Wednesday, December 24, 2008

Making Google's 'Note in Reader' work with Firefox's 'NoScript'

Update Jan 31, 2009: As of NoScript 1.8.9.7 this is fixed. Per Giorgio's comment, it looks like it was fixed back in 1.8.8. Thanks, Giorgio!

This is a specific post for Firefox NoScript users.

I use the Firefox NoScript extension for extra security. I also like to use Google's Note in Reader. The problem is that the cross-site scripting (XSS) protection of the former blocks the latter.

But I found that I could configure an exception to NoScript for 'Note in Reader'.
  1. First, bring up the NoScript preferences (in Firefox, under Tools select Add-ons, then find NoScript and select its Preferences).
  2. Then, in NoScript's preferences, select the Advanced tab, and then the XSS tab.
  3. Add the following to Anti-XSS Protection Exceptions and click 'OK':
^http://www.google.com/reader/link-frame
That should do it. Not even a restart required.
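An exception like this switches off the XSS filter for every URL the pattern matches, so it is worth checking what it actually covers. The following is an added example, not part of the original post or of NoScript: it assumes each exception is a JavaScript regular expression tested against the destination URL, and STRICT_PATTERN and all sample URLs are constructed for illustration.

```javascript
// Pattern exactly as given in the post.
const PAGE_PATTERN = "^http://www.google.com/reader/link-frame";
// Constructed stricter variant: literal dots in the host, and the path must
// end there or continue with '?', '#' or '/'.
const STRICT_PATTERN =
  "^http://www\\.google\\.com/reader/link-frame(?:[?#/]|$)";

// Constructed sample URLs; only the first two are the intended target.
const SAMPLES = [
  "http://www.google.com/reader/link-frame",
  "http://www.google.com/reader/link-frame?url=http%3A%2F%2Fexample.org%2F",
  "http://wwwxgoogle.com/reader/link-frame", // different host, '.' matched 'x'
  "http://www.google.com/reader/link-frame-other", // different path, prefix match
  "https://www.google.com/reader/link-frame", // different scheme
  "http://example.org/?next=http://www.google.com/reader/link-frame",
];

// URLs that the exception would exempt from XSS filtering.
function exempted(pattern, urls) {
  const re = new RegExp(pattern);
  return urls.filter((u) => re.test(u));
}

// Shape checks on the pattern text itself.
function lint(pattern) {
  const warnings = [];
  if (!pattern.startsWith("^")) warnings.push("not anchored at start");
  // Host portion of the pattern: everything between '://' and the next '/'.
  const host = (pattern.match(/^\^?[^:]*:\/\/([^/]*)/) || [])[1] || "";
  // A '.' without a preceding backslash matches any character.
  if (/(^|[^\\])\./.test(host)) warnings.push("unescaped '.' in host");
  return warnings;
}

for (const p of [PAGE_PATTERN, STRICT_PATTERN]) {
  console.log(p);
  console.log("  warnings:", lint(p));
  console.log("  exempts: ", exempted(p, SAMPLES));
}
```

The post's pattern exempts four of the six samples, including a different host and a different path; the stricter variant exempts only the two intended URLs.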

Update Jan 31, 2009: Fixed broken link to Note in Reader.

Wednesday, December 17, 2008

How to really make something secure...

This is a little off my normal post of a simple how-to for this blog, but I saw this nice description of the real issues for making something secure from Perry Metzger and thought it was worth calling out.

This paragraph captures the gist:
"The biggest problem in security systems isn't whether you're using 128 bit or 256 bit AES keys or similar trivia. The biggest problem is the limited ability of the human mind to understand a design. This leads to design bugs and implementation bugs. Design and implementation flaws are the biggest failure mode for security systems, not whether it will take all the energy in our galaxy vs. the entire visible universe to brute force a key."
I could not have put it better myself.

Tuesday, December 16, 2008

lifehacker post: Lessons Learned from a Hacked Gmail Account

A nice post on Lifehacker about what to do if your Gmail account gets compromised:
http://lifehacker.com/5110737/lessons-learned-from-a-hacked-gmail-account.

As far as I can tell, it would apply to any other web email account.