Mackerelmedia Fish

Normally this kind of thing would go into the ballooning dump of “things I’ve enjoyed on the Internet” that is my reposts archive. But sometimes something is so perfect that you have to try to help it see the widest audience it can, right? And today, that thing is: Mackerelmedia Fish.

Mackerelmedia Fish reports: WARNING! Your Fish have escaped!
Historical fact: escaped fish was one of the primary reasons for websites failing in 1996.

What is Mackerelmedia Fish? I’ve had a thorough and pretty complete experience of it, now, and I’m still not sure. It’s one or more (or none) of these, for sure, maybe:

  • A point-and-click, text-based, or hypertext adventure?
  • An homage to the fun and weird Web of yesteryear?
  • A statement about the fragility of proprietary technologies on the Internet?
  • An ARG set in a parallel universe in which the 1990s never ended?
  • A series of surrealist art pieces connected by a loose narrative?

Rock Paper Shotgun’s article about it opens with “I don’t know where to begin with this—literally, figuratively, existentially?” That sounds about right.

I stared into THE VOID and am OK!
This isn’t the reward for “winning” the “game”. But I was proud of it anyway.

What I can tell you with confident is what playing feels like. And what it feels like is the moment when you’ve gotten bored waiting for page 20 of Argon Zark to finish appear so you decide to reread your already-downloaded copy of the 1997 a.r.k bestof book, and for a moment you think to yourself: “Whoah; this must be what living in the future feels like!”

Because back then you didn’t yet have any concept that “living in the future” will involve scavenging for toilet paper while complaining that you can’t stream your favourite shows in 4K on your pocket-sized supercomputer until the weekend.

Dancing... thing?
I was always more of a Bouncing Blocks than a Hamster Dance guy, anyway.

Mackerelmedia Fish is a mess of half-baked puns, retro graphics, outdated browsing paradigms and broken links. And that’s just part of what makes it great.

It’s also “a short story that’s about the loss of digital history”, its creator Nathalie Lawhead says. If that was her goal, I think she managed it admirably.

An ASCII art wizard on a faux Apache directory listing page.
Everything about this, right down to the server signature (Artichoke), is perfect.

If I wasn’t already in love with the game already I would have been when I got to the bit where you navigate through the directory indexes of a series of deepening folders, choose-your-own-adventure style. Nathalie writes, of it:

One thing that I think is also unique about it is using an open directory as a choose your own adventure. The directories are branching. You explore them, and there’s text at the bottom (an htaccess header) that describes the folder you’re in, treating each directory as a landscape. You interact with the files that are in each of these folders, and uncover the story that way.

Back in the naughties I experimented with making choose-your-own-adventure games in exactly this way. I was experimenting with different media by which this kind of branching-choice game could be presented. I envisaged a project in which I’d showcase the same (or a set of related) stories through different approaches. One was “print” (or at least “printable”): came up with a Twee1-to-PDF converter to make “printable” gamebooks. A second was Web hypertext. A third – and this is the one which was most-similar to what Nathalie has now so expertly made real – was FTP! My thinking was that this would be an adventure game that could be played in a browser or even from the command line on any (then-contemporary: FTP clients aren’t so commonplace nowadays) computer. And then, like so many of my projects, the half-made version got put aside “for later” and forgotten about. My solution involved abusing the FTP protocol terribly, but it worked.

(I also looked into ways to make Gopher-powered hypertext fiction and toyed with the idea of using YouTube annotations to make an interactive story web [subsequently done amazingly by Wheezy Waiter, though the death of YouTube annotations in 2017 killed it]. And I’ve still got a prototype I’d like to get back to, someday, of a text-based adventure played entirely through your web browser’s debug console…! But time is not my friend… Maybe I ought to collaborate with somebody else to keep me on-course.)

Three virtual frogs. One needs a hug.
My first batch of pet frogs died quite quickly, but these ones did okay.

In any case: Mackerelmedia Fish is fun, weird, nostalgic, inspiring, and surreal, and you should give it a go. You’ll need to be on a Windows or OS X computer to get everything you can out of it, but there’s nothing to stop you starting out on your mobile, I imagine.

Sso long as you’re capable of at least 800 × 600 at 256 colours and have 4MB of RAM, if you know what I mean.

× × × ×

Giving a Damn at Scale

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

How many more developers have to point out how bloated we’ve made the web with our frameworks, tracking scripts, and other 3rd party solutions before we take things seriously? We’ve been banging on about this for ages. It’s like a plague!

This is just what I was thinking when I wrote about that terribly bloated digital climate activism website the other day. I hadn’t meant to single them out specifically because the problem’s… well, it’s a pandemic!

And as Bridget goes on to say, it’s especially important at this unusual time, with many people confined to home and using the Internet to try to get accurate and up-to-date information and resources (and sometimes overwhelming major websites), that performance, accessibility, and availability matters most.

There’ll be many lessons to learn from the coronavirus crisis. But these lessons aren’t just related to healthcare, or work, or supermarket logistics. No field will be left untouched. And one of the things that I hope my field learns, when this is over, is the importance of things working even when things get tough. Test the sad paths, test your site under heavy load, test your site with the CDNs simulated “down”, and develop accordingly. Because this isn’t the worst kind of crisis we could face, and we have to be ready for the worse ones that could come.

Getting Hired at Automattic

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I started at Automattic on November 20, 2019, and it’s an incredible place to work. I’m constantly impressed by my coworkers kindness, intelligence, and compassion. If you’re looking for a rewarding remote job that you can work from anywhere in the world, definitely apply.

I’m still overjoyed and amazed I was hired. While going through the hiring process, I devoured the blog posts from people describing their journeys. Here’s my contribution to the catalog. I hope it helps someone.

I’ve written about my own experience of Automattic’s hiring process and how awesome it is, but if you’re looking for a more-concise summary of what to expect from applying to and interviewing for a position, this is pretty great.

Dungeon Drawers

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Drawers with a dungeon inside

The BEST THING I’ve seen on Twitter this week (month?) is Justin Alexander’s thread documenting “The Dungeon of Drezzar,” Peter Heeringa and Troy Wilhelmson’s spectacular multilevel dungeon built into a series of dresser drawers.

Well now I feel like my DM isn’t trying hard enough. Move aside, Roll20!

Digital Climate Strike’s Carbon Footprint

Ironically, the web page promoting the “Digital Climate Strike” is among the dirtiest on the Internet, based on the CO2 footprint of visiting it.

Global Climate Strike's "Take Action" webpage
Save your bandwidth: just look at this screenshot of the site instead of visiting.

Going to that page results in about 14 Mb of data being transmitted from their server to your device (which you’ll pay for if you’re on a metered connection). For comparison, reading my recent post about pronouns results in about 356 Kb of data. In other words, their page is forty times more bandwidth-consuming, despite the fact that my page has about four times the word count. The page you’re reading right now, thanks to its images, weighs in at about 650 Kb: you could still download it more than twenty times while you were waiting for theirs.

globalclimatestrike.net/action: "Uh oh! This web page is dirtier than 97% of web pages tested. Oh my, 7.74g of CO2 is produced every time someone visits this web page."
Well that’s got to be pretty embarassing.

Worse still, the most-heavyweight of the content they deliver is stuff that’s arguably strictly optional and doesn’t add to the message:

  • Eight different font files are served from three different domains (the fonts alone consume about 140 Kb) – seven more are queued but not used.
  • Among the biggest JavaScript files they serve is that of Hotjar analytics: I understand the importance of measuring your impact, but making your visitors – and the planet – pay for it is a little ironic.
  • The biggest JavaScript file seems to be for Mapbox, which as far as I can see is never actually used: that map on the page is a static image which, incidentally, I was able to reduce from 0.5 Mb to 0.2 Mb just by running it through a free online image compressor.
Image compression comparison for the map image. Before: 536K, after: 201K (-63%).
This took me literally seconds to do but would save about a twelfth of a second for every single typical 4G user to their site. And it’s not even the worst culprit.

And because the site sets virtually no caching headers, even if you’ve visited the website before you’re likely to have to download the whole thing again. Every single time.

It’s not just about bandwidth: all of those fonts, that JavaScript, their 60 Kb of CSS (this page sent you 13 Kb) all has to be parsed and interpreted by your device. If you’re on a mobile device or a laptop, that means you’re burning through lithium (a non-renewable resource whose extraction and disposal is highly polluting) and regardless of your device you’re using you’re using more electricity to visit their site than you need to. Coding antipatterns like document.write() and active event listeners that execute every time you scroll the page keep your processor working hard, turning electricity into waste heat. It took me over 12 seconds on a high-end smartphone and a good 4G connection to load this page to the point of usability. That’s 12 seconds of a bright screen, a processor running full tilt,a  data connection working its hardest, and a battery ticking away. And I assume I’m not the only person visiting the website today.

This isn’t really about this particular website, of course (and I certainly don’t want to discourage anybody from the important cause of saving the planet!). It’s about the bigger picture: there’s a widespread and long-standing trend in web development towards bigger, heavier, more power-hungry websites, built on top of heavyweight frameworks that push the hard work onto the user’s device and which favour developer happiness over user experience. This is pretty terrible: it makes the Web slow, and brittle, and it increases the digital divide as people on slower connections and older devices get left behind.

(Bonus reading: luckily there’s a counterculture of lean web developers…)

But this trend is also bad for the environment, and when your website exists to try to save it, that’s more than a little bit sad.

× × ×

Note #17025

For the benefit of my South African colleagues on Slack, I give you the #maskchallenge #emoji:

:maskchallenge:

×

Happy Birthday, You’re Fired

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I walked the dog, bought myself a wax jacket from a local garden centre – so I could feel more ‘Country’ – and in the late afternoon my boss called me to say… you’re fired.

So begins Robin‘s latest blog (you may remember I’ve shared, talked about, and contributed to the success of his previous blogging adventure, 52 Reflect). This time around, it sort-of reads like a contemporaneously-written “what I did on my holidays” report, except that it’s pretty-much about the opposite of a holiday: it chronicles Robin’s adventures in the North of England during these strange times.

I’ve no doubt that this represents the start of another riotous series of posts and perhaps exactly what you need to lift your spirits in these trying times. A second chapter is already online.

How to not make a résumé in React

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

I’ve seen a fair share of tutorial links floating around in newsletters and Twitter and the like recently. They all promise the same thing, namely how to use React to create a résumé.

I mean, I get it. It’s important to have something to build towards when learning a new skill, especially with development.

At first blush a résumé seems like a good thing to build towards: They are relatively small in terms of complexity and can probably use content that already exists on your LinkedIn profile. If you’re looking for a job, it’s also a handy way to double-dip on a skill that is in high demand.

I checked out a few of these tutorials, and after noticing some patterns, I’d like to mention a few things you could do to your résumé instead. I’m not going to link to the ones I tested because I don’t want to give bad advice more exposure than it is already getting.

I can’t even begin to conceive of the kind of mind that, when faced with the question of how to put their résumé/CV online, start by installing a Javascript framework. My CV‘s online (and hey, it got me my current job so that’s awesome) and I think it’s perfectly fabulous. Simple, human-readable, semantic HTML with microformats support. Perfectly readable on anything from lynx upwards and you’d probably get by in telnet. Total size including all images, fonts, style and script is under 140kb, and can all be inlined with a quick command so I can have a single-file version that looks just as great (I use this version to email to people, but I’m thinking I ought to just inline everything, all the time). Under 1kb of my payload is JavaScript, and it’s all progressive enhancement: using an IntersectionObserver (which I’ve written about before) to highlight the current “section” of the document in the menu. Print CSS so it looks right when you put it onto dead trees. Etc. etc.

My entire CV requires a quarter of the bandwidth of just the JavaScript of any of the handful of React-based ones I looked up. The mind boggles. I tried disabling JavaScript on a few of them (even if you believe “nobody uses the Web without JavaScript” – and you’re wrong – then you have to admit that sometimes JavaScript fails) and they did horrific things like not loading images or links not working, as if <img> and <a> tags were something that requires you to npm install html@0.9 before they work..

A simpler, faster, more-accessible, more-secure Web is possible. It’s not even particularly hard. It just requires a little thought. Don’t take a sledgehammer to a walnut: the best developers are the ones who choose the right tool for the job. Your résumé/CV is not a real-time backendless application on a post-relational-backed microservices architecture, or whatever’s “hip” this week. It’s a page that you want to be as easy as possible to read by the widest number of people. Why make life harder for you, and for them?

Coronavirus: what the hell do we do now?!

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Andrew provides an excellent summary of the current status of the coronavirus crisis with a focus on the endgame goals. As I watched this, his latest video, I kept writing half-finished comments about the deeper caveats of say vaccine development and the limitations of herd immunity if reinfection is possible… and right before I finished each, he answered them anyway. Sooo… I guess I have no comments. You should just go watch this.

Dan Q found GC4CEXE CowSlip

This checkin to GC4CEXE CowSlip reflects a geocaching.com log entry. See more of Dan's cache logs.

Like many others, I came at this cache from the wrong side of the ditch/fence and had to make my way East a little way to find a suitable crossing point. Cache was easy to find, but it’s definitely in bad condition and not watertight. TFTC.

Understanding Them (Pronouns)

I had a bit of a realisation, this week. I’ve long sometimes found it especially challenging to maintain a mental map of the preferred personal pronouns of people who don’t use “he”, “she”, or “they”. Further than that, it seemed to me that personal pronouns beyond these three ought to be mostly redundant in English. “Them” has been well-established for over six centuries as not just a plural but a singular pronoun, I thought: we don’t need to invent more words.

Over time – even within my lifetime – it’s become noticeably more-commonplace to hear the singular “they”/”them” in place of “he or she”/”him or her”, or single binary pronouns (e.g. when talking about professions which have long been dominated by a particular gender). So you might hear somebody say:

“I will make an appointment to see a doctor and ask them about my persistent cough.”

Venn-Euler diagram showing the "set of all people" containing the subsets "he", "she", and the singular "they".
This seemed a perfectly viable model.

It seemed to me that “they” was a perfect general-purpose stand in for everybody who was well-served by neither “he” nor “she”.

I’ll stress, of course, that I’ve always been fully supportive of people’s preferred pronouns, tried to use them consistently, ensured they can be represented in software I’ve implemented (and pressured others over their implementations, although that’s as-often related to my individual identity), etc. I’ve just struggled to see the need for new singular third-person pronouns like ze, ey, sie, ve, or – heaven forbid – the linguistically-cumbersome thon, co, or peh.

I’d put it down to one of those things that I just don’t “get”, but about which I can still respect and support anyway. I don’t have to totally grok something in order to understand that it’s important to others.

Venn-Euler diagram showing "he" and "she" as separate categories, but the name "they" shared between the subset (individuals for whom this is their individual pronoun) and the superset (one or more people whose genders are unspecified), causing confusion.
Hang on, there’s a problem with this model.

But very recently, I was suddenly struck by a comprehension of one of the reported problems with the use of the singular “they” to refer to people for whom the traditional binary pronouns are not suitable. I’ve tried to capture in the illustration above the moment of understanding when I made the leap.

The essence of this particular problem is: the singular “they” already has a meaning that is necessarily incompatible with the singular “they” used of a nonbinary subject! By way of example, let’s revisit my earlier example sentence:

“I will make an appointment to see a doctor and ask them about my persistent cough.”

Here, I’m saying one of two things, and it’s fundamentally unclear which of the two I mean:

  • I do not know which doctor I will see, so I do not know the pronoun of the doctor.
  • I will see the same doctor I always see, and they prefer a nonbinary pronoun.

The more widespread the adoption of “they” as the third person singular for nonbinary people becomes, the more long-winded it is to clarify specifically which of the above interpretations is correct! The tendency to assume the former leads to nonbinary invisibility, and the (less-likely in most social circles) tendency to assume the latter leads to misgendering.

Venn-Euler diagram showing the superset "they" (all people) containing subsets "he", "she", and an unnamed subset.
Okay, so I guess we do need a third-party singular pronoun that isn’t “they”.

The difference is one of specificity. Because the singular “they” is routinely used non-specifically, where the subject’s preferred pronouns are unknown (as with the doctor, above), unknowable (“somebody wrote this anonymous message; they said…”), or a placeholder (“when I meet somebody, I shake their hand”), it quickly produces semantic ambiguities when it’s used to refer to specific nonbinary individuals. And that makes me think: we can do better.

That said: I don’t feel able to suggest which pronoun(s) ought to replace the question mark in the diagram above. But for the first time, I’m not convinced that it ought to be “they”.

Ultimately, this changes nothing. I regularly use a diversity of different singular pronouns (he”, “she”, and “they”, mostly) based on the individual subject and I’ll continue to acknowledge and respect their preferences. If you’ve you’ve told me that you like to be referred to by the singular “they”, I’ll continue to do so and you’re welcome and encouraged to correct me if I get it wrong!

But perhaps this new appreciation of the limitations of the singular “they” when referring to specific individuals will help me to empathise with those for whom it doesn’t feel right, and who might benefit from more-widespread understanding of other, newer personal pronouns.

(and on the off chance anybody’s found their way to this page looking for my pronouns: I’m not particularly fussy, so long as you’re consistent and don’t confuse your audience, but most people refer to me with traditional masculine pronouns he/him/his)

× × ×

Ted Chiang Explains the Disaster Novel We All Suddenly Live In

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

While there has been plenty of fiction written about pandemics, I think the biggest difference between those scenarios and our reality is how poorly our government has handled it. If your goal is to dramatize the threat posed by an unknown virus, there’s no advantage in depicting the officials responding as incompetent, because that minimizes the threat; it leads the reader to conclude that the virus wouldn’t be dangerous if competent people were on the job. A pandemic story like that would be similar to what’s known as an “idiot plot,” a plot that would be resolved very quickly if your protagonist weren’t an idiot. What we’re living through is only partly a disaster novel; it’s also—and perhaps mostly—a grotesque political satire.

What will “normal” look like after the coronavirus crisis has passed? Will it be the same normal as we’re used to? Or could we actually learn some lessons from this and progress towards something better?

I love Ted Chiang’s writing; enough to reshare this interview even though I’m only lukewarm about it!

Third-party libraries and security issues

This is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Earlier this week, I wrote about why you should still use vanilla JS when so many amazing third-party libraries exist.

A few folks wrote to me to mention something I missed: security.

When you use code you didn’t author, you’re taking a risk. You’re trusting that the third-party code does not have security issues, that the author has good intent.

Chris makes a very good point, especially for those developers of the npm install every-damn-thing persuasion: getting an enormous framework that you don’t completely understand just because you need  a small portion of its features is bad security practice. And the target is a juicy one: a bad actor who finds (or introduces) a vulnerability in a big and widely-used library has a whole lot of power. Security concerns are a major part of why I go vanilla/stdlib where possible.

But as always with security the answer isn’t so clear-cut and simple, and I’d argue that it’s dangerous to encourage people to write their own solutions as a matter of course, for security reasons. For a start, you should never roll your own cryptographic libraries because you’re almost certainly going to fuck it up: an undetectable and easy-to-make mistake in your crypto implementation can lead to a catastrophic cascade and completely undermine the value of your cryptography. If you’re smart enough about crypto to implement crypto properly, you should contribute towards one of the major libraries. And if you’re not smart enough about crypto (and if you’re not sure, then you’re not), you should use one of those libraries. And even then you should take care to integrate and use it properly: people have been tripped over before by badly initialised keys or the use of the wrong kind of cipher for their use-case. Crypto is hard enough that even experts fuck it up and important enough that you can’t afford to get it wrong.

The same rule applies to a much lesser extent to other parts of your application, and especially for beginner developers. Implementing an authentication/authorisation system isn’t hard, but it’s another thing where getting it wrong can have disastrous consequences. Beginner (and even intermediate) developers routinely make mistakes with this kind of feature: unhashed, reversibly-encrypted, or incorrectly-hashed (wrong algorithm, no salt, etc.) passwords, badly-thought-out password reset strategies, incompletely applied access controls, etc. I’m confident that Chris and I would be in agreement that the best approach is for a developer to learn to implement these things properly and then do so. But if having to learn to implement them properly is a barrier to getting started, I’d rather than a beginner developer instead use a tried-and-tested off-the-shelf like Devise/Warden.

Other examples of things that beginner/intermediate developers sometimes get wrong might be XSS protection and SQL parameter escaping. And again, for languages that don’t have safety features built in, a framework can fill the gap. Rolling your own DOM whitelisting code for a social application is possible, but using a solution like DOMPurify is almost-certainly going to be more-secure for most developers because, you guessed it, this is another area where it’s easy to make a mess of things.

My inclination is to adapt Chris’s advice on this issue, to instead say that for the best security:

  1. Ideally: understand what all your code does, for example because you wrote it yourself.
  2. However: if you’re not confident in your ability to implement something securely (and especially with cryptography), use an off-the-shelf library.
  3. If you use a library: use the usual rules (popularity, maintenance cycle, etc.) to filter the list, but be sure to use the library with the smallest possible footprint – the best library should (a) do only the one specific task you need done, and no more, and (b) be written in a way that lends itself to you learning from it, understanding it, and hopefully being able to maintain it yourself.

Just my tuppence worth.