Usernames, Passwords, and Bad Ideas that Won’t Go Away

Posted on December 11, 2011 By

Hi again, everybody.

I just had to defend Scarecrow’s use of old-style usernames and passwords. Not to my boss, because I don’t have one of those here. It was just a conversation. But it’s a conversation I keep having, and maybe some of you guys do too. So here are my thoughts on the online password problem.

What problem? Well, how many accounts do you have on unrelated websites that all use the same username and password? Don’t tell me–I’m just going to assume the answer is “several.” Obviously this isn’t a good situation. If a hacker or unscrupulous employee gets your information, he may exploit it.

There are several proposed solutions. Browsers now track our usernames and passwords on the various sites we visit, so we’re somewhat more free to choose hard-to-remember passwords (though on that subject, this is interesting, funny, and useful). Downside: they’re only stored on the computer we used to set up or access each site. There are various workarounds to share this information, but they won’t work on all the computers we use. In short, this is a hassle. Trusting some online provider to securely store all our credentials, so we can get to them regardless of where we are, has an obvious risk to it, too.

(Here’s a story: A very savvy friend told me about the system he’d purchased to encrypt and save his passwords. I thought: Cool! And I congratulated him on solving the problem for himself. It sounded like a hassle to me, but this guy has access to a lot of systems that do important things, and I guess I admired him for taking this seemingly straightforward but actually rarely-accomplished step. So now, I told him, his various accounts were safe from each other! His response: “Um. Well. Actually now I have this really secure system that records the fact that I use the same username and password everywhere.” I thought about that. “Oh,” I said.)

So some people think everybody ought to just cut it out, and use a single sign-on for most or all of the sites they access. By this I mean people like those who contribute to or use OpenID, which sounds like a great idea until you think about it a little, at which point it begins to seem like a semi-good idea. Basically the notion is that you’d only log in to the one system, and other sites would defer to its authentication protocol.

It sounds great. The idea has its good points. In fact, I think a lot of site developers, administrators and owners would benefit by adopting it. But if a user is going to store private information with you, you are then trusting the provider of the authentication service in two separate but critical ways. You are also asking potentially unsophisticated users to trust you more than they may be comfortable with. The problems, as I see them:

  1. If the authentication service is compromised, so is your ability to protect your users. The more users choosing a given service, the more likely it is to be seen as a worthwhile target by hackers.
  2. If there are several competing authentication providers, as a business owner you can either trust them all or try to monitor all of their security issues or trust only some of them. There are obvious issues with all three choices.
  3. If the authentication provider decides it doesn’t like you or your business, or changes the way it operates without what you’d consider sufficient notice, it may have just taken your customers away from you.
  4. If your potential customers are not familiar with this sort of system, or don’t trust that a “login” link provided by your site will not give you personally access to their OpenID credentials and thus all their other sites, you’ll either have to kiss those folks goodbye or…worst case in my opinion…also offer your own proprietary username/password system. And take a little credibility hit. Some folks may decide you’re just another “phishing” site. Ouch.

So people do stuff somewhat like this when they try to integrate with social networks. Even I may decide to make Scarecrow available as a Facebook app. There are obvious benefits. But…there are downsides, too.

Another idea: since most people surfing online have an email address, why not use that as the username? That way they won’t have to remember yet another username!

Okay. So what’s the point? There’s nothing magical about email addresses. Using them as part of your login credentials is precisely as bad (or good) as using any other username everywhere. Maybe a little worse, because it’s easier to guess by people who know you.

Plus, most folks who go that route then send out an email to “verify” the email address, and require their potential users to go check the address and click a link or navigate back to their site. What problem were we solving again? Uniqueness of usernames? Sheesh. Is it that hard to just, you know, check for uniqueness when users are creating them? In fact, even with all this rigmarole, don’t you have to check anyway? Just how many hoops should users be expected to jump through, again? Isn’t this whole practice really about–wait for it–making sure we grab an email address from our users? Whether they want to give it to us or not?

Okay, remember those pure, solve-the-world’s-problems OpenID guys? At the time of this writing, doesn’t this page say, under “Link your site to the social web,” that “protocols such as Portable Contacts can be used with OpenID to offer your site access to a user’s address book and friends lists”?

C’mon. That ain’t right even if it’s implemented as opt-in. Not at all.

Don’t get me wrong. I’m not saying I have a solution to all of this. I wish I did, but I don’t. What I’m saying is that Scarecrow is trusted with data that is important to our customers, and I don’t see a way around having to invest effort into protecting that data. It goes beyond username/password information, but it starts there.

So we may seem a little old-fashioned. Lots of recent college grads in Computer Science will not approve of the way we do things.

But I care about our customers more than I care about buzzwords and “standards.”

Okay. Now tell me how I’m wrong, and I’ll change my mind.

My Fiction


Is it really better to know?

Posted on December 10, 2011 By

To know what? About your site going down. Or, in this case, ours. Sort of.

Site uptime graph

Bad day at the server farm.

My wife and I had plans for today that definitely did not include my sitting in front of a computer. On the other hand, I’d recently received some good advice about the Scarecrow website’s design, and had made several changes, so I wanted to kinda check on things in my office.

Big mistake.

It turned out that the machine hosting this blog had been down for hours. Scarecrow had been trying to let me know, but I just hadn’t been listening. In addition to the blog, the affected machine had some of Scarecrow’s “agents” running, and also hosted demo.protectedbyscarecrow.com, which only exists to allow potential new users of the Scarecrow software to see what the application looks like once they sign up. (If you haven’t tried it yet, you can click “View Demo” at https://protectedbyscarecrow.com/login/new. Checking out the Demo will log you out, though, if you have an account and are currently logged in.)

Temporarily losing the “agents” was no big deal either. They’re back-end processes that do the grunt work behind the Scarecrow website. There are enough running in other places that I doubt any users even noticed. Scarecrow kept running just fine.

So, what was the big hit? Well, to my day with my wife. We had fun, and I definitely enjoyed hanging out with our daughter, but I kept checking my email. Once in a while I’d actually log in to a server with the terminal emulation app I have on my iPhone. Yes, that’s pretty geeky.

I mean, I couldn’t make the broken machine work. I’m in awe of the fact that it was down for a total of over 9 hours, but what could I do about it? Nothing.

Yes, I’ll be moving the blog to a more…uh…stable environment. But I really like the company that was behind this mishap. I’ve never considered their service to be especially reliable, but on the other hand it’s cheap. And I get a kick out of their monthly newsletters. In spite of this incident, I’m going to continue doing business with them. They’re a great place to run stuff customers don’t see. Stuff that doesn’t have to be actually running all the time.

So I’ll be moving the blog in the next week or so. But guess what? I already knew I should do that.

I guess a kick in the pants can be helpful. It’s definitely encouraging me to take action. Great. And all.

But c’mon. Today wasn’t the day to be thinking about it. And if it hadn’t been for Scarecrow, I wouldn’t have noticed a thing. Is that good, or bad? I guess it depends on how you look at it. Next time this sort of thing happens? I’m going to turn my phone off.

Still. It’s hard to solve a problem you don’t know you have.

Personal


Slouching toward accountability?

Posted on November 3, 2011 By

website is up!

So...it must be working?

Hi guys! Software is fun to write!

Well, it is. The trick, though, is to write the software that people actually need.

Here I am, with an application that’s been stable for months (untouched by human hands! self-repairing!), which is what I needed to know, and now I do. So I sent a quick note to some loyal beta testers, asking them in a perfunctory sort of way if they knew of any outstanding issues. Certain that they would not, I gave ’em a quick rundown of my plan to launch the surrounding website and, you know, try to collect some money.

Ha. One of my beta testers (we’ll call him M) thought Scarecrow had failed him utterly, and he wasn’t wrong. The problem? It had worked perfectly! Exactly as designed!

Oops. Bad design? Bad communication? Who cares? I’m pretty sure I don’t want it to happen again, anyway.

The issue was that M’s credit card blew up when his internet hosting provider tried to bill it. Somewhere in there I’d guess an email was sent, or was supposed to be sent. At any rate, communication didn’t happen. Billing didn’t happen. Not Scarecrow’s fault so far, right?

At some point the hosting provider (we’ll call it HP just for fun, but it wasn’t, you know, actually HP) took down M’s homepage and put up a page claiming that M’s account had been suspended for nonpayment. Ouch! Just what M wanted his own customers to see. Or, well, not.

See…M would have liked for Scarecrow to notice all this. And it could have! Scarecrow monitors site uptime, but doesn’t actually check a site’s content unless it’s specifically requested to do so (not hard to set up, but it does require specifying the content Scarecrow should look for). So Scarecrow looked at the site’s server, saw that it was indeed functioning, and…did nothing. Because, you know, the site was up. That page asserting my tester was a low-down non-paying Bad Customer was right there where it was supposed to be! No problem, dude!

It’s also possible that Scarecrow would have noticed a change to the site’s files, but (1) HP could have modified the homepage shown to the public without actually modifying M’s files, and (2) M saw some value in the uptime monitoring but preferred not to ask Scarecrow to monitor his site’s files.

Argh! How is this my fault??

Well, it’s not. But it made me wonder–how can I fix this issue? It’s a bit of a stretch to get Scarecrow to monitor a credit card for declined transactions. I mean…I could actually do that, but (at least as of this morning) I don’t think it’s a reasonable choice for a feature.

But! I could, actually, require that a Scarecrow user specify some text that’s supposed to appear on his homepage.

The problem: not specifying content is sometimes a better choice. M is technically rather ept, and he likes to play with software that analyzes his web server’s access logs. He set Scarecrow to check his site every 15 minutes, but he didn’t want Scarecrow to clutter up his log files. So he took advantage of a feature: Scarecrow sends an HTTP HEAD request when it’s not looking for content, and an HTTP GET request when it needs to look at the actual page. An HTTP HEAD request gets a much smaller response from a server, while still verifying that the server is functioning. More importantly: M could filter the HEAD requests from his log files.

I don’t want to alarm anybody. If you’re using something like Google Analytics, Scarecrow’s periodic checks will never show up in the reports, regardless of whether it’s looking for specific text. The reason? That sort of analysis tool requires JavaScript to work, and Scarecrow is just looking at content–it never runs JavaScript from a customer’s server. And there are other ways to filter out Scarecrow’s requests (tech note: UserAgent is set to “ProtectedByScarecrow.com verifier”…not common at all). But M had come up with a reasonable solution, and Scarecrow didn’t help him when an unforeseen problem arose.
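The failure mode described above, reproduced as an added example (this is not Scarecrow's code). It starts a loopback server that answers 200 for every request, then runs an uptime-only check (HEAD) and a content check (GET) against a normal page and against a "suspended" page. The page contents, the function names, and the expected text "Widget Shop" are constructed for illustration; only the User-Agent string comes from the post.

```python
import http.server
import threading
import urllib.request

USER_AGENT = "ProtectedByScarecrow.com verifier"  # UA string quoted in the post

# Constructed sample pages (not real content from any site).
NORMAL_PAGE = b"<html><body><h1>M's Widget Shop</h1></body></html>"
SUSPENDED_PAGE = b"<html><body>Account suspended for nonpayment</body></html>"

# Direct connections only, so proxy environment variables cannot reroute the loopback demo.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def make_server(page):
    """Start a loopback HTTP server that answers 200 with `page` for every request."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def _headers(self):
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(page)))
            self.end_headers()

        def do_HEAD(self):  # headers only: the server is alive, nothing more
            self._headers()

        def do_GET(self):
            self._headers()
            self.wfile.write(page)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_site(url, expected_text=None, timeout=5):
    """Return (ok, method): HEAD when no content is specified, GET otherwise."""
    method = "GET" if expected_text else "HEAD"
    req = urllib.request.Request(url, method=method,
                                 headers={"User-Agent": USER_AGENT})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            if resp.status != 200:
                return False, method
            if expected_text is None:
                return True, method  # uptime-only: a 200 is all we can see
            body = resp.read().decode("utf-8", errors="replace")
            return expected_text in body, method
    except OSError:  # URLError, HTTPError and socket timeouts all derive from OSError
        return False, method


def demo():
    """Run both kinds of check against the normal and the suspended page."""
    results = {}
    for label, page in (("normal", NORMAL_PAGE), ("suspended", SUSPENDED_PAGE)):
        server = make_server(page)
        url = "http://127.0.0.1:%d/" % server.server_address[1]
        results[label] = {
            "uptime_only": check_site(url),
            "with_content": check_site(url, expected_text="Widget Shop"),
        }
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The uptime-only check passes on both pages, because the host serving the suspension notice is still a working web server; only the content check tells the two apart.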

So what do I do? I guess, first, I write this post as a warning to others. At this point I don’t want to force users to specify content for Scarecrow to verify. What if they don’t care about content? What if it changes a lot? I don’t plan to monitor credit cards directly, either. So, really, I’m not going to do much about this failure mode other than advertise its existence.

Scarecrow exists to solve problems very similar to this one, and I think it’s likely that future customers will feel as M did, that Scarecrow should have been more helpful. I will likely agree with them.

Because: yes, I do regard this as a failure. I don’t know how to fix it. If you have any ideas, let me know.

 

My Fiction


The Learning Curve: Part I

Posted on August 23, 2011 By

After years of schooling I am still surprised when I cannot pick something up and immediately run with it. I get frustrated when new things make me do the primate thing where I turn it over and over in my hands and grunt in confusion. As much as I might try to make this sound profound, the problem that inspired this little rant was a forgotten user-name. That’s right, a user-name.

In college I was what people referred to as a ‘conceptual learner’. In less politically correct speech, that could also be said ‘can’t memorize for shit’. There were a few tricks that worked, like extreme repetition and association. The same things that work for training animals. Maybe I’m being a little bit harsh; I did like processes. Ask me how meiosis or mitosis happens and I can draw you an outline; ask me for the signalling proteins involved and all I can remember is alphabet soup.

There are crutches available for people like me now, but I’m not sure if they make it easier to walk or doom me to limp forever. All my phone numbers are saved on a phone that allows me to just select a person, so no more memorizing phone numbers. My computer offers to remember passwords. Well, now all I have to remember is my damn user-name… and now that is the barrier. It’s starting to feel like a staged retreat from a battle. If I was older I could blame age, but the truth is it’s more like a wiring issue and every little crutch makes the wire a little shorter. Pretty soon I will have no slack left. Anyway, put yourself in the shoes of the programmer I’m trying to work with. Poor guy wants me to explore WordPress and try out themes and plug-ins. Instead he gets an email two days into his 5 day road trip, during which I’m supposed to figure this stuff out, saying “what was my user-name again?”. I don’t think it means that I’m doomed and this whole thing isn’t going to work, but I must admit some trepidation when it comes to what my partner thinks.

I was able to log in to our actual blog, so maybe there is hope for me yet. Soon my computer will have me automatically logged in to all the necessary sites for work and all will be well….

My learning curve is definitely not like a bacterial growth curve. It seems to be starting out more like the tail of a bell curve. Hopefully the curve will get steeper before I drive my techie business partner mad or at least destroy his faith in the basic Internet user. Although I’m guessing most of you know all your user-names.

Personal


Hello World: From Biology to Software?

Posted on July 27, 2011 By

While sitting around the fire watching flames shoot sparks into the air, I wonder if I can actually make this work.

I’ve spent the last seven years working and going to school to be a biologist. I toed the line. I managed to get my education without becoming a total mindless automaton. I persevered and emerged with my degree ready to begin my career or continue with school so I could contribute to society. I planned to do something important for humanity like research cancer or do genetics work.

The hammer drops. The bloated government establishment leads to an economic collapse, the job market bottoms out, and all of a sudden graduate schools are only taking 4.0 geniuses that never took so much as a summer off to have a ‘real’ job. It is now my eighth month of unemployment, sixth if you don’t count the two months I spent getting rejected from graduate school despite my ten years of employment experience, my two years of teaching experience, and my six months of research experience. Oh well. What the hell do I do now?

Enter Cabin Fever Software.

I’ve known about Cabin Fever Software for a while as David and I had previously been boat dock neighbors (a story for later perhaps). Software is a fairly alien subject to me. Of course I use software, I even remember the first version of Microsoft Golf (my dad was a fan and a database support guy for Sprint when I was a kid). To me, computers have simply been tools to produce projects and assignments for school and work. It was interesting to listen to David talk about it because it was his thing, and it is usually quite fascinating to listen to people talk about their passions. It never crossed my mind that I could be useful in such an endeavor, after all I was going to save humanity from genetic disorders and disease….

Last month David asked me if I would like to help him with Cabin Fever Software. My first reaction was something along the lines of “I don’t know anything about programming or software.” I think David said something like “exactly”. The premise behind all this was that he needed a non-techie to look at his user interface to see if the average small business owner could follow it. In general he needed the average internet user around to say “what does this mean” and “I don’t get it”. In my current disillusioned state I remained ambiguous.

After another week of working on my car, organizing my sock drawer, and watching my in-laws argue (of course I didn’t have my own place, unemployed remember?), I realized that it came down to this: I didn’t have anything meaningful to do. My prospects have dwindled to zero. Here is a longtime friend offering me a share in his startup business; all I had to do was step up and learn something new. I’ve been shoving information into my brain at a ridiculous pace for years; who’s to say I couldn’t let David and me be the ones to determine the new curriculum? Here I am writing a blog for the first time in my life from the living room of a cabin with the hum of the generator outside. David offered me something meaningful to do, and I was almost too stupid to accept because it wasn’t what I had already learned about. Laziness.

Yes, Cabin Fever Software is meaningful. If you don’t understand that sentence, you should read David’s entries (for one he is a better writer). We are going to help small businesses get what they need and generate products that actually help people. Let me put it in terms I can relate to better (I’d say terms you could understand better but who are you anyway?). When you go to the doctor with a complaint, the doctor is going to assume it’s the most common ailment with those symptoms and then prescribe a medicine that works for the highest percentage of people with that ailment. So if you are lucky enough to be entirely common and your illness is also entirely common, then you will be helped. If you or your illness are in any way unique there is likely no help for you. If there is one thing I learned from my biology training, it is that there is no true homogeneity in nature. We are not all the same. There is no cure-all. Why should businesses be any different? Just as I think personalized health care is the only way to address medicine, so too do I like the idea of personalized software for small businesses.

Go easy on me, if you didn’t catch it earlier, this was my first time (blogging!).

Personal


Dogfood vs. Getting Help: a Dichotomy

Posted on July 20, 2011 By

I’m pretty stoked about a potential new partner/employee (terms not yet determined) here at Cabin Fever.

Over the last couple of years, pretty much everyone but me has fallen by the wayside as we (I, now) march toward releasing a product. I still say “we” here & there, and I do in fact get to consult with some pretty smart folks who have an (intellectual) interest in the company, but as for doing the work? It’s all me.

That’s actually been okay, because I write code pretty fast & it takes a team of several people to equal what any one of them could do on his/her own anyway–any benefit from multiple developers comes, IMHO, only after the addition of Coder #5 to a team, and even that’s horribly risky. Well, two guys can be somewhat faster than one, maybe, if they’re on the same wavelength, but three? No. Not over the long haul. Not if the project is at all complex. Just saying.

So, free rein to do what I think I should, plus intelligent advice from people not afraid (or perhaps even eager) to point out my boneheaded mistakes? Cool! Plus, I do get to work from my cabin.

Still. Scarecrow’s private beta test can’t credibly be stretched out for more than another couple of months at most, and there is a LOT of content to be developed. There’s a lot to learn, and it probably won’t all find room in what I use for a brain. Plus, a newcomer who isn’t a clone of me can’t be expected to know all the weird hacks I do to create websites.

Enter WordPress. Not just to host the blog. For the Cabin Fever and Scarecrow websites, as well (though not for the Scarecrow application itself).

As a software developer, I hate working with it. I strongly prefer other technologies…specifically, other programming languages than PHP. But you know what? I’m having to face this central fact: nobody but me cares that I don’t like it. It’s quick to set up, lots of people have worked very hard to add all sorts of features I’ll find useful, and so: I am working on a decent simulation of gratitude. After a while, it may seem real even to me.

This will boost productivity (I tell myself). New Person will not need to learn a bunch of coding/scripting tricks to be productive. I will have to take a week or so and migrate what content I have (meager, ’cause I’ve been coding instead, y’know?) to the new platform and set up all the fancy new bells & whistles. But afterward, things will be better. That which is intended to be parsed by readers of English will now be written in…English. As a concept, that ain’t all bad.

Really, I’m excited, and this is all good stuff. It just goes a bit against the grain, ’cause I prefer building things to using stuff other people built. I will, however, get used to it.

Will anybody but me ever care to what extent we’re dogfooding over here? For our core product (Scarecrow), maybe yes. For the site’s content? Probably not.

Welcome, O Brave New World!

My Fiction