Archives for July 2008

5 Steps to Upgrade From a Hacked iPhone to an iPhone 3G

I know what you’re thinking: “Matt, I hacked my original iPhone. Now I want to share in the iPhone 3G fun, but I’m worried that something horrible will happen if I upgrade to the iPhone 3G.”

Buck up, fellow iPhone hacker. I’ll tell you how to upgrade from your hacked Apple phone and keep all the settings you love from your original iPhone. The good news is that it’s not hard and there’s a set of five steps that will combine the comfort of your old settings with the joy of the new 3G iPhone. I’ll lead you through the steps.

1. Upgrade iTunes and sync your old hacked iPhone

Upgrade to iTunes 7.7 (or whatever the latest version is). Plug your hacked iPhone into your computer and make sure that you sync. When you sync, a backup of your iPhone’s settings data is stored in iTunes. Recharge the power in your old hacked iPhone and turn it off. If you want to be ultra-safe, see my post about how to back up iPhone data.

2. Buy an iPhone 3G

This step is time-consuming, but not hard. Apple has a page for its stores and after 9 p.m. you can check the Apple iPhone availability to find a store that has the new iPhone 3G. Hint: if there are multiple stores in your area, call each to see which has the shortest wait. When you buy the iPhone 3G, you don’t need to mention to the salespeople that your previous phone was hacked. Just buy the iPhone 3G and let them activate the phone in the store.

3. Restore the backup of your hacked iPhone to your iPhone 3G

(If you decide to “start fresh” with your new iPhone 3G and don’t want to restore contacts, bookmarks, music, etc. from your old phone, skip this step.)

Resist the temptation to start immediately customizing your iPhone 3G. You’re just going to override any changes when you restore your old iPhone’s settings anyway. In particular, make sure you keep the passlock (where you have to type a PIN to unlock your iPhone) off for the time being. Go home and plug your new iPhone 3G into the same computer with iTunes 7.7 where you did a sync on your old iPhone. iTunes will ask if you want to register your iPhone. I registered my iPhone, but I don’t think it was necessary — looking back, I think iTunes asked me to register to get permission to send me email offers. Next, iTunes will ask if you want to try 60 days free of MobileMe. I didn’t want that, so I declined. Only after those two offers did iTunes ask if I wanted to set up the new iPhone 3G as a new phone or restore from a backup. The choice looks like:

iTunes offers to restore iPhone

Choose to restore from a backup and the last sync of your old hacked iPhone should be offered as a choice. Let iTunes restore the backup data and settings from your hacked iPhone to your new iPhone 3G. Once it’s done, pretty much everything should be like it was on your hacked iPhone. The iPhone 2.0 firmware adds some new options, so make sure you explore the settings menu and set any new options the way that you want. Also, if your iPhone is configured to fetch email, your email passwords on the new iPhone 3G will be empty. You will need to re-enter your email passwords.

Finally, if you want to use the Apple App Store, you may need to add a credit card or authorize your computer to purchase things, even if you only want to download free applications. I have a personal policy not to put my data where I can’t get it back out, so I tend to buy MP3s instead of buying music with proprietary Digital Rights Management (DRM) from the Apple Store. As a result, my computer had never been authorized to buy things from the Apple Store. To authorize your computer, in the iTunes program click Store->Authorize Computer… and enter your Apple ID. Once your computer is authorized, you might need to click Store->Check for Purchases… if you tried to download an application from the App Store before your computer was authorized.

4. Upgrade your old iPhone to firmware version 2.0

The iPhone running software version 2.0 has been hacked, so there’s no need to keep running old firmware on your old hacked iPhone. Plug your old hacked iPhone into the computer running iTunes 7.7 and make sure that iTunes is running. Under the “Devices” entry on the left hand side of iTunes, when you click on the iPhone device, you should see a screen with a “Check for Update” button. Click that button. I was running firmware version 1.1.1 and at first it offered me firmware version 1.1.4. So I exited iTunes, restarted iTunes, and clicked “Check for Update” again. Then it offered me firmware version 2.0. Click to install firmware version 2.0 on the old hacked iPhone.

5. Erase the settings and data on your old iPhone

One nice thing about the iPhone’s firmware version 2.0 is that it adds a “secure wipe” that attempts to erase all data completely from your iPhone. That means you can sell the old iPhone or give it to a friend without worrying about all those crazy pictures you took, the 1-900 numbers in your contacts, the SMS messages that reveal things you want to keep private, etc. Here’s how to erase everything on your old iPhone. Eject the phone in iTunes, disconnect the phone from the computer, then press Settings, then General, then Reset, then Erase All Content and Settings, then Erase iPhone. You may have to confirm a couple times that yes, you really want to wipe your iPhone. The process takes about an hour, so I connected my iPhone to a cable that was plugged into a power outlet to ensure that the iPhone wouldn’t run out of power in the middle of wiping it.

When the iPhone is finished erasing itself, it’s suitable for giving to a family member or selling on eBay or whatever.

Generic Malware Debunking Post

Yup, I’m about to do another blog post where someone says that a website is clean but it doesn’t look like it to us. I did a very similar post in January 2007, and in that post I said

I’ve checked out quite a few “we don’t have any malware” reports at this point, and I’ve yet to see a false positive — the sites in question have each had some malware on them.

Would you believe that a year and a half later, that’s still true for me? It may be possible that our malware flagging system has false positives, but I can’t recall a single case that I’ve seen where there wasn’t some security hole or malware that was a true issue for the website owner. If you want to know why, read Google’s white paper about how we detect such stuff — it’s called “The Ghost In The Browser: Analysis of Web-based Malware” and it was written by Niels Provos and several other Googlers.

In fact, just last week I handled a very similar case where Google proactively reached out to a website that had a scripting security flaw. The deja vu from my January 2007 post plus the situation last week made me want to write a generic malware debunking post. 🙂 Are you ready? Here we go:

$ACCUSER = Brett Glass
$FORUM = Dave Farber’s Interesting People mailing list, specifically this email.
$LONG_ACCUSATION = (I’m going to quote Brett’s whole email here, just for context)


Google has been a strong supporter of the agenda of Free Press, an
inside-the-Beltway lobbying group which has spent hundreds of
thousands of dollars lobbying for regulation of the Internet under
a regime known as “network neutrality.” While some of the tenets
included in this agenda are not reasonable, one of those that IS
reasonable is the notion that large corporations such as Comcast
should not block content with which they disagree.

However, Google — itself a large corporation — appears to be
blocking a site which expresses opinions with which it does not
agree on this very issue. When one does a search for the terms
“neutrality” and “” (the link

will perform this search for you), many of the pages and documents
on the site — in particular, white papers expressing views with
which Google disagrees — are tagged with a warning that “This site
may harm your computer.” One cannot click through to the documents
and pages in Google’s search results without cutting the URL from
the page and manually pasting it into one’s browser.

The Web site, operated by a group known as the “Progress and
Freedom Foundation,” does not appear to contain any malware. When
one queries Google as to why the site was blacklisted, it claims
that “Part of this site was listed for suspicious activity 1
time(s) over the past 90 days.” Yet, we could find no malware or
other exploits in the blacklisted PDF files, some of which contain
very well presented and cogent arguments against the agenda which
Google has been actively supporting.

Could it be that Google (whose motto is, reportedly, “Don’t be
evil,”) is saying, “Do as I say, not as I do?”

–Brett Glass

P.S. — What’s especially interesting is that if one queries Google
using just the term, “” (you can use the link

to do this query), one can see that the majority of the supposedly
dangerous site is not blocked. But most or all of the documents
expressing viewpoints on “network neutrality” are.

$SHORT_ACCUSATION = “Google blocked a site with opinions that it disagrees with. Worse, the query [] seems to show that only urls under are labeled as potentially harmful, and that is the directory where many of the documents that disagree with Google are.”

Given what we have so far, my generic debunking would begin like “Dear $ACCUSER, I saw on $FORUM where you mentioned that Google is flagging a website as malware. You said that $SHORT_ACCUSATION. I wanted to give you a little more background and context to let you know that Google did see an actual malware attack via a real security hole. The other thing you need to know is that Google flagged the site because of the security hole, not because Google agrees or disagrees with any particular content on the site.”

Then I’d give a little background history on all the different ways that Google helps users and webmasters avoid malware. Most of the background would come from this overview post. Since that post was published in mid-2007, Google has done even more to protect users:

– Niels Provos and his colleagues published another technical report with more details about the malware detection framework and what it discovered (more info here).

– Google launched a Safe Browsing API so that third party applications can benefit from Google’s list of malware and phishing urls. If you appreciate that Firefox 3 has better security, one of the reasons is that Firefox 3 utilizes the Safe Browsing API.

– More recently, the anti-malware folks at Google launched a Safe Browsing Diagnostic page where you can enter a url and get a ton of really useful information.

The last one is especially impressive. For example, check out the Safe Browsing Diagnostic page for

Safe browsing page for

That page gives a ton of helpful info to site owners and anyone else who is interested in why a particular site or url was flagged as potentially harmful.

All that would go quite far to reply to people that had questions about their site being flagged for malware. But this post is getting quite long, so let’s get back to this specific report in this case. The original person who reported this situation had already noticed that not all of was flagged. If you do a site: query on Google, you only see warnings for .

If you visit, you’ll see that it’s a web form. It looks like stored their data in a SQL database but didn’t correctly sanitize/escape input from users, which led to a SQL injection attack where regular users got exposed to malicious code. As a result, normal users appear to have loaded urls like hxxp://www.ausbnr .com/ngg.js and hxxp://www.westpacsecuresite .com/b.js <--- Don't go to urls like this unless you are 1) a security researcher or 2) want to infect your machine. Notice that even in this case, Google didn't flag the entire site, just the one directory on the site that appeared to be dangerous for users. I never like it when people accuse Google of flagging a site as malware just because we don't like it for some reason. The bright side of this incident is that will find out about a security hole on their site that was hurting their users (it looks like has disabled the search on the vulnerable page in the last few hours, so it appears that they're responding quickly to this issue). Flagging malware on the web doesn't earn any money for Google, but it's clearly a Good Thing for users and for the web. I'm glad we do it, even if it means that sometimes we have to write a generic malware post to debunk misconceptions.
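The flaw described above, and the cleanup check a site owner would run afterwards, as an added example that is not from the original post or from the affected site. It uses an in-memory SQLite table as a stand-in; the table, the column names, the hostnames and the sample rows are all constructed for illustration.

```python
import html
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample input: a search term that closes the quoted LIKE pattern early.
TAUTOLOGY = "zzz%' OR 1=1 --"
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def make_db():
    """Build a small in-memory table standing in for the site's document list."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE papers (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO papers (title) VALUES (?)", [
        ("Spectrum policy overview",),
        # Constructed row: a title after an injected write appended an off-site script.
        ('Broadband report<script src="http://malicious.example/b.js"></script>',),
        ('Annual summary<script src="/js/site.js"></script>',),
    ])
    return db

def search_unsafe(db, term):
    """BEFORE: user input is pasted into the SQL text, so it can change the query."""
    sql = "SELECT title FROM papers WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_safe(db, term):
    """AFTER: the term is a bound parameter and is only ever treated as data."""
    sql = "SELECT title FROM papers WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

def find_foreign_scripts(db, allowed_hosts):
    """Cleanup check: list (row id, host) for stored script tags loading off-site code."""
    hits = []
    for row_id, title in db.execute("SELECT id, title FROM papers ORDER BY id"):
        for src in SCRIPT_SRC.findall(title or ""):
            host = urlparse(src).hostname  # None for relative (same-site) paths
            if host and host not in allowed_hosts:
                hits.append((row_id, host))
    return hits

def render_title(title):
    """Escape on output so stored markup is displayed as text, not executed."""
    return html.escape(title)

if __name__ == "__main__":
    db = make_db()
    print(len(search_unsafe(db, TAUTOLOGY)), "rows from the concatenated query")
    print(len(search_safe(db, TAUTOLOGY)), "rows from the parameterized query")
    print("off-site scripts in stored data:", find_foreign_scripts(db, {"www.example.org"}))
```

Binding parameters closes the hole, but rows that were already tampered with stay in the database until they are found and cleaned, which is why the scan and the output escaping are shown alongside the query fix.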

iPhone 3G: Come on in, the Water’s Fine!

If you read all the press on Friday, it sounded like a full-out iPocalypse as Apple’s in-store activation of the iPhone failed, which left a bunch of people steamed. I left a Summize search for [iphone] up in my browser; there were probably 10K+ twitters on Friday that mentioned the iPhone.

By afternoon I noticed that Twitter complaints about the activation and 2.0 firmware were dying off, so my wife and I decided to do a “date night” to wait in line for an iPhone at Valley Fair Mall in Santa Clara. We showed up at 3 p.m., waited in line for two hours and 45 minutes, and had our iPhones ready and activated by 6 p.m. The line moved slower than last year because this year Apple required that you activate the phones in the store. If you don’t want to wait in long lines, a good strategy for Apple products is just to show up later in the day after the initial surge subsides. Last year we waited until evening to buy our first iPhone and the line was only five people long.

Here’s what you need to know: the activation issues were resolved by Friday afternoon, and most of the lines at Apple stores should be pretty manageable now. Apple provides a page to check local iPhone availability. The page looks like this:

Locations to buy iPhone

All three Apple stores in Silicon Valley have iPhones in stock, for example. If there are multiple stores in your area (check this page for Apple store locations and phone numbers), call each one to see who has the shortest line.

I like my iPhone 3G a lot, and plan to do several iPhone-related posts. The main thing you need to know right now is that any snafus on Friday were temporary, and it should be pretty doable to get an iPhone 3G now if you want one.

Cool: Google Releases Protocol Buffers Into the Wild

I love that Google just open-sourced Protocol Buffers. Think of Protocol Buffers as a very compact way of encoding data in a binary format. A programmer can write a simple description of a protocol or structured data and Google’s code will autogenerate a class in C++, Java, or Python to read, write, and parse the protocol. Given a protocol buffer, you can write it to disk, send it over the network wire, and do any number of interesting tricks. Any medium-sized company (and quite a few startups!) should find Protocol Buffers very handy.

You may want to read this paper about the Google cluster architecture if you haven’t already, because I’m going to remind you of two things about Google that are pretty obvious in retrospect. You can think of the Google cluster architecture as a bunch of moderately powerful personal computers connected by ethernet. That’s not quite correct, but it’s a pretty good abstraction. In that model, you have pretty good disk/RAM/computational throughput, but network communication is much more limited. That leads to the first nice thing about Protocol Buffers: they’re very compact going over-the-wire via network.

To understand the other nice thing about Protocol Buffers, bear in mind that in the Google cluster architecture, there are many different types of servers that talk to each other. Question: how do you upgrade servers when you need to pass new information between them? It’s a fool’s game to try to upgrade both servers at the same time. So you need a communication protocol that is not only backward compatible (a new server can speak the old protocol) but also forward compatible (an old server can speak the new protocol). Protocol Buffers provide that because new additions to the protocol can be ignored by the old server. That lets you upgrade different servers at different times (check out the “A bit of history” section in that overview). Protocol Buffers are especially appropriate to represent requests and replies between a client and a server.
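Why an old server can safely ignore additions, as an added example that is not Google's library code: a simplified reader for the Protocol Buffers wire format, in which every field carries its number and wire type, so an unknown field can be measured and skipped. The request message and its fields (1 = query, 2 = page, 3 = lang) are hypothetical.

```python
def write_varint(n):
    """Encode a non-negative integer as a base-128 varint."""
    out = bytearray()
    while True:
        byte, n = n & 0x7F, n >> 7
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)

def read_varint(buf, pos):
    """Decode a varint at pos; return (value, next_pos). Rejects truncated or overlong input."""
    value = shift = 0
    while True:
        if pos >= len(buf) or shift > 63:
            raise ValueError("bad varint")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def field(number, wire_type, payload):
    """Prefix a payload with its tag: (field_number << 3) | wire_type."""
    return write_varint((number << 3) | wire_type) + payload

def encode_request(query, page, lang=None):
    """Hypothetical request: 1 = query (bytes), 2 = page (varint), 3 = lang (new field)."""
    msg = field(1, 2, write_varint(len(query)) + query) + field(2, 0, write_varint(page))
    if lang is not None:  # only the upgraded sender emits field 3
        msg += field(3, 2, write_varint(len(lang)) + lang)
    return msg

def take(buf, pos, size):
    """Return (bytes, next_pos), refusing to read past the end of the buffer."""
    if pos + size > len(buf):
        raise ValueError("truncated field")
    return buf[pos:pos + size], pos + size

def old_server_parse(buf):
    """Old reader: understands fields 1 and 2 only, skips anything else by wire type."""
    known, skipped, pos = {}, [], 0
    while pos < len(buf):
        tag, pos = read_varint(buf, pos)
        number, wire_type = tag >> 3, tag & 7
        if wire_type == 0:                      # varint
            value, pos = read_varint(buf, pos)
        elif wire_type == 2:                    # length-delimited
            length, pos = read_varint(buf, pos)
            value, pos = take(buf, pos, length)
        elif wire_type in (1, 5):               # fixed 64-bit / fixed 32-bit
            value, pos = take(buf, pos, 8 if wire_type == 1 else 4)
        else:
            raise ValueError("unsupported wire type")
        if (number, wire_type) == (1, 2):
            known["query"] = value
        elif (number, wire_type) == (2, 0):
            known["page"] = value
        else:
            skipped.append(number)              # unknown to this version: ignore it
    return known, skipped
```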

(By the way, congrats also to the folks that worked to release this code outside of Google. Making open-source code available to the outside world is a great way to build goodwill with developers.)

There are over 10,000 .proto files in use at Google, and Protocol Buffers are a vital part of Google. If you’re a programmer, why not try Protocol Buffers out for yourself?

The business case for goodwill

Carolyn Y. Johnson has a great article in the Boston Globe today about companies that listen online. She mentions that Comcast and Southwest monitor Twitter for frustrated users, and cites Dell for improving its customer service as well as providing a site called IdeaStorm where people can provide feedback. Dell has implemented over 50 of the suggestions from the IdeaStorm site.

I’ve talked about listening online before, because I think everybody at Google should do it to some degree. Google is pretty good at hearing outside feedback, although there’s always more we could (and should!) do. Here’s what I said last time:

Some of the most dynamic teams at Google are the ones that listen to bloggers and respond. ….

My ideal would be if every Google project had someone watching the blogosphere for feedback. It could start as simply as a persistent search in Google News and Google Blogsearch for mentions of that product. That would help us spot if a particular project is causing headaches for someone. We should get the listening locked in first.

Both Google News and Google Blogsearch provide RSS feeds for search results, so you can search for your product name, turn it into a feed, then add that feed to Google Reader to see new mentions of your products. If you’re logged in, you can even customize Google News to create a “Google” section or only news about your favorite topic.

I wrote the quoted paragraph above in 2006. In 2008, you’d monitor more places. Monitor Twitter with Summize, which can provide a feed for a query. Monitor FriendFeed by adding “&format=atom” to the end of a search url (hat tip to lifestream blog for getting that info from Bret Taylor at FriendFeed).

By the way, it’s not just companies that benefit from feedback online either — most organizations can get good suggestions. Ubuntu’s brainstorm feedback site just received its one millionth vote on an idea and has its own blog. You can even download the code for Ubuntu’s brainstorm project and use it yourself.

The fly in this ointment is how to make a business case for listening. What are the metrics that argue for having someone engage with a community, listen to feedback, and push for changes? Any smart person intuitively knows that good community relations are a solid idea, but how do you prove that? In a company of size X, how many people should pay attention to or be dedicated to community relations? I’d be interested if other people have thought about the business case for goodwill, or know of resources that discuss this.