Matching Pair 1.1

Matching Pair is an iOS game for all ages.  The objective is to find all matching pairs from a set of playing cards that has been randomly shuffled.  A matching pair consists of two cards that have the same color and rank.  For example, the King of Hearts and the King of Diamonds are a matching pair, since they are both red cards and they are both Kings.

Version 1.1 will soon be available for download on Apple’s iTunes App Store.  Download version 1.0 now to get version 1.1 as a free upgrade.

Matching Pair 1.1 includes critical bug fixes, usability enhancements and social network integration. Specifically this release:

  • Fixed bugs that periodically caused the application to crash when the user is logged in to Game Center.
  • Integrated with Facebook to allow the user to share game results with friends on Facebook.
  • Added Settings screen to allow the user to change game settings, reset Game Center Achievements and login/logout from Facebook.
  • Improved playability by automatically closing one of the face-up cards (new setting), when the user selects another card with 2 cards already opened.
  • Introduced different levels of gameplay by adding a new ‘Match Color Pair’ setting that allows the user to specify whether a matching pair must have the same color.
  • Added 2 additional Leaderboard categories for games played with the ‘Match Color Pair’ setting turned OFF.

For more information, check out the Matching Pair Product Page.



Dissecting a Phishing Scheme

Phishing is a scheme used by identity thieves to steal private information such as login credentials, credit card numbers, and social security numbers.  They impersonate legitimate websites such as banks and online commerce sites, and they use that facade to trick ordinary people like you and me into divulging the private information.

Just today I received an email in my Yahoo account claiming to be Customer Service for PayPal, requesting that I update my PayPal account ASAP for security reasons.  The email seemed legitimate at first.  Check out the screen snapshot of the email (to the right) and be the judge yourself.  Upon further inspection, I noticed some subtle warning signs.  The email came from the domain and the reply-to email is set to; nothing that suggests the email came from PayPal.

Furthermore, the entire email is actually constructed as an image that’s hyperlinked to the Phishing site.  It’s almost impossible to click on the email body without getting redirected to the Phishing site.  Luckily, most modern Web browsers (I’m running Safari 4.0 and Firefox 3.6 on Mac OS X) have built-in security that detects and warns against visiting a Phishing site.  Notice the Phishing website’s domain name doesn’t match the domain name for PayPal (, yet another warning sign.
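The warning signs described above (a sender and reply-to domain unrelated to PayPal, and a body that is a single hyperlinked image pointing at a non-PayPal site) can be checked mechanically.  The following Python check is an added example, not part of the original post; the sample message and every example.* host in it are constructed placeholders, and the label names are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message; every example.* host is a placeholder.
SAMPLE = '''\
From: "PayPal Customer Service" <service@mailer.example.net>
Reply-To: collect@inbox.example.org
Subject: Update your account
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://account-update.example.com/"><img src="http://img.example.com/notice.png"></a></body></html>
'''

class BodyScan(HTMLParser):
    """Collect link targets, images wrapped in links, and visible text."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.linked_imgs, self.text_chars, self.in_a = [], 0, 0, False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.in_a = True
            self.hrefs.append(attrs["href"])
        elif tag == "img" and self.in_a:
            self.linked_imgs += 1
    def handle_endtag(self, tag):
        if tag == "a":
            self.in_a = False
    def handle_data(self, data):
        self.text_chars += len(data.strip())

def in_domain(host, domain):
    """True if host is the domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def addr_host(header_value):
    """Domain part of the address in a From/Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2]

def warning_signs(raw, brand_domain="paypal.com"):
    """Return the warning signs present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    signs = []
    if not in_domain(addr_host(msg["From"]), brand_domain):
        signs.append("from-domain-mismatch")
    if msg["Reply-To"] and not in_domain(addr_host(msg["Reply-To"]), brand_domain):
        signs.append("reply-to-mismatch")
    scan = BodyScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            scan.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    # A body with linked images and no visible text is the "email as one image" pattern.
    if scan.linked_imgs and scan.text_chars == 0:
        signs.append("image-only-linked-body")
    if any(not in_domain(urlsplit(h).hostname, brand_domain) for h in scan.hrefs):
        signs.append("link-domain-mismatch")
    return signs

if __name__ == "__main__":
    print(warning_signs(SAMPLE))
```

An empty result is not proof of legitimacy: the From header can be forged, so these checks complement sender authentication (SPF, DKIM, DMARC) rather than replace it.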

In the spirit of investigative journalism, I ignored the browser warnings and proceeded to visit the Phishing site.  The screen snapshot (to the right) shows a website impersonating PayPal’s home page.  Upon further inspection, the site appears to be constructed using screen snapshots of PayPal’s website.  Very deceptive.  Unfortunately, if you try to log in (please do not try it) with your credentials, you have just compromised your PayPal account.

So I logged in with a bogus Username and Password, and the Phishing site happily accepted it.  The site proceeded to request more information from me, claiming it will be used for identity verification purposes only.  The screen snapshot (to the left) shows a web form that attempts to collect the most sensitive and private information for verification purposes:  date of birth, mother’s maiden name, home address, bank name, credit card number, ATM PIN, and Social Security Number.  Are you kidding me?  Of course, I didn’t provide the requested information.  Here ends my investigative work.

Unfortunately, Phishing schemes and scams are becoming too prevalent.  By the time I published this blog (12 hours after receiving the email), I noticed the Phishing site had been removed.  Hopefully, the site was removed by the good guys before too much damage was done.  Regardless, I wrote this blog as a way of educating myself as well as my friends and family members who read my blogs.  Phishing comes in various forms, and the identity thieves are constantly reinventing themselves.  To protect yourself, please become educated and be vigilant on the Web.

If you find this Blog useful, please forward it to others who may benefit from learning more about one of the most common threats on the Web.  Please feel free to share your experience in the Comments field below.

To learn more about Phishing schemes and ways you can protect yourself, check out the following resources:

An Earthquake for the New Year

Just moments ago, I felt a tremor while working in my home office.  Both the ground and the walls shook.  It lasted for about 6 to 8 seconds.  Before I could react, it was over.  For those of us who live in the San Francisco Bay Area, we know exactly what we felt.  It was an earthquake.  In fact, a number of you quickly posted your reactions to Facebook.

I guesstimated that it was no larger than a 4.5 quake.  To verify, I visited the USGS Website.  USGS rated the quake at 4.1.  On the website, USGS also provides a Did You Feel It tool that allows anyone to report an earthquake.  By answering a number of questions (6 pages worth of voluntary data), you help to define the location, duration, and the intensity of the quake.  I was among the first to submit the form for today’s quake.  But amazingly, over 10,000 people also reported the event using the tool within the first hour.

The map on the right (above) visualizes the earthquake’s intensity as defined by the thousands of people who reported the event.  The chart on the left defines the intensity relative to the distance from the quake’s epicenter.  I downloaded the snapshot around 10:50am, although the original map on the USGS site continues to be updated as more people report the event.

As a long-time resident in earthquake country, I think it’s pretty cool that we the community can help in gathering data for tracking and measuring earthquakes when they occur.  Maybe someday in the near future, we will be able to help in predicting earthquakes as well.  So the next time you feel a tremor, first ensure your and your family’s safety.  But don’t forget to ask yourself and others:  Did You Feel It?

CalDAVing my Calendars

With my iPhone, I now have access to view and update my personal calendar whenever I need it.  Previously, I relied on my work calendar to track the personal events that occur during normal business hours, e.g. dentist appointments.  Outside of work, I maintained a separate calendar on my personal laptop for tracking personal activities (outside of business hours) and recurring household events such as wedding anniversary and birthdays.  However, unless I was in front of a computer, my personal calendar was generally inaccessible to me.  I needed a better solution for managing the various calendars that run my life.  With the help of the Internet, I’m able to set up a system that provides access to my personal calendar whether I’m working, at home, or on the road.

By using Google Calendar as a centralized repository, I’m able to view and update my personal calendar from my iPhone, the iCal calendar on my laptop as well as the iCal calendar for work.  Both iPhone and Apple’s iCal calendar support CalDAV, an Internet protocol for accessing and managing remote calendars.  Since Google Calendar also supports CalDAV, I’m able to subscribe to my Google Calendar from my CalDAV-enabled clients.  Google provides some very helpful Web pages on connecting to Google Calendar from both iPhone and iCal.  I have also found useful resources in the blogosphere.  The setup for connecting all 3 CalDAV clients, including testing, took less than 1/2 day.  Once I migrated my personal calendar onto Google Calendar, it was viewable from my iPhone as well as the iCal calendar on both my personal and work laptop.  Even better, when I add, update or delete an event from my Google Calendar using any of the 3 calendar clients, it automatically propagates to the other 2 calendars.

For really sensitive or personal events, I’m choosing to use a local calendar (doesn’t sync with Google Calendar) on my iPhone or the iCal calendar on my personal laptop.  The iPhone and iCal calendar are synchronized whenever I update my iPhone via iTunes.  Given I largely leverage Google Calendar for my personal calendar needs, this setup has worked very well for me so far.  The only noteworthy gotcha was the duplicate alerts on newly created events.  I soon realized that Google Calendar was assigning a default alert, in addition to the one set by the CalDAV client.  In my case, the remedy was to simply disable the default alert in Google Calendar.  Although I’m very happy with the current setup, I look forward to spending more time learning about CalDAV.  Given its flexibility, I anticipate it will make it possible to  interconnect my calendar with my friends and family members to ease planning of special events.

Stay on the “Happy Path”

Do you use Google to search the Web?  Isn’t it great that Google returns a search result of relevant information for just about anything that you enter?  In software engineering, there’s a term that describes such a predictable and reliable outcome.  It’s called the “happy path” and it defines the default user experience when the software works as intended.  I first learned about it in college.  It has been a while, but I think the subject still has a lot of relevance today, especially in Web application design.

Imagine your reaction if Google errors out or returns no search results every other time you use it.  That would not be a good user experience.  So how do you factor the happy path into the design and the implementation plan for your application?  Whether you are building a Social Media Website or an IT application for internal consumption, the process starts with good product or business requirements.  When you write the high level requirements and use cases, you are defining the happy path.  Good requirements should specify how the application processes the end user’s request to deliver a user experience that meets or exceeds the end user’s expectations, focusing on the desired functionality.  In the case of Google Search, I’m guessing that the original requirements may have been written as follows:

Build a search engine with a simple user interface that accepts the user’s input, intelligently determine the most relevant Web resources, and present the user with the search results sorted by popularity.

Good requirements also facilitate great design.  When evaluating your design options, you should focus on a design that engages the user and keeps the user on the happy path.  Some Web applications call for rich interactions (RIA).  In the case of Google Search, a simple design seems to work very well too.  Either way, a streamlined user experience will definitely appeal to the users and enhance conversion rates.  Your design should also account for how the application recovers when something goes wrong.  There’s a popular saying, “Sh*t happens”, and it definitely applies to anything on the Web.  Most users will tolerate some mishaps, but you really should do your best to minimize the impact to the user experience.  Your average Joes won’t put up with HTTP 404 or 503 errors, but they will appreciate good humor such as the case with the Twitter Fail Whale.

Finally, how do you ensure that you are on target with your design?  It is important to test out the new functionality and verify the outcome against the original requirements.  In-house User Acceptance Testing (UAT) is a common practice for IT applications, and external Web applications without established communities.  Since UAT involves a controlled group of testers (generally superusers), be sure to provide all users with a feedback loop.  Public beta testing and user-driven designs seem to be very popular among Web 2.0 applications.  GMail, which was launched in 2004, has retained its beta status despite its success and mass adoption.  Facebook, with over 200 Million users, engages the user community through the Facebook Blog.  Both are tremendously successful in attracting and retaining users.  Although there’s not a singular approach to engineering great solutions, there’s definitely one common theme:  Stay on the happy path.  After all, who doesn’t appreciate software that simply works?

My April Fools Day

Yesterday, I experienced April Fools Day in all its glory.  Like the day before, I was taking CalTrain to San Francisco to attend the Web 2.0 Expo.  It was only the 2nd day of the conference, but I felt I was starting to develop a commuter’s routine.  Unlike the day before, I decided to park at the nearby free parking lot which required an extra 3 minutes’ walk to the Sunnyvale CalTrain station.  Unfortunately, I didn’t pad my travel time.  By the time I arrived at the train station, the 7:13am express train had arrived.  I tried to rush thru the ticket purchase process, hoping still to jump on that train.  As I completed the electronic ticket purchasing process, the train doors had closed.

So I missed the 7:13am train, but luckily the next train arrived at 7:18am.  I jumped aboard thinking I would still arrive in San Francisco by 8:20am in time for the first conference session that starts at 8:30am.  As the train pulled away, I inspected my ticket and realized that I hadn’t purchased enough fare.  The CalTrain fares are based on zones.  To travel from Sunnyvale to San Francisco and back, I needed to purchase a round trip ticket from Zone 3 to Zone 1.  In my rush to make the 7:13am train, I had purchased a round trip ticket from Zone 3 to Zone 3; not so smart without my morning Starbucks.

I decided to jump off the train at the Mountain View station to purchase additional ticket fare, since you cannot purchase tickets onboard (VOC to CalTrain:  How about placing a ticket machine aboard the train for people who forget to buy the ticket at the station?).  Of course the ticket machine wasn’t nearby, so I needed to run to the machine and rush thru the ticket purchase process again.  This time, I managed to purchase the correct ticket fare.  Except as I turned around, the doors on the train had closed.

By now, I was starting to realize that this was no ordinary day and that somebody (perhaps myself) was pulling an April Fools joke on me.  The next train (at 7:37am), a local commuter train, would take me to San Francisco by 8:48am, so I opted to wait for the 7:57am express train that eventually got me to San Francisco by 8:42am.  For 1/2 hour, I waited at the Mountain View station, enjoying the fresh morning air and the free WiFi courtesy of Google.  It also provided me with the time to pause and reflect on the experience.

So why didn’t I give myself more time yesterday?  This morning, I was determined to not repeat yesterday’s mistakes so I left the house 5 minutes earlier.  By the time I arrived at the station and purchased my ticket, there was still 1 minute to spare.  Through iteration, I think I have finally perfected my commuter’s routine.  Unfortunately, the Web 2.0 Expo ends tomorrow.  As I wrap up this blog entry (aboard the CalTrain ride this morning), I believe there are a lot of lessons to be learned from sharing this experience.  Of course, I hope you enjoyed my April Fool’s Day story as well.

Embargoed Countries & Software Downloads

Recently, there has been lots of news coverage on the Russian warships visiting Cuba.  The event has renewed memories of the Cuban Missile Crisis and the Cold War, which led the U.S. to impose a permanent economic sanction and trade embargo on Cuba.  While the original embargo was oriented towards import and export of certain goods between the US and Cuba, over time the scope of the ban has been extended to cover most products and services including technology products such as computer software.  Similarly, the US government has mandated embargo treatments for several other countries as well.

If you work in the software space and you deliver or receive your software electronically, you may have unknowingly been subjected to these embargoed country checks.  U.S. based companies and their international subsidiaries are required by U.S. laws and regulations to take appropriate measures to comply, by restricting software delivery to non-embargoed end users.  Depending on your business model, targeted markets, business volume and risk tolerance, the compliance mechanism can span the spectrum from manual verification for low volume offline channels, to fully integrated solutions for high volume electronic software delivery.  If you are a Sun customer, partner or employee, please be aware of Sun’s policy on this matter.  By the way, this is my personal Blog and it does not necessarily reflect Sun’s official views.

Unfortunately, the embargoed country check applies to even “free” software delivery, where no actual commerce is conducted.  Since most of these software downloads tend to be anonymous transactions, the end user’s country is generally determined based on the end user’s IP address.  Vendors such as Digital Envoy and Quova offer IP geolocation services that fulfill such business needs with a high degree of accuracy.  Most CDN providers (e.g. Akamai) also bundle IP geolocation into their download services.  But because the Internet is constantly growing and evolving, false positive matches do occur, denying legitimate end users access.  For these rare events, it’s important that a closed loop process is in place to address the end users’ needs in a timely manner and to minimize the business impact.

While I understand the government’s intention in imposing trade embargoes and economic sanctions on selective countries, I question the actual value when it starts to impede the freedom and the inclusiveness of the Internet.  Try to visualize the Internet experience from the perspective of the children in these embargoed countries.  Educational and children’s Web sites like and depend heavily on software such as Java and Adobe Flash to provide an enriching and interactive experience.  Yet, it seems quite silly that these children would be banned from downloading this commonly distributed software.  That would be like watching TV in black and white, while the rest of the world enjoys the vividness of high definition (HD) TV.

I’m not a lawyer, nor do I fully understand these government policies in detail.  Perhaps I’m under-appreciative of the potential risks that companies subject themselves to, by not complying with the letter of these laws.  However, it just seems like the affected parties are not necessarily the intended parties.  After all, there are ways to circumvent or spoof the embargoed country check mechanisms.  My point is that while compliance is important, companies operating on the Web should strike an appropriate balance between compliance with government laws and regulations, and the voice of the under-represented user communities.

Do you have any thoughts on this subject?  Please feel free to share your thoughts in the comments field below.