An Educational Startup/App idea

I was reading an article the other day about a lecturer who has scrapped traditional grading from his classes and substituted an RPG-style levelling system (sadly the link has disappeared from my history; if anyone knows where it’s located drop me a line). The premise was simple: as you completed assignments and attended lessons you earned “skill points” and levelled up your character. At the end of the course your grade was the level you attained.

Ok, so the idea has a few flaws (like: you’re not necessarily encouraging learning but attendance), but I love this kind of off-the-wall education reform.

There is, I feel, scope to take this out of the classroom and onto the web. Facebook, Twitter et al are a massive ecosystem for social games – people love to compete (look at things like Farmville) and there is no reason education can’t enter the fray.

So here’s the idea: a set of educational social games which let you level and customise your public character.

I would do it like this:

  • Put together a couple of key-skill area games (Maths, Science, English). The games would have to be trivial but educational.
  • Link them using a social network (probably Facebook) and have a central ‘character’ who has various skill traits which, on completing game challenges, can be levelled.
  • Let it run for a while (probably you could make some tide-you-over cash with in-game purchases/upgrades), gaining users and skills.
  • THEN pitch it to the schools and educators, produce some more serious games/challenges in line with the local curriculum and try to get teachers sold on setting it as, say, homework.
  • The games might not meet the trivial “it’s simple so it’s fun” rule but they are a) set as homework and b) contribute lots more points to your character.
  • I believe this benefits everyone; teachers get a free and easy resource for setting homework and the kids are playing an RPG (always fun).

Feel free to build this idea; I’m not going to get a chance :)

Posted in ideas

How many words have you actually written?

Here’s an interesting thought. I’m working myself up to write a book of about 70,000 words. Right now that seems a silly amount to get through and I find myself procrastinating rather a lot.

So as a motivational tool I figured out how much I write online… it’s a fun exercise.

Since 2005 I’ve hung out in several places; this is a rough (conservative [1]) estimate of the amount written:

  • Forum One: 7,000 posts, around 30 words a post = 120,000
  • Forum Two: 3,000 posts, around 40 words a post = 120,000
  • Hacker News: 2,436 comments, conservatively around 50 words per comment = 121,800
  • Blog(s): somewhere in the region of 90 posts, about 500 words each = 45,000

It’s about 400,000 words over 5 years, most of those in the last 3. About 219 words per day.

So that means at this rate it should only take a year to write my book. Maybe not the positive feeling I was aiming for.

1. I feel this is really conservative; my “best guess” figure puts it at nearly 750,000+

Posted in life

The trouble with Meritocracies

A Hacker News post tonight reminded me about meritocracy, which I’ve always found to be a wonderful theory (it’s a great form of governance).

Unfortunately the few times I tried to be part of such a community they crashed and burned, badly. It seems there is a problem – a crucial and fundamental flaw – in meritocratic societies…

…eventually (usually sooner rather than later) someone asks the question:

Exactly how do we define merit?

Thence the arguments begin :)

Posted in opinion

Who wants to be a Millionaire at 30?

When I was a little younger (though only a little) I used to tell people “I will be a millionaire by 25 and retired at 30”. Eventually I realised it was less an actual goal than something to help with motivation. And yet later I realised that, at the age of 23, it’s unlikely to really happen.

Best of all; that’s great.

Don’t get me wrong, a few million would be swell. But I can’t imagine that being a millionaire before you’re thirty and then retiring is a very fulfilling life.

I keep seeing blog posts with explosive titles like “How I retired at age 25”, “An 18 year old Millionaire”, “I never have to work again”. Most of these people strike me as individuals who have spent the better part of their late teens and early twenties pursuing opportunities and looking for “the money”. When they make it the immediate desire seems to be “buy a big house, retire”. Then you get the commenters, who generally seem to be in awe of this ability to make a bit of cash, and all seem to want to achieve the same life of leisure.

Fine, fair enough. But aren’t you sacking off your potential a little?

You have the capacity to make money, lots of it. Why stop at a few million – why not a billion? And think what you could do with that money. Bill Gates is the poster boy example here – super, super rich, and now giving away a lot of that cash to charity and global improvements. There are others too – and plenty from the newer generations still working, still making capital that they might work with later. But we should have more money makers aiming to do this – make a packet, provide for your family and then do something good for the world.

Philanthropy like this is important. Charities are great ways for the collective to improve our world – but an individual can have drive, focus, passion and cut through bureaucracy. He/she can move in high social circles and convince important people to do good things. They can donate huge sums at once to places that need it, and so on.

So, make a million before you’re 30 – it’s a smashing idea and you’ll be able to do all sorts of things you wouldn’t otherwise do. But don’t retire. Keep at it, make a fortune and then make the world a better place.

That’s my new goal anyway, seeing as I won’t make my original. :) Aim high.

Posted in opinion

Adfree: an adblocker compromise?

For a long time the idea of ad blockers has been presented as something of a touchy subject – do they hurt websites, or are the blockers just exercising their consumer rights? And so on.

To quote myself on the matter:

Both sides have a clear point here. The problem is that the ad blockers hold all the cards – if sites put up a paywall for ad blockers they lose custom. If they circumvent the blockers they just draw fire. If they denounce the blockers they get berated.

Ok. Adverts can be annoying, but occasionally sites deserve remuneration for the content they are offering. For most people ads are a reasonable trade-off: “I like your content, ok I’ll see the ads”. For them it is a zero-cost transaction that ensures the content stays around.

For others – like myself – adverts are generally garish and annoying.

Personally I permit adverts on sites that deserve the revenue. I don’t begrudge that and fortunately most of them appear to take a tasteful approach. But it’s still not my preferred web experience; the ads are still there.

But is there a better way?

Many blockers say the same as myself: “I would pay you for content that is worth it”. So let’s call them on that statement with a micro-payments service.

I’m thinking of an ad blocker with extras. It works as normal, but for sites that are signed up with the service it places a tasteful link on the page saying “Donate for this content” (or something similar).

Even better, you could have an API to trigger so a site displays an ad-free page with the donate link.

You could make the donation a lot smaller than a normal ad “click”. For example if a click is worth $.25 then you make the donation $.05. Whilst this is clearly a lot smaller, the theory is that:

a) the blockers claim they are more likely to pay and

b) you’re not getting their money anyway (through ads)

Offering blockers a cheap-as-chips way to give you money can only be a net positive (especially as you’re showing willing to give them the web experience they prefer).

Anyone want to give it a shot?

Posted in ideas

Choosing a secure password

When people find out I work in computer security they usually, at some point, ask me how I come up with “secure passwords”. My advice (which follows) is incredibly simple – and usually gets scoffed at. “You can’t be serious” etc. And yet all the crazy ways they come up with to solve the “problem” of passwords boggle me. So here, for the benefit of anyone who wants to ask me again “how do I make a secure password”, is my advice :)

The first thing we need to do is consider what we need to protect against when choosing a password. Too many people lose sight of the actual dangers associated with passwords when designing or choosing them. This is the low-down on where your password could go astray:

The website you use has its database stolen. Luckily it hashed passwords. Unluckily they were just SHA-1’d without a salt. Argh!

This is the easiest problem to mitigate: use a complex password. People will argue for hours on the best way to turn a short word into something more secure – but why you would want to do that confuses me. Just use something complex! (Ultimately my whole argument comes down to this.)

Believe me; if someone is able to brute force a 30-character mix of numbers, letters and special characters, even from a SHA-1 hash, then I want to meet them (and give them a very expensive job). I am fairly confident that I have seen the most advanced hybrid password-breaking cluster; it can handle a lot fewer characters (in keyspace terms) at its current maximum (currently at 20% keyspace coverage for a number, which I can’t disclose, between 10 and 20 characters). Pushing to 30 characters is a huge order of magnitude (and not high on the agenda as it happens).

The point is this: provided your password is reasonably complex in the form it is sent to the server, you have nothing to fear from stolen databases.

Except that they didn’t even hash the password in the said database – it was stored in clear text. No amount of complexity is going to delay an attacker in this case. Argh! (again)

Not a problem; make sure you use different passwords for different sites (admittedly the one site is compromised – but it was pretty fucked anyway).

The way people try to do this (use different passwords) amuses me. They invent these complex ways to build a password and then hash it (with SHA-1 usually). The problems with such an approach are manifold.

Firstly, using a SHA-1 hash as a password is a bad idea generally. It’s a very recognisable hash, and if you’re creating it from a shorter phrase+url then the brute forcer only has to insert a few more lines into their code. If the phrase+url is longer than the SHA hash then you should simply be using that – because it is, uh, longer – the hash simply adds a very small factor of time to the attack.

Another problem is that you’re ultimately using a standardised system to generate the passwords. If someone is taking the time to figure out your system (or even employing rudimentary testing to pull out yours and similar password schemes) then you have a major security vulnerability. It comes down to the salting problem: salting is great only so long as your salt is secret and your hashing scheme is good enough to make brute forcing pointless.

The final issue is that everyone, well lots of people anyway, are using this and very similar schemes. That reduces its effectiveness by increasing the profit from attacking the scheme (if an attacker can only get your password there is no point – but if they stand a chance of getting a few hundred, well, that is a worthwhile investment).

My main point in all of this is simply that most of the password creation schemes you see pitched as creating “complex” passwords are actually false security. They add little actual complexity to the result – and indeed the only complex part is the faff you have to go through to make each one (every time you log in too :) ).

No, real complexity is introduced through randomness. You not only need a random phrase and salt but a random scheme too. It has to be memorable and shouldn’t be difficult for you to reproduce. But for a third party it should make no sense – they should not be able to guess how you are building passwords if, by some fluke, they retrieve one of them.

The man in the middle is usually the other big concern for techy types. Ultimately there isn’t a lot that can be done to a password to make it secure from this attack. Clearly using different passwords again mitigates the damage, but ultimately Prof. Moody of Harry Potter fame puts it best:

Constant Vigilance!

With that said you can do some useful things. If your password doesn’t look like a password then it may fool simple MITM attackers/programs. This is also a good mitigator for malware attacks – which usually monitor key sequences to watch for your password.

Concern about these last two attacks (in terms of password complexity) is a fallacy anyway. You can take steps to mitigate their effect or reduce the chances of them working – but if they have compromised either your system or the route to your website to that extent there is not a lot a good password will ultimately do to protect you.

What else do we need?

Lots of keyspace, for one. So you need to be using numbers and, ideally, spaces/special characters. The special characters particularly will make things tough for attackers. There is no need to learn leet speak (replacing letters with numbers in words) to do this. Simple phrases which include a mathematical formula are perfectly sufficient.

Oh, and make up some words – that has the dual benefit of defeating dictionary-based attack methods and making the password more memorable to you.

Memorable is important. One reason people use the identical small phrase over and over for their password is because retaining a long password list (a database even, as you have to key it by site) is time consuming. The way around this is to learn to associate the password with the site (see below for more on this) so it is no longer a list of passwords but a phrase you have to use when entering a site.

So what kind of magic passwords should you be using? As you can clearly see I’m working up to suggesting you come up with a phrase. The caveat is it can’t be a common phrase (the number of times I see “one flew over the cuckoos nest” as a password is hilarious) or indeed anything that makes too much sense.

Here are some suggestions:

“90% of facebookers love to log in securely”

“if 1 = 2 then twitter will failwhale again”

As you can see I am suggesting theming the password to each site to help make it even more memorable. Indeed you could even risk writing these passwords down somewhere (perhaps hidden in other prose) because their “non-passwordness” means the chances of them being recognised as such are relatively low (in such a case avoid outright nonsense – it’s suspicious).

Beyond that; just don’t worry too much. Oh, and…

Constant Vigilance
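As an added example (not the post’s own code), a small Python keyspace estimator that puts numbers on the argument above: leet speak versus a long themed passphrase, the common-phrase caveat, and why a sha1(phrase+site) password only looks strong. The guess rate (1e12/s), the phrase list and the `cats`/`example.com` secret are constructed assumptions.

```python
import hashlib
import math
import re
import string

# Brute-force model from the post: every string of the same length over the
# character classes the password uses. Alphabet sizes are the assumed model.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# Constructed stand-in for a real common-phrase / dictionary list.
COMMON_PHRASES = {"one flew over the cuckoos nest", "to be or not to be", "password"}

# MD5 / SHA-1 / SHA-256 hex digests: the "very recognisable hash" shape.
HASH_SHAPED = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.IGNORECASE)


def alphabet_size(password: str) -> int:
    """Sum of the alphabet sizes of every character class the password touches."""
    return sum(n for chars, n in CLASSES if any(c in chars for c in password))


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force keyspace: length * log2(alphabet size)."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Time to search the whole keyspace at a constructed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 86400)


def derived_password(secret: str, site: str) -> str:
    """The scheme the post argues against: sha1(phrase + site) used as the password."""
    return hashlib.sha1((secret + site).encode()).hexdigest()


def effective_bits(secret: str, site: str) -> float:
    """Real search space once the scheme is known: the site is public, so only
    the secret phrase counts, however long the hex digest looks."""
    del site  # known to the attacker, contributes nothing
    return keyspace_bits(secret)


def assess(password: str) -> dict:
    """Summarise the properties the post cares about for one candidate."""
    bits = keyspace_bits(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(bits, 1),
        "years_at_1e12_per_s": years_to_exhaust(bits),
        "hash_shaped": bool(HASH_SHAPED.fullmatch(password)),
        "common_phrase": password.lower() in COMMON_PHRASES,
    }


if __name__ == "__main__":
    candidates = [
        "P@ssw0rd",                                    # leet speak: 95-char alphabet, but short
        "one flew over the cuckoos nest",              # long, but a well-known phrase
        "90% of facebookers love to log in securely",  # the post's themed passphrase
        derived_password("cats", "example.com"),       # hash-as-password scheme
    ]
    for pw in candidates:
        print(f"{pw[:42]:<42} {assess(pw)}")
    looks = keyspace_bits(derived_password("cats", "example.com"))
    print(f"derived password looks like {looks:.0f} bits but is really "
          f"{effective_bits('cats', 'example.com'):.0f} bits of secret")
```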

Posted in security

Google Buzz, Sharks and the jumping thereof

This week Google launched, and then spectacularly fucked up, their new uber service called “Buzz“. With all the security mess involved many have hailed this as Google finally jumping the shark. Regardless, on the back of the recent rise in anti-Google mutterings it was clearly a Bad Thing To Happen™.

As a huge Google fan Buzz has been a struggle for me, and so far I have not commented on the numerous threads kicking around on the news sites. But, my god, Google, you’re crazy.

Fonzie Jumps the Shark (Wikimedia Commons, Fair Use)

Great Idea, But the Execution?

There are numerous problems with Buzz, a lot of them haven’t been touched on yet. Equally there are some great ideas. The key issue is that the execution of them has been poor at best. Let’s ignore the elephant in the room for the moment (i.e. the security mistakes) and concentrate on why Buzz generally just feels a little underwhelming for me as a user and developer.

Firstly a great idea: all Buzz streams can be exported using the API (and apparently you will soon be able to write to a user’s stream too). I had a similar idea a few months ago: a contacts/personal info manager site with a social feeds aggregator and a great API sat on top to pull/push content with. FriendFeed does a lot of that but I think there is definitely scope to create a much more customizable experience for both users and developers (I’m thinking along the lines of being able to share personal information, contacts and feeds on a much more fine-grained basis).

Perhaps I will blog on this concept later. But, suffice to say, initially Buzz seemed a positive move in a direction I am excited about. Sadly they made a few too many crucial errors in the execution.

Clearly the first of which is Gmail integration. I can see the point in doing it – the inbox is a key part of anyone’s day and Google want Buzz to be part of that. The problem is that Buzz doesn’t really fit into an inbox-style workflow. You jump in, read your new emails, reply and bug out (I realise others may work differently, but still). When you read mail you are there to engage in either a conversation or to update yourself on some [relatively complex] information. Buzz is too quick and the information too varied to be of use in the same way. If you have images, Twitter updates (and other statuses) and Google Reader updates all crowding in from friends you are consuming that data fairly rapidly (like Twitter). It’s not something you’d expect Gmail to be used for.

I’m guessing one reason they heavily integrated with Gmail was because there is an established user base with lots of content ready to publish. This seems a smart move (till it backfired of course) to push the product forward. With Wave one of their main problems was that it was yet another site for people to keep track of and so, I’m guessing, it kinda flopped (I’m only basing that on the drop-off of news relating to Wave; I haven’t used it since launch). What frustrates me though is that doing it like this turns Buzz from a feed consolidation and publishing service into a “new thing in your inbox”. If users aren’t impressed with it in its pure form then they won’t take it up – and so building services on top of that is problematic. Instantly the cool new stuff I saw is, well, useless.

The other let-down appears to be the API. You can drag out your feed, sure, but it doesn’t seem like there is any way to customize it. That makes the feed fairly useless. What I wanted to see was the ability to customise a feed with search terms, the data sources and so on. Imagine you’re creating a product review site – what better way to get lots of really relevant reviews than to filter a user’s Buzz feed for relevant posts, by their friends, from review sites, web stores and blogs. That’s just one simple idea but I could see hundreds of really useful social websites springing up powered by Buzz. Google have access to an incredible number of users pushing an insane amount of content; getting access to that would be pure gold for a developer.

What they Should Have Done

Simples: created Google Buzz. To me it should have been a standalone site consisting of the best bits of Ping.fm, FriendFeed and Twitter. Then on top a rock-solid customizable API with which to drag out data, log in with OAuth and post content. These are things Google does well: lots of consumers and great developer tools (stick to your strengths, right?). The Buzz site should have been a Twitter-like stream of information in an easy-to-access format just to make sure people are using it.

How awesome would that be.

Jumping the Shark

I don’t think Google have jumped the shark with this. They lost a lot of goodwill in the previous few months for a wide variety of reasons (one of the problems with being such a big company) and the result is that the fairly massive fuck up now is hurting them more than it might have (maybe not more than it should have). In a way it could be a good wake-up for them.

I defended Google in the past because I still trust them and find many services incredibly useful and innovative. But there is no real excuse with Buzz – it’s a poor execution of a neat idea, with major security flaws and no real focus. I realise Google have the resources to sustain Buzz for a good while and probably it will achieve “critical mass”. But what they should do (were they the Google of the past) is scrap most of Buzz as it exists, go back to the drawing board and launch a real service a few more months down the line.

With that said I do think that people now talking about dropping Google as their provider are being a little hasty. Buzz is a mistake but I don’t think it entirely undermines trust in an otherwise pretty security-conscious company.

Posted in opinion

My Workspace :)

via twitterrific

Posted via web from errantx’s posterous

Posted in Uncategorized

Announcing Modular

Modular is my new Kohana module, designed to help you manage your other modules! Version 1.0 allows you to track installed and loaded modules and load/unload them with a single click.

The list of loaded modules is stored in a database table; a hook extracts the list during Kohana’s system.ready event and loads them.

Here’s how it looks:

Modular demo page

The documentation and source code are on BitBucket.

Future plans include creating a scheme to install modules via a web interface; Modular was created as part of a larger Kohana project that aims to have customisable modules you can upload – so development will be driven by that.

Please report any bugs you might find; or just give some feedback.

Posted in code

Using Version Control as a “Save” package

This week I was without internet but with netbook; which left me somewhat free to code whatever took my fancy. So, armed with the latest mercurial release and as much info on the API available (read: very little) I set off to build something fun.

One project I’ve always wanted to try and complete is a standalone IDE for EventScripts. ES users tend to consist of fairly new entrants to the programming language so modifying an existing IDE is probably too hardcore an approach. It needs something a bit more gentle with lots of ES related buttons and hints littered around. So this was the project I mostly hung around on.

Mercurial fits into this quite nicely; originally I wanted a way to back up projects to a Mercurial repository (this would be handy for me as I use BitBucket extensively) and so drafted a kind of wrapper around Mercurial to make committing, pushing and pulling changes nice and easy. The Mercurial API is far from what I would describe as “good” but once you get to grips with it things eventually make sense. It didn’t take long to have a working prototype.

The next step I wanted to look at was creating a save package. The IDE is mostly designed for creating EventScripts addons – folder packages containing some ES code to load on a game server. The current IDE stores these packages in folders in a single location identified by their “basename” or folder name. The issue is that it isn’t hugely portable; having to copy folders between computers while maintaining the right structure is obviously prone to cock-ups.

The solution initially was to zip up the folder and create an export package which can be transferred and unzipped at the other end.

Then it struck me: Mercurial is incredibly portable. I can pick just the .hg folder off the disk and shift it to another machine (even a different OS) and quickly load up the latest working directory with a few commands. It is, in fact, a really nice, versioned package.

So the new method is quite simple and highly effective: zip the .hg directory and drop in a single meta-data file that the IDE uses to load the addon correctly. To “open” such a package the IDE only has to check the meta-data for relevant information, create a directory, drop in the Mercurial repository and “hg update”. Not only do you get to transport the entire package but you also get the entire version history.

I think this is a really neat application of version control. I know a lot of programs already implement their own forms of rudimentary version control (Word for example) or backups (NP++). But surely it makes more sense to use a mature versioning system rather than custom build your own. By using Mercurial my IDE now is pretty compatible with anything else that might be useful. For example you can simply push to a remote Mercurial repository and you have it accessible online.

The user still gets a single package in a form they understand (i.e. one file == my entire project) but there is much wider scope to do things with it!
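Added example (not the IDE’s code) of the package format described above: a zip holding the `.hg` directory plus one meta-data file, with the “open” side checking entries before writing anything, since packages arrive from other people. The meta-data file name `addon.json`, the decision to leave out `.hg/hgrc` (repository-level config can declare hooks that run on `hg update`), and the fake repository built in `demo()` are constructed assumptions.

```python
import json
import subprocess
import tempfile
import zipfile
from pathlib import Path

META_NAME = "addon.json"   # assumed name of the single meta-data file
REPO_CONFIG = ".hg/hgrc"   # repo-level config: can declare hooks that run on `hg update`


def _entry_ok(name: str) -> bool:
    """True for an entry inside .hg/; rejects absolute paths and .. traversal."""
    p = Path(name)
    return not p.is_absolute() and p.parts[:1] == (".hg",) and ".." not in p.parts


def pack(repo_dir, package_path, metadata: dict):
    """Write a package holding the metadata plus every file under repo_dir/.hg."""
    repo_dir = Path(repo_dir)
    if not (repo_dir / ".hg").is_dir():
        raise ValueError(f"{repo_dir} is not a Mercurial repository")
    with zipfile.ZipFile(package_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(META_NAME, json.dumps(metadata, indent=2))
        for path in (repo_dir / ".hg").rglob("*"):
            rel = path.relative_to(repo_dir).as_posix()
            if path.is_file() and rel != REPO_CONFIG:  # never ship hooks/paths
                zf.write(path, rel)
    return Path(package_path)


def unpack(package_path, dest_dir) -> dict:
    """Recreate the repository under dest_dir (checking every entry first) and return the metadata."""
    dest = Path(dest_dir)
    with zipfile.ZipFile(package_path) as zf:
        metadata = json.loads(zf.read(META_NAME))
        for info in zf.infolist():
            if info.filename == META_NAME or info.is_dir():
                continue
            if not _entry_ok(info.filename):
                raise ValueError(f"refusing unsafe package entry: {info.filename}")
            if info.filename == REPO_CONFIG:
                continue  # dropped for the same reason pack() omits it
            target = dest / info.filename
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
    return metadata


def checkout(dest_dir) -> None:
    """The post's final step: populate the working directory (needs hg on PATH)."""
    subprocess.run(["hg", "update"], cwd=dest_dir, check=True)


def demo() -> dict:
    """Round-trip a constructed fake repository, then try a crafted bad package."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst, pkg = Path(tmp, "src"), Path(tmp, "dst"), Path(tmp, "my_addon.zip")
        for rel in (".hg/requires", ".hg/store/00changelog.i", REPO_CONFIG):
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text("constructed\n")
        pack(src, pkg, {"name": "my_addon", "version": "0.1"})
        meta = unpack(pkg, dst)
        bad = Path(tmp, "bad.zip")
        with zipfile.ZipFile(bad, "w") as zf:
            zf.writestr(META_NAME, "{}")
            zf.writestr("../escape.txt", "x")  # zip-slip style entry name
        try:
            unpack(bad, Path(tmp, "dst2"))
            rejected = False
        except ValueError:
            rejected = True
        return {
            "meta": meta,
            "store_restored": (dst / ".hg/store/00changelog.i").is_file(),
            "hgrc_shipped": (dst / REPO_CONFIG).exists(),
            "traversal_rejected": rejected,
        }
```

Run `demo()` to see the round trip; `checkout()` is the only function that needs Mercurial installed.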

Some bullet points:

  • There is the downside that you are carting around an entire version history – which could get big. However the biggest ES project I know of is less than 8MB, which isn’t the end of the world. Most are a few KB at most.
  • Mercurial is GPL. Which is a bit of a pain because I much prefer MIT/BSD licenses for my work. Any released IDE would have to be GPL… which sticks in my craw.
  • EventScripts has its own package repository, ESAM. This allows you to add collaborators on an addon. Mercurial is great because you can have collaboration, and linking the two ideas wouldn’t be hard. If the package was hosted somewhere online (say BitBucket or even a custom ES solution) valid collaborators could work on the project together, merging their changes.
  • Merging is a sticking point. Most of the time it works fine, sometimes it needs user input. Avoiding this is a catch-22 and ignoring it is just going to lead to massive gotchas down the road.

All in all I am quite happy with my nice little versioned save package. :)

Posted in code