Deadbolt Your Hotel Room; Use the In-Room Safe

Sebastian Anthony for ExtremeTech:

With less than $50 of off-the-shelf hardware and a little bit of programming, it’s possible for a hacker to gain instant, untraceable access to millions of key card-protected hotel rooms.

A great example of how something higher-tech is inherently less secure than what it replaced.

Apple IDs and Passwords in Plain Text

Lex Friedman for Macworld has a report on the in-app purchases hack that’s been circulating. The most amazing part:

iOS users who try the hack may find that, in addition to robbing the developers behind apps that they enjoy, they’ve put themselves at risk. “I can see the Apple ID and password,” for accounts that try the hack, Borodin told Macworld. “But not the credit card information.” Borodin said that he was “shocked” that passwords were passed in plain text and not encrypted.

According to Tabini, though, “Apple presumes it’s talking to its own server with a valid security certificate.” But that was clearly a mistake—“This is entirely Apple’s fault,” Tabini added.

Anyone who has done this is fortunate that the first person who found the hack seems to be a pretty nice guy.

And this being the case is shocking.

Scaling Lessons Learned at Dropbox

Rajiv Eranki:

I was in charge of scaling Dropbox for a while, from roughly 4,000 to 40,000,000 users. For most of that time we had one to three people working on the backend. Here are some suggestions on scaling, particularly in a resource-constrained, fast-growing environment that can’t always afford to do things “the right way” (i.e., any real-world engineering project ;-). If people find this useful, I’ll try to come up with more tips and write a part 2.

I don’t understand the majority of the information presented here, but it’s still interesting to read. I was particularly interested in this bit though:

Security is really important for Dropbox because it’s people’s personal files. But all services are different, and many security decisions will inconvenience someone, whether it’s a programmer or a user.

For instance, almost every website has a thing where if you enter in a wrong username OR wrong password it’ll tell you that you got one wrong, but not tell you which one. This is good for security because you can’t use the information to figure out usernames, but it is a GIANT pain in the ass for people like me who can’t remember which username they registered under. So if you don’t actually care about exposing usernames (maybe on something like a forum or Pinterest where they’re public anyway), consider revealing the information to make it more convenient for users.
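The trade-off Eranki describes, as an added example (not Dropbox's code): a login check that by default returns one generic message whether the username or the password was wrong, with an opt-in flag for sites where usernames are public anyway. The user store, salt and passwords are constructed for the example. Note that when the username does not exist the function still hashes the supplied password against a dummy record, so the response time does not reveal what the generic message is hiding.

```python
import hashlib
import hmac

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not real credentials.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt-0001"
USERS = {
    "alice": (_SALT, _hash_password("correct horse", _SALT)),
}

# Dummy record used for unknown usernames so the same hashing work is done
# on every request; otherwise a fast "no such user" path leaks through timing.
_DUMMY_HASH = _hash_password("placeholder", _SALT)

GENERIC_ERROR = "Incorrect username or password."

def login(username: str, password: str, reveal_username_errors: bool = False):
    """Return (ok, message).

    reveal_username_errors=False: one message for both failure causes
    (does not let a caller confirm which usernames exist).
    reveal_username_errors=True: the convenience mode Eranki suggests for
    services where usernames are public anyway.
    """
    record = USERS.get(username)
    salt, stored = record if record is not None else (_SALT, _DUMMY_HASH)
    candidate = _hash_password(password, salt)
    # Constant-time comparison; a match against the dummy hash never counts.
    ok = hmac.compare_digest(candidate, stored) and record is not None
    if ok:
        return True, ""
    if reveal_username_errors:
        if record is None:
            return False, "No account with that username."
        return False, "Incorrect password."
    return False, GENERIC_ERROR

if __name__ == "__main__":
    print(login("alice", "correct horse"))
    print(login("alice", "wrong"))
    print(login("bob", "wrong"))
    print(login("bob", "wrong", reveal_username_errors=True))
```

The flag is a per-site policy decision, which is the point of the quoted passage: the generic message costs some users a failed login, and the specific one costs the ability to keep the user list private.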

Jakob Nielsen on Password Masking

Jakob Nielsen:

Usability suffers when users type in passwords and the only feedback they get is a row of bullets. Typically, masking passwords doesn’t even increase security, but it does cost you business due to login failures.

It’s time to show most passwords in clear text as users type them.

This is an interesting challenge of the status quo, and the more I think about it the more I agree with the idea.