They only left out one little piece of info, your password may have been exposed even if you’ve never logged in to a Gawker site. Multi-IM client Digsby is owned by Gawker and Digsby username/passwords are also in that database! Seriously, this is bad. No more blogging after midnight…This was totally incorrect, my apologies. I didn’t read the email very well (or possibly at all). Thanks for the comments from the Digsby team. I incorrectly made the connection based on the password Gawker had on file; it was an old password I was sure I had only ever used for IM clients.

Again, if this is the first you’ve heard this, here are the important links:

• Widget to check if your password has been compromised [salon.com]
• Lifehacker FAQ [lifehacker.com]
• The raw data [thepiratebay.org]

Speaking of Flickr, Instagram doesn’t hoard all your pictures like some apps might. It’s able to simultaneously cross-post to Twitter, Flickr, Facebook, Tumblr and Foursquare. The last two surprising, I haven’t come across an app that posts to those services before.

It’s great, but I can’t quite put my finger on what specifically excites me about this app so much. I guess it’s just made taking iPhone photos fun again.

In any case, it’s free and I think you should check it out.

As you can see in the screenshot. Firesheep gives you a nice list of all user logins you’ve collected, including their profile pictures for your convience; clicking one logins you in to the social network as that user, giving you full access to everything they have access to.

While this type of attack has always been a vague hypothetical possibility and there have always been tools available to take advantage of this sort of exploit, it is has never been this simple. It’s the equivalent of putting a “give me money” button on the side of an ATM. Facebook, Twitter and friends are going to have to take notice.

What Not To Worry About

• Private WiFi. If you know and trust everyone on the WiFi network you’re connected to at home or at work, you probably shouldn’t worry too much. You’re still just as vulnerable to the attack on a private or encrypted WiFi connection. But without open access to the general public, it’s a lot easier to catch the person messing with your account.
• Passwords. This exploit works without ever knowing your password. No respectable website stores your password in plain text and even if someone gets into your account, most websites will not allow a user to change the password without entering the current password.

How To Protect Yourself

Firesheep is taking advantage of the fact that your session data is being sent over wifi in plain unencrypted text. The only effective protection against this is full end-to-end encryption using HTTPS aka SSL. A lot of websites like banks or government services enforce HTTPS connections due to the sensitive nature of the transactions. Most social networks may offer HTTPS if you type it into the address bar (ex. https://facebook.com/ or https://twitter.com/), but since encryption slows down connections somewhat and is a little more taxing on server hardware, no social networks require you to connect with HTTPS. I suspect this will change within the next couple of weeks, if not sooner. In the mean time there are some steps you can take to make your browser use https.

• If you use gmail, they provide a handy setting to force gmail to always use a secure connection. Details here. Enable this if you haven’t already. This is not necessary, gmail went 100% SSL earlier this year.
• For other sites always include the ‘s’ after https when logging on to a website. This should work with any major website. Update your bookmarks now.
• Right now, I’m serious…
• ….
• Unfortunately, updating your bookmarks is not enough. Even when you log in via a secured connection Facebook and many others do not continue to send your traffic over secured links as you click around the site. Meaning, as soon as you leave that first httpS page, your may begin to expose your session details.
• If you use Firefox, Techcrunch has an article on configuring Force-TLS an add-on that forces sites to use HTTPS. Details Here.
• If you use Chrome or Safari, there are a few Greasemonkey extensions you can install that do similar things. This one covers a lot of sites. Take a look at the directory for more.
• Do not user Internet Explorer.

That said…

If you’re wondering who that neighbour with open WiFi has been messaging on Facebook, it’s never been easier to find out. Download the extension (disclaimer: don’t actually do this, it might be illegal).

The app details don’t give any information about how this is actually working. As far as I can tell the app makes a VNC-type connection to a virtual machine on Amazon EC2. Works like a charm.

Get it while it lasts though, seems like the sort of app Apple might pull from the App Store.

[iTunes Link]

Matt Howie – creator of metafilter -  gave iPlayPhone mention in his roundup of Recommended Kid Games.

AssociatedContent – a site I’d never heard of, but one that evidently gets over 24,000,000 visitors per month – ranked iPlayPhone #2 “Best Phone App for Kids on the iPhone.”

I’m going to go through a couple of different steps in the process and talk about some of the unexpected problems. I must say though, I was not very impressed. Nothing about the process is very “Apple-like.”

1. Opening The Account
After you’ve paid your $99 developer fee, there are still a number of legal/contractual hoops you need to jump through before you can atually upload an app for approval. As a Canadian developer, there were some additional hoops.

First, I’m not sure if you can actually sell an app without a GST number. I have a registered business, so this would not have been an issue for me.  But because of the way the sales work I would not be surprised if you were required to have a registered business.

Second, when purchases are made through the Canadian iTunes Store, Apple collects GST for you. This is good because it means you don’t have to worry about the accounting. In order for Canada Revenue Agency to allow Apple to do this for you, you need to fill out a specific tax form. By “fill out” I mean, physically. Apple has a PDF download of the doc available. But they require the original. You have to snail mail it! Apple suggests that they’ll process the doc within one week of recieving it.

Third, if/when you get paid, are are paid by Apple USA (in US Funds). When a US company pays an outside employee/contractor/etc those earnings are subject to international income tax treaties. If no treaty is specified, the IRS will compel Apple to withhold 30% of your earnings. For Canadian software developers, the tax treaty specified a 0% withholding. If you do not want Apple to withhold 30% of your earnings, you are required to obtain an “Employer Identification Number” from the IRS.

I put this off for awhile because I assumed it would be painful. To my surprise, getting this number was one of the most pleasant customer service experiences I’ve ever had over the telephone.

Fourth, this is fairly minor. Apple pays you via wire transfers. So you need to dig up some archaic routing numbers. Seemed to be a fairly common question for the CSR I spoke to at my bank. I imagine this could be a little more difficult to dig up if you use a Credit Union or something.

Once you’ve jumped through all these hoops, you’ll have all the information you need to fill out  the 4 or 5 contract and payment related forms in iTunes Connect. Then you wait. After a week of waiting for Apple to accept my forms, I emailed support. They did not respond, but it was magically up and running the next day.

2. App Approval
Getting an app approved is an entirely nebulous process. Once you upload your app, it just sits there in the “pending review” status until it gets approved. There’s no way to get any sort of updates, there is no indication of where you are in the queue. It’s frustrating.

My app took about 2 weeks to be approved.

3. iTunes Connect
iTunes connect is the web interface that you’re forced to use in order to manage everything related to getting an app into iTunes, getting paid, tracking sales, etc. It is easily one of the worst web apps I have ever used. From the looks of it, Apple just took the  mechanism they had in place to allow bands/labels to manage iTunes music sales and hacked in some hooks to allow app uploads. A lot of the terminalogy used seems to refer to album sales.

The interface is clunky. The site is slow. It doesn’t really work properly on an iPhone. The web-based app upload form doesn’t even really work – they encourage you to use a mac app to upload the application bundles (which works like a charm BTW).

I could live with all of these problems if I actually got decent download and sales statistics. But, you can only look at downloads/sales in a GIANT un-readable 2000px-wide table! (Or CSV – which is moderately useful when imported into a spreadsheet). You can’t compare stats, track trends or do anything really useful with the sales data.  The total sales aren’t even really tallied properly – they’re broken up by country, even though you’re paid by region. You can’t see your month-to-date or year-to-date sales. You have to compile and calculate all of this on your own.

Apple should be ashamed of this piece of junk webapp.

4. Payment?
Apple has hidden a really important tidbit of info in their documenation, something that might have discouraged me from selling my app if I had known ahead of time. Apple only cuts you a check if you have sold (the equivalent of) US$250 PER REGION! Long story short, I am probably never going to get paid for my app. The iTunes sales world is divided into 6 regions: USA and the rest of the world, UK, EU, CA, AU, JP. If you sell $240 in the US and $10 in Canada, you don’t get paid!

I can’t speak to the late payment, non-payment issues the internet has been talking about, I haven’t breached that $250 threshold yet.

I can tell that Apple just released my financial statements for March. Now, it’s really not terribly unusual for companies to release these sorts of finiancial statements 1 month behind, but I’d think a fully automated ONLINE store would be able to generate these reports instantly. In addition to the tardiness, the numbers in the finiancial statements are quite a bit lower than the weekly sales stats that iTunes connect was generating in March.

Conclusion

It sucks.

At the end of the day, Apple is not very friendly to their developers. There’s no oversite, no real point of contact with Apple. If you have a problem, there’s not much you can do about it. My suggestion is, don’t even bother trying to sell your app. Release it for free for the love of the game.

I’ve just released my first iPhone app – iPlayPhone – it’s a toy phone for toddlers. I built it for my 1yr old son who’s always running off with my phone. It’s simplictic but super fun. All the buttons play goofy sounds. The onShake sound totally baffles my son, he’s like “woah, i shake it and is makes sounds…weird.”

Here’s the iTunes link: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewSoftware?id=308425921

Problem: I import my blog posts to facebook as Notes via their import settings. I find that a lot of friends and family comment on those posts, these people don’t typically follow me anywhere else and – I can admit it – I’m a comment whore. I apprieciate the feedback. Unfortunately facebook only allows you to import one RSS feed. 

Solution: Create a Yahoo! pipe that includes all my blog feeds and sorts them by pubDate. Import that Yahoo! Pipes feed into facebook. 

Here is a link to my feed (you’ll need a Yahoo! account to view the source)

When I ran Chrome, I noticed a curious little quirk, Chrome was ignoring OpenDNS’ shortcuts and auto typo correction. I whipped out wireshark and took at what was going on.

By default, every time you enter a character into Chrome’s toolbar it fetches results from google.com/complete/search. Since google knows about every single website, Chrome is able to decide if you’re typing a valid domain without querying DNS. That is, it’s actually redirecting you to a google search results page at the HTTP layer, before your request queries any DNS info.
While it’s not neccessarily a bad way of doing things, it is somewhat annoying. 

Luckily, google actually built a great product!
This feature is totally customizable. 

To turn it off; pull up “options” under the wrench menu, click the “under the hood tab and uncheck “show suggestions for navigation errors.”