2007/07/27

Blogger is looking for engineers!

Interested in working for Google onthe top blogging platform around? We're looking for engineers.  Experience or interest in buildingweb-based social applications is a plus but not a requirement.  Selfmotivation, ability to get things done, and burning desire to work onnew things are requirements.  Want to find out more?  Contact me.

2007/07/24

AtomPub now a Proposed Standard

http://www.ietf.org/internet-drafts/draft-ietf-atompub-protocol-17.txt is now an official IETF Proposed Standard.   Whee!

Tags: , ,

Share your dog's name, lose your identity?

From the BBS: Web networkers 'at risk of fraud'.
Credit information group Equifax said members of sites such as MySpace, Bebo and Facebook may be putting too many details about themselves online.It said fraudsters could use these details to steal someone's identity and apply for credit and benefits.
So, to protect the credit bureau's business models, we're all supposed to try to hide every mundane details of our lives?  The name of my dog is not a secret; if credit bureaus assume it is, they are making a mistake. 

Here's the solution:  Make the credit bureaus fiscally responsible for identity theft, with penalties for failing to use good security practices.

2007/07/19

Open Authorization, Permissions, and Socially Enabled Security

The session I proposed at Mashup Camp, Open Authentication and Authorization for Mashups, went pretty well (though I should have done more marketing).   Unfortunately none of the people on the OAuth group were at Mashup Camp, but perhaps we generated some more interest and use cases for it.

Consider a user navigating web services and granting various levels of permissions to mash-ups; a mash-up might request the right to read someone's location and write to their Twitter stream, for example.  The first time this happens, the user would be asked something like this:

The TwiLoc service is asking to do the following on an ongoing basis:
- Read your current location from AIM, and
- Create messages on your behalf in Twitter.
How does this sound?
[ ] No [ ] Yes [ ] Yes, but only for today


The user would also have a way to see what permissions they've granted, how often they've been used (ideally), and be able to revoke them at any time.

Now, of course, users will just click through and say "Yes" most of the time on these.  But there's a twist; since you're essentially mapping out a graph of web services, requested operations, granted permissions, usage, and revocations, you start to build up a fairly detailed picture of what services are out there and what precisely they're doing.  You also find out what services people trust.  Throw out the people who always click "yes" to everything, and you could even start to get some useful data.

You can also combine with social networks.  What if you could say, "by default, trust whatever my buddy Pete trusts"?  Or, "trust the consensus of my set of friends; only ask me if there's disagreement"?  Or more prosaically, "trust what my local IT department says". 

2007/07/18

At Mashup Camp today and tomorrow

I'm at Mashup Camp IV today and tomorrow.  Ping me if you're around too and want to chat.

Every mashup attempts to expand...

Proposed, half-seriously:

Every mashup attempts to expand until it can do social networking.  Those that can't are replaced by those that can.

(With apologies to Zamie Zawinski.)

2007/07/10

Implications of OpenID, and how it can help with phishing

:Last month, Simon Willison gave a talk at Google (video, slides) which is a good intro and summary of technical implications of OpenID.  He points out a very important point:  OpenID does outsource your security to a third party; so does sending a "forgot your password" email to an arbitrary email address.  All of the attacks that work against OpenID also work against these emails.

So the implication is that the security policies that you currently have around "forgot your password" are a good starting point for thinking about OpenID security.  Specifically phishing vulnerabilities and mitigations are likely to be similar.  However, OpenID also changes the ecosystem by introducing a standard that other solutions can build on (such as Verisign's Seat Belt plugin). 

OpenID really solves only one small problem -- proving that you own a URL.  But by solving this problem in a standard, simple, deployable way, it provides a foundation for other solutions. 

It doesn't solve the phishing problem.  Some argue that it makes it worse by training users to follow links or forms from untrusted web sites to the form where they enter a password.  My take:  Relying on user education alone is not a solution. If you can reduce the number of places where a user actually needs to authenticate to something manageable, like say half a dozen per person, then we can leverage technical and social aids much more effectively than we do now.  In this sense, OpenID offers opportunities as well as dangers.  Of course, this would be true of any phishing solution.

2007/07/09

Disorder, Delamination, David Weinberger

David Weinberger's presentation in Disorder: Feature or Bug? at Supernova 2007 was like watching a great rock singer deliver a passionate performance you just know is destined to be a classic.  How good was it?   The IRC channel went dead.  That's the conference equivalent of everybody waving their lighters in the air.  Um.  Well, you just had to be there.  I can't find a video.  Anybody have a bootleg?

Anyway.  David's now posted a new essay well worth reading, Delamination Now!. Also, well worth acting on.  Money quote: "[T]he carriers are playing us like a violin." 

2007/07/08

There she blows! (The Moby Dick Theory of Big Companies)

Having spent some time in the belly of the whale[1], I can testify that the decision making process of a large company is indeed a chaotic system even when seen from the inside.  The variables that control decisions are very well hidden.

The Pmarca Guide to Startups, part 5: The Moby Dick theory of big companies

[1] In the same whale as pmarca in fact, though in a somewhat different location along the alimentary tract.

2007/07/05

Fireworks, Social Compacts, and Emergent Order

Yesterday the family went to see the 4th of July fireworks just outside the Google campus, in Charleston park.  Great park, lots of friendly helpful people, the kid had a blast running in the water fountain, and he saw his first fireworks show.  It was great!

Then, we left (quickly, to avoid the crowds) and immediately got snarled in traffic.  Of course everyone was leaving at the same time so we expected it to be slow, but we were literally not moving for a quarter of an hour.  After a while we figured out that we couldn't move because other cars kept joining the queue ahead of us from other parking lots.  Around this time, other people started figuring this out too and started going through those same parking lots to jump ahead.  This solution to the prisoner's dilemma took about 30 minutes to really begin to cascade:  Everyone else began to drive through parking lots, under police tape, on the wrong side of the road, cutting ahead wherever they could to avoid being the sucker stuck at the end of the never-moving priority queue.  (Full disclosure:  I drove across a parking lot to get over to the main road where traffic was moving, but violated no traffic laws.)

I wonder how the results would have been different if the people involved could communicate efficiently instead of being trapped incommunicado in their cars.   I bet every single car had at least one cell phone in it, many with GPS.  Imagine an ad hoc network based on cell phones and GPS, communicating about traffic flow -- nothing more complicated than speed plus location and direction, and maybe a "don't head this way" alert.  It'd be interesting to try.

2007/07/01

Theory P or Theory D?

Which theory fits the evidence (Raganwald):

Theory P adherents believe that there are lies, damned lies, and software development estimates. ... Theory P adherents believe that the most important element of successful software development is learning.

Maybe I'm an extreme P adherent; I say that learning is everythingin software development.  The results of this learning are captured incode where possible, human minds where not.  Absolutely everything elseassociated with software development can and will be automated away.

Finally:

To date, Theory P is the clear winner on the evidence, and it’s noteven close. Like any reasonable theory, it explains what we haveobserved to date and makes predictions that are tested empiricallyevery day.

Theory D, on the other hand, is the overwhelming winner in themarketplace, and again it’s not even close. The vast majority ofsoftware development projects are managed according to Theory D, withlarge, heavyweight investments in design and planning in advance, verylittle tolerance for deviation from the plan, and a belief that goodplanning can make up for poor execution by contributors.

Does Theory D reflect reality? From the perspective of effectivesoftware development, I do not believe so. However, from theperspective of organizational culture, theory D is reality, and youignore it at your peril.

So this is a clear contradiction.  Why is it that theory D is sosuccessful (at replicating itself if nothing else) while theory Planguishes (at replicating)?  Perhaps D offers clear benefits to itsadherents within large organizations -- status, power, large reportingtrees...  and thus P can't gain a foothold despite offering clearorganization-level benefits. 

But I suspect that it's simpler than that; I think that people simplydon't really evaluate history or data objectively.  Also, it may bedifficult for people without the technical background to really howdifficult some problems are; past a certain level of functionality,it's all equally magic.  The size of the team that accomplished a taskthen becomes a proxy for its level of difficulty, in the way that highprices become a proxy for the quality of a product in the marketplacefor the majority of consumers.  So small teams, by this measure, mustnot be accomplishing much, and if they do, it's a fluke that can beexplained away in hindsight with a bit of work.

Somebody should do a dissertation on this...

Theory P or theory D?

Whichtheory fits the evidence (Raganwald):

Theory P adherents believe that there are lies, damned lies, andsoftware development estimates. ... Theory P adherents believethat the most important element of successful software development is learning.

Maybe I'm an extreme P adherent; I say that learning is everythingin software development.  The results of this learning are captured incode where possible, human minds where not.  Absolutely everything elseassociated with software development can and will be automated away.

Finally:

To date, Theory P is the clear winner on the evidence, and it’s noteven close. Like any reasonable theory, it explains what we haveobserved to date and makes predictions that are tested empiricallyevery day.

Theory D, on the other hand, is the overwhelming winner in themarketplace, and again it’s not even close. The vast majority ofsoftware development projects are managed according to Theory D, withlarge, heavyweight investments in design and planning in advance, verylittle tolerance for deviation from the plan, and a belief that goodplanning can make up for poor execution by contributors.

Does Theory D reflect reality? From the perspective of effectivesoftware development, I do not believe so. However, from theperspective of organizational culture, theory D is reality, and youignore it at your peril.

So this is a clear contradiction.  Why is it that theory D is sosuccessful (at replicating itself if nothing else) while theory Planguishes (at replicating)?  Perhaps D offers clear benefits to itsadherents within large organizations -- status, power, large reportingtrees...  and thus P can't gain a foothold despite offering clearorganization-level benefits. 

But I suspect that it's simpler than that; I think that people simplydon't really evaluate history or data objectively.  Also, it may bedifficult for people without the technical background to really howdifficult some problems are; past a certain level of functionality,it's all equally magic.  The size of the team that accomplished a taskthen becomes a proxy for its level of difficulty, in the way that highprices become a proxy for the quality of a product in the marketplacefor the majority of consumers.  So small teams, by this measure, mustnot be accomplishing much, and if they do, it's a fluke that can beexplained away in hindsight with a bit of work.

Somebody should do a dissertation on this...