Leading By Example

This week, I was reading the new EU legislation [PDF] which relates to, among other things, the way that websites are allowed to use HTTP cookies (and similar technologies) to track their users. The Information Commissioner’s Office has released a statement to ask website owners to review their processes in advance of the legislation coming into effect later this month, but for those of you who like the big-print edition with pictures, here’s the short of it:

From 26th May, a website must not give you a cookie unless it’s either (a) an essential (and implied) part of the functionality of the site, or (b) you have opted-in to it. This is a stark change from the previous “so long as you allow opt-outs, it’s okay” thinking of earlier legislation, and large organisations (you know, like the one I now work for) in particular are having to sit up and pay attention: after all, they’re the ones that people are going to try to sue.

The legislation is surprisingly woolly on some quite important questions. Like… who has liability for ensuring that a user has opted-in to third-party cookies (e.g. Google Analytics)? Is this up to the web site owner or to the third party? What about when a site represents companies both in and outside the EU? And so on.

Seeking guidance, I decided to browse the website of the Information Commissioner’s Office. And guess what I found…

Hey! I didn't opt-in to any of these cookies, Mr. Information Commissioner!

…not what I was looking for: just more circular and woolly thinking. But I did find that the ICO themselves do not comply with the guidance that they themselves give. Upon arriving at their site – and having never been asked for my consent – I quickly found myself issued with five different cookies (with lifespans of up to two years!). I checked their privacy policy, and found a mention of the Google Analytics cookie they use, but no indication about the others (presumably they’re not only “opt-out”, but also “secret”). What gives, guys?

Honestly: I’m tempted to assume that only this guy has the right approach. I’m all in favour of better cookie law, but can’t we wait until after the technological side (in web browsers) is implemented before we have to fix all of our websites? Personally, I thought that P3P policies (remember when those were all the rage?) had a lot of potential, properly-implemented, because they genuinely put the power into the hands of the users. The specification wasn’t perfect, but if it had been, we wouldn’t be in the mess we are now. Perhaps it’s time to dig it up, fix it, and then somehow explain it to the politicians.

World Backup Day

It’s World Backup Day, folks. That means it’s time for you to look at your data and check that you’re backing it all up to a satisfactory level.

Have a look at the computer you’re sat at. If its hard drive(s) broke, irrecoverably, or if it were stolen: what would you lose?

Me? I like my backups to go “offsite”, so I use online redundant storage to shunt my important stuff to (I use a personal Amazon S3 bucket and some software I’ve written for that purpose, but you don’t have to be that geeky to use online backups – just check the World Backup Day website for suggestions). If you’re not quite so paranoid as me, you might make your backups to CDs or DVDs, or onto a pendrive. It doesn’t take long, and it’s worth it.

Backups are like insurance.

Now go celebrate World Backup Day by making some backups, or by checking that your existing backups restore correctly. You’re welcome.

Passwords – The Least You Should Do

If you see me in person, you’ll know that this is something I rant about from time to time. But that’s only because people consistently put themselves and their friends at risk, needlessly, and sometimes those friends include me. So let me be abundantly clear:

If you’re reading this, there is at least a 95% chance that your passwords aren’t good enough. You should fix them. Today.

Let’s talk about what we mean by “good enough”. A good password needs to be:

  • Long. Some of you are still using passwords that are shorter than 8 characters. The length of a password is important because it reduces the risk of a robot “brute forcing” it. Suppose a robot can guess 1000 passwords a second, and your password uses only single-case letters and numbers. If you have a 4-character password, it’ll be lucky to last quarter of an hour. A 6-character password might last a week and a half. At 8-characters, it might last a few decades. Probably less, if your password makes one of the other mistakes, below. And the robots used by crackers are getting faster and faster, so the longer, the better. My shortest password is around 12 characters long, these days.
  • Complex. Remember how long an 8-character password lasts against a “brute force” attack? If you’re only using single-case letters, you’re reducing that by almost a third. Mix it up a bit! Use upper and lower case letters, and numbers, as standard. Consider using punctuation, too. There’s no legitimate reason for a website to demand that you don’t have a long and complex password, so if one does seem to have unreasonable requirements: write to the owners and threaten to take your business elsewhere if they don’t get with the times.
  • Random. If your password is, is based on, or contains a dictionary word (in any language), a name or brand name, a date, a number plate or (heaven forbid) a national insurance number, it’s not good enough. “Brute force” attacks like those described above are usually the second line of attack against properly-stored passwords: first, a robot will try every word, name or date that it can think of, with and without capitalisation and with numbers before and afterwards. Many will also try common phrases like “iloveyou” and “letmein”. WikiHow has a great suggestion about how to make “random” passwords that are easy to remember.
  • Unique. Here’s the one that people keep getting wrong, time and time again. You should never, never, use the same password for multiple different services (and you should be very wary of using the same password for different accounts on the same service). This is because if a malicious hacker manages to get your password for one site, they can now start breaking into your accounts on other sites. Some people try to get around this by keeping two or three “levels” of passwords, for low-, medium-, and high-security uses. But even if a hacker gets access to all of your “low” security sites, that is (these days, frequently) still a huge amount of data they have with which to commit an identity theft.

    The other big reason to make sure your passwords are unique is that it makes it safer to share them, if the need arises. Suppose that for some reason you need to share a password with somebody else: it’s far safer for everybody involved if the password you share with them works only for the service you wanted to give them access to. Every person you trust is one more person who might (accidentally) expose it to a hacker by writing it down.

    Even if you have to memorise a complex “master” password and keep in your wallet a list of random “suffixes” that you append to this master password, different for each site, that’s a huge step forwards. It’s also a very basic level of two-factor authentication: to log in to your Twitter account, for example, you need your master password (which is in your head), plus the Twitter suffix to the password (which is written down in your wallet).

There’s been a wave of attacks recently against users of social networking websites: an attacker will break into an insecure web forum to get people’s email addresses and passwords, and then will try to log in to their webmail accounts and into social networking sites (Facebook, Twitter, etc.) using those same credentials. When they get a “hit”, they’ll explore the identity of the victim, learning about their language patterns, who their friends are, and so on. Then they’ll send messages or start chats with their victim’s friends, claiming to be their victim, and claim some kind of crisis. They’ll often ask to borrow money that needs to be wired to them promptly. And then they’ll disappear.

In this interconnected world, it’s important that your passwords are good not only for your benefit, but for your friends too. So if you’re guilty of any of the “password crimes” above – if you have passwords that are short (under 8 characters), simple (don’t use a mixture of cases and include numbers), predictable (using dictionary words, names, dates, etc.: even if they include a number), or re-used (used in more than one place or for more than one site) – change your passwords today.
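The four “password crimes” above can be checked mechanically. The following Ruby sketch is an added example, not code from this post: it audits a set of your own passwords against the four rules and estimates brute-force time at the 1000-guesses-a-second rate used in the list. The word list, the account names and the passwords are constructed sample data.

```ruby
require 'set'

# Assumptions for this example: the guess rate is the one used in the list
# above; WORDLIST and ACCOUNTS are constructed sample data.
GUESSES_PER_SECOND = 1000
MIN_LENGTH = 8
WORDLIST = Set.new(%w[iloveyou letmein password dragon monkey arsenal]).freeze

ACCOUNTS = {
  'forum'   => 'Letmein1',
  'webmail' => 'Letmein1',
  'bank'    => 'x7Qp',
  'shop'    => '19800214',
  'wiki'    => 'tR9#vLq2@mZ8'
}.freeze

# Number of symbols a brute-forcer has to cover, judged by the character
# classes that actually appear in the password.
def alphabet_size(password)
  size = 0
  size += 26 if password =~ /[a-z]/
  size += 26 if password =~ /[A-Z]/
  size += 10 if password =~ /[0-9]/
  size += 33 if password =~ /[^a-zA-Z0-9]/ # ASCII punctuation and space
  size
end

# Average time to find the password by exhaustive search: half the keyspace
# divided by the guess rate, in whole seconds.
def average_crack_seconds(password, rate = GUESSES_PER_SECOND)
  (alphabet_size(password)**password.length) / (2 * rate)
end

# "Random" rule: reject dictionary words, with or without capitalisation and
# with digits or punctuation before and afterwards, and bare dates or numbers.
def predictable?(password, wordlist = WORDLIST)
  lowered = password.downcase
  return true if lowered =~ %r{\A[\d\-/.]+\z}
  core = lowered.gsub(/\A[\d\W_]+|[\d\W_]+\z/, '')
  return true if wordlist.include?(core)
  wordlist.any? { |word| word.length >= 4 && lowered.include?(word) }
end

# Returns { account name => [crimes] }, where each crime is one of
# :short, :simple, :predictable or :reused.
def audit(accounts, wordlist = WORDLIST)
  uses = Hash.new(0)
  accounts.each_value { |pw| uses[pw] += 1 }
  accounts.each_with_object({}) do |(name, pw), report|
    crimes = []
    crimes << :short if pw.length < MIN_LENGTH
    crimes << :simple unless pw =~ /[a-z]/ && pw =~ /[A-Z]/ && pw =~ /\d/
    crimes << :predictable if predictable?(pw, wordlist)
    crimes << :reused if uses[pw] > 1
    report[name] = crimes
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(ACCOUNTS).each do |name, crimes|
    puts "#{name}: #{crimes.empty? ? 'ok' : crimes.join(', ')}"
  end
end
```

A real word list should be far larger than the six constructed entries here, and the audit should only ever be run locally over your own passwords.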

Here’s some resources to help you do it:

  • WikiHow’s guide to choosing secure passwords.
  • PCTools’ great random password generator.
  • The top 500 worst passwords of all time – if yours is in here, it’s probably already been compromised.
  • SuperGenPass – a very good way to use a strong, unique password for every website without having to remember multiple passwords. Free.
  • KeePass – a great way to use a strong, unique password for every site and service without having to remember multiple passwords. Free.
  • LastPass – another great way to use a strong, unique password for every site and service without having to remember multiple passwords. Free (or cheap, for the premium version).

IE6 Countdown

Microsoft recently tweeted “It’s not often that we encourage you to stop using one of our products, but for IE6, we’ll make an exception”. This coincides with the launch of The Internet Explorer 6 Countdown, a website that tries to encourage people to drop this hideously old and awful browser in favour of better, modern, standards-compliant ones, thereby saving web developers heaps of work.

Internet Explorer 6 usage stats, from IE6 Countdown. I'm honestly shocked that the number is still as high as 12%. Where are they getting that from?

That’s not strictly true; they’re encouraging people to upgrade to Internet Explorer 8 and 9, presumably, which are still a little lacking in support for some modern web standards. But they’re a huge step forward, and everybody who’d like to stick with Internet Explorer should be encouraged to upgrade. There’s no excuse for still using IE6.

 

They’re even providing a tool to let you put a “Upgrade now, damnit!” banner on your website, visible only to IE6 users. It’s similar to the IE6Update tool, really, but has the benefit of actually being supported by the browser manufacturer. That has to count for something.

Will it make a difference? I don’t know. I’m frankly appalled that there are modern, high-tech countries that still have significant numbers of IE6 users: Japan counts over 10%, for example! We’re talking here about a ten year old web browser: a web browser that’s older than MySpace, older than Facebook, older than GMail, older than YouTube. Internet Explorer 6 was released into a world where Lord of the Rings was something that would take you a long time to read, rather than taking you a long time to watch. A world where in-car CD players still weren’t universal, and MP3 players were a rarity. Do you remember MiniDisc players? Internet Explorer 6 does. The World Trade Center? Those towers were still standing when Internet Explorer was released to the world. And if that’s making you think that 10 years is a long time, remember that in the fast-changing world of technology, it’s always even longer.

Just remember what Microsoft (now, at long last) says: Friends don’t let friends use Internet Explorer 6.

Too Ruby

Ruby, a programming language of which I’m quite fond, is well-known for its readability and ease of comprehension, among about thirty-seven other wonderful features.

I rediscovered quite how readable the language is when I genuinely ended up writing the following method last week:

# On saving, updates the #Shift counters if the #ExperienceLevel of this
# #Volunteer has been changed
def update_counters_if_experience_level_changed
  update_counters if experience_level_changed?
end

For the benefit of those of you who aren’t programmers, I’ll point out that which is obvious to those of us who are: the body of the method (that’s the line that’s indented) is almost identical to the method name (the line that starts with “def”).

This is the equivalent of going to WikiHow and looking up the article on, say, How to Make a Tie Dyed Cake, only to discover that the text of the article simply says, “Choose what colours you want, and then make a cake in those colours”… and you understand perfectly and go and make the cake, because you’ve got that good an understanding. In this metaphor, you’re the Ruby interpreter, by the way. And the cake is delicious.

Okay, I cheated a little: the experience_level_changed? method was provided for me by the Rails framework. And I had to write the update_counters method myself (although it, too, contains only one line of code in its body). But the point is still the same: writing Ruby, and thinking in a Rubyish way, produces beautifully readable, logical code.

The Week of Balls

Early this week, I’ve spent quite a bit of time knee deep in the guts of Phusion Passenger (which remains one of the best deployment strategies for Rack applications, in my mind), trying to work out why a particular application I’d been working on wouldn’t deploy properly after a few upgrades and optimisations on the development server. Ultimately, I found the problem, but for a few hours there I thought I was losing my mind.

This lunchtime, I decided to pull out all of my instant messenger logs (being out of the office, my co-workers at SmartData and I do a lot of talking via an IM system). I’d had a hunch that, so far this week, “balls” would be amongst my most-frequently typed words, chiefly uttered as yet another hypothesis about why the development server wasn’t behaving itself was blown out of the water. A few regular expressions (to strip it down to just the words I typed) and a run through a word-counter, and I had some results!

Here’s my top words of the work week so far:

Position Word(s)
1 – 18 the, to, I, a, it, that, of, in, and, on, but, have, what, is, you, just, so, for
Positions 1 through 18 contain some of the most-common conjunctions and pronouns that I use on a day-to-day basis, as well as some common verbs. Nothing surprising there. So far, so good.
19 Rails
Between the projects I’ve been involved with and those my colleagues are working on, there’s been a lot of discussion about (Ruby on) Rails around the office so far this week.
20 IPN, do
One of the projects I’ve been working on this week has used a payment gateway with an Instant Payment Notification service, so it’s not surprising that “IPN” appeared in the top 20, too…
22 was, this
24 my, know, at
27 up, don’t
Over 50% of “don’t”s were immediately followed by “know”: Monday was one of those days.
29 I’m
30 yeah, be, [name of troublesome web app]
Not unexpectedly, the name of the project that caused so much confusion earlier this week came up more than a little.
33 there, one, if
36 we, see, problem, get, balls, back, all
These seven words never all appeared in a sentence together, but I sort of wish that they had. There’s the key word – balls – apparently the joint 36th most-used word by me between Monday morning and Wednesday lunchtime.

Other common words this week so-far included “jQuery”, that great JavaScript library (there was some discussion about how we can best make use of the new features provided by version 1.5), “payment” (again; a lot of talk of payment processing, this week), “means” (mostly where I was explaining the results of my investigations into the troublesome server), “tried” (a disappointing-sounding word), “error” (I saw a few of those, to be sure!), and “somehow” (not a reassuring thing to catch yourself saying).

Also pretty common this week was “boiler”, as I explained to my workmates the saga of the boiler at my house, which broke down at the weekend, leaving us with no hot water nor heating until it was repaired on Tuesday. On the upside, I did get to poke around inside the boiler while the repairman was taking it to bits, and learned all kinds of fascinating things about the way that they work. So, a silver lining, there.

Bits of our boiler: the hip bone's connected to the... leg bone.

With the boiler fixed at home, and the development server fixed at work, it finally feels like this week’s turning into the right kind of week. But for a while there, it didn’t look certain!

Free Deed Poll Generator

I talk a lot. If you don’t want to listen to me ramble, and you’re just looking for the free deed poll generator, click here.

After Claire and I changed our names back in 2007, I actually took the time to do a little research into deeds poll (or, more-specifically in this case, deeds of change of name). It turns out that we did it the wrong way. We paid a company to do all of the paperwork for us, and – while it wasn’t terribly expensive – it wasn’t free, and “free” is exactly how much it ought to cost.

In the intervening years I’ve helped several friends to change their names via deeds poll (yes, “deeds poll” is the correct plural), and I’ve learned more and more about why the whole process should be simpler and cheaper than many people would have you believe.

A deed poll, by definition, is nothing more than a promise signed by one person (it’s not even a contract – it’s got little more weight than a New Year’s resolution), on paper which has straight edges. That’s what the word “poll” actually means: that the paper has straight edges. Why? Because back then, a contract would typically be cut into two on an irregular line, so that when the two halves came together it would be clear that they were originally part of the same document – an anti-forgery measure. A deed poll, because it’s signed only by one person, doesn’t need to be separated like this, and so it has straight edges.

The Charter of the Clerecía de Ledesma, a contract from 1252 - note the cut top edge where it originally joined to the "other half" of the contract.

That means that it’s perfectly legitimate for you to write, on the back of a napkin, “I have given up my name [former name] and have adopted for all purposes the name [new name]. Signed as a deed on [date] as [former name] and [new name]. Witnessed by [witnesses signature(s)].”

The problem comes when you send that napkin off to the Inland Revenue, or the DVLA, or the Passport Office, and they send it back and laugh. You see, it helps a hell of a lot if your deed poll looks sort-of official. You ought to put some work into making it look nice, because that makes a world of difference when you ask people to believe it. That’s not to say that they won’t laugh at you anyway – the Passport Office certainly laughed at me – but at least they’ll accept your name change if it has an air of authority and is covered with all of the most-relevant legalese.

Behind the dozens of scam artists who’ll charge you £10, £20, £30, or even more to produce you an “official” deed poll (tip: there’s no such thing), there are one or two “free” services, too. But even the best of these has problems: the site is riddled with advertisements, the document isn’t produced instantly, you’re limited in how many deed polls you can generate, and – perhaps worst of all – you have to give them your email address in order to get the password to open the documents they give you. What gives?

Generate free UK deeds of name change at freedeedpoll.org.uk.

So I’ve made my own. It’s completely free to use and it’s available at freedeedpoll.org.uk: so what are you waiting for – go and change your name! Oh, and it’s also open-source, so if you want to see how it works (or even make your own version), you can.

Why? Well: I don’t like feeling like I’ve been scammed out of money, so if I can help just one person change their name for free who might otherwise have been conned into paying for something that they didn’t need: well, then I’ve won. So change your name or help your friends and family to, on me, or just download my code and learn a little bit about Ruby, Sinatra, and Prawn (the technologies that power the site). What’re you waiting for?

Mobile One-Time-Passwords in Ruby

I recently came across the Mobile One-Time-Passwords project, which aims to make a free, secure alternative to commercial two-factor authentication systems (like SecurID). The thinking is pretty simple: virtually everybody now carries a mobile phone capable of running basic applications, so there’s no reason that such an application couldn’t provide the processing power to generate one-time-passwords based on a shared secret, a PIN number known only to the authenticating party and to the server, and the current date and time stamp.

Great! But it turns out that despite there being libraries to produce server-side implementations of the technology in PHP, Perl, and C, nobody had yet bothered to write one in that most marvelous of programming languages, Ruby.

Well, now I have. So if anybody’s got the urge to add one-time-password based security to their Rails or Sinatra app, or would like to write an MOTP client for their Ruby-capable smartphone: well, now you can.
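To show what the server side of such a scheme has to do, here is an added Ruby sketch. It is not the library announced in this post, and its class and method names are hypothetical. It uses the Mobile-OTP construction (the first six hex digits of an MD5 over the time in 10-second ticks, the shared secret and the PIN); the clock-drift window and the replay rule are choices made for this example, and the secret, PIN and timestamps used with it are constructed.

```ruby
require 'digest/md5'

# Added example with hypothetical names; not the library from the post.
class MotpVerifier
  STEP  = 10   # Mobile-OTP counts time in 10-second ticks
  DRIFT = 180  # assumed tolerance for phone/server clock skew, in seconds

  def initialize
    @last_tick = Hash.new(-1) # user => tick of the last OTP accepted
  end

  # OTP for one tick: first six hex digits of MD5(tick + secret + PIN).
  def self.otp_for_tick(tick, secret, pin)
    Digest::MD5.hexdigest("#{tick}#{secret}#{pin}")[0, 6]
  end

  # What the phone would display at the given time.
  def self.otp(secret, pin, time = Time.now)
    otp_for_tick(time.to_i / STEP, secret, pin)
  end

  # True only if the candidate matches a tick inside the drift window that is
  # newer than the last tick accepted for this user (so a captured OTP cannot
  # be replayed, even while it is still inside the window).
  def verify(user, secret, pin, candidate, now = Time.now)
    return false unless candidate.is_a?(String) && candidate =~ /\A[0-9a-f]{6}\z/
    current = now.to_i / STEP
    span = DRIFT / STEP
    matched = nil
    (current - span).upto(current + span) do |tick|
      next if tick <= @last_tick[user]
      expected = self.class.otp_for_tick(tick, secret, pin)
      matched ||= tick if secure_equal?(expected, candidate)
    end
    return false unless matched
    @last_tick[user] = matched
    true
  end

  private

  # Comparison that does not stop at the first differing byte.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = '0123456789abcdef' # constructed sample secret
  server = MotpVerifier.new
  code = MotpVerifier.otp(secret, '1234')
  puts "first use:  #{server.verify('alice', secret, '1234', code)}"
  puts "second use: #{server.verify('alice', secret, '1234', code)}"
end
```

A production verifier would also persist the last accepted tick and rate-limit failed attempts per user, since a six-hex-digit code is short.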

Copy-Pasting Passwords into Steam

Just want to know how to ‘fix’ Steam’s password field? Scroll down to “How to Fix It”

Steam & Security Theatre

You’re a smart guy. You’re not stupid about computer security. And that’s why you always make sure that you use a different password for every service you use, right? You might even use a different password for every account, even when you have different passwords on the same service. You know that there are really, really good reasons why it’s simply not good enough to, for example, have “high-security”, “general use” and “low security” passwords, and re-use each of them in several places. And if you don’t know that: well, take my word for it and I’ll explain it in detail later.

It’s no great hardship to have lots of long, complex, effectively-random passwords, these days. Tools like SuperGenPass, LastPass, and KeePass, among others, mean that nowadays it’s so easy to use a different password for every service that there’s no excuse not to. So you probably use one of those (or something similar), and everything’s great.

Except for that one application – Steam. I have Steam save my password on my desktop PC (by the time somebody steals my desktop PC and breaks into the encrypted partition on which my data files lie, I have bigger problems than somebody stealing my Just Cause 2 achievements), but it forgets the password every time that Ruth uses her Steam account on my computer. No problem, I think: I can easily copy-paste it from my password manager… nope: Steam won’t let you paste in to the password field.

What? If you ask Valve (Steam’s creators) about this, they’ll say that it’s a security feature, but that’s bullshit: it’s security theatre, at best. And at worst, it means that people like me are inclined to use less-secure passwords because a more-secure password would be harder to memorize and to type out.

How to Fix It

Well, obviously the best way to fix it would be to successfully persuade Valve that they’re being stupid: others are already trying that. But what would be nice in the meantime would be a workaround. So here it is:

  1. Edit Program Files\Steam\Public\SteamLoginDialog.res (Program Files (x86)\Steam\Public\SteamLoginDialog.res on 64-bit Windows, somewhere else entirely on a Mac) using your favourite text editor (or Notepad if you don’t have a favourite). Take a backup of the file if you’re worried you’ll break it.
  2. In the "PasswordEdit" section (starting at about line 42), you’ll see name/value pairs. Make sure that the following values are set thusly:
  • "tabPosition" "1"
  • "textHidden" "0"
  • "style" "TextEntry"

The next time you load Steam, you’ll be able to paste passwords into the password field. The passwords won’t be masked (i.e. you’ll see the actual passwords, rather than asterisks), but the dialog never loads with a password pre-populated anyway, so as long as you make sure that nobody’s looking over your shoulder while you type, you’re set!

Update: let’s face it, Valve’s security policies suck in other ways, too. Please read the tale of a friend-of-a-friend who’s desperate to change her Steam username.

They Say that Programmers Never Die

They just gosub without return. That is, of course, a joke (with all due apologies to those of you to whom it means nothing), but there’s a kernel of truth in the saying. In their own way, programmers are like authors or artists in that their work can easily outlive them, and their unique and distinct style can be found in their creations: and in that created by those that learn from or imitate them.

This morning I was working on some legacy Perl code that holds together a part of a client’s web site. In particular, I was refactoring the code that displays dates and times in an appropriate format, as part of an effort to simplify the code after fixing a bug that would, under some unusual conditions, use the “pm” suffix for morning times (e.g. 11pm, when it means 11am). Under normal circumstances this would have been a simpler job than it was, but this particular piece of software has been passed from developer to developer, and (until it came into my hands) I’m pretty sure that none of them took the time to understand what their predecessors had done. Several different stylistic and semantic styles are used in the code, and several different solutions are used for the same problem, depending on who was in charge at any given time. In short, the code’s a mess, but the client is on a tight budget and can generally only afford to pay for the minimum amount of work, and not for the sweeping overhaul that the system so badly needs.

I came across a particular line of code, today (evidence, perhaps, of a previous developer looking into a related issue to the one with which I was tasked):

$leu_something .= $hour . " - " . $amorpm;

Even without the developer’s name embedded within the variable name, I could have told you who wrote this code because of its distinct style. Even this single line has a defining appearance of its own, to the trained eye. To illustrate this, consider that the line could equally have been written in any of the following ways (among hundreds of others, without even looking at the optional space characters and interchangeable types of quotation marks used), and would have functioned identically:

  • $leu_something = $leu_something . $hour . " - " . $amorpm;
  • $leu_something .= "${hour} - ${amorpm}";
  • $leu_something = join('', $leu_something, $hour, " - ", $amorpm);
  • $leu_something .= sprintf('%s - %s', $hour, $amorpm);

Some of these methods have specific advantages or disadvantages, but all have the exact same fundamental meaning. However, even from a glance I could tell that this code belonged to the former developer named Leu (and not any of the other developers whose names I’ve seen in the project) because of the style in which he chose to write it.

Non-programmers often fail to understand why I describe programming as being as much an art as a science. The work of a programmer has been compared to the work of a poet, and I agree with this sentiment. Even merely on a superficial level, both computer code and poetry:

  • Can be good or bad (by consensus, or subjectively).
  • Attach significant importance to proper syntax and style (you need the right rhyming pattern in a limerick and the right number of brackets in a loop).
  • Express a concept through the artistic use of a language.
  • When used to express complex ideas, benefit from creative and sometimes out-of-the-box thinking.
  • Often lose value if they are literally translated to another language.

Not only that, program code can be beautiful. I’ve examined code before that’s made me smile, or laugh, or that has saddened me, or that has inspired me. I shan’t argue that it’s on a par with the standard of spoken-language poetry: but then, programming languages are not designed to appeal to the pathos, and are at a natural disadvantage. Sometimes the comments for a piece of code can in themselves carry a beauty, too: or they can serve simply to help the reader comprehend a piece of code, in the same way as one can sometimes find guidance in the interpretation of a poem from somebody else’s research.

However, it’s possible to say things with code that one simply can’t convey in the same way, using a spoken language. To prove this point, I’ve composed a short haiku in the medium of the Ruby programming language. For this purpose, I’m defining a haiku as a poem whose lines contain 5, 7, and 5 syllables, respectively. It’s an existentially nihilistic piece called Grind:

def grind(age = 0)
  die if age == 78
  grind(age + 1); end

Vocalised, it would be read as follows:

Def grind: age equals zero,
Die if age equals seventy-eight,
Grind (age plus one); end.

I enjoy the subtlety of its use of recursion to reinforce the idea that every year of your life gives you a bigger burden to carry (and a larger amount of memory consumed). This subtlety does not adequately translate to a spoken language.

The line of code I showed you earlier, though, is neither interesting nor remarkable, in itself. What makes it interesting to me is that it persisted – until today, when I removed it – in this piece of software. The author, Leu, died several years ago. But there will exist software that he wrote, being read again and again by tireless machines on a daily basis, for years to come.

I wonder how long the code I write today will live.

The Worst Server Infection I’ve Ever Seen

With my day job at SmartData I’ve recently been doing some work for a client, transporting their data from the Microsoft SQL Server that back-ends their desktop application and converting it to a different schema on a different database for a new, web-based application. Because there’s quite a lot of data, the schema are quite different, and the data needs to be converted in a “smart” way: I’ve written a program to help with the task.

My program takes data from our client’s old server and moves it to their new server, making several alterations along the way.

Unfortunately, it’s a slow process to move all of the data over. So, to test my program as I continue to develop it, I thought it might be useful if I could take a copy of the “live” database to somewhere more local (like my computer). This would remove the overhead of going through the Internet each time, and reduce the run time of the program significantly – an important consideration during its ongoing development.

Unfortunately, a quirk in the way that Microsoft SQL Server works is that the backup file I can make (ready to restore onto my computer) doesn’t appear on my computer, but appears on the old server. And I don’t have a means to get files off the old server. Or do I? I have a username and password: I wonder if there are any other services running on the server to which I might have access. To find out, I use a program called Nmap to try to get a picture of what services are running on the server.

The results of running Nmap on the server. That’s a lot of open ports…

And that’s when I realised that something might be wrong. For those of you who aren’t inclined toward understanding the ins and outs of network security, the screenshot above should be considered to be more than a little alarming. There’s pretty obvious and clear signs that this computer is infected with Trinoo, NetBus, Back Orifice, and quite probably other malware. It’s almost certainly being used as part of denial of service attacks against other computers, and could well be stealing confidential information from our client’s server and the other computers on their network.
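The screenshot is not reproduced here, so the following is an added Ruby example rather than anything from the original investigation: it reads Nmap’s grepable (-oG) output and flags ports that were the historical defaults of the three families named above. The port numbers are supplied by this example, not taken from the post, and the scan text and host address are constructed. A match is a lead to confirm on the host itself, because any service can be bound to these port numbers.

```ruby
# Historical default ports for the malware families named in the post. These
# numbers are supplied by this example; they do not appear in the post.
SUSPECT_PORTS = {
  [27665, 'tcp'] => 'Trinoo (master control)',
  [27444, 'udp'] => 'Trinoo (daemon)',
  [31335, 'udp'] => 'Trinoo (daemon to master)',
  [12345, 'tcp'] => 'NetBus',
  [12346, 'tcp'] => 'NetBus',
  [31337, 'udp'] => 'Back Orifice'
}.freeze

# Constructed sample of "nmap -oG" output (192.0.2.10 is a documentation address).
SAMPLE_SCAN = <<~GNMAP
  # Nmap scan (constructed sample)
  Host: 192.0.2.10 ()\tStatus: Up
  Host: 192.0.2.10 ()\tPorts: 80/open/tcp//http///, 1433/open/tcp//ms-sql-s///, 12345/open/tcp//netbus///, 27665/open/tcp//Trinoo_Master///, 27444/open|filtered/udp//Trinoo_Bcast///, 31337/open/udp//BackOrifice///, 3389/closed/tcp//ms-wbt-server///
GNMAP

# Turns grepable output into one hash per scanned port. Each port entry has
# the form port/state/protocol/owner/service/rpcinfo/version/.
def parse_gnmap(text)
  text.each_line.flat_map do |line|
    fields = line.chomp.split("\t")
    ports = fields.find { |f| f.start_with?('Ports: ') }
    next [] unless line.start_with?('Host: ') && ports
    host = fields.first.split[1]
    ports.sub('Ports: ', '').split(', ').map do |entry|
      port, state, proto, _owner, service = entry.split('/')
      { host: host, port: port.to_i, state: state, proto: proto, service: service }
    end
  end
end

# Keeps only open ports on the suspect list. UDP ports that Nmap reports as
# "open|filtered" gave no reply at all, so they are marked :unconfirmed.
def triage(text)
  parse_gnmap(text).map do |p|
    family = SUSPECT_PORTS[[p[:port], p[:proto]]]
    next unless family && p[:state].start_with?('open')
    confidence = p[:state] == 'open' ? :listening : :unconfirmed
    p.merge(family: family, confidence: confidence)
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  triage(SAMPLE_SCAN).each do |f|
    puts "#{f[:host]} #{f[:port]}/#{f[:proto]} #{f[:family]} (#{f[:confidence]})"
  end
end
```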

How have things gotten so out of control? I’m not sure. I’ve never seen such a rampant runaway set of infections on a server system before. Computers belonging to individuals, especially individuals inclined to installing BonziBuddy, Smiley Central/Cursor Mania, and so on, are often littered with malware, but one would hope that a server administrator might have a little more wisdom than to let unauthorised code run on a server for which they were responsible. At the very least, a Windows-based, Internet-accessible server ought to be running a strict firewall and antivirus software (virtually all antivirus software would have detected all three of the infections I’ve named above).

Just about anybody can get onto the ‘net, these days, and I can just about forgive a regular Jo who says, “I don’t know anything about computers; I just want to play FarmVille.” It’s disappointing when they end up inadvertently helping to send email advertising “$oft C1ALIS tabs” to the rest of us, and it’s upsetting when they get their credit card details stolen by a Nigerian, but it’s not so much their fault as the fault of the complexities they’re expected to understand in order to protect their new computer. But when somebody’s running a service (as our client is paying for, from a third-party company who’s “managing” their server for them), I’d really expect better.

The Bit for the “Regular Jo”

And if you are a “regular Jo” on a Windows PC and you care enough to want to check that you’re part of the solution and not part of the problem, then you might be interested in a variety of free, trusted:

  • Anti-virus software (essential)
  • Adware/spyware removal tools (useful if you routinely install crap downloaded from the web), and
  • Firewall software (essential if you connect “directly” to the Internet, rather than via a “router”, or if you’re ever on networks on which you can’t trust the other network users – e.g. free wi-fi access points, shared Internet connections in student houses, etc.)

Edit: And don’t forget to regularly install your Windows Updates. Thanks to Gareth for the reminder that regular Jos should be encouraged to do this, too.


Favourite Firefox Four Feature FAIL!

I’ve been playing about with the beta of Firefox 4 for a little while now, and I wanted to tell you about a feature that I thought was absolutely amazing, until it turned out that it was a bug and they “fixed” it. This feature is made possible by a handful of other new tools that are coming into Firefox in this new version:

  1. App tabs. You’re now able to turn tabs into small tabs which sit at the left-hand side.
  2. Tab groups. You can “group” your tabs and display only a subset of them at once.

I run with a lot of tabs open most of the time. Not so many as Ruth, but a good number. These can be divided into three major categories: those related to my work with SmartData, those related to my work with Three Rings, and those related to my freelance work and my personal websurfing. Since an early beta of Firefox 4, I discovered that I could do this:

  1. Group all of my SmartData/Three Rings/personal tabs into tab groups, accordingly.
  2. This includes the webmail tab for each of them, which is kept as an App Tab – so my SmartData webmail is an app tab which is in the SmartData tab group, for example.
  3. Then – and here’s the awesome bit – I can switch between my tab groups just by clicking on the relevant app tab!

Time to do some SmartData work? I just click the SmartData webmail app tab and there’s my e-mail, and the rest of the non-app tabs transform magically into my work-related tabs: development versions of the sites I’m working on, relevant APIs, and so on. Time to clock off for lunch? I click on the personal webmail tab, look at my e-mail, and magically all of the other tabs are my personal ones – my RSS feeds, the forum threads I’m following, and so on. Doing some Three Rings work in the evening? I can click the Three Rings webmail tab and check my mail, and simultaneously the browser presents me with the Three Rings related tabs I was working on last, too. It was fabulous.

Firefox 4 app tabs

The other day, Firefox 4 beta 7 was released, and this functionality didn’t work any more. Now app tabs aren’t associated with particular tab groups any longer: they’re associated with all tab groups. This means:

  • I can’t use the app tabs to switch tab group, because they don’t belong to tab groups any more, and
  • I can’t fix this by making them into regular tabs, because then they won’t all be shown.

I’m painfully familiar with what happens when people treat a bug as a feature. Some years ago, a University Nightline were using a bug in Three Rings as a feature, and were outraged when we “fixed” it. Eventually, we had to provide a workaround so that they could continue to use the buggy behaviour that they’d come to depend upon.

So please, Mozilla – help me out here and at least make an about:config option that I can switch on to make app tabs belong to specific tab groups again (but still be always visible). It was such an awesome feature, and it saddens me that you made it by mistake.


A Video Game Movie I’d See

Video game movies are notoriously bad, no matter how awesome the game that inspired them. Wing Commander took a classic video game series and completely ruined it. Doom was incredibly dull, even though it was based on one of the most popular game series that have ever existed. Prince of Persia: The Sands of Time had so much potential and the chance to draw from the multi-rebooted Prince of Persia video games, but in the end its only redeeming feature was that it co-starred Richard Coyle, whose earlier appearance in hit comedy series Coupling led Ruth, JTA and me to rename the film after his character from that series, calling it The Legend of King Jeff, which would honestly have been a better film.

And let’s not forget the truly dire Street Fighter: The Movie, which ultimately led to the short-lived arcade game Street Fighter: The Movie – The Game, attempting to cash in on the film before the developers realised that this wasn’t actually a very good idea. And it’s only the eighth-worst video game movie of all time, according to this video on GameTrailers. Let’s face it: video games don’t convert well to films.

That said, I’ve had an idea for a video game-inspired film that I think could really be good. Or, at least, so awful it’d be good.

Asteroids: The Movie

Don’t you dare tell me that you wouldn’t go to the cinema to see Asteroids: The Movie: CGI like this just has to be enjoyed on the big screen.

The plot is as follows: Earth governments have been secretly tracking an enormous asteroid for many years. Under the cover story of satellite launches, they’ve been firing nuclear weapons at long distances to try to destroy or deflect the mass, but all they’ve managed is to break it up into many hundreds of smaller (but still devastatingly-huge) rocks, many of which are still headed towards our planet.

We’re introduced to our main characters: a cocky ace fighter pilot who’s just been expelled from his wing group for being too cocky and ace, a young and immature geek who spends his life playing retro video games, and a love interest who spurns both of them and is probably employed by the shady government agency. Early in the film, she acts professionally and doesn’t approve of the other main characters’ respective aggressive self-confidence/childish behaviour, but eventually the three become closer as they work together (and probably save one another’s lives a few times).

Recruited for their various “talents”, they’re to pilot an experimental spaceship right out into the asteroid field and fire their cannons to destroy the asteroids. All is going well, but there are occasional sightings of fast-moving metallic objects around the edges of the field. These turn out to be aliens (in flying saucer like spaceships) who had originally propelled the enormous rock towards Earth in an effort to wipe out humankind, who they – as a result of their warlike culture – perceive as a threat to their galactic dominance. Earth has been on the brink of cracking faster-than-light travel for a while now, as evidenced by secret test flights of the ships which preceded the vessel used in the movie, and this makes the aliens twitchy.

There’s a fight, and it momentarily looks like the aliens stand to destroy the human ship. “This isn’t a video game: we don’t get extra lives!” shouts the love interest character, at one point. “No,” agrees the geek, “But we do have this…” He engages the highly-experimental “hyperspace jump drive” and the ship disappears just seconds before the alien missiles destroy it.

While drifting in hyperspace, the crew find evidence of the aliens’ culture and history, and the other planets they’ve destroyed. They also discover a possible weakness. They’re just beginning to understand what they have to do when they reappear in normal space, apparently only a split second after they disappeared. The chase is on as the aliens pursue the humans through the asteroid field in an exciting chase scene. Finally, the humans discover what they need to do to penetrate the alien shields, and fire upon them. They rush away as the alien ship explodes, vapourising the remaining asteroids as it goes.

The crew return to Earth as heroes.

Now: isn’t that at least as good as whatever Hollywood would come up with? And it’d certainly be far better than the Super Mario Brothers movie.

Hmm. Further research indicates that this might already be going to happen.

Parsing XML as JSON

This morning, I got an instant message from a programmer who’s getting deeply into their Ajax recently. The conversation went something like this (I paraphrase and dramatise at least a little):

Morning! I need to manipulate a JSON feed so that [this JSON parser] will recognise it.

Here’s what I get out of the JSON feed right now:

<?xml version="1.0" encoding="UTF-8"?>
<module-slots type="array">
  <module-slot>
    <title>Module3</title>
    ...

“Umm…” I began, not quite sure how to break this news, “That’s XML, not JSON.”

“Is that a problem?” comes the reply.

Civilization V Release Day

For those of you in the USA, at least, today is the release day for the much-anticipated Sid Meier’s Civilization V. With the promise that this will be the most groundbreaking Civ game since Civilization II, I’ve managed to acquire a leaked screenshot of the very first thing that players will see when they launch Civilization V for the first time:


With apologies to those of you who haven’t had the experiences to find this funny.
