I'm appalled and amazed at the same time. I'm apmazed. It's not even a word, but I think a situation like this requires the invention of new words, although harsher ones are probably more fitting. You see, after an amazing DjangoCon Europe, I arrived home to a few odd Skype messages from Guan Yang with a dead link to his blog (http://guan.dk/skypetest) and a comment saying "let's see if they crawl this."
Today, Guan explained the reason for the weird link; an alleged back door in Skype has been discovered, in which Skype or Microsoft will make an HTTP HEAD request to any link exchanged in Skype chats. While both the author of the above mailing list post, Adam Back, and The H Security have confirmed the back door, I was still shocked when Guan later dumped the following from his access log:
22.214.171.124 - - [20/May/2013:13:04:11 +0000] "HEAD /skypetest HTTP/1.1" 404 - "-" "-" "guan.dk" "guan.dk"
Performing a reverse lookup of the requesting IP address returns an AS number, AS8075, which Microsoft have been the proud owners of since 1997. According to The H Security, Skype responded with the following explanation for the behaviour to the German security company, heise online:
"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."
While the above legalese may indeed legally justify the request, I as a user feel absolutely violated that a large corporation like Microsoft will take links that I send in all privacy to my friends and make requests to the same URLs. Worst of all, under the pretence that all Skype communications are encrypted, I'm pretty sure that a fair number of sensitive URLs have been exchanged over the years. It wouldn't be a far-fetched thought for someone to have constructed a, say, OAuth 2.0-esque URL which, when requested, would result in the deletion of a resource, as an example to a colleague. Many web servers do not distinguish between HEAD, GET or even POST requests, so Microsoft's behaviour alone may actually wreak havoc. And I'm pretty sure that this is even a way too complicated example of how this could be abused, especially considering how arbitrary tokens are thrown around these days. I know that you should always do things perfectly and securely, but, as the world has proven time and time again, no one ever does. Microsoft, of all people, should know this, which makes their actions even more apmazing and disgusting at the same time.
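To make that failure mode concrete, here is an added Python sketch (not code from the original post, and nothing to do with Skype's own implementation) of a toy request dispatcher: the "before" handler deletes a resource on any method, so the kind of HEAD request seen in the access log above is enough to destroy it, while the "after" handler acts only on a POST that carries a token in the request body. The routes, resource ids and token value are constructed placeholders.

```python
# Added illustration of "servers that do not distinguish HEAD/GET/POST":
# a state change reachable by a bare URL is triggered by any link scanner.
from urllib.parse import urlsplit, parse_qs

def make_store():
    # Constructed sample data standing in for some user's resources.
    return {"report-42": "quarterly numbers"}

def unsafe_handle(store, method, url):
    """'Before': acts on the URL alone, so GET and HEAD delete just like POST."""
    parts = urlsplit(url)
    if parts.path == "/delete":
        rid = parse_qs(parts.query).get("id", [None])[0]
        store.pop(rid, None)        # side effect regardless of method
        return 200
    return 404

def safe_handle(store, method, url, form=None, expected_token="tok-abc"):
    """'After': a destructive action needs POST plus a token in the body.
    A HEAD (or GET) from a crawler that only has the URL is a harmless no-op."""
    parts = urlsplit(url)
    if parts.path != "/delete":
        return 404
    if method != "POST":
        return 405                  # Method Not Allowed, nothing touched
    form = form or {}
    if form.get("token") != expected_token:
        return 403                  # token lives in the body, not the link
    store.pop(form.get("id"), None)
    return 200

def simulate_scanner(handler, url):
    """Replay a link scanner's HEAD request; report status and whether the
    resource survived."""
    store = make_store()
    status = handler(store, "HEAD", url)
    return status, "report-42" in store

if __name__ == "__main__":
    link = "https://example.invalid/delete?id=report-42"
    print(simulate_scanner(unsafe_handle, link))   # (200, False): deleted
    print(simulate_scanner(safe_handle, link))     # (405, True): intact
```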
We all feared that Microsoft taking over Skype would have dire consequences. Yet, despite ever decreasing service quality, I've so far continued to use Skype, in the hope that it was "just" pure neglect — something that is at times fixed by declining user numbers scaring executives into picking up the ball. But, as Microsoft has now proven, and as has been pointed out by numerous rights movements in an open letter to Skype, our worst fears have become reality. Microsoft have absolutely no good intentions, or at least none which are backed by morals, and so they have now effectively ruined Skype.
My time as a Skype user is coming to a grinding halt as soon as I find a completely end-to-end encrypted alternative — and, for your own sake, I seriously hope that you consider going down the same path.
May 20, 2013
Brad Frost has written an extremely interesting post on "performance as design". While his post is limited in scope to frontend web development, he makes a point that I feel applies to development across the board:
The road towards better performance doesn’t start with developers or technology stacks (though I’m certainly not suggesting those things are unimportant). It begins with a shared interest on everyone’s part in making a product that’s lightning fast.
The current trend in web development is to build something as quickly as possible without giving much attention to performance in any shape or form. Once things start to slow down, you fumble and replace bits and pieces until it's all fast and stable again — hence the stupid startup metaphors of building a plane in free fall or whatever. Twitter is the perfect example of this, with their years of Fail Whales as they approached a stability which used absolutely none of those hot, trendy technologies they started out with. But, even with lessons like Twitter, the trend persists. Anyone who dares go against it by having performance considerations during the initial design process is often shamed for being a "premature optimiser" and told to go figure out their product before they even consider making it fast.
The thing is, though, as Brad Frost so brilliantly points out, performance is integral to a product and thus also to its design. As design is to quite an extent a reflection of the culture that created it, performance thinking is by proxy integral to a culture that creates a great product. The "lean" club of non-optimisers is ruining product design by culturally neglecting one of the single most important user experience aspects of all: speed. Don't agree? Think about the last time you actually saw "fast as an afterthought" work in practice before you pull the "premature!" card next time.
April 30, 2013
I've often expressed how deeply I am repulsed by the kind of people with a personal mission statement like the following:
“I want my idea to become a reality, change the world for the better, and get rich in the process”.
We all know them, and if you've attended startup events over the last couple of years, you'll have seen an ever increasing number of them storming around the room "networking" and gathering business cards, only to give you that magically exclusionary look of disgust when you make it clear that you do not use business cards because the world has moved on. But, for so long, I've been unable to pinpoint exactly what it is about these people that repulses me so much, beyond their mere attitude.
The pseudonymous vigilante, Software Gunslinger, has once and for all solved this in his provocatively titled blog post, "On the hypocritical nature of self-entitled entrepreneurship":
Then, lastly, you want to get rich in the process. The shorter the process, the better. Explain to me again how a new rich person is going to make the world a better place. No, seriously. Disparities in wealth distribution are one of the main reasons why the world is in such a horrendous state. Isn’t your argument self-negatingly hypocritical?
The bottom line is simple. These people are trying to hide their goal — getting rich, preferably fast — behind what they think people want to hear. The end result is an inevitable disparity between statements and opinions, and all of this stinks to high heaven of dishonesty. Hence the repulsion.
April 29, 2013
Bryan Goldberg gives a pretty thought-provoking perspective on the recent retroactive retraction of the tax deduction on the sale of "Qualified Small Business" stock in California, going all the way back to 2008, in his recent article on PandoDaily:
While the law stipulates that I must surrender this money, I refuse to acknowledge this as a tax at all. This is not a tax. This is an asset seizure plain and simple. The term “retroactive tax” is a despicable euphemism. It is no different than when Hugo Chavez used the benign-sounding “nationalize” to describe his seizure of private property in Venezuela.
March 26, 2013
Icy, snow-covered Stockholm in early spring is nothing short of breathtaking. I do not think I've ever seen so much style, beauty and elegance in one place. I'm sad to admit it, but Sweden has outdone us Danes with this one:
March 25, 2013