kdmurray.blog

The crossroads of life and tech

iPhone 4S – The Next Logical Step

Now that we’ve had a month to digest Apple’s 5th generation of the second coming of mobile telephony, the iPhone 4S, I thought it was fitting to take a look at what this product really means in terms of Apple’s product cycles.

As one might speculate based on the name alone this is a fairly minor revision of the current-generation iPhone 4. The new device carries only a few minor hardware adjustments, but some very significant changes for the software itself (most of which the iPhone 4 will receive as well).

The most significant hardware changes are the upgrade to a dual core ‘A5’ ARM CPU, a completely redesigned 8MP camera and the integration of the voice interface called ‘Siri’.

The first two pieces of this puzzle are fairly easy to understand. The new A5 processor will give the handset much more power, particularly for gaming or video intensive applications. The second new piece of hardware, the redesigned camera, has a higher resolution sensor, larger aperture and an additional lens element, all of which are said to contribute to brighter, crisper, “better” photos than any of the previous iPhones.

The odd-ball of the bunch is Siri. This is something which might be described as an assistive technology, something designed for users who would have trouble interacting with the phone in a traditional manner. But if science-fiction has taught us anything it’s that we’ll all be talking to our computers in the future and the keyboard and mouse will be “quaint” figures of our collective social memory.

Siri was rolled out in beta to the iPhone 4S, which is the only iOS 5 device receiving the enhanced voice interface despite similar processing power in this past year’s iPad 2. The “beta” moniker is something that Apple has used only sparingly in years gone by, and it tends to be used in the fairly traditional sense of the word, applied to products which are truly unfinished when they are made available to the public. There has been a great deal of speculation as to what this means for the future of Siri. Many feel that the technology will eventually make its way on to every Apple product, from voice-enabled phones to computers through to the Apple TV. The digital living room device is, in my opinion, the killer target for the new technology as it would allow a remote-control free experience (assuming it knew when to listen to you and when to ignore the sound coming out of your TV).

But all that aside I really wanted to focus on this one point: the iPhone 4S is the next logical step for Apple. After the initial release of the iPhone in 2007 it was followed up in 2008 with the iPhone 3G, which was arguably the first “complete” version of the handset. June of 2009 saw the introduction of the iPhone 3GS, which was for all intents and purposes a revised version of the previous year’s model. 2010 introduced the iPhone 4 with an all new design and the first instance of an Apple device with an Apple CPU (the A4). After such a major upgrade nobody knew what would happen next. Speculation early in 2011 led many to believe (correctly, as it turns out) that Apple would abandon its traditional June timeslot for iPhone launches, eventually delivering the new phone in October.

The delay also led to a great deal of speculation that Apple must be using all this extra time to produce an absolutely killer new iPhone 5 which would revolutionize the phone market as much as the iPhone 4 had the year previous. The iPhone 4 is still one of the best selling single handset models ever, particularly if you focus on smartphone sales. As time dragged on so did the predictors, pundits and pranksters. We saw mock ups of super-sized, super-small, super-thin, dual screened, cloud-based, fat, thin, black, white, pink, polka-dotted, tutu-wearing, pipe-smoking, tap-dancing iPhones (OK, I made some of those up, but you get my point). When the new handset finally arrived, it was not the much touted iPhone 5, but a revision to the iPhone 4 complete with evolutionary hardware upgrades and a new piece of software that may someday change the way you interact with most of your technology.

It makes sense. The next iPhone will (probably) have a more significant redesign. The next iPhone will (probably) not be called the iPhone 5. The next iPhone will have Siri. The next iPhone — well, we’ll see it when it gets here, won’t we (or when it inevitably gets left in a bar somewhere in San Francisco).

Accessing HttpContext objects from other classes

I could swear I wrote about this at some point in the distant past, but I couldn’t find the article this week when I needed it to help troubleshoot an issue with another developer. The issue he was having was how to access objects from the executing web page’s HttpContext object from a class other than the CodeBehind of the executing web-forms page. Essentially he was looking for a way to map a web-path to a physical folder path without needing to hard-code it or know where the application was deployed on the server in question.

If done correctly, an application can reside anywhere in the file system and be deployed to a virtual directory at any depth without causing a problem with URL resolution. In the code-behind of a web-forms page, the code is simple:

string physicalPath = Server.MapPath("~/somefolder/myfile.xml");

However, doing this from another class involves just a little bit more work:

using System.Web;
// HttpContext.Current is the context of the request currently being served;
// it is null when no request is executing (e.g. on a background thread).
string physicalPath = HttpContext.Current.Server.MapPath("~/somefolder/myfile.xml");

It’s really quite straightforward when you see it, and I can’t believe that I forgot how to do it. This method will also give you access to lots of other useful objects which make up the “state” of the application from an HTTP perspective.

Aussie Geek Podcast – Episode 49

I didn’t realize until today that I completely forgot to do a post for AGP #48 but it’s too late for that now. I had a chance to produce the show again this week on what may (hopefully) be our last episode on our existing website before fully transitioning over to the Lifestyle PodNetwork.

Dave, Knightwise and I had a great time going over heaps of desktop apps and cool sites this week, taking a break from the recent deluge of Apple stuff and completely skipping over the wasteland that was this week’s mobile and tablet space.


Podcast Roundup – New (to me) Apple & Mac Podcasts

I was on the hunt for some new Mac and Apple podcasts after becoming frustrated with the amount of blatant fanboyism and unnecessary Microsoft and Windows bashing I was hearing on the shows I had subscribed to. I wanted more shows that take an even-handed approach like Mac OS Ken or a lighthearted approach like the Nosillacast. I put a call out on Twitter and Google plus for recommendations and was given a couple of great new (to me) shows to listen to.

Mac Power Users

This show is absolutely brilliant. I’ve only been subscribed for the past week or so, but I’ve gone back and reviewed the last 10 episodes.

Katie and David do a great job of covering topics in enough detail to provide a complete review without getting into too many inanities. There are typically two types of shows. The topic-shows provide a deep-dive on a specific topic filled with lots of tips, tricks and keyboard shortcuts. The other show type is a “workflow” show where they typically bring on a guest to talk about how they use Mac and iOS products to get their work done productively.

Typical Mac User

I listened to the Typical Mac User a number of years ago, shortly after Victor started the podcast I suspect, and for whatever reason drifted away from it. When George Starcher suggested over G+ that I check it out again, I found that I really enjoyed it. I’ve listened to a few different episodes in the past week which ranged from uber-beginner intros to OS X Lion, through to highly-involved Automator/AppleScript discussions. The show provides a good balance of introductory, mid-range and technical discussion and offers a range of guests to get insights on different parts of the Mac community.

Guest Spot – Knightcast 0056 “The Best of KWTV Live”

I recently had the honour of being asked to be a guest on Knightwise’s podcast during his KWTV Live event in September. He took the opportunity to interview three different people about the current state of the three major operating systems, Linux, OS X and Windows. The three guests for the evening were:

Larry spoke on the state of Linux and what drives Linux adoption; Bart covered the highlights and lowlights of OS X Lion in some detail; and I talked about the Windows 8 developer preview and the state of Windows tablet PCs.

Give it a listen!

Steve Jobs’ Impact on the World of Technology

This afternoon Apple released the sad news that co-founder and chairman Steve Jobs had finally succumbed to his fight with cancer. With that the world lost a man whose vision led Apple from the depths of irrelevancy to the forefront of day-to-day mind-share.

Revived Apple

Steve Jobs founded Apple Computer in the late 1970s. The company has had its ups and downs over the years and Jobs was ousted from his leadership position only to be hired back on in the 1990s when Apple was bordering on irrelevancy. Starting with the iPod and iMac in the early 2000s Jobs and his leadership team helped make Apple one of the most recognized and relevant brands in the world.

Reinvented home computing

The early Apple II computers were some of the first to be placed in the home as the “family computer”. While they weren’t the only ones, they were certainly among the first and also among the most widely deployed. The list of people who can tell you today that their first computer was an Apple IIc or Apple IIgs is lengthy, myself included.

Revolutionized portable music

While not the first company to produce MP3 players, or even hard-disk based MP3 players, Apple created a beautifully designed device in 2001 called iPod. Jobs took the position that existing media players were not particularly good, or usable. He assembled a team to create a new device as a part of Apple’s “digital hub” strategy. This was, at its core, a basic MP3 player with an internal hard disk which could store 5-10 GB of music, which at the time was all, or most, of most people’s digital music collections. iPod became the foundation of later forays into the personal electronics space which has become central to Apple’s position in the market.

Reimagined telecommunications

It has been called “the second coming of mobile telephony”: Apple’s iPhone. Jobs and members of his leadership team like Jonathan Ive released the first iPhone in 2007, and Apple has revised it every year, selling millions upon millions of devices each year. Apple has become a (the?) leader in mobile phone sales and development worldwide, leading a device category that they helped create less than 5 years ago.

Redefined portable computing

With the launch of the iPad tablet in 2010 Apple helped to define a third product category which had, until then, been somewhat vaguely defined. Steve Jobs himself referred to the iPad and its successor the iPad 2 as devices that would usher in the “post-PC era”. While not everyone feels that iPads will replace their computers, they have certainly helped to define a product category where people will use devices to complement their “real lives” with their digital ones.

So there you go, a brief summary of the impact Steve Jobs has had on the worlds of computing and technology in the past 35 years. We can only hope that he’s inspired his teams at Apple so that the innovation of Apple, particularly over the past decade, will continue in years to come.

Three-week Ubuntu Experiment – Migrating to Open-Source

This past spring I made an attempt to move myself out of the shackles of the commercial software world and truly embrace open-source. I tried to move my primary machine off Windows 7, and onto Ubuntu Linux. I knew the transition wouldn’t be seamless but I’d heard so many good things about living in a Linux universe that I decided it was time.

The experiment did not go as well as I might have hoped, and despite my efforts to stick with it for some time, I eventually had to cut the experiment short. As I was preparing to re-image my system I started a blog post which I decided not to post at the time. I’ve included a short excerpt which shows my state of mind back in May, just after the experiment concluded.

I told myself I was going to stick it out for at least 3 months. But here I sit, not 3 weeks after making the decision to migrate my primary machine to Ubuntu, with the Windows 7 installation disk in hand. What could possibly have brought me to this point? Primarily, time. It’s going to take me about 8 hours of work to prep all the data on my system for the transition, wipe the Linux partition, re-install Windows, re-install the applications, re-install VMWare, re-install my Linux VMs (I do still have a use for them!). The problem is, things on Linux generally have taken longer than they should. Some of this is due to the fact that I’m learning, and I’ve tried to ignore those. Others are generally due to the fit and finish of Ubuntu.

So what went wrong?

Problem #1 – 10.10 or 11.04?

I generally resist the temptation to move to the latest OS release, but when I tried setting up a Windows VM under VirtualBox in Ubuntu 10.10 the audio was mucked up. It seemed a bit slow too, but that may have been my imagination. So I tried installing the newly minted 11.04. The VM now worked like a charm, but that was a long multi-step process.

Problem #2 – Virtualization

Trying to set up a virtual machine that would start up at boot time (like a Windows service or any number of linux daemons) proved a nearly impossible task. After several hours of searching, tweaking, testing, and ultimately failing, I decided to abandon the effort and live with manually starting my VMs.

Problem #3 – File Sharing

Setting up network shares was probably one of the better experiences I had. I was able to set up a “public” share on the linux machine and access it from anywhere on the network… as long as I didn’t want to protect it with a username and password. That was going to require more voodoo and black magic than I was prepared to endure for such a simple task. Overall, not a bad experience.

Problem #4 – Flash in Browsers

Like it or not Flash is still an integral part of the web, and Flash in the browser was just one of those things that never quite worked right. When I talk about fit and finish of a product, this is what I mean. Blocky artifacts showing up on video players was the most common issue, though there were other things like playback and audio problems as well.

Problem #5 – Lack of Air Support

The fact that I felt compelled to write a blog post calling attention to a tutorial for getting Adobe Air installed under Ubuntu 11.04 speaks to just how difficult this didn’t need to be. On any other major platform, you can go to a website and simply click the install button. The rest is automatic. Not here though.

Problem #6 – Button Clicks

I constantly had problems just clicking on buttons. Sometimes in an application (Chromium comes to mind) but sometimes just within the Ubuntu environment itself. This kind of thing makes you start to question the faith you have in your OS.

Problem #7 – Learning Curve

I suppose it’s a bit unfair to put this here as it’s undoubtedly the same issue that would come up moving between any two major operating systems. The bottom line is that I have a young family with whom I like to spend the majority of my day. That means that when I decide to sit down at the computer to do something, I don’t really have the time to spend learning how to do things all over again.

There were a few things that were also pleasant surprises during this whole thing. Mostly to do with 3rd party applications.

CrashPlan support

CrashPlan was able to seamlessly match up my Windows backup to the Linux file system. This made it very easy to move everything over. I just hope it works as well in reverse.

AcidRip

Digitizing DVDs has never been easier. It took a couple of tries to get the quality settings just where I wanted them, but the process worked out really well.

Shell

I love the *nix shell, Bash in particular. This is the one thing I will truly miss when I move back to Windows. Having commands like rsync at my disposal, and built in SSH support are also fantastic. While this is something that has to be hacked into a Windows installation, it is available by default on OS X.

In summary…

The availability of good software to do most tasks is one of the key benefits of moving to an open source experience, but the truth is that the experience really didn’t live up to my hopes or my expectations. I’m getting to the point where I want my computing time to be spent creating, not just experimenting with different ways that I could set up my tool sets. And as time moves on, the number of free or open-source applications available on the major commercial platforms like Windows and OS X is growing. Once either of those operating systems is installed I can do everything I want to do without having to pay a license for another piece of software — and in many cases the applications are as good or better than the open-source tools available for the Linux platforms. Add to that the growing number of applications which reside in the cloud and are completely browser and platform agnostic and it starts to become a simple equation for me.

Is it worth the $150 or so that it costs to get my new computer preloaded with a commercial OS? Yes.

Turn off URL Trimming in Firefox

With the latest release of Firefox, Mozilla has decided that we don’t need to see the “http://” at the beginning of a URL. While this may be true for day-to-day browsing, it makes copying and pasting URLs a bloody nightmare.

Most applications detect a URL based on it starting with some sort of protocol directive (http://, https://, ftp://, mailto:). By removing that directive from the beginning of the URL Mozilla now forces us to type them in as we go, reducing productivity and generally being a pain in the behind.

For the record, this portion of the URL is still visible for https:// URLs to help everyone know that pages are encrypted using SSL/TLS. This somehow makes it even worse in my eyes, since this non-security related behaviour is different based on whether or not the application is encrypted.

You can, however, correct this abhorrent behaviour with a trip to the Firefox about:config page.

DISCLAIMER: Read the disclaimer on the about:config page.

  1. Go to the about:config page in Firefox

  2. In the filter box, type in: browser.urlbar.trimURLs

  3. Double-click on the value to change from true to false

After making the change, that line will show up in bold to indicate that it has been changed from the default setting. This is helpful if you want to restore settings to their default at some point in the future — though in this case I can’t imagine why.

Happy linking!

Aftermath of a Hack

This site was hacked. While it’s still unclear exactly how it happened, or precisely when, sometime in the past 6 weeks my blog, at least 2 other websites and possibly my DreamHost shell account were all hacked. I’m generally a pretty security conscious person, but even I get lazy from time to time. It wasn’t clear to me just how dangerous that laziness could be until this week. I’m going to outline a bit below some of the issues which may have led to my problems, and talk about the steps that have now been taken to help prevent them from occurring again in the future.

The Problem

In retrospect I can see five things I did wrong, and all of them can be traced back to laziness or perhaps, to be less forbidding, they can be traced back to actions taken (or not taken) for the sake of convenience.

Error #1 – Out-of-date Software

Many of us take the time to make sure our operating systems and browsers are up-to-date and fully patched; but do we take the necessary time to make sure that all of our software is patched? Particularly things which don’t reside on our home computers? If you run your own blog, forum or other website and are responsible for your own updates can you say unequivocally that you are currently running the latest and greatest version? Software that is out of date by as little as one revision may have critical vulnerabilities which could allow for disruption of your site, or even execution of commands on your web server.

(Aside: if you don’t use Secunia’s PSI product on your home PC at least once a month, you should.)

Error #2 – Abandoned Web Properties

This goes hand-in-hand with the out-of-date software but is, in some ways, a bit trickier to prevent. It is far easier to remember to update software on sites which you update and monitor on a regular basis. It’s far more difficult to monitor sites which have been, for lack of a better term, abandoned. In my case there were three separate sites on my account which were running versions of their software which were more than 12 months out-of-date. The reason was that I was no longer maintaining these sites and had, in essence, forgotten they were still there. I had hidden a couple of them by renaming the homepage which made it look (to the casual observer) like the sites weren’t there but of course all of the other pages were still in their normal locations and were full of holes.
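A check that would have surfaced Errors #1 and #2 early is an inventory of every install on the hosting account with its version, so forgotten copies are visible instead of silently ageing. The script below is an added example and not a script from this post; it assumes the WordPress layout, in which `wp-includes/version.php` declares `$wp_version`, and takes the reference version to compare against as a caller-supplied argument. The directory names in any test run are constructed.

```shell
#!/bin/sh
# Added example (not the blog's own script): list every WordPress install under a
# directory tree with its version, and flag those older than a reference version.
set -eu

# WordPress stores its release number in wp-includes/version.php as
#   $wp_version = '3.2.1';
# Print that value for the install rooted at $1.
wp_version_of() {
    sed -n "s/^\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Print "<install-root> <version>" for each install found under $1.
# Abandoned sites whose homepage was renamed still have version.php in place,
# so they show up here even though they look "gone" from a browser.
inventory() {
    find "$1" -type f -path '*/wp-includes/version.php' | while read -r vf; do
        site="${vf%/wp-includes/version.php}"
        printf '%s %s\n' "$site" "$(wp_version_of "$site")"
    done
}

# True when dotted version $1 is strictly older than $2 (numeric, per component).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# Print only the installs under $1 whose version is older than reference $2.
outdated() {
    inventory "$1" | while read -r site ver; do
        if version_lt "$ver" "$2"; then
            printf '%s %s\n' "$site" "$ver"
        fi
    done
}

# Usage: inventory.sh <account-root> <current-wordpress-version>
if [ "$#" -eq 2 ]; then
    echo "Installs older than $2 under $1:"
    outdated "$1" "$2"
fi
```

Run it against the account root with the version published on the WordPress site as the second argument; an empty result means every install it can find is current, and anything listed is a candidate for either an upgrade or removal. Paths containing spaces are not handled by the `read`-based loops.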

Error #3 – Shared User Accounts

Sharing is good, right? Not in this case… I have several different domains hosted under a single hosting account. DreamHost is really generous, allowing customers to register any number of domains and attach them to the account. I host sites for myself, for family and for a couple of organizations I’m affiliated with. This in and of itself does not cause a problem. The security hole in my plan was that most of these domains were hosted on a single user account. This means that if that shared user account gets compromised, all of the domains which are run on that user account are potentially at risk.

Error #4 – Lack of Backups

The websites had no viable backups. Because no regular backups were being run of the account, it was virtually impossible to trace when the hack initially occurred. If there had been regular full or differential backups being made of the various websites it may have been possible to determine when the initial attack took place and roll all of the sites back to the way they were before they were compromised. In addition, if there had been any data loss (there does not appear to have been) the lack of backups could have meant the loss of many hours of work.

Error #5 – Reused Credentials

We hear it all the time – do not reuse usernames and passwords on your various accounts, particularly accounts you care about or that are important. Credential reuse increases the chances that a hack on one site can do more widespread damage than the initial compromised password should really allow. My main SSH credentials were a username and password that I had used on over 100 different sites and services. I know for sure that one of the web properties I use had these particular credentials released into the wild. Why didn’t I change the password? I don’t know. If that was the entry vector, it is quite possible that a number of other accounts of mine have also been compromised.

Overall Impact

The impact was (thankfully) minimal. Only two sites of value were compromised, and it appears that all of the data for those sites is undamaged. A number of other obsolete sites were compromised as well, but as they are no longer actively used they are of no great loss. It also appears that some sort of mass-mailing script was being run from the account. My server-side user account had received over 27K “Message Undeliverable” replies from various mail servers. I hate to think how many it was able to send successfully.

The Cleanup

The cleanup had to be done in phases, addressing each of the five defects individually. Some of them were very easy to change, others required quite a bit more effort to implement and verify. However, before any of the remediation could begin, the site needed to be cleansed.

The very first step was to ensure that my local machine had not been infected or compromised. I was pretty sure that it was clean as scans are run every night, but cleaning the sites from a compromised machine would be like trying to wash a car with a muddy sponge: no amount of scrubbing would get it clean. The machine checked out.

The second step was to change the passwords for all of the users on my hosting account, and change the main password for the account itself.

Next, data from the websites that needed to be saved was exported. None of the code for the software running those sites was saved, only the data. There was no way to tell if the software was clean or compromised so I decided to take no chances. The application software is not that difficult to install, and I was willing to take the hit on setting up modules, components and themes anew.

Once the data was backed up I wiped out all of the data on the user accounts which were being preserved. This meant a full wipe from the file-system from the operating-system shell on the server. All files and directories including “hidden” and “special” folders were wiped out. Some of these operations required the assistance of a DreamHost technician.

Step #1 – Remove all unused or obsolete websites

This was taken care of as part of the cleanup activities mentioned above. Simply removing the affected websites greatly decreased the attack surface of the account and reduced the number of attack vectors which could be used to attack the websites and/or the account.

Step #2 – Remove all un-needed user accounts

In the case of any obsolete sites, test accounts or test databases, these were removed directly from the hosting provider’s control panel as they would no longer be needed. Much like Step #1, there is no sense in keeping any old files or data hanging around where they might later become a liability.

Step #3 – Change the passwords again

Once all of the files, scripts, data, databases, directories, logs and anything else I could think of were removed from the sites, the passwords were rotated again. This was done in the off-chance that there were cached credentials or some other form of persistent authentication lurking somewhere in the ether.

Step #4 – Create new per-domain user accounts

For each of the domains that would be remaining active, a new user account was created specifically for that domain. These accounts would be used to connect to and install the necessary software on the websites, as well as to run backup and maintenance scripts. Passwords for these accounts were set to extremely long strings of random characters as they would not be required for day-to-day access and maintenance.

Step #5 – Set up public key authentication

For regular access to these sites, I decided to go with public key authentication. By requiring a private key (stored in an encrypted volume on my main desktop) and a lengthy but easy-to-remember passphrase I could fairly safely rely on the same public/private key pair to secure access to all of the websites. I found out during this step that both PuTTY’s puttygen application and my hosting provider’s implementation of OpenSSH have an upper-limit on the length of the passphrase. It is still a very long upper limit, but I was surprised to find it. If you share access to a website keys can be installed for each trusted user using the same method.

Step #6 – Change passwords again (optional)

Once the public-key authentication is in place the account passwords can be changed at will without affecting the state of the affected keys. This means that I have effectively made the public keys the only viable way of accessing the site over SSH short of having access to the main hosting provider account to do a password reset. Admittedly this step is for the very security conscious (read: paranoid) as I was quite certain at this point that the passwords on the system at this time had not been compromised. This however is to be the first step in a regularly scheduled series of password rotations that the system will handle on my behalf as a part of standard system maintenance.

Step #7 – Reinstall all server-side software

Once all of the base security measures were in place and tested, I set up the application software I wanted to run on the web server. The key here is to do the set up using copies of the software obtained only from trusted sources. What a trusted source is will vary from software package to software package, but typically the main project site for an open-source project (not a mirror) or the vendor website are good places to start. In this case that meant downloading the latest stable WordPress release from the main website <link>. I made sure not to rely on previously downloaded installation packages, getting the newest, most up-to-date version I could lay my hands on.

Step #8 – Configure server-side software

Each software package is different, but going through all the configuration steps for your software package is important: don’t try to short-cut the process. In the case of WordPress we have to set up a MySQL database, set a number of key/hash values which are used for authorization and cookies, and finally set up the user accounts. I wanted to make sure that any passwords, keys or salt values were set using long randomly-generated strings. In my case I used the password generation function in LastPass. Other options would include tools like 1Password, RoboForm or Perfect Paper Passwords <Links>. The longer and more random the string is, the more difficult it will be to crack. I have been using values from 24 to 64 characters in length depending on the purpose. If you have a system that assigns default passwords for new user accounts, be sure to change those default system-generated passwords and replace them with your own strong credentials at this stage.

Step #9 – Set up extensions and themes for server-side software

Once the base configuration was in place it was time to add in the additional features I required for these sites. In my case it was a collection of WordPress plugins and themes. It is easy to forget that each extension, plugin or theme that you add to your website’s software package is in fact additional software that will be executed when the website is used. Just as with the base software package it is important to trust the source of your plugins and themes. If you are suspicious as to the origins of the software, choose something else. I also added the plugins and themes one at a time, confirming after each step that there were no immediately visible defects.

Step #10 – Automated backup

The next step was to add a backup script for both the website and the associated database. By building this as a shell script it was possible to schedule full backups of the various sites and have them run on a set schedule. For now the script is very simple:

  1. Extract the contents of the database
  2. Zip the website and extracted database into a single archive
  3. Send that file over SFTP to a location off-site from the server
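The three steps above written out as a cron-able script, as an added example rather than the blog’s own script. It assumes a MySQL-backed site such as WordPress, `mysqldump` and OpenSSH `sftp` on the host, key-based SFTP access to an off-site machine (as set up in Step #5), and placeholder paths, database and host names; tar+gzip stands in for zip. The dump and transfer commands are overridable variables so the script can be exercised against a constructed site directory without a database or a remote host.

```shell
#!/bin/sh
# Added example (not the blog's own script): back up a site's files and its MySQL
# database into one archive and copy the archive off the server over SFTP.
set -eu
umask 077   # dumps hold credentials and user data: keep them private to this account

# Assumed placeholder settings; override via the environment or edit in place.
SITE_DIR="${SITE_DIR:-${HOME:-.}/example.com}"        # document root to archive
DB_NAME="${DB_NAME:-wp_example}"                      # database to dump
DB_CNF="${DB_CNF:-${HOME:-.}/.backup/my.cnf}"         # [client] user=/password= file, mode 0600
OFFSITE="${OFFSITE:-backup@offsite.example.net}"      # SFTP host that keeps the copies
REMOTE_DIR="${REMOTE_DIR:-backups}"                   # directory on that host
WORK_DIR="${WORK_DIR:-${HOME:-.}/.backup/work}"       # local scratch space
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"   # overridable so the script runs without a database
SFTP="${SFTP:-sftp}"                  # overridable likewise

# Step 1: extract the database into $1. Credentials come from a config file rather
# than the command line, so they never appear in `ps` output on a shared host.
dump_database() {
    "$MYSQLDUMP" --defaults-extra-file="$DB_CNF" --single-transaction "$DB_NAME" > "$1"
}

# Step 2: bundle the site tree and the dump ($2) into archive $1, then list the
# archive to confirm it reads back before the plaintext dump is removed.
build_archive() {
    tar -czf "$1" \
        -C "$(dirname "$SITE_DIR")" "$(basename "$SITE_DIR")" \
        -C "$(dirname "$2")" "$(basename "$2")"
    tar -tzf "$1" > /dev/null
}

# Step 3: push archive $1 off-site in sftp batch mode (non-interactive, key auth).
ship_offsite() {
    printf 'put %s %s/\n' "$1" "$REMOTE_DIR" | "$SFTP" -b - "$OFFSITE" >&2
}

# Run all three steps and print the local archive path.
run_backup() {
    mkdir -p "$WORK_DIR"
    stamp="$(date +%Y%m%d-%H%M%S)"
    dump="$WORK_DIR/$DB_NAME-$stamp.sql"
    archive="$WORK_DIR/$(basename "$SITE_DIR")-$stamp.tar.gz"
    dump_database "$dump"
    build_archive "$archive" "$dump"
    rm -f "$dump"            # the dump lives on only inside the archive
    ship_offsite "$archive"
    echo "$archive"
}

# Invoked from cron as `backup.sh run`; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then
    run_backup
fi
```

Schedule it with a crontab entry such as `0 3 * * * $HOME/.backup/backup.sh run`. Because the dump is written with `umask 077` and deleted once it is inside the archive, nothing readable by other users of the host is left behind; the archive itself still contains `wp-config.php` with the database password, so the off-site location needs the same care.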

There are other ideas for automation as well, but this post is long enough as it is. I will save those for later.

Lessons Learned

This could have been much worse. In many ways I count myself very lucky. I could have had all of my data wiped out, I could potentially have seen malware/scripts injected into my websites to capture login credentials or other sensitive information. This attack served as a warning and though I have had to spend a number of hours rethinking the way my websites are set up and managed, at the end of the day I will have better control over the sites I manage, better practices in place for dealing with security, and with any luck, better personal habits for dealing with information security.

Last, but certainly not least, a big thank you to the folks at DreamHost for confirming my initial diagnosis, helping to find the possible entry vectors, providing guidance on cleanup and purging, and just generally doing that great customer service thing that they do.

Mango Day for Windows Phone 7

Today Windows Phone handsets around the world begin to receive their official Windows Phone 7.5 “Mango” software updates. If you have a WP7 device check the Where’s my Update? page to see if your carrier is delivering “Mango”.

At this point it’s unclear whether the accelerated update process that worked for many of us when the “NoDo” update was released will be effective with “Mango”.

UPDATE 13:00: It appears that the old disconnect from the Internet trick still works!