Infocon: green

 ∗ SANS Internet Storm Center, InfoCON: green

Handling Special PDF Compression Methods

Handling Special PDF Compression Methods, (Sun, Apr 19th)

 ∗ SANS Internet Storm Center, InfoCON: green

Maarten Van Horenbeeck posted a

The future is not Borg

 ∗ One Big Fluke

The New Stack has an interesting write-up about Google's long-secret Borg system. I can't say anything specific about this and I haven't read the paper.

What I will say is when I first arrived at Google in 2005 I felt like I was stepping into the future. Tools like Docker, CoreOS, and Mesos are 10 years behind what Borg provided long ago, according to The New Stack's write-up. Following that delayed timeline, I wonder how long it will be before people realize that all of this server orchestration business is a waste of time?

Ultimately, what you really want is to never think about systems like Borg that schedule processes to run on machines. That's the wrong level of abstraction. You want something like App Engine, vintage 2008 platform as a service, where you run a single command to deploy your system to production with zero configuration.

Kubernetes is interesting to watch, but I worry that it suffers from requiring too much configuration (see this way-too-long "guestbook example" for what I mean). Amazon's Container Service or Google's Container Engine may make such tools more approachable, but it's still very early days.

I believe systems like Borg are necessary infrastructure, but they should be yet another component you take for granted (like your kernel, a disk driver, x86 instructions, etc).

Accepting Our Lack of Control

 ∗ A List Apart: The Full Feed

It’s easy to forget that our users have ultimate control over how they view the web, even though it has been said before. As people making the web, we merely offer suggestions. These suggestions of ours should make it easier, not harder for people to access our content in the manner that best suits them.

Over the course of the last year I’ve worked on several projects for a wide array of products and sites. The common denominator across all of them was an end goal of a responsive site. Often that’s where the commonality ended, though. In some situations not everyone agreed or accepted that we lack control when it comes to how users experience our sites.

As I work and write CSS, I try to do so in a way that acknowledges that I don’t have ultimate control. For instance, I prefer to use rems with a pixel fallback, ensuring that my line heights are unitless and work with whatever unit the font is in. That has the added bonus of not having a negative effect on the children of the element. In addition, I often prefer to base my breakpoints on the content of a page, rather than a set of device sizes. That can make the code a bit harder to maintain, but it benefits users. When it comes to grids, I’m happy to use percentages and let the browser round for widths and gutters to make things work.

Of course all of those things mean we are giving up some control. When your line height isn’t an exact pixel number, you’re letting the browser decide and do some math. It may not look perfect. When you allow content to drive breakpoints rather than using standard breakpoints, you may have more complicated CSS to maintain. And with grids, as with line heights, when you allow the browser to do some of that work, the rounding may not always end up the way you desire.

I’ve come to a place of peace with this lack of control, and at times I even enjoy it. The reality is, users ultimately have a lot of control: they can change their base font sizes, they can zoom in, they may even be reading our content in a different application, such as an RSS reader. The user gets to decide how they want to view and use our sites and applications.

Not everyone I work with is as excited about losing some of the perfection, though. Many would prefer to be more precise with the CSS so that it looks exact in their browser of choice. But doing that would mean not allowing users to have as much control over the experience, and could mean a poor experience for some.

When confronted with concerns or objections from teammates who would rather have more perfect CSS, I do my best to outline the reasons behind these practices. We need to be user-friendly, future friendly, and accept the “ebb and flow of the web,” so that the things we build can be viewed on whatever device comes along. As Anna Debenham reminds us, many users are grabbing what’s convenient, not necessarily what will give them the perfect experience.

Learning to be ok with the ebb and flow of things allows us to think differently about how we can work with and use the web. As Frank Chimero writes in his wonderful essay “The Web’s Grain”:

So, those media queries we write? It might be time to stop calling them breakpoints, and instead consider them points of reassembly.

As I think about how I advocate for allowing the web to be the web, I’m drawn to Frank’s idea. Instead of making our sketches fit on the web, I’m trying to make our ideas and content work inside the various edges of the web as it appears across a myriad of devices.

Which brings us right back to what John Allsopp said so well fifteen years ago:

The control which designers know in the print medium, and often desire in the web medium, is simply a function of the limitation of the printed page. We should embrace the fact that the web doesn’t have the same constraints, and design for this flexibility. But first, we must “accept the ebb and flow of things.”

This tension of how we build for the web probably isn’t going away any time soon, but as Paul Ford reminded us last week: neither is the web—it will survive and continue on.

Eight Days in April

 ∗ Jeffrey Zeldman Presents The Daily Report: Web Design News & Insights Since 1995

I’VE BEEN BUSY this week:

And stay tuned for today’s Big Web Show episode, taping live at 2:00 pm Eastern.

Coming May 6: Sass Talk

 ∗ A List Apart: The Full Feed

To preprocess or not to preprocess? Every time we run a piece about Sass (which we’ve done a lot of lately), we get tons of thoughtful comments on both sides of the issue. Here are just a few:

There is no ‘dark side’ to pre-processors… Writing CSS Vanilla on a website with a large scale is just asking to be a maintenance nightmare in my eyes.
Iain Spad
I like writing vanilla CSS. It lets me have an intimate relationship with the code and it means I know everything that’s happening and why.
garek007
It’s not just garbage in, garbage out. It’s garbage in, 10x garbage out. But, used wisely, such tools are very valuable.
Matthew Gifford

Our next ALA: On Air event will continue these conversations. Join us on May 6 as our panel cuts through the clutter and shares how they’ve chosen to incorporate (or not) preprocessors and task runners in their work.

Event details

This event is free and everyone is welcome—but you have to register to participate in the Q&A. Here are all the details:

Wednesday, May 6
1–2 p.m. EDT
via Google Hangout
Register or get more details

We’ll have 30 minutes of conversation between our panelists, and then open things up to questions from attendees. Like we did with our last event, “Designing for Performance,” we’ll also share the full video and transcript after the live show ends.

Join our email list to get updates when new events, videos, and transcripts are posted.

The panelists

We’ve rounded up a few brilliant ALA contributors to participate:

Big thanks to Pantheon

Putting on events is a ton of work, and we couldn’t do it without the generous support of our sponsor Pantheon. Sign up for a demo to see Pantheon’s unified platform for building, launching, and running Drupal and WordPress sites.

Out of stock

 ∗ One Big Fluke

Effective Python sold out thanks to PyCon 2015! My publisher had to do an emergency second printing a few weeks ago because it looked like this was a possibility. Luckily, the book will be restocked everywhere on April 17. Amazon still has some left in their warehouse in the meantime. I'm happy to know people are enjoying it!

Exploit kits (still) pushing Teslacrypt ransomware, (Thu, Apr 16th)

 ∗ SANS Internet Storm Center, InfoCON: green

Teslacrypt is a form of ransomware that was first noted in January of this year [

Microsoft Patch Tuesday - April 2015, (Tue, Apr 14th)

 ∗ SANS Internet Storm Center, InfoCON: green

Overview of the

simple-scrypt

 ∗ go, web, go

simple-scrypt is a convenience wrapper around Go's existing scrypt library. The existing library has a limited API and doesn't facilitate generating salts, comparing keys or retrieving the parameters used to generate a key. The last point is a limitation of the scrypt specification, which doesn't enforce this by default. Using Go's bcrypt library as inspiration, I pulled together a more complete scrypt package with some "sane defaults" to make it easier to get started. The library provides functionality to provide your own parameters via the scrypt.Params type, and the public API should be rock solid (I'm planning to tag a v1.0 very soon).

scrypt itself, for those that don't know, is a memory-hard key derivation function (KDF) entirely suitable for deriving strong keys from 'weak' input (i.e. user passwords). It's often described as a way to 'hash' passwords, but unlike traditional hashes (SHA-1, the SHA-2 family, etc.) that are designed to be fast, it's designed to be "configurably" slow. This makes it ideal for storing user passwords in a way that makes it very hard to brute force or generate rainbow tables against.

Here's an example of how to get started with it for deriving strong keys from user passwords (e.g. via a web form):

package main

import(
    "fmt"
    "log"

    "github.com/elithrar/simple-scrypt"
)

func main() {
    // e.g. r.PostFormValue("password")
    passwordFromForm := "prew8fid9hick6c"

    // Generates a derived key of the form "N$r$p$salt$dk" where N, r and p are defined as per
    // Colin Percival's scrypt paper: http://www.tarsnap.com/scrypt/scrypt.pdf
    // scrypt.Defaults (N=16384, r=8, p=1) makes it easy to provide these parameters, and
    // (should you wish) provide your own values via the scrypt.Params type.
    hash, err := scrypt.GenerateFromPassword([]byte(passwordFromForm), scrypt.DefaultParams)
    if err != nil {
        log.Fatal(err)
    }

    // Print the derived key with its parameters prepended.
    fmt.Printf("%s\n", hash)

    // Uses the parameters from the existing derived key. Return an error if they don't match.
    err := scrypt.CompareHashAndPassword(hash, []byte(passwordFromForm))
    if err != nil {
        log.Fatal(err)
    }
}

The package also provides functions to compare a password with an existing key using scrypt.CompareHashAndPassword and to retrieve the parameters used in a previously generated key via scrypt.Cost. The latter is designed to make it easy to upgrade parameters as hardware improves.

Pull requests are welcome, and I have a few things on the to-do list to make it configurable based on hardware performance.

Facebook updated their open source patent clause

 ∗ One Big Fluke

Facebook published an updated version of their patent clause. I'm not sure if this new clause is better than the old one (update: see more from DannyB here). It's definitely more words. See this previous post to understand why the old one was bad.

Here's the wdiff between them (also in this gist):

Additional Grant of Patent Rights {+Version 2+}
 
"Software" means [-fbcunn-] {+the osquery+} software distributed by Facebook, Inc.
 
[-Facebook-]
 
{+Facebook, Inc. ("Facebook")+} hereby grants [-you-] {+to each recipient of the Software
("you")+} a perpetual, worldwide, royalty-free, non-exclusive, irrevocable
(subject to the termination provision below) license under any
[-rights in any patent claims owned by Facebook,-] {+Necessary
Claims,+} to make, have made, use, sell, offer to sell, import, and otherwise
transfer the Software. For avoidance of doubt, no license is granted under
Facebook’s rights in any patent claims that are infringed by (i) modifications
to the Software made by you or [-a-] {+any+} third [-party,-] {+party+} or (ii) the Software in
combination with any software or other [-technology
provided by you or a third party.-] {+technology.+}
 
The license granted hereunder will terminate, automatically and without notice,
[-for anyone that makes any claim (including by filing-]
{+if you (or+} any [-lawsuit, assertion or
other action) alleging (a) direct, indirect,-] {+of your subsidiaries, corporate affiliates or agents) initiate
directly+} or [-contributory infringement-] {+indirectly,+} or
[-inducement to infringe-] {+take a direct financial interest in,+} any [-patent:-] {+Patent
Assertion:+} (i) [-by-] {+against+} Facebook or any of its subsidiaries or {+corporate+}
affiliates, [-whether or not such claim is related to the Software,-] (ii) [-by-] {+against+} any party if such [-claim-] {+Patent Assertion+} arises in whole or
in part from any software, {+technology,+} product or service of Facebook or any of
its subsidiaries or {+corporate+} affiliates, [-whether or not
such claim is related to the Software,-] or (iii) [-by-] {+against+} any party relating
to the
[-Software;-] {+Software. Notwithstanding the foregoing, if Facebook+} or [-(b) that-] any [-right-] {+of its
subsidiaries or corporate affiliates files a lawsuit alleging patent
infringement against you+} in [-any-] {+the first instance, and you respond by filing a+}
patent {+infringement counterclaim in that lawsuit against that party that is
unrelated to the Software, the license granted hereunder will not terminate
under section (i) of this paragraph due to such counterclaim.
 
A "Necessary Claim" is a+} claim of {+a patent owned by+} Facebook {+that+} is [-invalid-]
{+necessarily infringed by the Software standing alone.
 
A "Patent Assertion" is any lawsuit or other action alleging direct, indirect,
or contributory infringement or inducement to infringe any patent, including a
cross-claim+} or
[-unenforceable.-] {+counterclaim.+}

Links from PyCon 2015

 ∗ One Big Fluke

Instead of writing a conference overview, here's an assorted list of links for things I saw, heard of, or wondered about while attending talks and meeting new people at PyCon this year. These are in no particular order and I'm missing a bunch I forgot.

  • "SageMath is a free open-source mathematics software system licensed under the GPL. It builds on top of many existing open-source packages: NumPy, SciPy, matplotlib, Sympy, Maxima, GAP, FLINT, R and many more. Access their combined power through a common, Python-based language or directly via interfaces or wrappers."
  • "ROS [Robot Operating system] is an open-source, meta-operating system for your robot. It provides the services you would expect from an operating system, including hardware abstraction, low-level device control, implementation of commonly-used functionality, message-passing between processes, and package management."
  • "GeoJSON is a format for encoding a variety of geographic data structures."
  • "GeoPandas is an open source project to make working with geospatial data in python easier. GeoPandas extends the datatypes used by pandas to allow spatial operations on geometric types."
  • "N-grams to the rescue! A collection of unigrams (what bag of words is) cannot capture phrases and multi-word expressions, effectively disregarding any word order dependence. Additionally, the bag of words model doesn’t account for potential misspellings or word derivations."
  • "A Few Useful Things to Know about Machine Learning: This article summarizes twelve key lessons that machine learning researchers and practitioners have learned. These include pitfalls to avoid, important issues to focus on, and answers to common questions."
  • "Compare randomized search and grid search for optimizing hyperparameters of a random forest. All parameters that influence the learning are searched simultaneously (except for the number of estimators, which poses a time / quality tradeoff)."
  • SainSmart 4-Axis Control Palletizing Robot Arm Model For Arduino UNO MEGA250
  • Nanopore sequencing of DNA
  • Advanced C++ Programming Styles and Idioms
  • "diff-cover: Automatically find diff lines that need test coverage. Also finds diff lines that have violations (according to tools such as pep8, pyflakes, flake8, or pylint). This is used as a code quality metric during code reviews."
  • "FuzzyWuzzy: Fuzzy string matching like a boss."
  • "Glue is a Python library to explore relationships within and among related datasets."
  • "Tabula: If you’ve ever tried to do anything with data provided to you in PDFs, you know how painful it is — there's no easy way to copy-and-paste rows of data out of PDF files. Tabula allows you to extract that data into a CSV or Microsoft Excel spreadsheet using a simple, easy-to-use interface."
  • "Blaze expressions: Blaze abstracts tabular computation, providing uniform access to a variety of database technologies"
  • "AppVeyor: Continuous Delivery service for Windows" (aka: Travis CI for Windows)
  • "Microsoft Visual C++ Compiler for Python 2.7: This package contains the compiler and set of system headers necessary for producing binary wheels for Python 2.7 packages."
  • "Ghost Inspector lets you create and manage UI tests that check specific functionality in your website or application. We execute these tests continuously from the cloud and alert you if anything breaks."
  • "Think Stats: Probability and Statistics for Programmers"
  • "The bytearray class is a mutable sequence of integers in the range 0 <= x < 256. It has most of the usual methods of mutable sequences, described in Mutable Sequence Types, as well as most methods that the bytes type has."
  • "git webdiff: Two-column web-based git difftool"
  • "Bug: use HTTPS by default for uploading packages to pypi"

If you ever wonder why people go to conferences, this is why. You get exposure to a wide range of topics in a very short period of time, plus you get to meet people who are excited about everything and inspire you to learn more.

Lyza Danger Gardner on Building the Web Everywhere: WAI-finding with ARIA Landmark Roles

 ∗ A List Apart: The Full Feed

Recently, as part of my research for a presentation about web accessibility for non-specialized teams, I asked around about how people were applying the HTML role attribute in their day-to-day web practice.

Their answers didn’t surprise me. Many expressed chagrin at their apparent ignorance, admitting they copied and pasted examples a lot. Some had a passing familiarity with a few prevalent roles, but sensed beyond that a gaping chasm of things they didn’t know. The prevailing tone was guilt. It’s not that people don’t care about accessibility, it’s that the topic can feel overwhelming among all the other priorities we have.

I’ve noticed a lack of easily-Googled, applied documentation for certain technologies or practices. On one end, we have specs, sometimes exhaustive. On the other end, we have a smattering of implemented examples. Synthesized documentation can be thin on the ground.

I can’t change the world, but I can add some analytical documentation about something specific: my nutshell-in-a-nutshell view of landmark roles in WAI-ARIA, as I understand them, and as it translates to more easily adding website accessibility to your daily workflow.

The Accessible Rich Internet Applications (ARIA) suite from the W3C’s Web Accessibility Initiative (WAI) is one piece of the web accessibility puzzle. Now, the first rule of ARIA usage is—I am not making this up—we do not use ARIA (unless we need to). Before you set out to use it, you should already have a solid authoring craft: careful, semantic treatment of content; proper use of attributes and textual alternates; sensitivity to contrast and font sizes. Support for accessibility leads to well-crafted HTML and vice versa.

How ARIA fits in

Applied ARIA in HTML is a combination of two things: roles and aria-prefixed attributes. Roles identify an element’s purpose, and attributes describe things about it (properties) and what it’s up to (states).

ARIA is a gap-filler for HTML semantics. It allows you to be declarative beyond what HTML elements and attributes currently provide, and lets you be explicit about the relationships and meanings of elements on your page. It also provides a mechanism to attach semantic meaning when authors, by perversity or necessity, use non-standard elements to represent other things (e.g. using a div as button).

The ARIA specification provides a standardized way for browsers and assistive technologies to evaluate HTML documents for people who access and use the web in different ways. There’s a lot to know about ARIA, and we don’t have all day, so today I’m going to focus on one important topic: landmark roles.

Landmark roles for daily use

The HTML element attribute role is the piece of the ARIA iceberg most often visible above the waterline, and the chunk of ARIA most immediately recognizable to web builders. <div role=“main”> (or even <main role=“main”>) may be familiar to some of us.

main is one of a set of eight defined ARIA landmark roles. All defined roles express an element’s purpose, but landmark roles serve as key milestones, allowing AT (assistive technology) to map the lay of the land of an HTML document. This is why they’re a great set of roles to start with. Landmark roles make navigation between areas of your page more efficient for different kinds of users. They help convey basic semantic intent and can serve as hooks and helpers for other technologies (or even humans reading your source).

Here are some landmark roles that can be used on practically every HTML page you write:

  • main: The main content of a document.
  • banner: The main header or masthead of a page; typically assigned to a header element.
  • navigation: A collection of links for navigation. A common usage is <nav role=“navigation”>.
  • contentinfo: A collection of metadata, copyright information and the like. Commonly applied as <footer role=“contentinfo”>.

Those other landmark roles

There are two further straightforward landmark roles you might be interested in: complementary—a chunk of content that supports main but remains autonomous, and search—an element containing your site’s search interface.

The application landmark role should be used with care, so read up first if you want to use it. form is also a landmark role, but arguably redundant if you use it on a form element (doesn’t <form role=“form”> seem repetitive?).

When are roles redundant?

Here’s where it gets foggy. I’m arguing that <form role=“form”> is redundant and yet suggesting <main role=“main”> (or maybe <div role=“main”>) is good practice. What gives?

Roles are semantic extenders. One of the things they do is provide training wheels for semantic elements that don’t exist or haven’t been adopted fully by all browsers.

It’s safe to anticipate that all major browsers know what a form element is—its role is implicit in the element itself. This is less reliable, however, with the main element. Presently, Chrome and Firefox require <role=“main”> on an element to make the semantic role available to assistive technology and IE is all, main? Never heard of it. So we role on until broad adoption.

Though I lean slightly toward not using <form role=“form”>, there are varying and vigorous views on this (and other aspects of ARIA). Don’t take my opinion as fact.

Where to next?

I talked about documentation being thin on the ground. That’s not untrue, but it gives short shrift to some fabulous efforts. There are some killer resources, like a11yproject.com’s accessibility checklist. That’s exactly the kind of applied reference web generalists need. Analytical documentation targeted at web implementors isn’t completely absent, although there seems to be a scarcity of it compared to other topics.

There is far more to ARIA and accessibility. While landmark roles are a great place to start, your growing understanding may lead you to other kinds of roles (there are four categories, of which landmark is one) and to aria-*prefixed state and property attributes.

What I’ve talked about here only begins to scratch the surface. But even if all you do is commit to using some of the ARIA landmark roles in your HTML, I am a happy person.

Reliably hosted by WebFaction.com