Saturday, July 05, 2008

Blogger a mess with Firefox 3

I'm rewriting this post.

Every other post I've written over the past 3-5 days has had problems with lost line breaks. All my text runs together. It's as though Blogger had broken their age-old management of paragraph breaks. I've tried Safari 3, Firefox 3, ScribeFire, XP, OSX, Blogger-standard and Blogger-in-Draft.

My original post implied the problem was with ScribeFire, Blogger in Draft, and Firefox 3. Then I thought it was Firefox 3 and any version of Blogger. Now I think it's any version of Blogger with Firefox 3 and Blogger-in-Draft with Safari 3.

Basically Blogger is having a really lousy holiday weekend.

Be warned.

They'll fix this eventually. It's not hard to spot!

Friday, July 04, 2008

How to know it's time to stop reading a blog

"Mobile Opportunity" has been an occasionally fun read for a veteran of the Palm wars, but every so often it says something like this:
Mobile Opportunity: Symbian changes everything, and nothing

...Here's the weird thought for the day: Microsoft is the last major company charging money for a mobile operating system...
You might think he was excluding the iPhone OS because it's derived from a desktop OS, or you might think he excluded OS X because it's bound to hardware, but I've been reading MO for a bit. He really has no interest in the iPhone as a mobile platform.

That's just too odd.

On the other hand, his link to the Register's Psion retrospective is partly redeeming. The story reminds me of the sad tale of PenPoint -- I keep that book next to my OS/2 architecture book.

Dan's Data reviews IDrive online backup, and mentions Mozy too

I suspect the "paid review" model will eventually produce the same results as PC Magazine of old, but it will take a while to corrupt Dan's Data. A recent review is very thorough and appropriately technical:
Review: IDrive online backup service

... The reason why I find IDrive particularly interesting, though, is that they're paying me via ReviewMe.com to write this review.

ReviewMe isn't one of those scummy services that allow payment to be conditional upon a favourable review, though. Whether I say IDrive is humankind's finest creation, or that it took both of my legs off at the knee, I get paid the same....
Dan's review of IDrive is pretty positive, though he only does XP stuff.

I've been looking for a good online backup solution for a while, to supplement my current Retrospect Pro USB disk solution. Apple's MobileMe might produce something, but it will be costly. I've about given up on Google -- they could deliver a service next week or next century.

DD says both IDrive and Mozy support XP and OS X. IDrive is set up for multiple accounts sharing the same space, which would work for me.

Incidentally, the primary reason to have offsite backup in Saint Paul MN is not fire, flood and quake, it's theft. True, smart thieves won't bother to steal hard drives, but most thieves are stone stupid. Elsewhere, fire and flood are right up there.

I wouldn't use these services as my primary backup solution, but as a supplementary solution they do interest me.

Update 4/11/09: Great comment below. At least some services (iDrive) don't back up OS X shortcuts/favorites -- which breaks some app data stores including some iPhoto and Aperture configurations. It's a good reminder to check how well security attributes are managed.

Blogger gets some real updates and Google moves away from Data Lock

There's still no update to the extremely antiquated BlogThis! blogger bookmarklet, but Google is, at long, long last, putting some energy into Blogger.

To see the new environment you need to be using FF 3 or Safari 3 (some versions of IE too) and running Blogger in draft. Today Safari 3 is showing the old editor, so things will be fluid.

The current big news is that Safari 3 is supposed to have full support -- which means it's a more viable browser for my use. The big future feature is promised FTP file upload and enclosures. Uploaded images are stored only in Picasa web albums.

I've run into these bugs and lost capabilities so far:
  1. Items authored in the BlogThis! window are formatted incorrectly when edited in the new editor.
  2. Items authored using ScribeFire for FF are formatted incorrectly in the new editor and cannot be fixed easily. (SF has just been updated, so this may change.)
  3. Lists don't work fully. So if you save an item and try to add to a list, it inserts the row without a list tag. (known issue)
  4. The Save Now button closes the draft, so you have to reopen it (known issue)
  5. No formatting buttons in HTML mode (they will return soon)
Some highlights on the editor:
  1. The new post editor: Dynamic image resize, drag and drop location. Changes to the HTML editor that seem of unclear value to me (solving a non-existent problem?). Full Safari 3 support? (But today 3.1.2 gave me the old editor, so they may be tweaking something).
  2. How to report HTML bugs with the new post editor: Add a comment to this blog post? Seems that won't scale.
There are also some very nice big new features; the backup and the ability to effectively merge blogs seem awfully big to me (note that this particular page has links to pages that are "saved in draft" and thus don't appear as regular post pages -- a curious choice):
  1. Star ratings. Readers only, personally I'd like to be able to rate my own posts too -- differentiate the ones I think are more interesting.
  2. Import / export of blogs. Back up all of your posts and comments to one Atom XML file on your computer, and import your posts from one blog to another.
  3. Embedded comment form. By incredibly popular demand, we’ve brought the comment form to your blog’s post pages, with support for Google Account and OpenID authentication.
  4. New post editor. We’ve completely revised the post editor, bringing in drag-and-drop image placement and better HTML handling.
Safari 3 support in the new editor is great, but for me the really big deal is import/export. Per blogger:
  1. Merge two or more blogs into one. Take the exported posts and comments from one blog and import them into another one.
  2. Move individual posts from blog to blog. After importing, select just a set of posts to publish and publish them with one click.
  3. Back up your blog to your own storage. You can keep your words safe and under your control in case anything happens to your blog, or us, or if you want to remove them from the Internet.
  4. Move your blog somewhere else. Our export format is standard Atom XML. We hope to see other blogging providers extend their Atom support to include import and export. And, if you decide to come back to Blogger, importing your export file will get you back up and running in seconds.
The last is big. Google claimed over a year ago that they were going to make user data portable (see also). I've been very skeptical, and it's taken them a heck of a long time to do anything real. Now I'm willing to give them some time to show genuine commitment -- such as the ability to move Picasa albums to other services.

Altogether this is the best Blogger news since it became a somewhat reliable service about a year ago. Maybe Google can do product commitment after all.

Now if Google would only fix BlogThis!

Thursday, July 03, 2008

iPhone 2.0 is MUCH more expensive than iPhone 1.0 for current AT&T customers

I think Apple is still boasting of how affordable the new iPhone is.

This marketing swill is so evil.

For a current AT&T customer the cost has not fallen, it's gone UP a lot -- an additional $360 over two years. The increase is so large because the previous iPhone pricing was a great deal for a current AT&T customer. Current AT&T customers could buy an iPhone for the same cost as a new AT&T customer, and that's unheard of in the US mobile marketplace.

AT&T has now moved iPhone pricing in line with other "smartphone" pricing (which must make BlackBerry happier).

I've updated a prior post, here are some key excerpts ...

The Cost of the iPhone: More Per Month for Data - Bits - Technology - New York Times Blog

... According to a press release from AT&T, the carrier will no longer give a portion of monthly usage fees to Apple. Instead carriers will pay Apple a subsidy for each phone sold, in order to bring the price from $399 down to $199 for the 8 Gigabyte model. The company did not specify the amount of the subsidy. Subsidies of $200 to $300 are common in the industry.

What is more, consumers will now pay $30 a month for unlimited data service from AT&T, compared to $20 under the plan introduced last year. So even though the phone will now cost $200, consumers will be out more cash at the end of a two-year contract compared to the previous deal.

Tidbits: $160 more expensive ...

...SMS messages are no longer included in the data plan either, so you'll have to pay extra for them. Previously, the data plan included 200 SMS messages per month. AT&T's Messaging 200 plan, which includes 200 SMS messages, costs $5 per month, so it would seem likely that the iPhone 3G's SMS plan would be similar...

Ok, so for a new AT&T customer buying an iPhone the price has gone up by $160 over two years. Things are worse, however, for a current AT&T customer.

Current AT&T customers don't get the $200 discount on new phones. So for a current AT&T customer, the two year cost of a 16GB iPhone hasn't increased by $160, it's increased by $360.

A $360 increase over a two year ownership period is a substantial increase.

I spit in the general direction of Apple marketing.

The frailty of wireless encryption

WEP I knew was almost worthless. This is the most concise description of WPA limitations I’ve seen …
Coding Horror: Open Wireless and the Illusion of Security

… here are a few guidelines.
  1. WEP = Worthless Encryption Protocol
    WEP, the original encryption protocol for wireless networks, is so fundamentally flawed and so deeply compromised it should arguably be removed from the firmware of every wireless router in the world. It's possible to crack WEP in under a minute on any vaguely modern laptop. If you choose WEP, you have effectively chosen to run an open wireless network. There's no difference.
  2. WPA requires a very strong password
    The common "personal" (PSK) variant of WPA is quite vulnerable to brute force dictionary attacks. It only takes a trivial amount of wireless sniffing to obtain enough data to attack your WPA password offline -- which means an unlimited amount of computing power could potentially be marshaled against your password. While brute force attacks are still for dummies, most people are, statistically speaking, dummies. They rarely pick good passwords. If ever there was a time to take my advice on using long passphrases, this is it. Experts recommend you shoot for a 33 character passphrase.
In the end, perhaps wireless security is more of a deterrent than anything else, another element of defense in depth. It's important to consider the underlying message Bruce was sending: if you've enabled WEP, or WPA with anything less than a truly random passphrase of 33 characters, you don't have security.

You have the illusion of security.
The implication is that other versions of WPA (WPA-2?) are less vulnerable. In practice, as Schneier would probably say, it comes down to the value of what you’re trying to protect vs. the cost of the attack. Security is not a binary thing, it’s a spectrum. Relative, not absolute.

I suspect a good 20 character random password would suffice for most of us.
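To put the "20 random characters vs. 33" question in numbers, here is an added example (my code, not the post's or Coding Horror's) that sizes the search space of a random WPA-PSK passphrase, checks the passphrase against the WPA length and character rules, and converts the space into time-to-exhaust at an assumed offline guess rate. The guess rate is a constructed parameter for comparison, not a benchmark of any hardware. The one real constant is that WPA/WPA2-PSK derives a 256-bit key with PBKDF2, so passphrase entropy beyond 256 bits buys nothing.

```python
"""Size the search space of a WPA-PSK passphrase and the cost of exhausting it.

Added example, not code from the original post. It quantifies the post's
reasoning that security is a cost-versus-value question by turning passphrase
length and alphabet into bits, and bits into years at an assumed guess rate.
"""
import math
from typing import List, Tuple

# WPA/WPA2-PSK derives the 256-bit pairwise master key with PBKDF2-HMAC-SHA1
# (4096 iterations, SSID as salt). Entropy above 256 bits cannot be used.
PMK_BITS = 256

# Passphrase rules from the WPA specification: 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63
PRINTABLE_ASCII = 95  # 0x20 through 0x7E

# ASSUMED parameter, constructed for the comparison below; not a measured rate.
ASSUMED_GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def valid_wpa_passphrase(passphrase: str) -> bool:
    """True if the passphrase satisfies the WPA length and character rules."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in passphrase)


def random_passphrase_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `alphabet_size`."""
    if length <= 0 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def word_passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words drawn uniformly from a list (diceware-style)."""
    if words <= 0 or wordlist_size < 2:
        raise ValueError("need words >= 1 and wordlist_size >= 2")
    return words * math.log2(wordlist_size)


def effective_bits(bits: float) -> float:
    """Clamp passphrase entropy to what the derived key can actually hold."""
    return min(bits, PMK_BITS)


def years_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at the given rate; the expected cost is half."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def comparison_table() -> List[Tuple[str, float, float]]:
    """Rows of (label, effective bits, years to exhaust) for the post's cases."""
    cases = [
        ("20 random printable ASCII chars", random_passphrase_bits(20, PRINTABLE_ASCII)),
        ("33 random printable ASCII chars", random_passphrase_bits(33, PRINTABLE_ASCII)),
        ("6 diceware words (7776-word list)", word_passphrase_bits(6, 7776)),
        ("8 lowercase letters", random_passphrase_bits(8, 26)),
    ]
    return [(label, effective_bits(b), years_to_exhaust(effective_bits(b))) for label, b in cases]


if __name__ == "__main__":
    for label, bits, years in comparison_table():
        print(f"{label:36s} {bits:7.1f} bits  ~{years:.3g} years at {ASSUMED_GUESSES_PER_SECOND:,} guesses/s")
```

The table shows why the author's 20-character random string (about 131 bits) already dwarfs any plausible offline effort, while an eight-letter dictionary-style password (under 38 bits) is the case the Coding Horror passage is warning about; the 33-character recommendation lands at about 217 bits, still under the 256-bit ceiling.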

Update: A comment includes a nice link to a web site that helps create memorable passphrases.

Tuesday, July 01, 2008

Best review of the OS X ARDAgent root escalation vulnerability

I might follow the advice outlined here, though I may simply avoid installing software until Apple provides a fix. It is a bigger problem than I'd assumed when I first saw the Slashdot story:
TidBITS Safe Computing: How to Protect Yourself from the New Mac OS X Trojans

... Simply running the AppleScript command

osascript -e 'tell app "ARDAgent" to do shell script "reallybadstuff"'

runs "reallybadstuff" as root, without asking you for your password....

... the attacker exploits a vulnerability that gives them access to your user account, then he uses privilege escalation to take over your system as root, often installing additional malicious software. These combined attacks are common, although we don't see them often on Macs (in fact, I've never seen one on Mac OS X). The attacker will use something like a Web browser vulnerability to get his foot in the door, followed by the privilege escalation...

... The first major Trojan to leverage the ARDAgent vulnerability is called "PokerStealer" (identified by antivirus vendor Intego). Rather than using some sort of attack to get on your system, it pretends to be a poker game. When it's run, it uses the ARDAgent vulnerability to escalate its rights (without asking for your password) and installs malicious software like a keystroke capture program.

A more serious problem is that, as reported by Brian Krebs at the Washington Post, some bad guys developed a tool to bundle a package of malicious software into any downloadable Mac application. It uses the ARDAgent vulnerability to run these pieces without your interaction, like PokerStealer. The program needs to run only once, then it embeds itself in your system. Interestingly enough, Krebs reports that this tool was in development since May 2008. We can expect the bad guys to use all sorts of social engineering tricks (like writing little games) to get us to run their software on our systems.

To protect yourself, if you don't use (or plan on using) Apple Remote Desktop (which is different from Screen Sharing), you can go to /System/Library/CoreServices/RemoteManagement/ in the Finder, copy ARDAgent.app to your Desktop, right-click and compress it, and move the file someplace like your Documents folder. Then delete the original file. That way you just need to unzip and reinstall the file if you ever need ARDAgent down the road...
Following these preventive measures may mess up future Apple updates, however.

The most important security measure for most OS X users is not to run as an admin user -- save the admin account for admin tasks. This security defect bypasses that protection.
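The TidBITS excerpt says the agent runs an arbitrary script as root without prompting for a password. For a program launched by an ordinary user to do that, it has to run with elevated privilege, and on Unix-like systems the usual mechanism is the setuid bit; that this is what ARDAgent relied on is my assumption from the description, not something the excerpt states. The following added example (my code, not TidBITS' or Apple's) inventories setuid executables under a directory tree and reports whether the ARDAgent bundle at the path the excerpt names is still present, which is the check I would run after applying or undoing the zip-and-delete workaround. The throwaway directory it builds for the demonstration is constructed sample data.

```python
"""Inventory setuid executables and report whether the ARDAgent bundle is present.

Added example, not code from the post or from TidBITS. Assumption: the agent's
ability to run a script as root rests on a setuid-root executable, so listing
setuid files under a tree is the defender's check for this class of problem.
"""
import os
import stat
import tempfile
from typing import List

# Path to the agent bundle as given in the TidBITS excerpt.
ARDAGENT_APP = "/System/Library/CoreServices/RemoteManagement/ARDAgent.app"


def is_setuid_executable(path: str) -> bool:
    """True if `path` is a regular file carrying the setuid bit and an execute bit."""
    try:
        mode = os.lstat(path).st_mode  # lstat: never follow symlinks
    except OSError:
        return False
    executable = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and bool(executable)


def find_setuid_files(root: str) -> List[str]:
    """Walk `root` without following symlinks and return setuid executables, sorted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if is_setuid_executable(full):
                hits.append(full)
    return sorted(hits)


def ardagent_status(app_path: str = ARDAGENT_APP) -> str:
    """Report whether the bundle exists and which setuid executables it contains."""
    if not os.path.isdir(app_path):
        return "absent"
    hits = find_setuid_files(app_path)
    if not hits:
        return "present, no setuid executables"
    return "present, setuid executables: " + ", ".join(hits)


def demo_with_constructed_tree() -> List[str]:
    """Build a throwaway tree with one setuid file and one plain file; return hits."""
    with tempfile.TemporaryDirectory() as tmp:
        setuid_path = os.path.join(tmp, "agent_helper")   # constructed sample
        plain_path = os.path.join(tmp, "readme.txt")      # constructed sample
        for path in (setuid_path, plain_path):
            with open(path, "w") as fh:
                fh.write("constructed sample file\n")
        os.chmod(setuid_path, 0o4755)  # rwsr-xr-x: setuid plus execute
        os.chmod(plain_path, 0o644)    # rw-r--r--: neither
        return [os.path.relpath(p, tmp) for p in find_setuid_files(tmp)]


if __name__ == "__main__":
    print("ARDAgent bundle:", ardagent_status())
    print("Constructed-tree hits:", demo_with_constructed_tree())
```

Run on a Mac of that era it tells you whether the workaround took effect; run anywhere else it reports the bundle as absent and exercises the check on the constructed tree. The setuid inventory is the part worth keeping: a non-admin account is only as strong as the set of privileged programs it can invoke, which is exactly the protection the author notes this defect bypassed.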