Sticky Postings
Observations on Everything
Although "It's Fixed in the Next Release" is a mantra from software development (or rather technical support), the intent here is to apply the phrase to a broader context, for example, "It's fixed in my next reincarnation." This broad interpretation means that the entries here cover vastly unrelated subjects.
If you're looking for a tightly focused blog with short, pithy entries, you are in the wrong place (although there are some). Here, blogging is about content.
I have done one thing to make things easier on non-technical readers. All of my comments that deal with specific aspects of software development are in a category that doesn't show up in the main list. You have to select It's a Code, Code World to see these posts.
Monday, December 29. 2008
Almost everyone who looks at the history of North America through the lens of current times is appalled at the brutal decimation of native populations, at slavery, and at the complete absence of any concept of human rights.
It occurs to me that 50 to 100 years on, survivors of the environmental apocalypse will look at us in a similar way. Sadly, we'll be even more culpable. We've known the planet was destined to become overpopulated with humanity for at least 30 years, and our response has been indistinguishable from nothing.
Polar ice caps are disappearing more quickly than even the most alarmist had expected. Climate change wreaks trillions of dollars of damage on our economies. Critical ecosystems collapse and even species we deem to find attractive border on extinction. Meanwhile, we worry about bailing out car manufacturers.
It looks to me like we'll just keep on trying to get by and maintain our "standard of living" until there's a real environmental crisis, until we pass the "tipping point". Then we get to try to put our lives back together in the face of huge population migrations, limited food resources, war, disease, and eventually feudalism. Then we'll "buy locally" — there won't be any other choice!
Our legacy will be that we're the ones who ushered in the Second Dark Ages. Our barbarism will make the early history of the continent look like innocence. The worst, the saddest, part is that it might be too late to change a thing.
Tuesday, December 23. 2008
Since the early days of Joomla 1.5, component layouts have bothered me. First there's the problematic nomenclature (which I'm probably using incorrectly). Layouts are component-specific snippets of HTML and PHP logic that generate the actual code (usually HTML) that goes to the target device. A template can override the default layout, which is just one of the many powerful features that give Joomla sites so much flexibility.
My biggest problem with layouts is that they typically embed too much logic. Why should a layout be determining what to do if a category description isn't present? Worse yet, why does it have to check access to see if an article body should be displayed or not? Surely the actual view should be responsible for this sort of thing, and the layout should be strictly concerned with how to present the information that's available.
The other problem is that layouts are ugly beasts. Most layouts need to flip between HTML and PHP dozens of times, just to do the most simple thing.
I'm not exactly a patient person. Maintaining the existing layout code in the Joomla core components is bothersome enough, but recently I started doing extensive work on a third party component, adding my own view in the process. That's when that familiar snapping sound resonated in my head. Always a sucker for diversions, I decided to follow the tangent and see if I could improve Joomla layouts.
It took about triple the expected effort, largely because the initial results were pretty exciting, and I decided to do more than a hack job. The result is JTML, and the results are described in the white paper Simplifying Joomla Template Layouts.
Every once in a while, the idea of creating a simple language for creating Joomla extensions comes up, but that is a very big job indeed, and there are many, many other things to do in the project. So it remains a bit of a dream. I'm hoping JTML is one small step in that direction.
Tuesday, December 9. 2008
There is no question that the Liberal Party of Canada needs to pick a new leader, and fast. Not only do they have to do it quickly, but they have to do it right.
While Michael Ignatieff might be the right choice, and might even be the winner at a convention, Bob Rae's observation that a process of installing him is "undemocratic" carries some weight. Simply installing Ignatieff based on polling results and some "consultation" with riding leadership may be prudent, but it's not smart.
I put "undemocratic" in quotes for two reasons. Firstly, the word has been horribly misused over the past few weeks. All the political drama we have just experienced has been nothing but democracy. Those who call it otherwise are merely uninformed. Anyone who says "I voted for Harper, not Dion" is in desperate need of education on the political system that this country uses. On the second count, the normal process that the Liberals use to pick a leader is anything but democratic. To anyone who wants to argue this, I merely observe that this was the process that got Dion the leadership in the first place.
The "transferable delegate" system might make for great television, but it has clearly been demonstrated that not only is it out of touch with the party grassroots, it doesn't pick the best leader. Time to chuck this tradition along with Mr. Dion. This time, let's lose the baby and the bath water.
This gives the Liberals an amazing opportunity to demonstrate that there is a fix for the problem. What they should do is quickly set up an online leadership voting system. They should mail cards with a security PIN code to every party member in good standing. Party members should then be required to combine this PIN with some piece of personal information that's on file, such as the member's phone number and year that they joined the party. There will need to be an exception handling process for those who have problems, but I guarantee that they'll get a democratically elected leader in a short period of time and at a lot less cost than a convention.
The catch to all of this is that we're talking about a party that can't manage to get a critical video for a national address done on a reasonable schedule, and even then they can't do a job that wouldn't embarrass a grade seven student. It's painfully evident that the Liberal communications people are under siege at best, or woefully incompetent at worst.
Still, an online leader selection process would be relatively straightforward. I'd even be willing to help implement such a system, because I think real democracy is important. Then we can talk about moving federal elections to a Single Transferable Vote system (in particular, BC-STV) and then maybe we can get on to building governments that are formed from meaningful, relevant, and functional coalitions. It is possible.
Friday, November 21. 2008
I'm well aware of the value of site analytics. Most of my sites make extensive use of them. But at the same time I'm aware of a user's absolute right to not be tracked, be it anonymous or not. When it comes to my personal information, I'm usually happy to let most sites drop in a statistical tracking cookie, but I almost always set the lifetime of those cookies to "session only".
Basically, I'm happy to let someone know how I navigate their site, because that information is likely to result in improved usability. What I don't like is disclosing how many times I visit a site over a period of time, and what my multi-visit user patterns are like.
With browsers like Firefox and now even Internet Explorer providing easy tools to manage cookie acceptance and lifetime, more and more users who don't want to be tracked are limiting cookies. This is giving marketers a more challenging time and skewing their statistics. Poor babies.
Some marketers are fighting back. What's not commonly known is that Adobe's Flash Player lets sites store cookie-like information as well. Now Adobe hasn't quite caught up with the concept of individual liberties, so the default configuration of the Flash Player is to allow local storage without any explicit user permission. Adobe pretty much has a monopoly when it comes to this sort of thing, so there's little incentive for them to change.
So now marketers who claim to seek to improve customer service have a method where they can gather data even if their customers have taken explicit steps to prevent it. News Flash: That is NOT good customer service! It's really rather offensive customer abuse.
Some time in the past few months, TD Bank decided to join the ranks of companies who have elected to bypass their customers' wishes. I recently connected to my online banking site, and got asked for permission to allocate local storage to an invisible bit of Flash. So I cranked open the page and found this link: https://easyweb46w.tdcanadatrust.com/dojo111/dojox/storage/Storage.swf?baseUrl=/dojo111/dojo/. At least its name reflects its purpose.
Anyone familiar with the big Canadian banks has become accustomed to dealing with these arrogant behemoths, protected from significant international competition by legislation, and reading from some version of a dictionary where the meaning of "service" is very different from the commonly accepted definition. Really the only surprising thing is that they haven't found a way to charge me 25 cents per byte of information that they want to store on my computer.
But you don't have to be subject to corporate whims. These things are configurable. Don't go looking through your browser, plugins or program settings for the control panel, though. Follow this link to your Flash Player control panel. This looks like a screen shot of what a control panel might look like, but don't be confused: it's a live presentation of your current settings. Click on the second tab, "Global Storage Settings". There's a reasonably good explanation of the settings below the panel, but if you move the slider to the left until it reads "None", then every site that tries to save data in flash will have to get your approval first. If you don't want to be asked, set the "Never Ask Again" check box. Then go to the last tab, "Website Storage Settings" to take a look at which sites have left tracking codes on your computer. Delete all the ones you don't trust.
Now you have control of your information again.
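To check the same thing from the file system, here is an added example (not part of the original post) that lists the Flash local shared objects (.sol files) stored for each site. The storage directories are the Flash Player's usual per-user defaults and are an assumption here; the post itself only describes the control panel.

```python
import os
from collections import defaultdict
from pathlib import Path


def default_lso_roots():
    """Usual per-user Flash Player storage roots (assumed defaults)."""
    home = Path.home()
    roots = [
        home / ".macromedia/Flash_Player/#SharedObjects",                     # Linux
        home / "Library/Preferences/Macromedia/Flash Player/#SharedObjects",  # macOS
    ]
    appdata = os.environ.get("APPDATA")                                       # Windows
    if appdata:
        roots.append(Path(appdata) / "Macromedia/Flash Player/#SharedObjects")
    return [r for r in roots if r.is_dir()]


def audit_lsos(root):
    """Return {site: [(path below the site dir, size in bytes), ...]}.

    Layout on disk: <root>/<random profile dir>/<site>/<path...>/<name>.sol
    """
    root = Path(root)
    found = defaultdict(list)
    for sol in sorted(root.rglob("*.sol")):
        parts = sol.relative_to(root).parts
        if len(parts) < 3:  # need a profile dir, a site dir and a file
            continue
        site = parts[1]
        found[site].append(("/".join(parts[2:]), sol.stat().st_size))
    return dict(found)


def report(roots):
    """Build one text line per site: name, object count, total bytes."""
    lines = []
    for root in roots:
        for site, objs in sorted(audit_lsos(root).items()):
            total = sum(size for _, size in objs)
            lines.append(f"{site}: {len(objs)} object(s), {total} bytes")
    return lines


if __name__ == "__main__":
    roots = default_lso_roots()
    if not roots:
        print("No Flash shared-object directory found for this user.")
    for line in report(roots):
        print(line)
```

Any site in the output that you do not recognise or trust is a candidate for deletion in the "Website Storage Settings" tab described above.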
Thursday, November 20. 2008
Bob Rae announced that he will be seeking the leadership of the Liberal Party today. "I'm running because I believe I have the judgement, the character, the values and the experience to lead at a very difficult time in the life of our country," said Mr. Rae.
It's not exactly clear which leadership he's talking about. If he had said "a very difficult time in the life of our party," I would probably be in agreement. He and Michael Ignatieff are both pretty strong candidates, but I think Mr. Rae stands a better chance in a federal election. I find Ignatieff to be a little distant... he might very well make the best Prime Minister, but that's no good if you can't win an election. I also don't think Mr. Rae's much-discussed stint as Ontario premier is anywhere near the liability that it's been made out to be.
But watching today's press conference, I got the distinct impression that Rae is saying that he's got what it takes to be PM during hard economic times. So he's got some magic plan to win the leadership race and topple Harper's government in the next nine months or so — that would be quite a feat — or he expects the recession to last a good three to four years, the most likely time we'll be called to the polls again.
Now this downturn may very well last that long, but it sure doesn't look good to come out looking like that's your expectation. Looks like poor judgement, which makes the statement self-contradictory.
Friday, August 15. 2008
"Joomla!" had an extremely serious security issue arise earlier in the week. I'm pretty deeply involved in the project, and I happened to be on the Bug Squad chat when the news broke. The issue was not a SQL injection problem, as many sources have assumed but reported as fact. Ironically, it had to do with defeating a session security feature. The security problem was a programming error. "Joomla!" goes through extensive procedures to defend against SQL injection, and from version 1.5 onward, such a vulnerability in the core code is highly unlikely. [Extensions are another matter. I strongly recommend that users only install open source extensions that have either been audited or that have broad community support.]
Even though this problem caused a fair bit of damage, I'm very proud of how the "Joomla!" team responded to the problem. This was a worst-case scenario: the exploit was published with no advance notification, and it was dead simple to implement.
The first we heard of it was a post on the Dutch "Joomla!" forums. One of the Bug Squad team mentioned this in chat on August 12th at 15:50 EST. We immediately took steps to verify the issue, and then once confirmed, to remove the details from the forum post. A patch was made available for testing at 16:10. A full package release was made available for testing at 18:19. Announcement of the release was made on joomla.org at 18:57, and by 19:40 update packages were also available. That's three hours and 50 minutes from report to full public release. If that's not a record I'll be surprised.
What is distressing is that a large number of security-focused sites reported this as a SQL injection vulnerability, along with a variety of other erroneous or misleading information. Almost a week later, many have corrected their errors, but several have not. Considering that the "Joomla!" team responded so quickly, and that complete information was posted as the first item on the joomla.org web site before the exploit became widely known, this suggests that many of these sites simply repeated each other's misinformation, rather than taking even the smallest steps to verify the report.
Granted, a sample size of one event is not sufficient to draw conclusions, but if this is any indication of how "trusted" security information sources behave, then it is no wonder that the whole security field has a serious credibility issue. These kinds of reports are extremely serious matters, with a lot of potential for damage. Certainly the timeliness of information is critical, but hopefully not at the expense of accuracy. The security community has a deep obligation to perform the simplest verification of facts before rushing to publication.
Thursday, August 7. 2008
I kind of like Republican Presidential candidate John McCain — as a person. He seemed to have great personal integrity until last week, when his campaign started running attack ads against his Democratic opponent, Barack Obama.
Unfortunately for him, this ill-advised manoeuvre seems to have been engineered by a bunch of old dinosaurs who are completely out of touch with the reality of the Internet. I guess nobody told them that big television advertising dollars no longer get you exclusive access to the attention of the populace. Oops.
The McCain ads sandwiched Obama's image with those of Britney Spears and Paris Hilton, deriding him as a mere celebrity, not ready to lead. I've always maintained that Ms. Hilton plays her public image as a lot dumber than she really is (don't get me wrong, I'm not giving her a Rhodes Scholarship either), and this week Paris Hilton shot back at the use of her image in that ad.
Analysts have said that the main advantage of the McCain ads was that they got widespread news coverage, and that having segments of them lead the news gave them huge extra exposure at no cost. Unfortunately for them, it looks like Hilton's spoof, likely shot for a few tens of thousands of dollars and featuring McCain being referred to as "wrinkly white-haired guy", is going to get almost as much exposure.
In general, I think attack ads are crass and desperate (particularly when run by a party that is in power outside an election, but that's another post entirely), and it's good to see them backfire. The only real downside of this parody is that there will probably be an embarrassingly large number of ballots filed in November with Paris Hilton as a write-in candidate.
To conclude, here's the Internet 101 summary for anyone contemplating an attack ad:
In a wired world, be careful about where you lob the muck. It's a lot easier to fight back than you think.
Monday, June 9. 2008
This weekend the Toronto Star announced the death of the SUV. One of the reasons this came up has to be the closing of the General Motors truck assembly line in Oshawa. It seems that as the price of gas gets above about $1.25 per litre (or $4/gallon in the U.S.), the number of people who "need" an unsafe gas guzzling SUV drops off pretty quickly. Now these same people "need" to unload their luxury land barges. There's nothing like a flexible definition of needs.
This is a good start. There's going to be a lot fewer road trips in the family road boat this year. Some people will argue that this is a bad thing, that families should be able to get out there with their kids to see all that this vast country has to offer. These people haven't actually seen a family in one of these vehicles. The parents are happily enjoying their time "together" while each kid is in their own isolated space with individual DVD players and noise-reducing headphones. They see as much of the countryside in their basements. Besides, a lot of travel options remain open. Our geography is every bit as dramatic from a train. Better yet, on a train it's a lot easier to get your kids to come out of their multimedia shells and look at something without risking a major accident.
Thursday, May 29. 2008
This one probably isn't new, but it's worth noting. An associate recently got this bogus "security warning". Appropriately named "irony", the message warns the user that "Security Center has detected Malware" and directs the user to a site where they can download a patch.
The "patch" will install malware on the user's computer. At least they can't forge the link as belonging to Microsoft, but this could easily fool an unsuspecting user.