These are the down and dirty facts about iPhone 3.0

1. Broken keyboard.

Here’s a screenshot of viJournal M. As you can see, the numeric keypad is supposed to pop up. The spacebar, shift/caps and the delete keys are hidden, but functional. The number and symbol key (.?123) however, does not work. The app will still accept your input, but you’ll get a passcode mismatch because…

the confirmation screen now shows the correct keypad. Since it will fail all the time, you need to enter your passcode again.

This time, it is fixed.

2. Login fails

I’m sure as hell I typed the correct password here. iPlurk works so it’s not a Plurk API issue.

3. Cert is invalid, therefore I won’t do https

The default SSL certificate of the iCal server in OS X Leopard server has “Default” as its CN (Common Name). Of course, you’ll get a domain mismatch there. Now, iPhone won’t connect to servers via CalDAV if your SSL certificate is invalid, which is not exactly a bad thing because the only acceptable SSL cert is the one that came from a CA (Certificate Authority)[1]. I’m not sure if self-signed certs will also cause this error message.

I’m not sure if you can change the default SSL cert of iCal in Leopard Server to make this work, or you need to RP (Reverse Proxy) it. It is http anyway.

4. YouTube#!@#$%^&*

Scott Forstall mentioned that you can now use your account in the YouTube iPhone app. You could probably subscribe to channels, make comments, etc. All of these would’ve been very nice IFF YOU CAN CONNECT TO YOUTUBE!!!!!!!!!

5. Bandwidth saving

Just kidding :) Imagine Facebook without the pictures. Might as well call the social network “book” then.

6. More UI bugs

My most expensive app has bad UI. FML

Despite the shortcomings of 3.0, there’s this one feature that I really liked.

Very very accurate. Note that I’m using only the 2G iPhone so I don’t have GPS. Also, that blue dot looks a lot better than the one before where that crosshair-like thing shows the vicinity where you are.

Despite the number of new features in 3.0, I’m still having some regret in upgrading. It kinda reminds me of the time when Leopard first came out. Apps need to be “Leopard-compatible”. Maybe it’s the 3rd party apps’ fault. That YouTube bug is unacceptable. Problem is, since 3.0 is not official, they will probably release their updates once 3.0 is out. More info on 3.0’s shit can be found here and here.

[1]This is just a personal opinion. Let’s not go into a self-signed versus CA cert war here :)

That’s right, folks. After the grueling 72hr dovecot-to-gmail (Google Apps) migration ~1.5 years ago, it’s that time of the decade where we are going to do it in reverse!

In fairness to Google, their migration API back then was weak (or non-existent?). Mails have to be sent one by one via SMTP. Lucky for us, Gmail-to-IMAP isn’t that painful, thanks to imapsync.

imapsync is a tool for facilitating incremental recursive IMAP transfers from one mailbox to another. It is useful for mailbox migration, and reduces the amount of data transferred by only copying messages that are not present on both servers. Read, unread, and deleted flags are preserved, and the process can be stopped and resumed. The original messages can optionally be deleted after a successful transfer.

Usage is very simple:

./imapsync --host1 imap.gmail.com --port1 993 --user1 user@gmail.com --passfile1 /home/user/passwordfile --ssl1 \
  --host2 mail.domain.com --port2 993 --user2 user --passfile2 /home/user/passwordfile --ssl2

It’s safer to use --passfile than --password so that your password does not show in ‘ps’, in case there are other users in the server. imapsync is written in Perl and requires additional modules:

Mail::IMAPClient
IO::Socket
IO::Socket::SSL
Digest::MD5
Digest::HMAC_MD5
Term::ReadKey
Date::Manip

Your IMAP folders may not appear on your mail client. You may have to manually subscribe to your folders.

While looking for a way to name instances and update the /etc/hosts file, I came across Tim Dysinger’s blog entry.  It’s a ruby script that parses AWS metadata to get the internal IP address of the running instances in your AWS account and its respective keypair – perfect for /etc/hosts entries.  Obviously, the caveat here is that you need to generate 1 unique ssh private key for every instance you are running because key == internal dns name.  You’ll be managing a lot of ssh keys in the end.

This is perfect for situations where your instances interact with each other (load balancers in front of app servers with database servers at the back?).  It’s very handy calling your instances lb0, app23  or db3 instead of something like ec2-xxx-xxx-xxx-xxx.compute-1.amazonaws.com.  Automatic, too.  If you’re running the script as a cron job, your /etc/hosts file gets updated if you run new instances.

#!/usr/bin/env ruby
# Prints one /etc/hosts line per running EC2 instance, named after its keypair.
%w(optparse rubygems EC2 resolv pp).each { |l| require l }
options = {}
parser = OptionParser.new do |p|
  p.banner = "Usage: hosts [options]"
  p.on("-a", "--access-key USER", "The user's AWS access key ID.") do |aki|
    options[:access_key_id] = aki
  end
  p.on("-s",
       "--secret-key PASSWORD",
       "The user's AWS secret access key.") do |sak|
    options[:secret_access_key] = sak
  end
  p.on_tail("-h", "--help", "Show this message") {
    puts(p)
    exit
  }
  p.parse!(ARGV) rescue puts(p)
end
if options.key?(:access_key_id) and options.key?(:secret_access_key)
  puts "127.0.0.1 localhost"
  # Walk every reservation and every instance inside it
  EC2::Base.new(options).describe_instances.reservationSet.item.each do |r|
    r.instancesSet.item.each do |i|
      if i.instanceState.name =~ /running/
        # Resolve the private DNS name to the internal IP; the keypair name is the host name
        puts(Resolv::DNS.new.getaddress(i.privateDnsName).to_s +
             " #{i.keyName}.ec2 #{i.keyName}")
      end
    end
  end
else
  # Missing credentials: print usage and exit non-zero
  puts(parser)
  exit(1)
end

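Just pass on your AWS access key and secret key as parameters, pipe it to /etc/hosts and you’re good to go. Keep in mind that a secret key passed as a parameter shows in ‘ps’, in case there are other users in the server.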
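The output above goes straight into /etc/hosts, so a run that fails and prints its usage text, or a key name that is not a valid host name, ends up in the file. The following is an added example, not part of Tim Dysinger's script or the original post: it validates the generated lines and swaps them into a marked block with an atomic rename. The marker strings, function names and sample data are this example's own.

```ruby
require "ipaddr"

# Marker strings and function names are this example's own choices.
BEGIN_MARK = "# BEGIN ec2-hosts (managed block)"
END_MARK   = "# END ec2-hosts"
LABEL      = /\A[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i   # one DNS label

# Keep only "ip name.ec2 name" lines with a literal IPv4 address and a key
# name that is a valid hostname label; everything else is dropped.
def valid_entries(generated)
  generated.each_line.map(&:split).select do |fields|
    ip, fqdn, short = fields
    next false unless fields.size == 3 && short.match?(LABEL) && fqdn == "#{short}.ec2"
    begin
      IPAddr.new(ip).ipv4? && IPAddr.new(ip).to_s == ip
    rescue ArgumentError
      false
    end
  end
end

# Replace the managed block inside the current hosts text, or append it.
def merge_hosts(current, entries)
  block = [BEGIN_MARK, *entries.map { |f| f.join(" ") }, END_MARK].join("\n")
  managed = /^#{Regexp.escape(BEGIN_MARK)}\n.*?^#{Regexp.escape(END_MARK)}$/m
  return current.sub(managed) { block } if current.match?(managed)
  "#{current.chomp}\n#{block}\n"
end

# Write a temp file next to the target, then rename over it, so readers never
# see a half-written file. Returns false (and writes nothing) when the run
# produced no valid entries, e.g. the script printed its usage instead.
def update_hosts(path, generated)
  entries = valid_entries(generated)
  return false if entries.empty?
  tmp = "#{path}.tmp.#{Process.pid}"
  File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, 0o644) do |f|
    f.write(merge_hosts(File.read(path), entries))
    f.fsync
  end
  File.rename(tmp, path)
  true
end

# Constructed sample output of the script above (addresses and names made up).
SAMPLE_OUTPUT = <<~OUT
  127.0.0.1 localhost
  10.251.42.7 lb0.ec2 lb0
  10.251.43.9 app23.ec2 app23
  10.251.44.1 bad name.ec2 bad name
  not-an-ip db3.ec2 db3
OUT

puts merge_hosts("127.0.0.1 localhost\n", valid_entries(SAMPLE_OUTPUT))
```

The existing localhost line stays outside the managed block, so the script's own `127.0.0.1 localhost` line is simply dropped by the validation.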

I hate FTP*.  Srsly.

It’s insecure. Passwords are transmitted in plain text. A handful of remote root sploits have emerged in the past and most of them target the daemon from Washington University.

It’s a pain in the ass to work with a packet filter, whether you’re connecting to an FTP server behind a firewall or you’re the one behind a firewall.

FTP is a protocol that dates back to when the Internet was a small, friendly collection of computers and everyone knew everyone else. At that time the need for filtering or tight security wasn’t necessary. FTP wasn’t designed for filtering, for passing through firewalls, or for working with NAT.

There are alternatives like FTPS (ftp+ssl) and webdav (although with webdav, you can’t use user quotas). Personally, I prefer scp/sftp as replacement for ftp. The whole session is encrypted. It’s immune to bruteforce through public key authentication. You don’t have to memorize passwords. It’s secure as long as nobody gets your private key or nobody discovers a remote buffer overflow for OpenSSH. Using scp/sftp as an alternative to ftp would mean you have to create system accounts for your users. Of course, any sane sysadmin wouldn’t want lusers to have shell access to your servers. You don’t want their processes running amuck in your system, wasting valuable cpu cycles. Changing their login shell to /sbin/nologin won’t work. Apparently, services that tunnel through ssh (rsync, cvs, etc) require that users have an interactive login shell. How do you do this? I came across rssh.

rssh is a restricted shell for use with OpenSSH, allowing only scp and/or sftp. It now also includes support for rdist, rsync, and cvs. For example, if you have a server which you only want to allow users to copy files off of via scp, without providing shell access, you can use rssh to do that.

Installation is simple. Just change the users’ login shell to the rssh binary and create a config file called /etc/rssh.conf where you define which subsystems are allowed. Supported subsystems and daemons are scp, sftp, rsync, rdist and cvs. The following directives are allowed:

allowscp
Tells the shell that scp is allowed.

allowsftp
Tells the shell that sftp is allowed.

allowcvs
Tells the shell that cvs is allowed.

allowrdist
Tells the shell that rdist is allowed.

allowrsync
Tells the shell that rsync is allowed.

umask
Sets the umask value for file creations in the scp/sftp session. This is normally set at login time by the user’s shell. In order not to use the system default, rssh must set the umask.

logfacility
Allows the system administrator to control what syslog facility rssh logs to. The facilities are the same as those used by syslogd.conf(5), or the C macros for the facilities can be used instead. For example: logfacility=user and logfacility=LOG_USER are equivalent, and tell rssh to use the user facility for logging to syslog.

chrootpath
Causes rssh (actually a helper program) to call the chroot() system call, changing the root of the file system to whatever directory is specified. For example: chrootpath=/usr/chroot will change the root of the virtual file system to /usr/chroot, preventing the user from being able to access anything below /usr/chroot in the file system, and making /usr/chroot appear to be the root directory. Care must be taken to set up a proper chroot jail; see the file CHROOT in the rssh source distribution for hints about how to do this. See also the chroot(2) man page. If the user’s home directory (as specified in /etc/passwd) is underneath the path specified by this keyword, then the user will be chdir’d into their home directory. If it is not, then they will be chdir’d to the root of the chroot jail.

user
The user keyword allows for the configuration of options on a per-user basis. THIS KEYWORD OVERRIDES ALL OTHER KEYWORDS FOR THE SPECIFIED USER. That is, if you use a user keyword for user foo, then foo will use only the settings in that user line, and not any of the settings set with the keywords above. The user keyword’s argument consists of a group of fields separated by a colon (‘:’), as shown below. The fields are, in order:

username
The username of the user for whom the entry provides options

umask
The umask for this user, in octal, just as it would be specified to the shell

access bits
Five binary digits, which indicate whether the user is allowed to use rsync, rdist, cvs, sftp, and scp, in that order. One means the command is allowed, zero means it is not.

path
The path to which this user should be chrooted

Example:
user=pow:011:10000: # umask=011, rsync only, with no chroot
user=pow:022:00110:"/usr/local/my chroot" # umask=022, cvs and sftp allowed, with chroot

Note that spaces before or after the = sign are allowed, but chrootpaths with spaces require single or double quotes.
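Because a user line replaces every global keyword for that account, it is easy to lose a global chrootpath without noticing. The following is an added example, not from the rssh distribution or the original post: it resolves the effective settings for one account from rssh.conf text, using the five access bits and the user line layout described above. The sample config, the account names cvsdev and alice, and the function names are constructed for the example.

```ruby
ACCESS_ORDER = %w[rsync rdist cvs sftp scp].freeze   # order of the five access bits

# Path value: quoted (may contain spaces) or bare up to whitespace or a comment.
def clean_path(text)
  case text.to_s.strip
  when /\A(["'])(.*?)\1/ then $2
  when /\A([^\s#]+)/     then $1
  end
end

# Parse the value of one user= line, in the layout shown in the post.
def parse_user_value(value)
  m = /\A([^:\s]+):([0-7]{3,4}):([01]{5}):(.*)\z/.match(value.to_s)
  return nil unless m
  allowed = ACCESS_ORDER.zip(m[3].chars).select { |_, bit| bit == "1" }.map(&:first)
  { user: m[1], umask: m[2].to_i(8), allowed: allowed, chroot: clean_path(m[4]) }
end

# Effective settings for one account: a matching user= line replaces every
# global keyword, including chrootpath; otherwise the globals apply.
def effective_policy(conf, username)
  global = { user: username, umask: nil, allowed: [], chroot: nil }
  override = nil
  conf.each_line do |raw|
    key, value = raw.strip.split(/\s*=\s*/, 2)
    case key.to_s[/\A\w+/]
    when /\Aallow(scp|sftp|cvs|rdist|rsync)\z/ then global[:allowed] << $1
    when "umask"      then global[:umask] = value.to_s.to_i(8)
    when "chrootpath" then global[:chroot] = clean_path(value)
    when "user"
      entry = parse_user_value(value)
      override = entry if entry && entry[:user] == username
    end
  end
  override || global
end

# Points worth a second look before handing the account out.
def findings(policy)
  notes = []
  notes << "not chrooted" if policy[:chroot].nil?
  if policy[:umask] && (policy[:umask] & 0o002).zero?
    notes << format("umask %03o leaves new files world-writable", policy[:umask])
  end
  notes << "no transfer command allowed" if policy[:allowed].empty?
  notes
end

# Constructed rssh.conf for this example.
SAMPLE_CONF = <<~CONF
  # global defaults
  allowscp
  allowsftp
  umask = 022
  chrootpath = /usr/chroot
  user=pow:011:10000:                               # rsync only, no chroot
  user=cvsdev:022:00110:"/usr/local/my chroot"      # cvs and sftp, chrooted
CONF

%w[pow cvsdev alice].each do |name|
  policy = effective_policy(SAMPLE_CONF, name)
  puts "#{name}: #{policy[:allowed].join(',')} chroot=#{policy[:chroot].inspect} #{findings(policy)}"
end
```

Here pow gets no chroot even though chrootpath is set globally, while alice, who has no user line, inherits the global settings.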

Problem solved!

*: I’m referring to using ftp with authentication. For me, either run ftpd in anonymous only mode to serve files publicly or dont run it at all. Why can’t it die like telnet? Let’s leave telnet and tftpd to routers and switches and use ssh/sftp/scp to our servers.

This is how I did it. Let’s assume that the two Asterisk boxes are located in Manila and Cebu. Might be useful to our company’s future sysadmins.

On the Manila side (192.168.1.1)

1. Download, burn, and install trixbox

2. Secure the box
o Disable unnecessary daemons
o Disable root login
o Enforce PKI
o Change default passwords for admin and maint

3. Setup 2 interfaces. 1 for private and the other for public. Setup static routes for VPN, if any.

4. Login to web UI using maint.

5. Go to PBX -> PBX Settings and click on Trunks on the left side

6. Click on Add IAX2 Trunk

Outbound Caller ID: hidden

Dial Rules: 032+NXXXXXX

Trunk Name: To-Cebu (you can call it whatever you want, but for this example, let’s call it To-Cebu)

PEER Details:

deny=all
allow=g729&ulaw&alaw
type=friend
host=192.168.2.2 (public IPs also work, but better do it over VPN)
qualify=yes
context=from-internal
secret=putyoursupersecretpasswordhereok?

7. Click the Submit changes button at the bottom

8. Click the Apply Configuration Changes at the top

9. Click Continue with reload

10. Next, click on Outbound routes on the left.

Route Name: To-Cebu

Dial Pattern:

43XX (considering that the extension range for the Cebu Asterisk is 4300-4399)
0|32. (because Cebu’s area code is 32)

Trunk Sequence: IAX2/To-Cebu

11. Submit changes and Apply Configuration Changes

On the Cebu side (192.168.2.2)

1. Repeat steps 1-5

2. Click on Add IAX2 Trunk

Outbound Caller ID: hidden

Dial Rules: 02+NXXXXXX

Trunk Name: To-Manila (you can call it whatever you want, but for this example, let’s call it To-Manila)

PEER Details:

deny=all
allow=g729&ulaw&alaw
type=friend
host=192.168.1.1 (public IPs also work, but better do it over VPN)
qualify=yes
context=from-internal
secret=putyoursupersecretpasswordhereok?

3. Click the Submit changes button at the bottom

4. Click the Apply Configuration Changes at the top

5. Click Continue with reload

6. Next, click on Outbound routes on the left.

Route Name: To-Manila

Dial Pattern:

41XX (considering that the extension range for the Manila Asterisk is 4100-4199)
0|2. (because Manila’s area code is 2)

Trunk Sequence: IAX2/To-Manila

7. Submit changes and Apply Configuration Changes

On Both Asterisk

1. Create the extensions on both servers.

2. Setup DNS. The hostname must have internal and external records, for convenience’s sake.

You’re all set, for now. You can now call softphone users in both offices.

More to follow.
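To check which dialed numbers each box will actually send over the trunk, the outbound route patterns above can be evaluated offline. This is an added example, not part of the original post or of trixbox: it assumes the FreePBX dial pattern characters X (0-9), Z (1-9), N (2-9), "." (one or more characters) and "|" (prefix to strip), and leaves bracket sets out. The dialed numbers are made up.

```ruby
# Pattern characters of the Dial Pattern field (bracket sets not handled here).
PATTERN_CLASSES = { "X" => "[0-9]", "Z" => "[1-9]", "N" => "[2-9]", "." => ".+" }.freeze

def pattern_regex(part)
  part.chars.map { |c| PATTERN_CLASSES.fetch(c) { Regexp.escape(c) } }.join
end

# Returns the number handed to the trunk (prefix before "|" stripped), or nil
# when the dialed number does not match the pattern.
def route_match(pattern, dialed)
  prefix, body = pattern.include?("|") ? pattern.split("|", 2) : ["", pattern]
  m = /\A#{pattern_regex(prefix)}(#{pattern_regex(body)})\z/.match(dialed)
  m && m[1]
end

# Outbound routes exactly as entered on each box in the steps above.
ROUTES = {
  "manila" => { "To-Cebu"   => ["43XX", "0|32."] },
  "cebu"   => { "To-Manila" => ["41XX", "0|2."] }
}.freeze

# [route name, number sent] for the first matching route on a box, else nil
# (nil means the call stays local to that box).
def outbound(box, dialed)
  ROUTES.fetch(box).each do |route, patterns|
    patterns.each do |pattern|
      sent = route_match(pattern, dialed)
      return [route, sent] if sent
    end
  end
  nil
end

# Constructed test numbers.
%w[4321 4100 43211 0322345678 029876543].each do |number|
  puts "manila #{number} -> #{outbound('manila', number).inspect}"
  puts "cebu   #{number} -> #{outbound('cebu', number).inspect}"
end
```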

I’ve been using Fring before during the 1.x firmware days. It was the first IM client to support Yahoo! Messenger. The functionality is okay but the interface could use a little makeover.

Fast forward several months. Fring is back, but on the Apple AppStore this time. When it comes to functionality and eye-candy, Beejive wins over Fring by a lightyear. Excluding the price factor, any normal user would ditch Fring for Beejive.

Fring has an edge over all IM clients.  It supports SIP, including your very own Asterisk.  With Truphone, well, you’re just confined to their service.  It’s no X-Lite but it provides the basic features of a soft phone.

The different SIP providers above are merely templates.  There are only 3 important fields when configuring a subscription: User ID (extension number), Password and Proxy server.  Select Other at the bottom to register to your Asterisk box.

What I like best about Fring is that you can also receive calls, with caller ID.  There’s a nice SIP client before (siphone was the name, I think) but it only allows outgoing calls.

Fring also supports call history and access to your address book.

Now, can you say “unlimited calls” ? :)

Yammer is a micro-blogging tool launched at TechCrunch50 in September 2008.  What makes Yammer different from other microblogs like Twitter or Plurk is that Yammer is designed for the enterprise.  “What are you working on” versus “What are you doing”.  Of course, this isn’t really followed by the letter.  It is inevitable that microblogging tools are transformed into some form of chat. When you sign up to Yammer, you will see (and optionally follow) people signed up using the same email domain as yours.  There is also no 140 character limit on Yammer.

I dont think they have released their API yet, but the only clients I’ve seen are the official ones: desktop, iPhone and Blackberry.

Updates and notifications are also available via IM, email and SMS (supported by a few carriers only). The Yammer website also has an AJAXified timeline, which was recently applied by Twitter also.

This is the Home screen of the official Yammer client for the iPhone.  The iPhone client is nice.  It works the way it’s supposed to. It’s stable, responsive and it simply works.

You can see all the members of your domain under the Directory screen. The application has a knack of hiding stuff. Tap on “fetch more” to… fetch more. It results in faster loading time and lower memory usage.

Feeds can be filtered in different ways.  ALL is like the public timeline, but you are confined to those who signed up with the same email domain as yours.  FOLLOWING is like your friends timeline in Twitter.

The Settings screen manages your Yammer account. My main gripe here is handling multiple accounts. Obviously, this problem doesn’t apply to everybody. Compared to other microblogs, you only need one account and you can follow every person on the entire world. In Yammer, you can only follow someone in the same domain. Let’s say you follow your colleagues on Yammer but you also want to follow your friends in your non-profit organization, and then your charity institution, and then your fraternity and so on and so forth. Hopefully Yammer will find a way, or maybe Yammer just isn’t designed for that.

Yammer is free, but admin privileges cost $1 per month per member of your network. Since Yammer is designed for the enterprise, it has some security features not available on other microblogging tools. You can specify a subnet that is allowed to login via web or application. You can also set the minimum length and complexity of users’ passwords. You can add a custom logo. Lastly, you can also remove a member from a network or delete a post.


I don’t like Neurox Leopard anymore. I’ve been using it since 1.1.1 IIRC. The themes that I like have truncated icons, so I made my own theme. I’m not sure, but I think the Springboard truncates the icons after 60 pixels. Most themes have icons with >60px in width or height. They have to be resized to 60×60px.

Thanks to those who submitted their themes in Cydia, I now have my very first “frankensteined” Summer/Winterboard theme!  I’m not going to distribute this theme, so there’s no need to give credit to the individual makers of the icons.

The iTunes icon is mine (sort of). First, I tried to look for iTunes icons in Google Images.  I found a few and I opened one in Gimp.  It turns out it’s not transparent yet.  I’m not a graphics artist so I know shit about transparency.  After some googling, I found out that I need to add an “alpha” layer, aside from the usual RGB layer.  Using the magic lasso thing, I cleared the background, scaled it to 60×60, saved it as .png and loaded it to my phone.  After respringing, transparency win!  It’s transparent but it’s fugly.  It’s so fugly I dont wanna post it here.  The edges are so crooked, there’s extra shadow at the bottom, etc. All in all, FAIL!

Attempt #2: I “extracted” it from iTunes.app in Leopard using ‘Get Info’ -> click the icon on the top left -> Edit -> Copy then Preview -> File -> New From Clipboard. I removed the shadow at the bottom using Gimp, scaled it to 60×60, scp’ed it to the phone, resprung, and there you go. iTunes icon WIN!

I haven’t decided on a dock and background image yet.  It already looks kinda nice without one.

Update includes:

  • Decrease in call set-up failures and dropped calls  (I haven’t really had any dropped calls since I first used my iPhone)
  • Significantly better battery life for most users
  • Dramatically reduced time to backup to iTunes  (Now it only takes around 10-15 mins what normally takes 3 hours to finish)
  • Improved email reliability, notably fetching email from POP and Exchange accounts  (Opening mails in Mail2web is still sluggish. As long as push notifications are fast, it’s fine by my standards)
  • Faster installation of 3rd party applications
  • Fixed bugs causing hangs and crashes for users with lots of third party applications
  • Improved performance in text messaging  (SMS.app is more responsive now, but still no forwarding or MMS)
  • Faster loading and searching of contacts  (Finally!)
  • Improved accuracy of the 3G signal strength display  (I don’t have 3G)
  • Repeat alert up to two additional times for incoming text messages  (Every 5mins. This is pretty handy)
  • Option to wipe data after ten failed passcode attempts  (I don’t wanna wipe out my phone; besides, I don’t use passcodes and it looks to be broken on 2.0.2)
  • Genius playlist creation  (I only have 2 genres: punk and grunge)

It took me >5 fucking hours to update and jailbreak 2.1. Why?

  • I gave up after an hour of backing up my iPhone on iTunes 8. The progress bar is not even on the 25% mark.  I want to be able to restore to 2.0.2 in case my upgrade to 2.1 fails and I dont want to redo my games all over again.
  • I fucked up my WinXP box.  As of this writing, the latest version of Quickpwn is Windows only.  Command-line shell access is required and thanks to my sister’s iPod, Windows is infected with this bar311.exe malware, which runs a shutdown script everytime you spawn a command prompt.  I tried to erase it in the registry, but I might have accidentally deleted an important key.  Now, any user who logs in is automatically logged out right away.  Sucks.  I should have just followed (again) that howto in TPC.
  • The XP installer I used is an old one.  It only has SP1 slipstreamed.  I had to download the 300+MB Service Pack 3 because iTunes 7.7 requires at least SP2

NOTE: To those wondering why Genius is not enabled on their iPhone 2.1, first you have to enable Genius on your iTunes 8 (IMS Account is required) and then sync.

There are some changes that weren’t included in the changelog.

  • Making a screenshot now makes that camera shutter sound.
  • The album name and artist now appears at the bottom of the song title in iPod.

  • Apple must have changed the spacing between icons in Springboard.  Now, my dock icons are cut on the top part.


UPDATE: This is actually a known bug in iPhone 2.1 and Winterboard.

  • Load Earlier Messages.  I cant say if hiding older messages will show an increase in performance of the SMS app.

OmniFocus is a GTD application by the Omni Group. It is available in two variants: a desktop version and an iPhone version. It’s basically a to-do app on steroids. Aside from the usual ability to jot down tasks, you’re able to do more such as attach pictures and audio to each task, categorize tasks into contexts, see what is due soon (“soon” is relative, and customizable), set deadlines and flag tasks. Plus, OmniFocus is location aware.

I’m not really a list junkie, but being someone with the memory of a goldfish, I really need apps like this. OmniFocus promotes planning ahead and makes you more productive. Jot down tasks the night before and then when you go to work the next day, you already have a list of things you need to accomplish.

Here’s the main screen.  It gives a quick view of the sub menus of the application.

At first, the Inbox puzzled me. What is this for if you can already categorize tasks into Projects or Contexts? So, I asked a fellow OmniFocus user. He said he puts uncategorized tasks in his Inbox. Your wild ideas. Having this kinda squeezes out your creative juices.

The Projects section doesn’t quite work for me. At work, I only have one project, which is IT. There’s really not a point in creating a project under here if it always will default to that. For some reason, OmniFocus automatically creates a Miscellaneous project if you create a task without a project.

You can attach pictures and voice recordings to your tasks.  This comes in handy when additional text notes are just not enough.

Tasks can also be flagged for easy reference.

OmniFocus for iPhone supports synchronization to MobileMe. If you dont have a MobileMe account, any Dav folder will do. It also supports SSL (even self-signed certificates) and HTTP authentication.

Core Location at work.  It’s been said that the first generation iPhone’s location service could be off by as much as 5 kilometers.  Not really a ‘must-have’, it’s very cool to have location services on your GTD application.  I think this is the only location aware GTD app in the AppStore.  The next fully-featured GTD app would have to be Things.  Things also has synchronization, but only to the desktop application.  Not on the “cloud”, as they would say.

All in all, OmniFocus is a great application. Mobility is very important for a GTD application. On the average, you’re in front of the computer 8 hours a day, but you have your mobile phone with you all the time. If you’re in a taxi cab and you remember a task that you’re supposed to do tomorrow, you’re not going to whip out your laptop and start writing notes. Might as well write it on a piece of paper. While OmniFocus is already a great app, I have a few wishes:

  • Alarm – It would be nice to have iCal-like alerts when you reach your deadline.  And, no. If I want notifications, iCal is not a place to put your tasks. It’s a calendar FFS.
  • Faster loading time – It takes about 7s on my phone for OmniFocus  to load, and I only have about less than 50 tasks in it.
  • Faster sync – Even on (wireless)LAN, it takes quite a while for synchronization to finish.
  • Address book integration – With a single tap, you can call a person or send an email while inside OmniFocus. I have People and Phone contexts in OmniFocus.  I use it to remind me when I have to call or talk to somebody.