Things Storm bookmarked this week 30/11/11

This week…

Adam: “An absolutely fantastic read on why working 100-hour weeks in the name of ‘start up glory’ is utter stupidity. Don’t waste your one and only youth! Also, amused that the ‘you can’t say fuck on the Internet’ gang are out in force attacking Amy, when the piece is so very well written!”

Liam: “My bookmark for the week is the British Newspaper Archive. It’s a really neat little web app that has taken thousands of hours of work scanning 200-year-old newspapers and performing OCR to make them searchable on the web.”

Andrew: “Today I learned you can mine gold from old motherboards. With the amount of unused tech knocking about the Storm office, I’m considering pitching the idea of jacking the website building in and investing in an office chemistry set.”

Dave: “So, Apple & Facebook have both done well by leveraging third-party devs – and it looks like Spotify will soon be following suit. It’ll be interesting to see what sort of applications come flying out of the Spotify API – I’m sure we’re in for some awesome mashups!”

Paul: “Groupon: ‘Nuff said, really.”

Mike: “Lots of interesting stuff this week but easily the best for me was this post by Russell Davies in which he says this: ‘…[in 2009]…it was already too late to be merely Thinking Digital and we had to try and get beyond that kind of trammelled and limiting mindset’. The point – in short – is that the collision of physical and digital should make for something interesting: ‘being digital should be more interesting than just being electronic’. As a man who thinks a lot about what mobile really means, builds internet-connected receipt printers and thinks about whether we should have a Bath Digital newspaper, this is music to my ears.”

Storm news roundup 25-11-11

Our favourite web(ish) stories from the week…

Adam:

“Google Analytics made a nice change this week when they started collecting and reporting page load speed by default. Previously webmasters had to add an extra bit of JavaScript to their site to get GA to track page load times. Now that functionality is being provided by default. This measurement is taken on a sample of visits to your site. Out of the box the sampling rate is pretty low, so unless your site has a reasonable level of traffic getting significant results will take a while. However, for more accurate data you can increase the sampling rate at the inconvenience of adding some JavaScript.”

Paul:

“Apparently Facebook has shrunk the famous 6-degrees of separation down to 4.75. The effect isn’t much of a surprise as the number of people you can be “friends” with on Facebook far outstrips the number of people you can reasonably be friends with in real life.”

Dave:

“Google has been eyeing up a bit of a product killing spree of late. ‘We’re in the process of shutting a number of products which haven’t had the impact we’d hoped for’ said Urs Holzle, Google’s vice president of operations. The seven facing the chop are named as: Google Wave, Bookmark List, Friends Connect, Gears, Search Timeline, Knol and Renewable Energy Cheaper than Coal. I wonder how long until Google+ makes this list?”

Mike:

“Yet another ‘marketing gone awry’ moment – this time from Littlewoods. 172 comments (and counting) later – and things have all gone a bit angry.

I’m not sure if there’s anything to be learnt from this, apart from the fact that social media marketing like this often seems to sit on a knife edge, just waiting to tip into viral success or viral horror. Certainly too there is very often a kind of mob mentality – once a tipping point is reached, it seems to become more and more likely that people will pile in, all rational thought long gone…”

Liam:

“The biggest names in the web all came together to sign a petition against a new bill going through the US government system at the moment called SOPA. It’s a complicated bill that changes the way responsibility for piracy is enforced, and if passed will likely also have impact for us in the UK, as many of these sites are in the US”. See http://news.cnet.com/8301-31921_3-57325134-281/google-facebook-zynga-oppose-new-sopa-copyright-bill/

Andrew:

“A great article on the meteoric rise of the world’s largest social network that you probably haven’t yet heard of, Badoo. The service’s unique compelling feature of connecting members up according to their profile pictures and location so that they may ‘Chat, flirt, socialise and have fun!’ has seen an extraordinary rise in popularity in a very short period of time, and is now being used by over 120 million people worldwide. With this has also come a massive level of venture interest from A-list investors, with the company already valued at hundreds of millions of dollars, and that is without having even penetrated the US and UK markets.

It’s a great example of an app with a great, simple function bursting into the seemingly impenetrable market of social networks and thriving, and just goes to show such a brilliant achievement is still very possible.”

Things Storm bookmarked this week 23/11/11

This week…

Dave: “I happen to have been involved in a bunch of group discussions this week, which due to geographical constraints have taken place online. As such, I have been introduced to https://freedcamp.com. It is similar to Google Groups, only much easier to administer and less based around email. I must say first impressions are fantastic. With features such as Discussions, To-Do’s, File-storage and more, it’s a fantastically clean way to create discussions online. Its core benefit is that your user isn’t tied to a group – so you can be in discussions with multiple groups of people.”

From me: My good friend and well-worth-following-on-Twitter-person @zambonini just posted a link to this which I’m going to steal as my bookmark of the week: http://facedetection.jaysalvat.com/ – yes, a Face Detection jQuery Plugin. What a ridiculously cool thing.

From Paul: “We’ve previously used the Formtastic gem for building forms in Rails, but the HTML it generates can be a bit… interesting, and awkward to change. So we’ve now switched to using the simple_form gem, which has the same DSL, but generates nicer HTML and is easier to customise. https://github.com/plataformatec/simple_form”

Adam pointed this out to me – we haven’t read it yet, but he’s right – it does look like a very interesting piece on best practice when developing cloud-based applications.


The cookie monster

As many people will remember, a while back ICO caused a bit of a stir by announcing an…interesting…new law all about cookies.

In short, the law says this:

“The rules previously required websites to tell you about cookies they used and give you information about how to ‘opt out’. Most organisations did this by putting information in their privacy policy. The new rules require in most cases that websites wanting to use cookies get consent”

Even shorter: whereas you used to have to give the option to opt out of cookies, now you have to ask people to opt in.

The first question is how this affects behaviour. The best place to ask this question (thanks for the heads-up, Matt!) is the ICO site itself, which is one of the – presumably very few – organisations actually enforcing the law right now. The first thing you notice on their site is a horrible great banner slapped across the top, advising you to opt-in. Amusingly, it turns out they do actually place a cookie without asking your consent, because it is “essential for parts of the site to operate”. (Note this for later, folks, it may be your get-out clause…).

This is all pretty horrible visually but as ever those designer types will find a way. What is more disturbing is the effect this’ll have on the functionality underlying your site. A huge number of web sites and apps these days rely on the setting of cookies, often to retain state between visits. If you log into a site, go away for a bit and come back again to find you’re still logged in – that’s almost definitely a cookie at work.

This is all fine though, right, cos any visitor seeing that banner is just going to click the link for “a better web experience”? Um, no. Not in the slightest. Here are ICO’s visitor figures, taken from an RFI.

I’ll leave you to work out when the cookie header was implemented:

(Note that this doesn’t mean that ICO lost ~90% of their traffic. It does mean that 90% of people didn’t check the box. If you’re web-savvy you’ll notice that viewing the ICO HTML source shows no sign of a Google Analytics tag when you first go to the site. Then if you check the box and consent, the GA code appears. The missing 90% is simply not being measured, rather than not being there…)

For those who missed the history, there was a panicked moment as ICO tried to enforce this law and then almost immediately decided that they were going to give businesses a year to comply. Just recently the conversation came up again on a forum I follow and in response I threw out a tweet to ask what my web developer friends were doing about it. Mostly the answers went all a bit ostrichey: heads buried, hands over ears and “we’re relying on the fact that something this ridiculous won’t happen”, or “that old law? That got buried, right?”. Well, no. ICO claims that from May 2012, organisations have to comply.

On the surface, this is clearly ridiculous. Not only do you – as MD of ecommerce site, or web developer, or web agency, or… – have to go back to all your sites and ensure that you have the opt-in available, but you also have to re-write any functionality which relies on cookies. If you don’t, you’re going to lose that 90% too, ‘cos people aren’t going to click your checkbox, either.

One of the worries which has been aired particularly amongst my museum / not for profit / government / public body web friends is that this will lead to a two-tier scenario. Commercial organisations clearly won’t take a 90% hit, or even spend the time retrofitting their technology to make it work in a cookie-less world – but those in these public bodies will be forced to comply.

The other bit that concerns many people greatly is that web analytics – which has undergone a rather lovely evolution since Google Analytics arrived on the scene – is going to be thrown back a good 5-10 years by this move. I remember spending entire days crunching log files back in the early 2000s, and it’s not a world I want to return to. There are some solutions out there, but they’re not established in the way that GA is.

So far there seem to be few answers, and lots – and lots – of questions….

Three sure signs that you are doing something wrong when building a webapp

We all make mistakes, but there are three schoolboy errors I see committed by web developers on a depressingly regular basis which indicate that they don’t really understand what they are doing. What’s really worrying is the number of major sites that commit these easily avoidable errors.

Not letting me use perfectly valid email addresses

I covered most of this in my previous blog item on validating email addresses in Rails but it’s worth repeating…

If you don’t let me use a ‘+’ in my email address I will hunt you down and beat you to death with a stone engraving of RFC5322

Almost every platform, language, toolkit and framework should come with something that will validate an email address; you’ll probably find it in the respective mail library.

If you are not using an off-the-shelf address validator you are wasting effort building something that will almost certainly be worse.

Unless you know RFC5322 back-to-front, don’t write your own email address validator. And even then you should only be doing it if a suitable one doesn’t exist on your platform.

Did you know…

  • x@x.com is a valid email address (yep, domains can be one letter long)
  • !#$%&'*+-/=?^_`{|}~ are all valid characters in the local part (before the @) of an email address
  • the characters "(),:;<>@[\] can be used in the local part if you want (but with some restrictions)
  • something.police.uk and something.nhs.uk are valid domain names
  • ME@example.com and me@example.com are technically different addresses, but most servers will treat them the same (this is just convention, not a standard)
  • me+you@example.com is a valid email address and for most mail servers will be delivered to the same mailbox as me+foo@example.com, although that’s also just convention and will depend on the mail server

If you didn’t know all this then don’t write your own address validator unless you have a pretty good reason. You are almost certainly wasting your time reinventing the wheel.
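To make the point concrete, here is an added Ruby example (not code from the original post) that runs the valid addresses listed above through the sort of regex that turns up in many hand-rolled sign-up forms and reports which ones it wrongly rejects. The regex, the address list and the deliberately minimal `plausible_email?` fallback are all constructed for this illustration; the fallback is a design choice for the example, not a standard, and stands in for "do as little as possible and let a confirmation email do the real verification" when no library validator is to hand.

```ruby
# Added example, not from the original post. Shows how a typical hand-written
# email regex treats the valid addresses listed in the post.

# The kind of regex many sign-up forms use: letters, digits, dot, underscore
# and hyphen only in the local part, and a domain label of at least two
# characters before the top-level domain. (Constructed for this example.)
NAIVE_EMAIL = /\A[\w.-]+@[\w-]{2,}(\.[\w-]+)*\.[a-z]{2,}\z/i

# Addresses taken from the "did you know" list in the post; all are valid.
# Single quotes keep Ruby from interpolating the "#$" sequence.
VALID_ADDRESSES = [
  'x@x.com',                          # one-letter domain label
  'me+you@example.com',               # "+" in the local part
  '!#$%&\'*+-/=?^_`{|}~@example.com', # every atext special character
  '"(),:;<>@[\\]"@example.com',       # specials allowed inside a quoted local part
  'someone@something.police.uk',
  'ME@example.com',
].freeze

# Returns the subset of addresses that the given regex refuses.
def wrongly_rejected(regex, addresses = VALID_ADDRESSES)
  addresses.reject { |a| a.match?(regex) }
end

# A deliberately minimal syntactic check (a design choice for this example):
# exactly one local part and one domain split at the last "@", a dot in the
# domain, and the RFC 5321 length limits. Anything stricter is the job of a
# library validator or, better still, a confirmation email.
def plausible_email?(addr)
  local, at, domain = addr.rpartition("@")
  return false if at.empty? || local.empty? || domain.empty?
  return false if local.length > 64 || addr.length > 254
  domain.include?(".") && !domain.start_with?(".") && !domain.end_with?(".")
end

if __FILE__ == $PROGRAM_NAME
  puts "Wrongly rejected by the naive regex:"
  wrongly_rejected(NAIVE_EMAIL).each { |a| puts "  #{a}" }
  puts "Accepted by the minimal check: #{VALID_ADDRESSES.count { |a| plausible_email?(a) }}/#{VALID_ADDRESSES.size}"
end
```

Run it and the naive regex throws out four of the six valid addresses, including the `+` form the post is so exercised about, while the minimal check accepts all six and still refuses strings with no `@` or no dot in the domain.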

Sending Passwords to your Users in Plaintext

There are two bloody good reasons why you shouldn’t be sending passwords in plaintext emails:

You have no idea who has access to that email

Between your systems and the user’s brain are a host of email servers, routers and networking gear, not to mention the user’s own computer. Any one of these could be compromised, be it an insecure email system, the user’s own virus-infested PC, or the unencrypted free coffee-shop wifi they are using.

Your user probably uses that password on every other service they sign up for

It’s a sad fact that most users are bad at picking passwords, and will reuse one for everything they sign up for. If your service exposes their password to the world, you are not just compromising the security of their account on your service, but also many other services.

You shouldn’t even know the user’s password

If you are doing things properly, you should be storing the password as a hash using an algorithm like SHA2, not in plain text. If you don’t know what a hash is, put your editor down, and get googling.

By storing passwords as hashes you limit the damage done to your customers if your user database gets hacked. If your plaintext, or badly hashed (MD5 is basically useless now), database of usernames, email addresses and passwords gets exposed, chances are you’ve just handed out the keys to your users’ Facebook, Twitter, email and god-knows what other accounts. I’ll bet a significant percentage of them are exactly the same.

If the PlayStation network can be hacked then do you really think your database is that secure?

Limiting the Length of Passwords

When a website limits the length of the password I can use I start to get very worried about the security of the site. The length of a password is the single most important factor in how secure a password is. If you limit the length of the passwords your users can use, you are actively limiting how secure your system is.

Obligatory XKCD comic complete with explanation

Let’s get this straight: there are few (if any) good technical reasons for restricting the length of a password, except at the extreme upper limits, such as the maximum size of an HTTP POST parameter on your system.

“But I need to limit the space it takes up in the database/I’m storing it in a fixed width column…”

Don’t forget, you should be hashing your passwords…

One of the key features of a hash algorithm is that the output is always the same length. A SHA-512 hash is always 512 bits long (64 bytes), irrespective of how long the input data is. That means that what you store in the database is always the same size, whether the user has a three letter password or a three thousand letter password.
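The two points above (store a hash, never the password, and the stored value is the same size whatever the password length) in one added Ruby example using only the standard library. This is illustration code written for this page, not code from the post or from Devise; the iteration count, salt size and the `iterations$salt$key` record format are this example’s own choices. It uses PBKDF2 with HMAC-SHA512, which is SHA-2 underneath but salted and iterated; a purpose-built password hash such as bcrypt (which Devise uses by default) is the usual production choice.

```ruby
require "openssl"
require "securerandom"

# Added example, not from the original post: salted, iterated SHA-512-based
# password hashing and verification with Ruby's standard library.

ITERATIONS = 200_000  # cost factor chosen for this example; raise it over time
SALT_BYTES = 16
KEY_BYTES  = 64       # PBKDF2 output length; 64 bytes = 512 bits, like SHA-512

# Derive a fixed-length key from the password and salt (PBKDF2-HMAC-SHA512).
def derive_key(password, salt, iterations = ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, KEY_BYTES,
                             OpenSSL::Digest.new("SHA512"))
end

# Build the value that goes in the database: iterations, hex salt and hex key
# joined with "$". The result has the same length whatever the password is,
# because the salt is fixed-size and the key is always KEY_BYTES long.
def hash_password(password)
  salt = SecureRandom.random_bytes(SALT_BYTES)
  key  = derive_key(password, salt)
  [ITERATIONS, salt.unpack1("H*"), key.unpack1("H*")].join("$")
end

# Compare two strings without stopping at the first mismatching byte, so the
# comparison time does not reveal how much of the hash matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Re-derive the key from the candidate password with the stored salt and
# iteration count, then compare it with the stored key.
def verify_password(candidate, stored)
  iterations, salt_hex, key_hex = stored.split("$", 3)
  salt = [salt_hex].pack("H*")
  derived = derive_key(candidate, salt, iterations.to_i).unpack1("H*")
  constant_time_equal?(derived, key_hex)
end

if __FILE__ == $PROGRAM_NAME
  short = hash_password("abc")
  long  = hash_password("p" * 3000)
  puts "3-char password record: #{short.length} chars"
  puts "3000-char password record: #{long.length} chars"
  puts "verify correct password: #{verify_password('abc', short)}"
  puts "verify wrong password:   #{verify_password('abd', short)}"
end
```

The record for a three-character password and the record for a three-thousand-character one come out exactly the same length, so a fixed-width column is no argument for capping password length; and because the salt is fresh per user, two users who pick the same password still get different records.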

“It would take too long to hash those long passwords…”

Aside from “Premature optimisation is the root of all evil”, the two golden rules of performance optimisation are:

  1. You don’t have a performance problem until you can show me a graph of it.
  2. You don’t know what’s causing the problem until you can show me the output from a profiler.

As an example, SHA-512 can be computed at a rate of tens of millions of bytes per second on a fairly normal machine. Stopping your users from using thirty or forty character passwords is not going to make much difference to how long hashing them takes.

Don’t forget, that hash will only be computed once per login. Once you’ve authenticated the user you shouldn’t have to touch that password again.

If you have a busy enough service that the computing resources used to hash passwords are actually a major problem for you, then you’re big enough to throw more hardware at the problem.

But the Big Question is: why are you doing all this work in the first place?

Seriously. Don’t you have better things to do with your time?

Pretty much every language or framework worth using has some kind of authentication system available. If you use Rails then the gold standard at the moment is Devise; I’m sure there are good ones for CodeIgniter, Groovy and the like.

Why do more work than you have to, and risk screwing it up in the process, when there are well used, heavily tested, and battle-hardened alternatives out there that you can just use and that will do all these things right first time? With all that time you wasted writing an auth module you could have finished the important stuff in your application.

I’ll just leave you with this Stack Overflow question, in which the second answerer (is that really a word?), in trying to demonstrate that “An authentication library really isn’t that hard to write” disproves his point by having a massive SQL injection hole in his.

Storm news roundup 04-11-11

Our favourite web(ish) stories from the week…

Adam:

“Groupon has floated on the US stock market at a ridiculous valuation of $13bn. For a company that has never made a cent of profit that is quite amazing. Personally, my love affair with the service has ended. At the beginning of the year I was regularly buying deals from the site, however, in recent months the service has struggled to offer any genuinely local deals as business owners have realised they were being taken for a ride. It’ll be interesting to see how quickly and hard their share price tanks!”

Paul:

“As a Kindle owning Amazon Prime customer I was rather interested to learn that Amazon is planning a kind of lending library system for Kindle owning Prime customers, whereby you can borrow one book at a time from a selection of around 5,000 ebooks, changing it once a month. Unsurprisingly the big six publishers are not so keen and have decided not to join in, claiming that the scheme will damage sales. I’m not convinced that giving people one book a month will seriously damage demand for ebooks; I currently have three different books on the go on my Kindle and I doubt I’m alone. If anything it would probably encourage me to try books by authors that I’d not consider otherwise. Much like a real library then.”

Liam:

“My news for this week is this really rather awesome short online magazine celebrating 75 years of high definition broadcasting on the BBC. Did you know it was deemed High Definition back then because it was greater than 250 lines?!”

Andrew:

“A fascinating article on a dyslexic designer’s attempt to create a font specifically tailored to be easily read by sufferers of dyslexia. Having spent years struggling with his own dyslexia, 30-year-old Christian Boer dedicated his time at graduate school to creating the font, which has recently been made available to schools and organisations. Through a variety of tweaks, such as altering letter thicknesses at the bases of letters to make them appear weighted, Boer was able to stop dyslexic brains flipping letters such as “p” and “d” upside down, as can often occur when a dyslexic person is reading. It’s great to see designers impacting the field of science in ways such as this, and it really goes to show how powerful a medium design can be.”

Dave:

“BREAKING NEWS: The twittersphere is in outrage as the @shippamspaste twitter feed has been axed by Twitter. The unofficial, satirical feed disappeared earlier today amid rumours that Twitter caved to pressure from the Princes Shippams brand.”

Mike:

“I’m a big fan of technology but rather more a fan of how we can use technology to get content across in interesting ways – and I’m particularly interested in the telling of stories. One of the first sites I totally obsessed about was the original [fray] – beautifully designed, intensely personal stories which still stand up more than a decade later. My current obsession is Letters Of Note – another wonderful content-rich loveliness. So when Twitter Stories launched this week my ears pricked up. Obviously, this is first and foremost a marketing piece (and there’s a tendency to cheesy HERO stories), but I also really like the simplicity of the idea and the way it is presented.”

Plugin of the week: Exclude Pages

As we said last week, sometimes WordPress plugins are complicated and sexy; other times they’re incredibly simple but nonetheless useful.

Our favourite this week is another simple one. All Exclude Pages does is display a checkbox next to your posts and pages. Unchecking the box hides the page. That’s it :-)

For top-level nav on your site which may well now be driven by custom menus, this is less useful than it once was, but for auto-generated menus and page lists, it’s a winner.

You can get it at http://wordpress.org/extend/plugins/exclude-pages/

We’re supporting Bath Digital Festival!

We’re thrilled to announce that Storm will be supporting Bath Digital Festival, taking place at venues across the city in March 2012.

The festival is a week-long event celebrating the place of digital in all of our lives. Bath has a considerable impact on the digital sector, being home to a range of fantastic companies, networks and individuals who focus on developing the technology, web and mobile sector.

The team at Storm is really excited that the digital scene in Bath is being recognised and promoted through what promises to be a fantastic city-wide event. We’re currently working on the design for the festival logo and members of the team are taking a central role in the organisation.

To keep up with all the latest news regarding the event, have a look at bathdigitalfestival.com

Things Storm bookmarked this week / 02-11-11

This week…

Dave tells me that iMessage is coming to OS X: “iMessage is Apple’s new messaging solution for the iPad, iPod Touch and iPhone found in iOS 5. It allows customers to send SMS-like messages over standard data connections rather than expensive text messaging plans.” Also: “AirPlay mirroring is going to mean that meetings around the Storm flatscreen are going to be wireless :-) Can’t wait.”

Liam chucked me a super-nerdy bookmark – the guide to Rails 3.1’s asset pipeline. I have no idea what this is so I’ll let him explain: “It’s a pretty scary concept to someone who learnt Rails with static content in the public directory, but things like less will change your CSS developing life.”

From Paul – a live coding video from Ryan Biggs building some of an implementation of Conway’s Game of Life in Ruby using a Test Driven Development approach with RSpec: “It’s a good (if slightly long) intro to how to use RSpec, and the basics of TDD.”

Adam pointed me to this rather useful “avoiding common mistakes using the new HTML5 elements and attributes” article. Handy.

For me, an oldish but very useful set of printable wireframing templates for hand-sketching new sites and mobile apps.