XKCD this week had a wonderful piece of commentary about the way we choose passwords.
Four randomly chosen common English words make for a remarkably good password. Randall Munroe's example uses a word-list about 2,000 words long (11 bits per word). The beauty of this suggestion is that you can choose any 2,000 different words you like and even assume that the attacker knows your word list, and it will still have about 44 bits of randomness in it. And 2 to the 44 is a pretty damn big number.
This is a very similar suggestion to one made by Thomas Baekdal a few years ago, that:
"this is fun" is 10 times more secure than "J4fS!2"
I'm pretty sure that's wrong, but in a slightly subtle way.
Tagged: Social, Security, Technology
Posted at 07:46 EDT, 12th August 2011.
Twitter's a pretty handy way to vent about something good or bad that's happening.
Here's a really simple way to flag that:
They're just hashtags. They're as short as can be, but I think their meaning is pretty clear.
Tagged: Web, Upbeat, Social, Technology
Posted at 06:48 EDT, 21st September 2010.
As a part-time political nerd, I'm keen to keep informed about British politics, particularly in the run-up to a general election. I do a lot of reading, but I also watch programmes like the leaders' debates.
I'm a registered voter, but I happen to live overseas. Given the sorry state of global television distribution by television channels, that causes some hiccups.
I'm not concerned that I can't get access to these videos; with a fair dose of technical knowledge it's pretty simple. I am concerned that it is wrong to make it harder than it need be for any potential voter to get informed.
I hope that for the upcoming debates, the television channels will make them available to all, as easily as possible. If you agree, please let them know (see the links at the foot of this post).
Update at 07:39 EDT, 23rd April 2010 – Some success
I've been shopping for a new DVD player recently, and have been quite surprised by the attitude of so many shops when I ask which of their players are multi-region.
I'd really like a multi-region DVD & Blu-ray player, but that hardly seems like an option. I expect I'll get an encumbered PS3 later on, and a multi-region DVD player now.
A typical response from shops that sold decent electronics was 'We don't sell that sort of thing' and to suggest I try a cheaper, dodgier part of town.
This is tricky for me as I'm looking for two distinct kinds of quality. I want both:
- a well designed, constructed and built machine, with particularly good upscaling to 1080p, so it looks good on our HD telly.
- a lack of anti-user features that will mean some of the discs I own won't play because of where in the world they were originally sold.
They are both about a smooth and pleasant user experience, but one is the side of it that the industry pushes; the other is about how the industry tries to segment markets in both time and space.
The Web is becoming more fragmented, and not quite so World-Wide. More and more often, I get to sites that can't show me what I'm there for because of where I seem to be coming from.
I know there's nothing in the internet's protocols that reliably dobs in where you are coming from, so it never really gets in the way.
Having recently moved from the UK to Canada, I naturally want to keep in touch with the old country. Moreover, I watch a number of things from our southern neighbours. As a geek I have no trouble routing my traffic so that I can see the end result. It's always a little clumsy but works in the end. If the BBC let me pay for an overseas TV licence, I'd likely jump at the chance.
I've been misidentified as German, Swedish and, very occasionally, Polish. If it's just Google taking a best-guess as to which site you'd likely prefer with a clear link back to what you actually asked for, that's fairly harmless.
[Image from the NASA Earth Observatory, by Reto Stöckli, based on data from NASA and NOAA. Thank you.]
The UK's Home Office has been running a consultation, entitled Keeping the right people on the DNA database.
I'm gravely sceptical about the entire episode and, throughout, the document tilts heavily towards keeping DNA for a long time because that will – supposedly – make us safer.
David Mery has had some choice words and a very thorough response to the Home Office's proposal. I am not so thorough, and kept my contribution to the section of which Ben Goldacre rightly asked 'Is this a joke?'.
The consultation closed yesterday; here is my contribution, written from the vantage point of my academic high horse.
Testing Web pages is a pretty complex task. Very often we settle for too little, checking little more than:
- that our markup validates against the spec
- that a simple link-checker doesn't find dead links
- & that some monkey-testing doesn't turn up any glaring errors
Those are good checks to make, but we need to do a lot better.
I want to make some declarative statements about what is expected of different pages, and have them run routinely. For complicated pages, that depend on user-supplied, database-held or offsite data, I'd like to run the tests on any pages I might ever ship, and give the administrators a decent stab at recreating the error and damn-well fixing it.
Thankfully, the CSS people have done a fine job of allowing you to pick out parts of an HTML document and then apply styles to them. Better yet, we've just about reached the point where smart designers can express what they want in CSS, without needing to write anything terribly complicated.
This is a little idea for how to do that. There's no implementation yet, but I'm looking for feedback on doing it this way. The basic idea is to express some useful, human-level tests in a CSS-like language that make sense to more than code-nerds, and use them to test individual Web pages, or entire sites, and be more confident that they do all that you expect, and nothing that you don't.
Update at 11:03 EDT, 8th April 2009 – Minor tweak to the examples.
Tagged: Web, Technology, Code
Posted at 10:48 EDT, 8th April 2009.
I've got a little more diligent recently about using encryption where I can. In particular, several sites allow you to use an encrypted connection, but don't force it:
Tagged: Tips, Security, Technology, Web
Posted at 06:03 EDT, 28th June 2008.
Mary & I were both overcharged on a recent jaunt around London. The barriers beeped and didn't let me out, so the station staff opened the barrier to let me through. The barriers did let Mary out, but it turned out she had been charged two lots of the we-didn't-see-you-touch-out-so-we'll-take-four-pounds.
(Oyster is London's RFID-based ticketing system. You can put travelcards on them, but I use it as a pay-as-you-go card. It charges you for each journey and they promise not to charge you more than the equivalent travelcard. In practice this goes wrong a bit: it's a very complex system, and the software must be a nightmare.)
I've always been quite wary of the Telephone Preference Service (and its sibling the Mail Preference Service). It makes me nervous that the do-not-spam list is held by an organisation that promotes direct marketing.
After getting more marketing calls, and this weekend a spam text message from Firezza (a local pizza firm, no link-love from here), I finally signed up for the TPS for my mobile number and our home number.
The RIAA's head of technology deployed some twisty logic at a recent trade event:
(Recently) I made a list of the 22 ways to sell music, and 20 of them still require DRM.
… Any form of subscription service or limited play-per-view or advertising offer still requires DRM. So DRM is not dead.
So, because he cannot think of very many ways to do without it, it must be workable as a technology. In the sense that they'll keep pushing it, I'm sure it isn't dead yet. For customers who just want their media to work, however, DRM isn't really going to cut it.
PVRblog points to an interesting and quite thorough comparison of Comcast's recent drop in HD quality, including some pretty damning screen captures.
There's a real problem with defining 'HD' as at least a certain number of dots and damn the compression. Quality is a richer game than that. I think we may also need a THX-style, "does this look crap, call this number", and a meaningful, policed brand that means High-Quality, High-Def. Do content owners care when their programme is beaten up so badly it appears on the consumer's television as a bruised and battered mess?
Digital Spy are reporting that Sky have recently dropped component video out from their new HD set-top boxes.
After reporting that some people were seeing harsh restrictions on their TiVo for HBO's new (fantastic) John Adams mini-series, Molly Wood has a response from TiVo. It was all a mistake, apparently.
This highlights how it is very hard to make DRM fail gracefully, certainly from the end-user's perspective.
It's a little thing, but if we are to have a hope of educating users to protect themselves online, it is important that reputable sites don't behave just like the fraudsters.
Here's a quick spot of fuckwittery from Harvard Business Review.
When you tune in to a programme, you want to know that it is the programme the creators intended you to see. Television, like so many things in public life, is still a trust thing.
I believe in our broadcasters, whatever the rumblings last year around a few cases of misbehaviour. But being able to trust what we're watching goes well beyond production.
We receive our programming by more routes today than ever before. Moreover, some of those routes can't necessarily be trusted.
With a little mathematics and a little programming, we could be sure that the recording we borrow from a friend, fetch from an archive, or record from a cable company, really is the genuine article.
We can reinforce trust in what we're watching, however it happened to arrive. Signed television could enable distribution that embraces, rather than fights, the ability of modern technology to make fast, perfect digital copies. Swarm technologies make it easy – and cheap – to send the same digital file to lots of people, especially if it is at all popular. Broadcasters could release material more widely, knowing that it would be seen in the proper context. They would save themselves the headaches of using a DRM-speedbump that has never kept a piece of content off the pirate networks, but that does prevent a significant number of viewers from using legitimate sources.
I have a design for a fairly simple scheme for cryptographically signed television, be it downloaded or streamed. I plan to post that very soon, but first I'd like to run through a few ways this could make television distribution online more potent, for viewers and producers alike.
The front page of Halifax's online banking has an extravagantly stupid 'feature'.
Somehow, they have managed to publish their warnings about phishing attacks so that they look like, well, a bit of a phishing attack!
The sign-up for SemanticCamp London is open.
If you are near London and interested in using the Web with meaning, then grab a spot before they are all gone. It'll be on the 16th and 17th of February, at the Department of Computing at Imperial College (or 'work' from my point of view).
We also have some good pubs nearby, for refreshments afterwards.
Tagged: Technology, Web, Social
Posted at 07:00 EST, 9th January 2008.
A couple of weeks ago, Matthew Cashmore of backstage.bbc.co.uk published a very interesting interview with Anthony Rose, head of Digital Media Technology at the BBC.
I was impressed by Rose, generally. He seems to be pretty clued up about what's possible with the technology, which I suppose is no great surprise given his background at Kazaa. I'll get into some of the contradictions I see in what he says in another post, but first there is one comment he made that particularly grates.
He says, just over 2 minutes in (emphasis mine):
The good news is, as you move to streaming, at this time, there's no requirement for DRM.
We put quite complex back-end controls to make sure that our rights-holders' rights are still protected. In other words the content is only available in the UK, and we make it hard to nick the stream.
I'm very pleased that the BBC have made a version of their catch-up service, iPlayer, that isn't tied to Windows and Internet Explorer.
There are a few good things: programmes are addressable at the episode/programme level, not just the series. That's a great thing, and as I've said before, the BBC's new Programme Support is a fantastic step forward for TV metadata.
The quality is fairly good, but variable. It's obviously worse than television, and quite a bit worse than recordings people distribute amongst themselves using BitTorrent or Usenet. HIGNFY S34E09 was pretty watchable, full-screen on a 21 inch monitor, from across the room. Last week's Film 2007 was unwatchably blocky, for me. The BBC (and their Trust, and the rightsholders) should recognise that that is what they are competing with, and if the normal distribution mechanisms are worse, we'll get good, shiny, socially acceptable alternatives built by the crazy people.
A long time ago, I wrote gallery.future-i.com, and I was particularly exercised about using clean URLs (and still am).
One place I feel I did a really nice job was in making the search URLs pretty nice, e.g. a search for 'mary' lives at:
I did that in the middle of 2001, and I expect plenty of others did similar things by then, too. For me, the tricky bit is all done by Apache's mod_rewrite, which takes incoming requests to your web site and lets you rejig them to pass parameters to scripts without exposing all that grunge to the outside world. It isn't the only way to do it, but it is powerful and effective.
My annoyance now is that Amazon have a patent on a very similar technique, covering URLs for search results of the form http://somedomain/flibble, filed in 2004.
I was impressed by Amazon's A9 when it launched, principally for the clean URLs for search.
That doesn't mean they own the idea, which is plainly in play before that. And don't get me started on parallel invention, making it all the sillier.
I hope the patent boils away in a sea of prior art.
[Via Buzz Out Loud #589, Slashdot coverage]
The BBC have a great new Web site – BBC Programme Support (more info from Tom Scott of the BBC). This is especially good for Web nerds like me, but it will help make link-centric television work for Real Human Beings, too.
There are a few quirks in how things are listed right now but I'm sure they'll shake out in due course. What's great about this service is that the Beeb is committing to long-term, stable URIs for their programmes, with a single, clear link for each show, irrespective of how and when it is shown or repeated.
Oh no, hang on, it doesn't.
iTunes slipped up and put the wrong episode of Stargate Atlantis on their store. It was the first filmed, but the fourth episode of the season. It is wrapped in the usual tasty DRM wrapper and it hasn't aired anywhere yet. Strangely, though, the video has made it onto the usual torrent sites.
So much for the notion that DRM keeps content off the ad-hoc networks.
(Sorry for the long gap in posts here – things have been pretty busy since August. I've either been away, working hard or both for quite a while. Things are settling down now, and I've lots of nearly finished articles coming soon.)
So, Google are shutting down their DRM-backed video sales and rental service. Instead of giving customers the video they 'bought' or a proper refund Google are giving them a "bonus" voucher to spend through Google Checkout, which rusts in 60 days.
Back in the day, we understood the simple cases of:
- you have bought this
- you have borrowed this
- and, you have rented this
DRM intends to make the middle case go away, and skew the first to be a weird and different thing. If we choose to build technology that breaks these norms, we're going to need much clearer language than 'download-to-own' and 'buy' to cover all of the new possibilities for worse-than-before media.
Chris pointed at a piece in the NYT where they say:
Streaming video, unlike downloads, never resides on a viewer's computer. It usually cannot be replayed as a downloaded file can be, which is another reason that content creators like it.
Pay attention, especially any lawyers hanging around at the back.
Here's the important difference between streaming and downloading:
- when you download something you are sent a bag of bits in any old order
- when you stream something you are sent a bag of bits and can start watching them before they've all arrived
That makes streaming harder to do, as a server, and theoretically nicer for the end user. The down-side is that once you have that harder performance problem of sending enough bits quickly enough it gets tricky. You can buy yourself better performance by distributing some (or all) of the information from a central server, but that gets expensive.
The next thing you can do is just to use fewer bits, which makes it both cheaper and an easier technical problem. The consequence is to make the quality suck, to the point of being unwatchable for me. Content owners are well placed to compete on quality; right now they're losing to the ad-hoc torrent people.
I'm unsurprised at recent developments at Oxford as over-zealous proctors fine students for misbehaviour using evidence from Facebook.
I think there's some real trouble with people understanding quite what they're publishing, and to whom.
Worse than that, I think people have a false sense of security when they tag their updates as 'friends only' on sites like Twitter, Facebook and so forth.
I'm a Harry Potter fan. I like the books, and I really don't want spoiling about the last book. According to Torrent Freak, poor quality scans of the book are already kicking about over BitTorrent.
Now I'm not surprised, but I think – in this case at least – the publisher is winning.
Update at 12:42 EDT, 19th July 2007 – Tracing leaker via EXIF metadata
It's a depressing thought. There's a site you love, you have poured heart and soul and energy into it.
More and more frequently, I find myself fighting the corner of not doing "search engine optimisation".
Tagged: Technology, Rants, Media, Web
Posted at 13:13 EDT, 14th June 2007.
So Joost have signed up some more advertisers.
While having some more big names advertising is good for Joost, I'm a little troubled. All the ads I've seen so far on Joost have been short logo & tagline affairs, placed between programmes. A return to 30 second ads, even in very short breaks, in the middle of programming is going to feel much more annoying.
While using my Halifax Visa card online recently, I bumped into the Verified by Visa programme.
It's a nice idea, in theory, but the implementation I saw was woeful. It was depressingly similar to a phishing attack, warmly assuring me about security by chatting about it in the Web page, while hiding the parts of my browser that can tell me that more sensibly.
Like most geeks, I try and educate my less geeky family and friends about how to behave safely with technology. Things like this make that job harder.
Update at 17:51 EDT, 21st April 2007 – Follow-up: Guardian coverage
I've been stuck in a few conversations recently about Web accessibility, which has led me to think a little more about what the proper balance is between shininess and usefulness.
In short, I don't want to poke people in the eye – they usually don't deserve it.
Tagged: Technology, Rants, Web
Posted at 05:01 EST, 9th March 2007.
The FT has a slippery grasp of DRM. In a story titled 'Apple sparks battle over copyright', they opened with:
Apple's demand that record companies do away with copyright protection for songs they sell online has set up a bitter battle between the two camps as they prepare for broad-ranging contract negotiations.
Now, that's just plain wrong.
Tagged: Technology, Rants, Media
Posted at 03:01 EST, 9th February 2007.