Things I actually like

Well, lots of negative reviews and blather from me lately, so how about something a little more positive –

First. Camino, the browser. I have run it for a while (a week-ish?) and it has not yet crashed on me. v.1.0.3 . This is particularly good, for me. It’s not too crazily resource-intensive. It doesn’t degrade much over time. Alas, I can’t use all the great debugging extensions that Firefox can use, and that is very, very unfortunate. But I haven’t lost work – and that’s huge. As one might recall, I don’t like browsers very much. And Camino annoys me as well. But, as of late, it has annoyed me less than most of the others. I still feel that the finest web-browsing experience one can have seems to be Firefox on Windows, which is blasphemous of me to say, but I feel it’s true. But Camino is my new browser, until the Firefox people can get their collective shit together and put out a version for OS X that doesn’t suck as much as this one does.

Next up – I bought myself a copy of Star Fox for the DS as a little ‘gift’ to myself for ‘being good’ – whatever that means. Anyways, after having come off a bad spate of games I worried that this one might be the same. But, in fact, it is not at all! It’s quite good – but I should note that I am one of the shittiest fighter pilots alive, so perhaps take my words with some salt, a little paprika, and a sprig of thyme.

There’s a “strategic” view where you use the stylus to draw the paths you want your ships to take, and can tap on areas of the screen to scan them, then when you end your turn, your units all move. It’s a great non-rectilinear take on strategic stuff, and could end up making something interesting in its own right. But as for Starfox, it makes a great way to send your different fighters off to do different tasks.

Then there’s the regular, old-school fighter-pilot-ing. Simple controls – stylus on screen. You get a nice analog response with this setup, and though it doesn’t feel completely 3-dimensionally free, it is quite good. You can cruise around a 2-D square, and you have a relatively tight timespan to do it in. But it makes a challenge, and is fun.

The plot leaves a bit to be desired, but stuff does seem to happen, and it is advancing interestingly enough.

All in all, I’m glad this one sucked less.

And, finally, gym attendance. Sucking worse than normal, now. The problem is that my time is so very very limited and the few minutes I do have to do with what I will I need to be spending productively, for whatever definition of the word ‘productively’ suits me at the time. And gym attendance is good for me and all – I don’t doubt that – but there are other things I need to be working on. The latest thing is my new authentication initiative desk.nu. It’s finally something for me to fiddle with that’s small enough that I really can reach my grasp all the way around it and get it to be exactly whatever I want it to be. I hope I can get it to the point where I don’t have to say, “oh, that part doesn’t work yet, coming soon” – and for the most part, it does work, and as advertised. The next issue – and the one that really killed me with NetServOS – will be getting Developers to develop for it. And of course, making it pretty. But I have plans for both of those things, for which you shall have to stay tuned…

More On Identity

Well, I was very excited to see that some people have created some pretty reasonable protocols to define what your ‘identity’ is in this whacky, Web 2.0 world we live in. Unfortunately, they botched. The protocols they define are based upon identifying yourself with a URL – giving the protocols near-complete decentralization. Yay! Except people aren’t URLs. The closest thing they are is email addresses. Boo! Furthermore, the protocol adds lots of complexity in terms of what information you share or don’t share, etc. Signing up for an identity being completely separated from using your (completely separate) identity somewhere else. And the most damning thing is that sites that use openid still retain their old username/password boxes from before. Yuck. Why wouldn’t they migrate everyone over? Because it can’t be done. Ugh.

So I was thinking about a radically simpler solution.

Here’s what I came up with:

#1) Guy gets to website he’s never been to before. He’s never used our system before either. He wants to do something that would require some kind of ‘identify yourself!’ thing. Maybe posting to a blog, maybe editing a Wiki article.
#2) The login thingee says ‘email:’ and our guy puts in his email and clicks a button or something.
#3) The system emails him a big long ugly URL. Or maybe a short-and-sweet case-sensitive one. He clicks it.
#4) New window pops up saying, “OK, your info thingee has been validated or whatever. You may close this window”.
#5) He is done. He may even stay validated for another 30 minutes (hour? 2 hours?) or so, so he can repeat this several times. On several different sites.

Let’s see what happens if he does go to another site –
#1) Guy now goes to somewhere else. He tries to do something else which requires identification.
#2) Login thingee says ‘email’ which he puts in – or his browser auto-fills.
#3) A window pops up saying, “OK, you’ve already been authenticated as bobo@agladsfhlkyewiutykxjcnkjwheriwuehf.fromple, click here to use that identity on this site”
#4) User clicks. Is done.

Now if our user finds that this type of thing is happening to him all the time, he may get encouraged to ‘register’ so he just has to put in a password to be identified. This encouragement might happen around step #3 above, once the dude has used this system a few times. There, instead of the email going out, a login screen would show up. He could log in, and be so identified for so long.

There! How’s that? Simple enough for ya!? OK, that’s how it acts, here’s how it should work.

When the user clicks the Login button it gets posted to my server. If his email address has never been seen before, it just sends him an email. Maybe after asking him questions like name or something. Maybe you can choose to make a password there too. When the user clicks on the URL he was emailed, he’s proven ownership of the email address, and a cookie is set on his machine, pointing to my domain. Probably set with a time limit or something. The page somehow gets magically redirected to where he was going.

The second time this happens the system has seen your email address before – it should consider asking you, “Hey, this keeps happening to you, do you want to set a password and use that instead?” If you’ve set a password, then you get a password prompt instead. Success implies cookie and redirection to wherever you were going.

Subsequent authentication attempts will still post to my site, but then your cookie will be detected, and you’ll just get a “OK, you want to auth to this site?” thing.

At some point something complicated will have to happen to inform the original site that you are, indeed, who you say you are. Ah! When you get redirected back, the original site gets URL parameters appended saying – here’s the dude, here’s a crypto hashey thing. Ah! You specify a ‘nonce’ thingee in your form which posts to me, upon return I hash the nonce, the date/time, your site URL, and your mother’s maiden name together into a big ugly base-64 thing which you are obligated to decipher. Hell, with the date/time, you can skip the noncery I think. Oh, no, you need it so people can’t just hash up gibberish and have you believe it.
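The return leg sketched above, as an added example (not code from this post or from desk.nu). It assumes a keyed HMAC-SHA256 with a secret shared between the identity service and each site, since a plain hash of values visible in the URL could be recomputed by anyone; the function names, parameter names and the 300-second window are hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

# Assumption: the identity service and each relying site share a secret key.
SITE_KEYS = {"https://blog.example/": b"constructed-demo-key"}
MAX_AGE = 300  # seconds an assertion stays acceptable (assumed value)

def new_nonce(pending):
    """Relying site: mint the nonce placed in the login form."""
    nonce = secrets.token_urlsafe(16)
    pending.add(nonce)
    return nonce

def sign_assertion(site_url, nonce, email, now=None):
    """Identity service: build the parameters appended to the redirect."""
    ts = int(time.time() if now is None else now)
    payload = json.dumps({"site": site_url, "nonce": nonce,
                          "email": email, "ts": ts}, sort_keys=True).encode()
    mac = hmac.new(SITE_KEYS[site_url], payload, hashlib.sha256).digest()
    return {"assertion": base64.urlsafe_b64encode(payload).decode(),
            "sig": base64.urlsafe_b64encode(mac).decode()}

def verify_assertion(params, site_url, pending, now=None):
    """Relying site: return the verified email, or None if rejected."""
    now = time.time() if now is None else now
    try:
        payload = base64.urlsafe_b64decode(params["assertion"])
        sig = base64.urlsafe_b64decode(params["sig"])
    except (KeyError, ValueError):
        return None
    expected = hmac.new(SITE_KEYS[site_url], payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None                      # forged or tampered: key not known
    claims = json.loads(payload)         # parse only after the MAC check
    if claims["site"] != site_url or abs(now - claims["ts"]) > MAX_AGE:
        return None                      # minted for another site, or stale
    if claims["nonce"] not in pending:
        return None                      # replayed, or a nonce never issued here
    pending.discard(claims["nonce"])     # single use
    return claims["email"]

if __name__ == "__main__":
    pending = set()
    site = "https://blog.example/"       # constructed sample values
    params = sign_assertion(site, new_nonce(pending), "bobo@example.test")
    print(verify_assertion(params, site, pending))   # first use is accepted
    print(verify_assertion(params, site, pending))   # replay is rejected
```

The timestamp bounds how long a captured redirect URL is useful, while the nonce is what makes it single-use and ties it to a login this site actually started.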

You want the system to be super-duper simple, but not start forking over the dude’s identity willy-nilly.

So – I guess when you’re signing up, you can put in things like Full Name, city, etc – and maybe set certain things as private or public…?

Anyways, this version has these advantages –

#1) No differentiation is made between a ‘consumer’ and a ‘server’ – any site which uses this auth method can implicitly sign people on.

#2) People are E-Mail addresses.

#3) Minimal to nearly no commitment required on the user’s part – you don’t have to make much of an account, or anything.

#4) Easy(ish) to implement.

With the obvious disadvantages –

#1) No longer decentralized. But we’re not talking about lots of data here, it would be possible to scale a centralized identity service up.

#2) Phishing attacks – no more or less so than openid, but you still could find yourself a victim of a phishing attack with this system.

Edit – I found the idea for this stupid thing so simple and compelling that I just built it. It’s still in the conceptual/prototype stages right now, and I wouldn’t use it to secure anything I really deeply cared about just yet, but it’s there so you can look at it. It’s very early yet. Just look and think and stuff, don’t whine yet:

Desk.nu – Your new…desk…to be…uh…working on. Or something.

Google Everything

So, Google has pretty much done all the stuff I intended to do, oh so many years ago, with their very good and very clever web apps like Gmail, Google Calendar, Reader, Google Home Page, Docs & Spreadsheets, etc. So I’ve decided to wade in and start using all the great little applications – well, not little, big. A few slight snags – first, for Gmail to be useful, I’ve had to forward other mail accounts to it. Second, I had to change my name. My old Gmail name was something I thought was really cool when I was like 14 and into BBS’ing. However, I’m 900 years old now, and I have professional needs and stuff, so I had to come out with a slightly more regular-human-sounding name. Okay, easy enough, done. Now alllllll this crazy Google shit I’ve accumulated over the years I have to try and move over. Not so easy. Browser Sync? Easy, delete the service and re-add it. Email? Forward my old gmail to my new one. Docs? I guess I can share out all my docs to my new self (done), and this Blog here…well…I guess, I can invite my new self to collaborate with my old self…weird, because my old self is going to remain a weird vestigial account forever in the future, I guess…until Google lets ownership of things migrate back and forth. Some services of Google’s I don’t even mess with, but I’ve used at some point, so I don’t have here. But I don’t think that matters.

So, problem number one. My browser just hung while I was typing this. My opinions about browsers are well known, and I’m on a Mac, which can be less nice than using a Windows box when it comes to AJAX-heavy Javascript-ey stuff. So I had to actually type the first paragraph again while looking at the frozen screen in my other browser. This is why I always have 15 browsers available in my Applications.

Next – as much as I like to keep thinking of myself as ‘ahead of my time’, I’m not. Quite frankly, I never imagined that the Web, and regular-issue Web browsers, would ever be able to do the stuff we can do in a Browser today using Javascript and the DOM and such. I mean, don’t get me started on the fact that Javascript is an interesting language that’s just miserable to program in because the environment it lives in is so awful, or the DOM as being the worst API to do anything anywhere, but the end result is still insanely powerful.

But, now I got it all here, and I have to say, I’m a liiiiittle bit disappointed. Not very, but a little. Gmail isn’t as fast as I had wanted. It’s still fast – and really comparable with Mail.app, which is my favorite mail program up until now. We’ll have to see how it goes.

And I made my own custom Google homepage. That’s really, really, really great. I have a little box for my mail, my calendar, my RSS feeds…it’s pretty cool. I tried to do this with my Apportal software (one of the many failed or semi-failed attempts at making the NetServOS software back in the day), and it didn’t quite make it, but Google has completely nailed this one. Very impressive, guys. I’m even considering making a little doodad for it.

The only thing that bugs me – only slightly, but it does bug me – is that you only get what you’re given. What you get is what Google gives you. And that’s nice, Thank you Google, for giving us stuff, but I don’t think I can imagine a world where all software comes from one single great benevolent software entity. Even Google. Or Microsoft. Or MicroGoogleOracleIBM. Eventually, someone’s going to want something that doesn’t exist.

Proof: Let us posit that Google has made all applications that you could ever want, which all work in whatever fashion you desire. Ok, fine. So I want an application that lists applications that I want, but don’t exist yet. Ah ha! Wait, I guess that means Google might give me a nice Google-branded empty window which says, “Here are all applications you want that don’t exist!”…crap. Forget that proof.

Okay, just take my word for it. Nobody can make everything you want. So what’s going to be the solution for that? I think lots of that is tied in with Identity – and there are some stupid people working on it (Microsoft, Liberty Alliance), and some less stupid people working on it – http://www.openid.net – for example. But they insist on representing a user’s “identity” as a URL. Clever, but people tend to identify themselves more with email addresses, I would’ve gone with that instead. Though I guess “mailto:brady@sldkjskldjflskjglkjelkjsldkjflskdjflsdkfjsldkfjalkjdfalskdjgalskdldk.schlorm” is a valid URL. Who knows.

And after that, of course, we then come to interoperability. If the only thing that ties you together throughout all these applications is your identity – well, that’s kinda weak. Not terribly so – if you think about how you use your applications in your day-to-day life, you probably don’t chain them together that much (unless you use Unix, but that’s a perverse case). The big one is your Mail application and the rest of your OS in order to open documents on it. Or your web browser and documents or files you’ve downloaded from that. If you’re on a Mac, your Mail client and your Calendar work well together – but they cheat, I don’t think they’re using any protocol or anything to talk to each other. Or if you use something to transfer files to Important Places (FTP, SFTP), it might be nice to open the files after you get them. But I don’t think this is as important as I thought it was. I’m not sure, we’ll have to see how much my Google usage intersects with my Regular Computer Usage, and see. For the first time in literally years, I’m running with Mail.app shut down, and it’s not bothering me in the slightest, so I think we may be off to a good start.

I will most definitely keep reporting in.