I’ve been working on facelinkr.com for a long time, but until recently, it’s been very unorganized and unfocused.
The idea behind facelinkr is simple. Users upload pictures of people they haven’t seen in a while, and those pictures are made into one big group photo. They can then choose what to do with it: print it on their own printers, or use facelinkr to have it distributed.
Facelinkr is currently in private alpha and is being used by a small team of private testers.
This site is going to private beta this weekend, and users will be able to request an account so they can give the service a test drive.
Tags: Uncategorized
January 15th, 2008 · 1 Comment
I picked up a book the other day about AI applications programming, and it’s pretty interesting. The fact that a computer can already make informed decisions and learn (to a very minimal extent) is pretty amazing. But what’s next? Are we going to see more and more improvements in AI in the years to come? Are we going to see computers knowing what to do long before we know?
And when I say AI, I don’t mean walking, talking, thinking, and dreaming robots. I’m talking about giving programs intelligence, enough to carry on a conversation with a human, and pass the Turing Test. That would be revolutionary. That would forever alter the way we use computers.
Just think of the applications that strong AI has… It could be implemented into cars to help ensure that drivers get to the places they desire.
Word processors would also be greatly improved. You may never have to worry about grammatical errors or anything else, as it would be able to fix them as you go.
I really don’t think that Artificial Intelligence research gets all the credit it should. It’s going to revolutionize the way we use computers some day. It’s going to change the definition of a computer.
Tags: Uncategorized
If you haven’t already read the first part of this article, head over there now, and have a look for yourself.
Cryptography, Part One.
People are constantly relying on a single function to make their code secure, for example mysql_real_escape_string() for their database interactions and md5() for storing their sensitive data. I don’t agree with this at all, and most other knowledgeable programmers will tell you that it’s a very bad practice.
So what I am proposing is something that I do in my own code, although I also use some creative secrets of my own that I’m not going to share. Sorry.
But for the sake of brevity, I’m not going to get into what the functions do, as I’m sure you already know.
Take the following code example… for example.
<?php
#keep in mind that the salts can be much longer than this
#and they could be much more complex than these shown below
$i_salt = 'sdjSDn45893*&340dsk1#.!fk';
$t_salt = '49nf!kdfj.34dfIJfmAweo43q';
$string = 'mypassword123';
$string = mysql_real_escape_string($string);
$string = md5($i_salt . $string . $t_salt);
$string = sha1($i_salt . $string . $t_salt);
?>
So that’s my proposal for how to safely store passwords and other sensitive data. Of course some could argue that it’s overkill, but when someone’s financial data is on the line, I would take it to an entirely new level. Of course you could get fancy and concatenate the md5() hash with the sha1() hash and then hash those. Then it might make it harder for the attacker to find out what algorithm you’re using.
Another idea would be to break apart the original string that the user provided and use internal salts within the string. Maybe even some that aren’t completely random, just in the rare case that the attacker managed to get it down to a legible string in which the password was visible; he may be thrown off by the salts. You can never settle for mediocre security.
(I, Charles Denault, cannot be held responsible for ignorance. These are simply concepts that you, as the programmer, can work off of.)
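As an added illustration (not code from the original post), the following Python re-creates the fixed-salt md5-then-sha1 chain shown above (the mysql_real_escape_string() step is left out, since it does not affect the digest) and sets it beside a variant with a random per-user salt, which the post does not include. It shows one caveat a practitioner would want to know about the fixed-salt scheme: two users who pick the same password end up with identical stored values, while per-user salts make them differ. The salt strings are the post's own constructed examples.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# The post's own example salts (constructed values, not secrets from any real system).
I_SALT = 'sdjSDn45893*&340dsk1#.!fk'
T_SALT = '49nf!kdfj.34dfIJfmAweo43q'


def chained_hash(password: str, i_salt: str, t_salt: str) -> str:
    """The post's chain: md5 over salt+password+salt, then sha1 over salt+md5hex+salt."""
    inner = hashlib.md5((i_salt + password + t_salt).encode('utf-8')).hexdigest()
    return hashlib.sha1((i_salt + inner + t_salt).encode('utf-8')).hexdigest()

def store_static_salt(password: str) -> str:
    """Exactly the post's scheme: the same two fixed salts for every user."""
    return chained_hash(password, I_SALT, T_SALT)

def store_per_user_salt(password: str, user_salt: Optional[str] = None) -> str:
    """Variant (not from the post): a random per-user salt replaces the fixed inner
    salt and is stored beside the digest as 'salt$digest' so it can be re-read."""
    if user_salt is None:
        user_salt = os.urandom(16).hex()
    return user_salt + '$' + chained_hash(password, user_salt, T_SALT)

def verify_per_user_salt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    user_salt, _digest = stored.split('$', 1)
    return hmac.compare_digest(store_per_user_salt(password, user_salt), stored)

def same_password_collides(password: str) -> Tuple[bool, bool]:
    """For two users who chose the same password, report whether their stored
    values are identical under (fixed salts, per-user salts)."""
    fixed_equal = store_static_salt(password) == store_static_salt(password)
    per_user_equal = store_per_user_salt(password) == store_per_user_salt(password)
    return fixed_equal, per_user_equal


if __name__ == '__main__':
    pw = 'mypassword123'
    print('fixed salts   :', store_static_salt(pw))
    record = store_per_user_salt(pw)
    print('per-user salt :', record)
    print('verify correct:', verify_per_user_salt(pw, record))
    print('verify wrong  :', verify_per_user_salt('mypassword124', record))
    print('collision (fixed, per-user):', same_password_collides(pw))
```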
Tags: Uncategorized
January 3rd, 2008 · 1 Comment
Lately, I’ve been seeing a lot of incorrect usage of the word encryption. Not that the current time has anything to do with it, but it’s probably the first time that I’ve noticed it. Encryption uses an algorithm to create a ciphertext from the cleartext that is passed into the algorithm along with the public key. The ciphertext can be decrypted using the private key that corresponds with the public key used originally.
Hashing, on the other hand, can never be un-hashed to produce a legible cleartext. Hashing uses algorithms that turn a string, big or small, into a fixed-length hash. The popular MD5 algorithm produces a 128-bit hash.
Now that you’ve had a simple refresher on encryption and hashing, we can move on to a more applied subject: storing passwords in a database using PHP.
One thing that I cannot stand is weak passwords. For example, in Dan Brown’s Digital Fortress, he mentions that Susan, who is the head cryptographer at the NSA, is using a 5 digit password on her computer. Any cryptographer would know that using any 5 digit password for anything is just utter nonsense.
But we cannot control the passwords that our users use, so we must do all we can to store them safely, because if someone finds one of their passwords, they could potentially unlock their entire internet life.
This is rather off topic, but it’s important, and that’s why I’m going to share my neat little idea with you.
Suppose that Joe has an instant messenger account, and someone brute forces his password and, after a few hours using a shifty program, finally uncovers it. Now, since they know his password and his screen name, they perform a simple search online. They search for his screen name, and nothing more. What they uncover is a forum where online sales occur. They find that the user is selling stuff and only accepts PayPal. The hacker then could do two things: he could find out the user’s email address and then hope he uses the same email for his PayPal, or he could send him a message through the PM system on the forum and get his PayPal (pretending to be a prospective buyer). He can then simply go to paypal.com, enter the user’s email, and hope the password that he brute forced from his instant messenger account was the same. The hacker has just gained access to his entire PayPal account, and if he was lucky, his checking account, and possibly (very likely) his credit cards.
In a perfect world this may not work, because smart internet users would most likely change their passwords a lot. (I do…) But it’s possible, and it may have happened. (Hopefully no money-hungry hackers are reading this blog right now).
The way we can prevent situations like this from happening is to take our database hashing to the next level, by implementing multi-layered hashing and salting techniques (some of which are pretty damn neat).
The code will be covered in Part Two, which is still in the works, but should be published by tonight.
Tags: General Programming · PHP · Security
It takes a lot to make a website secure, but here we’ll only be discussing the actual code that runs the website; we’ll dive into SysAdmin concepts later on.
In my early days of coding, someone told me that the only thing you needed to do to write secure code was to validate your incoming data. They told me to simply use mysql_real_escape_string() when passing data to a query. They never once mentioned that I should run more checks than that, they never told me that I should validate the data I’m pulling from the database, and they never told me what Cross Site Scripting was. As you can guess, my code was extremely vulnerable, and I found out shortly.
I started looking at other open source code, mainly phpBB. I was fascinated by how their code was written. I thought it was so elegant and very secure (as time went on I learned that this wasn’t always the case). Then something happened in my life. A friend of mine told me that my code “sucked”. He told me that he could hack the sessions, perform an “SQL Injection” (at the time I had no idea what this was), and have my treasured, unbacked-up database on its knees surrendering in no time. As you can guess, I was petrified. I quickly took my site offline, put up a splash page for “maintenance”, and pulled out some books.
I had learned my lesson: it didn’t matter how important my site/application was, there was someone out there who was willing to hack it. I spent a long time obsessing over security techniques, and I was soon creating some very interesting concepts that made session hacking virtually impossible. Or so I thought.
I started worrying that I was spending too much time on my security and that people wouldn’t go to the lengths that I was working on covering up. But after doing some more Googling I found a wonderful resource; for hackers.
I stumbled upon a 20+ page list of different methods to successfully inject XSS code snippets using the whole spectrum of XSS, including, but not limited to, image tags, JavaScript, and encoded strings.
I started learning that I had to code my own sanitizing classes to get the job done properly. I couldn’t simply rely on one function, especially one I didn’t code myself (mysql_real_escape_string()).
The moral of the story is, you have to step back and take all the precautions you can. You cannot always listen to the people on forums and in IRC chats, because half the time they may not know what they’re talking about. You need the mindset and skill of a good hacker in order to write good code, or else your code will almost always be vulnerable.
Tags: General Programming · PHP · Security · xss
That’s right, your design may not be the greatest thing you thought it was. But don’t get rid of it right now, because the person who told you it was horrible may not be the best person to get advice from. When it comes to designing your website/application, looks are very important and can have a drastic effect on overall functionality. But you haven’t lost all hope yet: good designs fail, and bad designs succeed; sometimes. Google and MySpace are two great candidates for this article. MySpace has a horrible layout and design, hands down. Google is pretty controversial though. Their design is so simple that it is borderline ugly, but it’s right on that line.
The design of your site/application is very important, unless you have millions in capital that you’re willing to spend on advertising. I’m going to be completely honest with you today: when I go to a site and the design is bad, I’ll leave even before reading what they have to say. However, my mother couldn’t care less if the site has a nice standards-compliant design. But this is not the main problem; the big deal is when the design starts interfering with usability and function.
When it comes to security, you know that you cannot trust your users to provide anything valid, even if it is by accident, and the same goes for design and usability. You cannot rely on your users to find that link, click that button, or go to the right page. When I design a site/application, I use my mother as the average user. If she can navigate the site, then most other users will. And when I say I use my mother as the average user, I do not mean literally. I exaggerate all her traits to create the ideal computer-illiterate user that may be on my site or using my application.
MySpace recently launched its new and improved layout for logged-in users. In my opinion, it does not give the user any more functionality. It is actually harder to find what’s most important. Here’s the scenario: I have been using the old MySpace layout for three years. The only major changes were increased ads, spam, and errors on the homepage (and when I say homepage I am referencing after you log in). Now suddenly they change the layout, even though they give users the option to use the Classic theme. The original theme, when I registered on the site, had your Top Friends near the top of the page. And my friends are most important to me; isn’t that what MySpace is about? Social networking? Now on the new MySpace layout, my top friends are past the centerfold. I have to literally scroll down almost a page length. I have to scroll past the spammy bulletins, the statuses that haven’t been changed in hours, just to get to the pictures of my friends.
When you design your site, you have to keep in mind two things. What looks nice, and what’s important to the functionality and usability. You need to know what is most important to your users. This is why a lot of sites fail in the design sector, and taking a few little precautions can save you a lot of time in the future. Design does cause a lot of failure, and you need to be aware of this.
Tags: Design
When it comes to writing good solid code, there are a lot of factors that each play an important part. First, from a developer’s standpoint, code should be secure, which includes more than validating input. Good server administration is also extremely necessary, and poor administration actually leads to more breaches than bad code does. Throughout my many years of coding, I have learned a lot about coding, but there is one aspect that is invaluable to me.
Coding standards make life easy, especially when it comes time to deploy the source code or hire more coders to expand on the existing project. Take this little example: you’re working on a breakthrough social web application when suddenly you run into a snag and you need to hire 7 more coders to work on it to ensure it will be launched on the right date. There are two possible routes for this story to go, and I will explore both with you.
Option one, you are a great coder and you write extremely secure code, but you never indent your code, you never use a systematic approach to spacing your parentheses, your conditionals are unnecessarily grouped, and you have several string concatenations that are completely illegible, except to you, the original author. When you hire the new developers, they have no idea what to do with your code and have to spend the majority of their time (which is also your money) trying to understand, and/or add some simple coding standards.
Option two, you are a great (or mediocre, but it doesn’t really matter) coder; you deploy some or all of the best coding standards and include documentation for your standards to ensure the new developers follow them. When your new developers come to work on this project with you, the first thing you do is have them read the standards guidelines, and they will be off to a great quick start. If they code, as they should, within the restrictions of your guidelines, it will be easy for all other developers to develop (no pun intended).
One of my favorite analogies to show people the importance of standards is the old sentence example. Observe: thissentenceishardlylegibleandittakessometimetoreaditproperlyimagineifitwasacomplexpaginationalgorithm.
Compared to this (with proper English grammar):
This sentence is hardly legible and it takes some time to read it properly. Imagine if it was a complex pagination algorithm.
See? Much nicer.
Coding standards also help ensure debugging will be a 2 second job. You will find that you have an extremely reduced error rate, and you will spend less time going back to find that pesky little missing bracket. It may take some time to write your code with compliance to your guidelines, but I promise you that it will make everything easier in the long run.
When it comes time to get down and dirty coding, or straightening up your unstandardized code, there are many ways you can get it done right. Check out other open source projects and look for their coding standards document. It’s usually available for download from their website or it’s included in the download of the source code.
Good luck with the coding.
Tags: Uncategorized
So I was a bit late to post this, but it looks like the iPhone already has a new cousin…
Meizu has made the miniOne, an exact iPhone clone for a cheaper price. I’d buy it!

http://www.meizume.com/showthread.php?t=720
Tags: Uncategorized
Microsoft finally apologized for their Ultimate version of Vista. It was said to have Ultimate Extras but they’re a no show so far. It’s been a pretty big disappointment, but then again so was the whole release!
Here’s the article: http://arstechnica.com/news.ars/post/20070702-microsoft-apologizes-for-ultimate-extras-embarrassment.html
Tags: Uncategorized
I guess I can relate to some of this stuff, but it’s just plain ridiculous. Take a look:

That’s what my desk is shaping up to be.
http://www.scribd.com/doc/32500/Pictures-of-Geek-Culture
Tags: Uncategorized