Terminally Incoherent

I previously wrote about two of my observations regarding use of email among the young and technologically clueless college students. First observation was that none of my students ever had a straight POP3 or IMAP email account in their life. Every single email account they have ever used had a webmail interface and so in their minds, email is something that you do on a webpage. Email client to them is an oxymoron or some strange archaic piece of software, about as useful to them as a floppy drive.

Their primary mode of communication is IM, texting and naturally Facebook/Myspace. Email is something you when you need to send Christmas wishes to your grandmother, or complain about your grade to your professor.

Second observation was that if allowed, most of my students (as well as my coworkers) will try to avoid ever managing the file system directly. They use their desktop or My Documents folder as a big Temp file, and either delete files from it afterwards, or just ignore them and live with the mess. Very rarely do I see thought out directory trees or any hierarchical sorting in the file system on their machines.

My third observation is a direct outgrowth of the second one, and is related to the first. Since students no longer really use email as primary communication tool they decided to use it for something else - storage. They understand email, but do not understand the file system. So whenever they want to save something for later, they just email it to themselves - and i t becomes instantly available to them from anywhere via an easy to use web interface.

I think this mentality is heavily influenced by student mobility. Since not everyone owns a laptop, some people find themselves working on computers they do not own - for example workstations in a public computer lab, a laptop borrowed from a room mate, their home desktop and etc… How do you easily transfer files between computers in such an environment? You could use a flash drive but these are easy to loose or forget. Online storage is the only reliable way to handle it. And what is the easiest way to implement online storage? Via email of course.

I have to admit that I’m guilty of using my email this way as well. Each day I alternate between my home desktop, my work laptop, and one of the 3 or 4 teacher workstations at school. When I’m in a hurry I will sometimes send something to myself to pick it up from a different machine later because it is often the fastest, and least complicated thing to do. That of course doesn’t mean I approve of this behavior. To me it just doesn’t feel right. Email was not meant to be used this way and the whole procedure is silly. Your file ends up being stored twice - once in the inbox, once in the Sent Mail folder, and it makes a short trip between the webmail server, the outgoing server, the incoming server and back to the webmail. It’s a waste of bandwidth and it bothers me.

Are there alternatives? Yes, but none are as convenient or n00b friendly. Ideally, you would want a web service which is as easy t use as email whose sole function would be providing you with online storage. One such service I have been using recently is Xdrive. It’s not perfect though. Their online interface is horrid - cluttered, counter intuitive, and way to busy with buttons, panels and color. It insists on showing you your files both as a list and as a tree at the same time. It also has an impressive array of buttons, links and controls which are often redundant. It is the quintessential AOL school of design - seeing how these are the folks behind the application.

While I’m on the topic, I wanted to mention that there are two distinct ways to design your UI. There is the interface driven way, and the content driven way. The former puts emphasis on buttons, panels, levers, switches and blinkenlights and then stuffs contents into some small view port hole surrounded by interface elements. The later shows you content, and tries to minimize interface elements handling interaction in context aware way. Google excels at making context driven interfaces both for the web and for the desktop. Everyone else seems to be falling short in the web based area. AOL was always notorious for creating horrid interfaces that looked sleek, but were barely usable.

So it’s surprising that Xdrive Lite client is a content driven application. It sports a much cleaner interface, with much fewer buttons. There is virtually no clutter and the app is extremely easy to use. You copy files to your online storage space by simply dragging and dropping them from your file explorer application. It is actually working fairly well in Linux but not thanks to AOL or Xdrive naturally. It works because Adobe Air now runs on linux and so, accidentally the Xdrive client does too. File manipulation and downloads are done via clear, intuitive context menus.

I must say that I really like this app. So I often use it to shuffle small files between my work computer, my home desktop and my laptop in a hassle free way. It works great, it is light on resources and feels much more appropriate than spamming my own inbox.

Still, this is not a perfect solution for my rather clueless students because they inherently despise client software. Installing something is always a hassle. AIR apps install rather quickly and easily, but you need to have AIR installed first. So it is at least a 2 step procedure. Not to mention that public lab computers often do not have admin privileges that would allow them to install stuff. The web interface on the other hand is just to clunky to be useful. They’d have to learn to use it, and I’m sure that this would be a nuisance.

All our students naturally have Novell Netdrive accounts but the web interface for that thing was also designed by professional contortionists. I make them use it when they create HTML websites but I often must walk them through the process 4 to 5 times before it starts sinking in. Not that it is hard, or complex - it’s just new, and not very intuitive. Or rather what is intuitive to me (public websites go into PUBLIC_HTML folder) is alien and incomprehensible to them. Logging into webmail and emailing themselves is just more convenient, straightforward and familiar. I could try to break this habit, but then again who am I to say how people should use technology that’s available to them. If they want to use email as storage, then more power to them I guess… No matter how that annoys me.

For like a week or two now, I noticed something strange and yet not entirely unpleasant happening to my inbox. There were no angry emails from students complaining that I didn’t grade their homework submitted 3 weeks late the very second when they submitted it on Sunday evening at 3AM. My spam filter has already learned to automatically and quietly file away the mail from all the MSU specific mailing lists to my SPAM folder so I didn’t really notice any decrease in traffic.

Here is a side note for those of you who haven’t attended my lovely alma matter, and current teaching grounds. When you start as an undergraduate and get your university based email address you get automatically subscribed to 5 million mailing lists with creative titles such as [allstudents], [undergraduatestudents] and etc. The mailings range from weather announcements, information about campus events, bookstore deal, off campus events, local events, events that have nothing to do with the school, job opportunities, random shit and a etc. On average you can get 60+ emails per day. If you are silly enough to come back as a grad student you get signed up for another million mailing lists, some of which double up on functionality with the undergrad ones so you get upwards of 100+ emails per day. If you become a faculty member or an adjunct after that you… Well, you get the picture. Naturally, your mailbox has 15 MB quota so if you go on vacation and don’t download any of your emails for a week your mailbox will fill up, and new emails will get rejected. Best system evar!

Before they took away my school unix account I was using a simple procmail script to sieve all this crap to /dev/null. The script was actually written by my former mentor who was also sick of this crap.

But let’s get back to the matter at hand. Apparently several of my students told me they were trying to reach me via email for days with no success. I went digging in my inbox and my SPAM folder, and my fears were confirmed. There was no recent email there. Everything was few weeks old. What happened?

Worst part is that there was almost no way for me to notice this. There were no error messages, no notifications, no bounced emails. KMail had no problems connecting and authenticating against the POP server and kept telling me that there was simply no messages on the server. Hell, I could even log into the school’s web mail service to see this:

I called OIT today and confused the hell out of them too. Apparently I was still using my student email account and these expire after a year. But while my email expired, my login was inexplicably tied to other services which I was still using - such as the course management service, the online storage, and dozen of other things. So it appears that I appear as a teacher in some school systems, as a student in other, and even as neither in some. In other words, whatever was done to my account(s) last may was done wrong and it set off a time bomb destined to explode in a year. And that’s what happened here. And the timing couldn’t be worse either since this is the very end of the semester - the time when students always have tons of questions about their grades, projects and etc.

I guess few grad students turned adjuncts stick around for longer than a year around here. It seems that my case is fairly unique and unusual. Let’s hope they can figure out how to fix it without totally fucking up my login to all the school services.

I talk about DRM a lot, but I never really found a perfect way to explain it to people who are clueless about technology. When I teach a class on digital media, and go over DRM I usually briefly cover different methodologies, and then put up dates when they were cracked at the end of each slide. I found that it really drives the point home when I go through this buildup stage, explaining these extremely complex systems and conclude each series of slides with “Oh, and this scheme was actually cracked 3 days after release”.

Then I usually reuse few slides from my cryptology lecture and give them Bob, Alice and Eve example, emphasizing how in DRM world Alice and Eve are the same person. This is a great example that really speaks to people who understand and care about cryptography, but Fluency in Technology students usually find it a bit confusing. I’d love to have something explains the absurdity of DRM in a way that is clearer, funnier and doesn’t involve the 3 most hated people in my classroom (sorry Bob, Alice and Eve).

I think I might have found an allegory that might just work on that level. This is how Shamus from Twenty Sided described DRM in his recent post:

In the original Monkey Island, at one point you are captured by natives who lock you in a simple bamboo hut. There is a trap door in the floor through which you may escape. If you’re dumb you can walk over to the natives once you’re out, and they will grab you and throw you back into the hut. The second time they throw you in, they add chains to the door. The next time the door is made of metal. This keeps going until eventually (if you keep going back) they have a bamboo shack with a massive steel vault door on the front, a timed lock with an alarm system on it. It looks like the front of Fort Knox.

“How he keeps getting out is almost as mysterious as why he keeps coming back.“

In a lot of ways these DRM schemes are a bamboo hut with a vault door on the front. The keep using a bigger and bigger lock and a more complex system of authentication, but it still has to run on a machine where you can edit the executable, and all the hacker has to do is go in and disable the part that says, “Do the security check.” It doesn’t matter how secure or complex or devious the security check is, if the machine’s not doing it, it’s not doing it.

I played that game, and I remember that part but I never connected the two! But it is a perfect fit! It’s vivid, funny and really gets the point across. I really don’t expect my students to actually know what Secret of the Monkey Island was. Most of them are just to young to have played it when it was still on the market, and to clueless to download it from one of the the abandonware sites and play it via ScummVM. Well, maybe one or two would actually know about it. Still, the story is silly enough to work so I’m totally stealing it.

Here is a youtube video of that scene for your reference:

escape from the hut © pheedbaq

Shamus is right of course - it very difficult to design copy protection software in a way which will be difficult to crack by a 15 year old kid armed with a debugger and a hex editor. Anything that is running on the client machine can and will be tampered with. The only way to make the game uncrackable is to have the copy protection run on a remote server and have the client simply forward over user authentication. Still, that doesn’t prevent people from sharing accounts and hacking the client to do weird things. Not to mention the costs of running an operation like that. Most of video games that are not MMO’s are really client based applications ant as such will always be vulnerable.

So the second best thing you can do is to mislead and confuse the potential attacker and make his job difficult. Adamantyr posted a god example of this practice in the linked thread over at Twenty Sided:

Concerning executable cracking, Chris Crawford has a VERY good write-up of how he protected one of his games in his book “Chris Crawford On Game Design”.

In particular, he uses obfuscation techniques such as:

• Burying work code inside of recursive loops, so reading the active process stream has a ton of noise the hacker has to wade through to find the ONE interval that does something.
• Code over-writing, in other words, the program overwrites parts of itself while running in memory. This is actually really bad from a security standpoint nowadays, but it’s fiendishly clever and sadistic for the poor hacker who’s world view has just been demolished by code that changes when he’s NOT LOOKING.
• Dummy variables with obvious names that draw the hacker away from the actual important ones.
• Storing actual data in the stack garbage and fetching it in a clandestine way, like an “accidental” buffer over-run.
• Deliberately breaking the game so the legitimate version would “fix” one element of data. Otherwise the game can’t be finished.

He actually hired a professional hacker to try and break his program after he’d finished it, and the guy never got past the first level of defense he set up. He later found cracked versions online, but none of them were actually completable as his “flawed” data element wasn’t fixed.

I haven’t read Chris Crawford’s book but the techniques mentioned above would indeed make the life of your average teenage cracker very difficult. However, they would make the life of your average game developer a nightmare as well. Some of these things are really bad practices. Storing data in garbage, controlled buffer overflows, cryptic spaghetti code - this stuff is just bad software development plain and simple. If you are a single programmer on the project, you can probably get away with scattering stuff like that all over your code. When you are working as part of the team, this is the kind of stuff that will get you beaten up by an angry mob of coworkers who have to debug your cryptic code.

These methods do not really seem to fit well into the modern software development model. The only way to make this soft of copy protection work is to have it tightly woven into the very fabric of your software. The copy protection checks should be tightly coupled with real processing code, overlapping and hiding behind real data in as many places as possible. But who the hell is going to test and maintain that kind of stuff? No one really does copy protection this way anymore.

These days most companies think of DRM as a security layer or a module you can buy or license then slap onto a wide range of products your products. They view it as installing a lock, on the bamboo hut because that makes sense and is economical. Once you build an awesome lock, you can use it on any hut you want. Sadly, a hut is still a hut. It is made out of bamboo which can be defeated with a hacksaw, and you can always tunnel under it since it has no floor. What Crhis Craftword seems to be proposing is building a Cube like environment instead of a hut. But that is a hard job which requires not only dedication but also experience. The problem is that most game developers are not really experts in obfuscating their code, and building copy protection mechanisms into their code. In fact they are usually the exact opposite of that. They are trained to write clean and understandable code that is easy to test, easy to debug and conforms to the best practices. Game development studios just want to make games. Who insists on DRM then? The publishers of course. They are the major driving force behind the copy protection industry because “piracy” cuts into their profits the most. And they are not experts on writing obfuscated software either. What they want is something simple like this:

1. Get a nice black box containing precompiled binaries for the game from the developer studio
2. Purchase a another box with a complete, end-to-end DRM solution
3. Pay some low skilled employee to wrap the game proper in the DRM container creating master package to be burned on CD’s or DVD’s
4. ???
5. Profit

Neither game developers nor publishers are really interested in building these protection systems. They are interested in buying them, and thus a whole new industry grew as a response to this. Companies started specializing and building DRM systems as separate products. DRM is now a piece of software that is generic and modular designed to fit with as many different products as possible to maximize profits. It can’t blend seamlessly into the game it is protecting or hide behind live data. By necessity, the number of places where the game code intersects with DRM code is limited. The more you try to integrate the two, the more of custom code and modifications you need. And of course, DRM makes charge for this kind of stuff at a premium rate. So the direction which the game industry seems to be taking is building really complex and impressive locks to use on their bamboo huts because it is really the only logical and economical way to do this. The other route is just plain nutty - exuberantly expensive, and potentially creating huge maintenance problems in exchange for what? They can’t guarantee you success - no one can. If something runs on the client machine, it can and will be tampered with - any part of it can be overwritten or modified.

But as you can see the whole system is deeply flawed. Sometimes I wonder how do executives who make the decisions to use DRM systems such as SecuRom or StarForce react when they find out that a cracked version of their product hit the torrent sites 3 hours after the release? How do they justify the expenses they incurred to license the protection technology? Perhaps they don’t. Perhaps no one tells them these things. Perhaps they live out their lives oblivious to the truth, thinking that the millions of dollars spent on licensing some DRM product actually made their software invulnerable. More likely though they hide behind company policy so they can then justify low sales to their sock-holders telling them stories how evil pirates are still robbing them blind despite these strong counter-measure steps they took.

Anyway, if you don’t mind Shamus, I’m gonna use your Monkey Island allegory next semester when I’m teaching my class about digital media and DRM.

I’m posting this a day late because it took me a whole morning to figure this one out. It appears that Comcast has completely blocked both inbound and outbound traffic on port 25 for my company. For a few years now we have been running a in-house authenticated SMTP server using IIS. It was running on port 587 and basically relayed emails to another server at an off-site location on port 25. Why was it set up this way is a topic for a whole other rant, but it worked well for us until now.

When I came in to work yesterday morning all was well. Few people around the office mentioned something about a slow day, noting their inbox was unusually empty. I didn’t really pay much attention to that chatter, until someone decided to email something to herself and it never came through. Then all hell broke loose.

You see, this problem was essentially hidden from regular users because they could connect to my in-house server on port 587 without any issues. So their emails were leaving their outbox as normal, and then queuing up on the server, never to be seen again. The server itself could not shoot them back failure notifications either, because it could not connect to it’s relay point on port 25. So people were emailing each other all morning without even realizing something was amiss. When they caught on, it was instant panic mode spreading throughout the organization like a fucking wildfire.

For several hours I was methodically checking, re-checking, restarting, and power-cycling every single device and service that had anything to do with email traffic. I was also calling the folks who maintain the off-site server every 5 minutes to see what was their progress. They were convinced the issue was on my side, and I was adamant that it was on their side. After much deliberation, we came to the conclusion that we were both wrong. The off-site server was accessible from everywhere but my location, but there was nothing here in the office which would prevent it from communicating on port 25.

We tested outbound and inbound traffic on their side and it was working just fine so that left only one conclusion - my ISP fucked us over and completely sealed off port 25. Once we realized that, the conclusion was as swift as it was simple. We simply switched the external server to listen on port 587, changed the outbound port in IIS and an avalanche of backed up email started streaming into people’s mailboxes.

Let me run that by you again in case you didn’t notice - once we figured out what the issue was, it took us 5 seconds to reconfigure our shit, and route around it. So if this supposed anti-spam measure is so easy to circumvent, then can someone explain to me how is it supposed to be stopping hard core spammers with their sprawling botnets out there? I’m pretty sure most of semi-modern spam-trojans can be remotely reconfigured to send out emails on alternate ports.

Port blocking has became pretty much an industry standard these days, but I still fail to see how it could ever be effective. What is stopping me from running an email server on port 80 or 443? Will they block these two ports as well? It is just a knee jerk reaction, that might be effective in a short term. It won’t work in the long run though - soon they will run out of ports to block, and regular customers won’t be able to use any kind of non-standard internet services for genuine purposes without bending over backwards.

This is just one of these wholesale, one-click-and-your-done spam solutions. Why do ISP’s do it? Because it’s easy! You block some important ports, and the amount of spam and genuine email routed through your network goes down. You boss is happy, your investors are happy, folks in the security business are clapping their hands marveling at the sudden drop in spam, forgetting it will be back to normal in a month or two as all the spammers will figure out the same thing I did just now.

The only people who are not happy about this are the customers, but Comcast does not really care about them that much anyway as it has blatantly demonstrated in the past with it’s bandwidth throttling, and lackluster tech support.

Also, Twitter > than regular tech support resources it seems:

Despite the fact that we were constrained to 140 characters per pop, talking asynchronously and multitasking, this was still way more pleasant than my experiences with Mr. Rooter and Mr. 125 Times. Not sure if that guy is an actually really affiliated with the company in any way, but he seems to be representing them well in the 140 character conversation universe.

One more reason to love Twitter and hate Comcast!

I wasn’t going to comment on Joel Spolsky’s Martian Headsets ramble for two reasons: it was an obvious troll-bait, and people much smarter than me already pounded it into the ground. But alas, the Spolsky FUD seems to have infected one of the less known blogs that I really enjoy. I don’t blame Shamus though - he is a good man. It’s just that well written FUD is contagious like brain rot. And Spolsky went all out - he even has pretty pictures all over that article. So I kinda feel that I must counter measure this until it spreads any further.

Joel is essentially trying to tell us that W3C standards are bad because there is no 100% compliant implementation in existence. Therefore he advocates completely ignoring them, and and claims that the efforts make IE8 default to standards mode are ill conceived.

Only he is missing the forest of the trees here. If there is no standards, how can we even strive for interoperability between browsers? Joel doesn’t care because he only uses IE and he is convinced that 98% of the universe does the same (which is gross exaggeration). In the real world however, the standards give us an ideal towards which we can strive for. Different platforms will implement things in different ways, and by comparing implementations we can slowly improve and creep toward that ideal. Sooner or later everyone will be roughly on the same page, and the differences in implementations will be small enough to be negligible. Stefano Mazzocchi does a much better job of describing this process, so take a look on his post on the topic.

In a way this has already happened. Most of the major browsers out there including Firefox, Opera and Safari are perfectly happy displaying the same pages in very similar ways. The standards problem only becomes apparent when IE enters the equation - it has always been a problem. If we bring IE8 into the manifold, then this inter operation and compability issue will slowly phase itself out of existence. I think Sam Ruby hit he nail on the head when he said:

Web pages like Google Maps work on other browsers. Not because of a mythical, platonic “standard” in scare quotes. But because of standards that are actually implemented compatibly. And because in standards mode, these other browsers don’t implement the non-standard IE only Javascript objects that Google Maps checks for.

After reading Joel’s long winded rant, one might come to the conclusion that these “standards” are some truly arcane mysterious texts. But they are not. Granted, they are not simple and straightforward, but it’s not like there is no existing body of knowledge, and interpretations out there. Volumes of text have been written on the nuances of these standards, and there are groups and communities out there completely devoted to pouring over these documents and interpreting them. There are people who specialize in this stuff and will actually hire them to consult you on any and all standards related questions and concerns. But Joel conveniently ignores this fact. He goes on to say:

The precise problem here is that you’re pretending that there’s one standard, but since nobody has a way to test against the standard, it’s not a real standard.

Mark Pilgrim, whose post on this topic is hilarious, eloquently sums with one short sentence:

I have never heard of test suites.

There are test suites, applications and comparison tables you can use. And if anything else fails, you can go straight to the source and hit up the W3C mailing lists. But Joel is not done, he goes on this weird tangent - just bear with me while I quote it in it’s entirety:

If you’ve ever visited the ultra-orthodox Jewish communities of Jerusalem, all of whom agree in complete and utter adherence to every iota of Jewish law, you will discover that despite general agreement on what constitutes kosher food, that you will not find a rabbi from one ultra-orthodox community who is willing to eat at the home of a rabbi from a different ultra-orthodox community. And the web designers are discovering what the Jews of Mea Shearim have known for decades: just because you all agree to follow one book doesn’t ensure compatibility, because the laws are so complex and complicated and convoluted that it’s almost impossible to understand them all well enough to avoid traps and landmines, and you’re safer just asking for the fruit plate.

WTF in hell? I actually laughed as I was reading this. I hope you find this funny too, because this whole big paragraph shows exactly where Joel is coming from, and how far he is of the mark. They are nothing like religious orthodoxy. The interpretation of religious scriptures accepted by the Mea Shearim Jews is pretty much set in stone. In 50 years they will probably be using the same interpretation - perhaps slightly adjusted to account for advances in technology and changing lifestyles. Implementations of web standards are not meant to be religious orthodoxies. If MS doesn’t make IE default to standards mode now, then they will be in the exact same situation in a year or two when they are ready to release IE9. If we keep defaulting to quirks mode, and continue rendering web pages in the same half assed IE6-7 mode, then why even bother implementing the standards? Why even make any changes to the rendering engine? Let’s freeze the code at IE7 stage and only improve the browser by adding UI features from now on. That seems to be what Joel is implicitly suggesting.

Gordon Weakilem makes a very good point when he says:

I mean, really, after Joel harping on about “smart, gets things done”, would Joel accept “Those documents are super confusing” as an excuse in an interview, or for why a developer doesn’t understand something like operator precedence? Really, is there an excuse for ignorant or lazy?

Indeed my friends. Joel’s whole rant is about how difficult, confusing and impossible to implement the standards are. I guess we ought to give up then, right? A mark of a good software developer is that he simply abandons a project at the first sign of trouble.

But the best part is that even Joels summary near the end of his lengthy triad contains a hidden contradiction:

98% of the world will install IE8 and say, “It has bugs and I can’t see my sites.” They don’t give a flicking flick about your stupid religious enthusiasm for making web browsers which conform to some mythical, platonic “standard” that is not actually implemented anywhere. They don’t want to hear your stories about messy hacks. They want web browsers that work with actual web sites.

Let’s for a minute assume that 98% of the world does use Windows, and that they will all install IE. If my website doesn’t work in IE8 on the release date, guess who is going to get publicly flogged and then castrated by the upper management? If you guessed it was me, you are right. My boss is not going to give a flying fuck that the IE changed the way it is rendering pages. The people who will notice this change the most will be web developers who will have to fix hundreds of web pages, not the customers. No major company will allow their page to remain broken once IE8 release is imminent.

Here is what I secretly think will happen - IE8 will get released, and end users will blog at length about all the new features in the browser. Most of them won’t even notice the standards thing. Few legacy applications, and poorly maintained pages will break, but Google, Yahoo, Myspace, Facebook and all the other big and popular sites will work like they always did, or better.

Sure, few people here and there will blame IE8. Are they going to install Firefox? Yeah, right. The people who know about Firefox either don’t like it, or are already using it. IE8 breaking won’t push people towards alternative browsers. And surely it won’t make them abandon windows altogether. That would be the day! Worst that will happen is that they will downgrade back to IE7 - if they can figure out how to do it. Most of the clueless users from Joel’s example will simply shrug it off and learn to live with it.

You don’t even want to know hoe many times I heard my users complain about “the new Microsoft” (IE7 in luser speak) that got installed on their computers. When I offered to downgrade them back to IE6 almost all responded with a surprised “you can actually do that?”. Users will survive - they are already used to Microsoft breaking their shit.

So there. This is my Spolsky headsets rant. Regrettably, that’s another link to Joels page, and probably few dozen page views (considering my click through rates) and few extra dollars in his adsense account. Maybe I should take cue from Mr. Spolski and post some horribly inflamatory, nonsense every once in a while and then just sit back and rake in the cash. Unfortunately, while I’m shameless and blunt at times I have that thing… I think they call it integrity or something like that. Oh well… Now that it’s over with, let’s get back to usual craziness.

Here is a question for my IT/Sysadmin readers out there. When you get a user who has an apostrophe, or an unusual character in their last name, how do you go about setting up his or her email address? Do you:

1. Drop the apostrophe and special characters and/or replace them with the closest ASCII equivalent to keep it easy
2. Keep the special characters and force everyone in the world to struggle as they try to email that user

Apparently IT people at a certain bank that I will not name (but let me just say it’s initials are HSBC) think that option #2 is a good idea. Why? Let’s think about a hypothetical scenario in which, for example and apostrophe in the email could be a problem. Again, this is just a make believe situation that has never actually happened yesterday at my company.

So, hypothetically speaking a made up user JC calls me up yesterday and tells me that she can’t send email to one Frogurt D’mangello who works at the said bank. Why can’t she do it? Because Mr. Frogurt’s email looks like this:

On the surface this is ok - after all apostrophes are allowed to be part of the email address according to the RFC, right? I know this, you know this but apparently whoever hacked together SquirrelMail didn’t. So when you try to send an email to Mr. Frogurt via this popular and widely used webmail application his address becomes:

Yes, someone is running mysql_escape_string method on all input fields, even those which legally are allowed to contain MySQL unfriendly characters. I should be mad at SquirrelMail but you know what - they are doing the right thing. I sanitize all my input fields too when I work on a web application. Better be safe than sorry. Naturally, they could use strip_slashes just before actually sending the email but what are you going to do. It’s a bug (which might have been already patched in then newest release), but I can’t fix it because I do not maintain the SquirelMails server.

But the situation is now a conundrum because JC is behind some draconian firewall which blocks all outgoing ports save for port 80 meaning she can’t use Outlook to send emails. She also can’t use SquirrelMail due to this peculiar bug. So how do they communicate?

This could have been easily avoided if certain IT department simply had a policy which said “only dots and alphanumeric ASCII characters in usernames”. And not just because certain email packages may not support all the different addressing formats as specified in the RFC. It’s also because everyone thinks they know how to validate emails but they don’t. Half the validation scripts out there is just plain wrong. You actually need a 6.4K regular expression to cover all the different addressing schemes covered by the RFC. So if Mr. Frogurt wants to subscribe to some mailing list, or sign into some popular web application he might at one point be told his email is not valid. Remove the apostrophe, and even the most broken email validator will let it through.

Not to mention the hassle of emphasizing the apostrophe every time he tries to dictate his email address to someone over the phone. So really, other than blindly following the RFC, what other benefits are there of putting that non alphanumeric character in his email? Would Mr. Frogurt really mind if his email started with frogurt.dmangello? Would it really make his life a living hell, or would it actually spare him some potential hassles, misunderstandings and unnecessary tech support calls?

I too have a non-standar letter in my name. If I wanted, I could set up my email as: Łukasz@example.com. It would be legal under RFC but I would probably spend the rest of my days explaining to people what that “weird L” is and how to get it in Outlook. Oh, and no iPhone user would probably ever email me because these poor schmucks can’t copy and paste yet. ;P

I say stick to alphanumeric ASCII and dots. Anything more is just asking for trouble.

The internet is killing Microsoft these days. Ever since man climbed down from a tree, learned how to walk upright and figured out how to write AJAX apps, the number of chairs thrown at unsuspecting developers in Redmond has been climbing exponentially. Let’s face it - the interweb is the great equalizer. It levels the playing field - because it doesn’t really matter whether you use Windows, Apple or Linux to access your Gmail, Google Docs and your Facebook. Your desktop is slowly becoming a thin client for the ever-richer web applications.

This is a direct threat to Microsoft’s defacto monopoly - and they are fighting back, the only way they know how - by implementing a vendor lock in strategy. Silverlight is just that. It is an attempt to create a Flash like plugin that will run great on Windows, somewhat acceptably on Apple, and not at all on Linux/Unix based systems. Yes, I know there is Moonlight but I suspect it will always be lagging behind the MS releases, and it will come loaded with proprietary codex that won’t be bundled with the public releases.

Same old shenanigans - you know how it works. Besides, we have been there before. Remember how we couldn’t play Youtubes for a while there because we were stuck with Flash 7 while Windows and Apple folks enjoyed versions 8 and 9? I remember and I Adobe didn’t even have a vested interest in putting Linux down. They just didn’t care enough. Microsoft on the other hand is poised to profit if the plugin doesn’t work well on other platforms. The internet leveled the playing field, and they are planning to tilt it again by getting into these huge Silverlight contracts for the government, libraries and educational institutions.

I’m writing about this now, because my heard of nooblets (and I tell you, heading cats is an enjoyable past time compared to herding throngs of flabbergasted luserati) started asking about it. They want to know what the “Silver Lights” (or “Silver Flight” or “Sliver Lite”) are, and why do they “pop up on Microsoft” (whatever that means). And when they ask, I simply pull out my pocket version of this very image:

Yes, I keep Admiral Ackbar in my pocket especially for those occasions when I must condescendingly point out an obvious trap to someone. It also works for identifying tarps. I like the blue tarp the best.

It’s a trap my friends. Don’t be fooled by their promises of a 100% compatibile moonlight release. It’s called moonlight, because you will be up all at night, and will end up howling at the moon in despair if you try to compile it and get it working on a linux box that does not run some version of Novell on it.

This new and exciting technology is nothing else than a vendor lock-in for the web. And I’m worried about that because I’m a linux user, and my prospective progeny will also likely be linux users. And I don’t want to find out one day that I have to sit at the “gaming box” to access tone governmental or educational websites because Mono folks are dropping the ball on Moonlight.

This is not just some silly rant of a random linux loon. It is a real concern, and the great state of Cali-fornication is also taking it very seriously - to the point where in October of 07 they asked the District Judge to extend the Microsoft anti-trust settlement for another 5 years - precisely because of issues surrounding Silverlight.

I just want you to keep this in mind. When your boss asks you if you should invest in that “Silvered Lights” platform, you just whip out your Ackbar and yell at top of your lungs: “IT’S A TARP!”

I noticed a disturbing trend recently among many users. This includes my coworkers, students and family. See if you noticed it too. I can for example tell someone to go to some website - let’s say I want to point someone to this very blog. I would simply tell them to go to terminally-incoherent.com. This is the process these users go through to get to my site:

1. Open IE which by default opens up the MSN website with all the flashing flash animations
2. They click in the address bar and type in http://www.google.com (yes, they actually type in http and www parts)
3. Then they click in the Google search box despite the fact that Google uses Javascript to make it the active box on the page
4. They type in http://www.terminally-incoherent.com in the search box
5. They click the search button with their mouse
6. Finally they inspect the search results and click on the link to my page

I swear - this happens so often that I no longer get surprised to see it. I can understand the excessive clicks and the silly insistence on typing http and www in front of every address. What I really do not get is why people insist on using Google as the intermediate step when trying to navigate to some address?

In fact we had a guy call up our help desk recently because he could not access one of the company’s new websites. I think he spent half an hour on the phone doing various troubleshooting steps before someone realized that he was actually using the process outlined above. Naturally the website, being an internal service used only by the employees is not and does not need to be indexed by Google. When he was instructed to type in the URL he was very confused and it took him 3 or 4 follow up questions to actually locate this “mysterious address bar”.

The things users do these days baffle me sometimes. I really do not understand their logic. It’s almost as if there was this huge gap between us and the lusers. And instead of closing up, this gap seems to be widening as new generations grow up with technology learning to use it without ever even trying to understand it.

It’s funny, back in the day used to wonder how the future will look. It seemed really bright and positive back then. We figured that kids will be growing up with technology, and using computers on every day basis. We figured that they will play and tinker just the way we did, and every generation will be more computer literate. We were wrong.

The level of computer literacy did not increase. The kids learn to use computers very early, but they do not learn how to understand them. The myspace generation has no fucking clue about technology - all they know is how to awkwardly browse the web and IM eachother all day. Nothing else.

It almost seems like some of us are predisposed for this stuff. We are naturally drawn towards technology and we love figuring out how things work, and how to do things better and faster using the available tools. Others are destined to remain clueless forever despite the fact they have every single opportunity to learn and experiment. Having easy access to technology does not always imply any level of familiarity with it.

I came to accept HTML email as somewhat necessary evil. Or rather, I’m wiling to acknowledge that it has legitimate uses. For example HTML links are much nicer and convenient than those 5 mile long URL’s. Most email clients will take a URL and linkify it for you, but when the address spans 3 lines (like for example every single website on microsoft.com) a simple link is usually more elegant than truncated or word-wrapped URI. So if you send me an email which contains a HTML link or two I really won’t get mad. In fact at least one of the applications I coded up recently, routinely sends HTML emails - but these are essentially time sensitive reports that need to be formated into tables. And HTML tables look nicer than ASCII tables - at least to normal people.

What irks me though is the blatant abuse of HTML at the hands of some people. For example, is writing your entire email:

really necessary? I can really understand the aesthetic value of being able to write some words in bold or italics for emphasis, without using some old school tricks like using asterisks or underscores but come on. Using this type of formating is a selfish, and inconsiderate. Fortunately most clients are able to strip shit like that out of emails. For example my KMail is able to rip off any funky formating generated by Outlook but it leaves well formed HTML alone. I’d like to think that this feature was developed for this very reason. Unfortunately the HTML emails generated by Thunderbird are not stripped and so I’m still left to suffer ugly ass correspondence.

If your email looks anything like the example above you need to seriously stop. It’s not cut! It does not give your emails more personality - it just makes them look as tacky as your myspace page. All it does is tells your recipient that you are a pompous, selfish luser with no aesthetic tastes whatsoever. If you want to play around with HTML get a myspace account and create a lovely theme with a dark on dark color scheme and a screamingly bright background image that just drowns out everything else, like everyone else does. But leave your email in the default boring font - especially your work email. Yes, I actually exchanged emails with people who used similar font and color for official work related correspondence.

These people were not working with me, or for me. My boss would probably have them publicly flogged for something like that. I guess the email etiquette rules at their place doesn’t really exist. Nevertheless I found it very unprofessional - not to mention annoying.

You already know my opinion on tacky email signatures. I just needed to get this out of my system. Email is not your myspace page. People actually need to read it (does anyone actually read myspace pages? I thought they were mostly about pictures and ugly ass layouts). Note that not everyone enjoys your super sized, raging pink font as much as you do. Be considerate!

Folks at Wachovia recently decided that all the confidential information they exchange with contractors and field examiners via email and the internet must be encrypted using at least 128 bit AES. Good for them! I applaud this move but then I realized that human stupidity can turn even best security practices to a mere farce.

I think that Wachovia really evaluated this problem realistically and chose the the method that was easiest to implement without forcing their contractors to spend a lot of money on software and/or training. Both 128 bit and 256 bit AES implementation is built into WinZip. That of course means you need to buy WinZip at the $20 a pop, but surprisingly enough most businesses do. It always amazes me that the company forces us to install WinZip on new machines despite the fact XP has a built in zip file support. At least we now have a reason why to use it.

It’s a good policy, but there is a problem here:

Hey, here is the file you requested. I encrypted it with winzip like you asked. I set the password to be “password”. In case you can’t open this file, I’m also attaching the original word document.

This, ladies and gentlemen is why the suicide rate among IT professionals is so high. Also, this is why you should be terrified when someone asks you to give them your personal information. Think about it - that at some point your social security number, address and credit record will be handled by this guy above. There is no way around it. A person like that works at almost every company - even yours. Dangerous information handling practices are commonplace, and data leaks are imminent. It scares the living shit out of me, but there is not much I can do about this. Or rather I can only try to improve security practices at my company, and hope others will do the same (they wont).

There are two ways you can handle encryption. The easy way is via symmetric encryption like AES which requires little or no infrastructure or forethought. To send data between Bob and Alice they both simply need the encryption/decryption software and the key in a form of a pass phrase that can be exchanged over the phone for example. Of course exchanging pass phrases for each document is a pain in the ass, so Bob and Alice will likely use the same one for all their correspondence. Since Alice will need to share this data with her coworkers, they will probably all use the same password for all correspondence with just about everyone. So whether they are working with Bob, or Eve or someone else they will use the very same common password.

What is that password? You have 3 guesses!

The password naturally is Alice’s company name written as one word in lowercase. If Alice’s boss is especially security conscious it will be the company name followed by a single number. And no, I’m not making this up. I actually seen this happen. Given a choice, lusers will pick a password that is easiest to remember or figure out, and by that virtue the least secure. This is the huge problem with symmetric encryption. You can educate the users, you can beat them up, threaten them or reason with them. But when you are not looking they will invent new clever ways to circumvent company security policies - or at least make them ineffective. And it’s not like it is some kind of secretive “fool the sysadmin” club. That would actually be cool - that I would respect. But no, this is just like an impenetrable wall of stupidity that shields them from common sense and reason.

The alternative of course is asymmetric encryption which removes the password choice from the equation. But it has it’s own limitations - namely, it is a pain in the ass to implement, deploy and train your stuff. Optimistically speaking I think we can get somewhere within 50-60% of our staff trained to use the winzip AES properly within a few months if we get a go-ahead for rapid forceful insertion of knowledge into the cranial cavity using blunt tolls. It would be faster if I was training orangutans for example, because they are not inherently afraid of technology. Humans unfortunately are - they seem to consider it a mysterious mystical force that cannot be comprehended by anyone sans a super-intelligent and yet socially inept nerds. Learning technology is naturally out of the question. Not only is it not possible to understand this stuff without the born-in nerd gene, but forcing that knowledge upon you apparently can cause severe brain damage.

So you can clearly see why blunt tools are necessary. We need to convince them that the brain damage will take place either way. Learning simply hurts less.

But public key encryption is such a foreign and incomprehensible subject. It’s like a high level arcane magic. Hell, for that stuff you need to have like a PHD in Jedi Mastery to even begin to understand it. When you start talking about public and private keys, exchanging and signing them, key rings and key servers you can see your user’s expression change from “LOL, they be trying to teach me magic but it wunt work” to “OMG! My head is about to explode”. By the time you are finished you can see pure fear in their eyes. Most go into catatonic for hours afterwards. Some never recover.

And of course after you spend many many hours configuring everyone’s email, generating keys and training people to use them, without fail someone will send their private key company mailing list.

Generally speaking I believe that an asymmetric public key approach is intrinsically less prone to human error (like for example choosing a weak password) but it is also more costly to implement. Costly both in man hours, as well as licensing. If you choose to go with PGP you are looking at around $200 per license. You could go with GnuPG naturally but it does not have the brand name weight, and it is slightly rougher around the edges - which ends up being a huge deal when you hand it to users who are terrified of computers as it is.

Don’t you just love it how this is a fucking never ending struggle. We really need policies like that, but the policies are half the battle. The other half is the long and painful process of IT beating the users into submission to enforce them.