styshop.com and fly6688.com SUCK
May 14, 2008
Update May 15: Thanks to udim who references an arstechnica article:
“Gmail is susceptible to a man-in-the-middle attack that allows a spammer to send thousands of bulk e-mails through Google’s SMTP service without fear of detection. This attack bypasses both Google’s identity fraud protection mechanisms and the current 500-address limit on bulk e-mail. “
The original article points out: “As of 3:00 PM today 5/12/2008, the flaw we have reported remains unpatched and exploitable. We have run a new experiment where we were able to use our attack to send 2,000 messages using one Gmail account.
We would like to clarify to the security community that we have contacted Google about the issue more than a week ago and no response was provided despite our clear intent of cooperation regarding this matter.”
———
styshop.com and fly6688.com are scams. Both somehow hijacked my gmail account, but Gmail removes the sender’s origin IP, which makes tracking the breach difficult.
Sorry guys. All my gmail contacts just got spammed again, courtesy of something calling itself styshop.com. It’s the same thing that happened January 1, but that time the company was using fly6688.com. They’re the same vile organization, and I still don’t know how they perpetrate their crimes.
In both cases the message actually was sent via my gmail account. Not a forged header, but really sent via my account. That means that either
1. the jerks have a trojan app running on one of my machines, or
2. the jerks have hacked into my gmail account.
I’m guessing it’s (2) because (I think) the only machine on the network with gmail credentials is a new laptop. But then (1) is also a candidate since I’ve changed my password since the last bomb.
But I can’t tell, because gmail strips off the sender’s origin IP. Boo, gmail.
GMAIL SHOULDN’T STRIP OFF SENDER’S ORIGIN IP.
Received: by 10.70.78.7 with HTTP; Wed, 14 May 2008 09:58:15 -0700 (PDT)
Message-ID:
Date: Thu, 15 May 2008 00:58:15 +0800
From: "Israel LHeureux"
Reply-To: israel@g-edited-mail.com
To: xxxx@teleflip.com, xxxxx@tmomail.net, xxxxx@messaging.sprintpcs.com, xxxxx@sprintpaging.com, "xxxxx@mms.mycingular.com"
Yahoo includes “Received: from IP”
This makes it easy to see where the message originated. Yea! yahoo!
From Bessie Wilkes Mon Jan 18 19:14:07 2038
Return-Path:
Authentication-Results: mta293.mail.mud.yahoo.com from=yahoo.com; domainkeys=neutral (no sig)
Received: from 58.121.1.29 (HELO mta293.mail.mud.yahoo.com) (58.121.1.29) by mta293.mail.mud.yahoo.com with SMTP; Mon, 21 Apr 2008 02:43:31 -0700
Received: from 156.4.20.60 by ; Mon, 21 Apr 2008 06:34:04 -0300
Message-ID:
From: "Bessie Wilkes"
Reply-To: "Bessie Wilkes"
To: isl4fal@yahoo.com
Subject: Top high-quality meds- Cialis,Viagra Online
Date: Tue, 19 Jan 38 03:14:07 GMT
With Yahoo mail, I can see the sender’s origin IP (58.121.1.29) and use whois to trace that IP back to Hanaro Telecom in Seoul, Korea.
With Gmail, I see that mail was originated…by HTTP.
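A small parser, added here as an example and not part of the original post, that walks the Received: lines of the two headers quoted above (re-typed as constructed samples with dummy addresses, keeping the post’s Received: values) from the newest hop down and reports whether the first hop carries a client IP: Yahoo’s does, Gmail’s webmail hop says only “with HTTP”.

```python
import re
from typing import Dict, List, Optional

# Constructed samples mirroring the two headers quoted in the post; the
# addresses are dummies, the Received: lines keep the post's values.
GMAIL_HEADERS = """\
Received: by 10.70.78.7 with HTTP; Wed, 14 May 2008 09:58:15 -0700 (PDT)
Message-ID: <constructed-1@example.com>
Date: Thu, 15 May 2008 00:58:15 +0800
From: "Israel LHeureux" <israel@example.com>
To: someone@example.net
"""

YAHOO_HEADERS = """\
Received: from 58.121.1.29 (HELO mta293.mail.mud.yahoo.com) (58.121.1.29)
  by mta293.mail.mud.yahoo.com with SMTP; Mon, 21 Apr 2008 02:43:31 -0700
Received: from 156.4.20.60 by ; Mon, 21 Apr 2008 06:34:04 -0300
Message-ID: <constructed-2@example.org>
From: "Bessie Wilkes" <bessie@example.org>
To: someone@example.net
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def unfold(headers: str) -> List[str]:
    """Join folded continuation lines (leading whitespace) onto their header."""
    lines: List[str] = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def received_hops(headers: str) -> List[Dict[str, Optional[str]]]:
    """One dict per Received: line, in header order (newest hop first)."""
    hops: List[Dict[str, Optional[str]]] = []
    for line in unfold(headers):
        if not line.lower().startswith("received:"):
            continue
        body = line[len("Received:"):].strip()
        # Text before ' by ' describes the sending side of this hop; a hop
        # that starts with 'by' (Gmail's webmail submission) has no sender.
        sender_part, _, rest = (" " + body).partition(" by ")
        ip = IPV4_RE.search(sender_part)
        with_ = re.search(r"\bwith\s+(\S+)", rest)
        by = rest.split(None, 1)[0].rstrip(";") if rest else ""
        hops.append({
            "from_ip": ip.group(1) if ip else None,
            "by": by or None,
            "with": with_.group(1).rstrip(";") if with_ else None,
        })
    return hops


def origin_ip(headers: str) -> Optional[str]:
    """IP that handed the message to the provider, or None if that hop was a
    webmail ('with HTTP') submission carrying no client address.

    Only the newest Received: line is used: it was written by the provider's
    own server, while lines beneath it arrived with the message and could
    have been written by the sender.
    """
    hops = received_hops(headers)
    return hops[0]["from_ip"] if hops else None
```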
k thx bye.
Change my password again. Look for trojans again. I just wish gmail would give me satisfaction.
In the spirit of Derek Trotter (411Eater) I’ve also contacted the gentlemen at the site “tomtom” sty.shop@hotmail.com. He’s currently helping me with a DVD player, but I suspect the transaction won’t actually go through.
Hey jerks, knock it off:
styshop.com is registered by wei li (cpylyl@hotmail.com). No address.
fly6688.com is registered by wang le (wangle@126.net) +299.1087625690 West Century Boulevard Inglewood, CA 16783 Los Angeles, MI 85052-8119
forestdj168.com is registered by wang tao (wangtao@hotmail.com) +1.12017752711 washington, WA 07322
Last post before…
April 28, 2008
Coming up for air here just to let everyone know how excited I am about our progress. We’re getting ready to bust out some amazing action.
Our first beta products demonstrated our scalable database technology. Next we showed off a two week implementation of twitter–on the same distributed db platform with built-in scaling. (BTW, I do hope the Twitter folks can fix their site soon. Rip out the guts and start over with a good architecture. We have an existence proof that approach works.)
But now it’s getting really, really exciting, because we’re about to show off our platform as it was initially conceived.
Getting our progress on
The architecture and design discussions from 2 years ago are still crystal clear in my head, as are the struggles we had with packaging the technology. “How can we do this in a way that isn’t too complicated? How can it be easy and make sense for users?”
Along the way, we’ve seen other efforts to attack this monster; none with success. This is a beast. From our position, their shortcomings (and ours) were apparent, and we knew we weren’t ready to win.
Even a year ago, we still were unsure exactly how to package, or productize our technology, so we experimented in some other areas to gain experience.
That experience (and our own knocks) has certainly paid off, because now we are finding a way to package, to productize our initial ideas. And I’m super excited because this time feels different. It feels like it will work.
We learned our lesson about over-featurizing, for sure, so our plan is to start with a modest release.
It’s been another wonderfully productive day, so it’s time to hit the sack.
Cheers!
dropping science dropping it all over
March 25, 2008
As they say, March is a funny old month, isn’t it? Everything is changing, renewing and starting afresh. Before we embarked on the Great Simplification Makeover in our feature-laden reader, we decided to take a quick detour and see what we could learn in the name of science, exploration and discovery.
Like bumping around the town like when you’re driving a range rover
Q: Can we disaggregate our features and have them stand on their own?
Our first stop was messaging. We have wonderful messaging components built into our architecture. We had previously asked if there was any interest in us making a twitter-proxy and the post garnered quite a bit of interest. But somehow a direct clone didn’t seem interesting enough to pursue. How would you grow the user base?
Ben franklin with the kite getting over with the key
Then opensocial came along and we raised our eyebrows. There was much fear and trembling that myspace OS apps would be just useless widgets. But, do they have to be? We decided that it would be fun to learn the OpenSocial API and see if we could adapt part of our core to make a useful OpenSocial messaging app, a la twitter.
Rock well to tell dispel all of the old fables
Twitter’s bare-bones app seems to be successful enough, so we tried to de-featurize our app as much as possible. Although, since we DO allow inline pics, and any-type-of-file attachments up to 7MB, and public or private messages, I guess it’s more pownce than twitter.
The hard part was not exposing the Assetbar native features such as comment threading, search, view counts, “messages new to me”, more robust ACLs, etc. Sigh. But score a win for keeping with our goal to make something really, really simple. We threw those advanced features on the ground and curb stomped ‘em.
…and kicking the new knowledge
A: In about 15 man days of developing, including dealing with myspace’s OpenSocial container (which, ahem, could be better), we disaggregated an Assetbar feature and made it a standalone app. I’m pretty proud of that. We didn’t just make a “cute puppy of the day” widget either, but we still made it quickly. And we learned a ton.
The power of OpenSocial, or rather of NOT being a destination site, is that i-chitchat users should be able to find and message their friends no matter WHAT social network they’re on, with no distinct i-chitchat login. Grab your old myspace credentials and hit up myspace.com/ichitchat to take a look.
It will be interesting to see what it actually takes to make it run on bebo | hi5 | Orkut and soon Yahoo. Heck, with a little FBML, I suppose it could be on facebook, too. No separate login, just some casual group TXT with attachments, and maybe more.
Ponce de leon constantly on,
The fountain of youth not robotron
So hooray to OpenSocial and myspace.
This was a fun break that should ultimately benefit our reader… There’s already something very cool crystallizing.
tinker...tinker...tinker
updatin’
February 24, 2008
What I am doing now
February 22, 2008

Found this cartoon in a mostly uninteresting New Yorker article on Google. And while it’s not surprising, I did learn that Google has rallied some big name talent to their washington dc team:
By the end of 2007, Google’s overriding concern was that it avoid comparisons to the Microsoft of 2000. “No question that people here regularly discuss Microsoft’s experience and use that as a cautionary tale,” Schrage says.
The modest one-man operation in Washington has expanded considerably and now includes about thirty people, among them Robert Boorstin, a former speechwriter for President Clinton; Johanna Shelton, a former senior counsel to Representative John Dingell, chairman of the House Energy and Commerce Committee; and Pablo Chavez, a former chief counsel to John McCain.
In October, 2006, the company established its own PAC, called NETPAC, and since then it has hired three outside firms to lobby on its behalf: the mostly Democratic Podesta Group; King & Spalding, where Google works with former Senators Connie Mack and Dan Coats, both Republicans; and Brownstein Hyatt Farber Schreck, which hired Makan Delrahim, the former Deputy Assistant Attorney General in the Bush Justice Department’s Antitrust Division.
See us at the Plugg Conference in Belgium
February 21, 2008
OK, folks. Especially if you’re reading this from Europe, it’s time to register for the Plugg conference!
March 19, 2008 | Le Plaza, Brussels
We’ve been accepted as one of the startups who will get a chance to pitch the audience and see if they want to hear more.
Plugg is a one-day Web 2.0-type conference for companies who have ties to Europe. There are speakers, of course, but the coolest angle is that 20 startups will get to pitch the audience for 2 minutes. The audience will then select three winners who each get 10 minutes to show off their sauce.
Fast, exciting. Should be fun, too.
How do we pitch assetbar in 2 minutes? How will we do it on March 19th? Register and see!
Cheers,
-Israel
What is plugg?
Plugg is a grassroots conference organized by social media consultant and allround web enthusiast Robin Wauters. Next to his consulting activities, Robin blogs in English on Web.2point0.be, TheNextWeb.org and MarketingBlog.eu, and used to edit blognation Belgium & Luxembourg before the project broke down. He also blogs in Dutch on T-Zine, Belgian quality newspaper De Tijd’s technology & multimedia blog. Robin also organizes the monthly OpenCoffee Club Brussels meetups.
Learn more about plugg here.
Lots to learn
February 14, 2008
Simplify.
No special Valentine’s Day image here folks–we need to simplify.
Duh, I know it’s best to start with feature A, and forget B, C, and D. But I’m a feature junkie and I suck at staying simple. I always blurt out “If we can do A and B, then why not add C and D too? ” After all, it’s just software.
But alas, I need to re-learn the simplicity rule to make Assetbar a better experience for users.
In his first review of Assetbar, Marshall Kirkpatrick over at RWW says:
As for the RSS reader, it’s cool in its formative stages. Scalability, sharing, time sensitive metadata, super simple reviews and off-site integration with my feed reader are all part of my “dream come true feed reader” vision.
Hey, that’s great! I was really hoping that a professional feed junkie like Marshall would appreciate the features.
BUT, we need “a major UI overhaul”. Or more damningly: “I’m not about to use Assetbar in its current state but the concepts here are fascinating.”
The thing is, I actually agree with Marshall. I agree 100%.
In fact, Louis Gray has been rooting for a UI overhaul since we first showed it to him, and last night I let him know that we are starting on that.
The surprise in our pre-release isn’t our over-complicated-by-Israel UI, it’s that our SQL-free, single-stack architecture and scaling design is working like a champ. Despite a few niggles, it’s outperforming my best expectations. We’re adding tens of thousands of assets every few hours, all personally searchable and with an unprecedented amount of metadata on each. All on surprisingly few servers. Go DBfilesystems!
So the bottom line is that we are really excited to improve the Assetbar UI so it’s simpler and easier. And kill all the JS cruft that makes rendering slow. Our team can make that happen, if I get out of the way and don’t screw it up.
Thanks for the critiques, folks–we have our marching orders.
And I still have lots to learn.
-Israel
Twitter-proxy: Any Interest?
February 8, 2008
The stories of twitter going down frequently don’t need repeating here. Instead, I want to ask the community if there is any interest in addressing the problem.
As many are aware, Twitter’s problem with scaling is not RoR, it’s not Joyent NTT, or … Twitter’s scaling problem is exactly the same thing that makes it valuable: their database of users. And getting a traditional SQL /Relational DB to scale horizontally is pretty tough. Sharding works for some apps but not others.
It so happens that our new distributed database technology is rather well suited for twitter-style high-volume reliable messaging. If there is sufficient community interest we could help solve downtime by putting together a “twitter-proxy” that keeps twitter users on twitter, but provides an additional layer of data accessibility in the ecosystem. Not compete, just help keep users happy.
Consider the messaging problem:
Nothing is as easy as it looks. When Robert Scoble writes a simple “I’m hanging out with…” message, Twitter has about two choices of how they can dispatch that message:
1. PUSH the message to the queues of each of his 6,864 followers, or
2. Wait for the 6,864 followers to log in, then PULL the message.
The trouble with #2 is that people like Robert also follow 6,800 people. And it’s unacceptable for him to login and then have to wait for the system to open records on 6,800 people (across multiple db shards), then sort the records by date and finally render the data. Users would be hating on the HUGE latency.
So, the twitter model is almost certainly #1. Robert’s message is copied (or pre-fetched) to 6,864 users, so when those users open their page/client, Scoble’s message is right there, waiting for them. The users are loving the speed, but Twitter is hating on the writes. All of the writes.
How many writes?
A 6000X multiplication factor:
Do you see a scaling problem with this scenario?
Scoble writes something–boom–6,800 writes are kicked off. 1 for each follower.
Michael Arrington replies–boom–another 6,600 writes.
Jason Calacanis jumps in –boom–another 6,500 writes.
Beyond the 19,900 writes, there’s a lot of additional overhead too. You have to hit a DB to figure out who the 19,900 followers are. Read, read, read. Then possibly hit another DB to find out which shard they live on. Read, read, read. Then you make a connection and write to that DB host, and on success, go back and mark the update as successful. Depending on the details of their messaging system, all the overhead of lookup and accounting could be an even bigger task than the 19,900 reads + 19,900 writes. Do you even want to think about the replication issues (multiply by 2 or 3)? Watch out for locking, too.
And here’s the kicker: that giant processing & delivery effort–possibly a combined 100K disk IOs– was caused by 3 users, each just sending one, tiny, 140 char message. How innocent it all seemed.
Now, are there any questions why twitter goes down when there’s any kind of event?

This is where we (potentially) come into the picture: we’ve spent the last 2 years developing a web architecture built on our horizontally scalable distributed database, and this kind of [lookup | message passing | writing] is what it eats for breakfast. We haven’t had any twitter-sized days, but we are seeing the architecture scale as designed.
You know how Yahoo News or Google News or NYTimes or CNN shows everybody the same stories, and after you read them, the front page is boring? It’s a big database problem–you have to keep track of what every user has read, and SQL falls short. Our system is designed to scale horizontally so it can keep track of what hundreds of millions of individuals have read, and then show users the [highest rated | most viewed | etc.] stories that are new to them. But since we don’t have a deal with any news guys yet, we’re building out the most database-intensive feed reader on the planet. It has plenty of nifty features not found in Google Reader, Bloglines, etc. But that’s an aside.
The Idea: twitter-proxy for the people
Addressing Twitter’s downtime could be pretty straightforward. It could work much like a (pseudo-reverse) proxy:
- You enter your twitter credentials on the proxy site
- You can post your tweets to the proxy. If twitter is up, we’ll post there, too.
- We’ll get your friend list and GET and store their tweets in our db.
When twitter is up and fully functional, twitter-proxy contains a mirror of all the tweets from each of the twitter-proxy registered members, and the people they follow.
When twitter is down, you can still post a tweet to twitter-proxy. That message will immediately be available to anyone who is in our system. (How are they in the proxy system? Either they registered directly, or they are being followed BY someone who registered, so we automatically grabbed their status updates.)
Ground rules:
- You should be able to access this system with nothing more than your existing twitter credentials. No separate login.
- We would expose a twitter-compatible API so outside clients would “just work”. (e.g. change the /etc/hosts file to resolve twitter.com to another IP)
Twitter is the new mail
Because twitter has done such a great job with their API, the net effect of a twitter-proxy is that you could still send and receive your twitter messages, directly from twitter, or via twitter-proxy. If your friends are sending SMS messages to twitter, they would still end up at twitter-proxy.
The win is that when twitter goes down, there is another component of the ecosystem that can be alive and healthy. Messages sent via the twitter-proxy system would get to every user on the proxy system. (again, either registered directly, or was followed by someone who did register.) And twitter users stay twitter users. No one is split off to different, competing platforms.
We don’t have any experience with a SMS->HTTP gateway, so if twitter is down, the only way to get messages to and from your friends via the proxy is HTTP. That means a web page or web client. But hey, use your iphone if you’re out and about.
Moreover, we should be able to support fast Search, and the RSS/Atom feeds of people’s tweets would be available in real time, too. Built into the system could be other niceties such as “how many people viewed this tweet” and top-read tweets (+ that are new to you.) It’s up to your imagination.
Caveats
First of all, we won’t embark on any twitter-proxy system if the twitter folks aren’t cool with it. We would need their OK, first.
Second, enough of you–twitter diehards–need to tell us you want such a system. From where we’re at, it shouldn’t take long to build it, if there’s enough demand.
If you want it–let us know, loudly.
Thanks for reading.
-Israel
They Still Put Cocaine In Breakfast Cereal
February 7, 2008
You know you like the Google Reader’s river view and J-Key. So yeah, we got that now for Safari and FF. Pour another bowl of cereal and keep reading.
Like the great engineers over at Google Reader, we’ve decided to pre-fetch some assets off screen, and mark them read only when they become visible in your browser. A good idea and really good for speed.
OH, do you see our handy new feature? Instead of a slightly-untruthful “Mark all as read” button, we’re providing a very honest, very flexible “Skip older than…” button. You choose the dates of what you want to skip, and you can alter the dates any time you change your mind. See this reputable 3rd party graphic for more details:
Y’all got WINGS?**
OF course there’s more. We mentioned our keyboard shortcuts, but we didn’t show you the FLAVA , namely that you can rate and skip to the next asset with one click. Rating what you consume is good for the people.
Think of [j] [k] [l] as 1 star, 2 stars and 3 stars. Give a little feedback right at the moment of consumption and you’ll be thankful for years to come. And others will thank you, too. In addition, [;] shares an asset and [h] jumps back to the previous asset. For our German keyboard using friends who have the ö key in the same location as the US keyboard’s semicolon, you can use [ö] for sharing too. (Internationalization win.)
Can you fine Gentlemen tell us about the other new features?

Yes there are additional great features in this release. Features so sweet that Flava Flav + Morris Day are going to have some words with you about that in an upcoming post.
Until then, ride the river and read 10 times as fast.
-Israel
** Question: When was the last time your search term only returned one result in the Google? This one rocks it with and without the apostrophe.
Update: Now that this post is in the Google, you’ll need to search without the apostrophe to only get 1 hit.
From 0 to 100,000
January 29, 2008
There are plenty of blog posts in the world.
In the first 5 hours, with just a handful of intrepid pre-release users and QA testers, we added 100,000 assets to the system.
That’s quite a bit for the first few hours, but we’re still small potatoes: Paul Querna commented that Bloglines gets 5-7M new posts every 24 hours, or about 10-15X our current rate. Still, it’s encouraging to see that the basic architecture is working well, and I’ll gently forecast that…no, on second thought, I’ll keep my mouth shut and get some work done.
Do you have what plants crave?
Right now we’re working to speed up Javascripts, and lower the CPU and latency in validating feeds.
Bug update: We had some problematic issues with some posts that were published in a blog, then shared on Google Reader, then published with Feedburner. We weren’t figuring out the original, original source correctly. We try to avoid multiple copies of the same asset, even if it is published via multiple sources. Duplicates are boring to users, they screw up asset stats, and waste disk space. Still, if you syndicate your content through too many services which subtly change the content we might not be able to de-dupe it properly. But now WE won’t see logfile errors and now YOU can have the feed validators running again. And they’ll be faster.
Happy viewing.
This post brought to you by:
2001 Kientzler Riesling (Geisberg) Alsace Grand Cru
I think Kientzler’s got electrolytes. It’s got what plants crave.