Gavin Morrice

is a web and iOS developer from Edinburgh, Scotland.


Curing my Facebook addiction!

I spend too much time on Facebook. There, I said it.

Over the past few weeks I've been aware of myself visiting Facebook 15 to 20 times a day - sometimes more. I have to stop.

Don't get me wrong, Facebook can be great! It's a chance for me to connect with friends all over the world, catch up with people I haven't seen in years and keep up to date with what everyone is doing. However, as someone who works on-line, having such an alluring distraction steal my attention every 20 mins is destroying my productivity and ultimately costing me money! I have a business to run and, for me, it's more important than local weather updates, photos of babies, and duck-facing girls dancing on tables.

From now on, I'd like to limit my Facebook use to once per day. A short 5 minute session is more than enough time for me to scroll through the news-feed to see who's given birth or eloped or washed their car, respond to messages, and update my status so everybody knows what's on my mind.

Steps To Cut Down On Facebook Use...

To cut down on my Facebook use I've come up with a 4 point plan:

  1. Track my progress for a month
  2. Sign out when I'm not using Facebook.
  3. Prevent Facebook from seeking my attention
  4. Have a reward in sight.

Track My Progress For a Month

This is a great tip I picked up from Matt Cutts' talk: Try something new for 30 days. The idea is simple: 30 days is about the time it takes to train a new habit (good or bad). I want to replace my old, bad habit of checking Facebook every time I change position in my chair with a new, awesome habit of working harder and checking Facebook once per day, in the evening.

I've printed off a 30 day calendar and stuck it to my office wall. Each evening before I go to bed, I can check off another day where I've only visited Facebook once. This will not only help me track my progress, it gives me a reason to stick to my goal, as a day without a cross is an ultimate failure and I'll have to commit Seppuku.

I'll track my progress for the entire month of May.

Sign Out When I'm Not Using Facebook

Since I work in software, I spend a lot of time waiting on screens to load, programs to boot or code to compile. This is prime Facebook-checking time for me and I've mastered opening a new browser tab and hitting Facebook with a fluent, half-second, reflex motion. It's pretty much sub-conscious now. To get around this, I'll log out of Facebook whenever I'm done using it. This will stop me from accidentally browsing subconsciously before I'm able to catch myself.

Prevent Facebook From Seeking My Attention

As an iOS developer, I spend most of my working day with either my iPhone or my iPad in my hands or on my desk in front of me. If I'm logged into Facebook and I receive a new notification my attention is immediately drawn away from what I'm doing to satisfy my curiosity and check what the notification was.

According to some experiments, after being distracted it can take someone 25 minutes to get their attention back to the level it was prior to being distracted. On an average day, Facebook can send me notifications every 30 minutes, meaning the attention I'm paying to my work will almost never be optimal.

From now on, I'm staying signed out of Facebook on all of my mobile devices!

Have a reward in sight

Two techniques to help follow through with accomplishing a goal are 1) making a public declaration that you'll do it, and 2) having some sort of reward in sight. I guess writing this blog post covers point 1. As for point 2: Once I'm rehabilitated I'll get more work done throughout the day (so can stop working earlier), I'll be more productive, I'll have more to talk about with my friends when I see them (rather than sending messages back and forth throughout the day) and I'll get over what has become a pretty annoying habit - all of which are rewards in themselves.

My month starts now! I'll write a follow-up post in a month or so to document how it went.


My Suggestion for Dealing With Rails's Inherent MAA Vulnerability

If you didn't catch all of the action on GitHub last week - where have you been?

If you need a catchup, you can read more about the "attack" on GitHub here, and an interesting response to how GitHub handled it here.

In this post, I'd like to share my opinion on Rails's inherent vulnerability to mass-assignment attacks and suggest a solution which should be applied to Rails to help make Rails more secure for all of us.

Whose job is it anyway?

First up, I don't think this is a problem with Rails; I think this is a problem with Rails developers!

Rails is sometimes too convenient for us. Because Rails handles so much behind the scenes we can often miss out on some of the essential responsibilities we have when writing software.

While others have suggested solutions for improving the mass-assignment situation in Rails (including Yehuda Katz and Technoweenie), I don't agree that we need to change how we assign attributes from query parameters. The current Rails approach was a perfectly viable solution. The problem is that not everybody was using it!

Any n00b who's watched a few of Ryan Bates's (fantastic) Railscasts knows that sensitive attributes should be protected from mass-assignment. Yet from experience working with my own code and other seasoned developers, it's a point we often miss (along with applying constraints to database columns - another bugbear for a separate post).

In short, the solution to this problem is not to dramatically change Rails. The solution is to notify developers while they're using Rails.

My Proposal for Improving Mass Assignment in Rails

Rails's current attr_accessible and attr_protected methods offer perfectly adequate protection against mass assignment when creating or updating records from the params hash. The real problem lies in Rails developers overlooking their importance in the architecture of the system.

Every ActiveRecord::Base subclass is mass-assignment vulnerable by default.

What if we were to add this as an attribute to each ActiveRecord::Base subclass?

class User < ActiveRecord::Base

  self.mass_assignment_safe? # => false

end

Each time save is called on an instance of User, a warning is printed to the log to alert the developer that they haven't protected the model from mass-assignment attacks. Something along the lines of

@user.save

would log:

[Warning] User is not protected against mass-assignment attacks. Please use either attr_protected or attr_accessible.

Calling either attr_protected or attr_accessible within the class would set mass_assignment_safe? to true:

class User < ActiveRecord::Base

  self.mass_assignment_safe? # => false

  attr_accessible :first_name, :last_name, :email, :password

  # or ... 
  attr_protected :created_at, :updated_at, :admin

  self.mass_assignment_safe? # => true

end

This would ensure that developers cannot inadvertently overlook applying at least some mass assignment protection to their model.

Of course there will be some models where no attributes should be protected. In these cases, having this warning message cluttering up the console a hundred times each time the test suite is run or showing up in the log all the time would be a pain in the ass.

To avoid this, the developer can explicitly state that the model should allow all attributes to be mass-assigned by passing :all => true to attr_accessible or :none => true to attr_protected.

class User < ActiveRecord::Base

  attr_protected :none => true

  # or ...
  attr_accessible :all => true

  # BTW ...
  attr_accessible :username, :all => true # => raises an exception!
  attr_accessible :none => true # => raises an exception too!

end
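
The proposal above can be tried out in plain Ruby. This is an added example, not Rails code and not code from the original post: SketchBase, its in-memory LOGGER and the three sample classes are hypothetical stand-ins, and mass_assignment_safe? is the post's proposed name rather than an existing Rails API.

```ruby
require "logger"
require "stringio"

# Plain-Ruby stand-in for ActiveRecord::Base (hypothetical, not Rails code).
class SketchBase
  LOG = StringIO.new            # in-memory sink so the output can be inspected
  LOGGER = Logger.new(LOG)

  class << self
    # Unsafe until the class makes an explicit declaration.
    def mass_assignment_safe?
      @mass_assignment_safe == true
    end

    def attr_accessible(*names)
      @accessible = declare(names, :all, :none)
    end

    def attr_protected(*names)
      @protected = declare(names, :none, :all)
    end

    private

    # opt_out is the flag allowed on this macro; wrong_flag belongs to the other.
    def declare(names, opt_out, wrong_flag)
      opts = names.last.is_a?(Hash) ? names.pop : {}
      raise ArgumentError, "#{wrong_flag.inspect} is not valid here" if opts.key?(wrong_flag)
      if opts[opt_out] && names.any?
        raise ArgumentError, "#{opt_out.inspect} cannot be combined with attribute names"
      end
      @mass_assignment_safe = true
      names
    end
  end

  # Persistence is omitted; only the proposed warning is modelled.
  def save
    unless self.class.mass_assignment_safe?
      LOGGER.warn("#{self.class.name} is not protected against mass-assignment " \
                  "attacks. Please use either attr_protected or attr_accessible.")
    end
    true
  end
end

class Unprotected < SketchBase; end             # no declaration: warns on save
class Listed < SketchBase; attr_accessible :first_name, :email; end
class OptedOut < SketchBase; attr_protected :none => true; end
```

Only Unprotected writes the warning on save; OptedOut stays quiet because the developer stated the choice explicitly, which is the distinction the proposal relies on.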

Conclusion

It's an obvious and simple solution but it requires no extra work from developers to implement, it won't break any existing code, and unlike the other suggestions I've seen it's DRY.

What's more, it keeps the implementation logic for attribute protection in the model where it belongs.


A List of Game Genres in Apple's App Store

Today I was trawling the web for a complete list of the game genres under which Apple categorizes games in the app store.

After a hefty search, I found the list in the most obvious place to look - the Apple website :/ duh

Anyway, if you're like me and couldn't think to look there, here's the list:

  • Action
  • Adventure
  • Arcade
  • Board
  • Card
  • Casino
  • Dice
  • Educational
  • Family
  • Kids
  • Music
  • Puzzle
  • Racing
  • Role Playing
  • Simulation
  • Sports
  • Strategy
  • Trivia
  • Word

enjoy