Your data is precious

Following LinkedIn’s large password leak, I have seen a dangerous thought spread to friends and colleagues:
“so what if my LinkedIn password has leaked? What can they do? Look for a job for me?”

That is based on wrong assumptions about what an attacker wants and can do. And it is mistaking the low value you get from a service for the value of your data. Your data is PRECIOUS. Maybe not to you. But everything can be sold, and you’ll always find someone interested in buying it. Let’s see a few creative uses of your LinkedIn account:

Analyze your data

You might think that what you share is of no use to anyone except potential recruiters, but by mixing your resume, shared links, private messages, all the data you put on the website, I could build a nice profile and sell it to advertisers. Did you put your address and phone number somewhere in your profile? Awesome! I have a lot of targeted advertisements for you!

Obtain access to your other accounts (email, Facebook, Twitter, Viadeo…)

With your email address and your password, I could probably guess the password for other services. Almost nobody has strong and different passwords for every service. Would you like to see your Facebook or Twitter account compromised? I don’t think so.

Oh, remember to use a strong password, or even two-factor authentication, for email. A lot of password recovery systems use email, so if your mailbox is compromised, your accounts will be compromised.


Nothing can be done with your account? Oh, you have contacts. And maybe a well-referenced profile. I’d be able to send spam links to all your contacts with the user feed, and put them in your profile, to improve the ranking of my websites. Sure, there’s no harm to you, if you don’t care about losing credibility or annoying your contacts.

Using the contact list

Oh, yes, I could sell your contact list, that’s easy money!

While I’m at it, I could have fun with your friends and colleagues:

  • ask them for money, nude pictures, confidential information, etc.
  • tell them that your email account has been compromised, and that they must address their emails to another address controlled by me
  • obtain access to their accounts with social engineering

You may be insignificant, but that’s not necessarily true of your contacts. In social networks, your network has a value, and you must protect it. It is your responsibility to make sure your friends and colleagues don’t get compromised through your account.

It reminds me of the 90s, when I often had this dialogue:

Me: You should put an antivirus and firewall on your computer.
You: Why should I? There’s nothing interesting on my computer, why would anyone want to infect it?
Me: I receive 10 emails a day from you, and all of them contain a virus.

I hate the web

I first experienced Internet at the glorious time of the 56k. It was slow, hard to browse, and full of badly designed websites. But it was fun to discover. At that time, people were still trying to figure out the answer to “what the hell can I do here?”, were experimenting a lot, and shared their results.

Then the internet bubble grew and… I won’t waste time telling that story, that’s not my goal here. Let’s go forward a little, to that new trend, the Web 2.0.

It was the beginning of social media, users producing content, companies investing a lot to reach those users. And somewhere, something went wrong. It was quiet at first. People were wondering how to get a better rank in search engines, how to blog, how to create a buzz. Some of them were really trying to create value, and share it with the right users. But others didn’t think like that. They found a way to make money out of thin air.

How to be successful on the Interwebz

Take a lot of incompetent people, more or less linked by a common interest (let’s say “being famous”, as an example) and able to communicate with each other thanks to social networks. One of them will see a post somewhere describing someone famous, and will share it with the rest. He will share other articles for a few months, and all the incompetent fools will be pleased to learn about how famous people became famous.

Then, he will begin to write articles that rephrase the ones he sent a few months ago. All the incompetent fools will thank him for sharing his insight in being famous. And if he doesn’t find anything to write, he will rephrase one of his own articles, with a catchy title like “top ten ways to create a viral video” and a lot of bullet points. And some of the incompetent fools will share these articles (mostly because they’re not smart enough to go and find the original content by themselves).

Little by little, he will be recognized as an expert in being famous, and will start a consultant job, and will be overpaid to teach the incompetent fools how to be famous. And then, those incompetent fools will start to share themselves, and blog, and become consultants and make money. Don’t you recognize something?

The Ponzi scheme web 2.0 expert

That’s the Internet we see now, and I find it disgusting. No real content, people quoting each other, and experts telling us “Get rich following my method, it worked for me, why wouldn’t it work for you?”. Social networks gave the crooks an easy way to legitimacy. Why would you bother working hard, when you can quickly get exposure by preaching to the incompetent crowd?

If you follow most of the news, you will think that those people talking about SEO, copywriting, web marketing or community management are the ones building the web. They’re not. Internet is there thanks to a lot of quiet system administrators, developers and electronics engineers. They’re not necessarily following new trends. They’re at their origin.

If you want real content and real value, look for these people. If you want to build something useful, learn from them but follow your own path. Inventing is not about repeating what smart people say, but contradicting them.

I hate installers

And I’m pretty sure a lot of people will agree with me. They’re a usability nightmare. They have looked the same since Windows 95 (I think it’s even older than that, but thankfully, I’m too young to have known previous versions). The *click next* *click next* *click next* *click Finish* ugly grey thing is driving me crazy.

So, how can we improve user experience on installation? First, let’s recall the classic installation process.

The (ugly) state of the art

Someone tells you about this amazing new software that you just have to try. Or you just know you need it to get your work done. So, you google it a little (for the ones that are still stuck in the 20th century, you buy a pack of CDs in a shop), you quickly find the editor’s website. It’s a shiny website full of marketing tricks to persuade you that you want to download it. Or it’s Sourceforge. Whatever, you find a way to download it.

That was the easy part. You’re already bored and looking at pictures of kittens, because the download took a long time. But you really want to install the software, so you start the installer. And the nightmare begins.

  1. First, the UAC prompt (for those of us that use Vista/2008/7). It tells me that the installer needs admin rights, and that this piece of software has no verified publisher. Whatever, let’s just click ok.
  2. Before launching the real installer, the file I just downloaded uncompresses and starts another installer.
  3. First window, asking me which language I want to use. Click next.
  4. A window asking me to agree to a reaaaaaaaally long piece of US piece of shlegal text. Click next.
  5. A window asking me if I want a simple, advanced or custom installation. Click simple then next.
  6. A window asking me (it really asks a lot, can’t it figure it out without my help?) where I want to put my software.
  7. Now, if I’m lucky, the “next” button has been replaced by “install”. Or there’s yet another window to sum up my installation settings. Click install.
  8. Yay, it’s the revival of DOS for Windows users. I see a lot of file names scroll on the window, too fast for me to read their names (I don’t really care anyway).
  9. Is it done yet? No, now it asks me if I want to put a shortcut in the quicklaunch bar, or on the desktop. Sometimes, it will even ask me if I want to launch this application on startup. Click next.
  10. If I’m really lucky, I go to the next step directly. If I’m not, it wants me to update my DirectX version, or to install the new wonderful browser bar that I really need (go back to step 3).
  11. \o/ the last screen. Asking me to choose yet another thing: do I want to read the README.txt file? Do I want to go to your website? Do I want to launch the program right away?
  12. Well, in fact, I didn’t go up to this step. I died of boredom long ago.

And this is what I have seen for the past 15 years (well, I didn’t include all the weird installation errors that I have seen). So much for innovating and improving the life of the users. The first interaction people have with software made by your company is the installer. For me, that means a lot. If they’re too lazy to get this right, I’m probably too lazy to try their software.

Now, let’s go back to the interesting question: how can we improve the user experience of installers?

The (easy) critique

I would like to say “install a Linux, use a package manager and let’s roll” (yes, I KNOW you thought of it), but since the CoApp project isn’t ready yet, we will have to find another way to please Windows users.

Let’s go point by point:

  1. About the UAC, I can’t force you to buy a code signing certificate. But if you can afford it (between $90 and $300 a year), it can make your software look a lot more professional. And you can use your WinQual account, which is really nice.
  2. Why would you uncompress a lot of files right now? Is your installer a Java ERP? No? Then, only uncompress the files when I ask you to install them.
  3. For this one, I have mixed feelings. The default setting shouldn’t be English, but the detected language of the OS (come on, it’s not that hard to do). One thing you have to get right: if you ask for a language, it’s not only the language used in the installer, but it will be the language used in the installed software. I shouldn’t have to choose the language two times.
  4. For the EULA, I don’t really know what I can do, as I am not a lawyer. But I’m not really sure that a legal agreement written in English and referring to US law complies with my country’s laws.
  5. This one is obvious. How many of your users will need the advanced settings? Yes, the whining 0.1%. The other 99.9% will just use simple anyway, so why would you ask them to choose? And what options could be so important that you need to treat them as advanced?
  6. OK, this one is easy. Most people will not even choose another installation folder. One thing that I would really love (but there, it’s a matter of taste): don’t use a path like c:\Program Files\MyCompany\MySoftware, but c:\Program Files\MySoftware. People install software, not an advertisement for your company. And not finding your installation folder later because you’ve hidden it deep under a meaningless folder name is definitely not nice.
  7. Oh, my installation settings. Think about it. If I’m a dumb user just wanting to install quickly, I don’t care about these. And if I care about my installation settings, I know exactly what I chose. So this one is useless.
  8. OK, the scrolling list of files. I know it’s useful if you’re debugging your installer. It’s useless for me. Just put a pretty progress bar. If you really want to display things, instead of writing “uncompressing pouet1.png, copying pouet1.png, uncompressing pouet2.png, copying pouet2.png”, write “installing shiny new themes”.
  9. I have mixed feelings about this one. I would say: let the user choose for the desktop shortcut, don’t ask for a quicklaunch icon (the user will know how to drag and drop the desktop shortcut on the bar), and definitely don’t ask to launch at startup. Be a responsible developer, don’t waste CPU cycles, and save the planet.
  10. For DirectX, do whatever you want. I would prefer that you warn me about the update before I get to step 8. For the adware bar, just stop it. If you want to make money with your software, just sell it. But if you really don’t care about user experience, go ahead and install spyware on your users’ computers. I’m sure they will love that.
  11. Do you really think people will read some quickly written presentation of your software in Notepad? No. Do I want to go to your website? Seriously, that’s where I downloaded the installer. While I’m at it, I’m trying to find some documentation on your website, but there’s nothing useful there. Do I want to launch your application? This one makes me laugh. What will happen if I click yes? In 90% of the installers, it will launch the application. With Administrator’s rights. Seriously, isn’t that obvious? So, two possible fixes: learn to drop the rights of a Windows app, or don’t even launch the application at install time.

The (really easy) fix

Well, that doesn’t look so hard to do, right?  I’ll sum up my ideal installer’s behaviour:

  1. Sign your installer with a code signing certificate recognized by Windows (you can leave that part if you have no money).
  2. Start immediately with a good looking screen, showing the logo or a good picture of your software and, small in a corner, the logo of your company. And a well written presentation of your application. If the installer will install other applications, warn the user there. You should have detected the language of the user before launching. Provide a drop-down list to change the language on this screen, but put it out of the way (like, in the bottom left of the window).
  3. Next, the EULA. If you find a way to get rid of it (maybe put the agreement on the website, where it’s easier to read), or to simplify it, do it.
  4. Put all the installation options on the next screen. Only show the ones the user really needs to look at. Add an “advanced settings” button, and again, put it out of the way. You have the permission to use a good looking effect to switch from simple to advanced view and vice versa. By installation options, I mean the install folder, the desktop shortcut, any plugins, etc. Don’t forget to show the disk space needed for installation. The next button should now be an install button.
  5. Use a good looking progress bar, and meaningful log messages. Maybe provide an error logfile somewhere if something went wrong. You can show some good marketing messages and pictures there. I don’t guarantee that people will look at them, but if they’re waiting, try to prevent the boredom from showing up.
  6. The last screen, yes! If you really don’t want to listen to my advice, at least remember to drop the admin rights before launching the application. Instead of asking if the user wants to see the README, provide links to the documentation (on the disk, or on your website), tutorials, screencasts.

And now, that’s an installer I would like to see: 5 screens, 5 clicks in the best case, no useless clicks in the worst case. Quick and easy. Don’t hesitate to add some eye candy. Anything can look better than those grey installers we’re used to.

Oh, and a last thing, which will please a totally different sort of user: please, please, provide a silent installation, with all the options accessible from the command line. The system administrators will love you.
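
What the signing advice (step 1) and the silent installation buy a system administrator, as an added example that is not from the original post: a deployment script can check the installer's signature and signer before running it unattended. It assumes an MSI package; the path, publisher subject, install folder and the `INSTALLDIR` property name are placeholders that depend on the actual package.

```powershell
# Added example: verify the publisher, then install silently with logging.
# Assumptions (not from the original post): the package is an MSI; the path,
# publisher subject and install folder are placeholders; INSTALLDIR is the
# directory property this particular package happens to expose.
param(
    [string]$Installer  = 'C:\Deploy\MySoftware.msi',        # placeholder path
    [string]$Publisher  = 'CN=Example Publisher*',           # placeholder signer subject
    [string]$InstallDir = 'C:\Program Files\MySoftware',
    [string]$LogFile    = "$env:TEMP\MySoftware-install.log"
)

# 1. Refuse to run anything whose Authenticode signature is missing or broken.
$sig = Get-AuthenticodeSignature -FilePath $Installer
if ($sig.Status -ne 'Valid') {
    throw "Signature check failed for ${Installer}: $($sig.Status)"
}

# 2. A valid signature only proves that someone signed the file;
#    pin the signer you actually expect.
if ($sig.SignerCertificate.Subject -notlike $Publisher) {
    throw "Unexpected signer: $($sig.SignerCertificate.Subject)"
}

# 3. Silent install: /qn = no UI, /norestart = never reboot on its own,
#    /l*v = verbose log for troubleshooting failed deployments.
$msiArgs = @(
    '/i', "`"$Installer`"",
    '/qn', '/norestart',
    '/l*v', "`"$LogFile`"",
    "INSTALLDIR=`"$InstallDir`""
)
$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru

# 4. msiexec reports the result through its exit code;
#    3010 means success with a reboot pending.
switch ($proc.ExitCode) {
    0       { Write-Output 'Installed.' }
    3010    { Write-Output 'Installed; reboot required.' }
    default { throw "msiexec failed with exit code $($proc.ExitCode); see $LogFile" }
}
```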