
Back from Taiwan



Front of TICC, originally uploaded by orderedpixels.

I’m back from the autumn Intel Developer Forum in Taipei, Taiwan, and posted a bunch of photos to my flickr photostream.

Both keynote demos and our robotics session went very well.

It’s good to be back home, though. I think I’m finally adjusted back to Seattle time.

So much for security

Comcast does a really annoying thing on their web sites that require you to log into your account. I’ve seen it other places as well.

It seems benign enough; it’s simply a little JavaScript that automatically places the cursor into the username field once the page has finished loading, the idea being that the user doesn’t have to click in the username field before he starts typing. Unfortunately, the script executes after the page finishes loading, which is usually a few seconds after the username and password fields first appear.

The standard behavior for a web browser is for the user to click in the field before starting to type, so as soon as the username field shows up, I click in it and type my username. Then, I hit the tab key, and begin typing my password. About the time that I start typing my password, the page finishes loading, and the bit of JavaScript puts the cursor into the username field.

This is at best annoying, if I catch what has happened right away, because it means I have to tab back down to the password field. But it can be more harmful than that: if I don’t catch what’s going on, and someone happens to be watching over my shoulder, I’ve just typed my password for him to see. Worse, if I don’t catch what’s happening until I hit the return key, and the web browser is configured to save the contents of form fields (which all of the popular browsers are by default), my password is now saved, in cleartext, in the browser configuration.
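To make the race concrete, here is an added example (not code from the original post or from Comcast’s site) showing the focus-stealing onload script next to a guarded version that checks whether the user has already started filling in the form. It uses a small hand-built stand-in for the DOM so it runs outside a browser; the `username` and `password` field ids and the `makeDocument` helper are assumptions.

```javascript
// Minimal stand-in for the parts of the DOM the two scripts touch.
function makeDocument() {
  const body = { tagName: "BODY", value: "" };
  const doc = { body, activeElement: body, fields: {} };
  for (const id of ["username", "password"]) {
    const field = { tagName: "INPUT", id, value: "" };
    field.focus = () => { doc.activeElement = field; };
    doc.fields[id] = field;
  }
  doc.getElementById = (id) => doc.fields[id];
  return doc;
}

// The script the post complains about: when the load event fires it
// unconditionally moves the cursor to the username field, regardless of
// what the user has already typed or where the cursor currently is.
function naiveOnLoad(doc) {
  doc.getElementById("username").focus();
}

// Guarded version: only place the cursor if nothing on the page has focus
// yet and the username field is still empty, i.e. the user has not begun.
function guardedOnLoad(doc) {
  const username = doc.getElementById("username");
  const userIsBusy = doc.activeElement !== doc.body || username.value !== "";
  if (!userIsBusy) username.focus();
  return !userIsBusy; // true when focus was actually moved
}

// Replay the sequence from the post: the user types a username, tabs to
// the password field and starts typing before the load event fires.
function simulate(onLoad) {
  const doc = makeDocument();
  const username = doc.getElementById("username");
  const password = doc.getElementById("password");
  username.focus();
  username.value = "alice";   // constructed sample input
  password.focus();
  password.value = "hu";      // constructed: password partly typed
  onLoad(doc);                // page finishes loading at this moment
  return doc.activeElement.id; // where the rest of the password will land
}

console.log("naive:", simulate(naiveOnLoad));     // username
console.log("guarded:", simulate(guardedOnLoad)); // password
```

In a real page the HTML `autofocus` attribute on the username input gives the same convenience without a script and without the race, since the browser applies it as soon as the field is rendered.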

On the subject of logging into web sites, something else that’s becoming increasingly common that I don’t understand is the use of a user-chosen image to verify the identity of the site you’re logging into, combined with the separation of the username and password fields onto two separate pages. The idea is that you enter your username, hit submit, and then the password field is presented to you, with an image that you’ve previously selected. You’re then supposed to verify that the picture is the one you expect before entering your password, so you don’t inadvertently type your password into a phishing site.

However, what’s to stop a malicious site from asking for your username, using that username to submit a login request to the real site you’re trying to log into, retrieving the image, and displaying it to you with the password prompt? Sure, it makes things slightly more complicated for a phisher, but only slightly. It merely provides the illusion of security to the user, while requiring two pages to be loaded to complete the login process instead of just one.

And don’t even get me started on the “security questions” that most sites allow you to use to reset your password. People frequently have all of the answers to those things posted on their MySpace or Facebook pages. It doesn’t matter how secure your password is if someone only has to look at your profile to find out where you were born.

Flickr



View from my window, originally uploaded by orderedpixels.

I’m trying something new.

One of the reasons I haven’t been posting to Ordered Pixels very often anymore is that the way I have it set up now, it’s kind of a pain to do. I need to get the photos off of my camera, sort through them, upload the ones I like via SFTP, and then compose a post with a bunch of custom tags that I’ve added to WordPress. It’s not that bad, but it’s more work than just picking a few photos and writing some text. It worked fine back when I was a college freshman and actually remember being bored at times (what a novel concept!), but nowadays I take a few photos, think about uploading them to Ordered Pixels, and then decide I’ll get around to it later. Which, of course, never happens.

So, I thought I’d give the whole flickr “photostream” thing a try. You can see my photostream here, and there’s an RSS feed there that you can subscribe to. I’ll also occasionally blog photos here on the main Ordered Pixels blog, like this.