First, maybe surprisingly to some people, I really appreciated having it on the Xoom. It’s disabled by default, you have to click on a flash plugin to actually start it. So right there you have all the advantages of the iOS approach, since it doesn’t autoplay or drain the battery or anything. But if you click on it, you can watch the movie and while I wouldn’t say it’s a pleasure to use it’s definitely usable. I’m really hoping HTML5 starts to catch on quickly but in the meantime being able to just click on a Jon Stewart video someone posted and play it is nice. Definitely miss that on the iPad.

Second, Android notifications are still significantly better than iOS notifications. Notifications on my iPad are somehow uglier and more annoying than on the Xoom, which is surprising considering we’re talking about Apple vs. Google.

Third, the native Google apps are generally pretty good on Honeycomb, and while Mail is fine on iOS it doesn’t really stand out as being great like GMail does.

Finally, and also surprisingly, apps on the Xoom seemed somewhat more stable than on the iPad. In particular Facebook and Mint make a daily habit of crashing on my iPad while on the Xoom a crash was pretty rare. Maybe that’s because it was the stock build of Honeycomb, and on other (vendor “enhanced”) tablets Honeycomb is more crashy but I didn’t really notice it much.

I can’t really think of a fifth. Like I said, the iPad is without a doubt a better product. The apps (including the stock apps) are for the most part better written, better thought-out, and much smoother.

There: full disclosure. Now hopefully I can talk about things other than mobile on this blog again.

One of my major faults is that I’m an impulsive buyer. The majority of the gadgets I own are only sitting on my coffee table because of impatience.

I’m not your everyday, run of the mill, impulsive buyer though. I know better. I do my research before buying something: oh, I do my research. I’ll read every article or review available, Google X vs. Y every day hoping something new pops up, watch all the Youtube reviews I can find, even the ones with the annoying techno background music. By the time I show up in a store my mind has been made up. I know the better product and I’m set out to buy it.

Unless that better product is sold out. If that happens, rather rather than doing the logical thing and waiting for a month I’ll find a competitor, come up with a few token justifications for why, well, this one is obviously the better choice, and buy it.

Attention Apple: please make enough iPads next time

This is why I’m now the “proud” owner of a Motorola Xoom. After spending weeks comparing the Xoom to the iPad 2 and deciding the iPad came out on top, I waited approximately 5 days for the iPad 2 to be in stock before taking a stroll to the Verizon store. I picked up a Xoom, decided it was not completely a piece of crap because it didn’t fall apart in my hands, and promptly dropped $600 on it and committed to a 2 year data plan. See, I know better.

Always look on the bright side of life

So what were my token reasons for getting the Xoom?

Well, it’s Android, and I have an Android phone (because I didn’t want to wait for the iPhone 4…seeing a pattern here?) So obviously getting an Android tablet just makes sense…right? Then I can use my Android Market account for all my apps, share apps and data across the phone and tablet and…um, other things too I’m sure. Just as soon as somebody writes some Android apps that are actually worth getting.

My other reason is…I’m a developer! Rather than complaining about a crappy selection in the Android Market I should write some apps! Which actually gives Android the advantage I think, because I have no desire to learn Objective-C or become an insufferably superior iOS app developer when I can be the scrappy underdog and do Android development with Mirah. (I’m a Bills fan, scrappy underdog is pretty much how I live).

So long story short, in order to justify a silly purchase of a Xoom I’m going to write a badass Honeycomb app in Mirah and it’s going to be awesome and I’ll be so glad I didn’t get a stupid iPad 2.

Image from Flikr user c2k2e

Skeptics

I want to start by saying that I understand a lot of people are going to be skeptical about this topic. There’s a lot of money and power at stake so parties with a vested interest will of course try to make things sound worse than they are. At the same time make sure the hype doesn’t desensitize you to actual problems: stuxnet directly targets the critical infrastructure of an industrialized country that’s an enemy of the U.S. That’s a big deal, and we need to know what it means.

Cyber

To kick off a series of blog posts about cyberwar I really need to talk about the term cyber. It’s making a comeback, showing up in everything from government reports to news articles to product packaging. But there’s a backlash against its use as well, to the point where if you use the term among certain people you’ll be laughed at. There’s an important dynamic at play here that directly relates to the issues I’m going to talk about over the next month, so let’s take a step back and look at the term “cyber”.

The cyber prefix was popularized by William Gibson in his science-fiction books about hacking in the 1980′s. Interestingly, many of the same people who love William Gibson are the ones who balk at the media’s use of the word “cyber”. Why is this?

Fear

The oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.
– H.P. Lovecraft

We can all see the physical world and understand how it works. We understand its laws and how they protect us: a deadbolt very obviously prevents a door from opening. But what about the Internet? What does the lock icon in my browser mean and how does it protect me? The Internet is a mystery to all but the initiated. It’s usable without being innately understandable. And that makes it scary. People who don’t think twice about handing over their credit card to a waiter won’t use online banking because they understand one and not the other.

Fear is the best salesman: of products, of attention, and of political power. People give the government more power when they get scared, people read articles and watch news programs about things they’re scared of, and people buy products that address their fears.

The term “cyber” capitalizes on this. It takes the known and makes it unknown. We understand fraud and how to fight it, but do we understand cyberfraud? Cyber is the candy coating of fear around banal topics.

Knowledge

Readers of William Gibson, on the other hand, understand the Internet. They don’t fear cyber because they know cyber. So when they see the media use the term to sow fear they fight back. And when they see other people use the term innocently they assume ignorance. So why do I use it?

I’m resigned to the fact that language changes by the will of the majority. I can fight the man all I want but cyber isn’t going away. Instead I want to make cyber known. Certain things should scare us about cyber: I’m terrified of the fact that computer code can access nuclear power plants. But in order to deal with the truly scary things we need to fight through cyber-nonsense.

Note

If you’re interested in this topic, you should read the Economist’s articles on cyberwar. They’re behind a paywall but if you’re a subscriber check them out. And although I don’t want to promote paywalling, you might also take it as an opportunity to subscribe because it’s an excellent newspaper.

First, the short version: if you want something that just works seamlessly with your computer, music library, videos, etc. and you have no problem going iTunes only, iPhone is the only answer. If a non-computer person asked me what phone to get, I would say iPhone hands down.

On the other hand, if you like to tinker and customize things or want a lot more control over the basic functionality of your phone you should probably get an Android phone. The best example of this is that you can change the phone dialer and keyboard on most Android phones without any hassle…iPhone users might say why would you want to, Android users are probably saying why wouldn’t you want to.

The other basic difference is whether you would rather sell your soul to Apple or Google. If you go the Apple route, you get seamless management of your phone, music, videos, etc. through iTunes (and Mobile Me, although I never used that). If you go Google, the Android integration with Google’s cloud services is amazing. The GMail app on Android is light years better than the Mail app on the iPhone and having all your contacts in the cloud is scary but powerful.

Also you can’t talk about Android vs. iPhone without talking about the differences in how the carriers, vendors, and developers work. Android is an operating system available on a wide variety of hardware platforms and a wide variety of carriers. iOS (iPhone OS) is available on AT&T on Apple phones. The Apple advantage is the AT&T won’t muck in the OS to “add value” (read: subtract value), the Android advantage is that you’re not stuck with AT&T or a single vendor.

In terms of adding value, Sprint added a ton of crap to my EVO so unless you value crap I’m not seeing it. I’m not sure why they thought it would be a good idea to make their customers angry by preloading a weird set of half-baked apps you can’t remove, but they did. What marketing genius thought that the EVO user market would be interested in NASCAR? Also the quality of the Sprint apps is AWFUL, they don’t conform to any of the Android UI standards, crash constantly, and in general the UIs look like they were designed by a retarded 6 year old with crayons. The only one I occasionally use is Sprint TV, which lets me watch recently aired TV shows, but it’s so buggy that it’s almost unusable (if the data connection drops, playback stops and since you can’t resume or fast-forward you need to watch it from the start again).

HTC (manufacturer of the EVO) DOES have a good set of added apps…they obviously care about the Android platform because rather than ignoring Android like Sprint they enhance it. They have a bunch of good widgets and apps that really takes advantage of what Android gives you.

Also even though Apple is able to keep AT&Ts hands off the phone, AT&T definitely still has an influence on the iPhone. I bet they have a bigger say in what gets approved on the app store than either Apple or AT&T will admit and they’re obviously the only reason it took the iPhone so long to get tethering.

Anyway, back to features. Another philosophical difference between Android and iOS is that Android has a standard set of 4 buttons (home, menu, back, search) while Apple really only has the home button. Of the three buttons that Android has and iPhone doesn’t, 1 is a bad idea, 1 is a great idea, and 1 is an alright idea.

Menu is a crutch for application developers and should have been left off…Apple had the right idea here. Things get hidden under menu when they could easily be found elsewhere. The back button on Android is something Apple should probably steal because it’s a great idea. Basically the back button always goes back one screen, even if it’s between different applications. So if you’re reading an e-mail and get a text message, you can look at the message and hit the back button when you’re done to jump right back into e-mail. It sounds simple, but is very useful. The search button is exactly what it sounds like…not a terrible idea, but I don’t find myself using it often.

Speaking of getting a text message, one of the most powerful features of Android is the notifications system. This is another case where Apple should probably rip them off, because it just plain works better. It’s hard to explain in writing, but either ask someone with an Android phone to show you or check out a video on youtube because it’s very powerful.

There’s obviously many other differences, the hardware silence button on the iPhone is missing on my EVO and Google Navigation on Android is a lifesaver when you travel for business. These little things tend to be a wash, really you just need to make a decision based on whether you’d rather have a well-put together phone that is harder to customize or a more hacked together phone that’s cake to customize.

This is something that I think people in information security tend to forget. We can spend millions of dollars on intrusion detection, web application firewalls, and threat assessments. We can train our users, make sure our servers are in compliance, follow secure coding guidelines, and do code reviews.

So we tend to think our infrastructure is pretty secure, certainly more so than a barely locked bike in Porter Square. But in the end, attackers only need to find one hole in your million dollar infrastructure. And even the most qualified people have bad days and make mistakes (for example, not noticing that a bus stop had a gap you could pull a bike lock through). So what does this mean?

It means that you’re going to have an exploitation and it’s going to suck. So the question you need to ask yourself is, if my application is exploited in some way, how much damage will there be? And how can I minimize that?

The easiest way to do this is to stop doing things you don’t need to do: if it isn’t core to your business why are you taking the risk of screwing it up by doing it yourself? For example, use third party payment gateways rather than dealing with storing/processing credit card numbers yourself. Don’t collect information you have no intention of using (big sites break this rule ALL THE TIME). Use OpenID and OAuth rather than building your own authentication and caching passwords to other sites.

These are just examples, but the basic thought process should be “if I stop doing this will my bottom line suffer?” If the answer is no, there’s a chance whatever you’re doing has a better chance of hurting you than helping you. Even if the answer is yes, you still need to balance the value of doing it with the potential costs if it gets compromised.

Once you start having this thought process for every potential feature, piece of infrastructure, or module of code, you’re moving past information security to information assurance and risk management.

What’s the difference? Information security is about minimizing vulnerability while information assurance is about minimizing risk. Risk is generally considered to be threat, vulnerability, and consequences. In this case, you’re reducing your risk by minimizing the consequences of a successful attack.

A side note is that even though locks are only there to stop honest people, it doesn’t mean to stop locking your bike. It’s cheap and effective against unmotivated attackers. So don’t use this as an excuse to stop doing code reviews, pen tests, and patch compliance (although obviously balance the costs of these things with the value of doing them). Instead, use it as an excuse to move beyond code reviews, pen tests, and patch compliance to doing true risk management.

But wait, don’t give up yet! Autotest will read the RUBY environment variable to point to the Ruby binary you want to run tests with.

So, if you either export RUBY=/path/to/jruby/binary or just say RUBY=/path/to/jruby/binary before your autotest command on the command line autotest will still run with C ruby, meaning you can use the autotest-fsevent gem, but will invoke your tests using JRuby. Sweet!

RUBY=/usr/local/jruby/bin/jruby /usr/bin/autotest -rails

Add in Nailgun support to this and you’ve got some awesomely fast tests…in JRuby no less. Bet you never thought you’d see that sentence.

There’s a lot of reasons that I think this, from requiring 60 votes to pass normal bills (majority rule what?) to giving a ridiculous amount of power for what amounts to not dying or getting voted out. But what is it today?

The Senate recently passed a bill that will pull Amtrak’s federal funding (aka the funding that keeps them around) in six months if they don’t start allowing guns on their passenger trains.

I’ll give you a minute to think about that. Really think about it…maybe let your mind wander to, say, airplanes and the TSA.

No, really, what? I’m not allowed to bring a pocket knife or bottle of water onto an airplane, but the Senate is requiring that Amtrak ignore its own safety precautions and allow guns? Granted, the guns have to be locked up and unloaded, but can you imagine the TSA allowing that on an airplane or, even more ridiculous, the U.S. Senate passing a bill requiring it?

The reason is of course that they can throw the gun lobby a bone without looking like they’re being soft on terrorism. Because terrorists would never attack trains, right?

But no, we’re content to horribly overreact to rare events that already happened (terrorists flying a plane into a building) and ignore rare events that haven’t happened yet or common events that aren’t quite as spectacular (running a train crossing and getting plowed over, which kills or seriously injures 2400 people a year in America).

Ah, risk management, how governments suck at it. Turns out, financial companies aren’t all that hot at it either! And let’s not get started on IT risk management.

RANT OVER.

It’s unfortunate but right now some of the biggest hangups for web applications are due to the crappy state of current browsers and operating systems. Sure, Firefox has a great extension system, Safari is lightning fast, and OS X is pretty as a pony. But they’re all still clunky if all you want to do is use cloud services. And with Google Apps like Docs, GMail, etc etc that’s becoming more and more reasonable. 99% of what I use my Mac for is web browsing, IM, note taking, e-mail, and writing. All of which you can do with Google Docs. So why does my Mac need to restart approximately every 4 hours to apply an update?

Google would love nothing more than for me to use Google Docs online, but to do this now for me involves a lot of unnecessary overhead. And the integration isn’t as good as it could be. So I stick with Word, Adium, and…well I still use GMail but anyone using a desktop mail client these days is a sucker.

Anyway, the reason I bring this up is it has some important implications for security. The architecture will apparently be a minimal Linux kernel with Google Chrome running on top of it as (in theory) the only userland application. This means that the Linux kernel can be VERY restrictive it what it allows to be modified, making rootkits much harder to get in place. Any malware at all, in fact, would be tricky to place without exploiting both Chrome and the kernel. They could use a similar signed code technique as XBox to ensure that only Chrome and their helpers run. Plus “retarded-user” syndrome would become less important because running local malware intentionally would be impossible.

Plus, with a built-in auto-update mechanism like Chrome fixes could be deployed almost as soon as they come out, in contrast to the month long patch cycle of even the most agile companies. The security of Google Apps becomes incredibly important, but updates to those ARE instantaneous and if you’re using cloud services there’s no more risk here then you’re already taking.

Overall I’m expecting a lot out of this for the tablet/netbook market. Obviously this wouldn’t be your full-scale desktop or laptop, but as a netbook it would be awesome. And I want one.

On the other hand…

There’s a lot of big name sites out there that are terrible at this in the stupidest ways. I’m a programmer and security guy and even I realize how bad some of this is, yet somehow multi-million dollar companies are still churning out terrible websites.

First up is Citizens Bank, whose own website is passable (not great, passable) but who apparently outsourced their credit card payment site to the lowest bidder (aka the janitor’s 14 year-old nephew). The first issue is that they have a warning page before leaving the site about how the content isn’t their responsibility, and if you look (let’s be honest, you didn’t) the SSL certificate is signed by a third party. Super, my bank wants me to trust this random company with my credit card, even though they warn me that I shouldn’t trust them.

Moving on, assuming you want to pay your bill, you’ll click through despite the warning. I’m going to ignore the obvious uglyness of the page and move right on to what happens when I try to pay my bill. They have a field for when I want the transfer to take effect, which is not unusual. But rather than having an “ASAP” button or filling it out with the next available date automatically they leave it blank. And if it’s after 5pm that day, today is invalid. So inevitably I fill out todays date, which is too late, and it won’t let me submit it. It doesn’t say “oh by the way this won’t take affect until tomorrow” or automatically fill in the next available date or anything. You need to actually find that date yourself and enter it.

Sure, it’s not a huge deal, but with just a tiny bit of effort I would be much less pissed at Citizens Bank when paying my credit card bill. American Express gets this one right, by the way. You can choose “as soon as possible” or enter your own date, which makes it very easy to just pay your bill in as few keypresses as possible.

The next site that’s been pissing me off is most car rental sites. I was trying to rent a car for tomorrow, so was looking at different locations around Cambridge. I checked a few different sites, so was filling out the dates and times to compare prices.

The problem is that I was planning on driving back Sunday night, so wouldn’t be getting in until 9pm. Naturally, all of the locations were closed at that point so I wouldn’t be able to return it. The problem is, I wanted to try say, 6pm to see if it worked. I wasn’t on the page for the location I found anymore, since I clicked on the “reserve a car from this location” link, so didn’t have the hours for the location. And the error message didn’t either! It said the location was closed, but not when it was open! So I had to search for the location again, open that page, find the hours, and fix it. Another car rental site, on the other hand, just told me the hours in the error message. Magic!

The other issue most of those sites had was when they didn’t have any cars available they would return an obscure error message and code. Just one sentence in red on the reserve a car screen, not a new page saying sorry or anything. I don’t want to be coddled, but come on. And why even have a 4 digit code from your system, it doesn’t help me at all.

The last one is from people I would really expect to know better, Pragmatic Programmers. They released a magazine in PDF, epub, and mobi formats…but not HTML! Come on guys, everyone knows Acrobat is terrible, was there really anything in there you couldn’t have done in HTML? Were you going for the glossy, professional magazine image? Because let me tell you, instead you hit the overglossy, full-of-yourself magazine image (see: the New Yorker…that’s right I said it).

I don’t see how designers or developers let this happen. Even a little usability study will instantly make the problem obvious, or something as simple as the developers trying to use it themselves. Honestly one of the best ideas for making sites better is to force the developers to use it day-to-day. Obviously not an option for some sites, but for others it forces the developers to think like users because, hey, they are users.

Naturally it’s not substitute for actual usability testing but it’s better than nothing.

And in the meantime more people need to complain when websites are hard to use. Don’t put up with crap just because you don’t have a choice, write an e-mail to the admins or fill out the comment form. Eventually they’ll get the message.

1. So, I moved from Charlestown to Cambridge, and wanted to transfer my Internet and cable.  You’d think being that this is the 21st century they could somehow flip a switch or two in their office and turn on my new service, but you would think wrong.  Instead I have to take a day off work and hang out at home so I can have the privilege of paying them $35 to come to my apartment and flip a switch or something.

2. Thinking the whole ordeal was over, I let my guard down.  Bad idea.  They apparently SORT OF transferred my recurring payments over, enough so they still charged my credit card but not enough so my bill was actually paid (I’m not sure where exactly the money went).  I noticed when they shut off my service for non-payment, despite the fact that my bill showed 0 due.  Actually in one of the rare cases of me being impressed I was able to get a very nice guy at Comcast support who tracked down the problem and fixed it.

3. Unfortunately, my modem still wouldn’t connect.  I have a wireless router, but even when I tried it directly it didn’t work.  So I took an hour out of my day to talk to some guy on the phone who actually tried to sell me phone service as we troubleshot the problem.  Eventually he did some magic (naturally nothing was wrong on my end, they apparently forgot to do something or other) and it worked.

4. Still on the phone with the guy, I asked him whether I would have any trouble setting it up with my router, knowing for a fact that I WOULD because they detect the MAC address and only allow the registered one to work.  As soon as the word “router” came out of my mouth, the guy said it was a problem with my router.  Note that this is before I even said I was having problems, I would just asking if I would (to see what he would say).  Not only is the explanation complete bullshit, it’s also a complete lie!  He literally said that if it worked with my computer it’ll work with the router, which is not even remotely true.  UGH, how can a company lie to their customers so blatently and still be one of the biggest cable companies around.

5. Oh that’s right, my only other choice is DishTV, which I can’t use because I can’t hang anything on my apt.  RCN is also apparently around, but I heard they’re no better.  Gotta love legal monopolies that force me to pay $140/mo to a company I can’t stand!

6. The speed I get is just terrible, I can’t even watch normal res videos on Hulu without it being ch-o-p-p-y unless it’s 4am on a weekday.

7. The DVR/cable box GUI is laggy as all hell, apparently they haven’t discovered the concept of separate threads for GUIs.  I end up getting like 20 button presses queued up and then they all go at once.

8. My remote stopped working since they switched out my cable box, and all they told me was to change the batteries.  It works sort of half and half, so I admit that it could have been the batteries.  Which is why I tried that before I called them…and told them that…and they told me to change the batteries.  Thanks guys!  Good advice!

9. If I have a series recording set to anything except “only new”, the DVR insists on re-recording things I’ve already watched once I delete them.  I guess they can’t be bothered to keep a history, so they just check to see if it’s in your list before skipping it, so if you delete it from the list they think it’s new.  Idiots.

I’m sure there’s more, but that about sums it up.  Comcast: worst company in the world.