Captcha This

A few weeks ago Google introduced No CAPTCHA reCAPTCHA. It is a new approach to recognizing whether we are dealing with robots or humans. It should be a modern alternative to good old CAPTCHA. And I say it was about the time.

Captcha was a good idea a few years ago. They give you garbled text and you write it down to prove that you are a human. State of OCR was such that no program could pass this with any meaningful accuracy. There was a further improvement with ReCaptcha where your input would be used to help with book OCR which also caused warm and fuzzy fillings.

But robots got smarter and captchas got more complicated to keep up. I don’t know about you but I average about 75% captcha accuracy on a good day. According to Google, most advanced robots reach 99.8% accuracy. If robots have a higher success rate than humans on a system that was designed to keep them out I believe it is a time for change.

New system aims to recognize behavior and to give various quiz tasks only if there is any doubt. This new API hasn’t been widely implemented yet so it is hard to know how good it really is. But, if it removes at least one stupid letter entering dialog, I will consider it a success.

So far I personally haven’t been presented by a single new dialog. However, I am not a robot so that is pretty much expected result by design. Based on examples Google has provided, it will be based on image recognition so hopefully robots will endure more pain than humans. Depending from where images are coming from, I also expect quite a lot of funny combinations.

Of course, there is a work involved for any site that is to support this. And my guess is that it will be a bit more difficult to implement than older ReCaptcha. Considering that even ReCaptcha didn’t take web world by storm although it was superior to self-created ones, it is pretty much safe bet that we will see old style captchas for a while.

But new captcha king is in town. May it stop our robot overlords.

PS: No, “abicl” was not correct answer for a picture above.

PPS: If 99.8% figure is for ReCaptcha captchas, I imagine that it is all but 100% for all those self-rolled captchas that think that having a line or two is protection enough.

Lollipop, Lollipop, Oh Lolli, Lolli, Lolli

As I saw today Android 5.0 (Lollipop) factory images, I got a twitch going on. Yes, I could wait OTA a week or so or I could install the newest Android OS on my phone immediately at the cost of data. It took me a whole second to know the answer.

First step was to install Java. I took latest x64 Java Development Kit and got that pest (temporarily) on my machine. Next step was to get Android SDK Tools. I opted to get it as a standalone install.

Upon starting Android SDK Tools, I just installed all packages offered by default. Nitpickers might say that you only need Platform Tools and Google USB Driver but I find it much easier to click Next, Next, Next until cows come home or all needed gets installed.

Last part of puzzle was actual factory image for Nexus 4. All files from it I unpacked in the same directory where fastboot.exe was installed. Since I took all defaults this was at %USERPROFILE%\AppData\Local\Android\android-sdk\platform-tools.

Now I powered off my mobile phone and powered it back on while holding Volume down button. This brought me into the FastBoot mode and I connected my USB cable only to have device not be recognized. Therefore I had to go to the Device Manager and right-click Android device with a yellow question mark. Selecting Update Driver Software and then pointing dialog to the SDK directory (%USERPROFILE%\AppData\Local\Android\android-sdk in my case) allowed installation of Google’s USB Driver.

Now I could start cmd.exe and unlock my phone:

cd %USERPROFILE%\AppData\Local\Android\android-sdk\platform-tools
fastboot oem unlock

This gave me a warning prompt on my mobile phone. To select Yes I had to use volume keys for the movement and power key for the confirmation. First step done.

Next step was to actually flash the phone. Fortunately Google provided nice script for that so I just started it (still in the %USERPROFILE%\AppData\Local\Android\android-sdk\platform-tools directory):

flash-all.bat
 sending 'bootloader' (2264 KB)...
 OKAY [  0.076s]
 writing 'bootloader'...
 OKAY [  0.294s]
 finished. total time: 0.374s
 rebooting into bootloader...
 OKAY [  0.004s]
 finished. total time: 0.006s
 …
 sending 'cache' (10984 KB)...
 OKAY [  0.375s]
 writing 'cache'...
 OKAY [  0.602s]
 rebooting...
 finished. total time: 87.058s
 Press any key to exit...

After two minutes your phone was be rebooting with a brand new OS. First reboot took quite some time (eight minutes on my device) so have some patience was needed.

After setting everything up I rebooted the phone once more into the FastBoot mode (power off; VolumeDown+Power). Then I started cmd.exe one last time and brought the lock back:

cd %USERPROFILE%\AppData\Local\Android\android-sdk\platform-tools
fastboot oem lock
fastboot reboot

And with that installation of Lollipop was over.

PS: Interesting tidbit: during initial Lollipop setup I could only see 2.4 GHz wireless networks. As soon as I was connected, 5 GHz networks became visible too.

Livin' La Vida Https

I had SSL enabled on my site for a while now. My hosting provider had it available as an option and I hated having my password travel unencrypted. However, as Google pushed for https, I started playing with the idea to use https exclusively. As you can (hopefully) see, migration was successful.

First order of business was to sort out redirects. I wanted regular http domain 301-redirected to the https one. As my server was using Apache, following directives were added to .htaccess file:

RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

In order to be compliant with HTTP Strict Transport Security, I also added new header just above conditions in the same file:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

My Suffusion WordPress theme kept using http to fetch ads and that caused browsers to omit them all together (you cannot load http scripts on https site). Therefore I also had to make a slight modification to it. In file ./suffusion/functions/shortcodes.php I had to change suffusion_sc_ad function to use https by removing protocol name from the URL:

function suffusion_sc_ad($attr) {
        $params = array('client', 'slot', 'width', 'height');
        $provider = 'google';
        $provider_type = 'syndication';
        $service = 'ad';
        $service_type = 'page';
        $ret = "<div id='".$service."sense'>\n<script type='text/javascript'><!--\n";
        foreach ($params as $var) {
                $ret .= "\t".$provider."_".$service."_$var = '".$attr[$var]."';\n";
        }
        $ret .= "//-->\n</script>\n";
        $service_url = "!!http:!!//".$service_type.$service."2.$provider$provider_type.com/$service_type$service/show_{$service}s.js";
        $ret .= "<script type='text/javascript' src='$service_url'></script>\n";
        $ret .= "</div>\n";
        return $ret;
}

Result of these three changes is that my site is now https-only without any functionality loss.

PS: Those checking the certificate will notice that I use CloudFlare and their Universal SSL. Do notice that using such service is actually one big man-in-the-middle attack since CloudFlare decrypts all traffic before encrypting it again when it contacts your site. It is not because they are evil but because they cannot provide you with their CDN services (and more) any other way. For any website traffic, I see no problem with such approach. However, for administration tasks, I would recommend having a separate https subdomain that leads directly to your server.

J a Bit

These days it is almost a common knowledge that J standing alone has a meaning of a smile. What you see as a J on the desktop suddenly becomes a letter J when viewed on (Android) phone. But why is that?

Answer lies in the dark times before the Unicode when only possibility to introduce new symbols was to actually swap some characters for them. It was quite a common practice to make fonts that consisted purely of symbols.

One of such fonts were Wingdings family. These fonts were then used in anything from Word to many custom programs. If your platform doesn’t support fonts or contains no Wingdings font (as Android), you would see symbols substituted for the letter characters.

Probably most commonly used in the emails are smiley symbols: J (J), K (K), and L (L). As Unicode became standard in communication, only smiley and frowny face survived. Other Wingdings characters remained just a curiosity and something you would get from Outlook users.

But maybe they will be coming back into fashion soon as Unicode 7.0 will contain most of them. Who knows, maybe even somebody makes an effort and J-weirdness becomes a history.

Getting a Visa

Three years ago I applied for US L1 visa. After getting all company paperwork in order, I had to fill DS-160 form before I could even come to the embassy.

Application process threw me down the memory lane since it required annoying precision when it came to education and previous work engagements. I usually know a year when most of important events in my life took place, for quite a few I even know a month. But this was probably first time in my life that anybody asked me about exact start date of my high school and college.

Then questionare took a stupid turn. I am sure that other country’s questionnaires are probably as dumb but I was surprised that anyone would include “Do you seek to engage in espionage, sabotage, export control violations, or any other illegal activity while in the United States?” as a question on their form. Maybe you could catch world’s-most-stupid-criminal this way but even that is probably farfetched idea. I would enjoy seeing statistics on this question. How many people ever answered yes?

Questions following that one were no better. I had to read most of them twice just to be sure I was not hallucinating and it took a super-human strength to answer them “no”. For example, one that asked about my involvement in genocide just begged for a description of my crimes toward pig population (hams, sausages, bacon; you name it, I did it). But alas I was a coward.

One explanation that I’ve heard about the purpose of these questions was that they allow legal system to stick Visa Application Fraud in addition to other convictions if you do naughty things you promised not to do. While this has a ring of truth to it, I personally find it silly at best.

After filling that again for my wife and for my kids I was ready for an interview process in the embassy…

This post is intended to be a light read and hopefully draw a few smiles here or there. Don’t take anything you read too seriously. It is intentionally overly generalized, takes into account only my personal experience, information might be stale, and I won’t be above lying for the comedy effect. Be warned!

Curious USA

I am a fairly new to States, just counting my third year as a resident. I have only ever lived in the Virginia and the Washington state and traveled through another fifteen or so. My experience is not only incomplete but heavily skewed toward north. Even worse, it is limited only to small towns with big IT companies around.

Historically I come from quite a small town within even a smaller country (Osijek, Croatia). I have traveled decent amount but almost always within Europe. In other words I have really limited experience of other countries and their customs.

Maybe it is all those factors together or maybe it is my confused person, but I found living in the USA full of interesting peculiarities and customs. Since most of my wonder happened at the very beginning of my life in USA I caught myself forgetting some details and even outright understanding a thing or two.

Since I will be on blog hiatus for a next few weeks as far as technical content goes, I might as well write some overly generalized easy going opinions. I plan to keep it light and hopefully readable.

Death of the Desktop Mapping

After a long time Microsoft is discontinuing its MapPoint and Streets and Trips offerings. On one side I didn’t expect this move - I even recommended using MapPoint to a friend just a few weeks ago. But I cannot say it was really a surprise. Considering its overlap with the Bing maps it probably had a good stretch.

I cannot say anything about Streets and Trips since I really haven’t used them although I know few people who swear by it. MapPoint is completely different story and a program I will miss a lot. Well, not really the program - I will miss its API.

MapPoint as a mapping program was quite humble. Not too bad albeit not really any better than all other offerings. I must confess that I rarely used it to search anything - for that web-based maps are God-given. But I did adore option of using MapPoint as cheap local Bing/Google maps alternative. It had it all: search for coordinates, conversion from coordinates to address, map image… It was a perfect tool for quick one-time mapping work. You buy it and do whatever you want to it on your local computer (or server) and, unless you need newer maps, there is no additional expense.

Its replacement, Bing maps, might be better but it does come at the cost. Licensing for Bing maps is ridiculously difficult and costly. For just a basic mapping application you are looking at steady monthly expense that can easily get into thousands of dollars. Compared to one-time cost of $400 for MapPoint, price hike is definitely noticeable.

Yes, Bing maps has a free offering for small project doing under 125,000 transactions but only if you are not using GPS functionality and you plan to create a Windows Store App. As soon as you utter Desktop usage, you are looking at the death by a thousand cuts.

Big business will probably live with this change just fine. They haven’t used MapPoint to start with and cost of Bing maps license is cheap enough for them. Small independent software developers will be affected the most with this change and there is no full replacement for MapPoint.

While there are some alternatives on the web, MapPoint was an unique flower that worked just fine without an internet connection. It will be missed.

No New Post Here

I had the every intention of writing April Fools’ post here. But then I noticed a prank that was so much better than what I have planned.

Source of History

If anything, Microsoft likes to keep its source code well hidden from a public view, even to the level of reading other people mail while mocking Google’s privacy policy (the pot calling the kettle black :)).

So it came as a surprise that Microsoft released MS-DOS 1.1 and 2.0 together with Word 1.1a source code to the The Computer History Museum. While these sources are far enough in past to be completely useless for anything competitive, I find them a precious part of history and very well worth checking.

MS-DOS source is particularly dear to my heart because it shows just how much functionality can be fitted in just 28 KB. Assembly code is quite annoying to follow (things tend to look a bit ugly when optimized) but it is well worth reading because of the comments. Not only they will help you understand code but, if you are old enough to have any DOS experience, they will also bring you on a memory lane stroll.

Since I was a stubborn WordPerfect fan at the time of Word 1.1a, its source didn’t evoke same level of emotions in me. But I definitely found some parts amusing to see. Especially document titled 86fun.doc that lists some facts only programmer can think of as a fun.

I find both programs miniatures well worth checking and remembering. Thanks Microsoft!

In the Year 2013

As always, first post of a year is reserved for a bit of statistics.

This year I have slowed-down posting a bit with only 74 posts since January. As usual 40% of posts is programming related, followed by 25% of Windows posts. Rest is such a mishmash of everything that I wont even go into analyzing it.

Traffic-wise it was a fantastic year - another 25% increase is greatly appreciated. Unfortunately huge 66% of traffic comes from places unknown so it is really doubtful whether it is even worth tracking this. Assuming same distribution of unknown locations as ones that were recognized, USA leads with 60% of visits. After that there is 20% visits from Germany and 15% from India. Other 216 countries cover the rest.

Google Chrome leads the pack with 40% visitors. Next one is Internet Explorer with 25% followed closely by Firefox. All other browsers are in traces. Mostly users came with desktop browsers (more than 95%).

Vast majority of search traffic to blog came in search for Windows 8.1 product key, probably because of my Installing Windows 8.1 (or 8) without a product key post. Another huge chunk were ones searching for VHD Attach and MagiWOL.

Pingdom claims 99.93% uptime (6h down) which is definitely helped by CloudFlare. While free CloudFlare account is not a perfect solution, it is definitely helping with site’s speed. For next year I will need to think of some other improvements.

And that’s all folks!