You are currently browsing the Bogle’s Blog weblog archives.

SmugMug has a privacy leak, CEO says "I’m afraid our system wasn’t built for GUIDs"

Memo to CEOs: When you have a privacy or security leak, admit it, fix it, and move on.

There’s a hilarious story over on Google Blogoscoped about a massive privacy leak on SmugMug and the company’s attempts to deny that it’s a bug or could be easily fixed.  Such denials were popular in years past but most companies have learned better.

The hole is that the "private" galleries over on SmugMug have easily guessable URLs like http://www.smugmug.com/gallery/4210001, http://www.smugmug.com/gallery/4210002, etc, so it’s easy to enumerate and crawl all of the private galleries. 

This is easy to fix: just include a long, unguessable identifier in the URL (a GUID like b87ef4f0-d03e-11dc-95ff-0800200c9a66, for example).

When informed of the problem, SmugMug called it expected behavior and claimed that the guessable URLs were essential to sharing.

Thanks for writing. This is expected behaviour. A private gallery just means that that gallery will not show up on your Smugmug homepage but it is accessible by knowing the direct URL to it.

The CEO added that their system "wasn’t built for guids" and that it would be an "extremely expensive proposition" to add them. Classic!
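To make the fix concrete, here is an added example in Ruby (my own code, not SmugMug's) of what "not built for GUIDs" amounts to: galleries keep their sequential database id internally, but every shared link carries a random version-4 UUID, so the link is a capability nobody can enumerate. GalleryStore and its method names are assumptions for illustration.

```ruby
require 'securerandom'

# Added example (not SmugMug's code): private galleries addressed by an
# unguessable capability token instead of the sequential database id.
class GalleryStore
  # Version-4 UUID shape: 122 random bits.
  UUID_RE = /\A[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}\z/

  def initialize
    @next_id = 4_210_001   # internal primary key; never appears in a URL
    @by_token = {}         # token => gallery record
  end

  # Create a gallery; only the random token is ever handed out.
  # listed: false is the page's "private": hidden from the homepage listing.
  def create(owner:, listed: false)
    token = SecureRandom.uuid
    record = { id: @next_id, owner: owner, listed: listed, token: token }
    @next_id += 1
    @by_token[token] = record
    record
  end

  # The public link for a gallery carries the token, not the id.
  def path_for(record)
    "/gallery/#{record[:token]}"
  end

  # Resolve a shared link. Anything that is not a well-formed token (such as
  # the old numeric ids) is rejected before lookup; unknown tokens return nil.
  def find_by_path(path)
    token = path[%r{\A/gallery/([^/]+)\z}, 1]
    return nil unless token&.match?(UUID_RE)
    @by_token[token]
  end

  # Bits an outsider must overcome to land on one specific private gallery:
  # a sequential scheme is only as wide as the gallery count; v4 UUIDs give 122.
  def self.search_space_bits(scheme, gallery_count)
    case scheme
    when :sequential then Math.log2(gallery_count)
    when :uuid       then 122
    else raise ArgumentError, "unknown scheme #{scheme}"
    end
  end
end
```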


Faster pages with memcached caching

Memcached caching is used by many sites to improve scalability. Facebook is reputed to have 3 terabytes of memcache storage distributed across 200 servers. We recently added memcached based caching of Mergelab public feeds. This post is intended to share with other developers some of the existing Rails caching techniques and tools that we used.

Read more on the Mergelab blog

Adam MacBeth: Seattle Software Companies Map

Looking for software companies to work at in Seattle?

Adam MacBeth has put together a useful map of Seattle software companies, filtered down to those that have either revenue or funding.  (Too bad Google Maps doesn’t let you layer more information and filtering capabilities on such a map.)


Hyperlinking to the "good stuff" in an embedded web video

People who embed videos on the web frequently tell their readers to fast forward to a specific point to get to the "good stuff", for example here.

It’s dumb that readers have to do that manually.  If Flash video players were slightly smarter, the author could create an easy-to-type hyperlink that would cause the embedded video to skip to a specific section of the video and start playing.

For example, an embedded player could note that you had navigated to the anchor "#youtube-6-30" and automatically skip to a point 6 minutes and 30 seconds into the video.

Power users ought to be able to create their own "virtual edit" of a video by specifying a sequence of time segments to play back.  A blogger might create their selection of highlights from the presidential debate to accompany their post, for example, without having to actually re-encode the video. 

I can also imagine authoring tools on sites like YouTube that would make it easy to create your own virtual edit.

Even with such tools, however, I think it’s valuable to have a simple, typeable convention for hyperlinking into the middle of a video as described earlier.

Enabling browser caching of static resources in Rails

I was surprised to find that most out-of-the-box configurations for Rails and Apache are not set up to allow the browser to cache static resources like Javascript and images. This leads to slower page load times and bad looking rendering.

On Apache, this is very easy to fix using mod_expires.  I simply added the two Expires lines below (the last two inside the Directory block) to our site configuration file in conf.d.  The Rails helpers like image_tag automatically append a timestamp to the resource URLs, so updated versions of the resources will correctly be fetched by the browser even when an older version is cached.

<Directory "/var/www/example/public">
  Options FollowSymLinks
  Order allow,deny
  Allow from all
  # The two lines added for browser caching (mod_expires must be loaded):
  ExpiresActive on
  ExpiresDefault "access plus 10 years"
</Directory>
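As an added example (my own code, not Rails’ own helper implementation), here is the cache-busting mechanism the paragraph relies on, modelled in Ruby: a helper that appends the file’s modification time the way image_tag does, and a toy browser cache keyed by the full URL, which is why a ten-year Expires header is safe. AssetHelper, BrowserCache and the sample timestamps are constructed for the demo.

```ruby
require 'tmpdir'
require 'fileutils'

# Added example (not Rails' code): mimic the asset-timestamp trick so a
# far-future Expires header is safe. Any edit to the file changes its mtime,
# hence the URL, so the browser's cached copy is simply bypassed.
module AssetHelper
  # Returns a "/images/logo.png?1199145600"-style path for a file under public_dir.
  def self.timestamped_path(public_dir, rel_path)
    full = File.join(public_dir, rel_path)
    return "/#{rel_path}" unless File.exist?(full)   # no file, no stamp
    "/#{rel_path}?#{File.mtime(full).to_i}"
  end
end

# Minimal browser-cache model: entries are keyed by the full URL (query string
# included), which is exactly why a changed stamp forces a fresh fetch.
class BrowserCache
  attr_reader :fetches
  def initialize
    @entries = {}
    @fetches = 0
  end

  def get(url)
    return @entries[url] if @entries.key?(url)   # served from cache, no request
    @fetches += 1
    @entries[url] = "body-of:#{url}"
  end
end

# Two page views of the same image, then a redeploy with a changed image.
def demo
  Dir.mktmpdir do |pub|
    FileUtils.mkdir_p(File.join(pub, "images"))
    file = File.join(pub, "images", "logo.png")
    File.write(file, "v1")
    File.utime(Time.at(1_199_145_600), Time.at(1_199_145_600), file)  # constructed mtime
    cache = BrowserCache.new
    url1 = AssetHelper.timestamped_path(pub, "images/logo.png")
    cache.get(url1); cache.get(url1)          # second view: cache hit, no fetch
    File.write(file, "v2")                    # redeploy with a new image
    File.utime(Time.at(1_199_232_000), Time.at(1_199_232_000), file)
    url2 = AssetHelper.timestamped_path(pub, "images/logo.png")
    cache.get(url2)                           # new URL: fetched despite the 10-year cache
    { url1: url1, url2: url2, fetches: cache.fetches }
  end
end
```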

Mergelab improvements: Easier ways to add people and links, plus RSS support

As Alan notes, we just rolled out another round of Mergelab updates;  here are the main things we fixed and improved for this release.

1. We made it easier to add people to your news feed:

  • You can now import people from Yahoo and Hotmail as well as Gmail. 
  • You can also add a person manually: if you paste in an email signature or other freeform text, the site will automatically extract email addresses and web links for that person.  These will be used to discover news items about that person.
  • You can subscribe to news about a person from a shared feed.


2. We added an RSS feed of Mergelab updates. Now you can view news about your friends on your portal of choice. 


Civilization is a hack: should we plan to "throw one away"?

Civilization, to be honest, is a hack. It’s a rough draft, a crude prototype of the way things should and must be.  We’ve progressed and grown at a fast and exponentially increasing pace, but only by ignoring critical questions of sustainability and scale. 

An old adage about writing software says "Plan to throw one away; you will, anyway."  It’s essential to create prototypes to gain a better understanding of the right requirements and design. It’s just as essential to throw away the prototype and replace it with something more durable, and to plan to do so. Push a prototype too far, and you have a system that collapses catastrophically at scale. The longer you cling to the throwaway code, the harder it becomes to get rid of it.

Our problem today is that we live under the delusion that our system is designed to last. Modern governments and economies haven’t been around for long, and they have no track record of surviving global challenges like resource depletion or climate change.  It’s a matter of blind faith or stubborn hope that we’ll avoid collapse.

Changing course is hard to even imagine, much less do. It’s close to a sacrilege in the modern religion of progress to slow growth or sacrifice consumption on behalf of future generations. Technologically, socially, and economically, there are so many things we don’t know about how to build systems that will last.

Oil and global warming are just particular symptoms of systemic, hard-wired flaws in the way we think about the world and plan for the future.  At an almost genetic level, we are built to act as if resources are infinite. Perhaps only the trauma of collapse and recovery can reshape people’s core values and assumptions around sustainability. In that event, "planning to throw one away" means working to minimize suffering and maximize the knowledge retained during any crisis. 

Some might say it’s overly pessimistic to think that collapse is inevitable and even necessary. Can we engineer a smooth transition between the current prototype and the next iteration in civilization’s design? There are certainly things we can do.  We can’t redefine human nature. We can’t do "big design up front". But we can at least redefine our metrics of success and reward based on the strengths and weaknesses we recognize in our current societal prototype.  Our market incentives and metrics are screwed up, for example;  it’s no surprise that short term thinking dominates and that greater depletion is defined as greater success.

I hate to end on a bummer, but if I’m honest with myself, it’s hard to imagine this "soft landing" scenario working out in the medium to long term.  Our leaders are too timid and too corrupt. People are too unwilling to sacrifice or redefine success, and too preoccupied fighting with each other. I’m unfortunately more inclined towards the "plan to throw one away" point of view. I think things will hold up OK for my lifetime, but I worry a lot for my kids based on our current trajectory.

Ultimate (Frisbee) Video on the Web

I just discovered ultitv.com which has a large number of Ultimate game videos available for download for a modest subscription fee.  For example, the dozen videos in the UPA 2007 collection are $8.   These include all of the UCC 07 finals plus a number of highlight films.  Each download is 150MB+.

Despite some limitations I’ll get into later, I was pleased to find this site. 

It fills a need that isn’t met by either the free video sites or mainstream media.  The highlight videos you find on YouTube are fun to watch but show you very little of actual game flow if you want to try to learn something. 

And coverage on old-school TV is shamefully lacking.  You might find footage of the 2006 extreme moto-parachute-kite-skating championship, but you won’t see Ultimate.  (Does anyone know of any good coverage that I’m missing?)

The limitations of ultitv are in the ordering process and in the resolution; I believe there’s a business opportunity to provide a better platform for video publishers like Ultitv.

You order subscriptions via Paypal and you need to wait for someone to manually add your credentials to the site.  (To the site’s credit, this happened by the next morning for me.) 

As for resolution, the (quicktime) videos are only 320×240 pixels, a far cry from hi-def. Don’t expect football style multi-camera coverage of course, but the video does show the whole field with captions on fouls and dead space edited out.

I’m certainly willing to pay for the convenience of having an edited, high quality, quickly downloaded game, especially for something that’s not quite mainstream.  If they don’t exist already, I can imagine paid video hosting services that provide e-commerce, hosting, and video conversion technology to sites like Ultitv in exchange for a share of the revenue.

Update:

I’ve found ultitv clips aren’t actually the entire games; they’ve been edited down to fit in around 20 minutes and 150MB.

Here are ultimate clips on Google Video longer than 20 minutes, including some championship games.

See also the Ultimate Frisbee page on Squidoo, which links to a set of free Ultimate video sites, including the ultimate section of cstv.com


Steve Jobs: Kindle is flawed because people don’t read

Steve Jobs says the whole concept of Amazon’s Kindle is fatally flawed because people don’t read anymore:

“It doesn’t matter how good or bad the product is, the fact is that people don’t read anymore,” he said. “Forty percent of the people in the U.S. read one book or less last year. The whole conception is flawed at the top because people don’t read anymore.”


Blackberry Design Flaws, and How to Survive Them

Infuriating!  After less than a month of owning my Blackberry Curve, the trackball stopped working.

Remember old school mechanical mice and how they could get clogged with lint? 

That is exactly what happens with the Blackberry, except that, in a stunning bit of bad design, the Blackberry was built without an easy way to clean the trackball. The problem is made worse by the fact that most phones live in pockets that attract lint and are handled directly by greasy fingers.

Pinstack.com suggests possible fixes.

As a first resort, you can try cleaning the trackball with an alcohol swab.

If that doesn’t work, you can carefully remove the plastic retaining ring around the trackball and take the entire trackball unit out for further alcohol cleaning.  That was enough to get things working for me.

If even that fails, you can disassemble the entire trackball unit for cleaning, but I was terrified by the prospect of working with such tiny, easily breakable parts. 


If you do have to replace the entire unit, this site has it for cheap ($12 plus shipping) compared with $50 and up elsewhere.  (I haven’t ordered from them so I can’t vouch directly for this site.)

But I digress. The Blackberry should never have been designed with an easily gummed part that can’t be cleaned.

Previous Blackberries I have owned have died premature deaths due to other avoidable design flaws; for example my last Blackberry died because the power socket on the phone plug became detached under the constant strain of being plugged and unplugged.

RIM really needs to get their design act together or customers will migrate to more durable phones!