Tags: apple, itunes10, macosx, news, reviews, software, ui, update. By Chris Foresman (chris.foresman@arstechnica.com)

By now, most iTunes users have already downloaded and installed iTunes 10. We've already given you the low-down on the biggest addition to the new version of iTunes—the Ping social network—but we also wanted to give our impressions on two "improvements" promised in the release notes: look-and-feel and performance. While we agree that iTunes is "faster and more responsive," we're not sold on the revised user interface.

"Enjoy performance improvements which make iTunes faster and more responsive"

Let's face it, performance is not iTunes' strong suit. I have a decent-sized library of some 6,700 tracks, for a total of 30GB of storage space—I can listen to music for nearly 51 days straight without ever hearing the same song twice. That is not a small music library, but it certainly doesn't compare to many people I know who complain that an iPod classic still isn't big enough to hold their library.

If music was all that iTunes had to manage, juggling those 6,700 tracks wouldn't be much trouble. But it also keeps track of movies, TV shows, music videos, ePub and PDF books, iPhoto libraries, iPods, iPhones, iPads, audio books, iTunes U content, podcasts, Internet radio stations, other local iTunes libraries on the network… well, you get the idea. Apple has piled additional functionality on software that originally started life as a Mac OS 8 MP3 player to the point where it is practically bursting at its Carbon seams.

For those with large libraries hoping for a full Cocoa rewrite, this is not the iTunes update you've been looking for. But while iTunes 8 and 9 got progressively slower—it got to the point that switching to iTunes to skip a track or stop it to answer a phone call was a five to ten second trial of patience—Apple promised that iTunes 10 would offer faster performance.

After playing with the new version for the better part of a day, we can honestly say it is a little snappier. It certainly doesn't suffer from the unresponsive UI that plagued iTunes 9 on my aging original Core Duo MacBook. Specific genres and artists load instantly in the browser. Flipping through albums in Cover Flow seems especially fast. And the new list view with album art scrolls like butter.

We're not sure what Apple is using behind the scenes—it's certainly not Cocoa, and Apple didn't respond to our questions about what specific enhancements had been added. After using both iTunes 9 and iTunes 10 with Activity Monitor running, it does seem that iTunes is using more threads and may be using a little more (about 5 percent) CPU time than before. It's not more efficient, but it is perceptibly faster—at this point, it's a trade-off we can accept.

We still hope for a fully turbo-charged, block-using, GCD-enabled, Cocoa-fied version of iTunes with blazing performance. iTunes 10 isn't there yet, but the tweaks that are there are welcome.

"Explore many look-and-feel improvements throughout iTunes"

Notice the vertically aligned close/minimize/maximize buttons on the left—is "abomination" too strong a word? The volume control has also been enlarged.

Now, iTunes 10's new "look-and-feel" is an entirely different matter. Immediately noticeable are the cringe-inducing vertically aligned window controls. Admittedly, it does save a few pixels of vertical space, since Apple got rid of the title bar entirely. But the Human Interface Guidelines are there for a reason—to provide users with a consistent paradigm for interacting with applications. The common wisdom is that you shouldn't break the HIG unless there is a compelling reason. In our opinion, a few pixels of vertical space isn't a compelling enough reason, especially considering all the comments we have heard from colleagues and readers who find it confusing.

Thankfully, you can get rid of this style with a hidden terminal command. Quit iTunes 10, and enter defaults write com.apple.iTunes full-window -1 in a Terminal prompt. Relaunch iTunes and—voilà!—the standard window controls return.

The new heading-collapsing mechanism is there, but maybe not obvious. Double-clicking works just fine, though.

Another major change is that Apple has pretty much removed all the color from the iTunes sidebar. In previous versions of iTunes, the icons representing different media, playlists, and devices in the left-hand sidebar came in a range of colors. Now all the icons are subtle, monochromatic shadows of their former selves. All the shapes are distinctive enough for the most part, but the low-contrast grey makes it more difficult to find what you are looking for at a glance. Instead of thinking "green" for the iTunes Store or "purple" for Genius Mixes, you'll have to pay more attention to the shapes and text labels. It may be more visually "refined," but in our opinion usability is hurt.

Not even the preferences tab bar escaped the monochrome treatment.

Yet another questionable UI tweak is that all the buttons along the bottom of the main iTunes window have lost their button shape. Instead, they appear as a series of—you guessed it—grey shapes that give only a vague clue that clicking them might do something. The style is reminiscent of the tab bars used on iOS applications, except even there the active tab has a rectangular button shape around it, giving users a subtle clue that the other icons could be clicked to activate them. In its default state, none of the buttons are active—those that are get a nice blue highlight fill—and so a user would have to rely on curiosity and pop-up tool tips to figure out what the buttons do, once they figure out that they are buttons in the first place. It's not terrible once you get used to it, but new users might miss these buttons entirely.

Would the average user be able to figure out that these are buttons?

There are a couple of smaller changes that we are neutral about, and two that we like. Apple has changed the volume control to make it thicker, and it has a subtle machined aluminum look. Being bigger makes it easier to target, especially with a trackpad. Apple also changed how some of the top-level categories in the sidebar are collapsed. Instead of using standard disclosure triangles, rolling over these categories (like Genius or Playlist) will reveal a "show" or "hide" text button to the right. Clicking the text will show or hide the stuff underneath these headings, but double-clicking them works the same, and is easier in our opinion.

The new column headings look classy and improve usability. And the list view with album art icons is a nice touch.

The two changes we do like, however, are the redesigned list view column headings, and the new list view with album art icons. The new column headings are larger, with more space above and below the heading text. This makes it easier to target using a trackpad while also being more visually appealing. The added list view with small album art icons is also a nice touch for those who think visually but have too many albums to rely strictly on the album art or Cover Flow views.

It will be some time before we know what impact Ping will have on the iTunes user base, or whether TV rentals will be compelling enough to get more users watching (we suspect they would be more appealing for users of the new Apple TV when it comes out next month). The new iTunes UI might leave a lot to be desired, but at least Apple has made some effort to improve the overall performance.

Perhaps iTunes 11 will finally be the version that sheds the last vestiges of Carbon cruft. Hopefully Apple engineers will also give at least a passing nod to the Human Interface Guidelines when designing its UI.


Tags: france
The PS wants to resurrect the form of policing under which crime exploded during the Jospin years.
Tags: chrome, google, news, open-source. By Ryan Paul (segphault@arstechnica.com)

When Google launched its Chrome Web browser in 2008, it was clear that the product had considerable potential. Its emphasis on performance and its intriguing minimalistic user interface attracted a lot of well-deserved attention. Today, exactly two years later, Chrome has over 80 million users, a 7.52 percent global market share (21.87 at Ars, making it the second most popular browser here behind Firefox), and is gradually creeping into the mainstream.

It wasn't entirely clear at first if the browser would have real staying power or if it would be cast aside unfinished like so many of Google's other ambitious *cough*Wave*cough* experiments. But Google's commitment hasn't waned, and it's increasingly evident that the browser is an important part of Google's platform strategy and long-term aspirations for the future of the Web. To mark Chrome's second anniversary, Google has announced the official release of Chrome 6, a new major stable version of the browser.

The new version brings significant JavaScript performance improvements, some user interface enhancements, built-in synchronization capabilities, and an autofill feature that can automatically populate form data. We took a look at those features last month, when Google rolled Chrome 6 into the beta channel.

Google's Chrome team iterates quickly and has adopted a very rapid and incremental development model. Starting with version 6, they intend to push out a new stable release every six weeks, a faster pace than most other browser vendors. Coupled with Chrome's aggressive and highly effective background updater, this will mean that users will always get the latest and greatest features.

We spoke with Google about the two-year anniversary milestone and the company's plans for future Chrome development. Performance remains a top priority and will continue to be improved as the browser evolves. Google cites hardware accelerated rendering, which will arrive soon in the Chrome developer channel, as one of the key areas where they are working on performance. The company is also preparing to launch a developer preview of the Chrome Web Store so that third-party developers can start working with the feature.

Google also has a compelling vision for enhanced synchronization. When the company first announced its synchronization plans last year, it was revealed that Chrome would use an XMPP-based protocol so that it could offer highly transparent push synchronization. This feature is fully integrated in Chrome 6, but Google plans to continue advancing it in future versions. The eventual goal is to create a "stateless" browsing experience where the user can log into any Chrome instance and have instant access to all of their settings, bookmarks, history, and add-ons.

One of my biggest complaints with Chrome is the lack of tab overflow handling. I identified this problem in my very first review, and it still hasn't been adequately addressed after two years. Google says that it's exploring options for better tab handling, but hasn't decided how it wants to proceed.

Google recently demonstrated some highly experimental tab features that offer insight into how Chrome tabbing might eventually be enhanced. Compared to something like Mozilla's Panorama feature, Google says it wants to create something more automatic that doesn't require much user intervention.

Chrome has made considerable progress over the past two years and appears to have a bright future ahead. Version 6 is available for download from the company's Web site, but existing users can expect to receive the update automatically.


Tomorrow, Zeiss will formally announce the 35mm f/1.4 Distagon for Canon and Nikon...
Tags: 3dprinting, gadgets, geohacking, giftguide, happymutants, opendata. By Cory Doctorow

Fluid Forms is a 3D printing and laser-cutting company that produces a wide range of objects based on maps, satellite images, and other photos. They started off with topographical maps of physical places printed in sterling silver with pinbacks, and now they've expanded their repertoire. The new offerings include necklaces with steel charms based on your photos, or maps (inexplicably, these are marketed as "necklaces for men," though I can't imagine why they're not unisex -- the same charms are also available as earrings) and acrylic/wood clocks with finely cut lines reproducing streetmaps.

I love the idea of using "emotionally significant" places as motifs for jewelry and other decorative items. On the 3D printing side, it's a clever way of giving everyone a ready-made, personally important 3D mesh to use as the basis for an object.

Certain models of HP combination printer and scanner devices contain a feature that could allow for corporate espionage, according to researchers at web security firm Zscaler.
Tags: apple, family, family and friends, friends, ipad, photography, tim bray, vancouver, wedding

[Photo: Tarya and TJ Wedding - Bride and groom 3]

I think Tim Bray is right about what makes the new generation of tablet computers, led by the iPad, actually useful:

    A tablet is, crucially, a more shareable computer. A laptop, with its fragile hinge-ware and space-gobbling keyboard, is just not comfy to share. A tablet is easier to bring to the café, easier to hand across the table or along the sofa, easier to seize in the heat of the moment, easier to hold up in triumph, easier to set aside when you need to meet someone's eyes.

Here's how that played out for me this week, somewhat unexpectedly. I was the official photographer for my cousin's wedding last weekend. That morning, I was preparing myself to take hundreds of pictures with both my film and digital SLR cameras. But, having just picked up the digital camera kit for my iPad earlier in the week, I thought it might be useful to bring the iPad along as a quick backup device onto which I could dump the digital files from time to time during the day. (Sometimes I'm a little paranoid about backups.)

After the ceremony itself, as everyone was settled in for the buffet brunch, but before speeches began, I plugged in the adapter and my camera's SD card and got most of the photos imported onto the iPad. (The process was a little flaky: after the first few hundred, the Photos app kept quitting, and though it remembered what it had imported, it would only do a few more pictures at a time before crashing again.) I didn't get everything backed up right then, but it was enough, especially since pictures of the ceremony itself were safe.

Then, as I flipped through the photographs to check them out, I realized something: I could pass the iPad around. My cousin and her family and friends could see pictures of the wedding, in a beautiful large picture-frame style that was easy and intuitive to flick through, before the event was even half over. They loved it.

Later that evening, I'd had a chance to get home, change clothes, and import the rest of the pictures before heading over to my aunt and uncle's house for the wedding after-party. There, more people, including the groom and his mom (who was visiting from Toronto), were able to see all the pictures on the iPad, the same day I'd taken them. A few of the group portraits included the groom's extended family—who, it turns out, had never all been in a photo together before, ever. He and his mom both got teary-eyed looking at them.

A few months ago I might have brought my laptop to import photos onto during the wedding. More likely, I wouldn't have bothered. And I certainly wouldn't have passed it around, since it's more awkward, fragile, and complicated to use when viewing pictures—particularly standing around in a crowded room of people who've had a few drinks.

I'm in the process of putting the best pictures from the wedding online, and I'll give everything to my cousin and her husband on DVD too, but the immediacy and poignancy of being able to display the pictures right there, during the events of the wedding day, made the iPad well worth what my wife paid for it in June.

Tags: 3g, android, ereader, froyo, gadgets, galaxytab, hardware, mobile, news, samsung, tablet. By Chris Foresman (chris.foresman@arstechnica.com)

Apple became the biggest fish in the very small touchscreen tablet pond when it launched the iPad this past spring. But more fish will arrive starting mid-month when Samsung launches its Galaxy Tab mobile device in Europe (US and Asia will get it "in the coming months"). After being rumored and teased for weeks, Samsung officially unveiled its entry into the burgeoning market at the IFA show in Germany on Thursday.

The Samsung Galaxy Tab is a 7" widescreen touch tablet powered by Android 2.2. The Tab will use the same TouchWiz UI used on Samsung's line of Galaxy S smartphones, which gives it a very iOS-like look and feel. Also following the iPad's lead, the device has a metal back, black bezel, bottom speakers, and even a 30-pin connector.

At the heart of the device is the same 1GHz ARM processor and PowerVR GPU core that powers the Galaxy S phones, and is in most respects equivalent to Apple's A4 processor. It also includes 802.11n WiFi, Bluetooth 3.0, and 3G connectivity; assisted GPS capabilities; accelerometer, gyroscope, and magnetometer sensors; and comes with either 16GB or 32GB of built-in flash storage.

However, there are a few areas where the Galaxy Tab separates itself from the iPad. The display is a 1024 x 600 pixel, 7" diagonal 16:9 wide touchscreen. The smaller size makes the overall device smaller, and at under 5" wide it's almost pocketable. The smaller size also gives the device a higher pixel density of 171ppi versus the iPad's 132ppi, though its widescreen orientation does sacrifice screen real estate. Those that primarily use the device for viewing HD content, however, will really appreciate this design choice.

The device also includes both rear- and front-facing cameras; the iPad's omission of cameras has been heavily criticized. At the rear is a 3MP autofocus camera with LED flash, while on the front is a 1.3MP fixed focus camera. In addition to stills, the Tab can record 720 x 480 resolution video.

To expand storage, the device accepts up to 32GB MicroSD cards.

On the software side, the Tab includes the mobile version of Flash 10.1—Apple's iOS devices famously lack Flash compatibility—but the jury is still out on whether that is a benefit or not. It's compatible with a wide variety of audio and video formats for media playback, including being the first DivX-certified tablet. Like Samsung's other Galaxy devices, it features the innovative Swype soft keyboard. And Samsung is targeting the popularity of the iPad as a full-color e-reader by including a Kobo-developed "Readers Hub" which is compatible with ePub, PDF, Kobo, and Adobe DRM'd content, including books, magazines, and newspapers. By virtue of running Android 2.2, it also includes all the Google apps like Navigation and Latitude, and can access software from the Android Marketplace.

Samsung's Galaxy Tab is the first in a number of Android tablets that have been announced or rumored for release late this year or early next year. Samsung has not yet announced pricing, exact ship dates, or carrier partners for 3G data service, but it says the device will first launch in Europe in mid-September, to be followed by US and Asia sometime later this year.


Tags: features, guides, oauth, open-source, security, twitter. By Ryan Paul (segphault@arstechnica.com)

Twitter officially disabled Basic authentication this week, the final step in the company's transition to mandatory OAuth authentication. Sadly, Twitter's extremely poor implementation of the OAuth standard offers a textbook example of how to do it wrong. This article will explore some of the problems with Twitter's OAuth implementation and some potential pitfalls inherent to the standard. I will also show you how I managed to compromise the secret OAuth key in Twitter's very own official client application for Android.

OAuth is an emerging authentication standard that is being adopted by a growing number of social networking services. It defines a key exchange mechanism that allows users to grant a third-party application access to their account without having to provide that application with their credentials. It also allows users to selectively revoke an application's access to their account.

Some of the more technical aspects of this article will be easier to understand if you have a basic familiarity with the standard and the problems that it is trying to solve. We published a primer earlier this year that you can refer to if you are looking for additional background information.

The OAuth standard has many significant weaknesses and limitations. A number of major Web companies are collaborating through the IETF to devise an update that will fix some of the problems, but it's still largely a work in progress. The current version of the standard—OAuth 1.0a—is an inelegant hack that lacks maturity and fails to provide clear guidance on many critical issues that are essential to building a robust authentication system.

Website operators who adopt the current version of the standard have to tread carefully and concoct their own solutions to fill in the gaps in the specification. As a result, there is not much consistency between implementations. Facebook, Twitter, and Google all have different variants of the standard that have to be handled differently by third-party applications. Twitter's approach is, by far, the worst.

Not so secret consumer key

Applications that communicate with OAuth-enabled services can use a set of keys—called the consumer key and consumer secret—to uniquely identify themselves to the service. This allows the OAuth-enabled service to tell the user what third-party application is gaining access to their account during the authorization process. This works relatively well for server-to-server authentication, but there is obviously no way for a desktop or mobile application that is distributed to end users to guarantee the secrecy of its consumer secret key.

If the key is embedded in the application itself, it's possible for an unauthorized third party to extract it through disassembly or other similar means. It will then be possible for the unauthorized third party to build software that masquerades as the compromised application when it accesses the service.

It's not quite as bad as it sounds, but the problem is how Twitter is using the key. It's very important to understand that a compromised consumer secret key doesn't jeopardize the security of the users of the application. The key can't be used to gain access to the accounts of other users, because accessing an individual account requires an access token that individual instances of the client application obtain automatically on behalf of the user during the authorization process.

The function of the consumer secret is really just to let the remote OAuth-enabled Web service know who is making the request—kind of like a user agent string. In the context of a desktop or mobile client application, it's basically superfluous and shouldn't be trusted in any capacity.
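To make the token-secret point concrete, here is an added example (my code, not from the article, from Twitter, or from any real client) of the OAuth 1.0a HMAC-SHA1 signing that RFC 5849 specifies, paired with a toy service-side verifier. The endpoint URL, the consumer key/secret and the token/secret pair are all constructed placeholders. The signing key is the consumer secret and the user's token secret joined by "&", so a request signed with an extracted consumer secret but without the token secret fails verification; the consumer secret is still checked, which is the only thing that makes application-level revocation possible in the first place.

```python
# Added example (not code from the article or from Twitter): a minimal OAuth 1.0a
# HMAC-SHA1 signer and a toy service-side verifier following RFC 5849. It shows why a
# leaked consumer secret alone does not let anyone act on a user's account: the signing
# key is consumer_secret + "&" + token_secret, and the token secret is only held by the
# user's own client instance and by the service.
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import quote

API_URL = "https://api.example.invalid/1/statuses/update.json"  # constructed endpoint

# Constructed service-side registries; placeholders, not real Twitter values.
CONSUMERS = {"client-app-key": "client-app-secret"}
TOKENS = {"alice-token": ("alice-token-secret", "alice")}


def oauth_encode(value):
    """RFC 5849 section 3.6 percent-encoding: only ALPHA, DIGIT, '-', '.', '_', '~' are left as-is."""
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    """METHOD & enc(url) & enc(sorted 'k=v' pairs joined by '&'), RFC 5849 section 3.4.1."""
    pairs = sorted((oauth_encode(k), oauth_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), oauth_encode(url), oauth_encode(normalized)])


def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the base string; the key binds the app secret AND the user's token secret."""
    key = f"{oauth_encode(consumer_secret)}&{oauth_encode(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()


def build_request(method, url, body, consumer_key, consumer_secret, token, token_secret):
    """What a client assembles: body parameters plus the oauth_* protocol parameters."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(int(time.time())),
        "oauth_nonce": secrets.token_hex(8),
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**body, **oauth}, consumer_secret, token_secret)
    return {"method": method, "url": url, "body": body, "oauth": oauth}


def verify_request(req):
    """Service side: recompute the signature from the secrets it holds; return the user or None."""
    oauth = dict(req["oauth"])
    presented = oauth.pop("oauth_signature", "")
    consumer_secret = CONSUMERS.get(oauth.get("oauth_consumer_key"))
    token_secret, user = TOKENS.get(oauth.get("oauth_token"), (None, None))
    if consumer_secret is None or token_secret is None:
        return None
    expected = sign(req["method"], req["url"], {**req["body"], **oauth}, consumer_secret, token_secret)
    return user if hmac.compare_digest(expected, presented) else None


def legitimate_client_posts():
    """Alice's own client instance holds both secrets, so the service accepts the request."""
    req = build_request("POST", API_URL, {"status": "hello"},
                        "client-app-key", "client-app-secret", "alice-token", "alice-token-secret")
    return verify_request(req)


def leaked_consumer_secret_alone():
    """Holding only the app's consumer key/secret (plus Alice's public token id) cannot
    produce a valid signature, because her token secret is missing from the key."""
    req = build_request("POST", API_URL, {"status": "spam"},
                        "client-app-key", "client-app-secret", "alice-token", "")
    return verify_request(req)


def wrong_consumer_secret():
    """The consumer secret is still checked; that check is what lets a service identify (and revoke) an app."""
    req = build_request("POST", API_URL, {"status": "hello"},
                        "client-app-key", "not-the-real-secret", "alice-token", "alice-token-secret")
    return verify_request(req)


if __name__ == "__main__":
    print("legitimate client:", legitimate_client_posts())
    print("leaked consumer secret only:", leaked_consumer_secret_alone())
    print("wrong consumer secret:", wrong_consumer_secret())
```

Run it directly to see the three outcomes. The only thing an extracted consumer secret buys is the ability to claim the application's identity, which is why revoking by consumer key punishes that application's users without protecting any of them.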

Against all reason, Twitter requires every single application—including desktop and mobile software—to supply a consumer key and a consumer secret. To make matters worse, Twitter intends to systematically invalidate compromised keys. This means that when somebody extracts the key from a popular desktop Twitter client and publishes it on the Internet, Twitter will revoke access to the service for that client application. All of the users who rely on the compromised program will be locked out and will have to use other client software or the Twitter website in order to access the service.

To restore access after a key is exposed and invalidated, the developer of the compromised application will have to register a new key, embed the key in a new version of the program, deploy the new version to end users, and get the users to go through the authorization process again. This is going to be especially challenging for developers who rely on distribution channels like the iPhone application store, which have a lengthy review process. They could find themselves in a situation where their users are locked out for weeks when a key is compromised.

When this happens, the users will simply get authentication errors and will have no way of knowing the cause. They will likely switch to a different client application rather than waiting for the developer of their preferred client software to issue an update with a new key. It's obvious that this could be enormously problematic for client application developers—the risk alone could potentially deter developers from wanting to write software that works with Twitter.

When some concerned third-party developers brought this issue to Twitter's attention, the company refused to change course and responded by saying that they expect developers to take a "best-effort security" approach to protecting the integrity of their keys. Twitter acknowledges that it will always be possible for a determined attacker to extract the consumer secret from a desktop or mobile client application, but the company believes that such attacks will largely be deterred if developers take basic steps to obscure and obfuscate their keys in their source code.

The issue here is that Twitter wants to use the keys as an abuse control mechanism to centrally disconnect spammers and other unwanted users of the service, but OAuth was simply not designed to be used for that purpose. The idea is that centrally disabling a spammer's consumer secret key will lock out all of the spammer's user accounts, theoretically simplifying spam control for Twitter. It's unlikely that this naive strategy will work in practice, however.

Any spammer with a hex editor can trivially compromise the keys of popular applications and use those keys to evade Twitter's abuse controls. By using the consumer key and consumer secret key from a popular third-party Twitter application, a spammer can make it harder for Twitter to lock out all of his spam accounts at once without also locking out a large number of legitimate users of the compromised application. Even if individual spammers aren't sophisticated enough to know how to extract the keys, they can easily buy consumer secret keys from people who know how to get them out of mainstream Twitter clients.

There are a lot of other scenarios where "best-effort security" and a little bit of obfuscation aren't going to be a sufficient deterrent. For example, the developer of a popular commercial third-party Twitter client might compromise and anonymously publish the consumer secret key of a competing application so that they can get it temporarily disabled. In addition to those kinds of obvious business incentives, mischief makers might compromise keys just for the lulz.

I repeatedly attempted to make Twitter aware of the problems with its OAuth implementation, but the company largely ignored my concerns. When I opened a support ticket, it was promptly closed and I was directed back to the developer mailing list, where I received no response from Twitter after writing several posts outlining my concerns. My attempts at responsible disclosure were unsuccessful.

Compromising Twitter's client for Android

In order to evaluate the viability of Twitter's "best-effort security" strategy, I decided to see how difficult it would be to obtain the OAuth consumer secret key from Twitter's own official client application for Android. As I expected, it was trivially easy. I used the Astro application on Android to back up the Twitter application to an SD card and then copied it from the SD card to my computer.

The next step was to extract the contents of the Twitter APK package and attempt to figure out which one contained the relevant value. After briefly poking around the contents of the package, I settled on the classes.dex file as the most likely place. I used the strings command at the command line to extract all of the contiguous textual strings from the binary dex file. I used the grep command to filter the output and identify strings of sufficient length. After glancing over the list of potential candidates that I had extracted from the dex file, I was quickly able to find the OAuth consumer key and consumer secret:

Code Sample Removed from Kindle Feed due to limitations in Kindle Feed Format.

These keys are particularly significant because Twitter has configured them to enable access to special APIs which aren't generally available yet that can be used to exchange login credentials for an access token—an OAuth flow that is intended for mobile applications but could also be used to bulk-authenticate accounts. As a courtesy to Twitter, I have replaced the last six characters of each key with the letter X so that spammers can't simply copy and paste it out of this article. My decision to not disclose the entire keys is not going to help Twitter much, however, because practically anybody with basic knowledge of command line tools, Android development, and OAuth will be able to access the keys handily. If this is the extent of Twitter's "best-effort" security, we should all be appalled.

After I obtained the keys, I was able to put them in my own client application and use them to authenticate my user account and post a message. The keys come from version 1.0.3 of the official Twitter client for Android, which was published in the Android Market this week. It's very likely that the administrators at Twitter will respond to this article by invalidating the key that I've partially published above and issuing an updated version of the program with a new key. One can only hope that they will at least try to take steps to obscure the key better next time.
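Seen from the developer's side, the same strings-and-grep walk-through is a useful pre-release gate: run it over your own build artifact and fail the build if anything key-shaped turns up. The following is an added example of such a gate (my code, not from the article or from Twitter). It reimplements the printable-run extraction of strings in Python over a constructed byte blob standing in for a classes.dex, then uses Shannon entropy to separate key-shaped tokens from class names and UI text. Every string and key value in the blob is a constructed placeholder, and the 4.0-bit entropy threshold is an assumption tuned to this sample rather than a universal constant.

```python
# Added example (not code from the article or from Twitter): a release-time check that
# looks for key-shaped, high-entropy tokens in a build artifact before it ships.
import math
import re
import string

# Characters `strings` treats as printable (space kept, other whitespace excluded).
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")
# Shape of an OAuth 1.0a consumer key/secret as a standalone token: URL-safe characters, long.
KEYLIKE = re.compile(r"^[A-Za-z0-9_-]{20,}$")

# Constructed stand-in for a build artifact (e.g. a classes.dex) with a few embedded values.
# None of these are real keys; both key-shaped tokens were made up for this example.
SAMPLE_ARTIFACT = (
    b"dex\n035\x00" + b"\x00" * 8
    + b"Lcom/example/app/ApplicationConfiguration;\x00"
    + b"\x01\x02" + b"Xa1b2C3d4E5f6G7h8I9j0K\x00"            # constructed consumer key
    + b"\xff\xfe" + b"k7Qp2xL9vR4mZ1wB8nT3yH6jD0sF5gAc\x00"  # constructed consumer secret
    + b"Please enter your username and password\x00"
    + b"\x7f" * 4
)


def extract_strings(data, min_len=20):
    """Runs of printable ASCII at least min_len long, like `strings -n min_len`."""
    runs, current = [], []
    for b in data:
        if b < 128 and chr(b) in PRINTABLE:
            current.append(chr(b))
            continue
        if len(current) >= min_len:
            runs.append("".join(current))
        current = []
    if len(current) >= min_len:
        runs.append("".join(current))
    return runs


def shannon_entropy(s):
    """Bits per character; random key material scores high, words and identifiers score low."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def find_secret_candidates(data, min_len=20, min_entropy=4.0):
    """Tokens inside printable runs that are key-shaped and high-entropy, sorted for stable output."""
    found = set()
    for run in extract_strings(data, min_len):
        for token in re.split(r"[^A-Za-z0-9_-]+", run):
            if KEYLIKE.match(token) and shannon_entropy(token) >= min_entropy:
                found.add(token)
    return sorted(found)


def release_check(data):
    """True when the artifact looks clean; a CI step would fail the build on False."""
    return not find_secret_candidates(data)


if __name__ == "__main__":
    for token in find_secret_candidates(SAMPLE_ARTIFACT):
        print(f"possible embedded secret: {token!r} (entropy {shannon_entropy(token):.2f} bits)")
    print("clean:", release_check(SAMPLE_ARTIFACT))
```

In the sample, the class name ApplicationConfiguration is long enough to be key-shaped but scores about 3.6 bits and is skipped, while the two constructed key tokens score above 4.4 bits and are reported. A gate like this catches an accidentally shipped secret; it does not make shipping one safe, which is the article's point.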

Referring to the standard

Twitter's approach to OAuth is obviously misguided, but it gets even crazier when you compare the company's implementation against the actual standard. The OAuth specification itself describes the secret key security issue and says explicitly that implementors should not do what Twitter is trying to do:

"In many applications, the Consumer application will be under the control of potentially untrusted parties. For example, if the Consumer is a freely available desktop application, an attacker may be able to download a copy for analysis. In such cases, attackers will be able to recover the Consumer Secret used to authenticate the Consumer to the Service Provider. Accordingly, Service Providers should not use the Consumer Secret alone to verify the identity of the Consumer."

Part of the problem is that the specification doesn't provide much guidance about what implementors should do instead, which has forced them to improvise. Facebook and Google Buzz have both come up with reasonable solutions and offer desktop-appropriate OAuth authentication flows that neither require a secret key nor force the end user to go through a complicated copy/paste process.

Google's relatively pragmatic solution is to allow client applications to supply a bogus placeholder instead of the actual consumer secret key. In every API call where a consumer key and consumer secret are required, the developer simply uses the text string "anonymous" as a stand-in. Google Buzz supports an xoauth_displayname parameter that the application can optionally supply to identify itself, but this is used solely to advertise the program in the user's messages.

Facebook, which has a clean OAuth implementation based on the OAuth 2.0 specification draft, goes a step further than Google and simply allows desktop applications to omit the consumer secret entirely. Getting an application up and running on Facebook tends to be much easier than on many other OAuth-enabled services.

As Google and Facebook have demonstrated, there are obviously reasonable solutions to the key secrecy issue. Twitter continues to stubbornly ignore those solutions despite the serious problems with its own approach.

Twitter's OAuth implementation and open source clients

Requiring third-party developers to embed a consumer secret key in the source code of their Twitter client applications potentially puts free and open source (FOSS) client software at greater risk of key exposure than closed-source client software. The key would be visible as plain text in the source code, where anybody could find it and use it for their own purposes. Indeed, one can already easily find dozens of OAuth consumer secret keys by using Google's code search engine.

Twitter felt that allowing FOSS Twitter clients to use OAuth posed an unacceptable risk. The company warned that it would invalidate any OAuth keys that it found published in the source code of FOSS client applications. This was deeply troubling to the developers who maintain such software, including me. I am the developer behind Gwibber, a GPL-licensed microblogging client that is used in Ubuntu and other Linux distributions.

Twitter initially said that the only real solution for FOSS Twitter client developers is to have each individual end user register their own application key to copy and paste into the program. The process of registering Twitter application keys is somewhat unintuitive because it is intended for application developers. It's simply not reasonable to expect regular end users to walk through those steps. Several prominent FOSS Twitter developers objected to Twitter's position on this issue, including TTYter developer Cameron Kaiser and Spaz developer Ed Finkler.

In response to the concerns raised by the FOSS community, Twitter committed to implementing an alternate OAuth authentication mechanism specifically for FOSS applications. The alternate authentication flow would allow users to register a sub-key that they could paste into the application. It would still involve an extra copy-and-paste step, but it would offer a simpler user interface than the standard key registration system.

It was really a bad idea, one that only became necessary in the first place because of Twitter's misguided requirement that desktop applications use secret keys. Despite promising to have it ready for FOSS client applications, Twitter still has not completed this system. It made it available experimentally to a small handful of developers, but it's not production-ready or intended for widespread use.

By turning off Basic authentication without offering a suitable alternative for FOSS clients, Twitter effectively made it impossible for FOSS client applications to continue functioning normally. This is especially troubling for Linux users, because Adobe AIR (which is used by virtually all cross-platform closed-source Twitter clients) does not always work well on the Linux platform.

Linux users aren't the only ones negatively affected, however. Twitter clients that are developed as browser add-ons are written in JavaScript and are necessarily distributed with their source code available as plain text. This includes some extremely popular Twitter clients, such as ChromedBird.

Most FOSS client developers have simply chosen to embed their keys in their source code with the hope that Twitter won't notice. I was about to give up on Gwibber, but Canonical intervened on my behalf (special thanks to Ken VanDine) and negotiated a compromise with Twitter that will allow Gwibber to continue using the service.

Despite claiming to love open source and using an awful lot of it on the backend, Twitter doesn't seem to care very much at all about FOSS Twitter clients or their users and developers. Finkler expressed frustration yesterday about the ongoing absence of the FOSS OAuth system that Twitter had promised.

It's unclear when or if Twitter will change its OAuth implementation to make it less hostile to FOSS clients. If Twitter does the right thing and eliminates the requirement for desktop applications to use secret keys, it would effectively resolve the problem for FOSS clients.

Bugs and other technical problems

Aside from handling the consumer secret issue poorly, Twitter's OAuth implementation has a number of bugs, defects, and inconsistencies that pose challenges for users and developers.

Third-party developers are finding that it is maddeningly difficult to debug client-side support for Twitter's OAuth implementation because Twitter tends to spit out very generic 401 errors for practically every kind of authentication failure. It doesn't provide enough specific feedback to make it possible for the developer to easily troubleshoot or isolate the cause when authentication is unsuccessful.

This is especially frustrating in situations where authentication is failing because of a bug or defect in Twitter's implementation. For example, authentication will sometimes fail if the system clock on the end user's computer is running slightly fast. This issue has to do with the timestamp that is embedded in the requests, but it's not entirely obvious what causes it to occur.

On the matter of timestamps, the specification itself only says that each API request must have a higher timestamp value than the previous request—a requirement that could obviously wreak havoc if the user ever changed their system clock while using the software, but wouldn't necessarily cause the clock-skew authentication failure that is commonly experienced. Developers can't see exactly how this stuff works on Twitter's side, and it's not adequately documented, so they are left to guess.
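The clock-skew failure and the generic 401 described above come down to how a service provider validates `oauth_timestamp` and `oauth_nonce`. The following is an added example, not Twitter's code: it contrasts a strict rule (monotonic per consumer and never ahead of the server clock), which rejects a legitimate client whose clock is 90 seconds fast, with a skew-tolerant rule that still blocks replayed nonces, and it returns a specific reason rather than a bare authentication failure. The window sizes and the epoch value are constructed.

```python
"""Service-provider side checks for oauth_timestamp / oauth_nonce.

Added example, not Twitter's code. OAuth Core 1.0a only says a request's
timestamp must be equal to or greater than the previous one for that consumer;
it says nothing about how far ahead of the server clock a timestamp may be,
so each provider improvises. Below: a strict rule that breaks clients whose
clock runs slightly fast, a tolerant rule that does not, and a nonce cache
that still stops replays. Every verdict carries a machine-readable reason.
"""
from dataclasses import dataclass, field

# Provider policy (constructed values, not Twitter's real limits).
MAX_SKEW_SECONDS = 300            # accept timestamps within +/- 5 min of server time
NONCE_TTL_SECONDS = MAX_SKEW_SECONDS * 2


@dataclass
class ConsumerState:
    """Per-consumer-key bookkeeping kept by the service provider."""
    last_timestamp: int = 0
    # nonce -> timestamp at which it was seen, so old entries can be expired
    seen_nonces: dict = field(default_factory=dict)


@dataclass
class Verdict:
    ok: bool
    reason: str          # e.g. "timestamp_in_future"; far more useful than a bare 401


def check_strict(state, timestamp, nonce, server_now):
    """Naive rule: monotonic per consumer AND never ahead of the server clock.

    A client whose clock is 90 s fast is rejected although it is legitimate.
    """
    if timestamp > server_now:
        return Verdict(False, "timestamp_in_future")
    if timestamp < state.last_timestamp:
        return Verdict(False, "timestamp_not_monotonic")
    if nonce in state.seen_nonces:
        return Verdict(False, "nonce_replayed")
    state.last_timestamp = timestamp
    state.seen_nonces[nonce] = timestamp
    return Verdict(True, "ok")


def check_with_skew(state, timestamp, nonce, server_now,
                    max_skew=MAX_SKEW_SECONDS):
    """Tolerant rule: timestamp within a window around server time; nonce unique
    within that window. Monotonicity is dropped on purpose so that a user who
    corrects a fast clock mid-session is not locked out."""
    # Expire nonces older than the window; a replay from outside the window
    # fails the timestamp check anyway, so nothing is lost by forgetting them.
    for n, ts in list(state.seen_nonces.items()):
        if server_now - ts > NONCE_TTL_SECONDS:
            del state.seen_nonces[n]
    if abs(timestamp - server_now) > max_skew:
        # Say which way the client is off, so the developer can troubleshoot.
        direction = "ahead" if timestamp > server_now else "behind"
        return Verdict(False, f"timestamp_skew_{direction}")
    if nonce in state.seen_nonces:
        return Verdict(False, "nonce_replayed")
    state.seen_nonces[nonce] = timestamp
    return Verdict(True, "ok")


def demo():
    """Constructed scenario: client clock 90 s fast, then a replay, then an
    hour-old timestamp. Returns the four verdicts."""
    server_now = 1_283_500_000   # fixed epoch seconds so the run is reproducible
    client_ts = server_now + 90
    strict = check_strict(ConsumerState(), client_ts, "n1", server_now)
    state = ConsumerState()
    tolerant = check_with_skew(state, client_ts, "n1", server_now)
    replay = check_with_skew(state, client_ts, "n1", server_now + 1)
    far_off = check_with_skew(ConsumerState(), server_now - 3600, "n2", server_now)
    return strict, tolerant, replay, far_off


if __name__ == "__main__":
    for label, v in zip(("strict", "tolerant", "replay", "far_off"), demo()):
        print(f"{label:8s} ok={v.ok} reason={v.reason}")
```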

Another similar problem is that Twitter's authentication servers will report an authentication failure in cases where the service is simply overburdened and doesn't have sufficient capacity to address the request. Twitter has acknowledged this problem and wants to find a solution, but isn't sure how to fix it and doesn't know when a fix will be made available.

Authorization issues

So far, this article has largely focused on the technical deficiencies of Twitter's own OAuth implementation. For the rest of the article, we will be looking primarily at broader OAuth issues that also affect many other implementations. We will still be discussing OAuth in the context of Twitter, but it's important to keep in mind that the following issues are widespread and aren't necessarily specific to Twitter's implementation.

The manner in which OAuth relies on page redirection to facilitate the authentication process poses some unusual challenges that are difficult to address. One issue that has been raised is that the user remains logged in on Twitter (and might not even realize it) when he or she goes through the legitimate redirect-based authorization process that is initiated by a third-party website. This could be a problem if the user is using a computer at a public location, such as a school computer lab.

Say, for example, that a user logs into an online game and then authorizes that game to access their Twitter account. When they are done playing, they will likely log out of the game so that the next person to use the computer won't mess with their game account, but they might not realize that the OAuth authorization they performed during the session also left them logged into Twitter, and that they need to log out of Twitter too.

It's not clear exactly what the right behavior should be, but it's arguable that Twitter should log the user out after handing authentication to the third-party service in cases where the user wasn't already logged into Twitter before initiating the authentication request.

Another somewhat related issue is that the "Deny" button on the authorization page is really just a cancel button. If you are prompted to authorize an application that you have already authorized and you click the Deny button, Twitter will not revoke the application's existing authorization to access your account. Again, this is a situation where it's not really obvious what behavior the user should expect.

The word "Deny" has a very specific meaning that is somewhat misleading in the way that it is used on the page. I think that implementors should either change the denial button to use the word "Cancel" or make it revoke existing access in cases where it exists. Perhaps the user should be prompted. As previously stated, this is not a Twitter-specific issue—the same problem exists on Google's authorization page, too.

Phishing risks

Twitter doesn't have any kind of vetting process or validation procedure to ensure that consumer key registrants are who they claim to be. For example, there is absolutely nothing to stop me from registering a Twitter OAuth application key claiming that my company is Apple and my product is Mac OS X. When a malicious person registers a key that pretends to be a legitimate product, the company that makes that product has to go through a lengthy arbitration process with Twitter's administrators and demonstrate that they own the trademark in order to get the falsely registered key invalidated.

This problem is not unique to Twitter, but Twitter exacerbates the risk of phishing by failing to use appropriate language on its authentication page. When Twitter presents users with the option of granting access to an application, it warns the user to only allow the authorization to proceed if they trust the party requesting access, but it doesn't warn the user that the initiator of the request and recipient of account access could, in fact, be somebody other than the entity stated on the authorization page.

Arguably, Twitter will be able to partially mitigate the risks of such attacks by finding and invalidating fraudulently registered keys. One of the advantages of OAuth is that the malicious application will have its access to user accounts revoked when the key is invalidated. A more serious problem is when phishing attacks are perpetrated with a compromised key that came from a legitimate third-party application.

OAuth supports a callback parameter that allows the party initiating the authorization request to specify where the user's access token (the token used to access a user's account) should be sent when the authorization process is completed. A malicious individual with a compromised consumer key could request authorization in a manner that appears to be on behalf of a legitimate application, but could have the access token sent to their own server so that they can control the user's account.

The user would see a normal Twitter authorization page on the official Twitter website with the name of a legitimate and safe application, but they would unknowingly be granting access to the malicious third-party that initiated the authorization request. This is especially dangerous because all of the things that users have been trained to look for to spot phishing—like the URL and the SSL certificate—will appear exactly as they should, giving the user a false sense of security.

Twitter has taken some reasonable steps to limit the risk of such an attack. Specifically, Twitter has blocked keys that are registered for the desktop from using the callback parameter. Any consumer key that is registered on Twitter for a desktop application will only be able to use the so-called out-of-band (OOB) authorization method, which doesn't rely on redirection. This is one of the few things about Twitter's approach to OAuth that actually makes good sense. Unfortunately, it doesn't protect against such a phishing attack in circumstances where a key that has redirection enabled is compromised.

The consumer secret key for a Web application is stored on the servers of the company that operates the application, so it is unlikely to be compromised. The problem is that there are a lot of mobile applications that rely on the redirection method and configure their Twitter consumer keys to function in Web mode. This is because a very common practice for mobile applications is to use the redirection authorization method in conjunction with a custom URL handler that is registered with the platform.

The URL handler trick makes it possible for the Twitter website to hand the user's access token directly back to the application when authentication is complete. In cases where that approach is used, the application's key necessarily has to be configured as a Web key, even though it is used in a desktop application. If that key is compromised, it is susceptible to the previously described phishing attack. (It's also worth noting that there is a risk of some malicious application overriding the URL handler settings to make itself the recipient of the access token.)

Ideally, OAuth implementors should require application developers to supply the callback address when they configure their key and should not allow that setting to be overridden by the client application in a request parameter. Twitter has a field in the key configuration that allows the developers to specify a default, but they still allow client applications to use the dangerous callback override parameter.
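The rule argued for in the preceding paragraphs (callback fixed at key registration, desktop keys restricted to OOB, no per-request override) can be stated precisely as a small provider-side resolver. This is an added example, not Twitter's code: `resolve_callback` implements the hardened rule and, via `allow_override=True`, the weak rule that honours any request-supplied `oauth_callback`, so the difference on a leaked web key is visible side by side. The app names, keys and URLs are constructed placeholders, and the custom-scheme case stands in for the mobile URL-handler pattern described above.

```python
"""Provider-side handling of oauth_callback (added example, not Twitter's code).

Hardened rule: the callback is fixed when the consumer key is registered, a
desktop key may only use the out-of-band ("oob") flow, and a per-request
oauth_callback is honoured only when it matches the registered one.
Weak rule (allow_override=True): any request-supplied callback is honoured,
which is what lets a leaked consumer key redirect a victim's access token.
"""
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlsplit

OOB = "oob"


@dataclass(frozen=True)
class RegisteredApp:
    consumer_key: str
    name: str
    app_type: str                              # "desktop" or "web"
    registered_callback: Optional[str] = None  # None means "oob only"


def _same_endpoint(a: str, b: str) -> bool:
    """Compare scheme, host/port and path exactly; ignore the query string so an
    app may append state to its own registered URL. Custom schemes such as
    exampleapp://oauth are compared the same way, which covers mobile
    URL-handler callbacks."""
    pa, pb = urlsplit(a), urlsplit(b)
    return ((pa.scheme.lower(), pa.netloc.lower(), pa.path)
            == (pb.scheme.lower(), pb.netloc.lower(), pb.path))


def resolve_callback(app: RegisteredApp, requested: Optional[str],
                     allow_override: bool = False) -> Tuple[Optional[str], str]:
    """Return (callback_to_use, reason); callback_to_use is None on rejection."""
    if app.app_type == "desktop":
        # Desktop keys are redirect-free: only the PIN/OOB flow is allowed.
        if requested in (None, OOB):
            return OOB, "desktop_key_oob"
        return None, "desktop_key_cannot_redirect"

    # Web key from here on.
    if requested in (None, OOB) and app.registered_callback is None:
        return OOB, "web_key_oob"
    if requested is None:
        return app.registered_callback, "registered_callback"
    if allow_override:
        return requested, "override_honoured"            # the weak rule
    if app.registered_callback and _same_endpoint(requested, app.registered_callback):
        return requested, "matches_registered"
    return None, "callback_mismatch"


def demo():
    """Constructed apps and requests; names, keys and URLs are placeholders."""
    desktop = RegisteredApp("key-desktop", "Example Desktop Client", "desktop")
    web = RegisteredApp("key-web", "Example Web App", "web",
                        registered_callback="https://app.example.org/oauth/return")
    mobile = RegisteredApp("key-mobile", "Example Mobile App", "web",
                           registered_callback="exampleapp://oauth")
    foreign_url = "https://attacker.invalid/collect"   # placeholder, not a real host
    return {
        "desktop_oob": resolve_callback(desktop, OOB),
        "desktop_redirect": resolve_callback(desktop, foreign_url),
        "web_same_path_with_state": resolve_callback(
            web, "https://app.example.org/oauth/return?state=abc"),
        "web_hijack_hardened": resolve_callback(web, foreign_url),
        "web_hijack_weak": resolve_callback(web, foreign_url, allow_override=True),
        "mobile_scheme_ok": resolve_callback(mobile, "exampleapp://oauth"),
        "mobile_scheme_mismatch": resolve_callback(mobile, "otherapp://oauth"),
    }


if __name__ == "__main__":
    for case, (cb, why) in demo().items():
        print(f"{case:26s} -> {cb!r:48s} {why}")
```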

Security is hard, let's go shopping!

Individual implementations aside, the general concept behind OAuth's redirection-based authorization process materially increases the risk of phishing. The people behind the standard are fully aware of that fact, but they don't believe that the issue should necessarily be addressed by the standard itself.

They have argued for quite some time that end users should simply be more careful and implementors should come up with best practices on their own. This is because the purpose of the OAuth standard was to mitigate the password antipattern, not to holistically solve every security problem.

"OAuth cannot help careless users, and phishing is all about not paying attention to what you do. There has been some interesting discussion about phishing on the OAuth group and the bottom line is, it is far beyond the scope of the protocol," OAuth contributor Eran Hammer-Lahav wrote in 2007.

Unfortunately, there are advocates of OAuth who are less honest than Hammer-Lahav about the standard's scope and limitations. Some proponents of the standard misrepresent its maturity and suitability for adoption while downplaying its weaknesses and risks.

When people try to raise concerns about the problems, OAuth advocates tend to argue that developers who don't like OAuth are simply lazy or don't care about security. Some of the people behind the OAuth standard try really hard to convince end users that they should expect OAuth support everywhere, even in contexts where it doesn't really work or make sense. Their attitude is that developers should man up and learn to live in the brave new OAuth-enhanced world where solving the password antipattern takes priority over every other security issue.

To be clear, I don't think that OAuth is a failure or a dead end. I just don't think that it should be treated as an authentication panacea to the detriment of other important security considerations. What it comes down to is that OAuth 1.0a is a horrible solution to a very difficult problem. It works acceptably well for server-to-server authentication, but there are far too many unresolved issues in the current specification for it to be used as-is on a widespread basis for desktop applications. It's simply not mature enough yet.

Even in the context of server-to-server authentication, OAuth should be viewed as a necessary evil rather than a good idea. It should be approached with extreme trepidation and the high level of caution that is warranted by such a convoluted and incomplete standard. Careless adoption can lead to serious problems, like the issues caused by Twitter's extremely poor implementation.

As I have written in the past, I think that OAuth 2.0—the next version of the standard—will address many of the problems and will make it safer and more suitable for adoption. The current IETF version of the 2.0 draft still requires a lot of work, however. It still doesn't really provide guidance on how to handle consumer secret keys for desktop applications, for example. In light of the heavy involvement in the draft process by Facebook's David Recordon, I'm really hopeful that the official standard will adopt Facebook's sane and reasonable approach to that problem.

Although I think that OAuth is salvageable and may eventually live up to the hype, my opinion of Twitter is less positive. The service seriously botched its OAuth implementation and demonstrated, yet again, that it lacks the engineering competence that is needed to reliably operate its service. Twitter should review the OAuth standard and take a close look at how Google and Facebook are using OAuth for guidance about the proper approach.


Erin Doland

In celebration of its 50th anniversary, the Fujitsu company has released a ScanSnap unit with a traditional lacquered finish, but — and this is the painful part — it appears to only be available in Japan:

The S-1300 and S-1500 units can fold up to look like a decorative box on your desk, which is as clever as it is beautiful. Fujitsu announced the commemorative document scanners by way of a manga advertisement, and you can see both pages of the advertisement online: Pages 1 and 2.

In addition to the stylish new exterior, it looks like the 50th anniversary ScanSnap models might also come with two tea cups and a sushi mat (although, I don’t think the raven is included):

Now, I’m crossing my fingers and hoping the Fujitsu company considers releasing decorative models in more markets. To learn more about getting your paper clutter under control with the help of a ScanSnap, check out our article “Scanning documents to reduce paper clutter.”

Happy anniversary, Fujitsu! And, thanks go to reader Jen for letting us know about this item.


nate@arstechnica.com (Nate Anderson)

Pop quiz—which US Internet service provider made the following statement about a network upgrade?

During the construction of this network we have given a lot of thought... to the business model in the US, and how we could do things in a different and more interesting way. The natural model when you have a simple duopoly capturing the majority of the market is segmentation: maximize ARPU [average revenue per user] by artificially limiting service in order to drive additional monthly spending. But fundamentally this is the wrong model for a service provider like us, and we have looked to Europe for inspiration. The model pioneered by Iliad under the Free brand is a better fit, both for us and for our customers.

As the marginal cost of providing more bandwidth or less, and providing POTS voice or not are both minimal, we have adopted a simple flat rate model instead of the more typical US model of "$5 more goes faster"... I believe that removing the artificial limits on speed, and including home phone with the product are both very exciting.

Yeah... it wasn't one of the major ISPs. Instead, it was Sonic.net, California's largest indie ISP. The company has been in business since 1994, but the FCC's eventual decision to deregulate wholesale broadband services put the company in a tough spot, where it couldn't access the highest-speed components of the network at a competitive price. So Sonic.net has been building out its own "facilities-based" network around San Francisco, though it still requires access to the telco-controlled copper local loop to a customer's home.

The new network, called Fusion, allows Sonic.net to offer ADSL2+ service along with its own telephone service (this isn't VoIP, but actual POTS). The company currently sells one offering to residential users through Fusion: for $50 a month, they get uncapped ADSL that runs as fast as their line can handle (up to 20Mbps) along with free nationwide phone service. Users who want more bandwidth can order up a second telephone line and "bond" the two for speeds of up to 40Mbps by simply paying another $50.

Sonic.net CEO Dane Jasper explained his unorthodox approach to selling broadband in a discussion this week with Benoit Felten, a Yankee Group broadband analyst, on Felten's private blog. Felten, who's based in Europe, notes that the US market "is often considered to be a static duopoly," but he points to initiatives from ISPs like Sonic.net as refreshing alternatives.

"In an era where the buzzwords about broadband and the internet seem to be caps and hogs," he notes, "it's reassuring and exciting to see someone trying to buck the trend and offer what customers want as opposed to what he thinks customers should get."


Zoltan Arva-Toth


Datacolor has released SpyderLensCal, an accessory designed to take advantage of the autofocus micro adjustment feature of recent digital SLR cameras.


Larry Dignan

Apple is trying again with Apple TV in an attempt to be the center of the digital living room. The concept isn’t new since Google, Microsoft, Netflix, Amazon and others are also targeting your living room. Here’s our ranking of the digital barbarians at your door.

matthew.lasar@arstechnica.com (Matthew Lasar)

It was a dark and stormy night on December 18, 1908. Okay—maybe it wasn't so dark and stormy. But it should have been, because that was the night Thomas Edison tried to hijack the motion picture industry.

"With his beetle brows, long wispy hair, and beatific look, Edison might have seemed the addled inventor," writes the historian Neal Gabler, "but he was a shrewd businessman and a fearsome adversary who was never loath to take credit for any invention, whether he was responsible or not."

Edison assembled representatives of the nation's biggest movie companies—Biograph, Vitagraph, American Mutoscope, and seven others—and invited them to sign a monopolistic peace treaty. Since 1891, when the Wizard of Menlo Park filed his first patent on a motion picture camera/film system, his lawyers had launched 23 aggressive infringement suits against other production outfits.

Sometimes Edison won. Sometimes he lost. But the costs of these battles overwhelmed his rivals, and that was the intent.

"The expense of these suits would have financially ruined any inventor who did not have the large resources of Edison," one of his lawyers boasted, "and it could hardly be expected that he would be able to prosecute simultaneously every infringement as it arose."

Thus his victims sold their patents, making the Edison movie empire ever larger.

But the old man wanted it all, so he assembled his rivals and proposed that they join his Motion Picture Patents Company. It would function as a holding operation for the participants' collective patents—sixteen all told, covering projectors, cameras, and film stock. MPPC would issue licenses and collect royalties from movie producers, distributors, and exhibitors.

To top it all off, MPPC convinced the Eastman Kodak company to refuse to sell raw film stock to anyone but Patent Company licensees, a move designed to shut French and German footage out of the country.

"The negotiations were finalized in December," Gabler notes, and by early January, "the company made its announcement that the old laissez faire of the movie business was being abruptly terminated."

Make no mistake, had Thomas Edison succeeded in this scheme, he would have killed the motion picture industry or at least delayed its flowering by a generation. The good news is that the Patents Company foundered for a couple of years, then was declared in violation of the Sherman Anti-Trust Act by a federal court.

But why did MPPC fail even before its legal demise? We have here an object lesson that the Internet empires of our time ought to consider. In essence, Edison's forces thought that they could dominate their industry via legal control over technology, in tandem with a cynical alliance with morals groups. Giving the public the kind of movies that it really wanted came last on their list of priorities—which was the cause of the Edison Trust's downfall.

The system

By 1908, the public's demand for silent films was already insatiable. "For the millions of urban working-class people and new immigrants, going to the movies represented not only an affordable amusement but an extraordinary fascination," writes the film historian Eileen Bowser. "It is possible that motion pictures have never had such a devoted and enthusiastic audience since these early years."

To this day scholars struggle to count the number of "nickelodeons" that operated at the time. Most of them ran about three or four short silent films over the course of a half hour and charged a nickel for the service. At least 2,500 operated in that year across the United States. Five years later there were 14,000.

Immigrant-stuffed Chicago was America's number one movie-loving city. It boasted 407 theaters in 1909—in a region of two million people. "The foreigners attend in larger proportion than the English speakers," noted the Saturday Evening Post around this time. "This is doubtless because the foreigners, shut out as they are by their alien tongues from much of the life about them, can yet perfectly understand the pantomime of the moving pictures."

For the mostly lower-middle class Jewish and Catholic entrepreneurs who ran these theaters, the big challenge was providing consumers with a steady stream of new movies. The easiest way to get a film was to buy it from a producer. But individual production outfits took too long to come up with new fare, and given the short shelf life of a film, it was smarter to rent.

Enter the distributor: "It was a logical step for a supplier of lantern slides and optical goods, such as George Kleine in Chicago, to add a stock of films for rent or sale," Bowser notes.

But this was the vulnerable nexus upon which Edison and his allies pounced—the need for a predictable stream of product. The Patents Company created a subsidiary called General Film Exchange to enforce its rules and take its fees. General Film Exchange set up a strict procedure for collection and distribution. On Mondays, its administrators bought a predetermined quota of movies from the same five producers. On Wednesdays, they purchased films from another fixed group.

The compliant trade press told exhibitors what releases would be available when, and that was that. Movie house owners could not choose among these films, especially if they served small towns. They also couldn't hold films over due to popular demand.

"General Film did not usually allow for extraordinarily popular films by buying extra copies," Eileen Bowser adds. "Since an expensive production sold for the same price as the cheapest, the incentive was lacking, for both exhibitor and producer, to improve."

Blue bloods

Edison justified this rigid system as a form of moral quality control. "In my opinion, nothing is of greater importance to the success of the motion picture interests than films of good moral tone," he declared. These remarks pandered to a veritable army of decency reformers, furious that immigrants (who many of them disliked) were enjoying movies without being properly supervised (by them).

Bluebloods occasionally made forays into urban nickelodeons—mostly for the purpose of writing outraged commentaries like this:

The audience also sat still for one or two high-class films without any fuss, although we are sure they didn't understand what they were looking at any more than they would a Chinese opera. ... I would have been more comfortable on board a cattle train than where I sat. There were five hundred smells combined in one. One young lady fainted and had to be carried out of the theater. I can forgive that, all right, as people with sensitive noses should not go slumming. But what is hardest to swallow is that the tastes of this seething mass of human cattle are the tastes that have dominated, or at least set, the standard of American moving pictures.

Patents Company statements assured the public that General Film stood as a barrier against "cheap and inferior foreign films" (especially of the French variety) and that its distributors served the "better classes" of the community. The cartel insisted that it was fully in sync with the National Board of Censorship, a coalition of state level film monitoring groups whose activities the Supreme Court would sanction in a crucial 1915 court case, Mutual Film Co. versus the Industrial Commission of Ohio.

That ruling declared that the content regulation of movies did not violate the First Amendment guarantee of free speech, and it would not be reversed for more than 35 years.

The IMP

But looking in from the outside of this system was a younger generation of distributors who did not fit into Edison's rigid model. The most important of these was a rather unimposing man (five feet, two inches tall) who had come to the United States from a small southwestern German village. Carl Laemmle wandered about the turn-of-the-century US doing whatever he could—working in drugstores, farms, clothing stores—until he bumped into a Chicago nickelodeon and found religion.

"One rainy night I dropped into one of those holes-in-the-wall five cent motion picture theaters... " Laemmle recalled. "The pictures made me laugh, though they were very short and the projection jumpy. I liked them, and so did everybody else. I knew right away that I wanted to go into the motion picture business."

It was 1906. He immediately pooled his entire family's resources into a local venture, including the family itself, who sold tickets and performed janitorial services at what Laemmle called "The Coolest Theater In Chicago" (this referred to its well-ventilated structure). Then came a second nickelodeon, which meant greater need for movies on demand.

When a distributor let him down, he started his own rental service. When even his own distribution company couldn't meet the need, he launched a production outfit: the Independent Motion Picture Company (or "IMP," for short).

Eventually Laemmle renamed the firm Universal Pictures. "That's what we're supplying—universal entertainment for the universe," he proclaimed to his collaborators at the new company's founding meeting. Later he admitted that he had glanced out the window during the gathering and noticed a service truck with the logo 'Universal Pipe Fittings' painted on the side.

Defiance

Laemmle is probably best remembered for the hijacking of Florence Lawrence, one of the first movie stars. Lawrence had signed up at Biograph Pictures. But Laemmle offered her something few performers enjoyed at that point—name recognition. Unlike the Edison Trust studios, IMP's boss understood what the public wanted—longer, more dramatic films, full of actors with whom people could identify.

So he not only whisked his new prospect away from Biograph, he floated a rumor that she had been killed in a street automobile accident. Millions of newspaper readers glommed onto the story as Laemmle announced the good news: Florence Lawrence was alive and well, now in production with Laemmle's newest picture: The Broken Oath.

Around the same time, Laemmle announced that he would not cooperate with the Edison Trust. He would buy his raw stock, films, and equipment from abroad, or from any manufacturer or producer willing to work with him. In response, the Edison Trust bombarded IMP with infringement suits—289 filings that burdened the company with almost a third of a million dollars in legal fees.

Meanwhile, General Film detectives constantly harassed IMP's production sets, looking for non-licensed equipment. IMP and other non-Edison movie companies countered this with evasive action.

"Cameramen kept several cameras on a set," cinema historian Janet Staiger writes. "When detectives arrived to catch them illegally using licensed equipment, the workers would pull out a non-infringing camera. Cameramen also used non-infringing exteriors but installed infringing mechanisms in the camera."

As this set-to-set combat wore on, theater owners and other independent producers openly rooted for IMP. Once cowed by Edison's operation, now they rushed to buy movies from the defiant company.

"Our business grew by leaps and bounds," recalled one IMP employee, "and where during the previous week we had shipped one program to a city, a week later we were dispatching three, four, and five times that many."

Slowly but surely, the Patents Company discovered that even its deep-pocketed legal department could not afford all the infringement suits that it had launched, especially after the independents began sharing lawyers and pooling the costs of these actions.

For the cartel, "costs of pursuing infringers must have been more than any court-ordered repayment," Staiger notes. "For the independents, fines for patent violation were less than profits from filmmaking."

Demanding recognition

But what ultimately did the Edison monopoly in was the assumption that its legal and technological dominance over the trade, and its moral stance, would trump the public's demand for ever more creative motion pictures. Unlike the independents, the MPPC system did not invest in its network. Consumers would simply have to watch Edison Trust fare, the monopoly's principals figured.

They didn't. Instead, they flocked to Laemmle and his fellow independents' "illegal" movies, which were longer and of better quality. Even the Trust's inner circle knew this. "We... pass on pictures we know will get us nothing but unfavorable comments and cancellations," one confided. "We haven't the power to throw out the distinctly bad pictures, nor the courage, because as poor as they are, they represent a certain sum of money invested in negative production."

Edison and his cohorts never understood that they were involved "in much more than an economic battle to determine who would control the profits of the nascent film industry," Neal Gabler writes. This was a conflict between an older generation of Anglo-Saxon Protestant inventors and a new generation of immigrants.

For the Edison group, the movies "would always be novelties." The possibilities for film had reached a plateau, they thought. They could not be improved, and so the Trust established a business model designed to stabilize profits by limiting the number of players and minimizing risks. Since the cartel charged the same predictable fees for the same number and type of short movies, there was no incentive to innovate, which in any event was seen as unnecessary.

But for the independents, almost all of whom had begun as theater operators, "the movies would always be much more than novelties; they would be the only means available of demanding recognition." Laemmle and his colleagues had everything to gain by making better, more technically daring films, and marketing them in new and original ways.

Thus the Edison Trust was sunk, even before a federal court agreed with prosecutors that the Patents Company and General Film had broken every antitrust principle in the book, "terrorizing exchanges and exhibitors" and driving away competitors by "arbitrary, oppressive, and high-handed methods."

The sage took his defeat like a good sport. He was, after all, still America's beloved inventor. At the end of the conflict, Edison dropped by to dedicate Universal's new all-electric movie studio, now located in a pleasant southern California town called Hollywood.

Take heed, tech giants of today. Some of your companies or services aren't much older than the Edison Trust was when it collapsed. How much of your current business strategy is based on offering new and original products, and how much of it is based on laws, courts, and the fact that you got there first?

"Show me a thoroughly satisfied man and I will show you a failure," Thomas Edison once warned. He ought to know.

Further reading

  • Eileen Bowser, The Transformation of Cinema
  • Neal Gabler, An Empire of Their Own: How the Jews Invented Hollywood
  • Janet Staiger, "Combination and Litigation: Structures of U.S. Film Distribution, 1896-1917," Cinema Journal, Vol. 23, No. 2 (Winter, 1984)
  • Paul Starr, The Creation of the Media


Tags: apple, television. Author: desk@subtraction.com

No one’s happier than I am that Apple hasn’t thrown in the towel with its living room efforts. After much neglect, the new Apple TV, announced today, is a step in the right direction: sleeker in size, more capable in content access, network savvier in its diskless approach to media, and — the clincher — more wallet-friendly at US$99. That’s a winning combination, I think.

On the other hand, this new generation of Apple TV doesn’t appear to do too much more that I can’t already do with the older Apple TV and the Netflix Instant Watch-capable Blu-Ray player that I currently have in my living room. In fact, it’s telling that it’s still called just “Apple TV” without some new suffix indicating that it’s a second generation product. For all intents and purposes, it’s the same as what I already have.

That’s fair. I’ve always thought the core Apple TV feature set makes for a device that can do well in the marketplace, and its new price point and other alterations give it a fighting chance.

However, when rumors of an Apple TV reboot first started gaining momentum, what I hoped for was that Apple would undertake a bigger challenge than just making it a more attractive device for consumers. Much in the same way that they fixed the mobile space with the iPhone, and much in the same way they’re trying to fix the problem of true consumer computing with the iPad, I hoped that they would also try to fix the living room. This is a challenge that I wrote about in a general way a year ago in a blog post called “The Living Room Problem,” but luckily for those reading now, I’m going to revisit those sentiments here.

Oh Wire, Oh Wire Do We Have to Put up with This?

As a consumer experience, the living room is something of a disaster: a sprawling, schizophrenic mess of rat king wires hanging off the back of inscrutable devices sending cryptic signals to one another under the auspices of an alphabet-soup of initialisms and branded nomenclature — HDMI, DVI, component video, Blu-Ray, progressive and interlaced resolutions, Dolby, DTS, etc. — and that’s not even mentioning the terminology that intersects with personal computing.

No one I know thinks this ecosystem is elegant, and only a few people I know really understand how to navigate it. It’s complex and bewildering, and the only way to become acclimated is to throw yourself into the thicket of technical manuals, message boards, customer service calls and afternoons spent in trial-and-error fiddling. So imagine how my child’s babysitter feels when she wants to watch TV after putting the baby to sleep: it’s so bad that she often actually has to read a book instead.

Right: Sleeker, better, cheaper, but about as ambitious as before. The new Apple TV.

On the other hand, let’s say you’ve figured out how to get an XBox 360 or a media PC hooked up to a high-definition television. As far as mastering this collision of advanced technologies goes, you’re doing pretty well. But did you realize that you’re almost behind the curve already? Your HDMI linkups may soon be outdated by the coming HDbaseT standard, and your Blu-Ray player (if you even bothered to upgrade to those discs) may one day be left behind by the forthcoming, even more capacious BDXL.

I’m trying to sound like I know what I’m talking about here, but I really don’t, and that’s the problem. I’ve invested countless hours into jerry-rigging a reasonably usable home theater, but I have to admit that I barely understand how to fix it when something goes wrong. Moreover, the technology keeps changing, and as it does, the problem keeps getting worse. Few enough people understand this stuff now, and I can only guess that even fewer will understand it in five years.

Opportunity Pings

The living room is a technological opportunity rife with potential. It commands so much attention from nearly every family in every first world country and could make a major technology powerhouse out of any brand, new or old, that can truly make it usable.

The problem is that every company out there that’s addressing this opportunity, from Sony to Samsung to even Apple, is actually trying to solve the wrong problem. None of them are really asking how they can fix the living room problem. Rather, they’re focusing on establishing their brand in the living room, positing completely unrealistic scenarios in which a consumer buys only, say, Samsung-branded components (e.g., its absurdly useless WiseLink protocol) without acknowledging the reality that the components of most home theaters make for a decidedly heterogeneous world.

As I wrote in the aforementioned blog post:

“…A rational, user-focused business model is still sorely missing. This is the free market at play, industrial competition in full effect: every device manufacturer, content creator and software publisher is competing to create the most commercially competitive subset of video entertainment or peripheral, but doing so in nearly complete isolation from one another.
“Fundamentally, they’re all incapable of getting on the same page and creating a coherent, consistent, transparent user experience for the teeming masses. In this current state of continual volatility in the business models driving home entertainment, there are so many market-driven, irreconcilable differences between all of the constituent parts of a home theater setup that a resolution to the mess seems discouragingly unobtainable. What’s needed is a consortium or a standards movement or an open source project, but one that spans across the many industries and players that are involved, and that can somehow resolve some of the biggest intellectual property challenges facing media today. Somehow. Design has done what it can for the time being; to get over this hump, it’s a business problem. And, as with almost all unresolved business problems, it’s the end users who suffer.”

I once asked a design consultant who had worked with a lot of companies in this arena, from technology manufacturers to cable providers, what their take on the living room problem was: did they think that we lacked the technology to create a superior user experience that real people can use, or was it that we lacked the will? He prevaricated, but in doing so he essentially gave me his answer: we lack the will. In my opinion, the new Apple TV is a nice product, but it demonstrates to me that Apple also lacks the will to fix the living room.

Tags: clips, keyboard shortcuts, lifehacker video, mac, mac os x, mac tip, organization, shortcuts, window management. Author: Whitson Gordon

Command-Click to Move Background Windows in OS X

If you have a lot of windows open at once, you may find yourself doing a lot of rearranging. If you want to keep an eye on your frontmost window, though, you can move windows without focusing them.
Tags: apple, gadgets, ios4, ipodnano, ipodshuffle, ipodtouch, music, news. Author: chris.foresman@arstechnica.com (Chris Foresman)

Apple held its annual fall media event Wednesday. During the event, Apple CEO Steve Jobs unveiled a new line of iPods, as has become tradition, including a new shuffle, a multitouch-enabled nano, and an A4-powered, FaceTime-compatible iPod touch. The company also revealed details of iOS 4.1 for iPhone and iPod touch, as well as iOS 4.2 for iPad.

iOS updates

Jobs kicked off the event by announcing iOS 4.1. The update addresses a number of bugs that have affected the proximity sensor of the iPhone 4, as well as issues connecting some Bluetooth devices. Jobs said that the update speeds up iOS 4 running on the iPhone 3G, which suffered from sluggish performance for many users.

The update also brings a few new features for iOS 4-compatible devices. Apple added a high dynamic range option to the camera app, which helps address inherent tonal range limitations in the tiny image sensors used in mobile devices. In typical Apple fashion, there's nothing to tweak or adjust; just tap the HDR button in Camera to turn it on. When taking an image, three exposures will automatically be taken and combined to reveal more detail in shadow and highlight areas.

iOS 4.1 also brings the official launch of Apple's Game Center. Game Center is a built-in, systemwide social network for games. Like OpenFeint and Plus+ before it, it offers a centralized place to view achievements and compare scores with other users. It also includes a system to challenge other players in head-to-head competitions.

iOS 4.1 will be a free update made available to all iOS 4 users next week.

Jobs then gave a sneak peek of iOS 4.2, slated for release in November. This version will be the first version of iOS 4.x for the iPad, and will bring all the features that iPhone and iPod touch users have been using since June, as well as the new features of 4.1. It will also bring a couple of long-requested features to the iPad: wireless printing capabilities and AirPlay—wireless streaming of audio, video, and photos.

iPods

After discussing iOS, Jobs moved on to new iPod hardware. First up was a new iPod shuffle. Changing the controversial design of the third-generation shuffle, which removed the physical controls from the device itself, the fourth generation device brings back those original button controls. The new device looks like a smaller second-gen shuffle. Like the third-gen, though, it still has VoiceOver control.

The new iPod shuffle comes in five colors with a 2GB capacity, and sells for $49.

Jobs then unveiled a radically different iPod nano. The company removed the famous click-wheel that has practically defined the iPod since the very first version. Instead, the tiny device is now dominated by a multitouch-enabled screen.

The hardware itself resembles what might happen if an iPod touch and an iPod shuffle made a baby. Like the shuffle, it has an aluminum case and a clip, along with hardware buttons for volume and hold.

The screen features iOS-like icons for all the available features, such as playing music or videos, and makes use of multitouch. One feature uses a two-finger rotate to change the orientation of the screen, useful for when the device is clipped in an awkward orientation.

The new seventh-generation iPod nano comes in seven different colors, including a Product (RED) version. The 8GB model is $149, and a 16GB version goes for $179.

Jobs bragged that the iPod touch outsells portable Nintendo and Sony gaming devices combined, making it the most popular portable gaming device in the world. To "make it even better," said Jobs, Apple made it thinner than the previous version. Despite shaving off size and weight, it also comes equipped with the same high-resolution Retina Display that debuted in the iPhone 4, the same A4 processor in the iPad and iPhone, the gyroscope motion control, and a front-facing camera for FaceTime chatting.

The new iPods are all available next week, though preorders begin today.


Despite hype and promise of virtualization, many companies are avoiding the tech for mission-critical applications. A new survey helps to explain why.
Tags: api, apple, bugs, database, developer, macosx, news, software, update. Author: chris.foresman@arstechnica.com (Chris Foresman)

Delicious Library is, by all accounts, a very successful Mac OS X application. The software has won numerous accolades, including two Apple Design Awards and a Macworld Eddy. Creator Wil Shipley often brags about how much money he makes from sales, and won't hesitate to mention how fun it is to drive the Lotus Elise he bought with profits he's earned.

Despite his bravado, however, Shipley can admit when he makes a mistake. On the release of the 2.5 update to Delicious Library, he told Ars that the ambitious plans for Delicious Library 2.0 ended up producing a finished product that, while beautiful and impressive looking, performed poorly for some users. That's why version 2.5 consists largely of bug fixes and performance enhancements, and instead of adding features takes a few away.

"So, the big realization with 2.0 is that I tried to do too much," Shipley told Ars. "Which is, you know, like being in a job interview and saying your biggest fault is you work too hard. But it turned out to be a big disservice to my customers," he explained.

The original Delicious Library used an XML-based database file to keep track of all your books, CDs, and DVDs. Perhaps its most interesting feature was the ability to use an iSight as an inexpensive barcode scanner. But the XML-based database became a performance issue as collectors with large libraries—the sort that would be heavy users of the software—began cataloging all their media.

For Delicious Library 2, Shipley wanted it to be a "really valuable" update since, as a major version, it would be a paid upgrade. To improve performance, the old database code was stripped out and replaced with new code based on Apple's CoreData APIs. That change alone would be upgrade worthy, since "people with over a couple hundred items could add, remove, or edit an item and it wouldn't take 30 seconds to save—it'd take 0.03 seconds."

But that wasn't all; Shipley also wanted to add whiz-bang new UI graphics and animations made possible with CoreAnimation APIs, as well as improve display performance. "We rewrote the entire display layer, as well, and got it so we could scroll through thousands of items and maintain 20fps or so on any decent hardware," he said. That's a bigger deal than it might sound, though—"it took the entire iPhoto team like three versions before they could handle that many hi-res images," Shipley noted.

So Delicious Library 2 would ship with a whole new back- and front-ends—in effect, it was like a whole new product. But Shipley didn't stop there; instead, DL2 piled on new features, including a whole list of new product categories it could track, like video games, tools, and other items. It also added web exporting with iWeb integration, a companion iPhone app (which was later dropped due to API limitations set by Amazon), library sharing with friends, improved AppleScript support, and more.

The problem is, the sheer number of changes meant potential for bugs and other problems. "Let's say, for instance, 80 percent of these features worked great," Shipley explained. "I'd think, 'Yay, I did good, I added a bunch of great stuff to the new version, it was definitely worth $20 to existing customers.' But, that's not how the customers see it—they see the 20 percent that's buggy, and they think, 'This is crappy… he released software that didn't work.'"

Shipley said there were a variety of reasons that some of the bugs got through testing. For instance, a memory leak in the display of PNG graphics led to major performance hits and eventual crashes for users with thousands of items. Unfortunately, no one expected users with these huge libraries to attempt to publish their collections to the web. "Who has that kind of time? Well, it turns out, die-hard collectors do," Shipley said.

Other problems came from attempting to adopt Apple's latest technologies in Leopard and, later, Snow Leopard. Bugs in the new APIs were reported to Apple in the hope that they would be fixed, but in the interim they sometimes required less-than-ideal workarounds.

Ultimately, however, the user isn't concerned with the causes of bugs, only that they happen. And when the bugs cause problems or crashes, users stop using new features, or the product entirely. "It teaches you shyness—[users] are afraid to try things because the machine will 'punish you,'" Shipley said.

The take-away? "If I'd just cut the flaky features, and only shipped the stuff that was really solid, people would have had a much better impression of the app," Shipley told Ars.

And take away he did. SFTP-based web publishing was removed recently since it relied on an external library produced by someone else, and Shipley couldn't guarantee its performance. For version 2.5, iWeb publishing was removed, since the format Apple uses is private and difficult to reverse engineer. "We thought we had it figured out, but re-publishing something in iWeb would remove all the graphics we added."

In addition, Shipley hired an additional developer, and the pair made it a goal to ramp up performance and eliminate the top 20 bugs. "The decision was, make stuff work or cut it," Shipley said. Those top 20 bugs were responsible for 90 percent of user complaints, he explained.

"Honestly, this should have been done a long time ago," Shipley said. But two major roadblocks prevented that work from happening. First was Snow Leopard, which required a lot of work to keep DL2 compatible. The other was the revised iSight used in newer iMacs released since late 2009. The fixed focus point was different because the screens were so large that users were sitting farther away. But that little change required four to five months of work completely reengineering the barcode scanning algorithms.

Still, the 2.5 update improves performance from ten- to a hundred-fold on large libraries. And, there is an extensive number of bug fixes, from the common to the esoteric. Even better, 2.5 is a free and automatic update for all Delicious Library 2 users.

And, with its main product in a stable form, Shipley's company Delicious Monster is now free to work on new software. While Shipley wouldn't give us any specifics about what he has in store, we do know that it will be something for iOS. Would it include a way to scan or photograph items in your collection to add them to a library? "You might imagine that," Shipley teased cryptically.


Tags: e-books. Author: Richard MacManus

Recently we've been exploring how the book industry is adjusting to electronic books. There are pros and cons to eBooks, but regardless the industry is moving to digital formats fast - even to the point of the Oxford English Dictionary considering not publishing another print edition.

Some book publishers aren't just adjusting to eBooks, they're embracing them with open arms. Moving Tales is one such publisher. It recently released a book as an iPad app, called The Pedlar Lady of Gushing Cross. Moving Tales, as the name implies, is a producer of animated books. It's a mix of movies and books, but does it work?

Moving Tales aims to "bring stories to life," through multimedia features such as 3D animation, music, voice overs, sound effects, alternate views and animation of text "using the iPad's accelerometer." The company also makes use of features native to a tablet-like device, such as page swipe or tap for page turning and what it describes as "extras to ensure no two viewings [are] alike."

The Pedlar Lady is a book about "the journey of a poor pedlar woman who, guided by the shifting line between the real and the unreal, discovers a surprising and wonderful treasure." It costs $4.99 in the App Store.

The story is told almost as if it's an animated film, with voice over and sound effects optionally accompanying the animation. The words are also present, of course, allowing you to read the text sans sound if you prefer.

Novelty, or The Future of eBooks?

The overall effect of The Pedlar is akin to a graphic novel, in that the animation is a core part of the experience.

With traditional works of fiction, the reader uses her imagination to bring the text to 'life.' And that's much of the fun, as anyone who has seen a movie version of a novel before reading the novel will attest. If you see the movie first, when you read the book you then have a set picture in your mind about what the characters look and act like. Whereas if you read the book first, you fill in those details in your own mind - even adding bits of yourself or people you know to the fleshed out characters in your head.

Reading this iPad book took some of that internal magic away from me, but arguably added enough magic of its own to compensate.

So is this the future of eBooks? My answer is that it's one future. There are certain works of fiction that would lend themselves well to animation and sound effects: children's books, poetry books where the poet wants to augment their words with the help of animation, books with strong imagery where animation would enhance the experience (the short stories of Edgar Allan Poe, for example).

Many other books will be best left to the reader's visual imagination, or are simply too wordy or complex to convert into an animated story.

This form of eBook also is very insular, in that it has no social features and no links to external Web content. This perhaps says more about what Apple allows an iPad application to easily do. Still, it's worth noting that eBooks are capable of a much more expansive experience than what Moving Tales presents.

The Pedlar Lady is an impressive eBook though, visually stunning and stylishly delivered. What are your thoughts on animated eBooks? Also let us know in the comments if you've come across similar eBooks - on the iPad, PC, or other devices.

Carl Zeiss has introduced the Distagon T* 1,4/35 wide-angle lens in Canon EF (ZE) and Nikon F (ZF.2) mounts. This manual focus lens, with its large f/1.4 aperture, is made up of 11 elements in 9 groups. With an equivalent focal length of 50mm on APS-C cameras, it can be used on both digital and analog SLRs. Priced at €1649, the lens will be available in the first quarter of 2011.
Tags: it, mac, soapbox, web. Author: majid

One of the greatest features in the Webkit-based browsers (Apple’s Safari and Google Chrome) is WebSQLdatabase, the ability for a web site to store information in a SQLite database on your browser accessible via JavaScript. This allows web developers to build database-enabled applications that run entirely in the browser, without requiring a server. This is very useful for mobile devices, which in the US enjoy flaky network connectivity at best. One very handsome example is the iPad-optimized Every Time Zone webapp.

SQLite is probably the most important open-source project you have never heard of. It is a simple, streamlined and efficient embedded database. Firefox stores its bookmarks in it. Google distributes its database of phishing sites in that format. Sun’s industrial-strength Solaris operating system stores the list of services it runs on boot in it—if it were to fail, a server would be crippled so that is a pretty strong vote of confidence. Adobe Lightroom and Apple’s Aperture use it to store their database, as do most Mac applications that use the CoreData framework, and many iPhone apps. In other words, it is robust and proven mission-critical software that is widely yet invisibly deployed.

WebSQLdatabase basically makes the power of SQLite available to web developers trying to build apps that work offline, specially on mobile devices. No good deed goes unpunished, and the Mozilla foundation teamed up with unlikely bedfellow Microsoft to torpedo formal adoption of WebSQLdatabase as a web standard, on spurious grounds, and pushed an alternate standard called IndexedDB instead. To quote the Chromium team:

Q: Why this over WebSQLDatabase?

A: Microsoft and Mozilla have made it very clear they will not implement SQL in the browser.  If you want to argue this is silly, talk to them, not me.

IndexedDB is several steps backwards. Instead of using powerful, expressive and mature SQL technology, it uses a verbose JavaScript B-tree API that is a throwback to the 1960s bad old days of hierarchical databases and ISAM, and it requires a lot more work from the developer, for no good reason. To add injury to insult, Firefox 4′s implementation of IndexedDB is actually built on top of SQLite. The end result will be that web developers will need to build a SQL emulation library on top of IndexedDB to restore the SQLite functionality deliberately crippled by IndexedDB. If there is one constant in software engineering, it is that multiple layers add brittleness and impair performance.

Of course, both Mozilla and Microsoft are irrelevant on mobiles, where WebKit has essentially won the day, so why should this matter? Microsoft has always been a hindrance to the development of the web, since they have to protect the Windows API from competition by increasingly capable webapps, but I cannot understand Mozilla’s attitude, except possibly knee-jerk not-invented-here syndrome and petulance at being upstaged by WebKit. WebSQLdatabase is not perfect—to reach its full potential, it needs an automatic replication and sync facility between the local database and the website’s own database—but it is light years ahead of IndexedDB in terms of power and productivity.

I am so incensed by Mozilla’s attitude that after 10 years of using Mozilla-based browsers, I switched today from Firefox to Chrome as my primary browser. Migrating was surprisingly easy. Key functionality like bookmark keywords, AdBlock, FlashBlock, a developer console, and the ability to whitelist domains for cookies, all have equivalents on Chrome. The main regressions are bookmark tags, and Chrome’s sync options are not yet equivalent to Weave‘s. At some point I will need to roll my own password syncing facility (Chrome stores its passwords in the OS X keychain, which is also used by Safari and Camino).

Tags: accessories, design, recover, skins. Author: Jeff Carvalho

Selectism - Recover Wooden Skins

With all the focus we have been putting on cases for the digital devices, we may as well share some of the best ’skin’ options around. Recover is one of those options; outfitting wood based skins for the iPad, iPhone and Macbooks. “Recover wooden skins are precision laser-cut from authentic wood veneers. Each unique piece is hand sanded, stained, and lacquered in Recover’s Portland-based woodshop to ensure long lasting beauty and protection.” The real deal and they look great.



© 2010 Selectism for Titel Media. Author: Jeff Carvalho

Tags: gadgets, news, palm, sdk, webos. Author: segphault@arstechnica.com (Ryan Paul)

Palm's webOS smartphone platform introduced some compelling innovations when it was first released in 2009. The next major version of the operating system, which is currently under development, brings some noteworthy feature improvements and new capabilities for developers.

The first beta release of the webOS 2.0 SDK, which was made available this morning, offers developers an early look at some of the new functionality. The new feature lineup includes substantial enhancements to webOS multitasking and support for deeper extensibility in several key components of the platform.

When HP acquired Palm, the PC hardware giant vowed to accelerate the development of Palm's mobile platform and commit resources to bringing it to additional form factors. The new features that are on tap for webOS 2.0 are impressive and reflect positively on the direction that Palm is heading under its new ownership. We discussed the SDK update with Joe Hayashi, Palm's vice president of product management, platform, and tools. He offered some insight into how the new features in the SDK will open up new opportunities for third-party developers who write software for the webOS platform.

Palm has extended the card-based multitasking capabilities of webOS with a new card-stacking feature that will group together related tasks. This will simplify task management and make it easier for users to navigate between applications and individual cards. Hayashi says that it has some similarities with Mozilla's Tab Candy concept, in the sense that it uses grouping to enable task organization. When the user clicks a link in an e-mail, for example, the browser window that opens to load the link will be grouped with the cards for the e-mail message and the e-mail inbox.

Another new feature that will be introduced in 2.0 is the Exhibition display, which is like a docking mode that will trigger when a device is placed on the Touchstone charging station. Exhibition applications are designed to passively display information, which will rotate or stream. The mode is open to developers, which means that third-party applications will be able to supply their own Exhibition interfaces.

Palm is also letting third-party developers extend Synergy, the webOS contact, calendar, and messaging synchronization service. Synergy currently integrates with a number of popular online services and social networks, but there are still many that could be added. New APIs in the webOS 2.0 SDK will allow developers to develop their own Synergy adapters that will work with new kinds of backends.

The webOS global search is also getting an overhaul. It has a new feature called Quick Actions that will allow it to be used as a launcher in addition to a search tool. Developers will be able to define Quick Actions for their own applications and make their application data searchable through the interface. These steps will make the global search feature more like Quicksilver and other keyboard-driven launchers. Palm is branding it as "Just Type" and says that it will support many common operations right out of the box, including sending an e-mail or searching the Web.

One of the most compelling enhancements for developers in webOS 2.0 is the new JavaScript Services system, which is built on Node.js. It will allow developers to write background services for the platform in JavaScript in addition to C. These background services will use JavaScript APIs for native filesystem access, low-level network programming, and other tasks that previously required C or Java on webOS.

Hayashi says that the JavaScript Services system has made it possible for Palm to replace the bits and pieces of remaining Java code in webOS with simpler and more maintainable JavaScript. They were able to drop the need for a Java runtime, thus reducing the overhead of some of the background services. Effectively, developers can now use JavaScript at every level of their application on webOS—for lower-level programming in addition to high-level application development.

Hayashi says that these are the first developer-centric features that Palm will be making available in the webOS SDK. He says that not all of it will be available in this first beta, but more will be coming soon. He also indicated that there will be more user-facing changes coming later. He says that one of the key focuses for webOS 2.0 is to make the platform more accessible to developers, allowing third-parties to add value on top of Palm's technology.

He also stressed that Palm is committed to making it easier for developers to bring their existing skills and Web applications to the platform. An important part of that strategy is to improve the webOS Mojo JavaScript library so that bits and pieces of it can be used more easily with popular third-party libraries such as jQuery.

Developers who want to start working with the new SDK can download it from the Palm Developer Center website.


e-commerce | Marshall Kirkpatrick

What's the best way to do one-time or recurring billing for your online business? That's an important question for the growing legion of independent service providers transitioning countless business transactions onto the web.

That which is most popular may not be the best, but it's a good place to start looking. Popular online invoicing service FreshBooks posted today two pie charts (below) quantifying the most popular services used by FreshBooks customers to bill their clients, both inside and outside the US. PayPal may be the winner in one-time billings, but not by much. In recurring billings, it's not even close to number one.

freshbookschart1

freshbookschart2

This kind of aggregated data analysis sure is interesting, I love this kind of stuff. Imagine what sorts of other charts and graphs could be generated from the data found in other online services. Someone ought to create a consultancy that specializes in helping companies come up with ideas for that, like YCombinator-funded Leftronic does for internal company data.

tools | Jay Cuthrell

Move it to the left. Move it to the right. Move it higher. No, move it lower. Make it Webbish - but not too Webbish.

Have you ever wanted to provide your clients with a visualization of audience browser window sizes that is based in something outside of opinion?

It's one thing to have an opinion on where something should appear in a user interface, but how about some real data and visuals to back up the opinion?

Google Browser Size

If you've had such discussions, this might be a solid justification for loading up your design in Google Browser Size from Google Labs.

Let's take a look at ReadWriteHack as an example:

browsersize.png

First, notice the various contours and labeled percentages. Next, notice the rulers along the sides. You might have already gathered that these contours represent the percentages of Google visitors with a given browser window size, and the rulers are simply the sizes in pixels.

Or, in Google Labs' own words:


The sizes represented in this contour are client area sizes, not browser window sizes. This means they represent the size of the browser without the title bar, toolbars, status bars, etc., and thus give a true representation of how much content can be seen by a particular segment of the Web-using population.

While keeping things above the fold may sound cliché, there is some real science going on here. This can be an effective way to render examples and apply A/B testing as well.

You might say... this looks a lot like Bacolicio.us. Sort of, but in the example below you'll see what makes Google Browser Size different.

Let's add some bacon. Or, better yet, just borrow the concept and code behind Bacolicio.us and combine it with Google Browser Size.

baconbrowsersize.html (this will open in new window i.e. target=_blank)

You'll notice that click-through functionality is lost anywhere the overlay is visible. That's not ideal, so maybe we can get this to work by pasting in the following when we want to quickly test on Google Browser Size.

Now that is a useful line you can paste into your Location bar. More importantly, it's really another way to test your own image overlays. Simply replace the reference to the image above with a URL of your choosing when using Google Browser Size.

browsersize-bacon.png

It's not clear how actively Google Browser Size is being developed, but there is a link requesting feedback. After all, this is Google Labs we're talking about here.

That said, the image used in the overlay might give us a hint. The image is simply named 2009-11-18-day_google_com_100.png, so perhaps the data hasn't been refreshed in about a year. Or perhaps this Google Labs project graduated into Google Analytics.

Adobe has released Photoshop Lightroom 3.2, Camera Raw 6.2 and DNG Converter 6.2. These are final versions of updates that were originally posted as 'release candidates' on the Adobe Labs site, and are now available for immediate download. The latest versions provide final RAW support for sixteen recent cameras, including the Canon EOS 60D and Sony Alpha NEX-5. The updates also add more than 120 lens profiles and fix a number of bugs.

Surveys indicate people think this is a good thing

Humanity is in general genetically predisposed not to take surveys, according to new research. However there exists a proportion of mutant freaks whose genes make them want to respond to surveys.…

TOKYO, August 31, 2010. Canon Inc. announced today that it has successfully developed the world's largest CMOS image sensor, with a chip size measuring 202 x 205 mm. Because its expanded size enables greater light-gathering capability, the sensor is capable of capturing images in one one-hundredth the amount of light required by a professional-model digital SLR camera. At 202 x 205 mm, the newly developed CMOS sensor is among the largest...
air travel airlines flying money saving money top travel | Adam Pash
The Cheapest Time to Book a Flight Is Eight Weeks Before You're Traveling
Economist Makoto Watanabe worked out a formula designed to calculate the best time to buy an airline ticket if you're looking for the lowest prices. The answer, according to his formula: eight weeks before your flight.
Andy Abramson

Google is going after consumers with last week's news that Google Talk can now make calls and bind to Google Voice accounts as well. Skype isn't sitting still: while Google chases the no-money crowd, Skype is following Willie Sutton's line when asked why he robbed banks, "because that's where the money is," as the telecom disruptor goes upmarket and upstream into the business and enterprise realms by renaming Skype for SIP to Skype Connect.

According to today's announcement Skype Connect already has over 2,400 active global customers and is now certified to work with PBX and UC products from Avaya, Cisco, SIPfoundry, ShoreTel and other OEMs. My client's FreeTalk Connect offering is one of them and for small business provides the best option to blend Skype Connect (SIP) and Skype for Asterisk, plus PSTN lines, all in one box. What's more, the PSTN port provides easy access to E911, something that Skype Connect doesn't offer but which other PBX suppliers can.

What's neat here is that Skype Connect also works with older TDM PBXs or key systems, which can now add Skype calling capabilities through third-party IP gateways from AudioCodes, Grandstream and others. Skype has also created Skype Manager, a simple web-based tool that lets IT managers set up Skype Connect and control Skype usage in a company, and has added new dedicated customer support that includes real-time chat, a longstanding obstacle to Skype being totally business friendly.

With Skype Connect they have made their first formal stab into the business community, and clearly thought through the pain points that exist. Now the ball gets passed to the various equipment vendors and manufacturers to better explain why Skype should be in their business, and become their carrier of choice.

infographics | Kevin Hall
Infographic teaches 35 'life hacks' we could all use

This may be the most diverse and useful infographic we've come across in a long while. Ever wonder how to get a job as a beer taster? Rid yourself of acne? Get free porn in a hotel room? It all awaits you!

fiberoptics mathematics news nonlinear ocean optics peregrinesoliton roguewave schrodingersequation science soliton wave | Casey Johnston (casey.johnston@arstechnica.com)

Researchers have finally observed a special type of wave that has eluded experiments for almost 25 years. The Peregrine soliton, a special type of large wave that can retain its size and shape while traveling at a constant speed, has finally been demonstrated using light pulses traveling through fiber optics. Studies of the Peregrine soliton could help us model the rogue waves that can cause sudden disasters in the ocean, and give definite limits for a large class of solutions to the non-linear Schrodinger equation.

In waves and optics parlance, a soliton is a single wave that retains its shape while traveling at a constant speed for significant distances. This type of wave can only happen in certain media, like water, where movement is unrestricted. For example, as a water wave moves, it tends to break and curl forward. But sometimes its forward motion is sufficient that the wave will continually catch itself and can't break, resulting in a soliton.

A Peregrine soliton is a special type of soliton that is very large and isolated compared to its surroundings. Researchers have long thought of the Peregrine soliton as, among other things, a model for rogue waves in the ocean, huge towers of water that come seemingly out of nowhere (though often during storms) and knock over things like cruise ships.

While rogue waves haven't been witnessed too often, they are suspected to be the cause of several freak accidents on the ocean. The sinking of the MS München with all hands during a storm in 1978 is most often attributed to a rogue wave. Another rogue wave 100 feet high hit the Aleutian Ballad during an episode of Deadliest Catch, and a fictionalized rogue wave capsized an ocean liner in the movie Poseidon.

How an enormous wave could arise in often chaotic media like light and water confounded scientists for some time. They worked out the theory that the large wave must be formed as a combination of smaller waves, but it had never been experimentally demonstrated.

To make an artificial Peregrine soliton happen, researchers took a nonlinear fiber optic channel and sent through light waves called "breathers." Breathers are nonlinear waves that have concentrated energy and are either localized in space and oscillate in time, or vice versa.

By timing the size and spacing of the breathers just right, researchers were able to get them to combine into a large, solitary wave—a Peregrine soliton. The scientists also found that waves that were more localized in space and time came together into a Peregrine soliton more easily. This may be the reason that rogue waves are relatively rare and seem to happen more often during storms.

Now that they have proved a Peregrine soliton can be created in the lab, the authors hope that meteorologists will be able to use this information to search for and forecast oceanic rogue waves. As a nice side benefit for mathematicians, many implications of the Peregrine soliton extend to nonlinear math in general. The nature of its formation and dynamics should place limits on a set of solutions to the nonlinear Schrodinger equation.

Nature Physics, 2010. DOI: 10.1038/NPHYS1740  (About DOIs).


Trochej (noreply@blogger.com)
As far as we know, Oracle has stopped developing OpenSolaris in the open. For those of us who would rather have OpenSolaris become a real openly developed operating system, project illumos came to life, thanks to Garrett d'Amore et consortes. On the illumos wiki there is a nice set of instructions for compiling your own post-build-134 illumos source.
Already much work has been put into the source tree to liberate it from its dependency on the /extra repository, and new putbacks arrive all the time.
If you'd like to check it for yourself, here is the link to the How to build illumos guide.
books entertainment funny sciencefiction | Cory Doctorow

Every year, Orbit Books's summer intern conducts a survey of fantasy novel cover-art for the year. This year, Orbit is releasing the data as a series, with commentary. Fascinating stuff: 'We have concrete evidence that the big three fantasy cover clichés ("castles", "glowy magic", and "swords") are in decline. The 50% reduction in castles can only mean one thing.'

The Chart of Fantasy Art, 2009 (via Making Light)

confusing dry drywater grain oxymoron sand science silica water | Casey Chan
There Is Such Thing As Dry Water
Don't ask me what voodoo they used but scientists have created dry water. Well, they originally invented it back in 1968 but they've recently re-discovered it and this time, found an actual use for it.

Peter McGraw, a behavioural economist from Colorado, has a grand unified theory of humour: he calls it the Benign Violation Theory; the gist of it is that, for something to be amusing, it has to involve a violation of norms, albeit one in which nobody is actually harmed.

Every kind of humor McGraw and Warren could think of fit into the BVT. Slapstick worked: Falling down the stairs, a physical violation, is only funny if nobody's actually hurt. A dirty joke trades on moral or social violations, but it's only going to get a laugh if the person listening is liberated enough to consider risqué subjects such as sex benign. Puns can be seen as violations of linguistic norms, though only cerebral types and grammarians care enough about the violation to chuckle.
McGraw believes the BVT may even help explain why, biologically, humans evolved with the ability to laugh. It is clearly a beneficial trait to be able to correctly perceive when a violation is benign and communicate that to others via laughter, he points out. Early humans who were afraid of every apparent violation, real or not, weren't going to last long — nor were those who took one look at a woolly mammoth charging their way and did nothing but bust a gut.
Which more or less makes sense, though McGraw's attempt to explain laughter as a reaction to being tickled by this theory seems to be grasping at straws. (I'd be more inclined to believe that the internal state arising from being tickled is quite different from that arising from perceiving a joke, even though they have the same external symptom.)

A theory of humour I once saw elsewhere suggested that laughter was a reflexive reaction to a frame of reference suddenly and abruptly being changed, and to being suddenly faced with the need to reevaluate an entire story, scene or proposition, especially if it has become more exciting or unusual in doing so. Of course, this is biased towards conceptual humour, such as a told joke in which a sudden wordplay causes the carefully constructed word-picture to come crashing down (take, for example: "When I die, I want to die peacefully in my sleep like my grandfather, not screaming like the passengers in his car"), or else stepping out of the frame and wantonly changing the (implied) terms of reference of the text of the first part of the joke ("What's orange and sounds like a parrot? A carrot"). This act of conceptual violence triggers a minor earthquake in the listener's mind, which manifests itself as laughter (or a groan of disapproval if they've heard the joke before). Slapstick (and the bodily-function gross-out gags on which current Hollywood comedies are founded) are basically this for people who'd rather not mess with ideas. But both seem to be encompassed by the benign-violation framework.

Of course, the benignness is a negotiable point. One can tell a joke in which people die horribly (or worse), if the people are clearly hypothetical, stuffed straw dummies whose only purpose is to be sacrificed in a joke. Among bigots, jokes at the expense of out-groups also work because, by being dehumanised, the outgroup don't count as actual people. (A popularly tolerated echo of this are things like lawyer jokes, because nobody really believes in the possibility of exterminating all members of a profession.)

(via MeFi) behavioural economics, humour, psychology

action book copyfight happymutants politics technology webtheory | Cory Doctorow

Rogue archivist Carl Malamud's 10 Rules for Radicals is the transcript of his keynote at the 19th World Wide Web Consortium conference in 2010. It's a thrilling and often hilarious account of his adventures in liberating different kinds of information and networks from various bureaucracies in his storied and exciting career. Malamud has instigated the liberation of American law, the Blue Book describing the workings of the telephone system, the EDGAR database, the video archives of the National Technical Information Service, and many others. On the way, Malamud boils his experience down to ten amusing and useful rules for people who want to do the same work, including "When the authorities fire the starting gun [and authorize the experimental liberation of some data], run as fast as you can, so when they get that queasy feeling in their stomach and have second thoughts, it is too late to stop," and "Get standing: one can criticize government all one wants, and they'll often ignore you. But, if there is something clearly wrong and against the law and you can document that malfeasance and wrongdoing, they have to talk to you. If you have standing, you can insist."

It's all so engagingly written, and so useful, that it is truly a must-read for anyone interested in the history or future of universal access, open networks and free societies.

10 Rules for Radicals (Thanks, Carl!)

Piping logs to syslog is pretty useful for automating log rotation and forwarding lots of different logs to a central log server.

To that end, the command-line utility ‘logger’ is handy for piping output from utilities like pg_standby into syslog without having to add syslogging code to the utility itself. Another plus is that logger ships by default with modern syslog packages.

Here’s an easy way to implement this:


restore_command = 'pg_standby -d -s 2 -t /pgdata/trigger /shared/wal_archive/ %f %p %r 2>&1 | logger -p local3.info -t pgstandby'
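Getting the redirect right (`2>&1`, not `2&>1`, which sends stdout and stderr to a file literally named `1` and passes `2` to pg_standby as an argument) is only half the job. PostgreSQL runs restore_command through /bin/sh, and in POSIX sh the exit status of `a | b` is b's status. logger exits 0 whether or not pg_standby found the segment, so the server is told that every restore succeeded: it cannot tell a missing WAL file from a restored one, and the non-zero status that ends recovery once the trigger file appears never reaches it. POSIX sh has no `pipefail`. The wrapper below, written for this page as an added example (it is not from the original post), keeps the logger pipe but carries pg_standby's own status out of the pipeline through a temp file. The script path /usr/local/bin/pg_standby_logged, the LOG_SINK override and the function name are my assumptions; the pg_standby options are the ones from the line above.

```sh
#!/bin/sh
# pg_standby_logged: hypothetical restore_command wrapper (added example).
# Assumed use in recovery.conf:
#   restore_command = '/usr/local/bin/pg_standby_logged %f %p %r'
#
# A bare `pg_standby ... 2>&1 | logger` returns logger's exit status, so
# PostgreSQL never learns that pg_standby failed or that the trigger file
# fired. Plain sh has no `pipefail`; the status is written to a temp file
# inside the pipeline and read back afterwards.

# Where the output goes. Overridable (e.g. LOG_SINK=cat) for offline testing.
LOG_SINK="${LOG_SINK:-logger -p local3.info -t pgstandby}"

# run_logged CMD [ARGS...]: run CMD with stdout+stderr piped into $LOG_SINK,
# then return CMD's own exit status instead of the sink's.
run_logged() {
    status_file=$(mktemp) || return 1
    {
        # The `if` keeps a non-zero status from tripping `set -e` in the
        # pipeline subshell; in the else branch $? is still CMD's status.
        if "$@" 2>&1; then
            echo 0 >"$status_file"
        else
            echo "$?" >"$status_file"
        fi
    } | $LOG_SINK
    rc=$(cat "$status_file")
    rm -f "$status_file"
    [ -n "$rc" ] || rc=1    # nothing recorded: treat as failure
    return "$rc"
}

# pg_standby options as in the post; PostgreSQL appends %f %p %r.
if [ "$#" -gt 0 ]; then
    run_logged pg_standby -d -s 2 -t /pgdata/trigger /shared/wal_archive/ "$@"
fi
```

Before relying on it, point the wrapper at a segment name that is not in the archive and confirm that the server reports the failed restore rather than continuing as if the file had arrived; that is the case the bare pipeline gets wrong.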


reviews | Mark Frauenfelder
Img 3571

In 1998, Eberhard Faber stopped making the Blackwing 602 pencil, and its cult users have been pining for them ever since. An unsharpened Blackwing can sell for $40 on eBay. One person told me his eBay auction for a box of Blackwings went to a "song writer/composer who's worked with Barry Manilow and on feature films, and chooses to only write music using the Blackwing 602."

Today I received in the mail two pre-production Palomino Blackwing pencils, made by California Cedar. Keeping in mind these are pre-production pencils, here are my impressions after using the pencil for a few minutes.

More photos and notes after the jump (click images to embiggen).

APPEARANCE

Img 3570

• The color of the new Blackwing (NB) is flat black. The color of the original Blackwing (OB) is a lustrous charcoal gray.

• NB has a gold band painted near the top of the wood, OB does not.

• OB has a black band painted on the ferrule, NB does not.


Img 3574

• OB has stamped motto HALF THE PRESSURE, TWICE THE SPEED, NB does not.

• OB has pink eraser, NB has white eraser.

SMELL OF WOOD

• NB has a stronger, spicy smell. Reminded me of Indian food. Not unpleasant. OB's smell is faint, but this could be due to its age (at least 2 years old).

PENCIL LEAD TEST (preliminary)

Img 3575

• NB is softer and darker than OB.

• NB is quieter on the paper.

• OB holds a point longer than NB.

• I also compared the OB and NB to a Palomino HB, one of my favorite pencils. The Palomino actually seems closer to the OB than the NB does!

• A cheap pencil I found in my daughter's desk was so close in quality to the OB, NB, and Palomino HB that I found myself wondering why I was caring so darn much about pencils.

PRELIMINARY CONCLUSION

I like the OB for sentimental reasons. If the NB ends up looking almost exactly like the OB and costs under $2.00, I will buy it. Otherwise I will use any HB that ends up in my hand.

Here are some photos comparing the different pencil leads I tried:

Img 3578

Img 3581

Img 3582

accessories bags chrome messenger | Jeff Carvalho

Selectism - Chrome Anniversary Messenger Bag

It has been 15 years! Chrome Bags have come a long way from their early beginnings. Today they celebrate their short (but going for the long) legacy with a special all black make-up of their messenger. All the expected details that make Chrome bags what they are are included. The special brand tag is great as well. Concepts has them.

More looks at the Chrome Anniversary Messenger Bag after the click.


amazon cloud data center ec2 enterprise software grid multicore platforms saas services | smoothspan

My head is starting to hurt with all the back and forth among my Enterprise Irregulars buddies about the relationships between the complex concepts of Multitenancy, Private, and Public Clouds.  A set of disjoint conversations and posts came together like the whirlpool in the bottom of a tub when it drains.  I was busy with other things and didn’t get a chance to really respond until I was well and truly sucked into the vortex.  Apologies for the long post, but so many wonderful cans of worms finally got opened that I just have to try to deal with a few of them.  That’s why I love these Irregulars!

To start, let me rehash some of the many memes that had me preparing to respond:

Josh Greenbaum’s assertion that Multitenancy is a Vendor, not a Customer Issue.  This post includes some choice observations like:

While the benefits that multi-tenancy can provide are manifold for the vendor, these rationales don’t hold water on the user side.

That is not to say that customers can’t benefit from multi-tenancy. They can, but the effects of multi-tenancy for users are side-benefits, subordinate to the vendors’ benefits. This means, IMO, that a customer that looks at multi-tenancy as a key criteria for acquiring a new piece of functionality is basing their decision on factors that are not directly relevant to their TCO, all other factors being equal.

and:

Multi-tenancy promises to age gracelessly as this market matures.

Not to mention:

Most of the main benefits of multi-tenancy – every customer is on the same version and is updated simultaneously, in particular – are vendor benefits that don’t intrinsically benefit customers directly.

The implication being that someone somewhere will very soon provide an alternate technology that works as well as or better than multitenancy.  Wow.  Lots to disagree with there.  My ears are still ringing from the sound of the steel gauntlet that was thrown down.

-  Phil Wainewright took a little of the edge off my ire with his response post to Josh, “Single Tenancy, the DEC Rainbow of SaaS.”  Basically, Phil says that any would-be SaaS vendor trying to create an offering without multitenancy is doomed as the DEC Rainbow was.  They have something that sort of walks and quacks like a SaaS offering but that can’t really deliver the goods.

-  Well of course Josh had to respond with a post that ends with:

I think the pricing and services pressure of the multi-tenant vendors will force single-tenant vendors to make their offerings as compatible as possible. But as long as they are compatible with the promises of multi-tenancy, they don’t need to actually be multi-tenant to compete in the market.

That’s kind of like saying, “I’m right so long as nothing happens to make me wrong.”  Where are the facts that show this counter case is anything beyond imagination?  Who has built a SaaS application that does not include multitenancy but that delivers all the benefits?

Meanwhile back at the ranch (we EI’s need a colorful name for our private community where the feathers really start to fly as we chew the bones of some good debates), still more fascinating points and counterpoints were being made as the topic of public vs private clouds came up (paraphrasing):

-  Is there any value in private clouds?

-  Do public clouds result in less lock-in than private clouds?

-  Are private clouds and single tenant (sic) SaaS apps just Old School vendors’ attempts to hang on while the New Era dawns?  Attempts that will ultimately prove terribly flawed?

-  Can the economics of private clouds ever compete with public?

-  BTW, eBay now uses Amazon for “burst” loads and purchases servers for a few hours at a time on their peak periods.  Cool!

-  Companies like Eucalyptus and Nimbula are trying to make Private Clouds that are completely fungible with Public Clouds.  Believing in private cloud frameworks like these means you have to believe companies are going to be running / owning their own servers for a long time to come even if the public cloud guys take over a number of compute workloads.  The Nimbula guys built EC2 and they’re no dummies, so if they believe in this, there must be something to it.

-  There are two kinds of clouds – real and virtual.  Real clouds are multi-tenant. Virtual clouds are not. Virtualization is an amazing technology but it can’t compete with bottoms up multi-tenant platforms and apps.

Stop!  Let me off this merry go-round and let’s talk.

What It Is and Why Multitenancy Matters

Sorry Josh, but Multitenancy isn’t marketing like Intel Inside (BTW, do you notice Intel wound up everywhere anyway?  That wasn’t marketing either), and it matters to more than just vendors.  Why?

Push aside all of the partisan definitions of multitenancy (all your customers go in the same table or not).   Let’s look at the fundamental difference between virtualization and multitenancy, since these two seem to be fighting it out.

Virtualization takes multiple copies of your entire software stack and lets them coexist on the same machine.  Whereas before you had one OS, one DB, and one copy of your app, now you may have 10 of each.  Each of the 10 may be a different version entirely.  Each may be a different customer entirely, as they share a machine.  For each of them, life is just like they had their own dedicated server.  Cool.  No wonder VMWare is so successful.  That’s a handy thing to do.

Multitenancy is a little different.  Instead of 10 copies of the OS, 10 copies of the DB, and 10 copies of the app, it has 1 OS, 1 DB, and 1 app on the server.  But, through judicious modifications to the app, it allows those 10 customers to all peacefully coexist within the app just as though they had it entirely to themselves.

Can you see the pros and cons of each?  Let’s start with cost.  Every SaaS vendor that has multitenancy crows about this, because it’s true.  Don’t believe me?  Plug in your VM software, go install Oracle 10 times across 10 different virtual machines.  Now add up how much disk space that uses, how much RAM it uses when all 10 are running, and so on.  This is before you’ve put a single byte of information into Oracle or even started up an app.  Compare that to having installed 1 copy of Oracle on a machine, but not putting any data into it.  Dang!  That VM has used up a heck of a lot of resources before I even get started!

If you don’t think that the overhead of 10 copies of the stack has an impact on TCO, you either have in mind a very interesting application + customer combination (some do exist, and I have written about them), or you just don’t understand.  10x the hardware to handle the “before you put in data” requirements is not cheap.  Whatever overhead is involved in making that more cumbersome to automate is not cheap.  Heck, 10x more Oracle licenses is very not cheap.  I know SaaS companies who complain their single biggest ops cost is their Oracle licenses.

However, if all works well, that’s a fixed cost to have all those copies, and you can start adding data by customers to each virtual Oracle, and things will be okay from that point on.  But, take my word for it, there is no free lunch.  The VM world will be slower and less nimble to share resources between the different Virtual Machines than a Multitenant App can be.  The reason is that by the time it knows it even needs to share, it is too late.  Shifting things around to take resource from one VM and give it to another takes time.  By contrast, the Multitenant App knows what is going on inside the App because it is the App.  It can even anticipate needs (e.g. that customer is in UK and they’re going to wake up x hours before my customers in the US, so I will put them on the same machine because they mostly use the machine at different times).

So, no, there is not some magic technology that will make multitenant obsolete.  There may be some new marketing label on some technology that makes multitenancy automatic and implicit, but if it does what I describe, it is multitenant.  It will age gracefully for a long time to come despite the indignities that petty competition and marketing labels will bring to bear on it.

What’s the Relationship of Clouds and Multitenancy?

Must Real Clouds be Multitenant?

Sorry, but Real Clouds are not Multitenant because they’re based on Virtualization, not Multitenancy in any sense such as I just defined.  In fact, EC2 doesn’t share a core with multiple virtual machines because it can’t.  If one of the VMs started sucking up all the cycles, the other would suffer terrible performance and the hypervisors don’t really have a way to deal with that.  Imagine having to shut down one of the virtual machines and move it onto other hardware to load balance.  That’s not a simple or fast operation.  Multi-tasking operating systems expect a context switch to be as fast as possible, and that’s what we’re talking about.  That’s part of what I mean by the VM solution being less nimble.  So instead, cores get allocated to a particular VM.  That doesn’t mean a server can’t have multiple tenants, just that at the granularity of a core, things have to be kept clean and not dynamically moved around.

Note to rocket scientists and entrepreneurs out there–if you could create a new hardware architecture that was really fast at the Virtual Machine load balancing, you would have a winner.  So far, there is no good hardware architecture to facilitate a tenant swap inside a core at a seamless enough granularity to allow the sharing.  In the Multicore Era, this would be the Killer Architecture for Cloud Computing.  If you get all the right patents, you’ll be rich and Intel will be sad.  OTOH, if Intel and VMWare got their heads together and figured it out, it would be like ole Jack Burton said, “You can go off and rule the universe from beyond the grave.”

But, it isn’t quite so black and white.  While EC2 is not multitenant at the core level, it sort of is at the server level as we discussed.  And, services like S3 are multitenant through and through.  Should we cut them some slack?  In a word, “No.”  Even though an awful lot of the overall stack cost (network, cpu, and storage) is pretty well multitenant, I still wind up installing those 10 copies of Oracle and I still have the same economic disadvantage as the VM scenario.  Multitenancy is an Application characteristic, or at the very least, a deep platform characteristic.  If I build my app on Force.com, it is automatically multitenant.  If I build it on Amazon Web Services, it is not automatic.

But isn’t there Any Multitenant-like Advantage to the Cloud?  And how do Public and Private Compare?

Yes, there are tons of benefits to the Cloud, and through an understanding and definition of them, we will tease out the relationship of Public and Private Clouds.  Let me explain…

There are two primary advantages to the Cloud:  it is a Software Service and it is Elastic.  If you don’t have those advantages, you don’t have a Cloud.  Let’s drill down.

The Cloud is a Software Service, first and foremost.  I can spin up and control a server entirely through a set of API’s.  I never have to go into a Data Center cage.  I never have to ask someone at the Data Center to go into the Cage (though that would be a Service, just not a Software Service, an important distinction).  This is powerful for basically the same reasons that SaaS is powerful versus doing it yourself with On-prem software.  Think Cloud = SaaS and Data Center = On Prem and extrapolate and you’ll have it. 

Since Cloud is a standardized service, we expect all the same benefits as SaaS:

- They know their service better than I do since it is their whole business.  So I should expect they will run it better and more efficiently.

- Upgrades to that service are transparent and painless (try that on your own data center, buddy!).

- When one customer has a problem, the Service knows and often fixes it before the others even know it exists.  Yes Josh, there is value in SaaS running everyone on the same release.  I surveyed Tech Support managers one time and asked them one simple question:  How many open problems in your trouble ticketing system are fixed in the current release?  The answers were astounding–40 to 80%.  Imagine a world where your customers see 40 to 80% fewer problems.  It’s a good thing!

- That service has economic buying power that you don’t have because it is aggregated across many customers.  They can get better deals on their hardware and order so much of it that the world will build it precisely to their specs.  They can get stuff you can’t, and they can invest in R&D you can’t.  Again, because it is aggregated across many customers.  A Startup running in the Amazon Cloud can have multiple redundant data centers on multiple continents.  Most SaaS companies don’t get to building multiple data centers until they are way past having gone public.

-  Because it is a Software Service, you can invest your Ops time in automation, rather than in crawling around Data Center cages.  You don’t need to hire anyone who knows how to hot swap a disk or take a backup.  You need peeps who know how to write automation scripts.  Those scripts are a leveragable asset that will permanently lower your costs in a dramatic way.  You have reallocated your costs from basic Data Center grubbing around (where does this patch cable go, Bruce?), an expense, to actually building an asset.

The list goes on.

The second benefit is Elasticity.  It’s another form of aggregation benefit.  They have spare capacity because everyone doesn’t use all the hardware all the time.  Whatever % isn’t utilized, it is a large amount of hardware, because it is aggregated.  It’s more than you can afford to have sitting around idle in your own data center.  Because of that, they don’t have to sell it to you in perpetuity.  You can rent it as you need it, just like eBay does for bursting.  There are tons of new operational strategies that are suddenly available to you by taking advantage of Elasticity.

Let me give you just one.  For SaaS companies, it is really easy to do Beta Tests.  You don’t have to buy 2x the hardware in perpetuity.  You just need to rent it for the duration of the Beta Test and every single customer can access their instance with their data to their heart’s content.  Trust me, they will like that.

What about Public Versus Private Clouds?

Hang on, we’re almost there, and it seems like it has been a worthwhile journey.

Start with, “What’s a Private Cloud?”  Let’s take all the technology of a Public Cloud (heck, the Nimbulla guys built EC2, so they know how to do this), and create a Private Cloud.  The Private Cloud is one restricted to a single customer.  It’d be kind of like taking a copy of Salesforce.com’s software, and installing it at Citibank for their private use.  Multitenant with only one tenant.  Do you hear the sound of one hand clapping yet?  Yep, it hurts my head too, just thinking about it.  But we must.

Pawing through the various advantages we’ve discussed for the Cloud, there are still some that accrue to a Cloud of One Customer:

-  It is still a Software Service that we can control via API’s, so we can invest in Ops Automation.  In a sense, you can spin up a new Virtual Data Center (I like that word better than Private Cloud, because it’s closer to the truth) on 10 minutes notice.  No waiting for servers to be shipped.  No uncrating and testing.  No shoving into racks and connecting cables.  Push a button, get a Data Center.

-  You get the buying power advantages of the Cloud Vendor if they supply your Private Cloud, though not if you buy software and build your Private Cloud.  Hmmm, wonder what terminology is needed to make that distinction?  Forrester says it’s either a Private Cloud (company owns their own Cloud) or a Hosted Virtual Private Cloud.  Cumbersome.

But, and this is a huge one, the granularity is huge, and there is way less Elasticity.  Sure, you can spin up a Data Center, but depending on its size, it’s a much bigger on/off switch.  You likely will have to commit to buy more capacity for a longer time at a bigger price in order for the Cloud Provider to recoup giving you so much more control.  They have to clear other customers away from a larger security zone before you can occupy it, instead of letting your VMs commingle with other VMs on the same box.  You may lose the more multitenant-like advantages of the storage cluster and the network infrastructure (remember, only EC2 was stuck being pure virtual).

What Does it All Mean, and What Should My Company Do?

Did you see Forrester’s conclusion that most companies are not yet ready to embrace the Cloud and won’t be for a long time?

I love the way Big Organizations think about things (not!).  Since their goal is preservation of wealth and status, it’s all about risk mitigation whether that is risk to the org or to the individual career.  A common strategy is to take some revolutionary thing (like SaaS, Multitenancy, or the Cloud), and break it down into costs and benefits.  Further, there needs to be a phased modular approach that over time, captures all the benefits with as little cost as possible.  And each phase has to have a defined completion so we can stop, evaluate whether we succeeded, celebrate the success, punish those who didn’t play the politics well enough, check in with stakeholders, and sing that Big Company Round of Kumbaya.  Yay!

In this case, we have a 5 year plan for CIO’s.  Do you remember anything else, maybe from the Cold War, that used to work on 5 year plans?  Never mind.

It asserts that before you are ready for the Cloud, you have to cross some of those modular hurdles:

A company will need a standardized operating procedure, fully-automated deployment and management (to avoid human error) and self-service access for developers. It will also need each of its business divisions – finance, HR, engineering, etc – to be sharing the same infrastructure.  In fact, there are four evolutionary stages that it takes to get there, starting with an acclimation stage where users are getting used to and comfortable with online apps, working to convince leaders of the various business divisions to be guinea pigs. Beyond that, there’s the rollout itself and then the optimization to fine-tune it.

Holy CYA, Batman!  Do you think eBay spent 5 years figuring out whether it could benefit from bursting to the Cloud before it just did it?

There’s a part of me that says if your IT org is so behind the times it needs 5 years just to understand it all, then you should quit doing anything on-premise and get it all into the hands of SaaS vendors.  They’re already so far beyond you that they must have a huge advantage.  There is another part that says, “Gee guys, you don’t have to be able to build an automobile factory as good as Toyota to be able to drive a car.”

But then sanity and Political Correctness prevail, I come back down to Earth, and I realize we are ready to summarize.  There are 4 levels of Cloud Maturity (Hey, I know the Big Co IT Guys are feeling more comfortable already, they can deal with a Capability and Maturity Model, right?):

Level 1:  Dabbling.  You are using some Virtualization or Cloud technology a little bit at your org in order to learn.  You now know what a Machine Image is, and you have at least seen a server that can run them and swapped a few in and out so that you experience the pleasures of doing amazing things without crawling around the Data Center Cage.

Level 2:  Private Cloud.  You were impressed enough by Level 1 that you want the benefits of Cloud Technology for as much of your operation as you can as fast as you can get it.  But, you are not yet ready to relinquish much of any control.  For Early Level 2, you may very well insist on a Private Cloud you own entirely.  Later stage Level 2 and you will seek a Hosted Virtual Private Cloud.

Level 3:  Public Cloud.  This has been cool, but you are ready to embrace Elasticity.  You tripped into it with a little bit of Bursting like eBay, but you are gradually realizing that the latency between your Data Center and the Cloud is really painful.  To fix that, you went to a Hosted Virtual Private Cloud.  Now that your data is in that Cloud and Bursting works well, you are realizing that the data is already stepping outside your Private Cloud pretty often anyway.  And you’ve had to come to terms with it.  So why not go the rest of the way and pick up some Elasticity?

Level 4:  SaaS Multitenant.  Eventually, you conclude that you’re still micromanaging your software too much and it isn’t adding any value unique to your organization.  Plus, most of the software you can buy and run in your Public Cloud world is pretty darned antiquated anyway.  It hasn’t been rearchitected since the late ’80s and early ’90s.  Not really.  What would an app look like if it was built from the ground up to live in the Cloud, to connect Customers the way the Internet has been going, to be Social, to do all the rest?  Welcome to SaaS Multitenant.  Now you can finally get completely out of Software Operations and start delivering value.

BTW, you don’t have to take the levels one at a time.  It will cost you a lot more and be a lot more painful if you do.  That’s my problem with the Forrester analysis.  Pick the level that is as far along as you can possibly stomach, add one to that, and go.  Ironically, not only is it cheaper to go directly to the end game, but each level is cheaper for you on a wide scale usage basis all by itself.  In other words, it’s cheaper for you to do Public Cloud than Private Cloud.  And it’s WAY cheaper to go Public Cloud than to try Private Cloud for a time and then go Public Cloud.  Switching to a SaaS Multitenant app is cheaper still.

Welcome to the crazy world of learning how to work and play well together when efficiently sharing your computing resources with friends and strangers!


Tags: scriptkiddies, technology
By Rob Beschizza

Microsoft.com is attacked "between 7000 and 9000 times per second" by script kiddies. [ZDNet]

Tags: front page, webkit
By Brad Neuberg

I stumbled across http://webkit.org/specs recently, which is basically a nifty listing of all custom extensions Apple/Webkit has made to web specs, written up as specs themselves so that other browsers can implement them:

There were some on here that I had never even heard of. The first is the Timed Media Elements spec, which is a fancy name for basically CSS that can control playback of video and audio:

CSS:
myVideo {
  media-play-state: paused; /* Pause the video. */
  media-play-rate: 50%; /* Play at half speed. */
  media-loop-count: 2;
}

Another interesting spec contains extensions to CSS Media Queries, basically making it possible for user agents to query whether CSS Transforms, Animations, 3D Transforms, and Transitions are available so you can apply different style sheets for platforms that support these CSS effects:

HTML:
<link rel="stylesheet" media="screen and (transform-2d)" />
Daniel Bogan

Salvatore Sanfilippo

Who are you, and what do you do?

Hello! I'm Salvatore Sanfilippo, 33, and I'm a programmer working for VMware developing Redis, a NoSQL open source database. In my past life I was a computer security guy developing HPing and researching TCP/IP vulnerabilities.

What hardware are you using?

I mostly use the following three computers:

A Macbook Pro 13" running Mac OS X, as my desktop and primary development computer. No additional monitors or keyboards; I'm fine with the 13" display.

A Linux Ubuntu system running on a Dell T3500 with 24 GB of RAM. Most of the time I use this other computer over ssh.

An iPhone 3G with a flat internet plan.

And what software?

Development tools: zsh, vim, git.

Clients: Google Chrome, Adium, TweetDeck, uTorrent, Colloquy.

Web applications: Gmail, Github, Flickr, search.twitter.com.

My search engine is currently duck duck go, using !google very often when the result page I get via DDG is not what I expected.

Backups: Time Machine.

In the past my desktop was running Linux as well, I used fvwm2, for more than 10 years, with this minimalistic setup. Now I miss it a bit... but switched to Mac OS as it delivers a much better "just works" experience for me, every time I want to do Skype, print a document, or alike.

What would be your dream setup?

For me user experience is all about speed. I love 2D-game-like interfaces where you click and things appear with zero delay (do you remember Fast Tracker?). Everything should be instantaneous: loading web pages, checking the email, compiling code, and so forth. With simple graphics.

I would love a much faster gmail client: a resident client similar to the current web interface but with vi / emacs bindings, and zero latency.

I hope to get an SSD disk ASAP in order to improve my MacBook Pro latency. What I don't like is that MacBooks with smaller displays have slower CPUs and less memory; I want a 13" computer with tons of speed (this is possibly hard for battery size concerns).

I'm looking for a search engine designed for skilled users, I hate that Google is starting to abandon the "strictly AND" approach. If I search for "foo bla zap" I want to get pages where foo AND bla AND zap are present.

I wish browsers had a better way to handle bookmarks, much more similar to delicious, but resident (I know you can use tags with new browsers, but the bookmarking experience for me is a pain with the current interface provided by Chrome/Firefox).

I would love the ability to transfer all the context of a computer I'm using into another computer in a matter of seconds. Time Machine makes this feasible on hardware upgrades, but we are nowhere near an experience where switching device will lead to the same environment, applications, user data. Computers should be just like "white" devices where you load your environment. Web apps are fixing this in some way but at the cost of more latency.

Tags: how to
By Abraham Hyatt

If there's a workplace environment that's as casual as the tech world, it's Hollywood. And in that informal setting, Paul Feig is an anachronism. Every day, the director of TV shows like Freaks and Geeks and The Office wears a suit and tie to work.

Last week Put This On ("a Web series about dressing like a grownup") interviewed Feig, and his answer to the question "Why a suit?" is applicable to anyone who's sitting down for a job interview: It's about projecting competence and a sense of power.


Feig was a T-shirt-and-jeans guy up until he created the acclaimed Freaks and Geeks. It was around that time that he realized that in meetings with studio executives, the casually dressed people were being pigeonholed.

"I always hated the feeling of being identifiable as the creative type in the room. They would always sit you on a couch that was lower than everybody else," he said. "I didn't like the power dynamic of it."

The show's host, Jesse Thorn, acknowledges that a suit isn't always the best option for an interview.

You're not necessarily dressing to be the best dressed guy in the room, you're dressing to project competence, he says. And that can take various forms: "If you're interviewing to be an ad creative, it's not the time to wear your funniest T-shirt, it's probably the day to wear your simplest."

But there's no denying that when you dress in a suit, you're going to project confidence.

"Somehow getting ready this way and being dressed up makes you feel... It's like when I look at the president, I think, 'The president looks like he's in charge - he's wearing a suit and tie,'" Feig says.

Photo by Martin Boulanger

Tags: avc, h264, licensing, media, mpegla, news, onlinevideo, patents, web
By chris.foresman@arstechnica.com (Chris Foresman)

The MPEG Licensing Association—the group responsible for handling the necessary patent licensing for use of MPEG video codec standards—has announced that it will not charge royalties for AVC/H.264 encoded video that is made available to view via the Internet for free. The group earlier this year had extended its limited moratorium on licensing fees for free Internet video until the end of 2015.

Today's announcement by the MPEG LA extends the time period of the moratorium for the life of its "AVC Patent Portfolio License," effectively making free-to-view H.264 encoded video royalty-free indefinitely. The MPEG LA noted that licensing fees will still be in effect for video that consumers pay for, such as AVC-encoded Blu-ray discs, on demand services like Hulu+, and pay-to-download services like iTunes.

The move to effectively eliminate licensing fees for free Internet video is likely an effort to prevent Google's new WebM standard, built with technology it gained from acquiring On2 last year, from gaining any serious traction as a de facto Web standard for video. Despite Google's backing and support planned for Chrome, Firefox, and Opera browsers, the MPEG LA has suggested that the VP8 codec used by WebM is likely covered by patents held by its member companies. If WebM does prove to be encumbered by the same patents as H.264, which is already widely used for online video, there would be little reason to switch away from H.264 in its favor.


The idea of the day ain't directly from me, I'm just helping with a very thin subpart of the problem. The problem, I can't say much about; let's just assume you want to reduce the storage of MD5 in your database, so you want to abuse bit strings. A solution using them works fine, but the datatype is still missing some facilities, for example going from and to hexadecimal representation in text.

create or replace function hex_to_varbit(h text)
 returns varbit
 language sql
as $$
  select ('X' || $1)::varbit;
$$;

create or replace function varbit_to_hex(b varbit)
 returns text
 language sql
as $$
  -- slice the bit string into 32-bit words, left to right, and hex-encode each one;
  -- lpad() restores the leading zeros that to_hex() drops, and the aggregate
  -- ORDER BY keeps the words in position (PostgreSQL 9.0+ syntax)
  select array_to_string(array_agg(lpad(to_hex((b << (32*o))::bit(32)::bigint), 8, '0') order by o), '')
    from (select b, generate_series(0, n-1) as o
            from (select $1, octet_length($1)/4) as t(b, n)) as x
$$;

To understand the magic in the second function, let's walk through the tests one could do to grasp how things work in the bitstring world (along with some reading of the fine documentation).

=# select ('101011001011100110010110'::varbit << 0)::bit(8);
   bit
----------
 10101100
(1 row)

=# select ('101011001011100110010110'::varbit << 8)::bit(8);
   bit
----------
 10111001
(1 row)

=# select ('101011001011100110010110'::varbit << 16)::bit(8);
   bit
----------
 10010110
(1 row)

=# select * from *TEMP VERSION OF THE FUNCTION FOR TESTING*
 o |                b                 |    x
---+----------------------------------+----------
 0 | 10101100101111010001100011011011 | acbd18db
 1 | 01001100110000101111100001011100 | 4cc2f85c
 2 | 11101101111011110110010101001111 | edef654f
 3 | 11001100110001001010010011011000 | ccc4a4d8
(4 rows)

What do we get from that, you will ask? Let's see a little example:

=# select hex_to_varbit(md5('foo'));
                                                          hex_to_varbit
----------------------------------------------------------------------------------------------------------------------------------
 10101100101111010001100011011011010011001100001011111000010111001110110111101111011001010100111111001100110001001010010011011000
(1 row)

=# select md5('foo'), varbit_to_hex(hex_to_varbit(md5('foo')));
               md5                |          varbit_to_hex
----------------------------------+----------------------------------
 acbd18db4cc2f85cedef654fccc4a4d8 | acbd18db4cc2f85cedef654fccc4a4d8
(1 row)

Storing varbits rather than the text form of the MD5 brings a sample table of 100 million rows down from 6510 MB to 4976 MB. We're targeting more than that, so that's a great win here!

In case you wonder, querying the main index on varbit rather than the one on text for a single result row, the cost of doing the conversion with varbit_to_hex seems to be around 28 µs. We can afford it.
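To see exactly what the shift / bit(32) / bigint / to_hex pipeline does to a digest, here is a Python model of both functions, added as an illustration and not the post's own code. It also exposes a pitfall of the naive form: PostgreSQL's to_hex() drops leading zeros, so a 32-bit word whose first hex digit is 0 comes back short; the "0cbd…" digest below is constructed to show that, while md5('foo') is the page's own example.

```python
"""Python model of the page's hex <-> varbit SQL functions (added example).

Each 32-bit word is produced the way the SQL does it:
(b << (32*o))::bit(32)::bigint, then hex-encoded. Two encoders are
provided: the naive one behaves like to_hex() and loses leading zeros,
the padded one behaves like lpad(to_hex(...), 8, '0').
"""
import hashlib

WORD_BITS = 32  # the SQL slices the bit string into bit(32) words


def hex_to_varbit(h: str) -> str:
    """Hex text -> bit-string text, like ('X' || h)::varbit."""
    return "".join(format(int(c, 16), "04b") for c in h)


def varbit_words(bits: str):
    """Yield (o, word_bits, word_int) for o in 0 .. octet_length(b)/4 - 1.

    Only whole-octet bit strings are modelled; like the SQL, any tail
    shorter than a full 32-bit word is silently dropped.
    """
    if len(bits) % 8:
        raise ValueError("bit string is not a whole number of octets")
    n_words = (len(bits) // 8) // 4                 # octet_length($1)/4
    for o in range(n_words):
        shifted = bits[WORD_BITS * o:] + "0" * (WORD_BITS * o)  # b << 32*o
        word = shifted[:WORD_BITS]                              # ::bit(32)
        yield o, word, int(word, 2)                             # ::bigint


def varbit_to_hex_naive(bits: str) -> str:
    """What plain to_hex() yields: leading zeros of a word are lost."""
    return "".join(format(v, "x") for _, _, v in varbit_words(bits))


def varbit_to_hex(bits: str) -> str:
    """Fixed form: every word padded to 8 hex digits, so the round trip
    hex -> varbit -> hex is exact for any digest."""
    return "".join(format(v, "08x") for _, _, v in varbit_words(bits))


def word_table(bits: str):
    """The o | b | x rows of the page's test query, as tuples."""
    return [(o, w, format(v, "08x")) for o, w, v in varbit_words(bits)]


def md5_varbit(data: bytes) -> str:
    """Bit-string form of a real MD5, i.e. hex_to_varbit(md5(data))."""
    return hex_to_varbit(hashlib.md5(data).hexdigest())


def roundtrip_ok(h: str) -> bool:
    """True when the padded encoder reproduces the original hex text."""
    return varbit_to_hex(hex_to_varbit(h)) == h


if __name__ == "__main__":
    foo = hashlib.md5(b"foo").hexdigest()
    for row in word_table(hex_to_varbit(foo)):
        print(*row)
    # constructed digest whose first word starts with a zero nibble
    bad = "0" + foo[1:]
    print("naive :", varbit_to_hex_naive(hex_to_varbit(bad)))
    print("padded:", varbit_to_hex(hex_to_varbit(bad)))
```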

Hope this helps!

Tags: lenses
By Michael Johnston

In a joint press release, Cosina and Olympus have announced that Cosina Co. Ltd., makers of the extensive Voigtländer line of products, many compatible with Leica M mount, will make lenses specifically for the Micro 4/3 standard currently shared by Olympus and Panasonic. 

Nokton
Beginning with a bang, Cosina's first Micro 4/3 lens will be a dedicated, Japan-made, 11-element 25mm (50mm-e) ƒ/0.95 Nokton (this link and the next one to Google Translate) with a price rumored to be in the $900 range.

This follows just days after the announcement of the new Voigtländer 75mm ƒ/1.8 in Leica M mount, a Heliar-type with six elements yet just six air-to-glass surfaces.

Mike

Original contents copyright 2010 by Michael C. Johnston and/or the bylined author. All Rights Reserved.