Foo Hack » In the Minds of Users Isaac Schlueter on Web Development Tue, 03 Nov 2015 06:34:16 +0000 en Routers and Ethics Fri, 25 Jul 2008 17:35:46 +0000 Isaac ...Read More]]> I just moved into a new apt, and my neighbor has a wireless router that is completely open (no MAC whitelist, not even WEP or WPA). shows me the Netgear login screen, and the default Netgear password works. Curious and a little concerned, I logged in and poked around.

They have all the default settings, and the logs just show the same two computers connecting over and over again. Clearly, they bought it, plugged it in, it worked, and so they stopped caring.

We all know what the unethical course of action would be. You could easily route every bank’s IP address to a phishing site. Or, just install a packet sniffer on the router that will faithfully log any POST requests that they make, then look for anything looking like a password. If they use the same password twice, try that password everywhere. Once you have access to their email, game over.

If you just wanted to be annoying, you could block access to all the most popular websites for the 15 minutes when they always seem to connect, so that it’ll start working seemingly randomly just about the time that they’re calling the cable or DSL company in a huff. Or, expose their computer to the internet and just wait for various bits of malware to wriggle in.

Those are all of course completely evil. The real question is, do you protect them from their own ignorance? Do you leave their wifi network completely open, or lock it down? And, do you change the password?

I decided to leave their network open. If they want to share their internet connection with the world, far be it from me to tell them they can’t. That’s a lovely thing to do for the universe. And I don’t see a problem with using it once in a while until I get my own set up.

I did change their password. Clearly, that doesn’t matter to them. I know better, they don’t, I’d want someone to do that kind of thing for me. It’s a little presumptuous, but it also might keep them from being victimized by identity theft.

There’s an interesting lesson here. No one likes your control panel. Most users will use the defaults, always. These kinds of things are nice when you really want fine-grained control, but completely annoying, complicated, and tedious for most users. They just wanna check their email, play some scrabulous, download some porn, and go back to their normal non-technical lives.

We can of course blame the victim. How could they be so stupid to have their router open to the world. Don’t people think?!? But it would be very hypocritical for me to say that, and I don’t think I’m unusual.

  • I have never read the owner’s manual of a car I’ve driven.
  • I have only a few times read the full drug information on any medications I’ve been prescribed, and then only because I was really bored.
  • I plug it in. I turn it on. I only mess with it if it’s broken (or interesting.)

The difference is that, in any of these cases, the default value is not likely to be harmful. If you don’t change your oil at the right time, your car’s performance will suffer; but as long as you change it once in a while, it’ll keep moving. If a doctor is prescribing a medication, it’s probably not going to kill you, and if there’s any serious risk, they’ll usually tell you what to watch out for. Most electronic devices don’t have access to your bank accounts.

As software and hardware engineers, if our defaults put users in an unsafe situation, where their credit and savings are placed at risk, then we’ve failed them, and we’ve acted unethically.

Whiting out ads: Is AdBlock even Necessary? Mon, 17 Sep 2007 17:01:49 +0000 Isaac blocking Firefox users because they feel that the AdBlock Plus plugin is "tantamount to theft." This attitude is woefully wrongheaded---even without the plugin, you can't stop Banner Blindness. ...Read More]]> I read an article last week in the New York Times about AdBlock, a Firefox plugin that whites out ads if they are served from certain large advertising servers. Apparently, a rather large number of people are getting very vocal and outraged at this, calling it theft, and so forth. They’re even blocking Firefox users from visiting their sites. (Via a Twitter update from Jeff Atwood.)

I found it somewhat interesting that the Big Three (Google, Yahoo!, Microsoft) in the online advertising business seem to have no comment. Also, I wasn’t surprised. At least here at Yahoo!, it’s pretty well known that online advertising is not as effective as high-quality partnerships when it comes to driving revenue. The entire “brand universe” thing is all about getting a brand’s fans to interact around the brand, and thus drive interest. Advertising is secondary to building a strong relationship with the partner. The reason why search marketing is so much more lucrative than rich media ads is that some users actually notice textual sponsored search results, because they are so often relevant.

The “Block Firefox” crowd is misguided, but not for the reasons that AdBlock’s defenders tend to cite. Ultimately, AdBlock doesn’t matter. If your main revenue model is from “dumb” ads—even if they’re YPN or AdSense, which are some of the smartest “dumb” ads on the market—then you’re bound for failure, or at least mediocrity. At the best, unless you work the system and create thousands of adsense-spam sites, or you’re in the Viagra business, your ads will be ignored and you’ll never make very much money. At the worst, you’ll damage your brand and your users will move on. (Note that “smart” ads can potentially be much better. I actually think that Jeff Atwoods ads on Coding Horror are helpful fairly often—but I still don’t see them most of the time.)


As far back as 1997, research showed that users ignore advertisements with alarming consistency. Banner Blindness is so pervasive that it makes “highlighted” text invisible and even affected the results of an election.

As Nielsen so aptly pointed out, the election was not a case of “stupid voters.” It’s a case of normal, intelligent people, habituated to a specific set of situations, falling victim to a stupid design that isn’t ergonomic. “In fact, tech-savvy voters are more likely to be hit by banner blindness than people who never use the Internet.”

There are plenty of cases like this. The conventional wisdom about the best places to put things is often wrong. Recently, I needed to look up a word. I usually use Merriam Webster, but their site was taking a long time to respond for some reason. So, I punched up And I, an extremely web-savvy user who has spent about 70% of his waking hours over the last 15 years online, sat and stared at the screen for a full 5 minutes before I could figure out how to get a word defined.

That bears repeating:

On, it took me 5 minutes to figure out how to get a word defined. In that amount of time, I could have found the word in a paper dictionary. Major catastrophic UI failure. Dead on the table, flat lining, going towards the light. The nurses are pumping the bag on its face, but there’s no use. The old battle-hardened UI surgeon comes in the room and proclaims, “He doesn’t need a doctor, he needs a priest.”

How is this possible? Well, in a classic fit of hubris, they put the input field up in the header, most likely on the (extremely incorrect) assumption that “that’s the most visible spot.” Wrong, wrong, wrong! The header is for your logo, navigation, and maybe some useless doodads. It is nearly the least visible spot on your page, especially if its colored differently than the rest of the page! If your site is called “”, then the dictionary is main content, and that goes dead-center on the page, where the user’s eyeballs will fall if they’re looking straight ahead. In fact, it would be better to take a cue from Google, and have nothing but the input box on the page.

To make matters worse, just below the header, they put an advertisement. My mental adblock kicked in, and blanked out the header and the ad—completely and organically obscuring the input field from my mental model of the page. Worse, the field is labeled “search”, rather than something more useful like “enter your term”. When I did find the field, my instinct was to type “get definitions” or something like that. (I didn’t, of course—I’ve been trained over the years to cope with bad design.)

Fast Forward — 99.9% Wasted

On television, many people either zoom past the commercials on their DVR, or they leave the room, or, even more often, they just ignore them. The more you watch TV, the less you interact with commercials. The more often you use the web, the less you need AdBlock, because the easier it gets to ignore the ads, to the point where you don’t even notice that they’re there. The thought of intentionally clicking on a banner ad is on par with walking to work naked.

There’s an old saying, “I know half my advertising dollars are wasted, but I don’t know which half.” Online, it’s not half, it’s 99.9% wasted, and with click-through tracking, you know exactly which 99.9%. Your money is wasted when you buy banner ads, because users don’t see them. That’s not to say that advertising online is a waste—it just has to be done smarter, because the users adapted almost immediately.

Take, for example, Smirnoff Green Tea. The “ad” (and the West Coast response) came out long before you could buy the product in stores. They uploaded the videos to the internet, and let users pass them around. The trick is, users wanted to see these ads, because they provided real entertainment value in addition to very subtly pushing a product. Or, look at the BMW short directed by Guy Richie and starring Madonna, or the other BMW vids with Clive Owen. They’re too slick to be an ad, and funny enough for everyone to tell their friends about it. And they just happen to make the BMW M5 seem like the coolest car on the road.

In a less high-budget approach, consider the snippets above the message-list in GMail. About 80% of the time, they’re the things that I chose to put there: Slashdot and other news feeds, mostly. That other 20% of the time, they’re contextually related to either the news feeds that I normally view, or the message(s) I’m viewing now. I see those, because my brain doesn’t see them as an “ad”, but rather as potentially relevant content that I may be interested in.

Evolved to Ignore

Millions of years of evolution has made us very good at picking out relevancy in a sea of details. Once upon a time, it helped us find the materials to make tools, the footprints of our prey, and the plants that were edible. Even as you read this sentence, yuor brain will likely skip right over the spelling error, since it doesn’t matter. A human only has so much attention and mental energy, and survival depends upon the judicious use of it. The more information you’re exposed to, the more noise you have to tune out, and the mental cost of making these choices ads up quick. So, we delegate certain rules to the subconscious, like “Ads are always pointless. Flashy text is a gimmick. Don’t bother me with it.” The ad doesn’t even make it to the conceptual level of analysis—somewhere between the eyeballs and the higher brain functions, it hits a spam filter and gets discarded.

Wladimir Palant said it well: [T]here is only one reliable way to make sure your ads aren’t blocked — make sure the users don’t want to block them.

I’d go a step further than his statement: Even if the “block firefox” crowd were to find a way to detect AdBlock, it wouldn’t matter. I used to find online ads annoying. Now I don’t find them anything, because I can’t see them, and as such, I’ve never felt a need to install AdBlock. (The occasional rich-media ad that breaks the page layout does annoy the piss out of me, though.) There will never be a way to block users who ignore ads, and the percentage of people who are completely blind to ads will continue to increase as more people use the web. The revenue stream, which has been drying up since the 90s, will get ever drier as more brand owners realize that there are more effective ways to meet their marketing objectives. If AdBlock is relevant to your site, you’re already in trouble, and it’s just going to get worse from here.

Font Size vs Zoom — The only thing that’s wrong with YUI’s grids.css Mon, 10 Sep 2007 17:00:54 +0000 Isaac ...Read More]]> In the course of a recent code review, I got into a discussion with fellow Yahoo Webdev Nate Koechley, the engineer behind the YUI grids CSS.

YUI Grids is designed to give the developer a few microformat-style grid layouts that can be easily mixed and matched to create many different types of pages. It does something like what Blueprint does, but without a lot of Blueprint’s problems. I’ve been using it since it was released for internal use back when I was first hired here, and have really come to love the skeleton that it provides for building a page.

However, there’s one mistake about it that I routinely alter in my pages’ CSS. Standard or not, I have a personal gripe with flexible layout pages.

As someone with just-correctible-enough-to-drive vision (and maybe not even—I have a lot of trouble with street signs at night), I frequently bump up the font size in my browser. A big selling point that got me to use the very buggy beta Firefox 0.2 was that it could increase the font size of ANY web page, whether the designer “allowed” it or not.

People like me don’t browse from page to page with the font size increased. I scan through headings and links, and when I find something interesting, I increase the size to read it, and then zoom back out when I’m done. (Sort of like the iPhone: zoom into the newspaper article, read it, and then zooms back out to see the whole page.)

When I do this, I can’t stand for the columns to change widths. It drives me crazy. I add this to my CSS almost every time:

#doc {

When I say that it’s the “only thing that’s wrong with grids.css,” I really mean it. I can’t praise it enough, and highly recommend that every developer use it on every page they build. But fix the width.

On Aug 10, 2007, at 9:15 AM, Nate Koechley wrote:
Tell me more about this. In general you prefer the page width to be fixed even as the text within it grows? I definitely understand that the introduction of a horizontal scroll is bad, but you dislike expansion even before it exceeds the vierport’s size? [sic]

Short Answer: Yes and yes.

Long Answer:

This is a tricky issue that the hardware and software worlds just don’t address very well. (Hopefully they will someday.) To make things more complicated, every user thinks that they’re 100% dead-on right, and we all seem to have a slightly different opinion about how it should work. I don’t claim to be an expert typesetter, but it is an ergonomic issue that I regularly run into and think about quite often.

Line Length Measurement

You hear stuff like, Lines of text should be about 4 inches (500px, 50%, etc.) wide at the most to be readable. Really, that’s not the case. Look at a billboard—the ideal text width there is about 30 feet, some 10000pt font-size, or a skywriter which is even longer and bigger. Just consider how many millenniums it took for hand-written text to reach a good state, and then how many centuries it took to really apply those learnings to machine-printed text. If you want to see text layout done very very well, look at the print world.

Visually, size is measured in degrees. A column of text should be about 10-15 visual degrees. (10 degrees is about the width of your fist at full arm’s length.) The font size just needs to be big enough that you can make out the letters at whatever distance away you have to move the page to get it to that 10-15 degree width.

Lines that are shorter than this are easier to scan for relevant details, but harder to “savor.” That’s why newspapers usually have very narrow columns and text in books takes up almost the whole page. If the column is too narrow, you’ll tend to bring the page closer to your face–which is why newspapers can get away with very small text. It’s rare that someone reads a newspaper at arm’s length. (As people get older, and the muscles that focus the eyes on items up close start to weaken, many will wear glasses to zoom the text up to a comfortable width for reading at arm’s length.)

Physical Resizing

So, the width of a column should be about 10-15 degrees for most text (narrower for “scannable” stuff, like sidebars and alerts, wider when we are being really thoughtful and analyzing the concepts.) We’re unconsciously going to “zoom in” by moving closer to the target until this ideal width is reached. The font size should be such that it can be read easily from a distance that brings the visual column width to a comfortable range. So, you slide your chair until you’re at the right width, and then adjust the font size. Or, you resize the browser until the columns are where you like them, and then move the font around until it’s readable.

Most of the time, this is largely unconscious, which is good. However, you almost never want the line length to scale up with the font size, because the line length is already good—but the text is too small for the eyeballs to focus on it. (If it’s not, then you really need zoom, not a font-size change.) When I bump up the font size on a YUI grids page, the line length expands to occupy about 30 degrees of visual space, which is too much. The natural instinct is to slide my chair back, which means that I can’t read the text easily, or more likely, just get annoyed and move on.

This also ties into discussions about wide-screen vs. multi-screen, pixel density, and maximize behavior. Even if we say that we want to always have a fixed width, what may be perfect on one display may be obnoxious on another. I have a 24″ monitor that is 1920px wide, but my browser window is usually around 1024. Sites that work well on 1024×768 (or 800×600) will be abusive on a 50″ 1080p HD display, and vice versa. What we really need is a way to easily zoom in and out with one action, and adjust the font-size as a separate action. Also, it has to be so easy to do both that the user is hardly aware of the work involved—that’s the really hard part.

Moving Forward

Browsers tend to blur the distinction between zoom and font-size; they get users and developers to share in the error by frequently saying one when they mean the other. Opera Mini on my phone has a “zoom” feature that only changes the font size. IE 7 zooms images and column widths when you change View > Font Size. In the 2 seconds here and there that I’ve managed to play with it, it seems like Safari on the iPhone is probably the best implementation to date of zoom and font-size both done independently and well. OSX provides a “zoom” feature that’s pretty easy to use, but it feels klunky to zoom the whole OS just to read a web page.

Kathy Marks wrote up a great list of the best fonts for the web, and also has some great resources at the bottom of that page about typography. And of course, there’s iA’s classic article: Web Design is 95% Typography.

I should point out that full-width designs are good for some particular cases, but probably wrong for most. In the cases where it makes sense to size the page to the browser’s width, I don’t think it falls into this sort of problems. Flexible-width pages, however, are a nightmare. Fixed-width isn’t perfect either, but it’s better.

What we really need is separation between “zoom” and “font resize.”