
One Man Photoshop: Pixlr is Slick

New online image editor Pixlr is closer to Photoshop than Adobe’s web-based Photoshop Express. And Pixlr was created by one person.

Sweden-based developer Ola Sevandersson spent a year writing–and re-writing–his Flash-based image editor. He also maintained a full-time job as the development manager for a Swedish web community.

The reason Pixlr feels so much like a desktop app may be its menus. The standard top bar begins with File. Creating new images, or loading from your computer occurs via this menu, and it doesn’t feel buggy (except I cannot load in an image now, which could be caused by all the attention this project is receiving today). Other online image editors use HTML forms for uploading, or partially implement the desktop menu metaphor.

Maybe the best part: Pixlr is the only online image editor I’ve seen that has layers, which is a necessary feature for all but the most basic of edits. Yes, there are still some features missing, but this is already more usable for me than Photoshop Express, and other online photo editors. See links to our coverage of Pixlr’s competitors at the bottom of this post.

Webmonkey had a chance to talk to Sevandersson about Pixlr, his development process, and what he has planned for the tool.

How is Pixlr different from Photoshop Express?

The difference between PSX [Photoshop Express] and Pixlr is that while Adobe doesn’t want to create a free online replacement tool for their Photoshop Elements and other licensed software, I just want to create an online tool that will satisfy 80% of photo enthusiasts’ needs. I am well aware that there is much more work left to do before Pixlr will accomplish what Elements does, but this is just the first beta launched.

How long did it take you to write Pixlr?

Yes, the first line of code was written in August 2007, but it was not full time and done by a single person. The code was rewritten several times to get the overall performance up and the app to work. To get the performance up and keep the size down I have written all of the controls myself and not used the built-in Flash controls.

Any plans to make money? A year is a long time for just a labor of love…

All you need is love and I love bitmap algorithms. The plan for Pixlr is to license the techniques and do small app spin-offs, and there are some ideas of a PRO app (Maybe on the desktop?).

What other features are coming soon?

Crop tool, text tool and more auto adjustments are the first things in the development plan. API and other development tools are on the wish list too.

The dotted line [to show selection as the user drags the mouse] will be added soon. Some features were ignored in this release, I just wanted to get the application out to the public so I could get some feedback and know if I was going in the right direction with the product.




Why You Should Turn Gmail’s SSL Feature On Now

Let’s talk security and why you should take advantage of Gmail’s recent SSL feature, and why you might want to be careful using other non-SSL webmail services.

But first, make sure your connection is secured using SSL.

How do you know a connection is secured by SSL? The handy “s” after “http” will tell you. For example, https://mail.google.com is encrypted while http://mail.google.com is not. You can force an encrypted connection by adding the “s” yourself, or by turning on “Always use https” from the Browser Connection settings of your Gmail account.

Why? Because without it, anyone can easily hack someone’s account and in two weeks it is going to get even easier. Mike Perry, a reverse engineer from San Francisco, announced his intention to release his Gmail Account Hacking Tool to the public. According to a quote at Hacking Truths, Perry mentioned he was unimpressed with how Google presented the SSL feature as less-than-urgent. It is urgent, and here’s why.

Before Gmail released the ability to automatically encrypt your Gmail connections, your browser/server interactions went something like this:

Your Browser: Hey there Gmail, I want in. Here’s my encrypted login.
Gmail Servers: Hey there, browser. I see your encrypted login fits what I have here. If you want to keep talking to me, I will need to see proof of your login, but don’t bother encrypting it for me. Here is your unencrypted email.

Your Browser: Great. I want to read this particular email, my Gmail login is: webmonkey@wired.com and my password is: monkeylove. My name is John Hanks Doe and my social security number is 123-45-6789.
Gmail Servers: Sure, here you go. I see you are leaving for vacation with the house unlocked this weekend. Say, is this your credit card information?
Guy packet sniffing your wi-fi from Starbucks: Cool!

It’s a little more complex than that (and a little less goofy and dramatic), but the theory is sound. Using encryption at login only is the equivalent of setting up a toll booth in the desert.

Here’s the exploit: All it takes to steal someone’s Gmail login account is to intercept any transaction, since every single one, even a request for an image, passes a cookie which contains the session information.

Spoof the session, and you get free rein over the account — including the ability to change your password. Every non-SSL session is in plain text. With a little determination, any bored, disaffected youth could read your email and change your password within a day. Is it really that easy? Here’s a useful tutorial we found via Google search. When the Gmail Account Hacking Tool is eventually released, it couldn’t be any easier.
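As an added illustration (not part of the original post and not Gmail's actual cookies), the sketch below models the browser rule behind this exposure: a cookie set at login without the Secure attribute is attached to every later http:// request, while a Secure cookie travels only over https://. Cookie names, values and host names are constructed, and domain and path matching are left out.

```javascript
// Added example: constructed Set-Cookie headers, not real Gmail traffic.
// Cookie names, values and URLs are hypothetical.

// Parse one Set-Cookie header value into { name, value, secure, httpOnly }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    secure: false,
    httpOnly: false,
  };
  for (const attr of parts.slice(1)) {
    // Attribute names are case-insensitive; flags carry no value.
    const key = attr.split('=')[0].trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'httponly') cookie.httpOnly = true;
  }
  return cookie;
}

// Apply the browser's sending rule to a list of later requests and return
// every (url, cookie) pair that would cross the network unencrypted.
function cookiesSentInCleartext(setCookieHeaders, requestUrls) {
  const jar = setCookieHeaders.map(parseSetCookie);
  const exposed = [];
  for (const url of requestUrls) {
    if (new URL(url).protocol !== 'http:') continue; // sent over SSL
    for (const c of jar) {
      if (!c.secure) exposed.push({ url, cookie: c.name });
    }
  }
  return exposed;
}

// Constructed login response: one session cookie lacks Secure, one has it.
const LOGIN_RESPONSE = [
  'SESSION=abc123; Path=/; HttpOnly',
  'SESSION_SSL=def456; Path=/; Secure; HttpOnly',
];

// Constructed follow-up traffic: an encrypted page and a plain-HTTP image.
const LATER_REQUESTS = [
  'https://mail.example.test/inbox',
  'http://mail.example.test/images/logo.gif',
];

console.log(cookiesSentInCleartext(LOGIN_RESPONSE, LATER_REQUESTS));
```

Only the cookie without Secure shows up, and only on the plain-HTTP image request; forcing every request onto https:// empties the list.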

With SSL, however, the interaction looks something like this:

Your Browser: xz6RV-BRJViqzNJROECslw
Gmail Servers: jx3iC96D3kuZ_IWNrK461w
Your Browser: PxIryG_P3_3_vRENZdWxMQ

The real thing would be even longer, and perfectly unreadable. SSL requires a key generated on your end and on the Gmail server’s end. There’s no way for the local guy at Starbucks to get those keys and decrypt the data by packet sniffing.

Makes you feel a little vulnerable knowing all your public information was so nakedly exposed over the past few years, huh? Did Google know about this?

It turns out they were well aware of it. The reason Google didn’t grant users the SSL feature before, according to Perry, was because SSL is expensive. It takes a lot of bandwidth and time on both the receiver and transmitter sides to generate keys and encrypt data. Slower data connections would experience a lagging Gmail experience.

Packet sniffing for session information is not a new thing, and is bound to get even more familiar due to how easy it is. Keep in mind, it is not just Gmail which passes account information outside of SSL encrypted connections. There are many sites around the internet that are still vulnerable to this exploit. Protecting your wifi connection with WEP isn’t foolproof either. Your best bet is to use SSL whenever you are transferring information valuable to you, and to avoid sites that don’t use it at all.

[Thanks to Hacking Truths for the tip.]




Joke for Nerds: The Humor in Source Code

Who says programmers can’t be funny? True, browsing through source code will more often bring tears than smiles, but that doesn’t mean there aren’t some great nerd jokes to be found in the software that powers the web and your desktop.

A Reddit user recently posed the question: What’s the funniest code you’ve ever read? Submissions are still pouring in, but here are a few highlights: did you know that the source code for the shutdown command in OS X calls a function named die_you_gravy_sucking_pig_dog()? Or how about mod_python’s assbackwards Request Object attribute?

For something a bit more on the not-safe-for-work side, check out some of the original code to Netscape Navigator 4, before Netscape’s lawyers censored out the profanity.

If you enjoy nerd humor — and we’ll admit, this is pretty much as nerdy as it gets — head on over and browse through some of the other gems that various programmers have posted.

[comic from Xkcd]




CSS: Should You Use a Framework or DIY

Working with Cascading Stylesheets is no easy feat. Between browser differences, varying site design requirements and client whims, writing reusable CSS can quickly become a frustrating process. CSS frameworks are one attempt to solve these and other common problems, but they are not without their own controversies.

Purists and those hyper-concerned about semantically valid markup often decry the class names and arbitrary div tags that frameworks seem to encourage. At the end of the day though, the truth about frameworks may be simply that your own is better than any stock version.

CSS guru Eric Meyer recently compared a number of popular CSS frameworks (including our favorite, Blueprint) during a talk at An Event Apart San Francisco, concluding that the one that’s right for you is… none of the above. Designer Jeremy Keith was there for the talk and offers a shorthand transcript, along with his own thoughts, on his blog.

While Meyer admits there are some uses, like quick prototyping or as a starting point for ideas, he feels that frameworks, much like HTML templates, aren’t a viable solution for most professional designers.

That isn’t to say you can’t take the elements of a framework you like — say a group of reset rules or font baseline rules — and hack them to suit your own work. In other words, there’s nothing wrong with reusable code, but the best reusable code is stuff you’ve written.

When I first encountered it, the Blueprint framework seemed like a brilliant idea. However, having now used it in a few projects, I often find myself fighting it as much as I’m using it. In the end I’ve found that the best solution is, as Meyer suggests, pulling out the elements I like and ditching the rest.

What sort of frameworks are you using or avoiding in your work?

[via Jeff Croft]




‘Roach Motel’ Links Threaten to Undermine Web Foundations

At its core, the web is little more than a collection of links — pages strung together by interwoven, linked text. For search engines like Google these links are vital in determining the most relevant results for your query.

But what happens when links start to become more self-referential? That’s the question posed by Tim O’Reilly, who sees an alarming trend: sites like the New York Times, BusinessWeek and TechCrunch are starting to link to their own writing about other sites, services and companies rather than to those outside sites directly.

O’Reilly is worried that this trend will lead to what he calls “roach motel” links — all internal links that do little to help the user and exist primarily for search engines. “When this trend spreads (and I say “when”, not “if”),” O’Reilly writes, “this will be a tax on the utility of the web.”

He goes on to say that if such links are “purely designed to capture additional clicks, they will be a degradation of the web’s fundamental currency, much like the black hat search engine pages that construct link farms out of search engine results.”

It is certainly annoying when you expect a link to, say, Google, to take you to the Google homepage and instead you find yourself on a Monkey_Bites post about Google. But, if history is any indicator, it seems that Google and other search engines are pretty smart about these sorts of things — especially since the link text offers an immediate clue as to where the link “should” point.

While trying to capture as much link traffic as possible and routing it to your own site may seem like a good idea now, there’s no telling when a few tweaks to the algorithms will make it hurt, rather than help, your search engine ranking.

As for O’Reilly’s suggestions for those practicing these sorts of “roach motel” linking schemes, they’re good advice, but for the most part, as a content creator, you know when links should point out — ignore your instincts at your own peril.

[Photo Credit: Piutus, Flickr.com]




Muxtape Shuts Down to Deal with RIAA

Muxtape, one of our favorite ways to share playlists, has temporarily shut down due to unspecified pressures from the Recording Industry Association of America (RIAA). The company’s blog assures users that the shutdown is not permanent and Muxtape will eventually return.

Muxtape is one of many services that offer streaming music from user-created playlists — you upload the MP3 files, and others can listen to them, but there’s no built-in way for anyone to download the tracks.

While the company has offered few details about what is behind the shutdown, it’s not hard to imagine that uploading MP3s rubs the RIAA the wrong way. Many similar sites (like Favtape) use Seeqpod to serve MP3s, allowing them to sidestep concerns about hosting actual song files.

The Muxtape blog did offer a small update late yesterday evening saying, “No artists or labels have complained,” and reiterating that “the site is not closed indefinitely.”

Another possibility is that Muxtape has run afoul of the licensing fees associated with streaming audio — the same problem that’s haunting Pandora. However, broadcast fees are generally handled by SoundExchange and not the RIAA.

Whatever the cause, at least for now, there’s no Muxtape for you.




Sizzle or Fizzle - Will Yahoo Users Buzz Up?

Today Yahoo opened up their Digg-esque Buzz tool to allow links to any site. Previously, only about 400 publishers were included in the service (100 when it first launched). By allowing anyone to post to Buzz, Yahoo is possibly gaining better content, but also creating opportunities for gaming.

Digg has created a complex algorithm to attempt to combat spammers. The prize for making a link popular on Digg is a trip to its homepage, ensuring oodles of traffic for the linked site. Those that make it atop Buzz could find themselves with a real treat: a prime spot on the Yahoo home page. As Crocodile Dundee might say, “That’s not traffic, this is traffic.”

There’s no doubt, Yahoo is bringing Web 2.0 to the masses. The big question remaining is do they want it? Even though Digg has been doing this for years, it’s important to remember this is brand new territory for most of Yahoo’s user base. It’s still not clear if they’re comfortable “buzzing up.”

During the six months that Buzz was exclusive, Yahoo must have performed many tests to determine that its users wanted to participate. Prior releases would suggest the outcomes of these tests must have been positive.

One upside to Yahoo Buzz is that it’s so far not self-referential. If Digg had an announcement as big as this, you’d bet the home page would have Digg stories galore. That may just take time; the Up and Coming buzz shows a Buzz story is on the way.

As we mentioned when Buzz launched, it has some features that set it aside from Digg. There are a number of factors other than buzzing up that decide what makes it to the top of Buzz. Many of those metrics are Yahoo-specific, such as searches on Yahoo search and the number of times users email the page to friends.

I’m not convinced Yahoo Buzz will be successful as a destination, but the tool could be sprinkled throughout the other channels, similar to Yahoo Answers.

This news for publishers can only be positive. This is another way to get your content out there, and Yahoo’s audience of a half billion is a mighty number. In fact, why not buzz this post now?

[Full disclosure: Wired.com was one of the 100 publishers participating in the beta phase of Yahoo Buzz. Wired is also owned by Conde Nast, which operates Reddit, a potential competitor to Yahoo Buzz.]

[via ReadWriteWeb]




iPhone Bug Fixes in 2.0.2 Update

iPhone 2.0.2 software update is now out and available for all iPhones. It’s been two weeks since 2.0.1 was released.

It’s 248.7 megabytes. On my wifi connection, it takes about 20 minutes to download. According to Apple, this is what it is for:

“Bug Fixes.”

Same as 2.0.1. Case closed.



Four Regular Expressions to Check Email Addresses

How do you find out if a user has entered a valid email address? Do you check for an at-sign, or is it more complicated? For many developers the answer is a regular expression, a little bit of code that can describe text patterns using wildcards and other special characters. If you’re new to the topic, we have a great regular expression tutorial.

Here are four regular expressions (often called regexes) that all validate the format of an email address. They have increasing degrees of complexity. The more complicated, the more accurate each is at matching only email addresses.

1. Dirt-simple approach

Here’s a regex that only requires a very basic xxxx@yyyy.zzz:

.+\@.+\..+

Upside: Dirt simple.

Downside: Even invalid email addresses like xxxx@yyyy.zzz, or even a@b.c, make it through.

2. Slightly more strict (but still simple) approach

Regular-Expressions.Info provides a basic email validation regex that tries to be a little smarter:

[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}

Upside: Only allows email address-friendly characters, restricts domain extension to only two to four characters.

Downside: It still allows many invalid email addresses, and misses some longer domain extensions (.museum, for example).

3. Specify all the domain extensions approach

Reddit user teye points to his regex, which only allows domain extensions that actually exist:

([a-z0-9][-a-z0-9_\+\.]*[a-z0-9])@([a-z0-9][-a-z0-9\.]*[a-z0-9]\.(arpa|root|aero|biz|cat|com|coop|edu|gov|info|int|jobs|mil|mobi|museum|name|net|org|pro|tel|travel|ac|ad|ae|af|ag|ai|al|am|an|ao|aq|ar|as|at|au|aw|ax|az|ba|bb|bd|be|bf|bg|bh|bi|bj|bm|bn|bo|br|bs|bt|bv|bw|by|bz|ca|cc|cd|cf|cg|ch|ci|ck|cl|cm|cn|co|cr|cu|cv|cx|cy|cz|de|dj|dk|dm|do|dz|ec|ee|eg|er|es|et|eu|fi|fj|fk|fm|fo|fr|ga|gb|gd|ge|gf|gg|gh|gi|gl|gm|gn|gp|gq|gr|gs|gt|gu|gw|gy|hk|hm|hn|hr|ht|hu|id|ie|il|im|in|io|iq|ir|is|it|je|jm|jo|jp|ke|kg|kh|ki|km|kn|kr|kw|ky|kz|la|lb|lc|li|lk|lr|ls|lt|lu|lv|ly|ma|mc|md|mg|mh|mk|ml|mm|mn|mo|mp|mq|mr|ms|mt|mu|mv|mw|mx|my|mz|na|nc|ne|nf|ng|ni|nl|no|np|nr|nu|nz|om|pa|pe|pf|pg|ph|pk|pl|pm|pn|pr|ps|pt|pw|py|qa|re|ro|ru|rw|sa|sb|sc|sd|se|sg|sh|si|sj|sk|sl|sm|sn|so|sr|st|su|sv|sy|sz|tc|td|tf|tg|th|tj|tk|tl|tm|tn|to|tp|tr|tt|tv|tw|tz|ua|ug|uk|um|us|uy|uz|va|vc|ve|vg|vi|vn|vu|wf|ws|ye|yt|yu|za|zm|zw)|([0-9]{1,3}\.{3}[0-9]{1,3}))

Upside: It doesn’t allow xxxx@yyyy.zzz!

Downside: Upkeep could be tough with this one. You’d have to update any time new domain extensions are announced. In fact, you already would need to add the .me extension.

4. Way complicated approach

A Perl module has a long regular expression based on the standard description of an email address. It’s so long (nearly 6,500 characters!) that I won’t include it here.

Upside: It’s complete.

Downside: It’s way complicated.

Meet in the middle approach

You’ll have to decide, if you haven’t already, which regular expression to use. Likely, you’ll choose somewhere in the middle of the examples we’ve given. Regular-Expressions.Info has a good run-down of the trade-offs of different approaches.
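To make the trade-offs concrete, here is an added comparison (not code from the original post or from Regular-Expressions.Info) that runs patterns 1 and 2 both as written and wrapped in `^(?:...)$`. The anchors, the case-insensitive flag and the sample inputs are assumptions added here; the patterns themselves are copied from the article.

```javascript
// Added example. Patterns 1 and 2 are copied from the article; the anchors,
// the "i" flag and the constructed sample inputs are additions made here.
const PATTERNS = {
  simple: String.raw`.+\@.+\..+`,
  stricter: String.raw`[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}`,
};

// Compile a pattern as written (matches anywhere inside the input) or
// anchored so that the whole input has to be the address.
function compile(source, anchored) {
  return new RegExp(anchored ? `^(?:${source})$` : source, 'i');
}

// Return one row per input with the verdict of each pattern in both modes.
function evaluate(samples) {
  return samples.map((input) => {
    const row = { input };
    for (const [name, source] of Object.entries(PATTERNS)) {
      row[`${name}_loose`] = compile(source, false).test(input);
      row[`${name}_anchored`] = compile(source, true).test(input);
    }
    return row;
  });
}

// Constructed sample inputs covering the cases the article discusses.
const SAMPLES = [
  'user@example.com',                               // ordinary address
  'a@b.c',                                          // the article's too-short case
  'curator@example.museum',                         // long domain extension
  'not an address user@example.com trailing text',  // address buried in text
  'user@example',                                   // no domain extension
];

console.table(evaluate(SAMPLES));
```

Two results are worth noticing: unanchored, pattern 2 accepts the `.museum` address (it stops after `muse`) and any text that merely contains an address, while pattern 1 accepts the buried address even when anchored because `.` also matches spaces.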

Have you already decided how to check email addresses? How do you do it?

[via Reddit]




Six Reasons iPhone Delivers Where Android Won’t

Slowly but surely, the Android phone continues its slow crawl towards our doorstep. The latest announcements include the new software development kit (SDK) beta and the HTC Dream, the first commercial mobile handset built to run Google’s mobile operating system.

Both announcements arrived Monday. The 0.9 beta version of the SDK can be downloaded now; the handset is slated to arrive this fall.

Hear the polite applause? It’s coming from Android’s developers who, until today, have not seen an SDK update to the mobile operating system since November. What has Google been doing since?

According to Android’s SDK blog announcement, the answer is ensuring the hardware works first.

“Back in November, we made some SDK builds available that we referred to as “early look” SDKs. The goal was to give developers insight into the platform as early on as possible, and to get some initial feedback. Since then, we’ve been working with our Open Handset Alliance partners to incorporate much of that feedback, and finish the first devices. Since those devices are shipping in the fourth quarter, the platform is now converging on a final ‘Android 1.0′ version.”

The announcement ensures Google will be moving rapidly to deliver both a handset and a version 1.0 SDK by the fourth quarter. We wait with bated breath.

While we wait, the question remains: is the operating system any good? You can bet Google’s existing mobile applications, like Maps, will work on par with their iPhone, Blackberry and Symbian equivalents (even better, in some instances: the SDK includes a version of Google’s Street View feature unavailable in current software versions on other platforms). We’re pretty sure the thing will make a decent phone call. The browser looks to work just like a desktop browser, with all the typical mobile Safari-like zooms and taps. But can it compete with other current mobile software?

We’ve talked before about what Android might have that the iPhone won’t. Since Android has become a (semi) reality, let’s flip the script for a moment and take a look at what the iPhone has now which Android may be missing.

  1. Celebrity Skin — The iPhone is this summer’s, and likely this winter’s, top selling knick-knack. It’s the go-to gift if you’re looking for something special, and early gadget adopters were on it like a seagull on Fabio. The phone’s appeal rivals that of The Hills’ Lauren Conrad or Hannah Montana’s Miley Cyrus. Sure, they look neat enough, but what do they do to get the fan attention they get? It’s a certain pink ribbon-packaged “je ne sais quoi,” I suppose. Fans, internet junkies and gadget hounds have been lining up outside of Apple stores for weeks and have all signed their name on AT&T’s dotted line, which leads us to our second list item.
  2. Contracts — Millions of them, in fact. In America, they’re two-year slammers which cost about $175 to break out of, courtesy of AT&T. Who’s left wanting a phone in the mobile marketplace? At best, Google will be competing for the slackers who don’t really care much about mobile phone technology and those who will end their existing contracts in the next couple years — depending on when the luster wears off on the iPhone. If lucky, its software will compete with RIM’s Blackberry for corporate contracts. However, corporate IT departments are unlikely to trust Android’s open operating system instead of RIM’s tried and true software. The SDK doesn’t even have a dedicated email program.
  3. A Stable SDK — Concerns about its non-disclosure agreement aside, the iPhone SDK is smooth and polished. It has a nifty iPhone emulator, great hardware support and it works cleanly with Apple’s existing development tools (like XCode). You have to hand it to Apple here — it has a great track record of enabling developers to code by packaging its devices with up-to-date development environments and thorough documentation. The new Android SDK deserves some scrutiny, but compare Apple’s SDK to Android’s last out-of-date SDK and its skimpy documentation? Fuhgeddaboutit.
  4. Profitable App Store — Software developers can make money easily on the iPhone. Draw up a gadget nobody’s thought of, get it through Apple’s strict reviewing process, get featured on the App Store front page and you might earn $50,000 in your first month on the store. Write up an application for Android and you’ll be lucky to get any exposure at all, let alone figure out how to get paid for it.
  5. Bold Experimentation — We now know the HTC Dream will work with Android, but we’re also promised Android can be ported to any smartphone device. It means hardware developers need to write drivers for their devices, and without a decent headstart, we’re looking at another year or so of gradual adoption across other devices. Conversely, we know what we’re going to get with the iPhone. Apple’s hardware features have enabled plenty of accelerometer, internet, GPS and touch screen ideas which have pushed software development further. Who knew you could use your phone as a level, a cowbell or a tuning fork?
  6. Developers — Apple has an SDK, developer support and a profitable App Store, all of which have enabled it to attract a gaggle of developers. Meanwhile, without any new software, development or hardware support, many Android developers have jumped ship. Who knows if the newest SDK will draw them back? From a phone buyer’s perspective, fewer developers mean fewer applications, less functionality and more reasons to buy an iPhone instead.

All of these arguments hint at why developers are so let down by Google: why bother? While the promise of an open mobile operating system should be an exciting boon to the mobile web and operating system development community, the announcement of the HTC Dream and updated SDK is too late.

We still don’t know if Google has the next mobile killer app in its back pocket. It could be the remote control to the cloud computing kingdom Google has built. We won’t know until we see the final version. Maneuvering through the emulator which comes with the SDK, it feels like Android is competing with Symbian as merely a mediocre software OS which just works.

However, Google still has a chance to make good with its promises. Maybe after a couple more years of development, after the release of Android 1.0, the HTC Dream, and a finalized SDK — and when iPhone owners reach the end of their AT&T contracts — it may be time for the next big (or in this case, small) thing.

[Edited a couple typos. Thanks commenters!]




 