Correction: Web 2.0 Sucks For Reviews

There’s an interesting phenomenon taking place lately that I find a bit disturbing. It has to do with how consumers are leveraging their newly discovered online powers of opinion. In principle, I think empowering people by giving them tools to communicate with one another is a good thing – people should be able to be heard, and share ideas and comments on everything, including the products they choose to buy or not. But when it comes to software applications and services, reviewers are all too ignorant of how permanent their actions are compared to how rapidly what they’re reviewing can change.

Take for example the smackdown currently being handed to EA’s “Spore” on Amazon. As of this writing it has 3,000 ratings, 2,500 of which are one-star reviews filed by users upset by the copy protection software it uses. The majority of these reviews come from users who likely haven’t played the game, mind you; they are merely protesting the copy-protection system they’ve heard about. I’m not saying DRM protection is a good thing, but it does seem like the punishment here is a bit excessive. Spore is doomed to never rise much higher than a “two-something star” rating no matter what EA does to improve it or address their users’ concerns. This would require receiving nearly 2,000 more 5-star reviews, which is over double the total number of reviews that the most popular video game ever made (World of Warcraft) has received in the four years it’s been listed on Amazon.

The first Spore review, alone, has been marked as “helpful” by over 6,500 people, most of whom are presumably deciding not to purchase the game. This in spite of the fact that the review is no longer accurate (EA revised the Spore DRM less than two weeks after the game’s release.) That’s $325,000 in lost revenue. From a single review. Ouch.

Amazon’s review system, like nearly all such systems on the web, is designed to let people review immutable things like books, CDs, or even Tuscan Milk – products that don’t change over time. But software is dynamic – it can be updated and improved, even after you bought it. And this is something that simply isn’t taken into account; not by sites that let you comment on products, or forums, or any other myriad channels we users pay attention to. What’s needed is a way to temper the relevance of reviews and comments based on how a product evolves over time. In the meantime, it would behoove people to be a little more circumspect in what they review and how they review it.

Javascript UUID Function

[UPDATE – 1/3/2010: For the latest/greatest implementation of a JavaScript UUID function, please check out my node-uuid project.  Any future improvements/enhancements to this code will be made there.]

[UPDATE – 9/1/2011: ‘Seeing reports of UUID collisions in the wild.  Johannes Baagoe has a write up on why Math.random() can’t be trusted.  I’m not entirely sure I buy this, but I’m certainly less confident than before about the uniqueness of UUIDs generated using only Math.random().]

Here’s a little JavaScript treat: Math.uuid.js is a function for generating different flavors of UUIDs in JavaScript. The function supports RFC 4122-compliant UUIDs (or GUIDs), like this:


… as well as non-standard random IDs of arbitrary length and radix. For examples of the types of IDs it can generate, or to see performance data, check out the Math.uuid.js Test page.

I put this together after discovering that nobody had published a really thin javascript implementation for generating UUIDs. Googling around turns up several decent scripts, but all of these suffered from one drawback or another (IMHO). One common problem results from trying to produce “version 1” ids, which the RFC defines in a way that is supposed to guarantee the uniqueness of the ID. But javascript doesn’t have an API for getting a guaranteed-unique anything – the best you can do is use Math.random() as a hack workaround which, strictly speaking, shouldn’t be used when uniqueness must be guaranteed. Using JavaScript to generate a version 1 UUID could be construed as misleading.

The more correct solution is to do what Math.uuid.js does – create “version 4” ids, which are defined as randomly generated (see RFC 4122, section 4.4). This avoids making an unfulfilled promise of universal uniqueness, while allowing for much simpler code. Also, in javascript where Math.random() has to be used for UUID generation, the theoretical uniqueness of these ids is better than version 1 implementations since all 122 bits of field data are randomly generated. That makes for a staggering 5.3 x 10^36 possible ids. If every person on the planet filled up a terabyte hard drive with nothing but random UUIDs, there would only be a one in 7 trillion chance that two of the UUIDs would be the same. That’s the theory.

The practice is probably a little different. The uniqueness depends on how random the numbers generated by Math.random() are. Generating truly random numbers is a notoriously tricky problem, solved in different (imperfect) ways across browser platforms and OSes. It’s difficult to say for sure what the real-world uniqueness of these numbers ends up being, but I suspect it’s more than sufficient for most purposes. Regardless, this is a weakness that all javascript UUID generators will be subject to, unless they rely on an externally-provided unique value. For example, one could use AJAX to fetch UUIDs generated by a site like, but that has its own set of issues.

Update 1/22/10: Math.uuid.js includes an Math.uuid2 Math.uuidCompact – an alternate implementation for RFC4122v4 UUIDs designed to be as compact as possible, and Math.uuidFast() – an implementation designed for performance.

Update 06/03/10: Several people have expressed concern over how random the Math.random() method is. (E.g. “If two clients load the random() lib at the same time, will they start with the same seed?”) After doing a bit of research into how various OSes handle random # generation, I’m pretty satisfied that this is unlikely to be an issue. Seeding is done from a variety of sources of almost pure random numbers – mouse movement, built-in hardware support (e.g. by measuring noise in electrical circuits), various unique device IDs, BIOS checksums, memory usage statistics… and so on.
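
The version 4 layout and the shared-seed concern described above, as an added example (not code from Math.uuid.js or node-uuid). The function names are hypothetical, the LCG is a constructed stand-in for a poorly seeded generator, and `secureUuidV4` assumes a runtime that exposes Web Crypto's `crypto.getRandomValues`.

```javascript
// Added example; all names are hypothetical, none come from Math.uuid.js.

// Format 16 bytes as a v4 UUID. Six bits are fixed (version and variant),
// which leaves the 122 random bits the post refers to.
function uuidV4FromBytes(bytes) {
  if (bytes.length !== 16) throw new RangeError('need exactly 16 bytes');
  const b = Uint8Array.from(bytes);
  b[6] = (b[6] & 0x0f) | 0x40; // high nibble of byte 6: version 4
  b[8] = (b[8] & 0x3f) | 0x80; // top two bits of byte 8: variant 10
  const h = Array.from(b, (x) => x.toString(16).padStart(2, '0')).join('');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16),
          h.slice(16, 20), h.slice(20)].join('-');
}

// Preferred source: the platform CSPRNG (Web Crypto) instead of Math.random().
function secureUuidV4() {
  return uuidV4FromBytes(globalThis.crypto.getRandomValues(new Uint8Array(16)));
}

// Constructed stand-in for a weak, seedable generator (a 32-bit LCG). It is
// not how any browser implements Math.random(); it only models "same seed".
function weakByteSource(seed) {
  let state = seed >>> 0;
  return () => {
    const out = new Uint8Array(16);
    for (let i = 0; i < 16; i++) {
      state = (Math.imul(state, 1664525) + 1013904223) >>> 0;
      out[i] = state >>> 24;
    }
    return out;
  };
}

// Shape check: version nibble must be 4, variant nibble one of 8, 9, a, b.
const V4_PATTERN =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/;
const isV4 = (s) => V4_PATTERN.test(s);

// Two clients that start from the same seed emit the same UUID sequence.
function sameSeedCollisions(seed, count) {
  const a = weakByteSource(seed);
  const b = weakByteSource(seed);
  let collisions = 0;
  for (let i = 0; i < count; i++) {
    if (uuidV4FromBytes(a()) === uuidV4FromBytes(b())) collisions++;
  }
  return collisions;
}
```

Current browsers and Node.js also provide `crypto.randomUUID()`, which returns a version 4 UUID drawn from the same CSPRNG.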

How To: SMC Barricade 7004WBR + HP-5MP + MacOSX

I’ve written previously about my HP-5MP printer. One of the things I love about it is that I’ve been able to get it to work with every computer I’ve ever had in my house – PC, Mac, Linux, you name it. Not only that, but for probably the last 8 years, I’ve been able to share it with all those computers by having it plugged into an SMC Barricade 7004WBR router/wi-fi gateway/print server.

Getting this setup to work with the MacBook I’m using (MacOSX 10.5.3) was a bit of a sticky wicket, but I managed to get things going. For the sake of posterity, and the one and a half other people out there who might care, here’s how to go about it. The trick is to use the native CUPS web interface instead of the Mac’s Print and Fax preferences, as follows …

  • On your Mac, go to to get to the CUPS interface
  • Click “Add Printer”
  • Choose “LPD/LPR Host or Printer”
  • For the Device URI, use “lpd://hostname/printer_queue_name“. Where hostname is the IP of your router/firewall/print server and printer_queue_name is the name of your print queue. In my case these were and “lp”, respectively, for a URI of “lpd://”
  • In the next couple of pages, choose the make and model of your printer. (This is where the CUPS UI really shines – there are TONS of printers supported. I suspect that explicitly specifying the correct info here instead of using the generic Postscript driver is what finally got my printer working.)
  • Tweak the options for your printer if needed (I left mine alone)
  • “Add Printer” to save the new printer configuration.
  • Go back to the CUPS home page and click “Manage Printers”. From there you can print a test page to make sure everything is working correctly.

Mutual attraction authentication

“Hi, this is Mark from Experian. We’re calling to update your contact information…”

That’s how I was greeted when I answered the phone just now. This was nominally someone from one of the big 3 credit reporting agencies calling to make sure they had current contact information for their database. Harmless enough, right?

Well… probably. But I tend to be pretty guarded about giving out my personal information. It’s remarkable to me that these companies expect people to simply pick up the phone and start answering questions about names, phone numbers, addresses, and whatnot, without ever questioning whether or not the caller is who they say they are. 99% of the time I’m sure it really is someone from Experian, or Wells Fargo’s Loan department, or the Census Bureau. But the cost of misplaced trust the other 1% of the time can be pretty high. Thus I typically answer with a curt, “I’m sorry, but I don’t give out personal information to callers. Can you please give me the contact information for the person I should talk to about this?”

This invariably elicits a brief pause of confusion as they process this unexpected resistance. They’re not used to having people question their veracity. After taking a deep breath, they try again: “Um, sir, I’m the person you can talk to. I’m with First National Trans-Federal Mutual Corp” they repeat, implying, “it’s okay, we’re Big Business, you can trust us!”, which leads to a proverbial fork in the conversation.

The low road, the easy route, is to just play dumb. These folks may not understand the problems of mutual authentication, but they are wonderfully well-prepared to deal with someone who’s, shall we say, cognitively challenged. They’ll regurgitate some thank-you-for-your-business and can-we-talk-to-the-head-of-your-household speech before eventually giving up.

But occasionally I get into a benevolent mood and elaborate on why it is I don’t trust them. More often than not this leads to the same speech. But sometimes I’ll find myself debating the security of 512-bit RSA encryption, and modern applications of Merkle’s Puzzle in telemarketing… at which point I know I’m talking to a scam artist and not a real customer support person.