tommorris.org

Discussing software, the web, politics, sexuality and the unending supply of human stupidity.


technology


Proposal: 'change password' discoverability metadata

The recent leak of LinkedIn’s password database shows that passwords remain a fragile part of our security ecosystem. Users are bad at coming up with passwords. They use the same password among multiple services. Enterprise password change policies have been part of the problem: users simply take their existing passwords and stick an incrementing number on the end, or engage in other substitutions (changing the letter o for the number 0, for example). Plus, the regular password change doesn’t really help as a compromised password needs to be fixed immediately, rather than waiting three months for the next expiration cycle. CESG recently issued guidance arguing against password expiration policies using logic that is obvious to every competent computer professional but not quite so obvious to big enterprise IT managers.

Many users, fed up with seeing yet another IT security breach, have switched over to using password managers like KeePass, 1Password, Dashlane and LastPass. This is something CESG have encouraged in their recent password guidance. Password managers are good, especially if combined with two-factor authentication.

For users who are starting to use a password manager, they have the initial hurdle of switching over from having the same password for everything to using the password manager’s generated password approach. They may have a backlog of tens or hundreds of passwords that need changing. The process of changing passwords on most websites is abysmally unfriendly. It is one of those things that gets tucked away on a settings page. But then that settings page grows and grows. Is it ‘Settings’, or ‘My Profile’ or ‘My Account’ or ‘Security’ or ‘Extra Options’? Actually finding where on the website you have to go in order to change your password is the part which takes longest.

Making it easier for a user to change their password improves security by allowing them to switch from a crap (“123456”), reused, dictionary word (“princess”) or personally identifiable password (the same as their username, or easily derived from it: “fred” for the username “fred.jones”) to a strong password that is stored only in their password manager like “E9^057#6rb2?1Yn”.

We could make it easier by clearly pointing the way to the password change form so that software can assist the user to do so. The important part here is assist, not automate. The idea of software being able to automate the process of changing passwords has some potential selling points, but the likelihood of it being adopted is low. Instead, I’m simply going to suggest we have software assist the user to get to the right place.

In the form of a user story, it’d be like this: as a user of a password management application, I’d like to speed up the process of changing passwords on websites where they have been detected to be weak, reused or old. When I’m looking at a password I wish to change, I could click “change password” in the password management application and it’d take me to the password change form on the website without me having to search around for it.

There’s a few ways we could do this. There are some details that would have to be ironed out, but this is a rough first stab at how to solve the problem.

This is my preferred option. On the website, there is a link, either visible (using an a element) or invisible (a link in the head). It would be marked with a rel attribute with a value like password-change. Software would simply parse the HTML and look for an element containing rel="password-change" and then use the href attribute. The user may have to go through the process of logging in to actually use the password change form, but it’d stop the process of searching.

One issue here is that there are a large number of web apps that rely on JavaScript to render up the page and there is the potential for rogue third-party JavaScript to modify the DOM. A simple way to ameliorate this is to search for the value in the HTML itself and ignore any JavaScript. Another possible solution is to require that the password change form be located on the same domain as the website, or decide whether to trust the URL relative to the base domain based on an existing origin policy like CORS.

Putting JSON in a specified location

Alternatively, have people put some JSON metadata in a file and store it in a known location, similar to robots.txt or the various things spooked away in the .well-known hidey-hole. This is okay, but it suffers from all the usual flaws of invisible metadata, and is also a violation of the “don’t repeat yourself” principle—the links are already on the web in the HTML. Replicating that in JSON when it already exists in HTML increases the likelihood that the JSON version will fall out of sync with the published reality.

Same principle as the JSON one, but using HTTP(S) headers. Same issue of invisible metadata. Same issue with same-origin policies.

Security considerations

As noted above, there are some security issues that would have to be handled:

  1. Should a consuming agent (i.e. the password management application) allow third-party (or even same-origin) JavaScript to modify the DOM that contains the link?
  2. Should a consuming agent ignore password change form endpoint targets that are on a different domain?
  3. Should a consuming agent follow a password change link to a non-HTTPS endpoint?

My rather conservative answers to these three questions are all no, but other people might differ.
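
One way a password manager could consume the proposed link, as an added example (not code from the original post): it parses only the static HTML, so links a script would insert at runtime are never seen, and it accepts only same-origin HTTPS targets. The page URL, sample markup and function names are constructed for illustration, and "same domain" is read strictly here as same origin (scheme, host, port), which is an assumption of this sketch.

```python
"""Added example: consumer side of the proposed rel="password-change" link."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REL_VALUE = "password-change"  # rel value proposed in the post
DEFAULT_PORTS = {"https": 443, "http": 80}


class RelLinkParser(HTMLParser):
    """Collect hrefs of <a>/<link> elements found in the static markup.

    html.parser treats <script> bodies as raw text, so markup that a script
    would write into the DOM is never reported as an element here.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hrefs = []
        self.base_href = None

    def handle_starttag(self, tag, attrs):
        first = {}
        for name, value in attrs:  # keep the first of any duplicated attribute
            first.setdefault(name, value)
        href = first.get("href")
        if not href:
            return
        if tag == "base" and self.base_href is None:
            self.base_href = href
        elif tag in ("a", "link"):
            if REL_VALUE in (first.get("rel") or "").lower().split():
                self.hrefs.append(href.strip())


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port


def discover(page_url, html):
    """Return (accepted_url_or_None, [(url, reason), ...]) for one page."""
    parser = RelLinkParser()
    parser.feed(html)
    parser.close()
    # A <base href> changes how relative links resolve; the origin check
    # below is applied to the resolved URL, so a foreign base is rejected.
    base = urljoin(page_url, parser.base_href) if parser.base_href else page_url
    accepted, rejected = None, []
    for href in parser.hrefs:
        try:
            target = urljoin(base, href)
            target_origin, page_origin = origin(target), origin(page_url)
        except ValueError:
            rejected.append((href, "unparseable URL"))
            continue
        if target_origin[0] != "https":
            rejected.append((target, "not HTTPS"))
        elif target_origin != page_origin:
            rejected.append((target, "different origin"))
        elif accepted is None:
            accepted = target  # first acceptable link in document order
    return accepted, rejected


# Constructed sample input: not taken from any real site.
PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="password-change" href="/settings/security/password">
<script>
  // would add a link at runtime; never executed and never parsed as markup
  document.write('<a rel="password-change" href="https://other.example/pw">x</a>');
</script>
</head><body>
<a rel="nofollow password-change" href="https://accounts.other.example/pw">Change password</a>
<a rel="password-change" href="http://shop.example/pw">Change password</a>
</body></html>"""

if __name__ == "__main__":
    url, skipped = discover(PAGE_URL, SAMPLE_HTML)
    print("open in browser:", url)
    for target, reason in skipped:
        print("ignored:", target, "-", reason)
```
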

Warning on scope

As I said above, this is a very narrowly specified idea: the ecology of web application security is pretty fragile, and the likelihood of radical change is low, so I’m not proposing a radical overhaul. Just a very minor fix that could make it easier for (motivated, security-conscious) users to take steps to transition to better, stronger passwords.


Lessons from trying to help with Android/iOS transfer

This weekend, I have been helping an Android user I know switch over to iOS.

What a fucking mess. The tech industry really ought to feel collective shame for the horror movie that is trying to switch from one platform to another.

Let’s start with the official route for moving from Android to iOS: Apple’s Move to iOS app.

  1. You can only run the app at the point of initial setup. If you managed to miss the option, enjoy wiping your iPhone and restarting.
  2. The fucking thing crashes repeatedly and there’s no way to resume the transfer. It starts from scratch. This is an infuriating process.
  3. If you try and Google anything related to this app, you get anything-but-helpful answers from the fandroid community. Instead of a detailed description of the technical issues with the app and how to get around them, you get helpful nuggets like:

Why would i move to ios, most android phones today out perform iphones. Quad core vs dual core, 4k vs 720p, freedom vs being told how your phone should look. Choice is yours.

FREEDOM! CHOICE! OPENNESS! (Except the freedom, choice and openness to move data between platforms easily etc.)

And things like this:

Moving to iOS was backwards logic. It’s like putting a straight jacket on your phone. Why jailbreak when you can use an open source OS like Android?

How about because the user might fucking prefer it? How about because you don’t want your phone pwned by the hilarious cascade of systemic security failure that is the Android ecosystem?

And one more:

Like I’d ever consider switching to using an iPhone… and as for that slow and buggy Watch of theirs, words can’t describe what a useless pile of overpriced crap it is.

Quite what the Apple Watch has to do with an app to help you move data between Android and iOS, I’m not sure. All discussions of going between mobile OSes end up in pitiful religious argumentation and if you are just trying to get shit done, it does nothing but incite a lot of eye-rolling.

Fanboy awfulness aside, we re-ran the Move to iOS app once more but deselected the transfer of photos. I kind of figured that if we could get it to transfer things like old text messages and contacts and so on, then we could maybe move the 14Gb of pictures onto the iPhone by hand. They’ll all be stored as JPEGs on either the SD card or the internal storage on the phone.

After waiting some more, Move to iOS chunters everything it can except the pictures over. It kinda worked in a slow, clunky, crashy kind of way. Hardly as “seamless and simple as possible”, to quote Lifehacker.

Next job, let’s get the photos out. I had an Android phone many years ago. This should be easy. Plug it in, it mounts up as a USB mass storage device, drag and drop. That’s, y’know, what everyone tells me that Android did that iOS didn’t—no futzing around with iTunes, it’s just a USB mass storage device.

You’d think that. In the meantime, Samsung have deprecated USB mass storage in their Android devices and replaced it with the Media Transfer Protocol (MTP). Despite coming from the same place as Windows Media DRM nonsense, MTP sounds like a nice idea: unlike USB mass storage, it is a simpler protocol that implements much simpler operations than a traditional I/O interface, perfect for shunting the odd MP3 and JPEG around.

In practice though, actually using MTP from my Mac is soul-gnawingly awful. Obviously, there’s no filesystem that is mounted. For a while, I thought there must be some issue with the cable or that the Android phone had some formatting issue. Silent failures aren’t fun. Eventually, I find out how to switch the device into MTP mode and it then tells me that I ought to download the Android File Transfer app for Mac (you probably shouldn’t be surprised to learn that it isn’t open source). The UI is horrible. Cmd+A doesn’t work. It just randomly disconnects from the phone. And, worse, because MTP has no parallelism, transferring substantial quantities of data is godawfully slow. Especially if it is having to walk a directory tree and retrieve file lists. I’ve now dragged mostly all of the pictures off the phone and stored them on a computer, but systematically getting things other than the pictures off the filesystem has been unsuccessful.

There’s some alternatives, but all require effort. There’s libmtp, which I’m sure is excellent. There’s a rather nice looking Go program called go-mtpfs which will mount MTP devices as FUSE filesystems. That looks like it might be an improvement on the horrible OS X frontend at least.

What’s next then? How about WhatsApp messages? WhatsApp stores messages differently depending on whether you are using Android or iOS and all the methods for transferring between them look pretty damn rickety. They mostly involve shareware Windows apps from websites that give me that disconcerting feeling of talking to a sleazy second hand car dealer. I don’t quite trust any of the purported solutions to this.

I started looking into it myself. The files in WhatsApp for Android are stored in an encrypted SQLite store using a crypto system called crypt7 and/or crypt8. I have managed to extract this file from Android and I just need to decrypt it. There are some tools for this online. Pushing that data to iOS looks pretty simple. On the Mac, iCloud data is stored in ~/Library/Mobile Documents, and within there is a folder for WhatsApp containing a backup of WhatsApp conversations (in SQLite format) as well as media sent via WhatsApp. If one can retrieve the data from Android, it shouldn’t be too hard to push it into iCloud for the iPhone app to use.

All of this is way too fucking hard for non-programmers. The stuff on people’s phones is documentation of their life—their holidays, their families, their relationships, their co-workers. It’s not a part of some stupid platform war bullshit or an ideological debate about free software or DRM or whatever. It’s their stuff and they should be able to transfer it onto any device they choose to use. At the same time technologists have debated the ideal solutions for data portability, and churned out a thousand bullshit specs and documents that don’t do shit, ordinary people switching between iOS and Android (in either direction) have a hellish time doing ordinary stuff like WhatsApping with their friends and family. That’s a ludicrously poor show from our industry.

This is a shitshow. Be ashamed, fellow technologists. We have made a world that disempowers users and locks them in. And when they go online to find out why, all we have to show is a bunch of religious apologists telling them that this is okay because they are locked into a platform for their own freedom. Absolutely fucking terrible.


Ignore the talking heads: TalkTalk's security issues run much deeper

I have to say I’m rather intrigued by the TalkTalk hack. First of all, they’ve found the 15-year-old who allegedly did it, arrested him and bailed him pending investigations. Hopefully, if said person did it, he’ll be quite interested in helping the police with their inquiries and with a bit of luck, the customers aren’t going to have their personal or financial details released. TalkTalk have waived cancellation fees for customers who want to leave, but only if a customer has sustained a financial loss.

Meanwhile, Brian Krebs reports that the TalkTalk hackers demanded £80k worth of Bitcoin from the ISP. We’ve now had the media tell us it is “cyberjihadis”, a fifteen year old boy, and people holding it ransom for Bitcoin.

What’s curious though is how the mainstream media have not really talked very much to security experts. Yesterday, I listened to the BBC Today programme—this clip in particular. It featured an interview with Labour MP Hazel Blears (who was formerly a minister in the Home Office) and Oliver Parry, a senior corporate governance adviser at the Institute of Directors.

Here’s Mr Parry’s response to the issue:

The threat is changing hour by hour, second by second—and that’s one of the real problems, but as I said, I don’t think there’s one way to deal with this. We just need to reassure consumers, shareholders and other wider stakeholder groups that they have something in place.

Just a few things. This attack was a simple SQL injection attack. That threat isn’t “changing hour by hour, second by second”. It’s basic, common sense security that every software developer should know to mitigate, that every supervisor should be sure to ask about during code reviews, and that every penetration tester worth their salt will check for (and sadly, usually find).

As Paul Moore has pointed out in this excellent blog post, there are countless security issues with TalkTalk’s website. Craptastic SSL, no PCI compliance. The talking heads are going on about whether or not the data was “encrypted”. The SSL transport was encrypted but you could request that they encrypt traffic with an obsolete 40 or 56-bit key rather than the 128-bit that is considered secure.

There are new and changing threats, but SQL injection isn’t one of them. That’s a golden oldie. And it also doesn’t matter if the data is encrypted if the web application and/or the database is not secured against someone injecting a rogue query.

Mr Parry is right that there is not “one way to deal with this”. There are plenty. First of all, you need to hire people with some security expertise to build your systems. You need to hire independent experts to come and test your systems. That’s the in house stuff. Unfortunately, TalkTalk seem to have lost a whole lot of their senior technical staff in the last year, including their CIO. Perhaps they weren’t confident in the company’s direction on security and technology matters.

Then there’s the external facing stuff. Having a responsible disclosure process that works and which gives incentives for people to disclose. Have a reward system. If you can’t afford that, have a guarantee that you won’t seek prosecution or bring legal action against anyone who engages in responsible disclosure. Have an open and clear log where you disclose your security issues after fixing them. Actually fix the issues people report to you. Again, Paul Moore’s post linked above notes that he tried to contact TalkTalk and was ignored, disrespected and threatened. That’s not how you should treat security consultants helping you fix your issues.

All of this stuff should be simple enough for an ISP that has over four million paying customers. It isn’t rocket science. The fact that they aren’t doing it means they are either incompetent or don’t give a shit.

Brian Krebs nailed this corporate failure to care about security recently in a discussion on Reddit:

I often hear from security people at organizations that had breaches where I actually broke the story. And quite often I’ll hear from them after they lost their job or quit out of frustration, anger, disillusion, whatever. And invariably those folks will say, hey, we told these guys over and over…here are the gaps in our protection, here’s where we’re vulnerable….we need to address these or the bad guys will. And, lo and behold, those gaps turned out to be the weakest link in the armor for the breached organization. Too many companies pay good money for smart people to advise them on how to protect the organization, and then go on to ignore most of that advice.

Mr Parry said that the important thing was reassuring customers that their information was safe, not actually ensuring that customers’ data is safe. This is exactly the problem. I don’t want to be “reassured”, I want it to be safe. I don’t want to be reassured that my flight isn’t going to crash into the Alps—I actually want my flight to not crash into the Alps. Reassuring me requires salespeople and professional bullshitting; not crashing requires well trained pilots and staff, engineers doing proper checks, the designers of the plane making sure that they follow good engineering practices, constant testing. Engineering matters, not “reassurance”.

So long as business thinks “reassuring” customers matters more than actually fixing security problems, these kinds of things will keep happening. It would be really nice if the media actually spoke to security experts who could point out how trivially stupid and well-known the attack on TalkTalk was, so this kind of industry avoidance tactic could be properly squelched.


TechCrunch's Gigster profile is proof tech journalists will believe just about anything

Read this if you want a giggle.

Got a startup idea? That and some cash is all you need to get a fully functional app built for you by Gigster. Launching today, Gigster is a full-service development shop, rather than a marketplace where you have to manage the talent you find.

Oh, you mean like hundreds of other software development companies?

Just go to Gigster’s site, instant message with a sales engineer, tell them what you want built, and in 10 minutes you get a guaranteed quote for what it will cost and how long it will take.

10 minutes for a fully estimated project plan: that’s the biggest load of bilge I’ve ever heard.

Once you get your project back, Gigster will even maintain the code, and you can pay to add upgrades or new features.

You bet. Can you get anyone else to add upgrades or features? Or do they have any IP interest or right of first refusal? Those sort of questions are things a journalist might ask. But, oh, this is tech journalism.

And “maintain”. Bit more detail required.

Gigster fixes [management issues] by assigning a project manager to handle 100 percent of the management of your developers and be your sole point of contact. If the project is behind schedule, Gigster just assigns more developers to it or fires under-performing ones so it gets done on time.

Yeah, let’s ignore that the Mythical Man Month problem is a thing. Chuck more developers at the problem! “Beatings will continue until morale improves” is not a good management philosophy.

I’m sure that when your motivation is “get this shit out the door and get cash money now” and your clients are the sort of idiots who believe that they can hire coders like they do Uber cabs, you’ll produce reliable, well-tested and secure code. Right? I mean, no motivation to cut corners or anything.

The Gigsters come from companies like Google or Stripe that are looking for some extra projects

I’m sure they don’t have any no-compete or employer-owns-all-employee-produced-IP constraints in their contracts. Should work out just fine, right up until the client finds out that Google or Facebook owns a whole bunch of their IP.

10 minutes for full project costings? Mythical Man Month solved? This snake oil sure is deee-licious.

The idea that a guy who has built a whole bunch of Facebook apps is going to wave a magic wand and make software development cheap, predictable and with the kind of modularity and simplicity of booking a cab is such a laughable notion that the only people I can see believing it are tech journalists.


This is interesting (and depressing): Why women leave tech: It’s the culture, not because ‘math is hard’.


Conference on hypertext asks for submissions in PDF only

HyperText 2015 (bold mine):

The ACM Conference on Hypertext and Social Media (HT) is a premium venue for high quality peer-reviewed research on theory, systems and applications for hypertext and social media. It is concerned with all aspects of modern hypertext research, including social media, adaptation and personalisation, user modeling, linked data and semantic web, dynamic and computed hypertext, and its application in digital humanities.

HT2015 will focus on the role of hypertext and hyperlink theory on the web and beyond, as a foundation for approaches and practices in the wider community.

Submission Instructions for HyperText 2015:

All submissions should be formatted according to the official ACM SIG proceedings template and submitted in PDF format

So much lack of self-awareness.


Your daily reminder that politicians don’t understand technology or the modern world. In Parliament yesterday, Andrew George MP (Lib Dem, St Ives) said: “It’s run from a call centre in Newport 200 miles away, and also it uses logarithms which actually involve them asking a patient in my constituency, ‘Um, are you conscious?’.”

Hansard corrected it from “logarithm” to “algorithm”. It may just be an instance of “mis-speaking”, but I’m genuinely worried that the people who run our country mostly don’t know the difference between a logarithm and an algorithm. And worse, they probably don’t know or even care why not knowing that is a problem in a society based so heavily on science and technology. Scary.

Gross ignorance of science and technology would also explain David Cameron’s suggestion to ban messaging services that use encryption, and why such a suggestion would prompt security experts to say that he is “living in cloud cuckoo land”.


End Sexual Violence in Conflict Hack, solutionism and political engagement for hackers

Today, I listened to an activist talking about the Global Summit to End Sexual Violence in Conflict which is taking place this week in London. An impassioned plea for political solutions to a global problem—the use of rape and sexual violence against both men and women as a weapon in war and conflicts. Nobody can object to that, surely.

What I heard in the discussion about this conference is the same as what I hear when a wide variety of political campaigns are discussed: to make an effective change, we need to understand the cultural, social, religious and political contexts of the places where this takes place. This is not moral relativism: it’s not to excuse rape or sexual violence. But to formulate an adequate response in terms of policy, one must understand the politics, the society, the culture, the religion, and work in a sustained and committed way with local activists and civic society. Otherwise, you’ll go in, enforce some ham-handed solution that’ll smell like imperialist meddling, of the White Saviour coming to save the impoverished natives.

To change a society, you need to understand it, or your efforts won’t connect with the people in that society. You’ll just end up sounding like a big, clueless phony. That kind of political engagement is hard work.

At the same time activists realise this more and more, we see it being applied less and less in the technology industry.

Running alongside the Ending Sexual Violence in Conflict event is a hackathon. As hack days/hackathons go, this has a laudable goal. I don’t think anyone thinks more sexual violence in conflict is desirable.

But the use of hack days to try and solve social problems itself seems like a bad hack. I hope I’m wrong: it’d be great if tools get developed at the EndSVCHack event that serve the important social goal of the activists trying to fight against rape and sexual violence.

I just don’t buy it though. If you sat me down and asked me to build tools to support those trying to help the victims of sexual violence in conflict zones, there’s a lot of issues one would face. Okay, first of all: linguistic. I speak English and I know enough French that I can get by in a restaurant. I had a quick Google to find out where the chief problem zones are with sexual violence in conflict.

The International Campaign to Stop Rape and Gender Violence in Conflict lists four countries with significant issues—Burma, Colombia, the Democratic Republic of the Congo, and Kenya. I know very little about the context of what is going on in any of those countries, and I have a funny feeling most programmers living and working in London probably don’t know much about these countries beyond what they can glean from Wikipedia.

If the sort of activism and political campaigning that needs doing needs to be smart, culturally-aware and so on, hackers are going to fail to appreciate that context in a two day process.

Next problem: institutional. Let’s say something gets built during that two days that is actually suitable for use by governments and/or NGOs that are trying to reduce sexual violence in conflict zones. How is that going to be used by the organisations working in the field? How is it going to be maintained? Who is going to train people working in the country? Plenty of hacks get built at hack days and then disappear. The hackers have jobs and lives they need to get back to. They may be able to crank out an app prototype, but the time to polish it, release it, maintain it and adapt it to the needs of the different societies in which this is trying to run—well, unless there’s some plan there, most of the hacks won’t be there a month later.

I’ve written about this before with regards to FloodHack: I’m not opposed to these kinds of thing, but I’m just very sceptical that they will have any results. If you wished to produce hacks to support NGOs trying to eradicate sexual violence in conflict zones, a hack day might not be the best way of doing it. Imagine instead if we had a fund which NGOs could apply to in order to get a couple of programmers for a few months. If you’ve got them there for a few months, then the programmers can actually understand the context of the problems they are solving—maybe go out into the society where the issues are. When they build things, they can do so knowing that there’s some institutional context—an NGO, a government etc.—that will maintain what they build.

The trend to think “oh, big social problem, let’s run a hack day!” seems to be a clear example of what Morozov calls “solutionism”. Apps don’t solve all social problems. Technical efforts to help solve difficult, very culturally-specific social problems seem a poor fit for the hack day format.

But I wish them luck and I hope my scepticism doesn’t discourage people from trying.


An Ajax loading wheel is not a “user experience”. It is a waste of the only life you have animated in miniature.


Stating my opinion on State

What is an opinion? What is the point in having opinions? I would suggest that your answer to these questions is very much dependent on who you are and what you value in society.

But let me answer just for myself. The value in opinion is dependent on whether your opinion is informed, whether you are a reasonable person in command of the relevant facts, whether you are aware of your susceptibility to erroneous thinking processes and capable of overriding them. The opinion you come to would ideally be structured. That is, it would have some kind of factual premises, some set of reasonable procedures you use in order to reach certain conclusions, and the areas where you have had to settle for subjective feelings or emotions spelled out in a way that people can see how you reached your opinion. You expect that the holder of an opinion can justify that opinion in some fashion by appealing to the premises, the reasoning procedures and so on.

Perhaps my opinion on the subject of opinions is based on my personal and educational background—undergraduate and postgraduate degrees in philosophy. But I’m not dogmatic about this: I don’t think all opinions need to follow from some kind of pure reason or hew to the truth conditions of logical positivism. We can say intelligent and informed things about the subjective realm, about art and music and our emotions and personal experiences. Even with those, we can aspire towards understanding, to providing reasons and arguments, even if those reasons are subjective or presuppose some view not shared by others.

If that is close to your understanding of the nature of opinion, let me congratulate you on being a member of a proud philosophical tradition stemming back to the ancient Greeks. I have bad news for you and for your intellectual ancestors—Socrates, Hobbes, Descartes, Hypatia, Hume, Darwin, Russell—or whoever you pick for your hand from the grand deck of intellectual Top Trumps cards. All of you are out of touch with the modern world of business, advertising and consumerism. And if you are out of touch with those, then by extension, you are out of touch with their offspring: technology, media and the intersection of those things—social media.

It is with this background that I tested out State, a relatively new social media/technology startup based in London that is seeking to build a “global opinion network”, where the user can “have [his or her] opinion counted and see where [they] stand relative to others”. State has $14 million in funding, according to TechCrunch, and intriguingly has professional bullshit peddler Deepak Chopra on their board of advisors according to GigaOm.

I have been giving it a try: I mean, it should be a perfect fit—I have opinions. More than that, I’m a loudmouthed grumbly person who likes sharing my opinions with only minimal solicitation. Sounds like my sort of service. I was encouraged to join partly because a former colleague of mine had just started there and encouraged me to give it a try.

State is indeed a very interesting service, not so much because I think it will be either popular or important. I don’t think it will be either of those two things. But as a perfect encapsulation of exactly what the future holds for social media and society, you couldn’t do much better.

When one joins State, one is encouraged to find topics and to state one’s opinion on them in the form of a number of single word ‘opinions’, of the following form:

  • Lady Gaga: amazing.
  • David Cameron: bastard.
  • Tom Daley: phwoar.
  • Jedward: annoying.
  • UKIP: wankers.

You get the drift.

In fairness to State, you can then attach a comment to one’s statement, to qualify or expand on it. But the primary index of one’s opinions is this single word expressive grunt: awesome, amazeballs, fab, OMG, fail, omnom. The designers of State looked at Twitter and decided it was not short-form enough and so have stripped from it any content besides the hashtags.

Of course, my predictions of what will become popular are very fallible and though I personally do not see State having much success, it could end up being the next big thing. If it does, it won’t be long until people from the worlds of marketing, business and media swarm on to it, demand some kind of API to extract opinions from the State platform and have them displayed in executive summary form on a Big Data-powered dashboard platform. Engineers will scurry around so that senior figures in consumer-facing industries who have a stake in public opinion will be able to see an algorithmic summary of what exactly the interconnected plebiscite thinks of their brands, their celebrity representatives, their preened political spokesmen, all helpfully quantified into a stock ticker-style ‘metric’.

The helpful grunts from social media will be put through “sentiment analysis” and the opinions of the consumer will lead to a happier, better world where marketers can slice us, dice us, mix together our opinions with our demographic data, quantify whether our preferences satisfy key performance indicators and lots of other important measures.

Opinions in this new world of social media aren’t opinions: they are signalling grunts for marketers. Are you doing better than your competitors? Count up the positive grunts and the negative grunts, calculate the balance of grunts and see if you are getting more grunts than the other guys. The consumer has so much choice on where exactly to post their grunt: on Twitter (with a hashtag, perhaps), on Facebook (by liking posts and pages), on Google+ (if that still exists) and finally now on State. As a system of grunt aggregation, State is impeccable.

Where it falls down is on that boring rational philosophical stuff I started with. In the epistemology of State and many similar social media sites, opinions don’t have supporting reasons. They don’t derive from any confrontation with evidence or experience. They don’t allow for refutation or reformulation or revision. You can refute an argument; you can’t refute a grunt. Ambivalence leads to confusion: thinking a politician is a vicious, dastardly shitbag but admiring his Machiavellian success doesn’t translate easily into a simple aye or nay vote for that person.

It’s quite telling that for an opinion platform, I am actually unable to express my opinion of State on their own platform but have to resort to constructing paragraphs of prose and posting them on my own website. But then, I’d like to think my opinion on this topic has reached the point where it is no longer a grunt but some kind of at least vaguely sophisticated take on the place of a piece of technology in society.

Of course, in the consumerist zeitgeist, complex thought is rather embarrassing. If a consultant tells you something is impossible or unethical or complicated, you just sack them and hire a bullshit-peddling yes-man to tell you that everything will be fine, and that pigs will fly so long as they practice positive thinking. Why bother weighing up a complex interlocking argument when you can grunt an opinion about a hashtagged blipvert or whatever it is some advertising creative has come up with this week?

If you want to grunt about things, I highly recommend State. As grunt publication and aggregation platforms go, it is exquisite—wonderfully designed, superbly executed, beautifully illustrated and rather addictive. If you want to express something more like an opinion and less like a grunt, you might want to read a writing manual and start a blog, as well as prepare for being ignored by the decision-makers in society because they’ve collectively decided that grunting is more important than well-considered opinions.


On cultural fit

Yesterday, I posted about sexism in a job ad. But one of the things that concerned me about the ad beyond the sexism is the absurd levels that companies now go to with “culture fit”.

From that ad:

He’ll like comics, will code for fun, probably wear band t-shirts

I’ve seen other job adverts like this that ask for a completely superficial level of cultural sameness.

And it is utter bullshit. What damn difference does it make whether I like comic books or wear band t-shirts? I happen to not do either of those things. Unlike seemingly everyone in hackerdom, I don’t actually like beer. I don’t read comic books (the genre just doesn’t do anything for me). The thought of spending any time in some shithole Shoreditch bar listening to grimy indie rock is utterly unappealing to me. (Similarly, stuffing five pound notes into a young lady’s g-string doesn’t do much for me either.)

Why should this nonsense matter? Why does what I do in my spare time affect my job? If I went into a job interview and they asked whether I go to church or whether I’m single or married or in a long term relationship, that’d be highly inappropriate. Society—and employment law—rightly tells employers that race/ethnicity, religion, sexual orientation, gender, marital status and age are not criteria they can legitimately use to decide on whether to employ someone. But apparently, music and fashion and what types of alcoholic beverage I consume are now things that employers can use to inform their decision making as to whether I would be good slouched in front of Eclipse or TextMate all day banging out code.

Think about it in terms of your superiors at work. I don’t give a fuck whether my manager spends his or her weekends seeing the latest hipster grunge act or dressed to the nines for a night at the opera house. It’s far, far more important that they are competent, capable, sincere, have experience and can enable me to be a better person in my work than the sort of music they listen to, or whether they are into microbrews or read comic books.

What this actually represents is easy to work out: an attempt to hire people just like them—from the same class background, racial/ethnic background and age range, using culture as a proxy. A crude, cynical way of doing discrimination by the backdoor. You don’t want a woman on your team? She doesn’t have cultural fit. Don’t want a middle-aged parent on your team (because, gasp, you might have to pay them well, not require them to do Red Bull-fuelled all-nighters, and let them have time off for little Timmy’s piano recital)? Cultural fit issues. Don’t want black queer men around calling out your racist homophobic brogrammers? Treat ‘em like shit because they don’t “fit” your “culture” (even if your workplace culture is the sort they study in Petri dishes rather than put up in the British Museum).

I’m pretty sure that writing this post means there are now certain cultures I won’t fit in. Oh well.


No, I'm not going to download your bullshit app

How we used to read the news, back in the era of the Web:

  1. Go to newspaper website.
  2. Click on story.
  3. Read.

How we read news in the era of fucking stupid pointless iPhone apps:

  1. Go to website.
  2. Be told you aren’t allowed to read the website.
  3. Be redirected to an App Store.
  4. Download the app. (This may involve typing in a password. Which may involve shuffling over to your password manager app to find your password.)
  5. Wait while a multi-megabyte file downloads over your temperamental, expensive 3G connection.
  6. Open the app up.
  7. Familiarise yourself with an interface that has cryptic, weird gestures that aren’t actually revealed to the user and behave ever so slightly differently from every other similar app.
  8. Struggle as the badly-implemented statefulness gives you a spinning loading wheel (on iOS) or flashing progress bar (on Android) because you had the audacity to use your mobile device on a slow or unreliable connection.
  9. Attempt to find the story you wanted to read using a layout and information architecture that’s completely different from the layout and information architecture of the website that you’ve grown familiar with, because some arsehole decided that the process of reading the electronic equivalent of a newspaper needs to be “disrupted” because he’s been reading far too much Seth Godin or some other bullshit.
  10. Realise that the app shows you different things depending on whether it’s in landscape or portrait mode. Now you can look like an utter nob on the Tube rotating your iPad around so that you can zoom further into the Page 3 stunna’s tits.
  11. Not be able to share the story with your friends because it’s not a page on the web with a Uniform Resource Identifier. Because why do you need universal addressability when you’ve got shiny spinny touchy magical things to rub your sweaty greasy fingers all over?
  12. Take time to download updated binary files the next time the application is updated in the App Store, that’ll provide you “new functionality”, even though there is no fucking functionality you actually want other than reading the fucking news.
  13. If you are on Android, be sure to install some anti-adware software in case the app comes with some delightful bit of creepy privacy-intruding out-of-app advertising.
  14. Give up, go to newsagent, buy paper edition, throw smartphone off a fucking cliff and start a letterbomb campaign against all the idiots who thought that turning newspapers into “apps” was a good idea.

In the “web vs. apps” war, I think you can infer which side I’m on. I wouldn’t download a BBC app or an NPR app for my computer. Why would I want one on my phone? Do I buy a separate radio to listen to different stations? No. The functionality is the same, the only thing that differs is the content. Apps ought to provide some actual functionality, not just blobs of content wrapped up in binary files.

Now available in a French version


The release of the iPhone 5 seems to have set off more Internet debate about smartphones. I’m completely uninterested.

I have a smartphone: a Samsung Galaxy S2. It makes phone calls. It has some neat applications. The Gmail app on Android is superb. But beyond that… it’s a phone.

People debate smartphones as fetish objects. On Facebook, Robert Scoble said that holding the new iPhone sold me. There’s nothing wrong with a few fetish objects or things that look nice. I don’t spend a lot of time just holding my phone. I spend time either using my phone or having my phone in my pocket. I just can’t understand spending hours waxing rhapsodic or worrying about this stuff. I mean, someone gave me a very nice bottle of eau de toilette a while back, and I enjoy both the design of the bottle and wearing it but not to the point where I’m going to go and argue about the bottle designs of different brands of fragrance and express disappointment if a particular perfume manufacturer fails to innovate sufficiently.

People are overthinking this shit. They are phones. Unlike the Windows v. Mac v. Linux fights of yesteryear, it isn’t like anyone actually uses these things for anything important.


Tech journalists: take my tech test

It’s a recurring theme in the argument about journalism: that journalists don’t know what they are talking about. With the magical powers of science, I want to see if that’s true. Below is a series of questions I have come up with to test whether it’s actually true or not. And by science, I mean a hastily constructed pop quiz.

Here’s the deal. If you are a technology journalist, please answer truthfully. I know all journalists are truthful and honest—I’ve been watching the Leveson Inquiry. See how many you can get right.

If you get fewer right than you think you should, consider whether you should be writing about technology.

Above is a sample of some code written in a programming language that was introduced in the last decade.

Please identify the name of the programming language and the broader family of programming languages that it is in.

If you can, please identify the name of the creator of the language.

Programming languages fall into two types: dynamically typed and statically typed. Please identify whether this is a dynamic or a static language.

Above is a sample of some code written in a different programming language.

Please identify the name of the programming language.

If you wished to produce a game to sell on the App Store for iPhones/iPads, which of the two languages you have identified above would be more suitable to build such a game in given the constraints placed on developers in the iOS ecosystem?

2001:0DB8:AC10:FE01:0000:0000:0000:0000

Above is a sample of a string that identifies something. Please can you identify what it is for.

WEP, WPA and WPA2 are types of what?

FAT32, ext4 and HFS+ are types of what?

You have probably heard of NoSQL. Please choose the odd one out: Redis, Riak, CouchDB, MariaDB, MongoDB, eXist.

I was going to ask a complicated question, but it’s now past 2am and the question I was going to write involved me reading assembly code, and I took the executive decision that I couldn’t be arsed.

Anyway, all of the questions above are on topics that have been covered or mentioned at least once on either TechCrunch or ZDNet. Even if you have no plans on writing about those topics, it’s something you presumably need to vaguely understand in order to be able to read the writings of other tech journalists.

Before you say “ah, but writing about technology doesn’t mean you have to be a geek”, let me ask you this: would you read what a music journalist has to say if they can’t identify the bands that are discussed in their own newspapers and on the websites they write for? What about a motoring journalist who had no idea what an axle was? A politics journalist who couldn’t tell you what a party whip does? A journalist covering the financial markets who has no idea who sets the interest rates? A wine reviewer who doesn’t know whether chianti is red or white? A science journalist who doesn’t understand the difference between an element and a compound? A religion writer who was a bit shaky on the difference between Protestantism and Catholicism? If not those, why do we accept journalists writing about technology who couldn’t tell you what a compiler is?


EasyTether... is actually easy, and works

I’ve finally got USB tethering working between Mac and Android. I followed these instructions from AskDifferent (the StackExchange site for Apple and Mac related questions). You have to install a piece of software called EasyTether on your phone, and then carefully follow the instructions in the app which include installing drivers on your computer. It takes about 10 minutes.

But if you do that… it actually works. I’ve set up 3G connections before on Linux, for instance, which have required me to write AT strings and so on. (Which, you know, why? It’s 2012, for fuck’s sake.)

So why bother, given that any decent Android phone has a portable USB hotspot mode which basically makes it so your phone can rebroadcast the 3G signal as a wifi hotspot?

Two reasons come to mind.

Firstly, battery usage. You don’t need the wifi running in either your phone or on your computer. Less battery usage is obviously good.

But the far bigger reason is that you actually get a better connection. One thing I’ve noticed with both MiFi dongles and with the Android portable hotspot is that when you dip in and out of a mobile signal area, it’s very slow to reconnect. You spend a lot of time in TCP/IP-free limbo. This never used to be the case with GPRS: you’d get very quick reconnection, obviously at an unacceptably low speed.1

I’m writing this on the train home, and I’m getting service in areas that I wouldn’t when using portable hotspot. Portable internet that isn’t infuriating is good. That I have about an extra hour of battery life on my laptop is a nice bonus.

  1. I’d like to reiterate a fundamental point: speed is one of the least important aspects of broadband connections. Reliability, latency, usage caps and so on are far more important than speed, depending on the application you are using. For pottering about on the web, downloading a few MP3s, what’s the damn point of having super-duper-ultra fast broadband? You can give me fifty megs a second, but if I can’t afford to use more than a gigabyte of data a month, it’s basically a toy.


I'm not an experience-seeking user, I'm a meaning-seeking human person

After an evening of cynicism last night, reading a bloody awful article by a pompous twit, and travelling on bloody slow trains, and then logging on to Twitter and seeing a bunch of bloody fools debating things they are completely ignorant of without even a modicum of philosophical charity, I found something which restored my trust in the human race: psd’s talk at Ignite London. It combines giving naughty link-breaking, data-sunsetting corporate types a spank for misbehaviour with an admiration for I Spy books. I had I Spy books as a kid, although mine were products of the late 80s/early 90s and had the Michelin Man, although not in nearly as intrusively corporate a way as Paul’s slides of current-day I Spy suggest. Do forgive me: I’m going to do one of those free-associative, meditative riffing sessions that you can do on blogs.

The sort of things Paul talks about underlie a lot of the things I get excited about on the web: having technology as a way for people to establish an educational, interactional feeling with the world around them, to hack the world, to hack their context, to have the web of linked data as another layer on top of the world. The ‘web of things’ idea pushes that too far in the direction of designed objects (or spimes or blogjects or whatever the current buzzword is), and the way we talk about data and datasets and APIs makes it all too tied to services provided by big organisations. There’s definitely some co-opting of hackerdom going on here that I can’t quite put my finger on, and I don’t like it. But that’s another rant.

I’ve been hearing about ‘gamification’ for a while and it irritates me a lot. Gamification gets all the design blogs a-tweeting and is a lovely refrain used at TED and so on, but to me it all looks like “the aesthetic stage” from Kierkegaard applied to technology. That is, turning things into games and novelties in order to mask the underlying valuelessness of these tasks. Where does that get you? A manic switching between refrains. To use a technological analogy, this week it is Flickr, next week it is TwitPic, the week after it is Instagram. No commitment, just frantic switching based on fad and fashion. Our lives are then driven by the desire to avoid boredom. But one eventually runs out of novelties. The fight against boredom becomes harder and harder and harder until eventually you have to give up the fight. There’s a personal cost to living life as one long game of boredom-avoidance, but there’s also a social cost. You live life only for yourself, to avoid your boredom, and do nothing for anybody else. Technology becomes just a way for you to get pleasure rather than a way for you to contribute to something bigger than yourself.

In Kierkegaard’s Either/Or, the alternative to this aesthetic life was typified by marriage. You can’t gamify marriage, right? You commit yourself for life. You don’t get a Foursquare badge if you remember your anniversary. The alternative to aestheticism and boredom is an ethical commitment. (And, for Kierkegaard anyway, ultimately a religious commitment.1) And I think the same holds true for the web: you can gamify everything, make everything into Foursquare. Or you can do something deeper and build intentional, self-directed communities of people who want to try and do something meaningful. Gamification means you get a goofy badge on your Foursquare profile when you check into however many karaoke bars. A script fires off on a server somewhere and a bit changes in a database, you get a quick dopamine hit because an ironic badge appears on your iPhone. Congratulations, your life is now complete. There’s got to be more to life and technology than this. If I had to come up with a name for this alternative to gamification that I’m grasping for, it would be something like ‘meaning-making’.

Gamification turns everything into a novelty and a game (duh). Meaning-making turns the trivial into something you make a commitment to for the long haul; it turns the things we do on the web into a much more significant and meaningful part of our lives.

In as much as technology can help promote this kind of meaning-making, that’s the sort of technology I’m interested in. If I’m on my deathbed, will I regret the fact that I haven’t collected all the badges on Foursquare? Will I pine for more exciting and delightful user experiences? That’s the ultimate test. You want a design challenge? Design things people won’t regret doing when they are on their deathbed and design things people will wish they did more of when they are on their deathbed. Design things that one’s relatives will look back in fifty years and express sympathy for. Again, when you are dead, will your kids give a shit about your Foursquare badges?

A long time ago, I read a story online about a young guy who got killed in a road accident. I think he was on a bike and got hit by a car while driving home from work. He was a PHP programmer and ran an open source CMS project. There was a huge outpouring of grief and support from people who knew the guy online, from other people who contributed to the project. A few people clubbed together to help pay for two of the developers to fly up to Canada to visit his family and attend the funeral. They met the guy’s mother and she asked them to explain what it is that he was involved in. They explained, and in the report they e-mailed back to the project, they said that the family eventually understood what was going on, and it brought them great comfort to know that the project that their son had started had produced something that was being used by individuals and businesses all over the world. This is open source: it wasn’t paid for. He was working at a local garage, hacking on this project in between pumping petrol. But there was meaning there. A community of people who got together and collaborated on something. It wasn’t perfect, but it was meaningful for him and for other people online. That’s pretty awesome. And it’s far more interesting to me to enable more people to do things like this than it is to, I dunno, gamify brands with social media or whatever.

This is why I’m sceptical about gamification: there’s enough fucking pointless distractions in life already, we don’t need more of them, however beautiful the user experiences are. But what we do need more of is people making a commitment to doing something meaningful and building a shared pool of common value.

And while we may not be able to build technologies that are equivalent in terms of meaning-making as, say, the importance of family or friendship or some important political commitment like fighting for justice, we should at least bloody well try. Technology may not give us another Nelson Mandela, but I’m sure with all the combined talent I see at hack days and BarCamps and so on, we can do something far more meaningful than Google Maps hacks and designing delightful user experiences in order to sell more blue jeans or whatever the current equivalent of blue jeans is (smartphone apps?).

The sort of projects I try to get involved in have at least seeds of the sort of meaning-making I care about.

Take something like Open Plaques, where there are plenty of people who spend their weekends travelling the towns and cities in this country finding blue memorial plaques, photographing them and publishing those photos with a CC license and listing them in a collaborative database. No, you don’t get badges. You don’t get stickers and we don’t pop up a goofy icon on your Facebook wall when you’ve done twenty of them. But you do get the satisfaction of joining with a community of people who are directed towards a shared meaningful goal. You can take away this lovely, accurate database of free information, free data, free knowledge, whatever you want to call it. All beautifully illustrated by volunteers. No gamification or fancy user experience design will replicate the feeling of being part of a welcoming community who are driven by the desire to build something useful and meaningful without a profit motive.

The same is true with things like Wikipedia and Wikimedia Commons. Ten, fifteen years ago, if you were carrying around a camera in your backpack, it was probably to take tourist snaps or drunken photos on hen nights. Today, you are carrying around a device which lets you document the world publicly and collaboratively. A while back I heard Jimmy Wales discussing what makes Wikipedia work and he said he rejected the term ‘crowdsourcing’ because the people who write Wikipedia aren’t a ‘crowd’ of people whose role is to be a source of material for Wikipedia: they are all individual people with families and friends and aspirations and ideas, and writing for Wikipedia was a part of that. As Wales put it: they aren’t a crowd, they are just lots of really sweet people.

What could potentially lead us into more meaning-making rather than experience-seeking is the cognitive surplus that Clay Shirky refers to. The possibilities present in getting people to stop watching TV and to start doing something meaningful are far more exciting to me than any amount of gamification or user experience masturbation, but I suspect that’s because I’m not a designer. I can see how designers would get very excited about gamification because it means they get to design radically new stuff. They get to crack open the workplace, rip out horrible management systems and replace them with video games. Again, not interested. The majority of things which they think need to be gamified either shouldn’t be, because they would lose something important in the process, or they are so dumb to start with that they need to be destroyed, not gamified. The answer to stupid management shit at big companies isn’t to turn it into a game, it’s to stop it altogether and replace the management structure with something significantly less pathological.

Similarly, I listen to all these people talking about social media. Initially it sounded pretty interesting: there was this democratic process waiting in the wings that was going to swoop in and make the world more transparent and democratic and give us the odd free handjob too. Now, five years down the line and all we seem to be talking about is brands and how they can leverage social media and all that. Not at all interested. I couldn’t give a shit what the Internet is going to do to L’Oreal or Snickers or Sony or Kleenex or The Gap. They aren’t people. They don’t seek meaning, they seek to sell more blue jeans or whatever. I give far more of a shit what the Internet is doing for the gay kid in Iran or the geeky kid in rural Nebraska or a homeless guy blogging from the local library than what it is doing for some advertising agency douchebag in Madison Avenue.

One important tool in the box of meaning-making is consensual decision making and collaboration. There’s a reason it has been difficult for projects like Ubuntu to improve the user experience of Linux. There’s a reason why editing Wikipedia requires you to know a rather strange wiki syntax (and a whole load of strange social conventions and policies - you know, when you post something and someone reverts it with the message “WP:V WP:NPOV WP:N WP:SPS!”, that’s a sort of magic code for “you don’t understand Wikipedia yet!” See WP:WTF…). The reason is those things, however sucky they are, are a result of communities coming together and building consensus through collaboration. The result may be suboptimal, but that’s just the way it is.

Without any gamification, there are thousands of people across the world who have stepped up to do something that has some meaning: build an operating system that they can give away for free. Write an encyclopedia they can give away for free. All the gamification and fancy user experience design in the world won’t find you people who are willing to take up a second job’s worth of work to get involved in meaningful community projects. On Wikipedia, I see people who stay up for hours and hours reverting vandalism and helping complete strangers with no thought of remuneration.

It may seem corny, and it’s certainly not nearly as big of an ethical commitment as the sort Kierkegaard envisioned, but this kind of commitment is something I think we should strive towards doing, and helping others to do. And I think it is completely at odds with gamification, which seeks to basically turn us all into cogs in some kind of bizarre Skinner-style experiment. We hit the button not because we are getting something meaningful out of it, but because we get the occasional brain tickle of a badge or get to climb up the leaderboard or we get seventeen ‘likes’ or RTs or whatever. Gamification seems to be about turning these sometimes useful participation techniques into an end in themselves.

Plenty of the things which make meaning-making projects great are things any good user experience designer would immediately pick up and grumble about and want to design away. Again, contributing to the Linux kernel is hard work. Wikipedia has that weird-ass syntax and all those wacky policy abbreviations. Said UX designer will really moan about these and come up with elaborate schemes to get rid of them. And said communities of meaning will listen politely. And carry on regardless. Grandma will still have a difficult time editing Wikipedia.

When I listen to user experience designers, I can definitely sympathise with what they are trying to do: the world is broken in some fundamental ways, and it is certainly a good thing there are people out there trying to fix that. But some of them go way too far and think that something like “delight” or that “eyes lighting up” moment is the most important thing. If that is all technology is about, we could do that a lot easier by just hooking people up to some kind of dopamine machine. Technology should give us all our very own Nozickian experience machine and let us live the rest of our lives tripped out on pleasure drugs. I read an article a while back that reduced business management to basically working out how to give employees dopamine hits. Never mind their desire for self-actualization, never mind doing something meaningful. Never mind that the vast majority of people opt for reality with warts rather than Nozick’s experience machine—the real world has meaning.

The failure of meaning-making communities to value user experience will seem pretty bloody annoying, if only to designers. There are downsides to this. It sucks that grandma can’t edit Wikipedia. It sucks that Linux still has a learning curve. Meaning-making requires commitment. It can be hard work. It won’t be a super-duper, beautiful, delightful user experience. It’ll have rough edges. But that’s real life.

A meaningful life is not a beautiful user experience. A meaningful life is lived by persons, not users. But the positive side of that is that these are engaged, meaning-seeking, real human beings, rather than users seeking delightful experiences.

That’s the choice we need to make: are technologists and designers here to enable people to do meaningful things in their lives in community with their fellow human beings or are they here as an elaborate dopamine delivery system, basically drug dealers for users? If it is the latter, I’m really not interested. We should embrace the former: because although it is rough and ready, there’s something much more noble about helping our fellow humans do something meaningful than simply seeing them as characters in a video game.


This post is now on Hacker News, and Kevin Marks has written it up on the Tummelvision blog.

  1. This is one thing I disagree with Kierkegaard very strongly on. But not for any high-falutin’ existentialist reasons. I just don’t believe in God, and more importantly, I don’t believe in the possibility of teleological suspension of the ethical, which makes the step to the religious stage of existence rather harder! I’m not even sure I’m in the ethical. It could all be a trick of my mind, to make me feel like I’m some kind of super-refined aesthete. Or it could be rank hypocrisy. But one important thing to note here is that the aesthetic, ethical and religious stages or spheres of existence, for Kierkegaard, are internal states. The analogies he uses don’t necessarily map onto the spheres. So, you don’t have to be the dandy-about-town, seducing women and checking into Foursquare afterwards to be in the aesthetic. If you are married, that doesn’t mean you are in the ethical stage. Nor does being overtly religious or, rather, pious, mean you are in the religious stage. Indeed, the whole point of Kierkegaard’s final writings, translated into English as the Attack Upon Christendom is that Danish Lutheranism was outwardly religious but not inwardly in a true sense.


HOWTO: Build an HTML 5 website

Everyone is going on about how they are making “HTML 5 sites” and going on and on about how HTML 5 is giving them a hard-on or something equally exciting.

So, I’ll show you how you join this amazing club.

Open up your text editor and find some HTML file or template.

Look for the bit right at the top. It is called a DOCTYPE. It’ll look something like this:[1]

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML+RDFa 1.0//EN"
    "http://www.w3.org/MarkUp/DTD/xhtml-rdfa-1.dtd">

Now, delete all that and replace it with:

<!DOCTYPE html>

Save the file and push it out onto the web.

Congratulations, you are now using HTML 5.

Give yourself a big pat on the back. Listen to some cutting edge spacey techno or something. ‘Cos you are living in the future, man. Your techno-halo is so bright, I need to put on two pairs of shades indoors.

You are now officially signed up in the fight against SilverFlash and a minion in Steve Jobs’ campaign for the open web or something. (Because embrace-and-extend is so much nicer when it comes from Apple and Google than when it comes from Microsoft and Adobe.)

You can also go to your boss and justify a huge champagne and coke-fuelled party with hookers and everything because you are now fully buzzword compliant. You can get venture capitalists and TechCrunch and other people who wouldn’t know a DTD from an STD[2] to give your huge, manly testicles a thorough tonguebath – sadly, only rhetorically – because you are smart and hip enough to be using HTML 5. Pow! Bam! Shazam! You are like a cross between Nathan Barley and Rambo!

Or, you know, you could actually learn what HTML 5 is. Let me give you a clue: it is quite a lot like HTML 4. That’s part of the philosophy of the damn thing: it is continuous with what you are already doing rather than a radical shift! It is that cliché: evolution not revolution. It’s like the difference between OS X Leopard and Snow Leopard.

Once you realise this important truth, you can drop the buzzwords, and just quietly educate yourself on some of the quite nifty new things you get to do on the web, get your rather excitable colleagues to calm down before they faint in pre-orgasmic excitement, and maybe try and nudge the community at large into realising that HTML 5 is a few new bits and bobs they are adding to HTML, not some hybrid of Jesus and Vannevar Bush riding down on a pterodactyl/unicorn hybrid giving out ultratight Fleshlights to anyone who slings angle-brackets so they can prepare for the giant fight between HTML 5, evil browser plugins and mobile app stores.[3]

You can adopt HTML 5 really quite slowly: if your site sucks now, making it “HTML 5” won’t make it not suck. Even better, don’t start with HTML 5. Start with CSS 3: the nature of CSS is that it is much easier to fiddle with a stylesheet, add a few things like media queries and so on.

Be patient and don’t rush into this. Include only technologies that improve your site and the experience of using it. Not because some fucking bullshit web design blog you found on Reddit is jabbering on about how it is the most awesomest thing ever invented since someone discovered you could have sex while eating sliced bread or some other crap like that. It’s not. It’s an evolutionary step from existing HTML on the web that gives you a few shiny new things that might make life easier.

Now calm down. I’ve just washed my clothes and I don’t want you jizzing all over them when you discover the joys of the section element.

  1. Yours will be much more boring. It won’t have cool shit like RDFa in it because you suck.

  2. To be fair, DTDs and STDs share a scary resemblance in lots of ways. You can prevent the transmission of DTDs by adopting RELAX NG for all your XML schema validation needs.

  3. Again, the whole native vs. web thing is fucking stupid. The only reason it is happening is because people seem to think that everything needs to be an app. You know, if the thing is more like a web page, you put it on the web. If it is more like a desktop application, you put it in an app. Content? Web. Functionality? App. This also resolves all the stupid nonsense about app store approvals. Why have we reached a situation where people are putting content in an app? You know, people are downloading blobs of Objective-C compiled object code that contain satirical political cartoons. Then they are complaining when Apple ban the ‘app’. What the fuck is that all about? Put that shit on the web. Apple can do what they want to apps, but why let them tell you what you put in your content. Let them approve functionality, not content.

    There was a time many moons ago when you had to download a Windows application – actually, you had to have a Windows application sent to you on a CD-ROM – in order to order groceries from Tesco. This is the app world we live in today, and it is totally idiotic. Apps are things like Vim or Firefox or Unreal Tournament 2004 or iTunes or The Gimp or Final Cut Pro. If you wouldn’t download a Windows or Mac app to read Wired Magazine, why are you downloading a damn iOS app?

    What is so stupid about this is that while Apple and Android and whatnot train everyone up into using app stores, what’s the reaction of plenty of people in the open source community: don’t worry, the web will do it. (Or worse: we’ll make an open web app store!) But it’s bullshit. The web is a pretty damn retarded application platform. I mean, it is okay in a pinch, but I’m not betting on a decent Ajax version of Vim, Half-Life 2 or Adobe Illustrator any day soon. And why would I want to use Google Docs when I’ve got thirty years of hard work by Donald Knuth and Leslie Lamport sitting there ready to churn out absolutely awesome pixel-perfect print documents from my damn command line. Plain text, Vim and Git (or Emacs and Mercurial or some other combination thereof) will beat the socks off whatever cloud vapour out there.

    You do actually sometimes need native code on actual hardware, not seventeen layers of JavaScript indirection bouncing back and forth between a server that doesn’t respond half the time and a browser that’s filled with security holes and memory leaks. Why do I want this when I have a command line here that does the job quicker and easier and works when I’m in a fucking train tunnel? And don’t even think about saying “Google Gears”.


LazyWeb idea: Read My Docs

Here’s an idea that came to me after reading about all the different teams and infrastructure on the Ubuntu Wiki:

Read My Docs

A web service to connect people willing to proof-read and provide constructive feedback on open source software documentation. Projects could post announcements of newly written or radically revised documentation including manuals, tutorials, guides, man pages, READMEs etc. Each announcement would have a comment page, and links back to issue trackers and/or version control systems so that contributors could submit back either comments, issues straight into the issue tracker or even diffs/git pull requests/hg patch queue requests etc. (this is made easier by the use of distributed version control systems).

Each announcement would be marked up to specify the intended audience of the documentation: end user, developer, expert, absolute newbie etc. In addition, if announcements were specific to particular language or technology communities, these could be noted using tags so that one could drill down and find those things.

Language communities where packages are released through a central repository such as RubyGems, PyPI, Haskell’s Hackage etc. could have newly released packages automatically announced to the site so that developers with a specific interest could keep an eye on the quality of documentation and improve it.

A community could perhaps build around such a site and they could build up good practices that could be documented, leading to a positive spiral of better and better documentation. Some kind of intelligent game mechanic could potentially be applied so that instead of people rushing around cities checking into venues on Foursquare, they would get goofy badges and points and mayorships and leaderboards and so on for doing something useful like writing better documentation.

The end result? A small army of documentation fairies who would improve open source documentation across a wide range of projects, languages, communities and Linux distributions without having to join any of those communities. And hopefully a fun way for people who aren’t programmers to ease the documentation burden from the people who’d much rather be writing code.


Handwriting: still useful

I’ve never understood people who deem skills obsolete long before they actually are. A while back, someone started a wiki listing obsolete skills. Some skills truly are obsolete. But most of the time, just as with technology, when someone says a particular skill is obsolete, there’s usually a pretty good chance that you will still need to do it. Programming in FORTH may be less commercially useful these days than programming in Java or Python, but the programmer who knows FORTH has a valuable skill even if he doesn’t find himself using it very often. (I’ve got an RPN calculator app installed on my iPod touch…)

Being able to use a typewriter is one of those things. Everyone tells me that typewriters became obsolete in the 1970s. Strange. I was born in the mid-80s and still remember that in 1995, I was using a manual typewriter for a school report even though we had a PC. And the skills I learned using a manual typewriter – namely, the ability to touch-type – are pretty useful now I’m chucking around Ruby code in Vim or academic citations in LyX.[1]

I’m used to people telling me that typewriters are obsolete technology, and skills like being able to change dot-matrix printer ribbons or operating a rotary phone are now obsolete. But I never expected handwriting would ever end up in the same category.

Most schools still include conventional handwriting instruction in their primary-grade curriculum, but today that amounts to just over an hour a week, according to Zaner-Bloser Inc., one of the nation’s largest handwriting-curriculum publishers. Even at institutions that make it a strong priority, such as the private Brearley School in New York City, “some parents say, ‘I can’t believe you are wasting a minute on this,’” says Linda Boldt, the school’s head of learning skills.

Parents are finding it strange that schools are spending time teaching children how to actually write? What the fuck is that all about?

I’ve got an iPad. I’ve had a Palm Pilot in the past. I’ve got a laptop. And I still write by hand a hell of a lot. Why? Because it is fast. And it is especially quick if you want to jot down something other than linear text. If you want to draw a diagram, doing it in a notepad is a hell of a lot less painful than doing it on almost any computing device I’ve ever used.

This is partly my objection to most smartphones: when I use a laptop or desktop computer, my fingers can keep up with my brain. I can just about do similarly when I’m writing longhand. If I’m using an iPhone/iPod touch or a Blackberry or whatever, it takes a bloody long time to take notes. I guess if you can’t touch type on a full-size keyboard, being forced to use a smudgy little iPhone keyboard isn’t that big of a step down.

So, imagine, we don’t teach kids how to write by hand. How do they answer exams in school and in university? For many subjects, undergraduate and postgraduate, you still have to do pen-and-paper exams.

What if you want to become a reporter? If you are in Afghanistan reporting on the war, you may not have the chance to take an iPad with you.

What if you simply want to leave a note on the fridge reminding your family members or flatmates to buy some milk when they next go to the shops? Oh yeah, I’m just going to login to my computer and tap it out in a word processor and send it to the damn laser printer hoping that some idiot hasn’t left it without paper or toner? I like computers more than most, but even I’d just grab a post-it note in that situation. I like pen and paper for the same reason I prefer using Vim over Microsoft Office: it is simple, powerful and failure-resistant.

It is the old tale of the reluctant geeks again: while everyone else breathlessly adopts technology very quickly, those of us who know the technologies in unhealthy amounts of detail are a fair bit more conservative about changing systems that work. And, well, handwriting actually works pretty well. The pundits have gotten equally breathless about e-books, but I expect I’ll still be renewing my library card to borrow physical books for the next decade or three.

As with e-books, there may come a time when technology has far outpaced the need for writing by hand. 2010 is not that time. The fact that we have to resort to neuroscience to justify teaching basic writing skills is absolutely pathetic.[2]

  1. In fact, compared to the bad joke that is most inkjet printers, I’d rather be using a manual typewriter.

  2. Ray Tallis’ article Neurotrash feels an appropriate link here.


Walt Mossberg travels to Paris with iPad instead of laptop.

Bully for Walt Mossberg. The tech media really is getting rather ego-centric...