Two interesting thoughts on design and usability…
“Trying to fix or change something, only guarantees and perpetuates its existence.”
“Tell me and I forget. Show me and I remember. Involve me and I’m yours.”
I like my coffee black, just like my macbook…
After spending some time trying to achieve the design that I wanted for my website, I finally got it, and ended up with an extremely simple one. It’s KISS at its best. I’m not a designer, but I like the result.
I also changed the blog theme to something less heavy to match the website. Most people won’t like it, because of its extreme simplicity, but for me it works just fine. Currently the template is in beta state; some details might change over the next few days. The website is also in beta since “weblog” is the only link that works.
Here’s the link to a group of articles that inspired me, and here’s the link to the website.
Today I went to the first Starbucks in Portugal. I have to admit that although the concept of the store is interesting (you can choose every little detail for your coffee-based drink, muffins, cookies, etc.), this Starbucks is very disappointing. First, it’s in a shopping mall (Alegro in Alfragide). That’s already bad enough to make someone skip it. But even worse, the place is small, very small. There are 10 tables maximum and I thought that it would have wireless, like many other Starbucks. No signs of it.

So besides being something new to try, I don’t see any reason to come back to this Starbucks. I’ll wait for the one in Belém or a better place like Chiado. And wireless would be great, actually it would make the difference, because the coffee is no big deal.
So after my accidental leak of the “not-supposed-to-be-public” episode #0 of the Prt.sc videocast, Vitor and Armando are back with the real first episode of the videocast, now named “alt.prt.sc”.
There are some notorious production improvements. But an iPod version is still missing. Check it out here!
From Mozilla Labs:
Today we’re announcing the formation of a new group that will focus on the research and development of developer tools for the open Web.
We believe that there’s tremendous opportunity for innovation in tools that increase developer productivity, enable compelling user experiences, and promote the use of open standards.
Read the full post here!
Prt.Sc has released the first episode of a Diggnation-like videocast. I’ve watched it today, and besides the homemade feeling in the production, I liked the content and predict some very interesting content in the future.
I’m very pleased to see such initiatives growing in the Portuguese web. A great cheers to Vitor Domingos and Armando Alves for this.
This videocast is only available in Portuguese. Watch it here!
I’ve been away from the blog for some time, thanks to some freelance projects and university projects, so this is almost old news.
Clickjacking is the new buzzword on the web. What is it? It’s supposed to be a new vulnerability that mainly affects websites. It hasn’t been completely disclosed since vendors (Microsoft, Mozilla, Adobe, etc.) have asked for some time before disclosure. Patching every website on the web is definitely an impossible mission, so, browsers will be patched in order to solve this possible threat.
You can check here and here for details about clickjacking from RSnake’s blog, one of the two researchers that found this.
Update: Here’s the proof of concept video of clickjacking and webcam hijacking in Adobe Flash.
Update 2: A nice post from gnucitizen about this.
Everyone knows that almost every login form on a website has a “remember me” option that stores a cookie in your browser, allowing you to access the site without entering the username and password. Although this might be very convenient, it makes a common threat on the web much more likely to succeed. I’m talking about CSRF (Cross Site Request Forgery).
I write this post under the inspiration of Jeff Atwood’s article about CSRF. I highly recommend reading it as an introduction to my post, and also every other article by Jeff.
So, many people use the “remember me” option in sites like Gmail, etc. Let’s imagine a simple case. You are using a forum, and you *don’t* check the “remember me” option. You leave the forum open in a tab, while browsing other sites in other tabs. In this case, you are temporarily vulnerable to CSRF, as long as the session in the forum remains active, and if the forum doesn’t have any anti-CSRF measures. Now, if you check the “remember me” option, you will be vulnerable even with the forum tab closed, because your authentication cookie remains in the browser, valid and… forever (at least until you clear the cookies or log out). That means if you visit a website that has a form or a link that executes some sort of a POST or some other action in the forum, it will be executed as your user.
In my example, maybe a forum isn’t really something worth being paranoid about when it comes to CSRF or other types of attacks, or maybe it is; it’s up to you to judge that. But a web-based email service or an online shopping website definitely is.
So it’s really important for web developers to take this issue into consideration when developing web applications, even knowing that it will only fix a hole in a net (the HTTP protocol wasn’t designed for this). You can find some measures to protect your website against CSRF in Jeff’s article. Users should also be aware of these threats when using websites or applications with sensitive and personal content, because relying on every web developer’s security expertise puts them at risk.
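To make the “anti-CSRF measures” mentioned above concrete, here is an added example (not code from this post or from Jeff’s article) of a per-session form token checked on every state-changing POST, together with a remember-me cookie that carries the `SameSite` attribute. The function names, the in-memory `SESSIONS` store and the 30-day lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
SESSIONS = {}                          # hypothetical store: cookie value -> user


def login(username, remember_me):
    """Create a session; return (cookie value, Set-Cookie header)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    attrs = ["HttpOnly", "Secure", "SameSite=Lax"]
    if remember_me:
        # Persistent cookie: it outlives the tab, so forged requests stay
        # authenticated until logout or expiry (30 days assumed here).
        attrs.append("Max-Age=2592000")
    return sid, "sid=" + sid + "; " + "; ".join(attrs)


def csrf_token(sid):
    """Token the site embeds in every form it renders for this session."""
    return hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()


def handle_post(cookies, form):
    """Process a state-changing POST; return (status, message)."""
    sid = cookies.get("sid", "")
    user = SESSIONS.get(sid)
    if user is None:
        return 401, "not logged in"
    # The browser attaches the cookie by itself, whichever site triggered
    # the request; the token is only present in forms our own pages served.
    sent = form.get("csrf_token", "")
    if not hmac.compare_digest(sent.encode(), csrf_token(sid).encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"post created by {user}"


if __name__ == "__main__":
    sid, header = login("alice", remember_me=True)
    print(header)
    # Submission from the forum's own form: cookie and token both present.
    print(handle_post({"sid": sid}, {"body": "hi", "csrf_token": csrf_token(sid)}))
    # Request triggered from another site: cookie present, token absent.
    print(handle_post({"sid": sid}, {"body": "spam"}))
```

The cookie alone is never enough to authorize the action, so a long-lived “remember me” cookie no longer widens the CSRF window by itself.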