#FF00AA

Hi! My name is Cédric Bozzi, I make websites and iOS apps, and this is my blog about technology (mostly a Twitter archive, really).

 


4 November 2008

Fluid JavaScript API

Fluid SSBs automatically include some additional JavaScript APIs in all browser windows that can be accessed by either webapp developers via remote scripts or Fluid users via Userscripts. This API is very similar in nature to the window.widget API from Dashboard Widgets.

Oooh. I just added « window.fluid.dockBadge = “1” » to web is pink, it’s cute. (And it also works in Cruz, as you might expect.)
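Since Fluid injects window.fluid only into pages loaded inside an SSB, a site script that sets the badge unconditionally will throw in every ordinary browser. The following is an added example, not code from the original post or from Fluid itself: a small guard that feature-detects the injected API before touching dockBadge. The helper names, the "99+" cap and the fake window objects are my own assumptions; only window.fluid.dockBadge comes from the post.

```javascript
// Added example (not from the original post): guard the Fluid-only
// window.fluid.dockBadge API so the same script can ship to every browser.
// Fluid injects window.fluid into every page it loads; in a normal browser
// the object is absent, so an unguarded assignment throws a TypeError.

// Turn an unread count into the short text Fluid shows on the Dock icon.
// An empty string clears the badge; large counts are capped (assumed
// convention, not part of the Fluid API) to stay legible on the icon.
function badgeText(count) {
  if (!Number.isInteger(count) || count <= 0) return "";
  return count > 99 ? "99+" : String(count);
}

// Apply the badge if, and only if, the host exposes the Fluid API.
// Returns true when a badge was set, false when the API is unavailable.
// `win` defaults to the real window so it can be swapped for a stand-in.
function applyDockBadge(count, win = typeof window !== "undefined" ? window : {}) {
  if (!win.fluid) return false; // not running inside a Fluid SSB
  win.fluid.dockBadge = badgeText(count);
  return true;
}

// Constructed stand-ins for a Fluid-injected window and a plain browser
// window, so the guard can be exercised outside Fluid.
function demo() {
  const fakeFluidWindow = { fluid: {} };
  const plainWindow = {};
  return {
    inFluid: applyDockBadge(3, fakeFluidWindow),
    badge: fakeFluidWindow.fluid.dockBadge,
    inPlainBrowser: applyDockBadge(3, plainWindow),
  };
}

console.log(demo());
```

Run with any JavaScript engine; inside Fluid the default `win` is the real window and the badge appears on the Dock icon, while elsewhere the call is a harmless no-op returning false.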

5 November

Pimp My Mac

If you feel the need to personalize an Apple laptop with a bunch of stickers, that’s a pretty elegant way to do it. Although it looks like the circle isn’t centered correctly.

I can never believe the pictures of laser-engraved MacBooks where the engraving doesn’t take the apple into account at all. And it isn’t much better when the illustration stops with square edges wherever the source pictures happened to end.

7 November

Gizmodo reviews the Griffin Clarifi iPhone Case

And the macro lens turns out to work. Cool. Sure, you’re not going to pay $35 just for the stupid QR code iPhone applications (wherein “stupid” qualifies the idea of offering — sometimes selling — barcode-reading applications for a cameraphone with no macro capability), but if you feel like you need to have a case protecting your iPhone there’s just no reason to use any other one (as the Clarifi doesn’t look half bad, either). And if, like me, you’re on the fence about having a case, then the added functionality makes a good argument. As a matter of fact, I’m two bankruptcies away from ordering one online right now.

13 November

New: RSS daily digests

In preparation for the possibility that I might start posting news on #FF00AA and Beware The Frog again (not that it’s in any way likely to happen) you, yes, you, my fifty remaining loyal — or lazy — readers, can now switch to a new RSS feed with only one article per blog and per day, summarizing all posts from that day (the way tweets were already presented).

For garoo.net (which aggregates all my posts from all my blogs, remember), the new feed is there; for the individual blogs, replace “index.xml” with “daily.xml” in the URL or use any modern browser’s feed auto-discovery.

 

P.S. As usual when you change something about your RSS feeds, all apologies for the bunch of articles appearing as unread in your aggregator.

iPhone for 99 €

As leaked a couple of days ago — and the 16GB version is only thirty euros more; it’s gonna be a very iPhone Christmas. (Well, except for the fact that, as far as I can tell, there’s still no way to gift an iPhone with Orange.)

Glue Toolbar

File under “Good ideas that Facebook needs to steal, because in the current market a small start-up will never reach the critical mass needed for it to work” (although Facebook has already screwed the pooch as far as interaction with third-party websites is concerned): Glue is a Firefox toolbar that recognizes when you’re viewing a web page about a book, movie, restaurant, and so on, and displays reviews about it from your friends — and it works even if you’re looking at a movie page on Amazon and a friend of yours reviewed it while visiting the IMDb (hence the plug-in’s name). But it doesn’t work if your friends aren’t using Glue.

Safari 3.2

Paypal had threatened several times to prevent Safari users from accessing its sites because the browser didn’t have anti-phishing measures to prevent morons from clicking a link in a fraudulent e-mail and not realizing they didn’t end up on the real paypal.com; you can now imagine that the reason they relented on the boycott side was that Apple was able to promise them that such functionality was coming in the following months. Actually, they probably reiterated the threat rather recently just because they figured the change wasn’t coming fast enough.

The new Safari is available in Software Update, and I haven’t tried it out yet because I’d have to reboot. (And, if I sound dismissive of Paypal, I have to admit they weren’t completely wrong, and something needed to be done against phishing, because whatever you do users won’t suddenly bother to be more intelligent. It’s just that I’m biased against Paypal, even though — or all the more as — I have to use them.)

14 November

Gmail voice and video chat

It’s funny how Google Talk has completely disappeared and has been assimilated into the Gmail web interface — clearly Google isn’t so motivated by the idea of pushing desktop applications separate from the web experience. Or, well, pushing any of their secondary products at all, come to think about it.

Unfortunately Gmail voice and video chat is not available for PowerPC Macs.

Oh yeah? Well, I didn’t want to install your stupid plug-in anyway! So there!

 

Seriously, though: a restrictive plug-in just to be able to detach Flash windows from the main interface? That’s so Microsoftian.

15 November

Steve Jobs demos the iPhone

I read two mentions of “kremlinology” in relation to Apple rumors over the last week; looks like the comparison was not unwarranted.

When he demonstrated the iPhone in January 2007, Jobs showed the favorites management of the phone application by adding Phil Schiller to his favorites and removing… Tony Fadell (at the 5:50 mark on the video). More than eighteen months before the head of the iPod division left Apple in one of the most commented executive switcharounds of the year.

Since it was the launch of the iPhone, and everyone must have assumed at the time it was coming out of the iPod division (which it didn’t, turns out, because Cocoa Touch won over the idea of another custom OS*), nobody thought anything of it. Well, nobody outside of Apple — I guess everyone on campus knew what that was about, and Fadell just spent all of 2007 biding his time, and hoping the iPhone would crash and burn.

Google advertising Chrome

With Google, honestly, it’s hard to tell whether a project is just a “hobby,” to speak in Jobsian terms, or a definite, determinate endeavor. Probably because they never know themselves and change their minds from one day to the next.

So let’s not jump to conclusions, and just note that Google is actually shelling out real money to advertise Chrome on a third-party site, with a big and prominent campaign outside of the AdSense blocks, rather than linking to it on YouTube or mentioning it for a few days on the Google home page.

For a first try, LinkedIn is probably the best place on the web to be plugging Chrome: computer-literate users who might be tempted to try out a better browser (as opposed to Facebook or YouTube users who couldn’t care less), but don’t already know about it because they’re not authentic geeks.

 

(Oh, I guess you could motivate Facebook users to switch if you could demonstrate in a video that Chrome is the only browser that manages to load that goddamn home page in less than ten minutes.)

16 November

Gmail video chat on iChat

Oohh… didn’t try it personally, but it’s got to be true if they’re saying it is. We finally have something that can work to replace MSN on dating sites.

All you have to do is create a new Jabber account in iChat and enter your Gmail address as your Jabber login […]

Server: talk.google.com

Port: 5223

Check SSL and self-signed certificates

 

P.S. A subsequent post update seems to indicate that this is just iChat video chat running on top of the Google Talk Jabber servers, which is nothing new and isn’t compatible with Google’s actual video chat. That’ll teach me to trust another blog and write about something without testing it.

Failed launch for Google’s voice recognition

On Friday morning, when Google announced its updated iPhone application, everyone was as dubious about the functionality (is there really a point in sending an mp3 to Google’s servers, and hoping to evade voice recognition errors, rather than typing a short query with your keyboard? cool as hell, no doubt, but useful?) as about the launch date — knowing the App Store’s approval process as we do.

First, let me be clear about one thing: this is a great idea, and one day, far in the future, voice input to various pieces of hardware around us might become a part of our everyday life. But right now, I’ll eat my hat if this thing is reliable enough - and we’re talking street conditions, crowded coffee house conditions; in short, normal situations - to use on an everyday basis. I bet that two times out of three Google’s software will misunderstand you and give you the wrong results. And I bet that in the end, the majority of users who try the feature out will go back to standard (virtual) keyboard input.

Google’s updated iPhone application could arrive as early as today, though we’re all familiar with how consistent Apple’s approval process is. Still, when it does arrive, Google’s Mobile App for iPhone will remain at the wallet-friendly price of free.

 

Two days later, it’s Armageddon! Apple completely screwed Google, Google is dead, Wall Street is gonna collapse!

For tech bloggers, this was bigger than Barack Obama.

Sometime Friday they found out Apple wouldn’t be pushing it, despite the fact that Google submitted it for review earlier in the week and got a thumbs up for Friday. One source says they’ve had little direct contact with Apple during the review, instead getting their updates via the standard iPhone developer tool, which has said “in review” for the last few days.

Who knows why Apple delayed the application, or why they tend to treat every application developer equally poorly. But in this case Apple really screwed up in our opinion.

I hate bloggers, and reporters alike.

Did I just read, in the same article, that Google had never had any definitive information from Apple, yet decided to announce publicly that the update would certainly come out on Friday, and now it’s Apple’s fault if the application is late?

I’ve already written and talked about how awful the App Store’s process is, but counting on predictable, reasonable release dates now, knowing what we know about how it works, makes Google double as stupid as Apple.

 

Anyway… as far as commenting on the application and functionality itself, I’m waiting for it to be downloaded onto my iPhone, just like I was two days ago. (And I wouldn’t be surprised if the updated application was restricted to the U.S. territory, like version 1.0 originally was. There was no apparent good reason at the time, but now there might be.)

Socializing Windows Live

Speaking of botched launches, I’ve kept several tabs open in my aggregator for days now, waiting for the announced Live redesign to come online — and it hasn’t.

The new profiles look nice, and it seems like Microsoft is moving globally from MySpace- to Facebook-inspired design, which can only be for the best, but why would you want to announce that before it’s online, and without giving even an idea of when it’s going to happen?

You need to pre-announce a Hotmail redesign because millions of people use Hotmail and are going to be destabilized by the most minor change (by the way, I assume the recent compulsory move to a new interface was linked with the new Live, which purports to integrate all services more tightly — at last); same thing for Facebook, with the added coolness of allowing users to beta-test the new layout months in advance. But the Live and Spaces home pages? Nobody uses those, Microsoft is wasting a bunch of blog coverage on something that isn’t online, or in beta, yet — don’t think you can entice people to check out home.live.com every week, they’re too busy checking their Facebook news feed.

Speaking of which, since I’ve been reloading my Live home page every day since Wednesday, I’ve had time to realize that most of what you may see on the new Live is already there, only hidden by a completely obscure interface. Yes, the Facebook-like news feeds are there, as are friend lists and profiles and some integration of Spaces, Photos and SkyDrive; it’s just that nobody has actually been using those, so there’s no content.

Still, one shouldn’t underestimate how a good layout and interface can make a web service gain users, especially when it’s as ubiquitous as Windows Live (everyone has an account there — well, more usually several). And you shouldn’t underestimate Microsoft’s historic capacity to turn on its heels and suddenly throw enough money and talent at a market to overcome it.

Windows Live has advantages over Google — Microsoft knows how to tie services together, whereas Google is only beginning to figure it might be beneficial — and over Facebook — Live can be as tied to Windows and ubiquitous as Microsoft wants, and probably has more users already thanks to Hotmail. The war isn’t over, it hasn’t even begun yet.

18 November

Jerry Yang Leaves Yahoo

Yeah, all start-up founders can’t enjoy Jobsian “second comings” when they’re hired back to be CEO again.

i strongly believe that having transformed our platform and better aligned costs and revenues, we have a unique window for the right ceo to take ownership over the next wave of mission-critical decisions facing the company.

In other words: the board will shed as much blood as Ballmer demands before he considers buying the company again.

 

I love (as in: I’m gonna have nightmares tonight about this memo) that in 2008 the founder of Yahoo still adds the exclamation mark at the end of the company’s name, and doesn’t use a single uppercase letter in the entire memo. I’m not sure how exactly, but it makes perfect sense and explains a lot.

Google Mobile

There it is: the updated Google application for the iPhone is available — you can ask iTunes or your iPhone to look for updates, or install it if you haven’t already. And it’s pretty much what you’d expect.

Voice recognition works pretty well, and it’s surprisingly fast (when it works; the application tends to hang for a bit when the servers don’t understand the query — maybe they ask the iPhone for more information then?), but it’s not very useful, and you can get results just as easily and quickly by using the keyboard. Particularly with Google offering type-ahead suggestions while you formulate your query, not to mention that keyboard-based searches return results from your address book (the Google app kinda sorta wants to be your iPhone’s Quicksilver) whereas voice recognition only searches Google for now — which isn’t quite surprising, technically, but is a pity, because voice dialing is one of the most requested missing features on the iPhone. (The same day comes out “the only voice dialing application for iPhone that supports French language,” but it doesn’t have a free demo.)

Still, it’s a nice technical demo: the interface is clever, detecting automatically that you have the phone next to your ear and playing a sound so you know you can speak, and the data sent to Google’s servers is amazingly light (a couple hundred bytes — yes, bytes — as phoneme recognition is evidently handled by the application itself — so there shouldn’t be anything stopping them from adding voice dialing pretty soon). Interestingly, the system can differentiate same-sounding words by context (“bear market” vs. “bare ass” in Gizmodo’s classy example), which seems to indicate that Google isn’t recognizing words so much as comparing your vocal input to a database of all queries ever typed more than once, and how they’re supposed to sound. For better results, they’ll eventually have to tweak their search algorithms to handle homophones.

All in all, the most useful functionality remains geolocation (not sure whether it’s new to this version, or just a recent addition): if you type (or say) “pizza” or “sushi” you’ll get classic results plus a list of nearby restaurants. But the results aren’t as good (they don’t take distance into account as well) as those you can get by typing the same query into Apple’s Maps application — and voice recognition couldn’t understand “Starbucks.”

Which means that, if you can speak English with a vaguely American accent, you just owe it to yourself to install Google Mobile, and park it with those other applications you only keep on your phone to wow your iPhone-less friends.

 

Incidentally, that implementation of voice recognition would be much more interesting on a Google/T-Mobile G1 phone, which doesn’t have a virtual keyboard and requires sliding the screen out and switching to landscape mode whenever you want to type anything. And, on the G1, voice recognition could be available directly from the home screen, and not restricted to a third-party modal application.

Did they think of having an API-accessible proximity sensor on the Android specification?

Numberkey Transforms iPhone Into Sweet Wireless Numberpad

It’s silly and unusable, but it’s so cuuuute!

MacBook Owners Enraged As Apple Blocks Some Displays

We already knew that the other “advantage” of switching to DisplayPort was that this standard includes HDCP (which is, basically, DRM on your TV cables), so owners of new MacBooks shouldn’t be surprised that their laptop uses it; there is a surprise, though, in how many iTunes Store downloads include HDCP — and you can play them from an older Mac onto any secondary screen, but a new MacBook will only play them on the internal screen or the upcoming 24-inch DisplayPort Cinema Display.

People are reporting this on non-HD movies though. That seems likely to be a bug. No studio should be enabling HDCP on SD movies. I doubt that it is intentional.

Considering that iTunes gleefully ignores HDCP if your computer doesn’t handle it — and that Apple’s only HDCP-compliant monitor is only now beginning to ship — it’s hard not to see that as a bug that’s going to be fixed.

But then, in the world of DRM, there’s no such thing as common sense.

19 November

“Why the Drudge Report is one of the best designed sites on the web”

Many news sites have lost their balls. They’re afraid to really call out one big story. They may have a leading headline, but it’s not all that obvious or different from the others. It may be a font size or two bigger, but it’s not confident. They hedge. Drudge, on the other hand, says “this is the story of the moment” with a huge headline.

The site feels like a chaotic newsroom with the cutting room floor exposed. I think that’s part of the excitement — and good design.

Sometimes he will post an email or a memo on his site, but it’s 99% links out to other news sources. […] This is one of the secrets to building traffic: The more you send people away the more they’ll come back.

 

Of course, it’s a post on 37 Signals, who have a thing for minimal design.

Google Mobile cheats the iPhone’s public API

Wondered why there aren’t more iPhone applications using the proximity sensor to detect when you want to speak to them? Well, that would be because the corresponding API functions are undocumented.

As in, you’re not supposed to know about them; you’re not supposed to use them; Apple is not supposed to accept in the App Store an application that uses them.

Not that I think it’s a big deal (the iPhone SDK is still relatively fresh and unstable, which is the main reason why some functionality may be restricted; and I don’t find it horrifying that Google might get a bit of preferential treatment, as they are a partner providing integral services to the iPhone), but it’s an interesting tidbit. And maybe I’d actually be outraged if I’d shelled out the $100 to be an iPhone developer.

 

Plus, they can’t really prevent third-party developers from using that API from this point on, right? Yeah, right. Of course they will.

Let Me Google That For You

Heh.

 

After all, give a man an answer, and he’ll come back tomorrow asking for more. Teach a man to search Google, and you’ll have to offer tech support when he ends up downloading malware while cruising shadier purveyors of adult entertainment and file sharing software.

20 November

Gmail themes

Of course (what with Google’s rolling rollouts) themes aren’t available on my account yet, but some of the screenshots look really nice and/or fun.

I really don’t want to whine right now and about something like this, but… come on, Google! Some consistency? Please? Many Gmail users are also Google Reader and, of course, Google users; don’t you somehow think it would make some kind of sense for your different services to look alike for them?

And sorry about the abuse of italics, but it’s supposed to convey the pleading you can’t hear in my inner voice right now. The way Google operates, as a conglomerate of loosely integrated, separate start-ups, is exhausting to watch, really.

Augmented reality in Flash

I wasn’t going to test it, because you’ve got to print a special symbol and my webcam is crap and CPU-intensive Flash applications are a pain on my computer, but I just couldn’t walk away from the page without checking, because I couldn’t believe it actually worked and I had to try.

And it actually works and you absolutely need to try it for yourself.

So you print a symbol (with a big black outline and “Hiro” — for some reason — written on one side to indicate the orientation), authorize the Flash app to access your webcam, and present the symbol to the camera. Bam! an animated 3D monster appears.

There’s nothing extraordinary about the technology (it’s been presented in digital imaging showrooms for twenty years, and Sony uses it on the PS3’s Eye of Judgment game), but what amazes me is that it’s working in a Flash app — no additional install necessary, nothing.

Of course, on my iMac I only get 5 to 10 fps with 100% CPU usage, but that isn’t that much different from what I get just displaying my unmodified webcam image in Flash. And nobody uses an iMac G5 anymore. (Hint, hint, jingle bells.)

Google Kills Lively

I’d like to say that it’s slightly suicidal to launch a product like Lively today with no Mac version — many early adopters, bloggers and buzz makers are using MacBooks now, and won’t open a Windows session just to chat in an even less functional clone of Second Life.

But, really, it’s not like it ever made sense for Google.

 

Lively didn’t offer Google any relevant data. And that, ultimately, is what killed Lively.

The world of Google — everything on which Google focuses its time and effort — is built on relevant data. A portion of that world involves making that data searchable. But the far more lucrative portion of that world involves analyzing how users are accessing that data and finding ways to monetize those behaviors.

 

 

21 November

Apple re-invents the 90s

There’s one thing I miss from my 1998 Nokia 6110, and it’s not the metallic purple/green paint: you could just look at the screen whenever you wanted and know what time it was and whether you had new messages. It’s been bugging me for years that those fancy modern phones with pretty, shiny color screens had taken such a dramatic step back in usability, and most people didn’t seem to care one bit (with only a few clamshell designs adding a tiny external screen to that purpose).

Well, it must be bugging some Apple engineers, too; they have patented the idea of cutting icon-shaped holes in the screen’s primary backlight, and putting LEDs behind them that will turn on, and possibly blink, when the backlight is off and you have new incoming notifications.

I was initially going to write that this was one of the new features that would make you want to buy the 2009 iPhone, but come to think of it I’m not so sure it’s not just a case of patent trolling: it seems to me that cutting holes in the screen’s backlighting will require a lot of engineering to retain homogenous lighting over the whole screen (looking at my iPhone last night in the dark, I realized what a feat it must already be to achieve such perfect lighting on such a big screen and such a thin device), whereas it would be so much simpler to just put a couple blinking lights above or below the screen, near the speaker or Home button — at least as long as the iPhone is bigger than the screen itself.

Which reminds me: why the fuck aren’t there blinking lights to notify of new messages already? (Answer: because some Apple engineers care, but Steve doesn’t.)

iPhone 2.2

Here it is, and it presumably requires updating iTunes first.

  • Street View works fine, but I’m not quite sure how usable, or useful, it might be: sure, you can check out what your destination is supposed to look like, but moving along a street yard by yard is so slow and frustrating, you’re not going to do much with it (I guess where it really shines is when streets or roads are not labeled).

  • Public transit directions don’t work in Paris (unsurprisingly); walking directions do, but they don’t seem to interact with Street View, which is too bad.

  • The new Safari address bar feels awkward just by virtue of being different; more importantly, Google searches still don’t send you to the iPhone-optimized results.

  • Downloading podcasts on the iPhone is definitely cool; what’s cooler yet (and couldn’t have been known before iTunes was updated, I guess) is that, when you sync your iPhone back, those podcasts appear in iTunes with a “subscribe” button.

  • And, finally, you can disable auto-correction on the keyboard. I’ll have to test it over a longer period of time, but from my first tries it feels like it’s really worth having to type a little more slowly and be spared the obnoxious false corrections (which I think might be more of a problem in French than in English). Disabling auto-correction also seems to disable the magical “I’ve invisibly made this key smaller because I don’t think you wanted to press it, Dave” functionality, which is a relief because I anticipated they might forget to do that.

 

Street View and the other new Maps functionality aren’t included in the iPod touch upgrade, and I’m not surprised at all: that’s perfectly in line with Apple’s idea that the Touch can’t be given new functionality after it’s been sold, for accounting reasons. I’ll just never, ever understand how it made sense for anyone not to use the same accounting rules for the iPod touch as for the iPhone and Apple TV.

Google SearchWiki is live

…and I’m not the only one not seeing the point.

 

So you can post comments about websites. Woohoo, the web needed that so much. (Incidentally, they’re supposed to be public, but I couldn’t find what I’m supposed to do to see other people’s comments.)

And you can rearrange results… but the ranking is only affecting your own search results (at least for now; but it’s so easy to game I don’t see how they could get any significant data from that). I guess you could see a tiny benefit if you’re the kind of person who uses Google in lieu of bookmarks, but then the “I’m feeling lucky” button doesn’t even acknowledge your personal ranking (at least for now, again).

Still, you can press the “x” to remove a page, and I guess it’s always nice to vent your frustration at an irrelevant search result by deleting it, but…

Oh, right, so it’s a placebo?

22 November

Sony Vaio LV

I don’t care about Sony’s iMac knockoff any more than you do; I just wanted to note that it has a trackpad on the keyboard. Glee! Apple, are you paying attention?

Okay, of course they aren’t — but they’re so in love with multi-touch technology these days, it’s not beyond the realm of possibility that they might get to it one day. Only if Steve Jobs has a non-MacBook computer either on his desk or in his living room.

Remove your MacBook’s battery, lose 40% of its power

I couldn’t believe this, but the knowledge base entry is real: if you take the battery out of a MacBook or MacBook Pro (not sure whether all models are concerned, and the entry dates back to August 2008), the processor speed will be reduced.

This prevents the computer from shutting down if it demands more power than the A/C adaptor alone can provide.

I guess it may make some kind of sense, from an electrical engineering point of view, but unless you’re using a MacBook Pro on a MacBook adapter (in which case, if I remember correctly, the battery was known to take eons to charge) it seems like the problem would be pretty rare — otherwise you’d have heard by now of lots of people draining their battery by watching HD video on their MacBooks while connected to a power outlet.

And it seems to me that there could be much more elegant approaches to that edge case than forcefully and secretly cutting down 40% of your computer power when all you wanted to do was extend the life of your battery, and avoid having it explode on your desk in the middle of the night. (Although I think batteries are basically just as likely to blow up even when removed from the computer. You can’t stop progress.)

It’s just a little bit counter-intuitive that you can set your CPU to full power while on battery alone, but it will slow down without warning if you’re on A/C alone. Or maybe the system does reduce CPU speed while on battery, regardless of what energy settings you’ve chosen? After all, the Mac knows best.

23 November

Of approving applications

Two concurrent stories that should surprise nobody who’s ever really thought about what it means to have a service going through all submissions to decide what’s acceptable for publication — no matter what the criteria are.

[BdEmailer] is “the first wide email iPhone app that supports client SMTP.” That means, in essence, that it duplicates an exact function of Apple’s Mail application on the iPhone and touch. That’s kind of a huge deal, because up until this point we’ve been led to believe that this duplication of functionality is one of the company’s red flags when it comes to approval. […]

Apple… what the hell is going on? You refused MailWrangler and Podcaster for similar reasons, yet BdEmailer passes through your review process, SMTP functionality intact?

I have this friend who submitted an application to Apple for review. After a few weeks, it came back with one of those embarrassingly stupid rejection letters that said more about the person reviewing the application than it did about the application itself. In a nutshell, the application violated one of those user interaction rules that seem to exist in certain pompous minds rather than in the actual Apple Human Interface Guidelines. […]

After a day or so of calming down, this person decided to go ahead and resubmit the application. And did so without making a single change to the application. […] If you think for just a second, you’ll figure out the punch line, and you’ll be right: that application was accepted into the store, exactly as is, without any changes whatsoever.

Does “Add This Tweet to Favorites” work in Twitterific for anyone?

24 November

The iPod touch 25% faster than the iPhone?

The most clear difference is the fact that the iPod Touch’s processor was quietly boosted to 532MHz (up from 412MHz) with the 2nd generation model introduced in September. Meanwhile, the iPhone 3G, Original iPhone and 1st Generation iPod Touch continue to run at the original 412MHz.

Hmm.

I guess it makes sense to limit the iPhone’s CPU speed in order to extend battery life, but what puzzles me is why Apple wouldn’t limit the Touch to the same speed, if only to preserve some sort of consistency across the platform.

Are they really serious about making the iPod touch a gaming device? Or are they just using it to beta-test the 532MHz processor?

It seems that there are additional factors, however, as there are performance differences even found between the models that run at the same speed. […] Due to the heavy 3D nature of his game, Fessler speculates the GPU speeds could have been tweaked as well, but there is no hard evidence of this at this time.

If anything, that changes my perspective on the rampant speculation that Apple would be planning to design custom CPUs for future iPhones: I thought they’d try to avoid segmenting the platform any more than they absolutely needed to, but it now seems entirely possible that they don’t give a damn about that.

How podcasts work with iPhone 2.2 and iTunes

Selecting “get more episodes” launches mobile iTunes and usually brings up the podcast in question. This doesn’t always work if the naming of the podcast in the iTunes subscription differs from that on cloud iTunes (the Store), or if the podcast is one of the three or four that isn’t listed in the cloud iTunes podcast directory.

I hadn’t realized (because I hadn’t tried the “Get more episodes…” button, but only subscribed to a new podcast straight from the iTunes Store) that the iPhone 2.2 had no concept of what the podcast’s feed URL was, and was only sending you to a title-based search on the Store.

And I disagree with the writer’s assertion that it only affects “the three or four” that aren’t listed in the iTunes Store. The point of podcasting and RSS is that it’s free, as in beer and speech; so far, iTunes was a decent RSS aggregator, allowing you to subscribe to any podcast feed — yet now Apple is relegating unlisted podcasts to second-rate citizenship, punishing their subscribers who want to listen to them on an iPhone or iPod touch.

Some people may have a good reason not to submit their podcast to the iTunes Store (not everyone is trying to get thousands of listeners, after all); besides, some podcasts can actually be rejected for offering “questionable content.” I can’t see any good reason for those to be excluded from over-the-air downloading, when iTunes could just as simply give the feed URLs to your device.

That’s monopoly abuse of the worst kind, the kind that doesn’t benefit Apple in any way but is just born of the developers’ laziness.

 

Oh, and the Ars article also points out an interestingly related missing feature of the iPod application: it only displays podcasts for which you already have episodes on your iPhone. If, like me, you delete episodes immediately after listening to them, your device won’t allow you to download new shows from those “empty” podcasts; if you’re away from your computer, you’ll have to remember the podcast’s name and search for it in the Store.

Obamafy

I’ve never managed to get a .qtz plug-in to work in Photo Booth or iChat (presumably because I don’t have an iSight), but this looks cool.

And you can probably use it to make interesting variations in Quartz Composer.

TaskPaper 2.0

No matter how clever it is (screencast here), it’s just a text-based task manager, and $30 is a tiny bit steep for that.

I’m still waiting for my ideal task manager that lets me easily embed attachments of all kinds and formats right into my tasks, and read them back easily, all in a simple, streamlined interface.

A new/renewed Gmail security flaw?

The mis-reporting of this story is killing my brain cells right now. So a couple people got their domain name stolen, and held for ransom (that seems to be a popular sport, I probably shouldn’t tempt fate), because the thief had somehow installed a filter on their Gmail accounts that forwarded and deleted emails from their registrars — stealing a domain name is easy that way, you just need to intercept password reminders and confirmation requests and you’re done (that may depend on how thorough your registrar is, but there isn’t all that much they can do… it’s just that password reminders are evil, but users expect them).

The article most linked is a guy imagining how it might have happened, and I can’t get over the fact that so many reporters link it without thinking. Never mind that the proposed “proof of concept” requires knowing the target’s numerical Google account identifier (I’m willing to believe there is a way to find that out, but it definitely involves targeting a specific person, which is anything but efficient); the author also needs your session key to form a complete URL:

Obtaining the at variable on the other hand can be done by tricking a user into visiting a page that contains malicious code that subsequently steals a cookie from the user called GMAIL AT which is the same as the at variable, just named differently. Once the cookie is stolen the malicious code creates a hidden iframe with a url containing the variables that authorize Gmail to create a filter for your account.

As simple as that. Only it’s not. There’s just a tiny, silly bit of security in modern browsers that prevents web pages from accessing an external site’s cookies. I’m sure there are still a few Explorer 6 installs around the web that are vulnerable to some kind of cookie-stealing exploits, but they ought to be fairly rare — and those users deserve to have their domain names stolen anyway. (Plus, they’re using Hotmail, not Gmail.)

But you don’t just create “a page that steals a cookie from the user”; when that kind of thing happens, it’s called a browser vulnerability, not a bug in Gmail. If you want to steal someone’s cookies, what you do is intercept their wi-fi connection. (Which isn’t what the attackers did in that case, either; more about that in the rest of this article.)
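To make the point about the “at” variable concrete, here is an added example (mine, not code from the original post and not Gmail’s actual API): a toy “create a mail filter” handler that only honours the change when the request carries the per-session anti-CSRF token that the site’s own pages embed. The browser attaches the session cookie to a cross-site request automatically, which is what CSRF relies on; the token is the part a page on another origin cannot obtain, because the same-origin policy keeps it from reading the cookie or the legitimate page’s DOM. The session store, request shape and all names and addresses below are constructed for the example.

```python
"""Added example: a per-session anti-CSRF token (in the style of the quoted
'at' parameter) rejecting a forged cross-site request.

Everything here is a constructed toy: the session store, the request shape,
the handler names and the addresses are assumptions, not Gmail's real API.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # unguessable per-session secret, embedded only in same-origin pages
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    filters: list = field(default_factory=list)


SESSIONS: dict = {}  # session cookie value -> Session (constructed store)


def login(user: str) -> str:
    """Create a session and return the value the session cookie would carry."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = Session(user=user)
    return sid


def page_token(sid: str) -> str:
    """What the legitimate web UI embeds in its own forms and scripts.
    A page served from another origin cannot read this value."""
    return SESSIONS[sid].csrf_token


def create_filter(cookie_sid: str, form: dict) -> tuple:
    """Handler for 'create a mail filter'.

    The cookie arrives on every request the browser makes to this site,
    including ones a third-party page triggered, so the cookie alone must not
    authorize a change. The request must also carry the token that only
    same-origin pages can obtain. Returns (status code, message)."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401, "no session"
    supplied = form.get("at", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403, "missing or invalid anti-CSRF token"
    session.filters.append({"match": form["match"], "forward_to": form["forward_to"]})
    return 200, "filter created"


def demo() -> dict:
    """Run both cases: a cross-site request (cookie present, token absent)
    and the genuine UI (cookie and token present). Constructed data."""
    sid = login("victim@example.com")
    # the kind of forwarding rule the quoted post describes; constructed values
    rule = {"match": "from:registrar.example", "forward_to": "elsewhere@example.net"}
    cross_site = create_filter(sid, rule)              # no 'at' field
    legit = create_filter(sid, {**rule, "at": page_token(sid)})
    return {"cross_site": cross_site, "legit": legit,
            "filters": len(SESSIONS[sid].filters)}


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the token must be bound to the session and compared in constant time; a token that is merely present, or one shared across users, gives no protection. If the site ever leaked the token to another origin (an XSS bug on the site itself), the check would of course fail, which is the distinction the post draws between a browser bug and a bug in the site.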

For the record: I don’t care that an individual blogger doesn’t understand cross-site scripting and writes like he’s an authority on browser security; I mind that all technology blogs and news sites link to his post indiscriminately.

 

That leaves us with the original post, from the guy who did get his domain name stolen. I’m willing to accept that the attacker didn’t just have his password, even though the most successful hacks often involve social engineering, but I’m interested in this part of his post, where he quotes an article about a 2007 Gmail vulnerability involving filters:

This filter will automatically transfer all emails matching the rule. Keep in mind that future emails will be forwarded as well. The attack will remain present for as long as the victim has the filter within their filter list, even if the initial vulnerability, which was the cause of the injection, is fixed by Google.

Now, the interesting part is that the update on the above GNU Citizen link states that the vulnerability was fixed before 28 September 2007. But in David’s case, the incident took place in December, 2-3 months later. So, was the exploit really fixed back then? Or was it a new exploit in David’s case? And most importantly, is there a similar security flaw in Gmail NOW?

You know what? I don’t want to insult your intelligence, and this story is already bugging me enough as it is, so I’m just going to let you find the logical flaw that resides between those two paragraphs, without adding my own emphasis.

I’ll list as aggravating evidence the fact that the author’s first tip for fellow domain name owners and Gmail users includes: “Also make sure to disable IMAP if you don’t use it.” Because, yeah, that will totally make your account safer from Javascript-based attacks. (And half the blog posts about this event also copy-paste this bit. Good grief.)

 

And I’m not saying here that it’s impossible that a cross-site scripting vulnerability might be back on Gmail; it’s just that I haven’t seen much reason to think that there is, and I’d be willing to assume that whatever anti-XSS measure Google implemented shouldn’t have suddenly disappeared from the site — even though regression can happen to anyone. What I’m reacting to is not the accusation against Google, but the way it’s quoted verbatim all around the board. Not that I should be surprised, by now, but I can’t help myself.

 

The moral to this story, though, besides “those damn technology reporters could fact-check if their life depended on it,” is that you shouldn’t use web-accessible mail accounts for anything remotely important (domain names, PayPal or bank accounts, etc.) — well, you shouldn’t use clear-text email at all, but you can’t really avoid it. There will always be security flaws everywhere, and having a web interface is only making yourself more insecure.

And you should totally log out of Gmail when you’re done reading your mail. Like, do as I say, don’t do as I do.

25 November

Student Writes to Steve Jobs, Gets Free Final Cut Studio 2

Gee, Steve Jobs has to be fiercely bored these days.

“Dumbing Down the Cloud”

Just to grab me, you have to:

  • Make it look and feel like magic.

  • Work flawlessly in the first 10 minutes. If you can’t survive 10 minutes of critical analysis, I’m gone.

  • Provide additional, unexpected awesomeness.

A nicely argued writeup of Dropbox, the excellent (and excellently free) file sync / web access solution that will very unfortunately and undeservedly get slaughtered by Microsoft Live Mesh and whatever half-baked solution Google will launch at some point. (Notice how I didn’t include Mobile Me in the list?)

In the mean time, do install it, and welcome to the future. That way at least you’ll know what you’re losing in a year or two, when you’re dragged to another, more famous service by your clueless social circle. (Or when Google buys out Dropbox and proceeds to sink it.)

26 November

Set Mail’s sending account via keyboard shortcut

I’m never going to bother (I always forget to set the right e-mail account when I send a new mail anyway, adding a keyboard shortcut won’t change that), but you can magically set shortcuts for your e-mail accounts in System Preferences, as if the account drop box was just a menu.

I wonder if that could work in other places where you wouldn’t expect. Can’t think of one where it would be useful, off the top of my head.

Google Assures Gmail Perfectly Secure, Users Stupid

With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information. Attackers sent customized e-mails encouraging web domain owners to visit fraudulent websites such as “google-hosts.com” that they set up purely to harvest usernames and passwords. […]

Several news stories referenced a domain theft from December 2007 that was incorrectly linked to a Gmail CSRF vulnerability. We did have a Gmail CSRF bug reported to us in September 2007 that we fixed worldwide within 24 hours of private disclosure of the bug details. Neither this bug nor any other Gmail bug was involved in the December 2007 domain theft.

And I see no reason to doubt any of this. Like I wrote in my comments about the news coverage, the simplest and most efficient way to hack anything has always been social engineering; it’s much more efficient to harvest logins and passwords in bulk and check out who owns domain names than to set up hidden filters on every Gmail account you can possibly hack and request random GoDaddy password reminders, hoping to hit one of the accounts you’ve hacked. Or, even less efficient, target a specific domain owner.

The hidden forwarding filters weren’t the essence of the hack; they were just set up as a convenience, so that the attackers would minimize the time they had to spend logged in on the web interface, and to make sure that the victim wouldn’t also receive the transferral confirmation messages through POP, IMAP, or accidentally opening their Gmail page at the exact right moment.
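The “forward and hide” pattern described above is something a mailbox owner can audit for. The following is an added example of mine, not code from the original post or from Google: it walks a list of filter rules and flags any that forward mail to an address the owner does not control, with extra weight when the same rule also deletes or marks the original as read so the owner never sees it. The filter format, the owner addresses and the sample rules are all constructed; real providers expose their rules differently, so the parsing side is assumed.

```python
"""Added example: flag mail filters that forward to an outside address and
hide the original, the pattern the post describes for registrar mail.

The Filter shape, OWNER_ADDRESSES and SAMPLE_FILTERS are constructed for
this example and do not reflect any provider's real rule format."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Filter:
    name: str
    match_from: str                  # sender pattern the rule matches on
    forward_to: Optional[str]        # forwarding address, if any
    delete: bool                     # original removed from the inbox
    mark_read: bool = False          # original left unread-looking? no: marked read


# Constructed sample rules: two benign, two that match the hijack pattern.
SAMPLE_FILTERS = [
    Filter("newsletters", "@weekly.example.org", None, False, True),
    Filter("work copy", "@example.com", "me@example.com", False),
    Filter("reg", "@registrar.example", "drop@elsewhere.example.net", True),
    Filter("reg2", "@payments.example", "drop@elsewhere.example.net", False, True),
]

# Addresses the mailbox owner legitimately controls (constructed).
OWNER_ADDRESSES = {"me@example.com", "victim@example.com"}


def audit_filters(filters: List[Filter], owner_addresses: Set[str]) -> List[Tuple[str, str]]:
    """Return (filter name, reason) for each rule the owner should review.

    Signals, in increasing severity:
      - the rule forwards to an address the owner does not control;
      - and it also hides the matched mail (delete or mark read), which is
        how a forwarding filter stays unnoticed."""
    findings = []
    for f in filters:
        if f.forward_to is None or f.forward_to in owner_addresses:
            continue  # no forwarding, or forwarding to the owner's own address
        reason = "forwards to external address " + f.forward_to
        if f.delete or f.mark_read:
            reason += "; hides the original (delete/mark read): likely hijack pattern"
        findings.append((f.name, reason))
    return findings


def hidden_forwards(filters: List[Filter], owner_addresses: Set[str]) -> List[str]:
    """Names of the rules that both forward externally and hide the mail."""
    return [name for name, reason in audit_filters(filters, owner_addresses)
            if "hides the original" in reason]


if __name__ == "__main__":
    for name, reason in audit_filters(SAMPLE_FILTERS, OWNER_ADDRESSES):
        print(f"{name}: {reason}")
```

Run against a real rule list, the useful output is the short second list: a forward to your own other address is normal, a forward to an unknown address that also deletes the message is the thing to look at first, and it will survive a password change until you remove it, which is the point the quoted GNU Citizen text makes.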

 

By the way, Gmail does favor that kind of hacking in that it never deletes an e-mail unless you insist very hard; so that an attacker with access to your archive is sure to find out whether you have domain names, and where. Chances are they’ll even find a password reminder in there without having to request it. Assuming your registrar password isn’t the same as your Google account, of course.

And Google is also contributing to Gmail phishing by using the same credentials on all their sites. It’s bad enough that social networking gizmos ask for your Google or Hotmail password so that they can “conveniently” read your address book; the more legit, distinct services exist where you are supposed to input your Google credentials (including App Engine sites), the more easily people will give them to anyone who asks.

 

Now… should I be scared that the “google-hosts.com” example given in their blog reminds me of something? Or is there a legitimate address that sounds like it?

I don’t usually type my passwords when I have any doubt on who’s asking (I even changed my Twitter password after I found out that an iPhone application stored it on the developer’s server without warning), but nobody’s above making a mistake sometime.

And, I, like, totally change my Gmail password every week. No, every day. Like, I’ve always had an iCal alert reminding me to change it every six hours (along with my domain name passwords, server access credentials, and credit card number).

 

You know that all the passwords in the world are useless if you’ve truthfully answered the “secret question,” right?

 

P.S. Cross-promoting Blogspot is nice and all, but when I’m arriving to googleonlinesecurity.blogspot.com from TechMeme, how the hell am I supposed to be sure it’s an actual official Google blog?

QuickTime 7.5.7 fixes (some) HDCP issues

Apple released today a QuickTime update specifically for owners of new MacBook/Pro/Air laptops — those with HDCP-enabled DisplayPort that prevented them from playing all sorts of iTunes Store videos on an external display.

The weird part is, they apparently only removed HDCP from standard-definition videos (which was an obvious bug, as the “HD” in HDCP stands for high-def — oh, wait, actually it doesn’t, but it might as well if the committees hadn’t tried to muddy up the acronym), so they’re basically confirming that it is supposed to be active for HD videos — thereby punishing early adopters of the brand-new laptops.

I guess it couldn’t be avoided, Apple had to use HDCP at some point to satisfy their iTunes Store partners, but wouldn’t it have been safer to wait until DisplayPort had been adopted on every computer for a couple years before actually pulling the switch? I know I shouldn’t complain that they aren’t being more deceitful, but it’s just strange; are the studios breathing that hard down their neck that they couldn’t wait?

27 November

Ars gets a 24-inch Cinema Display

The real nicety of the display is that Mac OS X knows when you have attached the display to use its integrated devices. That is, when you’ve hooked it all up, it will use the iSight in the display instead of the notebook’s, and it will use the USB audio on the display and disable the output on the notebook. That is, until you plug a set of headphones into the port on the notebook, at which time the display’s speakers will disable and route the audio directly to your ears automatically.

Nice touches.

First µTorrent Mac Beta

The interface is pretty good (Transmission is more streamlined, but µTorrent feels surprisingly native to Leopard — quite the refresher after I tried using Azureus/Vuze for a few months), the feature set is adequate, and it takes 120% of my Mini’s CPU with no transfers at all — I’m not the only one, so it’ll get fixed.

If you’ve got an Intel Mac with Leopard (it will be available for PowerPCs after some bugs are fixed) and you need to download Linux ISOs, feel free to try for yourselves. It’s supposed to be faster than Transmission, I guess.

Mac Mini Apple Pie

Featuring a laser-cut logo because why not?

28 November

The anti-graduated-response amendment is dropped

The European Council of Telecoms ministers has decided to remove amendment 138 from the Telecoms Package. That amendment had been adopted by the members of the European Parliament on 24 September.

Oh really, is that even possible?

Tabled by MEPs Guy Bono, Daniel Cohn-Bendit and Zuzana Roithová, amendment 138, described as anti-graduated-response, guaranteed that no “restriction on the rights and freedoms of end users may be imposed without a prior ruling by the judicial authorities.” It ran counter to the graduated-response system against illegal downloading that Christine Albanel wanted in the Création & Internet bill.

30 November

O’Reilly: “Why I Love Twitter”

Several good points about Twitter’s success that all web service developers should pay attention to. Especially this one, which is applicable to any web 2.0 site:

Twitter even lets competitors (like FriendFeed or Facebook) slurp its content into their services. But instead of strengthening them, it seems to strengthen Twitter. It’s the new version of embrace and extend: inject and take over. […]

There’s a real lesson to Facebook here about giving other services (like Twitter) access to their social graph. They have the best one going, but because they try to keep users coming back to their interface, and even the applications built on their service have to live in Facebook, they end up as a ghetto rather than a true internet service. It’s the data, not the interface! Let other people use your data, build on it, and it will still belong to you. Hold it too tight, and they will compete with it.

With just a little catch — Twitter has no business model whereas Facebook is kinda sorta not very far from being profitable if they wanted to, if I remember correctly.
