blog | archive | November '05

9:47am, Tuesday November 29

Google indexing Flickr

My site traffic from Google images has jumped considerably in the last couple of months. Pre-September I had no links through from Google images and in October and November I had ~800/month. The links also corresponded to a big jump in bandwidth so it wasn't just Google changing their headers.

It seems like there have been some changes at Google Images, the most interesting one being that it now features my Flickr images. If I search for tags I've used at Flickr like, for instance, tube signs, then lo, one of mine is now at the top of the results.

The interesting thing is that whilst Google used to pay a *load* of attention to the filename of the image, these searches don't correspond to anything in the filename, only the tags. The next image along from it has a filename that actually includes the words "tube signs" and yet ranks lower.

It makes sense for Google to be indexing Flickr but it's still a little cheeky. It would be interesting to see some of the server stats from Del.icio.us.


1:07pm, Monday November 28

Storing third party passwords - a question

A question...


I'm no security expert but I can still see that the rise of web-services is going to lead to some serious vulnerabilities.

Any developer worth their salt hashes passwords when storing them on a server. Ideally this will be a one-way hash so that even if someone cracks the database they still can't see the password.

What happens though when your website also accesses data from several other websites - perhaps it provides an interface to your del.icio.us or flickr accounts. Being a helpful sort of chap the designer of aforementioned tertiary-service lets you save your passwords for these accounts so that you don't have to log in again every time you open up his new uber-site.

There's a problem though. When he stores your Flickr and del.icio.us passwords, he can't do a one way hash because he's got to use them to get back into your Flickr/del.icio.us accounts. Normally you might MD5 a password but the whole point is that md5_password isn't much help when you need to actually login. Solution - a two way (and hence fairly pointless) hash that makes it less obvious that a database column contains passwords.

Not a great solution though, is it? I've been mulling this over for ages and have come to another solution. I'm sure this is a time-tested security technique but since my knowledge of security is less than others', I'd be grateful for confirmation.

Could passwords be securely stored by using the unhashed password for the tertiary service (all-my-accounts.com) as a salt to encrypt the third party passwords? Doing this means that a password is never stored in its entirety. On login to all-my-accounts.com the server then briefly decrypts the stored passwords, despatches them to flickr/del.icio.us to get a cookie/session id and flushes all unencrypted info.

Passwords are only ever on the server in an unencrypted form during the initial login and even then they're never written to a file or database.

Does this work or is there something I've missed?
12:38pm,

Security

Last year I got a call from my mobile phone company asking me to go through security with them so we could have a chat. Not having any information to indicate that they were in fact my bank, I refused.


Ben Metcalfe made a post about exactly the same issue (which I can't find to link to) a little while back citing exactly the same objections I had a year ago - making people comfortable with giving out their security details to a random caller is paving a big, well-lit path for phone phishing.

I pointed this out to my credit card company when they too called asking for my details today. They did at least acknowledge the issue but said that the level of cracking was too low to make it a problem. Not perhaps the most forward approach to security but I can just about see their logic.

I don't know how easy it is to masquerade phone numbers but this approach could be solved very easily by banks issuing customers with a number that they will always call them from (withheld doesn't count).

Everyone has caller ID on their mobile so asking a customer to store the bank's number under - "MBNA Official" would confirm their authenticity when they call. Equally, requiring that the bank produces a password to identify itself (as British Gas workmen do) would also make cracks considerably harder.

This reminds me of a thought that I had a while back. RSS presents an interesting solution to the phishing problem. RSS is essentially a pipe between you and the publishing party. If you encrypt that pipe and add a password then it's a closed pipe.

Use a customer-unique URL for the feed (firstdirect.com/customer2343245/secure_messages) and you have a standards-based route for sending secure information to a customer and an interface (their reader) that alerts them to that message. Whether people can be taught not to expect messages in their email is another matter but it does at least solve the problem of requiring a customer to be pro-active in checking their messages (I can't check mine unless I log in to my account via the webpage).

4:08pm, Thursday November 24

Big names coming to London

Ryan and Gillian Carson have another event in the pipeline and this one looks to be very interesting. On the lineup are:

  1. Joshua Schachter - Founder of Delicious
  2. David Heinemeier Hansson - Lead developer at 37 Signals (creators of Basecamp, Backpack, Ta-da List and Writeboard) and creator of Ruby on Rails
  3. Eric Costello - Flickr
  4. Steve Olechowski - COO of FeedBurner
  5. Shaun Inman - Mint
  6. Tom Coates - Yahoo! and Plasticbag

It costs £75 and I'm signed up.
http://www.bd4d.com/blog/2005/11/24/carson-workshops-summit-the-future-of-web-apps/
4:05pm,

Developer job in London

I promised to put this up ages ago - Ed, please accept my apologies. From Mr Dowding:

---------------------------------------------------------

Very experienced and clear thinking developer needed to join the team on www.communitysafe.org

We are a small but very fast growing company with established relations with both the public and private sector.

Candidate must have a very solid understanding of software structure, testing procedures, agile development, OOP, javascript, database design and optimisation. Superlative CSS skills would be a bonus, as would experience of development for mobile platforms. Relevant degree preferred but not required.

The position is a very varied one that involves working across many different programming areas. Your ideas and input will always be greatly valued - we're only looking for someone who brings intellect and insight.

The company is growing quickly at the moment, so the right candidate will soon have a few junior developers working with him/her.


SUMMARY:

Required:
- PHP
- MySql
- (X)HTML, CSS, Javascript, DOM

Desirable:
- Apache / MySQL / PHP administration
- Experience of scaling applications
- Mobile platform development (eg Blackberry, Palm)
- Linux administration
- XML / XSLT / XPath


4+ years experience required.


Salary:
- £30-40k per year neg. depending upon experience
- regular pay reviews


No agencies.
Must be available for work in Bristol at least 2 days per week. Work from home a possibility for the right candidate once working practises have been established.
Must be able to work from home on rare occasions (eg emergency out of hours support.)


Anyone interested in this position should please forward relevant materials (esp URLs), a summary bio or CV, and a brief covering letter to jobs [at] commmunitysafe.org



ABOUT CITYSAFE
==============
CitySafe is a powerful, integrated set of proprietary web-based, secure communication tools enabling Enterprise Business Continuity Security personnel to more effectively prepare for and manage emergencies and other disruptive events.

Within the United Kingdom, CitySafe IRIS powers ‘CommunitySafe London Extranet’ (www.communitysafe.com), which provides emergency planning and real-time business disruption information to London businesses. In partnership with the City of London Police, the Corporation of London, London Prepared (a government inter-agency team created following the US September 11 attacks), and the ESRC Domestic Response to Terrorism programme.

4:36pm, Thursday November 17

iTunes

What sort of drones are designing the Windows software strategy at Apple? iTunes on Windows is a whole hunk of messy software. It runs slowly, it freezes and worse, it's not very good at keeping its house in order.


I've now been told on three separate occasions that one of my iPod directory files is corrupt and as a result my iPod now doesn't update. Explanation/instructions - "please run the chkdsk utility". Who exactly thought that asking users to run a boot-utility is the correct error message and why on earth hadn't it backed up sensitive files in the first place?

Not to despair though - there's *yet another* iTunes update available. Only a 33Mb download. 33Mb? Who on earth are they kidding. Most people won't bother with an incremental update and my delicate wireless connection won't even make it through the time it takes for a 33Mb download.

Get it together Apple. Stop letting marketing-monkeys write your software and stop eroding your brand. Give us software that works. If you don't then you will eventually see your users turn into someone else's users. iPod Ubuntu anyone?
3:48pm, Tuesday November 15

The foibles of users

Having read the MS RSS team's vow to only accept well-formed XML I felt I had to offer a comment of appreciation for a difficult decision but a grown-up attitude. In writing the comment I was reminded of one of the chapters from Joel's Best Software Writing. (If you haven't read the book, read it, it really is excellent.)


If you haven't read it or even if you have it's worth glimpsing at the chapter (cartoon) I was reminded of - still so funny.
10:10am, Monday November 14

Laszlo mail

Clearly things are changing. With the resurgence of Javascript and the un-blacklisting of Flash, web apps are becoming a realistic alternative to their desktop equivalents. I got to have a play with Zimbra at EuroOSCON and it was very good. Today I see that Laszlomail has finally put up a demo and it too is very impressive. Laszlo is a mail client built in flash and it seems to give great performance.

However, seeing both of these while writing my own app reminded me of something I thought of a long while back, which was that it would be really nice to have a good webservice for spellchecking.

Rather than having to build all of the back end of spellchecking it would be so much easier to register your client with the service behind the scenes and then pump requests to and from your and their servers. Better still would be if the consumer did actually know about aforementioned service and you could enter their username and tap into their personal spellcheck-exceptions.

I assume this already exists, could anyone point the way?


4:17pm, Saturday November 12

Test post from Flock

Just seeing how this works....

1:10pm, Tuesday November 8

A Unicode challenge

Not a teaser this time but a real world problem that needs you.

I know nothing about character encodings. I know enough to have read Joel's piece and vowed that it's something I should definitely know about but not enough to have actually made tracks to aforementioned wisdom.

Today I am reminded of that vow by the gentle sting of my ignorance biting me on the bum.

For the last couple of days I've been coding keyboard shortcuts into my application. I want users to be able to change their keyboard shortcuts and to enter them into a preferences file. All good except I don't know how to map from the event.keyCode value to the Unicode value of the character in the preference file.

See my worries in a little AJAX (aka bait) demo here: keystrokes and keycodes (Non IE browsers only)

My problem is that I really don't see what the Javascript event.keyCode property actually maps to in terms of real characters.

Could someone who knows more than me about this please put me out of my misery and tell me how I can connect event.keyCode to String.charCodeAt() to Unicode?
6:40pm, Thursday November 3

Venkman profiling charter?

Does anyone know of a charting component for the Venkman javascript debugger?

I'd like to be able to take the profile data that it generates for scripts and display it graphically. Can't find anything on the web but would be interested to know even if there's a parser which will put the data into XML / CSV etc. and let me display it in Excel or similar.

If I don't hear any replies then I'll probably write a parser in Javascript and stick it up here. Watch this space...
11:24am,

Bug in GMail

Has anyone noticed that the number of unread messages in the left hand nav menu doesn't always update properly at the moment? It must be a new batch of code because it's always been rock solid before.

Kudos to the Goog for making bugs newsworthy.
11:16am,

enfin

Finally Tiscali have reconnected my broadband. After patiently waiting three weeks for them to transfer my account I phoned up to enquire where the service was. Ten minutes of Indian hold music later and they tell me that their understanding was that I didn't want my account transferred to my new address because it wasn't the 2Mb I'd originally signed up for (the exchange only supports 500k here).

That's right guys, change my address, leave my live account at the old one and I'll just soldier on with dialup. Or then again maybe not. Seriously, if they want to subsidise the cost of transferring an account by cutting customers off for a month (but still charging us) then that's their prerogative but at least give us the option to pay for a faster reconnection.

Turns out that the "15 working days" (quickest it can possibly be done sir) it takes to switch your line can actually be reduced to "10 real days" but only when they realise they've really boo-booed. What a surprise.

Webkitchen is Peter Nixey's blog and website.

Originally from the UK, Peter is now in San Francisco and CEO of Clickpass a startup working to make single-sign-on and OpenID both website and consumer friendly.
