ZDNet reports that over 30 Comcast mail servers were compromised recently:
NullCrew FTS used a Local File Inclusion (LFI) exploit to gain access to the Zimbra LDAP and MySQL database — which houses the usernames and passwords of Comcast ISP users.
I am a Comcast customer and I haven’t heard anything from them about this. Which is in line with what ZDNet has reported, that they haven’t been forthcoming with details yet.
Off I went to change my Comcast password. That is when I ran into this disappointing password policy:
The good part is that they do support special characters, which is more than I can say for some other password policies I’ve seen.
The bad part is that it only supports up to 16 characters and doesn’t allow spaces. Neither restriction is necessary when passwords are hashed before storage, so this suggests that Comcast might be storing the passwords in plain text. Which of course would be bad.
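To make the point concrete, here is an added example (mine, not Comcast’s or ZDNet’s code) of how a site that hashes passwords stores them. With PBKDF2-HMAC-SHA256 the stored record is the same size whether the password is 8 characters or 50, spaces included, so a 16-character cap tells you nothing about storage limits and everything about the implementation. The iteration count and record format are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not the code of any site mentioned in the post.
# Work factor is a constructed choice; tune it to your hardware.
ITERATIONS = 100_000
DIGEST_LEN = 32  # bytes of derived key to keep


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex).

    Any length of password, with or without spaces, produces a digest of
    DIGEST_LEN bytes, so nothing about storage forces a length cap.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DIGEST_LEN
    )
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest using the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(salt_hex),
        int(iterations),
        dklen=DIGEST_LEN,
    )
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_length(password: str) -> int:
    """Length of the stored record for a given password (fixed salt for comparability)."""
    return len(hash_password(password, salt=bytes(16)))


if __name__ == "__main__":
    short_pw = "Abc123!?"
    long_pw = "correct horse battery staple plus a few more words"  # 50 chars, has spaces
    for pw in (short_pw, long_pw):
        rec = hash_password(pw)
        print(f"{len(pw):2d}-char password -> {len(rec)}-char record, verifies: {verify_password(pw, rec)}")
```

The thing to notice is that `record_length` returns the same number for both inputs: the database column that holds a hash never sees the password, so its width cannot be the reason for the 16-character limit.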
Related to this is a review of URL validation regular expressions. It compares 13 different methods, but only for validating a whole string as a URL, not for matching URLs inside larger text.
I’m not super keen on the idea of having a list of TLDs as part of the regex, since the number of TLDs is continuing to grow. I do like that Gruber’s regex includes comments in it, which is really helpful for longer, more complex expressions.
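Both points above can be combined. Here is an added example of my own (not one of the 13 patterns in the review, and not Gruber’s) of a commented validator written with Python’s `re.VERBOSE` flag: it constrains the shape of the top-level label (letters only, 2 to 63 characters) instead of enumerating TLDs, so it needs no updating as new ones are added. It accepts only absolute `http` and `https` URLs; the sample inputs at the bottom are constructed.

```python
import re

# Added example, not from the linked review or from Gruber's pattern.
# re.VERBOSE lets whitespace and '#' comments document each piece.
URL_RE = re.compile(
    r"""
    ^
    (?P<scheme>https?) ://                   # web schemes only
    (?P<host>
        (?: [a-z0-9] (?:[a-z0-9-]{0,61}[a-z0-9])? \. )+   # one or more DNS labels, 1-63 chars each
        [a-z]{2,63}                                      # top-level label: letters only, no fixed list
      | \d{1,3}(?:\.\d{1,3}){3}                           # or a dotted-quad IPv4 literal
    )
    (?: : (?P<port>\d{1,5}) )?               # optional port, range checked in code
    (?: /[^\s?#]* )?                         # optional path, no whitespace
    (?: \? [^\s#]* )?                        # optional query
    (?: \# \S* )?                            # optional fragment ('#' must be escaped in verbose mode)
    $
    """,
    re.VERBOSE | re.IGNORECASE,
)


def is_valid_url(candidate: str) -> bool:
    """True if the whole string is an absolute http(s) URL with a plausible host."""
    match = URL_RE.match(candidate)
    if not match:
        return False
    port = match.group("port")
    if port is not None and not 0 < int(port) <= 65535:
        return False
    return True


def validate_many(candidates):
    """Map each candidate string to its validation result."""
    return {c: is_valid_url(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        "https://example.com/path?q=1#frag",
        "http://sub.example.co.uk:8080/",
        "http://192.168.0.1/",
        "ftp://example.com",          # wrong scheme
        "http://example",             # no dot, no top-level label
        "http://exa mple.com",        # whitespace in host
        "http://example.com:70000/",  # port out of range
    ]
    for url, ok in validate_many(samples).items():
        print(f"{'valid  ' if ok else 'invalid'}  {url}")
```

Because this is a validator rather than a matcher, it is anchored with `^` and `$`; to find URLs inside prose you would drop the anchors and tighten the trailing character classes, which is exactly the trade-off the review leaves out.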
Drew McLellan wonders Why is Progressive Enhancement so unpopular?:
Simon St. Laurent touched on this as well in Web Application Development is Different (and Better):
Let’s extend the Web and help it do more – but let’s do that by valuing the many strengths it already brings.
Intentional or not, the last few years have brought us a strong push to ignore the idea of progressive enhancement. In many cases that has been to our detriment.
Marco Arment on forcing a link to open in a new tab or window (emphasis is mine):
Most people know how to open your article’s outbound links in new tabs or windows, especially readers of a tech site. Modern browsers make multiple-tab/window management very easy for almost everyone who wants them, and the people who don’t know how to manage them usually don’t want them.
Up until last year I would have agreed with him.
What changed was watching a friend browsing the web and noticing that they never opened links in new tabs, even though it would have made things easier. I asked if they were familiar with using the middle click on a mouse to open the link in a new tab ( this was Firefox on a Windows system ). I wasn’t surprised when I got a no back.
I took a few minutes to walk them through middle clicking to open links in a new tab and general tab management. They were thrilled with this new piece of information, declaring how much this had changed ( for the better ) their web browsing experience.
This is only one data point, but it reminded me to be very careful about my assumptions of what people know, especially for things that I take for granted. The little voice in your head that says “everyone knows that” can easily be wrong.
It simply isn’t true that every single Internet user has already made up their own personal policy on forcing links to open in a new tab or window. In some cases they didn’t even realize they had that feature in the first place.
For web sites with a mostly technical audience I think Marco is right, those are visitors who likely already know what they want and don’t want. But believe it or not there are still people who use computers and browsers to do things that don’t involve reading about computers and browsers.
System Preferences → Keyboard → Text → “Use smart quotes and dashes”
There are times when smart quotes just get in the way.
Tip from Fred Cheng.
There is no predictable connection between the effort and thought you put into something and the response it receives, and every experienced blogger has a story of something they spent a few minutes on and tossed out casually going viral, a one-hit wonder that makes your stats in future months and years puny in comparison.
This has happened to me a few times, and it always seems strange. The prolonged impact of distorted stats makes it even worse.
The suggested fix? Write for just two people:
… when I get caught up in the randomness of what becomes popular or generates commentary and what doesn’t, it invariably leads me to write less. So blog just for two people.
Scott Berkun left a comment on Matt’s post that put the situation this way:
Is it better to be popular or good?
After giving it some thought I don’t like this question as much as I had hoped. There are some things and people that are popular that I would still consider good.
I’d adjust the question by adding just one more word: Is your intent to be popular or good?
Hopefully the best of us at least start out wanting more to be good than popular.
This site has my name all over it, hopefully it is clear that the things here start as something for me. If they are helpful or enjoyable to anyone else, then that is a bonus. A wonderful bonus of course :-)
TechCrunch ran a Best iOS And Android Apps Of 2013 article this week. I thought the platform break down was interesting:
- iOS only: 9 ( Seene, QuizUp, Cycloramic, BillGuard, Oyster, HeyDay, TimeHop, Clumsy Ninja, Sunrise )
- iOS & Android: 5 ( Newsblur, Tinder, Digg, Duolingo, Vine )
- Android only: 2 ( Cover, Agent )
It looks like we are still in a holding pattern for the long-predicted “Android first” tidal wave. Instead, the Android-only apps tend to focus on things that aren’t allowed on the iOS platform. Everyone else either targets only iOS, or iOS and Android together.
I don’t see anything in the short term that is likely to significantly change that pattern.
This is only one best of list, for one year, so my sample size is rather small ( to put it mildly ). Take this with a sufficiently large grain of salt.
I’m asking for my age in dollars from everyone I know. Every penny of the money raised will directly fund clean water projects in developing countries. Even better, charity: water will show us exactly which projects we funded once they’ve been fully completed (which takes about 18 months). That means we’ll know the locations and names of the communities we helped.
You can donate at http://my.charitywater.org/matt-30.
For 2013 I talked about shaping your neighborhood:
At a high level we make an effort to shape the type of neighborhood we live in. It isn’t always easy (and sometimes takes a fair bit of work), but it has always been worth it. In the coming year we are going to try and do more along the same lines, which seems to mostly involve sharing food with people who live around us.
We brought food to new neighbors, shared treats during the holidays, and shoveled a fair bit of snow.
In 2014 I want to expand the radius a bit. Let’s expand beyond our neighborhood and start getting more familiar with our city governments. For me that is Sandy, Utah.
In many cases you can do basic research about your city online. Sometimes really interesting items can be found. For example, the mayor of Sandy, Utah is the highest paid mayor in the state of Utah, despite only being the sixth largest city in the state. At $160,329 for 2013 it is more than the governor of Utah made ( $151,294 ).
Now for some specific goals. For 2014 I am going to attend at least four city council meetings. Sandy has city council meetings Tuesday at 7pm most weeks ( some of them get canceled for holidays or other events ). I will also read the city budget, which is more than 250 pages ( PDF ). After doing those two things I’ll follow whatever interesting items come up.
Go watch your local government. Find out when your city council meets and attend a few meetings. Find a copy of your city budget and start looking at where the money is going. If you find something interesting, follow up on it, ask questions until you get answers.
I am in the process of trying out a new host for this site. If you are reading this then the DNS update has made it to your neck of the Internet.
Great read from Brian Krebs on some of the black market activity around credit cards stolen from Target:
Like other card shops, this store allows customers to search for available cards using a number of qualifications, including BIN; dozens of card types (MasterCard, Visa, et al.); expiration date; track type; country; and the name of the financial institution that issued the card.
After reading the article the first question I had was do these stores re-sell the stolen card details. I wasn’t the only one wondering that. In the comments Brian Krebs addressed this question:
This shop in particular is highly rated, and one of the biggest no-nos you can commit in this business is selling the same card more than once. These guys are pros, and they have access to more dumps than they know what to do with. There is no reason for them to try to cheat people, as doing so would very quickly ruin their cred in the underground.
As I state in the story, customers can check cards to see if they’re still active, and will get money back/refund if a card is already canceled. The surest way to have all of your customers complaining about all or most of their purchased cards coming back as canceled is to try and sell the same card to multiple buyers.
It seems that even in the black market you can’t always escape the demands of good customer service.
Everything that I’ve read so far about the Oregon state health exchange web site has been bad news. Oregonlive.com has a lengthy article spelling out the mismanagement details.
Don’t worry though, the state of Oregon has done a good job taking care of Oracle:
Nevertheless, Oregon has been good for Oracle. Between the OHA and Cover Oregon, the state has paid Oracle more than $90 million over the last two years and could pay the company another $30 million or more. Overall, the project has cost more than $160 million so far.
For the $90 million that Oracle has received over the last two years it has provided an unusable web site.
What to do now that the deadlines have hit and there is no way to provide online enrollment? Go back to the old methods of course:
Cover Oregon leaders, meanwhile, have swung their attention away from the website to processing paper applications by hand, hiring more than 400 reinforcements.
Oracle is a huge company: in its last fiscal year ( ending 31 May 2013 ) it had a net income of $10.9 billion on $37.1 billion in revenue, making the $90 million that Oregon has paid it a small drop in a very large bucket. That doesn’t excuse the failure to deliver though.
At this point Oracle should stop making this about money and Larry Ellison should step up and make it about pride and honor. Do whatever it takes to make things right for the state of Oregon, and do it without taking another dime.
Ilya Grigorik on optimizing NGINX TLS time to first byte (TTTFB):
let’s now turn to the practical matter of picking and tuning the server to deliver the best results. One would hope that the default “out of the box” experience for most servers would do a good job… unfortunately, that is not the case. Let’s take a closer look at nginx
In the simplest terms, TLS involves more work. The current realities of securing communications mean we don’t have a good way to avoid doing that additional work; indeed we will be doing it more often than we ever have before. The end result is that we need to spend more time thinking about how to optimize the HTTPS experience for all users.
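As an added illustration of what “tuning the server” looks like in practice, here is a minimal nginx server block of my own, not taken from Grigorik’s article or from this site’s configuration. The certificate paths and host name are placeholders; the directives themselves (`ssl_buffer_size`, `ssl_session_cache`, `ssl_session_timeout`) are real nginx directives.

```nginx
# Added example, not from Ilya Grigorik's article or this blog.
server {
    listen 443 ssl;
    server_name example.com;                               # placeholder host name

    ssl_certificate     /etc/nginx/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/certs/example.com.key;  # placeholder path

    # Smaller TLS records (the default is 16k) let the browser begin
    # decrypting and parsing after fewer packets, which trims time to
    # first byte on a cold connection. Requires nginx 1.5.9 or later.
    ssl_buffer_size 4k;

    # Session resumption lets returning clients skip the full handshake,
    # which removes a round trip from every reconnect.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
```

The trade-off to keep in mind is that a smaller record size adds per-record framing overhead for large transfers, so the right value depends on whether a given server mostly serves small pages or large downloads; measure TTFB before and after rather than assuming.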