Bad E-mail Restrictions

For a few years now, I’ve owned gurganus.name. Over this year, I’ve been changing my e-mail usage to use the e-mail address I have through it. This can be problematic though. Here’s what I occasionally run into. Some sites validate e-mail addresses in various ways. Generally, validating input is a good thing. It’s not a good thing when it is done wrong though. What’s being done wrong? Well, I often see the validation being done with a regular expression that restricts the top level domain to being two or three letters. This is naive and wrong. If you look at the list of top level domains managed by the Internet Assigned Names Authority (IANA), you’ll find many two and three letter domain names, but you will also find the “museum” top level domain. Even if you included a check for every top level domain’s length, you would end up with a system that will break when a new top level domain is created.

What should you do instead?

The better approach is simply to follow the e-mail address format specified by the addr-spec production of RFC 2822. This places no length restriction on the domain name. You’ll find out that part is invalid when you look up the domain name in order to send a message.
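As an added illustration (not code from the original post), here is the naive two-or-three-letter check beside a validator built on a subset of the RFC 2822 addr-spec; the sample addresses are constructed, and the .name and .museum cases show exactly where the naive pattern goes wrong.

```python
import re

# The naive check the post complains about: a top-level domain of exactly
# two or three letters, which rejects .name and .museum addresses outright.
NAIVE_TLD_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,3}$")

# A subset of the RFC 2822 addr-spec: dot-atom "@" dot-atom. It places no
# limit on the number of labels or on the length of the top-level domain.
# (Quoted-string local parts and domain literals, which addr-spec also
# allows, are left out of this illustration.)
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
DOT_ATOM = rf"{ATEXT}+(?:\.{ATEXT}+)*"
ADDR_SPEC_RE = re.compile(rf"^{DOT_ATOM}@{DOT_ATOM}$")


def naive_is_valid(addr: str) -> bool:
    return NAIVE_TLD_RE.match(addr) is not None


def addr_spec_is_valid(addr: str) -> bool:
    """Syntactic check only. Whether the domain exists is discovered when
    the mail system looks it up to deliver a message, not at form time."""
    return ADDR_SPEC_RE.match(addr) is not None


def compare(addresses):
    """Return {address: (naive_verdict, addr_spec_verdict)} so the two
    approaches can be compared on the same input."""
    return {a: (naive_is_valid(a), addr_spec_is_valid(a)) for a in addresses}


# Constructed sample input: the post's own domain and IANA's .museum TLD
# alongside a couple of genuinely malformed strings.
SAMPLE_ADDRESSES = [
    "someone@gurganus.name",
    "curator@example.museum",
    "user@example.com",
    "no-at-sign",
    "two@@example.com",
    ".leading-dot@example.com",
]

if __name__ == "__main__":
    for addr, (naive, spec) in compare(SAMPLE_ADDRESSES).items():
        print(f"{addr:28} naive={naive!s:5} addr-spec={spec}")
```

Note that the naive pattern also accepts the leading-dot local part, so it is both too strict on the domain and too loose on the local part.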

Another Coincidence

I experienced another coincidence lately. I was using StumbleUpon and came across Kaeli on it. As I occasionally do, I perused her profile and saw that she was interested in discussion. I wrote to her:

Hey Kaeli, I noticed that you are really into discussion. Let’s start one. What is the most critical subject of elementary skills: reading, writing, and arithmetic?

She replied and said that she was indeed interested in discussion, but she asked "How’d you notice that I’m into discussion?" As she would later tell me, she thought some of her past discussions with other people had somehow become public. Anyhow, I creatively wrote back:

Actually, I’m psychic. I just kind of pick up on subtle clues. In this case, it was the subtle clue in your profile message. I bet if you take a look at it, you’ll see how I figured out that you were into discussion. Go ahead, give it a try.

There was no real psychic element. Her profile message said this rather explicitly:

I’m really into spiritual and intellectual learning, discussion, and humor.

Anyhow, I finished the message with a secret to help ensure she would respond:

As for why I asked the question, that is just a secret that I can’t share. Maybe if we continue talking and I trust you with it, I’ll share the secret.

The context of this is that I had been reading various things about relationships and dating. Most of the skills I come across are applicable for general social situations as well. One of those principles is to leave with the other person wanting more so that they will come again. My most recent reading is The Game: Penetrating the Secret Society of Pickup Artists by Neil Strauss. I had actually seen the book originally mentioned on a Dating on Demand segment and seen it recommended at a few sites.

Anyhow, she responded and said that the psychic line was funny. I told her that I had been reading about relationships and so forth and was reading this book. I ended up telling the secret:

As for that secret, I just asked the question to get a response. As for the secret, that is to get a second response. That is actually a bit of an idea from the pickup artist community, but it is applicable to general conversation as well. You want to know the secret, so you’ll come back for more conversation in this case.

At this point a weird connection was made:

Yeah, unfortunately I discovered that secret before. lol. A friend of mine (who I had only known for a short while at the time) tried all of this pick-up stuff on me- his best friend’s girlfriend- and wrote in his blog the details of his progress. He commented about the psychological things he was trying to do, and my weird/blondeness. As you can probably tell, I’m kind of bitter about this. lol. I liked him a lot, and it really hurt me to find out that he was just doing this psychological thing, you know?

Coincidentally, he goes to your college. So either you’re him, or your perhaps slightly-more-evil twin is running around your campus. lol. You reminded me of him right away.

Anyway… Your thoughts on this? lol.

Anyhow, since that weird connection was made, she has kept talking to me. It was a weird coincidence though.

This post was reviewed by her before I posted it.

Crazy Coincidence

A crazy thing happened last week. I added the iExist application to Facebook. The iExist application lets you enter a greeting that appears on somebody else’s profile randomly. My greeting asked "What did you dream of today?" The next day, I received a Facebook message. In that message, somebody told me one of their dreams. I replied to the person and we subsequently had a conversation. At some point a day later, I felt like I was getting along with the person and decided to add them as a Facebook friend. I clicked on their name to go to what bit of their profile I could see at the time. I then clicked the "Add to Friends" link. The window that opened said a friend request was already pending. I was confused, thinking maybe I had somehow clicked that link twice. I then refreshed the page and that link was now "Confirm friend." I checked my e-mail and there was a friend request from the other person. We had essentially added each other as Facebook friends at the same time. It was weird.

Geni

I came across a new genealogy site called Geni. It is unique in that it combines the ideas of social networking sites, so each person can have their own account and make their own additions to the family tree. Hopefully, some of my family members will join it, and I can see what happens. It is a new site with recent popularity, so it has some bugs and can be slow.

Ready for a New Day

Today, I attended the launch event in Indianapolis for Windows Vista, Office 2007, and Exchange 2007. As a result of attending the launch event, I have valid unused product keys for both Office Professional 2007 and Office Groove 2007. If you are interested in either of these, let me know, and I will pass along the product keys and download instructions.

There were two tracks I attended. The first track was the IT professional track. This track covered deployment of Windows Vista, new features in Exchange 2007, and deployment of Office 2007. In this track, the later talks were more interesting in my opinion.

The other track I attended was the developer track. I went to the launch event with a fellow student, so I had to leave early from it. However, it was definitely interesting.

Why Isn’t Your Software Ready?

Today, I tried renting a video from CinemaNow. It seemed like things were working fine until I actually tried to play the video. It seems like CinemaNow doesn’t work properly on Windows Vista yet. I have asked for a refund of the rental amount as a result.

Here is the problem I have with incidents like this: Windows Vista has been developer ready for over a year. There are various prereleases that were freely available. There is no excuse for companies not being ready. Here is my message: Windows Vista is released. Windows Media Player 11 is released. Windows Internet Explorer 7 is released. Software needs to work on these now. It is true that public availability is not until the end of January, but these products were released in November. Businesses may already be running these products. Users that were in the beta programs for these products may already be running the released products.

I am no business person, but I cannot see how you save money by not making your product work on these systems. Instead, you waste money dealing with support calls wondering why your products are not working.

Get it together! Quality software development includes developing for the future. As I already mentioned and want to reiterate for emphasis, Windows Vista has been freely available in an API-stable state for over a year. There is no excuse for actively developed products not working on it right now.

Vista Still Not Vulnerable

While I have no professional need to do so, I monitor the Microsoft Technical Security Notifications. Specifically, I monitor the comprehensive feed that includes bulletins, revised bulletins, and advisories. Security is an interest of mine, and I have been trying to use secure practices ever since I received malware through a remote procedure call vulnerability in Windows XP during my freshman year. Something that has amazed me is that none of the security notifications since the Windows Vista release have applied to either Windows Vista or Office 2007. I believe there are two reasons for this. The first reason is that both products are significantly more secure than their predecessors, having been fully developed under the Security Development Lifecycle of Microsoft’s Trustworthy Computing Initiative. The second reason is that Windows Vista has not been widely deployed yet and is not generally available. This makes it a less promising target for malware writers. It is also not yet in the hands of security researchers.

There have been some vulnerabilities reported in the popular news during the beta and release candidate stages of Windows Vista, but most of these reports were misinformed. One issue was reported in Windows PowerShell. This tool is not included in Windows Vista and never has been. Another issue is the so-called frankenbuild of Windows Vista. Unethical hackers took activation components from prerelease versions of Windows Vista and spliced them into the release version so that activation could be passed. Microsoft released an update addressing this issue, and the product keys used would quit working for activation once the prereleases expired.

Digital Signatures for Small Projects

Digital signatures are a technology used in Windows to ensure both the integrity and the authenticity of data. Integrity ensures that the data has not been modified. Authenticity ensures that the data came from the source claimed. Usually this is done by creating a hash of the data and signing the hash with the signer’s private key using public key cryptography. The details of how exactly it works are irrelevant to this post. What is relevant is the public key cryptography concept. The way this works is that there are groups called root certificate providers. These are companies like VeriSign, Thawte, and GeoTrust. Those companies use their root certificate to issue certificates to other people. They authenticate the recipient of the certificate to varying degrees. Hypothetically, a root certificate provider could issue certificates to anybody that asks. In that case, there would be no authenticity guarantee, and you would not want their root certificate included in your software. This is where companies like Microsoft come in. Microsoft has a root certificate policy to which root certificate companies must adhere in order for their root certificate to be included in Windows. The chain of trust then is: you trust your copy of Windows to be authentic through the physical certificate of authenticity, and now with things like Windows Genuine Advantage there are some digital assurances in place. As a result, you trust that Microsoft has included root certificates that follow its reasonably defined root certificate policy.

Let’s say you download AOL Instant Messenger. The installer for it is digitally signed with a certificate for AOL. The AOL certificate is digitally signed using one of the root certificate providers. Consequently, you trust Microsoft, Microsoft trusts the root certificate providers, a root certificate provider trusts AOL, and AOL trusts the executable you received to be the one that they released. This chain of trust makes some cool things possible. Windows Live OneCare, for example, will automatically allow digitally signed programs through the firewall. This provides a level of convenience to OneCare users without sacrificing security. Because the software is digitally signed, there is a good chance it is legitimate. In the rare case that it is not legitimate, the antivirus and antispyware components can uniquely identify the digital signature without a false positive. The user remains secure with convenience, and AOL doesn’t have to deal with as many support cases regarding firewalls interfering with their instant messenger.
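To make the chain of trust concrete, here is an added example, not from the original post, that models it with toy textbook RSA: a trust store standing in for the roots Windows ships, a certificate issued to AOL, and an installer signed with AOL’s key. The names, keys, and installer bytes are all constructed, and the example also shows why a signature that checks out mathematically is still rejected when its chain ends at a root nobody agreed to trust.

```python
import hashlib
# Toy textbook RSA with small fixed primes so each step of the chain of trust
# can be traced by hand; it illustrates hash-then-sign, not a usable scheme.
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                       # (public, private)

def digest_int(data, n):
    # hash first, then sign the hash (reduced mod n for the toy key size)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def cert_body(subject, pub):
    # what an issuer vouches for: this name is bound to this public key
    return f"{subject}|{pub[0]}|{pub[1]}".encode()

def issue(issuer, issuer_priv, subject, subject_pub):
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": sign(issuer_priv, cert_body(subject, subject_pub))}

def verify_chain(trust_store, chain):
    """chain[0] is the signer's certificate and chain[i+1] issued chain[i].
    Returns the signer's key only if every link verifies and the chain ends
    at a root in trust_store (the roots Windows ships); otherwise None."""
    for i, cert in enumerate(chain):
        body = cert_body(cert["subject"], cert["pub"])
        if cert["issuer"] in trust_store:           # reached a root we trust
            ok = verify(trust_store[cert["issuer"]], body, cert["sig"])
            return chain[0]["pub"] if ok else None
        if i + 1 == len(chain) or chain[i + 1]["subject"] != cert["issuer"]:
            return None                             # never reaches a trusted root
        if not verify(chain[i + 1]["pub"], body, cert["sig"]):
            return None                             # a link in the chain is forged

def installer_is_trusted(trust_store, chain, installer, installer_sig):
    pub = verify_chain(trust_store, chain)
    return pub is not None and verify(pub, installer, installer_sig)

# Constructed sample: one root in the trust store, one that anybody could run.
ROOT_PUB, ROOT_PRIV = make_keypair(104729, 104723)
ANYONE_PUB, ANYONE_PRIV = make_keypair(100003, 100019)
AOL_PUB, AOL_PRIV = make_keypair(99991, 99989)
TRUST_STORE = {"TrustedRootCA": ROOT_PUB}
AOL_CERT = issue("TrustedRootCA", ROOT_PRIV, "AOL", AOL_PUB)
UNANCHORED_CERT = issue("AnyoneCA", ANYONE_PRIV, "AOL", AOL_PUB)  # same key, untrusted root
INSTALLER = b"constructed installer bytes"
INSTALLER_SIG = sign(AOL_PRIV, INSTALLER)
```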

The problem is that the root certificate providers trusted by Microsoft charge money for a code signing certificate. These code signing certificates cost a few hundred dollars. This cost is reasonable for larger companies such as AOL, Google, and others. However, there are far more small scale software projects. Examples include Gaim, 7-Zip, and more. In many cases, there is only one developer, or a single lead developer with occasional contributions from others if the project is open source. This leads me to a problem for which I have been trying to find a solution: are there any reasonably priced code signing options for these projects? I have talked to developers of these projects, and they realize the benefits of code signing, but the costs are out of their reach. What solutions are there?

Having worked with Linux systems, I know about PGP, but that is not how code signing is done in the Windows world. I am searching for a solution for developers of Windows freeware. Let me know if you know of a solution to this problem.

Tools I Use

A friend of mine recently shared some of the tools she had discovered during 2006, and I have seen similar lists on other blogs. Here is my annotated list of my favorite products that I have come across in 2006.

I started using StumbleUpon toward the end of 2006. It is a browser extension available for at least Internet Explorer and Mozilla Firefox. The basic way it works is that you rate sites you visit. Based on these ratings, your interests, your friends, and other factors, it takes you to a new, likely unfamiliar Web document. I would make the analogy that StumbleUpon is to Web documents what Amazon.com is to books. If that is truly what it is intended to be, I would say its suggestion engine needs some work, or it needs more users to give it a better corpus of data from which to make recommendations.

I am currently using Windows Vista. While not generally available until the end of January, it was released in 2006, and I have the release version through both an MSDN subscription and the gift for being a Windows Vista beta tester. If you have a sufficiently powerful computer, Windows Vista has a nice looking interface. At first glance, this interface may look like pure eye candy, but there is usefulness as well. Live previews of many things are rendered. When you hover over a taskbar button, you see the actual window in a live thumbnail. When you switch applications with either the traditional task switcher or the new Flip3D, you also see live previews of the windows. These are not basic image thumbnails; they are live thumbnails. If there is a video playing in the regular window, it will be playing in the thumbnail. Windows Vista also has several improvements to security, from integration of Windows Defender to User Account Control. Unless you are into security, you likely won’t understand the significance of the improvements, so I won’t describe them in detail. Windows Vista also has desktop search features built in. Windows XP has an Indexing Service that served a similar role, and it is still available for backwards compatibility, but desktop search does a better job and has a more appropriate scope of indexing. The final item I like is that Windows Vista constantly improves. Even if you are not connected to the Internet, it will optimize how it uses memory based on how you use applications. It automatically defragments the hard drive on a schedule. It automatically learns your particular dictation and writing style with its speech and handwriting recognition capabilities. Beyond that, with an Internet connection, it will automatically optimize networking parameters for the actual connection. It can use online help, which may be more accurate than the help collection included. It can send crash reports to Microsoft for analysis and automatically tell you when a reported issue has a fix or more information.

I am also currently using Office 2007. In particular, I like the RSS and iCalendar integration in Outlook. I like the To Do bar in Outlook. I also like the automatic account configuration in Outlook. I also like the ribbon user interface. It is present in Word, Excel, PowerPoint, and portions of Outlook that use Word. It makes much more sense than the infinitely nested toolbars and menus in Office 2003 and earlier. Office 2007 also features live previews similar to Windows Vista. Office 2007 also finalizes the death of Clippy. Office Assistants, as I believe they were called, are no longer available in Office 2007.

Another product I started using was Windows Live OneCare. It is an all-in-one security product from Microsoft. It provides firewall, antivirus, antispyware, and more. It does cost money for a subscription, but a subscription covers three computers, so one subscription can cover your family. Generally, I have been fine using free security products and actually found them better than commercial products. However, I was introduced to OneCare as an internal beta tester when I interned at Microsoft. Recently, a particularly amazing capability that I haven’t seen in other security products became evident when I was using OneCare. There was a security vulnerability in Windows in how Windows Metafile images were processed. Before the fix was available for Windows, OneCare began to ensure that Windows Metafile images were not malformed. One that I encountered was malformed, and I was warned. OneCare has an extremely simple user interface with literally one care. As long as the program’s tray icon is green, you are okay.

That is my report of tools released during 2006 that I have enjoyed using. I am sure I will find new tools during 2007.