
July 2006

July 25, 2006

Killing Bugs With Ruby

I love using Ruby, it is so good at doing complex things in such a small amount of code that most of the bugs I'm used to never have a chance to exist.

When the bugs do exist, they are usually pretty easy to find and squish. Daniel Hinojosa has taken this to a whole new level using Dave Thomas' Programming Ruby book:

killing bugs with ruby

This is proof that code generation tools are not needed in Ruby. Generation tools cannot do *that*!!

July 24, 2006

Too Much Venture Capital

I heard about a new service called Diigo today. Guess what it does? Yup, it's a YASBS (Yet another social bookmarking site).

Mashable had a blog post that summed up my feelings: Diigo Launches, Nobody Cares.

Now, to be fair, it is great to see developers creating cool new applications. I don't want to lose sight of the fact that creating something is hard work, so I applaud the Diigo developers.

What I want to rant about is how many of these things do we need? I was reading a blog today and was greeted with this at the end:

Why on earth does the world need 26 social bookmarky things?? My thought is that once del.icio.us was bought out by Yahoo!, everyone and their dog decided to start the next "Bookmark 2.0" company, and the VCs had plenty of capital sitting around with nowhere to put it.

Honestly, the only reason I might check out Diigo is because one of the comments on Mashable said that it was like Cocoa Puffs — man I love those!

Note to Venture Capitalists: I have many better ideas than this. Contact me ;)

July 09, 2006

Time to add another digit to your password?

I was reading an interesting article today that estimates the time required to crack a password (using brute force) for various types of passwords. You think your "paSSw0rd" is secure because you used mixed-case characters and numbers? Well, it might be for someone with a Pentium 100 and a short attention span, but anyone willing to wait 1.5 years to crack your password will get your data. However, someone with a strong workstation doesn't need to wait that long - 25 days is all he needs.

So let's say you are even more sophisticated, as I used to consider myself, and you add some symbols to your password. I always thought my password was super-secure because it used mixed-case letters, numbers and multiple common symbols - something like "pA$$w0R@". However, according to the chart, this password could be cracked in 2.25 years with a reasonably strong multi-core workstation. This may seem like a long time, but it really isn't - your password should last as long as the value of the contents require - my banking information will likely remain valid for the next 10-20 years. For me, 2.25 years is simply not enough. So maybe I should add one more digit?

Before adding just one digit, consider a distributed network of machines like distributed.net is using for their RC5 project. This project recently showed that it was capable of trying 139,285,658,551 passwords a second!! That's 139 Billion keys (yes, that is a B) per second. Simply amazing. With a system like this, a hacker could break your 8 character password (that includes symbols) in 83 days.

Adding a single digit would increase this time to about 22 years to crack, which is still a little too close for my liking. After all, in 20 years machines will be a million times faster, so the equivalent of a Pentium 100 in 20 years will be able to crack your password in about 2 hours.

I think it's time to ditch the 8 character password and use something more reasonable like 12. This would expand the keyspace size by 84 million times, which would cause a network like distributed.net to take 20 million years to crack it. Even in 20 years, it would still take 20 years to crack.
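To show how the keyspace arithmetic above works out, here is an added example (not the article's chart or any calculation from the original post) that models exhaustive-search time for a given alphabet size, password length and guessing rate. It assumes a 96-symbol alphabet (an assumption; 96 to the 4th power reproduces the "84 million times" expansion quoted above) and the post's rule of thumb of a million-fold speedup over 20 years; the chart's own assumptions are not on this page, so its figures will differ from what this model prints.

```ruby
# Added example, not code from the original post. Alphabet sizes below are
# assumptions; 96 is chosen because 96**4 matches the "84 million times" figure.
ALPHABETS = { lower: 26, lower_digits: 36, mixed_digits: 62, mixed_digits_symbols: 96 }.freeze
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Number of candidate passwords of exactly +length+ characters.
def keyspace(length, alphabet_size)
  alphabet_size**length
end

# Worst-case seconds to try every candidate at +guesses_per_second+.
def seconds_to_exhaust(length, alphabet_size, guesses_per_second)
  keyspace(length, alphabet_size).to_f / guesses_per_second
end

# Same figure expressed in years.
def years_to_exhaust(length, alphabet_size, guesses_per_second)
  seconds_to_exhaust(length, alphabet_size, guesses_per_second) / SECONDS_PER_YEAR
end

# Factor by which adding +extra+ characters enlarges the keyspace.
def keyspace_growth(alphabet_size, extra)
  alphabet_size**extra
end

# Years to exhaust if the attacker starts +years_ahead+ years from now.
# Assumes the post's rule of thumb: a million-fold speedup over 20 years,
# i.e. guessing speed doubles roughly every year (2**20 is about 1,048,576).
def years_to_exhaust_in_future(length, alphabet_size, guesses_per_second, years_ahead)
  years_to_exhaust(length, alphabet_size, guesses_per_second * 2.0**years_ahead)
end

# Bits of entropy for a uniformly random password drawn from this alphabet.
def entropy_bits(length, alphabet_size)
  length * Math.log2(alphabet_size)
end

if __FILE__ == $PROGRAM_NAME
  rate = 139_285_658_551 # keys per second quoted above for distributed.net
  size = ALPHABETS[:mixed_digits_symbols]
  [8, 9, 12].each do |len|
    printf("%2d chars: %.1f bits, %.3g years now, %.3g years if started in 20 years\n",
           len, entropy_bits(len, size), years_to_exhaust(len, size, rate),
           years_to_exhaust_in_future(len, size, rate, 20))
  end
end
```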

Firefox 2.0 Beta Adds Phishing 'Protection'

Today I read in PC Magazine that Firefox 2.0 Beta is now available. I was very surprised by the following new "feature":

Reports from early testers compliment two of the significant new features [...snip...] The phishing filter (an integrated component of IE 7.0 as well) works with locally stored lists of bad sites, along with Google's site listing, and possibly others down the road.

I really hope this report is wrong, because having a "black list" of phishing sites is just plain stupid. Why am I so upset by Firefox having "locally stored lists of bad sites"? Well, Marcus Ranum said it best in his article on The Six Dumbest Ideas in Computer Security (emphasis mine):

Default Permit: Another place where "Default Permit" crops up is in how we typically approach code execution on our systems. The default is to permit anything on your machine to execute if you click on it, unless its execution is denied by something like an antivirus program or a spyware blocker. If you think about that for a few seconds, you'll realize what a dumb idea that is. On my computer here I run about 15 different applications on a regular basis. There are probably another 20 or 30 installed that I use every couple of months or so. I still don't understand why operating systems are so dumb that they let any old virus or piece of spyware execute without even asking me. That's "Default Permit."

A black list of phishing sites is destined to fail. Again, let's let Marcus explain:

One clear symptom that you've got a case of "Default Permit" is when you find yourself in an arms race with the hackers. It means that you've put yourself in a situation where what you don't know can hurt you, and you'll be doomed to playing keep ahead/catch-up.

Worst of all, you are now required to rely on corporate America to tell you if a particular web site is "safe". I think Firefox would be better off not following the corporate IE approach, and solving the phishing problem in the simplest and most effective way: rely on a Password Manager to only fill forms on sites that **you** have filled before. You see, Firefox has a Password Manager that will only fill passwords on sites where the Top Level Domain (TLD) matches; by relying on the Password Manager, you will never accidentally put your credentials into a phisher's site. This seems incredibly simple and effective to me. If users understood the benefits of a Password Manager, instead of being fooled by a magic black list that will never stay up-to-date, we might actually stop phishing attacks, since the hackers' return on investment wouldn't be worth the effort.

This is why I keep mentioning RoboForm and 1Passwd — these password managers protect you from many evils while at the same time making your surfing experience more convenient. I am so passionate about this that I had to write 1Passwd. Please do yourself a favour and use a Password Manager; leave the snake oil for someone else.

July 07, 2006

Cool PhotoShop Techniques

I was playing around with PhotoShop today seeing what cool things I could create for my newest baby. So far I managed to make a nice little I Love Mac + 1Passwd logo, but today I tried to take it to the next level.

I'm a big fan of the plastic look and feel, so I was delighted when I found this step-by-step tutorial on creating plastic effects. This tutorial was great for me because it walked me through the entire process - this was great for a PhotoShop newbie like myself.

After following the steps, and repeating them 4 times because of my newbie status, I ended up with this "masterpiece":


Plastic-1Passwd

This isn't exactly the plastic look I was looking for, but I actually think it looks pretty neat! The "asswd" looks like it is made of glass and has been polished to the 9's. But the "1P" looks really kinda neat -- it's like a glass container with a gel inside it.

What do you think?

July 06, 2006

Phishing for PayPal Logins: Protect Yourself!

LifeHacker had a post today about how to detect PayPal phishing attempts. The article was lacking critical knowledge, since no one (not even eBay!) recommended the use of a Form Filler technology like RoboForm or 1Passwd.

I would have been happy to further the article with some comments, but LifeHacker has this strange "comment by invite only" philosophy. Here is the comment I would have placed if I was allowed to:

Phishers Cannot Trick Form Fillers
There is no phishing attack invented yet that can trick an automated Form Filler. In today's day-and-age you need to have a Password Manager for your sanity and security. Everything mentioned here (except the eBay toolbar) relies on you being safe. If you are tired (or drunk) then you're likely to make a mistake.

A Form Filler, otoh, will only ever fill a form with your user id and password if the Top Level Domain matches exactly. This means a phisher has to hijack the paypal.com domain in order to steal your login. While this is possible, eBay would figure it out pretty quick :)

Do yourself a favour and try RoboForm for Windows or 1Passwd for Mac OS X.

If anyone has a LifeHacker "invite" and found this comment useful, please send the invite my way.
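The domain-matching rule described in this post and in the Firefox 2.0 post above, as an added example that is not RoboForm's or 1Passwd's code: a saved login is filled only when the page's registrable domain (the "paypal.com" part) equals the one the login was saved on, so look-alike hosts and typo-squats are refused. The tiny suffix list, the sample login and the extra rule of refusing plain-HTTP pages are all assumptions of this example.

```ruby
require 'uri'

# Added example, not a real form filler's code. A real implementation needs the
# full public suffix list; this two-entry list is an assumption for the demo.
MULTI_LABEL_SUFFIXES = %w[co.uk com.au].freeze

# Registrable domain for a host, e.g. "www.paypal.com" -> "paypal.com".
# Returns nil for hosts with no registrable part (e.g. "localhost", "co.uk").
def registrable_domain(host)
  labels = host.downcase.chomp('.').split('.')
  return nil if labels.size < 2
  suffix_len = MULTI_LABEL_SUFFIXES.include?(labels.last(2).join('.')) ? 2 : 1
  return nil if labels.size <= suffix_len
  labels.last(suffix_len + 1).join('.')
end

# A saved login: the URL it was originally entered on, plus the username.
SavedLogin = Struct.new(:saved_url, :username)

# Fill only when the page is served over HTTPS and its registrable domain
# equals the one the login was saved on. Returns [:fill, login] or [:refuse, reason].
def autofill_decision(page_url, saved_logins)
  page = URI.parse(page_url)
  return [:refuse, 'not https'] unless page.is_a?(URI::HTTPS)
  page_domain = registrable_domain(page.host.to_s)
  return [:refuse, 'unparseable host'] if page_domain.nil?
  match = saved_logins.find do |login|
    registrable_domain(URI.parse(login.saved_url).host.to_s) == page_domain
  end
  match ? [:fill, match] : [:refuse, "no login saved for #{page_domain}"]
end

# Constructed sample data: one login saved on paypal.com.
LOGINS = [SavedLogin.new('https://www.paypal.com/signin', 'alice')].freeze

if __FILE__ == $PROGRAM_NAME
  ['https://www.paypal.com/cgi-bin/webscr',     # same site: fill
   'https://www.paypal.com.example.net/login',  # look-alike subdomain: refuse
   'https://paypa1.com/login',                  # typo-squat: refuse
   'http://www.paypal.com/signin'].each do |url| # no TLS: refuse
    puts "#{url} -> #{autofill_decision(url, LOGINS).inspect}"
  end
end
```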

July 01, 2006

Cruddy Searches

I wrote before about how embracing CRUD helps you enrich your domain model. Today I was reading Josh Susser's "geek by association" weblog where he pondered the impact of CRUD on search.

I have to admit that my first impression was that Josh had lost his marbles. Clearly search is one of those "Edge Cases" that our new CRUD mindset cannot be applied to. But as with most things, Josh was already ahead of me.

Having a search model object I think is actually an incredibly wonderful idea. Consider the following ideas that you could add to your application:

  1. Allow your users to save their search criteria for later use.
  2. Have an admin page that shows you what your users are searching for.
  3. Know how many results your user had for a particular search.
  4. Define a "google alert" type feature in your app.

If you wanted to do any of these, having a search model object would save your bacon. Imagine having an Alert domain object that has a one-to-many relationship with your Search domain object.

I wanted to add Google Alerts to DevLists for a long time; you can already easily manage your developer mailing lists, but imagine if your mailing list contacted *you* when there was something that you were very interested in. That would be neat!

As for my current baby, my Password Manager and AutoFiller for Mac OS X would benefit greatly from having a search box on the website. If I added a Search object to my domain, I could have realtime data on whether my users are finding what they want.

Imagine how more effective I could be if I had a list of everything my users searched for **and** how many results they had. If they searched for "Keepass", they would currently have zero results because it is not mentioned in the manual. Once I saw this, I could add "How 1Passwd Goes Beyond KeePass" to my documentation.
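A plain-Ruby sketch of the Search model object discussed above, added here as an example (not DevLists' or 1Passwd's code): every search is recorded with its criteria and result count, which gives both the "what are users searching for" admin view and the zero-result report, and an Alert owns many saved Searches that it re-runs against new content. The manual pages and user names are constructed sample data.

```ruby
# Added example, not code from the original post or its projects.
Search = Struct.new(:query, :result_count, :user, :at)

class SearchLog
  def initialize; @searches = []; end

  # Run +query+ over +documents+ (an array of strings), record the search
  # with its result count, and return the matching documents.
  def run(query, documents, user:)
    hits = documents.select { |doc| doc.downcase.include?(query.downcase) }
    @searches << Search.new(query, hits.size, user, Time.now)
    hits
  end

  # Queries ranked by how often they were searched, for the admin page.
  def popular
    @searches.group_by(&:query).map { |q, s| [q, s.size] }.sort_by { |_, n| -n }
  end

  # Distinct queries that returned nothing: what the documentation is missing.
  def zero_result_queries
    @searches.select { |s| s.result_count.zero? }.map(&:query).uniq
  end
end

# An Alert owns many saved searches and fires when new content matches one.
class Alert
  attr_reader :owner, :searches
  def initialize(owner, queries)
    @owner = owner
    @searches = queries.map { |q| Search.new(q, 0, owner, nil) }
  end

  # Returns the saved queries that the new document satisfies.
  def triggered_by(document)
    @searches.map(&:query).select { |q| document.downcase.include?(q.downcase) }
  end
end

# Constructed manual pages standing in for the product documentation.
MANUAL = ['1Passwd fills forms in Safari', 'Importing from RoboForm'].freeze

if __FILE__ == $PROGRAM_NAME
  log = SearchLog.new
  log.run('RoboForm', MANUAL, user: 'alice')
  log.run('Keepass', MANUAL, user: 'bob')
  p log.popular, log.zero_result_queries
  p Alert.new('bob', ['Keepass']).triggered_by('How 1Passwd Goes Beyond KeePass')
end
```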

Comments?