mitxela.com

There's something about midi.org...

10 Apr 2016

I was moved to tears when I saw the new website for the MIDI association. It's comically terrible!

Normally I wouldn't give a toss about this except they used to have a very useful set of quick reference pages on the MIDI specification. These now redirect to the new site, where the same information is presented over many more pages in a larger font, padded with blog adverts and – I shit you not – high resolution images of acoustic guitars. Because acoustic guitars sure have a lot to do with the electrical specification for MIDI.

I've mirrored the two most useful bits of the old site here.

Cookies, the Legislation and the Grand Misunderstanding

29 Mar 2016

It's been seven years since I last posted a rant here. Rants tend to have a time limit on them; usually, eventually, the problem gets sorted out. I deleted the oldest rants a while ago, they were no longer valid or interesting. Maybe this one will become invalid too. I hope so.

Before this rant can even begin, I have to tell you about the moronic law that was passed by the UK government a few years ago regarding cookies. And before I can talk about that, I want to just cover the basics to make sure you're on board about what a cookie actually is.

Imagine you're in a queue at your local council. There's a man shouting at one of the desks. A woman with too many children is struggling to silence them. Little wooden beads on red metal wires have long lost the interest of any infant who would have played with them. You're tired, your knees ache as much as your head. You want to sit down, and you can, because the queue uses paper tickets.

These paper tickets are a lot like cookies, and are subject to the same rules. It's your responsibility to hold on to it. Nothing stops you tearing it up, throwing it away or giving it to someone else. You could tell the establishment that on principle, you do not accept paper tickets. Fine, but they would probably take no notice, and you would never advance in the queue.

When they announce who's next in the queue, they do so over an insecure channel (a loudspeaker, or a display board that everyone can see). Nothing stops you scribbling out your number, forging someone else's, and getting to the clerk's desk first. They might notice your handwriting, and this is one way that cookies differ from paper tickets: there is no handwriting.

At the end of your visit, it is expected that you throw away your ticket. It was intended to last for this session only. It has expired, but there's nothing stopping you keeping it.


Queues and raffles use paper tickets to identify you, and there are two reasons we don't complain and argue about privacy:

Similarly, most of the time with cookies we want to be identified. Here's another analogy.

I go to my bank to make a withdrawal. I show my bank card or passbook to the cashier, or I sign some paper, and convince her that I am the owner of the account. Then she does the transaction and hands me my money. Why should she trust that the person she handed the money to was the same person who proved they owned that account? Because I was standing there the entire time.

But when we browse the web, each page view is a separate request to the web server, and initially there's no indication that it's the same person making each request. This is a little like me walking into the bank, saying I'd like to make a withdrawal, and then leaving. A moment later I walk back in and show my bank details, then leave. I enter for a third time and expect the money to be handed to me. Well, maybe they still would if I was easy enough to identify. My hat and glasses might be unusual enough to single me out, but anyone could fake those.

My facial features are probably harder to fake, but I can't change them. Not without a certain amount of pain anyway. So if a criminal found my doppelgänger, or gave someone plastic surgery to look like me, they could swindle me repeatedly. Every time I left the bank after a transaction, they could walk in and say, "Me again, I'd like to empty the account." And they could do this every time, until I changed my face.

On the internet, these identifying clues are things like what browser you're using (hat and glasses?) and your IP address. IP addresses are difficult to fake, but not unique - yours can change, or you may even share it with the rest of the office.

So we come to the concept of logging in. I prove to a website who I am, once, by giving my password. In return they hand me a cookie. This is identical to the paper ticket, except instead of assigning numbers sequentially, they choose a very large random number that (hopefully) is impossible to guess. This is called the session ID. I show this session ID with every request, and the website believes who I am.

Of course if the channel is unencrypted, anyone listening could steal that session ID and pretend to be me. But encryption is outside the scope of this rant.
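The login exchange described above, sketched server-side as an added example (not code from this site). The 30-minute lifetime, the cookie name `session` and the `HttpOnly`/`Secure` flags are assumptions the post does not specify; the expiry check shows why the server, not the visitor, has to stop honouring an old ticket.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 1800   # assumed session lifetime in seconds (not from the post)
_sessions = {}       # server-side table: session ID -> (username, expiry time)

def log_in(username, now=None):
    """Call after the password check; returns the Set-Cookie header value."""
    now = time.time() if now is None else now
    sid = secrets.token_hex(32)   # 256 random bits instead of the next ticket number
    _sessions[sid] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = sid
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # not readable by page scripts
    cookie["session"]["secure"] = True     # never sent over an unencrypted channel
    return cookie["session"].OutputString()

def who_is_this(cookie_header, now=None):
    """Map a request's Cookie header to a username, or None if not logged in."""
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" not in jar:
        return None
    sid = jar["session"].value
    entry = _sessions.get(sid)
    if entry is None:
        return None               # a number the server never handed out
    username, expires = entry
    if now >= expires:
        del _sessions[sid]        # the visitor may keep an old ticket;
        return None               # the server is what stops honouring it
    return username

def log_out(cookie_header):
    """Forget the session server-side, whatever the browser does with the cookie."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if "session" in jar:
        _sessions.pop(jar["session"].value, None)

if __name__ == "__main__":
    header = log_in("alice")          # constructed user name
    ticket = header.split(";")[0]     # the name=value pair the browser sends back
    print(header)
    print(who_is_this(ticket))
    log_out(ticket)
    print(who_is_this(ticket))
```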

There are other uses of paper tickets, and there are other uses of cookies. This website, for instance, uses cookies. The title images are re-drawn in a different font each time you visit. The only way to do this is through a cookie – the images themselves check and set this cookie, and all it contains is the name of the font. This makes all of the images on the home page the same font, but when you close your browser and visit later, they will all be in a different font. This cookie does not identify you in any way.

Another cookie this site uses is to optionally disable the fade effect between pages. This task could be better achieved through HTML5's localStorage, since there is no need to send this information to the server, but I use a cookie for maximum compatibility (and I wrote the site before localStorage existed).

In both of these cases, if you refuse the cookie I don't care, it's only your user experience which will be affected.



If you're thinking that all this about cookies is super-obvious, I'd agree with you. But apparently the folks in charge have no idea about what cookies are or what they do.

Tracking, and the Right Thing To Do

If websites can identify you, of course they can track you. Your browser is only supposed to show the cookies to the website that set them, but companies get around this by embedding frames to other domains. But if you don't want to be tracked, don't play the game! Remember that you are in control of what your cookies are and what they do.

The need for cookies and their legitimate uses means that disabling them entirely is not an option. In addition, most websites that want to track you will punish you for not accepting them – you'll always be stuck at the back of the queue. But there's a way of satisfying all these sites without letting them track you:

As simple as this seems, it solves all problems. Tracking cookies are normally set with expiry dates several years in the future. By accepting them for the session the website functions perfectly, but when you close your browser it completely forgets who you are. The next visit it thinks you're a new customer. For certain forums and sites that I really do want to stay identified (logged in) I white-list them and they behave perfectly too.

This is how I've had my browser configured for more than ten years. This is what everyone should do. But it seems that almost no one does.

The Law

Instead of educating everyone on the ways of the online world, the government brought in a baffling law. It's baffling because I cannot tell if it was devious in its motives, or just good-willed and moronically stupid.

It seems that the law stated: all websites that 'use cookies' must tell you that they do so.

(I actually tried to look up what the law said exactly. It was brought in as "The Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011" and was again amended in 2015. However the two minutes I spent trying to read these documents was not sufficient to get past the legalese. I'm basing my rant on what companies and websites actually do.)

I'd wager that 99.9% of websites use cookies in one form or another, so what, every website in existence has to warn you? Apart from anything else, anybody ignorant enough to learn something from these warnings is unlikely to care and will just close it without thinking. And since every website will have this warning, it becomes meaningless. To close the box you have to 'agree' to their terms – convincing the user that it is the website, not them, that is in control of their cookies.

BBC cookie message

I like the BBC, and I think this message and their system is well-intended. But those 'settings' are all cookies, and by 'accepting' them you are handing control over to the website as to whether or not you are tracked. Would you rather meekly ask a website not to track you, or simply prevent tracking from being possible in the first place?

Google cookie message

At least Google doesn't bother with the pretence of giving you a choice.

The Joke

None of this post so far has been rant. All of that above was just preamble. I thought that the people of Britain would rise up and overthrow this idiocy. You want to know what grinds my gears? You want to know the great irony to it all?

In order to close that warning box, the website has to remember that you've closed it. How does it do that? Via a cookie of course.

Yes. You have to permanently accept a cookie, or else always be hounded with the same message about cookies every time you visit the site. Anyone who has their cookies set up the correct way, as I described above, will be punished for it by being shown a message about cookies every time on every site they ever visit.

I have put up with these messages for years. No one cares because everyone else is willing to play the game.

The result of the law is that ordinary people continue to be tracked, and people who do the right thing are punished for it. Since tracking data is so valuable to marketing companies, and it would be a disaster if everyone configured their cookies the correct way, I cannot help but suspect an evil motive behind the law. Either that, or the people in charge are just really, really stupid.
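The "accept for the session, white-list the sites you trust" setup from the tracking section, and the cookie-notice irony above, modelled as a toy browser cookie jar. This is an added example, not code from this site or from any browser; the hosts, cookie names and values are constructed.

```python
from http.cookies import SimpleCookie

class SessionOnlyJar:
    """Accept every cookie for the session; persist only for white-listed hosts."""

    def __init__(self, whitelist=()):
        self.whitelist = set(whitelist)
        self.cookies = {}   # (host, name) -> (value, survives browser close?)

    def store(self, host, set_cookie_header):
        parsed = SimpleCookie()
        parsed.load(set_cookie_header)
        for name, morsel in parsed.items():
            wants_to_persist = bool(morsel["expires"] or morsel["max-age"])
            # The lifetime the site asks for counts only if we white-listed the host.
            keep = wants_to_persist and host in self.whitelist
            self.cookies[(host, name)] = (morsel.value, keep)

    def header_for(self, host):
        """Cookie header this browser would send to the host."""
        return "; ".join(f"{n}={v}" for (h, n), (v, _) in self.cookies.items() if h == host)

    def close_browser(self):
        self.cookies = {k: c for k, c in self.cookies.items() if c[1]}

# Constructed Set-Cookie headers; hosts, names and values are made up.
TRACKER = ("ads.example", "uid=7f3a9c; Max-Age=157680000; Path=/")    # 5 years
FORUM = ("forum.example", "login=tok123; Max-Age=2592000; Path=/")    # 30 days
NOTICE = ("news.example", "cookie_notice_dismissed=1; Max-Age=31536000; Path=/")

def banner_shown(jar, host="news.example"):
    """The site shows its cookie notice unless the dismissal cookie comes back."""
    return "cookie_notice_dismissed=1" not in jar.header_for(host)

def two_visits(whitelist):
    """Browse, dismiss the notice, close the browser, then visit again."""
    jar = SessionOnlyJar(whitelist)
    for host, header in (TRACKER, FORUM, NOTICE):
        jar.store(host, header)
    first = (jar.header_for("ads.example"), banner_shown(jar))
    jar.close_browser()
    second = (jar.header_for("ads.example"), jar.header_for("forum.example"), banner_shown(jar))
    return first, second

if __name__ == "__main__":
    print(two_visits({"forum.example"}))
```

On the second visit the tracker sees no identifier and the white-listed forum login survives, but the cookie notice is back because its dismissal cookie was session-only too.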



Next time, on mitxela.com/rants: Google's crusade on unsecured websites – not everyone has something to hide.

Tune in in another seven years.

Out with a Haiku

25 Sep 2009

This was once a blog.
It might have been amusing
but now it is dead.

I got rather bored
of writing crap about me.
Hence no more updates.