Author Archive
Security Is All About Obscurity
It is commonly argued that “security through obscurity” is false security. I think this whole debate is poorly defined. Ultimately security is all about obscurity and nothing more. Take passwords, for instance. “123456” is the most common password, so if you are smart, you would not use it. Your birthday would be more obscure but it is still relatively easy to crack, especially by someone who knows something about you. So, you might use the name of your cat. But, you might feel that this too might be crackable. So, you combine the name of your cat with the name of your first grade teacher. And, so on… The more important the information you are trying to protect, the more obscure you make your password. This is security through obscurity. There is no security system that does not use security through obscurity. Even fingerprint scanners rely on obscurity. The chance of someone sharing the same fingerprint as yours is 1 in 64 billion. Again, this is not perfect. It is still relying on obscurity; the only difference is the degree.
The technique that is defined as the opposite of security through obscurity is security by design. This is where the whole debate becomes confusing. Contrary to the common assumption, they do not stand in contrast to one another. The key difference in security is whether the vulnerabilities are known or unknown, which is an entirely separate issue from whether the system is obscure or not. There is no such thing as security by design. Two separate issues are presented as part of one and the same, so we become misguided, and adopt or implement the wrong solution. The more obscure the system, the better, period. And, separately, the fewer unknown vulnerabilities we have, the better. Just because there are some correlations between the two, does not mean that they are part of the same mechanism. (An example of a known vulnerability is a password, where we know that it can be cracked but accept it as a compromise.)
By contrasting “security by obscurity” with “security by design”, we are muddying up the whole issue, and getting distracted from what really matters. Everything else being equal, a more obscure system (e.g. proprietary system) is superior to a less obscure system (e.g. Open Source system). For instance, a completely proprietary system could have 100 security experts looking for vulnerabilities and an Open Source system could have 10 people doing the same. The latter is a double-whammy. Those who believe in “security by design” might get a false sense of security from the fact that the latter is “Open Source”. So, these two aspects of security need to be separated in our debate.
Another problem I see with this debate is that it’s too theoretical. Security ultimately is a practical problem and it is also a matter of probability. By definition, it is impossible to have a system free of unknown vulnerabilities. So, what is implied by the term “security by design” is not achievable. Given this reality, we need to think in terms of probability. That is, we need to be using more inductive reasoning, not deductive. Here is an example of deductive reasoning:
1. All men are mortal. (premise)
2. Socrates was a man. (premise)
3. Socrates was mortal. (conclusion)
This is what most computer programmers prefer because they don’t like to believe that the world has any gray areas. If 1 and 2 are true, it’s impossible for 3 to be false. It’s a world of black and white. Here is an example of inductive reasoning:
1. Socrates was Greek. (premise)
2. Most Greeks eat fish. (premise)
3. Socrates ate fish. (conclusion)
We should add “probably” to 3. This is how we should be thinking about system security because there is no such thing as a perfectly secure system. It’s all about managing the probabilities.
One of the issues that I do not see discussed when debating about security is the probabilities of the motives. That is, what is the most likely reason why hackers would break into your system? In the majority of cases, I would say: Because they can. Other motives may include: fun, amusement, notoriety, sense of superiority, vengeance, etc. If we were to take 1,000 random cases of security compromises, I would guess that the cases where the intruders wanted specific pieces of information would be a minority. WordPress blogs are hacked constantly. What do these hackers get from these blogs? In most cases, nothing. They just vandalize the sites and nothing more. It’s essentially a key-in-ignition syndrome where knowing about vulnerabilities motivates people to do something they know they shouldn’t. In the case of Open Source content management systems like WordPress, knowing one vulnerability opens up literally millions of possibilities. It’s like seeing the key in the ignition of every car you look at. This is a practical issue that needs to be taken seriously. Using such a system dramatically increases the probability of security compromises. What is theoretically and academically more secure becomes a moot point in the real world.
Installing a Japanese lock on your door in the US is security through obscurity (or I should just say “security”). If someone who does not know anything about locks were to pick this lock, it would probably make no difference whether it’s a Japanese or common American brand. But things in real life do not happen as they do in labs or academia. American thieves may know how to pick Medeco locks but are much less likely to know how to pick an obscure Japanese lock. These are probabilities that we need to take into account when considering security. Ultimately security is all about managing these probabilities because there is no such thing as perfect security. “Security by design” is unknowingly basing its arguments on the assumption that security can be perfect. When you throw out that nonsense, we are left only with probabilities. And to know the probabilities, we need to study the real world.
—posted by Dyske » Follow me on Twitter or on Facebook Page
For BP, There Is No Such Thing As Bad Publicity?
Today I was trying to learn more about the new strategy to stop the oil leak in the Gulf, and came across this illustration below. The first thing I noticed was the BP logo in the upper right corner. Many people have pointed out how bad BP is with public relations. It struck me as odd that they would stamp their logo so proudly on this illustration that explains how to stop the oil leak. Why would they want to associate their brand with something so negative?
Earlier today, I walked by the BP gas station on Houston and Broadway here in New York City, and noticed that someone had splattered dark brown paint over the BP sign. To me, branding the illustration of the biggest oil leak in American history with a logo is just as damaging to the brand as this brown splatter, except that the order is reversed; instead of defacing the logo, slapping the logo on something that’s defaced. Such an odd thing to do.
iPad and the Future of Publishing
Now there is a lot of excitement about iPad saving the publishing industry. Even though I love my iPad, I doubt that it can do anything for the print media. The only real difference between an iPad-optimized website and an iPad App is the price expectation. We come to associate the Web as a free medium whereas we expect to pay for “Apps”. But this will change rather soon. The prices of iPhone apps keep dropping, and if any apps are more than 99 cents, people complain that it’s too expensive. It’s just a matter of time before the vast majority of Apps are free.
Although the novelty of iPad magazines like Popular Science+ may be worth paying for now, the excitement will wear off pretty soon. Ultimately I don’t think there will be any advantage with reading magazines on an App. Google has done a great job of optimizing Gmail for iPad, and I actually prefer using it within the browser over using iPad’s native email App. Gmail has many great features; some are built-in by default, while others can be added. The features like labeling and filtering would not work on iPad’s email App. There are no chat or SMS features from within the email UI either.
App-based magazines will have the same problem: While some features are going to work better on the App versions, others will be better on the Web versions. The App version could only be used on the device you installed it on, while the Web version could be accessed from any device, iPad, iPhone, or desktop. Your own machine or someone else’s. You have to manage your copy of the magazine App; installing, upgrading, and backing up. The Web version would not require any of them.
As more websites start to take advantage of HTML5, the differences between the App versions and the Web versions will be virtually none. There will be fewer and fewer reasons to publish anything as Apps.
Also, less popular magazines could create an iPad version and make it free to take the audience away from more popular magazines, which could force all the magazines to go free.
Another situation publishers are facing now is that the brand names of magazines and newspapers are less relevant now for the readers. Because of the efficiency of the search engines, I can find relevant articles in any publications. I don’t really care who published them. I’m often reading articles from magazines that I’ve never heard of. And, I surf from one publication to another.
The same phenomenon is happening on TV. Because of DVRs, we no longer care what channels our favorite shows are on. In the old days, people were loyal to certain network channels, and watched whatever shows that came on those channels. This was mostly due to the fact that we could not watch what we wanted whenever we wanted. We were at the mercy of network schedules. DVRs and other on-demand video technologies freed us from this. Now we can search and play what we want to watch, just like on the Web. The concept of “network” is no longer relevant.
The same holds true for magazines. Much of the existing conventions and our reading habits are tied to the physical limitations of printed media. Because it did not make sense to print and sell one page at a time, they published a set of articles at a certain time interval. This is no longer relevant.
Furthermore, with printed magazines, we could only buy and carry a limited number of them, so we were stuck reading everything in the magazine we bought. This too is no longer relevant. With the Internet, we have access to thousands of magazines at our fingertips. There is no reason for us to read all the articles in one magazine cover-to-cover. We can jump from one great article in one magazine to another great one in another magazine. We don’t really care who published them. In the end, it’s the content that matters. This is yet another disadvantage of App-based magazines: It’s disruptive to have to go from an App to another App. It’s much easier to surf within a browser.
In the early days of blogs, most of them had no specific topics. Now, the idea of general interest blog is almost an oxymoron. On the Web, there is no point in grouping a variety of unrelated contents because the Web itself is doing that. There has to be a good reason why you would want to group contents into one site. I would rather follow a particular writer than to follow a general news media outlet like New York Times. The latter is too general to be useful. The differences between various news media outlets are too subtle. “New York Times” is just a way to group a variety of contents, and what ties them together is their editorial vision. But the difference between their editorial vision and that of, say, “Washington Post” isn’t great enough to offer any real value in those groupings. In our digital age, such groupings are no longer relevant.
In comparison, “Engadget” and “Gawker” are groupings that make sense. Many of these popular blogs started out as ordinary blogs operated by one person, but they have now become institutions. Blogs are becoming closer to traditional media as traditional media are becoming closer to blogs. I believe somewhere between the two is the future of publishing. iPad is a great device, but I do not think that it can save the traditional business model of publishing. If anything, it will probably accelerate the demise of it.
DoGood — How They Abuse Good Cause to Make Money
I just came across this website, DoGood, which provides a browser plugin called DoGooder that swaps website publishers’ banner ads with DoGood’s banner ads. Their rationale is that the banners they serve are all Green-related or philanthropic. I just published an article about documentary filmmakers who exploit good causes to promote their own careers. This is another example of how people exploit their association with good causes. The trick is to use the cause as a disguise so that the audience does not notice the exploitation.
What they are doing is stealing. They are stealing the contents (intellectual properties) that the advertisers paid for. Whether the advertisers are “good” or evil (or “generic”) is beside the point. Even if the products that they are selling are not “good” or “philanthropic”, these advertisers have the right to make their own decisions about the good causes they may want to contribute to from their profit (or not). Advertising is a way for them to increase that profit.
DoGood accepts website publishers’ requests to be on their exemption list if they too serve Green-related banners. This would basically mean that most major publishers like New York Times would be exempted from it, which in turn means that DoGood will be stealing mostly from the little guys who barely make money from their websites.
On their website, DoGood assures publishers that they will still get paid for their ads, presumably because the plugin will still act as though it is requesting the real ads from the ad servers. But if the ads are not displayed, nobody will ever click on them. For the publishers, these clicks are the real sources of their income.
If DoGood was a plug-in written by some college student who makes no money from it, I wouldn’t have any problem with it, but DoGood is a private business. Even though they claim to donate 50% of the profit, they are still pocketing the other 50%. Even if DoGood was a non-profit organization, they would still be paying salaries to themselves. There are plenty of web-based projects where unpaid volunteers pitch in their time to keep them going. That would be an acceptable solution too. But DoGood is a business. Let’s not get fooled.
Any money that DoGood receives from their advertisers (not just their profit, I mean any money they receive) equates to the value of the goods (banner impressions) that the advertisers were supposed to receive for the money they paid, but were stolen by DoGood. And, also the clicks the publishers lost. Remember: DoGood does not provide any content. There is nobody working hard at DoGood writing articles, creating artworks, or shooting photographs. So, they have zero cost for generating contents.
It’s like the music sharing programs. There is a big ethical difference between those that make no money and those that do. I have no interest in protecting the music industry but if any music sharing services were making profit from letting their users share MP3 files without paying any licensing fees to the music publishers, I would find it unethical too. If such a service were to donate 50% of their profit, would it make their business ethical? I’d say no. If donating 50% of the profit makes anything OK, hell, let’s sell drugs or steal other people’s properties, and donate half of it.
Furthermore, the problem with this type of Robin-hood-esque self-righteousness is that it disregards the rights of others and disrespects the differences in opinion about what constitutes good and bad. They put themselves up on a moral high ground and force others to eat their moral standards. To add insult to injury, DoGood is making money from that process. I would question the integrity of any organizations that pay DoGood to deliver their ads.
Let’s not get fooled by these shrewd people who abuse good causes for their own benefit.
UPDATES AND CORRECTIONS:
In the discussion that follows this post, the founder of DoGood Faisal Sethi and I debated the details of this post. I initially said that I did not misunderstand anything, but there is one thing I did misunderstand and should correct. The criteria for being on their exemption list is not based on what banners the publishers serve. They are evaluated by the content of their sites, and this evaluation is “subjective”, meaning DoGood decides what passes as “good”.
They actually do not discriminate the banner ads they are swapping. That is, even if the publishers are serving philanthropic banners, DoGood will replace them with their own philanthropic banners, essentially depriving the publishers of their rights to decide what is “good”. He tries to argue this by saying the users can at any point view the original banners by a mouse click, but this is clearly a disingenuous answer. Who would deliberately choose to see banner ads?
Faisal emailed me and said that he no longer wishes to continue this debate, so the discussion is closed. The reason why he does not want to continue is because he believes I’m accusing him of deliberate misconduct. I’d like to clarify that. From the tone of my writing above, I admit that the readers could interpret it that way. So, I should clarify: I do not believe what they do is deliberate misconduct (like Spammers). I think they are blinded by their own self-righteousness. This is why I described them as “Robin-hood-esque”. Their “good” intentions are misguided and therefore have grave consequences for many publishers and content creators. This is what I’m concerned about and tried to debate about.
Should Facebook Have the Power to Decide Who Gets Banned?
I didn’t know that your Facebook account could be banned so easily. My own account is fine, but I discovered that many people have had their accounts disabled. Once your account is disabled (Facebook doesn’t tell you why), you disappear completely. No trace of you, like you never existed on Facebook. This leads me to question the current laws protecting consumers. I’ll discuss that a bit later; first, here are the results of my research on this topic.
When I Googled for “Facebook disabled”, I found many people complaining about their accounts getting disabled. One person created a whole website dedicated to it. This writer on The New York Observer described the social consequences of getting banned from Facebook. Craig Daitch on Advertising Age sounds quite angry about the whole thing.
I found many different reasons for the ban. One of the comments said that Craig Daitch repeatedly sent requests to one person to be a friend. The writer of the Observer article was banned because he cited a part of someone else’s profile on his blog. I also found someone getting banned from using a software utility that saves your Facebook contact info. Apparently, you could also get banned from sending too many private messages to people you don’t know, having too many friends, or just using Facebook too often. In most of the cases, it was Facebook’s automated script that flagged and disabled these accounts. So, be careful, if you are very passionate about promoting your political cause on Facebook.
Although it is important for Facebook to control certain user behaviors (such as Spammers and stalkers), it is also important that we users have some say in how such policies are established and enforced. You might say, “But Facebook is a business. They own it, so they should be able to do whatever they want.” Legally this is true, but I think the laws should be changed for any product where its primary value is derived from the sheer number of users. In many cases, the reason for the popularity is actually the popularity itself. People flock to it not because it is the best product, but because they feel socially pressured to. Microsoft Windows is the best example of this. Most people who use Windows are not particularly happy with it; they use it because they are required to at work, and the businesses use it because that’s what everyone else uses.
It’s like how English became the most popular language in the world. Many students around the world are required to study English in school, but it’s not because English is the best language; it’s simply because it is the most popular. In order to increase efficiency, stay competitive, and promote better communication, we often have to do what others do out of no choice of our own. When such a situation is established for a product or a website, the company who owns it should not have complete control over what they can do with their users. After all, they are deriving great values from us; the values that they didn’t create themselves. What we want in such a product isn’t so much the product they created but the other users. eBay, Craig’s List, Apple’s iTunes, and some Google products are good examples.
These products and websites take full advantage of so-called “user-generated content”. The vast majority of the contents we enjoy on Facebook are not generated by Facebook, we the users generate them. What a sweet business! In comparison, sites like NYTimes.com have to spend a lot of money generating their contents, but they don’t get any more money from their advertisers than Facebook does (for the same number of impressions and click-throughs).
Since we are all contributing contents to Facebook, we deserve to have some say in how Facebook regulates their users. For this to happen, the laws have to change (I think). This goes beyond the concept of monopoly. (Perhaps closer to the legal concept of “public figure”.) Even for a relatively small site, if the contents are user-generated, the users should have some say in its user policies. It’s only fair; don’t you think?
Getting off on the Power to Control Access
Access Control List (“ACL”) is a way to control user access to a website. It manages different groups of users like administrators, managers, employees, customers, etc., where each group accesses different areas of the website. ACL comes built into many web development platforms. We are using CakePHP, which has a sophisticated ACL built in, but we’ve never used it before. So, I recently looked into how ACL is implemented on CakePHP. After Googling about it for about an hour, I found a whole bunch of articles and blog posts about how “hard” it is. I then created a test project with ACL to look into the details of it. Oy. I now see what everyone is complaining about.
Personally, I have no idea why anyone needs this type of complex access control. What sort of systems are people building that actually require this level of complexity? A system for CIA?
In the past, I’ve simply added another column in a users’ table called “security_level”. I’ve never even bothered to create “groups” table, because we’ve never come across a situation where it was necessary. (I simply store the security_level value in session and check it wherever I need it.) I’m a pragmatist, so I never bother to create anything that the reality does not require. Having 3 different levels of access seems to take care of pretty much everything.
From the point of view of a pragmatist, I see a serious problem with having a complex ACL. If you need a complex ACL, it means that you must be managing a system that is used by thousands of people working within a complex organizational structure. When you have a complex ACL with thousands of users, managing the access list becomes a full-time job. As the security needs change in real life, someone has to modify the ACL to reflect the new reality. Having the ability to fine-tune the privileges of individual users means that nobody could possibly have a clear picture of what everyone is accessing unless you specifically look it up on the system. This can easily create security holes that nobody is aware of. For instance, one specific user may have access to a top-secret area of the site that nobody is aware of, until someone suspects something and looks him up on the system. (For instance, you meant to temporarily grant him access to a very specific section of the site, but you forget to revoke it later.)
In other words, complexity of a security system is itself a security risk. So, a complex security system defeats the whole point of having a security system. When you simplify the security system, it may create some inconveniences in reality, but the simplicity allows many people to intuitively understand how the security works, which makes it more secure with less room for mistakes and holes.
For instance, with my scheme of just having 3 levels, all I would need to know is what security_level you have. I would then immediately know what you can access and what you cannot. Not just me, but everyone else who has the same security_level would know what that means. Every user in this situation can act as a potential auditor who can keep an eye on other users. Once you start fine-tuning each individual, nobody would have any idea who has access to what, and who should have access to what.
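A minimal sketch of the three-level security_level check described above, together with an audit that surfaces the forgotten temporary grant from the earlier paragraph. It is an added example in plain PHP, not code from this post or from CakePHP; the level names, area names and sample grants are assumptions.

```php
<?php
declare(strict_types=1);

// The three levels of the security_level scheme; names and numbers are assumptions.
const LEVEL_CUSTOMER = 1;
const LEVEL_EMPLOYEE = 2;
const LEVEL_ADMIN    = 3;

// Minimum level required per site area (hypothetical area names).
const AREA_MIN_LEVEL = [
    'orders'  => LEVEL_CUSTOMER,
    'reports' => LEVEL_EMPLOYEE,
    'users'   => LEVEL_ADMIN,
];

/** Level check against the value kept in the session; denies by default. */
function canAccess(array $session, string $area): bool
{
    $level = $session['security_level'] ?? null;
    if (!is_int($level) || !array_key_exists($area, AREA_MIN_LEVEL)) {
        return false; // missing or malformed level, or an area nobody classified
    }
    return $level >= AREA_MIN_LEVEL[$area];
}

/**
 * Audit for the fine-grained case: per-user grants that lift someone above
 * their level and were never revoked (no expiry set, or expiry already passed).
 */
function staleGrants(array $userLevels, array $grants, DateTimeImmutable $now): array
{
    $findings = [];
    foreach ($grants as $grant) {
        $level  = $userLevels[$grant['user']] ?? 0;
        $needed = array_key_exists($grant['area'], AREA_MIN_LEVEL)
            ? AREA_MIN_LEVEL[$grant['area']]
            : PHP_INT_MAX;
        if ($level >= $needed) {
            continue; // the level already covers this area; the grant adds nothing
        }
        if ($grant['expires'] === null) {
            $reason = 'has no expiry';
        } elseif (new DateTimeImmutable($grant['expires']) <= $now) {
            $reason = 'expired ' . $grant['expires'];
        } else {
            continue; // still inside its intended window
        }
        $findings[] = sprintf('%s -> %s (%s)', $grant['user'], $grant['area'], $reason);
    }
    return $findings;
}

// Constructed sample data: user levels and individually granted exceptions.
$userLevels = ['alice' => LEVEL_ADMIN, 'bob' => LEVEL_EMPLOYEE, 'carol' => LEVEL_CUSTOMER];
$grants = [
    ['user' => 'bob',   'area' => 'users',   'expires' => '2024-01-31T00:00:00Z'],
    ['user' => 'carol', 'area' => 'reports', 'expires' => null],
    ['user' => 'carol', 'area' => 'users',   'expires' => '2024-12-31T00:00:00Z'],
    ['user' => 'alice', 'area' => 'reports', 'expires' => null],
];
$now = new DateTimeImmutable('2024-03-01T00:00:00Z');

// An employee-level session checked against known areas and one unclassified area.
foreach (['orders', 'reports', 'users', 'billing'] as $area) {
    $ok = canAccess(['security_level' => LEVEL_EMPLOYEE], $area);
    echo str_pad($area, 8), $ok ? 'allow' : 'deny', PHP_EOL;
}

// Only grants that exceed the holder's level and are past due or open-ended are reported.
foreach (staleGrants($userLevels, $grants, $now) as $line) {
    echo 'stale grant: ', $line, PHP_EOL;
}
```

With levels alone, the first loop is the whole access picture; the second loop is the extra bookkeeping that per-user exceptions require before anyone can answer who can reach what.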
Am I wrong here? What am I missing? Why is everyone going nuts trying to implement such a complex ACL? In reality, the number of websites that actually require that type of complexity would be very small, and those who require it can afford to write their own ACL (such as large government institutions or financial institutions), so what is the point of writing a reusable library? Wouldn’t it make more sense to create a reusable library that is very simple, so that 99% of websites can use it with ease?
I find that many programmers, especially those who studied computer science in college, tend to get so excited about certain abstract ideas like flexibility, scalability, re-usability, and controllability, that they ignore what the reality needs. It reminds me of hardware geeks who get really excited about building super-fast computers even though they have no use for them personally. (All they do is to run benchmark testing utilities to prove their speed.) This lack of central coherence is often absurd.
I think the power to control users is a particularly exciting area for some programmers because it involves controlling actual power (political or organizational), and because the programmers often get to be in the most powerful position (“superuser”). But, they really need to stop masturbating and start focusing on what the reality really needs.
Whole Foods Boycott Turns Politics into Personal Attack
As you may already know, an opinion piece in the Wall Street Journal by John Mackey, the CEO of Whole Foods, has spawned a Facebook Group to boycott Whole Foods. And, according to the article on Mashable, the damage the group has caused is now real. Personally, I do not believe that boycotting a business for the political opinions expressed by its CEO is a proper way to resolve political differences. In fact, I believe it’s ultimately harmful for us all, particularly for this healthcare debate.
Let’s face it, there is no perfect solution for our healthcare problem. Every solution will have its own share of pros and cons. Everyone will have to make compromises, so it’s only fair that we listen to different views, opinions, and ideas. It’s not a game where we try to win by any means necessary.
You can boycott Whole Foods for their business practice, but not for the CEO expressing his opinions. Doing so is like your boss firing you because you voted for someone he doesn’t like. When we face someone who is far more powerful than we are, we tend to become blind to our own abuse of power because it is very small in comparison. Individual consumers do also have power. It is true that the CEO of Whole Foods is far more powerful than we are, but this is a matter of principle. For instance, even in a fight with someone much bigger and stronger than you, the fact that you are much weaker does not justify the use of violence. This is why Gandhi’s strategy worked because he refused to resort to the same dirty strategy that the British empire was using.
“Abuse of power comes as no surprise” because when we have it, we don’t realize that we have it, because we only look at the people who are more powerful than we are. Power is of course a matter of degree. Boycotting a business is certainly an expression of our power. The only difference is the degree.
Would you fire your employee for expressing his political opinions? Most of us would say no. If so, why “fire” Whole Foods for the CEO expressing his political opinions? I would “fire” Whole Foods if their actual business practice bothered me, but not for the CEO expressing his political opinions.
My power to “fire” Whole Foods is tiny, but to me, it is the same exercise of power as firing my employees just at a much smaller scale. So, if I do not believe in firing someone for his political positions, I would not do that to a business, even if they are much more powerful than I am.
A company that I once did some consulting work for lost one of their big clients one year. After a little research about the client, they discovered that one of their executives saw Planned Parenthood listed as a client on the company’s website, and that prompted them to end their business relationship. It was a financial retaliation over political differences. This type of hostile strategy to fight our political opponents can only divide us further. Do we ultimately want to get along with one another or do we want to divide ourselves further? If we want to get along, why couldn’t we see this type of situation as an opportunity to get to know one another and to see the point of view of the other?
Now that the damage of the boycott is real, the fight has become personal. If John Mackey is angry enough, he could stop hiring people who express any support for Obama’s healthcare reform, although I really doubt that Mackey would do such a thing. If this is a proper way to do politics, then why stop at Whole Foods? Why don’t the Democrats boycott all businesses whose CEOs are Republican, and the Republicans boycott all businesses run by Democratic CEOs? Why should we boycott only the businesses whose CEOs expressed their opinions publicly? How about the quiet ones? They are saved just because they are quiet?
It’s easy to see how this type of strategy can escalate to a point where both sides simply become more resolute about their own opinions, unwilling to consider any other ideas or solutions. It becomes a matter of winning, not of finding the best compromises. American politics is already too personal and hurtful. Do we need to make it any worse?
Beta-testing Typotheque’s Font Embedding Technology
I had the opportunity to beta-test Typotheque’s new font embedding technology. Great job. It worked very well. I secretly applied their fonts on one of my clients’ websites so that I could see how it works in a real-world situation. Here is the site before I applied their font:
http://clintonstreetbaking.com
This site makes an extensive use of browser fonts (very little GIF type). So, it was a good candidate for testing this. If you add the argument to the URL “?font=fedra”, the site will be rendered with Typotheque’s Fedra font:
http://clintonstreetbaking.com/?font=fedra
You notice that the browser first renders the page with standard fonts and re-renders it with Fedra. This re-rendering flicker is a bit annoying but unfortunately it’s a limitation of the browser and there is nothing anyone can do about it at the moment. I hope that the future browsers would check the font embedding first before they render the page.
The only requirements for using Typotheque’s font embedding technology are:
<link rel="stylesheet" href="http://test.typotheque.com/WF-008291-000085" type="text/css" />
And, after inserting this code, you can specify one of their fonts as if it’s a browser font. For instance:
p { font-family: "Fedra Sans Book"; }
That’s really it. Naturally, if you try to use these lines of code on your website, it won’t work because your domain name has not been registered with Typotheque.
They use only CSS to achieve the same thing Typekit does. I cannot say this automatically means better because I’m not aware of the security implications behind Typotheque’s implementation. (I believe the only reason why Typekit uses JavaScript is to strengthen the security.)
For now, I believe Typotheque is interested in selling only their own fonts. If so, the security is not a big issue because they would not be liable to anyone else, even if their fonts get pirated. But as soon as they start accepting fonts from other designers, security would be an important aspect to scrutinize.
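The post does not say how Typotheque ties a stylesheet ID to a registered domain. As an added example (not Typotheque's code), the following assumes the server compares the browser's Origin or Referer header with the hostnames registered for that ID; the licence table, the function names and the rule that subdomains are accepted are all assumptions.

```javascript
// Constructed licence table: stylesheet ID -> hostnames registered for it.
// The ID is the one shown in the post; the mapping itself is an assumption.
const LICENSES = new Map([
  ["WF-008291-000085", ["clintonstreetbaking.com"]],
]);

// Return the lowercase hostname of an Origin/Referer value, or null if unusable.
function hostOf(headerValue) {
  if (typeof headerValue !== "string" || headerValue === "") return null;
  try {
    const url = new URL(headerValue);
    if (url.protocol !== "http:" && url.protocol !== "https:") return null;
    // Drop a trailing root dot so "example.com." and "example.com" compare equal.
    return url.hostname.toLowerCase().replace(/\.$/, "");
  } catch {
    return null; // not a parseable absolute URL (e.g. the literal "null" origin)
  }
}

// Exact match, or a true subdomain. The leading "." forces a label boundary,
// so "notclintonstreetbaking.com" does not match "clintonstreetbaking.com".
function hostMatches(host, registered) {
  return host === registered || host.endsWith("." + registered);
}

// Decide whether the stylesheet for licenseId may be served for this request.
function mayServe(licenseId, headers) {
  const registered = LICENSES.get(licenseId);
  if (!registered) return { allow: false, reason: "unknown-license" };
  // Prefer Origin; fall back to Referer when Origin is absent or unusable.
  const host = hostOf(headers.origin) ?? hostOf(headers.referer);
  if (host === null) return { allow: false, reason: "no-usable-origin" };
  const ok = registered.some((r) => hostMatches(host, r));
  return { allow: ok, reason: ok ? "registered-domain" : "unregistered-domain" };
}
```

Origin and Referer are supplied by the client, so a check like this binds a licence to sites as ordinary browsers load them but does not stop the font files themselves from being copied. That is the piracy question the post raises for fonts licensed from other designers.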
The administration site for purchasing, licensing for the web, and registering your domain is very well implemented. I had no problem. The user experience was excellent. As I said before in the thread about Typekit, building this type of system isn’t going to be realistic for independent font designers who are not programmers. So, services like this would probably be quite popular in the future. Perhaps Typotheque could even license their system to other foundries who are interested in distributing embedded fonts on the Web.
I would imagine that in 5 years, we will no longer be generating GIF images for non-browser fonts. I can’t wait. The font rendering on Windows would have to improve significantly too. Browser fonts render beautifully on Macs, but on Windows it’s still pretty crude. (Maybe this changed since Vista, but I wouldn’t know because I don’t got no Vista.)
Because the DPI is low on computer monitors (compared to print), at first, I would probably use embedded fonts only for headers. Sooner or later, more font designers will design browser-specific fonts. Web 3.0 will probably have a very distinct look because of the font embedding technology.
—posted by Dyske
Should Your Business Contacts Be on Facebook?
This is a dilemma that many people face when they receive friend requests from their business associates. In fact, some people deliberately avoid signing up with Facebook because they do not want to face this dilemma. Those who do not want business associates as their Facebook friends commonly express their desire to keep the business world separate from their personal world. Some people are even critical of others who do not keep the two worlds separate, seeing them as cunning businessmen who view every friend as a potential business.
I believe this is a symptom of the corporatization of our culture. A hundred years ago, most people assumed that they would be running their own business one day, either by starting their own from scratch or by taking over the family business. In this type of small-town environment, you did business with people who lived in your own neighborhood. They were both friends and business associates. There were no clear lines. After all, wouldn’t it be nicer if we could do business with our friends and mutually benefit as a result? Why do we feel the need to separate business from personal?
Here is my theory: It’s because working for a corporation forces you to create two separate personas, and because you don’t like your own business persona. Wanting to keep the two worlds separate is an expression of self-hatred. When you work for someone else, you are not allowed to be who you are. You are representing the company you work for. In other words, you are acting a role in the script written by the corporation. Every company has a culture with its own values, codes, standards, philosophies, objectives, etc. You are getting paid to represent those things. When you are in the army, you have to kill people even if you are against harming others. The same holds true for working for corporations; you are not going to agree with everything they believe in. You often have to put yourself aside and act in the interests of the corporation. That’s what you are getting paid for. This is fine while you are still young, and still learning about the world and life in general, but sooner or later, you have to be yourself and express yourself as you naturally are. That’s what evolution would want you to do too. Otherwise, you will eventually forget who you really are.
It’s true; some people do see every friend as a potential customer, and they don’t drop the business persona ever. I agree that this is tiresome and annoying, but the reason why this is annoying is because they decided to let their business personas take over their true selves. This is what most people assume when they see someone who does not draw the line between business and personal; they assume that the business side takes over the personal side. But it does not have to be that way. What if you let your true self take over your business persona? That is, you eliminate your business persona altogether. This is basically what happens in a small community. Everyone knows everyone else. One person’s problem (personal or business) is everyone’s problem. In such a community, there is no point in creating a business persona.
Our culture now has become so corporatized that we have forgotten what it is like to be ourselves. We simply assume that keeping up two separate personas is a requirement in life. We’ve accepted it as a reality and learned to cope with it. But, deep down, we don’t like it. We crave to be ourselves, so we try to guard our private world as if it’s a sacred sanctuary. And, when someone from the business world tries to invade our sanctuary, we feel repulsed. We need a space to be ourselves and stop acting a role in the corporate theater.
But, here is the good news. I believe this concern about keeping up two separate personas is overblown. It’s like the soldiers who were hiding in a jungle for years after the end of World War II. Many people still believe that putting up a generic business facade is the best way to succeed. Not just individuals, but many businesses still believe this. They try not to offend or turn off any potential customers by presenting themselves in the most generic and conservative way possible. I believe that this is a dangerous strategy in today’s digital world where filtration of information is super-efficient.
Let’s suppose you need to print new business cards for yourself. You know how efficient the search engines are these days, so you wouldn’t just search for “printer”. You would search for “business card printer”, because a company that prints business cards all the time would probably be cheaper than a generic printing company who prints anything and everything. Well, you know that you could be even more specific. So, you search for “business card printer in New York”. Guess what? Even that returns too many results. So, you want to be even more specific. You then search for “eco-friendly business card printer in New York”. Now you have a more manageable number of choices. Who knows, you might even be able to find an eco-friendly business card printer in New York who voted for Obama, if that’s what you want.
Let’s think about what we just did. Every time we tweaked the search words, we essentially eliminated businesses that present themselves generically. The more generic they are, the quicker they get eliminated. This is the world we live in now. So, if you put up a generic facade that does not offend or excite anyone, you get eliminated quickly. If this is true, why bother trying to put up any facade? Why not just be yourself so that other likeminded people can find you easily and quickly?
Let’s get back to our original topic of discussion. Facebook can be a great business tool if you did not put up a business persona, that is, if you insisted on being yourself. Then, you can accept any friend requests. I often write and post things that are potentially damaging to my business, but I go ahead and do it if I sincerely believe it, because there will always be a small number of people who share the same opinion or view. It’s OK even if a lot of people are offended by it because it’s better to have a few people who really like me than to have hundreds of people who do not think anything of me. Being generic is the most dangerous thing to be in today’s world.
—posted by Dyske
New Site for Clinton Street Baking Co.
We just revamped the site for Clinton Street Baking Co. It was surprisingly a lot of work. You’d think re-designing an existing site would be easier, but this was almost a complete overhaul. DeDe, the co-owner, put a lot of thought into how best to present her restaurant on the Web. It was a true collaboration.
The vast majority of restaurant websites are poorly designed and built. Some are just bad while others are just a bunch of fluff and flash, reminiscent of all the flashy websites circa 2001, when websites were built more for the sake of amusing people than for the sake of serving real purposes.
We wanted Clinton’s site to be highly functional and informative. We used our own content management system (blockCMS) to build it. Instead of doing extensive work in wireframing, we built a scaffolding site with the CMS. This allowed us to collaborate easily with DeDe.
Wireframes work fine as long as people who are viewing them are well versed in web development, but most end-clients aren’t (after all, that’s why they hire other companies to do it). Even if you are an experienced web developer, it’s not easy to visualize interaction. So, if a scaffolding site can be built rather quickly, we often skip the wireframing stage.
Once the scaffolding site is up and running with a content management system, the clients can start interacting with the site, and add/edit the contents. Discussions about what is working and what is not working, what needs to be added or changed, become much easier when you have a website that you can interact with. It’s a great way to communicate with the clients.
The original site was 4.5 years old and it was definitely looking dated. The first sign of Web 1.0 is its page width which assumes an 800 x 600 computer monitor as the lowest common denominator. (Now, most sites assume 1,024 x 768.) Another problem with Web 1.0 sites is that fonts are too small for high density LCD displays. Even though we gained more pixels as our canvas, we are not putting more content into it. We are basically using more pixels to render the same amount of content, which means that the resolution (DPI) is going up.
Hopefully this new site will be able to serve the needs of Clinton Street Baking Co. for the next 5 years at least.
—posted by Dyske


