why not ben

It’s always a good day for a little Carl Sagan. I love...

Tue, 13 May 2008 16:22:29 -0400

It’s always a good day for a little Carl Sagan. I love this excerpt and his reading is of course amazing.

MUTO a wall-painted animation by BLU (via...

Mon, 12 May 2008 23:19:00 -0400

MUTO a wall-painted animation by BLU (via Quotably.com/popular)

This is unbelievably amazing.

FINISHED!!!!!!!!!!!!!!!!!

Mon, 12 May 2008 14:53:16 -0400

FINISHED!!!!!!!!!!!!!!!!!

Off to my final final!

Mon, 12 May 2008 12:42:51 -0400

Off to my final final!

Last night as a student: Looking like an allnighter. Fitting way...

Mon, 12 May 2008 05:45:17 -0400

Last night as a student: Looking like an allnighter. Fitting way to end a school career.

Wow, news of the horrible earthquake in China was at the top of http://quotably.com/popular before...

Mon, 12 May 2008 04:01:51 -0400

Wow, news of the horrible earthquake in China was at the top of http://quotably.com/popular before CNN even had an alert up.

iTunes not seeing jailbroken iPhone

Sun, 11 May 2008 13:48:00 -0400

This happened to me after I trashed my iPhone as a result of a corrupted SpringBoard.app property list file. (I think this was Installer.app’s fault, but I can’t say for certain).

Anyway, to restore the iPhone that iTunes doesn’t see follow these steps:

Connect iPhone to computer
Power up iPhone if it’s off
Press and hold down both the power and home buttons at the same time
The “drag to turnoff” slider will come up, but keep holding down the buttons
The screen will go black, then the apple logo will appear
let go of the power button, but keep holding the home button
iTunes should open and say your iPhone is in recovery mode and offer to restore.

This worked for me, YMMV.

An update on Hahlo security (it’s improving, but still needs work):...

Sun, 11 May 2008 03:47:33 -0400

An update on Hahlo security (it’s improving, but still needs work): http://stream.btucker.org/post/34406476

Hahlo security improving

Sun, 11 May 2008 02:13:00 -0400

Big props to Dean Johnson of Hahlo for improving security of the tool. After some discussion Hahlo no-longer stores your twitter authentication details in the clear in cookies. This is certainly an incremental improvement, but there are still problems.

The login page is still not SSL, so for the login request your credentials are still in cleartext for anyone nearby to snoop. Still much better than them being included with every request as was the previous situation.
Now your credentials are stored unencrypted for the duration of your session (up to 7 days) on the Hahlo server. This is unfortunate, since it means anyone that gains access to the Hahlo server now knows your twitter username and password. Since half the internet uses the same password for multiple accounts, this would mean that in addition to all Hahlo users from the previous 7 days have their Twitter accounts open to being hijacked, so to would any other online services for which they used the same credentials.

So at the end of the day, here’s my current advice. Hahlo is now probably the best choice, security-wise, of the iPhone web-based Twitter clients. BUT (and that’s a big but), change your twitter password if it’s the same as one you use for another online account, and refrain from logging in to Hahlo at a Tech Conference, College Campus, Coffee Shop, or somewhere else traffic is likely being snooped.

Hahlo could still completely solve the issue by moving to SSL for the login and encrypted credentials stored in cookies.

Changing my address at usps.com back to VT, effective a week from Monday. Feels good.

Thu, 08 May 2008 23:14:03 -0400

Changing my address at usps.com back to VT, effective a week from Monday. Feels good.

"Excuse me if a look of bewilderment crosses my face when a surrogate of Sen. Hillary Clinton’s..."

Thu, 08 May 2008 21:28:06 -0400

“Excuse me if a look of bewilderment crosses my face when a surrogate of Sen. Hillary Clinton’s starts off on the “we need hard-working white workers to win in November” mantra.”

- Roland Martin: Democrats need more than working-class whites

Online Advertising: News Corp. exec explains why MySpace traffic rose, revenues dropped

Thu, 08 May 2008 13:14:12 -0400

Online Advertising: News Corp. exec explains why MySpace traffic rose, revenues dropped: In other news: the banner/text ad model is clearly broken for apps where the user is not searching out something in particular.

This may have limited appeal since it’s a lot of...

Thu, 08 May 2008 02:49:39 -0400

This may have limited appeal since it’s a lot of “inside jokes”… but I think it’s really funny! And so well done.

Saw Iron Man last night. ‘was fun, but I was offended by the notion software writes itself. My...

Wed, 07 May 2008 13:24:45 -0400

Saw Iron Man last night. ‘was fun, but I was offended by the notion software writes itself. My friends replied: umm, it’s a superhero movie.

learning just how little I understood about MySQL optimization.

Tue, 06 May 2008 03:50:05 -0400

learning just how little I understood about MySQL optimization.

The twitter client Hahlo is not secure. I recommend thinking twice before using:...

Sun, 04 May 2008 14:03:39 -0400

The twitter client Hahlo is not secure. I recommend thinking twice before using: http://stream.btucker.org/post/33710515

Use Hahlo Twitter Client with Caution

Sun, 04 May 2008 13:51:00 -0400

Hahlo is a really nice Twitter client targeted primarily at the iPhone, but also usable from any browser. Unfortunately, it handles authentication in a completely insecure way, exposing users’ twitter credentials to any third party sniffing packets on the network.

For starters the login page does not use SSL. This in and of itself is a problem since for that one login request a user’s login credentials are exposed, but it’s actually much worse. Hahlo stores a user’s username and password unencrypted in cookies. This means that every single request to hahlo (even ones for images) includes the user’s username and password completely in the clear.

This is unacceptable for a production application, especially since it’s undisclosed. Definitely don’t use it at a coffee shop, tech conference or college campus. Or if you connect to the internet with a cable modem.

Update: @hahlo complained on twitter that I didn’t mention other twitter clients are equally insecure. This is true (just confirmed PocketTweets has exactly the same vulnerability). I singled out Hahlo because it was a new release getting a lot of attention. But this is no excuse not to fix (or at least disclose) that hahlo is so insecure.

The fix is not hard, either.

1) buy an SSL cert for $30
2) setup https://hahlo.com
3) use 2-way encryption on the cookie so that only with a secret can it be read

(This is how Quotably handles authentication.)

It’s really fun to watch other people pitch your stuff...

Fri, 02 May 2008 01:47:56 -0400

It’s really fun to watch other people pitch your stuff with even more enthusiasm than yourself! Thanks Ed!

18 years after shyly entering my first classroom at age 5, today I left my last.

Fri, 02 May 2008 01:34:32 -0400

18 years after shyly entering my first classroom at age 5, today I left my last.

What a great ad! I’m glad my last contribution went...

Thu, 01 May 2008 01:08:01 -0400

What a great ad! I’m glad my last contribution went toward this. This should serve as a model for political advertising as far as I’m concerned.