Archive for the ‘Technology’ category
Severe vulnerability in iGoogle Facebook-gadget
I by chance discovered a severe security vulnerability in iGoogle’s Facebook-gadget (more than 1 million users!), which allows an attacker to log into another user’s Facebook account, bypassing authentication.
I contacted the author and the Google security team and they confirmed there appears to be a problem which they’ll look into. While they do so, I would strongly advise everyone not to use the iGoogle Facebook gadget. Once the hole is closed, I’ll provide more info on how this could be exploited.
Why I dislike Facebook’s Like widgets
I like Facebook. I like sharing stuff there, I like liking friends’ activities and I like friends sharing and liking my links and posts. But I really, really don’t like Facebook’s Like buttons and similar boxes! Because I see some serious problems with the like button;
- The page containing the “like”-widget loads and renders significantly slower (i.e. performance impact)
- Facebook can track me visiting this page, even if I don’t click on “Like” (i.e. privacy issue)
- When I do click “Like”, I have no way of checking what will be shown on Facebook. And indeed the buttons are already being used to spread spam, malware is expected to be next (i.e. security risk)
- “Liking” a page enters me into a relationship with the page owner, allowing them to “publish updates to the user [and] target ads to people who like [their] content” (i.e. 2nd privacy issue, severely aggravated by the security risk)
No, call me old-fashioned, but I’m much more at ease with the normal Facebook share-mechanism;
- a simple link, so no performance impact
- no contact with Facebook unless clicked on, so tracking of my surfing behavior is not possible
- an intermediate screen shows what you’re about to share, meaning a much lower security risk
- no forced relationship with the page owner, i.e. “avert 2nd privacy-risk: CHECK”
But as I can’t force site-owners to remove the “Social Widgets”, I can only install something like No FB Tracking to disable the virus that is the Facebook Like-button. And whine about it on my blog, of course.
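The difference the post draws between a widget (contacts Facebook on every page view) and a plain share link (contacts nobody until clicked) can be turned into a site-owner-side mitigation: render a normal link, and only inject the third-party iframe after an explicit, user-initiated click. The snippet below is an added example, not code from the original post or from Facebook; the `sharer.php` and `plugins/like.php` URLs are used as illustrative endpoints, and the `a.fb-lazy-like` placeholder markup is an assumption of this example.

```javascript
// Added example (not from the original post): click-to-load social widgets.
// A static share link is rendered by default, so the reader's browser makes
// no request to facebook.com while the page loads and renders. The Like
// iframe is created only after a trusted click on a placeholder link.
// Assumed (illustrative) endpoints, not a documented API contract:
const SHARER_BASE = 'https://www.facebook.com/sharer.php?u=';
const LIKE_PLUGIN_BASE = 'https://www.facebook.com/plugins/like.php?href=';

// Plain share link: an ordinary <a>, so nothing is fetched until the user
// clicks, and Facebook's intermediate screen shows what will be posted.
function buildShareUrl(pageUrl) {
  return SHARER_BASE + encodeURIComponent(pageUrl);
}

// The Like widget's iframe source, built only once the reader opts in.
function buildLikeIframeSrc(pageUrl) {
  return LIKE_PLUGIN_BASE + encodeURIComponent(pageUrl);
}

// Only a genuine user click may swap the placeholder for the live widget;
// synthetic events dispatched by page scripts (isTrusted === false) are
// ignored, so no script can trigger the third-party load on the reader's behalf.
function shouldLoadWidget(event) {
  return Boolean(event && event.isTrusted && event.type === 'click');
}

// Browser wiring: every <a class="fb-lazy-like" href="PAGE_URL"> (assumed
// placeholder markup) becomes a click-to-load control. Takes the document as
// a parameter so the logic can be exercised without a real DOM.
function wireLazyLikeButtons(doc) {
  const placeholders = doc.querySelectorAll('a.fb-lazy-like');
  placeholders.forEach((link) => {
    const pageUrl = link.getAttribute('href');
    link.textContent = 'Load Facebook Like button';
    link.addEventListener('click', (event) => {
      event.preventDefault();
      if (!shouldLoadWidget(event)) return;
      const frame = doc.createElement('iframe');
      frame.src = buildLikeIframeSrc(pageUrl);
      frame.width = 90;
      frame.height = 20;
      frame.style.border = 'none';
      link.replaceWith(frame); // the widget exists only from this moment on
    });
  });
  return placeholders.length; // number of placeholders wired up
}

// Run the wiring only where a DOM exists; the pure functions above work anywhere.
if (typeof document !== 'undefined') {
  wireLazyLikeButtons(document);
}
```

The share link keeps all four of the post's advantages (no extra load time, no third-party contact on page view, a preview screen, no forced relationship), while readers who do want the Like button can still get it with one click; until then the page never references a Facebook-hosted resource.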
About this, that and the other
A few small bits and pieces; it doesn’t always have to be neatly worked out here:
- Dropbox is great, but not perfect: adding a file to your Dropbox on Android is a real pain, and the Windows version wants to use the work proxy at home as well (auto-detect proxy doesn’t work).
- WP-YouTube-Lyte is at version 0.4.1; the dimensions of the player are now configurable. The thing has already been downloaded almost 2300 times (cumulative across all versions) and, based on the download figures after a release, I guess it’s installed on some 300 sites.
- Speaking of numbers, last Monday this blog passed 100,000 pageviews; thanks for that, anonymous passer-by.
- I’ve been running Firefox 4 beta1 for a week or so (on both Windows and Ubuntu); nice and stable for a first beta. Tabs on top does indeed make sense and HTML5 video (with WebM) on YouTube works now too, but the new theme and add-on manager still need “some” work. Beta2 should be out any day now, but we’re still waiting for the big JavaScript speed gains (which should bring FF back closer to the competition).
And one more thing: when the conversation lulls, people no longer ask about the weather, but about your opinion on the chances of success of dream couple De Wever & Di Rupo. I then say that they have to succeed and that they know it themselves, because otherwise things don’t look good for our wallets, and then I point to an interesting article I read about it on Apache, and the conversation lulls again.
Cross-platform cloud storage with Dropbox
When a good friend of mine bought a Sony Xperia X10 Mini Pro (that small dude does have a keyboard) and couldn’t find JungleDisk in the Android market, I went looking for alternatives (I had already looked into cloud-based storage/ backup back in 2007) and found Dropbox.
Dropbox is an Amazon S3-based cloud-storage solution with client software for just about every system, Android included. Moreover it offers an API for platforms or applications that need Dropbox access as well. The basic account (with 2Gb storage) is free (sign up here and some more free storage thank-you-very-much), so I installed it on the Windows laptop at work, on my Linux “disktop” and on my HTC Hero and (at first sight) all seems to work exactly as advertised (free, easy, cross-platform).
And now that I have external storage that allows sharing files with anonymous users, I could offload some files from my own server? But more importantly; I really should look into reworking that old backup shell-script again (I’ll have to get dropboxd up and running first though). Or maybe I’ll just install WP Time Machine to automatically back up just this blog to my Dropbox-account?
Inventing Androids made easy
Google announced “App Inventor for Android”, a Java Web Start based IDE that allows everyone and your mother to create innovative Android-apps by simply dragging & dropping blocks around.
Granted, this isn’t the web-tech approach I was hoping for (just frigging copy/paste Palm HP’s WebOS’s MOJO, will you Google?), but this sure seems like a great leap forward! Now let’s hope people will do more than let their cat purr on our phones.
If you want to play around with App Inventor, you’ll have to apply for access first. While eagerly awaiting an answer from Google, you can already take some pictures of your cat or you could browse the documentation and the tutorials.
March of the Androids
Lots of exciting things happening in Android and HTC Hero-land these last few weeks:
- June 22nd: I flash my HTC Hero with VillainRom 10.3 (i.e. Android 2.1 aka Eclair + HTC Sense)
- June 23rd: Google releases the source code for the blazingly fast Android 2.2 (aka Froyo)
- June 23rd: CyanogenMod announces that he and his team will create CM6 based on these sources for a great number of HTC devices, including the Hero CDMA (the US model for Sprint)
- June 29th: HTC finally pushes out Android 2.1 for Hero in Europe
- July 1st: The VillainRom-guys announce VillainRom 12 based on that new ROM
- July 3rd: Lox, one of the CyanogenMod developers, announces the first Hero (GSM) Froyo-build
- July 5th: HTC released the kernel sources (based on 2.6.29) they used for Hero
- July 5th: Lox & co are working on a merged HTC Hero GSM and CDMA build based on the official kernel sources
So I flashed my Hero again, with VillainRom 12 (clearly more responsive than 10.3, a few bugs are solved as well) and I’m looking forward to flashing CyanogenMod 6 once that’s stabilized. Because, after all, Heroes like their Androids fresh, don’t they?
Eclair on HTC Hero: going rogue with Villainrom
I flashed my HTC Hero again, this time with an Android 2.1 image from Villainrom. Why not wait for the official update? Well, we’ve been waiting for quite some time now, the HTC-update might not even work on a rooted device and a colleague of mine was running Villainrom 10.1 for over a month now and was quite pleased with it.
So if you want to go rogue as well, go Villainrom using this installation guide. And in case things happen that aren’t described in that detailed howto, here are 5 things I had to learn the hard way;
- Formatting your SDCARD when on a Modaco rom might not work, having a colleague nearby who can format for you on his handset or PC might help.
- If flashrec complains “Could not run command” but your device is already rooted then forget about flashrec, you’re a superuser now
- nandroid+ext might not work, just perform a normal nandroid backup
- market downloads sometimes don’t work, in my case this was solved by resetting privacy and location-sharing settings to their (permissive) default settings
- Villainrom provides OTA-updates, but these aren’t always applied, re-downloading and re-applying the update did the trick for me.
My first Android 2.1 impressions; clearly snappier (and tests show 2.2 to be a lot faster still), some great apps on the market that weren’t there for 1.5 (Google Goggles looks great!) and most importantly; one of the best mobile browsers around (as confirmed by Quirksmode Webkit tests). So yes, I love my Eclair!

