Verity's secret shame revealed

Password techniques and retrospective Daleks


Stob I defrosted my ideas box, and found several morsels which wouldn't make a whole meal in themselves, but nonetheless needed eating.

Palmed off

Here you are: a free chance to laugh at-not-with me.

I am a Palm Pre owner, pretty much the last one in the box. I hold this status in a work environment of iPeople. I feel my position deeply.

I was an enthusiast. In the bright early days of Pre ownership, I joined the developer programme, and actually wasted some time creating a noddy app or two, in anticipation of the fortune this skill would bring me once it all took off. I was excited when HP bought the company. I thought they would likely take a belt-and-braces approach to progressing WebOS.

So they did: carefully tying the braces around their middle, and knotting the belt around their metaphorical neck. When they dramatically and abruptly scrapped all their WebOS hardware, 1) I was not best pleased and 2) I received a circular email from one Richard Kerris, VP WebOS Developer Relations.

Dear webOS developer:

We have opened the next chapter for webOS, and we understand that you must have many questions. Yesterday we announced that we will focus on the future of webOS as a software platform but we will no longer be producing webOS devices. While this was a difficult decision, it's one that will strengthen our ability to focus on further innovating with webOS as we forge our path forward. [...]  We will continue to support, innovate and develop the webOS App Catalog. Our intent is to enhance our merchandising and presentation of your great products and to continue to build our webOS app ecosystem.

But without any hardware to run it on. Right.

The tone of this ridiculous email seemed familiar, but it took me a while to place it. At the end of the splendid video game Portal, after the player's character has defeated and apparently destroyed the deliciously malicious computer GlaDOS, she – GlaDOS – is restored from backup and returns in the credits sequence to sing:

This was a triumph.
I'm making a note here: HUGE SUCCESS.
It's hard to overstate my satisfaction.

Same logic, no?

Once this mapping was achieved, everything else fell into place. HP is of course channelling Aperture Science, the game's lunatic corporation ('we do what we must because we can') whose inventions – Aperture's, not HP's – include Douglas Adamsesque robot machine guns that apologise as they shoot you to bits. HP's boss Leo Apotheker is modelled on Aperture's Cave Johnson, whose robust approach to life's lemony gifts is justly famous.

Mr Apotheker certainly found the HP Touchpad had a citrus flavour. I have so far seen no evidence that he has implemented Cave's threat regarding their inflammatory engineering; on the other hand, you can't be too careful. Those "lucky few" who managed to catch one of the rare, cheap models might consider investing in a fire safe to keep it in.

Perhaps HP also makes fire safes. Which talk. And run WebOS. Perhaps you will soon be able to nab a cheap one in an HP fire safe fire sale.

OK, OK, I'll stop bitching. Just a word of calm and rational advice to Mr Apotheker, you Palm-killing monster. Don't surround yourself with sycophants: sooner or later you will inevitably slip up in their syc. This is Cave Johnson; we're done here.

Tone up, tone up your passwords

His worship xkcd recently filed a piece on password strength, which has been much commented on and admired. Our Toony Laureate's contention is that it would work much better if, instead of using 12-letter passwords rich in both cases, punctuation and numeric digits, we all selected four random common words and just used them.

That's all very well, but even allowing that I can accurately recall a short phrase – say "Remember the fifth of November" – the chances of me typing something that long and getting it right are not good. (Please do sit down again. This is not a real password. All passwords in this item are fakes, impersonated – badly – by actors.)

When I type

Remember the fifth of November

what do you think is going to come out?

Rembeer th efifth of nOvember

That's what, and there isn't a computer in the world that will accept the substitution.

The trouble is, xkcd's 40-character phrases do not fit in the 14 byte cache of finger memory which is where I must store passwords if I am to type them accurately.

And if I can't type them accurately then I am in big difficulties, because I will be deposited in Password Reminder Personalised Question Hell ("What was the name of your second-favourite Auntie's third cat?" "What was the motto of your stepmother's primary school?") without passing Go and collecting £200 to pay the gas bill.

Slasher's delight

Ever since – what, MS-DOS 2? – Microsoft OSes have used backslashes in their file paths. When writing in a C-ish programming language, this is a pain, as the backslash is the escape character and has to be doubled up in any string constants:

"C:\\App Path\\"

If you are rash enough to use UNC path names, which begin with a double backslash, you need to put four of them in a row:

"\\\\machinename\\share\\App Path\\"

Now regexes have finally arrived in C++, and we have the exciting prospect of using them to process and verify paths, just as Perl users have done for the past 150 years. Naturally enough, a regex needs an escape character. No marks for guessing which character was chosen, causing a further redoubling.

boost::regex unc_name(
    string("(\\\\\\\\(\\w+)\\\\(\\w+(\\W\\w+)*\\\\)?)") + ...

This is getting silly. And I haven't even considered the extended-length path prefix \\?\, which itself looks like a broken-off piece of regex even before you start escaping it.
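The redoubling above can be checked mechanically. The following is an added example, not code from the original column: it uses `std::regex` and a C++11 raw string literal rather than the `boost::regex` fragment shown, and the pattern, the names `parse_unc` and `kUnderEscaped`, and the sample paths are all constructed for illustration. It shows the same UNC pattern spelled both ways, plus what a path check actually accepts when one escaping level is dropped.

```cpp
#include <iostream>
#include <regex>
#include <string>

// Two spellings of ONE regex: an optional \\?\UNC\ or plain \\ prefix, then
// server, share, optional sub-directories and an optional trailing backslash.
// Components are limited to \w+ here (a simplification assumed for the example).

// Ordinary literal: each regex backslash is doubled again for the compiler.
const std::string kUncEscaped =
    "^(?:\\\\\\\\\\?\\\\UNC\\\\|\\\\\\\\)(\\w+)\\\\(\\w+)((?:\\\\\\w+)*)\\\\?$";

// Raw string literal: only the regex layer of escaping is left.
const std::string kUncRaw =
    R"re(^(?:\\\\\?\\UNC\\|\\\\)(\w+)\\(\w+)((?:\\\w+)*)\\?$)re";

// One escaping level short: "\\\\" reaches the regex engine as \\ and so
// demands ONE leading backslash, not the two a UNC name needs.
const std::string kUnderEscaped = "^\\\\(\\w+)\\\\(\\w+)$";

struct UncPath {
    bool ok;
    std::string server, share, rest;
};

bool same_pattern() { return kUncEscaped == kUncRaw; }

UncPath parse_unc(const std::string& path, const std::string& pattern = kUncRaw) {
    const std::regex re(pattern);
    std::smatch m;
    if (!std::regex_match(path, m, re)) return {false, "", "", ""};
    return {true, m[1].str(), m[2].str(), m.size() > 3 ? m[3].str() : ""};
}

int main() {
    const char* samples[] = {   // constructed sample paths
        R"(\\minimum\share\App)", R"(\\?\UNC\minimum\share\)", R"(\minimum\share)"};
    for (const char* s : samples) {
        UncPath strict = parse_unc(s);
        UncPath loose = parse_unc(s, kUnderEscaped);
        std::cout << s << "  strict=" << strict.ok
                  << " under-escaped=" << loose.ok << "\n";
    }
    return 0;
}
```

The under-escaped pattern compiles without complaint, which is why a path validator built this way is worth testing against both a genuine UNC name and a single-backslash near miss.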

So here is my proposal. To fix things, or at least make them slightly less frightful, Windows 8 paths should use forward slash throughout, and so fall in line with Unix and internet URLs. (Yes, I know they can already sometimes; but this should be the full production.) In all the excitement about Metro this and touchscreen that, I have seen no coverage of this important issue, but I notice the developers' conference was called //build/ (sic), so I live in hope.

Meanwhile, here is this week's code homework. Write a constant for a C++ regex that matches text containing a PHP regex assignment that matches text containing a JavaScript regex assignment that describes a Windows UNC path with extended length on a machine called 'minimum'. Only, to make it interesting, use the Tom Lehrer spelling of 'minimum'.

First person to break the \ key wins.
