Why the secure question in your email provider just sucks

My sister recently had her Hotmail account compromised.

As the IT guy of the family, she asked me to try to retrieve her account.

That's where the fuck began. (can I say donkey punch? it feels more adequate...)

I tried to access her account with her old password. As expected, it wasn't successful.
I clicked on "recover my password" and tried the secret question... of course, it was a new one, impossible to answer.

I decided to have the password recovery sent to the secondary email. For that, Hotmail shows you the first two letters of the secondary email and the domain it belongs to.
For me, it was sf*****@live.fr, but no one in the family has this email. The hacker had changed it too.

So, I decided to try the last solution: contacting the Support center.
They provide a form to complete with as much information as possible to confirm you are the owner of this account.
Among those questions, you can find:
  • Your first and last name
  • Your birth date
  • Your address
  • Some subjects of emails you sent
  • Some contacts you have
  • Some other passwords you used.
I asked my sister for as much information as she could provide, and sent the form.
Two hours later (that was quite fast!), the answer was definitive: "We cannot identify you as the owner of this email address, we are sorry".

Her Hotmail account, and all accounts related to it (like Facebook), were dead.

So, what does this have to do with the secure question?

A quick Google search shows that secure questions suck. They suck because you can have the best password ever, but the answer to the question you provide is something that you know and that is generally public.
By generally public, I mean something that can be found either by searching the web (Facebook is the best place ever for that) or by social engineering (a bit more twisted :p).

So anyone with a bit of knowledge about the person can access their account.

Thinking like a hacker, after gaining access to an account, what would you do? Obviously, these steps:
  • Change the password
  • Change the secondary email used to recover a lost password
  • Change the secret question
  • Change all the personal information, even the mobile phone
  • Delete emails.
Doing these steps makes the Hotmail form useless, since only the old password can still be relevant. (#fail)

I believe, and I'm not the only one, that secure questions should be removed from every website that uses them.
This technique is more helpful for hackers trying to access an account than for people trying to recover their account, since a compromised account has its secure question changed (<= this is just sooo dumb).

Ok, so what should we do instead?

I don't have THE solution, but looking at some places, like GMail (for example), great ideas can be highlighted:
  • First of all, REMOVE THE FUCKING SECURE QUESTION! (or change the answer to something like "rzezzkoe zer zerkop zkper zerz ekrz")
  • Allow multiple secondary emails, keep a trace of them, and when a password is lost, let the user choose between the current and the old secondary emails where to send the password recovery link. Since the secondary email has probably been changed to the hacker's address, keeping them in memory should seem obvious!
  • Send a code by SMS to a phone. But like the secondary email, keep a trace of the previous phone numbers and let the user choose. The hacker will probably change that too. Possibly, force the user to confirm a new phone number by sending a code every time they change the phone number in their profile. That would force the hacker either to enter a valid phone number or not to change it at all.
  • Send a unique identifier to the secondary email when a user creates an account, which the user should keep. Ask for it when the account can't be retrieved otherwise. (That's what GMail does.)
  • Enable 2-step authentication (like GMail).
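The recovery design sketched in the list above, as an added example (my own code, not Hotmail's or GMail's): every contact that was ever verified stays on file and can be chosen for a reset link, a new contact only becomes active once the code sent to it is confirmed, and the key issued at sign-up is the last resort. The `Account` class, the `outbox` standing in for the email/SMS gateway and the sample addresses are assumptions made for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical model for the demo: contacts are kept oldest-first and never
# overwritten; the outbox records what the service "sent" so the flow runs offline.
@dataclass
class Account:
    recovery_key: str                               # issued once, at sign-up
    contacts: list = field(default_factory=list)    # every contact ever verified
    pending: dict = field(default_factory=dict)     # new contact -> code awaiting confirmation
    outbox: list = field(default_factory=list)      # (contact, message) pairs "sent"


def create_account(first_contact: str) -> Account:
    """Issue the long-lived recovery key and mail it to the first contact."""
    acct = Account(recovery_key=secrets.token_urlsafe(24))
    acct.contacts.append(first_contact)
    acct.outbox.append((first_contact, f"keep this recovery key: {acct.recovery_key}"))
    return acct


def request_contact_change(acct: Account, new_contact: str) -> None:
    """A new phone/email is NOT active until the code sent to it is confirmed."""
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending[new_contact] = code
    acct.outbox.append((new_contact, f"your confirmation code is {code}"))


def confirm_contact_change(acct: Account, new_contact: str, code: str) -> bool:
    """Wrong or missing code: the change is dropped and the old contacts stay authoritative."""
    expected = acct.pending.get(new_contact)
    if expected is None or not hmac.compare_digest(expected, code):
        return False
    del acct.pending[new_contact]
    if new_contact not in acct.contacts:
        acct.contacts.append(new_contact)   # history is kept, nothing is replaced
    return True


def recovery_options(acct: Account) -> list:
    """Contacts the user may pick to receive a reset link: current AND previous ones.

    Pending (unconfirmed) contacts are deliberately excluded."""
    return list(acct.contacts)


def recover_with_key(acct: Account, key: str) -> bool:
    """Last resort when no listed contact is reachable any more."""
    return hmac.compare_digest(acct.recovery_key, key)
```

Even after an attacker confirms their own address, the owner's original contact remains in `recovery_options`, which is exactly what the Hotmail flow above lacked.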

GMail limits access to the "Answer to your secure question" to 5 days after the request. I don't know why.
My first thought was "That's genius! If the user does not log in for 5 days, then the question is opened". But it doesn't work, for many reasons:
  • If the account has been compromised, the "not real" user will access it within the 5-day range.
  • If you are on vacation, you probably won't access your inbox during those 5 days.

Well, some of you will point out that my sister could have provided her phone number, which would possibly have made the recovery easier. But how many users like to share their personal information with their email provider?

Please, Hotmail, GMail, Yahoo and all the others, remove the secure question; you do not help your users.

I hope you enjoyed this post.
Feel free to debate in the comments below, I would love to know your opinion on it :)

A. Kainwood.

Follow me on twitter !

The elevator pitch, or how to be concise

As I said earlier on Twitter, a good project can be described in one tweet.

By that, I mean you should be able to describe the main goal of your project in less than 140 chars.

Why?

Because if you can't, it means you don't have any idea of what you're doing exactly.

It means you lost yourself in too many details, because you haven't specified what problem your project is solving.

To help you do so, there is a little exercise known as the elevator pitch.
I won't go into details on how to do it; you'll find plenty of useful links out there, like this one from The Netsetter.

Nevertheless, a great video by Adeo Ressi, the founder of the Founder Institute, shows a rudimentary template of what a good micro pitch could be.
Its template goes like this:

My company, (company name), is developing (a defined offering) to help (a target audience) (solve a problem) (with secret sauce).

If you're working on a project and you are looking for investors or just sharing your idea with others, you should try this exercise.


Happy new years folks!

I'll do just a quick post to wish you all the best for this new year.

My new year resolution will be quite simple: I'll try to write one post per week, probably every Tuesday.
I have a lot of ideas prepared for project-oriented posts that I hope will help you. I'll try to keep them short (I HATE having to read long blog posts, and I hate it most when they are split into many pages; I don't care that it simulates more visitors!).

See you tomorrow then :)

Cheers!


Don't reinvent the wheel, improve it!

In my last post on why doing less is going to help you more, I mentioned the DRY principle.

Today, I'm gonna go deeper into that idea, based on the idiom Don't Reinvent the Wheel.

As Wikipedia says:

As it has already been invented, and is not considered to have any operational flaws, an attempt to reinvent it would be pointless and add no value to the object, and would be a waste of time, diverting the investigator's resources from possibly more worthy goals which his or her skills could advance more substantially.

For someone working in the IT industry, you probably (surely) heard something like:

"- I have a new project!
- Great, what is it?
- I'm gonna make a Twitter alternative!
- WTF?"

Maybe YOU were the guy with the new project!

And the guy with this kind of project is often seen as the dumb guy with no ideas, copying existing ones.

You need to make the difference between copying something and improving it!

Take a look at all these PHP frameworks (for example); there are tons of them out there (and this list is surely not complete!). Where is the improvement here?

You can find notable differences for the best known ones, but for the others?
I can't find the improvement; it's just copying! (sometimes it's better, sometimes it's not).

As I said previously, Don't reinvent the wheel,

Improve it!

You can, and SHOULD, start a new Twitter, but bring in some new and exciting stuff (no, I don't care that yours will allow 150 chars...), because if your project is really better on some points, you will add a new parameter between you and Twitter:

competition!

And this is absolutely good, for You, for Twitter and for the community.

Not enthusiastic? Let me bring some examples:

Imagine one of your friends telling you, ten years ago, that he would create a new web browser.
What would you have thought of his idea at that time?
Yes... "it's a dumb one".

But then came Firefox, and this started competition between browsers, also seen as a war.
This competition brought new exciting stuff, like forcing Microsoft to be more W3C compliant, improving web page interpretation (e.g. faster JavaScript engines), etc.

Ok, maybe Twitter was a bit extreme. So what if I change it to... Facebook?

"I have a new project! I'm gonna make a Facebook alternative.", someone.

Well, this is real, and its name is Diaspora*.

Again, not enthusiastic? Well, you should be, like the 6479 other people who trusted in this project!


So? When are you gonna make the next Twitter/MySpace/Delicious/Digg/Flickr?



Why doing Less is going to help you More and how to achieve it

"It seems that perfection is reached not when there is nothing left to add, but when there is nothing left to take away.", Antoine de Saint Exupéry.


Today, we are going to discuss a subject you already know (I hope so!):

Less is More

First, a bit of culture.

This motto was first written by Robert Browning in his poetry collection Men and Women.

The architect Ludwig Mies Van Der Rohe used this in his creations to "describe his aesthetic tactic of arranging the numerous necessary components of a building to create an impression of extreme simplicity, by enlisting every element and detail to serve multiple visual and functional purposes." (Wikipedia, Minimalism)

Yeah, good, but seriously, what is the relation to my projects?

If you are a developer, you already know this motto behind two principles:

But Less is More applies to a more global view too: it has been transposed to project management and defined as a principal key to successful web applications.

Fred Wilson, in his talk at the Future of Web Apps conference, described 10 golden principles of successful web apps (slideshow here).

(You really should watch this video, or at least, read the transcript.)

"Less is more" appears as the fourth principle, and Fred Wilson compares it to simplicity, minimalism.

You should start simple, by defining the three most important keys of your application, because these three keys will cover 80% of your users' needs.

Doing so, your project will have a better global vision and will require less effort to be finished and released (on time!).

Moreover, not implementing everything from the beginning will allow you to add new features over time, one by one, and this will be seen by your users as a very active company that takes care of its projects and listens to its community.

Take Google for example: they add new features to their search engine very often, even yesterday!

You must see this as improvement, not as a missing piece.

Every major company did this, like Google, but also Facebook, Delicious, etc.
And you, do you apply this principle on your projects?


Why a naming convention is important and why it's the first thing you should do

I've got to say, if you didn't write a naming convention, your project has great chances to fail.

Let me explain.

I used to work for a big company as a web developer, sharing my work with 20+ local developers and 10+ outsourced developers, and there was no naming convention defined (or at least, I never heard of it, and neither did my colleagues).

It was chaos!

Everyone had their own naming convention; I remember methods like do_something_with_var(), and ten lines later, doOtherStuff(), variables like string var, boolean test.
The files were almost randomly named and the URLs... oh - my - god!

Well, you get the point.

It's not a secret that every major language has a defined code convention that helps you create a durable project.
(Wikipedia also has its own dedicated pages for it, here, here and here)

YES! DURABLE!

Because if you don't specify a naming convention, maybe your project will be released and will work, but when you want to make some modification later, in 3-6-12 months, you won't understand what you did, and mostly what this f*cking function name represents.

Today, every programming framework defines its rules for making a durable project, from your code (package, namespace, class name, function, vars, etc.) to the structure of the folders, including the file names, and even the comments.

You can find conventions for the major frameworks (like Java or the .Net Framework), but you should extend this convention to your entire work.

You should also apply this to your database structure, because seeing an id_user PK and then an actions_id PK in the other table makes me want to put a velociraptor and the DBA in the same room.

What is, or will be exchanged, must be clearly defined.

This includes the programming language, but you can extend it to:

  • File names (even for non-project stuff)
  • Folder structure
  • Email subjects
  • etc...

By doing so, you will ensure a long life for your project and peaceful code management :)

---


Why describing your project is a good idea and why people won't steal it

Ok folks, in my last post I said that:


WTF? and what if someone stole my idea?

What? Seriously? You really think you displayed your idea on a 4x3 giant poster on the most viewed building in the world?
Ok, yes, your idea is probably great, but if it were amazingly... well... amazing, it would already have been done by someone else.

Way too often, when you talk to your friends about your great idea, you just come up with "I have this new idea, but well, I can't talk too much about it now, it's secret!"
(let's try again :)

It's secret!

No! it's not!

Please, tell me one reason why you would have to keep it secret.
As far as I can think about it, I come up with only one:

What if someone stole this idea?

Why on earth would your friends do that?

Talking about your project with your friends in detail can only be helpful.

  • If your friend is an IT guy(/woman), he/she will have more technically oriented questions and could easily come across specific points that you might have ignored and that could potentially destroy your idea.

  • If your friend is not in the IT industry, he/she will mostly ask you about the general aspect and actions of your project. These types of questions will help you have a more detailed view and even bring you new ideas to implement!

But still, you believe some IT friends could steal your idea.

They won't, for three reasons:

  • They are your FRIENDS (come on! trust them!)
  • They also have one (or more) projects in mind: they don't have time to copy yours.
  • They don't care about your project, really! They will remember "my friend has an idea", that's it. There is nothing concrete, so nothing to remember.
If all else fails, they'll possibly offer you their help or even ask you to work together.

Of course, I don't say you should describe your new project to all your 10,000+ Twitter followers.
They are followers, not all friends. And some of them can be greedy.

Choose which people you can trust, and give them all the details; you will only gain benefits.

---
I hope you enjoyed this post and I would love to hear your thoughts in the comments below! :)

What is Hell Driven Development and how to get rid of it.

Yay! That's it! You have your next most successful project, which will bring the actual world into a new era.
This is soooooo exciting!
You can't wait and you go straight to that project, leaving the current one(s) in a draft state (or worse: almost finished!)

You just failed.

The thing is, if you can jump from project to project in a no-matter way, you are probably using a Hell Driven Development method, allowing chaos as your project time.

A project is not just a good idea; it's a combination of many components that will bring the actual idea into a finished and fully working state that will (at least) make you feel successful.

Don't break them!

When a new idea pops up in your head, write it down.
Take a paper, and write what this application is about and how it should (globally) work.

Then, forget about it (or at least, try to).

I'm pretty sure your first thought is:


WTF? and what if someone stole my idea?

What? Seriously? You really think you displayed your idea on a 4x3 giant poster on the most viewed building in the world?
Ok, yes, your idea is probably great, but if it were amazingly... well... amazing, it would already have been done by someone else.
(by the way, did you check that?)

So please, write it down somewhere and continue to work on your current project.

A few days after, go back and read what you wrote.
From here, two solutions:

  • what you wrote is a complete piece of crap and this idea was the dumbest ever (ok, done, what's next?)
  • or, well, your idea could work!
If you find yourself in the second case, good for you! You have your next project.

YES, NEXT PROJECT, not the new one from now.

By avoiding starting a new project every time a new idea comes into your mind, you will avoid unfinished projects and start having successful ones.
By doing so, you will avoid Hell Driven Development and adopt something far better, like GTD Driven Development ;)

Next week, I'm gonna (try to) explain why describing your project to people won't make them steal your idea.

I hope you enjoyed this post.
Feel free to debate in the comments below.
I would love to know what you thought about that one :)