For the past two days I have enjoyed attending Strange Loop 2011 as a perk from my awesome employer. I got to meet some very interesting people; mostly developers but some were designers and I even met a science fiction author.

Most of the talks were good but my favorites were:

A Tale of Three Trees

Scott Chacon is a very entertaining and humorous presenter. His talk covered the three locations that content is referenced in Git (HEAD, index, and working directory). More specifically the commands that move content from one to another and how each command has a reverse action, e.g. commit/reset.

At the very end he whizzed by some very interesting possibilities. One of which was demonstrating a daemon/cron that would commit any changes directly to a “backup” branch (without interfering with the working directory, index, or your HEAD). If I get a copy of that or take the time to implement it myself I’ll definitely share it.

Teaching Code Literacy

I attended this talk both because I am interested in my son’s future education and more generally because I think programming is a powerful tool for exploration and creativity. Sarah Allen did a great job of connecting with the audience and of telling a story that explained how she has approached working with children. She is working on an easy way for kids to make web apps in Ruby. Her project, Pie, seems to be a great fit for making interactive stories.

Product Engineering

When I saw the presenter’s name, Mike Lee, I instantly felt like it sounded familiar but I couldn’t quite place it. He is of course the author of the Motherfucker blog! This was absolutely the most entertaining talk of the conference. Over the past few years I have become very interested in product design (and apparently product engineering). Most of what he said were ideas I had heard before but it was awesome to have the presented in the way they were.

In addition to the topic of product engineering he also talked about how awesome the Netherlands are and how he and others are creating a great environment for app developers there; henceforth known as Appsterdam. Not only that but they are also creating a legal defense foundation to fight trolls like Lodsys.

Simple Made Easy

Rich Hickey appealed to the need to create simpler and therefore more robust solutions in software; that our current practices are overly complex and just not sustainable. I am very new to programming as a profession so I did not fully connect with the sense of crisis but it would be hard to disagree with anything he said. It definitely inspired me to look further into functional programming.

I installed iOS 5 Beta 5 this week to make sure Hashed was working. At first it crashing on launch but that turned out to be a bug in iOS 5 needing to re-authenticate the phone with the App Store. The next issue I found was that the bookmarklet was no longer working. Here’s an over-simplified part of the code:

- (BOOL)application:(UIApplication *)application handleOpenURL:(NSURL *)url
{
    NSString *theURL = [url absoluteString];
}

For some reason the absoluteString method on NSURL now returns a string in a different format than before. Previously this would return the URL from the bookmarklet with the hashedapp:// prefix, e.g. hashedapp://http://google.com. However, now it is returning hashedapp://http//google.com. I don’t know the reason for the change or whether it is a bug but it’s easy enough to work around so I am already testing a fix.

This extension can access:

• Your data on all websites
• Your browsing history
• Your bookmarks

I have been working on integrating graphite into our environment at The Genome Institute. I have been running it for a couple weeks off of my own workstation. On their I had setup a series of cron jobs to push metrics. Since then I wrote a simple daemon using AnyEvent (and AnyEvent::Graphite) to bring all that under one process. Today I finally polished off the packaging details and fired up the daemon.

Unfortunately, metrics were not showing up; or more so the graphs were not showing up. I confirmed it was only an issue with the graphs by viewing the metrics “database” with whisper-fetch.py. One of my colleagues noticed the following error in the logs:

[05/Jul/2011 16:25:42] "GET /render/?width=586&height=308&_salt=1309901142.808&target=builds.current_failed HTTP/1.1" 500 67358

and from there was able to figure out that the problem was we were missing python-cairo. So we added that to our package dependencies, upgraded, and were good to go.

I was alerted to “suspicious” activity when I logged into Gmail today. Two IP addresses, 173.192.79.98 and 173.192.79.101, had been used to access my Gmail account on May 12th. My initial reaction was that my account may have been hacked so I immediately changed my password on it and on my bank site. I then enabled Google’s 2-step verification; something I should have done long ago.

I had already confirmed as Google had suggested that the IP addresses were under the control of Softlayer, a provider of on-demand data center and hosting services. They had a verified Twitter account and looked pretty legit so I started calming down and kept on looking for answers. I found a post, “Someone Hacked My Gmail!“, which reminded me that while Softlayer controlled the IP it may have been for the use of another entity. So like the author I did a whois lookup on the IP and saw that it listed Remixation, Inc in the rwhois info. A quick search of this name revealed that they were the makers of Showyou, an app I had just installed.

network:Organization;I:Remixation, Inc.

Thank god! I hadn’t been hacked but still… why was Showyou logging into my Gmail account? I know I had used the app to connect to my YouTube account. I thought perhaps it was that Gmail’s recent activity would show logins to the Google Account in general and not specifically Gmail. So I started testing logging into Youtube and Gmail. I logged into YouTube from my home machine and then browsed to Gmail and saw my login. I then logged into YouTube from another machine through a VPN, through which all traffic is routed, but the remote IP did not show up in my Gmail account activity!

So I’m left wondering why the heck Showyou logged into my Gmail account. Is it a glitch in Google’s logging? Did Showyou accidentally log into my Gmail account? Or far worse, did an admin at Showyou use my YouTube credentials to gain access to my Gmail account? I am less worried that my account has been compromised but I still don’t feel safe.

Update: Showyou responded very quickly to my email:

This is a result of connecting your Youtube account to Showyou. We don’t do anything with this connection other than scan your youtube feed to import into Showyou. The connection certainly doesn’t give us any access to your gmail account.

We are working with Google to try to avoid having this alert generated, or at least have the alert marked as resulting from the Showyou app connection. We apologize for the alert.

It still concerns me as showing up as a log in to my Gmail so for now I am no longer using Showyou but I hope they get this worked out with Google.

Storing your passwords anywhere is dangerous whether that be in a database (1Password), in the cloud (LastPass), or using an algorithm (PwdHash). In all three cases an attacker needs only compromise your master password and he would have access to all your passwords. In the discussion of LastPass’s (possible) security breach this would be what many people have been calling a “single point of failure”. While it is valid concern it it would be far worse to return to weak and frequently used passwords. Realistically all of these tools create a net gain in your security.

They enhance your security by making it far easier to use strong passwords. A reasonably long password that is not based on a dictionary word or other commonly used phrase will be near impossible for an attacker to crack. PwdHash’s algorithm always generates a password that contains at least one lower case letter, at least one one upper case letter, and at least one number. They are not based on any word and are always two characters longer than your master password.

Another way password utilities can enhance your security is that they make it easier to use different passwords for different sites. This is very important because you don’t want someone else’s security problems to cause your too-frequently-used password to be exposed. If you’ve used a separate password for every site then a breach in one is mitigated to only that site. One major caveat here is your email server because so much can be accomplished if someone has access to your email.

Security is always a compromise and you have to make that choice for yourself. Just try to be informed so that you understand what compromise you are making. Personally, I’ll continue using PwdHash and while I may seemed biased having written Hashed my opinion really is based on what I think works well for me.

“You never fail until you stop trying.” — Albert Einstein 1

“Whatever we are, whatever we make of ourselves, is all we will ever have – and that, in its profound simplicity, is the meaning of life.” — Philip Appleman 2