Fishpool

To content | To menu | To search

Sunday 1 January 2012

Dusting off the looking glass

By Osma on Sunday 1 January 2012, 14:16

It's that time again... to make a few statements I can feel ridiculous about later on. I did take an advance position back in October regarding Internet platforms, so no need to touch that topic again just yet (especially after the additional HTML5/Flash comments in November). As before though, let's take a look at what my hit rate is.

#1 Oracle's jostling on Java patents will hurt Java as a platform: yeah, although it's hard to notice, what with the chatter on cloud platforms instead. Still, you've got to write that cloud-hosted application in some language, and though evidence is sparse, it seems to me that more devs are picking other tools. Somewhat insanely, PHP still ranks well in those selections, which proves that these things don't follow any observable logic, though.

#2 Amazing natural motion control applications during 2011: well, not really, yet. XBox Kinect has supposedly continued to sell well, though Microsoft hasn't given any sales data since last March (when they announced 10 million units sold), but applications are rather lame. Some pretty amazing research stuff going on though, which will ultimately enable computers to truly augment live views into the real world.

#3 Flash and new computing devices: see the other posts, linked above. Progress is steady but impact will take several years. As for the long-term view; while my daughter already understands that tablets and phones are for looking at stuff and playing, and keyboards are for banging, I maintain hope that in the next couple of years, she will be able to interact with computers by speech as well as gestures. We'll still need to invent the new human-computer interface best practices for that age, though.

Facebook/Timeline did finally launch before end of 2011. What do you think of it? I haven't seen a reason to change my view since October, although the "social reader" apps like Washington Post's or Guardian's certainly are annoying. Don't know if I should expect media companies to learn how to interact with people, though.

Now, the predictions. This one's gonna be difficult. Not because the world would be ending this year, but because it seems like quite a few macro trends are converging. Lots to feel optimistic about: locally, the interest in growth entrepreneurship and globally, new forms of peaceful citizen democracy, and the ever-continuing development of technology (gene therapy and data-driven, preventative medical treatments are exciting). A few that I hope will turn out well, though it's going to be a bumpy road: the ongoing Arab Spring as well as the Russian pro-democracy movement, the Euro crisis, which could still lead to yet another banking collapse. And finally, some political and regulatory changes that are quite worrying, even if I've tried to avoid a position on politics, and especially politics outside the EU. Still, these bother me for both their privacy as well as anti-competitive aspects and lack of due process: ACTA, SOPA, NDAA. Still, these are hardly going to bring the Singularity around quite yet, dystopian though they seem.

However, I don't want to pretend I care about or follow politics closely enough to understand why these things always come years behind and over-reach, so I'd rather focus on something more tractable. In terms of professional interests, the trend toward hosted, multiplayer gaming is, by now, quite unstoppable. We're moving on from the Social Games 1.0 of Facebook Canvas, though, and the future is more for games where the players' actions impact each other. The challenge is, we need to learn to design these games so that while they truly have group interaction in their core, they still remains games; that is, masterable, repeatable and somewhat predictable experiences people can continue to enjoy, and a source of richness their lives might otherwise be lacking.

As always, comments welcome. This year this post was quite hard to focus on anything in particular, and maybe you have better insight. Let me know. In any case, Happy New Year! Whatever you do, make 2012 matter.

2 comments no trackback

Friday 9 December 2011

Driverless cars, and a complete rethink of in-city traffic management

By Osma on Friday 9 December 2011, 15:17

Diverging slightly from my usual topics, Koushik Dutta's post prompted me to put into writing what I've been thinking for a while about the future of both public and private transportation. People reading this blog have probably all heard by now that driverless cars are coming along nicely, and that Google has already demonstrated a vehicle capable of autonomous road traffic, at least while being supervised by a human. This was announced a year ago.

Now, the technology certainly isn't perfect yet. It's debatable how perfect it needs to be, in order to be better and safer than a human driver, but we can probably agree it's not quite there yet. It's also quite clear that communities and regulation will have a hard time swallowing the idea of 2-ton lump of metal going about without a driver in a city at deadly-to-pedestrians speeds (anywhere 40km/h upwards would qualify), let alone perhaps while carrying children. This is not happening in the near term.

At the same time, there are problems the technology already is capable of solving, and I'm not talking about reducing highway inter-car braking distances or autonomous warehouse navigation, both of which are already in place for some high-end models, and factory automation, respectively. No, I mean daily problems on the streets of every metropolitan area.

In my home town of Helsinki, traffic isn't really a problem. There are a few places where, for 25 minutes in the mornings and 30 minutes in the afternoons, traffic slows to an average of 15km/h rather than 30. However, downtown parking IS a problem. I've long conjectured that if only 10% less people wanted or needed to park in downtown, there would be no parking problem. Where you now have to drive around a couple of blocks to find a space, there would be 5 free spaces in every block. That's more than enough. This is the nature of bottlenecking issues - you don't have any, until you do, and then it's bad immediately.

Public transportation will not fix parking, because public transportation will go from every place to every other place, and allow people to conveniently transport more than they can carry themselves. People need cars for these purposes, as well as for many conveniences. Yet every private car spends an overwhelming majority of its lifetime parked. This is why parking is such an issue. In a city like Helsinki, we don't really need less cars, we need less parked cars, and that can also be solved by having more of them on the road. The bottleneck would obviously move toward traffic conditions, but there will be a sweet spot.

What if you could have a car of the size you needed, at the time you need it, at costs much lower than constant taxicab use? If you are an in-city occupant, as I am, would you care to own a car, with all the associated worries of insurance, maintenance and so forth, even if parking was no longer a problem? I would not. Well, I don't own a car as it is, so I don't qualify for the question, but what about you?

Collective car services have sprung about in the recent years in many municipalities. We have City Car Club, Zipcar is known across USA, and so forth. Yet a problem with these services is that the parking spots the cars are at are not immediately adjacent to most people, and the companies need relatively complicated logistics for making sure cars are available in all places. This means that the customers need to often reserve a car ahead of time.

But what if cars could take themselves from where there are too many, to areas where there are fewer, and to customers who need one immediately? You could have exactly the kind of car you need at a couple of minutes of notice, just like you can have a taxicab in most places where there are enough of those.

And what does all of this have to do with community acceptance? Well.. Lets accept as a given that it'll take a while before we'll be ready for automated cars carrying passengers around on streets where people are driving, moving at regular traffic speeds. But what about having empty cars move themselves through preassigned routes, on specific lanes, at lower speeds, yielding to all human traffic? How many municipalities suffer from too many cars around bad enough to consider arranging for those special routes? I'm guessing there are a few.

This is a disruptive thing, and to many different industries at once. Car companies will need more service capability and less manufacturing capacity, if more and more of private cars resemble taxicabs in their replacement and maintenance schedules. Taxis will be challenged by automated cars, but only when the passenger is willing to do some driving themselves - and many taxi customers are specifically looking for not just a car, but also a driver. But public transportation will also be challenged, because for many, the choice between a car and public transport is a balance between the inconveniences of longer pedestrian distances and indirect routes versus finding a parking spot.

3 comments no trackback

Monday 14 November 2011

Flash is dead? What changed?

By Osma on Monday 14 November 2011, 13:10

So, Adobe finally did the inevitable, and announced that they've given up trying to make Flash relevant on mobile devices. Plenty has been written already about what lead to this situation, and the "tech" blogosphere certainly has proved their lack of insight in matters of development again, so maybe I won't go there. Flash plugin has a bad rap, and HTML5 will share that status as soon as adware crap starts to be made with it. It's not the tech, but its application.

So, lets focus on the developer angle. Richard Davey of Aardman and PhotonStorm is offering a developer-focused review into the alternatives. TL;DR; Flash is what's there now, but learn HTML5 too. Yeah, for web, I would agree.

However, that misses the big picture as well. Choosing any tech today for the purpose of building games for Web is deciding a future course by the back-view mirror. Web, as it is today, is about a 500M connected, actively used devices market. Sure, more PCs have been sold, and about that many are sold both this and next year, but the total number of devices sold doesn't matter - the number of people using them for anything resembling your product (here, games) does. So, I'll put a stake in the ground at 500M.

In comparison - iPad and other tablets reach about 100M devices this year, and projections look like about as much more next year. I would argue that most of them will be used for casual entertainment, at least some of their active time. That makes tablet-class devices (large touchscreen, no keyboard, used on a couch or other gaming-friendly situations) a significant fraction of the Web market already, and that will only be growing going forward.

Mobiles are a class of their own. Several billion devices already, maybe about a billion of them smart phones, some projections claim another billion smart phone-class devices to be sold next year. Just by limiting the market to only those devices which sport installable apps, touch screens, significant processing power (think iPhone and Android devices, possibly excluding lowest-end Android and the iPhone 1.0 and 3G), you're still looking at a potential market of 1 billion devices or so. Now, phones are not in my book very gaming-friendly - the screen is small, touch controls obscure parts of it, play sessions are very short, the device spends most time in a pocket and rarely gets focused attention, and play can be interrupted by many, many things. Still, as we've seen, great games and great commercial success can be created on the platform.

However, lets not pretend that a Web game could ever have worked on either a tablet or a phone without significant effort, both technical and conceptual. The platforms' underlying assumptions simply are too different.

So, how would you go about choosing a technology for creating a game for the future, instead of the past?

The choices are:

  • Native, writing for iOS only. Decent tools, except when they don't work, one platform, though a relatively large one with customer base proven to be happy to spend on apps.
  • Native, writing for iOS and Android. Perhaps for Windows Phone too, if that takes off. Welcome to niche markets or fragmentation hell.
  • Native, but with a cross-platform middleware that makes porting easier. Still, you're probably dealing with low-level crap on a daily basis.
  • HTML5, if you're willing to endure an unstable, changing platform, more fragmentation, dubious performance, and frankly, bad tools. Things will be different in a couple of year's time, I'm sure, but today, that's what it's really like. I would do HTML5 for apps, but not for games, because that way you'll get to leverage the best parts of web and skip on the hairiest client-side issues. In theory you'll also get Web covered, but in practice, making anything "advanced" work on even one platform is hard work.
  • AIR, if you continue to have faith that Adobe will deliver. In theory, this is great: a very cross-platform tech, you can apply some of the same stuff on Web too, get access to most features on most platforms on almost-native level, performance is not bad at all, and so on. Except in practice HW-accelerated 3D actually isn't available on mobile platforms, its cousin Flash was managed to oblivion, and perhaps most crucially, Adobe's business is serving ad/marketing/content customers, not developers. I keep hoping, but the facts aren't encouraging. For now though, you'd base your tech on a great Web platform with a reasonable conversion path to a mobile application, caveats in mind.
  • Unity, if you're happy with the 3D object-oriented platform and tools. You'll get to create installable games on all platforms, but lets face it: you will give up Web, because Unity's plugin doesn't have a useful reach. Here, the success case makes you almost entirely tables/mobile, with PC distribution (in the form of an installable app, not a Web game) less than a rounding error. This is probably what you'd be looking for in just a few years time anyway, even if today it looks like a painful drawback.
Conclusion: Working on tools? HTML5. Web game for the next 2 years? Flash 11. Mobile game? Unity, if its 3D model fits your concept. AIR if not, though you'll take a risk that Adobe further fumbles with the platform and never gets AIR 3 with Stage3D enabled on mobile devices out the door. Going native is a choice, of course, but one that exceeds my personal taste for masochism.

On the upside, Unity is actively doing something to expand their market, including trying to make Unity games run on top of Flash 11 on PC/Mac, so in theory you might be getting the Web distribution as a bonus. Making code written for Mono (.NET/C#/whatever you want to call it) run on the AS3/AVM Flash runtime is not an easy task though, so consider it a bonus, not a given.

Thursday 13 October 2011

Where the chips fall - platform dominator for 2012

By Osma on Thursday 13 October 2011, 13:50

It's been about a year since I put my prognosis skills on the line and tried to predict where technology and consumer products are heading. Since today is National Fail Day in Finland, perhaps it's time to try again. Lets see how right or wrong I end up being.

Last year I noted a couple of things about mobile platforms and of the software environments best suited for creating apps on them. While this year has seen a lot of development on those fronts, little of it has been in surprising directions. HTML5 is coming, but not here yet. If WebGL and Intel's River Trail project were supported by the Big Three (IE, Firefox and WebKit, ie Safari/Chrome), that'd make an amazing game platform - but at least the latter is research-only at this point, and IE9 isn't going to support either. In the meantime, Adobe finished Flash 11, which now has hardware-accelerated 3D in addition to a pretty good software runtime, and, after only 10 days out, already has 42% reach for consumer browsers (at least judging by stats on habbo.com). Like I've said a long time, Flash gets a lot of undeserved crap due to the adware content created on it. We won't get rid of that by changing tech, and platforms should be judged by their capabilities in the hands of good developers, not by mediocrity. And, as far as mobile goes, the trend continues -- iPhone and Android battle it out, now also in courts as well as in consumer markets, while everything else falls under the wagon. If you're creating an app -- do it either with a cross-platform native toolchain, or with HTML5. If you're doing a game, do it with Unity or Flash, and build a native app out of it for mobile.

The interesting thing, to me, is playing out on the Internet. Google+ came out as a very nice product with well-balanced feature set, but (fairly predicably, though I was rooting for it) failed to catch the early adopter fancy for long enough to displace Facebook in any niche. Facebook, on the other hand, scared (or is going to scare) 40% of their audience by announcing Timeline (eek, privacy invasion!). Brilliant move -- you can't succeed today without taking such leaps that nearly half of your audience will be opposed to them, at least initially. Smaller changes simply aren't meaningful enough.

So, I'm betting on Facebook. I'd also guess that once they get Facebook Credits working outside of the Canvas, they're going to demand that any app using Facebook Connect log-ins will accept Credits for payment. I'd hazard a guess they're even going to demand FB Credits exclusivity. They'll fail the latter demand, but that won't stop them from trying it. Having your app's/game's social publishing automatically done by Facebook simply by feeding them events, and not having to think about which ones are useful to publish, is just such a big time saver for a developer, no one will want to miss out on it.

Not even Zynga. They're doing this destination-site, we're-not-gonna-play-inside-Facebook-anymore strategy, but continue to use Facebook Connect for log-ins. That's not because FB Connect is so much more convenient than own username and password (though it is), but because even they can't afford to let go of the "free" access to people's social network. That's the power of Timeline and the new, extended Graph API.

The chips are still in the air. When they fall, I think Facebook will be stronger than ever, but strong enough to displace the "rest of the Internet"? No. As a developer, I want to push Facebook the data for in-game activities, because that saves me time doing the same thing myself. As a publisher, I'm unsure I want Facebook to have all that info, exploiting them for their purposes, risking my own ability to run a business. As a consumer, it makes me uneasy that they have all that info about me, and while I can access and control quite a lot of it, I can't know what they're using it for. I don't think that unease will be enough to stop me or most other consumers from feeding them even more data of our lives, likes and activities. Still, they're only successful doing this as long as they don't try to become a gatekeeper to the net - nor do they need to do that, since they get the data they want without exerting control over my behavior. Trying to fight against that trend is going to be a losing strategy for most of us - possibly even for Google. Apple and Microsoft won't need to fight it, because they're happy enough, for now at least, to simply work with Facebook.

Wednesday 28 September 2011

MVP is about proof of potential

By Osma on Wednesday 28 September 2011, 21:16

Among the people I interact with, and in the places I frequent, a question that comes up a lot is "what exactly is a minimum viable product?". Perhaps that tells you something about me, but let me tell you something more, and offer one answer to the question.

Back at the end of the 90s, between preparing for having a great bash for the Millenium and various other activities of the sort, I was also learning how to apply the software skills I had acquired to some sort of purpose which would pay my bills. I ended up, to a large degree by accident, to spend about four years of the rise and height of the dot-com boom at what I to this day consider the best possible school for creating great Internet apps for end users: the Helsinki offices of Razorfish, then-legendary marketing, technology and management consulting agency, now simply a legend.

In those days, we would at times come across a situation in which a pitch for a project, a client relationship, or a business idea consisted mostly of what we called the "Photoshop application" - a web site consisting of screenshots of something that had not been built. Coming from a developer point of view, and being rather proud of the skills we had collected, like any 20-something developer is, we saw these as something to laugh at. It's just a bunch of screens, it doesn't do anything! Anyone could come up with that!

Now, in some cases that's probably true, anyone could have come up with that. They weren't all great. Some were, and I would grow to respect the skills and effort people who took design seriously would apply to coming up with both great interaction, and beautiful looks for software. These are things not to be underestimated, because impressions matter a great deal, and nothing kills a budding consumer relationship faster than a dead-end transaction flow. There's something more than that to designing applications on the screen level, though, and listening to a recording of Bill Gross (of Idealab) talking at Stanford reminded me of one part of it.

At the end of that talk, he recalls the story of Carsdirect, of giving the founder a small budget and 90 days to prove there's a business. In other words, to find out whether anyone would buy a car from this site, without talking to the dealer. Turns out that once they got the web site up, in the first day four people did just that - buy a car. They would have to go and buy them from local dealers themselves and deliver the cars to their first four customers. However, what was NOT important to proving the business opportunity was whether they would be able to form a dealer relationship with auto makers, figure out the logistics of car delivery up front, and so forth. For the four first customers, it was enough to drive the cars from the dealer's lot up to their driveway one at a time, by the founder!

This is the MVP - the minimum viable proof of business. The front-end of a business is where value is delivered. Sometimes you can prove that with just by showing Photoshop images of the service to prospective customers. Sometimes you need to have a prototype site up that looks and feels like a real business. What you will not need is to figure out the supporting processes, back-end business logic, and a whole partner value network to prove business potential. Sure, those are things that you will need to figure out to turn a profit - but without the front-end facing the customers and acquiring sales, there's no revenue, there's no business, and there's no chance of profit, never mind how wonderful your back-end would be.

Looking back, I'm not sure I knew this back in the days. I was lucky to have people around me who did. Today, I still see a lot of people thinking of future businesses worry about the back-end processes before they've figured out whether there is a front-end business. Tackle the front-end first. Sometimes Eric Ries's "spend $100 on Google AdWords and see if you get any clicks" is enough to do that, sometimes you do need a web site resembling a real service. Do not waste your precious runway building out something to support even the first 10 customers through the entire product delivery before you have one customer, though! If you get even one customer, you're learning a ton about how your next product version is not what you though it would be.

Wednesday 6 July 2011

Zynga's ARPU doubling? Not quite

By Osma on Wednesday 6 July 2011, 17:20

Apparently today the pundits and analysts around have come up to reviewing Zynga's ARPU figures from their S-1 filing (Inside Social Games, Eric von Coelin). Something seemed fishy in these calculations, and since I'm home for a day, I had the opportunity to review the filing figures on a computer, rather than just a tablet. Yep, people, you're comparing apples to oranges. Zynga's monetization rate is improving, but it's nowhere as dramatic as you're making it look. Did you already forget, they defer revenue? You can't compare GAAP deferred revenue to non-deferred DAU/MAU figures! Use the bookings data instead.

This is what the S-1 filing states about the difference:

"Bookings is a non-GAAP financial measure that we define as the total amount of revenue from the sale of virtual goods in our online games and from advertising that would have been recognized in a period if we recognized all revenue immediately at the time of the sale. We record the sale of virtual goods as deferred revenue and then recognize that revenue over the estimated average life of the purchased virtual goods or as the virtual goods are consumed. Advertising revenue consisting of certain branded virtual goods and sponsorships is also deferred and recognized over the estimated average life of the branded virtual good, similar to online game revenue. Bookings is calculated as revenue recognized in a period plus the change in deferred revenue during the period. For additional discussion of the estimated average life of virtual goods, see the section titled “Management’s Discussion and Analysis of Financial Condition and Results of Operations—Revenue Recognition.”

Zynga is of the opinion that bookings more accurately represents their current sales activities, and I fully agree. After all, this is not subscription business we're talking of! If you're as hard-core geek about these things as I tend to be, the description of when a booking turns into revenue is discussed on pages 62-63 of the filing: 

"Durable virtual goods, such as tractors in FarmVille, represent virtual goods that are accessible to the player over an extended period of time. We recognize revenue from the sale of durable virtual goods ratably over the estimated average playing period of paying players for the applicable game, which represents our best estimate of the average life of our durable virtual goods"

That deferring means that during periods of rapid growth, ARPU monetization appears to decline, while on the other hand periods of flat or declining traffic would seem to improve ARPU, due to the recognition of earlier deferred revenue against current, not earlier userbase. 

With these covered, what are the actual sales figures? The average daily Bookings to DAU rate is somewhat higher than the Revenue to DAU rate, at $0.051 (B) in Q1 of this year vs $0.042 (R). Both seem to have plateau'd on that level since growing from a year-ago $0.030 (B) / $0.017 (R). Respectable, but not earth-shattering -- and the growth, while impressive, isn't quite "more than doubled".


2 comments

Tuesday 21 June 2011

On software and design, vocabularies and processes

By Osma on Tuesday 21 June 2011, 08:55

Having recently witnessed the powerful effect establishing a robust vocabulary has on the process of design, and seeing today the announcement of the oft-delayed Nokia N9 finally hit TechMeme front page, I again thought about the common misconceptions of creating software products. It's been a while since I posted anything here, and this is as good a time as any to do a basics refresher.

A typical axis of argument sets software engineering somewhere between manufacturing and design. I, among many others, have for years argued that the relationship of software to physical manufacturing almost non-existent. This is because while the development process for a new physical product, like any involving new creation, starts with a design phase, the creation of a specification (typically in the hundreds of pages) is where the manufacturing really only begins. The job of the spec is to outline how to make the fully-designed product in volume. In comparison, by the time a software product is fully-designed and ready to start volume production, there is no work left - computers can copy the final bits forever without a spec. There's more to that argument, but that's the short version. Creating software is the design part of a product development process.

So, goes the line of thinking, if software is design, then it must be right to always begin a software project from zero. After all, all designs start from a blank sheet of paper, right? At least, all visual designs do... No good comes from drawing on top of something else.

If this truly was the case, what do you think they teach in art schools, architecture departments, and so on? Technique? For sure, but if that was all there was, we'd still be in the artesan phase of creation. History? Yes, but not only that. An important part of the history and theory of design is establishing lineage, schools of thought, and vocabularies which can serve as a reference for things to come. All truly new, truly great things build on prior art, and not just on the surface, but by having been deeply affected by the learning collected while creating all which came before them.

Not having actually studied art, I have only a vague idea of how complex these vocabularies are, and this is an area where a Google search isn't going to be helpful, as it only brings up the glossaries of a few dozen to at most a hundred basic terms of any design profession. This is not even the beginning for a real vocabulary, since those describe to a great detail the relationships of the concepts, ways of using them together, examples of prior use, and so on. However, even from this rather precarious position, I will hazard a statement which might offend some:

Software design, in terms of the vocabulary required for state of the art, is more complex than any other field of design by an order of magnitude or more. The practical implication of this is that no new software of value can be created from a "blank sheet of paper".

This will require some explanation. Let's tackle that magnitude thing first.

Any complete software system, such as that running within the smart phone in your pocket, measures in the tens, if not hundreds of millions of lines of code. LOC is not a great measurement of software complexity, but there you have it. In terms of other, more vocabulary related measurements, the same system will consist of hundreds of thousands of classes, function points, API calls, or other externally-referable items. Their relationships and dependencies to each other typically grow super-linearly, or faster than the total number of items.

By comparison, the most complex designs in any other field are dwarfed. Yes, a modern fighter jet may have design specs of hundreds of thousands of pages, and individual parts where the specs for the part only are as complex as any you've seen. Yes, a cruise ship, when accounting for all the mechanical, logistic and customer facing functions together may be of similar complexity. And yes, a skyscraper design blueprints are of immense complexity, where no one person really can understand all of it. However, a huge part of these specs, too, is software! Counting software out of those designs, a completely different picture emerges.

None of these designs would be possible without reusing prior work, components, designs, mechanisms and customs created for their predecessors. Such is the case for software, too. The components of software design are the immense collections of libraries and subsystems already tested in the field by other software products. Why, then, do we so often approach software product development as if we could start from scratch?

Why was it that the N9 reminded me of this? Well, if stories and personal experiences are to be trusted, it seems that during the process of creating it, Nokia appears to have "started over" at least two or three times. And that just during the creation of one product.. As a result, it's completely different, both from a user as well as a developer standpoint to the four devices which preceded it in the same product line, and two (three?) years late from it original schedule. Of course, they did not scratch everything every time, otherwise it would never have finished at all. But this, and Nokia's recent history, should serve as a powerful lesson to us all: ignoring what has already been created, building from a blank sheet instead, is a recipe for delay and financial disaster.

Software is design. Design needs robust vocabulary and the processes to use them well, if it is to create something successful.

Monday 23 May 2011

Nordic Game followup

By Osma on Monday 23 May 2011, 11:04

A week ago Thursday, I gave a presentation in Malmö on Nordic Game Conference's second day on a couple of related topics, slides below. I spoke about the lack of truly social interaction in this generation's "social games", and reflected on what a social game where players actually play together looks like. As you might guess, Habbo has been a social playground for a long time.. 11 years, in fact. The slides themselves are, typically for me, a bit difficult to understand since they're mostly just pictures. You should've been there :)

True Social Games - NG11 - Slides

Wednesday 16 March 2011

This is a top blog? Really? Thanks, I guess

By Osma on Wednesday 16 March 2011, 12:00

So, apparently a media analysis company named this blog a "top Finnish tech blog" of February. I'm not really sure why, given I post here pretty infrequently, and the majority of my small readership comes from USA (26%, versus Finland 9%, UK 8% and Germany 5%). This is out of about 1000 monthly visits, most of which are coming via search engines to a few older, more reference-style posts like these about wireless sharing and RAID optimization.

The only post I made in February was a rant about about passwords. I wonder if it was that, or the previous posting about web identities which made them pick me on the list. I doubt either will be an influential post over a longer period, and certainly have not collected a massive amount of traffic since their posting. Perhaps it's just the fairly good search ranking some of those reference posts seem to have gathered. The list is a pretty random bunch -- F-Secure, a few daily/weekly gadget blogs, and a couple of relatively infrequently updated blogs sort of similar to this one.

But what does it mean to be named a top blog? Well, they've brought in 3% of the traffic since they released the list on Feb 28th. That gets them spot #7 on traffic sources to Fishpool.org, and 9% share of the hits to the front page. There were 10 individual articles in the archive that got more landing visits via references and search engines, though.

Thanks, anyway. I'll try not to have this influence my writing in the future :)

Update: 24 hours later, the tweet about this post has generated 3 times as much traffic as the top-10 listing has done in 2 weeks. I suppose posting this, I've donated more publicity, little as it has been, to Cision than they did to me - and I suspect that is the point of their blog listings in general.

Tuesday 8 February 2011

Passwords are a broken system

By Osma on Tuesday 8 February 2011, 10:34

..and I'm not even referring to the multitude of website passwords this time. I thought earlier OpenID would be the fix to those, but apparently not -- perhaps OAuth 2.0 and Facebook will be, though.

No, this time I'm talking of personal computer passwords. I don't have a huge amount of recent first-hand experience with how Mac and Windows work in this department, but the Linux/GNOME experience, connected to some presumably sensible company network access control, is certainly busted. Or, perhaps it's just me, and I'm doing something wrong - in which case, I would love to hear from someone who knows how to do this right.

I have:

  1. an encrypted home/user partition on my laptop hard drive, for which I have to type in a password to get the computer to boot. Never mind that the operating system partition (which doesn't contain anything secret, since the OS is downloaded off of Fedora Project's web site) isn't encrypted, so the computer ought to be able to boot without the user partition password -- it doesn't. That's a separate peeve. This is password #1.
  2. a password for my user account, since GNOME login facilities seriously under-appreciate using an account without a password. Never mind that I already proved who I am by typing in a password during boot - well, the last boot that was on average 19 days and 78 suspend-resume cycles and 42 laptop-bag trips ago. As far as I can tell, there is a valid reason for having this password, though I could imagine switching that to fingerpring recognition. Password #2.
  3. a password for the GNOME built-in passphrase storage keyring, which automatically collects things like network WPA passphrases, ... well, that's about it, really, but anyway, it makes life somewhat bearable. Password #3. In fact, all that stuff is actually stored in a keyring with a very long random string as a key, and a separate keyring holds a copy of that, locked using the password #2 -- when things work. This is what is supposed to let me type in a password once, and have the system usable.
  4. a password for my company account which lets me in to things like the intranet. One of many, many, many work-related passwords in various systems, internal and external (mostly external), which are infeasible to synchronize to one-time authentication at least today. This one is special though, because it's practically impossible to get any work done without it. Password #3 (I didn't count the one above, because it's not supposed to exist).
  5. a KeePass keyring pass phrase, because the GNOME keyring a) doesn't have decent UI so it could be used for manually managed passwords b) because of above, there are many of those c) that I need to also use on other devices, so this keyring is synced to those devices. Password #4, for those who are counting.

That's just the start, but without these, nothing works. Now -- password policy best practices often say that passwords must be changed periodically, in order to ensure various guarantees of dubious value. I ask you this - what happens, when one of the above passwords must be changed?

As good as my memory seems to be with random alphanumeric strings of letters and digits, I simply can not maintain four of them in memory along with the credit card PIN, phone number PIN, VPN token password, GMail password, Facebook password, and so on an so on, if I'm supposed to also get any work done. Especially not if one needs to be swapped out to a completely new random thing every now and then. So, I do what any human would do: try to minimize their number.

Because I'm relatively security conscious, I don't do that by using the name of my childhood pet on every system from the most security sensitive to every second web site that appears to require its own password. No, what I do is try to use the same password in all five of the above cases, because a) they're all needed in sequence anyway, b) I can't do effectively anything without access to all of them. I still need to type it way too many times, but at least that keeps the memory fresh.

Except -- changing any one of those places doesn't change any of the others. Not even the supposedly-integrated 1, 2 and 3. So, I end up with 5 instead of 1, and I don't know which is which. New "enter password to keyring 'default'" dialogs pop up on my desktop, prevent anything else from receiving any keyboard input, accept nothing as a valid password, and prevent me from working for 45 minutes. 

I did figure out how to solve it, though -- prevent GNOME Keyring from accessing the 'default' keyring (for which there is no typable password to begin with), force it to change its login password to the new login password, and then re-enable access to the main keyring with all the WLAN pass phrases and other assorted stuff. However, it still wasted a lot of time, and would probably have stumped anyone else I know (I'm pretty hard core with this crap, sad to say).

Broken? Yes. How to fix it? Hell if I know. Perhaps posting this rant would prompt the LazyWeb to point me in the right direction. Having to follow a 20-step routine to change one password isn't the fix, though.

one comment

- page 1 of 23