Categories
PHP usability web 2.0

How to get an awesome tag-cloud for WordPress

There’s only a few tag-cloud plugins that still work – most of them have stopped being supported.

The best one I found has super-awesome-multi-colour mode. But by default it’s disabled, and the config-options don’t include a way to turn it on. You have to dig in the developer documentation to find out how.

Categories
advocacy bitching programming Web 0.1 web 2.0

Why you shouldn’t use webfonts instead of images

Warning: principled rant against sloppy design and bad coding about to start; kids these days! Get off my lawn!

There’s a terrible disease affecting modern web developers – Twitter.com has just fallen ill with it, and it could be a long time before they cure themselves.

Deleting all images, and replacing them with the dreaded “web font”.

It’s the wrong solution for the problem, it doesn’t do what you think it does, and it pisses all over some of the Web’s core principles. If you’re a web developer, and you respect your craft, you shouldn’t even consider this, not for one moment. Here, for instance, is how Twitter currently looks for me – ugly, and very hard to use!

Screen Shot 2014-04-15 at 10.18.17

GitHub was another recent victim of this disease. They’re still in recovery, but they at least made their site “slightly usable” by adding tooltips:

Screen Shot 2014-04-15 at 10.30.18

What’s going on?

The problem

Core Web principle:

Information is everything; presentation is optional. It’s acceptable to forego presentation, so long as everyone can access the information.

Effect: When you load a webpage, your browser requests every image separately. This is a long way short of the “most optimal” code implementation.

Is this a big problem? For most of us … Not really. The system works, it’s flexible, it’s powerful – it’s a little inefficient, but for the corporations that care there are plenty of hacks and optimizations they can deploy.

The other problem

Most artists should be creating Vector images most of the time, but the software vendors who made the editing tools for Vectors … all died out around 15 years ago. Back then, the advantages of Vectors were small, because most screens were low res.

We still haven’t recovered. There are many standards for bitmap image files, and two very popular ones – PNG, JPG. There are many standards for vector image files, but no popular ones.

Effect: web developers end up looking to Web Fonts as a de facto “vector image” standard.

SVG, or not to SVG?

There is an official Web/HTML approved vector standard – SVG – in wide use, with strong support in all current browsers.

Does it work? Let’s see (http://caniuse.com/svg) …

Screen Shot 2014-04-15 at 10.45.46
Screen Shot 2014-04-15 at 10.45.33

… but many software companies ignore it. For instance, Apple allows programmers to use both PNG and JPG (why?) in core iOS, but not SVG (despite having a full SVG parser built into their web browser). Many programmers I speak to believe that SVG isn’t supported at all – FUD wins again.

The other, other problem

A core principle of the Web is that information is accurately described (the M in HTML). A recent trend in web development is “progressive enhancement”.

def. “Progressive Enhancement HTML”: a webpage written the way you were supposed to write it, instead of being hacked-together by unskilled monkeys

HTML has always been “progressive” – this was a core principle 20 years ago. But HTML was so easy to use and abuse that many of us (most of us? nearly all of us?) have been writing poor HTML most of that time. Shame on us (shame on me, certainly – been there, done that :( ).

But … the key point here is: Progressive Enhancement isn’t an “optional extra”, it is the Web. If you fight PE, you’re fighting the entire web infrastructure – and we know how that war will end.

…whatever. What about Web fonts?

So, when you remove an “image” and put a “web font letter” there instead, and change that letter so that the font contains an image you wanted …

…your HTML is now a lie.

Maybe you’re the kind of web developer who scorns blind people (and partially blind), who ignores the Internationalization features of software. You laugh in the face of Accessibility Standards, so you can reduce development time.

But HTML doesn’t make these things optional. They are so core to HTML that they are “always on”, even if you personally never use (need) them. One of the beautiful features of HTML is that if you do nothing, most of the Accessibility is automatically done for you.

With HTML, you have to go out of your way to prevent Accessibility. For instance: replacing images with magic-letters from a magic font.

You’re not blind; why does the Web Font fail?

The thing about custom Web Fonts is … the user can disable them.

Again, this is fundamental to the web. Partly for the Accessibility issue (who are you to decide which users require Accessibility? No. It’s for the user to decide).

But also to support the web principles of openness, and user-control (not corporation-control). My machine, my browser, my choice.

Just as you cannot prevent users from hitting the “View -> Zoom” menu option and making your web page take more or fewer pixels on their screen (I’ve worked with web designers – mostly ex-print designers – who HATED this, and felt it was a feature that should be banned) … you cannot force a crappy font on the user.

Information is everything; presentation is optional. It’s acceptable to forego presentation, so long as everyone can access the information.

In my case: I have a MacBook Air. While wonderful in many ways, they have tiny (11″), non-retina screens, and they’re laptops – so the screen is often further away than I’d like. When WebFonts came to CSS, a lot of the websites I use (art sites, design agencies) started using “beautiful but TINY” fonts that were unreadable. Game Studios still do this today, sadly – lots of hard-to-read but “edgy!” fonts and bad colour choices.

Sometimes, the only way I can do my day to day work is to disable the crappy 3rd party fonts.

Another solution?

SVG says “Hi!”. Think about it.

Categories
entrepreneurship startup advice Web 0.1 web 2.0

What’s wrong with Cloud Computing?

This:

Screen Shot 2013-07-19 at 11.01.58

(blocking me from doing any work – I need that spreadsheet, and thanks to Cloud, it’s impossible. Any other system – source / revision control, local files, file servers, etc – would have a quick, easy way for me to get at it. It’s only Cloud that fails … opaquely :( )

Categories
computer games games design MMOG development network programming networking programming system architecture web 2.0

MMO scalability is finally irrelevant for Indie MMOs

Here’s a great post-mortem on Growtopia (launched 2012, developed by a team of two)

It’s slightly buried in there, but I spotted this:

Categories
PHP programming startup advice usability web 2.0

WordPress: inline “signup email” drop into post or sidebar

My blog posts are info-rich and spam-poor. Most of the “enter your email address” plugins are designed for spam – covered in bling, in-your-face animations, background music, all sorts of crap.

There’s nothing out there, so I made one, using a GPL’d existing project. Feel free to use this yourself.

note: this is an image, not a form!
Screen Shot 2013-06-13 at 13.48.14

Categories
security web 2.0

Yahoo’s “unusual activity” detector…

I rather like this. I guess it could feel like an invasion of privacy – but the truth is: all web companies have been tracking you like this since the late 1990’s. Until now … they used the data, but never shared it with you, the user. This is so much better:

Screen Shot 2013-05-06 at 10.56.42

Categories
games industry startup advice web 2.0

Amazon and the high-value of a low-margin business model…

Some good observations on tech business strategy here

Low-margin can still mean high-value-business:

“Most people just look at a company’s margins and judge the quality of the business model based on that, but the cash flow characteristics of the business can make one company a far more valuable company than another with the exact same operating margin. Amazon could have had a margin of zero and still made money.”

Preventing the number-1 biggest threat to a mainstream company (disruption):

“Study disruption in most businesses and it almost always comes from the low end. Some competitor grabs a foothold on the bottom rung of the ladder and pulls itself upstream. But if you’re already sitting on that lowest rung as the incumbent, it’s tough for a disruptor to cling to anything to gain traction.”

And … an idea I’d considered more seriously back when I started in iOS development. This was the perfect way to disrupt agencies (tough and unpleasant though it was):

“Not having to sweat a constant onslaught of new competitors is really underrated. You can allocate your best employees to explore new lines of business, you can count on a consistent flow of cash from your more mature product or service lines, and you can focus your management team on offense. I”

Categories
agile games industry marketing startup advice web 2.0

How middleware (and open source) downloads ought to work – Unity3D

While upgrading Unity, I noticed the current download page is a great example of how it SHOULD be done:

Unity 4 has some … issues … with backwards compatibility – but at least they made the “need an older version?” link prominent. And how many old versions can you download?

Many!

(it goes on right back to unity 3.0)

Old versions? Who cares!

Well, that backwards compatibility thing is a *****. If you work on a project with other people, and they’re using Unity 3.5 … you SHOULD NOT (must not?) use Unity 4 (there be Dragons).

But it’s fine; Unity makes it trivial for anyone joining such a project to get exactly the version they need.

Some games middleware *cough*Hansoft*cough* companies declare that everyone must use the latest version, even if it is buggy and breaks existing projects. Or if it requires staff retraining. You must retrain EVERYONE! NOW!

(Hansoft has probably changed by now – maybe unfair to single them out. But for a long time they only allowed you to download the “latest” version, and actively deleted everything else. As soon as a new version existed, BOOM! Everything else got wiped. A happy customer I was not)

Recap

So, here we have a piece of middleware, with a download page:

  • Lives at an obvious, permanent URL: http://unity3d.com/unity/download/
  • Makes it very easy to find the download link (many open-source projects: shame on you)
  • Uncluttered webpage, and makes it easy to understand which download you want (Eclipse.org: shame on you)
  • Every version has its release notes right there, for you to click on! (Apple (every product), and Firefox: shame on you)
  • Every version has BOTH the windows AND the mac downloads (computers today are cheaper than they’ve ever been. Many people have a laptop that’s Mac, and desktop that’s Windows, or vice versa. You can’t assume that the browser they’re using dictates the desktop they’ll be working from)

Designing a website to look simple is certainly a difficult and non-trivial task.

But in the case of a download page – where almost everyone has the same needs, and there are many examples to copy (plagiarise) from – it doesn’t take much. More projects (and companies) should at least try to do this.

Categories
advocacy games industry GamesThatTeach programming web 2.0

Free art can help create a generation of non-pirates

The 21st century will be dominated by “digital” culture and art. History suggests that non-digital art will flourish too (while becoming a smaller, more specialized, part of a larger pie). So it’s all good: more people will have more opportunities to create – and more access to experience – a wider array of art. Win/win!

Except … our societies are struggling to work out how we’ll pay our artists when the marginal price of a copy is less than a penny.

Last week, something interesting happened when several unrelated projects I’m in all came together at once.

Someone is ‘stealing’ from CGTextures.com

Marcel at http://www.cgtextures.com/ gives away a huge library of high-res photo textures, aimed at game-developers, entirely for free. You don’t pay for access, you don’t pay to use them. You can include them in commercial games, make a million dollars – and you owe him nothing (bar gratitude).

Last week he came to a private forum asking for advice on suspected copyright infringers, who might have been taking his free images, removing the attribution/authorship info, and selling them for themselves.

Copying the images, and charging for them, is not theft. It’s illegal, but it’s not stealing. The original source is still available – free – to anyone who wants it. And many authors in this case are inclined to let the scummers go free, so long as they stop charging innocent users for something that’s free to all.

But CGTextures isn’t free to run; if they ever need to raise funds to pay for it, some of that money – which the community would happily donate – is being taken right now by a selfish scummer. Hmm. Tricky.

3D art is hard

If you’re “not an artist” (which for most people means: “I’m crap at drawing/painting!”) then making any kind of 2D art is very difficult, and tends to look like utter crap.

Computer games are dominated by good or great art. Even in the Indie scene, where “teams” are often no more than 2 people working together, we have a blinding array of beautiful artworks. At the opposite end of the spectrum – the AAA titles with budgets counted in “tens of millions” of dollars – it only gets better.

People love playing games – and they love making them too. Many people – artists and programmers – dream of “making a game”. But … just like “I’ve a great idea for a book” … the vast majority never manage it.

Two of the most common reasons they fail:

  1. Aiming too high: games require a lot more work than people imagine, and most people get 10% in and discover they’ve bitten off far more than they can chew
  2. The artwork looks crap: everyone they show it to hates it (or they don’t dare show it), the author hates it, they realise that no-one will play it, let alone pay for it, and they gradually lose the will to finish the project

Anyone can make a game: even un-trained teenagers

We’re in the final few weeks of proving this (a team of three 15-year-olds are about to publish their iPhone game that they designed, built, tested, and launched from scratch).

Starting with nothing but beginner-level knowledge of Javascript (not enough to write an app), they’ve:

  1. Learnt Javascript
  2. Learnt 3D-modelling
  3. Created all their own 3D models, with textures
  4. Built, tested, and refined a working game

Sounds hard, right? Well, yes, it was. But – if you know enough tricks of the trade – most of that can be made easy enough for anyone to do themselves.

  1. Game structure – use an established game engine
  2. Programming – stick to “simple” programming concepts
  3. In-game artwork – “stylised” 3D models are trivial to create (c.f. Minecraft)
  4. Testing – use a modern IDE with a decent debugger

This is all great, but I’ve glossed-over one item there: textures. You can avoid the need for painting skills by making your game-items 3D instead of 2D, but sooner or later you’re going to need to texture them.

JFGI

With the programming, one of the skills I’ve drummed into them is JFGI (Just F’ing Google It). Every time you get stuck: google it. If you get no hits – fine, you’ll have to work it out yourself. But often you’ll find:

  1. It’s a bug in your tools, not your fault! Here’s a workaround…
  2. It’s practically impossible; don’t waste time trying to solve it…
  3. Your software documentation / manual was missing the following info: …
  4. It’s a generic boilerplate piece of code. Don’t worry about it, but use this copy/pasteable code solution: …

Leveraging the internet as a resource is fundamental to being a great programmer. I’ll gloss over the risks / dangers for now (I’ll write another post on that later), but most of the time you cannot JFGI too often.

But … with the 2D artwork, with the textures for 3D models … Google becomes a danger.

Google Images: the devil on your shoulder

Writing a presentation, and need an image? Google Images it!

…making a game, and need a “wood texture”? Google Images it!

WHOA THERE, JOHNNY!

Doesn’t feel like stealing (that’s cos it isn’t) – but it is something illegal: copyright infringement. It’s precisely why “copyright” was invented in the first place.

And yet: this single problem can make all your effort, all your hard work on your own creative artwork (your game), invalid. You can have the most sublime game design, a control system that a toddler can master, a frame-rate as smooth as silk … but if the 2D graphics (or the textures) are crap … the whole thing falls flat on its face. And most people can’t draw.

How the pros do it

There are simple techniques for making very good textures starting from random photographs. Even a novice can create something perfectly “good enough” in a short amount of time.

Only one thing is needed: a big library of photographs, MORE THAN ONE per real-world “texture” you need to create. If you have the money, there are dozens of Stock Photography resources, each one costing hundreds (or: thousands) of dollars a year.

But if you’re students – undergraduates, high-schoolers – or simply “not rich” (“artist” isn’t exactly a high-paid career) and working on your own, you probably don’t have “hundreds of dollars”.

Hey, I know! Let’s use Google Imag- … crap.

Enter stage left: http://www.cgtextures.com/ – a FREE, ROYALTY-FREE, MASSIVE collection of photographs DESIGNED FOR USING IN COMPUTER GAMES. Why? I guess Marcel is just a naturally generous person.

I showed the guys CGT. No problem; texture sources a-plenty. And it’s all free. And legal…

Full circle

  1. potential pirates who are ‘creating’ are happy to respect copyright, if you educate them early enough … so long as they have viable alternatives
  2. if you take away the alternatives, they must weigh up the moral “cost” of infringement against the moral “benefit” (and personal satisfaction) of completing their own work
    • I’m not advocating this piracy; but where no theft is involved, to most people’s minds the cost is tiny and the benefit is huge. Realistically I expected few people to resist when the temptations – both moral and practical – are so big
  3. sites like CGTextures put “artistic creation with 3D” in reach of everyone
  4. pirating art from CGTextures is – AFAICS – only a criminal activity: illegally extract money from someone else’s work, with no ‘creation’ involved
  5. …but if sites like CGTextures go away (if Marcel gives up), and the next generation of artists lose their alternatives, “copyright” has no chance at all

IMNSHO, anti-software-piracy organizations tend to be idiotic, amoral, and begging to be nuked from orbit. They’re often part of the problem, not the solution. If they genuinely wanted to reduce piracy, they should be creating sites like Marcel’s: royalty-free resources of reduced cost that their industries could easily afford to give away for free.

The debate has – for way too long – characterized software pirates as “inherently evil; bad-doers; malicious”. This is undoubtedly true of some (my opinions of anyone re-selling CGT’s free art are unprintable). But we’re not born as software-pirates; we get that way because of the culture and society we grow up in. We have the opportunity to teach new generations respect for copyright – but that cuts both ways.

In the Digital Age, copyright needs to deserve our respect, not simply demand it.

Some other free texture sites

While checking some of the points in this post, I noticed a few other photo-texture sites that offer royalty-free images suitable for games dev, worth checking out:

Categories
advocacy bitching web 2.0

Ethics in the modern world: Lessig on Aaron Swartz

I don’t normally blog about this stuff, but here we have the intersection of an eloquent speaker on core matters of modern life and how they intersect the legal systems … with the kind of tragedy that’s often threatened when elements of society have orders of magnitude more power than responsibility:

http://lessig.tumblr.com/post/40347463044/prosecutor-as-bully

The public statement by the prosecutors is worth reading too:

http://0v.org/carmen-ortiz-has-released-a-statement/

UPDATE: according to the United States Department of Justice’s own website (?), in relation to this case:

United States Attorney Carmen M. Ortiz said, “Stealing is stealing whether you use a computer command or a crowbar

It is extremely difficult in practice (practically impossible?) to steal via “a computer command”. To me, the Attorney’s statement has no relevance to what – it is reported – happened in this case.

For reference, type “define: stealing” into Google, and see what you get

Lawyers can *always* hide behind a claim that they’re “only following the letter of the law”; unfortunately, the Western legal system is generally based upon NOT following the letter of the law, but the spirit of the lawmakers (as interpreted by various stages of Judges). Which makes such arguments inherently specious.

I’m not a lawyer, merely a slightly-informed amateur, but … If this is the best defence that the prosecutors can offer, as eloquent lawyers, it appears to me that they knowingly do terrible things.

Categories
iphone startup advice web 2.0

Rise and fall of Microsoft’s hegemony over Apple

Building and Dismantling the Windows Advantage – a great article, telling the story in a mix of words and graphs.

“The consequences are dire for Microsoft. The wiping out of any platform advantage around Windows will render it vulnerable to direct competition. This is not something it had to worry about before. Windows will have to compete not only for users, but for developer talent, investment by enterprises and the implicit goodwill it has had for more than a decade.”

Categories
bitching games publishing web 2.0

Pearson doesn’t like people buying books; Amazon knows where you live (in a bad way)

Wow, Pearson has some strange ideas about commerce! To buy this popular textbook as an ebook, you have two choices, both conveniently linked from the front page of the author’s website:

  1. Go to Amazon. Buy it, in any country / price you want. Get it immediately. (unless this is your first purchase … see below)
  2. Go to Pearson. Not allowed to buy it, unless you’re American (especially funny given that Pearson was originally English, IIRC)
    1. Get taken to a page listing 100 random URLs, with bizarre domain-names, grouped by country.
    2. Guess which one (out of several for your country) is appropriate for you.
    3. Manually search for the product YOU’VE ALREADY SELECTED
    4. Get quoted a price that is MORE THAN TWICE AS MUCH for the IDENTICAL download

And publishers *still* complain that people use Amazon? Hmm…

Which means Amazon is able to get away with treating the consumer like crap – because it’s *still* less insulting and obstructive than what the original publisher is doing. If you haven’t already surrendered your private data – which is nothing to do with buying a book – to Amazon, you’ll be prevented from buying a book at this point. Here’s the screenshot:

And, yes, Amazon.co.uk ensures VERY carefully that I cannot buy this book, until I’ve gone through this process:

  1. I want to buy this eBook
  2. “No: you haven’t yet given our Secret Police full access to all your computer hardware”
  3. But … wait, what? … I want to give you MONEY for something you’re SELLING, and you’re telling me you want access to my hardware? What’s that got to do with the price of fish?
  4. “Not until you voluntarily destroy some of your civil rights. Your government wouldn’t let us do this, so … you know … we have to get you to do it ‘voluntarily’. LOLZ”
  5. WTF? Apple’s currently the defendant in a billions-of-dollars court case in USA for doing exactly this. Aren’t you even slightly worried?
  6. “It’s OK. We know that the book’s publisher is going to treat you so badly that even our bad behaviour is mild by comparison. Let me know when you’ve ponied-up your privacy, and I’ll let you serve me. That’s what we mean by “a service company”: it’s a company that you serve. Have a nice day! Yours, Amazon”

Net result: use someone else’s hardware, sacrifice it to Amazon, rip the evil DRM off there, and give Amazon less money in future (since there will only be a “fake” account on their system).

Treating consumers like idiots – in the age of Internet literacy – is a net loss … for all of us. And it continues to drive the younger generations further and further away from paying for stuff, and closer and closer towards pirating it.

When I think of media corporations today, this image comes powerfully to mind, from back when Swine Flu broke out. Guess which one sits on the board of directors of a corporation (I grant you, it’s not easy to be sure) :

Categories
fixing your desktop Google? Doh! programming system architecture web 2.0

Google Docs 2012: Google loses your documents

Beware – latest version of Google Docs has the Gmail bug whereby emails (documents) randomly disappear and become completely inaccessible (this happens a few times a year with Gmail’s IMAP client). With Gmail, you can use the web interface to get around it and see the actual email – but with Google Docs, I don’t know of an alternative route. What you get is that Google appears to have deleted your data, with no comeback.

I just saw it now with Google Docs where a doc created yesterday allegedly didn’t exist any more – it had been removed from history, from recent documents, and … most distressing of all … it resulted in zero hits if you searched for it.

Solution?

There’s none – it’s just Google’s software being stunningly bad (again).

You have to wait. And pray. And wait some more. And click random things. And pray some more.

For me, after a minute or so of clicking around the different tabs on the left-hand side (Home, All Items, Owned by Me), it randomly reappeared.

SaaS In the Cloud: Screwing the User, yet again…

I’m coming back to this topic more and more, because these abuses of web and HTML services are getting more and more damaging to the users.

If the “old” version of Google Docs doesn’t have this bug, it doesn’t matter – Google has already confiscated it from us. Unlike the core concept of desktop, laptop, and home computers … Google repeatedly takes the software that you possessed, and destroys it, for no reason other than to make things a little easier for engineers who don’t like to support the bad code they shipped.

That’s what this is about: people who use Cloud/SaaS to avoid taking responsibility for the apps they created.

Categories
bitching Web 0.1 web 2.0

Apple OS X install hell: way worse than Windows :(

Almost a year after Apple’s disastrous “force consumers to download Lion, instead of installing from DVD”, apparently it still doesn’t work. It’s hard to recommend OS X to anyone after this experience.

UPDATE 2: Apple’s “download a file from the internet” code is so bad it’s causing the MacBook to overheat – 80 degrees celsius, very close to the “automatically reboot” temperature. This is *to download a file*. Apple’s misuse / misunderstanding of web technologies seems quite incredible.

(the process is called “storeagent”)

My last 24 hours:

  1. Buy Lion
  2. Download starts
  3. …it’s a 4GB download, this takes a long time…
  4. Download stops at 25% for no reason.
  5. Resume button gives a wait cursor for 5 seconds, then goes back to “paused”
  6. Repeat twice
  7. Third time, the Resume button is disabled, and now Lion is stuck in “Waiting” and there are no buttons you can press except “cancel”
  8. Remains in “waiting” for many hours. Googling suggests this is a permanent crash in Apple’s App Store.
  9. Cancel the download, re-click the “buy app” link
  10. Apple quits OS X, kills all apps, deletes all unsaved data, throws me out to the login screen
  11. Login again, and Lion icon has appeared in the dock.
  12. …but: Lion now refuses to even start downloading – it’s stuck on “Paused, 0 of 0 bytes”

UPDATE:

  1. Try again (delete OS X Lion, re-purchase from App Store) and … finally the download starts. Waiting now to see if it will complete this time, instead of giving up partway like before…

I.e. Apple’s infrastructure is still blocking me from downloading the OS. How hard can it be to *download a file* ?

Next step: walk in to an apple store and ask them to give me a USB stick, since their webserver is FUBAR.

Categories
amusing marketing and PR programming security server admin system architecture web 2.0

Ruby on Rails dead. All sites p0wned. GitHub shoots the messenger?

Two things here: if you run any Rails site, check out the security hole ASAP if you haven’t already. You might be safe – but given that even GitHub wasn’t, I’d double check if I were you. (The Rails community seemingly isn’t patching it – and there’s nothing recent on the Security list. Which leaves me going: WTF? The evidence is right there on GitHub of how bad this is right now, in the wild).

Secondly … what just happened? Apart from doom and gloom and “the end of every unpatched Rails site on the planet”, there’s a fun story behind this one. As someone put it “it’s the whitest of white-hat attacks” (i.e. the “attacker’s” motives appear extremely innocent – but foolish and naive)

It seems that GitHub got hit by the world’s nastiest security hole, in Rails – trivial to take advantage of, and utterly lethal. The hole appears to allow pretty much anyone, any time, to do anything, anywhere – while PRETENDING to be any other user of the system. So, for instance, in the attack itself, someone inserted arbitrary source code into a project they had no right to.

Hmm. That’s bad. It effectively destroys GitHub’s entire business (it’s already fixed, don’t worry)

But it gets worse … it’s a flaw in the RoR framework, not GitHub itself (although apparently GitHub’s authors were supposed to know about the flaw by reading the Rails docs, as far as I can tell from a quick glimpse at the background). Rails authors have (allegedly) known about it and underestimated how bad it is in the wild, and left Rails completely open with zero security by default.

So, allegedly, the same attack works for most of the web’s large Web 2.0 sites – any of them that run on Rails.
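The Rails weakness behind this incident is widely documented as mass assignment: a model update copies every field from the request hash onto the record, including fields the form never exposes, which is how a request can set another user’s id or an impossible creation date. The added Ruby example below is not from the post and not Rails code; it uses a constructed Issue record to contrast that behaviour with an attribute whitelist, the defence Rails itself provides as attr_accessible (Rails 3) and strong parameters (Rails 4).

```ruby
# Constructed record type standing in for an ORM model. author_id and
# created_at are meant to be set by the server only; title and body by the user.
Issue = Struct.new(:id, :author_id, :title, :body, :created_at, keyword_init: true)

# The attributes a request is allowed to write. Everything else is server-owned.
PERMITTED_ISSUE_ATTRS = %w[title body].freeze

# VULNERABLE: mass assignment with no whitelist. Every key in the request hash
# is written to the record, so a client that adds author_id or created_at to
# the POST body silently overrides fields it should never control.
def update_issue_unsafe(issue, params)
  params.each { |name, value| issue[name] = value }
  issue
end

# HARDENED: only whitelisted attributes are written. Unpermitted keys are
# dropped and returned so the caller can log them; a legitimate form never
# sends author_id or created_at, so a non-empty list is a useful detection signal.
def update_issue_permitted(issue, params, permitted = PERMITTED_ISSUE_ATTRS)
  rejected = []
  params.each do |name, value|
    if permitted.include?(name.to_s)
      issue[name] = value
    else
      rejected << name.to_s
    end
  end
  rejected
end

# Constructed request body: a normal title edit plus two injected fields.
def tampered_params
  {
    "title"      => "Fix typo in README",
    "author_id"  => 42,                            # someone else's user id
    "created_at" => Time.utc(3012, 3, 4, 0, 0, 0)  # a thousand years in the future
  }
end

# A fresh copy of the record owned by user 7, created in 2012.
def fresh_issue
  Issue.new(id: 1, author_id: 7, title: "old title", body: "",
            created_at: Time.utc(2012, 3, 4, 0, 0, 0))
end

def demo
  unsafe = update_issue_unsafe(fresh_issue, tampered_params)
  safe = fresh_issue
  rejected = update_issue_permitted(safe, tampered_params)
  puts "unsafe:    author_id=#{unsafe.author_id} created_at=#{unsafe.created_at.year}"
  puts "permitted: author_id=#{safe.author_id} created_at=#{safe.created_at.year} " \
       "rejected=#{rejected.inspect}"
end

demo if __FILE__ == $PROGRAM_NAME
```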

WTFOMGBBQ!

Who was the perpetrator of this attack? Ah, well…

made an impossible issue, a post that GitHub’s database believed was created 1,000 years in the future.

Classy. Dangerous (high risk of someone calling the police and the lawyers), but if people won’t believe you, and *close* your issues, claiming it’s not that important, what more amusing way to prove them wrong?

Whoops, shouldn’t have done that

I can’t state this strongly enough: never attack a live system. Just … don’t.

Any demonstration of a security flaw has to be done very carefully – people have been arrested for demonstrating a flaw allegedly *at the owner’s request*, because in some jurisdictions it’s technically a crime even if you’re given permission. In general, security researchers never show a flaw on a real system – they explain how to, and do it on a dummy system, so no-one can arrest them.

(why arrest the researcher? Usually seems to be no reason beyond ass-covering by executives and lawyers, and a petty vindictiveness)

Homakov appears to have been ignorant of this little maxim, hence I’m writing it here to let as many people as possible know: never attack a live system (unless you’re very sure the owners and the police won’t come after you)!

GitHub’s response

On the plus side, they fixed it within hours, on a weekend. And then proceeded to tell every single user what had happened. And did so in a clever way – they put a block on all GitHub accounts that practically forces you to read their “here’s what happened, but we’ve fixed it” message. They could have kept it quiet.

Which is all rather wonderful and reassuring.

On the minus side, IMHO they rather misrepresented what actually happened, portraying it more as a malicious attack, and something they fixed, rather than what it was – the overspill from an argument between developers on some software that GitHub uses.

And they initially reported they’d “suspended” the user’s account. Normally I’d support this action – generally it’s a bad idea to let it be known you’ll accept attacks and not fight back. But in this case it appears that GitHub didn’t read the f***ing manual, and the maintainers apparently (based on reading their tickets on the GitHub DB) refused to accept it was a serious problem – and apparently didn’t care that one of their own high-profile clients was wide open and insecure. The attack wasn’t even against GitHub per se – it was against the Rails team who weren’t acting. IF it had e.g. been a defacement of GitHub’s main site, that would have been different, both in impact and in intent. Instead, the attack appears to be a genuinely dumb act by someone being naive.

Seems that GitHub agreed – although their reporting is a bit weak: it happened days ago, but they never thought to edit any of their material and back-link it.

“Now that we’ve had a chance to review his activity, and have determined that no malicious intent was present, @homakov’s account has been reinstated.”

…and it’s pleasing to see that their reaction included a small mea culpa for being unclear in what they expect (although anyone dealing with security ought to be aware of this stuff as “standard practice”, sometimes it’s not security experts who find the holes):

“We haven’t been as clear as we should have been on how to responsibly disclose security problems, and for that I’m sorry. To prevent future confusion about security-related account suspension, and to make explicit our stance on responsible disclosure, we have added a section entitled Responsible Disclosure of Security Vulnerabilities to our Security policy.”

Rails’s response

I’d expect: shame, weeping, and BEGGING the web world to forgive their foolishness. I’m not sure, but it’s going to be interesting to watch. As of right now, the demos of the flaw are still live. I particularly like one commenter’s:

drogus closed the issue 5 days ago

kennyj commented 5 days ago:

“I’m closing it (again).
@drogus was close it, but it still open.
github bug?”

kennyj closed the issue 5 days ago

“github bug?” LOL, no – massive security flaw :).

Categories
entrepreneurship facebook recruiting startup advice web 2.0

New startup, aiming for acquisition by Facebook

Please email me (adam at red-glasses.com) if you have skills / interest in the following:

  1. Mass market (i.e. everyone + their mom) telling stories
  2. javascript frameworks for complex visual 2D stuff (e.g. iGoogle, Netvibes, etc)
  3. Visual manipulation of large 2D images on mobile (especially iPhone)

NB: we have no funding yet, just an idea. This is a scatter-gun first approach – if things go well, there will be another call for people in 2-4 months’ time.

Categories
android facebook programming project management social networking startup advice web 2.0

Is Google’s mistaken belief in the power of Product killing them?

Steve Yegge’s Google Platforms Rant is not so much a rant as a sign of someone fighting an inappropriate culture. We saw stuff like this a lot at NCsoft when people were trying to turn around the $100 million clusterf*ck that created hundreds of redundancies all the way to director level.

It’s a great article, but a couple of the key points resonated with my own experience of Google UK’s hiring practices a couple of years ago. There was clearly a lot wrong with the internal culture, but as an outsider I couldn’t quite put my finger on it. Here’s the crux of Steve’s post (but seriously – read the whole thing, it’s rich and meaty):

That one last thing that Google doesn’t do well is Platforms. We don’t understand platforms. We don’t “get” platforms. Some of you do, but you are the minority. This has become painfully clear to me over the past six years. I was kind of hoping that competitive pressure from Microsoft and Amazon and more recently Facebook would make us wake up collectively and start doing universal services. Not in some sort of ad-hoc, half-assed way, but in more or less the same way Amazon did it: all at once, for real, no cheating, and treating it as our top priority from now on.

But no. No, it’s like our tenth or eleventh priority. Or fifteenth, I don’t know. It’s pretty low. There are a few teams who treat the idea very seriously, but most teams either don’t think about it all, ever, or only a small percentage of them think about it in a very small way.

It’s a big stretch even to get most teams to offer a stubby service to get programmatic access to their data and computations. Most of them think they’re building products. And a stubby service is a pretty pathetic service. Go back and look at that partial list of learnings from Amazon, and tell me which ones Stubby gives you out of the box. As far as I’m concerned, it’s none of them. Stubby’s great, but it’s like parts when you need a car.

…and finally, reading that, it clicked for me what I saw that was so wrong:

Google has forgotten what a Product is

“It’s a big stretch even to get most teams to offer a stubby service to get programmatic access to their data and computations. Most of them think they’re building products.”

That pair of sentences, back to back, is the problem: people outside Google would put the word “except” in between. Googlers put the word “because” in between. Google’s cultural definition of Product has got lost and perverted somewhere along the way, and now looks and smells like the real thing but is – to the rest of the world – a fake. Except Google – internally – can’t see this.

Every Googler I talked to worshipped at the altar of Product-as-King; three quarters of them would then – even in the same sentence – admit that they hated Product, didn’t believe in it, and felt it was a waste of time — “get out of my face with your product BS, and let me write beautiful code in my Ivory Towers, and leave me alone”.

They were smart people; they never said this explicitly (although one came very close – and you could see the moment when he had the thought: “oh crap; if anyone else hears I said that…”, then backtracked very hastily) – instead they frequently said mutually conflicting things, and dressed them up in enough abstractions that you could pretend that they weren’t conflicting. They were very good at it – I could tell there was a crack, but I couldn’t work out where the fault-line lay.

Google’s illusions of Product

As Steve puts it later on:

Google+ is a prime example of our complete failure to understand platforms from the very highest levels of executive leadership (hi Larry, Sergey, Eric, Vic, howdy howdy) down to the very lowest leaf workers (hey yo). We all don’t get it. The Golden Rule of platforms is that you Eat Your Own Dogfood. The Google+ platform is a pathetic afterthought. We had no API at all at launch, and last I checked, we had one measly API call. One of the team members marched in and told me about it when they launched, and I asked: “So is it the Stalker API?” She got all glum and said “Yeah.” I mean, I was joking, but no… the only API call we offer is to get someone’s stream. So I guess the joke was on me.

Product. Platform. Since when have those been mutually exclusive? Not in this Millennium, I believe…

And even when Google gets over their hatred of Platform, even with something as simple as the pixels that their apps put on screen, they’ve jumped the shark:

You know how people are always saying Google is arrogant? I’m a Googler, so I get as irritated as you do when people say that. We’re not arrogant, by and large.

But when we take the stance that we know how to design the perfect product for everyone, and believe you me, I hear that a lot, then we’re being fools. You can attribute it to arrogance, or naivete, or whatever — it doesn’t matter in the end, because it’s foolishness. There IS no perfect product for everyone.

And so we wind up with a browser that doesn’t let you set the default font size. Talk about an affront to Accessibility. I mean, as I get older I’m actually going blind. For real. I’ve been nearsighted all my life, and once you hit 40 years old you stop being able to see things up close. So font selection becomes this life-or-death thing: it can lock you out of the product completely. But the Chrome team is flat-out arrogant here: they want to build a zero-configuration product, and they’re quite brazen about it, and Fuck You if you’re blind or deaf or whatever. Hit Ctrl-+ on every single page visit for the rest of your life.

It’s not just them. It’s everyone.

Any genuine Product person would run screaming from that situation – there’s nothing salvageable. It’s like someone coming to you with their design for a chocolate teapot: “Once you’ve had your tea, you can have a tasty chocolate treat too!”, leaving you wondering: where do I even start with trying to explain to this person what they’re missing?

Categories
bitching community web 2.0

StackOverflow: PLEASE fix your search engine

StackOverflow.com has long had one of the worst search engines I’ve ever seen. It’s clearly a simple thing hacked together. It generally doesn’t work, and most of the people I know use Google instead, and rely upon Google to collate all the StackOverflow results together.

Occasionally, you have search terms where Google gives you lots of non-programming hits (e.g. “iphone video (something)”). So the above method fails, and you have to use the appalling SO search engine.

Then you get this, because the search engine is so poor that it often ignores search-terms, so you have to creatively re-search and experiment to find the results you need:

ARRGGGH!!!

Categories
amusing marketing and PR web 2.0

52 card MOO – Part 1: The Challenge

I’ve known MOO for 6 years (back when they were PleasureCards), and I’ve been using them as my primary business / personal cards for most of that time.

Back when they only did the PleasureCard form-factor, it was always fun to find a fellow MOO customer. Shared conversations were easy with strangers, usually over the great reactions we get from non-MOO users.

Ever since they first integrated with flickr, one concept has come up again and again in those conversations:

“What about a custom 52-card deck made using MOO.com?”

Rounded Corners…

MOO just introduced a new option on their cards – Rounded Corners. This is a trivial thing.

…unless, like me, you still want to do that 52-card playing deck. Now much easier!

Also, they recently upgraded their Flash uploader / composer software, and seem to have fixed most of the bugs that plagued the last version I used, back in 2010.

What do we need to make this work?

The Spec

To make a deck of playing cards, we need:

  1. At least 52 unique cards, ideally 54-58 (2-4 jokers, plus 2 blanks in case a card gets damaged)
  2. All cards have an identical back
  3. All cards have a unique front (except for the blanks, which share the same empty image)
  4. ROUNDED CORNERS

Also, to make this more than just a vanity project, it would be great if we could also have:

  1. The “identical back” has some (subtle) text – maybe just the URL of the author/company, plus their twitter handle

MOO’s current features

  1. 52-58 unique cards: FAIL: they do a “maximum” of 50
  2. identical back, full-sized image: SUCCESS (it’s a new option: full-image instead of contact details)
  3. unique front: SUCCESS (this is MOO’s raison d’être)
  4. ROUNDED CORNERS: SUCCESS
  5. TEXT on the identical back: FAIL: their flash uploader won’t let you (“Computer says No”)

So, I sent an email to MOO support, outlining the above, and making some suggestions about how I could make this work – but asking if there’s an easier way?

My plan (in brief):

  1. Online, it says a “max” of 50 cards. That’s probably not a hard limit – is there a way I could get 60, if e.g. I do a large enough order size? You guys do orders in multiples of 50, 100, 150, 200, 400, 600, 800, 1000. I could do 60 cards (only a slight wastage over the 58), and make my orders in multiples of 600. i.e. 10 complete sets.
  2. There seems no reason to prevent me putting an image and text on the identical back – it’s just that your loader won’t allow it. Any way around this? I could bake the text in, but then it would be a massive pain to change – I would do fewer print runs.

MOO.com Support FAIL

I reached out to MOO, explained how I could achieve this with manual pain, working around the missing features, and asked whether they had better ideas of how to do it – or whether there was a way around the 50-card limit.

MOO’s response:

Thank you for getting in touch with the MOO Team.

You can have multiple images on one side of the cards in a pack, you can’t specify how many of each but the systems will divide the designs as equally as possible.

The other side must remain exactly the same for every card in the pack.

You can upload a logo to the left, right, top or bottom of the side of the cards with the text on (contact info etc).

Basically, if you were to upload 52 different designs (cards) and 2 jokers, your total uploads to a pack of 100 would be 54. The remaining 46 would be repeats of the first 46 to be uploaded.

I hope the above makes sense.

Some observations:

  1. I’ve bought literally thousands of MOO cards over the years, and I know very well how it works. I didn’t need a re-hash of the facts I’d already included in my original email! I’m surprised he didn’t see from my account how many cards I’ve ordered in the past.
  2. He’s simply wrong about the logos; go on the website right now, and you’ll find that you can put a full screen image on both sides of the card.
  3. No real answer about my core request. Is it impossible to do 60 cards instead of 50? Maybe, maybe not. Who knows?

Understandable, but overall I’m disappointed by that response.

I’m doubly disappointed that MOO featured the following on their website, 2 years ago:

http://www.moo.com/blog/2009/07/02/the-story-of-jacks-rounded-cornered-business-cards/

…but apparently isn’t interested in other people doing this for themselves.

What now?

I can still do this, it’s just going to be a LOT harder (I’ll have to do lots of things manually that MOO could automate easily). I’ll document it as I go, it’s a fun challenge. Part 2, coming soon…

Categories
games design social networking web 2.0

Google Street Maps … of a videogame (GTA IV)

This is cool – a great use of Google’s tech, and a great example of what it *really* means to drag online games and MMOs out of the stone age of “do what Diablo did, but with more people on screen”.

Sadly, it doesn’t quite work – none of the stereographic projection stuff (which is key to making Google StreetView) is working here. Oh well.

And it raises the question: why didn’t R* do this themselves, and make more of the R* Club (their “social/online” part to GTA) than the silly farting-about it was at launch?

http://www.gta4.net/map/