Cruft

R.I.P Sweet dog.

Wed, 01 May 2013 18:47:57 -0400

R.I.P Sweet dog.

The Android Tumblr client doesn’t rotate to landscape...

Tue, 09 Apr 2013 09:37:33 -0400

The Android Tumblr client doesn’t rotate to landscape because portrait is the only way. #UI #fail

Side Effect Of Closing Reader: Mistrust

Mon, 18 Mar 2013 08:19:55 -0400

Side Effect Of Closing Reader: Mistrust:

Trust is difficult to develop and easy to lose. Even Google, which has a pretty loyal following is losing users trust by shutting down services. What is interesting to me about this reddit is not about another note taking service, but people’s response both sparky and sincere.

Knowing that few people bother to comment online and reddit is a somewhat specialized place, I have to wonder if this just the tip of the iceberg and resentment and mistrust isn’t more widespread.

Google Stops Enforcing Blocked Sites In Search Results

Sat, 16 Mar 2013 09:19:10 -0400

Is Google trying to self destruct or have they gotten so big they think they can’t fail? Over the last few years the company has shut down service after service which individually may have impacted a small percentage of their users, but perhaps collectively impacted more. I don’t know. What I do know is that the more things they shutdown that differentiates them from the others, the less likely I am to stick with them. The latest service to be shutdown is blocked sites.

A few years back, you could block sites from showing up in search results. This let users like you and I customize results and get rid of unwanted results. In my case, Experts Exchange is useless to me but they almost always take a high position in results. I blocked Experts Exchange and that was a good day. At some point, Google disabled the ability to block sites in anything but Chrome, obviously in a attempt to push folks to their own browser but for the rest of us, blocked sites remained blocked.

Last night I searched for something and there was Experts Exchange polluting my search results. I can go anywhere to get polluted results and I will.

Google, you’re now no different than any other search engine. Congratulations on making yourself mediocre.

Vaule is a two way street

Thu, 14 Mar 2013 17:30:14 -0400

For every service that I use which Google shuts down is one more reason why I have less and less reason to use Google for anything. While I know that Google gets value from me (individually and as part of an aggregate) using their service from data collection, ad serving, and so on, I too get value from using Google services and most importantly, from Google’s ecosystem.

Take that ecosystem away, and I have no reason to stay.

EA's Real Racing 3: Free And Worth Every Penny

Mon, 11 Mar 2013 17:53:12 -0400

I had already written about Android racing games and I was looking forward to Real Racing 3. I finally raced my way through Real Racing 2 and I had a blast doing it. I still play the game when I have time to kill and I enjoy the impressive graphics, the smooth game play, and the challenge. When Real Racing 3 came out,I picked it up. In this round, the game is free and EA is relying on micro-transactions to pay for the game. Also, rather than have challenging AI, EA is modeling the competitors on real players that drive as ghosts.

The game is a disappointment overall. Compared to Real Racing 2, the graphics are poor and jaggy. There’s none of the shadow effects that were WOW in RR2, and there is no playback of the last race. And yes, it’s noticeable. Then, there’s the game play.

In any muti-race event, you always start at the back of the pack regardless of your driving ability. In a 6 car field, that’s not bad. In a 22 car field, you have to smash and dash your way through the first few corners if you want to have a prayer of getting a podium spot but even then, you’re so far buried in the back you can’t hope to get in front. It’s feels fake.

In the driving, the physics are poorly implemented. If you happen to get some understeer in a few of the cars, you continue to slide out of control until you come to a complete stop. Other times if you nudge the wall, the car becomes attached as if by magnet. It won’t release from the wall without a violent jerk to the left, which causes you to go out of control.

The AI is pathetic. cars break far too early making progression easy in the first few races (if you can thread your way through 21 other cars) and then later, the cars come at you from no where and seem to have super human physics and push you along with no affect on their own momentum.

Finally, there’s no personalization unless you log-in with Facebook. If you don’t, you are a guest. Blech. Requiring a Facebook account is ridiculous and uncalled for.

To add some realism, EA added the requirement that damage cost you money—you had to pay for repairs. That’s fine. Driving like a demolition derby should have consequences, but you also have to pay for maintenance such as oil changes and so on. That’s too far is a way for the game to nickle and dime players so that they will be motivated to spend real money.

Real Racing 3 is a disappointment all around. I’m just glad I didn’t pay for it.

disalmanac: How do we feel about Shatner? A handy chart.

Thu, 07 Mar 2013 14:54:22 -0500

disalmanac:

How do we feel about Shatner? A handy chart.

When boss asks for a volunteer to deploy on the weekend

Wed, 27 Feb 2013 11:52:40 -0500

devopsreactions:

Submitted by Barbarius

Social Media Stickiness Survey Results

Mon, 25 Feb 2013 17:24:57 -0500

Here are the results from the social media survey I fielded on social media stickiness. The idea of stickiness is interesting to me and in this survey, I assumed (and asked mostly about) the effect of following others affect stickiness. The assumption being that stickiness is due to those you follow, not those who follow you. There’s an obvious Twitter bias in my questions too.

Not scientific. Just some fun questions. Thanks to all of you who took the time to answer.

Respondents had to choose the best answer that matched their motivations. The questions really asks if they use social media to interact/listen or broadcast. Most use social media to interact and listen. That’s heartening.

53.8% of respondents indicate that less than 30% of those they follow or important to them. That kind of surprised me. I wonder if the results would have been different if I broke it down by social media service.

About 64% of respondents said leaving a site would take 50% or more of the people they follow leaving for them to leave. IOW, the value of the social media experience is tied up in those you follow. I figured it would take more than a few people to leave to impact the visitation of others but I assumed that there would be more people selecting higher percentages. I also thought there were quite a few people willing to jump ship if less than 10% of those they follow left.

Half-baked Thoughts On Authentication

Fri, 22 Feb 2013 08:49:19 -0500

TL:DR Replacing passwords with tokens for consumer Internet services is doomed to fail. We need a federated authentication system that works for end-users, authorities, and relying parties.

While there has been an ever more vocal call to do away with passwords for authentication, there has been little talking about what to replace them with. Passwords are here to stay. Get over it. They are easy to for users to use. They are simple to implement and they don’t require any special hardware and software support on the client or server. There is extremely low friction to using a password.

Alternatives like biometrics, hardware and software tokens and other schemes like sending a code to a cell phone via SMS require other stuff to authenticate and add a great deal of friction. Biometrics and hardware tokens need hardware to read the authenticator. Do you have a finger print reader or card reader in your pocket? (Probably not) If you do, can you walk up to any kiosk or electronic device and use it? (No) You may have a soft token like Google Authenticator that is running on your phone (I use it and I like it, but it’s not perfect though getting better) but have you ever lost battery power, lost your phone, or left your phone at home by mistake? If you don’t have your token or can’t use it where ever you are, you can’t authenticate to any services that rely on it. That ain’t friction. That’s a wall.

Even if services did move away from passwords to biometrics or tokens, do you think they would all use the same kind? With biometrics, one company might want to use a voice print. Another might want to use a finger print. Yet another might want to use a retina scan, and so on. Some of these methods are painfully easy to defeat and don’t really improve the authentication process for anyone.

Tokens are great for well-defined communities of interest where the tokens have been initialized to an authentication server. Tokens can’t be initialized against multiple authentication servers so each service that uses a token will have its own. Carrying around a hard or soft token for each service isn’t a great idea. A) there’s the whole single point of failure if you lost your tokens or phone that contained tokens and B) token authentication usually requires a PIN combined with the token to authenticate and don’t you want to bet users will re-use pins across multiple tokens (What is a pin except a numeric password?) which leaves consumers as protected as using a password.

Using tokens or biometrics just won’t work in today’s world because:

Universal access is not assured because of hardware and software compatibility.
Making users manage a number of tokens is a non-starter.
Tokens are closed communities. They are not shared.
The variety of authenticators is dizzying adding overhead for users.
Users will find ways to defeat the “strength” of other authentication methods.
The management of tokens and biometrics in the general populous would be astronomical.

Passwords can be “strong” for some definition of strong. In my case, I will define strong as resistant to brute force (trying all password combinations) and dictionary (trying common words and combinations) attacks. It partly depends on how they are stored (salted hash please, using a slow algorithm) and partly depends on helping users create and remember passwords that are not weak. Paired with password managers like Keepass, LastPass, or 1Password which can generate long, complex passwords protected by a single password, there is a chance that password usage could be improved from a security standpoint by taking the work off the user to manage lots of complex passwords and make it harder for attackers to crack them. Still, password managers are a stop-gap. They become the point of attack, directly or indirectly which would be fruitful if successful. What we really need is a way to reduce the number of credentials that users carry.

The Case For Federated Single Sign-On

Yes, I mean single sign-on. Specifically federated single sign-on. Single sign-on is used in organizations to reduce the number of credentials employees need to manage. Applications integrate with the single-sign-on system letting users have one strong(er) password than many weak(er) ones which likely would be re-used anyway. The federated part is where we cross organizational boundaries.

We have the technologies such as OpenID, OAuth, OZ, SAML and so on—we can make the bits fly. I am not saying these protocols are perfect, but they are a start, at least in principle as well as implementation, down that road.

What we don’t have is the business environment that would entice various entities to either serve as identity authorities or to relegate their authentication to another service. Think about the end user. End users likely have an institution, or more than one, on the Internet that they trust and they have a relationship with. Those institutions like banks, trading firms, companies, etc have a vested interest in authenticating their users. It seems like they would be good candidates for being an authentication service for others.

We know this model can work and we have examples from social media sites like Facebook, Twitter, and so on that offer authentication services which other sites rely on for user authentication. For the relying party, they don’t need to store user credentials (good for everyone) though they can still collect other data—the data they care about. For users, we don’t have to remember yet another password (though I do have to remember which site I used which is a whole ‘nother problem).

The point is that federated single sign-on can be established and we have services that prove it. Of course the social media model I am referring to have some technical problems like being able to recover Facebook credentials in Chrome by chaining together a number of vulnerabilities but that’s a detail. The model works, focus on that. The other big issue is privacy. Facebook and Twitter want to collect as much data as they can about users and knowing which other sites they log into is just another data point they can exploit. What, you thought they were providing authentication hooks for the good of the world? So that model fails on the privacy front, but the privacy issues can be addressed technically or legally. I’d prefer the former, but companies generally don’t flaunt the law willy-nilly so a legal framework can provide adequate, if not perfect, privacy.

There are obviously risks involved that need to be addressed, particularly business risk. Companies that have stricter privacy and secrecy requirements like banks and healthcare have an ethical and legal responsibility to protect their customer’s data, so they need assurance that other authentication services are equal to their own from a security and risk mitigation standpoint. They need to be protected from suit in the event that a users account was compromised provided the authentication authority follows a set of established guidelines to protect the authentication data. In other words, a single failure in an authentication service means the entire system is broken and shouldn’t expose a conforming company to law suits. Those risks, and others, can be mitigated through legal instruments. A sticking point is international law and that might hinder a globally federated authentication system, but national framework might be OK.

A Proposal

What I am proposing are a set of requirements that a federated authentication system should meet to balance the needs of end users, authorities, and relying parties so that we can have a better, stronger authentication system world wide. This list is not meant to be complete nor are the line items meant to be specifications. I am suggesting goals that can be achieved today, I believe, with current technology.

Here is what I’d like to see in a federated authentication system:

For end users:

End users should be able to choose the authentication authority they wish to use.
End users should be able to change the authentication authority they wish to use.
End users should be able to remove relying parties when they wish.
End users should have the same experience regardless of the of the client device used.

For authentication authorities:

End users privacy should be protected so that the authentication authority can’t mine users data for behaviors, ever.
There should be standards and compliance rules dictating how an authentication authority is run, the authentication methods that must be supported, and the protocols that must be used.
There should be a recurring compliance program certifying authentication services practices.
The additional costs to be an authentication service should be minimized or distributed.
There should be significant monetary damages to authentication authorities for not complying with the standards and compliance practices.

For relying parties:

Relying parties should be able to dictate which kinds of authentication methods it is willing to accept.
Relying parties must accept authentication from any authorized authentication authority
Relying parties should be indemnified from harm if an authorized authentication authority is compromised
There should be no costs associated with using any authentication authority nor implementing the standardized API’s

RasberryPI, USB Power, and the Cable Conundrum

Mon, 11 Feb 2013 17:11:40 -0500

I picked up a Raspberry PI the other week and couldn’t wait to get to work on it. I grabbed a Fedora 18 Remix, transferred the image to an SD card, pluged it into my HDTV and was off to the races. I did notice, however, that when I plugged in my RaspberryPI, the NIC wouldn’t light up. Since I was planning on using this as a utility server (DNS, DHCP, OpenVPN, whatever), it needed to boot and get on the network reliably.

I already documented my trials with USB charging. Could this be the same problem. I did buy a wall wart and USB cable just for the RasberriPI, so it is likely. Out came the cable that shipped with my New Trent battery pack that I know has shorted the data pins and I plugged/unplugged numerous times and each time the Raspberry PI booted and the NIC lit. I suspect a correlation.

Now I just have to take one of my existing USB cables apart and short the pins. Maybe I should start a Kickstarter project since I can’t find a USB standalone charging cable anywhere.

Now I remember why I left Quora. I didn’t want to...

Wed, 30 Jan 2013 12:03:55 -0500

Now I remember why I left Quora. I didn’t want to participate in/support ridiculousness like this

Someone at Amazon needs to learn how to count and tell time....

Sat, 12 Jan 2013 19:43:00 -0500

Someone at Amazon needs to learn how to count and tell time. Today, I am at location 2356 of a book, yet my Kindle seems to think that location 19 from August 15th, 2012 is further along AND more current. #facePalm

1/30/2013 Update: I spent several hours with Amazon support over a few days tracking this problem down. The person I spoke with, Robert, was very helpful and Amazon finally tracked the problem to a software issue and it’s been resolved. That kind of support is what builds loyalty with me.

How to get root on a locked Asus Transformer Prime TF201 with JellyBean 4.1.1

Thu, 10 Jan 2013 17:15:21 -0500

Like most of you, I too lost root on my Asus Transformer Prime when I updated to Jelly Bean. I just didn’t get around to doing anything about recovering it until now. I tried installing TWRP and it failed. I had sent in my TF201 for repair and I think they locked the bootloader because I know I had unlocked it. That tells me either there is an error in the TWRP installer OR the bootloader was in fact locked. Thinking the latter was the more likely case, I decided to tried to unlock it. I had read that the Asus unlocker no longer worked on a TF201 on JB 4.1.1 but I figured I would try anyway.

*** If you follow these steps, it’s your responsibility. Standard disclaimers apply. You know the drill. ***

I grabbed the unlocker here: http://forum.xda-developers.com/showthread.php?t=1510737 and downloaded the one from the Asus site. Copied it to my SD card and ran it. I agreed to the big scary EULA and proceeded. It took a while but I got a network error message. Undaunted, I tried again. Hey, repeated actions do sometimes have different results. This time, teh app noted I didn’t have a Google account installed and did I want to continue anyway. Damn straight I did … and it failed saying something like “too Busy, try again later.” I had reset my TF201 to factory, so I added my Google account to my TF201 and tried a third time. This time the app asked me to login to confirm my account. I did and it unlocked. w00t!

I wonder if those who are on JB but didn’t unlock while on the ICS bootloader are screwed now while those of us who had unlocked while on the ICS boot loader but for whatever reason have a locked bootloader (I sent mine in for repair) are fine. Seems to be the case.

At this point, If I just boot up, I see the “The Device is Unlocked” message. If I boot into recovery (press VOL down + Power), I don’t see it.

Next, I followed the steps here (http://forum.xda-developers.com/showpost.php?p=26595675&postcount=2) to install TWRP. Success!

Then I grabbed the Superuser binary http://androidsu.com/superuser/ and dropped it onto the SD card. Booted into recovery (TWRP) this time and installed SU. Sweetness.

Oh really? I think Google just wants me to use Chrome.

Mon, 07 Jan 2013 11:49:14 -0500

Oh really? I think Google just wants me to use Chrome.

How to Live with Introverts

Sun, 06 Jan 2013 10:07:39 -0500

How to Live with Introverts

America's Real Criminal Element: Lead

Sat, 05 Jan 2013 08:57:36 -0500

America's Real Criminal Element: Lead:

New research finds Pb is the hidden villain behind violent crime, lower IQs, and even the ADHD epidemic. And fixing the problem is a lot cheaper than doing nothing.

Android Fragmentation is a Pernicious Myth

Thu, 03 Jan 2013 09:49:34 -0500

One of the oldest and most common myths that chaps my ass is that Android is fragmented. The first instance I found was in 2007, there may be earlier instances. It’s not fragmented and saying so doesn’t make it so. Android, like all software, has a version problem which is exacerbated by handset makers’ and carriers reluctance to update the OS, but that’s isn’t fragmentation. It’s a versioning and, that is not a semantic difference but a real difference in how it affects the end-user experience on all devices and OS’s.

Calling Android fragmentation is hyperbolic rhetoric. The word “fragmentation” is used to imply fracture, broken, a shattering of the OS so that nothing runs. Don’t deny it. The word elicits a fiction that is out of line with reality. Calling Android fragmented is meant as FUD. If you want to call Android fragmented, have a ball, but at least have the courage of your convictions and be honest about why you are saying it—furthering FUD.

Fragmentation occurs when developers have to recompile their application for specific platforms of the same OS. Linux, specifically Linux distributions, is fragmented. There is fragmentation in the distributions, the window managers, libraries, lots of things. What this means is that Linux developers often have to compile applications for each platform (Ubuntu, Debian, Fedora, etc) and possibly window manager. You can’t take a program compiled for Fedora and expect it to work on Debian in many cases. The result is extra work for developers to code, compile, distribute, and support multiple versions of the same application at the same time. It also means that I can’t take an application and simply copy it from one Linux install to another using a different distribution and have any guarantee that it will work. The current version of any application could vary across distributions. Some features may or may not be available across distributions. That, my friends, is fragmentation.

Android has a version problem which appears to complicate matters. The OS and SDK has undergone 10 major revisions since 2008. Having that many versions that quickly is bound to cause growing pains as developers have to decide which baseline version to support. Add to the number of Android versions, the explosion of handsets with varying types, displays, and hardware and yes, developing for the platform can be difficult. (A developer wrote an analysis of this matrix, which was impressive, but I can’t find it)

However, in the SDK are plenty of tools that allow developers to add backwards compatibility into the same source tree so that they don’t have to write multiple versions of code (and the libraries are getting better). There is extensive documentation on how to write an app for multiple display types. I’ve done it. It’s not that hard (none of my apps are available, they aren’t ready for public consumption). Some applications like games require special graphics processing so won’t work on phones without them or applications that require telephony won’t work on a tablet.

Since most users equate the the UI with Android, Google finally required handset makers using Android (well, supporting the Google Services Framework) to at least support the Holo theme bringing some consistency to the use experience. Some people look at the SenseUI and scream “OMG! It’s a new OS! Will my apps run!?!?!”

The fact is, you can take an application compiled for Android 2.x and it will work on any future version. You can write an application that supports both the new features in 4.X as well as running on older phones using the support library (obviously without the new features in the older OS). You can take that APK, the Android app package, and copy it to other device and Android versions (providing they are at or above the apps minimum version) they they run fine. That is not fragmentation.

Fragmentation isn’t likely to happen, either. At least not in a meaningful or impactful way. If some handset maker decided to fork Android to the point where new and existing apps required special support and compilation, then that would be a fragment and frankly would likely die in the market unless said vendor could quickly build up apps that users want. They would lose access to the hundreds of 1000’s of existing Android apps as well as new ones and they would have to convince app developers to support their fork. Good luck with that.

Week-end Project: Geek Desk

Mon, 24 Dec 2012 15:28:18 -0500

I work at home in front of a computer all day long. That makes for a lot of sitting which gets uncomfortable after a few hours. It’s not always convenient to get up and walk around. I may be on a call and I need to take notes, for example. I wanted a desk that I could work at while sitting or standing and it had to be motorized. I wasn’t going to move my laptop from one stage to another and back. I have a second monitor connected, headphones, a mouse, and sometimes other USB devices. Taking the 5 minutes to break down and reconnect wasn’t going to work for me. I settled on a GeekDesk MAX, large frame. I wanted a bigger desk with more lift capacity than the GeekDesk V3 and I wanted the pre-sets (convenience). I made a top from a solid core door.

I was concerned that the frame might be too spindly for a desk and that it might wobble in use, which would be a show stopper for me. It’s very solid and doesn’t wobble. I do notice as I type this that the monitor on my laptop is wobbling a just the tiniest bit, but it’s not really noticeable. On to the build!

Putting it together is a snap. It took me about a 1/2 hour. The desk ships with a Allen wrench and all you need to supply is a Phillips head screw driver and either a small adjustable wrench or a 5/16 socket.

The first step is attaching the legs to the feet which is done with 4 bolts and the included Allen wrench. That’s easy. The manual suggests, when attaching the cross member, to either have someone help hold up the other end or rest in on a box. I just put the leg on it’s side and attached the cross member with in sticking in the air (never mind the mess).

Then its a simple matter of attaching the other side.

Next I attached the crossbar to the top of the legs and snaked the cables for the two motors and the power back. The cables are quite long—needlessly long—and I wish they were shorter.

Then it’s just a matter of attaching the control panel, tightening all the bolts,

and testing it out. It worked great.

Finally, I attached the top which I made from a 30 inch solid core slab door from Home Depot. I spent more time working on the top (sanding, routing, painting) than I did putting together the entire desk.

Making the top was fun. The door is a 80x30x1 3/8 slab. The faces are nearly finished and there is a 1 1/2 inches of wood all the way around the perimeter while the core is particle board. It makes for a solid top. I first routed the edges with a 1/2 in half round pattern bit to get rid of the hard edges and then sanded the edges to get rid of tearout. Using a 2 1/2 inch hole saw, I cut out holes for cable runs. Next I sanded using 150 and 220 grit to a smooth surface. I primed with a latex grey primer, which I needed because I was using a bright red gloss. Then I did three coats, top and bottom, of the red sanding with 320 grit in between. I also stenciled on a helipad landing zone and spray painted it white.

I’m happy with the results, though this summer I am going to make a new top that has a light wrap around. I will either do it in wood or fiberglass. Wood is easier but fiberglass is more versatile.

A few things I would different. I’d probably take the extra step and use a wood grain filler on the top to make it very smooth. Even after 4 coats of paint, some of the grain shows through. I’d also use an enamel paint. The latex gloss I used from Home Depot dried in 24 hours but it can take up to 30 days to fully cure, if ever. The issue is that latex—especially one that is heavily colored like mine—doesn’t always fully cure to a hard shell. It feels dry to the touch, but rest something on it and it will stick in a few minutes. Not like glue, but a tack. Enamel on the other hand cures very hard. If I still find the top is sticking after 30-40 days, I may scuff sand and coat with an enamel.

Solution to Google Search Not Working In Firefox

Wed, 12 Dec 2012 10:40:34 -0500

Solution to Google Search Not Working In Firefox:

When Firefox updated to 17.0.1 yesterday, Searching Google broke in what seemed to me in a very weird way. I could run a search using the Search bar, but I couldn’t get to page 2 or any other page. New searches would result in the site bar, search box, and a white page. Oddly, if I went into Advanced Search, everything would return to normal for a while.

I tried removing all add-ons and even restarted in Safe Mode but the results were the same. Since I rely heavily on searches, Google primarily, this brought my work to a screeching halt. This only happened on Firefox, so in Chrome I searched for an answer and stumbled across this thread which offers some solutions. The reports about disabling Javascript for Google.com didn’t work for me, but as suggested in this answer, resetting dom.storage.enabled back to true (the default setting) worked. Just open a new tab, type ‘about:config’ in the address bar, then in the page, type dom.storage.enabled. When you see it, if the value is false, right click and toggle it to true. That’s it. The change takes effect immediately.

YMMV