Something that’s exercised me over the last few years is what I sometimes call “the tyranny of free”, because the instance that everything must be free is actually very costly to us all. But, that’s only part of a bigger picture, and this week’s announcement from Google that they will be killing a number of services people have come to rely on, including Google Reader, got me thinking about this again.
I’ve blogged about the tyranny of free before, so I don’t want to focus on that today, instead I want to take a step back and talk about the importance of following the money.
This week’s Insgragram TOS kerfuffle is nothing new. Instagram is not the problem, it’s just the latest symptom of a sick business model that has been allowed to become so dominant as to be almost un-challengeable – services on the web MUST be free, so you MUST give up your privacy and/or your intellectual property rights to enable the service providers profits. If you dare stand up for privacy then you are a greedy idiot who wants something for nothing, and you need to grow up and let the companies make money.
My problem is not that companies want to make profits, it’s their instance on selling our data to do it that I have a problem with. How about this for an idea – why not let people pay for services rather than insisting we all whore out our privacy and intellectual property?
Steve Gibson really set the cat among the pigeons with his Password Haystacks site a few months ago, and XKCD’s ‘Correct Horse Battery Staple’ web comic brought that message home to many many nerds and geeks. The basic idea is that you’re better off making your passwords long and memorable than short and complex. In the simplified XKCD example the password is simply made up of 4 common words, but Steve Gibson suggests you should add some padding around those words to make the passwords much harder to guess.
This is a lovely theory, but I’m not imaginative, and I need to invent a lot of passwords every week, so I wrote a Perl module to do it for me, and called it
xkpasswd.pm. The first thing I’m announcing today is that I’ve made this library available for free for both personal and commercial use (under the FreeBSD license), you can download it from www.bartb.ie/xkpasswd.
It’s great to have a library for nerds to play with, but what about everyone else? Well, that’s where my second announcement comes in, I’ve also created www.xkpasswd.net, a simple web front-end to the
In case anyone is wondering where the name comes from? It’s a mashing together of XKCD, and
passwd, the Linux/Unix command for changing passwords. Because I used to use Solaris, and hence the
yppasswd command, I liked the idea of keeping the prefix to just two letters, hence
xkpasswd, rather than
For any programmers interested in using the Perl module, it has no prerequisites other than base Perl, and all you need to get started is the module and a dictionary file to point it at. The download package contains the module, a sample dictionary, and a sample Perl script which invokes the module.
The technosphere is a buzz this week with the news that DropBox’s security has a rather large and rather stupid hole in it. I’m only going to give a brief overview of the issue here, so if you’d like more details please check out the blog post that broke the story. What I do want to say is that this is a really infantile mistake on DropBox’s part, and the fact that they could overlook something so elementary for so long worries me a lot.
Anyhow – the whole problem revolves around the Host ID which DropBox uses to identify a computer within your account. This code acts as both an identifier and a password, and it’s a big long string of random looking gibberish. The problem is not that this ID is easy to guess, but rather that it’s not tied to any particular machine. If a bad-guy gets their hands on the file containing this ID they can effectively clone your machine in DropBox’s eyes, and see your files in perpetuity, regardless of how many times you change your password. The only way to kill the bad guy’s access would be to de-authorise the machine who’s ID they cloned in your account pages on the DropBox website.
The original blog post that broke this story describes in detail where you can find this ID on Windows, but doesn’t mention any other OSes. Quite a few listeners to my various podcasts have asked me if I know where the file is located on the Mac. I didn’t, but I figured it would be worth spending a little time finding the answer.
This is not a finished project. Not even nearly. But I think it’s about time I shared what I have, and now is the perfect time since it’s the topic for this week’s Chit Chat Across The Pond segment on the Nosilla Cast.
I don’t normally log in to Twitter directly – I almost always use clients – but today I did, and I noticed something which shocked me – Twitter is sending login details over an unsecured HTTP connection! I have no idea if Twitter’s always done this, or if they are experiencing some kind of bug today, but either way, this is a serious issue.
Were I to be using public WiFi or any other un-trusted network it would be trivial for someone to get both my username and password and take over my Twitter account. Worse still – if I were to use the same credentials elsewhere like so many people do – all those other accounts could be taken over too. This is just not acceptable in 2009.
I have been a huge fan of NetNewsWire for many years and have recommended it every chance I got on podcasts, blogs, and in person. Before NNW was free I was a happy paying customer, and, to be honest, I worried a little when it went free. Without charging for it, would the developers keep adding to it? Keep driving it forward? The answer to that was a resounding ‘no’, it stagnated. However, it was still every bit as good as before it became free, so the stagnation didn’t really bother me. It did what I needed it to do, and it did it well, so I was happy.
What did I need it to do? Firstly, it let me organise my feeds into folders nested as deeply as I wanted, and it allowed me to read a folder as if it was a single feed generated as a combination of all the feeds in that folder or sub-folder. I had literally hundreds of feeds, and had them perfectly organised in folders often three or even four levels deep. It also allowed me to sync read and unread statuses between my many copies of NNW on the three Macs I use and on my iPhone. Finally, it allowed me to keep “clippings” which were also synchronised between all my clients.
This all lead to a fantastic workflow. I would read my news feeds on what ever computer I was at, and, when ever I came across a potential story to include in the IMP Live podcast, I’d just drag and drop it to my clippings folder. On Fridays when it was time to assemble the show notes for IMP Live, I’d just go through my clippings folder on my Mac at home and remove stories from the clippings folder as I added them to the IMP Shownotes. Then, the next week, I’d start the process over again. It was the perfect news reading and gathering experience for me.
Then came last week’s ‘update’ to NNW. I use the term very very loosely, because all this ‘update’ did was strip out features, and hence destroy my news reading experience, and my IMP Live work flow. To paraphrase Churchill, NNW have managed to snatch defeat from the jaws of victory!
I recently moved to a new machine (a hand-me-down G5 20″ iMac), and when it came to installing my new apps I decided I’d had enough of Adobe AIR and the whole idea of web apps pretending (poorly) to be native apps. I like OS X, and I want the full power of OS X in my apps. I also like how OS X apps all look and work similarly to each other. You just don’t get that with AIR apps like Twhirl (which had been my Twitter client up to that point). Not long before I got my new Mac listener Scott had contributed a short review of Syrinx to the NosillaCast, so I decided to give it a go.
I took and instant liking to the app because it’s a proper OS X app, because it uses the OS X keychain to securely save my password, and because it has Growl support. The fact that it’s free also helps of course! I’ve been using it for a month or so at this stage, and I’m still happy enough with it to keep it as my current client on all three of my Macs. It’s also under very active development at the moment with updates coming out regularly, so I have high hopes for this app’s future.
There can be no doubt that Twitter has taken off. It has become completely main-stream, and is rapidly rising in popularity and usage, last weekend’s twitpocalypse is proof of that! It would be nice to think that Twitter can remain the peaceful and relatively spam-free haven it is now, but I can see the start of the downward spiral already. Spam. Sure, you choose who you follow, and if you choose badly you can un-follow people, but does that prevent spam? Unfortunately it doesn’t. Anyone can message you using the @ sign, even if you don’t follow them. In many ways this is a great thing, for me, it lets listeners to my podcasts contact me without my having to give out my email address. However, this provides spammers with a mechanism to target people with their infuriating crap.
‘Click Jacking’ is the latest browser-based security problem to crawl out of the wood work. Since it’s entirely browser based it affects everyone, regardless of their OS, not even Linux users are safe from this one! This is a cross-browser problem and also affects Flash. The technical details have not been released yet, but there is a proof-of-concept exploit doing the rounds. The basic idea is very simple, trick people into clicking on something you want them to click on but they don’t want to click on. From what I’ve been able to piece together from reading various blog postings and reports the attack uses CSS and iFrames to place invisible content over visible buttons or links. When the user clicks the button or link they see the click gets diverted to what ever is in the invisible layer above it instead. If you can do it by clicking the mouse, then you can be tricked into doing it with Click Jacking.