Internetland

This blog post is about password security. If you don’t run a website and you just want to know what you should do to protect yourself, jump to the end.

I’d like to tell you a story about a place called Internetland. Internetland is a little bit like the town or country that you live in, but there’s one really important difference: in Internetland, everybody is afflicted with an unusual disorder called prosopagnosia, or “face-blindness”. This means that, no matter how hard they try, the inhabitants of Internetland can’t recognise each other by looking at one another: it’s almost as if everybody was wearing masks, all the time.

Denied the ability to recognise one another on sight, the people of Internetland have to say out loud who they are when they want to be identified. As I’m sure you can imagine, it’d be very easy for people to pretend to be one another, if they wanted. There are a few different ways that the inhabitants get around that problem, but the most-common way is that people agree on and remember passwords to show that they really are who they claim to be.

Alice’s Antiques

Alice runs an antiques store in Internetland. She likes to be able to give each customer a personalised service, so she invites her visitors to identify themselves, if they like, when they come up to the checkout. Having them on file means that she can contact them about special offers that might interest them, and she can keep a record of their address so that the customer doesn’t have to tell her every time that they want a piece of furniture delivered to their house.

An antique desk and chair.
Some of Alice’s Antiques’ antiques.

One day, Bob came by. He found a nice desk and went to the checkout to pay for it.

“Hi,” said Alice, “Have you shopped here before?” Remember that even if he’d visited just yesterday, she wouldn’t remember him, so crippling is her face-blindness.

“No,” replied Bob, “First time.”

“Okay then,” Alice went on, “Would you like to check out ‘as a guest’, or would you like to set up an account so that I’ll remember you next time?”

Bob opted to set up an account: it’d only take a few minutes, Alice promised, and would allow him to check out faster in future. Alice gave Bob a form to fill in:

A form filled in with name - Bob, password - swordfish1, address - 1, Fisherman's Wharf, Internetland, and with a box ticked to allow a catalogue to be posted.
Bob filled in the form with his name, a password, and his address. He ticked the box to agree that Alice could send him a copy of her catalogue.

Alice took the form and put it into her filing cabinet.

The following week, Bob came by Alice’s Antiques again. When he got to the checkout, Alice again asked him if he’d shopped there before.

“Yes, I’ve been here before,” said Bob, “It’s me: Bob!”

Alice turned to her filing cabinet and pulled out Bob’s file. This might sound like a lot of work, but the people of Internetland are very fast at sorting through filing cabinets, and can usually find what they’re looking for in less than a second. Alice found Bob’s file and, looking at it, challenged Bob to prove his identity:

“If you’re really Bob – tell me your password!”

“It’s swordfish1,” came the reply.

Alice checked the form and, sure, that was the password that Bob chose when he registered, so now she knew that it really was him. When he asked for a set of chairs he’d found to be delivered, Alice was able to simply ask, “You want that delivered to 1 Fisherman’s Wharf, right?”, and Bob just nodded. Simple!

Evil Eve

That night, a burglar called Eve broke into Alice’s shop by picking the lock on the door (Alice never left money in the till, so she didn’t think it was worthwhile buying a very good lock). Creeping through the shadows, Eve opened up the filing cabinet and copied out all of the information on all of the files. Then, she slipped back out, locking the door behind her.

Alice’s shop has CCTV – virtually all shops in Internetland do – but because it wasn’t obvious that there had been a break-in, Alice didn’t bother to check the recording.

CCTV camera.
Alice has CCTV, but she only checks the recording if it’s obvious that something has happened.

Now Eve has lots of names and passwords, so it’s easy for her to pretend to be other Internetlanders. You see: most people living in Internetland use the same password at most or all of the places they visit. So Eve can go to any of the other shops that Bob buys from, or the clubs he’s part of, or even to his bank… and they’ll believe that she’s really him.

One of Eve’s favourite tricks is to impersonate her victim and send letters to their friends. Eve might pretend to be Bob, for example, and send a letter to his friend Charlie. The letter might say that Bob’s short on cash, and ask if Charlie can lend him some: and if Charlie follows the instructions (after all, Charlie trusts Bob!), he’ll end up having his money stolen by Eve! That dirty little rotter.

So it’s not just Bob who suffers for Alice’s break-in, but Charlie, too.

Bob Thinks He’s Clever

Bob thinks he’s cleverer than most people, though. Rather than use the same password everywhere he goes, he has three different passwords. The first one is his “really secure” one: it’s a good password, and he’s proud of it. He only uses it when he talks to his bank, the tax man, and his credit card company – the stuff he thinks is really important. Then he’s got a second password that he uses when he goes shopping, and for the clubs he joins. A third password, which he’s been using for years, he reserves for places that demand that he chooses a password, but where he doesn’t expect to go back to: sometimes he joins in with Internetland debates and uses this password to identify himself.

Bob's password list - his high-security password is "h@mm3rHead!", his medium-security one is "swordfish1", and his low-security one is "haddock".
Bob’s password list. Don’t tell anybody I showed you it: Bob’ll kill me.

Bob’s approach was cleverer than most of the inhabitants of Internetland, but it wasn’t as clever as he thought. Eve had gotten his medium-security password, and this was enough to persuade the Post Office to let her read Bob’s mail. Once she was able to do this, she went on to tell Bob’s credit card company that Bob had forgotten his password, so they sent him a new one… which she was able to read. She was then able to use this new password to tell the credit card company that Bob had moved house, and that he’d lost his card. The credit card company promptly sent out a new card… to Eve’s address. Now Eve was able to steal all of Bob’s money. “Muhahaha!” chortled Eve, evilly.

But even if Bob hadn’t made the mistake of using his “medium-security” password at the Post Office, Eve could have tried a different approach: Eve would have pretended to be Alice, and asked Bob for his password. Bob would of course have responded, saying “It’s ‘swordfish1’.”

Then Eve would have done something sneaky: she’d have lied and said that was wrong. Bob would be confused, but he’d probably just think to himself, “Oh, I must have given Alice a different password.”

“It must be ‘haddock’, then,” Bob would say.

“Nope; wrong again,” Eve would say, all the while pretending to be Alice.

“Surely it’s not ‘h@mm3rHead!’, is it?” Bob would try, one last time. And now Eve would have all of Bob’s passwords, and Bob would just be left confused.

Good Versus Eve

What went wrong in Internetland this week? Well, a few things did:

Alice didn’t look after her filing cabinet

For starters, Alice should have realised that the value of the information in her filing cabinet was worth at least as much as money would be, to the right kind of burglar. It was easy for her to be complacent, because it wasn’t her identity that was most at risk, but that of her customers. Alice should have planned her security in line with that realisation: there’s no 100% certain way of stopping Eve from breaking in, but Alice should have done more to make it harder for Eve (a proper lock, and perhaps a separate, second lock on the filing cabinet), and should have made it so that Eve’s break-in was likely to be noticed (perhaps skimming through the security tapes every morning, or installing motion sensors).

But the bigger mistake that Alice made was that she kept Bob’s password in a format that Eve could read. Alice knew perfectly well that Bob would probably be using the same password in other places, and so to protect him she ought to have kept his password encrypted in a way that would make it virtually impossible for Eve to read it. This, in combination with an effort to insist that her customers used good, strong passwords, could have completely foiled Eve’s efforts, even if she had managed to get past the locks and CCTV unnoticed.

Here in the real world: Some of Alice’s mistakes are not too dissimilar to the recently-publicised mistakes made by LinkedIn, eHarmony, and Last.fm. While these three giants did encrypt the passwords of their users, they did so inadequately (using mechanisms not designed for passwords, by using outdated and insecure mechanisms, and by failing to protect stolen passwords from bulk-decryption). By the way: if you have an account with any of these providers, you ought to change your password, and also change your password anywhere else that uses the same password… and if this includes your email, change it everywhere else, too.
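The difference between what Alice did, what the big sites did, and what a filing cabinet built for passwords looks like, as an added example that is not from the original post: the cabinet is modelled as a Python dict, Bob and “swordfish1” are the page’s own, while the second customer Dave, the record layout, and the PBKDF2 parameters are this example’s assumptions.

```python
import hashlib
import hmac
import os

# Alice's filing cabinet, modelled as a dict of customer name -> record.
# The record layout and iteration count below are this example's choices.
PBKDF2_ITERATIONS = 200_000  # deliberately slow, so bulk guessing is expensive


def store_plaintext(cabinet, name, password):
    """What Alice actually did: the form goes into the cabinet exactly as written."""
    cabinet[name] = {"scheme": "plain", "secret": password}


def store_unsalted_sha1(cabinet, name, password):
    """The LinkedIn-style mistake: a fast general-purpose hash, with no salt."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    cabinet[name] = {"scheme": "sha1", "secret": digest}


def store_salted_pbkdf2(cabinet, name, password):
    """A password-specific scheme: a random per-customer salt and a slow key derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    cabinet[name] = {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "secret": digest.hex(),
    }


def check_password(cabinet, name, attempt):
    """Alice's checkout challenge: does the password offered match the record on file?"""
    record = cabinet.get(name)
    if record is None:
        return False
    attempt_bytes = attempt.encode("utf-8")
    if record["scheme"] == "plain":
        candidate = attempt_bytes
        expected = record["secret"].encode("utf-8")
    elif record["scheme"] == "sha1":
        candidate = hashlib.sha1(attempt_bytes).hexdigest().encode("ascii")
        expected = record["secret"].encode("ascii")
    elif record["scheme"] == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac(
            "sha256", attempt_bytes, bytes.fromhex(record["salt"]), record["iterations"]
        )
        expected = bytes.fromhex(record["secret"])
    else:
        raise ValueError("unknown scheme in record")
    # Constant-time comparison, so timing does not leak how much of the secret matched.
    return hmac.compare_digest(candidate, expected)


def what_eve_sees(cabinet):
    """Eve copies every file: the stored secret is all she gets for each customer."""
    return {name: record["secret"] for name, record in cabinet.items()}


def same_password_same_record(cabinet, name_a, name_b):
    """True when two customers' stored secrets are identical. That tells Eve they share
    a password, and it means one precomputed table of guesses covers every customer."""
    return cabinet[name_a]["secret"] == cabinet[name_b]["secret"]


def demo():
    """Run the same two customers through each scheme and report what each one leaks."""
    results = {}
    for store in (store_plaintext, store_unsalted_sha1, store_salted_pbkdf2):
        cabinet = {}
        store(cabinet, "Bob", "swordfish1")
        store(cabinet, "Dave", "swordfish1")  # Dave (constructed) happens to pick the same password
        results[store.__name__] = {
            "bob_can_log_in": check_password(cabinet, "Bob", "swordfish1"),
            "wrong_password_rejected": not check_password(cabinet, "Bob", "haddock"),
            "eve_reads_password_directly": what_eve_sees(cabinet)["Bob"] == "swordfish1",
            "eve_sees_bob_and_dave_match": same_password_same_record(cabinet, "Bob", "Dave"),
        }
    return results


if __name__ == "__main__":
    for scheme, outcome in demo().items():
        print(scheme, outcome)
```

All three schemes let Bob log in; only the salted, slow one leaves Eve with a file that neither reveals the password nor tells her which customers chose the same one.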

Bob should have used different passwords everywhere he went

Good passwords should be long (8 characters should be an absolute minimum, now, and Bob really ought to start leaning towards 12), complex (not based on a word in any dictionary, and made of a mixture of numbers, letters, and other characters), and not related to you (dates of birth, names of children, and the like are way out). Bob had probably heard all of that a hundred times.

But good passwords should also be unique. You shouldn’t ever use the same password in two different places. This was Bob’s mistake, and it’s the mistake of almost everybody else in Internetland, too. What Bob probably didn’t know was that there are tools that could have helped him to have a different password for everybody he talked to, yet still been easier than remembering the three passwords he already remembered.

Here in the real world: There are some really useful tools to help you, too. Here are some of them:

  • LastPass helps you generate secure passwords, then stores encrypted versions of them on the Internet so that you can get at them from anywhere. After a short learning curve, it’s ludicrously easy to use. It’s free for most users, or there are advanced options for paid subscribers.
  • KeePass does a similar thing, but it’s open source. However, it doesn’t store your encrypted passwords online (which you might consider to be an advantage), so you have to carry a pen drive around or use a plugin to add this functionality.
  • SuperGenPass provides a super-lightweight approach to web browser password generation/storing. It’s easy to understand and makes it simple to generate different passwords for every site you use, without having to remember all of those different passwords!
  • One approach for folks who like to “roll their own” is simply to put a spreadsheet or a text file into a TrueCrypt (or similar) encrypted volume, which you can carry around on your pendrive. Just decrypt and read, wherever you are.
  • Another “manual” approach is simply to use a “master password” everywhere, prefixed or suffixed with a (say) 4-5 character modifier, that you vary from site to site. Keep your modifiers on a Post-It note in your wallet, and back it up by taking a picture of it with your mobile phone. So maybe your Skype suffix is “8Am2%”, so when you log into Skype you type in your master password, plus that suffix. Easy enough that you can do it even without a computer, and secure enough for most people.

Spee Kin Dork Weans Anguish

Door Anguish languish moose beer month a moth faux net tickley verses tile ant flecks a bill languishes spur ken honours. Wither ladle procters, eaters easer two ewes whirrs inn quiet weedy queue louse weighs.

Dizzy woo nose a tin naan teen fitter sex, ah gentile moon aimed Hough Ardle Chase deed eggs ark lead art? Hear oat uh buck kern tame in severer furry tells, nosier rams, fey mouse tells, ant thongs, end duke cane henge joy atoll own lion. Half pun wit tit!

Par hips eye shut starred rye teen owl may blocks boats lark these?

The Signal and the Noise

The Signal and The Noise, by Andrew Paul Regan.

I’d just like to say a few words of praise for Andy‘s new album, The Signal and the Noise. It’s not the first time I’ve said nice things about him, but it’s the first time since he’s been recording under his full name, rather than as “Pagan Wanderer Lu”.

I can say this for sure, though: The Signal and the Noise has finally dethroned my previous favourite Lu album, Build Library Here (or else!). It’s catchy, it’s quirky, and it’s full of songs that will make you wish that you were cleverer: so far, so good. I think that one of the things that particularly appealed to me in this album was that the lyrical themes touched on so many topics that interest me: religion and superstition, artificial intelligence, the difficulties of overcoming materialism, cold war style espionage, and cryptography/analysis… all wrapped up in fun and relatable human stories, and with better-than-average running themes, links, and connections.

One of the joys of Andy’s (better) music comes from the fact that rather than interpretation, it lends itself far better to being issued with a reading list. To which end, here’s a stack of Wikipedia articles that might help you appreciate this spectacular album a little better, for the benefit of those of you who weren’t lucky enough to have read all of this stuff already:

Oh; backing vocals, you’re too kind! But this is just another chapter in the story of my life.

The Omniscient Narrator

The final track’s a little weaker than the rest (the actual final track, not the “hidden track” bit), and I’m left with a feeling that this was so-close but not quite a concept album (which would have been even more spectacular an achievement), but these are minor niggles in the shadow of an otherwise monumental album.

Go get a copy.

By the way; I’ve got a spare – who wants it? Spare copy’s gone to Claire as an early birthday present. Somehow she failed to preorder a copy of her own.

Looking for an alternate opinion? Here’s a guy who didn’t “get it”.


Signs Seen in Service Stations

It feels like most of the time I’ve spent in a car this year, so far, has been for travel related to somebody’s recent death. And so it was that yesterday, Ruth, JTA and I zipped up and down the motorway to attend the funeral of Ruth’s grandmother.

It went really well, but what I wanted to share with you today was two photos that I took at service stations along the way.

Sign: "Alcohol purchases in this motorway service area can not be consumed inside or outside the premises."
A sign I discovered at a motorway service station.

This one confuses me a lot. If I buy alcohol from this service area, I can’t drink it either inside… or outside… the premises. Are they unlicensed, perhaps, and so the only way they’re allowed to sell us alcohol is if we promise not to drink it? Or is it perhaps the case that they expect us only to consume it when we’re in a parallel dimension?

Costa's slogan, "The Americano Addicts."
Costa have decided to cut down on graffiti by writing all over their own walls.

It’s hard to see in the second photo without clicking (to see it in large-o-vision), but the sign on the opposite wall in this Costa Coffee implies the possibility of being an “Americano Addict”. And there was something about that particular marketing tack that made me cringe.

Imagine that this was not a café but a bar, and substitute the names of coffees with the names of alcoholic beverages. Would it be cool to advertise your products to the “wine addicts” or the “beer addicts” of the world? No: because alcoholism isn’t hip and funny… but caffeine addiction is? Let’s not forget that caffeine is among the most-addictive drugs in the world. Sure, caffeine addiction won’t wreck your liver like alcohol will or give you cancer like smoking tobacco (the most-popular way to consume nicotine) will, but that doesn’t detract from the fact that there are many people for whom a dependency upon caffeine is a very real part of their everyday life.

Is it really okay to make light of this by using such a strong word as “addict” in Costa’s marketing? Even if we’re sticking with alliteration to fit in with the rest of their marketing, wouldn’t “admirer” or “aficionado” be better? And at least that way, Costa wouldn’t leave me with a bitter taste in my mouth.


Eurovision Spectacular 2012

As I’m sure you’re aware, Saturday marks the final of the 2012 Eurovision Song Contest, the musical highlight of the year. You may also know that there’s been a long tradition among our group of friends to have a Eurovision Party to mark the occasion, generally hosted by Adam. If you’ve somehow missed this event, then here’s some background reading that might help you understand how it came to be what it is: me, 2005; Liz, 2005; Paul, 2005; Adam, 2006; Adam, 2007 (1); me, 2007; Adam, 2007 (2); Matt R, 2007; Adam on Paul’s blog, 2008; Adam, 2008; Adam, 2010; Adam, 2011; me, 2011. Like I said… a long history.

For the last few years, though, the population of Aberystwyth has been dwindling, and Adam’s parties have turned from an immense hard-to-squeeze-everybody-in ordeal to a far more civilised affair. While simultaneously, groups of ex-Aberystwyth people (like those of us down in Oxford, and those who are up in the North) have been having their own splinter satellite parties.

And you know what? I miss doing Eurovision Night with you guys. So this year, we’re going to try to bring Eurovision Night back to its roots… with technology!

Google+ Hangouts. One of the technologies that will bring us closer this Eurovision Night.

Here’s where the parties are at, this year:

  • Adam’s house, in Aberystwyth – mission control
  • New Earth, in Oxford (hosted by Ruth, JTA, and I) – technical operations
  • …and… anybody else having one this year? One of you up in the North, perhaps?

If you’re one of the usual crew, or one of our newer friends, come on over and join the party! Or if you’re going to be watching from further North (Liz? Simon? Gareth? Penny? Matt? Matt? Kit? Fi?), let me know so that I can bring you in on my proposals for “sharing the experience”, drawing together our votes, and whatnot.

And regardless of whether you’ll be joining one of these parties in person, or not, I hope you’ll be joining The Party at Adam’s and The Party on New Earth digitally. If you’re among the 17 people who are actually on Google+, come and join us in our Hangout! Dust off that old webcam and point it at you or your little party, make sure you’re in Adam or I’s “circles”, and then log in on Eurovision Night and join us via the power of the Internet! You’ll have to provide your own crisps and beer, and (unless you’re at Adam’s) you’ll need to bake your own cupcakes with adorable European-flag icing, too, but at least you can be part of the moment with the rest of us.

See you online!


Worst Weekend Of Cinema – Part 2

This weekend was the worst net weekend of cinemagoing experiences that I’ve ever had. I went to the cinema twice, and both times I left dissatisfied. An earlier blog post talked about the second of the two trips: this is about the first.

You know what – 2012 has been a pretty shit year, so far. We’ve had death (my father’s), more death (my partner’s grandmother’s), illness (my sister’s horrific face infection), and injury (a friend of mine lost her leg to a train, a few weeks ago, under very tragic circumstances). We’ve had breakups (a wonderful couple I know suddenly separated) and busy-ness (a cavalcade of day-job work, Three Rings work, course work, and endless bureaucracy as executor of my dad’s will).

But it gets worse:

Piranha 3DD. Twice the terror. Double the D's.
Of all the things that have gone horribly, tragically wrong so far this year… going to the cinema to watch this film was the worst.

On Friday night, I went out with my family to watch Piranha 3DD.

This is one of those bad films that falls into the gap of mediocrity between films that are bad but watchable and films that are so bad that they wrap right around to being enjoyable again (you know, the “so bad they’re good” kind of movies). To summarise:


The Good

  • Lots of nudity, all presented in 3D. If there’ll ever be anything that convinces me that 3D films are a good idea, porn will probably be it. Boobs boobs boobs.
  • Fun cameos from Christopher Lloyd (Doc Brown!), David Hasselhoff, and Ving Rhames, along with enjoyable accompanying pop culture references.



The Bad

  • 3D films remain a pointless gimmick, still spending most of their time playing up the fact that they’re 3D (lots of long objects, like broom handles, pointing towards the camera, etc.), and still kinda blurry and headache-inducing. Plus: beams of light (e.g. from a torch) in 3D space don’t look like that. The compositor should be fired.
  • The cameos mostly serve to show off exactly how unpolished the acting is of the less well-known actors.
  • Plenty of less-enjoyable pop culture references: if you’re not going to do the “false leg is actually a gun” thing even remotely as well as Planet Terror, don’t even try – it’s like trying to show a good movie in the middle of your crappy movie, but not even managing to do that.
  • Unlikeable, unmemorable characters who spend most of their time engaging in unremarkable teen drama bullshit. Same old sex joke repeated as many times as they think they can get away with. And then a couple of times more.
  • Lackluster special effects: mangled bodies that don’t look much like bodies, vicious fish don’t look remotely like fish (and, for some reason, growl at people), and CGI that would look dated on a straight-to-video release.


So yeah: give that one a miss.


Worst Weekend Of Cinema – Part 1

This weekend was the worst net weekend of cinemagoing experiences that I’ve ever had. I went to the cinema twice, and both times I left dissatisfied. This blog post is about the second of the two trips.

Avengers Assemble.
Man, this movie looks good. Wish I was watching it and not, say, a black screen.

The less-awful of the two trips happened on Saturday. Ruth, JTA and I turned up for the 20:10 showing of Avengers Assemble at Oxford Vue. We were quite surprised, entering the cinema right on time, to find that they weren’t already showing adverts and trailers – the screen was completely dark – but we found our way to our seats and sat down anyway.

A little over 20 minutes later, nothing had happened, so I went out to where the ticket collectors were doing their thing, down the corridor, and asked if they were planning on showing a film in screen six at some point this evening. “There’s a technical problem with the projector,” I was informed, “We’re trying to fix it now.”

“When were you planning on telling the audience who are all just sat there in the dark?” I asked. There were mumbles of concern, but they were half-hearted: these people were paid primarily to tear tickets, not to deal with irate customers. The stub collector apologised, and I returned to the cinema to feed back to the others. Sensing the dissatisfaction of the other audience members, I briefly considered making an announcement to them all: “Ladies and gentlemen: I regret to inform you that Vue Cinemas doesn’t care about you enough as human beings to tell you themselves, but there’s a technical fault and they’re working on repairing it.” Instead, I grumbled to myself in a British fashion and took my seat.

“I could have downloaded a pirated copy by now,” I joked, “But then I wouldn’t be getting the real cinema experience.”

“For example, it’d start when you pressed the play button,” replied JTA.

(for those of you who know the story of his employment there, you might be unsurprised to hear that this was the very Vue cinema at which Paul worked, very briefly)

An audience falling asleep.
"Is the film on yet?" / "Nope; still just a black screen."

A little while later – still with no announcement from staff, we got sick of the whole thing and went and demanded a refund. The manager – when we finally got to see him (apparently he’s also the guy who was fixing the projector: I guess the cinema must be run on a skeleton staff) – was suitably apologetic, offering us free passes for our next visit as well as giving us a full refund. Another staff member apologised for the delay in sorting out the refund, explaining that “it always gets busy, especially on Orange Wednesdays.” I’m not sure why he told us this, given that it was now Saturday. Perhaps there were still patrons from the previous Wednesday, also still waiting to see their film, too.

As we explained to the manager, it wasn’t the wait that bothered us so much as the lack of information about the reason (or an estimate of the duration) of the delay. All it would have taken would have been a staff member to turn up at five or ten minutes, apologise, and explain, and we’d have understood: things break sometimes. All we wanted was a little respect.


Pay To Post

I see that Facebook is experimenting with allowing you to pay a nominal fee to make sure that your posts end up “highlighted” over those of your friends’ other friends. That’s a whole new level of crazy… or is it?

A screenshot of Facebook's new "Highlight" feature. For about a quid, you can push your wall posts to the top of everybody's list.

I’m not on Facebook, but I think that this is a really interesting piece of news. The biggest thing that makes Facebook unusable (and which also affects Twitter) is that people will post every little banal thing that comes to their mind. I don’t care what you’re eating for your lunch. I don’t want to read the lyrics of some song that must have been written for you. I really can’t stand your chain messages (for a while there, after I hadn’t received any by email for a few years, I hoped that they’d died out… but it turns out that they just moved to Facebook instead). If you’re among my friends, I know that you have some pretty smart and interesting things to say… but unless I’m willing to spend hours sifting through the detritus it’s buried in, I’ll never find it.

Social Media Citation. The littering fine tickets of the digital generation.

But this might work. If the price sweet spot can be found, and it’s marketed right, then this kind of feature might make services like Facebook more tolerable. When you’re writing about a cute picture of the cat you’ve seen, that’s fine. And when you write something I might care about, you can tick the “this is actually relevant” box. You’ll have to pay a few pence, but at least you know I’ll see it. And if I want to churn through reams of “X likes Chocolate” (who doesn’t?) and “Y is… in a queue for the bus” then I can turn off the “only relevant things” mode and waste some time.

The problem is that the sweet spot will vary from person to person, and there’s no way to work around that. Big Bucks Bob can probably afford to pay a couple of pounds every time he wants to push some meme photo to the top of your feed, but Poor Penniless Penny can’t even justify ten pence to make sure that all of her friends hear about her birthday party.

Google+ tries to use heuristics to show you "top" content you might be interested in. It feels less insidious than charging you, as Facebook will, but it still doesn't quite work.

It’s a pity that it won’t work, because a part of me is drawn to the idea that economic theory can help to improve the signal-to-noise ratio in our information-saturated lives. Turning my attention to email: of all the cost-based anti-spam systems, I was always quite impressed with Hashcash (which Microsoft seem to be reinventing with their Penny Black project). The idea is that your computer does some hard-to-do (but easy-to-verify) computational work for each and every email that it sends. But in its own way, Hashcash has a similar problem to Facebook’s new system: a sender’s ability to pay is not directly proportional to their relevance to the recipient. If my mother wants to send me an email from her aging smartphone, should she have to wait for several minutes while it processes and generates an “e-stamp”, just because – if it were made any faster – spammers with zombie networks of computers could do so too easily?

Yes, I just equated your social network status, about what you ate for your lunch, with spam. If you don’t like it, don’t share this blog post with your friends.

hashcash token: 1:20:120511:https://danq.me/2012/05/11/pay-to-post/::UVHo081pj6bSDWkI:00000000000001sxI
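The hard-to-do, easy-to-verify exchange that Hashcash is built on, as an added example that is neither the author’s code nor the hashcash tool itself: the stamp at the end of the post is parsed only to show its field layout (it is years old, so the age check would rightly reject it), and the 16-bit difficulty, the hex counter, and the way a colon inside the resource URL is handled are this example’s assumptions.

```python
import base64
import hashlib
import os
from datetime import datetime, timedelta, timezone

# The stamp from the end of the post above, used here only to show the field layout.
PAGE_STAMP = "1:20:120511:https://danq.me/2012/05/11/pay-to-post/::UVHo081pj6bSDWkI:00000000000001sxI"


def leading_zero_bits(digest):
    """Count how many leading bits of a digest are zero."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def parse_stamp(stamp):
    """Split a version-1 stamp into ver:bits:date:resource:ext:rand:counter.
    Assumption for this demo: the resource may itself contain colons (as the URL above
    does), so it is taken as everything between the third and the last three separators."""
    head = stamp.split(":", 3)
    if len(head) != 4 or head[0] != "1":
        raise ValueError("not a version-1 hashcash stamp")
    tail = head[3].rsplit(":", 3)
    if len(tail) != 4:
        raise ValueError("stamp has too few fields")
    return {
        "bits": int(head[1]),
        "date": head[2],
        "resource": tail[0],
        "ext": tail[1],
        "rand": tail[2],
        "counter": tail[3],
    }


def mint(resource, bits=16, date=None, rand=None):
    """The sender's hard work: try counters until SHA-1 of the stamp begins with `bits`
    zero bits. Expected cost is about 2**bits hashes; the hex counter is this demo's choice."""
    date = date or datetime.now(timezone.utc).strftime("%y%m%d")
    rand = rand or base64.b64encode(os.urandom(12)).decode("ascii")
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    counter = 0
    while True:
        stamp = prefix + format(counter, "x")
        if leading_zero_bits(hashlib.sha1(stamp.encode("utf-8")).digest()) >= bits:
            return stamp
        counter += 1


def verify(stamp, resource, required_bits, seen=None, today=None, max_age_days=28):
    """The recipient's cheap check: a single SHA-1, plus the bookkeeping that stops one
    stamp being reused or kept forever. Returns (ok, reason)."""
    try:
        fields = parse_stamp(stamp)
        minted = datetime.strptime(fields["date"], "%y%m%d").replace(tzinfo=timezone.utc)
    except ValueError as exc:
        return False, f"malformed stamp: {exc}"
    if fields["resource"] != resource:
        return False, "stamp was minted for a different resource"
    if fields["bits"] < required_bits:
        return False, "stamp claims fewer bits than we require"
    digest = hashlib.sha1(stamp.encode("utf-8")).digest()
    if leading_zero_bits(digest) < fields["bits"]:
        return False, "hash does not have the claimed number of leading zero bits"
    today = today or datetime.now(timezone.utc)
    if today - minted > timedelta(days=max_age_days) or minted - today > timedelta(days=2):
        return False, "stamp is expired or post-dated"
    if seen is not None:
        if stamp in seen:
            return False, "stamp has already been spent"
        seen.add(stamp)
    return True, "ok"


def demo(resource="bob@internetland.example", bits=16):
    """Mint one stamp (constructed recipient address) and show which checks accept or reject it."""
    stamp = mint(resource, bits)
    seen = set()
    return {
        "fresh_stamp_accepted": verify(stamp, resource, bits, seen)[0],
        "replay_rejected": not verify(stamp, resource, bits, seen)[0],
        "other_recipient_rejected": not verify(stamp, "charlie@internetland.example", bits)[0],
        "harder_policy_rejected": not verify(stamp, resource, bits + 4)[0],
        "stale_stamp_rejected": not verify(
            stamp, resource, bits, today=datetime.now(timezone.utc) + timedelta(days=60)
        )[0],
    }
```

Minting at 16 bits takes tens of thousands of hashes while verifying takes one, which is the asymmetry the post describes; the page’s stamp claims 20 bits, so its sender did roughly sixteen times more work than this demo does.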


On This Day In 2005

Looking Back

On this day in 2005 (actually tomorrow, but I needed to publish early) I received an unusual parcel at work, which turned out to contain a pan, wooden spoon, tin of spaghetti hoops, loaf of bread… and an entire electric hob.

A parcel from Paul, containing everything required to make a “proper” plateful of spaghetti hoops on toast.

This turned out, as I describe in my blog post of the day, to have been the result of a conversation that the pair of us had had on IRC the previous day, in which he called me a “Philistine” for heating my lunchtime spaghetti hoops in the office microwave. This was a necessity rather than a convenience, given that we didn’t have any other mechanism for heating food (other than a toaster, and that’s a really messy way to heat up tinned food…).

It was a different time: a time when the lives of many of my friends were still centred around academic pursuits (Siân was working on and handing in her dissertation, as was Liz, Claire was getting results back, Ruth was stressed out by a useless student on her team, Paul took things too far, and even JTA was suffering: struggling with the wordcount of an essay that he considered handing in late). It was a time when our evenings were being consumed watching Knightmare (my blog posts mentioning: the first series, first half of second series, second half of second series, Ruth’s commentary) or at the Ship & Castle (both, sadly, without Siân). It was a time when Andy worked at the cafe under The Flat, like we were all in some kind of sitcom or something.

It was clearly a time when we were all blogging quite regularly: apologies for the wall of links (a handful of which, I’m afraid, might be restricted). Be glad that I spared you all the posts about the 2005 General Election, which at the time occupied a lot of the Abnib blogosphere. We were young, and idealistic, and many of us were students, and most of us hadn’t yet been made so cynical by the politicians who have come since.

Another shot of the parcel. This wasn’t posted, mind: he lugged this over to my office by hand, and dropped it off at the reception desk.

And, relevantly, it was a time when Paul was able to express his randomness in some particularly quirky ways. Like delivering me a food parcel at work. He’s always been the king of random events, like organising ad-hoc hilltop trips that turned out to be for the purpose of actually releasing 99 red (helium) balloons. I tried to immortalise his capacity for thinking that’s not just outside the box, but outside the known Universe, when I wrote his character into Troma Night Adventure, but I’m not sure I quite went far enough.

Looking Forward

It seems so long ago now: those Aberystwyth days, less than a year out of University myself. When I look back, I still find myself wondering how we managed to find so much time to waste on categorising all of the pages on the RockMonkey wiki. I suppose that nowadays we’ve traded the spontaneity to say “Hey: card games in the pub in 20 minutes: see you there!” on a blog and expect it to actually work, for a more-structured and planned existence. More recently, we’ve spent about a fortnight so far discussing what day of the week we want our new monthly board games night to fall on.

There are still just enough crazy random happenstances in my life, though, as I discovered recently when I once again received an unusual and unexpected parcel in the post. This time, it wasn’t from Paul, but from Adam, who’d decided to respond in a very literal fashion to my tongue-in-cheek suggestion that he owed me tea, and a keyboard.

Several boxes of fruit and herbal teas.
The second of the two unexpected parcels I received from Adam.

I got the chance to live with Paul for a couple of years, until he moved out last month. I’m not sure whether or not this will ultimately reduce the amount of quirkiness that I get in my diet, but I’m okay either way. Paul’s not far away – barely on the other side of town – so I’m probably still within a fatal distance of the meteor we always assumed would eventually kill him.

We’ve turned what was his bedroom into an office. Another case of “a little bit less random, a little bit more structure and planning”, perhaps, in a very metaphorical way? Maybe this is what it feels like to be a grown-up. Took me long enough.

This blog post is part of the On This Day series, in which Dan periodically looks back on years gone by.


A New Keyboard

I already own the best mouse in the world. Maybe it’s time for a new keyboard, too.

An unexpected parcel.
What a large package! I wasn't expecting that!

A few weeks ago, Adam blogged about his trip to London last year, and mentioned that, after trips out to Soho’s “G-A-Y” nightclub when he was younger, he’d often surprise himself the following morning to wake up in some quite distant travel zones of London. My favourite bit was when he mentioned that, on one occasion, he’d…

…somehow managed to whore my way beyond the reach of the Underground.

Adam

I replied with a comment, stating, among other things:

You owe me a fresh herbal tea. Also a new keyboard, which might never recover from the nasal spraying of herbal tea that it’s just been exposed to.

Dan

(it’s not a particularly original comment, I know: Jimmy said something similar in a comment on this very blog, about four years ago)

A gift note from Mr. A Westwood: Hi Dan, As requested, one replacement keyboard. I do hope that it's a suitable replacement and that nobody's got their wires crossed. Happy tapping! Adam xx
This note went a little way to explaining the parcel.

In any case: the week before last I received a pair of unexpected parcels. I opened the first, an Amazon box, and pulled out a note. It was from Adam, and stated that the contents were “a replacement keyboard”, assuming that “nobody’s got their wires crossed.”

The 'keyboard' that Adam had sent.
Adam's instrument. You need to wrap your lips around the tube and give it a good blow, while you finger the other end.

A musical keyboard: this one’s powered by air (I’d have never guessed that Stagg would have made such a thing!). The musician blows into a tube while they play the notes in order to elicit a tune. It doesn’t sound bad, actually, although I do feel that it could do with a MIDI port. And an air-driven dynamo to power that port. And then a battery-powered pump so that you don’t need to blow it at all.

The second parcel continued the theme:

Several boxes of fruit and herbal teas.
Hot and fruity: just the way I like them.

A selection of herbal and fruit teas, from Asda’s Morrisons’ range. There was no note in this parcel, but it was pretty clear by now who the sender must be. I’d have been ever so confused if I’d opened the second parcel first.

So thank you, Adam, you crazy old fool, for making me laugh out loud yet again. I shall have to compose a song in your honour: and given the amount of air intake that’s needed to keep the keyboard playing, I shall call it, The Big Puff Song.


Ageism, Nightline, and Counselling

As a trainee counsellor, I’ve had plenty of opportunity of late for self-analysis and reflection. Sometimes revelations come at unexpected times, as I discovered recently.

A counselling session in progress.

I was playing the part of a client in a role-play scenario for another student on my course when I was struck by a realisation that I didn’t feel that my “counsellor” was able to provide an effective and empathetic response to the particular situations I was describing. It didn’t take me long to spot that the reason I felt this way was her age. Probably the youngest in our class – of whose span of ages I probably sit firmly in the middle – her technical skill is perfectly good, and she’s clearly an intelligent and emotionally-smart young woman… but somehow, I didn’t feel like she would be able to effectively support me.

And this turned out to be somewhat true: the session ended somewhat-satisfactorily, but there were clear moments during which I didn’t feel that a rapport had been established. Afterwards, I found myself wondering: how much of this result was caused by her approach to listening to me… and how much was caused by my perception of how she would approach listening to me? Of the barriers that lay between us, which had I erected?

Since then, I’ve spent a little time trying to get to the bottom of this observation about myself, asking: from where does my assumption stem that age can always be associated with an empathic response? A few obvious answers stand out: for a start, there’s the fact that there probably is such a trend, in general (although it’s still unfair to make the outright assumption that it will apply in any particular case, especially with somebody whose training should counteract that trend). Furthermore, there’s the assumption that one’s own experience is representative: I know very well that at 18 years old, my personal empathic response was very weak, and so there’s the risk that I project that onto other young adults.

However, the most-interesting source for this prejudice, that I’ve found, has been Nightline training.

The Nightline Association
The Nightline Association, umbrella body representing student Nightlines around the UK and overseas

Many years ago, I was a volunteer at Aberystwyth Nightline. I worked there for quite a while, and even after I’d graduated and moved on, I would periodically go back to help out with training sessions, imparting some of what I’d learned to a new generation of student listeners.

As I did this, a strange phenomenon began to occur: every time I went back, the trainees got younger and younger. Now of course this isn’t true – it’s just that I was older each time – but it was a convincing illusion. A second thing happened, too: every time I went back, the natural aptitude of the trainees, for the work, seemed to be less fine-tuned than it had the time before. Again, this was just a convincing illusion: through my ongoing personal development and my work with Samaritans, Oxford Friend, and others, I was always learning new skills to apply to helping relationships, but each new batch of trainees was just getting off to a fresh start.

This combination of illusions is partly responsible for the idea, in my mind, that “younger = less good a listener”: for many years, I’ve kept seeing people who are younger and younger (actually just younger than me, by more) and who have had less and less listening experience (actually just less experience relative to me, increasingly). It’s completely false, but it’s the kind of illusion that nibbles at the corners of your brain, if you’ll let it.

Practicing good self-awareness helps counsellors to find the sources of their own prejudices and challenge them. But it’s not always easy, and sometimes the realisations come when you least expect them.

On This Day In 2004

Looking Back

On this day in 2004 I handed in my dissertation, contributing towards my BEng in Software Engineering. The topic of my dissertation was the Three Rings project, then in its first incarnation, a web application originally designed to help university Nightlines to run their services.

An early Three Rings Directory page. If you remember when Three Rings used to look like this, then you're very old.

I’d originally started developing the project early in the previous academic year, before I’d re-arranged how I was going to finish my course: Three Rings celebrates its tenth birthday this year. This might be considered to have given me a head start over my peers, but in actual fact it just meant that I had even more to write-up at the end. Alongside my work at SmartData a few days a week (and sometimes at weekends), that meant that I’d been pretty damn busy.

A page from my dissertation, covering browser detection and HTTPS support (then, amazingly, still not-quite-universal in contemporary browsers).

I’d celebrated hitting 10,000 words – half of the amount that I estimated that I’d need – but little did I know that my work would eventually weigh in at over 30,000 words, and well over the word limit! In the final days, I scrambled to cut back on text and shunt entire chapters into the appendices (A through J), where they’d be exempt, while a team of volunteers helped to proofread everything I’d done so far.

Go on then; have another screenshot of an ancient web application to gawk at.

Finally, I was done, and I could relax. Well: right up until I discovered that I was supposed to have printed and bound two copies, and I had to run around a busy and crowded campus to get another copy run off at short notice.

Looking Forward

Three Rings went from strength to strength, as I discussed in an earlier “on this day”. When Bryn came on board and offered to write programs to convert Three Rings 1 data into Three Rings 2 data, in 2006, he borrowed my dissertation as a reference. After he forgot that he still had it, he finally returned it last month.

The inside front cover of my dissertation, along with a note from Bryn.

Later still, in 2009, Ruth expanded Three Rings as part of her Masters dissertation, in a monumental effort to add much-needed features at the same time as getting herself a degree. After handing it in and undergoing her defence (which went better than she expected), she got a first.

My dissertation (left) back on my bookshelf, where it belongs.

Today, Three Rings continues to eat a lot of my time, and now supports tens of thousands of volunteers at hundreds of different helplines and other charities, including virtually every Nightline and the majority of all Samaritans branches.

It’s grown even larger than I ever imagined, back in those early days. I often tell people that it started as a dissertation project, because it’s simpler than the truth: that it started a year or two before that, and provided a lot of benefit to a few Nightlines, and it was just convenient that I was able to use it as a part of my degree because otherwise I probably wouldn’t have had time to make it into what it became. Just like I’m fortunate now to have the input of such talented people as I have, over the last few years, because I couldn’t alone make it into the world-class service that it’s becoming.

This blog post is part of the On This Day series, in which Dan periodically looks back on years gone by.


Visitor Tracking Without Cookies (or How To Abuse HTTP 301s)

Last week I was talking to Alexander Dutton about an idea that we had to implement cookie-like behaviour using browser caching. As I first mentioned last year, new laws are coming into force across Europe that will require websites to ask for your consent before they store cookies on your computer. Regardless of their necessity, these laws are badly-defined and ill thought-out, and there’s been a significant lack of information to support web managers in understanding and implementing the required changes.

British Telecom’s implementation of the new cookie laws. Curiously, if you visit their site using the Opera web browser, it assumes that you’ve given consent, even if you click the button to not do so.

To illustrate one of the ambiguities in the law, I’ve implemented a tool which tracks site visitors almost as effectively as cookies (or similar technologies such as Flash Objects or Local Storage), but which must necessarily fall into one of the larger grey areas. My tool abuses the way that “permanent” (301) HTTP redirects are cached by web browsers.

You can try out my implementation for yourself at the demo site, http://c301.scatmania.org/. Visit the sample site, then close down all of your browser windows (or even restart your computer) and come back and try again: the site will recognise you and show you the same random number as it did the first time around, as well as identifying when your first visit was.

Here’s how it works, in brief:

  1. A user visits the website.
  2. The website contains a <script> tag, pointing at a URL where the user’s browser will find some Javascript.
  3. The user’s browser requests the Javascript file.
  4. The server generates a random unique identifier for this user.
  5. The server uses an HTTP 301 response to tell the browser “this Javascript can be found at a different web address,” and provides an address that contains the new unique identifier.
  6. The user’s browser requests the new document (e.g. /javascripts/tracking/123456789.js, if the user’s unique ID was 123456789).
  7. The resulting Javascript is generated dynamically to automatically contain the ID in a variable, which can then be used for tracking purposes.
  8. Subsequent requests to the server, even after closing the browser, skip steps 3 through 5, because the user’s browser will cache the 301 (permanent redirects are cacheable by default) and re-use the unique web address associated with that individual user. For the server to actually see each of those subsequent visits, the per-user Javascript itself must be served with caching disabled: it is only the redirect that should be cached.
How my “301-powered ‘cookies'” work.

Compared to conventional cookie-based tracking (e.g. Google Analytics), this approach:

  • Is more-fragile (clearing the cache is a more-common user operation than clearing cookies, and a “force refresh” may, in some browsers, result in a new tracking ID being issued).
  • Is less-blockable using contemporary privacy tools, including the W3C’s proposed one: it won’t be spotted by any cookie-cleaners or privacy filters that I’m aware of. It won’t penetrate incognito mode or other browser “privacy modes”, though.

Moreover, this technique falls into a slight legal grey area. It would certainly be against the spirit of the law to use this technique for tracking purposes (although it would be trivial to implement even an advanced solution which “proxied” requests, using a database to associate conventional cookies with unique IDs, through to Google Analytics or a similar solution). However, it’s hard to legislate against the use of HTTP 301s, which are an even more-fundamental and required part of the web than cookies are. Also, and for the same reasons, it’s significantly harder to detect and block this technique than it is conventional tracking cookies. However, the technique is somewhat brittle and it would be necessary to put up with a reduced “cookie lifespan” if you used it for real.
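The exchange described in the numbered steps above, together with the cache-clearing fragility noted in the first bullet, as an added simulation: this is not the Ruby/Sinatra code from the linked gist, but a standalone pure-Ruby model of the server side and of the one piece of browser behaviour the technique relies on (a cached 301 being followed without contacting the original URL). The path names, the header values and the variable name `trackingId` are assumptions chosen for illustration.

```ruby
require 'securerandom'
require 'set'

# Server side of the technique: a well-known script URL that answers with a 301
# to a per-visitor URL, and the per-visitor URL that serves the tracking script.
class TrackingServer
  attr_reader :issued, :visits

  def initialize
    @issued = Set.new   # IDs we have handed out in a 301 (assumed in-memory store)
    @visits = []        # every request that reached the per-visitor script
  end

  # Minimal Rack-like handler: path in, [status, headers, body] out.
  def call(path)
    case path
    when '/javascripts/tracking.js'
      id = SecureRandom.hex(8)          # 16 hex chars, unguessable
      @issued << id
      # Permanent redirects are cacheable by default; say so explicitly and give
      # the cache a long lifetime so the browser keeps the mapping.
      [301,
       { 'Location' => "/javascripts/tracking/#{id}.js",
         'Cache-Control' => 'public, max-age=31536000' },
       '']
    when %r{\A/javascripts/tracking/([0-9a-f]{16})\.js\z}
      id = Regexp.last_match(1)
      return [404, {}, ''] unless @issued.include?(id)   # reject made-up IDs
      @visits << id
      # The per-visitor script must NOT be cached: if it were, the browser would
      # serve it locally and the server would never see the repeat visit.
      [200,
       { 'Content-Type' => 'application/javascript', 'Cache-Control' => 'no-store' },
       "var trackingId = \"#{id}\";"]
    else
      [404, {}, '']
    end
  end
end

# Client side: a toy browser whose only cache is a table of permanent redirects.
class Browser
  def initialize(server)
    @server = server
    @redirects = {}   # cached 301s: original path => Location
  end

  # What "clear cache" (or a fresh private-browsing session) does to the technique.
  def clear_cache
    @redirects.clear
  end

  # Fetch a path, honouring and populating the redirect cache.
  def fetch(path, hops = 0)
    raise 'redirect loop' if hops > 5
    return fetch(@redirects[path], hops + 1) if @redirects.key?(path)

    status, headers, body = @server.call(path)
    if status == 301 && headers['Location']
      @redirects[path] = headers['Location'] if cacheable?(headers)
      return fetch(headers['Location'], hops + 1)
    end
    [status, body]
  end

  private

  def cacheable?(headers)
    cc = headers.fetch('Cache-Control', '')
    !(cc.include?('no-store') || cc.include?('no-cache'))
  end
end

# Pull the ID out of the served script, as the page's own JavaScript would use it.
def tracking_id_from(script)
  script[/var trackingId = "([0-9a-f]{16})";/, 1]
end

# Three visits: two with a warm redirect cache, then one after clearing it.
def demo
  server  = TrackingServer.new
  browser = Browser.new(server)

  _, first  = browser.fetch('/javascripts/tracking.js')   # 301 issued and cached
  _, second = browser.fetch('/javascripts/tracking.js')   # cached 301, same ID
  browser.clear_cache
  _, third  = browser.fetch('/javascripts/tracking.js')   # new 301, new ID

  {
    first: tracking_id_from(first),
    second: tracking_id_from(second),
    third: tracking_id_from(third),
    redirects_issued: server.issued.size,   # 2: the cached visit never hit the 301 URL
    visits_logged: server.visits            # 3 entries, the first two the same ID
  }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "visit 1: #{r[:first]}  visit 2: #{r[:second]}  after cache clear: #{r[:third]}"
  puts "301s issued: #{r[:redirects_issued]}, script requests seen: #{r[:visits_logged].size}"
end
```

Two design points matter for anyone reproducing this: the server-side record of issued IDs (here a `Set`) means an attacker cannot request arbitrary `/javascripts/tracking/…` URLs to impersonate other visitors, and the `no-store` on the per-visitor script is what turns a cached redirect into a visit log. Drop either and you have, respectively, a forgeable identifier or a tracker that only ever sees the first visit.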

Please try out the demo (http://c301.scatmania.org/), or download the source code (Ruby/Sinatra, https://gist.github.com/avapoet/5318224) and see for yourself how this technique works.

Note that I am not a lawyer, so I can’t make a statement about the legality (or not) of this approach to tracking. I would suspect that if you were somehow caught doing it without the consent of your users, you’d be just as guilty as if you used a conventional approach. However, it’s certainly a technically-interesting approach that might have applications in areas of legitimate tracking, too.

Update: The demo site is down, but I’ve updated the download code link so that it still works.


Star Wars – Machete Order

This weekend, Ruth, JTA and I watched the Star Wars films in a single sitting, in Machete Order. What’s Machete Order, you ask? Well, assuming that you’re too busy to click the link and find out, the short summary is that you:

Machete Order. The way Star Wars should be enjoyed.

This is a remarkable and unusual order in which to watch the films, but it’s not without its merits, especially compared to the two most-common alternatives: Release Order and Episode Order:

Spoiler Alert! The remainder of this article contains extensive spoilers about the Star Wars universe. If you haven’t seen the films yet, go watch them in the order specified above and then come back. It’ll only take you about 11 hours; I’ll wait.

  • Release Order – IV, V, VI, I, II, III – has the problem that you either watch the original cut of Return of the Jedi, and see Sebastian Shaw playing the ghost of the “unmasked” Darth Vader at the end (and then go “that doesn’t look anything like him!” when you get to Attack of the Clones), or you watch the 2004 edit of Return of the Jedi, in which they inserted Hayden Christensen in his place, and you go “who’s that guy? we’ve never seen him before!”, because he hasn’t been introduced until the next film that you’ll watch.
  • Episode Order – I, II, III, IV, V, VI – should fix that problem, but it introduces an even worse problem: it completely ruins the surprise that Luke’s father is Darth Vader (and as a result, also ruins the surprise that Leia is Luke’s sister, and results in more “eww” moments when we see them kiss in The Empire Strikes Back).

Machete Order fixes those problems. The new films become a “flashback” in a longer ongoing narrative, and the timing couldn’t be better. At the end of The Empire Strikes Back, Luke has just learned that Darth Vader is his father, and so we zip back by about 20 years and see the story of how Anakin Skywalker became Darth Vader. You couldn’t plan it better.

Darth Vader
Darth Vader. You probably knew that already.

You lose The Phantom Menace, but seriously, you’re not missing much (and you can always go back and watch it later): a surprisingly dull podrace, an incredibly annoying alien, “midichlorians”… all of these are dropped. You get to start and end with the strongest movies. And the continuity is actually pretty beautiful, seeing Attack of the Clones and Revenge of the Sith as a flashback rather than a series in their own right.

JTA tweets about Star Wars: Machete Order
JTA tweets from the front lines about Star Wars: Machete Order

So what did we learn:

  • This is absolutely the way to watch Star Wars. If I ever come across somebody who’s never seen any of the films, this is the order that I’ll recommend that they watch them.
  • It takes a surprising amount of energy to sit and watch 11 hours of a story in a single sitting. Make sure you’ve got plenty of booze and snacks lined-up, and are ready to sacrifice a day, if you want to do this in one stretch. It wasn’t quite as hard as when we watched all of the Lord of the Rings movies (Directors’ Cuts, no less) back to back at a Troma Night many years ago, but it was still a bit of a marathon.
  • The model shots (IV, V, VI) have aged, but they still look okay. The CGI effects (II, III) have aged, and they look awful. Watching a mixture of old and new films in this way exaggerates this.

If you’d like to learn more about why this is such a great way to watch these films, I’d highly recommend that you read the original article that inspired us. And then – whether you’ve seen the films before or not – you should totally go and do this too.


One Hundred And Sixty

When I first went to university, in 1999, I got my first mobile phone. Back then, messaging features on mobiles were a bit more simplistic than they are today.

For example, phones were only just starting to appear that could handle multi-SMS messages. For those without this feature there was a new skill to be learned.

With practice, we got to be particularly good at cutting out messages down to the requisite number of characters to fit into a single SMS: just 160 characters.

We even learned how to meaningfully split messages in our heads, with indicators (ellipses, or numbers showing message parts), to carry longer concepts. (4/19)

Even when multi-message capable phones came out (I got one in 2000), these skills were still useful. At 10p or 12p per message, you soon learned to be concise.

Nowadays, this skill has lost its value. With more and more people having “unlimited SMS” plans or enormous quantities of credits, there’s no need to be brief.

If you’ve got an iPhone, you don’t even get told how long your message is, I hear. You just keep typing. And that’s not uncommon on other kinds of handset too.

Your phone’s still splitting your message up, in the background. Putting markers in, so that other phones can understand. And these markers are human-readable.

Just in case your message is going to a phone that’s over about 12 years old, your smartphone makes sure that the markers would be understood by humans. (9/19)

So now we’ve got smartphones talking to each other in a language that humans designed to talk to one another in. Does that feel really strange to anybody else?

I looked at my phone while I wrote a message, today. I noticed that number in the corner, that indicated that my message would span 3 texts. And I didn’t care.

Why would I? It’s a vestige of an older form of communication. Someday, it’ll look as primitive as the paintings on the walls of caves, daubed by early humans.

But for now, I remember. And, somehow, the skill I learned all those years ago – a trick that’s alien to almost anybody younger than me – has a new, fresh use.

Twitter. 140 character messages. A little bit less than a text, which seems strange. Are they really trying to make us even more brief than those early phones?

The skill is still the same. Think ahead. Prune. Plan. Snip. And, if you absolutely must span several messages, make it clear to your reader so that they know.

I see a whole new generation of people learning this skill that I once learned. It’s not the same (it never will be): they don’t pay 10p every time they tweet.

But you know what? It’s just as pointless now as it was the first time around. If you want to say something, say it. If 36p is too much, risk a 10-second call!

And in the case of the Twitter generation: if your message doesn’t fit on Twitter, then it probably doesn’t belong on Twitter. I’m a 160-character-or-more man.

I’m not sure I’m cut out for the Twitterverse with its 140-character limits. But it’s nice to remember how to think in 160, just like I have in this blog post.