brad's blog

Do our secure passwords in a Bluetooth cell phone.

Password security on the web is a troublesome issue. We have hundreds of web accounts, some of them with access to all our money, and it must be secure, not just from phishers and people snooping the web line, but from viruses and keyloggers that can take over our own computers or roaming computers we want to use to access password protected web sites.

The only way to be secure if you can't trust the very computer you're logging in from is to have a security dongle which contains the real secrets and does the logon negotiation, plus confirmation of any big actions like large cash transfers. People have carried login dongles for years, which typically have a screen with a constantly changing number (SecurID) or which can do challenge/response.

Most of the world is moving now to having a smart phone, in particular one with a standardized data protocol such as Bluetooth. I propose a protocol so that web sites can, given a limited channel to the phone, do a login dialog with the phone. The computer would just be a conduit for the data; it would not matter if it were compromised, as the passwords would not be sent in the clear.
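The dongle-style login sketched above, worked through as an added example (this is not the post's own protocol, which it does not spell out): the phone holds a per-site secret, the web site issues a one-time challenge, and the phone answers with an HMAC over the site name, the challenge and the exact action being confirmed. The computer in the middle only relays bytes. The HMAC-SHA256 construction, the site name `bank.example`, the user `alice` and the transfer action are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed example: one 256-bit secret per site, provisioned into the phone
# once. The desktop/browser that relays messages never sees it.
SITE = "bank.example"          # hypothetical site name
USER = "alice"                 # constructed user
PHONE_SECRET = secrets.token_bytes(32)


def _bind(site, challenge, action):
    # Canonical bytes the MAC covers: site, fresh nonce and the exact action.
    return json.dumps({"site": site, "challenge": challenge, "action": action},
                      sort_keys=True).encode()


class Phone:
    """The dongle: holds secrets, shows the action, computes the response."""

    def __init__(self, secrets_by_site):
        self._secrets = dict(secrets_by_site)

    def respond(self, site, challenge, action):
        # A real device would show `action` on its own screen and wait for the
        # user to confirm before answering; confirmation is assumed here.
        return hmac.new(self._secrets[site], _bind(site, challenge, action),
                        hashlib.sha256).hexdigest()


class Site:
    """The web site: issues one-time challenges and checks responses."""

    def __init__(self, secrets_by_user):
        self._secrets = dict(secrets_by_user)
        self._pending = {}     # user -> outstanding challenge

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)
        self._pending[user] = challenge
        return challenge

    def verify(self, user, action, response):
        challenge = self._pending.pop(user, None)   # each challenge is single-use
        if challenge is None:
            return False
        expected = hmac.new(self._secrets[user], _bind(SITE, challenge, action),
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_session(relay_mutates=None, replay=False):
    """Drive one login plus confirmed action through an untrusted relay."""
    phone = Phone({SITE: PHONE_SECRET})
    site = Site({USER: PHONE_SECRET})
    action = {"type": "transfer", "amount": 100, "to": "bob"}   # constructed

    challenge = site.new_challenge(USER)                 # site -> computer -> phone
    response = phone.respond(SITE, challenge, action)    # phone -> computer
    submitted = action if relay_mutates is None else relay_mutates(action)
    ok = site.verify(USER, submitted, response)          # computer -> site
    if replay:
        # The relay re-sends a captured response after the challenge was consumed.
        return site.verify(USER, action, response)
    return ok


def honest_relay():
    return run_session()


def tampering_relay():
    # A compromised computer rewrites the amount after the phone has signed it.
    return run_session(relay_mutates=lambda a: {**a, "amount": 100000})


def replayed_response():
    return run_session(replay=True)


if __name__ == "__main__":
    print("honest relay accepted:", honest_relay())
    print("tampered amount accepted:", tampering_relay())
    print("replayed response accepted:", replayed_response())
```

The point of binding the action into the MAC is that a keylogger or trojan on the relaying computer learns nothing reusable: it sees a nonce and a digest, cannot alter the transfer it is forwarding without the site rejecting it, and cannot replay the digest because the site discards each challenge after one use.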

Digital piano keys with computer-controlled resistance

The sound of digital pianos continues to improve, and expensive ones also have a good feel, often by building individually weighted keys that go beyond simulating a key on a real piano.

What might be done with more modern technologies, such as super-fast servos, and fluids whose viscosity can be varied based on the strength of electric or magnetic fields applied to them? (Some of these fluids are being applied to the development of dynamically responding shock absorbers.)

How web sites can do a much smarter 'pledge drive'

There is buzz about how Jason Kottke, of kottke.org, has abandoned his experiment of micropayment donations to support his full-time blogging. He pulled in $40,000 in the year, almost all of it during his 3 week pledge drive, but that's hardly enough. Now I think he should try AdSense, but I doubt he hasn't heard that suggestion before.

However, PBS/NPR are able to get a large part of their budgets through pledge drives, so it's possible to make this happen. I think we should be able to do it better on the web.

Nominate for EFF pioneer awards

Each year since 1992 the EFF has given out the EFF Pioneer Awards to a wide array of online pioneers. Check out the lists on the web site.

We're seeking new nominees for this year's awards, to be given at CFP 06. We need them by Feb 28. Check out the web page, and e-mail us the nominee's name and contact info with a description of their contribution. Organizations and Systems can be nominated, as well as individuals.

Who do you think has helped make the cyberworld what it is? Get them recognized.

Power through flash hotshoe

I'll be moving soon to the Canon 5D camera from my 20D. It's better in just about every way, but like many "pro" cameras it does not have a built in flash.

It's not that there isn't a reason for this. Built in flashes usually suck, and nobody would use them for any sort of serious photography, except for fill. So if you're going out on a shoot, you would of course carry along some quality flashes and the built-in would be a waste of space.

Map of the restaurants on Irving St. / Outer Sunset, San Francisco

We've been working on an inherited house in the Irving Street/23rd Avenue neighbourhood of the Outer Sunset of San Francisco. This is one of SF's "new Chinatowns" -- the original one on Grant St. was long ago given over to the tourists. Irving is where the real Asians go to shop and eat. I've been impressed at the incredible quality-to-price ratio of the food here; I think it's the best locus of value in the city.

How to build a "great firewall of China" -- do it poorly

I'm not in the business of helping countries be repressive, but I started thinking what I would do if I were the Chinese internet censor. I don't think I'm giving them any secrets, but these thoughts may affect our own plans on how to fight such censors.

The most important realization was that I wouldn't want to make my great firewall really strong. That it was not only easier, but possibly better, to make it possible to bypass it with a moderate amount of determination. Not trivial, as in "hold down the shift key" but not requiring cypherpunk level skills.

The reason is that if I allow such holes, I can watch who uses them, and watching them is more valuable to the secret police than plugging them. And if the holes don't require fancy data encryption and hiding techniques, most people seeking to bypass the firewall will do so unencrypted, making it far easier to watch what is done. But even if people encrypt, they do reveal who they are. So long as there are not immense numbers, that's enough to give me a good dissident watchlist.

My goal as censor would be to tune the filtering so that the true dissidents can all bypass it, but make it hard enough that I don't get so many people on my watchlist that I can't handle the size of it. The censors know they can't keep information from the truly determined, even in the most repressive regimes. They just need to keep it from the masses. (Even the masses will hear rumours in any society, but they will always just be rumours.)

This explains why many of the proxies people have put up to let people bypass the firewall remain themselves unblocked. This can also be explained by inefficiency in maintaining the block-list, but this time I am prepared to attribute something to malice rather than incompetence. Especially if the proxies are unencrypted I would not want to block them -- unless they get so popular that I could no longer track the users.

This is one of the problems with the Google China decision. In the past, use of the firewall-blocked google.com was not suspicious, though typing certain phrases into it may have been. Now, with censored google.cn, use of google.com suggests you are trying to get past the censorship at least. A big win for surveillance. Google is, wisely, not keeping logs in China, but that doesn't stop the international gateways from keeping the logs.

(Read on for some anti-censor techniques.)

Laundromat machine / locker

I haven't been to a laundromat in ages, but we're fixing up a house that has no washer/dryer yet and has a laundromat 200' away. Long ago, when I lived in an apartment tower, I would go to the basement laundry room and leave my clothes there. Worst case was they ran out of machines and somebody tossed them in a basket. And even though the odds of somebody stealing your clothes are low, most people are not as willing to leave their stuff unattended in a city street laundromat.

So how about combining the machines with a timed airport style locker system. You would insert the coins and pull out a key which you could use to open the washer or dryer. The lock would auto-reset about 10 minutes after the cycle ends, so in addition, you could put in more coins, which would act as insurance. If you didn't get to the machine in time, these coins would be taken, and give you more time on the lock. If you did get to the machine shortly after the cycle ended, you could get back your extra coins in the coin return...

HDTV to SDTV cropping in the camera, and NBC SD widescreens

Note 1: NBC doesn't have nearly enough HD cameras for the Olympics, and I can't really blame them for not having one for every section of luge track to show us something for half a second.

But it seems in many areas they are showing us a widescreen image from an SD camera, and it looks more blurry than the pillarboxed SD footage they show of past scenes. I wonder, are they taking a cropped widescreen section out of their 4:3 SDTV camera? If so, that's not what I want. Or are there a lot of 16:9 SD cameras out there?

Why Google took the wrong course over China

Google's decision to operate a search service in China, implementing Chinese censorship rules into the service, has been a controversial issue. Inside Google itself, it is reported there was much debate, with many staff supporting and many staff opposing the final decision, as has been the case in the public. So it's not a simple issue.

Nonetheless, in spite of being friends with many in the company, I have to say they made the wrong decision, for the wrong reason.

Wanted: A google/yahoo/etc. ad optimizer

Yahoo is now entering the context-driven ad field to compete with AdSense, and that's good for publishers and web authors. I have had great luck with AdSense, and it provides serious money for this blog and my other web sites, which is why I have the affiliate link on the right bar encouraging you to join AdSense -- though I won't mind the affiliate fee as well, of course.

Teach history recycling old calendars

There are 14 different calendars possible -- with Jan 1 on each different weekday, in both regular and leap-year form.

An interesting idea for schools (and other places) would be to put up a calendar for a year from the past which has the same form as the current year. For example, an old 1995 calendar would work mostly fine for 2006.

One could use real calendars, or specially made calendars which would talk about the history of the year in question, showing events which took place on the days those years ago.

Newspaper recycling slot at the base of a kitchen cabinet

In thinking about a kitchen remodel, in a house which sits on top of a garage/basement where the recycling and garbage bins are, I thought it would be nice to have a chute in the kitchen to drop stuff into the bins down below. But you don't want to waste a lot of space in the kitchen on those.

One idea is to put the chute under a regular cabinet/countertop. It would look like a large mail slot at the base of the cabinet, under the door (or behind the door so you have to open it up to see it.)

Experimenting with Yahoo Publisher for RSS

While I have been using Google ads on the blog for some time (and they do quite well), they don't yet do RSS ads outside of a more limited beta program. So I'm trying Yahoo's ads, also in beta but I'm on the list.

They just went live, and all that's showing right now is a generic ad, presumably until they spider the site and figure out what ads to run. Ideally the ads will be as relevant as those Google AdSense serves.

Competition between Google and Yahoo will be good for publishers. Just on basic click-rates, one will tend to do better than the other, presumably. If one is consistently doing worse, it will lose all the partners, who will flock to the other. The only way to fix that will be to increase the percentage of the money they pay out, until they get to a real efficient-market percentage they can't go above.

Read on for examination of the economics of RSS ads.

Hybrid Languages

There are a lot of popular programming languages out there, each popular for being good at a particular thing. The C family languages are fastest and have a giant legacy. Perl is a favoured choice for text manipulations. Today's darling is Ruby, leader of the agile movement. Python is a cleaner, high-level language. PHP aims at the quick web/HTML scripter language and has a simpler access to SQL databases than most. Java's a common choice for large projects, with lots of class libraries, slower than C but faster than interpreted languages.

Commercial I would like to see

Tom Selleck narrates:

Have you ever arranged a wiretap in Las Vegas without leaving your office in Fort Meade?

Or listened in on a mother tucking in her baby from a phone booth, all without the bother of a warrant?

Or data mined the call records of millions of Americans with no oversight?

You will.

And the company that will bring it to you... AT&T

EFF sues AT&T for giving access to your data without warrants

A big announcement today from those of us at the EFF regarding the NSA illegal wiretap scandal. We have filed a class-action lawsuit against AT&T because we have reason to believe they have provided the NSA and possibly other agencies with access to not only their lines but also their "Daytona" database, which contains the call and internet records of AT&T customers, and probably the customers of other carriers who outsource database services to Daytona.