
I write this blog post with apologies to Dale Carnegie for the play on the title of his book.

Today, Jeff Atwood writes about the difference between writing and copywriting. His essential point is that good copywriting is marketing and is boring. Good writing, on the other hand, is engaging and not boring. Understand the difference?

I think this dovetails nicely into another article I read recently at A List Apart entitled Calling All Designers: Learn to Write!

Derek Powazek points out that creating a good user experience goes beyond rounded corners and visual design. Good writing is an essential part of creating a great user experience. He cites Flickr as one example of getting it right. Rather than a button that says Submit, they have a button that says Get in there. That really is friendlier, isn’t it?

When you think about it, using plain casual English is much more natural for people to read. How often in the real-world do you hear people asking you to submit anything except when submitting a drug test or tax forms in triplicate?

So I took a look at my blog and noticed that in the front end, there is pretty much only one button that people use on a daily basis and it said Comment. So I changed it to Leave Your Mark and sat back waiting for the accolades to roll in on the improved user experience. Anybody hear crickets?

Well it is going to take more than changing a single button to improve the overall user experience here. I will actually have to start writing well and quit using this random copy generator. But these are definitely insights I want to take into consideration when I get around to tweaking and updating the admin interface to Subtext. What are areas in which we can improve the writing? How can we improve the user experience? Little touches add up to a lot in creating a great experience.


I recently set up Payroll via Paychex for my company. It is an eye opener to see exactly what taxes an employer pays on top of the taxes already deducted from each employee’s paycheck. I mean, I always heard that my employers were paying taxes for me when I was an employee, but I never knew how much. Till now.

This is helpful when figuring out your total compensation as it is part of the hidden cost of going into business for yourself. Of course, we are a C-Corp so these figures may be different for other types of businesses. I wouldn’t know and this does not qualify as tax advice.

Tax Breakdown

Tax                   Rate
Social Security       6.2%
Medicare              1.45%
Federal Unemployment  0.8%
State Unemployment    0.8% (State of CA; this changes.)

Some Notes:

Social Security has a wage base limit of $94,200. So if an employee makes more than that (including bonuses etc…), the employer will only be taxed 6.2% of $94,200.

Medicare has no wage base limit.

The last two taxes are only taxed on the first $7000 of wages per employee per year. So the employer pays 3.4% of $7000 for each employee assuming each makes $7000 or more a year.

So make sure these figure into your cash-flow estimates. Also, don’t forget that by law, most companies are required to carry Workman’s compensation insurance. That will cost you a small chunk of change per year as well.


Since I had a rough week last week, I thought I would post something fun today. While some people are just jumping on the dual-monitor bandwagon, I have recently moved on to three screens.

Three Screens

Of course that is not exactly true. The two screens on the right are attached to my new Dell Dimension 9150 workstation. The one on the left is attached to my old Shuttle system. That there is running the VMWare Server that hosts Subtext’s CruiseControl.NET build server.

The only reason I got the third screen is that because of a deal they were offering, it actually lowered the cost of the lease to get this screen than to not get it. You can’t beat a deal like that!

Rather than using a KVM, I am using MaxiVista to remote control the computer via the third monitor. That works pretty nicely, though MaxiVista seems to hiccup a lot.


So in the hustle and bustle of trying to get my Yahoo account back (it has been returned), I forgot to show some love for JackAce of the Code Turkey blog. He and I used to work at SkillJam and he was the one who alerted me via email that my account had been jacked.

In this post, he describes the general tactic that an Instant Messaging based attack takes to spread itself.

He also provides some tips to avoid phishing and talks about what to do if you are phished. Be careful out there.


So after getting my Yahoo password phished, my wife reminded me that we should put a fraud alert on our credit file. I first heard about this from my friend Walter a while ago, but we never got around to it.

This is a flag that the major credit bureaus (Experian, Equifax, and TransUnion) attach to your credit report. If someone (including yourself) tries to open up a new credit account, the lender is supposed to (though not required by law) contact you by phone to make sure that you really do want to open a new account.

Keep in mind that this applies to applying for a new credit card, obtaining a car loan, purchasing a cell phone, etc…

Setting up a fraud alert is pretty easy. There are three major credit bureaus you can call, but I prefer to do these things online. If you go to https://www.experian.com/fraud/, you can apply for the initial security alert (90 days) via the internet. They will forward the alert to the other two credit bureaus so you shouldn’t have to call them. One other benefit is that they let you print out your credit history online for free.

If you live in California, the protections are much better. According to California Law SB 168, you have the right to freeze your credit record at each bureau. This makes it impossible to issue credit in your name, even for someone armed with your name, address, Social Security Number, etc… To do this, you do need to contact each bureau in writing and send in $10.

For instructions on the benefits of a credit freeze and how to contact each credit bureau, check out this page on the Fight Identity Theft website.

Apparently similar laws apply to the following states at the time of this writing (CT, IL, LA, ME, NV, NC, TX, VT, WA).


UPDATE: I am back in business. I have re-obtained control over my Yahoo account. So the IM messages you receive from me are really from me. I won’t make this mistake twice.

Never operate a computer while sleep deprived. In fact, I am starting to think people should be licensed to get on the internet much like you do to drive a car. I am absolutely mortified to admit this, but I got suckered in a phishing attack that occurred via Yahoo Messenger.

I received an IM from a former boss with a link to a geocities photo gallery. When I clicked on the link, it looked just like a Yahoo photo gallery. Thinking (or rather not thinking), “Oh yeah, Yahoo owns Geocities now, right?” I logged in to see the photos. Big mistake. Right then I had the sneaking suspicion that I had done something painfully wrong.

And today, it was confirmed when a friend emailed me to tell me that I got my password jacked. If you see an IM from me or anyone with the link http://www.geocities.com/ladivabev/photos_pics.html (or rather any geocities link) DO NOT CLICK ON IT.

I cannot believe I fell for this. I am usually excellent at spotting and ignoring these, but everybody has their off days. And lately, I have had a string of them. I recently accidentally deleted all my backup data on my external hard-drive. Sleep deprivation is a killer.

And if you receive an IM or Yahoo message from me, please know it is not from me until further notice.


Well, this recent phishing attack is a clear demonstration of the inherent dangers of homogeneity. Biologists and epidemiologists have known this stuff for decades. Having given out my Yahoo password would have been much more disastrous if I was using Yahoo for my primary email address. Fortunately I use Gmail. Imagine the damage had I given out my Passport password. Egads!

Unfortunately I do use Yahoo Messenger. But I also use MSN and Skype. One password does not connect the bad guys with everything I use to communicate. But it is enough for them to do some damage. When you get an IM from a credible source, it is hard to resist. It naturally brings your defenses down. A clever example of social engineering.


Prolific blogger Mr. Jeff Atwood, author of the CodingHorror blog, paid us a surprise visit last night. He is in town for a couple of days to do something or other unimportant. He tried to explain something about presenting Team System to important people but all I heard was “blah blah TS blah blah”.

After a fine dinner at the new Ford Filling Station (owned by Harrison Ford’s son) we gathered around the screen and had a chat with the not-so-prolific blogger lately, Jon Galloway.

Jeff and Jon

So that there is Jeff on the left getting cozy with Jon on the right, who couldn’t make it in person but would like to thank the academy via live video feed courtesy of Skype™.

Jeff is one of the few people who regularly reads my blog through one of these antiquated mediums called a browser. Which is actually great since he gets to experience the very cool drop-shadow effects I apply to my photos. Go CSS!

After a bit of plotting to overtake the planet and typical jokes at each other’s expense, we all went our merry ways. Except for me, I live here.


With many thanks to Simone Chiaretta (blog in Italian) for his effort, we now have a working CruiseControl.NET setup for Subtext. Check out the chrome (or lack thereof) on our CCNET dashboard.

Though we have some kinks to work out (the build is apparently broken according to CCNET), I am particularly happy about getting this up and running. As a distributed open source project, it is part of our master plan to follow agile development practices that are well suited to building Subtext. Continuous integration is particularly important for us since we are in different time zones and locations.

The CCNet server is running on Windows 2003 within a VMWare Virtual Server on my old development workstation. That makes our build server very portable should we decide to host it elsewhere someday.

Once we get the kinks worked out, you can download the CCTray system tray applet and keep tabs on the development of Subtext. You’ll know exactly who breaks the build and when. How is that for open source?

To get CCTray to work, make sure your firewall allows TCP traffic over port 21234. Then add the server build.subtextproject.com:21234.

Though for now, let’s be adults and keep the teasing to a minimum. I apparently broke the build, but I am betting it is a configuration issue with moving the virtual server from Italy to Los Angeles. Ciao!


This is a story of intrigue.

Ok, perhaps that is a bit overblown. This is really a story of schizophrenia. It is the story of a method PageParser.GetCompiledPageInstance that exhibits a different behavior depending on whether or not you have the <compilation> tag’s debug attribute set to true or false.

The problem first came up when deploying the most recent builds of Subtext with this attribute set to false. This was the natural response to Scott Guthrie’s admonishment, Don’t Run Production ASP.NET Applications with debug="true" enabled.

However, this affected Subtext in an unusual manner. Subtext employs a URL rewriting mechanism I wrote about before. It relies on an IHttpHandler that is created by calling PageParser.GetCompiledPageInstance.

I will spare you all the details and cut to the chase. GetCompiledPageInstance takes in three parameters:

  • virtualPath (string)
  • inputFile (string)
  • context (HttpContext).

In the initial request to the Subtext root, the values for those parameters on my local machine are:

  • virtualPath = “http://localhost/Subtext.Web/Default.aspx”
  • inputFile = “c:\projects\Subtext.Web\DTP.aspx”
  • context = (the current context passed in by the ASP.NET runtime)

The interesting thing to note is that there is an actual aspx file named Default.aspx located at http://localhost/Subtext.Web/Default.aspx. When the debug compilation option was set to true, this method would return a compiled instance of DTP.aspx (hence the URL rewriting).

But when I set debug="false", it would return a compiled instance of Default.aspx. Holy moly!

I confirmed this by attaching a debugger and going through the process multiple times. Using Reflector, I started walking through the code for GetCompiledPageInstance until my eyes started to burst. There is a lot of machinery at work under the hood. I eventually found some code that appears to generate a URL path differently based on debugging options. Not sure if this was the culprit, but it is possible.

Setting debug="false" causes the runtime to perform a batch compilation. Thus a request for /Default.aspx is going to compile all *.aspx files in that folder into a single DLL. Setting that debug value to true causes ASP.NET to compile every page into its own assembly.

My fix is a bit of a hack, until I can get a deeper understanding of what is really happening. As I see it, calling GetCompiledPageInstance with a virtualPath that points to one file while passing in a different physical file path to inputFile is causing some confusion. Perhaps due to the batch compilation.

To remedy this, I simply have a check before we call GetCompiledPageInstance to check the end of the virtualPath for /Default.aspx (case insensitive of course). If it finds that string, it truncates the default.aspx portion of it. That seems to do the trick for now since this is pretty much the one place in which URL rewriting would attempt to rewrite a url that itself points to a real page.

For a nice look under the hood regarding the compilation option, check out this post by Milan Negovan.

Please keep in mind that this is a separate issue from deploying your compiled assemblies in debug mode or with debug symbols. This has to do with the ASP.NET runtime compiling the ASPX files at runtime.
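As an added illustration (not Subtext’s own code), here is a minimal IHttpHandlerFactory that performs this kind of rewrite through PageParser.GetCompiledPageInstance and applies the Default.aspx trimming described above. The class name, the fixed mapping to DTP.aspx and the decision to keep the trailing slash are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not Subtext's own code: a minimal IHttpHandlerFactory that
// rewrites requests to another physical .aspx file via
// PageParser.GetCompiledPageInstance and applies the workaround from the post:
// strip a trailing "/Default.aspx" from the virtual path before the call so
// that batch compilation (debug="false") does not hand back the real
// Default.aspx instead of the rewrite target.
// Register it in web.config with something like:
//   <httpHandlers>
//     <add verb="*" path="*.aspx" type="RewriteHandlerFactory" />
//   </httpHandlers>
public class RewriteHandlerFactory : IHttpHandlerFactory
{
    private const string DefaultPage = "/Default.aspx";

    // Case-insensitive check for a trailing /Default.aspx. Keeping the trailing
    // slash is an assumption; the post only says the Default.aspx portion is
    // truncated.
    public static string TrimDefaultPage(string virtualPath)
    {
        if (virtualPath != null
            && virtualPath.EndsWith(DefaultPage, StringComparison.OrdinalIgnoreCase))
        {
            // "/Subtext.Web/Default.aspx" becomes "/Subtext.Web/"
            return virtualPath.Substring(0, virtualPath.Length - DefaultPage.Length + 1);
        }
        return virtualPath;
    }

    public IHttpHandler GetHandler(HttpContext context, string requestType,
                                   string url, string pathTranslated)
    {
        // Hypothetical mapping that mirrors the post's values: the request for
        // Default.aspx is served by the physical file DTP.aspx.
        string inputFile = context.Server.MapPath("~/DTP.aspx");
        string virtualPath = TrimDefaultPage(url);
        return PageParser.GetCompiledPageInstance(virtualPath, inputFile, context);
    }

    public void ReleaseHandler(IHttpHandler handler)
    {
        // Nothing to release; the runtime owns the compiled page instance.
    }
}
```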


Yes, yet again I have purchased tickets to Burning Man scheduled for August 28 through September 4, 2006. And you better believe I am bringing the prep back!

Bringing Prep To The Playa

I must be an addict for pain, discomfort, and Playa dust to return a third time. But I had such a great time last time, and the time before, that I just couldn’t hold back. And this time, I am dragging my buddy (and business partner) Micah along. Still working on getting Kyle to come again.

Tags: [BurningMan]


I am absolutely livid with my company’s bank right now and I need to blow off some steam. We had two recent deposits reversed because of a missing endorsement. This is odd because I am always careful to sign every check. Well it turns out that they changed their endorsement policy on March 31 and didn’t bother to notify us.

The problem is not that the new requirements are so onerous, they are not, but that without notification, I have no way of knowing the new requirements. Adding to the problem is that they mail the checks back (I live walking distance from our local Washington Mutual) and it has been a week already and we haven’t received our first check back. As any small business owner knows, cash flow is king. When the checks arrive is more important than the amounts of the checks.

I absolutely detest the horrendous level of service banks provide. When I moved to Los Angeles, I started with Bank of America and they were the absolute worst experience I have ever had. But WAMU is closing down on that.

Well anyways, thanks for letting me blow some steam. I needed that.


UPDATE: I updated the article a bit to better explain decimal expansion to negabinary.

Ok, here is where I go and really geek out a bit. Scott presents a simple javascript to display negative numbers as red. He takes a nice clean straightforward approach by using javascript to inject a CSS class on specific elements that have a negative number.

As his script merrily iterates its way through the page’s elements, it checks the values of the element to see if the first character is a “-” (dash). And this works just fine for the majority of you people so thoroughly stuck on the “decimal” system.

But as I pointed out in his comments, this discriminates against negative base numbering systems such as …drumroll… Negabinary!

Doesn’t negabinary sound like one in a long string of major villains to attack Godzilla and end up destroying Tokyo yet again?

Negabinary is a lot like binary’s evil twin. Rather than a base 2 system, negabinary is base -2. The beauty of negabinary is that there is no need for a negative sign (aka the sign bit). All integers, negative or positive, can be written as an unsigned stream of 1s and 0s.

To expand a decimal number into negabinary, you simply divide the number by -2 repeatedly. Each time you divide the number, you record the non-negative remainder of 0 or 1. Afterwards, you take those remainders in reverse order and there you have it, the negabinary expansion. Simple no?

Keep in mind that we are doing remainder division here. So -1/-2 is not one half, but 1 remainder 1. Likewise, 1/-2 is 0 remainder 1.

Huh?

Keep in mind this simple algebraic formula: if a / b = c remainder d, then bc + d = a.

Thus, to expand decimal 2 in negabinary:

 2 / -2 = -1 remainder 0
-1 / -2 =  1 remainder 1
 1 / -2 =  0 remainder 1

Taking those remainders in reverse order we get 110. So 110 is the negabinary representation of decimal 2.

I remember learning that there were computing systems built (perhaps experimental) that used negabinary instead of binary. Apparently there are benefits to representing a number without a signed bit. Unfortunately, like a good evil twin, negabinary makes arithmetic operations quite complicated.

I was going to write up a whole exposé on negabinary, but Wikipedia did a much better job than I would have. My memory of my college math lectures on alternate numbering systems is pretty hazy. Throughout history, humans have tried out various numbering systems other than base 10. The Mayans used some sort of hybrid of base 20 and base 360. I kid you not.

So with a small alteration, we can adjust Scott’s script to accommodate negabinary enthusiasts.
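As an added example (not code from the original post, and in C# rather than the JavaScript of Scott’s script), here is the expansion by repeated division by -2 described above, the reverse conversion, and a sign test that works on the digit string alone, which is what a "is this negative?" check needs once there is no leading dash to look for. How an element gets marked as negabinary is left open; the isNegabinary flag is an assumption.

```csharp
using System;
using System.Text;

// Added example, not from the original post: decimal <-> negabinary (base -2)
// conversion plus a sign test on the digit string, the replacement for a
// "first character is a dash" check in a script that colours negatives red.
public static class Negabinary
{
    // Expand a decimal integer by repeated division by -2, recording a
    // non-negative remainder (0 or 1) each time. From a / b = c remainder d
    // and b*c + d = a with b = -2, the quotient is c = (d - a) / 2.
    public static string FromDecimal(int value)
    {
        if (value == 0) return "0";
        long n = value;                   // long avoids overflow at int.MinValue
        var digits = new StringBuilder();
        while (n != 0)
        {
            long d = ((n % 2) + 2) % 2;   // C# gives -1 for odd negatives; force 0 or 1
            long c = (d - n) / 2;         // exact, since d - n is always even
            digits.Insert(0, d);          // remainders are read in reverse order
            n = c;
        }
        return digits.ToString();
    }

    // Horner-style evaluation from the left: value = value * (-2) + digit.
    public static int ToDecimal(string negabinary)
    {
        long value = 0;
        foreach (char ch in negabinary)
        {
            if (ch != '0' && ch != '1')
                throw new FormatException("negabinary digits are 0 and 1 only");
            value = value * -2 + (ch - '0');
        }
        return checked((int)value);
    }

    // Sign without converting: |(-2)^k| = 2^k exceeds the sum of all lower
    // powers (2^k - 1), so the leading 1 decides the sign. The number is
    // negative when that 1 sits at an odd position, i.e. when the digit string
    // has an even number of digits once leading zeros are stripped.
    public static bool IsNegative(string negabinary)
    {
        string trimmed = negabinary.TrimStart('0');
        return trimmed.Length > 0 && trimmed.Length % 2 == 0;
    }

    // Replacement for the dash test: text flagged as negabinary (hypothetical
    // flag, e.g. derived from a CSS class on the element) uses the digit-string
    // rule; everything else keeps the old "starts with -" rule.
    public static bool IsNegativeText(string text, bool isNegabinary)
    {
        string trimmed = text.Trim();
        if (isNegabinary) return IsNegative(trimmed);
        return trimmed.StartsWith("-");
    }
}
```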


Downtown Los Angeles experienced a huge march today to protest bill HR 4437 and support immigrant rights and immigration reforms. I had been waffling about attending since I really hate driving to downtown (bad traffic and parking), but realized that since both my mother and my wife are immigrants, I ought to come out and show some support. An IM from my friend Kyle telling me I won’t regret it also served to jolt me out of my complacency.

Marching

Besides, my wife works on the corner where the march starts so I could just park nearby, have lunch with her, and join in the march. So I hopped in my car, grabbed a white shirt for my wife (everyone was encouraged to wear white), and headed off to downtown. Traffic was actually better than I have ever seen it on the 10 East.

When I arrived, I was greeted with the sounds of helicopters hovering overhead and people cheering. I was then assaulted by the smell of street vendor cooking in the air which instantly made me hungry and ready to part with some money despite the boycott. I proceeded to walk right through the parade in order to get to Akumi’s office.

Once there, I ran up to the roof to take some photos.

View from the roof of Akumi's building

There are a lot of people

The photos from the roof do not even begin to give you a sense of how many people were there. Multiple city blocks were chock full of people chanting, singing, and dancing. The air was electric.

Can somebody tell me where the march is?

Even the little ones were into it.

A proud American

Though this one was tuckered out.

Sleepy Protester

The crowd was primarily Latino. I had hoped to see a more diverse crowd show up in support, but I did manage to find the one other white guy.

Me and the one other white guy

We took a shortcut to the end point of the march where everyone was gathering, but didn’t feel like braving the crowds much longer.

Rally

I stepped aside for a moment to get a better view for a picture and when I looked back, I could not see my wife. Since everyone was wearing white, it was easy for me to lose track of her. What was I going to do? Ask everyone if they’ve seen a woman wearing a white shirt, blue jeans, with black hair? That described half the entire crowd. It was a beautiful day out there.

UPDATE: I forgot to place a link to my photoset on Flickr. This contains more pictures that I took.


Scott Hanselman mentions a new book, ASP.NET 2.0 MVP Hacks and Tips, in which he is one of the coauthors featured on the cover. Yes, they do look like they are throwing the twelve sided dice on a table with meticulously painted miniatures. If you have no idea what I am talking about, you have never embraced the inner geek.

The reason I mention this is that in 2005 I wrote a post in which I presented an Abstract Boilerplate HttpHandler. This particular post was inspired by and built upon Scott’s original (non-abstract) boilerplate HttpHandler. And now it comes full circle as Scott has borrowed from my borrowing, cleaned it up a bit, put a tie and suit on it, and then put it in a book.

Nice work! Now in order to one-up him, I will have to borrow from the book (which would be borrowing from a borrowed borrow) and get a Hollywood movie made. Keanu Reeves stars in Abstract Boilerplate HttpHandler I - The Pipeline of Opportunity.

So among this book of MVP hacks, they have inadvertently included a Haack.


I hear from a fairly reliable source that after the World Cup, Zinedine Zidane plans to move to Los Angeles to get into some kind of entertainment. That in and of itself is not exceedingly interesting. However, this source also tells me that Zidane has been offered a spot on the Hollywood United roster thanks to the other ex-French national team player, Frank Leboeuf.

That means that sometime in the near future, there is a small chance (you know how plans can change) that I may play in a soccer game against Zinedine Zidane, one of the world’s best players! Even though on the field, he will be just another opponent, I will probably bring my camera and try and get a pic with him before the game.

Although we would be in the same league, we are definitely not in the same league. Honestly, this all sounds a bit outlandish. I mean, he currently plays on Real Madrid for Pete’s sake! He is by no means over the hill yet. He could, if he wanted, join the MLS and completely dominate. Going from Real Madrid to our league would be a major drop in action.

On the other hand, if he really is retiring, a low key game once a week might be just the thing to keep in shape and not place such demands on his time.

In any case, does anybody out there know of any ex-professionals who are looking for a league in Los Angeles? Brazilian national team players are especially welcome. Whatever happened to Bebeto and Romario?


Well, this post marks my 1000th post on this blog. Since I am totally on board with the base 10 system, that makes this noteworthy to me. If we all used the hexadecimal system (base 16), then this post would be my 3E8th post which really wouldn’t warrant me even mentioning it in the first place. Be glad we are on base 10.

So how shall I observe the 1000th time that you’ve been Haacked? Obviously by writing about ways to avoid getting hacked.

I have a nice brand spanking new workstation so I figured now is as good a time as any to make the jump to running as a non-admin. This is what the security folks refer to as the principle of running with the least privileges. This is also referred to as LUA which stands for Least-Privileged User Account or Limited User Account depending on who you ask.

Hopefully I am behind the times and most of you are already running as LUA. But just in case, I will continue to plod on. This will be my third attempt to run as a non-admin, but the tools have gotten better since I last made the dive.

Temporarily Elevated Privileges

One of my favorite approaches to dealing with privileges is the idea of temporarily elevating privileges. This is in contrast to the approach in which you use RunAs to run a program using another user’s credentials. There are two ways to do this.

MakeMeAdmin

First of all, there is the excellent batch file MakeMeAdmin written by Aaron Margosis and announced in this blog post.

This batch file temporarily elevates your normal account to an admin. This is useful in those scenarios when you need to install software and you want the per-user settings to apply to your profile, not the administrator’s profile.

WinSUDO

WinSUDO was inspired by the MakeMeAdmin script, but consists of a client and server piece. Instead of relying on a command window, WinSUDO installs as a shell extension. Right click on a program in Explorer and select the Sudo menu option. I haven’t tried it just yet as the author is in the middle of a rewrite, but it’s worth keeping an eye on it.

Setting Shortcuts To Prompt For User

If you right click on a shortcut, click the Properties menu item, and then click the Advanced button, you can check an option to Run with different credentials. When you double click on the shortcut, it prompts you with an option to run as yourself, or run as a different user.

Create Your Own Control Panel Shortcut

Control panel applets are a bit of a challenge since the RunAs option is not there when you right click an applet or Control Panel itself. So I went ahead and created my own control panel shortcut.

  • Right Click on the desktop and select New | Shortcut from the context menu.
  • For the location, just enter control.exe. For the name, I entered Control Panel.
  • Right click on the shortcut and click Change Icon… (looks matter!).
  • Select the icon that looks like the control panel (see the image below).
  • Now click on the Advanced… button and check the Run with different credentials option.

Control Panel Selection

Visual Studio Development

The article Developing Software in Visual Studio .NET with Non-Administrative Privileges is quite helpful in outlining the issues you may run into as a developer.

One particularly challenging issue is debugging ASP.NET applications on your local machine as a non-admin, since a normal user doesn’t have the rights to debug applications running in the context of other users’ accounts. The article suggests editing machine.config and configuring ASP.NET to run under your own account.

I really don’t like this solution. If you open up the Group Policy Editor (Start | Run | Type in “gpedit.msc” without the quotes) you can find a “Debug programs” policy option. I may try adding that to my account instead, but I need to find out if it would open up a security risk that totally invalidates the security benefits of running as a LUA in the first place.

Community

If you are interested in learning more, check out this site devoted to a community of PC users who want to run without admin privileges. They have some great pointers to articles and tools to help mitigate the royal pain it is to run as non-admin on Windows XP.

Conclusion

Hopefully this time running as a non-admin will stick. I will keep you posted during the next 1000 posts.


Scott makes a great distinction between Open Source code and Source Out in the open.

Public Does Not Equal Open Source

I wanted to add to the discussion by pointing out two things. Often people make the mistake of assuming that any code posted on someone’s blog or in Google Groups is either open source or public domain. This is not necessarily true.

While it might be the intent of the author to make code published in a blog or Google Groups open to the public domain or freely distributed as open source, as the consumer of the code we cannot assume this to be the case. If the author does not state the license under which the code is available (either by just saying so or by referencing a license), then the author owns the exclusive copyright (assuming he or she wrote the code etc…).

I try to make a habit of asking permission from authors of useful code when I cannot find any license information on their blog. My blog is licensed under the Creative Commons Attribution license, so you can assume that any code snippets I post are licensed in the same way unless I specifically state otherwise.

I wrote on this topic in my Developer’s Guide to Open Source Software Licensing, which I know you read because developers just love reading up on legal topics.

The second thing I wanted to add to the discussion, and maybe I am way late on this, but I just recently learned about koders.com, an open source search engine.

It is a search engine that indexes various open source repositories and allows you to conduct searches through the source code. For each piece of code it returns, it presents the language, the location, the source, and the license.

This is an interesting way to take a look at open source code, though not without its quirks. Finding a method that you need can be difficult since the semantics of what code does and naming conventions are so different from project to project. But over time, this may become a useful tool.


This weekend I went to see the Los Angeles Galaxy play with my wife and some friends. What a disappointing game that was! Despite having discount tickets (only $10) we felt totally ripped off. During the whole game, my teammate and I were joking that “Ronaldinho would’ve made that play.”

My wife and I now have a new song entitled What would Ronaldinho do? sung to the tune of South Park’s What would Brian Boitano do? I think I will have to start passing out WWRD bracelets.

The Galaxy are playing boring lackluster soccer so far this season. The game was a scoreless tie till the Columbus Crew scored in injury time with an ugly goal. Fugly. It takes FC Barcelona visiting to play a Mexican team for us to get us some decent soccer around here. I am hoping to get some tickets to that.

Speaking of the big R, have you seen the amazing Nike commercial featuring Ronaldinho as a kid playing in the Brazilian futsal leagues (like soccer but indoor with smaller teams and ball)? It splices scenes of him playing as a kid with him now. He was amazing back then. Here it is on YouTube.

This was a soccer weekend for me. I had a fantastic game on Saturday in which we won five to one, only to be followed by a terrible three zero loss on Sunday. I need to quit playing on Sundays, because it always erases the good feelings created on Saturday.