Me blog pretty

18 June 2009 | By Ian in Misc | 2 Comments

They say clothes make the man, so it stands to reason that the theme makes the blog. After receiving several moans about my blog’s styling, I’ve finally decided to do something about it. No more Kubrik theme for me.

For those who don’t care for the WordPress default theme, I do hope this one is more appealing. For tech and convenience oriented folk like myself, this new theme was easily customizable to support multiple widget bars. Plus, I hear three column fixed width layout is in this year.

10 Rules to Protect User Passwords

01 May 2009 | By Ian in Development, Misc, Opinion, PHP, Rants, Security | 5 Comments

Most programmers take a pragmatic approach to security and scale their efforts based on an estimate of the sensitivity of the data they are storing.

The unfortunate truth is that password security is frequently underestimated, making it easy for credentials to be sniffed or stolen. Users often keep a very small collection of passwords, memorizing a handful and reusing them on almost every site and service they use. A password compromise on one site can therefore lead to a compromise on many.

#1 Only store salted password hashes, not the plaintext password itself

The cardinal rule for handling user passwords is to never store the password itself. You should only store a hash (a one-way cryptographic digest) of the password, salted with a random string at least 16 characters long. When you want to check a user’s login, simply re-hash their input with the same salt and compare it to the hash stored in your credentials table.

#2 Never display a user’s password

There is never a good reason to display a user’s password on a web page.  If they have forgotten their password, send the user through a password reset procedure.  This also includes displaying their password in HTML forms.  Don’t send the user’s password out as the value of a password form field input.  This is almost as bad as displaying it on the page.

#3 Use the password field in forms

On occasion, a site will not use the “password” input field type on a login form.  Any sensitive input acting like a password should be presented as a password input.  This provides basic protections against caching, copying, and prying eyes.  This applies to passwords, PINs, SSNs, and other private authentication data.

#4 SSL encrypt pages where users create new passwords

Prevent packet sniffing password theft by encrypting pages where the users are changing or creating new passwords.

#5 Protect passwords sent over non-encrypted connections

If you can, SSL encrypt any page where a user is sending their password for login.  In places where this may not be an option, consider using javascript to prevent the password from being sent in plaintext.  (More info on this in a later blog post)

#6 Never store passwords in cookies

Many developers don’t consider the fact that cookies are sent by the user’s browser with every request to a domain, including requests for images, CSS, and javascript. All this traffic makes it extremely easy to sniff passwords stored in cookies. Passwords stored in cookies are also easily found by anyone who has access to the computer’s hard drive.

#7 Enforce reasonable password rules

All sites need some basic rules around passwords to keep users from using poor passwords.  However, don’t think you’re doing yourself or your users any favors if you implement rules like setting a maximum password length, requiring users to change their passwords too often, or preventing users from ever re-using a password once they’ve changed it.  

Forcing users into situations like these frequently leads to password post-it notes stuck to monitors or the underside of keyboards.  Sometimes, it even drives site users away (I’m talking about you, sharebuilder.com).

#8 Send confirmation emails when their password is changed

Whenever a user’s password changes, send a confirmation message to their verified email address.  Tangentially, any email address change should trigger confirmation emails to both their new and old addresses.  This behavior helps your users quickly find out when they’ve been compromised, which can limit the damage done by a malicious user.

#9 Never email a user’s password

Many sites feel they are doing their customers a courtesy by emailing them their own password when they change it or sign up. However, if a user’s email account is ever compromised, a simple search for ‘password’ can reveal a treasure trove of passwords, allowing a malicious person to gain access to many more sites and services used by that user. The resulting password list may also be used against any other site that hasn’t emailed the user their password, such as their bank, PayPal, or social networking sites.

#10 Use a proper password reset system

When a user forgets their password, generate a random temporary password and email it to their verified email address.  This should not overwrite their old password.  Instead, it should be set to expire within a reasonable amount of time (a few hours) and if it expires, the old password should remain in place.  If the user logs in with the temporary password, they should be required to enter a new password before continuing to the site.  The temporary password should then be expired and unusable on that account.
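As an added example (not code from the original post), the following Python credential store implements rules #1, #9 and #10 together: only a salted hash is ever stored, the reset path issues a random temporary password that expires without overwriting the real one, and the temporary password is single use and forces a password change. PBKDF2-HMAC-SHA256 and the iteration count are my assumptions, standing in for the post’s plain salted hash; the in-memory table is a constructed stand-in for a database.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value; tune for your hardware)

def hash_password(password: str, salt: bytes = None):
    """Rule #1: keep only (salt, digest). A fresh random 16-byte salt is drawn per
    user; PBKDF2-HMAC-SHA256 stands in for the post's single salted hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the input with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

class CredentialStore:
    """Constructed in-memory credentials table standing in for a real database."""
    def __init__(self, temp_ttl_seconds: int = 3 * 3600):
        self.users = {}
        self.temp_ttl = temp_ttl_seconds  # rule #10: temporary passwords expire within hours

    def register(self, username: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "temp": None, "must_change": False}

    def start_reset(self, username: str, now: float) -> str:
        """Rule #10: issue a random temporary password that expires and never overwrites
        the real one. Only its hash is stored; the returned string is what gets emailed
        (rule #9: the user's real password is never emailed)."""
        temp = secrets.token_urlsafe(12)
        salt, digest = hash_password(temp)
        self.users[username]["temp"] = {"salt": salt, "hash": digest, "expires": now + self.temp_ttl}
        return temp

    def login(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'must_change' (temporary password accepted) or 'denied'."""
        rec = self.users.get(username)
        if rec is None:
            return "denied"
        temp = rec["temp"]
        if temp is not None and now >= temp["expires"]:
            rec["temp"] = temp = None  # expired: the old password simply remains in place
        if temp is not None and verify_password(password, temp["salt"], temp["hash"]):
            rec["temp"] = None  # single use; a new password must be set before continuing
            rec["must_change"] = True
            return "must_change"
        if verify_password(password, rec["salt"], rec["hash"]):
            return "must_change" if rec["must_change"] else "ok"
        return "denied"

    def set_password(self, username: str, new_password: str) -> None:
        """Replace the stored hash with a fresh salt and clear any pending reset."""
        salt, digest = hash_password(new_password)
        self.users[username].update(salt=salt, hash=digest, temp=None, must_change=False)
```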

What’s in store for Google Voice?

21 April 2009 | By Ian in Google, Opinion, Rants, Sites of Interest | 1 Comment

Google Voice is a very interesting service. If you were one of the people (like myself) that got an account on GrandCentral.com before they were bought out by Google, you are now eligible to be part of the Google Voice beta.

It offers a lot of interesting services such as visual voicemail, speech to text, VOIP, free long distance, and many others. However, in order to use most of these, you need to use the phone number Google assigns you. Google can’t be your voicemail provider unless all of your calls are routed through them first.

So are you going to hide your current cell phone number and tell all of your friends and family to call your GV number instead? Unlikely.
I believe it is much more likely that Google is actually moving to become a telephone service provider themselves. That way, you just transfer your phone number to Google and they give you all of the great features of GV along with it. However, in order to participate in LNP (the FCC program that enables users to transfer phone numbers between providers), they must become a wireless carrier.

I know it sounds unbelievable. I am somewhat skeptical myself. It seems like quite a stretch for them to actually get into voice service. After all, couldn’t Google just partner closely with the existing providers and integrate their GV directly into your existing plan? Unfortunately, cellular service providers would probably never play ball with Google this way. GV bundles free long distance VOIP, SMS, and (quite possibly) unlimited airtime.

Many people were skeptical when a search engine company was rumored to be branching into email. There was even more surprise as the rumors of a Google phone came true. Now that they have their own cell phone OS and a fantastic web integration platform, it is not inconceivable that they will take the next step and start leasing tower space.

Google is out to eat the telco’s lunch.

Want to know your Google Voice Number?

19 April 2009 | By Ian in Misc, Rants, Sites of Interest, The Emerald City | No Comments Yet

Google Voice is the long awaited re-release of Grand Central, an online voice communications service. Based on their beta, Google Voice will essentially be a Gmail for voicemails with call forwarding, filtering, SMS, VOIP, and speech to text.

They appear to be assigning Montana area code (406) phone numbers to folks who call or SMS a Google Voice user. I can only assume that the generated number will be your default Google Voice number if you eventually sign up.

If you would like to know your default Google Voice number, send an SMS to 206.855.5330. I’ll reply back to you with your number. Once established, you can start receiving calls at that number that are forwarded to your phone.

Disclaimer: I don’t know if the numbers are permanent, but they appear to keep working after at least two weeks.

Bread & Butter, Home Made

23 March 2009 | By Ian in Misc | 4 Comments

It only took a few minutes in the food processor to turn a quart of heavy buttermilk into one of the tastiest butters I’ve ever had. The transition from creamy liquid into butter is almost instantaneous and is very interesting to watch.

The leftover buttermilk went into a quick and easy batch of bread machine bread. A few hours later, we had a great homemade treat.

Buttermilk costs just over $2 a quart here. The yield was just under 2 lbs of butter. That’s about a 60% savings per pound for a better product than you can buy at Safeway or QFC.

I’ll be making my own butter from now on.

Looking for RSS Feed Sponsors

17 March 2009 | By Ian in Misc, Related sites | 2 Comments

I’m looking for one or more advertisers who would be willing to sponsor the package tracking RSS feeds generated over at Boxoh.com. As it stands, only about 5% of the traffic to the site is via web browsers. Last month alone, I got just under 1.5 million hits to the dynamically generated RSS feeds for package tracking. The Google ads on the web page are hardly reaching my audience.

Unfortunately, commercial RSS advertising systems such as Feedburner will not work as they are geared towards blogs with a small number of feeds to monetize. Since Boxoh delivers individualized feeds based on package tracking numbers, the number of unique RSS feeds is vast.

If this sounds appealing to you, please get in touch with this contact form.


PHP Changelog RSS Feed

09 December 2008 | By Ian in Misc, PHP, Sites of Interest | No Comments Yet

Thanks to the site Feed43.com, I was able to quickly and easily generate an RSS feed to the PHP5 Changelog, a very large page that doesn’t already have a feed.

Check out the PHP 5 Changelog Feed.

Feed43 beats Yahoo’s Tubes service because if a page is too large, it simply truncates it to a usable length. Tubes will simply fail to process a page that it deems is too big.


A Quick Explainer on Tax Brackets

07 December 2008 | By Ian in Finance, Misc, Rants | 2 Comments

It is a common belief that moving into a higher tax bracket will cause you significant financial hardship. People have given away large sums for a tax deduction or even accepted lower pay believing they are actually saving money by maintaining a lower tax bracket. This post explains why this is incorrect and illustrates what a tax bracket transition really means for you.

The Myth
The basic belief is that tax brackets are retroactive and that all income is subject to your highest tax bracket’s percentage rate. The chart below illustrates the tax amounts a person would be subject to if this logic were applied.

[Chart: tax amounts if the highest bracket’s rate applied to all income]

The Reality
Only the income above the minimum amount for any given tax bracket is subject to that bracket’s rate.

For example:
If you are filing single and made $30,000 in 2008 you would be in the 15% tax bracket. Your first $8,025 would be subject to 10% in taxes. The remainder ($21,975) would be taxed at 15%.
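The following Python is an added example, not part of the original post: it computes tax both the correct marginal way and the mythical “retroactive” way, using only the two 2008 single-filer figures the post gives (10% on the first $8,025, 15% above that); the higher 2008 brackets are omitted, so the 15% rate is applied to everything above $8,025 here. Extend the table from the IRS tax tables linked below for real figures.

```python
# Single filer, 2008, as stated in the post: (lower bound of bracket, rate).
# Only the first two brackets are included; the last rate applies to all income above it.
SINGLE_2008 = [(0, 0.10), (8_025, 0.15)]

def marginal_tax(income: float, brackets=SINGLE_2008) -> float:
    """Reality: each slice of income is taxed at its own bracket's rate."""
    tax = 0.0
    for i, (lower, rate) in enumerate(brackets):
        if income <= lower:
            break
        upper = brackets[i + 1][0] if i + 1 < len(brackets) else float("inf")
        tax += (min(income, upper) - lower) * rate
    return round(tax, 2)

def myth_tax(income: float, brackets=SINGLE_2008) -> float:
    """Myth: the highest bracket reached applies retroactively to every dollar."""
    rate = brackets[0][1]
    for lower, r in brackets:
        if income > lower:
            rate = r
    return round(income * rate, 2)

def net_income(income: float, tax_fn) -> float:
    """Income left after tax under the given model."""
    return round(income - tax_fn(income), 2)
```

Under the marginal model, earning one dollar more than $8,025 always leaves you with more net income; under the myth, that extra dollar appears to cost you hundreds.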

This chart illustrates the actual tax breakdown for each taxable income group:

[Chart: actual tax breakdown for each taxable income group]

This detail view illustrates the different tax brackets as they apply to the income of a person filing single. The red line is a reference to help illustrate the slope of the tax amounts below.

[Chart: detail view of the tax brackets for a single filer, with a red reference line]

This final chart illustrates the myth vs reality when one’s income moves from one tax bracket to another. The blue vertical bars indicate the tax brackets. The red zone illustrates the incorrect assumption that your tax rates apply retroactively. The green zone is your true net income.

[Chart: myth vs reality when income moves between brackets; blue bars mark brackets, red zone is the myth, green zone is true net income]

Summary
This post should dispel the myth that your current tax bracket applies to 100% of your income. While taxes are complicated by many factors, this basic rule still applies. Don’t let yourself be fooled into believing that you are actually saving money by lowering your tax bracket. You should make tax-deductible donations as you see fit, but don’t think you’re saving any money by doing so.

More information
IRS 2008 tax tables
Chart source data (Google Docs spreadsheet)

Take Control of Drobo + Time Machine

03 December 2008 | By Ian in Apple, Hardware, Hobbies, Misc | No Comments Yet

The Drobo storage device is a beautiful piece of technology. It is quite possibly the most user-friendly RAID-like device on the market. With very little effort, you can have 3TB+ of failure-protected storage at your fingertips.

The problem with the Drobo is that in order to change its true data capacity on the fly and dynamically share it between multiple volumes, it must create “pretend” volumes in even-sized chunks. 2TB, 4TB, 8TB, and 16TB are the options currently available. This means that if you have 1.2 TB of actual space, the Drobo will tell your OS you have two or more TB.

This isn’t usually a problem except when you are running low on space (the Drobo is good to warn you when this happens) or when you are using the Drobo as a Time Machine storage device. Time Machine will continue filling up a drive until it is almost full.

In this post, I will provide you with a simple approach that will allow you to isolate your Time Machine data and give it room to grow in the future.

Preparation
If you have an empty Drobo, I suggest you format it with the largest size you feel comfortable with. Drobospace has a good article explaining the tradeoffs of formatting with a larger partition size.

Open Apple’s Disk Utility and click the drive icon (not its nested partition(s)) for your Drobo.
Next, click the Partition tab and examine your data volumes. You should see one or more named segments in the Volume Scheme section.

Most likely you have just one large volume here named Drobo. If you already have more than one volume, we will work with the largest one.

Making the Time Machine volume
If you already have a dedicated partition for Time Machine, you can skip to the next segment.
You should see a small resize handle in the lower right corner of the DLP. If not, you have journaling disabled. See the note on enabling journaling below and then return here.

Press the plus button below the Volume Scheme display to create a new volume. Name this volume something descriptive like Drobo Time Machine. Make sure to use the format “Mac OS Extended (Journaled)”.

Next, drag the volume size divider so your new Time Machine partition will have as much space as you can see yourself giving it down the road. I’ll create an 8TB partition and allocate a 4TB volume to Time Machine.

Finally, press the Apply button and let OSX create the new volume. Note that the Drobo may throw some free space warnings during this procedure. This is merely an effect of the OSX partitioning process. This procedure can take a long time depending on how full and how fragmented your Drobo is.

Give Time Machine only what it needs
Now that you have a volume just for Time Machine, you need to shrink it down to just the size you want TM to use for now.

If I have 1.6TB of usable space available on my Drobo, Time Machine will eventually gobble all that up if I leave the new 4TB TM volume as-is. The final step is to shrink that volume down to the right size for now and to expand it only when you are ready.

In Disk Utility, your new volume should have a small resize handle in the lower right corner. Grab that handle and move it up to shrink the volume. I want my Drobo to always have at least 1TB available for usable storage, so I would shrink the TM volume down to 600GB.

Press apply and let the Mac resize the partition. Your Time Machine volume is now the perfect size for your backup needs. When you need to enlarge that volume in the future, just go back into Disk Utility and drag the volume handle down to the desired size.

A word on journaling
If the options to resize or split a partition are disabled in Disk Utility, your drive is either not formatted as Mac OS Extended or has journaling disabled. Having the wrong format type will require a volume reformat in order to continue. No journaling is a quick and simple fix:

Open Terminal.app
Run the command: diskutil enableJournal '/Volumes/My Drobo'
Substitute “My Drobo” with the appropriate volume name.

Once you have completed the volume creation and resizing procedure, you probably won’t need to re-disable journaling. If you have a good reason to turn it back off, run the command: diskutil disableJournal '/Volumes/My Drobo'

There was a time several months ago when Apple Time Capsule devices required connected Drobos to have journaling disabled, but that problem has long since been fixed. Journaling should be enabled on all Mac OS Extended volumes unless you know what you are doing.

For more information, Apple provides an excellent KB article on the topic.

Summary
I hope this explainer proves useful to you if you find yourself in this situation. Please feel free to share your experience in the comments below.

Let Me Google that for You: Mesothelioma

01 December 2008 | By Ian in Misc, Opinion, Sites of Interest | 4 Comments

A co-worker just pointed out a wonderful new tool for those who are frequently bothered by people who would rather ask you question instead of Googling it themselves:

LetMeGoogleThatForYou.com

Aside from being snarky and satisfying, it immediately struck me as a brilliant money maker. Perhaps even the best Google AdSense for Search referral generating tool since Mozilla put the Google search bar in every browser it ships (Mozilla pulled down 75 million USD last year from your searches).

So, next time your cousin wants to know all about mesothelioma, send your response by way of LMGTFY and know that those guys are probably making a good chunk of the $40-$60 CPC the keyword “mesothelioma” commands.

Of course, I am in no way affiliated with LMGTFY. If they aren’t using their site as a Google search revenue generator, they’re missing out.

Update:
I’ve delved into their code and it would seem that they aren’t currently monetizing their searches. Perhaps it is better this way because it might break Google TOS to have their current gag auto-submit the search on behalf of the user.

Still, if you arrived on this page after searching for mesothelioma, I have my own ads that I use to help cover the cost of this and all my other sites. Just sayin’…

Update 2:
Good for them! The site is now sponsored by 37 Signals and they are bouncing traffic through Google AdSense for Search. Unfortunately, the referral version of the search results does not have the pretty look that traditional search results do. However, this does not detract from the original thrust of the site, which is to teach people that they, too, can use the Google.