Tuesday, August 11, 2009

 

Security, privacy, and an inconvenience

Redirects are often discussed only in the context of search engine optimization (SEO). Here is a good example of how redirects affect users as well, and why it is important to choose your redirects wisely.

The Central Intelligence Agency (CIA) in 2006 began serving its Website encrypted in an effort to improve security and privacy of the communication.

This is a clear case for a 301 redirect from the unencrypted URL http://www.cia.gov/page to the equivalent encrypted URL https://www.cia.gov/page. Instead, except for the homepage and very few other pages, all requests get redirected to a splash page informing visitors about the site changes:

CIA Site Redirect. CIA.gov has changed its Web address. CIA.gov is now encrypted, except for our Electronic Reading Room, to assure visitor confidentiality. As a result, the Web address for pages and documents in our site has changed from http:// to https://. In addition, CIA Careers has moved to a new location within the Web site. Please use the links or the search form below to find the information you seek. …

Not only is this a bad idea for search since all those links out there on various sites now transfer link weight to a splash page which is marked as non-indexable. It is also an inconvenience to users who need to navigate to the specific content or go back to the previous page and try again with an edited link.

Even the old URL for the World Factbook, arguably one of the most popular resources on the site, no longer goes to the desired World Factbook homepage directly.

The CIA press release states: “We believe the inconveniences of implementing SSL for the entire website will be offset by increased visitor confidence that they are, in fact, connected to the CIA website and that their visits are secure and confidential.”

The effort to increase security and privacy is commendable, and encrypting all communication with the agency certainly isn't a bad idea. Doing so without the inconveniences would be even better though, and perfectly feasible, too.


Monday, June 29, 2009

 

The return of the curvy cucumber

For two decades, the European Union carefully regulated the size and shape of fruit. Often this has been quoted, and rightly so, as an example of the over-regulation by the commission.



Announced in November 2008, the return of the curvy cucumber will become effective on July 1, 2009. Now all those cucumbers and carrots will be “allowed” to grow in all shapes and sizes again (not that they cared too much about EC directives anyway).

Standards usually make life convenient. Just imagine what driving a rental car would be like if manufacturers implemented their own concept of speed and steering controls (too bad that other controls like air conditioning and radio aren't standardized and often not self-explanatory). Or withdrawing money from the bank without standardized bank cards and ATMs. Or connecting to networks if they weren't all using the same protocols.

Regulating the size and shape of fruit and vegetables, on the other hand, doesn't make life more convenient unless you like to see the cucumbers lined up nicely in the fridge. To me, this is mostly an indication of an unhealthy desire to control everything, including Mother Nature. More than two decades ago, the movement which eventually became the Green party started questioning large technology projects, be it nuclear power plants or ecologically questionable hydropower plants. Many of the environmental and energy related issues still need to be addressed. But, at least we have the curvy cucumber back.


Wednesday, June 24, 2009

 

Disagreeing with Jakob Nielsen on security—Password masking makes logins more secure

When it comes to usability, disagreeing with Jakob Nielsen is usually not an option. After all, he has been called king, czar or guru of Web usability for a reason, and his Alertbox offers invaluable advice most of the time.

Disagreeing with Jakob Nielsen on security is easier, especially when he advocates removing password masking as a means to improve usability and claims that this doesn't lower security.

While not offering a high degree of protection, password masking does a pretty good job in most situations. Certainly, a determined and skilled criminal would be able to observe which keys are pressed, or use other attack vectors to intercept my Web interactions. I am often surrounded by trustworthy people who still shouldn't know my passwords, don't care about my passwords and even politely turn their eyes away while I am logging in. Whether showing someone a Website or doing a demo to a larger audience, accessing protected areas of a site in a semi-public environment like a desk-sharing area at work or logging in from a mobile device, those little stars or dots protect my passwords well from becoming exposed.

Security and usability should not be conflicting objectives; in fact usability is an important aspect for any security system, or users will work around usability issues and use it in unintended ways, like copying and pasting passwords from a text file as Nielsen mentions. An extra checkbox to enable password masking just adds complexity to the user interface and may confuse users more than not being able to see their password.

Typing passwords on mobile devices (or foreign keyboards, for that matter) can be challenging. Some smartphones like the iPhone or the Nokia N95 show the letter as typed but then quickly replace it with an asterisk, which is a reasonable compromise.

Instead of cluttering Web forms with additional checkboxes, web developers should demand that browsers and mobile devices provide an option to remove password masking when desired by the user. This would maintain the current level of security by not exposing the passwords to people looking over users' shoulders and address the usability issue for those who have difficulty typing their password and would benefit from visual feedback.

Until then, use this JavaScript bookmarklet to unmask password fields as needed:

var inputs = document.getElementsByTagName("input");
for (var i = 0; i < inputs.length; i++) {
  // Compare the type property rather than getAttribute("type"), which is null
  // for inputs without an explicit type attribute and would make indexOf throw.
  if (inputs[i].type === "password") {
    inputs[i].type = "text";
  }
}
window.focus();

(all on one line, or simply drag the Unmask passwords bookmarklet link to your bookmarks).

PS. More ways to reveal passwords in a controlled manner can be found in Martin Brinkmann's blog post Reveal your saved Passwords in Firefox.


Monday, February 23, 2009

 

Amazon.com: User experience delivering value

While shopping on Amazon the other day, I noticed a subtle yet still noticeable hint that I had bought the very same article already in October 2007.


At first glance, the notice would appear to drive customers away from buying; however Amazon.com has a long-standing reputation for innovation in online commerce and good customer service (although I have been less satisfied with their handling of e-mail correspondence lately) so this didn't come as a complete surprise.

Good user experience design is all about delivering value to the customer, and to the business too:
  • The customer may have bought the product earlier and now orders another copy as a present, which was actually the case for me.
  • Some products, such as blank CDs/DVDs, lend themselves to repetitive orders. Knowing that this is the same product ordered before is reassuring to the customer, which means more business with fewer clicks.
  • In the unlikely case that a customer accidentally orders the same product twice, chances are that she would return the product for a refund, incurring shipping and handling cost for the business; therefore not shipping the product in the first place is not only the most customer friendly, but also the most cost effective solution.
On a related note, Amazon.com has also been innovative in offering pay-as-you-go Web infrastructure, and IBM recently announced plans to deliver software through their Amazon Web Services platform.



Saturday, January 31, 2009

 

Google: This site may harm your computer

Google generally does a pretty good job warning users about suspicious Web sites assumed to contain malware, but their algorithm seems to have gone overboard now. This morning every search result shows a warning that the site may harm my computer:


Wednesday, December 31, 2008

 

0101001011101010111

Google search nicely reminded me that digital storage is still all about ones and zeros:

Strategic Briefing New Storage Paradigm for Enterprise 2008 IBM Corporation – IBM Confidential. 0101001011101010111. 0110101010111010101. 0110101100110101011. 0101110101010101011. 0101110110101010101 ...


Tuesday, October 7, 2008

 

Jamming at the InnovationJam™ 2008

InnovationJam™ 2008

Want to explore how organizations can transform themselves into truly global enterprises of the future? Ready to collaborate with technology and business thought-leaders?

Join the InnovationJam™ 2008.


Wednesday, September 3, 2008

 

Google Chrome first impressions

Does the world need another Web browser? Probably not; most people are reasonably happy with Firefox (or SeaMonkey), Safari and Internet Explorer, and a wide range of lesser-known specialized browsers.

But then of course it's hard to ignore a new browser when it's launched by Google. Matt Cutts quickly blogged about the Google Chrome announcement and conspiracy theories, and the search engine guessing feature in particular caught my interest.

www.ibm.com has supported OpenSearch for years and it's good to see a browser finally making good use of the OpenSearch description and providing access to custom search engines using keyboard navigation. With the OpenSearch definition for IBM Search enabled, typing ibm.com Green IT selects IBM Search as the preferred engine for that search:



The same can be achieved in Firefox with keywords, albeit not as easily.

Rendering of XML content including RSS news feeds leaves much to be desired. Hopefully Google will add full XML rendering support and integrate a feed reader soon.

Incognito browsing is another neat idea; it won't help much to preserve your privacy but could be useful for testing when you don't want all the test pages to clutter your browser history.

One prerequisite for me using Chrome is support by RoboForm, which keeps track of all my accounts and passwords. RoboForm does not work with Safari, but with Chrome being open source it will hopefully support this browser. Web development tools that work with Chrome will be the other deal breaker.

In the meantime I will continue to experiment with Chrome and see what else Google's latest brainchild has to offer.


Thursday, July 10, 2008

 

Microsoft DNS patch KB951748 secures Internet access too well

The latest Microsoft DNS patch improves security too well. The update appears to be incompatible with Check Point's hugely popular ZoneAlarm firewall and possibly other firewall products, and results in complete loss of Internet access.

After a lengthy failed attempt to diagnose a family member's “my Internet no longer works” problem over the phone I saw the BugTraq alert “Microsoft DNS patch KB951748 incompatible with Zonealarm” late at night. Sure enough, uninstalling the update nicely resolved the problem.

The other possible workaround, turning off the firewall completely, would be more risky than living with the spoofing vulnerability until this incompatibility gets fixed.


Tuesday, July 8, 2008

 

What do all the numbers mean?

Who the heck is Charlie O'Donnell? I don't know, but somehow (more precisely, from Ed Costello's bookmarks on del.icio.us) I stumbled upon his blog post An experiment: Who's really out there and how do you measure influence?

When Feedburner reports 2686 readers, does that mean 2686 folks actually read the blog, or once subscribed to it and never came back? So Charlie is running an experiment to determine who's actually reading, how people find out about the blog etc. and as an aside get really popular. This is social marketing at its best, so let's pass on the word and see just how popular we can get this.

Link to the post: http://www.thisisgoingtobebig.com/2008/07/an-experiment-w.html


Friday, June 20, 2008

 

Firefox 3

The Mozilla project released Firefox 3 on June 17 with an attempt to set the world record in software downloads per day.

Firefox 3

While I consider raw traffic numbers only mildly useful and the hunt for traffic records somewhat old-fashioned (when IBM ran the Olympics Websites we would report record traffic numbers, and with the technology available back then the numbers were impressive, but that was in the 1990s) I gladly did my part to set the world record. I mean, how often do you get a chance to be part of a world record, even if your contribution is only 1/8290545.

I even installed Firefox 3 :-) and for most parts have been satisfied with the result. The only complaint I have is that the installation overwrote the previously installed Firefox 2 despite placing the new version in a different directory, and sure enough some extensions were considered incompatible and therefore disabled.

Multiple Internet Explorer versions can coexist on the same machine thanks to the wonderful Multiple IE installer, can we please get an easy and automated way to run multiple versions of Firefox without fiddling with profiles?


Thursday, April 24, 2008

 

PowerPoint: No comma, please

A colleague recently showed me a strange problem with Microsoft Office: When inserting a hyperlink in a PowerPoint presentation, one of the available options is linking to another page in the same document:



This seemed to work nicely for most slides but not for the particular slide he was trying to link to, and PowerPoint would not even show a preview in the hyperlink dialog box:



The programmer in me quickly scanned through the slide looking for “suspicious” elements, the only thing that caught my attention though was an innocent looking comma.

Turns out the comma is indeed the culprit, and the bug is well-documented in the Microsoft knowledge base: The hyperlink to a slide does not work when a comma is contained in the title of a slide presentation in PowerPoint.

Removing the comma, placing the hyperlink and then adding the comma back does seem to do the trick. Or, just don't use a comma.


Friday, April 18, 2008

 

VPS, PDC, DVB, EPG—Why can VCRs not just work?

Video cassette recorders (VCR) have a long-standing reputation for being difficult to use (searching for VCR and usability returns some 90,000 results on Google).

In the early days setting the timer right may have been challenging, and too often the program would change or fall behind and the tape would contain a different program, or a cut off film. Then came the Video Programming System (VPS) and ShowView, which made programming VCRs easy and greatly increased the likelihood of recording the desired program, and later Programme Delivery Control (PDC).

Everything seemed fine until last year when a decision was made to discontinue analog TV broadcasting in Austria and switch to Digital Video Broadcasting (DVB-T). The television system had maintained backwards compatibility with the great many enhancements over the years, from black-and-white to color, from mono to stereo and dual channel audio. This time, however, new equipment would be needed in the form of DVB-T receivers, and of course that means one for each TV set and recorder.

Our first attempt with a twin receiver bought on EBay was a dismal failure. The device seemed to be malfunctioning and vendor support was non-existent (more precisely, we were unable to locate the vendor, which seemed to have gone out of business). We happily lived for a few weeks without television.

Eventually we got a nice Sony HXD-870 HD/DVD recorder with built-in DVB-T tuner and at first were quite happy. Setting up the device was easy (except for the fact it did not recognize Austria as a country) and we were back to receiving and recording TV programs.

Although the new recorder supports VPS/PDC, it does so only for analog sources, which are no longer available, and not for the digital signal, despite the fact that the VPS signal is sent digitally as well. The new Electronic Program Guide (EPG) is convenient, but there is no way to tell the recorder to start when the program starts. Instead you can manually tweak the time range to increase the likelihood of recording the full program.

If that wasn't bad enough already, when we switched to daylight savings time, or summer time as it's called here, the program guide appeared to be off by one hour and so were all recordings. There is a timezone menu but toggling daylight savings time on and off did not seem to make any difference.

The Sony support Website was less than helpful. The only firmware upgrade was for the UK version of the recorder and fixed an unrelated problem that we hadn't encountered.
Fortunately a kind soul owning the same device came to the rescue and shared instructions on how to overcome this bug by switching to a different time zone and then rebooting the recorder. We have since been running on Helsinki time and had mixed success in recording programs.

With all the advances in technology and three-letter acronym features, we are essentially back to the functionality in the early days of video recording, manually setting times and hoping for the program to stay on schedule.

Why can VCRs not just work?


Monday, March 24, 2008

 

Goodbye, Indy!

Time has come to say Goodbye to my Silicon Graphics Indy workstation. It has been a difficult relationship for years, and I finally offered my Indy on EBay.


Introduced in 1993, the Indy for a long time was the workstation to have, powerful and good looking, too. When EuNet, PING and Computerwelt offered a fully equipped Indy workstation as the reward for the best Austrian Website, my good friend Peter Wansch and I submitted The WWW Entertainment Package, a collection of classic board games ported to the Web from the like-named OS/2 games package that Peter had developed.

I had just learned the basics of writing CGI scripts and managed to get four games up and running. Although playing games over the Web was kind of slow in the pre-JavaScript, pre-AJAX era the gaming site was very well received and generated both lots of traffic and nice feedback from gamers around the world, too. We asked people to register for free access, we made it easy for them to vote and we spent a considerable amount of time answering e-mails and encouraging gamers to vote.

To make a long story short, we won. In hindsight, we had a pretty good Website that was actively used and would continue for years, but some other submissions were pretty slick, too. I guess we didn't just win for having the best product, we won because of good marketing.

The news reached me while participating at the WWW3 Conference in Darmstadt and while I had been hoping for this when it happened I could hardly believe it—we did it!

What followed then was a huge disappointment. We learned that we would not receive the machine at the official ceremony at Café Stein but only a few weeks later, and what's worse in a different configuration: The 5 GB hard disk that was originally advertised may seem small today but would have been perfectly adequate back then; what we got instead was a machine with a much smaller hard disk, barely sufficient to hold the base operating system and multimedia tools, and no CD-ROM drive to install software from.


Filesystem Type kbytes use avail %use Mounted on
/dev/root efs 439704 408189 31515 93% /

Now the Indy came with great connectivity already, including Ethernet and ISDN ports, only my home office had neither and upgrading the machine with more memory, a larger hard disk and a CD-ROM drive (from Silicon Graphics only, others would not boot!) was too expensive an option. We could have sold the Indy, probably for a good price. Seriously though, if you got an Indy, would you sell it? (Don't answer, please.)

So for many years this marvel of technology has been gathering dust and remained unused. When I booted the Indy today it started up nicely, only issuing one warning message: “WARNING: clock gained 1856 days”

The auction has a few more days to go and already has six bids. It is about time that someone starts using this machine, and time for me to say Goodbye. It has been a difficult relationship, and yet I will miss this electric-blue colored pizza box.

PS. At the age of fifteen the Indy is still a modern computer. For some really old computers, have a look at the Old Computers online museum.


Monday, January 21, 2008

 

No wonder that this world blows itself up

While standing in line at the supermarket today, I overheard a lively discussion between the cashier and a customer who complained about not getting the discount price advertised on the rack.

This supermarket chain runs a fairly elaborate customer loyalty program, with some discounts applying only to members of the program. There used to be some problems in the past with keeping the signs and the computer systems in sync but not this time. There was no technical problem here, just an oversight on the customer's part.

The customer eventually agreed that the discount wasn't applicable, since she was not and did not want to join the customer loyalty program, and decided to return the tomatoes, mumbling something along the lines of "Everything is getting so much more complicated, no wonder that this world blows itself up."

Now I wouldn't consider the customer loyalty program a serious threat to the world, and actually enjoy the benefits offered, although it means knowingly giving up some privacy in exchange for discounts. (I will gladly post my grocery shopping list here too if someone is interested :-))

Scanner cash registers and storing membership information electronically on the ATM card are certainly vast improvements in usability and convenience over the old manual cash registers (I do remember checking my weekly grocery bill for errors back when I was a student, a rather slow process given the long list of just prices, but it was worth the effort more than once) and collecting discount coupons.

Those of us working in a technology industry should remember though that not everyone will want to or have the ability to adopt new technologies, and those who opt out must not be left behind.

Otherwise, this world will blow itself up ...


Saturday, January 19, 2008

 

localhost considered harmful

Tavis Ormandy has posted a potential security exposure with DNS entries for "localhost" in zone files on Bugtraq. While the impact of this exposure seems minimal, I would rather err on the side of caution, and this should be fairly easy to fix.

"localhost" DNS records in a domain should not be confused with the ".localhost" TLD defined in RFC 2606 Reserved Top Level DNS Names, which should be configured on nameservers. I haven't been able to find a requirement in the RFCs to have a "localhost" entry in a domain, nor can I think of a compelling reason for keeping the entry as long as nameservers for a domain are properly configured to handle queries for "localhost.".

RFC 1912 Common DNS Errors explains how to configure the localhost and 0.0.127.in-addr.arpa zones:

The "localhost" address is a "special" address which always refers to
the local host. It should contain the following line:

localhost. IN A 127.0.0.1

The "127.0" file should contain the line:
1 PTR localhost.

and recommends not defining "localhost" with the domain name appended.

Thoughts on removing "localhost" from zones, anyone?
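As an added example (not part of the post or of Tavis Ormandy's report), here is a small Python checker that parses a constructed zone file, flags "localhost" records inside a domain, and verifies that the standalone localhost. and 0.0.127.in-addr.arpa zones carry the RFC 1912 lines quoted above. The zone contents and the example.com names are constructed sample data.

```python
import ipaddress
import re

# Constructed sample zones (not real data). example.com carries the kind of
# "localhost" A record the post suggests removing from domains.
EXAMPLE_COM_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@          IN SOA  ns1.example.com. hostmaster.example.com. (2008011901 3600 900 604800 86400)
@          IN NS   ns1.example.com.
ns1        IN A    192.0.2.1
www        IN A    192.0.2.10
localhost  IN A    127.0.0.1   ; the record RFC 1912 advises against
"""

# The two loopback zones as RFC 1912 describes them (constructed to match the post).
LOCALHOST_ZONE = """\
$ORIGIN localhost.
@   IN SOA localhost. root.localhost. (1 3600 900 604800 86400)
@   IN NS  localhost.
@   IN A   127.0.0.1
"""
LOOPBACK_REVERSE_ZONE = """\
$ORIGIN 0.0.127.in-addr.arpa.
@   IN SOA localhost. root.localhost. (1 3600 900 604800 86400)
@   IN NS  localhost.
1   IN PTR localhost.
"""

# owner [ttl] [IN] type rdata
_RR = re.compile(r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def parse_zone(text):
    """Return (fqdn, rrtype, rdata) tuples from a simple master-format zone.

    Supports $ORIGIN, '@', relative owners and one-line records, which is all
    the sample zones use; multi-line records and $GENERATE are out of scope.
    """
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # drop comments
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):              # $TTL and friends
            continue
        m = _RR.match(line)
        if not m:
            continue
        owner = m.group("owner").lower()
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = owner + "." + origin
        records.append((fqdn, m.group("type"), m.group("rdata").strip()))
    return records


def _is_loopback(rdata):
    try:
        return ipaddress.ip_address(rdata).is_loopback
    except ValueError:
        return False


def find_domain_localhost_records(records):
    """Names like localhost.<domain>. pointing at loopback: candidates for removal."""
    return sorted(
        fqdn for fqdn, rrtype, rdata in records
        if rrtype in ("A", "AAAA") and fqdn.startswith("localhost.")
        and fqdn != "localhost." and _is_loopback(rdata)
    )


def loopback_zones_ok(forward_records, reverse_records):
    """True when both RFC 1912 lines are present: 'localhost. IN A 127.0.0.1'
    in the localhost zone and '1 PTR localhost.' in the 0.0.127 reverse zone."""
    has_a = ("localhost.", "A", "127.0.0.1") in forward_records
    has_ptr = ("1.0.0.127.in-addr.arpa.", "PTR", "localhost.") in reverse_records
    return has_a and has_ptr


if __name__ == "__main__":
    print("remove:", find_domain_localhost_records(parse_zone(EXAMPLE_COM_ZONE)))
    print("loopback zones ok:", loopback_zones_ok(parse_zone(LOCALHOST_ZONE),
                                                 parse_zone(LOOPBACK_REVERSE_ZONE)))
```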


Monday, January 14, 2008

 

Blogger

Choosing a hosted service for blogging was a matter of a few minutes, and it didn't involve working through feature lists and comparison charts.

I started playing with Blogger and within minutes had a basic template and publishing to my Web server working. The template language looked sufficiently flexible, and the backing by search giant Google made this an attractive choice too.

WordPress would have been next on my review list. The hosted options are probably comparable, with WordPress offering some advanced features for a fee. Anita Campbell has published a great article about moving a blog from Blogger to WordPress, citing a number of good reasons why the latter is a much better option, although Blogger was “simple to set up and use”. Good enough for me.

One minor limitation I noticed is that Blogger only creates a single XML feed but no category feeds, which can be created easily using the rich Blogger data API.

The only complaint I have about Blogger is the incorrect rendering of ampersand and angle quotes:
  • Ampersand: &
  • Angle bracket open: <
  • Angle bracket close: >

They are represented correctly as entities in the XML feed, but rendered as plain characters in the HTML version. This looks like a bug that should be easy enough to fix.


Sunday, January 13, 2008

 

IG-L

When we spent our summer vacation in Sicily in 2004, I often wondered why some road signs in Sicily listed detailed information about the relevant laws and even the specific section and paragraph of the act.

Since 2006, the immission control act Immissionsschutzgesetz-Luft (IG-L) has been enacted in Austria, which allows authorities to impose certain restrictions on production facilities, traffic, and outdoor combustion to reduce immissions when pollution thresholds are exceeded.

The act requires that immission-control-related speed limits be signposted with reference to the act. On previous trips between Vienna and Salzburg I had complained about the unnecessary distraction by additional signs; after all I don't usually care why a speed limit has been put in place, although there is evidence that drivers are more likely to adhere to environmentally motivated speed limits (source: Luftreinhalteplan Stuttgart), and lower speeds generally mean lower emissions (source: Land Tirol: Tempo 100).

One set of road signs around Linz looks especially bizarre: a combination of lifting the 100 km/h speed limit and introducing a 100 km/h speed limit for immission control, and vice versa in the opposite direction.

Recently some of the roadsigns were replaced with large over-the-road displays which allow for dynamic speed limits depending on weather conditions, traffic flow and pollution levels, which is goodness. I wonder though how many drivers will have a clue what the big white letters IG-L next to the speed limit signs mean ...


Wednesday, December 19, 2007

 

I, Blogger

So I have finally started my blog. While the blogosphere continues to grow at an amazing speed, some bloggers of the early days have already switched back to a static homepage they update every now and then, or gone completely offline.

Why now? No particular reason really. I have been playing with the idea of creating a blog and have written up a few blog posts locally without publishing them, just to see how I liked it and what I would have to say. (A few of those early secret blog posts still sit on my hard disk and will eventually show up here retroactively.)

Looking back, I first maintained plogs (for “paper logs”) some 20 years ago when Andrea and I were traveling around in Europe by train. Each of us would write down the experiences of the day, where we went, what we liked and disliked, just about anything that came to mind, in a small booklet. When we were both done with writing, we would read each other's notes, which was great fun.

The intended readership of these plogs was one person. The esteemed readership of this blog may be about the same size currently. By coincidence, Bernhard just started blogging too, so that makes us two late adopters and ensures each of us has at least one reader. Onward.

Next, there was a technology decision to be made: install blogging software or use a hosted service. Ed Costello had shared his experience with getting Movable Type working on pair Networks servers; after reading through the steps, and given that I wasn't planning to spend more than an hour or two on getting things running, I chose to go with a hosted service, Blogger, and have been pretty pleased with it.


Saturday, December 1, 2007

 

Spam filtering with countries.nerd.dk considered harmful

DNS blacklists (DNSBL) provide information about characteristics and past observations of IP addresses and have been used in filtering spam for more than a decade. In short, a spam filter may check one or more DNSBL services to determine if the network address from where an e-mail is delivered is trustworthy or suspicious.

Besides listing addresses of known spam sources or virus-infected machines, there are lists for criteria such as network type (dial-up/cable/DSL) and configuration issues (open relays, RFC non-compliance).

One of my colleagues recently had e-mail to a client rejected by their mail gateway with the error message "554 Your Host 32.nn.nn.nn was found in the DNS BlackList at uk.countries.nerd.dk."

When he asked for help with this, my first thought was that one of our addresses had, rightly or wrongly, been listed as a spam source. However, after looking around countries.nerd.dk it became clear that the recipient was blocking all mail that appeared to come from certain countries according to the countries.nerd.dk database despite the disclaimer on that Website that "countries.nerd.dk is NOT a list of spammers, it is an IP-to-country DNS mapping service."

What's worse in this case is that the mapping was incorrect: The whole 32/8 netblock is declared to be based in the UK: "32.0.0.0/8 :127.0.0.2:Your IP is in uk, rejected based on geographical location". There may be some UK based addresses in that netblock but others are located in North America and possibly other places too, and similar geographic mapping services managed to get the location of the particular mail server (almost) right.

Although many open source and commercial mail filters rely on DNSBLs, there has been valid criticism, and even lawsuits against DNSBL operators. The main concern I have is that administrators may rely on a single DNSBL service to mark messages as spam and reject them without understanding the service's reliability and limitations.
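As an added example (not code from the post or from countries.nerd.dk), the Python below shows how a filter turns a sender address into a DNSBL query name, answers those queries offline from a constructed table that mirrors the over-broad 32/8 entry quoted above, and applies a policy that rejects only on spam-source listings while treating geo and network-type lists as informational. The two *.dnsbl.example zones and the sample sender addresses are constructed.

```python
import ipaddress

# Each list's zone and the kind of information it carries. countries.nerd.dk is
# the IP-to-country service from the post; the other two zones are constructed.
LIST_KIND = {
    "uk.countries.nerd.dk": "geo",
    "spam.dnsbl.example": "spam-source",
    "dialup.dnsbl.example": "network-type",
}

# Constructed stand-in for live DNS answers so the example runs offline. Each
# table maps a prefix to the A record the list answers with (DNSBLs signal a
# listing with a 127.0.0.x address); anything else is NXDOMAIN, returned as None.
# The 32/8 entry mirrors the mapping quoted in the post.
FAKE_ANSWERS = {
    "uk.countries.nerd.dk": {"32.0.0.0/8": "127.0.0.2"},
    "spam.dnsbl.example": {"203.0.113.0/24": "127.0.0.2"},
    "dialup.dnsbl.example": {"198.51.100.0/24": "127.0.0.10"},
}


def dnsbl_query_name(ip, zone):
    """Name a filter looks up: the address's octets reversed, under the list zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def fake_resolve_a(qname):
    """Answer a DNSBL query from FAKE_ANSWERS; None stands for NXDOMAIN."""
    for zone, table in FAKE_ANSWERS.items():
        if qname.endswith("." + zone):
            labels = qname[: -len(zone) - 1].split(".")
            addr = ipaddress.IPv4Address(".".join(reversed(labels)))
            for prefix, answer in table.items():
                if addr in ipaddress.IPv4Network(prefix):
                    return answer
            return None
    return None


def classify_sender(ip, resolve=fake_resolve_a):
    """Query every list; reject only on a spam-source listing, tag on the rest.

    A geo or network-type hit alone is never grounds for rejection, which is
    the mistake the post describes.
    """
    hits = {}
    for zone in LIST_KIND:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is not None:
            hits[zone] = answer
    if any(LIST_KIND[z] == "spam-source" for z in hits):
        return "reject", hits
    if hits:
        return "tag", hits
    return "accept", hits


def smtp_reply(ip, resolve=fake_resolve_a):
    """Render the outcome in the style of the 554 reply quoted in the post."""
    verdict, hits = classify_sender(ip, resolve)
    if verdict == "reject":
        zone = next(z for z in hits if LIST_KIND[z] == "spam-source")
        return "554 Your Host %s was found in the DNS BlackList at %s." % (ip, zone)
    return "250 OK"


if __name__ == "__main__":
    for ip in ("32.104.52.1", "203.0.113.7", "192.0.2.5"):   # constructed senders
        print(ip, classify_sender(ip), smtp_reply(ip))
```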

