I am in the process of creating a new Firefox add-on that will hopefully change a bit how we navigate some sites. Until now, keyboard navigation for the vast majority of sites has been simply unusable. Even though websites have a layout that can easily use a keyboard, it often relies on either remembering shortcuts or tabbing through. You are almost exclusively limited to a mouse when using a full-featured browser such as Firefox, Chrome, and IE.

Personally, I hate using the trackpad on my laptop. After extended use, the heat and the friction take a toll on my fingers. I have an external USB mouse, but that often becomes a bother as the laptop is moved around from one location to another. Yes, wireless mice, but again we’re not really fixing the problem.

For simple navigation, it’s almost a crime that I cannot tab between links and major components of a web site’s navigation.

The tabindex HTML attribute has gone largely unused when browsing the web. Perhaps for a myriad of reasons – it’s hard to re-order manually, and for many web developers it’s not worth the time or effort.

Even for everyday use, it becomes ridiculous how crappy it the tab key can be. Think about this:

• For a Google search result, the tab key must be hit 12 times before it focuses on your search text. Another 3 tab strikes before it takes you to the first result. Another 5 times or more to get to the second result – not counting Google’s quick links.
• For planet.mozilla.org, each tab key will go through every anchor link in each person’s blog post. Oh, and it takes 6 tab keystrokes to go to the first article.
• For reddit, it can be a little better. If you just use tab, you’ll go through each “share” link first. Which is stupid. If you activate “jump to content” it will go through image->link->domain->usersubreddit->comments. Which is still a lot for one result.

This is how I would order the tab key on a Google search result:

Possible tab order on google

I would probably use the top Google bar the least when doing a google search. Each time you hit tab, it will cycle through the search box, 1st result, 2nd result, etc. until you hit n-th result.

This would be great in an ideal world. A Firefox extension could do this, but for my purposes my extension does not do this. It doesn’t map the tab key. It instead uses the key right above it. Like tab, CTRL+` will cycle forward and SHIFT+~ will cycle backwards.

I call it tabcomplete. It’s not as pretty as tabcandy. I think a large part of my user-base wouldn’t be most users. Users seem content on using the mouse, and that’s fine. But for a guy who works in vim, this is a nice to have extension.

I’ve been listening to a few music podcasts, mainly TATW and ASOT, and am really enjoying some tracks (were have you been all my life Bart Classen? Oh. In the Netherlands…). And I really want to have some in my iPod Cowon iAudio 9.

This was not easy.

I really do wish to support artists, I really do. I purchased a ton of CDs (400+ songs, and yeah it cost me >$400) because I can’t always go to their concerts. I want to avoid having to illegally acquire this stuff. But it feels that I can only do it on their terms, for crappy technical boner-inducing-big-brother reasons, and I have to sacrifice my requirements.

What are my requirements? High bitrate MP3/WAV/FLAC. No DRM. I vote with my wallet a lot, and this is something I can get behind.

Really, I want to pay you. I was even willing to pay trackitdown.net a premiuum of $2.50USD for a WAV (for something I probably can’t hear the difference between). Oh, until I found this little gem :

All of the tracks downloaded through our website are ‘watermarked’ with a special form of copy protection that uniquely identifies the owner of each track.

– trackitdown.net HowTo (How to suck apparently)

I know I’m a little bit of a niche. Forgive me for going against the status quo and not buying on iTunes and wanting it under a free (as in speech) lossless codec. But honestly, anyone who wants your music for free gets it for free. I’m going out of my way to try to pay you and be fair to both of us about it.

Luckily, I have found BeatPort, which almost fits my needs. I dislike their flash-only website, having manually to convert wav to flac and fill in metadata, and the unfortunate restricted tracks for some songs. But they seem to be the most fair – to me at least.

(originally posted in February, but got lost in time)

I have been busy making my own implementation of SHA-1. To better learn about why so many people depend on it for basically everything from SSL to tamper detection mechanism. I have a bigger project idea, but that is not important right now. What is important is that SHA-1 does everything in big endian, and I am on x86-64 which is a little endian machine.

Remember that a big endian machine has the most significant byte first, and little endian has the most significant byte last.

For example, let’s say I want a 64-bit integer to hold the number 1. This is how it’ll be stored:
Big endian:
1 = 0000 0000 0000 0000 0000 0000 0000 0001
Little endian:
1 = 0001 0000 0000 0000 0000 0000 0000 0000

SHA-1 stores the size of the message as a 64-bit integer in the last block during padding (each block is 512 bits). Since I have a little-endian machine, I wrote a function that correctly switches endian and now, the 1 appears as the as it should.

However, SHA-1 loops through each block in 32-bit integers.

*((unsigned int*)0000 0000 0000 0000) = 0
*((unsigned int*)0000 0000 0000 0001) = 16 million and change on little endian machine instead of 1 as I expect

so the second time, I have to do another endian change, this time a 32-bit endian change, so that it appears as :
0001 0000 0000 0000

so I get back 1.

This is a PITA, and a frustrating one. Mainly because I couldn’t figure it out for a few days. But feel so accomplished for figuring it out. Accomplished and embarrassed.

I have been suspiciously absent from my blog, even though I don’t blog very much. Truthfully, I have been getting a lot of nothing done. Socially, the experiment is a failure, as I haven’t been able to make new friends. Relationship with my ex is still in a wild state of flux (we almost went a whole month without a fight!), and I have gone completely AWOL on any contributing to AMO.

On the positive notes, I have and continue to learn more about cryptography even though I haven’t finished (hell, you can say I barely started) reading the Handbook of Applied Cryptography which is a fascinating book that is low level. I have finished, and testing, a working implementation of SHA-1 and MD5 hash. It’s for a slightly bigger project that I had in mind.

My work is going very well. Since being assigned Tester/Release Manager (it’s not quite as involved as Mozilla release manager, believe me) I have been learning about NSIS installers and C++ testing frameworks, which is always fun and exciting and strange.

Moving on, I hope to have a working implementation of AES in March, even though I am mathematically challenged and will have no practical solution for it (it will be a solution without a problem). There are still several bugs assigned to me in Remora that I plan on finishing. I will still need to make a actual effort to get socially involved. I still have two goals that really should have started in January that includes:

• Getting my gun licence
• Going to the gym

My work will also be evolving soon to tackle our next release of the SmartSwipe. Totally not sure how much to give away, but it’s a tight deadline.

Ah, it feels good to reflect back on the last few months and have a plan for the future.

If you ever want to use a crypto library in Python, you’ll be sad to note that there isn’t one built into Python impressive repertoire of modules. In fact, you’ll most likely hit pycrypt on your Google search to find one. And there is some dirty work you’ll have to do if you want to use symmetric cryptography using this library. And one of the hard/easy parts is knowing the difference between ECB and CBC.

Here, we start initializing the AES object using CBC mode:

>>> from Crypto.Cipher import AES;
>>> aes = AES.new('some key here', AES.MODE_CBC, 'INIT_VECTOR')
Traceback (most recent call last):
File "<console>", line 1, in <module>
ValueError: IV must be 16 bytes long

oops. You’ll have to make you’re initialization vector 16 bytes long. Also, your key has to be 16, 24, or 32 bytes long as well. Let’s do something better :

>>> aes = AES.new('J2-+sfd%932mIt:{', AES.MODE_CBC, 'wir&/>H54mgd9a";')

ah! much better. Even if it was me smashing my hand against the keyboard. Now let’s encrypt/decrypt something important.

>>> aes.encrypt('the answer to life the universe and everything is 42')
Traceback (most recent call last):
File "<console>", line 1, in <module>
ValueError: Input strings must be a multiple of 16 in length

You’ll have to do the dirty work remember:

>>>> ciphertext = aes.encrypt('the answer to life the universe and everything is 42195479204957')
>>> ciphertext
'f0\xa9\xf9f&X)\x0e\x08=\x06\x97\xcbF\xddK\x1a\xa6i\x1d\x02"}\xd9\\\xaa\xb6\xd9J\xe3Q\x07\xaev\x012\xbf\rPN\xd2\xf9\xf7$\x93\xe0/\xcb\xae9\x91K\xd01\xab\xb7\xdb\reR\xff\xef\x1c'

Much better. Now lets decrypt it:

>>> aes.decrypt(ciphertext)
'\xc8\xaf.\x97\x05\x80\n\xe9\xe6\xc4Ju\x04\xbe\xa1Nfe the universe and everything is 42195479204957'

Woah! That isn’t the whole message! So what’s going on?

Remember that initialization vector you set in the beginning? That sets the stage for the first block. But each block becomes the initialization vector for the second block, and so on. So when you decrypt, it is using the initialization vector from the block before. That’s why the first 16 bytes are screwed up. This is a feature of CBC, but not ECB:

>>> aes = AES.new('J2-+sfd%932mIt:{', AES.MODE_ECB, 'wir&/>H54mgd9a";')
>>> ciphertext = aes.encrypt('the answer to life the universe and everything is 42195479204957')
>>> aes.decrypt(ciphertext)'the answer to life the universe and everything is 42195479204957'

And yes, this is a feature. Read the block cipher modes wikipedia article for a better explination. So what’s the answer? Simply, to call aes.new() again before calling decrypt!

I have two wishes for Santa Claus this year: stable software and freshly baked bread.

My first wish won’t be granted. So he is obligated to fulfill the second one for sure. And the second wish is becoming a non-trivial task.

Sasketchewan, where I currently live now, lies in what is considered Canada’s breakbasket. We learned about it in school. They apparently grow a lot of wheat here. Wheat, as you may or may not know, is one of the critical ingredients in most breads.

So why is it that I can’t find a goddamn bakery that makes fresh goddamn bread in the middle of this goddamn breadfactory?

I went to four “bakeries”. Two didn’t sell bread at all, just pastries. One only sold a variety of toast. And the last one, which was only a 10 minute bus ride from my house, and recommended to me by a co-worker, closes at fucking 5pm (isn’t that when most people finish work and fresh bread is something on their mind?)

What the fuck.

When having a discussion with my co-workers about this, here is how they manage to get bread:

1. Get a breadmaker and have your girlfriend make it for you
2. Get your girlfriend, which works in a bakery, to get it for you when she leaves work

Either solution requires a girlfriend. Fuck this shit.

It happened a few days ago, and it was bound to happen sooner or later. My sister could no longer log into her account on her Windows XP machine. When you tried, it went to a black screen with only the mouse cursor shown. The common symptoms of a broken computer, like one caused by a virus infection.

Normally, this sort of thing would be a geeks nightmare. One would have to spend time to fix it or reinstall Windows XP. There are supposedly tools to fix this (System restore and such) but past experience has shown this rarely fixes the problem.

But I was prepared this time. When I first set-up my sister’s machine, I made her a limited user. And it was one of the better decisions I made. I simply created her a new account, and everything worked and she was happy to have her computer back with AIM and MSN and iTunes (though not the music, though that can easily be copied over).

This has some pitfalls. I have to log in to do random stupid stuff like change the clock time, install new software, and update Firefox. But these hassles, even when combined, have paid off for themselves by not having me sit in front of a broken computer.

Managing her account from Regina is gonna be hard though. And I don’t have much time to resolve this problem.

Yesterday, I accepted an offer to work at NetSecure Technologies which is a company based in Regina doing Firefox extension and C# work (mainly the former. I never worked with the latter, and they are aware of that). This also means I have to relocate to a city who I know nothing about. In fact, I will likely be a typical snobby Torontoian for the year contract that it is for.

Unfortunately I will be leaving my current employer PPX. Good people. But I am excited about my new job responsibilities, and think it will be a better fit for me.

This was originally written early September. The patch was live late September. And 4 weeks of results later, this post. My apologies if I mixed past and present tense

The number of add-on downloads was always an interesting figure to me. Over several months, one of my add-ons was getting over 100 downloads a week without any promotion. But my ADU remains almost constant every week. It may increase by a few, but compared to the number of downloads, it only seemed like I got an abnormally low number of conversions. Less than 15% of users who downloaded my add-on turned into a ADU.

This didn’t seem right, so for 0.7 release of Safe extension, I added some code that sent me some info whenever someone uninstalled from the Add-ons Manager.

According to the add-ons dashboard, I had 78 ADU users for version 0.7 (submitted 2009-08-14. Averaged over a period of 1 week.).

How many downloads since it was uploaded? About 659 (I likely uploaded it late evening, so it might be less then that). So about 11% of the users that downloaded the extension didn’t uninstall it. But how many users chose to uninstall it using the Add-ons manager?

Ten.

So what of the other 500+ users? How did they uninstall my extension? I wondered whether web crawlers were downloading my extension. 500 seems like an awfully big number. Maybe a broken crawler? Well, actually, it turned out that AMO’s robot.txt did not exclude robots from downloading extensions at all. And how often a crawler visits is determined by the provider. Google cache takes a snapshot around once every week for me.

I realized that these numbers won’t be accurate because there are more ways to uninstall an add-on, including new profile or deleting the add-ons folder from the profile. But these seem like rare cases. Certainly not responsible for such a misleading number.

I filed and fixed a earlier bug to have robots.txt exclude crawlers from the /downloads/ path of each of our localized versions of AMO.

After 4 weeks, my stats have leveled off and the number of downloads have dropped by about 10 a day. My add-on downloads dropped from >10 to about 3 a day. This won’t be considerable to popular add-ons (AdBlock Plus shows no difference, they are still getting 80,000 downloads a day). Looking at the statistics on AMO, total downloads have dropped over 100,000 a day since the stuff went live last month. Good stuff.