Two Cross Site Scripting Cheat Sheets

I love cheat sheets. They jog my memory about things I need to do or should test for – especially when I have not done it for awhile.

From a test perspective, my favorite test value cheat sheet for cross site scripting (XSS) is If you have not tried out these samples (and variations on the themes) in your own web application, you need to do it now.

From a developer perspective, OWASP’s (Open Web Application Security Project) XSS (Cross Site Scripting) Prevention Cheat Sheet provides a set of rules to implement, one per output context (HTML body, HTML attribute, JavaScript, CSS, URL), each saying how untrusted data must be encoded before it lands in that context.
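To make the developer-side rules concrete, here is an added example (my own code, not from the original post, OWASP, or any library) that implements the cheat sheet's HTML body, HTML attribute, JavaScript string and URL parameter encoders and renders the same untrusted value into each context both unsafely and safely. The probe strings and the page template are constructed for the example; the encoders follow the OWASP rule text (entity-encode the six listed characters for body content, &#xHH; for attribute values, \xHH for JavaScript strings, percent-encoding for URL parameter values).

```javascript
// Added example (not code from the original post, OWASP, or any library):
// context-aware output encoding following the OWASP XSS Prevention Cheat Sheet
// rules. Each encoder targets one output context; using the wrong one is the
// usual way an "escaped" value still executes.

// Rule 1: untrusted data inside HTML element content -> entity-encode the six
// characters OWASP lists (& < > " ' /).
function encodeForHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return String(value).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Rule 2: untrusted data inside a quoted HTML attribute value -> &#xHH; for
// every non-alphanumeric character, so a stray quote cannot end the attribute.
function encodeForHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => `&#x${c.codePointAt(0).toString(16)};`);
}

// Rule 3: untrusted data inside a quoted JavaScript string literal -> \xHH
// (or \u{...} above U+00FF). The HTML parser never sees "</script>" because
// every "<" and "/" is now \x3c and \x2f.
function encodeForJavaScript(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? "\\x" + cp.toString(16).padStart(2, "0") : "\\u{" + cp.toString(16) + "}";
  });
}

// Rule 5: untrusted data as a URL *parameter value* -> percent-encoding.
// encodeURIComponent is built in and is correct only for a parameter value,
// never for a whole URL whose scheme the attacker could pick.

// Constructed probe values of the kind found on XSS test cheat sheets.
const PAYLOADS = [
  "<script>alert(1)</script>",
  "\" onmouseover=\"alert(1)",
  "'; alert(1); //",
];

// Vulnerable: the untrusted value is concatenated raw into four contexts.
function renderUnsafe(name) {
  return [
    `<p>Hello, ${name}</p>`,
    `<input value="${name}">`,
    `<script>var user = '${name}';</script>`,
    `<a href="/profile?name=${name}">me</a>`,
  ].join("\n");
}

// Hardened: the same template, each context using its own encoder.
function renderSafe(name) {
  return [
    `<p>Hello, ${encodeForHtml(name)}</p>`,
    `<input value="${encodeForHtmlAttribute(name)}">`,
    `<script>var user = '${encodeForJavaScript(name)}';</script>`,
    `<a href="/profile?name=${encodeURIComponent(name)}">me</a>`,
  ].join("\n");
}

// Did the raw probe survive into the markup? For these probes that is the
// difference between "executes" and "displayed as text".
function leaksPayload(html, payload) {
  return html.includes(payload);
}

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p), "unsafe leaks:", leaksPayload(renderUnsafe(p), p),
              "safe leaks:", leaksPayload(renderSafe(p), p));
}
```

The check is deliberately crude (substring presence); it is enough to show the point of the cheat sheet, which is that the encoder has to match the context. Feeding the attribute encoder's output into a JavaScript string, or a body-encoded value into an unquoted attribute, would pass a naive "is it escaped?" review and still execute.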


March 2011 mensming Twitter Posts


RT RKHilbertSpace Q: How to generate a random string? A: Put a fresh student in front of vi and tell him to quit.
Wed Mar 30 2011 11:46:55 (Pacific Daylight Time)

"Most of you are familiar with the virtues of a programmer. There are three, of course: laziness, impatience, and hubris." – Larry Wall
Tue Mar 29 2011 07:56:57 (Pacific Daylight Time)

10 things I miss about old school Linux –
Fri Mar 25 2011 06:58:07 (Pacific Daylight Time)

Social media sites explained in terms of pee –
Thu Mar 24 2011 05:29:35 (Pacific Daylight Time)

Internet Explorer versions 1 through 9 compared, signs of progress found (video) –
Wed Mar 23 2011 08:12:20 (Pacific Daylight Time)

Posted – Tool – blindtextgenerator.com –
Tue Mar 22 2011 07:24:32 (Pacific Daylight Time)

Welcome David and Ricardo to the @conenza development team.
Mon Mar 21 2011 07:00:17 (Pacific Daylight Time)

Finished reading _Rework_ by Jason Fried and David Heinemeier Hansson – Recommended –
Fri Mar 18 2011 07:04:23 (Pacific Daylight Time)

Funny – The History of Twitter As Ken Burns Would Tell It –
Thu Mar 17 2011 06:57:39 (Pacific Daylight Time)

A Tangled Web of Shortened Links –
7:30 AM Mar 16th

I need to work on this – The Cult of Busy –
6:56 AM Mar 15th

Retro browser war: IE6 vs. Netscape in 2011 –
8:28 AM Mar 14th

Snooping on Social Networks to Vet Jurors and Hire Employees –
9:27 AM Mar 11th

Visualized: US smartphone market share, by manufacturer and platform, made pretty –
7:58 AM Mar 10th

10 Most Insightful Infographics About Internet –
7:56 AM Mar 9th

2010 In Movies, As Seen On Foursquare [Graphic] –
7:27 AM Mar 8th

Read _Core JAVA Interview Questions You’ll Most Likely Be Asked_ – – NOT recommended
7:46 AM Mar 7th

Microsoft It’s not often that we encourage you to stop using one of our products, but for #IE6, we’ll make an exception:
12:24 PM Mar 4th

Innovate Or Execute? –
7:53 AM Mar 4th

Conenza is looking for Community Manager #job
5:42 PM Mar 3rd

A Better Filing System for Public Speakers (and Writers) #Evernote –
7:38 AM Mar 3rd

Secure Erase Methods Probably Won’t Work on Your Solid-State Drive –
9:11 AM Mar 2nd

Encrypting Cookies in the Browser –
7:51 AM Mar 1st


Velocity 2010: Tom Cook, “A Day in the Life of Facebook Operations”

Here are my notes from the Velocity 2010 lecture "A Day in the Life of Facebook Operations".

A Day in the Life of Facebook Operations
Tom Cook, Facebook
Velocity 2010
June 22-24, 2010
(40 minutes, 48 seconds)

  • Description of the size of Facebook in terms of minutes on site, pieces of new content, etc.
  • User growth curve
  • Server footprint growth curve
  • Bay area and Virginia (and soon Oregon)

The stack:
Load Balancer -> (assigns a web server)
Web Server -> (assembles data)
Services (fast, complicated), Memcached (fast, simple), Databases (slow, persistent)

Web server (HipHop for PHP)

  • source code transformer
  • converts PHP to C++, compiled with gcc

Memcached

  • 300+ TB live data in RAM

Databases

  • persistent store
  • lots of sharding

Services

  • news feed, search, chat, ads, media, etc.

Operations is supplying a platform for the Facebook developers to deploy
So, below the stack, we have:

Deployment, Monitoring
Systems Management
Core Operating System

Operating System

  • Linux
  • CentOS 5 variant with custom kernel

Systems Management

  • Configuration management
    • Facebook uses CFengine
    • Update every 15 minutes, about 30 sec run on each machine
  • On demand tools
    • No open source solution that meets Facebook needs (used to use DHS)
    • Wrote their own internal tool


Deployment

  • Push for frontend code (web push)
    • At least once a day, frequently multiple times a day (bug fixes, etc.)
    • New features at least once a week
    • Built on top of on-demand control tools
    • Code distributed by BitTorrent (1 minute to push code to all servers)
  • Backend deployments
    • Formal QA process removed, QA is responsibility of engineers
    • Engineers deploy their own code
    • No ‘commit and quit’ mentality
  • Ops 'embedded' into engineering teams
    • Change logging (every change, who, start time and end time)


Monitoring

  • Ganglia (systems focus, graphing)
  • ODS (application focus), written by Facebook
  • Nagios (ping, ssh, server up, etc.), alerting feeds into internal tools
  • Aggregate alarms, drilldown capabilities

What Facebook operations deals with…

  • Constant Growth
  • Constant Failures

Look at network as logical units and dependencies

  • Servers
  • Racks
  • Clusters (some thousand # of hosts)
  • Data centers
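The two points above, aggregate alarms with drilldown and treating the network as logical units (servers, racks, clusters, data centers), fit together: if every host in a rack is failing its checks, you want one rack alarm with the member hosts behind it, not forty host pages. The following is an added example of that roll-up, my own code rather than anything from the talk or from Facebook's tooling. The inventory, host names and Nagios-style status lines are constructed for the example; the hierarchy levels are the ones the notes list.

```python
"""Added example, not from the talk or from Facebook's tooling: roll per-host
check results up the logical hierarchy the notes describe (server -> rack ->
cluster -> data center) so that a fully failed unit raises one aggregate
alarm, while the member hosts stay attached for drilldown. Inventory, host
names and status lines below are constructed for this example."""

LEVELS = ("datacenter", "cluster", "rack", "host")

# Constructed inventory: host -> (datacenter, cluster, rack).
INVENTORY = {
    "web001": ("sjc", "web-a", "rack01"),
    "web002": ("sjc", "web-a", "rack01"),
    "web003": ("sjc", "web-a", "rack01"),
    "web004": ("sjc", "web-a", "rack01"),
    "web005": ("sjc", "web-a", "rack02"),
    "web006": ("sjc", "web-a", "rack02"),
    "web007": ("sjc", "web-a", "rack02"),
    "web008": ("sjc", "web-a", "rack02"),
    "web009": ("sjc", "web-a", "rack03"),
    "web010": ("sjc", "web-a", "rack03"),
    "web011": ("sjc", "web-a", "rack03"),
    "web012": ("sjc", "web-a", "rack03"),
    "db001": ("sjc", "db-a", "rack10"),
    "db002": ("sjc", "db-a", "rack10"),
}

# Constructed Nagios-style check results, one "host;service;state" per line:
# rack01 has lost power, web009 has a dead sshd, and both db hosts are down.
SAMPLE_STATUS = """\
web001;PING;CRITICAL
web002;PING;CRITICAL
web003;PING;CRITICAL
web004;PING;CRITICAL
web005;PING;OK
web006;PING;OK
web007;PING;OK
web008;PING;OK
web009;PING;OK
web009;SSH;CRITICAL
web010;PING;OK
web011;PING;OK
web012;PING;OK
db001;PING;CRITICAL
db002;PING;CRITICAL
"""


def down_hosts(status_text, bad_states=("CRITICAL", "DOWN")):
    """Hosts with at least one check in a bad state."""
    down = set()
    for line in status_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _service, state = line.split(";")
        if state in bad_states:
            down.add(host)
    return down


def build_tree(inventory):
    """Nest hosts under datacenter -> cluster -> rack; a leaf host maps to None."""
    tree = {}
    for host, path in inventory.items():
        node = tree
        for part in path:
            node = node.setdefault(part, {})
        node[host] = None
    return tree


def leaf_hosts(node):
    for name, child in node.items():
        if child is None:
            yield name
        else:
            yield from leaf_hosts(child)


def _walk(node, down, depth, name):
    """Return (fully_down, alarms) for one unit of the hierarchy."""
    if node is None:  # a host leaf
        hit = name in down
        return hit, ([{"level": "host", "unit": name, "members": [name]}] if hit else [])
    results = [_walk(child, down, depth + 1, cname) for cname, child in node.items()]
    if all(fully for fully, _ in results):
        # Every member is down: one alarm for the whole unit, members kept for drilldown.
        return True, [{"level": LEVELS[depth], "unit": name, "members": sorted(leaf_hosts(node))}]
    return False, [alarm for _, alarms in results for alarm in alarms]


def aggregate_alarms(inventory, down):
    """One alarm per largest fully failed unit, in inventory order."""
    alarms = []
    for dc, sub in build_tree(inventory).items():
        _, dc_alarms = _walk(sub, down, 0, dc)
        alarms.extend(dc_alarms)
    return alarms


if __name__ == "__main__":
    for alarm in aggregate_alarms(INVENTORY, down_hosts(SAMPLE_STATUS)):
        print(f"{alarm['level']:10} {alarm['unit']:8} members={alarm['members']}")
```

With the constructed input this yields three alarms instead of seven: one for rack01, one for the single host web009, and one for cluster db-a (its only rack is entirely down, so the roll-up continues past the rack level). A real deployment would add a partial-failure threshold and suppress host alarms whose upstream dependency (the rack switch, the cluster's load balancer) is already alarming, which is the dependency view the notes mention.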

Constant Communications

  • IRC
  • Internal news updates
  • Banners on top of lots of tools with alerts as to current status
  • Change logs / feeds
  • Small teams


  • Version control everything
  • Optimize early
  • Automate
  • Use configuration management
  • Plan to fail
  • Instrument everything