Tuesday, June 28, 2011

Of Auto-Authenticating URLs, Shortlinks, and Danger

The road to hell is paved with good intentions, they say.

So, it was a good intention when someone (not me) decided to install a link shortener and send password reset links through it, before producing the printed newsletters that would be sent out to individual members. They would need to type the URLs in by hand, so a shorter URL was a good idea. At least, it must have seemed like it, at the time.

Today I took a look at this system, which I was asked to clean up before it gets used again after several months of being ignored. I admit it didn't click in my mind immediately, but after producing some newsletter content in our staging system and verifying the shortlinks were being recorded properly, it suddenly jumped out of the screen and bit me on the nose:

The shortener was producing sequential links for a bunch of password reset links.

What this meant in practical terms is that two newsletters sent out with password reset links for two different users would send them URLs like http://foo.com/z1 and http://foo.com/z2. While these were very short for the user to type in, they were not easy to type in correctly, and "correctly" has to be part of how you measure easy. The identifiers are so short and the space so condensed that mistyping won't get you a 404, but someone else's entirely valid password reset link. This is terrible. There is a reason password resets give you links with long randomized sequences of characters, and all of those reasons were being thrown out the window.

Turns out, a shortened URL can be too short.
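To make the failure concrete, here is an added example (not from the post or from the shortener it describes) that models a base36 sequential shortener beside a random-token one and measures how often a single mistyped character lands on another live link; the base36 alphabet and the batch of 1000 links are assumptions.

```python
import secrets
import string

# Base36 alphabet: a plausible model of a shortener that hands out "z1", "z2", ...
BASE36 = string.digits + string.ascii_lowercase
# Alphabet that secrets.token_urlsafe() draws from.
URLSAFE = string.ascii_letters + string.digits + "-_"


def sequential_tokens(count, start=1):
    """Constructed model of the sequential shortener: base36 counter values."""
    tokens = []
    for n in range(start, start + count):
        digits = ""
        while n:
            n, rem = divmod(n, 36)
            digits = BASE36[rem] + digits
        tokens.append(digits)
    return tokens


def random_tokens(count, nbytes=16):
    """Hardened alternative: 128 bits from the OS CSPRNG per link, as a reset token should be."""
    return [secrets.token_urlsafe(nbytes) for _ in range(count)]


def single_typo_neighbours(token, alphabet):
    """Every string reachable from token by mistyping exactly one character."""
    for i, ch in enumerate(token):
        for alt in alphabet:
            if alt != ch:
                yield token[:i] + alt + token[i + 1:]


def typo_hit_rate(tokens, alphabet):
    """Fraction of issued tokens for which some one-character typo is another live token."""
    valid = set(tokens)
    hits = sum(
        1 for t in tokens
        if any(n in valid for n in single_typo_neighbours(t, alphabet))
    )
    return hits / len(tokens)


if __name__ == "__main__":
    # Constructed batch of 1000 reset links, as one newsletter run might issue.
    print("sequential:", typo_hit_rate(sequential_tokens(1000), BASE36))
    print("random:    ", typo_hit_rate(random_tokens(1000), URLSAFE))
```

With sequential base36 IDs every one of the 1000 links has a one-character typo that resolves to somebody else's reset link; with 128-bit random tokens none does.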

Monday, June 27, 2011

A tale of three TODO products

I'm the kind of guy that hates the amount of time he spends considering, evaluating, and test driving new productivity software. Recently I had yet another surge of uncertainty over my use of Remember The Milk, and I tried a few other things. I gave Nozbe and Todo.txt a spin, and I've come to a conclusion.

For now...

I have been a big fan of Remember The Milk, and I pay for a professional account. Even still, I'm not above admitting I might be wrong, so when a few things started to annoy me I sought out something new. I had heard Todo.txt talked up a lot on This Week in Google, given that the author is a host on the show. I had also tried Nozbe in the past, but knew it had had several large updates since then and wanted to give it another try.

Remember The Milk

I really was happy with RTM, so I want to make clear the things I do like about it! I really have been happy with the Android app, and with the use of smart lists to create filters that match different contexts I want to work in. Here is the cornerstone of my smart lists, which I combine with several others:

(dueBefore:"tomorrow midnight" OR (due:never AND tag:next) ) OR (dueWithin:"1 month of today" AND tag:bill) OR (tag:writing AND dueWithin:"1 week of today") OR (tag:sticky)

This means "everything with a due date that is today or already passed, or without a due date and marked to be done next, or due within the next month and a bill, or something I need to write within the next week, or tagged 'sticky'". I can update this as need be, and other lists that use it adjust themselves. What this lets me do is set due dates in the future and hide the items until they become important, so it works great for setting my todo list for work and for seeing a condensed set of things I should focus on each day.

So, what was getting on my nerves? What I haven't gotten to feel right is a small and loose set of tasks that I want to do in order, so that only one is relevant at a time. A good example is a book series. I need to maintain next tags on items right now, and that isn't terrible, but automation is great. What I feel would be nice is a tool where lists were super light and throw-away and only the top item on the list was included in the main view, as a "Next Action". Yes, that is a GTD thing.

Todo.txt

I can't say the idea of keeping everything in a file I own isn't appealing; it is. I was able to customize the sorting command and some filtering options so I could kind of do something like the next actions I talked about before, and I could see the first thing in each context I've defined when I list my tasks. But that flexibility kind of vanishes when I use the Android app, so while it is very cool that it just syncs my local file via Dropbox, it also means that I can only customize half my experience, which kind of just makes the Android half feel worse. At least my smart lists work in RTM's Android app.

Nozbe

The most appealing feature here is actual support for next actions. With any list, anything marked as a next action is easily accessible, and the main view will show me only one next action for each list and will show me the next one when I complete the current. That's great. However, lists are not cheap. As in, I need to pay to get more than 5, and it costs more than RTM. I did not feel that I could create them willy-nilly, which meant I felt confined. Nice app, and an integration with Evernote that I will never use, even though I am an Evernote user. Better luck next time.

Conclusion

I've returned to Remember The Milk. I should focus on doing, more than what to be doing.

Freelance Freedom #213: Getting Things Done


Relearning Twisted.web

I want to use Twisted.web for some projects, and I haven't used it in years. I'm relearning and I feel like a novice all over again, as I should, given the years that have passed since I have seriously looked at any Twisted code. I miss it, very much. Want to relearn or learn for the first time? I can't stress enough the excellence of a quick pass through the examples in Twisted.web in 60 Seconds. Go through those immediately. Afterwards, I read up on the new twisted.web.template, which is based on the Nevow templates I worked with what feels like so long ago, and I'm pretty happy with what I see there. I'm wondering how well it will produce HTML5 compliant markup; not that HTML5 is very strict, but it looks pretty clear.

My brain still thinks in asynchronous operations and I constantly have to unravel those thoughts and figure out how to express them, non-ideally, in a synchronous workflow. This is becoming tiring, and while I don't plan on leaving Django, I do plan on giving my brain a rest. Maybe I'll find a way to combine my two interests in the near future...

This is the result of the hour I spent relearning last night.

import time

from twisted.web.server import Site, NOT_DONE_YET
from twisted.web.resource import Resource

from twisted.internet import reactor
from twisted.internet.defer import Deferred


class ClockPage(Resource):
    # No child resources: this resource handles the whole remaining path.
    isLeaf = True

    def render_GET(self, request):
        d = Deferred()

        @d.addCallback
        def _(r):
            # Twisted writes bytes to the transport, so encode the rendered body.
            request.write(("<html><body>%s</body></html>" % (r,)).encode("utf-8"))
            request.finish()

        def get_time(r):
            # Fires two seconds after the request arrived with the current time.
            d.callback(time.ctime())

        reactor.callLater(2, get_time, None)
        # Tell twisted.web the response is finished asynchronously, not by this return value.
        return NOT_DONE_YET


resource = ClockPage()
factory = Site(resource)
reactor.listenTCP(8888, factory)

reactor.run()

Monday, June 13, 2011

Windows 8, HTML5 Applications, and Bitching, Moaning, Whiny Developers

I have a great idea, Windows developers: stop being a big bag of whiny bullshit. Oh my god, you have yet another optional API in your toolbox, if you want to use it. Oh no! It's based on scary web thingies you haven't used before! Guess what? COM was new and scary, and so was Win32, and so was .Net and WFC and DirectX and everything else Redmond has spat at your feet to walk on or praise, at your discretion, for the last several decades. You're making a big whiny fuss because you have one more optional API to use, for a novelty new feature that has obvious merits, but is so obviously not the entire picture of Windows 8 that your overt and public cry-fest would be laughable if it was even remotely believable. I refuse to accept that the host of Windows developers is really buying into the bullshit story that everything in the history of Windows is getting swept under the rug and replaced by this, that everything is immediately an old, festering legacy API with legacy applications waiting to collect dust on Ballmer's bookshelf. Not a god damn chance. They didn't rewrite Word on top of .Net, and they aren't going to rewrite it for HTML5, either. They're going to integrate a lot of things the Internet Explorer 9 platform provides into the new operating system and they're going to do some fun looking features and make a great effort. Hell, it might even be a Decent Product! But you know what it isn't going to be? It isn't going to be made-from-scratch biscuits from grandma's secret recipe. No. This is going to be Hamburger Helper with some basil tossed in, so the cook feels fancy. Learn a little JavaScript, because you've got so many things under your belt already that one more language isn't going to make much of a difference, so live a little and see what it's all about.

Make a fun little touch-based Windows 8 application and impress your friends, and then get back to your job where you'll write version 17 of whatever corporate tax audit tool you've been maintaining for the last twenty years. When someone suggests rewriting it for Windows 8, giggle with your friends while one of the managers mentions that most of the customers are still migrating off Windows XP and IE6, and move on to getting some real work done.

I write here about programming, how to program better, and things I think are neat and are related to programming. I might write other things at my personal website.

I am happily employed by the excellent Caktus Group, located in beautiful and friendly Carrboro, NC, where I work with Python, Django, and Javascript.