IETF strongly discourages IPv6-SNAT because SNAT was conceptually just a workaround for the lack of IPv4 addresses in the addressing space.

I fully disagree!

There are benefits to running networks isolated from globally addressable IPv6-space, and using SNAT to bridge the private subnet with the public globally addressable IPv6-space. One of the biggest benefits is that your private subnet is not globally addressable, i.e., a natural “firewall” is thus created, similar to what you get in IPv4 world with RFC1918 private-space addresses (familiar to most people in the form of 192.168.0.x). Imagine if all your containers were fully reachable from the global internet just by getting hold of their IPv6 addresses, including their “unexposed” container ports!

Primer on IPv6 addressing types

So in IPv6, broadly speaking for the ease of this write-up, there are 3 major groups of addresses.

1. “Global”;
2. “Link-local” (now deprecated in RFC3879); and
3. “Unique Local Address” (ULA).

“Link-local” addresses are automatically generated by the OS and are only valid within a link-segment, and cannot be used across routers. This is similar to the IPv4 stateless address auto-configuration (169.254.0.0/16), and cannot be used across routers. Practically useless.

ULAs can be seen as an RFC1918 IPv4 private address space equivalent (i.e., 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8), which are separate from the “Link-local” addresses. ULAs can be used across routers, depending on the routing table, but they are still not globally routable.

To enable IPv6 on docker and also within the docker-compose default network, ULA IPv6 prefixes will be used. The ULA prefix is defined as fd00::/8. Docker requires a minimum addressable space of /80. Generally, I will assign fd00:ffff::/80 to the default docker0 bridge, in violation of RFC4193, but I don’t see any negative impact to doing so for this docker0 bridge configuration.

Enabling IPv6 in Docker and the docker0 bridge

I’ve adapted these instructions from the docker docs.

To enable IPv6 in Docker and assign a ULA prefix to the docker0 bridge, put the following in /etc/docker/daemon.json:

{
	"ipv6": true,
	"fixed-cidr-v6": "fd00:ffff::/80"
}

Then, restart the docker daemon:

$ sudo service docker restart.

You should see that the default docker0 bridge has IPv6 enabled:

$ docker network inspect bridge | grep -i "ipv6\|subnet\|gateway"
		"EnableIPv6": true,
				"Subnet": "172.17.0.0/16",
				"Gateway": "172.17.0.1"
				"Subnet": "fd00:ffff::/80",
				"Gateway": "fd00:ffff::1"

Test it with this command:

$ docker run --rm -it debian ping6 google.com -c3

Success?

Probably not. The container might still not be able to obtain connectivity because there is no packet forwarding between the global addressable network and the ULA subnet. This is the automagic from docker IPv4 support that is missing in docker’s current IPv6 implementation.

3 approaches

I will discuss 3 approaches to address these shortcomings: Docker’s experimental ip6tables support, docker-ipv6nat, and Shorewall[6] (if you are already using Shorewall to define your firewall).

ip6tables approach

Before you proceed, you will need a very recent docker installation, version 20.10.2 or later, recently merged with this pull-request. Otherwise, manually set-up SNAT using ip6tables, or try the other 2 approaches.

To enable ip6tables handling, the experimental flag must be enabled. Put the following in /etc/docker/daemon.json or adjust to fit:

{
	"ipv6": true,
	"fixed-cidr-v6": "fd00:ffff::/80",
	"ip6tables": true,
	"experimental": true
}

Then, restart the docker daemon:

$ sudo service docker restart.

Review the ip6tables FORWARD chain for new rules:

$ sudo ip6tables -L

Test it with this command:

$ docker run --rm -it debian ping6 google.com -c3

If it’s successful, you should see the following:

PING google.com(sa-in-x66.1e100.net (2404:6800:4003:c00::66)) 56 data bytes
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=1 ttl=110 time=3.10 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=2 ttl=110 time=3.62 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=3 ttl=110 time=3.14 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.099/3.284/3.619/0.241 ms

Done!

docker-ipv6nat approach

I don’t recommend this approach as it does not work with IPv6 networking in docker-compose. Eventually, once the ip6tables support in docker is mature, docker-ipv6nat will be retired. Otherwise, this is an easy approach for pure docker containers.

Run docker-ipv6nat as a docker container:

$ docker run -d --rm --name ipv6nat --cap-add NET_ADMIN --cap-add NET_RAW --cap-add SYS_MODULE --cap-drop ALL --network host --restart unless-stopped -v /var/run/docker.sock:/var/run/docker.sock:ro -v /lib/modules:/lib/modules:ro robbertkl/ipv6nat

Or with docker-compose.yml and docker-compose up -d:

version: '2.3'
services:
  ipv6nat:
    image: "robbertkl/ipv6nat"
    container_name: ipv6nat
    restart: unless-stopped
    network_mode: host
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /lib/modules:/lib/modules:ro
    cap_add:
      - NET_ADMIN
      - NET_RAW
      - SYS_MODULE
    cap_drop:
      - ALL

Review the ip6tables FORWARD chain for new rules:

$ sudo ip6tables -L

Test it with this command:

$ docker run --rm -it debian ping6 google.com -c3

If it’s successful, you should see the following:

PING google.com(sa-in-x66.1e100.net (2404:6800:4003:c00::66)) 56 data bytes
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=1 ttl=110 time=3.10 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=2 ttl=110 time=3.62 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=3 ttl=110 time=3.14 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.099/3.284/3.619/0.241 ms

Done!

Shorewall6 approach

I’ve adapted these instructions from this gist.

Enable docker support in /etc/shorewall/shorewall.conf:

DOCKER=Yes

Take note that this directive is not available in shorewall6.conf, which is fine.

Define your /etc/shorewall[6]/interfaces files to capture all the docker bridges, i.e., docker0 and br-xxx, where docker is the zone defined for docker traffic, using the physical option:

?FORMAT 2
#ZONE	INTERFACE	OPTIONS
-	lo		ignore
net	eth0		dhcp,routeback,accept_ra=2
docker	docker0		routeback=1,physical=docker+
docker	br		routeback=1,physical=br-+

Be sure to set accept_ra=2 in your public-facing interface, eth0 in my case.

Enable SNAT by adding the following line to /etc/shorewall6/snat:

#ACTION			SOURCE			DEST		PROTO	PORT	IPSEC	MARK	USER	SWITCH	ORIGDEST	PROBABILITY
MASQUERADE		-			eth0

Older versions of Shorewall use the masq file instead. Adapt the above accordingly.

You don’t need to enable SNAT for IPv4 as docker does it for you automagically.

Check your shorewall[6] configurations:

$ sudo shorewall check
$ sudo shorewall6 check

Once error-free, activate the new rule sets:

$ sudo shorewall safe-restart
$ sudo shorewall6 safe-restart

Review the ip6tables FORWARD chain for new rules:

$ sudo ip6tables -L

Test it with this command:

$ docker run --rm -it debian ping6 google.com -c3

If it’s successful, you should see the following:

PING google.com(sa-in-x66.1e100.net (2404:6800:4003:c00::66)) 56 data bytes
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=1 ttl=110 time=3.10 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=2 ttl=110 time=3.62 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=3 ttl=110 time=3.14 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.099/3.284/3.619/0.241 ms

Done!

docker-compose

Now that plain docker containers have IPv6 connectivity, it’s time to tackle docker-compose IPv6 bridge networking.

In a typical docker-compose.yml, whenever there is more than one service defined, docker-compose will automatically create a default bridge network, named after the project. This project-specific default bridge network connects the containers together and configures their hostnames according to their service names. This bridge is IPv4-only and additional directives are required in the compose file to override this.

As of now, docker swarm does not support IPv6 and hence, the enable_ipv6 directive is only available for file format versions below 3, e.g., 2.4.

Similar to the fixed-cidr-v6 configuration in docker daemon.json above, a separate ULA needs to be manually assigned to each docker-compose.yml project, annoyingly.

To prevent conflicts (as expounded by RFC4193) with other projects and to ease tracking, I recommend generating this prefix in a simple way using the project name like this:

$ echo "projectname" | shasum | cut -c1-8
109b2e51

Using the above 8 digit hash to fill up the following 2 groups of 16-bits of the ULA prefix (fd00::/8): fd00:109b:2e51::/80.

Append or update the following networks key to the project docker-compose.yml:

networks:
  default:
    enable_ipv6: true
    ipam:
      driver: default
      config: 
        - subnet: fd00:109b:2e51::/80
          gateway: fd00:109b:2e51::1

You do not need to manually assign IPv4 or IPv6 addresses to each of your containers using the networks key under each service entry.

Test your config and bring up the services and the IPv6 enabled bridge:

$ docker-compose config
$ docker-compose down ; docker-compose up -d

Inspect the network bridge:

$ docker network inspect projectname_default  | grep -i ipv6
 "EnableIPv6": true,
		"IPv6Address": "fd00:109b:2e51::2/80"

Test it with one of the following commands:

$ docker-compose run --rm projectname ping6 google.com -c3
$ docker-compose exec projectname ping6 google.com -c3

If it’s successful, you should see the following:

PING google.com(sa-in-x66.1e100.net (2404:6800:4003:c00::66)) 56 data bytes
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=1 ttl=110 time=3.10 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=2 ttl=110 time=3.62 ms
64 bytes from sa-in-x66.1e100.net (2404:6800:4003:c00::66): icmp_seq=3 ttl=110 time=3.14 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 3.099/3.284/3.619/0.241 ms

Done!

Conclusion

IPv6 is now available in Docker and docker-compose, as long as you know how to set it up and populate your docker-compose.yml file. Hopefully, the docker automagic will get implemented in IPv6 configurations by default, and the workarounds discussed in this write-up will no longer be necessary.

Special thanks to Felix and James for helping me proofread this write-up.

References

• How to enable IPv6 for Docker containers on Ubuntu 18.04
• Walkthrough: Enabling IPv6 Functionality for Docker & Docker Compose

I can’t remember why my pervious code used the post.excepted liquid variable as it no longer exists in Jekyll 3.x. Fortunately, Sean has a solution.

The solution compares the word count between the post content and the post except variables, and if they are not equal, the “Read More” link is added.

It’s not significantly slower but at least it works.

I started off in my school gym during my undergrad days, doing regular cardio (running), just to keep my mind sharp and efficient during intensive school semesters. I tried my best to maintain a twice weekly routine, even during the intensive “hell weeks”, where we had presentations and report submissions for most of our 4-5 modules for that semester.

By maintaining some form of exercise, I have experienced first hand, the reduction in the number of sleeping hours required before I feel rested for the next day. Admittedly during school semesters, sleep was never sufficient, but exercising reduces my mind’s demand for sleep. Without exercise, I will definitely need 7-8 hours of rest before I felt awake. However, with regular exercise, I was able to get by with just 6-7 hours of rest. Secondly, or as a result of this, I needed less caffeine to get through the day.

Benefit 1: Rest efficiency improves.

As I neared graduation, I learnt about the benefits of weight lifting. Lifting weights triggers bone density growth and muscle growth. This has two major benefits: 1) Stronger bones reduces the probability of breaking upon impact. As we grow older, bone loses calcium and density, making them more brittle. Any impact from any falls will increase the chances of a fracture, which is best avoided in old age. 2) More muscles gives me more strength and raises my basal metabolic rate (BMR). Strength, if built appropriately, can improve my posture and stability. BMR will help burn calories when idle, and such increases can help offset a general reduction in BMR brought about by ageing.

Benefit 2: Stronger bones, preparation for old age.

Benefit 3: Higher BMR, burning more calories at rest.

With this context in mind, I searched the web for an efficient and effective set of exercises and started myself on an adapted (simplified due to limited access to the required equipment) version of the StrongLifts 5x5 workout.

It was tough in the beginning as I was extremely new to free-weight workouts, as opposed to the guided movements provided by the resistance machines. Free movement has an added benefit of training auxiliary muscles that work to provide stability. For the greatest benefit, I’ll always opt for free-weight workouts.

Around the same time, I began to have a greater appreciation over my diet and the macro nutrients that I consume on a daily basis. I picked up the basics of a balanced diet and the required nutrients to support strength training.

With ever slight adjustments and improvements to my diet, coupled with exercise, I managed to slowly increase my weight, without increasing my waist size.

While I’ve seen the hype over group fitness (GX) classes held in the gyms, I had always been skeptical over its effectiveness. Fast-forward to the weeks leading to my graduation, I was introduced to a GX programme, BodyPump, by a friend.

I was hooked.

Strength training, checked. Light-cardio, checked. Good music, checked. Self-paced, checked. The group nature of the exercise class makes it easier and more motivating to attend and complete the full 60 minutes of it.

The hardest element of keeping fit is the intrinsic motivation. When it gets boring, tough, and painful, most people would not want to repeat the experience again; but with all things fitness, no pain, no gain.

I think the most sustainable way of keeping fit and being ready for old age is to find 1-2 friends to keep doing an activity or a few activities together regularly, like a routine, that meets all the fitness criteria and goals.

In a subsequent post, I shall write about my experience with Yoga.

In the meantime, stay fit, stay healthy!

Prior to S3 supporting advanced redirection rules, there was only a binary option to redirect all requests to a specified hostname. While this feature is useful for handling blanket redirections, but useless if you need selective redirection like what a .htaccess file can do, it is insufficient for site that have legacy permalinks to maintain.

Fortunately, S3’s advanced redirect rules allows you to somewhat mimic a subset of what an Apache .htaccess file can do: 1) substitute the hostname; and/or 2) substitute the path, based on 2 possible conditions: a) HTTP error codes from S3, and/or b) request path prefix, albeit with a clumsy XML syntax. With a good text-editor with XML intelligence, it’s not too challenging to hand-craft.

Thanks to this feature, I’ve managed to set up redirect rules to map permalinks from my previous blog engine to the current permalinks layout.

To begin, assuming that you’ve already got a S3 site up, check out the awesome documentation for this feature.

One gotcha that took me a while is that object-keys within S3 buckets do not begin with a /, even though the request path traditionally begins with a /. As such, do not include the preceding / within the KeyPrefixEquals or ReplaceKeyPrefixWith keys. Refer to Example 1 within the docs for an illustration.

This is made possible due to a policy change by Apple, announced in WWDC 2015, to allow personal apps developed and compiled on Xcode to be loaded on and run on personal iOS devices, without needing an iOS Developer Program membership, bypassing the App Store. This thus becomes a technique for which unapproved apps can be distributed (in source form) and built by adventurous users and loaded onto their own iOS devices. Apps “sideloaded” with this method have a lifespan of 90 days, after which, they require to be resigned and reloaded onto the iOS devices before they can continue functioning.

In my opinion, this is a great way for OpenSource applications to enter a user’s device, without having to go through the hassle of the AppStore process, where there may be conflicts with the source code license.

Unfortunately, as f.lux distributed a skeletal Xcode project with the bulk of the application logic hidden within a compiled binary, Apple contacted the f.lux developers to remove the download as it violated the Developer Program Agreement.

My suspicions was that they were distributing a binary, rather than unobfuscated source code, and that is potentially risky for users. Who knows, the binary blob could be secretly uploading personal data and nobody would know better. I believe that it is for this reason that prompted Apple to respond so quickly. After all, GBA4IOS is still available and in source form.

Thankfully, there’s another unaffiliated alternative, GoodNight. It nicely mimics most of f.lux’s features, without the annoying bugs stuck in the last posted version of f.lux before it was taken down.

To install GoodNight on your iOS device, you’ll need the following:

• Apple ID
• iOS device
• Xcode (7.1 is fine)
• USB connection to your iOS device

If you have them all, follow these fine instructions, but using the latest released version of Xcode instead of the beta. The latest version of Xcode was of this writing is 7.2.

Good luck and have a better sleep! Good night!

Apple TV

What jumped out at me is the newly announced Apple TV. Back in my 2012 post on Revolutionary User Interfaces, I wrote that Apple TV will gain Siri support as its main user interface:

I believe that the “Apple TV” in its eventual successful form will have Siri power a large part of its UI. To control our living rooms, the Mouse, the Click Wheel (remote controls), and Multi-touch are largely limiting and inadequate. Google TV has shown us how unpopular these input-methods are. Siri, with our voices, will become the controlling interface for these technologies that provide entertainment and services, throughout the household.

With yesterday’s announcement, it became clearer that we are moving closer to the day where our voices can take a greater role in controlling computer interfaces.

Another exciting prospect with the new Apple TV is the introduction of an App Store for the tvOS. The television is a huge canvas for collaborative and individual couch gaming, as seen from the very good sales of Xbox, PS, and Wii, of a few years ago.

Unfortunately, these mainstream consoles have dropped the ball when it comes to content distribution. Seriously, who still heads out to a store to buy DVDs? The makers of Xbox and PS have only recently understood this by having respective online stores for purchasing and downloading games, but the consoles out there are not originally designed for primarily downloading new content, due to their limited internal storage capacities. I know add-on external storage options exist, but they are cumbersome.

With 32 GB of storage as basic on the new Apple TV, I believe there will be a huge potential for it to be the next console platform. Code once, and have your game logic run on 3 different platforms: iOS (iPhones, iPads), Mac OS X, tvOS (Apple TV), is a rather attractive proposition for developers. The Windows gaming market-share may not be the biggest after all.

3D Touch

3D Touch is the obvious (but difficult to implement) evolution of MultiTouch, and no, you don’t have to run out to get it yet; it’s not revolutionary. Having read “How Apple Built 3D Touch” by Bloomberg, I’m convinced that this technology will not be easily copied by competitors in the near future, leaving Apple to define and set new expectations of touch screen interaction paradigms.

Summary

Overall, I would say that this is an iOS roadmap event, for customers and developers alike. The future of Apple and these technologies laid out are a vast canvas, awaiting developers to exercise their imagination and coding prowess. The holy grail of a healthy platform would be user-generated content, allowing a (relatively-)free market of demand and supply to fuel and sustain the platform and its growth.

Apple as a company has a very sustainable near-to-mid-term future. I am quite pleased.

Disclosure: I own AAPL shares.

Fortunately, the great guys over at Investment Moats have already created a Stock Portfolio Tracker google spreadsheet that is easy to use and is a good place to start.

To begin, follow their introduction / instructions.

By tracking your portfolio over time, you’ll be able to see poorly performing positions and do something about them before it’s too late due to opportunity costs.

Unfortunately, in the most recent version of the tracker, the authors removed the XIRR function as it is too computationally intensive for the browser, if you have many different stock counters.

To enable for selected counters, follow the instructions in the version 1.8 row of the Version History table within the Read This First tab, but use the following formula instead:

=IFERROR(XIRR(
	SPLIT(JOIN("~", QUERY(Transactions!A$2:R, "SELECT R WHERE (B = 'Buy' OR B = 'Sell' OR B = 'Div') AND C = '" & B2 & "'"), U2, "~" ), "~"),
	SPLIT(JOIN(",", QUERY(Transactions!A$2:R, "SELECT A WHERE( B = 'Buy' OR B = 'Sell' OR B = 'Div') AND C = '" & B2 & "'"), TODAY(), ","), ",")
), 0)

This updated formula takes into account the structural changes of the Transactions sheet up until version 1.13 (dated: 2015/05/24). For use with the Transactions USD sheet and others, update the formula above, replacing Transactions!A$2:R throughout with 'Transactions USD'!A$2:R.

With that, happy investing!

“No longer may this liberty be denied,” Justice Anthony M. Kennedy wrote for the majority in the historic decision. “No union is more profound than marriage, for it embodies the highest ideals of love, fidelity, devotion, sacrifice and family. In forming a marital union, two people become something greater than once they were.”

In Josh Zepps’s words:

It's almost poetic, for judges… #SCOTUS pic.twitter.com/c2ylIN2MtP

— Josh Zepps (@joshzepps) June 26, 2015

Truly a long-awaited day for equality. A good time to celebrate, but remember that the fight for equality continues.

The version 2 release of Jekyll has finally modernised the static page generator that this blog currently runs on, and it now runs on the latest version of Ruby (currently version 2.2.2).

There were a few challenges for a straight-out migration. Some older plugins and liquid tags are no longer supported, but some much sought after features are now built-in.

Rack App

With the new version of Jekyll, the project folder is not pre-configured to run as a Rack app. The config.ru supplied by the previous Octopress installation is too full of cruft and now would be a perfect time to improve it.

To serve static pages from a folder, Rack has Rack::Static that can be used directly. Unfortunately, it does not have automagic support for returning a custom error 404 page for file-not-found errors.

Fortunately, Vienna can be used (almost) out-of-the-box for this. The default is to serve files from a public directory, but for Jekyll, the generated site is found under _site. For the file-not-found custom error page to work, a 404.html needs to be generated within the _site directory.

My config.ru now contains only 2 lines of Ruby code:

#!/usr/bin/env rackup
#\ -E deployment

require 'vienna'
run Vienna::Application.new('_site')

Include the following in your Gemfile:

gem 'rack'
gem 'vienna'

Done! To test this our, run rackup in the project directory, and Rack will spawn a webserver to serve contents from the _site folder.

Push to Heroku and it will work. Include a Procfile if you want a custom webserver, such as Rainbows!.

Incompatible Change

The biggest incompatible change that I could not workaround and had to edit every of my affected posts was the removal of include_code liquid tag. Fortunately, render-code solves the same problem with a minor change in function name. A quick find-and-replace or sed solved it.

Local Search

With the new Jekyll theme, there is no search engine configured for the blog. I used Google’s Custom Search Engine with a 2-page layout for this and installation was a breeze.

Basically, I embedded a custom searchbox on the top right menu, and added a search.html that the searchbox will POST to.

Create a search.html in the project directory with the following:

---
layout: page
title: Search
permalink: /search/
---
<gcse:search>

Then within the header, implement a form with a textbox and POST to /search/ with q as the query parameter.

Finally, include the Google-supplied JavaScript code into the header or footer of the site.

Done!

Jekyll Plugins

Here are the list of Jekyll plugins that I currently use within my Gemfile:

group :jekyll_plugins do
	gem 'octopress-filters'
	gem 'octopress-include-tag'
	gem 'octopress-minify-html'
	gem 'octopress-gist'
	gem 'octopress-solarized'
	gem 'octopress-codefence'
	gem 'octopress-render-code'
	gem 'octopress-linkblog'
	gem 'octopress-feeds'
	gem 'octopress-littlefoot'
	gem 'octopress-image-tag'
	gem 'octopress-return-tag'
	gem 'jekyll-assets'
end

Your mileage may vary, but this should be a good starting point.

The iPhone 5s deserves further scrutiny. There were only 3 major features announced: First, a 64-bit capable Apple-designed A7 chip, that employs the ARMv8 architecture. As a sub-point, the Apple M7 motion co-processor was introduced as a low-power chip, designed to “collect sensor data from integrated accelerometers, gyroscopes and compasses and off load the collecting and processing of sensor data” from A7 chip in the iPhone 5s. Second, an amazingly powerful camera system, with hardware and software innovations. Third, Touch ID, a fingerprint sensor that authenticates the user, just by touching the home-button.

All three features revealed have huge implications. However, I have time only to write on one idea, and briefly touch on the rest.

Camera

The best camera is the one you have with you. Instagram has consistently showed us that iPhones take the best photos, and with these hardware and software improvements, it is unlikely that other devices can take its place.

Touch ID

Finally bringing their acquired AuthenTec technology into their products, we get an excellent fingerprint reader integrated into the home-button. One that does not require sliding, works in any direction, recognises only live fingers, and does it fast. I wouldn’t be surprised that the efficiency and speed of A7 plays a huge part to make this happen, seamlessly.

That said, the software implementation is rather impressive. Touch ID will refuse to unlock restarted phones, or phones that have not been unlocked within the last 48 hours—a manual passcode input is required for these cases. Clearly, somebody has thought about the weakness of the technology before bringing it to the mass-market.

A secret enclave within the new A7 chip was highlighted as a storage area for fingerprint data. Brian Roemmele wrote a great piece on the significance of this secret enclave. Essentially, Brian suggests that 7 years of secret innovation ended up in that secret enclave, opening up the world to new applications and possibilities, including but not limited to mobile transactions. As A7 chip and its successors become more mainstream, exciting possibilities await us.

M7

While a new 64-bit processor with twice the transistors is nothing to belittle, it is however, not the most significant. Tucked away with little fanfare is the M7 co-processor. Marketing says that it continuously tracks data from sensors without having to wake the CPU up, saving battery.

No doubt, the sharp ones will notice that this engineering effort for a new chip cannot be just for saving battery on the iPhone 5s; there has got to be a more significant and wide-spread use, which the iPhone 5s is merely a test-bed for.

Imagine for a moment. Marketing says that the phone will be able to tell if one is walking, driving, or sitting. What if the M7 is on a different device, one that is always with you, one that has even more sensors? Would this be the foundation of Apple’s wearable-computing solution?

RUIs

Last October, I wrote about Revolutionary User Interfaces and suggested that Siri is the forth RUI. Guess what, in iOS 7, Siri has left its beta status and it seems Apple is confident in Siri’s comprehension abilities, even as it continues to self-improve. Siri eyes-free has also now been rebranded as “iOS in the Car”.

At the end of the post, I suggested that Passbook—where location-based events meet contact-less commerce, might be the fifth RUI. I think I need to update that statement given new revelations.

While Touch ID wouldn’t qualify as a user interface alone as it is an authentication enabler, but together with the M7 chip and its sensors, the combination might just fit the bill as the fifth RUI. Passbook is just the graphical interface and I believe it will evolve into something even more powerful and encompassing.

Location-based events can be triggered by motion sensors, including low-power bluetooth iBeacons, tracked by the M7, and authenticated with Touch ID, unlocking secret identity credentials stored with the CPU’s secure enclave, enabling contact-less commerce.

While most of the hardware pieces are only just coming together, when it is full envisioned, we can expect major disruption to current transaction networks; we can formally bid farewell to NFC.

It sounds super far-fetched and illegal but Apple could just theoretically become the biggest Bitcoin exchange overnight.

Just think about that for a moment.