Class A, Baby!

Usually I blame the Chinese for every shortage or surfeit, and while they are definitely participating in this particular drought, it would be difficult to pin the blame wholly on them. Much of the problem lies closer to home.

You see, the world is running out of IP addresses. An IP address is like a computer’s phone number on the Internet. When you type muddledramblings.com, you start a complicated series of interactions (“I don’t know where that is, but I know who to ask…”) out there in the Interwebs and eventually it is resolved that what you’re looking for is computer 173.245.60.121. You get the same answer for JersSoftwareHut.com and jerryseeger.com. (That’s actually an IP owned by CloudFlare, who sends things on to the actual IP of 66.116.108.197. But that’s not what matters here…)

At the time of this writing, jer.is-a-geek.com resolves to 98.210.116.58, the IP of my home router. The actual number may change, but there will always be an IP address used up by the router. (Don’t bother going there; there’s nothing to see unless you use ssh and already have a key installed on your computer. (The key file itself is locked with a password I may have forgotten.))

Anyway, the IP address is a finite number, and so there is a limit to the total number of computers connected directly to the Internet. This is a very, very big number, but when they came up with the number they didn’t think people’s toasters (and telephones, and cars) would be connected to the Internet. (In your house, most likely your computers and other gadgets go through a router or a modem. That router has to have a unique ID, but the rest of your network uses a special range of IP’s reserved for internal networks. So, your household only eats up one of the limited supply.)

We are starting to reach the limits of the IP system, just as in the US there was a shortage of telephone numbers. (Some of the reasons we ran out of phone numbers are similar as well, as I’ll mention in a bit.)

With phone numbers they split areas into smaller chunks, and created new area codes. While there was the inconvenience of people’s area codes changing, everything still worked.

The Techno-Wizards who run the Internet saw the IP problem coming some time ago, and set out to solve it. What they came up with was IPv6 (currently we are using IPv4). The only problem: the two systems are not compatible. So now a new network based on IPv6 is being deployed, and the people on it can’t look at Web sites that have IPv4 addresses without some sort of middleman. Sucks to be one of those guys. (Muddled Ramblings is now visible on the IPv6 network thanks to CloudFlare.)

Meanwhile, at work, my team needed an IP address for one of our servers. We were advised by a coworker to just go ahead and grab a block of 256 addresses, so we’d have them if we needed them. Really? When IP addresses are running out?

Yep. It turns out that long ago, organizations who were on the ball could buy up huge blocks of IP addresses on the cheap. MIT bought a Class A* block, as did Stanford (who has given it back, I believe), the Army National Guard, IBM, HP (they have DEC’s block now, too, I think), and Apple. Each Class A block has almost 17 million IP addresses, and represents a significant chunk of all the IP addresses available.

The US military has several blocks, and the British military has some as well.

Oh, and Amateur Radio Digital Communications has a Class A, along with Prudential Securities. Ford and Daimler. Three or four pharmaceutical companies. (I imagine Merck or whoever bought one, and their competitors followed suit out of habit.)

I think you might now be getting a glimpse of a core problem. The huge blocks of IP addresses were allotted to whoever asked for them, with no requirement that the organization actually show that they needed them or would not hoard them. Does Eli Lilly have a side business as a data center?

A possibly-apocryphal story I was told the other day: Back when IPs were up for grabs, someone at Apple proposed that they snag a Class A. The powers that be decided against the move, so he got the purchase of the block wedged into the budget for something completely unrelated. It turns out to have been a pretty savvy move. Now every IP address that starts 17. belongs to Apple.

Of the companies on that list, I’d certainly say Apple has more business owning a Class A block than many of the others. Whether the US Military really needs all those huge blocks I’m not qualified to argue. But the fact remains that while we would be running out of IP addresses eventually anyway, the careless and haphazard way they were originally handed out exacerbated the problem mightily.

I mean, does the Department of Social Security in the UK really need 16.7 million IP addresses? Really?

* The term ‘Class A’ is a little out of date, but reads better than ‘/8 block’

Note 1: I got my information here and there on the Internet, then found it all here.

Note 2: This episode contains a lot of parenthetical comments, part of my crusade to address the global overabundance of parentheses. I encourage you to use a few extras as well, until supply is back in balance with demand. (As usual, I blame the Chinese for the surfeit.)

The Rise and Fall of Adobe Flash

A long, long time ago, I wanted to make lava lamp buttons for my Web site. I wanted the shape of the lava blobs to be random and mathematically controlled, and it had to be done with vector graphics – animated gifs would have been huge to provide something that even remotely felt random, and back in those days most people connected with dialup modems.

I searched high and low for a vector animation tool and couldn’t find one. There was Macromedia Director, which I used extensively back then, which put out files for Web play in a format called Shockwave, but it wasn’t a true vector-based program. Not the right tool for lava lamp buttons, that was for sure. I’d started playing with a java applet to draw my buttons, but it seemed like vector animation was something the Web really needed. I mentioned this to a friend of mine, and he said, “Oh I know some guys with the tool you’re looking for.” At the time it was called FutureSplash.

I mentioned FutureSplash to my boss. It was going to be huge, I predicted. His response: “Maybe we should buy them.” (Ah, those dot-com boom days, how I miss them.) Three days later Macromedia announced that they had bought FutureSplash (for a lot more than we could have paid) and contracted the name to Flash.

The rest is history — until the present.

There was even a time when I imagined that a lot of the Web would end up as Flash. Or at least it should. Flash had a lot of things right that HTML had managed to screw up. You could do a lot more, and with Flash the Web experience began to approach the quality of experience people had in other parts of their computing lives.

Macromedia and later Adobe seemed to go out of their way to prevent Flash from taking over the Web. Creating Flash became ever more complex and ever more expensive. Nowhere was the simple “baby Flash” that Joe Amateur could use to build a nice site without first getting extensive training and shelling out a few hundred bucks for tools.

Meanwhile, Flash designers didn’t help in those early years, either. So much Flash became “look what I can do” rather than “look how I can make your visit to my Web site better” that Jane Surfer started resenting Flash. “I waited 60 seconds to download this?” A good example of that sort of waste is at the top of this page, in fact. There are a couple of fun things in the banner, but they don’t enhance the Muddled Experience very much.

Now, the world is shifting again. If you’re reading this site from your iPad, you don’t see the banner at all. No Flash in iOS. This is something the other tablet manufacturers have made a big deal of—but maybe not for very much longer. Microsoft’s next tablet OS won’t support Flash, either.

HTML, the platform I get paid to dislike, is becoming HTML, the platform I get paid to deal with. HTML5, CSS3, full SVG support, and robust JavaScript libraries make possible just about everything Flash can do, without Flash. That’s a lot of things to learn and manage to get a job done, however. Before, a designer could just master Flash and be confident that their work would look right wherever the Flash plugin was installed.

What’s needed is a tool like Flash that, after you’re done designing, outputs your masterpiece in Web-standard format, with HTML, CSS, and JavaScript. When something like that comes out, the handwriting will be on the wall for Flash.

And here it is. Adobe, makers of Flash, have announced Edge, the animation tool that will eventually replace Flash. It looks pretty good. It doesn’t do anything remotely close to what Flash does (no mention of audio that I’ve found, for instance, so my banner would have to forego the theme song, and interactivity will have to be handled outside the tool as well, as far as my first glance tells me), but it does a great deal, and when you’re done the product will work in all modern browsers, including mobile ones. Adobe has applied their long, long experience making animation tools to make the user interface slick and clean (though you will want a really big monitor).

Flash will be around a long, long time yet; it still lets a developer build Web-based user interfaces that would be a pain in the butt to create from HTML and the rest of the alphabet soup. That gap is narrowing, however, and as Edge gains in features (and, alas, complexity), the marginalization of Flash will accelerate. I’m impressed that Adobe said, “If Flash dies, we’ll be the ones to kill it.” They really are the right people for the job. Now all we need is “baby Edge.”

Seven? Really?

A few days ago the Firefox team let forth a new major release. 7.0.1. Seven. That’s a lot of progress since earlier this year when they floated Firefox 4.

Most software companies would have labeled this release 4.3. The Firefox team has eschewed the first dot and has decided to make any release with a feature change a new major release. There is no n.1; the first decimal digit is entirely vestigial. There was no 4.1. There was no 5.1 or 6.1. There will be no 7.1, just 7.0.1. This might sound stupid, unless you have Inside Information. Which I have, thanks to Wikipedia.

The Internet Explorer team at Microsoft, sworn rivals of Firefox, are nonetheless ok guys who want to make this whole Web thing work. Back in the day when the Firefox team kicked the ass of the web world and released a browser that not only defined standards but provided the tools to help Web developers code to those standards, team FF were the guys to beat. On the release of FF3, the boys at Microsoft sent the team a cake. Firefox 4 was similarly honored. And FF5. And so on.

And now we see the real reason behind the accelerated numbering. Each major release gets a cake. If I was in charge, there’d be a new major version every Thursday.

* The Firefox team joked about sending a cake to Microsoft to honor IE 8 (or 7 or 9 and you shouldn’t ask me to remember shit like that), but they would send the cake along with the recipe. Open-source cake. But (as far as history records) they didn’t. Would’a been funny. There’s talk and there’s action, and seriously you don’t want to be on the losing side of that with Microsoft.

Your Most Important Password

I’ve mentioned passwords before, but today I’d like to tell you about the most important password in your possession, the single password that keeps the hordes at bay.

Take a moment to think about the passwords you use for your various secret stuff. If you’re like me, you have your ordinary password for unimportant stuff, then you ratchet up the entropy for sites that involve money. For a long time I had two passwords, my ‘secure’ one and my ‘other’ one. Now I’ve started taking my passwords a lot more seriously, which means keeping a file of all my passwords, itself protected with massive encryption and the most awesome passphrase ever. No one’s getting into that file.

But here’s the thing: they don’t have to. There’s another password I have that’s just as powerful and easier for a bad guy to use. My primary email password.

How does that password drop my trousers universally? Simple: if someone had access to my email, they could click “I forgot my password” on every site in the world and harvest the responses. If the evil robot cleared out the emails before I read them, I’d be none the wiser. And I’d be fucked.

You might think your online banking password is the one you must protect most diligently, but your email password will hand them your bank account along with everything else. This is the password to protect and change regularly.

As an aside, you can make things a little tougher for bad guys by modifying your email address when you register for stuff. For instance, if I register at xyz.com, I might use vikingjs+abc@mac.com for my email address. The cool thing about ‘+’ is that it doesn’t change the delivery (the above will go to vikingjs@mac.com) but you can sort your email based on the suffix, and you can track who gave your email address away. Most significantly, if some wrongdoer has your email password, they still have to guess the +suffix part for each site before they can use the “I forgot my password” feature. If your email password gets out, that second line of defense could really save your ass.*
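The per-site suffix idea above, as an added example that is not part of the original post: instead of a memorable suffix like `+abc`, each tag is derived from the site name with an HMAC under a secret only you hold, so a tag cannot be guessed from the site name and an incoming message's recipient address can be mapped back to the site that was given it. The function names, the secret, and the choice of HMAC-SHA256 are assumptions made for this illustration.

```python
import hashlib
import hmac

# Constructed secret for the example; in practice a long random value kept
# out of the mailbox itself.
SECRET = b"constructed-example-secret"


def site_tag(secret: bytes, site: str, length: int = 10) -> str:
    """Derive a short tag for one site; unguessable without the secret."""
    normalized = site.strip().lower().encode("utf-8")
    return hmac.new(secret, normalized, hashlib.sha256).hexdigest()[:length]


def tagged_address(base: str, site: str, secret: bytes) -> str:
    """Build local+tag@domain for registering at `site`."""
    local, sep, domain = base.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("base address must look like local@domain")
    if "+" in local:
        raise ValueError("base address is already tagged")
    return f"{local}+{site_tag(secret, site)}@{domain}"


def split_tag(address: str):
    """Return (delivery_address, tag); tag is None when no '+' is present."""
    local, _, domain = address.rpartition("@")
    name, plus, tag = local.partition("+")
    return f"{name}@{domain}", (tag if plus else None)


def identify_source(recipient: str, known_sites, secret: bytes):
    """Map the recipient address of an incoming message back to the site
    it was registered with, or None if the tag matches no known site."""
    _, tag = split_tag(recipient)
    if tag is None:
        return None
    for site in known_sites:
        expected = site_tag(secret, site)
        # Constant-time comparison on bytes, so odd characters in a
        # received tag cannot raise or leak timing.
        if hmac.compare_digest(tag.encode("utf-8"), expected.encode("utf-8")):
            return site
    return None


if __name__ == "__main__":
    sites = ["xyz.com", "shop.example", "forum.example"]
    addr = tagged_address("vikingjs@mac.com", "xyz.com", SECRET)
    print("register at xyz.com with:", addr)
    print("delivers to:", split_tag(addr)[0])
    print("mail to that address traces to:", identify_source(addr, sites, SECRET))
    print("guessed tag traces to:", identify_source("vikingjs+abc@mac.com", sites, SECRET))
```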

Also, know that if your email provider gets hacked, you could be hosed. There is one major company (rhymes with achoo!**) that seems to have a hard time keeping the wrong guys out of your account (although I think it’s the address book that has been compromised, and not direct access to your emails). There are likely others that do a better job keeping their names out of the press when they spill your information.

So, to flog the horse: If bad guys get access to your email, they own you. Protect that password diligently. Change it fairly often. Use email+suffix@whatever.com when you sign up for stuff. In databases around the globe, your email is quite literally your entire identity.

* I read somewhere that hotmail and some others don’t support the + in emails. I haven’t tested personally, but if your provider is one of those, drop them immediately and find a better service.

** I’m pretty sure I have stock in a company that ends oo!, so I’m not just slinging mud here.

Damn Lies and Statistics

I read recently that WordPress “powers” more than 14% of the top 1,000,000 Web sites. (“Powers” in quotes because actually it’s electricity that powers them — lots of electricity.)

This site is also a WordPress site, and I started to wonder: Am I in the top million? A million, is, after all, a very big number, and this site does get regular traffic.

Which all begs the question, how the hell do you define “top Web site” and how does anyone know what they are? Presumably “top” sites are the ones that get the most visits, but even “visit” is tricky to pin down, and once you have a working definition there’s still the question of how the heck you measure it. Throw in game sites where a visit can last for hours — does that count for more than someone dropping in to see if there’s a new episode up in their favorite blog?

How about traffic from robots? When a robot tries to spam this site, does that count? How would the counting mechanism differentiate that from a legitimate visit?

For that matter, what’s a “site”? Does wordpress.org count as a single site, or is each blog hosted there counted individually? Is the difference whether the owner bothered to register their own domain?

All that aside, the slightly-depressing truth is that this is probably not one of the top million sites, no matter how you figure it, even counting spam-bot visits. Yep, there are probably more than one friggin’ million Web sites more popular than this one. Most of those sites will have a specific purpose — sites for businesses both local and international, political and news sites, comics, and so on (and of course porn).

I have a hard enough time sticking to a single topic in a given episode that the idea of staying on a subject for the whole damn blog is ridiculous. But I digress.

Most content? I’d probably be in the top million in that category. There’s a lot of stuff here. Oldest still-active sites? I might even crack the million line with that measure. How many sites have been continuously active since 2003? That’s like, a century in Internet time.

So I probably get the top-million most persistent award, if nothing else. Maybe I should make that a tagline for the site when I un-Flash the banner: “One of the million most persistent Web sites in the world!”

Who, Me?

I was recently farting around with my Facebook profile. I uploaded a new profile image (which doesn’t really look very good as a thumbnail but apparently it doesn’t save my old profile photos, so now I’ll have to find the original to go back), and while I was at it, I glanced through my other profile information.

My profile is scant, not so much because I’m trying to protect my privacy as because I can’t imagine why anyone would care about most of that stuff.

In fact, the only ones who might be interested in any of that stuff are the ones with the overt goal of invading my privacy. So, why not help them out? There’s a field I can fill in for my political leanings. It occurred to me that ‘anarchist’ would be fun, but ‘communist’ would be more provocative. Even though communism is an economic system. People get mixed up about that.

Hobbies? How about ‘recreational explosives’ and ‘euthanasia’? Maybe ‘book burning’ to keep people guessing.

Senate Committee Chairman: So, on your Facebook profile you declared yourself to be a communist! And a bomb-throwing murderer!
Yours Truly (trying to remember): Did I?
SCC: Yes! You also burn books, so you’re obviously not completely evil, but we demand an explanation!
YT: Simple. That’s not me.

And that would be the truth. I am not a Facebook profile. I’m not even a blog, though blog-Jerry and public-Jerry do have a lot in common.

East-Coast people often say they hate how ‘fake’ Californians are. In fact, Californians say the same thing about other Californians. But what does that actually mean? My theory: Californians don’t express anger as openly as others, and they don’t lean forward when they listen to you (the way southerners do), so they must be fake.

Whatever. Everyone’s fake. I’m fake. And seriously, that’s the way it should be. You know the me I’ve learned to project since my earliest days. The one who plays nice, gets along, and tries to make the world a better place (usually). You don’t want to know me the way I know me. I don’t want to know you that way either.

Then there’s the person you imagine when you read this blog. Not the same as the person you find when you run into meat-me at the frozen yogurt shop. Blog-me might be a little more articulate, since he reads most things he says before he says them. Blog-me talks about different things, sometimes more introspective, and doesn’t really worry so much about boring people.

Blog-me is a different person. A different fiction.

So why not Facebook-me? Why not create some whacked-out extremist commie bomb-thrower and be that guy?

There’s a good reason not to, actually. It’s hard enough work maintaining the personas I already have. All the -me’s are pretty lazy.

Bad Behavior, CloudFlare and Google Bot

This blog has several layers of protection from the evils of the outside world, but those layers don’t always get along. One problem that I had is pretty common among CloudFlare users, and the documentation provided by the relevant players has a hole in it – a key nugget of information that can make all the difference.

The nugget follows in due course.

My first line of defense from ne’er-do-wells and miscreants is CloudFlare. They stop most of the bad guys before they even reach my site. Still, for some sorts of attacks, when there’s doubt it’s better to let the bad guy through. It may turn out to be a good guy.

A program called Bad Behavior is my next line of defense. It sits on my server and quickly spots liars and weasels. For dangerous-looking attacks, that’s the limit. But, when there’s doubt and the site itself is not at risk, Bad Behavior will let the attack through.

At this point, ‘attack’ means ‘comment spam’. Everything else is stopped before it reaches this stage. Most of the comment spam has been stopped as well, but some has been given the benefit of the doubt. That’s where Akismet comes in. This layer spots the rest of the comment spam, and it can be much more aggressive since it doesn’t actually delete the spam, it puts it into a bin for future review. So, legitimate comments can be rescued by an alert blog admin.

It works pretty well. Three spams actually got through all the layers last week, the first time any have gotten through in quite some time. Somewhere, a spammer popped a bottle of bubbly.

So comment spam is pretty well thwarted. Hooray! Unfortunately, for a while I had a pretty big problem. Search engine robots were being denied. I fell off Google and Yahoo! and all the rest, and traffic to this site dwindled.

Note: according to this article, Bad Behavior has been updated to avoid the following problem. Yay! You should still install the CloudFlare plugin and the Apache module if you are able.

Here’s what was going on:

  1. Googlebot said ‘hey, muddledramblings.com, show me page x’.
  2. The request must get past CloudFlare. No problem. They see it’s the real Google bot and pass the request on to my server.
  3. Bad Behavior is next. They look at the incoming message and see something that claims to be a Google bot but it’s not coming from Google. It’s coming through CloudFlare. Bad Behavior says, “You are a lying sack of dingo dung and a false Google bot. You are obviously evil and you may not pass.” Google is shut out. The other legitimate robots are cut off as well.

This problem is pretty easy to fix, but not quite as easy as WordPress admins would like to hope. CloudFlare has code that you can install on your server that will straighten the whole problem out. Basically it tweaks incoming messages so that the original source appears instead of CloudFlare. This bit of fix-it code is available as a WordPress plugin, so you can install the plugin and rest easy.

But that’s the thing that tripped me up and is not explained in the docs. In the case of working with Bad Behavior, the WordPress Plugin is not enough.

The catch is that Bad Behavior does its magic before the CloudFlare plugin can do its magic. So, even with the CloudFlare plugin firmly installed, Bad Behavior will reject Google bot and all his pals.

There are two simple solutions: 1) Install the CloudFlare Apache module, which kicks in before anything else is run. This is preferable to the WordPress plugin anyway, because it’s a system-wide solution. 2) If you don’t have that level of control over your server, turn off Bad Behavior. It’s a shame to lose that layer of protection, but not devastating; there’s some overlap between what CloudFlare stops and what Bad Behavior stops. You still have two layers and your own alert management to fall back on.
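The ordering problem described above, as an added example that is not code from Bad Behavior, CloudFlare, or this site. It assumes the proxy passes the original address in the `CF-Connecting-IP` header, uses constructed documentation-range addresses in place of the real proxy and crawler ranges, and reduces the filter to a single hypothetical rule (a Googlebot User-Agent must come from a crawler address). It also shows why the header is only honoured when the connection really comes from the proxy.

```python
import ipaddress

# Constructed ranges (documentation address space) standing in for the
# proxy's published ranges and the crawler's ranges. Not real values.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("198.51.100.0/24")]
CRAWLER_NETS = [ipaddress.ip_network("203.0.113.0/24")]

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


def _in_any(ip: str, nets) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def restore_client_ip(request: dict) -> str:
    """Return the address later layers should treat as the client.

    The forwarded header is honoured only when the TCP peer is a trusted
    proxy; a direct connection can put anything it likes in that header.
    """
    peer = request["remote_addr"]
    forwarded = request["headers"].get("CF-Connecting-IP")
    if forwarded and _in_any(peer, TRUSTED_PROXY_NETS):
        try:
            return str(ipaddress.ip_address(forwarded.strip()))
        except ValueError:
            return peer  # malformed header: fall back to what we can see
    return peer


def crawler_check(request: dict, client_ip: str) -> str:
    """Simplified stand-in for the filter's rule: a request claiming to be
    Googlebot must come from a crawler address."""
    ua = request["headers"].get("User-Agent", "")
    if "Googlebot" in ua and not _in_any(client_ip, CRAWLER_NETS):
        return "reject"
    return "allow"


def filter_then_restore(request: dict) -> str:
    """Broken order: the filter judges the proxy's address, then the
    restore step runs too late to matter."""
    verdict = crawler_check(request, request["remote_addr"])
    restore_client_ip(request)
    return verdict


def restore_then_filter(request: dict) -> str:
    """Fixed order: restore the original address first, then filter."""
    return crawler_check(request, restore_client_ip(request))


# Constructed sample requests.
REAL_CRAWLER_VIA_PROXY = {
    "remote_addr": "198.51.100.7",
    "headers": {"User-Agent": GOOGLEBOT_UA, "CF-Connecting-IP": "203.0.113.20"},
}
FAKE_CRAWLER_VIA_PROXY = {
    "remote_addr": "198.51.100.7",
    "headers": {"User-Agent": GOOGLEBOT_UA, "CF-Connecting-IP": "192.0.2.55"},
}
SPOOFED_HEADER_DIRECT = {
    "remote_addr": "192.0.2.99",
    "headers": {"User-Agent": GOOGLEBOT_UA, "CF-Connecting-IP": "203.0.113.20"},
}

if __name__ == "__main__":
    for name, req in [
        ("real crawler via proxy", REAL_CRAWLER_VIA_PROXY),
        ("fake crawler via proxy", FAKE_CRAWLER_VIA_PROXY),
        ("spoofed header, direct", SPOOFED_HEADER_DIRECT),
    ]:
        print(f"{name:24} filter-first={filter_then_restore(req):6} "
              f"restore-first={restore_then_filter(req)}")
```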

Ubiquity Solutions: Evil or merely Overwhelmed?

Note: Wow. This got long, and somewhat technical. For today, some of you might want to look at cute pictures of cats instead. I won’t mind.

I noticed the other day a huge rush of spam comments from IP addresses starting 108.62. I did a lookup and found that the whole block is owned by an outfit called Nobis Technology Group. Most of the addresses also mentioned Ubiquity Server Solutions. They are a massive hosting and colocation service. Basically, they supply the hardware and infrastructure, and their customers set up Web servers and whatnot.

Some of those customers (or the customers of the customers) send out a lot of spam. A truckload. In some cases the customer of a customer of a customer might have been lax and his server got hacked and turned into an unwitting spambot. In other cases the people using Ubiquity’s servers are likely institutional spammers.

Brief aside: Why does comment spam even exist in the first place? Google plays a big role there, with a number called Page Rank. Part of Page Rank (at least historically) was that more links pointing to a page make it land higher in Google searches. So, the spam comment isn’t to get readers of a blog to buy Doc Marten shoes, it’s to get that particular site to land higher in Google’s results when someone searches for them.

The thing is, Google doesn’t publish page rank numbers anymore, and they steadfastly maintain that the comment spamming actually hurts your results in a search. That hasn’t stopped many companies from promising higher sales and taking people’s money in return for smearing their name all over the Internet.

Google could go a long way toward eliminating this sort of spam by publishing page rank again, only now include the amount the rank was hurt by spamming activities. My shoe salesman above is not going to keep paying when Google shows the opposite of the desired result.

So anyway, using CloudFlare’s threat control, I blocked an entire range of IP addresses allocated to Ubiquity’s servers. Then another. I didn’t like this solution; I had no idea how many legitimate potential blog visitors I was blocking. After reading more, the answer surprised me.

The folks at Ubiquity point out that they have terms of service that prohibit using their infrastructure to spam people. When I sent them a complaint, they were professional and courteous. They asked for more specifics, then said they’d sent a complaint to the culprit. Only after they’d asked what my domain name was.

Question: Did they send a message to the culprit saying ‘stop spamming people’ or did it say ‘stop spamming that guy?’

On other blogs where people have ranted about Ubiquity, representatives of the company have responded with measured, rational responses, explaining what a huge uphill battle it is for them, and asking the community to keep sending reports when spam comes from their range. Those reports make it possible for them to put sanctions on clients who are in violation of their terms of service. It is a huge problem and not easily solved.

And yet. Other hosting companies don’t seem as bad, from where I’m sitting.

One of those responses from a Ubiquity representative threw out the argument (I’m paraphrasing from this) “While it’s theoretically possible to monitor all data to weed out the 500MB/s of spam from the 2GB/s of legitimate traffic, that would be really expensive and we wouldn’t be able to compete in this market.” My first takeaway: they think 20% of the traffic from their servers is unethical. Wow. Now, that’s reading a lot into a statement like that, so take it with a grain of salt. Also, it was in a comment to a blog post and may well have been a typo in the first place.

But still, it makes me wonder. And a request coming in to a server for data (legitimate traffic like a request to load a Web page) is fundamentally different than robots on a server sending unrequested data OUT (a high percentage of which will be spam), and sending emails (almost all of which will be spam). A small random sampling of GET and PUT messages outbound from their data centers would probably smoke out the most egregious violators pretty quickly, and not require a lot of hardware to implement. (Not sure how I feel about this from a privacy standpoint.)

Once I got the message that Ubiquity had sent their complaint to the spammer involved, I unblocked that range. Sure enough, in a few minutes more spam came through. I sent the report and back up went the blockade. In my casting around the Internet I read assertions that were not contradicted (so must be true!) that said that NO legitimate traffic would come from those IP’s anyway; they were the addresses of big servers and not IP’s that would appear when Joe User is surfing. So there’s no downside to blocking them. (I’ll put the blocked ranges in a comment below, if you want to follow suit.)

Although, as I put the blockade back up, I had a thought: If I complain about every violation, and cc Google, then the cost of NOT clamping down more effectively on the host’s clients goes up. At some point, if enough people complain enough times, the cost of fixing the problem at the source becomes less than the cost of continuing to do business the way they are now.

That goes not just for Ubiquity, but for all hosts, and for Google and the other search engines. There is no incentive for them to play nice unless we create one.

Yep, I’m proposing fighting spam with a deluge of emails, and I’m probably too lazy to do it effectively.

Of course, this blog is hosted at a data center that almost inevitably will have spammers. Do I want to pay more for my own hosting because my data center has to install a bunch of spam detectors? In my case, I’d be willing to pay a bit more to know my host is doing the right thing, but I think I’d be in the minority. That makes it really difficult for one host to unilaterally decide to take the high road. And you’d be alienating about 20% of your customers, if Ubiquity’s off-the-cuff numbers are an indication.

CloudFlare = Awesome

So by now you’ve probably heard of “the cloud”, but you might be vague on what the cloud actually is. That’s OK, the cloud is by nature vague. In short, it’s just a name that applies to what the Internet has been trying to do for a long time: information without location. You put a photo up in the cloud, and it’s just “out there”, not on any particular server, not in any particular data center, not in any given country. Could be there are copies of it all over the place, and when someone wants to look at the picture, The Cloud serves up the copy closest (in Internet miles) to the person who wants to see it.

This requires a lot of expensive equipment. Google and Amazon are the biggies in the cloud, but there are others as well, who, for a price, will host your data in a ‘cloudy’ way. In return, people around the world can load your stuff faster.

This humble blog is in the cloud. When you load a page here, roughly half the time the request doesn’t even reach my server (protected in a bunker somewhere in Nevada), but is instead served up from one of CloudFlare’s data centers around the globe. It’s pretty sweet, and has reduced the strain on my server (not that it’s working that hard anyway) while improving the Muddled Experience. The cost for this service? Nothing. It’s free.

I totally win.

CloudFlare also blocks a few hundred spammers each week, before my server has to go to the trouble of blocking them. They compile usage stats and provide other interesting information, and cut the load time for the blog about in half.

They’re a friendly bunch, too; when I suggested upgrades to their interface they wrote back with specific questions as well as thanks. A site they hosted was attacked from China a while back, and it brought down part of their network. They were right up front about the issue and what they were doing about it, and advised people on how to ‘de-cloud’ until the crisis was over. Not everyone was happy, but I was impressed. Soon after reading those communications I signed up.

How can they offer something like this for free? It’s the upsell, of course; they offer premium services. In addition they create a platform for other companies to sell stuff to me. Some of those services are pretty cool, too, though I haven’t dipped my toe in those waters yet (for instance, there’s a free service that checks your site now and then to see if it’s been hacked).

Overall, I can’t think of any reason NOT to use CloudFlare. Check ’em out and tell them Jerry sent you!

A New Privacy Invasion to Fight

They are probably not unique, but spokeo.com has robots diligently combing the world for your personal information. What they have on you might be surprising. And, while it is possible, they don’t make it obvious how you can delete (or at least hide from public view) the data about you they have gathered for profit.

Telephone numbers, addresses, relationships, and of course age are only a few of the things about you that they are selling.

So: time to get your profiles off of spokeo.com. If anyone out there knows of similar services out there, let’s consolidate the “quit making profit by selling my personal data” list.

NOTE: These instructions might be more complicated than necessary, but this method is what I tested.

  1. Go to spokeo.com
  2. Enter your name. Scan the matches for any that might be you. You will have to delete each profile individually.
  3. Select a profile. In the window that pops up, select “see it all”.
  4. You will go to a screen that tries to sell you the service, including “See all available information, including photos, profiles, lifestyle and wealth data.” Now you remember why you’re doing this.
  5. Copy the entire URL from the address bar of your browser.
  6. Down at the bottom of the screen is a teeny, tiny little link that says “privacy”. Click that.
  7. Paste in the URL.
  8. Supply an email address. TIP: you can tag your address with a plus sign. For instance, instead of getoffmylawn@damnkids.com you can use getoffmylawn+spokeo@damnkids.com. That way any email they send to you will be tagged. (This opens up a different discussion that I will leave for another day.)
  9. Try to decipher the CAPTCHA, then submit.
  10. When the email arrives, click the link and your data will be “removed”. I don’t honestly expect the data is actually deleted, but at least it’s a little more hidden.
  11. Repeat the process with any other profiles that might be you. You will have to use a different email tag each time.
  12. Write a robot that automatically deletes records from their database. If I had the skills I’d do it myself. With robots they gather, with robots we take away.

I recommend that you don’t do this “later”, or “tomorrow”, but now. If you have any troubles, leave a comment and I’ll clarify the instructions. If you know of other “services” like this one, let’s add them here!

Harlean on the Move

This is just a quick note to tell folks that Harlean Carpenter (who is a fiction) has moved her blog from MySpace (which is becoming a fiction) to Blogspot. Right now she’s moving her favorite posts from the old to the new, so you can get a nice ‘best-of’ album right now to introduce yourself to her inimitable style. Check it out!

Advance Notice of Unplanned Outage

Just a quick note to tell you guys that I’ve run into technical difficulties renewing the muddledramblings.com domain name. LiveRack sucks. Never, ever, register a domain with LiveRack.

Actually, I’m not sure you’d be able to register with them even if you wanted to; their payment acceptance portal seems to be broken. Thus, I cannot renew this domain. There is no way to contact anyone at LiveRack. A long time ago they listed contact information but never answered queries, now they don’t even bother pretending. LiveRack sucks. Never, ever, register a domain with LiveRack.

So, I decided now would be a good time to move the domain to a new registrar. I’d tried this some time ago, without success, because LiveRack did not respond to the request. This is, as you might have surmised, because LiveRack sucks. If I were you, I’d never, ever register a domain with LiveRack.

So, with time running out, I put my nose to the grindstone and got the right codes to move the domain despite LiveRack’s unresponsiveness. But, wait! It can’t be that easy… The domain is too close to expiring to move. I have to renew, then move. But I can’t renew, because LiveRack sucks. There was a time, long ago, when LiveRack didn’t suck. Those days are long gone. You see, these days there’s really no way to describe LiveRack without using the word “sucks”. I wish I’d never registered my domain with LiveRack.

Tomorrow I’ll try LiveRack’s renewal again, in case they’ve fixed it, and I’ve appealed to Enom to intervene as well. LiveRack is a reseller for Enom; LiveRack’s only role was to process my payments. Now they can’t even do that, apparently, which leads me to the inescapable conclusion that LiveRack sucks.

So, in a couple of days, muddledramblings.com may stop working. I’m still hopeful, but I wanted to let folks know ahead of time.

Oh, and if anyone asks you about LiveRack? Well, LiveRack sucks. Under no circumstances should anyone register a domain with them. Seriously.

Cool Stuff on the Internet

Hey! Are you familiar with Hyperbole and a Half? Now would be an excellent time to check it out. Perhaps those already well-versed in hyperbolic lore could recommend particularly choice archival stories for newbies to peruse.

And as long as you’re looking at other sites that don’t take six years to load the way mine does, the November 24 Astronomy Picture of the Day just reinforces the growing urge inside me to head north in the next couple of years. APOD is awesome more often than not – I’m tempted to write a little program that turns each day’s picture into my desktop image. Not sure how that would fly on days like this one, however.

Evil Flash Cookies

NOTE June 1, 2019: This is a rather old post, and most major browsers have addressed this problem directly. I ultimately solved the problem by simply not installing Flash. It’s dead tech.

For a long time now we’ve been aware of browser cookies. These are little bits of data that a Web developer can set on your computer to keep track of your visits, or which ads you’ve seen, and things like that. Cookies are regulated by your browser and you can set up rules to reduce the amount that other people learn about your habits.

Way back in the day the makers of Flash realized that it would be handy to store little bits of information on the user’s computer as well. They developed LSO’s, otherwise known as Flash Cookies, to do that. This site uses an LSO so the banner animation doesn’t run every time you change pages. (See my rant about html.)

Advertisers and less benign sites also use LSO’s, and this has people worried. There are fewer restrictions on what LSO’s can do compared to cookies, and management of these little bits of information is not done through the browser. Many people out there in the Wild Wild World of the Web have said “There’s no way to manage them! aaaah! AAAAAAH!” in mildly hysterical voices, but that is simply not true.

So, just how worried should you be? If you do nothing to manage the cookies on your browser, then you probably don’t need to get too worked up about their somewhat-more-evil cousins. You’re already telling the trackers all they want to know. The potential for outright evil is higher with Flash LSO’s, but not that much.

Still, it’s a good idea to control who leaves what on your computer, and LSO’s are a good place to start. There are two complementary strategies – control what gets saved, and clean up after.

Control What Gets Saved

First, let’s look at how to keep most of the unwanted items from being saved in the first place. This is done by managing the settings of your Flash Player. You do this through a control panel on the Macromedia Web site. You can access this panel any time by right-clicking any Flash on your page (including the banner of this site) and choosing “Global Settings…”. This control panel is written in Flash and when you make changes it will save your settings to your computer – in an LSO file.

Let’s look at what’s already on your computer. Choose the Web Storage Settings panel:

The Web Storage Settings Panel

I cleaned everything out recently, but you can see that since then I’ve been to two places that put Flash cookies on my machine. Only muddledramblings.com is actually storing anything; www.kfox.com had stored something on my machine, but it has since been cleaned up. Even after you clean up a site’s cookies, Flash will remember you were there, and if you set special rules for that site, it will remember them, too.

So at this point the easiest thing to do is probably to make Flash forget everything and clear out all the cookies stored on your machine. If you’re curious you can go down the list and see what’s there. “Delete all sites” is probably your best bet, however.

Now your Flash Player has totally forgotten where you’ve been. It’s a good time to set rules for how Flash should behave when you encounter a new site. Click the “Global Storage” tab:

The Global Storage Settings Panel

Note: these settings will not affect sites that already have storage allocated.

There are two things you can do to limit who puts stuff on your computer. The first is to move the slider to 0 KB. This will force any flash animation to ask permission before storing something on your machine. If you check Never Ask Again, you have effectively turned off all Flash cookies from everywhere. That’s pretty drastic, and may break some of your favorite sites, though.

The second thing you can do is uncheck “Allow third-party blah blah blah”. That allows the Web site you’re visiting to store stuff, but no one else. For instance, let’s say that on this page I had advertising. This setting would allow only Flash from muddledramblings.com to save stuff, but an ad served from eviladvertisinggiant.com would not be allowed. Basically, only Flash that comes from the domain showing in your browser is allowed to store stuff. That way my site will still work correctly but others won’t be able to track you.

Note that in a few cases, Web sites put their own Flash stuff on different servers (there are good reasons for doing this), and this setting might break those sites. You can turn off the restriction temporarily and allow that site to run, then turn the restriction back on. There is no way that I know of to set the “Allow third-party…” value for a particular site.

OK, now that you’re keeping most of the drek off your machine, it’s time to tackle the other prong in our battle for privacy: cleaning up unneeded LSO’s.

Periodic Cleanup

In general, benign LSO’s only need to save stuff while you’re on the site. When you go back, it’s not going to harm anything if previous data has been deleted. Any information they do store from session to session might just be snooping. For the most part, then, we can just empty out the stored data and never notice a thing.

What NOT to delete
There are two kinds of LSO’s – those set by the flash animation, and those set by the Flash Player to store information about a site. Deleting the second type can actually undermine your security if you’ve made special restrictions for specific sites using the control panel above. Also, for some few sites (pandora.com, in my case), you want Flash to remember your info between visits. As you decide on a cleanup strategy, keep that stuff in mind. There is one LSO used to store the settings you made from the control panel above, and I strongly recommend that you NOT delete it. Both the cleanup methods I mention below preserve that file by default.

Having said all that, don’t let the decisions stop you from moving forward. In the following techniques just using the defaults will work just fine for almost everyone.

BetterPrivacy
NOTE June 1, 2019: BetterPrivacy doesn’t exist anymore, because Firefox absorbed this functionality. You can learn more about Firefox cookie management here.

This is by far the best solution — if you use Firefox. Users of Firefox have access to BetterPrivacy, which provides lots of options for which LSO’s to clean up when, controlled from a pretty nice user interface. By default BetterPrivacy leaves the Flash Player preferences alone, but if you make different settings for specific Web sites, BetterPrivacy will delete those unless you tell it not to. If you do put special restrictions or grant special permissions to a site, be sure to protect the settings.sol file for that site.

If you keep your browser open pretty much all the time, you can set BetterPrivacy to clean up the LSO’s periodically.

I don’t use Firefox that much. What am I to do? A Web search will tell you there’s a Mac application called Flush, but don’t bother. As of this writing, it’s completely broken. I didn’t find a good solution for non-Firefox Mac users out there, so I made one. You don’t have to thank me, it’s what I do.

Jer’s LSO Cleanup script for Mac
First I set up a simple cron task that just deleted the folders where LSO’s live. That was too ham-fisted, however, since it also deleted beneficial LSO’s, as mentioned above. Then I wrote a little script. I used Python to write it simply because I’d never used Python before, and it seemed more appropriate than php. You are welcome to use the script as well, but there’s a little fiddling involved. Nothing major, but you’ll be using the terminal.

Right-click to download lsoclean.sh here.

OK, now for the fiddling:

  1. Download the file and put it somewhere that won’t clutter up your life. (I used /usr/local/bin/)
  2. (optional) Edit the file to choose your paranoia level and what sites you don’t want to clean up. The default leaves LSO’s from your own computer (for Flash developers) and from pandora.com
  3. Tell the OS that the file is actually a script that it can run. To do this open Terminal.app and type chmod +x /path/to/lsoclean.py. TIP: if you just type chmod +x (with a space after the “x”), then drag the file from wherever you put it into the terminal window, it will automatically fill in the path. Neat!
  4. (optional) The script can now be activated by typing the full path to the file in the terminal, but that’s not very convenient. Better to set up a way to have the thing run every so often. There are plenty of ways, like using AppleScript (ptui) or iCal (which would have been clever of me), but the simplest (if geekiest) is to set up a cron task. You can use CronniX to avoid editing the crontab file directly. Here’s what I did:
    1. Download CronniX here.
    2. Run it. It’s a little… incomplete. Start by clicking “New”
    3. Choose the “Simple” tab
    4. Check the boxes next to Month, Day of Month, Hour, and Day of Week. Leave Minute unchecked and set to 0.
    5. In the command field, put the full path to the script file. (You can copy it out of the terminal window where you dragged the file before.)
    6. Click Apply, then Save
    7. Quit CronniX

    You have now set up the task to execute the script once an hour.

  5. Test: Visit some sites that use flash, and look in ~/Library/Preferences/Macromedia/Flash Player/#SharedObjects/8JA5UY2L (the last bit is random) to see the .sol files.
  6. After an hour, go back and see that they are gone! Hooray!

The CronniX UI when everything is set to go.

That was quite a bit of fiddling for those not versed in the ways of cron, but now you can forget it ever happened. If you find yourself having to reenter information in a Flash-based Web site and it annoys you, add the domain for that site to the list in the script.

If anyone wants to take this little script and create a reduced-fiddling version with automator or whatever, I’d love to provide that for download here.
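A sketch of the kind of cleanup described above, as an added example; it is not the lsoclean script offered for download here. The keep-list contents, the function names and the `--delete` flag are assumptions, and it touches only the #SharedObjects tree named in the post, so Flash Player's own settings files are out of its reach.

```python
#!/usr/bin/env python3
"""Delete Flash LSO (.sol) files except those from domains on a keep-list."""
import os
import sys
from pathlib import Path

# Root named in the post; each child is a randomly named directory.
SHARED_OBJECTS = (Path.home() / "Library/Preferences/Macromedia"
                  / "Flash Player/#SharedObjects")

# Assumed keep-list, mirroring the defaults the post describes:
# content run from your own computer, plus pandora.com.
KEEP_DOMAINS = {"localhost", "pandora.com"}


def is_kept(domain, keep=KEEP_DOMAINS):
    """True if domain is on the keep-list or is a subdomain of an entry."""
    domain = domain.lower()
    return any(domain == k or domain.endswith("." + k) for k in keep)


def clean(root=SHARED_OBJECTS, keep=KEEP_DOMAINS, dry_run=False):
    """Remove .sol files under root/<random>/<domain>/ unless domain is kept.

    Returns the sorted list of paths removed (or that would be, on a dry run).
    Symlinked directories are never followed, so nothing outside root is hit.
    """
    removed = []
    root = Path(root)
    if not root.is_dir():
        return removed
    for profile in root.iterdir():
        if profile.is_symlink() or not profile.is_dir():
            continue
        for domain_dir in profile.iterdir():
            if domain_dir.is_symlink() or not domain_dir.is_dir():
                continue
            if is_kept(domain_dir.name, keep):
                continue
            # Bottom-up walk so emptied directories can be pruned as we go.
            for dirpath, _dirs, files in os.walk(domain_dir, topdown=False):
                for name in files:
                    if name.endswith(".sol"):
                        path = Path(dirpath) / name
                        if not dry_run:
                            path.unlink()
                        removed.append(path)
                if not dry_run:
                    try:
                        os.rmdir(dirpath)  # succeeds only if now empty
                    except OSError:
                        pass
    return sorted(removed)


if __name__ == "__main__":
    # Lists what would go unless --delete is given. An hourly crontab line
    # (hypothetical file name): 0 * * * * /usr/local/bin/lso_example.py --delete
    really = "--delete" in sys.argv[1:]
    for p in clean(dry_run=not really):
        print("removed" if really else "would remove", p)
```
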

Conclusion

You’ve just struck a blow against invasive advertisers! Hooray! Now the ads you see will be less focussed on what you are interested in. That’s OK, because it’s nobody’s damn business what you’re interested in. Now you can carry on with your life like none of this ever happened.

Appreciating Fonts

The look of this blog when viewed on a Windows machine has always subtly annoyed me. I’ve been using the default font setup for WordPress, which uses Lucida Grande first, and if that is not available it uses Verdana. Verdana to me looks, I don’t know, thin or stretched or something. Loose. Unfortunately most Windows boxes don’t come with Lucida Grande, so Verdana is what most people experience. Today I decided to do something about it.

It’s possible now to tell a browser to load a font from the Web when displaying a particular page. I could quite easily put @font-face directives in my files, load copies of Lucida Grande onto the server, and I’d be done (except for Internet Explorer, and those people can get by with Verdana). Unfortunately, although technically pretty simple, that course of action would not be legal.

There’s a font on Windows called Lucida Sans Unicode (or something like that) which is very similar to Lucida, but is not nearly as good for italics and bold face. This will be my fall-back solution.

For a while today, however, I thought I might go look for a new font, something that caught the spirit of this blog, yet was easy to read on a screen and had a nice ink density. On top of that, it had to be free or at least reasonably priced, and it had to include good italic and bold versions, and it had to include the wacky Czech diacriticals for those few episodes where I use them, plus the full range of punctuation including a variety of dashes, copyright symbols, and stuff like that.

I came up empty. Making a good font is not at all simple, and the people who make the great ones quite understandably want to be paid for their work. If I found one that measured up to Lucida Grande in usefulness and that would give this site a unique feel, I might be tempted to pony up.

The closest thing I could find was a font called Liberation, which is a favorite in the Linux world. At this writing, those without Lucida Grande will see that font (unless you’re using Internet Explorer). It’s OK, but the text is actually a little smaller for the same font size. That certainly is annoying. I haven’t looked at the text on enough different screens to know for sure, but I think right now the lettering is too small.

How’s it looking for you, my Windows-using readers? Do you have any favorite fonts? I think with screen resolutions improving, it’s even possible to consider a serifed font these days.