Evil Registration Codes

I hate having to use registration codes when installing software, but have accepted it as the way things work.

Today however I got to enter one that’s 80 characters long. That’s right, 80.

Nothing says “we hate our customers” more than making them enter 80 random characters into a text field before they can install the product they purchased.

“Smack My Bitch Up” Performed By The Beatles

This is just silly, but it’s pretty interesting to watch. They really were rock stars of their time.

On Gatekeeper

Gatekeeper is without question a bold move to prevent malware from impacting Mac OS X, but it will likely turn into a legal and ethical mess. Before I explain why, I’ll give a very high level overview. There are three options:

  • Mac App Store – Only run applications from the Mac App Store.
  • Mac App Store and identified developers – Only run applications from the Mac App Store and developers who sign up with Apple to get a key.
  • Anywhere – This is how every Mac and PC today operates out of the box.

The default in Mountain Lion is App Store and identified developers. As MacWorld’s Jason Snell explains:

Apple says, if a particular developer is discovered to be distributing malware, Apple has the ability to revoke that developer’s license and add it to a blacklist. Mountain Lion checks once a day to see if there’s been an update to the blacklist. If a developer is on the blacklist, Mountain Lion won’t allow apps signed by that developer to run.

It’s worth noting that at least today the authentication is only done on first run from what I’ve read. However it’s not impossible for Apple to later check an application on each run to make sure it’s not on the blacklist. That could even happen before the feature ships this summer.

What’s concerning is that Apple will now essentially be the gatekeeper (get it?) and thus pressured to control what users can or can’t install on their computer. Let’s be honest, most developers will never get their users to open system preferences and change this, so getting “identified” is essentially required to develop on Mac OS X if you want more than geeks to use your software.

Apple in the past has been pressured to remove Apps from the iOS App Store. It’s likely (read: guaranteed) to be pressured to blacklist developers who write apps which are controversial. Anything that could be used for piracy from a BitTorrent client to VLC which uses libdvdcss (the library hasn’t been legally challenged ever AFAIK but pressuring Apple is a way around the court system) could be targeted. Apple has a bit of a history banning apps for all sorts of reasons including being negative towards Apple.

How would Apple deal with pressure from patent claims? What about a desktop client for WikiLeaks, like the one that was pulled from the App Store? What about a game distributed by Planned Parenthood or some other organization that tends to draw controversy? There are also the international issues here (Nazi images and Germany, privacy violations and EU). What about more indirect things like Firefox, which can run 3rd party code via plugins and addons? Mozilla refused to kill MafiaaFire. Could the Feds have gone to Apple?

These are all hypothetical situations technically since the feature hasn’t even launched and Apple hasn’t given any clear policies. That in my opinion is the big problem. Apple as far as I know hasn’t given any guidelines as to what would put a developer on the blacklist. Is there even an appeals process?

I’m pretty sure we’ll learn more over the coming weeks. The cool guys over at Panic are pretty optimistic about the feature, so I guess we’ll see.


How To Configure SSL For Apache Securely

I’ve been doing some reading up on best practices for SSL. From what I can gather, and from seeing what other big sites are doing, this seems to be the best practice as of today. This assumes you’re in an OpenSSL 0.9.x (via mod_ssl) and Apache2 world, which is the majority of Linux/Unix based environments. Use a 2048-bit key with a SHA1-signed cert, which is now pretty much standard.

SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown

That will disable potentially insecure ciphers and help mitigate a BEAST attack. Note that this disables SSL 2.0, which shouldn’t be necessary for the vast majority of visitors. I don’t think many websites still support it.
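
An added example, not code from the original post: a small Python audit that computes which protocols an SSLProtocol line like the one above leaves enabled and checks that SSLHonorCipherOrder is on. The function names, the weak sample config and the assumption that a missing SSLProtocol means all three protocols are enabled are mine; virtual-host scoping is ignored.

```python
import re

# Protocols mod_ssl offered in the OpenSSL 0.9.x era the post assumes.
KNOWN = {"sslv2": "SSLv2", "sslv3": "SSLv3", "tlsv1": "TLSv1"}

# The post's directives, and a constructed weak config for comparison.
POST_CONFIG = """SSLHonorCipherOrder On
SSLProtocol -ALL +SSLv3 +TLSv1
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown"""
WEAK_CONFIG = "# constructed sample\nSSLProtocol all\n"


def effective_protocols(args):
    """Apply SSLProtocol tokens left to right and return the enabled set."""
    enabled = set()
    for token in args.split():
        sign = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in KNOWN:
            raise ValueError("unknown protocol: " + token)
        chosen = set(KNOWN.values()) if name == "all" else {KNOWN[name]}
        if sign == "+":
            enabled |= chosen
        elif sign == "-":
            enabled -= chosen
        else:  # a bare name replaces whatever was set before it
            enabled = chosen
    return enabled


def audit(config_text):
    """Return (sorted enabled protocols, findings) for one config."""
    protocols = set(KNOWN.values())  # assumption: default is "all"
    honor_order = False              # mod_ssl default is Off
    for line in config_text.splitlines():
        line = line.strip()
        m = re.match(r"(?i)(SSLProtocol|SSLHonorCipherOrder)\s+(.+)", line)
        if line.startswith("#") or not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            protocols = effective_protocols(m.group(2))  # last one wins
        else:
            honor_order = m.group(2).strip().lower() == "on"
    findings = []
    if "SSLv2" in protocols:
        findings.append("SSLv2 is enabled")
    if not honor_order:
        findings.append("SSLHonorCipherOrder is not On")
    return sorted(protocols), findings
```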


On The iOS-ification Of Mac OS X

Tim Cook spoke at the Goldman Sachs Technology and Internet Conference. Everyone was paying attention to information about Apple’s cash, and labor issues. They overlooked this juicy nugget of information:

Still, Cook doesn’t think the iPad will lead to the death of the personal computer as we’ve known it for the past 25 years or so. “I don’t predict the demise of the PC industry, I don’t subscribe to that,” he said, although admitting that tablet sales were eating into Mac sales and were likely having the same effect on the PC industry, which is essentially stagnant. It seems pretty clear that Cook thinks of the iPad as a different product from the PC/Mac, unlike some industry observers who would prefer to lump the two together.

While everyone is insisting Mac OS X is just going to merge into iOS and talking about iOS-fication of Mac OS X, clearly Tim Cook at least for now sees it differently.

I don’t think Apple would benefit by cannibalizing the desktop/laptop market. It’s somewhat high margin and eventually the tablet margin will drop as competition ramps up. Tim Cook knows that. Apple’s PC market share was never huge, but it was enough to grow the company for many years, and has been quietly gaining strength, even in the corporate world.

PCs are still much more flexible and capable than any mobile product. Keep in mind almost nobody can take a photo they took on an iPhone and put it on paper without a desktop. Printing had been figured out by the time the IBM 5150 shipped. It’s worth noting however that this is likely at least in part due to patent wars and not really a technical limitation.


Twitter Client Gripes

Like many in my trade, I keep a Twitter client open all day. 140 characters works very well between compile times, reloads, uploads. I still use RSS extensively, but Twitter fills the gaps nicely as my brain is always looking for information to absorb (feel free to follow if you don’t).

To this day it amazes me that I can’t find a perfect Twitter client. Tweetie back in its day was pretty damn close, but since it was bought by Twitter, it went downhill to the point of being unusable on the iPhone. Amazingly priced at “free” it’s not worth the price. These days TweetBot is as close to perfect as I can find on the iPhone and I’d recommend it to anyone who is frustrated with Twitter for iPhone.

Largely due to neglect the Mac client is still usable to me, however it’s hardly awesome. Why doesn’t “command /” reliably bring the window to focus? Why can’t I set my preferred url shortener? The developer console has lots of weird select and focus issues. I could go on…

From where I sit, these are the most annoying things Twitter still hasn’t figured out:

  • Search Blows – This one everyone always complains about. Search isn’t good, and only goes a few days back. It’s a miserable experience.
  • Amnesia – Twitter has a very limited memory. You can only search a few days back. Your timeline can only go so far back. Even DMs can only be retrieved a mystery period back. Everything eventually disappears. I actually back up my tweets to a MySQL database so I can search anything I’ve ever tweeted. Most don’t have this luxury. Perhaps they should just partner with Google and let Google handle their archive/search problem. Let Google pay for the data, and for the right to solve this problem.
  • DM Downgraded – This one is pretty specific to the new Twitter “Let’s Fly” UI. Direct Messages are very obscured and buried. Yeah, I get it, you want everything out in the open. It’s annoying however to hide useful and sometimes important UI.
  • Incomplete Clients – There’s no interface that seems to do everything. If you want to know how many RTs or Favorites posts have, the best UI seems to be the website. If you want to use a custom URL shortener, Twitter for iPhone has you covered. Twitter for Mac has no UI to show what client a tweet was created with; mobile, with its limited screen size, does. It also has no way to see RT stats for a tweet. Want to be notified when you have a mention or DM? iPhone or desktop client is best (that’s not the web client’s fault). Amazingly these UIs all come from the same company. Facebook (now) does a pretty good job on feature parity across web/mobile clients.
  • What are favorites/lists – I don’t think anyone has fully figured out what these really are and how they should be used. Is there a value to maintaining a list? It seems most use favorites as bookmarks to read later, some use it for marking tweets they really like. I know I’ve done both. Facebook hasn’t figured out lists completely either, though I feel they’ve at least given them a useful purpose for power users.
  • Spam – I think if a user signs up and just @replies a link to 50 people, an algorithm should be able to detect they are a spammer and stop it.
  • Placeholder – The thing that annoys me the most is they still haven’t figured out how to leave a placeholder on your timeline. Why can’t I just pick up where I left off? I need to search for it. Facebook never solved for this problem either. Amazon’s Kindle (and apps) solved for this brilliantly. Surely Twitter could adopt an API to solve for this. As someone who restarts their browser often due to work I’m doing, this makes the web UI unusable.

So what am I ignoring in terms of annoying Twitter client things?


Use SSL By Default

Twitter is now the latest site defaulting to HTTPS. Kudos to them. I love seeing the web get more secure, even if it’s one site at a time.

If you’ve got a site where login is required, please make sure to use SSL. It’s not that costly anymore. Even this blog uses SSL where necessary.

It’s not needed for general public consumption things (like this webpage), but anywhere a session can be hijacked or confidential data could be transferred, SSL is a good idea. When not possible to default, at least make it an option (I do this for

Beer Bottle Excavator Trick

Assuming this isn’t faked somehow, this is pretty impressive.


The Programmer’s Curse

Programmer’s Curse [proh-gram-er-s kurs] – When a professional programmer sees a problem they think “I can solve this by implementing ________”. They then go on to build something in a manner similar to a mad scientist in an old sci-fi movie.

It’s often associated with eccentric behavior, ingestion of caffeinated beverages, late nights and repeated cursing during debugging because it’s “so close”.

Screen capture from the awesome Young Frankenstein

Path’s Privacy Folly Proves Shift In Privacy Views

Path uploaded address book data from its users in order to provide “social” functionality. After this became public they deleted all address data and apologized.

Everyone is ignoring the worst part of this. While very bad, it’s not that Path actually uploaded their address book (I’d venture most store it in “the cloud” already, so true privacy is out the window). The worst part is that Path didn’t even think this would be a problem until it became news. Even 2 years ago I don’t think there was anyone other than malware developers who would think uploading an entire address book of contacts without an explicit approval would be an OK practice. That is a huge cultural shift.

If Path were a desktop app in 2010, they would be competing with AntiVirus and Spyware blockers who would be racing to provide protection to their users.

In just a short time, a practice that would be reserved for illegal and dubious software was adopted by what seems like a mainstream startup. It’s electronic moral decay.

Apple doesn’t get a free pass either. Why in iOS 5 a sandboxed app can access an address book without alerting the user is beyond me. Addresses, calendar data, geolocation, and the ability to make a call are sacred APIs and should have obvious UI and/or warnings. Geolocation does have an interstitial alert. Phone calls have an obvious UI. Address and calendar data need to have an alert before the app is granted access.