I have discovered a number of security vulnerabilities in Bluesky and atproto. Each time I’ve found something new, I’ve chosen to report it to Bluesky at email@example.com, as requested at https://bsky.app/.well-known/security.txt, and provide them with details. Bluesky has responded to only one of these reports, one time, 4 days after submission, saying “We appreciate the report, and we’ll be taking a closer look at the issue.”. They did not follow up on that report and they have not responded to any of my other reports.
A Blog Post With Every HTML Element
I could, element by element, continue to add support (mostly by making CSS updates for each element to fit in with the rest of my style choices) as I came across specific needs for them, but not one to shy away from an exhaustive exploration, I decided to write this post and attempt to use every element.
A goal of the post, was to avoid delaying other future posts with CSS updates on a previously unused element, but in reality it took a year and a half to make all the updates for just this post! I am using the MDN Web Docs list of HTML elements as a reference which has more than 100 tags divided into a few categories, which I will also use in this post.
Memoirs from the old web: The KEYGEN element
The purpose of the <keygen/> element was to allow a web browser to generate a private/public keypair upon submitting a form, in a way that allowed a web browser to be enrolled in a new client certificate.
Why some GitHub labels are illegible
essentially the text of the label will be colored white if perceived-lightness<0.453 and black otherwise. However, when the perceived-lightness is very close to the threshold, we don’t trigger the min or max and actually get some sort of grey color for the label.
the door close button
Elevator control panels have long featured two buttons labeled “door open” and “door close.” One of these buttons does pretty much what it says on the label (although I understand that European elevators sometimes have a separate “door hold” button for the most common use of “door open“). The other usually doesn’t seem to, and that has lead to a minor internet phenomenon. Here’s the problem: the internet is wrong, and I am here to set it right.
How I experience the web today
An interactive experience!
Into the Breach Design Postmortem
In this 2019 GDC session, Subset Games co-founder Matthew Davis details the Into the Breach design process from early drafts to the final balancing decisions. Davis dives into years of cut content and iteration to show how Subset Games approached the difficult design challenges of making Into the Breach.
Why Keyboard Shortcuts don't work on non-US Layouts and how Devs could fix it
This is most annoying when the most important keyboard shortcuts are inaccessible. A very common shortcut is / for accessing search functionality. Unfortunately, there is no /-key on most international layouts. Adding modifiers to produce this key with your layout rarely helps. For example, on my German layout, / is produced via Shift+7. Most web applications will ignore this. Similarly painful is when Electron apps use [ and ] for navigating backwards and forwards.
If you use a US layout, you might be surprised to hear about these problems. But rest assured, they are not new and I am not the only one who is affected. We are at a point where it is easy to find users complaining about this for almost any popular web application.
In Defense of Interactive Graphics
Knowing that the majority of readers doesn’t click buttons does not mean you shouldn’t use any buttons. Knowing that many many people will ignore your tooltips doesn’t mean you shouldn’t use any tooltips. All it means is that you should not hide important content behind interactions. If some information is crucial, don’t make the user click or hover to see it (unless you really want to). But not everything is crucial and 15% of readers isn’t nobody. So there is a lot we can do with interaction, and I am going to point out three examples below.
Citi Can’t Have Its $900 Million Back
Last August, Citigroup Inc. wired $900 million to some hedge funds by accident. Then it sent a note to the hedge funds saying, oops, sorry about that, please send us the money back. Some did. Others preferred to keep the money. Citi sued them. Yesterday Citi lost, and they got to keep the money. I read the opinion, by U.S. District Judge Jesse Furman, expecting to learn about the New York legal doctrine of finders keepers—more technically, the “discharge-for-value defense”—and I was not disappointed. But I was also treated to a gothic horror story about software design. I had nightmares all night about checking the wrong boxes on the computer.
Uniwidth typefaces for interface design
Uniwidth typefaces, on the other hand, are proportionally-spaced typefaces, but every character occupies the same space across different cuts or weights. What this means in practice is that no matter which weight you set your text in, it will never change its length or cause text to reflow.
GNOME has no thumbnails in the file picker (and my toilets are blocked)
The file picker is the pop-up box thingy that appears when you’re opening a file, usually when uploading something online. The GNOME desktop environment uses the file picker package GtkFileChooser. This file picker does not have a thumbnail view. It is broken software. Thumbnails are not a cute little extra, they are essential. This is as bad as a file picker that doesn’t list the name of the files, only their creation date, or inode serial number. It is broken software.
Personally, not a big deal, but fair point.
In short, I enjoy and appreciate The Times. And after paying over $300 a year for nearly a decade, and having read the Times on a near-daily basis for my entire adult life, I feel I qualify as a good customer. And they repay me by deliberately annoying me several times a day, every day, when I attempt to read the product I’m paying them for. How could one not find this outrageously annoying?
Input events on X have an old world and a new world
One of the important consequences of this split between core input events and XIE events is that events that look identical at the core input event level (for example, as shown by xev) may be different at the XIE level (as interpreted by libXi and then toolkit libraries, and perhaps as shown by xinput). This means that some programs will treat them exactly the same because they’re indistinguishable and some programs may react to them differently. This can cause rather odd issues, but that’s a story for another entry.
Greetings and salutations internet person! Have you ever pissed off a customer so much they bought a domain and stood up a website to shit on your asinine and boneheaded business practices? GE just did.
I just wanted a tall, cold, refreshing glass of water at 3am only to be greeted by a fucking atomic countdown on my trusty cold water and ice dispensing pal.
Experiences with email-based login
The way it originally worked is that you would sign up with your email, and to login a “magic link” with a secret token would be emailed to you, which will set the cookie and log you in. I did it like this after a suggestions/discussion at Lobste.rs last year, and I thought it would be easier to implement (it’s not) and easier for users (it’s not).
In Praise of AutoHotKey
People think it’s weird that I do all my development on a Windows machine. It’s definitely a second-class citizen experience in the wider development world, and Windows has a lot of really frustrating issues, but it’s still my favorite operating system. This is for exactly one reason: AutoHotKey.
AHK is an engine for mapping keystrokes to scripts. I wouldn’t call it particularly elegant, and it’s filled with tons of redundancy and quirks. Even its fans admit how nasty the language can be. But it hooks into the whole Windows system and makes it easy to augment my workflow. It’s given me a far greater degree of control over my computer than I ever managed to achieve with another OS.
The Decline of Usability
In which we delve into the world of user interface design.
It’s different and therefore must be better.
What Outranks Thread Priority?
This investigation started, as so many of mine do, with me minding my own business, not looking for trouble. In this case all I was doing was opening my laptop lid and trying to log on. The first few times that this resulted in a twenty-second delay I ignored the problem, hoping that it would go away. The next few times I thought about investigating, but performance problems that occur before you have even logged on are trickier to solve, and I was feeling lazy. When I noticed that I was avoiding closing my laptop because I dreaded the all-too-frequent delays when opening it I realized it was time to get serious.
A lot of effort for a rather unsatisfactory conclusion, but I won’t spoil the surprise.
Big Tech Is Testing You
Large-scale social experiments are now ubiquitous, and conducted without public scrutiny. Has this new era of experimentation remembered the lessons of the old?
Physics, chemistry, and medicine have had their revolution. But now, driven by experimentation, a further transformation is in the air. That’s the argument of “The Power of Experiments” (M.I.T.), by Michael Luca and Max H. Bazerman, both professors at the Harvard Business School. When it comes to driving our decisions in a world of data, they say, “the age of experiments is only beginning.”