Comments should be working again

I had a captcha plugin that was failing. Since I myself hate captchas, I’ve removed it for now and adjusted the comment settings to require moderation the first time you comment. Moderation + Akismet should take care of most of the spam (hopefully). You can also still sign in using OpenID if you prefer, although the OpenID login on WordPress remains quite underwhelming (compared to what should be possible by now).

Anyway, happy commenting and thanks @eelkefolmer for pointing out my site was broken.

N900 & Slashdot

I just unleashed the stuff below in a slashdot thread. 10 years ago I was a regular there (posting multiple times per day) and today I realized that I hadn’t actually even bothered to sign into slashdot since buying a mac a few months ago. Anyway, since I spent time writing this I might as well repost here. On a side note, they support OpenID for login now! Cool!

…. The next-gen Nokia phone [arstechnica.com] on the other hand (successor to the N900) will get all the hardware features of the iPhone, but with the openness of a linux software stack. Want to make an app that downloads podcasts? Fine! Want to use your phone as a modem? No problem! In fact, no corporation enforcing their moral or business rules on how you use your phone, or alienation of talented developers [macworld.com]!

You might make the case that the N900 already has the better hardware when you compare it to the iPhone. And for all people dismissing Nokia as just a hardware company, there’s tons of non-trivial Nokia IPR in the software stack as well (not all OSS admittedly), that provides lots of advantages in the performance or energy efficiency domain; excellent multimedia support (something a lot of smart phones are really bad at), hardware acceleration, etc. Essentially most vendors ship different combinations of chips coming from a very small range of companies, so from that point of view it doesn’t really matter what you buy. The software on top makes all the difference, and the immaturity of newer platforms such as Android can be a real deal breaker when it comes to e.g. battery life, multimedia support, support for peripherals, etc. There’s a difference between running linux on a phone and running it well. Nokia has invested heavily in the latter and employs masses of people specialized in tweaking hardware and software to get the most out of the hardware.

But the real beauty of the N900 for the slashdot crowd is simply the fact that it doesn’t require hacks or cracks: Nokia actively supports & encourages hackers with features, open source developer tools, websites, documentation, sponsoring, etc. Google does that to some extent with Android but the OS is off limits for normal users. Apple actively tries to stop people from bypassing the appstore and is pretty hostile to attempts to modify the OS in ways they don’t like. Forget about other platforms. Palm technically uses linux but they are still keeping even the javascript + html API they have away from users. It might as well be completely closed source. You wouldn’t know the difference.

On the other hand, the OS on the N900 is Debian. Like on Debian, the package manager is configured in /etc/sources.list which is used by dpkg and apt-get, which work just as you would expect on any decent Debian distribution. You have root access, therefore you can modify any file, including sources.list. Much of Ubuntu actually compiles with little or no modification and most of the problems you are likely to encounter relate to the small screen size. All it takes to get to that software is pointing your phone at the appropriate repositories. There was at some point a Nokia sponsored Ubuntu port to ARM even, so there is no lack of stuff that you can install. Including stuff that is pretty pointless on a smart phone (like large parts of KDE). But hey, you can do it! Games, productivity tools, you name it and there probably is some geek out there who managed to get it to build for Maemo. If you can write software and package it as a Debian package and can cross compile it to ARM (using the excellent OSS tooling of course), there’s a good chance it will just work.

So, you can modify the device to your liking at a level no other mainstream vendor allows. Having a modifiable Debian linux system with free access to all of the OS on top of what is essentially a very compact touch screen device complete with multiple radios (bluetooth, 3G, wlan), sensors (GPS, motion, light, sound), graphics, dsp, should be enough to make any self respecting geek drool.

Now with the N900 you get all of that, shipped as a fully functional smart phone with all of the features Nokia phones are popular for, such as excellent voice quality and phone features, decent battery life (of course with all the radios turned on and video & audio playing non-stop, your mileage may vary), great build quality and form factor, good support for bluetooth and other accessories, etc. It doesn’t get more open than this in the current phone market, and this is still the largest mobile phone manufacturer in the world.

In other words, Nokia is sticking out its neck for you by developing and launching this device & platform while proclaiming it to be the future of Nokia smart phones. It’s risking a lot here because there are lots of parties in the market that are in the business of denying developers freedom and securing exclusive access to mobile phone software. If you care about stuff like this, vote with your feet and buy this or similarly open (suggestions anyone?) devices from operators that support instead of prevent you from doing so. If Nokia succeeds here, that’s a big win for the OSS community.

Disclaimer: I work for Nokia and I’m merely expressing my own views and not representing my employer in any way. That being said, I rarely actively promote any of our products and I choose to do so with this one for one reason: I believe every single word of it.

OpenID, the identity landscape, and social networks

I’m still getting used to no longer being in nokia research center. One of my disappointments of being in NRC and being a vocal proponent of openid, social networks, etc. was that despite lots of discussion on this topic not much has happened in terms of me getting room to work on these topics or me convincing a lot of people about my opinions on these topics. I have one publication that is due out whenever the magazine involved gets around to approving and printing the article. But that’s it.

So, I take great pleasure in observing how things are evolving lately and finding that I’ve been pushing the right topics all along. Earlier this week, Facebook became a relying party for OpenID. Outside the OpenID community and regular techcrunch readers, this seems not to have been a major news story. That is odd, since just about anybody I discussed this topic with in the past few years (you know who you are) always insisted that “no way that a major network like Facebook will ever use OpenID”. If you were one of those people: admit right now that you were wrong.

It seems to me that this is a result of the fact that the social networking landscape is maturing. As part of this maturation process, several open standards are emerging. Identity and authentication are very important topics here and it seems the consensus is increasingly that no single company is going to own all 6-7 billion identities on this planet. So naturally any company with the ambition to potentially separate 6-7 billion individuals from their money for some product or service will need to work with multiple identity providers.

So naturally such companies require a standard for doing so. That standard is OpenID. It has no competition. There is no alternative. There are plenty of proprietary APIs that only work with limited sets of identity providers but none like OpenID that can work with all of them.

Similarly, major identity providers like Google and Facebook are stuck at sharing a few hundred million users between them, so they shift their attention to somehow involving all those users that didn’t sign up with them. Pretty much all of them are OpenID providers already. Facebook just took the obvious next step in becoming a relying party as well. The economics are mindbogglingly simple: Facebook doesn’t make money from verifying people’s identity but they do make money from people using their services. Becoming an OpenID relying party means the group of people who can access their services just grew to the entire internet population. Why wouldn’t they want that? Of course this doesn’t mean that world + dog will now be a Facebook user but it does mean that one important obstacle has just disappeared.

BTW. Facebook’s current implementation is not very intuitive. I’ve been able to hook up myopenid to my facebook account but I haven’t actually found a login page where I can login with my openid yet. It seems that this is a work in progress still.

Anyway, this concludes my morning blogging session. Haven’t blogged this much in months. Strange how the prospect of not having to work today is energizing me 🙂

OpenID study at Google

Google and Yahoo have both posted a usability study for federated and openid logins. Basically both of them hint at keeping things simple and as easy to use as possible for the user. Google has a quite nice suggestion about the UI but stops just short of going all the way.

We’ve done a lot of thinking on this topic regarding the demo and YouTube movie I linked last week. We have a similar problem: our users have to log in somehow, and then log in again for OAuth-like authentication with e.g. Facebook for extra features.

I really like Google’s UI but would like to suggest a few simplifications:

Basically the site should ask:

With what openid identity, email address or username do you wish to login (excuse ascii art)?

-------------------------------- ------
| http://www.jillesvangurp.com | | OK |
-------------------------------- ------

The user will enter whatever seems right and the server will make a best effort to authenticate with whatever the user provides. Then the server checks the following rules (using AJAX of course) against the address/username:

  • address/username known, not an IDP -> ask for the password
  • address/username known & an IDP -> redirect to IDP. Let user choose username optionally when returning to the site so the user can login with either short login name or IDP identifier.
  • not known & an IDP -> redirect to IDP, on return create an account on the fly with info IDP provides
  • not known, not an IDP -> show create account form, let user pick a username if email address was entered. Optionally, point out how to sign up with an OpenID provider and of course allow login with a different ID.

This is as simple as it gets. Basically, the only problem is the user entering a username that is in use by somebody else. A password field will show and login will fail.
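The four rules above as a routing function, added here as an example (not code from the post or from any of the plugins it mentions). Real OpenID discovery needs HTTP fetches, so a constructed table of OpenID-serving domains and mail domains stands in for it, and the account table and names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


class Step(Enum):
    """What the site shows next, one per rule in the post."""
    ASK_PASSWORD = "known, not an IDP: ask for the password"
    REDIRECT_IDP = "known, an IDP: redirect to the IDP, log into the existing account"
    REDIRECT_IDP_CREATE = "unknown, an IDP: redirect to the IDP, create the account on return"
    SHOW_SIGNUP = "unknown, not an IDP: show the create-account form"


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    openid: Optional[str] = None  # normalized claimed identifier, if one is linked


# Constructed user table standing in for the site's database (hypothetical people).
ACCOUNTS = [
    Account("jilles", "jilles@mail.example", "http://www.jillesvangurp.com/"),
    Account("alice", "alice@example.org"),
]

# Constructed stand-in for OpenID discovery: domains whose URLs (subdomains included)
# are OpenID identifiers, and mail domains whose addresses are served by an IDP.
OPENID_DOMAINS = {"www.jillesvangurp.com", "idp.example"}
OPENID_MAIL_DOMAINS = {"mail.example"}


def normalize_openid(text: str) -> Optional[str]:
    """OpenID 2.0 style URL normalization: add http:// if there is no scheme, default
    the path to '/', drop any fragment. Returns None if the text is not a URL."""
    if "@" in text or " " in text:
        return None
    candidate = text if "://" in text else "http://" + text
    parts = urlsplit(candidate)
    if parts.scheme not in ("http", "https") or "." not in parts.netloc:
        return None
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", parts.query, ""))


def find_account(text: str, openid: Optional[str]) -> Optional[Account]:
    """Match what was typed against username, e-mail address or linked OpenID."""
    for acct in ACCOUNTS:
        if text == acct.username or text.lower() == acct.email or (openid and openid == acct.openid):
            return acct
    return None


def is_idp(text: str, openid: Optional[str]) -> bool:
    """Would an OpenID provider handle this identifier?"""
    if openid:
        host = urlsplit(openid).netloc
        return any(host == d or host.endswith("." + d) for d in OPENID_DOMAINS)
    if "@" in text:
        return text.rsplit("@", 1)[1].lower() in OPENID_MAIL_DOMAINS
    return False


def route_login(typed: str) -> Step:
    """Apply the four rules to whatever the user entered in the single login box.
    Note the trade-off the design accepts: the answer reveals whether an identifier
    is already registered with the site."""
    text = typed.strip()
    openid = normalize_openid(text)
    known = find_account(text, openid) is not None
    idp = is_idp(text, openid)
    if known and not idp:
        return Step.ASK_PASSWORD
    if known:
        return Step.REDIRECT_IDP
    if idp:
        # On return, create the account from the identifier the IDP asserts (after the
        # response has been verified), never from `text`, which anyone can type.
        return Step.REDIRECT_IDP_CREATE
    return Step.SHOW_SIGNUP


if __name__ == "__main__":
    for attempt in ("jilles", "alice@example.org", "www.jillesvangurp.com",
                    "bob.idp.example", "carol@mail.example", "carol"):
        print(f"{attempt!r:26} -> {route_login(attempt).value}")
```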

The failure should look like this.
Login failed because the user and password are incorrect. You can either:

  • try another password
  • try another openidurl, email address or username
  • sign up with us or one of these Identity providers: XXX, YYY, ZZZ

This is as simple as it gets and it still supports a wide variety of login mechanisms.

Advantages:

  • Only one question that the user should be able to answer: who am I?
  • Using OpenID is rewarded by easy login
  • Worst case, user still has to provide a password.
  • Can support any kind of authentication, including non password based ones.

Indie Social Networking

I have this page elsewhere on this site where I try to keep track of various accounts I have with social networks and other sites. I updated it earlier today with some interesting additions.

It seems decentralized social networking is finally starting to happen. It’s all very low profile now but promising. It all started somewhere last week when I noticed that one of my colleagues, John Kemp, was now micro blogging via something called identi.ca. I noticed this because his status in skype was telling me. Since we share similar interests in things like OpenID and a few other things, I decided to check it out. I never really bought into this twitter stuff and gave up on updating my Facebook status regularly a long time ago. But this identi.ca looks rather cool, so I signed up.

It’s basically twitter minus some features (not yet implemented) with a few interesting twists:

  • You can sign in using OpenID
  • It’s open source. The software identi.ca is based on is called laconi.ca.
  • It’s completely open. It has all the hooks and obvious protocols implemented. For example, I microblog using an identi.ca contact in my jabber client (pidgin) over XMPP. There’s RSS and probably some more stuff.
  • Your friends’ info is available as FOAF, thus enabling Google’s Social Graph search to work with the data there and in other places (like e.g. your wordpress linkdump).
  • It’s decentralized, you can have laconi.ca friends on different servers. Like email, there is no need for everybody to be on the same server.
  • It’s written in PHP, so you can probably install it on any decent hosting provider: you can now run your own microblog just like you can run your own blog.

Of course being low profile, there’s only the usual suspects active: i.e. people like me.

A second interesting site I bumped into is whoisi.com. It’s basically friendfeed or similar sites with a few interesting twists:

  • You don’t have to sign in or register. You just start using it.
  • In fact you can’t sign in, and there’s little need to, because whoisi creates a nice account for you on the fly that you can access using the cookie it sets automatically or a URL you can bookmark.
  • You can follow any person on the web and associate feeds with that person.
  • There’s no concept of your profile on whoisi. It’s simply a tool for following people, anonymously. They don’t even have to use whoisi in order for you to follow them.

It’s run by Christopher Blizzard who works at Mozilla. I’m not sure if he is doing this in his spare time or if this has a bigger Mozilla labs plan behind it. Either way, he’s a cool guy with good ideas obviously. Since whoisi didn’t know about me yet, I ended up following myself, which feels slightly hedonistic, and added most of the interesting feeds. Including of course my identi.ca feed.

It occurs to me that using identi.ca’s FOAF and Google’s Social Graph search, whoisi should be able to automatically find websites related to a person from a single url by just following the rel=me links that Google can produce and then any friends from the rel=friend links. Check out what Google finds out about me from providing www.jillesvangurp.com here.

This hooking up of simple building blocks is exactly the point of the decentralized social network. It’s nice to see some useful building blocks emerge that work towards making this happen. Basically, all the necessary building blocks are there already. From a single link it is possible to construct a very detailed view of what your friends are doing all over the web fully automatically. True, all this is still a bit too difficult for the average user right now, but I imagine that a bit of search and discovery magic would go a long way to making this just work on a lot of sites.

WP-OpenID

I’ve been enthusiastic about openid for a while but have so far not managed to openid-enable my site. WP-OpenID, which is the main openid plugin for wordpress, is under quite active development. Unfortunately, until recently, any version I tried of that had some issues that prevented me from using it.

The author Will Norris got hired by Vidoop the other day to continue working on wp-openid in the context of the diso project. Diso is another thing I’m pretty enthusiastic about. So, things are improving on the openid front.

Tonight, I managed to get version 2.1.9 of wp-openid to install without any issues on my wordpress 2.5.1 blog. I’ve been testing and it seems to at least accept my openid www.jillesvangurp.com (delegate to myopenid) without issues.

So finally, my blog is openid enabled.

The delegation bit is BTW courtesy of another wordpress plugin: openid delegation. I’ve been using the 0.1 version for more than a year and it just works. Delegation is an openid concept where any website can delegate openid authentication to an external openid provider. This allows you to use a URL you own as your identity and also to switch provider without losing control of your openid url.
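How a relying party actually reads a delegation like the one described above, as an added example (not code from wp-openid, the delegation plugin, or this blog): HTML-based discovery of the `openid2.provider`/`openid2.local_id` links (with the OpenID 1.x `openid.server`/`openid.delegate` names as fallback), plus the two checks that make delegation safe, allow-listing the discovered endpoint rather than the typed URL, and matching the returned assertion against what discovery said. Yadis/XRDS discovery and response fragments are left out; the pages and provider hostnames are constructed.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Discovery:
    claimed_id: str   # the URL the user gave, e.g. their own domain
    op_endpoint: str  # the provider the RP must send the user to
    local_id: str     # the identifier that provider knows the user by


class _HeadLinks(HTMLParser):
    """Collects rel -> href for <link> elements inside <head>; the first occurrence wins."""

    def __init__(self) -> None:
        super().__init__()
        self.rels: Dict[str, str] = {}
        self._in_head = True

    def handle_starttag(self, tag, attrs):
        if tag == "body":
            self._in_head = False
        if tag != "link" or not self._in_head:
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.split():  # rel may carry several space-separated relations
                self.rels.setdefault(token.lower(), href)

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover_from_html(claimed_id: str, html: str) -> Optional[Discovery]:
    """HTML-based discovery: OpenID 2.0 link relations first, then the 1.x names.
    Without a local_id/delegate link the provider is asked about claimed_id itself."""
    p = _HeadLinks()
    p.feed(html)
    p.close()
    endpoint = p.rels.get("openid2.provider") or p.rels.get("openid.server")
    if not endpoint:
        return None
    local_id = p.rels.get("openid2.local_id") or p.rels.get("openid.delegate") or claimed_id
    return Discovery(claimed_id, endpoint, local_id)


def endpoint_allowed(d: Discovery, trusted_endpoints: Iterable[str]) -> bool:
    """Provider allow-listing must look at the discovered endpoint: the user's own
    domain says nothing about who will actually answer the authentication request."""
    return d.op_endpoint in set(trusted_endpoints)


def assertion_matches_discovery(d: Discovery, params: Dict[str, str]) -> bool:
    """Check a positive assertion against what discovery said (signature verification
    is a separate step). An RP that skips this would accept any provider's word for
    a claimed_id that provider was never delegated."""
    return (params.get("openid.op_endpoint") == d.op_endpoint
            and params.get("openid.identity") == d.local_id
            and params.get("openid.claimed_id") == d.claimed_id)


# Constructed sample: a personal page delegating to a hypothetical provider. The
# <link> in the body must be ignored; only the head takes part in discovery.
DELEGATING_PAGE = """<html><head><title>Jilles</title>
<link rel="openid2.provider" href="https://op.example/server">
<link rel="openid2.local_id" href="https://jilles.op.example/">
<link rel="openid.server" href="https://op.example/server">
<link rel="openid.delegate" href="https://jilles.op.example/">
</head><body><link rel="openid2.provider" href="https://other.example/"></body></html>"""

# Constructed sample: a page served by the provider itself, no delegation.
PLAIN_PAGE = """<html><head><link rel="openid2.provider" href="https://op.example/server"></head></html>"""


if __name__ == "__main__":
    d = discover_from_html("http://www.jillesvangurp.com/", DELEGATING_PAGE)
    print(d, "allowed:", endpoint_allowed(d, {"https://op.example/server"}))
```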

Friend Connect

Google announced their friend connect yesterday. It’s part of what is a pretty broad, and in my view really smart, strategy that they have been rolling out over the past few months bit by bit. It all started with open social, which is their social network API that allows gadget creators to target any social network able to act as an open social container. By now this includes most relevant social networks except Facebook.

An issue is that open social is still a bit immature and also that compatibility between sites is not that great due to sites introducing all sorts of extensions and cherry picking features to implement, which of course leads to a great variety of circumstances to test for. However, it’s a huge improvement over having just the Facebook API (which is not that old either, or that good).

Then came Google App Engine, which is an ultra-scalable, hassle-free environment for creating and hosting simple web applications, like for example open social gadgets. App engine is a very interesting achievement at least from an architecture and scalability point of view. Whether it will work as advertised remains to be seen of course, too early to tell. Also, it comes with lots of technical restrictions that are not going to be popular with people that have investments in existing, non-compatible code.

On the other hand, there’s no way around the fact that most of these limitations are more or less required for the type of scalability that Google wants to provide. So, Google App Engine lowers the barrier of entry for small parties to launch their own open social gadgets or full websites. That’s good for Google because inevitably Google ends up being a really attractive advertising partner for people who choose to sell their soul by hosting their products on Google App Engine. And of course, Google gets to monitor site activity and track users, which is all very valuable data from an advertising point of view. And of course all those nice Google APIs are really easy to access from inside Google’s own platform.

Now yesterday they added friend connect to the mix. Friend connect does several things. First of all, it turns simple web sites into open social containers. Secondly, it comes with a few widgets that add some value to this. The most important of these is what appears to be a social network interconnect that allows for authentication of users against several popular social networks and openid, thus relieving the simple website of that task. Basically visitors of a site can sign in with one or more social network credentials. Google handles all the interaction with the backend social networks, which includes things such as publishing site activity to your event feed, access to your friend lists on all associated sites and that type of features.

Soon loads of blogs and other websites will start featuring nifty open social gadgets. Think wordpress sidebar widgets on steroids (check out my front page to see a few in action). This will lead to a mass migration of activity from inside social networks to external websites.

I mentioned this was a very smart strategy by Google. What’s going on here? Well Google, unlike most companies relying on advertisement revenue, doesn’t care which websites you visit as long as they feature Google ads or as long as they can somehow track what you are doing. Friends connect vastly increases their ability to do so. It’s effectively as good as users visiting a Google owned site: you sign in; all sorts of complex javascript executes; AJAX calls to Google take place, etc. They might even start pushing ads this way, although I suspect that they are not that stupid (it would basically alienate a lot of website maintainers). More logical is that they continue to push ads separately and instead make it more attractive for existing adsense users to also deploy friend connect.

So, Google ads + friends connect is worth billions. It basically turns all connected websites into one huge social network with Google right at the center. Facebook can’t really deliver this value because inevitably users browse to other domains than facebook.com and also because their third party website advertising marketshare is pretty much non existent: all their revenue is inside their walled garden. Same for myspace.com, or linkedin.com and most other social networks. Google doesn’t really have this problem. Most of their ads are served up by third party websites anyway and more eyeballs for those means more money for them. Any way you get to see a Google ad is a good one as far as they are concerned.

Google also managed to do some interesting things here. Note that Facebook is featured on friends connect. Apparently Google is just using the public facebook APIs just like any other site. But it should be interesting to learn what’s in it for Facebook (revenue sharing?). Facebook and MySpace are also launching their connect APIs this week BTW. However, as noted above, they currently lack the advertising solutions to make it work so it is debatable what the added value of that is going to be. It could be that they have to do some website owner alienation by pushing ads. This is something Google can afford not to do.

Additionally, Google is actually bridging several social networks. Your myspace buddies showing up right next to your facebook buddies is somewhat of a novelty for the web (and the involved social networks). Google doesn’t care where you park your friends, as long as you expose them via Google Connect and interact with them on sites showing nice Google ads.

Very clever.

I have a few worries though. To me friends connect sounds like a rather exclusive club and a huge control point. It achieves some of the goals of dataportability.org by basically introducing one big fat central control point. So it’s as open as Google wants/needs it to be. For now they seem to be doing it the right way, and friends connect being an openid relying party is a great example. But long term I wonder what will happen to the non Google connected web.

Update. It seems Facebook is blocking their, apparently, involuntary inclusion on Google’s friend connect citing terms of use designed to lock in users into their platform. If you are not part of the solution, you are a part of the problem. Or, as Despair.com paraphrases, if you’re not a part of the solution, there’s good money to be made in prolonging the problem. I guess they are afraid of the walls of their garden being torn down and that their estimated value might deflate before they can capitalize on it. Rumor has it Steve Ballmer is sitting on a sack of unused money due to a certain deal blowing up in his face recently. And we all know he likes to throw what he sits on.

OpenID 2.0 and concerns about it

It seems JanRain is finally readying the final version of OpenID 2.0. There’s a great overview of some concerns that I mostly share on readwriteweb.com. Together with another recent standard (OAuth), OpenID 2.0 could be a huge step forward for web security and privacy.

Let’s start with what OpenID is about and why, generally, it is a good idea. The situation right now on the web is that:

  • Pretty much every web site has its own identity solution. This means that users have to keep track of dozens of accounts. Generally users have only one or two email addresses so in practice that means most of these accounts are actually tied to 1 email account. Imagine someone steals your gmail password and starts scanning your mail for all those nice account activation mails you’ve been getting for years. Hint: “mail me my password”, “reset my password”. In short, the current situation has a lot of security risks. It’s basically all the downsides of a centralized identity solution without any of the advantages. There are many valid concerns about using OpenID related to e.g. phishing. However, what most people overlook is that the current situation is much worse and also that many OpenID providers actually address the concerns by implementing various technical solutions and security practices. For example myopenid.com and Verisign employ very sophisticated technologies that you won’t find on many websites where you would happily provide your credit card number. There is no technical reason whatsoever why openid providers can’t use the same or better authentication mechanisms that you probably use with your bank already.
  • While technically some websites could work together on identity, very few do and the ones that do tend to have very strong business ties (e.g. banks, local governments, etc.). This means that in most cases, reusable identity is only usable on a handful of partner sites. Google, Microsoft, and Yahoo are great examples. They each have partner programs that allow externals to authenticate people with them. Only problem: almost nobody seems to do that. So reality check: OpenID is the only widespread single sign on solution on the web. There is nothing else. All the other stuff is hopelessly locked into commercial verticals. Microsoft has been trying for years to get their password solution to do what OpenID is doing today. They failed miserably so far.
  • Web sites are increasingly dependent on each other. Mashups started as an informal thing where site A used an API from site B and did something nice with it. Now these interactions are getting much more complex. The number of sites involved in typical mashups is increasing and the amount of privacy sensitive data flying around in these mashups is also increasing. A very negative pattern that I’ve seen on several sites is the “please provide your gmail/hotmail/yahoo user password and we’ll import your friends” type feature. Do you really want to share your years of private email conversations with a startup run in a garage in California? Of course not! This is not a solution but a cheap hack. The reality is that something like OpenID + OAuth is really needed because right now many users are putting themselves in danger by happily providing their username and passwords.
  • Social networks like Facebook authenticate people for the many little apps that plug into them. So far Facebook is the most successful here. Facebook provides a nice glimpse of what OpenID makes possible on a much larger scale but it is still a centralized vertical. I am on Facebook and generally like what I see there but I’m not really comfortable with the notion that they are the web from now on (which seems to be implied in their centralized business model). Recent scares with their overly aggressive advertisement schemes show that they can’t really be trusted.

OpenID is not a complete solution for the above problems and it is important to realize that this is by design: it tries to solve only one problem and tries to solve it well. But generally it is a vast improvement over what is used today. Additionally, it can be complemented with protocols like OAuth which are about delegating permissions from one site to another on your behalf. OpenID and OAuth are very well integrated with the web architecture in the sense that they are not monolithic identity solutions but modular solutions designed to be combined with other modular solutions. This modular nature is essential because it allows for very diverse combinations of technology. This in turn allows different sites to implement the security they need but in a compatible way. For example, for some sites allowing any OpenID provider would be a bad idea. So, implement whitelisting and work with a set of OpenID providers you trust (e.g. Verisign).

OpenID and OAuth provide a very decent base level of protection that is not available from any other widely used technology currently. The closest thing to it is the Liberty Alliance/SAML/Microsoft family of identity products. These are designed for and applied exclusively in enterprise security products. You find them in banks and financial institutions, travel agencies, etc. These are also used on the web but invariably only to build verticals. Both Google and Microsoft use technologies like this to power their identity solutions. In fact, many OpenID identity providers also use these technologies. For example, Microsoft is rumoured to OpenID enable their solution and several members of the Liberty Alliance (e.g. Sun) have been experimenting with OpenID as well. They are not mutually exclusive technologies.

It gets better though. Many OpenID providers are employing really advanced anti phishing technologies. Currently you and your cryptographically weak password are just sitting ducks for Russian/Nigerian/Whatever scammers. Even if you think your password is good, it probably isn’t. OpenID doesn’t specify how to authenticate. Consequently, OpenID providers are competing on usability and anti phishing features. For example, Verisign and myopenid.com employ techniques that make them vastly more secure than most websites out there, including some where you make financial transactions. There has been a lot of criticism on openid and this has been picked up by those that implement it.

So now on to OpenID 2.0. This version is quite important because it is the result of many companies discussing what should be in there for a very long time. In some respects there are a few regrettable compromises and maybe not all of the spec is that good of an idea (e.g. .name support). But generally it is a vast improvement over OpenID 1.1 which is what is in use currently and which is technically flawed in several ways that 2.0 fixes. The reason 2.0 is important is because many companies have been holding off OpenID support until it was ready.

The hope/expectation is that those companies will start enabling OpenID logins for their sites over the next few months. The concern expressed here is that this may not actually happen and that in fact OpenID hype seems past its glory already. Looking at how few sites I can actually sign into with my OpenID today, I’d have to agree. As of yet, no major website has adopted OpenID. Sure there are plenty of identity providers that support OpenID but very few relying parties that accept identities from those providers. Most of the OpenID sites out there are simple blogs, startups, web 2.0 type stuff, etc. The problem seems to be that everybody is waiting for everybody else and also that everybody is afraid of giving up control over their little clusters of users.

So ironically, even though there are many millions of openids out there, most of their owners don’t use them (or are even aware of having one). Pretty soon openid will be the authentication system with the most users on this planet (if not already) and people don’t even know about it. Even the largest web sites have no more than something like a hundred million users (which is a lot). Several of those sites are already openid identity providers (e.g. AOL).

The reason I hope OpenID does get some adoption is because if it doesn’t, it will take a very long time for something similar to emerge. This means that the current very undesirable situation is prolonged for a very long time. In my view a vast improvement is needed over the current situation and besides OpenID, there seems to be very little in terms of solutions that can realistically be used today.

The reason I am posting this is because over the past few months my colleagues and I have been struggling with how to do security in decentralized smart spaces. If you check my publications web site, you will see several recent workshop papers that provide a high level overview of what we are building. Most of these papers are pretty quiet on security so far even though obviously security and privacy is a huge concern in a world where user devices use each other’s services and mash them up with commercial services in both the local network and internet. Well, the solution we are applying in our research platform is a mix of OpenID, OAuth and some rather cool add-ons that we have invented to those. Unfortunately I can’t detail too much about our solutions yet except that I am very excited about them. Over the next year, we should be able to push out more information into the public.