Pebble Watch

So I ordered a Pebble watch back in April, right before their Kickstarter really started blowing up.1 And as far as I can tell, that was a terrible idea.

First, ship dates.

Estimated delivery: Sep 2012

Yeah. That was a joke. Now ok, demand was much higher than they anticipated. So yes, it’ll take longer to get everything ramped up.

But here’s the problem. That wasn’t the issue. They completely missed their ship date even if there were only 5% of the orders.

HACKER SPECIAL […] Estimated delivery: Aug 2012

Yeah. The SDK wasn’t nearly done by August. This isn’t affected by the amount of orders. This is software. You write it once for everything.

And looking at the examples of the software, it looks like the UI of something Palm made back in the early 2000s.

The demo video on Kickstarter shows a smooth working product, but with every update, there’s just more and more evidence that everything in that video was just made up.

Second. What it can do.

Out of the box? Pretty much nothing. Use it for cycling or running? Nope. Nothing out yet. The golf picture on the Kickstarter page? Nope. Nothing.

What can you do? Change the watch face. Change songs. Notifications. And umm, that’s it.

Third. PR/Marketing.

With all that money, they really should’ve hired someone for PR.

Tilt your wrist and the backlight turns on. AMAZING FEATURE!1!!!1 Yeah, my $20 Casio does that.

Only watch to display fuzzy time. EVER! Yeah, no.

Fourth. iPhone support.

Here’s the deal. iOS is locked down. That’s pretty well known. There’s not much that can really be done until Apple changes their policy.

But don’t sell me something knowing that it doesn’t work.

Receive important notifications

They actually got lucky on this one. iOS 6 added the Bluetooth notification protocol (MAP). Using it in my car, it’s kinda hit or miss. I get text messages, but that’s it. Push notifications, email 2, and new voicemails don’t get alerted.

But when it was announced, iOS 6 wasn’t announced, including any new features it brought, so notifications on iPhone weren’t happening. 3

Their response? Oh, it’s for Android, except the whole promo video revolved around the iPhone. They are the more likely ones to buy these things. 4

1. Around 3-4000th backer.
2. At least on exchange. Supposedly works with IMAP, but would much rather have push email than fetch.
3. But mister James, mister James, there’s an API for the watch! All the developers have to do is… Nope. Developers around the world are going to modify/rewrite all their apps to support a watch, of which 100k total exist? No. Sure, some will, but the vast majority will not.
4. Not that Android users are cheap or anything, but I’m pretty sure iPhone users have a much greater tendency to buy useless tech stuff.

You’re In My Server, Looking At My Plugins

Apparently, people realized that if they have their folders indexable, they could be indexed. OMG! And that you can view your plugins directory via Google. Holy crap!

First off, their Google dork isn’t even right. Index of /wp-content/plugins should clearly be intitle:"Index of /wp-content/plugins" or else I’ll get yours and this shitty post in the results.

But that’s not even that good. It only applies to people with their blog hosted in the root directory. If you have it in the blog/ directory, you don’t get hit.

So now, the query should be intitle:"Index of"+intitle:"/wp-content/plugins". This returns about 50k more results.

But what about the usefulness of this?

Let’s say there is a vulnerability in the “Share This” plugin.

We can try the directory way that’s supposedly so vulnerable. intitle:"Index of /wp-content/plugins" share-this.php 40 hits

Or a better method. We know that the plugin adds a link called “Share This” to every post. Don’t believe me? Scroll down a bit and you’ll see it. So we can search for “Share This” on pages that also contain the word wordpress, since that’s usually in the footer, and exclude pages that use the word plugin, or that have wordpress or Share This in the title, since those are probably talking about the plugin itself. wordpress+"Share This" -plugin -intitle:"wordpress" -intitle:"Share This" 3.3 million hits.

Sure, there will be false positives, but there’s a much greater chance of having a much bigger impact. Who cares about the false positives? If it doesn’t work, it doesn’t work. Just move on. You could start it at night and have tried all the sites before even waking up, well, maybe, probably not, but you’ll have a lot more than 40.

I’m thinking the severity of the whole directory being exposed is a little dramatic. Yeah, it’s probably better if it wasn’t indexed, but it’s not killing anyone. Now, if you have a password in there, that’s a different case.

In fact, here is my plugin directory. (I have indexes off by default, mainly because netfirms doesn’t use Apache’s indexing thing)

% ls -lA wp-content/plugins
total 1400
drwxr-xr-x  2 2701791  552     512 May  8 18:41 404-notifier
-rw-r--r--  1 2701791  552    4667 May  8 18:41 404-notifier.tar.gz
drwxr-xr-x  3 2701791  552     512 May  7 22:18 PostToTwitter
-rw-r--r--  1 2701791  552    2134 May  7 22:16 PostToTwitter.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:03 akismet
drwxr-xr-x  2 2701791  552     512 May  8 18:41 comment-relish
-rw-r--r--  1 2701791  552    3536 May  8 18:35 comment-relish.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:18 easy-auctionads
-rw-r--r--  1 2701791  552    7542 May  7 22:16 easy-auctionads.tar.gz
-rw-r--r--  1 2701791  552   54904 Apr 21 15:20 goog.tar.gz
drwxr-xr-x  2 2701791  552    1024 Apr 21 16:20 google-sitemap-generator
drwxr-xr-x  5 2701791  552     512 Apr 21 16:49 gregarious
-rw-r--r--  1 2701791  552  109199 Apr 21 15:49 gregarious.tar.gz
-rwxr-xr-x  1 2701791  552    2025 Oct 25  2006 hello.php
-rw-r--r--  1 2701791  552    5152 Nov 16  2006 ol_feedburner.php
-rw-r--r--  1 2701791  552    1861 Jul 24  2006 sem-unfancy-quote.php
drwxr-xr-x  2 2701791  552     512 May  8 18:40 share-this
-rw-r--r--  1 2701791  552   14032 May  8 18:35 share-this.tar.gz
drwxr-xr-x  2 2701791  552     512 May  7 22:17 stats
-rw-r--r--  1 2701791  552    5213 May  7 22:16 stats.tar.gz
drwxr-xr-x  3 2701791  552     512 May  8 18:41 subscribe-to-comments
-rw-r--r--  1 2701791  552   16017 May  8 18:36 subscribe-to-comments.tar.gz
drwxr-xr-x  2 2701791  552     512 May  8 18:40 twitter-tools
-rw-r--r--  1 2701791  552   17148 May  8 18:36 twitter-tools.tar.gz
drwxr-xr-x  4 2701791  552     512 Apr 21 21:47 widgets
-rw-r--r--  1 2701791  552   26579 Apr 21 20:48 widgets.tar.gz
drwxr-xr-x  2 2701791  552     512 Apr 21 16:20 wp-cache
-rw-r--r--  1 2701791  552   47104 Apr 21 15:21 wp-cache.tar
-rw-r--r--  1 2701791  552   31091 Jul 26  2006 wp-db-backup.php
drwxr-xr-x  4 2701791  552     512 Apr 25 12:54 wp-syntax
-rw-r--r--  1 2701791  552  309747 Apr 25 12:56 wp-syntax.tar.gz

Yes, I download the zips then convert them to tarballs, that’s why all of my widgets are available in both formats.

But it also raises another question, how many of those do I have enabled?

404Notifier? No. PostToTwitter? No. akismet? Yes. Comment-relish? No. Easy-auctionads? Hell no. Google Sitemaps? Yes. Gregarious? No. Hello Dolly? Fuck no. Feedburner? Yes. Unfancy quote? Hell yes. Share this? Yup. Stats? Yes. Twitter tools? I had to check, but yes apparently. WP Cache? Yes, WordPress is too slow without it. DB Backup? Yup. WP Syntax? Yes, I likes me fancy highlighting.

10 out of 16 enabled. Does it mean that they can’t be exploited without being enabled? Not necessarily, but to an extent, yes. A plugin file requested directly, outside the WordPress bootstrap, should die with a fatal error at its first add_action() call, because that function only exists once WordPress has loaded. The exception is a plugin that executes other PHP code or includes other files from user input before it ever reaches add_action, which it shouldn’t be doing in the first place. include($_GET['file']); comes to mind.
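As an added example (my own script, not code from the original post and not anything WordPress ships), here is a Python version of the two checks above: parsing an indexed plugins directory the way the intitle:"Index of" dork finds it, whether the blog lives at / or in /blog/, and sorting the listed plugins into ones that are demonstrably enabled versus merely present. It assumes the common case that an active plugin enqueues its own CSS or JS from /wp-content/plugins/<slug>/, so the slug shows up in the rendered page even with indexing off; the sample listing and sample page are constructed for the example, not fetched from any site.

```python
import re
from html.parser import HTMLParser

# Constructed sample of an Apache "Index of" listing, modelled on the plugin
# directory shown above (blog installed under /blog/, indexes on). Not a real site.
SAMPLE_INDEX = """<html><head><title>Index of /blog/wp-content/plugins</title></head>
<body><h1>Index of /blog/wp-content/plugins</h1>
<a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<a href="/blog/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello.php">hello.php</a>
<a href="share-this/">share-this/</a>
<a href="share-this.tar.gz">share-this.tar.gz</a>
<a href="wp-syntax/">wp-syntax/</a>
</body></html>"""

# Constructed sample front page: two active plugins enqueue their own assets,
# and the "Share This" link the dork above keys on is in the body. Not a real site.
SAMPLE_PAGE = """<html><head><title>Some blog</title>
<link rel="stylesheet" href="http://blog.example/blog/wp-content/plugins/wp-syntax/css/wp-syntax.css" />
<script src="http://blog.example/blog/wp-content/plugins/share-this/share-this.js?ver=1.0"></script>
</head><body><p>a post</p><a href="#">Share This</a><p>Powered by WordPress</p></body></html>"""

# Title of an auto-generated listing; the lazy \S*? absorbs any prefix such as /blog
INDEX_TITLE = re.compile(r"<title>\s*Index of\s+\S*?/wp-content/plugins/?\s*</title>", re.I)
# Any asset URL under the plugins directory leaks the plugin's directory name ("slug")
PLUGIN_ASSET = re.compile(r"/wp-content/plugins/([A-Za-z0-9_.-]+)/")


class _Links(HTMLParser):
    """Collect every <a href=...> value from a page."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def is_plugins_index(html):
    """True if the page is an 'Index of .../wp-content/plugins' listing, for a blog
    at the web root or in a subdirectory (the intitle:"Index of"+intitle:"/wp-content/plugins" case)."""
    return INDEX_TITLE.search(html) is not None


def plugins_from_index(html):
    """Plugin slugs visible in a directory listing: subdirectories plus top-level .php
    files (single-file plugins like hello.php). Sort links, the parent link and the
    tarballs are skipped. This says nothing about whether a plugin is activated."""
    if not is_plugins_index(html):
        return set()
    parser = _Links()
    parser.feed(html)
    slugs = set()
    for href in parser.hrefs:
        if href.startswith(("?", "/", "http:", "https:")):
            continue  # column-sort links, Parent Directory, absolute URLs
        if href.endswith("/") and href.count("/") == 1:
            slugs.add(href[:-1])
        elif href.endswith(".php") and "/" not in href:
            slugs.add(href[:-4])
    return slugs


def plugins_from_page(html):
    """Plugin slugs referenced by CSS/JS/image URLs in a rendered page. Only an
    activated plugin gets to enqueue assets, so this is evidence the plugin is
    enabled, and it works even when directory indexing is off."""
    return set(PLUGIN_ASSET.findall(html))


def triage(index_html, page_html):
    """Split the listing into confirmed-active slugs (also seen in the page),
    present-but-unknown slugs, and slugs the page reveals that the listing did not."""
    listed = plugins_from_index(index_html)
    active = plugins_from_page(page_html)
    return {"active": listed & active, "unknown": listed - active, "page_only": active - listed}


if __name__ == "__main__":
    for bucket, slugs in triage(SAMPLE_INDEX, SAMPLE_PAGE).items():
        print(bucket, sorted(slugs))
```

The "unknown" bucket is exactly the 6-out-of-16 problem: a listing proves a plugin is on disk, not that WordPress loads it, so before spending time on a directory hit it is worth fetching the front page and checking whether the plugin's assets are actually being served.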

And if anyone is wondering where all the scripts are, I’ll have a couple of widgets soon and another couple of python scripts.

All of Google’s Toolbar Functionality, Without the Toolbar

I don’t like Google’s Toolbar, or really toolbars in general. Maybe it’s because it brings back memories of horrible IE interfaces with way too many, or that the logos are just bright and don’t fit in at all, or maybe it’s just that I like to see as much page as possible. But for whatever the reason, it’s got to go.

But I run into a problem, I like some of the features, mainly Web History and showing the current PageRank. Finding out about unread gmail messages. And even though I still mainly use regular old bookmarking, I guess the ability to bookmark the page might be useful. Thankfully, there are alternatives to them all.

First, Web History and PageRank can easily be fixed by the Search Status plugin. This shows the PageRank and Alexa rank for the current page/site. What’s good about this is that Google records Web History from the PageRank lookup itself, so we don’t need anything else to use the Web History app. (Which also means every URL you visit is still sent to Google for the rank lookup, exactly as the toolbar would have done; that is the trade-off for having Web History at all.)

Download Search Status

Next, getting unread count of Gmail messages. There are a few plugins that do this, but the best one, imo, is Gmail Manager. This allows you to check multiple accounts (better than the toolbar), set the refresh rate, and won’t take up valuable toolbar space, since it sits at the bottom of the browser.

Download Gmail Manager

Finally, the bookmarking. There are quite a few extensions out there, but I didn’t like any of them, so I wrote my own Greasemonkey script. You’ll still need something to view the bookmarks, but bookmarking a page is as simple as a key press. Hit the Pause/Break key and the current page will be saved to Google Bookmarks. Nothing else. You need Greasemonkey to use this.

Download Google Bookmarks via Key Press User Script

And now I don’t need the Google Toolbar anymore. Yay!