OS X has arrived. I will be unreachable for a while. :-)
AOL has started to block access to AIM via Jabber.
Someone managed to convince Verisign that s/he was a Microsoft employee, so now there's a forged Microsoft digital signature out there.
"This wasn't a failure of technology. It was a failure of one particular Certificate authority to follow its procedures," a Microsoft employee said. One particular CA -- who just happens to be the biggest and baddest. But it does highlight that one of the weakest points in any security system is not the technology, but the people who use it.
Recently the students at a local school managed to get a hold of an administrative password that granted them access to the student tracking databases -- with grades, evaluations, and such. How did they get it? A teacher accidentally typed it into the wrong field while a student looked over her shoulder. It took a couple days before anyone thought to change the password.
Just about when I start wondering if maybe I'm just a wee bit too paranoid and perhaps too emphatic about security precautions -- usually when I can detect the fanatical whine in my voice as I rail about what I think should be common sense security -- I hear about something like this and am brought sharply back to reality.
Some time ago, when faced with a user who somehow believed that "Titanic" was a good password (never mind that the title of the single highest grossing film of all time just might be a security risk), I wrote a guide for how to choose a secure password. I offer it for your reading pleasure. Seriously. This is important stuff. It won't deal with the sort of social engineering that fooled Verisign, but it's a step toward eliminating human error in security systems.
::
Speaking of security failures: I can't believe that this happened to me. I'm furious.
Recently I went to the web site of a financial institution with which I have some dealings to check on the status of my account. Fortunately they have a secure server, so I felt pretty comfortable doing this online. I checked the certificate on the login page, and it was good. So I proceeded.
On the second page, the same valid certificate information. Good. But then I look at the URL, and what do I find? My login and password!!!
The idiots have gone to the trouble and expense of setting up a secure server, but then pass critical identifying information in the clear. AAARGH!! It should be so obvious that this is insecure. Why does this ever happen? This is downright negligent.
Naturally I fired off an angry email, somehow (I think) managing to be polite about the whole thing. I left a voicemail with my account rep. I even offered alternatives to the mockery of a security system they've set up. But for chrissakes, people, THINK!
I have received no response from them, by the way.
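Two checks a site owner could run against the failure described above, added here as an example and not part of the original post: flag any login form that submits a password field via GET, and flag access-log requests whose query string carries credential-like parameter names. Even over TLS, anything in the query string lands in browser history, server logs and Referer headers; the HTML and log lines below are constructed, and the parameter-name list is an assumption.

```python
"""Defender-side checks for credentials passed in the URL query string.
Sample HTML and log lines are constructed for this example, not real data."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumed list of parameter names that should never appear in a URL.
SENSITIVE = {"password", "passwd", "pwd", "pass", "login", "username", "user"}

class _FormScanner(HTMLParser):
    """Collect (method, input fields) for every <form> in a page."""
    def __init__(self):
        super().__init__()
        self.forms, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # HTML default method is GET when none is given
            self._cur = {"method": (a.get("method") or "get").lower(), "fields": []}
            self.forms.append(self._cur)
        elif tag == "input" and self._cur is not None:
            self._cur["fields"].append((a.get("type", "text").lower(), a.get("name", "")))

def insecure_forms(html):
    """Return the forms that would send a password field via GET, i.e. in the URL."""
    s = _FormScanner()
    s.feed(html)
    return [f for f in s.forms
            if f["method"] == "get" and any(t == "password" for t, _ in f["fields"])]

def leaked_params(log_line):
    """Return sensitive query-parameter names found in a Common Log Format
    request line such as ... "GET /path?x=y HTTP/1.0" ..."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', log_line)
    if not m:
        return []
    qs = parse_qs(urlsplit(m.group(1)).query)
    return sorted(k for k in qs if k.lower() in SENSITIVE)

# Constructed sample input.
LOGIN_PAGE = ('<form action="/account" method="get">'
              '<input name="login"><input type="password" name="password"></form>')
LOG_LINES = [
    '10.0.0.5 - - [01/Apr/2001:10:00:00 -0500] "GET /account?login=alice&password=Titanic HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Apr/2001:10:00:01 -0500] "GET /account?page=2 HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    print(insecure_forms(LOGIN_PAGE))      # one offending form
    for line in LOG_LINES:
        print(leaked_params(line))         # ['login', 'password'] then []
```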
When I mentioned on the 13th that lots of people had started working on CSS-based page layouts, I took a look at Noah Grey's weblog and thought, "now there's something that you probably couldn't pull off with CSS." I like the design, but just didn't see how it could be done without tables. Well, hot damn, Eric Costello pulled it off. Now I have to rethink everything. I love it!
I'm also pretty psyched cuz I got a new job.
Lots that I could be doing tonight. In particular, I had rather hoped to start in on my commentary on a draft of the State's proposed web accessibility guidelines, and then dig into Steven Levy's Crypto, which is a real page-turner. But no, instead I've found myself poring over Apache's source code to figure out some of the gritty details of how it handles Basic authentication (in particular, what it does with certain encrypted passwords). I make it sound bad, but really it's pretty fun; I'm learning a lot, even if I haven't yet found what I'm looking for.
Ever since the Web Standards Project started their browser upgrade campaign, and an article or two appeared on A List Apart, all sorts of people have been working on and publishing CSS-based multi-column layouts. Eric Costello just published his contribution, probably the best resource for this that I've seen so far. Just as well, too, since although I've been meaning to work on this for months, I know that it'd be months more before I ever got to it myself. I've got my own little projects in mind...
The CSS Anarchist Strikes Again!
Getting Started with XML-RPC in Perl, on IBM developerWorks. Among the best intro tutorials on this subject that I've seen, this really shows how easy it is to use Perl for XML-RPC.
In his Otherland series, Tad Williams has created a character, Dread, with a running soundtrack in his head that can adjust to fit his mood. This is mildly interesting at first but becomes increasingly disturbing as we uncover Dread's violently murderous nature.
Not the sort of thing that I want to remember as I enter the 19th straight hour of this non-stop John Denver medley that's been running through my head. I think it's time that I went to sleep.
::
A while back I converted this site to PHP, primarily as an exercise to familiarize myself with the language. But y'know, I much prefer working with Perl, and am considering switching to AxKit.
One of the many reasons I love Perl: a couple students at MIT have written a cousin to DeCSS (to decrypt DVDs) using only seven lines of Perl.
Basically: fuck you, MPAA. I cannot believe that this DeCSS fiasco has continued to the point it has. Here's the full story on Wired.
::
My coworker John, who has some of the most diverse and arcane interests of anyone I know, pointed me to the Composites Adventure Game, brought to the world by the Center for Composites Materials at the University of Delaware. While describing the game, John did impressions of some "tough-guy" voices. At the time, I thought he'd completely lost it, but they're really part of the game.
The 2001 5k contest is now accepting entries.
O'Reilly's new Peer to Peer book has been released and arrived today, I've started a delightful book about Ancient Israel, I'm tearing through Tam Lin, I've discovered Clay Shirky's web site, I'm volunteering at a Destination Imagination competition tomorrow...and I feel like crap. The cold that beset Kiara some days ago is seizing control of my body. <sigh> I can do nothing but sleep.
Too Much Security is Holding Back ecommerce. Right...