Archive for May 2007

How XM Radio is About to ROYALLY Screw Themselves

XM Radio has no idea what they’re about to do to themselves. Before I tell you what that is, a brief history lesson:

There’s a huge scandal going around right now regarding the corporate censorship of hosts of Opie and Anthony, a popular show on XM radio. The entire fuss is over a bit they did where a “bum” talked about raping the president’s wife, Secretary of State Rice, and Queen Elizabeth. When they were suspended for it, thousands of angry customers called in to XM radio to cancel, not necessarily in support of the show, but because XM advertised that its content is not censored.

To the surprise of many, people are now reporting that XM is not actually canceling accounts, but rather giving free credits (a few months). People are angry because they are trying to make a statement with their cancellation, and XM is trying to float their subscriber numbers for their shareholder meeting on the 25th.

I say, awesome. Let them commit fraud or whatever. If they really do keep these customers around for the next few months, there is a great opportunity to get even.

My advice is simple: Wait for the credits to expire and then issue a chargeback the moment they bill you. When they contact you about renewal, do not respond, react, type a reply, or say a word. Just hang up, delete the email, or trash the letter. If they are stupid enough to bill your account without your explicit consent, you have the full right to issue a chargeback, and your bank will side with you. Simply call up your bank and tell them you canceled the service months ago.

Most people don’t realize it, but chargebacks have huge penalties associated with them. While fraudulent chargebacks don’t really count, a legitimate chargeback hurts. It usually comes with a $10-$30 processing fee. What people don’t know is that if a merchant has a large spike in chargebacks, they are assessed a secondary fine. This is in place to curb large-scale merchant fraud or shoddy business practices where merchants take processing fees into account as a cost of doing business. This secondary fine is not as small and friendly as the processing fee…

I’m talking about millions of dollars in penalties applied directly to XM’s bottom line.

So be happy they haven’t canceled your account. Mark it on your calendars and screw over XM in six months.

Microsoft Bought aQuantive for 6 Billion!

Today, Microsoft made the biggest purchase in its history, six billion dollars, in an effort to out-flank Google. They purchased aQuantive, a competitor in the online advertising industry that parallels, but doesn’t directly compete with, the pay-per-click model. The price is double what Google paid for DoubleClick; aQuantive is the largest online ad agency.

DoubleClick had a yearly revenue of $300 million versus the $442 million for aQuantive. The price for aQuantive was definitely not cheap, considering its net income from last year (“profit”) was $54 million. Ouch! What a deal for aQuantive!

aQuantive’s headquarters are in Seattle, making it a good buy in terms of geographic proximity. But was it a good buy overall? The answer isn’t clear.

Microsoft paid over double the total valuation of aQuantive ($2.8B). That’s a sizeable premium. In other words, the millions of investors across the world put the price tag of aQuantive at roughly $3B and Microsoft came in and bought them for over double. Microsoft must know something that nobody else in the world realizes — or they were getting really desperate to outmaneuver Google.

But, if there’s one company in the world that recognizes the immeasurable value of being #1, it’s Microsoft. They bought their way into the top of the pay per action market, and they plan to abuse — er, excuse me — use it.

Still, I think it’s dumb that an operating system manufacturer is buying ad agencies. Just think of the parallel: Apple/Novell/IBM buying aQuantive. It makes no sense. It only makes sense because Microsoft is a monopoly trying to retain its power.

The largest purchase in Microsoft’s history is not a competing software company. It feels as if Microsoft has really strayed from its core vision ever since Billy-G left the helm. Ballmer, I hope you know what you’re doing…

But what do I know, right?

Update: here’s a history lesson.

Would You Buy e-Music from Amazon? Now You Have a Reason.

Amazon has made it known that they will be selling DRM-free MP3′s in the near future.

Every song and album in the Amazon.com digital music store will be available exclusively in the MP3 format without digital rights management (DRM) software.

The most notable part is that these are DRM-free MP3s, by far the most popular music format.

The next few months will be critical in determining the direction of digital music. If actual sales don’t increase, music labels will see this test run as proof that file-sharing is the root of all evil.

Personally, I look forward to being able to buy and burn my own CD for $9.99 (digital album price from iTunes). Well, unless Amazon matches their prices — I prefer MP3 over AAC for the sake of consistency. =P

Max File Size Causes *Silent* PHP Errors

Today, at work, I hit the strangest PHP error. I thought I’d share. 

I wrote a logging script that tracks whenever something goes wrong. First, it tries to write everything to a raw file and then to the database. The thinking was that if something bad happened to the database, at least I would have a log entry in a regular file. Unfortunately, I didn’t take into consideration what happens when something bad happens to the file, which turned out to be far worse.

We noticed something was wrong when no errors were being logged, and yet the script was clearly failing to do its job. There were no PHP errors, no database records logged, and nothing changed in the log file. After careful scrutiny, I confirmed there was indeed an error happening, and it had to be in the logging itself. So I looked at the log file, and then I noticed this:

2147483647 ClientException.1.log

That huge number is the number of bytes in that file. 2,147,483,647 bytes = 2 GIGABYTES. The file was too big for PHP to want to open. I ran the PHP script by hand and it simply said the following message where I called fopen():

File size limit exceeded

When this error was encountered, PHP died with no warnings, errors, or notices. There was nothing in the PHP logs to show something went wrong — that was some kind of operating system level error message. The code — no, PHP — simply halted! No destructors, no cleanup – nothing. Even the output buffer was destroyed, which means if there was ob_start() anywhere in the code above, all of the previous output (echo) was lost.

Scary.

So next time your script is dying without an explanation, make sure you check how big the logs are.
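To keep a raw log from ever reaching the size that halted the script above, here is an added example (not code from the original post) of an append-only logger that checks the file’s size and rotates it before writing, and records the failure through error_log() when the append itself fails. The path, the 1 GiB threshold and the function names are this example’s own choices.

```php
<?php
// Added example, not the original post's code: an append-only logger that
// rotates the raw log before it can reach the size that halted the script
// above. The path, the threshold and the function names are assumptions
// made for this example.

const LOG_MAX_BYTES = 1073741824; // 1 GiB, far below the 2,147,483,647-byte file seen above

// Move the log aside once it reaches the threshold, or once its size can no
// longer be read at all (itself a sign it has outgrown what this PHP build
// can handle). Returns true when a rotation happened.
function rotate_if_needed(string $path, int $maxBytes = LOG_MAX_BYTES): bool
{
    clearstatcache(true, $path);
    if (!file_exists($path)) {
        return false;
    }
    $size = @filesize($path);
    if ($size !== false && $size < $maxBytes) {
        return false;
    }
    $rotated = $path . '.' . date('Ymd-His') . '.' . getmypid();
    return @rename($path, $rotated);
}

// Append one line to the log. Line breaks inside the message are replaced so
// one entry stays one line. Returns false, after noting the failure via
// error_log(), when the append did not succeed.
function log_message(string $path, string $message): bool
{
    rotate_if_needed($path);
    $line = date('c') . ' ' . str_replace(["\r", "\n"], ' ', $message) . "\n";
    // LOCK_EX serialises appends coming from concurrent requests.
    $written = @file_put_contents($path, $line, FILE_APPEND | LOCK_EX);
    if ($written === false || $written < strlen($line)) {
        error_log("log_message: could not append to $path");
        return false;
    }
    return true;
}

// Usage with a constructed path and message:
log_message('/tmp/ClientException.1.log', 'example entry written by the added logger');
```

The point of the second fallback is that a logger which cannot write must still leave a trace somewhere; error_log() goes to the web server’s own log, which is the one place the silent failure described above would have shown up.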

Is Your PHP Web-form Hacker Proof?

Several months ago, my friend informed me that he was seeing a large volume of email spam coming from one of my legacy sites. After investigating, we found that my “contact” page was the source. A hacker was spamming people through the contact form on my website! The page in question was a simple PHP script where people could provide an email address and a short message that would be emailed to me. So here’s the question of the day: How did they make it email other people with their own custom email messages?

Most people may not be aware of this, but the culprit is the PHP mail() function. The relevant portion of the definition is as follows:

bool mail ( string $to, string $subject, string $message [, string $additional_headers] )

So most people would probably do something like this:

mail($to, $subject, $message);

But by default, this will send the email with some ugly “from” address like root@localhost. What if you want to set a “from” email address, such as the person who filled out the form?

mail($myEmailAddress, $subject, $message, "From: $fromAddress");

But don’t you need to escape it? Well, a lot of beginners (like me when I started out) don’t realize that “addslashes” does nothing here. A hacker could provide additional headers in your script by typing the following into your web-form:

me@fakeemail.com \r\n

Followed directly by another header:

Bcc : otherpeople@hotmail.com [ignore spaces]

The above input would send an email to otherpeople@hotmail.com through the BCC field. That alone doesn’t sound too threatening. However, it is actually possible to inject a message body, attachments, other recipients, a new subject, etc. at this point. A hacker can completely re-format your original email. In essence, they can post data to your form to make it do something completely different than what you had intended.

And judging from the fact that I wasn’t getting emails, I would assume that they can suppress the original “to” email address as well, making the breach completely unnoticeable.

To fix this, make sure you filter arguments that get passed in as headers by removing the \r and \n characters.

$fromAddress = str_replace(array("\r", "\n"), '', $fromAddress);

As always, remember my code examples tend to use curly quotes that PHP won’t recognize.
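Here is an added example (not the original post’s code) of the contact-form mailer rewritten around that rule: any header value containing CR, LF or NUL is rejected, the visitor’s address is validated with filter_var(), and mail() is only reached with clean values. The function names and the two sample inputs are constructed for this example; the second input is the Bcc injection pattern described above.

```php
<?php
// Added example, not the original post's code: a contact-form mailer in
// which user input can never add a mail header. Function names and the
// sample inputs below are constructed for this example.

// A header value must stay on one line. CR, LF or NUL in it would start a
// new header (or cut the header short), so such values are rejected outright
// rather than repaired.
function header_value_is_safe(string $value): bool
{
    return preg_match('/[\r\n\0]/', $value) !== 1;
}

// Returns the trimmed address if it is safe and syntactically valid, null otherwise.
function clean_email_address(string $address): ?string
{
    $address = trim($address);
    if (!header_value_is_safe($address)) {
        return null;
    }
    // filter_var accepts only a single well-formed address, so anything with
    // an extra "Bcc" line (or a bare "\r\n") is refused here as well.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $address;
}

// Sends the form contents to $myEmailAddress with the visitor's address as
// From. Returns false without calling mail() when the address is unusable.
function send_contact_mail(string $myEmailAddress, string $fromInput,
                           string $subjectInput, string $message): bool
{
    $fromAddress = clean_email_address($fromInput);
    if ($fromAddress === null) {
        return false;
    }
    // The subject is a header too: fold any line break into a space.
    $subject = str_replace(["\r", "\n"], ' ', $subjectInput);
    // The body may legitimately contain newlines; only the headers may not.
    return mail($myEmailAddress, $subject, $message, "From: $fromAddress");
}

// Constructed inputs: a normal address and the injection attempt from the post.
$inputs = [
    'me@example.com',
    "me@example.com\r\nBcc: other@example.net",
];
foreach ($inputs as $input) {
    $result = clean_email_address($input);
    echo json_encode($input), ' => ', var_export($result, true), PHP_EOL;
}
```

clean_email_address() hands back the first input unchanged and null for the second, so send_contact_mail() never reaches mail() with a crafted value. Rejecting rather than stripping is deliberate: a line break in an email address is never legitimate, and refusing the submission makes the attempt visible in your own logs instead of quietly repairing it.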

So, is your form hacker-proof?

Further reading on this topic can be found here.

Note: I had a horrible time trying to make this post. Apparently, WordPress doesn’t like the word “Bcc[colon]” appearing anywhere in the post! How lame!?

There are iPhones on eBay!!

You read it right: there are now iPhones on eBay – well, pre-orders.

Today is May 14th, and the seller is guaranteeing:

**the Apple iphone 8 GB will be in my hands 30 days from start of listing 5-11-07**

As in, June 11th, 2007. That is a lot more optimistic than most people are predicting to be the official launch of the iPhone. Apple has only confirmed “before the end of June.”

who wants an iPhone for $1000?

So this is either one very smart individual who is already planning to camp out to get the iPhone (and praying he gets it on time), or he’s already secured a pre-order. The seller has 99.00% positive feedback rating with 99 transactions, dismissing any immediate notions of fraud. There are a few other people who are selling the same thing. What do these people know that the rest of us don’t?

A short search indicates a few previous auctions have closed for above $1000. When PS3s can fetch four or five times their price, I know the iPhone can do it too. The relatively low closing prices are most likely because nobody is yet aware these auctions exist.

A4 Paper-sized E-Paper Produced

E-Paper comes in a new size now: 11×14, and it measures only 0.3 millimeters thick, making it directly comparable to regular paper. This new version is also capable of 4096 colors (12 bit color), which is already comparable to modern mobile devices.

Update: Another source with a better picture.

The Truth Behind Giving IE7 Standards Compliance Updates

I just realized a funny irony about Microsoft competing with Google. See, Google has some really advanced JavaScript when it comes to its Adsense scripts (look to the left of or below this article). If you’ve never thought about this process, here’s your chance. The JavaScript that makes these ad unit boxes must:

  • Scan the page and send the contents to Google for analysis, get the response, and serve an ad accordingly (AJAX)
  • Build an entire block of HTML from scratch (DOM manipulation – very annoying)
  • Fire after the page loads, to ensure all of the content is in place (event handling)
  • Override any CSS or other page altering scripts to ensure people can’t be tricked into clicking (CSS hacking!)
  • Look and function exactly the same in all browsers

Well, the stuff I listed up there involves some of the most annoying aspects of programming in JavaScript (believe me). AJAX, Event handling, DOM manipulation, and CSS pretty much sum up the four pillars of “the most inconsistent things in JavaScript.” Thanks to IE, these tasks are a pain in the ass, when they really shouldn’t be.

Microsoft has to ensure their ads appear in all browsers, especially Firefox (#2 browser). You can’t sell your services to advertisers if it’s known that your ads break, and possibly misfire, when the wrong browser hits it. That means they’re forced to use a standards compliant implementation to do their ads.

This, of course, means they’re taking their own medicine and finding out what a horrible pain it is to support Firefox 1.5, Firefox 2.0, IE5, IE6, IE7, Opera, Safari, etc. It’s mostly a pain because of IE and its inconsistent and buggy support for the established JavaScript and CSS standards.

Maybe this is why they appear to be supporting some standards in IE7. Or, maybe they’re just building in the ones they use. Either way, this explains a lot. :P

Today, I Converted My JavaScript Allegiance to MooTools

As none of you probably realize (I mean, who even reads my JavaScript posts), I am an avid fan of JavaScript. I think it’s an awesome language that is very underestimated. Even Joel likes it. Anyway, one of the big problems with JavaScript is its inconsistencies between browsers. The first popular pioneer into cross browser scripting was Prototype, an open source library full of tons of useful functions and enhancements to the JavaScript language. It was quickly followed up by an extremely popular open source effects library called Scriptaculous. I was never a fan of Scriptaculous because of its bloat, but I have remained a steadfast supporter of Prototype.

That is, until yesterday.

Yesterday, I discovered MooTools, an amazing open source library that has all of Prototype and Scriptaculous’ functionality, and then some. After thoroughly examining its features, size, ease of use, and extensibility, I have concluded it is my new JavaScript library of choice. Some of the highlights include:

  • A relatively similar naming scheme as Prototype, making porting a simple process for most scripts.
  • Functionality that matches all of Prototype’s core methods, including AJAX functionality, DOM manipulation, and browser compatibility fixes.
  • Really easy animation effects that give you an amazing amount of control (see below).
  • Very active developers (they actually respond to questions within a day!)
  • The compressed download is only 40kb (which is the one you’d be using).

I highly encourage web developers to check it out. There was a recent article on Slashdot that discussed some of the big libraries out there, but it completely omitted MooTools. Well, I have been looking for a few months now for a library to use for our application at work. I examined Scriptaculous, Yahoo UI, Dojo, jQuery, Open Rico, Mochikit, and various other small ones I came across. I stumbled for hours just looking for JavaScript libraries. At one time or another, I wrote something relatively advanced with each of these frameworks in an attempt to see how well the advanced functionality was designed.

  • Scriptaculous suffers from insane bloat and heavy reliance on Prototype, a completely separate project — this problem was highlighted when a recent fix in Prototype broke Scriptaculous unless you switched to their unfinished beta release. This is unacceptable.
  • Yahoo UI tends to require more lines of code to do the same things in other libraries. It is trying to do “everything at once.” It is also very bloated because it fragments itself across many files.
  • Dojo is just huge (150kb, compressed). That’s a negative.
  • jQuery is too fragmented, which actually hurts it in my eyes (others see it as really “customizable”) – it has way too many plugins that you can’t depend on since the developers working on them aren’t affiliated to the jQuery project. If you do too much advanced stuff, it can end up like Yahoo UI, except the fragments you are relying on are made by 40 different people, none of whom have any reason to help you.
  • Open Rico is awesome for simplifying AJAX, but fails in the visual effects department due to over simplification of the process and requiring too many changes to the HTML (see their accordion example). It is, however, a great introduction for AJAX developers, in my opinion.
  • Mochikit had a (barely) tolerable size (113kb, compressed), but I despise their coding standards (just look at their code sample variable names!) and I wasn’t happy about the complexity of using their library. It is not very beginner friendly, in my opinion. This is a deal breaker since I can’t ensure future maintainers of my code will be JavaScript experts.

The decision was clear: MooTools owned the rest.

On ease of use, it was the top due to its consistent naming conventions and predictable function behavior. Their methods all support “chaining”, which allows you to compress several complex lines of code into one easier-to-read line.

What impressed me most for its ease of use was its animation methods. Take this simple snippet:

new Fx.Style($('some-element'), 'margin-left', {
  duration: 400,
  wait: false
}).start(0, 100);

What’s that do? It takes the element called “some-element” and slides it 100 pixels to the right by changing the margin-left CSS property from 0 to 100 over a 400ms span. This might seem complicated to complete JavaScript beginners, but believe me when I say JavaScript animation literally doesn’t get simpler than this. I have shown you an extremely simple example, but with only another line or two, you can do stuff like this. Here’s an example of making something transparent:

new Fx.Style('popup-message', 'opacity').start(1,0);

Change the “0” to a “0.5” and the popup message only goes half way invisible before stopping. They’ve done an exceptional job keeping it relatively simple while still giving you full control over the effects (you can apply transitional algorithms too).

On AJAX, I was also impressed because they managed to keep it very simple, yet give you control of the process. For example, check out this amazingly simple AJAX code:

<form id="myForm" action="submit.php">
<input value="bob@bob.com" name="email">
<input value="90210" name="zip">
</form>
<script>
$('myForm').send();
</script>

That sends an AJAX request to submit.php. Of course, you could customize this and add in callbacks and cool loading images, but just the fact that you can do the entire AJAX request in one line like that is impressive.

They also have a ton of demos (my favorite one). Again, if you are considering a library for AJAX and visual effects, MooTools is by far the best one I have encountered.

Note: If you are looking for a library for only AJAX and not visual effects, MooTools can be downloaded in pieces, so it can fit your needs there as well. It also means later, if you change your mind, you can always download the visual libraries and not have to worry about compatibility issues.

Random Picture: America vs Canada