How To Clone ePassports

How to clone ePassports (the ones that use RFID).

Yet another piece of evidence that shows the technology is not ready for prime time. I’ve mentioned several times before what a failure RFID deployments in high security situations has been. This is just another example.

[Via Bruce Schneier]

Web Development


Pretty big news from the jQuery camp today. Both Microsoft and Nokia will be making it part of their development platforms.

Extra interesting is that they aren’t forking, but utilizing the existing code under the same license, and will contribute and participate like everyone else.

I’ve been using jQuery on sites for quite a while now (about 2 years). Seeing more and more support for it just makes me feel that it was an even better decision.

Congrats to the jQuery team.

Around The Web

What Is Money?

What is money?

Here’s an amusing video from 1947 titled “What is Money?” Considering the economy right now, not a bad one to watch.

[Hat tip: The Consumerist]

Apple Mozilla

Mobile Browsing UI

It’s interesting to watch mobile web browsing UI develop. This is really the first time since web browsers existed that they have received a large overhaul. Sure, things like tabs are “major”, but when you really look at it, Safari, Chrome, IE and Firefox are all strikingly similar to the original Mosaic (this is 1.0 running on Windows XP):

NCSA Mosaic UI

I’m not sure whose idea it was to put the title in the UI like that, especially in a time when displays were small. That was a gigantic waste of space. The address bar in this version is read only; you need to select Open and enter your URL there. Other than that, it’s pretty much the same browser UI since 1993. That’s right, 15 years of really the same user interface. The window to the web has always looked that way. There’s now bookmarking, a fancier address bar, favicons, and a search box. Firefox goes nuts by letting users install add-ons. Overall: not very different.

There are a few reasons why it hasn’t changed too much. First of all, it’s a pretty good design. Minus some quirks which were worked out pretty fast, it’s effective. If it wasn’t, the web wouldn’t have caught on. Secondly, people know how to use it already. Why make people re-learn?

The mobile space is different yet surprisingly the same. Like the days of old there’s a need to conserve screen space. Unlike the days of old there’s no reason to believe it will get bigger, since small phones are always desirable. Until screens are foldable, the iPhone is about as big as you’ll see. Even when phones get thinner and lighter, the screen size won’t likely get any larger, since it will be awkward to hold and put in your pocket.

With a touch screen you can only make items in the UI as small as a fingerprint. Any smaller and they are unusable to people. A stylus, while clunkier and more awkward, allows for a much more compact UI. This leaves very little space to get a lot accomplished. To add to the complexity of the problem, websites are designed for big displays, meaning there’s a lot to cram into a small space.

Apple’s allegedly making a pretty interesting change to iPhone 2.2. Safari will break out the search box into a more desktop-like separate box. This results in a smaller address bar and the reload icon being moved inside the URL bar. I think the reason for this is to better mirror the desktop, and remind users they can search from the browser chrome.

iPhone 2.2 Safari With Search Box

To be perfectly honest, I’m not sure the address bar is even needed in a mobile browser on a touchscreen device. Unlike a desktop you can’t type directly into it because of the small size. You’re essentially going to another UI to enter the text anyway. Why not just make it a button? You could argue you need the address bar as a way to know where you are. Of course you can likely merge it with the title to accomplish that. All that’s needed in the main UI is the title and hostname. That can all be in the title of the window. I think I’d prefer a back button more than the address bar on a mobile device. Of course if I could tap or tilt the device to go backwards or forwards that would be cool too. One less thing for the UI.

The most similar to this is Fennec.

On a side note, thanks to Apple’s insane SDK licensing and app store policy it is unlikely to ever live on an iPhone. Maybe one day Apple will realize that just like 3rd party applications (something they were originally against), an even more open device would be even more enticing. But I digress.

Nintendo DS

Another concept I’d really love to see and experiment with is a dual screen format, similar to that of the Nintendo DS. This would be perfect for a flip phone style smart phone. As phones can be made thinner, folding them over is an option to keep the physical device small enough for portability while the display size can then be doubled. By the time the iPhone can be made half the thickness (remember the iPod G1 was much thicker than it is now) this is feasible.

There are several fun things about this design. First of all you essentially have an Optimus Maximus keyboard on your phone. Secondly you can now separate the content from the chrome in applications. Perfect for things like web browsers. This is also handy for watching movies, as controls don’t overlay video but are still available. It also would be great for multi-tasking.

That’s where I predict things will ultimately go. We’re once again in the era of bar form phones. Anyone remember the Nokia 1100/5110/3210/3310 fad a few years ago? Then flip phones came back in style. The flip phone style also has the advantage of protecting the internal display from scratches and involuntary button pressing.

It will be fun to see how the interface evolves. I’m relatively certain despite all the different UI prototypes surfacing right now regarding web browsers, as they mature they will adopt features from each other and become surprisingly similar to each other.

[iPhone Safari image via Wired. Nintendo DS image via Wikipedia Commons]



I also would love to see camera:// and <input type="camera"> in HTML5. Thirding Daniel Glazman and Asa Dotzler.

With the proliferation of user generated content from YouTube to video comments, making video easier to use in a more standardized way is better for the web. Considering the growth of online video, in particular user generated video, it seems to be an obvious fit.

Google Hardware

The “gPhone”: T-Mobile G1

Google G1 Phone

So the infamous Google Phone aka gPhone is finally out. The big news is that it is the first to run Android, which I shared my thoughts on a few months ago. Now that the press has been all over it, here are my observations:

App Store

The fact that there is no company (yet) restricting what you can install on it is awesome. Apple has seriously dropped the ball in this regard. I’m still thinking Apple will eventually loosen up just like the original “no applications” stance. I’m also thinking T-Mobile, if not other providers will want to clamp down on what users install to ensure nothing competes with their offerings and eats too much bandwidth. Not to mention security, or “security” depending on how you look at it. Just wait. They already block VoIP. It will expand in time.

The Network / Bandwidth Cap

T-Mobile’s 3G network is enough of a reason to say no. It’s way too small and new. Likely because of this, they snuck a little clause into the terms, limiting you to 1GB of 3G data and then essentially crippling the service for the remainder of the billing period:

If your total data usage in any billing cycle is more than 1GB, your data throughput for the remainder of that cycle may be reduced to 50 kbps or less. Your data session, plan, or service may be suspended, terminated, or restricted for significant roaming or if you use your service in a way that interferes with our network or ability to provide quality service to other users


Android is Linux. I love Linux. That said, I love polished software most of all, and what I love most about Linux is its UNIX-ness. The iPhone’s UI is way more polished even in the demos, which we all know are way better than reality. Then again, iPhone OS is at 2.1 now and Android is just taking off. There’s time for future polish.

Another gripe is the attachment to Google services. What happened to “do no evil”? Google released Chrome, which kept your default search engine (even if it was a competitor). The phone on the other hand requires a Google account. Lack of Exchange support isn’t a great thing. I bet this is because of its open source nature. Apple simply licensed ActiveSync from Microsoft. I’m not sure if Google could do this for Android itself (though an application running on Android potentially could). The licensing could be tricky. Push mail for Gmail is a nice touch though.


Google G1 Phone

Having a keyboard is nice. Totally not worth the size though. USB adapter for a headphone jack? It’s 2008, that’s not acceptable. No multitouch? Come on. It does have a Qualcomm MSM7201A, which is a 528 MHz ARM9 chip from what I understand. Not sure if it’s underclocked or not. The iPhone has a 620 MHz ARM11 underclocked to 412 MHz. It has 192 MB RAM compared to the iPhone’s 128 MB and a 3.1MP camera, compared to the iPhone’s 2MP. Using an SD card for storage is a mixed blessing. On one side you have expandable storage (awesome). On the other hand, no built in storage (suck). You’ll need to buy a card if you want more than 1 GB, meaning most of the hardware cost savings between it and the iPhone will be gone.

From a size perspective, it’s slightly larger in most ways and heavier. That’s likely mostly due to the keyboard.

Gizmodo has a great hands-on discussing their initial impressions. Pretty much matched my feelings from seeing the demos, and having played with the Android emulator.

So far the iPhone is still the clear winner, but it’s only one phone on the Android platform thus far. It’s not a threat yet, but it’s not eliminated either.

Apple Mozilla

Death To SquirrelFish, Long Live SquirrelFish Extreme (SFX)

Looks like SquirrelFish is already “dead”. There’s now SquirrelFish Extreme (SFX). You can see some benchmark comparisons here.

In the past few months, TraceMonkey, V8 and SquirrelFish.

I suspect the next place is going to be improving DOM performance. At some point JS performance (in feel) is going to be limited by the ability to display what’s been processed. Part of that will be DOM speed. There’s also gfx speed, which Mozilla has already done some good work in preparing for. Utilizing Cairo has been a good start. There’s discussion of OpenGL and taking advantage of the GPU. Once this “my JS is faster than yours” phase is over, that’s where I expect things to go.


Remote Controlled Door Lock

Lock maker Schlage announced its new LiNK lock. Essentially you can control your lock via a website, which communicates with your locks via a wireless connection to a base station you keep in your home (included in the kit).

One could say this is an extension of a garage door opener, but in many aspects it’s not. First, a garage door opener is generally not accessible via the internet (likely the easiest point of entry). There is also a secondary door between the garage and the home, which can be locked, and possibly a home alarm which needs to be dealt with. As for the car itself, it also needs to be started. It’s a multi-step process to do anything real.

I’d be curious to know if it uses 802.11a/b/g/n or some proprietary protocol over 2.4GHz spectrum (most likely). I doubt it’s using Bluetooth due to problems with distance.

I suspect these locks will be hacked by the next DEFCON. Between the website, the base station, the wireless signal, and the lock itself, there’s plenty of surface area for vulnerabilities. This is just too tempting.

In The News

Flight Attendants Ask American To Block Porn

Flight attendants have asked American to block porn via the internet access offered on board the aircraft. Of course this is pretty laughable if you really think about it. Anyone who is willing to view porn on a full airplane likely has enough on their hard drive, and several DVDs that will last the entire flight. A big advantage to the local material is no waiting for it to download, and more viewing time. This isn’t anything new.

Of course you can also try visiting a list of plane crash videos, sure to freak out someone on the plane, especially if you turn the volume up.

You can also settle for movies like Alive (1993), Air Force One (1997), Snakes On A Plane (2006), Executive Decision (1995), or if you really want to be daring, United 93 (2006). Airplane! (1980) is a favorite, though likely not very controversial.

Or you could use a VPN; it’s easy enough to pipe data through your own home, and around their likely DNS-based filtering.

Airline rules are intentionally written very vaguely so that they can make decisions on a whim and remove or prosecute passengers. Even a political message on a shirt is enough. I recall a story where visible merchandise from a competing airline was enough as well.

Google Networking Spam

Google Mail Fail

Found an interesting header when doing some tests with mail filtering:

Received: from ([])
        by with ESMTP id k29si2692710qba.7.2008.;
        Sat, 06 Sep 2008 14:48:06 -0700 (PDT)
Received-SPF: softfail ( domain of transitioning does not designate as permitted sender) client-IP=;
Authentication-Results:; spf=softfail ( domain of transitioning does not designate as permitted sender) smtp.mail=user@domain.tld
Received: by with SMTP id d5so1543676qbd.6
        for <>; Sat, 06 Sep 2008 14:48:04 -0700 (PDT)

See the problem? Look closely. In particular look at this line:

Received-SPF: softfail ( domain of transitioning does not designate as permitted sender) client-IP=;

Look at that IP. RFC 1918 states the “20-bit block” (172.16/12) is for private internets. Google is softfailing emails because they’re sent through its own mail servers. Google’s own SPF record looks like this:

;               IN      TXT

;; ANSWER SECTION:        292     IN      TXT     "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ?all"

I really don’t understand why Google is doing this. They should have their SPF checker whitelist mail sent from their own servers. SPF is intended to verify the sender at the point where a message enters your infrastructure; checked against an internal relay hop it’s pointless and can only be harmful. They can still do other spam checks.

From what I can tell, this seems to be happening about 50% of the time, meaning this is something deployed on some but not all Google clusters.
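To make the failure concrete, here is an added example (not code from the original post or from Google) of what a naive SPF check does when it is run against an internal relay hop, beside a check that skips RFC 1918 and other trusted relay hops and evaluates the first external hop instead. The SPF record is constructed: the post’s real record has its ip4: values stripped, so documentation-range addresses (RFC 5737) stand in for them, and a “~all” tail is used so an unlisted sender yields the same “softfail” the headers above show. Only the ip4, ip6 and all mechanisms are implemented; include/a/mx and macros are out of scope.

```python
import ipaddress

# Constructed sample SPF record (the post's real record has its ip4: values
# stripped). The ranges are RFC 5737 documentation addresses, not Google's,
# and "~all" is used so that an unlisted sender yields "softfail" as in the
# headers quoted in the post.
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 ~all"

# The three RFC 1918 private blocks: 24-bit, 20-bit (172.16/12) and 16-bit.
RFC1918_BLOCKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# SPF qualifier prefixes and the result they produce when a mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, value) triples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        mechanisms.append((qualifier, name.lower(), value))
    return mechanisms


def is_rfc1918(client_ip):
    """True if client_ip lies in one of the RFC 1918 private blocks."""
    ip = ipaddress.ip_address(client_ip)
    return ip.version == 4 and any(ip in block for block in RFC1918_BLOCKS)


def check_spf(client_ip, record):
    """Evaluate the ip4/ip6/all mechanisms of record for client_ip; the first
    matching mechanism decides, as in SPF. Returns the SPF result string."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


def check_spf_at_border(hop_ips, record, trusted_relays=()):
    """A correctly placed SPF check: walk the Received: hops from the newest
    (our own server) outward, skip hops that are our own relays (RFC 1918
    space or explicitly trusted networks), and evaluate SPF only on the first
    external hop. Returns (ip_checked, result); ip_checked is None when every
    hop was internal, i.e. the message never entered from outside, in which
    case there is nothing for SPF to verify and the result is "none"."""
    trusted = [ipaddress.ip_network(n) for n in trusted_relays]
    for hop in hop_ips:
        ip = ipaddress.ip_address(hop)
        if is_rfc1918(hop) or any(ip in net for net in trusted):
            continue
        return hop, check_spf(hop, record)
    return None, "none"


if __name__ == "__main__":
    # Naive check against the internal relay hop: softfail, the post's problem.
    print(check_spf("172.16.5.9", SAMPLE_SPF))
    # The same message checked at the border: the private hop is skipped and
    # the external hop (a listed sender) is the one evaluated.
    print(check_spf_at_border(["172.16.5.9", "192.0.2.10"], SAMPLE_SPF))
```

The list passed to check_spf_at_border is ordered the way Received: headers are read, newest hop first, which is why the internal 172.16.x hop is encountered and skipped before the external one; an operator’s own public relay addresses go in trusted_relays so they are skipped the same way.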