In the end, if 70% of the people will give their password for a chocolate bar, why not at least help them do it from multiple computers? Thanks Google Browser Sync.

Elias Torres. I don’t have much faith in the accuracy of that chocolate bar password survey, but still …


last night i could be heard saying "i'm not too concerned about security." this morning i got an email from yet another kind visitor pointing out that my .inc files, including the one with all my passwords, were being presented by the server as plain text when called directly. so anyone could get my database password, my password, and my google api key. suddenly i became concerned about security.

i added the following line to my .htaccess file to make the server parse .inc files just like .php files (as my previous server did):

AddType application/x-httpd-php .inc

which solved the problem. then i changed all my related passwords. no harm done.

so now i'm back to not being concerned about security. after recovering from my initial freak-out mode, i realized that access to the database is restricted to certain IP addresses, so the password alone will not do much unless you are one of my neighbors sharing my IP address. and my posts are now automatically backed up on the links page, so no worries there. and my google api key is pretty much worthless. but still, putting passwords in a publicly-viewable text file is probably not a good idea.


a kindly visitor recently pointed out that the source code viewer could be used to launch XSS attacks. "egads!" i responded "that sounds terrible! wait...what does that mean?"

"they can steal your cookies!" the protector of bakery goodness replied. that's when i knew i had to take action. "NOBODY STEALS MY COOKIES!!" i shouted as i edited a few lines of code to prevent XSS attacks. and thus it was that the great cookie thievery of ought four was prevented.