Archive for the 'websites' Category

Lessons from the Palin Email Hack: How to Provide More Secure Password Recovery than Yahoo

The only really shocking things to come out of the hacking of Sarah Palin’s Yahoo-based email account are the revelations that:

  1. The Governor of Alaska uses the free Yahoo email service for work-related emails; and that
  2. Yahoo uses really bad security practices for its password recovery system.

Indeed, it’s the latter point that makes the former all the worse.

If the so-called hacker who accessed Palin’s emails is to be believed, Yahoo allowed the intruder to reset the password on Palin’s account simply by answering some security questions.  And sure enough, that’s exactly how Yahoo’s password recovery system works: You answer some simple questions like “Where did you meet your spouse?” and Yahoo checks to make sure your responses match up with the answers you provided when you first created your account.  In other words, these questions serve as a secondary, “backup password.”

Password recovery security questions for Yahoo Mail

The problem with security questions like these is that they’re all too easy for almost anyone to answer.  This is especially true if you have information about your life published on the Web (as Palin found out) — or, more likely, if you publish that information yourself on blogs, social networks, profile pages, and so on.

So what should Yahoo have done instead?  Or, more importantly, if you’re developing a Web site that needs a password recovery feature, what should you do?
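One answer, as an added example that is not Yahoo's code or the post's own: treat recovery as a second credential that is random rather than guessable. It assumes the site has a verified contact address on file and mails a single-use, time-limited token whose hash alone is stored; all names are hypothetical.

```python
"""Token-based password recovery (added example; not Yahoo's code).

Instead of a guessable "backup password" (the answer to a security
question), the site mails a random, single-use, time-limited token to the
address on file and stores only a hash of it. All names are hypothetical.
"""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: reset links expire after 15 minutes

# Constructed in-memory store: email -> (sha256 hex of token, expiry timestamp)
_pending_resets = {}


def _hash_token(token: str) -> str:
    # Store a hash so a database leak does not expose live reset tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(email: str, now=None) -> str:
    """Create a reset token for `email` and return it (to be sent by mail).

    A real site returns the same response whether or not the address
    exists, so the form cannot be used to enumerate accounts.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _pending_resets[email] = (_hash_token(token), now + TOKEN_TTL_SECONDS)
    return token


def complete_reset(email: str, token: str, now=None) -> bool:
    """Return True once if `token` is valid for `email`.

    The pending entry is consumed on the first attempt, valid or not, so a
    single reset request allows exactly one guess.
    """
    now = time.time() if now is None else now
    entry = _pending_resets.pop(email, None)
    if entry is None:
        return False
    token_hash, expires_at = entry
    if now > expires_at:
        return False
    # Constant-time compare so timing does not reveal how much of the hash matched.
    return secrets.compare_digest(token_hash, _hash_token(token))
```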


Drupal for Firebug: The Smarter Way to Debug Drupal

At last night’s San Francisco Drupal Users’ Group meeting, Matt Cheney of Chapter Three gave a demonstration of Drupal for Firebug — a combo Firefox extension and Drupal module that lets you send Drupal debugging and status messages to Firebug.

“A smarter var_dump()” is one way to think of it.  But it also does several other handy things: it lets you see how and where forms are altered by various modules, gives you access to the user object for inspection, and lets you execute PHP from Firefox.

Definitely something to check out if you’re developing modules or themes for Drupal.

Facebook CSS Problems are Messing Up Apps

Some Facebook apps are currently messed up due to what looks like Facebook not parsing app stylesheets and missing its own master stylesheets.  It’s unclear how many people and how many apps this affects, but it’s a major screwup.

Clearly, managing a site that serves tens of millions of people on a regular basis is no easy task.  But it’s not the first mistake that has made the site or the apps inaccessible.

If Facebook wants its ecosystem of third-party apps to thrive — and expects developers to build businesses on the Facebook app platform — it has to start treating the platform like a true business-level service.  And that means getting a grasp on Facebook’s QA and deployment processes so that bugs like these don’t keep knocking apps offline.

Facebook App With Missing CSS

Four Web Accessibility Myths Busted

I was going through some articles I had written a while back and came across this one on Web accessibility.  Though I wrote it in 2006 while I was at TechSoup, it’s surprising to see these myths persist.  In particular, myths #1 through #3 pop up over and over again on projects I work on.  And though #4 (JavaScript use) isn’t much of a problem for “Web 2.0” sites, it’s shocking that JavaScript is still off limits in many enterprise and institutional situations.


Do You Always Need to Change the Color of Visited Links?

Do the links on your Web site need to be colored differently depending on whether a visitor has already clicked on them?  If you read a lot of Jakob Nielsen, you’re probably tempted to say yes. Indeed, in Nielsen’s 2007 update to Top Ten Mistakes in Web Design, “not changing the color of visited links” is sin number three.

But the problem with one-size-fits-all usability guidelines like these is that they tend to overlook the fact that not all Web sites are created equal — or, in this case, that not all hyperlinks are equal.


more downtime: this time drupal.org’s database can’t take any more connections

Seems like I’m running into problems on the Web everywhere I go. Over the weekend it was an Amazon S3 failure that took down several sites. Yesterday it was Facebook’s redirection loop that made the site inaccessible for roughly an hour. Today it’s the Drupal Web site, which seems to be experiencing a problem with an overloaded MySQL database. I hope the good folks behind Drupal.org can fix the problem soon — this doesn’t help the organization defend claims that Drupal is resource-intensive and hard to scale.

As for the error message itself, it’s particularly troubling that it tells you:

  • the type of database
  • the name of the database user
  • the hostname for the database server

Granted, you probably could have guessed that Drupal.org was running on a MySQL database, but now everyone has three of the four pieces of information you need to access the database and a hacker can focus on guessing the last piece: the password.

There are two things that can be learned here. First, your Web application error messages shouldn’t reveal any details to anonymous users about the underlying system. All your site visitors need to know in a case like this is that there was an internal error that makes the site inaccessible for the time being. Second, limiting your database connections to specific IP addresses can add an extra layer of security even if the other info gets out (which Drupal.org may well have done).
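The first lesson in code, as an added example that is not Drupal’s or drupal.org’s: the full connection error goes to the server log under a correlation id, visitors get only a generic message, and a checker confirms none of the three details listed above made it into the public text. The error string, user name and host name are constructed placeholders, not values from drupal.org.

```python
"""Keep database details out of user-facing errors (added example; not Drupal's code).

The connection failure is logged in full for operators, while anonymous
visitors get a generic message. `check_no_leak` verifies that the public
text contains none of the details the post lists. All names are hypothetical.
"""
import logging
import re

log = logging.getLogger("app.db")

# Constructed: the shape of a typical MySQL connection failure. The host and
# user are placeholders, not values from drupal.org.
RAW_DB_ERROR = ("Unable to connect to MySQL server 'db01.example.internal' "
                "as user 'drupal_ro': Too many connections")

PUBLIC_MESSAGE = "Sorry, an internal error occurred. Please try again later."


def public_error_message(raw_error: str, request_id: str) -> str:
    """Log the real cause with a correlation id; return only the generic text."""
    log.error("request %s: database error: %s", request_id, raw_error)
    return f"{PUBLIC_MESSAGE} (reference: {request_id})"


def check_no_leak(public_text: str, raw_error: str) -> list:
    """Return the sensitive fragments of `raw_error` that appear in `public_text`.

    Looks for the database engine name, quoted user/host names, and anything
    shaped like a hostname; an empty list means nothing leaked.
    """
    sensitive = []
    sensitive += re.findall(r"\b(?:MySQL|PostgreSQL|PDO|mysqli)\b", raw_error, re.I)
    sensitive += re.findall(r"'([^']+)'", raw_error)
    sensitive += re.findall(r"\b[\w-]+(?:\.[\w-]+){2,}\b", raw_error)
    return sorted({s for s in sensitive if s in public_text})
```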

facebook redirect loop for users who tried new profile early?

I’m trying to log into Facebook and am getting the following error message. It seems Facebook is trying to redirect me to new.facebook.com, which is where they were automatically sending people who had opted in to get a preview of the new facebook profile. But they must have flipped the switch to have new.facebook.com redirect to facebook.com… and well, now you’ve got yourself an infinite loop. Oops.

how clicky beats google analytics

Clicky is a Web site analytics service, similar to Google Analytics. In essence, both let you measure traffic to your own Web sites. Given that Google Analytics is free while Clicky charges up to $10 a month, and that Google Analytics is run by, well, Google, you’d think that there’d be no contest: Everyone should be using Google Analytics, right?

Not so fast. I’ve been putting both services through their paces over the past few weeks and it’s clear that, in many cases, Clicky is far better. In fact, I must admit that I’ve become addicted to Clicky.

How does an upstart fee-driven service beat a “give it away for free” giant like Google, you ask? Here’s how: First, Clicky provides a much more usable interface for accessing your analytics. That’s a surprise, given that Google is known for its usually sparse and simple interfaces. Yet, somehow Google managed to completely clutter Google Analytics. Finding meaningful reports means navigating your way through all the nested sidebar links, and the graph at the top of each page is often redundant. And if you’re not using Google’s AdSense for advertising, parts of the interface are simply useless and get in the way.

Clicky, on the other hand, has a very clean dashboard and simple tab-based navigation that lets you quickly access important stats about your sites’ visitors and what actions they took as a result of your content. A “Spy” feature lets you drill down on actions taken by a single IP address (though the feature could possibly use a less creepy name). And unlike Google Analytics, Clicky automatically tracks user downloads and clicks on outgoing links.

But what makes Clicky so addictive is that it offers real time analytics, as opposed to Google’s 24-hour delay. So you can pull up Clicky at any time and see how many people have already visited your site that day, roughly how many are on your site at that given moment, and how they’re reacting to content you published that morning. Try it, and you’ll likely find yourself checking Clicky several times a day. No more waiting around for Google or your logfile parser to crunch numbers and produce a final report.

To be fair, Google Analytics does have some features Clicky doesn’t — in particular, “goals”, which is the ability to track traffic through a particular “funnel”, or set of pages. (A note on Clicky’s site says those are in the works.) Likewise, Google Analytics’s integration with AdSense makes it a popular choice for people using AdSense. And finally, Clicky currently does not offer tracking for sites with more than 100,000 pageviews per day. (We imagine that will change as the company grows.) But if you don’t need those things at the moment and are looking for a simple, intuitive way to track and analyze your site’s traffic, Clicky is by far the better choice.

introducing kinverge

So what have I been doing with my time now that I’m a fancy-pants “Independent Technology Consultant”? In addition to working for some great startups and nonprofits — and, oh right, that whole procreating thing (which I did in my off hours, I promise) — I’ve teamed up with two sharp partners to build Kinverge, a free family intranet service.

In a nutshell, our goal with Kinverge is to make it super easy to set up a private Web site where your family can share and store family photo albums; set up birthday, anniversary, and other event reminders; post announcements and group messages; create gift lists; …and you get the picture. We built it with the philosophy that photo sharing and blogging and other technologies don’t have to be complicated and just for the tech-savvy. We think using a private family Web site can be easy enough to allow everyone in the family to participate.

We’re still refining the site and adding new features, but if it sounds like something your family might be interested in or you’re just curious, definitely head on over and get yourself set up. It takes all of a minute — and did I mention it’s free? Plus, it’d make me very happy.

(And if you perhaps felt compelled to tell others about it, or post about it on your own blog, I’ll tell everyone you’re the greatest.)

[Cross posted on my personal blog at amit.asaravala.com.]

something not quite right at buy.com

I don’t remember when, but at some point I must have signed up to receive emails from Buy.com. The messages show up a couple times a week and are full of offers for all sorts of tech stuff — hard drives, SD cards, wireless base stations, printers, and the like. But the message I got the other day is, well, a little odd. Here are the top offers:

  • Sonic Impact HF1 High Fidelity Earphones
  • Gateway M-6308 Notebook
  • Kingston 2GB DataTraveler USB 2.0 Flash Drive
  • Sonic Impact i-P23 Portable Speakers
  • Logitech Cordless Desktop S510
  • Trojan Elexa Ultra Sensitive Lubricated Latex Condoms – 24 Pack

[Cross posted on my personal blog at amit.asaravala.com.]
