It’s Not a Backslash

This is a re-run from my old blog, originally posted on November 12, 2008. After hearing “backslash” on the radio this week, I decided it needed to be posted again.

The slash (/) that shares its key with the question mark is not a backslash. It’s a plain old forward slash, and should always simply be called “slash”. This is the same slash that you see in URLs.

I cringe every time I hear this done wrong, and it happens all the time on radio advertisements. Let me set the record straight:

If you’re reading the URL “nytimes.com/pages/world”, say, “nytimes dot com slash pages slash world”. Never call either of those things a backslash. It’s not only unnecessary, it’s wrong.

I suspect the confusion about slashes stems from Microsoft’s use of the backslash in DOS, the popular operating system from the 1990s. In filenames and paths, DOS used a backslash (\) to separate folder names. For instance, a folder name might be “C:\DOS”, or “C colon backslash DOS”. Unix systems didn’t use this convention, and that’s largely what the Internet is based on.

Of course, in the DOS days, computers were unforgiving. If you accidentally used a forward slash, things wouldn’t work. Today, if you unnecessarily use a backslash in a web browser, your computer now knows enough to ignore you and do the right thing.

Don’t believe me?

http://en.wikipedia.org/wiki/Slash_(punctuation)
http://en.wikipedia.org/wiki/Backslash

And while I’m on the subject, you never have to say or type “http://”, and you almost never need the “www”. Just say or type, “Google dot com”.

The Steve Jobs Movie

It’s on IMDB, so it must be true: Ashton Kutcher will star in Jobs, a 2013 biopic about the Apple founder. Scrolling through Kutcher’s filmography, I’m going to go ahead and declare that this is his first serious role.

I’m just finishing the biography by Walter Isaacson (I’m late to the party, I know), and there’s more than enough intriguing material for a great film. But that’s the problem. As a nerd, I want them to tell a visionary’s amazing success story rather than a cheesy romantic drama.

What the movie should be is an edgy, foul-mouthed drama showcasing the best anecdotes from the book. I want to see Gates and Jobs have at it. I want to see Jobs and Jony Ive look together at a mockup of the first iPhone. And I want to witness freak-outs in full Jobsian narcissistic glory. In short, I want to see the history behind Apple’s products and the computer industry at large. These are the people and events that have shaped my profession and, to some extent, influenced my life.

But who’s listed third under cast? Ahna O’Reilly playing Chris-Ann Brennan— Jobs’ girlfriend in his twenties and the mother of his first daughter. How is she the third most important “character” in Steve Jobs’ life? This is why tech nerds hate Hollywood.

3 Lessons from the LinkedIn Password Disaster

LinkedIn made the headlines for all the wrong reasons last week. If you haven’t been paying attention, here’s a great summary of what we know. Certainly, it’s disturbing that a company with such substantial resources couldn’t follow basic security practices. Decent web developers routinely implement hashed, salted passwords on shoestring budgets. However, we all stand to learn something from this whole episode.

1. It Could Be Worse (Technically Speaking…)

Taking a step back, LinkedIn could have done worse from a technical standpoint. There are many companies who don’t even hash their users’ passwords. Every so often, I’m completely taken aback when a website emails me my own password in plaintext. This is a bad practice for two reasons: first, email is inherently insecure, and second, passwords should be stored such that they can never be recovered, just in case of a data leak. I find being emailed my own password such a troubling breach of trust that I keep track of offending websites. In 2008, VistaPrint emailed my password right after I created an account. And it happened again in 2009 after I bought concert tickets from Live Nation. I can only hope they’ve subsequently corrected their ways. Perhaps it’s more excusable from smaller operations, such as Evite and Rent.com, who revealed my passwords in 2007 and 2010, respectively. LinkedIn dropped the ball by not appending a unique salt value to each password, but I’ll give them partial credit for hashing and using the right algorithm (SHA-1 instead of MD5).
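To make the salting point concrete, here is an added example (not code from LinkedIn or from the original post) that stores the same accounts once as unsalted SHA-1 and once with a unique random salt per account. The account names, passwords and iteration count are constructed for illustration, and PBKDF2-HMAC-SHA256 is this example's own choice of salted scheme.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users happen to pick the same password.
ACCOUNTS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "S7!vq-uncommon"}
ITERATIONS = 100_000  # assumed work factor, chosen for this example


def unsalted_sha1(password):
    """Unsalted hash: identical passwords always yield identical digests."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password, salt=None):
    """Salted hash: a fresh random salt per account, fed to a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password, salt, expected):
    """Re-derive with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def accounts_sharing_digest(table, user):
    """Users whose stored value equals `user`'s, as a leaked table would show."""
    return sorted(u for u, stored in table.items() if stored == table[user])


def build_tables():
    """Store every sample account both ways for comparison."""
    unsalted = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    salted = {u: hash_password(p) for u, p in ACCOUNTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted, same digest as alice:", accounts_sharing_digest(unsalted, "alice"))
    print("salted, same digest as alice:  ", accounts_sharing_digest(salted, "alice"))
    salt, digest = salted["alice"]
    print("login still works:", verify_password("linkedin123", salt, digest))
```

In the unsalted table, anyone holding the leak can see that alice and bob share a password, and a single recovered digest exposes both; with per-account salts the stored values differ even though the password is the same.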

2. Users Need More Information

LinkedIn followed a common-sense approach in response to the breach. According to the company blog, they identified users whose passwords were compromised, disabled those passwords, and alerted those users so they could change passwords on other websites as necessary. But they did it quietly. Although a banner at the top of the page directs users to the company blog, LinkedIn’s official response was drowned out by news sites and social media. And when users’ concerns aren’t addressed officially, they look for answers elsewhere.

Two days after the story broke, I got an email from a family member who stumbled onto LinkedIn Answers looking to determine whether his password was among the compromised. He got this answer:

LinkedIn Answers suggests downloading the stolen password hashes and looking for your hashed password.

LinkedIn Answers: not how you want your users getting their information

He didn’t follow the advice, and I wouldn’t recommend these steps to anyone. For one, I wouldn’t want a list of stolen password hashes on my PC. Also, why would I trust a third-party website to hash my LinkedIn password? However, I’d bet some users would mistake this for an official LinkedIn response. Scary.

3. Protect Yourself

I was surprised to see this happen to such a large website, but I should not have been. No one seems to be immune to cyber attacks, as the nation’s largest defense contractor learned last year. Evidently, we need to assume the online services we use are simply not secure. There are ways to protect yourself, but not without some inconvenience. Here are some practices that I think are a nice medium between paranoia and vulnerability:

  • Use a strong password — many of the leaked password hashes that have been cracked so far were likely weak passwords and easy for algorithms to guess
  • Use a unique password for every account you’d like to keep safe — remembering dozens of passwords is hard, but you need to vary your password on sites you care about
  • Be careful whom you trust — assume that wi-fi hotspots are insecure, most websites will be hacked, and apps from companies you’ve never heard of (especially on Facebook) exist solely to steal your data

Hope that helps.

Welcome

I’m always amazed at the wealth of knowledge and work produced by the open source community and then given away for free. Like so many others, I’ve benefited considerably, both in my personal and professional life, by the countless blogs, message boards, and software projects. To help repay my karmic debt, I’m pleased to introduce 10flow, my new personal blog on all things digital.

By way of introduction, I’m an electrical engineer with a broad background spanning hardware and software. I’ve studied at Villanova University and the University of Pennsylvania, and my work has included freelance projects, several years at a major defense contractor, and now a staff position at a government lab. Of course, all content on this site reflects my own work and opinions and not those of any past or present clients or employers.

I plan to share technical thoughts and insights that might help someone, somewhere. I encourage you to leave comments, and I hope my posts will start interesting discussions.

Thanks for visiting!