That’s a harsh headline but it is unfortunately deserved. We should indeed hold Mozilla to a higher standard.
Sunday, December 17th, 2017
Monday, July 31st, 2017
Such a great primer on game theory—well worth half an hour of your time.
Friday, July 28th, 2017
Hadley points to the serious security concerns with AMP:
Fundamentally, we think that it’s crucial to the web ecosystem for you to understand where content comes from and for the browser to protect you from harm. We are seriously concerned about publication strategies that undermine them.
The anchor element is designed to allow one website to refer visitors to content on another website, whilst retaining all the features of the web platform. We encourage distribution platforms to use this mechanism where appropriate. We encourage the loading of pages from original source origins, rather than re-hosted, non-canonical locations.
That last sentence there? That’s what I’m talking about!
Saturday, June 3rd, 2017
This was my favourite talk from this year’s Interaction conference—packed full of insights, and delivered superbly.
It prompted so many thoughts, I found myself asking a question during the Q&A.
Thursday, January 19th, 2017
Following from that great post about the “zone of death” in browsers, Eric Law looks at security and trust in a world where certificates are free and easily available …even to the bad guys.
Monday, January 16th, 2017
A thoroughly fascinating look at which parts of a browser’s interface are available to prevent phishing attacks, and which parts are available to enable phishing attacks. It’s like trench warfare for pixels.
Wednesday, December 7th, 2016
Software is politics, because software is power.
The transcript of a tremendous talk by Richard Pope.
Saturday, December 14th, 2013
My debit card is due to expire so my bank has sent me a new card to replace it. I’ve spent most of the day updating my billing details on various online services that I pay for with my card.
- hosting providers like Digital Ocean and Engine Hosting,
- DNS managers like DNSimple,
- email providers like Fastmail,
- transactional email suppliers like Mailchimp and Postmark,
- code repositories like Github,
- and distributed storage providers like Amazon’s S3.
But there’s one company that will not be receiving my new debit card details: Adobe. That’s not because of any high-and-mighty concerns I might have about monopolies on the design software market—their software is, mostly, pretty darn good (‘though I’m not keen on their Mafia-style pricing policy). No, the reason why I won’t give Adobe my financial details is that they have proven that they cannot be trusted:
We also believe the attackers removed from our systems certain information relating to 2.9 million Adobe customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.
The story broke two months ago. Everyone has mostly forgotten about it, like it’s no big deal. It is a big deal. It is a very big deal indeed.
I probably won’t be able to avoid using Adobe products completely; I might have to use some of their software at work. But I’ll be damned if they’re ever getting another penny out of me.
Friday, March 23rd, 2012
An in-depth look at where Google is going wrong.
Thursday, December 18th, 2008
"Facebook has rolled out an identity system — Facebook Connect — with a slick UI that trains a gazillion tech-naïve users to slap their identity credentials into any old website."
Sunday, June 29th, 2008
Good Reads is responsible for one of the most egregious abuses of trust — using the password anti-pattern to spam your address book. Micki has the details.
Wednesday, June 4th, 2008
Brothercake looks at the problems, issues, and alternatives to requiring a human to prove that they're not a bot.
Friday, March 14th, 2008
A cautionary tale that explains just why the password anti-pattern needs to die. Coding horror indeed: in this case, 1,777 GMail accounts were compromised.
Wednesday, December 19th, 2007
PPK points out a potentially dangerous aspect to Opera's actions, one that the rest of us have missed: "Without consulting anybody, Opera is trying to give a political body the right to decide what does and what does not constitute a web standard."
Saturday, December 1st, 2007
Facebook's Misrepresentation of Beacon's Threat to Privacy: Tracking users who opt out or are not logged in. - CA Security Advisor Research Blog - CA
An excellent piece of research that shows how Facebook affiliates' cross-site scripting (Beacon) sends information back to the mothership regardless of whether the user has opted out.
Leisa joins in on the password anti-pattern. As she says, this is a question of ethics. I've already made my position clear to my colleagues and clients. Have you?
Wednesday, April 25th, 2007
Identity and authority
When Richard talks, I listen. That’s a lesson I learned even before Clearleft existed. Right now Richard is talking about civility online mentioning the specific example of Digg—something I’ve touched on in the past.
If there’s any truth to the Greater Internet Fuckwad Theory then anonymity online can exacerbate the lack of civility. A key issue here is identity: you’re more likely to be rude or aggressive when posting an anonymous comment on a blog post than when you’re posting to your own blog—a place that’s associated with you and your online identity.
Just to be clear, when I talk about identity here I’m not talking about the issue of consolidating scattered online identities (a job for OpenID and, to a certain extent, microformats). I’m talking about identity as a basis for trust.
In order for an opinion to carry any weight online, the person posting needs to establish trust. A lot of the time this simply involves providing background material: “this is me, here are my photos, here are my bookmarks, etc.”
If you can’t provide a backstory, it becomes very hard to establish trust. Take for example the recent discourse on Flickr when some asshats ripped off Dan’s logo. To begin with, everyone was quite rightly joining the fray in support of Dan—with the exception of the Chief Executive Asshat from the rip-off company. But then some people showed up and started taking the side of the asshat. The other commentators did some quick’n’dirty background checks by simply clicking on the usernames and found empty photo pages. This lack of history pointed pretty strongly to these people simply being sock puppets.
But if your history establishes your identity and consequently your trustworthiness, then how can you instil trust if you’re just showing up to the party? As Kaliya was at pains to point out in her talk at the Web 2.0 Expo:
Trust is not an algorithm.
It’s important to realise that there’s a big difference between trust and authority. Trust is a personal judgement, different for everyone. Authority is a top-down value. There may well be an algorithm for authority—based on past achievements—but on the Web, authority isn’t nearly as important as trust.
Richard’s musings were prompted by an article in The Times that falls victim to the usual trap of mistaking a lack of authority with a lack of merit, citing the usual examples of Wikipedia and political blogs. The argument is based on the idea that someone who is paid to write (encyclopedias, newspapers, whatever) is likely to be more authoritative—and therefore trustworthy—than someone who writes merely because they have a passion for the subject. In my experience, the opposite is true.
Take some recent articles in The Independent:
- Wi-Fi: Children at risk from ‘electronic smog’
- Danger on the airwaves: Is the Wi-Fi revolution a health time bomb?
These articles were written by journalists and so they have authority. Yet they are entirely without merit because the stories are sloppily-researched, hastily written and downright untrue. Authority, in this case, does not equate to merit. I am far more likely to trust a blog post by Ian Betteridge debunking the articles precisely because he wasn’t paid to write it.
The word “amateur” has come to mean “unprofessional and sloppy” in common parlance. But it wasn’t always that way. The word can also be used to refer to someone who does something out of passion and enthusiasm.
The problem with those articles in The Independent is not that they are amateurish: the problem is that they are professional.