Tuesday, April 29, 2008

Doubly Encrypted for Extra Safety

Floating 'round the twitterverse today was a new service called twittersnooze. The possibilities for twitter apps seem endless, and considering how easy and, well, fun the api is to play with, I'm sure there will be many more.

Among other nice features, I applaud the auther's honest disclosure that "TwitterSnooze stores passwords on the DB". Currently as the twitter api is written, this is a necessary evil for an application of this sort. If you want to authenticate, you need the user's password in plaintext.

However, there is a way around this that I think twitter, and other web sites that have apis should consider doing (I think lastfm does this, but I'm not sure). Basically I am suggesting that the site doubly encrypt their passwords, and make the first level of encryption publicly available. How exactly would this work? In this example, I will describe a double encryption scenario using salted md5, and I will use twitter and twittersnooze as api providers and consumers:

  • When the user signs up for twitter 2 salts are generated (salt1 and salt2) and the password (plaintext) is then encrypted as: md5(salt2 + md5(salt1 + plaintext))
  • Both salts will be stored in the twitter's user table, as will the result of the double encryption.
  • Salt1 will be made available through the api without authentication.
  • When a user signs up for twittersnooze, twittersnooze will make an api call to retrieve salt1. It will then encrypt the user's password as md5(salt1 + plaintext) and store the hash in it's user table.
  • When twittersnooze needs to authenticate as the user, it sends the hash that it has stored. Twitter then applies md5(salt2 + hash) and checks that it matches it's own user table.
  • Viola! No plaintext passwords stored anywhere!
Some other benefits:
  • Twittersnooze can now use the twitter password for its own user accounts, saving the user the trouble of creating a new account.
  • The plaintext password never has to be transmitted over the wire between twittersnooze and twitter.
  • If salt1 == salt2 then there is no additional storage requirements for twitter.

Of course, there are other approaches. The first one that comes to mind is to generate api keys for every user, which can be fetched via their api. This is certainly better than nothing, but has the drawback of requiring that the plaintext password be sent over the wire for authentication when the api key is fetched.

Please note that I am not suggesting that applying md5 twice is stronger than applying it once. Thats a different issue and I think thats what people usually mean when they say "double encryption". Rather, I am suggesting that doing it obviates the need to store plaintext passwords.

If tweetersnooze's database was compromised under this scenario, it would still be a security breach for twitter. It would not, however, impact the naive user who uses the same password for twitter that they use for their online banking.

Any thoughts?

Labels:

Sunday, April 06, 2008

LOTD tracker update II

The great staff over at wiredset (the makers of trendrr) fixed the bug, and I was able to update the bad data points. Thanks so much Dustin for the quick turnaround, and on a Sunday nonetheless!!

Muxtape - clean and simple

I have to admit that like so many others I am impressed by Muxtape. A UI experiment that has caught like wildfire, clearly Justin filled a need, and did it with style and skill. I put up a muxtape of some stuff that I am currently into, and I put a good amount of thought into the selections and the ordering.

Of course, the biggest question is the business model. 3 possibilities:

  • Linking to amazon, and/or itunes and even possibly giving the muxtape author a cut of the revenue generated from singles sales. (This came up at the most recent NY tech meetup)
  • Audio ads at some point through the muxtape.
  • MICROPAYMENTS!! Whether you pay 10 cents to listen, or you pay 10 cents for for someone else to listen, I think its time micropayments started coming into play in the US.
Here are some other suggestions:
  • Multiple file uploads: Wouldn't it be much easier if you could queue your uploads at once, and then click upload for all of them? I really don't like that I have to go one file at a time. One possible way to do this is with a java applet (gasp) called jupload but theres got to be a way to do it with javascript and iframes.
  • Uploads out of order: I uploaded my playlist in the order in which I wanted them to play. It wasn't until I was done that I realized I had to reorder them as they were backwards. (The last track uploaded was the 1st in the playlist)
  • Mixtapes always had an intended audience, so should muxtapes: I think this is my biggest criticism. I like that muxtape forces you to edit down to 12 songs. However, if the idea is to simulate the old school mixtape, then it fails for this reason. I always made mixtapes with an audience of 1 in mind. How can I make one mixtape that my mom would like and my weird friend from college would also like?? I can't.

Finally, I want to thank Justin for perhaps the biggest innovation on the site. I think its absolutely brilliant that muxtape doesn't require you to enter your password twice when you register. I have always believed that I could manage to get my password right on the first try, and finally someone gave the chance to prove it. I am really curious to know whether this has caused significant problems with registration or not.

So, please give my muxtape a spin. I guarantee there will be music on it you have never heard, and just maybe something that you will enjoy.

LOTD tracker update

I am very proud to have gotten a link from Fred Wilson's blog mentioning the lyric of the day tracker that I built. Of course, I have been going crazy all day trying to figure out how to fix the data problem that was caused by twitter being down last night for maintenance.

I guess I could have handled bad data in my bot's code, but I thought I would be able to manually edit the data if there were any problems. I still think that I can, but I can't seem to do it at the moment. Either trendrr is having a temporary problem, or there is a bug in their site as their data view clearly allows for in place updates of the data, however it doesn't allow for saving the change. I have several frantic emails in to trendrr support, however something tells me they have better things to do on a Sunday :)

Anyway, I hope to fix the data soon. I am excited to have the views and the link, but of course I want it to be perfect.

Friday, April 04, 2008

Lyric of the Day Stats


http://www.trendrr.com/timeseries/378706
Written in ruby using Hpricot. Unfortunately I couldn't see where the twitter api allows for fetching the post and user counts for an account, so I just use the original web api. Updated hourly.

Wednesday, April 02, 2008

Back from the dead

I'm too excited about goings on online and in my life to keep quite. I'm baacccckkkk....

Friday, June 23, 2006

InC.pdf (application/pdf Object)

InC.pdf (application/pdf Object)



Piece of musical history (and cool)
This is the score to Terry Riley's 1964 classic work entitled "in c". It is a seminal work in minimalist music, and spawned a new type of composition, the use of rhythmic patterns that are combined by the performers. Even if you cant read music, I recommend looking at the instructions given to the musicians which are pages 2 and 3.
posted by peter

Tuesday, May 23, 2006

Ornette Coleman - Body Meta

Ornette Coleman - Body Meta

Personnel: Ornette Coleman (saxophone); Charlie Ellerbee, Bern Nix (guitar); Jamaaladeen Tacuma (bass); Ronald Shannon Jackson, Denardo Coleman (drums). Recorded at Barclay Studio, Paris, France in 1975. Includes liner notes by Ornette Coleman. Digitally remastered by Quintessential Sound. One of the most important jazz albums of the 1970s, BODY META arrived at a time when many had declared jazz t...

What a tornado would sound like
if it played instruments. This is Ornette blowing the whole thing wide open. Forget about traditional Jazz, forget about Rock, forget about funk. How about two Drummers, two guitarists, and Jamaaladeen Tacuma who might as well be two bassists just wailing. Then on top of it all, Ornette blowing like the wind. You don't know where he is going, but he is going there, and the band is coming along with him, propelled by his improvisations. The heads are great. Voice poetry, the album opener, is perhaps the most interesting. First an eiko eiko like drum beat with guitar chords hit emphasizing the beat. Then the bass and second guitar enter, playing off each other and making no attempt to hold things down, as the beat is already established. Finally, after several minutes of increasing tension, enter Ornette. Perhaps his most dramamtic entrance. More than a dramamtic entrance, Ornette's exposition of the head of this song is one of his finest moments, and his dive into improvisation is immediate and signals the arrival of a completely new music. More than music, I see prime time (The name ornette gave his fusion band - which debuts on this album - and yes, it's a bad pun) as a force of nature. This is a challenging album, and probably not a good introduction to Ornettes music (See in all languages), but it is a gem.

posted by peter

Saturday, March 11, 2006

Japanese Temple in Hawaii


Japanese Temple in Hawaii
Originally uploaded by pooty_tang.
This is my attempt at tiltshift - I don't think it looks like a model, but I am happy with it nonetheless. This is a recreation of a Japanese temple that is in Hawaii.