Archive for the 'development' Category

Building Smarter User Interfaces with jQuery: My Talk at this Weekend’s BADCamp

Want to learn how jQuery can help you build smarter, more dynamic user interfaces — in particular, within Drupal?  I’m presenting an intro session at this weekend’s Bay Area Drupal Camp (BADCamp) gathering in Berkeley.

The session is on Saturday at 11am.  Drop by and check it out if you’re attending.  For those who can’t make it or didn’t register before all the spots were gone, I’ll post my notes here.

Facebook Apps Access Dropping In and Out

Looks like a DNS problem this time.  Both apps.new.facebook.com and apps.facebook.com, the domains from which applications are initially accessed, have gone offline several times today — at least for Comcast customers — according to reports in the forums.  (I can confirm this too, and I’m on Comcast.)

It’s unclear if it’s a Comcast problem, a Facebook problem, or something else.  But Facebook does plan to get rid of the .new. subdomain now that the new profiles are rolled out, which would require some DNS modifications. And given the company’s track record, I’m not entirely ready to give Facebook the benefit of the doubt.

Lessons from the Palin Email Hack: How to Provide More Secure Password Recovery than Yahoo

The only really shocking things to come out of the hacking of Sarah Palin’s Yahoo-based email account are the revelations that:

  1. The Governor of Alaska uses the free Yahoo email service for work-related emails; and that
  2. Yahoo uses really bad security practices for its password recovery system.

Indeed, it’s the latter point that makes the former all the worse.

If the so-called hacker who accessed Palin’s emails is to be believed, Yahoo allowed the intruder to reset the password on Palin’s account simply by answering some security questions.  And sure enough, that’s exactly how Yahoo’s password recovery system works: You answer some simple questions like “Where did you meet your spouse?” and Yahoo checks to make sure your responses match up with the answers you provided when you first created your account.  In other words, these questions serve as a secondary, “backup password.”

Password recovery security questions for Yahoo Mail

The problem with security questions like these is that they’re all too easy for almost anyone to answer.  This is especially true if you have information about your life published on the Web (as Palin found out) — or, more likely, if you publish that information yourself on blogs, social networks, profile pages, and so on.

So what should Yahoo have done instead?  Or, more importantly, if you’re developing a Web site that needs a password recovery feature, what should you do?


facebook rolls out incomplete upgrade, makes apps hard to find

While rolling out new profile pages to users today, Facebook also released a modified Apps toolbar — which no longer shows recently used applications.  Developers are not happy about this (myself included) as it makes it difficult for users to get back to applications they’ve used but haven’t yet formally bookmarked.  It’s a good bet that a lot of apps will show a dip in return visits beginning today.

Screenshot of temporary Facebook Apps toolbar

To make matters worse, there seems to have been no advance warning of the change.  And as of this morning, the Facebook Beta site that is supposed to act as a preview sandbox for developers didn’t show the change either.

Facebook’s response?  A company rep posted this in the forums after developers complained: “We’re sorry about the confusion — we’re in the midst of finalizing the feature and what you see here is definitely not final!”  No word on what the final version will look like nor when it’ll show up.

As I was just saying, Facebook’s seemingly haphazard release process is harming its relationship with the developer community.  The more the company ignores the needs of developers who, in many cases, are building their businesses and livelihoods on Facebook’s platform, the less chance it has of sustaining the budding market it’s created.

Update: Facebook finally posted a note about the upcoming changes to the application menu on their Developer Blog at the end of the day.  I logged back into my Facebook account and noticed the menu in the lower left corner of my window, as the blog post notes.  However, I’m not sure I would’ve found it there without having read the post.  Hopefully they find a way to notify users of this change.

Drupal for Firebug: The Smarter Way to Debug Drupal

At last night’s San Francisco Drupal Users’ Group meeting, Matt Cheney of Chapter Three gave a demonstration of Drupal for Firebug — a combo Firefox extension and Drupal module that lets you send Drupal debugging and status messages to Firebug.

“A smarter var_dump()” is one way to think of it.  But it also does several other handy things: it lets you see how and where forms are altered by various modules, gives you access to the user object for inspection, and lets you execute PHP from Firefox.

Definitely something to check out if you’re developing modules or themes for Drupal.

Facebook CSS Problems are Messing Up Apps

Some Facebook apps are currently messed up due to what looks like Facebook not parsing app stylesheets and missing its own master stylesheets.  It’s unclear how many people and how many apps this affects, but it’s a major screwup.

Clearly, managing a site that serves tens of millions of people on a regular basis is no easy task.  But it’s not the first mistake that has made the site or the apps inaccessible.

If Facebook wants its ecosystem of third-party apps to thrive — and expects developers to build businesses on the Facebook app platform — it has to start treating the platform like a true business-level service.  And that means getting a grasp on Facebook’s QA and deployment processes so that bugs like these don’t keep knocking apps offline.

Facebook App With Missing CSS

spot in joyent facebook accelerator program finally opens up

I had completely forgotten about Joyent’s Facebook Accelerator program, having eventually built my word game app on a different server.  But then guess what?  A spot must have opened up (five weeks after I applied) and I got the following email:

Hi Amit Asaravala,

Your new Facebook Accelerator from Joyent is ready for use and your login information and webmin credentials are listed below, along with some important links for documentation to help you along the way.

I’ll have to give it a look-see.

I Highly Recommend WordCamp

So after switching my blogs over to WordPress, I attended WordCamp SF on Saturday to get a better sense of what’s going on with the platform from a developer’s perspective.  I have to say that I was impressed with the conference and with what’s going on under the hood.

The various folks working on WordPress shared plans on how they’ll continue building on their strengths (great UI, modularity, social media), and were quite honest about what they haven’t gotten right yet (confusing security API, too frequent releases, needing to separate core files from user folders).  And unlike many conferences focused on a single product or technology, many WordCamp sessions went beyond WordPress to cover topics of importance to developers and online publishers.  In particular, Steve Souders’ talk on improving front-end site performance was well done.

If you’ve got a WordCamp in your area, I highly recommend attending.  At $20 (at the SF conference at least), you can’t beat the dollar-to-signal ratio.

Signing Up for Joyent’s Free Facebook Server Space Deal? Don’t Hold Your Breath

Did one of Joyent’s recently circulating ads touting a free year of Accelerator hosting for Facebook applications tempt you to head over to Joyent’s site and sign up?  Still waiting for your account?

Right. About that.

Turns out that Joyent has been advertising the program for months (it’s been running since November), the program is limited to 3500 developers at a time, they’ve been overwhelmed by registrations, and they only allow new developers on when they kick off those with accounts deemed to be inactive — which could mean 300 open spots one day, or none for weeks at a time.

Developers have asked for more clarification on wait times, or even some notice before signing up that there’s a long waiting list, but so far that hasn’t happened.  Looks like you might be better off starting elsewhere unless you really, really need that free year of hosting.

more downtime: this time drupal.org’s database can’t take any more connections

Seems like I’m running into problems on the Web everywhere I go. Over the weekend it was an Amazon S3 failure that took down several sites. Yesterday it was Facebook’s redirection loop that made the site inaccessible for roughly an hour. Today it’s the Drupal Web site, which seems to be experiencing a problem with an overloaded MySQL database. I hope the good folks behind Drupal.org can fix the problem soon — this doesn’t help the organization defend claims that Drupal is resource-intensive and hard to scale.

As for the error message itself, it’s particularly troubling that it tells you:

  • the type of database
  • the name of the database user
  • the hostname for the database server

Granted, you probably could have guessed that Drupal.org was running on a MySQL database, but now everyone has three of the four pieces of information you need to access the database and a hacker can focus on guessing the last piece: the password.

There are two things that can be learned here. First, your Web application error messages shouldn’t reveal any details about the underlying system to anonymous users. All your site visitors need to know in a case like this is that there was an internal error that makes the site inaccessible for the time being. Second, limiting your database connections to specific IP addresses can add an extra layer of security even if the other info gets out (Drupal.org may well have done this).
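One way to apply the first lesson in PHP, shown as an added example that is not code from Drupal or from the original post: the driver's error text goes to the server log under a random reference, and the visitor gets a generic 503 page. The function name, DSN and account below are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example: db_connect_or_503, the DSN and the account are hypothetical.
ini_set('display_errors', '0'); // never render PHP errors into the page
ini_set('log_errors', '1');     // keep them in the server-side log instead

function db_connect_or_503(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_TIMEOUT => 3,
        ]);
    } catch (PDOException $e) {
        // The driver message can name the database type, user and host,
        // so it goes to the log only, tagged with a random reference.
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[db %s] connect failed: %s', $ref, $e->getMessage()));

        if (!headers_sent()) {
            http_response_code(503);
            header('Retry-After: 120');
            header('Content-Type: text/plain; charset=utf-8');
        }
        // Visitors learn only that the site is down, plus a reference
        // they can quote to support.
        echo "The site is temporarily unavailable. Please try again in a few minutes.\n";
        echo "Reference: {$ref}\n";
        exit(1);
    }
}

// Constructed values for illustration; nothing is expected to listen on this
// port, so the call exercises the failure path.
$db = db_connect_or_503(
    'mysql:host=127.0.0.1;port=3999;dbname=example',
    'example_app',
    'not-a-real-password'
);
```

The second lesson is enforced on the database side: a MySQL account is identified by user name plus host, so an account created only for the web server's address cannot be used from anywhere else.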
