Dan Jones's Blog

Cuil - not impressed

By Dan Jones in Reader

Posted in Search, Cuil, Google, Internet on July 29, 2008 at 11:44 am


After day one of Cuil, I’m not super impressed

Half the UK day the site was down due to lack of capacity… guys if you want to beat Google you need to allow us to actually search… after all the primary reason people use Google is its search is quick, pretty accurate.. and seemingly always available.

Cuil, however, well, not so good on day one.   Several searches I ran came up with no results (on my name for example, which is very common - what are the chances of Google not knowing about a Dan Jones (at least one!))…. this may have been teething problems, but isn’t a good start.

In positives however, when I did try other searches, the results were slightly more accurate than Google.     The problem overall from my day one experience is the engine either comes back with good results… or nothing.

I’ll continue playing with Cuil today, and report my findings, but overall I’m having to stick with Google right now…

Do you like Cuil?


Eve Online - My new addiction

By Dan Jones in Reader

Posted in Gaming on July 22, 2008 at 4:07 pm


Recently (well 9 months ago) I started playing Eve Online for 3-4 months. I stopped for various reasons at the time, lack of my time being the main one - and I have recently found myself playing again in a new light for the past month…

For those uninitiated, EVE is a funny game, though its player-driven economy is what really has interested me in my current fixation upon the game.

Unlike many games your experience isn’t determined by how many enemies you kill and a grind. You train skills, and this continues when you are offline. Basically the longer you have played the better you are. But this does not mean (after a few months) you will not be able to contribute - new players join all the time, and the gains from training higher skill levels take longer for little additional benefit, meaning a newer player doesn’t need to take long to get good. That said, you will find it takes 3-6 months to learn the game - it’s complicated in a good way.

To explain EVE in detail would be really quite complicated, but in short the below is a description of those ingame dynamics that attracted me to it:

  • One group of players, the miners, pretty much produce most of the minerals that can be used in the game to create items. They mine asteroids, then refine them into minerals, which are the “building blocks” of the game.
  • Another group, the Industrialists, take minerals, and use them to build items using “Blueprints”, which they purchase from the market.    There are 2 classes of item - Tech 1, for which you can buy a blueprint.   Tech 2 (better version), which you need to copy then research a blueprint (which is an expensive/time consuming thing to do).
  • You then have “mission runners” - these are players focused on flying their spacecraft in PvE engagements (that is player vs computer generated opponents).   They earn money from bounties, and from goods dropped in the shells of the ships defeated.     These can be reprocessed to minerals or sold.
  • You also have PvP, player vs player, where you can sign up with one of the 4 races in the game to fight other races in a galactic battle for supremacy - this is new
  • But, making things more interesting, there are Corporations and Alliances. Now these Corporations and Alliances can “own” space in the majority of unoccupied (ie non central sectors of the game). In unoccupied space, there is no law, so any ship can fight any other ship… This leads to massive battles for supremacy.

Now onto my experiences - I actually run 2 characters in game (on 2 monitors, in true geek style).     One is industrial, one PvE currently- this to save on time, and make the most of the resources collected in PvE to the best of my ability (making the bad items into saleable ones)…

The industrial side of the game I’m really enjoying - making a mini-empire of equipment I buy low, and sell high - as well as equipment I manufacture then sell for whatever the local markets will bear. The way EVE works is there are trading hubs (Jita, Rens) where everything is pretty competitive, but people don’t want to take 30-60mins in real life to fly their ship to Jita to go collect items sometimes, so the local markets are fiercely competitive for items manufactured and sold locally, as well as items imported. Getting more complex, some items are only sold in certain places, so money can be made taking these “rarer” items, and distributing around the game world, for a mark up you understand.

PvE is something else, it’s tricky, not just a click fest. I’ve been playing with tactics and lost 5 ships in past 4 weeks due to not getting away quick enough when I bit off more than I could chew. I’ll post more about this in future, but it’s the industry side I’m concentrating on right now.

Anyhow, I highly suggest you try this game, it’s a free download, with 14 day free trial available from the main game site above.

A tip though… with current exchange rates it’s cheaper to buy the game via Shatteredcrystal/another time card vendor who uses USD as its currency. As it’s €19.99 first month.. €14.99 thereafter, and the same in dollars - a shattered crystal GTC for 60 days (paid in dollars) makes sense for me, worked out at under £9 a month for me last time I did it - which is better than the direct EVE costs - and makes it one of the cheaper MMOs.


Day 4 of me.com/iPhone, my mini-review

By Dan Jones in Reader

Posted in iPhone, Apple on July 17, 2008 at 11:27 am


I’ve had my iPhone since day 2 integrated with both me.com for bookmarks, contacts, email and calendar, as well as to my work calendar via a test ActiveSync server @ work.

I must admit the fact that the iPhone can connect to two “push” services at once is mighty handy - and the fact that in calendar’s combined view you can clearly see what appointments are work, which are personal… etc. This all cleverly without having to load all your appointments into the one work calendar. You see, I’ve always tried to not use the Outlook calendar at work for personal items (the boss can see this!), instead relying on an old fashioned paper calendar system my girlfriend manages - combined with an electronic diary at home in Outlook that I manage - and we kind of manage to keep in sync. The problem is when I’m at work as I don’t carry the home Outlook with me. With the fact I’m forgetful double bookings therefore result. As the nice iPhone system allows me to have the home calendar at work it’s proven to be very useful… without compromising my office calendar’s functionality and filling it with friends’ birthdays, social events in evening etc.

Overall the calendar support is great and is the best calendar of any of the mobile devices I’ve had in last 4 years.. the navigation is what makes a calendar and Apple have got it spot on.

Email - not so great. I’ve been getting duplicates on my me.com address (I’ve forwarded/redirected my main email onto the me.com address). Basically with regard to folder filing (which is essential) - sometimes filing a completed email to say Personal on the iPhone works fine - but on the me.com webmail I end up with a copy BOTH in inbox, and in personal at this point. I move the former, and have 2 of the same email in same folder.

Push however is great, and a few of my friends are emailing now instead of sms’ing as they realise I get it just as quick and it’s far cheaper.

Bookmarks are what I’m starting to wonder how I did without. I have a sizeable list of security bookmarks at work, all folderised, and nice. At home it was less organised - so pre me.com I had to move it all into a “Home” folder, and categorise. Now I have work, home, and laptop all nicely synced bookmark wise - even though I run a diff primary browser at home (Safari, vs IE in office due to internal apps needing IE). If I bookmark an item of interest in the evening, it’s on the work PC in the morning. Can’t beat that.

Contacts, well I’ve had synced contacts between phone, Outlook etc for years - couldn’t live with a phone that doesn’t do it. Doing it over air does help a little as I don’t need to cable to work pc, home pc etc to do it.

So, me.com over with, the iPhone itself:

Following this link on battery life, you can see my response here as a comment, so I won’t comment on battery life except to say it’s plenty for my usage currently. With very heavy use it would need charging during the day I imagine, and it’s certainly not as good battery life as the new BlackBerries.

Being critical, when running many apps, it sometimes needs a hard reboot- I’ve had to do this twice since Friday - some of the appstore apps may not be quality goods.. Also slingplayer for iphone would be nice if they can get around to launching it.   Also Apple - where’s a2dp so I can not have to connect headphones for mp3 listening?

But apart from all that, it’s actually exceeding my expectations overall - the keyboard and user interface really set it apart from my Nokia/other phones in the past - it’s quicker to use and more stable on heavy use than they were. Also I’ve never considered looking up information on the web while on a call with a Nokia - something I’ve done several times on the iPhone since I’ve had it!

The multitasking beats my old N73 hands down - the best example I can give is on the N73 I couldn’t surf the web and listen to an mp3 simultaneously on the train, the mp3 would just keep breaking up as the page loaded. I can on an iPhone.


iPhone launch - 1st day customers left in cold

By Dan Jones in Reader

Posted in iPhone, Apple on July 11, 2008 at 10:07 am


I just want to say from my experience the linked Register article has it spot on about the day 1 iPhone launch here in Ipswich via the O2 store. That said I will still describe iPhone day as it occurred for myself.

I was no 1 in the queue, having woken earlier than expected. I’m the kind of person that once awake just stays, so decided to make it down to the store with my mp3 player, arriving at 5:55 am. 2nd person arrived 5 mins later, followed by quite a few more at 6:30. We got free coffee, orange juice and doughnuts while we waited (from 6:25 ish onward) and I have to admit it was quite an experience - very friendly launch.

All quite organised: tickets handed out based on place in queue, and 1st 6 people got a 16Gb (me included), rest getting 8Gb’s (well those who realised that 8Gb was all on offer and available and decided to stay - virtually everyone wanted a 16Gb!). 50% new contracts, 50% upgrades. By 7:30am all places in queue were filled - ie the store had run out. Judging by queue, the Ipswich O2 store I used had ~24-30 iPhones, 6 of which were 16Gb’s.

The problems occurred once store opened. O2’s internal system could not cope with the new contracts flowing nor the upgrades… the system kept dying. O2’s internal IT really does need a kick for not checking their internal systems could cope with the demand after the fiasco on Monday… The manager of the store handled this very well though with little drama, helpfully going to contingency (paper system) for new contracts, and agreed to hold back stock for queue members upgrading (who have a ticket entitling them to an iPhone later today/tmrw) - as they can’t do that without the systems in place.

I got an iPhone 16Gb, have activated in iTunes, but still currently have no cell service (presumably due to the manual activation needing to be followed up instore later). Wifi’s working well and overall very happy with the new phone - (even though it’s effectively a 16Gb touch now!).

me.com is also currently down so I can’t proceed in setting up contact/phone sync to that.

Overall impressions and a review of iPhone and me.com to follow next week, but the camaraderie and fun had during the wait for the iphone made the buying experience fun….


So its Iphone 3g -1 day, MobileMe -1

By Dan Jones in Reader

Posted in Hardware, iPhone, Apple on July 10, 2008 at 12:07 pm


I’ve decided, I’m getting one (as mentioned in last blog post).

What swung the decision for me is the fact you can get 16Gb storage on a phone for mp3’s - with the size of my collection this will allow a decent amount of music for all occasions. + room for some movies and applications.

Note that in the past I was critical of the iphone (even I believe on this blog 18 months ago), but the 3 crucial things lacking then have been fixed

  1. GPS
  2. 3g/HSDPA!
  3. 3rd party Applications

With these fixed I can’t resist getting one. Super Monkey Ball looks great - and excited about possibility of GPS. Only thing I can fault really is the camera and lack of user replaceable battery. The touch interface I had tried on the old iPhone and although I think it’ll take some getting used to, I think I’ll grow to like. Also the excellent Cloud/Btopenzone roaming deal should be commented on as it should greatly increase data speeds in a lot of places I visit (Liverpool Street/city area for one). This doesn’t change my perception overall that Wifi will be supplanted by 3g cards where it is overpriced - coffee shops being a prime example.

I think the critical thing for Apple in terms of revenue generation on the iPhone will be MobileMe as this will allow full sync from PC to Mac, to iPhone for a very reasonable sum (in fact for less than I pay now for less email storage on another host…). If Apple get this right then it certainly will make me switch email hosts… can’t wait for the upcoming trial. I have 2 PC’s, 2 laptops at home now - one is a work laptop admittedly so let’s exclude that - however email sync is always painful between the 3 - I use IMAP currently… but I have no calendar/contacts sync, which this will fix at long last. This is a longstanding gripe of mine - Exchange for the masses is finally here I hope!

Now I just need to prepare for the small queue (I do live in a small part of suffolk so not expecting a huge queue). I just hope they do have a 16Gb in store if I join the queue at 7:45am… if not I’ll just wait a few days/weeks until they do have stock. I’m not queuing at the crack of dawn - this isn’t that important to me!

Are you queuing?


Apple & Data Admin - Have they process issues?

By Dan Jones in Reader

Posted in Apple on July 8, 2008 at 11:52 am


According to the link below - Apple have reset a user’s password on the basis of a one line email (with quite poor English) which is recorded in the chap’s own email file!

To quote the email in full “am forget my password of mac,did you give me password on new email marko.[redacted]@yahoo.com”

This really is quite awful because as the chap points out the mail address of the guy in question is nothing like his own. Is this a case of poor process, or a proper process not being followed by outsourced IT staff… as the guy points out he does have a security question - which he used himself to recover the account - but why didn’t the desk use this?

It really does worry me a lot that Apple has this problem - However I can argue that same has happened (in a limited fashion) in the company I work for with the outsourced data admin staff we use. We recently discovered that a written process was not being followed to the letter correctly - resulting in stale user numbers and an incorrect license count for a piece of security technology we use. This was audited at time of transfer, and was being done correctly at that time. Then they stopped doing it correctly around 1 year ago - coinciding with a change of staff apparently.

The above said, we do have a process to check that password reset etc requests are being done in a sensible fashion, and do random-test that silly requests like the above don’t get instantly done without question.

So I think a lesson in my case is - check your outsourced processes regularly for compliance with the standard. In Apple’s case they should look to test their password reset, and other account security measures making sure their staff are up to the job.

The above said, and my concerns aside, I think I’m still getting an iPhone 3g on Friday, stock willing. PCPro’s article suggesting it’s a “tipping point” for iPhone is certainly reflected in my office with several of us due to arrive at O2 pre-opening on Friday (we would have pre-ordered but some gremlins crept in with that).


Web Application Security

By Dan Jones in Reader

Posted in Web, Security on July 3, 2008 at 10:31 am


Part of my current role (in fact the main piece now) is Web Application Security Testing. Which means I get paid to hack around with corporate and non corporate web apps (ie, apps we buy vs apps we build).

Web application bugs, although currently looked on by some as not serious, are gathering momentum and becoming more common - only recently a lot of websites were compromised by Chinese hackers using SQL injection. XSS in particular can also be used to great effect, in just one example of many, to send a session cookie off site to a hacker base - thus giving them access to the logged-in user’s data.

Over the past year I’ve tested around 40 apps in total, some complex, some simple. Major security defects have been found in all apart from one application during this time.
The fact is, regardless of the language a web application is written in, it typically is vulnerable to one of the below 3 in my findings.

  • SQL Injection
  • Cross Site Scripting (XSS)
  • Privilege Escalation

The above is not a full list, but it’s the basics and believe it or not even in 2008 SQL Injection is still the most common flaw we find! For a better view of what you should be doing to stop this, OWASP is a good website to start with.

Of these bugs SQL Injection and Cross Site Scripting are usually the easier to spot, and also to get developers to fix - and it is surprisingly easy to fix these first two by not trusting user input, and filtering it before it hits the database in the case of SQL injection, or is formatted back to users (in the case of XSS, both preferably). There are good tools to test both in a semi-automated way in the form of a Firefox extension here - we use this in combination with commercial tools, together with manual testing (for SQL injection typically) with database traces running. Manual testing is far easier if you can see the queries being executed on the database (though you can’t do this in a black-box test where you have no access to the remote database, obviously).
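To make the "database traces running" point concrete, here is an added example (not code from the original post) that logs every statement SQLite executes while the same test input goes through a concatenated query and a bound-parameter query, then encodes a stored value on output. The table, rows and function names are constructed for illustration, and bound parameters are used as the stricter form of the input handling described above.

```python
import html
import sqlite3

# Constructed sample data: three notes owned by two users.
ROWS = [(1, "alice", "lunch at 1pm"),
        (2, "bob", "payroll export"),
        (3, "bob", "<script>alert(1)</script>")]

def open_traced_db():
    """Return (connection, trace); trace collects every statement SQLite runs."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER, owner TEXT, body TEXT)")
    db.executemany("INSERT INTO notes VALUES (?, ?, ?)", ROWS)
    db.commit()
    trace = []
    db.set_trace_callback(trace.append)  # the "database trace" a tester watches
    return db, trace

def notes_concatenated(db, owner):
    """Flawed pattern: user input becomes part of the SQL text."""
    sql = "SELECT id, body FROM notes WHERE owner = '" + owner + "'"
    return db.execute(sql).fetchall()

def notes_parameterised(db, owner):
    """Fixed pattern: input is bound as data and cannot change the query."""
    return db.execute(
        "SELECT id, body FROM notes WHERE owner = ?", (owner,)
    ).fetchall()

def render_note(body):
    """Encode on output so stored markup is displayed as text, not run."""
    return "<li>" + html.escape(body) + "</li>"

if __name__ == "__main__":
    db, trace = open_traced_db()
    probe = "alice' OR '1'='1"  # quote-breaking test input
    print(len(notes_concatenated(db, probe)), "rows from concatenated query")
    print(len(notes_parameterised(db, probe)), "rows from parameterised query")
    for stmt in trace:
        print("TRACE:", stmt)   # the first entry shows the altered WHERE clause
    print(render_note(ROWS[2][2]))
```

In the trace, the concatenated statement visibly gains an extra `OR` condition and returns every row, while the bound version returns nothing for the same input.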

Privilege escalation however can be more tricky to both test and find in my experience at least. It’s almost always a manual test - as the commercial and free tools do not do as good a job at finding this as they do the XSS/SQL bugs. In my testing I have found that some developers however still seem to think that simply hiding menus from a lesser privileged user is a way to secure their application (though thankfully this is a minority!).

One application I tested recently did at least get this right, but used a very predictable base64 encoding to hash message IDs within the messaging in the app (where critical data was being passed over this). They wrongly assumed the algorithm they devised was strong enough to protect themselves… as it didn’t look predictable to the developers (who had no experience of that kind of work). The problem was they had neglected to do a check when the page was loaded as to whether the user had rights to read that message. That simple fix was enough to secure the app…
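The two privilege problems described above, hidden menus and encoded message IDs with no rights check on page load, look like this in miniature. This is an added example, not the tested application's code: the message store, user names and handler functions are hypothetical.

```python
import base64

# Constructed sample store: message id -> (owner, text)
MESSAGES = {101: ("alice", "Q3 forecast attached"),
            102: ("bob", "salary review notes")}

def encode_id(msg_id):
    """Opaque-looking token; base64 is an encoding that anyone can reverse."""
    return base64.urlsafe_b64encode(str(msg_id).encode()).decode()

def decode_id(token):
    """Return the numeric id, or None if the token is not a valid encoded id."""
    try:
        return int(base64.urlsafe_b64decode(token.encode()).decode())
    except ValueError:  # covers bad base64, bad UTF-8 and non-numeric text
        return None

def inbox_links(user):
    """The menu lists only the user's own messages: presentation, not access control."""
    return [encode_id(i) for i, (owner, _) in MESSAGES.items() if owner == user]

def read_message_unchecked(user, token):
    """Flawed handler: whoever presents a decodable token gets the message."""
    msg = MESSAGES.get(decode_id(token))
    return (200, msg[1]) if msg else (404, "not found")

def read_message_checked(user, token):
    """Fixed handler: the rights check runs every time the page is loaded."""
    msg = MESSAGES.get(decode_id(token))
    if msg is None or msg[0] != user:
        return (404, "not found")  # same answer for missing and forbidden
    return (200, msg[1])

if __name__ == "__main__":
    other = encode_id(102)  # bob's message, never shown in alice's menu
    print("alice's menu:", inbox_links("alice"))
    print("unchecked:", read_message_unchecked("alice", other))
    print("checked:  ", read_message_checked("alice", other))
    print("owner:    ", read_message_checked("bob", other))
```

A tester can run the same comparison against a real application by requesting, as a low-privileged user, an identifier that belongs to another account and confirming the response matches the "not found" case.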

Where I work at least, we finally are integrating Web security at project design and initial build stages - so finally security is being taken seriously at day one (This is reducing the critical bugs found at testing) - Is this happening elsewhere?

Overall though is it not time for Web developers to take security more seriously? My hit rate on serious defects is showing that in some cases it’s the last thing on their mind when developing - and those that do make an effort, they sometimes miss the mark leading to a nasty bug.

For information, the tools I use daily are: IBM Appscan, Paros, BURP, XSS/SQL-Inject, although these are not the only ones - I have a list that fills my screen - of various proxies, header modifiers, request modifiers etc, encryption tools etc. I may write a blog post on a simple test methodology in the future that I use for the more simple applications tested if anyone is interested?


DSLR’s + Concerts

By Dan Jones in Reader

Posted in Uncategorized on July 2, 2008 at 2:33 pm


This is in reply to the recent excellent blog post from Matthew Sparkes at PC Pro.

I too own a big camera (Nikon D80) + some long lenses (well a stabilised 18-200mm + a 70-300mm depending on the occasion, + some fast smaller fixed lenses - the 200-400 is sadly just a dream).

Not that I’m a pap or a professional photographer, I just enjoy photography. It seriously is starting to annoy me (as it is Matthew) when I’m refused entry to gigs or told to leave camera behind - especially when pictures are for my own enjoyment and not publication on net or otherwise. It’s even more annoying as the tickets to gigs, nor anything online say you’re not allowed to take personal cameras - and it is the goons on the door responsible for policing an unwritten rule.

I see people with higher megapixel counts in small cameras being allowed in (and with similar zooms, just smaller bodies) - yet why am I refused entry with what is only a semi-pro camera with a prosumer lens (I’m not taking a pro lens to a gig without being in the press box!!).

Now, I have a dilemma, should I just forget taking my proper camera equipment places, and just stick to consumer cameras? - or should I complain every time I go to a gig?

Or should I simply do as I’ve been considering a few months now and actually just get a real publication to sponsor me for a press pass - get my pics published - and go to gigs as a bona-fide press member instead?
