
Why Photobucket rules and ImageShack drools

October 31st, 2007

Filed under: UI, usability — mike hall @ 2:15 am

When I started writing this blog, I hosted the images in my posts on the same server that hosted the blog. A little later I started hosting the images off-site in the name of increased load speed (load balancing across servers), keeping the bandwidth usage of my server down, and keeping the images in a separate location in case I wanted to change my blog’s host (which I did: blogger -> wordpress -> my own host). I started using Photobucket simply because I had heard of it before and it seemed easy enough to use. Well, not too long after I moved all my images to Photobucket, I found a comparison of various image hosting sites. The comparison showed that ImageShack had a higher bandwidth limit per image per hour. Since I’m a plan-for-the-future kinda guy, I thought I’d investigate ImageShack a little more. I signed up for an account and started using it for my next post. Halfway through uploading my images, I just quit and went back to Photobucket. ImageShack just took too many clicks.

Here’s how I upload an image to Photobucket and get the URL:

1. Log in (if I’m not already):

2. The next page you come to has a few edit fields for uploading new images and also lists the last several images that you uploaded. From here, you can browse to or enter the local path of the image(s):

3. Now the image is uploaded and appears in the uploaded image list. You simply click (not double click, just single click) on the edit field containing the newly uploaded image’s URL and you’re done:

To accomplish the same thing with ImageShack, I do this:

1. Log in (if I’m not already):

2. Click on “Upload Image”:

3. A little popup dialog appears. From here, you can browse to or enter the local path of the image (only a single image can be uploaded from here):

4. After the image has been uploaded, it appears in the uploaded image list. From here, you need to right click on the image:

5a. If you click “View Image”, you’ll see a page showing the photo. You can then right click the image and copy the image’s location:

5b. If you click “Share It”, another popup dialog appears with various fields that you can then manually select the photo’s URL and then copy it:

Both websites have a multiple image upload, but since I rarely need to upload more than two or three images at a time I can just use the simple image upload. Either way, uploading a single image is immensely easier and faster to do in Photobucket than in ImageShack. There may be a simpler path in ImageShack that I’m not aware of, but I haven’t found it. And even if that’s true, then that’s another strike against ImageShack; it would prove that it’s not easily discoverable either.

Sure Photobucket doesn’t have the prettiest or fanciest UI, but if we only look at pure ease of use and speed of uploading process, Photobucket wins hands down. If we don’t count login and if we use the mouse to do everything, Photobucket needs five mouse clicks to upload a single image. ImageShack requires eight mouse clicks (plus one to return to the main page, which Photobucket does not).

Flickr is another popular image hosting site, but I encountered similar problems there. It took nine clicks (plus one to return to the main page) and loaded numerous pages in the process. I know there are some tools to make this easier, but I can’t see how any of them can beat Photobucket’s great ease of use and single page to do everything I need to do.

Yet another thing I love about Photobucket is the format of their URLs. Since I have an account there, I already know the format of the URL of each image I upload. It will be:

http://i183.photobucket.com/albums/x294/mike6024/<filename>

I can write up my post and fill in all of my img src’s before uploading any of the images. You can’t say the same about Flickr or ImageShack. So based on all that…

Why in the world shouldn’t you use Photobucket?

Who’s voting for you?

October 29th, 2007

Filed under: privacy, rights — mike hall @ 8:04 am

Lawrence Lessig, known for his work on copyrights, recently posted on following the rules, where he discusses when it’s done, why it’s done and why it’s not done. To help illustrate his point, he posted a video of a news segment (which I’ll also include here) on the Texas legislature and their blatant disregard for the rules (rules that they themselves voted on).

It’s pretty disgusting how the laws are getting increasingly strict for regular citizens who vote, and increasingly harsh on regular citizens who bend the rules when voting, and then to have our lawmakers act like this. Then to top it off, state representative Riddle tries to justify it all by saying how grueling their schedule is. It’s pretty incredible. What I would like answered is how we are to ask our senators and representatives to make a difference when they may not even be the ones casting their own votes. Admittedly I don’t know how widespread this problem is, but it seems that we need our own lawmakers to start following the rules before we can ask them to help pass and enforce laws on our behalf.

Always communicate status… just don’t lie about it

October 27th, 2007

Filed under: UI, UI foible, coding — mike hall @ 12:04 am

I recently received a new PC at work (that 1GB of RAM just wasn’t cutting it) and today I finally got around to installing Visual Studio 2005. Shortly after I started the install and UAC graciously allowed me through, I saw this dialog:

It’s telling me that it’s doing something, but other than the wait cursor, I don’t know if it is actually doing anything. It may be frozen. It may be in an infinite loop. I just don’t know. Not very user friendly. An updating list of what it’s doing or the constantly updating text showing the current task would work. Even a status bar in marquee mode would be better than nothing at all. At least I know the dialog is actually doing something. Then suddenly a regular progress bar appears with the text “Gathering required information..”:

Great. Now it’s gathering information? What was it doing before when it was in limbo? After it’s done gathering required information, I get a timer telling me the time remaining:

But the time remaining to do what? The “gathering required information” progress bar completed, so it can’t be gathering required information anymore. Now I’m just being shown the time remaining, you know, in case I need to know how much time before I’m shown the next confusing bit of UI.

So first I had 7 seconds remaining, then 9, then 13, then 10, then 15, then 12, then 9, then 10, then 7, and now 0 seconds. Boy, I’m glad that wasn’t confusing or misleading. Not to mention the displayed time remaining didn’t really reflect reality at all. And now I have 0 seconds remaining… and I’ve had 0 seconds remaining for the past 45 seconds…

I’ve talked before about ui foibles involving communicating status via checkboxes, but this is a different beast altogether. This is simply communicating wrong status, communicating incomplete status and communicating no status… all at the same time. You don’t need to tell the user everything. Sometimes you just need to tell them the overall task. Sometimes you need to tell them a little more. But you always need to tell them something valuable. So just remember…

when communicating status to the user, do it extensively, do it truthfully and do it appropriately.

The importance of password complexity

October 24th, 2007

Filed under: security — mike hall @ 11:33 pm

Coding Horror’s Jeff Atwood posted today about Elcomsoft’s new technology, which uses your video card’s GPU to increase the speed of its password cracking by a factor of 25. A factor of 25 is nothing to sneeze at; however, that 25 is quickly dwarfed by the orders-of-magnitude increase in the time it takes to crack your password when you start adding characters and complexity to it. Basically, it all boils down to some tried and true laws in the security world:

Don’t use short passwords with a small character set.

Short single case passwords are simply insecure, but there are several good ways to increase the security of your password:

1. Use multiple words. It can be a sentence or a simple phrase. It can be a lyric from a song or your favorite quote (unless you’ve already posted that on FaceBook of course). It’s something you already remember, so why not use it here too?

2. Mix in some numbers and special characters. You can use l33t sp34k and substitute similar numbers or special characters for their alphabetic equivalent. You can add in punctuation or substitute characters 4 words. It’s easy + not that hard 2 remember.

3. Use a different language. If your first language is English, use Spanish, French or one of the other Romance languages. Dictionary attacks aren’t real productive if the bad guy is using the wrong dictionary! Better yet, use a relatively unknown language. As long as it’s using the Latin alphabet, it’s fair game for use in passwords. That would even include something like romanized Japanese. You could learn a few words to create a passphrase that’s relatively easy to remember and virtually impossible for anyone to guess.

4. Don’t use short passwords! As much as you may want to believe it, eight characters aren’t enough. With Elcomsoft’s new technology and an eight character password you have:

	52^8 / 200,000,000 pps / 60 / 60 / 24 =  3.1 days

So you have to change your password every three days. Ten characters offer a little more of a cushion:

	52^10 / 200,000,000 pps / 60 / 60 / 24 / 365 =  23 years

And with twelve or more… well, you’re pretty much set for life:

	52^12 / 200,000,000 pps / 60 / 60 / 24 / 365 =  61,973 years

On the flash drive I carry on my keychain, I use TrueCrypt with a password 21 characters long. That may seem unreasonable but using all the principles above makes it very manageable.

5. For website passwords, mix in the name of the website or domain in some formulaic manner. If you’re creating a password for your shiny new profile at Virb, intermix a common password starting point with “virb”. For instance, say you like gargoyles. You could do something like:

g   a   r   g   o   y   l   e
  v   i   r   b   v   i   r
- - - - - - - - - - - - - - -
g v a i r r g b o v y i l r e

…where you repeat either the domain or the starting point until the other is done. Another method is taking the domain and applying a transform to it. Say our transform was 1 key to the lower right, then 3 keys to the right with edge wrapping. If we applied that to our account at delicious, we would end up with nhx'u'a;b
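The arithmetic from item 4 as a small calculator (an added example, not code from the post). It takes the character-set size as a parameter, so the 52-letter figures above can be compared with other sets, and `speedup_vs_extra_chars` shows why a 25x faster cracker is swamped by a couple of extra characters. The 200,000,000 guesses per second figure is the post’s.

```python
# Brute-force exhaustion time for a password of a given length over a given
# character set. Defaults follow the post: 52 symbols (upper- and lower-case
# letters) tried at 200,000,000 guesses per second (pps).
SECONDS_PER_DAY = 60 * 60 * 24
SECONDS_PER_YEAR = SECONDS_PER_DAY * 365
DEFAULT_PPS = 200_000_000


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def exhaust_seconds(charset_size, length, pps=DEFAULT_PPS):
    """Seconds to try every password in the keyspace at `pps` guesses/second."""
    return keyspace(charset_size, length) / pps


def exhaust_days(charset_size, length, pps=DEFAULT_PPS):
    return exhaust_seconds(charset_size, length, pps) / SECONDS_PER_DAY


def exhaust_years(charset_size, length, pps=DEFAULT_PPS):
    return exhaust_seconds(charset_size, length, pps) / SECONDS_PER_YEAR


def speedup_vs_extra_chars(charset_size, extra_chars, speedup=25):
    """Ratio of the keyspace growth from `extra_chars` more symbols to the
    cracker's `speedup` (the GPU's 25x). Above 1 means the extra characters
    outweigh the faster hardware."""
    return keyspace(charset_size, extra_chars) / speedup


if __name__ == "__main__":
    for length in (8, 10, 12):
        print(f"{length} chars from 52: {exhaust_days(52, length):,.1f} days "
              f"({exhaust_years(52, length):,.0f} years)")
    # Constructed comparison: all 95 printable ASCII symbols.
    print(f"8 chars from 95: {exhaust_years(95, 8):,.1f} years")
    print(f"two extra letters vs a 25x GPU: {speedup_vs_extra_chars(52, 2):,.1f}x")
```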
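The two per-site schemes from item 5, written out as code (an added example, not the post’s). `interleave` reproduces the gargoyle/virb diagram; `keyboard_transform` assumes a US QWERTY layout with three letter rows and, since the rows are staggered, assumes that stepping off the bottom row lands one key further right on the top row, which is the reading that reproduces the post’s delicious result. Both schemes are deterministic, so anyone who learns one derived password and the scheme can derive the others; the base word is the secret.

```python
# US QWERTY letter rows, including the punctuation keys that share those rows.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl;'", "zxcvbnm,./"]
_POS = {ch: (r, c) for r, row in enumerate(QWERTY_ROWS) for c, ch in enumerate(row)}


def interleave(base, domain):
    """Alternate characters of `base` and `domain`, starting with `base`.
    The shorter string repeats until the longer one is used up."""
    if not base or not domain:
        raise ValueError("both strings must be non-empty")
    n = max(len(base), len(domain))
    out = "".join(base[i % len(base)] + domain[i % len(domain)] for i in range(n))
    # When the base is the longer string it finishes the password, so the
    # domain character appended after its last letter is dropped.
    return out[:-1] if len(base) > len(domain) else out


def keyboard_transform(text, right=3):
    """Move each key one row down (wrapping from the bottom row to the top),
    then `right` keys along that row, wrapping at the row's edge.
    Assumed reading of the post's "1 key to lower right, then 3 right"."""
    out = []
    for ch in text.lower():
        if ch not in _POS:
            raise ValueError(f"{ch!r} is not on the letter rows")
        r, c = _POS[ch]
        r2 = (r + 1) % len(QWERTY_ROWS)
        # Assumption: the staggered bottom row wraps to the top row one key
        # further right (c -> r, not c -> e).
        c2 = c + 1 if r == len(QWERTY_ROWS) - 1 else c
        row = QWERTY_ROWS[r2]
        out.append(row[(c2 + right) % len(row)])
    return "".join(out)


if __name__ == "__main__":
    print(interleave("gargoyle", "virb"))      # the post's Virb example
    print(keyboard_transform("delicious"))     # the post's delicious example
```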

Anyway, those are just a few ways to strengthen your passwords. Use just one of them for a little bump or use them in combination for extra insurance. It’s up to you to set your own password policy. So…

What password methodologies do you use?

One social network to rule them all

October 23rd, 2007

Filed under: social — mike hall @ 3:47 pm

We all know there’s a multitude of social networking sites out there. Some focus on customization, some on messaging, some on embedded applications.

Well there’s another nice one out there called Virb:

It focuses on music and sharing music with your friends. It also includes the standard messaging, photos, videos and music that the rest of these sites support. Heck, even digg has some basic social networking built-in, so why shouldn’t every other site too? Anyway, Virb is now pretty polished and with a little CSS action you can end up with a very nice looking profile:

The problem is that no one I know is using it. I currently have zero friends on Virb. I would love to transition my social network over to Virb, but there’s the ever present chicken or egg dilemma here. No one wants to switch to Virb, because no one they know is on it. You would need a mass exodus from another site in order for it to be useful and effective. I often wonder about the possibility of one-social-network-to-rule-them-all:

It would be able to handle messaging to and from heterogeneous sites, setting status and presence, integrating the previously uploaded photos, videos, and mp3s, and all the other common social networking functions. However, you would then need to give it your username and password for all the social networking sites you want to integrate. I don’t want to give FaceBook my email password to import contacts let alone all my social networking site account info:

So is this even an option? This type of site would endlessly need to add support for more and more social networking sites as they get created… unless of course, this site became the new site du jour. The thing is that if I don’t even want to give FaceBook my email password (even if I just gave it a temporary password and then changed it again), where does that leave us?

Update: Apparently, this is already in the works:

SuperSociety, a social networking technology firm, announced today its plans for adoption of a new service that will target existing social networks and communities, like FaceBook, Myspace, and YouTube, and link them together using a single login platform.

I signed up at SuperSociety to see for myself, but didn’t see anything like what was promised yet. I suppose time will tell…

Advancing government surveillance

October 23rd, 2007

Filed under: eff, privacy, rights — mike hall @ 1:12 am

We know how the telecoms were involved with the surveillance by the government. Well, last Thursday the Senate advanced legislation to give telecoms immunity for helping the government in these illegal activities… immunity not just for future involvement, but for their past involvement as well. This is nothing but bad. Thankfully, the mainstream media is giving its two cents’ worth. Here are some excerpts of the excerpts:

[Telecom immunity] is not primarily about protecting patriotic businessmen, as Mr. Bush claims. It’s about ensuring that Mr. Bush and his aides never have to go to court to explain how many laws they’ve broken. It is a collusion between lawmakers and the White House that means that no one is ever held accountable.

All those who deliberately broke the surveillance laws should be held to account. If not, we are simply inviting more privacy abuses in the future.

Just because he’s the president doesn’t mean he can do an end run on the Constitution, and ignorance and fear of political retribution isn’t an excuse for violating our rights.

And to make a bad situation worse, it was recently uncovered that these privacy invasions had begun well before Sept 11th, which was the commonly held impetus for all of this:

Until a few days ago, it had been widely assumed that the Bush administration began its secret surveillance of citizens’ telephone calls and e-mails in the aftermath of the terror attacks of Sept. 11, 2001. That was bad enough, given that the law requires government agents to first obtain a court warrant before spying on communications. But new court papers indicate that the illegal spying might have been going on for months before 9/11.

Now it appears that 9/11 may well have been used to cover a program that was in place months in advance, when there was no good argument for warrantless surveillance.

Death and destruction from OpenID

October 17th, 2007

Filed under: OpenID, privacy, security — mike hall @ 3:37 pm

There has been a blog post floating around recently which discusses the many pitfalls of OpenID. The article breaks the problems down into seven areas: security, privacy, trust, usability, adoption, availability and patent. There are some valid points and some not so valid points. Many of these issues are simple policy issues; they can be resolved by implementation decisions by the OpenID provider. Let’s dig in a bit…

1. Security

The main problem here is that of phishing. You’re trusting that the site you’re at will faithfully send you to your OpenID provider and not some man-in-the-middle masquerading as your provider. However, as I’ve shown before, VeriSign PiP doesn’t allow referring websites to redirect to the VeriSign site in order to log you in. You already have to be logged in. So as long as users know of this behavior of the VeriSign PiP OpenID provider, they can’t be phished by phony redirects.

2. Privacy

This one breaks down to recycling of user ids and providers being able to track every site you use your OpenID at. Also, there’s the issue of what happens if your provider gets hacked and all your login history gets exposed. Gary Krall, the technical director of VeriSign PiP, has told me how they don’t recycle user ids for this very reason. And there’s no reason that other providers can’t do this as well. The usage history (which I talked about here) is kind of a mixed blessing. It allows you to see if your OpenID has been compromised, but also allows your provider to track your every move when using your OpenID. Sure, all this information may be in a central location, but is this really any worse than what we have now? How often do you reuse the same username and email (and maybe even password) when registering from site to site? How much information can a google search already return on your activities? And I would expect OpenID providers to take more precautions and be much more secure than some run of the mill web 2.0 website that I have an account at.

3. Trust

Here it’s the problem of trust and identity and which is required for which. This is another case where the provider could verify your real identity when issuing OpenIDs, but they simply don’t. This may be a case where people are trying to make OpenID deal with more than it’s designed to. OpenID is meant to let you prove that you own an identity, similar to an email verification loop. It’s not supposed to be able to prove that the identity is actually you. That would most likely require an offline action.

4. Usability

Here the claim is that using OpenID is no easier than using a password manager and that using OpenID is actually a double login since it doesn’t fill out your account information for you at each website. In this case, OpenID is more convenient because its very existence removes the need for a password manager. And again, the OpenID provider can help provide the referring website with account information, as I’ve shown before. Sure, it can never completely fill out the account information for all websites it may encounter, but there’s simply no way to do this. It’s simply not possible to have a mapping from every field in your provider to every field in every website you may encounter.

5. Adoption

Basically, there are many more OpenID providers than OpenID enabled websites. The blog post is trying to claim that if your website supports OpenID then users will just use OpenID to sign in. And since the users don’t have an account, they aren’t locked into your website and so won’t be compelled to come back. However, I have about 140 accounts in my account manager app and I consistently only go to maybe 10 or 20 of the sites. Just because I create a username and a password at a website does not compel me to go back to that website. If the site has good content and is well designed then I’ll go back. Contrary to their point, if the website supports OpenID I’d be more likely to go back to that site since I don’t have to create and manage yet another username/password pair.

6. Availability

This addresses the problem of needing your OpenID provider up and running every time you need to use your OpenID. If it goes down temporarily or permanently, you can’t log in. This is a valid point, but again if the provider does things right, this won’t be a problem.

7. Patent

Now this could get bad. There are several patent claims on OpenID which threaten its longevity. This is a problem that will play out in court (if it gets that far) and that no OpenID provider can fix.

So to sum up everything here, out of the box OpenID has several problems. However, if the OpenID provider implements it right and uses some offline methods, it can be as good or better than other authentication methods out there.

AT&T changes its tune… and its terms of service

October 14th, 2007

Filed under: privacy, rights, security — mike hall @ 1:22 am

It’s amazing that AT&T would only fix their TOS after feeling tremendous pressure and criticism worldwide for their recent update to their TOS. Now, apparently, they agree with the rest of the world that freedom of expression is a good thing:

AT&T respects freedom of expression and believes it is a foundation of our free society to express differing points of view. AT&T will not terminate, disconnect or suspend service because of the views you or we express on public policy matters, political issues or political campaigns.

Aw, that just gives me a nice warm and fuzzy. How about you? I wish that AT&T would have added this statement for the right reasons and done this from the start, instead of adding this as damage control. And how can they even try to claim this at all? As Cory Doctorow said:

I wish they’d kept this in mind when they were illegally wiretapping the entire Internet for the NSA

Government surveillance and privacy violations

October 13th, 2007

Filed under: OpenID, eff, privacy, rights, security — mike hall @ 12:21 am

Today the EFF confronted congress on the government’s surveillance of Americans and on the repercussions to those Americans’ privacy that could result. The government is collecting vast amounts of personal data and storing them in those oh so secure government databases:

We have all heard about security problems with government databases. A report from the Department of Homeland Security found 477 breaches in 2006 alone.

These databases are a black hat hacker’s dream come true. This is, of course, why OpenID is such a great idea. Sure it has its problems, but using OpenID means that login data doesn’t need to be distributed across the Internet at every website you visit. This decreases the black hats’ vector of attack tremendously. If I could have all of my login data being held at VeriSign, instead of having some of it at Yahoo, some at Tumblr, and some at Facebook… I’d be fine with that.

Anyway, while the distributed login data issue has a solution in sight, the government surveillance issue does not. The RESTORE Act will hopefully reinstate those checks and balances that were lost when the Protect America Act granted the telecoms immunity when helping the NSA spy on Americans. So I’ve said it before, and I’ll say it again: Support the EFF!

Using VeriSign PiP and your own domain

October 9th, 2007

Filed under: OpenID — mike hall @ 10:13 am

If you’re using VeriSign PiP, you can still use your own domain as your OpenID, in the same way as with other OpenID providers. This lets you log in with your own domain:

And that’s very convenient when your OpenID is something like mike6024.pip.verisignlabs.com. Anyway, all you need to do is add these tags in between your head tags:

<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://mike6024.pip.verisignlabs.com/" />

And of course put your id in place of mine. If you aren’t already logged into VeriSign PiP, you’ll still see the login page:

But if you’re already logged in, things will be just fine.
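What a relying party does with those two tags, as an added example (not VeriSign’s or any OpenID library’s code): it fetches the claimed URL, reads the first `openid.server` and `openid.delegate` links in the head, and then asks the server about the delegate identity rather than about the page it fetched. The sample page is constructed from the tags above; `http://example.invalid/` is a placeholder for the user’s own domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the <head> of a personal page that delegates its
# OpenID to a VeriSign PiP identity, using the two link tags from the post.
SAMPLE_PAGE = """<html><head>
<title>my home page</title>
<link rel="openid.server" href="https://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://mike6024.pip.verisignlabs.com/" />
</head><body>hello</body></html>"""


class _OpenIDLinkParser(HTMLParser):
    """Collect the openid.* <link> tags that appear inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "link" and self.in_head:
            a = dict(attrs)
            rel = (a.get("rel") or "").strip().lower()
            href = (a.get("href") or "").strip()
            if rel in ("openid.server", "openid.delegate") and href:
                self.links.setdefault(rel, href)  # first occurrence wins

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_url, html):
    """Return (server_endpoint, identity_to_assert) for an OpenID 1.x page.

    With openid.delegate present the relying party authenticates the delegate
    identity at the server; without it, it authenticates the claimed URL itself.
    """
    parser = _OpenIDLinkParser()
    parser.feed(html)
    server = parser.links.get("openid.server")
    if server is None:
        raise ValueError("no openid.server link in <head>")
    parsed = urlparse(server)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError("openid.server must be an absolute http(s) URL")
    identity = parser.links.get("openid.delegate", claimed_url)
    return server, identity


if __name__ == "__main__":
    print(discover("http://example.invalid/", SAMPLE_PAGE))
```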


This work is licensed under a Creative Commons Attribution 3.0 United States License.


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.