K-Squared Ramblings

Free Gas with your Spam List!

Wow… you know gas is expensive when the spammers start hawking gas cards.

Our support contact address received a message touting “Finest List of Nurses Including Email Addresses - Free $50 Gas Card” I had to wonder what the heck it was, so I took a look at the message. They were trying to sell “sales leads” — i.e. names and contact information — of nurses, and were offering to throw in the gas card if you spent enough on “leads” to do your own spamming.

Double-Digit Danger

Andrew Gregory points out that some browser detection scripts might have trouble when Opera 10 eventually rolls around. Why? Because one of the easiest, ways of testing for a version number is to do look for the the “Browser n” or “Browser/n” patterns. The problem is that this strategy only grabs the first digit of the version number. That works fine for 1–9, but once you hit 10, suddenly it looks like 1 again.

Firefox and Safari, currently at just before and just after 3, are likely safe for now, but IE is creeping up on 8, and with their new, faster release schedule, IE10 may only be a couple of years away.

I’ll admit, I’ve written code like that myself (not the specific example, but I’ve done regexp matches that only look at the first digit), but always on sites that I expect to be able to maintain. Of course, one of the lessons to learn from Y2K is that shortcuts get entrenched, and code you thought you’d have time to clean up long before it became a problem has a tendency to stay in use far longer than you expected. And we’ve seen the same thing with web script archives, where someone’s example code that mostly worked in IE4 gets enshrined as “the” way to accomplish something, even though there have been better ways that work more consistently for years.

No, They Don’t Read

It’s clear that a lot of people don’t actually read web pages before they respond to them. They’ll do things like…

• Contact someone with a similar name, even when it’s clearly the wrong sort of organization — say, a student writing club and not the bookseller that’s been causing them problems.
• Ask a blogger for a job application for a company mentioned in the post.
• Ask unrelated tech support questions on a blog post because they used the wrong search terms for their problem.
• Ask for help creating Flash animations on a forum dedicated to the Flash super-hero, then get indignant when people have the gall to point out that they’re in the wrong place.

Now, usability guru Jakob Nielsen reports on a study showing just how much people don’t read. In the average visit, users only read 28% of your text if you’re lucky. You have to drop way down — to 111 words — just to count on visitors reading half of it.

Depressing, but it explains so much. And it suggests there’s a benefit to highlighting key phrases. If they’re only going to read ¼ of the text, you may as well make sure it includes the important stuff.

Hazards of DRM on Music (or video, or any other media)

Mark Pilgrim, in The Day the Music Died, points out what happens when DRM meets market failure.

On August 31, Microsoft will turn off the servers that validate their “PlaysForSure” DRM system (this predates the system they use for the Zune). This means that anyone who has bought music that uses PlaysForSure will not be able to transfer it when they upgrade or replace their computer, or get a new music player.

It won’t be an instantaneous death like DIVX was, or like a subscription system, because it doesn’t phone home whenever you try to play a track. But it’ll be a lot faster than simple technological obsolescence. I can still play my old VHS tapes until my VCR breaks down (and then I could probably still get it fixed if I really wanted to), even though I don’t think I’ve seen a pre-recorded tape in a store in years.

This is also why I prefer to check Amazon’s MP3 store first, before going onto the iTunes Music Store, and then prefer DRM-free iTunes Plus to standard iTunes tracks. Given their current position, Apple isn’t likely to get rid of iTunes anytime soon, but if they ever did, I’d be in the same boat as people who purchased PlaysForSure tracks. (Though I’m hoping they’ll move the entire catalog away from DRM long before that happens.) Whereas since Amazon’s tracks are plain, ordinary MP3s, they could abandon the business tomorrow and I’d still be able to play the tracks for as long as I can find software that plays MP3s.

(via ma.tt)

Weirdest Spam Yet

I’ve seen some pretty weird spam in my time, both as an email user and an email admin. My favorite is still the request to purchase a Dimensional Warp Generator. But this one, which showed up in the spamtraps a few days ago, has got to be pretty close.

Old Witchcraft Secrets - make your wildest dreams come true
Read the rest of this entry »

Flagging (Non)-Spoofed Mail

Following up on the PayPal anti-phishing discussion of a few weeks ago, I see that PayPal is promoting a service called Iconix. You install the program on your system, and it looks at your inbox for messages that claim to be from one of its customers. It tries to verify them “using industry-standard authentication technologies such as Sender ID and DomainKeys.” Messages that pass get a lock-and-checkbox icon attached to the sender’s name, and in some cases the name is replaced by the sender’s logo.

On the tech side, it’s similar to SpamAssassin’s whitelist_from_spf and whitelist_from_dkim features. Both allow you to specify a sender to whitelist, and it will only give a message special treatment if it can verify the sender.

On the user-interface side, it’s similar to EC certificates, in that it tries to highlight a “good” class of messages rather than flag or filter out a “bad” class.

It’s not a bad idea, actually, and now that I’m surprised I haven’t seen something similar in other email clients. It’s sort of like setting up custom rings or images for images on your cell phone address book

They seem to be focused on webmail and Outlook so far, and only on Windows, but it looks like the perfect candidate for a Thunderbird extension. They do have a sign-up form to notify you when they add support for various programs and OSes, and I was pleased to see not only Thunderbird and Mac OS listed, but Linux as well. Too often, Linux gets forgotten in the shuffle to ensure compatibility with every Windows variation.

Browser Bits

Avenicus compares Firefox 3 beta 5 to Opera 9.50 beta 2 on performance and memory usage. The surprise: Firefox 3 uses less memory than Opera 9.50. Clearly all the work Mozilla has done on cleaning up memory usage has paid off.

Codedread comments on Apple’s Web Inventions.

Asa Dotzler counteracts FUD about the safety of Firefox, Safari, and other alternative browsers. His main point: the key measure of security is not the number of vulnerabilities, but the window of vulnerability: the time between a hole being discovered and the patch getting onto users’ systems. (In addition to a responsive security team, automatic updates really help here.)

In just over a week, Opera’s new developer toolset, code-named Opera Dragonfly, will be ready for an alpha release. This will be a welcome addition, not just for developers, but ultimately for Opera users as well. Obviously, it’ll make it easier for web developers to debug compatibility issues, leading to fewer sites breaking in Opera. But it could also bring more people in. Firefox’s growth got started with recommendations by techies. If Dragonfly proves to be as good or better than Firebug, developers will spend more time with Opera, which could lead to recommendations.

There’s a convention for everything

Here’s a weird one. it turns out that ROFLCon, dedicated to all those Internet fads, was held at MIT this past weekend. Found via the Mozilla blog: Firefox Spotted at ROFLCon (look there for a picture of a life-size Firefox mascot with Tronguy).

Flash Sighting? Opera: The Fastest Browser Alive!

Opera Software has just released a new beta version of the desktop web browser, Opera 9.50 beta 2. The splash page makes me think of something a bit different, though:

Opera 9.5 beta
Speed, security, and performance matter.

Now, we’ve made the fastest browser in the world even faster. Opera’s new beta is quicker to start, faster at loading Web pages and better at running your favorite Web applications.

Hmm, a red and yellow blur, zooming across the view? And an emphasis on speed? That reminds me a bit of this guy:

Opera has long promoted itself on its speed, and it has used a super-hero theme in its advertising before. The vaguely Superman-like* “Opera Man” was used heavily in advertising Opera 8, despite being ridiculed by most of the browser’s user community.

So why not a subtle reference to the Flash?

*Blue costume + red cape. Hey, if a blue shirt and red jacket work for Clark on Smallville, you know the color scheme has become iconic.

WordPress Update & Plugin Request

WordPress 2.5.1 is out, with a slew of bug fixes and one “very important security fix” which will reportedly be disclosed soon. It’s worth upgrading ASAP. You don’t want your blog hacked.

Highlights are listed at that first link, but for me the most noticeable change was a fix in the new media uploader. When uploading images on Linux, the thumbnail+properties form would display 3 times, none of them actually usable, for each image uploaded. Once I clicked on the gallery and went back, it was fine, so I could still use it, but it was an extra step that shouldn’t have been necessary. I kept meaning to report the bug, but it looks like someone got to it ahead of me. Thanks, someone!

And now, a request to WordPress Plugin Developers. When you release a new version, please tell me what has changed. Some plugin authors are good about this, including announcements on their web pages. Some even include a changelog with the download. But some don’t do either, and the only way to find out is to download the new files and compare them to the old ones using a tool like diff.

Now that I think about it, putting a “release notes” section in each entry in the Plugin Directory would go a long way toward making this work. It would put the information right there in the directory, and it would encourage plugin authors to compile the information int he first place.

Links: Freedom and Security

The CBLDF has issued a press released detailing the victory in the Gordon Lee case. This was the case in which a comic book store in Rome, Georgia, as part of a 2004 Halloween promotion, was handing out free comics left over from that year’s Free Comic Book Day. Among over 2,000 comics, they accidentally included a copy of Alternative Comics #2, which included a story about Picasso which included him running around his studio in the nude. And they accidentally gave it to a kid. The parents wouldn’t accept an apology, and pressed charges instead. The DA has been determined to make an example out of him, pushing grossly overinflated charges including felonies that would have given him prison time. 3½ years, 3 trial dates, a mistrial for prosecutorial misconduct, and $100,000 in defense costs later, the Rome DA finally agreed to drop the case in exchange for a written letter of apology — which is exactly what the store owner had offered in the first place.

Cookie Security in WordPress 2.5. The latest version of the blogging software has a feature that can make it harder for attackers to grab your login sessions. It involves setting a pass phrase in wp-config.php, one which you’ll never have to remember, but which will be unique to your site. You have to copy the SECRET_KEY section from wp-config-sample.php and add in your passphrase…or you can generate a random code at http://api.wordpress.org/secret-key/1.0/ (be sure to put it in the middle of the file!)

The Internet Storm Center writes on Hundreds of Thousands of SQL Injections — all websites that have been hacked to host various sorts of malware.

Blocking IE6: You, Me and…PayPal?

On Thursday I stumbled across a campaign to Trash All IE Hacks. The idea is that people only stay on the ancient, buggy, feature-lacking, PITA web browser, Internet Explorer 6, because we web developers coddle them. We make the extra effort to work around those bugs, so they can actually use the sites without upgrading.

Well, yeah. That’s our job.

And a bunch of random websites blocking IE6 aren’t going to convince people to change. If I were to block IE6, or only allow Firefox, or only allow Opera, I’d have to have seriously compelling content to get people to switch. Mostly, people would get annoyed and move on. Who’s going to install a new browser just so they can read the history of the Flash? Or choose an ISP? Or buy a product that they can get from another site?

Slapping the User in the Face

It’s so easy for someone to walk away from your site. One of the tenets of good web design is to make the user jump through as few hoops as possible to accomplish whatever you want him/her to do. Every hoop you add is an obstacle. Too many obstacles, and they’ll just go somewhere else more convenient.

Back when I was following Spread Firefox, every once in a while someone would suggest blocking IE. Every time, people like me would shoot it down. Read the rest of this entry »

Sci-Tech Links

Scientists have built a computer model of the Neanderthal vocal tract based on fossils, and have simulated the kinds of sounds they could have produced. Ever since I read Robert J. Sawyer’s Neanderthal Parallax novels, I’ve been fascinated by the idea that there were two distinct human species, living side by side, for perhaps thousands of years. What happened to them? Did our ancestors kill them off, or interbreed with them? Did they fail to adapt to a changing climate? (via Slashdot)

On a related note, it seems that Expelled, the anti-science propaganda film that actually invokes Godwin’s Law by claiming that “believing” evolution leads to Nazis, opens this weekend. I’m curious to see how badly they misrepresent things (it’s always best to look for yourself, instead of just taking other people at their word—that’s the whole idea behind science, after all), but I can’t bring myself to support them by actually giving them money. Meanwhile, Expelled Exposed is interesting reading.

Somewhat(!) less controversial, InformationWeek reports that Windows XP SP3 may be out as soon as next week. This reminds me: I really should look up some reviews of Vista SP1 and see if it’s improved matters any.

Still in software, dria.org explains why the AwesomeBar is awesome. That’s the nickname given to the new address bar in Firefox 3, which lets you search your browser history as you type. It’s the reason I never went back to Firefox 2 after trying out one of the later FX3 betas, and why I’ve installed Fx3b5 on two more machines. The Opera 9.5 previews have a similar feature, but Firefox’s implementation is better visually. It’s easier to spot the page you want, and over time, it learns which pages you visit more often. It’s so much faster to type a word or two than to hunt through the bookmarks menu. (via Asa Dotzler)

[Edit] I forgot to include IEEE’s article on how copyright law applies to websites, What Can You (Legally) Take From the Web?

Finally, ***Dave relates an incredibly cool story of going to see Avenue Q and what happened after the show. I had no idea that (at least in New York), the “Give Me Your Money” segment was actually collecting for a charity.

Apple Updates Software Update, Addresses Criticism

In conjunction with the Safari 3.1.1 security release, Apple has also released a new version of Apple Software Update for Windows. With version 2.1, they’ve taken the opportunity to fix one of the problems that caused so much criticism last month.

It now shows two lists: one for updates, and one for new software. This takes care of one of the three easy steps that I culled from discussions back in March:

1. Separate updates from new software and label them clearly. Done.
2. Leave the new stuff unchecked by default. Bzzzt! Try again!
3. When run automatically, don’t pop up a notice more than once for each piece of not-installed software. [Edit:] Done.

Unfortunately the new software is still checked by default, but one hopes that the separate list would be enough to make people stop, look, and make a conscious choice as to whether or not to install it.

I don’t know yet how it handles new software when run automatically, or whether they’ve made the ignore option apply to an entire piece of software rather than a specific installer. I’ve taken iTunes off the ignore list and set it to check daily so that I can find out. [Edit:] I haven’t seen it pop up in the last 24 hours, and according to eWeek, “Apple will now only prompt the user if there are critical security updates available.”

Read the rest of this entry »

Avatars!

Since Gravatar was bought by Automattic, the service has been a lot more stable. I had already re-enabled them on this blog before WordPress 2.5 came out with built-in Gravatar* support.

Not everyone has a Gravatar, though, so many comment threads just show the default icon, over and over. Not only does this look boring, but it misses out on the whole point of using an avatar: providing an easy at-a-glance visual distinction between each author.

When I first used Gravatars on this site, I set it up to use a giant first initial as a fallback. Now, I’ve been trying out two plugins that will automatically generate avatars for people who don’t have their own:

• Wavatars builds up cartoony faces using geometric shapes. Interestingly, it’s by Shamus Young, author of the screencap-based webcomic DM of the Rings and writer of Chainmail Bikini.
• WP_Identicon sounds like a Transformers faction, but produces a geometric pattern as inspired by Don Park’s Identicon, which built a similar image based on a visitor’s IP address. The same author also has one that generates cartoon monsters, which appears to be one of the earliest implementations of this concept.

These plugins will use a Gravatar if available, or else generate an image based on the commenter’s email address (if supplied). That means each comment by the same person should use the same image. Other blogs using the same plugins at default settings will come up with the same avatar for each commenter, as well. The images are stored in a cache, so each only has to be generated once.

Once I made sure both plugins worked, I showed the results to Katie. We ended up settling on Wavatars, since faces are easier to recognize than patterns. (Though the patterns are really cool!)

You can try out the automatic avatar by leaving a (relevant, please!) comment on any post. Or you can run over to Gravatar and set up an icon of your choice!

*What’s a Gravatar? The intent is to be a Globally Recognized Avatar. You upload an image to Gravatar and associate it with your email address. Then any site with Gravatar support will be able to display your image next to your posts. Right now it’s mostly used in blog comments, but it could easily be worked into forums, wikis, etc. The Gravatar Blog mentions other uses they’ve seen people apply it to, such as plugins for Thunderbird and the Mac OS X Address Book

Note: I did notice one important drawback to the WP_Identicon plugin: it’s very inefficient at generating the images. When I first visited posts with long comment threads, like Another One Bites the Dust (174 comments) and Songs Not to Play at a Wedding (87 comments), WP_Identicon took over a minute to generate all the icons and maxed out the server’s CPU. Sure, the images are cached, so it’s only really an issue when you first install the plugin (unless you get a lot more people commenting at once than we do here), but to compare, Wavatar on an empty cache finished the same posts in just 4 seconds and 2 seconds, respectively.