You’re not safe on the Internet (but you could be)

It’s a wonderful Friday evening. You’re out enjoying it with some friends, eating dinner at a classy Italian restaurant, telling stories and laughing together as you share a delicious bottle of wine. It’s the perfect end to the week.

As dinner wraps up, you hand the waitress the first card you grab from your wallet, a debit card, and don’t think twice. Moments later, she returns and asks you, quietly, if you have another card they can try. Looking at the debit card in her hand, you put two and two together, and a sinking feeling creeps in.

You pick up your phone and check. Sure enough, your account has a $0 balance. You just deposited your paycheck last week, and have been careful to keep a reasonable balance in there. And it’s gone. All of it.

You can’t begin to understand what happened, as you frantically call the bank, your night utterly ruined. But someone knows. The one who drained your account. The one who entered just the right username and password. The same password you use on a dozen sites. The same one you used to order flowers three years ago on a local boutique’s site. The same site whose password database was quietly hacked last week.

The Internet is a wild place

Most people on the Internet only see the tip of the iceberg. They’re on Netflix, Google, YouTube. They’re playing mobile games, ordering from Amazon. The Internet is like a giant mall with the best shops and arcades.

There’s more to the Internet than you may see. Darknets, where identities, weapons, drugs, and the darkest of pornography can be bought and sold. Cyberwarfare and espionage between countries of all sizes. Enormous “botnets,” or networks of compromised computers just like yours that are used to attack networks and crack passwords. Teams of hackers who work to find vulnerabilities in sites or in people and exploit them for amusement, financial gain, or just to make a statement.

This isn’t a reason to fear the Internet, to fear shopping online or visiting new places. This is a reason to respect it, and to be safe.

The line of fire

“But nobody will come after me!” you might think. “I’m not important. Who would target me?”

The problem with that line of thought is that it assumes a person is going after you specifically. That’s often not the case. Hackers and botnets go after many, many websites. They’re looking to hit the motherload. For instance, here’s some of the bigger sites hacked lately, and how many people were affected:

Ever use any of these? Me too.

So what happens next? Well, automated systems will harvest the results and begin trying these combinations of usernames/passwords on all sorts of different sites. Google/gmail, banks, dating sites, anywhere. And how big are these botnets? They can reach up to the 10s of millions of computers.

You are not specifically being targeted, but you’re in the line of fire. And this is going to keep happening, over and over again.

So let’s protect you from this. I’m going to teach you about three things:

  • Using passwords safely
  • Two-factor authentication, a second layer of protection and alert system
  • Identifying and ensuring secure connections to websites

And in case you’re wondering, yes, you are the target of my post. So keep reading.

Passwords: Your first line of defense

Most people on the Internet treat passwords like they’re a cute little passphrase to get into a clubhouse. We’re trained by our computers to pick something memorable to log us into our desktops, a code that “protects” you from others in the house who might want to check your e-mail. Much like a standard lock on your door protects you from your neighbors simply walking in.

Nobody ever really teaches us properly. It’s common to use your dog’s name as a password, or your birthdate, or something equally easy to remember and crack. It’s also common to use the same password or set of passwords on many different sites and services, which is how our fictitious Friday night was ruined.

This is extremely important to get right. Here are the rules for protecting yourself using passwords:

  1. Never use the same password for more than one site.
  2. Pick a long, strong password with uppercase and lowercase letters, numbers, and symbols, without any dictionary words.

That’s basically it. Seems simple enough in theory, but how do you keep track of all those passwords? You’d probably have 50 of them!

Don’t worry, there are tools that make this super easy.

1Password

This is one of my favorite tools for staying secure.

1Password is a tool for keeping track of your accounts and generating new passwords. It works with your browser and remembers any password you enter, and makes it really easy to fill in passwords you’ve already entered.

When you’re creating a new account or changing passwords, it’ll help you by generating strong, secure, nearly uncrackable passwords. For example, here’s one it just made for me: wXXgVzb8Zp(zwmjG7zBGkg=iT.

It’s available for Mac, Windows, iPhone, iPad, and Android. It’s free for iPhone, iPad, and Android, and costs only $35 for Mac and Windows (which is a bargain for what you’re getting).

Let me show you how it works.

I’m about to log into an account on Facebook.

Instead of typing my login and password, I just click that little keyhole icon next to the address bar, which will pop up any 1Password entries I have for Facebook.

Once I click “Facebook,” it’ll fill in my username and password and log me in. It’s just that simple.

When you’re signing up for a new account, use the Password Generator, like so:

Once you create the account, 1Password will remember the password for later. Look at that thing. Nobody’s cracking that!

This all works for any site, and even works on your iPad/iPhone:

1Password is great for more than passwords. It can keep secure notes, information on your credit cards or bank accounts, or really anything else you have that you want available but locked away.

In order to access your stuff in 1Password, you only need to remember a single password of your choosing. Make sure this is a strong one, and that you don’t forget it! Write it down if you have to.

Buy 1Password and use it. Look, $35 is nothing compared to the potential fallout of being involved in the next several major security breaches.

LastPass

LastPass is an alternative to 1Password, and is great if you’re an Android user. Usage is pretty similar to 1Password.

I don’t personally have a lot of experience with LastPass, but a lot of people love it. You can learn more about it on their site.

Pen-and-paper password journal

I’m sure you’ve been told before that it’s a bad idea to write down your passwords, am I right? Afterall, if you write them down, then gee, anyone can get them!

That’s not entirely true. The fact is, you’re more at risk reusing one or two weak passwords on the Internet than keeping dozens of strong passwords written down on paper in your home.

Let’s be clear, this is not the best option, and if you’re going to do this, keep it secret, keep it safe. Still, it’s better than not having strong passwords. If at all possible, use 1Password or LastPass, but if you absolutely must, write them own on a dedicated journal that you can keep safe somewhere. Don’t lose it, and always use it for every password.

Two-Factor Authentication: Second line of defense

You’re now using stronger passwords, and you have friendly tools to help manage them. Good job! The next step is making sure that only you can log into your most important websites.

Many sites and services (Google, Apple, Dropbox, Evernote, Bank of America, Chase, and many others) offer an extra security layer called “two-factor authentication.” This is a fancy term for “We’ll only log you in if you enter a code we’ll send to your phone.” When enabled, these services will require something you know (your login/password), and something you have (your phone).

Let’s take Google, for example. You can set things up so that after entering your username and your brand-new secure password, Google will send you a text message with a 6-digit code. Once you receive the text (which only takes a second), you’ll enter it on the site, and you’ll be logged in.

Now why would you do that? To prove that you are the one logging in, and not someone who’s figured out your password. The cell network’s going to make sure that text is only going to your phone, and you’re going to prove it’s you logging in. (Some services will require that you use a specialized app, or a hardware device that fits on your keychain, but most will work with text messages.)

Imagine someone did get a hold of your password, and tried logging in. You’re still going to get that text, but that person will not. He/she won’t be able to log in as you. You’re safe! It’s also going to be a dead giveaway that your password was compromised. You’ll want to change it right away.

Basically, this is both your gated community and your alarm system.

This is pretty easy to set up at most places. Here are some guides:

You can find more at twofactorauth.org. Just click the icon under “Docs” for any service you use that’s green.

I’ll be honest with you, this will feel unfamiliar at first, and you might be tempted not to do it. Trust me, though, this is worth turning on for as many services as possible. You’ll be glad you did next time one of these companies announces a security breach.

Identifying and ensuring secure websites

Let me briefly explain how the Internet works.

When you connect to a website, the browser will usually try to access it first over the “HTTP protocol.” This is the language that browsers and web servers speak. This communication is in plain text, which means anybody that listens in can read what’s being posted. This is sort of like handing a piece of paper to someone, and having them pass it along to the next person, and so on, until it reaches its final destination.

That’s very bad if you’re sending anything confidential. Passwords, for instance. It’s important that you learn to identify when you’re on a secure website.

You know the address/search bar on your browser? Look to the left. If you see http://, or you don’t see anything but an icon and a domain name, you’re on an insecure website.

However, if you see https://, or a lock icon, or a green banner, you’re good! This is using HTTPS, an encrypted connection, meaning that nobody in-between can listen in. That’s more like writing your letter in gibberish that only you and the final recipient understand.

For comparison, these are secure:

This is not:

Always look for these before filling out any forms. If it’s not showing a green banner or lock, you don’t want to give the site any sensitive information.

If you see a green banner, it’ll show the name of the company or organization. This is showing that the encrypted channel and website have been verified by a “certificate authority,” an entity that issues certificates for these encrypted channels. It means they’ve checked that, for instance, ally.com is owned by Ally, and not by someone pretending to be Ally.

If you click the banner or the lock icon, you’re going to see some more information about the connection. Most of this will be highly technical, but you should see some blurbs about who verified the authenticity of the site, and some information on the organization owning the site.

Most websites these days are moving to encrypted HTTPS connections, and most will automatically redirect all requests from HTTP to HTTPS. This is good, but you can go a step further and have your browser always start out using the HTTPS connection whenever possible. This takes almost no effort, and is worth doing.

This is done with a browser extension called HTTPS Everywhere.

If you’re running Chrome as your browser, simply install it from the Chrome store.

If you’re running Firefox, install it from the Firefox add-on store.

Did you do it? Great, you’re done! You’re now a little bit safer on the Internet!

Putting it all together

I threw a lot of information at you, but hopefully you’ve learned a lot and will put it into practice.

So let’s summarize. If you follow the above, you’ll:

  • Be at less risk for identity and financial theft the next time there’s a major security breach, since your passwords won’t be shared.
  • Be alerted when someone tries to log in as you on any service with two-factor authentication enabled.
  • Have passwords strong enough to be unguessable and nearly uncrackable, for all sites and services you use.
  • Know how to identify secure websites, so you don’t leak passwords or other private information to anyone who’s listening in.
  • Automatically connect to the most secure version of a website whenever possible.

Not bad for a little bit of work. Hopefully by now, you realize that this does matter, because you, I, and everyone else really is a target, simply because we’re all part of something large enough to be a target.

So pass this around. Tell your friends about what you’ve learned. Educate your kids. Stay safe on the Internet.

A better web through spreadsheets

I’ve spent the past couple of days basically living in spreadsheets, crunching sales data, entering equations, building pivot tables and forecasts, and painstakingly toggling cell borders… Your typical spreadsheety stuff. (And I didn’t go crazy at all.)

While spreadsheet work is a task an engineer would often dismiss, loathe, and try to pawn off onto an intern or manager, I’ve come to realize the opportunity we as an industry have missed.

 

A world on a web

The World Wide Web has been a part of most people’s lives for a couple of decades now. It has transformed society, and we take it for granted today. Before the web, communication wasn’t quite so pleasant. We had to visit our friends in person if we wanted to talk or play a game together. The events of a wild party stayed mostly in the minds of the participants, and couldn’t easily be shared with millions of people around the world. We didn’t even know that cats and cheeseburgers went so well together.

That's not what I meant!

That’s not what I meant!

It was the dark ages, and frankly, we should be embarrassed to even talk about it.

Then a wonderful man named Sir Tim Berners-Lee created the Web. There were probably other people involved, but it doesn’t matter really. The point is, he did a pretty great job and we should all buy him a drink if he’s in town.

Let me briefly explain how the web works on a technical level, using a common analogy of computers as tactical submarines. Imagine you’re in a US submarine (your computer) and you want to get some cat pictures from the guy in the Russian submarine (a Russian server). You know where in the sub he is (a “URL”), and know that the only way to get to him is through an unsecured port (we call this a “HTTP port”) or a mostly-secured-but-sometimes-not port (“HTTPS port”).

You’d load a torpedo with a letter asking for cat pictures (these are “packets”) and fire it off through their port (“HTTP/HTTPS”) into the location of the guy with the pictures (“URL”). Being trained to handle this, the torpedo would be intercepted, a new one stuffed with cat pictures, and fired back at your submarine.

This is the primary use of the web. Not so much torpedoes.

This is the primary use of the web. Not so much torpedoes.

That’s… basically how the web works.

Oh and there’s also HTML. This is the universal language of web pages. It comes with a family of other technologies, like CSS, JavaScript, VBScript, Dart, Silverlight, Flash, Adobe Flex, Java, ActiveX, and a myriad of innovative plugins.

Where was I? .. Oh yeah, spreadsheets.

(Spreadsheets are more like Battleship. A5! B12!)

 

The missed opportunity

We have built the world’s communication, social interaction, and repositories of cat pictures on top of the web, and therefore HTML (and co).

What I’ve realized over the past two days is that building it on top of HTML was a mistake. We should have built it on top of spreadsheets.

We could have had this!

We could have had this!

Hear me out.

Spreadsheets have been around a long time, and unlike HTML/CSS/JavaScript, people just naturally understand them. They’re simple, intuitive, and fun!

In the dark times before tab-based browsing, a time when browser manufacturers thought window management should most resemble the winning animation of Solitaire, Spreadsheets had multiple tabs. The right technology coud have put us years ahead of where we are now.

As developers, we face religious wars over table-based layouts vs. non-table-based layouts. We waste thousands of man years on this. Spreadsheets, being nothing but table-based, would have saved us all a whole lot of trouble.

It took a long time for the world to realize JavaScript could be used for more than scrolling status bar updates and trailing mouse cursors; it could be used to write useful things, like Facebook and Twitter! All the while, spreadsheet power users were writing complicated macros to do anything they could ever want. I mean, look at this guy who wrote a freaking RPG in Excel!

Look at those graphics.

Look at those graphics. Look at them.

Spreadsheets are inherently social. You can save them, edit them, pass them out to your friends. You can’t do that with your Facebook wall. Ever try to save or edit someone else’s webpage? Yeah, I bet that worked out great for you.

Developers, how many different third-party APIs are you dealing with in order to generate some meaningful statistics and reports for your app/startup? How much money are you paying to generate those reports? How much code did you have to write to tie any of this together? In the spreadsheet world, you’d just stick some pivot tables and graphs on the page and call it a day, spend some time with your family.

None of this nonsense with disagreements between slow-moving standards bodies that keep going back-and-forth on everything. Instead, I think we’d all feel comforted knowing we could leave this all in the hands of Microsoft.

 

What can you do…

I know, I know. It seems so obvious in retrospect. I guess all I can say on their behalf is that the web was once a new, experimental project, and such things are rarely perfect. Even my projects have some flaws.

Sir Tim, call me. We’ll get this right next time.

Breaking back into your network with the Synology Web UI

Have you ever left town, or even just took a trip to the coffee shop, only to find that you’re locked out of your home network? Maybe you needed a file that you forgot to put in Dropbox, or felt paranoid and wanted to check on your security cameras, or you just wanted to stream music. I have…

The end of a long drive

Last night, I arrived at my hotel after a 4 hour drive only to find my VPN wasn’t working. I always VPN in to home, so that I can access my file server, my VMs, security cameras, what have you. I didn’t understand.. I was sure I had things set up right. You see, I recently had my Xfinity router replaced, and had to set it up to talk to my Asus N66U, but I was absolutely sure it was working. Almost sure. Well, I thought it was working…

So I tried SSHing in. No dice. Hmm.. Any web server ports I exposed? Guess not. Maybe port forwarding was messed up somewhere?

Ah HA! I could reach my wonderful Synology NAS’s web UI. If you haven’t used this thing, it’s like a full-on desktop environment with apps. It’s amazing. Only thing it’s really missing is a web browser for accessing the home network (get on this, guys!). After spending some time thinking about it, I devised a solution to get me back into my home network, with full VPN access (though, see the end of the story for what happened there).

Christian’s step-by-step guide to breaking in with Synology

No more stories for now.

To get started, I’m assuming you have three things:

  1. Remote access (with admin rights) to your Synology NAS’s web console.
  2. A Linux server somewhere both sides can log into remotely (other than your local machine, as I’m assuming yours isn’t publicly connected to the network).
  3. A local Linux or Mac with a web browser and ssh. You can make this work on Windows with Putty as well, but I’m not going into details on that. Just figure out SSH tunneling and replace step 7 below.

All set? Here’s what you do.

  1. Log into your NAS and go to Package Center. Click Settings -> Package Sources and add:
  2. Name: MissileHugger
    Location: http://packages.missilehugger.com/
  3. Install the “Web Console” package and run it from the start menu.
  4. Web Console doesn’t support interactive sessions with commands, so you’ll need to have some SSH key set up on your linux server’s authorized_keys, and have that key available to you. There’s also no multi-line paste, so you’ll need to copy this key through Web Console line-by-line:

    Locally:

    $ cat ~/.ssh/id_dsa

    On Web Console:

    $ echo "-----BEGIN DSA PRIVATE KEY-----" > id_dsa
    $ echo "<first line of private key>" >> id_dsa
    $ echo "<second line of private key>" >> id_dsa
    $ ...
    $ echo "-----END DSA PRIVATE KEY-----" >> id_dsa
    $ chmod 600 id_dsa
  5. Establish a reverse tunnel to your Linux box, pointing to the web server you’re trying to reach (we’ll say 192.168.1.1 for your router).

    Remember that Web Console doesn’t support interactive sessions, or pseudo-terminal allocation, so we’ll need to tweak some stuff when calling ssh:

    $ ssh -o 'StrictHostKeyChecking no' -t -t -i id_dsa \
          -R 19980:192.168.1.1:80 youruser@yourlinuxserver

    The ‘StrictHostKeyChecking no’ is to get around not having any way to verify a host key from Web Console, and the two -t parameters (yes, two) forces TTY allocation regardless of the shell.

  6. If all went well, your Linux server should locally have a port 19980 that reaches your web server. Verify this by logging in and typing:
    $ lynx http://localhost:19980
  7. On your local machine, set up a tunnel to connect port 19980 on your machine to port 19980 on your Linux server.
    $ ssh -L 19980:yourlinuxserver:19980 youruser@yourlinuxserver
  8. You should now be able to reach your router. Try it! Open your favorite browser and go to http://localhost:19980
  9. Clean up. Delete your id_dsa you painfully hand-copied over, if you no longer need it, and kill your SSH sessions.

Epilogue

While this worked great, and I was able to get back in and see my router configuration, I wasn’t able to spot any problems.

That’s when I realized my Mac’s VPN configuration was hard-coding my old IP address and not the domain for my home network. Oops 😦

Hope this helps someone!

ThinkPad T520/W520, NVIDIA, Wide Gamuts, and You!

Update: Linking to a better color profile below.

Update 2: I narrowed down the ACPI issues, and have a better solution.

I recently purchased a brand new, maxed out ThinkPad T520. My old laptop was 4 years old, and while I absolutely loved it (and still do!), an opportunity came up to get a T520 with a nice discount. So I took advantage of that. I like large screen resolutions, as I tend to have a few thousand windows on screen at any given point in time, so I went with the 1920×1080 option, and put Ubuntu Linux on it.

And let me tell you, for an Ubuntu-certified laptop, it sure didn’t work out of the box.

Optimus!

It took a lot of effort to get Ubuntu working, due to some hardware problems. The biggest issue was the display adapter. The T520/W520 (and I believe the T420, etc.) come with two graphics chipsets: An Intel something-or-other, and an NVidia 4200M. By default, this is in “Optimus” mode, meaning that the OS can essentially switch between the cards for performance/power savings reasons, depending on use.

Not surprisingly, this does not work on Linux.

Your system will try to use the Intel card. You won’t have any 3D, and try as you might, that NVIDIA card just will not work. It’s maddening, but there’s a solution. One with its own set of problems, but at least it gets you there..

The trick, it turns out, is to go into the BIOS, go into the video settings, and switch to “Discrete Graphics” and disable auto-detection of Optimus. Once you do this, your NVIDIA card will work! You’ll get 3D, and it’ll be fast and smooth and so wonderful.

If you can boot, that is.

Once I switched over, I found I could no longer boot. Now this was 4:30 in the morning and my brain stopped functioning, so I wasn’t making all the connections. All I know is that booting locked up, and when I went into recovery mode, I started seeing I/O errors on my brand new 160GB SSD. Figuring it was just my luck, I decided I’d call Lenovo in the morning and get a new one. If this sounds at all familiar, stay calm! It’s not your SSD, and your system is not hosed. It’s ACPI.

(Of course it’s ACPI… Nobody ever said it was the Year of the Linux Laptop.*)

Update: I previously said that passing acpi=off in grub would fix things. That disabled battery and other stuff, though. The new solution below is far better. Suspend/resume and brightness work!

So, to fix that, go back to Intel graphics, edit your /etc/default/grub file, and set GRUB_CMDLINE_LINUX_DEFAULT to:

GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi=noirq"

Unfortunately, you won’t get Suspend/Resume, and I think the battery monitor is busted, but you’ll get Hibernate. It’ll mostly work. Sometimes. It’s Linux, afterall.

I’m not sure if this is needed anymore, but you may also need to add this to the “Device” section in your xorg.conf:

Option "RegistryDwords" "EnableBrightnessControl=1"

Once you have a working X/Unity/Compiz/3D/Minecraft setup working, you may notice some problems with colors….

Wide Gamut

The T520/W520/T420/etc. line of ThinkPads have a new 95% Wide Gamut LED display. It makes everything all bright and nice. And it butchers your colors.

Applications that support color management should in theory compensate for this. Not all apps do, though. What bothered me was my web browsing experience. Every color was broken, and as someone who writes webapps, I needed accurate colors. I was about to throw out this laptop before I managed to figure out a solution.

Modern Ubuntus should come with a Color Profiles control panel under System -> Preferences. From here, you can load ICM profiles and get things working. That will solve some of your issues, so let’s start there. Note that this is in Ubuntu 11.04 (I think), but I’m running 10.10 (I thought originally 11.04 was the source of my problems), so for me I had to:

apt-get install gnome-color-manager

And here, I the Color Profiles applet was causing problems, and I couldn’t directly use it, so I installed dispcalGUI, which allowed me to load in a profile and install it into Color Profiles, and activate it.

On some site, I found a working color profile (ICM file). I don’t know where I originally found it, but you can download it here. Note that this is only tested on my 1920×1080 display, so YMMV.

I’m not confident that this profile is 100% correct, but it’s close. At least as far as I can tell.

You’re free to try that profile, but I found a better one which preserves the crispness of the display with the actual accuracy you’d want on the web. WordPress is even looking correct now.

NotebookCheck’s review of the ThinkPad W520 links to a color profile that works much better.

Firefox Color Profiles

Now, you’ll still notice problems with Firefox and Google Chrome. Chrome doesn’t seem to understand color profiles, but Firefox does. You just have to tweak it.

In Firefox, go to about:config. In there, search for gfx.color_management. Set gfx.color_management.mode to 1, and then set gfx.color_management.display_profile to the path of that ThinkPad ICM file I linked to earlier.

Restart Firefox. You should now see more or less correct colors!

Now it’s not perfect. The ThinkPad screen is very bright, and some things can get a bit washed out and perhaps slightly tinted. As I type this, I’m noticing that the WordPress UI is a bit off, and things blend together more than they should (lots of light grays on a bright screen). But it should be much better than it was!

If you use a T520/W520/T420/etc. and have other solutions or tips for color management on Linux, I’d love to hear about them! And hopefully this saved someone else hours or days of rage.

* Thanks to James Farwell for the “Year of the Linux Laptop” snark.

Augmented Reality

An article appeared on Digg.com yesterday talking about a possible leak about the Nintendo Revolution/Wii. It referred to a video that was linked to in the comments. This video gave a demonstration of Augmented Reality, and while this technology is only rumored to be in the Revolution, it’s still fascinating to watch.

Augmented Reality basically allows for real-time merging of a live video stream and 3D graphics in such a way that the 3D objects can in a sense react to changes in the real world. Virtual tanks running around a real table and bumping into things, for instance, or holding a weapon in your hand and walking around with it. Now if only they had a good way of projecting this out into the real world without bulky, expensive equipment.

It will be very interesting to see if any of these rumors about Augmented Reality integration in the Revolution are true. E3 is coming up, so we’ll finally know what Nintendo is actually up to. Hopefully it will live up to expectations.

New Server

Well, if you’re reading this, then the move of ChipX86.com to a new server has been successful. I’ve slowly been moving sites such as galago-project.org to a new GSX VM provided by a friend and co-worker of mine. While Linode is a fine service, it has become somewhat problematic for me lately, and I’ve been wanting to get off a UML-based system.

If people have any issues at all with ChipX86.com, please report them.

20 Ways to be a Good User

I don’t expect anybody who should read this to actually read it. A couple of users the past few days have inspired me to write this little guide.

  1. If you request support in a channel and nobody is around to answer within two minutes, make sure to voice your frustration and leave immediately. Make sure that you stay for no longer than four minutes in total.
  2. If a developer tells you the answer you’re searching for is in a piece of documentation easily accessible, refuse to read it, perhaps citing an inability to read. Your time is important, and the developer should know the answer.
  3. Don’t read instructions or information in detail. Glancing over it should be enough. If glancing isn’t good enough, repeat your question. Don’t add any additional information to this question, or it might confuse the situation.
  4. Remember, you use this software. You have rights. The developer’s personal life, work life, or stress level is completely irrelevant. If they don’t provide the level of help you expect, remember that this is not your fault, but theirs. They owe you support, and be sure to complain loudly in as many forums as possible.
  5. NEVER thank someone for their support. They’re working for your needs, and don’t deserve any gratification. Besides, thanking them gives them a sense of control, which you should attempt to keep for yourself.
  6. Your problem is the most important. The developer may have other people they are trying to help, but it’s unlikely that their problems are more important to yours. Be sure to explain this, loudly if necessary.
  7. If you are influential at all, your opinion matters more than anybody’s. Follow the previous rule, as it will definitely produce a positive outcome. Be sure to relate the developers in question to members of organized totalitarian political parties.
  8. The more supportive you are of a developer’s software, the more support you deserve.
  9. Don’t use punctuation or bother with the spell checking. This slows down the communication between you and the developer.
  10. Insult the developer. This establishes control which, as previously mentioned, is important. Support should be thought of as a battle. Popular insults include “asshole,” “mother f**ker,” “dipshit,” and “newb.” Insulting their mother is another good way of establishing control.
  11. If your problem is very important, make sure to complain loudly about the software in general on several popular forums. The louder you complain, the more likely it is that the developers will fix your problem.
  12. If you’re confused by the “support” that the developer is giving you, don’t feel bad, as this isn’t your fault. This is the developer’s fault. Developers live in a different world. They’re nerdy, geeky, socially inept people who aren’t able to clearly get points across. Tell them this, as they probably don’t realize it. It is sure to ease the communication.
  13. As a user, you’ve come to know this software, probably better than the developer. If the developer says something about the software, take it with a grain of salt. They’re only the creators. You’re the one that uses it.
  14. Don’t waste time by upgrading to a recent version of the software. The bugs you have are important, and upgrading may introduce new bugs. It’s best to get the current bug resolved. If necessary, inform the developer that they need to create a patch release. This is especially important if the software is several years old.
  15. You represent the majority of users. Your feature request is everybody’s feature request, and it isn’t a hard to implement, really. The developer should be able to do it RIGHT NOW. Drill this in to the developer when they start stating bullshit like “that feature requires a rewrite of our codebase,” or “that feature conflicts with this other feature,” or “we’ve never heard of anybody wanting this feature before.” They’re just lazy.
  16. If you have a family member or close friend that tells you a fact about a piece of software, and the developers try to tell you that your family member or close friend is wrong, they’re just jealous. They don’t want to acknowledge your family member or friend’s expertise, especially if your family member or friend can “program” Microsoft Office onto your computer.
  17. Documentation is essential to a program. Many developers will claim they have not had the time to produce extensive documentation, citing work or personal life or other bullshit as “reasons” for not spending time on this. Often, they will ask you to do it. Have no part in this, as it’s a trap. If nothing else, they will try to take credit for your hard work.
  18. It is your responsibility to fill out as many feature requests and bug reports as possible. Do not check for duplicates in the bug tracker, as the more redundant bugs that exist, the more likely the developer will notice and fix these bugs, or implement the features.
  19. Sometimes you just have to switch to a competitor’s program. Your problem may be trivial, according to the developer, but it’s still a problem, and if there is one problem, there may be many. What are the chances that the competing program would cause problems?
  20. If the program is open source, fork it. You can do it better. To gain press coverage, post on all the forums and popular news sites. You’ll gain more respect and developers this way.

I hope this has helped all the users out there.

NOTE: For the sarcastically-impaired (if you live somewhere in the vicinity of Betelguese, this includes you) do not actually take this advice.