I’ve been thinking a lot about browser compatibility as I’ve been working on Today’s Meet. My CSS is valid, but it doesn’t work quite right in IE6. The interface is completely JavaScript-based, and will only become moreso in the future. How much time should I put into making it all work with IE6?

None.

I know lots of people, usually in government offices or schools, who are stuck with IE6. For some reason, their IT departments have neglected to update their systems for over two years.

(Sure, some of these systems are running Windows 2000. This is a real minority at this point, though, and the rest have no excuse. If you’re running Windows 2000, and absolutely cannot afford to get new systems, get Firefox.)

I used to think I needed to support IE6 because this group is frighteningly large. But now I’ve come to realize—especially in the wake of this week’s news—that by supporting IE6, all I’m really doing is enabling these lazy IT departments to keep running dangerously out-of-date software.

IE6 is the Vicodin to lazy IT’s Dr. House. As developers we’re Drs. Wilson and Cuddy. Just keep handing it out.

How up-to-date is the rest of the software on a system that (apparently) hasn’t run Windows Update in 2 years? What other major security holes, accessibility issues, and compatibility problems would be solved by updating?

Not only is supporting IE6 annoying, it enables people to run software that is out-of-date and easily exploited. Are we really helping users, or are we just helping them get hacked?

So from now on, no more.

My personal projects will no longer support IE6. I won’t test in IE6.

IE7, Firefox 3, Safari 3, provisionally Opera (really, if it works in the first 3, it should work in Opera).  Keep your software up-to-date.

If you’re still using IE6, go get 7. (Then don’t use it until after the Windows Update patch.)

If you can’t run updates, but can install software, go get Firefox.

If you can’t do any of that, tell your IT department that running software 2 years out of date is unacceptable. Tell your boss to tell them. It’s a performance/security/accessibility/compatibility/etc issue.

And if you’re a developer, stop and think. Are you actually doing your visitors any good by supporting IE6? Or should you take all the time and effort you put into backwards compatibility and put it someplace more valuable?

Comcast (@comcastcares), JetBlue (@jetblue), Biggby Coffee (@biggbybob) and Starbucks (@starbucks), even Britney Spears (sorry, I refuse to link that one) have all shown up on Twitter with very real, human exchanges.

I’m not sure, behind the scenes, whether there are several people or one incredibly busy person at each of these companies, but they’ve decided to drop the corporate suit and engage their followers. They aren’t using Twitter as a broadcasting medium, but as a networking and conversation tool.

They get it.

Here is one of my favorite examples:

threeofus: @Starbucks Who actually types the tweets for Starbucks?

Starbucks: @threeofus Hi, I’m Brad, I work in the online team. How are you?

So what’s the trick? What did Starbucks/Brad do right?

• Use the First Person. “I,” “me,” “my,” all make your tweet feel more personal. No real surprise there. “We,” “us,” and “our” work, but not nearly as well. You sound like a spokesperson, instead of a person.
• Own the Conversation. By introducing and naming himself, Brad is taking ownership of the interaction. Even if Starbucks has 10 people reading and responding to tweets, threeofus can feel like she’s talking to one person.
• Engage. Read and respond to other users, especially @-replies. Read, retweet and share. If you’re only sending information one way, you aren’t part of the community. You can also use tools like Twitter search to find and respond to users talking about you or your company.
• Show Emotion. “This is so cool,” “Wow, long day” or even just “:-)” are all things that a person would say, but a press release never would. You don’t need to wear your heart on every tweet, but let some of your feelings come out—at least the good ones.
• Be Active. For most of us, Twitter is ambient information. You need to update regularly to get in to that stream.
• Don’t “Always Be Closing.” Don’t make every tweet a pitch or a request. That doesn’t mean you can’t pitch: I link my blog posts on Twitter, my friend @alecrj mentions his shows. But if every tweet sounds like an advertisement, then you sum up to an infomercial.

Here’s a comparison: Lansing’s alternative paper recently started twittering at @CityPulse. Right now, the biggest words in their tweet cloud are their URL, “city,” “pulse,” “check,” “out,” “pick,” and “up.” Every tweet is trying to drive me to their website or pick up a copy of the paper. They’ve sent no @ messages, used the word “I” once, and have gone a week at a time without updating.

And despite following almost 300 people, they’ve only got 100 followers.

This is what confuses traditional marketing about Twitter: the community won’t listen to you until you listen to the community.

Of course, there are robots on Twitter, too, and some are very popular, like @nytimes and @BarackObama. They are broadcasters, not community members. They perform very specific roles and are backed by very unique content. They add enough value that they don’t need to engage the community.

And yet, if they did, they would be even more powerful.

So do you and your company get it?

Here is a very typical “bad example” of why you need to escape user data before it goes into SQL queries:

(ed. The symbol « is a line break that’s not in the real code.)

The point, of course, is that you must sanitize your user input, or else this person would run this query:

Which grants the sneaky user all your admin privileges. Other versions have nefarious users dropping your users or articles tables.

The problem is: this is the wrong way to authenticate users. These examples are written for beginners to understand the importance of sanitizing input, but they also provide a model to those beginners for how user authentication works. And it’s a very bad model.

This is a long one, more after the break.

The only upside to authenticating this way is that you don’t expose any information on failure, that is, if I’m trying to hijack someone’s account, I can’t tell the difference between an invalid user name and a valid user name with a bad password. That’s good, but there are good reasons not to do this at the database level.

The “correct” way is not much more complex. Basically:

1. Look up the record with the username only.
2. Get the (hashed) password out of the database.
3. Hash the submitted password.
4. Compare the two hashes.

This is really not very hard to implement. In PHP:

What’s going on here? Basically, we’re looking up the user by the username. If we don’t find a user, we throw out an error. If we do find a user, we re-encrypt the password they supplied, and check it against the encrypted password we already have. If they don’t match, we throw out an error. If they do, the user is allowed to log in.

There are two key differences between this method and the method so often espoused by tutorial writers:

1. This method stores an encrypted password instead of plain text.
2. This method differentiates between bad usernames and bad passwords.

#1 should be obvious. Never store an unencrypted password. It’s extremely dangerous: if someone ever gets a look at the table, they can just read the users’ passwords—which may well be the same as their bank password (no it shouldn’t be, but it probably is). And it’s unnecessary. Every server-side language implements the MD5 hash, which is weak but works. Better options (like PHP’s crypt()) can use algorithms like Triple-DES, SHA1, Blowfish, or at least MD5 with a random salt.

But wait, #2, I said it was better not to distinguish between a bad username and a bad password, right? Well… yes, to the end user. In either case, I should display a message like “Bad username or password” to the person who tried to log in.

Internally, however, I want to know what happened. Is someone targetting known users, or just trying random combinations? How did they find real usernames? Where should I be improving security?

You’re also minimizing the number of user-submitted strings that get sent to the database. There are fewer opportunities for you to accidently allows an injection attack. If you have a policy on username syntax, you can keep yourself even safer by not talking to the database if the username is bad:

(I’ve omitted logging or real error-handling here. In a live version, I would probably wrap most of this in a try block, throw one of three types of exceptions, and do some logging in the catch block.)

Obviously we still escape the username, to make damn sure, but this gives us another place to get information. Did someone actually enter '; DROP TABLE users; -- into our login form, or did they just mistype their password.

I’m going to end with a request: if you’re about to write a tutorial for beginners, please be aware of what you’re modeling in your examples. If you’re doing something you would never do, for the sake of simplicity or because it’s not the focus of the tutorial, point that out. Link to another tutorial or at least mention that it’s a bad way to do something.

Don’t send a quiet message that wrong is OK.

If you don’t know where, lots of websites will help you, even Google Maps.

Don’t assume that the polls will come true even if you skip voting. Vote.

If you’re still undecided (have you been living on Mars, in a cave, under a rock, with your eyes closed and your ears covered for the past 2 years) or think the candidates are “the same,” I urge you to check out their websites: BarackObama.com and JohnMcCain.com and read about their positions.

I assure you, they are very different.

As David Sedaris said, it’s like being offered the chicken dinner or a plate of shit with broken glass in it, and asking how the chicken is cooked. No matter which side you’re on.

The following does not constitute rigorous proof. Just observation and conjecture.

For an experiment, I went to Google News and searched for “mccain” “palin” “obama” and “biden”, all separately, and just looked at the total results. (I looked on the second page because Google’s duplicate-finding algorithms usually seem to pare down results by the time you get to page 2.)

Here are the results:

• obama — 433.631
• mccain — 416,804
• biden — 86,164
• palin — 202,033

Obama and McCain are fairly even (unsurprising, since most articles that mention one mention the other). What shocks me is that Sarah Palin, who almost no one in the country had heard of until two months ago, has already caught up to half of the candidates, who have been on the trail for a year and a half.

Unless Michael Palin has been making tons of news, lately?

She’s got two and a half times the press of Joe Biden, who’s been a US Senator for 35 years, so probably has some old mentions in there.

We see a similar trend in the regular Google search:

• obama — 206,000,000
• mccain — 146,000,000
• biden — 37,900,000
• palin — 107,000,000

Here I attribute the difference between Obama and McCain to Obama’s lead among young voters. But Palin has even more momentum here, half of Obama and two-thirds of McCain. (I re-ran this search several times, because Google said it was customizing my results based on my recent queries.)

Why?

McCain picked an ambitious, photogenic campaigner. He, on the other hand, is an occasionally ornery, but usually soft-spoken old man. Barack Obama is a well-spoken Black man with a thousand-watt smile. Biden is the soft-spoken older man on that ticket.

Unfortunately for Senator McCain, he also picked an unknown, inexperienced Governor who usually sounds like a high school student who didn’t read the book, and looks like Tina Fey. Comic. Gold.

I realize that picking someone less exciting that John McCain may have been difficult, but picking someone much more interesting, and not in a particularly good way, was definitely a bad choice. Yes she energized the base. She also energized every comedian and reporter. So much so that they forgot about John McCain.

They are “voting for the chick.”

For disclosure, I only identify as a Democrat because they’re as far left as I can get and still have a realistic chance of winning. I’m roughly in the left side of the British Liberal Democrat party.

But, if I was a Republican, I would be angry about this. As a liberal, it’s just funny.

Yeah yeah, do it in ASP.NET, I know. While I like C# as a language, I kind of hate ASP.NET as a framework, so what are you gonna do? Java was an option but the start-up time was too long for this project.

My first Google search for “PHP SQL Server 2005″ turned up the Microsoft SQL Server 2005 Driver for PHP. “Well great!” I thought. It’s just a PHP extension, very easy to install on Windows. But I didn’t know the horrid depths into which I was about to sink.

The Microsoft driver comes with an example application and database. The application assumes you are connecting to a local database. There is scant information about remote databases.

The driver defines this function:

sqlsrv_connect($host[, $connectionOptions[, ...]]);

The example application tells you to set $host to (local). Supposedly this works. However, after scouring the internet for several days, and trying every permutation of hostname, Windows networking name, port, IP address, white space, and several other variables that shouldn’t have been in there, I’ve decided it doesn’t talk to remote servers nicely.

PDO’s ODBC driver, on the other hand, and a quick visit to www.connectionstrings.com, worked wonderfully.

Here is how I needed to create the PDO object. I hope this is useful for someone else:

(ed. The symbol « is a line break that’s not in the real code.)

$host     = '1.2.3.4';
$port     = '1433';
$database = 'MyDatabase';
$user     = 'MyDatabaseUser';
$password = 'MyDatabasePassword';

$dsn = "odbc:DRIVER={SQL Server}; «
 SERVER=$server,$port;DATABASE=$database";

try {
  // connect
  $conn = new PDO($dsn,$user,$password);
} catch (PDOException $e) {
  // fancy error handling
}

Education generally falls behind every other sector in computer technology integration and internet use. A typical fast food employee uses a computer more during the day than a typical middle school student. (What are cash registers but custom computers?) At almost any business you can expect employees to use networked computers for everything from sales and inventory to customer service to internal work and communication.

But beyond simply using the box, private companies in every sector generally have up-to-date, professionally designed web sites that (at least try to) provide useful information or services to customers. Been to your or your kid’s school web site lately? Universities are usually “OK,” but they get worse as you go down.

In any other sector, you are likely to find online collaboration tools, meeting planners, digital resources for employees, use of messaging tools like internal e-mail (Exchange servers), private IM, Yammer/Laconi.ca, internal wikis, public and private blogs… you get the idea.

But not in education.

Education is part of the problem, but it is not the whole problem. Many people talk about how teachers and schools fail to use computers and the internet well in their classrooms. Many schools treat the computer itself as a goal, rather than as a tool to do new things, or do old things better and faster. Teachers generally fall behind the private sector in computer literacy. Yes, all these things are true.

But we, we the tech sector, the web 2.7.4 crowd, we are part of the problem, too.

How often does a new tool support education? Offer suggestions or support for teachers? Provide educational pricing? Provide the EULA and Privacy Policy education legally requires?

The people who become teachers are often the people who did well in school, who see no reason to change anything because, to them, it works. In the tech world, “where did they drop out of school?” is a legitimate question. Your typical programmer has at least one degree in Computer Science, but the real success stories—Bill Gates, Steve Jobs, Mark Zuckerberg—the ones who made real money, are drop outs. School didn’t work for them—for us—so what do we owe school?

When Yammer launched, they gave a simple business plan: for companies that wanted to “claim” and control their networks, they would charge $1 per month per user. A small start up might pay $5 to $20 a month. Even a big company is probably paying only a few hundred dollars per month. A university, on the other hand, could be stuck paying tens of thousands of dollars per month, or skipping the service entirely. Which do you think they’re likely to do?

What was Yammer’s response? “Our product [...] is not geared toward educational institution [sic].”

Many schools have prohibitions against using Google services for anything work-related because, if you don’t pay for use (update: Google Apps for Education is free, my bad) their educational services, their Terms of Use (read Section 11) could allow them to share sensitive student data.

You’re a school? You don’t matter. Only cool people matter.

Let’s change. Let’s remember that the community of “tech-savvy” users, while growing, is still a minority. Let’s encourage teachers and schools to use the tools we create, so people come out of school ready to use these tools.

It is possible. Ning is experimenting with education. But how do we make tools ed-friendly?

Fix your EULA and Privacy Policy, or provide a second one for education. Don’t be the next Google Chrome. (Frankly, everyone should be reconsidering their EULA right now. Why do some people need so many rights to my content?)

Offer suggestions to teachers. I know: it’s not really a priority. You’ve got bug fixing, paying customers, searching for VC, coming out with the next version. But it’s not terribly difficult. Got a user forum? Add a section for education. Got a wiki? Add an education page. Blog? Throw up a post for teachers once in a while, or better, get guest posts from teachers who use your tool.

Provide educational pricing. Schools have less money every year. If you can work out a deal to make your product free to schools, do it. But it’s not hard: just charge schools less. Think of this as an investment. If they use your product as students, they may well want to use it when they graduate and have to pay.

Or, provide an ad-free version to schools. This is the Ning method. If your business model doesn’t involve charging directly, be aware that schools often take issue with displaying ads to students. It’s the same investment as above: hook them young.

Schools lag on the internet because there is resistance on both sides: educators are reluctant to integrate new things into their curricula, and the new tools rarely give a damn about schools and students as users.

Changing the tech side won’t solve the problem. Schools need to adapt, too. (Where would you look for a Windows 95 computer if you needed one today? I’d check the local elementary school. It’s probably in a lab, or hidden in the back of a classroom.) Schools need to treat computers like tools, and the internet as a tool, and the tools we build on the internet as tools, and use those tools effectively. That will take time.

In the meantime, let’s try to reduce the resistance on our side, so when they come around, educators feel welcome.

Edit: I need to proofread better, even with angry rants.

I had to go through and repeat a few hacks. For example, 2.3.x didn’t allow you to do get_sidebar($name), so I’d hacked the “get_sidebar()” function. And I replaced the still-broken Atom feed reading widget with James Wilson’s Google Reader Widget.

Then I finally got fed up with the default “Search” widget, which doesn’t look like the other widgets at all (no title), so I started hacking into that one. Then I realized “why hack, when I can extend?”

So, here it is, Better Search Widget.

All it does is add a search widget with a customizable title, submit button, and field size. Quick-and-useful. You can see the results in the sidebar.

If you decide to use it, leave a comment and I’ll check out your blog.

Chrome certainly looks like a modern browser, with tabs along the top and an address bar and a “Most visited” home screen, it will seem familiar to anyone who’s moved past Internet Explorer 6.

And yet, my Twittersphere has been full of comments like “Nice, but not nice enough to make me drop Firefox/Safari.”

While there are some visual improvements, such as an extremely small “chrome” (the parts of the browser around the page area) footprint, the big changes are “under the hood.” Chrome is built for tabs—each tab is an isolated process; no one tab can take down the whole browser—and is built for JavaScript-heavy “web 2.0″ apps—Chrome’s new V8 JavaScript engine executes a full order of magnitude faster than the current browsers, in my experience.

And all of those “under the hood” changes are open source.

Chrome is not a browser.

Chrome is Google’s way of making a point: modern web browsers have not kept up with the web itself.

More and more, the web is becoming an interactive application, and most browsers are not built for it. They display pages, and running applications is an afterthought. While we’ve seen huge improvements in JavaScript execution in the past few years, speed is still a limitation for developers. Applications are also much more likely to crash than static pages (go ahead, just try to crash a browser with just malformed HTML) and isolating tabs will give necessary boosts to speed, stability, and security.

Kris Abel of CTV.ca said it best: “Google’s entire business takes place throughout the internet itself and so they see their interests served regardless of which company takes web browsing to the next level, in fact they see their interests served if all companies do exactly that.”

I’m not switching to Chrome. I doubt very many people will find it useful as a primary browser. I don’t expect many user-interface improvements, like Firefox’s vast add-on library or the accessibility features of Firefox 3, Opera or IE8.

I do expect any future version to have more “under the hood” improvements, and I hope that the makers of Firefox, Opera, Internet Explorer, and any new browsers that spring from this, will re-evaluate their own products and move in this direction.

Because when the browsers get better, the web gets better.

Good. What came up?

Look at the first page of results and ask yourself these questions about each one:

1. Is it really me?
2. Did I create this?
3. Do I control this?

You need to be able to say “yes” to all of these for at least the top two or three results. (As I write this, the RSSmeme page repeating my Google Reader shared items has crawled above my blog, and I’m upset about it.)

Creating Identity

I’m lucky. My last name is very rare, so even if you Google just “Socol” I come in second—only to my father, and ahead of Wikipedia. You may not be so lucky, saddled with a name like Jones or Smith or, even worse, you might have the same name as a celebrity. You may have an uphill battle.

People with common names need to get creative. It can be as simple as adding an initial—my friend became Alec R. Johnston to distinguish himself. Something a little more creative—Lisa Bettany named her blog Mostly Lisa. Or you can geek out, like Ben Lew, who uses the name n0s0ap. (Those are zeros.)

Ben uses the name n0s0ap on del.icio.us, flickr, Last.fm, Digg, Twitter, etc. Lisa uses a combination of “MostlyLisa” and “LisaBettany.” I use a combination of an old name, “UrbaneExistance” (I know it’s spelled wrong) and “JamesSocol” for all new registrations.

But all of us, Alec, Ben, Lisa, and I, make sure our real names are linked to our identities. It’s no Clark Kent: n0s0ap is Ben Lew, with the glasses on or off.

Owning Identity

Do you own your own domain name? Why not? Go buy it. Now. Go!

I have this conversation with friends all the time. Would you want someone signing your name on paper documents? Of course not, so why would you let them do the same thing online? I own jamessocol.com, jamessocol.net, and jamessocol.org, just so no one else does. Even if you do nothing but have it redirect to your social network of choice, you should own your name.

If your name is taken, reread the last section and get creative.

Now, about those social networks. You don’t need to be on every one, but get on a few, build a profile, and put your name on it. You can create and control your own Facebook and MySpace pages without knowing a single HTML tag. Once you’ve got a name, whether it’s your real name or something else, use it. last.fm/user/you. twitter.com/you.

Controlling Identity

The best way I’ve found to control what the web knows about you is to start your own propaganda campaign. Put your name on a lot of things, preferably with links back to your own site.

An easy way to start is by commenting. Blog comments help the most, since you spread that influence around the whole internet, but within MySpace or Facebook posting real, meaningful, interesting comments on profiles and walls will make sure people think of you when they hear your name.

If you have the time, try blogging. There are a lot of blogs with great advice, but you can always just “write what you know.” Once you find your voice, the writing flows.

What else? It depends what you like. If you take pictures, get a Flickr stream. Last.fm is a great way to share and find music you like. GoodReads is a similar site for books. Twitter is great for finding people with similar interests and building connections. LinkedIn is a professional social network, particularly good for people in marketing or new media. Blogger, while not the best blogging platform, has some good community features. There is a lot out there.

Be Yourself

Don’t let someone else be you! Own your own identity and be proud of it. It will help you build authority and when a potential employer or client googles you, they’ll get a good idea about you from the first page of results.

What else, 2.0-savvy readers? What did I forget?