Category Archives: Collaboration, Content, Community

Comment Systems Ask For Too Many Permissions

I’ve been paying close attention to the proliferation of blog commenting systems that enable authentication through third-party sites (mostly Twitter and Facebook, but there are others).

There are two competing tensions at work here: user convenience versus identity verification.

First, the site provider wants to make it as easy as possible for users to identify themselves. Third-party authentication enables users to authenticate through another site (like Twitter or Facebook) without having to fill out yet another form and establish a password at every site in the universe. If the site owner can make this process more convenient for me, it’s more likely that I’ll post comments.

But at the same time, site owners want to attach the comment to some real (or, at least virtual) identity. This is done to facilitate conversation, but it’s primarily an anti-spam and anti-troll tactic. And that’s totally reasonable.

The balance between user convenience and identity verification is struck by enabling the user to authenticate themselves through one or more third-party web sites that already store identity information for that user. But those third-party sites aren’t just identity-verification machines. They also are functional applications which store information on users’ social connection. When I authenticate on someone’s blog using Twitter or Facebook, I also have the option (but, importantly, not the requirement) to give that blog permissions to access my Twitter or Facebook account.

And therein lies the problem. Many blog comment systems are exposing users to security and privacy vulnerabilities because they are asking for too many permissions. Here’s a common example:

I nearly always attempt to log in via Twitter if I can, since I don’t trust Facebook (or its app developers) anymore. With a Twitter-enabled application, a developer has a few options in terms of what permissions you can request from the user: read tweets from the user’s timeline, see who you follow, follow new people, update your profile, and post tweets on your behalf.

None of these permissions are necessary to validate your identity to a blog comment system. There is no reason why Disqus should be allowed to edit my Twitter profile. The commenting system has no need to tweet on my behalf. And so on.

Since I worked on federated authentication initiatives at both eBay and Yahoo (and I was a consultant to Twitter on their developer portal rollout), I pay a lot of attention to this stuff. And I understand the technical implications of it pretty well. But I’m sure that most blog commenters do not. And judging by the number of VCs I follow on Twitter whose accounts have been turned into spambots, I am sure that even “sophisticated” users aren’t thinking this through.

That means it’s up to site providers and developers of commenting systems to protect their users. If you have a blog with a comment system that uses authentication through another site, you should check that system by logging in via Twitter and Facebook as a commenter to see what permissions your comment system requests. If it’s asking for any kind of write access to a user’s account, then it’s asking for too many permissions. This means that if a security vulnerability is discovered in your site in the future (and it will be!), you will be complicit in turning all of your users into social network spambots.

If your blog comment system doesn’t let you control the permissions it requests, you should dump that system and get one that does.

Federated authentication providers enable application developers to request granular permissions for a reason. Application developers must take advantage of that.

Our New Product: CodeLesson

CodeLesson LogoJust realized I haven’t made mention of our new product CodeLesson here yet (if you’re a Twitter or Facebook follower this will probably be old hat to you). CodeLesson is a place to take instructor-led online training courses. We’re doing technology courses today ’cause that’s mostly what we know, but later on we’ll be doing other types of courses and open up what we’re doing to anyone who wants to teach.

My wonderful wife Carole (who has a Master’s in education) is advising us, and our partner for this project is the indefatigable Ernie Hsiung, late of Yahoo and Ning, who has been working with us on some consulting projects in the last few months and is a really splendid chap.

We have several courses outlined on the site right now, two of which are taking place soon:

Web Programming with PHP (starts September 7). This is a very gentle introduction to Web programming for anyone with a good handle on HTML and CSS. It’s a twelve-week course which will be taught by me. The curriculum was also developed by me in cooperation with the University of Victoria (I’ve been teaching for them for a year now).

Introduction to Web Publishing with WordPress (starts September 20). This class is short (five weeks) and not super technical (no programming). The objective is to help you run your own Web site using the free, open-source WordPress content system. You start with a clean Web server and get all the information you need to set up, configure, work with and customize WordPress.

Online learning is a big deal in the US right now; with the University of California’s move to establish an all-online bachelor’s degree program, it’s safe to say that online learning is approaching a tipping point. But universities and private trade schools have a number of institutional barriers to producing consistently good online courses: they’re constrained by the calendar (they can’t vary the duration of a course because they’re on a semester/quarter schedule), they only teach what their professors happen to know, they innovate at the sluggish pace of a university bureaucracy, there’s a bias toward courses that will support the notion of an expensive campus and against courses that are practical and current, there’s no incentive or infrastructure for instructors to share course content, and a lot of departments and instructors just aren’t attuned to giving their curricula online (many of them actually perceive online learning as a threat). CodeLesson aims to fix those and many other problems by providing a net-native learning experience and eventually opening the experience up to anyone with the desire to teach and learn.

Are there online courses you’d like to take that we haven’t thought of yet? Do you have any questions about the format or content of an online course? Let me know in the comments!

Why Location-Based Systems Will Have No Effect On Crime

I’ve been watching the reaction to this service that uses the Foursquare API to tell the world when someone isn’t home, with the implication that criminals will be firing up their expensive laptops to go find people to rip off. This is nonsense, and it’s kind of surprising that it’s gotten so much attention. I’m not going to use the tired rationalization “must have been a slow news day,” but I’m thinking it.

I look at this site as a provocative and sensationalist art project (which, to my mind, is one of the best kinds of art project). At the same time, it is an extremely poor commentary on the relative safety of broadcasting your location, and I say this as someone who spent a couple of years reporting the news on a daily cop beat. The city I covered was pretty small and relatively crime-free, so property crime was kind of a big deal. As a result, I wrote stories and police blotter items on property crime frequently. After spending time with the Sergeant of Detectives at the local police station nearly every weekday, I learned a lot about how residential property crimes commonly happen and how the police investigate it.

First (and this is a pedantic point, I realize), it’s impossible for your home to be robbed. Robbery is something that happens to you, not your property; it is legally defined as “theft by force or fear”. If you’re not home, there can be no robbery, by definition. Burglary is what this site is really talking about.

Second, the site doesn’t provide “a list of all those empty homes out there,” as it purports to. It provides a list of check-ins that people have voluntarily made that say they’ve left home. It doesn’t say where “home” is. It also doesn’t say whether there’s someone else at home, or when the person will be back. It also has no way of knowing if the person checking in is telling the truth about any of this.

Third, this project implicitly misrepresents the statistical likelihood of being a victim of a major property crime, which for most Americans is close enough to zero to not be worth worrying about. If the creators of this site were really concerned about peoples’ safety, they’d create a site warning people who were about to get into cars or eat a bunch of transfat, since those things are far more likely to kill you than robbery in our society.

There are generally two kinds of people who break into residences: someone who lives in the neighborhood (a teenager, for example, or a disreputable acquaintance) or someone who is a little off (with substance abuse or mental health issues, for example). In any case, the vast majority of people who do these kinds of property crime are in poverty or close to it. They’re generally not computer whizzes (if they were, they’d probably have a job using their computer skills instead of breaking into houses).

Ultimately, if someone is going to burglarize your house, they either already know your habits (because they live down the block and see you leave the house for work every morning) or they can figure them out pretty easily. There’s a very simple way to see if someone is home or not — sit in a parked car and wait for someone to come out of their house, or pretend to go door to door selling magazines until someone doesn’t answer the door. Both of these techniques are very commonly used by burglars, and neither of them require the investment of a laptop and extensive knowledge of online social systems. These tactics also happen to be easy to defend against (lock your doors).

My solution, of course, to just never leave my house. It’s difficult to find the time to get out with all the time I spend here cleaning my extensive shotgun collection.

Crowdsourced document analysis and MP expenses

My former Yahoo! colleague Simon Willison is doing some amazing work setting up near-instant crowdsourced content analysis systems for government documents in the UK. He and his team are developing vital knowledge about what works and what doesn’t in these kinds of systems, and he’s shared it on his blog:

News-based crowdsourcing projects of this nature are both challenging and an enormous amount of fun. For the best chances of success, be sure to ask the right question, ensure user contributions are rewarded, expose as much data as possible and make the “next thing to review” behaviour as solid possible. I’m looking forward to the next opportunity to apply these lessons, although at this point I really hope it involves something other than MPs’ expenses.

Who is doing this kind of thing in the US, I wonder?

Link: Crowdsourced document analysis and MP expenses.

Because Russian Money is Clearly Worth Less, Somehow

Link: Russian Facebook Investor Adds Stake in Zynga –

Digital Sky Technologies, or D.S.T., an investment firm with offices in Moscow and London, is leading a group that is buying a $180 million stake in Zynga, a fast-growing San Francisco company whose online games, like FarmVille, Café World and Mafia Wars, are extremely popular on Facebook.

An unusual investment structure, by an unorthodox foreign investor, might shake up many of Silicon Valley’s traditional venture capital and private equity firms, which are losing out on another promising Internet opportunity.

If the Times reporters, Brad Stone and Claire Cain Miller, had bothered to talk to more than one Silicon Valley investors for this story, they would have learned that startups in the Facebook ecosystem are all but radioactive to Valley investors today. Of course Kleiner Perkins is going to say they’re an amazing company, etc., but if they didn’t pull the trigger on an investment, it means they didn’t like what they see (and Kleiner probably isn’t a terrific litmus test for investors

It’s definitely not the case that when an investor passes on an opportunity, that investor is  “losing out.” “Losing out” is the opposite of “winning”; DST hasn’t won yet. Do you feel like you’re “losing out” every time a bus passes you in the street because you could have been on it?

It’s also a little weird the way they characterize the investor in this deal. They raise the fright wig of Russians, criminals, and “unusual investment structures” without really going into what that means. If that’s the concern here, then why don’t you name the “criminal” investor until 18 paragraphs into the story?

How Not To Describe Your Platform

Link: PayPal Taps the Developer Community to Build Next-Gen Payment Apps

We haven’t actually released new APIs; what we have done is that we announced a set of APIs on November 3rd, which was our adaptive suite. Adaptive suite APIs include adaptive payments and adaptive accounts. Then we also announced our authentications and permissions API. What we had done at Innovate was to make those APIs exclusive — adaptive account, authentications and permissions, exclusive to the attendees of the conference. We did a full-on release for those APIs on November 3rd when we announced the platform. But we’ve had an overwhelming response from the community where people where saying, “You’re limiting us from actually using these APIs. Is there any ability for us to get these early on rather than to wait until 2010?” Based on the feedback, based on what people were looking for, we decided to open it up to everyone now, instead of sometime in 2010.

This quote is from Naveed Anwar of PayPal. It’s supposed to shed some light on the new PalPal platform. But I feel like I’ve been following the reboot of the PayPal platform for a month and a half now, and I’m still not sure I understand just how it’s supposed to help me. Apparently there is some conference that I was supposed to have attended? And if there are no new APIs, what has changed? Adaptive suite? What is that?

It’s not really possible to get the information you’d want from their web site, which at the moment is dominated by information about a new developer contest. (Developer contests are problematic on their own, as I’ve written about here previously.)

I’m really concerned that PayPal, like Yahoo and others, is going to miss a huge opportunity here by failing to articulate its vision in a straightforward way. (On second thought, screw the vision. Maybe just focus on saying what your products and services do on your web page first.)

Building the Virtual Academic Computer Lab

I’m taking a few computer science courses this year, partly for fun and partly to backfill some of my skills. I’m almost completely self-taught as a programmer, and while I’ve been coding in various capacities for nearly 20 years now, I have had almost no exposure to academic computer science and very little experience with the languages that are principally used for teaching these days (C++ and Java). So I’m learning both of those languages simultaneously to get them out of the way. (As I’ve mentioned here before, I’m also teaching an online introductory web development class for University of Victoria that starts next month, and taking these classes now is a way to get the teaching part of my brain working.)

Figuring out how to optimize the process whereby a developer starts using a given technology is a big part of my business, so I’m carefully studying the way that academic programs get student programmers going in a computer science course. As you might expect, there’s a lot to contend with, and even on a good day things are pretty messy. You’ve got ten different types of students coming in with at least three or four different types of computers and operating systems. Once you figure that out, you need to figure out how to get languages, tools, and database servers installed on your computer. The information technology management challenge is steep, and there’s a chicken-and-egg problem at work here: students can’t set up a development environment until they learn how to be developers, but they can’t learn how to be developers until they’ve set up a development environment.

When I was an undergrad starting in the mid-80s, most people had to go to the computer lab to get their work done. I had my own home computer to do school work and work-work on, but I was almost totally on my own when it came to figuring stuff out, and because there was no dial-up internet back then, I still found myself having to schlep into the computer lab and figure out XENIX to test and turn in assignments. That crummy logistical experience turned me off to the whole notion of academic computer science for many years.

The classes I’m taking this semester each devote a good week or two (out of an 18-week term) just to getting students ramped up. That means that almost 10% of the class is devoted to preliminaries. There is lot to do: you have to establish an identity on the college’s server, log in and figure out various unix commands and compiler options, as well as install a complete development environment on your own PC for development and testing. This kind of thing is not a challenge for a professional developer, and everybody should certainly learn how to do it, but a lot of the people in these classes are teenagers with little more than advanced browsing skills; it may not be the case that week 1 of Introduction to Programming is the right context for these kids doing this kind of activity. It can’t help their desire to learn to have to go through a couple of weeks of fiddling with command-line parameters to get stuff to work, and they can certainly figure out the details in a system administration class to be taken after they’ve gotten “hello, world” working.

It seems like this process could be significantly streamlined if schools would make a standard, pre-configured machine image available to students that they could then download and use for their classes. They could use something like the free VMWare Player product to put together an operating system and development environment that students could download for free. Virtualizing the development environment has other benefits to this as well — for example, if a student were experimenting and did something to mess up their computer, they could simply blow away the VM and re-download it. So not only would this make the first weeks of an undergraduate CS class go faster, it would also cut down on calls to the campus support desk, and probably save a bunch of money.

Lego Prohibits Use of Product in Spinal Tap DVD

Link: Lego Prohibits Use of Product in Spinal Tap DVD –

As final editing was being done on a concert DVD of the tour, which included footage from the video projected on stage, Lego declined to grant permission to use its figures, which are protected by copyright.“We love that our fans are so passionate and so creative with our products,” said Julie Stern, a spokeswoman for Lego Systems, the United States division of the Lego Group, a Danish company founded in the 1930s. “But it had some inappropriate language, and the tone wasn’t appropriate for our target audience of kids 6 to 12.”

Set aside for a moment the fact that Lego is being a copyright bully here, and legally, they don’t have a leg to stand on. What they’re doing is just bad branding. In their misguided attempt to protect their brand, Lego has completely lost sight of what their brand is actually all about. Is the Lego brand about protecting kids from heavy metal? Is it about only letting them do building projects that some corporation approves of? Of course not — when I buy my kids Lego instead of some talking Tinkerbell-branded crap, it’s because I want to help my kids be creative, even if what they come up with surprises me once in a while.

Plug-In Comment Systems Suck

I do a lot of commenting on other peoples’ blogs, so I pay a lot of attention to the user experience for comments. In the last year or so I’ve been noticing the rise of third-party plug-in comment systems such as Disqus and Intense Debate. I understand the value of these systems (single sign-on, presence, control over comment content and ability to subscribe to discussions), but I always had concerns about the cost (not in dollars, but in terms of loss of control and reliability).

I host WordPress on a server I own because I have this crazy notion that no individual or company should come between me and my printing press. Plug-in comment systems interfere with this by introducing a new point of failure into what should normally be a very straightforward process. Commenting isn’t complicated, but by using a pluggable remote system, you risk exposing your users to this:

(That 504 Gateway Time-out business is where Disqus was supposed to have been.)

There’s a larger trend at work here, the notion that a publishing system (or any software) is inoculated from gaps in its feature set because it happens to be modular/pluggable/hackable. This is one of the big lies of open source software (the reasoning is, if you don’t like the way it works, just roll your own). WordPress owns Intense Debate now; they should roll its feature set into the core WordPress product so I can host it myself and don’t have to rely on some disinterested third party to keep the otherwise very simple process of storing and displaying blog comments working.