While travelling and visiting a family members home recently, I ran into an issue with their modem not allowing me to connect with my laptop.  Turns out that their provider had MAC filtering on their system.

A MAC Address is a unique number (hexadecimal) that most every network adapter has.  When you plug in a cable to a router and then to your computer, the first communication that occurs is the two devices declaring who they are by stating their MAC address (Ok, this is a big simplification, but no need to digress to far).  MAC addresses are intended to be globally unique, and as such are divided into two: The manufacturer ID and a manufacturer assigned ID.  This  helps guarantee that all MAC addresses are unique.

MAC filtering is a security measure some routers or ISPs use to limit access to the network. By stating that only computers with a certain MAC address are allowed onto the network, you can add an additional layer of security.  Most wireless routers have this feature (a good idea if you're paranoid and already set up a password on your wireless network [WHICH EVERYONE SHOULD DO]). Many non-wireless routers have this feature also.  And occasionally, ISP's enable this feature on their networks.

This is a problem that I rarely (actually, only once before) have run into.  It used to be simple for me to overcome, as I used to take a wireless router with me also, and that would easily allow for overriding of the MAC address though a configuration screen.  However, with the proliferation of wireless routers I stopped bringing my own and instead just jump on the local network.

Luckily, there is a way to spoof your MAC address.

There's a couple programs out there to do it for you (google will help, but I haven't tried any of them so can't recommend them) but I prefer to get my hands dirty, so with no further ado, how to spoof your MAC address:

Windows Vista:

NOTE: This requires modifying your registry.  If you do NOT know what you are doing, DO NOT DO THIS.  If you mess up your registry, your computer may not boot at all.  

First, you'll need to know the adapter you are changing your mac address for.  The easiest way to make sure you have the correct one is to open a command prompt and type:

net config rdr

You'll see a line that says "NetBT_Tcpip_{XXXXXXX....}.  This is the GUID of your adapter (A GUID is a Globally Uniqued IDentifier).  Copy this number, (between the curly brackets)  In this example, the GUID is 6F3A69A0-81B8-42B4-A38D-06ECC66485CC

Next you'll need to edit the registry.  In the command prompt, type:

REGEDIT

Once in the registry editor, navigate to the key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

Underneath this key are lots of sub keys.  To find the one you want (with that key selected) press Ctrl+F and search for the GUID.  You should find it as a value for a key named NetCfgInstanceId.  Inside this key, add a new string value with a name of NetworkAddress and set the value to the MAC Address you want (no dashes).

Once that is done, you can reboot or disable/re-enable  the network device in Device manager.

To revert back, simple delete the key you added (NetworkAddress).

Hope that helps

We've been developing a couple of applications using the WPF (Windows Presentation Framework) and I've been spending a good amount of time reviewing it.  And I have to say, it really is hand over fist a very great framework to work with.

While we had developed a few Silverlight controls and apps using it in the last few years, I've personally haven't had the time to really get knee deep into the details of it until now, and boy what I have been missing.  From a coding standpoint, it's still just C# (or VB if you're so inclined); but from an designing point of view, it offers a wealth of features and enhancements.

In essence, WPF allows the separation of visual design and actual programming much in the same way as Asp.Net does so with code behind.  While programming for Windows Forms had the resemblance of the separation of the two (at least if you were using Visual Studio or another editor), it really was not separated at all, as the whole layout and stying was done inside the class's "Initialize" method.

With WPF, all the design is done inside the XAML file, which is simply an XML file.  And with tools like Microsoft's Expression, designer's and developers can work hand in hand with the tools designed for them.  (Let's face it, Visual Studio leaves a lot to be desired when in the hands of a graphic artist)

But while WPF separates code and design like ASP.NET, it extends the capabilities of the XAML in ways that ASP.NET could never even dream of.  Submitted for your approval, see this implementation of the standard listbox.

Sorry for the long span between posts, but things have been pretty busy here.

In the first part of this series, we reviews the Xml-Rpc specifications and used the XSD tool to generate our starting point.  Now, we'll tackle some of the basic changes we've done to those generated files.

Standards and Compliance

The first thing we need to do is to move the classes into a form that that is compliant with the software development standards for Bambit.  This is, for the most part, rather trivial, if not just tedious.  It includes:

1. Putting each class into it's separate file
2. Changing properties that simply expose private data variables to auto-properties
3. Create proper casing for classes, properties and methods

As I said, simple, but (somewhat) tedious.

Class Implementation Changes

MethodCall Class

In the MethodCall class, the xsd file had originally created a special class called methodCallParams, which itself simply wrapped an array of parameter objects.  This was overly redundant to me, so I eliminated the methodCallParams class entirely, and changed the property

    [System.Xml.Serialization.XmlElementAttribute("param")]
    public parameter[] param {
        get {
            return this.paramField;
        }
        set {
            this.paramField = value;
        }
    }

 to

[XmlArray("params")]
[XmlArrayItem("param")]
public List<Parameter> Parameters { get; set; }

This was a lot cleaner.  First, the naming  convention follows our guidelines. Second, we eliminated a class entirely.  Third, we changed from a non-expandable array data type, to a List<>.  This allows us to add to the list at any point in time, so calling code can keep adding parameters, instead of having to assign all parameters at once.

In doing this, we need to create a default ctor to initialize the List<>.  If we don't do this, De-serializing will explode on us, due to the fact that, when de-serializing to a List object, the Framework assumes that the object is valid and simply calls Add instead of putting the entire list on at once, so it will try to call Add on a null object.

Value Class

This class was given a lot of additions to, all having to do with casting.

Since the specifications state that a value can be a whole host of things, it must be stored as an object (outside of customizing the serialization and keeping a whole slew of different type variables).  However, an object is much too vague to be of real use in most situations.  So what we did was to store the actual object as an object, but add cast operators to the Value class itself.  To be effective, we made casts both ways, so that casting from a double, int or any other valid type to a Value would be allowed, as would casting from a Value to any other type (as long as the Value WAS of that type).

To do this, casting from a Double (or any other valid type) to a Value would be an implicit conversion, while converting from a Value back would be an explicit.  The reason for this is that, in an implicit casting, you should NEVER thrown an exception, while explicit conversions allow for an exception to be thrown. Since the Value object can be any other type at any time, it is allowed to be implicitly cast.  However, if the Value already contains an RpcStruct object and we try to cast it to a double, we will blow up.

We then entered every cast possible, in the following form:

public static explicit operator <TYPE>(Value value) { return (<TYPE>)value.Item;}
public static implicit operator Value(<TYPE> item) 
{
  return new Value { Item=item, ItemType = <APPROPRIATE ITEM TYPE> } ;
}

For instance, the conversion casting for a double was:

public static explicit operator double(Value value) { return (double)value.Item;}
public static implicit operator Value(double item) 
{
   return new Value { Item=item, ItemType = ItemChoiceType .Value } ;

}

As you can see, our implicit conversion will never fail, as assigning the "Item" (which is an object) anything is completely legal.  Our explicit will fail only if the framework does not know how to do the conversion itself.  We could have done some checking on ItemChoiceType ourselves, but this would have been a bad idea.  First, it's extra work on our end that is redundant.  Second, if we try to cast to a double and it's an integer, we would fail (unless we actually check all the different types that can be cast to/from), when it is a perfectly legal cast.  As such, it's much better just to let the Framework do the work for us.

Well, that covers a few of the design decisions.  In the next installment, I'll go over changes to the RpcStruct and MethodResponse classes.

NOTE:

We've released this project under the LGPL and you can download it at codeplex, BXmlRpc.  The current generated documentation can be found at http://bxmlrpc.bambitinc.com/Documentation/

There are multitude amount of Firefox extensions downloadable over the internet right now targeting day to day website visitors and developers as their primary audience. ….. This being said, have you ever wondered what would it take to make such amazing software tools?  Let me walk you through the fundamental steps in making a very basic Firefox extension.

Let's begin by creating a folder that would contain your extension definition.  For illustration purposes we will name this “demo@bambitinc.com”.  Inside the demo@bambitinc.com folder create another folder named content.  Inside the content folder create an empty javascript file named bambit.js.  On the same level as the bambit.js file create an empty XML User Interface Language file named bambit.xul.  Now lets step back to the previous directory and create another two empty files named chrome.manifest and install.rdf.  You should end up with a directory structure like this:

        demo@bambitinc.com/
            content/
                bambit.js
                bambit.xul
            chrome.manifest
            install.rdf

Using your favorite text editor, open up the bambit.xul.  Inside we would want to add an overlay.  In general, Firefox's interface is written in XUL defined at http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul and javascript.  The XUL document defines the widgets such as the buttons, toolbars, etc.  While the javascript handles the user actions.  For us to extend the browser, we partially modify the browser UI by inserting, removing, or modifying the widgets defined in the master XUL.  This can be accomplished using overlays.  XUL overlay is a way of attaching UI widget to the XUL document at runtime.

First we would import the bambit.js that will handle user actions and modify a merge point.  In this case the browser's status bar.

<?xml version="1.0"?>
<overlay id="bambit:" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
    <script type="application/x-javascript" src="chrome://bambit/content/bambit.js" />
     <statusbar id="status-bar">
        <statusbarpanel id="bambit"
            label="Bambit"
            insertbefore="statusbar-display"
            onclick="bambit();"
        />
    </statusbar>
</overlay>

We import the javascript file just as a child of the overlay.  Take note that the path of the file is not called by the file URI nor was it a fixed path.  It is invoked using the chrome URI.  This is a bundled package that defines scheme, package name, type of data, and finally the file to load.

Next we defined a new child of statusbar named statusbarpanel.  Statusbar serves as the merge point where the modifications would take place.  The child statusbarpanel creates a new panel on the left of  the statusbar-display with a text “Bambit”.  The next attribute “onclick” defines the javascript function to be used when user clicked on that panel.  This will be defined on the bambit.js file.

After saving open up the bambit.js file and make the function “bambit”.  As a proof on concept we will only redirect the whole window to the bambit website.

function bambit(){
    window.location = “http://www.bambitinc.com”;
}

Now we need to create the manifest that will be used on the chrome package.  Inside the chrome.manifest file we'll define the type of material, name of the chrome package, and the location of the files.  Also we need to merge our overlay with the browser during runtime.  All these can be accomplished by this code.

content bambit content/

overlay chrome://browser/content/browser.xul chrome://bambit/content/bambit.xul

Finally, open up the install.rdf  file.  Inside place the following code.

<?xml version="1.0"?>
<RDF
    xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:bambit="http://www.mozilla.org/2004/em-rdf#">

      <Description about="urn:mozilla:install-manifest">
            <bambit:id>hello-world@bambitinc.com</bambit:id>
            <bambit:name>Bambit Hello World</bambit:name>
        <bambit:version>1.0</bambit:version>
        <bambit:type>2</bambit:type>
           <bambit:targetApplication>
              <Description>
                <bambit:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</bambit:id>
                <bambit:minVersion>1.5</bambit:minVersion>
                <bambit:maxVersion>3.0.*</bambit:maxVersion>
              </Description>
            </bambit:targetApplication>
           
      </Description>      
</RDF>

These are the minimum elements required in the installation manifest. For the complete list of the install properties click here: (https://developer.mozilla.org/en/Install_Manifests)
- id:    This is the id that makes your extension unique.  On Firefox versions prior to 1.5 this can only be in a GUID format and nothing else.  For 1.5 onwards it can accept GUID and email address format though it is not necessary to be a valid email address.
- name: This is the name your resource will be known universally.
- version: This represents the version of your resource.
- type: This indicate what kind of resource you are installing.  Since we will install an extension that value would be 2.  If we would like it to be a theme or a locale we should use 4 and 8 respectively.
- targetApplication: This defines the application you're resource is applicable to. Since we are making an extension for Firefox the id should be equal to the Firefox application id (ec8030f7-c20a-464f-9b0e-13a3a9e97384). If you notice that the mini-version is set to 1.5, that is because I used something that is not applicable to earlier versions, specifically the id of the application.  Earlier versions only support GUID.  For the max-version we set it to 3.0.x to ensure that the resource is compatible with Firefox's security and stability updates.
(Link to compressed file)
Test
We are now ready to test our extension.  First, we need to setup a development environment.  We don't want to ruin the Firefox version we are currently working on even though it is easily repairable.  We do this by creating another Firefox profile.  For this example “dev” is the name of the new profile.
On linux:

/usr/local/bin/firefox -no-remote -P dev

On MAC:

/Applications/Firefox.app/Contents/MacOS/firefox-bin -no-remote -P dev &

On Windows:

start "" "%ProgramFiles%\Mozilla Firefox\firefox.exe" -no-remote -P dev

The first time you run the command it will display the profile list screen.  There create the new profile named “dev”.
Now we our environment ready.  What we'll do is copy the entire demo@bambitinc.com folder within the Firefox's (dev profile) extensions folder.  In Vista you can go to <% Users %>\AppData\Roaming\Mozilla\Firefox\Profiles and browse through the extensions folder and paste the entire folder there.  Open an instance of the development profile.  You are supposed to see that a new extension named Bambit Demo is installed and you'll notice the text “Bambit” at the lower left of your status bar.  Click on it and it will take the whole window to the Bambit website.
Package
Now that we got the extension working on our environment we'll need a way to publish it.  Firefox's extensions are packaged as XPI files.  In essence XPI files are just zipped files that have an extension of XPI.  Using your favorite archive tool zipped the contents (not the folder) of the demo@bambitinc.com folder.  Now delete the demo@bambitinc.com folder inside the extensions folder of your development environment.  Close all instance of your Firefox development profile.  You'll notice that the Bambit is no longer installed.  Now using Firefox, open the XPI file you created earlier.  This will go through the installation process.  Viola! Your Firefox extension is made!!!

Sorry for the long span between posts, but things have been pretty busy here.

In the first part of this series, we reviews the Xml-Rpc specifications and used the XSD tool to generate our starting point.  Now, we'll tackle some of the basic changes we've done to those generated files.

Standards and Compliance

The first thing we need to do is to move the classes into a form that that is compliant with the software development standards for Bambit.  This is, for the most part, rather trivial, if not just tedious.  It includes:

1. Putting each class into it's separate file
2. Changing properties that simply expose private data variables to auto-properties
3. Create proper casing for classes, properties and methods

As I said, simple, but (somewhat) tedious.

Class Implementation Changes

MethodCall Class

In the MethodCall class, the xsd file had originally created a special class called methodCallParams, which itself simply wrapped an array of parameter objects.  This was overly redundant to me, so I eliminated the methodCallParams class entirely, and changed the property

    [System.Xml.Serialization.XmlElementAttribute("param")]
    public parameter[] param {
        get {
            return this.paramField;
        }
        set {
            this.paramField = value;
        }
    }

 to

[XmlArray("params")]
[XmlArrayItem("param")]
public List<Parameter> Parameters { get; set; }

This was a lot cleaner.  First, the naming  convention follows our guidelines. Second, we eliminated a class entirely.  Third, we changed from a non-expandable array data type, to a List<>.  This allows us to add to the list at any point in time, so calling code can keep adding parameters, instead of having to assign all parameters at once.

In doing this, we need to create a default ctor to initialize the List<>.  If we don't do this, De-serializing will explode on us, due to the fact that, when de-serializing to a List object, the Framework assumes that the object is valid and simply calls Add instead of putting the entire list on at once, so it will try to call Add on a null object.

Value Class

This class was given a lot of additions to, all having to do with casting.

Since the specifications state that a value can be a whole host of things, it must be stored as an object (outside of customizing the serialization and keeping a whole slew of different type variables).  However, an object is much too vague to be of real use in most situations.  So what we did was to store the actual object as an object, but add cast operators to the Value class itself.  To be effective, we made casts both ways, so that casting from a double, int or any other valid type to a Value would be allowed, as would casting from a Value to any other type (as long as the Value WAS of that type).

To do this, casting from a Double (or any other valid type) to a Value would be an implicit conversion, while converting from a Value back would be an explicit.  The reason for this is that, in an implicit casting, you should NEVER thrown an exception, while explicit conversions allow for an exception to be thrown. Since the Value object can be any other type at any time, it is allowed to be implicitly cast.  However, if the Value already contains an RpcStruct object and we try to cast it to a double, we will blow up.

We then entered every cast possible, in the following form:

public static explicit operator <TYPE>(Value value) { return (<TYPE>)value.Item;}
public static implicit operator Value(<TYPE> item) 
{
  return new Value { Item=item, ItemType = <APPROPRIATE ITEM TYPE> } ;
}

For instance, the conversion casting for a double was:

public static explicit operator double(Value value) { return (double)value.Item;}
public static implicit operator Value(double item) 
{
   return new Value { Item=item, ItemType = ItemChoiceType .Value } ;

}

As you can see, our implicit conversion will never fail, as assigning the "Item" (which is an object) anything is completely legal.  Our explicit will fail only if the framework does not know how to do the conversion itself.  We could have done some checking on ItemChoiceType ourselves, but this would have been a bad idea.  First, it's extra work on our end that is redundant.  Second, if we try to cast to a double and it's an integer, we would fail (unless we actually check all the different types that can be cast to/from), when it is a perfectly legal cast.  As such, it's much better just to let the Framework do the work for us.

Well, that covers a few of the design decisions.  In the next installment, I'll go over changes to the RpcStruct and MethodResponse classes.

NOTE:

We've released this project under the LGPL and you can download it at codeplex, BXmlRpc.  The current generated documentation can be found at http://bxmlrpc.bambitinc.com/Documentation/

Adam Ostrow has posted a blog about the SECs (That's the South Eastern Conference, NOT the Securities and Exchanges Committee) decision to prohibit attendees from making any comments about the games they are at in any form.  This is essentially a blockage against Twitter, Facebook, YouTube and the like.  I,for one, would like to take this opportunity to say what a profoundly stupid idea this is.

For full disclosure, I don't have a twitter account and I do not follow anybody's tweets.  I do have a Facebook account, but I almost never log in to it.  My general life is much too busy for these.  However, I did go to the University of Florida, which is in the SEC.

So on to the stupidity.  It seems that companies and organizations (especially older, established ones) tend to shoot themselves in the foot when it comes to new technology and new ideas.  This one is apparently a joint shooting of CBS and SEC together.  Their fear here is, possibly, base on the fact that someone could, in theory, stream an entire game onto the Internet, and CBS would be bypassed and lose all that viewership.

Now I know that cameras on phones are getting pretty good, but seriously, am I going to choose to watch the game on YouTube from the 90th row or see it on CBS with a dozen cameras at all angles, complete with zoom and audio?

What we may get, from you tube, is the occasional shot of something the other cameras missed, an angle (albeit from far away) that shows a better shot of the play, or something that happened elsewhere then at the ball.  This can only enhance the experience for all those who can not make it to the game.  (I think nearly every Gator game is sold out these days, and most definitely the big ones are).

And when it comes to Twitter updates...It seems that nearly every year there's a big event in my life at the same time as a big Gator game:  Weddings, Birthday Parties, etc.  And in most of these, a TV is not available, or at least on a different station.  In the past, I have been relegated to watching updates on ESPN.com or similar web sites on my phone, which are often poor in response times.  Now if I knew someone at the game who was twittering about it, I could get live updates immediately.  Again, this is only good all around: SEC keeps a loyal fan happy, I get updates to the game in as close to real time as possible.

Adam also makes the point that after receiving an update he has often gone to see the game on TV, which is another win for all involved.

In the end, no one should try to limit my ability to talk about my experiences in any way.  If I am at the game, I should be allowed to tell my friends what I'm doing (technically, I would not be allowed to even call my dad to say "Did you just see that touch down Tebow threw?"). So please, SEC, think before you issue dumb, inherently unenforceable rules.

Here at Bambit Technologies, we use log4net in nearly every application that we build, from web sites, to desktop apps to server services.  It's well written, easy to implement and extremely versatile.  With that said, there's a couple things I would like changed or implemented.

One of the biggest changes I would like to see is when logging an exception.  Generally, to log an exception you make a call like this:

ILog myLogger=LogManager.GetLogger(); 

Exception exception=new Exception("Something happened"); 

myLogger.Error("Something happened, and it wasn't good", exception);  

	

Pretty straight forward, right? 

But what if I want to format the string I am logging, then you have to do the following:

	
myLogger.Error(string.Format("Something bad happened: {0}", errorString), exception);
	

Essentially adding a "string.Format" call to the message string.  log4net DOES have the method "ErrorFormat", but if you call it like:

	
myLogger.ErrorFormat("Something bad happened: {0}", errorString, exception);
	

the actual exception is lost, as it is passed in as an argument to the format string.

For a long time we resigned ourselves to just adding the extra String.Format call, as trying to change the implementation for all the different types of loggers would be a headache at best, not to mention having to test and verify and rebuild everytime a new version of log4net comes out (which, admittedly isn't that often, it's extremely stable)

Extension Methods

Now, with the 3.0 framework, we have a new option: Extension Methods.  Extension methods are exactly what they sound like, ways to extend a class with added functionality.

To see how this helps us with log4net, we create an extension class with the new methods we would like to see implemented.

public static Exception Exception(this ILog logger, Exception exception, string fmt, 
params object[] args)
{
   logger.Error(string.Format(fmt, args), exception);
   return exception;
}

To see the complete code listing, see this link

Now, when I need to log an exception, I can simply call:

myLogger.Exception(exception, "Something is definatly wrong: {0}", errorString);
	

You'll also note that each of these methods returns the exception I pass in.  This simply allows us to join everything in one statement:

	throw myLogger.Exception(
		new Exception("Something is wrong"),
		"Something is wrong:", errorString);

which comes in pretty handy.

When we fist decided to implement a blog on our site, we figured it would be quick and easy to roll our own, and for the most part it was.  After all, a blog is only composed of a handful of tables, each with a spattering of columns.  You have the blog itself, then you have comments.  That's the long and short of blogging.

At least at first glance.

After you get the blogs up, you certainly want to implement trackbacks and pingbacks.  If you don't know what these are, they are simply a way of interlinking sites, so that if I comment on a blog at foobar.com, they can add a link back to my site, saying comments were made there.

Trackbacks are relatively straight forward as they are simply HTTP calls made in a REST fashion (spec can be found here)

Pingbacks are only slightly more involved.

Enter the XmlRpc Spec

Pingbacks are entriely built arond the Xml-Rpc specificaion, which is exactly what it sounds like, remote procedure calls via Xml, a simpler version of SOAP if you will (I'll leave the Xml-Rpc vs SOAP vs REST argument for another day).  I'll be the first to admit, somehow up to this point in my programming experience, I had somehow avoided interfacing with Xml-Rpc directly. So I did what I always do when confronted with a new spec, I read the manual.

This is a point that I want to stress.  I know a lot of developers who can churn out code to email someone without having read one single RFC concerning SMTP, MIME or any other similiar technology.  This is a sure way to limit your usefullness as a programmer.  Along with learning a language a year, coders should also strive to understand the undelying concepts of the systems they are working with.

But I digress.  To return to point, I went and read the spec, which on the surface seemed pretty simple.  Since I didn't know how to implement it myself and it seemed rather simple, I decided to take a crack at implementing my own library.

In the beginning, there's the XML

Since Xml-Rpc utilizes HTTP for the request/response, and since the HttpWebRequest method is built into the .Net libraries already, I decided to start with the xml.  The spec site gives a very verbal breakdown of how the xml is structured, but it is missing a schema definition file, so that's where I began.  This can be found here.

Once I have the xsd defined, I used XSD.exe tool that comes with Visual Studio to create the first version of the classes to serialize the documents.  The XSD.exe tool is an extremely valuable tool, but, generally, we only use it to get a base to work from.  You can find the results of this generation here.

In the next part, I'll go over the changes to the Xml

NOTE:

We've released this project under the LGPL and you can download it at codeplex, BXmlRpc.  The current generated documentation can be found at http://bxmlrpc.bambitinc.com/Documentation/

YouTube, that bastion of wasted work hours, is terminating support for IE6.  I can only join in the giant chorus of "WOOHOO!!"

IE6 use needs to be abolished.  It is a thorn in the side of any web developer who is trying to create a standards based web site simply because it is not a standards compliant browser.  On any given design project that require support for IE6 and any other browser, there's an added 15-50% increase in time (depending on the complexity of the site in general and how many of the IE hacks that need to be implemented).  And that's completely wasted time.

IE6 gained dominance simply because it came pre-installed on Windows (and led to many anti trust suits against Microsoft).  Of  course, it also helped that the main competitor to IE at the time was Netscape Navigator, which was, to say the least, slow and bloated.  Then FireFox entered the picture and Microsoft, after 5 years of stagnation in the web browser market, suddenly got up and released a new, more standards compliant browser, IE7, followed by an even better browser 3 years later, IE8.

FireFox is still my browser of choice (although I have IE6,7,8, Chrome and Safari on various Virtual machines for testing), but IE8 has come a long way from IE6 by way of web standards (not to mention adding a lot of features that FF has) and so I don't rant about people not using IE anymore (leaving it more as a personal preference...each browser has its good points and bad points). 

So with youtube.com no longer supporting IE6 and other sites like Digg doing the same, hopefully it will become a faded memory. A painful, shameful, faded memory

Here's a little quiz.  How many passwords do you have?  How complex are your passwords?  How do you remember your passwords?

Personally, I know more than 100 passwords.  I remember passwords to all my accounts, all my computers, servers, databases and most of my clients systems also.  As a general rule of thumb, passwords I create are relatively complex and considerably strong.  I use upper case, lower case, symbols, avoid dictionary words and have at least 8 characters in my passwords (at least the ones that matter).  I do this because of the inherent belief that weak passwords are bad passwords.  They are susceptible to brute force attacks. 

But does that really matter in the long run?  A new paper published states that it's really not that important.  The paper is easy to read and well worth it, but I'll summarize (and improvise) here.

Lets start with the first key problem with passwords:  Who are you supplying your password to, and how often do you reuse the same password?

Your password can be 102 characters, use every symbol and be generated by putting tape on a cats foot and letting it run across your keyboard, if you use this password more than once you could be opening your self up to a severe spanking, depending on where you use it.

Some sites still store your password in clear text.  This mean, in their database, there is a simple string that has your password in there, in all its 102 character cat induced glory.  Any database admin (or maybe even a low tech, customer support rep or bored manager with too many privileges) can see what your password is (not to mention the ever so dangerous possibility that the site you are logging into can be hacked).  And with a little bit of research, can probably learn a lot about you and be able to use that password elsewhere that you have.  (do you have the same user-name in multiple places with that same password?).  It is almost ALWAYS a bad idea to store passwords in plain text.  But how can you tell if the application/web site you are using is storing your password in clear text?  Simply, you can't be sure, but if the site will send you your password to your email address, they are either storing your password in clear text or a two way hash (which is almost as bad)

So to avoid this possibility, you generate a new 100 character password, with all the bells and whistles, for every site you give your password to.  The downside of this is it's getting harder to remember your password (and your cat is starting to glare malevolently at you and your keyboard now).  Even if you degrade it to 10 characters, it still starts to become tiresome to remember all your random passwords.  So now you rely on other tools to remember your passwords for you.  Maybe you save your passwords in your browser.  Maybe you write them down on post it notes stuck to your screen.  Whatever it is, you are a secure trooper, knowing that if one password is broken you will still be safe.

Unfortunately, now we enter the biggest threat to your passwords: Trojans, Viruses and Bears oh my! (alright,not really bears). 

Unlike the brand used for protection, a computer Trojan is one of the most detrimental things you can encounter in the online world (right up there with with people who use smiley faces after every sentence).  A key-logger Trojan will record every key, click and action you perform.  This means it will record every site you go to and every password you enter for that site.  It will then send that information off to it's mother ship and before you know it, all your passwords are hacked.  A virus can read all your stored passwords on your system and send them off.

So what does that tell us?  First, it tells us that we really need good antivirus software on our computers.  Second it tells us that all our efforts at keeping our passwords secure can come to naught very easily.

This is the crux of the paper: Adding strong requirements only complicates users' lives and does little or nothing to ensure safety.  In the end, if someone wants your password bad enough chances are they can get it.

But service providers (aka, web sites) should do something to help mitigate the damage.  First, no one, and I mean no site ever, should use plain text, and should almost never use 2 way hashes for passwords.  Second, if using a 1 way hash, they SHOULD use a complex one as not all one way hashes are created equal (I'm looking at you,  MD5!).  Third, all sites should implement a lockout feature for failed log ins.  This one aspect alone can pretty much eliminate brute force attacks (unless of course,  someone gets a hold of the database from the outside)