May 15, 2013

Here’s a Storify post assembled from a bunch of Tweets I just made inspired by the Google I/O presenation this year. Larry Page said there should be a part of the world set aside for unregulated research and science. Well, I think it should be called Google Island…

(if you’re viewing this through a news reader, the Storify content may not come through; if not, you’ll have to visit my site to see it)

May 9, 2013

TL;DR version: Sophisticated phishing attacks can be hard to detect for most. As software developers, we need to build better detection, prevention, and countermeasures into apps and services that relay and present these messages so users will be less likely to fall victim to them.

The Onion is a satirical news web site that looks like a legitimate news company. They make their living at spoofing the real news. So, they should be keenly aware of the fact that things aren’t always as they seem.

Well, recently, their Twitter account was hacked. Compromised by the “Syrian Electronic Army”. And now you can read about how they did it. The Onion’s tech team published an article about it: How the Syrian Electronic Army Hacked The Onion. Go read that now to get some context for what follows.

In short, it was a targeted attack. An email that was baiting the writers at The Onion to come and see an article about their organization. And look— it’s on The Washington Post! How exciting. The text of the link was an address that pointed to “…”, but the link itself pointed to another site entirely. I’ve come to call that kind of link a “forged link”; a fraudulent and deceptive hyperlink. The phrase also works in the sense that such a link is deliberately crafted to deceive.

How Forged Links Work

Stepping back a bit, for those that don’t understand how that works. An email message can be like a web page, where most anything in the email can be linked to a web site. Could be text, could be an image, or even white space. So, an address to something, like my own web site would be like this:

But see how it isn’t linked? It looks like an address, and it is, but unless it’s written this way, it won’t be usable:

<a href=""></a>

This is the HTML representation of a link, and this is how they’re written, but the bits in-between the < and > symbols are hidden from view when reading a web site or email message, since those are instructions to the computer; not really something for a human to read. But that was me being honest. What if I wrote this instead?

<a href=""></a>

and remember, you don’t get to see it that way in the actual email message. You’d see it like this:

Now then— the link to my site is still shown, and now it’s underlined, which means you can click on it. But, where you go when you click on it is somewhere altogether different. That’s how the forged link works. The link that the unsuspecting recipient at The Onion clicked on did not take them to “”, but instead, to a different web site that looked very much like a account login page. When that happened, it should have sent off alarms in the mind of the user— “why did that happen?”. But instead… at least for one or two that got this far… they entered their Google credentials and unknowingly sent them to their attacker. And, after sending the login information, they were simply passed over to their actual Gmail account, which probably displayed their email since they were likely still logged into Google.

Okay, Blame the User, Right?

The tech guys at The Onion give some advice on how to protect yourself from this kind of attack. But these recommendations put all the onus on the end-users:

  • “Make sure your users are educated…” Right off the bat— “the user was wrong, so teach them not to do that!”. Well, good luck with teaching everybody.
  • “The email addresses for your Twitter accounts should be on a system that is isolated…” Okay, so if we can’t avoid these attacks, might as well put their target a little further out of reach.
  • “All Twitter activity should go through an app of some kind…” Sure, cause nobody would ever attempt to obtain your HootSuite credentials.
  • “If possible, have a way to reach out to all of your users outside of their organizational email.” Not really anything preventative here, just disaster recovery planning.

Well, I prefer to place more blame on everyone else.

Antispam/Antiphishing Filters Failed

The fact that this email included a forged link like this and was not flagged in some way is frustrating. Computers are great at spotting a discrepancy like this— especially for pure-text links— and they should be helping us to be safe.

Of course, it could have been an image of a link to that was linked the bad web site. In that case, it may be necessary to use text recognition on images that are linked to see if they’re misdirecting.

The User’s Email Client (Gmail, Apple Mail, Outlook, etc.) Failed

If the message did reach the inbox, it should be flagged in a way to identify the forged link, and the fact that this is coming from a stranger (someone that has no correspondence history) and as such, links clicked on should be programatically and visually verified.

A programmatic verification would check the domain of the link against a database of known risky web sites.

A visual verification would involve (at a minimum) showing the user the actual link they’re about to visit. But it could also display a screenshot of the web page so they can see where they are about to go in a safe way before they actually visit the site.

Currently, some email apps offer some visual verification in the sense that if you put your mouse pointer on top of a link and hold there for a second or two, it will reveal the link address in a “tip” window. That’s cute, but not good enough.

The User’s Web Browser Failed

The user’s web browser allowed them to enter sensitive information (data into a password field) on a site they’ve never done that on before. The user should be warned— even before the keypress registers in the password field— that they are about to do something potentially risky. Something akin to this, but generalized for any untrusted web site asking for a login (and doesn’t call you an idiot, ideally).

And again, the web browser could check the domain against a database of risky sites (including all of these free web hosting services, God bless ‘em). A stronger warning should be given if the user is trying to enter sensitive information on a web site without a secure connection. These types of attacks rarely ever use a secure web site, since that requires money and creates a paper trail that can be followed.

We Can Do Better Than This

To sum up, there are many gaps to be filled in here. As software developers, we have to stop telling people that they are to blame for falling for these tricks. Let’s at least give them some better tools to arm themselves against the “Syrian Electronic Army” and other hackers out there.

May 3, 2013

Earlier this week, I got the following email from my Mom:

From: Mom
To: Brad Choate
Subject: Fwd: unauthorized access

I think you will tell me to ignore this. Right?

————— Forwarded message —————
From: Strife, C Frederic (FRED STRIFE MD) <[email protected]>
Date: Thu, May 2, 2013 at 4:31 AM
Subject: unauthorized access

Dear Valued Staff,

We suspect an unauthorized access on your account. To ensure that your account was not compromised, please click HERE     to confirm your identity and update your account.

(c) 2013 Webmaster Inc

Now, my Mom is not new to computers. She’s been using them since the ’80s. But she is susceptible to social engineering, because prior to the Internet, she wasn’t trying to be conned all the time. So, every now and then, she forwards an email like this to me, asking if it is legitimate or not. I typically just give a short “Nope; just delete that.” kind of reply, but this time, I decided to give her more to learn from. Here’s my reply:

To: Mom
From: Brad Choate
Subject: Re: unauthorized access

Yes, you can ignore an email like this. There are too many warning signs to even consider this is valid at all:

  • Who is “Frederic C Strife” and why is he emailing me about my account?
  • What is “Webmaster Inc.” (from the message)?
  • Why does this Frederic person think I’m part of his staff (from the message)?
  • What account is this in reference to in the first place?
  • What is the “” domain (from their email address)? You’ve probably not seen that address before.
  • What is the “” domain (from the link they want you to use)? “nf” is the domain for Norfolk Island, which is a small island near Australia. What would that have to do with any of my accounts?
  • Why is this email so short on information if it involves something so serious as unauthorized access to my account?

The email subject alone is enough to give me pause: “unauthorized access” — all lowercase, and a phrase that is purely meant to scare you and lure you into this trap.

At best, it was sent to you by mistake. At worst, it’s a link that will take you to a web site where it will attempt to install software on your computer than could contain a virus. But in this case, it is sending you to a web page that looks like this:

Webmail Phish Attempt

There’s nothing here that tells you you’re on a Google property. It isn’t explaining the situation further at all. It’s simply asking you to hand over your email address and password. They will then take it and attempt to use it to access your email. Why? To sift through it to obtain information about you, or useful things like information about other accounts. They could also change your password to lock you out of it. An email address is often used as a way to verify access to other accounts. They could request a new password for a bank account or your account (which could be discovered from your email history), which would send information to your (now compromised) email address for how to reset that password.

So, thanks for asking, but this is just a poor attempt to gain your email account credentials, pure and simple. Don’t fall for these.

More information on how to spot these right away:


This spammer was pretty lazy, actually. This is one of the more obvious ones. Some will mimic an email notification from a legitimate service like Gmail, or Yahoo! Mail. And the website itself is also pretty basic and not an attempt to appear to be any website you might recognize. Even the link in the email is unobscured. My guess is that they don’t really have to try. There are enough people that will simply click on that link and fill in a form like that without thinking much about it. (I did find it funny that they’re putting a captcha here… is this form being spammed?)

Be on your guard. As I explained to my Mom, obtaining your email account can open you up to other problems, including accessing other accounts that may be tied to your email address. At the very least, your email account could be used to propagate more spam and phishing attacks like this one.

Additional resources to educate yourself about phishing:

April 29, 2013

From year to year my work tools change. So, periodically I like to capture the state of my work environment on my computer. I’m a software developer (both web and iOS) who dabbles in design. Here’s the latest snapshot:

Bold items are essential apps. The others make life easier, but I could get by without them. Price legend (based on today’s prices; subject to change): $0 = free; $ = less than $10; $$ = more than $9.99, less than $20; $$$ = more than $19.99. I have more apps actually, but I can’t recommend them as strongly. I have given 5-star ratings to all of the above apps on the Mac App Store.

April 26, 2013

So I should probably give a bit of a recap to bridge the gap I’ve created from not posting here for a few years. Since then, the most notable change for me has been my work situation. It’s changed, but it hasn’t. Six Apart San Francisco merged with Videoegg to form Say Media. I transitioned to Say when that happened. Before that, I had already stepped back about a year or so prior from active work on Movable Type. MT lives on, under the care of Six Apart as it exists today in Japan, where it is in good hands.

Here at Say, I’ve had opportunity to work on a wide variety of products and services with Python/Django, NodeJS, Objective-C and yes, Perl too. We’re developing modern publishing tools as well as ad delivery tools (for web publishing, these go hand in hand). Say also owns a number of sites, like ReadWrite, SplatF, Remodelista and The Kitchn. One of my colleagues wrote about what we’re up to in terms of our direction and focus and sums it up nicely. And we’re hiring — if you’re interested, drop me a line.

And personally, while I’ve been away from my blog, I have been posting semi-frequently on Twitter, and on Please. Fix. That. where I rant about broken things I come across.

Other than that, the wife and kids are doing fine. We’re enjoying our 9th year in California. We own a house as of a couple of years ago and we have two parakeets.

There, you’re all caught up.

A few months ago I set my wife up with a Flavors landing page for her web site. She wanted to have her home page be more of a calling card and demote her blog just a bit, since she doesn’t post as often. I’m in the same boat, really, so I did the same for me yesterday. I wanted the new landing page to be reachable at “” and not a subdomain like “”, so I elected to relocate my existing blog and site content to “”.

Of course, this broke everything. To use a custom domain with Flavors, you have point your domain’s DNS record to an IP address they give you. Once you do that, you can’t route paths for links within your web site any longer. And Flavors gives you little control over how those links are handled: either they can give a 404 (“page not found”) error, or they can redirect anything they don’t recognize back to your Flavors page. And we all know, good permalinks never die.

So, one way around this is to use mod_proxy. This is an Apache module that can be enabled for just this purpose. Here’s the config I added to my VirtualHost entry:

ProxyPreserveHost On
ProxyPassMatch ^/$
ProxyPassMatch ^/(bradchoate/.*)$$1
ProxyPassReverse /

I’m using ProxyPassMatch so it is only enabled for the matching paths. If you just use ProxyPass, all paths underneath your site will be sent to Flavors, and that defeats the purpose. ProxyPreserveHost forwards my “” hostname on to Flavors, so they know which account to serve (mine, versus someone else’s). The second ProxyPassMatch was needed for their mobile interface. If you use this technique, just change “bradchoate” in that rule to your Flavors account name.

With these rules in place, everything seems to be working like I want. All of the Flavors page functionality is working like it was, and the rest of my web site is accessible to serve any links that exist on other sites.

I wish Flavors had better options for redirection; it would make it easier for their users to pass old links to a subdomain. In the end though, I prefer this solution myself. I don’t have to give up my domain and if I choose to stop using Flavors, there’s little to disconnect.

April 25, 2013

I’ve had a long hiatus from the blog. I regret getting away from long-form writing and feel the need to return to it. But I had to do something with my home page. I’ve decided to use to give the site a fresh coat of paint. Of course, handing over your domain to a third-party is not really a long-term solution, but I’m fine with this for now.

The unfortunate side effect of using Flavors is that they don’t really have any sort of redirection policy for 404s, except that they just forward back to the top of the domain. Naturally, this breaks every permalink I’ve ever published. I regret that and hope to rectify it in some way. For now, the solution is a bit manual: replace “www” with “blog” if you want to find anything published on the old site. (Update: mod_proxy to the rescue.)

So, here’s to 2013 and doing something.

February 17, 2010

Unicons is a little project I put together today, making it easier to insert some of those little Unicode symbols (like ☃ or ☺ or ✌) into web text fields. You know, the text fields you see on comment forms or Twitter.

The project is hosted at Github and feedback is welcome!

November 3, 2009


Belorussian translation provided by PC

I picked up an Apple Magic Mouse at the local Apple store Thursday night. It’s pretty nice! It’s amazing to me how Apple brought the mouse to the mass market (well, Dvorak didn’t like it) but have done a poor job in the design, until now.

What I like:

  • the slim design
  • even with batteries, this thing is light, but not too light
  • fewer moving parts, and no scroll wheel to keep clean
  • most of the top surface area is touch-sensitive
  • no more red light for the optical sensor!

What I don’t like:

  • it was a little pricey, but I remember paying $100 for the first Microsoft optic mouse

My other area of complaint can’t be summed up in a bullet. Basically, it’s the gestures. Apple has brought three slightly different sets of multi-touch gestures to the market in three different products: iPhone, the multi-touch trackpad and now the Magic Mouse. I’m going to look at five of these gestures in particular:

  1. clicking (or tapping for iPhone)
  2. content scrolling
  3. content magnification
  4. content rotation
  5. content navigation

iPhone (and iPod touch of course) multi-touch gestures are really, really natural to me, but maybe because I’ve been using them longer than these other devices. Gestures on iPhone for these five interactions are:

  1. clicking: single finger tap
  2. content scrolling: single OR two-finger slide up/down
  3. content magnification: two-finger pinch/spread
  4. content rotation: two-finger rotate
  5. content navigation: single finger slide left/right (as used for photo navigation)

It is interesting that iPhone recognizes both single and two-finger slides for content scrolling. I believe this is done with an eye towards what I am looking for and will elaborate on — a universal set of gestures.

Apple added multi-touch to their trackpads and some gestures to go with them. They differ from those on iPhone, namely because you aren’t interacting directly with a screen, but with an area that is controlling an on-screen cursor. This is a very different model from a multi-touch display which has no cursor to speak of. So, the multi-touch trackpad gestures are:

  1. clicking: single finger click and/or tap (MacBook trackpads can be configured to accept a tap as a click action but they are no configured this way as a factory default)
  2. content scrolling: two-finger slide; omnidirectional
  3. content magnification: two-finger pinch/spread
  4. content rotation: two-finger rotate
  5. content navigation: three-finger swipe left/right (as used to navigate backward/forward in a browser or navigating a photo album in iPhoto)

Now those are mostly the same, with the exception of the content navigation gesture.

So how about this Magic Mouse? Gestures are:

  1. clicking: single finger click (a tap on the surface does nothing)
  2. content scrolling: single OR two-finger slide; omnidirectional
  3. content magnification: none
  4. content rotation: none
  5. content navigation: two-finger swipe left/right (as used to navigate backward/forward in a browser or navigating a photo album in iPhoto)

The Magic Mouse may not support tap-to-click because it has a serviceable button, and having two ways to click would be kind of weird. But the multi-touch trackpads that also have a tactile click for the trackpad itself (including all the new MacBooks, save the MacBook Air which still has a separate button) and can be configured to support a tap to click as well. I personally prefer this configuration since there is less effort to do something that you do all the time.

As for gesture two… well, obviously, a single finger slide on the trackpad is the mouse equivalent of moving the mouse around. So we can’t expect Apple to change the trackpad’s single finger slide gesture to scroll content (unless they add an optical sensor to bottom of their laptops, but who wants to move their laptop around to move the cursor?). The other option is to use two-finger sliding to scroll on the Magic Mouse. Well… actually, that works too — you can use either a one or two-finger slide for scrolling.

What about the gestures for content magnification and rotation? The Magic Mouse is missing these for some reason unknown to me. The hardware should be capable of recognizing such gestures as recognized on iPhone/iPod touch and trackpads.

Content navigation gestures differ in number of fingers across all three: iPhone only needs one finger (granted, the use there is for full-screen pages, like on the Springboard and photo albums; this same gesture can’t be used for navigating forward and backward in Mobile Safari), the Magic Mouse uses two fingers and the trackpad uses three! The trackpad cannot use two fingers because two finger scrolling can scroll horizontally as well as vertically. And while you could conceivably use three fingers on the Magic Mouse (there may be a hardware limitation, but I doubt it), it’s kind of awkward to do so.

All in all, it’s a mixed bag. I can understand the decisions made around making these gestures differ from one context to another, but at the same time, it’s frustrating that they are different. This feels like an area where a real standard should emerge, one that can be used across these devices so consumers don’t have to re-train themselves when they shift from one device to another.

If I had my druthers, I would recommend the following as universal gestures:

  1. clicking: single finger tap and (Mac only) right-click: two-finger tap
  2. content scrolling: two-finger slide (single finger use for iPhone/Magic Mouse)
  3. content magnification: two-finger pinch/spread
  4. content rotation: two-finger rotate
  5. content navigation: three-finger slides

This affects all three multi-touch devices in subtle ways: for the Magic Mouse, Apple would have to support tapping the surface to behave as a click and support both two and three-finger slides for content navigation. They would also have to implement gestures for content magnification and rotation (I suspect they plan to eventually). For iPhone, recognizing three finger slides to navigate content in Safari would be great, as it doesn’t support any gesture for that interaction today. A three-finger slide could also be treated as page turns for other contexts where a single finger slide work now. For multi-touch trackpads, Apple would need to make tap to click a default configuration, so this behavior is supported without having to reconfigure your trackpad to use it.

With these minor adjustments, a single set of gestures can work across all these devices. Optimized versions of these gestures can still be supported — you should still be able to scroll on iPhone and the Magic Mouse with one finger, but the universal gesture would be two fingers.

It’s kind of strange to me that Apple has shifted from a position where they insisted on grounds of usability that a single-button mouse was “The Way” for so long to where we are today: a variety of input devices with rich and complex interaction features that also have varying control schemes. Hopefully some standard will emerge… I’m sure someone at Apple is thinking about this too.

Having said all that, I really do recommend the Magic Mouse, particularly for desktops and for the Mac mini which is where I use mine.

Finally, one last wish of mine: I’d love to see an alternate Magic Mouse driver written that makes this device function just like a multi-touch trackpad. I’d like to just leave this mouse stationary and simply use my finger on the surface as I would a trackpad. So single finger sliding would move the cursor, instead of moving the mouse itself. And if that were possible, I’d also prefer to use the mouse in a sideways orientation, since screens are generally wider than tall. Apple could do this as an alternate configuration for their mouse, but this feels like a third-party thing and one I would gladly pay for.

August 11, 2008

Did you know you can assign a keyboard shortcut that invokes any browser bookmark you’ve created? For example, I have a bookmarklet for sharing a link on I’d like to run that bookmarklet on the active page using Ctrl+Cmd+F. To do this, I can create a keyboard menu shortcut for OS X:

Friend Feed Shortcut

Creating the shortcut is easy: open your System Preferences and go to the “Keyboard & Mouse” preferences, then click on the “Keyboard Shortcuts” tab. Click the “+” button below the shortcut listing. Set the shortcut to apply to “Safari” (or “Firefox”) in the Application list, then type in the name of your bookmark (exactly as it is labelled in your bookmarks), and set a keyboard shortcut.

After you do this, you may have to restart your browser to try it out. I’ve also noticed that these shortcuts are not always recognized right away, due to the way the menu options for bookmarks are lazily loading until it is needed (Safari and Firefox both behave this way). Just click on the “Bookmarks” menu option if your shortcut isn’t already working; you only need to do that once after the browser has loaded.

I love this tip because it makes bookmarklets so much easier to invoke, and it doesn’t involve using any weird third-party software hacks to do it.



Powered by Movable Type