Random Neural Misfirings


A little while back, Sean had the insight that social networks should be a feature, not a service. I think he was right, but I’ll go him a step further and say social networks should be an API, not a feature. Rather than the current state of affairs, where some slice of your social network is represented on every site you participate in, all of your social network would be consolidated in one place of your own choosing. This approach is being referred to as a “distributed social network,” but that strikes me as a misnomer. The current fragmented situation is also distributed, just along a different axis.

My idea is inspired by the concept behind OpenID: basically, that you’ve got one “identity server” and use your credentials on that server to log in everywhere. All identity servers speak the same language, so when you’re trying to log in somewhere, as long as it knows how to communicate with any identity server, it can communicate with yours.

Your social network could function the same way. In fact, it would make sense for your OpenID server to also be the central repository for your social-network information. While this wouldn’t be necessary, it simplifies things, and for the rest of this entry, I’ll be assuming it’s the case.

So how would this work?


Chris tweeted that Twitter is “just a toy.”

Well, maybe. But if you really want/need to be reachable and you’re on Twitter (and your would-be contacts are too), it’s a one-stop way for people to message you. Twitter permits one-to-one messages (as opposed to its default broadcast mode), and if you’ve set Twitter up for it, these will be sent through chat, e-mail, and SMS. There are probably other ways to “explode” a message to multiple communications channels like this, but none that I’ve seen. So, chalk up one potentially practical use for Twitter.

This suggests a way Twitter might actually make money, one of the questions its members have been wondering about since day one: quality of service. An organization could move some of its communications onto Twitter and actually benefit from this message-exploding function, but Twitter has been too flaky lately to make that practical. But if business users paid for and received a certain QoS, it might be viable.

Perhaps everyone else knew about this and failed to tell me, or perhaps I knew and then forgot, but the New York Times is making permanently accessible permalinks available for their articles online.

This sounds obvious, but it isn’t. NYTimes.com charges for access to older articles, and up until this change (whenever it was), the only way to bookmark an article in such a way that you’d always be able to get through to it was via a hack.

But they’re getting hipper now, with buttons to directly bookmark to a few social-bookmarking sites (not del.icio.us, too bad for me), and also a “permalink” button. Clicking on that reveals the key to the kingdom, with the welcome announcement: “To link to this article from your blog, copy and paste the url below into your blog or homepage. Using this link will ensure access to the article, even after it becomes part of the NYT archive.”

I’ve just received my first invitation in the form of a Youtube video. Somehow this feels like a watershed moment.

I was just paying my mortgage online, at the website of my note-holder. Their online-payment system is set up so that once you log in, you are presented with an on-screen facsimile of a check, where you fill in the amount, routing number, and account number of the paying bank. Below that is a field for the last four digits of your SSN and an e-mail address to send a confirmation notice to.

Well, I actually fat-fingered my SSN today, and the page immediately popped up an alert that I had entered my SSN wrong. It seemed that there had been no round-trip to the server to check that, so I checked the page’s source code. Sure enough, I saw this:
    function validateSSN1()
    {
        if (document.Form1.txtssn.value != "the actual last four digits of my SSN here" && document.Form1.txtssn.value != "the actual last four digits of Gwen's SSN here" )
        {
            document.Form1.txtssn.value = "";
            document.Form1.txtssn.focus();
            alert("Your entry did not match our records. Please enter the last four digits of your social security number.");
            return false;
        }
        else
        {
            return true;
        }
    }

Embedded right there in the page asking me for the information is the very information it is asking me for. That’s just a bad security practice in general, but it’s especially bad considering the information in question. Now, admittedly, nobody should be able to get access to my account in the first place, but if they do, the damage they can do should be limited to that website. But the last four digits of the SSN are so widely used as a shorthand identifier these days that the potential for mischief is much more widespread.
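As an added example (not the bank’s code, and not from the original post), here is the same check in its vulnerable form beside a server-side version that never ships the digits to the browser. The account records and digit values are constructed for the demonstration.

```javascript
// Constructed records: what the server knows about each account.
const ACCOUNTS = {
  "acct-100": { ssnLast4: ["1234", "5678"] }, // two authorized payers, as in the post
};

// VULNERABLE: mirrors the bank page. The expected values are baked into the
// page's JavaScript, so anyone who can view the page source can read them.
function renderVulnerablePage(accountId) {
  const expected = ACCOUNTS[accountId].ssnLast4
    .map((d) => `document.Form1.txtssn.value != "${d}"`)
    .join(" && ");
  return `<script>function validateSSN1(){ if (${expected}) { return false; } return true; }</script>`;
}

// HARDENED: the page only enforces the *format* client-side (four digits);
// the real comparison happens on the server, so the page carries no secret.
function renderHardenedPage() {
  return `<script>function validateSSN1(){ return /^\\d{4}$/.test(document.Form1.txtssn.value); }</script>`;
}

// Compare two strings without stopping at the first mismatch, so response
// time does not leak how many leading digits were right.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Server-side check: validate the format, then compare against the record.
// Returns only yes/no; the stored digits never leave the server.
function verifySSNLast4(accountId, submitted) {
  if (!/^\d{4}$/.test(submitted)) return false;
  const record = ACCOUNTS[accountId];
  if (!record) return false;
  let ok = false;
  for (const d of record.ssnLast4) ok = constantTimeEqual(d, submitted) || ok;
  return ok;
}

// Does the rendered page source reveal any stored digits? (true = leak)
function pageLeaksSecret(html, accountId) {
  return ACCOUNTS[accountId].ssnLast4.some((d) => html.includes(d));
}
```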

I have notified the bank, and will not mention their name just yet.

andrea poi 05

I’ve been using Flickr to host my photos for some time, and I’ve been happy with it. And it’s one of those rare websites that seems to have established itself almost as a public utility among many people active on the web, so it seems it would be hard to dislodge. But then there are these new kids at Zooomr. Jeremy is intrigued, and as he puts it, “I’m just not sure I’m willing to give even $25 to anyone [Flickr] whose parent company might take a cavalier attitude towards helping people into prison in China.” And, shoot, Zooomr is giving away free accounts to bloggers, so what the heck.

This is an oldie but a goodie, a picture of a friend I don’t get to see often enough, on the occasion of her first burn. The smile says it all.

Bank of America has a smart idea they call “site key” as a defense against phishing. Logging into their site is a two-step process: you enter your username, which takes you to another page to enter your password. On this second page there is a picture that you have previously chosen from among many pictures, accompanied by a descriptive word that you typed in yourself when you chose that picture. Barring a security breach, it would be essentially impossible for a scam artist to reproduce this.

Something like this could be applied to e-mail, to help identify it as legitimately from the bank (or paypal, or ebay, or any other institution susceptible to phishing attacks). When the user sets up an account, they type in a unique, memorable phrase that is completely unrelated to their password. This phrase will then appear in all e-mail from that institution to help identify it as legitimate. I’m calling this key phrase a “mailpass.”

I can imagine a technical objection to this, and a related psychological objection. The technical objection is that with rare exception, mail is not encrypted. So the mailpass will be sent as plain text over unsecured channels, making it vulnerable to interception.

Which leads to the psychological objection. Because a phisher could intercept and use your mailpass, the mailpass would need to be viewed as a necessary proof of authenticity, but not a sufficient proof. This point could easily be lost on a lot of people, and there would need to be plenty of attendant scare-language to the effect that you cannot count on a correct mailpass to be rock-solid proof of authenticity, should always exercise due care against scammers, etc.

But mailpass would definitely make e-mail filtering a lot easier. If I were to get e-mail from paypal that lacked the mailpass, I could confidently route it to the trash without even looking at it. And I can’t think of any other reasons this would be a bad idea, though I’m sure someone out there could.
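The filtering rule from the last paragraph, as an added example that is not part of the original post: mail that claims to come from an enrolled institution but lacks the mailpass is routed to the trash, while mail that carries it is marked as passing this one check only (necessary, not sufficient) and still goes through normal scrutiny. The institution domains, phrases and messages are constructed.

```javascript
// The user's enrolled mailpasses, keyed by institution domain (constructed).
const MAILPASSES = {
  "paypal.example": "purple giraffe on a tuesday",
  "bank.example": "nine cold spoons",
};

// Minimal message parser: headers until the first blank line, then the body.
function parseMessage(raw) {
  const [head, ...rest] = raw.split("\n\n");
  const headers = {};
  for (const line of head.split("\n")) {
    const idx = line.indexOf(":");
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { headers, body: rest.join("\n\n") };
}

// Domain claimed in the From: header (after '@', ignoring display name and '>').
function senderDomain(from) {
  const m = /@([A-Za-z0-9.-]+)/.exec(from || "");
  return m ? m[1].toLowerCase() : null;
}

// Returns "trash" (claims an enrolled institution but has no mailpass),
// "unknown" (sender is not an enrolled institution; normal checks apply) or
// "mailpass-ok". The last is only a necessary condition: the phrase travels in
// cleartext and could be copied, so such mail is still run through the usual
// spam and phishing checks rather than trusted outright.
function classify(raw) {
  const msg = parseMessage(raw);
  const domain = senderDomain(msg.headers["from"]);
  if (!domain || !(domain in MAILPASSES)) return "unknown";
  return msg.body.includes(MAILPASSES[domain]) ? "mailpass-ok" : "trash";
}

// Constructed sample messages: one legitimate, one spoofing the same From:.
const LEGIT = "From: PayPal <service@paypal.example>\nSubject: Your receipt\n\nYour mailpass: purple giraffe on a tuesday\nThanks for your payment.";
const PHISH = "From: PayPal <service@paypal.example>\nSubject: Verify your account\n\nClick here to verify your account now.";
```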

I check in with Wikipedia every day, and try to be a good steward of the articles I’ve contributed to.

Wikipedia is a funny thing. It’s easy for two people of good intent to have very different ideas of what’s appropriate content, and to get into a fight over what belongs and what doesn’t. In situations like this, the “right” thing to do isn’t very clear-cut. In some situations though, there is a clear right and wrong. Commercial links and self-links are explicitly discouraged.

So it felt a little awkward for me today when I discovered someone I kinda-sorta know had inserted links to his own site in many articles. This is a little like cussing in church.

I reverted all his insertions.

I’ve seen a sudden upsurge in a particular kind of spam over the past day or so. All of them come with a (Windows) executable attachment.

Several of the messages read as follows:

From:     Admin@cia.gov
Subject:  Your IP was logged
Date:     21 November 2005 22:07:31 CST
To:       [my e-mail address]

Dear Sir/Madam,

we have logged your IP-address on more than 30 illegal Websites.

Important:
Please answer our questions!
The list of questions are attached.

Yours faithfully,
Steven Allison

++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505

++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time

Call me crazy, but it seems like a really, really bad idea to use the CIA—the same organization known to torture prisoners—as the Joe in your little joe-job phishing expedition.

later: Apparently I’m not the only one getting these.