So this also proves that, ultimately, this list of passwords was not properly hashed.

People jump up and down and scream that SHA1 and MD5 are broken, but if properly used, they still offer significant password security. One trick is to use salts when storing passwords in the database.

password: 'foo'
salt: '2010-11-16T08:39:05Z - some_random_string$#@!'
password-hash (md5): 14e80778512f578a5fe263abe4b58e9c

that increased the amount of time required to brute-force the password significantly. Also, the use of a database of hashes is largely worthless since each password in the list would have a completely unique hash. for the sake of brute-forcing the data, short passwords don't matter (on the other hand, brute-forcing login to the application is not affected). Having a different salt for each password makes the time spent on each other password completely worthless once the cracker gets to the next item in the list.

to improve that, we can say... hash the result 1000 times in a row. For someone trying to brute force the hash, they would spend 1000x the CPU resources creating the hash. It's mostly not a big deal to run that hash 1000 times when creating the information for the database or authenticating the user.

of course, SHA1 and MD5 are still broken when it comes to file integrity checking (when it comes to tampering) since there are documented collisions. For this case, cryptographic signatures are where it's at. You can guarantee that not only was the file not tampered with, but also that the person who supplied the signature was who they say they were. Gotta love public key encryption.

...you insensitive clod!

8 commands. period. no more, no less. Super maintainable, cross platform and...

bah, who am I kidding?

cars are lame.

friends from out of town don't understand my love affair with being carless. living in NYC, public transportation is spectacular... I just wish it was better outside of the city.

hooray for public transportation!

since moving to NYC in 04, I haven't had a car and it's AWESOME. no more insurance, worrying about people breaking in, parking, oil changes, cleaning it, gas, etc etc etc.

plus I walk like 10x more than I used to. it's great.

I'd get a bike, but I've been hit by a car on my bike in the past and I don't want to deal with that again. I value my safety too much.

The worst thing is that, when it comes to upgrading their browser, their assumption IS valid. They shouldn't HAVE to install a 3rd party browser. I'm not saying that there shouldn't BE 3rd party browsers, but the browser that comes with your OS should at least work properly.

One of my semi-techie friends saw those Chrome commercials and said to me "you told me that google was NOT a browser, but look, it is! You don't know what you're talking about!" I seriously think that it's a conspiracy to confuse consumers lately. Between confusing branding (Motorola Droid vs HTC Droid Incredible vs Android OS vs "Droid Does" and this whole 4G thing) and confusing metrics that are difficult (if not impossible) to explain to non-technical users (4MP vs 8MP camera, it's possible that the 4MP takes better pictures... and the difference between 4" and 5" display, when the 4" has higher pixel dimensions). And don't get me started on the difference between a fast internet connection, fast network connection, fast computer and fast browser.

So now you have uninformed users throwing terms around that they think they understand, you've got companies leveraging these misunderstandings to sell overpriced, sub-par electronics, and all these inexpensive electronics that you buy every year that are incompatible with each other (chargers, data cables, etc).

Keep consumers in the dark and confused so you can sell them whatever you want.

Although I still feel that way, I've been forced on several occasions to make things look and function in IE (8 or newer only, luckily). One customer hounded us to get their site working in 6, and after we spent a week building a system to detect the browser and output different HTML and were only 1/2 done, they changed their minds.

It's sometimes difficult for non-technical customers to understand that each version of IE is a different beast and requires you do do much of the front-end work over again for each version.

If it was up to me, I'd just say that we don't support IE, but a good chunk of windows users on the public internet have not installed an alternate browser. I just don't get it.

DRM-free, too. Although they won't play on the likes of the 360. Luckily I have my machine connected to my TV so I can watch Hulu/AdultSwim/Southpark/iTunes shit.

I think iTunes "rentals" are full of DRMs, but I don't see any value in that, especially since I have the netflix.

My old Nokia fell out of my pocket whilst riding the roller coaster (Medusa) at Six Flags. It fell about 30 feet onto the sidewalk and the only issue with it was that the casing kinda split a little and the bottom 4 rows of pixels on the screen stopped functioning. I stuck some tape on the thing and it kept chugging along for about another 6 months before finally failing.

I have a feeling that this part hype, part inept programmers who don't actually understand SQL, or database optimization.

This is part of the problem... similar to PHP, most people learn some examples that teach some bad habits right off the bat (sticking SQL in your view, etc) because it's so easy to get started, but you've gotta get a grasp on the tech before you can do anything big.

Also, I feel that one of the root causes of the hype is that SQL and RDBMSs in general don't solve all your problems and sometimes get in the way of your application design. Between rigid schema definitions and the SQL language that has a bit of a learning curve when you start dealing with nested queries and handling shards/partitions/etc, I think that's the reason we're starting to see more non-RDBMS databases.

At work, we had a project that we started building on MySQL, but was falling short because we were constantly making schema changes. We begun to build a system where we could have arbitrary attributes attached to arbitrary objects, but then our queries were getting REALLY nasty. We discovered MarkLogic which is an XML database server and uses XQuery to query the data. We were ingesting around 100MB of XML a day, and we needed to be able to handle just about any XML that went into the system. MarkLogic was a natural fit since we needed to put XML in and we wanted XML out most of the time.

We're still using MySQL for tracking the ingestions and managing the frontend to the system (which is built on Rails), but having XQuery at our fingertips has been a godsend.

There's a lot to be said about new technologies that solve needs and get around shortcomings of the more ubiquitous technologies, but, as with anything that people see as a solution, it's not a silver bullet. You've gotta be careful not to get trapped in "everything looks like a nail" syndrome.

It really depends what kind of service(s) you're launching on the cloud. If you're building generic infrastructure to cover some area of the market that AWS doesn't cover well or at all, then you may be in for a rude awakening in the future. This doesn't mean that such a service should not be built, it's just that one should realize what kind of risks are involved when developing something like that.

There are plenty of services that build on top of AWS that will probably be safe from competition well into the future. Those include services that are very specific such as Heroku's Rails app hosting, which will actually benefit from additions such as this MySQL instance type and the price cuts of EC2.

Also, when building apps that essentially turn you into a reseller of AWS services, although there may come a time when amazon starts competing directly with you, you've got your app built. If you built it properly, it should not be difficult to re-wire your backend to utilize some other service or build your own cloud infrastructure. If you're big enough and have the necessary capital, it may actually be a cost savings to do such a thing.

The "try before you buy" excuse ... Pure bullshit. Honestly, it's difficult to take people that say these things seriously.

Being someone who has done his fair share of pirating, I have another theory about this.

I, and other people I know who pirate games (Xbox360, wii, etc) will actually download and install/burn EVERY piece of software that comes out. I have friends who have binders and binders of games that they never play. Frequently, we play even less of the game than would be available on the demo.

Now, this correlates with the article in that it's only been a week since they released the title and they're having an 80% piracy rate. This is because these people are downloading and installing every single game that's coming out, playing it a bit, then moving on to the next game. Assuming that piracy was unavailable, I doubt that they'd have even tried this game.

I think the guy is jumping the gun on his conclusions and should wait a month or two and post and update on his piracy findings. I'm certain that the numbers piracy rate will drop.

New York - Central Park

I actually just saw one of these guys today at Rockefeller Center:

http://www.flickr.com/photos/spike666/4017224220/

If anything, it shows that you can work in a highly regulated field that moves a LOT of money around at a LOT of locations with HIGH security.

I agree 100%.

Much like working in the porn industry (on the tech side, I mean), they [generally] use the latest and greatest of technologies and practices for security. The gambling industry was one of the first to utilize large deployments of quantum random number generators among other, similar technologies.

Personally, I think that when it comes to quality of experience, I think banks, porn and gambling companies are at the bleeding edge of tech and the exposure to their technologies will make you a better developer.

I'll take "when hell freezes over" in place of "once in a blue moon" any day of the week.

I agree completely, although I have seen systems breached because of mismanaged keypairs, misconfigured applications, and mismanaged permissions. Even without password logins, an insecure PHP script could potentially obliterate that layer of security.

I've gotten into the habit of chmod'ing my keypairs to 600 (and chmod'ing the .ssh directory they live in as 700) ever since a php script was exploited to fetch the keys on a friend's server. I know Redhat/CentOS is smart enough to not allow that, but it's still a real threat especially on shared boxes. You've also got to be careful about the authorized_keys2 file.

I'm a huge fan of SELinux although I find that it requires the sysadmin to be SERIOUSLY on his toes when configuring everything. You really need to know what you're doing or things will randomly break and you'll be left scratching your head.

I went to an Amazon's AWS talk in NYC a couple months ago where they brought some start-ups in to talk about their projects, the cloud and how the cloud helped them build their applications faster and better. During the opening talk, the speaker showed some use-cases, one including the New York Stock Exchange and how, at the closing bell, they provision over 3000 EC2 instances to crunch numbers overnight to be ready for the next morning.

A guy from a startup that I was talking to before we were seated was talking about how his company keeps between 5 and 10 instances up all the time for their application (dynamically bringing them up and down to scale with demand) and how they frequently had 4 and 5 sets of these servers running on the side for testing (20-40 instances at a time). He was talking about the metrics they were using to keep track of their use and how it was flawed due to the fact that they had hundreds of instances a day going up and down all the time.

Just because 50,000 instances are started per day doesn't mean that those 50,000 instances are running for any period of time. I frequently bring up an instance, tweak some things, create an image, then bring it down... or bring up an instance to test something for 20 minutes, then bring it down. EC2 has really benefitted my QA/Testing/Experimentation in that I really have an unlimited pool of resources to play with. It's a much more robust system than I have at home with VMWare... vmware was a gamechanger for me since before that, I had 2 physical servers at home and stacks of 40GB and 60GB HDs with multliple versions of OSs on them.

Of course AWS isn't for everyone. EC2 can be expensive for what they offer and the biggest advantage to AWS's services are that they are on-demand and work really well with applications that need to scale up AND down in real-time. If you've got an application that doesn't require to-the-minute scaling responses, it's less expensive to get a physical dedicated server with Xen on it and create your own virtual infrastructure... although if you don't have the skills or time to learn the tools, then AWS offers a much better learning curve.