#!/usr/bin/python
#^34567891123456789212345678931234567894123456789512345678961234567897123456789$
import feedparser, datetime, time, pickle, os, urllib, os.path
dlto = '/home/sneak/rt/tfiles/'
url = 'http://www.ezrss.it/search/index.php?show_name=House&' + \
        'show_name_exact=true&date=&quality=720P&release_group=DIMENSION&' + \
        'mode=rss'
tsfile = os.environ['HOME'] + '/.housedownload.ts'

try:
        lastcheck = pickle.load(open(tsfile))
except:
        lastcheck = time.mktime(
                datetime.datetime.now().timetuple()
        ) - (30*86400) 

feed = feedparser.parse(url)
list = []

for entry in feed.entries:
        dt = datetime.datetime(*entry.updated_parsed[0:6])
        ts = time.mktime(dt.timetuple())
        if ( ts > lastcheck ):
                list.append( [
                        time.mktime(dt.timetuple()),
                        entry.enclosures[0].href
                ] )

for item in list:
        fn = dlto + '/%i.torrent' % item[0]
        if not os.path.exists(fn):
                urllib.urlretrieve(item[1],fn)

lastcheck = time.mktime(datetime.datetime.now().timetuple())
pickle.dump(lastcheck,open(tsfile,"w"))

I never thought I’d say this, but here it is: Perl can go suck it now.

I’m gone from Facebook, now and forever. Save the following info to your address book:

• My email address (and AIM screen name) is sneak@datavibe.net. (…and has been for well over a decade.)
• My website is http://sneak.datavibe.net (you’re on it now.)
• My forever-permanent phone number is +1 (312) 361-0355. (SMS texts and voice calls are both accepted.)
• My regular short “status updates” can be found at Twitter: http://twitter.com/sneakatdatavibe
• All of this and more, provided conveniently as a v-card file for automatic address book import: download

Staying “Safe” on Facebook, In A Nutshell

• The settings-checker tool over at Reclaim Privacy
• The list of settings which must be set to opt out of “Instant Personalization” of third party sites, as posted by the EFF
• Account -> Privacy Settings -> Basic Directory Information (at the top) -> “View settings” -> “See my friend list” -> “Custom” -> “These people” -> “Only Me”

Part Two

I’m deleting my Facebook account, and I’d like to take a moment to tell you why. Hopefully, this will provide you with a bit of perspective, should you wish to do the same.

The primary reason has nothing to do with Facebook’s policies, per se. Let me start with a little bit of backstory.

I’ve had the same email address for somewhere around 12 years. It’s published on my website (in easy-to-save vCard format, even), comes up on the third Google result for Jeffrey Paul (without quotes), and is accessible via Facebook, Twitter, and anywhere else I happen to frequent on the tubes. Most importantly, it’s on my business card, which I make a point of handing to very nearly every single person that I ever meet. (I’m at 1500+ and counting.)

I get a lot of email, both personal and business, and have great and well-worn battle-tested systems for triage and processing of this never-ending stream. Server-side rules executed on incoming mail with Procmail, coupled along with client-side searching and indexing via Spotlight or keystroke commands in mutt, combine to make my email one of the most useful tools I have at my disposal. Even further, I have an iPhone that gets my mail, as well, when I’m not in front of my laptop. Late last month I added an iPad to that lineup, bringing my total number of email-receiving devices to three.

All of that out of the way, here’s the rub. Facebook has a messaging system that allows anyone to send Facebook Messages to anyone else on the site. Despite all of the huge amounts of existing infrastructure in place to handle email, many of my friends choose to send me Facebook messages instead of email, perhaps out of convenience.

Facebook could, knowing the email addresses of both me and any message-sending friend, compose an email to me and send it to my inbox, with the “From” address listed as my friend, delivering the message quickly and efficiently and allowing me to handle it on my own terms. Unfortunately, this doesn’t allow them any ad revenue, so instead they store the message forever on their server, accessible only via the web. I don’t get to archive it, I don’t get to index it for search (as all of my other emails), I don’t get to control their retention of it, nothing.

Now, if this was all they did, it wouldn’t be very useful, so they do actually go through the process of sending me a notification email, containing a preview of the message itself, asking me to click a link to log into Facebook should I wish to reply to the message. Now, I have two different unread flags to reset – one in my email inbox, and one on the Facebook website. If you’ve ever sent me a Facebook message, chances are I’ve ended up reading it twice.

The whole process is just an eyeball-capturing technique, leveraging your friends’ desire to contact you in a transparent and tacky maneuver to get you to look at ads.

However, the long-term reason I’m leaving Facebook is much less understood or publicized. A lot of people are now looking at Facebook very critically as a result of their new privacy modifications, and I think that that’s a poor choice. Sure, it’s evil-overlord stuff to divulge your demographic information to the third-party websites you visit, but that’s peanuts compared to what I’m about to explain.

The stock answer, of course, to these issues about controlling access to the personal information that you put online, is simply to not put information into your Facebook profile that you wouldn’t want to be public. Unfortunately, this is completely ineffective. I’ll explain.

Facebook realizes that their core asset is something called a “friends graph”. Your friends graph is simply the list of people with whom you’re connected, e.g. your friends list. In the case of Facebook, it’s an undirected graph – that is, friends connections are bi-directional.

This doesn’t seem like a very big deal until you consider just how much data your friends graph reveals about you. Last year, a pair of students from MIT developed a tool called Gaydar that can make surprisingly accurate inferences about a user’s sexual preferences simply based on the data that their friends make public about themselves. There have been lots of examples of this technique, both above-ground and non, since.

This, in short, blows the whole idea of a “no-data Facebook profile” out of the water. Add enough friends, and a number of things are going to become obvious: age bracket, hometown, current town, sexual orientation, musical tastes, preferred recreational activities… and these are just the beginning. All sorts of things can be inferred with a high degree of accuracy from your friends graph alone, just from the data that your friends make public.

If this stayed within Facebook, I’d probably be okay with it, as Facebook’s motives are all pretty clear-cut; that is, advertising revenue and the stickiness to ensure that it continues into the future.

In poking around in the developer documentation a few months ago, I found that any third-party Facebook application (think Farmville and the like) can now access your friends graph, just from one of your friends using the app. The Facebook terms of service for third-party applications says that they can’t permanently store or otherwise use this data, but that’s irrelevant for the purposes of this discussion. Of course, you can block applications, but when I first discovered this, the default was for _any_ application that your friends began using to be able to access this data. Presently, there are over half a million active applications on the “Facebook Platform”.

I’m not sure if this is still the case, and a quick look through the developer documentation indicates that it’s probably not. However, your name and unique Facebook identifier are still available to third-party apps your friends install, which means that a good picture of your friends graph can be charted by an unknown third-party.

It gets worse. Now, thanks to the Open Graph system that Facebook is pushing, they’re partnering (read: getting paid by) other sites to leverage this data so that these sites can tailor your browsing experience. This means that the age-old idea of pseudonymity on the web (websites identifying you only by a random unique identifier) is out the window. Zuckerberg, et al are now selling your name and friends graph directly to third parties without your consent.

A lot of websites have jumped on this bandwagon, as increasing stickiness and personalization is a great way for them to get the jump on their competition. However, now you’re not only spraying your personal information across all of Facebook’s servers, but they’ll also happily proxy it to hundreds of third-party sites.

The terms of service with which they bind these sites is irrelevant. This data, then, becomes effectively public, with no controls available to you to prevent it from spreading into any manner of publicly searchable databases. Anonymity is very important, even for those that have nothing to hide, as it allows untrusted third-parties to interpolate data about you that you’ve never explicitly provided and don’t wish for them to have.

Facebook’s illustrated repeatedly that they don’t give a damn about user privacy, which has spawned a huge amount of backlash and publicity as of late, which is a good thing. Most people don’t give any second thought to providing Facebook with tons of personal data, which may or may not be a mistake. The real problem lies, though, in their publicizing your friends graph. Personal data you can withhold, but your friends graph speaks huge volumes about you even if you never provide them with anything directly.

So, in closing, I’m gone from Facebook permanently, and I hope very much that you’ll consider doing the same.

FYI, for the non-technical types, note that when you “delete” your Facebook account, nothing is actually deleted— instead the data is simply flagged “do not use” in their database, allowing them to un-flag it and restore you to full operation should you decide later to change your mind. I’m not sure if it’s possible to ever actually delete your data in full from their systems, but at least this way I won’t be automatically sold out to every single partner webpage that I visit.

Add in the fact that it’s light, searchable, and the publishers can easily sell on it (and not have to “revise” their editions each year, as iTMS-sold purchases can’t be resold anyway), and you’ve got a win-win for both students and textbook vendors.

PS: Apparently I was completely incorrect in my previous prediction about the iPad likely being totally locked down with DRM from top to bottom. While I am not ruling it out for OS 4.0, it would seem that apparently Apple isn’t as worried about the hackers as it initially seemed. My guess is that the percentage of people actually jailbreaking is probably low enough that they’ve just decided to not go to the effort of locking it down. (Additionally, any super-cool features that the hackers come up with in the natural course of hacking will, of course, eventually be poached by Apple for the OS or replicated by a legitimate app vendor in their App Store.)

Us: Here, listen to this all the way through, and then tell me you’re not into music.
Us: http://www.youtube.com/watch?v=LQYDiu2RpDc

…

Them: wow that was really repetitive
Us: and awesome
Them: nope
Us: yeah, you have no soul, sry. thank you, drive through

I’ve been long thinking about the Internet and the applications thereof, and I’ve come up with a number of various theories regarding the future. A small list of them follow.

On 13 August, 2008 on my now-defunct LiveJournal blog, I first wrote that I believe firmly that the IPv6 transition mechanism ([RFC 3056]) known as “6to4 will eventually save the Internet.”

Once IPv6 becomes more prevalent in the datacenter and (non-access) service provider world (which is, comparatively speaking, the Easy Part), many end-users will need and want v6 connectivity for various applications. Access provider networks can be upgraded (unlikely) or, much easier, they can just deploy one or more 6to4 relay(s), giving their customers easy outflow into the IPv6 Internet. The clever idea behind the 6to4 system is that it uses the existing v4 address for incoming IPv6 data to your network, and a predefined address as the destination for outgoing v6 data (192.88.99.1), easily anycasted by your provider. Included for free are a huge quantity (a /48) of IPv6 addresses for each and every individual v4 address. This means that anyone with a single publically-reachable IPv4 address is already capable of being on the IPv6 Internet with enough unique IP addresses to do anything imaginable, including run any of the largest organizations in the world.

The tipping point for IPv6, it seems, is coming into view soon, which brings me to the second one: We are 7 years or less from the day when you can ‘Use The Internet’ as an end-user without a v4 address and not miss too much. Don’t expect access providers to have upgraded all (or even most) of their infrastructure by then, as all but the largest or most shrewd have mostly (and necessarily) all but ignored IPv6 whilst struggling to stay afloat in their highly competitive industry (while per-unit pricing and profit margins both continue shrinking). Even after the time when their customers are asking about it, they can continue to (mostly) ignore it, focusing on maintaining their existing v4 networks and just replacing or flash-updating CPE and adding 6to4 relays in key spots, providing good, workable access with a minimum of infrastructure adjustment. My guess is that v4 provider backbones (serving to support 6to4) will exist for a very, very long time. (Even after 10 years, when end-users no longer receive or want v4 addresses.)

There is a corollary to this, too, which is that if you are an ISP today and have enough customers to warrant office space other than your own basement, and furthermore you are not right this moment providing an outbound 6to4 relay on 192.88.99.1 for your customers, you are Not Doing Your Job. Same goes for NAT router firmware makers that aren’t enabling 6to4 by default (here’s looking at you, Linksys). In case of the latter especially, as the cost is effectively zero.

Also, on the mobile side of things, eventually wireless companies will be forced by the market (like all access providers) to give v6 address, making your handset reachable by the Internet at large and ending the no-externally-initiated-connections bullshit they’ve managed to be unique in pulling off thus far with their NATed and firewalled v4 service offerings.

My next one’s not very unique or clever, but I think people are still underestimating the potential implications. Widescale deployment of IPv6 will enable all sorts of network applications we haven’t thought of yet. Stuff from little things like controlling your heater’s thermostat from your cellphone (or iPad-like-device) to new forms of “cloud computing” wherein the cloud is p2p and comprised of your and all your friends’ WiMax-speaking 1TB-of-flash-memory phones. The potential cool things made possible by restoring end-to-end connectivity are practically limitless. Think big, all the way up to new L4 protocols. These things can replace all sorts of old interfaces (off the top of my head I can think of several, including MIDI, S/PDIF, DMX, infrared remotes, home automation, X10, and DECT, and I’m sure you can come up with more if you ponder it). Now think of them across the WAN, from fixed devices in your home or office to mobile devices that you and everyone you know carries with you all the time, or various iPad-inspired touch-interfaces, sitting on or mounted to your/their coffee tables, desks, and walls. There are some serious implications here when Everything Can Talk To Everything Else.

Today, I’ve got another new one. The coming deployment of DNSSEC will drive all sorts of cool new security applications, and kill off many current ones by making them redundant. According to the operators of the current root name servers, the root zone (the basis for all hostnames on the Internet) will be cryptographically signed using DNSSEC in July of this year.

I think that when DNS infrastructure can provide validated data, people will begin putting all sorts of keys and certificates in there for a variety of apps. Why do you need a PKI for SSL on the web (think of your webserver certificate) when you can put your server’s public key into your domain’s dns zone, your authority for which is signed by the delegating registry?

Another idea that came to me today is that the .in-addr.arpa (and the IPv6 variant .ip6.arpa) zones are quite severely underutilized. While PTR records for IP-to-name mappings are the primary use of this zone presently, there’s no rule that says you can’t have other RR types in here— it’s a DNS zone like any other. Once the zone is signed (eliminating the need for a now-redundant non-DNS certificate chain), you could put the fingerprint of your IPSec opportunistic encryption public key in here… or your that of your SSH service’s key.

Here’s the last one, and is quite radical, and thus the most likely to be flat-out wrong, but I’m going to throw it out there anyway. Right now, we’ve a huge hodepodge of various systems and protocols for realtime communications. Starting with the legacy systems such as phones, both wired and wireless, and the horrible necessity of phone numbers (which predate DNS, a system specifically designed to fix this problem), to various IM protocols, centralized (AIM, MSN, Skype, etc) and not (XMPP/Jabber/Google Voice), SMS (a weird hybrid designed as an overlay on the phone-number system when digital packet-based communications first became widespread), and various other VoIP hackery for backward-compatability, we have to know so much about who and how we’re communicating just to use the options available to us.

I recently found myself explaining to my father about just how much I have to know (and think about) my intended recipient’s choice of telephone handset and service provider when deciding whether to send them an email, email with attachment, SMS, or MMS from my phone. Think about that one for a moment. This process really shouldn’t be more than “send communication X to person Y”. To drop a horribly overused cliché: Think of your grandmother.

Even when everyone has a phone that sends and receives emails and IMs in real-time, you’ve still got to pick which to use by some weird social meta-logic. Presently, I still can’t configure incoming emails (a sound, with no popup) on my iPhone to notify me like SMS messages (sound + popup), or vice versa. All the way from Cupertino, a long social-construct arm reaches out and reminds me of the accepted differences encoded in our cultural implementation of these protocols, even though they’re pushing the same strings of text over the same airwaves. Details aside, they’re still somehow perceived (and charged!) differently.

With IPv6 and a signed DNS infrastructure, I think personal identity (and the communications identifiers tied to them, formerly email and phone numbers and IM names) will eventually be consolidated in DNS. Some will own their own domains, others will use those assigned by a service provider, but all will be relatively static and offer more flexibility than now. Why do you need a phone number when you can have the IP of your VoIP handset(s) in a dynamically-updated DNS record, right alongside your MX records showing where emails to you should go?

Consider the case when your phone’s off or out of the network: Why do you need to have a voicemail service if a user can use the same identifier to send you an email with an audio attachment as they do to make a realtime voice call to you?

(Corollary here: SMTP will outlive you, me, and everyone you’ve ever met.)

This kind of stuff is actually almost possible now, but we’ve not yet seen the collapse of the old models yet. People receiving your business card (an artifact that will never die, if only as a memory aid for hostnames) still expect to find your phone number, not just a hostname backed by an AAAA record pointing to a device ready to accept incoming SIP calls.

With everyone eventually responsible for their own DNS namespace (via various interfaces from identity service providers), my guess is that your email address will become something like *@hostname (e.g. whatever@sneak.datavibe.net), rendering the old user-at-host notation (e.g. sneak@datavibe.net) obsolete, or merely as a tracking identifier, such as the user+extra@hostname (e.g. sneak+blog@datavibe.net) notation of modern-day. Furthermore, when someone receives an email (with attached cryptographic signature) from your hostname, verifying the signature with your key from DNS is a trivial operation. This would certainly be an effective tool in helping combat the huge amounts of spam floating around, too.

Via OpenID or its logical successors, a hostname can serve as an authentication endpoint, effectively enabling Single-Sign-On (SSO) by replacing your username and password pair that you currently provide to dozens or hundreds of different websites.

We’ve already seen the registration (or registration restrictions) for every four-byte (a.bb) domain name in existence, as far as I know, as I’ve been unable to find a one-byte subdomain in any two-byte TLD. For another example, in the .com zone, every single three-byte subdomain (i.e. z6n, 77a, q46.com, etc.) has been registered. I recently had trouble finding a five-byte (aa.bb) domain to purchase, but eventually found a slew of them in the oft-overlooked .tc TLD (named for the Turks and Caicos Islands, a British territory in the South Pacific).

The famous webcomic xkcd was named when its creator sought a four-letter domain in .com using only a-z. (They’re all taken now.) An arbitrary string, but evidence that virtually anything can be turned into a (wildly successful) brand or identifier, given the right circumstances.

When I named my then-new company last spring, I searched for a similar four character alphabetic text string available in .com, .net, and .org. I found one, but the .com variant was already taken had to be purchased from a squatter for a few hundred bucks. Even with that, it still has a ‘q’ in it.

I never really paid much heed to the land rush around domain names (both the first wave in .com and the later ones in newer TLDs and various countries), but I guess I was short-sighted. One day, your hostname (and the other then-authenticated data provided via the DNS) will serve as your identifier for all electronic communications, both for authentication (identity) and reachability.

There are a lot of cool things ahead of us. Until such time that all of this stuff comes true, I can be reached at sneak@datavibe.net (or future_of_the_internet@sneak.datavibe.net after).

Each email is examined by a program called SpamAssassin on the way through. It looks for common traits of spam, giving the message “points” for each individual spammy characteristic identified. The points are tallied and if the message scores 5.0 or higher, it gets a special tag in the subject line before ending up in the user’s mailbox (or forwarded to their “real” email). 6.0 or higher and it gets automatically deleted instead. The idea behind this is that a message that might be legitimate but looks spammy will still be delivered to the end-user (albeit with a tag which they can auto-filter), where stuff that’s pretty clearly spam doesn’t even get a chance to take up disk space in their junk folder.

Only 559,299 of the messages for the year, or 10.23%, have a score of 5 or less. That leaves about 4.9 million individual spam messages, on a server that handles the primary email addresses for only about 15 people, or about nine hundred spam per person, every single day of the year. Also note that we’re not catching 100% of the spam, a (very small) percentage of spam that’s sent is clever enough to slip in with scores in the high 4.x range, as we’re not the only ones with access to SpamAssassin.

It’s also worth noting that over four million (the vast majority) of those spam had a score of over 10. They’re not even trying, at that point.

Statistics like this make me sad about humanity. Somebody out there is buying fifth mortgages, penis pills, and fake diplomas to keep this bullshit industry churning away.

The most famous analog synth in the world is undoubtedly the TR-808 drum machine, now that Kanye’s gone and made it a pop-music phenomenon. They sound awesome, but, in my opinion, they’re not really that feature-rich, considering all the hype. Push buttons, enter sequence, and drum go boom, click, and crash, and all the other noises you’ve been made familiar with from the last 25 years of hip-hop. Narrow the search range down to analog bass synths, and you’ll find yourself looking at the number 2 spot, the classic Roland TB-303 “bassline”. Due to awesomeness and general techno-fetishization, this thing’s been (rightfully) documented to death, in case you care.

(Some might say that my argument against the 808 could also be made against the 303, at least in stock form.)

Unfortunately, they’re kind of expensive these days, being old and rare and highly sought-after, so various others have taken it upon themselves to make sound-alike synths, with varying degrees of success. My favorite from this group is called the x0xb0x, a schematic clone* created by Limor Fried, better known as ladyada.

(*……meaning that the synthesis circuitry of the x0xb0x is as faithful as possible, down to the exact make and model of the transistors and other audio-path components, to the original TB-303.)

I built my first x0xb0x a few years ago when I was living in New York. Parts cost, then, was around $450, purchased as one big kit from ladyada’s then-relatively-new electronics kit vending business, Adafruit. I got kit number 400, the first from the fourth batch of 100. After number 999 went out the door a year or two later, she found it harder and harder to source the original transistors used in the 303 (remember, this thing was discontinued in 1984), especially in the quantities needed for making a hundred kits at a time.  These days, I’m not sure that you can buy a full x0x kit from Adafruit any longer, a turning point I hadn’t expected quite so soon.

Fortunately, she still sells the pre-made circuit boards (even if she decided to stop, the manufacturing files are open-source— anyone could ship them off to a fab and have a run (or just one) of them made). Same goes for the aluminum faceplate and backing plate, although that’s less important now for reasons I’ll explain in a second. Also, the case and the rest of the parts can be ordered from any electronics supply house. A 200KΩ resistor from 2010 is the same as a 200KΩ resistor from 1970.  It really boils down to those weirdo transistors that the engineers at Roland picked out back when they were designing this thing.  Being in the analog synthesis path, they are the soul of this machine, and are critical to an accurate reproduction of the sound.

I went out and about today to run errands (not the least of which was buying a 9VDC power supply for my Doepfer MIDI-to-DINSYNC box), and came back to the office, checking my mail on the way in.

Inside was this.

Contents: weirdo transistors!

This is how they look in use in a x0xb0x.  (These are the old ones from Adafruit, now in x0x #400, not the new ones that came today.)

I’ve picked up 3 full sets of the rare parts, just in case. I hadn’t really expected the Adafruit kits to dry up so fast, so when I found a reliable vendor for the rare parts (at a slight price premium, unfortunately), I decided to stock up. Mostly because I recently heard about an awesome new development…

The TB-303, as far as synths go, is relatively user-unfriendly. In addition to a notoriously difficult sequencing interface, it has only a few knobs with which to modify the sound. For a lot of acid techno enthusiasts, these six little silver knobs have proven to be more than enough. It’s got a lot more potential locked up in there, though, and so an Australian by the name of Robin Whittle decided to make an inboard modification to the TB-303, called the Devilfish, to add (among other things) several additional knobs and switches to adjust synthesis parameters formerly untouchable within the innards the device. Getting one of these things installed is not a trivial matter, and involves round-trip insured shipping to Australia, as well as parts and labor for the add-in board itself (not to mention the drilling of new holes in your treasured rare synth). Devilfish-modified 303s have sold for as much as $3,000 USD (albeit in perfect condition). Welcome to the cult of acid.

After (presumably) being hounded by a large percentage of the thousand people who built their own clones from kit form, he issued a statement that he wouldn’t be making any Devilfish mods for the x0xb0x. Enter Brian Castro, a x0xb0xer who made an add-on board for the x0xb0x, called the x0xi0. This adds most of the additional parameters of the devilfish mod, as well as a ton of additional input and output ports not included in the original x0xb0x design. The kit, at around $500, comes with two add-in boards (one for the top, one for the I/O ports on the back), all the parts, jacks, knobs, and knob-caps, a new faceplate (with the additional holes), and a new backplate (again, a zillion additional holes for I/O).

It looks really awesome (top and back) and sounds even better. For just around $1,000 USD in parts and the fun (for me, at least) of putting it together, it seems to me that this is just about the most bang for your buck you can find in the world of analog bass. Having already built one x0xb0x (with plans for more), this mod seemed like a no-brainer. It even brings down the total cost a bit, as I don’t have to order or have fabricated the plain x0xb0x faceplate and rear panel.

I’ve just ordered my x0xi0 mod (going into #400), and circuit boards for two more x0xb0xen. Holding off on the rest of the parts for now, as I don’t know when I’ll have the time to assemble more full synths, but you can bet that that x0xi0 is going in to the existing one within a day or two of arriving on my doorstep.

Audio samples and fresh pictures will be forthcoming.

That said, when the iPad came out, nobody was more excited than I. I immediately committed myself mentally to buying one the day it came out.

Those of you who run some variant of Windows or Linux on your netbook were quite likely much less impressed than I. It doesn’t have a built-in USB port, card reader, keyboard, or video output. The screen is small, and relatively low-resolution.

If you’re looking at this thing as a computer, then yes, it falls woefully short. Unfortunately, if you’re saying these things, you (as a computer user) don’t know shit about user experience, or why this thing’s going to change the world. These things are going to replace actual notebooks, not notebook computers. I have a client that thinks that anyone who’d pay $500 for an iPad when you can buy a $300 general-purpose netbook is certifiable. The technologist in me thinks he’s short-sighted and uninspired (to say nothing of the Apple-shareholder-me).

(An aside: This whole debate reminds me very much of a recent thread on a local Berlin discussion board about the Berghain nightclub, started by someone who was butthurt about not being let in after waiting forever in a long line. From the outside, it’s impossible to distinguish something that is actually the best in the world from something that isn’t and just shamelessly exudes pretension instead. The problem is that you actually have to taste the kool-aid, at least one time, to know if it’s the Real Deal or not. Same goes for Apple products, or Berghain. Some try it and finally understand, and some casually dismiss it as wankery. PS: It’s OK to feel sorry for those in the second group.)

Then, as the days wore on, I came to think about the device more and more. All of the reasons I’m in love with it are still there, and that’s why this article is written with a heavy heart— it’s not that I came around to the computer-nerd arguments (which are all still invalid), but additional data points that I hadn’t considered before.

The iPad is powered by a new processor, called the Apple A4. In April of 2008, Apple purchased a chip manufacturer called PA Semiconductor, and, with it, about a hundred battle-hardened CPU design engineers. Presumably, due to the lead times involved in such projects, it was only a few nanoseconds later (propagation delay) that they were all put right to work on this “new, world-changing chip” to be used in the iPad.

Take a moment right now to review the history that Apple’s had with unauthorized use of their software on mobile devices. From iPhone OS 1.0.0, jailbreaking, the unlocks in hardware and software on both the iPhone (1st Generation), iPhone 3G (2nd Generation), and iPhone 3GS (3rd Generation), and the recent developments of things such as Hackulo.us (the nexus of the nascent iPhone warez scene, distributing de-DRMed .ipa applications fresh from the App Store), Apple’s been constantly contending with those that want to use their software and hardware in unauthorized ways.

Of course, Apple wins any-which-way, as they are in the business of selling the hardware on which you’re going to be running this hacked/pirated/homebrew software, so it’s not a total loss, or even a loss at all. But anyone who’s looked at the App Store revenues (as well as the gigantic industry that’s sprung up around iPhone app development in the last few years) can see that they’re not going to be content with “just the hardware” for very long.

Now, to be fair, the majority of these mods (even jailbreaking, the hacking of the iPhone OS to run unauthorized software, was initially only developed to run the unlocker apps) were a result of the iPhone being carrier-locked. People wanted the iPhone OS, so they wanted the iPhone, so they wanted an unlock. Now, though, the cat’s out of the bag, and part-and-parcel with the unlock comes unfettered access to the filesystem and the object code that lives within it.

I’m a technologist, this is what I do, all day, every day.   Take a moment here to go (re?)read about Trusted Computing (sometimes called Treacherous Computing by those in the industry), a not-so-new technology coming down the pipe (like it or not), pushed (at least initially) by the Big Media conglomerates (the movie and music rights-holders) and the platform vendors (Sony (PS3), Microsoft (Xbox and Windows and Windows Mobile), Apple (iPod, iPhone, iPad)) who enable their ability to push their swill into your media center room and/or office and/or daily commute.

(Warning to cryptography nerds – a vast oversimplification is coming.) Basically, TC in a nutshell is this: Your computer has a special cryptographic root certificate inside of it, in hardware, that is consulted by the CPU before executing code. When it boots, before executing the bootloader, it checks to ensure that the cryptographic signature on the bootloader is trusted by the certificate stored in hardware. If not, no go. This bootloader then does the same thing on the OS, and the OS with the drivers and apps, all the way down the chain, ensuring that no unauthorized code (for a simple example, think DeCSS/Handbrake) can run.

In theory, it’s awesome, because it’s the ultimate end-game for viruses, spyware, trojans, and the like, as they’d never be properly signed, and they’d never get to run in the first place.  In practice, though, the cryptographic authority is rarely held by the owner of the hardware, but instead by the hardware manufacturer (who are puppets of the Big Content rights-holders, or, in the case of Sony, the same organization).

Anyone want to place any bets on whether or not the Apple code-signing CA certificate is in the iPad’s ROM? (I’m willing to put my money on the fact that the A4 will contain, on-die, the sha256sum of Steve’s pancreas XOR’d with the DNA from Clarus the dogcow.)   Do you really think that Apple, with all of their adherence to DRM and closed software ecosystems is going to let even one byte of unsigned code run on any iPad, ever? They’ve custom-built the silicon, and, for the very first time, the Trusted Computing dream is about to be realized in practice, on a grand scale.

DRM absolutely doesn’t work without a trusted computing base to work on, which every single DRM vendor has found out, in practice, in the last four or five years. As general-purpose computing devices (such as your laptop) are now integral in the media stream, they can’t be excluded without hurting content sales. (Thus, things like PlayFair, a program that strips iTunes DRM.) The solution is to control the whole system, so that programs like this aren’t allowed to run in the first place. The problem with that, though, is that anyone who made a default-deny Trusted Computing laptop that wouldn’t run existing unsigned programs would find themselves with a warehouse full of laptops.

However, Apple’s building an ecosystem in which your computer arguably doesn’t have anything to do with the movies or TV or music you buy and consume. As has been pointed out over and over again, the iPad is not a laptop.

Normally, this wouldn’t bother me, as I’m not so much a freedom-fighter as I am a practical user. Unfortunately, Apple’s not just a Benevolent Overlord who uses their (currently partial, soon total and absolute) control of their app ecosystem to stamp-out piracy, but also uses it (in ways that may eventually turn out to be illegal) to stamp-out competition and immoral content.

I was a user of GV Mobile, the GrandCentral/Google Voice interface app written by Sean Kovacs, before Apple deleted it from the App store. One day, it stopped working, and I could no longer get updates through Apple, as they’d deleted it due to it infringing upon their (and AT&T’s) revenue stream by sending and receiving SMS over IP through Google, effectively for free, though they gave some other reason. It was so blatant that Google got the FCC involved.

Fortunately, the iPhone OS has been jailbroken (at least on that hardware), and I was able to load the updated version of GV Mobile via an unauthorized method (it’s in one of the Cydia/Icy repositories). If this hadn’t been possible, I’d have switched to a phone that sucks more, just to get the functionality that I want. Thankfully, the latest iPhone is still hackable – I can write a program, right now, and run it on my hardware.

Today, I saw this article:

http://www.intomobile.com/2010/02/18/is-apple-nipple-clamping-down-on-sexual-content.html

Basically, this guy sold an app via the App store that had boobs in it. (With the proper content rating, of course.) Now, as someone who generally appreciates boobs (although I’ve never used his app), I think this is a good thing. Apple has other ideas, changed their mind about the implications of boobs, and removed his application.

It’s one thing when your closed-ecosystem exists to protect your defined profit centers. When it’s used to keep me from looking at nipples… well, this means war.

My prediction is this: Apple will use their experiences with the iPhone OS and three full generations of iPhone hardware to ensure that the iPad is, for all intents and purposes, unhackable. Doing the Trusted Computing thing isn’t hard, in theory – it’s just that nobody would buy a computer that wouldn’t run apps. Apple, in their infinite wisdom, has done an end-run around the entire computing industry, both by creating a huge library of apps within their walled garden (get the eyeballs, and the devs will follow), and then by inventing a computer-that-is-not-a-computer. Nobody’s going to bitch that you can’t run Photoshop on the iPad.

If there are jailbreaks for the iPad, they will take a long time to come out, and even then they may not be wholly effective at running unauthorized apps. When you own the hardware (in the ‘0wnz0red‘ sense, not the property rights sense) that much, locking it down completely is a relatively trivial engineering matter.

I’m the kind of person who believes that I should be able to run whatever apps (or even OSes) that I want on my computing devices. The iPad is one of the most revolutionary computing devices ever conceived, and I was an immediate convert when I realized what this thing’s going to be capable of doing. After thinking about Apple’s history with DRM and the closed-loop of app distribution, I realized that I probably won’t be able to do the things with this device that I really want to. (Examples: syncing via WiFi or Bluetooth, mounting SMB shares to play music from, FLAC playback, streaming music via 3G from an internet server, etc.) As a result, until it’s been jailbroken (which, depending on the diligence of Apple’s engineering team, may be never), I won’t be buying one.

The problem is that as long as Apple wants total control over the platform, innovation will suffer.

Even if only in the realm of “apps that let me play with boobs”, that should be enough, y’think?

-jp

It seems to me that nobody who designs WordPress themes keeps the basic elements of UI design in mind. It took me several hours just to find the theme I’m using now (called Manifest), and even that wastes over half of the screen real-estate available in the default configuration, causing unnecessary scrolling. Who hard-codes pixel values in 2010, when 24″, 1920×1200 displays are $400? (Column widths of 500px, at that!)

So, after a bit of CSS hackery, I’ve got a new website and blog configuration that I’m at least not unhappy-with. Perhaps I will design a custom theme at some point in the future, though I do despise doing web design, it seems that the only way to get things done right (without having to pay a professional) is to delve in myself.

Also worth a mention is a new blog I’ve found, run by a designer I’ve recently met through a common friend. His blog KinoSport easily takes the cake for the best layout I’ve seen on a webpage in quite some time.

One of the clients that the updates will disable is called Vuze, and is an open-source program written in Java. Apparently, lots of people like to take advantage of the source code to modify Vuze (formerly called Azureus) to report false data to the tracker (run by the torrent site), thereby cheating the ratio (upload to download amounts) requirements put in place by the site admins.

Their solution? Ban Vuze from the tracker, solving the ratio cheating problem— or so it would seem.

However, it’s not quite that simple. Just as the amounts uploaded and downloaded on a given torrent are reported to the tracker by the client (and thus subject to interference by a malicious user), so is the name of the client software. See the problem yet?

If the reason they’re really banning Vuze/Azureus from their tracker is for ratio cheaters, then an honest, non-ratio-cheating user could, in clear conscience, modify their program to report a different version string to the tracker, thereby evading the ban. This is irrelevant, though, because…

…the fact also remains that the cheaters (currently ignoring the site rules) could perform this same modification, continue using the banned client, and continue cheating the ratio rules, rendering the entire policy change pointless.

It’s worth noting that I’ve been a Waffles.fm user for well over a year, maintaining an respectable upload-to-download ratio (1.6x), with a huge amount uploaded (~200GB, if I recall correctly). (This entitled me to a similar amount of downloading.) I’ve donated money to their organization to support the continued maintenance and operation of the site. I’ve encoded albums specifically for upload to the site, meticulously tagging and formatting according to their strict rules.

I pointed the deficiencies in their client-banning logic on the Waffles.fm forums this afternoon. (An aside: I don’t use Vuze. I use ‘rtorrent’, a command-line program, making me completely unaffected by these changes.) Two hours later, I logged in to download some Joy Division, only to find that my account no longer existed. A single, logical comment on their new policy and they saw fit to vaporize my account.

To be fair, it’s their site, and they can run it how they’d like. I’m certainly not entitled to service from them.

I posted much the same analysis on the What.CD forums, who had today announced the exact same policy change in tandem with the Waffles.fm administrators. They deleted my account minutes later, as well. I asked them on IRC about it, and they said that I was encouraging users to break their rules, and that furthermore, I knew it.

If you run a site that has a strict set of rules and a forum post posing simple questions can be seen as enough of a catalyst to cause a statistically significant percentage of those users to break your rules, perhaps your policy of administrating your userbase should be reviewed. Until today, I’d never consider cheating my ratio or modifying my client to evade the wishes of an admin. It’s quite sad to see that a community that I enjoyed as much as Waffles (and, to a much lesser degree, What) is policed by such reactionary and illogical moderators.

This whole thing will probably just make me get a fresh invite and make a new account (having multiple accounts, even when not evading an explicit ban is a huge rule violation) and use a hacked client to cheat the ratio system to recover the ~100GB of downloads I’m “owed” (in the loosest sense of the term). Their mods are really just making the whole situation worse by burning up their community goodwill.

So… anyone got a Waffles invite? (Don’t send it to the usual email…)