Archive

24 hours of Android

After many frustrating delays, I finally managed to get my new G1 handset up and running on my T-Mobile account. It is, in short, a quirky but highly-promising device, and unless some major new deficiency rears its head in the coming days, I will count myself a happy Android user for some time to come.

I’ve been a BlackBerry user for the last year, and have also spent a decent amount of time messing with friends’ iPhones since the original 1st-gen release. In terms of polish and consistency, the Android UI lies somewhere between these two poles: you need to do a bit more context-switching in normal app operation than is required on the iPhone, but 3rd-party apps aren’t the unpredictable crapfest they are on the CrackBerry.

Performance is also somewhere between these two — while the entire system is quite stable, and response to hardware events (button presses, incoming calls, etc.) is good, some of the apps could obviously benefit from further performance optimization, as they tend to get bogged down on screens with a lot of redraw, or fail to offload as much processing into background tasks as they should to maintain UI responsiveness.

The keyboard is an almost-unmixed blessing. I’ve become a bit too accustomed to the layout of my BB Curve, so I’m not quite back to full “touch typing” mode on the G1, but I’m already far more proficient and confident in my typing than I’ve been able to get on the iPhone touchpad. Having the ability to close the keyboard and use the entire screen for text, images, or video is a definite win over the split-face Blackberry layout, as I’m one of those masochists who actually tends to read long-format text (blog posts, Wikipedia entries, and email) on my mobile device on a regular basis.

The Android platform application ecosystem is obviously far less mature and complete than the iPhone App Store. While I have a decent Twitter app (Twidroid) and SSH client (ConnectBot), there aren’t many compelling games or productivity apps available yet. Of course, I’m a coder, so there’s one obvious solution for this: write the damn things myself. Once things settle down a bit with the new job, I’m hoping to have some time to do just that.

Overall, though, I think the most interesting thing about Android is not what it offers in terms of competition for Apple, Microsoft, and Nokia (though that is a compelling argument in and of itself). What I see foreshadowed when poking around in this system is an absolutely kick-ass netbook or non-real-time embedded operating system. Given the performance Android is able to maintain on the ARM-based G1 hardware, I think it would scream on an Atom-based ultraportable like the ones Wind and Asus are manufacturing these days, especially if both a touchscreen and usably-large QWERTY keyboard were available on the system.

Android may not do much to stop Apple’s ascendancy to smartphone domination, but it does offer a glimpse of how a truly usable, efficient Linux desktop environment might work.

Where the rubber meets the road

The election is over. We (meaning the progressive youth vote) won. Time to lean back, relax, and enjoy the victory, right?

Wrong.

Now that we’ve elected Obama, increased the Democratic majority in the House and Senate, and (in Oregon, at least) added a bunch of smart, young, enthusiastic new legislators, it is incumbent upon the electorate to help set the policy agenda. We can’t afford to let our current momentum die down one iota if we want to ensure that the promises of the campaign season are actually fulfilled.

For myself, that means moving into a “citizen lobbyist” role. I’ve started the groundwork for that (along with a few of my like-minded friends) with Policy in Motion, but we haven’t yet completely figured out how to sip from the massive firehose that is an active legislative body.

I definitely believe that having one party control most major offices + both legislative bodies in the state means that transparency and access to information will be especially critical. Working towards open government, using both technological and volunteer-driven tools, is going to be a huge part of that. (And it just so happens to be part of Obama’s transitional agenda, as well.)

Regardless of the issues we choose, our government is not magically going to serve us well, simply because we voted in the right column on Nov. 4th.

Update: Digby seems to agree, at least in principle.

Give me a break

Breaking news! The T-Mobile G1 has been jailbroken! Wired “broke” the story here. I was briefly interested, if only because I wasn’t aware jailbreaking was needed on an Android device to get full local access, but apparently, the fact that you have to download and run a local terminal emulator on the handset means that only 1337 h4x0rrz should attempt this epic hack.

The gist? Run an instance of telnetd, then find out the phone’s WiFi IP address, and connect from your desktop machine. Good God, what will those crafty hackers think of next!

Seriously, though, I just love how this combines an obvious chain of Linux commands with a total lack of warning about the fact that this little root-shell backdoor is completely unprotected, and will in fact give everyone else on your wireless network the same superuser access to the phone that you just set up for yourself.
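A defender’s check for the exposure described above, added here as an example (it is not from the Wired article or from any G1 tooling): it parses netstat-style listening sockets and reports every service bound to a non-loopback address, treating a telnet listener as the no-login root shell the post describes. The netstat sample is constructed.

```python
import re
from typing import Dict, List

# Constructed sample in `netstat -tln` format (not real G1 output): a telnetd
# bound to every interface, a service on loopback only, and one outbound
# connection for comparison.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5037          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.23:43210      74.125.19.99:80         ESTABLISHED
"""

# The jailbreak's telnetd asks for no login, so a telnet listener reachable
# from the WLAN is an open root shell.
OPEN_SHELL_PORTS = {23: "telnet"}

LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN$")

def loopback_only(addr: str) -> bool:
    """True when only processes on the phone itself can reach the socket."""
    return addr == "::1" or addr.startswith("127.")

def exposed_listeners(netstat_output: str) -> List[Dict[str, object]]:
    """Listeners bound to a non-loopback address, i.e. reachable by other
    hosts on the same network; flags the ones that hand out a shell."""
    findings = []
    for line in netstat_output.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if loopback_only(addr):
            continue
        findings.append({
            "port": port,
            "bound_to": addr,
            "open_shell": OPEN_SHELL_PORTS.get(port),
        })
    return findings

if __name__ == "__main__":
    for f in exposed_listeners(SAMPLE_NETSTAT):
        if f["open_shell"]:
            verdict = "%s shell open to the whole WLAN" % f["open_shell"]
        else:
            verdict = "exposed"
        print("port %d on %s: %s" % (f["port"], f["bound_to"], verdict))
```

Binding telnetd to 127.0.0.1 (or not running it at all once local shell access is confirmed) makes the check come back empty.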

Want to give a recent G1 “jailbreaker” fits? Do a quick nmap scan for devices with port 22 open on the local coffee shop network, telnet in, and go nuts — restart core UI services, disable the cell modem, or stuff a bunch of porn in their personal image folder.

What? Is there something happening today?

You try to go bowling on a Tuesday night, and suddenly find yourself in the midst of a huge party with a bunch of people cheering every time someone mentions the name “Obama”. I can’t help feeling I missed something…

Since I did happen to have my laptop with me, though, I got roped into helping to maintain some live stats on local returns for races the Bus worked on this year. There’s going to be some live-blogging going on, and some twittering, so fellow info-junkies should be able to keep themselves busy.

Update (5:49 pm): We just lost power in the “nerd quadrant” at Grand Central Bowl. Thankfully, the laptops kept chugging, but the display relay connecting us to the projectors downstairs croaked pretty much immediately. (Power restored as of 6:03pm.)

Update (6:19 pm): The NY Times results already have the Dems up three seats in the Senate. I’m starting to feel better already.

Update (6:38 pm): This is looking like a good night to be one of those horrible Portland liberals.

Update (7:35 pm): Had to sneak in and out of the press area for some food. Getting back into the building was much harder, since there’s a line a block long outside to get in. WTF? Since when did a bowling alley become the place to be for election night?

Update (8:01 pm): CNN is calling it for Obama. The crowd here has gone, well, pretty much apeshit. I’m enjoying the ambiance for a moment before digging in to the local returns.

Update (8:20 pm): McCain is giving his concession speech. I could be truly happy if Deschutes county will just start reporting numbers.

Update (9:05 pm): After a frustratingly long wait, Deschutes county finally posted results for the Stiegler/Burley race (the last Bus Project candidate with no numbers posted). With that, it looks like every single candidate the Bus walked for this year is winning. Hell, yeah!

Update (9:51 pm): They’re all still winning. I’m almost tempted to leave and go across the street to get good beer.

Document replication: CouchDB vs. DVCS

My friend (and CouchDB committer) Chris just posted an excellent overview of the application-hosting potential of CouchDB on his blog. My first response was: okay, you’ve convinced me. Post-election, I’m porting the minimal Sinatra app backing Misfict to CouchDB, since it’s really just a minimal JSON storage engine at its core.

My second reaction was to find it a bit funny to see E4X making an appearance in this day and age; like most XML-centric tech, I had assumed that the coming of JSON and YAML had killed it, at least amongst the web-dev early adopters. I guess it just goes to show that everything old is new again, especially in the fast-moving world of web development tools.

Regardless, perhaps the most compelling picture Chris paints in his post is the idea of capitalizing on the off-line replication features of CouchDB to allow groups of people to separately work on a collection of documents, then merge their changes together at some point in the future. He leans heavily on a classroom metaphor, but I think the real potential may be more in the area of groupware and collaborative editing. Knowledge workers have been looking for the “holy grail” tool which combines the power of Word’s “track changes” with mixed on- and off-line authoring for a long time, and I think we’re finally building the infrastructure that will make that class of application relatively easy to build.

Looking over the CouchDB documentation, though, I still think there’s one major piece missing from their replication and conflict-resolution story: automatic merging of non-conflicting edits. Unlike a DVCS like Git, CouchDB still doesn’t (AFAIK) allow multiple contributors to edit different elements of a single document, and then commit those changes, without manually replaying edits from other contributors.

Since JSON is much more structured than raw text (which Git and other DVCS systems deal with handily enough), it seems tractable to examine potentially conflicting updates and see whether they’re isolated to different child nodes of the JSON document. Furthermore, given the degree to which CouchDB has already embraced the map/reduce model, I think you should be able to distill the conflict-resolution algorithm down to two steps: generate a “diff” in the map step, which just notes the original document ID and the changed attribute/subtree elements, and then a “reduce” which attempts to create a new document by applying those changes to the original document.
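The two-step scheme sketched above, worked through as an added example (this is not CouchDB code, nor from Chris’s post): a “map” that diffs each revision against the base document down to the changed leaves, and a “reduce” that replays edits to disjoint subtrees and reports real collisions as conflicts instead of silently picking a winner. The document and revisions are constructed.

```python
import copy

DELETED = object()  # marker for a key that a revision removed

def diff(base, rev, path=()):
    """'Map' step: {path: new_value} for every leaf this revision changed.
    Dict subtrees are descended into; any other value is a single leaf."""
    if isinstance(base, dict) and isinstance(rev, dict):
        changes = {}
        for key in set(base) | set(rev):
            if key not in rev:
                changes[path + (key,)] = DELETED
            elif key not in base:
                changes[path + (key,)] = rev[key]
            else:
                changes.update(diff(base[key], rev[key], path + (key,)))
        return changes
    return {} if base == rev else {path: rev}

def overlapping(p, q):
    """Edits collide when one path is a prefix of (or equal to) the other."""
    n = min(len(p), len(q))
    return p[:n] == q[:n]

def apply_change(doc, path, value):
    node = doc
    for key in path[:-1]:
        node = node.setdefault(key, {})
    if value is DELETED:
        node.pop(path[-1], None)
    else:
        node[path[-1]] = value

def merge(base, revs):
    """'Reduce' step: replay each revision's edits onto the base document.
    Disjoint edits are combined; paths where two revisions disagree are left
    at the base value and returned as conflicts for a human to resolve."""
    diffs = [diff(base, r) for r in revs]
    conflicts = [(p, q) for i, d1 in enumerate(diffs) for d2 in diffs[i + 1:]
                 for p in d1 for q in d2 if overlapping(p, q) and d1[p] != d2[q]]
    contested = {p for pair in conflicts for p in pair}
    merged = copy.deepcopy(base)
    for d in diffs:
        for p, v in d.items():
            if p not in contested:
                apply_change(merged, p, v)
    return merged, conflicts

# Constructed sample: two collaborators edit different parts of one document
# while offline, and a third clashes with the first on the title.
BASE  = {"_id": "story-1", "title": "Draft", "body": {"p1": "Hello", "p2": "World"}}
REV_A = {"_id": "story-1", "title": "Final", "body": {"p1": "Hello", "p2": "World"}}
REV_B = {"_id": "story-1", "title": "Draft", "body": {"p1": "Hi", "p2": "World"}}
REV_C = {"_id": "story-1", "title": "Other", "body": {"p1": "Hello", "p2": "World"}}
```

`merge(BASE, [REV_A, REV_B])` combines both edits with no conflicts, while `merge(BASE, [REV_A, REV_C])` keeps the base title and reports the clash on `("title",)`.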

Regardless, I think it’s an interesting time to be involved in web development. The idea that you could grab just a subset of a larger data store, work with it both on- and off-line, then share your changes with a group of colleagues is a powerful one, and I applaud anyone (like Chris and the rest of the CouchDB team) working to make it possible.

Big changes

So, I’ve been sitting on this for a while now, but finally get to make a wider announcement, now that the “i”s have been dotted and the “t”s have been crossed:

I’m leaving Reed College in a few weeks, and starting a new job at Sun Microsystems to work on Project Kenai. It’s a big change for me — I’ve been hiding out in academia for almost four years now, so switching back into the commercial world is both exciting and scary.

Kenai is a fascinating project, which I hope to talk about a lot more in the near future. I can say already that it’s one of the more ambitious JRuby on Rails projects out there, and that I’m excited to see what we can do with the full Sun hardware + open source software stack underpinning a high-volume Rails site. In addition, I’m going to get the chance to work more closely on UI and interaction design, which is an area in which I look forward to expanding and updating my skills.

Reed has been a great place to work, and I can’t say enough good things about everyone else in the IT organization here. That being said, I’m really psyched about getting to focus almost entirely on writing code and implementing features, and working in a small, distributed group within the larger Sun umbrella.

New toy: misfict

Being home alone with a head cold doesn’t leave one with a lot of excuses not to knock off a quick project. I had been mulling over the idea of building a version of the classic “storytime” party game as a webapp for a long time, and since I also wanted to spend a little more time working with jQuery’s AJAX and JSON support, it seemed reasonable to tackle both at the same time.

So, without further ado, I present misfict, the micro-serial-fiction engine. The process is simple: read the last line someone else wrote, then post your own idea for the next sentence in the story. Eventually, we should end up with a lovely stream-of-consciousness story co-authored by anyone who cares to drop a few words into the bucket.

I may build in some sort of cap for the number of sentences before a story is finished, or periodically declare a “chapter break”, but for the time being, the story will keep going as long as anyone is writing.

PS. any perceived relation between the release of this project and the upcoming start of NaNoWriMo is strictly a coincidence.

PPS. If you’re interested, all the code is available on GitHub.

PPPS. (last one, I promise) I got the misfict.com domain, so the link above has been corrected to point there. Also, there’s an RSS feed. Now, go write something.

Tradition

2008

A Well-Deserved Pint, cont.

2007

take 3

2006

another well-earned pint

2005

a well-earned pint

There are security holes, and security holes…

I was reviewing a Perl CGI script a co-worker sent to me for troubleshooting last week, and came across this little gem (excerpted but not changed in any meaningful way):

use strict;
use warnings;
use CGI;
use LWP::UserAgent;

my $ua  = LWP::UserAgent->new;
my $req = CGI->new;

# Both parameters come straight from the query string, unchecked.
my $res_id = $req->param('rid');
my $img    = $req->param('img');
my $url    = "http://somehost/cgi-bin/fetch.cgi?id=$res_id";

# The client-supplied 'img' value is used verbatim as a local path:
# whatever file it names gets overwritten with the fetched body...
$ua->get($url, ':content_file' => $img);

# ...then opened and deleted.
open FH, $img;
unlink $img;

# Content-Type is abused to force a download instead of sending
# Content-Disposition: attachment.
print $req->header(-type => 'application/octet-stream');

while (<FH>) {
    print $_;
}
close FH;

How horribly bad is this script? Well, it allows no less than the deletion/overwriting of any file writable by the web server user. While that won’t allow injection of shellcode under most configurations, it would allow an attacker to delete logfiles, insert malicious replacements to files in upload directories, and generally mess with your system in all kinds of ways.

Even better, it completely misuses the Content-Type HTTP header to force download instead of inline view, instead of using the semantically-appropriate Content-Disposition: attachment route to force a download dialog box to appear on the client.

There are doubtless millions of lines of code like this out there in the world, and (at least in Perl-land) almost all of them could be caught with the simple addition of the -T (“taint check”) flag to the #!/usr/bin/perl line at the top of the script.
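The same discipline that taint mode forces on the script above, written in Python as an added example (not a fix from the original post): the client-supplied name is accepted only if it matches an explicit allowlist, it is confined to a scratch directory, and the save dialog is requested with Content-Disposition rather than a bogus Content-Type. SPOOL_DIR is an assumed location.

```python
import os
import re
import tempfile

# Scratch directory the script may write into; an assumed location, not one
# from the original script.
SPOOL_DIR = os.path.join(tempfile.gettempdir(), "fetch-spool")

# Taint mode would refuse to open() or unlink() the raw 'img' parameter; the
# only way to untaint it is to extract it through an explicit pattern like
# this one: a plain file name, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")

def is_safe_filename(value: str) -> bool:
    return bool(SAFE_NAME.match(value)) and ".." not in value

def spool_path(user_value: str) -> str:
    """Map the client-supplied name to a path that cannot leave SPOOL_DIR."""
    if not is_safe_filename(user_value):
        raise ValueError("refusing unsafe file name: %r" % user_value)
    path = os.path.realpath(os.path.join(SPOOL_DIR, user_value))
    # Belt and braces: prove the resolved path still sits in the spool dir.
    if os.path.dirname(path) != os.path.realpath(SPOOL_DIR):
        raise ValueError("path escaped the spool directory")
    return path

def download_headers(filename: str, content_type: str) -> dict:
    """Keep the real Content-Type; Content-Disposition is what asks the
    browser for a save dialog."""
    if not is_safe_filename(filename):
        raise ValueError("refusing unsafe file name: %r" % filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": 'attachment; filename="%s"' % filename,
    }

if __name__ == "__main__":
    for candidate in ("photo1.jpg", "../../logs/access_log", ".htaccess"):
        try:
            print(candidate, "->", spool_path(candidate))
        except ValueError as err:
            print(candidate, "->", err)
```

Better still, the fetched body can be streamed straight to the client and never touch the disk under a name the client chose.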

Registration, ACORN, and fraud

I’ve twittered about this already, but I think that it’s worth repeating: collecting redundant and invalid voter registration cards is not the same thing as fraudulent voting. I repeat: by registering people multiple times, or even submitting invalid registration cards, ACORN (and every other voter reg group) is not committing voting fraud. They are simply doing a bad job of actually registering voters.

The whole reason that voter registration is required before you’re allowed to vote is so that the local and state election boards can have a chance to verify your eligibility. If you submit more than one registration, it may cost them a few minutes of work to update or reject your registration records, but it won’t allow you to vote more than once.

So, if it doesn’t let people “vote early and often,” why in the hell would ACORN, as an organization, have such a poor record regarding bad registrations? It’s simple: they require their workers to meet a certain quota in order to get paid. I’ve done a bit of volunteer voter registration, and while it’s easier than many other types of direct-contact political work — fundraising and candidate canvassing are both harder, if only because of their inherent partisan focus — you still have good days and bad days out on turf.

Try to imagine yourself in the following position: you’re a high school or college student trying to make a little money over the summer, while still doing something a bit more proactive than flipping burgers. Furthermore, your meager paycheck is dependent on hitting your quota each and every week, and you’ve heard horror stories of the poor-performing workers who got canned just last month.

Now, imagine you’re two registrations short of your quota for the week. Would you be even a little bit tempted to fake one, or press that nice stranger who insisted they were already registered to do so again, in order to save your job? I suspect that most people, if they’re being honest with themselves, would admit that they might be at least a little bit tempted. I know that I would, which is part of the reason that I’m not very interested in doing any paid political work — as a volunteer, the temptation to cheat goes away.

(Please note that I’m not trying to defend this sort of behavior as ethical, but it is at least understandable.)

Personally, I think the interesting argument isn’t even about whether ACORN does a good or bad job of supervising their staff, or encouraging the right behaviors. The real debate we should be having is whether paid voter registration does more harm than good. The same question extends to signature-gathering, an especially hot issue in Oregon given the recent flood of bad ballot measures.

I personally haven’t decided one way or the other, but I think that a much more constructive discussion is there, waiting to be had, once we get past the current baseless accusations being leveled at ACORN and its partner groups.