Storing Passwords in the Cloud?

There’s been a recent event at LastPass and users have potentially lost their passwords. Honestly, I wonder why would anyone ever store their passwords anywhere, much less in the Cloud?

Good security practice dictates that passwords should never be stored at all. Period.

While we should use random passwords with different ones for different sites, and it is difficult for users to remember so many meaningless passwords across so many different sites, it is no excuse to store passwords.

IMHO, the ideal solution for this would be to use generated passwords. These passwords could be generated from multiple secrets that are known only to each individual, but not to everyone. Think of it has having different parts of a dollar.

One example would be to use something like password hash, which would generate the password based on the website domain name and a known secret. Try it out and you’ll see.

There are more complex schemes that can be invented if necessary but the idea is there – don’t store the passwords anywhere – generate passwords on-the-fly.

Web Development

There are many work-flows for web-development and there exists many different deployment environments for web-applications. Therefore, I have found that it is important to have a suitable development environment where web-applications can be developed, validated and verified before being sent to production.

A typical web-developer might either test the application on their own development machines or they might have access to a development server for testing. In the first case, there might be subtle differences between their own machines and the production environment. Therefore, testing applications this way is not very useful. In the second case, there may not be sufficient isolation between multiple developers on the development server – be it database access or file system access. So, there is the possibility of destructive collaborations.

One solution that I think might be suitable is the use of virtualisation. VirtualBox is particularly suitable for this because it is able to access a shared folder on the host machine from within the guest virtual machine. So, code can be developed locally and tested locally on a VM running locally. The VM images themselves can be set up by the system admin to be a complete clone of the production environment. In this case, the test environment approximates the final deployment environment while there is enough isolation to avoid clobbering each others’ work.

The only catch would be the required additional computing resources. However, most modern computers are able to handle virtualisation very well. In fact, I began using virtualisation in 2004 and have no complaints with regards to web-application performance because these things are not simulating the stars in the universe. They are just doing simple jobs for the purpose of testing functionality.

So, I would recommend the use of VirtualBox for development purposes.

Typodermic Fonts

I doubt that I will ever be for want of a font again. I just found an artist who gives away 390+ fonts for free, including commercial usage.

Typodermic is a site created by the artist, Ray Larabie, who has been obsessed with typefaces and fonts since his childhood. There are lots of styles on the site and a large number of them are free.

What can I say, I am a sucker for peng, leng, zheng stuff.

Another great source of stylistic fonts is Dieter Steffmann, though I am not quite clear about their licensing.

VirtualBox vs QEMU

Turns out that VirtualBox is extremely easy to use for personal virtualisation. I have been using KVM and XEN based virtualisation solutions on the server. They both work wonderfully for that purpose. However, for local machine virtualisation, they are both a chore to setup.

Turns out that another open source product – VirtualBox, is better suited for local virtualisation. I will ensure that it is made available for all my machines in the future. It even supports non-VT based hosts after KVM decided to drop support for it in their recent versions.

I have been setting up some personal virtual machines for the purpose of testing software. It is always a good idea to start off with a virgin machine when doing testing.

I hope that Oracle does not kill this product!

Verifying Anonymity

When it comes to electronic voting, the biggest problem has always been the divergent requirements of maintaining the anonymity of a ballot versus the authentication and verification of a voter with the ballot. There is a lot of research going on to ensure that all of these requirements are taken care of. While the following is a good step in the right direction, it has one specific assumption – that the ballot sheets are given out randomly. It is unlikely that such a thing can be done fairly and easily.

Waterfall Model Failure

I recently saw the video on “Real Software Engineering” and one of the things that struck me about the video is that it pointed out that the classic ‘waterfall model‘ of software development that we are all taught in schools, does not work. Not only does it not work, in fact, the original author and person attributed for inventing the model actually said that, “I believe in this concept, but the implementation described (above) is risky and invites failure.”