BP's Weblog: August 2007 Archives


August 31, 2007

More bad security: Dumb security questions

I recently created a new account with a company whose service is a hybrid of web-era scalability and accessibility combined with metered, nearly-instant access to a physical product... in other words, a site where it's important that my account not be easily compromised, because someone somewhere could run up a bill for services I didn't personally get to use.

During the signup process, I got to the now-standard "Security Question" phase (though, they oddly call it a "Secret" question, even though they'll show it to anyone who pretends to be you having lost your password), and was amused to see this option. Here's what I saw:

[Screenshot: Security Question]

Yes, they're asking a question for which there are only 50 legitimate answers, which many individuals' friends will have a good chance at guessing correctly... and then they go one step further and exclude 3 of the states (Ohio, Iowa and Utah are not 5 characters long).

Phew. Thank goodness Ohio (sure to trivially show up, in my case, on an appropriate web search) wasn't long enough, or I might've fallen for it! :)
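To put a number on how little this question protects, here is an added example (not the site's code) that measures the answer space of a fixed-vocabulary question once the form's minimum-length rule is applied, and what that means against a guess-limited reset flow. It assumes the vocabulary is the 50 US states and the minimum length is 5, as the post describes.

```javascript
// Added example (not the site's code): size the answer space of a
// fixed-vocabulary "secret" question and the odds a blind guesser gets.
// Vocabulary: the 50 US states. The post reports a 5-character minimum.
const US_STATES = [
  "Alabama", "Alaska", "Arizona", "Arkansas", "California", "Colorado",
  "Connecticut", "Delaware", "Florida", "Georgia", "Hawaii", "Idaho",
  "Illinois", "Indiana", "Iowa", "Kansas", "Kentucky", "Louisiana", "Maine",
  "Maryland", "Massachusetts", "Michigan", "Minnesota", "Mississippi",
  "Missouri", "Montana", "Nebraska", "Nevada", "New Hampshire", "New Jersey",
  "New Mexico", "New York", "North Carolina", "North Dakota", "Ohio",
  "Oklahoma", "Oregon", "Pennsylvania", "Rhode Island", "South Carolina",
  "South Dakota", "Tennessee", "Texas", "Utah", "Vermont", "Virginia",
  "Washington", "West Virginia", "Wisconsin", "Wyoming",
];

// Answers the form would actually accept under its minimum-length rule.
function acceptedAnswers(candidates, minLen) {
  return candidates.filter((c) => c.length >= minLen);
}

// Answers the length rule silently rules out (shrinking the space further).
function excludedByLength(candidates, minLen) {
  return candidates.filter((c) => c.length < minLen);
}

// Entropy, in bits, of a uniformly chosen answer from the accepted set.
function answerSpaceBits(candidates, minLen) {
  const n = acceptedAnswers(candidates, minLen).length;
  return n > 0 ? Math.log2(n) : 0;
}

// Probability a blind guesser succeeds within one lockout window of `attempts`
// distinct tries (no prior knowledge; a friend would do far better).
function successWithin(candidates, minLen, attempts) {
  const n = acceptedAnswers(candidates, minLen).length;
  return n > 0 ? Math.min(attempts, n) / n : 0;
}

// Policy check for a signup form: reject any question whose answer space is
// below `minBits`. 20 bits is a hypothetical threshold chosen for illustration.
function acceptableQuestion(candidates, minLen, minBits = 20) {
  return answerSpaceBits(candidates, minLen) >= minBits;
}
```

Running it for the post's question gives 47 accepted answers, about 5.55 bits, and a 10.6% chance of a blind hit inside a five-try lockout window.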


August 19, 2007

Going one-numbered, while still tinkering with tons of gadgets

I've now been in Pittsburgh about a week. I have no local phone, no phone with nights-and-weekends, I'm making constant calls inquiring about housing, and, yet, it's all probably still costing me less than it cost me the last time I was on a cell phone contract with anyone.

Ok, before I go boasting all about it, my current situation is pretty complicated, and not really usable enough for the common man. That said, I've gotta' tell my stories, and the gripes that go with it, if only to be able to defer a lengthy explanation the next time it comes up in conversation.

My current situation is composed of several delicately interwoven systems:

1) My now several-year-old Asterisk system. It contains many weird optimizations to minimize latency, pick the cheapest way to complete the call at runtime based on current market conditions, among others.
2) My GrandCentral number. This is the only number I give to people anymore, unless they need to SMS me.
3) Physical VoIP hardware (in this case, an old Sipura SPA-2000).
4) AT&T Prepaid phone on its $1/day + minutes plan.
5) The Sidekick Toll Averter, Wife Alerter (now with better CID hacking).

What have I woven together with these systems? Well, I use GrandCentral pretty much as described... except that, to ring my AT&T cell phone, I run the call through my VoIP system first. Basically, I discovered that AT&T's way of figuring out if a call is on the AT&T network just looks at the callerID. Thus, I complete the call from GrandCentral to my cell phone in a way that advertises an AT&T cell phone number as the originating caller ID - and only have to pay for the cost of the VoIP call ($0.005/minute), vs the non-network rate for AT&T prepaid ($0.10/minute). Yes, it's 20x cheaper to use my prepaid cell phone with this trick.

Detailed explanation:

Basically, I created a new SipPhone.com account, which my Asterisk server registers itself with. I added the SIPphone 747 number as one of my GrandCentral numbers, since they recently began offering VoIP call completion using GizmoProject/SipPhone numbers. I then arranged a special extension inside of my Asterisk to answer that SipPhone number - it first sets the callerID to an appropriate AT&T number, then initiates the outgoing call. Head spinning yet?

So, this lets me use a prepaid cell phone for $1/day+0.005/minute any day I use it. If I don't use it on a given day, it costs me $0 that day. Put another way, if I only use the phone on average every other day, but still make 500 minutes of calls (the typical cell phone plan of my friends and associates), it'll cost me as little as $17.50/mo to use this service. Yeah, for 500 minutes. In fact, at the highest rate I pay for VoIP minutes, using the phone every day of the month, I'd still only pay $40/mo for the service. Not $40+taxes and fees, $40 total. Nuts, eh?

But wait, you say! That's only for incoming calls! True, outgoing calls are still $0.10/minute.... if I make them. But, since this is essentially a temporary, throwaway phone, I don't actually want to make direct outgoing calls.... then the people I call might end up using a throwaway number to call me after I've thrown it away. Instead, I wove another way to make outgoing calls and have the CallerID show my GrandCentral number, while also avoiding the $0.10/minute outgoing trap of the prepaid phone. Basically, I either use my Sidekick Toll Averter Wife Alerter web interface to initiate the call, or, I call a special number that, when called from my cell phone, hangs up on me and calls me back, giving me a dialtone. Of course, either of these cases is set to connect the call to my cell phone using an AT&T number for CallerID, thus, the calls are still only $0.005/minute (well, generally 2x that, as I still have to place another call to someone else after I get the dialtone - I end up paying for two outgoing VoIP calls, linked to each other).

So, now, people can call me on my GrandCentral number, and I can pick it up for free while at home, for $1/day+0.005/minute from my cell, or at any other phone I might be sitting near long enough to have added it to the GrandCentral hunt list. I can make outgoing calls, although I do lose the ability to use the cell phone's local call history, since all it shows are incoming calls from that special AT&T number I've been using.

All in all, this is working out very well. I've been in some state of moving now for nearly a month, and, yet, I've stayed well inside the $60 that I'd normally spend on cell phone service in years past. Meanwhile, for another $1/day, my wife, who's still on the west coast, also has an AT&T prepaid phone, and we can spend as much time as we'd like chatting on any given day. Once she moves out here, we can toss all of these electronics in the recycling bin for all I care, since we've got no contract, and the phones only cost $10/each after rebate and initial service allocation. Who can complain?

One more gripe: When I'm making calls using the dialback or web-initiated methods, I'm using 2 channels of VoIP. I've arranged my provider-picking priority so it nearly always chooses my VoicePulse Connect account... these guys are great, and, though their highest rate, at $0.019/minute, is relatively expensive for VoIP calls, most of my calls end up costing between 0.005 and 0.010. Keeping both legs of the call on the same provider means that, using the IAX native transfer function, I can actually remove virtually all latency from the call, effectively using VoicePulse as a local switchboard. This is great, except that VoicePulse limits each account to 4 simultaneous channels unless you pay quite a bit extra in monthly service fees. It's not hard to use up 4 channels when you're using them up 2 at a time (and your wife has access to the same tricks), and this has turned out to be a problem of late. I can understand the limit, in principle. However, since anyone with a credit card can sign up for an account with them, and they don't appear to have any rules against having multiple accounts, it makes no sense that VoicePulse charges extra for the ability to open up more channels. Sigh.


August 12, 2007

Nit: Ajax websites and wifi redirect pages

So, as many of you know, I've been road-tripping across the US of late. I'm now in Pittsburgh, after a little over 3600 miles of not-the-straightest-path cross-country road trip.

Along the way, I encountered a lot of different kinds of Internet and Wifi availability. There was the Chicago Hyatt Regency, where we stayed during the YearlyKOS conference... which wanted something like $14/day to use their in-room Internet (which I had to troubleshoot and fix the wiring of to get working, but that's another story). There were many cafes and motels along the way with Internet connectivity.... even in Mexican Hat, Utah, a tiny little town just outside of Monument Valley.

But, most of them, even if they offered free Internet connectivity, had you go through some sort of Wifi login/confirmation redirect page. These things are the devil to begin with, but they suffer from a couple of notable specific faults:

1) Many don't keep track of the original page you were surfing to. Ever try opening Firefox with a session restore feature turned on with one of these? You get a whole bunch of tabs with the login page, and virtually no way to go back to whatever page was in your session. Ugh.
2) Few Ajax apps seem to check properly for these conditions, and either fail in odd ways when they make a request, or don't offer an appropriate way to keep going once you've fixed things. Nothing like having to reload a heavy Ajax app (Gmail, I'm looking at you...) on a slow or expensive link because someone wanted to inject their hotel branding into your Internet experience.

Fortunately, both are correctable. Several of these tools actually do remember where you were surfing when you hit their redirect pages, and will set you back there once you log in, so point #1 is definitely avoidable. Point 2 is more tricky, of course, since it requires the web app author to code more defensively. Anyone out there know a good 3-line or less idiom to catch and report this kind of offense in a Javascript snippet, so it can be published alongside this rant for all of posterity?
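As one answer to that request, here is an added example (my code, not the post's) of the defensive check an Ajax app can run on every response: it decides whether the reply is really a captive-portal login page rather than the JSON the app asked for, so the app can tell the user to log in and retry instead of failing oddly. It is written against modern fetch() semantics (final URL, status and headers exposed on the response); the origin and endpoint names are hypothetical.

```javascript
// Added example (not from the original post): detect a captive-portal / wifi
// login page masquerading as an API reply. looksLikeCaptivePortal() is pure so
// it can be unit-tested offline; checkJson() shows the fetch() wiring.

function looksLikeCaptivePortal(resp, expectedOrigin) {
  // resp = { url, status, contentType, body }: final URL after redirects,
  // HTTP status, Content-Type header value and body text.
  const reasons = [];
  let origin = null;
  try { origin = new URL(resp.url).origin; } catch (e) { reasons.push("final URL not parseable: " + resp.url); }
  if (origin && origin !== expectedOrigin) reasons.push("redirected off-origin to " + origin);
  if (resp.status === 511) reasons.push("HTTP 511 Network Authentication Required");
  const body = resp.body || "";
  // Portals answer with an HTML form asking for credentials or terms acceptance.
  if (/<form\b/i.test(body) && /(log ?in|sign ?in|accept|terms|password)/i.test(body)) {
    reasons.push("HTML login/acceptance form in body");
  }
  if (reasons.length > 0) return { verdict: "captive", reasons };
  // Same origin, no form, no 511: not a portal, but still not what we asked for.
  const ctype = (resp.contentType || "").toLowerCase();
  if (!ctype.startsWith("application/json")) {
    return { verdict: "not-json", reasons: ["unexpected Content-Type: " + (ctype || "<none>")] };
  }
  return { verdict: "ok", reasons };
}

// Fetch wrapper: returns parsed JSON, or a structured failure the UI can act on
// ("open the portal page, then retry") instead of a confusing JSON parse error.
async function checkJson(url, expectedOrigin, fetchImpl = fetch) {
  let r;
  try {
    r = await fetchImpl(url, { credentials: "same-origin", redirect: "follow" });
  } catch (e) {
    // A portal that redirects to another origin without CORS headers makes
    // fetch reject outright; report that as a probable portal, not a generic error.
    return { ok: false, verdict: "captive", reasons: ["fetch failed (likely off-origin redirect): " + e.message] };
  }
  const text = await r.text();
  const v = looksLikeCaptivePortal(
    { url: r.url, status: r.status, contentType: r.headers.get("content-type"), body: text },
    expectedOrigin);
  if (v.verdict !== "ok") return { ok: false, verdict: v.verdict, reasons: v.reasons };
  return { ok: true, data: JSON.parse(text) };
}
```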

More updates on the trip itself when I have time.... short excerpts of my progress were chronicled on my twitter site, though, which can still be seen here: http://twitter.com/bp
