My window to the world


Again: use your ISP DNS for better performance

By Mauricio Freitas, in , posted: 19-Oct-2012 11:25

Just finished reading a blog post that shows, once again, that people should use their ISP DNS for better performance when it comes to distributed content.

In New Zealand this is even more important because using a local CDN cache gives broadband users a huge advantage instead of fetching resources overseas through a long undersea cable.

There's a dynamic table where you can check the performance loss/gain depending on which CDN you're targeting. Here is one for Australia:

This table shows how much slower a download will be, based on where the CDN is resolved to.

A positive percentage means performance is worse, negative means performance is better. The first one is Google DNS, the second is OpenDNS.

You see now that using those DNS services in Australia (and New Zealand, though unfortunately there's no data in the table for our little country) can make things really bad.

Using your ISP DNS will point you to the local cache. Using other DNS servers will instead point you somewhere else in the world.



Trade Me’s security problem: Wheedle

By Mauricio Freitas, in , posted: 1-Oct-2012 13:13

Just last week we found out someone is bringing big guns to a fight, as Stuff told us Neil Graham was starting an online marketplace business to compete with the one and only Trade Me.

The new web site, called Wheedle, wasn't ready for prime time when it was first mentioned online, and after a few hours of hiccups it was taken offline until its official launch date, 1st October 2012.

In the brief moments the site was up (and down) Geekzone members started reporting some of the bugs around the site (and here as well). The discussion listed simple things such as listings showing completely unrelated images, up to a more disturbing problem: pages showing someone else's user name and information.

It is great to see that the mixed-up identities problem seems to have been fixed since then, but other things have popped up.

Right now I can imagine some Trade Me folks talking around a whiteboard:

  • Tech Guy: We have a problem with Wheedle.
  • Non-Tech Manager: Sure, it's a worthy competitor, backed by someone with deep pockets to go for the long run.
  • Tech Guy: Not that, but... They store their passwords in plain text, instead of encrypting them before storing them in the database.
  • Non-Tech Manager: How do you know this?
  • Tech Guy: I registered there and just clicked "Forgot my password". The email came with my password instead of a link to reset it. It tells me the password is stored in plain text.
  • Non-Tech Manager: So? That's their problem. If someone finds a vulnerability and manages to download database contents from their server it's their breach of privacy, not ours.
  • Tech Guy: Sure. But reports tell us a good number of people reuse the same username and password on more than one site.
  • Non-Tech Manager: Are you saying if someone used their same Trade Me email or username and password to register on Wheedle then a bad guy in [insert country with lots of bad guys here] could try those on Trade Me and in some cases actually gain access to accounts?
  • Tech Guy: Hmmmm, yes.
  • Non-Tech Manager: Holy shit, Batman!

We can use another scenario: there is something for sale on Trade Me, and armed with a third party list of valid email addresses for the buyer a scammer could send out an email pretending to be the seller on Trade Me, saying something like "the item didn't sell, I can offer to you very cheap" and then get the unsuspecting buyer to deposit the payment into someone else's account for laundering.

You might say no one would fall for that. Think again. People fall for simple scams all the time.

I don't know what security they have implemented server-side, but sanitizing input data on the client side only is no way to go through life:

If this is done on the client side only, then anyone with an interest could easily craft a local page to bypass this weak strategy and send something malicious to the server, potentially gaining access to information stored there through SQL injection.
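To show why a browser-side check cannot stand in for server-side protection, here is an added example (not code from Wheedle or from this post) using a constructed SQLite table: the same input that a client-side quote stripper would have cleaned up is sent straight to the server, once to a query built by string formatting and once to a parameterised query. Names, table layout and the sample rows are all assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed marketplace table: two public listings and one draft that must never be returned."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE listings (id INTEGER PRIMARY KEY, title TEXT, seller_email TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO listings (title, seller_email, public) VALUES (?, ?, ?)",
        [
            ("Mountain bike", "seller1@example.invalid", 1),
            ("Old laptop", "seller2@example.invalid", 1),
            ("Draft listing", "seller3@example.invalid", 0),
        ],
    )
    return conn


def client_side_filter(term):
    """What a JavaScript check in the page might do. Anyone posting the request directly skips it."""
    return term.replace("'", "")


def search_unsafe(conn, term):
    """Query assembled from the raw string: the server trusts that the browser cleaned it up."""
    sql = f"SELECT title FROM listings WHERE public = 1 AND title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Parameterised query: the input is bound as data, so it can never change the statement."""
    sql = "SELECT title FROM listings WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def demo():
    conn = make_db()
    raw = "x' OR 1=1 --"  # constructed input that never passed through the browser check
    return {
        "filtered_unsafe": search_unsafe(conn, client_side_filter(raw)),  # looks fine in the browser
        "raw_unsafe": search_unsafe(conn, raw),                            # draft listing leaks
        "raw_safe": search_safe(conn, raw),                                # treated as a literal
    }
```

Only the server-side parameterised query gives the same answer no matter whether the client filter ran.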

The question that popped into my mind was "how long before Trade Me forces people logging into their site to change their passwords?" Simply put, any third party vulnerability can affect Trade Me as an unintended consequence.

What can you do?

  1. If you are planning to register on any other site make sure you use a different email address, user name and password.
  2. If you already registered on any other site then go there now and change your email address and password.

Just do one of those two things and you will be a lot safer.

And for those on Twitter who said we shouldn't be criticising newcomers: I'm happy to support a new online marketplace in New Zealand, but security should be part of the design from day zero. I hope this is something for them to consider, and good luck in the days ahead.

UPDATE: just found out that Wheedle also uses cookies to store the plain text username and password for the duration of a session. While cookies themselves are not a problem, storing this in plain text on anyone's computer could allow spyware to collect the credentials from a user's computer, without even having to break into Wheedle's servers. Screenshot by @CooperNZ:
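The three problems above (passwords stored in plain text, "Forgot my password" mailing the password back, and credentials kept in the session cookie) share one fix, shown here as an added example that is not Wheedle's or this post's code: store only a salted PBKDF2 hash, mail a one-time reset link whose token is itself stored hashed and expires, and hand the browser an opaque random session id. The work factor, the 15-minute expiry and the example.invalid URL are assumptions for the demo.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ROUNDS = 210_000      # assumed work factor; tune to your hardware
RESET_TOKEN_TTL = 15 * 60    # assumed: reset links expire after 15 minutes


def derive(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The database holds this value, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class UserStore:
    def __init__(self):
        self.users = {}     # username -> {"email", "salt", "hash"}
        self.resets = {}    # sha256(token) -> (username, expiry); the token itself is never stored
        self.sessions = {}  # opaque session id -> username

    def register(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt, "hash": derive(password, salt)}

    def verify(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(user["hash"], derive(password, user["salt"]))

    def forgot_password(self, username, now=None):
        """Email body for a 'Forgot my password' click: a one-time link, never the password."""
        now = time.time() if now is None else now
        if username not in self.users:
            return "If that account exists, a reset link has been sent."  # same reply either way
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.resets[key] = (username, now + RESET_TOKEN_TTL)
        return f"Reset your password: https://example.invalid/reset?token={token}"

    def reset_password(self, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.resets.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
        if entry is None:
            return False
        username, expiry = entry
        if now > expiry:
            return False
        self.register(username, self.users[username]["email"], new_password)
        # A password change ends every session that was opened with the old credential.
        self.sessions = {sid: u for sid, u in self.sessions.items() if u != username}
        return True

    def login(self, username, password):
        """Value for the session cookie: a random id, with no username or password in it."""
        if not self.verify(username, password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid
```

The session id is all the browser should ever hold (with HttpOnly and Secure set on the cookie); a stolen copy can be revoked server-side, which a stolen password cannot.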



Can we trust app reviews?

By Mauricio Freitas, in , posted: 1-Oct-2012 09:57

Scratch the whole thing. As pointed out below, a change in policy means that now all reviews always show the reviewer's first name, instead of the tag name.

Apologies for raising a red flag where none is needed. I will keep the post below as evidence that I can err as well.

Looking around the New Zealand Windows Phone Marketplace we see very few apps with lots of reviews. Those with many reviews are mainly the big names in games, plus the very good New Zealand made ones. That's why I was curious when I saw the new ASB app for Windows Phone had 39 reviews and a five star rating - every single review was a five-star review.

Then I looked at the names of people reviewing the ASB app: (in the order I see in the Marketplace): Regan, Andrew, Joanne, Simon, Matthew, Ben, Bobby, Royce, Keith, Annabel, Stephen, Darren, User, Jack, Geoff, Peter, Tim, Leighton, Jeff, Bruce, Alastair, Craig, Andy, Angela, Jonathan, Eby, Danil, Karan, Vinesh, Danny, Brian.

Nothing strange there. But let's look at other app reviews.

  • On Sale New Zealand: keithpatton, attaelayyanm, mohitsb, ryancrawcour, jamesfwarren, vmcoll, MulberryQuasar, Fallaenae, darylooh.
  • NZ Radio: User, Shane, Keith, MackinNZ, xStally, iczephyr, UrbanKiwi, SomeBluehippo, GotItWrong, Gavin, mohibtsb, RootedEvergreen, snakes1704, Player531062019.
  • Supermarket Finder: Bruno, seanjackson24.
  • DayOut: tomisbetterthnu, tianhai.
  • NZ Cell Sites: John, Player371984687, Evil Red Diablo.
  • God Defend New Zealand: davidgladstone.
  • NZ Weather: Gortdon, User, Klem0n, dhrot.
  • Weather NZ: Kevin, Keith, SomeBluehippo, suprrudey, Phivii, Mudz12, Evil Red Diablo, tomisbetterthnu, Shiny Empire, wim mertens, Obfukaster, guvnor255.
  • The Official All Blacks Application: User, Klem0n, Player584951968, SatanicAntz, JeffBridges21, iczephyr, stewartisland, sumerman1, CosGirds, AdvisoryCloud, MisterOlly, bigdogphone, scozzard, PeskyBeaver, sista001, Phile Whitehead, Keithpatton, Crispo66, matteusvelloso, nzigel.
  • Fruit Ninja: Nick, Steve, Damien, NZ Infection, ArkhamZBest, CurbsideCupatea, RevivalV3, tomisbetterthnu, Pb Elements, FancyAardvark1, normanstrange, CoolestKiwi, Chaks Corner, BrainOffline, PeanutG85, APEKTRON, minalg, M Doms, coaxke88, AtomicSharky, TropicalRajput, The Mega Me.

Ok, I will stop here. Can you see a pattern?



What will be Windows Phone 8 update strategy?

By Mauricio Freitas, in , posted: 15-Sep-2012 09:30

Now that we know Windows Phone 8 and Windows 8 share some of their code, I wonder. Will we finally see an update policy for Microsoft's mobile platform that reflects the one we are used to in our PCs?

For years Microsoft has released operating system updates every second Tuesday of the month (second Wednesday New Zealand time). Only in cases of a real threat, such as a zero-day exploit, has Microsoft released an "out of band" update. This policy has been going on for years and still most people I talk to and remind "tomorrow is Windows Update day" say they never knew it.

On top of those monthly updates Microsoft releases hotfixes, which are patches that fix small problems in specific areas. For example there's a patch that fixes a problem when plugging a USB hub into a specific type of computer with specific drivers, and so on. These only need to be applied if you are experiencing that very specific problem.

Every few months or years Microsoft releases a Service Pack for its operating systems, which contains all the previous updates and hotfixes all in one. It's Microsoft's policy not to release new features in Service Packs.

Then there are other software updates targeting applications such as Messenger, Movie Maker, Skype, Security Essentials and others, which are not an essential part of the operating system but are offered by the company.

I wonder if Windows Phone 8 will follow the flawed model implemented with Windows Phone 7, or the more advanced and logical model the company has adopted for its PC operating systems and applications until now?

Perhaps Microsoft should separate the applets built into Windows Phone 8, consider those as applications instead of core, and release them independently of the operating system.

For example, a new feature in its mobile email client could be delivered to users around the world much faster than before. Instead of the whole Windows Phone 7 process (sending an entire operating system image to OEMs, waiting for them to customise the image for each device, waiting for those images to be sent to each mobile operator around the world for approval, and then the slow staggered delivery), Microsoft should consider making these app updates independent of that chain and delivering them directly to end users.

This would speed up adoption of new features, use the existing Windows Update infrastructure, and take slow OEMs and mobile operators who are not actively supporting the ecosystem out of the picture as far as users are concerned. The approval chain would only ever apply to core operating system functions.

This is completely different from the strategy used by other smartphone platforms too, and could be a differentiating point.

Somehow I think Microsoft would never do that though.



A few quiet yarns

By Mauricio Freitas, in , posted: 11-Sep-2012 11:13

For months Ryan Ashton (LinkedIn login required) has invited me to attend "A few quiet yarns" in Auckland. For months I politely declined seeing I am based in Wellington. Then I was attending the Microsoft TechEd 2012 and the September event was happening just that week, so I went along with Paul Spain.

Ryan describes the event as

"A few quiet yarns" is a distinctly Kiwi styled event where the emphasis is on meeting people in a social sense to find out who they are and what their story is, forming a relationship that sets the scene for business engagement or introduction to a relevant contact of your own.

Everyone gets introduced to everyone by Ryan Ashton, event organiser; the recent maximum test was 135 attendees - this makes it a very personal event where the barriers to engagement are reduced.

No "hard selling" is allowed and typically, "no fees, no speeches, no sponsors" is the catch phrase, however, sometimes there might be short guest speakers or debates under the name "Town Hall Session" - an extension of the distinctly kiwi style where important matters were discussed by everyone who attends.

I first met Ryan while he was working at ICONZ (he is now working for Fronde) and had no idea how capable he is of connecting people. Seriously, at the start of the evening he took the stage and recited everyone's name and occupation before telling people to go on and introduce themselves to each other. Incredible memory skills there!

Join the group here to get invites to the next evenings: http://www.linkedin.com/groups/Few-Quiet-Yarns-4037178/about



Legal video, movie and TV downloads and streaming options in New Zealand

By Mauricio Freitas, in , posted: 30-Jul-2012 12:39

Last updated 30 OCTOBER 2014

In another post I started a list of legal music downloads in New Zealand, and thanks to so many suggestions from folks in the comments and Twitter I decided to compile a similar list for movies and TV episodes.

I don't see as many options for downloading or streaming movies and TV series as we can find for music, but here are the ones available in New Zealand now:

Like I said in the previous post, just because you pay for downloading something doesn't make it legal - it could be that someone is just getting your money while not having the legal rights to distribute the movie. The list above is only of legal video, movie and TV services available for New Zealand users.

Also, movie and TV services in New Zealand have long delays when releasing new content, unlike the music services. This is probably one of the reasons why so many people buy music but pirate videos. We just wish the industry would catch up with the times.

If you know of any other options, post in the comments...



Legal music downloads and streaming options in New Zealand

By Mauricio Freitas, in , posted: 30-Jul-2012 08:46

Once again I see someone starting a discussion on Geekzone asking if downloading music from some file sharing site is legal under the Copyright (Infringing File Sharing) Amendment Act 2011...

Their reasoning is that the technology currently used for tracking file downloads is heavily biased against peer-to-peer (P2P) distribution, so in their eyes if it's not P2P then it would be legal, right?

Wrong. Breaking copyright is still illegal, regardless of which technology is used. Paying a Russian site for music does not make it legal - you are probably giving your money (and credit card details) to someone who doesn't hold the rights to distribute content.

We keep asking for new forms of digital content distribution, and while movies and TV series are still behind the times, there are some good music options in New Zealand, including downloads to own, streaming, free, paid, reward points, or a combination.

Pick your choice from this list of music services available in New Zealand, and be legal:
If you know of any other options, post in the comments...

UPDATE: I have posted a list of legal movie and TV downloads and streaming in New Zealand as well.



How advertising delivery can be bad for your web site, your readers and advertisers

By Mauricio Freitas, in , posted: 19-Jul-2012 20:11

Another advertising order for Geekzone, another reason to be happy. But I'm actually sad - sad for my readers and advertisers.

You probably know by now I try to get maximum performance out of the servers we use. I also work hard, using different software, services and techniques to get the site as fast as possible.

Many people use ad blockers for different reasons. Some say they find the ads slow down their PCs, others say ads may be a vector for malware. Some say ads slow down web page load times.

To solve this last problem we use different approaches: we use Google DFP for ad delivery (and gain speed thanks to their worldwide network of caches), use asynchronous JavaScript loading, and enable single request mode for ad delivery.

Assuming we are hosting the creatives (ads) with Google DFP, a single call is all that is needed to get the image and the parameters to show it on the page.

If the advertiser is using DoubleClick (a Google company agencies use to manage a campaign workflow), Google is smart enough to get the ads out exactly like it would do with hosted creatives - that is, in a single call.

Between advertisers and publishers there is almost always an agency that represents the publisher, trying to sell available inventory. These agencies get paid a commission on each sale they manage to complete. They also like to know how many impressions and clicks campaigns are getting. As a publisher using Google DFP I can easily give agencies access to real-time reports for their campaigns. But I haven't seen any agency that takes advantage of this feature.

Instead, these agencies load the tags supplied by the advertisers into their own systems. In turn they give the publishers their own tags. And we obviously need to load our own scripts to manage the delivery.

So instead of having one script that loads an ad with a single call (the Google DFP and Google DoubleClick integration), we have a script that loads the agency script, which in turn loads the advertiser script, which in turn loads the ads.

This adds an incredible latency to the whole ad delivery system. Usually these ad agencies don't have servers close to end users. They don't use CDNs. Things get slow. And when things get slow, users navigate away. And when users navigate away, they don't see the ads.

For all purposes Google DFP delivered the code and counted one impression. But by the time the browser has loaded the second script and is waiting to load the third script, the user might have closed the window or clicked a link to go away. So the agency doesn't count the impression. Then they complain there's a difference between my counter and their counter.

Another important thing: Google DFP is smart enough to deliver more impressions of those ads that perform better. In other words, if the advertiser supplies more than one ad then Google DFP will make sure it shows more of the ads getting a higher number of clicks. If we run an agency tag we lose that control and can't count the clicks, meaning all ads are delivered in a balanced manner. This means the optimization that could benefit the advertiser and attract more clicks is lost.

In the end advertisers lose the opportunity to get more clicks, our readers see pages slowing down, and agencies act as a middleman trying to do more than they should, getting technical where they don't have the capability and don't actually add any value.

This is not a rant at one specific agency. Most agencies work like this. They just don't understand that a fast web means more business for everyone.



Broadband in New Zealand according to OECD: a six month update

By Mauricio Freitas, in , posted: 19-Jul-2012 10:30

About six months ago I posted some New Zealand broadband statistics collected from the OECD Broadband portal. These numbers have now been updated by the OECD, and here are the latest numbers after six months:

1. Fixed broadband subscriptions per 100 inhabitants

December 2011: #17 (26%, 1,138,830 connections)
June 2012: #17 (26.9%, 1,174,790 connections)

No change in position, and only a small increase in connections.

2. Wireless broadband subscriptions per 100 inhabitants

December 2011: #14 (54%, 2,380,709 connections)
June 2012: #9 (67.5%, 2,946,260 connections)

What an incredible jump for wireless broadband. This includes 53.7% mobile broadband as part of a mobile plan and 12.9% dedicated mobile data subscriptions. The other connections are satellite and terrestrial fixed wireless.



Windows Phone updates: no better than the old Windows Mobile updates

By Mauricio Freitas, in , posted: 17-Jul-2012 14:53

This was supposed to be a long blog post. I have deleted everything and will leave just this: the Windows Phone 7 update experience is terrible. I wish they would at least once actually copy something from another company.


