IETF has an interesting new working group: TCPINC. “TCP extensions to provide unauthenticated encryption and integrity protection of TCP streams”. Practically what this means is “make it harder for third parties to eavesdrop on your Internet traffic”.

In theory IPsec was going to solve this problem for the Internet, but it is a failed technology. Right now the best we have is HTTPS for some websites. But wrapping every network protocol in an SSL layer is stupid, why not just encrypt the network? TCPINC is making a lot of compromises. “Unauthenticated” means they are punting on the harder half of the crypto problem and will leave users vulnerable to man in the middle attacks. It’s TCP only, and has to be NAT-compatible at that, so it won’t be a complete clean solution. But compared to the status quo of a lot of traffic not being encrypted at all, it’s a good choice. Making it a TCP extension should mean it can be deployed incrementally without a lot of pain.

There are a few related draft specs already, such as draft-bittau-tcpinc-tcpcrypt-00.txt. tcpcrypt.org has more info as well. The mailing list archives go back to March 2014. The IAB just came out with a statement in favor of encryption, which is nice support.

techgood
  2014-11-15 19:50 Z

I’m a huge fan of OpenStreetMap but the organization is a mess. Last year I fished around thinking I should get deeply involved with OSM, it’d be a good use of my time. But I gave up on the idea because I didn’t like what I learned about the culture. I think OSM could grow to be as important and influential as Wikipedia. But not with the current trajectory.

The problem boils down to a question of scale and influence. OSM has accomplished a huge amount with very little. No full time staff, lots of borrowed server resources, annual budget of less than $200,000. Think what it could do with more! The impression I’ve got talking to the folks who make OSM work day to day is they’re perfectly happy with the current scale. The de facto leadership, the most active mappers, sysadmins, developers, don’t want a change. And there’s no single visionary leader to bring things forward.

There are related problems with OSM. There’s a strong anti-commercial bent which not only results in an awkward license but also an inability to engage with potential partners like Apple or MapBox. The community itself has some toxic elements; I gave up asking questions on the IRC channel after the seventh time someone implied my questions were dumb. And right now there’s a bunch of drama around elections for new leadership that indicates structural problems, years-old grievances getting aired ineffectively on mailing lists.

I don’t have a solution to get OSM to grow into the massive influence it could have. I worry there can’t be one, that culturally the active OSM members want to remain small and unsullied by commercial interests. I could say and do a lot more to try to help, but I don’t think it would get me anywhere.

tech
  2014-10-26 19:40 Z

Riot’s hugely popular game League of Legends is still installing malware, some five months after saying they don't use it, players can delete it, and they planned to remove it.

The malware in question is Pando Media Booster. A few years ago this software was arguably useful, it allowed games like LoL to distribute patches via a peer-to-peer network. But Pando was discontinued in August 2013. Then in February 2014 someone used Pando to install malware on any suckers who still had the software. The software Riot is still distributing. And all of Riot’s customers who clicked “yes” on the update dialog had their browsers hijacked.

Riot has millions of users all over the world. I’m sympathetic to how hard it is to make software changes; they’re famously behind on a whole lot of development projects. But continuing to distribute malware to customers is unacceptable.

Update: a Riot employee said on Reddit that the problem was "the amount of work it takes to hand update new installers for every language" and offered the idea that the previous Pando owners might help them prevent the malware. That was five months ago.
techbad
  2014-08-02 18:03 Z

My tweet last night “Node.js is the MongoDB of programming languages” got enough response I feel I need to explain it a bit. It’s an awfully snarky thing to say, but it has some truth.

MongoDB used to be the cool kids’ database. It’s appealing when you start using it: good docs, easy to get going, a plausible story on performance. NoSQL is exciting and MongoDB is an easy NoSQL system to try. But then people started looking closer and finding all the ways it broke and now MongoDB is out of favor, at least for serious production servers.

Node.js is now the cool kids’ programming language. It’s appealing: good docs, a clean slate of libraries and tools, a fast VM, and a plausible attempt at server performance. Non-blocking systems are exciting and Javascript closures make continuation programming easy. But now people are looking closer and finding all the ways Node.js is awkward or brittle, and one starts to wonder.

I’m not saying Node.js is bad. There’s a lot of good in it, I particularly like that it’s made non-blocking programming more accessible than Python or Java or Nginx has. Mostly I’m just mocking the fashion of the month. It is a shame that people are rushing to this Brand New Thing without knowing the history and potential pitfalls. Just like we learned with MongoDB that ACID is hard, Node users are now discovering that reasoning about continuations is hard and memory management with closures is tricky, not to mention unwinding the stack on errors. The Node community is hard at work on improving things, hopefully that development process will lead somewhere productive.

For a more hilarious view on MongoDB and Node.js see Mongo DB Is Web Scale and Node.js is Bad Ass Rock Star Tech.

tech
  2014-06-18 16:40 Z

I had no idea Microsoft’s Bing Ads included an option to import from Google AdWords. Complete with simple OAuth-like authentication and seamless data import. It’s been able to do that for at least a couple of years, I only learned about it today when setting up a Bing campaign.

Warms my heart to think my AdWords API project helped enable some data portability for Google customers. That’s essential to having a competitive market. Google AdWords is nearly a monopoly, so much so I’m surprised there’s not more anti-trust interest in Google’s ad business. Allowing customers to bring their data to competitors is a valuable step in staying honest and legal.

The drawback is Bing’s ads have to mirror Google’s crazily complex data model. (Quick, what’s an AdGroup, and how is it different from a Campaign or a Creative?) I also recently set up my first AdWords campaign in years and the frontend product is really complicated and confusing. It’s been nearly ten years since I worked on the AdWords advertiser UI, I was sad to see that it hadn’t gotten any simpler or clearer for advertisers.

tech
  2014-06-10 16:04 Z

There’s a new history of Perl making the rounds now that’s worth reading, if nothing else then for the dissonance of reading a whole thing written about Perl in the past tense. It reminded me of a bet my friend Marc and I made back in 1999 or so.

Marc and Nelson will agree that Python has more mindshare than Perl on May 1, 2004. If so, Nelson gets the contents of this envelope. If not, Marc does.

In 2004 I conceded he won the bet, based on this evidence of Google search result counts:

Perl: 28M. Python: 14M
Perl filetype:pl: 2.9M. Python filetype:py 0.2M

I don't think anyone would argue that Perl is still more popular than Python in 2014. I looked at those measures again today, but given how goofy Google’s results count can be I don’t put too much stock in this:

Perl: 28M. Python: 45M
Perl filetype:pl: 11M. Python filetype:py 2.9M

I wish I'd taken up his 2004 follow-on bet: Groovy vs Python. Oops. Meanwhile we both missed the language right under our noses, Javascript. Mostly I’m just grateful Java is on the way out. If it weren’t for all the work put into JVM efficiency I think it’d be entirely dead now.

tech
  2014-06-09 16:00 Z

Interesting report of stolen Bitcoins, a phishing scam involving a Google ad. I just confirmed that the phishing ad is still running on Google on a search for blockchain.

The ad says the URL goes to blockchain.info. The URL displayed on mouseover on the link is to a Google redirector, goo.gl/vL2zmr. But when you click the link you go through a few redirectors and end up at blockchain-info.consulpisos.com, which is allegedly a phishing site. It sure looks suspicious; that page goes straight to a “type in your password” page, which the real site hides behind several clicks.

I don’t much care about the Bitcoin part of this, but Google should really not be selling ads with fake URLs on display.
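The check a defender would want for the ad described above is simple: follow the click URL through its redirect chain and compare where it lands against the domain the ad displays. The following is an added example, not code from the original post. The redirect table is constructed to mimic the hops the post describes (the goo.gl short link is the one named in the post; the tracker hostname in the middle is hypothetical), so the example runs offline; in a live check you would issue requests with redirects disabled and read each Location header instead. The registrable-domain helper is a deliberately naive last-two-labels rule, which is an assumption that holds for .com and .info but not for suffixes like co.uk.

```python
"""Compare an ad's displayed URL with the URL a click actually lands on.

Added example, not from the original post. The redirect table is constructed
so the code runs offline; replace follow_chain's lookup with real HTTP
requests (redirects disabled, read the Location header) for a live check.
"""
from urllib.parse import urlparse

# Constructed stand-in for HTTP 30x Location headers, one entry per hop.
# The tracker hostname is hypothetical; the landing URL is the one the post
# reports.
REDIRECTS = {
    "https://goo.gl/vL2zmr": "http://tracker.example.net/click?id=1",
    "http://tracker.example.net/click?id=1":
        "http://blockchain-info.consulpisos.com/wallet/login",
}


def follow_chain(start, redirects=REDIRECTS, max_hops=10):
    """Return every URL visited, starting with `start`.

    Stops at the first URL with no further redirect. Raises on a redirect
    loop or when max_hops is exceeded, since both are themselves suspicious.
    """
    chain = [start]
    seen = {start}
    while chain[-1] in redirects:
        if len(chain) > max_hops:
            raise ValueError("too many redirects")
        nxt = redirects[chain[-1]]
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        chain.append(nxt)
        seen.add(nxt)
    return chain


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return urlparse(url).hostname or ""


def registrable_domain(host):
    """Naive registrable domain: the last two labels.

    Assumption: fine for .com/.info, wrong for multi-label public suffixes
    such as co.uk; use a public-suffix list in production.
    """
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(display_url, landing_url):
    """'match' if both resolve to the same registrable domain, 'lookalike'
    if the displayed brand label reappears inside a different host (for
    example blockchain.info shown, blockchain-info.<other>.com landed),
    otherwise 'mismatch'."""
    shown = registrable_domain(host_of(display_url))
    landed = registrable_domain(host_of(landing_url))
    if shown == landed:
        return "match"
    brand = shown.split(".")[0]
    # Strip hyphens so "blockchain-info" still matches the "blockchain" label.
    if brand and brand in host_of(landing_url).replace("-", ""):
        return "lookalike"
    return "mismatch"


def check_ad(display_url, click_url, redirects=REDIRECTS):
    """Follow the click URL and report the chain, landing URL and verdict."""
    chain = follow_chain(click_url, redirects)
    return {
        "chain": chain,
        "landing": chain[-1],
        "verdict": classify(display_url, chain[-1]),
    }


if __name__ == "__main__":
    # Constructed input: the ad shows blockchain.info, the click goes via goo.gl.
    report = check_ad("https://blockchain.info", "https://goo.gl/vL2zmr")
    for hop in report["chain"]:
        print("  ->", hop)
    print("verdict:", report["verdict"])
```

The verdict is only as good as the hop table: the post notes that the mouseover URL is a Google redirector, which is exactly why the displayed domain alone tells you nothing and the chain has to be walked to its end.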

techbad
  2014-06-07 15:45 Z

There are two terrible web properties out there that everyone hates, Scribd and Quora. Please don’t use them. Instead of Scribd just host a PDF anywhere, or upload text to pastebin or make a nice blog on WordPress or Medium or something. And instead of Quora use Ask MetaFilter or StackExchange.

Scribd’s business model is to host documents in formats that are unusable. For instance, here’s a copy of the Declaration of Independence. Or rather, the free preview; you have to download it to read the rest and a one-day guest pass costs $9. Here’s a copy of Elliot Rodger’s insane manifesto. It starts “This is the story of how I, Elliot Rodger, came to be.” Only I had to retype that phrase; if I copy-and-paste I get “]fjs js tfh stgry gl fgw J, Hccjgt Tgmahr, eknh tg dh” because Scribd uses some stupid DRM font. Easy enough for a pirate to reverse engineer but impossible for normal use. They also broke “Find”; there’s some Javascript thing overriding the browser that doesn’t seem to work.

Quora’s business model is to trick people into sharing information for free, then put it behind a login. It’s like Experts Exchange 2.0! For instance, on Quora you can read Who owns the copyright on content contributed to Quora? Only you can’t just read the text. Depending on your history with the site and the way you got there you may see a giant popup demanding you log in obscuring the page, or the first answer clear and then the rest blurred, or if you're lucky just the page. It appears nondeterministic.

Both businesses are deliberately trying to lock up text content to make it harder to access, to force users to pay or share advertising data or some such bullshit. The part that kills me is some engineer actually wrote code to deliberately break document sharing on the web. It’s terrible.

Update: the Quora CEO responded on Hacker News to correct me that Quora neither runs ads nor charges users. At the moment, they apparently have no revenue.
techbad
  2014-06-02 20:23 Z

Screenflick is good software. It captures full video with sound from your Mac desktop, full screen or a portion. I’m using it to record games I play. Could have all sorts of applications.

There’s a variety of screen capture options on the Mac from the free recorder included in Quicktime to the market leader ScreenFlow for $99. Screenflick’s only $29 and is very good at capture, including keystrokes, mouse events, and audio via Soundflower. I also appreciate its ability to downsample the raw video when recording. It also has an impressive variety of export options.

The big drawback is that Screenflick has no editor, not even a simple interface for cropping out sections of video. My theory is that’s what iMovie is for. But folks I know who produce a lot of screencasts appreciate that ScreenFlow is an integrated solution.

techgood
  2014-05-19 20:39 Z

I continue to maintain my linkblog; here's how it works these days. It's all managed via a Pinboard account. Every time I see something I want to linkblog, I add it as a URL to Pinboard with a browser extension. My Pinboard page is the web view of my linkblog. Pinboard also publishes an RSS feed for my followers. I also use dlvr.it to automatically tweet my links to a Twitter account.

The Twitter account has been very successful for me; it's a natural form of engagement for the short form. (The follower number is hugely inflated because it was a featured account for a couple of hours a long time back.) The Pinboard extension is great because it makes it very easy to linkblog any URL I'm looking at. I also like that Pinboard archives the full text of pages I link ($25/year); I often find myself searching my own linkblog. The one drawback to my setup is that the web view is ugly. That's kind of on purpose; I expect people to mostly follow via RSS or Twitter. But I may yet use IFTTT or the like to set up a Tumblr for a nicer web view.

techblosxomlinkblog
  2014-05-10 17:30 Z