We needed a password system that was secure but which would allow us to share client passwords across our team, while ensuring limited access within the organization, and unique, complex passwords every single time. We ended up making use of the wonderful KeePass tool, synced through Dropbox.

KeePass is a wonderful password manager (though not as much for Mac or Linux users, for reasons I’ll get to) in general. And it has some pretty great features, some unique to KeePass, others relatively standard fare:

Strong Security
Clearly, any good password manager needs to be secure itself. KeePass supports AES and TwoFish, amongst other encryption standards that are very difficult to crack. Your password database is duly encrypted thusly. Further, you can expand your security by requiring the use of a unique key file in addition to (or instead of, though this isn’t recommended) the password you use to unlock the database. This adds an additional layer of security against things like keyloggers, in that the hacker must have access to and identify the key file to use, in addition to knowing or cracking your password. (A strong password is still important, since simple passwords will fall to dictionary attacks relative quickly.) You can also use your Windows login to unlock your database, but again, this shouldn’t be your only method to unlock, and this doesn’t work when sharing a password database as we do.

KeePass also goes to some length to keep your passwords completely out of process memory. This keeps malicious software from identifying passwords in the memory stream of the process while it’s running. It also can be configured to automatically purge the computer’s clipboard after a set period of time, to prevent a user from walking up to your computer and hitting paste and hoping for the best.

Workspace Locking
Workspace locking goes hand-in-hand with strong security, itself being a subset of the program’s security. You can easily configure KeePass to automatically re-lock your database after a period of system OR KeePass inactivity, when the software is minimized, or when your workstation itself is locked. (I’ve noticed that it can sometimes pause the locking process when the database has changed, though this might have been resolved in recent updates.)

Intelligent Sync Management
KeePass surprised me with its intelligent management of file changes. If a user on my team alters the KeePass file (which is stored to a Dropbox folder we all have access to) while I’m using the file, it prompts that it can merge the changes with any changes you may have made. Unless both of us happened to be editing the same record, the merge typically works perfectly, ensuring that all of our changes are current.

Our Process
We store our KeePass file on our team’s Dropbox folder. We have a very strong password applied to that file, which we change frequently. We also require the use of a key file to unlock the database, which is NOT stored in our Dropbox. This file is distributed manually and only on a few systems. We also maintain several different databases, based on what access a user needs. Unfortunately, there isn’t a way to share a record amongst databases in order to keep it current, so this sort of functionality only goes so far, but if necessary, we’re able to quickly change all of the passwords we need to in the event of a personnel change or other problem.

Dropbox syncs the file as I described above, ensuring we’re all working off of the same copy of the file. If we wanted to, we could enforce a read-only rule that would have one member of the team making all password changes and entries, but this wouldn’t be very efficient for our team, and we trust our team members.

Potential Issues
Unfortunately, KeePass isn’t built to play terribly kindly with OS X or Linux. KeePass is kept in two development variants: 1.x and 2.x, with 1.x being Windows- and WINE-compatible, but missing some great features, and 2.x only working in Mono, to varying degrees of success (as far as those in our organization were concerned.) A solution to this is KeePassX, which works natively in OS X/Linux, but which doesn’t support the kdbx file format used by 2.x. The KeePassX developer is looking to rebuild it to support kdbx, so hopefully we’ll see that problem reconciled in time, but for now, Mono may be your best bet, if you can get it to cooperate.

Neat Bonuses
KeePass has a pretty great Android app that can work together with the Dropbox app to load your database, even if it requires both the password AND key file. I haven’t had a chance to use the iOS apps, but apparently they’re pretty nice as well. I generally use this in read-only mode exclusively, but it’s convenient nonetheless when you absolutely *need* a password. There’s also a plugin system that allows for some cool extensibility, and it’s actively being developed, so you’ll see updates hit on a regular basis. It’s also entirely free.

You can easily sort passwords into folders and sub-folders, assign icons to them, search through records, attach other encrypted data to each record, store record histories, and even have it perform a macro of keystrokes when “auto-typing” your password in. (This is useful if you need to select a database, for instance, from a dropdown. You can even have it launch a new browser tab, browse to the page in question, and go from there, though this requires a bit of configuration to get working.)

Conclusion
Overall, we’ve been very happy with KeePass. We weren’t willing to take the plunge and use an online, hosted solution to store our passwords, if we could avoid it. Because we control the encryption and access requirements, and because Dropbox is pretty secure in and of itself, I feel comfortable keeping our password database on Dropbox, encrypted with AES-256 bit on a strong password, and backed by a non-Dropboxed encryption key.

This is a somewhat unique configuration for our smaller group, and you’ll likely need to modify it accordingly, but hopefully this can give you a great starting place for good password management with your team.

KeePass Password Manager (free!)

Dropbox (free!)

I’ll keep this simple:

1. Your full address, hours, and phone number should appear on EVERY SINGLE PAGE, please. Don’t make me hunt for this information, since this is what at least 90% of your visitors are hunting for. Jam it into a sidebar or footer, but do NOT make me click a separate link or search like a truffle pig for something so very basic.
2. Put a map on your contact page. Don’t just link to it, put the damn map there. This is extraordinarily simple, and full instructions are here, but suffice to say, enter your address on Google maps, click the Link option in the upper right corner, and copy and paste the embed code that appears. Don’t make me click through to see the map.
3. Stop using Flash. Just stop. Resist the urge. It doesn’t make you edgy. It annoys the hell out of me. And any of your users who are trying to pull your site up on their phones. You can accomplish cool image changing effects in other ways, and if you’re playing music, that needs to stop too. Save the ambiance for your restaurant. Flash is also exquisitely bad for search engine optimization; people searching for a specific dish or words and phrases that would otherwise appear on your site may not find them if the search engines have trouble grabbing them. They’ve gotten better at searching Flash, but it’s still nearly impossible to drop someone accurately to the right spot in your Flash movie, so it just frustrates people.
4. Make your full menu available. With prices. And incredibly prominently. The 10% of users who already know where you are and when you’re open are coming to check your menu. If you have several menus, list each of them. If they change often, that’s fine, but keep it seasonally representative at the very least.
5. Make your menu available in a manner other than PDF. I know this one is a toughy and it’s unlikely to be a change anyone adopts in the near future. Restaurant owners are busy people who barely have the time to update the menu in PDF form, which is how they get it printed, to worry about converting it to HTML or making it otherwise available on the site in a way that looks half decent. But doing this the right way is better for search engines, mobile users, and people who know that opening a PDF is a sometimes-Sisyphean ordeal that causes you to curse the gods. Don’t put us through that. We want to plan our meals or see if you have something we like. Make it easier on us.
6. Only show fantastic food photos. Pay a photographer to get it right if you must, but do NOT post cell phone pictures from your Blackberry that you took on the patio at 11pm. This reflects poorly on your presentation even if the dish looks fantastic in person, and there’s no need to give people a specific reason NOT to show up. Also, you need not over-emphasize photos. While fantastic photos can really help push someone the right direction, you don’t need to overwhelm them. This isn’t McDonalds. In any event, make sure they’re great quality photos: well-lit, not overly compressed, and of something appetizing and plated well.
7. Make sure you list things that set you apart. If you offer dietary considerations for diabetic, gluten-free, kosher, vegetarians, or vegan dieters, mention that. It’ll help in search engine results, and it’s invaluable for people who are looking specifically for that information and are unsure if you have anything that works for them. Consider whipping up an online menu that showcases some of those dishes; people in those communities will be extremely appreciative.
8. Give us a little personality. Clearly state your purpose, your passion, and what you do to deliver and set yourself apart. A simple explanation with a few well-written bits about how much you love making great food for people can get your visitors energized and ready to make a reservation.

These are pretty universal, simple to apply tips that can enhance the experience for visitors who need a very specific piece of information typically very quickly: don’t frustrate us by burying it, forgetting to supply it entirely, or by designing the site so horribly that it’s nearly closing time when we finally track down your hours.

Naturally your mileage will vary, but these are tips I’ve put together based on my experience with companies who are doing Twitter right, and some who haven’t quite got the hang yet:

1. DO: SPELL THINGS CORRECTLY. Don’t treat Twitter like you’re a third-grader sending a text message. If your message is so long that you find yourself having to edit “see” to “c” or “you” to “u”, find a way to make it shorter without resorting to sounding like an idiot. (I’m looking at you, @SarahPalinUSA.) Use the emdash (hold alt and press 0151 on the pc keypad) to break up thoughts—without spaces on either side—instead of ellipses, or other “open set” punctuation. Breaking messages down into “leet speak” or SMS chatter is unprofessional and sloppy. If it absolutely must be said in more than 140 characters, seriously consider a blog.
2. DO: TWEET SPECIAL OFFERS OCCASIONALLY. Use Twitter to incentivize your followers to stick around, but don’t spam them dozens of times throughout the day. Assume that one or two offers a day is a good maximum. (See tip #7.) Consider offering discounts or free products with a “code word” like Sprinkles Cupcakes does. Nearly every day, they give away a free cupcake to the first 25 or so customers who whisper their coupon phrase that day. This has the wonderful benefit of getting people in to your store, where they’ll likely make a purchase even if they’re not one of the 25. There’s also a good chance that they’ll buy something else even if they get the free cupcake, and by limiting it to the first few customers, you can contain your costs outright. Even if you’re not a brick and mortar, special offers can encourage customers to make purchases they had been holding off on but wouldn’t have otherwise known about. Dell claims to have booked $6.5 million in sales directly through their Twitter presence over the past two years.
3. DON’T: BE BORING. Special offers are great and might be enough to keep followers around, but you can engage your customers on a much deeper level by talking about your product, your business practices, and even offering some single-tweet behind the scene glimpses into how you operate. Restaurants especially can make use of this, and one local eatery called Liberty Market does a great job tweeting about new menu items they’re working on, showing pictures, and discussing special offerings of the day. It keeps your brand on people’s minds and makes the brand far more personable.
4. DO: PROACTIVELY ENGAGE CUSTOMERS. Use Twitter’s search capacity or any respectable Twitter client to set up a search with your brand or company name in it. For smaller businesses, you’ll likely see feedback directed to your Twitter account as a mention, but larger brands are going out of their way to engage customers who simply tweet ABOUT them. Pizza Hut is a fantastic example of a corporation that really engages their customers intelligently. They reply back to people simply mentioning Pizza Hut, asking what they had and thanking them for their patronage. They also try to resolve issues, which is my next tip.
5. DO: RESOLVE ISSUES WITH CUSTOMERS. Twitter is a valuable tool for companies to identify trends and monitor feedback about their brand. It’s also a powerful tool for customers to share their dissatisfaction. Because conversations through mentions/replies are public, it’s in a company’s best interest to identify negative tweets and attempt to engage the customer and make their problem right. Pizza Hut does this with nearly any negative experience tweet that comes through. You should focus on making things right, but feel free to move things off the “public” side of Twitter to resolve the issue.Similarly, I tweeted to @hpsupport about a problem my brother had with his HP laptop and they engaged me directly, asking me to send an email to one of their Twitter support staff. They’ve now set up a call next Monday. This is a level of service that’s above and beyond what I was expecting from going through normal channels, and you can believe that it’s in part because the alternative is a vocal, upset customer.
6. DO: TWEET THROUGHOUT THE DAY. Twitter is a different medium than an email newsletter. While mail can lose itself in the shuffle, it’s likely that a customer will at least see the message’s presence in their inbox even if they simply delete it. With Twitter, there is no such assurance. Depending on your audience, your customers may very likely not see tweets about offers or important news simply because you mentioned them earlier in the day. Most clients only fetch the last hundred or so tweets so a user who has just opened their client will likely miss a tweet from a day ago. If you’re going to have a Twitter presence, commit. An account with no new updates for three months looks worrisome.
7. DON’T: TWEET NONSTOP OR SPAM YOUR USERS. Keep things to a balanced 7-12 tweets a day. Don’t repeat yourself over and over, but don’t count replies (tweets starting with someone else’s name)  in that number. Encourage users to tweet back by asking questions about what your customers like or want to see more of. Hold mini contests, discuss upcoming events, or talk about your history. But keep things in check and try to spread out your tweets. CoTweet is a wonderful tool for scheduling tweets to go out so that you don’t have to be in front of a computer managing your account all day.
8. DO: FOLLOW COMPETITORS & OTHER LOCALS. Even though you compete with other local businesses, it’s vitally important that you follow them and see what they’re doing on Twitter, but you can also feel free to engage them online and stay friendly out in the open. You should also make a concerted effort to track down local businesses whom you work with and follow their accounts and engage with them. Word of mouth is everything and the people following your favorite businesses are likely to be great potential customers for you as well. Strike up conversations with others and you can bet they’ll return the favor. When other companies mention you (@reply within a message), it appears in their follower’s feeds, linking right to your name. A great way to earn free word of mouth is just to have productive conversations with your favorite local fellow businesses.

Twitter is a quick growing medium that companies are still feeling their way around within. It’s really exciting to see companies taking customer feedback over Twitter to heart, engaging users directly, offering great deals, and using Twitter to solve problems. Still, jumping in to social networking can be a bit of a challenge and is something that does require time and effort. If you need more advice or want some help establishing your Twitter or Facebook social media presence, we’d love for you to contact us. In the meantime, I’d love to hear any tips or favorite practices you’ve seen other companies make use of that I might have left out.

It’s no surprise then that they’d take the time to get surveys right. Netflix (like most companies trying to make a profit) has a need for constant feedback from their customers. They want to know how their distribution system is working, where there may be bottlenecks, and other things like how their new instant streaming service is performing. Instead of producing staid, time-consuming, multi-page affairs, they send an email with a single question.

In my most recent survey, that question read “How was the picture and audio quality?” Simple enough. The real stroke of genius lies in how the user is asked to respond: Three links are displayed, each with a different quality option: “The quality was very good”, acceptable, or unacceptable. You click the link and your survey response is sent. Done. That’s all there is to it.

The survey requires exactly one click to respond to. Users aren’t asked to login, fill out demographic data, attempt to remember details they aren’t likely to, or even read anything to qualify their answer. They are given three relatively unambiguous options and clicking the link from within the email submits their response.

Since not every company has the luxury of being able to boil their customer feedback loop down into simple multiple choice questions, let’s look at a few key points almost anyone can replicate:

1. Keep it simple. Remember that users value their time, and while they may like to let you know what they think of your company and how you’re doing, they may simply not have the time. Focus on a few measurements that can be easily procured and ask just a couple of questions. Consider anything else an imposition for the sake of a casual survey.
2. Don’t require a login. If your users have accounts with you, don’t require them to login to complete their survey. Include a hash tag unique to the individual survey in every call to action link and compile your results from that. Every additional step a user has to complete is another hoop that will encourage them to close their browser and forget about responding. Remember that when you consider adding a confirmation screen, for instance.
3. Provide a call to action. Even if you can’t find a way to boil a survey down into a completely self-contained piece like Netflix does, provide the user with an initial call to action. Have them answer a single question up front, and present the user with an optional means to supply more information based on their response. In the Netflix example, the user might be prompted to explain the issue if they mark the quality as unacceptable.
4. Require as little data entry as possible. This goes back to items one and two: every next step or request for additional information is an opportunity to frustrate your user. In order to ensure the highest quality data, don’t give your users those opportunities to jump ship.
5. Allow users to opt-out or set email frequencies. Don’t abuse users with surveys, or you’ll find they’re no longer users. Provide an unsubscribe link that does the work for them so that they can go back to enjoying your service and so that you don’t frustrate them.
6. Keep the design simple, too. More than just the format of the survey itself, consider paring the design down dramatically. If you’re emailing the survey, the user shouldn’t have to activate images to make a selection. A logo, a border, and some simple elements that tie your corporate color scheme in are acceptable, but making the entire email HTML-based is yet another barrier for users to hit when they may have otherwise completed your survey.
7. Provide context. Users love to know they’re making a difference. While it may seem obvious, just mentioning that you’re issuing the survey as a means of proactively enhancing their experience can go a long way. Feel free to let some personality come through, but don’t forget to keep it simple overall. The less users have to read, the better your response rate will be.
8. Say “thank you.” This may seem like a no-brainer, but since the user will be directed to a page upon clicking your call to action/survey response link, make sure you thank them and provide them with options to navigate back to your site if they so desire.

Even with these tenets in mind, you may find it difficult to break out of the mold and build surveys based around such narrow data points. Consider it an exercise in analyzing what really makes your customers happy and what makes your business tick. Think a bit outside the box and consider: If you can only ask your customers one question about their experience with you, (a multiple-choice at that!) what would it be? Remember that you can rotate questions around of course, but start there.

Finally, if you’re reading this and not sure how to implement this sort of survey system on your own website, by all means please contact us over at Synapse Studios. It’s what we do!

In my review of Filttr, I mentioned that Facebook features some comprehensive friend sorting and grouping tricks that Twitter sorely lacks. But the feature is only slightly obvious, so I’m going to show you an equally obvious quick tutorial on the quick way to get a reasonable Facebook feed of People You Actually Care About, and setting that as your home page, to differentiate from People You Met At That Party That One Time or That One Girl (or Guy) You Shouldn’t Have Hooked Up With Who Keeps Posting Creepy Profile Pictures Of Themselves But Blocking Them Would Only Make Things Worse.

This is really simple: When you first log into Facebook, click the down arrow next to Live Feed. Next to Friend List Feeds, click Edit Feed, click Make New List, name it something cool, and start typing the names of people you really care about. Easy. (You can also manage all of this from the Friends page, from the top nav.)

Now, if you access Facebook via a bookmark, or through the Bookmarks Toolbar, you can click on the same arrow, right click on the Friend Feed, and use that for your new bookmark.

To be fair, this feature has been around since August 2008. Disturbingly, they broke the permalink functionality about two months ago, which drove me absolutely insane because it happened to be about three weeks into having changed my primary bookmark to the Friend List Feed. Facebook Support told me that they knew it was an issue and that they were working to resolve it and it looks as if it’s finally been restored, so you can now make the first thing you see when you log into Facebook the feed of people you care about. Or your “Keeping My Enemies Closer” list. Whatever.

(Bonus: You can also use Friend Lists to send blanket messages to groups of friends. To do this, just start typing the Friend List name when composing a message.)

When I began my career at the medium sized company, I initially saw my project managers as a pain in the ass. All I was interested in doing was coding. I had my own ideas of how the project or feature was going to be done and I thought that I could handle deadlines and project requirements better than they could. Was it really necessary to ask me multiple times a day what I was doing and what percentage of the project was still left to be done? PM’s gave new meaning to the phrase “avoid like the plague.” In all honesty, I wondered why in the hell these people were even hired to begin with. I just could not see the role of a project manager as being all that important.

Of course, after a bit of development work and experience doing projects with and without them, I found myself having moments of… “OMFG…where is my project manager?” As developers, void of project managers, we often get carried away with the art that is code. We plan for one thing but, weeks post-deadline, end up creating something entirely different. Does it work? Usually. Is it beautiful? Maybe. Is it what was promised to the customer? Well, no.

I’m not just talking about instances where a simple login feature ballooned into a grand hierarchical authentication scheme. I’m also talking about those projects, that for some reason or another, we just despise working on and push off completion; sometimes even writing substandard code just to get it over with. And don’t forget those projects that are just so complex that we’re not even sure if we are starting at the right place, much less dedicated to a deadline of any sort.

It seems that the problem here is not one of competence—most of us could, if we really tried to, stick within initial specs and scope. To me the problem lies in the fact that without the role of the project manager on the team, we lack the time and task management designed to keep us on track. We are trained in how to solve problems of logic through good coding principals and design. We are artists. Our canvas is digital and we sometimes let our creativity and desire for compounding beauty interfere with the job we were hired to do. We are not trained in restraint; the project manager is, at least in theory.

Depending on your experience, I suppose this next statement may be gospel or blasphemy, but to me, it is gospel all the way. The successful completion of any project hinges upon a solid development methodology based in clearly defined project goals, block specifications, complete use cases, and the division and distribution of task level development. A good project manager will be able to take high level design specs and goals from a product manager or customer contact and break them out into clearly defined and manageable building blocks. Each block can then be broken down into feature/requirement sets which can finally be tasked out to the developer/s for completion. This is the job of the project manager, not the developer. Developers should only be given spec’d out tasks with detailed use cases and an explanation of exactly what should be done. It is then up to the developer to determine how the task will be done.

Now, this is not to say that developers are not to be involved in planning or design phases of projects; by nature, they have to be. However, design and planning meetings involving developers should be focused on the technical goals of the project or block, not on management and product/customer level concerns. These meetings must be narrow in focus and should have a clearly defined result. For instance, determining the database schema for the project or settling on a development framework. The layer of abstraction here is critical in keeping the project within scope and to prevent developers from expanding on or reducing the project deliverables. Once the meeting objectives have been met, project managers should then be able to chunk and task out the technical specs to the team of developers.

Now, up until a little while ago, I hated the word “task.” Every morning I would check my email and see, “You have been assigned a new task from…” after which my head would sink low and I would seriously contemplate my career path yet again. I would constantly wonder why everything had to be a task: a task to change a misspelled word, a task to add 5 pixels of spacing to the end of the page. Wouldn’t it just be easier to send me an email or IM or for goodness sake, just turn around and tell me? Surely this couldn’t be the Zen that is programming? However, recent experience has taught me that, by God, we all need tasks just like we all need competent project managers!

Task assignment, and by extension, a good task management system (note that a task/project management system is very different from a strict bug tracking system) is an absolute necessity for project management. Proper task etiquette enabled by a solid and complete project management system serves many purposes. First and foremost to developers, it serves as our grocery list. It tells us EXACTLY what we have to do, when it needs to be done by, and contains a history of the problem or feature (most PM system tasks have comments/histories and file attachment capabilities). From the management side of things, a PM system will track the number of hours developers spend on each task which can then be used for billing or other performance metrics. It also can serve as a yardstick in determining the level of project completion by showing a variety of statistics based on ticket assignment, time used, percentage of tasks complete for a given project, and developer performance.

Not to sound too preachy (or take too much of an aside), but I have come across a number of good techniques gathered from the various project managers and lead developers I have worked with in the past that I would like to share and recommend that people use.

Quote Tasks

Make use of quote tasks. It may take a little more time and to some it may seem really useless, but in the end it will serve as a good measure of your time estimation abilities and speak to the thoroughness of your work. The way it works is that for every task you are assigned, unless fixing the problem will take less than 10 min., in the comments section you should list the files and line numbers that you will need to make changes to in addition to a brief one liner explaining the expected change. You then assign the ticket back to your project manager to quickly review. If your time estimate falls within the allowable project time, then you will get the task back and no matter how many days or weeks may pass, you will know immediately what needs to be fixed and where.

Notate Completed Tasks

When tasks are complete, you should list each file and line number range that you made modifications to and provide a one or two sentence description of changes (in addition your regular brief outlining the totality of changes). This makes tracking changes easier for those who may follow you and serves as a written history in a developers words of exactly what was done for the task.

The Six-Hour Work Day

One small tip on time management and allocation I learned from my last PM was to only allot 6 hours of estimated work in a day. He said that the remaining 2 hours are spent on bathroom breaks, water cooler conversations, task switching ramp up, nerf fights, etc. At first I thought this was strange. Could bathroom breaks really take up 2 hours of my working day? But as I was tasked on this schedule, it seemed to work out pretty well. While I didn’t exactly lose 2 hours doing random things, what did happen was that I was rarely under pressure to squeeze out tasks leaving me less stressed and able to produce better quality and more thoroughly tested code and documentation. Funny thing, comparing a “6 hour” work day with the regular, “get as much work done in the 8 hours you are here” approach, I felt more productive and competent under the 6 hour routine. Give it a try, you may be surprised.

Developers as Project Managers: Warning

Developers should never be placed in the role of a project manager; creating and managing their own tasks. However, sometimes there is little choice (little company resources, sole operation, etc). If this is the case, expect that as a developer you will be spending probably 1/4-1/3 of your day planning and managing tasks; not working on them. Be sure your boss knows this if they are not willing or able to task out projects properly to begin with. This is really for your sanity and for the thoroughness that comes with being a competent developer. Now, in the rare case where you as the developer are tasked with actually taking customer specs and being told to simply get it done, placing the entire development life cycle on you or your team’s shoulders, I strongly suggest that you ask management to hire a project manager. If that is not possible then maybe you should be dusting off that resume because project specing, chunking, and higher level project management duties like those are not your job. There is a good reason developers are not PM’s and PM’s are not developers.

The Devil’s in the Details

Nag, nag, nag. If you get assigned tasks that are too general in scope and you have any questions about exactly what it is that your PM or boss is asking for, send the ticket back and ask for further explanation. It usually only takes a few times doing this for your boss to get the idea of what information you need to get your work done right. Remember, training goes both ways; you learn from your boss as much as your boss learns from you. It’s better to take the time upfront and get accurate and detailed specs than for you to guess and have to go back and rewrite something down the road.

All that being said, there are a number of development methodologies out there to help you and your team develop software in an efficient and smart manner. Now, as I’ve made crystal clear, I’m not a PM so I don’t claim to be an expert on any development methodology, but I take particular affinity to Agile development methods like Scrum. Any methodology where you as a developer are protected from business processes (changes in specs/customer expectations, etc) external to your core job function is a winner in my book. Avoid the traditional waterfall and cowboy coding approaches as they are highly inflexible and in the former case, plain stupid as a development methodology for any business.

So there! I hope I’ve been able to give a little personal experience to you developers out there (and you managers) who may be a little too code-centric. Don’t ignore the management side of your business. It can save your sanity and make you a better developer in the process!

Thus I am here today to offer a few recommendations for those of us that still believe in the right to individual privacy. (And a few that might get you into trouble on your next time at the airport.)

As a certified GIAC Computer Forensic Analyst, I have a bit of experience in the methods used by law enforcement to collect and process digital evidence. Thus, here is a list of 10 things that you can do to keep your data protected when either crossing the Gestapo-controlled borders of our fine country or sitting in your home office with a warm mug of hot chocolate:

1. Encryption

Yes, this one may seem obvious, but I am constantly amazed at how many people do not encrypt their data or encrypt it in a less-than-ideal manner. There is (currently) no easy or entirely effective way to retrieve data within a well-encrypted (1024-bit key or greater) archive. Despite the fact that most types of encryption today are considered relatively safe against attack, I would still recommend a tiered approach to data encryption:

1. Your first and most broad layer of protection should be at the system or hardware level. This type of encryption is implemented by either the operating system or hard disk hardware itself. In general, this type of protection is very good. Most current major OS’s either include or offer as an enhancement, the ability to encrypt your entire drive. (This is true of OSX and Vista Ultimate) There are also third-party software packages like TrueCrypt that offer this ability.

   Many hard drive manufacturers now also offer hardware-based encryption of their drives. How’s this work? Well, prior to any data being read/written, the hard drive I/O stream is passed through a hardware encryption chip. Thus, there is no way for any unencrypted data to be accidentally written to the disk.

   However, keep in mind that both of these methods, while easy to implement, have some downfalls: In order for an OS-level encryption scheme to work seamlessly, the encryption key must be readily available for use. Otherwise, the system would constantly ask you for your password for every file you wish modify, add, delete and move. How does the OS get around this? It keeps the encryption key in memory. To try it yourself, do a memory dump and parse it for your entire key…it will be there. If you can find it, so can the fuzz (usually). (Consider, this is also the method used successfully by hackers trying to break HD-DVD and Blu-Ray encryption.)

   As far as hardware encryption is concerned, I don’t entirely trust it. There are a number of recorded instances where the government has successfully “requested” private entities to build in backdoor access to systems it deemed important. Thus, I’m inclined not to fully trust the claims of the manufacturers. (If your whole-drive encryption scheme was backdoored for the government, would you advertise that a vulnerability existed?) For casual, non-the-feds-have-confiscated-my-shit use, this is a good option. But we’re trying to beat the feds here.

2. The next layer of protection would be individual file encryption for your most sensitive files. Programs like GPG, PGP, TrueCrypt and a multitude of others offer solid encryption methods. Most of these programs will also allow you to create encrypted “drives” or self-executing archives that contain many files and can be used to fill USB drives or moved around quite easily. Also, your hard disk key and file level key should be different. (In other words, use different passwords and encryption algorithms!)

   I have read a number of threads where people recommend file-level passwords to protect their content. Here’s the story there: These password protection schemes are useless unless there is some form of encryption involved. This means that, in general, PDF, Word, ZIP, and other types of password-only protections are a waste of time—cracking tools are easily available to even casual users with a quick Google search. They’re typically based on two-way encryption schemes and thus, aren’t secure at all.

2. Frequent Free Space Drive Wipes

Most encryption packages also include a method to “wipe” your drive. This is important since we all know that “delete” really doesn’t mean delete. (When you delete a file, the OS just marks that space as “writable” and removes the file’s listing from the file system. It’s still highly recoverable, though.)

A free space wipe forces your hard drive to write either a set or random stream of 1′s or 0′s to all the areas of your drive designated as free space by your OS. (Or basically, over the files you’ve deleted.) If you are using an encryption software package, you may find that there are all kinds of crazy options for drive wiping including impressive titles like, “NSA level data protection, blah, blah, blah” that wipe your drive 7+ times. It’s generally a waste of time—a single wipe with random data is typically all you need. But if you want to feel extra safe, go ahead and run a few more passes over it.

3. Setting Your Browser To Automatically Clear Its Cache & Cookies on Close

I know this one is a pain in the ass since you end up losing all of your logins and such but it makes clearing your internet trail automatic and fast. It would suck if your friend quickly jumped on your computer only to see all the S&M sites in your history from the other day that you forgot to clear. Unless that’s your thing. And maybe their thing. And then you guys could, you know, discuss it. As men do.

It’s a judgment call if this level of protection is worth it for you. At the very least, you need to make sure you follow my next tip and:

4. Password-Protect Your Screen Saver

. This one may be a bit annoying, but it’s nowhere near as frustrating as clearing your browser cache can be. And it’s probably the most important thing you can do to protect your data after encrypting your drive. This one’s simple. Quick instructions follow, for XP users, for Vista users and for OSX users.

Also, get in the habit of locking your screen ANYTIME you leave your desk. It may not seem like much, but from a Five-O investigative perspective, this is a serious pain in the ass. The reason being, if you encrypted your drive like you should, then the investigator has no choice but to pull the plug on your system since they cannot do a live forensic duplication. However, when they later proceed with the duplication after seizing your drive, they will find the drive is encrypted AND they will have lost the volatile evidence in memory. Thus, they will get NOTHING!

Don’t forget to use strong passwords or passphrases. Be clever: pick a line in a song you really like and use the first letter of each word. Better if it has a number. And don’t write your passwords down.

5. Always Wipe the Entire Drive When Giving Away a System or Drive

Again, this should be obvious but it bears repeating: formatting does not overwrite data on the drive, it simply erases any reference to the data. The best method to wipe an entire drive is to attach that drive to an existing system and to wipe the entire drive from there. There are many people out there who buy drives or old systems for the sole purpose of analyzing them for the previous owner’s personal data. We did this as part of my CF training. Fortunately, we didn’t do anything with the private data, but this represents a huge vector for identity theft. If you’re simply tossing a hard drive instead of donating it, go the extra mile: Wipe the drive and then drill several holes straight through it.

Other, Less Savory Data Protection Practices…

All that said, I’ve gone ahead and brainstormed a few ways to give your friendly customs agent a bit of a hazard at getting to your data. Try these at your own risk:

1. Remove the hard drive and mail it home. When customs tries to start the laptop and it won’t boot, tell them it’s idiot proof. (Expect a pistol-whipping or a tasing here.)

2. Leave your computer in sleep mode but take a screen shot of your desktop (with incriminating filenames on the desktop) and make that the background of the login screen. See how many mouse clicks and keystrokes it takes them to figure out that their actions aren’t really doing anything. (Vista doesn’t display your desktop wallpaper when your system is locked, but there are ways to customize your login screen for fun as well.)

3. Pop the keys off the keyboard and move them around to different positions. (Or just use Dvorak.) When they ask for your password, give them a random sting and watch as they try to figure it out.

4. Mail your real laptop home and/or bring a fake/broken laptop. (If you happen to have one on hand. Clearly, we’re being a bit tongue-in-cheek here.) Before you leave, epoxy the lid closed and see how long it takes them to get the lid open. When they ask you how to open it, explain that they have to say a Harry Potter spell to open the laptop. (Expect a tasing here, too.)

5. When it still doesn’t open, tell them you left your wand at home. Or that you just use the battery compartment to store your cocaine. Customs agents are renowned for their wonderful sense of humor.

In my few years of experience in LAMP development, I have worked with a number of developers with wide-ranging abilities on the CLI. I have oftentimes been surprised that even some of the very best PHP coders can feel a bit uncomfortable when faced with the CLI (hey, sometimes it’s unavoidable). So I thought I might write a series of how-to articles on some of the more useful CLI tools, to help the budding or even advanced PHP developer increase their familiarity with the CLI when they need it. Dive in, after the jump.

Since I’m sure most of us have at least a basic understanding of the Linux CLI, I first wanted to cover some of the lesser-known yet incredibly simple Bash tools. In this post, I’ll be covering the basics of cut, paste, tr, and sort.

Cut

Cut is a very useful command that is used to, as you may expect, extract various fields of data on a line-by-line basis. It has only a few arguments, the most useful of which I will cover here. Basic usage looks like this:

$ cut –c1-10 file.txt

The “–c” option specifies the range of characters on the line to print. The above command prints out the first 10 characters of each line in file.txt. (Note that it’s not zero-relative, like, say, PHP’s substr.) You can also specify an open ended character range like so:

</code><code>$ cut –c1,5-, file.txt

This will print the first character, followed by the fifth character continuing through the end of the line, for every line in the file.

The “-d” and “-f” options specify a delimiter and field number. These are very useful for, say, parsing out log files with a standard delimiter. The default delimiter, when not specified with “-d” is the tab character.

The /etc/passwd file is a good example to parse with cut. Let’s say we wanted to get a list of all the users of a system and their home directories:

$ cut –d: -f1,6 /etc/passwd

The output would look something like:

user1:/home/user1
user2:/home/user2

In laymen terms, this might read something like, “cut out fields 1 and 6, as delimited by a ‘:’, from /etc/passwd.” Now let’s look at paste.

Paste

The paste command functions pretty much as you’d expect it to: as the opposite of the cut command; it pastes multiple lines in two or more files together. Let’s say we have three files with the following contents:

file1:
Hello

file2:
there

file3:
everyone

If we ran paste on these three files, using a + as a delimiter (again, the default is a tab), we would end up with a single line:

$ paste -d+ file1 file2 file3
Hello+there+everyone

Basically, each line in each file is pasted together, 1->1, 2->2, etc. Now, if you specify the “-s” option and only list one file, then each line of that file will be pasted together to form one giant line:

file1:
hello
there!

$ paste -d' ' -s file1
hello there!

Tr

The tr command stands for translate and basically acts like a substitution filter. Let’s say I wanted to replace all capital letters in a document to lowercase; you could run this:

$ tr '[A-Z]' '[a-z]' < file1

You will notice that tr does not take a file argument. This is because tr is a filter, not a command and thus you will have to pass it text through pipes, redirection, or standard in.

One of the more useful features of tr is that it takes octal values of certain ASCII characters:

Bell = 7
Backspace = 10
Tab = 11
Newline = 12
Linefeed = 12
Formfeed = 14
Carriage return = 15
Escape = 33<

So, if you wanted to replace all spaces with a newline, you’d run the following:

$ tr ' ' '\12' < file1

tr also has the “-s” option which will squeeze out multiple occurrences of the replacing character after the input is translated. So given a file like:

file1:
this

is some

text

If you ran:

$ tr -s '\12' < file1
this
is some
text

The above command replaces multiple newlines with only one.

Finally, the “-d” option will delete the specified character from the input stream:

$ tr -d '\12' < file1
thisis sometext

Sort

The sort command has a number of options available so I’ll just cover the basics here. The most obvious usage is to simply sort a file alphabetically.

file1:
orange
apple
grape

$ sort file1
apple
grape
orange

Sort will convert the characters into your system’s internal encoding, (typically ASCII on Linux boxes) and then order them based on the encoded value.

Here are a few easy to use options:

-u = Removes duplicates
-r = Reverses the order
-o = Output file (this is useful if you want to replace the source file, since using a redirect into the input file will obviously not work since it is still being parsed by sort)
-n = Tells sort to order the line arithmetically (used for sorting files containing numbers)

Conclusion

Next time, I will be covering the sed and grep tools as they are extremely useful, yet a bit more involved than the simple tools I covered today. In the future, you can look forward to topics on process and memory management, a vi primer, using PHP as a CLI scripting tool, and much more. And in the mean time, please feel free to post your helpful hints for getting around CLI or using Linux as a dev environment in general.

And if even these commands have gone over your head, you should probably read through these tutorials first to get the hang of CLI basics:

Linux Command Line Tutorials [tuXfiles.org]

Does news.yahoo.com really have the directory structure reflected by this URL? Of course not. That would create an astronomical amount of directories in a website with thousands of index.html files. (And wouldn’t make any sense to begin with; that’s what query strings and dynamic pages are for.) But there’s a way to create legible, sensical URLs that mirror a directory structure but really include variables to a dynamic page. It’s called a rewrite engine. Through the use of a rewrite engine, we can create URLs that make sense to people AND that are attractive to search engines. Take a look at how, after the jump.

Apache includes a rewrite engine called mod_rewrite. Since we use Apache as our web server of choice, we’ll be covering how to configure mod_rewrite.

Mod_rewrite is an interesting beast. Some call it “magic” and some call it a “nightmare”. Really, it’s a bit of a magical nightmare that, when skillfully and practically employed becomes a powerful tool. It’s not a cure-all for every problem with URLs, but it’s great for doing many things. You can use mod_rewrite to:

• Prevent hotlinking
• Create pretty and SEO friendly URLs, eschewing the use of illegible query strings
• Create redirect pages

Redirection is handy because you can move pages if need be, maintaining the old URL while serving a page from the new address. This removes the need for a redirection server-side script, client-side script or meta-refresh and keeps your search engine rankings from taking a hit.

However, in this tutorial I want to focus on how to use mod_rewrite to replace illegible query strings. This tutorial is not comprehensive, but it should provide you with a place to start from and teach you how to do basic rewrites.

Our Goal

Let’s say you have written a PHP script that lists the top 10 restaurants of any city in any state. You are very happy with your excellent script and you have spent several years traveling across the United States on unicycle to personally collect this data. Let’s say your website is www.best-food-of-the-usa.com. Well, the URL to look at the best restaurants in Mesa, Arizona, is pretty ugly looking:

http://www.best-food-of-the-usa.com/index.php?operation=top&state=arizona&
city=mesa&limit=10

Blah! Let’s see what we can do with mod_rewrite to make that look nicer, more appealing and comprehensible to the user, and more search engine friendly. (As search engines apply rank based on the file name and path, putting relevant information in the core path instead of the query string can help boost your ranks considerably.)

Enable mod_rewrite

The first step to using mod-rewrite on your website is to make sure it’s installed and enabled. If you have a system administrator, they should be able to do this for you. If you don’t, you’ll need access to your httpd.conf and you’ll want to uncomment the line that reads:

#LoadModule rewrite_module modules/mod_rewrite.so

by removing the #. (Or add the line it if it doesn’t exist.) You’ll need to restart Apache for this change to take effect.

Create an .htaccess File

Create a plaintext file and add the following two lines:

Options +FollowSymLinks
RewriteEngine On

These lines ensure that mod_rewrite is enabled and active. Save this file as .htaccess. Make sure that you do not accidentally name it .htaccess.txt. (If you’re creating the file in notepad, make sure you select “All Files” from the file type dropdown when saving it. If you’re creating the file in vi on the server, you should already know what’s up, and it won’t try to add an extension automagically.) Put this file in the directory with your script.

Rewrite Rules & Regular Expressions

Now we are ready to start writing some basic rewrite rules. Each rule follows this form:

RewriteRule PATTERN DESTINATION [FLAGS]

The PATTERN is what we are looking for and the DESTINATION is what we are going to rewrite to. FLAGS are options you can set for each rewrite… optionally. FLAGS are beyond the scope of this tutorial and will have to wait for the next.

Here’s a small example:

RewriteRule ^home\.html$ index.html [R,NC,L]

This rewrite rule redirects visitors to home.html to the index.html page. Mod_rewrite makes use of regular expressions (regexes, for short) to parse your PATTERN element. If you’re not familiar with regex, they’re extremely powerful expressions that make use of special characters to denote pattern-types to search for, like ranges, white space, numbers and more. They’re a bit difficult to wrap your head around at first, so let’s look at this example to start.

The PATTERN portion of the rewrite rule typically begins with a carat, ^ and ends with a dollar sign, $. This syntax establishes the beginning and end of the pattern to match. These two symbols are optional, and including or excluding them can have different effects. If only carat (^) is used at the beginning, our PATTERN must appear at the beginning of the URL. If only the $ is used, our PATTERN must be at the end of the URL. If both are used, our PATTERN can appear anywhere inside the URL. To make our PATTERN exactly what we want, we are going to remove the carat so that the PATTERN is matched only at the end of the URL. This will be the case in rest of this tutorial.

Next we have the period, (.). (In case you didn’t know what symbol I was referring to there…) The period is used in regular expression syntax to indicate “any single character.” Since that’s not what you mean in the example home.html, you need to tell the parser to ignore it. You do this with a backslash, \, directly in front of EACH character you need to escape. Because your DESTINATION doesn’t go through a regex parser, you don’t need to deal with that on the destination side of things.

If you find your PATTERN breaking, you’re probably going to want to give it a once-over and escape any non-alphanumeric characters with a backslash. Chief among these, ^ $ [ ] ( ) { } ! \ .. (That’s right—if you want a literal backslash in your PATTERN, you need to escape it… with a backslash.

Our first rewrite rule example wasn’t too helpful; it redirected users but didn’t rewrite a query string. What we need are rules that can apply to variable incoming requests. Let’s suppose we take any page and redirect it to index.html. This is a useful way to create a front controller pattern. We would write the rule like this:

RewriteRule (.+)\.html$ index.html

You use parentheses to group things in your regular expressions. In this case we have created a group containing “.+“. The period is interpreted as “any character” and the plus means “1 or more times”. So all together, our PATTERN is (any character one or more times).html. That matches any page with an html extension. If we wanted to include htm extensions, we would change our rule thusly:

RewriteRule (.+)\.(html|htm)$ index.html

The pipe character ( | ) is used to represent a logical OR. That means our pattern can end in “html” OR “htm”.

Range brackets are also very useful. Let’s say we only wanted to accept pages that had alphabetical characters in their URL only. Then we would write our rule as follows:

RewriteRule ([a-zA-Z]+)\.html$ index.html

The range is shown by putting values within square brackets. You can choose specific values like [abc] (only allows a, b, or c) or you can do ranges like [a-g], [0-9] or [n-y]. Now that we’ve covered some regex basics, we can build a pattern that can accept variables within a “directory structured” URL.

Pretty URLs

Our example URL from earlier looks like this:

http://www.best-food-of-the-usa.com/index.php?operation=top&state=arizona&
city=mesa&limit=10

We’re wanting to convert it to this:

http://www.best-food-of-the-usa.com/arizona/mesa/top10.html

However, we want to use the same Rewrite Rule for any city and state. To do this we will use regular expressions, but we will also use variables in our DESTINATION by using the values from the groups in our PATTERN. Whenever we use a group (groups are contained in left and right parentheses) in our PATTERN, the string that gets matched in that group can be accessed by use of a variable in our DESTINATION . That way, if our group ([a-zA-z]+) matches the string “arizona”, we will be able to use that string in our DESTINATION.

RewriteRule ([a-zA-z]+)/([a-zA-z]+)/top10\.html$ index.php?operation=top&state=$1&city=$2&limit=10

This will rewrite our pretty URL to the URL needed by our script. You will notice within our DESTINATION that we have state=$1 and city=$2. The $1 and the $2 represent the values from our first and second regular expressions in our patterns, respectively, and contain whatever strings matched. in the case of our example URL $1 would contain “arizona” and $2 would contain “mesa”.

Conclusion & Other Resources

We’ve rewritten our ugly URLs to be able to parse something a good deal more readable. And we learned a little bit about regular expressions along the way. Regex can be a confounding mistress; extremely powerful but extremely confusing, depending on how complex your patterns are.

I highly recommend you take a look at Added Bytes’ mod_rewrite Cheat Sheet to get you started and as a handy reference. And their Regular Expressions Cheat Sheet is great for that side of things.

You can also take a look at Apache’s documentation on mod_rewrite:
Apache Mod_rewrite

And a few other guides on getting started:
Mod_rewrite: A Beginner’s Guide
URL Rewriting
Easy Mod Rewrite

If you’re getting stuck with regular expressions, post a comment and we’ll ask the regular expressions bear (that’s Edgar) to reply.

After I configured my account, it was time to make Twitter work for me, to the maximum extent allowed by the law. Here’s what I’ve done to make my Twitter experience a bit better, after the jump.

Firefox Integration
If you’re running Firefox like you should be, then you’ll want to take a look at TwitterFox and TwitterBar. TwitterFox is a tasty little Add-On that sits in your status bar and offers pop-up updates when your friends tweet. @replies are colored different as are direct messages, and you can of course set your status right from the box. I like this better than some of the sidebar-based add-ons mostly because I hate the sidebar concept in general.

You can have TwitterFox check multiple accounts and configure its update frequency and popup duration. Just what I’d want from a Twitter app.

TwitterBar is an even simpler way to post status updates. Just start typing into the address bar and click the green + instead of the blue arrow. Done and done.

Facebook Integration
This one’s simple: Browse on over to the Twitter Facebook App and get cracking. This app used to prepend your status with “is twittering” much to the chagrin of a good deal of users. Now there’s something of a schism, and two distinctly boring camps have formed. I’m in the “please don’t verb my FB status” camp, for what it’s worth.

An alternative used to be available called TwitterSync which allowed you to customize the prepend verb. Since Twitter deactivated their XMPP service for most API clients, this and many other plugins have stopped working. (That link discusses the possibility of them reactivating the XMPP functionality.)

Finally, you’ll need to ensure you browse to the privacy options and explicitly allow Twitter to push status updates through to Facebook.

Mobile Integration
Now you’ll want to set up your phone to allow you to post Twitter updates. By simply text messaging 40404, you can publish a status update to Twitter and to Facebook. Cool. You can also select if you wish to be text-pinged with direct messages.

For some reason that completely confounds me, however, Twitter does NOT allow you to be SMS-pinged with @replies. Since hardly anyone uses direct messages (relatively speaking), this smacks of obnoxiousness. What’s worse is that they acknowledge their own stupidity on this matter with the follow FAQ answer: “Unlike Direct Messages, there is no special setting for receiving @replies only, but if you’d like to see one, send us a feature request by selecting “idea.” Let me just say that if enough users have requested a feature for you to write an FAQ about it, perhaps you should build it instead of suggesting we file it as a feature request!

One Twitter user posts a workaround, essentially relying on the mobile “track” feature. Type “track {yourname}” and you’ll get all updates that mention that phrase. This totally sucks if your user name also happens to be, say, a word someone would use in their normal vocabulary. (It also seems to have a significant delay associated with it…)

Other Twitter Stuff
There are plenty of other Twitter features and fun times to be had including other mobile applications, desktop- and sidebar-based apps and more. Check out VirtualHosting.com’s rather comprehensive breakdown of Twitter applications and plugins and get tweeting!