Friday, July 27, 2007
Tuesday, July 24, 2007
AtomPub now a Proposed Standard
http://www.ietf.org/internet-drafts/draft-ietf-atompub-protocol-17.txt is now an official IETF Proposed Standard. Whee!
Share your dog's name, lose your identity?
From the BBC: Web networkers 'at risk of fraud'.
Credit information group Equifax said members of sites such as MySpace, Bebo and Facebook may be putting too many details about themselves online. It said fraudsters could use these details to steal someone's identity and apply for credit and benefits.
So, to protect the credit bureau's business models, we're all supposed to try to hide every mundane detail of our lives? The name of my dog is not a secret; if credit bureaus assume it is, they are making a mistake.
Here's the solution: Make the credit bureaus fiscally responsible for identity theft, with penalties for failing to use good security practices.
Thursday, July 19, 2007
Open Authorization, Permissions, and Socially Enabled Security
The session I proposed at Mashup Camp, Open Authentication and Authorization for Mashups, went pretty well (though I should have done more marketing). Unfortunately none of the people on the OAuth group were at Mashup Camp, but perhaps we generated some more interest and use cases for it.
Consider a user navigating web services and granting various levels of permissions to mash-ups; a mash-up might request the right to read someone's location and write to their Twitter stream, for example. The first time this happens, the user would be asked something like this:
The TwiLoc service is asking to do the following on an ongoing basis:
- Read your current location from AIM, and
- Create messages on your behalf in Twitter.
How does this sound?
[ ] No [ ] Yes [ ] Yes, but only for today
The user would also have a way to see what permissions they've granted, how often they've been used (ideally), and be able to revoke them at any time.
Now, of course, users will just click through and say "Yes" most of the time on these. But there's a twist; since you're essentially mapping out a graph of web services, requested operations, granted permissions, usage, and revocations, you start to build up a fairly detailed picture of what services are out there and what precisely they're doing. You also find out what services people trust. Throw out the people who always click "yes" to everything, and you could even start to get some useful data.
You can also combine with social networks. What if you could say, "by default, trust whatever my buddy Pete trusts"? Or, "trust the consensus of my set of friends; only ask me if there's disagreement"? Or more prosaically, "trust what my local IT department says".
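A toy version of the grant ledger and social default sketched above, added here as an example (it is not code from the original post). The service names TwiLoc, AIM and Twitter come from the post; the data model, the operation strings, the friend names and the consensus rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Grant:
    consumer: str            # the mash-up asking for access, e.g. "TwiLoc"
    provider: str            # where the data lives, e.g. "AIM" or "Twitter"
    operation: str           # what it may do (assumed naming), e.g. "read:location"
    expires: Optional[date]  # None = "on an ongoing basis"; a date = "only for today"
    uses: int = 0            # how often the grant was actually exercised
    revoked: bool = False


class PermissionLedger:
    """One user's record of what was granted, how often it was used, and what was revoked."""

    def __init__(self, today: date):
        self.today = today
        self.grants: list[Grant] = []

    def grant(self, consumer, provider, operation, only_today=False) -> Grant:
        g = Grant(consumer, provider, operation, self.today if only_today else None)
        self.grants.append(g)
        return g

    def _find(self, consumer, provider, operation) -> Optional[Grant]:
        # The most recent decision wins, so a fresh grant after a revocation takes effect.
        for g in reversed(self.grants):
            if (g.consumer, g.provider, g.operation) == (consumer, provider, operation):
                return g
        return None

    def status(self, consumer, provider, operation) -> str:
        """'allow', 'deny' or 'unknown' (user was never asked); does not count a use."""
        g = self._find(consumer, provider, operation)
        if g is None:
            return "unknown"
        if g.revoked or (g.expires is not None and self.today > g.expires):
            return "deny"
        return "allow"

    def use(self, consumer, provider, operation) -> bool:
        """Enforce a live request and count the use so the user can review activity later."""
        if self.status(consumer, provider, operation) != "allow":
            return False
        self._find(consumer, provider, operation).uses += 1
        return True

    def revoke(self, consumer, provider, operation) -> bool:
        g = self._find(consumer, provider, operation)
        if g is None or g.revoked:
            return False
        g.revoked = True
        return True


def social_default(me: PermissionLedger, friends: list[PermissionLedger],
                   consumer, provider, operation) -> str:
    """Return 'allow', 'deny' or 'ask'. My own decision always wins; otherwise the
    friends who have decided must agree, and disagreement (or no opinion) means 'ask'."""
    mine = me.status(consumer, provider, operation)
    if mine != "unknown":
        return mine
    votes = {f.status(consumer, provider, operation) for f in friends} - {"unknown"}
    return votes.pop() if len(votes) == 1 else "ask"
```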
Wednesday, July 18, 2007
At Mashup Camp today and tomorrow
Every mashup attempts to expand...
Proposed, half-seriously:
Every mashup attempts to expand until it can do social networking. Those that can't are replaced by those that can.
(With apologies to Jamie Zawinski.)
Tuesday, July 10, 2007
Implications of OpenID, and how it can help with phishing
Last month, Simon Willison gave a talk at Google (video, slides) which is a good intro and summary of the technical implications of OpenID. He makes a very important point: OpenID does outsource your security to a third party; so does sending a "forgot your password" email to an arbitrary email address. All of the attacks that work against OpenID also work against these emails.
So the implication is that the security policies that you currently have around "forgot your password" are a good starting point for thinking about OpenID security. Specifically phishing vulnerabilities and mitigations are likely to be similar. However, OpenID also changes the ecosystem by introducing a standard that other solutions can build on (such as Verisign's Seat Belt plugin).
OpenID really solves only one small problem -- proving that you own a URL. But by solving this problem in a standard, simple, deployable way, it provides a foundation for other solutions.
It doesn't solve the phishing problem. Some argue that it makes it worse by training users to follow links or forms from untrusted web sites to the form where they enter a password. My take: Relying on user education alone is not a solution. If you can reduce the number of places where a user actually needs to authenticate to something manageable, like say half a dozen per person, then we can leverage technical and social aids much more effectively than we do now. In this sense, OpenID offers opportunities as well as dangers. Of course, this would be true of any phishing solution.
Monday, July 9, 2007
Disorder, Delamination, David Weinberger
David Weinberger's presentation in Disorder: Feature or Bug? at Supernova 2007 was like watching a great rock singer deliver a passionate performance you just know is destined to be a classic. How good was it? The IRC channel went dead. That's the conference equivalent of everybody waving their lighters in the air. Um. Well, you just had to be there. I can't find a video. Anybody have a bootleg?
Anyway. David's now posted a new essay well worth reading, Delamination Now!. Also, well worth acting on. Money quote: "[T]he carriers are playing us like a violin."
Sunday, July 8, 2007
There she blows! (The Moby Dick Theory of Big Companies)
Having spent some time in the belly of the whale[1], I can testify that the decision making process of a large company is indeed a chaotic system even when seen from the inside. The variables that control decisions are very well hidden.
The Pmarca Guide to Startups, part 5: The Moby Dick theory of big companies
[1] In the same whale as pmarca in fact, though in a somewhat different location along the alimentary tract.
Saturday, July 7, 2007
35 views of social networking
35 Perspectives on Online Social Networking: One fewer view than Hokusai's Mt. Fuji series. Just as much diversity.
Friday, July 6, 2007
A FULL INTERACTIVE SHELL!
iPhone SERIAL HACKED, FULL INTERACTIVE SHELL:
IT GIVES YOU A FULL INTERACTIVE SHELL
I REPEAT, A FULL INTERACTIVE SHELL
Nice.
Thursday, July 5, 2007
Fireworks, Social Compacts, and Emergent Order
Yesterday the family went to see the 4th of July fireworks just outside the Google campus, in Charleston park. Great park, lots of friendly helpful people, the kid had a blast running in the water fountain, and he saw his first fireworks show. It was great!
Then, we left (quickly, to avoid the crowds) and immediately got snarled in traffic. Of course everyone was leaving at the same time so we expected it to be slow, but we were literally not moving for a quarter of an hour. After a while we figured out that we couldn't move because other cars kept joining the queue ahead of us from other parking lots. Around this time, other people started figuring this out too and started going through those same parking lots to jump ahead. This solution to the prisoner's dilemma took about 30 minutes to really begin to cascade: Everyone else began to drive through parking lots, under police tape, on the wrong side of the road, cutting ahead wherever they could to avoid being the sucker stuck at the end of the never-moving priority queue. (Full disclosure: I drove across a parking lot to get over to the main road where traffic was moving, but violated no traffic laws.)
I wonder how the results would have been different if the people involved could communicate efficiently instead of being trapped incommunicado in their cars. I bet every single car had at least one cell phone in it, many with GPS. Imagine an ad hoc network based on cell phones and GPS, communicating about traffic flow -- nothing more complicated than speed plus location and direction, and maybe a "don't head this way" alert. It'd be interesting to try.
Sunday, July 1, 2007
Theory P or theory D?
Which theory fits the evidence (Raganwald):
Theory P adherents believe that there are lies, damned lies, and software development estimates. ... Theory P adherents believe that the most important element of successful software development is learning.
Maybe I'm an extreme P adherent; I say that learning is everything in software development. The results of this learning are captured in code where possible, human minds where not. Absolutely everything else associated with software development can and will be automated away.
Finally:
To date, Theory P is the clear winner on the evidence, and it’s not even close. Like any reasonable theory, it explains what we have observed to date and makes predictions that are tested empirically every day.
Theory D, on the other hand, is the overwhelming winner in the marketplace, and again it’s not even close. The vast majority of software development projects are managed according to Theory D, with large, heavyweight investments in design and planning in advance, very little tolerance for deviation from the plan, and a belief that good planning can make up for poor execution by contributors.
Does Theory D reflect reality? From the perspective of effective software development, I do not believe so. However, from the perspective of organizational culture, theory D is reality, and you ignore it at your peril.
So this is a clear contradiction. Why is it that theory D is so successful (at replicating itself if nothing else) while theory P languishes (at replicating)? Perhaps D offers clear benefits to its adherents within large organizations -- status, power, large reporting trees... and thus P can't gain a foothold despite offering clear organization-level benefits.
But I suspect that it's simpler than that; I think that people simply don't really evaluate history or data objectively. Also, it may be difficult for people without the technical background to really grasp how difficult some problems are; past a certain level of functionality, it's all equally magic. The size of the team that accomplished a task then becomes a proxy for its level of difficulty, in the way that high prices become a proxy for the quality of a product in the marketplace for the majority of consumers. So small teams, by this measure, must not be accomplishing much, and if they do, it's a fluke that can be explained away in hindsight with a bit of work.
Somebody should do a dissertation on this...