ebmgh.com

Forgot Password Best Practices

Good information on how to design a website password recovery feature, by Dave Ferguson at a company called FishNet Security. Mr. Ferguson signs his name as CISSP, which apparently means he’s a “Certified Information Systems Security Professional”.

Best Practices for Your “Forgot Password” Feature (PDF, 260 K)

For a web application, authentication is typically done via username and password inputs from the user. The authentication process often receives plenty of attention during the design and development phases, and much has been written about how to secure the process. Enforce strong user passwords. Display a generic error message for a failed login. Lock or disable the account after a certain number of failed login attempts. Store passwords in the database as one-way, salted hash values. All of these carefully thought-out security measures often go out the window when a user forgets his password.

As a user the expectation is that an application will assist you when you’ve forgotten your password. But there’s something fundamentally insecure about a forgot password feature. Essentially, the application is providing a second, entirely separate procedure to authenticate you. It’s this secondary method of authentication that often gets short shrift by designers and developers. Security weaknesses creep in.

January 28, 2010 at 11:01 am Comments (0)

Oakland’s Morcom Amphitheatre of Roses is a Hidden Gem

I lived about a half mile from this beautiful gem before I learned about it. It is definitely worth a visit.

Last year, when they put out a call for volunteers to “deadhead” the roses, there was some confusion when a bunch of aging hippies in tie-dyes showed up. Hilarity and gardening ensued, as reported in the SF Chronicle.

There is a group called the Friends of the Morcom Rose Garden whose dedicated volunteers help keep the garden beautiful.

January 28, 2010 at 9:58 am Comments (0)

Habib Koité in San Francisco April 1-4

Just added a set of shows to the African Music Calendar. Malian superstar Habib Koité and his band Bamada will be holding forth at Yoshi’s San Francisco for four nights (!) at the beginning of April. (Via concert promoter IMN.)

Highly recommended. I’ve been to hear them in concert at least half a dozen times in the last decade, and they never disappoint. They put on a fantastically energetic and soulful live show. It’s worth the price of admission just to hear Kélétigui Diabaté, an elder statesman of Malian music, on the balafon. How can I explain how awesome it is to have him on stage? It would be like if a hot young artist like John Mayer said, “Hey Dave Brubeck, do you want to be in my band?” Well, sort of, anyway.

January 22, 2010 at 1:53 pm Comments (0)

Global Sources of Local Pollution

The National Academies Press is offering free PDF downloads of some of their recent publications, including one which should be of interest to those who are concerned about air quality and their community’s health: Global Sources of Local Pollution: An Assessment of Long-Range Transport of Key Air Pollutants to and from the United States.


The book looks at four pollutants in detail: ozone, mercury, particulate matter, and persistent organic pollutants, which include a whole range of pesticides and industrial chemicals like DDT which have been banned in the US but are still in use around the world.

Pollutants from traffic, cooking stoves, and factories emitted half a world away can make the air we inhale today more hazardous for our health. The relative importance of this “imported” pollution is likely to increase, as emissions in developing countries grow, and air quality standards in industrial countries are tightened.

Among the things I learned: only about 10-20% of the mercury deposition in my area is from North American emissions. The rest, presumably, is from Asia and Europe.

The authors recommend helping poor countries out of self-interest: “the United States should work with the international community to develop an integrated system for determining pollution sources and impacts and to design effective response strategies.”

Ultimately, these recommendations are weak. Doing more monitoring and modeling studies may help us to better understand the problem, but they are not likely to improve air quality or human health. The authors stop short of recommending foreign assistance to help developing countries wean themselves from these toxic chemicals.

There is also no mention of international treaties for their controls, like the one that phased out CFCs in the 1990s. I suppose this isn’t surprising coming from a group of scientists; they recommend more monitoring and modeling because it’s what they do best, and avoid the quagmires of policies and regulations. I think there is a compelling argument for us to help developing countries develop alternative energy sources, and reduce their consumption of fossil fuels like coal. Acting in enlightened self-interest, we would enjoy substantial co-benefits of reduced greenhouse gas emissions and better health.

In conclusion, this book is an excellent summary of the science behind global air pollutants, but I wish that the authors had been more daring in crafting their recommendations.

Global Sources of Local Pollution: An Assessment of Long-Range Transport of Key Air Pollutants to and from the United States

January 22, 2010 at 1:31 pm Comments (0)

Support Haiti with Musicians Kalbass Kreyol

I just updated the SF Bay African Music Calendar with a bunch of upcoming shows from the local band Kalbass Kreyol. All of the shows are donating some portion of the proceeds to Haitian relief. What a great way to help out, have a good time, and maybe learn something about Haitian culture at the same time.

Jan 27 2010 8:00P   The Independent, San Francisco, California
Jan 28 2010 8:30P   Ashkenaz, Berkeley, California
Jan 29 2010 7:00P   CSU East Bay — University Theatre, Hayward, California
Feb 4 2010 8:00P    Yoshi’s San Francisco, San Francisco
Feb 15 2010 8:00P   Yoshi’s Oakland, Oakland, California
Feb 15 2010 10:00P  Yoshi’s Oakland, Oakland, California
Feb 16 2010 9:00P   Roccapulco, San Francisco, California
Feb 20 2010 8:00P   Merritt College, Oakland, California

From their MySpace page:

KALBASS KREYOL, led by Haitian-born frontman Sophis, is a high-energy Afro-Caribbean band that is best known in the Bay Area for its electrifying and uplifting live performances. Founded in 2005 by Haitian natives Sophis and Mr. G, the band grew out of the open mic scene in Alameda.

The band’s music is intently designed for dancing. At the center of their sound are elements of Haitian Kompa and Rara which are mélanged with particles of Merengue, Reggae, Salsa, Zouk, Rock and Funk to create an unusual rhythmic formula that keeps their audience glued to the dance floor.

Kalbass Kreyol is influenced by world music giants in the likes of Kassav from Guadeloupe, Tabou Combo from Haiti and the legendary Santana. Following in the footsteps of these giants, Kalbass Kreyol seems intent on taking their music and message to the four corners of the earth.

In light of the devastating earthquake to hit Haiti in January 2010, Kalbass Kreyol has committed itself to raising funds to benefit victims of this disaster. Come support Haiti’s recovery with Kalbass Kreyol—upcoming shows are entirely dedicated to this project, with all proceeds going directly to relief efforts in Haiti.

January 21, 2010 at 3:35 pm Comments (0)

PG&E Electric Rates

We have a virtual monopoly when it comes to electricity here in California. For most of central and northern California, we get our electricity from Pacific Gas & Electric, or PG&E.

Our rates are an example of “tiered rates” or “inclining block rates”. You get a certain amount at a low price, and you pay more for additional consumption. The theory is that it offers an incentive to conserve. PG&E has a 5-tier system. I wondered what our rates looked like, so I made a chart:

A couple of things confused me. Why is the second tier so small, and why is the step up so minor? Why do all the prices have five decimal points? Still, I wonder why they don’t include a chart like this with the bill, or on their website. I think it is powerful to visualize how much more you’ll be paying if you go over a certain threshold.

Here’s how I made the chart. I got the costs from this document: Electric Schedule E-1: Residential Services.

You need to know what your “baseline allocation” is. It turns out this is based on where you live. I have the good luck (or bad luck, depending on how you look at it) to live in Zone T, which the electric company says has the lowest energy needs, presumably due to our mild Mediterranean climate. There’s a map of the territories here.

As a final note, the American Water Works Association, in a Discussion of Tiered Rates, notes that inclining tiers can send a strong conservation message (from the water world, but the same principles apply).

However, it should be noted that this type of rate structure itself, without a significant accompanying customer information program, will generally not produce the desired conservation, simply because the vast majority of customers do not understand rates and do not have any idea that the more they use, the higher the unit price becomes.

January 20, 2010 at 5:28 pm Comments (0)

Learning SQL

A former boss told me to spend a few hours working through the tutorials at SQLCourse.com several years ago. Funny advice to an environmental engineer? Probably not, since almost all modern engineering involves computing, and most non-trivial computer programs use databases to store and retrieve information.

SQL, or “structured query language” is a standard way of interacting with a database. These free online courses are very good, and I still find myself referring back to them now and then. Learn how to select records, make updates, and join database tables…

SQLCourse contents:

  1. What is SQL?
  2. Table basics
  3. Selecting data
  4. Creating tables
  5. Inserting into a table
  6. Updating records
  7. Deleting records
  8. Drop a table
  9. Advanced Queries

SQLCourse2.com contents:

  1. Start Here – Intro
  2. SELECT Statement
  3. Aggregate Functions
  4. GROUP BY clause
  5. HAVING clause
  6. ORDER BY clause
  7. Combining Conditions & Boolean Operators
  8. IN and BETWEEN
  9. Mathematical Functions
  10. Table Joins, a must

January 20, 2010 at 2:24 pm Comments (0)

Evaluating code from a string in VBA

I was wondering if I could store a procedure or a snippet of code in a string, and then execute that code. JavaScript has a function called eval(), which some say is evil. It turns out that Microsoft Office has an Eval function, but it is not included in Excel, Word, or other software that has VBA.

I suppose I understand why a database would need this. It would let you store snippets of code in a database record, then retrieve them and evaluate them. Here’s a trivial example.

Sub test()
  'Eval parses the string and runs it as a VBA expression
  Eval ("msgbox(""Testing Eval"")")
End Sub

But you can imagine doing something more complex, like storing a function or some data. If you want to do something like this in Excel, and you have Access installed, you can just set up a reference to the Access Object Library. In the VB Editor, click Tools > References, then choose the Access Object Library as shown here. Note that this can cause problems with sharing the workbook. If other users don’t have Access installed, or have a different version, your program won’t run, and it will produce all kinds of ugly error messages. So I’d only recommend this technique for something you use in house, or which has a small number of users.
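An added example, not code from this post, of the same idea from Excel without the Access reference described above: it late-binds Access with CreateObject, so the workbook carries no version-specific entry under Tools > References, and it refuses any stored expression that uses names outside a small allow-list, since Eval runs whatever the database record contains. The allow-list contents and the function names are this example’s own choices; it assumes Access is installed on the machine.

```vba
' Constructed allow-list of names a stored expression may call; extend deliberately.
Private Const ALLOWED_NAMES As String = ",abs,round,int,sqr,len,ucase,lcase,"
Private Function IsAllowedName(ByVal ident As String) As Boolean
    IsAllowedName = InStr(1, ALLOWED_NAMES, "," & ident & ",", vbTextCompare) > 0
End Function

' True when expr holds only numbers, + - * / ( ) , . spaces, double-quoted
' string literals, and identifiers from ALLOWED_NAMES. Refuses everything else.
Public Function IsSafeExpression(ByVal expr As String) As Boolean
    Dim i As Long, ch As String, ident As String, inString As Boolean
    For i = 1 To Len(expr)
        ch = Mid$(expr, i, 1)
        If inString Then
            If ch = """" Then inString = False      ' literal ends (doubled quotes not handled)
        ElseIf ch = """" Then
            inString = True
        ElseIf ch Like "[A-Za-z_]" Or (Len(ident) > 0 And ch Like "[0-9]") Then
            ident = ident & ch                       ' accumulate an identifier
        Else
            If Len(ident) > 0 Then
                If Not IsAllowedName(ident) Then Exit Function
                ident = ""
            End If
            If Not ch Like "[0-9 .+*/(),-]" Then Exit Function
        End If
    Next i
    If inString Then Exit Function                   ' unterminated literal
    If Len(ident) > 0 Then
        If Not IsAllowedName(ident) Then Exit Function
    End If
    IsSafeExpression = True
End Function

' Evaluates expr with Access's Eval via late binding: no Tools > References entry,
' so the workbook still opens on machines with another Access version.
' Returns Empty when expr is refused or Access raises an error.
Public Function EvalStored(ByVal expr As String) As Variant
    EvalStored = Empty
    If Not IsSafeExpression(expr) Then Exit Function
    Dim acc As Object
    Set acc = CreateObject("Access.Application")
    On Error Resume Next
    EvalStored = acc.Eval(expr)
    On Error GoTo 0
    acc.Quit
End Function

Sub DemoEvalStored()                                 ' constructed stand-ins for database records
    Debug.Print EvalStored("Round(Sqr(2) * 100, 1)")   ' 141.4
    Debug.Print IsEmpty(EvalStored("MsgBox(""hi"")"))  ' True: MsgBox is not on the allow-list
End Sub
```

Each call starts and quits an Access instance, so cache the object if you evaluate many records in a loop.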

January 20, 2010 at 12:49 pm Comments (0)

Testing for String Membership in Excel VBA

I found myself wishing that Excel or VBA had a simple way to test whether a string exists in another string. In Python you can type

if substring in string:
    # Then do something…

But Excel lacks this convenience. You can sort of hack the built-in InStr function to do it for you. Since I always found this confusing (who can remember what the difference is between “text compare” and “binary compare”?), I created a simple function called Contains. On the spreadsheet, you can just type

=Contains("abcdefg", "a")

and it returns TRUE. In VBA, it is useful in IF statements. Not as clean as Python, but a helpful convenience.

Function Contains(str As String, substr As String, _
                  Optional CaseSensitive As Boolean = False) As Boolean

    'Does a simple test to see if str contains substr
    'Example: =Contains("abcd","a") returns TRUE
    '         =Contains("abcd","x") returns FALSE

    'Set CaseSensitive flag to TRUE if you don't want "a" to find "A"
    '         =Contains("ABCD","a",True) returns FALSE
    '         =Contains("ABCD","a",False) returns TRUE (because the comparison is not case sensitive)

    Dim opt As Long

    If CaseSensitive Then
        opt = vbBinaryCompare
    Else
        opt = vbTextCompare
    End If

    'InStr returns the 1-based position of the first match, or 0 if there is none
    If InStr(1, str, substr, opt) > 0 Then
        Contains = True
    Else
        Contains = False
    End If

End Function

January 15, 2010 at 5:31 pm Comments (0)

Fixing Excel’s SMALL and LARGE Functions

Excel has a pair of useful built-in functions called SMALL and LARGE. Suppose you want to know the third-largest number in a column. Or you want to find the fourth-smallest.

The function LARGE returns the kth largest value in a dataset. Entering

=LARGE(A1:A9,3) 

returns the third largest value in the range A1 to A9. The function is smart enough to ignore blank cells and text. However, if you have an error in a cell, the result of the formula will be an error.

Here are custom functions to replace the built-in ones, called MyLarge and MySmall. Their use is identical to the Excel version: just enter

=MYLARGE(A1:A9,3).

If you don’t know how to use these, check out the following: How do I… Create a user-defined function in Microsoft Excel at Tech Republic. Or you can download an example workbook with the functions.

(more…)
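An added example, not the post’s own MyLarge and MySmall (those sit behind the “more” link), showing one way to build replacements with the same calling convention: cells holding errors, text, booleans or blanks are skipped instead of turning the whole result into an error. The helper names NumericValues and KthExtreme are this example’s own.

```vba
' Copies the numeric cells of rng into vals (1-based) and returns how many there
' were. Text, errors, booleans and blanks are skipped instead of poisoning the result.
Private Function NumericValues(ByVal rng As Range, ByRef vals() As Double) As Long
    Dim c As Range, n As Long
    ReDim vals(1 To rng.Cells.Count)
    For Each c In rng.Cells
        ' VarType is stricter than IsNumeric, which would accept numeric-looking text.
        Select Case VarType(c.Value)
            Case vbInteger, vbLong, vbSingle, vbDouble, vbCurrency, vbDate
                n = n + 1
                vals(n) = CDbl(c.Value)
        End Select
    Next c
    NumericValues = n
End Function

' kth largest (largest = True) or kth smallest numeric value in rng. Returns #NUM!
' when fewer than k numbers exist, which is what LARGE and SMALL do.
Private Function KthExtreme(ByVal rng As Range, ByVal k As Long, ByVal largest As Boolean) As Variant
    Dim vals() As Double, n As Long, i As Long, j As Long, t As Double
    n = NumericValues(rng, vals)
    If k < 1 Or k > n Then
        KthExtreme = CVErr(xlErrNum)
        Exit Function
    End If
    ' Partial selection sort: pass i moves the ith most extreme value into slot i,
    ' so after k passes slot k holds the answer. O(k*n), fine for worksheet ranges.
    For i = 1 To k
        For j = i + 1 To n
            If (vals(j) > vals(i)) = largest Then
                t = vals(i): vals(i) = vals(j): vals(j) = t
            End If
        Next j
    Next i
    KthExtreme = vals(k)
End Function

' Worksheet use, same as the built-ins: =MYLARGE(A1:A9, 3)  =MYSMALL(A1:A9, 4)
Public Function MyLarge(ByVal rng As Range, ByVal k As Long) As Variant
    MyLarge = KthExtreme(rng, k, True)
End Function
Public Function MySmall(ByVal rng As Range, ByVal k As Long) As Variant
    MySmall = KthExtreme(rng, k, False)
End Function
```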

January 14, 2010 at 3:04 pm Comments (0)
