Tuesday, December 17, 2013

How did we end up with this?

I, along with several million other people, got caught up in both the LinkedIn and Adobe account hacks, and I've had "stop using 'password' as my password for every online account" in my to-do list for at least a year.

A couple of weeks ago I decided to do something about it. I activated two-factor auth on every account that supported it, clicked the 'generate temporary password for devices' link on Twitter, and then hit the nuclear button by downloading LastPass and beginning to upgrade my passwords (I don't really use 'password' as my password - I also use 'P@ssword', 'Passw0rd!' and 'pa55w0rd' - I'm always thinking, see).

It was a PITA changing old passwords, but I just about got around to changing the important things (accounts attached to credit cards, and core identity providers) when my new phone arrived (Moto-G, which is fantastic, btw, although I am comparing it to a 2.5 yr old HTC).

What a clusterf*k. Activating two-factor auth and various device checks means that I am constantly being asked to re-enter passwords, only this time I have no idea what those passwords are, as I've changed them from the ones I know to the brilliantly uncrackable long, complex, passwords generated by LastPass.

On the plus side I've discovered that Google Keep is a very efficient way of copying complicated passwords in plain text between devices. On the downside, lots of apps don't support 'Paste' on Android, so I have to write them down instead (hence a pocketful of Post-It notes). I think I'm now technically less secure, as I'm far more prone to social engineering hacks than I was before.

I really hope that those who hold our secrets (no, not the NSA) are working on solutions to the secure login conundrum, because no one outside of the tech industries would use a computer if it was as complicated as the situation I find myself in.

Friday, December 13, 2013

Marketing reality distortion - a case study.

It's a slow day at work (warming up for the Christmas party), so I thought I'd blog about Accenture instead. Actually, this is a rant about marketing departments, not Accenture per se, they just happen to have riled me this morning.

A friend of mine works at Accenture, and this morning retweeted an image from their current recruitment marketing campaign. It's a great pic (see below), and contains a very clear message. They're looking for Big Thinkers, the ambitious, those who aspire to a Better Future. The message itself is literally spelled out, "Future > Present", and visually it taps into something many men (possibly a tad too gender specific, but maybe I'm being over-sensitive) will immediately understand: I want to be an astronaut. That's my dream.

It's a seductive message - and for anyone remotely ambitious just starting out (it's aimed at people just starting their working lives) it makes Accenture look like somewhere you'd like to work. Maybe not quite as cool as Google (who do genuinely have a "Moonshot" division), but a good option nonetheless. So you click through.

And that's when the wheels come off. Apparently the recruitment budget was spent, in its entirety, on the campaign. Having nothing left they got the guy in Accounts' brother to knock up the campaign microsite. He's jazzed it up with a carousel of incredibly happy people in grey suits (and ties - really, who wears a tie these days) - but I'm pretty sure none of them are Felix Baumgartner or Commander Hadfield.

Pretty much everything on this page (font, use of white space, formatting, images) is bad. I imagine it's just the default Sharepoint "Add new microsite" template, but that's not really the point. This page, which is where things get real, also has a very clear message: we're accountants, or possibly management consultants, but either way you're going to spending a lot of your time in front of a spreadsheet, and it's not memorising launch code sequences. In addition, we really don't give a sh*t about design, the process of creation, attention to detail, refinement or finesse. We're robots. With spreadsheets. And sometimes we hand out awards to other spreadsheet-toting robots.

In reality I've known lots of people who've passed through the Accenture machine, and they're not all number-crunching automatons - they're generally intelligent, hard-working, interesting people, with a lot to say, on a lot of subjects.

This is a masterclass of old-school marketing-reality distortion, and rather than making Accenture an attractive place to work, it makes them look desperate ("we couldn't think what to do, so we just made it up"). There are lots of good reasons to work at Accenture - wanting to be an astronaut isn't one of them.

Wednesday, August 14, 2013

Spies stole my laptop. Possibly.

I've bought a tin-foil hat.

I was burgled last month. Nothing dramatic, they broke a window, stole a laptop. They didn't make any mess (suspiciously neat as it happens, I'd almost claim they vacuumed the place), and it was more of an inconvenience than anything else.

The police came round and dusted for fingerprints - nothing - no blood where they'd crashed the window, no greasy fingerprints on anything. They may have worn gloves (professional thieves, in Stockwell?)

And then I realised that a couple of other things were missing - principally two other (old, not used) laptops (resale value < £50), and rather bizarrely, and most annoyingly, my v. expensive Logitech wireless keyboard.

At about the same time the Snowden story was unfolding, and I was tweeting and posting occasionally on the subject.

Oh, and I live less than a mile from MI6, the UK's foreign intelligence service (007).

So here's my tin foil hat theory - spies stole my laptops, and more than that, they stole my keyboard as they have backdoor key-logging software installed on popular wireless keyboards. Don't say I didn't warn you.

Over and out - heading off-grid for a while...

Wednesday, April 03, 2013

Status codes are not for humans.

Last week I finally managed to provoke our tech lead into using the 'F-word' in conversation. The trigger for this outburst was none other than HTTP status codes, and my desire to invent a new one. This was clearly beyond the pale.

I have since retreated from my original stance (a custom status code), but have committed a change to our dev branch to use an existing, but rarely seen, status code - 422 "Unprocessable Entity" (more on the situation in which I return this later).

This code is an extension to the base set of HTTP 1.1 codes, defined in the WebDAV extensions (originally RFC 2518, revised as RFC 4918 in June 2007, from which the text below is taken):
The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415(Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.
This status code has seen increasing adoption within the HATEOAS / REST community, however it's not without its detractors - as the comment thread with this post illustrates.

My particular crime is not just to use this code, but to use it in a classic vanilla HTML scenario - in the event of form POST validation errors.

It has always seemed to me a peculiar anomaly that whilst the PRG pattern and the use of 3xx status codes (albeit typically the 'wrong' code, 302, instead of the code specifically designed for this situation - 303) has become ubiquitous, it is perfectly acceptable to return a 200 OK status when the form POST is rejected (because some validation has failed).

The common argument against this is that form validation is an application specific issue, and therefore not the responsibility of the protocol used to transmit the data, but I think that's a thin argument at best. Additional, accepted, status codes exist for "Payment Required (402)" and "Forbidden (403)", both of which relate to the underlying application, and not HTTP per se.

The 2xx code block specifically states:
This class of status code indicates that the client's request was successfully received, understood, and accepted.
But what if the request was successfully received, understood, and not accepted. Surely this is a valid use case - in fact I would suggest that it's one of the canonical HTML/HTTP use cases. And whilst the specific rules around acceptance are application specific, the generic concept of 'Request Declined' is ubiquitous - in 15 years of web development I've never seen an application that does not support this scenario. And the rules around this are no more application-specific than the 'Payment Required' example.

It is (IMO) unfortunate that people who are looking to support this as a valid 4xx exception are having to shoe-horn this into the 422 WebDAV extension, but my suggestion for a new 421 code (421 on the basis that it's between 422, which is the closest formal code, and 420, which Twitter appropriated and therefore also made-up) seems to have really upset people, so I'm happy to stand down on that. (And in fact, re-reading 422 now, it is basically what I'm looking for - just would rather it wasn't within the context of a WebDAV submission. My ideal outcome would be to rewrite the description of 422 in a more generic sense, and have it adopted as the de facto response in the event of a request validation error.)

All of which brings me to the real purpose of this post. In researching 422, I have come across endless discussion around the rights and wrongs of HTTP code assignments, but not one post or comment on what, to me, is the main reason for adopting status codes at all (beyond the functioning of the web, of course) - which is to facilitate testing and analytics, i.e. making it easier for computers to understand what is going on without having to read HTML.

Status codes are transparent and invisible to end users, but stick out like a sore thumb in logs, which makes them invaluable for analysis. A log file that includes nothing but 200s or the occasional 404 provides very little insight into what is really going on.

Similarly, having to interrogate the HTML body of a response to understand whether the HTTP request was "received, understood and accepted" or not is painful at best, and often misleading.

HTTP status codes aren't there for humans, they are there for non-humans, whether that be the routing infrastructure (understanding what to cache), or HTTP clients (understanding what to do next).

And remember, browsers are not the only clients.

(PS - to everyone who disagrees with me, bear in mind that I do understand your objections, I just don't agree with them. I'm trying to make the web more useful, not studying for my Masters.)


I found this in the original HTTP 1.1 specification:

HTTP status codes are extensible. HTTP applications are not required to understand the meaning of all registered status codes, though such understanding is obviously desirable. However, applications MUST understand the class of any status code, as indicated by the first digit, and treat any unrecognized response as being equivalent to the x00 status code of that class, with the exception that an unrecognized response MUST NOT be cached. For example, if an unrecognized status code of 431 is received by the client, it can safely assume that there was something wrong with its request and treat the response as if it had received a 400 status code. In such cases, user agents SHOULD present to the user the entity returned with the response, since that entity is likely to include human-readable information which will explain the unusual status.
You can make up your own mind from this (I have).
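To make the argument concrete, here is an added example (mine, not code from the original post or from the dev branch it mentions) of a plain WSGI form handler that does what the post proposes: a POST whose body is well-formed but fails validation comes back as 422 with the re-rendered form, and an accepted POST follows the PRG pattern with a 303 rather than a 302. It also shows the log-analysis side of the argument, counting status codes per endpoint from a few constructed access-log lines, and the RFC 2616 class-fallback rule quoted above. The field names (email, age), the /signup paths and the log lines are all constructed for the example.

```python
"""Form POST handling with status codes that mean something to non-humans.

Added example, not the original post's code. The signup fields, the paths
and the sample log lines below are constructed for illustration.
"""
import re
from collections import Counter
from html import escape
from typing import Dict, List, Tuple
from urllib.parse import parse_qs

Response = Tuple[str, List[Tuple[str, str]], bytes]  # (status line, headers, body)


def validate_signup(fields: Dict[str, str]) -> Dict[str, str]:
    """Return field -> error message; an empty dict means the request is accepted."""
    errors: Dict[str, str] = {}
    email = fields.get("email", "").strip()
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        errors["email"] = "enter a valid email address"
    age = fields.get("age", "").strip()
    if not age.isdigit() or not 13 <= int(age) <= 120:
        errors["age"] = "age must be a whole number between 13 and 120"
    return errors


def render_form(fields: Dict[str, str], errors: Dict[str, str]) -> bytes:
    """Re-render the form with the submitted values and any errors, HTML-escaped."""
    rows = []
    for name in ("email", "age"):
        value = escape(fields.get(name, ""), quote=True)
        err = f' <span class="error">{escape(errors[name])}</span>' if name in errors else ""
        rows.append(f'<label>{name} <input name="{name}" value="{value}"></label>{err}')
    return ('<form method="post">' + "".join(rows) + "<button>Sign up</button></form>").encode()


def handle_signup_post(fields: Dict[str, str]) -> Response:
    """Received, understood, syntactically fine but NOT accepted -> 422, never 200."""
    errors = validate_signup(fields)
    if errors:
        return ("422 Unprocessable Entity",
                [("Content-Type", "text/html; charset=utf-8")],
                render_form(fields, errors))
    # Accepted: Post/Redirect/Get with the code designed for it (303), not 302.
    return ("303 See Other", [("Location", "/signup/done")], b"")


def application(environ, start_response):
    """Minimal WSGI entry point so the handler can sit behind a real server."""
    if environ.get("REQUEST_METHOD") == "GET":
        body = render_form({}, {})
        start_response("200 OK", [("Content-Type", "text/html; charset=utf-8"),
                                  ("Content-Length", str(len(body)))])
        return [body]
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Allow", "GET, POST")])
        return [b""]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    status, headers, body = handle_signup_post(fields)
    start_response(status, headers + [("Content-Length", str(len(body)))])
    return [body]


# --- the analytics side: status codes stick out in logs, HTML bodies do not ---

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Constructed common-log-format lines; with 200-on-rejection these would all read 200.
SAMPLE_LOG = """\
127.0.0.1 - - [03/Apr/2013:10:15:01 +0100] "POST /signup HTTP/1.1" 422 812
127.0.0.1 - - [03/Apr/2013:10:15:07 +0100] "POST /signup HTTP/1.1" 303 0
127.0.0.1 - - [03/Apr/2013:10:15:07 +0100] "GET /signup/done HTTP/1.1" 200 421
127.0.0.1 - - [03/Apr/2013:10:16:30 +0100] "POST /signup HTTP/1.1" 422 815
127.0.0.1 - - [03/Apr/2013:10:16:55 +0100] "POST /signup HTTP/1.1" 422 815
"""


def status_summary(log_text: str) -> Dict[Tuple[str, str], Counter]:
    """Count status codes per (method, path) without reading a single HTML body."""
    summary: Dict[Tuple[str, str], Counter] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            summary.setdefault((m["method"], m["path"]), Counter())[m["status"]] += 1
    return summary


def rejection_rate(log_text: str, method: str, path: str) -> float:
    """Fraction of requests to an endpoint that the application declined (4xx)."""
    counts = status_summary(log_text).get((method, path), Counter())
    total = sum(counts.values())
    return sum(n for code, n in counts.items() if code.startswith("4")) / total if total else 0.0


def fallback_code(status: int) -> int:
    """RFC 2616 s6.1.1: treat an unrecognised code as the x00 code of its class."""
    return (status // 100) * 100


if __name__ == "__main__":
    print(handle_signup_post({"email": "not-an-address", "age": "x"})[0])
    print(handle_signup_post({"email": "someone@example.com", "age": "30"})[0])
    print(status_summary(SAMPLE_LOG), rejection_rate(SAMPLE_LOG, "POST", "/signup"))
```

Run stand-alone it prints the 422 and 303 status lines and then the per-endpoint counts, which is the whole point: a one-line `grep ' 422 '` over the access log now answers "how often do people fail this form?", where a 200-on-rejection design would need the HTML of every response. Note that `fallback_code` is only the rule for codes a client does not recognise; a client that knows 422 should act on it, and by the same RFC text an unrecognised response must not be cached.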

Thursday, February 21, 2013

Programmers are not interchangeable

[UPDATE: just found this in my drafts folder from a few months ago - not sure why I never published it at the time, but since YJ is out-and-proud, I thought I should push the button.]

This essay by Paul Graham (YC founder) from back in 2007 has been doing the rounds recently (trending on HN), and it struck a chord with me because of the following extract and the new project with which I am involved - YunoJuno - www.yunojuno.com.

YJ is founded on precisely this belief - that certain 'craft skills' (designers, developers, ux etc.) are not interchangeable, and that the success of a project is very largely dependent on the specific individuals involved.

To that end, we want to create exactly the kind of relationship that Paul outlines below - "Maybe we could define a new kind of organization that combined the efforts of individuals without requiring them to be interchangeable." 

It's a vision we share, and one that I hope YunoJuno will be a part of (specifically the part that looks after the individuals). If you have a skill, and you want to treated as an individual, but to feel part of something greater, then head on over and 'Join the Family'.

(We're in beta at the moment, launching in earnest in the new year. Not any more - we are open for business.)
One of the defining qualities of organizations since there have been such a thing is to treat individuals as interchangeable parts. This works well for more parallelizable tasks, like fighting wars. For most of history a well-drilled army of professional soldiers could be counted on to beat an army of individual warriors, no matter how valorous. But having ideas is not very parallelizable. 
And that's what programs are: ideas. 
It's not merely true that organizations dislike the idea of depending on individual genius, it's a tautology. It's part of the definition of an organization not to. Of our current concept of an organization, at least. 
Maybe we could define a new kind of organization that combined the efforts of individuals without requiring them to be interchangeable. Arguably a market is such a form of organization, though it may be more accurate to describe a market as a degenerate case—as what you get by default when organization isn't possible. 
Probably the best we'll do is some kind of hack, like making the programming parts of an organization work differently from the rest. Perhaps the optimal solution is for big companies not even to try to develop ideas in house, but simply to buy them. But regardless of what the solution turns out to be, the first step is to realize there's a problem. There is a contradiction in the very phrase "software company." The two words are pulling in opposite directions. Any good programmer in a large organization is going to be at odds with it, because organizations are designed to prevent what programmers strive for.

Desktop ambivalence (in a post-OS world)

There was a time when your choice of desktop OS said something about you - you were a Windows nerd or an Apple hipster - hell, Apple even based an entire advertising campaign on it. That was then. This is now.

A couple of years ago I was exclusively a Windows person. I wrote software for the .NET platform, which made Visual Studio my tool of choice, and the software I wrote ran on Windows servers. Even if I was working with VMs, I was running Windows Server VMs inside my Windows desktop OS.

I was always aware of Apple, but as I wasn't a hipster, and had never opened Photoshop, I left them to one side. When I was forced to use OSX I felt quite strongly that it was inferior to Windows.

Then I went to work at a creative agency, where I was swimming in an ocean of Mac-luvin. I started using one on the odd occasions when I needed to borrow an office laptop. I still didn't like OSX, but I could get along with it.

At the same time I started playing around with Python, and I decided to scratch an itch I had around my complete lack of understanding of Linux as an OS. So I installed Ubuntu on a VM, and started playing with that.

Then I was given an iPad by work. And I bought myself a Windows 7 phone. So now I had Windows 7, Windows Phone 7, iOS, OSX, and Ubuntu in my life. I even installed Windows 8 when it came out (and paid for the upgrade!), but uninstalled it a week later (you can read about that here).

I finally realised that I had become ambivalent to the OS - and started concentrating on the tools I was using instead. I dropped Visual Studio in favour of Sublime Text, and dropped Word in favour of anything that worked with Markdown (which is anything).

I still don't like OSX - the fact that maximising a window doesn't, you know, maximise it, and the woeful Finder being my pet hates - but I bought myself a MacBook Air as my primary computer simply because I like the hardware, and frankly, I don't really care about the OS.

A beautifully designed piece of hardware running beautifully designed, and simple, software (stand up iA Writer), running on an OS that just gets out of my way, is all I need these days. Are we in the post-OS-as-brand world?

Postscript: the logical conclusion of this is no (discernible) OS at all. Over Christmas I thought I'd be a good son and back up the laptop I bought for my mother a couple of years ago. She uses it infrequently, but enough, and I figured she probably had something of value on it worth saving. In fact there was nothing - at all - on it. Every single thing she does on her computer is web-based. She is the Chrome OS poster child (grandmother).