Single Malt Passwords vs. More Bad Ideas

Posted by on March 14, 2012


Howdy y’all-

Can I take a moment here to point out that the above punctuation is in fact correct? “Y’all” is a contraction of “you all” and thus I find the proliferation of “ya’ll” to be Just Plain Weird. Also, “y’all” is plural. Not singular. Please make a note.

And on a similarly important subject, if I ever again read a novel in which a character orders a single malt whiskey (or whisky…it’s island-specific) without specifying anything further, I may discorporate and haunt the author. The whole point, guys, is that single malts exist to help us celebrate, you know, unique and interesting flavors. Or, more often, flavours. So, I mean, what the heck? Glenfiddich and Glenlivet, by the way, might as well be blended. Try the Laphroaig 15-year, or the Lagavulin 16. Take a small enough sip that, by the time it reaches the back of your tongue, it has evaporated or elsewise gone away. Ignore all advice to add water, or Splenda, or manure. Though actually the manure might be interesting. After you recover–this may be painful at first–do it again. One of Lawrence Block’s characters, in a book I very much liked, once either said or thought that, upon considering the first sip of Laphroaig, one wonders why anyone would drink it. But by the tenth sip, one wonders why anyone would drink anything else. Larry’s smarter than I am, and so are his characters, so pay attention.

Okay. I had a conversation a couple of weeks ago with a couple of recent college graduates. They seemed proud of themselves, and as they seemed to be productive young adults, they had every right. But the thing is, and you guys know I’m all about the thing, they espoused a most horrible idea concerning the storage of passwords.

Once upon a time passwords were commonly stored as plain-text in a database. Obviously this caused issues when the database was compromised. Next idea: passwords were stored in “hash” or “digest” form. For the uninitiated, a hash (or digest) is the result of an algorithm that takes input, such as a password, and returns an otherwise-incomprehensible string. It’s a one-way deal, so a document will always produce the same hash, when using the same algorithm, but you cannot generate a document from its hash. Also, a small change in a document produces a large change in its hash. So storing hashed passwords is neat: you see what the user gives you to log in, hash it, and compare. And you don’t store the password at all.

Problem: it’s not too hard to create a table of hashes of common passwords using the most common algorithms. And it’s absolutely possible, in every case, to find or create a password that will match any given hash, once the algorithm is known. Though, yes, in some cases it might be difficult. So progress has been made, but we aren’t done yet.

Next came the “salt”…which is not necessarily passed at the dinner table. A salt could be something like “hi this is david’s most recent rant” which is appended to a password before its hash is generated. No, I don’t know why salts are almost always appended rather than prepended or interpolated or whatever. Deal with it for now & we’ll return to this in a bit.

A salt does something neat: an attacker now has to generate tables of hashes of common passwords with the salt appended. Yeah, I know. So what? Enter the “random” salt. The idea is that a different salt is generated on a per-password basis. So sure, you can generate a “rainbow table” that includes hashes of various common passwords plus salt, but you have to do this for each salt value. Neat! The whole thing becomes more secure!

Lots of applications use this method for password storage. There are standard “plugins” that take all the work out of it, too, which is nice for busy programmers. But…uh…guess what? Given sufficient computing resources & data storage (what year is this again?), lots of user passwords can still be identified. Why is this?

Because the “salt” is almost always stored in the database, right next to the hashed password-plus-salt.

Ow.

So here’s another idea: generate the salt via some application-specific algorithm. Include a timestamp, some weird manipulation of a username or email address, or really any data that is expected to remain constant over the span of time you anticipate interacting with a given user. Don’t store the salt in a database. If you don’t trust your algorithm, heck, use a hash of the weird string it gives you. Don’t store that either. In fact, if your application runs on multiple servers, let part of the data used to generate the salt live on a server entirely separate from the one hosting your database. Require login credentials that are not stored in either your database or your application’s code. Further, cause the server hosting that data to restrict access to a small range of internal IP addresses, making it very difficult for an outside attacker to access it at all.

Downside? It’s harder to build a generic plugin. As it, you know, should be.
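As an added example (not code from the post, and not whatever Scarecrow actually runs), here are the two schemes side by side: the common stored-random-salt scheme, and the post’s derived salt built from the username plus a component held outside the database, together with a check of what a copy of the user table alone lets someone recompute. The server-side secret, the wordlist and the use of SHA-256 are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the data the post keeps on a separate server,
# outside both the database and the application code.
SERVER_SIDE_SECRET = b"constructed-secret-held-off-database"
# Constructed wordlist used by guessable_from_dump below.
COMMON_GUESSES = ["123456", "password", "letmein", "qwerty"]

def _digest(password: str, salt: bytes) -> str:
    # Salt appended to the password, as in the post. Plain SHA-256 keeps the
    # comparison simple; a deliberately slow KDF would be used in practice.
    return hashlib.sha256(password.encode() + salt).hexdigest()

def store_with_random_salt(password: str) -> dict:
    """Common scheme: random per-user salt written beside the hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": _digest(password, salt)}

def derived_salt(username: str) -> bytes:
    """The post's idea: salt derived from user data plus off-database data."""
    return hmac.new(SERVER_SIDE_SECRET, username.encode(), hashlib.sha256).digest()

def store_with_derived_salt(username: str, password: str) -> dict:
    """Only the hash is written; the salt is recomputed at login time."""
    return {"hash": _digest(password, derived_salt(username))}

def verify_random_salt(record: dict, password: str) -> bool:
    salt = bytes.fromhex(record["salt"])
    return hmac.compare_digest(record["hash"], _digest(password, salt))

def verify_derived_salt(record: dict, username: str, password: str) -> bool:
    return hmac.compare_digest(record["hash"], _digest(password, derived_salt(username)))

def guessable_from_dump(record: dict, guesses=COMMON_GUESSES):
    """What a copy of the user table alone reveals: with the salt stored in
    the row, the digest of each common guess can be recomputed and compared;
    a derived-salt row lacks an input needed to recompute any digest."""
    if "salt" not in record:
        return None
    salt = bytes.fromhex(record["salt"])
    for guess in guesses:
        if _digest(guess, salt) == record["hash"]:
            return guess
    return None
```

If the off-database component leaks or the derivation is guessable, the derived scheme degrades to the stored-salt case, so it belongs alongside a slow hash rather than in place of one.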

I have this notion that people who store other people’s data should take some responsibility for it. And, you know, do the work. The guys I was talking to literally would not hear what I was trying to tell them, though. It kind of hurt my brain.

So what’s Scarecrow do about all this? I’m not telling you. Nor did I enlighten the guys I spoke to earlier. I might have dropped some hints, though, if they hadn’t wandered off in a huff.

Remember: single malt is about doing something different and not easily repeated. It is not the same as a blended whiskey. It’s not trying to be.

Okay, I’m done. As always, please feel free to tell me how I’m wrong.


To strive, to seek, to find

Posted by on February 6, 2012


…and not to yield.

Thanks, Jeff. I suppose you know already, but lots of us out here in the world have been watching.

This is a take on Steve Jobs’s death that hadn’t occurred to me. I’m actually more likely to go the other way and work more hours in the near future…but still: food for thought.

This is a short post. Working harder on it seems inappropriate. {8′>


Outages, Overnotification and Ostriches

Posted by on January 21, 2012


I have a problem. I am getting way too many emails trying to remind me, warn me, alert me. I did a Google blog search to see if anyone had sage advice. At the bottom of the page, one link caught my eye: “create an email alert for ‘overnotification’!” Nice. Sounds like a “Yo Dawg!” moment.

The worst part of it? I asked for it by signing up for a bunch of services that email me. People who like to write about business like this guy say things like “What gets measured gets done.” Sure, that sounds sensible. If I track what I eat and how much I exercise, it may help me lose weight. If I put together a budget, I might spend less. But it does seem to be easier to not step on that scale, not draw up a budget, and in this case, not keep an eye on my website.

A few weeks ago, I received a few emails from Scarecrow telling me that one of my websites was down. My first instinct was to ignore them, since they were brief outages, but they kept happening. On January 7th in particular, there were 18 separate outages totaling about 58.30963026 minutes. Yikes. I sent an email to my webhost with the dates and durations of the outages – hoping they could correlate the data with their data and isolate/fix the problem. They emailed me back, and said there have been “…no issues with the server on the dates you mentioned…” Hmm. I looked at the detailed data again and found that the cause of many of the outages was DNS. Because I am using a DNS provider that is not my webhost, it makes sense that the webhost is not seeing these errors – the traffic never got to their server!

Next, I logged into my DNS provider and found they had been the target of a pretty gnarly Denial-Of-Service attack, which started on January 7th. Yay! (Not good that they were attacked, but the fact that they posted openly about what happened and what they learned from the experience is exactly the type of thing that makes me want to keep using their service.)

Is it really better to know? Yes. I get it. It’s better to have the data, than not. Now that I know my website has been unavailable to potential customers, what will I do about it? Turn off all notifications and bury my head in the sand? That doesn’t really work for anyone…not even ostriches.


The Best-Laid Schemes

Posted by on January 14, 2012


…gang aft agley, according to Mr. Burns. As I am a modern & sophisticated human being, that naturally puts me in mind of a character in a John Cusack movie (which one? I dunno) who said something like this: “Some drink from the fountain of knowledge. Others…gargle.”

So here we are. I’ve had a lot of fun with Google AdWords. I learned some interesting things…would you have guessed, for example, that “Files Changed? Server Down?” would attract roughly twice the clicks I got from “Site Hacked? Server Down?”? I sure didn’t. But hey, I changed the text on Scarecrow’s site to match the better-performing ad headline as soon as I found out.

I learned it’s possible to get 57 clicks in a few hours from people using Android devices, for roughly $.15 each, without any way to identify where the heck they’re coming from. And without a single one of them choosing to click on a single additional page once they landed on Scarecrow’s site.

I’m sorry, but I really am wondering right now: do mice gargle? I’m guessing they don’t. But does anybody out there know for sure? How?

Here’s the thing, today: I get better walk-ins. I’d love to be able to test various elements of the site, such as the logo–which I created in roughly 5 minutes in an attempt to irritate a coworker, who then claimed to like it, about which I call shenanigans–but testing is impractical without attracting more visitors, and when the visitors who do come in via the ads are so unlikely to actually pay for the service.

Hey, a couple of weeks ago a Google search on “obvious usernames and passwords” brought up a blog post of mine in the #1 spot. Did I plan that? Did that phrase, before today, actually appear anywhere in this blog? No. But neat stuff like that happens for free. We do pretty well on “contracts are evil” too, which pleases me no end, though nobody coming in through that particular door has actually bought anything. So far.

I think it’d be possible to find sweet spots where paid ads of one kind or another can provide a measurable profit. But I also think managing that may be a full-time job. It’s not actually a full-time job I want, though–I’d rather build something.

The official Cabin Fever plan, therefore, is to spend more time blogging. More time commenting on other people’s sites. Hey, maybe I’ll put up a personal site with a link to buy my novel from Amazon. And a link to this blog too. Whatever.

Oh, and you may have noticed the blog looks a bit different. The Cabin Fever & Scarecrow sites are also getting a makeover–expect it within a week or two. Cabin Fever first…it’s much easier.

Meanwhile, our irregular programming continues. As current users, for those of you who are: what would it take to get you to tell more of your friends about Scarecrow? We’re listening.


Still playing with AdWords

Posted by on January 3, 2012


I’ve heard terrible things about Google customer service. And I may even say some of them myself in a bit. But not today.

Today I called a toll-free number and spoke to a couple of friendly, knowledgeable support staff. I was on hold for a very brief period–less than a minute. I had some general questions, and asked for advice. I got what I wanted. It was neat.

So here’s to you, Google. Though I’d sure like it if you’d send more than one click my way today. I realize yesterday’s mess may have been my fault, but still. More clicks, please.

And “Site Hacked? Server Down?” strikes me as a perfectly reasonable headline for an ad, by the way. Sheesh, it’s on Scarecrow’s homepage. It doesn’t make me a bad guy.

Thanks.
