This is part 2 in a 3-part series about security at Meebo. See part 1.

Before we get started I want to make it clear that sharing this information doesn’t give away any secrets and doesn’t make you any less safe!

Today I’d like to talk about how we store the password for your Meebo account. Or more accurately, how we don’t actually store the password for your Meebo account. Instead we store a “hash” created from your password. A hash is a string of characters that is calculated by running your password through an algorithm created by cryptographers (aka crazy smart math people). For a given password, the algorithm generates the same hash every time. It is easy to take a password and create a hash, but it is basically impossible to reverse this process, i.e. to take a hash and determine the original password. (For anyone curious, we’re using bcrypt.)

When you type your username and password to log into Meebo we calculate the hash of the password you provided. If this hash matches the hash stored in our database then you have successfully authenticated, yay!

By storing a hash instead of the password, we greatly lessen the damage in the unlikely case that a hacker manages to get ahold of the information stored in our database. One weakness with this scheme is that, because many users use a simple word as their password, if a hacker is able to obtain the password hashes from our database then it would be possible for them to perform a “rainbow attack” to ascertain weak passwords. In this attack the hacker precomputes chains of hashes for each word in the dictionary and creates a rainbow table. The hacker would look up each hash from our database in this rainbow table. If he finds a match then he knows the password that was used to generate the hash.

We neutralize rainbow attacks by “salting” the password before generating the hash. Salting means that a few letters are added to the password before the hash is calculated. We generate a few random letters for each user, and store this “salt” along with the password hash. In effect this makes everyone’s password just a bit more random, which would require an unfeasibly large rainbow table.

In summary: We store a salted hash of your password, NOT The password itself. These techniques are pretty brilliant and we certainly can’t take credit for them—Unix at least has been using salted password hashes since the 1970s. It is our hope that sharing this information inspires other companies to be equally diligent with their own websites.

Stay tuned for part 3, coming in a few days!

Mark

[ comments ] [ past blogs ]
Follow us on Twitter

Meebo was fortunate to have the opportunity to sponsor and participate in the 2010 MIT Web Programming Competition judging process today. With coats and scarves in tow, Priscilla and I flew to snowy Boston to shake hands with thirty-five extraordinarily talented students.

When we arrived, Professor Rob Miller, the competition faculty advisor, explained that the student staff responsible for organizing the event chose the theme “Food, Health, and Sports” for this year’s MIT Web Programming Competition. As a result, many of the teams developed personalized workouts, healthy meal planning, and sports fan applications. After sitting on a plane for hours the day before, I started wishing I had packed my running shoes midway through the judging process.

All of the projects were amazing. It was painful to compare entries when there was such strong execution across very, very different types of applications. Often times, it’s the small attention to detail and user flows that make a Web application sparkle. And in a fast-paced competition, I think extra credit is warranted for the students who took the time to get the small details right despite going days without much sleep and with a cash prize at stake. We only had a few minutes to become familiar with each application so I’m sure there were many magical moments in all of the projects. However, here are a few that I happened to notice today:

Benefit: Richard, Joseph, and Patrick designed a site dedicated to helping their users achieve their weight loss goals. I appreciated that in the 3-step registration process, the step number is displayed in the upper right and that next/previous buttons allow you to go between step 2 and 3. I was also impressed with their decision to use minimal graphics so that the user is drawn to the tasks and data at-hand.

NBA Rewind & Star Stats: I appreciated that Ray, Tedrick, Lin, and HaoQi used data visualizations to deeply investigate questions that would be hard to answer without a chart or graph (e.g. does this player score more points at the end of the game, or which gaming strategy will be better against this player). Sometimes data visualizations play a supporting element (e.g. a simplified log of events). However, these apps focused on their visualizations almost exclusively. As a result, the applications had to predict the entire range of questions a user might ask and then provide the UI hooks for the user to research those questions most easily.

IronNerd: Daniel and Jong-moon took first place for their full-featured fitness social network. I especially appreciated that they considered badges to incentivize users to later return to their site and log their progress. Priscilla also pointed out that the team had an eye for information layout. They made an effort to have thoughtful margins and paddings on every page and because they’ve divided the page into distinct sections with easily scannable columns, it’s easier to figure out what to do next.

Lambda Fitness: Ryan, Cai, and Jacob focused on showing how muscle groups react to exercise. I wasn’t the only judge who appreciated that they used the gender information collected in their registration process to show either a male or female visualization of targeted muscle groups later. They were also one the few teams who implemented the ability to re-edit your profile after you’ve registered.

DrinkMath: Kenneth coded a pixel-perfect implementation of a traditional Nutrition Facts label with an HTML table. In a time-constrained task, it must have been tempting to use sliced images or a larger graphic with dynamic text on top. It’s unlikely that Kenneth expected the judges to walk through his HTML implementation. However, that’s why we were so impressed. It’s a great implementation and makes it easier for the user to copy and paste text. And even though he didn’t have to and it’s unlikely anyone would notice, he did it anyway.

Foodora: Andrew created a food-recommendation system that predicts recipes you should try based upon foods you already like. Anytime you develop an application that is magically intelligent, there’s always the risk that 1% of the time your algorithm won’t work like you intended. However, I appreciated that in each recommendation, Andrew also lists why this recommendation was made. At the bottom of each recommendation page, the user sees, “Based on what you’ve told us so far, we recommended this dish because it contains…”

NewsMesh: Kevin and Dave deserve kudos for their experimental geolocation news reader that they’ve made public to the Meebo community. Feel free to give it a try and provide feedback in the comments section here. This is the first day it is public so please be kind. To use it, select your favorite news source in the upper-left and see where news stories are popping up across the globe.

Hopefully all of the students who participated are catching up on sleep right now. Thanks for the opportunity to be a part of the competition and congratulations to all on a job very well done!

-Elaine

[ comments ] [ past blogs ]
Follow us on Twitter

This is part 1 in a 3-part series about security at Meebo.

We take your security very seriously. Every time we release a new product and every time we change our software we ask ourselves, “how might this be exploited?” And if someone points out a security problem in Meebo we investigate and fix as fast as possible. This is because we assume our service is under constant attack by nefarious computer hackers the world over, so we take whatever precautions are necessary to help keep you safe.

I wanted to take some time to talk about a few of the specific things we do for security at Meebo. Partially because we think it’s important to disclose this information, but also because we think it’s a pretty sweet system and we want to boast a little

First, I’d like to talk about how we transmit your passwords over the Internet. Most importantly, we never transmit your passwords in clear text over an unencrypted connection. If we did, it might be possible for someone to listen to your network traffic and learn your username and password. We either transmit your password over https, or, if https isn’t available from your location, we encrypt your password with a special key that allows only us to decrypt it. For details, please see our privacy and security page.

And just to be clear: sharing information about Meebo’s security doesn’t give away any secrets and doesn’t make you any less safe! So this message won’t self destruct in ten seconds or anything silly like that.

Stay tuned for part 2, coming in a few days!

Mark

[ comments ] [ past blogs ]
Follow us on Twitter

The Meebo office is small, and our open floor plan makes it easy to find anyone that we might need to have a quick word with.

But for many of us, most of those conversations happen over IM. So naturally, that means we’re on Meebo. All the time.

A company using its own products is sometimes called dogfooding, and I guess since we’re a communications company, it’s only natural we’d be using Meebo internally for messaging each other, sending links, or posting the status of our current projects.

Personally, I have 15 accounts associated with my Meebo account, including all of my email/IM accounts, my Facebook, my Flixster, and a couple of testing accounts as well.

I also use the Meebo Notifier on my Lenovo laptop. I really like the email notifications. (Plus the message that says “life is good” when it re-establishes a connection after I undock my computer always makes me smile.)

You might have noticed the addition of the Meebo Bar to the bottom of our blog. In yet another opportunity to eat our own dogfood, we have enabled the bar and even added a few buttons that we thought might be interesting or useful to our loyal readers.

I don’t know why we didn’t get around to this earlier. I guess we were so busy helping our partners set up the bar on their sites, we didn’t have the time to take care of our own blog. But now that we have a self-serve version of the Meebo Bar available, it was so easy and quick that the “not enough time” argument was just silly.

You can chat and share with your friends, view our Facebook fan page and Flickr feed, and even see public Tweets of links being sent from other Meebo Bars around the web, all right from the bar. Plus, any large images on the blog are shareable via drag and drop, which is a lot of fun.

So play with the bar on our blog at blog.meebo.com if you like, and let us know what you think. And conveniently, if you like it so much that you want one for your own blog or site, there’s a place where you can do that – bar.meebo.com.

-Greg

[ comments ] [ past blogs ]
Follow us on Twitter

Oh, there’s no place like home for the holidays. At least that’s what the song tells me, and I couldn’t agree more.

The Meebo team is on holiday until after the New Year. Please be patient if you don’t receive immediate responses from our Customer Support team. We’ll get back to you as soon as we can.

And as a last parting gift for the year, please enjoy this new holiday wallpaper that David and Seth J put together.

If you are viewing the blog from inside Meebo, try out the new Meebo Holiday wallpaper by clicking here! To change your wallpaper manually, go to Preferences > Appearance, select the “Meebo” wallpaper category and click the image you like.

Happy holidays!

the Meebo team

[ comments ] [ past blogs ]
Follow us on Twitter

To get the Meebo Bar on your own blog or site, go to bar.meebo.com

Last month we shared that there were over 100 partner websites that have integrated the Meebo Bar. Up until now only larger partners like Mashable and The Hollywood Reporter could sign up for the bar. Many users who run their own websites or blogs have been asking if they could get the Meebo Bar as well. Today, we are excited to announce the beta availability of the Meebo Bar for everyone!

We can guide you through setting up the Meebo Bar if you have a blog hosted on TypePad or Blogger or if you are hosting your own site using Wordpress or Movable Type. We also support other platforms like Tumblr or any self-hosted site.

Like you would expect, the Meebo Bar allows your site visitors to sign in to Meebo to chat and drag-and-drop to share photos and videos. Now you can also add a slew of new buttons to the Meebo Bar on your site. We’ve put together a bunch of buttons that we think partners and bloggers might want to make available: a Facebook Fan Page, Twitter, Flickr, YouTube, Lala, Meebo Me, Stumble Upon, Digg, RSS and more!

So, if you have your own site or blog and you’d like to give the Meebo Bar a try, head on over to http://bar.meebo.com

We are so excited to see what you do with this and can’t wait for your feedback and suggestions. We tried to make it as easy as possible to put the Meebo Bar onto any site, but I’m sure that we may have gotten few things wrong. As always, send us your comments and we’ll work to get things fixed as fast as we can.

Thanks!
Chris

[ comments ] [ past blogs ]
Follow us on Twitter

There’s a twelve-foot-tall Douglas Fir Noble Fir standing next to my desk here at Meebo HQ in Mountain View.

Just like last year, Vijay found us a gorgeous tree to put up for the holidays, and Sandy got started adding lights as soon as the tree was set up. We couldn’t find Kevin, who is tall like Shaq (well, not quite), to get the lights onto the top half of the tree, so I hoisted Jim onto my shoulders and we managed as best we could.

Here’s a pic after the lights were put up (I’ll get an updated photo with all of our holiday decorations a bit later):

Non-denominational trees with decorations can be tricky in work environments. Obviously, not all people celebrate Christmas or Hanukkah or Kwanzaa, and a decorated tree has strong associations with Christmas, in particular. Some of my close friends will celebrate the Winter Solstice on December 21st as an alternative to more traditional winter holiday celebrations. But everyone at the Meebo office does get time off for the holidays, so that’s certainly something to celebrate!

So right now we are all just appreciating a gorgeous tree glowing with lights, the smell of the forest in the office, and planning for a “secret” gift exchange later this week. I already got the present for my secret person.

Do you celebrate the holidays where you work or go to school? Do you get time off to spend with family and friends?

Happy Holiday Of Your Choosing!

Greg

[ comments ] [ past blogs ]
Follow us on Twitter

Four years ago, I wondered whether I could predict how a company was organized just by looking at their website design. “A product is a reflection of its team.” If there are lots of tabs at the top, perhaps that tab organization also represents how the product teams are divided. If an ad unit is floating off in a sidebar or cordoned off in a corner, then I wonder how frequently their product and business teams interact.

Since then, my belief in “a product is a reflection of its team” has grown. If it weren’t for hiring Jian, we never would have built out our widget strategy. If it weren’t for Paul, we would have no mobile presence whatsoever (and bear with us, the next mobile update is coming soon). And if you knew Andreas’ love for eye candy, you’d understand why I think our ads product knocks your socks off.

If you agree with “a product is a reflection of its team,” I’d propose considering its corollary, “a product is a reflection of its hiring practices.” Without amazing hiring practices, you’ll never find or attract the team that will build amazing products.

So how does a resource-starved, fast-paced, don’t-have-time-for-distractions start-up like Meebo manage to compete with monolithic organizations who could easily have ten recruiters for each person we have on our relatively tiny team?

Heck, it’s not easy. There are lots of things we do well (e.g. calibrated metrics, short time process, and a culture that is invested in hiring well) but there is one secret hiring process gem called the “Meebo simulation” that we hold sacred in our overall talent strategy. Originally inspired by Plaxo, a Meebo simulation is a 3-hour exercise that represents a typical task that someone would expect on day one in that role. For instance, a potential Visual Designer might be asked to create three icon concepts, work with the team to narrow it down to one, and then spend the remaining time polishing that concept. Just like a day-one experience, candidates are encouraged to ask questions and to consult whatever resources they’d normally have available to them (online searches, favorite books, even previous snippets of code written). In contrast to a stressful interview environment where candidates are asked puzzlers about gnomes, manhole covers, or New York piano tuners, we just focus on whether you can excel in Meebo’s environment in the described role. Unless you are being hired as a professional puzzle solver, we see very few appropriate places where brainteasers provide significant data on which we can make a good hiring decision.

And this week, I saw the best simulation of my entire career. Anita & Diem have been refining a Recruiter simulation for months. They’d narrowed down the simulation to four small tasks and taken pains to make sure it felt like a day-to-day experience at Meebo, going so far as to have a Recruiting candidate (supposedly) cold-call a talented engineer and talk with them about a role at Meebo. After watching several candidates complete this particular simulation, I felt like I had an especially accurate perspective into every candidate’s skill set, motivation, and team interaction style. In fact, I’d venture that the three-hour simulation provided about 90% of the data we needed to make a definitive hiring decision. Just when I thought Meebo’s tried-and-true hiring practices were about as good as they get, the experiences from this week made me rethink everything about our hiring process and to place even more emphasis on the Meebo simulation.

For a candidate, an effective simulation is amazing. If you’re searching for your next career opportunity, you may have to wait weeks for feedback or phone calls. A three-hour simulation eliminates weeks of stressful sit-and-wait. Plus, you leave from the experience knowing what’s expected of you in your role, who your team members are, and whether you think it’s a good fit.

Recruiters spend countless numbers of hours searching for things that will provide the same level of confidence – degrees, GPAs, schools, previous company experience. With that approach, you immediately eliminate the majority of the potential talent pool. If we think a candidate can play a part in creating delightful user experiences that the Meebo community will love, then, really, why nitpick over a GPA?

Finally, the best hiring practices stem from hiring the very best recruiters. For thousands and thousands of extremely talented folks, a Meebo recruiter is their first and only personal connection to Meebo. We’re hiring for a few (like 1-2, not 100s) Meebo Recruiters and Sourcers right now. And if you’re still reading this blog entry, there’s a chance that you might be that Recruiter who is just as passionate about building extraordinary teams and playing a pivotal role in our environment. In that case, we want to hear from you. Shoot us an email and come in for our Meebo simulation

Take care,
-Elaine

[ comments ] [ past blogs ]
Follow us on Twitter

I love Disneyland. Always have.

We would travel down from the Bay Area as a family when I was little. As soon as the park opened, I would race to Space Mountain and ride it over and over again. Until the lines got long.

My junior high band played a concert there every year, and of course we got to go to the park as well. As soon as the park opened, I raced to see Captain EO and then rode Star Tours over and over again. Until the lines got long. So I ran over to Space Mountain and rode that a bunch too. Everyone else was in line at Star Tours.

When I was old enough to road trip to LA on my own, I would make sure we were the first in line at the gates. And I would race to Space Mountain and ride it over and over again. Until the lines got long.

And as an adult, I would make an annual trip to Disneyland, and right when the park opened I would race over to Space Mountain, head over to Indiana Jones to grab a FastPass on my way to Splash Mountain, go back to ride Indiana Jones, and by then all the lines were long.

I have a bunch of other favorite attractions—Pirates of the Caribbean, Small World, America Sings (now gone), Soarin’ over California and Tower of Terror at Disneyland’s California Adventure Park—but the most important thing was always to race over to the most popular rides before the lines got ridiculously long.

Well I recently had a chance to experience Disneyland from a slightly different perspective. I went with a toddler.

We lined up at the gate 45 minutes before the park opened. They opened the gates fifteen minutes later and we raced to the end of Main Street to wait at the ropes. They took down the ropes and we raced to Space Mountain and Star Tours Peter Pan and Dumbo. Wow. I thought Space Mountain had long lines.

In the end, the favorite rides of the day were Winnie the Pooh and Small World. So we rode them over and over again. And conveniently, those lines never got too long.

What are your favorite attractions at Disneyland? Do you remember Adventures Thru Inner Space, the Country Bear Jamboree (they still have this in Florida), or maybe even E tickets?

If you go, get there early, avoid long lines, and have a wonderful time. Maybe I will see you over by the flying elephants.

-Greg

[ comments ] [ past blogs ]
Follow us on Twitter

Most people who use Meebo probably don’t realize that the games and applications in Meebo weren’t written by our team. In 2007, our email boxes were flooded with requests for games, voice chat, and video chat. While we had a few favorite ideas we were itching to build, we also had heard from a few developers that they’d jump at the opportunity to build applications for the Meebo community. Instead of creating a fun game and hoping people would find it on their separate site, they could launch into Meebo’s existing community where folks were already clamoring for the opportunity to challenge their friends to a game of Checkers. A few months later, we opened up an API to outside developers and encouraged anyone to create applications for the Meebo community. And voila! nearly overnight, we suddenly discovered that we had a lot of Chess fans.

Since then, we’ve seen our applications slowly evolve into two successful categories – games and voice chat. Meebo’s environment is a little bit unique. Unlike solitaire or virtual pet games, Meebo is best suited for faster-paced, real-time interactions with your friends. So it makes sense that games like 8-Ball and applications like TokBox’s voice chat have become our most popular applications over time.

So this week, we streamlined the application list to reflect this activity. We’re replacing the rocket icon with the dice icon with the hopes that the next time you want to play Darts, you won’t have to think “launch application to play game” first. You might have already noticed that the rocket icon has been retired and that David’s dice icon is now perched at the top of your IM dialog. If you want to see your friends while you’re chatting, you can continue to use the webcam icon to launch Tokbox’s voice chat and web cam features, or use the send file icon to send files over IM.

If you didn’t know that you could play Marbles inside Meebo, we hope it will be more self-evident now. And with the holidays just around the corner, hopefully more of you will have some time to beat Jian’s high score of 105,000 in
Blockz or see if you can try to get a Scholar’s Mate in Chess (that’s checkmate in four moves).

Enjoy!
-Elaine

[ comments ] [ past blogs ]
Follow us on Twitter