Recent blog entries for epsalon

Facebook FriendPhotoCaptcha Roadblock

Facebook has recently and silently introduced a new “security” feature that does a lot to prevent legitimate users from accessing Facebook, but almost nothing to deter determined scammers and hackers.

The security feature works as follows: Suppose you try to log in to Facebook from a location you don’t usually use, for example when traveling (which is usually when it’s most important for you to keep in touch with friends and family). Facebook asks you to verify your identity. And how would you do that? By identifying photos where your Facebook friends have been tagged. In order to regain access to your account you need to solve a CAPTCHA, then identify 7 out of 9 photos of friends. Even a single error fails the test but you do have two “skip”s. The photos are selected randomly from all photos in which any of your friends have been tagged. If you fail, you can try again within an hour. Returning to a “verified” location does not help once the roadblock has been triggered.

I guess the reasoning behind this: If you are really you, you should be able to identify your friends by their pictures. Right? Wrong! First of all, Facebook (and certain apps) keep pushing you to add more and more distant acquaintances as friends. People who you’re unlikely to even identify by seeing a clear picture of their face. Second of all, people tag each other in photos that are nothing like a clear portrait. When I was faced with the challenge I had to tag pictures of feet, pictures of dogs, blurry pictures of people from behind, and “funny” drawings. I am not the only one. Many people have been locked out of their accounts for hours due to this impossible “security” challenge.

How did I eventually regain access to my account? The same way any attacker who isn’t me could have. The questions in the challenge are multiple-choice. One or two pictures and five names to choose from. Since my profile is relatively open to the public I could create a bogus Facebook account and see my friend list and their public pages. Most of these include a profile picture which allowed me to try and verify the person. Some have a more public profile where all pictures are available, and then I could find the actual picture from the challenge — just like anyone who isn’t me could have.

An attacker’s arsenal would also include creating a new account with my name and photo, and trying to “friend” all my Facebook friends. With enough people accepting this friendship (which many will), you can access all their photos and easily solve the challenge. In fact, this could be automated, and the only obstacle is several CAPTCHAs that need to be solved, a problem easily solved by spammers using outsourcing or fake “free porn” sites.
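To put numbers on the weakness described above, here is an added example (my own code, not anything from the original post or from Facebook) that models the challenge exactly as the post describes it: 9 photos per attempt, at most 2 skips, every remaining photo must be answered correctly from 5 candidate names, a single error fails the attempt, and a failed attempt can be repeated an hour later. The only assumptions beyond the post are that the attacker recognises each photo independently with some probability p (the share of friends whose pictures were harvested from public profiles or through a fake-friend account), spends the skips on unrecognised photos and guesses the rest, and that successive hourly attempts are independent.

```python
from math import comb
import random

# Challenge parameters as described in the post (assumed fixed for every attempt).
PHOTOS = 9        # photos shown per attempt
SKIPS = 2         # photos the user may skip without penalty
CHOICES = 5       # candidate names offered per photo
RETRY_HOURS = 1   # a failed attempt can be repeated after this long (assumed constant)


def pass_probability(p_known, photos=PHOTOS, skips=SKIPS, choices=CHOICES):
    """Probability of passing a single attempt.

    p_known is the chance the attacker identifies a given photo outright.
    Best play: spend the skips on unrecognised photos, then guess the rest
    uniformly among the candidate names. With k unrecognised photos the
    attacker is forced to guess max(0, k - skips) of them, each with
    probability 1/choices, and every forced guess must be right.
    """
    total = 0.0
    for k in range(photos + 1):
        prob_k_unknown = comb(photos, k) * (1 - p_known) ** k * p_known ** (photos - k)
        forced_guesses = max(0, k - skips)
        total += prob_k_unknown * (1.0 / choices) ** forced_guesses
    return total


def cumulative_success(p_known, attempts, **kw):
    """Probability of at least one pass within a number of independent attempts."""
    q = pass_probability(p_known, **kw)
    return 1.0 - (1.0 - q) ** attempts


def attempts_to_reach(target, p_known, **kw):
    """Smallest number of independent attempts whose cumulative success meets target."""
    q = pass_probability(p_known, **kw)
    if q >= 1.0:
        return 1
    if q <= 0.0 or target >= 1.0:
        return None
    n = 1
    while 1.0 - (1.0 - q) ** n < target:
        n += 1
    return n


def simulate(p_known, trials=20000, seed=1, photos=PHOTOS, skips=SKIPS, choices=CHOICES):
    """Monte Carlo cross-check of pass_probability using the same attacker strategy."""
    rng = random.Random(seed)
    passes = 0
    for _ in range(trials):
        skips_left = skips
        passed = True
        for _ in range(photos):
            if rng.random() < p_known:
                continue                 # recognised from harvested pictures
            if skips_left > 0:
                skips_left -= 1          # burn a skip on an unknown face
                continue
            if rng.randrange(choices) != 0:
                passed = False           # wrong guess: a single error fails the attempt
                break
        passes += passed
    return passes / trials


if __name__ == "__main__":
    hourly_attempts_per_day = 24 // RETRY_HOURS
    print("friends recognised   per-attempt pass   pass within one day")
    for p in (0.0, 0.3, 0.5, 0.7, 0.9):
        print(f"{p:>18.0%}   {pass_probability(p):>16.5f}   "
              f"{cumulative_success(p, hourly_attempts_per_day):>19.3f}")
    print("Monte Carlo at p=0.5:", simulate(0.5))
    print("hourly attempts for a 50% chance by pure guessing:",
          attempts_to_reach(0.5, 0.0))
```

Pure guessing (p = 0) passes one attempt with probability (1/5)^7, so the hourly retry limit alone would hold for tens of thousands of attempts. The picture changes once the attacker has harvested pictures: recognising only half the friends gives about a 13% pass rate per attempt, which the hourly retries turn into roughly a 97% chance of getting in within a day. The multiple-choice format and the unlimited hourly retries, not the photos themselves, are what make the challenge weak.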

Finally, I would like to suggest several other security methods that could actually work:

  • Require a user to tag only photos he or she has uploaded, or that he or she appears in. Ask about where or when a picture was taken, and be more lenient.
  • Require a user to use an alternative method to contact a few of his or her friends (of the user’s choice) and have them log in and confirm they are OK (for example by giving them some kind of key).
  • Get security questions or challenges from the users in advance — something the user knows he or she can solve. Make it clear that these questions are not ONLY for the case of lost passwords.
  • Make a phone call or send a text message to a phone number that is in the user’s profile with a key to access the site.

Better still, allow several of these methods at once. Besides, Facebook is not a bank. Just let go of the stupid security.

Syndicated 2010-07-25 08:11:43 from Alon's Blog

Delays, Downgrades, Dress Shoes – My visit in Toronto

I haven’t blogged here for a long time, opting to tweet short cryptic messages, if at all. Well, my trip to and from Toronto was eventful enough to warrant a full post or two.

Being the mileage optimizer I am, instead of flying direct to Toronto, I had a stopover in Houston, a Continental hub. Due to differences in price, I flew from San Jose airport instead of SFO, and parked my car in a hotel near the airport. This minor fact will prove crucial later.

The outward flight went well, except that I did not get an upgrade on the flight to Houston (I was 2nd on the waiting list). I arrived in Toronto, and took the cool wifi-enabled bus to my hotel. Upon arrival, I checked the conference schedule and was somewhat surprised to see that the main part of the conference started the next evening, which meant I had a whole day to tour the city.

Since the banquet was to be held in the CN tower, Toronto’s primary attraction, I decided to use my free day to visit the Royal Ontario Museum. That day I walked several kilometers to the conference venue, then to the museum, inside the museum, and finally back home. During all that time I wore dress shoes I usually wear for interviews — I packed my best clothes for the conference.

What I did not realize is that dress shoes can severely hurt your feet. By the next day my feet started to develop painful blisters and abrasions, which made it painful to walk. From then on I used taxis to get to and from the conference venue.

Academically, the conference was very fruitful. I got to meet many colleagues from institutions around the world, including Michael Wooldridge from the university of Liverpool, where I am about to interview soon. My students’ talks went well and there were many interesting posters, some with the potential to lead to further research.

The conference banquet was held in the revolving restaurant on the top of the CN tower. This was the first time ever I’ve been to such a restaurant. Dinner was edible (not a trivial thing for a fancy restaurant) and the view was beautiful. Having the restrooms in the non-revolving part proved a challenge when I was trying to return to my seat. Sitting right next to the windows, I attempted to send clever messages by writing them on paper and putting them on the non-revolving part of the restaurant. Few of these came back to me.

On the final day, I rushed to pack all my things and check out of the hotel. Then I took a taxi to the conference venue, attended the final talks and demos, and took the wifi bus back to the airport. At this point my feet were still in pain and it was difficult to walk.

At the airport, I found out that my flight to Houston was delayed by about an hour, which meant I was going to miss my tight 1-hour connection to my flight to San Jose. The Continental agents at Toronto had two options for me: Fly direct to SFO on Air Canada, or stay in a hotel in Toronto and fly via Houston the next day. In either case, my confirmed first class upgrade would be canceled since there was no first class availability.

Since my car was parked near San Jose airport, and they were not willing to pay for ground transportation to San Jose, I decided to go for the next day flight. However, since the flight was pretty early, I asked if it was possible to take the delayed flight to Houston and spend the night there. The agents agreed. This had the added benefit of being able to make the connecting flight in case the other flight happened to be delayed as well.

By the time I made it through US customs and immigration at Toronto airport, the flight had been pushed back even more. The reason: Delayed incoming aircraft — the plane from Houston departed late. With the flight two hours late, there was little hope of making the connection. By the time I was ready to leave Toronto, the plane I was supposed to board to San Jose was already en route and on time from San Juan, Puerto Rico.

Upon hitting the ground in Houston, I decided to check the flight status to San Jose in a last-ditch effort to make that flight. To my astonishment, the flight was severely delayed and I would be able to make the flight! As it turned out, the plane from San Juan (SJU) had to be diverted to Baton Rouge (BTR) due to weather in Houston. By the time I landed, the diverted plane was en route from BTR to Houston (IAH).

As it turned out, I had to spend a few additional hours waiting in Houston. The plane had to be maintained and was even further delayed. I finally landed in SJC 3 hours late. I still had the upgraded first class seat so I was able to sleep for most of that flight until finally returning home, going straight to sleep. Until now.

Syndicated 2010-05-16 00:58:49 from Alon's Blog

Twitter Weekly Updates for 2010-03-21

  • Just arrived at TLV. Will stay in Israel till the end of March.
  • Arrived at parents' house. Wifi again at last!

Syndicated 2010-03-22 06:34:00 from Alon's Blog

Blog update, forum crash.

Some of you may have noticed that my blog has a new look. Others may have noticed that the Israeli polyamory forum that I’m hosting has crashed, losing all information. Both of these events have to do with my (paid) hosting account at bluehost.com.

It all started when I wanted to upgrade my ancient wordpress install (with some custom modifications) to a more modern and standard install. So, I backed up my blog and database and proceeded to install the new version. This required a few iterations, each requiring to delete the old instance of the blog.

My major mistake was that during one of those installations I misclicked and deleted the wrong site — the active poly forum. The delete action did create a backup, but since the database was exported using the wrong encoding, all Hebrew data (including the entire forum) was lost.

I immediately called my hosting provider, but they did not have backups of my account. I never set up a backup script for my hosting account, so the entire contents were lost.

I did reinstall a new forum and the blog. I am now working on a backup solution for my account.

The new blog has several nifty features: On the right sidebar you may find my current exact location. Also, the subscription system should work better, and replies can be verified by OpenID.

Syndicated 2010-03-17 21:42:04 from Alon's Blog

Happy π day!

Today is March 14th, aka pi day, a day celebrating one of the most important numbers in mathematics - π.

Since I happened to be in Germany today, I celebrated π day with my brother and his wife by making 2π — a yummy beef pie for dinner and a chocolate pie for dessert.

 Beef pie for pi day

For dessert we decided to make the pie even more meaningful and decorate the pie with the first few digits of π, resulting in a delicious, and informative pie:

Chocolate pi with digits!

More photos are available on Flickr and Facebook.

In other news, I’ll be arriving in Israel on Tuesday. If you want to meet me, let me know…

Syndicated 2010-03-14 18:29:11 from Alon's Blog

Open Letter to Stanford University

I have sent the following letter regarding the AlertSU system at Stanford University. I am hereby posting the letter I have sent verbatim.

Subject: Troubling unsigned email message sent via AlertSU.

I have received an email message regarding a personal issue via the AlertSU system, which is supposed to be only used for emergencies (letter attached below). The letter was unsigned except by the general name “STANFORD UNIVERSITY”.

First of all, I would like to request the name and job title of the author of this message, since this information was never supplied.

Second, this message is in no way, shape, or form related to any kind of emergency, and therefore should not be posted via AlertSU — a system the Stanford community cannot opt out of.

Third, I am very concerned about the content of the message itself. The message uses phrases such as “stranger”, “Unbeknownst to the student” and “did not appear to pose a threat” and selectively mentions some of that person’s private belongings. It seems these were designed to lead the readers to assume that the stranger may have intended to act maliciously, when this is just a simple case of a person forgetting his bag in a stranger’s car. The important cautionary note is that you should make sure to take your belongings with you upon leaving a vehicle.

Implying that lighter fluid and handcuffs have no use other than for illicit purposes reeks of intolerance that the Stanford community should not be subject to.

Alon Altman

In the early morning hours of Saturday, January 30th, a Stanford student struck up a conversation with a stranger at a bar in Palo Alto near the campus. The stranger, a male, suggested that they go out for food. The student drove the stranger to a McDonald’s in East Palo Alto. The stranger then asked the student if he could crash at the student’s residence. The student refused, so the stranger got out of the student’s vehicle. Unbeknownst to the student, the stranger left a bag of personal items in the student’s car. Upon discovering the bag, the student took it to the Stanford Police (on Monday, February 1) so that it could be returned to the stranger. Among the items in the bag, the police located a pair of handcuffs and lighter fluid. The officers were able to ascertain the identity of the stranger and, after some investigation, determined that the individual did not appear to pose a threat to the student or the community. Nonetheless, the Stanford Police would like to remind you to be wary of offering rides to people whom you do not know.

Syndicated 2010-02-02 09:12:39 from Alon's Blog

Macs, part 4: getting a new MacBook

In my previous post I wrote about my experience with macs, and the conclusion was that in order to criticize macs effectively, I should get one. Over $3,000 and one week later, I got a brand new MacBook Pro 15″ (and a free iPod touch).

Photos: Apple MacBook box; “Everything Mac” book

The mac came in a brown box, which included a white box inside it. Inside the white box, was the MacBook, the power and video adapters, and a black envelope. Inside the black envelope was a book titled “Everything Mac”. There was also an envelope labeled “Everything Else”. Following the instructions in the “Everything Mac” book I connected the power supply and powered on the mac using the hidden power button. The book included important information about using the TrackPad, stuff I had to figure out slowly in the previous posts.

Photos: Power connector; power button

When the system started for the first time, I was greeted with a language selection screen, and then a welcome video (with no useful information). After the welcome video, I was prompted to press Esc to hear instructions on how to use the mac. I did, however, it started a detailed explanation about an accessibility feature that didn’t even work.

Photos: MacBook (off); VoiceOver

I managed to complete the setup without much difficulty, but no tutorials were provided. According to instructions in the “Everything Mac” book, I installed software updates, and started to explore. I found a document about “Stacks” and document and download stacks. I also found some online tutorial videos.

Photos: Taking my picture; after setup

One of the things I tried to do with the new mac was use the “Time Machine” backup software. I tried connecting two different external HDs, and got no visual response from the OS for the first, and only the small FAT partition showed up for the second. Reading about it online, I figured that ext3 partitions are not supported, and only plain old FAT drives can be used for backup. Big fail!

Another thing I tried was to download TV shows on iTunes, but I was stumped by the repeated requests for money. I have paid $3000 for a mac, why do I have to pay extra to use it???

Syndicated 2009-08-23 20:22:38 from Alon's Blog

Macs, part 3: Podcasts, Customer Service, and Fingers

As I’ve posted before, I’m staying at a fancy hotel in the Boston area. Next to the hotel is a Mall, and in this mall is an Apple store. Again I tried using the display laptops. If you recall, the laptops have no mouse buttons (the entire pad is a button), which after a short use causes pain in the wrist. The answer I got regarding this issue from “mac people” was: My mac has a button, but I’m sure the no-button pad is just A-mazing, Steve Jobs is God and I am his servant!

So, this time I tried a new approach: I asked a customer service person at the Apple store for help.  The customer service rep didn’t repeat the same “Apple is God” story I get from fanpeople (I guess they are trained to avoid it). Instead, he calmly explained to me another Mac gesture: Hold a finger on the pad while dragging another finger. I had to ask where I find those fingers. It turns out Apple hardware uses unique input devices called “fingers”. The idea is that the trackpad somehow reacts differently to multiple input positions. It turns out this feature is required for basic functionality. Right-click is also supported with the Ctrl button, there is also a multi-finger gesture for that but I’m not sure what it is.

The next thing I tried to do is to replicate functionality I have on Linux on the mac machine. The functionality I decided to try was downloading and playing podcasts. I googled it and the search results pointed me to software called “GarageBand”. I launched it from the dock and selected podcast. It opened a complicated screen with space for male and female voices (why do I have to tell it who’s talking in the podcast?). I decided to try listening to Car Talk from NPR. I used the Safari browser to find the Car Talk podcast, and copied the URL. Then I had to right-click (with Ctrl) on a submenu that said Podcast (why do I have to select podcasts again?), the only option was “open in iTunes”. I know iTunes is spamware for copying music to iPods under Windows but that was the only option. Anyway, the iTunes had an option to add a podcast under the Advanced menu (If that’s advanced, what’s the basic way?). I pasted the URL using SpecialAlt(⌘)-V and confirmed.

Now I could go back to GarageBand and after a few trials I could finally see the podcast there and drag it to the play area. I put it under “Male Voice” since the show is narrated by men. The GarageBand software seems to be an audio editor like Audacity. I’m reminded of how in old Windows 3.11 WAV files were opened in Sound Recorder… Anyway, I clicked the play button and it played! Seeking was pretty hard since it was extremely zoomed in and there was no way of seeing the entire file in one screen.

I thought to myself there must be an easier way to do it. So I googled “mac podcast player” and found a program called Juice. I installed it, subscribed to Car Talk with the URL, and clicked on the play button. Well, it started playing. In the background. With the same show of Car Talk still playing in GarageBand. All attempts to stop it didn’t work. I even closed Juice entirely (with SuperAlt-Q, as the customer service guy explained) and still both podcasts were playing. It finally stopped after I SuperAlt(⌘)-Q’d all applications I could find (except GarageBand, and Finder, which wouldn’t close).

Then, I decided to see if GarageBand can export to a mobile device. The whole idea of podcasts is to listen to them on the move! So, under the share menu there was something about Podcasts and iWeb. I clicked that, and the podcast stopped playing and moved to the start, forgetting my playback location. Good thing I remembered what it was and seeked back there manually (the export failed BTW).

After all those trials, an Apple guy finally approached me, and told me — that the store is closing and I have to leave. I asked why the GarageBand thing is so complicated, and he said that I should use iTunes to play podcasts. He couldn’t explain more since I had to leave. That’s all for now.

PS: I forgot to mention the fact that keyboard shortcuts don’t work as expected; the Alt-F4 Expose settings screen, for example, says that Expose could work with F9, F10, and F11. Instead, those buttons adjust the volume! It turns out the real shortcut is F3! But I found that out only after coming back to my room. Amazing documentation from Apple, yet again.

PPS: I even thought I’d buy one just to see how it works, but an Apple laptop costs over $7,000, and for that price it’s only a 256GB hard drive. What is it made of? Solid Gold? And you still have to pay extra for backup hardware (yes, macs need special $500 hardware to enable backups). It seems like macs are the fancy hotels of the computer world — anything you want to do costs extra.

PPPS: I suspect Apple puts addictive substances in their products. That’s the only way I can explain why anyone who’s purchased an Apple product seems to be in love with it. On a more serious note, I think the main driver for people loving Apple products is cognitive dissonance — You don’t want to admit to yourself you significantly overspent for a product that is no better than others, and since things aren’t customizable, people convince themselves they like it that way.

Syndicated 2009-08-12 02:07:39 from Alon's Blog

Rant about fancy hotels

I have just arrived in Cambridge, MA for a week of consulting for Microsoft Research. They paid for my flight and hotel room so they put me in a fancy $200/night hotel. In this post I will try to explain why in my opinion, in general, the fancier the hotel the worse it is.

I have nothing against hotels as a service. Hotels provide a traveler with a clean place to spend the night, and with basic necessities. Hotels are useful when traveling, or when you need a clean neutral place to have sex. However, fancy hotels do not seem to provide these well, and charge a lot of money to do so.

Compare, for example, the fancy hotel I’m staying at now with a cheap motel for $40/night. The motel included a microwave and fridge, free parking, free wifi, and a free “breakfast”, which, admittedly, is nothing to feast over. However, the fancy hotel includes none of those (or at least not without caveats galore).

Here is a comparison of the cheap motel and the fancy hotel. I am purposefully omitting hotel names, as this is common for many hotels and motels.

Amenity            Cheap Motel                                      Fancy Hotel
Price per night    $51                                              $211
Parking            free, right outside room                         $20/day
Internet Access    free WiFi                                        WiFi free with loyalty program, otherwise $10/day
Getting there      free airport shuttle                             15 minute walk from subway station
Breakfast          free coffee and popcorn                          $21 for continental breakfast
Refrigerator       free in room, empty                              only mini-bar
Microwave          free in room                                     not available
Location           right off highway                                near center of town
Storage Space      lots of empty drawers, closet                    one drawer, small closet
Bed                Queen size, comfy, extra pillows on demand       King size, very comfy, useless decorative pillows
Power outlets      Limited                                          Limited
Phone              One phone near bed                               Three phones (one cordless)
Phone Costs        Free local calls                                 $1/local call
Bath/Shower        Included, with fancy showerhead                  Included, with fancy showerhead


Given the above comparison, why would anyone choose the fancy hotel over the cheap motel? I’m really curious. If you, blog readers, willingly stay at (and pay for) fancy hotels, why do you do so?

Syndicated 2009-08-10 01:43:47 from Alon's Blog

The Strange World of Macs (Part 2)

I promised a second post about macs, and it’s time to deliver. The reason I’m updating about it now is that it turns out that two of the undergrads working with me on the computational pool project are mac people, and use mac laptops. Whenever I explain to them why macs are hard to use and complicated they keep saying I’m doing it wrong, and there’s a better way to do it. My main complaint here is that this “better way” is never documented and isn’t easy to find.

For example, one mac person in our group re-installed a mac machine that was sitting in my office after the HD died (it required a trip to the shop to replace, since mac hardware is hard to maintain, and this is a desktop!). After he left, I tried using his machine, and the first thing I was greeted with was a screen asking for a password. That’s not very user friendly!

So, I googled for password reset information. I found several sites explaining how to reset a password without the CD, but all required you to be already logged in. I realized it must be possible with the CD. However, there was no apparent way to boot from CD. Heck, there was no apparent way to get the CD out of the drive. Later I found the eject button on the keyboard, but still the computer would always boot from HD. I googled “mac boot from cd” and found you need to hold the option button while booting, not Del or F1 like normal computers, and of course no message on boot to tell you that.

I booted the install CD, and it had a password reset option, but it didn’t work, since it wasn’t the right version. I had to boot an upgrade CD in order to successfully reset the password. After the password was reset I could finally log in.

Next step was to create a user for myself. This was not easy. The “spotlight” search feature I was told so much about did not work since it was “indexing”. I finally found the user management from the control panel and created my user.

All this time I was interrupted with an annoying window that wouldn’t close saying “Welcome” in different languages. Same annoying pop-up junk as with Windows. After that was done, an “install updates” popup came up and it had to restart and install the updates. By the time I was writing this post, the updates have finally been installed. I will now try to log in.

I am now on the mac itself. I managed to install Adium and Firefox. As it turns out, the popup window that appears is a mounted virtual drive. The two icons represent the application and a shortcut/symlink (I’m not sure) to the “Applications” folder, which is similar to the Start menu in Windows. Dragging one to the other launches an install script, though I’m not sure exactly how. After installation is done you must unmount (“Eject”) the disk image in order to use the application. The application itself is only available from the applications menu, which can be accessed by searching for “Applications” using the magnifying glass on the top-right of the screen (called “Spotlight”). Spotlight does not search the web, or for uninstalled applications.

You could also use Spotlight to search for a specific application. In a way, it’s like a limited graphical command line. The most important application to locate with Spotlight is the real command line (called “Terminal”). This application will later appear on the bottom of the screen, and as I found in the book “Mac OS X for Unix Geeks”, you can drag it to a different position on the bottom of the screen to have it stay there. I did not find a similar way to add a non-running application.

Another discovery I’ve made: The screen has a hidden camera near the top, I guess Apple literally watches you. More to come soon.

Tried to install Hebrew. Worked, but without a keyboard shortcut. Any attempt to enable one launched a monster keyboard shortcut menu, where it turns out that Hebrew conflicts with the “spotlight” thing. So, it’s either Hebrew or being able to launch applications. Updates to come.

Syndicated 2009-07-04 01:30:27 from Alon's Blog
