Android Web Market Review

This afternoon Google held an event focused on Android, specifically Honeycomb, its tablet-centered version of the Android operating system. There were several neat things that were shown off. I will let Engadget provide you with the specifics if you are interested: here, here and here.

One other thing before I talk about the new Android Market in the browser. Google chose to stream this event live, for free, for anyone with a browser and a copy of Flash. Proving Google is all about being open, this was open to all devices (well, nearly). You could even watch it live on your iPad if you watched the TWIT stream, which was in a non-Flash format. The main stream looked and sounded great. This is really the way it should be and I applaud Google for making their event viewable for all.

For me the biggest thing announced was the new Android Market. This is in your full-size browser on your computer. This is unique; the competition doesn’t have this feature and instead forces you into their walled garden that is iTunes to buy or browse your apps on a computer. This requires you to be at your computer. The Android Market has nothing like this, proving Google’s openness. You can download apps from anywhere you have a desktop and cell service: at the library, at work, at a friend’s house, you name it. Use any old computer, find your app in the web browser, press install and you’re done; more on that in a minute. The design of the new store is clean and fresh. It has large graphics, screenshots of the application, a description and then user reviews. It also has a related apps bar on the side. The website also has featured apps and the ability to search for applications and then filter your search results by lots of things such as price (Free or Paid) etc.

The neatest thing is the ability, once logged in to the store, to do one-click installs and purchases all from your computer. It is very simple. First you find the application you want to install, next you click install. You are presented with a screen that shows what services this app uses and you have to agree. If this was a paid app you are then presented with what your funding source is. Click OK and the payment processes. Now within about 3-4 seconds the app is pushed to your phone. The download and install starts automatically. In your Notifications menu you will notice a small down arrow to show you are downloading the file, just like if you downloaded any application. It then installs and that is it. The website also allows you to link to specific applications with emails or IM. There is even a direct Tweet button on the page of every app so you can easily publish apps to your Twitter stream. No longer do you have to share the name of the app and how to get there with your friends; you can just give them a link.

In-app purchase is not a huge thing for me but it is for developers. In the past it has been hard to do and as a result many developers believed the marketplace did not work for them. Now that this is available it helps to solve these problems. It also shows that Google is listening to developers and making changes to improve the process so the Android ecosystem continues to grow and flourish.

The web Android Market is a game changer for Android, its users, and developers. I predict app downloads will increase greatly just because it is so easy to try apps. It is also much easier for payment of apps as well since you can easily change your payment source. I showed this to a few people at work today and they were blown away with how easy it is. Apps kind of scare some people, but now they feel more comfortable because things are larger and the experience of using a web browser is better than on the small screen of your phone. You can open many tabs now in your browser when comparing like apps too. It’s slick and just works! Way to go Google, keep up those innovations!

Some screenshots of the process.

An App’s Homepage

What happens when you click install

Install screen. Click OK and that’s it.

Solstice Lunar Eclipse

On December 21st 2010 a Solstice Lunar Eclipse occurred at 1:40am that was visible to the USA.  This was a quite rare event.  According to NASA a lunar eclipse occurred on the same date as the winter solstice only once before, in 1638.  Thankfully we will not have to wait another 372 years to see the next winter solstice lunar eclipse which will occur on December 21, 2094.

I have tried before to photograph various eclipses without much success. Being at night in the winter in Nebraska it can frequently be cloudy or just too cold to go out at 2am to take a few photographs. This morning was different. It was relatively warm, 28F with no wind and clear. Before going to bed I set my alarm to get up and snap a few photos. I am lucky because my street has very few street lamps and my neighbor’s Christmas lights were off by the time the eclipse was occurring; because of this I sat right outside my front door to take the photographs below.

To capture these photos I used my Canon 7D in manual mode, Sigma 70-200 F 2.8, Manfrotto tripod, 3rd party remote. I turned off automatic focus because I was trying to focus on such a small area of the sky.  I used Live view to frame the shot because it was easier to see at this angle and I was able to magnify the image 10x to get the focus tack sharp.  This really worked well with a combination of apertures, shutter speeds and low ISO settings.  Enjoy my photos below.

Visit my Flickr Stream for more of my photos: http://www.flickr.com/photos/eos_liquidretro/

If you want to know more about this eclipse NASA has a great webpage about it: http://science.nasa.gov/science-news/science-at-nasa/2010/17dec_solsticeeclipse/

Other photos from around the world can be found here: http://www.huffingtonpost.com/2010/12/21/lunar-eclipse-2010-photos_n_799618.html#212892

Firesheep Vs Blacksheep the new security threat

Over the past several months or so, the Internet has been abuzz about sheep, yes sheep. Let me explain. On October 22 2010 at ToorCon 12 http://sandiego.toorcon.org/ a Firefox plugin was released called Firesheep. Firesheep is a tool that makes HTTP session hijacking (also called sidejacking) very easy. The tool allows the attacker to capture the session cookie and then log in using that cookie to have full control of the account to do things such as change your Facebook photos, update your Twitter status, etc.

The primary attack vector is on open WiFi hotspots, like those in coffee shops, airports, and other public places. This is not an exploit in Firefox or your operating system, but rather the problem of open WiFi and the website you’re connecting to. Firesheep does nothing new and cannot be patched. This can be done with any packet sniffing tool for your platform. What it does do is make it very easy for just about anyone to launch a Firesheep attack on an open WiFi hotspot.

Solutions
The ultimate solution to end all Firesheep attacks is the use of SSL on more than just login pages. On most websites the website must first make the internal changes and then the end user must turn the feature on with a setting change. This is not ideal (it should be on by default, but it’s better than nothing). Facebook says they are evaluating implementing this. The first major website that has made changes (Source) to protect its users from Firesheep is Microsoft with Hotmail and many of the other Live services. However this setting is not on by default; users must enable it in their settings. I hope that with time all websites with private or user data will make this change a default, like Google has done with Gmail.

Many web companies cite the increased cost in implementing full time SSL connections for their users.  While it is true that an SSL connection does increase the server load the difference is very small.  Google was really the first major Internet service to move a very large service to be encrypted with SSL by default for the entire session with Gmail. A Google engineer has talked about the cost of switching over to full SSL for all Gmail users in this blog post here http://techie-buzz.com/tech-news/google-switch-ssl-cost.html

“all of our users use HTTPS to secure their email between their browsers and Google, all the time. In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.”

They concluded that there was not a significant increase in cost or server utilization by implementing this. That being said Google has a ton of servers and a lot of resources to work with so this may not be true for every website.  However the myths of the past that this would be an incredibly expensive process and not worth it are simply not true anymore.  Implementing SSL for the entire session (versus just at log-on now) is the only true solution to this problem.  Many websites say they are working on this now and plan to implement it.  This is a good thing.
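The difference between SSL only at log-on and SSL for the entire session, as an added example (not from the original post): the Python sketch below replays a constructed browsing session and lists every request in which the session cookie crosses the network unencrypted. The host `social.example`, the cookie name `session_id` and the one-host cookie jar are assumptions made for the illustration; the `Secure` cookie attribute it checks tells the browser to send that cookie over HTTPS only.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample traffic for a hypothetical site (not captured data).
# Site A uses SSL for the login page only, then drops back to plain HTTP.
LOGIN_ONLY_SSL = [
    {"url": "https://social.example/login",
     "set_cookie": ["session_id=3f9a1c; Path=/; HttpOnly"]},
    {"url": "http://social.example/home",
     "set_cookie": ["theme=dark; Path=/"]},
    {"url": "http://social.example/photos"},
]

# Site B keeps the whole session on SSL and marks its cookies Secure.
FULL_SESSION_SSL = [
    {"url": "https://social.example/login",
     "set_cookie": ["session_id=3f9a1c; Path=/; HttpOnly; Secure"]},
    {"url": "https://social.example/home",
     "set_cookie": ["theme=dark; Path=/; Secure"]},
    {"url": "https://social.example/photos"},
]


def cleartext_cookie_exposure(exchanges, session_names=("session_id",)):
    """Return [(url, cookie_name), ...] for each time a session cookie
    travels unencrypted, in request order.

    Simplified model (assumption): one host, one cookie jar, no Domain,
    Path or expiry handling.
    """
    jar = {}       # cookie name -> True if it carries the Secure attribute
    exposed = []
    for exchange in exchanges:
        url = exchange["url"]
        plaintext = urlsplit(url).scheme == "http"

        # Request: the browser attaches stored cookies. A cookie without
        # Secure is also sent on plain-HTTP requests.
        for name, secure in jar.items():
            if plaintext and not secure and name in session_names:
                exposed.append((url, name))

        # Response: store any cookies the server sets.
        for header in exchange.get("set_cookie", []):
            parsed = SimpleCookie()
            parsed.load(header)
            for name, morsel in parsed.items():
                jar[name] = bool(morsel["secure"])
                # A session cookie issued over plain HTTP is visible too.
                if plaintext and name in session_names:
                    exposed.append((url, name))
    return exposed


if __name__ == "__main__":
    for label, traffic in (("login-only SSL", LOGIN_ONLY_SSL),
                           ("full-session SSL", FULL_SESSION_SSL)):
        hits = cleartext_cookie_exposure(traffic)
        print(f"{label}: {len(hits)} cleartext exposure(s)")
        for url, name in hits:
            print(f"  {name} sent in the clear with {url}")
```

In the login-only case the password itself is protected, yet the cookie that stands in for it is readable on every later page load, which is exactly what Firesheep collects.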

Here are some solutions that you can do to prevent being a victim of a Firesheep attack.

Be aware of the network you are on.
Know that if you’re on an open hotspot you’re vulnerable to attack. It’s probably not the best idea to be logging into sensitive websites, checking email, Facebook, paying bills, etc. If you do need to do these things consider some of the options below.

Use a minimum of WPA encryption.
While everyone in their homes should be running a minimum of WPA (preferably WPA2), many businesses and other public places offer free WiFi that is unencrypted. Users need to put pressure on business owners and administrators to implement the WPA protocol to protect users. WPA offers an individually encrypted session between the user and the router by default. This does not protect you 100% but protects you from local Firesheep attacks, which are the main threat. Many businesses have in the past not wanted to do this because of not wanting to be asked thousands of times per day what the password is or dealing with any complications; however it must be done today because of this and other security risks. Listening to Security Now podcast #273 they came up with a great solution: put the password in the SSID. For example the SSID might be (Joe’s Coffee Free WiFi-Password = Joe) or something similar. This would allow a user who is browsing for the free WiFi to see the password and be secure. It was suggested that the best way to do this would be to demonstrate the attack to a shop owner; heck, maybe you would get a free drink out of it too.

Use SSL
Some websites have the option to force SSL (Secure Sockets Layer) through the entire session but do not have it turned on by default (Microsoft Hotmail, for example), so enable it. This can be enabled on the security tab of the settings page. Regardless of whether you’re on an open or encrypted hotspot, SSL protects you and is the ultimate solution.

Sign Out
Signing out is something everyone should be doing anyways.  Since this tool exploits a session cookie, if you end your session, the cookie that the attacker may have caught becomes worthless.  It is also just the proper way to close a session and is a must on any public computer.

HTTPS Everywhere
HTTPS Everywhere is a plugin for Firefox that is produced by the Electronic Frontier Foundation (EFF) that forces encryption with many major websites. The EFF is a foundation whose goal is to defend your digital rights. This includes Net Neutrality, privacy and security. Many websites support full HTTPS traffic but make it difficult to use. HTTPS Everywhere makes this process nearly seamless for the websites it supports. This is a project that is still in development but is stable and works well. I have been using it for a few weeks now and noticed no ill effects. It works on the following websites: Google Search, Wikipedia, Twitter, Facebook, bit.ly, GMX, WordPress.com Blogs, New York Times, Washington Post, Paypal, EFF, Tor, Ixquick, and others. You must install this plugin directly from the EFF’s website https://www.eff.org/https-everywhere as it is still in beta. Once the plugin goes to a 1. release I expect to see it on Mozilla’s plugin page as well. I hope they will be coming out with a Chrome version soon as well.

Blacksheep
Blacksheep is a Firefox add-on that monitors for Firesheep activity on the network. It does this by broadcasting fake credentials to sites that are known to be targeted by Firesheep, and then when someone does try logging in with these fake credentials it alerts you with a drop-down box in the browser. It is little more than a notification and offers no real protection to your personal information. You can download it here if you are interested http://www.zscaler.com/blacksheep.html

VPN
VPNs offer secure tunnels back to a connection that you trust such as your home or office. All traffic will flow through this connection so you avoid someone who might be spying on the open hotspot at the airport you’re on. They require some setup but are what enterprises use to securely connect users back to the office. They work just as well for the average user. There are many free and paid ways to do this, so here are a few free ways to do it: OpenVPN, and other options compiled by Lifehacker http://lifehacker.com/5487500/five-best-vpn-tools

In conclusion this is a big deal. Everyone should be aware of it as you travel this holiday season.  Often times travelers hunt out free WiFi connection anywhere they can.  Open WiFi is dangerous, it always has been but with Firesheep it becomes much easier for someone to exploit for nefarious reasons. To protect yourself, consider setting up a VPN connection to your home, if you must use open WiFi connections to check sensitive email or social media websites.

Other Sources not specifically listed in the article but used
http://www.grc.com/sn/sn-273.txt
http://techie-buzz.com/tech-news/google-switch-ssl-cost.html
http://codebutler.com/firesheep
http://www.slate.com/id/2275850/pagenum/all/

Adobe Reader X Quick Review

I originally wrote this article for HijinksInc.com
_________________________________________________
Background
Last week Adobe released a new version of Adobe Acrobat, version X.  This is a new version of the program that many of us use every day.  In the past people shied away from new versions of Acrobat reader because over the years the program had become bloated and slow.  However this new version offers important security benefits and speed improvements that make the upgrade worth it.

As many people know, Adobe Reader has become one of the favorite attack vectors for hackers and malware over the past few years for a number of reasons, including:

  1. The install base is huge! Most new PCs come with it preinstalled; if not, almost everyone needs a PDF viewer and Adobe’s is the most popular.
  2. The quarterly updates that Adobe releases are too slow and infrequent. Only if an exploit is really bad does Adobe decide to do an out-of-cycle update. Even with these updates few people know that the program needs to be updated. The automatic updates in version 9 have been better but still seem to fail most of the time. Manual updating seems to be required.
  3. The ability to run things such as JavaScript in a PDF exists and is on by default. Almost no one needs this feature, and it represents a large attack surface.
The Good
Security
The biggest feature of version X is the introduction of a Sandbox.  A sandbox provides isolation  of the program from the operating system, to lessen the chance of security exploits.  Adobe does a great job in explaining all about the sandbox features in these two blog posts, Sandbox Post 1,  Sandbox Post 2, Sandbox Post 3, Sandbox Post 4.  This is such a big thing from a security angle that the SANS institute has recommended that everyone install Adobe Reader X to get this feature.  https://isc.sans.edu/diary.html?storyid=9976

Speed
Surprisingly this new version is faster than the old version 9.  It appears to be less bloated and quicker responding.

Other changes
I noticed the voice that will read text to you if you want seems to be more like a human. The flow is greatly improved. The interface has been tweaked slightly to have more of a beveled edge, silver stainless steel look. I like it. It’s nothing revolutionary but a nice, clean change. The updater also now allows you to set it to automatically download and install updates. Hopefully this works well and allows the program to stay up to date without much user intervention. I do hope Adobe changes their company policy and moves to a monthly update policy on the second Tuesday of the month, like Microsoft. This will make the task of corporate administration much easier on the administrator.

The Bad
By default two security settings are on, when they should be disabled for increased security.  They pertain to features that a very, very small percentage of users actually use.  If for some reason you needed these someday you can easily turn them on, but for maximum security they should be off.  Adobe has even recommended doing this when the program has had problems in the past.
So to disable these settings, go to Edit > Preferences, then on the left-hand side choose JavaScript, and at the top of the page uncheck the box that says “Enable Acrobat JavaScript”.

The second option that needs to be changed is under this same menu. Choose Trust Manager on the left-hand side of the page, then at the top of the page uncheck the box that says “Allow Opening of non-PDF file attachments with external applications”.

The other bad thing is that despite these new security features the very people you are trying to keep out are trying to take advantage of this new release to push their spamware, most of it dubbed “Adobe Acrobat 2010”. THIS IS FAKE and Malware, DO NOT INSTALL. The SANS institute has a nice post about this as well, even with photos! https://isc.sans.edu/diary.html?storyid=9982

In conclusion when combined with the new security features and increased performance this seems like a great thing to have if you like the official client.  Here is a direct download for Windows ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.0.0/en_US/AdbeRdr1000_en_US.exe

Offutt Air Force Base Air Show 2010

The annual Offutt Airshow this year was on August 28th and 29th.  I went on the 29th with @Rossnelson and had a great time.  Security was really tight, we had to go through metal detectors and then most people were wanded after, they did not give second chances of removing more metal to go through again.  They were also  not allowing bags in so I had to carry my camera around my neck the entire day and only bring one lens.  I brought the 70-200 and was glad I did.  One last thing about the security was that Ross was wearing a t-shirt from the band Bad Religion and he got a talking to going through security about it.  The guard thought he might be trying to make a political statement and said he may have to turn it inside out if asked to do so. Luckily other service men knew of the band and let us through.  Security was nearly as tight as an airport.  I guess this was because we were on an active air force base.

The day was long and hot; people took cover as the day went on under the wings of aircraft. I loved seeing people sitting in lawn chairs under the huge wings of a B-52 or under the fuselage of a B1. We walked around and saw all the static planes, which were too many to list. We then watched the aerial show, which was good. My favorite by far was the F-22 Raptor. It was such an impressive fighter plane. The thrust vectoring really made it very maneuverable and agile. It also was so stable at any speed, it seemed.

This was the first time shooting anything similar to sports with my Canon 7D. I used AI Servo and a combination of Auto focus Expansion when on the center point. It put emphasis on the center point (or wherever you wanted it) but also included one above, below, left and right. It worked well for slower moving planes. For the really fast ones I used the new zonal function AF selection and chose the center group. This grabbed the center 11 points and used them. As long as you kept the points on the object and the AF drive engaged (I did this manually with the AF button) it worked well. I was amazed at how well it would track planes coming at you quickly or going away from you. The hardest part was panning quickly enough to keep it in frame. For sports this camera is a huge step up from my old Canon 20D.

Here are a few photos from the day; more can be seen at Flickr in this set here.


Granada – Al Alhambra

Wednesday we went to visit Al Alhambra. Al Alhambra is a Moorish military post that includes an impressive palace and grounds. We visited the gardens first and they were very impressive. The entire complex has water features all over it which are fed from the melting snow up on the mountain top and brought down to the palace and grounds by an aqueduct system built by the Moors. Water in the Arabic culture was one of the most important things to the existence of life. Al Alhambra and the gardens feature a great deal of water, many fountains, basins, gutters, to harness the power of water. That evening we went back to tour the main palace. Inside were very detailed and amazing carvings and decorations, and many of the rooms had fountains in them.

Health Update: The guys are on the mend but still feeling a little bit of the bug; the girls on the other hand are feeling the worst of it, and are staying back at the apartment while the guys go out and explore Sevilla. We hope tonight to take in a Flamenco show in Sevilla.

Toledo Part II

Here is a quick update with a few more photos from Toledo. We summed it up pretty good in the previous post about what we did, but here are a few photos from the ride around the city. The train station in town is very impressive. All of its windows are stained glass and much of the inside is decorated with detailed colorful tiles and woodwork. We are currently in Granada and the last photo of this post is from the train ride from Madrid to Granada. Time provided I will be posting a blog update about Granada in the next day or two.

An update on the health of the family. Steve and Jon are both getting better with antibiotics. The girls in the family think that they might be catching it too but only time will tell. Right now we are all trying to get lots of sleep in between sights.

San Isidro festival and Toledo

On Saturday we went to the San Isidro festival in Madrid. San Isidro is the city’s patron saint so they have special activities and most of the city shuts down for the day. We went to the park and walked around with thousands of other people, taking in the sights of the vendors and people in traditional costumes. It was similar to a fair. There were many different stalls with traditional foods as well. It reminded us of Czech days in Wilbur, NE, but much bigger.

Then that night we walked up to the Gran Via (a large street with lots of retail shopping and businesses, kind of like Michigan Avenue). That night it was a celebration of its 100 years. We lucked in to being in exactly the right place to watch a ten minute long light show that was projected on the large Telefonica building. It detailed the history of the Gran Via and the Telefonica building. Jon got video of the entire thing and will post it here when we get back home.

Toledo
Jon came to Toledo in high school as part of a short foreign exchange program during spring break in 2006. He stayed with the Canto family while he was in the city and we had plans to meet them once again for a night of Tapas. However, Steve has been sick most of the trip and had been getting worse. It is not possible to find a clinic here and you must go to the hospital if you want medical care on the weekends. Julia and her family met Steve and Jon at the hospital. Julia acted as translator for the doctors, who did not speak any English. He has a massive infection, and they even called in an ear specialist. Julia says they called him “pobrecito” and said he must have been in quite a lot of pain. They gave him a prescription for pain killers and antibiotics. The night with the Cantos was able to continue as planned, and we hope they are able to come to Nebraska some day. They were invaluable at the hospital and treated us to wonderful local tapas, wine, and great company.

This morning Jon woke up feeling sick as well. However, when we went to the pharmacy they were willing to give us as many antibiotics as we wanted. The price for them was also extremely low; the pharmacist said that many people from the United States come and ask for 15, 20 boxes so they can stock up.
We went to the Cathedral and Toledo and also took a little tourist train ride around the city to get better views of the surrounding countryside. It has all been very beautiful.

Photo & Video update 31.5 GB 1200 Files

This post was ghost written by Christine