July 2009 - Stay N Alive

There’s More Than One Way to Store a Password – PerlMonks Hacked

Hackers are in a state of Nirvana, as it would appear they hit the gold mine of programmer passwords in a hack of the popular Perl forum and resource site, PerlMonks.com, yesterday. The hackers claim to have gained access to a database of more than 50,000 passwords, which, insanely, were stored in plain text in the database for anyone to see. They subsequently published the list to several mirrored servers (I can’t find a link to verify, but it’s not something I would publish anyway), along with the following statement:

“There is a really simple reason we owned PerlMonks: we couldn’t resist more than 50,000 unencrypted programmer passwords.

That’s right, unhashed. Just sitting in the database. From which they save convenient backups for us.

Believe it or not, there is actually debate at perlmonks about whether or not this is a good idea. Let’s just settle the argument right now and say it was an idea that children with mental disabilities would be smart enough to scoff at. We considered patching this for you but we were just too busy and lazy. I’m sure you can figure it out yourselves.

This isn’t a bad set of passwords, either. Programmers have access to interesting things. These Perl guys are alright, just a little dumb apparently. A lot of them reuse. You can explore them yourselves, I really do not want to point out anyone in particular.

In case you guys are worried, we did NOT backdoor dozens of your public Perl projects. Honest. Why would we want to do that?

Not worth our time ;)”

It’s unclear exactly who, and how many, were compromised, but the site is recommending that everyone who has previously had an account on PerlMonks.com change their password immediately. In addition, one of the world’s largest repositories of open source code, the CPAN network, has also recommended that its authors change their passwords, as the two sites are evidently connected in some way.

As a Perl developer and CPAN author, this is a bit concerning. It would be one issue if this were just some random group of people whose passwords had been hacked, but this is a database of tens of thousands of developers, probably most with root access to the machines they write code on, and, according to the hackers, many using passwords that are re-used elsewhere. These are the passwords of developers like Chromatic, Brian D Foy, Andy Lester, engineers at major corporations and government entities, and more. The hackers couldn’t have picked a worse server to crack and expose.

I’m baffled at what the PerlMonks developers and admins were thinking storing their passwords in plain text, something that, in my own opinion, is amateurish and should have some sort of repercussions for their lack of responsibility in handling their users’ passwords. Hashing passwords is something that has not only been in Perl since version 1.0, but has also been integrated natively into almost every database environment on the planet. That said, there is no privacy policy that I can see on the PerlMonks website, so maybe the users should have paid better attention. I don’t expect the PerlMonks admins to say that, though. I’m ashamed as a Perl developer, and this gives a huge black eye to the entire Perl community. It only gives further validation to the rest of the world’s claims that Perl is for messy code.
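To show what “storing only the hash” looks like in practice, here is an added example (mine, not code from PerlMonks or from this post) of a salted, iterated password hash with a constant-time check. The record layout, the iteration count and the in-memory hash standing in for the users table are this example’s own assumptions; only Perl’s core Digest::SHA module is used.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(sha256);   # core module since Perl 5.10

# Iteration count is this example's choice; raise it as hardware gets faster.
my $ITERATIONS = 50_000;

# 16 random bytes per user: a unique salt makes every stored digest differ
# even when two monks picked the same password, and defeats precomputed tables.
sub random_salt {
    open my $fh, '<:raw', '/dev/urandom' or die "no random source: $!";
    read $fh, my $salt, 16;
    close $fh;
    die "short read from /dev/urandom" unless length $salt == 16;
    return $salt;
}

# Salted, iterated SHA-256: each guess against a dumped table costs
# thousands of hash operations instead of one.
sub hash_password {
    my ($password, $salt, $iterations) = @_;
    my $digest = sha256($salt . $password);
    $digest = sha256($salt . $digest) for 2 .. $iterations;
    return $digest;
}

# Record layout is this example's own convention: hex salt, hex digest and
# the iteration count, so the count can be raised later without breaking logins.
# Note that the password itself is never written to the table.
sub store_hashed {
    my ($db, $user, $password) = @_;
    my $salt = random_salt();
    $db->{$user} = join ':',
        unpack('H*', $salt),
        unpack('H*', hash_password($password, $salt, $ITERATIONS)),
        $ITERATIONS;
}

# Compare every byte regardless of where the first mismatch is, so response
# timing does not leak how much of the digest matched.
sub same_digest {
    my ($x, $y) = @_;
    return 0 unless length $x == length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

sub verify_hashed {
    my ($db, $user, $candidate) = @_;
    my $record = $db->{$user} or return 0;
    my ($salt_hex, $digest_hex, $iterations) = split /:/, $record;
    my $computed = hash_password($candidate, pack('H*', $salt_hex), $iterations);
    return same_digest($computed, pack('H*', $digest_hex));
}

my %users;   # constructed stand-in for the users table
store_hashed(\%users, 'monk', 'correct horse battery');
print "stored row: $users{monk}\n";
printf "right password: %s\n",
    verify_hashed(\%users, 'monk', 'correct horse battery') ? 'accepted' : 'rejected';
printf "wrong password: %s\n",
    verify_hashed(\%users, 'monk', 'password1') ? 'accepted' : 'rejected';
```

A leaked copy of this table gives an attacker only salts and digests, so the backups the attackers mention would no longer hand over working credentials.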

I hope the PerlMonks developers and admins can make this situation right and not only fix their database, but make amends with the community, and the rest of the world, whose trust they just violated. After this, I’m seriously considering switching to another language for my next project.

Hey Utah, You Have a Tech PR Problem

Those like myself who live in Utah know there is a thriving tech startup community here. From early startups like Omniture, Freeservers, and Wordperfect, to newer ventures like SocialToo, TweetBeep, TodaysMama.com, FusionIO, i.TV (previously number 1 in the iTunes app store), and FamilyLink (the makers of the Facebook app We’re Related, one of the top 5 apps on Facebook), there’s no shortage of innovation in the tech community in Utah. Add to that some very talented investors like Bryce Roberts, co-founder of O’Reilly AlphaTech Ventures, Peterson Partners, the entire Sorenson Capital team, and a vast array of angel investors and private equity options, and there’s no shortage of capital to support that innovation. Unfortunately though, money and innovation are only part of the equation. A company needs eyes. It is extremely difficult to grow a tech company without the attention of Silicon Valley and the technorati out there. So why is it that we so rarely see Utah companies in TechCrunch, or Mashable, or Gizmodo, or even ReadWriteWeb?

What amazes me is the vast amount of attention Boulder, Colorado startups get. I think they know how to generate news, because the main “incubator” (for lack of a better term) of those companies is Tech Stars, and Tech Stars has an amazing success rate at cranking out fairly successful companies in a relatively short amount of time. But I really don’t think Utah has any shortage of tech startups in similar timeframes when compared to Boulder. In fact, our startups in many ways have shaped the internet (the University of Utah was one of the first 4 nodes of the internet, after all). On FriendFeed, I compiled a list of all the tech startups I could think of that either started in Utah and are now flourishing, or that are brand new and working to get off the ground – this is what I came up with:

Of course, that list is just off the top of my head – there are many more that I’m sure will come up in the comments. I look at this list of companies, and I look at the bustling activity of jam-packed rooms full of people at iPhone dev garages, social media developer garages, Tweetups, Social Media Club meetings, Launchups and more, and I wonder why in the world Utah is having such a hard time getting into the tech press of Silicon Valley. Utah has a serious tech PR problem, and I’d like to help fix it if I can.

So why the PR problem? Well, for one, correct me if I’m totally wrong here, but I’m not aware of many tech bloggers in the area who are visible in the Silicon Valley scene and have over 1,000 subscribers, enough to get the word out easily. I’m aware of three right now, and please correct me if I’ve missed you: Matt Asay, Phil Windley, and myself. Are there any more? I think this could change if more people in Utah focused on technology in their blogging. I’ve noticed a trend in Utah recently of many bloggers completely giving up on that, and it’s depressing, personally.

Secondly, those three bloggers (sorry Matt and Phil – you’re going to hate me after this, I know) are not getting pitched by Utah companies. The majority of my blog audience right now, as you can see, is in Silicon Valley and states outside of Utah. Chances are that if you’re reading this you’re not even in Utah, and I think that’s sad, personally. Utah has a huge opportunity to get the attention of its local tech bloggers, which in turn could lead to TechCrunch mentions, TechMeme exposure and more, and it’s not even taking advantage of it. If you run an open source company, you should be pitching Matt Asay to write about you in his Open Road blog on CNet. Phil Windley is also very interested in that (as am I, occasionally), along with interesting startups and people for his IT Conversations podcast. If you’re building a social, real-time, or otherwise just plain cool tech startup, you should be pitching me to write either here or on LouisGray.com, where I occasionally write.


The darker states represent the higher traffic areas to StayNAlive.com

If you run a tech startup in Utah, money is hard to come by these days.  Exposure is easier than you think though.  If you’re hiring an expensive PR company to do this for you, you’re doing it wrong.  You should start by pitching locally, then if that doesn’t work (sorry, like an investor, bloggers have to turn down pitches as well), get on Twitter, build an audience, and most importantly, start your own blog.  If you ever want any advice in doing that please don’t hesitate to contact me.

There are hundreds, if not thousands, of new startups in Utah right now. I don’t know who you are. There are hundreds of tech bloggers in the area, I’m sure, who can easily build an audience and help these startups. I don’t know who you are. I’m not sharing this to boast of my own subscribers, but rather to offer a call for help. Utah, let’s work together to let Silicon Valley know we’re out here. I think if we do it right, we could, and should, very well be considered the next “Boulder” of the Mountain West. How can I help Silicon Valley know more about you?

If you live in Utah, or run a business in Utah, let’s retweet this around so we can help each other out.  Please be sure to share it with your friends.

FriendFeed Opens Up the Firehose to Developers

FriendFeed seems to be staying one (or two or three) step(s) ahead of Twitter in everything they do. Today FriendFeed released their real-time stream of data in beta to any and all developers wishing to write applications. Unlike Twitter, there is no application form to fill out, no NDA to sign, and everything is controlled by simple OAuth. This also means users of FriendFeed-based applications will no longer need to look up their special key and enter it manually, as was previously required.

The real-time stream is based on long-polling to receive near-immediate updates of data from FriendFeed. With long-polling, developers send a request to a given address, which the server holds open until data is ready for that request. The result is real-time data from the polled source, in this case FriendFeed. It is also less server-intensive compared with the push updates Twitter uses for its /track and real-time streams, so in theory it will scale better (and to me it shows the maturity of the FriendFeed team as compared to Twitter’s).

In addition to their real-time stream, FriendFeed released an OAuth solution to developers, enabling users one-click access to the FriendFeed data stream for compatible apps using the platform. SocialToo, my service currently using the Twitter and Facebook platforms, will be using this authentication as well as we integrate FriendFeed into our environment. It will enable simple, one-click login and registration into our system, making it much easier for users to use socially-based applications.

My favorite addition is the integration of social graph data into the stream returned by FriendFeed. Previously, only the list of people a user subscribed to was available via the FriendFeed API. Now, both the list of those subscribed to, and those subscribed to a user are provided, enabling apps like my SocialToo to very soon be able to provide useful analytics around those following you on FriendFeed. Yes, this will also enable auto-follow and auto-unfollow (to keep out spammers) as well if users opt to do so.

Other features released in the API are the ability to upload almost any file attachment to a user’s FriendFeed stream, access to the powerful (and more than 140 character) direct message features of FriendFeed, sharing to multiple streams at once, and more. In addition, FriendFeed is returning the HTML for users and groups, so developers don’t have to differentiate between the two. Hopefully, this will also enable FriendFeed to maintain control of the API and, if you ask me, provide advertising and monetization opportunities via the API in the future as well, which Twitter has completely lost control over.

FriendFeed’s API has proven in the past to be a much more flexible option for developers than Twitter’s, and I think they’re proving that again with the new features. In addition to the features launched today, developers can also customize the requests they send to FriendFeed, specifying query parameters for exactly what information they want to retrieve about users, allowing much smaller and far fewer requests to the platform. This is a welcome sight compared to the Twitter platform, which forces entire requests to pull information about a user and their friends, forcing much larger data requests and higher costs for developers in the end.

FriendFeed is putting the pressure on Twitter with this release. My hope is that developers will see this, and try the platform out, giving Twitter more pressure to fix their own platform issues. If you haven’t tried it, today is the day for Social Platform developers to try FriendFeed’s API.

With No Notice, Twitter Adds More Limits – Password Trouble Ensues

Twitter is up to their old antics of adding limits again, changing the API, and not telling developers as they do so. This morning Twitter released into production new limits around the verify_credentials() method in the API, only allowing users to verify their usernames and passwords through Twitter applications 15 times per hour. The problem is they didn’t tell any of the developers.

Sure enough, searching Twitter (the issues are intermittent), users are having password issues across the Twittersphere, wondering what is going on. It even affected my service, SocialToo, as we were using that method as a backup to verify users were indeed authenticated (and hence enabling us to notify them if they forgot to change their password with us). I e-mailed Twitter, and while very respectful as always, they seemed surprised at the issues we were having. When I asked if it had been announced anywhere they responded, “It wasn’t, no, because [we] assumed (apparently incorrectly) that people were only using this method occasionally.” There has still been no announcement by Twitter on the new limits.

Apparently, on June 29th, new text was added to the Developer API Wiki stating (regarding the verify_credentials() method in the API), “Because this method can be a vector for a brute force dictionary attack to determine a user’s password, it is limited to 15 requests per 60 minute period (starting from your first request).”  The new limits don’t appear to have been put in place until this morning however, as that is when we noticed it at SocialToo.

So if you’re using the verify_credentials() method in your app, you may want to consider finding some other way to be sure your users are verified – I’m happy to announce it here. It now only takes a few runs by only a few apps to hit that limit for each user, and then users are stuck in the water until the next hour is up, until apps begin to adapt to these new limits. That is why we’re seeing the issues across all of Twitter. According to Twitter, the best way is to look for a 401 response code returned in your API calls, as unauthenticated users will return as such when using the API. Twitter only suggests using verify_credentials() for new users. My conversation with Twitter ended with the suggestion from them, “Migrating to OAuth avoids the risk of a user changing her password, FWIW.”
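One way to adapt an app to these limits, following Twitter’s advice above, as an added example of my own rather than SocialToo’s or Twitter’s code: call verify_credentials() only when a user first registers, keep a local per-user budget below the 15-per-hour limit, and treat a 401 on any ordinary call as the signal that the stored credentials no longer work. The HTTP transport is a constructed coderef so the example runs offline; the budget of 2 and the session layout are this example’s assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Twitter allows 15 verify_credentials calls per user per hour, and every app
# the user runs draws on that same allowance. This app spends at most
# $VERIFY_BUDGET of them so a backup check never locks the user out elsewhere.
my $VERIFY_BUDGET = 2;
my $WINDOW        = 3600;

# $http stands in for the real API transport: it takes a method name and the
# user's credentials and returns an HTTP status code.
sub new_session {
    my ($http, $user) = @_;
    return { http => $http, user => $user, verify_times => [], needs_reauth => 0 };
}

# Returns 1 if a verify call may be made now, 0 if the local budget is spent.
sub take_verify_slot {
    my ($s, $now) = @_;
    $now //= time;
    my @recent = grep { $_ > $now - $WINDOW } @{ $s->{verify_times} };
    return 0 if @recent >= $VERIFY_BUDGET;
    push @recent, $now;
    $s->{verify_times} = \@recent;
    return 1;
}

# verify_credentials only for a newly registered user: 1 valid, 0 invalid,
# undef when this app's budget is used up (the caller should retry later).
sub verify_new_user {
    my ($s, $now) = @_;
    return undef unless take_verify_slot($s, $now);
    return $s->{http}->('verify_credentials', $s->{user}) == 200 ? 1 : 0;
}

# Every other call: a 401 means the stored credentials stopped working
# (typically a password change). Flag the account and stop sending the stale
# credentials instead of re-verifying them and burning the hourly allowance.
sub api_call {
    my ($s, $method) = @_;
    return undef if $s->{needs_reauth};
    my $status = $s->{http}->($method, $s->{user});
    if ($status == 401) {
        $s->{needs_reauth} = 1;   # notify the user to update their password
        return undef;
    }
    return $status;
}

# Constructed transport: accepts one password until the user "changes" it.
my $current_password = 'hunter2';
my $fake_http = sub {
    my ($method, $user) = @_;
    return $user->{password} eq $current_password ? 200 : 401;
};

my $s = new_session($fake_http, { name => 'jesse', password => 'hunter2' });
printf "registration verify: %s\n", verify_new_user($s) ? 'valid' : 'invalid';
printf "friends call: %s\n", api_call($s, 'friends') // 'needs re-auth';
$current_password = 'changed-elsewhere';
printf "friends call after password change: %s\n", api_call($s, 'friends') // 'needs re-auth';
printf "flagged for re-auth: %d\n", $s->{needs_reauth};
```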

FWIW, OAuth is still in beta and not yet suggested for use in Production. In their exact words, “For us, ‘beta’ really means ‘still in testing, not suitable for production use’.” In other words, use the Twitter API at your own risk.

You can follow the password problems as they happen in real-time on FriendFeed below:

http://friendfeed.com/search?q=password+service%3Atwitter&embed=1

Twitter Looking to Raise the Dead With Previous Tweets

One of the biggest complaints about Twitter is that it is only a “present-tense” service. To pull up a previous conversation or post, I either have to have favorited it, or it has to be within the previous 3200 Tweets of a user. Anything beyond that disappears forever, or so it would seem. Twitter has previously said they are still archiving these old Tweets, giving comfort to some that maybe their conversations are not gone forever. Today Twitter gave further evidence of that, adding “Get the full archive of a user’s tweets” (under “Users”) to the V2 platform roadmap on their developer Wiki.

While the V2 Roadmap is not set in stone, nor is it intended as an announcement platform for Twitter, it does suggest that some time in the near future we may see access to your previous Tweets open for public consumption. It also suggests that it is something Twitter is currently working on, or has plans to be worked on.

One of the reasons I joined Twitter was that it could be used as a journaling service. It was a public way I could journal the little tidbits of life that perhaps, while insignificant to most, would enlighten and entertain generations to come who would like to learn more about me and my life. It lost that value, however, when I hit my limit of 3200 (or so) Tweets and could no longer retrieve my past posts, thoughts, and conversations. My hope is that Twitter releases this soon and I can again utilize Twitter as an archival as well as a communications platform.

Have an old conversation you just wish would go away? Looks like getting it off your stream may not be permanent after all. Twitter seems to be getting ready to bring back those zombies again. Now where’s Buffy when you need her?

Internet Everywhere – It Starts With Your Startup

As I type this I’m driving on I-90 East somewhere near Madison, Wisconsin (I’m in the passenger seat), finally able to access the internet for the first time in 2 days. We started our trip in Salt Lake City, Utah, where I live, and have since driven through most of Wyoming, South Dakota and Montana. The withdrawals were setting in, yes, but I’ve learned a lot over the previous days – the Internet is advancing, but most people still do not have Internet!

I realized what a terrible state we are in when on Wednesday we were visiting Mount Rushmore and, in front of our eyes, rappellers from Greenpeace began to descend and hang a sign protesting Obama’s position on global warming. I had my telephoto lens and SLR with me, so I immediately began snapping pictures of the entire event as it unfolded and recording video on my iPhone. I had a problem, however – there was no Internet at Mount Rushmore. No Wifi. No Edge. No 3G. Evidently there may have been a connection from some other service, since supposedly Greenpeace livestreamed the event on Ustream, but I have no idea which. I was dead in the water, unable to report what was happening. I was able to call my contact at a local Utah news station to report the news (ironically, they probably had the news before South Dakota even had it), but I had no way of getting them any images or video of the event as it was unfolding. It wasn’t until 3 hours later that I was finally able to find a store with a connection I could use. However, what was the first thing I did? I SMS’d a Tweet to Twitter (a few, actually) telling the world about what was happening. I also called Cinch and recorded my voice thoughts on the event – those went out to FriendFeed and Twitter.

Global warming aside, I think President Obama has other things to consider as well. One of the initiatives he is striving for during his Presidency is the ability for every American, everywhere, to have access to broadband Internet. It’s an interesting initiative, raising the question of whether Americans actually have a “right” to Internet access. However, I think there’s one better initiative President Obama needs to consider that will help towards this cause: businesses should be encouraged to adopt alternative communications platforms that take up much less bandwidth, such as SMS, MMS, and voice. That’s right – we need to take a step back before we can take a step forward.

Others may argue, but one of the major reasons Twitter has been successful has been its support of SMS as a publishing and communications platform. One message of “follow soandso” to 40404 and you have updates coming straight to your phone, no registration necessary, no internet necessary, and just one number anyone has to remember. It’s a powerful concept, and while not used by most people, it has enabled people to post “earthquake!” to Twitter, collaborate and organize around forest fires in the middle of nowhere, report political unrest and more. It’s how I was able to be the first person to report on Mount Rushmore’s protest on Wednesday. This is what brought the media to Twitter, which is what inspired others to join, and even brought Oprah to Twitter. It’s the information, and the quality of information, that can be delivered worldwide which has made them successful – and that would not be nearly as effective without SMS as a simple medium to publish that information when internet is not available.

A Proposal

My first suggestion is for President Obama: We need more measures to make SMS and MMS more affordable for businesses to integrate. It is currently too expensive, without financing, for startups to afford SMS integration into their startup. It’s one reason Twitter removed the previously popular “track” service which allowed you to receive updates via SMS when people Tweeted various keyword criteria. It’s why Twitter has completely removed SMS service in many other countries. It’s why hardly any other competitor to Twitter has been able to integrate SMS at all.

We need tax breaks for people who choose to integrate these “simpler services”. The companies that provide these communication mediums should also receive tax breaks and incentives for reducing the price. Perhaps the government needs to step in a little bit on the costs. In addition, the public needs to be educated about these incentives. Startups should know the potential numbers they could reach by enabling such simpler services in addition to their more broadband-appropriate offerings.

Now I have a suggestion for the startups: consider integration with SMS, MMS, and even voice. Sometimes the numbers may not be so obvious, but if you’re trying to provide information to the masses, the best way to get the quality posts may be through non-internet posting mediums.

Recently Robert Scoble wrote about some stats shared by Thomas Hawk about Twitter and Facebook growing, but FriendFeed remaining stagnant. Let’s lay aside the argument that I don’t think any of the three are even competitors. I think the number one step FriendFeed could take right now that would increase their traffic, reduce the growth of the other two, and put them ahead, is to integrate some of these simpler services. The media will never join unless they can get the “earthquake” and “fire” and political unrest stories they’re getting from Twitter right now. Many of those posts can’t happen if there is no non-internet form of communication.

In addition, imagine if I could send e-mail via SMS. Now, I may not want to have it on all day, but what if I could at least send a quick e-mail when my internet is not working but I do have a cell phone plan? A simple SMS ought to do. Services like Gmail and Yahoo and Hotmail could all provide such a service, and open up to a much wider worldwide audience. I remember that in various towns in Thailand much of the community had no internet without going to the local university to get it. Guess what? They all still had cell phones.

There’s a void in the world right now. It exists in a large part of our nation, in fact, and I think outside of Silicon Valley circles we often forget that. It’s time to step back just a bit and be sure we’re accommodating those without internet access in our startups as well as those who have it.