BlackBerry and a Simpler Mobile Time
Two years ago BlackBerries dominated at Control Group. Back then, if you picked up one of the orange Nerf balls that dotted the CG office landscape and threw it, chances were that you would hit someone who kept a BlackBerry Curve in their pocket. I have fond memories of the original Curve with its beautiful screen and extremely tactile keyboard, as it was the last BlackBerry I ever carried.
As an early adopter, I made the jump from the Curve to the first Android device, the G1. This began a change in the office where everyone was looking for a way to get away from the BlackBerry and get on to something else, be it an Android, iPhone, or Windows Mobile. Within a year, iPhones and Androids were quickly becoming the norm. It got to a point where we had a New Year’s prediction that CG would be a BlackBerry-free company by 2012, and it was almost correct. How close did we get?
From a company that was at one time 100% BlackBerry, we now have the following:
So what changed that caused such a radical shift? In short, the mobile landscape did, and what didn’t change was the BlackBerry.
With a new emphasis on touchscreen devices that did more than just act as an email life vest, BlackBerry held fast to what made them the king. While they still focused on enterprise level email with Exchange servers, Apple and Google were providing media rich devices with more screen real estate and features than any BlackBerry had ever offered. As its competitors updated and perfected their devices, they took aim at the mighty BB… the iPhone with stronger Exchange functionality, and Android with its unique ability to sync seamlessly with Google Apps, as well as increased Exchange functionality.
A series of rushed products like the BB Storm and the BB App World just further showed that RIM didn’t get it. With a new line of hybrid touch devices still featuring the iconic keyboard, they’re still left with an OS that is tricky to code for at best, and has such a small market share that many developers don’t even bother writing apps for it.
RIM’s ace in the hole though, is the wildly successful BB Messenger. While it’s not enough to reel back the customers they have lost, it’s their bargaining chip with other mobile companies. Recent news suggests that RIM is being shopped around to their competitors, more specifically to Samsung. Fearing it is not long for this mobile world, they are trying to keep alive by licensing their software or by being bought out, either completely or by selling divisions.
It feels a bit premature to start writing a eulogy for the BlackBerry but it’s about that time to start notifying the family that this is likely Gramma BB’s last Thanksgiving. Even as a faithful Android user, I still reminisce about the old BlackBerry days when fast email and a good keyboard was all I needed. You could go 3 days without putting your BlackBerry on a charger, you didn’t have to worry about how much built in storage it had, and you didn’t have to worry about apps or games… it was a simpler device for a simpler time.
Is Apple “sabotaging” an open standard for digital books?
In response to an internal thread on this article…
I’m right there with folks crying foul when Apple does wrong, but I don’t buy this one. Apple’s “bastardization” of the ePub format helps push the format forward, just like Opera and Mozilla’s modifications to HTML yielded HTML 5, Microsoft’s modifications led to OpenXML and practically everybody’s Wi-Fi implementations led to 802.11n. I’m not saying it’s on as grand a scope as that, but I do think it’s a small part of that same sort of momentum. All Apple did was add some extra CSS tricks that weren’t present in the ePub standard and then tweaked the MIME type so the files identify themselves as being slightly different than standard ePub files. If nobody built on top of open standards like this, then nobody would use open standards because they would develop uselessly slowly.
And while e-ink displays are indeed better for reading than LCDs, I take issue with the headaches-because-of-refresh claim. There is no refresh on LCDs, just per-pixel changes when the image changes. Tablet LCDs are the same as your desktop display, which folks read on all day long without issue.
I still prefer a tree-killing paper book to both, though!
Scott Anderson is Headed to the Sundance Film Festival
CG Partner Scott Anderson scored some of the music for Famous Person Talent Agency: Pearls of Asia, a Sundance nominated film! He’s headed to Park City for the Festival tomorrow.
Congrats Scott! (And good luck.)
Whistle-blowing the Zappos Hack
Colin notified Zappos on Thursday that there was a security issue with their site. Check out the email thread… It seems like they weren’t aware of the breach at the time.
On Thu, 12 Jan 2012 18:31:15 -0800 (PST), c….@gmail.com wrote:
(Sent from http://zeta.zappos.com – the Zappos of Tomorrow (today!))
Contact By: email
----- customer message to follow -----
Hi there,
My browser detects the log in fields on your site as insecure. – I proceeded against this warning and when I tried to check out none of my credit card or shipping info was present – this info has always been a part of my zappos account and I am suspicious why the site would ask for me to re-enter it.
Could you please have someone take a look at this?
Thanks,
-Colin
On Fri, Jan 13, 2012 at 5:54 PM, Zappos.com wrote:
Hi Colin,
Thank you for contacting the Zappos VIP Customer Loyalty Team. I hope you’re having a fantastic day so far!
I am very sorry that we have worried you. Our awesome (and quite hunky) security staff will go to great lengths to ensure the safety of our customers’ payment information. Not only are we PCI compliant, not only do we encrypt connections using SSL technology, we also encrypt payment information traveling within our company as well so that even our employees can’t view it. Lastly, all payment information is encrypted while in storage within a network that is firewalled off from the rest of the company and the internet. We have even submitted a patent request for the unique and stringent way we’re protecting credit card data!
We saw some off and on hiccups with our site today and one of them was that information, both shipping and billing, were not appearing in accounts. It is not gone, for some reason it was just not displaying correctly. This has since been corrected and we should be good-to-go!
I hope this helps clear up any concern, Colin! Please let us know if there is anything else we can assist you with, we are in Las Vegas so the lights are never off!
Have a terrific day!
Your friend at Zappos,
Kelsey W.
Zappos Customer Loyalty Team
On Sat, 14 Jan 2012 08:46:49 -0500, “Colin O’Donnell” <c….@gmail.com> wrote:
Hi Kelsey,
Could you also have your security team look into the “Insecure Login field detected”? This error was produced by my Chrome password manager extension
www.lastpass.com
I believe this warning relates to the page being SSL encrypted, but the login fields coming from another non-encrypted source. – I actually abandoned my shopping cart and will not proceed with the purchase (or future ones) because of this warning.
Thanks,
-Colin
---------- Forwarded message ----------
From: Zappos.com <cs@zappos.com>
Date: Sat, Jan 14, 2012 at 9:56 AM
Subject: Re: Security concern
To: c….@gmail.com
Hi Colin,
Thank you for contacting the Zappos.com Customer Loyalty Team. I apologize for the delay in responding to your email.
I can see you are a VIP customer and it would be my pleasure to assist you!
I apologize for any confusion or inconvenience caused. Unfortunately, you may have received the error message because of compatibility issues with the Chrome browser on our site. I have heard of other customers having issues with our site when trying to use the Chrome browser, as well. You may want to try placing your order with another browser to see if you still receive the same error message.
For your reference, I’ve included a link which will direct you to our Zappos.com Safe Shopping Guarantee, Secure Shopping, and Privacy Policy. Please click the link below to view:
http://www.zappos.com/protecting-your-personal-information
I hope the information provided helps you. If you have any additional questions or concerns, please feel free to contact us at any time. We are here for you 24/7. Have a wonderful day Colin!
Thank you,
Kesh
Customer Loyalty Representative
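The condition Colin describes in the thread above, an SSL-encrypted page whose login fields come from or post to a non-encrypted source, can be checked mechanically. The following is an added example, not part of the email thread and not LastPass's detection logic; the markup and the shop.example URLs are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Collect places where credentials on a page can leave the TLS channel."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []          # (kind, resolved URL) tuples, in page order
        self._form_action = None    # resolved action of the form being parsed

    def _resolve(self, url):
        # Relative and protocol-relative URLs inherit the page's scheme.
        return urljoin(self.page_url, url or "")

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form_action = self._resolve(a.get("action"))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            target = self._form_action or self.page_url
            if urlsplit(self.page_url).scheme == "http":
                self.findings.append(("password-field-on-http-page", self.page_url))
            elif urlsplit(target).scheme == "http":
                self.findings.append(("password-form-posts-over-http", target))
        elif tag in ("script", "iframe") and a.get("src"):
            src = self._resolve(a["src"])
            if urlsplit(src).scheme == "http":
                # A plaintext script can rewrite the form; a plaintext frame
                # can itself contain the login fields.
                self.findings.append((tag + "-loaded-over-http", src))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_action = None


def audit_login_page(page_url, html):
    """Return the findings for one page, given the URL it was served from."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed markup; shop.example is a placeholder, not the retailer's site.
MIXED = """
<script src="http://static.shop.example/js/login.js"></script>
<form action="http://www.shop.example/login" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
<iframe src="http://www.shop.example/widgets/signin.html"></iframe>
<form action="/search"><input type="text" name="q"></form>
"""

# Same login form with every resource inheriting the page's HTTPS scheme.
CLEAN = """
<script src="//static.shop.example/js/login.js"></script>
<form action="/login" method="post">
  <input type="text" name="email">
  <input type="password" name="password">
</form>
"""

if __name__ == "__main__":
    for kind, url in audit_login_page("https://www.shop.example/checkout", MIXED):
        print(kind, url)
```
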
My Frustrating Retail iPhone Experience
A few weeks ago I was in the Anthropologie store in SoHo looking for a specific dress. They didn’t have it in my color/size so I asked the salesperson if she could see if another store had it in stock. She said that they could order it and ship it to me for free right from the store and save me the trip. Sweet!
Then she directed me to wait in a very long, holiday-time-in-New York City-sized line.
Twenty minutes later I finally reached the cash wrap. To my surprise, the cashier pulled out an iPhone from her pocket, scanned the barcode of the sample dress with it, scrolled to the right size and color I was looking for, swiped my credit card with an attachment on the phone, and I was on my merry way. Sweet?
Not so much. Why even bother with the iPhone and all of its wonderful functionality if I still had to wait in line for 20 minutes? Isn’t the whole point of a mobile device its mobility? I couldn’t believe how much of my time they wasted when they just didn’t have to.
It’s like someone at Anthropologie said, “Hey, iPhones are cool! Let’s get them so we can order stuff for customers direct from the store so they don’t leave without paying for something. The end.” There seemed to be no consideration of the iPhone’s real value to the customer experience. To me, they could have used a catalogue and rotary phone and it would not have made a difference in my experience. The cashier had the power in her hands! Unfortunately, the salesperson on the floor was the one who should have had it. (Or hell, I could have had it!)
We see this all the time these days. Companies buying the hot, new technology and using it in the same cold, stale way they’ve always done things. In this case, it’s not only a waste of money, it’s damaging to the customer experience. As companies start implementing technology that’s familiar to consumers, missteps like this become more obvious and frustrating and could actually damage the brand.
Put it this way, if there was no iPhone and they had to use an inventory management system I knew nothing about, I wouldn’t be writing this blog post. But I have an iPhone and I know why it’s awesome– instant gratification. And so here I am venting about Anthropologie making me wait in line for 20 minutes despite having an instant gratification device right there in her heather grey, merino wool pocket.
Automobiles Are Faster Than Buildings
The automotive lineup for CES 2012 next week includes the debut of the Ford Evos concept car, a sensor-rich vehicle that is designed to connect to the cloud, all for the benefit of user experience. What a great approach! Why aren’t all occupiable spaces, including cars, designed like this? Let’s look at the car concept. What do the cloud and sensors bring to the driving experience? In short, it could make driving as forward-thinking as an iPhone. The concept car features include connectivity with entertainment and content; energy management based on environment and locality; parental controls; and smartphone integration. Other auto companies are working on similar “cloud connected” and sensor-rich concept cars, and it’s hard to knock any of them for taking another five years (the estimated time to get real vehicles into showrooms) to perfect the technology. I can’t wait!
That said, during this five-year span, countless buildings, schools, Starbucks, Walmarts, etc. will be built without the forward-thinking technology frameworks for really enhanced user experiences. There are sensors, sure – like temperature management, which can affect productivity by gigantic numbers. But why is it not pervasive and evident, in ways that people can really notice and appreciate? Is it cost? Is it the building process? Is it the profit model? Maybe it’s all of these, but if there is meaningful benefit to user experience, shouldn’t the architect be thinking about technology frameworks – the way they think about new exotic building materials that only they have access to? It should be noted that it isn’t only architects that can leverage these tools and frameworks – retail marketers, advertisers, product managers, and property owners can reap benefits. But architects have more opportunity to thread infrastructural thinking into the program and design of the space. (I have spent much of my career working in both architecture and technology, which is why I pick on architects.)
What could an architect do with a rich technology infrastructure like the Evos concept? I’m open to suggestions, but the answer is likely a combination of the internet of things (sensors and other hardware), my digital self (i.e. Facebook, Linkedin, and particularly smartphones, which are broadcasting all the time), a robust web-services community, and great user experience design.
Here are some things that it’s not: The Jetsons, where everything has a robotic arm. It’s also not exactly “responsive architecture,” at least the physical part where buildings deform to meet changing conditions or provide some interactivity. And it’s not a marketing element, like lobby displays, although the best ones, like the Cosmopolitan Hotel in Las Vegas, are beautiful and certainly benefit user experience.
If not robotic arms for better services, then what? We can use tech infrastructure to augment and improve the delivery of services. A great example is the gate redesign work that’s happening at some of the major airports. Why should the airport gate look like a bus station and serve terrible food anymore? OTG Management, an innovative airport food and beverage operator, has revolutionized the gate holding area by making major restaurant improvements (actually good food) and extending that enhanced experience throughout the terminal with food delivery service via iPad-based menus and ordering systems, along with charging stations and comfortable seating. Now travelers are able to relax and dine from any seat.
Also, instead of deforming a building physically, perhaps we can deform it digitally. Shopkick allows a retailer to install a small transmitter that can communicate with local phones. Shoppers can pull out their mobile devices and get rewards and offers based on their digital and physical histories. Invisible to those that don’t want it, but a new experience for hardcore shoppers.
Instead of “screensaver” signage for effect — again, some are beautiful — perhaps we can conform the content to the viewer base. Techstars startup Immersive Labs is developing an outdoor advertising technology that uses cameras (as sensors) and facial recognition to tailor content to viewers, as in Minority Report. Not everyone wants “billboards” at their school or hotel, but this same capability is a fantastic tool for user experience design.
These aren’t the end-all, be-all examples but useful data points. There are many. For instance, Walmart Labs is making lots of social and mobile acquisitions – Grapple and Small Society, and I haven’t seen the new master store…but then again, I don’t get to Walmart much living in Manhattan.
For most users, this sense of super connectivity could be disturbing. As mentioned above, it’s going to be up to the designer, particularly the user experience designer, to turn this potential nightmare into a pleasant dream. User trust is essential – see Toby’s article on 5 Practices for Securing User Confidence for more.
LinkedIn’s user rating is taking a hit over shady Android app update
The pillaging of private data by mobile apps may be coming to an end as users are becoming more vigilant and savvy. Look no further than the growing backlash from the most recent update of the LinkedIn Android app. About a week ago, LinkedIn released an update with the note in the changelog, “Fixed several bugs reported by our members”, but said nothing about changing permissions. Bad move. The app’s user rating is taking a major hit.
While providing no new features or benefits, the app now requires “Read Sensitive Log Data”, which allows the application to access general information about what the user is doing with the device. This could include personal or private information. But who knows what info they’re pulling or why? …LinkedIn doesn’t tell us.
With the growing spotlight on data and privacy issues, consumers are moving away from blind trust and more towards vigilance. Like the public’s rejection of Path Intelligence’s tracking of cell phones in the mall, users are uninstalling the LinkedIn app and flaming it in their reviews. Mobile app developers and firms like Path Intelligence could learn a few lessons from the browser cookie. While Path’s system and LinkedIn’s app take user information and offer no explicit benefits to the customer, cookies provide a more personalized, user-friendly web experience because of the data. And they can be disabled. Privacy is a two way street. People are willing to give up some personal information to a trusted partner with the understanding that they’ll get something in return—and their information won’t be abused.
LinkedIn’s rating is dropping like a rock because they took their users for granted and figured they would install any update and accept any permission, even if there was no tangible benefit. They have also failed to respond to the community’s feedback. It’s been over a week and they have yet to change the description of the app.
To fix this debacle, LinkedIn needs to jump in immediately and update their description with a solid explanation as to why they need these new permissions, and put it in user focused terms. However, rolling it back altogether would show a greater interest in protecting the privacy of their customers (who are, in essence, their products).
This is a lesson to all app developers, but especially those dealing with social features: The users are starting to pay attention. You need to treat your community with respect. Take only what you need and give more than you take… or get ready for the backlash.
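A permission that appears in an update without a word in the changelog, the situation described above, is something a release checklist or an app reviewer can catch by diffing the manifests of two versions. This is an added example, not LinkedIn's or Google's tooling: the manifests, the package name com.example.social and the watchlist are constructed, and android.permission.READ_LOGS is the manifest identifier behind the “Read Sensitive Log Data” label.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Reviewer's watchlist (this example's own choice): permission -> description.
# The READ_LOGS wording is the label quoted in the post; the rest are informal.
WATCHLIST = {
    "android.permission.READ_LOGS": "Read Sensitive Log Data",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.READ_SMS": "read text messages",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
}

# Constructed manifests for a hypothetical app, as decoded from two releases.
OLD_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.social" android:versionCode="41">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

NEW_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.social" android:versionCode="42">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
</manifest>"""

# The changelog text quoted in the post.
CHANGELOG = "Fixed several bugs reported by our members"


def permissions(manifest_xml):
    """Return the set of permission names a decoded manifest requests."""
    root = ET.fromstring(manifest_xml)
    names = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    return names - {None}


def review_update(old_xml, new_xml, changelog):
    """List permissions added by the update and whether the notes disclose them."""
    added = sorted(permissions(new_xml) - permissions(old_xml))
    log = changelog.lower()
    findings = []
    for perm in added:
        short = perm.rsplit(".", 1)[-1].lower()
        label = WATCHLIST.get(perm)
        disclosed = (
            "permission" in log
            or short in log
            or (label is not None and label.lower() in log)
        )
        findings.append({
            "permission": perm,
            "label": label,
            "sensitive": label is not None,
            "disclosed": disclosed,
        })
    return findings


def should_block_release(findings):
    """Hold the release when a watchlisted permission is added silently."""
    return any(f["sensitive"] and not f["disclosed"] for f in findings)


if __name__ == "__main__":
    result = review_update(OLD_MANIFEST, NEW_MANIFEST, CHANGELOG)
    for f in result:
        print(f["permission"], "disclosed" if f["disclosed"] else "NOT disclosed")
    print("block release:", should_block_release(result))
```
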
Deploying PHP applications as phar archives
Deploying code is a big part of our job and we’re always looking to increase our efficiency when deploying applications. Recently, we decided that our goal is to package every application as a single file archive that can be easily built and deployed. We want our continuous integration system to spit out a single file per project that can be used to deploy everything. PHP offers a way to store PHP apps into one single file, a PHP Archive or “phar” file, so we began our experiments with phar archive deployment.
To test deployments of PHP apps in a phar archive, we generated a very basic Yii Framework-based web application for testing: a “yii/” directory with the Yii Framework files and a “webapp/” directory with the web application files (e.g. “index.php” and “protected/”). We also protected the “yii/” directory with an “.htaccess” file and deleted some runtime data to save space in the phar archive we wanted to build.
We modified our configuration to serve phar files with the PHP module and whitelisted phar files in the Suhosin PHP extension configuration. We generated a testing “index.phar” archive and put it in the DocumentRoot along with a bootstrap “index.php” file with the following content:
<?php
// Bootstrap in the DocumentRoot: hand the request to the entry script inside the archive.
include 'phar://index.phar/webapp/index.php';
__HALT_COMPILER();
An error occurred when the application loaded in the browser: realpath() was not able to determine the location of the “protected/runtime/” directory in the web application. This function seems to be having issues when used inside phar archives and there was no point in storing runtime or user data inside of it. So we needed a real directory outside the phar file for that. We then overrode realpath() in the bootstrap file with the “runkit” PHP extension.
In the overridden function, we expunged the “phar://” and the “index.phar/webapp/” path components and returned the results when the Yii Framework was trying to determine its runtime directory. If a path began with “phar://” we simply returned it, and if neither of those conditions was met, we returned the value from the original realpath(), which we had copied in the bootstrap file. To correctly display CSS files stored in the phar archive, we also used “mod_rewrite” to redirect requests to “/index.phar/webapp/css/”. We created the “protected/runtime/” and “assets/” directories outside the phar archive in the DocumentRoot, and we protected the newly created “webapp/protected/” directory with an “.htaccess” file.
We also noticed that captcha images were not being displayed because a needed “ttf” font that ships with the Yii Framework was not found at runtime: dirname() was not able to return/determine the whereabouts of the directory inside the phar archive where that font was. We overrode dirname() to extract that file at runtime from the “index.phar” archive into a temporary location, if not already there; the overridden dirname() was coded to return this new path, or the value returned by the original dirname() function in all the other cases.
As you can see, there are a lot of overrides required just to make a simple application work. We’ve stopped our work on phar archive deployment because managing all of these overrides is unworkable. We also have no assurances that the overrides will be appropriate for a more complicated application.
We’re going to try some other experiments to get closer to our goal of a single file deployment for our applications. Our next experiments will be around automating the creation of tarballs with custom code to deploy them appropriately.
Is anyone else using phar archives to package their applications? We’d be curious to know if anyone else has had better luck. Any comments and ideas are welcome!
Innovation is Everyone’s Job
I like this blog post from the Harvard Business Review.
Control Group has a culture that attracts certain kinds of people. Sure, the culture changes as the company does, but there are certain things that definitely stick from iteration to iteration. I think that our acceptance and interest in innovation is one of them. I think that we should all be innovating. Everyone has something to contribute, no matter what your title or role is.
So as an FYI, R&D is open to everyone and we will be scheduling more of those drive-bys to accommodate more schedules and interests.
Troubleshooting a particularly annoying session with OS X smb.conf
OS X’s UNIX layer is a wonderful complement to its excellent GUI. As with any other flavor of UNIX though, there are some peculiarities that can make configuring things frustrating until you know what the rules of engagement are.
I was recently asked to create a reshare of a SAN volume for a client. I selected the file sharing protocol SMB because we can control what permissions are applied to new files and folders. This functionality is especially important since there’s no centralized authentication system to coordinate permissions within this setup. Unfortunately, an apparent bug in the Server Admin GUI for OS X Server 10.6.8 made this goal far more difficult to achieve than just clicking a few options.
The prescribed method for controlling newly created file and folder permissions is to select one of two options for “Default permissions for new files and folders:” under Protocol Options. I wanted all new items to be fully open to everyone, so I selected the option, “Assign as follows:”, and chose “Read & Write” for Owner, Group, and Everyone. A bit of testing showed that this adjustment was ineffective. Everything was still being created with the default permissions of r/w for the owner, read-only for everyone else (i.e., 744 for files, and 755 for folders). Replicating this setup on another server showed that the problem was not unique to the original machine.
Thanks to the aforementioned UNIX layer, I had another way of achieving my goal.
Although it’s found in the same place (/etc/smb.conf) as other UNIX flavors, OS X’s smb.conf file is a unique beast. Note the following comment at the head of the file:
; Parameters inside the required configuration block should not be altered.
; They may be changed at any time by upgrades or other automated processes.
;
; Site-specific customizations will only be preserved if they are done
; outside this block. If you choose to make customizations, it is your
; own responsibility to verify that they work correctly with the supported
; configuration tools.
Scanning through the file showed that there was no entry for the SMB reshare that was currently being served. However, running the command testparm showed that there was indeed a configuration entry for it:
[Volume_Name]
comment = Volume_Name
path = /Volumes/Volume_Name
read only = No
strict locking = Yes
What the heck? Where is this mount coming from? It turns out that OS X Server is pulling share information from an auto-generated file - /var/db/samba/smb.shares. However, we’re clearly not meant to alter this file, as per the leading comment it includes.
The trick is to include our share specific permissions settings at the bottom of /etc/smb.conf under an entry for the volume name. Ergo, you’d add the following:
[Volume_Name]
create mask = 0777
directory mask = 0777
force create mode = 0777
force directory mode = 0777
You’ll obviously want to adjust the included entries and their relative settings to suit your security situation. Also, note that the section name must match the entry listed by testparm for the association to work.
Additionally, I found that I had to include a setting to disable UNIX extensions for everything to work. Your mileage may vary. Rather than edit the untouchable global block, I added another section at the bottom of smb.conf in the following manner:
[global]
unix extensions = no
Curiously, SMB-attached users will see everything as being owned by them, with no access to anyone else:
-rwx------ 1 administrator staff 0 Nov 22 16:46 test_via_smb
Fortunately, this is only for appearances. In reality, new files and folders are being created as specified. Here’s the same file viewed from a fibre attached workstation:
-rwxrwxrwx 1 <uid> wheel 0 Nov 22 16:46 test_via_smb
Hopefully this bit of knowledge will save someone else some time. Systems administration is ultimately a group effort!
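The result of the four mask settings can be worked out before they go live: Samba ANDs the mode a client requests with the mask and then ORs in the force mode, so 0777 in all four makes every new file and folder world-writable. This added example (not the author's or Apple's tooling) parses a constructed smb.conf, merges the repeated share section the way the setup above relies on, and flags such shares; the requested modes 0766 and 0777 are assumptions, and the fallback values are Samba's built-in defaults.

```python
# Constructed sample: the share as testparm reports it, followed by the
# article's additions appended at the bottom of /etc/smb.conf.
SAMPLE = """\
; auto-generated share definition
[Volume_Name]
    comment = Volume_Name
    path = /Volumes/Volume_Name
    read only = No
    strict locking = Yes

; site-specific additions
[Volume_Name]
    create mask = 0777
    directory mask = 0777
    force create mode = 0777
    force directory mode = 0777

[global]
    unix extensions = no
"""

# Samba's built-in defaults, used when a share does not set the parameter.
DEFAULTS = {
    "create mask": 0o744,
    "directory mask": 0o755,
    "force create mode": 0o000,
    "force directory mode": 0o000,
}


def parse_shares(text):
    """Parse smb.conf text; a repeated [section] merges into the earlier one."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Normalise case and spacing of the parameter name.
            current[" ".join(key.lower().split())] = value.strip()
    return shares


def effective_modes(params, file_req=0o766, dir_req=0o777):
    """(requested AND mask) OR force, for new files and new directories.

    file_req and dir_req are assumed client-requested modes, not Samba values.
    """
    def setting(name):
        return int(params[name], 8) if name in params else DEFAULTS[name]

    file_mode = (file_req & setting("create mask")) | setting("force create mode")
    dir_mode = (dir_req & setting("directory mask")) | setting("force directory mode")
    return file_mode, dir_mode


def audit(text):
    """Report the resulting modes per share and whether 'other' can write."""
    report = {}
    for name, params in parse_shares(text).items():
        if name.lower() == "global":
            continue
        file_mode, dir_mode = effective_modes(params)
        report[name] = {
            "file": oct(file_mode),
            "dir": oct(dir_mode),
            "world_writable": bool((file_mode | dir_mode) & 0o002),
        }
    return report


if __name__ == "__main__":
    for share, result in audit(SAMPLE).items():
        print(share, result)
```

With the additions removed, the same audit reports 0744 and 755, the permissions the Server Admin GUI left in place.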


