My take on the intellectual property debate

Despite the fact that I fear I’m not totally qualified to have an opinion regarding the ongoing debate over intellectual property, sometimes, I think about the problem too and I certainly do have an opinion.

To say it with the tongue of the usenet, IANAL, but bear with me when I finally take the time to write down my own ideas on the IP debate:

When you take a look at today’s landscape, you’ll clearly see clashing interests. On one side, you have the authors (I am one of these in a sense – I write software) that more or less wish to make a living with their work. Then you have the people selling the work created by the authors and then you have the consumers who should pay to actually consume the work produced.

Of course, we don’t want either the authors or the resellers to starve to death, so there must be some incentive for the consumers to actually consume the goods and to compensate for the authors’ and even more so for the distributors’ work.

That’s what we have created the term intellectual property for.

Even though you as the consumer get to consume the work of the author, that’s all you can do. In theory, you can’t resell, redistribute, copy or whatever else you’d want to do with the work of the initial author. You pay for your right to consume the initial work. If you want to do more (like creating a derivative work), you naturally have to pay more (per copy of that derived work you distribute) – at least that’s what society works like.

Let me make an example. DRS, the Swiss national radio station, created wonderful audio plays about a certain private investigator called «Franz Musil». The first two parts of the series of plays (currently, there are five of them if I counted correctly) will never ever be available on CD for us consumers to buy:

In the production they used tiny pieces of music for which they don’t have the license to sell on CD.

Even though the original part of that audio play is immense compared to those small pieces of music, the original publisher of the pieces in question still has a say on the distribution of something completely different and original that has come out of the initial work.

Later audio plays contain music they created themselves and these plays are actually available to buy on CD. This whole situation is bad for us the consumers (the plays are really good), DRS (they’d like to sell their original work) and the initial author of the music in question (because fewer people now hear his work).

Especially in the matters of software, it gets even worse though: While copyright law protects the work as a whole, there’s the discussion about patents that actually manages to protect bits and pieces of your idea as an author.

Let’s say I write a poem and I distribute that using the old and known methods (via some publisher), then that poem is protected by the publisher’s copyright (I had to sign off all rights I had on the poem to that company for them to do the work).

If someone takes my publisher’s poem (remember, it’s not any longer my poem. It’s the publisher’s), sets his own name below it and sells it, then he violates my publisher’s copyright. So far so good.

But imagine that my publisher went further ahead and besides taking all rights to my work also patented the «method or apparatus to put letters in context to form a meaning»… (don’t laugh – today’s understaffed and underqualified patent offices can clearly be fooled into granting such a patent)

Now my publisher not only made sure that my poem can’t be copied, they also made sure that no one else will ever be able to write a poem by lining up characters.

Now let’s go ahead to distribution to consumers, but let’s stay with my poem (which is the only poem in existence due to the act of spelling now also being my distributor’s property).

Naturally, my distributor wants to maximize the cash they can make with their newly acquired poem. On one hand, they have expensive lawyer-bills to pay and on the other, they try to use their new poem to get back the money wasted on less successful poems that came before the one I have initially written (just to say it once and for all: I don’t write poems. And if I would, I would never assign the copyright to a publisher).

Now, for a poem, you have a fixed-sized group of recipients: People capable of reading (and thus violating that patent granted earlier) and interested in poems.

So to maximize income, the publisher must make sure that everyone of the targeted group goes ahead and pays the distributor for that new poem. Besides advertising for it to reach an initial amount of people, the publisher makes sure that everyone reading that poem pays for doing so one way or another.

One way is to sell books. The other is to publicly perform the poem, while getting paid both from entrance fees and third party sponsors. Or they create an audiobook and sell that.

Of course, if the publisher sells a book to one person, they obviously would want to sell another book to a friend of that person. This is why copying is disallowed.

To further maximize profits, the publisher now sees a way to make the initial person actually buy more than one copy of the same book: A book you buy destroys itself after a set number of days. And you can only read the book while in one predefined room. When you move to another location, the book renders itself unreadable.

All that magic protecting that book can of course go wrong due to various reasons and in that case, the publisher can make the person go ahead and just buy another copy of the same book…

And this is what’s fundamentally wrong.

People are not used to not own something they pay for.

When I buy myself an apple, I can eat it when I want and where I want. When I buy myself furniture, I can place it where I want and I can sell it to whomever I want. But when I buy a piece of music in the iTunes music store (using this as an example because it’s well-known), then I can only hear it on so many devices. If I buy the n-th new computer, I need to buy the song again. Also, I cannot resell the song. And one day, when Apple is gone or running the Music Store is no longer interesting for them, my Songs will stop working too.

When I buy a book, it’s my responsibility to handle it with care and if I succeed in doing that, then the book I buy today is still readable in hundreds of years. No external influence not ultimately under my control can take away that book from me. No company going out of business, no company losing interest in providing me with a “license” to read my book.

The more time passes, the more patents are granted and the more strict DRM is put in place.

And – now we finally come to the core of the whole thing – the more strict distribution of new content is handled, the more expensive creating derivative work gets, the more our society gets stuck.

I postulate that no person is able to create truly original works. Everything one creates is influenced by outside factors. News postings. Books. Music. Other software: Either you accept that outside influence and improve upon that or you get slowed down more and more, always hitting walls because “someone was already there”.

With enforcing distribution limitation and patenting and thus restricting the building blocks of future work, society slows down scientific and cultural evolution. Or it passes control over that evolution fully to big distribution companies that actually have the money to pay all the royalties needed.

Individual authors (no matter what profession) lose their capability of creating and releasing novel work because each and every possible building block is protected and owned by a big company.

The final goal of the current society will be a conglomerate of two to three big companies owning all rights to all new scientific and cultural advancement. These companies will be constantly paying themselves royalty fees for the patents and copyrights they violate between each other.

If you want to be an author, you are not allowed to create any work until you have a contract with one of these big companies. Working will only be possible in close proximity to a lawyer because the big companies still want to maximize their earnings and thus watch closely to minimize the cost of the new work created.

When we reach that point, all advancement of civilization (which is by a big part defined by advancement of culture) comes to a halt and we end up back in the middle ages where only a few enlightened people (monks) were able to create cultural works (because only they could write). Everyone else had to work for their survival and pay taxes.

In an ideal world, copyright and patent law gets radically changed by allowing to freely create derivative works as long as there is a certain percentage of new content in the created work and the original content is attributed to.

Let’s say 60%, though this obviously must be tweaked by people far more intelligent than I am.

If I write a poem, in the ideal world, I can keep the copyright and I can distribute it however I feel. Or I can ask a publisher to do that work for me while I keep the initial copyright on it. The more work the distributor has to do to advertise my work, the more I will be paying him. No changes here, beside the fact that I retain the copyright.

The distributor still tries to sell the product. But as creating derivative works is now permitted in some boundaries, expenses for both legal and technical protection go down. The publisher can once again focus on what they were paid to do in the first place.

If someone really likes my poem, she can go ahead and take it to create a new, better poem. Maybe longer. Maybe with a completely different message. Maybe the new author just takes out a verse or two. Maybe the whole poem. It doesn’t matter.

When she is finished, she roughly checks that there’s 60% of novel art in it and then goes ahead to distribute the poem – either herself or via a publisher.

This model, by the way, works. It’s in use today. Everyday. It’s an invention by geeks like you and me. It’s called Free Software. It doesn’t even have a limitation that defines a percentage of new content to allow for redistribution under one’s own copyright.

Despite creating a platform where knowledge can be openly shared, people are still able to make a living out of their work. The money is in the services rendered for a specific need. Customize a piece of software for a specific working environment. Publicly present that poem from the samples above at some poetry event. Provide the end user with a package of multiple poems collected together in one book…

There are so many things still to do and which are completely doable without forcing all scientific and cultural advancement of society to stop or at least go through a lawyer and through courts.

We are the new generation. It’s our task to see the shortcomings of the current system. It’s our task to see opportunities to create a new and better system.

It’s our task to fix this problem once and for all.

The whole Free Software movement is a big step in the right direction. Thank you, Free Software community. You show us the way we all have to go.

Let’s move!

Oldstyle HTML – the worst offenders

More and more, the WWW is cleansed of old, outdated pages. In more and more cases, the browsers will finally be able to go into standards mode – no more quirks.

But one bastion still remains to be conquered.

Consider this:

    <br><font size=2 face="sans-serif">Danke</font>
    <br><font size=2 face="sans-serif">Gruss</font>
    <br><font size=2 face="sans-serif">xxxx</font>

By accident, I had my email client on “View Source” mode and this is the (complete) body of an email my dad sent me.

Beside the fact that it’s a total abuse of HTML email (the message does not contain anything plain text would not have been able to contain), it’s an obscene waste of bandwidth:

The email ALSO contains a text alternative part, effectively doubling its size – not to speak of the unneeded HTML tags.

What’s even worse: This is presentational markup at its finest. Even if I would insist on creating an HTML mail for this message, this would have totally sufficed:

    Danke<br />
    Gruss<br />
    xxxx<br />

Or – semantically correct:

    <p>Danke</p>
    <p>Gruss</p>
    <p>xxxx</p>

Personally, I actually see reason behind a certain kind of HTML email. Newsletter or product announcements come to mind. Why use plain text if you can send over the whole message in a way that’s nice for users to view?

Your users are used to viewing rich content – every one of them probably has a web browser installed.

And with today’s bandwidth it’s even possible to transfer the image and all pictures in one nice package. No security warnings, no crappy looking layout due to broken images.

What I don’t see though is what email programs are actually doing. Why send over messages like the one in the example as HTML? Why waste the user’s bandwidth (granted: It doesn’t matter any more) and even create security problems (by forcing the email client to display HTML) to send a message that’s not looking any different than one consisting of plain text?

The message also underlines another problem: The old presentational markup actually lent itself perfectly for creating WYSIWYG editors. But today’s way of creating HTML pages just won’t work in these editors for the reasons I outlined in my posting about Word 2007.

Still – using a little bit of CSS could result in so much nicer HTML emails which have the additional benefit of being totally readable even if the user has a client not capable of displaying HTML (which is a wise decision security-wise).
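The size and redundancy argument above, checked in code. This is an added example, not part of the original post: it rebuilds the quoted message as multipart/alternative with Python's standard `email` package, measures both parts, and computes what a client that refuses to render HTML would display. The addresses, the subject and the newsletter sample are constructed.

```python
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample: the three-line body quoted in the post, packaged the way
# the post describes it (a plain-text part plus the <font>-tag HTML part).
TEXT_BODY = "Danke\nGruss\nxxxx\n"
HTML_BODY = (
    '<br><font size=2 face="sans-serif">Danke</font>\n'
    '<br><font size=2 face="sans-serif">Gruss</font>\n'
    '<br><font size=2 face="sans-serif">xxxx</font>\n'
)
# Constructed counter-example: a newsletter whose HTML carries a link and an image.
NEWSLETTER_HTML = (
    "<h1>Release notes</h1>\n"
    '<p>See <a href="https://example.org/notes">the notes</a>\n'
    '<img src="cid:logo"></p>\n'
)


def build_message(text, html):
    """Serialize a message; pass text=None for an HTML-only mail."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"      # placeholder address
    msg["To"] = "recipient@example.org"     # placeholder address
    msg["Subject"] = "sample"
    if text is None:
        msg.set_content(html, subtype="html")
    else:
        msg.set_content(text)
        if html is not None:
            msg.add_alternative(html, subtype="html")
    return msg.as_string()


class _TextExtractor(HTMLParser):
    """Collects visible text and records tags plain text cannot express."""
    BLOCK = {"br", "p", "div", "h1", "h2", "h3", "li", "tr"}
    RICH = {"a", "img", "table", "form", "iframe", "object",
            "script", "style", "link"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.rich, self._skip = [], set(), 0

    def handle_starttag(self, tag, attrs):
        if tag in self.RICH:
            self.rich.add(tag)
        if tag in ("script", "style"):
            self._skip += 1                 # never surface script/style bodies
        if tag in self.BLOCK:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def analyze(raw):
    """Compare the text and HTML alternatives of one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    text_part = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    text = text_part.get_content() if text_part is not None else ""
    html = html_part.get_content() if html_part is not None else ""

    extractor = _TextExtractor()
    extractor.feed(html)
    extractor.close()
    html_text = "".join(extractor.chunks)

    # The HTML part is redundant when it says the same words as the text
    # part and uses nothing beyond presentational markup.
    redundant = (text_part is not None and html_part is not None
                 and not extractor.rich
                 and html_text.split() == text.split())
    return {
        "text_bytes": len(text.encode("utf-8")),
        "html_bytes": len(html.encode("utf-8")),
        "rich_tags": sorted(extractor.rich),
        "html_redundant": redundant,
        # What a client that refuses to render HTML shows: the text part if
        # present, otherwise the tag-stripped text; markup is never rendered.
        "display": text if text_part is not None else html_text.strip(),
    }


if __name__ == "__main__":
    for name, raw in (("dad", build_message(TEXT_BODY, HTML_BODY)),
                      ("newsletter", build_message(None, NEWSLETTER_HTML))):
        print(name, analyze(raw))
```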

Oh and in case you wonder what client created that email…

    X-MIMETrack: Serialize by Router on ZHJZ11/xxxx(Release 7.0.1FP1|April 17, 2006) at
     02.10.2006 16:35:09,
    	Serialize complete at 02.10.2006 16:35:09,
    	Itemize by SMTP Server on ZHJZ05/xxxxx(Release 6.5.3|September 14, 2004) at
     02.10.2006 16:36:15,
    	Serialize by Router on ZHJZ05/xxxxx(Release 6.5.3|September 14, 2004) at
     02.10.2006 16:36:19,
    	Serialize complete at 02.10.2006 16:36:19

I wonder if using a Notes version of September 04 is a good thing to do in today’s world full of spam, spyware and other nice things – especially considering that my dad is working in a public office.

Word 2007 – So much wasted energy

Today, I’ve come across a screencast showing how to quickly format a document using the all new Word 2007 – part of Office 2007 (don’t forget to also read the associated blog post).

If you have any idea how Word works and how to actually use it, you will be as impressed as the presenter (and admittedly I) was: Apply some styles, choose a theme and be done with it.

Operations that took ages to get right are now done in a minute and it’ll be very easy to create good looking documents.

Too bad that it’s looking entirely different in practice.

If I watch my parents or even my coworkers use Word, all I’m seeing is styles being avoided. Heading 1? Just use the formatting toolbar to make the font bigger and bold.

Increase spacing between paragraphs? Hit return twice.

Add empty spacing after a heading (which isn’t even one from Word’s point of view)? Hit return twice.

Indent text? Hit tab (or even space as seen in my mother’s documents).

This also is the reason why those people never seem to have problems with Word: The formatting toolbar works perfectly fine – the bugs lie in the “advanced” features like assigning styles.

Now the problem is that all features shown in that screencast are totally dependent on the styles being set correctly.

If you take the document shown as it is before you apply styling and then use the theme function to theme your document, nothing will happen as Word doesn’t know the semantic data about your document. What’s a heading? What’s a subtitle? It’s all plain text.

Conversely, if you style your document the “traditional” way (using the formatting toolbar) and then try to apply the theme, nothing will happen either as the semantic information is still missing.

This is the exact reason why WYSIWYG looks like a nice gimmick at the first glance, but it more or less makes further automated work on the document impossible to do.

You can try and hack around this of course – try to see patterns in the user’s formatting and guess the right styles. But this can lead to even bigger confusion later on as you can make wrong guesses which will in the end make the theming work inconsistently.

Without actually using semantic analysis of the text (which currently is impossible to do), you will never be able to accurately use stuff like theming – unless the user provides the semantic information by using styles which in turn defeats the purpose of WYSIWYG.

So, while I really like that new theming feature of Office 2007, I fear that for the majority of the people it will be completely useless as it plain won’t work.

Besides, themes are clearly made for the end user at home – in a corporate environment you will have to create documents according to the corporate design which probably won’t be based on a pre-built style in Office.

And end users are the people the least able to understand how assigning styles to content works.

And once people “get” how to work with text styles and the themes will begin to work, we’ll be back at square one where everyone and their friends are using all the same theme because it’s the only one looking more or less acceptable, defeating all originality initially in the theme.

Mac Mail: Can software perform worse?

I’m a fan of Mac Mail (Mail.app). It looks nice, it renders fonts very nicely, it creates mails conforming to the relevant RFCs and it basically supports most of the requirements I’ve posted back in 2003.

There are some drawbacks though. First one is no proper IMAP search support. This is not as bad as it sounds as the local full text index works very nicely (faster than our exchange server) and it’s even integrated into Spotlight.

Then, the threading support sucks as it’s not multi-level. This does not matter as much as back in 2003 though as my daily dose of technology-update now comes from RSS and blogs. Actually I’m currently not subscribed to any mailing list.

Everything else on that list is supported and the beautiful UI and font-rendering convince me to live with those two drawbacks and not use Mozilla Thunderbird for example which supports the whole set of features but looks foreign to OS X.

BUT. There’s a big BUT

Performance is awful.

Even though I’m using IMAP, Mail.app insists on downloading all messages – probably to index them. I know that you can turn this behavior off, but then it doesn’t download any message at all, rendering the program useless in offline situations. In Thunderbird you can make the program just download the messages as you read them and then use the contents of the cache for later offline display.

Then again: I have no problem with downloading and it even displays new mail while still downloading in the background. It does a better job at not blocking the UI than Thunderbird too.

What sucks is the performance while doing its thing.

I have around 3GB of mails on my IMAP server and before I could use Mail.app for the first time, the program downloaded the whole thing, utilizing 100% of one CPU core (it’s not SMP capable ;-) ), forcing my MacBook Pro to turn on the fans – it was louder than after playing 4 hours of World of Warcraft in Windows (via Boot Camp – it’s around twice as fast as the Mac version).

It also took lots and lots of RAM making working with the machine a non-fun experience.

Later I decided to throw away two years’ worth of Cron-Emails containing a basic “Job done” which were filtered away on the server so I never noticed them. Deleting those ~22000 emails took two hours – again with 100% CPU usage on one core.

Even worse: Mail.app does not send an IMAP move command to move the messages to the trash (or just mark them as deleted). It actually manually copies the messages over! Message by Message. From the local copy to the server. Then it deletes them. And then begins the awful “Writing Changes to disk”, completely killing the performance of my MacBook.

Also annoying: Mail.app does not support IMAP folder subscriptions. It insists on fetching all folders – if you have a full calendar on your exchange server, it’s going to fetch all those (useless for Mail.app) entries as well – and we know now how well Mail.app works with large folders.

My conclusion is: Mail.app is perfect for reading and writing your daily mail. It fails miserably at all mail administration jobs.

I’m going to stick with it none the less as reading my daily mail is what I’m doing most of the time. It’s just a good thing that Thunderbird exists and I’m going to use that for the next round of cleanup (hoping that Mail.app picks up the changes and does not take too long to mirror them to its local store).

Sure. Just dump your trash right here!

Boy was I pissed when I read my mail today:

Spam in Inbox

Dear Spammer. What do you think you’ll get out of this? All links you post will be masked, so no page rank for you. And I will almost certainly not overlook something like this (400 comments in one night), so no chance in it persisting either.

I’m sick of cleaning up after you guys. Dump your trash somewhere else. /dev/null sounds like a nice alternative.

Oh, and MT: Why did your Spam filter not catch this?

Flattening Arrow Code

In an equally named article, the excellent (yes. Really. This is one of the blogs you HAVE to subscribe to) Coding Horror blog talks about flattening out deeply stacked IF-clauses in your code.

I so agree with the guy, though there seem to be two opinions in the matter of the points 1 and 4 in the list the article provides:

Replace conditions with guard clauses. This code..

Many people disagree. Sometimes because they say that Exceptions are a bad thing (I don’t get that either) and sometimes because they say that a function should only have one return point.

Always opportunistically return as soon as possible from the function. Once your work is done, get the heck out of there! This isn’t always possible — you might have resources you need to clean up. But whatever you do, you have to abandon the ill-conceived idea that there should only be one exit point at the bottom of the function.

I once had to work with code an intern had written for us. It was written exactly as Coding Horror tells you not to. It was PHP code and all of it basically took place in a biiig else-clause around the whole page, with a structure like this:

    if (!$authenticated){
       die('not authenticated');
    }else{
      // 1000 more lines of code, equally structured
    }

This is a pain to read, understand and modify.

To read because the thing gets incredibly wide requiring you to scroll horizontally, to understand because you sometimes find an }else{ not having the slightest idea where it belongs to, requiring you to scroll upwards for half a file to see the condition and to modify because PHP’s parser is inherently bad at reporting the exact position of missing or spurious braces, which is bound to happen when you extend the beast.

But back to the quote: I talked to that intern about his code style (there were other things) and he mostly agreed, but he refused to change those deeply stacked IF’s. “A function must only have one single point of return. Everything else is bad design“, he told me.

Point is. I kinda agree. Multiple exit points can make it hard to understand the workings of a function. But if it’s a single, well defined condition that makes the function unable to continue or if the function somehow gets its result way early (like if it’s able to read the data from a cache of some kind), IMHO there’s nothing wrong with just stopping to work. That’s easy to read and understand and certainly does not have the above problems.

And of course every function should be short enough to fit on one screen, so scrolling is never necessary and it’s always obvious where that }else{ belongs to – at least without making you scroll.

Personally, I write code exactly as it is suggested in that article. And I try to keep my functions short. Like this, it’s very easy to understand the code (most of the time) and thus to extend it. Even by third parties.
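The two styles side by side, as an added example (not the intern's code and not code from the Coding Horror article), written in Python rather than the post's PHP. It goes slightly beyond the snippet above by including the early cache hit and the resource cleanup the text mentions; the handler names, the cache and the store are hypothetical, and the requests are constructed.

```python
from contextlib import contextmanager

CACHE = {}          # hypothetical result cache
OPEN_HANDLES = []   # lets a caller see whether a resource was left open


@contextmanager
def open_store():
    """Stand-in for a resource that must be released on every exit path."""
    OPEN_HANDLES.append("store")
    try:
        yield {"42": "order 42: 3 items"}    # constructed data
    finally:
        OPEN_HANDLES.pop()


def show_order_arrow(request):
    """Single exit point: every check adds one more level of nesting."""
    result = None
    if request.get("authenticated"):
        order_id = request.get("order_id", "")
        if order_id.isdigit():
            if order_id in CACHE:
                result = (200, CACHE[order_id])
            else:
                with open_store() as store:
                    if order_id in store:
                        CACHE[order_id] = store[order_id]
                        result = (200, CACHE[order_id])
                    else:
                        result = (404, "no such order")
        else:
            result = (400, "bad order id")
    else:
        result = (401, "not authenticated")
    return result


def show_order_guarded(request):
    """Guard clauses: each failure returns at once, the happy path stays flat."""
    if not request.get("authenticated"):
        return (401, "not authenticated")    # fail closed before anything else
    order_id = request.get("order_id", "")
    if not order_id.isdigit():
        return (400, "bad order id")
    if order_id in CACHE:
        return (200, CACHE[order_id])        # result known early, stop here
    with open_store() as store:              # released even on early return
        if order_id not in store:
            return (404, "no such order")
        CACHE[order_id] = store[order_id]
        return (200, CACHE[order_id])


# Constructed requests covering every exit path.
SAMPLE_REQUESTS = [
    {"authenticated": False, "order_id": "42"},
    {"authenticated": True},
    {"authenticated": True, "order_id": "4 2"},
    {"authenticated": True, "order_id": "7"},
    {"authenticated": True, "order_id": "42"},
]


def compare(requests):
    """Run both handlers on each request with a cold cache; return the pairs."""
    pairs = []
    for req in requests:
        CACHE.clear()
        arrow = show_order_arrow(req)
        CACHE.clear()
        pairs.append((arrow, show_order_guarded(req)))
    return pairs


if __name__ == "__main__":
    for arrow, guarded in compare(SAMPLE_REQUESTS):
        print(arrow, guarded, "same" if arrow == guarded else "DIFFERENT")
```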

Christoph, do you agree? And: No, I’m not talking about that sort-by-material-group-thing. That IS unclean. I know that (and so do you now *evilgrin*)

The myth of XCOPY deployment

Since the advent of .NET, everyone is talking about XCOPY deployment.

XCOPY deployment means that the applications are distributable without a setup routine. Just copy the file(s) where you want them and that’s it.

We are being told that this is much easier and safer than the previous non-.NET approaches which – as they continue – always required a setup program.

The problem with those statements is that they are all false.

First the ease of use: Think of it: Say you want to install Cropper (which made me write this entry. I found that screenshot utility via flow|state). What you are getting is a ZIP-File, containing 5 files and a folder (containing another 6 files). Nearly all the files are needed for the application to run.

XCOPY deployment in this case means: Create a folder somewhere (Windows guidelines advocate you create that in c:\Program Files which is a folder Windows does not want you to mess with and per default does not display its contents) and copy over all those files, being aware not to forget a file or the folder in the archive.

But it does not end there: As you have to launch the application and going all the way through those folders, you will want to have a shortcut in the start menu or on the desktop. With this new and “better” method of deployment, you’ll have to do that yourself.

This is a tedious task involving lots of clicks and browsing. An inexperienced user may not be able to do this at all.

What an inexperienced user will want to do is to copy that application right to the desktop. But in this case this does not work well as the whole application consists of multiple interdependent parts. Copying only the .EXE will break the thing.

Compare this with Mac OS X

In Mac OS X, applications also consist of multiple parts. But the shell is built with XCOPY deployment (not called like this, of course. As a matter of fact, it does not have a name at all) in mind: In OS X, you can create a special kind of folder which is a folder only on the file system. The shell displays it to the user as a single file – the application.

Whenever you move that “file” around, OS X will move the whole folder. When you double click the “file”, the application will launch (the binary is a file somewhere in this special folder. The shell is intelligent enough to find and launch that). When you delete it, the shell will delete the folder including its contents (of course).

This makes XCOPY deployment possible as the applications become one piece. You want it on the desktop? Drag it there. In the Application folder (without warnings about not being allowed to mess with its contents, btw)? Drag it there. On a USB stick? Drag it there.

Well. There’s one other thing: It’s the user’s data and the application’s data. Most of the applications will be used to create data with them. And all applications somehow create their own data (for saving things like the window state or position for example). As all modern OSes are multiuser ones where a user does not necessarily have to have write access everywhere, there’s the concept of the home directory. That one is yours. You may store whatever you want in there.

So naturally, this is the place where the applications should store data too.

User data goes to a specific folder of the user’s choice. Per default, applications should suggest some Documents-Folder. Like “My Documents” in Windows or “Documents” in Mac OS. In most of the cases you don’t want to delete that on uninstall.

Application settings are in Windows stored in the Registry (under HKEY_CURRENT_USER – a hive that belongs to the current user like his home folder does. And actually, the file behind that is stored in the home folder as well (USER.DAT)) or in the Application Data folder below the user’s home folder.

Mac OS X Applications are advised to use the Preferences-Folder inside the Library Folder inside the user’s home directory.

Now. Application data is something you want to remove when you uninstall the application (which means deleting a bunch of files in Windows or one “File” in Mac OS). Application data is created by the application, for the application. No need to keep that.

In Mac OS, you can do that by going into the folder I’ve described above and delete the files – mostly named after your application. There are no warnings, no questions, no nothing. Just delete.

In Windows, editing the registry is off-limits for end-users and very, very tedious to do for experienced users (due to the suboptimal interface of regedit and because the whole thing is just too large to navigate it easily), so you generally let the stuff stick there. Deleting the Application Data in the same-named folder is also impossible for the end user: That folder is hidden by default. Explorer does not display it. And it’s hard as hell to find, as you have to manually navigate into your home directory – there’s no easy GUI access to that. So that sticks too.

All in all, this means that Windows is – at least in its current state – very unsuited for XCOPY deployment:

  • It does not help at keeping together things that must be together
  • Its complex file system structure makes it hard to copy the application where Windows wants it to be
  • Manually creating shortcuts is not feasible for an inexperienced user
  • Uninstallation of Application Data is impossible

So, we found out that XCOPY deployment is not easy at all. Now let’s find out how it’s not true that only .NET enabled you to do this.

Ever since there is Delphi, there theoretically is XCOPY deployment.

Delphi is very good at creating self-contained executables.

With Delphi it’s a breeze to create one single .EXE containing all the functionality you need. That one single .EXE can be moved around as a whole (obviously), can be deleted, can even be put right into the start menu (if you want that). It can even create the start menu shortcuts, delete application data – basically configure and clean itself.

It can even uninstall itself (embed an uninstaller, launch that with CreateProcess and set the flag to delete the .exe after it ran). And it can contain all the image, video and sound data it needs.

Just because nobody did it does not mean it was not possible.

Face it: Windows users are used to fancy installers. Windows users are not at all used to dragging and dropping an application somewhere. And currently Windows users are not even able to do so as dragging and dropping will break the application.

OS X and now Linux allow for true XCOPY deployment of desktop applications.

Well, you say… then maybe XCOPY deployment is just for those fancy ASP.NET web applications?

Maybe. But after XCOPY you need to configure your webserver – at least create a virtual directory or host. A good installer could do that for you – if you want it to.

Microsoft too has seen that this XCOPY thingie is not as great as everyone expected, so they added the new “One-Click Install” technology, which is not much more than a brushed-up MSI file which does an old-fashioned install.

To really make XCOPY deployment a reality (btw, I’m a big fan of deploying software like this), there must be some changes within Windows itself. Microsoft, copy that application bundle feature from OSX. That one works really, really well.

Btw: Am I the only one that thinks “XCOPY deployment” is a very bad term? What is XCOPY? Who the hell still uses XCOPY these days? And when we are using the command line: COPY would be enough.

Frustrated by personal firewalls

As you may know, the company I’m working in develops barcode ordering solutions.

Now for me it’s very frustrating to see that whatever I do, those oh-so-good personal firewall and internet security and whatnot tools manage to screw the experience for the end user. During development, I’m always careful to adhere to commonly known good practices in regards to handling the system. Works without admin rights? Yes. Uses systemwide functions wherever possible? Yes. Clean uninstall? Yes. Spyware free? Of course. Trojan horse? God beware! No!

Nonetheless, PopScan gets majorly screwed every now and then:

  • Norton Internet Security is per default configured to let only ‘Programs authorized by Symantec’ access the internet. I don’t even try to ask how to get on that list – besides the fact that we’d never have the resources to do whatever Symantec wants from us – if they provide such a possibility at all.
  • Whenever the offline version connects to the internet, a big scary warning from whatever personal firewall (besides Norton – that tool silently blocks everything that’s not IE and LiveUpdate) pops up telling the (not-knowing) user that something bad is currently happening. End-users are known to click ‘block’ here and accuse us of creating trojan horses.
  • To circumvent many problems associated with installations on the client, we created the Web version of PopScan. And you know what: We’re still screwed. Java-Applets get blocked (how the hell should we get the barcodes in the scanner if not with Java or ActiveX??), PopUps get blocked (of course we don’t pop up any unrequested ones; the only popup used is for reading the scanner, with onClick="window.open()". It can’t be more ‘user-requested’ than this). Still… some security program deemed it necessary to block that.

The worst thing about all that is: Those obviously broken programs that screw applications all over the place call themselves ‘Security Tools’ and with this, they seem to be automatically trusted by the end users. If a security tool tells the user “Trojan Horse Alert”, the user panics and blocks everything. If a security tool just silently blocks certain internet connections (PopScan Offline uses Port 80 to communicate – using WinInet API – a less intrusive, less sneaky way for connecting to the internet does not exist), everyone blames the blocked program for not working.

To connect to the internet regardless of any PFW setting would mean to inject code into IE and use that to do your internet work. The better tools still detect that, but you can get around it by abusing the Windows Message Loop and simulating keypresses. But both solutions are actually trojany. And I’d never ever implement such a “feature”. It’s compromising stability and integrity. And it’s ethically flawed. Nonetheless: The tools force me to do something like this if I want it to work in 100% of the cases in 100% of the installations.

Those tools go way too far.

And don’t forget: It’s the nonexperienced users that get bitten: Those install security tools. Those don’t know what those tools do. Those trust them. Those make the wrong conclusions (PopScan can’t connect. PopScan must be broken).

It’s just frustrating. Why use lots of time to make a software non-intrusive and perfectly compliant to both technical and ethical standards when it’s blocked just like your average trojan horse trashing your installation and displaying advertisement all over the place?

Actually I think, those trojans are better off because they have code to circumvent the security tools.

As it currently stands I have the feeling these tools block more legitimate applications than trojan horses. And this frustrates me. Greatly.

31337 OOP code?

In the current issue of php | architect, there’s an article about “enterprise ready” session management. While it provides a nice look about how to structure your application (besides the capital mistake of endorsing a multiple-entry application structure – but I’ll save that for another post) and about some design-patterns, I have one big objection to the article: It’s basically saying that the $_SESSION-things in PHP are not enterprise-ready. The article names three reasons:

  1. It is not OOP enough
  2. The Session-ID is guessable
  3. The storage location for the session-data does not work with load balancers

The article then goes further and writes a complete replacement for PHP’s session API.

Now. Let’s have a look at those points:

Point 3 is valid. If your load balancer cannot guarantee that each subsequent request from a user goes to the same server, /tmp is not a good place to store session data. What the article does not tell you is that most load balancers actually do make that guarantee. Reading the session-data from a file, unserializing it, using it, serializing it, storing it to a file probably is faster than doing the same thing with a database. Maybe you should do some testing and then decide – at least when you have the real enterprise-grade-load balancers at your disposal.

Point 2 is also somewhat true, but the workaround provided by the article is not any better than what PHP already does. I especially dislike taking a hash of the first two octets of the IP address for protection against session spoofing. Hey. 2 octets of IP-range are not checked. These are 65536 addresses. Say I want to spoof sessions on your site, instead of those 4 billion users I only have 65 thousand to try it with, but let’s say even only 1% of the users in said range do some online financial transactions on your site, it’s worth it for me. I just make an account at a particular ISP and try out my range.

It’s unfair to say PHP’s session ID generation is weak because it uses the system’s time (amongst other things) and then create a replacement algorithm using the system’s time (amongst other things).

The idea with the second ID is somewhat valid, but does not protect at all against network-based attacks (listening on the network and sending a valid request).

My biggest concern – the one that actually made me write this – is point 1. Tell me: What’s better at

 HTTPRequest::getSession()->getValue('gnegg');

than

 $_SESSION['gnegg'];

As I see it, the first version has three distinct disadvantages:

  • Depending on the state of PHP’s optimizer, this involves two function calls (in PHP userland code – and maybe countless others in the backend) per variable you query (and with the proposed implementation one additional database query(!)). Function calls are expensive. This performs poorly. Not with two or three queries, but with maybe 100 or 1000 per second.
  • The second method is the one documented and endorsed by PHP. Any coder you will find will know what it means, and how to work with it. Whenever you hire a new coder, he immediately will understand your session management code and will be able to concentrate on the business logic. The first method does not have this advantage. It’s just another hurdle for the coder to take before being able to be productive. A needless hurdle.
  • It’s more code. More to type. More work to do. Thus inefficient for your programmers.

Saying the first one is better because it’s more OOP is like saying “I am more 31337 than you because I’m using Windows”, or “rogues in World of Warcraft are more 31337 than warriors” or … take your pick (a phrase involving vi and emacs springs to mind).

So. Of the three points the author of the article had to present, only one, maybe two are valid. Does this justify dumping the whole session management functionality in PHP? No it does not. Dumping ready-to-use functionality is always bad. Especially if the functionality you want to dump is extendable (and thus fixable for your purpose).

The PHP session management can be customized! Just have a look at the manual. There is session.save_handler, session.serialize_handler. There’s even session.entropy_file.

So after all, another of those people trying to be god-like by writing about the enterprise without really knowing what it means. The Java world is full of such individuals. And now PHP is getting them too. The price for being known? Maybe.

Check for update

I’ve seen many pieces of different software.

Many of them provide the user with a way to go online and check for new versions of the program.

Nearly all of them have the corresponding menu entry in the “Help”-Menu.

Why is that so? Checking for updates does not provide you with help. Maybe, just maybe it can fix a problem you are having – but it’s nowhere near providing help.

If I wrote software, it would have this option in the Tools menu or – if the application had none – in the File-Menu, though it’s misplaced even there. As is “quit” for example…