Archive for the “FAIL” Category
Posted by geoff in FAIL, Gadgets
I’m pretty much out of ports on my TV. I’ve got a Motorola set-top box/DVR from ComcastXfinity (a crappy early model with hardly any disk space), a PlayStation 3, an Apple TV, and a Roku 2XS. I need the ATV for AirPlay from my iPad or MacBook Air, plus YouTube; I need the Roku because I watch a lot of Amazon streaming video. I can get Netflix and Hulu on any of the devices. For recent pay-per-view movies, I prefer Amazon to the alternatives (Comcast or Apple), simply because of price and variety. I’d love to dump one of these devices, which would have to be the Roku, but that would mean using the PS3 for Amazon Video, and the PS3 UI is utter crap.
So I’m stuck with this device setup. Unfortunately the Roku 2XS has been a disaster. I bought it 18 months ago to replace an original Roku which had fried, and it’s always been glitchy. It becomes catatonic about once a week, requiring a power cycle to fix it. But this evening the power cycle failed to produce the normal startup screen of bouncing purple letters. I unplugged and replugged it a couple of times, then tried a factory reset by sticking a paperclip in the “reset” hole for the officially-recommended 15 seconds (and then some). Nothing.
In frustration I grabbed my MBA and started to browse reviews on Amazon.com, looking for alternatives to the Roku. About 15 minutes later, the Roku 2XS suddenly came to life, and displayed a white (not purple) logo. I re-paired the remote, configured the Roku and all of my services (really strong passwords are great until you have to enter them repeatedly using an on-screen keyboard!), and I was back in business.
That weird 15 minute delay suggests to me that the Roku 2XS has some kind of hardware problem, probably heat-sensitive. Since it only has a 90-day warranty (what kind of nonsense is that?), I’m going to have to replace it. I wish I could find another device which would do the job, but I guess I’ll be going for a Roku 3. Hopefully we’ll be getting an official YouTube app for it soon.
I spent several hours today disinfecting my other website (Speaking of Clouds, also reachable as GeoffArnoldConsulting.com) after a WordPress hack attack. As is often the case, I was saved by the incompetence of the hackers, who had modified my .htaccess files in such a way that it created an infinite redirection loop. (Hint: you’re not going to get far if your URL begins with “htttp:”.) This loop meant that the site became inaccessible, which was immediately noticed by Montastic, the service I use to monitor all of my sites. (Highly recommended.)
Unlike this blog, Speaking of Clouds is hosted at DreamHost. This is not particularly significant: DreamHost has always provided excellent service, and their customer service guys were immediately responsive when I contacted them. However I’m running on a multiuser system, rather than in my own virtual machine or zone, which meant that certain diagnostic and troubleshooting tools weren’t available. I couldn’t restart the Apache process, or compare logs across multiple websites.
The eventual cleanup was relatively straightforward. Ssh in to the host. Take a recursive listing of the entire filespace, so that I could tell what was changed when. Back up everything. Examine logs. Clean up all of the .htaccess files. Change the keys. Log in to the dashboard. Reinstall WordPress 3.4.1. Identify all of the bogus PHP and HTML files (made easier by the atrocious spelling and grammar of the hackers). Change all the passwords. Reinstall all the plugins and themes. Delete (rather than disabling) everything I’m not actually using. And then back everything up. And all the while, I had three terminal windows tailing the relevant log files.
I must say that I would rather have been slogging through the mud at Silverstone, though….
UPDATE July 12, 2012:
This story continues to develop. Yesterday I received an email from a Russian Lithuanian company (evuln.com), advising me that my site appeared to be hacked, and providing a little bit of more-or-less accurate advice on cleaning it up. The email concluded:
If you are not able to fix this “redirect” problem on your own then we will be glad to help you for a reasonable price.
Oddly, the description that they gave of how I was hacked was slightly inaccurate, and so I ssh’d back into speakingofclouds.com to check. Sure enough, it had been hacked again. I cleaned up as before; this time I touched every file in my WordPress subtree, so that any changes would be immediately apparent.
This morning, I logged back in, and found that my .htaccess files had been changed again. This time I was able to match the modification time to the exact HTTP log entries, and this is what I saw:
184.108.40.206 - - [12/Jul/2012:05:45:44 -0700] "POST /wp-content/uploads/.cache_000.php HTTP/1.1" 200 365 "-" "Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0"
So somehow an executable PHP file had been hidden away in my uploads directory, and was being used to inject stuff into my WordPress configuration. I quarantined the file, then looked around to see if this was a known exploit. I only came across one blog reference, here.
It seems like one really obvious security fix for PHP would be to prevent it from executing hidden files. A quick check suggests that this hasn’t been implemented, though.
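The log correlation described above, as an added example that is not part of the original post: it flags requests for script files under `wp-content/uploads` (hidden ones in particular) and any POST that lands within a few seconds of the `.htaccess` modification time. The function names, the extension list, the 5-second window and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"
UPLOADS_PREFIX = "/wp-content/uploads/"
# Assumed list of extensions the server may hand to PHP; adjust to the host's handler config.
SCRIPT_EXT = re.compile(r"\.(?:php\d?|phtml)$", re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FORMAT)
    rec["path"] = unquote(rec["path"].split("?", 1)[0])  # drop query, decode %xx
    return rec

def classify(rec, htaccess_mtime=None, window=timedelta(seconds=5)):
    """Return the reasons a request deserves review (empty list: nothing flagged)."""
    reasons = []
    if rec["path"].startswith(UPLOADS_PREFIX):
        segments = rec["path"][len(UPLOADS_PREFIX):].split("/")
        scripts = [s for s in segments if SCRIPT_EXT.search(s)]
        if scripts:
            reasons.append("script-in-uploads")
        if any(s.startswith(".") for s in scripts):
            reasons.append("hidden-file")
    # A POST landing within `window` of the .htaccess change is the correlation
    # the post describes; the 5-second window is an assumption.
    if (htaccess_mtime is not None and rec["method"] == "POST"
            and abs(rec["time"] - htaccess_mtime) <= window):
        reasons.append("post-near-htaccess-change")
    return reasons

def scan(lines, htaccess_mtime=None):
    """Return (ip, timestamp, method, path, reasons) for every flagged request."""
    findings = []
    for rec in filter(None, map(parse_line, lines)):
        reasons = classify(rec, htaccess_mtime)
        if reasons:
            findings.append((rec["ip"], rec["ts"], rec["method"], rec["path"], reasons))
    return findings

# Constructed sample data (documentation IP ranges); only the request path and
# timestamp of the first line follow the entry quoted in the post.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2012:05:45:44 -0700] "POST /wp-content/uploads/.cache_000.php HTTP/1.1" 200 365 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2012:05:46:02 -0700] "GET /wp-content/uploads/2012/07/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Jul/2012:05:47:30 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2012:09:10:00 -0700] "GET /wp-content/uploads/2012/06/thumb.PHP?x=1 HTTP/1.1" 404 210 "-" "curl/7.0"',
]
# Constructed: in practice use the modified .htaccess file's mtime from os.stat().
HTACCESS_MTIME = datetime.strptime("12/Jul/2012:05:45:45 -0700", TS_FORMAT)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG, HTACCESS_MTIME):
        print(finding)
```

Running the same scan over every site's access log on the host shows whether the script was requested anywhere else.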
UPDATE December 11, 2012:
I’ve received several emails from eVuln.com complaining about this blog piece:
I am concerned about your blog post. It influence our online reputation. I’m sorry about our letter, we just wanted to inform you about security issues in your website.
Since I did no more than state the facts, accurately, I’m not sure what they’re complaining about. In the unlikely event that anyone actually reads this piece and cares about what I wrote, I encourage you to visit the eVuln Labs website and draw your own conclusions.
Posted by geoff in FAIL, Gadgets
Well, 2011 has given way to the New Year, and AT&T have failed to fulfill their promise to upgrade the Android software on all of the 4G phones which they sold in 2011. Back in the summer I embarked on an experiment to see what life outside Apple’s walled garden would be like. The results are in: it sucks. Battery life is awful, system freezes are common (often with the phone feeling dangerously hot), and app management is broken (somehow I have acquired two copies of several apps). I could go on, but why bother?
The main takeaway from this is that Samsung and AT&T (and probably other carriers and manufacturers) haven’t understood that Apple changed the rules with the iPhone, by bringing the PC (and Mac) upgrade model to mobile communications. Backward compatibility is mandatory. Software and hardware upgrades are decoupled. Bugs are fixed. OS and app features are delivered regularly. I’m sure Google hoped that the Android ecosystem would follow this path, but if so they’ve completely failed to convince their partners.
So what to do next? Yes, of course I can root the device, find and install a ROM image of unknown provenance, etc. But I resent the need to do this*, and I’m distinctly uncomfortable doing so on a device which is used for corporate communications. I could dump the Infuse and buy an iPhone 4S, but after only 6 months on the contract it’s a relatively expensive proposition. And the final insult is that most of the tools for hacking Android phones seem to be Windows based, and I don’t have any Windows machines lying around.
File under #FAIL.
* And that’s assuming that I don’t inadvertently brick the device. For those who haven’t explored this stuff, here’s the simple version of the instructions for a popular ROM:
- Ensure you have both root and CWM. See the reference post if you do not have both of these.
- Copy ROM .ZIP to SD card
- Shut phone off. Hold Vol Up + Vol Down and Power on device
- Wipe Data and Cache (Wiping data will remove your installed applications and settings. You have been warned!)
- Flash CM7 zip
- Reboot. You will get stuck at Samsung screen. This is normal.
- Pull battery, and reboot into recovery (Hold: VOL+ VOL- Power)
- You should now be in ORANGE -OR- BLUE CWM
- Go to “mounts and storage”
- Select format /system
- Reflash CM7 zip
- Don’t forget Google Apps as well. You can get the gapps easily using Rom Manager -> Download ROM -> Scroll down to Google Apps. Google Apps download link is also at the bottom of this post
- Reboot into CM7 goodness, made possible by LinuxBozo
Wall Street and even some Apple fanbois were disappointed that Apple chose to release a minor upgrade to the iPhone 4 rather than a kick-ass, “this changes everything” iPhone 5. But I was delighted. Let me explain.
A few months ago, I decided to see what life was like on the other side of the “garden wall“, and I replaced my iPhone 4 with a Samsung Infuse 4G. Thin, big gorgeous screen, powerful CPU, bags of memory, the latest Android OS, and “4G networking” (whatever AT&T meant by that – certainly not LTE): I was determined to test “the best of the rest”.
Unfortunately, it has not been a great experience. The startup logo from AT&T exhorts me to “Rethink Possible”, and I have done so: I realize that it is possible that someone could create a crap product and try to compete with Apple.
What can I say about this puppy? (This is not a compliment: I’m not a dog person.) The battery life sucks. I’m lucky to get through 8 hours before the warning messages start appearing. OK, I’m syncing both IMAP and Exchange email in the background, but I’m usually in range of a WiFi AP. Often, I’ll take the phone out of my belt holster and it will be hot, as though it’s been running some CPU-intensive app, but Task Manager shows nothing running. Even so, the power just melts away. I’ve tried many of the apps that have been created to deal with this weakness of Android (and that should tell you something right there!), but nothing helps.
So of course I charge it whenever I get the chance, and at night I put it in a cradle next to my bed, with an alarm set. Unfortunately the phone insists on waking up, beeping, and turning on the screen when recharging is complete – usually at 3AM. This does not endear it to me or my loved ones.
There are lots of other annoying glitches, some of which are still mysterious. There is some package – not an app: no apps are running – which will occasionally vibrate the phone. If I power cycle the phone, it goes away. Because I receive corporate email on the phone, I’ve configured it to require a passcode to unlock it. However whether I have to unlock or simply swipe seems totally random.
But the most infuriating problem is the random hangs. I get one or two a week, and I usually have to power-cycle the phone by holding down the power button. Sometimes that doesn’t work, and I have to resort to sliding off the back case and popping out the battery. This evening, I encountered a new problem. I was riding on the Green Line under Boston streets; I fired up the Amazon Kindle app, and everything froze. I power-cycled the phone, and when it came back most of my apps were unavailable. Touching the generic icon produced the bizarre message that the app was not installed. Eventually I left the subway system, powered the phone off and on, and everything came up OK. From browsing similar accounts on the web, it looks as if Android needs to sync with MarketPlace on powerup. This is, obviously, absurd.
Yesterday I was just about ready to give up on this piece of crap, buy a new iPhone 5, and swallow my pride (and the penalty for early upgrade). But Apple came to my rescue by releasing the iPhone 4S, which is not quite compelling enough to make me switch back. Yet. So I’ll wait until I’m eligible for a penalty-free upgrade in January, 2013 (sigh!), or whenever the iPhone 5 actually appears. Thank you, Apple!
The amazing thing about this crisis is the extent to which suffering and responsibility are completely out of proportion with one another. If you think about the people who are really suffering in the developed world today, none of them were executives at major banks, none of them were politicians involved in the construction of the euro, none of them were senior financial policymakers in any government, etc.
…via Matt Yglesias at ThinkProgress
Like many people, I decided to buy an HP TouchPad last weekend. In my case it was mostly nostalgia: my first mobile wireless data device was an HP-200LX with a RAM Data Modem. But I digress. So last Sunday I went to Best Buy, and struck out. Fry’s ditto. So I came home and decided to try the HP online store. To my amazement, I was able to buy a 32GB TouchPad for $149.
Or so I thought.
That was August 21. On August 22, I returned to the HP site, and the entire online store had vanished. There was no record of my order, my login at a different storefront wasn’t accepted….
On August 24, after receiving a cryptic transactional email from HP I went back to the HP site. Now there was a link to a special page for customers who had bought over the weekend. I logged in, and saw a line item for my order, which was shown as having been placed on August 22. Clicking on the line item brought up a detailed order page, which showed that the item had been ordered on August 24, was due to ship on August 24, with an estimated delivery date of… August 24:
Of course the shipping information was blank. But it gets better. At the bottom of the page there was a link to Line item detail. This brought up the following gem, showing the estimated delivery date as August 26!
It is now August 28. None of the information concerning my order has changed since August 24. And (obviously) I haven’t received my TouchPad.
Anyone care to guess when it might arrive? I’m not holding my breath….
UPDATE: This just gets better and better. I tried to ask HP about the status of the order using their email tool, and got the following error:
UPDATE #2: Sunday on Labor Day weekend seems like the perfect time to update the order status – and someone at HP did exactly that! Apparently it’s being delivered today! (I’m not holding my breath.) Here’s the status:
In an uncharacteristic spasm of organization, I just piled up all of my t-shirts on the bed and sorted out the non-keepers. There were 33 of them. Quite a few passed the first test – “Do I like this shirt?” – but failed the second: “Am I really going to wear this in the future?”
I should probably go through the same exercise for the 411(!) iPhone/iPad apps on my computer. At the very least, I guess I should get rid of the iPhone versions of apps which I have in both formats (iPhone and iPad). But it’s hard for me to shake off the conviction that eventually I’m going to own an iPhone again. After the first few weeks of going Android, I feel that AT&T, Samsung and Google are going to have to work hard to keep me as a customer. (And maybe that’s the problem – all three of them have to get it right. Who is The Weakest Link?) Of course the current spate of lawsuits – Apple v. Samsung, Oracle v. Google, and LodSys v. everyone – may render the question moot. We’ll see. (I think that last sentence merits its own #FAIL tag.)
If you are reading this at geoffarnold.com (directly or via RSS feed), you can ignore it. Nothing to see here, move along, etc.
However there is a good chance that you’re seeing this text in some other blog or feed. There are many sites which monitor blogs for posts meeting certain criteria and then repost them, in whole or in part. I find that most of them cue off the “Atheist” in my tag line (or the fact that this blog is included in many atheist blog-rolls); others scan the posting for keywords like “Android” or “smartphone”.
None of this should be surprising, so why am I even bothering to write this? Well, I just came across a blog which reproduced an entire posting of mine (minus the formatting, links, and Creative Commons license) without any attribution whatsoever. The site in question is “In God We Lust dot com”. (I’m not including the actual URL; you can work it out.) I decided to write this posting simply to see how mindless the scraping bot is at that site. I’m including a statistically improbable phrase – strontium warhorse eaters – to make it easy to search for non-attributing scumbags.
So if you’re reading this and you don’t see a link back to geoffarnold.com, you now know what kind of site you’re looking at.
[UPDATE, 12 hours later] Looks like this scraper site is even more dumb than I thought. It’s pulling stuff off PlanetAtheism (which reposts my stuff with attribution) and reposting it twice. And it is possible to get back to my site: the link looks like a PlanetAtheism FeedBurner, but through some kind of magic it leads back to my original.
Speaking of PlanetAtheism, I would prefer it if they would post excerpts, with clear links, rather than reproducing full articles. I don’t rely on advertising, but many people do.
I’m starting to pull together plans for a business trip. The idea is that I’ll go to the Boston area for a meeting, fly on a couple of days later to Bangalore, then back home to San Francisco. A typical multi-city trip, reminiscent of my days at Sun. Naturally, I begin by visiting the travel sites: Yahoo Travel (powered in part by Expedia) and Orbitz. History suggests that the best schedule will probably involve multiple carriers….
But there’s a problem: each site offers only a few choices. After a moment, I realize that I’m not seeing anything from American Airlines (and precious little from their oneWorld partners). AA has decided not to play ball with the Internet travel sites, and they’ve reciprocated.
Fine: let me try the American website. This is a disaster. (Somebody teach AA about user interface design, quick!) How about their partners in crime, British Airways? That’s even worse: do they really expect me to do SFO-BOS via LHR?!
American may think that it makes sense to try to pull travellers from the aggregator sites to their own website, but doing this means giving up on the multiple city, multiple carrier market. I always thought that this was one of the most profitable segments in the airline business. Maybe there are too few of us for American to worry about, but alienating business customers seems monumentally stupid.
One of the nice things about the iPod/iPhone/iPad/iTunes ecosystem is that all my apps and other content are sharable across my devices. I can browse the iTunes Store on my Mac or my iPad, find an app that I like, buy it, and after sync’ing it will be available on my iPhone. Nifty. And to do this, I simply need to use my iTMS account password on all of the devices I use.
But sometimes this is not the behavior that I want. Take my current project: to prepare an iPad as an ACS device for Tommy. I want to install a couple of apps on this device, and I want any members of the family to be able to update those apps as needed. But I don’t want everyone having access to all of my apps, and I certainly don’t want to give everyone my password.
The solution seemed obvious. I’d create a second iTunes account, with a new name (email address) and password. Initially I’d link this to my regular credit card, and I’d buy the necessary apps. Then I’d link the account to a restricted credit card number – something like Bank of America’s ShopSafe – and I could hand over the password secure in the knowledge that the iPad could not be used to compromise my primary account or to buy lots of apps.
Seemed obvious. The only problem was that it didn’t work. Worse, both my new iTMS account and the old one were locked out, with iTunes reporting that my credit card had been declined. I called my card provider. “No, no problem here. No holds, no unexpected transactions.”
There was another unexpected side-effect. I’d purchased the new iPad at the Apple Store in Palo Alto, and told them to email the receipt to me as usual. Normally the email arrives very promptly (sometimes before I get home), but on this occasion it was delayed for a few hours. And when it was sent out, it went to the email address corresponding to the new iTunes account. It looks as if the Apple Store billing system simply picks up the last email address that was used in any kind of interaction involving your credit card number….
I decided to contact Apple. It turns out that the only mechanism is to use email via a web form. I submitted two complaints, one for each account. I got auto-generated email acknowledgments for both, followed by a bland “we’re looking into it” for just one of them. (They’re probably going to miss their advertised SLA on the second.) And then I searched the Apple support forums.
There were hundreds and hundreds of complaints about this issue. One of the many discussion threads was over 14 pages long. The impressions that I took away were of a system with hair-trigger fraud detection and a completely inadequate customer service model to cope with the inevitable false positives. I was hoping for something of the quality and responsiveness of Amazon.com, but this feels more like AT&T. (Sorry, that’s unfair to AT&T.)
Just before I wrote this blog piece, I tried to buy a $0.99 app on my iPhone. The credit card was declined: they still haven’t sorted it out. I’m tempted to create a brand new account for Tommy’s iPad, with a new Yahoo Mail address and a different credit card. However there’s no way to delete an account, so it’s unclear if this would help.
UPDATE: My primary iTunes account has started working again. Haven’t had a chance to check out the secondary. No email from Apple, despite their assurances. (Not even an automated “ticket closed” message.)