
Scripting News, the weblog started in 1997 that bootstrapped the blogging revolution.

I'm in heaven

The Internet has many wonderful applications, but I doubt people think of it as a romance platform. It is, though.

Case in point. I was looking for some music to play for my friends on Twitter the other night, and I don't remember how I stumbled on this wonderful recording of Ella Fitzgerald and Louis Armstrong singing Gershwin's Cheek To Cheek, but it is something else. I recommend putting aside a bit of time later if you don't have time now, and play it on a nice sound system, and get ready for your heart to go to heaven.

But that's not the end of the story.

I remembered seeing the same song sung by Fred Astaire with Ginger Rogers, in the movie Top Hat. Now Fred's not really a singer like Louis & Ella -- but boy can he dance. The yin and yang! Cheek To Cheek reaches places with Fred & Ginger that you're just going to love.

So the Internet is a history and heart machine. It's love and life. Flirting, dancing, swing, and yeah kisses. ;->

Rethinking authentication

First a caveat: this is going to be a technical post, so if you're not interested in techie stuff, you can skip it. However, I'm going to try to make it understandable to smart users who are willing to scratch their heads and read it two or three times.

There's been a persistent problem in the twittersphere when developers have wanted to enhance the service but require access to the user's account. There's no other way than to ask for the user's login info: their username and password. If the developer is ethical, this is not a problem; it's much like giving credit card information to a vendor. But you can get in trouble when the developer isn't trustworthy and uses your information in malicious ways. We got a taste of this over the weekend.

Immediately people in the know say Use OAuth! -- believing that will solve the problem. I understand OAuth, I've implemented Flickr's authentication system which was the inspiration for OAuth. It's a complicated dance for the app developer, but it provides the user with an important ability that's supposedly available no other way. The user can de-authorize one app without de-authorizing all others. It's true, you can do this with OAuth, but it's not the only way to do it, and it's more complicated for users and developers than the other way, which I'm now going to explain.

I got this idea when Twitter rate-limited me yesterday. I was debugging some code, and I guess I made more than 100 calls in an hour. Now I can't make any more calls from my LAN (even though it's been almost 24 hours since the offense). This showed me one very important thing -- Twitter has the ability to block calls by IP address. That's the key.

Okay, so now assume I've given my username/password to Wimpy's App Shop, who has a neat little Twitter add-on gizmo that I love, and everything's going great until one day Wimpy, whose shop is suffering in the recession, decides to make a little extra money by selling my login to Bluto's Greasy Spoon Spamporium, who proceeds to send huge numbers of phishing messages to Chris Brogan, Kevin Marks, Chris Messina and Guy Kawasaki. This is very annoying. We must stop it at once!

Now imagine that Twitter had a page that showed all the IP addresses that have used your login in the last 30 days, with a start date for each and a count of calls made. I bet you could figure out which one was The Greasy Spoon Group, pronto. Further suppose there was a checkbox next to each IP address. You could uncheck that one, click Submit, and voila, no more spam from your account. You just did everything that OAuth promises to let you do, and no one had to implement the dance. It worked with today's simple and klunky worse-is-better authentication system.

Now IP addresses are ugly and not informative, so add a little enhancement, and have Twitter do a reverse DNS lookup for each one. If something simple came back, like and not, display it instead of the IP address. Now it would be even easier to spot the nasty dude.

That's it, that's the idea. I think this works -- do you see any problems??
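Here is the scheme above worked through as an added example (my own illustration, not code from the original post and not Twitter's code): a per-account ledger that records every client address that has used the login in a rolling 30-day window with its first-seen date and call count, a review page that lists those rows with a reverse-DNS name where one "simple" enough came back, and a per-address block the account owner can flip. The class and function names, the `_looks_simple` heuristic standing in for the post's elided "something simple like ... and not ...", the documentation-range IP addresses and the `.example` hostnames in the sample run are all constructed assumptions.

```python
"""Per-account IP activity ledger with owner-controlled blocking (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional, Set

WINDOW = timedelta(days=30)  # the post's "last 30 days"


@dataclass
class IpRecord:
    first_seen: datetime
    last_seen: datetime
    calls: int = 0


@dataclass
class Account:
    username: str
    ips: Dict[str, IpRecord] = field(default_factory=dict)
    blocked: Set[str] = field(default_factory=set)


def _looks_simple(name: str) -> bool:
    """Assumed heuristic: show a reverse-DNS name only if it is short and the
    leftmost label is not an ISP-generated one with digits in it."""
    labels = name.rstrip(".").split(".")
    return len(labels) <= 3 and not any(ch.isdigit() for ch in labels[0])


class Ledger:
    def __init__(self, resolver: Optional[Callable[[str], Optional[str]]] = None):
        self.accounts: Dict[str, Account] = {}
        # Reverse-DNS hook; a real deployment would wrap socket.gethostbyaddr.
        # A dict's .get works as an offline resolver for the sample run.
        self.resolver = resolver or (lambda ip: None)

    def _account(self, username: str) -> Account:
        return self.accounts.setdefault(username, Account(username))

    def _expire(self, acct: Account, now: datetime) -> None:
        """Forget addresses not seen inside the window."""
        cutoff = now - WINDOW
        for ip in [ip for ip, r in acct.ips.items() if r.last_seen < cutoff]:
            del acct.ips[ip]

    def authorize(self, username: str, ip: str, now: datetime) -> bool:
        """Called after the password check: refuse blocked addresses, else record the call."""
        acct = self._account(username)
        self._expire(acct, now)
        if ip in acct.blocked:
            return False
        rec = acct.ips.get(ip)
        if rec is None:
            acct.ips[ip] = IpRecord(first_seen=now, last_seen=now, calls=1)
        else:
            rec.last_seen = now
            rec.calls += 1
        return True

    def set_blocked(self, username: str, ip: str, blocked: bool) -> None:
        """The checkbox next to each address on the review page."""
        acct = self._account(username)
        (acct.blocked.add if blocked else acct.blocked.discard)(ip)

    def report(self, username: str, now: datetime):
        """Rows for the review page, oldest address first."""
        acct = self._account(username)
        self._expire(acct, now)
        rows = []
        for ip, rec in sorted(acct.ips.items(), key=lambda kv: kv[1].first_seen):
            name = self.resolver(ip)
            rows.append({
                "ip": ip,
                "label": name if name and _looks_simple(name) else ip,
                "first_seen": rec.first_seen.date().isoformat(),
                "calls": rec.calls,
                "blocked": ip in acct.blocked,
            })
        return rows


def demo():
    """Constructed sample: a well-behaved app, then a burst from a second address."""
    names = {"203.0.113.10": "app.wimpys-shop.example",          # constructed
             "198.51.100.7": "c-198-51-100-7.dsl.example"}       # constructed
    ledger = Ledger(resolver=names.get)
    t0 = datetime(2009, 1, 1, 9, 0)
    for i in range(20):                       # the add-on, a call an hour
        ledger.authorize("dave", "203.0.113.10", t0 + timedelta(hours=i))
    for i in range(500):                      # the spam burst, a call a minute
        ledger.authorize("dave", "198.51.100.7", t0 + timedelta(days=3, minutes=i))
    ledger.set_blocked("dave", "198.51.100.7", True)
    still_allowed = ledger.authorize("dave", "198.51.100.7", t0 + timedelta(days=4))
    return {
        "rows": ledger.report("dave", t0 + timedelta(days=4)),
        "still_allowed": still_allowed,
        "rows_after_window": ledger.report("dave", t0 + timedelta(days=40)),
    }


if __name__ == "__main__":
    for row in demo()["rows"]:
        print(row)
```

In the sample run the review page shows `app.wimpys-shop.example` (20 calls, first seen 2009-01-01) and the raw address `198.51.100.7` (500 calls, blocked), and the next call from the blocked address is refused. One property of the data is worth keeping in mind when reading such a page: an address identifies a network path, not a party, so several unrelated clients behind one NAT or proxy appear as a single row, and a client whose address changes appears as several.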

Update: Great comments. Over on the Twitter blog, Biz says they're going to release a closed beta of OAuth this month.


Last update: Monday, January 05, 2009 at 12:57 PM Pacific.

Dave Winer, 53, pioneered the development of weblogs, syndication (RSS), podcasting, outlining, and web content management software; former contributing editor at Wired Magazine, research fellow at Harvard Law School, entrepreneur, and investor in web media companies. A native New Yorker, he received a Master's in Computer Science from the University of Wisconsin, a Bachelor's in Mathematics from Tulane University and currently lives in Berkeley, California.


© Copyright 1997-2009 Dave Winer.
