Saturday, October 30, 2010

Important: Steve Gibson Explains Firesheep

with Leo Laporte on Security Now.  If you never watch another TWiT video/podcast, you should probably watch this one.

A new Firefox extension, Firesheep by Eric Butler, lets anyone on the same open WiFi hot spot (e.g., a typical Starbucks today) see your Facebook session, and your sessions on other services, and take them over.  The mechanism is simple: once you log in, the site hands your browser a session cookie, and on an open network that cookie goes over the air in the clear with every page you request, so whoever captures it can present it to the site as their own and be you.  They can look at your pictures, change them, make posts, change your profile and, depending on what the site lets an already-logged-in session do without asking for the password again, possibly even change your password.

The quick check is simple:  If you didn't type in a password to access their WiFi, then the network isn't encrypted and everything you send over plain http:// is visible to anyone nearby.  If you typed in a WiFi password (technically, if they use WPA encryption), you're in much better shape, with one caveat: with a shared WPA password everyone on the network has the same key, so someone who also knows the password and captures your connection setup can still decrypt your traffic.  The real fix has to come from the web sites, by sending the whole session over SSL (https://) so the cookie never crosses the air in the clear, or from you, by using a VPN on any network you don't control.  Hopefully everyone involved will fix this as soon as possible.  Until then, beware.

Some sites are already secured against this themselves, e.g., Gmail, because they force the use of SSL (https://) for the entire session, not just the login page, so the session cookie is only ever sent encrypted.  A site that uses https:// for the login page and then drops back to http:// for everything else is still exposed; Firesheep never needs your password, only the cookie that proves you already logged in.
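To make the mechanism concrete, here is a small added example (my own illustration, not code from the original post and not Firesheep's code): a sniffer-style parser that pulls session cookies out of cleartext HTTP requests, which is essentially all Firesheep has to do on an open network, plus an audit of a server's Set-Cookie headers that tells you whether a site would be exposed.  The traffic is constructed; the hostnames, cookie names and the list of "session-looking" cookie names are assumptions for the example.

```python
"""Added example for this post (not code from the post or from Firesheep):
a sniffer-style parser that pulls session cookies out of cleartext HTTP
requests, which is all Firesheep has to do on an open network, plus an
audit of Set-Cookie attributes that shows whether a site would be exposed.
The traffic below is constructed; hostnames and cookie names are made up."""
from typing import Dict, List, Tuple

# Constructed sample of what anyone on the same open hot spot sees:
# two browser requests sent over plain http:// and one server response.
SAMPLE_TRAFFIC: List[bytes] = [
    b"GET /home.php HTTP/1.1\r\n"
    b"Host: www.example-social.com\r\n"
    b"Cookie: sessid=abc123; lang=en\r\n\r\n",
    b"GET /mail/ HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: SID=zzz999\r\n\r\n",
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: sessid=abc123; Path=/; HttpOnly\r\n"
    b"Set-Cookie: lang=en; Path=/\r\n"
    b"Content-Length: 0\r\n\r\n",
]

# Cookie names that typically carry a login session. Firesheep ships a
# per-site handler list instead; this generic list is an assumption.
SESSION_COOKIE_NAMES = {"sessid", "sid", "phpsessid", "jsessionid", "session"}


def split_message(msg: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return the start line and a list of (lower-cased name, value) headers."""
    head, _, _body = msg.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def extract_session_cookies(traffic: List[bytes]) -> List[Tuple[str, str, str]]:
    """Harvest (host, cookie name, value) for every session cookie sent in the clear.

    With this triple an attacker can replay the cookie from their own browser
    and the site cannot tell them apart from the real user."""
    found = []
    for msg in traffic:
        start, headers = split_message(msg)
        if start.startswith("HTTP/"):
            continue  # a response; only requests carry the Cookie header
        host = next((v for n, v in headers if n == "host"), "")
        for n, v in headers:
            if n != "cookie":
                continue
            for pair in v.split(";"):
                name, _, value = pair.strip().partition("=")
                if name.lower() in SESSION_COOKIE_NAMES:
                    found.append((host, name, value))
    return found


def audit_set_cookie(response: bytes) -> List[Dict[str, object]]:
    """Report, per cookie the server sets, whether it carries the Secure flag.

    Without Secure the browser sends the cookie over http:// as well as
    https://, so a site that encrypts only its login page is still exposed."""
    _start, headers = split_message(response)
    report = []
    for n, v in headers:
        if n != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}
        report.append({"name": name,
                       "secure": "secure" in attrs,
                       "httponly": "httponly" in attrs})
    return report


def exposed_cookies(response: bytes) -> List[str]:
    """Names of cookies a sniffer on an open network could capture."""
    return [c["name"] for c in audit_set_cookie(response) if not c["secure"]]


if __name__ == "__main__":
    for host, name, value in extract_session_cookies(SAMPLE_TRAFFIC):
        print(f"captured session cookie {name}={value} for {host}")
    print("cookies without Secure flag:", exposed_cookies(SAMPLE_TRAFFIC[2]))
```

Note that HttpOnly, which the first cookie above does carry, doesn't help here at all: it only stops page scripts from reading the cookie, while the Secure flag (missing on both) is what keeps the browser from ever sending it over plain http://.  That is the one-line check to run against any site you care about.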

Note that there's a brief chunk of news discussion in the early middle of this video.  You may want to skip ahead to 44m30s.

For computer folks who may be wondering, the blinking lights behind Steve Gibson are old PDP-8 computers!   8-)

Embracing the Virtual

I'm starting to embrace virtual computers and machines, and virtual computing in a big way.

I'm also starting to embrace video and music streams vs. media and soft downloads vs. buying hard media.

More to come.

The 11-in Macbook Air

I saw the 11-in Macbook Air at the Apple Store last night.  My first impression is, Wow!  My second impression is, Yeah, Apple is right on this one, this is the future of the netbook/laptop computer.

Additional impressions:

  • This is better than the iPad.  Yeah, I've finally played with iPads on a few occasions and it's compelling and amazing, but I'm not sure how practical.  The enthusiasts I listen to on podcasts are starting to talk about migrating back to their laptops and refer to the pad as always a second computer that you want to use, but that it's maybe even a luxury.
  • The 11-in screen is sufficient and the resolution is the same as on the 13.
  • My 13-in Macbook Pro seems big now.   8-/  And heavy.  !!
  • I've been expecting the end-of-media for a few years now and I'm starting to embrace it.  I'm resisting buying CDs, DVDs and Bluray discs, and a Bluray player, so far.  So, having no so-called optical drive is okay, I think.
  • The 11-in has exactly the ports I use, USB for a mouse and keyboard, video for external monitor or TV, audio for speakers or headphone.
  • The wider aspect screen seems shorter and is a bit off-putting.  I don't know if it would actually be bothersome but that's something to take a second look at.
More later.

Basically I've had nothing but reservations about the iPad from the start, in spite of being excited about the idea of a computing pad for decades.  I have no reservations and I'm pretty excited about this computer.

Web Site Easily Cracks Windows 14-Char Passwords from Hash

CIO Zone has an article by Dan Dieterle about a web site put up by Objectif Securite which can crack a 14-character Windows password from an input hash in only a handful of seconds.  Their secret sauce is precomputed lookup tables (rainbow tables) for the Windows hash, stored on fast solid state drives (SSD) so the lookups themselves take almost no time.

If you are a Windows user then it may help to know, before you completely panic, that using this technique requires getting the stored hash of a password.  This means they've already broken into your computer (or got hold of a copy of its disk or a backup), and have access to everything, before this could be used.

A common technique on computer systems is to take a password, run it through a hashing function to turn it into a fixed-length, random-looking string, and store that string on the computer instead of the password itself.  Then, to verify a password when you type it in, the hash function is applied to what you typed, the resulting string is compared to the stored string, and if they match the assumption is that the passwords match and you're authenticated.

Another assumption is that the hashing function is essentially one-way, i.e., you can't take the hashed string and immediately turn it back into a password.  The above web site doesn't reverse the function; it precomputes the hashes of an enormous number of candidate passwords ahead of time and then simply looks the stored hash up.  That works against the older Windows hash (the LM hash) for two reasons: it is unsalted, so the same password produces the same hash on every machine and one table serves for everyone, and it folds the password to upper case and splits it into two 7-character halves that are hashed separately, which is why 14 characters is no harder to crack than two 7-character passwords.  Mixing a random, per-user salt into the hash is what breaks this kind of attack, because the table would have to be rebuilt for every salt.
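Here is an added example to make the hashing story above concrete (my own illustration, not code from the article and not what the Objectif Securite site runs): the normal hash-and-compare login check, a precomputed table that cracks an unsalted hash with a single lookup, the LM-style two-halves weakness, and a salted variant that the same table cannot touch.  SHA-256 stands in for the real Windows functions (LM uses DES, NTLM uses MD4); that substitution, and the tiny word lists, are assumptions for the example.

```python
"""Added example for this post (not code from the article or from the
Objectif Securite site): why a stored, unsalted Windows-style hash falls to
a precomputed table, why the LM hash's two 7-character halves make 14
characters no harder than 7, and why a per-user salt defeats the same
table. SHA-256 stands in for the real functions (LM uses DES, NTLM uses
MD4); that substitution is an assumption, the structure is the point."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple


def unsalted_hash(password: str) -> str:
    """Windows-style: no salt, so the same password hashes the same everywhere."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def verify_unsalted(password: str, stored: str) -> bool:
    """The normal login check: hash what was typed, compare to what is stored."""
    return hmac.compare_digest(unsalted_hash(password), stored)


def lm_style_halves(password: str) -> Tuple[str, str]:
    """Mimic the LM hash's structure: upper-case, pad with NULs to 14 characters
    (LM is capped at 14), then hash each 7-character half on its own."""
    p = password.upper().ljust(14, "\0")[:14]
    return unsalted_hash(p[:7]), unsalted_hash(p[7:])


def build_table(candidates: Iterable[str]) -> Dict[str, str]:
    """Precomputed hash -> plaintext table. A rainbow table is a compressed form
    of exactly this; the SSDs in the article just make the lookups fast."""
    return {unsalted_hash(c): c for c in candidates}


def crack_unsalted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup instead of any hashing at crack time."""
    return table.get(stored)


def crack_lm_style(stored: Tuple[str, str], table: Dict[str, str]) -> Optional[str]:
    """Crack each half independently; a 14-char password is two 7-char problems."""
    first, second = (table.get(h) for h in stored)
    if first is None or second is None:
        return None
    return (first + second).rstrip("\0")


def salted_store(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """What a salted scheme stores: the random salt plus hash(salt || password)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex(), digest


def verify_salted(password: str, salt_hex: str, stored: str) -> bool:
    """Login check for the salted scheme: recompute with the stored salt."""
    digest = hashlib.sha256(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored)


# Constructed, tiny "dictionaries" standing in for the billions of entries a
# real table holds; the \0 chunks are what the padding produces for short passwords.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon"]
CHUNKLIST = ["PASSW0R", "D123456", "LETMEIN", "1234567", "QWERTY\0", "\0" * 7]
TABLE = build_table(WORDLIST)
CHUNK_TABLE = build_table(CHUNKLIST)


if __name__ == "__main__":
    stored = unsalted_hash("letmein")  # what a dumped hash would look like
    print("unsalted lookup:", crack_unsalted(stored, TABLE))  # letmein
    print("LM-style halves:", crack_lm_style(lm_style_halves("Passw0rd123456"), CHUNK_TABLE))
    salt, salted = salted_store("letmein")
    print("same word, salted:", crack_unsalted(salted, TABLE))  # None
    print("salted login still works:", verify_salted("letmein", salt, salted))
```

The LM-style result comes back in upper case because that is all the hash preserved, which is one more reason a 14-character LM password has far less entropy than its length suggests.  The salted case is the one to take away: the same word, the same table, and the lookup finds nothing, while the legitimate login check still works because the salt is stored alongside the hash.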

So, again, to use this to get your password, an attacker would have to have already compromised your system to dig out the hash string.  For a single computer this isn't that big a threat.

What is the threat then?  Well, at a site, say a corporate office, by compromising a single, poorly protected system, say some person's desktop, an attacker could get the hashes and then use this technique to get the password of an important user, even the site or system administrator.  They would then gain immediate access to other more important systems, the entire corporate infrastructure, and important corporate data.  The intruder could potentially live and operate, well-hidden, in such a compromised system for weeks or months.


It doesn't seem that long ago that we considered eight-character passwords to be secure.  I used 14-char for a while simply because that was the maximum limit Windows allowed.  Now I use longer passwords (and no, I'm not saying how long), for non-Windows systems and web sites.

Pretty soon, you're going to start seeing other “factors” used to authenticate to a system.  In other words, you'll no longer just type in a password; you'll have to do something else, say answer a question, or authentication may involve something you have with you, like a key of some sort.  Some well-designed financial sites already use such techniques now.

Thursday, October 28, 2010

Yesterday's Hurricane

Over the midwest.

Credit:  Surface map image from The Weather Channel.

I've Really Been Enjoying

@stevemartintogo on Twitter, when I remember to read them.  For example:

Saturday, October 23, 2010

GTD Realization of the Day

While sorting through a big box of cables that I'd collected, I realized that I don't need a 6-liter box full of telephone cables and jumpers with RJ-11 connectors.  The fact is, we don't even use wired telephones any more!

Friday, October 22, 2010

Hooray! Gmail Animated Themes

Are working again!

I Manage by Dipping

Into the information firehose that @louisgray speaks of.

An early talk by Laura Fitton, @pistachio, introduced the idea that Twitter was a stream to dip into, not a flow to fully consume.  You don't try to back up and catch it all, you just dip in and take from what's flowing by at the time, like channel surfing on TV.  (Well, at least some of us remember pre-Guide channel surfing).

My way of doing this is to read Twitter once or twice per day.  I usually read it in the morning and, occasionally, a time or two throughout the day.  Maybe more on days like a holiday when I have more free time.  I generally read back a little way into my stream of followees, typically covering the most recent hour or two of posts.  There are some followees that I will click on to read further back in their stream.  Those tweeters are likely to be a news web site, almost never an individual with the exception of a few bloggers.  That way, I catch up on their stories of the day and not just what they published in the last hour or so.

In fact, since I tend to read Twitter early in the morning, it's heavily slanted toward Great Britain, so selective reading back on some streams helps balance that out.

For Facebook, I generally only look at the Facebook gadget on the home screen of my Nexus One Android phone.  That gadget is on the far left of the five screens, way over there with the music player, photo gallery, Shazam and such, so it's not where I normally go on the phone.  I may click through recent wall updates that appear there, but it's only a handful.  I probably do this less than once per day and just at random times.

After looking, I might actually click into the Facebook app itself and read more comments or reply to something.  This makes my reading of Facebook a similar dipping into the stream.  I don't keep up with everything that would appear on my Facebook page because I rarely log into it, maybe once or twice per week.  But then, I describe myself as far less than a fan of Facebook.

The other way I interact with Facebook is through email when someone messages or posts to me directly.  In that case, I probably do log into Facebook, via clicking on the link in the message (watch for phishing attacks!!), to reply or read further.

I don't use notifications at all (well, almost), so I'm not interrupted by beeps or buzzes or popups.  Google Talk and Chat are silent in my configuration.

For years, I've maintained the practice of not using any sort of new-message email notification.  I read email periodically throughout the day.  Admittedly, I may check email more than once an hour, but it's part of my job.  If I'm consciously trying to achieve more productivity, at a higher than normal level, I try to limit looking at email to less than once per hour or I wait until I've completed a timed session of working on a task.  Usually I zero out my inbox in the morning so it's only additional messages that come up during the day.  Also, my email is very heavily filtered, so I only see the most important messages anyway.

A side effect of this practice is that meeting notices that arrive in less than 24 hours may not work for me.  Asking for more than 24 hours notice for meetings has been a standard request of mine for decades.

As far as chat goes throughout the day, I try to keep a browser tab visible, sticking out somewhere on the computer screen, typically out of the way over on the edge.  There won't be an audible cue if there's a chat message, but I should eventually see the tab blinking if I happen to glance over that way.  That's the closest thing to an interruption I get during the day.

There is one more exception to the above.  My Nexus One Android phone does chime or buzz when I receive a text or chat message.  Those tend to be almost exclusively from family or close friends, so they are the equivalent of an important phone call and only occur rarely throughout the day.

So, to answer Louis Gray's question, I wasn't interrupted at all while reading his excellent post.  8-)

Thursday, October 21, 2010

Computing at Scale

or how Google has warped my brain by Matt Welsh.

Having been at Google for almost four months, I realize now that my whole concept of computing has radically changed since I started working here. I now take it for granted that I'll be able to run jobs on thousands of machines, with reliable job control and sophisticated distributed storage readily available.

I do all of my development work on a virtual Linux machine running in a datacenter somewhere -- I am not sure exactly where, not that it matters. I ssh into the virtual machine to do pretty much everything: edit code, fire off builds, run tests, etc.

Matt Welsh is a professor of Computer Science at Harvard University. His research interests include distributed systems and networks. He is currently on leave at Google.

Moon Map

This high-resolution map by James W. Head, Maria Zuber and collaborators based on data from the NASA Lunar Reconnaissance Orbiter covers craters down to 20 km in size.  Note the beautiful video!  Passed on by Amanda.  Published in Science.

From their abstract they conclude, “The characteristics of pre- and postmare crater populations support the hypothesis that there were two populations of impactors in early solar system history and that the transition occurred near the time of the Orientale Basin event.”

Tuesday, October 19, 2010

Monday, October 18, 2010

Inbox Zero

I read this interesting post this morning about cleaning one's inbox to zero.  The zero inbox concept comes from, and is a central idea of, GTD, which I've been practicing for a year now.  In addition to that, I was already practicing a form of email inbox zero before GTD.

Here's a quick list of how I do it.

  • I use Gmail.  That takes spam out of the picture completely.
  • I use **a lot of filters** in Gmail to filter mail into a lot of labels.  Most of them contain messages that I never read unless there is some reason to.
  • The only mail in my Inbox consists of messages I want to look at.
  • When I read them, if they require some action and I can do it or reply immediately, I do.  The GTD rule is replies that take less than 2 minutes.  I probably use a rule more like if it takes less than 30 seconds.
  • Otherwise, I click on More Actions, Add To Tasks, and that email message goes into my Tasks list, which I use for my GTD process.
That's it.  With this approach my INBOX gets, I don't know, I'd guess maybe 100 messages a week.  A lot of them are ads from vendors I actually do care about, so I click through them with just a glance.

I use this same approach for both work email and home email.

In the spirit of Gmail, I don't delete messages (usually).  So far, after using Gmail since it began, that's not been a problem.  The excellent search capability means it's not difficult to find an email message that I may need.


Sigh.  I think it's probably time that I started paying attention to IPv6.

Saturday, October 16, 2010

A Dog Named Beau by Jimmy Stewart

[Video] This has been a favorite moment of mine for a long time.  I enjoyed watching it again when Penny sent this out the other day.

Thursday, October 14, 2010

Out Though the Blog, In Through Email

With the communication world seeming as unstable as the Genesis Planet, I'm wanting to retreat to the blog as the only reliable home for my outgoing messages.  It's relatively permanent (as things on the Internet/Web go) and I “own” and control all of the content.  I can edit or delete any posting at any time.

The next problem is notification.  How do I let particular friends or readers know I've posted something?  They could subscribe to an RSS or similar feed from the blog, but that requires action on their part.  I doubt they'll do that, so I need to send a notification to them.   If they tend to be gathered in one of the usual places like Facebook or Buzz, then the blog can be gatewayed into those sites.  However, the most reliable of all is to use old-fashioned email.  In spite of the fact that, apparently, almost no one uses email any more, generally everyone still reads it.

Finally, there's the need for a back channel for comments, where individuals can post a follow up to something that has been said or, even better, a conversation, where a group can accumulate on-going comments that they all see.   This is still the missing link, IMHO.  There doesn't seem to be a good general mechanism for doing this.  You can do it with Buzz or Facebook, but those may be subsets of people, and the groups, e.g., on Facebook, don't always align with the set of people I might want to have a conversation with.

And, for some of these sites, you never know what crazy things they'll go off and do with your privacy or sharing permissions.

Right now my personal solution is to use email to collect responses then manually publish them, if requested, and manually fan them back out to the list (if there is one) if it involves a small, closed group.

I still say the classic BBS is the best solution, but it only works if everyone in the group joins the BBS and then, either they read it regularly, or it has a notification system that will work for all of the participants.  Again, the only such notification system I know of is email.  Well, I guess text messages to phones works pretty well, too.

I have to say that it looks like Posterous really seems to handle all of the above really well.  It's highly email-oriented to the point that you can practically do all of the above, including posting and follow up comments, via email.  You can limit a blog to a particular set of participants using only their email addresses, which means they don't have to set up accounts on Posterous and don't have to log into the site.  In fact, a participant can never look at the blog at all, so it all functions like an ad hoc email list.  This is quite huge, really.

Another similar and interesting site does actually require you to log in or authenticate to continue a conversation, which ends up being similar to a Brizzly picnic.  But watch out for that Libyan domain name!


If you want to leave a comment on a post here, please send me a message.  Be sure to indicate whether or not  you want your comment published.

Wednesday, October 13, 2010

Steve Wozniak on Twit Live Any Minute  (Corrected URL)

Monday, October 04, 2010

Scale of the Universe from Primax Studio

Beautifully done!  This model is extremely well executed.

Of course, this will remind some of us of the Powers of Ten film that we were awed by in the 70s.

EPA on Bedbugs

Excellent general information on the problem.  The EPA has a pretty good site with information on bedbugs.  It actually goes beyond just pesticide information.

Saturday, October 02, 2010

Corporate developers: exclusive first look at Application Craft

From @scobleizer, a new tool for corporate web apps.

 “Today Application Craft (CrunchBase info on Application Craft) is releasing a new system that looks somewhat like Visual Studio, but is completely web based.”

The Persuaders

With Tony Curtis and Roger Moore was a show I used to like.  Here's the pilot episode (video).  It was reminiscent of shows like The Man from UNCLE (Robert Vaughn and David McCallum), I Spy (with Bill Cosby and Robert Culp), and others.


With Fox Sports local channels holding out on renewing Dish Network contracts for a 50% increase in charging, I'm glad to say we finally subscribed to  This is a step toward removing the traditional media and buying programming directly from the source.

There's been a lot of talk on TWiT and related shows recently about disintermediation of the carriers and resellers of TV programming.  It would be nice to find the program you want and click on it to buy, say a year's worth of a particular show.  You get the shows you want instead of a cable bill.

A lot of things have to happen before we get there, well, at least a few, but I've heard a number of folks say they only watch TV on the Internet and don't use the traditional sources.

Friday, October 01, 2010

The lifespan and depth of tweets vs blog posts | cre8d design

An interesting blog post, with links, on the whole question of microblogging vs. traditional blogs.