Verity's secret shame revealed

Password techniques and retrospective Daleks

Stob I defrosted my ideas box, and found several morsels which wouldn't make a whole meal in themselves, but nonetheless needed eating.

Palmed off

Here you are: a free chance to laugh at, not with, me.

I am a Palm Pre owner, pretty much the last one in the box. I hold this status in a work environment of iPeople. I feel my position deeply.

I was an enthusiast. In the bright early days of Pre ownership, I joined the developer programme, and actually wasted some time creating a noddy app or two, in anticipation of the fortune this skill would bring me once it all took off. I was excited when HP bought the company. I thought they would likely take a belt-and-braces approach to progressing WebOS.

So they did: carefully tying the braces around their middle, and knotting the belt around their metaphorical neck. When they dramatically and abruptly scrapped all their WebOS hardware, 1) I was not best pleased and 2) I received a circular email from one Richard Kerris, VP WebOS Developer Relations.

Dear webOS developer:

We have opened the next chapter for webOS, and we understand that you must have many questions. Yesterday we announced that we will focus on the future of webOS as a software platform but we will no longer be producing webOS devices. While this was a difficult decision, it's one that will strengthen our ability to focus on further innovating with webOS as we forge our path forward. [...]  We will continue to support, innovate and develop the webOS App Catalog. Our intent is to enhance our merchandising and presentation of your great products and to continue to build our webOS app ecosystem.

But without any hardware to run it on. Right.

The tone of this ridiculous email seemed familiar, but it took me a while to place it. At the end of the splendid video game Portal, after the player's character has defeated and apparently destroyed the deliciously malicious computer GLaDOS, she – GLaDOS – is restored from backup and returns in the credits sequence to sing:

This was a triumph.
I'm making a note here: HUGE SUCCESS.
It's hard to overstate my satisfaction.

Same logic, no?

Once this mapping was achieved, everything else fell into place. HP is of course channelling Aperture Science, the game's lunatic corporation ('we do what we must because we can') whose inventions – Aperture's, not HP's – include Douglas Adamsesque robot machine guns that apologise as they shoot you to bits. HP's boss Leo Apotheker is modelled on Aperture's Cave Johnson, whose robust approach to life's lemony gifts is justly famous.

Mr Apotheker certainly found the HP Touchpad had a citrus flavour. I have so far seen no evidence that he has implemented Cave's threat regarding their inflammatory engineering; on the other hand, you can't be too careful. Those "lucky few", who managed to catch one of the rare, cheap models might consider investing in a fire safe to keep it in.

Perhaps HP also makes fire safes. Which talk. And run WebOS. Perhaps you will soon be able to nab a cheap one in an HP fire safe fire sale.

OK, OK, I'll stop bitching. Just a word of calm and rational advice to Mr Apotheker, you Palm-killing monster. Don't surround yourself with sycophants: sooner or later you will inevitably slip up in their syc. This is Cave Johnson; we're done here.

Tone up, tone up your passwords

His worship xkcd recently filed a piece on password strength, which has been much commented on and admired. Our Toony Laureate's contention is that it would work much better if, instead of using 12-letter passwords rich in both cases, punctuation and numeric digits, we all selected four random common words and just used them.

That's all very well, but even allowing that I can accurately recall a short phrase – say "Remember the fifth of November" – the chances of me typing something that long and getting it right are not good. (Please do sit down again. This is not a real password. All passwords in this item are fakes, impersonated – badly – by actors.)

When I type

•••••••••••••••••••••••••••••

what do you think is going to come out?

Rembeer th efifth of nOvember

That's what, and there isn't a computer in the world that will accept the substitution.

The trouble is, xkcd's 40-character phrases do not fit in the 14-byte cache of finger memory, which is where I must store passwords if I am to type them accurately.

And if I can't type them accurately then I am in big difficulties, because I will be deposited in Password Reminder Personalised Question Hell ("What was the name of your second-favourite Auntie's third cat?" "What was the motto of your stepmother's primary school?") without passing Go and collecting £200 to pay the gas bill.
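An added illustration, not part of Stob's column, of the arithmetic behind xkcd's contention. The guess space for k independent uniform picks from n possibilities is k·log2(n) bits: four words from a 2048-word list give 44 bits, while twelve genuinely random printable ASCII characters give about 79 bits, so the comic's comparison holds against the mangled dictionary words people actually choose, not against uniformly random strings. The code also generates a passphrase the way a practitioner should, with an unbiased uniform_int_distribution over the list rather than rand() % n. The word list is constructed for the demo and is far too short for real use.

```cpp
#include <cmath>
#include <random>
#include <sstream>
#include <string>
#include <vector>

// Size of the guess space, in bits, for k independent uniform picks from an
// alphabet of n symbols (words or characters alike): k * log2(n).
double entropy_bits(std::size_t n, std::size_t k) {
    return static_cast<double>(k) * std::log2(static_cast<double>(n));
}

// Constructed word list for the demo. Real lists are longer: xkcd's estimate
// assumed roughly 2048 common words (11 bits each); Diceware uses 7776 (12.9 bits).
static const std::vector<std::string> kWords = {
    "remember", "fifth", "november", "gunpowder", "treason", "plot",
    "correct", "horse", "battery", "staple", "kettle", "biscuit",
    "marmalade", "umbrella", "pigeon", "trombone"};

// Picks k words with uniform_int_distribution, which is unbiased; the
// familiar rand() % n is not, because n rarely divides RAND_MAX + 1.
template <class URBG>
std::string passphrase(std::size_t k, const std::vector<std::string>& words, URBG& gen) {
    std::uniform_int_distribution<std::size_t> pick(0, words.size() - 1);
    std::string out;
    for (std::size_t i = 0; i < k; ++i) {
        if (i) out += ' ';
        out += words[pick(gen)];
    }
    return out;
}

// Convenience wrapper drawing from the OS entropy source. Caveat: the standard
// permits std::random_device to be deterministic; mainstream libstdc++, libc++
// and MSVC read the OS CSPRNG, but check your toolchain before generating secrets.
std::string passphrase(std::size_t k) {
    std::random_device rd;
    return passphrase(k, kWords, rd);
}

// Splits a passphrase back into words and checks that there are exactly
// `expected` of them and that each one comes from the list.
bool all_from_list(const std::string& phrase, const std::vector<std::string>& words,
                   std::size_t expected) {
    std::istringstream in(phrase);
    std::string w;
    std::size_t count = 0;
    while (in >> w) {
        bool found = false;
        for (const auto& cand : words) {
            if (cand == w) { found = true; break; }
        }
        if (!found) return false;
        ++count;
    }
    return count == expected;
}
```

The demo list has 16 words, so a four-word phrase from it is worth only 16 bits; the entropy_bits() figures quoted above assume the 2048-word list xkcd had in mind.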

Slasher's delight

Ever since – what, MS-DOS 2? – Microsoft OSes have used backslashes in their file paths. When writing in a C-ish programming language, this is a pain, as the backslash is the escape character and has to be doubled up in any string constants:

"C:\\App Path\\"

If you are rash enough to use UNC path names, which begin with a double backslash, you need to put four of them in a row:

"\\\\machinename\\share\\App Path\\"

Now regexes have finally arrived in C++, and we have the exciting prospect of using them to process and verify paths, just as Perl users have done for the past 150 years. Naturally enough, a regex needs an escape character. No marks for guessing which character was chosen, causing a further redoubling.

boost::regex unc_name(
    string("(\\\\\\\\(\\w+)\\\\(\\w+(\\W\\w+)*\\\\)?)") + ...

This is getting silly. And I haven't even considered the extended-length path prefix \\?\, which itself looks like a broken-off piece of regex even before you start escaping it.
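As an added example, not code from the column, here are the escaping layers spelled out in working C++11: the same UNC-path regex written once with conventional doubled escapes and once as a raw string literal (also new in C++11, and the nearest thing to the relief the paragraph is asking for), plus a helper that peels off the \\?\ extended-length prefix mentioned above so that the UNC matcher can be applied to it. The machine, share and file names in the demo are constructed.

```cpp
#include <iostream>
#include <regex>
#include <string>

// A UNC path: \\server\share followed by any number of \component pieces.
// With conventional escaping each backslash in the path needs "\\" at the
// regex level and "\\\\" at the C++ level, so one path backslash is four
// characters here and the leading pair is eight.
static const std::string kUncEscaped =
    "^\\\\\\\\([A-Za-z0-9_.-]+)\\\\([^\\\\]+)(?:\\\\[^\\\\]*)*$";

// The same pattern as a C++11 raw string literal: the C++-level doubling is
// gone and only the regex-level doubling remains.
static const std::string kUncRaw =
    R"(^\\\\([A-Za-z0-9_.-]+)\\([^\\]+)(?:\\[^\\]*)*$)";

// True when the two spellings above yield the identical regex source.
bool same_pattern() { return kUncEscaped == kUncRaw; }

// True for a plain UNC path such as \\machinename\share\App Path (a trailing
// backslash and further components are allowed).
bool is_unc_path(const std::string& path) {
    static const std::regex re(kUncRaw);
    return std::regex_match(path, re);
}

// Extended-length paths start with \\?\ and the UNC flavour is \\?\UNC\server\share.
// Strips the prefix, turning the UNC flavour back into \\server\share so that
// is_unc_path() accepts it. Input without the prefix is returned unchanged.
std::string strip_extended_prefix(const std::string& path) {
    static const std::regex unc_ext(R"(^\\\\\?\\UNC\\(.*)$)");
    static const std::regex plain_ext(R"(^\\\\\?\\(.*)$)");
    std::smatch m;
    if (std::regex_match(path, m, unc_ext)) return "\\\\" + m[1].str();
    if (std::regex_match(path, m, plain_ext)) return m[1].str();
    return path;
}

int main() {
    const std::string unc = "\\\\machinename\\share\\App Path\\";
    const std::string ext = "\\\\?\\UNC\\minimum\\share\\notes.txt";
    std::cout << "identical patterns: " << same_pattern() << '\n'
              << unc << " is UNC: " << is_unc_path(unc) << '\n'
              << ext << " -> " << strip_extended_prefix(ext) << '\n';
    return 0;
}
```

Two things worth noticing: the raw-string version still needs `\\\\` for the leading pair, because the regex engine does its own unescaping, and a path that has already been prefix-stripped must be matched again rather than trusted, since `\\?\` paths bypass the normal Win32 normalisation.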

So here is my proposal. To fix things, or at least make them slightly less frightful, Windows 8 paths should use forward slash throughout, and so fall in line with Unix and internet URLs. (Yes, I know they can already sometimes; but this should be the full production.) In all the excitement about Metro this and touchscreen that, I have seen no coverage of this important issue, but I notice the developers' conference was called //build/ (sic), so I live in hope.

Meanwhile, here is this week's code homework. Write a constant for a C++ regex that matches text containing a PHP regex assignment that matches text containing a JavaScript regex assignment that describes a Windows UNC path with extended length on a machine called 'minimum'. Only, to make it interesting, use the Tom Lehrer spelling of 'minimum'.

First person to break the \ key wins.
