Fair Share

I just saw this article in Bloomberg about Obama wanting to tax corporate jets and private planes an additional $100 per flight. Sure it’s a small amount, but that’s beside the point. It’s easy to rag on “corporate jet” owners, but one thing stuck out from the article.

The main rationale for charging the $100/flight is that “General aviation users currently pay a fuel tax, but this revenue does not cover their fair-share use of air traffic services.” Basically commercial airlines pay $1,300 – $2,000 in taxes to cover the air-traffic controllers, but private jets only pay $60. Okay, fair enough – basically it costs the system the same for a jumbo jet as it does for corporate jets, so they should pay the same amount. Rational principle.

But why isn’t this principle carried over in taxation? Doesn’t anyone see the hypocrisy in their argument?

The top 5% pay 60% of federal taxes. Does providing billionaires government services cost more than the ordinary man? Do billionaires really cost the government more? Do roads for them cost more? Does their national defense cost more? Why should they pay taxes at a higher rate?

# September 23rd, 2011 @ 5:00pm - Comments Off

FML

My Netflix recommends “Heartfelt Dramas Featuring a Strong Female Lead.” FML. I should have learned in elementary school. This is why you don’t share with girls.

# November 5th, 2010 @ 9:01pm - Comments Off

Verizon tests a 10 GBps connection in the field. I want, I want. #

Want to start a startup? Too funny. (Embedded after the jump.) #

BA II Plus Professional Manual: Mostly for my reference, but hopefully it helps some Googler in the future. Embedded manual after the jump. Download here. #

One of the neatest architecture techniques is using the power of empty space. #

Life aboard the International Space Station via the Guardian. Neat read. #

FaceTime

I’ve drunk the Kool-Aid, fallen for the hype, and purchased an iPhone. I’m keeping it this time for one reason: FaceTime.

Most of the shortcomings that made me return the 1G, 3G, and 3GS are still there, but the killer application that I can’t live without is FaceTime. Skype, Yahoo Chat, MSN Messenger, all have been around for years – video chatting isn’t new, but with FaceTime, Apple does it right. The ability to have a handheld device, press a single button, and be able to share lives across the continent is magical.

From a technical standpoint it’s an engineering marvel. I clearly remember the days when simple actions like AIM Direct Connect would require port forwarding behind routers and often failed. Today, I’m able to video chat, in amazing quality, without a single thought to firewall configuration. If you’re interested in the nitty gritty of how FaceTime really works, check out Packet Stan’s blog, but Apple has managed to use technologies that have existed for years and turned them into something truly magical.

FaceTime technology coupled with the iPhone 4′s superb hardware and software allows crystal clear audio and, while not quite HD, excellent video quality. In fact, with the shoddy AT&T coverage I have at my house, I was having 5-6 dropped calls every hour; with FaceTime, I have virtually none. The hardware is so good it picks up whispers and conversations in the other rooms. The software is so good that there are zero ambient noises – it actually sounds as if the person is in the same room.

I was a skeptic when FaceTime first came out, thinking I never video chat on my PC, so why would I care to on my phone? Today I’m a fan – I love it. There is no replacement for seeing someone in person, but for people who have dear ones far away, FaceTime certainly makes the distance seem less.

PS: I’m still an ardent BlackBerry user and can’t live without my BlackBerry. I still believe the BlackBerry experience is unrivaled for work. When compared to an iPhone, for contacts, emails, tasks, and calendars, I firmly believe the BlackBerry is a superior device. However, with my newfound love of FaceTime, it has been relegated to my daytime phone, and the iPhone is my evening phone. I can’t wait to upgrade to iPhone 5.

# November 2nd, 2010 @ 9:44pm - 2 comments

Voting

It’s November 2nd, 2010. Election day. This year America celebrates 234 years of democracy. Democracy is a beautiful thing.

Funny (and probably true) election day quote:

Democracy substitutes election by the incompetent many for appointment by the corrupt few. – George Bernard Shaw

But more seriously:

The death of democracy is not likely to be an assassination from ambush. It will be a slow extinction from apathy, indifference, and undernourishment. – Robert Hutchins

Please take twenty minutes out of your day and go vote!

# November 2nd, 2010 @ 12:33pm - Comments Off

Rewrite Dropbox URL

So my new favorite product is Dropbox. Rarely do I get so enthusiastic about a product, but it’s simply the easiest way I’ve found to back up files, share large files over the web, and share files between my multiple devices (desktop, laptop, BlackBerry, and iPhone), all without ever leaving the native OS I’m working with. No web upload boxes, no proprietary upload clients, just native folders on my computer and a little background application working the magic.

That said, Dropbox has a very handy feature called Public Folders. Simply create a folder in your root Dropbox called “Public” and any content you put in there will be web-accessible to anyone, anywhere, on any device. This is particularly handy for me, as I often have to work with large files (too large to email), and having to fire up my FTP client, upload files to my webserver, and share the links is tedious. Simply drag a file to my Public Folder, Dropbox uploads it, and gives me a public URL similar to http://dl.dropbox.com/u/9502594/test.txt. I can share this file with anyone, anytime, and they can access it anywhere.

However, I prefer giving the semblance that my data is on my own servers, for a variety of reasons.

Enter mod_rewrite. I have the following .htaccess file in a folder on my web server called “dl” (for download) which allows me to mask my Dropbox URL and provide users with a URL such as http://kadakia.com/dl/test.txt.

# Check to see if mod_rewrite is installed / available
<IfModule mod_rewrite.c>
RewriteEngine on
 
# Check to see if file or directory exists; a RewriteCond only guards the
# RewriteRule directly after it, so the pair is repeated before each rule.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Embedded file (/dl/e/<file>): rewrite to the Dropbox URL as-is.
# Make sure you change the data after "/u/" (9502594) to your own user ID.
RewriteRule ^e/(.*)$ http://dl.dropbox.com/u/9502594/$1 [L,QSA]
 
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
# Force download (default): everything else gets ?dl=1 appended.
# Apache does not accept comments after a directive on the same line, hence the comments above each rule.
RewriteRule ^(.*)$ http://dl.dropbox.com/u/9502594/$1?dl=1 [L,QSA]
</IfModule>

Some points:

  • Be sure to replace “9502594” with your own user ID.
  • You don’t necessarily need the RewriteCond lines, but they are useful in case you want to host some content on your own servers rather than from your Dropbox. They tell Apache to check whether the file exists locally and, if it doesn’t, to rewrite to Dropbox.
  • If you send a bad link (a file that doesn’t exist on your server or on Dropbox), the 404 page the user sees will be Dropbox’s. This doesn’t bother me, but it may bother you.
  • There is no file transfer load on your server, as you are doing a redirect. Your server isn’t downloading the data and then transferring it to the user. The user will be downloading directly from Dropbox, saving you bandwidth.
  • Many files may be rendered directly by your user’s web browser (.mp3, .htm, .html, .txt). However, most of the time you are trying to share a file and would like people to download it to their computers. Dropbox has a function that forces a download of the content when you append ?dl=1 to your URL. On the flip side, sometimes you may be trying to make the content embeddable, such as a signature or an embedded picture. You can change the URL and add an e before the file name to allow the content to be embedded (if the user’s browser supports it).
  • For me, download as default was more useful, but you can just as easily reverse it. Make the catch-all without the ?dl=1, and change the ^e/ to something like ^f/ (for force download).

Embedded: http://kadakia.com/dl/e/test.txt
Download: http://kadakia.com/dl/test.txt
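To check the mapping above without running Apache, here is an added Python model of the rules (example code, not from the post): it applies the RewriteCond existence check to both rules, evaluates them in order with the first match winning as [L] does, and appends the original query string as [QSA] does. The user ID 9502594 is the post’s placeholder, and paths are taken relative to the “dl” directory, as Apache hands them to a per-directory .htaccess.

```python
# Added example: a model of the two RewriteRule/RewriteCond pairs in the .htaccess
# above, so the URL mapping can be checked offline. Not the post's own code.
import re

# The post's placeholder Dropbox user ID; replace with your own.
DROPBOX_BASE = "http://dl.dropbox.com/u/9502594/"

# (pattern, substitution) in evaluation order; \1 plays the role of $1.
RULES = [
    (re.compile(r"^e/(.*)$"), DROPBOX_BASE + r"\1"),       # embedded file
    (re.compile(r"^(.*)$"),   DROPBOX_BASE + r"\1?dl=1"),  # force download
]


def resolve(path, query="", local_files=frozenset(), local_dirs=frozenset()):
    """Return the redirect target for a request to /dl/<path>, or None when
    Apache would serve a local file/directory instead (the RewriteCond checks).

    path        -- request path relative to the "dl" directory, e.g. "e/test.txt"
    query       -- original query string without the leading "?"
    local_files -- constructed stand-in for files present under dl/ (the -f test)
    local_dirs  -- constructed stand-in for directories under dl/ (the -d test)
    """
    if path in local_files or path in local_dirs:
        return None
    for pattern, substitution in RULES:
        match = pattern.match(path)
        if match:
            target = match.expand(substitution)
            if query:
                # [QSA]: keep the client's query string alongside dl=1.
                target += ("&" if "?" in target else "?") + query
            return target  # [L]: stop at the first matching rule
    return None


if __name__ == "__main__":
    print(resolve("test.txt"))            # redirect, forced download
    print(resolve("e/test.txt"))          # redirect, embeddable
    print(resolve("test.txt", local_files=frozenset({"test.txt"})))  # served locally
```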

That’s all folks.

# October 31st, 2010 @ 6:04pm - Comments Off

Investment Needed

It’s scary how little we are investing in our infrastructure. Infrastructure is the foundation for tomorrow’s commerce. Instead of nearly all tax revenue being spent on transfer payments, it’s time to make a shift and rebuild American infrastructure.

# October 30th, 2010 @ 12:35am - Comments Off

I rarely feel a product is good enough to endorse, but Dropbox is just that good. If you've never heard of it, I suggest you go over and check it out. If you have multiple computers, or just need a simple way to back up data, I highly recommend it. Fully functional free accounts are 2GB. On a side note, I predict Dropbox will be acquired by a larger web services company by the end of 2011. #

Please Pass the Salt

I’ve historically used MD5 for hashing passwords in web applications. While MD5 is fine in most instances, I’ve become aware of how vulnerable it is to a brute force attack. In past projects, user/password combos were simply used for validating simple harmless data or posting comments – hardly worth a hacker’s time. However, I’ve recently been working on a project that will entail storing users’ credit card numbers, among other personal details, so security is of utmost importance.

MD5 or simple hashing will make a hacker’s job more difficult, and is certainly better than storing passwords as plain text in a database. However, simply using a hash alone isn’t enough. An attacker can generate hashes for numerous potential passwords (either randomly or from a dictionary). The hashes generated are then compared with those in your user database, and any matches reveal the password. Powerful computers make this all the easier, as they are able to generate hashes at thousands per second, and MD5 hash databases are already available for nearly every word.

How to make it harder for hackers? Salt.

Before generating a hash we create a random string of characters of a predetermined length, called a salt, and prepend this string to our plain text password. If the string is long enough and randomly generated, the resulting hash will almost certainly be different each time we generate a password, requiring a hacker to rebuild his entire database of hashes for every possible salt. Two users with the same password will have different hashes, because their passwords are hashed together with a unique random salt. When we validate a user’s login credentials we follow the same process, only this time we use the salt from our database instead of generating a new random one. We take the user-supplied password, run our hashing algorithm with the stored salt, then compare the result with the hash stored in the database.

Here is my simple code:

// Hash function: returns SALT_LENGTH characters of salt followed by sha1(salt . password)
define('SALT_LENGTH', 5);
function generateHash($plainText, $salt = null){
   if ($salt === null){
      // New password: generate a random salt
      $salt = substr(md5(uniqid(rand(), true)), 0, SALT_LENGTH);
   }
   else{
      // Existing password: the stored value starts with the salt, so reuse it
      $salt = substr($salt, 0, SALT_LENGTH);
   }
   return $salt . sha1($salt . $plainText);
}
// Sign Up
$newUser['user_password'] = generateHash($_POST['user_password']);
$newUser['user_email'] = $_POST['user_email'];
$db->insert("users", $db->escape($newUser));
// Login Check: escape the user-supplied e-mail before it goes into the SQL string
$email = $db->escape($_POST['user_email']);
$storedPass = $db->get_var("SELECT user_password FROM users WHERE user_email = '$email'");
// Re-hash the submitted password with the stored salt (first SALT_LENGTH characters of $storedPass)
$passwordHash = generateHash($_POST['user_password'], $storedPass);
if($db->get_row("SELECT * FROM users WHERE user_email = '$email'
                                       AND user_password = '$passwordHash'")){
   echo "User is authenticated";
}
else{
   die("Bad username/password");
}

Calling generateHash() with a single argument (the plain text password) will cause a random string to be generated and used as the salt. The resulting string consists of the salt followed by the SHA-1 hash of the salt prepended to the password. We store that in the database. When you’re checking a user’s login, the situation is different in that you already know the salt you’d like to use. The string stored in your database can be passed to generateHash() as the second argument when generating the hash of a user-supplied password for comparison.

While nothing is perfect, and virtually every password is vulnerable at some point to brute force (it’s just a function of time and computing power), these few lines of code will add n^SALT_LENGTH more variations to your users’ passwords, making your application that much more secure.
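The scheme above, as an added example in Python rather than the post’s PHP: generate_hash reproduces the salt-then-SHA-1 storage format and check_password the login path, and, as the caveat a practitioner would want, a second pair uses a 16-byte salt with PBKDF2 so every guess against a leaked table costs far more than one SHA-1. The function names, the PBKDF2 work factor and the sample password are this example’s own choices, not the post’s.

```python
# Added example, not the original post's code: the post's salted SHA-1 scheme
# and a slower PBKDF2 variant, each with its verifier.
import hashlib
import hmac
import secrets

SALT_LENGTH = 5          # hex characters, mirroring define('SALT_LENGTH', 5)
PBKDF2_ROUNDS = 100_000  # work factor for the slow variant (example's own choice)


def generate_hash(plain_text, salt=None):
    """Post's format: salt followed by sha1(salt + password), as hex."""
    if salt is None:
        # New password: fresh random salt (the post used md5(uniqid(rand(), true))).
        salt = secrets.token_hex(SALT_LENGTH)[:SALT_LENGTH]
    else:
        # Login: the stored value begins with the salt, so reuse its first characters.
        salt = salt[:SALT_LENGTH]
    return salt + hashlib.sha1((salt + plain_text).encode()).hexdigest()


def check_password(plain_text, stored):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(generate_hash(plain_text, stored), stored)


def generate_hash_pbkdf2(plain_text, salt=None):
    """Same salt-then-hash idea with a 16-byte salt and a deliberately slow KDF;
    stored as '<salt hex>$<derived key hex>'."""
    if salt is None:
        salt = secrets.token_hex(16)
    key = hashlib.pbkdf2_hmac("sha256", plain_text.encode(),
                              bytes.fromhex(salt), PBKDF2_ROUNDS)
    return f"{salt}${key.hex()}"


def check_password_pbkdf2(plain_text, stored):
    """Split off the stored salt, re-derive, compare in constant time."""
    salt, _ = stored.split("$", 1)
    return hmac.compare_digest(generate_hash_pbkdf2(plain_text, salt), stored)


if __name__ == "__main__":
    stored = generate_hash("hunter2")  # constructed sample password
    print(stored, check_password("hunter2", stored), check_password("hunter3", stored))
    slow = generate_hash_pbkdf2("hunter2")
    print(slow, check_password_pbkdf2("hunter2", slow))
```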

# October 18th, 2010 @ 10:06pm - Comments Off

I predict by 2020 Facebook will be the world's most important technology company -- by revenue, market cap, and profitability. Larger than Google, Microsoft, and Apple. #

Cost of Debt

# September 9th, 2010 @ 8:55pm - Comments Off