April 11, 2014
Written by Jim Dalrymple
This week we learned, thanks to a February 2012 internal Samsung document marked “top secret” and unearthed by Apple as part of its ongoing patent infringement proceedings, that we were right and those more credulous news outlets were wrong.
When Strategy Analytics was telling the world that Samsung sold 2 million Galaxy Tabs in six weeks, the truth was that it took Samsung all of 2011 to sell half that many.
Lying, cheating, bastards.
Written by Jim Dalrymple
An interesting article by Peter Cohen on whether OS X should get more of a flat design. It makes sense to me.
Written by Jim Dalrymple
This is one of my favorite apps of all time.
Written by Shawn King
Nautilus:
The light that a city emits is like its glowing fingerprint. From the orderly grid of Manhattan, to the sprawling, snaking streets of Milan, to the bright contrast of Kuwait’s ring-roads, each city leaves its own pattern of tiny glowing dots. See if you can ID these cities based on the way they shine.
I got 13 out of 16 right but I definitely guessed on at least three of them.
Written by Jim Dalrymple
The Fender Passport EVENT with Bluetooth® connectivity is a self-contained portable audio system that includes everything you need for great sound anywhere you go. Carry your Passport as you would a suitcase, and simply flip open the cabinet release latches when you’re ready to set it up. Inside you’ll discover two full-range speaker cabinets, a powered mixer, a microphone and all the cables you’ll need to get started.
Fender also announced a new Passport Venue.
Written by Jim Dalrymple
Slash’s solo albums have been great. I can’t wait to hear the new release.
Written by Jim Dalrymple
I really like the tone of Engl amps. I’ll be getting these amp and cabinet models.
Written by Dave Mark
I just loved this essay about banning “feigned surprise”, a pretty common response in the programming universe.
“Feigned surprise” (when someone gasps and says something like: “you don’t even know about monads?”) is a method of belittling someone and lording your superiority over them.
As a writer, I try to assume that anything that might be puzzling to me might be puzzling to the reader. A piece of information that I find interesting and, at least at some point in the recent past, was new to me, might be new and interesting to the reader. That new information is a gift to me, one that I absolutely love to share with the reader. Feigned surprise is the enemy of that gift.
Here’s a link to Hacker School, mentioned in the linked essay, in case you are interested.
Written by Dave Mark
Follow the link to the site, then type in your favorite URL. The site will attempt to send the malformed Heartbeat request to your URL and report on what comes back.
For example, if you enter amazon.com, it will come back and say “All good, amazon.com seems fixed or unaffected!”
I tested a number of sites and found some that were straight-out susceptible and others that responded with messages such as “timeout” or “broken pipe”. To see what these mean, read the FAQ.
Big thanks to Filippo Valsorda for creating the test.
April 9, 2014
Written by Jim Dalrymple
I never thought I’d say this about an ad in the newspaper, but this is cool.
Written by Jim Dalrymple
The design shakeup at Apple will result in Christie soon leaving the company, with all software designers now working directly under Ive with the rest of his industrial design team instead of within Federighi’s engineering group. Sources say that Christie’s upcoming departure is significant and stems from a falling out with Ive.
Greg Christie is an important figure at Apple and will certainly be a loss for the company, but it makes a lot of sense for all design teams to report to Jony Ive. The news would be much worse if it was Ive leaving.
Written by Jim Dalrymple
Soon, you will have to download Facebook’s messaging app in order to chat with people using the service.
Written by Jim Dalrymple
Minimal Sudoku is an easy to use, clutter-free classic sudoku game which is designed for iOS 7. It’s ad-free and offers different levels for everybody from casual gamers to addicted masters of sudoku.
I like minimal things. You can also purchase higher levels if you wish through an in-app purchase.
Written by Jim Dalrymple
Big day for Dropbox. Mailbox for iOS and Mac:
Mailbox for Mac has been another labor of love for our team. It’s the product of painstaking iteration (over, and over, and over) to build the lightest, fastest, most delightful desktop mail client ever. You can watch a demo of the app during the Dropbox keynote (available on the Dropbox blog later today), and sign up to get early access here. We’ve still got quite a bit of work to do, but we’ll be adding people to the beta as quickly as we can.
Carousel:
We’d like you to meet Carousel: a gallery for all the photos and videos from your life. It combines the photos in your Dropbox with the photos on your phone, and automatically backs up new ones as you take them. Carousel sorts all these memories by event so you can easily travel back in time to any photo from any date. And unlike other mobile galleries, the size of your Carousel isn’t constrained by the space on your phone, which means you can finally have your entire life’s memories in one place.
Written by Shawn King
Bloomberg BusinessWeek:
For 15 years, Frere-Jones and Hoefler seemed charmed. They made typefaces that rendered the stock charts in the Wall Street Journal readable and helped Martha Stewart sell cookbooks. In January, Frere-Jones filed a lawsuit against Hoefler, saying that their company was not actually a partnership, but a long con in which Hoefler had tricked him into signing over the rights to all of his work, cheating Frere-Jones out of his half of the business.
Sad, fascinating story. Watch the two men in happier times in the short film, “Font Men”.
Written by Jim Dalrymple
Instantly watch Sesame Street, Sesame Street Classics, and Pinky Dinky Doo episodes, all presented in a secure, ad-free, and child-friendly environment.
I wish this was available when my kids were young.
Written by Jim Dalrymple
The user reported an error to Apple in the Maps app on April 6 and was given an option to receive a notification when the issue was resolved, with Apple sending a push notification on April 8 indicating the problem had been fixed.
That’s certainly better than having your feedback go into a black hole and never really knowing what’s going on.
Written by Dave Mark
It’s definitely getting there.
As you can see from the pictures below, the demolition part of the work seems to be complete. There are no buildings left standing. There is a lot of work being done by heavy construction machines throughout the field.
Great pictures.
Written by Dave Mark
I would not have made the connection from Uber to same day package delivery, but once you see the logic, hard to punch a hole in it. They are leveraging their existing GPS tracking infrastructure.
Instead of pushing a button and getting a ride, UberRUSH lets users push a button to summon a courier, who will ferry small packages across Manhattan by foot or bike. And according to reports, the sender and receiver will be able to track the delivery’s progress in real time, much like waiting for an Uber ride to show up. But this is hardly a new concept. Countless others are trying to build businesses using app-powered bike messengers.
The salient point here is that, with its new courier service, Uber is going after the big boys. With the logistical expertise it has built up over the past four years of perfecting its ride-sharing platform, Uber is sketching the outlines for a challenge to the Amazons, eBays, and Googles of the world, hoping to win a much larger war for same-day delivery.
Love them or hate them, Uber has become a force to be reckoned with.
Written by Jim Dalrymple
I remember doing some of these things years ago when I first started using Photoshop.
Written by Dave Mark
I’ve been reading about the Heartbleed bug, trying to understand how it does what it does, how a hacker could use the vulnerability to gain access to your data.
If you have not heard of Heartbleed, read this, which was posted last night.
Is Heartbleed bad?
In case you’ve been out of the loop, Heartbleed (CVE-2014-0160) is a vulnerability in OpenSSL that allows any remote user to dump some of the contents of the server’s memory. And yes, that’s really bad. The major concern is that a skilled user could craft an exploit that could dump the RSA private key that the server is using to communicate with its clients. The level of knowledge / skill required to craft this attack isn’t particularly high, but likely out of reach for the average script kiddie user.
I’m not well versed in this sort of thing, but here’s my take on how this works.
First, a script is run against a vulnerable server. The vulnerability allows a raw chunk of RAM to be retrieved from the server. The exploit is repeated until a chunk of RAM is retrieved containing a GET request. For the exploit to have value, the retrieved RAM has to also contain an authentication cookie. Different servers, different cookies.
Once a cookie is retrieved, you build a new request using that cookie and, since the cookie matches an existing session, your request is considered part of the existing session and you now have control over that session. Once you control a session, you are, in effect, logged in to the server.
If you see a hole in my explanation, please clarify in the comments for the benefit of other readers. This seems a pretty big hole to have skated through all this time.