cellio: (demons-of-stupidity)
2018-06-11 10:21 pm

You have got to be kidding me...

The last couple times I've tried to have a Google Hangout from my desktop computer, we have had audio problems. Specifically, the other people could hear me just fine, but I couldn't hear them. The "test" button in the Hangouts settings produced sound just fine, and other applications produced sound. The last time this happened I resorted to joining the call from both my computer (for video and screen-sharing) and my phone (for audio). That felt stupid. I had previously used Hangouts on this computer just fine.

Tonight I got Dani's help (needed another call participant) while I tried to debug it. Same symptoms and no bright ideas. (We tried the phone thing; that worked fine again.) This time my searches led me to this thread, where I saw that somebody else solved the problem by using a different browser. Specifically, Safari.

I was using Chrome, figuring that Google's browser and Google's conferencing application ought to play well together. But nooooo, that was a mistake. I don't know whether the fault lies with Google or Apple, but sheesh! (No, there was nothing relevant in my Chrome settings. Chrome offers to prevent sites from using your input devices, like your camera or microphone, but this was output.) Switching to Safari worked, after I installed and enabled a plugin.

I suspect that, the last time it worked, I was using Firefox instead of Chrome and that made the difference. But once I found a solution I stopped taking up Dani's time with experiments, so I haven't tested.

WTF is wrong with Chrome + Hangouts + Mac? I found lots of other people who had this problem; it's not just me.

cellio: (Default)
2018-06-10 10:55 pm

responsive design: do pixels even mean anything?

I don't know a lot about the nuts and bolts of responsive design (the "how", I mean), but Stack Exchange is moving toward it so I'm starting to pay attention.

Meanwhile, my ancient tablet seems to be in its death throes, so I've started to look around at what's out there these days, and I realized something. I'm looking at some 10" tablets with resolutions like 2048x1536. My 30-inch monitor at work is something like 2500px wide. These are, of course, not even remotely the same size pixels. Pixels have always varied with the size of the monitor, of course, but a ~10" tablet used to be in the range of 1024 or 1280 wide (landscape), not twice that.

I've seen discussions of SE's upcoming responsive design that say things like "and at widths under 900px it does this" and "the max width for the content area is (some number of pixels)".

How does this work? How can I see reasonable "real-world" sizing of things on both my big monitor and my tablet when designers are measuring things in pixels and tablets are doing crazy-dense things with pixels these days? I guess the same can be said of 4k displays (which I don't have). Do these ultra-dense devices somehow tell the browser "no, really, treat me as half that for layout purposes"? On a tablet will I need to have tons of zoom -- but still struggle to see the actual application's controls, because those don't zoom when you make content bigger?

I must be missing something obvious. Anybody want to enlighten me?

cellio: (avatar-face)
2017-12-10 11:03 pm

small payments are still hard

If you use Patreon, a site that connects creators (writers, artists, musicians, cartoonists, anybody) with people who'd like to support their work, then you probably already know that they're about to start charging the patrons (funders) for the credit-card transaction fees. (So you signed up to pay somebody, say, $1/month, and you'll now be charged $1.38.) What you might not have noticed is that they're charging a little more than what the credit-card companies charge them, and they're charging for each individual transaction even though they charge your card once for all the creators you support each month. Uh huh. [personal profile] siderea did some money math on their current practices.

One of the complications in trying to do online financial match-making, whether that's Patreon or PayPal or others, is that actually holding money is messy, legally speaking. So creators who have income and support other creators don't get to pay from their income (which is just bookkeeping); each transaction has to start with a credit card and end with a deposit. Or so it sounds.

Back in 1995 when the web was still young, I went to work for a micro-payment research project at CMU, NetBill. The idea was that consumers used a credit card to load some small amount, like $20, into a NetBill wallet, and merchants could sell digital goods for a nickel or a dime or $1/month or however they wanted to structure things. There was a secure protocol with escrow so nobody got screwed, and nobody was paying transaction fees on ten-cent sales. Since this was a university research project it was never set loose in the wild, so nobody ever had to decide what NetBill's fees would be. What made me think back to that now is that I have no idea how the financial regulatory stuff was supposed to work; we were holding money, after all. What I do know is that the project had Visa and a major bank on-board from the start to make sure it would be legal. Now I wonder how they planned to do that. I assume the rules have changed since then anyway, but I now realize that this was a part of the business model that I had no real insight into.

(I joined the project in part because it sounded interesting and in part because it sounded like something that could launch a start-up and that sounded interesting. Instead, two years after I joined, CyberCash licensed the technology and that was the end of that.)

Making small payments was hard then and it hasn't gotten much easier since. If you want to publish through Amazon Kindle or iTunes you can still make some income that way (and of course the platform takes a large cut), but self-publishing for small amounts is still hard. And supporting people without going through the "make a sellable thing on Amazon or iTunes" is even harder.

Edited to add: Some donation-processing systems give donors the option to pay the transaction fees. For example, Jewcer, the site we used to raise funds for "Days of Awe - Mi Yodeya" a couple years ago, was like that, and most donors tacked on the fees. My congregation asks members to kick in the fees when we make credit-card payments and, again, it's optional. Sometimes I do, sometimes I don't -- depends on what the payment is for. But the key is that it's optional. If Patreon had offered patrons the choice instead of imposing the change, this might have gone over better -- but they couldn't do that, because they're using this to overcharge for those fees so people who know that won't go along with it.

cellio: (Default)
2017-11-22 09:46 pm

FCC feedback on net neutrality faked and the FCC blocks investigation, NY attorney general says

The New York Attorney General is investigating fraud aimed at FCC commenting. The FCC refused to cooperate. According to this post, tens of thousands of New Yorkers, and many more people elsewhere in the US, had their names falsely and illegally used in fake feedback on net neutrality.

Successfully investigating this sort of illegal conduct requires the participation of the agency whose system was attacked. So in June 2017, we contacted the FCC to request certain records related to its public comment system that were necessary to investigate which bad actor or actors were behind the misconduct. We made our request for logs and other records at least 9 times over 5 months: in June, July, August, September, October (three times), and November.

We reached out for assistance to multiple top FCC officials, including you [Chairman Pai], three successive acting FCC General Counsels, and the FCC’s Inspector General. We offered to keep the requested records confidential, as we had done when my office and the FCC shared information and documents as part of past investigative work.

Yet we have received no substantive response to our investigative requests. None.

Net neutrality is important. The integrity of the public record is even more important, as it is used to support policy changes (not just this one). And right now it looks like we've lost both.

You can use this site to look for fake comments using your name and, if you find them, file a complaint. With, um, somebody -- I didn't find any under my name, so I haven't gone down that path.

cellio: (whump)
2017-11-19 05:58 pm

oops

My Mac has been bugging me to let it install some updates for several days now (requiring a reboot), so since I was going out for the afternoon anyway, I let it do so.

I completely forgot that this would cause Firefox to update to version 57. Oops. (At work I both turned off automatic updates and did some prep work to update to add-ons that will continue to work in 57. I hadn't gotten around to updating add-ons at home, and I forgot that I hadn't turned off browser auto-updates.)

I've lost my Stylish CSS overrides. Some I shared between home and work (or between Firefox and Chrome at home), so those ones I have, but some sites I only visit at home so I didn't have those at work. I found some stuff about how to find them on a Windows machine, but the filenames mentioned there don't exist on my Mac.

For the most part I'm going to just live without them and migrate more of my browsing activity to Chrome. The main reason I limit Chrome is that the tabs display is totally unreadable if you have too many tabs, unlike Firefox which sets a minimum size and gives you scrolling and a drop-down menu to see all of them. I just found a Chrome extension that provides that drop-down menu, so I can at least find stuff, though I haven't yet found a way to get Chrome to stop trying to show all of them anyway.

I also found these instructions for doing some of the things that Classic Theme Restorer did.

I've updated my earlier post about Firefox 57 with other workarounds I've found. For userscripts, I installed TamperMonkey, which I'm already familiar with from Chrome. For both scripts and CSS, I decided that at home I'll just do all my Stack Exchange stuff in Chrome -- I mostly was anyway, and now that it'd be actual work to get those scripts and styles back, time to just commit to it. Firefox is now almost exclusively for blog-reading (mainly Dreamwidth and those few people still on LJ), and everything else I do in Chrome. (That's at home; at work I do a lot more in Firefox.) I tend to have a lot of DW tabs open, so keeping that activity in the browser that handles tabs better makes sense.

cellio: (fist-of-death)
2017-11-08 10:04 am

Firefox breaking many add-ons soon

I found out today, via a notice provided by one of my add-ons (Stylish), that the next version of Firefox (57) is going to break most add-ons, which they are now designating "legacy". Firefox, like Chrome, automatically updates itself (I'm not sure that can be turned off any more), and these changes are coming "in November". I found this blog post from Mozilla from August, but I never received any sort of notification as a user and I don't make a habit of seeking out blog posts from vendors of software I use.

Why the hell didn't I get some sort of notification from Firefox? Is this news to you, too?

So now, the hunt for replacements commences. Gee thanks, guys.

Here's what I've found so far, untested unless otherwise noted:

  • Stylish replacement (notice pushed by Stylish, apparently): Stylus. Listed as beta. I don't know whether styles will just work (after being manually imported, it appears) or if changes will be needed. ETA: I needed to rework one style, which had several blocks applying to different sets of (related) sites. I had to break that up. The style I was using to make tooltips bigger doesn't work (not supported by Mozilla's new API), but I found a workaround. The day after I got all this migrated to Stylus, I got a Stylish update -- but it couldn't read my existing scripts either, so I would have had to migrate to it in exactly the same way I'd just migrated to Stylus. (The UI was even the same.) So I punted that; I've already got Stylus working.

  • Greasemonkey: Google led me to ViolentMonkey. Ditto about not knowing if things just work or require adjustments. ETA: ViolentMonkey is slow and times out about a third of the time for me, but TamperMonkey (which I already know from Chrome) exists and works fine. I had to manually add each of my scripts (to either), but I didn't need to modify them.

  • NoScript: it looks like they're migrating, but I don't know if I'll have to do anything. ETA: Seems to be broken in 57; supposedly they're working on it.

  • Session Manager: is this built into Firefox now? It's very important that when I restart Firefox, I get the tabs and windows I had before. Can anybody who doesn't use an add-on for that confirm whether that works out of the box now?

  • AdBlock Plus: this is my one extension not listed as legacy, so I assume it will keep working.

  • Classic Theme Restorer: um, I found this github repository; haven't waded too far into the readme yet. ETA: this page explains how to move the tabs below the URL/extensions bar where they belong. The other look&feel stuff it did isn't as critical. (One could make a good argument that the URL bar belongs below the tabs, but all the other stuff the browser puts in that horizontal slice is more global, and having those reversed confuses me.)

cellio: (Default)
2017-08-25 05:00 pm

What do you call somebody who speaks two languages? Bilingual. One? American.

I get email sometimes that is presumably the result of somebody using my email address (erroneously or intentionally) to sign up for services like Facebook, Twitter, dating sites, etc. (Also the occasional hotel booking confirmation.)

Today I got email from Twitter with a subject line of something like "please confirm your account (account name that is not mine here)". I figured anti-confirming might be helpful (at least to me; don't know about the other guy), so I looked. The body of the message was in Portuguese.

The text that looked most like "not my account" passed muster with Google Translate, so I clicked -- and worried that I'd have to navigate a Portuguese confirmation page. But no! The page was in English. Yay; with luck that email stream will stop now.

So I guess when they sent the mail they thought I was that other person, and that account has a default language or a language setting, so they used it. But they weren't sure enough to also use Portuguese in the subject line. (Correct call: I wouldn't have opened it if it weren't in English.) And then when I indicated "nope" they either chose a language based on my IP address or just used English on the assumption that everybody on the web is used to that. I wonder which it was.

Making decisions about this stuff is probably harder than it first appears. I think they made all the right calls here (except they might have repeated the "nope, not me" link in English), and they didn't just pick one language and go with it.
cellio: (avatar-face)
2017-08-17 10:35 am

policing the Internet

Yesterday Cloudflare, a service that increases reliability (and speed?) of web sites, shut down the Daily Stormer web site. Daily Stormer, if you haven't heard, is the site for a hate group with broad impact in the US, most recently in the violence and murder in Charlottesville.

Their CEO's blog post announcing the termination isn't just a "they're evil and they're gone" announcement like you sometimes see. It's a thoughtful post that explains the dilemmas faced by the organizations that, by and large, make the Internet work, and what dangers this decision opens up.

Our team has been thorough and have had thoughtful discussions for years about what the right policy was on censoring. Like a lot of people, we’ve felt angry at these hateful people for a long time but we have followed the law and remained content neutral as a network. We could not remain neutral after these claims of secret support by Cloudflare.

Now, having made that decision, let me explain why it's so dangerous.

[...] Someone on our team asked after I announced we were going to terminate the Daily Stormer: "Is this the day the Internet dies?" He was half joking, but only half. He's no fan of the Daily Stormer or sites like it. But he does realize the risks of a company like Cloudflare getting into content policing.

I also found this tidbit interesting:

In fact, in the case of the Daily Stormer, the initial requests we received to terminate their service came from hackers who literally said: "Get out of the way so we can DDoS this site off the Internet."

After finding that post I found this post on Gizmodo that, among things, quotes from internal email he sent.

This was my decision. Our terms of service reserve the right for us to terminate users of our network at our sole discretion. My rationale for making this decision was simple: the people behind the Daily Stormer are assholes and I’d had enough.

Let me be clear: this was an arbitrary decision. It was different than what I’d talked with our senior team about yesterday. I woke up this morning in a bad mood and decided to kick them off the Internet. I called our legal team and told them what we were going to do. I called our Trust & Safety team and had them stop the service. It was a decision I could make because I’m the CEO of a major Internet infrastructure company. [...] No one should have that power.

I don't have a coherent opinion yet. On the one hand, policing content is a dangerous game and why I support net neutrality. On the other hand, private companies (and individuals) should be free to act (legally) in their own interests; companies have been refusing service to unacceptable customers on a case-by-case basis for years. On the third hand, there are differences between competitive markets and monopoly markets. (Within monopolies there are government-sponsored ones and we're-big-and-drove-everybody-out ones too.) Balancing all of that is hard.

cellio: (sca)
2017-08-13 04:43 pm

Pennsic

I'm home from Pennsic. Brief notes in the form of bullet points:

  • My good friend Yaakov HaMizrachi was elevated to the Order of the Laurel! Yay! The Laurel is the SCA's highest award (peerage) for arts and sciences. He's also now known (additionally) as Yaakov HaMagid, Yaakov the Storyteller. The ceremony felt like a reunion of old friends, and it was a nice touch that they had his son chant the scroll (in Hebrew).

  • The part of Atlantian court that I attended (because of the previous) was very well-done and engaging. I don't live there, I don't know most of those people, and yet I was not bored. They moved things along without it feeling rushed, and everybody speaking from the stage could be heard clearly. They also mixed it up, instead of doing all recipients of one award and then moving on to the next. Sprinkling the peerages throughout the court works well and, really, it's not a big deal for order members to get up more than once in an evening. (Also, if peerage ceremonies are burdensomely long -- theirs weren't; ours sometimes are -- it's nice to be able to sit down between them.)

  • I don't think I've ever heard "we're ahead of schedule; let's take a 10-minute break" in the middle of court before, though. I wonder if someone on the stage had an urgent need?

  • They elevated another bard to the Laurel, and that one sang his oath of fealty. While he was doing so I wondered if the king would respond in song -- and he did. That he used the same melody suggests some advance coordination (beyond "we're singing"); I wonder which of them wrote the king's words.

  • I had long, enjoyable conversations with both Yaakov and Baron Steffan. I miss the deep email conversations I used to have with both of them, before the great fragmenting of the digital-communication world (some to email, some to blogs/LJ/DW, some to Facebook, some to Google+, some to Twitter, some to places I don't even know about). It's harder to track and stay in touch with people than it used to be.

  • No, I am still not going to start using Facebook. It's frustrating that by declining to do so I miss more and more stuff, but I'm not ready to let yet another thing compete to be the center of my online life. Also, Facebook in particular is icky in some important ways.

  • SCA local group, that means you too. Plans for a baronial party at Pennsic were, as far as I can tell, announced only on Facebook. (I've checked my email back to the beginning of April, so no I didn't just forget.) And thus I did not bring a contribution for your pot-luck. I do not feel guilty about that.

  • The Debatable Choir performance went very well. I conducted a quartet singing Sicut Cervus (by Palestrina), which I think went well. Two of the four singers had not previously done a "one voice to a part" song with the choir, and I'm proud of them for stepping up and doing a great job. I hope we got a recording.

  • I went to a fascinating class on medieval Jewish astrology (taught by Yaakov in persona). I've seen zodiacs in ancient (and modern) Jewish art and in synagogues, and a part of me always wondered how this isn't forbidden. It turns out that astrology is more of an "inclination", a yetzer, than a hard-and-fast truth -- there are stories in the talmud where astrology predicted something bad but the person, through good deeds, avoided the bad outcome. Also, in case you're wondering (like I did, so I asked), the zodiac signs get some solar smoothing, so if there's a leap-month (Adar Bet) there's not a 13th sign in those years.

  • Our camp has two wooden buildings (besides the house on the trailer, I mean), which we wanted to sell this year because we're making a new kitchen trailer that will replace both of them. We succeeded in selling the larger one (yay!). Maybe we'll be able to sell the other next year. (We'll set it up and use it for something else, because potential buyers would want to see it set up.)

  • Overall the weather was good. There were big storms on the first Friday ("quick, grab snacks and alcohol and head for the house!" is our camp's rallying cry), but only occasional rain after that and it wasn't sweltering-hot, which makes a huge difference.

  • The last headcount I saw was around 10,500.

cellio: (Default)
2017-04-21 10:24 am

URLs can fool you; watch out

We've all seen text on the web that looks almost like ASCII, but it's really very-similar characters from other alphabets like Cyrillic, right? These can appear in domain names too, and your browser will helpfully display them in Unicode.

So, yeah, that can be exploited. It's called a homograph attack.

Browsers display a URL with some special characters in its uglier, non-translated form, so you can tell. But there's a bug or feature, depending on whom you ask, that if the domain consists entirely of special characters from a single language, it all gets translated. You can see how that would be helpful to Internet users in Russia or Israel or China, but for those who surf using the Roman alphabet, it's a risk that even careful security-minded people can miss.

Chrome version 58 reportedly fixes the problem. Firefox isn't going to fix it, but there's an about:config setting you can change (set network.IDN_show_punycode to true).

This post from Ars Technica explains the problem in more detail.
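
The display decision described above, sketched as an added example (it is not part of the original post and not any browser's actual code): each label of a host name is classified by script, and mixed-script labels or labels made up entirely of Cyrillic letters that look like ASCII fall back to the `xn--` form. The lookalike table, the sample host names and the `safe_display` policy are constructed assumptions.

```python
import unicodedata

# Constructed, deliberately small table of Cyrillic letters that render like
# ASCII letters. A real checker would load Unicode's confusables data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0445": "x", "\u0443": "y", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04bb": "h", "\u0501": "d",
    "\u051b": "q", "\u051d": "w",
}
COMMON = set("0123456789-")  # characters that belong to no particular script


def to_ace(label):
    """Return the ASCII ("xn--") form of one label; ASCII labels pass through."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def from_ace(label):
    """Decode an "xn--" label back to Unicode; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def scripts_in(label):
    """Set of scripts used in a label, approximated by the first word of each
    character's Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    found = set()
    for ch in label:
        if ch not in COMMON:
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def classify_label(label):
    """Classify one label (Unicode or xn-- form) for display purposes."""
    text = from_ace(label).lower()
    if text.isascii():
        return "ascii"
    if len(scripts_in(text)) > 1:
        return "mixed-script"
    if all(ch in CYRILLIC_LOOKALIKES or ch in COMMON for ch in text):
        return "whole-script-lookalike"  # the case the post warns about
    return "single-script"


def ascii_skeleton(label):
    """The ASCII string a lookalike label imitates (lookalikes mapped back)."""
    text = from_ace(label).lower()
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in text)


def safe_display(host):
    """Render a host name, using the xn-- form for risky labels.

    Simplified policy (an assumption for this example): mixed-script and
    whole-script-lookalike labels are shown in ASCII form, the rest in Unicode.
    """
    shown = []
    for label in host.split("."):
        text = from_ace(label).lower()
        risky = classify_label(text) in ("mixed-script", "whole-script-lookalike")
        shown.append(to_ace(text) if risky else text)
    return ".".join(shown)


if __name__ == "__main__":
    # Constructed sample hosts: an all-Cyrillic lookalike of "cope", a
    # Latin/Cyrillic mix, an ordinary Cyrillic word, and plain ASCII.
    samples = [
        "\u0441\u043e\u0440\u0435.example",
        "c\u043ep\u0435.example",
        "\u043f\u043e\u0447\u0442\u0430.example",
        "cope.example",
    ]
    for host in samples:
        first = host.split(".")[0]
        print(f"{classify_label(first):24} {safe_display(host):28} "
              f"imitates: {ascii_skeleton(first)}")
```

Invalid `xn--` input makes `from_ace` raise `UnicodeError`, which a caller should treat as "show the raw ASCII form".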

cellio: (mandelbrot-2)
2017-04-02 08:42 pm

link round-up

I have some things collecting in tabs, so here's a hodge-podge:

cellio: (Default)
2017-02-19 05:07 pm

domains for dummies

Can you believe that I've been online since the ARPAnet and yet, in 2017, do not know the nuts and bolts of domain-name management? Perhaps you, dear reader, will point me toward the clues, and I promise not to be offended that you're quietly snickering there.

The recent LJ upheaval is far from the first signal that really, if you care about durable links, you need to own your own domain, but it's the one that's finally gotten through to me. Instead of relying on Livejournal or Dreamwidth or Medium or whomever else to provide a durable path to my stuff, I ought to control that, so if a service goes belly-up, the old, public URLs still work (with content migrated elsewhere).

What (I think) I would like (please tell me if this is flawed): some domain -- I'll use cellio.org as my example, though that one is taken so I'll need another -- where www.cellio.org points to my ISP-provided web content (which I can easily edit), blog.cellio.org points to my DW journal, medium.cellio.org points to my Medium page, and I can set up other redirects like that as needed. So I can't do anything about links that are already out there, but I can give out better URLs for future stuff (stop the bleeding, in other words). Bonus points if the durable URL stays in the URL bar instead of being rewritten (unlike pobox.com redirects), but that might be hard.

I do not want to run my own web server.

Now I already pay pobox.com for, among things, URL redirection, but it's to a single destination. And it's not at the domain level -- www.pobox.com/~cellio redirects to my ISP-provided web space. It'd be ok, though a little kludgy, if I could manufacture URLs like www.pobox.com/~cellio/blog that do what I described above, but unless there's something I can drop into my own web space, without requiring access to my ISP's web server, I don't think I can do that. Also, this leaves me dependent on pobox.com; owning my own domain sounds like a better idea. pobox.com has been solidly reliable for 20+ years, but what about the next 20?

I understand that I need to (a) buy a domain and (b) host it somewhere, and if I were running my own server then (b) would apparently be straightforward, but I don't know how to do that in this world of distributed stuff and redirects. Also, I'm not really clear on how to do (a) correctly (reliably, at reasonable cost, etc).

So, err, is this a reasonable thing to want to do and, if so, what should I do to make it happen?

cellio: (avatar)
2016-05-16 11:03 pm

today I learned...

TIL #1:

Somebody linked to this question on Stack Overflow about some unexpected results when doing math on dates in Java. The problem, according to Jon Skeet, is that the date being used in the calculation is near midnight on December 31, 1927 in the Shanghai time zone -- when Shanghai moved its clocks by 5 minutes and 52 seconds. So the time in question existed twice, and Java chose the one that the programmer wasn't expecting.

That answers the programming question, but my question from that was: why in the world would somebody move clocks by 5 minutes and 52 seconds? I understand shifts of an hour (that happens all the time), and there are timezones out there that have 30-minute offsets and even one with a 15-minute offset, so that wouldn't have much surprised me either. But 5:52???

So I asked Google, which led me to a question on History Stack Exchange about this, where an answer explained that 1927 was not a good year for political stability in Shanghai, and one of the side-effects was a change in who had control over the central astronomical institution, with the result that the reference point moved east from Beijing to Nanjing. Greenwich was apparently not yet a thing as far as they were concerned.

A comment on the answer, from Taiwan, casts doubt on whether there was a time shift at all -- but, if not, doesn't explain where Java got the idea. Curious.

TIL #2:

A few days ago on Mi Yodeya somebody asked if, during the Exodus, the commandment to place the blood on the doorposts and lintel was just on one door or all of them. (Is it like mezuzot, which are on every door, or like the chanukiyah, which we place next to one door only?) My first thought was that there might have only been one door in ancient Egyptian slave housing. Last night I learned a little about ancient architecture and then wrote an answer about the four-room house, which appears to have had one outside door. I argued that we're given the reason for the commandment: it's to mark which houses are to be passed over. To me, that says blood on exterior doors, of which there was one.

Not TIL #3:

Today on Mi Yodeya somebody asked how many people the Pesach offering would feed. The torah says to use a lamb or kid, that it all has to be eaten that night, and that if you don't have enough people to do that, get together with your neighbors. So how big a group are we talking about? One can find plenty of information (not always in agreement, mind) about the weights of modern livestock animals, but animal husbandry has worked its magic over the centuries -- heck, even within my lifetime we've seen "standard" chickens for food get a lot bigger. So knowing how much a yearling lamb weighs today doesn't necessarily tell us what it might have weighed in ancient Egypt or in the time of the first or second temple, when this was done.

I considered asking on History SE, but I haven't yet. Anybody happen to know?
cellio: (avatar-face)
2016-04-12 09:57 pm

the comments problem

"Don't read the comments" -- common, often-correct advice when browsing the Internet. But comments are important, if you want to build community instead of just publishing stuff.

The Guardian looked at trends in the 70 million comments they've received. Not too surprisingly, articles posted by identifiable women get more abusive comments than those posted by men -- except in the fashion category. About 2% of the comments they get are blocked by moderators as way over the line; I'm surprised it's not rather higher, actually.

People who find themselves abused online are often told to ignore it – it’s only words; it isn’t real life. But in extreme cases, that distinction breaks down completely, such as when a person is doxed, or SWATed, when nude photos are posted of the person without consent, or when a stalker assumes the person’s identity on an online dating site and a string of all-too-real men appear at their door expecting sex. As one woman who had this experience said: “Virtual reality can become reality, and it ruins your life.”

But in addition to the psychological and professional harm online abuse and harassment can cause to individuals, there are social harms, too. Recent research by the Pew Centre found that not only had 40% of adults experienced harassment online but 73% had witnessed others being harassed. This must surely have a chilling effect, silencing people who might otherwise contribute to public debates – particularly women, LGBT people and people from racial or religious minorities, who see others like themselves being racially and sexually abused.

Is that the kind of culture we want to live in?

Is that the web we want?


They talk about their research methods.
cellio: (avatar-face)
2016-02-22 11:13 pm

Ghostery just got annoying :-(

Dear LJ brain trust,

I use the Ghostery browser extension to notify me of (and disable until approved) third-party trackers on web sites, because I don't really want random sites snooping on my browsing habits. I just restarted Firefox, picking up some updates in the process, and the notifier thingie has gotten super-annoying and hard to dismiss. I looked at the configuration options and set it for the shortest period of time before (supposedly) auto-dismissing, five seconds, but it's still taking more than that. And it's bigger and more intrusive than it was, on every single site regardless of trust settings:

[Image: New Ghostery notification]

I want big and intrusive on untrusted sites, or if something new has shown up, but for sites I've said I trust, where nothing special is happening, I want it to just shut up already.

Is anybody else seeing this? If so, do you know how to fix it or revert, or are my choices to live with it or disable the extension entirely?

Is Ghostery actually still useful? Are there better tools for this?
cellio: (writing)
2016-02-21 03:48 pm

I wrote a thing and Reddit noticed

The Worldbuilding blog, Universe Factory, is still fairly small; we're new and trying to grow. So I was surprised when my latest article, Worldbuilding As You Go: A Case Study, in which I describe a process by analogy with train games, got lots of views in just a few hours. (I mean hundreds, not hundreds of thousands, but more than I'm used to.) Curious about where it was linked (it must have been linked, right?), I looked into the referrers and found Reddit. I didn't know there was a worldbuilding sub-reddit, though I guess I shouldn't be surprised. There are sub-reddits for practically everything, after all.

I've not used Reddit before. Is bookmarking that page and occasionally visiting it the best way to keep an eye out for other interesting material on this topic? Assuming I don't want to commit a large amount of time to that, is just going with the community voting to cull the vast pile of material the way to go, or are there easy personalization options?
cellio: (fist-of-death)
2015-12-31 06:19 pm

charity fundraising

Dear Charities[1] That I Already Support,

I sent you a sizable donation this year. Recently, even, because I mostly do that at year-end when I know where the annual finances ended up. You acknowledged receipt.

So stop bombarding me with email asking for donations, will you? If I weren't inclined to support you the repeated appeals would not change that -- in fact they would drive me away, as they've done with some of your predecessors. And even though I am inclined -- I like you and support you, after all -- I'm starting to weary of this. It feels like the left hand doesn't know what the right hand is doing. Get your fundraising people in sync with your receipts people, please. I want to support you, but your methods are growing frustrating.

[1] Yes, the use of the plural is correct. I have gotten several email requests this week from each of two organizations I have a long record of supporting with single, annual donations.
cellio: (avatar)
2015-12-11 10:45 am

what's the deal with this phish?

I see a lot of phishing attempts and more than a few spear-phishing attempts, but a recent one is leaving me wondering what the phishers were trying to do.

A couple days ago I got email, purportedly from eBay, acknowledging my new account. The email came to my Gmail address, which I don't publicly use but is easily guessable. The account had a goofy name starting with the first few letters of my email address.

Whenever I think there could be an unauthorized account in my name on a real service I try to reset its password, just in case. So I fired up an incognito window and went to eBay (really eBay, not using the link in the email), went to the login page, gave that account name, and clicked "forgot password". This generated email to me -- which means, I think, that an account of that name really was created (not by me). I reset the password.

While I was there I checked the transaction history and looked for private information. That was all clean. I initiated an account-deletion request, choosing "concerns about identity theft" from their menu of reasons. (Aside: eBay's short list of deletion reasons includes "concerns about identity theft"!) eBay holds such requests for a week to ensure that transactions close, even if there are no transactions (I consider the latter a flaw). I set a reminder to check back in a week.

A day later (just about 24 hours, in fact), I got password-reset email, identical to the email my own reset request had generated (other than the specific link).

Now if the phishers tried to log in and clicked "forgot password", they should already know that that would only work if they could intercept that email. I am as confident as I can be without server access that my Gmail account has not been compromised (I'm very careful about that), but I nonetheless changed my password and reviewed recent access logs. No new devices had accessed my account in this timeframe.

It is always possible, of course, that I am dealing with somebody who is just inept. But if this is a viable attack vector, what's the deal? How is it supposed to work? How does creating an account on eBay attached to an email address you can't access help you?
cellio: (avatar)
2015-08-27 03:49 pm

Internet harassment in the modern age

When I was in college, some people thought it was a right fun prank to sign other people up for wildly-inappropriate catalogues and suchlike. These days they use the Internet for that. Any site that blithely accepts an email address without sending confirmation email to that address is contributing to the problem, big-time.

I know that already, but reading this article about a victim of the Ashley Madison breach -- spoiler alert: not an actual user -- reminded me how problematic this still is. Definitely worth five minutes of your time.

I want to ask you, Internet, to please stop taking all of this [supposed evidence] at face value. Please stop taking things like lists of names stolen from a company as a reason to abuse others — online or offline. When you see a story about someone doing something you think is either wrong or even just lame, it’s not a reason for you to abuse, stalk or attack someone you don’t know.

A friend whom I trust quite a bit not to be using their services is also on that list. So if you don't believe a random person on the Internet, there's that.
cellio: (avatar)
2015-04-12 09:40 pm

UI development in a dynamic world

It used to be that if you put out a software product, and particularly as you produced new versions of it, people might complain about things that were hard or different (change bad!) or broke their workflow, and you'd decide whether to add some configuration parameters or redesign it again or just tell them to suck it up. There wasn't much they could do within the scope of your software if you didn't give them hooks. (They could, of course, take their business elsewhere if your breaking change was important.)

Then, if what you were developing was a web site, you had to cope with some variations ("IE did what to our site?"), but you still had a lot of control. Well, until browser add-ons became a thing, and people could block your ads and trackers and make you use HTTPS and your site had better still work if you didn't want people to surf away.

Now, quite aside from the multitude of browser add-ons that might be relevant, we have tools like Greasemonkey and Stylish that empower users to rewrite your site to their heart's content. For some of us this lets us turn unusable sites into usable ones ("you chose what font? and assumed I had a 1500px-wide browser? feh!"). But it goes beyond that; Greasemonkey, by allowing JavaScript injection, lets us add, remove, and redefine functionality. I have several Greasemonkey scripts for Stack Exchange that make those sites easier for me to use and moderate, scripts that let me add shortcuts and override assumptions the designers made that don't quite fit my circumstances. I like SE's designers and, mostly, the designs of the sites I use, but some things just don't work so well for me out of the box. I'm not picking on SE; I think this happens with lots of sites.

All of this got me wondering: how do you develop web UIs in that kind of world? Are there some best practices that designers use to say "ok, if you're going to hook into the site and change things, we'll make it easy for you to hook in here and here to try to guide and contain you"? Is there some way of doing defensive design, so that if people do add scripting they can reduce the chances that that'll break something important? Or do they mostly just not worry about this, figuring that the Greasemonkey heads know how to use the browser console and will reverse-engineer their pages and, anyway, if you're going to mess with our site it's ok to say you're on your own? (I don't actually know enough to write those Greasemonkey scripts myself; I use scripts that others have written. So I don't have a good perspective coming from the developer-user side here.)

I'm curious about how the expansion of user-driven variation, on top of the browser-driven variation we already had, is affecting the field.