The StackExchange sites have a weak spot for late answers. The voting and sorting system rewards mediocre answers that are posted early over great answers that are posted months or years later. That means that the best answer is sometimes halfway down the page and may never reach the top.
It is often problematic that the person who asked the question gets sole control over which answer is at the top via the green check mark that "accepts" the answer. I've seen them choose some really bone-headed answers as accepted on occasion. There is just no way for the community to override them, even with a 10:1 ratio of votes on some other answer.
My other pet peeve is the large number of separate StackExchange sites with somewhat overlapping topics. It is almost impossible to figure out where to post a question sometimes. Most of the sites have non-obvious rules about what is off-topic. You are likely to ask in the wrong place and get your question closed the way it is set up. For example, if you have a question about the security of Google Analytics for your WordPress website running on IIS, you might ask it on Security, WordPress, Webmasters, WebApps, or Server Fault. Most people seem to just ask it on StackOverflow because it is the one they know.
It gets much more complicated once there is a load balancer involved. I end up redirecting the acme-challenge directory to a subdomain that gets hosted without a load balancer, generating the certificate there, and then having scripts push it to the load balancer.
The other problem I have is that certbot is not idempotent. Certbot doesn't check if the deploy scripts actually succeed or not, it just assumes they did. If they didn't, they will never get called again. Just running certbot auto-renew is not enough. You have to compare the locally available cert to the live installed cert to know if a deploy is needed.
With all those extra checks, it works, but it is several hundred lines of scripts.
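One way to do the local-versus-live comparison described above, as an added example that is not the commenter's own script: it fingerprints the leaf certificate on disk and the one the endpoint actually serves, and treats an unreachable or unparsable endpoint as "deploy needed". The function names, the fail-toward-redeploy choice and the sample PEM blobs (constructed, not real certificates) are assumptions.

```python
import base64
import hashlib
import re
import ssl

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate's DER bytes.

    A fullchain file holds leaf + intermediates; only the leaf is compared,
    and hashing DER makes PEM line-wrapping differences irrelevant.
    """
    match = _CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate found")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def fetch_live(host: str, port: int = 443) -> str:
    """PEM of whatever certificate the endpoint serves right now."""
    return ssl.get_server_certificate((host, port))


def needs_deploy(local_pem: str, host: str, fetch=fetch_live) -> bool:
    """True when the served certificate is not the one on disk.

    Assumption: if the live cert cannot be fetched or parsed, redeploy
    rather than silently trusting that an earlier deploy hook worked.
    """
    try:
        live = leaf_fingerprint(fetch(host))
    except (OSError, ValueError):
        return True
    return live != leaf_fingerprint(local_pem)


def _sample_pem(payload: bytes) -> str:
    """Constructed stand-in for a certificate (valid PEM framing only)."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample data: the renewed cert on disk and the stale one
# still installed on the load balancer.
SAMPLE_NEW = _sample_pem(b"constructed-renewed-cert")
SAMPLE_OLD = _sample_pem(b"constructed-stale-cert")

if __name__ == "__main__":
    stale = needs_deploy(SAMPLE_NEW, "lb.example.com", fetch=lambda h: SAMPLE_OLD)
    print("deploy needed:", stale)
```

Run on a schedule, a check like this makes the deploy step safe to repeat: it only pushes when the served certificate differs from the renewed one.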
The browser error messages are cryptic and inconsistent. None of them say what the problem actually is. None of them offer links to the blog posts or bugs announcing the revocation. The only way to figure out the issue is through searching.
Google is killing existing certificates without making any attempt to contact webmasters. Google should be putting alerts in Google Search Console for every site that will be brought down by this change. At least Firefox limited the scope such that all existing certificates were grandfathered in.
StartSSL was the only certificate authority at its price point. You didn't have to pay by the certificate. You didn't have to pay for the automated process by which you validated ownership of domains. You only paid for validations of who you are and who your company is. Once you were validated, you could issue as many certificates as you wanted for any domains you own. For a flat fee of $200 per year, I could get all the certificates I needed.
The only alternative that I have been able to find is LetsEncrypt. While it is completely free, it has some major disadvantages:
LetsEncrypt doesn't offer wildcard certificates. I have a domain with about 60 subdomains. The lack of wildcard really hurts for me here.
LetsEncrypt only offers the most basic level 1 certificates. They only validate that you have control over your domain. They don't offer level 2 that validates who you are. They don't offer level 3 that validates who your company is. They don't offer the level 4 extended company validations that give the green bar in browsers.
But then why is the bookmarks bar below the URL bar? My bookmarks are more like the menu. They don't change based on which tab is open. Shouldn't the bookmarks go above the tabs?
Firefox bookmarks sync is much better than Chrome bookmarks sync. Firefox stored your bookmarks locally and updated them periodically from the cloud. Chrome appears to have to download everything when I start the browser. I get a blank bookmarks bar for a few seconds when the internet is slow and I open Chrome. This is one place where Firefox got the design right and Chrome has it wrong.
Push to production as soon as the (many) automated tests that you have pass. This means you should have comprehensive unit tests and tests that run in the browser, probably written in Selenium. You'll also want to script your release so that you can do it with the push of a button. Once the tests pass, and the mechanics of a release are trivial, there is little reason to hold up a release.
I worked for a top 500 website (East coast) for 7 years that did weekly releases. Since I left, they decided that wasn't fast enough and now release multiple times per week. I'm now self-employed on my own website and release within an hour of finishing development of a feature.
I started my development career writing firmware for laser printers. When you are shipping code on a physical product, the cost of bugs can be quite high. Especially when it leads to returns or recalls because customers are not satisfied. Our release cycles there were 6 months+. Quite appropriately, IMO.
On the web, the cost of bugs is much lower. In most cases it is only the cost of another release. Sometimes it could cost more because of downtime, but good automated test coverage mitigates that risk pretty well (especially if there is load testing involved). The worst case would be data corruption, but I've never actually seen that in practice from a release; that has only been related to hardware failure or accidents in my experience.
Facebook has a real name policy as well. It hasn't hindered their growth. The problem is that Google+ has a real name policy, but doesn't require mutual friendship. This leads to a duplicate one way friendship problem.
Here is the use case: you want to add a friend who isn't on the network but you have their email address.
Facebook: You add the user by email. It goes to "friendship requested" status.
Google: You add the user by email. That email address is added to your circles.
Then later, the user signs up for the social network, but not using the email address you supplied, then friends you.
Facebook: You are friends!
Google: You are friends, plus you have a zombie email address friend in your circles. FAIL!
That and Google+ is full of bugs. For example you open a Google+ account at your own email address. Then you sign up for gmail. This changes the email address of your Google account to your new gmail address with NO WAY TO CHANGE IT BACK. The people in your circles are associated with your old email address. Google has DELETED all the friends from your circles. You then have to re-add all of them.
The IT department here used one of those "perpetual motion" drinking birds to test the video conference system. A week before the big meeting, they set up the link between our Boston office and our London office, put a drinking bird in front of the camera, and made sure that the connection remained stable enough that it wasn't going to drop during the three hours that we really needed it.
I always get jealous of IT folks when I see that they get to work with racks of equipment. It seems to me like it is building with Lego blocks for a living.
In addition to software installation and security, our IT folks plan out the hardware with the power and cooling requirements. I would have been fascinated by this stuff as a kid (and I still am).
Treat each of them the same as a digit in a captcha. Solve 5 of them at once with ten choices for each, and there is only a 1 in 50,000 chance of guessing.
- Keep using the same domain name. Right now changing your domain name incurs a huge penalty from Google. You will lose 90% of your traffic for 8 months.
- Use unique titles and meta descriptions for each of your pages. If the titles and meta descriptions on two of your pages are the same, one or both of the pages will likely go into Google Hell.
- Don't buy links to your site to boost your pagerank from unrelated sites. If Google sees links to your site on the same page as links to Viagra sites, you will likely get a spam penalty.
- Ensure that your content is original and unique. If you use syndicated content, or syndicate your content to other sites, Google will realize that the content exists in two places and put one of them into Google hell.
If you do get into Google hell:
- There is nobody at Google you can talk to.
- Fix any issues that you can find.
- Contemplate. Google hell is designed as a penalty box. However it can whack the white hat folks just the same. You may be in it because you did something wrong, you may just have gotten hit by friendly fire. It happens from time to time to most large sites that depend on Google for traffic.
- Wait. You will generally get out of Google hell. In my experience it can be as little as one to two months for most things, but up to a year for domain name changes.
- Get the PR machine going. Google doesn't want a bad image. If you get articles like this one in places that Google engineers are likely to see them, the problems may get fixed for you faster. Google will still never admit that there ever was a problem though.
Another example of an injection attack allows an attacker to send spam through a contact form that doesn't normally allow the recipient to be specified by the user.
A webmaster hosts a contact form on his website that allows users to fill out a form to contact him. He allows the user to specify a subject and a message but the recipient is hard coded to webmaster@example.com.
The message ends up looking like this:
To: webmaster@example.com
From: thewebserver@example.com
Subject: $subject

$message
Where $subject and $message are captured from the user on the website.
If the $subject is not properly sanitized, a bot could submit it with a new line in it and be able to start a new line in the headers of the email. That new line could be, for example, a large CC list of people to spam with his message:
Buy my weight loss pills!
CC: spammee1@example.com, spammee2@example.com
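The injection described above, as an added example that is not part of the original comment: the first builder pastes the subject into the header block the way the template does, and the second refuses any subject containing a line break before handing it to Python's `email` library. The function names are assumptions; the hostile subject is the one from the comment.

```python
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses

RECIPIENT = "webmaster@example.com"      # hard-coded, as in the comment
SENDER = "thewebserver@example.com"

# The subject from the comment: one line of text, a line break, then a CC header.
HOSTILE_SUBJECT = ("Buy my weight loss pills!\n"
                   "CC: spammee1@example.com, spammee2@example.com")


def build_naive(subject: str, message: str) -> str:
    """Vulnerable form: user input is concatenated into the header block."""
    return (f"To: {RECIPIENT}\n"
            f"From: {SENDER}\n"
            f"Subject: {subject}\n"
            f"\n{message}")


def build_safe(subject: str, message: str) -> str:
    """Hardened form: a subject is a single line, so CR or LF is rejected."""
    if "\r" in subject or "\n" in subject:
        raise ValueError("line break in subject")
    msg = EmailMessage()
    msg["To"] = RECIPIENT
    msg["From"] = SENDER
    msg["Subject"] = subject
    msg.set_content(message)
    return msg.as_string()


def recipients(raw: str) -> list[str]:
    """Addresses a mail server would deliver to, read from the parsed headers."""
    msg = message_from_string(raw)
    values = []
    for name in ("To", "Cc", "Bcc"):     # header names match case-insensitively
        values += msg.get_all(name, [])
    return [addr for _, addr in getaddresses(values)]


if __name__ == "__main__":
    print(recipients(build_naive(HOSTILE_SUBJECT, "hi")))
    try:
        build_safe(HOSTILE_SUBJECT, "hi")
    except ValueError as exc:
        print("rejected:", exc)
```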
For anyone interested in reading the findings without having to wade through it all, then go to page 36 and start with section 9.3 where a little further on it also refers to account terminations and how this occurs, section 9.6 is the bit that I guess most may be interested in...you never know, you may then decide to read it all
Google is (as of yesterday) now showing statistics about how many invalid clicks an adwords account has received. You can read all about it in the adwords blog.
The list could be titled: Twelve ways to avoid being a monopoly or Twelve ways to avoid pissing off customers and third party developers.
If Microsoft really takes these twelve items to heart, it could be a big shift for them. It would certainly go a long way to change my perception of the company. I might even consider using Windows again at some point.
The cynic in me says that something is forcing them to say this and that they possibly don't really mean it. The options seem like:
The anti-trust litigation is finally changing them
Competition from Apple and Linux has them over a barrel
They want good publicity and they don't really mean it.
The stamina problem should not exist with Ebay's minimum bids. The minimum bid is always some percent above the current price. You wouldn't be able to endlessly bump the bids up by a penny. Your wallet will grow thin well before your opponent gets weak.
Another way to implement it would be to increase the time proportionally to the bid increase. For example a 0.1% increase in price would increase the auction time by 10 seconds, but a 10% increase in price would make the auction last another hour.
>> Great in theory, but what about time sensitive items? Ala tickets? I often bid on (and sometimes win) tickets off of ebay, and sometimes I win and get delivery (electronic tix) just hours before an event.
> Allow the auction owner to specify the amount of "over time" allowed.
Or even better from ebay's perspective: charge the seller extra to create an auction in which the time will be extended if somebody bids at the last minute.
You have a point.
This really sucks for customers of StartCom (StartSSL):
Basically Google (and to a lesser extent Firefox) have handled this really badly. I found out about this issue when I got a new certificate and it wouldn't work: StartSSL certificate gives SEC_ERROR_REVOKED_CERTIFICATE in Firefox and ERR_CERT_AUTHORITY_INVALID in Chrome
Matt Cutts maintains a blog where he responds.
Here is the link to this particular response:
http://www.mattcutts.com/blog/google-hell/
Spider man's Broadway debut now on YouTube
Web slinger becomes web singer.
If you are having trouble being gifted, try eating heavy metals rather than listening to heavy metal. That way you won't be gifted very long.
- Beaten with baseball bats
- Slammed by a large log
- Pushed off a cliff
- Hit by a truck
- Beaten by a gang
Google Video has a different video
It's not responding. Are there really enough slashdotters awake at 7:00 AM (EST) to bring down something from Sun?
Or is it just so large that the two people that are downloading it are now sucking up all the bandwidth?
In any case, anybody have a torrent?
A webmaster hosts a contact form on his website that allows users to fill out a form to contact him. He allows the user to specify a subject and a message but the recipient is hard coded to webmaster@example.com.
The message ends up looking like this:
Where $subject and $message are captured from the user on the website.
If the $subject is not properly sanitized, a bot could submit it with a new line in it and be able to start a new line in the headers of the email. That new line could be, for example, a large CC list of people to spam with his message:
Which is why I would suggest using a contact form such as the one that I have written that has already thought about this sort of thing.
You mean like property tax?
Just type some javascript into the url bar:
javascript: document.forms[0].action = "?p=auto_submit";
Then you are good to go with any web browser.
This device was designed to kill the hotdog cutting business. All "safety" benefits of this product are masking the true intention.
- OptiRex