How I organize my books

Barcode stickers as book tags

I keep all of my books organized in Librarian Pro by Koingo Software. Admittedly, the Windows port is a sort-of-slow version of the Mac software, but it’s usable and rather pretty.

The Librarian Pro software I use to catalogue books

Along with this, I use a USB barcode scanner to import items by their EAN/UPC barcodes. Librarian Pro connects to Amazon’s APIs and loads book metadata based on that barcode.

The operative end of a laser barcode scanner

After importing a book, I make sure to tag it with a code of my own, specific to my collection. For that, I have these stickers:

Barcode stickers as book tags

And voila, an electronically-catalogued library of books awaits. It’s pretty easy to add location information to the metadata to help look for books, as well as generate HTML pages to show off or sell used books.

Windows Live Hotmail is now authenticating DKIM

Hotmail inbox screenshot

I haven’t seen anything published about this yet, but I noticed today that Windows Live Hotmail seems to be authenticating incoming e-mail using DKIM in addition to Sender ID.

Background

In the past, Hotmail has verified the authenticity of incoming e-mail through Microsoft’s proprietary version of Sender Policy Framework called Sender ID. Both of these projects were designed to verify that the computer sending the message, as identified by the originating IP address, is authorized to send e-mail on behalf of the named sender.

A typical SPF policy, specified through a TXT record in DNS, might say

v=spf1 ip4:208.97.132.0/24 -all

This means that only IP addresses in the 208.97.132.1–208.97.132.254 range are allowed to send e-mail on behalf of this domain. (The Sender ID policy would look similar, but starting with spf2.0/pra.)
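To make the policy check concrete, here is a small offline SPF evaluator in Python. It is an added example, not code from the post or from any mail provider; it handles only the ip4, ip6 and all mechanisms (the ones that need no DNS lookups) and uses the post's example record. The sender addresses in the tests are constructed.

```python
import ipaddress

# The example policy from the post.
SAMPLE_SPF_RECORD = "v=spf1 ip4:208.97.132.0/24 -all"

# Qualifier prefix -> SPF result name; a missing prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for term in parts[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        terms.append((qualifier, mechanism.lower(), argument))
    return terms


def check_host(record, sender_ip):
    """Evaluate the policy for a connecting IP address.

    Mechanisms are tried left to right; the first one that matches decides
    the result through its qualifier. If nothing matches, the result is
    "neutral", which is why most records end with an explicit "-all".
    """
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            # A bare address without a prefix length means a single host.
            network = ipaddress.ip_network(argument, strict=False)
            matched = ip in network
        else:
            # a, mx, include, exists and ptr need DNS lookups, which this
            # offline example deliberately does not perform.
            raise NotImplementedError("mechanism needs DNS: " + mechanism)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    # Constructed sender addresses: one inside the /24, one outside it.
    for sender in ("208.97.132.77", "208.97.133.5"):
        print(sender, "->", check_host(SAMPLE_SPF_RECORD, sender))
```

A receiver that produced the post's X-SID-Result header would run exactly this kind of check, then decide what to do with a "fail" or "softfail" result according to its own junk-filtering rules.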

Hotmail’s policy has been to verify all incoming e-mail using the Sender ID framework. This theoretically reassures users that authenticated e-mail definitely comes from the named sender, reducing the likelihood of header forgery. If an e-mail does not pass Sender ID verification (softfail) and has other signs of being forged, it will likely be classified as junk.

A valid e-mail is marked with these headers:

X-SID-Result: Pass
X-AUTH-Result: PASS

If the organization’s policy uses the strictest policy (-all), the message does not pass Sender ID validation, and the organization has submitted its Sender ID records to Microsoft, invalid e-mail sent to @live.ca and @live.com domains is rejected. As far as I am aware, this protection is not applied to @hotmail.com accounts.

From SPF to DKIM

The problem with SPF is that it doesn’t verify much. All it tells us is that an e-mail comes from the right computer—not that an intermediate server hasn’t tampered with it. In addition, SPF only really validates the From: or Sender: headers.

Besides, many large service providers cannot implement a strict SPF/Sender ID policy because users may be sending e-mail through other servers. (For example, I might use my ISP’s SMTP servers to send e-mail from my Windows Live Hotmail address; a strict SPF/Sender ID policy would mark those e-mails as junk.)

DKIM, however, encompasses the contents of the message body, in addition to the headers. It does not necessarily require the e-mail to come from a certain IP address. Using public key cryptography, it allows organizations to take responsibility for sent e-mails by verifying that the e-mail came from an authorized source, similar to the way secure servers connect over TLS/SSL.

Implementing DKIM means that all outgoing e-mails are signed using a private key; the signatures are then checked by compatible software against the public keys published in DNS. Each domain can have multiple DKIM keys, allowing multiple sending systems to sign outgoing e-mails independently.

A sample DKIM signature looks like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=frederickding.com; s=google;
        h=domainkey-signature:mime-version:from:date:message-id:subject:to
         :content-type;
        bh=b3wR4p4G21l92tc0ahioopi7atMwDp2wkaQb/uOL65E=;
        b=YJ6nD3Nx5hgwRhYppb/n2g5lQxA5jzFvYEJ0dR4dtkRFv14GVJWStQXwwZryGuujC/
         v4ve5ZE3ZAEAtv5hCj99ZLAfR52rskpbitso+106M8uQvryLyuLSnX1mrk6JaDFLMr8V
         qHmCEZUF5+cnWEYSwlLo1T8hntgN28hj8OyJY=
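The following Python is an added example (not code from the post, Google or Hotmail) showing the first steps a receiver takes with a signature like the one above: unfolding and parsing the tag=value pairs, checking the required tags, working out the DNS name where the public key is published, and computing the body hash (bh=) using the "relaxed" body canonicalization the c= tag asks for. The RSA check of the b= value needs the public key from DNS and is not performed here. The header string is the post's sample signature re-typed with line folding; the message bodies used in the tests are constructed.

```python
import base64
import hashlib
import re

# The post's sample DKIM-Signature value, as it would arrive folded in a message.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed;\r\n"
    "        d=frederickding.com; s=google;\r\n"
    "        h=domainkey-signature:mime-version:from:date:message-id:subject:to\r\n"
    "         :content-type;\r\n"
    "        bh=b3wR4p4G21l92tc0ahioopi7atMwDp2wkaQb/uOL65E=;\r\n"
    "        b=YJ6nD3Nx5hgwRhYppb/n2g5lQxA5jzFvYEJ0dR4dtkRFv14GVJWStQXwwZryGuujC/\r\n"
    "         v4ve5ZE3ZAEAtv5hCj99ZLAfR52rskpbitso+106M8uQvryLyuLSnX1mrk6JaDFLMr8V\r\n"
    "         qHmCEZUF5+cnWEYSwlLo1T8hntgN28hj8OyJY="
)

REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_dkim_signature(value):
    """Unfold a DKIM-Signature header value and return its tags as a dict."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", value)
    tags = {}
    for item in unfolded.split(";"):
        if not item.strip():
            continue
        name, sep, val = item.partition("=")   # first "=" only; base64 padding stays
        if not sep:
            raise ValueError("malformed tag: %r" % item)
        # Folding whitespace is allowed inside the base64 and the h= list,
        # so it is dropped from every value here.
        tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def validate_signature(tags):
    """Structural checks done before any cryptography; returns the DNS name
    of the TXT record that holds the selector's public key."""
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        raise ValueError("missing required tags: " + ", ".join(missing))
    if tags["v"] != "1":
        raise ValueError("unsupported DKIM version %r" % tags["v"])
    if tags["a"] not in ("rsa-sha256", "rsa-sha1"):
        raise ValueError("unsupported algorithm %r" % tags["a"])
    if "from" not in tags["h"].lower().split(":"):
        raise ValueError("the From header must be covered by the signature")
    # Key location: <selector>._domainkey.<signing domain>
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def canonicalize_body_relaxed(body):
    """Relaxed body canonicalization (RFC 6376 section 3.4.4): collapse runs of
    spaces/tabs to one space, strip trailing whitespace on each line, drop
    empty lines at the end, and terminate a non-empty body with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, algorithm="rsa-sha256"):
    """Compute the base64 body hash that a signer places in the bh= tag."""
    digest = hashlib.sha256 if algorithm == "rsa-sha256" else hashlib.sha1
    return base64.b64encode(digest(canonicalize_body_relaxed(body)).digest()).decode()


def body_hash_matches(tags, body):
    """True when the received body still hashes to the signed bh= value;
    any modification of the body in transit makes this False."""
    return body_hash(body, tags["a"]) == tags["bh"]


if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_SIGNATURE)
    print("public key lives at:", validate_signature(tags))
    print("bh= for a constructed body:", body_hash("Hello world\r\n"))
```

The relaxed canonicalization is why whitespace changes made by intermediate servers do not break a signature, while any change to the text itself does; a receiver that finds the body hash intact then fetches the key at the returned DNS name and verifies the b= value over the canonicalized headers listed in h=.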

DKIM actually requires a lot more work for organizations to implement, as it requires additional DNS lookups and (perhaps) expensive cryptographic calculations. A decade ago, it would have been unfeasible to implement this on an organization as large as Windows Live Hotmail.

Hotmail today

Today, the inexpensive cost of processing power makes it possible for Hotmail to validate DKIM. Yahoo! has been doing this since the beginning, as it was the source of this technology. Gmail, too, has been validating DKIM for some time. (Both Yahoo! and Gmail sign outgoing e-mail with DKIM signatures, and Google has made this possible through its Google Apps service for companies as well.)

While Windows Live Hotmail has always validated Sender ID, today I noticed the addition of a new e-mail header:

X-DKIM-Result: Pass

This is good news.

Conclusion

To summarize a post’s worth of babbling, this means that Windows Live Hotmail is taking additional steps to combat e-mail forgery, phishing and spam. A step forward for everybody.

CRTC: never-ending madness

Easing of standards proposed

'In the wake of the Arizona shootings, it seems especially insensitive to suggest that we should lower the bar on media obligations as long as no one is directly threatened or killed:' NDP MP Charlie Angus.

Earlier, Angus told reporters the public has just three days to comment on a proposed regulatory change at the CRTC that would ease standards for radio and TV networks in terms of broadcasting false or misleading news.

A motion by Angus to have the Commons committee on Canadian heritage call witnesses and study the proposed changes passed late Monday. Witnesses may be called as early as next week.

Under the proposed changes, licence-holders would have more latitude in their reporting as long as comments do not directly put human life in danger.

Broadcasters would face penalties if it could be proved the licence-holder had prior knowledge that information was inaccurate.

Angus said the proposed changes directly contradict section 3.1 of the Broadcast Act obligating Canadian media to maintain high standards of objectivity.

“It seems astounding that the CRTC would consider such a move at a time when we see the growing backlash in the United States to the poisoned levels of political discord in the American media,” he said, referring to the debate over what might have influenced someone to shoot U.S. Congresswoman Gabrielle Giffords and 18 others in Tucson last month.

“In the wake of the Arizona shootings, it seems especially insensitive to suggest that we should lower the bar on media obligations as long as no one is directly threatened or killed.”

Read more of this article at cbc.ca

Pretty much, they’re changing

5. (1) A licensee shall not broadcast
(d) any false or misleading news.

to

5. (1) A licensee shall not broadcast
(d) any news that the licensee knows is false or misleading and that endangers or is likely to endanger the lives, health or safety of the public.

Posted via email from Frederick’s posterous

How would you shorten your name?

Happy New Year!

We’re now in the year 2011 — which I propose is “twenty-eleven” as opposed to “two thousand eleven”. It’s time to answer some serious questions.

I’ve been bothered recently (very recently, perhaps a few minutes ago) by a daunting challenge. Why do I abbreviate my name to “Frederick D.” instead of “F. Ding”?

I don’t know. What do you do, and why?

Random PHP/MySQL discovery: time differences

I had been plagued by a nagging question while developing a PHP application: how do I calculate the difference between two timestamps, to check whether the timestamps are within x minutes of each other?

My initial solution wasn’t at all perfect, although it was still better than developing an algorithm from scratch to decipher timestamps into hour/minute/second objects and coding math.

Solution 1: MySQL’s TIMESTAMPDIFF()

My first solution was to use a function native to MySQL, TIMESTAMPDIFF(). This function takes three parameters: the unit in which the result is expressed, and two datetime expressions.

To query whether a given timestamp was within 15 minutes (either +/-) of the current UTC timestamp, I used this statement:

SELECT ABS(TIMESTAMPDIFF(MINUTE, *********, UTC_TIMESTAMP())) < 15

It worked, but I wasn’t satisfied with having an extra query just to verify a timestamp. Besides, I was concerned about speed; that one query takes about 0.004 seconds to execute, which was too much for me.

Then I discovered the native Date/Time extension, built-in on PHP 5.2 and above.

See the better solution after the jump »