Comments on Online Account Security

September 3rd, 2010

I see that Facebook has been casting around, looking for some way to enhance security.

They certainly have challenges:

  • users with weak passwords
  • application bugs
  • advertising-supported, so cannot afford a lot of human-human account support
  • user account lists circulating through partners and malicious users.

The physical world relies on either a guard who knows your face, or 2-factor authentication:

  1. something you know (a passphrase) and
  2. something you have (a token) or are (biometrics).

Web-sites usually get considerably less …

Being an Internet company that doesn’t issue X.509 certificates, on a good day Facebook can only get 1-factor authentication (a strong password), and on most days 0-factor authentication (their users are re-using weak passwords from other accounts).

I give them credit for adding login notifications and the “force logout” feature. Users can change their password and disconnect other users and bots from their accounts.

The next step would be enforcing strong passwords and displaying a captcha on every logon.

Beyond that, online security gets hard to tighten reliably.

I’m skeptical of their additional security attempts.

Cookies can be deleted, and IP addresses are shared behind proxies or change over time. SMS verification seems like a burden for a social media account user.

However when you’ve got 500 million accounts, any means of improving security or analyzing security issues saves on support costs.
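As an added example (not from the post), here is how the two features the post credits Facebook with, a strong-password check and a “force logout” that disconnects every other session when the password changes, can be built with a per-user session generation counter; the login-notification signal is only a notice because, as the post says, an IP address is a weak identifier. The in-memory user store, session store and function names are assumptions.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the site's database (not from the post).
USERS = {}     # username -> {"salt", "hash", "session_gen"}
SESSIONS = {}  # session id -> {"user", "gen", "ip"}

def _hash(password, salt):
    # Salted PBKDF2; a real deployment tunes the iteration count to its hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def password_is_strong(pw):
    """Minimal policy: at least 12 characters drawn from at least 3 character classes."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return len(pw) >= 12 and sum(any(f(c) for c in pw) for f in classes) >= 3

def register(user, pw):
    if not password_is_strong(pw):
        raise ValueError("weak password")
    salt = os.urandom(16)
    USERS[user] = {"salt": salt, "hash": _hash(pw, salt), "session_gen": 0}

def login(user, pw, ip):
    """Return (session id, notify) on success, None on failure. notify is the
    login-notification signal: an IP not seen on any of the user's sessions. It is
    a weak signal (shared proxies, changing addresses), so it means a notice, not a block."""
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["hash"], _hash(pw, rec["salt"])):
        return None
    known = {s["ip"] for s in SESSIONS.values() if s["user"] == user}
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "gen": rec["session_gen"], "ip": ip}
    return sid, bool(known) and ip not in known

def session_valid(sid):
    """A session is live only while its generation matches the user's current one."""
    s = SESSIONS.get(sid)
    return s is not None and s["gen"] == USERS[s["user"]]["session_gen"]

def change_password_and_force_logout(user, new_pw):
    """Rotate the password and bump the generation: every existing session, including
    any a bot holds, stops validating at once. The user signs in again for a fresh one."""
    if not password_is_strong(new_pw):
        raise ValueError("weak password")
    rec = USERS[user]
    rec["salt"] = os.urandom(16)
    rec["hash"] = _hash(new_pw, rec["salt"])
    rec["session_gen"] += 1
```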

Authentication: Something You Know, Have, or Are

HTTP to HTTPS and CDN Transitions in Web Browsers and Email Clients

September 1st, 2010

It’s easy for front-end designers and server-side engineers to create web sites that don’t play well when SSL and Content Delivery Networks (CDNs) are added to the site.

Fortunately it’s also easy to solve that by understanding how to design HTML and site structure in advance to support those.

One of the most helpful things that can be done is to have well-defined URLs for HTML, images, CSS and JavaScript in the following scenarios:

  • homepage content rooted under /, with HTML, images, CSS and JavaScript under ., images, css and js respectively
  • admin site content rooted under /app, again with ., images, css and js beneath it
  • CDNs where you may store content in the future, such as a network-local proxy, Amazon, Akamai or Limelight. Generally a remote URL is overlaid onto the homepage or admin site structures listed above.

If you have localized content, each of the subdirectories above may be subdivided by ISO language code also.

Generally, HTML and URLs intended for web browsers and for email clients need to be considered separately:

  • web browsers handle relative URLs well
  • email clients do not handle relative URLs as well as browsers, if at all. For example, using a relative URL, or leaving out the scheme (i.e. writing //domain.tld rather than http://domain.tld), will cause problems in most email clients.
  • in both cases, HTTP servers can use URL rewriting if necessary to make changes after the design is done.

Relative URLs not only help with HTTP to HTTPS transitions, but also in creating developer sandboxes, and test and QA servers.

Try to make as many links in your HTML relative as possible if you’re planning on using SSL or test servers in the future. Fixing the links later can be expensive, as it requires testing the entire site again for broken links.

By having reserved directory paths for images, CSS and HTML, it’s possible to set far-future expiry times to improve the cacheability of those assets. However, a filename may then not be reused: a new version of an image needs a new filename, or caches will continue serving the old content.

And by having a URL available for items that could be served from a CDN, it’s possible to configure your CMS to be CDN-aware from Day One and avoid site changes and testing later. One of the first things I check when evaluating CMS programs these days is how easily I could switch from serving images from a local web server to serving them from a remote CDN.
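An added example (not from the post) of the URL discipline described above: one helper that emits root-relative URLs for browser HTML, absolute URLs with a scheme for email, the same directory tree overlaid on a CDN base, and content-hashed filenames so that far-future expiry is safe, plus a check for hard-coded http:// links before an SSL move. The ASSETS table, hostnames and function names are constructed for the example.

```python
import hashlib
import re

# Constructed sample asset contents standing in for files on disk (not from the post).
ASSETS = {
    "/images/logo.png": b"\x89PNG-logo-v1",
    "/css/site.css": b"body{margin:0}",
}

def versioned_path(path, content):
    """Put a content hash in the filename: a changed asset gets a new URL, so
    caches holding a far-future Expires copy never serve stale content, while
    an unchanged asset keeps its URL and stays cached."""
    digest = hashlib.sha256(content).hexdigest()[:8]
    stem, _, ext = path.rpartition(".")
    return f"{stem}.{digest}.{ext}"

def asset_url(path, *, root="/", cdn_base=None, site_base=None, for_email=False):
    """URL for an asset kept under a reserved directory (images/, css/, js/).
    root      -- "/" for the homepage tree, "/app" for the admin tree
    cdn_base  -- e.g. "https://cdn.example.com": overlay the same tree on a CDN
    site_base -- e.g. "https://www.example.com": needed for absolute URLs
    for_email -- email clients need scheme and host; browsers do not
    """
    local = root.rstrip("/") + versioned_path(path, ASSETS[path])
    if cdn_base:
        return cdn_base.rstrip("/") + local
    if for_email:
        if not site_base or not re.match(r"^https?://", site_base):
            raise ValueError("email URLs need an absolute base with a scheme")
        return site_base.rstrip("/") + local
    return local  # root-relative: same HTML serves http, https, sandbox and QA hosts

HARDCODED_HTTP = re.compile(r"""\b(?:href|src)=["'](http://[^"']+)""", re.I)

def audit_links(html):
    """List hard-coded http:// URLs in href/src attributes. Each one pins the
    page to one scheme and host: as a subresource it becomes mixed content
    once the page is served over HTTPS, and it points test servers back at
    production. Finding them up front is cheaper than a full-site retest later."""
    return HARDCODED_HTTP.findall(html)
```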

Some ZFS News

August 27th, 2010

Phoronix has a really well-written article on ZFS, including news on a company planning to release a CDDL-licensed Linux kernel module.

ZFS is the holy grail of filesystems. Many Database Administrators have switched from Linux to Solaris because ZFS has much better snapshot support than LVM, as well as good SSD support.

phoronix.com: Native ZFS Is Coming To Linux Next Month (Aug. 27, 2010)
phoronix.com: Btrfs, EXT4 & ZFS On A Solid-State Drive (Aug. 9, 2010)
phoronix.com: Benchmarking ZFS On FreeBSD vs. EXT4 & Btrfs On Linux (July 27, 2010)
phoronix.com: Running ZFS With CAM-based ATA On FreeBSD 8.1 (July 26, 2010)
github: Native ZFS for Linux
FreeBSD Wiki: ZFS

DynDNS Being Evil

August 27th, 2010

DynDNS is changing the ToS on their free accounts to make them less appealing, thus encouraging upgrades to their Pro account for $15/year.

Now a Free account holder is required to “log into your account or update your hostname monthly” or their account gets expired, resulting in the hassle of having to set up their dynamic address again.

Previously 5 free domains were allowed, now reduced to 2.

DynDNS Changes Dialog

Major Tornado Damage in Leamington, Canada

August 22nd, 2010

I grew up in a town called Leamington, Ontario, Canada. Although occasionally I saw waterspouts on Lake Erie, tornados were less common and rarely caused damage.

This summer the town had a major tornado (F1) tear through town at ground level for miles, causing millions of dollars in damage.

Although many buildings and cars were damaged, most of the damage was done to trees torn from their roots and electrical poles snapped like twigs. Nearby Point Pelee National Park was closed due to fallen trees.

Millwood, Ohio was not so lucky, with some fatalities and a high school destroyed.

My folks are fine, with only about $500 in tree pruning and cleanup required.

cbc.ca: Leamington tornado damage in the millions
More Photos

Simultaneous Outages for All Major Credit Card Sites

August 22nd, 2010

I just tried to pay my USA credit cards online, and at 1:30 am PST this morning (Sunday) all three account websites were down for maintenance (either refused the login or refused to show account activity).

Hmm … I’ve noticed a pattern of financial websites always taking the maintenance window, instead of architecting for 7×24 uptime. The web is still treated like a second-class citizen compared to the rest of the banking system.

Note: I used to work for a major bank, and the IT employees were smart enough to avoid this. Not sure what’s going on.

msnbc: BofA online banking down for 4 hours (August 27, 2010)

IMUG: How Google Built a Strong & Robust I18N Organization in Four Years

August 20th, 2010

At IMUG tonight Manish Bhargava from Google reprised his talk on “How Google Built a Strong & Robust I18N Organization in Four Years”, previously presented at the WorldWare Conference. Manish is the product manager for Google’s 40-language initiative.

This was a fairly non-technical general talk on Google’s efforts to realize their mission statement.

What was most notable about the talk is that no mention was made of where their i18n staff came from. Google largely gained their deep Internet i18n knowledge from hiring former Netscape and IBM ICU staff. Currently the group hires based on referrals of experienced people.

It was decided to pick the 40 most natural languages as they represented 99.7% of web traffic. (To get to 100% would require 120 more languages.) Google search itself is in 113 languages, and GMail in 54, soon to be 58. Eric Schmidt, Google’s CEO, is a strong supporter of this effort and quality of user experience is considered more important than cost of translation.

Lux-IQ: a program to get feedback on the international user experience and localization quality of various Google products from a network of in-market evaluators.

Example findings, by issue type: language/translation, interaction design, feature missing, feature bugs, visual design, data quality, other; and a total.

Google Translation Toolkit is used for ads (machine translation). Some ad customers request translation into 50 languages, for example.

Language FindIts: a 3-hour testing party for language-related products. Very successful.

A language console would help with finding already-translated strings.

Globalization continuum

I18n PRD, intl 1-stop, i18n checklist, country planning, legal, content, l10n checklist, translation, review and QA

I18n, planning, deployment

All is global, weekly pushes, 0.25 seconds for search query response

Quality is more important than cost.

  • High-level advice alone – not effective
  • Deliver concrete solutions, hands-on
  • Adapt to product needs, constraints and priorities
  • Earn credibility
  • Success breeds success
  • Be persistent

Metrics: intl revenue, top10 problems
Graph of i18n api adoption

Challenges

  • Unicode redesign
  • Bidi in webapps
  • Broad range of environments
  • I18n technologies
  • Deep dives: Android, Chrome, Gmail, YouTube, to help critical areas and new areas

40 language initiative

Take aways

  • I18n by design
  • Educate, evangelize, communicate
  • Design globally, implement locally
  • Build credibility. Success breeds success.
  • Retrofitting happens. C’est la vie. Learn from it.
  • “Make it easy to do right, and hard to do wrong.”

3 engineers for 7 months to fix Gmail

Thanks to Google for hosting.

Twitter: IMUG

  • XIHA Connects Facebook and Twitter Friends with New Multilingual Translation http://tinyurl.com/2ankev2 #L10n
  • Zynga Launches First Localized Game In China: Texas Poker. http://tinyurl.com/2fxp9tm #L10n
  • @localization sorry didn’t see your Q (no hashtag) but their i18n team seems fairly centralized but serves all projects and offices. (in reply to localization)
  • And the event is over! Thank you Manish, and thank you Andrew Swerdow & the Google i18n intergrouplet for hosting! #imug408
  • Question: is there a process for self-localization of smaller language? Yes, for example Search recently translated into Hawaiian. #imug408
  • Question: why 40 languages? Those 40 can reach 99.7% of all internet users. Actually 42 now. ~100 more needed for remaining 0.03%. #imug408
  • Many questions from audience. One was how well-integrated is bug-management system? Manish summarized end-to-end process for that. #imug408
  • @renatobeninatto approximately 60 attended tonight’s Google #i18n event. #imug408 (in reply to renatobeninatto)
  • Manish now summing up: #i18n by Design and other take-aways for any organization. #imug408
  • Google #i18n API adoption has grown 173% since start of the 40 language initiative. #imug408
  • Google has a team dedicated to #Unicode “Redesign”. #imug408
  • First two points on successful #i18n: not high-level advice alone; deliver concrete solutions or even hands-on help. #imug408
  • How can an #i18n team make an impact on projects from the outside? Manish offers 6 points. #imug408
  • Amazing how much the Web challenges but also offers opportunities in #i18n. #imug408
  • Interesting timeline now of Google’s Globalization process from i18n thru Planning to L10n. But I’m not going to give it away. :-) #imug408
  • Apparently this internal Language FindIt program results in far less mischief than other firms’ community translation efforts. :-) #imug408
  • Manish now onto Language FindIts: Googlers identifying translation & #L10n issues to improve Google products in own languages. #imug408
  • Interesting discussion going on with audience about MT vs. transcreation. And rule-based vs. statistical translation. #imug408
  • @renatobeninatto Yes they do use Google Translator Toolkit internally for example in automated ad translation. User can then edit. #imug408 (in reply to renatobeninatto)
  • @renatobeninatto I found Petra, she says Hi, but she is still making me ask your question. :-) #imug408 (in reply to renatobeninatto)
  • @ken_lunde yes similar to WorldWare but the entrance fee was far less! :-) Very good presentation, great interaction with audience. #imug408 (in reply to ken_lunde)
  • Google has a program called Lux-IQ to get feedback from local market-savvy non-technical users in all 40 language markets. #imug408
  • #i18n quality issues include not only basic encoding and locale issues, but also missing features important locally. #imug408
  • The presentation is now turning to quality issues in #i18n. #imug408
  • Manish is also presenting case studies, such as their experience with Google Video and Unicode (pre-YouTube). #imug408
  • And by the way Google is hiring #i18n engineers! #imug408 #jobs
  • Manish has given us perspective on Google’s incredible global growth, and the start of Google’s 40-language initiative in 2007 #imug408
  • Manish Bhargava, Google #i18n Product Manager, is presenting. #imug408
  • Tonight’s IMUG event at Google kicked off 1/2 hour late, big crowd not enough badges. :-) #imug408
  • Going to tonight’s IMUG event @ Google? Maps, directions and more: http://www.imug.org/google/ #imug408
  • Shirley_Rogers: Twitter Unicode Hashtags – http://bit.ly/9ciNuu (retweeted by i18n_mug)
  • 57 yes, 5 maybe RSVPs: 8 left for tonight’s 70 chairs. Will it be SRO? Google’s Manish Bhargava is an #i18n star! #imug408
  • Localization Project Manager, Net-Translators, Sunnyvale, CA. Just posted to IMUG Jobs: http://www.imug.org/jobs/ #L10n #jobs
  • Maps and directions to tonight’s 7 PM Google #i18n event in Mountain View, CA: http://www.imug.org/google/ #imug408
  • IMUG cannot do webcasts from Google yet. Hope to see you all there tonight! http://tinyurl.com/2f9esas Hashtag will be #imug408
  • RT @ken_lunde Two font- and CJKV-related Tech Notes now live. http://tinyurl.com/23ffulg & http://tinyurl.com/yzd3hjj <–Kazuraki font!
  • Kazuraki: Adobe’s Groundbreaking New Japanese Typeface http://tinyurl.com/2by46nn Next month’s IMUG event, @ Adobe #imug408
  • TONIGHT 7 PM: The Google i18n Story http://tinyurl.com/2f9esas Hashtag for this IMUG event @ Google will be #imug408
  • cathywissink: RT @TalkStandards Nascent Web Open Font Format is getting boost thanks to W3C’s new initiatives http://bit.ly/biE85M #typography (retweeted by i18n_mug)

Movie Review: The Expendables

August 16th, 2010

Jason Statham did a good job in “The Transporter”, so I decided to see what he was up to in “The Expendables.”

I hadn’t read any reviews, so I was surprised to find the cast had every ’80s-era action star one could think of, plus WWE and MMA wrestlers and Jet Li. Eric Roberts is completely believable as the villain.

Very little CGI is apparent in the film, so it has a vintage look to it. In this case that works out fine.

A real bonus was several minutes of aerial footage of a DC-3, with its original panel, that is flown on missions.

I’d recommend sitting towards the back of the theater to take in all the action scene details. Some scenes have a lot going on.

Overall it’s a worthwhile film if you like action movies, though better writing could have really evened out the plot.

There’s a fair amount of humor, though my unintentional favorite was Mickey Rourke doing a monologue on humanity that would make Hamlet proud. I might pay to see the movie again just for that.

But imagine if a better writing team had been involved. This mid-budget movie could have accomplished a lot more than just another popcorn shoot-em-up, possibly an ensemble analogy to Clint Eastwood’s “Unforgiven.”

After seeing the movie, I read an LA Times article indicating that the production budget was $82 million (sort of a minimum baseline for making a Hollywood film these days), which was pre-sold to foreign and domestic distributors … i.e. a can’t-lose-money deal.