Archive for the ‘Technology’ Category

Demoing Bittablog at #democampyeg

So tonight, for the first time in about 4 years, I did public speaking. Back in college there was a fair amount of public speaking and presentation giving to do, and I enjoyed it then. I always come away from doing public speaking feeling like I’ve done a good job, and I hope that perception is accurate. I find myself able to get my thoughts across more clearly in presentation form (even though I always wing it) than I often can in just direct discussion.

What I presented was, of course, bittablog, which has been my pet project for the last little while. I knew from experience that last minute additions to a presentation are a bad idea, so the feature where you can post a bitta directly from your twitter account didn’t make the cut as something I could present, but the bonus of cutting it out was that nothing in my presentation failed. And I think that’s pretty important.

I won’t get too much into what bittablog is here, because I already covered it in my first post on this blog, and the front page manages to do it concisely in 140-character bitts. Suffice to say that I really enjoyed presenting bittablog tonight, and I think a lot of the audience got a kick out of it too.

One interesting thing that I experienced, which was reminiscent of RailsConf last year, was the way in which people were twittering as I presented. After I was done, I pulled out my iPhone to read what people were tweeting as I was talking. I have to say, it was really gratifying to come back and see the really nice things people said about it while I was up there talking.

At RailsConf I got to see this from the audience side through IRC (there was also twittering, but I was unconverted at the time), and one thing that I said I wanted to do then at some presentation was have a cohort twittering/ircing at the same time, answering people’s questions and talking back.

One difference though was that there was no silent heckling going on, and I think that’s good. A lot of the RailsConf presentations had some really vicious talkback going on on IRC. Some deserved, some not, and it was actually kind of intoxicating and hard to resist falling into the same trap. None of that at #democampyeg, which is great. This is a very supportive community, and I hope it stays that way.

OpenSocial

Google just announced something called OpenSocial, which is a facebook apps-like mechanism running on an open platform of essentially embedded JS and HTML. At least, that’s the gist I’m getting.

But where’s the security? Letting untrusted apps run JS on my social network site (and that’s not just a hypothetical: 1 million actual users, more like 3 million the way facebook and myspace count them) means giving them access to cookies (we do HttpOnly, but that doesn’t cover all browsers by any means) and the ability to do a lot of really nasty things to our users.
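The cookie exposure above is something you can at least check for on the server side. This is an added example, not code from the original post or from OpenSocial: it parses Set-Cookie headers and flags session cookies that lack HttpOnly (readable via document.cookie by any script in the page) or Secure. The header lines and the session cookie names are constructed for the example.

```javascript
// Added example (not from the original post): audit Set-Cookie headers for the
// attributes that limit what embedded third-party script can do with them.
// A cookie without HttpOnly is readable through document.cookie by any script
// running in the page, which is the exposure the post is worried about.

// Parse one Set-Cookie header value into name, value and the flags we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = { name: name.trim(), value: valueParts.join('='), httpOnly: false, secure: false };
  for (const attr of parts.slice(1)) {
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Return one finding per missing flag on each cookie listed in sessionNames.
// Non-session cookies (preferences, themes) are left alone on purpose.
function auditCookies(headers, sessionNames) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    if (!sessionNames.includes(c.name)) continue;
    if (!c.httpOnly) findings.push(`${c.name}: session cookie readable by page script (missing HttpOnly)`);
    if (!c.secure) findings.push(`${c.name}: session cookie sent over plain HTTP (missing Secure)`);
  }
  return findings;
}

// Constructed sample response headers and session cookie names, not from any real site.
const SAMPLE_HEADERS = [
  'sid=abc123; Path=/; HttpOnly; Secure',
  'remember_me=xyz; Path=/; Expires=Wed, 01 Jan 2020 00:00:00 GMT',
  'theme=dark; Path=/',
];
const SESSION_COOKIES = ['sid', 'remember_me'];

console.log(auditCookies(SAMPLE_HEADERS, SESSION_COOKIES));
```

HttpOnly only keeps the cookie out of document.cookie in browsers that honour the flag; script already running in the page can still make requests that carry the cookie, so the flag narrows the damage rather than removing it.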

Seems to me facebook didn’t do a closed platform so much for lock-in as for a desire to avoid security issues just like this. The hoops you have to go through to get any serious information on a facebook app, including several levels of user confirmation, are a serious hindrance to overt abusive use.

Either google has failed to make this useful to me, or they have failed to market it to me. Both of these possibilities seem very surprising.

Stupid Banks Stupid About Stupid Security Questions

So my bank has recently decided to start DEMANDING security question/answer pairs for their web page login system. In order to log in, you MUST answer one of your security questions in addition to your password.

They give you 5 sets of questions to choose from and a freeform field to put the answer into. Am I the only one who sees the gaping stupidity of this? If they could allow you your own questions, maybe that’d be ok. But all their questions are either easily discoverable (stuff like maiden names, high school mascots, pets, best friend names, etc. In fact, the very things that all these years password security policy has advised you to KEEP OUT OF YOUR PASSWORD, and for very good reason), change really often (favorite magazine, favorite chocolate bar, favorite restaurant), or are very gender selective (favorite fashion designer — and a big wtf to that one in general too).

If someone can take the time to find out your actual password, they can take the time to find these things out. There are only 5 questions, so at a minimum it’ll take 5 random attempts at login from different computers over a couple of months to find out what they are and do some research without setting off alarm bells with the bank.

When are companies going to realize that security questions are a serious regression in security?

Random nerdy fact of the day

qmail has a limit of 900 characters on email addresses it’ll relay.