What we love about MobileMe:

• Absolutely fantastic web gallery for photos; best integration with iPhoto, simple, elegant, accessible
• very good AddressBook/Contacts sync between many Macs and iOS devices (iPhones, iPads, etc)
• very good Calendar/iCal sync between many Macs and iOS devices
• Find my iPhone feature (insurance if I lose my iPhone)
• Remote Data Wipe (insurance if my iPhone/iPad end up in the wrong hands)

Update: It turns out Apple now offers Find My iPhone and Remote Wipe for free with a free, limited functionality MobileMe account for iOS 4.2 devices (iPhone 4 and iPad). Yahoo!

I consider the MobileMe iDisk sharing to be unusably slow, especially when there are so many free alternatives. I can’t stand the MobileMe hosting platform, as I need ssh access, and MySQL or PostgreSQL server access with php to even consider web hosting.

I don’t even use MobileMe for email much because it lacks server-side spam filtering (filtering on my Macs is amazing, but then I see all the junkmail on my phone when viewing the same spool).

What we love about Dreamhost:

• direct ssh access to the server
• MySQL databases
• SpamAssassin protection on the email spool
• MailMan for discussion lists

I wish I had simple CalDAV and AddressBook services on the Linux server at Dreamhost; and I can get them, for a price… $50 (Australian) one time charge for AddressBookServer with 2 user license is not bad… And some of this is possible through free Google services (Google Calendar; Google Contacts, though they don’t sync with iPhone/iPad yet).

So, I am trying to figure out if I can consolidate the two services to save a little money. I am not unhappy with either; just unhappy at paying for two good services when I might be able to do only one.

Bluehost, Hostmonster, Hostgator all compete directly with Dreamhost and appear to offer comparable deals these days…

The gotcha is, no one has the gorgeous gallery software that Apple does; or do they? Please let me know… I have tried Gallery2 – and I am not impressed, and I want to own my own server space; so Flickr/Facebook/Picassa are not the solution for me though we use those services for specific tasks.

Am I stuck continuing to pay for both types of cloud services? Or has someone found something that syncs multiple devices, publishes photo galleries, and allows hosting all at once?

Guardian Article on Javascript based XSS Twitter Hack

The article mainly focuses on the recent Twitter exploit, and the dangers of server-side XSS exploits, but we can easily protect against this stuff at the browser level too with NoScript add-on to Firefox. FlashBlock and Click to Flash help with Flash issues, but Javascript is more pervasive and XSS is more commonly implemented in Javascript.

I have been seeing so many of these on Facebook lately and am concerned that people are visiting Facebook with vulnerable web browsers. If you are using any browser other that Firefox with NoScript active, and you think you are secure – please let me know what you did to fix your browser. This is the vulnerability that forced me off Safari and Chrome (both of which seem faster, but less secure than Firefox with NoScript and Flashblock).

If you want this website to link to your own site, send me an email or comment indicating so and I’ll review the request, but I won’t respond.

I am pretty sure that 99% of the link requests I get are spammers, but just in case… I wanted to cover it.

This is my personal site and I will only link to other sites if I really feel it’s necessary or pertinent…. otherwise… too bad.

Cross-site scripting hacks are potentially dangerous because they take advantage of your being still logged into a site (like Facebook, or your GMail account, or your bank) when you have closed or back-grounded that window and are visiting another site where the mal-ware lives… and the mal-ware knows how to manipulate the account you are still logged in on to do things you did not agree to.

Most commonly this is relatively harmless spam creation (the malicious javascript at MyLike.com checks to see if you are still logged into Facebook, and if you are it posts to Facebook as if you were doing it yourself, a bunch of “Likes” that you never really know about unless your friends comment about it), but it can also be used to pull information you did not with to share from your other accounts and even move money from your online banking account if you are still logged into it.

It is very important that you log out of sites when you are done with whatever transaction.

It is also important that you do not blindly trust all Javascripts and Flash executions that are coming in from random websites…. for this problem will be endemic as long as people allow javascript and flash execution by default on their web browsers.

HTML5 has great promise in eliminating the need for so much Javascript and Flash; but it is taking a while to catch on because web site designers are busy or simply too lazy.

For the interim, it is absolutely necessary to get a Javascript white-listing extension for your web browser; one that blocks all javascripts except those you specifically want to trust and run. It is also recommended you treat Flash content the same way and only allow Flash that you specifically trust; not as many Flash exploits have been discovered, yet… but they will show up as soon as everyone has blocked their Javascript security holes.

Sadly, there are not Javascript white-listing extensions available for all browsers, yet….

The one I know of is NoScript for Firefox, and it works much like Zone-Alarm (firewall) used to work for Windows (white listing applications that tried to get internet access, or black-listing them).

I’d love to know of other Javascript white listing extensions for other browsers.
So far, Safari has none. Firefox and all the Mozilla browsers can use NoScript. I have never tried Chrome, so I don’t know yet.

Running any white-lister requires a little patience, because using it properly means the default is to trust no one, and only allow those domains you know you both need and trust. That means that most websites will NOT work when you first install your white listing agent… and you’ll have to accept that the site is broken, or trust it’s javascripts explicitly… it requires a lot of patience at first and awareness.

It is, however, the only way to stop these crappy click-jacking cross-site script hacks.

Firebug is a simple Firefox plugin; download and install can be done inside Firefox; you then restart Firefox and click the little bug icon down in the lower right corner to activate the debugging tool.

Web Inspector is integrated in every recent copy of Safari, you run a command line to enable the tool:

defaults write com.apple.Safari WebKitDeveloperExtras -bool true

Once enabled, you can mouse over any web object in your browser and right click or hover to get a drop down menu, from which you select “Inspect Element” and then dig around in the Inspector for your tools.

I am sure there are similar tools for OmniWeb, Opera, Chrome, and even Internet Explorer; but I have no experience with them yet…

Making things worse a few guest blogs I help friends run had the same problem. So I upgraded to WordPress 2.1.2 (thanks to DreamHost for making that a “one click” per blog install) and huge thanks to the WordPress team for including the upgrade to Akismet plug-in 2.0 in that install. I am hoping that shuts down the vermin.

Makes one glad that LJ handles all this stuff for you… My LJ blog was completely un-impacted by the burst in spam activity over the weekend. Yay LiveJournal!

In case anyone is wondering I am wholeheartedly endorsing the “Net Neutrality” side of the argument, and here is exactly why:

1) when I first heard about the cable and telephone industry attempts to lobby for additional fees that they’d charge content and web service providers, I wondered “Why?” because Google, Amazon, AOL, and CNN already pay for all the bytes they deliver with very high bandwidth consumption rated fees. As more and more consumers stream video from YouTube or CNN – their fees go up already.

2) I have ZERO sympathy for the cable and telecom industry’s cries that rolling out broadband to every American home is expensive. We taxpayers have already unwillingly paid them huge subsidies and tax credits to roll broadband out to every home in America, at least twice (remember the Tauzin-Dingell bill anyone? What about the 1996 Telecommunications Act before that?). Where has all that money gone? They certainly did not use it for it’s intended purpose (roughly 25% of American homes do not have and can not get broadband at all). While 25% of us have no broadband choice at all, another 25% have only one choice (an effective monopoly situation, and I am in this group), and because there is no competition for our last mile connectivity problem, our rates are extortionate and irresponsibly high. So high, that broadband adoption for this group is very low because of cost issues. All the money that the telecom industry has spent on improvements (and it has not been that much) has been focused on crushing the competition and lobbying congress for yet another handout. I am sick of corporate handouts and I want the Telcos and Cable operators to be forced to repay the money already given them and to be forced to fund the start up costs of their own competitors just like was done to AT&T when that monopoly had to be broken up.

3) I do not trust Comcast, nor Verizon, nor SBC, nor TimeWarnerCable, nor Cox to fairly and reasonably manage variable bandwidth pipes to the content production sites. None of these companies is nimble enough to keep up with the rate of change on the internet. Many of them have competing vested interests in making it easier for you to see their content or that of their advertising partners and not the content you really want to see.

4) There cannot be real neutrality until there is real competition, right through to the home. Until then regulation is not only necessary, but very useful and very fair. It makes this whole public discussion possible.

5) Without Net Neutrality, innovation will be stifled. There are people who just do things. Content creation because they love it. It is an art. Sometimes this art becomes commercialized, that is fine. Sometimes commercial production houses actually create art, that too is fine. A neutral playing field allowing users to view whatever they like means there are plenty of room, and rewards, for both. A network where you need ABC’s network approval before your show can air is stifling to artists – some thrive with the guidance they’ll get from ABC’s professional staff. Others cannot produce at all in that environment. They make askaninja.com and rocketboom.com – and I value their content as much if not more than that coming out of the big commercial houses right now. TikiBarTV is the funniest thing on the web now, can you imagine it being aired on Bravo? Probably not.

6) Without Net Neutrality Democracy (big D) is stifled. It is only because ordinary people like you and me can easily create blogs and podcasts and vlogs and content that would slip through the mainstream media filters, or get censored out. This post would never make it in the New York Times. Yet this is an important issue that needs to be discussed. We need Net Neutrality to enable the bloggers of the world to write the news, especially since the corporate owned right-wing pandering mainstream media no longer actually does any investigative reporting anymore.

So my words here have probably converted no one, nor even convinced you to do some quick research and then contact your representatives in office about this issue. So please look at the following cartoons and links and let them convince you.

Thanks for lending me your attention for this long….

Fun stuff:
User Friendly Carton (May 21)
Ask A Ninja’s Net Neutrality Episode
User Friendly Carton (May 14)

Information about Saving the Internet:

http://www.savetheinternet.com/

http://www.wetmachine.com/totsf/item/511

Propaganda from the Telephone and Cable Lobby:

http://www.handsoff.org/

http://dontregulate.org/

Effective Rebuttal:

http://www.savetheinternet.com/=lie

So I moved my home pages and Blogger web log to scottnolan.org and scottnolan.org/blogger.html and copied all the files off Erci’s vampyr.org servers at Interland. Erci will be moving her site and blog over to the DreamHost systems soon too. Interland had great support and connectivity, but their billing was per domain, and as we are adding more domains soon, it was getting expensive. We’ll talk to the folks at La Belle about moving too, but they are paid for quite some time at Interland, so there is no hurry yet. We’ll be standing up a few new domains too (Arthur Murray DC and SGI Fortune District).

One of the other nice things about the DreamHost accounts is that they let us do imap/webmail with SpamAssassin protection and Mailman mailing lists (it’d be really nice to finally get the La Belle and Fortune District mailing lists set up properly for a change). They also have one button installs of things like WordPress, Drupal, TextPattern, MySQL, and phBBS – which will make our lives a lot easier.