Online Personal Finance Tools

I've been collecting bank accounts for the past 8 years. Perhaps there's a 12-step program for this sort of thing, but I'm pretty happy with my collection and don't really want to get rid of any right now. Keeping on top of 12 separate accounts is quite a task, though, so what's a lazy guy like me to do?

The conventional answer would be to grab a copy of Quicken or Microsoft Money. Those cost money, though, and isn't desktop software like so last millennium? (Not to mention that there's no Linux version of these products.)

Luckily there are alternatives: A new company called Mint recently unveiled their web-based solution and won TechCruch40 as a result. Mint is a great tool, but it's currently limited to tracking checking, savings, and credit card accounts. I have a couple brokerage accounts, though, so I was even more excited when I read about a similar service called Geezeo that recently added support for these types of accounts. Unfortunately, Geezeo seems to be much more of a "beta" product than Mint at this point, which is a pretty big issue for software that wants you to trust it with all your financial data.

It turns out there are at least two more similar services out there as well. I'm in the process of testing them out and decided that I'd start a series of posts to review each one. Here are the sites I'm currently looking at:

• Geezeo - social finance application
  
• Mint - refreshing money management
  
• Wesabe - get financial tips from other members
  
• Yodlee - all of the power, but none of the pizazz?
  

I'm also considering taking a look at Quicken and Microsoft Money if I can get trial versions or decide I can spare the cash to buy one or both.

Stay tuned for more updates!

Tilt-Shift Photography

This is absolutely cool. I read about this technique called tilt-shift photography today and just wanted to share it:



Photos taken at a distance generally have a very large depth of field which makes everything look focused. In these photos, though, the depth of field has been artificially decreased so that the foreground and background are out of focus, even when everything is at a distance. Since we are used to seeing a small depth of field only in closeups, the pictures appear to be miniature models rather than the full-sized subjects they actually are.

Make sure to checkout this cool video slide-show about a NY Times photographer who has been using this technique.

Facebook Exposes Email Addresses

As many people may know, Facebook displays users' email addresses as images rather than plain text. Supposedly, this is to help prevent spamming (though, it seems like you might have bigger issues if your friends are spamming you). In any case, it turns out that these images actually aren't protected by the login process at all. For example, my email address image should be viewable by anyone. You don't have to be on my friends list and you don't even have to be logged into Facebook at all!

Now, before 40 million people pickup their pitchforks and try to lynch the Facebook developers, realize that this isn't as bad as it might sound at first. The emailgen.php page requires two parameter (id and key) to actually generate the image. The id parameter is pretty clearly the user's Facebook ID and is pretty trivial to lookup but the key parameter is a bit more cryptic (and turns out to be fairly secure).

Finding the Key

I was a bit curious as to what that key value represented. Here's the value from my email link above:

47fe78750d8d158caca8419203fd54bf

It appears to be a 32-character hexadecimal (128-bit) number. Now, it was certainly possible this was simply a randomly generated GUID that maps back to the real address in their database. If this were the case, though, there would really be no reason to include the id parameter as part of the call. However, MD5 checksums also happen to be 128-bits long and hashed values are often used for this sort of thing. Perhaps the key is simply a hash of some combination of the user's Facebook ID and the email address that will be displayed?

As it turns out, this is exactly what is being done. After trying just a couple combinations, I came up with the following result:

$ echo -n cfbradford@gmail.com668876587 | md5sum
47fe78750d8d158caca8419203fd54bf -

Eureka! I just generated the magic key needed to display my own email address! All I need is a user's Facebook ID and their email address and I can generate the proper key (and then URL) to display the email address image. And I can do all this without being your friend on Facebook or even being logged in at all!

But Wait...

Right about now the clever readers are scratching their heads trying to figure out why this even matters. What I've basically said so far is that "if I know your email address, I can find out your email address". Doesn't seem very exciting, does it?

The even more clever readers, though, are realizing that Facebook is actually giving me confirmation that I guessed the correct email address. More specifically, I can now essentially ask Facebook "Does user X have email Y registered with you?" and Facebook will essentially respond either "Yes" or "No" rather than just ignoring the question completely.

The less-cryptographically inclined may be wondering if I can reverse the process to get an email address and Facebook ID from the MD5 hash. In general, though, it is impossible to reverse such a hash since information is generally lost in the process.

How is this Useful?

Obviously this is only a big deal if it allows people to do something really cool or really scary with this information. Since the same basic functionality should be available in the Friend Finder, though, this probably can't be used to take over the world.

If you have a Facebook account, you should be able to upload an address book with a single email address in it to find if a Facebook user has that email address (and discover their Facebook ID in the process). You don't need to be friends, so pretty much anyone could do this (though I haven't actually tested the process).

To do the same thing with this "trick" would require having a list of all ~40 million (and growing) Facebook IDs, computing hashes based on each possible ID, and then requesting an email image from the Facebook site for each combination. Just computing that many hashes on my computer would take more than a day, and that's just for one email address. Verdict: Friend Finder is more useful.

In order to "discover" one of these IDs in the first place, you basically have to have access to a Facebook user's page, which means you also know their Facebook ID and could read the image with OCR software to figure out the email address in an automated way. So, this doesn't really provide any information that a person didn't already have access to.

What it could do, though, is provide alternatives to OCR in certain situations. If you have a small-ish list of possible email addresses you can just calculate the MD5 hash with each candidate until you find a match. As the number of possibilities grows, this becomes slower until OCR would be a better approach. (Depending on the speed and accuracy of the OCR software, this could be 100 or 1,000 possible emails). Even if OCR is used, the hash is still useful as a means to verify the results (if the detected address doesn't properly hash back to the key, then its not the correct address).

Conclusion

Despite the overly dramatic title of this post, I don't see any reason to really be worried about this. In light of recent posts about Facebook being a roach motel, I thought it was interesting discovering possible alternatives to OCR for extracting email addresses from Facebook. I'm a bit surprised that the emailgen.php page doesn't at least check to ensure you are logged in, but with open logins now this would be more of a placebo anyway. If someone is good at guessing what your email address is, they can get confirmation if they are right or wrong, but since this same information (and more) should be available through the Friend Finder, its really nothing new.

Suunto t6 Review

About a month ago, my trusty old Timex watch finally passed on to the next life. I've had that watch for almost 15 years now and would certainly vouch for their moto: "it takes a licking and keeps on ticking". Still, its a sad day when an old friend like that needs to be replaced ;-)

So began my search for a new watch. Last year I had promised myself I would get a fancy new running watch with a heart monitor if I could manage to keep running regularly for 2 months. As luck would have it, I finally met that goal this summer, so it was time to make good on my promise! I checked out watches from Timex, Polar, and Suunto, and finally settled on the Suunto t6 and have been using it for the past two weeks.

Retail price is about $450 and I got it for about $300 from an eBay store. The watch comes with a heart rate monitor (which straps to your chest), a USB cable, and a CD with the Suunto Training Manager software on it. I swapped out the rubber watch band with a buckle that it comes with in favor of a cloth band that velcros (buckles alway dig into my arm and the cloth is just more comfortable).

The watch itself keeps track of date and time, obviously, and it also has a built-in barometer and thermometer. Calibrating the barometer is a bit counter-intuitive, but the default calibration seemed correct once I set my altitude properly. While in "barometer" mode, the watch displays a graph of recent pressure changes. We haven't had any drastic pressure drops around here recently, so I haven't been able to really test it, but it should be interesting to watch when a storm is coming. The thermometer doesn't seem to work all that well and generally reports a temperature significantly higher than it should, but I suspect its just warmer next to my wrist. Taking the watch off for a while makes it report roughly the correct temperature, so if I ever REALLY need to know the correct temperature I should be able to figure it out. More interestingly, though, the thermometer and barometer can work together as an altimeter while I run.

The "training" mode has typical stopwatch functionality with lap times. It also has a warm-up timer and an interval timer (which I haven't really used yet). While the stopwatch is running, it will also record altitude and heart rate information. Other PODs can also send data to the watch to be recorded. There are currently PODs for running and biking as well as a GPS POD that I'm thinking about getting at some point in the future.

After a workout, I plug the watch into the computer to download all the stored data. The software calculates a bunch of other interesting things from the data and personal parameters that you enter and then can graph them all and compare several workouts. The most interesting calculation is the EPOC value (Excess Post-exercise Oxygen Consumption) which is basically a measure of how hard the workout was. Based on my current level of conditioning, this number is then converted into a Training Effect which lets me know if I'm training too hard or not enough. If I'm still tired from a previous run, the next run will be more difficult and have a higher Training Effect as a result. This helps me to make sure I have a good mix of hard and easy days in my workout schedule.

I used to be in much better shape than I am today. I ran cross-country and track throughout high school, but stopped once I went off to college. I've tried to start running again several times, but wasn't successful until recently. Looking back, the most important thing seems to have been telling myself to SLOW DOWN. Its going to be a while before I can run a 5 minute mile again, so trying to train at the pace I used to in high school just doesn't work. I started with a "Couch-to-5k" workout schedule and mixing walking with running really helped at the start. Now that I'm running with the t6, it helps remind me to jog slower to keep my heart rate down where it should be which is letting my run farther to build a bigger mileage base.

pros:

• Heart rate during a run is a good way to stay at the proper pace.
  
• EPOC/Training Effect is a great way to track training progress.
• The altimeter and barometer are kinda cool.
• Speed/distance/location tracking can be added with additional PODs.
  

cons:

• Thermometer doesn't really work next to my wrist.
• Some settings are a bit strange.
• It would be nice if it toggled between alt/baro modes automatically.
• The software kinda sucks. Suunto should open source it or create an API or something. There's lots of opportunity here for some sort of "virtual coach" that tailors future workouts based on past performance.

I'll report more as time goes by but, overall, I'm liking the watch so far.

Finally Starting

So, I bought chippydip.com and setup this blog several months ago--Friday, April 13th to be exact. Perhaps that was an unlucky day to set things up, or perhaps I'm just incredibly lazy (my money is on the latter) but in any case, I never actually posted UNTIL NOW!

My goal is to try and post here whenever I do something interesting and perhaps whenever I'm just bored. Getting an intro post up seemed like a good place to start. Its all downhill from here, right? ... right?

Dummy Post

This is a dummy post to fix this bug.