Click or scroll down Circle me on Google+ Fork me on GitHub Follow me on Twitter Ask me on Stack Overflow Gild me on Reddit Code Ninja, Entrepreneur, Idiot ChalkHQ — consulting, prototyping, mentoring — resolve innefficiencies in your startup's workflow — online open-mic / creative space The Dirac Equation (click to WikiPedia) A maxim Sun Tzu references in his magnum opus The Art of War

If you know the enemy and know yourself, you need not fear the result of a hundred battles.
If you know yourself but not the enemy, for every victory gained you will also suffer a defeat.
If you know neither the enemy nor yourself, you will succumb in every battle.
Fork me on GitHub


actionscript ad-hoc networks Adobe AIR anonymous Apple array Browsing convert Debugger Error Facebook file permissions Flash Flex fonts function future Google Google Plus grid hackers html javascript logs loop network p2p php privacy regexp Security Server social ssl technology terminal time Twitter upgrade Web 2.0 Web 3.0 Web 4.0 Web 5.0 wordpress

Featured Posts

  • Javascript: Undefined parameters
  • The Web, A Look Forward
  • Let Postfix send mail through your Gmail Account – Snow Leopard
  • Archives

  • April 2013
  • December 2011
  • July 2011
  • June 2011
  • March 2011
  • February 2011
  • January 2011
  • November 2010
  • October 2010
  • September 2010
  • July 2010
  • May 2010
  • Categories

  • Code
  • Design
  • Opinion
  • Security
  • Tools
  • Uncategorized
  • Latest Posts

    Javascript: Undefined parameters

    When writing a function that expects arguments you may need to ensure an argument has a default value.

    function badPractice(a) {
        var _a = a || 'a was undefined?';

    I see this a lot in open source code and frequently at companies and agencies and it concerns me. In very few cases it's intentional, in most cases the developer doesn't expect to get unpredictable input.

    // expected behaviour
    badPractice() // 'a was undefined?'
    badPractice(void 0) // 'a was undefined?'
    // unexpected bahaviour
    badPractice(0) // 'a was undefined?'
    badPractice(false) // 'a was undefined?'
    badPractice(null) // 'a was undefined?'

    The problem is that if you pass a falsey value for a, the expression will set a to the default value.

    function goodPractice(a) {
        if(a === void 0) {
            a = 'a was undefined';   
    // expected behaviour
    goodPractice() // 'a was undefined'
    goodPractice(void 0) // 'a was undefined'
    goodPractice(0) // 0
    goodPractice(false) // false
    goodPractice(null) // null

    Ok, so this is a major improvement. Not only are we properly checking for a truly undefined value, but we have a consistent pattern with instances when we actually need to run more code within the conditional or require finer control over the conditional logic itself. void is just an operator that evaluates any expression to undefined, by convention we use void 0. Even if we have var undefined = 5; somewhere in the code void 0 will still be evaluated to a true representation of undefined.

    The problem with the good practice approach is that the majority of Javascript developers aren't familiar with void 0 — especially not beginners. While you can train yourself to read it as "undefined" it still takes a second for the reader to translate the words void 0 into "undefined".

    So let's follow best practices, be explicit, and follow a consistant pattern.

    function bestPractice(a) {
        if(typeof a === 'undefined') {
            a = 'a was undefined';
            // other conditional logic here
    // expected behaviour
    bestPractice() // 'a was undefined'
    bestPractice(void 0) // 'a was undefined'
    bestPractice(0) // 0
    bestPractice(false) // false
    bestPractice(null) // null

    What is Identity

    Every few months I delete my Facebook account citing lack of ethics in their business model and the way it's being executed. The FTC agrees with me, Austrians and Germans agree with me, and the Privacy Commissioner of Canada agrees with me. Facebook consistently seeks to undermine the illusion of privacy they present to us, and to violate laws and the rights of its users to perpetually maintain a "social graph" that contains mind-bogglingly detailed information about each and every person on the service including what websites you visit (that have a like or connect button installed), and what actions you do and personal information you share on many of these sites. I then inevitably sign up again to access their API in order to stay current as a developer where clients need to access people, and if their target audience is on Facebook; the client needs to be on Facebook too, and I better know how to give them that access.

    What does Facebook have to do with identity? There's a new feature in Facebook's account settings that allows you to link your Facebook account with what are considered other identity providers (ie: Google, Yahoo) using OpenID. This means you can log into Facebook with credentials from these other services; and/or if you happen to log out of Facebook and into say Google a Like button on someone's blog would still recognize you as logged into Facebook. So what's in a username when a username is only weakly linked to your identity?

    An email address is strongly linked to your identity; I can send you an email, but because email addresses are easy to spoof I cannot be sure an email is really from you without extra layers of security that aren't for the average user, or a really good Turing test which is unfeasible especially in the age of social networks where relationships are just as easy for anyone to discover and spoof. An email address is analogous to a driver's licence. Underage people create accounts with fake birthdays to get around COPPA just as they get a fake licence to buy beer. It's unfeasible for the average person to create fake driver's licenses as it is for them to hack into someone's email account; but fairly trivial for people to acquire the knowledge to use both technologies for identity theft or spoofing.

    In the real world your identity is a culmination of the information that resides in other people's brains and in 'the system' about you. You are the impact you have on the world. In a court of law where identifying you can mean the death penalty or not, the only thing more convincing than DNA is DNA plus photo evidence plus eye-witness testimony plus a trail of other evidence. It is fairly trivial to plant some DNA as it is to hack into someone's online accounts; it's easy to brute force, phish, or Firesheep an account and gain access to credentials. In a digital world gaining access to and duping the bits used as a digital passport is easy, it's hard to post a thousand status updates, photos, and blog posts over a period of years as someone else while over those years interacting with other real people in that person's life. Because identity is a culmination of the impact you have.

    People get upset when they can't access the first of their ten thousand tweets; no matter how trivial it was; because it's perceived as a part of their identity. Our history and our breadcrumbs are our identity. Our interaction with the world is accumulated validation that we are who we unconsciously present ourselves to be. When logging into online banking or anything else that requires extra security we set up secret questions and answers about our identity; and symbiotically depending on what parts of my life history is exposed to a given observer the nature of their perception of my identity is accordingly changed —Yet I wouldn't go so far as to say that we have multiple identities because of it. If two people are looking at the same sculpture from two different angles, then there are not two sculptures; only two representations of the same sculpture. There are no two people in my life who have the exact same account and there is no person including me who has the full account of my identity. The vast majority of our lives are forgotten or not known even to us. For example if someone found an old journal that belonged to your great great great great grandfather, reading it would add to your knowledge of your identity; it would uncover a part of your identity. There is no reason why a computer program could not be one of the mediums to store and retrieve parts of your identity, but your identity follows and remains attached to you.

    Your family impacts your identity and so does your social interaction, as well as your knowledge and experience acquired. Identity rubs off and is transient. I am who I am because of who everyone else is. It's not just attached to my consciousness or my physical body, but both, and everything else those two things have together or individually interacted with either physically, digitally, or vicariously. Identity is a culmination of the impact you have on the world. Any website where you make an account wether strongly or weakly tied to your identity is merely a representation and thus an extension of it.

    There are no social networks. There are only tools and services with social features. Google+, Facebook, and Twitter are all broadcasting and link discovery tools, and they are all ways to waste time. Forget about the motives and business models of the companies and their inherent overlap. Google+ gives you more finely tuned and personal search results, Twitter allows for trends to be easily sparked and monitored, and Facebook exposes your breadcrumbs to help you find people and discover parts of their identity that would otherwise be hidden to you. None of these things are inherently good or bad in theory and none of them are a complete picture of you.

    The idea of only using one social network, or only having one ultimate online identity is not only silly (because they are all merely representations of your identity), but it leaves you vulnerable to exploitation. You should have many online accounts and many places where you publicly aggregate and maintain a list and links to those accounts so that if one goes out of business you still have breadcrumbs, and so that if one gets hacked you can mention it on all the others. You should use different login credentials so that it's totally unfeasible for anyone to gain access to the majority of them, and so that the patterned imprint of your identity on the web becomes easy to tell apart from what a given hacker would do with your account if they gained access to one of them. You should treat everything you post as public because it ultimately is and consider it to be public domain. The notion that these companies respect what's in their TOS is a marketing gimmick, although you can still use tools given to differentiate these public parts of your identity it is and should be seen merely as a form of curation rather than any form of security; and you should seek to maintain aspects of your identity privately, offline, and between close relatives and friends.

    Inside Google+

    After waiting patiently since Wednesday afteroon for my invite to work(It's 4:30am Friday right now) It finally did.

    Foot in the door

    The first thing you're asked is if you'd like to enable +1 on non-Google sites. Right off the bat, compared to Facebook, the explanation of where and how my content will appear on non-Google sites if I enable this feature is very clear. I'm enabling it for now but there are some security/privacy risks which I'll get into in a future post.


    You also get a link to the Privacy Policy before signup. Google's Privacy Policy incorporates their Google-wide policy — which if you have a Google account you've already agreed to (~1660 words), and if you use the mobile version of G+ it instead incorporates their mobile specific policy (~1070 words). If you upload a photo to Google+ you're also agreeing to the Picasa Privacy Policy (~795 words). If you use the +1 button you're agreeing to the +1 Privacy Policy (~420 words). The Google+ (Plus) specific policy adds (~1035 words) of amendments so it totals around 3500 words, as Google already had hundreds of millions of users who'd already agreed to their sitewide policy and Picasa's there's only around 1500 words of new policy for their social layer. Contrast this with Facebook's Privacy Policy (~5850 words), which you have to click through from an overview page describing privacy controls (~1260 words), an expansive Privacy FAQ, 25 external privacy information links, 8 minutes of video explaining Privacy on Facebook, as well as the Privacy Policy of every app you use on the Facebook platform. In addition to Google being an order of magnitude more concise, the Google+ Privacy Policy is also written in much clearer wording. Look forward to my deconstruction of the Google+ Privacy Policy in a future post. What stands out is:

    • that participants added to any group conversation may be able to see the entire history of the conversation. Since anyone in a conversation can essentially add anyone else, consider everything you post to Google+ public.
    • If you use a third-party app like TweetDeck to post to Google+ the developer of the app has access to all the information you have access to. So consider everything you post to Google+ public as anyone of your contacts may use a third party app giving that developer access to all your posts.
    • During the next step in the signup process you're shown a window requiring that you connect Picasa Web Albums to your Google+ account, so your photos are available to you. Your albums' visibility settings aren't changed, but people they are shared with can now share them with anyone else. So consider photos you share on Google+ public.

    While these last three points may change the way you use Google+ at least they're upfront about how little control you have of a post once you post it online. Other social networks would prefer you not realize this.


    annnnd I'm in.

    It looks incredible, very clear and fresh. The interface is snappy and responsive and shows me little messages the first time I do something telling me what's about to happen.

    No ads to be seen anywhere, hard to say at this point if that's because it's a "limited field test" or as competitive advantage. It would be great if when I'm looking at my social timeline I'm not bombarded with ads as apposed to Facebook where the ads mention my friends' names and is awkward and uncomfortable. Better targeted ads on other Google properties, and a clean social experience.

    Hangouts are awesome, and simple to use.. Can't wait to try it out with some people when invites go live again. You'll need to download the Google Talk plugin. Google Talk is also integrated with G+, you get the same chat widget that's been around in GMail for a while except there's no dialpad and it's integrated with circles.

    Photos looks really good, instead of a gallery of evenly sized thumbnails you have a dynamic spread of recent photos with a little bubble showing the number of comments each one has, clicking on a photo opens a better looking lightbox where you can see photo metadata, fly through the entire album, and photo comments are on the side so I can scroll through comments and leave one while still looking at the photo.

    Your account settings are very clear, easy to understand, and well organized. There aren't many settings you need to configure. The first panel "Account overview" lets you manage your account and provides two links at the bottom to Delete your profile and remove associated social features, and to Close account and delete all services and info associated with it. They've also devoted a section of your account settings to Data liberation which is a simple set of 6 links to download all your data.

    Things you can keep private —like who you're friends with, are very simple to control. Deciding "who gets to see what" is ingrained in the way you post and use the site, and it's clear that Circles are about managing who you're sending posts to, not creating an air-tight controlled network where your data is 100% private. This is a good thing, Google's not obfuscating the ultimate lack of control a given person on the internet has over their content once it's posted online, they're instead making it clear that it's up to the people you choose to trust and share with to respect your privacy —which is in fact the case on other social networks and anywhere else on the web; including email, despite what those sites would lead you to believe through branding or convoluted privacy policies and UI.

    Google makes it very easy to:

    • See what data they have
    • Download your data to your computer
    • Remove your data from Google's servers


    There's a little option arrow on each post that let's you disable comments/resharing, but if I'm not looking at the Stream when I post then I don't have those options. There also doesn't seem to be a global way to disable resharing.

    Yeah it's a field test and no one's using it yet, but when G+ does go live, I'd expect there to be a better way to find interesting people to follow. I'm talking your Scott Siglers, Leo Laportes, Gina Trapanis, and Keith Malleys. Right now (and rightly so) it's more geared towards finding your friends and family.


    It looks like any computer in my house can now signup for Google+, but people are still getting a "capacity exceeded" message. Invites have also been temporarily disabled, but if you want an invite just email me your gmail address or post it in the comments below, and I'll invite you when I can.


    Google+ was announced yesterday and is currently being field tested. Scheduled to be slowly rolled out to users.

    What is Google+?

    It's a social sharing layer being added to Google. Their answer to Facebook, Twitter, Skype.

    (scroll down for videos and demos)

    I'm leaving Facebook as soon as Google+ opens — or as soon as I get an invite and can invite the people I care about.


    Facebook is hella boring, only a few people post more than once a day, there's a stalker mentality, endless privacy fuck ups, and over time the software has become complicated and bulky not less. The Facebook iPhone app is really badly executed from a design and usability perspective. Google+'s Sparks where they feed people interesting news based on their interests will finally give "non-broadcasters" something to talk about and share. It's like mushing Google Alerts and StumbleUpon into Facebook.

    Group video is huge a pain with Skype, and there's no iPad version; the iPad compatible version is just a tiny square. Call quality is frequently terrible, and it's awkward for people to start a video conversation. Working with a distributed team and trying to keep track of everyone's hours; when they're knee deep in code, or out to lunch is reason enough to get a personal assistant. Google+'s Hangouts is like a living room in your office that's actually in your social network. People can join and leave when they're available, videoconferencing where the video being shared or person talking loudest takes center stage. It's like a really natural Sococo that doesn't force you to play with little avatars.

    Twitter's character limit is irritating now and I don't want to post to 3 social networks anymore. Every social sphere is on every social network, and Facebook privacy is non-existent. So I'm just posting multiple public messages to randomly dispersed people, and a lot of overlap. Yeah, you can go to a Twitter profile and quickly see a person's updates and absorb a lot of information in a glance from a set of guaranteed-concise updates; but who does that? Yeah you can get your public updates indexed by Google but only a few, a feat not even possible on Facebook. And quite frankly I don't care about all of a person's updates. Using Google+'s Circles to target who get's a given update means fewer, and more meaningful updates — rather than forcing wordplay and brevity.

    With Twitter you think about what you post more and how to word it to make it fit, but that's conformity and a focus on structure over content. What you end up seeing is the Twitter version of the people you care about. I want to see the real version. I want to see the thought they had in the moment, worded the way they talk without all these barriers, and supplemented by links; videos; and images —and I want the interface to be clean and minimalist. Twitter's custom backgrounds and colours are a huge flaw.

    Twitter also goes down a lot, and only lets you access your last 3200 tweets. Both traits seem a bit ridiculous for a social network that encourages you to post every off the cuff thought.


    Here's the interactive demo, make sure you hit "Take the tour" to get it started.


    Here's a link to the full Google+ playlist, just go into Fullscreen and it'll play though them all


    Dropbox has been getting a lot of flack recently for misleading users. Their attempt to address these issues on their blog is ridiculous; their marketing department spinning nuance into very serious security claims leaves them with a permanent stain on their brand, one of being utterly untrustworthy and incompetent. They tried to walk the line of ambiguity and it's come back and ruined what was once a shining example of a consumer brand done right.

    Here's a link that highlights that incompetence, and here's an excerpt from a recent post on the Dropbox blog illustrating how full of shit they are:

    For example, one help article formerly stated that “files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity.

    Another statement read “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this.

    In summary, anything you put in Dropbox should be considered public, just like Facebook and Twitter. While all your data in Dropbox is "encrypted" the keys to decrypt all your data is accessible and stored with Dropbox in the cloud, not with you. Meaning the encryption is totally meaningless. Aside from the fact that Dropbox now openly co-operates with anyone who makes a request to peak at your files, any hacker that gains access to the Dropbox servers or codebase can easily get your encryption key and your data is compromised.

    Facebook is a Vector

    I recently started using Facebook and Buzz along with Twitter as public publishing tools. Facebook still sells itself as being for your friends and people you know, which is still completely false. Everything you post on Facebook is public-regardless of your privacy settings, and permanent-regardless of whether you delete it from your wall, but that's besides the point.

    The issue I'm writing about today is one where Facebook allows any website to post to your wall as you without your consent (ie: identity theft), as long as you're signed into Facebook. Most people are permanently signed in even when all Facebook tabs and windows are closed by means of a session cookie your browser saves for weeks. Today in my newsfeed there was a link to a video of the tsunami in Japan.

    When you click on the link you get taken to a fake youtube page, and are told to verify your age to watch the video. Clicking on the "Verify my age" link takes you to an annoying ad for a malware toolbar, while secretly using your Facebook account to post the link to your own wall and like it. Clicking anywhere else takes you to other sites that infect your computer with viruses and malware.

    This malware spreading site happens to be using a live analytics service called and if you look at the ping response you can see that there are constantly around 10,000 people on the site over the five minutes I kept hitting refresh.

    The fake youtube site isn't hacking Facebook or your account, it's simply taking advantage of a gaping security hole in Facebook's API. Any website can embed a hidden Like button, and if you happen to be logged into Facebook on that computer that website can post anything to your wall.

    How does it work?

    A website loads a hidden Like button on their page, which is just an iframe calling with some GET variables. The website uses Javascript to trigger the click action of the Like button posting anything they feel like to your profile without your consent or knowledge. Your friends see the link, trust you, click on it and begin spreading it themselves.

    How can Facebook easily prevent it?

    Liking a 3rd party webpage should popup a little box that asks for your pin number. Your pin number should be set in your Facebook account settings and be a 4 digit number separate from your password that you're prompted to change every month. This way posting content is a conscious effort on your part, and 3rd parties can't use hidden Like buttons to post to your wall.

    Why Twitter Can’t and Shouldn’t Expand Beyond 140 Characters

    Richard MacManus over at ReadWriteWeb posted an article today detailing Why Twitter Must Expand Beyond 140 Characters. This is a counter post detailing the opposite.

    Twitter No Longer About Constraints

    Twitter and Facebook are not in competition, they serve two very different functions. Twitter is for following brief status updates from people and things you’re interested in, while Facebook is for sharing your life with close friends and family in an efficient detached manner.

    That Extra Click: The User Experience Issue

    There is a user experience issue with having to click a link to read tweets that are longer than 140 characters; but the issue isn’t with Twitter, it’s with the external service which is not a good fit for Twitter. Having to click to get extra content—ie: Twitter’s simplicity (and it’s open API), is what made it so successful and able to have such a vibrant ecosystem of apps and experiences. The new Twitter layout solves a significant amount of extra clicks showing plenty of externally linked media from tweets on the Twitter website without leaving the experience.

    Will Twitter Producers Pollute Twitter With Long Tweets?

    It’s irrelevant how often people post long tweets. Twitter can’t drop the 140 character limit because it was designed to be used with SMS. Many people still write and read tweets via SMS on their mobile phone, and allowing longer tweets wouldn’t solve anything. Those people would still be limited to only 140 characters, and any tweets longer than 140 characters would be sent to their mobile phone all wonky and separated or broken up.

    Other Languages Already Send Long Messages on Twitter

    This just refutes the last point. But it also provides a solution, if you want longer tweets, learn Chinese.

    Twitter Needs to Expand Beyond 140 Characters to Continue Growing

    This is just false. Twitter’s brevity is it’s value as the character limit urges elegance, and allows it to be integrated beautifully with even small simple devices and web apps. Twitter is in the middle of transitioning to the new layout, and there’s a ton of room for Twitter to expand in terms of analysis and practical uses of their vast sums of data.

    Twitter keeps hitting record usage levels and their service is becoming more and more mainstream as it becomes popular around the world. More important than character limits is expanding their infrastructure for uptime ie: they can barely handle 140 characters, but perhaps more importantly for access.

    Being able to Tweet from anywhere in the world in the face of a government shutting down the internet – via SMS and Google Voice, and perhaps in the future self healing P2P networks is a must. Getting an image of your country’s secret police force throwing molotov cocktails at protestors from rooftops to the world is at the very least facilitated by the fact that there are hundreds of services that easily integrate with Twitter and a hundred different ways of getting an image like that onto many different services and getting the Tweet out. If Twitter starts expanding to overshadow its simplistic ecosystem as a status distribution network, preventing posting of such pictures to a mass audience will simply mean blocking the twitter website. All your eggs in one basket.


    Internet Trails and Privacy Concerns

    The French National Institute of Computer Science just published a study, where they analyzed over 10 million usernames from various websites and social networks, finding that many people use the same or similar enough usernames across services allowing malicious bodies to build pretty comprehensive profiles of you. They released a tool to analyze the uniqueness of your online usernames. You can read the study here as a freely downloadable PDF.

    The take away is to use distinct usernames for different services, and make sure you only use your real name if you want all that account info to be associated with the real you.

    via [TorrentFreak] via [Cornell]


    New Subscription Models Abound

    Apple has announced a new subscription service for iOS read: recurring in-app purchases. Apps will be able to take advantage of Apple’s system but publishers are required to give Apple a 30% cut and are not allowed to raise the price of subscription to accomodate the lost revenue. Content makers still have the option of managing subscriptions externally bypassing Apple’s new subscription management service where they’d keep 100% of revenue as per usual.

    • The benefit to subscribers is increased privacy control with your name and email address, and you can subscribe to more content without worrying if the publisher has safeguards for your credit card information.
    • The benefit to publishers is that it’s easier to build a reputation for content. The alternative route would be to make an app and give free subscriptions until you build a reputation and then setup a whole billing mechanism and suddenly start charging your subscribers – which is a bumpier ride.

    Google also just announced Google One Pass which is essentially the same concept but with a focus on the internet as a whole and built as an extension to their Google Checkout system. The key difference between the two services is that Apple is offering an optional subscription management system for apps in their app stores, while Google is offering one for the entire internet and mobile apps “who’s mobile OS terms permit transactions outside of the app market.” Unless Apple blocks using the One Pass API via their terms – like they did when Adobe added compile for iOS as an option in Flash Professional CS5, it seems like iOS market share will be the ground under contention here.

    On the other hand Apple would likely negotiate separate deals with the big publishers, and having more subscription options for up and coming publishers – even if they’re not getting that 30% cut, still means more content targeted for iOS. With more and more apps being made with Android as a primary consideration Apple stands to gain by opening it’s doors to One Pass letting those publishers consolidate subscriptions in one service. I guess we’ll see how this evolves.

    [AppleGoogle] via [Ars Technica]


    Apache Virtual Hosts and Multiple IP Addresses

    Here's a pain in the ass issue if you're exhausted, it's 4am, and you can't see straight. If you make a weird error with this either subdomains for anything but the first IP address won't work, or incorrect subdomains on secondary IPs will still resolve to the first specified IP's default VirtualHost definition. Or some other unexpected behaviour that will drive you insane while you question DNS, Browser, and OS caching mechanisms and resolvers which most likely have nothing to do with the issue.

    Things to remember.

    The ServerAlias line should only be one line. Each alias needs to be separated by a space.
    The first defined VirtualHost for a given IP is that IP's default.
    Make sure ports.conf and httpd.conf are included in Apache2.conf
    ports.conf should look like this:

    NameVirtualHost 55.11.515.151:80
    NameVirtualHost 88.22.828.279:80
    Listen 80

    and httpd.conf should look like this:

    #turn off indexing globally
    Options -Indexes
    DocumentRoot /serv/sites/
    DocumentRoot /serv/sites/
    DocumentRoot /serv/sites/
    ServerAlias *
    DocumentRoot /serv/sites/