Quick quote from High Performing Agile Teams: An Introduction on the Quality is Speed blog:

The parts of Agile I hate are the parts that ignore this essence. High performing teams are the goal. Not practices. Not user stories. Not estimation. Not Scrum. Not the manifesto. Not TDD. Too often the practices become the goal while we lose sight of the real goal: high performing teams.

Yes, thank you.

In other news...

The question in question [sic] is bad news on a couple of fronts, but the one Shackles doesn't like is this bit:

SqlConnection con = new SqlConnection(@"server=MOON\SQLEXPRESS;"
    + "Initial Catalog=Moon;Integrated Security=True");


Had a similar thing happen to me recently creating the image upload service for my Markdown editor. It was surprisingly easy to set up the call to the API in C#, but it quickly occurred to me that it was also really easy for someone to Fiddler what I was sending, grab the API keys, and use my account to upload as much jive as they wanted.

I contacted Mashape to see if there wasn't some way to put a cap on my account, thinking I could just cross that bridge if I ever came to it. I mean, what's the point of limiting exploitation potential if nobody's going to buy the danged app to start with? (I'm an inveterate optimist, as you can see.) Then if I ever, say, hit $20 in a day (which would mean something like 21,250 image uploads in 24 hours), I'd quickly write an API, through it into the cloud, change the API keys, release a new build, and be done with a little egg on my face.

Well, Mashape never got back to me, so in an abundance of caution, I wrote the cloud service. Kinda a pain, atc. I eventually settled on a system of requesting an access key, creating a trivial hash that creates the key, giving the key a sunset time, then matching that key to upload requests. If someone hits more than X in period Y, they're shut down. If the whole system receives more than Z in Y, everything shuts down.

So I have my own rate limiter, and my API key, like the database connection in the bad SO question, is reasonably hidden. I mean, there's still a chance my cloud gets hacked and the code gets out, but that's a lot more difficult than grabbing Fiddler and sniffing API keys, even if they're SSL'd (which they weren't, initially).

Kinda painful how quickly a small feature addition because a pain, but at least I've got a nice cloud-based API presence now. On the down-side, I'm back to thinking I need to figure out how to move my entire website over to Linode eventually, as it's sooooo much cheaper to admin it all yourself.

PS -- How in the world did Redis get so popular for small-time hosted app services? I mean, if you have a distributed system, I get it, but if you want an in-memory key-value store for a single box, why would you bother? Just keep a dictionary in memory, right?

Labels: , , , ,