A while with Google Chrome

A few months ago, I decided to give Chrome a spin for a while. I started out by simply using it to do simple searches on Google and reading articles.
The next step I took was testing it on apps such as facebook and twitter. Then, I progressed to Gmail and complex web apps.

In the following sections, I will outline several pros and cons of Chrome, with some audio examples using NVDA.
/I am exclusively an NVDA user, and thus I never use Jaws, so please don’t ask me how Chrome works with Jaws, because I haven’t tested this. I know how to use Jaws, but just simply do not have a need for a commercial expensive screen reader in my day to day life.

As of June of 2017, Chrome accessibility can be described as mostly sufficient for day to day use, with a few caveats, which are being fixed. In some ways, it is better than Firefox, although it is certainly rough in a few areas.
However, a massive quality control checkup is needed on some areas, as outlined.
Also, keep in mind that Firefox has more than a decade of actual users beating on it and battle testing it, but now has a lot of legacy code that is going to make for some pain in the near future, for a while with the switch to multi process support. Firefox being an old codebase means that it is less buggy, and fantastic, but it also lags in some areas. on the other hand, Chrome is a newer codebase, and has been multiprocess from the start. More on this later.

The benefits

Speed in large complex web apps:

Simply put, Chrome outperforms every web browser in large web apps. If I take Firefox for a spin with Google drive it is very easy to notice lag.
If I press down arrow in the files list, Chromes response time is a lot faster.
This is an audio demo of Firefox, Chrome, and native Google drive.
In Facebook, Chrome is better for speed. I don’t have an audio demo of this, because I don’t want private info from Facebook being exposed to people. However, the effect is not as heavy.
Anecdotally, Twitter seems also faster when navigating from tweet to tweet, although less so than in drive. However, Chrome has other issues on twitter, which make it impractical, and I will discuss that later.
The moral of the story is that Chrome outperforms other browsers in most spaces, at least where speed is concerned.

Security indicators.

One of my favorite things about Chrome is that if you press shift+tab from the address bar, you are placed on a menu with security info. If you press the menu button, a panel expands with a dialog explaining the security settings, and anything this site has asked you permission to use, and the status of whether you granted it permission.
This is very accessible. I was honestly surprised by this. It is very nice.
Also, I get the different level of security indicators such as this site being verified as a company, or just secure, or even no security. (There should be a label of insecure or mixed security on the mixed security menu IMHO).
One of my annoyances with Firefox is as a blind user, I am forced to go view the certificate for this from the page info, and this is painful, and leaves many less experienced users vulnerable to phishing. The padlock is simply not accessible, and the “green” isn’t shown in any way.
I hope that when Google warns users if they put data into a form which is insecure, that this is made accessible, and alerts the user in a similar way to that which we get currently. It doesn’t seem this is blatantly obvious in canary, but it should be in the label of the form or such, so users don’t miss it.
My only annoyance with this is the Google official page seems to not explain this to a screen reader user as well. (In that menu click learn more to see what I mean). They should say what the alt text of this menu is, rather than just the color of the padlock.

accessible extensions bar

The Chrome extensions bar is accessible.
In Firefox, most less than advanced NVDA users, and the clear majority of JAWS users simply can’t get to the addon bar. It requires object navigation with NVDA, and has no built-in keyboard accessible way to get there, and arrow along it. This has always annoyed me, because there should certainly be a way with the keyboard to get to the descriptions 3.
In Chrome, this is a breeze. You simply press f6 from a web page, press tab or shift tab (Either will eventually work), and you are on the bar of extensions.
From here, you can press the arrow keys, do the twist, and eat cake. (Okay, those last two are obviously a joke and a fair bit random, but all people have been commanded to have fun in life, otherwise, they will turn into a prune).
Once on the extensions bar, arrowing along it lets you move to each extension, and you can activate each extension by pressing its button (Assuming the extension is accessible). My only complaint here 2 is that the Chrome bar doesn’t allow you to use single letter navigation.
Firefox doesn’t offer any way for keyboard only users to focus extensions list, or the Firefox menu for that matter (IMO this is a serious shortcoming).

Very simple UI.

The Chrome UI is very simple. For beginners, it gets out of the way.
This is one of the best things about Chrome. I am used to a browser with tons of menus, so it was very weird at first, but it made me realize how little I use the random features that are scattered about. Chrome has most of them still, just not as surfaced.

Shortcomings or annoyances.

Well, those are my noteworthy features. Here are some annoying things. Note that I list general bugs, but I don’t go into super detail on every little bug, because Canary is so rapidly improving that if I list bugs and say every little bug that annoys me, the list will be out of date in a month. That is indeed a good thing.

Chrome live regions are broken.

10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 said Twitter, but alas, I didn’t know!!!
What? twitter is accessible right? Yes, Chrome live region support is broken still in some ways. Some live regions don’t read, and some of them read twice. Aria-atomic is ignored sometimes, and other times, Chrome reads and spells live regions multiple times. In short, this part of Chrome is being worked on and badly needs love.
In a test I did, adding text to pages with innerText and innerHTML yields different results.
Aria-atomic is ignored completely, (It might be fixed in canary based on last minute tests I performed, but there are other broken cases), and acts differently based on the insertion method.
No one supports aria-relevant (From the SR side) so I didn’t test this.
Also, role=”alert” is very different than plain aria-live, and Chrome isn’t marking role of alert with “alert” roles in the IA2 tree.
I need to file a ton of bugs with Chrome for these cases, but I wrote up an aria-live workout page to test things with 3.
there are several controls on the page. The pages divided into 2 major regions, the first is to test polite live regions, and the 2nd is to test assertive live regions.
Within each section, there are many controls.
there are buttons to update the live region for each subsection with the innerHTML and innerText methods, and there are buttons to do each of these things 10 times (to see how well it does at updating the live region multiple times).
The atomic ones should speak hello and then the unique number.
finally, the toggle button which says ” toggle ouch” toggles an alert being thrown every 2 seconds which says ouch. This is designed to test whether the browser properly is working with the alert role.
every time a button is pressed on the page from the regions other than the full-page controls, the status bar updates. The status bar should be treated as a live region as well.
this page is not user-friendly, it’s simply something I wrote so that I can make sure I understand what’s going on before I filed bugs to fix live region support.
in short, this test page that I wrote is giving me the ability to test Chrome live region support against other browsers and the aria spec, and make sure it is working as intended.
when using Google Docs with NVDA in Chrome Canary, the experience was quite decent, even though these applications use lots of life regions. This was after a few bugs were hunted, so the experience will probably be less than stellar on the stable version.

editor bugs

every browser vendor ever has hated doing editors. Editors are extremely hard to get right. After all these years of accessible Firefox and constant effort to make it better, we still don’t have a bug free editor. This is no different in Chrome.
when I say editor, I mean the edit control and associated code for making such things as typing into text fields and complex rich edit support work.
this problem is hard to solve, because there are simply a ton of edge cases. There are no shortage of editor bugs in Chrome, and most of them are very hard to reproduce, which makes reporting them a challenging task. Fixing these bugs is an ongoing job.
I’m sure this will get better over time, but do not be surprised if blank lines report as full of the text on the line before them, or such.

Quality control help needed

Google needs to have stronger accessibility policy in the quality control department.
It is the case that dialogues all over Chrome, (and other Google products) have unlabeled buttons.
This has always been the case, and it seems to happen more with Google products than with other major companies.
It is also common for new apps to be released with tons of easy to fix and easy to catch accessibility bugs, which could be fixed by giving all employees accessibility training and baking awareness of accessibility into developer culture, no matter what role a developer plays.
for a company this size, I am surprised and very disappointed that something as important as the extensions dialog and download manager have simple accessibility bugs such as unlabeled buttons.
A lot of these simple problems, such as links with base 64 encoded gobbledygook text, can be detected with automated testing tools, and could be caught before they ever go live.
Lack of page structure should be caught in code review, and a user should at least be testing core dialogs such as history for usability.
A strong accessibility policy can rocket a company towards fixing these problems. I urge that a strong accessibility policy is implemented in the next few years, which helps to address some of these problems before they ever arise.

Download manager

the download manager has an unlabelled button after each download.
When enter is pressed to download a new file, there is no feedback given to the user that file download is in progress, and until the user presses F6 a few times to land on the new area of the screen which popped up, the user will be clueless to the fact that this exists.
Once a user is in the new download area, they can tab to the controls in it, but the button to open the downloaded files more options is not labeled. Also, it is not clear to the average user that pressing enter on the download will launch the file (potentially causing trouble if it launches an executable program or such).

extensions store

The extension manager’s main page is accessible. However, installation of extensions is where the roses die.
Trying to install an extension is like drinking an entire soda at once. It hurts.
the tabs (I assume) on the top of the page with extensions, apps, and such, are simply links, where a list or tab control would make it feel more like an app.
There are radio buttons, which are half checked labeled “and up”.
Worse, is a very weirdly labeled set of links on the homepage. Snippet below.

klejemegaoblahjdpcajmpcnjjmkmk...
ngghlnfmdgnpegcmbpgehkbhkhkbkj...
kcahibnffhnnjcedflmchmokndkjnh...
lomnfkdphjhajchdfmimbipjciepnn...
kmmpkhpajpecmpdmmbpjmkmcmfdahk...
klejemegaoblahjdpcajmpcnjjmkmk...
ngghlnfmdgnpegcmbpgehkbhkhkbkj...
kcahibnffhnnjcedflmchmokndkjnh...
lomnfkdphjhajchdfmimbipjciepnn...

This is an excerpt of a chunk of the links on this page which I see.
Along with this, are a myriad of unlabeled links, a complete lack of structure for the entire page, and no headings.
From a usability point of view, this page has no value whatsoever for a screen reader user in its current form, other than the search field.
If rated on Wcag2, it isn’t even level A compliant, not even close. I can’t list everything needing fixed here if I want to, because I don’t know what is being presented.

Other notable page quality control issues.

  • The history page is a structure desert too.
    The same is with the bookmarks page.
    These two pages need a complete accessibility rework.
  • The settings page has seen some love in the last few months. If you still see problems, report them.
  • Some dialogs can’t be read in browse mode, and that issue just got triage, so I know it’s being investigated.
  • There aren’t labels for access keys in the menus.
  • lately, right click menus don’t gain focus when the apps key is pressed. This issue was tracked, and triage.
    However, it was a regression and hasn’t bubbled out of canary, so that’s good news. [5]:

Developer tools

The Chrome Dev tools is not accessible enough. As a developer, I understand that some people depend on dev tools for their job. If dev tools aren’t accessible, a blind person can’t develop for Chrome very easily.
It may be the case that if a developer can’t read the JavaScript errors on their page, they lose their job. I really think dev tools needs careful thought at being fixed in Chrome, and that it isn’t sidelined as a low priority issue, because a recent stack overflow survey found that almost 2% of developers are blind, and only 4% of despondence of the survey chose to disclose their disability. 4
If I as a developer (In that two percent) cannot debug my code, I lose my job. If I lose my job because the dev tools aren’t accessible, it is quite frustrating, degrading, and not pleasant, aside from the fact that blind developers face lots of other challenges getting a job in the first place.

Conclusion

Chrome is becoming a great competitive browser for screen reader users, and it is doing this in leaps and bounds. We have progress to make before it is a polished experience, but finally, there is competition in the accessible browsers market. I am very excited to see accessibility in Chrome now, (Back in the old days, when dinosaurs roamed the earth, and I was a boy, it had no accessibility at all). Jokes aside, I will continue to monitor Chrome closely, and keep using it, along with Firefox, on a daily basis.

How I rolled two factor authentication for ssh access to the server that powers this site.

Update: some details in this post are out of date. I’m not running the same hardware I was when I wrote this now, and converted to systemd.

SSh and two factors (or more) of authentication.

Best practices in IT security dictate that to harden a computer against attacks, one should require a user to enable two-factor authentication. In a two factor authentication scheme, the user who is submitting credentials to a service must submit two different forms of proof they are who they claim to be. (Note that by service, it is most often thought of as a website, but in this case the credentials are to the ssh demon). In my first blog post, we are going to explore possible setups for deploying two factors (or more) of authentication to the ssh demon, such that a user must either provide ssh key, or password. Then they must provide two-factor auth from google authenticator. My current setup is running on a Digital Ocean droplet, and is the cheapest option available (512 mb ram and 1 cpu core and 20 gb ssd storage). I am running Ubuntu 14.04 lts, and have an nginx server setup behind what I am protecting with two-factor auth. It is being used to serve the website you are reading.

Background:

In IT security, two-factor authentication is commonly known as a scheme where you harden a system by ensuring two forms of authentication. Usually you want something you know (password, SSH Key Password) and something you have (SSH key in encrypted form, google authentication codes, biometric thing, Yubikey or smart card). This is what I call the “something you know and something you have” rule. If possible, you need to (either by policy or by technical measures) force the something you have rule. It is hard to do by policy because let’s face it, people are lazy and don’t want to get their phone out to prove the something you have part.

Pre recs

You will need a Linux distribution (any UNIX should work, but I have only tested this on Ubuntu Linux). To keep consistent with what I have, disable root login over ssh, and ensure you have a firewall enabled but allow port 22 (or if you changed the port ssh is served on use that port). I also am using public key auth with an ssh key and a strong ssh key password. I also have sudo privileges on my regular account so that I can upgrade myself to root for any commands or use super user. If you disable root login without enabling sudo privileges for your account you will not be able to use the root account again and you probably don’t want to do that.

Warning:

Keep an extra ssh session open right now before you start. Do not log out of this ssh session or if you break things you may end up trapping yourself out of the server and there will be no idiot switch to enable ssh again. (Have fun using the machines real console). I had two ssh shells running, and logged out of one when I was done, and didn’t log out of that one until I knew things were working properly. Also backup the files I ask you to edit, just in case.

Let’s get started

First things first, (obviously) ssh into your server.

Required packages:

Now, get the packages for google authenticator. I assume you are not running as root and thus use sudo.

$ sudo apt-get install libpam-google-authenticator

Setting it up:

Now, run the google-authenticator command in the context of every user you want to have access to the server. I didn’t use match in the ssh demon file, and therefore, two factor is enabled for all users. There are ways to selectively use two factor for only certain users that I didn’t show. If you need to run google-authenticator as bob and you are logged in as root I think you can use the su command. Up to you to figure out that one. Alternatively, before continuing, make all users of the system run google-authenticator and follow the prompts. Do not continue until all accounts are secured with two factor.

$ google-authenticator

It asks if you want time based codes. I recommend you answer yes.

It asks if you want the config written to your ~ directory. You must answer yes.

Now it will display a qr code (maybe) a secret key, and some rescue codes.

Copy all the rescue codes down somewhere safe. Copy the secret key somewhere safe as well. Note that the rescue codes are your get out of jail free cards. If you lose them and lose your phone with google authenticator on it, you are locked out for good. (In other words, if you lose them change your secret key by running this step again).

Enter the secret key into google authenticator.

IMPORTANT: In order to make the something you have part of two-factor auth work, I really don’t recommend using a two-factor authentication app on the pc you are SSH’ing into. This basically removes the point of two-factor authentication because the something you have is gone. Use a phone or separate PC. Phones are nice because they really are something you have.

Now enter what you wish for these prompts.

When all is done, you should have a  .google_authenticator file in your user directory.

$ ls -a ~ | grep google

If it prints .google_authenticator you should be good to go.

Edit the config files

Use your favorite text editor for this.

$nano /etc/pam.d/sshd

Add this line to the file: For future reference, anything in triple quotes should be added or edited.

“””

auth required pam_google_authenticator.so

“””

One tutorial I saw said to add this to the top, but I added it to the bottom after it failed to work properly. This is just including the shared object (library) for google auth.

Now edit

/etc/ssh/sshd_config

$ nano /etc/ssh/sshd_config

If the ChallengeResponseAuthentication exists, set it to yes. Otherwise, add the appropriate line. Note it may be commented.

“””

ChallengeResponseAuthentication yes

“””

I now added this line to that same file.

“””

Authentication Methods publickey,keyboard-interactive

“””

This sets up a chain of events. If you don’t want to use a public key (I recommend public key crypto over passwords always), then don’t do this, and be aware that if someone logs into the machine with a public key, two factor auth won’t work because it is going to assume that if the user has a public key, they don’t need to enter a password and two factor token.  Log out and try logging back in and see if it worked. If not, you should not log out of the other ssh shell.

Typical chain of events:

  • User Malinda gives her username.
  • SSH shell asks her for public key challenge. Her client provides the appropriate key.
  • Since she is a good and security conscious user of her computer, she is required to type in her ssh key password before the challenge is complete.
  • Now she is asked for her account password. She provides it.
  • The system now asks her for a two factor auth token. She complies.
  • If the two above pieces of information are correct, then she is in. Otherwise, access denied, it asks for password and two factor auth again with no indication of password or auth was wrong.

Other Notes:

If you have a Yubikey, there is a Yubikey module At the Yubikey page. I haven’t played with it because I don’t have a Yubikey.

It is possible to disable password auth altogether so it just requires username>ssh_key>auth_code but I didn’t do that. To do so, see

https://sysconfig.org.uk/two-factor-authentication-with-ssh.html

Also, if you are a company with needs for high security or have multiple (pesky) humans to enforce two factor auth with, you can better enforce the two factors of authentication if you use the Yubikey. This is because it is much harder to install an application to do the second factor of auth. A Yubikey is a physical device and thus is truly something you have.

Enjoy!

Two math problems on money and sequences.

Math problem for the mentally curious

For those who enjoy a math problem to finish off a great day on this planet, here is a problem for you. I randomly came up with it while watching the democratic debate last night (must have been bored).  It is two problems, the second one follows from the first.

Problem statement!

Suppose you owe me money from a recent lone. Your unfortunate situation lets me demand money from you in either one of two ways. You get the choice to choose one of them .

Option 1:

You pay me 1 dollar a day for $$n$$ days.

Option 2.

You pay me 0 cents today (day 1), 1 cent tomorrow (day 2), $$0+1+2$$ cents on day 3, $$0 + 1 + \dots + i + \dots +(n-1)$$ cents on day n.

The dilemma:

[1]: At what day does it become not profitable for you to pay me with option two.

[2]: Additionally, create an expression to tell me how much money I will profit if you pick option 2. Hint: Negative profits for days 1 and so on, are possible until the day when statement 1 above is true.

Problem statement!  For problem 2

Suppose you owe me money from a recent lone. Your unfortunate situation lets me demand money from you in either one of two ways. You get the choice to choose one of them .

Option 1:

You pay me $$x$$ dollar a day for $$n$$ days.

Option 2.

You pay me 0 cents today (day 1), 1 cent tomorrow (day 2), $$0+1+2$$ cents on day 3, $$0+1+ \dots +i+ \dots +(m-1)$$ cents on day m.

The dilemma:

Find an equation for x and n that calculates what day it becomes not profitable for you to pay me with option two (in other words, figure out which day $$nx = m$$. Additionally, create an expression to tell me how much money I will profit if you pick option 2. Hint: Negative profits for days 1 and so on, are possible until the day where $$mx = n$$.

Crash Hero!

NVDA Developers and bug smashers! ATTENTION! This is an important announcement from the department of release stability management. Recently, a new member joined the NVDA community. Her name will remain anonymous, but you may refer to her as the crash hero. In fact, she is the first NVDA superhero. She exhibits her superpower in the form of an NVDA Add-on that can save all your crash dumps in a folder of your choosing on your computer and she does this automatically when NVDA reboots after a crash. She even asks you what you were doing before the crash, and logs it in a messages file. With her completely accurate perception of time and date, you will always know when crashes happened, because she names each crash as a timestamped folder inside your crashes directory. Let the crash hero save you from having to remember where to find the crash dump and keep track of what exactly you were doing before a crash occurred.

Now that I’ve introduced the crash hero, on behalf of the crash hero, I would like to invite you to experience the thrill of never having to open your temp directory and frantically save the crash somewhere when a crash happens in the middle of a homework assignment or business meeting. The crash hero will save crashes in your user folder by default, but by selecting the crash settings item in your NVDA preferences menu, you can pick a custom folder to log all of your crashes in! The crash hero is here, and the crash hero is ready to help you if you are someone who regularly runs snapshots of NVDA so that you or other developers can catch bugs before they sting the general masses.

Download:

https://files.derekriemer.com/crashHero-dev.nvda-addon

Source code (The crash hero is only made stronger by others contributing):

https://github.com/derekriemer/nvda-crashHero

Changes to Googles Youtube for IOS, and how to use it with voiceover.

Youtube was recently updated, and several voiceover changes were put in. At first, you may do what I did. “oh, damn, it, google, stop, breaking, things!!!”

It turns out that google actually fixed a lot of things in this version, making the user experience more streamlined and much more efficient. They did seem to break one thing though.

The story about the video player

In this update, you will find the traditional video player, and below it the video title. It used to be there was a more actions button near there, and there was also a button for expand description. All of that is gone. instead, you’ll notice voiceover says “actions available” just like home screen or mail or a lot of other IOS apps. The available actions are as follows, as tested on a video by sciShow space.

  • Activate item <default> (Likes the current video, there is no way the user would know this without trying it out for themselves)
  • More actions: Expands the options for share, and add to list.
  • Subscribe
  • [If subscribed to current channel]: send me /stop sending me, every notification for this channel.

Now, flicking left/right will bypass everything that used to be there, allowing yourself the ability to more efficiently move by flicking through the app. This is great. They’ve also now changed the like/unlike. To like a video, press the default action, this seems to like the video. Or flick down to more actions, and you may see numbers like 8k and 2k. The first is like and the second is dislike (I think). They aren’t currently labelled with like or dislike. There’s also a handy share button. The only thing missing is a way to view the video description. There may be features I don’t know about missing though.

The videos view

The videos view used to suck. You flicked right and it said “more actions” and other things. Now, simply flicking right sends you to the next available video. Again, you can flick down or up here to do the following:

  • “Activate item” <plays the video>
  • More actions, <Bring up a flyout allowing you to  do these things:
    • Express you aren’t interested in seeing this video ever again.
    • add to watch later.
    • add to playlist.
    • share …
    • cancel <can be activated by scrubbing as well>

This enhancement is really a nice move by google, I’m glad to see this. It was confusing at first, because I didn’t realize this had changed, but now that I figured it out, it’s quite welcoming.

Indentone has been deprecated

Say bye bye to the Indentone addon for NVDA! 🙂

A few months ago, I wrote about indentone. The addon is now in NVDA 2016.4, and thus the addon is not necessary. To turn on line indent reporting with tones, select document formatting from preferences, and then select report line indentation using tones (Alt+i). The combobox has 4 options:

  •  Off: No indent is reported.
  • Speech: the old behavior. If you use indentone, you don’t want this.
  • Tones: Just report indents with tones.
  • both speech and tones: Reports with both of them.

A tab is 4 spaces, this isn’t configurable. If your indent gets beyond 72 spaces, or 18 tabs, you will hear speech not a tone. This is so that we don’t hurt your ears. For the technically curious, the work happened on ticket #5906, and #6057 was the pull request.

Musically curious people will love that each space is represented with a quarter tone, giving a tab a whole tone. The first note, (0 indents) is an A3, at 220 HZ. There are 3 octaves of indents reported, and after that, the system resorts to speech. Mixed tab/spaces will report indents, which is something to be aware of. Also, stereo has been removed, as it is unnecessary and counterproductive on users who aren’t using headphones.

With Indentone in NVDA, I wish my fellow coders a much more productive life coding. Please enjoy this feature. Thanks goes to Jamie from NV Access for helping me design the NVDA implementation, Mick from NV Access for helping me track down a bug in the NVDA implementation after I looked at it stumped on how to fix it, Chris Toth of Accessible apps for convincing me to get this thing out to as many coders as possible, and Camlorn for some help getting the correct equation for figuring out what tone to play and the volume hack in the addon but not in NVDA (Yes, I did look at how you did volume in unspoken originally). With Indentone, blind people now have a very natural way to visualize indentation in code, and the excuses about indentation being useless for blind people should be minimized since technology to avoid this has now  been mainstreamed.

Indentone, making NVDA read indents as musical spacial tones.

Attention: This addon has been deprecated. See The indentone deprecation post for details.

I have decided to make an addon that lets NVDA report indents as tones. This for now is not an official NVDA Add-on which has gone through community review (see future work for more reasons). Here is how it works. When you are reading some code or text with indents, if NVDA sees 4 spaces, or 1 tab, it plays a note. Each indent level we increase, the add-on plays the next whole tone up. Example: c3 all the way on your left (one octave below middle c), 0 tabs. D3, slightly farther right, 1 tab. for each level of indent NVDA sees, it plays a note farther to the right, and up that many levels on a whole tone scale. Then, when indent level decreases again, the notes pitch decreases, and the tone moves back to the left a bit. NVDA previously played no tone for no indent (technical reason) (fixed in indentone0.3.0).

The readme is pasted here. for those who don’t care and just want a download link, go to the download heading level 2.

How to use:

Installation

Install this addon by pressing enter or double clicking it from the file manager. Then tell NVDA to install it by following the prompts.

Using

When NVDA  would normally speak indents, this addon should activate. If it doesn’t, please contact me.
This addon will detect changes in indent level and beep to inform you that an indent occurred. When the text you are reading is more indented than the last text you were reading, it beeps farther to your right than it did before.
Also, the tone will play one whole tone higher  than the previous indent level would. For example, no tabs will be all the way to your left at one octave below a middle c. The first tab will cause NVDA to play a D3 (one step up), 2 tabs an E3 (two steps up), 3 tabs an fSharp3 (technically 3 steps), and so on.
The 3 tabs will be slightly farther right of the C, and a middle c would be much closer to the center of your body than the c below that.
When the text is less indented than it was before (assuming it was already indented), NVDA will do the opposite. For example, lowering the tone and moving it to the left. The farthest right tab level is 3 octaves higher than the no indent level.

Future work

I may play around with panning the audio dynamically. This would allow me to start the beep at your left, and move it 1 indent unit over a time of about 200 milliseconds. The advantage of this is you could judge the difference in indentation that just occurred, while in parallell hearing the code you are currently editing, even if you don’t musically easily judge whole tone steps.
I am also probably going to experiment with integrating this into NVDA core (I’m going to open up a ticket about this after finals). I spoke about Indentone at NVDACon 2016 in a session about my add-ons. I received much great feedback, and I am excited to continue work on this.

Download and links.

https://files.derekriemer.com/indentone-0.3.0.nvda-addon

Source Code:

https://github.com/derekriemer/nvda-indentone