Julian Yap

Senator Al Franken on antitrust laws and privacy

2012-03-30T11:24:00-07:00

United States Senator Al Franken spoke to the American Bar Association last night on the topic of antitrust laws and privacy in the US. Page 18 to 27 discuss Google and Facebook.

… accumulating data about you isn’t just a strange hobby for these corporations. It’s their whole business model. And you are not their client. You are their product.

The Curious Case of Ben Brooks' Spitefulness

2012-03-12T08:57:00-07:00

In an article that was originally more harshly entitled “Harder than opting out of TSA screening” judging from the permalink, Ben Brooks requests a cancellation of his of Readability publisher account:

I asked them to do this five days ago and not only has it not happened, but they seem to just be ignoring the request.

That seems awfully shady.

Writing an article entitled “You Can Sign-up, But You Can Never Leave” seems a bit spiteful to me. “Never” is a long time but according to Ben, “never” counts as longer than 2 business days.

Why the delay?

From Ben’s screen shot, he emailed Rich Ziade (not their Support staff I might add) on 6:58pm on Wednesday night directly. Let’s also consider that Rich Ziade has been on vacation since Wednesday night according to Chris Dary.

Had Ben had emailed their Support staff of 2 people his opt out would have been processed within a day or 2 according to Chris.

It all seems very spiteful towards Readability and their small team. Ben even went to the extent of requesting that his web site be blocked by Readabilility.

Personally I feel that previously being announced as iPhone App of the Week and launching an Android version of their app today is a big achievement for the small team at Readability. They don’t deserve to be accused of being called “shady”.

iOS versus Android fragmentation

2012-03-06T13:58:00-08:00

Chris Sauve on Android apologists:

Some folks have told me that it is unfair to compare iOS and Android on this metric because iOS is effectively just three devices (iPod Touch, iPad, iPhone), whereas Android is a multi-manufacturer ecosystem with dozens of devices. This line of thinking is extremely frustrating to me. Developers and users don’t care that the two platforms aren’t the same. Users want the most recent features and security updates, and will demand them either directly (by complaining) or indirectly (by making a different purchasing decision), and developers want a unified base to minimize testing. Android apologists can list off the differences between the two all day long but it doesn’t change the fact that more versions with smaller share is worse for, at the very least, developers and users.

For all the press that Android’s recent release Ice Cream Sandwich has received, the fact remains that from latest figures it only runs on 1.6% of devices.

iOS 5 is the operating system’s most important release as it offers over the air updates. The adoption curve for any major or minor release of iOS is now measured in days as opposed to weeks.

The story of the compromised Linode VPS and further analysis

2012-03-01T17:40:00-08:00

An interesting story found on Hacker News where a VPS running on Linode was compromised. Most interesting was Marek’s support ticket log since it sounds like he is well versed technically. Here is some of my analysis and thoughts.

From the article, the root passwords were changed through the “Linode Manager” which would initially suggest a compromised Linode Manager account.

The support person rules out the possibility of a brute force login attempt and Marek then asks for the records of Linode Manager logins and notices no false login records. This would indicate to me a security compromise across Linode Manager itself through an alternative access method. Linode has also just released a status update to this security incident which indicates that 8 customers had their Linode Manager account compromised which would indicate what I said is true. The Linode Manager compromise then meant the attacker was able to target customers who ran Bitcoin servers.

The support ticket then concludes with Linode admitting that yes, the Linode Manager was accessed through compromised credentials through Linode’s customer support interface. Yes, this does mean that any Linode customer was vulnerable.

Through further research, the Linode wiki mentions the functionality of the root password reset:

Log into the Linode Manager and select the Linode that you wish to reset the password on. Shut down the Linode and navigate to the “Rescue” tab. From this tab, you can use the “Reset Root Password” utility to enter your desired password and apply the change. After the task has completed, you may boot your Linode and log in.

This sounds like the Linode VPS root password is reset through single user mode.

Linode should immediately disable root password resets through the Linode Manager. Root passwords should only be reset by a customer service representative and only after the identidy of the authorized user for that Linode VPS has been confirmed.

Linode also states that they are further reviewing their policies which is the correct course of action.

How GitHub Tamed Free Software

2012-02-25T23:34:00-08:00

“GitHub has changed the way that people approach development,” says Tom Preston-Werner, the company’s chief technology officer. “They realize that it doesn’t have to be so complex.”

From my experience, GitHub has really revolutionized the sharing of libraries and smaller code sets that you can easily clone and integrate into your own projects. Previously free software was about monolithic standalone projects (and larger code bases) and didn’t have the emphasis on smaller libraries. The structure of GitHub has also greatly simplified the process of contributing and importantly accepting code changes to an upstream project.

The other site I use often is Stack Overflow which in one sense further breaks down code in a social question and answer format. With Stack Overflow code is broken down into individual functions, modules and lines of code.

Interestingly the Wired article has a recent picture of Linus Torvalds and it looks like he is running Linux on an 11" MacBook Air.

Disabling third party cookies in Firefox. How it should be according to RFC 2109

2012-02-25T01:52:00-08:00

In the wake of the recent controversy of Google bypassing the Safari browser setting for disabling third party cookies, I decided to review my settings in Firefox which is my desktop browser of choice and implement the same setting. I have been running this mode for over a week now without any noticeable issues with general web browsing.

John Gruber on Daring Fireball has a great response to John Battelle who argues that accepting third party cookies is how things are “done on the open web”.

In further research I was interested to learn that in the first formal specification for cookies, RFC 2109, identified the privacy threat of third party cookies and explicitly states that third party cookies should be disabled by default.

In section: 8.3 Unexpected Cookie Sharing:

A user agent should make every attempt to prevent the sharing of session information between hosts that are in different domains. Embedded or inlined objects may cause particularly severe privacy problems if they can be used to share cookies between disparate hosts. For example, a malicious server could embed cookie information for host a.com in a URI for a CGI on host b.com. User agent implementors are strongly encouraged to prevent this sort of exchange whenever possible.

RFC 2109 was superseded by RFC 2965 in October 2000 but contains the exact same section and wording.

Below is how you implement disabling of third party cookies in Firefox for Windows and Mac.

Windows

Open Options → Privacy → Select Firefox will: Use custom settings for history → Uncheck Accept third-party cookies

Mac

Open Preferences → Privacy → Select Firefox will: Use custom settings for history → Uncheck Accept third-party cookies

Google commits to respecting the 'Do Not Track' header

2012-02-23T01:30:00-08:00

Julian Angwin of the The Wall Street Journal writes:

Thursday’s announcement means they will work to begin adopting and honoring the [‘Do Not Track’] system within nine months, according to the coalition, the Digital Advertising Alliance, which represents over 400 companies.

This is a big step in the right direction for user privacy.

Susan Wojcicki, senior vice president of advertising at Google, said the company is pleased to join “a broad industry agreement to respect the ‘Do Not Track’ header in a consistent and meaningful way that offers users choice and clearly explained browser controls.”

I’m pretty sure this is mostly in reaction to all the recent bad PR that Google has received but nonetheless it is good to have Google on board.

Google is expected to enable do-not-track in its Chrome Web browser by the end of this year.

That would be great to see.

Visual Innovators. The start of a tasteless viral ad campaign for Dell?

2012-02-22T10:34:00-08:00

The video’s slow reveal approach just reeked of ‘hoax’ or ‘viral ad campaign’. The subtle facial language smirks.

In a quick search on the web I couldn’t find anything which officially tied the campaign to Dell but the production values of the video indicate that a fair amount of funding must have gone into the project. To me that ruled out the chance that this would have been a random creator or a competitor’s smear campaign. The marketing department at Dell hired an ad company and approved this.

A quick whois search also shows that the domain claytonsotos.com was registered on February 2nd this year. The domain visualinnovators.com was only registered a few days ago on February 19th. A Tumblr account for Clayton Sotos exists with posts dating back to January this year.

I understand the concepts of a viral ad campaign but to me this comes across as tasteless. Is Visual Innovators the first in the series of a tasteless viral ad campaign from Dell?

Becoming an iOS Developer

2012-02-21T00:29:00-08:00

Josh Smith relays his experience moving from programming in Microsoft’s Windows Presentation Foundation to Apple’s iOS:

When you move to iOS, you will need to leave behind most of what you know about UI programming from the .NET world. Fundamental things like object-oriented programming, virtual methods, properties, and loops are still relevant, and having knowledge of those things is essential. But knowledge alone won’t be enough to get you up and writing an iOS app.

You will need to re-map your existing concepts and knowledge onto a new programming language, UI platform, APIs, operating system, IDE, keyboard shortcuts, debugger, error messages, etc. This takes time, and can be frustrating for people who are accustomed to being competent and productive in another environment.

It may take any decent programmer a week or two to pick up the basics of Objective-C or any language for that matter. The next steps and real challenges involve learning the frameworks and API’s. There’s a certain amount of basic knowledge you need to commit to memory and beyond that comes expertise.

What defines you as a software engineer is where you decide to devote your time and energy. Your brain has a finite capacity so you need to make conscious decisions on what you want to fill it with. You need to believe that taking those next steps will get you somewhere you want to go.

Google Tracked Safari Users, Bypassing Apple Browser Privacy Settings

2012-02-16T23:34:00-08:00

To get around Safari’s default blocking, Google exploited a loophole in the browser’s privacy settings. While Safari does block most tracking, it makes an exception for websites with which a person interacts in some way—for instance, by filling out a form. So Google added coding to some of its ads that made Safari think that a person was submitting an invisible form to Google. Safari would then let Google install a cookie on the phone or computer.

It should be noted that the default setting on Safari is to block cookies “from third parties and advertisers” unless a user interacts with the third party in some way. This is a perfectly fair default which increases the privacy for users and does not break any obvious web browsing functionality.

On mobile Safari (on the iPhone and iPad) a similar default is in place, albiet with a more cryptic wording. Theoretically, cookies from third parties and advertisers should be blocked in a similar manner as with desktop Safari.

Is it fair that Google purposefully circumvented these default privacy settings using a browser exploit? Definitely not.

Expect to see Apple to address this legitimate browser exploit in the next security updates to OS X and iOS.

UPDATE: Jonathan Mayer, the grad student at Stanford whose research brought this issue to the WSJ, has recently put up a detailed post with further technical details.

iOS App Access to Contact Data Will Require Explicit User Permission

2012-02-15T09:14:00-08:00

“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines,” Apple spokesman Tom Neumayr told AllThingsD. “We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”

A fair and reasonable response from Apple.

In terms of usability and actual user comprehension, I believe the alert box is the best way to ask users that a certain permission (such as permissions for Location and Twitter account details) is required. The main difference with iOS and Android is that iOS asks you for permission when you are performing a task which requires the permission at that time. If you never use a particular feature of an app which requires the Address Book permissions, you won’t be asked for that permission. Android asks you for permission(s) upon app installation which are usually blindly clicked through by users who just want to start using the app they downloaded.

Fair Labor Association Begins Inspections of Foxconn

2012-02-13T16:39:00-08:00

“We believe that workers everywhere have the right to a safe and fair work environment, which is why we’ve asked the FLA to independently assess the performance of our largest suppliers,” said Tim Cook, Apple’s CEO. “The inspections now underway are unprecedented in the electronics industry, both in scale and scope, and we appreciate the FLA agreeing to take the unusual step of identifying the factories in their reports.”

So Apple is the only participating technology company in the FLA and somehow people still believe Apple is the enemy?

Droid 4 by Motorola unfortunately doesn't run Android 4

2012-02-10T11:37:00-08:00

The newly announced Droid 4 by Motorola ships with Android 2.3.5 Gingerbread. I guess the “4” in Droid 4 doesn’t refer to Android 4.

The Samsung Galaxy Note (that 5.3" screen phone that advertised during the Super Bowl) also ships with Android 2.3.

Nearly 500,000 "App Economy" Jobs in United States

2012-02-08T00:46:00-08:00

“America’s App Economy – which had zero jobs just 5 years ago before the iPhone was introduced – demonstrates that we can quickly create economic value and jobs through cutting-edge innovation,” said Rey Ramsey, President and CEO of TechNet. “Today, the App Economy is creating jobs in every part of America, employing hundreds of thousands of U.S. workers today and even more in the years to come.”

The full study entitled “Where the Jobs Are” is worth reading. You can skip through the ‘Methodology’ part which just talks about how they came about the estimated figures.

Halliburton to ditch BlackBerrys in corporate transition to Apple's iOS platform

2012-02-07T01:24:00-08:00

The move comes after “significant research” into both Apple’s mobile platform and Google’s Android operating system led Halliburton to “determined that the iOS platform offered the best capabilities, controls and security for application development.”

RIM has lost the general consumer and now their enterprise market is crumbling to the pressures of the inability to compete with modern smartphones.

I feel the trend will be that more enterprises will move to iOS as opposed to Android, the main reason being platform security.

Speculative Developers

2012-02-06T16:11:00-08:00

If you want to develop apps, take your time and make something awesome. Make it fast. Make it beautiful. Make something you’re proud of. Don’t make 60 crappy apps: Make one really good one.

I tend to agree with this article which mostly outlines what David calls “speculative developers” or ones who “barf out as many apps as possible in the shortest time possible in hopes that they strike gold in the App Store lottery”.

I disagree with his suggestion of “make one really good one”. That’s a lot easier said than done and the example he mentions is Marco Arment with Instapaper. It’s the equivalent of buying only one stock and not diversifying your portfolio.

For independent developers, I would definitely recommend making something you are proud of first and foremost. Beyond that, focus on building a strong portfolio of applications to diversify your risk. Try and work on having apps in different categories in the App Store and targeting different audiences.

Not many developers can step up to the plate and hit a home run on the first swing. Ship, measure, learn, adapt and repeat.

Apple Clarifies iBooks Author Licensing Situation in New Software Update

2012-02-03T10:39:00-08:00

Here’s how the turn of events unfolded. Apple releases iBooks Author with loosely drafted EULA. Blogosphere overreacts. Apple says ‘Hmm, looks like some people really overreacted to the intention of the EULA, we will have legal clarify the EULA.’

Apple has clarified the “important note” which mentions the intended use of the software:

If you want to charge a fee for a work that includes files in the .ibooks format generated using iBooks Author, you may only sell or distribute such work through Apple, and such distribution will be subject to a separate agreement with Apple. This restriction does not apply to the content of such works when distributed in a form that does not include files in the .ibooks format.

Many people claimed that any content you created in iBooks Author remained trapped as well. Apple has also clarified that this is not the case:

[I]f the work is provided for a fee (including as part of any subscription-based product or service) and includes files in the .ibooks format generated using iBooks Author, the work may only be distributed through Apple, and such distribution will be subject to a separate written agreement with Apple (or an Apple affiliate or subsidiary); provided, however, that this restriction will not apply to the content of the work when distributed in a form that does not include files in the .ibooks format generated using iBooks Author. You retain all your rights in the content of your works, and you may distribute such content by any means when it does not include files in the .ibooks format generated by iBooks Author.

It is good that Apple has addressed these concerns promptly in what I felt was a non-issue at the time.

Google now scans Android apps in the Android Market for malware, spyware and trojans

2012-02-02T13:03:00-08:00

Today we’re revealing a service we’ve developed, codenamed Bouncer, which provides automated scanning of Android Market for potentially malicious software without disrupting the user experience of Android Market or requiring developers to go through an application approval process.

The service performs a set of analyses on new applications, applications already in Android Market, and developer accounts. Here’s how it works: once an application is uploaded, the service immediately starts analyzing it for known malware, spyware and trojans. It also looks for behaviors that indicate an application might be misbehaving, and compares it against previously analyzed apps to detect possible red flags. We actually run every application on Google’s cloud infrastructure and simulate how it will run on an Android device to look for hidden, malicious behavior. We also analyze new developer accounts to help prevent malicious and repeat-offending developers from coming back.

Good to see that Google now acknowledges this well publicized problem with apps on the Android Market and has put in some measures to prevent the spread of “malware, spyware and trojans”.

Mark Zuckerberg's desk at Facebook

2012-02-02T11:55:00-08:00

Zuckerberg still doesn’t have an office. I guess that makes it easier for Eduardo to walk up and smash his laptop.

Nice to see that he’s a fellow MacBook Air user.

Android developer recommended target specifications - Not such a rosy picture

2012-02-02T00:20:00-08:00

Localytics tries to paint a rosy picture for Android:

Across all apps using Localytics, a full 73% of Android usage came from devices running a variant of Android 2.3. While the build, known as “Gingerbread”, is not the most recent, from a fragmentation perspective it should be good news to developers that such a large majority of users are running the same Android OS version.

The problem is, when you have only 1% adoption of your latest Android 4.0 Ice Cream Sandwich operating system, developers won’t be targeting that version. By targeting Android 2.2 or 2.3, Android developers are in effect stuck in the past for a long time to come. The hype surrounding any new release of Android is greatly diminished since mass adoption isn’t possible in the short term. Imagine if Google announced Android 5.0 tomorrow with awesome new API features. It wouldn’t mean anything.

It should be noted that the figures that Localytics mentions for Android 2.2/2.3 usage are much higher compared to the figures put out by Google.

74% of Android tablet usage takes place on 7 inch devices with 1024 × 600 resolution.

That percentage for tablets will surely increase as the Kindle Fire is largely seen as the only successful competitor to the iPad.

If Android tablets get stuck in “7 inch device” land, that’s really going to effect the stigma associated with Android tablets and the markets it can appeal to.