This week is the 20th anniversary of one of the world's largest and longest-running hacker conferences, DEFCON.

&yet Security Officer Adam Baldwin will be presenting Friday at 5:30 PM on “Blind XSS (cross-site scripting)”.

Adam’s talk will announce the release of, and demonstrate, the xss.io toolkit. xss.io is a platform that helps ease cross-site scripting (XSS) exploitation. We use this tool to demonstrate to our clients the severity and exploitability of the vulnerabilities we find in their web applications.

Adam will also announce [redacted] during the talk, which will also aid in the exploitation of web applications.

Continue reading »

Futurists tend to see gadgets and computers as assistants to our lives, but they're still just tools. I think we're close; we just need to combine some technologies that already exist and add a little context.

But what's really the problem?

The Problem

Here we are, in the future, and boy is it overwhelming. I have a phone with several hundred "apps", about 400 websites I care about, a desktop at home and a laptop for work, a tablet, and maybe someday I'll have some Google glasses. Do I need all of this? Probably not, but it makes for some easy context. I use each device for different purposes, but what if my devices were more aware of what I was doing?

Continue reading »

Here's a little about &yet.

Our team loves to do great things and get stuff done. We know that doing good work is how you get to do more of what you're passionate about, so we always aim to go above and beyond.

We build products like And Bang, our team collaboration app—and, in doing so, create new tools and techniques that help others do new and innovative work in their products. Disqus, for example, uses Thoonk as a critical piece of its realtime commenting architecture.

We build things and provide consulting for clients, including companies whose names we can't mention but who nonetheless you know well and whose products you're almost certainly attached to all day long.

Continue reading »

The other day, DHH[1] tweeted this:

Forcing your web ui to be "just another client" of your API violates the first rule of distributed systems: Don't write distributed systems.

-- DHH (@dhh) June 12, 2012

In building the new Basecamp, 37signals chose to do much of the rendering on the server side and have been rather vocal about that, bucking the recent trend toward richly interactive, client-heavy apps. They cite speed, simplicity and cleanliness. I quote DHH again:

It's a perversion to think that responding to Ajax with HTML fragments instead of JSON is somehow dirty. It's simple, clean, and fast.

-- DHH (@dhh) June 12, 2012

Continue reading »

This morning I had an epiphany of sorts.

I received yet another recruitment message from a high profile tech company. I'm sure many of you receive lots of them, too. But this time, as I was reading the email, I realized that I can't think of a job offer that would convince me to walk away from my current employer.

Why? I work at a weird company. A company where most of us are pretty happy with our work, our co-workers and our employer most of the time. You see, at &yet, we have discovered that the keys to employee happiness are simple. They are not a set of HR tricks or esoteric geek benefits. Employees are humans, and the keys to our happiness are the keys to human happiness.

I believe that everyone is on this little planet for a reason and is 'wired' to be truly amazing at a handful of things (at least a handful, maybe more). Because of this feature of our existence, we are most likely to be happy if we are able both to discover and to do those things. The chances skyrocket if we can also do them with excellence, companionship, and appreciation.

Continue reading »

Recently, it was disclosed that the npm registry leaked the usernames, salts and SHA-1 hashes of registry users. Essentially, this amounts to a breach of about 4k user accounts.

The issue has since been taken care of, and users are being asked (not forced) to change their passwords. The leaked data has been available for a very long time, probably since the registry started using couch. Everyone should be resetting their passwords. Now.

I first found out about this and notified Isaac on 3/1/2012. I only found out about it because I was looking for potential ways that &! could be compromised.

One of the ways we build our development and production environments is by using npm to install packages. I was curious just how hard it would be to compromise the integrity of packages published to the registry; it turns out, not very. It’s important to point out, however, that npm is meant to be a distribution channel. It’s a free and open service in which anybody can distribute packages. It’s not meant to provide any level of integrity or quality checking. As developers, we are responsible for the code that executes in our environments. Maybe checking verified packages into your project's repository isn’t such a bad idea after all.

Continue reading »

&yet's ops and security guys hash it out in this latest vodcast.

Nathan Lafreniere talks about what's in his devops toolkit, his code deployment process, how ops can help maintain code quality, and his new documentation library, ape.

Adam Baldwin discusses his new Node.js header security library for Express, helmet, a few headers that most apps should be including by default now, and some random bits about realtime security.

Fortunately for you, this particular cut doesn't include Adam singing Russian Unicorn, but it does feature a yeti and Adam doing what he would consider dancing.

Continue reading »

The Problem

When I was at FOSDEM last weekend, I talked to several people who couldn't believe that I would use Redis as a primary database in single-page webapps. When I mentioned that on Twitter, someone said, "Redis really only works if it's acceptable to lose data after a crash."

For starters, read http://redis.io/topics/persistence. What makes Redis different from other databases in terms of reliability is that a command can return "OK" before the data is written to disk (I'll get to this). Beyond that, it is easy to take snapshots, compress append-only log files, and configure fsync behavior in Redis. There are tests for dealing with disk access being suddenly cut off while writing, and steps are taken to prevent this from causing corruption. In addition, you have redis-check-aof for dealing with log file corruption.

Note that because you have fine-tuned control over how fsync works, you don't have to rely on the operating system to make sure that operations are written to disk.

Continue reading »

Because we are huge fans of human namespace collisions and amazing people, we're adding two new members to our team: Adam Baldwin and Nathan LaFreniere, both in transition from nGenuity, the security company Adam Baldwin co-founded and built into a well-respected consultancy that has advised the likes of GitHub, Airbnb, and LastPass on security.

We have relied on Adam and Nathan's services through nGenuity to inform, improve, and check our development process, validating and invalidating our team's work and process, providing education and correction along the way. We are thrilled to be able to bring these resources to bear with greater influence, while providing Adam Baldwin with the authority to improve areas in need of such.

Adam Baldwin

Adam Baldwin has served as &yet's most essential advisor since our first year, providing me with confidence in venturing more into development as an addition to my initial web design freelance business, playing "panoptic debugger" when I struggled with it, helping us establish good policy and process as we built our team, improving our system operations, and always, always, bludgeoning us about the head regarding security.

Continue reading »