Thursday, November 20, 2008

Passwords

In this post I mentioned that you should not use the same password for everything due to a number of security reasons. I also mentioned that you shouldn't store your passwords unencrypted anywhere.

Most people aren't going to remember a different password for every website/computer/email address they use. So what should you do?

Well, the first option is to store them in an encrypted file (which itself requires a password to access...). Also, if you ever lose that file (stolen, deleted, hard drive crash, etc.) then you are SOL.

The way I solve this problem is to use a predefined pattern to modify a base password. For a simple example, say your base password is "VerySecret7"; then you could make your password for Gmail "GerySecret7" and your password for Facebook "FerySecret7". Granted, this is not a very secure example (yet still much more secure than using the same password everywhere!), but you can extend this to make more complicated patterns. For example:

1. Use the next letter of the alphabet so the connection isn't as apparent. (thus "HerySecret7" for Gmail and "EerySecret7" for Digg)

2. Convert letters to numbers. ("7erySecret7" Gmail and "25erySecret7" for Yahoo).

3. Take multiple letters from the service name. (IE take the first and third letter and put them at the end -- "VerySecret7Ga" for Gmail or "VerySecret7Fc" for Facebook)

4. Use classes of passwords. (For banks use "SuperSecret39" for your base password, then apply your normal pattern to it.) This is probably overkill if you have a half decent pattern/base password.

5. If the first letter of the service starts with a letter after M spell your base password backwards. (Also probably overkill)

6. You get the idea, basically whatever you can think of. Combinations of patterns will be more secure, and symbols, caps, and numbers always improve password security.


Get creative, but not so creative that you won't remember it... Just be consistent. A relatively simple pattern, such as taking the letter after the first letter of the service name and adding it to the front, then converting the last letter to a number, gives you a pretty secure password and a fairly unrecognizable pattern ("Hery11ecret7" for Gmail).

It would be very hard for someone who has one of your passwords to both know you are using a pattern and discover your pattern (if it is half decent, not VerySecret7Gmail...). On the other hand it *should* remain easy for you to remember all of your passwords without writing them down.

The big drawback of this is that you can't change just one password without breaking the pattern, so to change one password you need to change all of them...


This technique is essentially a simple hash function. If you have a better solution (IE it solves the above problem), please let me know :).
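Rules 1 to 3 (plus the simple first-letter swap) written out as a derivation function, as an added example that is not part of the original post. The wrap from Z back to A, the handling of service names shorter than three letters, and the collision check are assumptions; the collision check only makes explicit that any rule which looks at the first letter alone gives two services with the same first letter the same password.

```python
import string

ALPHABET = string.ascii_uppercase  # used for "next letter" and letter -> number
BASE = "VerySecret7"               # the post's example base password


def next_letter(c):
    """Letter after c in the alphabet; wrapping Z back to A is an assumption."""
    return ALPHABET[(ALPHABET.index(c.upper()) + 1) % 26]


def letter_number(c):
    """Position of c in the alphabet, A=1 ... Z=26 (so G=7 and Y=25 as in the post)."""
    return str(ALPHABET.index(c.upper()) + 1)


def simple_swap(base, service):
    """The post's opening example: replace the base's first letter with the service's."""
    return service[0] + base[1:]


def rule_next_letter(base, service):
    """Rule 1: like simple_swap, but using the letter after the service's first letter."""
    return next_letter(service[0]) + base[1:]


def rule_letter_to_number(base, service):
    """Rule 2: like simple_swap, but the service's first letter becomes its number."""
    return letter_number(service[0]) + base[1:]


def rule_first_and_third(base, service):
    """Rule 3: append the service's first and third letters; a name shorter than
    three letters only contributes its first letter (assumption)."""
    return base + service[0] + (service[2] if len(service) >= 3 else "")


def derive_all(base, services, rule):
    """Apply one rule to every service: the deterministic mapping the post likens to a hash."""
    return {s: rule(base, s) for s in services}


def collisions(base, services, rule):
    """Services that end up sharing a password under a rule, e.g. rule 1 applied to
    two services whose names start with the same letter (added check, not from the post)."""
    by_password = {}
    for service, password in derive_all(base, services, rule).items():
        by_password.setdefault(password, []).append(service)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}
```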

Monday, November 17, 2008

iPhone Goodness

Some useful iPhone tidbits:

1. All of the below is contingent on jailbreaking. Really this is the only way I could ever justify buying an iPhone... Thanks a lot to the iphone-dev team. You guys rock.

2. If you want to develop an iPhone application, and don't want to pay apple, wait for their certificate, or go through their application review process then you should try: http://www.saurik.com/id/8 and Cydia for development, deployment, and distribution. In general everything by saurik is badass and worth reading.

3. If you want to be able to run official applications in the background (for example, listen to Pandora while looking up something on Maps), check out "backgrounder" on Cydia.

4. If you write your own app, and don't care about releasing it in the app store, you can run it in the background using:



@interface Thing : UIApplication {
}
@end

@implementation Thing
// Override the (private) suspend hook UIKit calls when the app is sent to the background.
- (void)applicationSuspend:(UIApplication *)application {
    [super applicationSuspend:application];
}
@end



Thanks AlJaMa in iphone-dev irc for that. (I haven't tried it yet)


5. If you want to be able to use Fring (or other wifi-limited applications) over the cellular network, then there is a patch on Cydia for that too: Voipover3g. You can apparently specify which applications to spoof wifi access for by editing /Library/MobileSubstrate/DynamicLibraries/VoIPover3G.plist

The default config looks something like: "Filter = {Bundles = ("com.Fringland.Fring", "com.apple.AppStore", "com.audiofile.Interstate", "com.apple.MobileStore");};"


6. I haven't tried Erling's accelerometer hack on 2.x firmware yet, but hopefully it still works (allows you to adjust sample rate): http://blog.medallia.com/2007/08/iphone_accelerometer_source_co.html

UPDATE: It appears that there is a way to use the SDK to set the sample rate through UIAccelerometer.

7. http://www.cocoamachine.com/blog/ has also been a good resource. And of course there is always #iphone-dev on irc.osx86.hu

8. There are some headers missing from the official framework. You should be able to do a class dump:

class-dump -H /Developer/Platforms/iPhoneSimulator.platform/Developer/SDKs/iPhoneSimulator2.0.sdk/System/Library/Frameworks/UIKit.framework/UIKit -o output-directory

The file it spits out is mach-o.

9. PDANet also from cydia, allows you to share the iphones 3g connection via wifi.

10. Netatalk appletalk / general storage.

11. DiskAid

Other: terminal, hp calc, stumbler plus, and on the app store Rooms (irc) and motionX dice.

GWT RPC Exceptions

So... Most of GWT's documentation is pretty good, but the part about RPC exceptions is kind of lacking.

I found some posts such as:

http://groups.google.com/group/Google-Web-Toolkit/browse_thread/thread/c048700dcaee7b2a
http://astithas.blogspot.com/2007/08/case-of-disappeared-exception-message.html
http://blog.platinumsolutions.com/node/198


But all of them mentioned the now deprecated SerializableException. According to the API this was deprecated because Exception implements Serializable, and thus a normal exception should work fine... (http://google-web-toolkit.googlecode.com/svn/javadoc/1.5/com/google/gwt/user/client/rpc/SerializableException.html)

Unfortunately I was still getting the "the call failed on the server see server log for details" message from exceptions that reached the client.

Anyway, the solution I reached was very, very simple. My ServiceImpl class throws a standard RuntimeException ("throw new RuntimeException("Epic Fail");"). But this is what I was already doing that didn't work. I had to add "throws Exception" to the method, and thus to the client-side service interface as well. Worked like a charm after that.


import com.google.gwt.user.client.rpc.AsyncCallback;
import com.google.gwt.user.client.rpc.RemoteService;
import com.google.gwt.user.server.rpc.RemoteServiceServlet;

// Synchronous interface: the "throws Exception" clause is what lets the
// exception reach the client instead of the generic "call failed on the server" message.
public interface SomeService extends RemoteService {
    void doSomething(Object someObject) throws Exception;
}

// Async counterpart used by the client; failures arrive via callback.onFailure().
public interface SomeServiceAsync {
    void doSomething(Object someObject, AsyncCallback<Void> callback);
}

public class SomeServiceImpl extends RemoteServiceServlet implements SomeService {
    public void doSomething(Object someObject) throws Exception {
        if (epicFail(someObject))
            throw new RuntimeException("Epic Fail");
        else
            doSomethingCool();
    }

    // Placeholders standing in for the post's "epic.fail()" check and the real work.
    private boolean epicFail(Object someObject) { return someObject == null; }
    private void doSomethingCool() { }
}