before editing it. Also, don’t forget to change 123.456.789 to the IP address you want to ban.

<Limit GET POST PUT>
  Order allow,deny
  Allow from all
  # Replace 123.456.789 with the IP address you want to ban
  Deny from 123.456.789
</Limit>

Code explanation
Apache is powerful and can easily be used to ban undesirable people and bots from your website. With this code, we’re telling Apache that everyone is allowed to visit our blog except the person with the IP address 123.456.789. Note that the <Limit> wrapper restricts the rule to GET, POST and PUT requests; other request methods are not covered by it, so drop the wrapper if you want the ban to apply to every request.

To ban more people, simply add another Deny from line for each additional IP address, as shown below:

<Limit GET POST PUT>
  Order allow,deny
  Allow from all
  # One Deny from line per address to ban; replace these placeholders
  Deny from 123.456.789
  Deny from 93.121.788
  Deny from 223.956.789
  Deny from 128.456.780
</Limit>


5. Protect Your WordPress Blog From Script Injections

The problem
Protecting dynamic websites is especially important. Most developers always protect their GET and POST requests, but sometimes this is not enough. We should also protect our blog against script injections and any attempt to modify the PHP GLOBALS and _REQUEST variables.

The solution
The following code blocks script injections and any attempts to modify the PHP GLOBALS and _REQUEST variables. Paste it in your .htaccess file (located in the root of your WordPress installation). Make sure to always back up the .htaccess file before modifying it.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Code explanation
Using the power of the .htaccess file, we can check requests. What we’ve done here is check whether the request contains a <script> and whether it has tried to modify the value of the PHP GLOBALS or _REQUEST variables. If any of these conditions are met, the request is blocked and a 403 error is returned to the client’s browser.


6. Fight Back Against Content Scrapers

The problem
If your blog is the least bit known, people will no doubt try to use your content on their own websites without your consent. One of the biggest problems is hot-linking to your images, which saps your server’s bandwidth.

The solution
To protect your website against hot-linking and content scrapers, simply paste the following code in your .htaccess file. As always, don’t forget to back up when modifying the .htaccess file.

RewriteEngine On
# Replace mysite\.com with your blog's domain (http and https referrers are both accepted)
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
# An empty referrer (direct visits, some privacy settings) is still allowed
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the replacement image itself, or the rule would loop on it
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image URL
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]

Once you’ve saved the file, only your website will be able to link to your images. Other websites will automatically display the nohotlink.jpg image. Note that you can also specify a non-existent image, so websites that try to hot-link to you would display a blank space.

Code explanation
With this code, the first thing we’ve done is check the referrer to see that it matches our blog’s URL. If it doesn’t (and the referrer isn’t empty, as it is for visitors who type the address directly), and the file has a JPG, GIF, BMP or PNG extension, then the nohotlink image is displayed instead.


7. Create A Plug-In To Protect Your Blog From Malicious URL Requests


The problem
Hackers and evil-doers often use malicious queries to find and attack a blog’s weak spots. WordPress has good default protection, but enhancing it is possible.

The solution
Paste the following code in a text file, and save it as blockbadqueries.php. Once you’ve done that, upload it to your wp-content/plugins directory and activate it as you would any other plug-in. Now your blog is protected against malicious queries.

<?php
/*
Plugin Name: Block Bad Queries
Description: Protect WordPress Against Malicious URL Requests
Author: Perishable Press
Version: 1.0
*/

// Run on init, after WordPress has loaded the current user, so current_user_can() is available.
add_action( 'init', 'bbq_block_bad_queries' );

function bbq_block_bad_queries() {
	// Administrators are exempt; everyone else, including anonymous visitors, is checked.
	if ( current_user_can( 'manage_options' ) ) {
		return;
	}

	$request_uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';

	// Strings typical of injection attempts: PHP function names and SQL fragments.
	$bad_patterns = array( 'eval(', 'CONCAT', 'UNION+SELECT', 'base64' );

	$is_bad = strlen( $request_uri ) > 255;
	foreach ( $bad_patterns as $pattern ) {
		// Compare with !== false: strpos() returns 0 for a match at the start of the string, which is falsy.
		if ( strpos( $request_uri, $pattern ) !== false ) {
			$is_bad = true;
			break;
		}
	}

	if ( $is_bad ) {
		@header( 'HTTP/1.1 414 Request-URI Too Long' );
		@header( 'Status: 414 Request-URI Too Long' );
		@header( 'Connection: Close' );
		exit;
	}
}

Code explanation
What this code does is pretty simple. It checks for excessively long request strings (more than 255 characters) and for strings typical of injection attempts in the URI: the names of the eval and base64 PHP functions and the SQL fragments CONCAT and UNION+SELECT. If one of these conditions is met, then the plug-in sends a 414 error to the client’s browser.
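Before deploying filters like the .htaccess rules of tip 5 and the plug-in of tip 7, it is worth checking exactly which requests they catch and which they let through, since a rule that is stricter or looser than you think is hard to notice in production. The following is an added example, not code from the article, Smashing Magazine or Perishable Press: it re-implements both filters in Python (the RewriteCond regexes are PCRE-compatible, so they transfer unchanged) and runs them over a handful of constructed request URIs. The evaluation order mirrors the real stack: Apache's rewrite rules run before PHP, so a request the .htaccess rules reject never reaches the plug-in, and they apply to administrators too, whereas the plug-in exempts them.

```python
"""Offline evaluation of the tip 5 RewriteCond rules and the tip 7 plug-in checks.

Added example with constructed sample requests; it does not talk to a web server.
"""
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from tip 5. [NC] on the first one means case-insensitive;
# the other two are case-sensitive. They are combined with OR, as the [OR] flags say.
SCRIPT_TAG = re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE)
GLOBALS_TAMPER = re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})")
REQUEST_TAMPER = re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})")

# The substrings and length limit checked by the Block Bad Queries plug-in from tip 7.
BAD_URI_SUBSTRINGS = ("eval(", "CONCAT", "UNION+SELECT", "base64")
MAX_URI_LENGTH = 255


def htaccess_verdict(query_string):
    """Return 403 if any RewriteCond matches the query string ([F] flag), else None."""
    if (SCRIPT_TAG.search(query_string)
            or GLOBALS_TAMPER.search(query_string)
            or REQUEST_TAMPER.search(query_string)):
        return 403
    return None


def plugin_verdict(request_uri, is_admin=False):
    """Return 414 if the plug-in would reject the full request URI, else None."""
    if is_admin:  # the plug-in skips users with the administrator capability
        return None
    if len(request_uri) > MAX_URI_LENGTH:
        return 414
    if any(pattern in request_uri for pattern in BAD_URI_SUBSTRINGS):
        return 414
    return None


def evaluate(request_uri, is_admin=False):
    """Apply the .htaccess rules first (Apache runs before PHP), then the plug-in."""
    query = urlsplit(request_uri).query  # RewriteCond looks at QUERY_STRING only
    verdict = htaccess_verdict(query)
    if verdict is None:
        verdict = plugin_verdict(request_uri, is_admin)
    return verdict


# Constructed sample requests: benign ones and ones each filter is meant to catch.
SAMPLE_REQUESTS = [
    "/?s=wordpress+security",                  # ordinary search
    "/?p=123",                                 # ordinary post id
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",   # URL-encoded script tag -> 403
    "/?s=<script>alert(1)</script>",           # literal script tag -> 403
    "/index.php?GLOBALS[foo]=bar",             # attempt to set a PHP global -> 403
    "/index.php?_REQUEST=1",                   # attempt to set _REQUEST -> 403
    "/?q=" + "a" * 300,                        # over-long URI -> 414
    "/?id=1+UNION+SELECT+1,2",                 # SQL fragment -> 414
    "/?data=base64",                           # plug-in substring -> 414
]


def run_samples(is_admin=False):
    """Return (request, verdict) pairs for the constructed samples."""
    return [(uri, evaluate(uri, is_admin)) for uri in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for uri, verdict in run_samples():
        print(f"{verdict or 'pass':>4}  {uri[:60]}")
```

Two things the run makes visible: the .htaccess layer inspects only the query string, so the plug-in is what covers the path part of the URI and the length limit; and because the plug-in exempts administrators while Apache does not, an admin's request carrying a script tag is still refused with 403, which is the behaviour you want from a defence that sits in front of the application.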


8. Remove Your WordPress Version Number… Seriously!

The problem
As you may know, WordPress automatically displays the version you are using in the head of your blog files. This is pretty harmless if your blog is always up to date with the latest version (which is certainly what you should be doing anyway). But if for some reason your blog isn’t up to date, WordPress still displays it, and hackers will learn this vital piece of information.

The solution
Paste the following line of code in the functions.php file of your theme. Save it, refresh your blog, and voila: no more WordPress version number in the header.

remove_action('wp_head', 'wp_generator');

Code explanation
To execute certain actions, WordPress uses a mechanism called “hooks,” which allow you to hook one function to another. The wp_generator function, which displays the WordPress version, is hooked to the wp_head action. We can remove this hook and prevent it from executing by using the remove_action() function.


9. Change The Default “Admin” Username


The problem
Brute force is one of the easiest ways to break a password. The method is simple: try as many different passwords as possible until the right one is found. Users of the brute force method use dictionaries, which give them a lot of password combinations.

But knowing your username certainly makes it easier for them to guess the right combination. This is why you should always change the default “admin” username to something harder to guess.

Note that WordPress 3.0 lets you choose your desired username during installation. This tip is therefore still useful if you still use the old “admin” account from older WordPress versions.

The solution
If you haven’t changed the “admin” username yet, simply run the following SQL query against your database to change it for good. Don’t forget to specify your desired username.

UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';

Code explanation
Usernames are stored in the database. To change one, a simple UPDATE query is enough. Note that this query will not transfer posts written by “admin” to your new username; the original source article shows you how to easily do that.


10. Prevent Directory Browsing

The problem
By default, most hosts allow directory listing. So, if you type www.yourblog.com/wp-includes in the browser’s address bar, you’ll see all of the files in that directory. This is definitely a security risk, because a hacker could see the last time that files were modified and access them.

The solution
Just add the following to your robots.txt file:

# A Disallow rule only takes effect inside a User-agent group
User-agent: *
Disallow: /wp-*

Code explanation
To disallow directory listing, we update our blog’s robots.txt file. Using the * wildcard, we can prevent any directory that starts with wp- from being listed. Keep in mind that robots.txt is only a request that well-behaved crawlers honour; it does not stop a browser from requesting the directory. To actually turn off directory listing on Apache, use the Options -Indexes directive in your .htaccess file.


iPhone & iPad Development Kits GUI Resources

These GUIs are provided from a multitude of sites, including SmashingMagazine, SpeckyBoy, Yahoo Design Library, Freshbooks and others. Please note that they are provided for free, but donations are appreciated to keep the innovation coming and reward those who worked hard to make them available.

I have had great success with the Omnigraffle Ultimate iPhone stencil and am particularly excited to use the iPhone 3 stencils.

To help streamline your iPhone app design and development, here is a fairly comprehensive collection of iPhone & iPad GUI kits that will allow you to focus on developing rather than having to design everything from scratch.
Within this post you will find complete GUI kits and stencils, iPhone GUI elements and PSDs and finally a collection of the best icon sets perfectly suited for the iPhone. (Some of the preview images are intentionally too large, to show as much of each GUI as possible.)

Complete iPhone & iPad GUI Kits Continue reading

How TED Connects the Idea-Hungry Elite

I have published multiple videos and discussions spawned by the TED conference that happens every year in Long Beach, CA.

I find the talks inspiring and the fact that the videos are available to the general public and spawn additional ideas and responses is what makes TED so influential.

An article from FastCompany Online makes mention of several of the best features of TED.

Additionally, they point out some of their favorite videos. I must say that Patti Maes and Pranav Mistry’s Sixth Sense talks still capture my imagination of the future of personal computing. Barry Schwartz’s Paradox of Choice is also very compelling.

1) Jill Bolte Taylor
My Stroke of Insight

2008
When the neuroscientist picks up a human brain with a spinal cord attached, the audience gasps. When she’s done talking about her stroke, they’re crying.

2) Patti Maes and Pranav Mistry
Sixth Sense Demo

2009
The MIT Media Lab researchers debut a spooky Minority Report-style wearable interface.

3) Ken Robinson
Schools Kill Creativity

2006
This highly influential talk spawned a viral 2010 follow-up and made the creativity expert a star; Robinson says he now “gets stopped in airports.”

4) Tony Robbins
Why We Do What We Do

2006
Robbins high-fives Al Gore in this video. “One of the best TED moments of all time,” says TED video chief June Cohen.

5) Elizabeth Gilbert
Nurturing Creativity

2009
The best-selling author bares her struggle to repeat the success of Eat, Pray, Love.

6) Dan Pink
Surprising Science of Motivation

2009
The science proves that intrinsic motivation works better than extrinsic rewards, but your boss doesn’t understand. Pink explains how to tell her.

7) Hans Rosling
The Best Stats You’ve Ever Seen

2006
The Swedish professor dances through a spectacular animation of world development.

8) Benjamin Zander
On Music and Passion

2008
TED hosts performances as well as talks. This blends the two, with Zander at the grand piano.

9) Barry Schwartz
The Paradox of Choice

2006
In a baggy T-shirt, with glasses sliding down his nose, Schwartz gives a profound, witty discourse on why more freedom doesn’t equal more happiness.

10) V.S. Ramachandran
On Your Mind

2007
A brain scientist in a leather jacket tells us how “this 3-pound mass of jelly … can contemplate the meaning of infinity.”

I would also recommend taking a look at several of the best performance videos on TED. (click on TED and select talks re-sized to ‘beautiful’ and related to ‘entertainment’)

Netflix to Stream Films From Paramount, Lions Gate, MGM

I probably watch more streaming films than discs from my Netflix account now. So far, I have been a bit dissatisfied with the number of films available and quite often, they were ‘the films you never heard of.’
Looks like that is about to change (September 1, 2010).
A new deal will give Netflix the right to stream feature films from Paramount Pictures, like “Iron Man 2,” Lions Gate and MGM far earlier than it does now.


At a cost of nearly one billion dollars, Netflix on Tuesday said it would add films from Paramount Pictures, Lions Gate and MGM to its online subscription service.

It was a coup — albeit a costly one — for Netflix, which knows it needs to lock up the digital rights to films as customers stop receiving DVDs by mail and start receiving streams via the Internet. The deal will commence Sept. 1.

Ted Sarandos, the chief content officer for Netflix, said he is essentially taking the “huge pile of money” that Netflix pays in postage for DVDs by mail — about $600 million this year — “and starting to pay it to the studios and networks.”

Wall Street analysts estimated that Netflix would pay about $900 million over the course of five years to Epix, a fledgling competitor to HBO that holds the rights to the film output of Paramount, Lions Gate and MGM. Those payments are expected to help the money-losing Epix break even in the next fiscal year.

The Epix deal will add new releases like “Iron Man” and “The Curious Case of Benjamin Button” to Netflix’s catalog, greatly enhancing the “Watch Instantly” streaming service that the company markets to subscribers as part of an $8.99 package that also includes DVD deliveries. It was the second film deal for Netflix this summer, coming a month after a pact with Relativity Media, the firm run by Ryan Kavanaugh.

Netflix’s open checkbook demonstrates that Internet streaming is clearly coming to the forefront in Hollywood, but in a carefully controlled manner. Mr. Sarandos said in an interview Tuesday that the content deals were part of “our continued commitment to making streaming a better and better proposition for our subscribers.”

Netflix’s future depends in large part on cutting financial deals that keep those streams in place.

The company first took on the likes of Blockbuster with DVDs by mail. Then, in 2007, it set its sights on online streaming, but existing deals with pay TV operators like HBO made it impossible to stream many of the biggest film releases. These deals preserve what is called the pay television window, which opens up about a year after a film is first released in theaters and gives HBO, Showtime or Starz about 18 months of screening (and, more recently, Web streaming) time.

Pay TV arrangements are important contributors to the bottom lines of Hollywood studios, helping them wring more money out of both blockbusters and flops. These arrangements rely on cable and satellite carriers to collect monthly payments.

Accordingly, the movies that were initially available on the “Watch Instantly” service were mostly ones “you’ve never heard of,” Mr. Sarandos said. But the company in 2008 cut an important deal with Starz that allowed access to high-profile films from Sony and The Walt Disney Company. Now it is adding more films through the payments to Epix.

In doing so, it is essentially creating a brand new window for movie viewing, one that does not depend on cable or satellite carriers. “If you own content, you want to sell it to as many people as possible without blowing up your existing revenue streams,” said the Morgan Stanley analyst Benjamin Swinburne.

At the same time, having Netflix in the marketplace puts pressure on cable and satellite providers “because you’ve got another bidder out there,” he said.

The 2-year-old Epix is invisible to most consumers because it has had trouble gaining space on those carriers’ systems. But it is preserving the deals it does have by carving out a three-month TV window for films before they are available to Netflix subscribers.

Jon Feltheimer, the chief executive of Lions Gate, told analysts Tuesday that “by creating this groundbreaking new window for their streaming service, we both protect our traditional MSO customers and create a significant and guaranteed new revenue stream for our service.” MSO is an abbreviation for cable and satellite carriers.

The Los Angeles Times first reported the pending deal on Monday.

Netflix says it prefers to be a distributor for pay TV — not a competitor to it — and wants to license content from HBO and Showtime. HBO has the rights to Fox, Universal and Warner films for at least the next four years.

Asked about the giant amount of content that Netflix was lacking due to HBO’s deals, Mr. Sarandos seemed to take a long-term view. “Every deal expires,” he said, “and every deal has to be renewed.”

some text from NYTimes Online