Twitter Insecure by Design

It happens that I have a new identity … no, someone has my credentials, or something similar, for using my Twitter account. Twitter does not reply; there is no team that can fix it.

The problem with Twitter is that it is insecure by design. You indicate an email address and confirm it, at registration time or whenever you want.

Well, and now? If you want to change the email address, you have to confirm it with the old, already confirmed email, you would guess … no. You verify the new email address with the new email address alone!!

That’s all. I used to have the @danielecr Twitter account. Now it is Gale Albee @GaleIsWide, and there is nothing I can do about it.

To check it, I did a Google search: “danielecr twitter”

interesting enough …

What does it mean to you? This shows that Twitter is insecure by design, and if you are subscribing to a service you should never rely on it. That is, if you open an account for a new service using Twitter, make sure to add an email address and make it the principal way to log in; never rely on Twitter for security. It seems there is no customer care and no one you can effectively contact and ask for assistance. You will lose all associated accounts.

Simply put: do not rely on Twitter.

PayPal: SEPA or not


SEPA (Single Euro Payments Area) aside, the fees on PayPal transactions differ depending on whether the funds come from a credit card or from a bank transfer. I only notice it now.

In e-commerce we are used to adding a line for fees when the customer chooses to pay via PayPal; now it gets more complicated: the customer pays via PayPal and should, on their side, authorise payment of the transaction costs. Otherwise there must be a way to determine, relative to the price to be paid, how much the transaction costs, and then, returning to the e-commerce site after the buyer’s authorisation (without an amount), compute the price for the payment. I can find no reference to charging these costs there.

Runyourjs Drupal module

Done; as announced, I created a sandbox project:

I attach here an archive made with git archive --prefix=runyourjs/ HEAD | gzip - > ../runyourjs.tar.gz

I wrote this for my personal use; if you find it useful, share it and give feedback (on Drupal). Thanks


p.s.: of course the filename is protected 🙂

European Commission and open standards … source … what?

Punto Informatico (two articles) writes about a directive approved by the European Commission on the adoption of open standards, and then later uses open source as a synonym.

Some time ago I had an argument on LinkedIn in which I maintained that public administration should adopt open source software because it is open and cheap; a Microsoft supporter enlightened me on the difference between open source and open standards, and pointed out that Microsoft has an offer of software that respects open standards.

Open standards concern the openness of data, while open source is about source code. It is less simple than it appears to tell data from code. Java defines a language, which has semantics, and class prototypes, which is code. A spreadsheet standard has function syntax and semantics, a macro language definition (syntax and semantics), and so on. PDF is a programming language, so if you send a PDF you send program code.

The rationale is that everything you exchange with others, in this case public administration offices, should have a deterministic interpretation, free of any fee to a given software producer or patent fee to be paid in order to read it; that is, it should be an open standard format.

So, what is the European Commission talking about? Open standards, of course. Because the direction is to endorse freedom of choice, and freedom of choice means being able to choose closed source or open source, with the advantages of one or the other, but without restriction on either the citizen or public procurement, which should accept only documents that can be read without restriction.

This, immediate effects aside, favours fair competition: less marketing, better software.


Image taken from: no copyright in the EXIF data, only the name of an internet site that I cannot interpret, nothing that looks like “copy”

Upload JavaScript as an attachment to a Drupal entity (and run it) … and what is munge?

I need to attach JavaScript code to my content for tech blogging purposes, and give visitors the ability to run it.

Do you think there are security concerns? I don’t.

The PHP filter has been in Drupal core from the beginning, and it was not a security concern, unless you give everyone permission to post content or comments in PHP format. What makes JavaScript a security concern?

Well, while writing such a module (yes, I want to make something useful and versatile for this; I am tired of uploading the file and writing < script src=…. with the PHP filter every time), I googled and found

the interesting suggestion to use variable_set('allow_insecure_uploads',1); the "munge" mechanism it works around made me curious about what munge is. This is the docblock of file_munge_filename() in Drupal 7.22:

 * Modifies a filename as needed for security purposes.
 * Munging a file name prevents unknown file extensions from masking exploit
 * files. When web servers such as Apache decide how to process a URL request,
 * they use the file extension. If the extension is not recognized, Apache
 * skips that extension and uses the previous file extension. For example, if
 * the file being requested is exploit.php.pps, and Apache does not recognize
 * the '.pps' extension, it treats the file as PHP and executes it. To make
 * this file name safe for Apache and prevent it from executing as PHP, the
 * .php extension is "munged" into .php_, making the safe file name
 * exploit.php_.pps.
 * Specifically, this function adds an underscore to all extensions that are
 * between 2 and 5 characters in length, internal to the file name, and not
 * included in $extensions.

So be warned about this Apache behaviour, which can make things unstable. Note: it is Apache's handling of multiple extensions (mod_mime), not PHP: every recognised extension in the name maps to a type or handler and unrecognised ones are ignored, so it applies to any handler configured by extension, not only to PHP. (Using a dedicated data directory, with script execution disabled there, is the best practice.)
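As an added example (not code from this page's runyourjs module), here is the munging rule from the docblock above re-implemented in JavaScript, modelled on Drupal 7's file_munge_filename(): the basename and the final extension are kept, every middle part that looks like an extension (2-5 letters, optionally one trailing digit) and is not whitelisted gets an underscore, NUL bytes are stripped first, and the allow_insecure_uploads switch turns the whole thing off. The regex and the whitelist handling are my reading of that function; the second helper, apacheWouldRunAsHandler(), is an assumption that only models the "any recognised extension counts" behaviour described in the docblock, not Apache's full mod_mime logic.

```javascript
'use strict';

// Re-implementation of the munging rule (modelled on Drupal 7's
// file_munge_filename(); the regex and whitelist handling are assumptions).
function mungeFilename(filename, allowedExtensions, allowInsecureUploads = false) {
  // Equivalent of variable_set('allow_insecure_uploads', 1): no munging at all.
  if (allowInsecureUploads) {
    return filename;
  }

  // Strip NUL bytes: C-string based code would otherwise stop reading the name
  // at the NUL and see a different file name than the one that gets stored.
  const name = filename.replace(/\0/g, '');

  // The whitelist comparison is case-insensitive.
  const whitelist = new Set(allowedExtensions.map((e) => e.toLowerCase()));

  const parts = name.split('.');
  let newName = parts.shift();   // basename
  const finalExt = parts.pop();  // final extension (undefined if no dot at all)

  // Middle parts that Apache could treat as a handler extension get "_".
  for (const part of parts) {
    newName += '.' + part;
    if (!whitelist.has(part.toLowerCase()) && /^[a-zA-Z]{2,5}\d?$/.test(part)) {
      newName += '_';
    }
  }

  // Deviation from the PHP original: a name without any dot is returned as-is.
  return finalExt === undefined ? newName : newName + '.' + finalExt;
}

// Assumption for illustration: Apache maps *every* dot-separated part after
// the basename against its handler extensions, so "exploit.php.pps" is PHP.
function apacheWouldRunAsHandler(filename, handlerExtensions) {
  const handlers = new Set(handlerExtensions.map((e) => e.toLowerCase()));
  return filename.split('.').slice(1).some((p) => handlers.has(p.toLowerCase()));
}

// Constructed sample names (not real uploads) showing both the protection and
// the side effect the post warns about: legitimate "archive.tar.gz" is renamed.
function demo() {
  const allowed = ['jpg', 'png', 'pps', 'txt'];
  const handlers = ['php', 'phtml'];
  const samples = ['exploit.php.pps', 'photo.jpg.png', 'notes.txt', 'x.php\0.jpg', 'archive.tar.gz'];
  return samples.map((original) => {
    const munged = mungeFilename(original, allowed);
    return {
      original: original.replace(/\0/g, '\\0'),
      munged,
      handlerBefore: apacheWouldRunAsHandler(original.replace(/\0/g, ''), handlers),
      handlerAfter: apacheWouldRunAsHandler(munged, handlers),
    };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Note the last sample: "archive.tar.gz" becomes "archive.tar_.gz" because "tar" is not in the allowed list, which is exactly the "unstable" effect mentioned above; the cure is to add such extensions to the allowed list for that field, not to switch the check off.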

I decided to let it be and go with Drupal's security, changing the src attribute to load that .txt file, which is perfectly legal. (One caveat: if the server sends X-Content-Type-Options: nosniff, browsers refuse to execute a script whose response is served as text/plain, so this trick depends on the MIME type the .txt file is served with.)

The module will be named runyourjs. I have just done the file upload part; next I want to add a default load button (interactive), then upload it to a Drupal sandbox.

Unesco World Heritage List

Ok, following I could not find a good export of the UNESCO World Heritage sites, being interested in Italy.

The first step is to download the XML format (, use an online service to translate it to CSV (, save it (download), then convert from DOS to Unix line endings, import it into LibreOffice Calc (Google Docs does not work), save it in ODS format, and import it into Google Docs.

The file in Google Docs:

All this is for some tests … the next toys I am going to make are … (the mapsengine is

… import the “Notes” part at the end of

(PHP) CurlParallel around the world

About the project:

Surfing the net this morning I discovered at least one other interesting implementation of parallel fetching of network resources via PHP curl, that is of, which is older than the one I took as a starting point.

That solution also puts the focus on the tasks to be managed rather than on curl itself, thus giving more weight to the use of the network resource and less to the implementation-specific part. Its author also makes good and extensive use of the Standard PHP Library (SPL). Definitely areas my implementation has to pay attention to.

Seen from different points of view (and implementations), it becomes clear that this does not parallelize execution, but parallelizes waiting on I/O: the client classes are not executed in parallel, but executed in an undefined order. That is, you know that each whole block of code is executed from start to end without interleaving another client's instructions.


This can cause some problems in terms of memory required, and in balancing how much processing has to be done during the consume phase: at least all the processing that allows throwing away useless data occupying memory that is not needed should be done there, but it might be necessary to defer some operations to later code. Say, instead of writing a report, there is a collector class that can destroy some instances and require more processing for others. The need for this operation could arise from the presence or absence of a specific resource that is part of the requested pool. Obviously acting early is better, and things become complex when the same consumer has to ask whether it should throw away the received buffer because the “main” resource “has said no”.
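An added illustration of the two points above (not code from the CurlParallel project, and in JavaScript rather than PHP): a simulated multi handle that invokes each consumer in completion order, one block at a time with no interleaving, and a collector whose decision to keep or discard dependent buffers depends on a "main" resource that may arrive before or after them. The request list, latencies and the accept flag are constructed sample data; the ids "main", "a", "b", "c" are assumptions for the example.

```javascript
'use strict';

// Simulated multi handle: responses are delivered in latency order and each
// consume() call runs to completion before the next one, which is the
// behaviour the post describes (parallel waiting on I/O, sequential callbacks).
// Returns the completion order so the effect can be checked.
function runMulti(requests, consume) {
  const byCompletion = [...requests].sort(
    (x, y) => x.latency - y.latency || x.id.localeCompare(y.id)
  );
  for (const res of byCompletion) {
    consume(res);
  }
  return byCompletion.map((r) => r.id);
}

// Collector: "main" decides whether the dependent resources are wanted.
// Dependents arriving before main are buffered (memory cost); once main has
// said no, buffered ones are dropped and later ones are discarded on arrival
// without ever being stored. Once main has said yes, everything is kept.
function makeCollector() {
  const kept = new Map();
  const pending = new Map();
  let mainVerdict = null; // null until main arrives, then true/false
  const stats = { buffered: 0, peakPending: 0, droppedLate: 0, droppedOnArrival: 0 };

  function consume(res) {
    if (res.id === 'main') {
      mainVerdict = res.body.accept === true;
      kept.set('main', res.body);
      if (mainVerdict) {
        for (const [id, body] of pending) kept.set(id, body);
      } else {
        stats.droppedLate += pending.size; // act late: memory was already spent
      }
      pending.clear();
      return;
    }
    if (mainVerdict === null) {
      pending.set(res.id, res.body); // verdict unknown: must buffer
      stats.buffered += 1;
      stats.peakPending = Math.max(stats.peakPending, pending.size);
    } else if (mainVerdict) {
      kept.set(res.id, res.body);
    } else {
      stats.droppedOnArrival += 1; // act early: buffer freed immediately
    }
  }

  return { consume, kept, stats };
}

// Constructed scenario: main is slow and says no, so "a" and "b" get buffered
// for nothing while "c", arriving after the verdict, costs no memory at all.
function demo(mainLatency = 50, accept = false) {
  const requests = [
    { id: 'main', latency: mainLatency, body: { accept } },
    { id: 'a', latency: 10, body: { size: 1 } },
    { id: 'b', latency: 20, body: { size: 2 } },
    { id: 'c', latency: 80, body: { size: 3 } },
  ];
  const collector = makeCollector();
  const order = runMulti(requests, collector.consume);
  return { order, kept: [...collector.kept.keys()], stats: collector.stats };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
  console.log(JSON.stringify(demo(5, true), null, 2));
}
```

Running demo() with the slow, rejecting main shows the cost the paragraph talks about: two buffers held for nothing and dropped late, versus one discarded on arrival; with a fast main (demo(5, true)) nothing is buffered at all, which is why requesting the deciding resource first, when you can, is the cheapest fix.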

(special thanks to the dia developer

SEO advice for JavaScripters: if you know it, all the better (let’s recap)

What gets indexed by search engines? Of course the static pages are, but what about JavaScript-generated content (i.e. AJAX)?

By the end of 2011 Google indexed comments loaded via AJAX (e.g. Facebook, Disqus, …). This is the latest spec, which means (reading that the web server must provide a snapshot of the requested page, and it has to do so somehow.

It was all due to the limitation on JavaScript replacing the location.href string in the browser address bar, with replacement limited to the part of the URL following the hash sign #. Thus the hashbang (#!) was introduced, very famous (sometimes infamous) on Twitter, which gave the opportunity to index pages with AJAX-loaded content. BUT it demands that the server provide a static version of the AJAX page to the search engine crawler when it is requested with ?_escaped_fragment_=… (the ellipsis stands for the escaped string that follows the hashbang).

Using Java everything is fine. There is PhantomJS, but it is not Node.js (it is a desktop app). PHP has a JavaScript interpreter (V8, the v8js extension), but it does not manipulate the DOM, or that has to be implemented; just an idea, maybe it is possible to load the standard browser environment (window and document) via the registerExtension method. Life is hard.

But now there is HTML5 and pushState … what? The same thing, but better. It simply removes the limitation on rewriting the browser address bar from JavaScript and lets JavaScript manage the history. Say:

var data = null;                 // state object stored with the history entry
var title = 'view video';        // title argument (most browsers ignore it)
var url = '/listvideo/video1';   // new path shown in the address bar
history.pushState(data, title, url);

This snippet replaces the URL in the address bar; it could then be followed by code that injects HTML with a video tag loaded via AJAX. Say the video is loaded in a layer and the close cross is clicked: the click handler will do another history.pushState(), remove the layer, and the user will see the video list again, while pressing the browser's back button goes back in the history. Cool, isn’t it? … one moment: for back to work, an event handler is needed, something like:

window.addEventListener("popstate", function(event){
  // location.pathname contains the new current path
  // event.state contains the data passed to pushState()
  showPage(location.pathname);
}, false);

Well, what search engines want is that the server provides the whole page (both the base page and the overlay) in response to the requested URL. But it can be done via client-side code (read: JavaScript)!

For browsers that do not support the new History API, the snippet contents have to be loaded every time, and every time AJAX should fill them in: the server provides the base page, a check is done on location.href and the right content is loaded via AJAX (i.e. showPage(location.href)). It is vital from an SEO perspective that the pushState URL matches the href of the clicked element (an intrusive example to show it: <a href=/url/video1/ onclick=action>, then action() must call pushState with url=/url/video1).
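The flow described above as a complete, added example (not code from the original post): a small router that renders from the current path, pushes a history entry on navigation, re-renders on popstate, and falls back to a full navigation when the History API is missing. The URL scheme (/listvideo and /listvideo/<id>) is assumed from the snippet's '/listvideo/video1'; the browser objects are injected so the router runs unchanged in a browser and, with the fake history at the bottom, under Node.

```javascript
'use strict';

// Map a path to the view to render. The server must answer the same URLs with
// the full page, so a crawler or a reload sees the same content as a click.
function routeFor(pathname) {
  const m = /^\/listvideo(?:\/([^/]+))?\/?$/.exec(pathname);
  if (!m) return { view: 'notfound' };
  return m[1] ? { view: 'video', id: m[1] } : { view: 'list' };
}

// history/location/addEventListener are injected (window.* in a browser).
function createRouter({ history, location, render, addEventListener }) {
  const supportsHistory = !!(history && typeof history.pushState === 'function');
  const rendered = []; // every route handed to render(), in order

  function show(pathname, state) {
    const route = routeFor(pathname);
    rendered.push(route);
    render(route, state);
    return route;
  }

  // Called from the click handler. `url` MUST equal the anchor's href, so that
  // crawlers following hrefs and users pressing Back land on the same page.
  function navigate(url, state = null, title = '') {
    if (supportsHistory) {
      history.pushState(state, title, url);
      return show(url, state);
    }
    // Old browsers: full navigation; the server renders the page, state is lost.
    location.href = url;
    return null;
  }

  // Back/Forward: the browser already changed location, we only re-render.
  function onPopState(event) {
    return show(location.pathname, event ? event.state : null);
  }

  if (supportsHistory && typeof addEventListener === 'function') {
    addEventListener('popstate', onPopState, false);
  }

  // Initial render from whatever URL the server delivered the base page at.
  show(location.pathname, null);

  return { navigate, onPopState, rendered, supportsHistory };
}

// Fake history/location (constructed for running outside a browser): a stack
// of entries with a cursor, exposing the subset of the API the router uses.
function makeFakeBrowser(startPath = '/listvideo') {
  const entries = [{ state: null, path: startPath }];
  let index = 0;
  const location = {
    get pathname() { return entries[index].path; },
    href: startPath,
  };
  const history = {
    pushState(state, _title, url) {
      entries.splice(index + 1);           // drop forward entries, like a browser
      entries.push({ state, path: url });
      index = entries.length - 1;
    },
    back() { if (index > 0) index -= 1; return entries[index]; },
  };
  return { history, location };
}

// In a browser:
//   createRouter({ history: window.history, location: window.location,
//                  render: showPage, addEventListener: window.addEventListener.bind(window) });
```

Because the same routeFor() decides what to render for the initial server-delivered URL, for a pushState navigation and for a popstate, a crawler requesting /listvideo/video1 directly, a user clicking the link, and a user pressing Back all end up on the same rendered view, which is the property the SEO argument above depends on.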

No more snapshots owed by the server; everything is managed by the search engines. Bing and Google agree on this: client-side code is executed before indexing.

From an SEO perspective: HTML5? Use it.

Debugging JavaScript workers (and jQuery & workers howto)

Even if I finally found the article Web workers: error and debugging, which explains it well and extensively, I just had to report that developing with Firefox is still the right choice in most cases.

What happens in Chromium if you try to importScripts() jQuery? Simple: no error message. The problem is that jQuery refers to the window object, which does not exist in the worker environment, but the onerror event is not implemented, so you will not even know there is a problem if you are using the Chromium browser.

The series Javascript Web Workers: From Basics to jQuery.Hive explains in part 3 how to use a reduced version of jQuery; however, now that Internet Explorer supports web workers, it is time to use them.
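An added example (not from the article or series cited above) of how to make the silent failure described above visible regardless of whether the browser fires worker onerror: since importScripts() is synchronous, the worker wraps it in try/catch and posts an explicit report to the main thread, which logs both that report and any native onerror event. fakeImportScripts() is a constructed stand-in that throws the ReferenceError an old jQuery build produces when window is missing, so the code can be exercised outside a worker; in a real worker you pass the real importScripts.

```javascript
'use strict';

// Worker side. importScripts() throws synchronously, so the failure can be
// caught and reported through postMessage instead of hoping for onerror.
function safeImportScripts(importFn, urls, post) {
  const report = { ok: true, imported: [], failed: null };
  for (const url of urls) {
    try {
      importFn(url);
      report.imported.push(url);
    } catch (err) {
      report.ok = false;
      report.failed = { url, name: err && err.name, message: err && err.message };
      break; // later scripts usually depend on the one that failed
    }
  }
  if (typeof post === 'function') post({ type: 'import-report', report });
  return report;
}

// Why jQuery fails: the worker global has no window/document. Check first.
function workerEnvironmentReport(globalObj) {
  return {
    hasWindow: typeof globalObj.window !== 'undefined',
    hasDocument: typeof globalObj.document !== 'undefined',
    hasImportScripts: typeof globalObj.importScripts === 'function',
  };
}

// Main-thread side: funnel both channels into one log so a missing onerror
// (Chromium at the time of the post) still leaves a trace.
function attachWorkerDiagnostics(worker, log) {
  worker.onerror = (ev) => {
    log.push({ source: 'onerror', message: ev.message, filename: ev.filename, lineno: ev.lineno });
  };
  worker.onmessage = (ev) => {
    const data = ev.data || {};
    if (data.type === 'import-report' && !data.report.ok) {
      log.push({ source: 'report', ...data.report.failed });
    }
  };
  return log;
}

// Constructed stand-in for importScripts: mimics an old jQuery build touching
// `window` at load time, which throws where no window object exists.
function fakeImportScripts(url) {
  if (url.endsWith('jquery.js') && typeof globalThis.window === 'undefined') {
    throw new ReferenceError('window is not defined');
  }
}

// Inside a real worker (importScripts exists): report to the page.
if (typeof importScripts === 'function') {
  safeImportScripts(importScripts, ['jquery.js'], (m) => postMessage(m));
}
```

On the page, attachWorkerDiagnostics(new Worker('worker.js'), []) gives you a log that fills in Firefox via onerror and in any browser via the posted report; the report also tells you which URL broke, which the bare onerror event does not always do.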

Following Coursera courses

I am updating my knowledge by following some courses on Coursera, that is: (computational neuroscience) and (exploring quantum physics). I found that both require that kind of math called statistics, or something like that, plus summing vectors of values, multidimensional calculus … very interesting and mind-opening. I would endorse these courses because they make me feel really better 🙂