Two Slashes

I honestly can’t put my finger on why some of the top stories of the past two days are nothing more than reports of people who found random bologna in the EULA of some software they were installing (or considering installing).

Is it just me, or does anyone really care that Safari (until late yesterday) couldn’t be installed on non-Apple hardware?  Is anyone shedding a tear that youngsters shouldn’t be looking up something with a search engine?

No offense, but I think the time of those lengthy legal documents is drawing to an end.  Users ignore them.  Companies (obviously) don’t even bother proofreading them anymore, and instead distribute them without even verifying that their demands and requirements are enforcable.

I myself have had some very interesting run-ins with EULAs over the past few months.  Not that I’m running to alert Slashdot, The Register, The Onion, or any other news source that might care to listen to me (even if they don’t take it seriously), but there’s something going on when companies shrink the viewable area of the agreement to such insignificant lengths that it’s almost a waste of space to even have it there in the first place.

Users click through any agreement displays without reading.  It’s been proven time and time again.  It’s one way malware installs itself without violating laws, it’s one way software companies can get you to bite off more than you originally wanted, and, believe it or not, it’s one way end users are made a joke out of.  Yes, I said joke.  There’s definitely something to be said about a company who can embed a paragraph on getting paid to read the EULA into one of their agreements, and then sit back and wait four months for someone to come across that, all with countless people installing the software and missing their chance at payment in the meantime.

If people aren’t even going to bother to read what they’re agreeing to, perhaps it’s time to dumb it down into a few bullet points.  Heck, make the bullets checkboxes, and you can make sure the user reads each and every one of those (perhaps require one of them to be *unchecked* in the way they’re worded to prevent the same type of clickthrough that occurs now from occuring in the future).  By making the users actually sift through and read everything you’re requiring of them, it will make them understand more of what’s going on.

If you’re a developer, jump outside the box.  Don’t write pages and pages of nonsense nobody (including yourself) ever reads again.  Your users certainly aren’t reading it.  So why not encourage them to, and demonstrate that being careful and paying attention are beneficial?

…you figure out a way to parse apart an old database backup and perform a near-perfect recovery of your site.

Most of my content has now been put back up, though you might need to update your links if you’ve tried hotlinking to them in the past few days, and there’s a gap since this backup was from early February, but most things people would want to read are now back online.  Also, I think the categories might be a bit mixed up.  Not much I can do about that without a lot of manual labor.

However, there is one bigger caveat…there are no downloads available for anything besides the Hamachi hack.  I know this is an issue, and I will go through at some point and correct them.  In the meantime, if you come across a download I haven’t posted, please e-mail me and if I can, I’ll send you the file you’re looking for.

Woohoo!

Since it’s a required part of my curriculum here at school, I’ve been taking a rhetoric class. Recently in this class, we were assigned a research paper on a category of problems in academia, something that we can observe and then propose solutions about. Considering the post topic and me in general, you can probably guess (at least partially) what problems I’m focusing on in my research. This assignment couldn’t come at a better time, as I’ve heard plenty of complaints in particular about password-related issues as of late. You see, the school I attend mandates yearly password cycling, and considering the timeframe at which they hand incoming freshmen their account information, it’s becoming the one-year mark for a lot of people. Mostly, every gripe I’ve heard centers around one of a few major issues:

• The passwords my university requires are much more complex compared to the passwords most people use in their daily lives.
• Most services don’t require password cycles every year, or…ever.
• Since most people keep the same password (or set of passwords) for everything, constantly forcing password changes forces people to forget their password more often since it’s not the same password as other things they use on a daily basis.

While these arguments are perfectly legitimate, the people attempting to use them as rationale against needing to change their passwords also are the same people you find in a typical setting, not groomed in any form of security beyond that of the idea that any password is a surefire protection. (Cue Morpheus’ voice…”Welcome…to the real world.”) Anyway, as part of my research paper, I decided to compare the three pages’ worth of requirements about our university passwords with the requirements used by what I thought to be popular web services. And, after a few hours’ worth of investigative work, I can sympathize with the people who think changing their password is a lot of work. In short, these services, which I thought probably had at least a slight pulse on the idea of security, are grooming their users to be lazy and very unprotective of their data and service access. I’ve put together a table that should at least give an overview of the services I selected (if you have suggestions for more, I can’t promise anything but would welcome the heads-up) and the security procedures they enforce:

The numbers in brackets above correspond to these quick side notes:

1. MySpace’s requirement is an in-between: at least one numeric and one alphabetic character must be included in the password; no requirement is made as to the case of this character, however.
2. Windows Live has two sets of requirements that depend on the services the user accesses. Typically, users only have a six-character requirement, but if necessary due to the requirements of an application they use, Windows Live will force all of upper- and lower-case letters, numbers, and a unique symbol, and mandatory password changes every 72 days. These 72-day password changes are provided as an option to non-qualified users.
3. eBay refused to accept the password ‘aaaaaa’ because it is very poor in security. However, ‘ababab’ works, which means that eBay offers at least a slight security check at registration.

Frankly, I’m very concerned with all of that red, and especially concerned with sites like Amazon, which allow you to store important credit card information in your account for easy checkout, and then allow me to log in with a capital ‘A’. Microsoft even surprises me (though in a good way), if you consider their forced-security dependency to be a good idea. (For once, Microsoft, I like.) Not that these sites and services even compare to the requirements for our university credentials, but it gives you an idea of just how absurd it is. Especially when I throw in the fact that a lot of these places have posted “suggestions” for creating a good and secure password, and then brush them all away in favor of some six-character string. So I apologize if I’m re-iterating what you already know or have seen, but after all of that, I think it’s important that people actually understand what good security is.

• The best passwords are not found in any published or publicly available work, be it a dictionary, your favorite action novel, or some random screenshot you found on Flickr. Don’t use anything important either, like a social security number. And anything personally identifiable or that has a direct reference to your life is out too; that means quit using your aunt’s birthday as a PIN.As one demonstration of coming up with unique but memorable passphrases, try to think of memorable snippets from your favorite written work (you’re probably double-taking right now, but continue reading). Now, develop your own personal algorithm for going through the phrase to select characters (hey, don’t be afraid of punctuation or numbers, because they help too and add uniqueness). For example, try taking the Fibonacci sequence’s digits and pulling those letters out. It sounds tedious now, but if you use the password regularly, your muscle memory will take over and you won’t even realize you’re entering the password anymore. At least, if you use it that regularly.
• NEVER use the same password in more than one place. There IS a reason for this, aside from “the man” trying to confuse you and prevent you from checking your mail; it’s compartmentalized security. If an attacker can compromise one account, and holds a password you use everywhere, you haven’t just handed him one site or a credit card, you’ve handed him your entire life. If that password doesn’t work somewhere else, the attacker’s got to go back to work and start all over again on the new site (if they’re indeed targeting you). If you can’t keep all of your passwords straight, get a trusted and notable password manager, and store your passwords with it. Some suites also provide you the added benefit of randomly-generated passwords like ‘Bs4&nd*D’ - but at the expense that you probably won’t remember them unless you use the application.

Considering these password recommendations are nearly timeless, it only makes me wonder when people are actually going to pay more attention BEFORE something bad happens to them. So quit complaining that you’ve got to change your password. Make it memorable, make it unique, and consider it worthy of a national secret. And for christ sake, ignore the fact that Google isn’t going to check for varied-case characters; force yourself to check for them. And a note to the few, the proud, the WordPress users: WP2.5 RC1 is nice, but I don’t think it’s ready yet. It’s got a few bugs, and I miss my old blue administration panel. I actually think it made more sense doing “Blogroll > Add Link” than “Write > Link” to add things to my blogroll.

It seems that computer users today fall into an almost cookie-cutter fashion. Firefox for web browsing; Winamp, Windows Media Player, or (rarely, but common enough that I mention it) VLC for media playback; uTorrent for P2P, and some AIM client (any of the official client, Trillian, or Pidgin in that order). Of course, while this makes it a lot easier knowing that all of these have a relatively large userbase, this only covers the basic and common tasks people perform every day with their computers. Common being the key word here.

While I’ve seen one or two attempts, I don’t think anyone’s ever actually pulled off recommending some of the lesser-known software; however, niches need to be filled, and someone’s got to do it. The only caveat is that nobody ever actually does. When have you opened your favorite downloads site and actually trawled through hundreds of useless or irrelevant applications to find some backseat freebie nobody’s ever heard of, because it was useful to you? Chances are, you’re probably muttering “never” at your monitor right now.

Sure enough, there are sites like Giveaway of the Day that offer up this rare niche software with surprising regularity; the problem is that they require you to bring your product to them, rather than searching for it and indexing it themselves. (Understandably, this makes more sense given their business model for shareware software, but all the same this means that they don’t actually dig.) Where are those hidden freebies, those things that could be useful to someone, but are never found because they’re the last result on Google, or nobody’s ever thought to go searching for it in the first place?

Given the sheer number of people on the planet at this point (let’s limit that to people ‘with access to a computer’ for the purposes of my example), there’s no problem that hasn’t been encountered at some point that a piece of software couldn’t aid in overcoming. Whether it’s some meaningless, trivial, repetitive task that needed to be done over and over, or some specialized project, chances are someone out there has experienced the same thing, and perhaps they or someone they know was savvy enough to come up with a solution. So it only follows that there are solutions for everything out there; the problem is that these solutions are often buried too deep to be found by more than a select few people.

Forgive me for saying this, but someone needs to get off their backside and come up with a site that shines the spotlight on some of these hidden gems…

So, there was obviously plenty of hype around Orange Box when it first hit. Since Valve has already announced that they’re working on a sequel, I jokingly figured I’d come up with a few names for the next bundle pack they release…and then it hit me.

Valve needs to call the next release the “Cake Box“. Not only would it have Portal and Portal 2, and perhaps another game or two or expansions to current titles, but perhaps they could throw in some lovable Weighted Companion Cube propaganda? Or a piece of cake?

Alright, enough late-night joking for one night. Oh, and Happy Pi Day!

There really hasn’t been much I’ve felt warranted enough attention for me to rant on it so far this week, but I can let you in on a project or two in the works.

First off, I’d like to announce the start of LostCarrier IRC Network. With TechCentric and our partner show BSoD hosting two linked IRC servers, yet sharing so much else, it made sense that we brought the communications aspect (and some smaller side projects from that) together under one name. So, with that in mind, mosey on over to LostCarrier.net for more information. If you’re looking to see what IRC is all about, you’re more than welcome to party on with us. Start your own channel, or join an existing one; the fun can be had either way, and I’ll be around to help if you need it.

I’ve got some school-related projects coming up (one of which I would prefer not talking about at the moment), including what I hope to be an interesting research piece into the use of technology in higher education, and the problems and solutions it presents. Yes, I’m excited because it means I get to rant…even if I have to cite every other argument.

Shameless plugs for my new projects aside, I will be going on spring break from classes later this week and should have some time to work on the site and/or post some of my backlog…I hope. We’ll see.

And remind me to rant about related topics to this at some point.

So, now that my efforts to restore from backups have proven to be a bust (I’m still wondering how that worked out…), I’ve moved on to offering up the first of my queued content for your public consumption.

The morsel of the day is a writeup and application for Hamachi, enabling you to use it in service mode without having to have a subscription, with the help of a rather slick workaround (if I do say so myself).

If you use Hamachi (or even if you don’t), do yourself a favor and at least check it out.

So, after all that waiting, it’s starting to look like recent snapshots of my MySQL database and downloadable crap aren’t going to make it. So, for the second (or is it third?) time in this blog’s history, I get to start anew. I’ll try to restore as much content as I can, but I can’t guarantee everything will survive. (Actually, most crap dated before February should make it…should I choose to restore it.)

Expect me to get a new, more-fitting theme, and do some minor background work before I start producing anything new, or posting the backlog I’ve got.

Consider this “Under Construction, Phase 1b”, I guess.

Edit 1: I’ve at least gone back to one of my favorite themes for the moment (4u from UtomBox). I’ll explain all about why all of my stuff’s not coming back in another post in the near future. In the meantime, hold out as I start to poke about with the content.

Edit 2: I decided that I should post what I can. Which isn’t a lot, but it should be enough to at least get things started. It’ll be appearing post-by-post and page-by-page, so it’ll be a while, but hopefully I should at least get the majority of things put back the way they were.

Edit 3: So, I tried to restore the backup. Turns out it’s incomplete, due to reasons unknown to me. Considering the backup pretty much only covers June to September of last year (again, wtf?), I’m just going to clear it, save for a few documents I think need to be rescued. So, consider this a new day.