Note: On May 22 I spoke on this topic at Ignite Seattle 24. If you’re familiar with the Ignite format, you’ll realize that it demands conciseness, so I wanted to expand on my talk.
This is part one of the expanded write-up; I’ll post part two, along with my slides, tomorrow.
A few weeks ago, a pretty nasty vulnerability in the OpenSSL software that’s used by many popular websites on the internet was discovered. It quickly became known as the Heartbleed bug, and a security company called Codenomicon compiled a fantastic write-up on its impact and how to recover. To quote from their site:
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.
As you can likely tell, this bug was bad news for thousands of system administrators who had to scramble to figure out if they were affected or could have been affected. But it actually gets worse, because as a result of the nature of the bug, a vulnerable site cannot determine whether it has been exploited or not: an attacker can come in, exploit Heartbleed, and get away with some of a site’s crucial data, all without leaving a trace.
As a result, the only safe assumption any system administrator could make is: if my site was vulnerable, I have to assume it’s been exploited. Cue massive sysadmin panic.
The user impact of Heartbleed
Because the OpenSSL library is so common across the internet, many, many sites were affected by this bug. And because system administrators could not be sure if their sites were actually exploited (but had to assume they had been), users also had to assume that their data on any vulnerable site—particularly their passwords—were compromised. As a consequence, widespread media reports popped up advising users to change all their passwords now!
In practice, this wasn’t fantastically good advice, because users actually needed to wait for sites to update in order to ensure they were once again secure, lest they change their password only to have it stolen the following day. But much of the press coverage nevertheless advised a blanket password change.
Changing all your passwords is pain and misery
The problem with this advice is, of course, that for just about all users, changing their passwords is an exercise in frustration. Oftentimes it goes something like this:
1. Go to site 1/32 that you need to change passwords at.
2. Try to log in with a password you don’t fully remember.
3. Go through the multiple-step “forgot password” flow to recover your old password.
4. Finally sign in.
5. Change your password.
And of course, a few days later you go back to the site where you hit the awkward final step of the password change process:
6. Try to sign in and wonder “What the heck did I change my password to?!”
So yeah, no fun.
What can you do today to make this better?
You can already make your life better by going one of several routes to change how you deal with passwords. The obvious choices are to use a password manager app, or to sign in everywhere you can with a common account like your Facebook or Twitter.
Using a password manager
1. When you sign up for a new website, they will automatically generate a unique (and secure) password for that site.
2. When you subsequently go to sign in to the site, they’ll automatically populate your secure password into the password field so you can easily sign in.
These features alone are sufficiently compelling that many security experts recommend using a password manager in general. However, password managers do have several drawbacks. Using them on mobile tends to cost money or is a pain, and they can cause “but what if I need to log in at a friend’s house/at an internet café” stress. But most critically, they’re password managers in name only: when you need to change your password, you still have to manually go to every site and update your password. For many users, myself included, this just makes them not worth the trouble.
Sign in with Facebook, Twitter, or similar
The least painful, most “dad-friendly” way to minimize the number of passwords you have to worry about is to just sign in everywhere you can with your Facebook, Twitter (or one of a half dozen other services) account.
Unfortunately, this has a few major drawbacks.
First and foremost, you’re putting all of your eggs into one basket: hopefully one that’s relatively well-secured, but one basket nevertheless. This makes your Facebook account a juicy target, but more importantly it leaves you vulnerable to the whims of a single company deciding to, say, close or suspend your account for whatever reason.
It can also lead to a different kind of awkwardness when you visit a site: the question of “oh man, did I sign up here with Twitter or Facebook or what?!” I can say from my own experience that I have this dilemma depressingly often.
Finally, it’s simply not a solution for all of your password needs. Your bank is probably never going to let you sign in with your Facebook account, and this is probably for the best.
So if those two options aren’t good enough, what can we do?
As an end user, not much—at least not yet. However, if you’re in a position of power at one of the major players on the web, there’s one thing you could do that will make this easier for everyone in the long term: work to standardize how different sites across the internet allow a user to interact with their passwords.
There are likely many approaches one could take to standardization, but the one I’d like to propose is a common password management API. Stay tuned for more details on how, why, and why I’m not crazy tomorrow.
If you use Delicious with the Opera browser like I do, you might have found yourself frustrated because the official Delicious bookmarklet just shows up as a blank icon when dragged to the Opera toolbar. I was, too, so I decided to tweak it for my own purposes.
If you just want the fixed-up bookmarklet…
I reused the Opera icon used to bring up the Bookmarks menus. You can simply hold down shift, then drag and drop this button to your toolbar:
You’ll end up with something like this:
If you’re curious about how it works, or want to change the icon…
Opera lets you make custom buttons rather easily, though not many people are writing about this ability any more. Back in the day, though, there were whole sites to help you make your own custom buttons.
That site documents the format for these buttons:
ButtonX, "General Title"="Action, parameter1, parameter2, Action Title, Icon"
Now, the Opera toolbar configuration is kept in the standard_toolbar.ini file, which, at least on recent versions of Windows, will be somewhere in the following directory (adjusted for user name and drive letter):
If you add the Delicious bookmarklet from the official page, you’ll find that it gets added with the action shown here:
If you compare that to the format above, you have the button name, the title and action, and then the arguments to that action. What you don’t have are the Action Title or the Icon. So, all you have to do is add them, separated by commas, to the end of the line and hit save. (Note that you should keep Opera closed when you’re editing this file.)
In my case, the name of the icon I used is “Panel Bookmarks.” You might be asking yourself, how do you find the names of other icons you can use? Well, there’s an old page for that, too: it will load images from your current Opera skin and show you what you’ll get for each image name. It’s possible that this doesn’t show all possible icons, since it’s a bit outdated, but it’s reasonably comprehensive.
Pick an icon you like, and voilà: a version of the Delicious bookmarklet that isn’t hideously broken in Opera.
In Jostein Gaarder’s remarkable novel “about the history of philosophy,” Sophie’s World, the plot kicks off with the title character receiving an anonymous postcard in the mail, asking a seemingly simple question: “Who are you?”
The simplicity is, of course, a deception. It often seems the more important something is, the more difficult it is to articulate, not to mention fully understand and apply. This is true of everything from scientific concepts, where the theories that come closest to explaining our universe are often some of the hardest to grasp, to the techniques and skills that, in art or sport, push a performer from just good (and therefore nothing special) to great (and famous, and popular, and so on). And it’s also true of the things that apply to each person individually: figuring out what makes you happy is critical to, well, happiness, but for most of us it is an elusive, lifelong quest. Understanding personal happiness, though, is just part of answering that question: Who are you?
I haven’t gotten any mysterious postcards lately, but the question has been on my mind as I try to move from a perception of myself I’ve recently realized is rather amorphous to something more crisp and definite.
The power of identity
A person’s understanding of who they are guides a remarkable percentage of their day-to-day behavior. Robert Cialdini, one of the most notable researchers on influence, notes that identity is an incredibly strong lever in triggering an activity: for example, if you believe yourself to be a person who cares about the environment, you’re more likely to donate to forest conservation. This may seem self-evident at first glance, but it turns out that if someone asks you to reaffirm that you care first, you’ll donate more money than if you’re asked without that initial appeal to your identity.
This is but one (paraphrased) example. Your identity also determines the things you like and dislike, and the amplitude of your reaction to discussions about a topic is strongly determined by how close you hold it to your identity. Paul Graham notes that most online discussions of religion and politics inevitably turn into flame wars because these things are so core to most people’s identities, and recommends you keep your identity small to avoid getting into petty fights about things that may not ultimately be important.
Keep your identity broad
The problem with keeping your identity small, though, is that a “broad” identity is one of the things that makes a person interesting. Graham writes that “the more labels you have for yourself, the dumber they make you,” but oftentimes those very labels allow you to bond with people, make impassioned (and well-reasoned) arguments, and accomplish improbable things.
Some of the most fascinating people I know are those who have integrated a broad and varied set of beliefs or activities into their identity. These people achieve the most remarkable things. And more often than not, thanks to their broad identities, they’re the ones with the largest, most diverse networks of friends and compatriots.
A broad identity doesn’t—or at least shouldn’t—mean you cannot have reasonable discussions about what you believe as long as you’re mindful of why you have those beliefs and are willing to re-examine the assumptions that led up to them. All it means is that you have a diverse range of interests. Subjectively, I suspect it also means you are happier, because you have more groups you feel you belong to.
Who am I?
While I’ve never been shy about my opinions on a wide range of topics, I have been extremely hesitant in letting things become a part of my identity.
I know from past experience that when I identify with something, it is a long-term commitment: once I joined AIESEC in college, I dedicated several years of my life to it, traveled to a number of countries, and attended over a dozen conferences. I remain involved as an alumnus to this day. I spent more than four years writing for my college’s newspaper. But those activities set a high bar: I am hesitant to do things I’m not sure I can fully become invested in.
Some parts of my identity, like the extent of my nerdom, are also things I keep private most of the time. I’ve probably seen more Japanese television, both live action and animated, than most people attending anime conventions, but I no longer feel like this is a large enough part of my identity to attend myself.
The net result of all this is that while I find a lot of things interesting, I haven’t been inclined to commit to some small set of them. And the outcome, predictably, has been that sometimes I bore even myself. I feel increasingly that my unwillingness to expand my identity has held me back from experiences that could have a material effect on my happiness.
Even if I risk being manipulated by cunning influencers or getting into online flame wars, I will expand my identity, though I don’t yet know in what direction. I think the benefits will be worth it.
A few weeks ago I was chatting with an acquaintance who wanted to learn to code. He was stuck in a bit of analysis paralysis, trying to decide what the “best” programming language, IDE, framework, etc. to learn was. I’ve been there too: at one point in my life I literally flipped a coin on whether I was going to go learn Ruby or Python.
My advice to him was simple: just pick something and run with it. As Teddy Roosevelt supposedly said, “In any moment of decision the best thing you can do is the right thing, the next best thing is the wrong thing, and the worst thing you can do is nothing.” So we talked about what he wanted to do (build a game), what he had already considered (Java, because that’s what Minecraft is written in), and what criteria he was using to pick something (not terribly well thought out ones) with a goal of landing on a decision.
As we had this discussion, I thought back to how I’ve made these decisions myself, and I realized that once I was done rationally narrowing my options to ones with a similar set of pros and cons, I had a worrisome tendency: to choose less popular options, even if they made my life harder.
How my contrarianism let me down
To give you an example, last year I attempted to go through Michael Hartl’s excellent Rails Tutorial. This is a fantastic free way to learn Rails: it aligned with my goal (learn how to build a web app the right way, rather than cobbling together a bunch of PHP spaghetti), and it would walk me through all the steps required to build and deploy just such an app. But it’s also an opinionated tutorial, in that it recommends you use specific tools as you go along: Git for source control, Heroku for deployments, Blueprint CSS for layout (though the latest version of the tutorial has now switched to Bootstrap).
Being the contrarian that I am, I wasn’t having any of that. I decided that I was going to use Mercurial for source control, YUI CSS to help layout content, and deploy to my own VPS. This would have been just fine if I could competently use all of those tools, but I really couldn’t. The net result was that I expanded the amount of stuff I had to learn exponentially: not only was I learning Rails and Ruby, but now I had to add to that working with a CSS framework, managing my own Linux server and jumping to distributed source control for the first time. Whereas the tutorial gave me the bits of information about its chosen tools I would need to know, I now needed to intentionally ignore them and figure out the corresponding way to accomplish things in my chosen tools.
You might have inferred the results of these decisions from my word choice. Having to spend so much time working on incidental things slowed my progress through the tutorial dramatically, things got busier at work, and I ultimately got distracted. I gave up on the tutorial around chapter 7. And this isn’t the first time I’ve had a similar experience.
Geeks are contrarian by nature
I think I’m not alone in making these mistakes, and I think they’re especially prevalent among people in software for one major reason: Engineers and geeks have a strong tendency to be contrary. Many people end up in these areas precisely because of an unwillingness to accept the status quo in some area, and to fix something most of the world doesn’t perceive as broken.
The recent debate on Hacker News about whether it is a good thing or not that lots of sites are adopting Bootstrap is just one example of this. Just as this tool becomes popular, the programming community begins to push back against it. I guarantee there’s a non-trivial number of people who will now resist using Bootstrap, even if the attention it’s gotten is going to build a strong ecosystem around it that will make it perhaps the best choice for their uses.
Sometimes this might have a great outcome: we’ll get another tool that does something a little different and is perfect for a different set of scenarios and people. But that’s what happens when an expert decides they don’t want to use the tool because it doesn’t meet their needs, not when a newbie (like me) is steered away because “it’s overpopular” and “all sites built this way look alike.”
As we make choices about what to invest our time and effort into, let’s keep in mind that making life harder in one area is a great way to reduce the bandwidth you have to invest in other things. I’ll certainly try to fight my contrarian urges; I hope you will as well.
Anyone who’s ever traveled in my car will tell you that I have a pseudo-quirky taste in music. While many contrarian people listen to indie music for their I’m a unique snowflake fix, my preference is to listen to popular music produced in other countries. The result is that my music collection is an incredibly eclectic mix of languages: plenty of English and Russian, languages I actually understand, but also everything from French and Japanese to Kazakh and Indonesian.
You can probably imagine the struggles I have finding this range of music on modern subscription services like Spotify or Zune Pass. While music from the most popular French or Spanish artists is generally available, going just a few steps off the beaten path gives me either no matches or an album listing with a sad “unavailable” sign next to any albums by that artist. The situation in stores like iTunes and Amazon tends to be better, but I don’t necessarily want to buy every song right away, and there’s still quite a lot missing.
The utter lack of support for foreign music is frustrating because I know I can simply navigate to YouTube and find multiple videos that will do a perfectly adequate job of letting me listen to songs by most any artist I can think of.
I realize my musical tastes are hardly representative of most people’s, of course. But everything I’ve said about foreign music applies to many indie musicians, particularly ones that may not yet have a deal with a notable record label.
Content licensing is fun!
There’s a simple reason for why YouTube has far and away the largest selection of music online: Unlike the subscription services, it doesn’t need to acquire a content license before it will allow users to listen to a particular song (and view some sort of video). Rather, YouTube relies on two means of getting content:
- Major services that promote artists by uploading their music videos directly to YouTube, like VEVO
- Fans, listeners and creators who upload videos of music they like on their own
VEVO and company cover the same general set of music pre-negotiated licensing tracks do, but it’s the second method that gives YouTube’s music collection its incredible breadth. And to keep things legal, Google has added lots of functionality for record labels to monetize music on YouTube, with the ability to display ads on videos that feature a song, block them in particular markets or to take them down entirely.
And the collection is just the tip of the iceberg…
While YouTube is unrivaled in its collection, it’s also got quite a few other things going for it. First and foremost, it’s incredibly low friction: I don’t need to sign up or log in to an account, launch an app, or wait for anything to download: I just open the site in my browser, type something in the search box, and before I know it, I’m listening to whatever it was I wanted to hear. Plus, I can instantly share a link to that video with all my friends, and be pretty confident that they will be able to hear the song with the same minimal amount of friction.
YouTube’s existing functionality does a reasonable job of covering other key music site functionality, like the related videos section letting people learn about new, similar artists they might like. Over the past few years, YouTube has also added quite a few music-specific features, like artist-specific “YouTube Mixes” and upcoming concert information.
YouTube isn’t the solution
There’s at least one difficult-to-solve problem that prevents YouTube from being the One True Music Service, though: the fact that it’s a video site, and every musical track is tied to an only sometimes interesting clip.
This is fine when you’re consuming music on a computer with a fast internet connection: just play the video in the background as you go about your other business. But so much of our music consumption happens in other contexts where the videos make YouTube an unlikely option. After all, no one wants to wait for a video to download on a slow mobile data connection when they aren’t planning on paying attention to the video anyway. And that assumes people have a data connection at all. Playing videos also uses more battery life, and most modern mobile devices can’t multitask with videos the same way they can with music.
Ultimately, unless YouTube one day decides to make audio a first-class citizen on its site, that limitation will continue to prevent it from being usable as a music service outside the house.
And what of the music services?
There’s no question that music services offer an experience that is more optimized for straight-up music, and features like upcoming concerts are either already available or easily added.
The collection question, though, is harder to fix, and it has mystified me for a long time. Given that YouTube is successful with a model where the legality of an upload is determined after the inclusion in its playable corpus, why hasn’t a single music service emulated the model? Indeed, why hasn’t Google’s own music service gone down a path where any user-uploaded content is included in its database and playable by anyone else unless a record label desires otherwise?
Perhaps YouTube is truly just a historical accident that the record labels wish they could put back in the bottle. But shouldn’t that historical accident serve as precedent for the possibility of other sites that follow the same model? SoundCloud is one audio-focused site that relies on user-generated content, but it’s explicitly not focusing on music.
Until someone builds that service, I will have to continue relying on YouTube for discovering and trying out artists, and assorted unlicensed means for actually acquiring music the industry hasn’t bothered to make available to me.
I took a roughly two-week vacation this holiday season. It was my first real vacation since starting my job back in May, and the first time that I ran out of reasons to push off reflecting on how my life has changed since leaving college and, perhaps more significantly, leaving AIESEC.
While I have a number of reasons to be happy with my year, my self-evaluation was mixed, largely because of one reason: I found myself falling back into an old, familiar trap. I’ve been fighting it for much of my life and only started overcoming it regularly in the last few years; it is a problem I share with a large swath of the world. It is, quite simply, that I am far too likely to take things as they come.
The pitfalls of going with the flow
The value of being able to adjust to whatever comes your way is critical and should not be underestimated. Many of the best experiences I had while traveling came about as a result of letting things happen spontaneously—from getting treated to an intense Russian sauna experience in Ust-Kamenogorsk to a bizarre trip from Munich to Barcelona via Barcellona, Italy (don’t ask).
However, the same attitude that works well for day-to-day decisions can be disastrous for major life decisions. In these cases, going with the flow is the equivalent of taking the path of least resistance: the path that does not challenge you to develop yourself, or, worse, can lead you thoroughly astray. It can happen in any facet of life: the job you get, the college you go to, the hobbies you take up. And while for most people with a middle class upbringing this path leads to the inescapable gloom of mediocrity, for many people across the world the “path of least resistance” leads to poverty, drug addiction and crime.
Acting with intent
If going with the flow can become the antithesis of personal growth, acting with intent is the catalyst that makes it happen. When a person acts with intent, they are aligning their actions towards a specific purpose.
Actions with intent are generally goal-driven, but even more than that, they are deliberate: the critical element is in making a conscious decision—“I have decided to do this, for the following reasons.” This type of action is the outcome of a process that—despite its simplicity—I have always found hard to put into practice.
Changing my approach
Driven by the desire to make improvements, I’ve spent much of the holiday reading about various frameworks for goal setting and methods for productivity improvements. To my chagrin I found that none of these felt quite right to me: I could not see myself following through on any of the more intense ones, and the more basic ones struck me as things I wouldn’t think about often enough.
Instead, and partially inspired by a post by a good friend of mine, Justin Hsu, I’ve concluded that the way to keep myself accountable is to boil my goals down into a single question: Am I acting with intent?
This isn’t a “theme” for the year; it’s much too vague and too broad for that. Rather, it is an ongoing sanity test for me, as I make decisions and choose to do (or not do) certain things throughout the year.
I’m still working through applying the aforementioned process to setting my own goals, and I’ll share it as I do. But the entire way, I’ll be asking myself that same question.
If you haven’t been here for a while, you might be surprised by two things: one, that the site looks different again, and two, that I didn’t bother preserving all the comments that my posts had accumulated over the past few years.
This is not because I don’t love you, but rather because my insistence on using odd random scripts like Chyrp meant that I had to transfer my blog posts into this (WordPress-powered) system manually. That was sufficiently little fun in and of itself that moving comments did not seem worthwhile. My apologies.
Now that this site is running WordPress, though, I can do nice things like using Windows Live Writer to update, and take advantage of the vast ecosystem that surrounds the most popular blog engine. And ultimately the goal of that is to enable me to blog more often—something I’ve committed to for 2010.
Till then, please let me know if anything doesn’t look right.
If you have no wish, how can it possibly come true?
—Seth Godin, Ruby Slippers
If you haven’t heard of Microsoft’s new search engine, Bing, you should try it out. It actually works surprisingly well. Unfortunately, the Opera browser does not currently include Bing in its search box, so you have to add it manually. Here’s how:
- Go to the Bing home page at bing.com. Look at the pretty picture and read the fun captions. Then right click on the search box and select “Create search.”
- In the Create Search box, you can leave the “Keyword” field blank, or assign it a letter or two to quickly perform a Bing search from the address bar.
- Click on “Details.” Tick the two check boxes that appear: “Use as default search engine” and “Use as speed dial search engine.”
- Click “OK”
And you’re set!
I signed up for the pretty cool URL-shortening service tr.im today, mostly because of the statistics it enables users to view about each link. (Yes, there are issues with using URL shorteners, but if you have to use them, you may as well use a good one.) To make using it more convenient, I wanted to add a button to my browser to automatically shorten a URL.
They had a convenient bookmarklet that worked in Opera, my web browser of choice, but when I added it, I realized all custom buttons get the same default icon in Opera, the “new bookmark” icon. I was already using that for my delicious bookmarklet, and I didn’t want two stars I’d get confused between in my menu bar. So I whipped up a custom button using Opera’s “Fit to width” image. The screenshot shows how it looks. If you’re using Opera and want to add it, just drag this link to a menu bar:
My name is Arcadiy, and arcadiy.org is my website. Funny how that works.
I write about life, technology, my random side projects and whatever else strikes my fancy. I make no promises about the utility or entertainment of anything here. However, I would love to hear your thoughts on anything I mention.
In my day job I'm a Program Manager on SkyDrive.
You can read (or look at) more by me in my momentstream.