
Thank you culture

As in "The culture to say 'Thank You'"

A lot of things have reminded me lately of some of my resolutions. Interaction with other people is often about tone, intention, courtesy and gratitude. Gratitude and friendliness are the salt in relationships with people, even with those that you barely know.

One coffee 5 €
One coffee please 2,50 €
Good morning, one coffee please 1,50 €
Sometimes I see things that catch me completely off guard. Probably the biggest effect on my use of the German (and English) language came from a random photo on the internet that's well described in this article (and that I'm mimicking above). Since I saw this, I'm training myself to add a "Please", "Thank you", "Good afternoon" or whatever the current language's expression for these terms is, to as many sentences as possible. And yes, those are the first words that I try to learn in every language. A smile also helps a lot. But I'm still a "grateful person in training" - quite often I skip the explicit statement inadvertently.

At Liferay's recent developer conference I had the honor to open and close the conference - and guess what I totally forgot when I hastened to close it (we were running late and it was a long day)... I still haven't fully recovered from failing to publicly thank those who did the most work and enabled me (and all others) to have a great event.

What actually triggered this article is another vivid memory of the same event (and several related events before): Multiple people approached me and expressed their gratitude for my help with random forum and Stack Overflow posts. Needless to say, I didn't recognize them from the tiny avatars used on those sites, but it feels really good if that otherwise anonymous work is recognized. To those who did: Thank you for noticing, and thanks for letting me know.

As you'd expect, these are not the only stories, but this is as far as I'd like to go back in this article. If I ever forgot to explicitly thank you: I'm sorry and hope it won't happen again.

And here's the action item for you: Express gratitude, always and especially where it might not even be expected. And I'm promising to do the same. Watch out for the results - if you want to improve the world, this is one of the easiest steps you can take.

Thank you for reading until the end.

HTTP and HTTPS - mixed mode configuration

why it doesn't work and how to fake it

tl;dr: Are you tasked with setting up a webserver that must be accessible over both http and https?

When somebody demands that this mixed mode must be possible, here are some arguments why you shouldn't give in (because in general it does not work - at least not as it is expected to work) and a neat workaround that can help you sleep better when you can't win the argument to go https only.

More...

Substitute for what?

Chive substitute

I thought there was nothing left in the vegetable aisle of the local supermarket that I didn't recognize. Yes, there are markets and vendors of old, little-known vegetable varieties that look unusual, but you still know the varieties (funnily colored carrots, tomatoes, etc.).

But I still don't know what I found on the shelf today... Better to go back to the farmers' market, as long as it isn't too cold and uncomfortable yet...


TNO - Trust No One.

Exploring firefox sync

First of all: This is not a security analysis, and no statement about the actual security of Firefox Sync. It's merely an analysis of the description given in the FAQ and my conclusion from that. And a brief one as well. I do not want to downplay the security of Firefox Sync. It's merely an example of how to read and judge claims about security features in documentation. I did not even look at the technical background of Sync, I didn't try to use it - and I don't want to. Read on to know why.

[Update: From the comments below it seems that technically everything is well designed: Keys get generated on the client. Still, as this is about reading security information literally, the comment holds. I hope the FAQ will be updated to state this sooner or later]

Handling passwords

I know that I can save my passwords in Firefox. In fact, I use this feature for certain sites. I implicitly trust the algorithm that's used for encrypting the password vault with the passphrase that I have to enter (the so-called master password). Of course, this is the first thing I do after installing Firefox on a new machine. And I trust my passphrase to provide enough security for the purpose of the passwords that I save in there. And I trust that my passphrase never leaves my computer.

However, now, on a new system with the latest and greatest Firefox, Firefox not only offers to store my password, but also to sync it to Mozilla's servers. This comes from a component called Sync, which used to be a plugin but is now part of the core. I guess many people might use it for that reason.

Being the security conscious wisenheimer (why would I want my passwords to be stored on a third party computer?), I looked up "firefox sync" and got directed to Mozilla's FAQ. There it states, among other things:

What is a Sync Key and why do I need one?

When you set up a Sync account we generate a long string of numbers and letters that we call a Sync Key. The Sync Key is used to encrypt your data before it's sent to the Mozilla servers. Think of it as a key that locks your information in a vault that only you can open. This means that neither Mozilla nor anyone else can read your information without having your Sync Key to unlock it.

Where's all my data?

It's encrypted with your Sync Key and safely stored on the Mozilla servers. Because Sync uses advanced security measures your information is never vulnerable to online bad guys or companies that will sell your information.

Sounds good? Well, very convenient at least. Let me emphasize the parts that caught my attention: "we generate a long string of numbers and letters that we call a Sync Key", "neither Mozilla nor anyone else can read your information without having your Sync Key", and "your information is never vulnerable".
As I said, I never analyzed sync! I only read the linked FAQ article. And these two paragraphs make me want to uninstall it immediately. But I can't - it's in the core now. Well, at least I can "not use" it.

Just in case there is someone who didn't get my point from the emphasis above, here's some reasoning:

Mozilla generates a key, and nobody who does not have it can access my data. This should imply that nobody but me can access my data. But what keeps the party that generates such a key from keeping a copy? I had been somewhat wary even before I started to listen to the Security Now netcast, but from Steve Gibson I learnt the term "Trust No One" (TNO), which gave a name to my suspicions.
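To make the distinction concrete, here is an added toy model of a TNO-style sync client and server in Python. It is not code from this post and not Firefox Sync's actual implementation: the client generates the Sync Key locally and never uploads it, the server only ever stores ciphertext, and anyone who does hold the key (including a server that generated it and kept a copy, which is the literal reading of the FAQ) can read everything. The cipher is a stand-in built from HMAC-SHA256 (counter-mode keystream plus encrypt-then-MAC tag) so it runs with the standard library alone; the user name, the sample password entry and the class and function names are all made up for this example.

```python
import hashlib
import hmac
import secrets

# Toy authenticated encryption from the standard library only: an
# HMAC-SHA256 keystream in counter mode plus an HMAC-SHA256 tag
# (encrypt-then-MAC). A stand-in for a real AEAD such as AES-GCM;
# it is NOT the scheme Firefox Sync uses.

def _derive_subkeys(sync_key: bytes) -> tuple:
    """Split the Sync Key into independent encryption and MAC keys."""
    enc_key = hmac.new(sync_key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(sync_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC(nonce || counter) blocks, concatenated and cut to length."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt(sync_key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag."""
    enc_key, mac_key = _derive_subkeys(sync_key)
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(sync_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises."""
    enc_key, mac_key = _derive_subkeys(sync_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered blob")
    stream = _keystream(enc_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, stream))

class SyncServer:
    """Hypothetical server: stores whatever is uploaded, holds no key."""
    def __init__(self):
        self.storage = {}

    def upload(self, user: str, blob: bytes) -> None:
        self.storage[user] = blob

    def download(self, user: str) -> bytes:
        return self.storage[user]

class SyncClient:
    """Hypothetical client. TNO: the Sync Key is generated here and
    never leaves the device unless the user carries it to another one."""
    def __init__(self, server: SyncServer, user: str, sync_key: bytes = None):
        self.server, self.user = server, user
        self.sync_key = sync_key if sync_key is not None else secrets.token_bytes(32)

    def push(self, secret: bytes) -> None:
        self.server.upload(self.user, encrypt(self.sync_key, secret))

    def pull(self) -> bytes:
        return decrypt(self.sync_key, self.server.download(self.user))

def can_read_stored_blob(server: SyncServer, user: str, key: bytes) -> bool:
    """What a party holding only the stored blob plus `key` can recover."""
    try:
        decrypt(key, server.download(user))
        return True
    except ValueError:
        return False

def demo() -> dict:
    server = SyncServer()
    laptop = SyncClient(server, "alice")
    entry = b"site=example.org user=alice pw=correct horse"  # constructed sample
    laptop.push(entry)
    # Second device: the user types the same Sync Key in by hand;
    # the server never saw the key, only the encrypted blob.
    desktop = SyncClient(server, "alice", sync_key=laptop.sync_key)
    return {
        "second_device_reads": desktop.pull(),
        # Server with no key (the FAQ's intended meaning): nothing.
        "server_without_key": can_read_stored_blob(server, "alice", secrets.token_bytes(32)),
        # Server that generated the key and kept a copy (the literal
        # reading): it reads everything, "advanced security" notwithstanding.
        "server_with_key": can_read_stored_blob(server, "alice", laptop.sync_key),
    }

if __name__ == "__main__":
    print(demo())
```

The property the FAQ should state is the one the second and third results show together: where the key is made decides who can read the vault, and "encrypted before upload" says nothing about that by itself.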

Well, and "never vulnerable" is probably a bit too far-fetched and would need a few disclaimers. But this is merely a small detail, not the core of my problem.

It's not that I don't trust Mozilla (I've been running their software loyally since the Netscape age, and you know what software running locally can do), but this description hides the underlying problems from the ingenuous reader. I know that the FAQ is a wiki - I could edit it or the discussion - but the underlying problem is not so much in this documentation, it's rather the principle that's broken (if the documentation is correct). Yes, it's a convenient solution, but no, there's no way I accept the described mode of operation as a security feature for knowingly storing data like my passwords on any third party server. I know that others might accept this, but it really turns me off and away from this.

Even if the FAQ is incorrect and the Sync Key is generated locally and never leaves my computer (unless I install it on another computer myself), this article still asks you to read such documentation carefully.

And, to finish this with another disclaimer: For the foreseeable future Firefox will remain my preferred browser. I'm a geek of habit, and it's easy to work around this issue by not using Sync. After all, it takes some work to activate it. And I love Firefox (and the plugin zoo that I have assembled and that I trust implicitly). Oh, and did I mention that I love Security Now?

Radio Liferay

the people, the project, the product and the company

I've started podcasting again. It's all on liferay.com and feedburner. The current working title is "Radio Liferay" and it covers all things noteworthy about Liferay.