Rafblog - Jake Cohen's Blog

There are many articles describing how to make a password more secure. They usually suggest using letters, symbols, and so on, to increase the complexity of the password, such as is the case with this article by Apartment Therapy.

There is also an argument that simply increasing the length is the best way to achieve password security, such as described in the vaunted 936th xkcd comic.

However, these techniques only increase the security of the password from an outsider's perspective by making it harder to guess. What about the security of the password when stored on the remote site? The best password in the world is no good if the site itself isn't secure, or if they store it in plain text somewhere.

One giveaway that a site probably stores your password in the clear is when they enforce a maximum length on the field. This probably indicates that they store passwords in a database column and the max password length is the size of that database column.

Secure sites don't store your password in the clear at all. Rather, they pass it through a one-way encryption algorithm such as SHA-1, and store the encrypted value. When you sign in with your password, the password you type is encrypted with the same algorithm and compared to the encrypted value.

To add security, these sites will often add a "salt" value to this algorithm, meaning that even if an attacker steals the encrypted passwords and manages to guess a value that encrypts to the same value as one of the stored passwords, it won't work because the stored passwords are created with a combination of the typed password and the salt value.

So it is useful to have a secure password, but keep in mind the security of the site you are using the password for. If they store passwords in the clear in a database, I wouldn't use that password for anything terribly important.

Welcome, new or prospective followers.

First, the brief autobiography: 31 years old. Married, with one son and a baby girl on the way. Software manager at Amazon.com. I've lived in the Pacific Northwest for 7 years, San Diego for 8 years before that, and I grew up in the San Francisco Bay Area.

My tweets are usually random jokes I think of when on the bus to or from work, or walking to lunch. They are usually pretty tongue-in-cheek, and often are puns.

Some random facts about me:

• I play bass guitar, and in college I was the bass player for an indie (pronounced "no one has heard of us") rock band called Bedroom Heroes. We named our band after the term "bedroom hero", which is a term that ironically means nearly the opposite of what it seems it means. You can find some of our songs by searching around on Google. It appears people actually use our songs as replacement tracks when Youtube takes down a video's audio track due to copyright infringement.
• I enjoy playing Words With Friends. Look me up! (username: jacobc79)
• I tend to learn things by diving in and doing them. For example, I taught myself French by picking some books I was familiar with (e.g. The Hobbit) and reading them in French (also listening to the Harry Potter audiobooks in French).

Thanks, and welcome.

Every time Facebook launches a new feature (such as Places, or Questions), they seem to add a few new categories for e-mail notification.

The problem with this is that these new notifications are always enabled by default, forcing me to go back to their settings page and uncheck a bunch of checkboxes again.

So, while I haven't been able to solve the problem of being opted in whenever they launch something new, I wrote a little bookmarklet to uncheck every checkbox on a web page. This is useful when dealing with the notifications settings page on Facebook which is starting to have many, many checkboxes.

Try it out: All Checks Off

(just drag this link to your bookmarks bar, or if you're using IE, right-click and save to your Favorites bar)

You can try it out here:

Many resumes for technical positions tend to read like a list of all the tools a person knows how to use. I've already compared programmers to chefs. To illustrate what is so meaningless about this emphasis on tools, let's pretend that instead of a programming job, you're applying for a job building stuff in a workshop, and your resume looks like this:

2004 - 2006

Gilbert's Gadgets - Townville City, WA

Sr. Gadget Builder

Responsibilties included using hammers, wrenches, screwdrivers and pliers in a fast-paced environment.

• Used a hammer to drive several different types of nails.
• Participated in the use of a phillip's head screwdriver on the BigGadget project.

2001 - 2004

Wilbur's Widgets - Metropolis, WA

Gadget Builder

Responsibilities included investigating the use of saws, hammers, glue, sandpaper, and wood stain.

• Used glue on at least four different furniture projects.
• Cut wood for several projects using both power and manual saws. Responsible for keeping the saw sharp in between projects.

Skills:

• Hammers: ball peen and claw
• Wrenches: open and closed, familiar with both tightening and loosening
• Stanley-Certified Screwdriver Turner - 2007

Really, all the person reading the resume wants to see is what you actually built with your skills. Not how you used the tools.

This is a response to Steve Jobs' recent open letter to Adobe posted on the Apple web site.

In this letter, Mr. Jobs explains his (and Apple's) official position on why Flash is not, and will not be, available for the iPod, iPhone, and iPad.

I think he raises some valid points about the shortcomings of running Flash on mobile devices, such as lack of a "hover" interaction. However, many of his arguments against the use of Flash do not sound to me like valid justifications for preventing use of the platform entirely.

For example, take the following paragraph.

Adobe has repeatedly said that Apple mobile devices cannot access “the full web” because 75% of video on the web is in Flash. What they don’t say is that almost all this video is also available in a more modern format, H.264, and viewable on iPhones, iPods and iPads. YouTube, with an estimated 40% of the web’s video, shines in an app bundled on all Apple mobile devices, with the iPad offering perhaps the best YouTube discovery and viewing experience ever. Add to this video from Vimeo, Netflix, Facebook, ABC, CBS, CNN, MSNBC, Fox News, ESPN, NPR, Time, The New York Times, The Wall Street Journal, Sports Illustrated, People, National Geographic, and many, many others. iPhone, iPod and iPad users aren’t missing much video.

What is the problem with Flash, here? "Almost all" is not all, and I think he vastly overestimates how much of the internet's video is available in formats that will play on the iPhone.

The YouTube app that ships with the iPhone cannot decode all of the video that is available on YouTube. It does not take much probing to uncover the stark difference between the quantity and quality of videos available on the web versus on the iPhone app.

What about other important and popular video sources, such as Amazon Video on Demand, or Hulu? It is disingenuous of Apple to suggest that users will not miss videos from these sources because they are available to purchase through the iTunes store. I can play my Amazon videos on my Zune, my computer, my TV, and other devices as well. iTunes only allows this on Apple-approved devices such as the iPod and iPhone. My $99 Roku will play Netflix and Amazon Video on Demand movies, but not iTunes purchases.

I would go on, but I just discovered a response to Steve Jobs' letter by Jesse Warden which already says most of the points I was going to make, as well as many others, so I will just link to that instead.

I searched high and low for evidence that someone else out there had run into this particular problem, but I was unable to find anything. So I am writing this in the hopes that the next person who faces this particular problem will have an easier time.

I had just used Picasa to import about two thousand photos from memory cards onto my new Windows 7 computer. I then noticed that these files were stored in C:\Users\Jake\Pictures, not the "My Pictures" folder like I expected (On my system I set up "My Pictures" to be on a larger drive since my boot drive is a relatively small SSD). I changed the location in Picasa's settings, but this didn't move any of the files it had already imported.

I closed Picasa and copied the files to the My Pictures folder, then re-opened Picasa. Then I started to notice that every file now had a duplicate (both in Picasa and on disk). For whatever reason, Picasa created an extra copy of each file. For example, IMG_5435.JPG now had a twin, IMG_5435-1.JPG.

I searched high and low for an easy way to use Picasa to remove these duplicates. However, it does not appear that Picasa's search feature offers wildcard search. The way it handles characters like - and . and ? is a mystery to me. Searching for "1.jpg" will return results such as "IMG_3145.JPG".

So in the end I used Windows Explorer to find the duplicates, as it is happy to search for wildcards. Since all the duplicates ended in -1, I just searched for *-1.JPG and it showed the 1,982 duplicates. I then hit Ctrl-A to select all, and Del to delete them. Close and reopen Picasa, and boom. No more duplicates.

I have been trying out Ableton Live for the past few weeks, and last night decided to buy it. (I should write a separate article on the virtues of full-featured but time-limited demos). The product registration process for Ableton Live is very easy to use, and I think more commercial software vendors should adopt this process.

After making the purchase, you simply start up Live again, and instead of clicking the button to get a trial usage authorization for the demo, there's a link to the Ableton web page to authorize the product. Since I was still in the same browser session as when I just bought the product, I was still signed in and it was able to determine quickly that yes, I had in fact just paid for a copy of the product, and it gave me a link to use to authorize my copy of Ableton.

Clicking on this link took me to a file type that opens directly in Ableton Live (you know when you get that Save / Open with dialog when clicking a file - this one had pre-selected "Open with Ableton Live"). Opening the link authorized my copy of Live.

This was fast and easy. No need to wait for the box to arrive, no need to cut and paste auth codes or type in a lengthy CD key. They have found an easy way to link the fact that I paid for the software (their web site) with the software that is installed on my computer.

Well, it's been two weeks since Facebook launched their new "Live Feed" feature.

Their explanation of this new feature is to allow top news stories to stay in the "News Feed" based on some criteria of interest that Facebook establishes based on your interaction with the site, while fresh stories scroll by on the "Live Feed".

This seems like a plausible explanation, but it leaves me with some doubts.

For one thing, Facebook will revert to showing the News Feed by default eventually, no matter how many times you click on Live Feed.

I suggest there may be an alternate explanation to the new feature, as well as some other changes the site has seen. Scaling problems.

This is only conjecture based on some observations I have made in the past two weeks, but here are some of the observations:

• Facebook reverts to News Feed, which would be much easier to cache and give better performance than the Live Feed.
• The feed no longer auto-updates to show new posts using AJAX like it used to.
• The page shows fewer stories and does not auto-fill when you scroll down as often.