Fwew. Good thing I don't have to remember my password anymore....
Technorati Tags: badsecurity
]]>
Fwew. Good thing I don't have to remember my password anymore....
Technorati Tags: badsecurity
]]>I built a little GAppEngine tool that facilitates uploads to my Amazon S3 account, and then provides a list of the items. It's crufty, but, since I don't do much Python development, I'm proud it's working.
If anyone wants the S3 code, I'll be happy to post it later. Basically, my app will build an S3 Post form for anyone who's on the "admin" list of the application whenever they wander buy. The file gets uploaded directly to my S3 account, which, on success, redirects back to my AppEngine site to record the file upload. Non-logged in users just see a list of uploaded files.
Now that I've used the tool some, a few comments:
The toolkit is actually pretty easy to get started in, if you've done any actual under-the-covers web development. Getting used to the BigTable way of doing data storage is another thing, though.
Even though they currently limit developers to 3 launched apps, it looks like you could have pretty much unlimited apps, if you don't mind unfriendly URLs for your users. Major versions of your code live at the same time - just change the "version" in your app.yaml. The value doesn't have to be numeric - and the value shows up in the URL of the app: {version}.{minornumber}.appname.appspot.com.
Deployment is fast, provisioning is non-existant. I hope they announce pricing soon - unless there's a hefy cost per project, I'm likely to use AppEngine for any personal project I write from here on out. Maintaining personal project installations is a drag.
Anyone who wants to poke at the AppEngine-backed front page can surf to http://upload.geekdom.net/. If you know me, I'll be happy to add you to the admins list so you can try out uploading on my dime, too.
]]>Well, I can't promise it's trivial, though the S3Firefox plugin is my current favorite for quickly posting files.
As for the second, there's now an easy solution, for a measly $2/mo. S3stat generates Webalizer stats for you against your S3 log data, letting you now, easily, also keep track of your site's static S3 usage. S3stat will even let you try the service for 30 days free, so you can test out the reports before you have to pay. Or, for even less, review the service to get in on the cheap bastard plan.
]]>Well, welcome to this morning:
It appears that the new iCal in Leopard can only publish groups from the "Calendars" section, and subscribed calendars are in their own section. Groups in Subscribed calendars cannot be Published using the context menu nor the menubar menu. Yet, during my upgrade, some of my (subscriptions-only) calendar groups survived, and are still republishing. Anyone know how I can start publishing new groups of calendars in the new iCal?
]]>Meanwhile, I needed a copy of Windows on my Mac, and I went and downloaded a trial copy of VMWare Fusion, a Windows XP 64-bit trial, and installed the later within the former...... in less time than it took for them to trade out one single physical window.
sigh <sarcasm>Yes, I obviously wanted to stay home for the entire day on a Saturday.</sarcasm>
]]>New Mac + ScreenRecycler + IP over Firewire = Passable external display
(no need to give up your main machine's precious ethernet connection)
Why? Well, I've got an old Mac laptop, which isn't too much use by itself (PB 1Ghz with 768mb of RAM against a Dual 2.1Ghz MacBook with 3Gb). But, it is an extra display. In fact, I've always thought it a shame that laptops and systems with permanent displays don't come with a video bypass, so that when the machine itself is past its useful lifetime, the display can still be used. This is a less power-efficient option to that end.
How? First, purchase a license to ScreenRecycler, a tool that basically lets you use any machine you can run VNC on as an external display for a Mac (via a virtual display driver). It currently costs $25... which seems pretty decent for getting an extra display. But, because it uses the network to connect the two machines, you want that connection to be as fast as possible. While you can trivially use an Ethernet cable (Macs have, for a long time, done auto-crossover, so any ethernet cable will do just fine), I want to keep my Ethernet port, because Ethernet is precious where I go to school, and also more reliable.
How can you connect the two machines, assuming you don't have access to an appropriate ethernet switch? Firewire! If you're not using your firewire ports for anything else, just enable "Built-in Firewire" in your Network preferences pane of each Mac. In fact, if you then turn on Internet connection sharing in the Sharing preference pane (share your Built-in ethernet to your Built-in Firewire, naturally), the "screen" machine will even be able to connect to the network. I use this so that I can run Foldershare on both machines, and have a constant backup of several folders on my main machine.
The final step is to plug the firewire cable in between machines, install ScreenRecycler, and start up the screen sharing. I used the JollysFastVNC that ScreenRecycler includes with it, and have it set up with the name of my primary machine and the settings for auto-reconnect and fullscreen turned on... I just have to wake the extra machine up from sleep, and it returns to being the 'extra' screen as soon as it has found the network connection. I further use a tool called MarcoPolo to detect when I'm sitting in this configuration and launch both ScreenRecycler as well as changing the Network Location to the one where I have this network setup enabled.
Simple enough? No screenshots, 'cause I figure this is still a fairly advanced tutorial. If you have trouble following my steps, post a comment, and I'll beef things up.
]]>During the signup process, I got to the now-standard "Security Question" phase (though, they oddly call it a "Secret" question, even though they'll show it to anyone who pretends to be you having lost your password), and was amused to see this option. Here's what I saw:
Yes, they're asking a question for which there are only 50 legitemate answers, for which many individual's friends will have a good chance at guessing correctly .... and then they go one step further, and exclude 3 of the states (Ohio, Iowa and Utah are not 5 characters long).
Fwew. Thanks goodness Ohio (sure to trivially show up, in my case, on an appropriate web search) wasn't long enough, or I might've fallen for it! :)
Technorati Tags: badsecurity
]]>Ok, before I go boasting all about it, my current situation is pretty complicated, and not really usable enough for the common man. That said, I've gotta' tell my stories, and the gripes that go with it, if only to be able to defer a length explanation the next time it comes up in conversation.
My current situation is composed of several delicately interwoven systems: 1) My now several-year-old Asterisk system. It contains many weird optimizations to minimize latency, pick the cheapest way to complete the call at runtime based on current market conditions, among others. 2) My GrandCentral number. This is the only number I give to people anymore, unless they need to SMS me. 3) Physical VoIP hardware (in this case, an old Sipura SPA-2000) 4) AT&T Prepaid phone on its $1/day + minutes plan. 5) The Sidekick Toll Averter, Wife Alerter (now with better CID hacking)
What have I woven together with these systems? Well, I use GrandCentral pretty much as described... except that, to ring my AT&T cell phone, I run the call through my VoIP system first. Basically, I discovered that AT&T's way of figuring out if a call is on the AT&T network just looks at the callerID. Thus, I complete the call from GrandCentral to my cell phone in a way that advertises an AT&T cell phone number as the originating caller ID - and only have to pay for the cost of the VoIP call ($0.005/minute), vs the non-network rate for AT&T prepaid ($0.10/minute). Yes, it's 20x cheaper to use my prepaid cell phone with this trick.
Detailed explanation:
Basically, I created a new SipPhone.com account, which my Asterisk server registers itself with. I added the SIPphone 747 number as one of my GrandCentral numbers, since they recently began offering VoIP call completion using GizmoProject/SipPhone numbers. I then arranged a special extension inside of my Asterisk to answer that SipPhone number - it first sets the callerID to an appropriate AT&T number, then initiates the outgoing call. Head spinning yet?
So, this lets me use a prepaid cell phone for $1/day+0.005/minute any day I use it. If I don't use it on a given day, it costs me $0 that day. Put another way, if I only use the phone on average every other day, but still make 500 minutes of calls (the typical cell phone plan of my friends and associates), it'll cost me as little as $17.50/mo to use this service. Yeah, for 500 minutes. In fact, at the highest rate I pay for VoIP minutes, using the phone every day of the month, I'd still only pay $40/mo for the service. Not $40+taxes and fees, $40 total. Nuts, eh?
But wait, you say! That's only for incoming calls! True, outgoing calls are still $0.10/minute.... if I make them. But, since this is essentially a temporary, throwaway phone, I don't actually want to make direct outgoing calls.... then the people I call might end up using a throwaway number to call me after I've thrown it away. Instead, I wove another way to make outgoing calls and have the CallerID show my GrandCentral number, while also avoiding the $0.10/minute outgoing trap of the prepaid phone. Basically, I either use my Sidekick Toll Averter Wife Alerter web interface to initiate the call, or, I call a special number that, when called from my cell phone, hangs up on me and calls me back, giving me a dialtone. Of course, either of these cases is set to connect the call to my cell phone using an AT&T number for CallerID, thus, the calls are still only $0.005/minute (well, generally 2x that, as I still have to place another call to someone else after I get the dialtone - I end up paying for two outgoing VoIP calls, linked to each other).
So, now, people can call me on my GrandCentral number, and I can pick it up for free while at home, for $1/day+0.005/minute from my cell, or at any other phone I might be sitting near long enough to have added it to the GrandCentral hunt list. I can make outgoing calls, although I do lose the ability to use the cell phone's local call history, since all it shows are incoming calls from that special AT&T number I've been using.
All in all, this is working out very well. I've been in some state of moving now for nearly a month, and, yet, I've stayed well inside the $60 that I'd normally spend on cell phone service in years past. Meanwhile, for another $1/day, my wife, who's still on the west coast, also has an AT&T prepaid phone, and we can spend as much time as we'd like chatting on any given day. Once she moves out here, we can toss all of these electronics in the recycling bin for all I care, since we've got no contract, and the phones only cost $10/each after rebate and initial service allocation. Who can complain?
One more gripe: When I'm making calls using the dialback or web-initiated methods, I'm using 2 channels of VoIP. I've arranged my provider-picking priority to it nearly always chooses my Voicepulse Connect account... these guys are great, and, though their highest rate, at $0.019/minute, is relatively expensive for VoIP calls, most of my calls end up costing between 0.005 and 0.010. Keeping both legs of the call on the same provider means that, using the IAX native transfer function, I can actually remove virtually all latency from the call, effectively using VoicePulse as a local switchboard. This is great, except that Voicepulse limits each account to 4 simultaneous channels unless you pay quite a bit extra in monthly service fees. It's not hard to use up 4 channels when you're using them up 2 at a time (and your wife has access to the same tricks), and this has turned out to be a problem of late. I can understand the limit, in principle. However, since anyone with a credit card can sign up for an account with them, and they don't appear to have any rules against having multiple accounts, it makes no sense that Voicepulse charges extra for the ability to open up more channels. sigh
Technorati Tags: grandcentral, voip, voiptricks
]]>Along the way, I encountered a lot of different kinds of Internet and Wifi availability. There was the Chicago Hyatt Regency, where we stayed during the YearlyKOS conference... which wanted something like $14/day to use their in-room Internet (which I had to troubleshoot and fix the wiring of to get working, but that's another story.). There were many cafes and motels along the way with Internet connectivity.... even in Mexican Hat Utah, a tiny little town just outside of Monument Valley.
But, most of them, even if they offered free Internet connectivity, had you go through some sort of Wifi login/confirmation redirect page. These things are the devil to begin with, but they suffer from a couple of notable specific faults:
1) Many don't keep track of the original page you were surfing to. Ever try opening Firefox with a session restore feature turned on with one of these? You get a whole bunch of tabs with the login page, and virtually no way to go back to whatever page was in your session. Ugh. 2) Few Ajax apps seem to check properly for these conditions, and either fail in odd ways when they make a request, or don't offer an appropriate way to keep going once you've fixed things. Nothing like having to reload a heavy Ajax app (Gmail, I'm looking at you...) on a slow or expensive link because someone wanted to inject their hotel branding into your Internet experience.
Fortunately, both are correctable. Several of these tools actually do remember where you were surfing when you hit their redirect pages, and will set you back there once you log in, so point #1 is definitely avoidable. Point 2 is more tricky, of course, since it requires the web app author to code more defensively. Anyone out there know a good 3-line or less idiom to catch and report this kind of offense in a Javascript snippet, so it can be published alongside this rant for all of posterity?
More updates on the trip itself when I have time.... short excerpts of my progress were chronicled on my twitter site, though, which can still be seen here: http://twitter.com/bp
]]>However, looking for other places to test things out, I noticed they have a partner, iamdentity. These people win my first DogHouse award (in the style of Bruce Schneier). When you get to their website, it's not 100% clear what service they even offer. How does a service which keeps an additional copy of your personal information safeguard it, exactly? I suppose single signon is useful, but....
So, I click on the "New Client? Click to apply for an iamdentity account" link, which takes me to a scary questionnaire to "assess my risk". It's riddled with typos and questions you can't really answer correctly.... After scary questions like "Have you ever been successful in ensuring all your personal data has been deleted after canceling a subscription?", and "How often do you familiarise yourself with a sites data protection and online security policy?", you get to click a button and get an answer. I'm pretty sure the best result you can get is:
Although you do spare a thought for personal information security, you are not doing enough and risk becoming the victim of an opportunistic fraudster.
You have taken some precausions to prevent your identity being stolen, but not all the holes are covered yet.
Of course, you're still offered the chance to apply for an account. In the following form, oddly, they ask you for a ton of personal information. Hrm, how are they protecting me, exactly? This form loads from a different domain than iamidentity, some mysterious "ssl-01.com". You want me to trust my privacy to a company that's too cheap to even follow standard practices and register their own SSL cert? And I'm never once given control of the encryption key that stores my data (if, in fact, there even is encryption against my stored data, which I highly doubt).
Once done with the form, you get e-mailed a confirmation link, which includes your initial password. When you log in, they e-mail you again, this time with the session PIN. Apparently, they'll do this each time you sign up. I'm unconvinced how much this helps security, but it certainly does slow down the process, increasing the chance someone's going to ditch their service entirely.
Once logged in, you can see that they're trying to integrate with a small list of probably e-commerce sites. I guess they do do something, after all. No one on the list I've heard of, so, no reason for the account, and the MyPW integration only comes if you pay MyPW $20/year for service on their token. Unfortunately, when I clicked on the "cancel account" link it leads to an error message implying I'll have to contact support to cancel my account (but with no link, error number, or other details). Huh, wasn't one of their questions "Have you ever been successful in ensuring all your personal data has been deleted after cancelling a subscription?" Sure gonna' be tricky this time. The initial e-mail links to a web page for support, but, when I go there, it says I have to e-mail support@iamidentity.comsupport@iamdentity.com for anything other than password or initial signup concerns. So, I do... leaving an ironic comment in the e-mail at the absurdity of this process from a company supposedly providing a user-information-management solution.
... and nothing happened. I made the request to cancel my account nearly 2 weeks ago, and yet, my account still exists. No response to my e-mail was received.
Stay far far away from these snake oil salesmen.
Update: Sheesh. One of my other problems with this site is that, at least for me, it's cognitively difficult to spell their domain. I, for some reason, easily type iamidentity, when it's just plain imdentity. They could have at least registered the common typo domain and redirected. sigh
Technorati Tags: badsecurity, doghouse, rants
]]>For the last several years, I've been playing around with VoIP. Hardware, software, various ins-and-outs. And, while there are dozens of blog posts I could write about what I've learned, today I'm going to cover one of the issues I've spent the most time tinkering with, because its one of the issues that every VoIP company has to deal with to satisfy their customers.
Several things go into the perceived quality of a telephone call - fidelity, echo, reliability.... and transmit delay. Transmit delay is tricky - up to a certain point, delay doesn't greatly affect the happiness of the callers, but, after a certain point (around 100ms of total delay, a rough amount of latency from many kinds of technologies that start to get annoying), the delay on a call makes conversation harder. So, as a tinkerer with less-than-top-notch equipment and connectivity, I've spent quite a bit of time over the last few years trying to remove latency from the systems I use for VoIP.
This is tricky, of course. You can look up that your provider is in New York, say, and that your colocated box where you run your VoIP is in Pennsylvania. In theory, that should be close enough that the extra latency isn't very noticable. That is, until you discover there are many different ways the Internet might route between New York and Pennsylvania.
One of my best tricks, as the title of this blog implies, is to use a better tool for the VoIP, and thus get out of the way. I use the open-source Asterisk for my VoIP software, which supports both the standards-based SIP VoIP protocol, and its own, proprietary-but-open IAX protocol. SIP has the benefit of being implemented in fairly widely available hardware... IAX is, to a few exceptions, not supported in hardware. But, IAX has a few really killer features: it has a guaranteed-success transfer handoff, and a small enough base of supported devices that interoperability is rarely a problem. If you want to remove latency from your calls with IAX, you just have to teach your system to hand off the transfer of the media path to the two endpoints - no more routing through Pennsylvania even if both the caller and the callee are on the west coast.
SIP can do this, but, it has a much more complicated media path, and a much bigger pool of implementations. With SIP, you might try to do the same trick where you hand off the media path to be direct between the source and destination, but only find out it didn't work when you get a support call complaining that there was no audio on the call. Or, you have to use elaborate discovery tools on your network to figure out which devices are behind a firewall, and which ones aren't, and then check those results before trying to hand off a call.
In my own setup, I have tags I apply to the incoming channels on my Asterisk system. If a call is IAX, I deliberately try to complete it using IAX, and get my system out of the path. Otherwise, I have SIP set up to hand off where it can, but, in practice, I have to leave the configurations a little bit conservative to avoid no-sound issues from cropping up periodically: my callers pay with extra delay.
Bigger corps have different approaches (and, with few exceptions, all have to use SIP). I've read that Vonage has regional centers, and your device is setup to detect the closest one and use that. Then, presumably, they have internal rules to minimize the total network distance your call crosses. Too hard for someone small-time like myself, but probably very effective. GizmoProject seems to push everything through their SIP proxy. Even if you call from one phone on your local network to another. I believe they can still fix the media channel some of the time, though I'm pretty sure its beyond the reach of the Asterisk SIP implementation.
It's hard to get right... especially because some of the ways you can transfer a call effectively put you outside of the call - if you need to bill on that call, this just isn't an option. Here's hoping the day comes soon when providers just charge for listing and support: when we stop paying per minute, we can stop worrying about auditing every second of every call, and instead focus on delivering the best sound experience. Skype has got this right, and cheers to them for their routinely very high call quality.... but, they're not using SIP or IAX, so there's not much that can be learned from them directly.
Unfortunately, my favorite (and, at this point, the only one I've never had a serious gripe with the service of) VoIP provider started out as an IAX-only shop (http://iax.cc/), but got bought-up to a bigger firm that has now started to treat their IAX features as deprecated (http://vitelity.com/). I hope I'm small-time enough that they let me keep the IAX side active - I sure do appreciate the better call quality that results. Further unfortunately, I'm moving across the country soon, so I'm going to have to reconsider what all of my most-prefered choices are for colocation and VoIP routing. Good for my family, though, who is centered nearer where I'll be living, and are likely to end up with better call quality all around. sigh
Ok, . If anyone reading this is interested in my tricks to detect source channel type and try to send outgoing calls to an appropriately matched destination channel type, please chime in on the comments. It's all done with Asterisk macros, and it isn't quite a drop-in fix, unfortunately.
Technorati Tags: iax, latencysucks, sip, voip, voiptricks
]]>As I started contemplating the big change that was coming, I started peaking at the weather a little more often than I had. Sure enough, even the online electronic forecasts have this problem. Here are two clippings from weather.com across the last two months:
sigh I’m going to miss the Bay Area.
]]>After much work, applications, exams, discussions and soul-searching, the final decision was to join the Human Computer Interaction Institute at Carnegie Mellon University. My plan is to pursue a PhD project which focuses around the issues of Usable Security, that is, building systems that are more secure than their alternatives, but also have a better user experience. See, for instance, PARC's Network-In-A-Box project for an idea of what I mean. CMU's HCI program appears to be ideal for this, with a world class HCI program, as well as ongoing research which targets the same field.
Pittsburgh will be an adjustment after 6 years living in Silicon Valley, but I'm definitely looking forward to the program.
Technorati Tags: cmu, hci, usablesecurity
]]>