Blog readership is apparently up just lately, according to FeedBurner. So: Hey, new people! Thanks for dropping by.

Though my other analytics tell me nearly every one of you is using an RSS feed, and so you guys ain’t actually dropping by. Which is fine with me; I don’t care either way. But it makes me wonder, given that not all web denizens are RSS-savvy: should I set up an email newsletter with essentially the same content? Or is it ridiculous to put effort into getting more people to read this stuff? I mean, shouldn’t I be writing just for…I dunno…the sheer creative joy, the alternative to self-medication, the ability to tell myself I’m doing something worthwhile without actually working?

Ha.

Here are some changes coming in the next few weeks to our favorite website backup provider:

• A free level of Scarecrow’s site uptime monitor. Most likely this will be restricted to a domain’s homepage, and will not include checking the page for specific text (which is helpful when customers want to verify their database is functioning, if the text comes from that database). Also, I’m playing with the idea of asking for, and possibly requiring, a link to Scarecrow as a condition. But hey: FREE!
• Another level of service, cheaper than the standard Scarecrow package, that includes a single site plus content (or source code) monitoring.
• The current package (four sites, uptime & content monitoring, plus backup/restore to & from the cloud) will remain in place. Which means, logically, that this bullet point shouldn’t be in my list. It was supposed to be changes only.
• A somewhat more expensive option, which will be like the current package but will include only two sites. Instead of four.
• Wait…what was that again?

Okay, the more expensive package is aimed at web developers. Or possibly small-scale web hosting resellers. Excuse me a moment while I talk to them.

Hi guys! You’ll be able to add any number of additional sites on behalf of your customers, and the price will be lower than what your customers would have to pay if they bought their own subscription. I’m all about the interface between developers and business people, and so I’m building in a (very small, but present) incentive to encourage ongoing communication. This helps you, too, because you know they’ll be calling you when the site goes down, and once in a while that’ll turn into a discussion about more stuff they’d like you to build. Since they’ll call you first, I can charge less. Cool, huh?

Hi, again, to the rest of you. There’s more to say about all this, but I need to get to work. Talk to you soon.

Big news coming soon. But I can’t talk about it yet.

Unfriendly, isn't it?

Instead, let me ask you this: How does a community–by which I mean people actually living in reasonably close proximity–communicate?

Yeah, I liked how those words went together too. But it’s true. A community communicates, or it doesn’t. And isn’t.

I’m not sure there’s any real way for it to happen right now. Online? Well, it’s easier to talk to folks halfway around the planet than it is to say hey to a neighbor. In person? I guess you could get involved in local politics, if you don’t mind its essentially coercive nature.There are clubs for adults and sports for kids, but it takes real effort to go beyond that and connect with people. Why does it need to be hard? Why does it take a special effort?

I’m asking you this because I really want to know. We’re a much more mobile society than we used to be,which may mean we’re less of a society and more of an aggregation. I don’t know that it’s such a bad idea to be this way, either, but I do think folks used to talk to their neighbors more than they do now.

Now, me? I’m more mobile than most. I enjoy the communities of like-minded people I’ve found online. I like the debates, and I like the constantly-shifting technology. But, you know, the last place I lived was…different. Almost nobody was online. People stopped to talk to each other in the streets. To put it mildly, the place was less than perfect. But now I find myself in the Washington DC area, and…people don’t talk to each other. They barely acknowledge each others’ existence when passing on a sidewalk (not that people are on sidewalks anyway).

So…is there something missing? Is there a way to get it back, or (more likely) to devise a new way to connect and interact? Maybe even with people who don’t see things the way the same way we do?

Some days I think the interwebz are not much more than a giant echo chamber, where we all get to hear our own ideas parroted. There’s some distortion, and it’s fun to try to fix it, but…I think, amidst all the frenetic typing and ranting, we might also be getting just a little bit lazy.

Or maybe it’s just me. Thoughts?

I’m experimenting with social media. You may notice a new “Recent Tweets” section in the blog sidebar, courtesy of my new Twitter account, @CabinFeverSftwr. Cabin Fever also has a new Facebook page. And I’m all over LinkedIn lately too.

I’m getting some interesting results already. It’s clearly possible to engage people in conversations.

• There’s a startup out there (I signed an NDA & don’t want to be more specific) with a really great idea and a partially-built product, and I may be jumping in to help.
• People keep telling me about jobs.
• In the process of figuring this stuff out, I’ve reconnected (to some extent) with people I haven’t seen or talked to in years.

But does this translate to success for Cabin Fever per se? Or Scarecrow? Maybe, and maybe not. I’m hoping I can ride this beast & get value out of it.

Maybe the trick is to keep an open mind and see what develops. I’ll let you know how it goes.

Also, stay tuned. I’m going to put up a site to showcase another kind of writing entirely. Here’s a hint: there’ll be a link to buy my novel from Amazon.

I hope this helps you guys next time you have to deal with wi-fi that’s a little short of fi. Or maybe its best function is as a warning to others. In the latter case, here’s the TL;DR takeaway: sometimes a problem isn’t worth solving.

Anyway: last night was…somewhat irritating. I tried to get some work done. Really, I did. However…

• Teenagers. In the hallway. (I just shot them. Nothing else would have worked.)
• “Free wi-fi” that redirects to a “You MUST agree to our terms AGAIN” page every 30 minutes or so. In that context, I highly recommend the iMacros extension for Firefox. A couple of hints: “WAIT SECONDS=1000″ introduces a useful delay when looping, and “SET !ERRORIGNORE YES” (although bass-ackward to my taste) will get around any slow-to-load page components. (The script will exit after waiting 60 secs for page load otherwise.)
• ssh 8080 -D username@my_server_address. Okay, this is for Linux people, but here’s the short version: it creates a tunnel to a server somewhere, assuming you have access to such a thing. Internet browsing then happens from the remote server–so the hotel can’t block sites. Otherwise maybe something like Anonymizer might work, though I’d actually recommend:
• Tor. Go read about it. It’s often slow, but try the Tor browser bundle anyway. You can combine the pleasure of being slightly subversive with actually helping others. Neat, I say. Just configure yourself as a relay, and it’s instant good karma.
• If you happen to decide to give up on the hotel wi-fi entirely, but you can make your iPhone into an access point to share its 3g connection–aka tethering–but you’re sharing the room with someone whose computer isn’t allowed to connect to an “ad-hoc” network…maybe you should give up. Watch a movie. If, though, you have what people call a wireless router, you can share your laptop’s wired connection via the router (turning off DHCP on the router) & connect your laptop to the iPhone’s wi-fi. Then that other person can connect to the “infrastructure” network provided by your router. Is this really how I spend my time? Why?

Okay. Did I actually need all of that last night? No. If I’d known what my final solution would look like, I’d have gone right to it. But next time you’re in a hotel room with lousy wi-fi, and you want to work, maybe these ideas will help.

Or not. Especially the thing about the teenagers.

Maybe tonight will be better?

Where we were....

Or nearby, anyway. I’ve relocated with my family, and we’re looking forward to new opportunities.

So what’s next for Cabin Fever? Scarecrow is out there in the world, making its users happy. There are a couple of updates scheduled:

• I plan to begin offering two new levels of service. The $20/month standard will still exist, but there will be a cheaper ($5? Free?) notification-only version and a $50/month option for those who back up more (or larger) files.
• I want to make it easier to register/support multiple “sites” under a single account. A web development shop or hosting reseller should be able to support several clients.

Outside of that, though, I’m not planning many changes to Scarecrow per se in the near future. Unless, of course, you guys ask me for something specific.

Instead, I’m looking for paying work. Here are my options:

• Freelance stuff might be fun. If you’re a potential client, feel free to contact me. Lately I’ve been using Ruby, Ruby on Rails, and various open-source tools on Linux servers.
• Another startup (depending on how you count, that would be somewhere from my third to my sixth) would be very interesting. I really liked Eric Ries’s The Lean Startup, and that led me to Steve Blank’s The Four Steps to the Epiphany. They’ve convinced me that, yet again, I know less than I want to…even about the things I do every day. Cool!
• Some third option that presents an interesting challenge. This is a really fun game, and I never quite know what’s coming next. Got an idea? Try me.

So here’s my profile on Stack Overflow, and here’s another on LinkedIn.

But have no fear: Scarecrow will still be around, and so will I. I look forward to our conversations.

Can I take a moment here to point out that the above punctuation is in fact correct? “Y’all” is a contraction of “you all” and thus I find the proliferation of “ya’ll” to be Just Plain Weird. Also, “y’all” is plural. Not singular. Please make a note.

And on a similarly important subject, if I ever again read a novel in which a character orders a single malt whiskey (or whisky…it’s island-specific) without specifying anything further, I may discorporate and haunt the author. The whole point, guys, is that single malts exist to help us celebrate, you know, unique and interesting flavors. Or, more often, flavours. So, I mean, what the heck? Glenfiddich and Glenlivet, by the way, might as well be blended. Try the Laphroaig 15-year, or the Lagavulin 16. Take a small enough sip that, by the time it reaches the back of your tongue, it has evaporated or elsewise gone away. Ignore all advice to add water, or Splenda, or manure. Though actually the manure might be interesting. After you recover–this may be painful at first–do it again. One of Lawrence Block‘s characters, in a book I very much liked, once either said or thought that, upon considering the first sip of Laphroaig, one wonders why anyone would drink it. But by the tenth sip, one wonders why anyone would drink anything else. Larry’s smarter than I am, and so are his characters, so pay attention.

Okay. I had a conversation a couple of weeks ago with a couple of recent college graduates. They seemed proud of themselves, and as they seemed to be productive young adults, they had every right. But the thing is, and you guys know I’m all about the thing, they espoused a most horrible idea concerning the storage of passwords.

Once upon a time passwords were commonly stored as plain-text in a database. Obviously this caused issues when the database was compromised. Next idea: passwords were stored in “hash” or “digest” form. For the uninitiated, a hash (or digest) is the result of an algorithm that takes input, such as a password, and returns an otherwise-incomprehensible string. It’s a one-way deal, so a document will always produce the same hash, when using the same algorithm, but you cannot generate a document from its hash. Also, a small change in a document produces a large change in its hash. So storing hashed passwords is neat: you see what the user gives you to log in, hash it, and compare. And you don’t store the password at all.

Problem: it’s not too hard to create a table of hashes of common passwords using the most common algorithms. And it’s absolutely possible, in every case, to find or create a password that will match any given hash, once the algorithm is known. Though, yes, in some cases it might be difficult. So progress has been made, but we aren’t done yet.

Next came the “salt”…which is not necessarily passed at the dinner table. A salt could be something like “hi this is david’s most recent rant” which is appended to a password before its hash is generated. No, I don’t know why hashes are almost always appended rather than prepended or interpolated or whatever. Deal with it for now & we’ll return to this in a bit.

A salt does something neat: an attacker now has to generate tables of hashes of common passwords with the salt appended. Yeah, I know. So what? Enter the “random” salt. The idea is that a different salt is generated on a per-password basis. So sure, you can generate a “rainbow table” that includes hashes of various common passwords plus salt, but you have to do this for each salt value. Neat! The whole thing becomes more secure!

Lots of applications use this method for password storage. There are standard “plugins” that take all the work out of it, too, which is nice for busy programmers. But…uh…guess what? Given sufficient computing resources & data storage (what year is this again?), lots of user passwords can still be identified. Why is this?

Because the “salt” is almost always stored in the database, right next to the hashed password-plus-salt.

Ow.

So here’s another idea: generate the salt via some application-specific algorithm. Include a timestamp, some weird manipulation of a username or email address, or really any data that is expected to remain constant over the span of time you anticipate interacting with a given user. Don’t store the salt in a database. If you don’t trust your algorithm, heck, use a hash of the weird string it gives you. Don’t store that either. In fact, if your application runs on multiple servers, let part of the data used to generate the salt live on a server entirely separate from the one hosting your database. Require login credentials that are not stored in either your database or your application’s code. Further, cause the server hosting that data to restrict access to a small range of internal IP addresses, making it very difficult for an outside attacker to access it at all.

Downside? It’s harder to build a generic plugin. As it, you know, should be.

I have this notion that people who store other people’s data should take some responsibility for it. And, you know, do the work. The guys I was talking to literally would not hear what I was trying to tell them, though. It kind of hurt my brain.

So what’s Scarecrow do about all this? I’m not telling you. Nor did I enlighten the guys I spoke to earlier. I might have dropped some hints, though, if they hadn’t wandered off in a huff.

Remember: single malt is about doing something different and not easily repeated. It is not the same as a blended whiskey. It’s not trying to be.

Okay, I’m done. As always, please feel free to tell me how I’m wrong.

Thanks, Jeff. I suppose you know already, but lots of us out here in the world have been watching.

This is a take on Steve Jobs’s death that hadn’t occurred to me. I’m actually more likely to go the other way and work more hours in the near future…but still: food for thought.

This is a short post. Working harder on it seems inappropriate. {8′>

The worst part of it? I asked for it by signing up for a bunch of services that email me. People who like to write about business like this guy say things like “What gets measured gets done.”  Sure, that sounds sensible.  If I track what I eat and how much I exercise, it may help me lose weight. If I put together a budget, I might spend less. But it does seem to be easier to not step on that scale, not draw up a budget, and in this case, not keep an eye on my website.

A few weeks ago, I received a few emails from Scarecrow telling me that one of my websites was down. My first instinct was to ignore them, since they were brief outages, but they kept happening. On January 7th in particular, there were 18 separate outages totaling about 58.30963026 minutes. Yikes. I sent an email to my webhost with the dates and durations of the outages  – hoping they could correlate the data with their data and isolate/fix the problem. They emailed me back, and said there have been “…no issues with the server on the dates you mentioned…” Hmm. I looked at the detailed data again and found that the cause of many of the outages was DNS. Because I am using a DNS provider that is not my webhost, it makes sense that the webhost is not seeing these errors – the traffic never got to their server!

Next, I logged into my DNS provider and found they had been the target of a pretty gnarly Denial-Of-Service attack, which started on January 7th. Yay! (Not good that they were attacked, but the fact that they posted openly about what happened and what they learned from the experience is exactly the type of thing that makes me want to keep using their service.)

Is it really better to know?  Yes. I get it. It’s better to have the data, than not. Now that I know my website has been unavailable to potential customers, what will I do about it? Turn off all notifications and bury my head in the sand? That doesn’t really work for anyone…not even ostriches.

So here we are. I’ve had a lot of fun with Google AdWords. I learned some interesting things…would you have guessed, for example, that “Files Changed? Server Down?” would attract roughly twice the clicks I got from “Site Hacked? Server Down?”? I sure didn’t. But hey, I changed the text on Scarecrow’s site to match the better-performing ad headline as soon as I found out.

I learned it’s possible to get 57 clicks in a few hours from people using Android devices, for roughly $.15 each, without any way to identify where the heck they’re coming from. And without a single one of them choosing to click on a single additional page once they landed on Scarecrow’s site.

I’m sorry, but I really am wondering right now: do mice gargle? I’m guessing they don’t. But does anybody out there know for sure? How?

Here’s the thing, today: I get better walk-ins. I’d love to be able to test various elements of the site, such as the logo–which I created in roughly 5 minutes in an attempt to irritate a coworker, who then claimed to like it, about which I call shenanigans–but testing is impractical without attracting more visitors, and when the visitors who do come in via the ads are so unlikely to actually pay for the service.

Hey, a couple of weeks ago a Google search on “obvious usernames and passwords” brought up a blog post of mine in the #1 spot. Did I plan that? Did that phrase, before today, actually appear anywhere in this blog? No. But neat stuff like that happens for free. We do pretty well on “contracts are evil” too, which pleases me no end, though nobody coming in through that particular door has actually bought anything. So far.

I think it’d be possible to find sweet spots where paid ads of one kind or another can provide a measurable profit. But I also think managing that may be a full-time job. It’s not actually a full-time job I want, though–I’d rather build something.

The official Cabin Fever plan, therefore, is to spend more time blogging. More time commenting on other people’s sites. Hey, maybe I’ll put up a personal site with a link to buy my novel from Amazon. And a link to this blog too. Whatever.

Oh, and you may have noticed the blog looks a bit different. The Cabin Fever & Scarecrow sites are also getting a makeover–expect it within a week or two. Cabin Fever first…it’s much easier.

Meanwhile, our irregular programming continues. As current users, for those of you who are: what would it take to get you to tell more of your friends about Scarecrow? We’re listening.

Today I called a toll-free number and spoke to a couple of friendly, knowledgeable support staff. I was on hold for a very brief period–less than a minute. I had some general questions, and asked for advice. I got what I wanted. It was neat.

So here’s to you, Google. Though I’d sure like it if you’d send more than one click my way today. I realize yesterday’s mess may have been my fault, but still. More clicks, please.

And “Site Hacked? Server Down?” strikes me as a perfectly reasonable headline for an ad, by the way. Sheesh, it’s on Scarecrow’s homepage. It doesn’t make me a bad guy.

Thanks.