Last week I was checking out Amazon‘s Mechanical Turk web site. For those of you not familiar with the site, it allows people to set up simple tasks called Human Intelligence Tasks (HITs) for others to do that are easy for people to do but too difficult to automate by computer. The people who perform the tasks are then paid a modest amount for their effort.
I came across one HIT that I thought would interest some friends so I right-clicked the link to a preview of the HIT, chose Copy URL, then shared the link with the friends. After checking the site out, my friends astutely noticed that visiting the site logged them in as me. Looking closer at the URL, I realized it contained the actual session state. Rut roh! But that’s not all. There was a link to a “Your Account” page, which then linked to an option to change the name, e-mail address, and password on my Amazon account… without prompting for the current password. Double rut roh! Even after I changed the password, that URL could be used to log in and change it again.
Realizing the security exposure, I immediate deleted the credit card info that was on file. I then sent a few messages to the Mechanical Turk team through a few different channels describing the situation. Though I only got “Thank you for your feedback. We’ll be looking into the situation.” type messages from their team with no way to respond back, it appears they did act on the messages. Upon revisiting the site later that day I noticed that:
- I could no longer find a HIT preview link with the state information included in the URL.
- The offending URL brought up a page saying the request could not be completed successfully. However, this could just be because the session had expired. The top of the page still shows my name and there’s still a Your Account link. But…
- When clicking on the link to change the password, the site now prompts for the existing password first.
Kudos to the Amazon Mechanical Turk team for addressing the issue so quickly after I reported it. I have to say, it was kinda fun, though a bit unsettling, to find a security issue with such a high-profile site.
Two years ago I participated in the Leukemia & Lymphoma Society‘s Team in Training program to complete my first marathon. I had a terrific experience, made many new friends and raised over $5000 for the organization from the overwhelming generosity of my friends and family. I received a brochure for their Hike for Discovery program in the mail and knew it was time to do some fund raising again.
So this year I’d like to repeat the experience doing something I have a passion for in a place that I love: hiking in Yosemite National Park. I will be training, hiking and fund raising in memory of my wife’s grandmothers Barbara Pugsley and Dorothy Andrews, both of whom past away in recent years due to blood cancer-related illness. I’ve committed to raising a minimum of $3700. If you have not already, please considering donating. Your support is greatly appreciated.
I’ve set up a separate blog to record my thoughts and experiences while training for the hike. I’m sure it will be a terrific experience and I look forward to sharing it with you.
It’s been a few years since I’ve posted anything related to the current presidency. A friend past along a link to this Harper’s Magazine article regarding a painting by W.H.D. Koerner titled “A Charge to Keep” (1916) that George W Bush admires.A blurb from the article:
Bush has consistently exhibited what psychologists call the “Tolstoy syndrome.” That is, he is completely convinced he knows what things are, so he shuts down all avenues of inquiry about them and disregards the information that is offered to him. This is the hallmark of a tragically bad executive. But in this case, it couldn’t be more precious.
I thought it was quite humorous. Life imitates art? How true.
I realize I haven’t been very good about blogging recently. As a stop gap measure, I’ve been using Twitter to capture fleeting notions over the past week or so. I had been holding off, as I felt the last thing I needed right now was another Internet distraction. But I have to admit, it’s kinda fun. And I find I post to it fairly frequently because 1) the entries have to be short because they are limited to 160 characters and 2) there is little to prevent me from posting since I leave the site open in a browser tab most of the time. And I explicitly chose to not have it notify me when a follower tweets (in Twitter parlance) so that it wouldn’t be a distraction.One of these days when I upgrade the blog software I’ll figure out a way to pull my tweet RSS feed into this blog’s entry stream. Until then, you’ll have to visit the site (or use the RSS feed) to see updates.If you’ve got a Twitter account or feel like getting one, let me know so I can add you to my “following” list.
A few friends asked me what I’ve been listening to recently, so I thought I’d share my response in case you’re looking for some new tunes.
- Wilco. Chicago band that makes music that’s kinda like Southern rock meets Radiohead. I haven’t heard their latest album but Yankee Hotel Foxtrot is one of my all time favorites.
- Calexico. Like their name sounds, the music is a mix of southern Cal/Mexican style folk rock. I like pretty much everything they’ve made.
- Beck – “Guero”. This came out a few years ago but it’s still high on my list. I haven’t heard much from his most recent album “The Information”, but what I’ve heard has been pretty good. He’s got an amazing ear for hooks.
- The Weepies – “Say I Am You”. Kind of a melancholy Six Pence None the Richer or Shawn Colvin sound. This was on heavy rotation in my iPod last year (just one of those years).
- CÈU – a Brazillian female vocalist. Latin American lounge with hints of hip-hop beats (her band includes a turntablist).
- DJ Shadow – “In Tune and On Time”. A live album from 2004 that’s a pretty good mix of all he’s done in the past (of which I’m a big fan). I haven’t heard his latest album but I heard it’s more of a hard-core hip-hop album so I haven’t had much interest in checking it out.
- MixMaster Mike. DJ for the Beastie Boys. I recently picked up Eye of the Cyklops and it’s pretty good albeit short (it’s an EP).
- Easy Star All-Stars – “Radiodread”. A well done reggae cover album of Radiohead’s “OK Computer”.
- Ashton Allen – “Dewdrops”. Very Elliot Smith-sounding indie artist.
- Camera Obscura – “Let’s Get Out Of This Country”. Another indie band with a female vocalist. The album has a optimistic, vintage sound if that makes any sense.
- Bonobo – “Days to Come”. Loungy, (mostly) instrumental downtempo trip hop. Nice relaxing music after a day of work.
- “Cinematic”. An album of remixes of a bunch of classic film scores.
- Jack Johnson – “In Between Dreams”. I’m sure you’ve heard his stuff on the radio. This is a good album for making breakfast to on weekends (or any day of the week really).
- Putumayo Presents “A New Groove” – Latin-American influenced groove compilation. Lots of catchy tunes.
- Rodrigo Y Gabriela – Virtuoso Spanish guitar street busker duo. You can check out some cool videos on YouTube.
- Radiohead – “In Rainbows”. Not their best album, in my opinion, but a decent showing. Good to hear some fresh material.
Other artists that I’ve recently come across and like but haven’t bought any music from yet: