I Pity The Queue: The Mailbox.app Line

 » February 13th, 2013

Nearly a million people are lining up for Mailbox right now, and a lot of ink has been spilled debating the nature of this particular digital lineup.

Which shows, if nothing else, that standing in line gives you a lot of time to think about standing in line.

Watching the line slowly advance I started wondering about something else: how is Mailbox managing the whole thing? The line is little more than a person-based progress bar, and I’ve been doing a bunch of work on progress bars recently – this piqued my interest.

I wondered how accurate my purported position in line was, and how Orchestra was running the show behind the scenes. So I took a closer look, and here’s what I found:

When the app first launches, it generates a universally unique identifier (UUID) for your device. This is a string that an app can use to uniquely identify a device, and it looks like Mailbox is using CFUUID for its device IDs. UUIDs aren’t persistent, so the app has to cache the one it generates. (Interestingly, the app also seems to use iCloud to sync your UUID with other devices associated with the same iCloud account. Launch Mailbox on your iPad and it’ll get the same status as your iPhone, for example.)

The app queries an Orchestra server with your UUID and a checksum in order to determine whether your UUID has been allowed entry. Internally, Mailbox appears to refer to full app access as the ‘velvet room.’

The server in charge of monitoring the line appears to be named Mister T, who, incidentally, worked as a bouncer before his movie career. Because of course he did.

If the generated UUID doesn’t get past Mister T, the app gives you the option to enter a reservation number and a private code (“But I’m on the list!”) to jump the line. Otherwise it’s out in the cold with the other nobodies.

Once you’ve taken a number and found your spot in the line, the slow march to the velvet room begins. Mailbox shows a satisfying countdown when you re-launch the app and your line position has advanced. Leaving the app running will show what appears to be a live countdown. Orchestra seems well aware of the best salve to ease the sting of a long line, so they give you a satisfying counter of all the suckers in line behind you.

Are these numbers real and live? It looks like they are.

Once you’re in line, the app queries the bouncer server (Bouncerver? Can we start saying that?) every few seconds about the status of the line. Mister T replies with a “now serving number…” (which allows Mailbox to calculate how many people are ahead of you), the line total (allowing it to figure out how many people are behind), and an explicit “allowed” value. Using these values, Mailbox ticks up your place in line in near realtime.

Jumping the line isn’t an easy feat, mind you. v1.0 of Mailbox was vulnerable to an edited .plist on jailbroken devices (or using a modified backup restore, I’d imagine) – velvet room allowed = YES, and you were in. The 1.0.1 update (which deserves a spot on the Tumblr of shame for “- bug fixes”) seems to close this hole. Mister T seems similarly immune to a straightforward MITM attack on his line-position responses.

Which isn’t entirely unexpected because, you know, he’s Mister T.
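
The polling exchange and the v1.0 .plist hole described above, as an added example that is not from the original post or from Mailbox's own code. `Bouncer`, `open_mailbox` and the field names are assumptions: the client only derives its display numbers from the reply, while admission is re-checked from server-held state, so a tampered local flag gains nothing.

```python
from dataclasses import dataclass, field


@dataclass
class Bouncer:
    """Hypothetical server-side model of the line (all names are assumptions)."""
    now_serving: int = 0                         # highest reservation number admitted
    tickets: dict = field(default_factory=dict)  # device UUID -> reservation number

    def join(self, uuid: str) -> int:
        # A UUID that is already in line keeps its existing number.
        if uuid not in self.tickets:
            self.tickets[uuid] = len(self.tickets) + 1
        return self.tickets[uuid]

    def status(self, uuid: str) -> dict:
        # The three values the post describes in the server's reply.
        number = self.tickets[uuid]
        return {"now_serving": self.now_serving,
                "total": len(self.tickets),
                "allowed": number <= self.now_serving}

    def open_mailbox(self, uuid: str) -> str:
        # Authoritative check, repeated on every privileged request and based
        # only on server-held state; nothing the client sends sets "allowed".
        number = self.tickets.get(uuid)
        if number is None or number > self.now_serving:
            raise PermissionError("not yet admitted")
        return "velvet room"


def line_position(number: int, status: dict) -> tuple:
    """Client-side display maths: (people ahead, people behind)."""
    ahead = max(number - status["now_serving"] - 1, 0)
    behind = max(status["total"] - number, 0)
    return ahead, behind


def demo() -> dict:
    server = Bouncer()
    for i in range(1, 11):            # ten constructed device IDs
        server.join(f"device-{i}")
    server.now_serving = 3
    mine = server.join("device-7")
    ahead, behind = line_position(mine, server.status("device-7"))
    cached = {"allowed": True}        # locally edited flag, as in the v1.0 .plist case
    try:
        result = server.open_mailbox("device-7")
    except PermissionError:
        result = "denied"
    return {"ahead": ahead, "behind": behind, "cached": cached["allowed"], "server": result}
```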

On requiring a PIN to shutdown

 » June 19th, 2012

Today Cabel Sasser tweeted a proposal to add a “shutdown requires PIN” option to iOS. Cabel found, as have numerous people who have had their iPhones stolen recently, that many thieves have gotten wise to Find My iPhone. They make sure to shut off stolen devices as soon as they can, rendering the device recovery service useless.

I had the same thought after my girlfriend’s factory-unlocked (ugh) iPhone 4 was stolen recently while she was hosting a fundraising event. By the time she called to tell me her phone was missing, the device was offline – and it hasn’t resurfaced since. It’s clear that whoever took it knew the drill.

In light of this, it seems like PIN-protecting device shutdown is a great idea (I was so enamoured of the idea when I first thought of it that I nearly fired off a self-satisfied email suggesting it to Apple), but unfortunately it’s not likely to prove useful.

Nothing protects against thieves ejecting your SIM card, but that’s not the most significant problem.

Most devastating is the device hard reset (holding Sleep/Wake and Home simultaneously for a few seconds). Hard resets are a failsafe for an unresponsive device, and thus cannot require a PIN. Hell, given the ease and speed of a hard reset, I’d guess it’s the preferred shutdown method for a savvy thief – it can even be performed completely eyes-free.

Unfortunately, this all means that adding a “shutdown requires PIN” setting won’t be more than a brief respite in the arms race against thieves – smart thieves will quickly learn to evade the system, and we’ll soon be back where we started.

Update: Cabel has suggested that this can be resolved by turning hard shutdown into a hard reboot. My guess is that Apple doesn’t want devices rebooting endlessly if they’re erroring out. (I have a vague memory of the iOS hard shutdown being a reboot eons ago – if this is the case, Apple must have changed the behaviour for a reason.) That being said, I’d probably take that risk myself for a less-stealable iPhone.

yvr yyc yyz lax mel lax yyz

 » June 6th, 2012

More flying over the last few weeks has meant I’ve been able to work a bit of the way through my Instapaper backlog. I don’t think I’ll ever tame it (unlike Eric, who lords his bloody Instapaper Zero over me like a sociopath). Here’s what I done read:

• Fortune has a great profile of the recent fall of HP in How Hewlett-Packard lost its way

• Eric Puchner writes an astounding, soul-searching piece about meeting the person who he might have been in another life in The Cooler Me

• The uber-short, uber-fascinating tale of The $144,146,165 Button

• Toronto Life’s definitive breakdown of the Ford mayoralty in Toronto to date, including lots of new info I’ve never read elsewhere in The Weirdest Mayoralty Ever

• A creepy and disturbing writeup about a guy behind one of the biggest ‘revenge porn’ sites: “Gary Jones” Wants Your Nudes

• The interesting-but-a-little-too-paradigmatic The Web Is A Customer Service Medium

• Sound on Sound’s inside story of how U2 recorded Achtung Baby and Zooropa; fascinating even for a non-U2 fan (but admitted recording geek) such as myself. Robbie Adams: Recording U2’s Achtung Baby & Zooropa

• The critical but nonetheless interesting Another Thing to Sort of Pin on David Foster Wallace, with which I did not entirely agree

• Businessweek’s The Rise and Inglorious Fall of Myspace which is a great (is it too soon to say) postmortem of the company

• The controversial and amazing Straight White Male: The Lowest Difficulty Setting There Is (and the incredible followup)

• A quick breakdown in The StarPhoenix of how the Canadian election fraudster Pierre Poutine (I wish I was joking) covered his tracks

ottawa to vancouver

 » May 9th, 2012

I started working through my deep Instapaper backlog on the flight, and I figured I’d share, without a filter, what I read.

Here goes.

Eight Men In: Cheating Tarnishes Everyone In 2K Sports’ Million-Dollar Scandal

A President who is helpless in the face of Middle East reality

Sneaking Into Pantone HQ: How color forecasters really decide which hue will be the new black.

Alone, ‘Riodoce’ Covers the Mexican Drug Cartel Beat

A Giant Among Giants

Runner’s world: Usain Bolt and his entourage

The Stalking of Korean Hip Hop Superstar Daniel Lee

Is An ESPN Columnist Scamming People On The Internet?

Near death, explained

Fanfare For The Comma Man

Odd Blood: Serodiscordancy, or, Life With an HIV-Positive Partner

The Case Against Google

what are you thinking

 » March 21st, 2011

[5:38PM EST \ 5:38AM CST]

Looks like the great circle taking us to Beijing will have us flying over the arctic, which is thrilling. I’ve never seen these northern latitudes by land or air, so I’ve my fingers crossed that the cloud cover will break at some point.

[11:58PM EST \ 11:58AM CST]

A strange thing about China is that the whole country is on a single time zone (which is conveniently centred around the capital, Beijing). China’s breadth covers a lot of longitude, and if you use the eastern expanses of Russia to the north as a guide, China is in desperate need of two or three more time zones. People living in the extreme western parts of the country pay the price for the iron clock; the cycles of the sun don’t match up with the little hand and the big hand. Word is that in places like Urumqi there is “official time” and then “local time,” despite the illegality of it. How subversive.

Below us is a vast expanse of sea ice, broken occasionally by a snaking, dark channel of open water. From up here the snowdrifts, carved by the wind, look like the lines on the back of your hand.

Over northern Quebec and then Nunavut the clouds opened up, and we got our first glimpses of the arctic, bright and cold. Out of the sea rose sharp, rocky cliffs and small mountains, softened by deep snow cover.

As we fly over northern Siberia I’m reading Solzhenitsyn.

[1:34AM EST \ 1:34PM CST]

We have guiltily kept our window shade up, flooding the sleepy cabin with white light. There’s too much to see out the window to leave it down; the white of the arctic has softened to taiga. We recently passed over what looked like a table mountain made of snow and ice. I’ve decided it was a glacier.

Planning the trip we debated where to visit after Beijing. We settled on Hong Kong, but also under consideration was Mongolia. As my seatback TV cycles through maps I keep noticing Mongolia’s capital, Ulaanbaatar. I feel sheepish; I was scared of Mongolia.

Hong Kong is not indicated on the map.

[6:55PM CST]

In a taxi, heading to the hotel. Flashes of an arc welder on a massive steel dome in the distance. (Hotel? Conference centre?) I’m quite relaxed, and I think it’s freaking Susana out.