This article caught my eye today: GPUs democratize brute force password hacking. Let me start off by saying that I’m not an expert in cryptography, or online security. But that didn’t stop me from having an idea…

For the average person who lives their life “online“, proper password management is one of those things that fall into the “Never skip breakfast” category. You know you’re supposed to listen, but you rarely pay attention. It’s a hassle more than anything else. Sometimes the number of email messages in my inbox that start with “You have requested to reset your password…” outnumber all others. Equally abundant are the number of applications out there that promise to handle all of your passwords so that you never have to. To my knowledge, not a single one of them has caught on (probably for fear that you might forget the password to that all-encompassing app one day).

Hollywood and hardware alike have long promised highly advanced, incredibly slick looking ways of securing access to data. Everything from retinal scanners and voice-print identification to facial recognition software has been touted as the next wave in identity protection. However, aside from appearances in commercial and military applications (and on ThinkGeek), none of these shiny gadgets are in widespread consumer use. Even fingerprint scanners haven’t really blossomed as much as once expected.

So what do you do? How do you find that sweet spot between “Idiot-proof to manage/remember” and “Fort-knox secure?”

Firstly, let’s think about the way we access secure data – email, website content, bank accounts, etc. Successfully doing so usually requires matching one value with another (username/email and a password); a pairing that in theory, is known only to the user. One remains constant and is publicly exposed in most cases (the username), while the other one (the password) changes. Methods for [humans] generating passwords usually involve remembering something unique to the user, combined with some obfuscating characters that make random guessing harder for the would-be password cracker, human or otherwise. The name of your cat using numbers for letters, plus the last four digits of your wife’s birth date. Your childhood nickname plus the number of siblings you had (multiplied by 3). Sounds reasonable, though recent reports show that some users aren’t quite so savvy:

Images from Tom’s Hardware

It’s quite a hassle! Considering the number of websites and applications people access on a daily basis, it’s no wonder some people cave and do a 2-finger dance down the number row in order to generate a password that isn’t hard to remember (for the user, or the identity thief.) Well, there is an idea which I’ve always thought could pass the test of being user-friendly and relatively secure (perish the thought). It uses an existing piece of technology – Security Questions – in a slightly different way. Security Questions are usually used to validate the identity of a user that has already entered a correct username/password combination; a “just in case” measure. It’s supposed to be an easily identifiable piece of information which is also unique to the user.

There are LOTS of little bits of information like this, which we constantly keep stored in our heads. A long forgotten (and sometimes hated) nickname, the address of our favourite greasy spoon, the number of days till retirement, and so on. Well, what if passwords were done away with entirely, and the system were to ask us for 1, 2, or more of these questions from a pre-set list that you could modify at any time? The system presents you with the random question (in Captcha form if you like), you enter the correct answer(s), and you’re in. On the off chance you get one wrong, you’re given a certain number of alternates. Higher level security systems might require more answers. The benefit to a system like this is that there is no longer a 1:1 relationship between the 2 values used to authenticate a user. It can be 1:2, 1:30, 1:100…or 1:X. The number of possible question-answer pairs is up to the system architect. If they wants to get fancy, they could use any number of ways to manage the list of questions and answers. Store them separately and match them using a unique hash, or put them together in a database as an object and match them to the user, for starters.

Every time a user tries to gain access to a system, a different different question is asked. Consequently, a different answer must be given depending on what question the system asks. It’s as if you’re carrying around a set of keys and the system prompts you which lock to open. For added security, every time a question-answer pair is added to the list, an attribute of the entire list can be changed (think checksums) which makes previous attempts to crack the entire list useless. This is a lot of work up front for the user, granted. But it pays off… IF the system is designed to be portable. People HATE going through the hassle of setting up passwords for single user accounts, let alone several. So, much like importing bookmarks across browsers, there needs to be a way to shuffle the question/answer list around from app to app. Of course, portability means maintaining standards across the board, and well… we all know how well standards are adhered to on the web.

This type of security system is not fool-proof however (I challenge you to find one that is), and it will inevitably come under assault as people ask the following questions:

Q: What happens if someone guesses the answer to your security question?
A: This is no different than someone guessing your password, and only if they happen to be prompted with the appropriate question. Further, they may be able to guess one answer, but can they guess 2, 3, or more?

Q: The list of answers is still vulnerable though! People know that city names are likely the answers to questions like “Where were you born?” What good is that?
A: Simple answers in and of themselves are fairly weak, but it’s up to the user to choose multiple question and answer pairings that are both secure and easy to remember. As well, it’s up to the user to determine the format of the answers. The answer to “What city were you born in?” doesn’t have to be “Toronto.” It could be “That city I was born in”, or “Monkeytown” or “Rigel IV” for that matter. As long as it’s the answer you designated, everything’s fine.

Q: What happens if you don’t want a question in the list any more?
A: … delete it.

The fundamental difference with this concept is that the “lock” isn’t one static thing that can be pored over and studied in an attempt to break it. It constantly changes, and yet remains easy to manage. Another significant difference is that the focus isn’t on making passwords themselves harder to “guess.” Rather, it’s about changing the way we think about passwords in general, and moving away from the traditional “lock-and-key” model, in order to make accessing sensitive data a simpler process without sacrificing security.

It’s entirely possible that I’ll review this in a few months, and file the idea away on a shelf next to my plans for Hamburger Earmuffs and Electric Paperclips. But until that time, I invite your thoughts and opinions.

I am a Google Zealot. This is nothing, new, especially to those that know me. There are many, many aspects of my identity and the data that goes along with it, which are tied to one or more Google-related products. This is not to say that my life is an open-book, prone to scrutiny by random web-users from Buenos Aires or anything. I’m quite careful about the information that I opt to post online, as should everyone of course.

However, I was organizing/clearing out some items in Gmail the other day, when my eyes casually fell upon the indicator at the bottom of the screen that lets you know how much space you have left in the ever-expanding Google datastore. “You…blablabla…3% of 7400MB. Wow, 7400MB is a lot of-…wait. 3% I’ve got about 250MB of stuff on here.” I sat back and thought about that number, drawing relatively silly, almost cartoonish analogs just to get a sense of how much data that really is.

~230 floppy disks (remember those?).
~17,000 average (15K) Word documents, or about as many email messages of similar size.
~125,000 Twitter posts (to get even sillier, this is roughly equivalent to 14 tweets per hour, for a year)

That’s quite a bit of data!

…Sorry.

Then I wondered what I would say if a company were to come to me and say “Hey. So would you let me follow you around for a year and record what you say 14 times an hour? Oh and we’re not going to pay you for this information either. Oh and we’re also going to use this info to show you some advertising here and there.” Were I walking around just going about my daily life, I *might* have a problem with this. I mean, I don’t know if my shower-stall rendition of “Poker Face” is anything I want people listening to, never mind recording (Note: I do not actually sing in the shower.)

But the fact of the matter is, as I mentioned before, I’m making a conscious decision to post information online. As such, I’m aware that when using a Google service/product (for free), that information might actually be looked at. This is not to say that I’m allowing them to do whatever they want with it, mind you. Depending on the context (more on that in a second), I usually take a conservative approach and just presume that whatever post online will be considered public domain. Period.

What’s this about context you say? Well, truth be told, there are in fact some small corners of the internet that are marginally more “obscure” than others. I’m not talking about seedy underground file-sharing sites or any other “non http” source. I’m referring to the fairly niche clusters of community-oriented sites, blogs, forums and portals that serve members with similar interests. ArsTechnica, xkcd, Orchid Forums, and even certain social networking groups are just a few examples. Popular in their own right, and yet focused enough to attract users who search for information within a particular subset of info.

This is not to say that you shouldn’t be cognizant of material that you post in these instances, but it does tend to be the case that the level of familiarity amongst users in these sub-cultures is high enough to allow certain things (Vacation photos, discussions regarding family members etc…) to pass. But I digress.

As time goes on, more and more of your information is going to end up in the cloud. It is inevitable. The netbook segment of the hardware market is exploding. Businesses are adopting cloud infrastructure, enabling their employees more flexibility and freedom to work wherever they want to, physically separated from their information/data. Data storage limits are at a point where petabyte thumb drives (~1,000,000 Gigabytes, people) aren’t that far off. As far as cost/benefit goes, it just makes more sense (for now). We look at the concept of “unlimited storage space” today, in very much the same way we looked at the concept of smart-phones 5 years ago. Nifty sounding tech, but there are too many limitations to make it feasible for the consumer market… look how that turned out. So as this data migration occurs, it just makes sense to realize that parts of our identity are going to do the same.

I’m allowed 2 TNG references in once post.

Just a few quick thoughts about URL shortening services, like the explosively popular Bit.ly, and it’s lesser known rivals Ow.ly, TinyURL and others.

They’ve become the standard mechanism by which people share links via microblogs like Twitter, and they’re even being adopted on forums, and other social networking sites.

As fantastic as they are for compressing unwieldy links that can end up being hundreds of characters of long (think driving directions from Google Maps), they can also be somewhat dangerous. See, I used to be (and still am) one of those people that would visually inspect a link and try to deduce whether or not I’d be clicking through to something interesting, or if I’d be greeted with flashing neon backgrounds and promises of “sexy singles in my area.” This is actually quite helpful in avoiding links that are most often, inadvertently sent through instant messages or email, by users that have fallen victim to a worm or a virus of some sort.

But with a nice, neat, short URL, there’s no way to tell the difference between the benign and malevolent. I realize that some of the bigger players are offering up ways to preview the contents of the URL beforehand (see TweetDeck’s preview URL function as an example of this.), but this does little to deter the average user from blindly clicking on a link from someone that’s considered a “trusted” source.

I see a lot of room here for 3rd party developers to hook into URL shorteners to expand preview functionality in order to minimize the clickthroughs for these virtual wolves in sheep’s clothing. Perhaps making more use of alt-tags to display long URLs, or color-coding the short URL in such case that it’s been reported as malicious/dead. Those of us in the digital space have spent years being indoctrinated against the use of “mystery meat” navigation. Links (image or otherwise) should be clear enough so as to eliminate, or at least minimize ambiguity for the user. URL shortening in its present incarnation just seems like a step away from that.

I’m going to put the content from this post (God help me, I was *this* close to calling it a ‘tweet’) into two separate buckets: One to describe the differences between my initial and present perceptions of this 800-pound social media pachyderm, and one to describe what’s remained largely the same.

Where I went wrong:

Prior to it’s explosion in 2008-2009, Twitter had been around quietly adopting a modest userbase since about 2006, playing off of the same basic model as other microblogging platforms like Pownce, Identi.ca and others. Outside of the blogosphere though (yes, that was me you heard sighing at another term I despise using), virtually nothing was known about it. When I first started looking into the service, my guess was that the VAST majority of users would be essentially be of the “fast-food” variety. Get in fast, get a quick bite, get that heavy, bloated feeling as you wonder why you’re there in the first place, and then get out.

I also assumed that commercial entities/businesses would fail to see value in it, based on the fact that the business world is just NOW starting to understand the benefits of social tools. Further, I assumed the celebrosphere (… give me that one at least? They’ve done a LOT worse.) would embrace Twitter for as long as takes FOX to cancel a series, and be done with it.

Well,… not so much. Though current numbers suggest that there are crests and troughs with regards to who uses Twitter and for how long, there are FAR many more persistent users than I thought there would be (to be conservative) figure 1 million people broadcasting their lives in little micro-bursts over the course of the last year).

Amongst the masses is an unexpected group of users; the same businesses that I thought would have turned a blind eye to this thing. Sony Pictures, Time Magazine, the Discovery Channel, the Beeb… the list goes on. Mind you, there are a few that I totally expected to be there from the start (Explore Music and iTunes Trailers being among them).

As far as celebrity involvement that pushes beyond the boundaries of toy-dog updates and upcoming project promos? They’re there as well, and the list extends beyond the usual suspects. People like ICE-T (yes that ICE-T) broadcast daily images, quotes, and fields questions in between filming on set. “DJ” John Larroquette is among the many people posting their latest musical selections using Last.fm’s popular service. Drew Carey recently offered to donate $1 for every follower he obtained (up to 1,000,000) to the Live Strong Foundation. I can’t be the only one who finds that even slightly innovative.

Where I was right:

Even given a level of interaction and involvement amongst the Twitter community that is MUCH deeper than I anticipated, the overall environment is still dominated by spectators and transient users. Amongst my own very meager following, I’ve had people post once or twice and then go dead silent ever since. This is expected though, regardless of the technology or service that you look at (How many people out there have a blog with less than 3 posts?). However, I think this will change once a much tighter integration between mobile services and handsets is introduced. Twitter has to be part of every mobile device out there, by default, full stop. Further, proper data plans and pricing need to be there to support it (especially in Canada.)

A significant percentage of accounts out there are spambots (especially porn related spam bots). That’s just reality. Where technology evolves, porn will follow. Like it or not, the adult industry is a leader in technology development and innovation, and their balance sheets will indicate nothing less. There are a few tools and services out there that attempt to minimize the intrusion (no pun intended), but by and large it’s best to just click and unfollow these sexy, language challenged sirens when they come knocking.

Lastly, the following remains true about Twitter: For every person out there that “gets” it, I can guarantee you that there are probably 5 more that don’t. I’m gradually making my way over to the “get it” camp, but I’d still need to see exactly where this company is going in the next 12 months before the lightbulb goes to go off in my head. Is there a business model, or is it all about building a userbase? Does it maintain its residence as a “site”, or does it truly make its home on mobiles? How will commercial interests be accommodated?

As far as I’m concerned, this is still very much a “wait and see” game.

It’s Christmas morning, and you’re 5 years old. You rush downstairs before everyone else and start tearing into that one gift that’s been teasing you with its shiny wrapping and big red bow for what seems like forever. Shreds of paper begin to rain down as your eyes widen at the sight of… a brand new chemistry set.

That’s pretty much how I felt about Google Wave when I first looked received my invite. It could be awesome… later, once I actually figure out what to do with it. But because it’s in limited beta right now, there aren’t really enough people that I can interact with in order to take advantage of all of its features. … Ok, a chemistry set isn’t really a social device, but you get my drift.

Don’t get me wrong. I “get” why it’s awesome. I just haven’t been able to experience it for myself. Depending on how long it’s in beta (which is likely to be quite some time, given their track record with their other products) I suppose the userbase will grow, and soon we’ll all be engaged in really rich conversations about the most recent episode of House, or how much I loathe green peppers or something.

That’s one of the things that amuses me about the mass audience (myself included). We seem to crave really cool, ever advancing technology to perform the simplest of tasks. The vast assortment of new applications dedicated to interesting ways to churn out 140 character posts on Twitter is proof of this. What do any of these apps do that’s really THAT much different from sending a text message to one or more people? Further, given that there IS a difference, how many of us take full advantage of even the most basic features? Given the iconic nature of the image below, I’m willing to bet it isn’t many.

If you’ve seen any of the trailer videos for Google Wave, they make a pretty good case for how it could be used in the course of daily events. A near seamless blending of email/IM/texting etc., making the sharing of information that much easier. But given the ever present challenge of convincing people to change their online habits (IE is still the leading web browser, despite Firefox/Chrome/Safari being better products in my opinion), I’m a little apprehensive about how fast this will take place. This isn’t merely a new tool, it’s a new toolset that’s going to require people to change the way they think about how they communicate.

I guess, as with most things, we shall wait and see. If anyone else out there has access to Wave and wants to give it a spin, drop me a line at my Gmail account (Chris DOT Baboolal).

As I fell asleep last night, a thought began to coalesce which accurately summed up what I’ve learned so far from being on Twitter. About a half hour later I woke up in a daze and wrote down that thought, hoping to expand on it at some point today. Of course, when I looked at that note this morning it was apparent that my moment of clarity was anything but (hence the title of today’s post – 2 points to anyone who gets the reference):

Fortunately, with a little caffeine and some online radio tunes, I’m able to recover some of the highlights. The early-adopt / early-abandon method was definitely taken by a LOT of people, as evidenced by several accounts that only 1 or 2 posts in the first couple of days since joining. There’s a strong, active community of people (celebs and non-celebs alike) that post no less than a half a dozen random thoughts per day. And then there are some that post one or two well-crafted thoughts with attached links whenever the mood strikes. Of course, there’s a healthy number of hybrid Twitterers (Tweeters? – forgive me, I still haven’t really absorbed the clique-lingo) that fill out the scatterplot as well, of which I consider myself to be one of.

From what I gather, people haven’t come to a consensus about exactly WHAT Twitter is. To some it’s a blog, to others it’s a megaphone, and still yet to others it’s like some sort of lasso, used to corral the random thoughts of others for later processing. As I posted some time ago, it’s not unique, but I suppose all that matters is that it’s still standing.

Some other random highlights:

Brent Spiner – Still amusing, still weird, still strangely compelling to read.
Alan Cross – Yet another channel to follow one of radio’s most knowledgeable and entertaining personalities.
@EverySpam/PornBot that has ever added me to their list – Perpetual proof that there will always be a mechanism out there to add noise to balance out the signal.

I’ll keep this (kinda) short, because I expect that among the people reading this, there will be some who know me, and some who don’t. Of course, that expectation presupposes that a lot of you actually read this blog. Hah. We’ll see I guess. Oh, and for those of you that don’t know me, don’t get scared off by the title of this blog. I’m not trying to sell you anything.

I signed up for Twitter a few years ago when a friend (@joanna) introduced me to it. I hadn’t used it since. I’ve posted quite a bit about it in the past, but I’ve never actually used it.

As time went by, I heard about more and more people hopping on, but I never took to it. I just didn’t get it. In fact, I still don’t. As far as the communication angle is concerned, I’m already waist deep in instant messengers, websites, message boards, text messages and a cellphone. So why am I here/there then?

Well, I’ve noticed that like with many mechanisms of communication, people use Twitter in very different ways. Some people are letting the world know about their breakfasts, some are self-promoting, some are staying in relatively close circles of communication, and some people are actually engaging in conversations with, well, just about everyone. This is something I didn’t expect, and in retrospect it should have been obvious.

One look at the list of people that I’m following, and your next question is probably…”WTF?” Well, there’s no semblance of order there, really. In addition to the few people that I know, I just started going through the lists of people that were following others, and adding names that I recognized. I will admit that I was rather surprised when I was notified via email that “Richard Moll is following you on Twitter!” Now, this is likely due to the fact that some people return the favour of a follow-action in order to expand their own networks. But hey, I thought it was kinda neat regardless. Thanks Richard!

So I guess I’m here to [attempt to] join the conversation. I’ll be blogging (here) about some of the things that I really can’t cram into 140-characters, but I’ll also be in and amongst some of you, trying to be somewhat entertaining, but mainly trying to figure this whole Twitter thing out.

Cheers!

As far as the Digital space goes, a mountain of information has been absorbed into the collective consciousness of the world in the last couple of weeks. So much so that it’s hard to measure or even comment on exactly what it means.

The Chinese government hobbles Google, Twitter becomes the de facto source of connection for the Iranian election conflict, Bing says hello world, the Palm Pre makes a surprisingly impressive entry into the marketplace, and the web itself felt the strain of half a dozen celebrity deaths.

With each of these events comes the maelstrom of online commentary, as people attempt to reflect and organize the information into digestable units. But in recent weeks it seems that there hasn’t been enough time to consume one event before another explodes onto the scene.

How do you think this affects our overall ability to communicate about events that occur all around us? Do these things go into a queue for future processing? Do some things get filtered out? Is it possible to process them all in parallel? All of the above?

The first thought from many of you is going to be “Yup, he’s on the sauce again.”

10am Drambuies notwithstanding, hear me out on this. I was thinking about the way technology is moving forward and how we’re all collectively responding to our innate need to find stuff. The internet is built on a system of requests and responses. The very first “computerized” searches came in the form of relatively crude algorithms that were designed to brute force their way through reams of information to return the closest match to a given query. Present day search systems are much, MUCH more sophisticated. Predictive algorithms, organic search mechanisms, and multi-modal search engines (voice search for example) are just some of the ways that we’ve attempted to make “finding stuff” easier.

There’s just one problem. Finding stuff isn’t really easier because overall, people still don’t know how to search. Think about it. There’s still a massive disconnect between the way that the average person thinks, and the mindset that’s required to search for something “properly” online.

Take for example, a question that’s the de facto litmus test for a search scenario; “Where should I go for dinner tonight?” Now, if *I* were to start searching for the answer (and yes, I am somewhat snobbishly excluding myself from the general public in that I think differently when it comes to online searches), I would go to Google, make sure I’m cookied for Canada by signing into my Google account, and then I’d type something like the following into the query field:

The first result is a rather simple site, but it’s a list of lots of restaurants with links to their website. For a general query, it’s not that bad. However, if you type in a much more natural query like: “Where should I go for dinner tonight?” (still signed into my google account mind you), the results are markedly different. The first result is a Yahoo Answers page from Australia:

http://au.answers.yahoo.com/question/index?qid=20071130191037AAZmpb2

Now, there are of course some very valid reasons for the differences between the two sets of results. My question is a qualitative one, for starters. By asking a natural question, I wasn’t explicitly asking for a list of restaurants. How would the system know which restaurant I “should” go to? It doesn’t necessarily know what I like (yet). The system also doesn’t really know where I am unless I tell it (either through the query itself or via GPS if I’m using a mobile to execute the search). There are in fact a lot of variables that make “natural search queries” quite difficult to handle by a system that doesn’t know who you are.

A ha. Therein lies the reason why the current method of search engine optimization (from the search engine’s perspective) is flawed. It starts off by assuming that the system is completely disconnected from the person asking the question. The goal is to provide enough information to this blind user in order to make the search result more relevant. Queue meta-tags, content strategies, and any other number of mechanisms to make this happen, and make “possibly relevant” results float to the top.

Well, why bother with that assumption in the first place? The only other activity that rivals searching online, is social networking. Ok, fine. It’s actually porn, but we’ll just assume that’s a given and continue on with the story. You’d be hard pressed to find anyone with access to the internet that didn’t have some kind of profile or identity online. Between Facebook, Twitter, … and all of those other communities, nearly everyone is linked to one of them. Everyone’s got some kind of profile online, and most of those will continue to evolve as they accumulate history. Now, before I go on I’d like to clarify that I know the reasons why profile-related search results are perceived as a scary concept to some. Regardless of the fact that many are quick to enable things like search histories and information-sharing between websites, there are some that focus on the potential dangers of doing so. There is merit to these concerns, but it also represents a whole other series of potential material to cover. So for now we’ll move forward.

Think about it like talking to your Doctor or your Lawyer, your Accountant or even your friends. All of these people could be considered systems which are profile-aware. They know you in some specific context and as a result, they can provide you with answers to pretty vague questions (“I’ve got like…a thing on my arm, and it hurts. What’s wrong?”). With the exception of your friends, they’re legally bound to keep your information private but if you think that they all adhere to those regulations 100% of the time, I’m sorry but you’re fooling yourself.

Now think about how this translates to an online search. All of a sudden, “Where should I go for dinner tonight?” doesn’t seem all that unreasonable, does it? If there is a shift in focus from making disconnected information “possibly relevant”, to making relevant information accessible, the way we all “find stuff” could drastically change in the next few years. All of the pieces are already there. The same sophisticated search mechanisms I mentioned above wouldn’t have to change at all. Social networking is already set up to gather information about us. The only bit that’s left to do is to connect the two properly.

Though, I guess the whole thing is really going to get weird when you start seeing stuff like this in response to a dinner selection query:

Thoughts?

“Can I send you a link?”

“Nah, I’m at work. Email/Facebook/Twitter it and I’ll grab it when I get home.”

That’s probably a conversation that many of you have had before over IM. Conversations over IM have typically been laced with some type of sensitivity regarding the content that’s transmitted, especially when one of the participants is at work, or somewhere else where the potential for “eavesdropping” or snooping of some kind. Most companies are gradually allowing the use of IM clients in the workplace, but not without a system to monitor traffic and content over what they view as a “company owned resource.”

The internet is rife with stories recounting embarrassing situations involving risque material that would have been better viewed outside of work. All it takes is one click to trigger content filters or other software designed to keep an eye on what people are viewing online.

Don’t ask me why this particular image was included. I just found it amusing.

The latest version of Windows Live Messenger, arguably the most popular IM client in the world, was recently released with a long sought after feature which could change the way IM conversations take place (especially if you’re nerdly leanings resemble my own). You can now sign-in to WLM from mulitple locations at once, and have completely separate settings for conversations in each place. If you have a machine at home that’s always on for example, you can use it to save your conversations while you log on from work, or when you’re mobile.

I think this is interesting because save for Google Talk (which is massively underused), no other messenger client has this as a native feature. There are several 3rd party plugins that are available to accommodate this, along with some registry hacks that can accomplish the same thing. But why muck about in the registry when you don’t have to?

Anyhow, it’s a handy little feature, and I thought I’d give it a mention.