For more about the project, see Marshal Kirkpatrick's Identi.ca: May A Million Twitters Bloom, Hugh McGuire's Why Identi.ca Matters, and Edd Dumbill's Why Identi.ca is Important. Personally I'm thrilled by the idea and encouraged by its execution so far, and have been poking cautiously at Laconica for the past couple of weeks, hoping to contribute in whatever way I can. Here's a prototype badge, based on Laconica's RSS feeds and Yahoo! Pipes.

If you see an author's name in a post, click it to explore his or her friends' posts. To visit the author's identi.ca page, click the top link, to so-and-so with friends.

To try this yourself, copy and paste the following wherever you want the badge to show up:

<script type="text/javascript" src="http://kentbrewster.com/js/identica-badge.js">
{
   "user":"kentbrew",
   "server":"identi.ca",
   "headerBackground":"#000"
}
</script>

Substitute your own ID in the user parameter; many of the other parameters available in Twitterati will also work.

Although we're waiting for the real API, if you find a working Laconica server that forms its RSS urls the way identi.ca does, the badge should work unmodified if you substitute the server name of your choice for identi.ca in the second parameter.

Working through kinks in the real API now ... so far, so good. More to come!

Please keep in mind that this badge will change radically once the API goes live, and will hopefully be hosted by the project. I don't mind if you try it out, but please host your own copy if you put it in production anywhere.

For background information about how badges like this one work, please see Case-Hardened Web Badges, which I presented at Web 2.0 earlier this year.

Have fun, and please let me know how it goes!

Start Presentation in New Window

Please keep in mind that this is a presentation, not a book. Lots of stuff is hinted at; much was said live that isn't here, obviously. If you'd like me to present this--or something like it--at your conference, please contact me and I'll see what I can do.

Yes, the examples really do work; copy, paste, save, and run, and you'll see it live, right there in your browser.

As always, have fun, and please let me know how it goes.

What I Want

• To create, update, and share one (and only one!) instance of my public profile information--including contacts, status, location, and so forth--and serve it up so anyone who asks can see it with a minimum of fuss.
• To delegate the right to update certain branches of my profile to agencies that I trust, such as MyBlogLog or Twitter.
• To reserve administrative rights--including create, read, update, and delete--over the root of the profile.

That last is most important. For a while now I've been hearing about various "data portability" initiatives, most of which will only allow you to make a copy of some small subset of the current state of your profile. Everything else--including historic transactions and top-secret personal information--remains online, per the terms of the TOS you ignored when you first joined up.

Remember, if you can't delete it, it's not portable.

Narrowing the Scope

Okay, so ... what do I want it to do that I can accomplish myself? Simple stuff, mostly:

• I want interested people to be able to hit a single url, http://foo.com/myid, and get back a JSON object containing my complete profile. If I add a callback to the url, http://foo.com/myid/callback, I want it to come back as JavaScript, properly wrapped for use with the SCRIPT tag hack. (Oh, and no screwing around with arrays of callback functions and the like; please give me the callback inside the return, like Pipes does.)
• When I'm signed in, I want to see my public profile in a textarea and make changes that instantly update the whole thing. None of this hand-holding nonsense; I want the bare metal, please, and if I want to delete it, I want to delete it.
• I also want a private object, consisting of nothing but key-value pairs. Each key will exactly match the branch of my main object I want others to be able to edit; each value will be the password I expect them to submit to make changes.
• When one of my outside agents--Fireeagle, for example--makes a POST to my profile, I want it to check for a key-value match in my private object. If the agent knows the password, I want my profile to allow it to update the validated branch object.

A First Half-Blind Stab

To pull this off, I needed something big, fast, powerful, and free. Google's Application Engine was immediately interesting to me because of the single most impressive developer demo I've ever seen, Brett Slatkin's Introducing Google App Engine. Everything Brett showed in the video looked completely doable, and when I tried it out, by golly, it was. (I'm still looking at it, and cursing the fact that I can't copy and paste directly from the code in the video. Boy, would that ever be cool.)

Thanks to Steve Souders, late of Yahoo but recently moved to the big G, I've acquired early access. As of this writing App Engine still in closed beta; keep an eye on their blog for updates.

Can we See the Source Code, Please?

Nawp, sorry, not yet. It's like this: Open Profile is my first Python program, ever. I can see dozens of places where it sucks, and I'm not even remotely qualified to tell if something written in Python sucks or not. I'm in conversations right now with a Python expert; once I get it vetted I will credit him appropriately and open-source everything.

This thing would definitely work on a non-Google box, with the addition of user authentication plus minor mods to make it talk to MySQL, so if you wanted to put it on that server in the basement and own it completely, you could.

View My Profile

Here's my public profile on http://exo.appspot.com/kentbrew/ping:

The base URL is http://exo.appspot.com/kentbrew; the callback I've wrapped it in is ping. If you omit the callback, you'll get a pure JSON object, which your browser may or may not be able to handle inline.

As you can see, I have two branch objects in my profile, foo, containing the last value you guys put in, and status, containing an array of objects that you theoretically can't monkey with. Using my private object, which you don't see here, I've granted permission to edit object foo:

Things to Do and Notice

• Enter some valid JSON for the contents of the object you want to update. Be sure to quote your strings and bracket your objects and arrays.
• You'll see an intentionally sparse success-or-failure message go by when you submit this. We don't want to give the bad guys any hints about what they might be doing wrong.
• If you see the Success message, use the Reload link to see your changes serve up.
• This should work for anyone, signed in to Google or not, because I've given you my root object name, my branch object name, and its password.
• There's no callback option for the update function, since it's only supposed to be POSTed.
• You should not be able to monkey around with my status object, since you don't know the password.
• If you head over to exo.appspot.com and create your own object with an open branch, you ought to be able to update it from here.
• Right, updates are not even remotely secure. This could be mitigated somewhat with https ... but please don't use this form for anything mission-critical.

Directions for Future Development

• I can see an approach like this lending itself quite nicely to decentralized social networking. If I have a list of contacts and they each have their own open profiles and they all point back to me in a contacts array, we can deduce the same sorts of relationships we find in FOAF or XFN.
• Unlike FOAF or XFN, delegated update rights are built in. Any service that cares could ask me to put up a branch object and give them a password.
• Next up, I'm going to see if I can hook up Twitter and get some real status updates in there.

How It Feels So Far

Even though it's in an embryonic stage and nobody at all is paying attention, I like it.

I'm creating data. I'm authorizing access. I'm giving out passwords to my agents, not begging them from big faceless companies. Unlike all those other Web profiles, which could change or vanish at the whim of their hosting companies, this one feels powerful, like I own the thing, instead of it owning me.

What's This?

FOAFster is a prototype visualizer for Friend Of A Friend relationship objects. What you're seeing here are icons for a bunch of FOAF contacts, scattered around the screen, and network services, in a much neater line at the top.

About FOAF

I've been interested in FOAF for a long time. Abstracting out all my social relationships into a separate layer, just as I do with my presentation and behavior layers, really resonates. Future possibilities like being able to point marketers at my FOAF object so they will quit wasting their time trying to sell me timeshares seems like a very real possibility.

The problem? As it sits right now, FOAF is a giant pain to update. Most folks fire it once and forget it; the results range from amusing to disastrous.

What changed today? MyBlogLog rolled out FOAF. And now, finally, I don't have to worry about keeping a file on my Web site. All I need to do is add people and services to my network on MyBlogLog, and it's taken care of for me. Here's my FOAF object, courtesy of MyBlogLog:

http://www.mybloglog.com/buzz/members/kentbrew/foaf/

Why MyBlogLog's FOAF Is Superior

All this is generated and re-generated for me, whenever I add a service or a contact, and whenever any of those contacts add a service of their own. So now all I need to do is link it in the HEAD of my document, like so:

<link rel="meta" type="application/rdf+xml" title="FOAF" href="http://www.mybloglog.com/buzz/members/kentbrew/foaf/" />

Although other services like LiveJournal and FriendFeed are doing this, MyBlogLog's FOAF is superior. LiveJournal only points inwards; FriendFeed does not contain your contacts' network connections. And nobody else in the world is presenting FOAF as a JSON object wrapped in the callback of your choice, if you ask nicely, using format=json&callback=foo. Although it's possible to run anybody's FOAF object through Pipes and get JSON back, MyBlogLog cuts out the middleman by being brave enough to serve it all up live.

Want to Play?

It's trivially easy, which is how it ought to be. Go sign up at MyBlogLog, add some services and/or contacts, and your FOAF should be ready to rock, at http://www.mybloglog.com/buzz/members/yourname/foaf/.

Things to Do and Notice

• Click any of the service icons to see what the user in the background is doing over there. (These use the same Pipes I wrote for Blog Juice, if you're interested.)
• Click any of the contact faces to go see what they're up to. They will always show up in the same spot for each starting profile.
• If you need to go back--yes, there are dead ends out there; you'll be alerted if you hit one--click one of the faces in the row of breadcrumbs at the bottom right.
• If you'd like to try it out starting from a different ID, enter it at the end of this page's URL, like so:
  http://kentbrewster.com/foafster?q=johnsampson

Caveats and Gotchas

• Some people--Scott Beale, for one--have incomplete information about their Flickr profiles on MyBlogLog. You guys need to go update before you'll see your Flickr photos.
• There's a lot going on; the first time you try a FOAF object that hasn't been generated yet it may go slowly, depending on network latency and caching and such. I'm sneakily changing out the background and the person's name right when you click; you'll see the usual square twirligig while the FOAF query is running.
• I've set an arbitrary limit of 400 contact icons, but the whole FOAF object still comes down from MyBlogLog, so it can take a while. Sometimes--*koff*Rafer*koff*--a long while.
• It's semi-broken on IE, and twitchy on Opera. This is all my fault, not that of the API; working on it now.

Directions for Future Development

• User should be able to click a face from the MyBlogLog reader roll, or automatically start with the signed-in MyBlogLog user.
• User should be able to drag and drop those faces, and save their locations as a cookie or to a central server. Face locations should be consistent no matter who the starting account is.
• Individual icons should scurry into and out of the middle when you mouse over a service icon that they have; it ought to look like the Stanford marching band.

I'll have the code up once I fix up the IE bugs; for now, adventurous developers should know how to read source, copy, and paste. Have fun, and please let me know how it goes.

During the intervening months I've had a chance to give Pipes a workout. Examples range from the simple Badger application to rolling a complete API layer to cover a multitude of different sites and endpoints.

This morning, the Pipes team launched a new feature, Pipe Badges. Using several of the ideas collected in Case-Hardened JavaScript, Pipe Badges allow the site operator to include a single line of JavaScript, hosted by Pipes, and see one of three handy badges--list, image, or map view--pop up instantly.

If I'm not mistaken, this:

<script src="http://pipes.yahoo.com/js/mapbadge.js">{
   "pipe_id":"WlLkGRj63BGEG7TKiHrL0A",
   "_btype":"map",
   "pipe_params":{
      "q":"pizza",
      "g":"95051"
   }
}</script>

... is just about the single easiest way to search for something near something, and display the results as a map on your site. Here we're searching for pizza near 95051; parameters q and g can be changed to anything you like.

Pipe Badges are the result of many months of coding by the Pipes team, including Jonathan Trevor and Paul Donnelly. Awesome work, you guys; keep it up!

As a result of several eye-opening conversations I've had while at SxSW this year, I've taken down all of the articles detailing live exploits. As trivial as they are, I should not have disclosed any specific vulnerabilities without warning the service operators first, and I want to strongly discourage anyone from following my example, which was the wrong thing to do.

I will, however, present an overview of the methods I used, and the lessons I learned during the process.

Principles:

• Any file on your site, whether or not it is actually JavaScript, can be included with a SCRIPT tag by a third party.
• If the contents of that file vary sufficiently depending on the user's cookies--which almost always contain his or her login status--a third-party site can infer information which should be private, beginning with the user's login status and potentially including much more.

Detecting Vulnerabilities in Your Service:

Before you push a new feature to your AJAX-powered site, please run through the following steps:

• Get Firefox and Firebug, and sign in to your service.
• Go to any page that has an AJAX-powered interaction that should only be usable if the user is signed in. This could be a message post, a profile update, a mailbox read, a social network connection update ... we're looking for anything that affects the content of the page without reloading it that should only be visible if the user is logged in.
• Once you've found it, run it.
• Open up Firebug, go to the Net tab, and find the interaction.
• Open the interaction's URL in a separate browser tab.
• Go back to the original tab and sign out of your site.
• Open a new tab, and paste in the interaction's URL again.

Analysis

View the source code of both states, and answer these two questions:

• Does either state contain executable JavaScript?
• If not, when both states are loaded as SCRIPT tags, do they throw different errors?

If the answer to either question is Yes, your users' login state can be guessed by a tiny scrap of JavaScript, running only in the client.

Some Suggestions

• Don't serve live JavaScript. It's trivially easy to exploit.
• Make sure your error messages come down in the same format, whether or not the user is logged in. If an URL returns XML when the user is logged in but redirects to the login page when he's not, you're vulnerable, because they throw different errors when included as SCRIPT tags.
• If you're offering an API, be sure that your endpoints throw the same errors whether or not the user is logged in. Are you offering a JSON object wrapped in a callback to authenticated users and a redirect to your login page to others? One throws an error and the other does not.
• Don't serve up hcards or vcards to signed-in users and HTML errors to outsiders. While neither is valid JavaScript, they throw different errors when included as SCRIPT tags.
• Test all the URLs on your site that are supposed to be POSTed and be absolutely certain they return the same error whether or not the user is logged in, in the event some clever fellow tries a GET.
• Keep an eye on your referrer and error logs. Are your AJAX endpoints starting to throw a lot of those please-go-log-in errors? Are they being linked from sites that have no business peeking or poking at them? Somebody may have already found a hole in your site.
• Have a clearly marked path for reporting security holes, listen, and be extremely responsive!

Please Note

This isn't meant to be a definitive list, just cautionary squawking about a very common vulnerability. Please be careful; your users are depending on you.

Blog Juice

You can try it here, or drag it to your bookmarks toolbar and run it anywhere else on the Web. (On IE, right-click, add to favorites, say Yes to continue past scary warning, and choose Links. You may then need to fiddle around with your Tools drop-down in order to get Links to show in your chrome.)

Things to Do and Notice

• Each reader comes up in a toggle-able list item. You'll see a MyBlogLog avatar, a name, and possibly some tags. Click the name to visit the MyBlogLog profile; click the tag to see a list of other users with that tag.
• Click anywhere else in the reader record to open it up and see details from ten different social networks. At the moment, they are: MyBlogLog, Twitter, Upcoming, Digg, LinkedIn, Delicious, Flickr, Last.fm, StumbleUpon, and YouTube.
• Inside the detail you'll be able to click the item to go over to the other site and view it.
• Up top are a series of icons that match the detail icons for each service. Mouse over them to only show reader roll items.
• The MyBlogLog icon (first on the left at the top) will show the user's authored blogs. Click the image to open its reader roll up, right there in the badge without leaving the page you're on. Click the text link to visit the blog.
• Each user has a checkbox. If you check it, the user will be added to your Stalk List, and a small icon resembling a guy cradling a loaf of French bread will show up at the bottom of the badge. Click the French Bread Guy to see all your buddies.
• As of the latest version, the widget comes up in an iframe. This works seamlessly in all browsers except IE. We're using an iframe because the CSS is much easier to construct, and when you bookmark a user for your Stalk List, the cookie will be set to my domain, not the domain you're on, so it will be available no matter where you go on the Web.

Rolling Our Own API with Pipes

Astute readers will immediately recognize that some of the services we're querying don't actually have APIs, and those that do have vastly differing endpoints. To cut down on the amount of scripting required to send and receive data, I've rolled my own APIs for each of them, using Pipes.

• http://pipes.yahoo.com/kentbrew/blogjuice_delicious
• http://pipes.yahoo.com/kentbrew/blogjuice_digg
• http://pipes.yahoo.com/kentbrew/blogjuice_flickr
• http://pipes.yahoo.com/kentbrew/blogjuice_lastfm
• http://pipes.yahoo.com/kentbrew/blogjuice_linkedin
• http://pipes.yahoo.com/kentbrew/blogjuice_stumbleupon
• http://pipes.yahoo.com/kentbrew/blogjuice_twitter
• http://pipes.yahoo.com/kentbrew/blogjuice_upcoming
• http://pipes.yahoo.com/kentbrew/blogjuice_youtube
• http://pipes.yahoo.com/kentbrew/blogjuice_tumblr

Each takes an S parameter, the user id, and an optional N parameter, the number of items you want back from each endpoint, which defaults to 3. Output from all of these pipes looks substantially like this:

"items":[
   {
      "u":"http:\/\/twitter.com\/jlam\/statuses\/717107112",
      "t":"jlam: Would anyone like to catch http:\/\/tinyurl.com\/3xz6kc tonite?"
   },
   {
      "u":"http:\/\/twitter.com\/jlam\/statuses\/717097392",
      "t":"jlam: @dearlazyweb a 713733562 Ben, John http:\/\/ejohn.org is writing one now. Meanwhile, see http:\/\/jQuery.com and http:\/\/learningJQuery.com"
   },
   {
      "u":"http:\/\/twitter.com\/jlam\/statuses\/705479382",
      "t":"jlam: Indeed @Coley Hong Kong has unbelievably awesome public transportation! The subway costs $0.10\/mile but profitable, and did an IPO in 2000."
   }
]

If there's a thumbnail in the API, it shows up in the n object. Using Pipes eases the strain on these outside sites and provides a consistent output stream from many different sources, so a single subroutine can render all the many different results.

getActivity : function(mbl, api, nick, id) {
   var callback = trueName + '_' + mbl + '_' + api + '_' + nick + '_' + id.replace(/@/, '');
   window[callback] = function(z) {
      var t = callback.split('_');
      var mbl = t[1];
      var api = t[2];
      var nick = t[3];
      var id = t[4];
      if (t.length > 4) {
         var n = t.length - 1;
         for (var i = 5; i < n; i++) {
            nick += '_' + t[i];
         }
         id = t[n];
      }
      if (z && z.value && z.value.items) {
         var r = z.value.items;
         for (var i = 0; i < r.length; i++) {
            var li = document.createElement('LI');
            li.className = api;
            var img = document.createElement('IMG');
            img.src = 'http://l.yimg.com/us.yimg.com/i/us/mbl/services/i' + api + '.png';
            img.align = 'absmiddle';
            li.appendChild(img);
            var tx = r[i].t;
            if (api == 'twitter') {
               var tx = tx.replace(/http:\/\/([^\s,-]*)/gi, '<a href="http://$1" target="_blank">http://$1</a>').replace(/@([^\s,.!-]*)/gi, '@<a href="http://twitter.com/$1" target="_blank">$1</a>');
               r[i].u = '';
            }
            if (r[i].u) {
               var a = document.createElement('A');
               a.href = r[i].u;
               a.target = '_blank';
               if (r[i].n) {
                  var img = document.createElement('IMG');
                  img.className = 'v';
                  if (api == 'flickr') {
                     img.className = 'q';
                  }
                  img.align = 'absmiddle';
                  img.src = r[i].n;
                  a.appendChild(img);
                  li.appendChild(a);
                  var a = document.createElement('A');
                  a.target = '_blank';
                  a.href = r[i].u;
               }
            } else {
               var a = document.createElement('SPAN');
            }
            a.innerHTML = tx;
            li.appendChild(a);
            $.s.c.bd[mbl].appendChild(li);
         }
      }
      $.f.addServiceIcon(mbl, api);
      $.f.removeScript(callback);
   };
   if (id) {
      nick = id;
   }
   var url = 'http://pipes.yahoo.com/kentbrew/blogjuice_' + api + '?_render=json&_callback=' + callback + '&s=' + nick;
   $.f.runScript(url, callback);
}

This function is almost entirely generic; only a couple of exceptions (to remove the @ from Flickr ids, apply a special class name to Flickr thumbnails, and hotlink URLs in Twitter tweets) come into play. Feel free to clone or use my Pipes for your projects; they're all published and available.

We're using some techniques from Case-Hardened JavaScript here, most notably the practice of creating a single anonymous variable and a private global to hang all the code from; references to $.f and $.s refer to functions and structure.

When we create our dynamic script tags, we're naming them with window[callback] and passing information about what their user IDs, service nicknames, and API endpoints are inside the callback name. This allows us to remove each dynamically-generated script tag from the inside, once it's run.

Filtering URLs in Tweets

To filter API output tx, we double down on our regular expressions. The first looks for http://; the second looks for an @:

var tweet = tx.replace(/http:\/\/([^\s,-]*)/gi, '<a href="http://$1" target="_blank">http://$1</a>').replace(/@([^\s,.!-]*)/gi, '@<a href="http://twitter.com/$1" target="_blank">$1</a>');

Caveats and Gotchas

• Firefox, IE7, Opera, and Safari all work ... but the iframe is giving me trouble on IE. It's ugly.
• If it hangs forever, something's busted in one of ten or eleven API endpoints we're banging on. Suggestions? Clear your cache; I might be monkeying with the script. If all else fails, bring up Firebug to track this down.
• We're leaning heavily on several different APIs here, so this thing is almost guaranteed to be flaky. Sorry about that; for best results, please be patient, wait for the page to load before trying to juice it, and keep an eye on your status bar.

Directions for Future Development

• Right, it would be great to have some indication of when it was done, and when it was stuck on something. Working on it!

Thank You:

Adam Platti, Andrew Wooldrige, Aramys Miranda, Ash Patel, Ava Hristova, Bill Scott, Bob Zoller, Bradley Horowitz, Cameron Marlowe, Chad Dickerson, Chanel Wheeler, Chip Morningstar, Chris Goffinet, Christian Heileman, Dan Theurer, Dav Glass, Dave Balmer, David Filo, David Flanagan, Doug Crockford, Dustin Diaz, Ed Ho, Eric Marcoullier, Eric Wu, Ernie Hsiung, Gina Groom, Havi Hoffman, Hedger Wang, Ian Kennedy, Ian Lamb, Isaac Schleuter, JR Conlin, Jason Schupp, Jean-Paul Cozzatti, Jenny Han, Jeremy Gillick, Jeremy Zawodny, Jimmy Byrum, John Greene, Jonathan Trevor, Julian Lecomte, Kevin Brown, Lauri Voss, Leslie Sommer, Luke Wroblewski, Matt McAlister, Matt Sweeney, Micah Laaker, Mike Lee, Nate Koechley, Nathan Arnold, Nicholas Zakas, Norm Francis, PPK, Paul Hammond, Randy Farmer, Scott Schiller, Sean Michael Imler, Steve Souders, Steven Wheeler, Tenni Theurer, Thomas Sha, Tim O'Reilly, Todd Klootz, Todd Sampson, Tom Coates, and (most of all!) Vickie Brewster.

After much hard work, the team at MyBlogLog and the Yahoo! Developer Network--including but definitely not limited to Todd Sampson, Ian Kennedy, J.R. Conlin, and the one and only Chris Goffinet--have released the MyBlogLog API into limited public beta.

Included in the API are the usual goodies already found in the reader roll, plus other stuff like tags, discussion, and outside communities.

That last bit is important: suddenly there's a wide-open source of information about who lives where on the Web. Over the past week I've begun pinging various services as they come up for my users; as of right now, we should see:

• Sites authored -- if you click an image, the app will re-load and show you the readers from there. This is fun; try it out!
• Photos from Flickr
• Status updates from Twitter
• Current professional status from LinkedIn
• Bookmarks from del.icio.us
• Pages shared through Digg
• Songs scrobbled through Last.fm
• Next events on Upcoming
• Last five videos favorited on YouTube

Things to Do and Notice

• The most recent visitor might not be you if you just got here and have not seen anything else on the site; I can't imagine the API could possibly be that fast. (I'm willing to be pleasantly surprised, though.)
• If you've been tagged on MyBlogLog, they ought to show up here. If you haven't, go do it now!
• If you've registered an outside social service id (like Myspace or Flickr) via MyBlogLog, you ought to see it listed. If you click it, you'll go straight on over to your profile there.

Caveats and Gotchas

• Right, sorry, it's an invite-only beta. Please trust me on this when I say there are Good and Sufficient Reasons for this, and the closed period will be kept as short as humanly possible.
• Missing from the API is an easy way to simply link a user's name to his or her designated home page. If everybody delegated their openIDs through their home pages--I use idproxy.net--this would become a non-problem.
• There's a fair bit of bouncing around; we have to make an API call to get user details for each reader from MyBlogLog, and then there's a call to each outside service that person might have listed. So far nothing's terribly broken, mostly due to the fact that I'm leaning on Pipes quite heavily.

Please Note

Although I am a developer who works for Yahoo!, I don't work on MyBlogLog or any of the other services that show up here. Absolutely nothing you see on this page--including random stuff written and broadcast by any of the services that are being returned as a result of connections between the MyBlogLog API and outside services--should be taken as official messaging from Yahoo!

In addition to MyBlogLog, data for this hack comes from a wide variety of sources, including Yahoo's MyBlogLog, Flickr, Upcoming, and del.icio.us services. I believe I've attributed it properly, by linking to http://developer.yahoo.com/about, as requried by YDN's attribution page.

The Code

If you're curious about the coding style, please take a look at Case-Hardened JavaScript. More about implementing nothing-but-net API clients using the SCRIPT tag hack may be found under Presentations, in BBC Search Widget and Wikipedia Search Widget. I do take these presentations on the road; if you're interested in seeing it in person, please hit me up in Contact.

Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

Perhaps you bought the 16-gigabyte model, which now costs exactly what the 8-gig iPhone does, and you're wondering why it didn't come with e-mail, or an RSS reader, or an IRC client, and why you can't just go ahead and add one. Maybe you'd like to read Cory Doctorow's books on it. Or maybe you agree with the Owner's Manifesto and would like to crack into the thing a little bit and see what's inside. Remember, if you can't open it, you don't own it.

This list is not guaranteed to be definitive, all encompassing, or kept up-to-date. Comments are open, however, and I do hope for help from fellow travelers.

Oh, and: yeah. I know. It's an "iPod Touch," not an iTouch. Sorry if that makes you crazy; I'm not going to stop saying it.

Before You Begin: the Scary Warnings

Please seriously consider not doing this. It's painful.

If you are not a dedicated hobbyist, hacker, or both, and all you want is the iPhone application bundle--including Mail, Maps, Weather, Stocks, and Notes--update to 1.1.3, visit iTunes, and pay for it. It's supported by Apple, works on all the mail providers (not just Gmail, which now has IMAP support), and the Maps application has been upgraded to do some really neat stuff with IP location.

If you absolutely must do this, kindly heed the following warnings:

• Please read the entire (horribly long) page before doing anything, including the comments. Actually, please read the comments first, since the readers of this page are much, much smarter than I am, and have been responsible for pointing out all critical errors so far.
• I won't support you if you demonstrate basic lack of knowledge. If you can't get a command prompt open and navigate from directory to directory, please go take the BLUE pill; it's avaiable for $20 via iTunes.
• Sorry, I don't know where to get those NES ROMs. Don't ask. I'm just barely okay with showing how to get the iPhone apps; as soon as the price from Apple drops to $0, that part will be going away.

If your iTouch Freezes, Freaks Out, or Otherwise Becomes Unusable

• Check that you have iTunes version 7.5 or below. If you have 7.6, much of what we're doing won't work.
• Start over from Restoring Version 1.1.1, just below.
• Give up this madness and update to the current version.

Getting Started

To install third-party applications, you'll need to jailbreak your iTouch. When we're done, you'll have a new application, Installer, which will allow you to download and install other programs.

If you just got your iPod out of the box, please go through the steps to download iTunes to your computer and synch it for the first time.

Important: if iTunes offers to install new software on your iPod when you first set it up, say No.

Also take a moment to familiarize yourself with a few important features, namely the Home button, which is a white square inside a round button on the front of your iTouch, and the Sleep button, which is a thin raised line on the top edge of your iTouch, the opposite edge from where the docking cable and earphones plug in.

Make sure you can get to the Internet. Find the Settings function--the square icon with gears on it--touch WiFi, and then choose a network. If you can't get to a wireless network, you're not going to be able to get much further than this. Once it looks like you've joined a network, press your Home button to get out of Settings, and bring up Safari. If Safari will show you a Web site (any Web site) you are ready to move on.

Check your version. Press your Home button to get out of Safari, bring up Settings again, go to General, and then About. If your version starts with 1.1.1--mine says 1.1.1 (3A110a)--skip the next step. (If you got your iTouch for Christmas, you've probably got 1.1.2. If you got it after January 18th, you may have 1.1.3; please read the next paragraph carefully!)

Watch Out for Firmware Version 1.1.3 and iTunes 7.6 or Above!

If your version number says 1.1.3, you've either got a brand-new post-Macworld iTouch, or you've inadvertently upgraded since the push went out. If you're not already on firware version 1.1.3 and/or iTunes 7.6 or above, you're going to want to be very careful not to get the iTunes updates.

Before you begin, check your iTunes version. If it says 7.6, much of what we're going to try to do below won't work. Make sure all your music is safe in a different directory, uninstall iTunes, and download and install version 7.5, which you can get from filehippo.com.

Alert reader Nick says this works to get out of 1.1.3:

• Download the firmware version you need, which is 1.1.1. (Link is below, in step 1.)
• Connect your iTouch and bring up iTunes 7.5 or below.
• Turn off your iTouch, using Home plus Sleep for ten seconds, and then slide the red slider. (Your iTouch should disappear from iTunes.)
• Press and hold Home and Sleep until iTunes sees your iTouch again. (You won't see anything on the screen of the iTouch. Just watch iTunes.)
• Skip to step 4, below, and restore the 1.1.1 firmware.

Restoring Version 1.1.1

Warning: what we're about to do is absolutely guaranteed to wipe everthing on your iTouch. Please make sure that any music, video, photos, or other content is backed up before you continue!

1. Open up a Web browser on the computer where iTunes resides and visit the following URL:
   

   http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-3932.20070927.p23dD/iPod1,1_1.1.1_3A110a_Restore.ipsw

2. Save this file to your desktop. It's quite large (150mb), so it might take a long time. If you're having trouble downloading it, I recommend the Opera Web browser, which has a very stable pause/resume/recover-after-errors download function.
3. Once you're done loading, open iTunes, plug in your iTouch, and make sure it's not rigged to automatically do anything--especially upgrade its firmware--when your iTouch is connected. Leave this setting on forever, or else you may wind up with a factory-reset iPod when Apple pushes out the next update.
4. When iTunes recognizes your iTouch, shift-click (on a PC) or option-click (on a Mac) the Update button. Instead of recovering to the most recent version, a special hidden menu will pop up and ask you for the location of the firmware file you'd like to recover. Choose the 1.1.1 firmware file, which you saved to your desktop, and let it work.

When your iTouch reboots, it should come up with version 1.1.1, ready for our next step, Jailbreak.

Jailbreak!

Next, we're going to break your iTouch out of jail. Left at factory settings, you won't be able to access your own file system, add programs, or do anything else our Cupertino overlords don't want you to do.

1. Fortunately, jailbreaking your iTouch from 1.1.1 is easy. Bring up Safari on your iTouch and go here:

   http://jailbreakme.com

2. Scroll to the very bottom, click Install AppSnap, and follow the prompts.
3. You'll see some loading going on, and then when your iTouch reboots, you'll see a new icon on your home screen, Installer.

If you like, you can stop right here. Many applications run on 1.1.1; feel free to jump right in with Installer and try out a few games. (Labyrinth is my personal favorite.)

On to 1.1.2

You're not really done, because iTunes will bug you constantly about updating your iTouch, and if somebody inadvertently does this for you--say you sych to a different machine, for instance--all your hard work can be wiped in an instant.

Get Version 1.1.2

Download and save this file. It's your 1.1.2 software, which you want to use instead of 1.1.3:

http://appldnld.apple.com.edgesuite.net/content.info.apple.com/iPod/SBML/osx/bundles/061-4036.20071107.9g3DF/iPod1,1_1.1.2_3B48b_Restore.ipsw

Jailbreaking 1.1.2 is not quite as easy as the 1.1.1 jailbreak, but it's close. Here we go:

1. You'll need Java on the same machine that iTunes resides upon; chances are excellent you already have it if you are running an even remotely up-to-date Web browser. Check that Java is set up, using Sun's handy online tool, and if it's not, go get it. [Updated: I'm being told that the Sun tool doesn't always work. To tell for sure if Java is on your machine, open up a command prompt (Windows: Start, then Run, then enter CMD in the box) and enter "java" on the command line. If a slew of command-line options comes up, Java is installed. If you get a file-or-command-not-found error, it's not.]
2. Once you're sure you have Java, download and extract this file:

   http://conceitedsoftware.com/iphone/1.1.2-jailbreak.zip

   ... to a folder on your desktop.
3. Got the 1.1.2 firmware and jailbreak? Next, open up Installer on your iTouch, click Install, All Packages, and then install OktoPrep. OktoPrep will chug for a bit and then tell you your iTouch is ready to update to 1.1.2.
4. Connect your iTouch and launch iTunes. When iTunes recognizes your iTouch, shift-click (on a PC) or option-click (on a Mac) the Update button. Instead of recovering to the most recent version--which you do NOT want to do--a special hidden menu will pop up and ask you for the location of the firmware file you'd like to recover. Choose the 1.1.2 firmware file, which you saved to your desktop, and let it work.
5. Once you're all done, your iTouch will come back without the Installer on the desktop; this is fine, since OktoPrep is lurking backstage ready to help break you out of 1.1.2.
6. Eject your device from iTunes, but keep it connected to your computer.
7. Close iTunes.
8. Open up the directory you installed the 1.1.2 jailbreak into.
9. If you're using a PC, double-click windows.bat; if you're using a Mac, double-click jailbreak.jar. If you already know what OpenSSH is, go ahead and tell it to install; it's handy later. (If you don't know what OpenSSH is, don't bother. You can get it later with Installer.)

Sit back, relax, and watch your iTouch being jailbroken. When your main menu comes back, you should see your old friend Installer, plus your optional new friend OpenSSH, all jailbroken and ready to rumble.

If you're seeing mysterious "cannot connect to your device" errors, you may be missing an /opt directory that needs to be installed in your root. I found details on macrumors.com that seem like they may help. I'm not totally clear whether this is a Mac-only problem, or an Intel vs. non-Intel problem; if it happens on PCs as well, I'm not sure where that "root" directory is.

Your First Installation

Before you do anything else, use Installer to load up the BSD Subsystem. Many third-party applications (including the one we're about to install) require it to work.

Do yourself a favor here: any time you're doing package installations on your iTouch, go to Settings, General, and then Auto-Lock, and tell it never to automatically lock. Some of the stuff you're going to download will take more than five minutes to download and install, and it's chancy, coming back from a lock.

1. Make sure your wireless network is running and bring up Installer. While it refreshes packages, please consider the karmic benefits of donating to the project ... remember, these folks made a much higher enjoyment of your iTouch possible.
2. Once Installer is back with packages, tap Install (at the bottom of the screen) and then All Packages. Slide down a bit and find the BSD Subsystem.
3. Try out the Contact and More Info functions; they should bring up extra pages about what the BSD Subsystem is and does.
4. Tap the Install button at the top of the screen (not the one at the bottom; this gets me frequently) and wait for your package to install.
5. Once you're back to Categories, get Term-VT100, using the same method as above. Term-VT100 is a terminal program that will allow you to open up a command prompt for your iTouch, right there on the screen. Command-line access looks boring but is actually quite handy; you'll be able to tweak settings without having to load programs designed specifically for that purpose.

6. When Term-VT100 is done installing, press your Home button. Your desktop will come back, along with a twirly image that means it's thinking. It will then reboot to your locked screen; unlock it, and you ought to see a new icon, Term-vt100, with a lovely black command-prompt icon.

Got Term-VT100? Excellent; bring it up and try this:

pwd

If all has gone well, you should see this:

/var/root

If you're getting a command not found error message, go back to Installer and try installing the BSD Subsystem again. It didn't take.

When all is well, let's make an important change so you won't run out of storage space when adding more third-party programs.

Making Sure You Don't Run Out of Storage Space

Again: this is optional but highly recommended for people who plan on installing more than a few tiny third-party applications.

Since the factory-set iTouch comes with an artificially small size limit on its /Applications directory, you may receive an error message--"Warning: You are running out of disk space. Please delete some photos or videos"--even though you're quite sure you've got lots of space left.

DANGER DANGER WILL ROBINSON: please do this next part slowly and carefully. Screw it up and you'll have to go back, restore version 1.1.1, and start all over again.

1. Bring up Term-VT100. If you've never seen one before, you're looking at a Unix prompt. (You can also do this with OpenSSH, if you installed it and you know what you're doing.)
2. First task: move to the iTouch's root directory, copy your Applications directory there, rename your existing Applications directory to Applications.old, and then tell your iTouch to look in the new directory for stuff it previously found in the old directory. Type the following commands, exactly as shown:

   cd /
   cp -pr Applications /var/root
   mv Applications Applications.old
   ln -s private/var/root/Applications /Applications

   If you're seeing error messages like command not found when you try cd /, you didn't install the BSD Subsystem. Please go back to Your First Installation and fix this.
3. Next, let's check that it worked. Still in Term-VT100, enter these commands:

   cd /
   ls -al

   Somewhere in the resulting list--you may need to scroll the screen up to see it; to do this, drag it gently upwards at one of its edges--you'll see something like this:

   rwxr-xr-x 1 root admin  29 Dec 26 23:27 Applications -> private/var/root/Applications

   If it looks like /Applications has been linked to private/var/root/Applications, you're done. If not, you'll want to keep trying that last ln command again until you get it.
4. Restart your iTouch, by pressing and holding the Sleep button until the slide-to-power-off prompt appears. Power off, wait a moment for the twirly thing to stop and for the screen to go completely dark, and power back on again, using the Sleep button.
5. Here's where things can go wrong, so please be absolutely sure you've created that link. If you've mis-typed the link, your iTouch may reboot repeatedly, or may come back with no icons on the desktop. If this happens, you'll need to a) restore version 1.1.1 of the firmware and start over again from scratch, or b) try OpenSSH, if you installed it upstream.
6. If all is good, bring up VT-100 again, and remove the old /Applications directory, thusly:

   cd /
   pwd

   If the output from pwd doesn't look like this: /, try the cd / command again. You need to be in your root directory for the next command to work. Once you're there, do this:

   rm -rf Applications.old

Relax, the hairy part is over. From now on, everything we do will go through Installer. Let's have some fun monkeying with the interface next.

Monkeying Around with the User Interface

Using Installer, load up two new packages, Customize and SummerBoard. After you have them both, reboot your iTouch, by pressing and holding the Sleep button until the Power Off slider comes up. (If you get further into this process and Summerboard says it's "inactive" down at the bottom, you didn't reboot. Told you so.)

Summerboard will allow you to add desktop wallpapers, themes, hide labels, and other cool stuff; Customize will allow you to hide and change the images for your onscreen icons. I run both, personally; I like the green-grass Leopard background, no icon labels, and a dock containing anything that might have an alert on the icon with number of messages, etc. I also push as many of my customization options (like Term-VT100) off to the second page as possible, to discourage casual goofballs from messing around with my setup.

What? Mail? Yes. And Maps, too. And games ... sweet tasty games for everyone! Hold tight: it's finally time to add some Cool New Toys.

Cool New Toys

Lots of fun may be had with the Installer; it's getting fun-er by the day. My personal favorites include:

• Labyrinth - tilt the iTouch to roll the ball through the wooden maze. This is the first thing I show people; they instantly "get" the idea that the iTouch is neat, and you ought to be able to hack it.
• iFlix - a Netflix queue manager that must be seen to be believed. (I didn't actually have Netflix until I saw this app running on a colleague's iPhone; it's that compelling.)
• MobileRSS - mmm ... feedie goodness! Consumes output from Yahoo! Pipes really nicely.
• iSolitaire - awesome Klondike experience.
• Sketches - an Etch-A-Sketch for your iTouch. Shake to erase, or upload those pictures to Flickr through Mobile Mail, described below.

In General, Install Things Slowly and Carefully

Especially when dealing with apps that were originalliy intended for the iPhone, install slowly and carefully. Always go back to the home screen, every time, and pay special attention to those "prep" packages.

Applications from Apple that were Originally Intended Only for the iPhone

If you skipped to here instead of reading the rest of the page, please go back to the top and read the warnings, and the strong advise that if all you want are these apps, go pay for them from Apple.

To run Mail, Weather, Stocks, Notes, and Maps on your iTouch, you will need to download and install some Apple property not specifically intended for the iTouch. You will need to lie, cheat, and steal even more than you already have to do this; if you believe in karma, be very, very careful here.

Maps and Mail are hairy; you'll want to follow the instructions about installing the "prep" software first. Notes, Stocks, and Weather jump right up and run; Notes is really cool, especially when integrated with Mail.

Google Maps on the iTouch may be the single most useful thing I've ever held in one hand. It's what's got me seriously considering an iPhone ... but that's just not gonna happen until I can run the provider of my choice.

Getting Mail Working

1. Add http://applerepo.com/ to your list of sources. (Sources, Edit, Add) If you have the old repo.us.to repository, your iPhone apps won't show on the list of packages any more.
2. If sources refresh successfully--this may take a long time--it will come up as the Apple Repository. If it's an anonymous source at the bottom, refresh sources again.
3. In the package list, find the iPhone 1.1.2 Apps for iTouch category. (In theory Mail will also work on 1.1.1 ... I recommend going to 1.1.2, however, because the Mail install is a pain and you won't want to go through it again if you decide to move up later.)
4. Add the Mobile Mail Prep for 1.1.2 application and click your Home button, to get all the way back out to your home screen.
5. Go back into Installer, Packages, iPhone 1.1.2 Apps, and install Apple MobileMail 1.1.2. It will warn you that you need to have Mobile Mail Prep 1.1.2 installed; if you don't, you may wind up going all the way back up to the top of this whole dismal list and starting over again with the 1.1.1 recovery.

As far as I can tell, Mail won't work with Yahoo! via an iPod Touch. I can't see myself giving access to my personal IMAP server to a hacked client, and I can't bring myself to start an AOL or .mac account, so ... it's GMail for me.

Start a New GMail Account

1. Seriously. Do this. Since you're installing the Mail from a non-Apple source, and there's a strong motivation for wily hackers (or maybe even Apple themselves) to code in a back door and grab what personal information they can, start a brand-new GMail account, just for this experiment, using absolutely no personal information--especially that one crucial password you use on all your social networking sites!--that you care about.
2. Once your new account is up and running, sign in to GMail, go to Settings, Forwarding and POP/IMAP, and enable POP for all mail. Leave it set to keep GMail's copy in the In box; this will be handy when you have to re-do this entire process in a week.
3. The one flaky thing you'll notice about Mail on the iTouch is this: when you go into Settings and click the Gmail address, your iTouch may hang, sometimes disastrously so. When this happens, you need to power off, power back on again, and sometimes plug it into iTunes to get it to come back. (I used to think this was part of running mail on 1.1.1, but it also happens to me on 1.1.2. No idea what's up with this; suggestions will be appreciated.)

Be Afraid. Be Very Afraid. Of an Update, That Is....

The next update from Apple is almost guaranteed to hose everything we've done here, and may even make it impossible to downgrade to 1.1.1.

• Please be sure you've got iTunes rigged to ask you first before updating your iPod; for maximum paranoia, plug it in, click it in the Devices list, and un-check the box marked Open iTunes when this iPod is Connected.
• When updates become available, check back here (and elsewhere; resources are listed below; The Unofficial Apple Weblog is an excellent first stop) before installing anything. Chances are excellent that whatever comes down next from Apple will break everything you've done to your iTouch and restore it back to factory settings.

So Why Bother?

• Because something like this has the potential to truly revolutionize communications. One Laptop Per Child becomes a moot point if everybody's got one of these things and it's wide-open; if I could plug in a microphone, camera, and keyboard, I could ditch my laptop and cellphone forever.
• Because pressure from people like us is causing the folks in charge to reconsider the use of closed-source hardware and software. There's an SDK coming from Apple in a month or so, for both the iTouch and the iPhone.
• Because it's yours, dammit. It's like buying a car and being told you can only drive it on toll roads. You paid for it, you're steering it ... so you ought to be able to drive it anywhere you want as long as you're not endangering anybody else's life, liberty, or property.

Development Tools?

In addition to following several really great tutorials for building Safari web apps that run on the iTouch, I've recently downloaded and installed Jiggy, a very impressive little integrated developer's environment and runtime. Jiggy actually allows you to do iTouch and iPhone development right there on your device. Inside is a tiny Web server; you bring it up, it tells you its IP address, you log in from a full-sized computer on the same wireless network, and program in JavaScript, inside a Web form. This is just plain spectacular work on the part of the Jiggy crew; you can (seriously) get an application working in minutes. More on this, as things develop.

Other Important Resources

• jailbreakme.com -- where it all started for me.
• iPhoneWebDev -- developing content for mobile Safari.
• The Unofficial Apple Weblog, especially Erica Sadun's stuff
• ModMyIFone.com -- don't forget to add modmyifone.com/installer.xml to your installer sources.
• Nullriver Software
• Ipod Touch Hacks
• Iphone Dev Team
• Hackint0sh
• iPhone Dev Wiki
• MacRumors, for the bit about the Can't Connect error, post 1.1.2 jailbreak.

For Best Results, Please Donate!

Heinlein was right, as usual: supreme artistic appreciation may only be expressed by the phrase "Pay to the Order Of."

Third-party projects for the iTouch and iPhone are shoestring-budget affairs, done for the love of it. You can help increase the love many times, by donating to the project of your choice. (Hint: jailbreakme.com, Nullriver, and the iPhone Dev Team are really, really good choices.) $20 is a tiny amount compared to the $300 or $400 you paid for the thing, and doesn't even begin to compare to that one crucial opportunity you'll gain because you had an RSS reader, or maps, or e-mail. Your iTouch is a tool, not a toy, and these unsung heroes have set you free to swing that hammer as hard as you want. Donate!

Welcome to Glint. In its current incarnation, it's a six-color Sudoku board; to finish, you need to fit one piece of each color into each row, column, and two-by-three sub-board.

• You get one piece at a time; the current background color is the color of the piece you're placing.
• If you make an illegal move, enough of the board (the row, column, and sub-board, in that order) will be cleared to make your move legal.
• When you fit all the pieces in, you're done; the fewer moves you make, the better.
• To try Glint on your iPhone or iPod Touch, visit http://kentbrewster.com/glint
• If you had fun today, check back tomorrow; there's a fresh puzzle every day.
• For quite a bit more fun, check out the Games section of the Apple developer gallery.

How It Works

• It's a pretty standard Web page, containing structure, presentation, and markup. Since I'll be pushing a fresh game every day, I'm inserting it directly into the source via PHP. This will show up in the config.status object, if you peek at the source.

• The interesting bit is that <meta> tag in the document head:
  <meta name="viewport" id="iphone-viewport" content="width=228, height=260, user-scalable=no" />
• This plus some explicit sizing in the body makes the board exactly fit the width of the browser, and not roll around on the screen too much when the user accidentally drags it around.
• I've had good luck finding information about iPhone web development on iphonewebdev.com, the iPhoneWebDev Google Group, iphonedojo.net, and (of course) the official Apple site. Have fun with Glint, and please let me know how it goes.

Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

Beyond the occasional trip report, I don't post much personal information here. I'm putting this up on the chance that someone may be seeking information about Mr. Thomas Edward Boyd Jr., usually abbreviated as Tom Boyd, of 1563 Tobias Dr., San Jose, CA, doing business under California insurance agent's license #0D88155.

On 22 November 2007, after Thanksgiving dinner at his sister's home, Mr. Boyd punched my wife, Dr. Victoria Brewster, full in the face.

Mr. Boyd is a big, beefy guy, and weighs at least what I do, 230 or more. Mr. Boyd stepped in and hit Vickie with a hard right. Vickie's head snapped sharply around, her eyes rolled, and she fell into her niece's arms. Mr. Boyd then assumed a fighting stance and backed away into a narrow hallway.

Several sets of circumstances--very tight quarters, and the presence of innocent bystanders, including Vickie, her niece and daughter, Tom and Vickie's elderly parents, and the possibility that his seven-year-old daughter was standing directly behind him--combined to save Mr. Boyd from eating through a tube for the rest of his life. Instead of risking further harm to the family, I put my chin down, my hands up, and walked straight into him. Mr. Boyd struck me about the head and neck, and then we were tangled up on the floor, immobile. After a brief struggle on the ground, our host and his son peeled Mr. Boyd loose, escorted him out the door, and that was that.

We still can't believe he did it.

Three days later, Vickie's still not herself. She's tired and sore, and sad, and angry. Her neck hurts, and her jaw hurts, and her teeth were rearranged a bit; she's got a sharp corner that wasn't there before, which her dentist is going to have to look at.

The rest of the family seems to be doing as well as can be expected. Vickie's daughter witnessed the attack at close range and was utterly distraught; we had to put her on a train back to her university the next morning, but we're staying in close contact. Small blessings: Vickie's son was out of the room playing video games, and Mr. Boyd's daughter didn't actually see any of it, having been removed from the scene by her parents--convenient timing, there--immediately before the unfortunate incident took place.

I'm scuffed up in a couple of places that haven't seen use since I quit practicing martial arts. Mr. Boyd caught me in the forehead and gave me a bit of a mouse that's noticeable whenever my eyebrows move. My knee is skinned, my neck and ear are bruised, and my elbow doesn't want to be leaned on or straighten all the way out.

While none of the above has any relation to Mr. Boyd's competence to sell insurance or dispense financial advice, I mention it because I believe the public makes an implicit assumption that a man in his position is a gentleman who can be trusted to do the right thing in times of stress. In my personal opinion, this is clearly not the case with Mr. Boyd.

Mr. Boyd? If you're concerned about any effect this post may have on your reputation, I'll be happy to take it down without further comment after Vickie and the rest of your family have accepted your apology. Personally, I believe that any man who strikes a woman is a miserable coward, and a bully, and an unfit parent. If you disagree with this and feel like setting me straight, simply name the time and place.

One request: this time, let's leave the women and children out of it.

[Updated, Monday morning: I've disabled comments on this post--and will delete comments posted elsewhere about this matter--due to the potential for misunderstanding. Family and friends know how to reach us; thanks for your support!]

• Art helps us share experiences we don't have in common.
• As long as the gaming is transparent, the community will figure it out and deal with it.
• Communication has gone from e-mail, open by default, filtered through a black list--to instant messaging, closed by default, filtered through a white list.
• Computers are explicit; it's digital, so it either is or is not.
• Dark Webs will cease to exist. If it can't be found via search, it's not out there.
• Data becomes information when you need to know it.
• Don't sugar-coat what it is we do for a living. Don't dumb it down. Managers are voracious consumers of theory; they want to be able to make decent predictions.
• Every new parent company understands that it can't have a traditional command-and-control relationship with a distributed sales force.
• Gaming comes from structural issues around a site. Transaction costs are minimal with Digg, so it's hard to analyze past behavior. There's no construction of a person doing a thing. Richer systems will emerge, where you can see what a person has done in the past.
• Half of all information is disinformation. Is the preceding statement part of that 50%?
• How can I experience insight and intepretation? How about surprise?
• How can we do a better job of making people feel okay that they're wrong all the time?
• How do I make sure I don't miss anything?
• I grew up in Detroit and I live in Oakland now. Where I'm from, "user" is a bad word.
• If everybody knows what I do, what is my value?
• If you try to prevent collusion, you prevent collaboration.
• In the 1950s. 60s, and 70s, computers were about reducing us to facts. "Informationalization" is about classifying everything. Nowadays we do it ourselves, every time we fill out a Preferences form.
• In the future, "I'm not showing you my data" will be far less important than "I'm not showing you my connections."
• Information is just stuff I need to know. Knowledge is information with semantic content.
• Interestingness is data mining around people's activities, and the social relationships between them and the photos. It's not a voting scheme, and not susceptible to gaming; interestingness is an organic measure that can be applied retroactively, before the feature came online. The magic word is "implicit." Even thought the average Flickr user doesn't think of himself as an editor, his progress through the system makes it better for everyone.
• It's amazing that Wikipedia still works. Under every page is a flame war. It doesn't feel like a scalable system.
• Kids today are confident enough that they'll be able to create a new idea that they don't need to lock away the rights to old ones.
• Language consists of words, paragraphs, punctuations, and now links. Being able to make content permanent--first words, then writing--was a founding event. Links make the relationships permanent, for the first time.
• Last year we were talking about breaking identity out of the walled garden. We were terribly concerned with the explicit: this is who I am. This year we're talking about breaking networks out of the walled garden, and are just starting to think about the importance of the implicit: this is who I'm connected to.
• Links reveal the world in a way that matters.
• Links are the opposite of information. They are impossible to understand without society.
• Networking sites take off for tiny reasons about the site, not the intended architecture of the network.
• Often the most loyal employees know that their company is wrong. They will treat customers well even though they may lose their jobs for doing so. We need to legitimize the position of these people. They are putting themselves at risk for no personal gain; if caught, they will be fired, but if not caught, the company will profit.
• Our children need to understand the difference between potential and possibility.
• Overload is a choice: you choose to be overwhelmed, or you focus. You use tools.
• Poets have to decide how much to make explicit. So do we, when we make a site, or write a program.
• Social software accrues value to the users, the readers, and the owner of the system. In that order.
• Some decisions should not be coded.
• Sometimes it's a mistake to declare your preferences up front. Life is complex!
• Team blogs seem to fit better at work than individual blogs or wikis. Blogging is writing in a way that contributing to a wiki isn't. You find an authorial voice.
• The for: tag is a gift. What my friends and contacts are bookmarking is incredibly powerful.
• The Semantic Web is self-describing, linked data.
• The Web works outstandingly well ... it enables us to do the basic thing that peace wants us to do: live with other people in difference, yet share the fundamental things that make us human.
• The social graph connects people. The semantic graph connects everything.
• The take from electronic crime is now higher than the drug industry. Within a remarkably short period of time, they'll be messing in our space.
• Think augmentation, not automation.
• To be implicit is human.
• Using social software will not homogenize the ties within a network. The impact will be differentiation: things will be less alike than they were before. The world is spiky, not flat.
• We focus on the explicit. It misleads us.
• We're at the end of 5000 years of yang ... convincing users to embrace the ying is going to be very, very hard.
• What people don't want from search is a bunch of pages. They want a visualization based on their query.
• What we care about turns possibility into potential, and makes information inadequate. What's between us is what we don't say.
• Where's the history of the Web? When Google updates, it ceases to exist.
• Words don't carry meaning. They point towards shared understanding.

Next Defrag: 11/4/2008, in Denver again. Get those absentee ballots in early!

Here's how I did it today, with my new best friend, the Group Policy editor:

In your Windows taskbar--usually on the lower left corner of your screen--click Start, then Run, then enter gpedit.msc in the resulting Run: window, and then click OK. If all goes well, the Group Policy editor will pop up. If this does not happen, you may be running the Home Edition of WinXP.

In the left pane, navigate your way to User Configuration : Administrative Templates : Start Menu and Taskbar. Lurking in a long list of ways to screw up your user experience--seriously, be careful with this--are three important options concerning document history privacy:

Remove Documents Menu from Start Menu

This seems like it may be what you're looking for, but read the fine print, by double-clicking it and then checking the Explain tab. Contrary to what's been said elsewhere, Remove Documents From Start Menu does not prevent Windows from displaying shortcuts to recently-opened documents, so if this option is re-enabled, your recently opened files will be back.

Also seen elsewhere: removing Documents from the Start menu has been known to hose programs like Adobe Premiere, which depends on it.

Do Not Keep History of Recently Opened Documents

Maximum paranoia, but if you gotta, you gotta. This is almost certainly going to mess up your work flow if you commonly edit the same documents. While you're in there under Administrative Templates, don't forget:

• Start Menu and Taskbar : Turn Off User Tracking
• Windows Components : Windows Explorer : Common Open File Dialog : Hide the Dropdown List of Recent Files

That last should hide recently opened files from the drop-down list of all Win2K-and-above programs, including Windows Media Player.

Clear History of Recently Opened Documents on Exit

This is the one I went with. As long as I'm in, I see my recent document history; as soon as I log out, it's gone. This also includes the name of the last few programs I ran using the Run... window.

Sadly, there is no matching Clear History of Recently-Opened Documents over in the Common Open File Dialog section mentioned above; that would be really, really nice.

Bonus Tidbit: Applying Changes Without Rebooting

Contrary to what the program says, you won't need to reboot to see these changes. Go back to Start : Run : and enter GPupdate /force. Say "No" when it asks you if you want to reboot, wait a moment, and your changes should be up.

So, armed with foggy memories of how Norton Utilities used to work, off I went into the wilds of the Net, searching for recovery advice. Mostly I found questionable stuff; there are many operators out there who will charge you hundreds of dollars to take a crack at your data with no guarantees, and there are plenty of freeware/shareware downloads that claim to recover lost files but were last updated in 1997, and have since been turned into those $49.95 bloatware packages you see at Office Depot. Most of these are about hard drives or floppy disks, not memory sticks; I tried a half-dozen, but got nothing back from Vickie's poor dead baby.

Finally I found Christophe Grenier's TestDisk/PhotoRec suite, at http://cgsecurity.org. PhotoRec ignores the file system in favor of finding lost files, so it works on FAT, NTFS, EXT2/EXT3, HFS, and (with certain caveats) ReiserFS. And since it's looking for known file headers and using data carving techniques, more than eighty file types--among them DOC, PDF, and PPT--are instantly recoverable. Here's how it went:

• I downloaded the ZIP file, extracted it to my desktop--no installation required, awesome!--and fired up PhotoRec. After smiling at the text-only interface, I hit the down-arrow to highlight the drive--in my case it was /dev/sdb--and hit Enter to continue.
• Next I needed to choose the partition table type. Not knowing what else to do, I chose Intel, since the last time the thing had run successfully was on a Windows machine. (I'm guessing this would want to be set to Macintosh if one was attempting recovery from a Mac-formatted iPod.)
• The next screen showed an empty partition and a FAT16 partition, both of which took up pretty much the entire disk. I crossed my fingers and hit Enter again, choosing the empty partition.
• Next, it asked me to choose my filesystem; I was pretty sure we weren't looking at an EXT2/EXT3 system, so I hit Enter to accept Other, the highlighted default.
• Finally it asked for a location to store recovered data; I went again with the default, which creates a new directory wherever you have the program installed. And we were off and running; the first file to pop up was a PDF, and since my new directory showed thumbnails by default, I could see that everything was going to be okay. Four minutes later, we were all done; all Vickie had to do was re-create her directory structure, re-name her files, and figure out which belonged where.

Many thanks, Christophe; you ought to be receiving one of your US Amazon wish-list items from us shortly.

]]> http://kentbrewster.com/easy-flash-drive-data-recovery-with-photorec http://feeds.feedburner.com/~r/KentBrewster/~3/169638284/adobe-max-uiuc-hack-day http://kentbrewster.com/adobe-max-uiuc-hack-day http://kentbrewster.com/adobe-max-uiuc-hack-day Mon, 08 Oct 2007 09:35:29 PDT Kent Brewster Back from a week-long jaunt to the heartland: to Chicago, for Adobe MAX, and thence to Champaign-Urbana, for a lecture to Mike Woodley's class and the kick-off event for the UIUC chapter of Yahoo!'s University Hack Day.


The first thing I did in Chicago was to visit Millennium Park, home to the most engaging piece of public art I've seen since Sagrada Familia. It's a 50-foot mirrored object roughly the shape of a jelly bean, mounted on a stone pavillion in the middle of downtown Chicago. People were there in droves; I don't think I've ever seen that many smiles on random strangers' faces in a long while. If you ever have the chance, do check out the Bean. (One thing: I cannot recommend the walk from McCormick Center to Millennium Park; although you do eventually pass by the fountain in the credits from "Married, With Children," the walk is long, and takes you through some genuinely nasty areas on the way out from the convention center. I cabbed it back.)

MAX was an eye-opener; I don't think I've ever seen better large-scale presentations. The keynotes and general sessions were nothing short of spectacular; imagine an OSX desktop, but in triplicate, with super-high resolution, maybe 200 feet wide. Add whomping sound, interesting content, and 4000 fans of the product, and you've got a really nice event.

At MAX I did a ten-minute talk about AIR Search, and worked the booth in the Community Pavillion. We showed up with 288 of the same t-shirt we had for the Rich Web Experience in September; these are a very nice variation on an internal Hack Day shirt, featuring the Kung Fu Dude on the front and the (okay, rather presumptuous) inscription "My Kung Fu Is The Best" on the back. Nobody else had a decent t-shirt in the Community Pavillion; when one of our developers accidentally opened a box in a crowd we found out very quickly that a) the shirts were popular and b) we were out of extra-large, just like that.

So: short on shirts, we huddled briefly and came up with a plan. From then on, anybody who wanted a shirt would need to show us their kung fu. We set up a couple of laptops and invited anyone brave enough to step up and show us their site. This worked on two levels: first, we connected on a personal level with dozens of nice folks who had no idea YDN was out there. And second, we didn't have to struggle to establish a background of relatedness: everybody who stepped up had something interesting to show. We ran YSlow to break the ice, found a couple of interesting things about each site--several of which were already running stuff like YUI--and sent everybody away with the Coveted Kung Fu Shirt.

And, yeah, somebody actually did show up and demonstrate some real live kung fu; video should be available shortly. :)

On Wednesday I hopped the train to Champaign, did my thing for Mike Woodley's class, and met up with a close friend for excellent native cuisine. Thursday I found the local Yahoo! office. Apparently we've bitten off a tiny piece of Motorola; it's a very smart crew of (what I assume to be) mobile-app developers, in sweet new quarters with sparkly new laptops and the same 24" monitors it took me three years to requisition back home. Nice folks, all.

Friday was the Hack Day kick-off; we had a full house, thanks to local hacktivists Greg and Rahul, and the ACM chapter at UIUC. Friday was also the night before the Big Game with Wisconsin, so when we went out for drinks after the kick-off event, we found ourselves swimming upstream through a sea of dark blue and bright orange--dark blue polo shirts, worn by dead-serious Alumni Dads, and blazing orange t-shirts, worn by just about everybody else. They do take their football seriously out there.

UIUC's Hack Day seems like it went okay; at last count there were about five times the number of entries as last year, which bodes well.

Next up: Defrag, in Denver.

]]> http://kentbrewster.com/adobe-max-uiuc-hack-day http://feeds.feedburner.com/~r/KentBrewster/~3/160814883/air-search http://kentbrewster.com/air-search http://kentbrewster.com/air-search Sun, 30 Sep 2007 13:34:20 PDT Kent Brewster Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

In which our friends Structure, Presentation, and Behavior go on a New Adventure, outside the browser window....

What's This?

Adobe's Integrated Runtime (AIR) environment claims to builds cross-platform desktop widgets from Flex files or plain old HTML, CSS, and JavaScript. As somebody who's been suspicious of Flash since it first started hanging Netscape 4, I was very interested to see whether Adobe's claims of interoperability and transparent development were true.

The short answer: yes. They are. The very first time I tried compiling an AIR app, it worked. Hopefully what follows will convey some of the delight I felt when my little widget popped up and ran.

We're going to build a Yahoo! Search widget, made with nothing but standards-compliant HTML, CSS, JavaScript, and a little help from the Yahoo! Developer Network.

Not a Coder? Just Want the Widget?

Go ahead and grab the compiled version, which looks and acts exactly like the little purple box immediately to my right. Thanks for stopping by!

Want to Poke at the Source First?

Of course you do! Here it is:

Structure:

Presentation:

Behavior:

XML Wrapper:

Couldn't All This Stuff Go In One File?

Not quite. The XML wrapper still needs to be separate. But yes, we could put the CSS and JavaScript into the HTML and not have to worry about separate files. I'm not doing this, because it's not good Web development practice; unless you're running PHP or some other build process behind your site, linking your CSS and JavaScript is definitely the way to go.

Let's Build It!

If you have not already done so, you'll need to install Adobe's Integrated Runtime environment. When it's all installed and working, come on back and download the source:

• structure.html - the structure
• presentation.css - the CSS
• behavior.js - the javascript
• YahooSearch.xml - package file

Download all of these to your Adobe development directory, go there (mine is C:\Program Files\Adobe\AIR\dev\) and run this:

adl YahooSearch.xml

Did your widget come up and run? When you're ready to build it, do this:

adt -package ys.air YahooSearch.xml structure.html presentation.css behavior.js

If all goes well, your search widget will be ready to install in just a few seconds. As always, have fun with this, and please let me know how it goes.

Interested in Learning How the Search Part Works?

I've done a bunch of these things; see SpiffY!Search, Build a BBC Search Widget, and Build a Wikipedia Widget, for three. The heavy lifting is all done by Yahoo!'s Search APIs, which are documented on the Yahoo! Developer Network. All we're doing here is creating some script tags on the fly to generate and receive the output, and a bit of structure to display it when it shows up.

Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

]]> http://kentbrewster.com/air-search http://feeds.feedburner.com/~r/KentBrewster/~3/161812542/delicious-badge http://kentbrewster.com/delicious-badge http://kentbrewster.com/delicious-badge Wed, 26 Sep 2007 20:50:39 PDT Kent Brewster During my first redesign--this would be two years ago or so--I decided I wanted to include a link to del.icio.us on each page, so my visitors could easily bookmark it if they wanted. A bit more research showed that there was an existing piece of hosted javascript that did this, and also showed the number of saves that had already occurred, and (optionally) popular tags and links to those who'd saved it recently.

Unfortunately, implementing the del.icio.us tagometer badge on the new site clashed with my main goal for the redesign: it had to be as fast as possible. I'm using YSlow to benchmark my site, and it's just not going to work for me if it's not getting an A.

When I tore it down to see how it worked, I discovered that--in addition to the first call to get the script--the tag-o-meter made three other calls, one to the script that actually returned the data, another to include some CSS, and a third to return an image.

What I'm currently running does only one thing: it queries the database, gets the save count, and displays it if it's there. (Popular tags come back from the script, but I haven't decided how--or if--I want to show them.) It's a tiny 6k script, and since I'm rendering it inline with PHP instead of calling it with a separate LINK, it does nothing to my YSlow score, which is currently a 96% on pages that don't have a bunch of external includes.

Building the Logo Without an Image Call

Images slow things down, jack up your HTTP call count, and kill your YSlow grade if they don't come down from a content distribution network. As it turns out, just a dash of non-semantic HTML plus a little CSS trickery will simulate the del.icio.us logo at the client end, in your choice of size and color. Here's the structure:

<span class="delicious">
<div class="db"><b></b><i></i><u></u></div>
<a href="http://del.icio.us/post?url=http%3A%2F%2Fkentbrewster.com%2Fdelicious-badge%2F&title=Case-Hardening+the+del.icio.us+Badge">save to del.icio.us</a>
<span id="dc"></span>
</span>

Span dc is reserved for the save count; more on this later. Span db has three empty deprecated tags (bold, italic, and underline) that we're going to style as blocks and position absolutely within the containing DIV. Here's the CSS:

.db { display:block; float:left; margin:3px 5px; height:10px; width:10px; position:relative; background-color:#fff; overflow:hidden;}
.db * {display:block; position:absolute; height:50%; width:50%;}
.db b {top:0; left:50%; background-color:#00f;}
.db i {top:50%; left:0; background-color:#000;}
.db u {top:50%; left:50%; background-color:#ddd;}

To change the size of your del.icio.us logo, alter the height and width in the first line. To change colors, look at the background-color parameter in the last three.

Getting the Save Count

The script uses several of the methods documented in Case-Hardened JavaScript, including the randomly-generated global global, dynamic script node and function creation, and delayed loading. It also leans heavily on Paul Johnson's JavaScript MD5 function, which I swiped straight from the original badge. Here it is:

When the data returns, it winds up in the div identified by id dc, which can be changed at need, along with the messaging around the counts.

To truly case-harden this script I'd need to call it inline and build the entire structure and presentation package from scratch, instead of depending on my external CSS and <span id="dc"> to be there when I needed it. (Remember: CSS IDs are global variables, and global variables are evil!) Stay tuned ... this may actually happen at a later date, once the new-and-improved del.icio.us--which is spectacular, by the way--hits the aether.

Next time on This Old Site: we take a jackhammer to the MyBlogLog tracker! :)

]]> http://kentbrewster.com/delicious-badge http://feeds.feedburner.com/~r/KentBrewster/~3/160814875/inside-amazon-widgets http://kentbrewster.com/inside-amazon-widgets http://kentbrewster.com/inside-amazon-widgets Sun, 23 Sep 2007 23:19:21 PDT Kent Brewster A week or so back, Amazon released their Widgets page, which seems to be a corral for many existing widgets and services, plus some neat-looking new ones.

What's most interesting to me is that the cool new toys all seem to be in HTML, and not Flash. Amazon seems to be going after a smaller, more-capable crowd (bloggers, hackers, small business operators) and not the denizens of the MySpace/Facebook walled gardens.

Most of the new badges are basic script tags that make iframes full of static ads. The iframe approach seems to be the only sensible way to make the ten out of sixteen that want you to be signed in before showing personalized recommendations work in a secure fashion.

At least one of these new widgets, however, is interactive and not just a static ad. See here:

http://widgets.amazon.com/Amazon-Search-Widget/

They're using the script tag hack, JSON, and callbacks. They are not, however, deleting their dynamic scripts after they run, or returning a final semicolon in their returns ... tssk tssk tssk!

The badge framework itself is large, heavily obfuscated, and makes four more calls to bring in support libraries, including Alessandro Fulciniti's Nifty Corners Cube, for a total of 108k in scripts alone. There's also a CSS call, which--depending on what badge and what chrome you choose--pulls in up to 20 more images to build the thing. It seems like it could be done in a cleaner fashion, especially with regards to all those HTTP calls ... YSlow gives a maximum grade of 76% to any page with my tiny search badge on it, and it can't get possibly better as you make the badge bigger.

To play with my search badge, save the next few lines as amazonSearch.html and drag it into your browser:

<html>
<body>
<script src="http://ws.amazon.com/widgets/q?ServiceVersion=20070822&MarketPlace=US&ID=V20070822/US/widgetsamazon-20/8002/12eddf18-620f-4108-bbe5-7f530ee45f23"></script>
</body>
</html>

What's interesting--to me, anyway, because they're hackable--are the APIs that Amazon has released with this widget. Bring it up under Firefox, open up Firebug, and switch to your Net tab. As the badge builds you'll see output labeled q go by twice. The first is my badge styling information, which you can ignore.

The second is a call to Operation=getTopSellers, which runs automatically to populate the badge:

http://ws.amazon.com/widgets/q?Operation=GetTopSellers&InstanceId=0&ResponseCount=20&TemplateId=8002&ServiceVersion=20070822&MarketPlace=US

Here's the reply:

topseller_display_callback( {
   results:[ {
      ASIN : "B000QDLSR0",
      Title : "Heroes - Season One",
      Price : "$39.99",
      ImageUrl : "http:\/\/g-ec2.images-amazon.com\/images\/I\/21e%2B0TZImQL.jpg",
      ImageHeight : "160",
      ImageWidth : "118" ,
      ThumbImageUrl : "http:\/\/g-ec2.images-amazon.com\/images\/I\/11uZ1UXZbiL.jpg" ,
      ThumbImageHeight : "75" ,
      ThumbImageWidth : "55" ,
      category : "DVD" ,
      DetailPageURL : "http:\/\/www.amazon.com\/dp\/B000QDLSR0" ,
      Rating : "4.5" ,
      TotalReviews : "129" ,
      Subtitle : "Hayden Panettiere, Masi Oka, Ali Larter, Adrian Pasdar (DVD)"
   },
   { ... more results here ... }
   ],
   MarketPlace: "US",
   InstanceId: "0" }
)

InstanceId looks like it would be useful to determine which of your script tags was the one you were waiting for. While I haven't figured out how to specify a callback, I can pass arbitrary text to InstanceId, which I'd probably fill with the ID of the script tag that called it, so I could delete it and clean things up.

Side note: I'm hoping Amazon is keeping an eye on whatever goes through InstanceId ... it seems like there ought to be an XSS vulnerability in there somewhere, if I can pass InstanceId=alert('ding') and see it back in my results. Which, by the way ... I can.

After the Search badge comes up for the first time, it waits for input and then runs a different API, Operation=getResults:

http://ws.amazon.com/widgets/q?Operation=GetResults&Keywords=cool&SearchIndex=All&multipageStart=0&InstanceId=0&multipageCount=10&TemplateId=8002&ServiceVersion=20070822&MarketPlace=US

Here's the reply you'll see if you enter cool and click the Go button:

search_callback( {
   results : [ {
      ASIN : "B000RHRGOO",
      Title : "Forever Cool",
      Price : "$12.99",
      ImageUrl : "http:\/\/ec1.images-amazon.com\/images\/I\/21xS4SwS-DL.jpg",
      ImageHeight : "160",
      ImageWidth : "160",
      ThumbImageUrl : "http:\/\/ec1.images-amazon.com\/images\/I\/11y96t9bKyL.jpg",
      ThumbImageHeight : "75",
      ThumbImageWidth : "75",
      category : "Music",
      DetailPageURL : "http:\/\/www.amazon.com\/dp\/B000RHRGOO",
      Rating : "4.0",
      TotalReviews : "13",
      Subtitle : "Dean Martin (Audio CD - Aug 14, 2007)"
  },
  { ... more results here ... }
  ],
  NumRecords : "75511",
  CorrectedQuery : "",
  MarketPlace : "US",
  InstanceId: "0"
} )

Yes, before you ask: plugging in one of Amazon's ASINs into Keywords will yield the single definitive record for that product. I'm guessing there has to be a way to run GetResults without making the poor thing run a full search ... all we need to do is figure out the right parameter name.

So: here's the ASIN for that Heroes Season One DVD entered into GetResults:

http://ws.amazon.com/widgets/q?Operation=GetResults&Keywords=B000QDLSR0&SearchIndex=All&TemplateId=8002&ServiceVersion=20070822&InstanceId=0

... and here's the output:

search_callback( {
   results : [ {
      ASIN : "B000QDLSR0",
      Title : "Heroes - Season One",
      Price : "$39.99",
      ImageUrl : "http:\/\/ec1.images-amazon.com\/images\/I\/21e%2B0TZImQL.jpg",
      ImageHeight : "160",
      ImageWidth : "118",
      ThumbImageUrl : "http:\/\/ec1.images-amazon.com\/images\/I\/11uZ1UXZbiL.jpg",
      ThumbImageHeight : "75",
      ThumbImageWidth : "55",
      category : "DVD",
      DetailPageURL : "http:\/\/www.amazon.com\/dp\/B000QDLSR0",
      Rating : "4.5",
      TotalReviews : "136",
      Subtitle : "Hayden Panettiere, Masi Oka, Ali Larter, Adrian Pasdar (DVD)"
   } ],
   NumRecords : "1",
   CorrectedQuery : "",
   MarketPlace : "US",
   InstanceId: "0"
} )

So What?

Amazon has already created a universal identifier for just about any product that might be ordered online or discussed in an online community by a consumer. From here on out, anybody who discovers and records an ASIN and wants to pull down an image, an average rating, or a price need only poke GetResults.

I can already see how to create rate-this-product pages and communities that show recommended or related sets of products and allow the Web site operator to instantly cash in on Amazon's Associate program.

Bravo, Amazon ... now please consider officially opening the API!

]]> http://kentbrewster.com/inside-amazon-widgets http://feeds.feedburner.com/~r/KentBrewster/~3/160814876/yahoo-answers-api http://kentbrewster.com/yahoo-answers-api http://kentbrewster.com/yahoo-answers-api Sun, 23 Sep 2007 07:28:42 PDT Kent Brewster Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

A Quick Intro to Answers:

Yahoo! Answers is an online community where you can ask questions on a range of topics, from the serious to the purely fun, and get answers from real people. Or you might help others by answering their burning questions. Either way, you have the chance to share ideas and information with millions of Yahoo! users about politics, sports, health, or whatever else interests you. By asking and answering questions you can accumulate points and build a reputation as a valuable and knowledgeable community participant.

So ... what possible good is an Answers API?

Beyond the obvious social-networking stuff (who's talking about what I'm interested in, etc.) I can see at least one compelling business use for Yahoo! Answers. Answers users--especially high-scoring ones--are what Seth Godin refers to in Unleashing the Ideavirus as "promiscuous sneezers." According to Godin, ideas are like viruses, and the more powerful they are, the more likely they are to be retransmitted by important people:

Powerful sneezers can't be bought. But don't forget that they are selfishly motivated. Will this make me look smart? Will it make someone else happy? Will it make the world a better place? There are plenty of levers that motivate powerful sneezers to spread the word, and they are often complicated and subtle.

Because of the way Answers is set up, high-level users--and by "high-level," I mean "anybody level 3 and above"--are not powerful because of what they know, but because of the frequency and tone with which they communicate what they know. They're on the service a lot. They answer questions quickly and accurately. And they have high status because they write graceful, easy-to-digest answers that don't make the person who was brave enough to ask the question feel stupid for having done so in public.

The Business Use

Okay, let's say you're a provider of goods or services on the Web, and you'd like to find out who your happy users are. In the questionSearch API, send a link to your main site in query and set the optional search_in parameter to best_answer. Any answers that come up were pretty clearly posted by users who 1) know what they're talking about and 2) like your stuff. These folks are your volunteer evangelists. Snuggle up to them. Be nice. Send them a T-shirt, or a job offer.

Here's an example I've used at work. We'll search for best answers in the Programming & Design category that have a link to developer.yahoo.com:

http://answers.yahooapis.com/AnswersService/V1/questionSearch?appid=kentbrew&category_name=Programming&Design&search_in=best_answer&query=developer.yahoo.com

Run It!

Try Out the Rest of the API:

Here's a pocket-sized API explorer for Answers. For best results, start with something simple like "cars" in questionSearch. Once you see some results, poke around inside and find a user, question, or category ID, copy it, paste it into the Find box, select the appropriate API, and you're off and running. If you'd like to see your results in JSON, check the box.

questionSearch (find text, like "cars") getQuestion (enter question ID) getByCategory (enter category ID) getByUser (enter user ID) Find: Go!
Show results in Javascript Object Notation (JSON)

http://answers.yahooapis.com/AnswersService/V1/questionSearch?appid=YahooDemo&query=car&output=json

Special note to RSS readers: this entry contains live JavaScript. Please visit the page to see it working!

]]> http://kentbrewster.com/yahoo-answers-api http://feeds.feedburner.com/~r/KentBrewster/~3/160814877/about http://kentbrewster.com/about http://kentbrewster.com/about Fri, 21 Sep 2007 17:08:23 PDT Kent Brewster Brewster's Law of Developer Psychoanalytics: if you want to find out exactly how screwed up in the head a front-end engineer is, have him write a content management system and analyze the resulting user experience. You'll see. (Oh, yes ... you will see....)

Some home-grown CMSs are punishingly anal. Others are incomprehensibly random. All, however, are weird little rat's-nests of code, built with insufficient product requirements, patched only under circumstances of extreme duress, and prone to break at the Exact Wrong Time.

After suffering through the vicissitudes of my very own hand-whittled CMS for way too long, I'm pleased to unveil the new and improved Brewster's Field Guide to Web 2.666, code-named "Lelijk maar Snel," which is Dutch for "Ugly but Fast." I'm doing my best to bring all the old posts, content, and comments over, and have added something new. Here and there you'll spot a closed norgie next to a purplish headline, indicating that there's something behind the curtain that you might or might not want to see. In this case, it's the nerdish details of how the new site works. (Or, in the words of the folk singer: "I've suffered for my art; now it's your turn.")

The Nerdish Details

• Basic principles: each page on the site should consist of structure, presentation, and behavior layers, with a single CSS link in the HEAD and a single script tag at the bottom of the BODY. In my case I'm getting a little bit obsessive-compulsive about things, and have rigged it so all my JS and CSS shows up inline, rather than coming in on separate HTTP calls. (Take that, YSlow!) Other scripts and styles might pop up occasionally, especially when I'm showing an example.
• I'm using a heavily modified version of the Yahoo User Interface library's Grids, Fonts, and Reset stylesheets. Most of the mods were to Grids, which had no way of doing a 15% column. I've renamed some of the class names so they made more sense to me (content-unit and content-wrapper, instead of yui-u and yui-gg). I've also added a decorative wrapper around the main bd division and fiddled with some margins, to show a right-height vertical line between content and navigation.
• As already noted, I'm hiding some content using the methods described in Toggling Element Visibility. I'm a wordy little so-and-so; hopefully this will allow only marginally-interested readers to get all the main points of what I'm trying to say before giving up in disgust.

So: it's looking less like a blog and more like a collection of quasi-random pages and projects, which is what it always was. I've also added a chunk of my fiction, celebrating the ten-year anniversary of my last professional sale. Someday When I Have Time™, I will get back at it. Also on the site is a set of Frequently Asked Questions and a contact form, but please keep in mind that the best way to reach me is to leave a comment in public, somewhere on the site.

]]> http://kentbrewster.com/about