Last updated: December 11, 2017 02:23 PM (All times are UTC.)

December 10, 2017

  • There is no ethical impact of my job; I build technological systems and it’s up to others how they use them.
  • Software is a purely technical discipline.
  • There is some innate affinity for computer programming which you must be born with, and cannot be taught.
  • Allowing people who are unlike me to program can only be achieved by “lowering the bar”.
  • Compiled languages are always faster.
  • floating point calculations will introduce non-deterministic errors into numerical results.
  • OK, they introduce some errors into numerical results.
  • alright I understand that floating point calculations are imprecise not inaccurate, Mister Pedantic Blog Author, but I cannot know what that imprecision is.
  • at least the outcome of integer maths is always defined.
  • fine, it’s not defined. But whatever it was, the result of doing arithmetic on two numbers that each fit in a data register itself fits in a data register.
  • every computer on sale today (2017) uses two’s complement notation for negative numbers.
  • every computer on sale today uses a register width that’s a multiple of eight bits.
  • the bug isn’t in my code.
  • the bug isn’t in the library.
  • the bug isn’t in the operating system.
  • the bug isn’t in the compiler.
  • the bug isn’t in the kernel.
  • the bug isn’t in the hardware.
  • bug-free computer hardware is completely deterministic.
  • the lines on the hardware bus/bridge are always either at the voltage that represents 0 or the voltage that represents 1.
  • if my tests cover 100% of my lines of code then I have complete coverage.
  • if my tests cover 100% of my statements then I have complete coverage.
  • if my tests cover 100% of my conditions then I have complete coverage.
  • if I have complete test coverage then I have no bugs.
  • if I have complete test coverage then I do not need a type system.
  • if I have a type system then I do not need complete test coverage.
  • no hacker will target my system.
  • information security is about protecting systems from hackers.
  • if the problem is SQL Injection, then the solution is to replace SQL; NoSQL Injection is impossible.
  • my project is a special snowflake; I can reject that technique I read about without considering it.
  • my project is much like that unicorn startup or public company’s project; I can adopt that technique I read about without considering it.
  • people who do not use my language, technique, framework, tool, methodology, paradigm or other practice do not get it.
  • any metaprogramming expansion will resolve in reasonable time.
  • any type annotation will resolve in reasonable time.
  • OK, well at least any regular expression will resolve in reasonable time.
  • can you at least, please, allow that regular expressions are regular?

I’m sure there must be more.

December 09, 2017

Apple said it has fixed an undisclosed vulnerability in its HomeKit framework that...

December 08, 2017

Give end-users a persistent full-featured Windows desktop in the Cloud for business-critical desktop resources. Always-on, device-agnostic and with a completely customisable familiar Windows desktop experience from virtually any device. Simplify resource-intensive projects like compliance, security policy enforcement, new hires and contract resource provisioning by centralising administration and management, all within a single streamlined portal. Take the steps necessary to safeguard technology and intellectual assets against compromise, without increasing capital expenditure.

Considered harmless by Graham Lee

Don’t like a new way of working? Just point out the absurdity of suggesting that the old way was broken:

Somehow, the microservices folks have failed to notice all that software that was in fact delivered as monoliths.

What the Rust Evangelism Strike Force doesn’t realise is that we’ve spent decades successfully building C programs that don’t dereference the NULL pointer.

This is a sort of “[C|Monoliths] considered harmless” statement. Yes, it’s possible to do it that way, but that doesn’t mean that there aren’t problems, or at least trade-offs. “C considered harmless” is as untrue and unhelpful as “C considered harmful”; what we want is “C considered alongside alternatives”.

December 07, 2017

Using a free tool called Spinner, researchers identified certificate pinning vulnerabilities in mobile...

December 06, 2017

An upgrade to practices and technologies to eliminate the possibility of human error...
As part of its December Android and Pixel/Nexus security updates, Google has issued...

Object-Oriented Programming is quite simple: it’s just choosing what function to run based on the parameters to the function (whether through method sending like Smalltalk, polymorphic lookup like CLOS, or table searching like C++: usually pattern-matching like Haskell would be excluded here).

Object-Oriented Analysis and Design is the thing where we represent our problem domain, and our solution, as a collection of objects, often categorised into classes, where the classes have particular relationships, properties and behaviours. And that is the thing that programmers often struggle with.

Whether it’s hard because OOA/D is hard, or because the problem domains are hard, or because OOA/D is not applicable to the problem domains, is not addressed here.

December 05, 2017

TeamViewer says it has issued a hotfix to address a bug that allows...
A proof of concept attack developed by researchers target users of the development...

December 04, 2017

Researchers have found a variant of Ursnif Trojan they said is a “v3...

We’re looking for a friendly, organised Project Manager to join us in our Solihull office, to help us release cool things faster, better and smarter. You’ll be based in the creative team working on exciting websites and applications for high-profile clients including Asda, Nickelodeon and Carphone Warehouse. We’re a tech-focused business. We’re fun, fast-growing, open and ambitious. We’re […]

The post Project Manager appeared first on stickee - technology that sticks.

December 01, 2017

There’s been a lot of speculation about foreign involvement in the UK supply...

Reading List by Bruce Lawson (@brucel)

If you missed the earlier blogs and don't know what CyBOK is -...

Many of us have an allergic reaction to goal setting. We’ve set goals before and not stuck to them, so why bother this time?

If a person doesn’t have a goal, they can’t fail. That’s why so many don’t set goals: they don’t want to set themselves up for failure.

In the article To Whom Do We Bow, Mel Weitsman writes:

“If you think about all the things that you promised yourself you would do and didn’t do, and look back on that, you’d be amazed at all the intentions you had that you didn’t honour. Sometimes this holds us back.“

Getting over our past failed attempts at goal setting requires a mindset shift. Rather than seeing goals as these binary, success or failure metrics, try thinking of them as guiding principles. If you set a goal and you get 80% of the way there, you’ll be better off than if you didn’t set a goal in the first place.

That’s the way I see goals. They’re milestones in a bigger journey. They’re stepping stones to where and who I want to be.

3 mistakes people make when setting goals

These are the mistakes I’ve made and have observed others making when it comes to goal setting.

Mistake 1: Setting bad goals

The most common mistake is simply not thinking through your goals properly. You’ve probably heard of the acronym “SMART”. Yes, it sounds a little silly and comes straight from business school 101, but it’s worth keeping in mind when creating new goals. Let’s recap on what SMART means:

Specific – The more specific your goal, the better. You want to avoid vague, lofty goals.
Measurable – The goal should be measurable to keep you on track. Adding a number usually helps.
Achievable – Make sure the goal is realistic. Goals should push you, but they should also be possible. Do you have the time or resources to accomplish the goal?
Relevant – Is the goal relevant to your current situation? We’re all in different phases of life or business, so make sure the goal aligns with where you’re at.
Time-based – Put a deadline on the goal. As the saying goes, a goal without a deadline is just a wish.

Mistake 2: Setting too many goals

The mistake I make most often is trying to do too much. If you set too many goals, you’ll lack the focus to achieve them. I set 3-5 goals per quarter, which usually includes 1 or 2 bigger goals and a couple of smaller habit-based goals. Working in 12 week intervals has worked well for me. It’s a big enough chunk of time to make real progress, but small enough that you can review, change direction (if required), and set new goals several times throughout the year.

Mistake 3: Not reviewing goals on a regular basis

Most goals aren’t achieved simply because they’re forgotten about. I know I’ve done it. I’ve set a new years resolution, then gone about my year, only to find the resolution I’d written down 3 months later. If you don’t have a system for reviewing your goals, you’ll likely forgot them. Each week, or even every day, run by your goals. Reviewing your goals helps clarify what you should be working on. Each day, I try and do at least one thing that moves me closer to achieving my goals. It’s a great way to make progress on the things I care about.

The framework I use for setting good goals (and an example)

I like to escape from the day-to-day noise and really think about where I want to be heading before goal setting. I’m idea generating and note taking for weeks before I actually sit down to think about the goals I want to set for the next quarter. Don’t rush this process. I’ll often come up with 10 or more goals, before discarding or pushing back the things that are less important. Again, aim for 5 goals or less.

This is the framework I use for each goal that I create:

1. Write up the goal, making sure it’s SMART (specific, measurable, achievable, relevant and time-based).

2. Write your motivations for achieving that goal. These are short statements about why the goal is important to you. It’s good to keep these motivations in mind while reviewing your goals.

3. Set a reward for when you achieve your goal. This is often missed: we rarely celebrate what we achieve. Write down how you will celebrate. It could be buying something you want, taking someone out to dinner, or going to see a band or comedian you like. It doesn’t have to be expensive, but it should motivate you.

4. Finally, write down the next steps. What are a few simple actions that can move you towards your goal? You don’t need to plan out the entire project – in fact, you probably shouldn’t – you just want enough to get you started.

Here are some questions to ask yourself while putting together your goals:

  • What one thing do you need to do this year for you to consider it a success? That’s what you should focus on.
  • What goals can you set that focus on helping others? Personal goals are important, but setting goals that focus on other people can have a positive impact on your happiness.
  • What do you need to say no to in order to accomplish your goals?

Here’s an example of a goal I set this quarter. I had neglected my mailing list and wanted to start sending out monthly newsletter again.

Goal: Send out monthly newsletter on November and December 1st

Motivations
To get back in the habit of sending regular newsletters
To keep my list warm and engage with like-minded people
Drive traffic to my blog
To share what I learn

Reward
Buy a bottle of Ardbeg Uigeadail (one of my favourite whiskies)

Next steps
Move all subscribers to one list in MailChimp
Decide on new newsletter name
Modify existing email template to fit new format
Draft ideas for first newsletter
Schedule first newsletter in MailChimp on Monday 30th Oct

Now the important part begins

Goals by themselves are meaningless. Setting a goal is easy, it’s following through that’s difficult. To achieve our goals, we need a system we can rely on. Here’s how I do it:

1. Write down your goals using the format above. Get them down on paper (the act of writing by hand helps reinforce them).

2. List the projects that you’re working on that contribute to your overall goals. Prioritise as much as you can. Add the projects that don’t contribute to your list of goals to the “must avoid at all costs list”. You can come back to these but for now they’re not important.

3. Break down each project into actionable chunks. Each chunk should be something you can complete in a 1-2 hour sitting. Add them to a Trello board or your todo list system of choice.

4. Book time on your calendar to work through the items above. If it’s not in the schedule, it’s not going to happen. Every day, try and accomplish just one item. There’s approximately 251 working days this year; that’s a lot of progress you can be making.

5. Review your goals daily. Reviewing keeps you on track and focused. You’ll be more inclined to say “no” to things that don’t matter.

I often refer back to Will Smith’s analogy of the brick wall:

“You don’t set out to build a wall. You don’t say I’m going to build the biggest, greatest wall that has ever been built. You say I’m gonna lay this brick as perfectly as a brick can be laid and you do that every single day and soon you have a wall.”

And that’s the key to accomplishing your own goals: breaking them down into small actionable items and then consistently working on them one at a time.

November 30, 2017

A Cisco Systems security advisory is urges users of its WebEx platform to...
Researchers say a new remote access Trojan dubbed UBoatRAT is targeting individuals or...

We’re looking for a friendly, organised Project Manager to join us in our Solihull office, to help us release cool things faster, better and smarter.You’ll...

The post Project Manager appeared first on stickee - technology that sticks.

November 29, 2017

We’re looking for a friendly, organised Client Service Manager to join us in our Solihull office, to help us release cool things faster, better and smarter. You’ll be based in the creative team working on exciting websites and applications for high-profile clients including Asda, Nickelodeon and Carphone Warehouse. We’re a tech-focused business. We’re fun, fast-growing, open and […]

The post Client Service Manager appeared first on stickee - technology that sticks.

A major bug in Apple’s macOS High Sierra gives anyone with physical access...

November 28, 2017

For the second time in ten days, researchers at UpGuard released sensitive data...

November 27, 2017

Researcher Troy Hunt is credited for tipping image sharing site Imgur off to...
Qihoo 360 Netlab researchers reported on Friday that they are tracking an uptick...

November 26, 2017

In creating a pull request for GNUstep-base, the Free Software implementation of the Foundation library from Objective-C, I realised that if there was ever a time for GNUstep, now is it.

Although GNUstep may have been envisaged as an official desktop for the GNU system – a role now fulfilled by GNOME – it has always had another position as an alternative deployment venue for OpenStep, and then Cocoa, codebases. People have done this to obtain cross-platform support (I know of a test tool that was built for Mac, Linux and Windows using GNUstep), to take advantage of better, or cheaper, server deployment on Linux, or to act as an ‘escape lane’, a place to take your code if your platform vendor changes direction.

This ability to hedge against a vendor’s whims has come in handy before: in 2001, when WebObjects 5 ditched Objective-C support in favour of Java, Objective-C WebObjects applications could be deployed on modern platforms through GNUstep Web or on legacy WebObjects 4 systems. It may come in handy again.

Even if Apple do, indefinitely, support Objective-C, the plain fact is that their community does not. Conference talks, blog posts, and community discussion now take place using Swift, which for those with an interest in Objective-C or those supporting existing code makes it harder to gain help or even to feel membership.

A vendor-independent association of Objective-C developers all interested in giving their code a comfortable, stable home is now more important than ever. May all your messages have receivers.

November 24, 2017

Advice on presentations – including that given on this blog, is often geared toward the “showbusiness” presentation. We’re usually talking about the big conference talk or product launch, where you can afford to put in the time to make a good, slick performance: a few days of preparation for a half-hour talk is not unheard of.

Not every presentation fits that mould. There are plenty where putting so much time into the presentation would be harmful, but where is the guidance on constructing those presentations?

The minor event

If you spent a few days preparing for a sprint-end demo, or reporting back to your team on some study you did, you’d significantly harm your productivity on the rest of your job. In these contexts, you want to spend a small amount of time building your talk, and you still want to put on a good show: to make your team and your stakeholders feel happy about the work you did, or to make the case persuasively for the tool or technique you studied.

As such, in these cases I still build an outline for my talk outside of the presentation software, and construct my slides to follow the outline. I’ve used OmniOutliner in the past, I use emacs org-mode now, you could use a list of bullets in MarkDown or a pen and a sheet of paper. It doesn’t matter, what matters is that you get what you want to say structured in one place, and the slides that support the presentation done separately.

I try to keep these slides text-free, particularly if the presentation is short, so that people don’t get distracted reading them. If I’m reporting on progress, then screenshots of some progress dashboard make for quickly-constructed slides. My current team shows its burndown every sprint end, that’s a quick screencapture that tells the story of the last two weeks. If there’s some headline figure (26 stories delivered; 80% of MVP scope complete; 2 new people on the team) then a slide containing that number makes for a good backdrop to talking about the subject.

The recurrent deck

The antithesis of the conference keynote presentation style, the recurrent deck is a collection of slides you’ll use over and over again. Your approach to integrating with third-party APIs, your software architecture philosophy, your business goals for 2018…you’ll need to present these over and over again in different contexts.

More to the point, other people will want to present them, too: someone in sales will answer a question about integration by using your integration slides. Your department director will present your team’s goals in the context of her department’s goals. And this works the other way: you can use your CEO’s slide on product strategy to help situate your team goals.

So throw out everything you learned about crafting the slides to fit the story. What you’re doing here is coming up with a reusable visual that can support any story related to the same information. I try to make these slides as information-rich as possible, though still diagrammatic rather than textual to avoid the presentation failure mode of reading out the slide. My current diagram tool is Lucidchart, as it’s my company’s standard, I’ve used OmniGraffle and dia too. Whatever tool, follow the house style (e.g. colour schemes, fonts, iconography) so that when you mash up your slides and your CEO’s slides, it still looks like a coherent presentation.

I try to make each slide self-contained, because I or someone else might take one to use in a different presentation so a single idea shouldn’t need a six-slide reveal and a colleague will find it harder to reuse the slide if it isn’t self-explanatory.

A frequent anti-pattern in slide design is to include the “page number” on the slide: not only is that information useless in a presentation, the only likely outcome is a continuity error when you drag a few slides from different sources to throw a talk together and don’t renumber them. Or worse, can’t: I’ve been given slides before that are screenshots of whatever slide was originally built, so the number is part of a bitmap.

Good reusable slide libraries will also be a boon in quickly constructing the minor event presentations: “we did this because that” can be told with one novel part (we did this) and one appeal to the library (because that).

A proof-of-concept attack demonstrates how adversaries can abuse Microsoft’s Active Directory Federation Services...
In the past, cyber attackers have often been unaware of how much stolen data is worth to organisations. However, the implementation of GDPR means that organisations can be fined up to 4% of their global annual turnover or €20m, whichever is greater, if found to have a data breach. These fines effectively provide cyber criminals with a price point for criminals to understand how much the data is worth to organisations.
The way your product development process is set up has a big, but sometimes poorly visible,...

November 23, 2017

It seems that firmware vulnerabilities are just like buses, you wait for one...

My attention was drawn to a product called “mahabis”, and now the world seems ever so slightly but irrevocably a sadder place. It’s some kind of slipper for hipsters (so why are they not called “Slipsters”?) with a website full of moody stock photography models and portentous bullshit text. For example, they are not merely selling overpriced lesiure shoes —oh, no!— they are “reinventing the traditional slipper” so that wearing them becomes an “everyday adventure” of “finding perfection in the mundane”. This is not copywriting. This is copy-shite-ing.

In their Frequently Asked Questions (how frequently, by whom?) they claim to be “based out of london. our product is quintessentially british.” No it bloody isn’t, or you’d say “we’re based *in* London”. Sod off. And “tell me more about the company” isn’t a bloody question. It’s an imperative that no human being ever says. Except for Venture Capitalists, bank managers and financial journalists — and they are not human.

Dear Copywriter: sentences and proper nouns (like “London”) need to start with capital letters. Basic English punctuation is what I call “quintessentially British”. And tiny light-grey text on a white background is SHIT.

unreadable shit

Mahabis are apparently the “essence of chill”. Bullshit. Essence of chill, literally, is chlorofluorocarbons or other regrigerants. Or beer.

Like every pompous brand bereft of ideas, “all our products are simple, functional, but strive for a simple universal aesthetic. endless reduction till we find something that no longer needs the complexity of explanation”. If they don’t need explaining, why is there a page of instructions on how to out them on? With bloody diagrams. How hard is putting on some shoes?

And how much does a pair of Slipsters cost? £89! They also sell candles and stupid notebooks, which tells you all you need to know.

Abolish the internet now.

November 22, 2017

Backups are a last defense and control from having to pay ransom for...
Uber CEO said a 2016 data breach that exposed 57 million Uber user...

November 21, 2017

Intel released eight patches for vulnerabilities in remote management software and firmware that...

I frequently see posts/articles/screeds asking why people don’t contribute to open source. If it’s important that recipients of open source software contribute upstream, and you are angry when they don’t, why use licences like MIT, Apache, GPL or BSD that don’t require upstream collaboration?

Back in the day, Apple released their public source code under version 1 of the Apple Public Source Licence, which required users who changed the source to fill in a form notifying Apple of their changes. You could do the same, and not be angry.

November 20, 2017

US-CERT is warning of a vulnerability in Microsoft’s implementation of Address Space Layout...

The Case for RSS by Marc Jenkins (@marcjenkins)

David Sparks on why he prefers to use RSS:

The reason I’ve stuck with RSS is the way in which I work. Twitter is the social network that I participate in most and yet sometimes days go by where I don’t load the application. I like to work in focused bursts. If I’m deep into writing a book or a legal client project. I basically ignore everything else. I close my mail application, tell my phone service to take my calls, and I definitely don’t open Twitter. When I finish the job, I can then go back to the Internet. I’ll check in on Twitter, but I won’t be able to get my news from it. That only works if you go into Twitter much more frequently than I do. That’s why RSS is such a great solution for me. If a few days go by, I can open RSS and go through my carefully curated list of websites and get caught back up with the world.

When Google Reader shut down in 2013, I stopped using RSS. RSS felt like yet another inbox to attend to, so I ditched it and used Twitter instead. But in the past few months, I’ve returned to RSS and I’ve thoroughly enjoyed keeping up with a select few sites.

My return to RSS was based on two factors:

1) I’m using Twitter way less than I used to. I’m not enjoying it as much as I did. Twitter was how I kept up, but not anymore.
2) I’m using an iPad more. Reading RSS feeds on a tablet-sized device is a great experience.

I completely agree with Sparks advice on subscribing to high signal, low noise sites:

RSS is so easy to implement that it’s a slippery slope between having RSS feeds for just a few websites and instead of having RSS feeds for hundreds of websites. If you’re not careful, every time you open your RSS reader, there will be 1,000 unread articles waiting for you, which completely defeats the purpose of using RSS. The trick to using RSS is to be brutal with your subscriptions. I think the key is looking for websites with high signal and low noise. Sites that publish one or two articles a day (or even one to two articles a week) but make them good articles are much more valuable and RSS feed than sites that published 30 articles a day.

It's the Black Friday sales soon, and many of you will be thinking...

November 18, 2017

In the world of physics, there are many different models that can be used, though typically each of them has different applicability to different contexts. At the small scale, quantum physics is a very useful model, Newtonian physics will yield evidently incorrect predictions so is less valuable. Where a Newtonian model gives sufficiently accurate results, it’s a lot easier to work with than quantum or relativistic mechanics.

All of these models are used to describe the same universe – the same underlying collection of observations that can systematically be categorised, modelled and predicted.

Physical science (or experimental philosophy) does not work in the same way as computational philosophy. There are physical realisations of computational systems, typically manifested as electronic systems or pencil-and-paper simulations. But the software, the abstract configurations of ideas that run on those systems, exist in entirely separate space and are merely (though the fact that this is possible is immensely powerful) translated into the electronic or paper medium.

Of course one model for the software system is to abstract the electronic: to consider the movement of electrons as the presence of voltages at terminals; to group terminals as registers or busses; to further abstract this range of voltages as 0 and that range as 1. And indeed that model frequently is useful.

Frequently, that model is not useful. And the great thing is that we get to select from a panoply of other models, at some small or large remove from the physical model. We can use these models separately, or simultaneously. You can think of a software system as a network of messages passed between independent objects, as a flow of data through transformers, as a sequence of state changes, as a graph of single-argument functions, as something else, or as a combination of these things. Each is useful, each is powerful, all are applicable.

Sometimes, I can use these models to make decisions about representing the logical structure of these systems, transforming a concept into a representation that’s valid in the model. If I have a statement in a mathematical formulation of my problem, “for any a drawn from the set of Articles there exists a p drawn from the set of People such that p is the principal author of a” then I can build a function, or a method, or a query, or a predicate, or a procedure, or a subroutine, or a spreadsheet cell, or a process, that given an article will yield exactly one person who is the principal author of that article.

Sometimes, I use the models to avoid the conceptual or logical layers at all and express my problem as if it is a software solution. Object-oriented analysis and design, data flow modelling, and other techniques can be used to represent a logical model, or they can be used to bash the problem straight into a physical model without having thought about the problem in the abstract. “Shut up and code” is an extreme example of this approach, in which the physical model is realised without any attempt to tie it to a logical or conceptual design. I’ll know correct when I see it.

I don’t see a lot of value in collecting programming languages. I can’t count the number of different programming languages I’ve used, and many of them are entirely similar. C and JavaScript both have sequences of expressions that are built into statements that are built into procedures. Both let me build aggregations of data and procedures that either let me organise sequential programs, represent objects, represent functions, or do something else.

But collecting the models, the different representations of systems conceptually that can be expressed as software, sometimes called paradigms: this is very interesting. This is what lets me think about representing problems in different ways, and come up with efficient (conceptually or physically) solutions.

More paradigms, please.

November 17, 2017

Amazon said it will offer a fix for its Amazon Key delivery service...

‘Tis the season to be merry and celebrate – but it’s also the season to shop. A lot. From Black Friday all the way up...

The post 3 steps to make the most of your seasonal marketing campaigns appeared first on stickee - technology that sticks.

Reading List by Bruce Lawson (@brucel)

‘Tis the season to be merry and celebrate – but it’s also the season to shop. A lot. From Black Friday all the way up to Christmas and the new year, UK consumers will be looking to spend more than ever. The holiday season is the perfect time to attract more visitors and customers to […]

The post 3 steps to make the most of your seasonal marketing campaigns appeared first on stickee - technology that sticks.

Have you ever wondered what it's like to work in the NCSC Vulnerability Research...

November 16, 2017

Oracle pushed out an emergency update for vulnerabilities dubbed 'JoltandBleed' affecting five of...

Writing Wrong by Andy Wootton (@WooTube)

I’ve always admired skillful calligraphy and my handwriting isn’t awful, so I’ve thought for a few years that I’d like to try some simple lettering for an art-break from all the digital typing. I’ve bought some cheap cartridge pens with italic nibs in a range of widths. They are flat ended, so they make a broad stroke when used vertically and thin horizontally. I’ve always assumed calligraphers modified the width of the line by rotating the pen. They don’t.

I discovered that modern calligraphers use a pointed nib that splays with pressure, to vary line-width. Now, of course, I’ve realised that would be a lot easier to simulate with a pressure sensitive tablet, without all the messy ink. I can’t help it; I’m a software guy. I’m more about the tools than the medium and I like to have an undo.


The White House released a charter document on Wednesday outlining how the U.S....

On 3 November, the Queen and Uncle Timbo (Sir Tim Berners-Lee to you) came round to Lawson Towers to threaten me with a punch in the face and a karate chop if I didn’t co-edit the W3C HTML5 spec.

So I said yes — they look pretty frightening, I think you’ll agree.

Tim Berners Lee with fist raised, and the Queen making a karate chop gesture

There’s a pretty groovy and diverse team, including Patricia Aas who works on the Vivaldi browser; my friend and ex-Opera Devrel colleague, Shwetank Dixit who lives and works in India for Barrier Break, an accessibility organisation; ex-Opera chum Sangwhan Moon; long-haired digital trouble maker who does “Open Standards at GDS” (Government Digital Service), Terence Eden; Xiaoqian Wu of W3C and Steve Faulkner of The Paciello Group, another accessibility organisation.

I’m currently advising Wix Engineering on web standards. As an independent consultant, I’m not representing Wix, but obviously any relevant lessons we’ve learned by open-sourcing our Stylable CSS for Components pre-processor will be fed back to the W3C Working Groups.

A lot of people have asked me why there are two HTML specs – the Living Standard at WHATWG, and the HTML5.x specs at W3C. What’s the difference? And which should you use? The answer: it depends. (Well, this is web development, after all).

Spec implementors (primarily, browser vendors) implement from the WHATWG spec. The painstakingly algorithmic WHATWG document is exactly what we need so that browsers implement interoperably. But it’s hard for web authors (the million or so normal folk worldwide who write HTML to make websites) to get advice on how best to write good HTML from the WHATWG spec.

I’ve long used Steve Faulkner’s excellent guidance on HTML and ARIA, for example. The WHATWG spec is a future-facing document; lots of ideas are incubated there. The W3C spec is a snapshot of what works interoperably – authors who don’t care much about what may or may not be round the corner, but who need solid advice on what works now may find this spec easier to use.

For example, the WHATWG spec talks of the outlining algorithm, whereby a heading element such as <h1> changes its “level” depending on how it’s nested in <article>, <section> etc. I wish this actually worked, because it’s useful and elegant. However, as the W3C spec says “There are currently no known native implementations of the outline algorithm in graphical browsers or assistive technology user agents” and so advises “Authors should use heading rank (h1-h6) to convey document structure.”

I believe the latter spec is more useful to people writing websites today.

I’ve got lots of friends in WHATWG and believe it when I wrote that the strength of the web over last 7 years has been due to WHATWG. In my opinion, the work that WHATWG did saved the Web from irrelevance, while the W3C went meandering around XML-land instead. I’ve discussed this with some friends in WHATWG and W3C, too, to canvas opinion. They told me HTML needs a cute little mascot, so I’m stepping up to the plate.

I don’t want the W3C and WHATWG specs to diverge in substantive matters, and hope that useful authoring advice we produce can make its way into both specs.

Vive open standards!

November 15, 2017

Cisco Systems issued patch that fixes a critical vulnerability impacting 12 products running...

November 14, 2017

This month, Microsoft's Patch Tuesday updates tackle fixes for 53 security bugs in...

Midland Writing by Andy Wootton (@WooTube)

At the both junior schools and the senior school in my village, sports days were organised by competing ‘houses’, named after great Staffordshire people. I think I remember Walton, Wedgwood, Dalton, Spode, Minton, Garrick and at least once I was in Johnson. On Sunday I finally made the long-overdue pilgrimage to visit The Samuel Johnson Birthplace Museum & Bookshop in Lichfield, having greatly enjoyed a Summer-time visit to Erasmus Darwin’s house, only a short walk away.

Johnson went to Lichfield Grammar School then Stourbridge before going to Oxford. he left after about a year, enraged at an anonymous gift of new shoes, the last straw in his attempt to cope with his relative poverty. After his marriage and a failed attempt to open a new school in Lichfield, which only attracted 3 pupils, he ran away to London with his pupil, the great actor David Garrick, who remained a life-long friend.

I’d also been to visit Johnson’s rented London home at 17 Gough Square in the City of London where he worked from 1748 to 1759, mostly on ‘A Dictionary of the English Language’. Johnson also spent some of his later years with Mr. Henry & Mrs Hester Thrale of Streatham who owned the Anchor Brewery, where Johnson also had an apartment and he remained in contact with Hester until she remarried after her husband’s death, when he cut off their friendship.

I tried writing with a quill pen which reminded me that my attempt to learn some basic calligraphy had lapsed. Johnson’s father Michael was a bookseller. I didn’t know that this also meant bookbinder. The books arrived as printed blocks to be bound on site. Johnson was first published in Birmingham by John Baskerville, now a resident of Warstone Lane Cemetery.

Since, I looked at therange.co.uk where I knew I had seen calligraphy dip pen sets. The ones I had remembered are by Manuscript, https://www.calligraphy.co.uk/. They come with a nib tin bearing the logo of D. Leonardt & Co. of Birmingham. They have now moved to Shropshire, along with Joseph Gillot, now part of William Mitchell Ltd. https://www.williammitchellcalligraphy.co.uk/ They are the only remaining English pen manufacturers. In 1850, Birmingham manufactured half of the world’s pens.

I also learned that I’ve been using the wrong kind of pen. Italic pens are not the route to good calligraphy.


In my last blog I talked a little bit about sociotechnical systems, and the fact...
Shadow IT is the term most related to the risk associated with the...
Cyber attacks are becoming more frequent in the business world today. In light of this, cyber security has become one of the leading concerns for UK businesses. Research conducted by Serviceteam IT in August 2017, revealed over a third of respondents had experienced an increase in cyber security incidents in the past 12 months.

November 13, 2017

Phishing remains the biggest account takeover threat to Google users, surpassing keyloggers and...

November 12, 2017

I wrote a Web Component by Stuart Langridge (@sil)

I’ve been meaning to play with Web Components for a little while now. After I saw Ben Nadel create a Twitter tweet progress indicator with Angular and Lucas Leandro did the same with Vue.js I thought, here’s a chance to experiment.

Web Components involve a whole bunch of different dovetailing specs; HTML imports, custom elements, shadow DOM, HTML templates. I didn’t want to have to use the HTML template and import stuff if I could avoid it, and pleasantly you actually don’t need it. Essentially, you can create a custom element named whatever-you-want and then just add <whatever-you-want someattr="somevalue">content here</whatever-you-want> elements to your page, and it all works. This is good.

To define a new type of element, you use window.customElements.define('your-element-name', YourClass).1 YourClass is an ES2016 JavaScript class. 2 So, we start like this:


window.customElements.define('twitter-circle-count', class extends HTMLElement {
});

The class has a constructor method which sets everything up. In our case, we’re going to create an SVG with two circles: the “indicator” (which is the one that changes colour and fills in as you add characters), and the “track” (which is the one that’s always present and shows where the line of the circle goes). Then we shrink and grow the “indicator” circle by using Jake Archibald’s dash-offset technique. This is all perfectly expressed by Ben Nadel’s diagram, which I hope he doesn’t mind me borrowing because it’s great.

So, we need to dynamically create an SVG. The SVG we want will look basically like this:


<svg viewBox="0 0 100 100" xmlns="http://www.w3.org/2000/svg">
  <circle cx="50" cy="50" r="45" 
  style="stroke: #9E9E9E"></circle>
  <circle cx="50" cy="50" r="45" 
  style="stroke: #333333)"></circle>
</svg>

Let’s set that SVG up in our element’s constructor:


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  constructor() {
    /* You must call super() first in the constructor. */
    super();

    /* Create the SVG. Note that we need createElementNS, not createElement */
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");

    /* Create the track. Note createElementNS. Note also that "this" refers to
       this element, so we've got a reference to it for later. */
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    /* And create the indicator, by duplicating the track */
    this.indicator = this.track.cloneNode(true);

    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
  }
});

Now we need to actually add that created SVG to the document. For that, we create a shadow root. This is basically a little separate HTML document, inside your element, which is isolated from the rest of the page. Styles set in the main page won’t apply to stuff in your component; styles set in your component won’t leak out to the rest of the page.3 This is easy with attachShadow, which returns you this shadow root, which you can then treat like a normal node:


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  constructor() {
    super();
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    this.indicator = this.track.cloneNode(true);

    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
    let shadowRoot = this.attachShadow({mode: 'open'});
    shadowRoot.appendChild(svg);
  }
});

Now, we want to allow people to set the colours of our circles. The way to do this is with CSS custom properties. Basically, you can invent any new property name you like, as long as it’s prefixed with --. So we invent two: --track-color and --circle-color. We then set the two circles to be those colours by using CSS’s var() syntax; this lets us say “use this variable if it’s set, or use this default value if it isn’t”. So our user can style our element with twitter-circle-count { --track-color: #eee; } and it’ll work.

Annoyingly, it doesn’t seem to be easily possible to use existing CSS properties for this; there doesn’t seem to be a good way to have the standard property color set the circle colour.4 One has to use a custom variable even if there’s a “real” CSS property that would be appropriate. I’m hoping I’m wrong about this and there is a sensible way to do it that I just haven’t discovered.5 (Update: Matt Machell mentions currentColor which would work perfectly for this example, but it only works for color; there’s no way of setting other properties like, say, font-size on the component and having that explicitly propagate down to a particular element in the component; there’s no currentFontSize. I don’t know why color gets special treatment, even though the special treatment would solve my particular problem.)


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  constructor() {
    super();
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    this.indicator = this.track.cloneNode(true);
    this.track.style.stroke = "var(--track-color, #9E9E9E)";
    this.indicator.style.stroke = "var(--circle-color, #333333)";
    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
    let shadowRoot = this.attachShadow({mode: 'open'});
    shadowRoot.appendChild(svg);
  }
});

We want our little element to be inline-block. To set properties on the element itself, from inside the element, there is a special CSS selector, :host.6 Add a <style> element inside the component and it only applies to the component (this is special “scoped style” magic), and setting :host styles the root of your element:


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  constructor() {
    super();
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    this.indicator = this.track.cloneNode(true);
    this.track.style.stroke = "var(--track-color, #9E9E9E)";
    this.indicator.style.stroke = "var(--circle-color, #333333)";
    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
    let shadowRoot = this.attachShadow({mode: 'open'});
    shadowRoot.appendChild(svg);
    var style = document.createElement("style");
    style.innerHTML = ":host { display: inline-block; position: relative; contain: content; }";
    shadowRoot.appendChild(style);
  }
});

Next, we need to be able to set the properties which define the value of the counter — how much progress it should show. Having value and max properties similar to an <input type="range"> seems logical here. For this, we define a little function setDashOffset which sets the stroke-dashoffset style on our indicator. We then call that function in two places. One is in connectedCallback, a method which is called when our custom element is first inserted into the document. The second is whenever our value or max attributes change. That gets set up by defining observedAttributes, which returns a list of attributes that we want to watch; whenever one of those attributes changes, attributeChangedCallback is called.


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  static get observedAttributes() {
    return ['value', 'max'];
  }
  attributeChangedCallback(name, oldValue, newValue) {
    this.setDashOffset();
  }
  setDashOffset() {
    var mx = parseInt(this.getAttribute("max"), 10);
    if (isNaN(mx)) mx = 100;
    var value = parseInt(this.getAttribute("value"), 10);
    if (isNaN(value)) value = 0;
    this.indicator.style.strokeDashoffset = this.circumference - 
        (value * this.circumference / mx);
  }
  constructor() {
    super();
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    this.indicator = this.track.cloneNode(true);

    this.track.style.stroke = "var(--track-color, #9E9E9E)";
    this.indicator.style.stroke = "var(--circle-color, #333333)";
    /* We know what the circumference of our circle is. It doesn't matter
       how big the element is, because the SVG is always 100x100 in its own
       "internal coordinates": that's what the viewBox means. So the circle
       always has a 45px radius, and so its circumference is always the same,
       2πr. Store this for later. */
    this.circumference = 3.14 * (45 * 2);

    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
    let shadowRoot = this.attachShadow({mode: 'open'});
    shadowRoot.appendChild(svg);
    var style = document.createElement("style");
    style.innerHTML = ":host { display: inline-block; position: relative; contain: content; }";
    shadowRoot.appendChild(style);
  }
  connectedCallback() {
    this.setDashOffset();
  }
});

This works if the user of the component does counter.setAttribute("value", "50"), but it doesn’t make counter.value = 50 work, and it’s nice to provide these direct JavaScript APIs as well. For that we need to define a getter and a setter for each.


window.customElements.define('twitter-circle-count', class extends HTMLElement {
  static get observedAttributes() {
    return ['value', 'max'];
  }
  attributeChangedCallback(name, oldValue, newValue) {
    this.setDashOffset();
  }
  setDashOffset() {
    var mx = parseInt(this.getAttribute("max"), 10);
    if (isNaN(mx)) mx = this.defaultMax;
    var value = parseInt(this.getAttribute("value"), 10);
    if (isNaN(value)) value = this.defaultValue;
    this.indicator.style.strokeDashoffset = this.circumference - (
        value * this.circumference / mx);
  }
  get value() {
    var value = this.getAttribute('value');
    if (isNaN(value)) return this.defaultValue;
    return value;
  }
  set value(value) { this.setAttribute("value", value); }
  get max() {
    var mx = this.getAttribute('max');
    if (isNaN(mx)) return this.defaultMax;
    return max;
  }
  set value(value) { this.setAttribute("value", value); }
  constructor() {
    super();
    var svg = document.createElementNS("http://www.w3.org/2000/svg", "svg");
    svg.setAttribute("viewBox", "0 0 100 100");
    svg.setAttribute("xmlns", "http://www.w3.org/2000/svg");
    this.track = document.createElementNS("http://www.w3.org/2000/svg", "circle");
    this.track.setAttribute("cx", "50");
    this.track.setAttribute("cy", "50");
    this.track.setAttribute("r", "45");
    this.indicator = this.track.cloneNode(true);
    this.track.style.stroke = "var(--track-color, #9E9E9E)";
    this.indicator.style.stroke = "var(--circle-color, #333333)";
    this.circumference = 3.14 * (45 * 2);
    svg.appendChild(this.track);
    svg.appendChild(this.indicator);
    let shadowRoot = this.attachShadow({mode: 'open'});
    shadowRoot.appendChild(svg);
    var style = document.createElement("style");
    style.innerHTML = ":host { display: inline-block; position: relative; contain: content; }";
    shadowRoot.appendChild(style);
    this.defaultValue = 50;
    this.defaultMax = 100;
  }
  connectedCallback() {
    this.setDashOffset();
  }
});

And that’s all we need. We can now create our twitter-circle-count element and hook it up to a textarea like this:

<twitter-circle-count value="0" max="280"></twitter-circle-count>
<p>Type in here</p>
<textarea rows=3 cols=40></textarea>
twitter-circle-count {
  width: 30px;
  height: 30px;
  --track-color: #ddd;
  --circle-color: #333;
  --text-color: #888;
}
// we use input, not keyup, because that fires when text is cut or pasted
// thank you Dave MN for that insight
document.querySelector("textarea").addEventListener("input", function() {
  document.querySelector("twitter-circle-count").setAttribute("value", this.value.length);
}, false);

and it works! I also added a text counter and a couple of other nicenesses, such as making the indicator animate to its position, and included a polyfill to add support in browsers that don’t have it.7

Here’s the counter:

Type some text in here:

  1. I relied for a lot of this understanding on Google’s web components documentation by Eric Bidelman.
  2. All this stuff is present already in Chrome; for other browsers you may need polyfills, and I’ll get to that later.
  3. Pedant posse: yes, it’s a bit more complicated than this. One step at a time.
  4. It would be possible to have color apply to our circle colour by monitoring changes to the element’s style, but that’s a nightmare.
  5. QML does this by setting “aliases”; in a component, you can say property alias foo: subelement.bar and setting foo on an instance of my component propagates through and sets bar on the subelement. This is a really good idea, and I wish Web Components did it somehow.
  6. Firefox doesn’t seem to support this yet, either :host or scoping styles so they don’t leak out of the component, so I’ve also set display:inline-block and position:relative on the twitter-circle-count selector in my normal CSS. This should be fixed soon.
  7. Mikeal Rogers has a really nice technique here for bundling your web component with a polyfill which is also worth considering.

November 10, 2017

Long term readers will have noticed, and everybody else is about to be told, that this blog has had posts in the Responsibility category since 2010. I’m not rigorous in my use of WordPress categories, but it’s not much of a stretch to assume that most of those 40 posts touch on professional ethics, and that most of the posts on ethics in this blog are in that category.

In recent times, the idea that maybe the world of computing should take its head out of its butt and consider its impact on wider society has escaped the confines of goggle-eyed loon practitioners like yours truly and hit the mainstream. In the UK, newspapers call for change: the leftist Guardian writes “Big tech is broken”, and liberal centrist paper the Independent tells us that “Those of us with any sense of morality should hate Apple“. Editorials document how social media platforms, decrying fake news while running ads for anyone with the dollars, have supplanted democratic rule with new, transnational, shareholder-run government. They show how the new unicorn startups achieve their valuations by disrupting labour law, reversing centuries of gains in workers’ rights by introducing the neoserfdom of gig economies and zero-hour contracts.

Software is eating the world, and turning it into shit. You can no longer pretend that it isn’t happening, and that you are not playing a part. That supporting the success of your favoured multibillionaire transnational platform vendor isn’t helping to consolidate ownership of society among the multibillionaire platform vendors. That your part is just making the rockets go up, and that where they come down is a different department. That your job is not a position in society and without consequence.

IBM’s X-Force Research team reports hackers attacking Brazilian banks are using the Windows...

November 09, 2017

Microsoft published guidance for Windows admins on how to safely disable Dynamic Data...
Back to Top