Hard Work & Troublemaking

We want them to be skilled grammarians and wordsmiths and write bright and engaging headlines and must know Quark. But, often, when push comes to shove, we will let every single one of those requirements slide except the last one, because you have to know that in order to push the button at the appointed time.

Hank Glamann

The co-founder of American Copy Editors Society made this observation about ads for copy editor positions at American newspapers. Quark is the eponymous publishing software of Quark.

3 Ways Sites Know You’re Giving Them Fake Information

When it comes to forms on Web sites, they certainly seem to be thorough and demanding. They require certain details to seem accurate, and won’t rest until they get it. But how do Web sites know that you’re providing a fake phone number, like 555-1234? Or verify that your credit card is valid before you even submit the form?

Phone Numbers

Phone numbers are one of the many details you’re probably reluctant to give away to a stranger online. As with many pieces of information, the right tools can use a phone number to search through related data, and that search may arrive at your identity, demographic information, home address, employer, etc.

When someone doesn’t believe it’s necessary to give away their phone number, they may decide to use a fake phone number. They try “555-1234” and discover that the form knows!—well, sort of.

The phone numbers in 25 North American countries are detailed using the North American Numbering Plan, or NANP. That plan specifies the Numbering Plan Areas and their three-digit area codes; each Central Office (exchange) is given a three-digit prefix; and finally, there is a four-digit subscriber number. The result is a ten-digit telephone number that looks something like:

(123) 555-4321

So how does a form know that’s an invalid number? NANP has rules about what phone numbers are valid. For example:

  • The first digit in an area code or prefix can only be 2–9.
  • The next two digits in an area code or prefix can be any digit from 0–9. (However, NANP isn’t assigning area codes with a 9 as the second digit.)
  • In geographic area codes (like 503 or 971, not like 800 or 888), a prefix cannot be N11 (where N is any number between 0–9).

So all the validation program needs to do is check whether the number follows every one of these rules, and if it doesn’t, just say “Sorry, that’s not valid.”
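The rules listed above, written out as a form-side check. This is an added example, not code from any particular site; the function name checkNanpNumber, the short TOLL_FREE list used to tell geographic from non-geographic area codes, and the sample numbers in the comments are assumptions made for illustration.

```javascript
// Added example: the NANP format rules from the list above.
// TOLL_FREE is a short, non-exhaustive list (assumption) used only to
// separate geographic area codes from non-geographic ones.
const TOLL_FREE = new Set(["800", "833", "844", "855", "866", "877", "888"]);

function checkNanpNumber(input) {
  // Keep digits only, so "(503) 555-0142" and "503.555.0142" compare equal.
  let digits = String(input).replace(/\D/g, "");
  // Drop the country code 1 when it was typed in front of the number.
  if (digits.length === 11 && digits[0] === "1") digits = digits.slice(1);
  if (digits.length !== 10) {
    return { valid: false, reason: "need 10 digits: area code, prefix, subscriber number" };
  }
  const area = digits.slice(0, 3);
  const prefix = digits.slice(3, 6);

  if (!/^[2-9]/.test(area)) {
    return { valid: false, reason: "area code must start with 2-9" };
  }
  if (area[1] === "9") {
    return { valid: false, reason: "area codes with 9 as the second digit are not assigned" };
  }
  if (!/^[2-9]/.test(prefix)) {
    return { valid: false, reason: "prefix must start with 2-9" };
  }
  if (!TOLL_FREE.has(area) && /^\d11$/.test(prefix)) {
    return { valid: false, reason: "prefix N11 is not allowed in a geographic area code" };
  }
  // Passing means the number could be issued, not that it is in service.
  return { valid: true, reason: "format is possible" };
}

// Constructed sample inputs:
//   checkNanpNumber("555-1234")        -> rejected, only seven digits
//   checkNanpNumber("(123) 555-4321")  -> rejected, area code starts with 1
//   checkNanpNumber("503-911-1234")    -> rejected, N11 prefix
//   checkNanpNumber("(503) 555-0142")  -> accepted as a possible number
```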

But there are limits to these programs. While it’s possible to make a system that will call or text you to verify the validity and ownership of the number (in fact, many services like Twitter or Facebook will confirm the number to make sure it’s really yours), it’s fairly uncommon and can be costly depending on the sheer volume of form submissions.

You can meet the requirements of NANP to produce a possible number, but there’s no guarantee that the number isn’t actually in service. When in doubt, use a company’s own telephone number. The form validator probably doesn’t check for that.

Credit & Debit Cards

Here’s another one that may surprise you. Credit and debit card numbers can be validated without contacting your card issuer’s payments system. Do note that a valid number and a number backed by an account are two separate things.

Let’s start with those forms that automatically detect which network your card is on before you’ve even finished typing your number. That’s actually very simple: the first six digits of your card number aren’t unique. They’re the Issuer Identification Number (IIN), and they show who issued your card. Each network is made up of many issuers, so they can often be detected in the first two digits. For example, any card number starting with 51–55 is a MasterCard; with 4, a Visa; 65, Discover. (There are other numbers for these and other networks.)

Now on to the next part: How can a Web form guess if you’re putting in a card number that could be right? After all, it’s a waste of time (and possibly money, through payment gateway fees) to check every card number with the issuers for validity; there should be some sort of sieve to cut most errors or egregious brute-force attempts out.

Your credit or debit card has a bit of mathematical magic in it, intended to prevent those errors. Not only is it in your credit or debit card, but it’s in all kinds of systems to verify that the integrity of a piece of information is not compromised; for example, if someone accidentally fat-fingers the wrong number during data entry.

In a credit or debit card number, the last digit is the check digit.


The check digit is calculated using itself and all the other digits of the card number using something called the Luhn algorithm, also called the mod 10 algorithm. It’s designed to protect against just those kinds of errors. To show how the validation works, I’ll check an account number.

The card number I’m going to check is 4242-4242-4242-4242. Seems like this wouldn’t be valid on first glance, but remember: a computer doesn’t see the number the same way we do. The card number validator is looking for an answer of 0; if it’s 0, it’s a valid number. If it’s any other digit, the number is bad. To find that answer, it will first take every second digit, counting backwards from the check digit, and multiply them by 2:

4 2 4 2 4 2 4 2 4 2 4 2 4 2 4 2

8 2 8 2 8 2 8 2 8 2 8 2 8 2 8 2

Then, the validator will sum all the digits:

8 + 2 + 8 + 2 + 8 + 2 + 8 + 2 + 8 + 2 + 8 + 2 + 8 + 2 + 8 + 2 = 80

Finally, the validator will get the modulus of the sum and the number 10. That’s a fancy way of saying divide 80 by 10 and look at the remainder. Because 80 is divided evenly by 10, the remainder—the modulus—is 0. The card number 4242-4242-4242-4242 is valid. It’s not associated with an account; actually, this number is a common test number for services like Stripe.

If the account number had totaled 144, the modulus would have been 4 (10 can go into 144 evenly only 14 times); because four isn’t zero, that card number is invalid.

These two checks—the Luhn algorithm and accepted card issuers’ IINs—combined are a sufficient and computationally inexpensive way to check card numbers before the form is even submitted and the final check between the Web site’s payment gateway and a card issuer is conducted.
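The two checks combined, as an added example that is not code from the original post or from any payment service. It goes one step beyond the 4242 walk-through by handling doubled digits above 9 (a doubled 8 is 16, which counts as 1 + 6 = 7). The prefix table holds only the three networks named above, and the 12 to 19 digit length range and all function names are assumptions.

```javascript
// Added example: IIN prefix lookup plus the Luhn (mod 10) check.
// Only the three prefixes the article names; real tables are much longer.
const IIN_PREFIXES = [
  { network: "Visa", test: (n) => n.startsWith("4") },
  { network: "MasterCard", test: (n) => /^5[1-5]/.test(n) },
  { network: "Discover", test: (n) => n.startsWith("65") },
];

function detectNetwork(digits) {
  const hit = IIN_PREFIXES.find((p) => p.test(digits));
  return hit ? hit.network : null;
}

function luhnSum(digits) {
  let sum = 0;
  // Walk right to left; the check digit (rightmost) is never doubled.
  for (let i = digits.length - 1, pos = 0; i >= 0; i--, pos++) {
    let d = digits.charCodeAt(i) - 48;
    if (pos % 2 === 1) {
      d *= 2;
      // A doubled digit above 9 contributes the sum of its two digits,
      // which is the same as subtracting 9 (16 -> 7, 10 -> 1).
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum;
}

function precheckCard(input) {
  // Accept the spaces and hyphens people type between digit groups.
  const digits = String(input).replace(/[\s-]/g, "");
  // Assumption: 12-19 digits is the length range this form accepts.
  if (!/^\d{12,19}$/.test(digits)) {
    return { network: null, luhnOk: false, accept: false };
  }
  const network = detectNetwork(digits);
  const luhnOk = luhnSum(digits) % 10 === 0;
  // Cheap sieve only: a pass says the number is well formed, not that
  // an account exists behind it.
  return { network, luhnOk, accept: luhnOk && network !== null };
}

// Constructed sample inputs:
//   precheckCard("4242-4242-4242-4242")  -> Visa, sum 80, accepted
//   precheckCard("4242424242424241")     -> one mistyped digit, rejected
//   precheckCard("4242424242424224")     -> last two digits swapped, rejected
//   precheckCard("5555 5555 5555 4444")  -> MasterCard, doubled 5s count as 1
```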


Addresses

This one’s actually a bit tricky. Usually it relies on having a collection of real names for streets, cities, and states/provinces, alongside possible addresses. Because of the scale of that information, this kind of verification (or at least the data) is typically outsourced to a third party. These aren’t foolproof. There may be a house at 700 Main Street and 750 Main Street, but not 725 Main Street. If 725 Main Street was entered into a form, the validator might think it’s a real address because 700 and 750 are real, or because a range of addresses is valid (700–800).

In Short

These forms don’t actually know if information is real or not. There are ways to check if information is genuine, by using it: calling you, checking with your card issuer, or sending a postcard to your address. Those methods are typically cost prohibitive for most Web sites to use, so they rely on the methods you’ve seen here (and many others!) to essentially guess if the information you supply is genuine.

Some terms of service will actually prohibit supplying false information under penalty of perjury, and until there is change in how those implied contracts are handled, someone may actually end up in trouble for entering a fake phone number. More often than not, a Web site is either legitimately in need of your information to make a purchase, to verify your identity, or to complete a task you’ve given. Unfortunately, sometimes they may just be collecting data about you to sell you things or sell others your things.

One last thing: validation is not verification. Just because a number can be issued or used doesn’t mean it’s in service.

Trust & Tech: Kids With Smartphones

(This is the first part of a series about trust and technology.)

Technology plays a big part in modern Western society. Despite 20% of American households not having access to the Internet at home or in their community, many companies have simply gotten rid of paper job applications: you apply online or not at all. And as this need increases, so too does the use of devices by minors.

In 2013, a Pew Research poll found that 37% of teens in the United States have a smartphone. Of those 12–17-year-olds, half of them used the Internet primarily using a smartphone. That means 18.5% of U.S. teens access the Internet primarily using their smartphone.

These devices hold an incredible amount of information, and that’s another reason that trustworthy computing is so important. Trustworthy computing means different things to different people, but in this case I mean the trust between a user and the systems they use. It covers security, privacy, reliability, and consent.

Legally speaking, minors cannot be bound to contracts, including Terms of Service. When you first start using software, the license agreement and terms of service that users are prompted with cannot be applied to them. However, the device doesn’t know that they aren’t adults, and those terms will be skipped by teenagers (not that adults are better!) and they will agree to them without reading them.

It’s a bad habit to get into, especially when most people don’t read the contracts they sign for phone service, social media, or employment. Inside that legalese is more than just standard limitation of liability or a class-action suit waiver. There are privacy terms that most adults wouldn’t be comfortable agreeing to, much less agreeing on behalf of their children.

Let’s consider for a moment everything you can use a smartphone for. There is a camera and microphone, a calendar, an address book, a Web browser, thousands of apps from Facebook and YouTube to Instagram and Snapchat, a GPS receiver which has assistance from cellular networks and Wi-Fi, notes, email—there is a lot of information about ourselves that we put on our phones. And you may not know it or consent to it, but Google, Apple, and Microsoft may be storing or sharing that information.

Now, I’m not saying that you should freak out. These are useful services, mostly trustworthy, that are not inherently bad. The problem is that most people don’t fully understand what they are consenting to, or if they even consented at all. This is a bigger problem when it comes to the data of minors. Without a full sense of what happens to the data they put in their phone that they may believe is private, information could be given to people who should not have it.

If an identity thief gets ahold of private information, parents/guardians could have a huge mess to clean up. If an abuser gets ahold of it, it could put kids in danger. And just imagine if an angsty teen’s journals get intercepted by the NSA: they could end up in trouble for making “terroristic threats”.

And as devices start to collect and store more information about you, like fingerprints for unlocking a device, your location history, and private health data which should be protected under HIPAA but currently is not, we really need to be taking a proactive stance on both our own privacy and security and that of teenagers and children.

So talk to your yutes. Make sure they’re educated about how significant the information is. Don’t discourage them from being creative and using their devices; they are genuinely useful and can be perfectly safe. Instead, encourage them to understand what happens to their information, the importance of privacy, and to read agreements. There are many resources to help you and yours understand the law, privacy, industry terms, and to advocate for you.

Just 7 Days Until Windows 10 Drops

Windows 10 is coming. Here’s what you should do to make the transition from Windows 7 or Windows 8 as smooth as possible.

  1. Make sure your computer is up to date. If you’re not sure, press Win + R, enter wuapp (Windows Update app), and press Enter. Then click Check for updates in the left sidebar. If there are important updates, install them. While you’re here, make sure that Automatic Updates is turned on under the Windows Update settings.
  2. Back up your data. This is really important! In the unlikely event something goes wrong, you don’t want to lose your files. There’s a great app called Bvckup that’s probably the best backup software you can get. Buy an external hard drive (at least as big as the one in your computer) and Bvckup, set them up, and you’ll be that much safer. Be sure you keep the software keys (serials) for anything you have installed, because that might not be backed up.
  3. Any programs you have will probably work with Windows 10. This is more of a note than a step. If you’re using software that works with Windows 7 or 8, it’s unlikely to break when you upgrade to Windows 10. If it was released before Windows 7, it’s possible that it might not work with Windows 10. If something isn’t compatible with Windows 10, it will be automatically uninstalled and added to a list of incompatible software on your Desktop.
  4. Don’t freak out if you don’t see it the day of release. Microsoft’s rollout is just that: not everyone will be getting Windows 10 on the 29th. If you reserved it, you will be getting it before those who did not. Likewise, Windows Insiders will be getting Windows 10 before reserved users. Also, Windows is a big piece of software and will take time to download on slower connections. Patience is a virtue (though that never really helped me have it).
  5. Find something to do for 30 minutes. Once you click Install, you’re going to have to live without that PC for around half an hour, give or take (depending on your computer’s performance). For your computer, it’s a complicated process. For you, it’s a mind-numbing session of staring at a screen. Unless, of course, you’ve got something else to do.
  6. Don’t panic! Things may look different, but chances are they still function the same way. If you need help, or a (re)introduction to Windows, Microsoft’s support site is actually pretty good these days.
  7. Say hi to Cortana for me.


You Need to Build for the OS, Not Your Brand

I wanted to make a few notes to those developers who want their apps to have the same brand-overpowering ‘custom’ experience across operating systems.

First, you’re creating an experience for a specific operating system. Each OS has its own specific, special interaction model. For example, all three mobile OSes implement the ability to go back in an application, but they each do it differently.

You’re building for the user, not your brand. 99% of users will not have an iPhone, Nexus, and Lumia next to each other comparing each platform’s app. In fact, it’s probably just you, as a developer, and you shouldn’t be doing interface comparisons on completely different systems anyway. It’s bad practice.

Developers need to stop making their applications about them when it’s about the user. Your experience should not be vastly different from the rest of the device. There’s probably a reason they chose to use that device, so you’re basically giving them the shaft. That’s not a way to make users happy.

The Web has made developers think they can customize their native applications to the point they’ve been removed from the OS itself and what the user is expecting. Once again, the Web is not native, and native apps are not Web sites.

So, in summary:

  • Design your app to look and behave like a core application on the user’s operating system. It should say ‘iOS’ (or whatever you’re developing for), not ‘[Your Brand Here]’. You already have someone using your app, you don’t need to keep selling it to them. It will annoy them.
  • You aren’t the user. You’ve heard it before, but apparently some people need to hear it again.
  • Don’t go against the grain or break the host OS’s interaction model because you don’t like it. That’s not a good enough reason.
  • Don’t use a custom font for anything in the UI. The system fonts across all three platforms—Windows, iOS, and Android—have been designed for readability and consistency. Breaking that is jarring to the user. It’s a bad idea.
  • Don’t make the user’s experience of their own phone inconsistent.

‘Back’ Is Different For Everyone

Not every mobile operating system is built equal. It’s not just their look or the size of their app stores. Let’s take a look at something you might not think is different: the ‘back’ button. It’s one of the most fundamental interface components for mobile devices, where space is limited.

iOS has a per-app back button in the top left corner, along with a left-to-right swipe gesture. If you open a Web page from an email message, you can only get back to the email message and its app by opening the app switcher.

Windows uses a system-wide back button that handles navigation inside an app and between apps. So, if you open a Web page in an email message, you can just press the single back button to close the page and go back to the message. Pressing and holding the back button opens up the list of apps in the order of interaction. It also allows a user to cancel an operation: a dialog can be dismissed by pressing the system’s back button instead of adding another button—cancel—in the mix.

Android has a strange combination of the two. It has two mechanisms for traversing both interaction paths. The primary path is the trail of interaction: you open one app, navigate through it, open a link in a browser, and the trail includes all of those. That means when you press the system’s back button, it goes back to the previous item in the user’s action history: a previous Web page, the email message you opened a link from, etc.

Android’s secondary path, used much less often, is the app’s own navigation layout, which is traversed using an arrow in the top left corner. This path is independent of a user’s actions, and will neither leave the current app nor traverse the interaction path. A usage example would be if one app opens another app to a specific item. Pressing the system’s back button at this point will go back to the previous app. If a user wants to stay in the app but go to a parent view, like a list containing that item, they would use the top-left back button within the app.

A Sad Day for Justice in America

I know it’s been a while since I posted, but I felt the need to say something today about a piece of news.

Once again, the American justice system has failed.

Ross Ulbricht, the now 31-year-old founder of the anonymous online marketplace Silk Road, known chiefly for its illegal drug trade, was sentenced to life in prison without the possibility of parole by Judge Katherine Forrest.

Life imprisonment of a 31-year-old for a non-violent crime. Forrest: You should be ashamed.

The only good news from this: what cash the Feds obtained from selling his Bitcoins at auction will count towards his fines. Fines that are insult to injury. Fines that, despite said sale, still amount to $17,837,921. He and his family are already struggling monetarily to handle his appeal process. How is he going to pay these fines while in prison for the rest of his life, Katherine Forrest? He likely cannot eliminate the debt through bankruptcy, either, so that’s out.

Here’s hoping that the appeal will fare better. Despite his crimes (which, according to available information, didn’t actually hurt anyone), he doesn’t deserve to have the rest of his life taken away from him. At this point, it’s about 50 years, ignoring how awful prison conditions are. If I had the option to not pay for the Feds’ continuing gross miscarriage of justice, I would absolutely opt out. But, as it stands, the United States’ Department of Vengeance continues to believe that imprisoning an intelligent person for his entire life is appropriate punishment for a non-violent crime. Even the domestic terrorist from Norway who killed dozens of children isn’t in prison for life. He wasn’t given the death penalty. That’s because the Norwegian justice system isn’t primitive and tyrannical like the American system.

A life sentence for a crime which only carries such a massive penalty because the Feds wanted to deal with organized crime kingpins whose organizations were violent and who couldn’t be arrested or convicted on other charges? It’s not American. It’s not a fitting punishment. It won’t rehabilitate him. It’s simply keeping prisons in business and the Feds’ power unchecked.

Coca-Cola Hecho en México

I seriously don’t understand why Coca-Cola doesn’t use sugar in the US/CA. It tastes so much better than corn syrup. Customer experience is what gives you more profit, not cutting corners. And if it doesn’t, at least you have the decency to care.

Posted from WordPress for Windows Phone. Because I’m cool like that.


Copyright © 2015 Hard Work & Troublemaking
