Be careful of the examples you use. They stick

199 points by mh_, almost 2 years ago

29 comments

superfrank, almost 2 years ago

> It’s important to realise this isn’t a customer-side issue; they shouldn’t have to consider the impact of every configuration option we choose to put in front of them. They don’t have the full context and knowledge, and expecting them to be experts in the nitty gritty of Canarytoken discoverability

Yes!

> Going forward, we will show multiple examples of prefixes. A user looking to add a custom domain will see a variety of example zones when they visit the page, and the examples will cycle each time they open the configuration page. We want to convey that they have options in choosing the name, and we show them a variety of sample options. Our hope is that this will prompt customers to pick their own names, and if they do rely on our examples then those are now spread over a large list of examples.

No! They were so close and yet it sounds like they've still missed the point. The issue is that users don't understand the "why" behind the prefix. Just randomizing the prefix that they're shown does nothing to change that.

IMO, a better solution would be. 1. The shortest possible explanation under the field of why you shouldn't use "someprefix". 2. Prevent users from using "someprefix" as the prefix and show them the warning again. By eliminating the default option as an option, you force your users to leave auto-pilot mode and actually consider their choice.

JohnMakin, almost 2 years ago

Reminds me of a large company I worked at, I had some documents for developers how to set up some local environment thing they had to do exactly 1 time and never again. It was just a handful of terminal commands, all starting with the traditional shell notation like:

$ (some command)

Over the course of a year I got periodic complaints that it "wasn't working" and I tried to find issues on my end and couldn't. One particularly vocal dev came to me directly and insisted it was broken, so I went on a shared session with him, it turns out they were pasting the "$" into the terminal causing it to say: "$: command not found."

That was the source of all the complaints, once I removed it, they stopped.

chasd00, almost 2 years ago

I gave what my company calls a “lunch and learn” presentation once of some interesting tools. People liked it and shared my deck around which was cool. But then my quick/dirty examples started showing up in best practice (I loathe that term) decks shared to very large teams with my name at the bottom. A security guy, who I greatly respect, raised some questions and I had to go through the whole story with him and then find all references to my examples and fix them. It was pretty embarrassing.

andirk, almost 2 years ago

Can we please use `example.com` for an example domain name instead of like `somedomain.com`? It can create accounts with emails that someone can actually intercept.

l0b0, almost 2 years ago

This is also an opportunity to think about the value of a piece of configuration. If an example configuration value works for 40% of users *without modification,* should that value even exist? Think Bash's `HISTCONTROL=erasedups`, which shouldn't be necessary to set in the 21st century. Or should it be auto-generated, like Docker's container names?

In the very best case, the defaults are so good that an empty configuration does what most people want. Think ripgrep, …, welp, I can't really think of many good examples. Browsers need extensions, Bash needs a decent prompt, even many pro cameras need to be configured to save raw images by default.

teddyh, almost 2 years ago

Oh, absolutely. If you give people an example (and you should), the overwhelming majority will copy the example *exactly* and then only change what they are forced to change *when it doesn’t work otherwise*. Therefore, prepare your examples accordingly.

nicexe, almost 2 years ago

I'm thinking if invalid characters in the examples given would be an acceptable solution. For DNS records this could be XML-like tags like <someprefix>.<yourdomain>.<tld>

On one hand, it prevents blind copy-pasting but on the other hand, your example is invalid.

recursivetech, almost 2 years ago

A few years back, I recall reading about some automotive manufacturers who had just copied an example "airbag arming authorization" code/value that appeared in a shared spec document (IIRC) for their vehicles. There was a Metasploit module created (for the Hardware Bridge) that would send CAN bus messages to just check/verify if a particular vehicle uses this insecure arming code. For vehicles using this known code, an attacker with CAN bus access could deploy airbags on an unsuspecting target during vehicle operation. https://www.rapid7.com/blog/post/2017/12/22/metasploit-wrapup-21#nowavailableairbagauthentication

PeterisP, almost 2 years ago

An interesting thought is that the examples in your documentation don't necessarily need to be static and the same for everyone.

For example, if a user is logged in, you can autofill the appropriate accounts/domains/ids/etc to make the example work out of the box; and if some ID needs to be essentially random, then you can make it actually random when you generate the example.

personjerry, almost 2 years ago

Why is "use more examples" the solution? If the users are copy pasting the code, why not just generate random strings thereby showing an example and also fulfilling their own requirement of non-identifiable strings?

jhoechtl, almost 2 years ago

Very true. Good examples consume a lot of time. I was bitten a couple of times when the customer nailed me down with "But this example can never occur" and my futile attempt to justify "But it's an example!"

Good examples make documentation worthwhile to read.

Good defaults make an application worthwhile to use.

DoingIsLearning, almost 2 years ago

Wasn't the DMCA takedown of youtube-dl also caused by an example in documentation where they used a youtube link to some big name vevo artist?

alex-moon, almost 2 years ago

The opposite is also true. It happens rarely, but I have been bitten by trying to configure something to be what I would like it to be, only to discover it had to be what was in the documentation for it to work, generally with nothing in the documentation itself to clarify.

Can't think of any examples now though I'm afraid.

fastball, almost 2 years ago

This isn't quite the point of the article, but we allow people to apply for student discounts for our service, and provide the following example that we ask users to send to us over Intercom:

> Hello, could I please apply for the student discount?
>
> [PLEASE READ AND DELETE THIS – After sending this initial message, please attach a proof of your student status, such as a photo of your valid Student ID so we can process this quicker!]

I don't think any of the countless people that have asked for the discount have ever removed the "PLEASE REMOVE" part, and many don't bother to send the proof until we ask for it either.

EvanAnderson, almost 2 years ago

I've run into a number of networks in my area (private businesses, a couple municipalities, a couple law enforcement agencies) all using the 192.9.1.0/24 subnet.

There was some overlap in these sites w/ respect to IT service companies involved in their setup. Best as I can guess it came down to one person who floated between the employ of a couple (or three) IT service companies leaving a swath of 192.9.1.0/24 in their wake (or maybe training other technicians during their time at these companies). It seems like this work might have been done pre-RFC 1597 (which is, I think, the first place that what is today's RFC 1918 address space shows up) but I think they were just following examples.

I'd love to know what examples motivated the use of this address space. I find some old Sun docs[0] referencing this address space, and RFC 2328[1] makes reference to it.

[0] http://bitsavers.informatik.uni-stuttgart.de/pdf/sun/sunos/3.0/800-1323-03B_System_Administration_for_the_Sun_Workstation_198602.pdf

[1] https://www.ietf.org/rfc/rfc2328.txt

stared, almost 2 years ago

Any template strings are ambiguous unless there is more than one example.

For example, let's imagine that there is an instruction saying that in a config file, there should be:

PASSWORD=[password]

Let's say our password is "admin". Then it could be that:

PASSWORD=admin

PASSWORD=[admin]

or even

PASSWORD=[password]

as it is not a place to actually store the password, but to select an authentication method.

Sure, sometimes (but not always!), it is possible to deduce how to fill the pattern.

If the field has some canonical value, go with a sane default e.g. "canary.their-company.com", with a note that any other suffix works instead of "canary". Sensible defaults save us a lot of brainpower (vide https://en.wikipedia.org/wiki/Convention_over_configuration).

im3w1l, almost 2 years ago

In-band signalling often seems to have this issue where it's not 100% clear what is part of the message and what is part of the meta-message.

Edit: I think it's mildly amusing and further drives the point home that some people in this thread missed endnote 1, where you say it was not the actual prefix.

Lammy, almost 2 years ago

See also: Every zpool named 'tank' https://serverfault.com/questions/562564/why-are-all-the-zpools-named-tank

pxc, almost 2 years ago

> Frankly it’s a reason enterprise software is often so terrible; tons of options you barely understand or know about, and are configured according to tutorials/examples rather than understanding.

This article stresses that it's not a 'customer-side problem', and what they'll do to try to address it on their end.

But is there anything that enterprises can do in order to encourage people not to work blindly from tutorials? What do companies where workers avoid this pitfall look like?

lornajane, almost 2 years ago

This is such a great story and an important one. I always optimise examples for people copying and pasting, trying to make it as safe and meaningful by default as possible. It doesn't matter why you're copying and pasting - you may not have a lot of skills in this specific area, or you might be in a hurry. If you know what you're doing, you can probably improve the code, but if you use it as-is, it shouldn't come back to bite you!

jan_Sate, almost 2 years ago

I find it funny how people would just happily use `someprefix` as the subdomain. Isn't it obvious that it's meant to be replaced with another prefix?

bawolff, almost 2 years ago

40% !!

I could kind of tell where this article was going from the first paragraph, but I never thought "some-prefix" would be used by 40%. That is such a high number.

BtM909, almost 2 years ago

I think this is also true for trivial / hypothetical examples. I used to work at a global company that would use 'acme' as an example domain, including for emails and such. Because when we started, the domain didn't exist so test emails would just disappear in void.

Until the domain was registered and is actively being used.

tangentstorm, almost 2 years ago

This reminds me of the association between tetanus and rusty nails.

Why would rust make the presence of bacteria more likely? Is it a food source? No, tetanus on a rusty nail was just an example used in an article many years ago.

Sadly, I cannot find a source for the idea coming from an article at the moment. :/

assbuttbuttass, almost 2 years ago

> When given an example, a significant number of users default to using that same example in their customisation. The behaviour is consistent across customers and configurations. This surprised us!

This is not surprising to me at all. Maybe the authors have never used an example before?

jcynix, almost 2 years ago

Ironically enough that this posting's title seems to be ignored by people who cite parts of RFC 2606 which states at the beginning:

> Updated by: 6761

hardware2win, almost 2 years ago

How about generating randomish suggestion like

company-35642.domain.com

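Added example, not part of any comment in this thread and not Canarytokens code: a sketch combining two suggestions made above, refusing the documented example prefix with a one-line reason (superfrank) and offering a freshly generated suggestion in its place (personjerry, hardware2win). `someprefix` is the thread's stand-in for the real example; the function names, word list and messages are assumptions.

```python
import re
import secrets

# Placeholder strings shown in the docs/UI. "someprefix" is the stand-in
# used in the thread; the real example value is not given on this page.
DOC_EXAMPLES = {"someprefix"}

# DNS label syntax: a-z, 0-9, hyphen; 1-63 chars; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed word list for suggestions; a real one would be much larger.
WORDS = ["files", "build", "assets", "portal", "sync", "mail", "edge", "static"]


def canonical(label: str) -> str:
    """Fold case and drop separators so 'Some-Prefix' equals 'someprefix'."""
    return re.sub(r"[^a-z0-9]", "", label.strip().lower())


def suggest_prefix() -> str:
    """Generate a per-visitor suggestion instead of one static example."""
    return f"{secrets.choice(WORDS)}-{secrets.randbelow(90000) + 10000}"


def check_prefix(label: str) -> tuple[bool, str]:
    """Return (accepted, message) for a user-chosen DNS prefix."""
    label = label.strip().lower()
    if not LABEL_RE.match(label):
        return False, "Not a valid DNS label (a-z, 0-9, hyphen; 1-63 chars)."
    if canonical(label) in {canonical(e) for e in DOC_EXAMPLES}:
        return False, (
            f"'{label}' is the example from the documentation; many setups "
            f"share it, so it is easy to recognise. Try '{suggest_prefix()}'."
        )
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["someprefix", "Some-Prefix", "<someprefix>", "cdn-assets"]:
        print(candidate, "->", check_prefix(candidate))
```

The same check has to run server-side, since a client-side form check alone can be skipped.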
afry1, almost 2 years ago

If I had a dime for every time I saw somebody copy and paste "#myExampleWidget" into production code ...

xeonmc, almost 2 years ago

    printf("Hello World")