Page 11ish:

I had come to realize that my sense of myself had changed very little over the fifteen years or so. Despite getting married, having children, moving several times, and switching careers, I didn’t feel profoundly like I was profoundly different than my 30 year-old self; so why should I see my 60 year-old self as a different person? (The Grant study’s participants likewise showed a great consistency over the decades in their personality and psychological makeup.)

The paper talks primarily about risk profile and personality, but I think this is true about a number of my traits. While I also see my personality and risk profile relatively unchanged with age, I also constantly focus on how I’ve changed over those years, why, and for better or worse? “What part of me do I most want to be gone in 5 years?” or “What would I rather see in myself that I don’t see yet?” Every year, my goal is to be ashamed at how naive, foolish, and unfocused I was the year before – my hope is that this strategy will push me to be always more focused, productive, responsible, and good to my family than I am today.

Download here: https://github.com/adamwulf/Columnizer-jQuery-Plugin/zipball/1.5.0

GitHub here: https://github.com/adamwulf/Columnizer-jQuery-Plugin

Project page here: http://welcome.totheinter.net/columnizer-jquery-plugin/

My sister is traveling to Sri Lanka and has a longer than expected layover in Mumbai. I log onto the internet, purchase a hotel for her while she’s on her flight, and a driver picks her up at the airport.

So far so good.

That international purchase triggers an alarm on my account, so the next day when I’m shopping for groceries my card gets declined.

Even supposing a mastermind criminal stole my card and bought $400 in Mumbai, here’s what just happened:

1. master mind steals card

2. master mind buys so much stuff for $400 in Mumbai

3. hapless customer buys a ham sandwich

4. sandwich declined!

Guys, if you’re smart enough to know that 99.99% of my transactions are in Portland, Oregon, and suddenly there’s a transaction in Mumbai. If you do anything, please reject the Mumbai transaction and continue letting me buy my groceries in Portland, Oregon.

Your state-of-the-art-from-the-year-2000-security is not making my money any safer, it’s just annoying the hell out of me.

I hate you Capital One.

In Google+, like many websites, there is a Send Feedback button. It is unassuming.

But when you click it, you don’t get a boring “yeah what?!” text box, instead, in true Google fashion, the Google analyzes the page before the form shows:

And then it asks you to draw on the page to annotate your feedback!

You can draw boxes and select elements on the page. It’s quick, easy, slick, amazing, neat, and useful.

Extremely polished stuff. If i were to guess, the quality and usefulness of the feedback they receive is unparalled compared to other sites feedback mechanisms. Extremely cool stuff. I wish they would package it up as a product, maybe paired with Google Analytics, and let any site user embed that feedback system into their own site. Extremely cool.

And the fact that it’s on Google+ is particularly interesting. Its such an easy to use and useful tool that I wish I could use it to share content with others. Browse to site, “neat!”, click share/crop tool, click “post to Google+”, done. Reminds me of Scoble’s interview of Convofy (forgive Scoble’s lousy recording, but that few minutes of the video is pretty slick stuff.)

Update:

Turns out it may very well be its own Google product according to this Quora question. Tell Google here to be notified if/when it’s released.

If you’re going to sign up as well, then you can use this referral code to get 10% off your commission rates:

Referral Code:

TH-R112943

 
Happy Trading!

Glasses-free 3D Time Crisis on iPad:

This is Time Crisis 4 for iPad. It uses Glasses-free 3d for a stunning gameplay experience. This is true anamorphic 3d, which means you don’t need glasses to get a full 3d effect. Just tilt the iPad and the iPad2′s camera tracks your eyes so everything looks like real 3D! Watch the video from cnet below for a quick what’s-what on how it works.

I predicted games like this 4 years ago with the release of the first iPhone. The combination of the front facing cameras and accelerometers in the iPad 2 make this an unbelievable gaming experience.

The Bad News:

This is still not real! There have been exactly zero first/third person shooters that use anamorphic 3d for awesomeness. The screenshot above is a [pretty impressive, i may say] photochop by yours truly.

Ladies and gentlemen, this is the year 2011. We have robots driving robot cars and playing robot tennis. Random people sending iPhones into outerspace just because they can. How do we still not have awesome anamorphic shooters on the iPad?!

The Good News:

For a relatively small development budget you could have a proof-of-concept-version-1.0-anamorphic-3D-on-rails-first-person-shooter-for-iPad-2-and-iPhone-4, and you would make $10 million.

Free Business Idea:

Step 1: Just build something like:

1. Use anamorphic 3d first person shooter. Something akin to a Time Crisis for Area 51.
2. Easy gameplay: spray and pray style shooting, tap to reload. that’ll be 98% of it right there.
3. Just make 10 minutes of gameplay, and then repeat it.
4. Maybe some aliens? Or zombies?
5. Or both?!

Step 2: Collect money

1. Turns out people have a long history in falling over each other to give away their money to pretty-graphics-and-novelty.

Or, if you just like to program a lot:

Email me. Twitter me. Linkedin me. Get in touch. We won’t wait for the world any longer. We’ll do this thing.

Leaving Jive is bittersweet. The people I worked with are amazing, I still believe it’s the best collection of engineering talent in Portland. The company is going places. I’m proud of my work there. I’ve been doing heavy lifting in JavaScript for nearly 6 years, but I’ve been stretching my iOS wings, and Visere gives me the opportunity to work on mobile development full time. It’s incredibly exciting to be working in a tiny startup again!

And this move solidifies it for me – I love small companies, and not just small: tiny. At Visere, I’m employee number 9. It’s such a breath of fresh air for my day to day responsibility to include: project planning, UI/UX design, marking, recruiting, coordinating, budgeting, sales, and of course, programming. I love the variety, I love the chaos, I love fighting for life, for market share, for mind share. And most of all I love the product I’m working on.

To date, Visere has been primarily focused on contract design work: you may know it from products like Microsoft’s Courier tablet, the Uncommong iPhone app, or Motorola Droid branding. We’re also working on a product very much our own, and I hope to have much more detail on it soon .

This might just be the best blog post I have read this year. It’s nominally on patients with delusions of parasitic infestations, but it’s so much more.

I saw a patient recently for parasites.

I get a sinking feeling when I see that diagnosis on the schedule, as it rarely means a real parasite.  The great Pacific NW is mostly parasite free, so either it is a traveler or someone with delusions of parasitism.

The latter comes in two forms: the classic form and Morgellons. Neither are likely to lead to a meaningful patient-doctor interaction, since it usually means conflict between my assessment of the problem and the patients assessment of the problem.  There is rarely a middle ground upon which to meet. The most memorable case of delusions of parasitism I have seen was a patient who  I saw in clinic who, while we talked, ate a raw garlic clove about every minute.

“Why the garlic?” I asked.

“To keep the parasites at bay,” he told me.

I asked him to describe the parasite.  He told me they floated in the air, fell on his skin, and then burrowed in.  Then he later plucked them out of his nose.

Much more here.

In his recent TED talk he mentions that the Tylenol incident led to tamper-proof caps — a perfect example of what Schneier likes to call “security theater”:

As a homework assignment, think of 10 ways to get around it. I’ll give you one, a syringe.

So far this is typical Schneier. It’s a great point, but one I’ve heard him make many times before. In the next sentence, though, he breaks new ground:

But it made people feel better. It made their feeling of security more match the reality.

Bruce Schneier used to mock the theatrical dimension of security. Now it seems his thinking has evolved — and in a really interesting way. He’s alway viewed security in a relativistic way, and as a game of economic tradeoffs. Here he twists the lens to bring something else into focus: the relationship between how secure we feel and how secure we are.

This hit home for me, because is exactly the same way I feel about product development, especially mobile development. We can fight all day about mobile web vs mobile native, but that’s only half of the issue. An equally important piece of software development is making sure to set and exceed user expectations.

When developing software, step 1 should be: “What are my user’s expectations? Can I change those expectations before they even launch my app? How should those expectations change how I design the user experience?”

So far it’s been a good read, nothing terribly groundbreaking. The advice seems to come down to this simple process:

Confronted with apparently difficult measurements, it helps to put the proposed measurement in context. Before we measure we should ask five questions:

1. What is the decision this is supposed to support?
2. What really is the thing being measured?
3. Why does this thing matter to the decision being asked?
4. What do you know about it now?
5. What is the value to measuring it further?

All in all, simple stuff, but a great crash course and overview for finding metrics that matter, especially for new managers / leaders.

— begin old post —

I use Eucalyptus to read books on my iPhone. I love the feel of the app and the ease of downloading new books. The iPhone’s small backlit screen bothers me occassionally for reading. It’s almost perfect. What I’d love in an e-Reader:

1. It should do three things exceptionally well:
   1. read books (like Eucalyptus)
   2. read RSS (like Byline)
   3. surf the web (like a CrunchPad)
2. Should still ‘feel’ like a book, much like Eucalyptus does. It’s near perfect in this regard. Touch screen required.
3. Color screen (backlit is ok but not preferred)
4. Super easy to download / purchase books
5. Connect over wireless or cell network
6. 5″ x 8″ screen – ish, something about the size of those lousy romance novels in the supermarket checkoutline, and the thickness of an iPhone. The concept below literally folds like a book, showing 10″ x 8″ of screen space. awesome!

The iPhone hits just about all of this list, except it’s backlit and too small. Also, Eucalyptus is only free books, and the Kindle app (a) sucks to read on and (b) doesn’t have in app store.

The Kindle proper (device, not iPhone app) is larger, which is nice, and has a better screen for reading, but frankly, it’s ugly as sin. If they made blackberries in the 80s, they would look like a Kindle. yuck.

All this brings me to an article that came across Harper Studio (via Corr77, thanks!)  describing a French concept e-Reader / netbook from Editis. Click the image below for the 5 minute concept, skip to about 10% to see the eReader section, and yes, it loads exceptionally slow, but it’s worth it imo!

I’d love a netbook that actually looked and acted like a book. Swipe left/right to turn the page, tap for HUD screen, coverflow for book covers, etc. Turn it on it’s side, and the bottom becomes a HUD style keyboard and screens turn into netbook goodness. Fold it up to protect the screen and minimize footprint, throw in the bag and go.

I’d buy three, easy.

Highlights of the Khan system: Students learn single concepts at a time: step by step by step. First addition, then harder addition, then addition with decimals, then subtraction, etc. Each singular concept has tutorial videos as well as infinite computer generated problems to solve, and every problem has step-by-step hints available to help walk students through solving a problem.

My favorite part – by far – is the game machanics built into the system. A skill tree maps all of the provided concepts together, and the student earns “Energy Points” for every problem solved. This is just itching for energy point micropayments to upgrade your character/profile page. Even integrations with “real” games where you can spend Khan energy points on game time / upgrades / etc. It’s like Eve, but for real life and real skills.

Watch the video below and find out how your child will learn differential equations both faster and better than you ever did.

Khan Academy provides literally hundreds of videos ranging from basic arithmatic to organic chemistry to the Paulson’s bank bailout plan. The videos are on YouTube, iTunes U, and iPhone apps. Absolutely tons of content. Absolutely 100% free. Incredible.

Aurora – precursor to Jotlet

Everything was themeable, the entire chrome could change w/ a click of the button, and check out that amazing logo in the top right: one of Buck‘s first ever logo/headers This version was built pre-Firebug, worked in IE6, everything was built in tables. Liberal use of iframes also going on here.

But the data presented at the Brussels meeting made it clear that something strange was happening: the therapeutic power of the drugs appeared to be steadily waning. A recent study showed an effect that was less than half of that documented in the first trials, in the early nineteen-nineties. Many researchers began to argue that the expensive pharmaceuticals weren’t any better than first-generation antipsychotics, which have been in use since the fifties. “In fact, sometimes they now look even worse,” John Davis, a professor of psychiatry at the University of Illinois at Chicago, told me.

Before the effectiveness of a drug can be confirmed, it must be tested and tested again. Different scientists in different labs need to repeat the protocols and publish their results. The test of replicability, as it’s known, is the foundation of modern research. Replicability is how the community enforces itself. It’s a safeguard for the creep of subjectivity. Most of the time, scientists know what results they want, and that can influence the results they get. The premise of replicability is that the scientific community can correct for these flaws.

But now all sorts of well-established, multiply confirmed findings have started to look increasingly uncertain. It’s as if our facts were losing their truth: claims that have been enshrined in textbooks are suddenly unprovable.

more here.

Alex Payne on Adobe AIR:

Humans are gifted with extremely sensitive bullshit detectors. The average computer user may not internalize the difference between an AIR app and a native app, but he knows when something doesn’t feel right or work correctly. Your tech-stunted uncle may not ever request a “native app” by name, but he’ll sure complain about his computer acting funny. People aren’t dumb.

You better believe that this isn’t just about AIR. As mobile apps become a mandatory part of doing business, more and more cross-platform mobile frameworks are cropping up. As with every cross-platform framework to date, only one in a pile of the resulting applications might even begin to pass for native. These apps just ain’t right, and people can tell.

I’ve said it before and I’ll say it again: cross-platform code is good, but it should never define the user interface.

more here.

From the Cultured Code’s FAQ page on cloud sync:

We will be doing a large scale test with quantifiable data to estimate server and bandwidth costs. It is not yet clear whether or not it will be necessary to pass any of those costs to the user base. This should not be taken as indication that there will, or will not, be any cost. A final decision will be made later based on the aforementioned testing.

They need to offer a cloud service for free. Its like they don’t understand how unhappy many of their customers (and former customers) are.

The company also doesn’t understand the concept of ‘if you don’t have anything to say, keep your mouth shut.’

[via Federico Viticci]

Now open Twitter for Mac. Tap and drag from top to bottom on your Magic Mouse or Magic Trackpad and the list scrolls down- as you’d expect for any normal Mac app. Except that Twitter still feels like an iOS app even though its on my Mac, and this won’t change anytime soon.

I can’t get over how awkward it feels to have the same scrolling gesture produce the exact opposite results. I suppose it’ll eventually become second nature, but I suddenly feel all upside-down when I’m working on my Mac!

Any one used Smart Scroll before? How long until OS X changes scroll direction to match iOS?

OAuth is a fantastic login protocol that allows disparate web applications to all use the same login provider. However, I’ve discovered that its use in native mobile applications is borderline dangerous, and in this post I’ll describe why.

Last year I released my first (and still only) iPhone application. Even though my app doesn’t use OAuth, the then recent Twitter/OAuth fiasco stoked my interested in mobile OAuth. I was particularly curious how OAuth providers protected their passwords in their mobile SDKs.

I downloaded the Facebook SDK and poked around in the iPhone simulator, and frankly I didn’t like what I saw. In less than an afternoon, I was able to build an app that could steal a user’s password as they logged in through Facebook Connect, all 100% transparent to the user, 100% transparent to Facebook, and 100% transparent to Apple. In a word, this is not a good sign for OAuth and native mobile apps. To be clear, this affects every single OAuth provider and mobile platform, not just Facebook and iOS.

Despite numerous web searches, emails, and even code submission to Facebook, I haven’t seen anyone talk about this problem on the web at all. Seeing as how the Facebook Connect SDK is almost 2 years old, and many other companies are following suit with OAuth in native mobile SDKs, I think this conversation is long overdue.

In this post, I’m going to explain how and why OAuth in native mobile apps does not secure your password, and why you should still be wary when logging into Facebook/Twitter/Google/anything through any app except their respective official native mobile apps. I’m writing this post to expose the still weak security for single sign on services in native mobile apps. I am not providing any source code, though after reading this post I’m sure you’ll agree that eavesdropping on an OAuth transaction in a native mobile app is extremely easy even for a novice programmer.

The Problem

The purpose of Oauth is to let application developers use Twitter/Facebook/anysite’s login mechanism, all while keeping the password 100% secret from the application developer. In this world, if the application turns out to be an untrusted malicious application, all the user needs to do is turn off access from that application on Twitter/Facebook/anysite’s settings page.

However, native mobile application developers are still able to access (steal) your password even when using OAuth for login, all 100% undetected. This means that for native mobile apps, using OAuth is not any more secure than using Basic Auth, and Twitter’s API change from Basic Auth to OAuth does nothing to protect user’s passwords from malicious application developers.

To be clear, this affects every OAuth implementation in native mobile apps, across iOS, Android, and [I believe] Windows 7.

When your password is safe: Web Apps

As our first example, let’s take a look at web apps – this is true for both mobile web apps and desktop web apps.

OAuth succeeds in protecting the user’s login information because the web browser is a 100% trusted agent and ensures that the application code on the web app’s domain name cannot access any information on the OAuth providers domain name. This is called Same Origin Policy.

For example, when [insert malicious web app here] begins an OAuth login, the browser opens a window/redirects/iframes to the authentication provider (probably Facebook, Twitter, Google, etc). Due to the browser’s security, it is impossible for the malicious app to eavesdrop as the user types in their password. After the user enters their username + password into the legitimate login screen, approves (or disapproves) the web app from accessing it’s account, and is then redirected back to the potentially malicious web app.

At no point in this transaction does the malicious web app have access to the user’s login credentials. Browser security prevents any scripts on the malicious site from interfering/listening to/intercepting the login credentials. It’s this trusted and neutral 3rd party browser that makes this negotiation possible. The phone’s built in browser acts as the trusted middleman during the OAuth transaction.

Once the user discovers the malicious apps evil plot, all the user needs to do is login to the OAuth provider’s trusted site and remove the malicious app from their trusted apps. done.

You’re safe, the world is happy, and OAuth saves the day. Not so in native mobile apps, let’s take a look:

When your password is not safe: Native Mobile Apps

In native mobile apps, the mobile application itself takes the place of the browser, so there is no longer a trusted neutral 3rd party browser to act as the trusted middle man in OAuth transactions – the mobile app itself acts as both the OAuth client and the OAuth middle man!

So what does this mean? It means any native mobile app implementing OAuth can steal your login credentials, completely transparent to you the user, the OAuth provider, and even the phone manufacturer/carrier.

Since the mobile app hosts a tiny instance of the web browser inside of itself, that app can see/do/act on anything inside the web content it shows – no exceptions. This means the Same Origin Policy we discussed above is now out the window. Even though the native app uses WebKit to do the rendering/browsing, that native app can also do absolutely anything to any webpage loaded inside of it, including stealing passwords, without the loaded website even knowing.

I’m not going to show any code, but I’ve verified in code that this is in fact possible. I’ve effectively stolen my own Facebook password using Facebook’s provided iOS OAuth library. It only took minor modifications using entirely publicly available APIs in iOS. The exact same attack could be used in any app that logins with Twitter, and is not specific to iOS – this affects Android (and presumably Windows 7 though I haven’t looked at their API).

How the attack works:

1. Malicious attacker builds native mobile app and uses any publicly available OAuth SDK from Facebook/Twitter/anyone
2. The attacker loads the legitimate OAuth login screen using a web view available from the phone’s public SDK
3. The attacker runs JavaScript on that webview object, attaching JavaScript event handlers to any <input> element on the page
4. When the value of an <input> changes, the injected JavaScript notifies the wrapping native application about the change
5. User authenticates, and OAuth transaction is completed as normal – except the malicious app has been listening to every keystroke! Password: compromised!
6. Malicious app uploads credentials to anonymous server in China

Since the attacker is (a) using publicly available APIs to (b) inject JavaScript on the authentication page (even if the page is over SSL), the malicious app developer is able to listen as the user types in their credentials. The OAuth provider has zero visibility that this attack is going on; there is no way to mitigate it from the provider side. Even a walled garden app store wouldn’t be able to weed out malicious apps based on (a) static analysis of code or (b) watching for malicious network traffic.

This is all because the embedded browser in native applications cannot be the trusted middleman in the OAuth handshake.

Mobile Web: 1, Mobile Native: 0

Currently, the only secure way for OAuth to exist in mobile is for mobile web applications. These applications still run in a trusted 3rd party browser that prevents cross domain script execution. Since mobile native apps fill the role of OAuth client and trusted browser, the user’s login credentials are not secure.

It should be noted that OAuth’s website makes no mention of using OAuth for native mobile apps, but clearly mobile app developers are still using it to solve the elusive secure authentication problem.

Again, this affects 100% of OAuth implementations in native mobile applications, regardless of OAuth provider or mobile platform.

Solutions?

For a long time, Twitter provided only basic auth for it’s API, but its more recent OAuth API isn’t actually any more secure. I believe that the only way to allow secure OAuth within native mobile apps is to have a more strict web browser API for native app developers, and to properly notify OAuth providers when their service is being accessed from an insecure mobile browser. Unfortunately the safest solution right now: don’t use OAuth.

I’m not sure what the correct long term solution is for login in native mobile apps, but OAuth currently falls very short. Mobile still has a long way to go to keep users passwords and data safe.

I used 101domain’s list of TLDs to spur my creativity. I really wanted to get “ad.am” or “re.ad”, but the second level domain has to be at least 3 characters, so I kept looking until I finally thought of “ada.ms”. Perfect! Especially so for a URL shortener; http://ada.ms/hff-promo will read as “Adam’s HFF Promo”. There was just one catch – the domain was unavailable.

Hoping I could bargain with the current owner, I did a quick whois of the domain and found this:

The domain was indeed registered, and (apparently through 2020!), but it was listed as suspended. Now I’ve been a bit lax with some of my domains in the past, and I know that “suspended” usually means “expired but with grace,” and the only reason registrars don’t outright throw the domain back into the wild is so that they can create another impending event – “quick! renew before someone else…. (probably no one?) snatches up your precious nearly-almost-but-not-quite-expired domain!!”

Since I was currently browsing a middle man’s website at 101domain, I decided to seek out the true source of .ms domains and find out for sure. I’d no idea who the final authority on .ms domains is, but the “mninet” from the whois was all the Googling it took to find out. I double checked the suspended status on their website – just in case – and found that it was, in fact, unavailable for registration. Strike two.

Down but not out, my last ditch effort was to email the Montserrat registrar directly:

Hello,

I have found that the domain name ada.ms is currently suspended. Is this domain available to be registered? If not, how long does the domain need to stay suspended before it could be registered? I’d be very eager to register this name if at all possible, and appreciate any information you could give me.

Thanks,

Adam

This was late Friday night. Hopeful, I went to sleep.

After an eventful weekend (we bought our Christmas tree!), I awoke extremely excited to see this in my email:

Adam,

That name will be Deleted to allow you to Register it.  Look for it around 10AM EST.

Regards,

.MS Domain Management

Fantastic! And the casual “Look for it around 10AM” combined with the relatively rareness of .ms domains made me hopeful I wouldn’t be victim to domain sniping in the final moments. I refreshed my iPhone every 2 minutes for the next 2 hours waiting for the domain to become available. Sure enough – the ada.ms became available (it was closer to 11AM EST) as I was sitting in a coffee shop right before work this morning. 30 seconds later, my payment was pending and the domain was mine!

For now, I’ve kept with my plan and setup ada.ms as my custom bit.ly extension, but I’m open to other ideas. While the custom bit.ly domain is pretty cool, I’m a little bummed that the root domain redirects to bit.ly instead of allowing me to redirect it to welcome.totheinter.net – that small feature is for only $995 / mo for Enterprise customers. Instead, I might try using .htaccess, but it feels like a hack. Bit.ly already puts 1 hop between you and your destination. Using that hack would put another hop in between that . Either way, I’m more than happy for now, and I’m actually really excited to start using it to send out links. In fact, I have to force myself not to use it so I don’t turn into an overzelous link spammer peddling every mildly amusing link I come across .

Lesson learned: short domains are awesome.

Lesson two: Sometimes all it takes is a polite email for opportunities to open up, even when the door seems closed

And be sure to click the Tweet This button below the post – your twitter followers will undoubtedly be in awe of your internet savvy when they see the fancy ada.ms link back to the post!