Archive for April, 2009

File Under: Web Basics

Facebook Announces Support for OpenID Logins

What a day for Facebook.

The company has announced it is becoming an OpenID relying party, enabling users to log in to Facebook using an OpenID from any provider like MySpace, Google, Yahoo or AOL.

Facebook engineer Luke Shepard made the announcement at a developer event held at the company’s headquarters in Palo Alto on Monday. Earlier the same day, Facebook launched its new Open Streams API, a set of standards-based tools developers can use to incorporate users’ streams into third-party applications.

Shepard says Facebook will auto-detect if a user is logged in to any OpenID account when they arrive at Facebook.com. So, for example, if you’re already logged in to Gmail when you visit Facebook, you’ll be given the option to automatically log in to Facebook with one click. New users will also be able to quickly get started on Facebook by authenticating with OpenID.

This development comes less than three months after Facebook joined the board of the OpenID Foundation.

Does this mean an end to the “cold war” between Facebook Connect and OpenID? Maybe, but more importantly, it means there are fewer hurdles to the broad adoption of single sign-on technologies across the web.


File Under: Uncategorized

Facebook Cracks, Here Come the Apps

The Facebook stream is now wide open for developers.

The social networking site has launched its new Facebook Open Stream API, a set of tools developers can use to build apps that let users read, interact with and write to their Facebook stream. The company announced the arrival of the new API, which uses the emerging Activity Streams standard, in a blog post Monday morning.

Update: Also on Monday, the company announced it will soon offer support for OpenID logins.

The Facebook “stream” is the constantly updating river of news that displays what’s going on with you, your friends and whatever tidbits they’re talking about or sharing. Facebook defines the stream as “the core Facebook product experience.” That’s definitely been the case since last month, when the site changed its default page design to bring the stream front and center.

The Open Stream API gives developers access to that flood of real-time information, and not just to re-publish it elsewhere, but to publish to it and interact with it by leaving comments. Soon, we’ll see specially-built third-party apps for interacting with Facebook, much like FriendFeed and similar sites allow for other social networking services. These apps will be able to let users filter content to see only specific types of posts, comment on items and mark items as favorites. These apps will be able to access Facebook from the desktop, through the browser and via mobile devices.

The new API represents a significant step towards open data sharing on the web. Facebook was one of the great walled gardens — a massive social network of around 200 million active users that was closed off from the rest of the social web. Recently, however, the company has taken steps towards supporting social web standards like OpenID and opening user profiles to public web searches. With Monday’s development, a large chunk of Facebook data becomes as portable as the user chooses to allow it to be — a change we’ve been arguing in favor of for a long while.

It’s a huge win for the open web, and to see why, it’s helpful to study what’s going on behind the scenes.

The Rise of Activity Streams

Facebook’s new API uses the emerging Activity Streams standard. This standard, which MySpace has also taken steps to adopt, proposes a unified model for publishing social networking activities on the web. It standardizes the way sites represent a user’s activity by using an “actor,” “verb,” and “object-type” model: a common way of announcing an event like, “Tom posted a photo” or “Becky left a comment on this video.”

Defining standards for those elements lets any application publish a stream that can be easily read and filtered by other applications. It ensures all the syndicated data coming out of social applications is well-formed so those apps can all play together nicely.
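The actor/verb/object-type model described above, as an added example that is not Facebook’s Open Stream API code or the Activity Streams authors’ own: two fictional providers publish entries in the same shape, a consuming app merges them into one time-ordered stream, rejects malformed entries instead of guessing at them, and filters the result the way a third-party client would. Provider names, user names and entries are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Added example: models the actor / verb / object-type triple and a consumer that
# reads, merges and filters entries from several providers that share that shape.
# Provider names and feed entries below are constructed, not real data.

VERB_PHRASES = {"post": "posted", "comment": "left", "favorite": "favorited", "share": "shared"}
REQUIRED_FIELDS = ("actor", "verb", "object_type", "published")


@dataclass(frozen=True)
class Activity:
    provider: str                  # site that published the entry
    actor: str                     # who did it
    verb: str                      # what they did (a key of VERB_PHRASES)
    object_type: str               # what kind of thing it happened to
    published: str                 # ISO-8601 timestamp, used to merge streams
    target: Optional[str] = None   # optional context, e.g. the video a comment was left on

    def sentence(self) -> str:
        """Render the triple the way a feed reader would display it."""
        article = "an" if self.object_type[0] in "aeiou" else "a"
        text = f"{self.actor} {VERB_PHRASES[self.verb]} {article} {self.object_type}"
        if self.target:
            text += f" on {self.target}"
        return text


def parse_entry(provider: str, raw: Dict[str, str]) -> Activity:
    """Validate one raw entry; a malformed entry is rejected rather than patched up."""
    missing = [k for k in REQUIRED_FIELDS if not raw.get(k)]
    if missing:
        raise ValueError(f"{provider}: entry missing {missing}")
    if raw["verb"] not in VERB_PHRASES:
        raise ValueError(f"{provider}: unknown verb {raw['verb']!r}")
    return Activity(provider, raw["actor"], raw["verb"], raw["object_type"],
                    raw["published"], raw.get("target"))


def load_stream(feeds: Dict[str, Iterable[Dict[str, str]]]) -> Tuple[List[Activity], List[str]]:
    """Merge every provider's feed into one time-ordered stream; collect parse errors."""
    activities: List[Activity] = []
    errors: List[str] = []
    for provider, entries in feeds.items():
        for raw in entries:
            try:
                activities.append(parse_entry(provider, raw))
            except ValueError as exc:
                errors.append(str(exc))
    activities.sort(key=lambda a: a.published)
    return activities, errors


def filter_stream(stream: Iterable[Activity], verbs=None, object_types=None, actors=None) -> List[Activity]:
    """Keep entries matching every criterion given; None means 'do not filter on this'."""
    return [a for a in stream
            if (verbs is None or a.verb in verbs)
            and (object_types is None or a.object_type in object_types)
            and (actors is None or a.actor in actors)]


# Constructed feeds from two fictional providers; one entry is deliberately malformed.
SAMPLE_FEEDS = {
    "examplebook": [
        {"actor": "Tom", "verb": "post", "object_type": "photo", "published": "2009-04-27T10:00:00"},
        {"actor": "Becky", "verb": "comment", "object_type": "comment",
         "target": "this video", "published": "2009-04-27T10:05:00"},
        {"actor": "Eve", "verb": "post", "published": "2009-04-27T10:06:00"},   # no object_type
    ],
    "examplespace": [
        {"actor": "Ana", "verb": "favorite", "object_type": "song", "published": "2009-04-27T09:59:00"},
        {"actor": "Tom", "verb": "share", "object_type": "link", "published": "2009-04-27T10:10:00"},
    ],
}

if __name__ == "__main__":
    stream, errors = load_stream(SAMPLE_FEEDS)
    for activity in stream:
        print(f"[{activity.provider}] {activity.sentence()}")
    print("rejected:", errors)
    print("only Tom:", [a.sentence() for a in filter_stream(stream, actors={"Tom"})])
```

The validation step is what makes the "well-formed" promise in the paragraph above concrete: a consumer that silently fills in missing fields would render different providers differently again, so the example refuses the entry and reports it.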

Chris Messina, an advocate of open data standards on the web and one of the authors of Activity Streams, sees Monday’s announcement as a possible major development for the social web.

“What I hope it means,” he tells Webmonkey, “is that developers can focus more on creating compelling user experiences that make the most of the richness of activity data from all over the web — spending less time hard-coding support for individual providers. This should accelerate the rate of innovation, I think, by creating an incentive for publishers to publish activities in a standard format in order to benefit from these kinds of applications.”

Messina also notes that this is just the beginning for the standard.

“I think it’ll start simple, with services that probably look like the old Facebook, or like Friendfeed,” he predicts, “and over time expand to include experiences focused on certain types of activities… giving rise to a whole medley of applications that serve individual needs but that all make use of the same kind of data.”

For an interesting take on what Facebook’s next steps should be, check out Marshall Kirkpatrick’s essay at Read/Write Web titled “Despite New Openness, Facebook Remains Fundamentally Closed.” In it, Kirkpatrick argues that only by allowing persistent access to user stream data — a move that would require Facebook to rethink its privacy policies — will this API be as useful as other social tools on the web, such as those offered by Twitter.


File Under: Software & Tools

OAuth Security Exploit Tests Limits of Open Web Standards

Heads turned Wednesday when Twitter turned off its popular new authentication service, which uses the emerging OAuth web standard. The real story soon broke that someone exposed an OAuth security exploit that would let unauthorized users access a victim’s account using a phishing scheme.

The exploit was found on a bet during last week’s Foo Camp, a conference-like gathering for hackers put on by tech publisher O’Reilly at the company’s campus in California. One particular attendee decided he could find an exploit in OAuth.

“It’s just a new use case nobody thought of before,” said Eran Hammer-Lahav, OAuth’s designated community coordinator for this threat. “The initial response is: this is an authorization, not authentication. You shouldn’t use it for that, and I kept saying because I’m a big fan of the Twitter sign-in solution, ‘Well, show me an exploit.’”

Determined to find an exploit, the hacker (who prefers to remain unnamed due to the terms of his employment) targeted OAuth. The hacker found that if he started a request, then directed a victim to initiate the authorization form on his behalf from a bogus trap site, the victim would submit the login form and provide the hacker access to the victim’s data.

Hammer-Lahav wrote up a very detailed description of the exploit on his blog.

The exploit only affects new users of an application. If you’ve already authorized an application yourself, this exploit will not jeopardize your account.

OAuth’s official acknowledgement was released Thursday.

The good news is the exploit was found before it was used on any other use case than Twitter. The bad news is that once the exploit was discovered, OAuth experts realized other OAuth partners weren’t safe either. Because around 75% of OAuth adopters happened to be gathered at Foo Camp, the primary stakeholders were all able to agree on a course of action to minimize damage.

Minimizing damage, in this instance, means making it as hard as possible for an attacker to start an authorization and hand the resulting link to a victim. That means turning OAuth off entirely (à la Twitter), dramatically shortening the time allowed to complete an authorization, or putting up a warning on the authorization page that questions the source of the link (if the link did not come from the application itself).

In response to the exploit, Hammer-Lahav acknowledges the OAuth protocol will need to be revised. The new specification will not be backwards-compatible. Hammer-Lahav says this is the direction OAuth must take immediately.
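The exchange the article describes, as an added simulation that is not Twitter’s code or the write-up’s: an in-memory consumer (the app offering “sign in with the provider”) and service provider, run first in the shape the article describes as exposed, where a request token authorized by whoever was sent the link can be exchanged by whoever holds the token, and then with the provider handing the approving browser an unguessable verifier that must be presented at token exchange, which is the approach the revised specification (OAuth 1.0a) later took. URLs, session ids, user names and the `attacker_gets`/`own_login` trace functions are constructed for the example.

```python
import secrets
from typing import Dict, Optional

# Added simulation of the OAuth consumer / provider exchange; in-memory state only.
# The provider either issues a verifier to the approving browser (require_verifier=True)
# or does not, which is the difference between the exposed flow and the revised one.
# Host names, session ids and user names are constructed.


class Provider:
    """Service provider: issues request tokens and records who authorized each one."""

    def __init__(self, require_verifier: bool):
        self.require_verifier = require_verifier
        self.tokens: Dict[str, dict] = {}

    def issue_request_token(self) -> str:
        token = secrets.token_hex(8)
        self.tokens[token] = {"authorized_by": None, "verifier": None}
        return token

    def authorize(self, request_token: str, user: str) -> Dict[str, str]:
        """The user approves the authorization page in their own browser.
        Returns the parameters the provider redirects that browser back with."""
        record = self.tokens[request_token]
        record["authorized_by"] = user
        params = {"oauth_token": request_token}
        if self.require_verifier:
            record["verifier"] = secrets.token_hex(8)   # only the approving browser sees it
            params["oauth_verifier"] = record["verifier"]
        return params

    def exchange(self, request_token: str, verifier: Optional[str]) -> str:
        """Swap an authorized request token for the user it stands for (access token elided)."""
        record = self.tokens.get(request_token)
        if record is None or record["authorized_by"] is None:
            raise PermissionError("request token not authorized")
        if self.require_verifier and not (
                verifier and secrets.compare_digest(verifier, record["verifier"])):
            raise PermissionError("verifier missing or wrong")
        del self.tokens[request_token]   # request tokens are single use
        return record["authorized_by"]


class Consumer:
    """Consumer app; remembers one pending request token per browser session."""

    def __init__(self, provider: Provider):
        self.provider = provider
        self.pending: Dict[str, str] = {}

    def start_login(self, session_id: str) -> str:
        token = self.provider.issue_request_token()
        self.pending[session_id] = token
        return f"https://provider.example/authorize?oauth_token={token}"

    def finish_login(self, session_id: str, callback: Dict[str, str]) -> str:
        """Handle the callback; on success the session is logged in as the returned user."""
        token = callback.get("oauth_token", "")
        if self.pending.get(session_id) != token:
            raise PermissionError("callback token does not belong to this session")
        user = self.provider.exchange(token, callback.get("oauth_verifier"))
        del self.pending[session_id]
        return user


def attacker_gets(require_verifier: bool) -> Optional[str]:
    """The trace from the article: a login started in one session, the authorization
    page approved by someone else, then the login finished in the original session.
    Returns the identity that session ends up with, or None if the flow is refused."""
    provider = Provider(require_verifier)
    consumer = Consumer(provider)
    token = consumer.start_login("attacker-session").split("oauth_token=")[1]
    provider.authorize(token, "victim")   # the victim follows the link and approves
    try:                                  # the only thing known back here is the token
        return consumer.finish_login("attacker-session", {"oauth_token": token})
    except PermissionError:
        return None


def own_login(require_verifier: bool) -> str:
    """The honest flow: the same browser starts, approves and finishes the login."""
    provider = Provider(require_verifier)
    consumer = Consumer(provider)
    token = consumer.start_login("alice-session").split("oauth_token=")[1]
    callback = provider.authorize(token, "alice")   # redirect params land in alice's browser
    return consumer.finish_login("alice-session", callback)


if __name__ == "__main__":
    print("without verifier, that session becomes:", attacker_gets(False))
    print("with verifier, that session becomes:", attacker_gets(True))
    print("honest login still works:", own_login(True))
```

Note that the consumer’s own check (the callback token must match the one this session started) does not help here, because the session that started the flow is the one that finishes it; only the provider knows which browser approved the request, so it has to tie the approval to that browser, which is why the fix had to go into the protocol rather than into each consumer. The revised specification also moved the callback URL out of the authorization link and into the request-token step, so a crafted link cannot redirect the approving browser somewhere else.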

When asked whether this security exploit will hurt OAuth’s future, Hammer-Lahav thinks it will actually do the opposite.

“This has been a solution that has been reviewed for a year and a half now, and it has been reviewed by most well-known security experts and they just missed it. Nobody ever thought of this particular security exploit. There’s nothing to suggest that if you create your own proprietary platform, you’re not going to make the same mistake or a different one.”

“I think the way the community behaves around it and the way it was addressed will really show that, you know what, this is a mature community that can respond to this situation in a mature and effective way.”

There aren’t very many security methods that have escaped exploits. The lessons learned from this exploit actually provide a good indication of how OAuth can adapt to inescapable flaws. According to Hammer-Lahav, OAuth has taken away a lot from this situation.

“We need to look at how we handle this and do a post-mortem on this entire process — not now but in a few weeks — and come up with a process on how to deal with this. One of the things that we did not have was a list of providers that have OAuth so when there is an exploit you will be notified.”

There’s a lesson here for all open-community specifications. Proprietary communities have a fair amount of organization built in that isn’t available to groups without a governing body.

“Next time it happens to OAuth or OpenID or any community-driven specification, we actually have resources [to address the problem]. For us it was really hard to find those resources,” Hammer-Lahav says.

He also claims the usual security resources or organizations were not equipped to help OAuth. “They don’t really help you unless you’re a vendor or a software provider. But if you have a spec that’s broken, there isn’t really an infrastructure to deal with it.”


Why Linux Will Crush Windows 7 on Netbooks

The explosion of low cost netbooks has inspired Microsoft to release a new, cheap, stripped down version of Windows 7. The Windows 7 Starter Edition, as it will be known when Windows 7 arrives later this year, is designed to compete with Linux on netbooks, but it has a potentially deal-breaking restriction: you can only run three applications at a time.

Microsoft is apparently gambling that mainstream customers will prefer a crippled version of Windows to any version of Linux.

But consider this question: do you like listening to music while you browse the web, chat with friends and download some torrents? Well, pick three, because you won’t be doing all those things at once in Windows 7 Starter Edition. Mind you, it’s not that the netbook can’t handle the workload, it’s because Microsoft thinks netbooks should be crippled.

Of course there are some exceptions to the three-app rule. For example, terminal sessions, Windows Explorer, background processes and apps like task manager or desktop gadgets don’t count. Still, even if you can run a couple extra apps, three main applications is limiting and it shows how much Microsoft misunderstands the netbook’s appeal — netbooks are not crippled laptops, they’re laptops that are “good enough.”

Which is why Microsoft’s Starter edition strategy seems horribly misguided. Netbooks already suffer two big limitations — screen size and cramped keyboards. Why add a crippled operating system to the list?

ZDNet’s Ed Bott took a beta version of Starter Edition for a spin and reports that “when I used this system as a netbook, it worked just fine.”

However, Bott’s definition of a netbook seems to be the same as Microsoft’s: it’s a crippled notebook.

“If I tried to use this system as a conventional notebook, running multiple Microsoft Office or OpenOffice apps, playing music in iTunes or Windows Media Player, and using third-party IM programs,” Bott writes, “I would probably be incredibly frustrated with the limitations of Starter Edition.”

Clearly Bott (and Microsoft) view the netbook as a substandard way to work, but that doesn’t fit with my experiences on an EeePC where I am currently typing this post, listening to iTunes, downloading the latest version of Ubuntu via BitTorrent and both Photoshop and Lightroom are running in the background. It’s not the speediest laptop around, but it gets the job done.

Would I like my EeePC as much if it had a crippled version of Win 7? Of course not, I’d think of it as a crippled laptop.

While it remains to be seen how Windows 7 Starter Edition will fare with consumers, there is a potential winner here — Linux.

Linux versions of netbooks are already doing quite well and if Microsoft shoots itself in the foot by crippling its OS, the question becomes less about choosing between Windows and Linux and more about choosing between crippled and “just works.”


Slick New Ubuntu ‘Jaunty Jackalope’ Springs Onto Netbooks

The latest version of Ubuntu Linux is hot off the press and available for download. The new release, known as “Jaunty Jackalope,” continues Ubuntu’s slow but steady progression with a handful of slick new features, some welcome speed and stability improvements and a new “Netbook Remix” package optimized for the latest tiny laptops.

You can grab your copy of the free operating system from the Ubuntu downloads page. There are versions for desktop and server environments, the Netbook Remix, and versions for 32-bit and 64-bit hardware.

The Netbook Remix is a new addition to the Ubuntu family and offers a stripped down, user-friendly Linux that’s specially optimized for the small screens and limited hardware capabilities of netbooks. Ubuntu’s release notes claim the Netbook Remix will work with Asus’ EeePC 900, Acer’s Aspire One and Dell’s Mini 9 netbooks. However, while it took a little extra tinkering, I was able to get Ubuntu working on my EeePC 1000H as well. The result is a powerful, but simple interface that’s far snappier than competing options like Windows XP.

Overall, I’ve been pleased with Jaunty. To see what’s in store for users, we took the release candidate for a spin earlier this week. We found that none of the changes in Ubuntu 9.04 are earth-shattering, but the subtle changes add up to a nicer Linux experience that could go a long way toward winning the much-maligned OS some new fans.

Jaunty Jackalope’s most noticeable change to the user interface is its new notification system. It informs you when new e-mails arrive or friends want to chat, and it informs you of system changes like volume level and battery status. The alerts appear as translucent message windows that pop up, stay for a moment, then fade away — a bit like Growl on Mac OS X.

This represents a break from the traditional way of doing things under GNOME, the graphical desktop environment upon which Ubuntu Linux was designed. It shows an attempt by Canonical, the corporation that oversees the development and distribution of Ubuntu, to provide more useful notices and to do so within a slicker interface than what’s available. GNOME purists may not like Canonical’s decision to create its own system, but the results are quite nice. (Flash demo).

GNOME 2.26, Ubuntu’s default desktop, ships with some improved applications that are installed by default. There’s an improved version of the Evolution e-mail client, which now works much better in Microsoft Exchange environments, and an update to the Brasero app for burning CDs and DVDs.

The overall interface design has been improved, too. Especially enjoyable is the new Ubuntu theme, “New Wave,” which is a nice mash-up between the default Human theme and the dark theme that arrived in Ubuntu 8.10. The Ubuntu team has also made some nice interface tweaks to dialog boxes, loading bars and other UI gadgets that give Jaunty Jackalope a slicker look than earlier Ubuntu releases.

Under the hood, Jaunty brings an updated version of the Linux kernel as well as the latest version of the GNOME desktop. Work on these is ongoing, and each release sees reduced boot times and better overall performance.

Thanks to the new Linux kernel (version 2.6.28), Ubuntu now offers support for the Ext4 filesystem and includes a new wireless package that should help those using newer wi-fi cards. Ext4 isn’t the default choice for Ubuntu yet, but it does offer a number of advantages over its predecessor, including support for larger disks, better defragging tools and a speed boost. However, there are some reports of lost data with Ext4, so proceed with caution.

Also new to this version is experimental support for Eucalyptus, a set of technologies that can be used to deploy a web app server with an elastic block storage (EBS) system, much like Amazon’s EC2 service. Using Eucalyptus, developers can create their own private clouds for storing data and running web apps. The Eucalyptus code is only included in Ubuntu Server, but it’s open-source, so it can be downloaded by anyone.


File Under: Software & Tools

Firefox 3.0.9 Fixes Bugs, Not Much Else

An upgrade to Firefox 3 became available late Tuesday from the getfirefox.com website. Firefox 3.0.9 fixes some security and stability bugs.

Not much else to report on Firefox 3.

The next version of Firefox, version 3.5 (formerly 3.1), is a far more exciting release. It is currently in its third beta. A fourth beta is expected later this week or next, depending on the results of a wave of testing being held on April 24th. Firefox 3.5 contains speed upgrades to its JavaScript engine, nicknamed Tracemonkey, and some enhancements to tab management and private browsing. It is expected sometime this summer, after at least two upcoming release candidates.


File Under: Software & Tools

API Gives Developers Keys to Google Analytics

A long-awaited API to Google Analytics data finally became available to data-hungry developers Tuesday. The API gives developers access to the traffic statistics of their Analytics-enabled websites.

The API was one of Analytics’ most requested features. Clever developers will be able to download traffic data using home-built applications. SEO managers will be able to better track their website’s popularity. IT pros will be able to program monitors that track whether traffic spikes or drops suddenly.

Bundled with the release were third-party software applications utilizing the new API. Actual Metrics has developed an Android mobile application for checking your website stats on the fly. Desktop-Reporting has released a desktop application and desktop widget.

The API uses the Google Data API format. This is the same API protocol offered for Google Calendar, Finance and Webmaster Tools products. Documentation for utilizing the new API is available at Analytics’ code site.


Google’s O3D Opens Rift to the Web’s Third Dimension

Tired of staring through the Browser window and only seeing content in two dimensions? Google wants to take you back to the future by open-sourcing a new 3D web standard called O3D.

The technology automatically renders 3D environments through the browser. The result is a world that looks a lot like the beautifully drawn 3D panels of the 1993 hit video game Myst. The difference is that you can fly around the O3D environments much like in a 2009 flight simulator. Check out the video above for an example — also on a beach/island.

The technology utilizes your computer’s graphics hardware via an API built into a cross-platform browser plug-in. The content itself is in COLLADA format, a format generated by CAD programs such as Google’s own SketchUp. The 3D environment can be embedded and tweaked with extended JavaScript code. Interestingly, Google’s V8 JavaScript engine is embedded into the technology itself (V8 is also found in Google’s Chrome browser).

This isn’t Google’s first foray into a 3-dimensional web. Lively provided Second Life-like 3D chatrooms through the browser. The ill-fated product was discontinued after only four months.

It isn’t the web’s first 3D foray either. Those developing back in 1995 may remember VRML. The web standard was the first to play with mostly clunky and slowly-rendered 3D images. Somewhere around 1997, the technology was superseded by X3D. At the risk of angering some passionate X3D developers, that web standard didn’t really meet its potential either.

But hey, maybe the web is finally ready to be browsed like the 90′s special effect visualizations in movies trying to make this new thing called the internet look more enticing than what it really looks like: a caffeine-laden teenage nerd typing away at a computer. Although Google’s announcement proclaims Google Earth proves O3D’s relevance to the web, I think it’s a technology ripe for its inevitable destiny: making Lawnmower Man a (virtual) reality.


File Under: Web Basics

Google Makes It Easier to Search for ‘Me’

Try it out. Go to Google and search for “me.” If you’re logged in to Gmail or any other Google service, you’ll see a small link with your name on it — probably at the very bottom of the page.

Inside is an invitation to fill out your Google Profile. Tuesday, the company set up a new system to encourage users to add information about themselves to their public profiles.

The big question: Doesn’t Google know enough about me already?

Yes, probably. But the updated Profiles give you the opportunity to define what’s most important about you, and ultimately, how you’re represented in Google searches. You can add links to the other places you hang out online, like Twitter, Flickr, last.fm or Picasa. When somebody searches for your name, the information you plug in to your profile will help determine which bits of your online life are exposed first. It should also improve Google as a tool for people search overall.

[NB: Check out Ryan Singel's take on this development over at Wired's Epicenter blog. He raises some important points about privacy and the role of volunteered "person data" in Google's advertising model.]

As we mentioned previously, Google Profiles still aren’t using the rel="me" microformat. So, there’s little chance the new, beefed up profile is going to usurp any canonical URL you’ve already established on your own by manually adding rel="me" links to your main website and your various social networking profiles.
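How rel="me" links establish a canonical identity, as an added example that is not Google’s code: the parser below pulls rel="me" links out of a page and treats a claim as confirmed only when the other site links back with rel="me", which is the reciprocity that stops a profile from simply claiming someone else’s site. The pages and URLs are constructed and stand in for fetched documents.

```python
from html.parser import HTMLParser
from typing import Dict, Set, Tuple
from urllib.parse import urljoin, urlsplit, urlunsplit

# Added example: extracts rel="me" links from HTML and checks that each claimed
# identity links back, so only reciprocal claims count. Hosts and pages below are
# constructed; a real check would fetch each URL instead of reading a dict.


def normalize(url: str) -> str:
    """Case-fold scheme and host, drop fragment and trailing slash so URLs compare reliably."""
    parts = urlsplit(url)
    path = parts.path.rstrip("/")
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), path, parts.query, ""))


class RelMeParser(HTMLParser):
    """Collects absolute, normalized hrefs of <a> and <link> elements carrying rel="me"."""

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.links: Set[str] = set()

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link"):
            return
        attr = dict(attrs)
        rel = (attr.get("rel") or "").lower().split()   # rel is a space-separated token list
        href = attr.get("href")
        if "me" in rel and href:
            self.links.add(normalize(urljoin(self.base_url, href)))


def rel_me_links(url: str, html: str) -> Set[str]:
    parser = RelMeParser(url)
    parser.feed(html)
    return parser.links


def verify_identities(home_url: str, pages: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Split the home page's rel="me" claims into confirmed (reciprocal) and unconfirmed."""
    site = {normalize(u): h for u, h in pages.items()}
    home = normalize(home_url)
    claimed = rel_me_links(home, site[home])
    confirmed = {u for u in claimed if u in site and home in rel_me_links(u, site[u])}
    return confirmed, claimed - confirmed


# Constructed pages: two profiles link back, one does not, one link has no rel="me" at all.
PAGES = {
    "https://example.com/": """
        <html><head><link rel="me" href="https://twitter.example/alice"></head>
        <body>
          <a rel="me" href="https://flickr.example/people/alice">Flickr</a>
          <a rel="me" href="https://profiles.example/someone-else">Profile</a>
          <a href="https://news.example/">just a link</a>
        </body></html>""",
    "https://twitter.example/alice": '<a rel="me nofollow" href="https://example.com/">home</a>',
    "https://flickr.example/people/alice": '<link rel="me" href="https://example.com">',
    "https://profiles.example/someone-else": '<a href="https://example.com/">no rel="me" here</a>',
}

if __name__ == "__main__":
    confirmed, unconfirmed = verify_identities("https://example.com/", PAGES)
    print("confirmed:", sorted(confirmed))
    print("unconfirmed claims:", sorted(unconfirmed))
```

The unconfirmed set is the interesting one from a security standpoint: a one-way rel="me" link is just an assertion by whoever controls the linking page, and a search engine or identity service that honored it without the link back could be steered into attributing someone else’s site to that profile.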

Later, if and when Google does add a way for you to identify which sites you want to favor as representing “you” in a search, it’s likely the company will give you the option of using whatever site you want — yours, theirs, Facebook.

Then again, Google does write the rules about how it weighs semantic web data within its searches. So if the company begins to do anything untoward (like ignoring rel="me" entirely) be a good netizen and delete your profile, which you can do at any time with one click.

Meanwhile, users without their own canonical URL are now able to use their Google Profile as their online identity hub. They won’t have to rely on Facebook or LinkedIn or MySpace to decide the best way to represent them online.


File Under: Software & Tools

It’s Time to Rethink Browser-based Bookmarks


If your browser’s bookmarking feature disappeared tomorrow, would you miss it?

Bookmarks used to be an essential part of the web browser. But then came Google, which made it just as easy to search for a site as to bookmark it; and RSS, which brought our favorite sites to us, eliminating the need to visit them every day.

Thanks to sites like Delicious, our bookmarks were reborn as web-based collections, but the emphasis switched from storing URLs locally to sharing them with friends.

Sadly, the bookmarking tools in our browsers haven’t fully adapted to these changes, and as a result, many of us barely use browser bookmarks anymore. The “Awesome Bar” in Firefox, which uses a search-plus-bookmarks approach, deserves a mention, but remember that a large-ish minority of users don’t think it’s all that awesome. Chrome and IE8 both use similar, search-based methods to find the pages you want.

Jonathan DiCarlo, who works at Mozilla Labs, the experimental arm of Firefox, thinks that it’s time our browsers change how they handle bookmarks and make them useful again.

“Bookmarking was a great feature back in the days of the first web browsers,” writes DiCarlo, “but on the modern web it feels a bit creaky… bookmarks are no longer doing their job as well as they could be.”

But, before browsers overhaul their bookmark paradigms, it’s important to figure out what we’re doing with our bookmarks. DiCarlo has four basic use cases for how most of us are using bookmarks:

  1. The Todo List. “I want to look at this, but not right now.” Someone gave me a link to a cool video about robots, but I don’t want to watch it right now, because I’m in the middle of something. Or, there’s a web form I need to fill out, but I don’t have the information I need yet. I bookmark the page because there’s an action I want to take later.
  2. Sharing. I found a hilarious picture, or a news article that proves I was right in that argument we had a week ago. Either way, the value is in the sharing. I bookmark it so that later on I can give the link to others.
  3. Frequently Used. “I want to get back here fast.” The page where I view my bank account status, the central documentation page for the project I’m working on, or a hub from which I often start surfing. I bookmark it because I expect to return often and I want to get there fast.
  4. The Research Collection. “This fits right in to something I’m working on.” I’m a history teacher, preparing a lesson plan, and I’m collecting resources about World War 1. Or, I’m a political blogger, and I’m collecting links about all the ways my Least Favorite Politician has screwed things up. I bookmark pages because I want to add them to my growing collection of data on a certain topic.

We have one to add to the list — JavaScript bookmarklets. If our browser’s bookmarking features disappeared tomorrow the only thing we would miss are the bookmarklets for Instapaper, Delicious and others.

How do you use browser bookmarks? Could browsers make bookmarks useful again? If so how? Let us know what you think.

Photo by *spud*/Flickr
