Mailbox.app – First Impressions

I got access to mailbox.app last night around midnight and have been using it all day.

My very brief review:

  • The ability to mark emails to “read later” seems clever and works fairly well. It’s smart enough to know that if it’s 1am and you tell it to read an email tomorrow, you actually mean at the beginning of the next day. All “later” email gets placed in a gmail label [mailbox]/later.
  • The short/long swipe interface is cute and works fairly well, but gets tedious with multiple emails. The app needs a better way to perform actions on multiple emails at once.
  • Overall, the UI is great.
  • I noticed that the pending email badge count is actually the number of email threads in your inbox, instead of the number of unread messages. This acts as a great little nudge to inbox zero.

That’s all for now.

Hyper-local Weather Forecasts

The future is here. Today the Weather Network rolled out “PointCast”, a service developed in house (over the past 15 years!) that provides 1-km forecast and weather data.

That’s a screenshot of my weather at home vs the “Winnipeg” weather station (likely) 10km away at The Forks. As you can see, it’s quite different.

From The Globe and Mail:

The technology works by taking information from weather stations across the country and using computers to predict what is likely to happen in between those stations over the next hour. Users can either enter their postal code or use the GPS function on their phones to find out the weather in an astonishing 800,000 zones across the country.

Pretty rad.

Gawker Hacks [update: no Digsby]

If you missed it, Gawker Media’s username/password database was hacked and passwords decrypted! This is very very bad. Lifehacker has a comprehensive post about the compromise.

They only left out one little piece of info: your password may have been exposed even if you’ve never logged in to a Gawker site. Multi-IM client Digsby is owned by Gawker and Digsby username/passwords are also in that database! Seriously, this is bad.

No more blogging after midnight… This was totally incorrect, my apologies. I didn’t read the email very well (or possibly at all). Thanks for the comments from the Digsby team. I incorrectly made the connection based on the password Gawker had on file; it was an old password I was sure I had only ever used for IM clients.

Again, if this is the first you’ve heard of this, here are the important links:

I ♥ Instagram

Instagram is the latest little app to gain popularity with iPhone-nerds everywhere. The app takes all the good parts of online photo sharing and condenses them into a really slick package. They’ve included a good selection of dorky filters that will make almost any subject a lot more interesting than it actually is. Combine this with a really easy to use UI for liking/commenting and you end up with a really great experience. I feel like this is what the Flickr app should have been.

Speaking of Flickr, Instagram doesn’t hoard all your pictures like some apps might. It’s able to simultaneously cross-post to Twitter, Flickr, Facebook, Tumblr and Foursquare. The last two are surprising; I haven’t come across an app that posts to those services before.

It’s great, but I can’t quite put my finger on what specifically excites me about this app so much. I guess it’s just made taking iPhone photos fun again.

In any case, it’s free and I think you should check it out.

Firesheep: A Valid Reason to Fear WiFi or How To Hack Your Wife’s Facebook

Just in time for Halloween, a developer by the name of Eric Butler has released Firesheep – a truly terrifying security tool. It’s so simple to use it makes script kiddies look like rocket surgeons. All you have to do is install the Firefox extension, that’s it. With the extension installed, at the click of a single button you can collect any session cookies floating around the WiFi network you’re connected to and use those cookies to browse any website the victim logs in to. To reiterate, if you’re on a public (or unsecured) WiFi hotspot, anyone else on the network has the ability to view your Facebook account, without any technical knowledge at all.

As you can see in the screenshot, Firesheep gives you a nice list of all user logins you’ve collected, including their profile pictures for your convenience; clicking one logs you in to the social network as that user, giving you full access to everything they have access to.

While this type of attack has always been a vague hypothetical possibility and there have always been tools available to take advantage of this sort of exploit, it has never been this simple. It’s the equivalent of putting a “give me money” button on the side of an ATM. Facebook, Twitter and friends are going to have to take notice.

What Not To Worry About

  • Private WiFi. If you know and trust everyone on the WiFi network you’re connected to at home or at work, you probably shouldn’t worry too much. You’re still just as vulnerable to the attack on a private or encrypted WiFi connection. But without open access to the general public, it’s a lot easier to catch the person messing with your account.
  • Passwords. This exploit works without ever knowing your password. No respectable website stores your password in plain text and even if someone gets into your account, most websites will not allow a user to change the password without entering the current password.

How To Protect Yourself

Firesheep is taking advantage of the fact that your session data is being sent over WiFi in plain unencrypted text. The only effective protection against this is full end-to-end encryption using HTTPS aka SSL. A lot of websites like banks or government services enforce HTTPS connections due to the sensitive nature of the transactions. Most social networks may offer HTTPS if you type it into the address bar (ex. https://facebook.com/ or https://twitter.com/), but since encryption slows down connections somewhat and is a little more taxing on server hardware, no social networks require you to connect with HTTPS. I suspect this will change within the next couple of weeks, if not sooner. In the meantime there are some steps you can take to make your browser use HTTPS.

  • If you use gmail, they provide a handy setting to force gmail to always use a secure connection. Details here. Enable this if you haven’t already. This is not necessary; gmail went 100% SSL earlier this year.
  • For other sites always include the ‘s’ in https when logging on to a website. This should work with any major website. Update your bookmarks now.
  • Right now, I’m serious…
  • ….
  • Unfortunately, updating your bookmarks is not enough. Even when you log in via a secured connection, Facebook and many others do not continue to send your traffic over secured links as you click around the site. Meaning, as soon as you leave that first httpS page, you may begin to expose your session details.
  • If you use Firefox, Techcrunch has an article on configuring Force-TLS, an add-on that forces sites to use HTTPS. Details Here.
  • If you use Chrome or Safari, there are a few Greasemonkey extensions you can install that do similar things. This one covers a lot of sites. Take a look at the directory for more.
  • Do not use Internet Explorer.
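The "HTTPS login, then plain HTTP" exposure described in the list above can be checked from a site's login response headers. The sketch below is an added example, not code from Firesheep or Force-TLS: it models which cookies a browser would send unencrypted on the next request, using the standard `Secure` cookie attribute and the `Strict-Transport-Security` header (the server-side counterpart of what Force-TLS does). The function names and all header values are constructed for illustration.

```python
# Added example. Header values are constructed sample data, not captured traffic.

def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, attrs); attribute names lowercased."""
    first, *rest = [p.strip() for p in value.split(";")]
    name = first.partition("=")[0].strip()
    attrs = {}
    for part in rest:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def hsts_active(value):
    """True if a Strict-Transport-Security value has a max-age greater than zero."""
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key.strip().lower() == "max-age":
            digits = val.strip().strip('"')
            return digits.isdigit() and int(digits) > 0
    return False


def exposed_cookies(login_headers, next_scheme="http"):
    """Cookie names sent in cleartext on the request that follows an HTTPS login."""
    cookies, hsts = [], False
    for name, value in login_headers:
        if name.lower() == "set-cookie":
            cookies.append(parse_set_cookie(value))
        elif name.lower() == "strict-transport-security":
            hsts = hsts_active(value)
    if next_scheme == "https" or hsts:
        return []  # encrypted, or the browser upgrades http:// before sending
    # HttpOnly is ignored on purpose: it hides cookies from scripts, not from the network.
    return [name for name, attrs in cookies if "secure" not in attrs]


# Constructed login responses (all assumed to arrive over HTTPS).
WEAK_LOGIN = [("Set-Cookie", "session_id=abc123; Path=/; HttpOnly"),
              ("Set-Cookie", "lang=en; Path=/")]
SECURE_ONLY = [("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly"),
               ("Set-Cookie", "lang=en; Path=/")]
HARDENED_LOGIN = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                  ("Set-Cookie", "session_id=abc123; Path=/; Secure; HttpOnly")]

if __name__ == "__main__":
    for label, hdrs in [("weak", WEAK_LOGIN), ("secure-only", SECURE_ONLY),
                        ("hardened", HARDENED_LOGIN)]:
        print(label, "-> cleartext cookies on next http:// click:", exposed_cookies(hdrs))
```

A session cookie that shows up in the weak case is exactly what travels in the clear once you click away from the login page; marking it `Secure` keeps it off plain-HTTP requests, and an active HSTS policy keeps the browser from making those requests at all.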

That said…

If you’re wondering who that neighbour with open WiFi has been messaging on Facebook, it’s never been easier to find out. Download the extension (disclaimer: don’t actually do this, it might be illegal).