Archive for the ‘Software’ Category

Trust

12 March 2012

It’s been a long time since I posted here. With blogging, you need to keep the momentum going, and I didn’t.

I’ve been involved in a new project. After leaving Luxembourg, I’ve come back home and started working for a company in Hong Kong. I was approached via a recruiter who’d found my profile on LinkedIn, we talked, I spoke to two of the people in the startup, and we agreed terms.

When I was explaining this to one of my colleagues in Luxembourg, he was perplexed. Why have you done this? How do you know they will pay you? If they don’t, what can you do to reclaim the money?

I just laughed. Maybe I’m a trusting fool, but everyone I’d spoken to was totally well-behaved, and I immediately developed a rapport with them. They thought I was good, I thought they were good, we’d do cool things together.

Am I old-fashioned, stupidly naive, normal? Different people would give different answers. I just didn’t worry about it until it became a problem, which it didn’t.

Categories: Real Life, Software

Google+ spotted in the wild

16 November 2011

When Google plus hit in typical Google beta-fashion, some people put up an “I’ve moved” profile picture on Facebook, and left, or so their status update said.

Everyone that I saw do this is still active on Facebook. The trouble is that they have 300 contacts on Facebook, 200 on LinkedIn, and ten on Google+. (Actual values may vary, contact your friends for details.)

Forgetting the personal/social point of view, from a fan/corporate point of view, there are lots of “follow us on Twitter” or “like our Facebook page” links on websites, but none that say “Join our circle on Google+.” Until, that is, today, when my favourite motor racing team, Force India (I’m not sure I should put the sponsor’s name in front of that) *tweeted*

Join our circle on Google+ to share even more plus.google.com/i/1x6CO0EiYkI:…

This is the first time I’ve seen this in the wild. And the irony that they used another social media to inform us of their circle is not lost on me. I’m pretty sure that there will be no extra content for me, only extra work for the admins that run the team’s social media, as they now need to tweet, post on Facebook, possibly update blogs or websites, and now update Google+ as well. I’m not sure that Google+ is worth that effort at the moment.

The thing is, that I get overloaded with info. To me, there is no point in liking your Facebook page, if I get all your updates via RSS. And if I get your data from Facebook, I don’t need to see it in Google+.

One thing that really annoys me about messages from Google+ is that they don’t give a useful subject. Instead of saying “Alistair McDonald shared a post entitled ‘The red mist descends’” they just say “Alistair McDonald shared a post with you.” I’m NOT going to click that link, ’cos I’m pretty sure if it was important, I’ll find out eventually. But, if the subject piqued my interest, then I might click. But clicking into a black hole – no way.

Another way I’m really going off Google is that now so many services require a unified email address/ID. I’ve stopped putting any information into YouTube (favourites, subscribing to channels, etc.) because they want a Google ID. I already have one – well actually three – but I don’t want to join my email to my videos to my news page, maps page, or news alerts. (I know that Google can, and probably do, track my usage of these sites via cookies or embedded scripts; the point here is not privacy, but convenience for me. For example, I set my home location on maps.google.co.uk to be a zoomed-in shot of my home. But since I needed to “unify” my Google accounts, now when I visit maps.google.fr or maps.google.lu, my home page is *still* in the UK. If you are viewing a UK map, then your searches default to the UK – so you get Birmingham, West Midlands, not Birmingham, Alabama. That’s a good feature. BUT, if I’m visiting the French map site, why on earth would I want to start from the UK, where all my searches are crazily misinterpreted? So, to work around this, I end up first searching for Paris, or Luxembourg, so that Google Maps displays the correct country so that my searches will work. [Google pay for bandwidth and processing power, I don’t, so I lose time and they lose money.])

Getting back to the subject of Google+, as I said before, they need to get some client apps out there – there are dozens of Twitter clients – and that means that they need to stop trying to be so controlling over data and APIs. Part of the problem is that they are playing catch-up, and many competing services (this is business, it makes money, and so there is a real competitiveness to it) are much more free with their data and APIs, and, remember, Google see the usage data they collect as the most important thing that they have.

Why not take part in a little experiment: inspect the cookies that the browser(s) you use have collected. Maybe even try to delete them and see (a) how many similar ones reappear without you visiting the sites mentioned, and (b) see just how many services you can use after a single login.

Hacked email

26 October 2011

I get emails from people who have had their online email accounts hacked, and spam email is issued. Normally, I just send them an email and hear nothing of it. But today I got a message (via another mechanism) that they were going to trash their email account.

The rest of this post is my message back to them. On reflection, I should have considered that their password was leaked internally from their email provider (one of the “big few” – i.e. google, hotmail or yahoo). And that this could happen from a rogue employee ($0.10 per email, here’s a text file) or from hackers getting illegitimate access.

But here goes:

I don’t think you need to discard the email account, but there are a couple of things to consider:

How did you get hacked? Was it malware on your PC (you can pick up malware infections just from things like Adobe Flash-based adverts if there’s a security problem in the Flash plugin, for example), or was it someone picking up a session cookie while you were using unencrypted WiFi (coffee shop/hotel) (read this post on cookie hijacking to see how it works)? Or did you use someone else’s computer (colleague, internet cafe)? These are the three main categories (I’m discounting you turning into a spammer).

No matter how it happened, visit https://browsercheck.qualys.com/ on a weekly basis – or more frequently – to check your browser(s) and plugins are up to date – you need to do this for each browser that you use, on each computer that you use.

So, how do you tell which one happened to you? I’d get some anti-virus and scan your PCs and see if they detect anything. If you’re technical enough, then the SysInternals “autoruns” tool tells you *everything* that starts when you start your PC and log in. You can google the various process names shown in Task Manager and ensure they are benign too.

So, if you have malware, the only totally secure thing to do is to wipe and reinstall your OS and applications – although you might want to trust antivirus to detect and repair, it’s not guaranteed. And if you can, try more than one anti-virus product (free versions available for several) but you might have to install one, scan your PC, uninstall it and then install another – they might not co-exist nicely.

If your PC is clean, but you use public WiFi, chances are that you have been the victim of a cookie hijack. The solution is to either always use HTTPS (which is encrypted, so no-one can “sniff” your cookie; most sites now offer it, and I expect your email provider is one of them – Google is now offering HTTPS for searches, let alone email/calendar/etc.), OR, if you have one available, *always* use a VPN (virtual private network), which encrypts everything (including normal unencrypted HTTP traffic, although your VPN provider can “sniff” stuff). Maybe your employer has a VPN, otherwise you can buy the service, I believe. And, best of all, if it was a cookie hijack, you can just log on and change your password, and the hijacked cookie will be invalid afterwards. Maybe ask where you were accessing the net in the days immediately before the spam started – can you correlate a location with the date/time?
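The advice above rests on two server-side properties worth making concrete: the session cookie must only ever travel over HTTPS (the Secure flag) and stay out of reach of page scripts (HttpOnly), and changing the password must actually invalidate sessions that were issued before the change, which is only true if the server ties each session to the password it was issued under. The following is an added illustration written for this page, not code from the post or from any email provider; the class and method names, the PBKDF2 parameters and the sample user are my own assumptions.

```python
"""Toy session store: Secure/HttpOnly cookies and password-change invalidation.
Added example for this page; not the post's code. Names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class User:
    name: str
    password_hash: bytes
    salt: bytes
    password_version: int = 1  # bumped on every password change


@dataclass
class Session:
    user: str
    password_version: int      # version the session was issued under


class SessionStore:
    def __init__(self):
        self.users = {}
        self.sessions = {}     # token -> Session

    @staticmethod
    def _hash(password, salt):
        # Salted, slow hash; iteration count is an assumption for the example.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, name, password):
        user = self.users.get(name)
        if user is None:
            return None
        if not hmac.compare_digest(user.password_hash, self._hash(password, user.salt)):
            return None
        return user

    def create_user(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = User(name, self._hash(password, salt), salt)

    def login(self, name, password):
        """Return a random session token, or None if the credentials are wrong."""
        user = self._check(name, password)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(name, user.password_version)
        return token

    @staticmethod
    def set_cookie_header(token):
        # Secure: never sent over plain HTTP, so a WiFi sniffer never sees it.
        # HttpOnly: not readable by page scripts.
        return f"Set-Cookie: sid={token}; Secure; HttpOnly; SameSite=Lax; Path=/"

    def authenticate(self, token):
        """Return the user name for a valid session token, else None.
        A session issued before the current password is dropped on sight."""
        session = self.sessions.get(token)
        if session is None:
            return None
        if session.password_version != self.users[session.user].password_version:
            del self.sessions[token]
            return None
        return session.user

    def change_password(self, name, old, new):
        """Verify the old password, store the new one and bump the version,
        which invalidates every session (hijacked ones included)."""
        user = self._check(name, old)
        if user is None:
            return False
        user.salt = secrets.token_bytes(16)
        user.password_hash = self._hash(new, user.salt)
        user.password_version += 1
        return True


if __name__ == "__main__":
    store = SessionStore()
    store.create_user("alice", "correct horse")          # constructed sample user
    stolen = store.login("alice", "correct horse")       # pretend this token was sniffed
    print("before change:", store.authenticate(stolen))  # alice
    store.change_password("alice", "correct horse", "battery staple")
    print("after change: ", store.authenticate(stolen))  # None
```

If a provider does not version sessions this way, changing the password leaves the hijacked cookie working until it expires; the only way to know is to check whether logging out elsewhere or changing the password ends other sessions.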

And if you think you’re the victim of a keylogger, it should appear as malware. Let me tell you that one thing I do when I’m using someone else’s computer is to *not* enter my password in one go. I use the *mouse* to move the cursor between keypresses, and build up my password. So if my password was 12345678, I might start by entering “56”, then click (don’t use the keyboard, keystrokes might be logged, including the cursor keys) at the beginning and add “23”, then click at the end and add 8, then between the 3rd and 4th character and add the 4. It takes a bit of mental juggling, and I rarely use a PC I don’t trust.

So, depending on how you were hacked, is anything else at stake? If it’s malware, chances are that a keylogger has been installed, and so every keypress might have been recorded and then might have been transmitted. If you use the same password for many things, e.g. online email, work email, online banking, then you are at greater risk than if you use a different one for each service – even if the usernames are different, your identity might be linked to an account via publicly available search info. I use a three-tier system – one password for sites I really don’t care if someone impersonates me on, a second for a few other things (access to my server, and email, and so on), and a third tier, where I use a different password for each system – things like online banking, the UK Government Gateway, etc.

So, the bottom line is that
1: Stopping using the account might not be enough
2: Stopping using the account might not be necessary

And that’s what I sent. Did I miss anything apart from the password-leak-from-provider?

Update: I added
3: change all your important passwords anyway. Consider a 2/3-tier system.

Categories: online, privacy, Real Life, Software

Maths, Comp. Sci, and Music

29 August 2011

Ah, how I hate it when reading and television screw up my perception! I remember reading (or seeing) something about maths and music being linked together. The current peak of this is Douglas Hofstadter’s book “Gödel, Escher, Bach,” which (deep down) relates how cognition and creativity emerge from the mind. He puts it better than I can, but there are a number of common (i.e. I read about them elsewhere but forgot the details) thoughts.

Although I am paid to be a software developer, I am also a musician, and I’m pretty sure that if I’d chosen that career path and been given the perfect breaks I could have succeeded as a guitarist. Further research suggests that lots of computer scientists are also keen fans of music. Many key figures are musicians – <a href="http://en.wikipedia.org/wiki/Richard_Stallman">Richard Stallman</a> notably travels with a recorder.

I think an unusual proportion of computer programmers/scientists/experts have an unusual interest in music. But I can’t find a survey to confirm it. Any empirical results out there?

Categories: Real Life, Software

And the (l)user is . . .

29 June 2011

The recent web site attacks by popular hacker group <a href="http://twitter.com/#!/lulzsec">lulzsec</a> have shown two main things:

Firstly, it’s a jungle out there. The CIA, banks, governments, are all targets for an organised bunch of techies. Basically, whoever you bank with, if you are just covered by a password or two (PIN + password) then you are dangerously vulnerable. Vulnerable to brute-force hacking, vulnerable to phishing, or vulnerable to malware, which might track every key you type.

Secondly, security on the WWW sucks, in general. If banks, government agencies, and so on, can’t get it right, can you trust a friendly site like Facebook to store your details properly? If you use the same password for your Gmail account and for your Facebook account, and a leak in Facebook allows hackers to learn your password, then your Gmail account is vulnerable. And, if you use that password for online banking (or PayPal, or anything that *knows* your payment card details) then you are looking at a security hole.

Lulzsec have shown that it is so easy to penetrate any web site that they choose that it’s almost pointless to attempt to prepare against malicious attack. I disagree, and think that there are many things that we can do to mitigate any vulnerability.

Once, I had a credit card for less than 24 hours before it was withdrawn by the issuer – a shame, as it had five or six zeroes in a row, which I think is cool. Turns out, a major CD retailer in the UK had been compromised and in that window I’d used my new card, which was then only useful for scraping the ice off my windscreen.

So, how to mitigate? Firstly, lie. Unless it’s a bank, if it asks your birthday, give your father’s, your brother’s, your favourite pop star’s, whatever – but change the year to suit your demographic. If it wants your mother’s maiden name, give it your first pet’s name, as another example.

Be consistent, so you can do this with many web sites – but do not do this with *important* accounts, like online banking. They should all have unique passwords. Separate accounts into groups – change-your-life important ones, major-inconvenience ones, and low-inconvenience ones. Use a different password policy for each one . . .
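The tiering rule above (and the three-tier scheme in the “Hacked email” post further up the page) is easy to state and easy to drift away from over the years, so it is worth checking mechanically. Below is an added example written for this page, not from the post: given the kind of list a password-manager export produces, it reports any password shared across tiers and any top-tier password used by more than one account. The tier numbers, site names and passwords are constructed sample data, and the function names are my own.

```python
"""Check a tiered password policy for reuse. Added example, not the post's code.
Tier 1: throwaway sites; tier 2: everyday accounts; tier 3: change-your-life
accounts, each of which must have a password used nowhere else."""
import hashlib
from collections import defaultdict

# Constructed sample export: (site, tier, password).
ACCOUNTS = [
    ("forum.example", 1, "springtime42"),
    ("recipes.example", 1, "springtime42"),          # fine: reuse inside tier 1
    ("mail.example", 2, "Tr0ub4dor&3"),
    ("shell.example", 2, "Tr0ub4dor&3"),             # fine: reuse inside tier 2
    ("bank.example", 3, "Tr0ub4dor&3"),              # bad: tier 3 shares a tier-2 password
    ("tax.example", 3, "c0rrect-horse-battery"),
    ("broker.example", 3, "c0rrect-horse-battery"),  # bad: two tier-3 accounts share one
]


def fingerprint(password):
    # Group by a short digest so the report never has to carry the password itself.
    return hashlib.sha256(password.encode()).hexdigest()[:12]


def find_reuse(accounts):
    """Return a sorted list of (problem, [sites]) pairs.

    "cross-tier": one password is used by accounts in different tiers.
    "shared-tier-3": one password is used by more than one tier-3 account.
    """
    by_password = defaultdict(list)
    for site, tier, password in accounts:
        by_password[fingerprint(password)].append((site, tier))

    problems = []
    for uses in by_password.values():
        tiers = {tier for _, tier in uses}
        if len(tiers) > 1:
            problems.append(("cross-tier", sorted(site for site, _ in uses)))
        top = sorted(site for site, tier in uses if tier == 3)
        if len(top) > 1:
            problems.append(("shared-tier-3", top))
    return sorted(problems)


if __name__ == "__main__":
    for problem, sites in find_reuse(ACCOUNTS):
        print(f"{problem}: {', '.join(sites)}")
```

Run against the sample it flags the bank account for sharing a tier-2 password and the two tier-3 accounts for sharing one with each other; the throwaway and everyday reuse is allowed by the policy and is not reported.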

As the online world evolves, it’s important that we early adopters are aware of the current problems. We all need to wear a black hat at times, because we cannot trust the banks and merchants to do this for us. We should all insist on personal key-generation devices (my Luxembourg bank gave me one by default), for example. These, when powered on, give a passcode to be used to authenticate you to the web site.

We should all use an up-to-date browser and plugins, we should regularly test the systems that we trust our personal details with, and we should have the skill to work out where the intrusion in the chain is when things go wrong. These days, I reckon that less than 1% of visitors to this blog, and less than 0.01% of online personas, would know how to do these things.

Categories: Analogies, Real Life, Software

Length of working day

30 April 2011

Someone I know recently posted on facebook that they only worked 10.5 hours in one day, and wanted to know if he should feel guilty. I’d say definitely, yes. But not for putting in only 10.5 hours, but for doing more than his contracted hours (in the US, I guess this is 8 hours, after subtracting breaks). He should feel guilty that he’s not spending those extra hours with his family. He should feel guilty that he’s creating an expectation in the workplace that everyone should work extra, unpaid hours.

I guess that there are two reasons to work extra hours. One is that there’s a corporate culture of this. I see this in the USA, and in India as well. I see it a little in the UK, too. When I worked for a bank in the city, I was at my desk for ten hours a day, and my manager mentioned that he just wanted to see me be there a little longer. I pointed out the 3.5 hours commute I had in addition to working, and the fact that I had a 15-minute window to see my kids at night, *if* the trains were on time, but he really didn’t understand: he was young, single, and striving for promotion.

I recently read Managing Humans: Biting and Humorous Tales of a Software Engineering Manager and one thing I noticed was the number of times that working the weekend was expected. Sure, the companies appeared to be mainly startups, and maybe everyone had equity share, but it seemed that these people were expected to work extra *days* as a matter of course. This seems so wrong to me – weekends should be sacred and for the family, not working.

In some cases, it’s just being in the office, not how much work you get done. This is called “presenteeism.” For many, many years, I’ve noticed that I am edgy when involved in seemingly non-work related discussions, either at desks or at the water cooler. I’ve felt guilty that I’m not working. Now I’m doing more reading into management, and trying to develop my people skills (mildly aspergic), I don’t feel so bad about these conversations, at least I didn’t last month! But I suspect that in some places, the amount of time spent working is well below the amount of time *in*the*office*.

The second reason for working extra hours is that there is a crisis. A support issue that needs fixing to prevent the company going under. A last-minute show-stopper bug preventing a release going out. In my opinion, these are legitimate reasons to work late. But it’s not, in my opinion, productive to work long hours for a long period. A week of extra half-days, even if fuelled with free pizza, is going to dull almost everyone, and productivity will drop so much that everyone would be better off just working a normal day.

I’m working in Europe from next week, and one of the reasons I am going there is because there are strict labour laws where, in some cases, your manager can be fined if he lets you work more than 40 hours a week. This sounds like bliss!

That’s *my* association

23 April 2011

I get really cheesed off with some software, always hijacking my file extension associations.

For the uninitiated, these link a file (normally the bit after the dot in a filename, ext in ThisIsAFile.ext) to an application. To do this, Windows (and other GUIs) keep a list: If the file is a .doc, open it with Word. If the file is a .xls, open it with Excel, if it’s a .frood, offer these choices . . . .

It’s easy for those files in my example, but there is a real, and constant battle for the audio and video world. Each time I upgrade an otherwise nice and wholesome piece of software, a video player called VLC media player, it insists on attempting to take over all my audio file extensions – like .mp3, aac, and even the playlist files .m3u, which it hides under a different menu to “audio files”. 1: it’s a video player – it’s in the bloody name and 2: every time it asks, and defaults to taking over the associations. Why can it not remember my choices from the last install? This is particularly important as the fantastic browser check from Qualys always points out when it’s out-of-date.

I need to point out that if every piece of software did this, and you didn’t respond appropriately, you’d probably not see the same application open a file twice. Your browser would run around like an eager puppy, saying “I can deal with that jpg; I can deal with that .bmp; I can deal with that .pr0n as well!” Thankfully, not all software is as self-centred as VLC, so the average user gets some consistency.

The popular browser, Firefox, was just as bad. I use the heroes’ browser, Opera, but I also have IE and Firefox installed. I don’t use Chrome because Google are powerful enough already – actually I’d say they are too powerful, but I’ve got my 18th job interview with them lined up so I’m hoping to get in while ‘evil’ is still relatively cheap – I want a small throne, at least. But some sites do not work with Opera (despite it being the first browser to pass the ACID-3 test (stop yawning at the back!)), so I need an alternative. I’d rather eat my own kidneys devilled with Tabasco sauce and onions than use IE, so I use Firefox. And Firefox was very naughty indeed, and when I upgraded it, it did not even *ask* if it could be my default browser, it just did it. As presumptuous as an Australian internet activist during a night of passion (allegedly).

So, I can understand that many, many people can get confused when they used to click on a file, and it would open in a particular app. Then they install some more software (maybe more than one, people are fools like that) and next time they try the same action, they get an unfamiliar app thrown in their face, because the new software has hijacked the file association.

As PC manufacturers are loading stacks of crappy software on new PCs for $$$, there is now another confusion – on my Dell Vista PC, every user (me, the wife, the kids) was hounded to buy some expensive software whenever we clicked on a particular file type – in this case, any image file at all. To put this in context, new user, new PC, plug in the new digital camera, click on the files, and the PC asks for money to install a full version of the software – that’s just wrong!

In my opinion, this is moving PCs away from being easy to use. I had this rosy idea that one day, PCs would be easy to use. They’d coax inexperienced users through configuration, and degrade gracefully when things went wrong. However, I think that in the immediate future (next ten years) PCs are going to be clogged down by more and more software that says it has the user’s best wishes at heart, but in reality it will recommend paid-for options – and won’t even mention the free options that may be as good as, or even better than, the commercial options.

All Nerfed out

23 April 2011

I am now the proud owner of a Nerf gun, a Nerf N Strike Recon CS-6, in fact. My son has an N Strike Raider Rapid Fire CS-35 Blaster. Mine has a laser sight, and his has a 35-bullet rotating magazine.

Nerf is harmless. The guns fire foam darts at a reasonable speed, as long as you do not hit someone in the eyes or face, then there are no bruises. My vegetarian, tree-hugging mate found that Nerf guns are also good for killing the invasion of flies that we have locally. I’ve taken out a few myself, although I’ve found that I only stun them, and then need to move in with a secondary weapon.

Geeks and Nerf seem to go together like Fred and Ginger (aren’t they both dead now?) or drums’n’bass. Why is this? I had a desk calendar where each discarded page could be made into a model aeroplane, and these littered the desks of my fellow software developers. We loved them, and the managers hated them – even the ones who used to be softies themselves. Geeks love toys. Nerf, remote control airships, anything that they would have loved as kids seems to be OK. It’s as if softies haven’t grown up.

Perhaps this is one of the things that makes a good softie – a child-like imagination. Software development can be an enormously creative process. It’s been likened to art (Knuth titled his works The Art of Computer Programming, after all). And creativity involves the imagination.

My manager asked me to take my plane calendar home – he did not like the mess and lack of order, with planes launched and scattered on the floor. But it did not affect our performance, we can be very focussed when we need to. And softies respect each other’s need for lack of interruption – in a lot of places I’ve worked, people will either see headphones on as a sign that says “do not interrupt,” or some people actually put signs up asking not to be disturbed.

The planes, nerf, toys provide a point where developers can let their brains take a rest. Being physical, it also gives them a chance to stretch their legs and get their butts off their chairs, even if it’s just picking up a plane or Nerf dart.

So, if you’re a manager and you see your geeks being unruly or untidy, please leave them to it – their apparent playing is part of the creative process. Don’t, however, let them take the mickey too much, as this cartoon shows:
[XKCD cartoon: “Are you stealing those LCDs?” “Yeah, but I’m doing it while my code compiles.”]

Incidentally, this is why I prefer C++ to Java or Perl: you get time to put a fake moustache on.

Categories: Real Life, Software

Code Wars

21 April 2011

The screen is split. Both left and right views zoom in over the shoulder of a stooped individual to the large computer monitor that now fills both screens.

There’s a voice-over. A hushed voice, as would befit snooker, or a Royal parade. The tones used are revered, and every word is carefully chosen. Let’s listen in:

[Voice 1] So, Dave, we’re five minutes into this competition and both contenders are well into their stride. Initial impressions, Dave?

(The screen shows both users are typing furiously, menus are popping up and items added to lists on the left and right of the main code-editing windows)

[Dave] John, it’s really interesting how both users really know their IDEs inside out. Grekor, on the left, is using Eclipse, and, as you can see, he has quickly set up a project that targets the correct build type. He’s *very* good with the context menus, as you can see.

(The screen shows both users are typing furiously, menus are popping up and items added to lists on the left and right of the main code-editing windows)

[Voice 1, now identified as John] So, Dave, is Grekor already ahead?

(The screen shows both users are typing furiously, menus are popping up and items added to lists on the left and right of the main code-editing windows)

[Dave] Not in the slightest, John, as Joolz is also using his IDE to create the project template. Joolz has chosen NetBeans, and it, too, provides a default project type.

[John] Ah, now let me remind the viewers that the contenders are free to choose their programming languages, development environments, keyboards, and mice and are given 20 minutes to alter the configuration of their PC once it’s been built by Charlie, who heads our team of “hardware hacker hoods.” When I say he heads the team, I mean he’s the only….

[Dave] Sorry to interrupt you there, Joanne, but our back-room boys have spotted something interesting.

(A larger code window appears in front of the split-screen view. It’s semi-transparent, but you can’t really see what’s behind, which means it’s pointless, but looks good (-ish). Remind me to rent the better video desk if we make a second series.)

[John] Did you just call me Joanne? That was supposed to be our little secret!

[Dave] Look at this. (Screen zooms in on one line of code, grainy, but highlighted as the rest is greyed out slightly.) Grekor has used entirely the wrong syntax for his regular expression! That will compile all right, but it’s never going to work properly. This is a major mistake for Grekor, and it will be a tricky one to find.

[John] Someone once said “Some people, when faced with a programming problem, think ‘Aha! I’ll use regular expressions!’ If they do that, they’ve suddenly got two problems.”

[Dave] (laughs) Too right!

(The large window shrinks to the centre and disappears with a pop. The screen now shows both users are typing furiously, menus are popping up and items added to lists on the left and right of the main code-editing windows)

[John] Grekor, I remind you, won his previous heat where the competition was very mathematical. This assignment is more text-based, isn’t it Dave?

[Dave] Very much so. I must admit I was surprised when both contenders chose Java; Perl would have been my first choice!

(The screen gets darker and the voices more muted. Eventually, you awake and are in the office. No-one appears to know what you’ve experienced. You blink and reach for the Dr Pepper in front of your screen…)

Idea by Nick, Ian and Alistair. Video by @netroman. Coming to a screen near you, soon.

Categories: Software

Between a rock and a hard place

21 April 2011

“Buying a TV is harder than buying a computer,” my buddy recently said. The reason he said this is because everything will be obsolete in a few months.

I’ve got a similar quandary, but I’ve only got two choices to decide between.

For many years I’ve used Gentoo Linux as the operating system for my server and laptops. Gentoo has the advantage of being very flexible, and normally very quick to produce security patches for the various pieces of software that are installed. The unusual feature of Gentoo is that everything is compiled on your machine, with your choices of options. Things don’t always work, and actually maintaining a Gentoo system will (a) teach you a lot about Linux and (b) take a proportion of your time every so often.

My server was built in 2005. I’m shocked by this, but it has a 5-year-old Linux kernel using features that have long since been removed (devfs made way for udev, for example). Migrating from this kernel will be painful, and the system has already got a host of cobbled-together software that is failing to build consistently. (This is partly due to my lack of knowledge when fixing build problems in the past.)

So, I’ve decided to rebuild the server. The server has a few main purposes: It hosts my personal web site, where I keep my Effective C++ CD. It hosts email for me and the family, providing storage and a webmail interface. It is a fileserver for us all. And it runs the software that powers my Squeezebox digital music player.

And it’s this last role that’s my big problem. Since emerging the latest and greatest of everything, the software has failed to build and run. And that means no music, no radio, no-thing at all.

So, I have to rebuild. The question is, do I use the latest Gentoo, or do I use a mainstream Linux distribution? And do I use a 32- or 64-bit version? In Gentoo, many more packages are marked as unstable on the 64-bit version than on the 32-bit, and even Ubuntu recommend 32-bit and not 64-bit, despite most new computers being 64-bit systems.

I really don’t want to give up on Gentoo; it has taught me a lot about Linux and there is a certain kudos in using a cutting-edge system. I just want to be sure that the server will work for me after I spend hours installing it.