REST is like Quantum Mechanics

Sunday, April 23rd, 2006

A resource is identified by URI and may emit representations. There’s no way to tell from the representations what the resource “is”; I tend to believe a resource is what its publisher says it is as a good rule of thumb. But it doesn’t affect the software very much.

–Tim Bray on the xml-dev mailing list, Wednesday, 23 Jul 2003

REST is like Quantum Mechanics; or, more specifically, resources are like atoms (and I do mean atoms, not ATOMs). In quantum mechanics you cannot actually say what an atom is, where it is, or how fast it is moving. You can only predict how it will respond to certain experiments, and then only in a probabilistic fashion. As soon as you try to figure out what the wave function actually represents, well then you fall down a sinkhole of bad physics and worse philosophy.

Resources are the same. When designing RESTful systems, you never see the resources. All you see is the URL and the representation of the resource the URL provides. What resource does the URL identify? Who knows? The only way to reason about it is through the Copenhagen interpretation.

Another Major Security Hole in WordPress

Friday, April 21st, 2006

In the ongoing discussion about check_admin_referer, and how CSRF attacks can be used to trick administrators into deleting posts from their blogs, I missed another attack suggested by Paul Mitchell. This attack only affects blogs that allow users to register and submit drafts. However, for those sites it’s a nuclear attack.

Major Security Hole in WordPress? Turning off Comments

Wednesday, April 19th, 2006

Recent discussion on the wp-hackers mailing list has convinced me that there is a major security hole in all recent versions of WordPress that enables an attacker to delete posts. The vector for this attack seems to be including certain links in comments which are then viewed or modified by the administrator. I don’t fully understand the claimed attack yet, but it seems plausible, and Brian Layman says he has a proof of concept. I hope I’m wrong about this, but in case I’m not, I’ve temporarily disabled comments on this and my other WordPress-hosted blog.

An Open Letter to Amalgamated Bank

Saturday, April 15th, 2006

Dear Amalgamated Bank,

I’ve recently begun using online banking to manage some accounts and was hoping to do that with my primary checking and savings account at Amalgamated Bank as well. However, your terms for AmalgamatedOnline state:

A personal computer running Microsoft windows with Internet access is required to access our Internet Banking System (the “System”). For security we require the web browsers to support 128-bit SSL encryption. For example, Microsoft Internet Explorer Version 5.0 (or later) and Netscape Navigator Version 4.75 (or later) are acceptable.


Amazon Associates Categories

Wednesday, April 12th, 2006

For reference, here are the categories one can use in the mode field of an Amazon Associates recommended product query string such as