Gifts that Last (Plus, why Gustave Caillebotte is now rolling in his grave)

Last month, an article called The Best made its way around the Blogosphere. Not long after, a rebuttal called The Worst offered a different perspective.

I couldn't put my finger on why I didn't really agree with either point. OK, I probably veer toward the "I don't need the ultimate dinnerware" camp.

But must one live at either extreme, given the choice? How about something in the middle, where you don't feel the need to seek out the brand that will impress all your friends and the readers of your blog, but something that will actually last for a while so you don't have to keep buying replacements?

For years, I found that I needed to buy a new pair of slippers each year, the previous year's purchase having completely fallen apart from wear and tear. (I have a home office; they get a lot of use!) That got really tiresome, so I looked into an alternative. I bought a somewhat more expensive pair of slippers from these guys. That was three winters ago, and guess what‽ They are in almost perfect condition today.

Last year, I bought slippers for the rest of the family. Of course, they are still kicking as well.

Next example: You know those cheap umbrellas you buy for $3-$5 when you are caught in the rain? Yeah, I've gone through a lot of those. They don't last long.

But I also have a really cool umbrella I got as a gift, featuring Paris Street; Rainy Day by Gustave Caillebotte. This was three or four years ago, maybe more. I walk in the rain a lot (when it's too wet to be on a bicycle) and this umbrella has seen a lot of use. And it's still in perfect condition.

(I'm guessing that this is the umbrella I got, the one that has lasted so long. There appear to be several variations for sale on the web, but the one pictured here seems to match the tip and handle of mine.)

Point being, sometimes it is worth a bit of extra cost if the item you buy is actually going to last for a while.

In related news:

I was recently wondering what would happen if the couple in the Rainy Day painting had that same umbrella? This little hack made in Acorn was the result.  My apologies to the heirs of Caillebotte.



13 Tips, Summarized, on Setting up a Secure, Resettable Password Database

Today I ran across an awesome blog post from earlier this year on web account security: "Everything you ever wanted to know about building a secure password reset feature."

Having read online tales of some of the horrible things that crackers have been able to do to get at people's account information, I thought this was a fascinating set of guidelines on building a database of users and passwords the right way.

The original article is worth a read, especially if you are working on any database of users, but it's a long read. Here is my brief summary for your convenience (and perhaps someday for my future reference):

  1. In your database, store passwords as a salted one-way hash, with the salt stored alongside the hash in the table. Use a deliberately slow algorithm meant for passwords (bcrypt, scrypt or PBKDF2), not a plain fast hash.
  2. Don't send the user's password to them. (Doing the above makes that impossible anyway: you no longer have it.)
  3. If a user requests a password reset, send an email regardless of whether that address is associated with an account. (If it's not an account email, you can tell them that in the email, NOT on the web page, so the reset form can't be used to discover which addresses have accounts.)
  4. In the password reset mail, send a time-limited URL with a unique, unguessable code that lets them go in and set a new password; do NOT send a new password. (See point 2.)
  5. Consider using a CAPTCHA on the password reset form if automated attacks are an issue.
  6. To limit the damage when somebody's email account is compromised, a password reset might also require answers to secret questions. If you do this, make sure the questions are concise, specific, diverse, hard to discover, and constant over time.
  7. Secret answers should be stored encrypted in the database. (Hashes are problematic if a person, such as a support agent, needs to verify them.)
  8. Consider two-factor authentication.
  9. Do not allow password reset via username, only via email address.
  10. In your password reset emails, include the IP address the reset request came from.
  11. Notify the account owner via email whenever account information is changed.
  12. Do lots of logging (but without sensitive information) to help uncover malicious behavior.
  13. Do not stop the old password from working until the new password has been completely verified and set; otherwise anyone who can request a reset can lock the real owner out.
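To make tips 1, 3, 4, 11 and 13 concrete, here is an added example of the core reset flow in Python. It is my own illustration, not code from the original article or this post. It assumes an in-memory account store, PBKDF2 from the standard library in place of bcrypt, a placeholder site URL (https://example.com/), and a list that stands in for outgoing email so the whole thing runs offline.

```python
"""Password reset flow: salted slow hashes, hashed single-use reset tokens,
identical responses for known and unknown addresses, and the old password
staying valid until the new one is set. Added example, not the article's code.
Assumed: in-memory store, https://example.com/ as the site, email simulated."""
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60   # tip 4: the link dies quickly
PBKDF2_ROUNDS = 200_000       # tip 1: slow on purpose (bcrypt/scrypt are fine too)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salthex$digesthex'; a fresh 16-byte salt per password by default."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, _ = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


class ResetService:
    def __init__(self, now=time.time):
        self.now = now
        self.accounts: dict = {}   # email -> password hash
        self.pending: dict = {}    # selector -> (email, sha256(verifier), expiry)
        self.outbox: list = []     # simulated email: (to, body) -- constructed

    def register(self, email: str, password: str) -> None:
        self.accounts[email.lower()] = hash_password(password)

    def login(self, email: str, password: str) -> bool:
        stored = self.accounts.get(email.lower())
        return stored is not None and verify_password(password, stored)

    def request_reset(self, email: str, request_ip: str) -> str:
        """Tip 3: the page response is identical either way; the detail goes in the mail."""
        email = email.lower()
        if email not in self.accounts:
            self.outbox.append((email, f"No account exists for this address. "
                                       f"Request came from {request_ip}."))
        else:
            # selector finds the record; only a hash of the verifier is stored,
            # so a leaked database cannot be used to forge reset links.
            selector = secrets.token_urlsafe(9)
            verifier = secrets.token_urlsafe(32)
            self.pending[selector] = (email,
                                      hashlib.sha256(verifier.encode()).hexdigest(),
                                      self.now() + TOKEN_TTL_SECONDS)
            url = f"https://example.com/reset?token={selector}.{verifier}"
            self.outbox.append((email, f"Reset your password within 15 minutes: {url}\n"
                                       f"Request came from {request_ip}."))  # tip 10
        return "If that address is registered, a reset link has been sent."

    def complete_reset(self, token: str, new_password: str) -> bool:
        selector, _, verifier = token.partition(".")
        entry = self.pending.get(selector)
        if entry is None:
            return False
        email, verifier_hash, expires = entry
        if self.now() > expires:
            del self.pending[selector]
            return False
        candidate = hashlib.sha256(verifier.encode()).hexdigest()
        if not hmac.compare_digest(candidate, verifier_hash):
            return False
        # tip 13: the old password has stayed valid right up to this line
        self.accounts[email] = hash_password(new_password)
        del self.pending[selector]   # single use
        self.outbox.append((email, "Your password was just changed. "
                                   "If this wasn't you, contact support."))  # tip 11
        return True
```

Note that the token lookup uses a random selector so the verifier is never compared against every row, and the comparison itself is constant-time. Rate limiting and the CAPTCHA of tip 5 would wrap `request_reset` at the HTTP layer.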

All in all, a good overview. Hopefully more and more account providers follow this kind of advice — I cringe when I see my password sent to me over email in clear text!

Making Crisp Retina Icons for your App

Over the last few years, heeding warnings from Apple that we would need higher-resolution icons, we got into the habit of asking our icon guy to make double-size images (sometimes even quadruple-size) whenever we needed a graphic that was better done as a bitmap than as a vector.

So when the MacBook Pro with Retina Display came out, we thought we were in pretty good shape.

Unfortunately, we had to throw out a lot of our work and backtrack. Seeing our icons on the actual retina display, we realized they needed to be a bit sharper, especially when it came to crisp details like lines and outlines.

What we had been doing was essentially doubling any single-pixel lines from the source image. So if we had an icon with a rectangle bordered by a single-pixel line, the double-size icon would have a rectangle bordered by a two-pixel-wide line.

So instead, we had the icons re-done so that the lines were a single pixel wide in the retina version. To compensate for the fact that a one-pixel line at double resolution isn't as bold as the original, we made the line a bit darker (or more opaque, which usually amounts to the same thing).

Take for example this icon in Sandvox's Page Inspector. On the left is the original image enlarged to match the new retina size; on the right is the retina image. (Both are enlarged so you can easily see the pixels.)

[image: page inspector icon, original vs. retina]

Here's another one. The non-retina "objects" toolbar icon is on the left; on the right is the retina version with the single-pixel lines.

The moral of the story is that it's important to pay attention to how a double-resolution image will be perceived on a retina display!

(Here's an interesting example from Apple that somebody pointed out. iTunes 11's "Up Next" icon looks like a bulleted list on a standard display, but actually shows numbers on a retina display!)


Amazing Photo of Nelson Mandela

When I'm working on Sandvox, I tend to have a pile of random images I use for testing things. Here's one I ran across a few days ago. It's one of my absolute favorite photos. Not for any artistic reason, but the whole story behind it makes me smile.

If you haven't seen the 2009 film Invictus, or read the book Playing the Enemy: Nelson Mandela and the Game That Made a Nation, do it soon. Both are very well done, and tell the amazing story behind this photograph.

Another reason to love Stripe

Stripe noted today in their blog:

When you refund a transaction, Stripe will return the entire fee. Until today, if you charged $100 and then refunded the transaction, it would still cost you $3.20—that is, 2.9% + $0.30. From now on, it will be free.

Finally! Yeay! One of my few quibbles with them is no more. It's not like it has been a big burden, but it's nice that a refund now genuinely undoes the transaction.

Furthermore, they won't charge you fees on a chargeback if you win the dispute. Though chargebacks happen so rarely for us now (compared to PayPal, especially!) that it hardly matters.

Auto-Update your Hosts File to Disable Adware and Other Web Junk

There's a great resource you should install on your Mac(s): a "hosts" file called "how to make the internet not suck (as much)." This is a huge file that blocks tons of nasty websites you probably don't want to see any content from: shock sites like GoatSe, user-tracking sites, nasty popups, known trojan/malware sites, adware sites like doubleclick.net, and so forth.

I don't want to see any content from any of these domains, and you probably don't either. Fortunately, Dan Pollock has created this mammoth file, which, once properly installed, makes those domains resolve to your own machine instead of the real site. And he updates the file pretty frequently as new honorees are inducted into the hall of shame.

Here's a technique I came up with to install and update this file on your system. Once a week, it fetches a fresh update to the file and installs it on your system.

It does take a bit of command-line-fu, however.

First, you need to become root in the terminal. Type this, and enter your password when prompted:

sudo su -

You should see a new prompt, something like this:

DansMac:~ root# 

Next, get a current copy of the file by pasting this line:

curl --silent http://someonewhocares.org/hosts/hosts | grep '^127.0.0.1' > /etc/hosts

Now type this to edit root's crontab (not your own user's, since you're still root from the step above). The crontab lists the periodic tasks your system will perform:

crontab -e

This will open a terminal-based text editor. Maybe you have configured that to your editor of choice (*cough*vi*cough*), or you can stumble your way through whatever is offered as the default.

Paste in a line similar to this:

10 10 * * 3 curl --silent http://someonewhocares.org/hosts/hosts | grep '^127.0.0.1' > /etc/hosts

You can adjust the five schedule fields before the curl command. In this case, it's going to fetch a fresh copy at 10:10 on day 3 of the week, which is Wednesday (cron counts Sunday as 0).

Close and save the crontab editor, and you should be set!

There you have it.  My Christmas* gift to you.

* If you don't celebrate Christmas, consider it a belated birthday gift! Next year I'll try to send you a card!

Update: I've updated the command to only bring in lines that start with 127.0.0.1, so that it's impossible for this file, if somehow compromised, to do anything other than redirect a domain to your own machine. (A tampered file could still black-hole a site you do want to reach, so keep an eye on what lands in /etc/hosts.)
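The one-liner above has two failure modes worth closing: if curl fails (network down, site moved), the empty pipeline still truncates /etc/hosts to nothing, and the plain redirect throws away any local entries you had in there (::1 localhost, broadcasthost, your dev boxes). Here is an added shell script, my own and not the original post's command, that fetches to a temp file, keeps only well-formed 127.0.0.1 lines, refuses to install a suspiciously short download, preserves whatever sits above a marker line in your current hosts file, and replaces the file with a rename rather than an in-place truncate. It assumes the same file is served at https://someonewhocares.org/hosts/hosts and that the target is /etc/hosts (HOSTS_FILE overrides that for testing).

```shell
#!/bin/sh
# update-hosts: safer weekly install of Dan Pollock's hosts file.
# Added example, not the original post's command. Assumptions: the file is
# served at the https URL below; target defaults to /etc/hosts.
set -eu

HOSTS_URL="https://someonewhocares.org/hosts/hosts"
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}"
MARKER="# --- someonewhocares.org blocklist below; keep local entries above this line ---"

# Everything above the marker in the current hosts file is local configuration
# and is preserved verbatim. With no hosts file at all, fall back to the stock
# macOS entries (constructed defaults).
local_entries() {            # $1 = current hosts file
    if [ -f "$1" ]; then
        awk -v m="$MARKER" '$0 == m { exit } { print }' "$1"
    else
        printf '%s\n' '127.0.0.1 localhost' '255.255.255.255 broadcasthost' '::1 localhost'
    fi
}

# Keep only well-formed "127.0.0.1 <hostname>" lines. Stricter than
# grep '^127.0.0.1': nothing may follow the hostname except a comment, so a
# tampered line cannot smuggle in a second address or odd characters.
filter_blocklist() {         # $1 = downloaded file
    grep -E '^127\.0\.0\.1[[:space:]]+[A-Za-z0-9.-]+[[:space:]]*(#.*)?$' "$1" \
        | awk '{ print "127.0.0.1 " $2 }' | sort -u
}

# Assemble local entries + marker + blocklist in a temp file next to the
# target, then rename it into place. Refuse if the download has fewer than
# MIN_ENTRIES usable lines, so a failed curl never leaves an empty hosts file.
build_hosts() {              # $1 = downloaded file, $2 = hosts file to replace
    count="$(filter_blocklist "$1" | wc -l | tr -d ' ')"
    if [ "$count" -lt "${MIN_ENTRIES:-1000}" ]; then
        echo "refusing to install: only $count usable entries in download" >&2
        return 1
    fi
    tmp="$(mktemp "$(dirname "$2")/hosts.XXXXXX")"
    {
        local_entries "$2"
        echo "$MARKER"
        filter_blocklist "$1"
    } > "$tmp"
    chmod 644 "$tmp"         # mktemp makes it 0600; /etc/hosts must be world-readable
    mv "$tmp" "$2"
}

update_hosts() {
    dl="$(mktemp)"
    # --fail: an HTTP error page is an error, not a hosts file to install
    curl --silent --show-error --fail --location "$HOSTS_URL" -o "$dl"
    build_hosts "$dl" "$HOSTS_FILE"
    rm -f "$dl"
}

if [ "${1:-}" = "update" ]; then
    update_hosts
fi
```

Save it somewhere like /usr/local/sbin/update-hosts (an assumed path), make it executable, and put `10 10 * * 3 /usr/local/sbin/update-hosts update` in root's crontab in place of the curl line. On the very first run, restore your stock /etc/hosts first if the original one-liner has already overwritten it; otherwise the old blocklist would be preserved above the marker as if it were local configuration.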

Using 1Password to generate and save a strong password

I've been using 1Password for a while now, and while I find it slightly more tedious to use than Safari's keychain-based password management, I do like the easy syncing via Dropbox and the strong password generator that is built in.

One problem I have found with the workflow comes when setting up a new account and choosing a password for it, or when changing the password on an existing account to an auto-generated strong password.

You might be tempted, when presented with the prompt at the top of your browser window, to save the password you just generated and filled in on the new-password or change-password form.

[image: copy password]

Don't do this yet! You'd be saving the password against the wrong form, not the login form!

Instead, when you open up the 1Password generator, select the generated password. (Don't try to select it with a double-click; it may contain characters that double-clicking treats as word boundaries. Drag your mouse over the whole thing to get all of it.)

Then copy the selected password to the clipboard using good ol' Command-C.

You'll be keeping the password around on your clipboard for a bit here. Go ahead and fill out your new-password (or change-password) form.

Then log out.

You still have the password on your clipboard, right?  (If you've used a Mac for long enough, you probably have a bit of a sixth sense that something important is still on your clipboard.)

Go to the start page of the website where you will be logging in, and log in. Paste the password into the appropriate field.

Now, and only now, should you accept the offer to save this login with 1Password. If you do it this way, it will be saved against the login form, so that next time you log in the field will be auto-filled easily.

(And if you are feeling extra-paranoid, go ahead and select some harmless visible text and copy it to your clipboard so that the password you generated is overwritten; you don't want to be pasting it somewhere else by accident, do you?)

Board Games Rock

I just ran across a nice article, Why we still love board games. Worth a quick read.

My family and I love board games. We have some cabinets that are overflowing with them, and for the most part we actually play them.

And when I say board games, I mean the actual physical games, not the computer versions of them. I mean, my pals at IconFactory and Coding Monkeys and those other places that have made iOS versions have done what appears to be a really bang-up job on their adaptations of some of my favorite board games, but I have no interest in playing them, because a board game you can touch and spread out on your dining table is always going to be better.

The article I linked to mentions (and pictures) Carcassonne, Settlers of Catan, and Ticket to Ride. All three of those are just wonderful. (I barely recognized the Settlers image, though; my copy is second-generation, from the mid-1990s, just after they started producing it in English, and the design has gone through a few changes!)

If you still think of games from forty or more years ago when you think of board games, you are missing out.

If you have small kids, I should point out that you can get them started on some of these games much earlier than you'd think. With Carcassonne, for instance, we would just make a "junior" version by making the game about filling out the land tiles, without keeping score.

If you are giving Christmas gifts (OK, or other holiday gifts, though Christmas is the only holiday that's all about the gifts), then a board game is a great idea. If your town or region has a local game store, go shop there: you'll get personal recommendations, a hand-picked selection, and a much warmer feeling than if you buy online or from a big-box toy store.

Even if you've already bought an online version of one of these board games, do yourself a favor and try it out in physical form. Save the online version for when you are on a road trip and you couldn't bring the box.

Here are some of my favorites, off the top o' me head:

  • Settlers of Catan — The modern classic.  Top of my list, and probably top of everybody else's list.
  • Stone Age — A recent discovery but we are constantly playing this game! Many layers of complexity, many strategies, and good at getting your kids to practice their multiplication when it comes to counting up the final score!
  • Ticket to Ride — This is a series of several games, based on the geography of the U.S., Europe, and more. Try out one of them, and if you love it, try another one.
  • Carcassonne — A tile-laying game. Check out the tiny expansion packs that put a twist on the original game!
  • Lost Cities — OK, this is really more of a card game, though it has an entirely superfluous board. While most board games are best with three or four players, this one is for two people. 

There are others I've heard of that are great, such as Dominion, Puerto Rico, etc. We may try them out, but first we're going to have to figure out where we will store them!

(Do you have any suggestions for amazing board games? Leave them in the comments please!)


© Dan Wood 2012-2016. My Comments Policy