Oct 27 2014

Two-factor authentication is generally seen as a good idea; there’s a certain amount of hand-wringing over the fact that more people don’t turn it on. The problem is, it’s one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can’t tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I use the authenticator app for my Google account 2FA, instead of using the SMS system. Just a hint: set it up while you still have access to your text messages since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place ‘on a computer’ (not specified whether a tablet is sufficient? I used the desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don’t need your SMS system, as long as you have the device with the Authenticator app on it.

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn’t take long, but I’m sure some time in the future I will have forgotten and be wondering why I can’t log in with a valid password.

And I understand what’s going on, more or less, and think the short-term hassles are worth it. There are lots of people who don’t have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I’d be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I’ve heard points to a lower real adoption rate.

Jun 24 2014

I've been working at Design Science for a couple of months now, as Senior Product Manager concentrating on the MathFlow products. So I figured I should enable MathML support on my blog. It's not hard, but like everything in tech there are a few niggly details. Many of those issues are caused by WordPress's over-eager helpfulness, which has to be reined in on a regular basis if you're doing anything at all out of the ordinary. Like editing your posts directly in HTML rather than using some pseudo-WYSIWYG editor.

Theoretically, showing MathML in a browser is easy, at least for the sort of equations that most people put in blog posts, even though not all browsers support MathML directly. You just use the MathJax JavaScript library. On WordPress there is even a plugin that adds the right script element, the MathJax-Latex plugin. You can make every page load MathJax, or use the [mathjax] shortcode to tell it when to load.

The wrinkle comes with WordPress' tendency to "correct" the markup. When you add the MathML, WordPress sprinkles it with <br/> tags. MathJax chokes on those and shows nothing. Since the tags don't show up in the editor view, you need some way of stopping WordPress from adding them. The best way I've found is with the Raw HTML plugin.

But there's a wrinkle with that too. For some reason if you use the shortcode version of the begin and end markers ([raw]) the editor decides that the XML characters between those markers have to be turned into character entities, so for example the < characters are turned into &lt;. To stop that, you need to a) check all the checkboxes in the Raw HTML settings on the post, and b) use the comment version (<!-- raw --> and <!-- /raw -->) to mark the beginning and end of the section instead of the shortcode version.

Once it's done it's easy to add equations to your pages, so it's worth the extra few minutes to set it all up.
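A quick way to check a rendered post for the two failure modes described above (injected <br/> tags inside the MathML, and markup turned into character entities). This is an added example, not part of the original post or of either plugin; the function names and the sample HTML are constructed for illustration.

```javascript
// Constructed sample of rendered post HTML: the first equation has injected
// <br/> tags, the second was entity-escaped, the third is intact.
const SAMPLE_POST = [
  '<p>Damaged:</p>',
  '<math xmlns="http://www.w3.org/1998/Math/MathML"><br />',
  '<mi>x</mi><mo>=</mo><br/>',
  '<mn>1</mn></math>',
  '<p>Escaped:</p>',
  '&lt;math&gt;&lt;mi&gt;y&lt;/mi&gt;&lt;/math&gt;',
  '<p>Intact:</p>',
  '<math><mi>z</mi></math>',
].join('\n');

// Report each MathML block that would fail to render, with the reason.
function findMathMLDamage(html) {
  const findings = [];
  let m;
  // Real <math> elements: count <br> tags that ended up inside them.
  const mathBlock = /<math\b[^>]*>[\s\S]*?<\/math>/gi;
  while ((m = mathBlock.exec(html)) !== null) {
    const injected = m[0].match(/<br\s*\/?>/gi) || [];
    if (injected.length > 0) {
      findings.push({ offset: m.index, problem: 'injected-br', count: injected.length });
    }
  }
  // Entity-escaped markup: the browser shows it as text, not as an equation.
  const escaped = /&lt;math\b[\s\S]*?&lt;\/math&gt;/gi;
  while ((m = escaped.exec(html)) !== null) {
    findings.push({ offset: m.index, problem: 'entity-escaped', count: 1 });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Remove <br> tags inside <math> blocks only, to confirm they were the cause.
function stripInjectedBreaks(html) {
  return html.replace(/<math\b[^>]*>[\s\S]*?<\/math>/gi,
    (block) => block.replace(/<br\s*\/?>/gi, ''));
}

console.log(findMathMLDamage(SAMPLE_POST));
```

Run it against the page source as served to the browser, not the editor view, since the tags don't show up in the editor.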

A couple of examples taken from the MathJax samples page

Curl of a Vector Field
Standard Deviation

and one from my thesis from way back when

Jan 21 2014

In principle I’m in favour of the ‘log in with X’ way of doing things (modulo user experience issues such as trying to remember which service you picked to sign up with in the first place). There is, however, more to it than that in some cases. Example: using the online repository service bitbucket.

Signing up in the first place with one of my Google accounts worked as expected. The next step, of adding a git repository and pushing files to it, was a little more complicated. You need to use a regular password for git push and, of course, bitbucket doesn’t have the password for my Google account. And I didn’t have a regular password for the account, having set it up using my Google account, so I had to go through the password-reset dance to create a new password that bitbucket is allowed to know.

In other words, for these sorts of services I need a password that the service is allowed to know; logging in with other services is an add-on but not a replacement. This isn’t hard to understand when you stop and think about what’s going on (in the browser the service relies on a lot of browser redirects which aren’t available in the command line), but it did take me a minute or two to figure out that I would have to reset my heretofore blank password to get one that I could use. (Bitbucket also supports SSH identities and I’ll probably set that up instead of the password.)

Oct 22 2013

I see the discussion about how best to structure your HTML+CSS to be both appealing to the reader and easy to maintain is continuing; see The Semantic CSS Debate for some of it and links to more. What particularly struck me was this sentence:

I now find myself actively advocating against libraries like bootstrap due to the long term maintainability issues their approach to CSS causes.

On the surface, this appears to be one issue that templating systems can help solve. Whether you use XSLT to generate a web site from Word documents or XML, or something like Jekyll (which I use for the Textuality web site), or a database-driven system, to generate the site, you should be able to use both a framework such as bootstrap and your semantic content. You do have to be prepared to put in an intermediate step, that of generating the output from the input, and plan in advance for the fact that you may wish to switch from format a to format b.

This seems to me to be a logical way of doing things, or maybe it’s simply because I’m steeped in the idea of creating the data in a format that can be transformed to an appropriate output format. This idea does make the choice of output format (in this case precisely which HTML + CSS framework to use) somewhat less daunting, or rather, the cost of changing it later somewhat less (although not negligible since the transformation system needs to be changed).

Disclaimer: yes, I do write my blog posts using pointy brackets. WordPress provides a templating system which enables changing styles fairly readily; all I write by hand is the content within the main content block.

Oct 14 2013

I’m on my third Android phone now, and apparently there is no way to delete the previous phone(s) from my Google Account. The Android Device Manager support page tells you how to find the phone and wipe it, but I wiped them before passing them on to new homes. And I don’t care about their current locations. You can hide a device from the list, but not delete it, and I’m puzzled as to why. Do they need a list of all previous owners of any device? Why?

And, the page to revoke access to Google accounts from these old devices still looks something like this:

[Image: Google account revoke access page]

and doesn’t tell you which device or account is meant by ‘Android Login Service – Full Account Access’. I guess I could turn off each one in turn and see which I need to turn back on, but it should be possible for Google to put some identifying information there to help with the process, even if it’s only the date on which access was requested.

Oct 09 2013

One of my website clients has a Drupal site, and it was time to upgrade from Drupal 6 to 7. Drupal is one of those vastly complicated, able-to-do-anything platforms that is part blogging software, part CMS, and part playground for PHP developers, with the inevitable result that Drupal 7 is a worthwhile upgrade over Drupal 6, but requires more than a little time to figure out what needs doing. Thanks to Shane at Left Right Minds who pointed me in the right direction on several occasions. With power comes complexity and there are many ways to get things wrong.

As always, the basics are clear: use a development site for the upgrade to get all the issues out of the way while not affecting the production site. Allow more time than you think you will need. Ensure an adequate supply of chocolate and/or coffee. Take breaks as needed.

Copy the files on the production site to the development site (which I’m calling {yourdevwebsite}). Create a backup and restore that on the development site. Next time: turn off caching and clear the cache before making the backup. Make sure caching is turned off while developing.

List all the modules on the current site, see if they have Drupal 7 equivalents. Spend some time figuring out whether the new versions are worthwhile, or if there’s a better way to add function X in Drupal 7 (asking an expert, like Shane, is really helpful at this stage).

Upgrade the core by installing Drupal 7, solve any issues. If the previous sysadmin changed the defaults so none of the menus appear to work, go to {yourdevwebsite}/admin/structure/menu to reset them to the defaults.

Drupal 7 allows upgrading modules from a URL, yay! So the process of upgrading modules turns into a fairly simple one, if no errors crop up. The first step is to determine the order in which to upgrade the modules – Backup and Migrate should be the first, Content Construction Kit (CCK) second since it requires some field conversion. Then Date, Token, and Views (never underestimate the power of a View). Once you have those basics done, upgrade the other modules in whatever order makes sense. I like to order things so I fix what’s on the front page of the web site first, then the other pages.

  1. Go to {yourdevwebsite}/admin/modules/install, add the link for the latest stable Drupal 7 version, and install.
  2. Enable the module, then run {yourdevwebsite}/update.php
  3. Fix any errors.
  4. Run the backup to back up the changes.
  5. Configure the module, adjust menus, etc, until the module more or less does what you need. Final tweaking can wait until all the modules are installed, but get the main functionality in place for each module as you upgrade it.
  6. Repeat for your list of modules

Be aware, some modules just don’t work in Drupal 7 and for those you need to find another way to get that functionality. Some modules (e.g., Calendar) changed the way they work between Drupal 6 and Drupal 7. Some modules use the standard configuration methods, others (Calendar again) are configured using different methods.

Drupal 7 lets you split libraries and the module. For example, a good way to install the CK editor is to get the download from the web site and put it in /sites/all/libraries. Then install the CKeditor module, which will use that library via the libraries API.

IMCE is a nice image and file browser/uploader.

When it comes to updating themes, be aware that even if the theme has the same name as one in Drupal 6, it will probably have significant changes. Responsive design techniques and the availability of more base themes contributed to this, as well as the changes due to the actual platform. Expect to spend more time than you expected to tweak the theme back to something approaching the original look and feel (assuming that’s what the client wants).

Allow time for training people on the new features. Even an hour or two helps.