
November 2007

26 Nov

Is it time to kill off wikitext?

Anyone who has ever tried to edit Wikipedia will have encountered wikitext, the rather esoteric syntax used for markup on its pages.

Wikitext is, in theory at least, simpler than HTML. Two single quotes delimit ''italics'', while three single quotes indicate '''bold text'''. [Square brackets] indicate external links, [[double square brackets]] indicate internal links, and so on. A lot of other wiki software uses similar syntax. For example, Trac, a popular open source bug tracking system, uses a very similar markup language, and since you can also embed HTML in it, and even use a fairly sophisticated macro language, it allows very fine-grained control of the contents of the page. For the novice, there is a helpful toolbar at the top of the edit box, so that you can easily mark up various parts of the text as bold, italics, hyperlinks, and so on.
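As an added example (not code from the original post), here is a small converter for the four constructs just described, written in Python. It escapes every literal chunk before emitting HTML, which is the step a wikitext renderer or rich text editor must never skip; the `/wiki/` URL scheme is an assumption.

```python
import html
import re

# One regex covering the constructs described above: '''bold''', ''italics'',
# [[Page]] or [[Page|label]] internal links, and [http://url label] external links.
_TOKEN = re.compile(
    r"'''(?P<bold>.+?)'''"
    r"|''(?P<italic>.+?)''"
    r"|\[\[(?P<page>[^\]|]+?)(?:\|(?P<page_label>[^\]]+?))?\]\]"
    r"|\[(?P<url>https?://[^\s\]]+)(?:\s+(?P<url_label>[^\]]+?))?\]"
)


def _page_href(page):
    # Assumed wiki URL scheme: spaces become underscores, as on MediaWiki.
    return "/wiki/" + page.strip().replace(" ", "_")


def wikitext_to_html(text):
    """Render the wikitext subset to HTML, escaping every literal chunk.

    Raw text is never copied through unescaped, so '<script>' typed by a
    contributor reaches the page as text rather than as markup, and link
    targets are escaped again before being placed in an attribute.
    """
    out = []
    pos = 0
    for m in _TOKEN.finditer(text):
        out.append(html.escape(text[pos:m.start()]))
        if m.group("bold") is not None:
            out.append("<b>%s</b>" % wikitext_to_html(m.group("bold")))
        elif m.group("italic") is not None:
            out.append("<i>%s</i>" % wikitext_to_html(m.group("italic")))
        elif m.group("page") is not None:
            label = m.group("page_label") or m.group("page")
            href = html.escape(_page_href(m.group("page")))
            out.append('<a href="%s">%s</a>' % (href, html.escape(label)))
        else:
            label = m.group("url_label") or m.group("url")
            href = html.escape(m.group("url"))
            out.append('<a href="%s">%s</a>' % (href, html.escape(label)))
        pos = m.end()
    out.append(html.escape(text[pos:]))
    return "".join(out)
```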


However, in late 2007, it somehow feels wrong. As wrong as it felt not being able to get broadband in late 2005.

Perhaps there is a place for wikitext, as a fallback to improve accessibility when JavaScript is not available. And some things are simply not possible (yet) without it, such as typesetting mathematical equations. However, in terms of usability, it sucks. Apart from having to navigate away from the main article page, you have to scroll through the box to find the part of the wikitext corresponding to where you want to make the change (not obvious in an article with a lot of footnotes, references, tables and the like). It also creates a distinct range of systemic biases, which is a problem that Wikipedia itself acknowledges. How much nicer it would be, if clicking on “edit” on a section of a wiki page were to bring up an in-line rich text editor where what you see is what you get.

Web browsers have now had rich text editing capabilities for over seven years. This feature was first introduced in July 2000 in Internet Explorer 5.5, and nowadays every major browser supports it one way or another. It needs a lot of fiddling about with JavaScript in order to work properly on all of them, of course, but there are several popular and mature libraries and components such as FreeTextBox, TinyMCE and FCKeditor that handle this very well, so that’s pretty much a solved problem. Even cleaning Word HTML and producing valid XHTML — once common objections to rich text editors — are solved problems too.

There are many rich Internet applications these days that raise the bar significantly in terms of quality of user experience. Slick, good looking, easy to use sites are becoming more and more commonplace, and while ones such as Google Maps or EyeOS still have a bit of a “wow” factor, it’s getting easier all the time to develop them. With libraries like jQuery, for instance, you can implement a Google Suggest-style Ajax search facility in a couple of hours.

With it becoming increasingly easy to create elegant rich Internet applications, and the tools to do so being readily available, free and open source, having such an awkward and clunky way of editing content is beginning to look very last millennium. It’s time it went the way of the dinosaurs.

23 Nov

Windows Server 2003 — as a workstation

Over the past week or so I’ve been moving to a new computer at work. This is partly because my old machine had been going for nearly two years without a re-installation of Windows and was beginning to get cranky as a result, but also because I needed to move to Windows Server 2003.

Yes, you read that correctly: I am now using a Windows Server 2003 box as a workstation.

There is actually a very good reason why you would want to do something like this: SharePoint development. You can not install SharePoint on Windows XP or Windows Vista, which means that up to now we’ve had to remote desktop into our main development server for much of our SharePoint work. It works up to a point, but that way I don’t have all my other tools such as Reflector, Paint.net, Tortoise Subversion and Dreamweaver immediately to hand and set up the way I like them, I have to spend an inordinate amount of time shunting files to and fro across network shares (a very annoying faff), and I haven’t been able to make the most of my dual vertical monitor setup.

Now as Windows Server 2003 is built on the same code base as Windows XP, you would think that you are simply dealing with a souped-up version of XP on steroids. However, in practice, things are never that simple.

Out of the box, Windows Server 2003 is not configured for any of the cool stuff. It has a whole raft of settings that you tend to just take for granted when it’s running on a box in a server cabinet or a data centre and only ever gets accessed by terminal services. These let it take all the boring bits in its stride, but if you want to use it as a workstation, you have quite a bit of leg-work and tweaking to do. However, there is a pretty comprehensive guide on how to get it to behave like a workstation rather than a server, so it seems that if you want to run both MOSS 2007 and Lego Star Wars on the same box, it is possible. In theory, at least.

Windows XP hardware drivers tend to be up to snuff, at least insomuch as Windows XP drivers are up to snuff in general, but I had quite a struggle getting the video card to work correctly, and eventually I had to disable DirectDraw and Direct3D accelerations to stop it crashing altogether. I am not sure whether it’s the driver, the video card or the OS that’s at fault there, but since my work doesn’t involve anything that requires DirectDraw or Direct3D acceleration, fixing it has had to take a back seat.

The only real downside is that the current version of Windows Live Writer stubbornly refuses to install. It’s a bug or a design flaw in the installer, and there is apparently a workaround for it, but you can blog from Word 2007, so for the time being I won’t worry too much about that. However, I don’t think I’ll be in much of a hurry to deploy Windows Server 2003 similarly at home, especially when you consider that Windows Movie Maker is also absent.

And yes, perhaps I could have waited for the Windows Server 2008 RTM. However, with a survey at the start of this week showing that even after about nine months, 90% of IT professionals have concerns about migrating to Vista, and half of them have no plans to deploy it, I don’t think I’ll worry too much about that just yet either.

15 Nov

Password Reminders Considered Harmful

How does your website handle users who have forgotten their password?

Chances are, you ask for their e-mail address, look them up, extract their password from the database, and e-mail it to them. Nice and simple, and convenient for the end user, and easy to program.

Unfortunately, it is seriously and dangerously flawed.

Almost everyone re-uses login details across multiple web sites. It simply is not realistic to expect them to do otherwise. As a result, if an attacker manages to compromise your user database, they will be able to impersonate your users on potentially thousands of websites, including some that store their credit card details.

Never think you are immune to this. It happened to Reddit, a popular user-generated news site similar to Digg, and it can happen to you. It is very difficult to be 100% sure that your database will never fall into the wrong hands: unless you have enterprise-level security staff, infrastructure, procedures and budget, every single person involved with your data will be a weak link in the chain, from the developers to the DBAs to the dodgy geezer who comes in as a contractor to do the building’s networking. Do you know where all the copies of your data are — even the partial, out of date ones that your developers use for testing? Are you sure there aren’t any hanging around on backup CDs, USB key disks, laptops, or old PCs that you are throwing out?

No, you should never store your users’ passwords directly in a database. Instead, you must use a salted hash: a one-way encryption algorithm which makes it impossible — or at the very least, computationally very expensive and impractical — to reverse engineer them into the original password.

Unfortunately, this means that you can’t send password reminders to your users. Instead, you have to send them a single-use link to a page where they can reset their passwords on confirmation of their e-mail address. Because of this, some people prefer to sacrifice security in favour of convenience here. In fact, if the comments that were left on Jeff Atwood’s blog when he wrote about this subject are anything to go by, sometimes this design decision is imposed on developers, against their recommendations, by their managers.
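As an added example (not code from the original post), the scheme described above in Python: passwords stored as a salted PBKDF2 hash, and a reset link carried by a random single-use token whose hash and expiry are the only things kept server-side. The in-memory users table is a constructed stand-in for a real database.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 200_000   # work factor; raise it as hardware gets faster
RESET_TOKEN_TTL = 3600    # seconds a reset link stays valid


def hash_password(password, salt=None):
    """Return (salt, digest): PBKDF2-HMAC-SHA256 over a fresh 16-byte salt."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


class UserStore:
    def __init__(self):
        self.users = {}   # constructed in-memory users table: email -> record

    def register(self, email, password):
        salt, digest = hash_password(password)
        self.users[email] = {"salt": salt, "hash": digest, "reset": None}

    def login(self, email, password):
        u = self.users.get(email)
        if u is None:
            return False
        return hmac.compare_digest(hash_password(password, u["salt"])[1], u["hash"])

    def request_reset(self, email, now=None):
        """Return the single-use token to e-mail, or None for an unknown address."""
        u = self.users.get(email)
        if u is None:
            return None   # caller shows the same "check your e-mail" message either way
        token = secrets.token_urlsafe(32)
        now = time.time() if now is None else now
        # Store only the token's hash and expiry: a leaked copy of this table
        # cannot be used to finish a reset.
        u["reset"] = (hashlib.sha256(token.encode()).digest(), now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, email, token, new_password, now=None):
        """Consume the token: it works at most once, and only before it expires."""
        u = self.users.get(email)
        if u is None or u["reset"] is None:
            return False
        expected, expires = u["reset"]
        u["reset"] = None   # single use: cleared whether or not this attempt succeeds
        now = time.time() if now is None else now
        if now > expires or not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), expected):
            return False
        u["salt"], u["hash"] = hash_password(new_password)
        return True
```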

I think that Mats Helander comes up with the best response to this, when he says that it should be illegal to store passwords in a database in plain text:

Many comments on Jeff [Atwood]’s blog lamented the fact that sometimes your boss will decide for you that passwords should be stored in plaintext (or two-way encrypted using a secret key, which the hacker will of course be able to obtain as readily as your password list, meaning it’s as good as plaintext). One often suggested reason would be a requirement that the system must be able to mail back a user’s forgotten password.

In my opinion, this is one of the very rare cases where I think the law should get involved, protecting the developer from having to compromise my security in order to keep his job. The developer should be able to say “No boss, that would be against the law”.

I couldn’t agree more. Really, the extra complexity introduced by the “reset password” option is very minor, and given the potential consequences of losing your data to an attacker, seriously compromising my security in favour of convenience in this way is inexcusably reckless, especially in a day and age when identity theft is a serious and growing problem.

12 Nov

Procedural programming != functional programming

One thing that irks me a bit is when developers deride “functional programming” as something for complete n00bs and script kiddies who haven’t a clue about writing software.

The most common offenders seem to be some advanced PHP developers who know something (perhaps quite a lot) about object oriented programming, think it’s the greatest thing since sliced bread, consider themselves smart (with some justification) because a lot of developers simply don’t “get” OO and they do, and look down on what they call “functional” programming.

Now they’re mostly right, but they’ve got their terminology wrong. What they actually mean is procedural programming.

There is a big difference.

Procedural programming is where you view your code linearly, as a set of instructions to be executed one after the other. You write a series of instructions outlining what you want to do, extracting commonly used bits of it into procedures and functions. You think in terms of do this, do that, if-then-else, and so on. It’s useful for small quick-and-dirty scripts, it’s very easy to learn, and it’s the way that most people start off programming. It’s software development at the level that trendy designers in Brighton who do beautiful stuff with Flash and Photoshop can understand.

However, it gets a rough press from OO geeks, since more often than not you end up with things like copy-and-paste code, global variables all over the place colliding with each other, and functions with parameter lists that reach into double figures. And when your app reaches the size and complexity of, say, WordPress, it becomes pretty unpleasant to maintain.

Functional programming, on the other hand, is a bit closer to rocket science. Joel Spolsky describes functional paradigms as considerably harder than OO, and considers them a good discriminator between really brilliant developers and the unwashed masses, along with concepts such as pointers and recursion. Most of the trendy designers in Brighton would struggle with many of the concepts, and the real experts in functional programming tend to congregate in places such as NASA, Google and MIT, writing massively scalable search algorithms and the code that keeps the Mars rovers entertaining us with panoramas of the Red Planet.

It’s where functions take on a different nature altogether: they are first class objects, and you can pass them as parameters to other functions, or have them as return values. Differential calculus is one such example: you pass a function, such as y=x³, into the “differentiate” function, and it returns another function, y=3x².

It gives you useful and powerful features such as closures — where the function runs in the context of its scope as it was when it was created — or iterators (the yield statement) and it allows you to do very fancy things with very little code. Things that would require fancy design patterns such as Abstract Factory, Decorator and so on in classic OO, and even fancier hoops to jump through in merely procedural languages. It is used at a fairly basic but very effective level in jQuery, for example, which allows you to produce jaw-droppingly fancy Ajax-enabled websites with only a few lines of code. However, that is only scratching the surface: once you really get into it, you have to grapple with highfalutinalia such as fixed point computation, monads, and much more.
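The three ideas from the last two paragraphs (a function that takes a function and returns one, the closure that results, and an iterator built with yield), as an added Python example that is not from the original post. The derivative is numerical, by central difference, rather than symbolic.

```python
from itertools import islice


def differentiate(f, h=1e-5):
    """Take a function, return a function approximating its derivative.

    The returned function is a closure: f and h stay bound to the values
    they had when differentiate() was called, long after it has returned.
    """
    def derivative(x):
        return (f(x + h) - f(x - h)) / (2 * h)   # central difference
    return derivative


def cube(x):
    return x ** 3            # y = x³


three_x_squared = differentiate(cube)      # behaves like y = 3x²
six_x = differentiate(three_x_squared)     # derivatives compose: y = 6x


def compose(*fs):
    """Functions as parameters and return values: compose(f, g)(x) == f(g(x))."""
    def composed(x):
        for f in reversed(fs):
            x = f(x)
        return x
    return composed


def powers(x):
    """Iterator built with yield: produces x, x², x³, ... lazily, on demand."""
    value = 1
    while True:
        value *= x
        yield value


def first_n_powers(x, n):
    return list(islice(powers(x), n))
```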

Perhaps I’m being a bit pedantic here — you tend to get that way a bit when you spend a lot of time coding — but the next time you are tempted to knock “functional programming” just bear in mind that by so doing, you are inadvertently dissing people who are a lot smarter than you.

09 Nov

Sorry, but who are you?

By some strange quirk of Google, I tend to hover around the top of the listing for a search for "James McKay". Here in Blighty, I seem to be jostling for the top spot with a criminal defence solicitor in Elgin, Scotland, but in most of the rest of the world, "I’m feeling lucky" sends the average punter to yours truly.

Now this namesake of mine may or may not be a distant relative, but he is not me. Unless of course it is somehow possible to simultaneously be both a web developer in the south of England and a criminal defence solicitor in the north of Scotland and be totally unaware of the fact. However, while that may be the case on TV programmes like Stargate SG-1, it doesn’t happen in real life.

We also both share our name with, among others, the author of a book on ferrets, a nineteenth century Canadian politician, a historian at the University of Birmingham, and thousands of other random individuals in Scotland, England, the USA, Canada and everywhere else you could possibly imagine. There are no less than 147 of us on Facebook.

As you can imagine, occasionally I get e-mails or Skype messages or whatever out of the blue from people whose names I don’t recognise, addressing me as if we’ve known each other for years. Just to make things slightly complicated, we may actually have met before. Is it really appropriate to say bluntly to them, "Sorry, who are you?" in such cases?

I may have met them when I worked with my father, for instance. As a well respected Bible teacher, author and public speaker, he enjoyed something of a minor celebrity status in some Christian circles, and inevitably some of that rubbed off onto me, and as a result, I got to meet a lot of people. Unfortunately, I am not the best person in the world at remembering people and putting names to faces, so that complicates things a little bit.

Facebook friend requests are easy. Especially if we have a mutual friend: I can fire off a message to them and ask them to jog my memory and spare me any embarrassment, if I am still puzzled by the person concerned’s profile page. Other means of communication are slightly more complicated, however, since I am then faced with the task of breaking it gently to them that rather than being the close friend they expect, I may in fact be a complete stranger.

Don’t let this put you off from getting in touch with me of course. I’ve no objections to widening my social circle, or renewing old acquaintances, and as long as I can establish that you’re not an axe-murderer and you’re not trying to sell me viagra, cheap mortgages or pirated software, I won’t mind. And please don’t be offended if my memory of you falls short of your expectations: if we have met, you may just have fallen foul of the absent minded side of me, especially if it’s been a long time. However, if you are looking for a criminal defence solicitor, a ferret expert or a historian, I’m afraid I can’t help you.

08 Nov

Can we live without Wikipedia?

It’s now about two months since I decided to quit editing Wikipedia, and I think it’s been the best decision I’ve made so far this year. Wikipedia can be pretty distracting if you take it too seriously, and in fact the best advice I can give to anyone thinking of becoming a regular Wikipedian is: don’t.

I’ve decided that I’m not going to make any anonymous edits either. When I see stuff on Wikipedia that is blatantly biased, untrue and even downright stupid, it takes a lot of restraint to avoid clicking the "Edit" button, but I’ve decided that the best thing to do is just resign myself to the fact that Wikipedia is a soapbox, it is a social networking site, it is an indiscriminate collection of information, and it is pretty much everything else that it claims it isn’t, and trying to keep it right is like painting the Forth Bridge.

For a while I’ve been wondering on and off whether I could just dispense with Wikipedia altogether. As an experiment, I’ve added an entry for en.wikipedia.org to my hosts file on my work computer to block it off completely. It gets a little bit frustrating when I come across a link on someone’s blog to a Wikipedia entry on something I don’t properly understand, but hey, there’s always Google to help me seek out more reliable sources. It’ll be interesting to see how long I can go without it, but I rather suspect that before too long I won’t even notice it.