Bloggit's Journal

The Lie of Password Strength Jan. 18th, 2012 @ 05:05 pm
This has been bugging me for a while.

Password security metrics are a lie. I.T. Nazis who insist on them are incompetent. Websites that enforce them are providing a false veneer of security while selling your identity down the river to save money that should have been spent on security.

What?, you ask. How could I be so vitriolic about something as "settled" as, oh, say, gravity and global warming?

Forget all the lies you have heard from "security experts". Also forget everything you think of as truths from them. Now, think back to every security breach you can remember.

The newest, this week, was Zappos.

What happened? Hackers broke into their system and stole their database. Including possibly your passwords, but they didn't guess your password; they just stole it.

In May 2005, GMail was hacked... via JavaScript. Didn't expose passwords directly, but did expose contacts and such. And again, secure passwords weren't part of it.

June 2005, CardSystems Solutions (a payment processor) was hacked and 40 million credit card numbers stolen... via SQL Injection. No passwords, just full names, addresses and card numbers. And no passwords needed to be cracked for the hack.

In 2007, TJX (TJ Maxx, a retailer) lost 45 million credit card records in a hack... by unprotected WiFi and unencrypted records. Again, secure passwords wouldn't have helped.

In April 2007, the AdWords system (a Google division) was hacked into... by surreptitious files being installed. User passwords were stolen. Again, not guessed.

October 2007, Hotmail (Microsoft), GMail and Yahoo passwords were stolen and posted online... due to phishing by look-alike websites taking advantage of a weakness in Microsoft's IE web browser. Again, no passwords were cracked or guessed, just stolen.

April 2011, Epsilon Data Management was hacked and passwords stolen. Not guessed. This impacted customer accounts on Citibank, Chase, Target, Walgreen and Best Buy.

This is just a small sample.  And what does all this mean?  That your password isn't the weak point.

Criminals don't attack the strong point.  If you go to the hardware store, you can pay between $20 and $200 for a lock-set for your door.  The more expensive is harder to pick, and therefore better.  But... criminals aren't picking locks. They mostly go in through unlocked doors, or break a window, or ring the doorbell.  

Similarly, a weak password isn't going to hurt much.  Avoid being super weak, and use a different password for each site (just in case the site gets hacked), and you'll be fine.

Why the rant now?  Because Zappos, after getting hacked and exposing passwords, won't let me use one of similar structure to previously because it's too weak.  Think about that.
  • Zappos, through aggressive stupidity, exposes our account data
  • Then when we try to change passwords, insists we use stronger passwords.
We weren't the problem.

Eclipse and Java - Even More Not REALLY Cross-Platform Jan. 9th, 2012 @ 06:38 pm
Ah, a new Java frustration: Cannot load 32-bit SWT libraries on 64-bit JVM

A few months ago I griped that Eclipse and Java weren't really cross-platform.  The problem is the Eclipse SWT libraries, which are very platform specific.  To some degree, they have to be, if they're going to provide a native UI experience, but they throw away the Java benefits in the process.

This recently hit even harder... Eclipse + Java is not compatible across all Windows 7.  Seriously.  You cannot build one executable JAR (using Eclipse) to run on all Windows 7 systems.

The problem?  That native SWT again.  It's JVM (Java Virtual Machine) specific.  It's for either 32-bit or 64-bit Windows, but not both.

There are a few solutions.  Work-arounds really.  They're unfortunate because each is kludgey, but here are the ones I've found:

Install several JVMs and build custom configurations

This is probably the most traditional (for developers) approach, but my development system is 32-bit. Seriously. Largely because I bought a super-duper extreme high end system back in the early days of Vista and it's still more than enough box, compared to the pain of migrating.

Plus, seriously, that's a lot of work, and would result in a full JAR per target.

Install the 32-bit JVM on the target systems

Okay, this is even worse.  But is commonly suggested on the development fora.  I mean, seriously, you want me to tell my users that they can't use the stock Java that the system came with, and they have to manually find and install a different version?  Sun/Oracle doesn't even make that easy; it's a real PITA.

And most of the time I don't want my users knowing it's running Java.  Nor should they have to download and install a 100MB package to use my tightly-written application.

Hack the heck out of it!

Ah yes, harking back to the good old days when we used machine language because Assembly wasn't optimized enough.  When we cracked game protection as the game, feeling a huge sense of achievement for getting four commercial games onto one 170KB diskette.  

Here's how to hack an executable JAR to convert from Windows 32 (i.e. the laptop your non-techie relatives and friends are using) to 64-bit (what you're using, in the dark, alone.  Wait!  I mean because programming is done late at night and is a solitary activity!  What the zark were you thinking?)
  • Download a copy of the 64 bit (or 32 bit if that's what you're missing) JAR file.
    Today's version du jour (but I repeat myself) is:
    org.eclipse.swt.win32.win32.x86_64_3.7.0.v3735b.jar
    but you should be able to see which it is in your .classpath file.
  • Replace the non-_64 file and rename the new one to the old name.
    This can be done with most archiving utilities.  But  I'm partial to 7-Zip.

So now all you've done is written over the 32-bit version with the 64-bit version, with the same name.  A cleaner way to do this (but takes more time and files) is to modify the classpath (in the Manifest, which is META-INF/MANIFEST.MF) to point to the correct file.

I may write a launching wrapper to do that for us on the fly, since the JAR files are 16MB (the library-in-question is about 2.6MB of that.)  Or of course the file could be external to the JAR and installed as appropriate.

The bugger is that neither Java nor Eclipse provide (as far as I can see) an automatic method for dynamically selecting the desired version.  You'd really expect that to be part of the Write Once, Run Anywhere (WORE - e == "everywhere") mantra.
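The launching wrapper mentioned above, as an added example that is not the post's own code: it checks the word size of the running JVM (not of Windows; a 32-bit JVM on 64-bit Windows still needs the x86 SWT jar), picks the matching SWT jar from a lib folder beside the launcher, and then calls the real main class through a child class loader. The jar name for the 32-bit fragment, the application jar name, its main class and the lib folder layout are assumptions for this example; only the x86_64 jar name comes from the post.

```java
import java.io.File;
import java.lang.reflect.Method;
import java.net.URL;
import java.net.URLClassLoader;

/**
 * Picks the SWT jar that matches the running JVM's word size and then hands
 * control to the real application main class. Names below are assumptions.
 */
public class SwtLauncher {
    // The 64-bit name is the one from the post; the 32-bit name is assumed to follow the same pattern
    static final String SWT_WIN32_X86    = "org.eclipse.swt.win32.win32.x86_3.7.0.v3735b.jar";
    static final String SWT_WIN32_X86_64 = "org.eclipse.swt.win32.win32.x86_64_3.7.0.v3735b.jar";
    static final String APP_JAR  = "myapp-core.jar";        // hypothetical: the application built without SWT
    static final String APP_MAIN = "com.example.app.Main";  // hypothetical main class inside APP_JAR

    /** True when the JVM itself is 64-bit; that, not the OS, decides which SWT jar can load. */
    static boolean is64BitJvm() {
        String model = System.getProperty("sun.arch.data.model"); // "32" or "64" on Sun/Oracle JVMs
        if (model != null) {
            return model.contains("64");
        }
        return System.getProperty("os.arch", "").contains("64");  // fallback for other JVMs
    }

    static String swtJarFor(boolean is64Bit) {
        return is64Bit ? SWT_WIN32_X86_64 : SWT_WIN32_X86;
    }

    public static void main(String[] args) throws Exception {
        // Resolve libraries relative to the launcher jar, not the current working directory,
        // so a stray jar in whatever folder the user started from cannot be picked up instead.
        File here = new File(SwtLauncher.class.getProtectionDomain()
                .getCodeSource().getLocation().toURI()).getParentFile();
        File libDir = new File(here, "lib");
        File swtJar = new File(libDir, swtJarFor(is64BitJvm()));
        File appJar = new File(libDir, APP_JAR);
        for (File f : new File[] { swtJar, appJar }) {
            if (!f.isFile()) {
                System.err.println("Required library missing: " + f);
                System.exit(1);
            }
        }
        // Both jars go into the same child loader: classes from the application jar must resolve
        // org.eclipse.swt.* through this loader, so neither jar may sit on the parent classpath.
        URL[] urls = { appJar.toURI().toURL(), swtJar.toURI().toURL() };
        URLClassLoader loader = new URLClassLoader(urls, SwtLauncher.class.getClassLoader());
        Thread.currentThread().setContextClassLoader(loader);
        Class<?> mainClass = Class.forName(APP_MAIN, true, loader);
        Method realMain = mainClass.getMethod("main", String[].class);
        realMain.invoke(null, (Object) args);
    }
}
```

The important design choice is that the launcher jar contains only this class, while the application and the chosen SWT fragment are loaded together by the child loader. If the application classes were on the launcher's own classpath, they would be loaded by the parent loader and fail to resolve SWT classes that only the child can see.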


Microsoft's approach to memory Dec. 20th, 2011 @ 09:16 am
I run Microsoft Exchange Server (2007) at home.  Recently the entire machine has gotten dog slow.  The processors run at under 22% usually, but RAM is always fully maxed out.  And once in a while weird stuff just starts happening.

Initially I tried upgrading the RAM on the box but ran into another problem; my motherboard is an ASUS P5-variant, but on this one ASUS only allowed four sides of RAM... so with double-sided sticks in there, I couldn't add any more.  Of course they don't tell you this; you find it through spending hours trying to determine why all of the sticks work but not any three or four at a time.  

So back to analysis.

Microsoft Exchange uses store.exe to cache the message base.  That alone was taking all available memory.  And there are some very tricky ways to reduce it, but they aren't supported by Microsoft.  Using one does seem, at least for now, to have improved speed (though not really freed up much memory.)  But here's the odd bit...

Store's cache was grabbing multiple gigabytes of RAM, but there are only three people in the system and two use the system in POP mode... the three mailboxes together have around 180MB... well under 1/5th of 1GB.  So why is store grabbing so much more?

Typical Microsoft.  They don't need that memory and can't possibly use it, but don't want anyone else having it either.  Sheesh.

AdBlock on Bloggit (the revenge of hosts) Dec. 3rd, 2011 @ 07:19 am
Many many years ago, when we had wood-burning computers and some of us could type faster than our modems, back when news came from usenet with hex-encoded binaries and nobody had a GUI or mouse... there were no ads.  Business hadn't discovered the internet yet, and besides, computer geeks were not considered a valuable demographic.  

Now many programs and sites are ad-supported.  I'm fine with that, and try to support the sponsors of work I value.  But not when it's intrusive.  The big bad ones for me are the Vibrant/Kontera ads that pop up, even past ad-blockers, using fancy CSS.  Put a few ads on the right rail, fine, but don't get in the way of the text I'm reading.

There are three mechanisms for controlling ads:
  • Custom hosts files
  • AdBlocking software
  • Pop-up and active content controls (blocking)
The last one is, in my opinion, the least effective.  Blocking javascript prevents a lot of sites from working at all, and fine-tuning to block the pop-over ads is a huge effort.  Plus you're still downloading them, which takes bandwidth (time).

A hosts file is essentially a first-line DNS replacement telling the system that, for example, *.vibrant.com is 127.0.0.1... which is really your loopback and resolves instantly.  This speeds loading up quite a bit because, in addition to not displaying the ad, it isn't loaded (no bandwidth) and the handling of the address is done once.  But this can get in the way if overly broad, and some pages will get into a tight loop retrying it due to scripts.
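A small lint for a hosts-file blocklist, added here as an example and not part of the original post. The sample hosts text is constructed (made-up names under the reserved .test domain). It deliberately includes a wildcard line, because hosts files match exact names only and a `*.something` entry is silently ignored by the resolver, which is one reason a hand-maintained blocklist can seem not to work; it also flags duplicates, non-hostnames and sinkhole addresses that are not loopback.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

/** Lints a hosts-file style ad blocklist for entries the resolver will not honour. */
public class HostsBlocklistCheck {

    // Constructed sample; hostnames are made up (.test TLD) and do not refer to a real network.
    static final String SAMPLE = String.join("\n",
        "# ad sinkhole entries",
        "127.0.0.1  ads.example-adnet.test",
        "127.0.0.1  *.example-adnet.test          # wildcard: hosts files match exact names only",
        "0.0.0.0    tracker.example-adnet.test",
        "127.0.0.1  ads.example-adnet.test        # duplicate of line 2",
        "127.0.0.1  ads.example-adnet.test/click  # a path is not a hostname",
        "127.0.0.1  localhost");

    // Addresses that never leave the machine; anything else is probably a typo
    static final Set<String> SINKHOLES = new HashSet<String>(Arrays.asList("127.0.0.1", "0.0.0.0", "::1"));

    private static final Pattern LABEL = Pattern.compile("[a-z0-9]([a-z0-9-]*[a-z0-9])?");

    static boolean isValidHostname(String host) {
        if (host.isEmpty() || host.length() > 253) return false;
        for (String label : host.split("\\.", -1)) {
            if (label.length() > 63 || !LABEL.matcher(label).matches()) return false;
        }
        return true;
    }

    /** Returns one finding per problem; an empty list means every entry will take effect. */
    static List<String> check(String hostsText) {
        List<String> findings = new ArrayList<String>();
        Set<String> seen = new HashSet<String>();
        int lineNo = 0;
        for (String raw : hostsText.split("\n")) {
            lineNo++;
            String line = raw.replaceFirst("#.*$", "").trim();   // drop the comment, then whitespace
            if (line.isEmpty()) continue;
            String[] fields = line.split("\\s+");
            if (fields.length < 2) {
                findings.add("line " + lineNo + ": address without a hostname");
                continue;
            }
            String address = fields[0];
            if (!SINKHOLES.contains(address)) {
                findings.add("line " + lineNo + ": " + address + " is not a local sinkhole address");
            }
            for (int i = 1; i < fields.length; i++) {
                String host = fields[i].toLowerCase(Locale.ROOT);
                if (host.indexOf('*') >= 0) {
                    findings.add("line " + lineNo + ": wildcard '" + host + "' is ignored; hosts files match exact names only");
                } else if (!isValidHostname(host)) {
                    findings.add("line " + lineNo + ": '" + host + "' is not a hostname");
                } else if (!seen.add(host)) {
                    findings.add("line " + lineNo + ": duplicate entry for " + host);
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        for (String finding : check(SAMPLE)) {
            System.out.println(finding);
        }
    }
}
```

On the constructed sample this reports the wildcard on line 3, the duplicate on line 5 and the path on line 6. The sample also mixes 127.0.0.1 and 0.0.0.0 on purpose: a request to 127.0.0.1 is still a real connection attempt to whatever listens locally, whereas 0.0.0.0 fails immediately, which is why many published blocklists prefer it.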

I also use, on my primary computer (a MacBook Air) and my home dev system (Win7), Chrome and AdBlock.  These types of programs block the request from the browser.  Done well, they work better (and more selectively) than the hosts file.  AdBlock is great, but completely blocks this Bloggit page!  I was surprised to eventually figure that out, by virtue of the page rendering in the Google cache and in Safari; my guess initially was simply that LiveJournal was suffering an outage.  But whitelisting "bloggit.livejournal.com" brings the page back.

On my Android phone, I use "AdFree" from BigTinCan.com.  That blocks local access to ads for the browser (but not Opera, which goes to a server farm anyhow, but which also seems to prevent those pop-ups) and for ad-supported apps and games like Angry Birds.  Makes them much faster.  I haven't yet put any such programs on my Kindle Fire... but I do find the browser ads to take too much real estate on it so that may be coming.

SMP - Roku vs Sony, Costco vs Amazon Nov. 22nd, 2011 @ 02:26 pm
I have pointed out a few times that neither Amazon nor Costco necessarily offer good deals.  But they don't always make it easy to discern; Costco often receives PCs, cameras and electronics with different features and part numbers than everyone else.  For example, their Dell PCs have slightly different components, and the BluRay players right now, in the same price from the same brands, have different numbers with the primary difference being (as far as I can see) that they don't have the latest streaming support (e.g. Amazon Video-On-Demand.)

Roku and Sony both sell devices that enable your system to receive streaming video.  If you have a newish high-end TV or BluRay player, you probably already have most of that functionality, but even then Amazon Video-On-Demand is often an outlier.  For our older plasma, I got a Roku LT, $49 and free shipping from Amazon.  The closest things Costco has are the Roku 2 XS, at $95 with an HDMI cable ($3 from Monoprice.com) and the Sony SMP-NX20 for $70. 

So let's compare them...
  • Roku LT: $50, streams all the standards plus Amazon, HD at 720p via internal WiFi.  Amazon.
  • Roku 2 XS: $99 list (see end), adds Angry Birds, ethernet port, USB (for your own media) and things like a DLNA client you'll probably never use.  $98 at Amazon, $95 at Costco with an HDMI cable.
  • Sony SMP-N20/-N200:  Similar to the Roku in features, adds Component output, digital output, DLNA, ethernet port, USB port and reputedly a terrible user interface.  Does not claim to support Amazon VOD, but reviews suggest it does.
    • The SMP-N200 is $78 from Amazon and many other places.
    • The SMP-NX20 is $75 from Costco, and adds an HDMI cable.  That's the only difference.

So Costco has better prices on the Sony device, which is an inferior device, but hides that fact beneath their proprietary model number. Amazon has the better deal on streaming devices in general, because Amazon has the Roku LT which is less feature-rich but easier/better to use than the Sony, at less money and at about half of the more-featured Roku Costco offers.

The moral of the story?  Don't assume Costco has a good deal.  (Don't assume that about Amazon or EBay either!)
Other entries
» Generic vs Brand Name Flask/Buff
I tend to comparison shop.  Hard.  I analyze, build spreadsheets, determine characteristics and then rate my priority for them.  For example, my post a long time ago on Sambucol/Sambucus.  Recently I did this with three types of items...

Tubular Headwear
The big name in tube-shaped headgear is Buff.  It's basically a slightly-stretchy microfiber tube made in Spain that can be worn as a scarf, skullcap, ponytail holder, sweatband, balaclava, etc.  And, at $24/pop, it seems a bit pricey, especially compared to the $12 (from Amazon) ergodyne work gear "Multi-Band".  Which is clearly a clone and is made in Taiwan.  

So how do they compare?  

The packaging is clone-like, they are the same size, the same stretchiness in one way and lack-of in the other direction, same ragged cutting of the tube... seriously I can't tell a difference.  I wanted to like the Buff more, since I spent more money on it and it's the original, but that additional 40% doesn't buy you much.

LED Flashlights

I bought the Rayovac Sportsman Xtreme and the TerraLUX Lightstar 100.  Both take normal batteries - 1 x AA for the TerraLux and 3 x AAA for the Rayovac.  The Rayovac is larger, feels well enough made, but is much dimmer.  It's rated at 80 lumens instead of the 100 for the TerraLux.  And it shows.  Five years ago, the Rayovac would have been a class leading flashlight, but I prefer my tiny Streamlight over it also... solely because the Rayovac is too large.

Seriously, three batteries and it only puts out 80 lumens on bright?  It is brighter than my standby, the TechLite Lumen Master, but those were like half the price from Costco and are smaller.

All of these lights are nice though, and all better made than the comparably priced Energizer penlight I bought 2.5 years ago.  

Flasks

I don't drink much.  In fact I used to get teased for "stranding" drinks.  But I like good stuff and when we're at a remote event, it's nice to be able to carry-and-share.  So I bought a pair of flasks.  A generic SE stainless flask ($4.25) and an Oggi stainless flask ($11.29.)  They looked similar.

No, excepting the Oggi logo, they looked identical.  The Oggi closes more easily, but I suspect sample-to-sample variation in that.  Otherwise, there are no distinguishing characteristics, and exactly the same seams, stamps and numeric codes on them.

What did that extra $7 get me?  A nice box and a funnel.  Which isn't too bad a deal; a flask funnel is necessary.  But it shouldn't cost 150% of what the flask costs!
» Connecting Outlook 2010 to Exchange 2007
My Exchange setup is a bit unusual; AutoDiscover is not fully configured, mostly because the purpose of my Exchange system is just to enable me my own Android cloud.  No sharing email and contacts with Google.com for me!  

This works fine with Outlook on the Macintosh, which I like much better than Apple Mail/Calendar/Contact mostly because the Apple Mail won't let me accept appointments directly to my Exchange Calendar... although the main reason it's okay on the Mac is that Mac-Outlook is screwed up in its own beautiful way.  

Tip: If your "Server Name" on the Mac isn't working, try...
   https://<your mail server name>/EWS/Exchange.asmx

and your user name is <domain>\<username>

That works for me.

But on the PC connecting Outlook 2010 wasn't so easy.  In fact it was bitterly painful.  So some tips.

Tip 1: Even if you have configured a different Documents directory, Outlook puts files in "c:\Users\<username>\Documents\Outlook Files".  So when it gets fully screwed up, you need to delete from c:\users\<username>\AppData\local\Microsoft\Outlook (or similar) and this other location.

Tip 2: You must change the security option before entering your username and clicking "Check".  Go to "More Options", then the Security tab, and select "Always Prompt" for the login data.  Trust me.  

Then it will let you try more successfully.  If on an internal network, and this is really odd, even if the server winds up being, e.g. "mailserver.servername.local" (which of course isn't what you hope for), you will have to get there by putting in the IP Address, not the name, and then your credentials, at which point it will change all of that to values it won't directly accept.

Again, I'm not saying most or even many people will run into these problems, but judging from a few Google searches, they're not uncommon... and the magic brew is elusive.  This is what worked for me.

» Eclipse and Java - Not REALLY Cross-Platform

I do a lot of cross-platform work.  This week one of my projects has been a Mac/Windows/Android project, in Java.  Unfortunately, I chose Eclipse as my IDE for this, despite the mediocre Android support, due to the generally very good Java support.  Oops.

This fell down when trying to use the IDE in both Windows and Mac.  I'd started on the Mac - gotta love the Mac Air.  Which was fine.

But that project is not Windows-compatible, for two big reasons.
1. The .classpath file hardcodes all the library paths in!  This is really bizarre, and I'm not kidding.  Any proper platform would use a library path, but not Eclipse.  Here are a few examples...

The Mac generated: 


<classpathentry kind="lib" path="/Users/meUser/Dev/eclipse/plugins/org.eclipse.core.commands_3.6.0.I20110111-0800.jar" sourcepath="/Users/meUser/Dev/eclipse/plugins/org.eclipse.core.commands_3.6.0.I20110111-0800.jar"/>
<classpathentry kind="lib" path="/Users/meUser/Dev/eclipse/plugins/org.eclipse.equinox.common_3.6.0.v20110523.jar" sourcepath="/Users/meUser/Dev/eclipse/plugins/org.eclipse.equinox.common_3.6.0.v20110523.jar"/>

On Windows, after a lot of work, I determined I cannot just strip those paths out and set a system variable.  Nope, doesn't work that way.  (Or, if it does, it's not easy to find on Google.)  Instead, I had to change them to...
<classpathentry kind="lib" path="D:/Dev/Java/eclipse/plugins/org.eclipse.equinox.common_3.6.0.v20110523.jar" sourcepath="D:/Dev/java/eclipse/plugins/org.eclipse.equinox.common_3.6.0.v20110523.jar"/>
<classpathentry kind="lib" path="D:/Dev/Java/eclipse/plugins/org.eclipse.core.commands_3.6.0.I20110111-0800.jar" sourcepath="D:/Dev/java/eclipse/plugins/org.eclipse.core.commands_3.6.0.I20110111-0800.jar"/>

Note that these are both in a plugin folder owned by Eclipse.  Why these open-source cross-platform devs can't get the concept of a system library variable is beyond me.

But it gets worse.  Even fixing that won't fix the whole thing, because, you see, the Java interface isn't itself cross-platform enough to load the right JRE stuff.   So you also must swap out 
<classpathentry kind="lib" path="/Users/meUser/Dev/eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.7.0.v3735b.jar" sourcepath="/Users/meUser/eclipse/plugins/org.eclipse.swt.cocoa.macosx.x86_64_3.7.0.v3735b.jar"/>

for 
<classpathentry kind="lib" path="D:/Dev/Java/eclipse/plugins/org.eclipse.swt.win32.win32.x86_3.7.0.v3735b.jar" sourcepath="D:/Dev/java/eclipse/plugins/org.eclipse.swt.win32.win32.x86_3.7.0.v3735b.jar"/>

This is beyond stupid.  We have duplicate entries (path, sourcePath), we have hard-coded absolute paths and we have platform-specific settings, none of which Eclipse can resolve on its own.  

Seriously?!!!
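The edit described above, done by a program instead of by hand, as an added example that is not the post's own code: it rewrites every path and sourcepath attribute that points into an Eclipse plugins folder so that it uses the Windows plugin root, and swaps the Mac SWT fragment for the Windows one. The plugin root and both fragment names are the ones shown in the post's entries; anyone using this would substitute their own, and the output file name is an assumption.

```java
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Rewrites the absolute plugin paths Eclipse puts in .classpath for another platform. */
public class ClasspathRewriter {

    // Matches path="..." or sourcepath="..." whose value points into an Eclipse plugins folder;
    // it does not care what comes before /plugins/, so the two different Mac prefixes in the post both match
    private static final Pattern PLUGIN_ATTR =
        Pattern.compile("(sourcepath|path)=\"[^\"]*/plugins/([^\"]+)\"");

    /**
     * Replaces every plugins-folder prefix with pluginRoot and swaps the SWT fragment
     * fromSwt for toSwt. Everything else in the XML is passed through untouched.
     */
    static String rewrite(String classpathXml, String pluginRoot, String fromSwt, String toSwt) {
        Matcher m = PLUGIN_ATTR.matcher(classpathXml);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String jar = m.group(2).equals(fromSwt) ? toSwt : m.group(2);
            String attr = m.group(1) + "=\"" + pluginRoot + jar + "\"";
            m.appendReplacement(out, Matcher.quoteReplacement(attr));
        }
        m.appendTail(out);
        return out.toString();
    }

    // Root and fragment names taken from the post's own entries; change them to match your installations
    static final String WIN_ROOT = "D:/Dev/Java/eclipse/plugins/";
    static final String MAC_SWT  = "org.eclipse.swt.cocoa.macosx.x86_64_3.7.0.v3735b.jar";
    static final String WIN_SWT  = "org.eclipse.swt.win32.win32.x86_3.7.0.v3735b.jar";

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ClasspathRewriter <mac .classpath> <windows .classpath to write>");
            System.exit(2);
        }
        // Write to a separate file rather than over the original so the Mac project keeps working
        String xml = new String(Files.readAllBytes(new File(args[0]).toPath()), StandardCharsets.UTF_8);
        String converted = rewrite(xml, WIN_ROOT, MAC_SWT, WIN_SWT);
        Files.write(new File(args[1]).toPath(), converted.getBytes(StandardCharsets.UTF_8));
    }
}
```

Run as `java ClasspathRewriter .classpath .classpath.windows` and copy the result into place on the Windows machine. Fed the two Mac entries shown above, it produces exactly the two Windows entries the post ends up with, including the SWT swap.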


» On Independence Day in 2011
My first political post!

The U.S. was, and perhaps will be, a great country.  Why?  Independence.  We used to be able to:
  • Risk everything to make everything
  • Enjoy the fruits of our own efforts (without guilt)
  • Provide a safety-net for each-other, because that's what family and friends do, not the government.
  • Go hungry if we didn't work
  • Make judgments - if you were convicted of a crime, had a child out of wedlock (regardless of gender), didn't stand up for your family, were lazy... you were pushed to the fringes of your society until you were willing to fix it.  (We'd help, but you had to work at it.)  Now that's considered divisive or hateful.
Now we have:
  • Enormous amounts of paperwork for a simple loan.  (It used to be 1-3 pages ~30 years ago, now it's ~100 pages.)
  • Taxes that the IRS can't even get right.  
  • The highest taxes in the developed world (which the current "ruling party" is trying to raise even further.)
  • The highest unemployment rate in many of our lifetimes... partly because "benefits" keep getting extended.  One of my former-friends has been refusing jobs and on unemployment for two years!

» (No Subject)
About a year ago we purchased and had installed a Samsung DMR78AHS dishwasher.  This is a very quiet digital unit with sanitize, stainless exterior, digital face, etc.  In theory, a great unit with a great reputation.

It was great looking and extremely quiet, but we had all sorts of problems:
  • It wouldn't dry well, especially not plastic such as TupperWare.
  • It wouldn't clean well, especially deep glasses or travel mugs.
  • It smelled a bit.
  • The bottom shelf collided with the gasket holder and made it hard to close.
The first two issues were apparently somewhat well-known, a consequence of the trade-offs to make it quiet and power-efficient.  But the last issue was a problem - the bracket was glue-gunned on and simply not-in-place.  So we called service.

It took them about 10 minutes to decide that it was a defect but that they couldn't fix it and would  need to exchange the washer.  And another 70 minutes at our place on the phone with Samsung to figure out what to do about it.  And then a bunch of fruitless calls with Samsung by my wife to work on it further. With Samsung screwing up every which way.  But eventually they decided:
  1. They would REFUND the cost of the dishwasher, since they don't do exchanges and couldn't fix it
  2. But that excludes sales tax
  3. And excludes installation, even if we buy another Samsung.
So we're out $220+ even if we get the same model put in!  (Moral: Samsung warranties are worthless.)

Our dealer, a high-end place, stopped carrying Samsung dishwashers (though they still carry their laundry machines) because of several warranty problems, ours included, in the last year.  Apparently Samsung took a big hit with our model-line, so much so that they replaced it quickly... with a new model line with terrible drainage, smell and cleaning problems.

Anyhow, we did more research and had a KitchenAide put in. Similar features, less digital, but with a food grinder and heating element. It is:
  • Noisier.  The Samsung was really quiet.  This thing makes some noise, even though it's rated quiet.
  • Much better at cleaning.  Everything is as clean as you'd expect/hope-for.
  • Much better at drying.  Everything.
About the same price from the dealer (perhaps partly due to a discount from them for the pain-and-suffering caused by Samsung.)  Come back in a year to find out if it lasts.