Who is the best foosball player in the company? This question has followed me through three of my last four employers, ever since I spun my first rod back in 2005.

I’m happy to say that I’ve been able to provide my coworkers with an answer to that eternal question, through FRank, the foosball ranking site I first developed nearly ten years ago. If you’re interested in ancient history and FRank’s inception, you can read more about it in this blog post from 2007.

A year after I wrote that post I left Optaros, and my foosball ranking site languished, nearly forgotten. After wasting a couple years at a sad little company that didn’t even have a foosball table, last December I found myself interviewing at Buildium, whose kitchen included not one but *two* tables! During the interview process, I made sure they knew that hiring me meant access to my foosball ranking site, too!

Naturally, after years of neglect, I wanted to clean things up a bit (and size up the foosball culture) before I opened the app up for public use. So over the past few weeks I put a few hours into a bit of a refresh. And I’m pretty happy with the result.

Here are some of my favorite new features:

Foosball table

First, I rewrote everything using Google’s Angular JavaScript framework. For non-techies that probably doesn’t mean much, but it’s cool new technology that I really need to learn anyway. And it allows me to easily do some cool things like providing predictions of the score of any given combination of players.

I also made it a single-page app, which means everything happens on one page, kinda like Google Docs, without any page refreshes because all that data comes from behind-the-scenes API calls. It feels more like a native application and less like a website.

Next, I redesigned it to have a mobile-friendly user interface, so that it would be simple and easy to use, whether you were on a desktop, laptop, tablet, or smartphone. It even has its own little icon so that its bookmark looks just like any other app on your phone.

I even added the Web Speech API, which allows anyone using Google Chrome to enter a set of players by saying aloud something like “Jordan and Matt versus Dave Owens and Ben”, rather than having to manually navigate four cumbersome drop-down lists.

In the first two weeks of public availability, the adoption rate among players here has been great. This week I added a user-suggested feature: when someone logs a game, a message is automatically broadcast in our company’s foosball chat room (from “FRank Foosbot”), summarizing the result for all to see.

Needless to say, I’m pretty happy with how I was able to bring it up to date with how the web has evolved. It’s been a fun coding exercise, while contributing something unique to the company culture.

The biggest irony, however, was when Buildium hired my old friend Dave. I worked with him at both Sapient as well as Business Innovation, where he wrote (and then lost the source code for) his original Microsoft .Net foosball application that inspired me to create FRank. And years later, we’re working together again, and I get to show him what his old foosball ranking system has evolved into.

In honor of my recent job hunt, I thought I might relate my worst interviewing experience as a job candidate. It’s not that entertaining a story, but it was definitely painful to go through.

It was around 2005 when I applied for a job at Macromedia’s office out in Newton. As it happened, this was just before the company was swallowed by Adobe.

The job was really cool (for that time): lead designer for a new product that would revolutionize the web by giving developers the ability to programmatically create and script dynamic forms and interfaces. The web had begun to evolve beyond static pages, toward more dynamic behavior and interactivity, and the question was whether that would be based on dynamic HTML or something like Macromedia’s successful Flash animation suite.

Naturally, Macromedia wanted to push Flash, but its authoring interface had been designed specifically for the workflow of an animator; they needed to create a new tool that would allow engineers to write programs that could build forms and dynamic pages on the fly. And that’s where this new product—called Flex—would come in. And they were hiring for the lead designer on an ambitious second version after a promising but not very useful proof of concept.

So I showed up at the Macromedia office at about 8:40am. Due to my own conservatism, I was about 20 minutes early for the scheduled 9am interview. Unfortunately, the office was still dark and locked up; no one had arrived yet. No biggie, I’ll wait.

And wait.

And wait.

The first person to show up—a secretary—didn’t come in until 10am, an hour after my presumed interview. She spent some time trying to track down the manager I was supposed to see, and eventually told me that he was “running late”. How helpful! At least she let me into the office to wait.

And wait.

When he finally arrived around 11, he told me that he had a meeting to run to, and asked if I would mind interviewing with two programmers on the team. It was immediately clear that neither of the developers had any idea what the position was about, nor did they have any questions to ask. We managed to kill an hour, achieving absolutely nothing. With the manager still unable to meet with me, they sent me home with apologies.

Despite the fact that the hiring manager had scheduled my 9am interview time, after over four hours on site I went home, having gotten less than 30 seconds of his time.

Needless to say, that made an indelible impression on me! Definitely not the best way to show a candidate that they’d be a valued member of the team.

One browser feature I make frequent use of is the auto-complete in the URL field. I can almost always get to the URL I want within one or two keystrokes and one or two down-arrows. Usually it’s a nice combination of sites I’ve visited recently and sites I visit most often.

This got me thinking about what URLs would come up as the first result for a one-character search starting with each letter of the alphabet. That is, go to your URL bar and type ‘A’ and see what comes up, then ‘B’, etc.

Thus another new meme is born, courtesy of YT.

Here’s what came up for me this evening:

  1. Internet Archive
  2. Bank of America
  3. Google Calendar
  4. Dana-Farber Cancer Institute
  5. Livejournal Export
  6. Monster Master
  7. Garmin Connect
  8. Hulu Queue
  9. Cambridge Insight Meditation Center
  10. jQuery
  11. Kongregate
  12. LogMeIn
  13. Google Maps
  14. New England Cable News
  15. OrnothLand
  16. Pan-Mass Challenge
  17. Karma of Questions
  18. Google Reader
  19. Sapient
  20. Google Translate
  21. UPS Tracking Info
  22. Vendome Condominiums
  23. WCVB
  24. Monster Master
  25. My YouTube Videos
  26. Zipcar Jobs

A world-changing piece of software was released recently, and you need to know about it. It’s called Firesheep, and it makes stealing your login information for the web sites you visit as easy as: point, click, done. I strongly urge you to Google it and educate yourself about it.

It shouldn’t surprise anyone that your login credentials have never been secure. After all, email, the world wide web, and the underlying packet switching protocols: none of them were designed to carry encrypted communications. And it’s not in the interest of commercial web sites to spend more time and effort than the absolute minimum necessary to convince you that their sites are “secure”.

Still, up till now you’ve been able to reassure yourself with the belief that only people with very specialized knowledge and tools had the ability to hijack your web sessions.

Firesheep has changed that forever by putting those techniques behind a point-and-click interface that anyone from a four year old child to an eighty year old grandmother could operate.

All someone needs to do is (1) download the Firefox plugin, (2) connect to a public network, and (3) when presented with a list of other users’ sessions on that network, click the one they want to log in as. With no more skill or effort than that, they’ve got instant access to your account on Amazon, Twitter, Facebook, Gmail, Yahoo, Foursquare, Wordpress, and so forth. The rest, as we say, is YFN.

This is doubly bad news for anyone with a smartphone, because most of those devices automatically and indiscriminately connect to public WiFi networks, then send your login credentials to any sites you regularly monitor, without your knowledge or involvement.

There are solutions to this problem, and the people who create and maintain web sites have known about them for years, but balked at putting the extra security measures into practice. Firesheep was actually intended to bring this vulnerability to everyone’s attention, so that the problem might finally be addressed. How quickly do you think that’ll happen?

So here we are. After decades of playing fast and loose on the web, keeping your head in the sand about the risks, it’s finally time to get serious about securing the information you send over the public channel.

If you’re like most people, you probably don’t even take your username and password seriously. How often do you change it? How hard would it be for a human to guess? How long would it take a password guessing computer to crack? Do you use the same username and password for several sites?

The username/password security that we’ve gotten used to is largely just a placebo. It wrongly makes people think they’ve taken an effective security measure. But if your network traffic isn’t encrypted, Firesheep makes it easy for everyone else on the network to hijack your login.

Ideally, all public web sites would immediately transition to sending all web traffic via SSL. But deployment will certainly be extremely slow and spotty.
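What Firesheep actually captures is the session cookie a site hands back after login, replayed in the clear on every HTTP request. Moving to SSL only helps if the cookie is also marked so the browser never sends it over plain HTTP, so a site operator’s first check is an audit of the `Set-Cookie` headers the site emits. The following is an added example written for this post, not code from the post or from Firesheep; the header lines and cookie names are constructed, and the regex that decides which cookies “look like” session cookies is a heuristic I chose for the example.

```python
"""Audit Set-Cookie headers for login cookies that a passive sniffer on an
open network could capture. Added example; the sample headers are
constructed and the cookie names are hypothetical."""
import re
from dataclasses import dataclass, field

# Constructed sample of response headers as a site might send them.
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=9a8b7c6d; Path=/; HttpOnly",
    "Set-Cookie: auth_token=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Set-Cookie: theme=dark; Path=/",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
]

# Heuristic (assumption for this example): names that usually carry login state.
SESSION_NAME_HINT = re.compile(r"(sess|auth|token|login|sid)", re.IGNORECASE)


@dataclass
class CookieFinding:
    name: str
    missing: list = field(default_factory=list)  # attributes that are absent


def parse_set_cookie(line):
    """Return (cookie_name, {attribute_lower: value}) for one Set-Cookie line."""
    _, _, value = line.partition(":")
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs


def audit_headers(headers):
    """Flag session-like cookies lacking Secure/HttpOnly; report whether
    HSTS is set so the browser refuses plain-HTTP requests at all."""
    findings = []
    has_hsts = False
    for line in headers:
        hname, _, _ = line.partition(":")
        hname = hname.strip().lower()
        if hname == "strict-transport-security":
            has_hsts = True
            continue
        if hname != "set-cookie":
            continue
        name, attrs = parse_set_cookie(line)
        if not SESSION_NAME_HINT.search(name):
            continue  # a preference cookie; nothing to hijack
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(CookieFinding(name, missing))
    return findings, has_hsts


if __name__ == "__main__":
    found, hsts = audit_headers(SAMPLE_HEADERS)
    for f in found:
        print(f"{f.name}: missing {', '.join(f.missing)}")
    print("HSTS present:", hsts)
```

In the constructed sample, `sessionid` is flagged because it lacks `Secure`: even with the login page on SSL, a browser would still attach that cookie to any plain-HTTP request for the same host, which is exactly the traffic a sniffer on a public network sees. The HSTS check is the complementary half: without it, the first request a user types into the address bar still goes out over HTTP.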

So what are your options? The first is obviously to carefully regulate your use of public networks. Another is to use a tool like Blacksheep, which might alert you when someone on the network is running Firesheep.

You can also ensure that all your traffic is encrypted by setting up a virtual private network (VPN). The problem there is that you need a trusted host to serve as a gateway, and if you use someone like your workplace, you might discover that they block the sites you want to visit on your personal time, like Facebook and YouTube.

In the meantime, it also makes sense to review your password policy.

I’ll admit my own culpability there: up till now, I’ve only had two passwords. I had one password that never changed, that I used for dozens of sites I didn’t consider that important; and I had another that I changed annually for sites that needed an extra level of “security”, like brokerage and bank accounts.

Needless to say, I’ve decided to fix that. My first change is to start using purely random generated passwords, making use of the full gamut of permitted characters (e.g. mixed case letters and special characters). I’m also using as long a password as each site allows (many allow passwords to be 15, 20, 40 or more characters). These measures are all designed to make my passwords harder to break.

The second change I’m making is that I’m assigning a different password for every single site I use. That ensures that if someone does break one of my passwords, they can only use it for one site, containing any possible damage they can cause.

My third change: turn off all password caching in my web browsers, and remove the existing memorized passwords. This has always been a huge, gaping security hole, and one that should never be used in the first place.
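The first two changes above (purely random passwords over the full permitted character set, as long as each site allows, and a different one per site) are easy to get subtly wrong by hand, so here is an added example of generating them the way a password manager does internally. This is not code from the post or from KeePass; the per-site length limits and symbol sets are constructed for illustration.

```python
"""Generate one random password per site, at the site's maximum length,
from every character class the site permits. Added example; SITE_LIMITS
is a constructed illustration, not real site policy."""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"


def generate_password(length, symbols=SYMBOLS):
    """Return `length` characters drawn uniformly from lower/upper/digits/symbols,
    guaranteed to contain at least one of each class.

    Rejection sampling (retry until every class appears) keeps the result
    uniform over the allowed set; forcing one character per class into
    fixed positions would bias the distribution."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover every class")
    classes = [LOWER, UPPER, DIGITS, symbols]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


# Constructed: (maximum length, symbols the site accepts) per hypothetical site.
SITE_LIMITS = {
    "bank.example": (20, "!@#$%"),
    "shop.example": (40, SYMBOLS),
    "forum.example": (15, SYMBOLS),
}


def generate_vault(site_limits):
    """One distinct password per site, each filling the site's length limit."""
    return {
        site: generate_password(max_len, symbols)
        for site, (max_len, symbols) in site_limits.items()
    }


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password, for comparing sites' limits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for site, pw in generate_vault(SITE_LIMITS).items():
        max_len, symbols = SITE_LIMITS[site]
        bits = entropy_bits(max_len, len(LOWER + UPPER + DIGITS + symbols))
        print(f"{site}: {pw}  ({bits:.0f} bits)")
```

The `secrets` module is the right source here rather than `random`, which is seeded from a small state and is not meant for secrets. The entropy figure makes the “as long as the site allows” rule concrete: a 20-character password over a 67-character alphabet is about 121 bits, far beyond what any guessing program can enumerate, while the same alphabet at 8 characters is under 50.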

You might think those sound like a big pain in the ass. While it is some extra effort, it’s a lot better than handing a fifteen year old Russian hacker unlimited access to my bank accounts, yanno?

And actually, it’s not that much of an inconvenience if you use one of the many specialized password database managers that are out there. I started using KeePass, which—now that I’ve got it set up—seems like a no-brainer. Look into it.

For years, you’ve gotten away with not putting any serious thought or effort into your internet security. Like the companies that run the world’s major web sites, you did the bare minimum, and, like an ostrich, buried your head in the sand.

That was then, but this is now. Armed with weapons like Firesheep, there are lots of ostrich hunters out there now. People who continue to keep their heads in the sand will soon be meat on the table.

Don’t be one of them. Start taking care of your shit.
