Fixing OSX's Java 1.5.0 Vulnerability


It's been known for some time now that OSX has a pretty bad Java bug that could allow an applet to run commands as the user. This issue is also known as CVE-2008-5353 and puts Mac users at serious risk of getting owned simply by visiting a website. Sun fixed this issue in a patch released in early December 2008, more than six months ago as of this writing. I was almost starting to think up a conspiracy theory that Apple needed the vulnerability for something, but then I found that Brian Krebs of the Washington Post reported on the gaps between Sun's fixes and Apple's updates: an average of 166 days.

This big Java never-fix hole got a lot of press around May 19-22. It even motivated me to dig around Apple's feedback site and ask them to please fix it asap. Nearly a month later, nothing. Even with the release of the impressive and sleek Safari 4, the issue persists.

Remediating the Issue

Note: As of 6/16/2009, Apple released a Java update that addressed the purpose of this article.
The steps below are being left for posterity, but to fix, simply choose "Software Update" from your Apple menu.

One can do the widely publicized work-around: Turn off Java in your browser. In your browser Preferences there will be a checkbox "Enable Java" which we are told to simply un-check. I find this to be somewhat ridiculous. If we were asked to turn off Flash, there would be an Internet revolt. Disabling an entire application platform, to me, is not a suitable interim solution. This would be especially true for people who use services like Wuala, Hushmail's java-based authentication, or products like MindTerm's ssh applet.

So I went for a surgical method.

All credit for this one goes to Marc Schoenefeld of illegalaccess.org. I'd just stop at linking the site from here but I think there are a few other details worth mentioning about his published solution. Basically, the goal is to create some classpath trickery by compiling your own Calendar class and putting it before the bad one included in OSX's java library.

Let me go through illegalaccess.org's steps:

  1. Find a non-OSX version of JDK 1.5.0_19, like the Linux version.
     • This was surprisingly difficult on java.sun.com. Apparently Sun doesn't want you to use it anymore. License agreements, End-of-Life notices, and finally a .bin file that I couldn't open in OSX, and had to bother my friend with an Ubuntu laptop to run and extract for me.

  2. Open a Terminal. Locate and extract src.zip and find java/util/Calendar.java
     • Be sure to stay in that "root" source directory where you can see: java/

  3. Compile the class via command-line using:
     • javac java/util/Calendar.java
     • Several compilation warnings, but they can be ignored.

  4. Create a new jar using:
     • zip /chosen/path/FixedCalendar.jar java/util/Calendar*.class
     • I decided to use /Users/username/lib/FixedCalendar.jar as the place where this patch jar file would reside.

  5. Edit ~/Library/Caches/Java/deployment.properties
     • Set: deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:/chosen/path/FixedCalendar.jar
     • Yes, keep the p: in there. That threw me off, but it should be there.
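As an added example (this is not code from the post or from illegalaccess.org), the following POSIX shell script automates steps 3 to 5 and then verifies the result. The function names, the `build_patch_jar` wrapper around the javac and zip commands above, and the sample paths are my own assumptions; the deployment.properties key and the -Xbootclasspath/p: flag are the ones the post gives. The check matters because a mistyped jar path fails silently: the plug-in would start without the patched class and load the vulnerable Calendar.

```shell
#!/bin/sh
# Added example, not code from the original post or from illegalaccess.org.
# Automates steps 3-5 of the workaround: build the patched Calendar jar,
# point the Java Plug-in's JRE 1.5.0 arguments at it with -Xbootclasspath/p:,
# and verify the result. Function names and sample paths are assumptions;
# the property key and the flag are the ones the post gives.
set -u

# Property key the Java Plug-in reads for JRE 1.5.0 arguments (from the post),
# plus a regex form with the dots escaped so grep matches it literally.
ARGS_KEY='deployment.javapi.jre.1.5.0.args'
ARGS_RE='^deployment\.javapi\.jre\.1\.5\.0\.args='

# build_patch_jar SRCROOT JARPATH
# SRCROOT is the directory containing java/ from the non-OSX JDK src.zip.
# JARPATH must be absolute because the compile runs from inside SRCROOT.
build_patch_jar() {
    srcroot="$1"
    jarpath="$2"
    ( cd "$srcroot" \
      && javac java/util/Calendar.java \
      && zip "$jarpath" java/util/Calendar*.class )
}

# set_boot_arg PROPFILE JARPATH
# Writes (or replaces) the single line
#   deployment.javapi.jre.1.5.0.args=-Xbootclasspath/p:JARPATH
# leaving every other property untouched. Running it twice is harmless.
set_boot_arg() {
    propfile="$1"
    jarpath="$2"
    tmp=$(mktemp) || return 1
    if [ -f "$propfile" ]; then
        # grep -v exits 1 when nothing is left to print; that is fine here.
        grep -v "$ARGS_RE" "$propfile" > "$tmp" || :
    fi
    printf '%s=-Xbootclasspath/p:%s\n' "$ARGS_KEY" "$jarpath" >> "$tmp"
    mv "$tmp" "$propfile"
}

# check_boot_arg PROPFILE
# Returns 0 when the args line prepends a jar that actually exists on disk;
# 1 when the line is missing, lacks the /p: form, or names a missing file.
check_boot_arg() {
    propfile="$1"
    [ -f "$propfile" ] || return 1
    line=$(grep "$ARGS_RE" "$propfile" | tail -n 1)
    case "$line" in
        *-Xbootclasspath/p:*) ;;
        *) return 1 ;;
    esac
    # The jar path is whatever follows "p:" up to the next space.
    jar=$(printf '%s\n' "$line" | sed 's|.*-Xbootclasspath/p:\([^ ]*\).*|\1|')
    [ -f "$jar" ]
}

# Usage with the paths from the post (hypothetical user name):
#   sh fix_calendar.sh /Users/username/lib/FixedCalendar.jar
# Only acts when a jar path is given, so sourcing the file does nothing.
if [ -n "${1:-}" ]; then
    PROPS="$HOME/Library/Caches/Java/deployment.properties"
    if set_boot_arg "$PROPS" "$1" && check_boot_arg "$PROPS"; then
        echo "boot classpath patched with $1"
    else
        echo "patch not in effect: check $PROPS and $1" >&2
        exit 1
    fi
fi
```

The script never touches the JDK's own rt.jar; it only prepends the patched class through the plug-in's per-JRE argument line, which is what keeps the change reversible (delete the line and the stock Calendar is back).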

After that, you can re-check "Enable Java" in your browser(s), and safely (for now, as far as we know) surf the web. Follow the rest of Marc Schoenefeld's testing recommendations to verify it works correctly.

So while it's not the most simple solution, it definitely works. I verified that the Landon Fuller proof-of-concept now fails with a "Bootstrap Failure" error. A better result than the applet telling you you've just been exploited. 

Patch that Mac! Use Java. Mmmm, web-based Java. 

Posted on June 12, 2009 by Dennis Mojado


GTUG Meetup about Android 1.5

This meetup talk given by Dan Morrill of Google Developer Relations includes upcoming Android features for "Cupcake" 1.5, some code demos showing Dalvik VM versus native development benchmarks, and a few of Dan's favorite apps.

Admittedly, it's difficult to follow the technical parts of this talk in an audio recording only, especially as Dan modifies code and demos the k-means clustering application. But there are several fascinating knowledge gems about this rapidly-growing mobile OS.

Broken up in three parts as usual:

Thanks to the SV Google Technology Users Group, and the Silicon Valley Android Developers group for cross-promoting this event. And of course, thanks to the Google campus for hosting us.

Posted on June 10, 2009 by Dennis Mojado


Android v1.5 and the HTC Google Ion

When Google VP of Engineering Vic Gundotra announced at the Day 1 keynote that attendees of Google I/O would all receive a free Android developer phone, the room of thousands went into an uproar of applause. I arrived late, so I was all the way in the back catching the tail end of the keynote. But wow did I catch the good part! Free unlocked developer phones? No way!

Since laying my hands on the phone, I managed to stay excited about it even almost two weeks later. What a way to get developers into coding for this relatively new mobile OS.

Having previously developed on Symbian S60, dabbled in Qt, and been a member of the technical demo teams of the ACCESS Linux Platform, I settled on the iPhone's superior user experience, and basically surrendered any hope that competing mobile operating systems would be able to take a major hold in the market.

Even when Android SDK 1.0 was launched last September (2008), my reaction was "neato" but with a small degree of skepticism: "Yet another Linux-based mobile operating system by some consortium of vendors." Fast forward to today. It took Oprah-like generosity, an open SDK, and a very cool little phone for me to see how engaging it could be to develop on Android. I will delve into programming in another post. For now, let me talk about a few key hardware differences straight out:

The HTC Google Ion "G2" vs. iPhone

Media Player:

The Google Ion, a.k.a. the HTC Magic, is definitely not (yet) a media player competitor. The included demo songs sounded horrible (both from a personal choice perspective, and in overall quality) so I deleted them and went to my own library. I loaded up some of my finest Amazon MP3s and was shocked to hear so many sound artifacts and the same loss of resolution (despite the high quality source of these music files). I should backtrack and mention that I listened via the USB-to-headphone adapter, which might be the culprit. There is no headphone jack on this device. If I hadn't known any better I would have thought the MP3s were recorded on a voice-recorder using space-conserving settings. The player is likewise rudimentary, nothing at all like an iPod experience. I am almost certain this aspect of the OS will improve with upcoming phones/Android releases.

Video and Camera:

The Ion can record video (a plus) but playback is a crude 3-button interface. At least I'm primed and ready now to do my own cell-phone videos, something I've always wanted for my iPwn. However, you can only email the latest recorded video, and must copy off the microSD card to share any other previous videos (that's gotta be an easy bug to fix).

The 3.2MP pinhole camera auto-focuses. Decent for street documentary, I'd say. The auto-focus feature enables easy use of another favorite: The bar code reader. Using Compare Everywhere I am able to scan up a shopping list of books each time I go to Barnes & Noble.

Standby Time:

Battery life is really lacking on the HTC. Moderate usage with 3G enabled, wifi on, Bluetooth, and GPS will give you less than a full day (24hrs) of life before it needs to be plugged back in to the USB power supply. Forum posts blame multiple background processes (typically runaway apps). I have, several times now, had an app get stuck; then the battery would get really warm as it churned up CPU. I tried an app called Advanced Task Manager to possibly "kill -9" runaways like this, but no such luck. Only a full power-cycle was able to stop them.

Soft keypad:

I was really expecting a pop-out keyboard like the G1. The touchscreen keypad is comparable, but come on, how hard can it be to allow us to use Bluetooth HID profiles? I want to use my fold-out Bluetooth keyboard!

Trackball:

There's a little Blackberry-Pearl-like rollerball by the bottom buttons. I don't use it much, but one colleague explained it's best for moving the cursor around when editing text. Seems superfluous.

Phone calls:

This is what the phone is for, right? Call quality was fine, but being accustomed to the multi-tasking phone features of the iPhone, the HTC was disconcerting. When on a call, the screen just blanks after a few seconds. Even when the caller hangs up, the phone does nothing. You have to remember to press a button to call up any menu (like the dialpad or to hang up).

The Network:

The HTC doesn't have the right radio for other 3G networks, so if you like 3G you're stuck with T-Mobile. It is unlocked, though, so in theory it's compatible with any GSM network. I've tested it on AT&T EDGE with no problems. You can guess which phone I'd take with me when traveling, especially out of country.

Conclusion:

All in all, it is somewhat obvious this is a developer-focused phone. Both the hardware and the UX need some polishing, but it's a lot sleeker and cooler than the G1. I don't know if it's just my SDK excitement or the newness factor of being handed a free phone... my 1st gen iPhone is currently powered-off and calls are forwarded to the Ion. This is the first time I've honestly considered switching away from the iPhone. The HTC Ion with Android is very welcoming. If you're into programming at all, the barrier to entry is quite low.

Pick a Path

This month (June 2009) is a very exciting month in the mobile industry. There are several local events (Google I/O, the Palm Pre webOS launch, and WWDC) that are really shaking the way we think of mobile applications. Whereas before I thought the iPhone blew everyone out of the water, the gap is closing fast. Do I learn Objective-C and join a rabid app market? Do I jump into an open community of Google Android developers? What about webOS and the rave reviews that the new Pre UI is receiving? We are at a crossroads, and for programmers there are many new paths to explore.

Posted on June 06, 2009 by Dennis Mojado


Launch a Product with your Community

Went to a meetup (StartupSF) with a wise guest speaker, Loic Le Meur, founder and organizer of LeWeb Paris and CEO of Seesmic.

I am glad I recorded the talk because it was filled with insightful and contrarian views to competitors, reacting to negative feedback, and determining product features.

Have a listen.

Thanks to GoGrid Cloud Hosting, and Technology Evangelist Michael Sheehan for the invitation and organizing the event.

Posted on June 05, 2009 by Dennis Mojado


Disk Encryption: Usable or Impediment?

Just wanted to poll you OSX users out there: how many of you actually use FileVault on your home (or work) systems? As far as I know, enabling FileVault user home directory encryption will make most of Apple Time Capsule's functions useless (e.g. point-in-time auto-backup and recovery).

I am already assuming that 99.99% of Windows users are not implementing TrueCrypt or PointSec whole-disk encryption, so I won't ask. However, OSX seems to make some efforts at making this easy to enable and run fully in the background.

The challenge with whole-disk encryption is that if you are good about backing files up, you need a way to do it on the backup side as well. This is not trivial, especially if incremental backups are part of the picture. One way I've seen is a combination of rsync.net and a utility called duplicity. But in my initial attempts, it has the same shortcomings as regular rsync, except that you cannot clean up the files as easily because you cannot view them at all on the remote location (a security feature).

I'm wondering how many actually secure their drives, or if important stuff just gets compartmentalized into encrypted .dmg volumes?

Posted on February 17, 2009 by Dennis Mojado


Unix Time Event

Unix time, the time calculated as seconds since January 1, 1970 UTC (not counting leap seconds), will reach 1234567890 today at 15:31:30 PST. This is a momentous event for geeks worldwide, but I highly doubt many will notice except for a small number of L337 tech people.

BTW, unix time 1234554321 lapsed earlier today at 11:45:21 PST.

Posted on February 13, 2009 by Dennis Mojado


Technical People

The clue is right there in the name itself, technical people. The word technical finds its roots in the same soil as the word technique. These are people who are more captivated by technique than by application. Their attention is more engaged by how a system works rather than what a system does.
Paul Glen, Leading Geeks.

This is an interesting take on geek mindset. I am sometimes amazed at how some geeks I know can spend dozens of free-time hours figuring out and understanding a particular technology only to not have any real deliverable produced from it. But for the most part, my peers, coworkers, and colleagues would much rather see something "just work" and curse the heavens when stuff breaks and they have to dig deep to figure it out.

Rare is the person who just pumps out personal techie projects: someone who is fascinated by the technical learning but also keeps applying the technology's potential. It's one thing to know a lot about a subject, but it's entirely another to be creative about it, that is, creating consistently. Technical people will have high regard for those who can bridge the gap between deep knowledge and applied pursuits. This is partly why there exists the startup stereotype of "the techie guy" partnering up with "the business guy".

One immediate parallel that comes to mind is the realm of amateur (wannabe professional) photography. Especially now with the advent of consumer digital photography, you will find lots of people who love to scour forums and pick apart technique and gear. Then you'll have those who just love to produce. They learn, but don't get caught up in the eliteness of certain technologies or methods. They constantly produce new work; and in doing so gain more expertise.

I'm not saying one or the other is better even though my admiration of producers is leaking through. I'm just pointing out that the disparity will always cause conflict between "just works" and "do it correctly" people. This blog itself was an exercise in my own attempt at "doing it right" at the cost of "what can it do". I chose Java on BSD with Tomcat and PostgreSQL when a much simpler LAMP (Linux, Apache, MySQL, PHP) setup would have been quicker and would have worked almost right out of the box. And now, after looking at WordPress's newest versions (a popular free content-management software), I am wondering how much I am constrained by this [fascinating] technique I've implemented at Caffeinated Code; WordPress features and plugins are simply astounding. There are so many features available even though the WordPress community's choices of implementation are somewhat contentious.

Continues Paul Glen,

This is not to say that geeks don't care about business, but it does run a strong second to technique.

I guess what we're all looking for is a kind of tech holy grail. Despite the many ideas of what technology should do, and despite the many arguments and attempts of how it should be done, we wish to create things that are both architecturally a masterpiece, and highly useful and usable.

Posted on February 08, 2009 by Dennis Mojado
