Fixed Aptana RadRails GEM_LIB issue on mac by linking ‘/Users/{user}/.gem/ruby/1.8/gems’ to ‘/usr/local/lib/ruby/gems/1.8/gems’. I can’t blame Aptana for this since it was me who chose to use a tool built by a company that spread itself too thin. I doubt they have more than a couple of engineers working on RadRails which is not enough to provide the necessary quality across the range of environments Aptana is unfortuantely being asked to support.

I haven’t been tracking HTML5 design efforts lately but what’s being proposed for microdata (see posts by Sam Ruby and Shelly Powers) yucked me sufficiently to revisit an old fantasy of mine about HTML (man, what a boring life I have). My fantasy was to add general element/structure definition facility to HTML. It should easily extended to support microdata as well.

The way I envisioned it being used is like this:

<address>
<street>123 ABC St.</street>
<city>Foobar</city>
<state>CA</state><zip>94065</zip>
</address>

which sure is preferable to:

<div item>
<span itemtype="street">123 ABC St.</span>
<span itemtype="city">Foobar</span>
<span itemtype="state">CA</span>
<span itemtype="zip">94065</span>
</div>

As to how a semantic structures and syntactic sugars can be defined, one very arbitrary way could be:

<head>
<def name="address" package="http://test.com/1/mapking"
    params="{{street city state zip}}">
  <div>
    <span>{{street}}</span>
    <span>{{city}}</span>
    <span>{{zip}}</span>
    <span>{{zip}}</span>
  </div>
</def>
</head>

I don’t have any illusions that this fantasy has even a tiny chance of coming true though. Besides, it’s like a beggar asking for caviar when any kind of microdata support will satiate our hunger.

Boss! Boss! The Plane. The Plane!

update:

Here is a more elaborate version of the def element for the bored:

<def name="name" package="http://ting.ly/name"
  attrs="$$first last$$">
  <span>$$first$$ $$middle$$ $$last$$</span>
</def>

which could be used like this:

<name first="Don" last="Park"/>

There are lots of wholes in this sketch which is why it’s a fantasy.

I wish I could use a set of profile images instead of just one and have appropriate one displayed based on text content so that if I put a smiley like or in the text, photo of me smiling or winking will show.

It doesn’t have to be a face, it could be topic/category images. And I don’t see why tweet-specific images couldn’t be displayed since Twitter already sends out image URL with each tweet (inside ‘user’).

Trying Twitter/Facebook-like P2 theme to see if that’ll get me to post more often.

I did change default template’s post body font size and added side paddings for easier reading.

According to OAuth about page, it was Blaine Cook who initiated the birth of the the standard while working at Twitter in Nov. 2006. Blaine mobilized the initiative by getting Chris Messina involved which attracted others at CitizenSpace to join the effort (an excellent demonstration of benefits co-working social environments offer). By April 2007, the initiative got to formalize and, by October 2007, OAuth Core 1.0 spec was finalized. The question of interest to me is, why did it take a year and a half to uncover the first vulnerability?

It’s puzzling because OAuth was well known and popularized, attracted a large body of developers, many of whom I presume read the spec, and implemented by many, some very large companies. I’ve read the spec as well and discussed it with peers and partners in the security and payment industry on several occasions.

I think the right answer might be that our collective perspective in dealing with the standard was focused on implementation, application, and hype while wrongly assuming that the standard was secure. Recollecting my thoughts when I was reading the spec for the first time, I now realize that it was the safety in numbers and the lure of promising applications that influenced me to focus only on implementation.

The good news is that I think OAuth will be given the proper shake it needs to get any remaining kinks out. The bad news is that we are likely to repeat the mistake when the next popular grassroots standard emerges in a hurry. Relatively fast pace of community/grassroots standard initiatives is not a concern only if mass appeal can be effectively leveraged to shine intensive searchlight on all aspect of the standard.

While the OAuth team is working on addressing the OAuth session fixation vulnerability at the spec level, Twitter made following changes to reduce the exposure window:

• Shorter Request Token timeout – This is good practice in general. Developers tend to be too generous and, all too often, forget to enforce or verify enforcement.
• Ignore oauth_callback, in favor of URL set at regration time – this prevents hackers from intercepting callback.

Double-callback is still possible though which means Twitter OAuth Consumers will have to detect extraneous callbacks and invalidate access to everyone involved because they have no way of telling who is who.

Remaining exposure to the vulnerability is when hacker’s simulated callback arrives before the user. We are talking temporal exposure of a couple of seconds at most which, given current Twitter use-cases, is not that big a deal. I wouldn’t do banking over Twitter though.

Twitter’s OAuth problem turned out to be a general problem affecting other OAuth service providers and well as consumers using ‘3-legged’ OAuth use-case. For details, you should read not only the relevant advisory but Eran Hammer-Lahav’s post Explaining the OAuth Session Fixation Attack.

First hint of the vulnerability surfaced last November as a CSRF-attack at Clickset Social Blog which was initially diagnosed as an implementation-level issue. Well, it turned out to be a design flaw requiring some changes to the protocol.

There are actually two flaws.

The first flaw is that parameters of HTTP redirects used in OAuth can be tempered with or replayed.

This flaw allows hackers to capture, replay, and mediate conversations between OAuth Consumer and Service Provider flowing over the surface of User’s browser between the User, Consumer, Service Provider.

I think the easiest general remedy for this flaw is including a hash of the HTTP redirect parameters and some shared secret like consumer secret. A more general solution like evolving tokens could be done as well but inappropriate as a quick remedy.

This flaw should not affect OAuth service providers that manage and monitor callback URLs rigorously.

The second and more serious flaw is that the User talking to the Consumer may *not* be the same User talking to the Service Provider.

This means that a hacker can start a session with TwitsGalore.com then phish someone to authorize at Twitter to gain access to TwitsGalore.com as that someone without stealing password or session-jacking.

Solving the first flaw simplifies the solution to the second flaw by reducing the possibility of the hacker intercepting callback from Service Provider to Consumer which is not supposed to have any sensitive information but some implementations might include. Wire sniffing is a concern if HTTPS is not used but the relevant concerns for the flaw are integrity and identity, not secrecy which is an application factor.

Removing the possibility of callback URL tempering leaves double callback, meaning that the hacker start things off, tricks someone into authorizing without intercepting the callback, then simulate a callback to Consumer. Note that the Consumer would have started a HTTP session with the hacker, session associated with the RequestToken in the callback. Even if HTTP session is not created until the callback is received, there is no way for the Consumer to tell who is who.

I think Service Provider have to send back a verifiable token, like a hash of the RequestToken and consumer secret so the hacker can’t simulate the callback.

Regardless of which solutions OAuth guys decide on, one thing is clear. It will take time, many weeks at least, if not months. That’s going to put quite a damper on developers in the Consumer side of the OAuth as well as the Service Provider side.

Will newspapers survive? I think the physical form will survive for another 10 years at least at much lower valuation then eventually break into nich market fragments. The profession of journalism will, however, not only continue on but become more respected than before.

This is why I think so. When we are short of something we consume, like water in the desert, we put value in availability. As we approach ubiquitous availability of the same, we shift value to quality.

In a sea filled with unverified and biased news and information, we will rediscover the value of journalism. We will see memes as what they really are, mental viruses, and know the danger of careless consumption. As we have become more health conscious, we will also become more mental health conscious.

We’ll see products of journalism like bottled water, avoid reading/eating things off the ground, and see eaters of biased or mutated news as inbred rednecks. Those who can afford to pay, that is.

As usual, I am exaggerating. Not quite hyperbole but enough force to kickstart pointless thinking.

I’ve been too busy tinkering so, beyond twittering, I haven’t had the mindshare to blog. Sorry.

I think the stock market is in for another big leg down soon, not like the slide we’ve had lately but a drop of 500 pts or more in a day. One card Obama adminstration can play to stem or prevent the damage is the restoration of the up-tick rule.

I could be wrong, of course, so use your own judgement.

update on March 2nd at 10:41AM: Dow is at 6800 now, 200+ pts down but the volume is not there, just average so far, so this is not the massive volumn crash I was expecting. It’s as if hedge funds have changed their trading strategy from a disaster movie to suspense-building horror movie. Eerie. The only real support is still 300 pts away, btw, at 6500. There will be continued drama, of course. I’m just not sure what kind.

update on close March 2nd: So the market went down orderly in a straight line more or less with Dow closing down 300, S&P barely hanging on at 700 which makes it look bad. NASDAQ didn’t do too badly but volume was nearly 4x where Dow volume was about 1.5x. Spitting into the wind, downward pressure is still overwelming. I am done looking at the market for today. It’s time to look at some business plans and code.

a reminder to follow me on twitter: my tweets are mostly mindfart but look what I twitted last Thursday.

Almost exactly a month ago, I posted about passing of SafePage. Yesterday, news appeared on VentureWire and mentioned in a WSJ blog post which triggered some calls. Yeah, I am doing fine. Sure I got plans. I might do this or that. Let’s get together soon. Blah blah. If a startup story ends good, it feels like a graduation and closure is crisp. If bad, it feels like a funeral and effects lasts months.

I now have quite a field of ideas and prototypes at various stage. I feel like a mother of an octuplet, feeding each one along as plans gel and whims wander. And, since babies need names, buying domain names on impulse, almost everyday. I have also consulted a bit on the side and will continue to do so albeit only in advisory roles.

Overall, I am happy, healthy, and keeping myself busy. What more can one ask for?