The last few weeks I’ve had disk corruption issues on my two year old Macbook Pro’s original internal hard drive. The machine and drive still worked, but I needed to bring the machine into the Genius Bar to get a hard disk replacement.
In preparation I dutifully backed up my machine via Time Machine to an attached Firewire drive at least every day. I dutifully backed up my source code to a remote server with git. I added a third layer of backup to my local NAS device using Chronosync.
Time Machine and git failed me. Chronosync saved me. If not for Chronosync I would have lost a full week’s worth of very intense coding, affecting dozens and dozens of files. I did still lose the revision history for these changes.
Peter Bright posted a terrific piece over at Ars Technica describing the fraudulent issuance of nine high value SSL certificates by Comodo. This included certificates for such high-profile hosts as www.google.com, login.yahoo.com, login.skype.com and addons.mozilla.org. Other equally good reads are the Tor site's detection of the problem and Comodo's explanation. I'm sure Comodo's CEO, Melih Abdulhayoglu, is having fun this week.
The case reveals the intrinsic problems with PKI that we've all been aware of for a long time.
I am a bit surprised by a couple of things, though surprised is perhaps too strong a word.
There is an interesting post by Om Malik over at GigaOm suggesting how Google can get its mojo back from Facebook.
Taking a slight spin on this, I make the observation that a large part of Facebook's value is your identity and your associations, and Facebook's willingness to leverage this information elsewhere on the web (Facebook Connect). Facebook Connect is becoming the most common way to log in to other sites. The reputation of your identity is increased by your associations: it requires a conspiracy to create a fake Facebook account and have N friends, the presence of which increases your identity's reputation.
Good article by Jeff Atwood on the Gawker web site compromise. The gist of it is that Gawker stored passwords, which is oh so wrong. Yet many sites continue to follow such ridiculous practices. It's not just the small sites. eTrade did this during their first years in operation. If you called for a password reset, they'd read you your password over the phone. Atlassian Software sent you your password in the clear if you did a password reset. I find that when you alert companies to their incorrect practices they invariably show disregard. At least until they don't.
Atwood calls for a greater use of federated identity so that users don't need to create as many accounts. I couldn't agree more. There is, however, the sticky problem of usability. OpenID botched this. Facebook Connect does a good job with usability but at the cost of reduced security. The web is still waiting for a good user interface solution to federating identity: one that is usable and secure. There was an opportunity for Adobe to solve this problem with Flash because Flash allows code execution within a sandbox. This opportunity has passed since Adobe ceded their opportunity for ubiquity to Apple's interests.
Amazon apparently thinks it’s okay to send you email asking you to click on a link and enter your credit card information. I confirmed with Amazon that the email shown below was in fact sent by them.
A good article on mobile phone security and authentication.
Just protecting the user’s login screen will not be protection enough as the stakes increase. There must be a way to bind the physical identity of the mobile device—some identifying hardware characteristic—to the PayPal account, while allowing only minimum exposure of the user’s password to the network. He suggested several alternatives, only to reject each of them. SIM cards could work, but would require the cooperation of the world’s service providers—an unlikely scenario at best. Micro SD cards similarly could work, but would add cost to the handset that neither the service providers nor the end users would likely accept.
I'd have thought the cooperation of the world's service providers would be something they would be pursuing.
Curl is a wonderful thing. The output can be a bit messy, however.
This python pipe pretty prints your otherwise messy JSON output.
$ curl -H 'Accept: application/json' http://localhost:3001/myserver/cmd | python -mjson.tool
Or, using Ruby, if necessary run
sudo gem install json
then pipe your output.
cat myfile.json | prettify_json.rb
For an AIR application I had a need/desire to convert JSON generic Object instances to a tree of strongly typed VO objects. The best post I could find on the subject did not go so far as to convert the Object tree to a strongly typed tree of objects that I’ve spec’d out. This post shows how I did this, and I provide my conversion code.
It's fun to look back in time. This blog post from 2007 reminds us of the messy state of the web back then, and points out how the Flash runtime seemed like the best answer to writing Rich Internet Apps (RIAs).
Flash is great
Macromedia/Adobe delivered on a compelling vision, with a fast runtime and some incredible, rich features. They essentially solved the world's video interoperability problems (remember the Quicktime, Real and Windows Media Player wars). They could even play video on machines with no hardware video acceleration (which was most computers until recently). They followed Apple's lead and supported the H.264 video standard (what some reporters now like to call HTML5 video) rather than proprietary formats (e.g. VC-1 from Microsoft).