Social Network Privacy poll

Some social network sites offer the feature for users to see who has visited their profile (footsteps).

Orkut for example introduced footsteps some time ago. A user is able to opt out of this feature (so she doesn’t leave footsteps anymore and can browse other people’s profiles anonymously), but if she opts out she also can’t see other people’s footsteps on her profile anymore. This resulted in many Orkut users creating second dummy accounts that they used to browse anonymously, while footsteps are still enabled on the user’s real account.

Would you see a problem if a social network site has footsteps enabled by default, and the user can opt out (to not leave footsteps anymore) but would still see other people’s footsteps on her profile (as long as those people didn’t opt out)?

What do you think?

Automating remote software updates in Adobe AIR applications

I just released the first version of AIR Remote Updater, an AS3 class to automate remote software updates in Adobe AIR applications.

It transparently checks version numbers, downloads the .AIR installer file if needed and triggers the AIR-native update process.

It grabs the version number directly from the remote .AIR file without having to download the entire file, eliminating the potential error prone need of having to put a separate descriptor file online along with the .AIR installer file.

Background:

An .AIR installer file is a PKZIP archive containing metadata files along with the packaged application files. The files contained in a .AIR installer file are, in this order:

  1. /mimetype
  2. /META-INF/AIR/application.xml (contains version info)
  3. /META-INF/AIR/hash
  4. /META-INF/signatures.xml
  5. packaged application files

The file we are interested in, /META-INF/AIR/application.xml (the “application descriptor file” that contains the version number), is always the second file in the archive. AIR Remote Updater uses FZip to stream in the remote .AIR until (and only until) the application descriptor file has loaded. We can then close the stream, uncompress that file and extract the version number.

More info and download here:
http://codeazur.com.br/lab/airremoteupdater/

FZip Update

We just released an update for FZip (the Actionscript 3 class library to load standard ZIP archives and extract/decompress contained files):

  • Added support for Adobe Air. The Adobe Air runtime provides a low level inflate method, making it possible to load any ZIP archive and decompress compressed files without the need of injecting Adler32 checksums.
  • Added FZipLibrary class for higher level access to files in a ZIP archive. “FZipLibrary processes files (based on file extensions) from an FZip instance and converts them into usable formats. Files can be converted to either a BitmapData or DisplayObject classes. Data embedded in SWF files (like classes) can also be retrieved. Flash’s built-in Loader class is used to convert formats, so the only formats currently supported are ones that Loader supports. As of this writing they are SWF, JPEG, GIF, and PNG.”
  • Bug fix: There was a problem with filenames containing special characters. Filename encoding now defaults to UTF-8. In case the filenames are encoded differently in your ZIP, you can specify the encoding in the FZip constructor.

Special thanks to Daniel Wabyick at Adobe for contributing the Adobe Air support!

Enjoy!

http://codeazur.com.br/lab/fzip/

NightmareHost

Hello -

This email is regarding a potential security concern related to your
'xxxxxx' FTP account.

We have detected what appears to be the exploit of a number of
accounts belonging to DreamHost customers, and it appears that your
account was one of those affected.

We're still working to determine how this occurred, but it appears
that a 3rd party found a way to obtain the password information
associated with approximately 3,500 separate FTP accounts and has
used that information to append data to the index files of customer
sites using automated scripts (primarily for search engine
optimization purposes).

Our records indicate that only roughly 20% of the accounts accessed -
less than 0.15% of the total accounts that we host - actually had
any changes made to them. Most accounts were untouched.

We ask that you do the following as soon as possible:

1. Immediately change your FTP password, as well as that of any other
accounts that may share the same password. We recommend the use of
passwords containing 8 or more random letters and numbers. You may
change your FTP password from the web panel ("Users" section, "Manage
Users" sub-section).

2. Review your hosted accounts/sites and ensure that nothing has been
uploaded or changed that you did not do yourself. Many of the
unauthorized logins did not result in changes at all (the intruder
logged in, obtained a directory listing and quickly logged back out)
but to be sure you should carefully review the full contents of your
account.

Again, only about 20% of the exploited accounts showed any
modifications, and of those the only known changes have been to site
index documents (ie. 'index.php', 'index.html', etc - though we
recommend looking for other changes as well).

It appears that the same intruder also attempted to gain direct
access to our internal customer information database, but this was
thwarted by protections we have in place to prevent such access.
Similarly, we have seen no indication that the intruder accessed
other customer account services such as email or MySQL databases.

In the last 24 hours we have made numerous significant behind-the-
scenes changes to improve internal security, including the discovery
and patching to prevent a handful of possible exploits.

We will, of course, continue to investigate the source of this
particular security breach and keep customers apprised of what we
find. Once we learn more, we will be sure to post updates as they
become available to our status weblog:

      http://www.dreamhoststatus.com/

Thank you for your patience. If you have any questions or concerns,
please let us know.

- DreamHost Security Team

Adobe Apollo and Last.fm: Proof of concept

I have been toying around with the idea to write an Adobe Apollo application that’s able to monitor your favorite media player (such as Winamp, Windows Media Player, iTunes, Rhythmbox, etc) for play back status and song information.

Last.fm provides an application along with plugins for pretty much all existing media players on all major platforms (Windows, MacOS, Linux, etc) that does exactly that. During installation of the Last.fm client, the user is prompted to install the required plugins for the media players she uses. When a media player executes and plays a song, the plugin establishes a TCP socket connection with the client application and sends status and song infos.

The problem: The Apollo runtime (alpha) that is currently available on Adobe Labs doesn’t provide any documented way of (a) talking to shared libraries, (b) launching executables or (c) serving as a socket server, and Adobe indicated that Apollo likely is not going to support those features in it’s 1.0 release version.

There is hope though. Afaik, the last word on launching executables at runtime from an Apollo app isn’t spoken yet, and there exist some undocumented hacks that enable Apollo apps to do just that. If Adobe should decide against letting apps launch executables, then the only way of solving it is to provide second installers that install a socket server of some sort to do the dirty work.

However, i sat down last night and wrote a proof of concept Flash application that can live in Apollo, which talks to a custom daemon via sockets. The daemon in this proof of concept runs as a Windows Service. I took the Last.fm iTunes plugin and modified a bit so that it also connects to that daemon. The daemon then simply echoes the messages it receives from the Last.fm plugin to the socket listener in Flash. Voilà.

Here’s a screenshot of the app in action (iTunes on top, Flash below):

iTunes talking to Flash

[Update] I also modified the Last.fm Windows Media Player plugin to work with my daemon. All plugins can be used simultaneously. See this screenshot (Windows Media Player on top, Flash below):

Windows Media Player talking to Flash

Note that this is only a proof of concept, and sources aren’t ready for release yet. I would very much like to make this an open source project (The Last.fm plugins are released under GPL), so if there are any interested developers out there who like to help, please contact me or leave a comment. Thanks!

Flashconference 2007, May 4th, Stuttgart, Germany

Just to let you know that i’ll be speaking at the 9th annual Flashconference in Stuttgart, Germany on May 4th. My presentation is about the new Actionscript 3 Flash UI Components that come with Adobe Flash CS3. I’ll give an overview on what’s new, what’s different with respect to previous components sets and Flex, if and how to use them and how to skin and subclass them. I was part of the CS3 components dev team together with the guys at gskinner.com so hopefully i have some interesting things to show. If things work out well i’ll probably also be showing some FC64 stuff i was working on lately.

If you’re in central Europe early May, please drop by. Among others, Mario Klingemann, Andre Michelle, Peter Elst and Marcos Weskamp will be presenting, and as the flashconference is taking place as part of the fmx (“12th International Conference on Animation, Effects, Realtime and Content”, May 1st-4th), there’s almost a full week of top notch events to attend.

Check out the full schedule here.

I’ll stay in Germany for two weeks and will be traveling Munich, Stuttgart and Bremen, so if you like to meet, please drop me a line!

DENG is back!

The DENG Modular XML Browser project finally has a new home. Over the last two years, i switched hostings twice (don’t ask), and DENG was scattered all over the internets, and many things got lost.

I finally sat down to clean up the mess and everything is in one place again. The project homepage features a small news section, the feature matrix, examples (i’ll add more every now and then, so be sure to check back), downloads (includes examples on how to integrate DENG into your Flash projects and HTML pages as well as the source code of course) and support (you can support us by donating via PayPal now, and we can support you via our forum and mailinglist, and we offer individual support too).

Nothing terribly new there, but i thought i let you know.

I’m working on DENG 2.0 (Actionscript 3 implementation) whenever i find some free time, so stay tuned. May take a while yet though until i have something halfway meaningful to show.

http://deng.com.br/

MSN, Yahoo!, ICQ and IRC in Flash 8 – 6kbytes.com

An old friend of mine from Argentina contacted me recently and showed off his work. I was impressed.

6kbytes.com integrates all your messenger accounts (MSN, Yahoo!, ICQ, IRC) into one slick Flash 8 interface. And it’s all free.

As far as i understood, communication is done via XMLSockets to a Jabber server that is used as a gateway to other messaging servers/protocols.

Good job, Francisco!