Keep the disclaimer at the start at the front of your mind.

This tool is fragile and not ready to be called alpha quality
It is definitely not ready to be useful on large programs
We will release it under an OSI license … soon

SNAP Presentation (PDF)

At first glance that does not sound very exciting, but look it is 4.9MB. 4.9MB! - It must be some sort of interactive, fully immersive 3D shopping experience that would put the old boo.com to shame. To require a 4.9MB download, plus an internet connection, I bet they have figured out a way to let you be hundreds of kilometres away and yet still sniff the ink and get paper cuts from paper specially selected for “your specific printer”. I’ll bet you can virtually bathe in Vivera ink and feel it squish between your toes.

I can hardly wait to try it, but I think I am going to try putting it off for a few days longer, so that anticipation will help me to truly savour the experience. Besides, I am a bit busy today, and figure I really should wait until I have half a day to properly devote to the delicious, invigorating ink repurchasing extravaganza that awaits me.

Thanks for your interest in my blog.

Unfortunately, I get so much fan mail that I cannot respond to all of it personally, but rest assured that I do read and appreciate all of it.

Cheers,

Luke Welling.

I am kind of flattered that he thinks this blog is important enough to waste $75 filing a Small Claims Court Complaint in Ontario.

I am pretty sure emailing me a blurry PDF does not count as serving me with the document, but what I know about Canadian law would fill a very short book. I guess I will need to read up on it one evening. I am still not sure any amount of reading will find a Canadian law matching the complaint “Un-authorized[sic] publication of my personal name (un-konwingly[sic] at first knowingley[sic] and willingly after) cuasing[sic] seriouse[sic] damage to my reputation”.

I do hope he is also suing the schizophrenic, voice hearing brother for the initial unauthorized use of his name. If me using it once is worth $10000 worth of reputation, then the brother plastering it all over the internet must be getting a huge bill.

When I am served properly, I guess I will have to reply. Until then, here is the blurry PDF of the complaint. It looks real enough to me, but I suspect the court might have more luck communicating with me if he included a country in my address.

The original of the Bryan or Seyed B. Mirkalami post may have been taken down by quityourdayjob.com.au, so you might have to look to a cache.

Anyway, here is the email in full. Unless somebody can point me to a law making it an offense to publish a name without authorization I am not going to lose sleep over it. I have looked back and my post on Jim Mirkalami does not seem defamatory.

Subject: Un-authorized publication of my name

Mr. Welling

My name is Jim Mirkalami and it has come to my attention that my name has been published within your website/s and blogs, without my authorization.

I hereby request from you to immediately remove any and all references made to this name and refrain from such publications in the future without my authorization.

Your immediate attention to this matter is greatly appreciated.

I will have no option but to commence legal action in an effort to protect my name, if my request is denied. I will be doing so a week today on Monday
April 7th, 2008.

Thank you
Jim Mirkalami

The summary for a story about botnets was decorated with blurry clipart that seemed familiar to me.

Talk about “rooster one day, feather duster the next”. The the logo from officepirates.com is now relegated to blurry clipart status. Although as I said back then, that venture elected to skip over the rooster stage, and take a more “turkey one day, feather duster the next” trajectory.

1. Jim Mirkalami Says:
February 6th, 2008 at 6:25 pm

I have been a frequent visitor of this blog for some time now, so I thought it would be a good idea to leave you with my thanks.

Regards,
Jim Mirkalami

It has that “almost certainly spam but hard to be dead sure” feel to it that a lot of spam comments have. Strangely although it is an optional field, he gives yahoo.com as his website. This seemed even stranger when you note he seems to have his own website (jimmirkalami.com) unless there are two single fathers of two with that name in Ontario.

It seems like a pretty uncommon name, so I google for him. The first few links are news stories alleging questionable ethics in Canadian Auctions for jewelry and Persian rugs. Curiouser and curiouser.

Of course, I am only guessing that it is an uncommon name. It could be the equivalent of Smith in the middle east. It certainly seems fairly popular in among Toronto rug merchants.

Here is my theory.

I’d be upset if the first google result for my (fairly uncommon) name led to a page that started “No charges laid …”.

Knowing a little about SEO and the way google ranks pages, I think you could fairly quickly bury those stories by commenting on a lot of blogs. It would be harder if the story was all over major media. Not many blogs have a pagerank that can compete with CNN or the NYT (pagerank 9), but Google ranks local media about on par with a popular blog. There are no shortage of blogs with a pagerank around 5 or 6. Google only gives canada.com 7.

The comments appear to be somewhat targeted. They seem to appear on blogs (but not always posts) that mention the word ‘auction’ or the word ‘Canada’. There are automated comment spam tools that will find suitable blogs for you, or in a little more time you could do it by hand from any of the blog search engines. A few days later he commented on another post of mine that does contain the word auction (because it is about ebay).

The text of that comment is

Jim Mirkalami Says:
February 8th, 2008 at 3:13 pm

I have been visiting this site a lot lately, so i thought it is a good idea to show my appreciation with a comment.

Thanks,
Jim Mirkalami

PS: I am a single dad! ;)

Other ones you will see around the place are:

Tammy kingston, on February 5th, 2008 at 5:18 pm Said:

Jim Mirkalami, the very globally highly regarded auctioneer, is a peaceful man single father of two beautiful children. He is also a regular reader of this blog. Great job you ppl!

Aslan, on February 7th, 2008 at 10:06 pm Said:

He is a kind and very loving man.

I don’t know who Tammy is. I get no useful search results for “Tammy Mirkalami”, but I am guessing she is from Kingston (which is near Toronto). I am guessing the Aslan above is more likely to be Aslan Mirkalami (owner of rugman.com) than a lion king from Narnia.

Does this variety of reputation management work? Sure does. A few days later, and at least the top 10 pages of search results for his name are all blogs. The negative press is presumably still indexed, but has dropped way down the list where only a dedicated searcher will find it. He many have overplayed his hand though, as the first result at the moment is a blogger calling him a spammer.

So here are some morals to this story.

• If you are going to have dissatisfied customers, make sure you have few enough that only local media cover the allegations.
• Commenting furiously on blogs will give you Google results that effectively act as noise
• Try to tailor the comments to the blogs a little. It would not take much more time, and would make the effort invisible.

Oh, and surely you already knew that whenever you buy anything (including rugs and jewelery) valuations from the seller are worth only slightly more than the paper your blog is written on.

This is being actively exploited. It would also be worth checking your old blog posts for subtly inserted links in the article text. You might find words that were in the original article now link to spam parking pages.

Every now and again though, I just can’t help taking the bait.

You used PHP to write WHAT?! by Kenneth Hess on CIO.com grates. PHP programmers in general are pragmatic. It is not generally a language chosen by purists and zealots who latch onto one tool and claim it to be perfect in every way, and appropriate for every task. There are plenty of people with deep PHP knowledge who could have written an insightful article fitting into the CIO series’ theme that no one language is right for all applications.

Pap annoys me more when it appears in something claiming to be mainstream media than when it appears in some loser’s blog. Traditional media, while possibly doomed, does employ editors and generally attempts to check facts.

Well, sometimes they check facts. Ignoring the subjective parts that are merely the authors opinion, this article has so many simple factual inaccuracies that it is laughable. I assume the author does not have a great deal of experience with PHP.

Given he claims you can port an application from one database to another with minimal effort by running find and replace to swap mysql_query() with mssql_query() it seems likely that he has never written a non-trivial application in any language. So his major claim that PHP does not scale is presumably based on conversations he had with the fairies that live at the bottom of his garden.

Maybe it is just that Java fanboys push my buttons more than Ruby fanboys. Maybe it is just that damning with faint praise is more annoying than overt attacks. Barack Obama is “articulate“. Australia is “lovely” and reminds Bill Bryson of Iowa in 1958. PHP is good for “Creating an intranet site”. Come on!

Actually, it is might not not even be the factual inaccuracies and unsupported assertions that irritated me most. When I hear “enterprise” used as an adjective and not a punchline I involuntarily clench and it is there five times on one page.

Postscript: A couple of days later, Terry Chay could not resist opening a can of Terry Chay on them.

At this time of year people are apt to get all warm and sentimental … Right up until their first trip to a mall on a Saturday when they go back to hating their fellow man and instituting an “If Amazon don’t sell it, you’re not getting it” policy on gift giving. December is very important to retail, and very important to retail sites.

I remember some good advice I read a long time ago. Vincent Flanders & Michael Willis in Web Pages That Suck suggested you “follow the big dogs”, in other words copy Amazon. Their reasoning was sound. You will likely get it wrong on your first try, you can’t afford to run usability studies of your own, and don’t want to spend months and numerous iterations getting it right. Learning from other people’s mistakes is always less embarrassing than learning from your own.

I have had to paraphrase here, because I opted to recycle nearly all my old books rather than ship them half way around the world. Had I wanted to check the accuracy of my quote, it would have cost me one cent to buy a second hand copy of that book.

While the long term relevance of most of the advice in old computer books is fairly accurately reflected by that valuation, it was good advice in 1998. If you were embarking on an ecommerce venture at a time when there was a shortage of people who knew what they were doing, best practice conventions were not settled and innovation was rapid there were worse philosophies you could have than “What Would Amazon Do?”

The same idea is popular today, and for the same reason. There is always a shortage of people who really know what they are doing, so there are plenty of people making decisions by asking “What Would Google/Amazon/Microsoft/eBay/PayPal/Flickr/Yahoo/YouTube/Digg/Facebook Do?” If you are in a space where nobody really knows the best way yet, copying the segment leader is a low risk, low talent shortcut to making mainly good decisions, even if does mean you are always three months behind.

The idea does not apply well to web application security. There are two main reasons for this: first, the big dogs make plenty of mistakes, and second, good security is invisible.

You might notice mistakes, you might read about exploited vulnerabilities and you might notice PR based attempts at the illusion of security, but you probably don’t notice things quietly being done well.

Common big dog mistakes include:

• Inviting people to click links in email messages.
  You would think that, as one of the most popular phishing targets out there, PayPal would not want to encourage people to click links in emails. Yet, if you sign up for a Paypal account, the confirmation screen requests that you do exactly that.

  

• Stupid validation rules.
  We all want ways to reject bad data, but it is usually not easy to define hard and fast rules to recognize it, even for data with specific formatting. Everybody wants a simple regex to check email addresses are well formed. Unfortunately, to permit any email that would be valid according to RFC2822, a simple one is not going to cut it. Which means that many, many people add validation that is broken and reject some real addresses. Most are not as stupid as the one AOL used to have for signing up for AIM, which insisted that all email addresses ended in .com, .net, .org, .edu or .mil, but many will reject + and other valid non-alphanumeric characters in the local part of an address (the bit before the @).
• Stupid censorship systems
  Simple keyword based censorship always annoys people. Eventually, somebody named Woodcock is going to turn up.
  Xbox Live is infamous for rejecting gamertags and mottos after validating them against an extensive list of “inappropriate” words. Going far beyond comedian George Carlin’s notorious Seven Dirty Words, there is a list of about 2700 words that are supposedly banned. By the time you add your regular seven, all possible misspellings thereof, most known euphemisms for body parts, racial epithets, drug related terms, Microsoft brand names, Microsoft competitors’ brand names, terms that sound official and start heading off into foreign languages, you end up catching a lot of innocent phrases.
• Broken HTML filtering.
  Stripping all HTML from user submitted content and safely displaying the result is often done badly, but is not that difficult. On the other hand, allowing some HTML formatting as user input, but disallowing “dangerous” parts is not an easy problem, especially if you are trying to foster an ecosystem of third party developers.

  The MySpace Samy worm worked not because MySpace failed to filter input, but because of a series of minor cracks that combined allowed arbitrary JavaScript. Once you choose to allow CSS so that users can add what passes for style on MySpace it becomes very hard to limit people to only visual effects.

  eBay has had less well known problems with a similar cause, but without a dramatic replicating worm implementation. Earlier this year scammers were placing large transparent divs over their listings so that any click on the page triggered a mailto or loaded a page of their own. I could not see examples today, so I assume they have fixed the specific vector, but giving users a great deal of freedom to format content that they upload makes ensuring that content is safe for others to view very difficult.

• Stupidly long urls
  The big dogs love long complicated urls.

        https://chat.bankofamerica.com/hc/LPBofA2/?visitor=&mse
        ssionkey=&cmd=file&file=chatFrame&site=LPBofA2&channel=
        web&d=1185830684250&referrer=%28engage%29%20https%3A//s
        itekey.bankofamerica.com/sas/signon.do%3F%26detect%3D3&
        sessionkey=H6678674785673531985-3590509392420069059K351
        97612

  Having let people get used to that sort of garbage from sites that they should be able to trust, you can’t really be surprised that normal people can’t tell the difference between an XSS attack hidden in URL encoded JavaScript and a real, valid, safe URI. Even abnormal people who can decode a few common URL encodings in their heads are not really scrolling across the hidden nine tenths of the address bar to look at that lot.

• Looking for simple solutions
  Security is not one simple problem, or even a set of simple problems, so looking for simple solutions such as the proposed .bank TLD is rarely helpful. This is not helped by the vendor-customer nature of much of the computer industry. The idea that you can write a check to somebody and a problem goes away is very compelling - buy a more expensive domain name, or a more expensive Extended Validation Certificate, or run an automated software scan to meet PCI compliance and you might sleep more soundly at night, but many users already don’t understand the URL and other clues that their browser provides them. Giving more subtle clues to them is unlikely to help. Displaying a GIF in the corner of your web page bragging about your safety might create the illusion of security and might well help sales, but it won’t actually help safety on its own.

You can’t follow the public example of the big dogs. They still make some dumb decisions, they still make the small mistakes that allow the CSRF and XSS exploits that are endemic and they are often not very responsive to disclosures. If a major site makes 99 good security decisions and one bad one, you won’t notice the 99. Unfortunately with security you are still far better off seeing how others have been exploited and critically evaluating what they say they should be doing, rather than trying to watch what they actually are doing.

Oh, and remember to stay away from malls on weekends in December.

Maybe I should have waited until I have had time to watch all of it and see if I want to encourage people to watch it, but here is in two parts anyway.
Part 1 and Part 2

We talk about books, Laura travails against frameworks, I talk about security, we talk about how we got into PHP, and I probably compare Java to something unpleasant.