Category Archives: Software

“User-Agent” Headers Holding Back The Web

Every time you visit a website the name and version of your browser is sent to the service. In fact with every requested image, video, and style sheet the same data is sent again and again. This not only wastes bandwidth, it also subtly encourages web makers to rely upon it as a shortcut to make services work consistently across platforms. Later browsers then include more tokens in their “User-Agent” header to maintain compatibility with these fragile services. Over time the header becomes larger and the web more brittle. For example, Internet Explorer 11 identifies itself as “Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko”. Can you tell which part communicates that it is Microsoft’s Internet Explorer?

Of course it’s impractical for every web site/service to test every possible combination of browsers and platforms. So those of us developing sites and services only test the most popular browsers at the moment. Over time this leads to a web which caters to a mix of the most popular browser of the past and present, depending upon the time any given service was last made. As more and more devices leverage HTTP for the Internet-of-things this problem may grow more complex. Web standards and feature detection can help.

With well defined standards and run-time detection of features it’s possible to avoid the trap of ‘sniffing’ the browser from it’s UA headers. And while cutting edge features and services may benefit in the short-term from taking the shortcut of browser detection, they can also leverage vendor-specific prefixes of features in flux. Once standardized the prefixes can be replaced with official and non-prefixed names.

My experience detecting significantly different platforms such as mobile or internet-of-things (IOT) devices do still have some valid uses for the UA header. But ultimately they may be better served by a new, simpler header or more platform-independent designs. Until then Mozilla’s recommendations are a reasonable place to start.

In recent years even the once-dominant Microsoft notes the weaknesses and problems with UA headers. Sadly, my experiments sending an empty or minimal UA header have found too many sites broken to recommend the approach to non-technical users.

How about you? What do you think of UA headers?

VirtuaWin Vs. Windows 10 Virtual Desktops

VirtuaWin‘s virtual desktops has long provided the ability to expand your Windows work-space without adding extra physical screens. Now that Windows 10 includes its own virtual desktop/work-space feature I’ve found it both an improvement and a small step backwards. After a few months with both let’s break down how they compare.

Here is a table documenting my findings as of January 2016. (Since Windows 10 and VirtuaWin may evolve in the future I’ll try to keep this up-to-date.)

behavior or capability VirtuaWin Win. 10 Desktops
Boss key to hide other screens Yes No
Compatibility issues with some Intel drivers Yes No
Customize number of screens Yes (up to 20) Yes (100+)
Customize shortcuts Yes No*
Jump-to-screen shortcuts Yes No
Show a window on all screens Yes No
Switching from windows with admin. privileges Yes Requires extra key press
Switching from certain** modal windows No Yes
Vertically aligned screens Yes No
Windows with admin. privileges appear on all screens (bug?) Yes No
Wrap around when switching from first/last screen Yes No
*It’s possible to make alternative shortcuts for Windows 10 desktops using 3rd-party tools like AutoHotKey.
**My LockyWindow product has used a modal window when unlocking to prevent manipulating the underlying KeePass window. VirtuaWin’s switching feature is disrupted by such windows.

While VirtuaWin is more feature packed I personally don’t miss most of the capabilities absent in Windows 10’s desktops. Those most lacking were the jump-to shortcuts and the option to wrap around from the first/last screen. Still, the ability to switch away while administrative windows have focus is much appreciated. Window management in Windows 10 Desktops also feels more user friendly than VirtuaWin’s tray pop-out.

How about you? Do you use virtual desktops? If so which solution works best for you?

VeraCrypt Is Too Slow And Complex

Now that more Truecrypt weaknesses have been revealed the open-source solution taking its place appears to be VeraCrypt. Yet its extra-secure encryption of the system partition adds so many rounds booting is slowed and the extra PIM concept mandates an extra step to every startup. This situation makes it even less suited to non-technical users than TrueCrypt before it.

Steve Gibson may be ready to recommend VeraCrypt, but I don’t think it’s ready for the masses; up to version 1.15 anyway. After clocking my boot time with system encryption it took an extra 85 seconds. Talking non-technical friends and family through even basic use of TrueCrypt volumes was challenging enough. VeraCrypt’s additional Personal Iteration Multiplier certainly adds more security. Still, the extra step and forgettable-yet-necessary element is only making it less novice friendly.

Another long term problem is VeraCrypt’s lack of Secure Boot support. This prevents booting with whole-disk encryption on machines locked down within UEFI’s boot-loader signing. Hopefully VeraCryp support will be done before Secure Boot becomes widespread.

Now having tried the built-in encryption features of Windows, OS X, and Ubuntu Linux the VeraCrypt software does still offer a nice cross-platform solution. The VeraCrypt UI is also easier than Linux, though it has a way to go before being as easy as Windows and OS X. With a little UX love and simpler defaults VeraCrypt has the potential to offer a compelling alternative for regular folks.

Secure KeePass’s Window With LockyWindow

Having used KeePass for years I’ve longed for a way to secure the window while still auto-typing with shortcuts or integration plug-ins. So recently I made LockyWindow as a paid plug-in for the professional edition (v2) of KeePass password safe.

Unlocking the window can be done with the master password or a customizable quick-unlock PIN. The locking period can be customized to fit your preference. One can also lock or unlock using the shortcut or menu item.

You can find out more on the product page at PaulRRogers.com/lockywindow.

Despite SuperFish, Bundled Software Is Not All Bad

Recent news surrounding Lenovo‘s shipping the insecure adware known as SuperFish has stirred up more hate for bundled software. Yet I’d guess we have all relied upon pre-installed software and enjoyed the benefits of additional bundling. Most devices and PCs come ‘bundled’ with operating system software such as Microsoft Windows or Apple OS X. Other less controversial categories include media software (think DVD or Blue-ray codecs), games, office suites, and security tools.

Samsung is a company known for its bundle-ware. So much so that Korean courts have ordered them to allow customers to remove the software from their phones. On the other hand I’ve found some of their offerings quite useful:

  • Calendar and tasks are solid and Exchange compatible
  • Customized tray is quite convenient
  • Integrated power-saving mode has helped with battery life
  • Samsung Knox allows me to encrypt my phone without rooting
  • Timer and alarm clock apps are both solid and easy to use
  • Voice recorder is solid and advertisement free

Knox was apparently so well received that Google has integrated it into Android. My other, non-Samsung phones have also included a mix of useful, and not-so-useful bundles. A few of the best included the Swype keyboard and a handy automation feature.

Of course not all bundled apps are appreciated: Samsung’s Magazine app is not my first choice, the sketchbook is not the most obvious, and I’m not a big fan of Uber’s ride-sharing app being automatically installed with a recent update. That being said, on the whole the good ones far outweigh the others.

Bundling can have downsides besides annoyance or security bugs. When platform makers have too much power, such as a monopoly, their bundling can be anti-competitive: swallowing up whole markets. Still, from the customers perspective the lower prices, (sometimes) enhanced ease-of-use, and heavy discounts on bundled software are tough to resist. Besides gradually giving more and more money to fewer and fewer companies is a disadvantage few customers probably consider when they’re shopping.

Imagine buying a new PC and not being able to play DVD’s or music without paying extra? That was the case with the original Xbox because of the added cost to license the patents. Today most devices can playback media using common, patented technology because those licenses are already part of a bundle. Likewise most can open a PDF document, a spreadsheet, and update their own hardware drivers without extra effort because of bundled software. So next time you encounter a new device with a desktop full of icons remember there may be some treasure hiding there.

FocyOverride Gives You Control Of Browser Focus

You can control the default form focus with this new, premium Firefox add-on. As a long-time KeePass user I often found myself clicking on the same user/e-mail field time and again to begin auto-typing. A few years back I made this to override the default page focus, or lack thereof. Now I’m offering this as a product so you too can take control of Firefox’s form focus.

It can also highlight focused inputs, select input content, and help with voice control by blurring focus so elements can be called out. Upgrades are free for life, and a money-back guarantee is included.

For more information see the product page at PaulRRogers.com/focyoverride.

Issue Tracking Needs Are Specialized

Different companies have different kinds of issues and ways of managing them, so I probably shouldn’t be surprised there are many software and service solutions available. And as an engineer it’s tempting to fall into one of two extremes: build it from scratch or buy something and deal with it.

Do-it-yourself was my preferred approach as a young and ambitious programmer. After all, what could be better than a custom-built solution? However, within five years of making and maintaining such solutions I found myself in the get-it-and-forget-it camp. Another five years later I think I’ve settled somewhere in the middle.

My first experience with issue-management systems was on-line support forums. These were simple message boards requiring a lot of moderation. Shortly thereafter I was exposed to a somewhat custom, Lotus-based solution. This time though, as a support technician handling the problems. Since the solution required Lotus, and only worked within the network, it seemed ripe for replacement with a web-based frontend. Studying web programming made me eager to try my hand at making something better.

Building custom intranet solutions came next with employment at a company branching out into other industries. It was interesting to see how the various needs could be met with custom software. At first simple comment systems were enough for employees to keep track of their customer complaints, notes, and follow-ups. Of course e-mail and IM were also being used heavily to supplement.

In time, however, maintaining so many different systems became burdensome for only two or three developers. Increasingly I also saw patterns in the various needs that also fit some existing solutions.

One of the first to be used in house was Trac, and it worked well for our needs initially. Integration with software repositories was nice. Some add-on’s for things like discussion boards worked well enough. The wiki, its integration, and its export options were my favorite features. At one point I even used the mantra “If it’s not in Trac it doesn’t exist” in a push to unify the disparate repositories of knowledge.

Over time though it’s simplistic reports and lack of built-in, multi-project support were too problematic. Other solutions were tried with varying levels of success and failure. One of the most lasting was Altassian JIRA and it’s wiki offering. Customization options did not appear obvious or immediately better to me at the time. Though, some in management were more familiar and appreciated it’s built-in flexibility.

Experiments along the way pushed the boundaries of such trackers; pressing them into service as the official source of truth, customer complaint tickets, feature tracking, road-mapping, to-do/task management, time tracking, and discussion. Ultimately I’ve come to realize that specialization is needed; even if it takes the form of creative use of, extension software for, or rethinking about existing solutions. And at times it is better to have many, separate solutions than keeping it all in one.

Adventures In Self-Hosting: Owncloud Review

After using it as my primary file-sync and backup service for about 10 months I’ve concluded Owncloud still requires an hour or so per month for a tech-oriented person, but it’s worth it. With enough persistence, and tolerance for some lingering quirks, Owncloud could work for you; whether or not you know how to setup a server.

Disclosures by Edward Snowden and limits to Dropbox’s free accounts have made Owncloud an increasingly tempting option. Whether Dropbox, Apple, or any other 3rd-party-cloud claims they cannot read our data the biggest players all still control the software which handles the keys. So if they get curious or a government warrant appears then they can always push an update to read whatever we have not encrypted ourselves. This didn’t particularly concern me as I’ve little to hide from the authorities. But every well-intentioned backdoor has the potential to be exploited by less trustworthy types. Dropbox’s 2G limit (16G with enough referrals) also proved limiting as my collection grew.

So around December last year I began trying to self-host Owncloud with a Raspberry Pi and Owncloud version 5. Since it lacked authentication logging I had to add it manually. Thankfully more recent versions already have this built-in. It worked well enough–if slowly at times–for the first few months.

Once my wife began using the server along with me problems started cropping up: disappearing files, logs complaining about locking, and upgrade trouble. This was around version 6.0.x, and Sqlite seemed to be the culprit as it’s not intended for multiple users. Manually migrating to Postgresql did the trick; things were back to normal. Version 7 should include official support for Sqlite-to-Postgresql migrations.

If you’re working with a lot of different files often then Owncloud feels a bit slower to sync than Dropbox; though, it’s not perfect either. Pauses or network outages also seem slightly more disruptive to Owncloud.

Another caveat is that both Dropbox and Owncloud don’t work very well with Git clones. They’re slow to sync because of the many files involved, conflicts can get messy, and file locking can get in the way. So if you’re working with projects checked out of Git then you’d be wise to keep your clones in a non-synced folder. Checking in often or backup another way should suffice. If not then Gitlab is a popular, self-hosted alternative to keeping local-only clones.

Each major release of Owncloud brings welcome new enhancements, and aside from my Sqlite issues, the upgrades have been relatively painless. I’d definitely recommend it for a business of any size or technical individuals. Perhaps some packaging tools or OS distributions can make the process easy enough for even the most basic user to get their own cloud.

Update: Owncloud’s client now makes selective sync much easier, and it has coped with my careful selection arrangement nicely. Also, there is a alternative known as Seafile which transfers multiple files more quickly than Owncloud while also offering self-hosting.

User Input Is Often Like Water, Finding All The Cracks

Makers of software and technology services must walk a delicate balance between allowing users the freedom to enter their choice of input without allowing compromise of the system. Traditionally systems have assumed users have the best of intentions; this can lead to positive emergent behavior and growth. But as more business has moved on-line so have thieves and other malicious users. It’s no wonder that malicious input is now the number one threat on OWASP’s top 10 list.

Water seeks the path of least resistance as it flows, making rivers crooked. Likewise as the volume of user input increases it also seeps into more and more areas of weakness. And as the developers of services address these weaknesses it often adds complexity that bends and contorts their systems. E-mail software has become increasingly complicated because of it how it is used, misused, and creatively adapted.

At times the data itself becomes deformed to fit within whatever bounds cannot be broken, similar to water filling a form. Twitter‘s 140 character limit has led to or expanded creative use of text including: hash-tagging (‘#’), at symbol (‘@’) nicknames, URI shortening services, etc.

Despite the advantages of allowing liberal input my experience has been that it’s usually best to start strict and loosen up later. Trying to deny values or data that people have become accustomed to is a challenge. The push back may be too much to overcome, meaning the producers must live with that data forever or try to slowly deprecate it.

In extreme cases systems are like submarines in the deep sea which must withstand constant, destructive pressures. Without careful management and design user behavior and contributions can become the tail wagging the dog. This can be beneficial in some cases; though, it can also lead to unmaintainable expectations. An example in the larger software ecosystem is seen as the free software movement advances and some users (at times myself included) come to expect software at very low or zero cost despite the costs involved in their production.

What do you think?

Moving To Windows For Speech Recognition

Practical speech recognition options for non-Windows operating systems are few. Yet after years of overuse my hands needed a break from the keyboard and mouse. After a few months with SphinxKeys on Linux, some experiments with Simon Listens, and reading about the limitations of Dragon Dictate for Mac the only viable option was to return to Microsoft’s OS.

As a child in the early 1990’s I grew accustomed to Microsoft‘s DOS and consumer editions of Windows. College and a job at a very Apple-friendly company led to spending a lot more time with Linux, enterprise Windows, and OS X. As newer versions offered speech recognition and text-to-speech I toyed with these features like everything else. Sadly those brief trials left me with the impression that they were not ready for everyday use. Years later, typing and mousing around had caught up with me. In late 2013 there was no denying it was time to revisit speech recognition, and much more seriously.

By this point I was years into Linux and loving it: powerful shells, federated package management, light resource usage, lots of software choices … besides voice input. While Linux has several speech tools they all seemed impractical:

  • IBM’s ViaVoice was sold and died out
  • Palaver sends voice data through Google, incompatible with my job requirements
  • Platypus didn’t work with my version of Dragon
  • Simon Listens was cumbersome and never worked for me
  • SphinxKeys only simulated keystroke input
  • Vedics didn’t compile and seems out-of-date

There are more options on Linux. Though, after trying so many I had already found more success with Windows.

Around this time an old copy of Dragon NaturallySpeaking (circa 2007) turned up at a local thrift shop. Spending some time with it revealed how useful the different modes were, showed the promise of the software development kit, and piqued my curiosity into the tools others had built on it. Sadly it didn’t support 64-bit and integration into existing software was very limited. Apart from Microsoft Office it didn’t have a lot to offer out of the box. Reviews of later versions seemed to reaffirm that the software wasn’t going to work for my needs.

Microsoft began offering Windows Speech Recognition with Windows Vista. And after using it for a few months on Windows 7 I can say it does a passable job with a good, properly configured microphone. Integration with built software like Internet Explorer and Windows Live Mail is solid. Other applications like Miranda IM work reasonably well too. Too bad most fall back to the annoying, if usable, dictation pad. Patience and persist help in the hunt for the most practical solutions.

WSR can be resource intensive. My computer’s memory usage climbs a bit. Things also get slower as I keep many programs open. Using a lot of tabs in IE or Firefox caused the most slowdown; making scrolling a chore. Underpowered computers like netbooks, Celeron-equipped laptops, or older desktops only served to disappointed. Your mileage may vary.

While WSR works alright as is it really needs customization options to fit a wider variety of workflows. There are a few tools out there:

The first two also offer versions that work with Nuance’s Dragon products which helps avoid lock in. At this point I’ve settled for WSR Macros with some AutoIt tweaks to get voice clicking without the mouse grid and other things.

Today my voice does about 15% of the work. It helps most with e-mail, instant messaging, blogging, clicking, and window management. After seeing Tavis Rudd‘s presentation on programming by voice I hope to achieve a similar proficiency. Until then the experiments will continue as time permits.

Have you ever tried speech recognition? What did you think? If you’d like to share please comment.