Nov 17 2014

WordPress was designed for public websites, not private ones, so password protection can be a little clunky. Fortunately there are plugins to help, but (as always) there are trade-offs to be made.

When all you want to do is add a password to stop search engines indexing and outsiders reading the content, but you also want to make it as easy as possible for people to use, there’s the Password Protected plugin. As it says, it doesn’t protect the images or other uploaded content.

If you also want to protect the media, you will need to give people an account on the WordPress site (with username and password). Then you can use the htaccess edits detailed at This works, but in many cases you just don’t want to give lots of people accounts on the system, or make groups of people share an account. So it’s a trade-off — how important is password-protecting the images versus the administration overhead of user accounts with the associated username/password ease of use issues? If you do want to use usernames and passwords, perhaps giving a group of people a shared account, I’d recommend also using one of the plugins that helps with finer-grained access control, such as Members, to stop people being able to change things you don’t want them changing (such as passwords for the shared account).

Oct 30 2014

I’ve been trying out Google App Engine, for which I signed up with the Google account where I just enabled 2FA. Of course, that means changing the way I update the uploaded trial application; the standard Google password has to give way to either a specific application-based password, or OAuth 2. OAuth 2 is obviously (to me) the better way to go.

The documentation is reasonably straightforward. It even works as documented, assuming you’re signed in with the right Google account on your default browser. My workflow is a little different — my main browser (Firefox) is signed into my main Google account, and I sign into my other Google account (which I’m using for this development project) on Chrome. Copying the URL from Firefox to Chrome to allow the appcfg application access to that Google account worked; it’s refreshing to see. I get tired of web applications that use some hidden JavaScript magic and give you nonsensical results if you copy a URL from one browser to another.

There’s something appealing about OAuth 2, even if it appears a little too magical at times (a bit like git; when it works it’s magical, when it doesn’t, good luck!)

Oct 27 2014

Two-factor authentication is generally seen as a good idea; there's a certain amount of hand-wringing over the fact that more people don't turn it on. The problem is, it's one of those things where you sign up for disruption over the next few days, for uncertain reward. The reward is uncertain because you can never tell whether turning on two-factor authentication stopped someone hacking your account or not, just like you can't tell whether having an alarm company sign outside your house dissuades someone from breaking into it. My main email account has been on 2FA for ages, but I decided to add it to one of my secondary accounts as well, given that lots of people seem to mistakenly use that email instead of their own.

Tim suggested I used the authenticator app for my Google account 2FA, instead of using the SMS system. Just a hint: set it up while you still have access to your text messages since SMS is used for the bootstrapping authentication. You need to sign up for Google 2FA in the first place 'on a computer' (not specified whether a tablet is sufficient? I used the desktop). You are sent an SMS to authenticate yourself, and then you get another one when you want to authenticate the Authenticator app. After that, you don't need your SMS system, as long as you have the device with the Authenticator app on it.

But then there are the other apps, which now need application-specific generated passwords. Adium for Google Talk, for example, or email with Thunderbird. Setting each one up doesn't take long, but I'm sure some time in the future I will have forgotten and be wondering why I can't log in with a valid password.

And I understand what's going on, more or less, and think the short-term hassles are worth it. There are lots of people who don't have a mental model of passwords or authentication, who see only the pain and not the gain (since the gain is only in the absence of a potential future pain). Businesses are supposedly implementing 2FA fairly rapidly, but I'd be surprised if people in general were outfitting their personal accounts with 2FA at anything like the same rate. Mind you, I also suspect those surveys apply mostly to bigger companies in particular industries; anecdotal evidence I've heard points to a lower real adoption rate.

Sep 04 2014

August ended up busy, busier than I intended. Balisage was as usual full of interesting discussions although some of the people I’d hoped to see weren’t able to make it this year. I took part in a panel on MathML, figured out (finally) there is an overlap between the overlapping markup discussions and the DOM Level 2 Range specification, and generally enjoyed myself.

Not long after that I left Design Science; I was disappointed it didn’t work out the way I’d hoped, but I did learn a lot about MathML and typesetting mathematics that I didn’t know before.

I’ve spent the last couple of weeks talking to people about different projects in healthcare and publishing, whether it’s something for me to work at or not. It’s good to be able to take time occasionally to see what’s out there, what people are working on. I’ve also been getting ready for the XML Summer School (there are still a couple of spots left in some of the courses if you’re interested in attending). And I’ve been working on learning plans for my children since their teachers are on strike. Khan Academy, Codecademy, and various workbooks to refresh last year’s skills to start with. I hope the strike is resolved before I have to do too much more planning.

At least we managed to spend a few weekends at the cabin for relaxation amongst all of that.

Jun 24 2014

I’ve been working at Design Science for a couple of months now, as Senior Product Manager concentrating on the MathFlow products. So I figured I should enable MathML support on my blog. It’s not hard, but like everything in tech there are a few niggly details. Many of those issues are caused by WordPress’s over-eager helpfulness, which has to be reined in on a regular basis if you’re doing anything at all out of the ordinary. Like editing your posts directly in HTML rather than using some pseudo-WYSIWYG editor.

Theoretically, showing MathML in a browser is easy, at least for the sort of equations that most people put in blog posts, even though not all browsers support MathML directly. You just use the MathJax JavaScript library. On WordPress there is even a plugin that adds the right script element, the MathJax-Latex plugin. You can make every page load MathJax, or use the [mathjax] shortcode to tell it when to load.

The wrinkle comes with WordPress’ tendency to “correct” the markup. When you add the MathML, WordPress sprinkles it with <br/> tags. MathJax chokes on those and shows nothing. Since the tags don’t show up in the editor view, you need some way of stopping WordPress from adding them. The best way I’ve found is with the Raw HTML plugin.

But there’s a wrinkle with that too. For some reason if you use the shortcode version of the begin and end markers ([raw]) the editor decides that the XML characters between those markers have to be turned into the character entities, so for example the < characters are turned into &lt;. To stop that, you need to a) check all the checkboxes in the Raw HTML settings on the post, and b) use the comment version (<!-- raw --> and <!-- /raw -->) to mark the beginning and end of the section instead of the shortcode version.

Once it’s done it’s easy to add equations to your pages, so it’s worth the extra few minutes to set it all up.
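A quick check for the two failure modes described above, as an added example that is not part of the original post: it parses a post’s rendered HTML and reports `<br>` tags that landed inside `<math>` elements and MathML that was turned into character entities. The sample HTML and the names `MathMarkupAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of rendered post HTML (not taken from the blog).
SAMPLE = """<p>Standard deviation:</p>
<math xmlns="http://www.w3.org/1998/Math/MathML"><br/>
<mi>s</mi><mo>=</mo><br />
<msqrt><mi>v</mi></msqrt>
</math>
<p>&lt;math&gt;&lt;mi&gt;x&lt;/mi&gt;&lt;/math&gt;</p>
<p>A line break outside math<br/>is harmless.</p>
"""


class MathMarkupAudit(HTMLParser):
    """Flag the two ways the editor can mangle MathML in a rendered post."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: &lt; reaches handle_data as "<"
        self.math_depth = 0
        self.findings = []  # (problem, line number in the HTML)

    def handle_starttag(self, tag, attrs):
        if tag == "math":
            self.math_depth += 1
        elif tag == "br" and self.math_depth:
            # <br>, <br/> and <br /> all arrive here
            self.findings.append(("br-inside-math", self.getpos()[0]))

    def handle_endtag(self, tag):
        if tag == "math" and self.math_depth:
            self.math_depth -= 1

    def handle_data(self, data):
        # A literal "<math" in text means the markup was entity-escaped.
        if "<math" in data.lower():
            self.findings.append(("escaped-math-markup", self.getpos()[0]))


def audit(html):
    parser = MathMarkupAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for problem, line in audit(SAMPLE):
        print(f"line {line}: {problem}")
```

The escaped-markup check is a heuristic: a post that deliberately shows MathML source as text will be flagged too.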

A couple of examples taken from the MathJax samples page

Curl of a Vector Field
Standard Deviation

and one from my thesis from way back when

Mar 07 2014

Langara is a local college offering degrees in a number of subjects, including Computer Studies. I know one of the instructors there, and he asked me to give a talk at their monthly Computer Tech meetup. As a topic, I picked Simple Principles for Website Security, a shorter version of talks I’ve given at the XML Summer School.

Apart from the fact that I was recovering from a bout with the virulent stomach bug that seemed to be going round Vancouver at the time, it was fun. A good bunch of people, decent questions, and the student newspaper took advantage of the opportunity to write a column and make a video about basic internet security. One of my aims in this talk is to make the audience paranoid, pointing out sometimes the bad guys really are out to get you, and talking a bit about risk analysis and the trade-offs involved in writing down strong passwords (using a password manager is better, of course). And the door prizes for Langara students were quite impressive!

Thanks to Raymond for inviting me, and Gail and Holly for organising everything. I put the slides up at slideshare if you’re interested.