Could I have been doing some drunken internet shopping? It has only happened once before, and it’s a long time ago. I watched an excellent movie, Deep Rising, after coming home from a long night out and decided I just had to buy it on DVD. It was impossible to come by in Norway, but luckily I managed to dig it up in an obscure American online store. A few weeks later the DVD arrived in the mail. With P&P, import tax and an unfortunate exchange rate, the price of the thing easily exceeded three times the normal price of a DVD. And after seeing the movie again I learned a hard lesson in life: Drunken internet shopping is a really bad idea. The movie was crap.

If I had been riding the plastic VISA dragon again, this registered packet from Amsterdam could potentially contain anything. Maybe it was a tiny prostitute or some dope?¹⁾ Should I worry about plain clothes cops hiding in the snowdrift outside the post office?

As it turned out, I had nothing to worry about. Of course. What I received was my RIPE Atlas probe. RIPE NCC is an independent, not-for-profit membership organisation that supports the infrastructure of the Internet through technical coordination and it’s located in – you guessed it – Amsterdam.

With the Atlas, RIPE is building the next generation active Internet measurement system. It is currently in the prototype stage and will eventually scale up to thousands of measurement nodes distributed around the globe. A probe is a tiny hardware device that runs measurements in the RIPE Atlas system and reports these measurements to the data collection components. I’ve now connected one of the nodes to my network to feeds the Atlas with relevant measurement data. Or all my passwords and credit card numbers.

I’m not doing this only to do RIPE a favor. I’m suspecting the my ISP has overbooked their bandwidth capacity considerably in my area: Last week I was at home sick for a day and around noon I started a download that sped through at maximum speed. As one should expect, since I do, you know, pay for that speed. In the evening, however, downloads tend to just crawl along. The most likely culprit is someone with way too much warez to share. I suspect the downstairs neighbors; I’m pretty sure I can hear the PSU fans of a server when I walk past their front door.

With the Atlas probe I’m hoping to extract some measurements that show ping values skyrocket and bandwidth measurements plummet in the evening. It’s nice to have some sort of data when sending that angry (but polite) old-cranky-man e-mail to the ISP. And if I don’t get the data I want from the probe, I’m still contributing to the RIPE Atlas. If you also want to connect a probe to your network, you can use this form.

1) Just to clarify; I’ve never order neither (tiny) prostitutes nor dope (on the internet).

Encryption is the key to safe wireless internet usage and while all wireless routers available today support a range of different encryption standards, many are configured with no encryption or very poor encryption by default. As an example, let’s have a look at the wireless access points that are visible from my apartment.

No less than 16 wireless access points are in range of my computer. I found them by using a tool called inSSIder, which anyone can download and use to scan for available wireless access points. It basically does the same as your operating system when it searches for wireless networks to connect, but the information collected from the networks found is displayed in a very convenient way. The main point of interest here is the Privacy column, which tells us what kind of encryption each network uses. There is one network with no encryption at all, 6 with WEP encryption, 3 with WPA encryption and 6 with WPA2-AES encryption (displayed as “RSNA-CCMP” in the table). As you can see, the WPA encryption comes in two flavors; WPA-AES (WPA-CCMP) and WPA-TKIP.

Initially, the network without encryption seems like an interesting one: It will give you free internet access by simply connecting to it. Personally, I get a little nervous when I see an open wireless network like this. It might be tempting to use it, but in some cases it’s a trap!. Someone might have set up this honeypot to lure you to connect to it just to record everything you do while connected. And by everything I mean everything: usernames, passwords and credit cards numbers – every single piece of data that is transmitted between your computer and the internet. Remember that free wireless internet you use at the coffee shop and the pizza place? It might be that you are connecting to a honeypot, not the free wireless network. And even if you are connecting to the coffee shop’s network, anyone can eavesdrop on the connection as long as the connection is unencrypted. This is the reason why I never connect to an unencrypted network and neither should you.

6 of the networks above are encrypted with WEP. In terms of communication security, WEP encryption is almost as unsafe as a network with no encryption at all. A quick search on Google shows you just how easy it is to crack the WEP passphrase and eavesdrop on the traffic on a WEP encrypted network: This means that if your network is encrypted with WEP and there’s someone within range of your network who wants to know what you are doing on the internet, he or she is probably listening in right now. Is your ex hiding in the bushes with his laptop? Even if that’s not the case, you should immediately change the encryption on your wireless network to something else than WEP.

WPA might seem tempting. But no. WPA can also be cracked fairly easy, even if it’s considerably more complicated than cracking WEP encrypted networks. Even though some Japanese scientists did it in one minute (PDF), most people wanting to crack an encrypted network will target WEP encrypted networks because it’s so damn easy. To stay as safe as you can today, switch to WPA2-AES (might be WPA2-CCMP on some routers) and create one hell of a passphrase. It is possible to crack WPA2-AES, but it requires a lot of computer power and password guessing. By using a non-dictionary password you can be fairly safe that no one will be able to eavesdrop when you surf on your wireless internet connection.

Personally, I’m using WPA2-AES with a 64 character long password. It makes me feel safe, but annoys the hell out of everyone who visits and want to connect to the internet.

Worth it.

Since I wouldn’t mind making money by sitting at home surfing the interwebs all day while writing the occasional rant, I decided to add the necessary information Google needs to display both review and author information every time a search result contains a link to my site. Unfortunately, Google doesn’t just start to index the new information automatically, you have to fill out a form and submit your site for manual addition to the sites they display metadata for. But as soon as everything is configured, I can just sit back, relax and watch the money come flowing in.

Great stuff. In other site-related news, I’ve fixed the last.fm information in the footer so that it looks good not only in IE and Opera, but also in Chrome and Firefox. People have told me these are popular browsers. The number of views per entry has also been reintroduced, after I discovered the functionality could be combined with WP Super Cache. I’m not sure how well it works, though, because the numbers I see in Google Analytics and the views recorded by WP-PostViews are not the same. And on top of all this, a nice set of stars are displayed on every review I write.

I spend way too much time tinker with this site.

So why did you have to invite that other guy to the party? And not only did you invite him, you insisted I had to be his friend just so I could continue to spend time with you.

I’m of course talking about he unholy relationship between Spotify and Facebook. As of last week, Spotify began to require every new subscriber to have a Facebook account. Since I’m a long time Spotify subscriber, it didn’t actually affect me as current subscribers did not have to comply to the new requirement. But the concept that you need to have an account on a social network to be able to pay for a music service is just absurd. It’s like a grocery store demanding that you show them your pilot’s license before they’d sell you a loaf of bread.

All right, so not the best comparison, but you get the idea. Because of Spotify’s tight and unnatural integration with Facebook, I decided to move to another music service that should, theoretically, give me more or less the same service for the same monthly fee: A subscription service with millions of tracks available using a PC client and an Android client with offline mode. Same shit, different wrapping, basically. The service is the Norwegian WiMP (Wikipedia article).

Before I start this rant, I should tell that I once had very tight connections with Aspiro Group, co-creators of the service. A few years back (does time fly!), Aspiro Group bought a company I co-founded and I ended up sharing office space with the people building the WiMP service.

Anyway.

Even though Spotify and WiMP are theoretically the same type of service, they are also very different. Their choice of technology, streaming quality, editorial approach and the track availability make them stand light years apart.

WiMP scores high when it comes to how they present the music. There is a lot of effort going into making playlists, campaigns and presenting new releases. They also have some great music that is not available on Spotify, for instance Pink Floyd. The problem for WiMP, however, is that Spotify crush them in every other aspect:

Cross-platform

WiMP has decided to use Adobe Air to create a client that works on every platform supported by Adobe Air: Windows, OS X and Linux. This might have sounded like a great idea once, but the main problem with cross-platform frameworks is that you sacrifice performance for the convenience of not having to port your code to various platforms. Compared to Spotify, the WiMP client feels sluggish and non-responsive.

Sound quality

WiMP streams in 64 kbit/s HE-AAC  and 256 kbit/s AAC, while Spotify has chosen Vorbis as their codec, streaming in 160 kbit/s and 320 kbit/s. I don’t know much about codecs and I’m not audiophile, but the Spotify streams sound better to me (even before I learned the actual codecs and bit rates used).

Track availability

Spotify has 5 million more tracks in their archive than WiMP. When I imported my Spotify playlists in WiMP some of the greatest tracks got lost in translation. It’s great that they have Pink Floyd, but in my opinion, diversity is more important than having the big names.

Streaming technology

WiMP uses a classic client-server approach, while Spotify is using peer-to-peer technology. Peer-to-peer has both pros and cons. On the con side, other people are hogging your precious bandwidth. On the pro side, the buffering time is close to nothing and changing tracks and fast forwarding is practically happening as fast as it would if you were playing local music files. Using WiMP it’s sometimes very obvious that you are using a client that has to wait for a server somewhere to spin up a disk.

Android client

The WiMP client is more feature rich than the Spotify client. It has a better search system and you get the feeling that the music is a lot more available than on Spotify. Also, both clients have offline modes, which is a must for me. The shuffle feature on the WiMP client  actually works, which is not the case for Spotify¹⁾. So, all in all, the WiMP client should feel better than the Spotify client, yes? No. There are two things that seriously grinds my gears with the WiMP client. First of all, it doesn’t support play/pause and skipping tracks with the headset button. What the hell is that all about? In addition to this, you can’t be logged in on the mobile and the desktop clients at the same time. I used this a lot on Spotify: Listen to a great album on the desktop client, add it to a playlist and then log on to the mobile client to make it available offline. With Spotify, you’d only run into trouble if you actually started playing music using both clients, but with WiMP you’re not even allowed to log in with the mobile client before the desktop client logs you out.

Final thoughts

But in spite of all this, will I go back to Spotify? Unless the lack of support for the headset button²⁾ in WiMP drives me mad, I won’t. The only way to tell companies, in this case Spotify, that they have made bad a decision is to talk the only language they understand:

Money.

In my humble opinion, however, WiMP will have to have a good look at their choice of coding tools, streaming technology and quality if they have any ambitions of competing with Spotify. And a re-branding should also probably be considered – WiMP? Really? Yeah, I know it’s an acronym, but who wants to use a service calling itself a wimp? Excessive lack of confidence isn’t really that attractive.

1) Even though you never managed to implement a proper shuffle function: Shuffle playlist, playlist stops after three songs. Man, I can’t even begin to describe how annoying that was.
2) In case anyone working on the WiMP Android client is reading this, here’s the key event code used for the headset button: KEYCODE_HEADSETHOOK. Off you go to your computer, then.

That companies with millions and millions of registered users are unable to keep our information safe is rather disturbing. But a major side effect of one compromised account is that there is a good chance you’ve used the same username and password for a lot of other services as well. Someone gets their hand on your login information at Sony and they automatically gets access to your other accounts: Facebook, Flickr, Dropbox and PayPal. Crap!

One solution is to use a unique username and password on every site. But can be very inconvenient as the number of accounts increases. Another solution is to use two-factor authentication.

One way to implement two-factor authentication is to require that the user has access to a token that only the end user has access to. An example of this is a credit card with a PIN code. You need both to get money out of an ATM, with only one of them you can’t. Another way is to use a password together with a one-time code provided by a token. This is supported by WordPress, and it is a great way to secure your account. Here’s how you do it.

1. Install Google Authenticator on your phone (Android version 1.5 or later, BlackBerry OS 4.2 – 4.7, iPhone iOS 4 or later)
2. Install and activate the Google Authenticator WordPress plugin.
3. In WordPress, go to the users configuration, enable Google Authenticator login for your user and follow the instructions.

Easy as pie. Now anyone who wants to access your account need your username, your password and the one-time code. It’s very hard for them to get their hands on all three.

The flip side of things is that if you misplace your mobile phone you are screwed and will be unable to log in to your account. If you run your own WordPress installation, this can be resolved. You can dig down in the wp_usermeta table in the database, find the googleauthenticator_enabled setting and change its value to disabled. This SQL statement should enable you to log in again without using the Google Authenticator code. Replace XXX with your own user_id:

UPDATE wp_usermeta 
SET meta_value = 'disabled' 
WHERE user_id = XXX AND meta_key = 'googleauthenticator_enabled'

The Google Authenticator field will be visible during login, but you don’t have to enter anything.

Another unfortunate side effect is that you can’t use the WordPress for Android application because it doesn’t support two-factor authentication. Since this entry was written, the author has added support for the WordPress for Android application.

Amongst the new features are offline web application support, at the time of writing implemented by all the major browsers except for Internet Explorer. For the users of browsers that do support this feature, however, it means that parts of (or your entire) web application can be made available to them even if they for some reason are offline or if your production servers have taken a dive and the website is down. Of course this never happens in your production environment, but this can still be a good thing to know about offline web application support in HTML5 in case you have a friend who you suspect might find himself in this unwelcome challenge some day.

When a user visits your web application, the browser will check the HTML pages for a reference to a cache manifest file and if the reference is found, scan the file for information on how your web application can be cached offline. Naturally, this means that the user will need to visit your web application at least once for the client to save it for use in offline mode.

Adding offline support in your web application is surprisingly easy. It all starts out with some HTML editing. In your index.html file – or some file that contains an <html-tag>, I’m guessing you’re using some kind of template system – add a manifest attribute, like this:

<html manifest="/cache.manifest">
...
</html>

You’ve now created a reference to the cache manifest, the file that tells the client what can be stored for offline use and what cannot. Next, create the cache.manifest file in the root of your web application.

CACHE MANIFEST
http://www.example.com/index.html
/logo.png
/scripts/very-important-javascripts.js
http://www.example.com/styles/screen.css

As you can see, the cache manifest can contain both absolute and relative paths. Now, there is a small quirk you have to work through when it comes to the cache manifest. It has to be sent to the client with the text/cache-manifest content type or the client will not recognize it. If you’re working on an Apache-hosted web application, you can simply add the following to the .htaccess file, which is most likely located in the root of the web application (if the file doesn’t exist, feel free to create it):

AddType text/cache-manifest .manifest

This will make sure that the server sends the file to the client with the correct content type. The first time the user visits your web application, the client will now download the resources listed in the cache manifest and cache them locally. If the user disconnects from the internet and refresh the web application, all of those resources will be available offline. Magic!

In some cases, however, you want to explicitly stop the client from trying to cache particular resources, for instance a script used to track visitors. Here’s a modified version of our first cache.manifest file:

CACHE MANIFEST
NETWORK:
/tracking.cgi
CACHE:
http://www.example.com/index.html
/logo.png
/scripts/very-important-javascripts.js
http://www.example.com/styles/screen.css

Everything in the NETWORK section of the file will never be cached and made available offline. Trying to load the tracking.cgi resource while in offline mode will result in an error. The CACHE section of the manifest file contains all the other resources from the first file and will be cached and made available offline as in the previous example.

There is also an option to create a fallback for files that you don’t want the client to cache. Let’s for instance say that you want to use a different logo in offline mode, perhaps to indicate to the users that they are using your web application in offline mode. The following change to the cache.manifest file will enable this:

CACHE MANIFEST
NETWORK:
/tracking.cgi
FALLBACK:
/logo.png /logo_offline.png
CACHE:
http://www.example.com/index.html
/scripts/very-important-javascripts.js
http://www.example.com/styles/screen.css

Using the above cache manifest, the client will cache the logo_offline.png resource and show that instead of the logo.png resource whenever the web application is accessed in offline mode. Each entry in the FALLBACK section consists of two URIs. The first URI is the resource, the second is the fallback. Both URIs must be relative and from the same origin as the manifest file. It’s also possible to use wildcard notation in the FALLBACK section. Let’s say that you want all of the files in the /images folder to be replaced by one particular resource and all HTML-files to be replaced by another resource when the user is offline:

CACHE MANIFEST
NETWORK:
/tracking.cgi
FALLBACK:
/images /only-available-offline.png
*.html /offline.html

Note that there’s a major gotcha present when working with offline web application support. If you make changes to a resource listed in the CACHE section of the manifest, it will not be cached again by the client. The manifest file itself has to be modified for this to happen. Because of this, it might be a good idea to create the manifest files dynamically and create them whenever any of the resources they handle are modified. A generation timestamp somewhere in the manifest will ensure that the client downloads the latest version of any resources that it’s supposed to cache from the server. The timestamp can be included like a comments:

# 2011-06-04 21:00:44
CACHE MANIFEST
NETWORK:
/tracking.cgi
FALLBACK:
/images /only-available-offline.png
*.html /offline.html

As an extra bonus, it’s even possible for your end users to do changes, for instance change some numbers in a budget, even if he is offline. Most of the work to achieve this, however, is up to you, the web developer, and it involves using the local storage on the client, reading a DOM flag that determines if the client is offline or online and syncing the data with the web server when the client comes back online. But all that is outside the scope of this post.

As we’ve seen there are some pretty neat features in HTML5 and those features will become even neater when we start to think of great ways of utilizing them.

Sources:

• Building iPhone Apps with HTML, CSS and JavaScript
• Dive Into HTML5: Let’s take this offline
• HTML5 Rocks – A Beginner’s Guide to Using the Application Cache

This entry is also available at BEKK Open.

Why am I rambling on about Korea? Because of last weekend’s F1 race from Yeongam, of course. It all started very wet, as I told you all about in the previous Formula 1 thread. So very, very wet. Even though it dried up after a while, race control decided to start the race behind the safety car. Boring. But after quite a few laps, the safety car left the circuit and the race started for real. Championship leader Mark Webber, decided to celebrate that fact by being a bit to throttle happy on the curb, resulting in a spectacular spin where he managed to take poor Nico Rosberg with him and smash both cars to tiny pieces.

The Korean Grand Prix turned out to be a complete disaster for Red Bull when Sebastian Vettel’s engine blew up and caught fire with only ten laps left. In the end it was Fernando Alonso who took the checkered flag – his fifth win of the season. With the results from Korea and only two races left, the championship is still wide open, with several drivers having the championship title within reach.

Here are some selected pictures from the Korean Grand Prix, all borrowed from the official Formula 1 gallery. Enjoy!

¹⁾ If all you see here are squares, you need to install some better fonts on your computer. But since you probably would have the right fonts installed if you’re able to read Korean, you’re not missing out on anything if squares are all you see.

Two days ago¹⁾, the package finally arrived from Hong Kong. Among the wonderful things I’d forgot I ordered was a great laser pointer slash LED flashlight keychain thingy, a decorative muilticolored LED snow ball and – wait for it – four (4) LED shot cups!

The multicolored LED snow balls are just excellent. One of them had disintegrated on the trip from Hong Kong to Norway, so I’m very happy I bought two. I considered taking a picture to show you how nice the working snow ball looks, but a single photo would not justify the relaxing feeling that will engulf your entire being when you turn it on. Because of that, I instead decided to bring you a continuous set of pictures, also know as a “video”:

Batteries are even included, believe it or not. Another set of gadgets that came with batteries included were the LED shot cups. If you fill the cup with a liquid, the cup will start to flash a blue light like crazy until it’s empty. This makes it very hard to just sip your shot, a well-known trick when you’re served a shot you really don’t want. Here’s a video of the cup as well.

There’s a word in Norwegian for things like the LED shot cups: “Harry”. A possible English translation could perhaps be “redneck”. The video does not really show how the LED shot cup works; my cellphone does not record enough frames per seconds to show how fast the cup is blinking. With four of these in a dark room you should be careful when the shots are served if you suffer from epilepsy – the party might end a bit earlier than planned.

So, if you have a little money to spare or a desperate need for flashing shot cups, decorative multicolored snow balls or other amazing stuff, look no further: DealExtreme.

¹⁾ You might be wondering why I’m writing this today, on the two-great-games-are-released-Friday. How can I possible both be playing computer games (which I am right now) and write at the same time? The reason is that I’m talking to you from the past: This entry was written yesterday and scheduled for publishing today. Way to plan ahead!

I used to have an HTC Hero, which also was a good phone, but the screen was a little too small and the CPU a bit short on horsepower. It used a mini USB connector for charging, while the Desire uses a micro USB connector. Of course it would be preferable that it too used the mini USB, but as far as I understand, micro USB is now the new standard for charging connectors on mobile phones. Fingers crossed.

Anyway. I could use an extra micro USB cable to use at work. Let’s face it, the battery capacity on smart phones has something to be desired, and having a charging cable laying around is always a good idea¹⁾.

Where to find a cheap micro USB cable? Why, Deal Extreme of course!

They have a micro USB cable for the low, low price of $2.30. With free shipping. Cool. The problem with Hong Kong based Deal Extreme is that they have just that; a lot of extreme deals. Also, if you buy stuff for less than NOK 200, you don’t have to pay import taxes when the package arrives in Norway. NOK 200 is about USD 32 at the moment, meaning that it’s possible to cram a lot of extreme deals in one small package before the import tax kicks in.

And before I knew it, I’d ordered more crap than you can imagine: One 6-Inch 2.4GHz Antenna for Wifi/WLAN/Wireless Router and Access Point (not really crap, because I actually need it), two Multicolored LED Decorative Snow Ball (these are actually really nice), a Compact USB PC Webcam (300K Pixel), one 2-in-1 LED + Pointer Flashlight (great when I do one of my many presentations and whenever the light goes out), four (4) LED Shot Cups (parties will never be the same again). And the micro USB cable of course.

Here’s to the package not being held up in customs.

¹⁾ I haven’t tried the HTC Desire battery trick yet, but I will soon.