Why you Should not Give Out Your Facebook Password

Recent news stories from the Associated Press and Wired report that some employers are asking interviewees to give up their Facebook passwords so that they can check for objectionable content. Plenty of people are outraged about the obvious privacy violation, but allowing a potential employer to view your account is only the beginning of what someone can do with your Facebook password.

Anyone who has your Facebook password can read not only your private information but also the private information your friends share only with friends. I have at least one Facebook friend who has had problems with an anonymous stalker. While it is unlikely that the person interviewing you for a job is the stalker, how well do you really know them after a 30-minute interview? You have no way of knowing whether the interviewer is going to write your username and password on a Post-It note and stick it on the office whiteboard for everyone to see.

I may be comfortable giving up the information on my own Facebook page, but it is a violation of my friends’ trust to give a stranger access to their information without at least giving them the opportunity to prevent it.

Beyond just reading people’s private information, an interviewer who gets your password can do all the bad things that a criminal can do after cracking your account.  For example, they can:

  • Post anything they want to your Facebook wall or the walls of any of your friends,
  • Send private messages to your Facebook friends on your behalf,
  • Log in to other sites that allow authentication with Facebook credentials,
  • Create new accounts on your behalf at sites that use Facebook authentication, and
  • Install Facebook applications in your account (which may further compromise your privacy, even if you change your password).

In most cases, unapproved postings will just lead to embarrassment. On professional sites like LinkedIn and Stack Overflow, inappropriate material could hurt your reputation in the online community enough to prevent you from getting a job elsewhere. In an extreme case, they might post child pornography in an attempt to get you arrested. You could probably prove that the post did not come from your computer, but you might still have to defend yourself against civil or criminal charges.

There is a good reason that security principles say you should never tell anyone your password — as soon as you tell someone your password, you lose control of the account. Demanding that interviewees give their passwords to interviewers conditions employees to give up their passwords whenever anyone with apparent authority asks. This kind of practice usually ends up with an employee sending a password by email to an attacker who demanded it.

If you are asked to surrender a password in an interview and you do not feel you can refuse outright because you need the job, you should at least explain the risks to the interviewer. If they expect to have continuous access to your account (i.e., you cannot change the password as soon as you leave the office), you should definitely ask to see the part of their security practices document that describes how your password will be protected, who will have access to it, and under what circumstances.


Base sqrt(2)

So, everyone knows and loves positional number systems of different bases. We use base 10 every day, and base 2 if you are a computer, with base 16 as a more compact form that we humans enjoy. Our system of time and of measuring circles in degrees uses base 60.

What might happen if you tried to build a positional number system around \sqrt{2}? In a positional number system each digit contributes to the value of the number by weighting a power of the base chosen by the digit's position. The weights are required to be integers less than the base. Thus:

(437)_{10} = 4 \times 10^2 + 3 \times 10^1 + 7 \times 10^0
        = 400 + 30 + 7
(110101)_2 = 1 \times 2^5 + 1 \times 2^4 + 0 \times 2^3 + 1 \times 2^2 + 0 \times 2^1 + 1 \times 2^0
        = 32 + 16 + 4 + 1 = (53)_{10}

If the rule is that each weight must be an integer less than the base, then for base \sqrt{2} the weights can only be 0 or 1. For example:

(1100101)_{\sqrt{2}} = 1 \times \sqrt{2}^6 + 1 \times \sqrt{2}^5 + 0 \times \sqrt{2}^4 + 0 \times \sqrt{2}^3 + 1 \times \sqrt{2}^2 + 0 \times \sqrt{2}^1 + 1 \times \sqrt{2}^0
             = 1 \times 2^3 + 1 \times 2^2\sqrt{2} + 0 \times 2^2 + 0 \times 2^1\sqrt{2} + 1 \times 2^1 + 0 \times 2^0\sqrt{2} + 1 \times 2^0
             = 8 + 4\sqrt{2} + 2 + 1 = 11 + 4\sqrt{2}

The interesting thing to note is that the even powers act just like base 2, and the odd powers act just like base 2 multiplied by a factor of \sqrt{2}. Addition is similar to binary addition, except that a carry skips the adjacent digit and goes to the one after it. That is, a carry out of an even position is a carry in to the next most significant even position, and a carry out of an odd position is a carry in to the next most significant odd position.

It would be more convenient to split a base \sqrt{2} number into a rational part, that is a regular binary number, and an irrational part that is also a regular binary number, but that is multiplied by \sqrt{2} when computing the value of the number.

Using this representation, any base \sqrt{2} number can be represented as two binary integers. Addition, subtraction, and multiplication are straightforward. For addition, add the rational parts and the irrational parts separately to get the result. That is, to add two numbers a and b,

 (a_r + a_i \sqrt{2}) + (b_r + b_i \sqrt{2}) = (a_r + b_r) + (a_i + b_i)\sqrt{2}

where a_r is the rational part of a, a_i is the irrational part of a, b_r is the rational part of b, and b_i is the irrational part of b. Subtraction can be implemented as addition of the inverse.

Multiplication works in the straightforward way:

 (a_r + a_i\sqrt{2}) \times (b_r + b_i\sqrt{2}) = (a_r b_r + 2 a_i b_i) + (a_r b_i + a_i b_r)\sqrt{2}

Division by a purely rational divisor follows the standard rules. Both the rational and irrational parts are divided by the divisor. If the divisor is not purely rational, it can be carried out as follows:

{(a_r + a_i\sqrt{2}) \over (b_r + b_i\sqrt{2})} = {(a_r + a_i\sqrt{2}) \over (b_r + b_i\sqrt{2})}{(b_r - b_i\sqrt{2}) \over (b_r - b_i\sqrt{2})} = {(a_r b_r - 2 a_i b_i) + (a_i b_r - a_r b_i) \sqrt{2} \over b_r^2 - 2 b_i^2}

This arithmetic should work for any base \sqrt{n} where n is an integer. In particular, the addition and multiplication rules above are reminiscent of complex arithmetic, as they should be, since i = \sqrt{-1}.

So, what is this all good for? It is hard to see a use for the general case of base \sqrt{n} (or even base n^{1/p}). However, base \sqrt{2} could be useful when dealing with cartesian coordinates and two dimensional maps.

Some games and mapping systems use a movement or planning system where players can move horizontally, vertically, or diagonally. Each step counts as one move, even though a diagonal move is \sqrt{2} times as long as a horizontal or vertical move, in the interest of avoiding square root calculations. Printed circuit boards are often laid out with traces that are either horizontal, vertical, or at 45 degree angles.

In a mapping or planning system like one of the above, which can only make horizontal, vertical, or diagonal moves, the distance between any two points can be computed exactly in base \sqrt{2} using the above arithmetic, with no need for square roots.
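The rational/irrational split and the add, subtract, multiply and divide rules above, together with the square-root-free grid distance, as an added example (my code, not part of the original post). The class name RootTwo, the digit-string parser and the octile_distance helper are my own choices; the grid distance assumes a move set of horizontal, vertical and diagonal unit steps, as the post describes.

```python
# Added example: exact base-sqrt(2) arithmetic on the pair (a_r, a_i) from the
# post, plus the grid-distance application. Names here are my own, not the post's.
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class RootTwo:
    """The number r + i*sqrt(2), with r and i kept as exact rationals."""
    r: Fraction
    i: Fraction

    @classmethod
    def from_digits(cls, digits: str) -> "RootTwo":
        """Parse a base-sqrt(2) digit string (digits 0/1, most significant first).
        Digit k (counted from the right) weighs sqrt(2)^k: even k adds 2^(k/2) to r,
        odd k adds 2^((k-1)/2) to i, exactly as in the worked expansion above."""
        r = i = 0
        for k, ch in enumerate(reversed(digits)):
            if ch not in "01":
                raise ValueError(f"base sqrt(2) digits must be 0 or 1, got {ch!r}")
            if ch == "1":
                if k % 2 == 0:
                    r += 2 ** (k // 2)
                else:
                    i += 2 ** (k // 2)
        return cls(Fraction(r), Fraction(i))

    def __add__(self, b: "RootTwo") -> "RootTwo":  # (a_r + b_r) + (a_i + b_i)sqrt2
        return RootTwo(self.r + b.r, self.i + b.i)

    def __sub__(self, b: "RootTwo") -> "RootTwo":  # addition of the inverse
        return RootTwo(self.r - b.r, self.i - b.i)

    def __mul__(self, b: "RootTwo") -> "RootTwo":
        # (a_r b_r + 2 a_i b_i) + (a_r b_i + a_i b_r) sqrt2
        return RootTwo(self.r * b.r + 2 * self.i * b.i,
                       self.r * b.i + self.i * b.r)

    def __truediv__(self, b: "RootTwo") -> "RootTwo":
        # Multiply by the conjugate; the denominator b_r^2 - 2 b_i^2 is rational
        # and is zero only when b is zero, because sqrt(2) is irrational.
        denom = b.r * b.r - 2 * b.i * b.i
        if denom == 0:
            raise ZeroDivisionError("division by zero in base sqrt(2)")
        return RootTwo((self.r * b.r - 2 * self.i * b.i) / denom,
                       (self.i * b.r - self.r * b.i) / denom)

    def value(self) -> float:
        """The only place a square root is taken: converting for display."""
        return float(self.r) + float(self.i) * 2 ** 0.5


def octile_distance(p: tuple, q: tuple) -> RootTwo:
    """Shortest path length on a grid with horizontal, vertical and diagonal unit
    moves: min(dx, dy) diagonal steps of length sqrt(2) plus |dx - dy| straight
    steps. The result is exact, so legs of a route can be summed without rounding."""
    dx, dy = abs(p[0] - q[0]), abs(p[1] - q[1])
    return RootTwo(Fraction(abs(dx - dy)), Fraction(min(dx, dy)))
```

Because every leg is an exact RootTwo, a whole route can be totalled and compared against another route without ever calling sqrt; value() is only needed to print a decimal.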

QuickSynergy Server Troubles

Synergy allows one computer to control the keyboard and mouse of one or more other computers seamlessly, even if the computers are all running different operating systems. I am using my Mac laptop to drive my Mac and a Windows 7 laptop. When it is working it is a pretty sweet setup, but the configuration can be a little touchy.

Sometimes the Mac OS X server refuses to start. When it fails I see this message in /var/log/system.log on my Mac:

Oct  6 13:37:06 eagle [0x0-0xe4be4b].com.cordeiro.QuickSynergy[36223]: INFO: Synergy server 1.3.1 on Darwin 11.1.0 Darwin Kernel Version 11.1.0: Tue Jul 26 16:09:02 PDT 2011; root:xnu-1699.22.81~1/RELEASE_I386 i386
Oct  6 13:37:06 eagle [0x0-0xe4be4b].com.cordeiro.QuickSynergy[36223]: FATAL: unknown screen name `eagle.local'

It appears that QuickSynergy cannot resolve the name of my Mac for some reason, even though I can ping it both locally and from another computer on the same subnet.

My Mac has both a wireless and a wired 1 Gbps link and, by default, routes over the wired network. When I disconnect and reconnect the wired network, the error from QuickSynergy goes away and netstat shows that Synergy is listening on the wireless network. Since the client that connects does so through an ssh tunnel to localhost, it does not really matter. It just seems strange that Synergy would be able to listen on the wireless network and not the wired network.

This problem requires more debugging, but for now I can make it work, so I’ll get back to what I wanted to do and figure it out later.

Automatically Start ssh-agent on Mac OS X

Mac OS X does not automatically start ssh-agent for you when it creates a new login session. I suppose this makes sense for the large part of the Mac target audience that will never use ssh, but it is annoying for those of us who use it regularly.

I added the following to my .profile to automatically start ssh-agent when I open my first terminal window:

# Start a new ssh-agent only if none is already running for this user.
# The [s] trick keeps the egrep process itself out of the match.
if [ -z "$(ps -x -u "${USER}" | egrep '[s]sh-agent')" ] ; then
	mkdir -p "${HOME}/bin"
	# Keep the SSH_AUTH_SOCK/SSH_AGENT_PID exports, drop the trailing "echo Agent pid" line
	ssh-agent | sed -e "/^echo/d" > "${HOME}/bin/agent-env"
fi
# Import the agent's environment variables into this shell
source "${HOME}/bin/agent-env"

Terminal.app starts a new login shell, which runs .profile every time you create a new window. The ‘if’ statement checks whether ssh-agent is already running; if not, it starts a new ssh-agent and writes its output to ${HOME}/bin/agent-env.

That file sets the environment variables ssh needs to find the ssh-agent. The ‘source’ command after the if statement runs agent-env in the current process, so the environment variables take effect in the current shell rather than in a child process.

You will still have to run ssh-add to add your keys, but at least you do not have to start the ssh-agent.

Installing MacPorts on Lion with Xcode 4 from the App Store

Installing MacPorts on Lion requires first installing Xcode 4.1. Apple makes Xcode available as a download to developers who have subscribed as Mac developers for $99 per year, or for free through the Mac App Store. Unfortunately, the Xcode installer that the App Store downloads does not install the “Unix Development” or “System Tools” components required by MacPorts.

After much fiddling, I found a way to install Xcode 4.1 from the Mac App Store and get the “Unix Development” and “System Tools” components.  Here is what I did:

  1. Install Xcode 4 through the App Store
  2. Go to the /Applications folder
  3. The “Install Xcode” application is the installer that the App Store used to install Xcode (without the components you want).  Right click on “Install Xcode” and select “Show Package Contents”.
  4. Open Contents/Resources and double click on Xcode.mpkg

Double clicking the mpkg installer gives you the option to install Xcode in a custom location and to customize which components are installed, including “Unix Development” and “System Tools”.

The install process took my laptop about 30 minutes to complete.  It might be possible to cancel the initial install after “Install Xcode” has been fully downloaded, then proceed to the mpkg install, but I have not tested that.


Google Docs for Document Collaboration

Escent is comparing Google Docs, Sharepoint, and a few other tools to handle document sharing within Escent.  I had previously played a little with Google Docs for writing shared documents, but not tried anything serious with it.  This post describes my initial impressions.

The Good

Being able to have multiple people edit the same document at the same time on different computers is really cool. The old way is to send the document back and forth via some medium (like email, a flash drive, a network share, or Dropbox). With two people, this process is not so bad. The Track Changes feature in MS Word makes it easy to figure out what changed from revision to revision, as long as everyone remembers to turn it on. However, with more than two people, either someone ends up having to manually merge changes from several editors or editors have to take turns editing and passing around the file — not an efficient use of time.

The next biggest features of Google Docs are easy availability and version history. Google Docs saves all the uploaded and saved versions of your documents so you can revert to old versions if something goes wrong. As with any cloud storage, the docs are always available online for download or direct editing. For Windows users, Google Cloud Connect lets you access documents from Microsoft Office. Office has a few more features than the online Google Docs tools, but more importantly, it gives you a way to work on documents when network access is not available. Documents get uploaded every time MS Office saves them, so the latest version is always online, assuming you have a network connection.

Google Docs makes all these features available for free for up to 10 GB. That is enough space to really try out Google Docs and see if it will work for you. Other cloud solutions typically give a 15-day free trial. After the trial period, you either have to pay or lose access. Being able to grow into the system over a period of time and only pay when it becomes necessary lowers the barrier to entry for Google Docs. The additional cost to go beyond 10 GB on Google Docs is quite reasonable and should not be an issue for many businesses.

The Bad

I pretty quickly ran into several big limitations with Google Docs. The first was the upload size limitation. Google Docs will not upload a Microsoft Word document bigger than 1 MB through the web interface. According to the documentation, it does not matter whether you pay for extra storage or not; if the document is too big, it just will not upload.

In this day and age, 1 MB is terribly small. I have very few Microsoft Word documents under 1 MB. The reason is that Microsoft Word does not work very well with vector graphic formats, so pictures end up getting included in documents as bitmap images. Line art needs a resolution of 600 dpi or higher to look respectable when printed. Once a document has two or three 600 dpi, full-page-width images, it exceeds the 1 MB limit.

The other major problem with Google Docs is figure formatting.  The first real document I uploaded is a Microsoft Word description of some tests Escent will run.  The document is about 2.6 MB with thirteen pages of text including three floating figures and several inline tables.  It took several minutes to view the document with the document viewer.  Google Docs flowed the text and tables behind the figures making them hard to read.  When I tried to edit the document, Google Docs failed to convert it to editable format because it was more than 1 MB.

Conclusion

If our entire document life cycle stayed within Google Docs, I would spend more time looking at it and probably eventually use it. The collaborative mode is a real step up in document sharing, and the low barrier to entry is great. However, we already have a lot of documents that we would like to move to whatever solution we end up using. Not being able to handle files bigger than 1 MB is a real deal killer. These days 1 MB is just tiny for a document with figures in it. Most of our documents end up with at least one figure, so Google Docs will not work for us.

If we stayed entirely in MS Office and only used Cloud Connect to sync documents through Google Docs, it still might be worthwhile.  Unfortunately, Cloud Connect does not work for the Mac.  We would have to manually upload and download documents to use them on a Mac.

My next task is to see if Sharepoint is any better.  Being a Microsoft product, I am sure it can be made to play nice with MS Office.  At first glance the Sharepoint integration with Office appears to be comparable to Google Cloud Connect.  The real problem with Sharepoint is configuration.  It is general enough to do anything, but with that flexibility comes the hard work of making it do the specific things we want.  A good set of defaults would be helpful.  Unfortunately, our install does not seem to have any useful defaults.

Rails 3 Unit Testing on Hudson

I recently set up a Hudson continuous integration server for our main development at Escent. Part of that project is a Ruby on Rails web app using Rails 3. I had trouble getting the existing documentation to work for me, possibly because it was designed for Rails 2. I ended up using a gem written by Nathan Humbert to generate the code coverage information. I include a brief description of what I did here in case it is useful to anyone else.

Installing Dependencies

Hudson needs both the Hudson Ruby plugin and the Hudson Ruby Metrics plugin. To add the plugins from the Hudson dashboard, click “Manage Hudson”, then “Manage Plugins”. From the Plugin Manager page, click the “Available” tab, and select the check boxes for the plugins you want. You may also want to select the plugin for your SCM software. Subversion is included by default, but we are using Mercurial, so I also checked the “Hudson Mercurial Plugin” box.

Click the “Install” button at the bottom of the page after you have selected all the plugins you want, and return to the Hudson Dashboard.

We will be using the “rails_code_qa” gem to measure code coverage. To make sure it is available in your project, add the following to the project’s Gemfile:

group :development, :test do
  gem "rails_code_qa"
end

Configuring the Build

Starting from the Hudson dashboard, click “New Job” to create a new job for your Rails 3 project. Name the job in the “Job name” box, select “Build a free-style software project”, and click OK to continue.

The first section is pretty straightforward. You can optionally add a description for your project, configure how many builds to keep, etc. I set our configuration to discard builds after seven days and accepted all the other default options, then skipped the “Advanced Project Options” section.

In the “Source Code Management” section configure this project to access your SCM.

In the “Build Triggers” section you can set the conditions for starting a build.  I checked “Poll SCM” and set the schedule to:

*/1 * * * *

so that Hudson will check the SCM for updates every minute. Once per minute is probably overkill, but for testing purposes it made it easier to see whether Hudson was working. I’ll probably back it off to three or five minutes at some point, to cut back on unnecessary polling.

The “Build” section is where things start to get interesting. Each time Hudson starts a build of your code, it automatically pulls a source tree from the SCM and runs the build commands from the top-level directory of that tree. The “Build” section lets you specify a sequence of commands to be run, in a number of different forms.

First, click “Add build step” and select “Execute shell”.  In the “command” box that appears type:

bundle install

to prepare your build environment.  Click “Add build step” again, but this time select “Invoke Rake”.  I accepted the Default version and in the task box entered:

db:create
db:migrate
test
rcqa

You could just as well add the rake tasks to the list of shell commands instead.

In the “Post-build Actions” section, check the “Publish Rails stats report” and “Publish Rcov report” boxes. The “Rcov report directory” points to the HTML coverage report from rcov. Unfortunately, rails_code_qa does not have an option to give combined coverage for all the tests. It splits results into coverage/units and coverage/functionals directories. For now I am using coverage/units.

Modifying rails_code_qa to put all the results into one directory is trivial, but I still have to figure out how to make it get included in the project.  When I figure out the magic rails/rake is doing to run things, I’ll update my Hudson config.