Reason #478 to Update WordPress and Plugins

WordPress Sites Hacked
WordPress Sites Hacked
Dumb. Really Dumb.
Photo via BigStockPhoto.

We all know we shouldn’t let an old WordPress site sit around without updating it. It’s dangerous, they say.

And… for the most part, I’m really good about staying on top of this—at least when it comes to mission-critical sites. But… I’ll admit, there are a few sites that I built and forgot about.

One in particular came to my attention this week. It was a site I built around a hobby of mine. It needed a WordPress upgrade.

Okay… it had missed a lot of WordPress upgrades.

But worst of all: it had a plugin that was very old and had stopped being updated by its original developer. It was a stats plugin that I really loved back in the days before Jetpack gave us access to WordPress.com stats.

That particular plugin had a vulnerability which was exploited by some nasty malicious hacker.

How I Found Out I’d Been Hacked

This particular site was in one of my longest-standing hosting accounts… one I’ve had since 2006 with 1and1.com. I keep telling myself I’m going to clean that account out and move all the sites, but I just haven’t done it. That’s part of the reason I’ve let some of the sites go unpatched—because why patch ’em if you’re gonna move ’em, right?

<sigh>

Well… somewhere along the line, 1and1 started the practice of sending an email when they encountered something suspicious going on. In the past, they’ve notified my when SPAM emails started going out because of the TimThumb WordPress vulnerability and when their antivirus scanner found malware in a PHP file.

I’ve always been quick to respond when I see one of those, and it happened just a few weeks back. In that case, it just turned out to be an old inaccessible file that I’d renamed after fixing a previous problem.

On Monday of this week, I got another one of these emails:

Anti-virus scan reports: Your 1&1 webspace is currently under attack [Ticket XXXXXX]

Even though I was busy, I jumped right in to see what was happening. They identified a file that had been uploaded to my webspace, and when I saw where it was located, I knew exactly what was going on. That old plugin was still running on the site I mentioned earlier.

So… I logged in via FTP, downloaded a copy of the “malicious file” just so I could see it, and then deleted it and the entire plugin that it got in through.

No big deal.

Or so I thought.

Sites Down

Yesterday, I discovered that all of the sites in that hosting account were down. For most of them, I was getting a simple “Access Denied” error from 1and1 when I tried to load them up in my browser.

A minor panic set in as I went in and tried to discover what was going on.

What I found was very perplexing. The file permissions on the index.php file, the wp-config.php file, and a handful of other files in these sites were changed to 200.

If you aren’t familiar with Linux file permissions, 200 basically means that the file can’t be read by anyone. So… if that file happens to be critical to the running of your site, then… your site doesn’t work.

So… I changed the permissions on a couple of these files in one of the most important sites just to try to get it working. Oddly… within a few minutes of me setting the permissions to 644, they were automatically changing back to 200.

“Hmmmmm…. maybe there’s some malware still running in my account,” I thought to myself.

That’s when I noticed a whole bunch of database “dump” files in the root of my webspace. They looked like this:

dbxxxxxxxx.dump.lzo

Uh oh.

So… I replied to the email I’d gotten a few days earlier, and explained what was going on. This updated the “ticket” in 1and1’s Abuse Department so they could have a chance to respond.

After working on things for a few more minutes, I couldn’t stand it any longer. I dialed the 1and1 Support Department (something I truly hate to do) and waited. Within a short time, I was on the line with someone from India who had undergone a significant amount of accent reduction, and explained what was going on. When he was unable to find my ticked ID, I explained that I’d gotten an e-mail. He put 2 and 2 together and connected me with the Abuse Department.

Then… for the first time in the 8 years that I’ve had this account, I spoke to an American. I mean… fluent English. Clearly no foreign accent. And also for the first time, he knew something about what he was talking about!

He reviewed the ticket and was able to explain a little better what had occurred. Hackers had gotten in through unpatched software (which I knew) and had managed to execute shell commands with my account’s user privileges.

Within what must’ve been a very short period of time, they inserted malicious code into approximately 1,500 files in my webspace. This means that they infected even the WordPress sites that were all patched and running the latest versions.

All told, somewhere near 40 sites were infected.

1and1’s systems were automatically changing the file permissions for any infected files to 200 in order to keep anyone from accidentally downloading malware when visiting my sites.

So… then began the painstaking process of removing all the malicious code that had been inserted and bringing the sites back on line one by one.

Could This Happen To You?

Yes. And it’s just a matter of time.

I’m planning to write In this post, I provided more details about it and an update explaining exactly what to do if you fall victim to an attack like this. It’s not particularly difficult to fix, but if you have 1500 files across 40 sites affected, it’s gonna take some time.

Prevent Ransomware: Update Java NOW

Ransom Note: Pay Up or the Computer Gets It

Whether you have a Mac or are running Windows or Linux on your PC, you should update java immediately. Read on to find out why…

Sure. We’ve all had spyware. Ads, popups. Annoying.

But what about having control of your computer taken from you by malicious hackers… and then being forced to pay a ransom to get it back?

Kinda makes a pop-up ad seem like a welcome annoyance by comparison, doesn’t it?

Ransom Note: Pay Up or the Computer Gets It
Prevent Ransomware: Images courtesy of redjar and MC4 Army via Flickr

This type of modern cybercrime attack is known as ransomware. And although it isn’t really new, it hasn’t been seen in the wild nearly as its annoying cousins. As it has evolved, ransomware has grown in its complexity, not to mention in the compelling nature of the demands being made by its creators. Some of the more sophisticated versions involve threats to report you to the police for your illegal downloads (you can use your imagination here) if you don’t pay, and even official-looking “fines” that appear to be messages from law enforcement.

Why This Is Urgent

Recently, a vulnerability in Java was identified. Java runs on virtually every PC (Windows, Mac and Linux) and a substantial number of mobile and other devices as well. There are many applications that rely on Java in order to function, and it’s hard to picture a world without it. Mashable estimated the number of computers affected at 850 million.

Java is owned by Oracle, which updates the software platform from time to time in order to provide feature enhancements and to fix security vulnerabilities. The most recent vulnerability to be discovered actually allows hackers to take control of your computer and download ransomware to it, not to mention the other exploits they develop.

Chances are really good that your computer is running some version of Java 7. Any version of Java 7 other than the just-released “Update 11” contains this vulnerability and should be patched right away. Without patching it, you run the risk of a “drive-by” download of ransomware (or some other bad-behaving software). Often this happens without your knowledge.

This vulnerability was discovered and publicized on January 10th by a blogger named Kafeine. Until it was patched, the only option available to prevent exploits was to uninstall Java from your computer and/or disable it in your web browser.

Thankfully, Oracle announced today that the vulnerability has been patched with the release of Java 7 Update 11. All users are advised to download and install this version right away. Most users only need the version labeled “JRE” as the “JDK” version is primarily only necessary for software developers.

The following tweet went out from Oracle’s official “Java” account at 4:43PM Eastern:

Once again, my recommendation is that you download and install Java 7 Update 11 (the JRE version) right now.

P.S. If you are reading this because you have a computer that is locked up with ransomware, don’t pay the ransom. Use one of the many available tools to remove it. Here’s a good place to start for free.

HTC Evo Shift 4G Problems: Solved!

**Update (October 16, 2011): The process is a lot simpler now than it was a few weeks ago. This thread outlines the new simpler method for achieving root for your Evo Shift 4G. (I haven’t tried it myself, but I’d use it if my device weren’t already rooted.)

Meet the HTC Shift 4G

A few months ago, I upgraded my HTC Hero on Sprint to the HTC Evo Shift 4G. I liked the Shift because it had a good size and promised a little better battery life than the original HTC Evo. I didn’t need 2 cameras and a couple of the other bells & whistles of the bigger device, so the Shift looked to be a great choice.

And it was… for months. But unfortunately, the latest OTA (over-the-air) update that came to the device in late August / early September created a giant mess. For the first time ever, the Evo Shift started running slow. Every time I would hit the “Home” button to exit an app, the HTC Sense UI would restart. I wasn’t actually aware this was exactly what was occurring, but the home screen took forever to come up and the HTC logo would spin for a while. This was incredibly frustrating.

Rebooting the device didn’t help. Eliminating some apps made no difference. On a couple of occasions, using the device was so frustrating that I was about ready to throw it at the pavement.

Root, Root, Root Your Phone

I’ve written previously about rooting my HTC Hero. That turned out to be the best thing I could’ve done with that device. But I had hesitated to root the Shift. In fact, I hadn’t even looked into it because I was so happy with the device’s performance and really enjoyed the latest version of HTC’s proprietary Sense UI. Sense is a set of apps and tweaks that sits on top of the device’s Android O/S.

My experience with the HTC Hero was that by rooting it, I gave up access to the Sense UI. I liked it enough on the Evo Shift that I hadn’t gone down that road.

But with all my frustrations after the latest OTA update (which bumped me to Android 2.3.3 “Gingerbread”), I wondered what could be done. So… I started to check out the community of Android device hackers.

What I discovered was both delightful and frustrating. First of all, the guys & gals that work on this stuff had found a way to re-install the Sense UI after rooting the device. (This was not possible when I originally rooted my Hero.) Yippee for me! I can root the device and have full control, but still get the enjoyment out of Sense.

The downside — which was a bit frustrating — was that the road to get to a nicely-running, rooted “Gingerbread” (Android 2.3.3) Evo Shift with Sense UI was pretty convoluted.

Essentially, here’s what had to happen:

  1. Backup everything
  2. Gain a “temporary” root (goes away on reboot) on the Evo Shift
  3. Install some code to the device allowing a downgrade
  4. Backup everything
  5. Downgrade to “Froyo” (Android 2.2)
  6. Permanently root the device on Android 2.2.
  7. Backup the device
  8. Install a nice fresh new ROM

Definitely convoluted. Definitely more frustrating than the process on the HTC Hero (when I did it). But the results have been amazing. I’m running a custom ROM called MikShifted-G “Executive” from TheMikMik. It is gorgeous. It is lightning fast. All the “bugginess” from my device is ancient history.

And of course, with a rooted device, there’s no end to what you can do that was locked down previously by Sprint & HTC. All the Android goodness is there… and it gets better all the time!

I’m glad I rooted my Evo Shift 4G. You will be too!

For reference: xda-devleopers is the ultimate resource for rooting Android devices. For the HTC “Speedy” (Evo Shift 4G) running Android 2.3 (“Gingerbread”) this thread in particular will be helpful. It’s not for the faint of heart, but it’s worth it!

Enhanced by Zemanta

How to Get a Faster Sprint Hero

Update: On September 18th, a stable release of CyanogenMod 6.0 became available. Details are here. (The post below refers to my experience with the “release candidate,” which is the predecessor to the new stable release.) I updated my phone on October 23rd to the stable release and can attest it’s faster and better than ever! I was happy with the release candidate, but I’m even happier now!

HTC Hero for Sprint: Is There Any Hope?
HTC Hero for Sprint: Is There Any Hope?

I absolutely love my HTC Hero. I have since day 1, which for me was November, 2009.

But I’ve hesitated to recommend it to people… primarily because of the frustrations I’ve experienced with the device. It is plagued with significant lag (delays between when you expect something to happen and when it actually happens), some of the Android functions weren’t quite ready for prime time, and its battery life left something to be desired.

Nevertheless, I’ve been so thrilled with the Android operating system as a whole that I’ve personally just looked beyond those frustrations and made the best of it.

But a couple of months ago Sprint royally ticked me off. I’ll explain in a moment.

Cupcakes, Donuts & Eclairs

It may help here to provide a little background. My Hero originally shipped with Android “Donut,” which was version 1.6 of the Android Operating System.

For clarification, “Android” is the name of the open source operating system that is developed by Google (or has been since they acquired Android, Inc. about 5 years ago). There remains some confusion over terminology since Verizon licensed the term Droidâ„¢ from Lucasfilm, LTD. Verizon produces and sells several different devices under the name Droidâ„¢ as a way to brand their family of phones that run the Android operating system.

But any manufacturer is free to develop devices using the Android operating system. And many do. The devices began to take off when Android 1.5 (AKA “Cupcake”) released in early 2009. Google’s “Market” (their version of Apple’s “App Store”) began to explode with fantastic apps and the devices became more or less ready for daily use.

HTC Sense UI

So back to my Sprint HTC Hero. The Hero shipped with “Donut” (the successor to “Cupcake”), and as I said before, I loved it from day one. An important reason for it got so much love (from me and from others) was because HTC (the device’s manufacturer) developed an array of apps, widgets and modifications to the Android operating system that they labeled the “Sense UI” (UI is geek-speak for “User Interface”). Anyone who has used the Sense UI is spoiled.

I didn’t realize how spoiled I was until I picked up a friend’s Verizon Motorola Droidâ„¢ thinking I could use it. It was substantially clunkier and actually quite unfamiliar. I was surprised by the learning curve I had (considering I had owned and used my Android device regularly for months). But most surprising to me was how blazingly fast the Droidâ„¢ was in comparison to my Hero.

It was then that I began to realize just how unhappy I was with all the lag and the other frustrations I was experiencing.

This wasn’t just a case of device envy. I was syncing my Hero to an Exchange server and a Gmail account. I was regularly unable to answer calls because the lag was so long that they would go to voicemail before my phone was ready. Text messages were difficult at times. The browser was clearly powerful (especially when compared to my previous Blackberry and Windows Mobile browsers) but so painfully slow that it was rendered almost unusable.

So… imagine my delight when Sprint and HTC announced the availability of a significant upgrade from “Donut” (Android 1.6) to “Eclair” (Android 2.1) in May. Eclair boasted faster speeds — even on the same hardware (a rare occurrence in the world of hardware/software relations), and HTC had made substantial improvements to the Sense UI.

I backed up all my data (using an app that was readily available from the Android Market) and performed the upgrade. It was painful to watch the process run so slowly, but when it was over, my phone was noticeably more responsive.

But not responsive enough.

And even more painful was knowing that Eclair’s release date was October of 2009, fully 7 months before Sprint & HTC bothered to roll out the update. And also that “Froyo” (Android 2.2) was released by Google right about the time that I was downloading the Eclair update from HTC’s servers.

The Froyo Frustration

So… I said earlier that Sprint had ticked me off. Several things happened all about the same time in the world of Sprint. In June, they announced the HTC EVO… which they widely proclaimed the nation’s first 4G phone. It boasted a bigger screen, faster processor, and a big fat price tag. And even though I’m a Sprint “Premier” customer, I was still nearly 6 months away from qualifying for their “upgrade pricing.”

Another Sprint event: a leak. Word leaked out that although the EVO would be getting an upgrade to Froyo, the Hero (and a couple of other lesser phones) would not.

Whatever the reasons for their decision, here’s how it came across to the community of HTC Hero owners: a slap in the face. Some of them had just purchased the Hero, and in fact Sprint still sells it brand new today.

My wife is eligible for a Sprint upgrade and has been for probably 18 months or so since her last contract expired. No matter how easy to use, there was no way I was going to have her purchase the HTC Hero… because I knew that to a non-techie the problems I was experiencing would be absolute showstoppers.

But given Sprint’s attitude (“We’re not going to provide the software update, just buy our new $500 phone if you want something better…”), I seriously began contemplating a switch to another carrier.

I know, I know… they all screw their customers. And frankly, I’ve had almost no trouble at all with Sprint over the years… nor with Nextel prior to Sprint’s acquisition of it. Signal is good. Billing is accurate. Customer service (on the rare occasion when I’ve required it) has exceeded my (admittedly low) expectations.

So… why would I want to switch? It just felt like the decision was made purely to dangle a real expensive carrot in front of customers like me who pay significant fees every month for service.

It also happened that around July I began to face the fact that my dependence upon Microsoft was coming to an end. I’ve owned, managed or leased space on Exchange Servers for nearly 1o years. I’ve synced with a variety of mobile devices (as I mentioned before) and I am an enormous believer in “the cloud.” In fact, when I switched from my last smartphone (a Windows mobile device) to the Hero, my 1000+ contacts and an untold number of emails (even in the 3-day sync window) were synced before I left the Sprint store.

Realizing how good the sync is on the Android platform (including Facebook and Twitter integration), and that Google isn’t going anywhere, I decided to take the plunge and test out Google Apps For Your Domain (“GAFYD”). Holy cow. I wish I’d done it sooner. The Gmail platform (private-labeled for my team) is unbelievably powerful and easy to use. The extremely low cost ($50 per user per year) is an enormous cost savings over using (and supporting) the Exchange platform, and no software (Microsoft Outlook, you know who you are) is required.

So… a number of pieces were coming into place for me. I’m seeing a long term commitment to Google’s platform — including Android.

But man… the Hero was frustratingly slow.

So… last week, I bit the bullet and “rooted” my phone.

To Root or Not to Root

No… I’m not digging around in the soil. And no… I didn’t let it get acquainted with nature in an attempt to get an insurance upgrade (ever known anyone who’s tried that trick?)…

I did, however, void my warranty. At least temporarily.

The Android platform is closely related to Unix. On a Unix system, the “Administrator” (to use Microsoft’s terminology) is called the “Root” user. This user has “root” (the highest level of) access to the operating system.

For reasons that I’m sure are relatively obvious, Sprint (and every other carrier) does not provide “root” access to the operating systems on its devices. Instead, it locks down most configuration options and system areas so that the end user can’t screw things up too badly (and so that rogue apps don’t have the ability to behave too badly). Apple does the same thing with its devices.

Of course, there’s a vibrant community of hackers who will teach you how to gain root access to your Android device… and even provide software tools to avoid the most complicated, error-prone steps.

Why would you want root access? Well… for a long list of reasons, most of which involve gaining a higher level of control over the device. Want to overclock your processor? You need root access. Want to reconfigure your LED? You need root access. Want to do just about anything aside from installing the sanitized apps from the market? You need root access.

Want to install Froyo (Android 2.2)? You need root access.

Wait a minute… you can install Froyo? The same Froyo that boasts 3x-10x speed improvements (yes… on the same hardware) over Eclair? The same Froyo that allows for tethering (providing internet access via a USB cable from your phone to your laptop when not in range of wifi service… a feature blocked by Sprint in Eclair) and hotspot (turning your phone into a wifi hotspot so your laptop and other devices can utilize its internet connection… something Sprint charges an extra monthly fee for on the EVO even though it’s a built-in feature) and significantly-improved multiple Google account support?

Well… officially, no. You can’t have Froyo. You’re stuck with a slow Hero.

But unofficially… once you make the decision to take a few liberties with your device… you can do all of the above.

And let me tell you… the difference is nothing short of amazing.

On Saturday, I decided to take the plunge: root the phone and install Froyo. Of course, there’s no chance of just going to Google’s Android site and finding a download for Android 2.2 that’s going to actually work on your phone. But thanks to the community of developers/hackers I mentioned earlier, there are ready-made distributions available that are tailored to your carrier, device and desired configuration.

Let me be clear: this process is not for the faint of heart. There are portions that are highly technical in nature, and it’s best if you don’t expect someone to hold your hand. The community has produced a dizzying array of blogs, wikis and most importantly: forums, where answers can be found for all manner of technical questions.

I’m personally writing this post to inform some of the non-techies in the world that there are ways to get yourself a much better experience with your HTC Hero on Sprint (or just about any other Android device, for that matter). But I’m unable to provide technical expertise or guidance on this aside from sharing a few details that worked for me and pointing you toward the true masters of this game… the ones who have devoted untold hours to writing code, testing and supporting their work.

To these individuals — the ones who dared to say to Sprint, “Take that!” — I am truly grateful. I have today what amounts to a brand new phone. Yes, the hardware is no different. But how it performs… there’s absolutely no comparison.

So… let me provide a brief summary of the steps I took to get this amazing result.

The Process… Summarized

First and foremost, as with any operation that has the potential to affect valuable data, perform a backup. I highly recommend a phenomenal paid app from the Android Market called MyBackup Pro. Open the Market from your device, fork over a mere $4.99, and you can backup everything from your emails, contacts and calendar all the way to applications and even the layout of your homescreen. It will save to your device’s SD card and, if you choose, upload a backup to the developers’ servers where it can be retrieved later from the same device or from a replacement (if you’re switching hardware).

For me, my emails, contacts and calendar were all synced to Google accounts, so there was no need to actually store that data. But my call log, SMS (texts) and MMS (multimedia messages) and apps were valuable to me. I guess some people don’t see a need to hang on to those, but I like being able to refer back to things in the future. So I backed ’em up.

After you’re satisfied that you have a backup and can restore your phone to its current state if necessary (either because things go badly or because you need warranty service from Sprint because of hardware issues), then you can get under the hood and really start tinkering.

The short version is this:

  1. Gain root access to your device
  2. Download and install a recovery image (provides a boot platform as well as backup and other valuable tools)
  3. Perform another backup using Nandroid (part of the recovery image)
  4. Download and install a ROM that contains the distribution of Android and the configuration you’re looking for)
  5. Install the ROM
  6. Install the Google Apps (Market, Gmail, Maps, etc…) so that you can use the basic functions you’re expecting from Android
  7. Install/configure Launcher software (if you choose — as I did — to go with something different than what came with the ROM you installed)
  8. Selectively restore data from your backup (the one you performed prior to step 1). For me, this meant: call logs, SMS/MMS messages, and apps.
  9. Locate some new apps (as desired) to replace the stuff from HTC’s Sense UI that you might miss.
  10. Experience blazing speeds, better battery life, and overall… a fantastic phone!

I’ll provide a little more detail for you below. But here’s my caveat: this stuff changes… sometimes daily. Whatever I post here will be outdated by the time I hit publish, not to mention by the time you read it.

So… I’m going to point you in the direction of the valuable resources I have found. There are a few major players worth highlighting, but there are countless other players who may not be as visible or noticeable who have also played an enormous role in making this level of customization to your device possible. These are the real heroes, in my opinion. Obviously, Google and the original Android team deserve some major props as well.

The developers who have gone the “last mile” to us end users can be found in the forums at XDA-developers.com. This is where you’ll find heroes like Darchstar — who created the final actual ROM I’m currently using and would highly recommend — and theimpaler747, who is one of many who deserve recognition for their tireless support answering questions from people like me who are trying to wrap our heads around what it takes to get the job done.

So, by topic, here are some important links you’ll need in order to undertake the process. (Note: these links apply — in most cases exclusively — to the HTC Hero on Sprint and may be out of date — see my red ink above. If you need stuff for a different device or a different carrier, then search the forums for your specific situation. Chances are, you’ll find great results.)

  1. Learn about (and download tools to gain) root access to your device here.
  2. Download the ROM Manager from the Android Market (using the Market app on your phone). It will only work after you have root access. Give it “Superuser” permissions and it will install the appropriate recovery image and the other tools (such as Nandroid for backups) to your device.
  3. Reboot to the recovery image and run a Nandroid backup to your SD card. This is a much more comprehensive, system-level backup of your entire device.
  4. Wipe your device. In hacker parlance, this means perform a “factory reset.” This is required in order to effectively install the ROM you’ll need. Alternatively, you can download the desired ROM and install it via the ROM Manager, which will prompt you for the wipe (which you should have it perform in this case).
  5. Here’s where to find Darchstar’s Froyo ROM RC1 for the Sprint Hero. (“Release Candidate 1” means it’s stable enough for you to use, but isn’t officially considered a full release yet as they’re still tinkering). Darchstar built upon the fantastic work of the CyanogenMod community in bringing us Froyo. This particular distribution bears the date of August 15, 2010. I’m sure I’ll be flashing (installing) a newer ROM when it becomes available — either RC2 or a formal release. There are also “nightlies” (nightly builds) available that may have newer features but may also be less stable. I’m not using the nightlies because my phone is something I absolutely depend upon on a daily basis and I can’t afford the luxury of testing at the bleeding edge for now.
  6. Darchstar also maintains a link to the latest version of the Google Apps distribution you’ll need. It’s posted on the same forum topic as his distribution. Grab it. You’ll want it. You “flash” this ZIP file right on top of the ROM (don’t perform a wipe this time) that you just installed. I used ROM Manager to do it, which Darchstar was kind enough to include in his Froyo distribution.
  7. Test, tinker and tweak.

I dug through the forums and decided to purchase the Launcher Pro App from the Android Market (after I synced my Google account, naturally). This brought some of the features of the Homescreen back that I would’ve missed from HTC’s Sense. I also gained some fantastic new features in the process (e.g. more rows for icons, a nifty all-new App Drawer, and some more fun stuff.)

I also decided to download the Dialer One app to regain some of the experience inside the actual phone functions that I liked from HTC Sense. It looks different, but performs very well. You can also turn it off and switch back to the standard Android dialer if it isn’t what you like.

For text messaging, I went with chompSMS. This was something I’d already switched to prior to rooting and upgrading to Froyo. It has a fantastic UI… including popups that appear when you receive an incoming text so you can answer (or not) without interrupting what you were doing. The threaded conversations are fantastic and visually appealing as well.

One of the most noticeable elements of HTC’s Sense UI is the big digital clock with the animated weather icons that typically adorned the Homescreen of most users. While Launcher Pro comes with some options, I ultimately decided to get the Beautiful Widgets app (and pay for the upgrade) from the Market. It has some obvious visual differences, but there are replacement widgets that look as good as (and are frankly more configurable than) the ones that come with Sense.

There are lots more tweaks available. And a few lingering issues are minor annoyances as well. The whole experience has opened my eyes to just how powerful the Android platform really is. At this point, I’m not sure I could ever be talked into buying an iPhone. Apple’s reputation for closing itself off to proprietary platforms is legendary… and ultimately not in the best interests of users. There are certainly those who think Google could be evil… and I’m mindful of the possibility that they could turn that direction somewhere along the line. But their commitment to open source development is clear. And there’s a clear path for getting your data off of their platforms at any point in time if you decide you want to switch.

As for the annoyances, there’s a lag that remains when you bring the phone back from sleep. Some users have overclocked their phone’s processors using “uncapped kernels” (another piece of software you can optionally flash on top of Darchstar’s Froyo ROM if you’re extra brave) and claim to have gotten rid of this. Frankly, I’m aware of it (it’s longer than the lag I had previously with Eclair/Sense), but it’s not a big deal. The blinding speed I get with every other function on the phone far outweighs any complaint I might raise about this lag. But the forums are filled with questions about it (typically the same question over and over), so some people are more annoyed by it than I am.  Occasionally, I uncover some other “missing feature” that I realize was part of Sense. But there are replacements for almost all of these. There’s a bug that occurs when you try to open the camera from inside the gallery (something I did regularly before) that causes the phone to hang. The fix is nifty: you get to pull the battery from your phone in order to reboot it. Not cool, but as with the other issue: it’s something I’m aware of and in this case, I can avoid it!

All in all, I’m so thrilled with my experience that I wish I’d done it a lot sooner. Of course, every day that goes by produces better and better code from the crew that’s working on it. So… perhaps the timing of my switch was good.

Either way, if you own a Sprint HTC Hero, I highly recommend that you root your phone and upgrade it to Froyo. You won’t regret it… and if for some reason you do, you can go back to the configuration you have today (if you really want to) by using the ROM that Sprint/HTC made available when they rolled out Eclair back in May.

This may be the longest post I’ve ever written here. But… what can I say… I’m thrilled with my Hero! And I’m running Froyo on it.

Incidentally, there’s a fantastic thread now running on XDA-developers.com that was started by the aforementioned theimpaler747 for users of any of the CyanogenMod ROMs for the Hero (this includes the one I’m using from Darchstar). In addition to the thread containing Darchstar’s ROM download, this one is highly useful.

I hope this post helps you make the decision to move forward with upgrading your Hero. It’s worth every minute of effort you spend learning your way around and going down the road, as complex as it may be!