Updating the homepage

It finally was time — time to update the main site (homepage) of www.woodall.com, to make it mobile-friendly and modern.

When I started with the Internet the whole idea of a small consultancy having its own outpost on the web was avant-garde – I registered woodall.com in October 1995 and went live immediately, and in the summer of 1997 brought the hosting in-house, where it remains to this day.

The main site exists mostly as a tool repository – only about a dozen pages were ever in the ‘official’ linkage and there are dozens of pages reachable only by typing in the URLs directly… or from offsite links.¹ Keeping the main page updated hasn’t been a priority.

Then one fine January morning a note popped in on email – Google was going to start lowering my page scores because the site was not “mobile-friendly.” Ahem. Something must be done. And now, it is.

Expect to see various changes in the site layout and background photos as I experiment with what works best, but for now, there’s a new site out there. And it looks far better than the old.

¹ After examining the logs it’s clear there are only three of the ‘hidden’ pages still being accessed – so after a bit of legerdemain with mod_rewrite those items are now restored.

Ink-stained rant

One of the tasks tonight was printing out student work; it needs to be printed so I can grade it and hand it back. Nowadays most students won’t print their own work… usually, I think, from the cost involved.

The big cost is ink. My usual printer for everyday use is a worn Epson Stylus C-120. It uses four colors but five cartridges – doubling up on black – and if I were to use Epson-brand ink, the cost for one set of cartridges would be about $60. Each cartridge holds 12 ml of ink – thus Epson ink costs $1,000 per liter, or a bit less than $4,000 to the gallon. And you thought gasoline was high-priced?

I don’t use Epson inks. I print way too much to go that route.

For the first couple of years I used a CISS – Continuous Ink Supply System. This is a set of 5 cartridges with tubing which loops outside the printer to a set of tanks holding bulk ink. The cost of the CISS was $35 – for 100 ml of ink in each tank! Re-inking costs were about $30 per 500ml – far less than name-brand.

CISS systems expect to be used, a lot. Daily works best. Otherwise the inks slowly draw back down the supply lines into the tank. If the time between use is too great, the inks may clot up a bit at the feed end of the tanks… at which point it’s easier to pull the system out and replace it rather than fix it. Been there, done that. These inks are dye-based and not particularly stable, but work just fine for daily print work (mostly text).

For now, I’m using generic dye-filled cartridges bought on Amazon – the vendor name changes with each purchase, but on average I’m paying $1.25 per cartridge… everything is working fine, except the ‘status’ messages from the Epson printer driver software.

Epson’s printer drivers give a visual depiction of remaining ink; and a warning pop-up when the capacity is ‘low.’ What I’m finding out is that ‘low’ is… a marketing ploy as opposed to any sort of reality. Two days ago I got the pop-up, urging me to buy ink as I was ‘low’ on black. Earlier tonight when I started to print, the indicator was at the bottom, indicating imminent emptiness – or so it seemed. Two hundred and four pages later, the indicator is still at the bottom… and the black ink is still printing nice and strong.

Tsk tsk tsk.

Dear web-design fiends:

Please check spelling and use the appropriate words when putting up your portfolio sights… if you want future work.

It happened again. In the course of my work, I’ll run across a small business or non-profit in desperate need of a website refresh. I then refer the business to a former student (many of whom have completed web-development classes), and both are happy.

But not this time… because of a simple spelling error. Actually, the word is correctly spelled, but it’s the wrong word – “bare with me” is not the same as “bear with me” – and given the basic purpose of a website is to communicate – it’s a major failing.

Quality has to extend to all the parts… or what’s the point?

Carolina [cable] hospitality

One of the tasks to carry out during my three-week sojourn in NC this spring was to fix up the problems with TV/Telephone/Internet Access at the beach house.

Our family beach house is a condominium – ostensibly the complex provides cable TV and Internet, but the Internet is shared-access wifi with the rest of the complex, and we prefer dedicated access. For years that meant dealing with CenturyLink – a telephone company so bad it changes its name every few years in a futile attempt to regain credibility.

Of late, though, the incumbent cable carrier has made a play for business, and thus my parents decided to change over to Time Warner Cable (Eastern Carolina division). They ordered the service while they were in temporary quarters (the condo was being repaired from 2011 hurricane damage).

The telephone port worked fine… they had no idea how to work the set-top box… and the goofball contract installer couldn’t leave well enough alone on the router and reset it back to factory default.

And by the time I arrived, while it was working, we had not seen an invoice for service.

So I initially went on-line to figure out where the issues were, and ran into a problem – I couldn’t get in, because the billing system is separate from all the other systems – and it needed the account number, which I didn’t have (no invoice yet!) and wanted the phone number. I put in the phone number for the unit – no dice. Put in the NJ home phone. No go. Put in my personal and then business line numbers. Still nothing (we’ve had all these numbers at least 15 years). Finally tried the phone number from the temporary quarters – and that worked!

So I got in that far, but couldn’t change the phone number… and found security was based on “last 4 digits of the subscriber SSN” – which didn’t match either parent’s SSN, apparently. And of course TWC also wanted a “customer code” which was on the missing invoice.

Thus it meant heading off to Newport to the cable office.

…and after a 30-minute drive, finding a line to stand in, and eventually getting to two agents who worked diligently for about 40 minutes to fix all the problems in the billing. Turns out the contract installer decided to “correct” the information in the work order and screw things up. (Somewhere, a village is missing its idiot.)

Now we know the account number; have set up payment methods, turned off pay-per-view and international calling for the summer rental crowd (no more calls to India or Singapore), and even negotiated a better rate for the service.

The office agents were competent and thorough – far superior to telephone and online agents. At least cable systems have actual staffed offices where you can get things done; the supposedly superior telephone companies do not (union labor made that too expensive years ago).

I reset the router back to our normal setup, after booting off the leeches… and finally all is well.

And two days later it was time to pack up and come home (to NJ).

Wonder if any of it will work properly in the fall.

Why I block JavaScript.

This subject surfaces from time to time, especially when I’m conversing with the bleeding-edge web design community. “You do WHAT?” followed by a lot of strange looks and laughter is the typical reaction. Then I’m told all about how JavaScript has been “modernized” and “browsers are sandboxed” and other nice things.

I run a variety of browsers; the current desktop has Firefox (with NoScript); Chrome; IE 4; IE 6; IE 8; and Lynx. Most of the time I browse with Firefox/NoScript. Yep, it slows me down, and there’s the minor annoyance of having to set temporary JavaScript execution privileges. This post will attempt to explain why I do things the way I do. Standard disclaimers apply.

First two-word explanation: Zeus Trojan.

The Zeus Trojan is a password-stealer, usually deployed via JavaScript malware delivered to the victim by way of an infected website. As JavaScript has “matured” it also allows for much-improved obfuscation and cross-linking and all sorts of nice ways to operate an attack vector dynamically (to the point where most Zeus variants check location data and refuse to infect systems in certain countries).

For US-based small business (and local government) there is no protective cap on money stolen via identity fraud – and this is the standard use of Zeus. Once the credentials are acquired the thieves can empty a bank account in a matter of hours – and there is no legal recourse against the bank. The money is gone; the victim is not going to get it back.

A part of my professional practice deals with security – no, I’m not going to enter a forum with all the scripts executing. I only look foolish.

…and as I’m writing this post, in over the transom flies this notice – Google has awarded $60,000 as a prize in the Pwnium competition, for a method to overcome Chrome’s “sandbox” feature and run code on a fully-patched Windows 7 system. All that is necessary is for someone to browse to an infected website – viewing the page is sufficient to load and execute the payload. A little bit of JavaScript acts as an enabler – there’s no need to bother with an exploit attempt if the browser is something else.

Another reason not to automatically run JavaScript is a common Facebook malware attack – the click-jacking survey scams which pop up several times a day. Click-jacking is a specialized attack vector on Facebook which works by having the victim click on a link – which leads to a survey – and also “spams” the link as a status post from the victim. If you run with JavaScript enabled you’re usually taken straight over to the payload page – which is typically a survey… but it might be something worse.

By not running JavaScript I get stuck on the interstitial dispatch page; this is where the Facebook click-jack link leads; and this page contains various JavaScript functions to identify the victim. Typical contents of these pages include a bit of geolocation which is used to decide which survey to play. From time to time, I see ones where the dispatch code includes a mechanism to reject the entry if location appears to be in .ru, .ua, .by or .ge – authorities in these countries only track cybercrime if local users are affected. Generally speaking, if the interstitial page contains the ru-ua-by-ge code, the payload page is loading something other than a simple survey.
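The check described above can be run against a saved copy of an interstitial page without executing any of it. This is an added example, not code from the original post: the function names, verdict labels and both sample pages are constructed for illustration, and the regular expressions are a rough heuristic rather than a JavaScript parser.

```javascript
// Added example: static triage of a saved interstitial page; nothing is executed.
// Function names, verdict labels and both sample pages are constructed for illustration.
const EXCLUDED = ["ru", "ua", "by", "ge"]; // the country list named in the post

// Return the text of every inline <script> element in the saved HTML.
function inlineScripts(html) {
  const bodies = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  for (const m of html.matchAll(re)) {
    if (m[1].trim() !== "") bodies.push(m[1]);
  }
  return bodies;
}

function triageInterstitial(html) {
  const code = inlineScripts(html).join("\n");
  // Two-letter string literals, with or without a leading dot ("ru" or ".ru").
  const literals = new Set();
  for (const m of code.matchAll(/["']\.?([a-z]{2})["']/gi)) {
    literals.add(m[1].toLowerCase());
  }
  const excludedSeen = EXCLUDED.filter((cc) => literals.has(cc));
  const geoLookup = /navigator\.geolocation|geoip|country[_-]?code/i.test(code);
  const redirect = /location\s*(\.href\s*=(?!=)|\.replace\s*\(|\.assign\s*\(|=(?!=))/i.test(code);
  let verdict = "no-dispatch-logic";
  if (geoLookup && redirect) verdict = "geo-dispatch";
  // The post's heuristic: the full exclusion list suggests more than a survey.
  if (redirect && excludedSeen.length === EXCLUDED.length) {
    verdict = "geo-dispatch-with-exclusion";
  }
  return { geoLookup, redirect, excludedSeen, verdict };
}

// Constructed sample 1: picks a survey by country, no exclusion list.
const SAMPLE_SURVEY = `<html><body><script>
var cc = lookupCountryCode(); // placeholder name, not defined here
window.location.href = "/survey/" + cc;
</script></body></html>`;

// Constructed sample 2: same dispatch, but skips visitors from the four countries.
const SAMPLE_EXCLUDING = `<html><body><script>
var cc = lookupCountryCode(); // placeholder name, not defined here
if ([".ru", ".ua", ".by", ".ge"].indexOf("." + cc) === -1) {
  window.location.replace("/next");
}
</script></body></html>`;

console.log(triageInterstitial(SAMPLE_SURVEY).verdict, triageInterstitial(SAMPLE_EXCLUDING).verdict);
```

Obfuscated dispatch code will slip past literal matching like this, so a "no-dispatch-logic" verdict means only that nothing was found in plain text.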

But security isn’t the only reason to avoid JavaScript.

Second two-word answer: Existing Investment.

This probably comes as a shock to many web designers – but companies don’t rush right out and buy the latest technology just because it got a great writeup on reddit or slashdot or wherever, or even if it’s the best seller on Amazon or the Apple store. There are a lot of systems out there with no capacity to execute JavaScript (embedded devices) or where internal policies discourage its use. I’ve been writing web-apps for more than a decade which require no JavaScript or even cookies on the browser in order to maintain state… and I know that some of these clients are not going to change those devices or policies for at least several years. Have you discarded your car simply because its OBDC works at a glacial 1200 bits/sec on a serial port?

Not executing JavaScript allows me to see how these clients perceive the “outside world” and thus better understand their mindset. It is very interesting to see which major companies’ websites are still functional without JavaScript (although not all the bells and whistles may work).

On the question of the day: Google+ or Facebook?

Once again the muse lives elsewhere, but a comment thread on Facebook deserves a better discourse than that limited media can sustain.

This morning, most of the world woke up to find massive changes in the User Interface of Facebook – many of which were “inspired” by Google+. Venting, fist-shaking, etc. ensued. Meanwhile, Google took the opportunity to take the wraps off a bit, and open Google+ to everyone. It’s still classed as “beta” but now anyone can join.

If you haven’t figured it out yet, I’m in the early adopter camp. Stuff comes swinging by, I take a look, sometimes getting just a tippy-toe wet, other times jumping for full immersion. Thus I’ve been using G+ for about three months. Color me a bit skeptical at this juncture.

It’s not a replacement for Facebook.

On the other hand, I wouldn’t put too much stock in Twitter or LinkedIn – they are the most threatened by this development… especially LinkedIn. It might be why LI put its IPO back on the shelf. They may have waited a bit too long.

I don’t think we’ve found the “winner” in the social space as yet – I think FB and G+ represent the peak of an era which is about to end. They backed the wrong technology.

Google especially reminds me of Samuel Pierpont Langley in the 1890s. He was head of the Smithsonian Institution, a learned man, with all the establishment of the day backing his experiments in heavier-than-air flight. His devices flapped their wings.

As we know, two bicycle mechanics from Ohio came up with the proper answer, and while it involved wings, it was the profile of the wing, not the flapping, which was critical.

I think there are the equivalents of the Wright brothers out there, toiling along in a garage somewhere, about to launch the new social media upon us — and they will center around the phone. It’s this last which Facebook and Google have so neglected.