Tuesday, March 16, 2010

State of Mobile Apps Before the iPhone


iPhone too closed?

Before complaining about the iPhone being too closed, keep in mind what the state of mobile phone apps was like before the iPhone.

A $1.99 ring tone, wallpaper, or app delivered "over-the-air" would earn the developer less than 50%. About 95¢–$1.10 went to the wireless carrier and about 10¢–15¢ went to the short code provider (SMS aggregator) - not to mention the 2.5¢–5.5¢/SMS sent.

Each purchase required at least two SMS text messages to be sent to the buyer in order to meet the carrier's double opt-in requirements. Additionally, the wireless carriers would only allow content to be sold which could be "consumed by the phone". In other words, none of the carriers would allow you to walk up to a vending machine and make a purchase that would show up on your phone bill.

Also, as a developer you had to negotiate a deal with each wireless carrier to get it to support your SMS short code. If a carrier didn't approve your short code application, then no wireless subscribers on that carrier's network could access your service.

Short codes are expensive (the short code, SMS aggregator, etc. typically cost $2000+/month), resulting in a $15K-$30K per year expense, not including the cost of sending each SMS.

It has been less than three years since the iPhone's introduction and how quickly we forget what it used to be like.

You can see the details in this two-year-old SMS white paper.

Thursday, December 17, 2009

How to tell it's not a cloud.



People always ask, "What is cloud computing?" and it's not always simple to explain. Perhaps it's easier to just explain what cloud computing is not.

1. If you can’t buy it on your personal credit card… it is not a cloud

2. If they are trying to sell you hardware… it's not a cloud.

3. If there is no API… it's not a cloud.

4. If it takes more than ten minutes to provision… it's not a cloud.

... and 12 other things that cloud computing is not via James Governor.

Here's what I think cloud computing is all about.

Too Much Energy Efficiency?



Is it possible for technology to be too energy efficient? Looks like that's the case. New LED traffic lights don't produce enough heat to melt the snow that builds up around them.

Saturday, November 28, 2009

What's so sacred about 140 characters?

Why 140 characters? The obvious answer, which I'm sure you know, is so that a tweet can fit into the 160 character limitation of an SMS text message. In other words, the Twitter user name (which can be up to 15 characters) followed by the 140 character tweet can all be packaged nicely into a single SMS text message.

Which begs the next question: Why restrict a tweet to the limits set by SMS when this is the World Wide Web? One of the "limitations" of e-mail and the Web is that you need Internet access for connectivity. In developed countries, we take Internet connectivity for granted. Having spent some time living in East Africa, I was amazed to see how important SMS was to the locals who don't own computers or printers, or even have an e-mail address. But nearly all of them had pre-paid cell phones, and they used SMS just like we use e-mail (they also had trivial SMS to e-mail and e-mail to SMS bridges).

Additionally, their cell phone networks have features which I wish we had here in the US. Basically, people in developing countries have substituted the computer, printer, and Internet with the cell phone, fax, and the carrier's wireless network. This is how most of the world gets "online" with technology.

Imagine if Twitter didn't just go after the consumer market who own computers and smart phones with Internet access (I'm guessing about one billion people), but, instead, what if Twitter went after every person on the planet who's an active cell phone subscriber (which will reach 4.6 billion by the end of 2009). Now, that would be a fantastic communications tool!

Tuesday, November 24, 2009

iPhone Bandwidth on Edge, 3G, & WiFi

Tuesday, November 17, 2009

Script Kiddies SSH Attack Solution

Are you tired of seeing attacks against port 22 (SSH) on your public servers?

The attacks generally look like the following log snippet, which shows a simple dictionary attack (usually against root or admin).


Nov 15 07:41:58 static-171-163-154-171 sshd[5470]: Failed password for root from 68.152.76.202 port 50818 ssh2
Nov 15 07:41:58 static-171-163-154-171 sshd[5472]: Invalid user password from 68.152.76.202
Nov 15 07:41:58 static-171-163-154-171 com.apple.SecurityServer: authinternal failed to authenticate user password.
Nov 15 07:41:58 static-171-163-154-171 com.apple.SecurityServer: Failed to authorize right system.login.tty by process /usr/sbin/sshd for authorization created by /usr/sbin/sshd.


You could try reporting the offending IP address, but the attacking computer will frequently turn out to be a compromised Windows machine owned by grandma and grandpa.

Solution
Your best bet, after ensuring that you're using a strong password, is to have SSH listen on a port other than 22, such as 8080. Since port 8080 is usually used as an alternative to port 80, attackers will try using the HTTP protocol to exploit it, which will fail before the attack even has a chance to begin. At this point, script kiddies will move along since there are so many other servers, with vulnerabilities, to choose from.
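Detection logic for the log format shown above, as an added example that is not from the original post: it counts sshd failures per source IP and flags addresses that reach a threshold inside a time window. The sample lines, the threshold, window and year defaults, and the name find_bruteforce are assumptions; the pattern anchors on the end of the line because the user name field is chosen by the remote client.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd failure messages in the format shown above. The user name is supplied by
# the client, so the greedy user group plus the end-of-line anchor make the
# *last* " from <ip>" on the line the one that counts.
FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?|Invalid user )"
    r"(?P<user>.*) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?: port \d+)?(?: ssh2)?$"
)

# Constructed sample lines (documentation-range IP addresses, assumed host name).
SAMPLE = """\
Nov 15 07:41:58 host1 sshd[5470]: Failed password for root from 203.0.113.7 port 50818 ssh2
Nov 15 07:41:59 host1 sshd[5472]: Invalid user password from 203.0.113.7
Nov 15 07:41:59 host1 com.apple.SecurityServer: authinternal failed to authenticate user password.
Nov 15 07:42:01 host1 sshd[5474]: Failed password for invalid user admin from 203.0.113.7 port 50822 ssh2
Nov 15 07:42:05 host1 sshd[5480]: Failed password for joe from 198.51.100.4 port 40112 ssh2
Nov 15 09:10:00 host1 sshd[5490]: Failed password for joe from 198.51.100.4 port 40113 ssh2
""".splitlines()

def find_bruteforce(lines, threshold=3, window=timedelta(minutes=1), year=2009):
    """Return {ip: sorted user names tried} for IPs with >= threshold failures in any window."""
    events = defaultdict(list)
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue  # not an sshd authentication failure
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events[m["ip"]].append((ts, m["user"]))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over the sorted events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = sorted({user for _, user in evs})
                break
    return flagged

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE))
```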

Tuesday, October 13, 2009

eBay Hacked?

Today, I received some automated spam, related to eBay, through an HTML form submission on one of my websites. While researching it I opened Terminal on my Mac and typed:

whois ebay.com

Imagine my surprise when I scrolled back to the top of the results and saw this.


My immediate thought was that eBay was hacked! But, it turns out that's not the case. Running whois on the Mac just returns all results beginning with ebay.com and some people have taken advantage of that.

It's even worse if you run a whois on microsoft.com.

Tuesday, September 1, 2009

AWS: Two Account Credentials

Amazon Web Services (AWS) now allows each AWS account to have two credentials. In other words, one AWS account can have two active Access Key ID and Secret Access Key pairs.

Do not confuse this feature with yesterday's announcement by AWS on Multi-Factor Authentication (MFA) which is similar to a SecurID fob.

Two AWS Account Credentials
AWS supports multiple concurrent access keys. This allows you to rotate keys without impact to your applications' availability. AWS recommends that you rotate keys on a regular basis. To rotate keys, create a new key below, update your applications to use the new key, and then deactivate/delete the original key.

You are allowed two access keys at any point in time, and the keys may be in the following states:


So What?
This new feature can ensure a smooth transition when rotating your keys. In the past, when you created new credentials it overwrote your old credentials. You were out of luck if you missed an application or web service that was using the old credentials. Now, you can create new credentials and update your apps. If you notice an app no longer working when you click "Make Inactive" then you can reactivate the old credentials while you fix the problem.

You can find more details when you access your AWS security credentials.
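The rotation and rollback flow described above, as an added example that is not AWS's code or code from the original post. It assumes the call names of today's IAM API for an IAM user (list_access_keys, create_access_key, update_access_key, delete_access_key), which this post predates; FakeIAM is a constructed in-memory stand-in, and deploy and healthy are hypothetical callbacks.

```python
import itertools

class FakeIAM:
    """Constructed in-memory stand-in for the four IAM calls used by rotate()."""
    def __init__(self):
        self.keys, self._seq = {}, itertools.count(1)
    def list_access_keys(self, UserName):
        return {"AccessKeyMetadata": [{"AccessKeyId": k, "Status": s}
                                      for k, s in self.keys.items()]}
    def create_access_key(self, UserName):
        if len(self.keys) >= 2:
            raise RuntimeError("LimitExceeded: two access keys already exist")
        key_id = f"KEY{next(self._seq):04d}"  # constructed id, not a real key format
        self.keys[key_id] = "Active"
        return {"AccessKey": {"AccessKeyId": key_id, "SecretAccessKey": "constructed"}}
    def update_access_key(self, UserName, AccessKeyId, Status):
        self.keys[AccessKeyId] = Status
    def delete_access_key(self, UserName, AccessKeyId):
        del self.keys[AccessKeyId]

def rotate(iam, user, deploy, healthy):
    """Create the second key, switch apps, deactivate the first, then delete it or roll back.

    deploy(new_key) and healthy() are hypothetical callbacks supplied by the caller.
    Returns (new_key_id, outcome).
    """
    keys = iam.list_access_keys(UserName=user)["AccessKeyMetadata"]
    if len(keys) >= 2:
        raise RuntimeError("both key slots are in use; delete one before rotating")
    old_id = keys[0]["AccessKeyId"] if keys else None
    new_key = iam.create_access_key(UserName=user)["AccessKey"]
    deploy(new_key)  # update applications to use the new key
    if old_id is None:
        return new_key["AccessKeyId"], "created"
    # "Make Inactive" first: a reversible test that nothing still uses the old key.
    iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Inactive")
    if not healthy():
        # An application still depended on the old key: reactivate it.
        iam.update_access_key(UserName=user, AccessKeyId=old_id, Status="Active")
        return new_key["AccessKeyId"], "rolled_back"
    iam.delete_access_key(UserName=user, AccessKeyId=old_id)
    return new_key["AccessKeyId"], "rotated"

if __name__ == "__main__":
    iam = FakeIAM()
    iam.create_access_key(UserName="app")
    print(rotate(iam, "app", deploy=lambda key: None, healthy=lambda: True))
```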

Twitter Redirects: Nice and Clean

Twitter's website has begun counting clicks inside of tweets. Obviously, they do this to track stats, i.e. how many people click on links from the Twitter web site.

The interesting thing is that they're passing on the simple referrer that you'd expect. In other words, instead of the referrer looking like:

http://twitter.com/link_click_count?url=http%3A%2F%2Fadjix.com%2Fsx4d&linkType=web&tweetId=3696834541&userId=-1&authenticity_token=8c678e082a5ee88d47f03b05cf6f6887b8903acd

It simply looks like:
http://twitter.com/joeMoreno

This is very clean for link tracking websites like Adjix which track clicks by IP address and referrer:


Update: Just discovered a clear downside - when the Twitter website is slow, clicking on these links is painfully slow since you have to first be redirected by Twitter's servers.

Monday, August 31, 2009

Twitter's "Track" Command: Gone But Not Forgotten.

Twitter used to have a fantastic real time search command: Track

Sometime in 2008 it seems to have been turned off - probably because it generated too much SMS (text messaging) traffic.

Fire!
During the San Diego Wildfires of 2007 I was splitting my time between San Diego (Carlsbad) and Santa Cruz (Capitola). The wildfires broke out over the weekend when I was in the Bay Area. By Monday morning two separate fires were threatening our home in Carlsbad. I went to sleep, Monday night, trying to prepare myself, mentally, for what it was going to be like once our home burned down.

Tuesday, as I drove down to Carlsbad, I wanted every piece of information I could find about the fires. Listening to XM channel 247 (emergency channel - a wordplay on 24/7) helped, but it was too broad since it was covering all the fires burning in San Diego, Orange County, and L.A.

This is where Twitter's Track command was a saviour (keep in mind that there were no iPhone apps back then). I simply texted some keywords to Twitter and every time someone's tweet contained one of those words it was relayed to me via SMS. I had Twitter track "Carlsbad" and the major road near my home, "Palomar".

Retweeting wasn't as popular back then as it is now so I received very few duplicate tweets. Nearly every tweet that I received - and I was receiving a new tracking tweet every five minutes - was helpful:
"It doesn't look like the fire's reached Carlsbad."
"Winds dying down and reversing direction - I can see flames from Carlsbad."
"Voluntary evacuation south of Palomar Airport Road."
"KPBS reports that fire in San Marcos, near Carlsbad, is 20% contained."
etc.

Luckily, the closest both fires got to our home was about four miles. Now, if only Twitter could bring back the Track command and ignore retweets.