Monthly Archives: November 2012

An afternoon with Microsoft Surface #

I’ve been excited about the Microsoft Surface. I want to like it, but given my experience with Microsoft products over the past few years, my expectations were low. Ever since Vista, workflows that should be simple have become more complicated, and software more bloated. Simple examples include the restructured control panels, User Account Control, frustrations with “Windows Genuine Advantage” DRM, and the “dumbification” of Media Center (the Xbox version too, which works only when the planets are in perfect alignment). Microsoft has increasingly made it more difficult to enjoy using their products.

In what might be a great example of confirmation bias, I couldn’t bring myself to like Surface.

Prior to the iPad Mini debut, I was chatting with the father of one of my scouts. He mentioned that most people at his work were looking forward to it for one primary reason: being able to run Office apps. I do a great deal of work in Word and Excel, not because they’re my preferred apps, but because they are the common denominator for collaborating with others, and because the most ubiquitous citation manager (EndNote) develops its plugins for Word.

I was at the mall—visiting the Apple Store, as it happens—and saw ads for Surface plastered all over the escalators and central landing. “Microsoft Surface: Only available at the Microsoft Store,” the ads loudly proclaimed. A quick search on my phone showed the closest Microsoft Store was about a half-hour away. There wasn’t a Microsoft Store in the mall. Bummer. I wanted to try it out.

As it happens, there were a series of demonstration counters on the ground floor, that I’d somehow missed, directly under some of the huge advertisements for Surface.

Why is it only available at the Microsoft Store? Maybe Microsoft knows it’s not ready, and isn’t ready for the public to acknowledge that. Limited distribution doesn’t make sense unless the intent is to keep it from the public. Owning the hardware chain is a necessary step to producing a top device in the modern market, and providing top-notch support is equally important. Perhaps Microsoft doesn’t have the customer-support infrastructure in place for mass market yet. Maybe limited distribution is an ill-advised attempt to generate foot traffic in seemingly less-popular Microsoft stores. Whatever the reason, it’s an odd decision that will, in the long run, delay mass acceptance, which will, in turn, delay third-party developer adoption, neither of which are good outcomes for Microsoft.

With a four-year-old in tow (she was very patient with me), I test drove the Surface. Not all of the controls were naturally intuitive, but some of the basic ones were sufficient: swiping from the edge and the Windows key got me out of most applications, but it was never clear when I was quitting and when I was switching. I suspect there will be memory-related frustrations for typical users that don’t actively manage the number of running processes. There were too many widgets and “gee-whiz” add-ons for me to like it. I don’t care about (most) stocks, and don’t want the distraction of having them pushed to me. The same with weather data (I have a window, and I know what season it is), and news tickers (in addition to being a distraction when I’m working, I don’t particularly trust the curation). I want quick access to the apps I need to complete my tasks. While I suspect a great deal of this is customizable, I believe most people won’t customize, but the default presentation will be an underlying annoyance. While part of the joy of being a geek is endless customization, I never really feel productive doing it.

Apps on the Surface, in general, were slow to load, and made seemingly slower by long animations. Interfaces were radically different, to the point of being confusing. For example, the email page puts the “To” and “Cc” fields on the left (in landscape), with a great deal of empty (unused?) space below, and the “Subject” field on the right, where it is not clearly editable. Standard UI affordances that identify editable space weren’t used consistently. In other apps too, the UI seemed learnable, yet different.

I love the idea of the TouchCover, with its built-in keyboard. In practice, it didn’t respond well to how I type. I’ve read that it takes some getting used to, and I can see why that would be the case. The TypeCover, with its real keys, was much more natural for me. For a tablet to really fill the space between my phone and my laptop, it needs a keyboard, and I think Microsoft has a good innovation here.

In so many ways, Surface violated, or maybe more accurately, makes irrelevant, most previous experience with interfaces. It approaches interface design so differently, that everything is slightly foreign. There are some good ideas, and it’s learnable, but when everything is foreign, it’s by definition not intuitive. To add a Surface to my workflow would take effort before it felt natural, and that’s a barrier Microsoft needs to break to bring Surface mainstream.

It looks nice, but it’s not for me. Yet.

PHP mail() method fix #

After being away from programming for a while, I was working on a throw-away PHP script to email out grade notifications. Half-way through, I remembered the mail() function has never worked properly on my development machine. Sure, I could upload my script to a server, but it was too much hassle. It was only about 40 students, so doing it manually was not too much trouble.

A few days later, I was reading something online and it clicked: check the php.ini

Sure enough, nothing was specified, so PHP was trying to use the default. Sending mail from the bash command line worked fine:

~> printf "Subject: Test\nHello" \
    | sendmail -f [email protected] [email protected]

PHP, however, wasn’t working, even though it defaulted to sendmail. A quick which command sorted out why: the default sendmail path in php.ini was different than my actual sendmail path. ‘Twas quickly fixed, and now works like a charm.
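A small diagnostic for the mismatch described above, added here as an example and not part of the original post: it checks whether the first word of php.ini’s `sendmail_path` is actually an executable and, if not, prints the line you would want in php.ini based on the sendmail the shell finds. The function names `check_sendmail_path` and `suggest_sendmail_path` are my own; reading the live value via `php -r` assumes `php` is on `PATH`, otherwise the script falls back to an empty value.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose a php.ini sendmail_path
# that does not point at the sendmail binary actually installed on the machine.

# Returns 0 if the first word of the configured sendmail_path is an executable
# file, 1 if the value is empty (PHP falls back to its compiled-in default, which
# is what bit the author), and 2 if the path is set but missing/not executable.
check_sendmail_path() {
    configured="$1"
    [ -n "$configured" ] || return 1
    # sendmail_path is typically "/usr/sbin/sendmail -t -i"; keep only the binary.
    binary="${configured%% *}"
    [ -x "$binary" ] || return 2
    return 0
}

# Prints a php.ini line using the sendmail the shell resolves, i.e. the same one
# the author's manual `sendmail` test used; returns 1 if none is on PATH.
suggest_sendmail_path() {
    found="$(command -v sendmail 2>/dev/null)" || return 1
    printf '%s\n' "sendmail_path = \"$found -t -i\""
}

# Read the live value from PHP when php is available; otherwise treat it as unset.
if command -v php >/dev/null 2>&1; then
    current="$(php -r 'echo ini_get("sendmail_path");')"
else
    current=""
fi
rc=0
check_sendmail_path "$current" || rc=$?
case $rc in
    0) echo "sendmail_path OK: $current" ;;
    1) echo "sendmail_path is empty; PHP is using its compiled-in default"; suggest_sendmail_path ;;
    2) echo "sendmail_path points at a missing binary: $current"; suggest_sendmail_path ;;
esac
```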

There is still an issue with SpamHaus rejecting some emails at recipients’ servers, but stuff is at least getting sent properly now.

Comcast Humanitarianism #

Seth Clifford writes a frustrating story of his parents’ interaction with Comcast. Though never (yet) to the extreme level Seth describes, this always seems like the end game whenever I need to interact with Comcast or AT&T.

Update: Seth has written an even better follow-up.

H/T Jim Dalrymple.

Hacking Stripe’s Capture the Flag #

Note: I wrote this at the end of August, but never posted it. There are some excellent walkthroughs of the levels online.

I finished the “Capture the Flag” hacking event put on by Stripe, an online credit card processor. (It’s not a hugely impressive ranking, but finishing was not a trivial task! About seven thousand people started, I was 549 of 978 finishers.)

It was neat, and I learned a handful of things along the way, most notably a vulnerability in SHA (also, here), and I built a web server in Python. I hadn’t previously done more than a few lines in Python, so using a new language was a pleasant challenge. (@Stripe: Maybe some Clojure next time? I haven’t used that before either, but I’d like to!) The first levels were pretty easy, and I made it through the first five pretty quickly—it would have been even faster if not for family obligations like dinner and putting the kids in bed. For level 6, the chat rooms really helped out (I started lurking the chat rooms around level 4), and had it not been for the chat rooms pointing to an article on SHA vulnerability and suggesting a look at the level’s log files (which led me to notice another vulnerability that had to be leveraged as well), I wouldn’t have made it.

I ended up on the final level before anyone had captured the flag, as one of just over 100 people to get there (at the time). I ended up staying awake all night, somewhat to the detriment of my other projects. By the early morning, around the time there were about 10 people completing the last level, someone was kind enough to connect the dots of what I’d deduced from the code and inferred from the chat room. I knew from the chat room, for example, that I’d need SSH access on a server belonging to the “company”, and had been able to leverage previous hacks to deposit my SSH key and gain access, but wasn’t sure yet how to use it.

I finished my code a little while later, and did a first run, and was able to pare down the password space by about 1/3. I was tired though, and not particularly interested in the leaderboard, so I took a long (and much deserved) break. When I came back the next afternoon, there were so many users hammering the server that the port-counting method I used became ineffective. I kept tweaking my code, and eventually switched part of my code to Ruby to make it easier for me to edit/tweak. Ruby’s not my primary language either, but I’ve played in it enough—and used Prototype.js, which uses Ruby idioms—that I’m comfortable with basic tasks. Things would have moved faster if the final server had accepted PHP. It was frustrating that it didn’t; the hacked Level 2 didn’t expose the PHP binary to the command line but it executed PHP in the webserver as part of my exploit. (At least, PHP wasn’t in $PATH. As I wrote this, I figured out a way to find the path to the binary, but the servers are now closed so I can’t go back and attempt it.)

Switching to Ruby was, in the long run, I think, a mistake on an over-loaded server. Someone in the chat suggested they were able to significantly improve their success rate by implementing a particular piece in C instead of using an interpreted language. I spent some time in XCode and mostly completed the part I needed. At the same time, I was still running my Ruby code in the background, and went through several runs not making any progress because there was so much noise on the server (which was not helped by several users that thought they’d achieve success by port scanning as many servers as they could). I had other things to take care of, and dropped the project for a time, as I wasn’t making any progress.

I tried again the following morning, and there was still a great deal of jitter in the results, and again, I didn’t have time to finish up my C solution. I didn’t touch it at all over the weekend, which turned out to be enough time for the completion list to jump from the dozen or so it had been when I started to more than five hundred. When I checked Monday night, nearly every request went through fast enough with the Ruby solution that there was no need to switch. (By way of comparison, my first effort was successful in excluding a test only about 2 out of ten tries, while the test run on Monday succeeded more than 9 out of 10 times, which made checking the 4,000 tests I needed to run—four sets of 1,000, with each set dependent on the previous one—super easy, and my program runs were completed in a couple of hours of running in the background.)

Update (1 Nov): One of the prizes (the only prize, actually, apart from recognition) was a free T-shirt from Stripe. Mine arrived yesterday. It’s a lightweight, navy shirt, 50/50 cotton from American Apparel, with what seems to be excellent build quality.

Stripe CTF award shirt
