How I migrated my homepage away from Google+

Previously, I was using the Google+ API to fetch my posts as JSON and render them on my homepage using a custom template. Now that Google+ is going away, I had to find another solution.

Available sources

So I investigated which sources have good APIs that you can use:

• Facebook: Unfortunately no API to access posts of a profile. You can only access posts of a page.
• Instagram: Public posts are available, and you can convert them to RSS using e.g. Queryfeed.
• Twitter: Can also be exported to RSS via Queryfeed and others.
• Blogger: Exports RSS and Atom, obviously.

Combining sources

I found RSS Mix to be a very easy way to combine multiple feeds. I'm now combining my Instagram and Blogger feed.

Rendering to HTML

On my website I now download that combined feed using feedparser and render the feed using a Jinja2 template. Et voilà, goodbye Google+!

This is probably better anyway, as I stopped posting to G+ a long time ago and my stream got stale. So my homepage should look a little more up to date now!

How to show only top stories in Feedly

I haven't had internet for two weeks but still wanted to know roughly what was going on in the world during my vacation.

I use Feedly to read news, but obviously it was exploding and catching up wouldn't make any sense.

As I couldn't find an option in Feedly to only show top stories above a certain recommendation threshold I rolled my own using jQuery. Just type this in the Browser's console:

// Load jQuery.
script = document.createElement('script')
script.src = '//ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js'
document.head.appendChild(script)
// Hide all articles below 100 recommendations.
$('.u0Entry').not($('.nbrRecommendations').filter(function(i) { return parseInt(this.textContent.replace('K', '000')) >= 100 }).parents('.u0Entry')).hide()

You will have to trigger a scroll to load more articles and filter again. So it's not fully automated, but definitely helps when trying to catch up on some news!

How to convert a series of photos into a video

Actually rather simple:

• Rename the pictures to have consecutive filenames. I used muCommander, sorted by date, and used the batch rename tool.
  
• Turn them in the right position, scale them and place them on a black background:
  

  mogrify -background black -auto-orient -resize "960x720>" -extent "960x720" -gravity center -format PNG *.jpg
  

• Convert the pictures into a video:
  
  

  mencoder "mf://*.PNG" -mf fps=9.2 -ovc lavc -lavcopts vcodec=mjpeg:vhq:vqscale=2 -oac copy -audiofile Breakeven.mp3 -o movie.avi
  

• Profit!
  

The final result:

Mexican Fire Bean Soup (Actually not as spicy as the name, for 20-24 people)

Wondered what that awesome soup was on my parties?

Here's the recipe!

Prepare/add in that order:

400g	Onions. Fry with 200g butter.
280g	Tomato puree and some Paprika powder.
400g	Red and green peppers.
150-400ml	Sweet Chilli sauce. Try less first, maybe add more as you like.
2l	Meat stock.
1l	Sweet cream bound with 4 table spoons of flour.
4	Cans of red beans.
2	Cans of sweetcorn.
1kg	Lean pork or beef. Cut in slices, fry with salt and pepper, add it.

Maybe add a little starch if it's too thin for your taste.

Serve with 0.5l sour cream.

Short URLs are so 2008. Long URLs for the win!

Do you find it annoying when you receive URLs which are completely meaningless? http://news.cnet.com/8301-1023_3-10191283-93.html? http://news.bbc.co.uk/2/hi/technology/7894516.stm? http://books.slashdot.org/books/09/02/18/1423251.shtml? http://bit.ly/GH4Cn?

How many times have you clicked on a link and would've known from the web page's title that it's not of interest to you or that you've even read it already? That happens a lot to me and so I present the solution: longr.us.

It's simple: You enter a website, and get a URL that contains the page's domain name, title and optionally an excerpt of its content. If you now share that descriptive URL the recipients will me much happier receiving it instead of the cryptic original URL.

The URLs above will be converted to these much more descriptive URLs:

• http://longr.us/news.cnet.com/schmidt-google-unlikely-to-buy-twitter-soon-digital-media


• http://longr.us/news.bbc.co.uk/technology-second-google-phone-is-unveiled


• http://longr.us/books.slashdot.org/collective-intelligence-in-action


• http://longr.us/google.com/google

Also, everybody seems to create URL shortening services at the moment. A URL enlarging service is just the next logical step!

Summary: Descriptive URLs are nice, but unfortunately not every website uses them. longr.us fixes that.

Oh, by the way, there is a bookmarklet for the service, too: Long "R" Us

FOWA Dublin Notes: Doing a Startup in the Real World - by David Heinemeier Hansson (37signals)

This was the last and probably most enthusiastic presentation. It was really good fun watching David's talk.

Fuck the real world

A lot of ideas "will not work" in the real world — or at least most of the people will tell you that they won't.
On of David's example was that a few years ago Java and PHP dominated the market for web application development and "in the real world" out wouldn't work challenging them. Despite that, he wrote Ruby on Rails anyway and it was a huge success.

Too simple

Often people will say that it's not worth implementing seemingly trivial tools. David's counter-example are the 37signals applications which are dead simple. And in fact a lot of people have simple problems and appreciate simple solutions to them.

Another example was the camcorder. This "problem" seems to be solved for years and it seems to be impossible to challenge the big players with years of experience in that area. Until tiny cameras with nothing more than a USB port conquered the world and were sold millions of times.

No plans

You need good plans to get things done and working.

Wrong! You cannot predict the future. Plans are often obsolete very early and rarely ever work out. 37signals products are very successful without any business plan.

Say no

"No we're not going to implement your feature request".

Yes, you should listen do your customers, but you need to be able to say "No!". Otherwise you not only spend much more time and money but also risk to lose the focus of your product.

All rock stars

To have a successful company you need to hire rock stars.

That's not the case according to David. There are no rock stars! What counts is a rock star environment, where everyone can live up to their potential. Trust your employees, give them responsibility, they are not stupid!

Easy domain

Simple tools are too simple to imitate and it's likely that a big company will copy it and win the battle because of their enormous resources.

In fact, easy tools are not necessarily easy to develop. Simplicity is very hard to achieve. Even the biggest companies often have a hard time challenging a well done, simple product.

Pitch the killer idea

It's all about the idea!

No, it's not. Successful businesses are much more than just an idea.

An idea is so small part of a business that it's almost a rounding error.

David Heinemeier Hansson

FOWA Dublin Notes: Web application security horror stories - by Simon Willison

XSS

Simon started his both entertaining and informative presentation by talking about the probably most commonly known Web Security threat: Cross Site Scripting (XSS).

An XSS attack is possible when others can inject JavaScript into your page (e.g. via forms or URLs). The attacker is then able to perform virtually any action on the attacked site, just as if they were you.

Myspace Worm

The MySpace Worm was a result of an error in the sanitization of user-provided HTML. The injected code caused the visitor to add a friend request to the attacker and put the attacker's code on the victim's page as well. That way, the attacker had more than a million friend requests after 20 hours, finally bringing MySpace down.

Google UTF-7 hole

A missing character encoding header in Google's redirect pages allowed the users to inject a string into the page which caused Internet Explorer to interpret it as UTF-7 content and execute included JavaScript.

Don't trust CSS

CSS is not executable, is it? Well, you can include active components into CSS by using HTC in Internet Explorer or XBL in Mozilla. Also a position: absolute hack allowed an attacker to steal 30,000 MySpace accounts.

SQL injection

You never ever glue user-provided strings together with your SQL queries. Instead, use parameterized queries or an ORM. This is much safer and also easier to maintain.

A nice variation is to use SQL injection to create a mass XSS: You can insert JavaScript into a database which will then be potentially displayed on every page of the attacked website.

CSRF

Cross Site Research Forgery is probably one of the most wide-spread vulnerabilities as a lot of developers are not aware of it or don't care about it. If you haven't taken any action to prevent CSRF your site is most likely vulnerable to it. Popular examples are the Digg-exploit (a self-digging page) and the Gmail filter hack.

Just using POST requests for your forms doesn't help. Instead, you have to use hard to guess transaction tokens which the server checks for every action. This, of course, can be useless if your site has an XSS vulnerability as the attacker can then steal your token.

Clickjacking

Clickjacking is tricking the user into clicking on a certain link or button. This can be done for example by showing a button which to user wants to click on (e.g. in a game) with an Iframe that has the CSS opacity: 0.0. That way, the Iframe will actually receive the click although it's not visible to the user. The Twitter Don't Click This hack was an example for a Clickjacking attack.

You can prevent this attack by using JavaScript to check whether your page runs in an Iframe. Unfortunately there is no standard way to prevent this when the user has JavaScript turned off, what makes this attack quite dangerous.

Insecure admin accounts hack

The recent Twitter hack was actually caused by a dictionary attack on a popular user's password. The password was "happiness", the user was a Twitter employee with admin access. So you should make sure that admin accounts get an extra protection like limiting the access to users on your local network only.