Windows Live Writer

January 12th, 2009

The WordPress web-interface for writing blog posts is OK, but I do miss some of my favorite word-processing features. The blog-posting facility in Word 2007 didn’t impress me, but I’m on a Microsoft kick this week while trying Windows 7, so I thought I’d take Windows Live Writer for a spin.

Although it presents you with the option to start a blog on Windows Live, it claims to play nicely with WordPress’s publishing API. I was skeptical, since I host my own blog (powered by WordPress), rather than having it on WordPress.com, but I’ve so far been impressed. Setup was very easy and totally automated: I just gave it my login credentials and the URL to the main site. It quickly discovered that I hadn’t enabled the publishing API, but helpfully gave me the URL of the options page to enable it. It also detected and downloaded my theme so it can give a full preview of what my post will look like on the site.

The bottom of the window has three tabs: “Edit,” “Preview,” and “Source.” “Edit” is a WYSIWYG text editor, which helpfully defaults to the appropriate fonts for my blog, but doesn’t include the sidebar or other elements from my theme. “Preview” shows the post as it will look on the page—complete with sidebar and the previous post sitting underneath it. “Source” gives the HTML underneath the post, and unlike previous Microsoft forays into web publishing, it gives clean, sensibly formatted HTML.

pancake bunny

Inserting images is also painless, as illustrated by this bunny with a pancake on its head.  The one thing it is missing in terms of the WordPress system is a way to set the tags for the post.  There’s a tool for inserting tags, but all that does is insert some HTML into the post for tagging to external sites like Technorati or del.icio.us.  All in all, it’s a welcome and viable alternative to using the Web-based tool.

UPDATE (13 Jan): As helpfully pointed out in comments, there is a way to set the tags for the post.  It’s in the post Properties, accessible with <F2>.  Win!


Windows 7 Beta

January 11th, 2009

Downloading the Windows 7 Beta was a little more difficult than it should have been, but I was admittedly jumping the gun a little bit.  The public beta was briefly posted, only to be withdrawn because the servers couldn’t keep up with demand.  (It’s now back up.)  Being the impatient man that I am, I managed to find a BitTorrent link to the DVD iso.  It surprises me, just a little, that more companies don’t include a .torrent whenever you have the option to download large files.  I’m not sure if MS thinks that it isn’t secure, or looks amateurish, but I have to say that posting a link and then taking it down doesn’t look so good either.  BitTorrent, or peer-to-peer technology in general, just makes so much sense for this kind of application: that is to say, getting a large chunk of data downloaded to a large number of people quickly.  (If you’re unfamiliar with peer-to-peer, it does this by breaking the file into pieces and passing the pieces around from person to person rather than everyone trying to get it from a single server.)

Windows 7, like previous versions, allows you to install without a Product Key and enter it later, so I loaded it up right away, confident that I’d be able to get one when Microsoft reinstated the public download site.  Upgrading from XP, there was no option to try to migrate my programs and settings; only a clean install was available.  This didn’t bother me, but might turn off some people who’ve skipped Vista when it comes time to upgrade to Win7.  Vista users, apparently, can upgrade with their programs and settings more-or-less intact.  The install was very smooth, and took a little over half an hour.  It had no problems setting up my hardware.  In fact, the only drivers I’ve downloaded myself so far are the Dell drivers for the “advanced” features on my touchpad (aside: advanced is in scare quotes because I liked the Synaptics touchpad on my old Dell much better than the Alps one on my current D630).

The interface improvements are pleasing, and run smoothly and responsively on my laptop (Core2Duo 2GHz, 2GB RAM, Intel 965 Integrated graphics).  Especially nice is the updated taskbar, which gives live thumbnail previews of the windows as you mouse over it, and the new-to-me Window Flip 3D alternative to Alt-Tab.  Annoying is its insistence on changing the theme to a heavy black color every time I open something from the Control Panel.

I also BSoD’ed (the instantly familiar blue screen of death) once while watching a DVD in VLC Player.  It’s nice to know that fail still comes in white text on a blue background.  But other than that, it’s been a nice experience.  Outlook, in particular, loads lightning-fast, and I haven’t had any issues with program or hardware incompatibility.  Looking forward to giving BitLocker whole-disk encryption a go, as well as seeing what the gaming performance is like.


Live Mesh first look

January 10th, 2009

So, I’ve decided to use my Saturday to geek-out and try some new computer stuff.  While Microsoft is making a somewhat lackluster presentation at CES compared to the likes of Sony, Palm, and Dell which have announced slick-looking gadgets, in terms of things to try right now, two Microsoft betas have caught my attention.  The first is Live Mesh, the subject of this post.  I’ll write something a little later about Windows 7.

I noticed that Microsoft’s Live Mesh service won a “Crunchie” from TechCrunch.com, so I decided to give it a try.  At its core, it’s a service for syncing files and folders among multiple computers.  But, in addition to updating your different machines, it includes a “Live Desktop,” which is a 5GB storage area in Microsoft’s cloud to allow you to get access to your most important files on any computer with an internet connection.  It also includes remote-access software, which is nothing new, but is accessible with just a click or two (at least in theory–my desktop crashed the first time I tried it).  It certainly seems much more sensible than the complicated setup one needs to do on both ends which is currently par for the course.  It also has some sharing features, but as far as I can tell, these require others to sign-up and sign-in, which will limit their usefulness severely (especially while the service is still in beta).

Live Mesh Popup Control Panel

I’ve installed it on my home desktop and lappy, and will give it a go on my office computer when I get in on Monday.  I have to say, I’m not particularly impressed with the syncing so far from an interface perspective: the size totals for transfers don’t make a lot of sense, and my lappy started uploading even though I told it to sync a new folder taken from my desktop.  These may just be initial hiccups, so I’m willing to give it the benefit of the doubt.  We’ll see how diligent it is at keeping the files up to date without intervention.

 


Text messaging numbers

December 30th, 2008

The “most emailed” story in the NY Times today is about the prices and costs of sending text messages from a mobile phone.  Mobile phone companies charge an arm and a leg for these–in terms of markup on costs it has to be the single most lucrative service they offer.  US carriers charge 20 cents per text, and UK carriers charge 10p for pay-as-you-go text messaging, which doesn’t seem like much until you consider how little data they’re actually carrying.

Text messages are limited to just 160 characters, which can be encoded into just 140 bytes.  To give you an idea of just how little that is, I compared it to the size of the web-version of the NY Times story linked above.  Just the basic HTML (i.e. no images) is 89,986 bytes (or about 88 KB).  That’s about 642 text messages, which is more than my monthly allowance.  Including images, this figure jumps to 858,333 bytes, or 5,360 text messages, more than I send in several years.  On my iPhone, my monthly plan includes unlimited Internet data, and I can download the NY Times article (over the relatively poky GPRS connection) in about 20 seconds.  Yet my plan only includes 500 text messages: an amount of data that could be transmitted in a second over standard connections.

A space scientist at the University of Leicester calculated that sending text messages cost more per byte than data from the Hubble Space Telescope.  It’s all to create the illusion of scarcity so the carriers can keep charging their exorbitant fees.  I remember seeing signs in India for text messaging at 0.08 Rupees per text, about 2 tenths of a cent.  This means US carriers charge 100 times more for their text messages.

The NY Times article goes into a little more technical detail to explain that text messages are actually packed into what’s called the control channel, used to send instructions back and forth from handset to cell towers.  These channels get used whether there are text messages or not, so an increase in volume adds little to operating costs.  The messages don’t appear on the high-bandwidth channels used to transmit voice, further supporting the conclusion that text message pricing has nothing to do with the actual costs of carrying the data.

Fortunately, as the NY Times article explains, Herb Kohl, the chairman of the Senate antitrust subcommittee has taken the first steps in attempting to get the carriers to account for their behavior, and several lawsuits have been filed accusing the companies of price fixing.  All I have to say is, “about time.”


Oxford Libraries Web Access: baby steps

October 25th, 2008

The Oxford Bodleian Library’s collection is one of the main tangible things that makes Oxford a world-class research institution.  The troves of primary sources, obscure titles, and first editions make it a mecca for historical and literary research.

This is a promise which I don’t think the Oxford Libraries live up to in practice, because the University has not invested enough in updating the tools people use to find what they’re looking for.  The ability to quickly and efficiently find information in Oxford’s catalogs is hampered by outdated and poorly designed interfaces, and incomplete records.  The experience is not worthy of the excellent collection and international reputation the Libraries have.

We live in a world of speedy full-text search of almost the entirety of the Web, accessible instantly from any computer and many mobile phones.  As a result, libraries have a tough act to follow to make finding printed materials as quick and cognitively intuitive.  The databases libraries maintained about their collections seemed monstrous in a time before Google, but they are now very limiting: title, author, some keywords, and a bewildering string of letters and numbers aren’t much data for smart search to chew on.  Web search engines also exploit links between different pages to form their results, but collections databases are relatively flat.  Full text search might be coming, but there’s truckloads of books to scan between now and then.

So no, I don’t expect the library website to be as good as Google, but I don’t think that complete and humane are unreasonable expectations.

By complete, I mean that I expect all records from all collections in the Oxford University Library Services to be accessible by web-based search.  As it stands, for example, Oriel College Library’s catalog is only available via telnet.  Unless you were a nerd before 1995 (or use the libraries at Oxford), you might never have even heard of telnet.  Telnet is a text-only interface designed in 1969 as one of the very first internet standards.  It’s slow, clunky, unintuitive, and there’s no way to save anything you’re doing and come back to it.

I could go on for pages about what makes websites humane, but the redesigned SOLO (Search Oxford Libraries Online) interface is a big leap forward from the previous system.  Standard web-browser behaviors, like using the forward and back buttons or saving results as bookmarks don’t break it.  It has advanced search features like boolean operators and the ability to search particular libraries.  Unfortunately, if the material is not on the shelf (which it isn’t always clear about) it simply plunks you back into the old, ugly, inhumane system to request it from the stacks.

As a scientist, I don’t often research using books. I’m much more likely to look up journal articles, which unless they are old or obscure, are very likely to be online.  Every once in a while, though, I’ll want a paper which isn’t online, and it’s good to know that the library has my back (old and obscure is Oxford’s specialty).  I’ve noticed that when using search tools by Ex Libris, a little button appears beneath many results that says “Find It Oxford.”  Ex Libris know what stuff Oxford has in its catalog and clicking it takes me to an Oxford page.  Unfortunately, this is in the old, ugly interface, and it dead-ends: giving me information about the holding but not allowing me to do anything with the information, like request it from the stacks.  If I want to do any of that, it’s back to top level interface (but at least this time, title in hand).

So, things are looking up, but Oxford’s Library access is still sub-par.  Its number one priority, at this point, should be getting all books and all the libraries available to be searched via SOLO.  The first thing researchers care about is completeness.  They can’t trust a tool that they know won’t give them all the results.  Then, it should cut the last vestige of the old system away and build a humane system for stack requests.

The icing on the cake, for me, would be seeing the full text of every title they have whose copyrights have expired accessible via the internet.  They have been partnering with Google on book scanning since 2005, but, as far as I can tell, library users have yet to see any of the benefits.  The Oxford website claims this will take three years, but my opinion of “official” Oxford timelines sinks the longer I am here.


Banging On Machines

October 25th, 2008

It always impresses me the number of machines that can be made to work again just by banging on them.

The gasman was at my house today looking into why the radiators on the top floor don’t heat.  The first thing he did was take the plastic knobs off the valves and then proceed to pound on them with a wrench.  He explained that the valves have wax in them which expands when heated.  This pushes a pin into place to close them, but occasionally they get stuck in the closed position.  Banging on them frees up this pin and allows the valve to open.  Several minutes later, they were heating again!

Our washing machine also responds favourably to a good thrashing.  It occasionally develops an error with the (electronic) front panel which stops the washing cycle and causes the machine to beep incessantly.  A quick slam near the front panel and it picks up where it left off as if nothing had happened.

Some machines need to be explicitly designed to be resistant to shock and vibration—aviation comes to mind immediately.  But many ordinary machines seem to get “stuck” for lack of a more precise word.  Corrosion, disuse, or foreign matter clogging up the works.  A quick shock to the system is sometimes all it needs to get moving again.  Maybe in the future, before calling the repairman, I’ll be less hesitant to take matters in my own hands and start by swinging something heavy.


Graphics processing units to general processing units

October 14th, 2008

They used to call them 3D accelerators, and eventually “graphics processing units” or GPUs, but these days graphics chips are so programmable that we might as well start calling them “general processing units.”  (DVDs play the same game with “digital video disc” taking on the wider “digital versatile disc” moniker.)  Graphics chips are becoming more powerful and more programmable—they’re becoming a lot like having just an extra processor in your system.

This has two main consequences:

Graphics programmers will start to explore alternate rendering paradigms like ray-tracing or voxel rendering.  Ars Technica has a great interview with Tim Sweeney of Epic Games on this subject.  Sweeney’s point is that with really programmable and really powerful GPUs, the rendering APIs like Direct3D and OpenGL become a crutch and limit innovation and creativity in creating graphics.  Developers will just write their own renderers using other established or hybrid paradigms.  GPUs become little more than extra processing power.

Secondly, GPU hardware gets general enough to get repurposed for other processor-intensive tasks.  I remember my computer architecture teacher telling me in 2005 about biology researchers using GPUs to accelerate floating-point intensive simulations.  Now I’ve just read, in another Ars Technica piece, about a commercial software package that uses GPUs to accelerate password cracking.

We’ve known since Alan Turing’s time that all information processing hardware is equivalent up to some small overhead.  Building specialized hardware for specialized tasks can yield performance gains, but only for large tasks where this overhead is non-trivial.  The so-called “physics accelerators” which are starting to appear on high-end gaming machines seem to be doomed to failure for this reason.  Hardware accelerated audio was just a blip on most gamers’ radar 8 years ago.  Why create a dedicated processor for physics/audio/graphics when you could instead just upgrade to a CPU with more cores…


On AppleCare vs. Vodafone

October 3rd, 2008

My iPhone was gimped, but not yet dead.  The problem was with the “home” button, and being the only button on the front face, you can imagine it gets used frequently.  It had lost the crisp, original clickyness and trying to press it was like using a sausage to play a snare drum.  Sometimes I’d press and get no response, sometimes a double click, whisking me away to the favorites list instead of the home screen.

After dealing with the pain that is the repair service of Vodafone (my previous carrier), I was reluctant to go down that dark path, and just dealt with my limp iPhone for a couple weeks.  Remembering that my 1 year warranty would expire in November, I finally got around to making the call to get some reparations.

Fortunately, as I discovered, Apple’s customer service and repair arm is a class act, even in a country where the bar has been set pretty low.  The first phone call to Apple went well: short wait to talk to a rep with fluent language skills, and a competent sounding manner.  He issued me a repair ID and ordered a returns kit sent to my house.

Now, the story hits a few bumps in getting the returns kit delivered.  Of this I hold no malice against the rep I spoke to; it was a simple misunderstanding.  When he read the address they had on file, I assumed he left out the house number for brevity, but as it turns out, it just wasn’t there.  So UPS received an address with the correct street, but no house number.  As helpful as I have found the order tracking website in the past, once there was a problem the cryptic “delivery exception” messages were of little use in deciphering what the problem was.  Fast forward about a week, several phone calls to UPS, and several mornings wasted waiting up for the deliveryman who seemed to need a signature to deliver me what is essentially an empty box; I called Apple to have them deliver to my lab instead.  I had my kit the next day.  This time didn’t bother me too much, since the iPhone still worked OK, but if I had a dead phone, I’d have been pissed at UPS (and probably Apple for hiring them).

Opening up the returns box was almost like unboxing a new gadget from Apple.  Carefully laid out were all the things I’d need to ship my iPhone to Apple, right down to an included paper clip to open the SIM card tray on the iPhone.  Also included was a pre-paid envelope and address label to ship the iPhone to Apple.

Once it shipped, I could use my repair ID to track the status, but it turns out I needn’t have worried. Apple sent me an email once my iPhone arrived and, 3 hours later, another after they shipped a replacement.  That impressed me—3 hours after my gimped iPhone arrived at their repair center a replacement left destined for me. Unfortunately, this was on Friday afternoon, and the replacement didn’t arrive until Monday.  Since they picked up the entire tab including shipping both ways, I couldn’t begrudge them for not splurging on Saturday delivery.

The difference between this and Vodafone’s service, which they charge £7 per month for, is like night and day.  I knew where my iPhone was at any time via the web, even during transit using UPS tracking.  When Vodafone repaired my phone I gave it to a man in the store and just waited until the predetermined pickup day.  Several times (yes, I had several repairs) I returned on the appointed day to be simply told that it hadn’t returned yet and that I should come back tomorrow.  Apple took 3 business days (5 including the weekend) to return my iPhone, while Vodafone typically took a week.  Apple proactively informed me about the progress, while Vodafone didn’t even let me know when there was a delay.

Good customer service includes the tenet that a customer’s problem is your problem until it’s resolved, and it includes keeping the customer in the loop.  Good customer service is something Apple UK has, and Vodafone doesn’t.

“Unboxing” Photos of the Return Kit below:


Punting Password Security

September 22nd, 2008

There’s another problem with passwords which deserves its own post: what do you do when you forget one?  It’s bound to happen, right?  With so many passwords floating around in our heads, we inevitably forget one entirely or forget which password goes with which account.

Sites can’t just tell you to get lost when you can’t remember, so they need a Plan B to authenticate that it’s really you, and not some attacker.  Now, if you have an existing relationship with the entity you’re trying to reset your password with, it makes it much easier.  If I forget my login password at work, I walk down to IT and either talk to someone in there that knows me, or show somebody my ID card.  They reset my password, and I’m off to the races.

Yes, by punt I mean the American sense of the word.

But most sites on the internet don’t know me and haven’t issued me any kind of physical token I can use to prove that I’m me.  So, they punt.  They fall back on one of two methods: security questions, which are the slow-pitch softballs of the security world, or they simply pass the buck to somebody else to authenticate you, namely, your email provider.

Security questions are basically another form of password; information which is nominally secret, but much easier for you to remember.  The age-old bank security question of your mother’s maiden name, or the name of your first pet, or your elementary school.  Because these are usually questions about your past, they’re easy to remember, but also very easy for an attacker to guess or find out the answers.  The well publicised break-in on VP candidate Sarah Palin’s Yahoo Email account provides a good example of why security questions aren’t really secure at all, if the alleged first person account of the break-in is to be believed:

The intrusion, according to this account, was carried out via Yahoo’s password reset feature. Though the original post has been deleted, it was copied and reposted to several other blogs.
In the post’s telling, the exploit took no more than 45 minutes and simply required searching the Internet for basic personal information, such as Palin’s zip code, birth date, and where she had met her husband.

Of course, being a VP candidate is sure to have made it easier to find the biographical information required for this attack, but the point is that the answers to security questions aren’t usually well kept secrets, and enough digging by a determined attacker can punch right through them.

Many sites forgo questions and use the strength of your email authentication.  They send you an email with a temporary password, or a code to enter to be able to create a new password.  This means that your email account should be the most sacred of all your passwords—strong, unique, and changed often—because if it is compromised an attacker will have “the keys to the kingdom” of many of your other accounts.  Of course, this style of authentication doesn’t help email providers like Yahoo!, Gmail, or MSN/Hotmail.

And, in this respect, Information Cards are no better.  They can be lost in a computer crash, accidentally deleted, or not transferred to a new computer.  This means that sites that use them still need to punt on security in exactly the same way.  There are such things as “managed information cards,” which are issued and secured by a trusted third party.  If the user has an existing relationship with the third party (their employer, for example), they can be reissued access in a more secure way.  But this is really no different than resetting a site password via your work email account (to which you can gain access securely).  In both cases you and the site agree that if you lose your credentials, then you both should trust your employer to securely deliver you new ones.
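The email-based reset described above, sketched from the site's side as an added example (not code from the original post or from any real site). The `ResetService` class, the 15-minute lifetime and the list standing in for an inbox are all assumptions made for illustration; the point it shows is that the site can only check the code, not who read the email.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for a reset code


class ResetService:
    """Hypothetical site-side reset flow: issue a one-time code, deliver it by email."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # account -> (SHA-256 of code, expiry time)
        self.passwords = {}  # account -> password (a real site stores a slow salted hash)

    def request_reset(self, account, mailbox):
        """Create a random single-use code and 'send' it to the mailbox on file."""
        code = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(code.encode()).digest()
        # Only the digest is stored, so a leaked database does not reveal live codes.
        self._pending[account] = (digest, self._clock() + RESET_TTL_SECONDS)
        mailbox.append(code)  # stand-in for sending an email

    def redeem(self, account, code, new_password):
        """Set a new password if the code matches, has not expired, and is unused."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            del self._pending[account]
            return False
        presented = hashlib.sha256(code.encode()).digest()
        if not hmac.compare_digest(presented, digest):
            return False
        del self._pending[account]  # single use
        self.passwords[account] = new_password
        return True


def demo():
    """Constructed scenario: the reset is exactly as strong as the mailbox."""
    now = [1000.0]  # fake clock so expiry can be shown without waiting
    site = ResetService(clock=lambda: now[0])
    site.passwords["alice"] = "original"
    mailbox = []  # constructed stand-in for alice's email inbox

    site.request_reset("alice", mailbox)
    guessed = site.redeem("alice", "not-the-code", "x")
    # The site cannot tell who is reading the mailbox: any reader holds the code.
    taken = site.redeem("alice", mailbox[-1], "chosen-by-mailbox-reader")
    replayed = site.redeem("alice", mailbox[-1], "again")

    site.request_reset("alice", mailbox)
    now[0] += RESET_TTL_SECONDS + 1
    expired = site.redeem("alice", mailbox[-1], "too-late")
    return guessed, taken, replayed, expired, site.passwords["alice"]


if __name__ == "__main__":
    print(demo())
```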

Photo is Eric Tipton from the Duke University Archives.  Licensed under Creative Commons.


Passwords and Information Cards

September 21st, 2008

Every new site that provides a personal service needs to authenticate you the next time you return.  They need to make sure you are able to access your account and others are denied.  The standard way to do this is to have you create a secret password to identify yourself when you return.  And there begin your troubles, noble websurfer.

Most people don’t just have one web-based service they use, they have between a few and a few dozen.  The safe thing to do, of course, is to create a unique password for every site you sign up for.  One for Gmail, one for Amazon, one for PayPal, one for your internet banking, one for… you get the idea.  Strong passwords are very random, with plenty of crazy symbols and odd capitalization.  Of course, the way the human brain works, the longer and more random the password, and therefore the stronger, the harder it is to remember!  If your mind is anything like mine (which is to say, human), you’ll know the futility in trying to create and remember unique, secure passwords for each site that requires one.

So, we cheat.  We create relatively weak passwords.  Or, we reuse them.  Or both (in college, every private multiplayer game we created was always secured by the password “spandex”).  Reusing passwords is particularly Bad News Bears because you can’t know what the site you’re sending it to will do with it.  Will they store it securely?  Will they sell it to criminals in Russia?  Are they criminals in Russia?  So if you currently use the same password for http://somerandomforum.tk as your bank or email account, you might want to reconsider.  As you might imagine, the extent to which I follow my own advice depends on the perceived risk of getting a password stolen, and the potential damage an attacker could do with that particular password.

And, there are other problems with passwords.  Even if we could all remember hundreds of complex passwords and the sites they belong to, they’re still vulnerable.  They can be captured by eavesdroppers if used over an unencrypted channel, or users can be fooled into giving them away in a phishing attack.

A recent (well, August. I’ve been busy) NY Times piece introduced me to an alternative to passwords.  It’s called an Information Card, and is in essence the digital equivalent to an ID card.  Under this system, the computer does the heavy lifting of creating a unique token for each site you visit, so a malicious site can’t use the information it gains to break into your other accounts.  It also will only transmit the information over a secured channel, so there’s essentially no way eavesdroppers can intercept your credentials.

However, there are still ways to attack this system, even if the author, Randall Stross, doesn’t seem to think so.  In one breath, he quotes Scott Kveton (of the OpenID foundation) as saying, “there is no silver bullet, and there never will be.”  Then, in the next, he goes on to talk about information cards as if they’re some kind of panacea.  They aren’t.

MS Windows Cardspace, an implementation of information cards

Essentially, you are trading keeping a secured secret in your head (a password) for a secured secret on your computer (an information card).  This means that if an attacker gains access to your computer, they can steal your cards.  And, since the cards are simply bits of data, they can be copied, meaning they can be stolen without you ever noticing they’re gone—that is until you notice accounts being compromised.  A PIN is no defense; attackers might design viruses or worms to steal them after you’ve entered your PIN, then silently delete themselves, removing any evidence you’ve been compromised.
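A toy model of the trade-off described above, added here as an illustration and not taken from the original post or from CardSpace: a single secret on the computer yields a different token for every site, so one site's token is useless elsewhere, yet a copy of that secret works everywhere. The HMAC-based derivation, the `Card` and `Site` classes and the site names are assumptions; real information cards use their own token formats.

```python
import hashlib
import hmac
import secrets


class Card:
    """Toy stand-in for an information card: one secret kept on the user's computer."""

    def __init__(self, master_secret=None):
        self.master_secret = master_secret or secrets.token_bytes(32)

    def token_for(self, site):
        """Derive the token presented to one site (HMAC-SHA256 keyed by the card secret)."""
        return hmac.new(self.master_secret, site.encode(), hashlib.sha256).digest()


class Site:
    """Hypothetical relying site that remembers the token seen at sign-up."""

    def __init__(self, name):
        self.name = name
        self._registered = {}  # user -> token presented at sign-up

    def sign_up(self, user, token):
        self._registered[user] = token

    def log_in(self, user, token):
        expected = self._registered.get(user)
        return expected is not None and hmac.compare_digest(expected, token)


def demo():
    """Constructed scenario with two made-up sites and one user."""
    card = Card()
    forum = Site("somerandomforum.example")
    bank = Site("bank.example")
    for site in (forum, bank):
        site.sign_up("alice", card.token_for(site.name))

    # A malicious forum operator replays the token it was given to the bank.
    forum_token = card.token_for(forum.name)
    replay_at_bank = bank.log_in("alice", forum_token)

    # Malware that copies the card's bytes gets a working duplicate; the
    # original stays in place, so nothing looks missing to the owner.
    stolen = Card(master_secret=bytes(card.master_secret))
    clone_at_bank = bank.log_in("alice", stolen.token_for(bank.name))
    owner_at_bank = bank.log_in("alice", card.token_for(bank.name))
    return replay_at_bank, clone_at_bank, owner_at_bank


if __name__ == "__main__":
    print(demo())
```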

Still, relying on keeping your computer secure does seem like a safer bet than passwords, at least for the time being.  If the movement gains momentum, it might do some good.  Also, smart-card readers of various sorts are becoming relatively standard on business laptops.  In the future, an information card could be embedded on one of these smart-cards; this would make them hard to steal and very hard to duplicate.

I’d be tempted to try it out on spikecurtis.com, but it’s designed to work only with SSL-encrypted connections, which I don’t have the credentials for.  The only site I know of that uses them now is Microsoft’s Live ID, only in beta, and only with IE 7 (there is a Firefox plug-in, but it doesn’t work with Firefox 3).