Dear web-design fiends:

Please check spelling and use the appropriate words when putting up your portfolio sights… if you want future work.

It happened again. In the course of my work, I’ll run across a small business or non-profit in desperate need of a website refresh. I then refer the business to a former student (many of whom have completed web-development classes), and both are happy.

But not this time… because of a simple spelling error. Actually, the word is correctly spelled, but it’s the wrong word – “bare with me” is not the same as “bear with me” – and given the basic purpose of a website is to communicate – it’s a major failing.

Quality has to extend to all the parts… or what’s the point?

Why I block Javascript.

This subject surfaces from time to time, especially when I’m conversing with the bleeding-edge web design community. “You do WHAT?” followed by a lot of strange looks and laughter is the typical reaction. Then I’m told all about how JavaScript has been “modernized” and “browsers are sandboxed” and other nice things.

I run a variety of browsers; the current desktop has Firefox (with NoScript); Chrome; IE 4; IE 6; IE 8; and Lynx. Most of the time I browse with Firefox/NoScript. Yep, it slows me down, and there’s the minor annoyance of having to set temporary JavaScript execution privileges. This post will attempt to explain why I do things the way I do. Standard disclaimers apply.

First two-word explanation: Zeus Trojan.

The Zeus Trojan is a password-stealer, usually deployed via JavaScript malware introduced to the victim by way of an infected website. As JavaScript has “matured”, it also allows much-improved obfuscation and cross-linking and all sorts of nice ways to operate an attack vector dynamically (to the point where most Zeus variants check location data and refuse to infect systems in certain countries).

For US-based small business (and local government) there is no protective cap on money stolen via identity fraud – and this is the standard use of Zeus. Once the credentials are acquired the thieves can empty a bank account in a matter of hours – and there is no legal recourse against the bank. The money is gone; the victim is not going to get it back.

A part of my professional practice deals with security – no, I’m not going to enter a forum with all the scripts executing. I only look foolish.

…and as I’m writing this post, in over the transom flies this notice – Google has awarded $60,000 as a prize in the Pwnium competition, for a method to overcome Chrome’s “sandbox” feature and run code on a fully-patched Windows 7 system. All that is necessary is for someone to browse to an infected website – viewing the page is sufficient to load and execute the payload. A little bit of JavaScript acts as an enabler – there’s no need to bother with an exploit attempt if the browser is something else.

Another reason not to automatically run JavaScript is a common Facebook malware attack – the click-jacking survey scams which pop up several times a day. Click-jacking is a specialized attack vector on Facebook which works by having the victim click on a link – which leads to a survey – and also “spams” the link as a status post from the victim. If you run with JavaScript enabled you’re usually taken straight over to the payload page – which is typically a survey… but it might be something worse.

By not running JavaScript I get stuck on the interstitial dispatch page; this is where the Facebook click-jack link leads; and this page contains various JavaScript functions to identify the victim. Typical contents of these pages include a bit of geolocation which is used to decide which survey to play. From time to time, I see ones where the dispatch code includes a mechanism to reject the entry if location appears to be in .ru, .ua, .by or .ge – authorities in these countries only track cybercrime if local users are affected. Generally speaking, if the interstitial page contains the ru-ua-by-ge code, the payload page is loading something other than a simple survey.
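An added example (mine, not code from the post) of how the “ru-ua-by-ge” tell can be turned into a triage check: a small heuristic that scans a saved copy of an interstitial page, pulls out its inline scripts, and flags any script that pairs a geolocation lookup with string literals for the excluded country codes, noting whether it also performs a client-side redirect. Both sample pages are constructed for the demo; the keyword lists (`GEO_RE`, `REDIRECT_RE`) and the scoring rule are my assumptions, not a published signature.

```python
import re

# Constructed sample page sources for the demo; neither is a real captured page.
BENIGN_PAGE = """<html><body>
<p>Thanks for visiting our survey page.</p>
<script>
  document.getElementById("ts").textContent = new Date().toString();
</script>
</body></html>"""

SUSPECT_PAGE = """<html><body>
<script>
  // geolocate the visitor, then decide where to send them
  var c = lookupCountry().toLowerCase();
  var skip = ["ru", "ua", "by", "ge"];
  if (skip.indexOf(c) >= 0) { window.location = "about:blank"; }
  else { window.location = "http://dispatch.example/next"; }
</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Words suggesting the script is looking at where the visitor is (assumed list).
GEO_RE = re.compile(r"geo|country|navigator\.language|timezone|ipinfo", re.IGNORECASE)
# Common client-side redirect idioms (assumed list).
REDIRECT_RE = re.compile(
    r"window\.location|location\.href|location\.replace|document\.location", re.IGNORECASE)
# Two-letter string literals such as "ru" or 'ua'.
CODE_RE = re.compile(r"""['"]([A-Za-z]{2})['"]""")
# The country codes the post says the dispatch code refuses to serve.
EXCLUDED_CODES = {"ru", "ua", "by", "ge"}


def extract_scripts(page_html: str) -> list:
    """Return the bodies of all inline <script> blocks in the page."""
    return SCRIPT_RE.findall(page_html)


def country_codes_in(script: str) -> set:
    """Collect every two-letter quoted literal, lower-cased."""
    return {m.lower() for m in CODE_RE.findall(script)}


def score_page(page_html: str) -> list:
    """Flag scripts that combine a geolocation lookup with the excluded code list."""
    findings = []
    for index, script in enumerate(extract_scripts(page_html)):
        codes = country_codes_in(script) & EXCLUDED_CODES
        if not codes or not GEO_RE.search(script):
            continue
        findings.append({
            "script_index": index,
            "excluded_codes": sorted(codes),
            "redirect": bool(REDIRECT_RE.search(script)),
        })
    return findings


def verdict(page_html: str) -> str:
    """Summarise the findings as a one-line triage label."""
    findings = score_page(page_html)
    if any(f["redirect"] for f in findings):
        return "suspect: geo-filtered redirect"
    if findings:
        return "review: geo-filter without redirect"
    return "clean"


if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, "->", verdict(page), score_page(page))
```

Run it against a page saved from the browser (with scripts still blocked) rather than a live fetch; the point is to decide whether a dispatch page deserves a closer look, not to follow it. Obfuscated scripts will hide the literals from `CODE_RE`, so a miss is not a clean bill of health.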

But security isn’t the only reason to avoid JavaScript.

Second two-word answer: Existing Investment.

This probably comes as a shock to many web designers – but companies don’t rush right out and buy the latest technology just because it got a great writeup on reddit or slashdot or wherever, or even if it’s the best seller on Amazon or the Apple store. There are a lot of systems out there with no capacity to execute JavaScript (embedded devices) or where internal policies discourage its use. I’ve been writing web-apps for more than a decade which require no JavaScript or even cookies on the browser in order to maintain state… and I know that some of these clients are not going to change those devices or policies for at least several years. Have you discarded your car simply because its OBDC works at a glacial 1200 bits/sec on a serial port?
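One way to maintain state across requests with neither JavaScript nor cookies, added here as an example of mine rather than a description of how the author’s web-apps do it: the server serialises the session state with an expiry time, appends an HMAC, and hands the result back in a hidden form field (it could equally ride in the URL). On the next request the server verifies the MAC before trusting anything in the field, so the client can carry the state but cannot forge it. `SECRET_KEY`, `TOKEN_TTL`, the field names and the toy “wizard” flow are all assumptions for the demo.

```python
import base64
import hashlib
import hmac
import html
import json
import time

# Hypothetical server secret for the demo; a real deployment loads it from
# protected configuration and rotates it.
SECRET_KEY = b"constructed-demo-key-not-for-production"
TOKEN_TTL = 900                     # seconds a state token stays valid (assumed)
MAC_LEN = hashlib.sha256().digest_size


def encode_state(state: dict, now: int = None, key: bytes = SECRET_KEY) -> str:
    """Serialise state plus expiry, append an HMAC-SHA256, base64 the result."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"exp": now + TOKEN_TTL, "s": state},
                         separators=(",", ":"), sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode("ascii")


def decode_state(token: str, now: int = None, key: bytes = SECRET_KEY):
    """Return the state dict, or None if the token is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except Exception:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None                 # tampered, truncated, or signed with another key
    try:
        obj = json.loads(payload)
    except ValueError:
        return None
    if obj.get("exp", 0) < now:
        return None                 # expired: caller starts the flow over
    return obj.get("s")


def render_step(state: dict, action: str) -> str:
    """Emit a plain HTML form carrying the signed state in a hidden field."""
    token = html.escape(encode_state(state), quote=True)
    return ('<form method="post" action="%s">'
            '<input type="hidden" name="state" value="%s">'
            '<input type="text" name="answer">'
            '<input type="submit" value="Next"></form>' % (html.escape(action), token))


def handle_post(form: dict, now: int = None):
    """Server side of the next step: verify the token, then advance the wizard."""
    state = decode_state(form.get("state", ""), now=now)
    if state is None:
        return None                 # treat as a new visit; nothing in the form is trusted
    state = dict(state)
    state.setdefault("answers", []).append(form.get("answer", ""))
    state["step"] = state.get("step", 0) + 1
    return state


def tampered(token: str, byte_index: int = 5) -> str:
    """Flip one bit inside the payload to show the MAC check rejecting it."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    raw[byte_index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    tok = encode_state({"step": 1})
    print(render_step({"step": 1}, "/step2"))
    print("valid   :", decode_state(tok))
    print("tampered:", decode_state(tampered(tok)))
    print("next    :", handle_post({"state": tok, "answer": "yes"}))
```

The token is tamper-evident, not confidential: anyone holding the form can base64-decode it and read the state, so keep secrets and anything the client should not see on the server and carry only an opaque identifier for them. The expiry bounds how long a captured form can be replayed, and the whole thing degrades gracefully on Lynx, an embedded browser, or a locked-down corporate desktop, since it needs nothing beyond an HTML form submit.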

Not executing JavaScript allows me to see how these clients perceive the “outside world” and thus better understand their mindset. It is very interesting to see which major companies’ websites are still functional without JavaScript (although not all the bells and whistles may work).

Keeping up the pace…

Starting tonight the assignment for the 232 crowd (web architecture) is to build a blog on a hosted platform, and update it three times a week.

If I assign it, I should be able to do it.

Famous last words, but perhaps not.

The in-between-class question today has centered around hosting providers – which will be the subject of a homework assignment, I think… but not just yet. First we have to cross this bridge – getting the first “real” content up (as opposed to “un”-real, which is how I classify Google-Sites content).

Initially, student blogs will be linked to the class webpage inside the college portal. Upon approval by students, selected blogs may be featured as links from this blog… but again, only with explicit approval of the affected student(s).

Almost time for class…

Back to the grindstone…

…making new webmasters and developers and support engineers.

Yep – it’s a shiny new semester.

It’s about now that I begin to envy the established bloggers – the ones who find it easy to write hundreds, or thousands of words a day… but enough carping, back to work.

Today I received a welcome piece of news – the server I donated to the college has been placed in a datacenter rack and is operating. We’ll see how well that works out, but if all is well, then we will have a Linux system accessible throughout the college network – but isolated from the “real” world. It will also have more compute and storage resources than the antique RS-6000 publicly available… and allow for server-side programming. In time we may mount a BSD VM – for shell work only, to demonstrate the differences between System V and BSD styles… but first we need to get the base system verified.

I rebuilt my apple* server this week; it is up and running but without any significant content as yet. Also the homebrew barebones ESXi server is running quite nicely, and in use as a staging and testbed server for cloud operations.

User interface designers and system architects should read the book Traffic: Why We Drive the Way We Do (and What It Says About Us) by Tom Vanderbilt (link to Amazon) – especially chapter three – and apply the knowledge to your designs. You might also learn some useful driving tricks. This is the best thing related to computing I’ve read this year. So far.

With the new semester under way, the intent is to update the blog at least weekly, perhaps more often than that.

[note: I do not have an Apple-branded machine in working condition. But I do have a server named for a fruit.]

ON the question of the day: Google+ or Facebook?

Once again the muse lives elsewhere, but a comment thread on Facebook deserves a better discourse than that limited media can sustain.

This morning, most of the world woke up to find massive changes in the User Interface of Facebook – many of which were “inspired” by Google+. Venting, fist-shaking, etc. ensued. Meanwhile, Google took the opportunity to take the wraps off a bit, and open Google+ to everyone. It’s still classed as “beta” but now anyone can join.

If you haven’t figured it out yet, I’m in the early adopter camp. Stuff comes swinging by, I take a look, sometimes getting just a tippy-toe wet, other times jumping for full immersion. Thus I’ve been using G+ for about three months. Color me a bit skeptical at this juncture.

It’s not a replacement for Facebook.

On the other hand, I wouldn’t put too much stock in Twitter or LinkedIn – they are the most threatened by this development… especially LinkedIn. It might be why LI put its IPO back on the shelf. They may have waited a bit too long.

I don’t think we’ve found the “winner” in the social space as yet – I think FB and G+ represent the peak of an era which is about to end. They backed the wrong technology.

Google especially reminds me of Samuel Pierpoint Langley in the 1890s. He was head of the Smithsonian Institution, a learned man, with all the establishment of the day backing his experiments in heavier-than-air flight. His devices flapped their wings.

As we know, two bicycle mechanics from Ohio came up with the proper answer, and while it involved wings, it was the profile of the wing, not the flapping, which was critical.

I think there are the equivalents of the Wright brothers out there, toiling along in a garage somewhere, about to launch the new social media upon us — and they will center around the phone. It’s this last which Facebook and Google have so neglected.


Ruminations on a semester finished…

Summer School is over. Done. Kaput.

This was an experiment on two levels: first, for me to take a course prior to teaching the same; and second, adapting a semester-long course into a six-week quickie version.

Note to self: do not teach advanced classes during a six-week session. There is not enough time for the knowledge to sink in – the eureka moment arrives a bit late for most students.

Second note to self: students do not necessarily recall much if anything useful from prior semesters; even down to the trivia of how to log in to computers in our Hands-On-Lab (procedure has been the same for six years now). Do not expect students to have practiced any of the skills taught in prior courses.

Taking a class in preparation to teach it was an eye-opener. I have a much better idea of where the confusing parts are, which parts will be easy, and how problematic a lecture-intensive class is for non-native English speakers.

I do hope the students this fall read the book before class. It makes it easier on me and they’re more likely to pass the quizzes…