October 1, 2008
@ 04:22 PM

Werner Vogels, CTO of Amazon, writes in his blog post Expanding the Cloud: Microsoft Windows Server on Amazon EC2 that

With today's announcement that Microsoft Windows Server is available on Amazon EC2 we can now run the majority of popular software systems in the cloud. Windows Server ranked very high on the list of requests by customers so we are happy that we will be able to provide this.

One particular area that customers have been asking for Amazon EC2 with Windows Server was for Windows Media transcoding and streaming. There is a range of excellent codecs available for Windows Media and there is a large amount of legacy content in those formats. In past weeks I met with a number of folks from the entertainment industry and often their first question was: when can we run on windows?

There are many different reasons why customers have requested Windows Server; for example many customers want to run ASP.NET websites using Internet Information Server and use Microsoft SQL Server as their database. Amazon EC2 running Windows Server enables this scenario for building scalable websites. In addition, several customers would like to maintain a global single Windows-based desktop environment using Microsoft Remote Desktop, and Amazon EC2 is a scalable and dependable platform on which to do so.

This is great news. I'm starting a month long vacation as a precursor to my paternity leave since the baby is due next week and was looking to do some long overdue hacking in-between burping the baby and changing diapers. My choices were

  • Facebook platform app
  • Google App Engine app
  • EC2/S3/EBS app

The problem with Amazon was the need to use Linux which I haven't seriously messed with since my college days running SuSe. If I could use Windows Server and ASP.NET while still learning the nuances of EC2/S3/EBS that would be quite sweet.

I wonder how who I need to holler at to get in the Windows Server on EC2 beta? Maybe Derek can hook me up. Hmmmmm.

Note Now Playing: Lil Wayne - Best Rapper Alive [Explicit] Note


Categories: Platforms | Web Development

I'm sure y'all have seen this link floating around the Internet's already but I wanted to have this here for posterity. Below is an excerpt from a 1999 article in the New York Times by Steven Holmes titled Fannie Mae Eases Credit To Aid Mortgage Lending 

In a move that could help increase home ownership rates among minorities and low-income consumers, the Fannie Mae Corporation is easing the credit requirements on loans that it will purchase from banks and other lenders.

The action, which will begin as a pilot program involving 24 banks in 15 markets -- including the New York metropolitan region -- will encourage those banks to extend home mortgages to individuals whose credit is generally not good enough to qualify for conventional loans. Fannie Mae officials say they hope to make it a nationwide program by next spring.

Fannie Mae, the nation's biggest underwriter of home mortgages, has been under increasing pressure from the Clinton Administration to expand mortgage loans among low and moderate income people and felt pressure from stock holders to maintain its phenomenal growth in profits.

In moving, even tentatively, into this new area of lending, Fannie Mae is taking on significantly more risk, which may not pose any difficulties during flush economic times. But the government-subsidized corporation may run into trouble in an economic downturn, prompting a government rescue similar to that of the savings and loan industry in the 1980's.

''From the perspective of many people, including me, this is another thrift industry growing up around us,'' said Peter Wallison a resident fellow at the American Enterprise Institute. ''If they fail, the government will have to step up and bail them out the way it stepped up and bailed out the thrift industry.''

Although the article is particularly prescient there is one thing it didn't predict, which is how much this risk of failure would be compounded while remaining hidden due to the rise of Mortgage Backed Securities. Still, it is definitely interesting reading to see that someone called the current clusterfuck as far back as 1999.

Way to go Clinton administration, as always the road to hell was paved with good intentions.

Note Now Playing: Young Jeezy - The Recession (Intro) Note


Categories: Current Affairs

September 28, 2008
@ 09:51 PM

I'm in the market for a new phone and I've been considering getting an iPhone 3G to replace my AT&T Tilt (aka HTC Kaiser). The Tilt is a great PDA (thanks to Windows Mobile 6) and I love the slide out QWERTY keyboard. My main problems with it are the relatively huge physical size, small amount of storage space and needing two hands if I want to send email or text messages.

Although I've recently seen a lot of hype around Google's Android operating system and T-Mobile G1 (aka the HTC Dream), I haven't had any interest in it since it has no support for integrating with Microsoft Exchange which is the only reason I want a smart phone in the first place. However I have found it interesting that a lot of recent blog posts about the iPhone are about how it is in a weak position against Android because Google's open approach will trump Apple's closed approach with regards to their developer platform.

A typical example of this trend in iPhone coverage is Antionio Cangiano's blog post entitled Don't Alienate Developers which is excerpted below

Apple, a company that is generally considered far from “sinister” or “evil”, on the other hand, is trying their best to alienate developers.

Their first idiotic move was to place an NDA on a finished product like the iPhone SDK (including the final version).

Apple then decided that it was a good idea to charge people for the privilege to develop for the iPhone: $99

These were two blatant mistakes, but, if you can believe it, Apple managed to alienate developers further still. A few thousand people put up with the NDA on the SDK, with the cost of the Standard Program, and with the lengthy and bureaucratic process it takes to access the only viable distribution channel, the iPhone App Store. Some of them spent months trying to create excellent, innovative applications for the iPhone, only to see their work rejected for no good reason other than that it competed with Apple’s own products (e.g. Podcaster) or was inconvenient for their business partner AT&T (e.g. NetShare).

I fail to see Apple’s usual business insight and only see blind greed, the kind that acts as a highly effective cautionary tale against developing for Apple’s platforms. This all comes at a time when Google is promoting a truly open platform, Android, which poses a few challenges due to the heterogeneous nature of the devices it will be deployed on, but is equally interesting from a technical standpoint. Google even went so far as to award ten million dollars in prize money through a contest that they held, to attract new developers and applications. Android is definitely welcoming new developers and it’s doing so free from glaring restrictions and limitations. I suspect that many will put up with Java, to get a cup of freedom.

This kind of thinking is particularly naive because it fails to consider why developers adopt platforms in the first place. Developers go where the users are. Users go where they can get the best user experience for the right price. Openness of the platform only helps if it improves the user experience, thus attracting more users and reinforcing the virtuous cycle.

Rory Blyth recently a very insightful which compared to "open" approach taken with the Windows Mobile developer ecosystem with the "closed" approach of Apple's iPhone ecosystem. In his post entitled iPhone vs. Windows Mobile - Apple vs. Microsoft - It's the Little Things Rory wrote

Here, from what I've learned, is how iPhone and Windows Mobile rate against these criteria.

---- Windows Mobile

  • My access to your money: If you have a WM device, you probably have money. Even with carrier "discounts" they're not cheap. If you know what to get, it's worth the moolah, and you'll take advantage of what your chosen device has to offer by downloading apps that make use of it. This is as easy as:
    1. Trying to figure out where the big app stores are. There are a few, and they don't all support Windows Mobile, nor do they all have apps that will run on whatever version of WM you've got. It can be frustrating because Microsoft's practice of renaming products and slapping weird version numbers on things that are meaningless without context can easily leave you wondering what version of Windows Mobile you have (and wondering if what you've got is  the same as/compatible with PocketPC, WinCE, PPC, etc.).
    2. If not big stores, then searching the small independents where devs post their stuff on sites that look like they were made with a beta release of the first version of FrontPage.
    3. When you find an app, you go through whatever arbitrary transaction process the store/dev is using. This might mean creating an account with a site you'll never return to, handing your credit card info over to an independent whose trustworthiness is unknown, or even going through PayPal and then having to wait for the dev to check his email and manually respond with a serial number (or whatever).
    4. Run the app on your desktop which will kick off ActiveSync's install bits that install stuff on your PC in addition to the device.
    5. After clicking "Yes" or "I think so" or "Sure" on a few dialog boxes that pop up on the desktop and on the device, a CAB file is opened on the device and a local installer runs. This can mean more dialog boxes, and it can also mean having to make choices about things you don't understand (many users aren't going to comprehend the impact/difference between installing to the device's memory or to an expansion card).
    6. Run the app! Easy as 1-2-3-4-5-6!

  • App distribution options and ease of install for the customer: As you may have figured out from my "Easy as 1-2-3-4-5-6!" list above, finding, buying, and installing apps on WM devices has always been a pain in the ass. Going back to my first PocketPC (the first iPaq (the 3630)), I wondered why I needed ActiveSync just to install some stupid little app. ActiveSync makes sense if, say, I'm syncing something with the desktop like mail or calendar data, but it doesn't make sense if I'm installing Super Solitaire 5000 Deluxe Color Edition. Where do you sell your app? How do you get the word out? I haven't looked into it for a while because it frustrated me so much in the past. I'm going to take a look again, and, because I plan to target one specific platform for my app, I also plan to develop for others. In the case of Windows Mobile, I'm hoping Microsoft copies Apple's model.

    ---- Apple's iPhone

  • App distribution options and ease of install for the customer: Apple users have been bitching about using iTunes to install iPhone software. If they had any idea what it's like with other platforms, they'd shut it. While iTunes as an app store feels wrong and stupid and lame and stupid to me, at least iTunes is an app everybody has nowadays (aight - not everybody, but many, and that's good enough). Not that it matters much - with the introduction of Apple's App Store, you can browse apps on your phone, pay for, and install them without having to do some stupid syncing thing. You could be out at a bar where Jolene Blalock is hitting on you, and without having to run home to your iMac, you can buy, install, and run a crossword game before you've even had the chance to realize you've just made the biggest mistake in your life by ignoring her. And when you do realize it, and you see Jolene running off with another man, at least you'll have your crossword puzzles.
  • This is just one example of how a "closed" approach where a vendor supplies the entire end-to-end user experience provides a superior experience to an "open" approach where the vendor leaves it up to other developers to fill in the gaps. Apple's approach seems to be working well for developers some of whom are making hundreds of thousands of dollars a month thanks to how good of a job Apple has done in making it easy for users to find, purchase and install applications on their iPhones.

    The key thing Apple has brought to the table is building a user experience that its customers love to use instead of one that they merely tolerate. Getting this right is way more important than the "openness" of the ecosystem. Customers and developers can put up with a closed ecosystem that limits choice as long as it improves the quality of the user experience. Where Google Android has to shine is in building a better user experience for the same price or a comparable experience at a lower price. Everything else is just noise.

    Don't take my word for it, here's what the John Wang of HTC [Chief Marketing Officer of the company that is shipping the first Google Android phone] has to say about the topic in an article from Digitimes

    Some believe the success of Android handsets will rely on their open source platform. However, this is not true since Linux-based handsets have already been on the market for a while, Wang argued.

    The key element is innovation, said Wang, noting that the T-Mobile G1 is being rolled by combining Google's Internet services, HTC's proven capability in smartphone manufacturing, and T-Mobile's telecom network resources.

    Apple is definitely ticking off developers but until another vendor shows up with a phone whose hardware and software provides a better experience for customers then it will continue to get the lions share of attention from top mobile developers.

    Note Now Playing: T.I. - Whatever You Like Note

    Categories: Platforms

    jQuery is an Open Source Javascript framework that is very popular among Web developers. John Resig, lead developer of the project has a blog post with some interesting news with regards to Microsoft and jQuery where he writes

    Microsoft is looking to make jQuery part of their official development platform. Their JavaScript offering today includes the ASP.NET Ajax Framework and they’re looking to expand it with the use of jQuery. This means that jQuery will be distributed with Visual Studio (which will include jQuery intellisense, snippets, examples, and documentation).

    Additionally Microsoft will be developing additional controls, or widgets, to run on top of jQuery that will be easily deployable within your .NET applications. jQuery helpers will also be included in the server-side portion of .NET development (in addition to the existing helpers) providing complementary functions to existing ASP.NET AJAX capabilities.

    John's announcement has been followed up by a blog post from Scott Guthrie, corporate vice president of the .NET developer division at Microsoft, entitled jQuery and Microsoft where he writes

    I'm excited today to announce that Microsoft will be shipping jQuery with Visual Studio going forward.  We will distribute the jQuery JavaScript library as-is, and will not be forking or changing the source from the main jQuery branch.  The files will continue to use and ship under the existing jQuery MIT license.

    We will also distribute intellisense-annotated versions that provide great Visual Studio intellisense and help-integration at design-time.  For example:

    and with a chained command:

    The jQuery intellisense annotation support will be available as a free web-download in a few weeks (and will work great with VS 2008 SP1 and the free Visual Web Developer 2008 Express SP1).  The new ASP.NET MVC download will also distribute it, and add the jQuery library by default to all new projects.

    We will also extend Microsoft product support to jQuery beginning later this year, which will enable developers and enterprises to call and open jQuery support cases 24x7 with Microsoft PSS.

    This is great news for Web developers everywhere. Kudos to everyone involved in making this happen.

    Note Now Playing: T.I. - Swagga Like Us (Ft. Kanye West, Jay Z & Lil Wayne) Note 


    A few days ago, Omar Shahine wrote about the new features of Windows Live Calendar in a post entitled Windows Live Calendar gets To Dos where he writes

    At long last, we have shipped To Dos. It’s been a long time since I worked on Windows Live Calendar and we were talking about building To Dos. The best part about To Dos is that they work with Shared Calendars. In other words, if you and your spouse have a “Family Calendar” you can now create and manage a shared task list… something Google Calendar still doesn’t have.

    With the new release of Windows Live Calendar and the new Beta releases of the Windows Live Suite there is a ton of great end to end Calendar functionality.

    1. Outlook Connector to sync all your Windows Live Calendars to Outlook, including your Birthday Calendar for all your Contacts.
    2. Windows Live Mail now with Calendar Sync will also sync all your Windows Live Calendars
    3. Shared Calendars that you can create, share and manage with other Windows Live Users
    4. Calendar Subscriptions to public internet calendars that you can subscribe and sync to all the products above.

    And of course now To Dos. Dare should be happy about this. He’ll need it when the baby comes :-).

    One thing has been frustrating me for months is that there was no easy way to incorporate shared calendaring into my wife and I's workflow even though we both used calendaring products from Microsoft. Typically my wife would add an item to her calendar (in Windows Calendar) and then have to literally tell me about the appointment at which point I'd either enter it into my Windows Mobile phone which would synchronize it with Outlook + Exchange or I'd fire up my laptop and enter it directly into Outlook. The big problem with this "approach" is when she tells me about something and I don't immediately enter it into my phone (e.g. when i don't want to be inappropriate at our midwife appointments) in which case I forget and end up being late or missing shared appointments.

    This has all changed with the usage of two free products from Microsoft. The first is the newest version of Windows Live Mail (Wave 3 beta) which now has a built in calendar with synchronizes with Windows Live Calendar which my wife now uses. The second is Microsoft Office Outlook Connector which allows you to synchronize email with Windows Live Hotmail and calendars from Windows Live Calendar directly into Outlook which I use at work.

    Besides installing both pieces of software the only setup step needed was for my wife to share her calendar with me from Windows Live Calendar. Now that my wife has begun her maternity leave in preparation for the birth of our son, I'm glad I can fire up Outlook and see what's going on with her during my work day. For example, looking in my Outlook calendar for tomorrow shows an appointment I'd almost forgotten

    That would have been embarrassing. Smile

    Now Playing: Stevie Wonder - I Was Made To Love Her


    Categories: Windows Live

    September 22, 2008
    @ 03:20 PM

    Someone at Microsoft forwarded me a link to danah boyd's announcement, I will be joining Microsoft Research in January where she writes

    Guess who has a post-dissertation job? [Yes, that implies I'm actually going to finish this *#$@! dissertation.] ::bounce:: In January, I will be joining the newly minted Microsoft Research New England in Boston, MA. w00000t!!!!! I couldn't be more ecstatic.

    It all began with Dopplr. Linda Stone noticed that I was swinging through Seattle and she called me up and told me that I had to do dinner with her. Linda's plots are always tremendous so of course I said yes. When I arrived, she introduced me to Jennifer Chayes and Christian Borgs, the physicists who were starting the new MSR lab. Jennifer immediately began interrogating me about my research and about social science more broadly. To say Jennifer & I clicked is a bit of an understatement. Like me, Jennifer is loud, crazy, and intense. We got along like peas in a pod and spent the night chattering away. When she told me that I should come work for her, I laughed it off and didn't think much about it. But I couldn't stop thinking about it.

    Jennifer and Christian's vision for the lab aligned with my view of research. They believe in interdisciplinary work, believe in the ways that new ideas can come from unexpected collaborations. While I know a lot of social scientists who curl their nose at the idea of a lab full of physicists, mathematicians, and economists, I find that quite appealing. I love the idea of such a diverse group thinking about how the world works from different angles. Plus, meeting the folks at the new lab - Henry Cohn, Yael Kalai, Adam Kalai, and Butler Lampson - only made me more intrigued by it. Everyone was so ridiculously nice and even though we didn't work on the same problems we found funny intersections.

    The more that I talked with folks at MSR, the more I fell in love with the possibility of going there. And then I started meeting with execs and realized that what MSR researchers were telling me fit with broader strategy. I met with Rick Rashid, the head of MSR, who explained why he started MSR and how he saw it fit into the company. I met with Ray Ozzie (who I've known and adored for quite some time) and he confirmed the importance of research for the future of Microsoft. Both of them made me feel fully confident that my approach to research would not only be tolerated but welcomed. Plus, there's a broad desire to understand the intersections between computing and all things social which is straight up my alley.

    Congratulations to danah, I've always loved her research and I'm glad to see that she will continue contributing to the industry as a part of Microsoft Research. She is one of the few people out there doing real research into how social software is changing the lives of people on the Web and I'm glad Microsoft can be a part of that effort.

    Besides her research papers, danah also have some interesting insights into the current goings on in the world of social networking sites like her post Facebook and Techcrunch: the costs of technological determinism and configuring users on Facebook's continued determination to delete user accounts that don't conform to the company's beliefs about how the site should be used. Her post knol: content w/out context, collaboration, capital, or coruscation which points out some of the shortcomings of Google's Knol when compared to Wikipedia is also another great recent post of note.

    Good luck with the new job, danah.

    Now Playing: Rascal Flatts - My Wish


    Darren Neimke a post entitled The “What’s New” feature in Live Messenger where he gives some feedback on a new feature of Windows Live Messenger which shows updates from the user's social network at the bottom of the Messenger window in a slideshow/carousel. Although I don't work on the Windows Live Messenger team, I did work on the platform that powers this feature and I am intimately familiar with how it works. So here are his questions and my answers


    The new beta for Windows Live Messenger has given us an interesting new featured called “What’s new” which displays updates from your friends at the bottom of the Messenger application.  As you can see from the promotional image for this feature, it displays Who, What, and When information from your friends updates.

    I really like the idea behind this feature and watching “What’s new” updates has already led me to information that I might previously have missed.  I would say that in the current beta, some parts appear not to be working correctly.

    I'm glad to see that bringing activity streams down to the desktop client has led Darren to find out information about his social network that he would have otherwise missed. Serendipitous discovery is what this feature is about and its great to see people getting value out of it within the first few days of using the feature.

    Since this is a beta some features may not seem to work correctly either because we haven't gotten around to implementing them or because we would like user feedback on how people expect the features to work.

    The actual feature as it is installed on my machine does not seem to display the “When” part of the information as you can see from the following image:


    Actually the "When" part of the activity is available in the beta. By default the "What's New" carousel is in collapsed mode but you can expand it by clicking on the divider that separates the "What's New" carousel from the contact list as shown below.

    STEP 1: Hover over divider

    STEP 2: Click to expand


    As you can see from the screenshot above, the expanded view takes a lot of real estate from the contact list which is why the default is the collapsed mode. We did have some concerns that users wouldn't discover that they could expand the carousel which seems to have been borne out by Darren's assumption that the feature wasn't there.

    Another issue with the status update shown above is that the link that is displayed does not take me to the post that Jamie commented on.  Instead, it takes me to Jamie’s profile page.  Probably not what I’d be interested in seeing here as I’d be much more interested in reading the post and the comment that Jamie made.

    Another feature which doesn’t appear to have been implemented as yet is a “Post a note” link.  Currently this appears as a non-clickable piece of text.


    The fact that various links don't work in the "What's New" is a known issue. You can expect that these links should work in subsequent releases.

    I haven’t really seen much discussion or documentation about the “What’s new” feature as yet to see what events get added and whether there is an SDK behind all of this. 

    I’m interested in seeing where this feature goes as it appears to have a lot of promise.  Overall, I think that the current UX is lacking in some way – most popular applications that display feeds tend to show more than just a single entry.  I’m also wondering whether it would make sense to see some sort of provider model that would allow me to publish updates into the feed somehow.

    Jamie Thomson has a blog post on the new notification types in the What's New feed where he references the original list from Rob Dolin who's actually responsible for PMing the content of the feed. There are also comments from other Windows Live users discussing the kind of updates they've seen in the feed thus far. I assume Rob is waiting until Wave 3 is final before writing a post on the various update types that show up in the feed. However it should be noted that part of the platform work our team did in this release was to make the process of adding new update types to the feed easier. Thus even if Rob Dolin does post a list of the current update types in the What's New feed, that list could change in a matter of days, weeks or months. 

    I've thought a little bit about what a public API for interacting with the What's New feed should be like but I'm currently not sold on whether we should have one and if so what capabilities it should expose. I'd be interested in hearing more from people who would be interested in such an SDK.

    Now Playing: The Game - Money


    Categories: Windows Live

    I have this dream that one day we will see true interoperability between social networking sites potentially powered by OpenID. As part of trying to make this dream a reality I've been reading a lot about the pros and cons of implementing OpenID since a shared identity system is the cornerstone of any hope of getting interoperability to work across social networking sites. Here are some of the things I've learned.

    The Problems OpenID Solves for Web Developers

    There are two ways to approach using OpenID on your Web site.  The first way is to treat OpenID as a way to delegate user authentication on your site to another service. This means that you rely on someone else to authenticate (i.e. sign-in/log-in) the user and take their word for it that the user is who he/she claims to be. Some sites use this as the sole means of authenticating users (e.g. StackOverflow) while others give users the choice of either creating an account on the site or using an OpenID provider (e.g. SourceForge). The assumption behind this view of OpenID is that asking users to create yet another username/password combo for your site is a barrier to adoption and using OpenID removes this barrier. However this assumption is only correct if the OpenID sign-in process is easier for users than registering a new account on your site.

    The second approach is to use OpenID as a way to give users of other Web sites access to features of your site that are traditionally only available to your users. For example, Google's Blogger has an option to enable anyone with an OpenID to comment on your blog. However Blogger does not allow you to login with OpenID instead you must have a valid Google account to create a blog on their service. In this scenario, the assumption is that asking users to create yet another username/password combo just to leave a comment on a blog or use some other feature of the site is too high of a barrier to entry but that same barrier to entry is acceptable for people who want to become full users of the site.

    It should be noted that the second approach is actually why OpenID was originally invented but scope creep has made it become a popular choice as a single sign-in solution. 

    The Ideal OpenID User Experience

    As a Web developer, the main problem OpenID is supposed to solve for you is that it reduces the barrier to using your service. This means that if redirecting a user to an OpenID provider to be authenticated and then having them redirect the user back to your site is more complicated than a new user account creation flow you could build on your site then using OpenID will cost you users. The ideal OpenID user experience should be

    1. Your log-in page gives the user a choice of OpenID providers to use to sign in
    2. The user selects their OpenID provider from a list or enters their OpenID provider information
    3. The user is redirected to a log-in page on the provider's site
    4. User enters their credentials
    5. The user is redirected back to your site and is now logged in

    Even in this ideal flow, there is a chance you will lose users since you have distracted them from their task of using your site by directing them to another site. The assumption here is that the redirect->sign-in->redirect flow is less cumbersome than asking new users to pick a unique username and password as well as asking them to solve a Human Interactive Proof or CAPTCHA. This sounds like a fair tradeoff although I'm not aware of any published research results that back up this assumption.

    However if the OpenID sign-in flow is any more complicated than the above steps then the risk of losing users increases significantly. Here is an example of how OpenID can cost you users taken from a post by Ned Batchelder entitled OpenID is too hard 

    Earlier this week I visited yet another site that encouraged me to get an OpenID, and I decided I would finally cross OpenID off my list of technologies I should at least understand and probably use.

    The simplest way to use OpenID is to pick a provider like Yahoo, go to their OpenID page, and enable your Yahoo account to be an OpenID. This in itself was a little complicated, because when I was done, I got to a page that showed me my "OpenID identifiers", which had one item in it:


    What!? What is that, what do I do with it? Am I supposed to paste that into OpenID fields on other sites? Are you kidding me? Also, in the text on that page is a stern warning:

    This step is completely optional. After you choose an identifier, you cannot edit or delete it.

    (Emphasis theirs). So now I have a mystifying string of junk, with a big warning all over it that I can't go back. "This step" claims it's optional, but I seem to have already done it! Now I'm afraid, and I'm a technical person — you expect my wife to do this?

    How many users do you think start this process and complete it successfully? Now how many of these users would have been lost if the site in question had replaced their OpenID usage with a lightweight account creation process similar to that used by reddit.com which only requires username/password and solving a CAPTCHA?

    This is food for thought when comparing the costs and benefits of adopting OpenID.

    The Risks of Using OpenID

    There are lots of commonly voiced criticisms about OpenID, a number of which are captured in the blog post entitled The problem(s) with OpenID by Stefan brands. A few of the complaints are only interesting if you are a hardcore identity geek while others are of general interest to any Web developer considering adopting OpenID. Some of the key criticisms include

    • Susceptibility to Phishing: The argument here is that the growing popularity of OpenID will train users into thinking that it is OK to enter their credentials on a "trusted site" after following a link from another Web site. However given that this is how phishing works it is also training users to be more susceptible to phishing since any random site can now claim to be powered by OpenID when in truth it redirects people to http://www.example.com/phishingattempt/yahoo.com/login or some similarly malicious URL.

      Given that we live in a world where worse practice of Please Give Us Your Email Password is now commonplace and the best solution people have come up with for dealing with it (OAuth) also utilizes browser-based redirection, I'm not sure this is a fair criticism against OpenID.

    • Identity Providers May Be Lax about Validating Users: When you outsource user authentication to an identity provider via OpenID you are trusting that they are performing some minimum level of user validation to keep spammers and bots out of their service. However there is no requirement that they do that at all nor is there any minimum standard that they have to meet. A year ago, Tim Bray posted an interesting thought experiment where he pointed out that one could create an identity provider that "successfully authenticated" any user URL you provided it with. You can imagine what kind of fun spammers would have with such an identity provider on a site like StackOverflow.

    • Identity Providers May Recycle Identities: A number of large email service providers like Yahoo! and AOL have decided to become OpenID identity providers. Email service providers typically recycle abandoned email accounts after a set period of time. For example, if I don't sign-in to my dare@example.com email address after three months then all my data is wiped and that account joins the pool of available email accounts. What happens to my accounts on other sites where I use that email address as my OpenID? Does this mean that the next person to use that email address can log-in to StackOverflow as me? Maybe…it depends on quality of the identity provider.

    • Privacy Concerns: Delegating user authentication to another service means you are letting this other service know every time a user logs in to your site and often times what the user was trying to do since you pass along a return URL. Depending on the sensitivity of your site, this may be information that you would rather not leak about your users. Then again, most Web developers don't care about this given how much information about their users they let Web analytics firms and advertising providers track.

    White Lists are Key

    The bottom line is that accepting an Tom, Dick and Harry as an identity provider on your site is probably a bad idea. User authentication is an important aspect of an online service and delegating it to others without vetting them is not a wise given how widely the user experiences and the policies of various identity providers can vary. Developers should evaluate OpenID providers, then select a subset those whose policies and sign-in experience is compatible with their goals to avoid the risk of losing or alienating users. 

    Now Playing: The Game Ft. Ice Cube - State Of Emergency


    Categories: Web Development

    I recently read that Sarah Palin's Yahoo! email accounts had been hacked. What is interesting about the hack is that instead of guessing her password or finding a security flaw in Yahoo's email service, the hacker used the forgot your ID or password feature and a search engine. The Threat Level blog on Wired has posted an email from the hacker in a post entitled Palin E-Mail Hacker Says It Was Easy which is excerpted below

    rubico 09/17/08(Wed)12:57:22 No.85782652

    Hello, /b/ as many of you might already know, last night sarah palin’s yahoo was “hacked” and caps were posted on /b/, i am the lurker who did it, and i would like to tell the story.

    In the past couple days news had come to light about palin using a yahoo mail account, it was in news stories and such, a thread was started full of newfags trying to do something that would not get this off the ground, for the next 2 hours the acct was locked from password recovery presumably from all this bullshit spamming.

    after the password recovery was reenabled, it took seriously 45 mins on wikipedia and google to find the info, Birthday? 15 seconds on wikipedia, zip code? well she had always been from wasilla, and it only has 2 zip codes (thanks online postal service!)

    the second was somewhat harder, the question was “where did you meet your spouse?” did some research, and apparently she had eloped with mister palin after college, if youll look on some of the screenshits that I took and other fellow anon have so graciously put on photobucket you will see the google search for “palin eloped” or some such in one of the tabs.

    I found out later though more research that they met at high school, so I did variations of that, high, high school, eventually hit on “Wasilla high” I promptly changed the password to popcorn and took a cold shower…

    The fundamental flaw of pretty much every password recovery feature I've found online is that what they consider "secret" information actually isn't thanks to social networking, blogs and even Wikipedia. Yahoo! Mail password recovery relies on asking you your date of birth, zip code and country of residence as a proof of identity. Considering that this is the kind of information that is on the average Facebook profile or MySpace page, it seems ludicrous that this is all that stops someone from stealing your identity online.

    Even the sites that try to be secure by asking more personal questions such as "the name of your childhood pet" or "where you met your spouse" fail because people often write about their childhood pets and tell stories about how they met on weddings sites all over the Web.

    Web developers need start considering whether it isn't time to put password recovery features based on asking personal questions to pasture. I wonder how many more high profile account hijackings it will take before this becomes as abhorred a practice as emailing users their forgotten passwords (you know why this is wrong right?)

    Now Playing: DJ Khaled - She's Fine (Feat. Sean Paul, Missy Elliot & Busta Rhymes)


    Categories: Web Development

    Chris Jones has a blog post entitled Building Windows Live where he talks about the what all of us on Windows Live have been working on over the past year. He writes

    We have spent the last year working on our next major wave of releases for Windows Live. This wave is part of our ongoing work to build a great set of communication and sharing experiences that help keep your life in sync. This wave includes significant updates to our software applications for your Windows PC, and in the next few hours, we will release public betas of the latest version of the Windows Live suite of PC applications, including Messenger, Mail, Photo Gallery, Movie Maker, Writer, Toolbar, and Family Safety. You’ll find new features across the products and most notably, Windows Live Messenger has been almost entirely redesigned. I’m sure many of you will have questions, and, over the coming weeks, we’ll have individuals from the engineering team share more about what we have built and why we made the investments we made. Our intent is to post regularly to this blog, and if there are topics you think we should cover, please leave a comment or send me an e-mail at chris.jones@microsoft.com.

    It seems the download links were found early by those intrepid correspondents over at LiveSide and a number of people have already started trying the new versions out. The download URLs are http://g.live.com/1rebeta3/en/wlsetup-web.exe and http://g.live.com/1rebeta3/en/wlsetup-all.exe depending on whether you want to download a subset of the Windows Live desktop applications or all of them.

    I probably won't be blogging in detail about what I've worked on over the past few months until the products are out of beta but I will leave with this screenshot from Darren Neimke's post Loving the new Live Beta’s.

    I'm sure you can guess which of the features called out above I worked on.

    PS: My favorite thing about the new wave of Windows Live products is that the world now has a seamless calendar sharing solution that works. If Omar doesn't write something similar first, I'll probably throw a blog up about how my wife and I plan to use Outlook + Outlook Connector and Windows Live Mail + Windows Live Calendar to share our schedules so I no longer miss birth center appointments. :)

    Now Playing: DJ Khaled - Go Hard (Feat. Kanye West & T-Pain)


    Categories: Windows Live