SSL remains fairly terrifying

Moxie Marlinspike’s presentation on SSL Stripping, while 5 years old, is both fascinating and terrifying. I’m not sure I’ll ever turn my secure VPN off again. At the same time, I’m not sure if it really does me any good.

The 55 minutes of his talk are very much worth it. Some moments from the video:

“when looking for security vulnerabilities … it’s good to start with places where developers probably don’t really know what they’re doing but feel really about the solutions they’ve come up with.”

“A padlock, who’d have thought … it doesn’t inspire security.”

“[EV Certs]: Now we’re supposed to pay extra for the Certificate Authorities to do the thing they were supposed to do to begin with.”

And the most important one to remember, which is also the least reassuring:

“Lots of times the security of HTTPS comes down to the security of HTTP, and HTTP is not secure.”

Major props to Zack, who prodded me to watch this many times before I finally ran into it again today.

CC by 2.0 licensed photograph by minhocos

Amazon’s petition for exemption to fly drones commercially

Amazon filed a petition for exemption with the FAA last week so that they could fly prototype drones outdoors as part of research and development for their future Prime Air offering. It’s a quick read, with a couple fun points:

Because Amazon is a commercial enterprise we have been limited to conducting R&D flights indoors or in other countries.

We will effectively operate our own private model airplane field, but with additional safeguards that go far beyond those that FAA has long-held provide a sufficient level of safety for public model airplane fields – and only with sUAS.

It’s pretty amazing to think that Amazon would have made this much progress—eight or nine generations—without flying anything outside. One of the items listed in their request was the mention that their drones flew up to 50 mph with 5 lb payloads. How big is this facility that they’re testing in?

Or is this a lie that many working on serious commercial efforts with drones right now are telling?

photo of lettuce taken with Pressgram

Current Thoughts on Pressgram

Pressgram is an iOS app with a great story and a great tagline.

The best way to filter & publish photos to your WordPress-powered site.

I’ll admit I hadn’t paid much attention to anything beyond my own assumptions about the concept for the last 6 months, though I was still excited to try Pressgram almost immediately when the app launched to the public last week. And while I have some reservations, my overall outlook is hopeful and I’m planning on finding ways to use it.

First thought.

Pressgram is just as much a service as it is an app. Terms of service are an unavoidable thing when running a service. In order to keep operating and avoid liability issues, the terms will likely be written in favor of the service rather than the user. This doesn’t mean the user loses all rights, or that the service is out to get the user; it’s just legalese.

That said, terms of service lead to things like content moderation. Not necessarily a bad thing for a community sharing photos with each other. Not necessarily an ideal thing for publishing to your own site.

Which leads into my assumptions, or wishful thinking. When I first heard of Pressgram, my brain went straight to how it would be great to have an app on my phone that would take pictures and publish them directly to WordPress. I’ve been trying to find the right workflow for a while that does just that. The WordPress app is probably pretty close right now, but nothing is perfect.

Second thought.

Pressgram sends photos to a central server (or servers) first and then proceeds to push them out to whichever services were selected—Twitter, Facebook, WordPress—while also focusing on providing that photo to other Pressgram users through the feed.

In order to do this, Pressgram needs authorization. With Twitter and Facebook, OAuth provides a layer of separation between our passwords and Pressgram. With WordPress, we have XMLRPC over HTTP, which requires a username and password for each connection. This isn’t really any different from uploading photos through a browser. The only difference is that Pressgram needs to store this username and password combo on a server somewhere so that the user isn’t bugged for it every time a photo needs to be published.

So my feeling around this is that it’s kind of a bummer to hand over my site’s username and password in the hope that it is well taken care of. There are ways to mitigate the worry. With my single-author site, I can just create another author user and assign a unique password for use with Pressgram. With more complex sites, there is likely room for a plugin that provides one-off authorization passwords for use by apps that rely on XMLRPC. I guess it’s even likely that it exists already.

All that said, I have a pretty short wish list at this point:

  1. Some transparency around password management. What is being done on the server side to protect users’ WordPress sites?
  2. Photo uploading from the iOS app directly to WordPress over XMLRPC, no middleman.
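As an added example of the direct, no-middleman upload from item 2 (not Pressgram’s or WordPress’s own code), here is a small Python client that marshals a wp.uploadFile call using a dedicated author account and refuses to send it over anything but HTTPS, since the credentials travel in cleartext inside the XML body. It assumes the standard xmlrpc.php endpoint; the account name, password and filename are constructed placeholders.

```python
"""Direct-to-WordPress photo upload over XML-RPC, plus the transport check
that makes handing a site password to an app tolerable.

Added example, not Pressgram's or WordPress's code. Assumes the standard
/xmlrpc.php endpoint and the wp.uploadFile method WordPress exposes;
the account name and password used below are constructed placeholders."""
import xmlrpc.client
from urllib.parse import urlparse

BLOG_ID = 1  # required by wp.* methods; a single-site install ignores it


def xmlrpc_endpoint(site_url: str) -> str:
    """Derive the xmlrpc.php URL and refuse anything but HTTPS: the XML body
    carries the username and password in cleartext, so the transport is the
    only thing protecting them from anyone on the path."""
    parts = urlparse(site_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing to send WordPress credentials to {site_url!r}")
    return f"https://{parts.netloc}/xmlrpc.php"


def media_struct(filename: str, data: bytes, mime: str = "image/jpeg") -> dict:
    """The struct wp.uploadFile expects; Binary becomes base64 inside the XML."""
    return {"name": filename, "type": mime,
            "bits": xmlrpc.client.Binary(data), "overwrite": False}


def build_upload_request(username: str, password: str, filename: str,
                         data: bytes) -> bytes:
    """Marshal a wp.uploadFile call exactly as it would go on the wire."""
    params = (BLOG_ID, username, password, media_struct(filename, data))
    return xmlrpc.client.dumps(params, methodname="wp.uploadFile").encode()


def credentials_visible(request_xml: bytes, password: str) -> bool:
    """True when the password is readable verbatim in the request body,
    which is always the case for this protocol (hence the HTTPS check)."""
    return password.encode() in request_xml


def upload(site_url: str, username: str, password: str,
           filename: str, data: bytes) -> dict:
    """Send the call straight from the client with a dedicated author account
    (network call; not exercised offline)."""
    proxy = xmlrpc.client.ServerProxy(xmlrpc_endpoint(site_url))
    return proxy.wp.uploadFile(BLOG_ID, username, password,
                               media_struct(filename, data))
```

Creating a separate author user with its own password for the app, as suggested above, keeps a leaked credential from exposing the main account, and this client never has to store it server-side.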

Those are my ramblings, hopefully more constructive than fleeting tweets. I’m going to knock around some plugins to solve my near-term worries so that I can keep using the app, and I’m definitely looking forward to seeing where it goes. All in all, John Saddington has done a great job thus far.

Tracking Your Heart Rate Via Webcam

I remember being fascinated by the Eulerian Video Magnification work when some of the videos were being spread around, so I was excited to see the Webcam Pulse Detector project pop up on Quantified Self as I was scrolling through some missed feeds this morning.

It didn’t seem too difficult to set up for somebody with some Linux familiarity, and I set off to make it happen on my laptop.

The entire process took a couple hours. Some of that was due to missteps in installing OpenCV or not using sudo in the right place. The rest was due to the unavoidable—some packages just take a long time to install.

Seeing it finally work is really, really cool. Using my forehead, the app seemed to consistently track my heart rate at around 54–57 bpm. At the same time I measured my pulse at my wrist as 60 bpm. I’ll need to track the consistency over time and with non-resting heart rates as well, but that seems like an acceptable variance so far. Pretty cool stuff.

If you want to give it a go and you’re running OS X 10.8.3 on your machine, I’m embedding a gist with the commands I had to use to make this work along with some comments inline.

There were also plenty of resources that proved invaluable in actually finding the right answers for installing some of these software packages:

Apple TV, AirPlay and Incorrect Expectations

It’s so hard to figure out ahead of time what is supported by this AirPlay stuff. Or at least it was for me, it seems. So here’s what I know, for some other lost soul stumbling through the damn wilderness one day.

The Apple TV (newest revision as of 01/23/2013) will play audio for music to wireless AirPlay speakers. It will not play audio for videos to wireless AirPlay speakers. The audio for your videos – Trailers, YouTube, etc – is passed through HDMI or the digital audio output connection.

The iPad (gen 3 retina), iPhone 5 and Macbook Air can each be mirrored onto the Apple TV and both sound and video will be passed. However, the audio will follow the same restrictions laid out above and will not be played through your wireless AirPlay speakers but through the HDMI or digital audio output.

I was able to get the Macbook Air, connected to the monitor via HDMI, to stream audio via AirPlay for the video I was playing, but the audio was about 4 seconds off and seemed to be causing the laptop a lot of pain.

Short version – only expect audio from music on any of your devices to play wirelessly. Do not expect audio from video on any of your devices to play properly. If you achieve a different result… please share!

My next step is to try one of these HDMI to HDMI + Audio adapters as I’m trying to do all of this without a real TV, just a DVI monitor that doesn’t support audio over HDMI. Fingers crossed.

My New Debit Card

Got my new debit card, and it’s apparently @needadebitcard proof. But…

ING just sent us our new debit cards and they’re pretty cool looking. I guess it’s slightly comforting that an imprint can’t easily be made, but I’m not sure how important that really is.

Within the last 6 months, I’ve run into two cab drivers in San Francisco and one gas station on Prince Edward Island that could only take credit card payment via imprint. Granted, cash would have been safer both times, but you have to do what you have to do.

What would be more interesting is if they finally adopted the EMV chip and made traveling in Canada and Europe a bunch easier. It’s such a pain to be the hold up in a checkout lane that has to convince the person at the register that your card won’t work that way and needs to be swiped.

A great writeup on ‘The Web We Lost’ from @anildash

In ‘The Web We Lost’, Anil Dash does a fantastic job of describing the cycle that the web is going through. Though you should ignore this post for the most part and go directly to the source, I’ll highlight my favorite of the points:

Ten years ago, you could allow people to post links on your site, or to show a list of links which were driving inbound traffic to your site. Because Google hadn’t yet broadly introduced AdWords and AdSense, links weren’t about generating revenue, they were just a tool for expression or editorializing. The web was an interesting and different place before links got monetized, but by 2007 it was clear that Google had changed the web forever, and for the worse, by corrupting links.

And he’s correct in saying that the web is a cycle. It is up to us to make use of it for good as it comes back around.

The technology industry, like all industries, follows cycles, and the pendulum is swinging back to the broad, empowering philosophies that underpinned the early social web.

The Web We Lost – Anil Dash

Additional suggested reading for @helenhousandi’s ‘owning what you share online’ request from the other day.

That’s a long blog post title.

I just remembered some of Dave Winer’s writing on the subject of user-generated content vs. running your own server, and it’s worth a read when thinking about owning your data online.

Here are a few:

:) – Dropbox Photo to WordPress

This didn’t work out as perfectly as I wanted, but it’s still pretty cool. I took this picture from my phone and saved it to my Dropbox folder. Ifttt then grabbed it and created a post in WordPress for me. The biggest problem is that it creates a post using the Dropbox URL for the photo, not by uploading the photo to my WordPress install and creating something (with thumbnail options) from that. I think a plugin may be in order rather than Ifttt, but still pretty cool!

Skype And Apache

If you all of a sudden have trouble starting Apache on your Windows system, either through XAMPP or otherwise, and you also have Skype installed, this screenshot is for you.

Disable port 80 in Skype

I’m not entirely sure why Skype would choose to tie up port 80 by default, as that configuration has to be so unlikely for the average user, but they do. So if you’re having trouble starting Apache, uncheck that little box first.

I wouldn’t normally create a post for this, but if you don’t get the search terms right, you run into a bunch of ‘tutorials’ that take forever to just say the words ‘Skype uses port 80’. Sometimes all you need is a little screenshot. So now this exists, and it can provide more juice to other similarly helpful posts such as Apache and Skype from Otto, which I ran into after being amazed at the other several-hundred-word tutorials.