Coding Horror

One of my most eye-opening early experiences was a tour of a local manufacturing plant during high school. One of our tour guides was a MIT trained engineer who accompanied us, explaining how everything worked. At the end of the tour, he gave each of us a picture of a spider he had taken under one of the electron microscopes they had at the facility. He labelled it "Boris the Spider" after the Who song. I kept that photo in my school locker for months.

As a college-bound high school junior, I was impressed. I thought my Apple II was the neatest tool ever, but this guy had a freaking electron microscope. He was articulate, intelligent, and on top of that, one of the coolest people I had ever met. And he graduated from MIT, one of the best engineering schools in the country. During lunch, I asked him how much of his schoolwork applied to his current engineering job. His response?

I can't think of a single thing from my MIT classes I've used on the job.

This blew my mind. What's the value of a marquee college degree if none of the skills you learn are useful on the job?

At first, I was incredulous. But after considering my own high school educational experience, it started to make more sense. And certainly after attending college for a year, I knew exactly what he meant. The value of education isn't in the specific material you learn-- it's in learning how to learn. In Knowledge Access as a Public Good, danah boyd presents Wikipedia as a perfect example of the latter:

Why are we telling our students not to use Wikipedia rather than educating them about how Wikipedia works? Sitting in front of us is an ideal opportunity to talk about how knowledge is produced, how information is disseminated, how ideas are shared. Imagine if we taught the "history" feature so that students would have the ability to track how a Wikipedia entry is produced and assess for themselves what the authority of the author is. You can't do this with an encyclopedia. Imagine if we taught students how to fact check claims in Wikipedia and, better yet, to add valuable sources to a Wikipedia entry so that their work becomes part of the public good.

Passively reading the material in an encyclopedia or textbook is learning, in a sense. But learning how to research and question the material you read-- and, as in Wikipedia, how to update it so you're adding to the communal wealth of knowledge-- is a far more valuable skill. This kind of participatory, hands-on experience outstrips any kind of traditional classroom textbook. Why read textbooks when you can help write one? There's no substitute for learning on the battlefield.

Nowhere is the importance of learning how to learn more critical than in the field of software development. Programming is, almost by definition, continuously learning: your entire career will be one long, unbroken string of learning one new bit of technology after another. Every ten years the software development field reinvents itself, and it's our job to keep up.

If you don't like learning new things, you will despise software engineering. It's all we do. That's why learning how to learn is such an important skill for software engineers. In our field, how only lasts about five years, but why is forever.

As part of my new advertising initiative, Microsoft and I are teaming up to donate $10,000 in support of open source .NET projects.

Why am I focusing on .NET open source projects? In short, because open source projects are treated as second-class citizens in the Microsoft ecosystem. Many highly popular open source projects have contributed so much to the .NET community, and they've gotten virtually no support at all from Microsoft in return. I'd like to see that change. In fact, I'll go even further-- I think it must change if Microsoft wants to survive as a vendor of development tools.

Of course, I'm not the first person to make this observation:

• Scott Hanselman

  It's a shame that Microsoft can't put together an organization like INETA (who already gives small stipends to folks to speak at User Groups) and gave away grants/stipends to the 20 or so .NET Open Source Projects that TRULY make a difference in measurable ways. The whole thing could be managed out of the existing INETA organization and wouldn't cost more than a few hundred grand - the price of maybe 3-4 Microsoft Engineers.

• Ayende Rahien

  The open source community in .NET is big, but it is only a fraction of the size of the open source community in other environments (Java, for instance). This disparity can be explained by looking at the basic facts of the .NET community: there's one central vendor, Microsoft. This puts Microsoft in a position where they have the ear of every .NET developer, team lead and architect. And Microsoft isn't doing anything to foster a healthy OSS community around .NET.

• Dave

  In my company's commercial application we depend upon DotNetNuke, Nant, log4net, NUnit and other open source tools. Those open source projects help support us. In fact, without DNN, we would probably be out of business because our developments costs would be too high. In turn, my company helps support Microsoft through the purchase of licenses and MSDN subscriptions. Yet Microsoft does not complete the circle by financially supporting any of those open source projects.

• Joe Brinkman

  I believe it is in Microsoft's best interests to identify a handful of open source projects to support, especially where those projects fill a void in the Microsoft product line, or where the project promotes the adoption of Microsoft products. However, I think the project bears even more responsibility to identify how they can benefit a potential corporate sponsor, and then actively pitch the idea to the corporation whose sponsorship is being sought. The project should care more about developing and growing this relationship than the corporate sponsor, since the project could well die without the support, while the corporation only loses one of many potential opportunities.

Here are my initial thoughts on splitting up the $10,000:

• Three donations of $2,500 for the most worthy established .NET open source projects.
• Five donations of $500 for new, up and coming .NET open source projects.

I'd also like to see this become a yearly event. As long as my advertising revenues hold up, I'm certainly willing to contribute a percentage back to the community every year.

All of this will be determined by popular vote, of course. Let's start by getting together a list of candidates. I'm soliciting nominations. Which .NET open source projects do you find most useful?

I was saddened to read this blurb from danah boyd's outstanding "MyFriends, MySpace" presentation at Harvard:

My activist self wanted to believe that the users are aware of [ads], but sadly, that's not the case. To them, seeing ads means that the service is free. Kids are so used to being blasted with ads that they don't notice them.

I am no fan of advertising. I hate the fact that most websites are plastered with obnoxious, barely relevant ads. I've considered advertising before, but I rejected it. I don't want to be part of the problem. Even as a hypothetical, I couldn't come up with any tangible advertising benefits for anyone but myself-- and even then, not without taking on significant risks:

• Loss of credibility. Do you advocate the products your ads are hawking? Are you pandering to drive page views or writing what you feel? Who are you writing for, exactly? Your advertisers? Your audience? Yourself?

• Design Suffers. Ads are eyesores, virtual billboards cluttering the digital landscape of a website. Got whitespace? Fill it with another ad, naturally. Maximize that revenue stream, layout be damned!

• Lack of Professionalism. In traditional journalism, there's strictly enforced separation between the writers and the marketers selling ads. In a one-man blog shop, this isn't possible, so questions of impartiality are unavoidable.

But there's a certain.. inevitability.. to online advertising, as Clay Shirky wrote:

This model, which generates income by making content widely available over open networks without charging user fees, is usually called 'ad-supported content', and it is currently very much in disfavor on the Internet. I believe however, that not only can ad-supported content work on the Internet, I believe it can't not work. Its success is guaranteed by the net's very makeup - the net is simply too good at gathering communities of interest, too good at freely distributing content, and too lousy at keeping anything locked inside subscription networks, for it to fail. Like TV, the net is better at getting people to pay attention than anything else.

That was a few years ago. Now the battle is long over. Advertising has won so completely and decisively that it's hard to imagine any other revenue model working online. A handful of websites can pull off pay-only services, but it isn't even on the radar for most.

Advertising sucks. But you know what else sucks? When people point out how stupid you are to throw away five figures worth of potential income. Repeatedly. At length. So the question becomes this:

Is it possible to advertise responsibly, with respect for your audience-- and yourself? I think it is, if you're careful.

One of my favorite references on responsible online advertising is the Modern Life blog. Like so many of my favorite blogs, it's not updated nearly often enough. But Stuart Brown's piece on balancing AdSense with user experience offers the best advice I've seen so far:

1. Use the AdSense heat map to judiciously select one or two places for ads, rather than blasting them across your page.

2. As a courtesy, turn off ads for Digg, Reddit, and other popular referring URLs. This audience doesn't appreciate ads, and they're the least likely to click them anyway.

3. Reward frequent readers by keeping your new content free of ads. Use time-delayed ads that only display on articles after they've aged for a week.

4. Always offer full content in your RSS feed. Don't force people to click through to your site and see your advertisements.

It's sensible, original advice that's respectful of readers. The advertising section of Ethical Blogging 101 is also spot-on as well. Heck, read his entire blog while you're there. It's all great.

Stuart only talks about AdSense in his posts. AdSense is easy enough to plug in to your website, but is generic AdSense really the right choice? In The 7 Levels of Revenue for your Blog, Google AdSense is the absolute bottom of the barrel, a choice of last resort. There are other options:

Notice that the top 3 tiers of the advertising pyramid are all sold directly. I prefer this approach. You retain maximum control over exactly what is advertised on your website. Instead of an ad network deciding what gets displayed, you decide. It's a relationship you control.

If you're going to clutter up your website with advertising in the first place, why not do it as effectively as possible? Don't use the Ronco spray-on advertising approach -- e.g., indiscriminately placing low-value Google AdSense units in every nook and cranny of your page. It's a better experience for you, and your readers, to be much more selective. I'll never understand bloggers who place their own personal desire for an additional few grand of income over basic respect for their readers.

By now, you may be wondering if this is a rather tedious, long-winded way of saying that I'm about to start advertising on this blog. You're right. It is. But I have one more bit of advice to offer before I do, and it's arguably the most important one of all.

I will be donating a significant percentage of my ad revenue back to the programming community. The programming community is the reason I started this blog in the first place. The programming community is what makes this blog possible. It's an open secret amongst bloggers that the blog comments are often better than the original blog post, and it's because the community collectively knows far more than you or I will ever know.

So, what's significant? Let's start with $5,000.

I've personally benefited most from the .NET open source community, which I feel is radically under-served by Microsoft, so I'll be contributing this money to one or more .NET open source projects to maximize its impact. And what's even more exciting is that I have a verbal commitment from Anand Iyer, a MS Developer Evangelist, for Microsoft to match my contribution. That makes a cool $10,000 we will be contributing to support open-source .NET projects!

Update: My $5,000 was awarded to the ScrewTurn Wiki project in April 2008. Sorry it took so long.

As much as I abhor advertising, I'm tremendously excited to have the opportunity to share my advertising revenue with the larger .NET programming community. For me, that's the tipping point. Giving back to the community is what makes the pain of advertising worthwhile.

If you've used a computer for any length of time, you've probably clicked through hundreds of End User License Agreement (EULA) dialogs. And if you're like me, you haven't read a single word of any of them.

Who can blame you? They're mind-numbing legalese. As a software developer, I understand that choosing a software license for my code is helpful to my fellow developers. But who, exactly, benefits from an end-user license agreement?

I'm an end user, and I don't recall anything good ever coming from clicking that "I accept" option. It's just another meaningless hoop I have to jump through before I can actually use the software. For all I know, the EULA could specify that the software is going to install a keylogger, steal all my passwords and financial information, send incriminating emails threatening the president, format my hard drive, and then sleep with my wife. How would I know? I blindly clicked that big, fat accept button, same as I always have.

Short of writing software to read the EULA and automatically flag such problems – a conceptually brilliant solution to an intractable problem – what's a poor "end user" to do?

The EFF points out a few common problems with EULA agreements you might want to watch out for:

1. "Do not criticize this product publicly."
   

   Hidden within the terms of many EULAs are often serious demands asking consumers to sign away fundamental rights. Many agreements on database and middleware programs forbid the consumer from comparing his or her product with another and publicly criticizing the product. This obviously curtails free speech, and makes it more difficult for consumers to get accurate information about what they're buying by inhibiting professional watchdog groups like Consumer Reports from conducting independent reviews.

2. "Using this product means you will be monitored."
   

   Many products come with EULAs with terms that force users to agree to automatic updates – usually by having the computer or networked device contact a third party without notifying the consumer, thus potentially compromising privacy and security.

3. "Do not reverse-engineer this product."
   

   Some EULA terms harm people who want to customize their technology, as well as inventors who want to create new products that work with the technology they've bought. "Reverse-engineering," which is often forbidden in EULAs, is a term for taking a machine or piece of software apart in order to see how it works. This kind of tinkering is explicitly permitted by federal law – it is considered a "fair use" of a copyrighted item. Courts have held that the fair use provisions of the US Copyright Act allow for reverse-engineering of software when the purpose is to create a non-infringing interoperable program.

4. "Do not use this product with other vendor's products."
   

   Vendors use EULAs to make consumers agree that they won't use products that evaluate the performance of the software they've bought, or that can be used to uninstall all or part of the program. Essentially, clicking "I Agree" to such a EULA means that you're not supposed to reconfigure your computer to touch or remove the software you've just installed. These kinds of EULA terms have become popular lately because many vendors support free versions of their products by packaging them with third-party programs that serve ads or gather information about consumer habits for marketing companies. If users uninstalled such ride-along programs at will, the vendors might lose revenue. For example, Claria (formerly Gator) is a company that delivers pop-up ads and pays to have its GAIN software bundled in free versions of popular file-sharing program Kazaa.

5. "By signing this contract, you also agree to every change in future versions of it. Oh yes, and EULAs are subject to change without notice."
   

   Put simply, this means that when you install iTunes, you are not only agreeing to all the onerous terms in the box, but you are also agreeing to future terms that may appear in the iTunes Terms of Service months or years from now. These terms are subject to change without notice, and you don't even get a chance to click through this future "contract" and agree. Mere "continued use of the iTunes Music Store" constitutes your agreement to contractual terms that you may not be aware exist. These kinds of terms are ubiquitous in EULAs and in Terms of Service for countless products.

6. "We are not responsible if this product messes up your computer."
   

   The disclaimer of liability for faulty software is perhaps the most important function of a EULA from the manufacturer's perspective. And it's bad news for the consumer. This term purports to supplant traditional consumer protection and products liability law. Clicking yes on EULAs containing this common clause means that the consumer cannot file class-action lawsuits against the vendor for faulty products, or for products that do not do all the things that the company advertised they would.

I've presented only the summary highlights; I highly recommend reading the rest of the EFF article for much more detail. Unfortunately, following any of the EFF's advice requires reading the EULA in minute detail, a time commitment that few are willing to make.

What I've pictured above are known as click-wrap licenses. Clicking through indicates assent to the license. But did you know that the physical act of opening some software can subject you to shrink-wrap license terms? Cory Doctorow calls shrinkwrap licenses an epidemic of lawsuits waiting to happen. I'm not sure about the lawsuit epidemic, but the jury is definitely still out on whether or not clickwrap and shrinkwrap EULAs are enforceable – or even meaningful.

Clickwrap and shrinkwrap agreements all start with the phrase READ CAREFULLY, in caps. The phrase means, "IGNORE THIS." That's because the small print is unchangeable and outrageous.

Why read the "agreement" if you know that:

• No sane person would agree to its text, and
• Even if you disagree, no one will negotiate a better agreement with you?

Given the insanity of our current predicament, not reading the EULA could very well be the most rational course of action.

In How to Clean Up a Windows Spyware Infestation, I documented how spyware can do a drive-by infection of your machine through your web browser. To be absolutely clear, I never clicked on any advertisements, or downloaded and executed any files. All I did was open a GameCopyWorld web page in an unpatched, original circa-2001 version of Internet Explorer 6.0.

Yes, I know this is a spectacularly stupid thing to do. But I'm glad I did it. I got a small taste of the experience awaiting casual users when they browse the web without the latest patches and updates. I think every technical computer user should have this experience, so they can see first hand, on their own machine, the profound evil that we're up against. Sure, we can recover, but we do this stuff for a living. I'm trying to imagine what my mother or father would do if this happened to them. They'd probably have to buy a new computer.

When the only viable solution to sickness is to kill the patient, you have a problem of epidemic proportions.

Adam McNeil, of Webroot Software, was kind enough to lend an investigative hand and duplicate the GameCopyWorld scenario. His findings are exhaustive and eye-opening:

After researching the GameCopyWorld.com website I can confirm that the site is utilizing 3rd party exploits in order to deliver malware. The exploits in question appear to be delivered through a series of advertisements within the gamecopyworld.com website.

GameCopyWorld displays a "Find Your Love at Bride.Ru" advertisement. That advertisement "refers" to linktarget.com in order to display an advertisement for the DVD software produced by Slysoft.com. That advertisement "refers" to 39m.net which in turn creates an <iframe> to buyhitscheap.com. Buyhitscheap.com in turn calls fkdomain.info who attempts to deliver a series of exploits to a users system in hopes of installing a trojan dropper. The fkdomain.info site attempts to exploit the following: (there could be more but these were the exploits I picked out of the code)

• Apple QuickTime with an RTSP Buffer Overflow error
• WinZip FileView ActiveX CreateNewFolderFromName Method
• Microsoft Windows Shell Code Execution Vulnerability
• Byte Verify Exploit

The dropper creates files that in turn download additional files as well as create threads within the Internet Explorer browser.

Webroot SpySweeper detected the following spies after allowing the installer to run over night.

• Virtumonde
• Visfx
• ZenoSearchAssistant
• PurityScan
• Trojan Downloader Matcash
• Trojan-Downloader-Zlob
• BookedSpace
• Trojan-Downloader-WaveRevenue
• Trojan.Gen
• Trojan-Downloader-Prez
• MaxiFiles
• TargetSaver
• Trojan-Poolsv
• Trojan-Dropper-Zomavis
• Webhancer
• Web Buying
• Command
• Core Adware (CoreAdware is known to use Rootkits {core.sys} to mask its presence.)

In addition to the above listed spies, I have also recorded a large number of unclassified (not for long) files and registry entires that were added to the box as well.

Seeing as how these exploit files were delivered via 3rd party advertisements I'm not sure it is entirely accurate to place all of the blame for this Drive-by with GameCopyWorld.com. It's possible that they allowed a third party to attempt exploits on a users machine, but then again it's also entirely possible that one of these advertisers has slipped in these exploits without their knowledge or consent. It's impossible to know if this exploit was delivered intentionally or accidentally.

I've never used any Webroot products, but when an employee takes his own personal time to investigate a public scenario so thoroughly, that speaks very highly of the company. They're clearly one of the good guys. But the fact that I have to maintain a mental "safe list" of software companies-- these are OK, these are questionable-- is itself disturbing and unhealthy. It's symptomatic of just how sick the Windows software ecosystem has become. It's nearly impossible to tell the good guys from the bad guys. Do a web search for "spyware" and you'll get dozens of results, some of which are for companies that installed the spyware in the first place. Can you tell them apart? Could your parents?

Tracing this massive security epidemic all the way back to patient zero doesn't take much detective work. It originates with Windows NT 3.0, when Microsoft chose to set up default users as Administrators.

This infection was only possible because I was logged in as an administrator. Choosing not to run as an Administrator is easily the single most important security tip for a Windows machine, whether you're running XP or Vista. Worried about your parents getting infected? Need to create an account for a teenager? Set them up as regular users. It's not a panacea, but it goes an awful long way towards solving the problem. As a test, I logged in as a normal user, and I was unable to duplicate the GameCopyWorld infection in any way-- even with a completely unpatched, circa 2001 version of Windows XP. Running as a normal user really works.

Aaron Margosis' blog is the best source of information on running as a non-administrator. His list of reasons why you shouldn't run as an Administrator is hair-raising stuff:

If you're running as admin, an exploit can:

• install kernel-mode rootkits and/or keyloggers (which can be close to impossible to detect)
• install and start services
• install ActiveX controls, including IE and shell add-ins (common with spyware and adware)
• access data belonging to other users
• cause code to run whenever anybody else logs on (including capturing passwords entered into the Ctrl-Alt-Del logon dialog)
• replace OS and other program files with trojan horses
• access LSA Secrets, including other sensitive account information, possibly including account info for domain accounts
• disable/uninstall anti-virus
• cover its tracks in the event log
• render your machine unbootable
• if your account is an administrator on other computers on the network, the malware gains admin control over those computers as well

..and lots more

I'll admit I am not the best role model on this count. Personally, I lost my enthusiasm for limited user accounts when Microsoft didn't have the guts to make standard users the default-- as they absolutely should have-- in Windows Vista. I swore they would. Instead, we got got hybrid administrator weirdness and "Cancel or Allow" oddities.

I guess that's yet another thing we can sacrifice at the dark altar of backwards compatibility.

I understand the pressure to be backwards compatible. There's no end of Vista blowback based on minor driver compatibility issues. The "if it doesn't work, it's automatically Microsoft's fault, even if the software or hardware vendor is clearly to blame" mentality is sadly all too common. But given the massive ongoing Windows security epidemic, was defaulting regular users to Administrator accounts-- exactly like Windows XP, Windows 2000, and Windows NT before it-- really the right decision to make?

I'm not so sure.