chir.ag/tech

Deep Linking, Hot Linking, and the TV-Links arrest

2007-10-20T03:43:36-07:00

"TV-Links (now dead) is a site which links to sites like Google Video and YouTube, which host clips of TV shows. Today, the Gloucestershire County Council, in association with a group called the FACT, raided the site�s servers and arrested the 26 year old man from Cheltenham who ran the site... This is what is known as Deep Linking (wikipedia article). There have been a few legal cases about this already in different parts of the world."
- by The New Freedom blog.

The author is confusing Deep Linking with Hot Linking. Deep Linking is when you link to a web page within a site other than the home or a major section page. Hot Linking is when you embed a resource from another site on to your own site without re-hosting the media yourself. Websites like reddit and Fark deep link. TV-Links was hot linking.

I'm completely in favor of deep linking except where someone is clearly abusing your content, say by linking to detailed search results on your site by spidering every form field value. I'm in favor of hot linking provided due credit is given and single-click link to the hosting server is provided. Flickr thumbnail galleries, most video embeds, JavaScript widgets from Google including Adwords are technically hot linked but they all link to the hosting site and give them full credit.

What TV-Links failed to do was link to the appropriate YouTube, Veoh.com, and Google Video pages for the FLVs (Flash videos) they were playing on their site, within their own custom Flash video player. Since Veoh has MD5 type hash in their FLV url, there is practically no way to find the web page for a given Veoh video via it's FLV url. It's not easy for average users to find the YouTube or Google Videos page for a given video within TV-Links either. Submitters would upload a "Seinfeld" episode to Veoh and title it "DFPGDSFY4353FG" to ensure nobody can ever find it on the hosted site in a search for "Seinfeld episodes." Then they would submit it to TV-Links and correctly title it "Seinfeld Season 3, Episode 6." Veoh and YouTube/Google Videos have enough on their hands already and since we don't have good video fingerprinting technology yet, these videos would never be found pro-actively and completely ignored by the hosts.

TV-Links could have easily placed the original Veoh/Google/YouTube embeds on their site but they chose to directly hot-linked the FLVs. They reason they did this is of course to prevent copyright owners from easily finding the source of the video because then they could just as easily click the "Copyright Claim" buttons.

Copyright is a complex issue and as someone that runs a video aggregator, I feel truly sorry for the TV-Links guy. The video sites and the copyright holders both stand to lose as a result of his site. Video sites incur bandwidth, storage, and compliance costs while copyright holders could experience lower DVD sales. Music is different from TV shows. We listen to the same song 30 times. How many times will you watch the same episode of 24?

I know there was a lot of wonderful content on TV-Links but I'd say a majority of it, while being older material, nevertheless violated the rights of the copyright holders. Only reason TV-Links became so popular is because most of the videos worked as they weren't deleted immediately due to the aforementioned reasons. Why did TV-Links stay up so long? I don't know. Personally, I'd like for TV-Links to come back but if it does, what message does it send to others? That as long as you upload content illegally on server A and link to it from server B, it's acceptable?

Additional notes: There isn't an easy technical fix for the video sites to prevent the hot links as Flash deals with embedded media in it's own way. Most browsers don't send the referrer when viewing embedded videos. So playing a video on Veoh.com sends the same headers to the FLV host server as watching it on TV-Links. Additionally, most browsers now prevent 3rd party cookies (so no sessions) and Flash from 3rd party hosts does not always get full privileges to access the DOM (to avoid XSS exploits). Since video sites want their embeds to play on sites like Facebook and Myspace, they pretty much have to let anyone with valid headers stream their content.

There are Flash RTMP streams and more complex content distribution network services to stream FLVs but that adds to the cost tremendously. A Flash stream server is magnitudes more expensive than a cheap lighttpd box with ample storage.

Also, it wasn't just the simple links to the illegal content that is the issue here. Like I said, he wasn't just providing a list of illegal content. He was making it viewable in his and only his site. That means you cannot go to Google to watch that episode of Seinfeld, you HAVE to watch it on his site. Thereby, his site was a very crucial component of copyright violation. Without his site, you could never find David Attenborough's Secret Life on Plants on Veoh. That goes more than just linking to illegal content

On your site, you can provide a link to 1-10-100 illegal videos on Google or YouTube. That would constitute simple deep linking to copyrighted material, which in itself is illegal but mostly tolerated when it comes to video as copyright holders can file a DMCA request with the video host to bring down the video. His site bypassed that entire mechanism for copyright holders to even file a claim. That's why they're pissed and why he was arrested. I just hope they don't try to set any examples by completely ruining his life as a warning to others.

Name that Color JavaScript library

2007-09-04T23:18:03-07:00

11:10 pm) A lot of people loved my recently released Name that Color app that helps you find the name of the closest matching color for any RGB value. Many suggested releasing the code or making some sort of web-service to let others use the same library in their projects. So here is the Name that Color JavaScript library for all to use, embed, and extend.

Reddit OCDs

2007-08-27T00:19:07-07:00

I spend a lot of time on reddit, sometimes too much. While I have no qualms (yet) about the amount of time I spend there, I do have a lot of issues about HOW I spend my time there. Here are some of my reddit obsessions. I wonder if I'm the only one with these:

If more than one person replies to my comment and I feel like replying to one of them, I feel obligated to say something to the rest of the repliers too.
Every single link on the Hot & Recommended pages must be purple. Really bad headlines for articles that I don't want to read, must get the 'hide.'
Must click on my username every few minutes to check which of my comments get up and down votes.
Discover patterns within the up/down vote stream for each comment. E.g. a two-three sentence long comment made early on in a rising article can get 10-30 up votes and up to five replies even if it is not a great observation while detailed, informative comments made three hours after a link hits Hot page will get 10 up votes but rarely any comments.
Open Hot, New, Recommended pages in three different tabs with the mail icon showing red in all. After reading the mail from Hot tab and closing it, click on the mail icon in other tabs and get disappointed to find no new comments.
Click on the New page and smile when over 25% of articles are purple and ensure every article with a red (friend) submitter is purple.
Must click every hidden comment to see why it has negative points. Act furious upon reading it and then promptly down vote it.
Battle my inner-self to decide if the logical, sane, and factually correct comment at X votes that I disagree with should get a down vote because its parent/child comment that I agree with and have already awarded an up vote to, also has X points now. I have the opportunity to reverse the fate of the comments! Should I take it or just let it go?!
After submitting articles, refresh the New page every 30 seconds to track their gradual fall off the page. Each time an article gets a bump of more than 5 slots, rejoice for a moment before realizing and lamenting at the predictability of my actions: "Now due to a construct in my mind that makes their falling and their flight symbolic of my entire existence, it becomes important for me to get up and see their last second curves toward flight. It's almost as if my life will fall unless I see their ascent" - Cake.
Bemoan the prevalence of mildly-amusing [pic] and [video] links and not enough well-researched, well-written, unbiased articles as I up vote every funny street sign, fully aware of my own hypocrisy.

Top Seven Flash Animations of Ultimate Doom

2007-01-01T16:07:24-08:00

We've all seen amazing Flash animations over the years. Here's looking back at seven that totally kicked ass. Yes, you have seen most of them. Yes, they are worth seeing again. And again.

All your base - What Top Flash list would be complete without AYB?
Xiao Xiao - A whole series of ass-kicking stick-figures
End of the World - Hokay, we're definitely going to blow ourselves up
Drop de Bomb - Daylight come and...
Animator vs Animation - Stick-figure thinking outside the box
People's Mario - Amazing quality and equally hilarious
The Ultimate Showdown of Ultimate Destiny - No, really. It is.

Black magic causing database server timeouts

2006-12-23T23:05:25-08:00

After coming across the case of the 500-mile email again, I was reminded of a pretty severe problem just as unexplainable that we had at our company last year.

The day after an unscheduled closing (hurricane), I started getting calls from users complaining about database connection timeouts. Since I had a very simple network with less than 32 nodes and barely any bandwidth in use, it was quite scary that I could ping to the database server for 15-20 minutes and then get "request timed out" for about 2 minutes. I had performance monitors etc. running on the server and was pinging the server from multiple sources. Pretty much every machine except the server was able to talk to the others constantly. I tried to isolate a faulty switch or a bad connection but there was no way to explain the random yet periodic failures.

I asked my coworker to observe the lights on a switch in the warehouse while I ran trace routes and unplugged different devices. After 45-50 minutes on the walkie-talkie with him saying "ya it's down, ok it's back up," I asked if he noticed any patterns. He said, "Yeah... I did. But you're going to think I'm nuts. Every time the shipper takes away a pallet from the shipping room, the server times out within 2 seconds." I said "WHAT???" He said "Yeah. And the server comes back up once he starts processing the next order."

I ran down to see the shipper and was certain that he was plugging in a giant magnetomaxonizer to celebrate the successful completion of an order. Surely the electromagnetic waves from the flux capacitor were causing rip in the space-time continuum and temporarily shorting out the server's NIC card 150 feet away in another room. Nope. All he was doing was loading up the bigger boxes on the pallet first and then gradually the smaller ones on top, while scanning every box with the wireless barcode scanner. Aha! It must be the barcode scanner's wireless features that probably latch on to the database server and cause all other requests to fail. Nope. Few tests later I realized it wasn't the barcode scanner since it was behaving pretty nicely. The wireless router and it's UPS in the shipping room were configured right and seemed to be functioning normally too. It had to be something else, especially since everything was working fine just before the hurricane closing.

As soon as the next time out started, I ran into the shipping room and watched the guy load the next pallet. The moment he placed four big boxes of shampoo on the bottom row of the pallet, the database server stopped timing out! This had to be black magic! I asked him to remove the boxes and the database server began to time out again! I did not believe the absurdity of this and spent five more minutes loading and unloading the boxes of shampoo with the same exact result. I was about to fall down on my knees and start begging for mercy from the God of Ethernet when I noticed that the height at which the wireless router was placed in the shipping room was about a foot lower than the top of the four big boxes when placed on the pallet. We were finally on to something!

The wireless router lost the line-of-sight to the outside warehouse anytime a pallet was loaded with the big boxes. Ten minutes later I had the problem solved. Here is what happened. During the hurricane, there was a power failure that reset the only device in our building that wasn't connected to a UPS - a test wireless router I had in my office. The default settings on the test router somehow made it a repeater for the only other wireless router we had, the one in the shipping room. The two wireless nodes were only able to talk to each other when there were no pallets placed between them and even then the signal wasn't too strong. Every time the two wireless routers managed to talk, they created a loop in my tiny network and as a result, all packets to the database server were lost. The database server had it's own switch from the main router and hence was pretty much the furthest node. Most other PC's were on the same 16-port switch so I had no problems pinging constantly between them.

The 1-second solution to this four-hour troubleshooting nightmare was me yanking off the power to the test router. And the database server never timed out again.

Tagline Generator - Timeline-based Tag Clouds

2006-11-14T01:28:26-08:00

Many people have asked me how they can make their own timeline-based tag cloud like my US Presidential Speeches Tag Cloud. After a lot of cleaning up, I've finally released the complete PHP 5 source code that works pretty well with very basic configuration.

The Tagline Generator is a simple PHP codebase that lets you generate chronological tag clouds from simple text data sources without manually tagging the data entries. Once you have populated the data source and configured the generator, it makes a list of all the unique words that have been used and counts how many times each word is used. Next it identifies the different variations of words and combines them under the most common variation using the Porter Stemming Algorithm. E.g. "promised", "promises", "promising", and "promise" might be grouped under "promises".

Then it removes the most common words like "the", "and", "this", "that" and some not so common language-specific words like "hitherto", and "notwithstanding". Once the commonly used language-specific words are removed, it makes a "tag cloud" in which the more commonly used words are shown in bigger font size than the less frequently used ones. Additionally, it tries to figure out how long ago a given word hit its peak usage and brightens the recently used words while fading away words haven't been used in a while.

Demo: To view a demo and start using the Tagline Generator yourself, check out the Tagline Generator page.

Spam Bombed

2006-08-04T08:06:36-07:00

5,666 junk emails in five hours, before I turned off my mail server. Here's what it looks like: Spam Bombed. I need an external MX-based spam filtering company.

Basically the spammers are sending junk email pretending to be me. They used [random_names]@mydomain.com as 'From' to send lots and lots of junk email around the world. Either the receiving servers accept the message or identify it as spam and bounce it back. If they accept it, their mail users will see a spam pretending to come from me. If they bounce it, then I get a copy of the spam attached to the email. No matter what, the spammers get to show their spam to someone. So either way the spammers win. Either way, I lose.

Of course this is distributed junk mailing too. So 100 computers around the world sent hundreds of junk mails in my name. And I get the honor of experiencing the thousands that bounce back.

Anatomy of typical spam

2006-07-15T12:36:15-07:00

I'm often bombarded by over 1000 spam emails per hour on two of my dedicated servers that each host 30-40 domains. Using multiple DNS blacklists and custom filters helps cut that number down significantly, until the spammers find new IPs and new ways to bypass my pattern-match text filters. Every once in a while I look at a few spam emails to see if I can identify new patterns and block the most common ones.

I randomly selected one of the spams I hadn't yet deleted from my Thunderbird junk mail folder and decided to pick it apart. Today, instead of going after common spam words and typical spam subject lines, I wondered if there is a pattern in the headers, the way a junk email travels, that can help me identity and stop spams from IP addresses that haven't been blocked yet. It wasn't until I started running IP WHOIS and domain WHOIS on everything in the email that the truly global nature of spam hit me.

Here's the email I analyzed with complete headers and only a few details [edited] by me. Hover on a link to see the country information. Clicking on links will not do anything, no matter how tempting it is to have perfect sex in your life.

Envelope-to: [edited]@chime.tv
Delivery-date: Sat, 15 Jul 2006 12:02:09 -0400
Received: from [60.6.118.44] (helo=glorymail.com)
	by server.chime.tv with smtp
	id 1G2mal-00062M-W3
	for [edited]@chime.tv; Sat, 15 Jul 2006 12:02:09 -0400
Received: from 200.23.242.202
  (SquirrelMail authenticated user
         [edited]@colourconfidence.com);
  by glorymail.com with HTTP id Ab44qw9z008048783;
  Sat, 15 Jul 2006 16:07:43 +0000
Message-Id: <IOOCIh.squirrel@200.23.242.202>
Date: Sat, 15 Jul 2006 16:07:43 +0000
Subject: Can you satisfy your girlfriend?
From: "Derek" <[edited]@colourconfidence.com>
To: <[edited]@chime.tv>
User-Agent: SquirrelMail/1.4.3a
X-Mailer: SquirrelMail/1.4.3a
MIME-Version: 1.0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Antivirus: AVG for E-mail 7.1.394 [268.10.1/389]


<html>
<body>
Or you are afraid that she meets with someone who is better
than you in bed? Use licensed Viagra and Cialis pills from our
drug store. Now you are the best, you have perfect sex in
your life! That is US Druq store with quaIity ED
medications!<br><br>


CIick here: <a href="http://nnqthf.calmcrush.com/?couacwanoghy">
US Drugs onIine store</a><br><br>


To make your life better .Even your sexuaI partner won't know you
are using Viaqra if you'll buy it here.<br><br>


CONFlDENTlAL and SECURE purchase .lnstant shipping!
</body>
</html>

If that techno-mumbo-jumbo was too dry for your taste, here's the itinerary of the adventurous Ms. S. Pam: Set sails from China [60.6.118.44] on route to United States [chime.tv ?]. While reminiscing the memoirs of her voyage, she strongly recommends you shop at this one store, USDrugs Ltd, that has offices in New York, US and Mumbai, India. And be sure to let the store know she sent you [referrer ID: couacwanoghy] so she gets some brownie points ($$$). The store [calmcrush.com] is in fact owned by a Croatian. Not satisfied with her story of travelling just a few countries, she makes up a saucy encounter story to tease you. Before leaving China, she claims, she had been vacationing in Mexico [200.23.242.202]. It was there that she met a colorful Englishman [colourconfidence.com] and they hit it off. In fact, they had such a glorious time, he even accompanied her half-way into the US [glorymail.com]. And now, she's at your door-step, awating your warm welcome.

Back to techno-babble, now what can I do about it? This one single email shows links to China, United States, India, Croatia, Mexico, and United Kingdom! Clearly the email claims to have originated in Mexico by someone using the web-based SquirrelMail. Unless I'm mistaken, it's saying that a user from colourconfidence.com authenticated with (i.e. logged into) SquirrelMail hosted on glorymail.com servers. In my experience, unless colourconfidence.com and glorymail.com are on the same server (definitely not according to their IPs), it's not possible for SquirrelMail to authenticate. I often log in to SquirrelMail on https://abcd.com using user@xyz.com as long as both abcd.com and xyz.com are hosted on the same server.

Analyzing which servers an email has been through (all the Received: headers) seems pretty much useless because everything except the last one can be faked quite easily. One thing each mail server can do while receiving email is verify if the IP that is sending the email is the same one that received the email in the previous Received: header. E.g., in the above case, is the server that received the supposedly "original" email [glorymail.com] the same as the one that is sending it [60.6.118.44] on to the next one? If no, then either [60.6.118.44] is lying or it is some internally chained server setup that receives emails using [glorymail.com: 69.25.142.7] and forwards it using [60.6.118.44]. I'm sure there are setups like this, but they would normally not be on entirely different IP blocks: [60.6.118.44] vs [69.25.142.7]. With an allowable subnet of 255.255.0.0 between the receiving and forwarding IP, this can in fact work to minmize faking of received headers.

Of course, there's not much spammers gain by faking headers except to confuse a few servers. Once potentially fake headers are regularly blocked, spammers will stop faking and just hit the recipient's server directly, like the next email shows:

Delivery-date: Sat, 15 Jul 2006 14:33:10 -0400
Received: from [88.64.177.85] (helo=S-3QY5813Q55LG1T)
	by server.chime.tv with esmtp
	id 1G1o0v-0005WJ-O7
	for [edited]@chime.tv; Sat, 15 Jul 2006 14:33:09 -0400
From: "Buford" <[edited]@popstar.com>
To: <[edited]@chime.tv>
Subject: Get the freshest But without any results
Date: Sat, 15 Jul 2006 20:36:25 +0200


Yo!
Masculine performance has never been so easy to increase
with these products. Order our magical stuff now for the
amazing prices, and we will dispatch it right away


World famous brands which keep men happy all over the world


See our offer: http://www.sherifidk.com 


We thank you for being interested in our products

All I know here with certainty is that [88.64.177.85] sent me that spam. [88.64.177.85] isn't on SBL/XBL or any other major DNS blacklists. I'm sure it will get on a blacklist if the spam continues, but it does no immediate benefit to me as my mailbox already received 14 spams from that IP address.

Spam is such a big problem because SMTP is so simple. With just a few headers (or commands), anyone can send an email to anyone. It's easy to identify spam when it has lots of headers that raise red flags. But when it's as simple as a "Hey let's have lunch at this restaurant: http://URL" email that your friend might send, how can you block it? More and more I'm noticing, there are no spammy keywords. No Viagra or Cialis. Or \/1aGr4 either. It's plain text with simple URLs with real domains in the "From" header.

Any filters to block simple spams as such will only result in blocking of legitimate emails. There are so many ideas on how to block spam but none work for every occassion. E.g. Hold off emails from first-time senders till they click on a URL to verify their authenticity. Great, more work for sender and impossible for automated senders to verify (i.e. emails from online merchants). Now the receiver has to add every automated sender to some list. Of course, spammers can fake the from address to be same as major auto-senders: checkout@amazon.com. Well, now you start verifying if IP of sender that claims to be checkout@amazon.com is same as that of amazon.com [72.21.206.5]. What happens when Amazon migrates servers to new IP block? Everyone in the world, change your filters. Filters, even highly intelligent ones, are not the answer.

Then there's Sender Policy Framework. It is promising though it has its issues. The biggest problem is of course, getting the entire world to use it - making every sysadmin in the world spend an hour and half to set up SASL SMTP is asking for a bit too much. It can happen but not anytime soon. Especially since Microsoft has, as usual, come up with their own way of doing this: Sender ID.

Comparing implementation, adoption, and technical qualities of both these and many more email authentication frameworks is not my intention today. Today, I just wanted to show how globalized spam is, from origination to destination, from point of sale to the hidden beneficiaries. Moreover, it is next to impossible to fix the problem of spam based solely on the content of individual emails. Or by catching the people that make money through spam. As long as the cost of catching spammers is greater than sending spam, it's not going to happen. Just like corruption has to be fixed from outside the system, so has to be done with spam. While the tech luminaries fight over which framework to adopt globally, I keep getting 40 spams each time I hit "Get Mail."

All I want them to do is just pick one so every one in the world can use it. I don't care if we choose the easy but inferior or select the difficult and efficient framework. Just get on it already. Don't pull an RSS vs Atom, HD-DVD vs Blu-Ray, Kari vs Scottie for no good reason.

Can you stop my spam already? kthxbye!

Please don't lock me out

2006-07-11T13:04:05-07:00

I hate how my /tech 'blog has somehow become a rant against big tech companies' ridiculous policies. Today's star is surprisingly my favorite domain registrar: GoDaddy. I have two accounts and over fifty different active domains registered via them and I love the price, the ease, and the service. Many complain about their service but I've called them over 10 times in last six months and I've had nothing short of a stellar experience and great help each time.

So obviously my rant is towards something else: Namely, their lock-out policy. It is common for OSes, software, and websites to lock your account for about 30-minutes to a few hours if someone tries to log in using incorrect password repeatedly. It sounds like an ideal protection against dictionary attacks and brute force methods. If you forget your password, you have about 3-5 attempts to get it right. If you still can't recall it, it doesn't make a difference if you have to wait for 30-minutes due to lock-out because you need to contact a sys-admin anyway to help reset your password. You have nothing to lose because of a lock-out. After all you forget your password in the first place. If someone else is trying to log into your account by randomly guessing passwords, they will be locked out in just a few attempts and will have to try again later. If this happens, say at your workplace, account locks might even help find who was trying to log in as you. Good security measure.

Where's the problem you ask? When it's a website that anyone in the world can access and in addition to (or instead of) usernames, it uses serial numbers for Customer IDs that anyone can guess. Like GoDaddy. If my username is 'mycompany' and someone wants to login as me, they need to know TWO pieces of information - my username and my password. If they know my username but not my password, they will lock me out for 30-mins to 24hrs by failed login attempts. That's ok. My username is not published anywhere. However, if they can also login using my Customer ID (which happens to be a simple 7-8 digit number), the thieves can unknowingly lock me out with absolutely no prior information. With ZERO pieces of information, they can cause harm to paying customers of a company! Think about the disservice to the real paying customers.

Once a month for the last 3-4 months, someone randomly tries to log in to my GoDaddy account. I doubt whoever it is knows my username or email. Chances are they just make a random 7-8 digit number and try a bunch of different passwords. They fail (thankfully) and GoDaddy locks me out (unfortunately). Now I'm prevented from buying a new domain for next few hours through no fault of mine. I have to call GoDaddy, go through the Reset-My-Password process, and come up with a new strong password each time just to log into my own account. I am now mad at GoDaddy because of some script kiddie in Indonesia. If this persists, I will consider switching registrars. With over $1500/year of my money going to GoDaddy for domain registrations, domain transfers, and SSL certificates, I expect 24/7/365 access to my accounts at my fingertips.

Dear Bob Parsons, I love reading your 'blog. Keep it up. However, make it so that nobody else in the world can lock my account just by guessing random numbers. I can go to GoDaddy right now and lock out whoever Customer ID 4294659 (or 50301231 or 89412123) is by trying to log in a few times with that ID# and password "HAHA!" If the poor schmuck that has that Customer ID tries to buy www.new-special-domain.com in the next 24-hours, GoDaddy won't let him even login. Business lost. Paying customer angry.

Solution is to require a strong password (and GoDaddy already does when you have a credit-card on file) and stop locking accounts when a Customer ID is entered. Keep locking if invalid username/passwords are entered if you want, but never if invalid customer#/password is entered. Thanks.

Irony at Enterprisingly Mobile speeds!

2006-05-05T13:35:45-07:00

It is hard to believe that in this era of instant-everything, there exists a modern technology company ushering the next generation of security and identification tools that is for some reason putting me through an archaic process just so I can get a minor upgrade.

I wanted to reprogram the awesome barcode scanner that I've deployed at my work: Symbol PPT8846 Wireless (8800 = batch, 8846 = wireless) and instead of regularly deploying minor updates to the scanning software, I now want to create a web application that runs on an Intranet server and can be accessed wirelessly by the barcode scanner. That way when business needs change, I simply change the code on the web server and instantly all the barcode scanners adapt to the new system. Having already programmed the barcode application in .Net CF using Symbol's SDK, I figured this would be as easy as adding a WebBrowser control to the .Net application and using Navigate("http://myserver/"). Except after much time-wasting I find that I need to upgrade the OS on the device from Windows CE .Net 4.1 to 4.2.

Symbol offers the upgrade for a $25 fee. Sure sounds fair. It'll make my life easier and pay for itself immediately by saving hours I spend updating and deploying software. Except I can't buy the upgrade on symbol.com - they stopped processing credit cards! I had to go through a reseller (highly-recommended, got my hardware from there). This software isn't sold online so I ended up calling. The order took just minutes to place and I clicked 'Send and Receive' on my email client so I can get the URL to download the software. After five minutes and no URL, I called up the reseller to ask why I never got the email with the URL. That's when I found out the most hypocritical order-processing system an "Enterprise Mobility" company can implement: "Yeah. We've sent your order to Symbol. And THEY will send you an email within 3-5 business days with the URL to download the upgrade. It is completely out of our hands as a reseller and trust me, we hate this slow system too. Thanks, can I help you with anything else?"

So let me get this straight. Symbol.com, a technology leader in barcode scanners, RFID readers, and hand-held devices, takes THREE to FIVE DAYS to send me an email with a URL to download a single FILE????? I am not an impatient person. I can wait three weeks for Dell to assemble my new NAS device. I can wait a week for a vendor to mail me a DVD. However, I CANNOT wait FIVE DAYS to download a file that I have already paid for and should be able to download instantly. I'm sorry but this is absolutely pathetic and completely backwards for a company that has executive-level speakers going around the world giving seminars on expediting order-processing.

If you asked me what's the definition of irony, this is it, at it's finest. Last month I attended a very informative seminar hosted by a Symbol speaker. He was indeed very experienced and clearly explained what RFID can or canot do. The #1 thing he mentioned though is that by using Symbol's RFID tools, one can ensure immediate order-processing because out-of-stock inventory can be a thing of the past. Order-processing! Order-processing! That's what Symbol wants me to improve. And they take just "3-5 business days to send me an email..."

*sigh* I still love the Symbol products. The technology really is good and very developer-friendly. Highly-recommend the PPT8846. Works great without any problems. Symbol support even replaced an internal battery for free when it was failing.

Update - May 8th 2006, 3pm: I received the download file from Symbol and am in the process of upgraging the OS. Even though I got the file much earlier than I was told to expect it, the fact of the matter still remains - no automated way to download online purchases.