This is an example of why. Not the blackboard system. Just the question. See previous rants.
UIUC was Awesome
November 19th, 2008
Passwords in the Clear
November 19th, 2008
I recently made a purchase on MacUpdate and as part of the purchase I was required to set up an account with them (username, password, etc.). Annoying, but all well and good until I received both my username AND PASSWORD in the clear from them in the same confirmation email.
For most people, the reasons that this is very bad should be obvious, but for those for whom it’s not, here are a couple reasons why this is not good.
First, both my username and password were sent unencrypted across unsecured mail relays. At the very least, they should never be included in the same email, as this would require a potential attacker to put together several pieces of communication to get all the information needed. Regardless, user-created passwords should NEVER be sent to a user, as they very well could be used for other things. If you must send the user a password, it should only be a randomly generated password to which the account has been reset. It would be best if this randomly generated password had an automatic expiration if the user did not go in and change it to something personal in the site.
The second, and perhaps less obvious, implication is that the fact that you can send me my own password tells me that you are storing my password in your database either unencrypted or with reversible encryption. Again, this is a bad idea. (I confirmed that they didn’t just send the password from the initial form by requesting my password be sent to me after the initial registration.) You should always store a password using a one-way function (a hash) and then validate login attempts by taking the supplied password, applying the same hash to it, and comparing the result to the stored hash. This has the benefit of preventing an attacker from obtaining the actual passwords from your system in the event that you are compromised.
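An added example (not from the original post) of the two practices described above: storing only a one-way hash and comparing hashes at login, and resetting to a random temporary password that expires. It goes slightly beyond the text by adding a per-user salt and a slow hash (PBKDF2); the Account class, TEMP_TTL and the iteration count are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

ITERATIONS = 600_000   # assumed PBKDF2 work factor for this sketch
TEMP_TTL = 15 * 60     # assumed lifetime of a reset password, in seconds

def hash_password(password, salt=None):
    """Return (salt, digest). Only these are stored, never the password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Hash the login attempt the same way and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

class Account:
    def __init__(self, password):
        self.salt, self.digest = hash_password(password)
        self.temp_expires = None  # set only while a reset password is active

    def reset(self, now=None):
        """Replace the stored hash with that of a random, expiring password."""
        now = time.time() if now is None else now
        temp = secrets.token_urlsafe(12)
        self.salt, self.digest = hash_password(temp)
        self.temp_expires = now + TEMP_TTL
        return temp  # random value, not user-chosen: the only thing to mail

    def login(self, password, now=None):
        now = time.time() if now is None else now
        if self.temp_expires is not None and now > self.temp_expires:
            return False  # temporary password lapsed; a new reset is needed
        return verify(password, self.salt, self.digest)

    def change_password(self, new_password):
        """User sets a personal password; the expiry no longer applies."""
        self.salt, self.digest = hash_password(new_password)
        self.temp_expires = None
```

Because only the salt and digest are kept, a "send me my password" feature cannot exist in this design; the site can only issue a reset.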
This isn’t even getting into more advanced ideas for securing pages (not having the username/password fields on the same page, for example), but rather just the very basics of not throwing sensitive information out into the network.
Anyway, needless to say, I was very annoyed at all this and sent them an email criticizing their security practices. I also asked them to remove my information from their systems as this is likely an indication of their security practices in general. Anyone who has done business with them in the past may wish to consider doing the same thing.
Lightsabers: The Duct Tape-Tool of the Galaxy
November 17th, 2008
This How Stuff Works article is making its way around the internet again, this time via Slashdot. Still, every time I see it I laugh, so I thought I’d post it.
Matrix + Windows = Awesome
November 10th, 2008
Another great College Humor original video.
First Snow 2008
November 7th, 2008
Determining which Process is Locking a File
November 3rd, 2008
If you’re like me, every so often when working on Windows you get a message similar to the following:
(So the google can index this: “Cannot delete X: It is being used by another person or program. Close any programs that might be using the file and try again”)
You are trying to move or delete a file and some other program has it locked. Of course, Windows isn’t nice enough to tell you which program has it locked, so the process becomes one of experimental elimination. Try closing program after program until the file frees up, or if that doesn’t work, reboot the system and try again before starting any programs.
After this had happened to me several times in the same day, I got fed up and finally did a little research about tools that can give you some more useful information when this happens. This Google groups discussion gave some good resources that can be used to help out. The first option is one of the Sysinternals tools that was acquired by Microsoft. That tool chain can give you all sorts of great information, including which processes are holding which files.
The downside of Sysinternals is it’s a bit like killing a fly with a sledge hammer. Another alternative is the simple and elegant (yet slightly ghetto-sounding moniker) Who Lock Me. This tool adds an entry to the context menu in Windows Explorer that quite literally says “Who Lock Me”, and by clicking this entry it will list program(s) that are locking the file. I can’t vouch for the legitimacy of the tool. The website looks a little sketchy, but I have installed it on one virtual machine with no perceived ill-effects, and it did do what it advertised, so it seems to work. At least it tells you what Windows refuses to.
UPDATE:
I came across a site for an alternative to WhoLockMe, UnLocker, that also listed alternatives of similar tools. Below is a list of the tools linked from the aforementioned page.
The Concept of Superman can Limit Plot Complexity
October 22nd, 2008
As shown in this video. Still my favorite super hero, though.
Stuff White People Like
October 18th, 2008
Ran across this great (and scarily accurate) satire Stuff White People Like from the Facebook news feed (I forget whose it was, my apologies). My personal favorites include appearing to like classical music, outdoor performance clothes, threatening to move to Canada, and Facebook.
3..2..1..Resume Posting YouTube Videos…
October 18th, 2008
Carmen has indicated that she needs more help procrastinating at work, so I’ll do my part.
These gems are from a recent gem that was on Digg.
White Coat Ceremony
August 23rd, 2008
On another family note, my sister Kendra just started Med school this week. My parents took her down to Kirksville, MO where she is attending AT Still. Pictures from the white coat ceremony are available here.


