Tetris for Android

I recently wrote a Tetris game for the Android platform. Here it is:

It is just a straight classical implementation of Tetris. It shows the drop position and the next figure, increases speed with levels (up to 20), and calculates the score, giving a bonus for extra lines. It also saves the score into the phone’s memory, so you can keep track of records. It works perfectly fine on my Google G1 and my record so far is 18700. 🙂 This is exactly the minimum of what you would expect of a game like this. I guess the next step would be storing scores online in a competition table. Because Tetris is copyrighted by The Tetris Company I can’t share the code or executable publicly, sorry. 🙂

So far I have liked the Android platform. They definitely did a good job on the UI. It is still not as convenient as the same for Windows Mobile, for which I wrote Tetris a couple of years ago. I liked the way they deal with different screen sizes and the way you can load graphical files and use them as primitives (this is how the building blocks are done there). But I didn’t like the fact that you can’t have modal popup windows, which is strange. I would make all small windows modal in some sense for this kind of device. Consider my use case: I need to ask for a parameter (the name of a winner in my case) and it doesn’t make sense to proceed without this parameter. I simply didn’t find any way to do it in Android, so I went with a workaround. I love smartphones. It is fun that you can do something for your own phone.


Facebook’s most annoying issues 2

11. Manage rights for applications is not good enough. You should be able to select what you would actually like to share with an application at the start of using it. I’m sure some Facebook games would survive without having access to my email. Ideally it should look like this: you declined access to email, but the application later asks “This application would like to access your email because it needs to send you notifications about bla bla…”.
12. The mail Inbox is confusing for many people. They often click on the user instead of the message (especially if the message is short) and write on your wall thinking that they are answering your message.
13. Not granular enough authorization. There should definitely be more granular authorization for different types of posts. For instance, I’m fine with sharing my “Notes” with everyone, but I’d like my photos viewed only by my close friends and family.
14. Issues with Edit settings. I’d love to return to my *edit* privacy settings page after I view my profile, not to *view* privacy settings.
15. Issues with site navigation. Sometimes it is really hard to find a page you want. For example, for me to set up my blog to appear through “My Notes” I had to click on “Notes”, click on “My Notes”, click on “Write a note”, click on “My Notes” again and only then I’ll have a link “Edit import settings”! It is not the only example. The whole site navigation should be revised.
16. No breadcrumbs and no site map. Well, there are some kind of breadcrumbs, but as you can see from the previous issue they do not always reflect how to get to the page. A sitemap would really help.
17. Issues with international characters in SMS. Facebook has a nice system which sends you an SMS as soon as you get a message. This is very nice; unfortunately it has issues with Unicode: all non-English letters are replaced with a question mark.
18. HTTPS is not default. The default protocol for Facebook should automatically be HTTPS instead of HTTP after login.
19. Why can’t I have nested “Lists” of people? It’s very inconvenient to put the same person into multiple groups. Why not just add a feature so I can add a list inside my list? If I have a group School Friends I want to add a subgroup ClassMates.
20. Photo viewer is not very convenient. Sometimes it opens up multiple popups (a new one for each photo), which is confusing.

Facebook’s most annoying issues

The most annoying Facebook issues to me are:

1. Not all actions have authorization. I mean some of them don’t have it at all. It is annoying when spammers mark me on their photos;
2. Group-level authorization is not good enough yet. I can’t restrict access to post on my wall for groups. I.e. I want to set up only some specific groups to be visible on my wall (have access to my wall). (on groups basis for Mafia wars).
3. There are my groups on my page? Why can’t I quickly filter wall messages by group just by clicking on it? For instance I want to check out group “My classmates” to see what’s new there. You can individually check out all of them but it’s pretty inconvenient.
4. No restriction by default for application or application invites. I’m getting a lot of invites to different applications from my Mafia wars friends. Why can’t I set up that all invites for all applications will be restricted to me for this particular group?
5. I think they have the same issue for pages and groups;
6. It’s kind of inconvenient and counter-intuitive with access setup there. We definitely should have something like context (right-click?) actions to set up access everywhere. It’s a bit annoying to go to settings to do it;
7. Lack of wizards (step by step setup). I’m a stupid monkey. 🙂 Why do I have to know that I have to go to settings to set something up? There definitely should be a “wizard-style” process which will guide me through, and this should be searchable. I want to find something by searching “wall access wizard” or something like that.
8. No “Spam” action on many items. I’m getting posts on my wall or friend tags which are clearly spam. I’d love to help Facebook get rid of them, but there are no easy ways to do it.
9. No way to set persistent status in an easy way and no history in chat. A lot of my Mafia wars “friends” contact me with requests.
10. Restrictions for applications should be much more granular. Other than defaults for all applications I want to control specifically what I’m ready to share with some specific ones.

Solutions as I see it might be:
1. Extend group-level authorization to all areas like:
a. wall access/posts;
b. friends tagging;
c. applications (extended system for granular authorization), pages, and groups promotions;

2. Create contra-spam infrastructure (if it does not exist) – I mean people who will be checking if a marked action is actually spam. Make in-place links to mark as spam for all areas like:
a. wall access/posts;
b. friends tagging;
c. applications, pages, and groups promotions;

3. Make in-place links to adjust authorization (it could be just a link “adjust access”) in all areas like:
a. wall access/posts. It should be precise, though – I have to be able to allow only messages from “Mafia wars game” on my wall for this group. I.e. it should also take into account types of the posts;
b. friends tagging;
c. applications, pages, and groups promotions;

4. Create wizards. Make in-place links to wizards and make wizards searchable. Those “adjust authorization” links could be links to wizards;
5. Join Friends link with “Edit Friends” page;
6. Show me filter of my groups/friends (recently interacted?) so I can filter my wall posts by them.
7. Show me list of my groups/friends (recently interacted?) so I can see their wall posts quickly on my page.
8. Add history and way to set persistent status for the chat on the chat window.

I should confess: I might not be the most typical Facebook user (I play Mafia wars), but I represent a wide group, and most of the issues, I believe, are the same for most of us.
As soon as you play Mafia wars you become a kind of Facebook maniac, a friend of hundreds of people and an active user of user groups. You really don’t want to share your personal stuff with guys who are just in your mafia. 🙂

Oh, and yes, I do love Facebook, that’s why I spent my time writing this after all! 🙂

What is cloud computing? Cloud computing main idea explained

Cloud computing is a style of computing that is linearly scalable over a network.

There are at least 2 variations of the concept:

  1. Client-side cloud computing, which is client-based software that is at the same time a client and a server to many other instances. Examples are: Skype, BitTorrent, SETI@home.
  2. Server-side cloud computing, which covers automatically scalable systems like Amazon S3, Google App Engine or Salesforce, which provide services on their own platform and hardware, as well as pure platforms such as Appistry for deployment on your own hardware.

We will focus on questions and concerns about the server-side case.

Server-side cloud computing is when the parts of the stack where your application is running are cloned on demand as load increases and freed as load decreases. This is of course mostly about the web and business-logic parts of the stack, but it also applies to databases, i.e. you can automatically get more computing resources and/or a more scaled database.

All of this is, of course, nothing new and could be implemented with “old” software technologies, but usually cloud providers supply their own API optimized for cloud computing. Currently most cloud implementations support databases, distributed caching and transactions.

Concerns

The main concern is, of course, security, since with cloud-service providers your software is deployed on another company’s servers. Another concern is that this architecture has issues with short, high load spikes, when it starts to scale after the spike.

When to use

  1. If you don’t know what the load is going to be for your application;
  2. When you don’t want to invest in new hardware: clouds will be able to reuse your existing resources, or you can rent the service, which will charge you only for the resources used;

The anatomy of cloud computing is another good resource on this subject.

Berkeley’s view on the subject.

Why do I need inheritance in OOP? Real-world examples.

The problem in general is that it is sometimes unclear from books why we need some particular technology. In this case we are going to discuss why you need inheritance and where it is used in real-life applications. Let us first recall what inheritance is (samples in Java):

    // Base class: defines the method every pet has.
    public class Pet {
        public void say() { }
    }

    // Each subclass overrides say() with its own behaviour.
    public class Dog extends Pet {
        public void say() { System.out.println("I am a dog."); }
    }

    public class Cat extends Pet {
        public void say() { System.out.println("I am a cat."); }
    }

    public class Test {
        public static void main(String[] args) {
            // Both variables are declared as Pet but hold different subclasses.
            Pet pet1 = new Dog();
            Pet pet2 = new Cat();
            pet1.say();
            pet2.say();
        }
    }

This program will output:

    I am a dog.
    I am a cat.

The idea is very simple: although pet1 and pet2 are of type Pet, pet1 points to an object of class Dog and pet2 points to an object of class Cat. The common question which is usually raised is: why don’t we have just Dog pet1 = new Dog(); and Cat pet2 = new Cat();? Why do we need to access it via Pet? Let me give you some real-world examples where we need it:

1. Servlets. When we create a servlet we inherit from the base servlet class and override the method doGet() or doPost() to add our functionality to the servlet. The server (for example Tomcat) has a list of our deployed servlet classes, and as soon as it gets a request for our servlet it loads our class, creates an object and calls doGet() or doPost() on it. Since the server has no idea what classes we have, it addresses the object of our class via a variable of type HttpServlet.
2. A similar idea was used in early versions of the Struts library.
3. In .NET as well as in Java you extend the Exception class or one of its successors to create an exception specific to your application. The system (Java or .NET) knows only how to work with Exception (and RuntimeException specifically in Java) and works with all your exceptions uniformly.

Secret question as the Big Security Issue and some solutions

Here I’m going to discuss the problems with security questions, for software architects.

Problem description

How do hackers get access to the data in a user’s account? It’s easy nowadays to make users use only cryptosecure passwords. You can use this password meter if you want to tell them that their password is insecure, and use the same code on the server side to prevent the user from setting it. So let us assume that the user’s password is already secure. But you probably want the user to have a chance to reset her/his password if she/he has forgotten it. And here come most of the issues. In my experience a security question either invites an insecure answer or is hard for users to use, since they could have more than one correct answer to it. In any case this answer is far less cryptosecure than a regular password, which makes it a security hole if used directly to show or change the password. In my understanding, showing the password should never be used, for the following reasons:

  1. It makes you as a developer store it (even encrypted) in your storage (usually a database). This approach is VERY bad, since if some hacker gets access to the database she/he will get all passwords for all users. It is a similar issue to storing credit cards in your database and could be even worse, since users tend to use the same password everywhere. Best practice here is to store only a hash of the password and check the hash on login;
  2. It provides the password to the user as text, so the user could save it somewhere, or someone could see it on the user’s monitor.

There are recommendations for users on how to use security questions in a more secure way, but I doubt many follow them. Changing the password will not show the hacker the old password, but it is still an easy way to get into the system.

One more huge issue is that the answer to the security question is stored in the database as text or slightly encrypted text (instead of a hash). This opens up the same issue as discussed earlier.

Problem solutions

Ideally, if you can afford not to use a security question at all, that could be a solution (although I don’t think it is possible nowadays), since even the following solution will be limited by the security of the user’s email account.

The only thing you can do here is the following:

  1. Use more than one security question, and use them either randomly and/or more than one at the same time;
  2. Or, after the security question(s), send the link to change the password to the user’s email (but do not show this email to the user). In this case you will depend on the security of the user’s email. But if you don’t send the link by email and just let the user change the password, this means that you are providing access to the user’s account secured only by security questions, which are far less cryptosecure. Alternatively, you can just show the user’s hint for the password, not the password itself.
  3. This change-password link should expire and contain some random token, to check that you don’t allow anyone else to use the same link to change the password. This token should expire immediately after the password is changed, and surely should be specific to the user (but should not be generated using any of the user’s information). The link itself must also not contain any information about the user;
  4. Attempts to access the user’s account with an incorrect password or an incorrect security question answer should be limited (say to 5 a day or some other way);
  5. Each attempt to access the security question and change the password must be accompanied by a captcha;
  6. All communications involving the security question and the password change must be done over SSL (HTTPS);
  7. Always notify the user about failed attempts to access her/his account and about a password change on the account. An attempt must be considered failed here even if only the captcha test fails;
  8. Treat answers to security questions as alternative passwords and work with them the same way, i.e. use a password input to enter an answer the first time and to take it from the user during the password reset process. Store only a HASH of the answer, not the answer itself. This is, possibly, not very convenient for the user, but it will help to keep her/his secret if your database is compromised, so I would call it an understandable inconvenience.

Pay attention to 5, which is usually forgotten. The captcha here, I would say, plays not only its primary role but also makes the path to changing the password this way uncomfortable for the user, which pushes her/him to use the password rather than security-question access. It is, I would say, an administrative way of discouraging users from using this path. I would also make the change-password procedure multi-step.
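Items 4 and 8 above as an added example (not code from the original post): security answers are kept only as salted PBKDF2 hashes, and failed attempts are capped at five per day. The class and function names, the iteration count and the answer normalization are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import timedelta

ITERATIONS = 200_000        # PBKDF2 work factor (assumed value; tune for your hardware)
MAX_FAILURES_PER_DAY = 5    # the "say 5 a day" limit from item 4


def _normalize(answer):
    # Assumption: fold case and collapse whitespace so "  Blue  Heron" == "blue heron".
    return " ".join(answer.casefold().split()).encode("utf-8")


def hash_answer(answer):
    """Return (salt, digest); only these two values are ever stored."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, ITERATIONS)
    return salt, digest


class AnswerChecker:
    """Verifies answers against stored hashes and enforces the daily failure cap."""

    def __init__(self):
        self._stored = {}      # user_id -> (salt, digest); stands in for the database
        self._failures = {}    # user_id -> timestamps of failed attempts
        # Dummy record so unknown users cost the same work as real ones.
        self._dummy = hash_answer(secrets.token_hex(16))

    def enroll(self, user_id, answer):
        self._stored[user_id] = hash_answer(answer)

    def verify(self, user_id, answer, now):
        """Return 'ok', 'wrong' or 'locked'."""
        day_ago = now - timedelta(days=1)
        recent = [t for t in self._failures.get(user_id, []) if t > day_ago]
        self._failures[user_id] = recent
        if len(recent) >= MAX_FAILURES_PER_DAY:
            return "locked"    # cap reached: the answer is not even evaluated
        salt, digest = self._stored.get(user_id, self._dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", _normalize(answer), salt, ITERATIONS)
        if user_id in self._stored and hmac.compare_digest(candidate, digest):
            return "ok"
        recent.append(now)     # every failure counts toward the cap
        return "wrong"
```

A `'wrong'` or `'locked'` result is also the point at which the notification from item 7 would be sent.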

Note on password change process

The procedure of password change should be the following:

  1. After the user has answered the security questions correctly and passed the captcha test, a token should be generated using (ideally completely) random information and stored in the database, in the users table or some other 1:1 table pointing to the user, along with the date and time when it was generated. Mark the user’s account as being updated (you can treat a non-null token as this flag). The link to change the account should be generated like this: https://yoursite.com/secure/passupdt?t=<NEWLY_GENERATED_TOKEN>   For example it could be https://yoursite.com/secure/passupdt?t=dh678sHGs8Kjhksdflkj69387Ljhdfkjh&899872320870HKJjhsfjhlsdf  This link should be sent to the user’s email along with instructions on how to copy/paste it into the browser’s address line;
  2. When the user follows the link, your code should read the token and find the user’s account based on this token. Make sure the token is not expired (you can, for example, check that it was generated not earlier than 24 hours ago). Here you can show a link to the password change form or the form itself (don’t forget about the captcha on the form);
  3. After the user has passed the captcha test and provided a new password, you must check the token, flag and expiration time again and only then update the user’s password hash in your system, remove the token and the flag that the account is being updated, and send the user an email notification that the password was updated (this notification must contain neither the old nor the new password itself, and should not even contain information about the user).

There is a possibility that the user will try to access her/his account the regular way (with the regular password) after step 1 or step 2. There are two possibilities: this attempt was either successful or not.

  • If it was successful (meaning that the user remembered her/his password and successfully logged in) you must immediately clear the token and token flag in the login action and notify the user that there was an attempt to change the account’s password;
  • If it was not successful I don’t see anything you can do for the change password process (except regular login limitations and a captcha starting from the second failed attempt). Just notify the user about one more failed attempt.
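The three steps and the successful-login case above, as an added example that is not the author's code. `ResetFlow` and its in-memory dictionaries are hypothetical stand-ins for the users table, and keeping only a SHA-256 digest of the token rather than the token itself goes one step beyond what the post asks for.

```python
import hashlib
import secrets
from datetime import timedelta

TOKEN_TTL = timedelta(hours=24)                          # the 24-hour window from step 2
RESET_URL = "https://yoursite.com/secure/passupdt?t="    # link shape from step 1


def _digest(token):
    # Only a hash of the token is stored, so a database leak yields no usable links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class ResetFlow:
    def __init__(self):
        self.pending = {}           # user_id -> (token_digest, issued_at); 1:1 with user
        self.password_hashes = {}   # user_id -> password hash (computed elsewhere)

    def issue(self, user_id, now):
        """Step 1: call only after security questions and captcha have passed."""
        token = secrets.token_urlsafe(32)    # 256 random bits, URL-safe, no user data
        self.pending[user_id] = (_digest(token), now)    # replaces any older token
        return RESET_URL + token

    def lookup(self, token, now):
        """Step 2: map a token to its user; None if unknown or expired."""
        wanted = _digest(token)
        # A real table would be indexed by digest; a scan is enough for the example.
        for user_id, (stored, issued_at) in list(self.pending.items()):
            if secrets.compare_digest(stored, wanted):
                if now - issued_at > TOKEN_TTL:
                    del self.pending[user_id]    # expired tokens are dropped
                    return None
                return user_id
        return None

    def redeem(self, token, new_password_hash, now):
        """Step 3: re-check token and expiry, update the hash, burn the token."""
        user_id = self.lookup(token, now)
        if user_id is None:
            return False
        self.password_hashes[user_id] = new_password_hash
        del self.pending[user_id]                # single use
        return True

    def on_successful_login(self, user_id):
        """Regular login succeeded: cancel a pending reset. True means notify the user."""
        return self.pending.pop(user_id, None) is not None
```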

There is one more thing here. If the user selects the change password link but has always had successful logins before, this activity should be considered suspicious and the user should be asked for her/his password before proceeding. If the password was correct, the user should be logged in and redirected to the regular first-after-login page; if the password was incorrect, the user should be notified (by email/SMS) and only then proceed to the security questions. It is clear that hackers will more likely attempt to attack the security questions and not the password. One other way for you to avoid it could be not to provide access to the forget_password link before the user tries to access the account the regular way and fails.

Again, as an alternative, instead of a link with a token to change the password you can send a temporary password to the user, who will have to change it on first login.

BlazeDS vs Granite DS vs WebORB vs LiveCycle DS for business applications on Flex and Java

Here is the table of features I managed to find:

Feature BlazeDS Granite DS WebORB LiveCycle DS
Data management Services
Client-Server synchronization + + +
Conflict resolution + +
Data paging + + +
SQL adapter + +
Hibernate adapter + + +
Document Services
LiveCycle remoting + +
RIA-to-PDF conversion +(plugin) +
Enterprise-Class Flex application services
Data access/remoting + + + +
Proxy service + + + +
Automated testing support +(through RIA AppPuncher –coming soon) +
Software clustering + + + +
Web tier compiler + + +
Flex code generation + +
Enterprise Integration
WSRP generation +
Ajax data services + + +
Flex-Ajax bridge + +
Runtime configuration + + +
Open adapter architecture + +
JMS adapter + + + +
Server-side component framework integration + + + +
Stateful services (session scope for Java objects) + + ?
Singleton services (application scope for Java objects) + + ?
Server-to-client method invocation + ?
ColdFusion integration + +
Service browser displaying POJOs, Spring beans, EJBs and a list of deployed JAR files +
Offline Application Support
Offline data cache + +
Local message queuing + +
Real-Time Data
Publish and Subscribe messaging + + +
Real-time data quality of service + + +
RTMP tunneling + +
Frameworks built-in integration
Spring + +
EJB3 + ?

I used the following articles:
http://sujitreddyg.wordpress.com/2008/01/31/blazeds-and-lcds-feature-difference/
http://www.infoq.com/news/2008/02/granite-data-services
http://www.themidnightcoders.com/weborb/java/product_editions.shtm
http://mcoderkat.wordpress.com/2009/02/08/weborb-for-java-vs-blazeds-vs-lcds/
http://www.graniteds.org/confluence/display/DOC/1.1.+What+is+Granite+Data+Services
http://www.adobe.com/products/livecycle/dataservices/features.html