• Start test names with “should”

    The purpose of a test is not just to enforce some behaviour on the code under test. When the test fails it also should provide enough information to understand which behaviour failed, where it failed, and (at least superficially) why it failed. If the only output of a failing test is just a binary value like “FAIL”, that test is only giving one bit of information to the developer. A good test framework will also print the test name and a call stack. We can’t change the call stack much, at least not without changing the semantics of the test, and how to actually write the test itself is a whole other story, but what does a useful test name look like?

  • Why I'm not working on vCard validators

    The vCard 3.0 validator is ten years old. The standard has moved on, Python has moved on, and I'd like to think I've learned a thing or two as a developer. But I'm not working on any vCard validators, and probably won't be for the foreseeable future.

  • Mitre10 web site dark patterns

    Dear Mitre10

  • If you can't support your users, tell them!

    Most free and open source projects these days have plenty of documentation for producing a good bug report. This is really helpful, and we should continue improving our reporting tools and documentation. There's a special warm feeling following the submission of a bug report with exact version numbers (of course the most recent stable), idiot-proof steps to reproduce, anything relevant from /etc, /proc and env and maybe even a core dump. Many projects will answer these quickly and either repair the defect or explain where you went wrong in assuming how the program should work. FOSS at its finest, and respect all round.

  • Stop asking your students to write command line UIs

    How often have you used a UI like this?

  • Insecure Links Highlighter browser extension

    Insecure Links Highlighter simply puts a thick red border around insecure links on all websites:

  • How to recover password after shortening

    Writing secure software is hard. At the same time, some things are so fundamental that failing to implement them is just inexcusable. One of these is that you must not limit the password length. (At least below some crazy limit like a thousand characters. Long before that your password is no longer the weakest link in even the most secure systems in the world.) Enter my new router, ironically named the Orcon Genius. It's a bog standard consumer router, and like most routers it came with an insecure admin password. I promptly replaced it with a long, generated password, but afterwards I could no longer log in. I suspected a shoddy implementation, so I cobbled together a script to try logging in using every substring of the password. After about half a second it spat out the correct password, verifying that this router only saves the first 15 characters of the password. The script is very simple:

  • These companies work against your freedom

    Most companies have never done anything sufficiently evil to deserve going on this list. This list is reserved for companies which have done at least one thing that was so bad they should not be forgiven for it. I will try my very best never to do anything benefiting them economically, and I hope you will too.

  • How broken is Samsung UK support?

    This is how broken:

  • The HTTPS-only experience

    EFF recently announced that "We're Halfway to Encrypting the Entire Web." As a celebration of this achievement I've started an experiment: as of yesterday, no unencrypted HTTP traffic reaches this machine*.