The Dirty Truth About Web Passwords

Good article by Jeff Atwood on the Gawker web site compromise. The jist of it is that Gawker stored passwords, which is oh so wrong. Yet many sites continue to follow such rediculous practices. It's not just the small sites. eTrade did this during their first years in operation. If you called for a password reset, they'd read you your password over the phone. Altassian Software sent you your password in the clear if you did a password reset. I find that when you alert companies to their incorrect practices they invariably show disregard. At least until they don't.

Atwood calls for a greater use of federated identity so that users don't need to create as many accounts. I couldn't agree more. There is, however, the sticky problem of usability. OpenID botched this. Facebook Connect does a good job with usability but at the cost of reduced security. The web is still waiting for a good user interface solution to federating identity: one that is usable and secure. There was an opportunity for Adobe to solve this problem with Flash because Flash allows code execution within a sandbox. This opportunity has passed since Adobe ceded their opportunity for ubiquity to Apple's interests.

Amazon: It's okay to train you to accept phishing messages

Amazon apparently thinks it’s okay to send you email asking you to click on a link and enter your credit card information. I confirmed with Amazon that the email shown below was in fact sent by them.

Read More

EETimes: Paypal talks about security on mobile devices

A good article on mobile phone security and authentication.

Just protecting the user’s login screen will not be protection enough as the stakes increase. There must be a way to bind the physical identity of the mobile device—some identifying hardware characteristic—to the PayPal account, while allowing only minimum exposure of the user’s password to the network. He suggested several alternatives, only to reject each of them. SIM cards could work, but would require the cooperation of the world’s service providers—an unlikely scenario at best. Micro SD cards similarly could work, but would add cost to the handset that neither the service providers nor the end users would likely accept.

I'd have thought the cooperation of the world's service providers would be something they would be pursuing.

curl, JSON and pretty print

Curl is a wonderful thing. The output can be a bit messy, however.

This python pipe pretty prints your otherwise messy JSON output.

$ curl -H 'Accept: application/json' http://localhost:3001/myserver/cmd | python -mjson.tool

Or, using Ruby, if necessary run

sudo gem install json

then pipe your output.

cat myfile.json | prettify_json.rb

An even nicer solution is this node script, written specifically to handle curl output. You’ll need to make sure you’ve installed Node.js before you can use it.

ActionScript reflection based JSON validation and conversion to VO class

For an AIR application I had a need/desire to convert JSON generic Object instances to a tree of strongly types VO objects. The best post I could find on the subject did not go so far as to convert the Object tree to a strongly typed tree of objects that I’ve spec’d out. This post shows how I did this and I provide my conversion code.

Read More

Flash is great, evil Flash - or how technology changes

It's fun to look back in time. This blog post from 2007 reminds us of the messy state of the web back then, and points out how the Flash runtime seemed like the best answer to writing Rich Internet Apps (RIAs).

Flash is great

Macromedia/Adobe delivered on a compelling vision, with a fast runtime and some incredible, rich features. They essentially solved the world's video interoperability problems (remember Quicktime, Real and Windows Media Player wars). They could even play video on machines with no hardware video acceleration (which was most computers until recently). They followed Apple's lead and supported the H.264 video standard (what some reporters like to now call HTML5 video) rather then proprietary formats (e.g. VC-1 from Microsoft).

Read More

Microsoft: Our strategy with Silverlight has shifted


Update: Or not.

Google: 95% of users ignore warnings of bad site

According to Google security researcher Fabrice Jaubert 95% of users ignore the warning page that Google presents when they try to access a website that is likely to harm their system. It used to be that this warning offered a button which allowed them to proceed to the page, and it is this button that users clicked.Google thus changed the page so that users must copy and paste the URL.

We've long known that users will click through, presumably without reading, any dialogs or alerts that are in the way of them getting what they want. I think this confirms it.

Just wow.

Related article: A peek into Google's anti-malware operation

Favourite place #3

Parliament Buildings

Bikes/cars/peds in NY

The article A unified theory of New York biking and the subsequent comments are very good. Bike Snob has a bit of rebutal here which I also recommend.