MAN has it been busy. I'll spare you the boring details, but things have been a little rough. Working on a project where priorities are largely defined by the sponsoring organization's primary donor and his wife can be tiring. When wealthy Mrs. X asks for the website to be rose-scented, and intermediary Y decides he'd better hop to it or risk the collapse of the entire enterprise, humble web programmer Z has some long nights ahead of him.

But, with a minor milestone accomplished, I can return to the lovely internet for a little bit before attending to Crushingly Urgent Project #2 in a few hours. There's been a lot of good stuff that I've missed:

1. DCeiver's analysis of the Post Best Bets is predictably excellent. But I do have to give the GoGs credit for making their own picks. The merit of those selections aside (they seem fine), it's a shrewd move to point out the stupidity of WaPo poll participants before the rest of the internet can snarkily associate your paper with the Cheesecake Factory. I hereby suggest "blogproofing" as the technical term. Expect an RFC from the W3C shortly.
2. You might remember that AOL stupidly released a bunch of search data last week. It included the search query, the date, and a unique identifying number corresponding to the user who made the search. By tieing search queries together by those numbers, some users could be identified. The New York Times managed to positively identify an individual pretty quickly. But the real fun is coming now, as other organizations pore over the data to expose just what kind of creepy weirdos populate the internet. Something Awful has a pretty great collection of examples (text, but still probably NSFW).
3. George Allen got into trouble! This is fantastic, and not just because he appears to be a racist asshole who needs to be kept off the national stage. No, it's much more urgent than that: if his presidential ambitions aren't ended by these sorts of public displays of awfulness, I'd have to see Virginia political expert and UVA professor Larry Sab/ato on television for an entire electoral race. I'll do whatever it takes to prevent that grim, dystopian future from coming about.
4. Now for some geeky tech complaining: how did this make it to TUAW? For those who aren't interested enough to follow the link, it's a means of stripping iTunes copy protection by embedding an AAC file purchased from the iTunes Music Store into an iMovie project. You can then get it decompressed to an AIFF (like a WAV, but on the mac), which can be recompressed into a copy-protection-free MP3.

   But you can only do one song at a time. And because you're recompressing, it's a lossy process. In other words, this is a really stupid, inefficient way to remove DRM from ITMS songs. I haven't checked in on the HYMN Project recently, but if I wanted to un-DRM a bunch of songs, that's where I'd start. And if that no longer works, I'd see about writing an Applescript that methodically moves through an iTunes playlist, playing songs, capturing the output via Soundflower, then compressing to MP3. You could even have it automatically use the existing song metadata in the ID3 and filename. Alternately, you might look into burning to a virtual CD-ROM, which you could then rip (I'm not sure how feasible this is in OS X, but it's certainly doable in Windows).

   So the iMovie method: stupid. Don't bring that weak-ass shit in here, TUAW. That's right, I said it.

5. This hack walkthrough was linked off of the Slashdot frontpage. But it doesn't make any goddamn sense. If I understand correctly, step 1 is to fool the user into trying to log into the target website, except on your own server. This is called phishing, and it's not very complex — it's just tricking people.

   But instead of simply capturing the login and password before sending the user along, the author embeds some Javascript that eventually shows up on the target site (when the user's login request is sent in, via the phishing server). That Javascript sends the cookie that maintains the user's session back to the phishing computer, allowing the author to hop onto the user's session.

   The thing is, by that point he already has the user's login and password. He can make new session cookies whenever he wants — the cross-site-scripting stuff is completely and utterly pointless. Worse that pointless, it's stupid, since session cookies generally expire much faster than login credentials.

   From there he goes on to pwnz0rz the website, thanks to some security lapses that one would only find in high school CS classes. It's all kind of ludicrous. I'd really like to see an XSS attack example that does something useful. And hey, maybe I'm missing something here. But as far as I can tell, this article is kind of like writing up "How To Rob A Bank", with step 1 defined as "assume the security system is off and all the doors are unlocked."