Archive for January, 2007

DontClick.it

Tuesday, January 30th, 2007

Fascinating experiment in user interface at Don’t Click It. Using it for a few minutes you begin to realise .. wow, I really DO miss clicking. Pity it’s Flash, although you would have difficulty doing it any other way ..

via TooBiased

Sentence of the Day

Tuesday, January 30th, 2007

Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo.

Hilariously, it’s perfectly correct English. My deepest condolences to anyone actually trying to learn this insane language.

Song of the Week

Monday, January 22nd, 2007

さよなら (sayonara) by Rumania Montevideo.

Recent Movies

Friday, January 19th, 2007

A Scanner Darkly (2006)

Very good, although confusing. I had no idea what it was actually about until, after watching, I went and researched the story online. Still, great.

Johnny Mnemonic (Japanese Cut) (1995)

A less than optimal, and horribly dated, conceptualisation of the William Gibson short story. Still worth watching if you’re a fan of Gibson, as I am, and can stomach the cringe-inducing “futuristic” CG. A good example of how and why not to use too much “dateable” computer graphics in films, and Keanu Reeves’s acting is atrocious. Still, watch it.

The Manchurian Candidate (2004)

Very good and highly recommended.

Star Wars – Clone Wars (animated) (2003)

I avoided this for years because I considered it a silly spin-off of the “real” series, and also because the animation style is appalling. However, it was repeatedly recommended to me despite its appearance and so I bit the bullet and watched it.

I’m glad I did. If you can stomach the animation style – and you do get used to it after a while – it’s well worth watching. One wonders why the immense backstory contained within, which basically connects the 2nd and 3rd films in the series, was “locked away” in such an overtly made-for-children format!

Anyway, if you’re in any way a fan of Star Wars, and you’re not too fussy about the “seriousness” of the presentation, I’d highly recommend it.

My application’s so bad …

Monday, January 15th, 2007

My application’s so bad …

… It runs faster with debugging turned on.

… It maxes out the CPU even when it’s not running.

… the error messages crashed console.

… the errors email was too large for my inbox.

… it outputs messages to console begging for me to kill it.

… subversion rejected my commit, and called me an “asshole”

… other applications around it shut down out of pure disgust

… it crashed my modem

… it crashes other computers who are just in the same room

… it starts up my computer, just to crash it

etc.

Worst loading website I’ve ever seen

Monday, January 15th, 2007

Has to be http://monsterpod.us/. Load it up while doing a net/inspect/all in Firebug and giggle as it grinds its way through an incredible 161 requests, totalling 7.28M (!) and taking over two and a half minutes on my 100Mbit connection.

ECC meets Boards of Canada

Sunday, January 14th, 2007

The Evolution Control Committee mixes acapella rap from Doug E. Fresh and Slick Rick’s La-di-da-di over Aquarius by Boards Of Canada. Like most of their work it’s an interesting addition to the original, in this case one of my favourite BoC songs.

Creating a hash from a query in Ruby

Friday, January 12th, 2007

God, who would have thought it would be so easy. And yet it took me several days of playing around to finally figure it out.

I wanted to make a hash of interface strings to use in localisation. So I’ve got my user, and he has a language_id which links him to a languages table. Then I have interfaces, which have interface_strings attached to them, with a language_id field .. so by association joined back to the user. I want to make a hash of interface strings, determined by the user’s language_id, for easy localisation throughout the app.

So I’ve got my user:

@user = User.find_by_id(session[:user_id])  # instance-variable names (@user, @strings, @hash) are assumed; the originals were lost in extraction

From that I can query interface strings in the language of that user

@strings = @user.language.interface_strings.find(:all)  # all interface strings in the user's language

now let’s make an empty hash:

@hash = {}

And fill it with the strings:

for i in @strings
  @hash[i.interface_id] = i.text  # key by interface_id, value is the translated text
end

and now I can just call it by id number, ie interface_id .. or by modifying that loop, I can stick whatever identifying key I like into the hash. I’ll just go with ID numbers because I don’t want to worry about escaping anything:

@hash[1]

.. will return the first interface string (“welcome!”) in whatever language the user has specified (and I have translated).

God, that was easy. Too easy! That’s why it took me so long, I couldn’t join dots that were so close together …
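As an added example (not code from the original post), the same interface_id => text hash built outside Rails from constructed rows, with one extra step the post does not cover: merging a default language underneath the user's language so that ids with no translation yet still resolve. The Struct, the constants and the helper names are assumptions standing in for the ActiveRecord models.

```ruby
# Added example, not from the original post. Struct rows stand in for the
# interface_strings ActiveRecord rows; all names here are assumed.
InterfaceString = Struct.new(:interface_id, :language_id, :text)

# Constructed sample rows, as the interface_strings table might hold them.
EN = 1
JA = 2
STRINGS = [
  InterfaceString.new(1, EN, "welcome!"),
  InterfaceString.new(2, EN, "logout"),
  InterfaceString.new(3, EN, "settings"),
  InterfaceString.new(1, JA, "ようこそ！"),
  InterfaceString.new(2, JA, "ログアウト"),
  # interface_id 3 has no Japanese translation yet
]

# Stands in for @user.language.interface_strings.find(:all)
def strings_for(language_id, rows = STRINGS)
  rows.select { |s| s.language_id == language_id }
end

# The post's for-loop, written as a single expression.
def strings_hash(rows)
  rows.each_with_object({}) { |s, h| h[s.interface_id] = s.text }
end

# Localisation hash for a user: default-language strings first, then the
# user's language merged over the top, so untranslated ids still resolve.
def localised_strings(user_language_id, default_language_id = EN)
  strings_hash(strings_for(default_language_id))
    .merge(strings_hash(strings_for(user_language_id)))
end

if __FILE__ == $0
  h = localised_strings(JA)
  puts h[1]  # ようこそ！
  puts h[3]  # settings (English fallback, no Japanese row for id 3)
end
```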

Pretty Fucking Impressed with Amazon Japan

Friday, January 12th, 2007

Ever since Agile Web Development with Rails, Second Edition, was released in mid December I’ve been itching to send my favourite Gay Developer, David Heinmeyer Handsome, some hard-earned cash. But wouldn’t you know it? All the stupid bookstores here in Tokyo are still only carrying the First Edition, and overpriced it is too. Anyway, I have that one already, in fact I have 2 copies – one here and one in AU.

Now being from Australia, I didn’t even think about getting the book from Amazon. To an Australian, ordering from Amazon means $20+ delivery fees no matter how small your order, at least 2 weeks delivery or maybe 1 if you pay more than what the item is actually worth for air delivery, maybe a customs import duty, endless delays, orders getting lost .. it’s just not worth it. So I didn’t even consider Amazon, even though people started suggesting it.

But I really needed the book, so eventually I caved in and finally ordered it from Amazon. They had it in stock. Cost was ¥4,947, less than the bookshops. Because it’s over ¥1500 delivery was free. And from clicking “checkout” to holding the delivered book in my hand? Under 24 hours. Ordered around 2pm Thursday, delivered to my door before noon the next day.

Un-fucking-believable. Prediction: a lot more orders from Amazon, a lot less wasting time in bookshops.

Software Praise

Saturday, January 6th, 2007

Here’s some software I really like recently and want to publicly praise.

WeatherDock

Finally, a replacement for the abandoned Meteorologist. Can be configured just the way I like it – to display the current outside temperature and weather in the menubar, nothing in the dock (despite the name!). Free. Reliable. Good stuff.

Actually that’s all I can think of. But it’s still praiseworthy!

I have a total of 3 non-Apple apps running in my menubar – WeatherDock, SoundSource, and MenuMeters. Love them all.

Why not just store passwords in plaintext?

Saturday, January 6th, 2007

I mean seriously .. what is the actual reason to store them as hashes?

So if your database is compromised, people can’t see the passwords? Is that the reason? Seems to me that if your DB is compromised, you’re kinda fucked anyway.

Is it so you can save the hash in a cookie, and log people on automatically? So why not just store the hash in cookies only? And if you can see the hash, you can fake the cookie anyway, and gain a login that way! And let’s not forget that a dedicated attacker in possession of the hashes can just brute force them anyway, so you’re just slowing them down a bit. Even if you use a different salt for every hash, how long do you seriously think it takes to brute force a 6-digit password on a modern computer? 10 minutes max?

So why? Is there some killer reason I’m missing? Because there’s certainly a cost – you can’t email users their passwords anymore, something that users find extremely convenient, which is why YouTube and MySpace both store them in plaintext. And don’t tell me emailing a password is a risk any more than emailing a “click here to change your password” link – which inevitably contains some sort of authentication token encoded in the URL. If an attacker owns the email, he owns an account which relies on that email, period. And as for “protecting your password from the webmaster” – don’t make me laugh, if he wants your password he can get it the next time you type it no matter what’s in the database. And if an attacker has compromised your main server, he could easily add some code to store login information somewhere, or even email it to himself!

So let me get it straight: Storing credit card information – no problemo! Storing names, dates of births, and other personal information useful for identity theft – hokey dokey! Storing hits, IP addresses, full text of all private messages, and the complete history of everything a user ever does on a site – yes sirree! Sending passwords in plain text over the wire, over insecure private and public networks, through countless routers owned by who knows who .. alrighty then! But storing passwords in a secure database- oh no, can’t do that, not in a million years.

Oh and yes I’m well aware of what happened to Reddit. But their database was stolen! I mean .. isn’t the real problem not that the passwords were in plaintext, but that their database was stolen??? As far as I can see, the only valid argument for hashing passwords in an otherwise well-designed system is to protect them from rogue non-authorised personnel with physical access to the machine, as you might find in a datacentre. But gee, if you’ve got that type of person hanging around in your datacentre you’ve got other problems .. and they could just as easily sniff you at the switch. Hell, the lesson I take away from the Reddit case is simply this: encrypt, or otherwise protect, your backups.

My take: it’s OK to store passwords in plaintext as long as you’re real careful about it. Treat them the same as you would CC information – preferably on a separate machine from the web server, on a private network, with a different authentication regime. Extra points for implementing some kind of token system so only one password can get out at a time over a defined interface. But geez, we can put man on the moon, you’d think we could store a fricking password safely.

My feeling is that the obsession with password hashing derives from the old days of massive, shared computers, where anyone could read /etc/passwd, and an insecure database was assumed. For anyone with their own dedicated servers, it’s just not such an issue anymore. With the proper precautions in place, I don’t see why passwords shouldn’t be stored in their native state.

I hate GoDaddy

Thursday, January 4th, 2007

I used to like GoDaddy. More than any other single company, they pulled down the cost of domains. I appreciated their aggressive debut into the domain market and bought most of my domains through them. Basically they were the first good alternative to that spawn of satan, Network Solutions.

But these days I can’t stand them. I can’t stand their web site design, I can’t stand their ugly girls with whom they try to appeal to the NASCAR crowd, I can’t stand their nickel-and-diming on every conceivable add-on, nor their misleading pricing.

I also can’t stand their egomaniac CEO Bob Parsons, the earring-bedecked bald fuckwit whose blog is so utterly soaked in sickening self-congratulation that anyone glancing at it for more than a few seconds is possessed by an irresistible desire to run the diminutive poser over with a truck. His name, by the way, is featured not once but TWICE on the company’s current home page – a level of onanistic chutzpah exceeding any other example I can think of.

They made a deal with Microsoft to change their domain parking servers over to IIS, thus providing MS with a massive artificial boost of IIS market share. They’ve been implicated time and again in breach of privacy cases, and totally ignore the free-speech rights of their customers as they fold effortlessly to the smallest request from practically anyone to pull any domain anytime. Basically I don’t trust them at all.

I hate their logo, that stupid guy with the hair and sunglasses. I hate their slow, over-complicated, website, and the fact that it’s served by ASP. I hate how every second sentence of worthless tripe on that site ends with an exclamation mark. I hate how they try to sell you their worthless “guides” whenever you try to buy anything. I hate their product “Website Tonight” – anyone who cannot understand how to build a web site, or pay someone who does to do it for them, does not fucking deserve to have a web site.

I could go on for hours, but what’s the bottom line? They are ugly, greedy, unreliable, untrustworthy, irresponsible, egotistical, mercenary bastards who do not deserve my – or your – money.

SSL scam now slightly cheaper

Thursday, January 4th, 2007

I have always viewed the entire SSL regime as nothing but the worst of scams – even worse than Verisign’s control of .com. I would say it’s a license to print money, but they don’t even have to print it – it’s a license to generate money, day in day out, via a simple set of scripts. And let’s not even get into the fact that they are basically useless – there has never, ever been even one single verified case of sensitive information being stolen while in transit! – but I admit that the psychological value is high. Still, I loathed the system so much that I’ve never bought an SSL certificate for personal use.

Until recently, that is. The price of the certificates has massively decreased – so that instead of straight-up daylight robbery, it’s now more akin to night-time pilfering, maybe of your milk delivery, the paper, and some garden gnomes. While I remember in the bad old days of NetSol and Web 1.0 these tiny text files could set you back multiple hundreds of dollars, the value has dropped continuously – slowly but surely creeping more into line with the vanishingly small cost of actually delivering the service – and now is kind-of, sort-of acceptable.

The price I’m finally willing to pay is USD$13.95 from ServerTastic, who resell RapidSSL, ultimately issued by GeoTrust. The certificates are pretty good quality, appearing as being signed by “Equifax Secure Global eBusiness CA-1” and utilising a single root certificate – none of this chaining bullshit. Service is good, and RapidSSL sure are rapid – a confirmation email to the domain owner, an automated phone call, and you’re done.

So yeah. It’s still a scam, but at least it’s a cost-of-a-6-pack scam instead of a cost-of-an-iPod scam. And I highly recommend ServerTastic.

BTW, if you’re coming off a nasty chained cert like those issued by the previous lowest-price provider, Comodo, RapidSSL has a promotion where you can switch to them for free.