Life Philosophy

This is even better than Charlie Brown’s “Life is like an Ice Cream Cone – you have to learn to lick it”

Satchel from Get Fuzzy today

“Sometimes you have to get to the line and call an edible”

Ticky-tack

The “phrase” ticky-tack is getting pretty good play recently in our group at work. I’m pretty sure I managed to introduce it at some point a few months ago about something-or-other request we were dealing with.

Apparently James has now started using it and wondered where the heck I got it from.

And I hadn’t the slightest idea.

Until, thanks to Wikipedia(*) – the root of the phrase is from the late sportscaster Chick Hearn. I’m sure that Mr. Hearn’s phrase made its way through sportscasting, and to friends of mine and to me, for me to subvert to the fun and exciting world of technology.

(* it’s not all wikiality )

Practical Security and passwords

I have a classic IT dilemma for your consideration and discussion, concerning (pseudo) “single sign on” and password security.

The question is driven by a real-life example – but do keep in mind that the question is bigger than the example.

We have an account registration and sign-up system in eXtension. The eXtensionID and password is used for most, if not all, of our tools that require authentication, in order to prevent a proliferation of accounts and passwords and to improve the user experience with authentication. All our apps take a login/password themselves. Our Ruby on Rails apps use a key-based http-post-with-xml-response to an authentication application (sort of an XML RPC mechanism, but not standard). Other applications use an LDAP bind (mediawiki, jabber, and some PHP-based apps).

This, as you know, is “pseudo single sign-on”. As you also know, most of the real single sign-on products are limited to a specific platform, language, or similar restrictive scope, or are rather complex. There’s hope with things like OpenID – but that’s as much about identity management as account management, and while I think we are going there, it’s going to be a long time before each application catches up and supports OpenID – so you still have to have some passwords.

Single sign-on is a hard (really hard) problem, which is why nobody really does it. (not in environments like ours)

However, pseudo-single sign-on is easier, but creates the problem that a password is going to be jeopardized in some way. This “password jeopardy” actually prevents services from being rolled out, because of security concerns. When I was in the College of Engineering at NCSU, we didn’t tie jabber and subversion to the campus Unity password for that very reason, which naturally kept those services from growing beyond a small group of people that could handle and track having more than one account and password. My limited understanding is that this has also been a concern about rolling out a campus-wide chat service at NCSU – because it would likely mean that a whole lot of users are suddenly saving their Unity password in their chat clients – and that’s a pretty big risk.

And while we have that problem in eXtension too (saving passwords in a chat client) – with our userbase, it was worth the risk. However, the “problem example” is that there are cool third-party services for chat – like the web-based Meebo application – which is a fantastic tool. But to use it means that the person is turning over his/her password to a third-party. And that is a security risk that I’m not sure is worth the pseudo single sign-on. How big of one is dependent on what the “account” can do and how good your tracking and audit systems are.

So given that kind of example (again treat it generically) here’s the discussion question.

I’ve personally always believed that the solution for this, given that single sign-on solutions don’t practically exist – is creating throw-away passwords for those services – managed centrally. You have a master password that in turn provides access to a tool that lets you manage a list of passwords (and usernames) for each service.

  • Wearing my security hat – I like it because it limits the scope of jeopardy. Getting the chat password only jeopardizes the chat service, etc. This also lets us roll out new services that don’t necessarily have to be “bulletproof” security-wise, because they aren’t having to take a master password. Of course, I know that most would use the same password for everything. But at least I gave them a chance.

  • Wearing my support hat – this idea brings bad memories of multiple passwords and usernames. And of course, I know they are going to use the same password for everything, except for a handful that “get it” and possibly another handful that “try it” and get so completely confused that they create such a support burden that I would curse myself for ever trying it to begin with.
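To make the “scope of jeopardy” argument concrete, here is an added sketch of the central tool described above: one master password, from which a distinct throw-away password is derived for each service, with each service storing only a salted hash. This is example code written for this page, not eXtension’s code; the class names (CredentialManager, ServiceAuth), the round counts and the sample user are assumptions. The point it demonstrates is that a password handed to a third-party chat client (like Meebo) can only open the chat service, cannot be turned back into the master password or the wiki password, and can be rotated without touching anything else.

```python
import hashlib
import hmac
import os
import string

# Added example, not eXtension's code. Illustrates one master password
# unlocking a per-service list of throw-away passwords. Names are invented.

ALPHABET = string.ascii_letters + string.digits  # 62 printable characters
PBKDF2_ROUNDS = 100_000  # assumption: any slow password hash would do


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password once; this key never leaves the manager."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def service_password(master_key: bytes, service: str, rotation: int,
                     length: int = 20) -> str:
    """Derive the password for one service from the master key.

    HMAC is one-way: a password captured from the chat service (say, out of a
    third-party web client) yields neither the master key nor the wiki
    password, so the blast radius is that single service."""
    label = f"{service}:{rotation}".encode()
    n = int.from_bytes(hmac.new(master_key, label, hashlib.sha256).digest(), "big")
    chars = []
    for _ in range(length):  # base-62 encode the 256-bit digest
        n, idx = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[idx])
    return "".join(chars)


class ServiceAuth:
    """What an individual service (jabber, mediawiki, ...) stores: a salted,
    stretched hash per user, never the password, so a breach of one service
    leaks no credential that is reusable elsewhere."""

    def __init__(self, name: str):
        self.name = name
        self._users: dict[str, tuple[bytes, bytes]] = {}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def check(self, user: str, password: str) -> bool:
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))


class CredentialManager:
    """The central tool: one master password, a per-service password list the
    user can look up or rotate. Only the manager ever sees the master key."""

    def __init__(self, user: str, master_password: str):
        self.user = user
        self._salt = os.urandom(16)
        self._master_key = derive_master_key(master_password, self._salt)
        self._rotation: dict[str, int] = {}  # per-service rotation counter

    def password_for(self, service: str) -> str:
        return service_password(self._master_key, service,
                                self._rotation.get(service, 0))

    def enroll(self, service: ServiceAuth) -> None:
        self._rotation.setdefault(service.name, 0)
        service.enroll(self.user, self.password_for(service.name))

    def rotate(self, service: ServiceAuth) -> None:
        """Revoke a jeopardized service password; master and other services
        are untouched."""
        self._rotation[service.name] = self._rotation.get(service.name, 0) + 1
        service.enroll(self.user, self.password_for(service.name))


def demo() -> dict:
    """Walk through the chat-password-leak scenario and report each check."""
    chat, wiki = ServiceAuth("jabber"), ServiceAuth("mediawiki")
    mgr = CredentialManager("alice", "correct horse battery staple")  # constructed sample
    mgr.enroll(chat)
    mgr.enroll(wiki)
    leaked_chat_pw = mgr.password_for("jabber")  # handed to a third-party client
    results = {
        "chat_login_ok": chat.check("alice", leaked_chat_pw),
        "passwords_differ": leaked_chat_pw != mgr.password_for("mediawiki"),
        "leaked_pw_accepted_by_wiki": wiki.check("alice", leaked_chat_pw),
    }
    mgr.rotate(chat)  # response to the leak: only the chat password changes
    results["old_chat_pw_accepted"] = chat.check("alice", leaked_chat_pw)
    results["new_chat_pw_ok"] = chat.check("alice", mgr.password_for("jabber"))
    results["wiki_unaffected"] = wiki.check("alice", mgr.password_for("mediawiki"))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Deriving the service passwords from the master key (rather than storing random ones) keeps the example free of any encryption library, but it also means a master-password compromise still exposes every service; that trade-off is inherent to the design in the post, and the rotation counter is what lets a single leaked password be retired without a master password change.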

So – what do you think?

Now for something completely different.

I’m not much of a television watcher. I tend to stay away from popular culture in general – and TV and Movies more than most. For the last two years, in fact, I’ve watched no new television shows (I actually watched my first reality show ever last year – Hell’s Kitchen, which turned out to be entertaining until the end, and then it was just completely boring). The only shows I’ve watched more than once in the last two years have been syndicated reruns of King of the Hill, and more than one episode of The Dog Whisperer and MythBusters. The latter two I enjoy very much, but not quite enough to DVR them.

This season, I decided to give two shows a shot, and see if I liked them or not – I went for Heroes and Studio 60 on the Sunset Strip. I thought Heroes had an interesting premise and that likely some friends of mine would watch it and I could talk about it with them. It does and they do, but after watching the second episode, in which two bloody mobsters were stuffed in a trunk, two people had half-sawed-off heads, and one lady was pinned with knives to a staircase, that was enough. I really dislike television violence (I barely stand for it in war movies) and that was too much for me.

Studio 60 though, is fantastic. I love great television writing, and Studio 60 is as good as the early Sorkin-produced The West Wing. I loved Sports Night – I loved The West Wing (until Sorkin left, and the show completely went downhill). And I really like Studio 60; last night’s episode was the best yet (I DVR them and usually watch them on Tuesdays and Wednesdays.)

And because I like it, it’s sure to get cancelled.

(The funny thing is though, they have my demographic interests so nailed with that show, that I’ve actually stopped the fast forward during the commercials to watch the commercials, because the product interested me. That’s saying a lot.)

IE7 – No looking back

It is no secret that I think that Microsoft’s Internet Explorer browser is a gigantic piece of crap. It hasn’t been significantly updated since 2001, its security problems have cost customers millions of lost hours of productivity, it gives web developers headaches galore. My life has probably been shortened from the stress it’s caused.

Well, IE7 is out. And maybe, just maybe, it’s not quite crap anymore – at the very least, the major CSS bugs are supposed to have been fixed – and there’s now transparent (alpha-channel) PNG support, and numerous security fixes. I’m a Macintosh guy – but every windows machine I have or even tacitly support will be going to IE7. And that will be my forthcoming response to every problem in IE. “Problems? Have you upgraded your browser yet? Please do so.”

IT shops should be upgrading in droves.

Give Microsoft a second chance – stop supporting the craptastic IE 6 browser.

Quizzing Interviews

So, after 14 years of being hired, watching peers get hired, being in interviews for peers, interviewing and hiring people myself, I’ve more and more come to realize that the interview just really doesn’t work out. I consider myself a relatively experienced judge of character (work character at least), but I’ve been burned more than once on someone that interviews absolutely fantastically, but just doesn’t end up working out – the biggest issue it seems being work ethic – which is incredibly difficult to judge in an interview.

I also think that the interview isn’t all that fair to technical candidates – because most of the problems that systems and software people solve are best solved when you have time to sit back, look at the parts, search around a bit, and come up with a whole (or find the hole). And trying to ask technical questions that have to be answered on the spot doesn’t really judge much except the ability to be self-reflective enough and not be afraid of the answers “I don’t know” or “I’d have to think about that a bit” – which is all well and good.

I do, though, work for the State, so there’s not much chance that I could contract someone for a few days of work and see how they work out. But I do think I could give a quiz – or more – a questionnaire (as long as I give it to everyone).

However, I’m somewhat at a loss to start with that. The only ideas I have are:

  • Ask them what feed reader they use. And what their favorite blogs are (if you aren’t using a feed reader, then you likely don’t have the other skills we need either)
  • Give them a list of the actual tasks we have open and ask them how they would prioritize them
  • Give a problem or two that we have right now and ask how they’d work through it (this is much more fair with some time with google than trying to answer it in an interview)

Other suggestions? If you are on the giving or receiving end of one of these – is it a good idea? What would you ask? Or want asked of you?

You have to dig deeper

This commentary (linked to by Jeremy Zawodny) is pretty fascinating – on all kinds of levels.

One – the tastyresearch blog is pretty cool in and of itself. Two, I absolutely dig the subject matter. The fact that there are broad linguistic differences in the United States is a pretty interesting subject. ( I’m fascinated by the vocabularies we invent in our fields to communicate amongst ourselves in medicine, computing, animal sciences, etc. ).

But what really is interesting about this is found by digging deeper. As I started looking at the generated graph – two things stood out:

[Image: legend.png]

1) the North Carolina data is pretty interesting.

[Image: nc.png]

2) I’m intrigued by the blob of Soda around east-central Missouri and south-west Illinois.

[Image: missouri.png]

I started trying to rationalize why this might be. Missouri/Illinois I could understand from emigration to St. Louis.

But North Carolina’s data was just weird. Could that be because Pepsi started in NC? Throwing off our southern Coke heritage?

So I went looking for the data.

The site linked to by TastyResearch is the source. It’s an older (pre-2002) internet-only self-reporting survey.

In other words, not very accurate science. At all. It’s entertainment and general trends. It probably does reflect general viewpoints pretty well.

But when you really look at the data – that’s when you begin wondering about things – can ~3300 responses from NC build an accurate county-based view? I’ve forgotten all my statistics, but I’d say for most of the counties, no, the margin of error is too great. However, it is language, and you might have to assume that good data in one county probably correlates well with the neighboring county (at least for words like these). But it’s still really entertainment.

At the end of the day though, I really love this kind of data view – especially working in Extension. And would love to figure out ways we can begin to do these kinds of things, and find more accurate data reporting.