Be careful with your Safari Extensions

August 11, 2010

My Macworld compadre Lex Friedman on Safari extensions:

Safari can update your extensions automatically. Included in the extension is a URL that the developer may optionally provide, and Safari checks that URL on occasion to see if a new version of your extension is available. If it is, Safari will install that new version silently.

Lex raises an excellent point (plus, he got fireballed!), but I would argue that explicit update notifications would not make extensions any more secure.

First, there is nothing that prevents an extension from advertising itself as harmless and getting nasty with your computer behind the scenes, updates or not. In other words, it’s not the updates that make an extension insecure. Second, in my experience users will blindly click on just about anything that stands between them and doing whatever it is that they want to do. I’ll be the first one to honestly say that I cannot remember the last time when I read all the release notes that came with an update of any kind¹. Besides, even then, what guarantee do I have that the developer is telling the truth? In the end, it all boils down to whether you trust whoever issues the update or not.

Not all is lost, however. In order to be installed, extensions need to be signed using a digital certificate, which is issued by our friends at Apple to every developer who wants to distribute extensions. Without a certificate, extensions will not install. There is a good reason behind this: if an extension were found to be disruptive or malicious, Apple can simply revoke that developer’s digital certificate and effectively yank the extension from under the feet of every single user that has installed it in one fell swoop. This won’t prevent a malicious update, but it will certainly stop one².

To me this approach is far, far superior to the corresponding update mechanism in Firefox, which takes the geek approach, believes that people will know what they’re doing and notifies them that an update is about to take place. But most people don’t know what they’re doing and, once something is installed on your machine, you’re on your own.

Personally, I’m on the fence as to whether the fact that Safari updates extensions silently is good or bad—I think that notifications would be useful, but ultimately pointless. However, I think the right question to ask is: will Apple act swiftly enough to prevent an extension that is proven to be malicious from becoming a problem?

  1. With the possible exception of those that I have to read because of work!
  2. With the added bonus of providing a useful legal tool if the author needs to be prosecuted.

What antenna problem?

August 2, 2010

It took six hours of standing in line on an uncharacteristically cold summer night¹, but I finally have an iPhone 4, which means that I can tell you the truth about the antenna problem: I have no idea what these people are talking about.

I live in an area where my provider has reasonably good signal, with four bars on both my old 3G and the new handset. As shown countless times by countless talking heads on countless media outlets, if I touch one of the black gaps on the side of the phone, the number of bars decreases to two, but I haven’t noticed any degradation in either data rates or voice in day-to-day usage. In areas where there is less signal (like, ironically, my local Apple Store), I can make the signal go down to a single bar or no bars, though this still doesn’t affect my ability to make phone calls in a manner that is substantially different from my old phones; in other words, I honestly can’t see any difference and, had there not been so much noise made about this issue, I likely would have never noticed.

It almost looks like the press has latched on to this problem—in my eyes completely irrelevant—and keeps picking at it the way one picks at a scab that’s healing. It’s the itch that some people just don’t seem to be able to let go of and, frankly, it seems like a pretty small problem to be so worked up about.

Now, if the press really had wanted something to complain about, they certainly could have spent a few words on the way Apple has handled the launch of the iPhone 4. It’s been a complete disaster, at least here. Far from being the smooth event that one would have expected from a company that, say, has launched three of these before, the whole affair bordered on the ridiculous: Apple’s website had no information until the morning of the launch and, were it not for press leaks and a small sign that appeared at the entrance of the stores in the days before the launch, there was no official confirmation that a phone was coming on July 30th, or what the pricing would be. To top it off, the Rogers activation system was down most of the morning—because, you know, it’s not like they were handling a major launch or anything.

I can’t speak for what happened south of the border, but based on what my friends told me, things weren’t that much smoother there, either—particularly for those who decided to forgo pre-orders and stood in line so that they could get their handset early in the morning, only to find out that many of those who had pre-ordered theirs had, in fact, received the phone the day before the official launch.

Of course, one can say that it’s just a hiccup. Or—excuse me while I laugh—that the company was so overwhelmed by demand that it couldn’t handle the load. But, honestly, who buys that? An organization like Apple isn’t “caught off-guard,” and certainly not twice in a row². This is a publicity move, pure and simple. Apple wants the big lines and the impression of tight supply to drive media coverage—and, of course, the latter laps it up without ever questioning how a multi-billion dollar company can’t seem to launch their flagship product in a way that doesn’t upset so many customers³.

This said, the iPhone 4 is a beautiful device. The construction feels solid—dense, even, as if you’re holding a device that is packed to the gills and has absolutely no empty space inside. The screen, as advertised and widely reported, is that good. Pictures look like they have been painted on the glass, rather than being generated by a screen underneath it. And speed, especially coming from a 3G, is quite simply amazing. The phone itself seems to have improved considerably: I no longer have trouble having a conversation with someone on my home line, which probably precedes the discovery of America and therefore tends to attenuate the signal slightly, and the Prius’s Bluetooth handsfree no longer sounds like the Hypnotoad while undergoing a colonoscopy while I wait for a call to engage. Oh, and FaceTime is loads of fun, too.

  1. At least I have a pretty good excuse: mobile development is one of our competencies, and not having an iPhone 4 was beginning to be a problem, since customers had been asking about building support for it into the apps that we develop for them.
  2. Similar supply problems happened with the launch of the 3G and 3GS, and supply issues have been plaguing the iPad since it was introduced in February.
  3. As opposed to pissing off the media, who, frankly, Apple is correct in ignoring most of the time.

100 million Facebook users’ details published online

July 29, 2010

MSNBC:

“As I thought more about it and talked to other people, I realized that this is a scary privacy issue. I can find the name of pretty much every person on Facebook,” he wrote.

So of course he thought that the right way was to collect all 100 million and put them up for download. What an imbecile.

Ontario Announces Tighter Restrictions For Young Drivers

July 28, 2010

CityNews on new restrictions for young drivers in the Province of Ontario:

Drivers 21-years-old or younger caught with alcohol in their system will face an immediate 24-hour licence suspension, a 30-day licence suspension and a fine up to $500.

Of course, we could just teach kids that drinking in excess and driving is a stupid thing to do—but, hey, that would mean actually doing the job of a parent. Instead, let’s simply make it a crime to drink a beer¹.

  1. As opposed to, say, actually driving in such a way as to constitute a road peril.

PHP 5.2 support ends just as its adoption begins

July 23, 2010

In case you missed it, the PHP team has just released 5.2.14, which effectively ends active support for the 5.2 branch¹:

This release marks the end of the active support for PHP 5.2. Following this release the PHP 5.2 series will receive no further active bug maintenance.

The logic behind this decision is… puzzling.

Several large projects—WordPress and Drupal among them—recently announced that they intend to push support for 5.2 into their products with their next major release. For example, Drupal 7 will accept 5.2 features, and the WP folks are just working on EOL’ing their support for PHP 4.

This means that a large number of people are just beginning to learn, use and stress-test PHP 5.2. Remember—these projects have very large user bases, so even moving a small percentage of adopters over to a different platform means a big shift. Perhaps—just perhaps—it might be better to reconsider canning 5.2. If, from a technical perspective, the move from 5.2 to 5.3 is an easy one, there is a huge psychological barrier to finally adopting 5.2 only to have it yanked from under your feet.

The real issue at hand, however, is the fact that these large user communities are not engaged in the PHP world, and vice-versa. Ignoring the hundreds of thousands of Drupal and WordPress integrators and developers is bad for both PHP and for those products; we should, instead, try our best to open a dialogue between all the communities that are centred around PHP and ensure that everyone’s interests are properly represented.

This is not to say that the fact that WP has only now decided to move to PHP 5.2 should necessarily affect the progress of PHP, nor that the PHP developers should take a “we don’t need you” attitude toward projects that are based on the language. Ultimately, it’s up to these projects if they want to actively contribute back to PHP or not, and that is the only way for them to effectively affect the development of the language itself.

However, PHP development is too unevenly connected to downstream adopters. Some—particularly framework makers—have an unusually high level of participation in deciding how PHP evolves, and that needs to change.

At last year’s WDC, a small conference organized by Microsoft, I made this very same point and managed to bring a room full of developers into complete disarray in less than five minutes—which means that, in addition to the fact that my ability to drive a bunch of people up the wall in no time flat has not changed over the years, there is plenty to talk about.

[Update: the latest 5.2.x release is 5.2.14, not 5.2.11 as I originally stated. Thanks to Ilia for pointing that out.]

  1. As I understand it, this means no more added features or bug fixes. Presumably, security issues will still be taken care of.

The GPL: legit, but may contain malicious code

July 22, 2010

WooThemes’s official Twitter account, in response to a request on whether a site giving away all their GPL’ed themes¹ for a low fee is in breach of the license:

[I]t’s legit, but we don’t promote it as the themes are outdated & may contain malicious code.

So that’s it, then: the GPL is great until someone copies your commercial work and openly resells it, at which point making subtly unfounded allegations is the best way to save face.

  1. I’m not linking to it out of respect for the work that actually went into building Woo’s themes. For the record, I think that what has been done here is despicable, although it illustrates the weakness of the GPL model that the WPF wants everyone to adopt perfectly.

Copyright silences 10-year-old

July 21, 2010

From MSNBC:

Bethany and her parents couldn’t afford the fees, so Bethany decided to remove the words and music from her video and run it as a “silent movie” instead.

She should have posted a video dressed as Chaplin and giving these idiots the finger for three minutes. Disgusting.

Graphr for iPhone · Say it with a smile(y)



It is with a certain amount of pride that I announce the release of Graphr (iTunes link), my new iPhone app that allows you to copy and paste special characters like ☺, ⌘ and ✈ directly into any iOS app that supports text, including Mail, Twitter and Safari (or even the OS itself, if you want to create fancypants folders). Simply launch it, choose one of the eighty symbols it supports and then paste it directly into your favourite app using iOS’s copy-and-paste feature. Because it’s an iOS 4 app with minimal memory footprint, you can switch in and out of it in a heartbeat, making it the perfect companion for your day-to-day device usage.

Graphr also learns which symbols you use most often and moves them to a location that is more readily accessible so that they become easier to find. As you use the app, you will notice that your favourite characters will slowly move towards the top-left corner of the screen (note that it takes a while for the algorithm to kick in). Plus, it’s iPhone 4-compatible, taking advantage of that device’s Retina Screen with high-resolution graphics for its button frames and text.

Why Graphr?

Graphr is an app that I have wanted for a long time. Unicode characters are handy for a number of reasons; first, they are there: most OSs support them, so I don’t see why we shouldn’t be able to use them on iOS the way we do on other platforms. Plus, they are succinct: writing “YYZ✈MCO” is just as clear as “I’m flying from Toronto to Orlando” in Twitter parlance, but only requires seven characters. And those “I ♥ You” e-mails, while corny, always impress!

Graphr is inspired by GlyphBoard, a web-based Unicode symbol picker that features a great concept but that is ultimately impractical for everyday use, mostly because switching back and forth between Safari and any other app (including other Safari windows) takes too much time. By writing a native iOS 4 app and supporting fast switching, however, I can keep Graphr loaded and switch back-and-forth between it and other apps very quickly, thus making it almost an extension of the built-in keyboard. The app doesn’t support anything before iOS 4, because, frankly, the usage experience would be abysmal—can you imagine quitting your apps, launching Graphr, copying a character and then relaunching your other app on older iOS versions? Besides, GlyphBoard already does as good a job of that as possible under the circumstances.

Why not more features?

Graphr is the app I wanted to build—in fact, it didn’t even occur to me to release it to the public until after it was pretty much finished. Even though it doesn’t necessarily look like one, it’s pretty much built like a keyboard and, therefore, must be as simple and intuitive to use as one. And so it is: launch it, click on a button, and you’re done. There are no secret handshakes, no settings, no geeky character tables or codes. The app tries to learn how you use it and adapt to your specific needs rather than asking you to “tell it” something you may not even be aware of.

This is not to say that there are no features to add. For example, the app is built for right-handed users; a “leftie mode” that pushes popular symbols to the top-right corner instead of the top-left corner would be useful. Likewise, the symbols that the app supports are based on a thoroughly unscientific survey of web pages and tweets with some biases thrown in for good measure, which may or may not reflect reality for everyone else.

Also, unlike GlyphBoard, Graphr doesn’t allow you to copy more than one symbol into the pasteboard at a time. I considered this feature (obviously—it was staring right at me), but ultimately decided that having more characters and a simpler look was more important.

Why free?

Graphr is completely free, although it features iAd ads. This is not because I think the app is cheap or useless—quite the contrary. First, it’s an app that provides value over time; therefore, asking people to pay upfront doesn’t reflect the return that they will get out of it. With iAd, if you load the app and only use it once or twice, I will maybe make a few cents from showing you a couple of ads. If, on the other hand, you become a regular user, I’ll make more revenue over time. Of course, people are also going to be more likely to try out a free app, which doesn’t hurt, either.

Incidentally, I could have made the same decision for some of my other apps, but, well, iAd simply wasn’t available when I developed them, and I’m not about to show Google ads—the fast food of online advertising—alongside my work. Apple’s ad platform appeals to me because it has a high bar of entry, making it more likely that high-quality brand names will appear next to my name. It’s not so much that iAd generates more revenue—it’s that using iAd is a bit like having lunch at the French Laundry while your favourite actor strikes up a conversation with you. As far as ads go, I want to be a foodie.

Times loses almost 90% of online readership

July 20, 2010

The Guardian:

The Times has lost almost 90% of its online readership compared to February since making registration mandatory in June, calculations by the Guardian show.

Making people pay or register to access your content causes a loss of readership¹. Big surprise.

But let’s look at this from a different perspective. Let’s assume the Times had a million readers before the paywall went up, in which case a 90 percent drop would mean that they now have around 100,000. Let’s also assume that the Times used to sell ads and rake in a $10 CPM fee (which is probably high—but it doesn’t matter).

If every one of those readers read one page, they would generate $10,000 in advertising. If every one of the 100,000 “paywall” users forks $1 to buy access for one day, they generate $100,000 in fees. In other words, it would take ten times as much usage from ten times as many people in order to generate the same revenue without the paywall.

Now, I’m no big fan of paywalls, but maybe these people have realized that newspapers are in the business of selling content and not eyeballs?

  1. That’s of course assuming that these “calculations” are correct.

Headway Themes is now licensed under the GPL… uhm, no, wait. It isn’t. Well, sorta.

July 19, 2010

Grant Griffiths on split-licensing the PHP code of his themes under the GPL and the images/CSS/JS files under a proprietary license:

The split GPL license still allows us to retain enough teeth that we can bite someone in the butt if they violate our own license for Headway.

I fear that Grant hasn’t quite thought this whole affair through. But let’s take a look at the Headway ToS themselves:

All WordPress themes produced by Headway Themes are released under the GPL version 2.0 license (http://www.gnu.org/licenses/gpl-2.0.html GNU/GPLv2). Specifically, the PHP code portions are distributed under the GPL version 2.0 license.

Are “all themes” released under the GPL or the PHP portions? I think the intent of the author is fairly clear, but this language introduces contradiction in a legal document—not a good start. You’ve just given a prepared attorney a way to show that your language is ambiguous and a reasonable third party could interpret it in a way other than the one you claim is the correct one. And believe me, they’ll latch on to this like the Shuttle on the Space Station.

The Headway Themes Proprietary Use License is a GPL compatible license…

Who has decided that it’s compatible? What happens if a court should decide that it isn’t?

You are authorized to make any necessary modification(s) to Headway Themes to fit your purposes. You may not however redistribute or release modifications as GPL or otherwise.

Wait, what? You get to release under the GPL but I can’t? Sorry, but the GPL says the exact opposite:

4.  You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License.

Incidentally, you also don’t get to choose which pieces of the GPL your code is subject to:

7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License.

See how confusing things get? And that’s without even counting the fact that a clever lawyer may well point out that the CSS, JS and image files are derivative of the theme because they cannot be used meaningfully outside of it (much like GPL proponents claim that the theme itself cannot be used meaningfully without the underlying WP code).

I hope that Grant got legal advice… uh-oh:

While I know Matt would rather we would have gone 100% GPL, we felt more comfortable with a split GPL license.  We actually modeled our license which we have included in a revised TOS after what Jason has at Press75.  Below, you will see the exact language we now have which according to Matt Mullenweg is “100% legal.”

These people are playing with fire.