Back in March-ish of 2011 I got an Android phone. It was an Optimus V, which means it was cheap (about $150, no carrier subsidy) and limited, but was available with an actual reasonably-priced no-contract plan ($25/month). Since I can’t bring myself to pay the crazy rates you Americans seem to pay your phone carriers, this was a good deal.

In July of this year I got myself an iPhone 4S. Virgin started offering them, but I wound up going with Straight Talk instead, since Virgin only offered the lowest storage capacity and wouldn’t let you activate a phone you didn’t buy from them. I’m paying a little more for the service, but it’s still reasonable ($45/month, unlimited everything).

I feel like talking about the experience of switching. What I liked about Android, what I like about the iPhone. I know some people who are really invested in their phone OS, but I am not one of those. I think I can be relatively unbiased here.

Still, this is all utterly subjective. It’s what I like and didn’t like, and what matters to me.

Hardware, with an asterisk

A big caveat: I had a cheap Android. It had poor performance, low memory, almost no onboard storage space, a so-so screen, a not-overly-large battery, and all in a flimsy plastic case. I’ve not used any of the higher-end Android devices. By all reviews it was fantastic for the price, but still… I’m not going to dwell greatly on the hardware differences.

I do think it’s fair to note that you can’t get that sort of experience with an iPhone. The worst iPhone out there is, at least, that way because it’s 5 years old.

So, up-front, the device quality of the iPhone is a lot higher. Better performance, lots of storage, good battery life, ridiculously good screen, vastly better camera. Also, as a personal-taste matter, I think the iPhone has much nicer industrial design, but your mileage may vary.

Mind you, I sort of liked knowing that my phone was cheap. It might have been flimsy plastic, but I didn’t have to worry about dropping it the same way I do this $800 lump of crackable-glass.

Now, the stuff which I think is fairer to compare: software differences!

I rooted my Android and ran a custom ROM. I like that I could do that. I don’t like that it was the only way I had of getting a sort of up to date version of the OS. At the time I switched, Gingerbread was still the most-recent Android version available for the Optimus V, even with custom ROMs. So I like knowing that, for the next few years, I’m guaranteed to get updates promptly and without having to fiddle around with warranty-voiding matters.

iOS and Android feel about equally flexible to me. Technically this is false, since Android has a lot more flexibility, but for my purposes they’re equivalent. Rooting your android and running a custom ROM feels about the same as jailbreaking your iPhone. It’s true that I can’t easily switch to a different keyboard layout without jailbreaking… but I stuck with the default keyboard on Android anyway, and I like the iOS keyboard.

I liked the account manager on Android. Setting up my iPhone involved entering passwords repeatedly, whereas on Android I just had to enter them up-front and apps would ask permission. This is improving a little with Twitter and Facebook integration, but my Google credentials were the real killer.

I miss the Google integration. GMail and Google Voice are so much better on Android. Google Maps on Android was a vast improvement over the Google Maps app on iPhone. The new Apple Maps app looks promising, and finally picks up parity on the turn-by-turn navigation, but may also have some teething issues to work out.

I like knowing that if an app is mentioned, it’ll be available for me to use. On Android, a lot of apps were restricted and not flagged as available for my device. This is sort of a “cheap Android” issue, but it came up enough that I want to call it out separately.

I like that installing apps on the iPhone reliably works. Fuck “package file invalid” errors. I got those all the time on Android, and as far as I can tell they happened because there was insufficient room on a partition to uncompress a downloaded package file. I would call this another “cheap Android” issue, but Google’s utter failure to write a Market app that could notice the problem and provide a helpful error message or workaround just leaves me bitter. This error, on its own, was a major driver in getting me to upgrade my phone… and in persuading me that moving away from the OS that had this as a persistent issue was worth a shot.

I kind of miss Intents. Being able to set default apps was useful; the iPhone locks you into things like Mail, Maps, Photos, and Safari. They’re perfectly servicable apps, mind you, I’d just like knowing that if I discovered something vastly better I could seamlessly switch.

I like Siri. I find I mostly use her for the “remind me to do X when I get home”, or “add Y to my shopping list” features, rather than the search-related stuff. I could probably get an app to do the same on Android, of course.

My shopping list being shared with my wife over iCloud as a built-in feature is awesome. I had an app for that on Android, but it’s something I had to buy. That said, my having to visit the iCloud website to set up this sharing is ridiculous, and I bet almost no non-technical users have ever noticed it.

I’m a fan of the iPhone’s lock-screen camera mode. You can start taking pictures without having to unlock the device, which I never saw an equivalent of on Android. My 3 year old daughter uses it to take pictures of me sleeping if I didn’t put my phone away the night before. :P

My wife switched as well, and asked her if there was anything she had to add. She says she likes “knowing that things will just work”. I’d say it’s a bit of a cliched point, but then I remember what she went through while trying to make a bluetooth keyboard work reliably on Android. Another example would be plugging into car stereos: the iPhone works easily, since almost everything has support for it, while the Android functioned as an external USB hard drive of MP3s… which is rather more awkward. Syncing music with your iPhone is also far, far easier than syncing music with an Android device, if only because there’s a clear default “this is how you do it” state.

No, there is too much. Let me sum up.

Android:

• good: accounts, Google apps, changing default apps, “freedom”
• bad: experience depends vastly on the exact handset you own, long-standing Market bugs, upgrade schedule is atrocious

iPhone:

• good: app availability, Siri, retina screen, iCloud, no bad devices, reliable upgrades, “it just works”
• bad: Maps not up to Google’s standards yet

I’d say that I’m happy with my iPhone. Next time I want to get a new device I’ll still consider an Android. I gather that a Nexus is the way to get iPhone-equivalent upgrade support, so I’ll certainly look at that. Still, unless something on Android looks like more than just a quantum leap ahead, I’d imagine I’ll be sticking with the iPhone.

I’m on vacation at the moment, in Chicago, and my experience of staying in a hotel here has caused a fairly predictable reaction in me. It has made me realize: I am not the customer here. Or, to be more precise, I do not represent the primary demographic this hotel considers its customers to come from.

First, a few observations:

1. In-room wifi is not free. (This is really the big one.)
2. The hotel maintains a few restaurants/bars which sell really over-priced and under-alcoholed drinks.
3. The hotel maintains a convention space. It’s been hosting things most nights I’ve been here.

From this I conclude that the hotel has geared its offerings to appeal to people who aren’t paying for their own room. People with an expense account. If my employer was covering my travel costs here, I’d be fine with charging wifi to my room, and adding on meals/drinks regardless of whether they’re reasonably priced.

The customer is a business that can afford to send employees out to travel for some reason. Thus the purchasing decision will be made based on factors that I don’t care about, like whether there’s meeting spaces, or how close it is to some convention. In particular, the customer isn’t the person who’ll be staying at the hotel, or even who’ll be directly paying for anything involved with the hotel.

Interestingly, if I go to an objectively worse hotel, say a Motel 6, I am the customer. I’m a probably cost-conscious consumer who is picking between similar options, and since I’m also the person who’ll be using the service they have an incentive to directly appeal to my own irritations. Free wifi, free breakfasts, etc.

Note: it’s not really the money that matters to me, it’s the sensation of being nickel-and-dimed. I bought a room, and you’re not giving me an amenity that the cheapest motel will throw in for free? Really? That’s why I don’t think the explanation is that the hotel expects its visitors to be people well off enough to not care about the extra fees. Even if the money’s no object, the attitude is a pain.

This is a slight departure from my normal choice of topics, I’ll admit.

Last year I decided that I wasn’t happy about my weight. I’d been slowly gaining weight for the last few years, as a fairly predictable consequence of a sedentary lifestyle and liking for food. I topped out at 240 pounds, which left me rather… chunky. Realising that I hadn’t seen a picture of myself I felt happy about for some time wasn’t fun.

Despite all the social features built into the apps I’ve been using, and my relatively active twitter use, I believe this is the first time I’ve mentioned anything about this to other people online. So now you know!

In September I started out by counting calories, using Lose It!. I tried a few such apps, but that was the one that felt like the best fit for me, giving me easy data entry and a convenient “given your height/weight, eat X calories to lose Y lbs per week” which updated itself as I updated my weight.

Why counting calories? I like data, and I like how tracking data tricks you into changing your behavior. The simple act of having to write down everything I ate made me conscious of where my calorie intake was coming from, and I thus made changes in my diet to avoid having to write down something horrible.

Note that I didn’t really start eating better… my diet is almost exactly what it was before, I’m just eating less of it. I particularly didn’t try following any sort of fad diet (low carb, shangri-la, paleo, whatever).

This worked out quite well. After one month I’d lost 13 pounds, which was encouraging. So at the start of October I joined a gym with my wife, who talked me into it because she wanted some company while she worked out.

I mostly used the gym for running, with minor amounts of weights. For my whole life I’ve been someone who couldn’t run for more than a minute or two, even at times when I’ve otherwise been relatively fit. But again an app helped me out; in this case the couch to 5k app. It managed to provide a sequence of running workouts that took me from running 90 seconds at a time to running for a solid half-hour.

This probably doesn’t sound like a lot to many of you, but I find it incredibly weird to know that I can run for a half hour at a stretch. That is seriously at odds with my self-image. In a good sort of way, admittedly.

How has it gone since then?

Pretty well! December held steady because I spent almost the entire month out of town, eating more at holiday parties, with very few opportunities to exercise. But that plateau has ended now I’m home again, which is encouraging.

As you might note from that graph, I set myself a fairly arbitrary goal of 200 pounds, on the theory that after I lost 40 pounds I would stop and evaluate myself and see how I wanted to proceed from there. I’m getting quite close to that now, and I’m happier about how I look, but have pretty much decided to set another goal of 180 pounds and then again stop to see how I feel. Given how it’s gone so far I’m optimistic that I’ll get there before too long. :D

It turns out that the secret to losing weight is diet and exercise. Who knew, right?

One of my sites got hacked. How?

1. My wife tried out a number of WordPress themes while setting up her blog a year or two ago.
2. One of them contained something called timthumb.php, which just this August was found to have a great big security vulnerability.
3. Someone exploited this vulnerability, probably by scanning for every possible theme that contained it and put a cracker console in the cache directory of that theme.
4. They used this console to find and edit every .htaccess on that user account to include a some malicious code. (This was several sites, because I was lazy.)
5. It redirected to a quite nasty URL whenever a referrer from a longish list of search engines was seen.

So that’s not terribly nice. I take some small comfort in knowing that at least I have a lot of company. Also, I feel validated in moving off WordPress.

The cracker console was actually quite interesting. If you’re curious, you can see it on this gist, slightly expanded for readability (or just a screenshot).

It was obfuscated by being a big string that ran through preg_replace using the e flag, which executes the result. Yes, this is a genuinely insane feature. That turned some unicode-escaped characters at the beginning into eval(gzinflate(base64_decode(', which revealed the rest of the huge string to be a base64 encoded gzipped blob of source code.

The lesson I’m taking from this is: security is hard to enforce when themes that non-technical people are expected to use can contain executable code. Or even technical people… I wouldn’t have caught that if I’d been looking for a WordPress theme.

Google released their Google Reader revamp. Certainly prettier, though I’m not entirely convinced right now by the increased vertical space used by the list view.

Puzzling oversight is not importing my existing Reader friends into a Google Plus circle. Seems like a really obvious thing to do, and yet they’re giving everyone a chance to decide to jump platforms instead of following a painless migration path.

I suppose that Google is in a privacy bind here. Google Plus has that nice, easy option to post things that are visible to “your circles”… so creating a new circle means they’re exposing private information. But not creating a new circle means excluding existing relationships from their new network. Tricky.

Anyway, the rather painful migration path actually provided is:

1. Go to the import/export page on Google Reader
2. Export the “List of people that you follow”
3. Read JSON enough to extract identifying characteristics and try to track these people down (importantly, it doesn’t include email addresses)

I rather doubt this will be widely employed.

I’ve never really touched rake before, but since switching to Jekyll I’m finding that it’s becoming an essential part of my workflow. In the limited area of blogging, at least.

rake is a version of make in which you define all your targets in Ruby. Because practically anything would be an improvement over Makefile syntax, this is pretty easy to work with. I’m not a huge fan of shell scripting at the best of times, so mixing it in with something else is… not desirable. I still find Ruby less intuitive than Python, but that’s my prejudices talking.

To elaborate… what does posting a new entry look like for me?

1. rake server to start up an automatically-rebuilding local webserver copy of my blog
2. rake post[raking-jekyll] to make a new post with the YAML front matter boilerplate
3. Actually edit the newly created post in an editor
4. rake deploy to rsync the local copy to my hosting over ssh

Any part of my routine which looks like it might be scriptable has been replaced with a rake target. For example, the post target:

1. Copies a template file
2. Names it according to the current date and provided title
3. Adds an expanded version of the current date into its YAML front matter so sorting will work correctly if I post multiple times a day

Since I rarely know the current date without having to look it up, that certainly saves me some effort.

Here’s my Rakefile, if you want to use anything from it. It’s probably not properly idiomatic Ruby, but it does at least work.

Pretending innocence, I ask why all these high profile websites have their homepages covered in spinning images?

• CNN (screenshot)
• The New York Times (screenshot)
• Mashable (screenshot)
• Fox News (screenshot)

Okay, obviously enough, I’m messing with them. But how can I do that?

The answer is cross site scripting (“XSS”).

XSS is surprisingly common, and nigh-universally is caused by poorly escaped user inputs. Even user inputs which, as in this case, they obviously don’t think of as user inputs. It happens when content is injected into a page, which results in the loading of arbitrary JavaScript onto that page.

As such, I own your interaction with those sites. If I was malicious I could be harvesting your cookies from them, redirecting you to phishing sites, recording everything you type, or just snooping on everything you view. As an example of why someone might want to do this… in the case of these particular sites, stealing your cookies (document.cookie) would let me post comments as you. I could thus spam those sites using legitimate accounts that I don’t have to go through the hassle of creating myself.

I’m not doing this, because that wouldn’t be nice. All I’m doing is reversing links and spinning images, because I think that’s cute.

In this case, all these sites have screwed up by including a little bit of HTML from an ad network (EyeWonder) on their site. This HTML accepts an arbitrary URL as a parameter, and loads it in a <script> tag. This is quite a common way for ad networks to ruin your day, often in the name of “frame busting”.

If you’re wondering who might be vulnerable to this exact hole from this exact ad network, Google can help you with that. Hint: it’s a lot of sites. I just grabbed the first three big names to demonstrate with.

Here’s the offending HTML:

This would actually be pretty easy to fix, note. A little bit of checking of the input, to restrict it to scripts hosted only on known-trusted domains would be enough to make exploiting it almost impossible. (I say “almost” because someone sufficiently resourceful might find one of these “trusted” domains isn’t as secure as they hoped and slip a script onto it. But it at least raises the bar.)

If you’re curious what I’m doing to make these pages spin, check out this gist which includes the spinner script. Essentially it’s just making an iframe which shows the root of the domain, and then manipulates the contents of that iframe, which it’s allowed to do because the script is running on the same domain.

In short: never trust user input. Also, don’t trust your ad networks to know/care about security.

This post brought to you by my coworker Paul Banks pointing out the existence of this fun little hole on CNN. I then added the spinning myself, because it looks nice and spectacular.

I’ve just redone my website using Jekyll. It is now completely static. No PHP, no database, nothing like that.

Why did I do this?

• It’s quite soothing knowing that all my content is version controlled.
• I am now nigh-immune to traffic spikes. I was using caching with WordPress before, so it had never been an issue even when I was on the HN frontpage, but there’s some peace of mind in it.
• WordPress had a history of security bugs which wasn’t comforting. Since nothing on this new site is executable I feel pretty secure now.
• My site is now ridiculously flexible. Jekyll forces almost no structure on you, leaving you free to change things around as you please.

I’m happy with the end result, but the process of getting there was not without pain.

The initial difficulty came from Jekyll’s documentation being somewhat lacking. I found myself somewhat confused about minor details like “how does a layout work?”. After I’d cribbed that together by examining other sites posted with Jekyll, I discovered that the template data docs were inaccurate / misleading, implying the presence of a post variable which failed to exist. It turned out to be something that’s merged into page if you’re viewing a post.

I don’t completely blame Jekyll for this being opaque. Jekyll uses Liquid for its templating language, which claims to be aimed at designers… and I feel it would benefit from some sort of debugging mode that dumps the current scope for examination.

I resorted to reading Jekyll’s source, which cleared up a number of things. However, I view it as a bad sign that I felt I had to do this. Not that a command-line driven static website generator is ever likely to be a mainstream product, but still, it’s the principle of the thing.

Pagination worked, but was completely lacking in configuration. Since part of my goal was to have my URLs remain the same as they were in WordPress, I had to change this. I did so with a horrible monkey-patching hack of a plugin. Specifically, I made a copy of the pagination module from Jekyll’s core into my _plugins directory and selectively edited it to change the pagination urls.

In the process I noticed a bug in the core code, and submitted a pull request to fix it. So horrible monkey patching might at least pay off this time.

Also utterly broken was the related posts feature. No matter what, it always seems to think the most recent posts are the most related to anything. It’s possible that running with --lsi would have helped with this, via complex semantic analysis, but that takes forever and I’ve seen others complain that it doesn’t really help. So there’s more monkey patching going on via Lawrence Woodman’s related posts plugin, which I took and edited so it worked based on tags instead of categories.

One thing I haven’t fixed, which I’d like to, is making the automatic regeneration of your site during development / writing a lot smarter. Right now it notices a file has changed and so it regenerates every single bit of content on your site. This does mean that the live generated site always has recent/related posts up to date everywhere… but it’d be nice to have some sort of --quick option that ignored that stuff in favor of a faster development cycle.

Because of the utter staticness, I naturally cannot have my own comment system in use any more. So I’ve switched to Disqus, which adds commenting to the site via JavaScript. It feels sort of weird to be outsourcing a component of my user experience like this… but they seem to be trustable. Widely used, and their monetization plan is fairly transparent.

If you’re interested you can see the repo for my website on github. It contains, in its default / post templates, markup that’s compatible with any WordPress theme that’s based on Toolbox, which might be of use to some.

Like I said, I’m happy with how it turned out. I wouldn’t recommend this at all for a non-technical person, but if you want to dig in and get your hands dirty then Jekyll is quite workable.

(Expanding slightly on my response to this HN thread.)

First: to be on all shared hosting everywhere. I.e. you need to be really easy to install, and preferably not involve long-running processes that shared hosts might choke on.

Second: to be beginner friendly. No requirement of understanding MVC, or running commands in a shell (hi RoR!). Pure instant gratification. Someone’s first step into using PHP is likely going to be “I want the current date in the footer of my page”, or “I want a random image on my homepage”, or something like that. Anything like that you can handle by taking your existing page and dropping a tiny snippet in where you want the change to happen. <?=date('Y')?> is a potent thing to someone who has never programmed before.

Note: For point 2 many of the things serious programmers hate about PHP are actually advantages. All the functions in one big namespace? That’s great! A newbie doesn’t have to try to understand <? import datetime; print datetime.date('Y'); ?>.

It’s easy to replace PHP for serious developers. We like advanced features, and care about a sane default library. We’re willing to use complex tools to get a payoff.

It’s hard to replace PHP for non-programmers who just want to tweak their static page in notepad so it has one cool new feature, or install a blogging package on their cheapo shared hosting.

To sum up: if you don’t address both of these points then you haven’t killed PHP. You’re competing with Python or Ruby or whatever. PHP will carry right on ignoring you, because you’re not addressing its fundamental use case.

I need to bear in mind that the threshold for the Hacker News front page is a bit lower late at night on Friday, and perhaps only submit my less inane, random, and opinionated stuff in that timeframe.

Oh, who am I kidding? It’s great for getting views.