This feed contains pages in the "bogus" category.

Today while watching a Cisco talk about their Spam product, I realized that the current state of spam is never going to change. It's not because there isn't an effort to block spam, but because there is an effort to block spam.

At first thought it sounds odd, but it's the same problem as with pretty much everything. There is no money in fixing the current e-mail system, while there is a lot of money to be made in providing new solutions to block spam. Someone with a tendency to go with conspiracies would most likely claim that it would be in the best interest of some companies to fund sending spam.

Of course I'm not claiming this, but it would actually make sense.

But it's the same as with spam, spammers will be in the business just as long as there is money to be made from spamming. The companies working against spam are in the business just as long as there is spam going on. If spamming stops or someone develops a real solution to end all spam, the companies will go out of business or at least will have to look for other venues for income. And most companies don't like to invent new things, but rather sell the old product over and over.

I just hope that in the future the same companies will figure out that it's in everyones best interest to create a new end-all solution, even if it means that their current products will become obsolete. Instead they should focus on transition solutions as well as capitalizing on the fact that it's a lot of work to rework the current e-mail system.

It doesn't hurt to dream.

Posted Wed Feb 11 15:21:55 2009 Tags: bogus

Some people consider the gnome usability guidelines a nuisance and some consider certain applications way too simplistic. While it is really hard to get the usability right, it's well worth it.

We need to keep in mind that as computer oriented people we tend to see things differently. Things that are simple to us aren't really that simple to the "normal people". But one of the simple things we can do the insure that the software we write serve the people it's designed for is to remove all not needed pop-ups and questions.

A good way to detect these would be to ask yourself why would a user choose anything else but the most logical option. It's kind of hard to explain, so lets pick an example:

Firefox is updated, the first question it usually asks after upgrade is about incompatible extensions. The user is presented with choices, check for updates or cancel. Now, we are dealing with internet browser so the user should be connected to the internet so there is no problem with checking for the updates, we can rule out that scenario. The other scenario that I can come up with is that a developer doesn't want to update some certain extension.

So at least I can't come up with any reasonable scenario why someone would want to select anything else but to upgrade the main option of upgrading the extensions. Why not just leave out the option and instead do the upgrade automatically. If you wish to be transparent, you can show the user that you are doing the upgrade. Or you can do like some applications do and just do it without bothering the user with the options.

I know I sound like a Google fanboy, but Google generally gets this right. Their applications skip out all upgrade related notices and just do the upgrade. Regular user doesn't want to upgrade because the user has been scared with incompatibility notices and upgrade checklists for so long. Just going ahead with the upgrade in complete silence keeps their software up to date as well.

Another example would be from few years back: The Ubuntu installation. Back in the day Debian was working on Debian Installer, which is also used as the main installer in Ubuntu alternative installation media. Debian Installer is capable of doing most things silently, but with Debian it by default asks a lot of questions. It doesn't matter, since most people who install Debian can be categorized as developers. But in my opinion, the thing that made Ubuntu a success was that it doesn't ask the questions that can be answered without asking the user.

So, back to usability. There are basically 2 camps, the "normal" users and the developers. Developers want and need to see a lot of the backend behaviour, just to debug problems. Currently a lot of the open source software is focused towards developers while they are gaining grounds on the "normal" population as well. We should start focusing on the users for a change.

Posted Sun Jan 4 13:48:56 2009 Tags: bogus

After beating a dead horse once, you have to do it again.

Quite some time ago now, I ran in to an article where Wietse Venema was interviewed about security focused programming. He is the guy who initially started writing postfix. While he does have some good insights in to why the internet is getting more insecure, there are some things that I think he is missing.

While I understand that reinventing the internet is pointless, there are some things that need to be reinvented. The SMTP protocol is one of those things. The protocol itself was designed for a completely different type of a network. It doesn't do any authentication or verification for the sender. It basically trusts everything that is fed to it. Now, Wietse offers nice ideas on counteracting spam, but the inner problem still persists. The reason why we have so much spam in our mailboxes is because of SMTP.

I was about to write some code and put my money where my mouth is, but today I ran in to yet another scheme to stop spam and realized that I would eventually forget to write this all down before I get the time to write some code. The scheme I ran in to is EmailReg.org which allows you to register the mail servers that are allowed to send mail for your hosts for a nominal(?) fee of $20. While this nominal fee will keep some of the spammers off the lists, it's still reinventing the wheel and trying to fix a symptom of the problem.

There are similar projects, that work with different types of protections. There is SPF, DomainKeys, Sender ID and many more that aim for similar solutions.

I'm not saying that we don't need those kinds of solutions, but rather the solutions are solving the symptom and not fixing the problem. The only real solution is to replace SMTP with something more suitable for the task. The thing that comes in to mind is XMPP. XMPP is a protocol designed for XML packet routing. It's mostly used as an instant messaging platform, but it's not a huge leap to transfer mail through the protocol.

XMPP as a protocol is designed on an age when spoofing and spamming was already a problem and it has safeguards in place to prevent malicious activity. The protocol is suitable for transferring e-mails already so no real modifications are needed for the protocol. Only thing that needs to be done is to document the common practice.

Changing an internet protocol is a large task and one can't take it lightly. The beauty in it all is that most mail servers are already capable of supporting multiple transport protocols. Initial versions of Sendmail delivered the mail through FTP (with some obscure extensions), so switching protocols isn't really that far fetched. Today, Sendmail supports various protocols while the most commonly used one is SMTP. Same goes for postfix and other mail servers. So implementing a new protocol isn't really out of the question.

I'm sorry that I wasn't able to write the code to back this all up, but at least the idea is out there in written form. It shouldn't be too complicated to implement this and get things started. The change won't happen over night, but it has to start somewhere.

Posted Tue Nov 18 00:34:41 2008 Tags: bogus

Sometimes you just can't avoid beating a dead horse. I know that this rant doesn't really change anything.

A few days back the admin of one of the best online radios announced that they will be dropping the torrent downloads for the shows. For me this was bad news, since I've been getting a valuable service from them through the downloadable files. I understand their reasoning and I'm not complaining about it, I did voice my concern, but other than that, I'll survive.

What caught my eye was the clear separation between the people who liked the service and who disliked it. I can understand the people who support the service, because like me, they depend on the service for certain reasons. But the reasoning of some of the people who supported the discontinuation made me think. The service users were quickly labeled as freeloaders who wanted everything for free. There was some hinting that downloading the shows is related to stealing the music.

While the download service is free, it made me think why the people who download the files are labeled as freeloaders. Of course I can't speak for anyone else but myself, but the fact that the downloads are free doesn't change anything for me. I could have easily listened to the same shows online, but instead I chose to use the service provided and downloaded the show to a medium that I was able to listen when it suited me best. It's analogous to timeshifting, it allows me to listen to the show when it's more convenient to me.

The common argument for most music industry representatives is that making music should be related to work and the people behind the music should get paid for their hard work. I definitely agree with them. The problem for me is that the music I want to listen is rather marginal around here, so I can't just go to a store and buy the music I want. I could order the music online and pay for the costs of shipping the music here. While music industry has been in a stand still for quite some time they are starting to move to the right direction. There are some labels that already offer their releases as digital downloads. The problem here is that usually it's either crippled (DRM protected) or bad quality.

I wish there was a service that allowed me to pay a (reasonable) monthly fee and granted me access to the music I like. The service would have to allow me to download the files and play them in my car or where ever. I'd also love to see a feature that would allow me to tip the artist, just to make sure that at least some of the money heads their way too.

PS. Afterhours is offering a replacement service for the torrents, which serves the same purpose. On-Demand listening, but the problem for me is that it's still online.

Posted Mon Nov 17 23:57:15 2008 Tags: bogus

It's no wonder people hate dealing with certificates. I'm one of those people who really hate handling certificates. For some reason Linux lacks simple tools to manage certificates. Debian has one set of tools and I bet quite a few other distributions have their own set of tools. So nothing generic.

In my opinion the problem lies in OpenSSL, which is an overly complicated piece of software. Sure it's able to encrypt your fries at the local fast food place, but most people never use anything more than the x509 module. And even that is complicated.

I'm not saying that it should be point and click operation, but what I want is a tool that allows me to create, renew and verify SSL certificates. Which is pretty much the most common thing you do with OpenSSL.

Now, lets assume you have a certificate and a key that you want to check if they match. Can you say from the top of your head how to do that? If so, you are either dealing with this stuff daily or you looked it up from a manual. The correct "magical mumbo jumbo" is:

server:/tmp# openssl rsa -noout -modulus -in /etc/ssl/private/some.key | openssl md5
94c5fa8b0fe1baa6e8dfcdec75444620
server:/tmp# openssl x509 -noout -modulus -in signed.crt | openssl md5
94c5fa8b0fe1baa6e8dfcdec75444620

Now, how easy was that. It only took me 10 minutes to construct that line. Most of the time went to searching Zimbra scripts for the correct magical line. The reason why I went through the scripts instead of the manual is that I had already seen the scripts do a appropriate check. And there is no way I could have constructed that in that kind of a time frame just by using the manual.

Usually I think that people complain too much when they can't figure out how to make ls or something work like they want. A certain degree of manual reading is good for you, but in this case it's too much. In any case, I'm posting this rant as a reminder for myself so that the next time I can just look it up from here.

Posted Wed Oct 29 15:57:26 2008 Tags: bogus

Sometimes I get the urge to vent a bit. Here goes...

It really annoys me to see websites that are designed in a stupid way. There are a lot of ways you can design a website and quite a few of them lead to problems that the designer didn't think about.

Designing websites isn't always easy. You need to be able to figure out all possible corner cases and prepare for them. Usually things go wrong right in the beginning. Developer picks a tool and decides that the tool is really nice and sticks with it. The thing is that the tool doesn't really make the website. It helps you to create one! A big part of creating a website is fine tuning the output of the tool.

The most common problem with web layouts is the orientation to the content. Most designers think that website should behave like a newspaper and have columns. Usually the right column has a menu and left column has ads or some other "relevant" information. The problem is that while doing this, designers usually opt for tables and images. Now, this presents us with a problem images fail to scale well and the table becomes static in width. What does the designer do? Opts for 800x600 or 1024x768 layout, depending on who they assume to be their target customers. This leads to horrible layouts, like the following.

While allowing the text to flow properly on the full window will get you some initial readability complaints, this is caused by the fact that people don't use 800x600 or even 1204x768 windows. Shocking, isn't it?! So we have web designers creating websites for window sizes that nobody actually uses.. What is the point in that?

Another thing that bugs be a lot is the use of JavaScript and cookies. Don't get me wrong, both of them are a good thing. There are a LOT of websites created with dynamic html which works really well. The problem is that too many sites rely on JavaScript and cookies when there is absolutely no need for either of them. Most of the common JavaScript tricks can be done with plain and simple CSS and too many sites use session to store data when there is no need to use a session. What makes things worse is the fact that hardly any of these sites check if cookies work or offer alternative navigation if JavaScript isn't available.

I just visited UPS which first presents me with a nice page about selecting my location. Since I use NoScript to block all scripts (yes, it makes the web a friendlier place) it alerts me about not being able to run scripts. Since there is very little on the page, we could assume that this is one of those "change the value of this drop-down and automatically submit"-scripts. Selecting the correct language and selecting submit brings me to a blank page.

Inspecting the front page a bit more reveals that the JavaScript actually changes the link to point to a completely different page. What this means is that if you ever visit the UPS front page with a browser that doesn't support JavaScript at all, you can't access the content at all.

In fact the whole selection is quite pointless. Yes, it brings me to the 'Finnish' page. The language is still English and there is hardly anything different from most other countries. Why was I forced to select my country? Why didn't the website guess? There are pretty accurate IP databases out there that can pinpoint the city you are accessing the site from. Language can be detected from the headers the browser gives your website. The whole front page is pointless and wastes my time.

In the end of this all ranting I must say that getting a website right doesn't happen by chance. It is possible with a lot of hard work and patience. And I appreciate those who manage big sites and get it right.

I was going to give more examples, but had a hard time finding them...

Posted Fri Jul 18 23:35:15 2008 Tags: bogus

It's not a secret that I have a strong dislike towards personal firewalls. It's not because I don't know how to use them and hate them because they don't behave like I expect. On the contrary, I don't like them because they work exactly how I expect them to work.

So, what's wrong with personal firewalls? There are 3 major reasons: Too complex to use, they are part of the problem and they are pointless anyway.

Window clutter is one of the biggest reason why personal firewalls should never be installed for any beginner. The amount of alerts, which are mostly false, that are displayed to the user is huge. If even one alert is too much for a novice, what will the novice think when the computer shows 10-20 alerts. Most of the alerts are completely pointless and use terms that are hard to understand. The dialogs usually have multiple options which have the power to scare away even the more experienced users. I understand why the makers of personal firewalls made the choice of including the excess alerts. If the user paid money for the product and it never told the user that "Hey, I'm doing some real work here and caught this bad guy!" the user would thing that the product was poor and would feel bad about the product.

Many personal firewall products bring in a new step for the regular upgrades. Like any other product out there, personal firewalls suffer from security flaws too. So users of personal firewalls are brought to believe that they are more secure if they install the product, while they are actually exposed to one more product that needs the be kept up to date. A product that listens to all incoming traffic, a product that is always in the open. And if you think about the general user who never upgrades unless given a strong reason to, the product will not be upgraded. To be fair, many personal firewalls already come with auto-update tools. The problem with these tools is that they need user interaction or worse, need to be initiated by the user. This is another decision made by the people behind these products. Since most personal firewalls are aimed towards the bit more experienced users, those people want to be in control. The problem is that personal firewalls end up more often on the novice desktop.

In the end, personal firewalls are a smoke screen. Personal firewalls are doing a job that someone else should be doing in the first place. I never run personal firewalls on my computer. Instead I go through the trouble of removing applications that listen to the network, that are not needed anyway. There are a lot of those. Disabling services that are not in use is a good idea in any case. Only additional value that personal firewall brings is that it is able to block applications that listen to the network even and you can't manually stop them from doing that. Usually there aren't too many of those.

Just to be clear, I don't have any problems with firewalls in general. Even if they are embedded inside an OS, there are good uses for a firewall in every computer. I have a network firewall and it's configured to be strict, but still not worried even if I'm outside of my own network.

Personal firewalls are here to fix a problem that is going away already. Most modern operating systems are already closing excess ports. Various Linux distributions are already heading this way. Microsoft is heading that way, with Vista they made a huge leap forwards on this front.

Posted Wed Jan 30 07:34:27 2008 Tags: bogus

I have mentioned quite a few times in various discussions (and in a previous post) that I don't see a bright future for Debian. For some time now I've felt that Debian doesn't serve me as a distribution.

Today, this feeling got even stronger when I run in to certain issues with my server. Actually, the spark for this post was caused by this post in the Debian developers mailing list. The post reminded me about the fact that other distributions work really hard to please Debian and the developers behind it.

All in all, the situation is kind of reversed. If Debian wants to hold on to its position as the distribution this needs to change. Debian should be the one that provides these kinds of tools. If you look at Ubuntu and the tools that have been provided by canonical like launchpad (even if it is proprietary) and Ubuntu's Debian patches repository it becomes quite obvious that we really need tools to allow better integration to derivate distributions. The Utnubu team is doing a good job, but we still need tighter integration with the derivates.

Ubuntu is a good example to pick on because it's big. In some areas it's getting bigger than Debian itself. In a way, this is a good thing, but the developers should start looking at it as such. The end users will never understand the relation of derivates, but bringing more people to use the platforms known as Linux or Debian in itself is a good thing. On other areas it's not such a good thing, I personally see Ubuntu as a desktop distribution, but better integration would help to bring the features from Ubuntu to Debian that matter for the core distribution and allow the server side to be taken care of some other derivate or by Debian itself.

This brings me back to my original topic, my server. I'd love to use Debian on servers, but with the current state of the distribution I don't think it's worth it. Debian etch has been frozen for way too long. I understand that the distribution needs to be close to perfect at the time of release, but in the current state that will never happen. This in turn will cause way too long release cycles and problems like the glibc versions. To me, this means that I won't be having the latest software with as many bug fixes (upstream) as possible.

Remember, I'm not running a business class server here. It's just a home server, I couldn't care less for business grade fine tuning, as long as it runs I'm happy.

What I'm noticing from my own behaviour is that I'm starting to steer away from Debian distributions on business servers too. This is because of the problems I'm having at home. If I know that something is causing problems on small scale I'm not going to give it a shot in a large scale. This has nothing to do with the original point, but it is interesting to notice.

Posted Fri Apr 6 23:07:45 2007 Tags: bogus

I have some strong opinions about forums. It's not that they aren't useful in many ways. It's the fact that forums are pain to navigate. Just look at this list on Firefox Add-ons.

So if forums are so bad, why are they more popular than ever. Mostly because they are easily accessible. Anyone with a web browser can access them. There are things that bother me, some are being addressed and some tried to be addressed in the past. I'll address a few problems here:

Logins are a web wide problem. Just about every site out there has separate login. Bulletin boards are no exception. Luckily there is a new standard in the works that is addressing this. Yes, I'm talking about OpenID. For example there is the phpbb-openid, which is a plugin for phpbb that allows one to log in with OpenID. So yes, I see this problem going away in future.

Navigation is hell with forums. This is usually a design error, but It's interesting to notice that even commercial forums suffer from this problem. There were some projects to address this. Like the forumzilla project, which is an extension to thunderbird that tries to present forums as structured mailboxes. This is the biggest problem with all forums and I don't see this improving.

Tracking new content is never easy. With mailing lists we have threads that extend to multiple levels. With blogs we have RSS. So what do we have for forums, threads and RSS. One could think that everything is just fine, but It's not. When you combine threads with RSS you get a huge mess. Now you can select if you want to see new messages or new threads. Neither of these will help you track the contents in the forum. So what you are left with is manual polling and when you combine manual polling with the navigation mess, you usually want to take your life before too long.

Forums are a good medium, but when ever I run in to one I get the urge to hurt myself. Forums work quite well if you are willing to put some serious effort in to tracking them. But for a casual visitor like me forums are usually the final straw.

Posted Sun Mar 25 22:10:43 2007 Tags: bogus

There are times when you must wonder how wrong things need to go before anyone does anything about it. From time to time you run in to pages that fail to work or have some obscure workaround to fix the bugs in certain majority browsers.

Now, lets play a game. Spot the error!

Install the Firebug extension to your copy of Firefox. Enable it and head to this page: Yle Opinportti: Kielimatka kiinaan (It's in finnish, but you get the point)

Spot the error? So it turns out that there is a trick to make some obscure modification to the behaviour of that certain major browser.

the madness doesn't stop here. There is a new HTML5 standard in the works by the WHATWG. Initially the standard recommends that Ogg Theora and Ogg Vorbis SHOULD be supported. This is good. It takes a turn for the worse when Apple suggested (i have no problem with apple, just the suggestion) that Ogg* should be replaced with MPEG4 which is more efficient.

Efficient is good. It's not good when it's proprietary. Web should be open and usable by everyone, even if they can't pay for the privilege. Please, stick with Ogg* variants, it's a good recommendation.

Posted Sun Mar 25 13:01:41 2007 Tags: bogus