[blog.rayfoo] Infosec, DFIR, tech geekery, thoughts and whatnot

6 Oct 2009

13 Things a Web Application Attacker Won’t Tell You

Saw this post being referred to in Jeremiah Grossman's blog post; it's just too good, funny and true not to share, so here goes...

1. Just because you moved something from being a GET parameter to a POST parameter so I couldn’t see it in the URL bar doesn’t mean that I don’t know it is there. And it also doesn’t mean I can’t change it. (Download WebScarab if you disagree)

2. Just because you put something in a hidden FORM parameter doesn’t mean I can’t find it. Or change it. See #1.

3. Ditto for cookies. See #1.

4. Validating things on the client side with JavaScript doesn’t prevent me from submitting whatever the heck I want.

5. I love it when you say “That would never happen in production.”

6. I really love it when you say “An attacker would never do that.”

7. I really hate strong server side input validation.

8. That page with the detailed error message – my job would be way harder without it.

9. Most of those “Guaranteed Secure!” banners you put on your site only serve to tell me you don’t understand the first thing about security.

10. That web application scanner you ran – it didn’t find everything. Not even close.

11. That network scanner you ran – it didn’t even start testing the security of your application.

12. I understand AJAX (or fancy, new technology “XYZ”) better than you do.

13. The more clever you think you are – the better I feel.
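The common thread of items 1 to 4 and 7 is that hidden fields, cookies and JavaScript checks run on the client's machine, so the server has to validate everything itself. The following is an added example, not code from the original post or the quoted list; the catalogue, SKUs and form submissions are constructed samples.

```python
from decimal import Decimal

# Server-side source of truth (constructed sample catalogue, not from the post).
CATALOGUE = {"sku-100": Decimal("49.99"), "sku-200": Decimal("9.50")}
MAX_QTY = 10


class InvalidOrder(ValueError):
    """Raised when a submitted order fails server-side validation."""


def checkout_trusting_client(form):
    """Weak pattern (items 1-3): the price travels in a hidden POST field.
    Hiding it, moving it out of the URL, or parking it in a cookie changes
    nothing: the browser belongs to the client, so every byte it sends is theirs."""
    return Decimal(form["price"]) * int(form["qty"])


def checkout_validated(form):
    """Strong pattern (item 7): every field is untrusted input. Only the SKU
    and quantity are taken from the client; the price is looked up server-side,
    and quantity is range-checked here no matter what JavaScript did (item 4)."""
    sku = form.get("sku")
    if sku not in CATALOGUE:
        raise InvalidOrder("unknown sku")
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        raise InvalidOrder("quantity is not an integer") from None
    if not 1 <= qty <= MAX_QTY:
        raise InvalidOrder("quantity out of range")
    return CATALOGUE[sku] * qty


# Constructed requests: one as the page's form would send it, one with the
# hidden price field altered before submission (what the server may receive).
HONEST_FORM = {"sku": "sku-100", "qty": "2", "price": "49.99"}
ALTERED_FORM = {"sku": "sku-100", "qty": "2", "price": "0.01"}

if __name__ == "__main__":
    print(checkout_trusting_client(ALTERED_FORM))  # 0.02: altered price honoured
    print(checkout_validated(ALTERED_FORM))        # 99.98: submitted price ignored
```

The validated handler returns the same total for both submissions because the price field is never read; anything the client can edit is treated as a hint, never as a fact.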

21 Sep 2009

Lao Zha Bor!

Talking with my wife about something random reminded me of this Lao Zha Bor blog (first mentioned in the movie Just Follow Law). Going back to browse through her site first welcomed us with the sight on the right. Laughworthy or pukeworthy, I'd say it's pretty much like...her :P

Oh yeah, another of her pictures that we found absolutely crazy was this Ratatouille poster photoshopped with her face on it. Try not to laugh too loud heh.

*Edit: She has a rap about herself too! (via @kitschma)

14 Sep 2009

Push Button, Receive Bacon

Got a new wallpaper for my iPod Touch. Love it when fresh perspectives are given to mundane everyday signage :P

Apparently the original was from here.
