Dealing with digital mess – Part 2: Passwords

2006/12/31

Today’s topic is dealing with sensitive information – such as logins, passwords, PIN numbers, credit card numbers and so on.

Up to last week, I was using the SplashID software to keep everything worth securing secure. I started to use SplashID back in 2001 when I bought the Palm based Sony Clie SJ30 (as a replacement for the wonderful Palm IIIxe). The Palm based program came with a desktop counterpart that allowed editing of entries. Later in 2004 when I switched to Pocket PC, I simply purchased the Windows Mobile version of the same software.

So – similarly to TheBat!, this was a legacy, and similarly to TheBat! it had to go for two main reasons: closed source with a proprietary format, and mostly Windows-only. Technically, there is a Mac OS X desktop client for SplashID, but both Windows and Mac desktop clients are mainly add-ons to the mobile platform counterpart. They focus on the problem of synchronizing one desktop with one or more mobile devices, but they do not do a good job of synchronizing two desktops.

I also found out that I do not really use the Pocket PC for other purposes than reading eBooks and sometimes looking up a phone number or address. Since I have a MacBook, the latter happens really rarely, because the MacBook wakes up almost instantly and it takes about the same time to find an address on the PPC and on the Mac.
After some research and evaluation, I have decided to go with the open source solution KeePass. It is available for Windows as well as for MacOS and Linux, and in case I’d like to use my Toshiba again there is even a PocketPC version. The binary file format is 100% compatible – I tested that a file created on Windows works fine on Mac. I am not competent enough to judge the cryptographic capabilities of the system, but I trust the open source peer review process :-). The authors seem to know and care about security a lot – for example, after you copy a password from the entry edit form into the clipboard, the program automatically clears the clipboard entry after a defined amount of time (default is 10 seconds). Also the user interface is very nice and what I liked is the visual indication of the password strength – it gives you some idea of how bad your passwords are. If you are really security conscious, it has a nice generator of really strong passwords – the ones that you probably will not be able to enter without the clipboard.
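To make the three features mentioned above concrete, here is an added example in Python (it is not KeePass code, and KeePass’s own generator, strength meter and clipboard timer are implemented differently). It generates a password from a CSPRNG with every requested character class present, estimates the brute-force entropy that a strength meter typically displays, and models the “forget the secret after N seconds” clipboard behaviour with an explicit clock so it can be checked without waiting. The character classes, the label thresholds and the 32-character pool for unknown characters are this example’s own assumptions.

```python
import math
import secrets
import string

# Character classes for the generator (an assumption for this example; KeePass
# lets you pick classes in its own generator dialog, but this is not its code).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}


def generate_password(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Return a random password drawn with the secrets module (a CSPRNG),
    containing at least one character from every requested class."""
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    # One guaranteed character per class, the rest from the whole alphabet.
    chars = [secrets.choice(CLASSES[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow, so the guaranteed
    # characters do not always sit at the front (random.shuffle is not a CSPRNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def alphabet_size(password):
    """Size of the combined alphabet of every class the password uses."""
    size = 0
    for chars in CLASSES.values():
        if any(ch in chars for ch in password):
            size += len(chars)
    if any(all(ch not in chars for chars in CLASSES.values()) for ch in password):
        size += 32  # characters outside the known classes: modest extra pool (assumption)
    return size


def entropy_bits(password):
    """Brute-force entropy estimate: length * log2(alphabet size). This is the
    kind of number a strength meter shows; it overstates the strength of
    dictionary words and keyboard patterns, which are guessed long before a
    full search of the alphabet."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def strength_label(bits):
    """Map an entropy estimate to a coarse label (thresholds are this example's own)."""
    if bits < 28:
        return "very weak"
    if bits < 36:
        return "weak"
    if bits < 60:
        return "reasonable"
    if bits < 128:
        return "strong"
    return "very strong"


class ClipboardStandIn:
    """Stand-in for the clear-after-N-seconds clipboard behaviour: holds one
    secret and forgets it once ttl_seconds have passed. The current time is
    passed in explicitly so the behaviour can be checked without sleeping."""

    def __init__(self, ttl_seconds=10):
        self.ttl = ttl_seconds
        self._secret = None
        self._copied_at = None

    def copy(self, secret, now):
        self._secret = secret
        self._copied_at = now

    def paste(self, now):
        if self._secret is not None and now - self._copied_at >= self.ttl:
            self._secret = None  # expired: clear it rather than hand it out
        return self._secret


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(pw)
    print(pw, round(bits, 1), strength_label(bits))
    clip = ClipboardStandIn(10)
    clip.copy(pw, now=0.0)
    print(clip.paste(now=5.0) is not None, clip.paste(now=10.0) is None)
```

A 20-character password over all four classes (90 symbols) estimates to about 130 bits, which is why such passwords are only practical through the clipboard; an 8-letter lowercase word estimates to under 38 bits even before accounting for dictionary attacks, which is the gap the strength indicator is there to make visible.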

I still need to solve the issue of synchronizing different desktops. For now I do it with this workflow: whenever I make a change in passwords or logins (this implies I am online), I send myself an email with the latest password file attached and enter a ToDo to update the other desktops. The file is very small – for a few hundred entries ~ 50 kB. The file sits in my mailbox and is always available. When I receive a new password file, I erase the previous one in the mail archive. Not ideal, but workable – because the frequency of adding new entries and changing passwords is not that high.

A friend of mine is using a USB stick on which he carries both the file as well as the KeePass software. This works too – assuming that you do not keep forgetting your USB key as I do. I have better results with email.

Final note on the conversion: it is possible to export the data as a CSV file and import it into KeePass. What was strangely more efficient for me was to transfer the entries by opening both programs and using the clipboard entry-by-entry. This way I got rid of some really obsolete entries, verified many passwords and URLs and changed several long overdue passwords.


How to get rid of Outlook: the plan

2006/12/30

I have decided to stop using Microsoft Outlook. No, I did not have any major issues with it, no horror stories of crashes, unreadable emails or viruses. As long as you use a decent anti-virus (for example this one), switch off automatic loading of images and never do anything stupid such as clicking on an attachment or a link in an email, you are reasonably safe. What got me to switch was the lack of interoperability between anything non-Windows and Outlook and the headaches of synchronization with on-line information. Using Outlook-only everywhere is not an option for me, because I need to use Mac as well as Windows and buying a license of Outlook for every notebook, PC and virtual machine would be prohibitively expensive.

The decision is the easy step; what is harder is to implement it. Outlook is (was for me) 4 different things:

– email client
– contact manager
– to-do list manager
– calendar

I am lucky enough not to be dependent on Exchange integration or on a corporate shared calendaring solution, which is often one of the main reasons people are stuck with Outlook. Until recently, I also needed Outlook to keep my PocketPC synchronized with the rest of the world. During the last few months, I have used my Toshiba e830 more and more as an eReader device and less for actual information processing, so this became less critical. The final blow came from an unexpected angle – when I discovered The Missing Sync. I can synchronize the PocketPC on the Mac, without needing Outlook or even Windows.

To completely avoid Outlook, I need to find a reasonably good replacement for each of these 4 areas, so that the result is better, more open, location-agnostic and multi-platform. The result will probably be less integrated than Outlook, but that’s the reality of Web 2.0 versus desktop applications.

– For email, I have a good solution in the combination of GMail/Thunderbird (see yesterday’s entry).

– For calendar, I am evaluating Google Calendar.

– For ToDo’s, my current favorite is Remember The Milk.

– Right now, the toughest part is contacts. Still working on this one.

I will cover these in the coming days. Stay tuned.


Dealing with digital mess – Part 1

2006/12/29

In a certain sense, people and companies have one thing in common. If you have been around for a few years, you collect, acquire or create a very strange collection of tools, platforms, software and data formats. In short, you end up with lots of digital mess. I am planning to make a major cleanup and streamlining in 2007 – consolidate the hardware, software, data formats and workflows both at home and at work.

I have read the GTD book and many interesting articles and blogs on how people implement it. I noticed that the best way to succeed is to follow and customize the GTD approach for your own circumstances, and build a set of tools and processes that make dealing with stuff easier, faster and more efficient.

Most of my “data stuff” consists of:

– email(s)
– appointments and todo’s
– contacts and people information
– passwords and sensitive information
– links, bookmarks
– chunks of information from the Web
– active content (documents in process)
– reference – finished documents , files
– ebooks
– music (MP3)
– images and digital video
– source code examples and chunks
– backups, archives and data CD/DVD’s

I’d like to review and adjust all of the above over the next month or so. I am saying next month – this is no new year resolution thing, it is more like a convergence of the technology being available and the size of the mess to deal with being uncomfortably large. Streamlining and simplifying email seems like a good place to start – for one single reason: it keeps coming 🙂

Dealing with Email

Here is what I had up to last week on the email side:

– multiple email accounts (GMail, Yahoo, several Rogers-Yahoo accounts)
– multiple email clients on multiple platforms: Outlook and Thunderbird on Windows, Mail (and possibly Thunderbird) on Mac OS, none (only Web based access) on Linux

There are two basic workflows with email: one is daily use – reading/writing/answering. Occasionally you need to search back and find something for reference. The other is organizing, archiving and searching for historical purposes. Unlike the first one, which must be done daily and from everywhere, the latter can be executed from a dedicated place, which allows the really old archives not to be online. The setup I was using until the end of this year was to configure each email client to leave messages on the server and then, using a single “sink”, once in a while download the old messages into an archive. Sort of a many-to-many setup, each client pulling emails from several on-line accounts. As a result, I had many duplicate copies of emails on many machines. Every sorting and structuring of email was very time consuming and because there was never a simple way to “repeat” the cleanup/organizing from my desktop to my notebook, it was seldom done … I was also never sure that any local client had a complete snapshot – in case the client was down during archiving it could miss part of the conversations.

I had two main goals on the desktop side of email: to decrease the number of email clients to a maximum of 2 and to define a “standard” client. The format of the stored email must be open and client independent (to avoid lock-in), must be multiplatform (so that I can move to Mac as main home platform as soon as Leopard is out) and must be programmatically accessible (so that I can later process information from emails). The only email client that fits is Thunderbird, which fortunately uses an open format, is cross-platform, free and nicely extensible by plugins – and there are many other good reasons for using it.

This also pretty much excludes Outlook as an email client because it uses a proprietary binary BLOB format with a fairly bad track record of reliability and is (for all practical purposes) Windows only. For historical reasons, I was also using TheBat! for the “sink”. The Bat has the same issues as Outlook, so the first task was to get my old emails out of the proprietary TBB format into something more portable and more open.

Converting TheBat! email to Thunderbird / mbox

It is very easy, but needs some manual work. In TheBat! you can export one folder at a time into Unix mbox format. You have to select all messages (Ctrl-A) in the folder, select Tools -> Export, Unix mailbox and it is done. As long as you do not forget to select all messages, you will be fine. The resulting file is probably the most accessible and portable format your email can be in. You can easily import the emails from mbox into Thunderbird with the free plugin mboximport. Conversion works like a charm, including the attachments. The result is also very easily accessible – e.g. see examples using Python here.
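As an added example of what “programmatically accessible” buys you once the mail is in mbox (this is my own illustration, not code from the post, from TheBat! or from the mboximport plugin), the script below uses Python’s standard mailbox module. It writes a small constructed mbox file in which one message appears twice, the way the many-to-many setup described earlier left duplicate copies on several machines; it then writes a deduplicated copy that keeps the first message for every Message-ID, leaves messages without that header alone, and lists what survived. The message contents and file names are constructed for the example.

```python
import mailbox
import os
import tempfile
from email.message import EmailMessage

# Constructed sample messages (not real mail). The third entry repeats the
# first Message-ID, standing in for a message that two clients both pulled down.
SAMPLE_MESSAGES = [
    ("<a1@example.invalid>", "alice@example.invalid", "Hello", "First message"),
    ("<b2@example.invalid>", "bob@example.invalid", "Report", "Second message"),
    ("<a1@example.invalid>", "alice@example.invalid", "Hello", "First message"),
]


def build_sample_mbox(path):
    """Write SAMPLE_MESSAGES to a new mbox file at path."""
    box = mailbox.mbox(path)
    try:
        for mid, sender, subject, body in SAMPLE_MESSAGES:
            msg = EmailMessage()
            msg["From"] = sender
            msg["To"] = "me@example.invalid"
            msg["Subject"] = subject
            msg["Message-ID"] = mid
            msg["Date"] = "Fri, 29 Dec 2006 10:00:00 -0500"
            msg.set_content(body)
            box.add(msg)
        box.flush()
    finally:
        box.close()


def dedupe_mbox(src_path, dst_path):
    """Copy src to dst, keeping the first message seen for every Message-ID.
    Messages without a Message-ID are always kept: a missing header is not
    evidence of a duplicate. Returns (kept, skipped)."""
    seen = set()
    kept = skipped = 0
    src = mailbox.mbox(src_path)
    dst = mailbox.mbox(dst_path)
    try:
        for msg in src:
            mid = msg.get("Message-ID")
            key = mid.strip() if mid else None
            if key is not None and key in seen:
                skipped += 1
                continue
            if key is not None:
                seen.add(key)
            dst.add(msg)
            kept += 1
        dst.flush()
    finally:
        src.close()
        dst.close()
    return kept, skipped


def summarize(path):
    """Return a list of (From, Subject) pairs, one per message in the mbox."""
    box = mailbox.mbox(path)
    try:
        return [(m["From"], m["Subject"]) for m in box]
    finally:
        box.close()


def demo():
    """Run the whole round trip in a temporary directory (file names assumed)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "thebat-export.mbox")
        dst = os.path.join(tmp, "archive-clean.mbox")
        build_sample_mbox(src)
        kept, skipped = dedupe_mbox(src, dst)
        return kept, skipped, summarize(dst)


if __name__ == "__main__":
    kept, skipped, rows = demo()
    print(f"kept {kept}, skipped {skipped}")
    for sender, subject in rows:
        print(f"{sender}: {subject}")
```

Point dedupe_mbox at a real exported folder instead of the constructed file to merge the copies that several clients pulled from the same account; keying on Message-ID rather than on subject or date is what keeps two genuinely different messages with the same subject from being collapsed.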

Unlike some people, I spend very little time working on my emails offline. For that reason, the biggest simplification and improvement is using on-line email as the base repository, rather than trying to keep it on desktops. This removes problems with email synchronization and makes it always available. The desktop clients are really meant to be used mainly for back-up and archiving, occasionally for more comfortable editing or editing offline.
When deciding between Yahoo and Google as main online platform, Google won. Both services give 2 GB free storage (Google right now almost 3 GB), both provide POP access. GMail user interface is however much more user friendly and lighter. Yahoo mail 2.0 is taking too much memory and power to run – and the old one is nowhere close to GMail. GMail also nicely integrates (by personalized Google home page) with Google Docs and Google Calendar which I am using a lot (and will need a lot for other categories of stuff).

To make Google the central email hub is quite easy. You need to redirect other emails to GMail. Rogers-Yahoo allows that – after you set the redirection email, you need to send a verification request and enter the code from the received email – to confirm that you own the destination email address. After that, all works and all the spam that would otherwise be downloaded to your PC and filtered by the excellent spam filters of Thunderbird will be caught by GMail spam filters.

After this, none of the Rogers email accounts on my machines are receiving any emails. In order to make all sent email from any PC or Mac available in the global repository, it is necessary to add a rule ‘Bcc: my-gmail-account’ in every Thunderbird email account that can be used for sending email. With this change, all is set.

The Thunderbird(s) and Mail.app are now used only for sending email and editing off-line emails (should it be necessary).

GMail allows you to use multiple identities – you can set multiple From addresses and select (when writing a new email) which one to use. This feature is available from Settings->Accounts. The email addresses you use must be verified (by clicking on the URL in the verification email) as addresses owned by you.

There is one “feature” of GMail that needs to be mentioned: when you have multiple clients that use POP to download GMail messages, unlike with my Rogers accounts, only the first client downloads a message. This can be used to your advantage when you set up one dedicated client to do frequent checks for new emails and all others to do no automatic checks – this way all your email will be automagically archived on one of your clients.

What are the achievements of all these changes:

– all my email is available on-line via GMail (platform agnostic)
– all clients are more or less just convenience how to send email when working offline
– all email is archived in one place (home desktop), in an open and portable format (Thunderbird mbox). Most of the email still stays on-line
– there are no duplicates of emails in the clients
– rather than trying to sort emails into folders, I use tags and the Archive feature of GMail. Searching works well enough and the whole process is much faster.
– Outlook as email client is gone, as well as problems with PST format (like synchronization)
– TheBat! as email client (archiving sink) is gone, archiving is now platform-agnostic mbox. Old archives are converted to mbox.

Nice start !


Sales as Con Art – or welcome to Direct Energy flat rate plan

2006/12/28

In over 8 years of living on this continent I’ve developed a reasonably thick skin in dealing with business calls, unsolicited mailings and other annoyances of aggressive selling. I was pretty sure nothing could make me really upset. Up until yesterday. Thanks to the amazing capability of the Direct Energy sales force, who do not take No for an answer.

But let’s start from the beginning. About 3 weeks ago I started to get frequent calls from Direct Energy about their flat rate plan. After avoiding them a few times, I realized that they would not give up and answered the call. I got myself into a discussion with a guy who wanted me to lock in my price per kWh for the next 5 years. Sort of a protection plan. The idea is that you pay the same amount – starting with higher than market price – and as the price goes up, you may end up better off over time.

As I never buy anything from a telemarketer, I said no. Upon insistence, I agreed that it is OK to mail me information about the prices and so on. I was very explicit to repeat about three times that I am not ordering anything, or enrolling into any plan – and the guy agreed. Just an information – no obligations.

Now guess what: yesterday I received a letter starting with the sentence “Thanks for enrolling into flat rate …”. That got me really going. I had to call customer support just to find out that I was indeed enrolled. I cancelled, of course, but feel this is such rude and inappropriate behaviour that it deserves some publicity.

What is the proper English term for this “business” method – when a sales person is openly lying to you? It is not false advertising. In that case, the consumer decides to buy based on incorrect information – but in the end, it is the customer that says yes and decides to buy. I am not a lawyer, but what happened sounds like fraud to me – I was put in a position to be paying for something I have not ordered. And because one can safely assume I was not the only case they have tried it on, maybe even a scam? It would not be the first time:

http://www.ontariotenants.ca/electricity/articles/2003/cp203f20.phtml

“Direct Energy Marketing Ltd. and Ontario Energy Savings Corp. have been fined a total of $232,500 after some of their agents apparently forged signatures on 31 consumer contracts, the Ontario Energy Board said today. Direct Energy was fined $7,500 for each of the 21 switched consumers and Ontario Energy Savings Corp. was fined the same amount for 10 switched consumers.”

The only difference is that now, they are not even bothering to fake your signature – they just sign you up, because you have answered the phone.

There seems to be nothing wrong with the idea of locking down the rate you pay for electricity for 5 years. Assuming that a) the prices will go up by a predictable amount and b) you will indeed be able to get electricity or whatever you paid for for the full duration of the contract. There is even a sound business plan behind it – with enough subscribers, you can buy in large quantities with a discount and have a decent margin. What happened to a friend of mine was that he enrolled and paid the higher price for about 2 years. In year 3, the company he had the contract with claimed bankruptcy and the new company promptly offered a new 5 year plan – for a price about 30% above the market price in year three. Hmm, how very convenient …

As Hanlon’s razor says: never assume malice when stupidity will suffice. Last week, I would have given them the benefit of the doubt. Not today, I am afraid.

Lesson learned – never ever go into any discussion with a business caller. If you want to save time and do not mind sounding rude, just say NO and hang up on them. If you want to invest some time and avoid being rude, here is what you can do: start recording the phone calls and tell the bugger you are doing so. Ask them to remove your name and phone number from their list – technically, they should be obliged to do so when you ask. You can also ask for the intruder’s name, home address and home phone number – why should only you have to provide private information to him/her? Ask also for the name of the manager or superior, and his or her home phone number. When they ask why, tell them that you would like to call them at home, in their private space, just to let them experience how it tastes when an unwelcome stranger interrupts whatever they are doing and steals their time talking about some stupid braindead useless product or service. Let them feel the pain.


Publish your own book – or Lulu.com rocks!

2006/12/27

One of the most successful presents this Christmas was five copies of the same book. Not just some kind of a book. Our daughter got five copies of the book she authored as a surprise. How can this happen?

I was toying with the idea of trying out a self-publishing on-demand printing company that would allow you to create and publish a book without spending hundreds or thousands of dollars as investment – sort of a “pay as you go” plan. The only way to do it is to create the printable book yourself and find a publisher that can do print on demand. Most companies that I found were selling packages in the price segment of $800 to a few thousand dollars, which included professional assistance in book creation: proofreading, editing, graphics design etc. One company however offered exactly what I needed: a service that allows you to upload a content file, design the cover and order as little as a single copy – or as many as you need. No setup fees, publishing packages or minimum orders. See www.lulu.com for more detail. So we decided to give it a try. It was an easy decision because manually printing the color pages and paying for binding would cost about 3 times more than the price on Lulu.

You do not need any special software to create content – a Microsoft Word document, RTF or PDF will do fine. If you upload a DOC, Lulu converts it to PDF for you and gives you a preview of the final product. Because the files can be big – sometimes too big for HTTP upload – Lulu offers an FTP upload service.

I had no commercial intentions with the book, I just wanted to create a great gift. You can, however, decide that you want to publish for profit: Lulu gives you the per-copy production cost, you set the price and from the difference, Lulu gets a commission. You keep the copyright, and you can decide whether the book is private (available only to you) or public – available to everybody. You can also, for about a hundred bucks, purchase a distribution service – your book will get a real ISBN and will be available for order from Amazon or Barnes&Noble and independent stores.

The on-demand printing takes about 10 business days for paperbacks, 15 days for hardcovers. We received our books on time, despite the pre-Christmas volume. I also exchanged a few emails with technical support: their answers were fast, professional and actually helpful – a quality not seen so often these days (hi there, Internet cable company, speaking of you).

The quality of the books is excellent. Very good printing, great color reproduction and good paper. It made a perfect present, made our daughter very proud and me and my wife very happy. Highly recommended. In case you want to see the book, here it is. It is even available for ordering :-). Big thanks to Lulu for making it possible.

Disclaimer: I am in no form affiliated with Lulu.com. I just liked the idea and enjoyed their great service.


Vista security and Java

2006/12/26

I had a brief MSN chat with a friend of mine today, who tried to install and use Vista as a development platform. I mean install on the real hardware, in order to use it as the core operating system. I have no feedback yet on how Visual Studio works, but as he found out, the Ant build files he uses to compile and deploy Java programs stopped working – because Vista did not allow Javascript files to be copied. I can understand why Javascript files are treated with caution – however, a file copied from a local file to a local file should not be treated the same as one downloaded from the internet.

Problems like this one were not occurring on XP for two main reasons: one, because XP security was nowhere near the same level and two, because pretty much every developer was running XP as administrator. Using an admin account for everyday work is bad for security and Microsoft tried hard to create a system that would be actually usable when logged on as a standard non-privileged user.

If surprises like this one occur too often, people will likely decide to go back to running as administrators again … which defeats the idea of having better security under Vista. If I think about it, all code related demos at the “Ready for the new day” event were done under an administrator account. Is it because this is the only practical way to develop applications under Vista?

I guess Steve Gibson’s scepticism about the early adoption of Vista was not far off (again). Let’s wait for real stories from real use scenarios and maybe even a Service Pack 1 – and then evaluate whether Vista is already prime-time ready for a developer.


Got the Sony reader :-)

2006/12/24

Despite Sony’s attempt to ignore non-US markets and leave Canadians in the cold (pun intended, even if it is still above zero), I have become a proud owner of the wonderful gadget for all eBook fans. I still do not have it physically, so I cannot put it under the tree. It is coming next week, when my friend who now enjoys vacation down in the south returns. He was not only very kind to buy one for me too, but he also wrote a wonderful review which he is going to post on the Net. I will add a link as soon as it happens. Until that time, here is the summary, in his very own words:

“So in short, I am really impressed by the Sony eReader. Everything from case construction, functionality, file format support, screen resolution, and most importantly the actual readability of the unit all hit the target. You really have to see it to believe it. The only negative comments are the lag-times between screen refreshes, and the somewhat unintuitive menu navigation. As far as future functionality (wish list), I can imagine that full color support will be the next thing on the list, as well as searching and annotation of documents, and maybe even support for wireless connectivity for good measure.”


Statistics are fun

2006/12/23

I have recently discovered a nice feature of WordPress – the Dashboard, which shows the number of visits, but also shows incoming links and the search phrases people used to land on my blog. Sometimes they provide really interesting and surprising insights. Of course, I do not see who they are or where the visitors are coming from – so no privacy concerns.

Because of my first name (which is btw an abbreviated form of Miroslav), I am getting some visits from people interested in the works of Joan Miró – Spanish/Catalan artist. Must be quite a disappointment for them, sorry. Nothing to do with visual arts here – unless you count the art of coding ;-).

Here are a few examples:

– books about miró – see above.
– Linkify Firefox extension
– mac open .cdr image
– fedex memphis ottawa apple – looks like somebody else from Ottawa is expecting a Mac delivery
– weird spreadsheets – how did I get to this one?
– ready for a new day event – maybe the marketing department is checking feedback
– C# 3.0 versus Java – I plan to get back to C# vs Java
– firefox linkify – surprisingly, the Linkify extension gets a lot of searches.
– undocumented Miro – what the heck is this?
– c# ORM Dynamic Method – good idea for an entry
– c# mixing compiled and dynamic code – I’d look at IronPython first, folks
– business objects c# 3.0 – after my project is over, I’ll do a summary of “Doing business objects with CSLA – lessons learned”
– miro’s world – I like this one, somebody who knows what to search for 🙂


Few more podcasts

2006/12/21

Unfortunately, as of last Sunday I have run out of the backlog of Security Now! episodes, which means that with all three of my favorite podcasts (Twit, Windows Weekly and Security Now!), I am pretty much dependent on their weekly releases. This is a problem, because the sum of 5-7 weekly commutes to work and back (about 15 minutes one way) plus about 40 minutes in a gym every day equals about 6 hours of required podcast quality content, and the new episodes of the three podcasts above cover barely half of it.

So I needed to enhance the podcast menu. Here is what seems to work and what worked less well:

1) Merlin Mann’s 43 Folders podcast. As with Steve Gibson, I listened up to the current one and enjoyed it a lot, especially the episodes with David Allen. Fast paced, entertaining, informative. I liked Merlin’s humor.

2) FLOSS – do not run away, this has nothing to do with that scary profession, it stands for Free Libre Open Source Software. I started to listen from the beginning. It is interesting to hear the people you know through their code or technical achievements as living human beings. The quality of the podcast (both audio and moderation) is not as good as the other Twit series – but I guess Leo cannot be everywhere and the content is heavily dependent on the guest. So far I am at episode 4; episode #2 with Ben Goodger (Firefox) was interesting, #3 (Rob Malda aka CmdrTaco of Slashdot) was not so great.

3) Cranky Geeks. Run and moderated by John C. Dvorak. At first I thought this would be something as good as TWIT, but it was not quite so. Maybe it’s the selection of the guests, maybe the selection of the news they focus on, but IMHO John put together with a few more cranky geeks, without the compensation of a basically positive, enthusiastic person such as Leo, leads to overcrankyfication (at least for my taste buds). Second – the commercial breaks. There are way too many and they are way too annoying. I can accept TWIT’s 2-3 commercial plugs about Dell, Vista or Astaro, but this is overkill. If John does not make you cranky, the ads will. Use with moderation 🙂

I have also downloaded back episodes 1 to 45 of Security Now!, which were not in the iTunes subscription – at least I have not discovered how to make them appear there – from grc.com and will listen to them. Unlike the news based podcasts, the topics are still very valid and relevant. Thanks, Steve and Leo – you are fantastic.


Unlike Vista, this user interface *is* something new

2006/12/20

Quite seldom do I see something on the net that is elegant, beautiful, and simple – so simple that it becomes obvious. The last time I had this feeling was with the iPod’s wheel.

There was lots of excitement about the new Vista user interface features. Users who have never used or seen OS X must love Vista. It is a huge improvement over XP – much nicer, cleaner, very good typography, comes very close to Tiger. Linux users have their own great looking desktop, XGL. From the human-machine interaction point of view, neither Vista nor XGL really brought anything new – they just caught up with Apple and added a bit of eye candy on top. All this 3D-turning, spongy shaking windows, transparencies and rotating planes look indeed nice, but add very little to the functionality of Exposé (besides, no one except Apple has two finger trackpad scrolling). So what is so cool about BumpTop? Everything.

The user interface paradigm demonstrated in the BumpTop prototype combines 3D graphics and physics in very new and creative ways. But see for yourself. The site offers hi-res videos in QT and WMV formats as downloads or torrents. The YouTube link to the low res version is here. The lasso-n-cross idea and pile/unpile are so impressive. Enjoy!