rc3.org

Strong opinions, weakly held

Author: Rafe (page 41 of 989)

Tim Bray on eradicating the digital divide

I like this quote from Tim Bray on the proper aspirations of people working the mobile industry:

Some worry (reasonably) about everyone being online all the time. I think that regularly disconnecting from the endless input overflow is a good thing. But, that choice must always be voluntary; its imposition, by a malevolent government, a failing market, or poverty, is a bug that we should fix.

The anachronism that is North Korea

Am I wrong in thinking that the most interesting thing about North Korea is that it is a living anachronism that illustrates how most countries around the world were governed in the pre-enlightenment world? Ostensibly North Korea is a Communist country ruled by a dictator, but now leadership has passed to third generation, I think it’s pretty clear that North Korea is for all intents and purposes a monarchy. As economic systems go, North Korea is home to an expansive state that keeps most of its people in a equivalent to serfdom. Any wealth generated by the country is used to maintain an army, build monuments to the ruling class, or fund the lifestyle of the “royal” family. Prior to the enlightenment, that’s how pretty much every country operated. As frustrated as I am with our government, even our somewhat shabby democracy is better in just about every way to what preceded it, monuments like Versailles, the Taj Mahal, and the Egyptian pyramids notwithstanding.

Update: Brad Plumer looks at the results of decades of misrule. Per capita income in North Korea is 5% that of South Korea, meaning that even if the two countries wanted to reunite, they probably couldn’t afford it.

An opportunity to exercise empathy

My previous post was about Ta-Nehisi Coates’ call for muscular empathy. This video of North Koreans crying over the death of Kim Jong-Il provides an opportunity to exercise that empathy:

The New York Times catalogs the evils of his regime.

Giving advice as a form of self-aggrandizement

A couple of years ago I wrote a post advising people not to give advice. Let’s move on past the hypocrisy inherent in that sentence so that I reiterate my point. Giving advice is often a form of self-aggrandizement.

This week, Gene Marks, a technology writer, wrote a bit long chunk of advice entitled If I Were A Poor Black Kid. It turns out to be the sort of reductio ad absurdum argument against getting into the advice business. You can easily skip reading the article and just imagine what it says instead, and you’ll probably be right. What you should read is Ta-Nehisi Coates’ response to it.

He attacks the general idea people have that they would never allow themselves to be victims, be it of poverty, or slavery, or abuse, or any other situation that is obviously abhorrent. He writes:

What all these responses have in common is a kind benevolent, and admittedly unintentional, self-aggrandizement. These are not bad people (much as I am sure Mr. Marks isn’t a bad person), but they are people speaking from a gut feeling, a kind of revulsion at a situation which offends our modern morals. In the case of the observer of slavery, it is the chaining and marketing of human flesh. In the case of Mr. Marks, it’s the astonishingly high levels of black poverty.

It is comforting to believe that we, through our sheer will, could transcend these bindings — to believe that if we were slaves, our indomitable courage would have made us Frederick Douglass, if we were slave masters our keen morality would have made us Bobby Carter, that were we poor and black our sense of Protestant industry would be a mighty power sending gang leaders, gang members, hunger, depression and sickle cell into flight. We flatter ourselves, not out of malice, but out of instinct.

As he points out further down, this is really a failure of empathy, an empathy that’s necessary to really understand the world at all.

Apple the patent troll

It appears as though Apple has become more deeply engaged in patent warfare — transferring patent rights to a patent troll so that they can pursue lawsuits against other mobile handset makers. For more on this tactic, the goto resource is episode 441 of This American Life, When Patents Attack! I’m sure Apple’s response to criticism would be, “Don’t hate the player, hate the game,” but I reserve the right to hate both the game and the players. Apple is one of the most profitable companies in the world, it can afford to stay out of the gutter.

In other patent news, Marginal Revolution blogger Alex Tabarrok argues in his new book that our dysfunctional patent system is holding back innovation in the United States.

Why Twitter ought to keep supporting third-party clients

John Gruber has posted a lengthy review of the new Twitter client for iOS that was released yesterday. Just as the new Gmail disappointed a lot of longtime Gmail users, the new Twitter client has disappointed a lot of longtime Twitter users. How big are the changes? Here’s how Gruber describes them:

This is more than an update. It’s a serious rethinking of the entire concept of Twitter.

I’m sure the goal of the new redesign is to make Twitter more engaging to new users and to people who’ve signed up for Twitter in the past but have never really gotten into the flow of things. Rather than working to make things better for the people who are already addicted to Twitter, they’re experimenting with new ways to create more addicts. My gut feeling is that the experiment will be a failure this time around, mainly because the interface is rather muddled in the ways that John describes, but I would expect Twitter to continue to experiment in this direction over time.

The other reason for the redesign is that Twitter wants to make more money. That seems to be the reason the Discover tab has been added — not everything on it is stuff that someone is paying Twitter to show you, but that’s the part of it that matters to Twitter. I don’t begrudge them that, either. It’s clearly a case, though, where Twitter is trading off usability for cash. This goes to a point that Maciej Ceglowski made earlier this week, which is that free services have their own set of costs. The one he focuses on is that the risk of a free service being acquired and disappearing along with your data is high. The other, though, is that when a service is funded through advertising or sponsored content, making money and making the product better for end users are in a constant state of tension.

Twitter once had a thriving ecosystem of third party clients that made the constant tweaks Twitter makes to its Web site mostly irrelevant. You could use your favorite client and ignore Twitter’s user interface mishaps. Unfortunately, Twitter seems to be committed to killing off the third party application market. If Twitter were only worried about its first set of concerns — making Twitter more engaging for new users and old users who aren’t taking advantage of the service — then they’d have no reason to shut out third party clients. New users could try out Twitter as designed by Twitter, and the rest of us could use the clients that make sense to us. A diverse client base makes it more likely that power users will stick around — even if the default interface doesn’t work, they can probably find one that will.

The other side, though, is that third-party client developers don’t really care about shoving sponsored content at users. Indeed, the ability to hide or deemphasize sponsored content could be a killer feature for a third-party client. So inside Twitter, a user switching from an official appa third-party app represents lost revenue.

I’d argue that Twitter should support third-party clients anyway. Twitter, like all social sites, derives nearly all of its value from a network effect. Nobody would use Twitter if other people couldn’t read their tweets. For Twitter, it’s better for a user to abandon the official Twitter client for a third-party client than it is for a user to abandon Twitter for Facebook or Google+. A robust ecosystem of third-party clients is a strong competitive advantage for Twitter against other social sites.

Secondly, the intramural competition helps Twitter. When the official apps are losing market share to third-party alternatives, it’s a good indication that they need to put more work into improving their official apps. Third-party apps provide free R&D for Twitter. They can always incorporate the best ideas from third-party apps into the official apps. And finally, developers of third-party apps provide a solid base of talent from which Twitter can recruit.

Twitter’s two key advantages relative to other social sites have always been that it is simpler than the others, and that it is a platform rather than just a Web site. Unfortunately, Twitter seems committed to erasing both of those advantages. The service continues to gain complexity, and Twitter’s management seems bent on reducing the flexibility of Twitter as a platform. I think both are big mistakes, but it’s not too late to rectify either of them.

Why you might not want to do business with PayPal

Teresa Nielsen Hayden runs down the debacle of PayPal shutting down Regretsy’s toys-for-kids drive on utterly ludicrous grounds. PayPal works fairly well for most people most of the time, but every once in awhile we get these kinds of reminders of how much power PayPal has over your money if you choose to use them to process payments. There is a very troubling lack of accountability here.

Bruce Schneier on Carrier IQ

Security expert Bruce Schneier has a nice, short post on Carrier IQ. Here’s his bottom line:

Several things matter here: 1) what data the CarrerIQ app collects on the handset, 2) what data the CarrerIQ app routinely transmits to the carriers, and 3) what data can the CarrierIQ app transmit to the carrier if asked.

I think another thing that matters is how much of the data Carrier IQ collects is already being collected through other means. Carriers already have access to any unencrypted data that is transmitted over their network.

Read the whole thing. I hesitate to comment so much because the story is changing so fast. It’s best to focus on the essentials.

The argument for strict coding standards

cbloom rants on the value of strict coding standards:

Strict coding standards are actually an intellectual relief because they remove all those decisions and give you a specific way to do the syntax. (The same of course goes for reading other people’s code – your eyes can immediately start looking at the functionality, not try to figure out the current syntax)

Don’t forget that adherence to coding standards also produces higher quality diffs.

Using HMAC to authenticate Web service requests

One weakness of many Web services that require authentication, including the ones I’ve built in the past, is that the username and password of the user making the request are simply included as request parameters. Alternatively, some use basic authentication, which transmits the username and password in an HTTP header encoded using Base64. Basic authentication obscures the password, but doesn’t encrypt it.

This week I learned that there’s a better way — using a Hash-based Message Authentication Code (or HMAC) to sign service requests with a private key. An HMAC is the product of a hash function applied to the body of a message along with a secret key. So rather than sending the username and password with a Web service request, you send some identifier for the private key and an HMAC. When the server receives the request, it looks up the user’s private key and uses it to create an HMAC for the incoming request. If the HMAC submitted with the request matches the one calculated by the server, then the request is authenticated.

There are two big advantages. The first is that the HMAC allows you to verify the password (or private key) without requiring the user to embed it in the request, and the second is that the HMAC also verifies the basic integrity of the request. If an attacker manipulated the request in any way in transit, the signatures would not match and the request would not be authenticated. This is a huge win, especially if the Web service requests are not being made over a secure HTTP connection.

There’s one catch that complicates things.

For the signatures to match, not only must the private keys used at both ends of the transaction match, but the message body must also match exactly. URL encoding is somewhat flexible. For example, you may choose to encode spaces in a query string as %20. I may prefer to use the + character. Furthermore, in most cases browsers and Web applications don’t care about the order of HTTP parameters.

foo=one&bar=two&baz=three

and

baz=three&bar=two&foo=one

are functionally the same, but the crypto signature of the two will not be.

Another open question is where to store the signature in the request. By the time the request is submitted to the server, the signature derived from the contents of the request will be mixed in with the data that is used to generate the signature. Let’s say I decide to include the HMAC as a request parameter. I start with this request body:

foo=one&bar=two&baz=three

I wind up with this one:

foo=one&bar=two&baz=three&hmac=de7c9b8 ...

In order to calculate the HMAC on the server, I have to remove the incoming HMAC parameter from the request body and calculate the HMAC using the remaining parameters. This is where the previous issue comes into play. If the HMAC were not in the request, I could simply calculate the signature based on the raw incoming request. Once I start manipulating the incoming request, the chances of reconstructing it imperfectly rise, possibly introducing cases where the signatures don’t match even though the request is valid.

This is an issue that everyone implementing HMAC-based authentication for a Web service has to deal with, so I started looking into how other projects handled it. OAuth uses HMAC, with the added wrinkle that the signature must be applied to POST parameters in the request body, query string parameters, and the OAuth HTTP headers included with the request. For OAuth, the signature can be included with the request as an HTTP header or as a request parameter.

This is a case where added flexibility in one respect puts an added burden on the implementor in others. To make sure that the signatures match, OAuth has very specific rules for encoding and ordering the request data. It’s up to the implementor to gather all of the parameters from the query string, request body, and headers, get rid of the oauth_signature parameter, and then organize them based on rules in the OAuth spec.

Amazon S3’s REST API also uses HMAC signatures for authentication. Amazon embeds the user’s public key and HMAC signature in an HTTP header, eliminating the need to extract it from the request body. In Amazon’s case, the signed message is assembled from the HTTP verb, metadata about the resource being manipulated, and the “Amz” headers in the request. All of this data must be canonicalized and added to the message data to be signed. Any bug in the translation of those canonicalization rules into your own codes means that none of your requests will be authenticated by Amazon.com.

Amazon uses the Authorization header to store the public key and HMAC. This is also the approach that Microsoft recommends. I think it’s superior to the parameter-based approach taken by OAuth. It should be noted that the Authorization header is part of the HTTP specification and if you’re going to use it, you should do so in a way that complies with the standard.

For my service, which is simpler than Amazon S3 or OAuth, I’ll be using the Authorization header and computing the HMAC based on the raw incoming request.

I realize that HMAC may not be new to many people, but it is to me. Now that I understand it, I can’t imagine using any of the older approaches to build an authenticated Web service.

Regardless of which side of the Web service transaction you’re implementing, calculating the actual HMAC is easy. Normally the SHA-1 or MD5 hashing algorithms are used, and it’s up to the implementor of the service to decide which of those they will support. Here’s how you create HMAC-SHA1 signatures using a few popular languages.

PHP has a built-in HMAC function:

hash_hmac('sha1', "Message", "Secret Key");

In Java, it’s not much more difficult:

Mac mac = Mac.getInstance("HmacSHA1");
SecretKeySpec secret = 
    new SecretKeySpec("Secret Key".getBytes(), "HmacSHA1");

mac.init(secret);
byte[] digest = mac.doFinal("Message".getBytes());

String hmac = Hex.encodeHexString(digest);

In that case, the Hex class is the Base64 encoder provided by Apache’s Commons Codec project.

In Ruby, you can use the HMAC method provided with the OpenSSL library:

DIGEST  = OpenSSL::Digest::Digest.new('sha1')

Base64.encode64(OpenSSL::HMAC.digest(DIGEST, 
  "Secret Key", "Message"))

There are also libraries like crypto-js that provide HMAC support for JavaScript.

Older posts Newer posts

© 2024 rc3.org

Theme by Anders NorenUp ↑