-
Looking for new music or old favorites? Check the Pitchfork 500
Posted on August 25th, 2010 No comments
Dave DeAngelis, an awesome researcher and great friend, recently showed me the Pitchfork 500 playlist on everyone’s favorite Internet jukebox, Grooveshark. The Pitchfork 500 is actually a 500 song review from the music geniuses at Pitchfork.com; Grooveshark allows users to create and share playlists, so people have taken the review and created the accompanying playlist.
For the past week I’ve been listening to the 500 song playlist that covers virtually every musical style from 1978 to now. I’m deleting roughly 1/2 the songs, but I’m discovering a lot of great new stuff, old favorites, and deeper tracks from bands that I knew little about. If you’re looking to find some new music or you want to enjoy a wide variety of old favorites, give it a listen.
-
Phishers, the devil’s in the details!
Posted on August 12th, 2010 1 comment
Phishing is presumably big business (although maybe not). Because email is very cheap to send, phishing has a low barrier to entry. Usually Gmail’s spam filter is accurate enough that I never see the phishing emails; recently, however, some Blizzard-themed messages have gotten through. I get the impression that the emails are crafted by non-native English speakers who lack the finesse necessary to deceive people, which is a good thing, no doubt. As with most pursuits, the devil is in the details. Let me illustrate with the most recent email to pierce Gmail’s phishing armor:
Hello, thank you for shopping at the Blizzard Store!
StarCraft II®: Wings of Liberty™: 6129523855006794206159153
To use this key to activate the game, simply follow these instructions:
1. Log in to your Battle.n Account – Or Create a Battle.net Account2. Verify your e-mail address. (If you have previously verified your address, skip this step.) From the main Account Management page, click the ‘verify this e-mail address’ link. Then, check your e-mail account for a verification e-mail. Click the link in this e-mail to verify your e-mail address.
3. Return to the Battle.net account management page, then click on ‘Code Redemption’.
4. Enter the above CDKey in the code field.5. Once you have successfully redeemed this code, you will be able to play the game.
NOTE: If you have previously chosen to gift your digital purchase, attaching this key to their Battle.net account will prevent you from being able to redeem this key with your Battle.net account.
Order Date: 2010-8-10
Order #: 2573775(1) StarCraft II®: Wings of Liberty™ – $59.99
Credit Card Number : ****-****-****-9527
Credit Card Type : Vista
Item Subtotal: $59.99
Tax: $0.00
Shipping & Handling: $0.00
Shipping Tax: $0.00
Grand Total: $59.99
===========================================If you have any questions or concerns about your order, please contact us at:
Phone: Toll-free at (1-800-592-5499)
Website: http://us.blizzard.net/accountLive phone support is available seven days a week, 8:00AM – 8:00PM Pacific Time.
Thanks for shopping with us!
Blizzard Customer Service
I like the use of ® and ™! Those are definitely nice touches. However, a real Blizzard receipt begins by greeting you with the name on the account, and this one just says “Hello.” Moving on, the CD key should have dashes. Whoops. Next we see “Battle.n Account – Or Create a Battle.net Account”: within a few words they misspell Battle.net and then give you the proper spelling. Then there’s the gratuitous capitalization throughout, seen here on “Account,” “Or,” and “Create.” There are several other small, unprofessional and inconsistent bits, like the missing line breaks between some of the numbered steps, and “CDKey” lacking a space. Another awesome failure: the “Vista” credit card type! A couple of lines lower, an itemized “Shipping Tax” on a digital purchase seems off.
To be fair, if you were expecting a StarCraft II email (sadly, the phishers are two weeks late) and gave it only a quick glance, the email could work. The From line even shows “Blizzard Entertainment” as the sender! However, digging deeper into the email header we see more incorrect details:
from Blizzard Entertainment
to seth@sethholloway.com
date Wed, Aug 11, 2010 at 8:46 PM
subject Battle.net Account Management
mailed-by hotmail.com
Mailed by hotmail? Phishy. Gmail’s mailed-by field shows the domain of the server that actually handed the message over (the envelope sender that passed the SPF check), not the display name in the From line, so “Blizzard Entertainment” mailed by hotmail.com is a dead giveaway. Details, details!
Also, it’s important to hover over links before following them… This is probably my favorite part: “wowsuppor-check-blizzard.com.” I guess wowsupport-check-blizzard.com was already registered.
And, of course, official Blizzard emails direct you to us.battle.net instead of blizzard.com. Details!
Another detail that reeks of fraud is the use of “WoW”/“wow”, which refers to another Blizzard product, World of Warcraft. Account management, StarCraft II, and World of Warcraft blend into one weak attempt at phishing.
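The checks above (From display name versus the domain that actually mailed the message, and link text versus where the href really goes) are easy to automate. Here is a small Python script, added to this post as an example (it is not code from the original post or from Blizzard), that runs them over a raw message. The message it parses is constructed to carry the same tells as the email quoted above but is not that email, and the trusted-domain list is an assumption for the example.

```python
"""Triage a suspected phishing e-mail the way the post does by hand.

Added example, not code from the original post. It compares the From display
name with the actual sending domains and checks every link in the HTML body
for text/href mismatches and brand look-alike domains. The trusted-domain
list and the message below are constructed assumptions for the example.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: where the brand really mails from and links to.
TRUSTED_DOMAINS = {"battle.net", "blizzard.com"}
BRAND_TOKENS = ("blizzard", "battle")

# Constructed sample with the same tells as the message quoted in the post;
# it is not that message.
RAW_EMAIL = b"""\
Return-Path: <promo.desk.2010@hotmail.com>
From: Blizzard Entertainment <promo.desk.2010@hotmail.com>
To: seth@sethholloway.com
Subject: Battle.net Account Management
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hello, thank you for shopping at the Blizzard Store!</p>
<p>Log in at <a href="http://wowsuppor-check-blizzard.com/login">
https://us.battle.net/account</a> to redeem your key.</p>
<p>Questions? <a href="http://us.battle.net/support">Support</a></p>
</body></html>
"""


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); real code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def sender_checks(msg):
    """Findings about who actually sent the message (From vs. envelope sender)."""
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_dom = registrable_domain(addr.rpartition("@")[2])
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_dom = registrable_domain(return_path.rpartition("@")[2]) if return_path else ""
    if any(t in display.lower() for t in BRAND_TOKENS) and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display}' but From domain is {from_dom}")
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender {rp_dom} differs from From domain {from_dom}")
    if rp_dom and rp_dom not in TRUSTED_DOMAINS:
        findings.append(f"mailed by {rp_dom}, which is not a trusted domain")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def link_checks(html):
    """Findings for links whose target is not where the text says, or not trusted."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"link text shows {shown} but href goes to {host}")
        elif registrable_domain(host) not in TRUSTED_DOMAINS:
            kind = "brand look-alike" if any(t in host for t in BRAND_TOKENS) else "untrusted"
            findings.append(f"{kind} link target {host}")
    return findings


def triage(raw_bytes):
    """Run both sets of checks over a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {"sender": sender_checks(msg), "links": link_checks(html)}


if __name__ == "__main__":
    for section, items in triage(RAW_EMAIL).items():
        print(section, *items, sep="\n  ")
```

Run it and the two findings you get are exactly the ones that gave this email away: a brand name on a free-webmail address, and link text that says us.battle.net while the href goes to the look-alike domain. The domain logic is deliberately crude (last two labels); anything beyond a toy should use the Public Suffix List so that co.uk-style domains are handled.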
I believe that every critique should come with a suggestion, so here’s mine: buy a legitimate copy of StarCraft II and copy the official email exactly, changing only the link (from the official site to your faked site). Then replicate their website and direct people to the fake. To Blizzard’s credit, they do not make copying the page easy, because they cleverly use dynamically rendered Ajax elements with obfuscated JavaScript and XSLT. They also have a lot of content and they update the pages regularly. Another idea: direct people to your domain, infect their computer with malware, and quickly forward them to battle.net so they’re none the wiser.
If you want to step up to the big leagues, you’ll have to concentrate on the details!
-
Rails 3 document.on error
Posted on July 18th, 2010 1 comment
I’m working through Agile Web Development with Rails, 4th Edition. Overall, the book is well written (readable, with nice depth and breadth, and a great running example, an ecommerce site) and I would recommend it highly; however, Chapter 11, adding Ajax support to the cart, has given me hell.
I spent hours working through the example a couple of times, diffing my source against the source code provided, starting and restarting the server, trying multiple browsers (Safari, Firefox, Chrome), grepping for errors, and googling. Finally, I arrived at the solution:
To remedy this problem, I updated my public/javascripts/prototype.js file from the prototype download page. At the time of writing, that was http://prototypejs.org/assets/2010/5/13/prototype.js
Debugging
Here are the steps I followed to track down the problem.
First, I noticed that the page was refreshing every time I pressed an “Add to Cart” button. I made sure the necessary files were in place and that the create action I was Ajaxifying had a JavaScript response defined. To ensure the button was properly defined, I viewed the source and confirmed the element had the attribute data-remote=”true”. Despite proper HTML and Ruby, development.log showed that the request was still being processed as HTML instead of JavaScript:
Started POST “/line_items?product_id=3″ for 127.0.0.1 at Sun Jul 18 21:06:41 -0500 2010
Processing by LineItemsController#create as HTML
Parameters: {“product_id”=>”3″, “authenticity_token”=>”Dsv044fqfo7H46jLYx3e6qnbCgqk3Tcoij6pqbOQZx4=”}
So I checked the browser errors. Firefox showed
Error: document.on is not a function
Source File: http://localhost:3000/javascripts/rails.js?1277734011
Line: 136
Inspecting the element in Chrome I saw
Uncaught TypeError: Object #<an HTMLDocument> has no method ‘on’
Looking at the rails.js file, line 136, we see
    document.on("click", "*[data-confirm]", function(event, element) {
      var message = element.readAttribute('data-confirm');
      if (!confirm(message)) event.stop();
    });
Between the errors and the rails.js file, we see that neither the included JavaScript files nor the browser defined the method. document.on is the event-delegation API that Prototype added in 1.7; the Rails 3 UJS driver (rails.js) assumes it, while the generated application still shipped Prototype 1.6.1, so a stale prototype.js is the first thing to check before digging into the Ruby side. A new Rails 3 patch will upgrade the bundled Prototype from 1.6.1 to 1.7rc2, so future generations will not experience this fun.
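A check that would have saved those hours: confirm that the Prototype you actually serve is new enough for the UJS driver before debugging anything else. The Python script below is an added example (it is not code from the book, from Rails, or from the Prototype project). It reads the version banner Prototype prints in the comment at the top of prototype.js, scans rails.js for calls to document.on, and compares the two, treating release candidates such as 1.7_rc2 as older than the final 1.7. The two file snippets it contains are constructed stand-ins for the real files.

```python
"""Pre-flight check for the Prototype/rails.js mismatch described above.

Added example, not code from the book or from Rails. Prototype prints its
version in the banner comment at the top of prototype.js, and rails.js calls
document.on(...), the event-delegation API that Prototype introduced in 1.7.
The two source snippets below are constructed stand-ins for the real files.
"""
import re

VERSION_RE = re.compile(r"Prototype JavaScript framework, version\s+([\w.]+)")
DELEGATION_RE = re.compile(r"\bdocument\.on\s*\(")
# document.on first appeared in 1.7 (the release candidates included).
MIN_FOR_DELEGATION = "1.7_rc1"

# Constructed stand-ins (assumption): the banner line of each prototype.js
# and the rails.js line the browser choked on.
OLD_PROTOTYPE = "/*  Prototype JavaScript framework, version 1.6.1\n"
NEW_PROTOTYPE = "/*  Prototype JavaScript framework, version 1.7_rc2\n"
RAILS_JS = """\
document.on("click", "*[data-confirm]", function(event, element) {
  var message = element.readAttribute('data-confirm');
  if (!confirm(message)) event.stop();
});
"""


def parse_version(text):
    """'1.6.1' -> ((1, 6, 1), 1, 0); '1.7_rc2' -> ((1, 7, 0), 0, 2).

    Release candidates sort before the final release of the same number.
    """
    number, _, tag = text.partition("_")
    nums = tuple(int(p) for p in number.split("."))
    nums += (0,) * (3 - len(nums))
    m = re.fullmatch(r"rc(\d+)", tag)
    return (nums, 0, int(m.group(1))) if m else (nums, 1, 0)


def prototype_version(src):
    """Version string from the prototype.js banner, or None if absent."""
    m = VERSION_RE.search(src)
    return m.group(1) if m else None


def needs_delegation(src):
    """True if a UJS driver uses document.on(...)."""
    return DELEGATION_RE.search(src) is not None


def check(prototype_src, driver_src):
    """(ok, reason): whether this prototype.js can run this rails.js."""
    version = prototype_version(prototype_src)
    if version is None:
        return False, "no Prototype version banner found"
    if not needs_delegation(driver_src):
        return True, f"Prototype {version}: driver does not use document.on"
    if parse_version(version) >= parse_version(MIN_FOR_DELEGATION):
        return True, f"Prototype {version} provides document.on"
    return False, f"Prototype {version} lacks document.on; need {MIN_FOR_DELEGATION}+"


if __name__ == "__main__":
    for src in (OLD_PROTOTYPE, NEW_PROTOTYPE):
        print(check(src, RAILS_JS))
```

Point the two inputs at the real public/javascripts/prototype.js and rails.js (read the files instead of the embedded strings) and it reports the mismatch in one line. The same idea applies to any vendored JavaScript library: pin the version you tested against and check it, rather than trusting whatever the generator happened to copy in.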
-
Flash, you sneaky bastard!
Posted on February 21st, 2010 No comments
Flash, the popular multimedia platform that helps make websites more interactive, keeps cookies separate from your web browser’s cookies. They’re called local shared objects (LSOs), and like all things Flash they may be a security hole. Clearing your browser’s cookies does not touch them, every browser on the machine shares them, and trackers have used them to re-create (“respawn”) HTTP cookies that users had deliberately deleted.
There are a number of directories where the flash cookies may be stored. For example, on Mac OS X, LSOs are stored in two locations:
- ~/Library/Preferences/Macromedia/Flash\ Player/#SharedObjects/
- ~/Library/Preferences/Macromedia/Flash\ Player/macromedia.com/support/flashplayer/sys/
And there are more possible! For a detailed list, check the list of locations in Wikipedia’s LSO entry.
You can manually navigate to these locations and delete nasty ad-tracking/malware-hosting objects; however, while deleting unwanted cookies is worthwhile, it’s not a good long-term solution. I recommend you update your Flash settings (this interface also lets you delete your LSOs) now! There are several tabs to look through, but don’t worry, it’s quick. Make sure you deny access to your camera and microphone! For finer-grained control, the Firefox extension Objection helps track and eliminate Flash cookies.
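If you would rather see what is on disk before trusting a settings panel, here is a Python script, added to this post as an example (not code from the original post or from Adobe), that walks the two Mac OS X locations listed above, groups every .sol file by the site that wrote it, and deletes the ones outside an allowlist. It dry-runs by default and never touches the player’s own global settings.sol. The paths, the allowlist and the sample tree that demo() builds in a temporary directory are assumptions for the example.

```python
"""Inventory and prune Flash local shared objects (.sol files).

Added example, not from the original post. It walks the two Mac OS X locations
listed above, groups every .sol by the site that wrote it, and removes those
outside an allowlist; the run is a dry run unless told otherwise. The paths,
the allowlist and the sample tree in demo() are assumptions for the example.
"""
import os
import tempfile
from pathlib import Path

FLASH_DIR = Path(os.path.expanduser("~")) / "Library/Preferences/Macromedia/Flash Player"
LSO_ROOTS = [
    FLASH_DIR / "#SharedObjects",
    FLASH_DIR / "macromedia.com/support/flashplayer/sys",
]


def site_for(sol_path, root):
    """Site that owns a .sol, from its path under root.

    Layouts: #SharedObjects/<random>/<site>/.../name.sol and sys/#<site>/settings.sol.
    Files with no site component (the player's global settings.sol) are "(global)".
    """
    for part in sol_path.relative_to(root).parent.parts:
        name = part.lstrip("#")
        if "." in name:
            return name.lower()
    return "(global)"


def inventory(roots):
    """{site: [(path, size_bytes, mtime)]} for every .sol under the roots."""
    found = {}
    for root in roots:
        if not root.is_dir():
            continue
        for sol in root.rglob("*.sol"):
            stat = sol.stat()
            found.setdefault(site_for(sol, root), []).append((sol, stat.st_size, stat.st_mtime))
    return found


def allowed(site, allow):
    """True for an allowlisted site or any subdomain of one."""
    return any(site == a or site.endswith("." + a) for a in allow)


def prune(roots, allow, dry_run=True):
    """Paths of .sol files outside the allowlist; deleted unless dry_run."""
    doomed = []
    for site, entries in inventory(roots).items():
        if site == "(global)" or allowed(site, allow):
            continue  # keep the player's own settings and allowlisted sites
        doomed.extend(path for path, _, _ in entries)
    if not dry_run:
        for path in doomed:
            path.unlink()
    return doomed


def demo():
    """Build a constructed tree in a temp dir and run inventory + prune on it."""
    sample = [  # constructed sample, mirroring the real layout
        "#SharedObjects/ABCD1234/www.youtube.com/soundData.sol",
        "#SharedObjects/ABCD1234/ads.tracker-example.net/uid.sol",
        "macromedia.com/support/flashplayer/sys/#www.youtube.com/settings.sol",
        "macromedia.com/support/flashplayer/sys/#ads.tracker-example.net/settings.sol",
        "macromedia.com/support/flashplayer/sys/settings.sol",
    ]
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        for rel in sample:
            (base / rel).parent.mkdir(parents=True, exist_ok=True)
            (base / rel).write_bytes(b"\x00\xbf")  # stub; real files hold AMF data
        roots = [base / "#SharedObjects", base / "macromedia.com/support/flashplayer/sys"]
        sites = sorted(inventory(roots))
        removed = sorted(p.relative_to(base).as_posix()
                         for p in prune(roots, {"youtube.com"}, dry_run=False))
        left = sorted(p.relative_to(base).as_posix() for r in roots for p in r.rglob("*.sol"))
    return {"sites": sites, "removed": removed, "left": left}


if __name__ == "__main__":
    for site, entries in inventory(LSO_ROOTS).items():
        print(site, len(entries), "file(s)")
    print("would remove:", *prune(LSO_ROOTS, allow={"youtube.com"}), sep="\n  ")
```

Running it as a script only lists what it would remove; pass dry_run=False to prune() once you are happy with the allowlist. Deleting the per-site settings.sol under sys/ also discards that site’s camera and microphone permissions, which is usually what you want.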
Whatever your strategy, I wish you luck!
-
Get notifications when concerts come?
Posted on June 17th, 2009 1 comment
Does anyone know of a website or method to be notified when your favorite artist is coming to town?
For example, I’d love to see Mike Doughty, Ben Folds, and They Might Be Giants in concert, but I always miss the ticket sales. I’ve tried to check their websites periodically, but I forget for a few months then miss the show. I’ve listened for announcements on the radio, but I do not listen to the radio consistently enough. Most recently, I’ve subscribed to RSS feeds from my favorite artists and this method is working, although I feel it is suboptimal.
My brother just mentioned a similar experience where he missed seeing the guitar-thumping virtuoso Andy McKee. (If you don’t know what I mean when I say “guitar-thumping virtuoso,” check Andy out below.)
While not the most pressing issue in the world, not receiving relevant and timely updates for artists seems to be a common problem. Is there a solution? Show your 1337ness and help me out. Any tips would be appreciated!
-
Designing Based on Data
Posted on May 15th, 2009 No comments
After my last Usability course this semester a designer/peer, Andrea Richeson, and I were chatting. She asked me if the course had changed the way I think about designers. I did not have a good answer at the time because I fancy myself a bit of a designer: I’ve created several websites (MPC, SE, SSE, SethHolloway.com) and I constantly build/tinker in both virtual and physical spaces. Beyond considering myself a programmer and designer, I found usability testing to be an amazingly practical part of creating something for people. The methods are similar to my favorite software development methodology, agile development: get the requirements, do a small piece, fix what is broken and ensure people like the effort so far, repeat. After some reflection I can say the course did not really change my view on design; it gave me a framework for evaluating and altering design based on user data.
Fresh out of the class with a solid understanding of the art of usability testing, I was taken aback while reading a New York Times article about a designer who left Google and went to Twitter. He left Google because of their rigid adherence to trusting data. I am confused how a designer could disagree with trusting data. If you do not like this approach, you don’t believe in (1) the way they collect data or (2) trusting the users. The article does not explain how Google collects their data nor does it explain the designer’s disdain, but from what I read I think Google’s approach is perfect.
Google receives millions of unique visitors per day and they are known for changing elements on the page (think of the whimsical, dynamic elements like logo changes and the “Feeling Lucky” button), so it is not hard to believe that Google would put up different designs of the same page. Now, a fraction of the millions of users sees one design and another fraction sees the other design. From the web server’s standpoint, data collection is fairly easy–especially with AJAX-enabled dynamic pages: just stream events to the server for logging. Later, a human can analyze the data and make decisions. With sample sizes in the thousands, statistical validity is almost guaranteed!
The approach is wonderful: people’s behavior determines the best design for the job and the data is collected without the user’s knowledge. What’s better than getting people’s feedback without their knowledge? Hidden camera shows have always exposed wonderful insights, but we can only get at the truth when people let their guard down.
That is how I imagine the data is collected, and the approach seems infallible, thus I must conclude that the designer does not believe in trusting users despite the flawless data collection methods. Even outlandish designs can yield positive results. I’m sure I’m missing nuances, but I side with Google. I believe in designing based on data because it keeps us moving towards usable, pleasing designs.
-
Wicked awesome new theme
Posted on February 24th, 2009 7 comments
Lane isn’t the only one changing his theme! After upgrading to the impressive new WordPress 2.7 I found the beautiful Gears theme and edited it to fit my tastes. I hope you enjoy the updated look. Integrating Google Analytics into the new theme took a couple of tweaks, similar to putting Analytics into the default theme. If you need help adding Analytics to Gears, send me a message and I’ll try to help.
So, what do you think? Is Gears, as customized by yours truly, not wicked awesome?
-
Let Google do the heavy lifting!
Posted on February 19th, 2009 3 comments
I love Google. They represent so many positive ideas about technology and offer an amazing suite of tools. Gmail is fantastic. I adore Google Calendar. Google Scholar is the only site I need for research. Google Reader is the best RSS feed reader on the market. Google Docs works like a charm and is infinitely handy. I have entrusted my workflow to Google and had positive results. They’ve taken over the heavy lifting and ushered in an era of browser-based productivity that I agree with wholeheartedly. I’m excited today to use yet another Google service: I added Google Analytics to the site.
In last week’s Introduction to Usability course we discussed good and bad websites, and one student selected Google Analytics as a good website. The Analytics page provides all the necessary statistics on your site’s traffic, including visitors’ approximate locations (derived from their IP addresses), the number of unique visitors, and timing. It was characteristically Google: clean, easy to use, and hugely useful. I had no idea the service was free!
Inspired by the class, I checked into Google Analytics further and signed up. I added http://www.sethholloway.com to the service and they generated the necessary JavaScript; they even told me where to place it (though I already knew enough HTML to insert the scripts).
Here’s the generated javascript:
    <script type="text/javascript">
    var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");
    // Pulls ga.js from Google; like any third-party script it runs with full access to this page.
    document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));
    </script>
    <script type="text/javascript">
    try {
      var pageTracker = _gat._getTracker("UA-7555904-1");
      pageTracker._trackPageview();
    } catch(err) {}
    </script>
And the only change necessary to gather statistics from across the blog is contained in header.php. From your WordPress admin panel click Appearance->Editor->Header (header.php). Then locate this bit of code and insert the generated code where I placed the comment below:
    <?php if ( is_singular() ) wp_enqueue_script( 'comment-reply' ); ?>
    <?php wp_head(); ?>
    <!-- PASTE GOOGLE ANALYTICS CODE HERE AND REMOVE THIS LINE -->
    </head>
    <body>
    <div id="page">
That’s it! So simple! So useful! If you haven’t already signed up for Google Analytics, do it now. The service is free, incredibly helpful and easy to use; even better, installation will take you less time than heating up that Hot Pocket!
-
Do we need AV software?
Posted on December 14th, 2008 2 comments
Do we need AV software? It is naive to think that safe practices alone will protect you; there are simply too many ways to get into a system. You need something to protect your computer, and good AV software won’t hurt.
I was reading a Lifehacker article asking readers about antivirus (AV) software. The range of knowledge conveyed in the comments is ridiculous. Some users claimed they had never had a virus. There are known botnets with over a million machines. I doubt that all million machines are owned by a single individual, which means there are many users who are either willingly letting someone use their machine or are unaware of the heist. With the sophistication of modern malware (rootkits, automatic replication, polymorphic code that changes its signature, etc.), it is silly to claim you would even know if you had a virus.
A couple of users claimed that there has never been a virus for Linux. I don’t even know where to start on that one. Definitely false. Any script kiddie could gain access to a Linux system that has not been hardened. There are a number of measures a system administrator can take to mitigate threats on Linux, but not every Linux user is a sysadmin. Services like ssh listening by default (particularly with password authentication enabled) increase the risk greatly. The power of the Linux command line and easy access to development tools make follow-on attacks easier to launch.
People seem to define “virus” strangely. Some malware, like Vundo, triggers a lot of pop-ups but won’t necessarily crater your system. Other malware that does not brick your machine is passively collecting information, waiting for further instructions, or launching attacks. You don’t even have to open a file to be at risk. You don’t even have to be online: infected USB keys (and other input devices) can infect a computer that isn’t connected.
It’s not just careless users either. Viruses come from your friends and people you trust. Elaborate social networking hoaxes are being performed every day, and every day they get more convincing. Malware distributors have some of the most professional websites online. Their UI and interface design mimic trusted providers, so a quick glance will not immediately reveal a problem. You have to realize and appreciate the ingenuity of the nefarious Internet warriors: they’re smart, creative, and talented.
Comparisons have shown that no one piece of antivirus software will catch all viruses, so your best bet is to
1) be safe:
- Don’t open links in emails. Type the URL into the address bar on your own.
- Be mindful of what your friends are sending you. Would Suzy really send you a link to get rich quick?
- Avoid the worst of the web (pornography, gambling, warez)
and 2) run a few different tools:
- AVG (or avast!) – Antivirus
- PeerGuardian 2 – IP Blocker
- Ad-Aware – Antispyware
So do we need AV software? Yes. You can never be totally safe, but you can mitigate your risks. Use common sense, a few tools, and perform frequent backups. Good luck!
-
Get Things Done: Related work… or Why don’t tech sites use modern technology?
Posted on December 2nd, 2008 1 comment
As I perfect my PhD workflow I’m learning a lot. I’ve gotten much more efficient at finding related work and target conferences; I’ve improved my writing and organizational skills; I’ve found a number of tools that make my life easier (for example I use Google Docs to track references and write drafts so that I can view them from any Internet-connected computer). However, now I’m at the point where I know my topic and I need to stay current on the research. From what I can tell, most academics do this by reading the program from conferences related to their work. That’s fine as a backup, but there’s got to be an easier way! Why not automate the delivery of related articles or entire conference proceedings?
As a dedicated RSS fan (RSS feeds are a great way to keep up with the latest news!) I would love to subscribe to my 10 conferences and have them publish to my reader as soon as the proceedings are available. However, IEEE and ACM do not publish papers or articles via RSS! I understand conferences are big money makers so you may want to make people pay for the content, but I get emails and magazines from IEEE that I could receive instead as an RSS feed. Groups that represent the height of technological research are 10 years behind the times!
Thanks to blogs, Twitter, Facebook, and the raft of immediate media, everyone is a publisher. IEEE and ACM seem to be following the print newspaper model, which is neither 1) economically feasible nor 2) good for spreading your brand. Don’t try to hoard content in hopes of making more money. I get more interesting research from Wired than I do from IEEE because IEEE withholds the work. (That’s hyperbole of course; my job is to cruise for papers and UT has an amazing infrastructure in place for doing so. However, Wired does make it much easier to find interesting technology.)
Until I find another way, I plan on setting up Google alerts (sent to my RSS reader) to notify me of conference proceedings and/or make related work searches into RSS feeds (i.e. get a notification when a new rolling alarm clock is discussed). Does anyone else see the irony in all this? Has anyone found an easier way to stay up to date with research in your area?