aliases

  • Tom
  • Tom Robinson

Tom

8 months ago

in tlrobinson.net / blog » Blog Archive » Recovering Censored Text Using Photoshop and JavaScript on tlrobinson.net / blog

@Craiig: Thanks for the suggestion. That might be a good idea, though it's not immediately obvious how I would apply a hill climbing algorithm.


The main problem is that with proportional width fonts the accuracy of all subsequent guesses depends a lot on the accuracy of the characters guessed so far. Perhaps it could backtrack if it notices the accuracy of even the best guess drops below a certain threshold.


It would definitely help if I could speed up the time for each individual test, but I think I'm pretty much at the mercy of Photoshop and my machine.


I don't remember the specifics of hill climbing algorithms from my AI courses well enough to see how to apply it to this. Any ideas?

8 months ago

in Improved Browser Paint Events Bookmarklet on tlrobinson.net / blog

@Robert: Yup I already fixed it ;)


Thanks.

8 months ago

in Command line interpreter and REPL for JSCocoa on tlrobinson.net / blog

Thanks for the link back here!

8 months ago

in tlrobinson.net / blog » Blog Archive » Recovering Censored Text Using Photoshop and JavaScript on tlrobinson.net / blog

@Justin: I think I left out this step:


"Double-click the Smart Object layer to open its source document, and adjust the variables listed at the top of the JavaScript to match the names and layers."

10 months ago

in tlrobinson.net / blog » Blog Archive » Chipmunk Physics engine running on the iPhone on tlrobinson.net / blog

@Scott:


Sorry, that README is outdated, use the Makefile in the "Demo" folder.

10 months ago

in MobileMe and (lack of) encryption on tlrobinson.net / blog

@Galley:


This blog post never mentions the iPhone. What more do you want clarified?

10 months ago

in MobileMe and (lack of) encryption on tlrobinson.net / blog

@Matt:


"SSL only prevents man-in-the-middle attacks if you never accept an invalid certificate when the warning pops up in your browser."


Yes, that's exactly why I'm all for Firefox 3 being more strict with invalid certificates.


I certainly wouldn't consider every WiFi access point "least likely avenues for a potential attacker". Without SSL, a kid with a laptop and Wireshark sitting in Starbucks can see your email.


@Scott:


That vulnerability appears to be specific to SSL VPNs, not browsers' SSL. Not sure if it's applicable to browsers.


@Jeremy:


GoDaddy, etc. get you simple domain verified SSL certificates for $30 ($15 if you find a good deal). And as Gen pointed out, StartCom offers free certs.


Sure anyone can get an SSL certificate very easily, but only for domains they control. Now, try getting a CA signed SSL certificate for bofa.com, I dare you.


Whether or not the SSL certificate industry is "a racket" is irrelevant to the security SSL offers. As long as they're not issuing certificates for domains to people who shouldn't have them, it's a secure way to authenticate and encrypt sites (not taking into account the "user interface" problem of users blindly dismissing warnings).


There absolutely needs to be some way to verify a key belongs to the website you're accessing. SSL uses CAs. PGP uses a "web of trust". I think SSL's solution is a pretty good one.


I'm all for some open solution that wouldn't cost anything while remaining secure, but until then we're stuck with paying the CAs.

10 months ago

in MobileMe and (lack of) encryption on tlrobinson.net / blog

@Prince:


Your article is highly misleading, as evidenced by John Gruber citing it and telling everyone that MobileMe is encrypted when it's really not. Whether or not you explicitly state such things, it's irresponsible to imply that the service is more secure than it really is, but I'm glad at least Gruber issued a correction.


"It also pointed out that because of that architecture, using SSL to secure the browser (as many claimed was necessary for security) would secure the files of the app itself, which really is unnecessary."


And I already pointed out that this is simply not true. If the app itself can be hijacked (and without SSL it could be) then all bets are off. But even if you were right, it doesn't matter in MobileMe's case since even the data isn't encrypted!


"The unnecessary panic is caused by security experts talking about marginal risks and suggesting that MobileMe is hopelessly insecure. That’s why you have comments here talking about how the iPhone presents a risk when being used at Starbucks, and questions about Macs exposing your data."


I would hardly call the fact that anyone with a packet sniffer on the same network (WiFi especially) as someone using the MobileMe site could read all emails, contacts, calendar events, and files, a "marginal risk".


And yes, just as people have taken your article to mean MobileMe is more secure than it really is, it seems some people have taken my article to mean IMAP and desktop syncing are less secure. I've issued a clarification, I suggest you do the same.

10 months ago

in MobileMe and (lack of) encryption on tlrobinson.net / blog

El Aura:


MobileMe Mac syncing appears to use SSL/TLS.


Regarding SSL and MITM: Sort of. Technically self-signed certificates can protect against MITM attacks, but the "user interface" issues cause problems in practice.


If you use a self-signed certificate you will get the same warning you would get if you were the subject of a MITM attack, thus there is no way to tell the difference, and many users will end up ignoring the warnings.


However, the first time you access a page with a self signed cert, you can tell the browser you trust that cert and you will no longer get the warnings. Now, in the future if you're the subject of a MITM attack the cert won't match the trusted one that you originally added, and you will get a warning.


In that case, a self signed cert can protect against MITM attacks, but you need to make the effort to add the cert the first time you visit the page in each browser you use, and that's assuming you can even trust it (ideally verified through some out-of-band mechanism).


So self-signed certificates can be used securely. The problem is that if the browser were to not warn me about self-signed certificates I would have no idea if a MITM attack were occurring. Additionally, by making the warnings easy to dismiss, users get in the habit of blindly dismissing them. Firefox 3's changes make it much harder for users to accidentally ignore the warnings.


DNS poisoning is one way to perform a MITM attack. SSL with a CA signed certificate is pretty much the only defense against that, since no one should be able to obtain a valid cert for bankwebsite.com (for example) that doesn't throw up warnings on users' browsers. I can generate a self-signed certificate for bankwebsite.com, but the browser will warn the user.
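
The trust-on-first-use behaviour described in the comment above, sketched as an added Python example (not part of the original comment and not any browser's code). `PinStore`, its method names, the decision strings and the byte strings standing in for certificates are all assumptions made for illustration.

```python
import hashlib
import hmac

def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()

class PinStore:
    """Hypothetical per-browser store of certificates the user chose to trust."""

    def __init__(self):
        self._pins = {}  # host -> pinned fingerprint

    def trust(self, host, cert_der, out_of_band_fp):
        """Pin only if the presented cert matches a fingerprint obtained
        through a separate channel (phone call, printed sheet, ...)."""
        if not hmac.compare_digest(fingerprint(cert_der), out_of_band_fp.lower()):
            return False
        self._pins[host] = fingerprint(cert_der)
        return True

    def evaluate(self, host, cert_der, ca_valid):
        """Decide what the client should do with the presented certificate."""
        if ca_valid:
            return "accept"                # chain validates to a trusted CA
        pinned = self._pins.get(host)
        if pinned is None:
            # First contact: an honest self-signed cert and an interceptor's
            # cert look identical at this point, so the client must warn.
            return "warn-untrusted"
        if hmac.compare_digest(pinned, fingerprint(cert_der)):
            return "accept-pinned"         # same cert the user trusted earlier
        return "warn-pin-mismatch"         # cert changed since it was trusted

# Constructed stand-ins for DER certificate bytes (not real certificates).
SERVER_CERT = b"constructed-self-signed-cert-for-example.test"
OTHER_CERT = b"constructed-different-cert-for-example.test"

def demo():
    store = PinStore()
    fp = fingerprint(SERVER_CERT)          # obtained out of band
    return [
        store.evaluate("example.test", SERVER_CERT, ca_valid=False),
        store.trust("example.test", OTHER_CERT, fp),    # wrong cert: refused
        store.trust("example.test", SERVER_CERT, fp),   # verified: pinned
        store.evaluate("example.test", SERVER_CERT, ca_valid=False),
        store.evaluate("example.test", OTHER_CERT, ca_valid=False),
    ]

if __name__ == "__main__":
    print(demo())
```

The pin is per store, which matches the comment's point that the certificate has to be added separately in each browser.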

10 months ago

in MobileMe and (lack of) encryption on tlrobinson.net / blog

@Eric:


A quick peek at the MobileMe Mac sync traffic shows that it is encrypted. As Mo pointed out, they also provide IMAPS email, which is encrypted, so your Mail.app and iPhone mail are secure.


It's just the web portion of MobileMe that isn't encrypted. Arguably this is the piece that would most require encryption, since most people would be using it from public or otherwise untrusted networks.

10 months ago

in tlrobinson.net / blog » Blog Archive » Multitouch JavaScript “Virtual Light Table” on iPhone v2.0 on tlrobinson.net / blog

Darren: That's not a standard property or anything, I just use it to store the current transform values. (in JavaScript you can add arbitrary properties to an object at any time, and this was a convenient place to put them)

11 months ago

in Geolocation possibilities on the iPhone on tlrobinson.net / blog

Nope, I've been busy with other things. Since iPhone 2.0 has GPS now there's not much reason to continue pursuing this stuff.


Though it would be nice to be able to use Bluetooth mice and keyboards with the iPhone.

1 year ago

in 2008/03/07/chatterous/ on Mashable - The Social Media Guide

Or perhaps Opera Mini isn't web friendly?

1 year ago

in What’s wrong with Yahoo’s OpenID implementation on tlrobinson.net / blog

Shreyas: Thank you for your response. That does make sense. Yahoo is in the fairly unique position of being a major email provider and OpenID provider, I didn't consider that.


However, I still don't like the solution of a Yahoo-specific login button on 3rd party sites. Allowing users to type in "yahoo.com" is great, but I doubt most users will be aware of that feature.


The biggest problem with OpenID is educating the users. I do think it's great that Yahoo is trying to make it easy for average users to use OpenID, but it will only be effective if users understand that OpenID is bigger than just Yahoo and a few sites that have "Sign in using Yahoo" buttons.


Now, the real question I have is does Yahoo plan on being a relying party so I can log in with my own OpenID? I'm guessing that's unlikely...

1 year ago

in What’s wrong with Yahoo’s OpenID implementation on tlrobinson.net / blog

Carsten:


That's correct, but my issue is that the URL is obscure by default and most average users won't know that they can select an easy to remember OpenID, thus they won't be getting a "true" OpenID experience. As a result, for a site to allow those users to log in via OpenID they must provide a Yahoo-specific button.


I don't understand Yahoo's decision to not use easy to remember OpenID URLs by default.

1 year ago

in 2008/01/30/yahoo-open-id-beta-launch/ on Mashable - The Social Media Guide

While it's great that Yahoo is getting behind OpenID, their implementation is pretty awful. I wrote about it extensively here:

http://tlrobinson.net/blog/?p=33

1 year ago

in Presenting GCCalc: a horrible abuse of GCC on tlrobinson.net / blog

Thomas Ptacek:


Yeah I don't do much checking of the input, so there's certainly the risk of buffer overflows... but then again, the program gives the user the ability to compile and execute arbitrary C code, so it's not something you want running as a network service, etc...

1 year ago

in Geolocation possibilities on the iPhone on tlrobinson.net / blog

It's an interesting idea, but...


What you're talking about is essentially dead-reckoning using an inertial navigation system, like those used in spacecraft and submarines... These systems require all sorts of crazy gyroscopes and accelerometers, and the iPhone's simple 3-axis accelerometer is nowhere near suitable for that kind of thing. Just check out the Wikipedia page to get an idea of how complex they can be: http://en.wikipedia.org/wiki/Inertialguidan...

I tried to do a basic inertial nav system for the iPhone accelerometer mouse I was working on, and it's just not accurate enough and too difficult to do without gyros (at least as far as I could tell from the few hours I spent experimenting).


The much simpler version is a basic pedometer, which someone has already implemented for the iPhone (although I haven't tried it)

1 year ago

in Facebook’s Killer Feature Coming Soon on AllFacebook

Ehh... I disagree completely.

Various social networks have some common and some unique FEATURES, but that's not what makes them special, it's the USERS that matter far more.

The top three social networks these days all started with a different type of core user. They represent a very diverse spectrum of web users:

LinkedIn was for professionals, Facebook was for college students, and MySpace was for bands, teens, and perverts.

As others have noted, simply adding one or two new features to any of them isn't going to change the culture and stigma of a social network.

That said, it's a nice feature and it certainly can't hurt. I don't foresee any kind of "backlash" against this type of feature, unlike the News Feeds (although that backlash seems to have fizzled a couple months later)

1 year ago

in Dear Steve Jobs on Scobleizer

"One where we can build apps that talk to the accelerometer in the iPhone."

Funny you should mention that... I just posted this little demo video I made of an app that sends the accelerometer data from the iPhone to a computer for display and other fun stuff:

http://tlrobinson.net/blog/?p=25