Quick quote from High Performing Agile Teams: An Introduction on the Quality is Speed blog:

The parts of Agile I hate are the parts that ignore this essence. High performing teams are the goal. Not practices. Not user stories. Not estimation. Not Scrum. Not the manifesto. Not TDD. Too often the practices become the goal while we lose sight of the real goal: high performing teams.

Yes, thank you.

In other news...

The question in question [sic] is bad news on a couple of fronts, but the one Shackles doesn't like is this bit:

SqlConnection con = new SqlConnection(@"server=MOON\SQLEXPRESS;"
    + "Initial Catalog=Moon;Integrated Security=True");

Ooops!

Had a similar thing happen to me recently creating the image upload service for my Markdown editor. It was surprisingly easy to set up the call to the API in C#, but it quickly occurred to me that it was also really easy for someone to Fiddler what I was sending, grab the API keys, and use my account to upload as much jive as they wanted.

I contacted Mashape to see if there wasn't some way to put a cap on my account, thinking I could just cross that bridge if I ever came to it. I mean, what's the point of limiting exploitation potential if nobody's going to buy the danged app to start with? (I'm an inveterate optimist, as you can see.) Then if I ever, say, hit $20 in a day (which would mean something like 21,250 image uploads in 24 hours), I'd quickly write an API, throw it into the cloud, change the API keys, release a new build, and be done with a little egg on my face.

Well, Mashape never got back to me, so in an abundance of caution, I wrote the cloud service. Kinda a pain, etc. I eventually settled on a system of requesting an access key, creating a trivial hash that creates the key, giving the key a sunset time, then matching that key to upload requests. If someone hits more than X in period Y, they're shut down. If the whole system receives more than Z in Y, everything shuts down.

So I have my own rate limiter, and my API key, like the database connection in the bad SO question, is reasonably hidden. I mean, there's still a chance my cloud gets hacked and the code gets out, but that's a lot more difficult than grabbing Fiddler and sniffing API keys, even if they're SSL'd (which they weren't, initially).
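A sketch of the gate described above, added here as an example and not the code from the actual service: it issues sunset-limited access keys, revokes a key that passes X uploads in window Y, and shuts everything down once total uploads pass Z. The class and member names are hypothetical, an HMAC over a random nonce stands in for the "trivial hash", and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Added example: every name and limit here is hypothetical.
public sealed class UploadGate
{
    private readonly byte[] _secret = RandomNumberGenerator.GetBytes(32); // never leaves the server
    private readonly Dictionary<string, DateTime> _sunset = new();        // access key -> expiry
    private readonly Dictionary<string, int> _perKey = new();             // access key -> uploads this window
    private readonly TimeSpan _keyLife, _window;                          // key lifetime, period Y
    private readonly int _maxPerKey, _maxTotal;                           // X and Z
    private DateTime _windowStart;
    private int _total;
    private bool _tripped;                                                // stays set until an operator restarts

    public UploadGate(int maxPerKey, int maxTotal, TimeSpan window, TimeSpan keyLife)
    { _maxPerKey = maxPerKey; _maxTotal = maxTotal; _window = window; _keyLife = keyLife; }

    // Step 1: the client asks for a short-lived access key; the upstream API key is never sent to it.
    public string IssueKey(string clientId, DateTime now)
    {
        DateTime expires = now + _keyLife;
        using var mac = new HMACSHA256(_secret);
        string key = Convert.ToHexString(mac.ComputeHash(
            Encoding.UTF8.GetBytes($"{clientId}|{expires.Ticks}|{Guid.NewGuid()}")));
        lock (_sunset) _sunset[key] = expires;
        return key;
    }

    // Step 2: each upload must present a live key and fit inside both limits.
    public bool TryAuthorize(string key, DateTime now)
    {
        lock (_sunset)
        {
            if (_tripped) return false;                                   // global shutdown
            if (now - _windowStart >= _window) { _windowStart = now; _total = 0; _perKey.Clear(); }
            if (!_sunset.TryGetValue(key, out DateTime expires)) return false;
            if (now >= expires) { _sunset.Remove(key); return false; }    // sunset reached
            int used = _perKey.GetValueOrDefault(key);
            if (used >= _maxPerKey) { _sunset.Remove(key); return false; } // more than X: revoke this key
            if (_total >= _maxTotal) { _tripped = true; return false; }   // more than Z: shut everything down
            _perKey[key] = used + 1;
            _total++;
            return true;
        }
    }
}
```

Only after TryAuthorize returns true would the service forward the image upstream with the real API key, so a proxy on the client side sees nothing but the expiring access key.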

Kinda painful how quickly a small feature addition became a pain, but at least I've got a nice cloud-based API presence now. On the down-side, I'm back to thinking I need to figure out how to move my entire website over to Linode eventually, as it's sooooo much cheaper to admin it all yourself.

PS -- How in the world did Redis get so popular for small-time hosted app services? I mean, if you have a distributed system, I get it, but if you want an in-memory key-value store for a single box, why would you bother? Just keep a dictionary in memory, right?
