Ameliorations 1.0

From most good programmers, if you’re being taught how to program in any compiled or interpreted language, you’ll often hear the mantra Comment your code or something similar. Why? Because good comments are worth their weight in gold. It lets others (and you when you’ve put the code away for a while) know what you are trying to accomplish with particular pieces of code. Can’t figure out what a sub-routine is doing or why it’s in there? Read the code and look for comments on it. Chances are, if the programmer had good commenting habits (even if the program your using was one of his first attempts and isn’t that great), chances are you’ll be able to quickly diagnose any problems because you’ll know what that sub-routine is supposed to be doing.

So is commenting your code just a mantra for C, C++, Perl, Ruby, Python, et al programmers? I say no. As a web developer I find websites that have even minimal comments in their code about what is supposed to go there, or why a particular structure exists, is infinitely more useful than a thousand tutorials on how to do the same thing. Conditional comments are even better. It lets you know that there is a problem with certain browsers displaying an element and shows you what the work around is. If you were to implement the work around without any head nod toward the issue (say you did it with a linked javascript, but you don’t give a reason for having it) than someone is likely to encounter the same thing and spend more time trying to reinvent the wheel instead of reusing your bit of code (or some modified version thereof; I don’t have anything to say on code reuse except to adhere to any copyright notices to original content and javascript where any such notice exists).

If at the very least you comment your code, you are allowing other web developers to learn from your own experiences without having to teach them directly and you are reminding yourself why you put that bit of code into the mix in the first place. It also allows you to remember why it’s there when you go back to edit it six months from now.

HTML obfuscation on the Internet is all but impossible. Did someone browse to your site? A copy of the page that they can open with a text editor lies in cache or Temporary Internet Files (or whatever Microsoft calls it these days). Did your page get spidered? A copy with any javascript "protection&qoute; disabled is available for viewing. So why fight against the inevitable. Even if no one else but you looks at your code, those comments can mean the difference between quick and painless updates or hours spent trying to figure out just what you were trying to do while simultaneously trying to update the site in such a way that it doesn’t completely break (I’ve done it before and I’m sure I’m not the only one).

Commenting your code isn’t just for programmers. It’s for anyone who lays down any sort of code whether it is HTML (rendered), Perl (interpreted), or C (compiled). So next time you go out and design your website, or even going back to edit an old one, don’t forget to include comments on what you are doing. Right now I’m working on a site for a client that is getting rather complex rather quick. If it weren’t for me even just commenting where certain div containers end and begin, I’d spend unnecessary time trying to find those end points. Since I started commenting from the beginning, while the page size is slightly bigger for it, I’m able to more quickly go from place to place without having to worry about closing out tags in the wrong div.

Technorati Tags: technology, computers, programming, web, html

Current Mood:  accomplished

I’ll be focusing on web design in this article as that is what I’m familiar with, but the basic concepts should apply to any field.

Client-to-Developer-to-Client Communication

It is extremely important that you have good communication skills for any sort of relationship, but especially if you’re looking to make money as an independent consultant. Without good communication skills you won’t be able to tactfully suggest new layouts or request more information. Tact is something that is good, but is hard to come by unless you have some naturally. Being blunt or demanding or impatient will get you nowhere with anyone, especially your client. For one it will put a bad taste in their mouth for any possible future relationships, especially with you and that client. The worse you are in those categories the less likely you’ll see repeat business (and the more likely they will consider cutting their losses and canceling your services).

A Hypothetical Situation

You’ve taken on a job and you’ve been in almost constant touch over the course of several weeks while you and the client discuss needs, abilities, and everything else that goes into finding out what it is exactly that they want. You have been given a good idea of what that is (could be a brand new website, could be a redesign of an existing one), you’ve created a mock-up that’s been approved and you begin work in earnest after a vague request for content. You have the expectation that the client knows exactly what it is you mean by content so you don’t bother to elaborate or even give it a second thought as you wait for them to deliver. After all, you can’t deliver the mock-up as a finished product and expect the client to know what to do with it.

Unfortunately therein lies mistake number one. You made a vague request for content, not defining what that is and therefore leaving it up to the client to not only define it, but to deliver upon their own definition. Content can be anything, though, and unless you specify you might wind up with very little of anything truly useful. Whose fault is that? Certainly not the client’s, as they delivered to you what they thought you needed based on your vague request.

A better way to have gotten what you need would have been to tactfully ask for every single bit of HTML they had if it is a redesign or to have asked for every ounce of literature they have so that you have a better idea of what you need to put up, at least initially, for the site’s content. Of course in a redesign, it probably is good to ask for the literature as well. You can never have too much information when it comes to making an top quality web site.

What to do now?

So you’ve made the mistake, but you really didn’t realize it until you have begun work on the site and have reached the point where either:

• a) you’ve copy/pasted everything you could from the old site, or
• b) you’ve exhausted the small amount of literature you initially got for useful information to put on the site

In either case, your vague request has brought you to this impasse and now you have to go back to the client and request even more information. This time, though, you’re sure to be very specific. This could be a panic moment if you’re on a deadline. Even if you aren’t, you should be concerned about the delay this is causing you. Timely service for any project is a must. Even if the client doesn’t set a deadline, you need to set one for yourself. Don’t sacrifice quality, either. If you have to work more then 8 hours a day to get the job done on time, it’s time to pull out the energy drinks and the Fritos.

Is That It?

While this is a rather mild example, some of the problems with bad communication are much, much worse and could lead in the end to complete redesign of the entire project costing you dearly in terms of time, money and reputation.

Worst case scenario if you don’t practice good communication skills with your client:

You never get hired by them again.

Best case scenario if you don’t practice good communication skills with your client:

You get hired again, but for a more menial (and lower paying) job that isn’t befitting your technical expertise.

Conclusion

Choose from the beginning to be a good communicator. If anything seems vague, immediately expound and define. Do not let the client define anything they don’t have to otherwise you’ll be constantly bothering them with requests for more information (and or more time) when both you and they have better things to do then spending your time on this now (possibly) overdue project.

Technorati Tags: computers, technology

I’m on more than a few mailing lists that are user support oriented (everyone on the list helps everyone else if they can) and one of the biggest issues I see with people using software aren’t special use cases, which for most of the mailing lists I’m on make up a very small minority of the posts, but are installation issues. They download the software, think they have installed it, are told to reboot the computer and either something strange happens (like the computer hangs on shutdown) or they reboot and cannot find the install file they just downloaded.

I have a sneaking suspicion that these users fall into one of two categories.

Category B-One: The n00b

These are the users that buy a computer, are told amazing things about their capabilities, and when they get home they expect the computer to do everything include making the coffee. Even after many years of computer use, the n00b never gets out of this mode of thinking and often runs into problems with the most basic of tasks if for some reason something doesn’t go as expected. This type of user exists everywhere. Usenet. Forums. Mailing lists. You might even have some n00bs in your own home! Of course I do not use this term in the pejorative (although n00bs definitely task my patience more often than not) but only to describe a type of computer user.

Category B-Two: The neophyte

The neophyte, or newb (note difference in spelling), is someone who just bought a computer, has been told all the wonderful things their computer can do (and probably only believes half of those claims (and rightly so, making coffee is a non-standard feature folks!)), get home and begin using it. They initially have the same amount of problems as the n00b, but over time they actually learn how to use their computer and soon progress to asking questions only when there are problems in special cases (like they are trying to work with a large spreadsheet that is doing multiple calculations and are trying to split it up between multiple sheets while keeping the calculations linked) or they cannot find a solution anywhere on the net.

For category one users, there is nothing to be done accept to have patience with them. They are never going to learn because they think or have been told they don’t have to learn. They have been trained and told so many times that their computer can do everything for them without thinking that when they sit in front of the computer, they stop thinking.

For category two users (the category I think most regulars on a support list wish everyone would become), there definitely still has to be patience for their neophyte age, but a warm welcome to the club once they have reached that plateau where they are ready and willing to help others. Of course upon reaching that plateau, we also hope that they do not become so enamored with their accomplishment that they become one of the next two categories of users.

Category C-One: 31337 h4×0rz

Someone who has become so enamored with their own successes and the ease with which they came, forget where they started and that everyone starts out there. They are haughty, often given to dreaming up of form flames for those who seem too dense to learn anything, and have no care for lesser beings. This kind of behavior is a gateway for the next category.

Category C-Two: The troll

The troll generally has no problems, and if he is a regular on the list generally sticks around only to point out others mistakes (no matter how insignificant or inconsequential they may be), have ardent beliefs about certain things that they think everyone should stick to (and will start and continue discussions on those points) such as what should and should not appear in someone else’s signature line, the use of url shorten-ers, or the benefits of in-line vs. bottom or top posting (I’ve been involved in the latter, but hopefully in a non-confrontational manner while the troll is all about confrontation). Those are just some of the topics a troll will continually bellow about. The best thing to do for a troll is to ignore them and hope they go away or learn to tolerate them.

Neither of the above two categories are very helpful to the first two categories. They cause skewed expectations for users so they are now afraid to join other support lists because of the abuse they received at the hands (indirectly or otherwise, anyone who opens a flame is abused, not just the recipient) of 31337 h4×0rz and trolls.

The most prized of all help on a mailing list, and those who have realistic expectations of what a computer can and cannot do, are those who fall into the following two categories.

Category A-One: The developer

The developer is someone who has major amounts of time providing code to a software project and is considered to be one of the sources of information for the complete ins and outs of any particular piece of software. Often haughty, they do sometimes try to have a humble attitude toward both n00bs and neophytes, while despising (rightly so) the h4×0r and troll. While the view that they now the piece of software like the back of their hand is often unrealistic — they may just work on one particular piece of the entire project — they know where to do for the answer. If you can find humble developers, you’ve truly found people worth emulating and a project worth supporting.

Category A-Two: The expert

While this category of user might not be an actual expert, they have enough experience using whatever software your asking for help with that if they don’t know the answer, they know where to point you. Sometimes they can also seem haughty and intimidating as their first response is to RTFM, a suggestion to read the actual documentation (if the question is about basic features) is quite common because it can not only be illuminating about the issue at hand, but others that might crop up (and now probably won’t because you’ve read the documentation) in the future. This is the type of user that every developer hopes that the neophyte will become, and even has the vague hope that a n00b will someday reach this level too.

What all does this have to do with expectations? A lot, unfortunately.

n00bs expect everything to work automagically with minimal intervention and learning on their part. Life just isn’t like that. It’s a continuous learning experience no matter what you’ve been told. When you download an installation file, it requires you to at the very least click on icons representing the file and to follow instructions printed on your screen. You have to make choices, even if you leave things at the default (there is no such thing as not making a choice). Unfortunately, too many people have the misconception that computers are magical work devices so ingrained to them that it is all but impossible to remove. The C- category of computer users are also in the pickle of having what is unacceptable behavior so ingrained that they do not know any other way of being. I think I fall somewhere outside of all those categories, because I have moments where I’m all of them (except developer, I am not a hacker (in the sense of being a clever programmer)), as much as I hate to admit it.

Computers don’t “just work”. They need input, whether from a human in the form of clicking on a mouse and typing at a keyboard or in the form of a program (which was created by someone most likely typing at a keyboard and/or clicking on a mouse). There also needs to be responsibility for ones actions at all levels. The n00b and neophyte both need to understand that their actions have all sorts of consequences (including unintended ones) whether they are negative or positive. h4×0rz and trolls understand that and try to use it to their own advantage (extended flame wars without them trying and the like). That is simply a lack of morals. Good moral behavior excludes trolling. It excludes the haughty behavior of the so-called h4×0r. The developer and the expert just need to continue working on their patience and thick skins since, unfortunately, the whole world will not become one of them. In reality only a tiny minority will ever actually make it to that level. For those on the way, that simply means we need to positively reinforce them, even if it’s with a small, off-list thank-you for the help they have provided. The n00bs and neophytes of the world make up a majority of all users out there. There is constantly new software in development and new people trying it out.

Even the Bible is clear on this subject:

Whoever loves instruction loves knowledge, But he who hates correction is stupid. Proverbs 12:1 (NKJV, the RefTagger might display the NIV version, which replaces instruction with discipline).

So it is with computers. Those who love instruction eventually become experts or developers. Those who hate correction are doomed to be n00bs (and even possibly trollish n00bs). Just don’t forget who the source of all knowledge is.

Current Mood:  accomplished

URL shortners are all the rage, one of the most popular ones being bit.ly. Now I’m all for url shortening in Tweets and there are plenty of good ones (like is.gd, tinyurl, and others), but there is a good reason to avoid the ly tld. From just a few sources:

First from Wikipedia:

.ly is the Internet country code top-level domain (ccTLD) for Libya.

Bitly Builds Business on Libyan Domain

So far, the news coverage I’ve read about Bit.ly has neglected an unusual aspect of the startup: It’s one of the only prominent online ventures using a domain name in the .LY namespace, which is controlled by Libya.

Think again about who is benefiting from .ly sales.

Update: For corroboration of the Wikipedia entry:
IANA – Root Zone Database.
.ly Domain Delegation Data

Thanks to @gscottoliver for the link to the IANA root zone database.

Technorati Tags: technology

Current Mood:  accomplished

In the beginning of this series on security, “The Privacy Mandate“, I talked about why one should worry about their privacy and security online as well as some tools to use to make your experience that much more secure and private. In “Getting Serious About Security“, I discussed how to make your browsing and IM experience as anonymous as possible. Today I would like to discuss email security with you.

For as long as email has been around, it’s always been seen as an open, non-private means of communicating with others. Passwords are generally transferred in plain text for both sending and retrieval (smtp and pop3) or without an encrypted connection (https) to the net (in the olden days at least, now-a-days most if not all good providers use https for their web login). So how can you secure your email communications? First, you can start by changing your password on a regular basis (once every six months should suffice) or have a sufficiently strong password (if allowed, such would included mixed case, punctuation, and numbers) to change once a year.

If you are on a multi-user computer and you value your password enough not to share with other users of the computer, why would you share your email password with every server on the net that your data passes through? The answer is you probably wouldn’t, and you shouldn’t. If you have a decent mail host you should able to connect via SSL or TLS. Both are accepted means of transmitting your user name and password and email (at least to your mail server) in a secure manner. If you’re mail host doesn’t provide such connections, I urge you to petition them to do so or find another mail host. There are plenty of them out there that respect your privacy enough to provide such secure options (disclosure: My own web host, Blue Host, provides TLS connections).

Now that is all well and good for getting your email to and from your mail host, but what about around the rest of the web? How do you let people know that the mail is from who it says it is? How do you provide them with the security that there isn’t someone else intercepting your email?

That is where tools like GnuPG come in. Coupled with a good MUA such as Mozilla Thunderbird with a plugin like Enigmail (GnuPG is a pre-requisite for using Enigmail) to digitally sign your email. Of course that’s only the last step in this process. There are probably plugins for your particular MUA, most are listed here. My own experience is with Thunderbird and Enigmail currently. I’ll be getting to Microsoft Outlook and one of the plugins for it in the coming weeks. Otherwise, feel free to submit your own setup instructions and screen shots for your particular MUA in the comments for inclusion in an updated security how to. To begin with, after you have GnuPG and Enigmail installed, you first need to generate your first key pair.

Identifying Yourself And Securing That Identity

So we’ve got GnuPG command line client installed. Maybe we even installed the GnuPG Shell to go with it. We have Thunderbird ready with the Enigmail plugin. Where do we go from here? Notice: All instructions are for Thunderbird 3.0 and Enigmail on Windows XP SP3. Your mileage may vary. Instructions for other clients and on other OSes will be addressed in a future web site feature combining this series into one document.

First lets open up Enigmail from the menu in Thunderbird. The menu entry will read OpenPGP and can be reached with alt+n or the mouse.

Next we want to select the Key Management option.

Now, if you haven’t received any email that was PGP signed to verify, your key management window will be empty. We will fix that by selecting the the “Generate” menu option, selecting “New Key Pair” from the drop down.

For most users the default, basic options will suffice. Follow the resulting instructions (doing lots of disk intensive operations during key generation is not only recommended, it should be mandatory). Put in a passphrase (not using one really defeats the purpose of securing your identity in email communications. If you have more then one email account setup in Thunderbird, you can generate a separate key pair for each account. Just keep your pass phrases secure, if you forget it you won’t be able to use the key you just created! For more advanced users, click on the advanced tab for some more options.

As you can see, you can select the key size (bigger is always better in this case, although it is also slower) as well as the algorithm to be used (I suggest researching on your own the differences between the two different options, although I will go into a discussion about them sometime in the coming weeks). Once you have your pass phrase typed in (twice), you’ve checked the option to have the key used with the identity selected, click generate and start doing as many disk intensive operations as you can. Open and close large programs as much as you can (without making the system unstable, of course). Open and close large files. Do everything you can to help add to the randomness of the key generation. The more random data that can be collected during key creation the better off the key will be.

When you’re done with that, your key management window will have your new key listed. You still have one more step to go, though, before you’ll be fully ready to use your key (and let other people verify it). You need to upload your key to a key server.

You’ll just need to highlight (select) your key, and then select the upload key to public server option.

Once your key is uploaded, you are now ready to sign your email, letting people around the world (who use PGP/OpenPGP/GnuPG) know you are who you say you are. Of course there is the issue of verification. It gets harder, though, the less you know a person. Ideally the best way to verify you are who you say you are is to not only exchange keys in person, but to sign each others keys in person as well. That is the only 100% way to achieve verification of the other person. With less reliable methods, you can only at best be marginally sure that you are talking to who you think you are talking with.

Two rules of thumb to remember when using GPG (or any other public/private key pair identity system):

1. Never, ever share your pass phrase with anyone.
2. Never, ever lose track of your private key. Without it your public key is useless.

There is tons of documentation out there for the use of Enigmail and GnuPG, especially on their respective sites. If you are new to using either of them, I highly recommend reading up on the documentation. In a world where personal security and identity protection is essential, you can never have too much information on the tools you are using.

Providing Yourself Anonymity: Anonymous Proxy Relay – Tor Settings

The next step in providing yourself with privacy is setting up Thunderbird 3 (as with GnuPG, other clients/platforms will be included when all this gets combined onto a static website) to use Tor for anonymous proxy relay. You will most likely also have to adjust time-outs accordingly (which will be discussed here).

The settings will be just like for Firefox. The reason for the connection time out change is because it can sometimes take longer then normal to establish a circuit to and from your mail server (if you are running a local mail server, this might not apply, see your mail server’s documentation for passing it through a proxy once it’s outside your local network if you wish for this additional layer of privacy).

This takes care of your proxy settings. If you connect to any mail server over an unsecured connection (port 110), Tor will warn you about this potential security hazard. If you absolutely cannot use SSL or TLS with that server, all you can do is ignore it, but this means that anyone who intercepts your packets to the entry router or from the exit router will be able to read your login and password details.

To adjust your proxy timeout settings in Thunderbird, you will need to hit ok on the connection settings and open the config manager. Take heed of the warning! If you are not entirely comfortable messing with these settings, I recommend that you find a trusted friend who is and ask them to do this for you. I make no guarantees about the continued stability of Thunderbird if you mess with any of the settings past what I’m showing.

From here we want to search for timeout settings.

I use 1800 seconds (yes, that is measured in seconds) because it provides a sufficiently long enough time for a circuit to be created. I’ve had great success with those settings. If you use Thunderbird for NNTP, set the mailnews.tcptimeout to 1800 seconds as well.

You might have some issues with RSS polling if you use Thunderbird as your news reader as well. I highly recommend moving to a stand along application for reading your news feeds.

That about covers securing your privacy and identity within Thunderbird. I’ll have one more article concerning encryption of your IMs in the coming weeks as well as everything else I’ve mentioned. That will be my last article in this series before I move everything to a static website.

If any of these articles have helped you, please leave a comment. Also please leave a comment if you have suggestions or updates or corrections to anything I’ve posted.

Technorati Tags: technology, computers, email, security