Ardent about Arduino
Posted by lachlanhardy on 20080508 at 1400
I’ve uncovered a deep dark secret individually guarded by many of the geeks in our local community. It’s only natural that children want to play, to explore, to experiment. Sometimes as adults, we want the same things. Especially if we can bring our adult skills to bear on our childhood joys. Brothers and sisters, don’t hide your love away. Physical computing is not a sin. Although it can be a delight. Let me explain.
This morning, Dr Nic started tweeting about his urge for a ‘carputer’ of some description. After he started posting links to tiny hardware bits, I pointed him to the Ruby Arduino Development project:
RAD is a framework for programming the Arduino physical computing platform using Ruby. RAD converts Ruby scripts written using a set of Rails-like conventions and helpers into C source code which can be compiled and run on the Arduino microcontroller. It also provides a set of Rake tasks for automating the compilation and upload process.
WTF is an ‘Arduino’
Arduino is an open-source physical computing platform. You can buy them, build them, and modify them. You can hack on the code or the hardware designs and share your changes with the community.
I’ve not played with them, but after reading articles and mentions of them and other forms of physical computing (such as Sunspots, Phidgets and the like) for the last 12-18 months, I’m incredibly interested.
Not knowing a lot about it, I can’t tell you why Arduino has captured the imagination of the community I see more than the other similar products, but all I hear is Arduino. And the story was the same this morning. After my next tweet mentioned Arduino, the local fans came out of the woodwork in a flurry of tweets.
It turns out that heaps of folks I know, particularly in the local Ruby community have already paid, played and procrastinated with their Arduino bits and pieces - but everyone wants to do more.
Do you need an excuse to play?
Firstly, if you’re interested in Ruby, Rails, Merb and the like, then it looks like peeps will now be bringing their Arduino gear along to Railscamp in June. I’ve added an Arduino section to the Equipment page so that you can list what you’ve got and we can collaboratively ensure we can make the most of it!
For the world outside the rosy bubble, the Australian importers of Arduino gear, Little Bird Electronics, are holding their first Australian Arduino workshop at UTS on the 31st of May.
Update! Little Bird Electronics are now offering a $20 discount to folks using the code ‘LACHSTOCK’ when buying workshop tickets. Thanks, Little Bird!
So if you’ve got a little electronic skeleton in your geek closet, unpack it and come play. It looks like you’ll be in some fantastic company!
Phishing Fools?
Posted by lachlanhardy on 20080401 at 1014
This morning, Flickr released a new feature. One that lets you find your friends from your existing address books on Yahoo! Mail, Gmail and Hotmail. All without providing usernames or passwords. Aren’t APIs wonderful?
I twittered about the new black and got a reply from Amanda asking isn’t that encouraging people to get phished?
In a nutshell, the answer is yes.
Super green
Folks who think about such things are rejoicing that there are now so many site-specific APIs and authentication protocols such as OAuth that avoid what Jeremy Keith called the Password Anti-pattern. And I’m one of them. The Password Anti-pattern is a Bad Thing™. I don’t think anyone would disagree with that.
Removing the Anti-pattern means that the authenticating site doesn’t get full unlimited access to the account in question. In Flickr’s new feature, they get access to only the details of who is in my Gmail address book - not my emails and certainly not access to any other Google products I may have enabled on that account. Google’s authentication page confirms for me that Flickr is requesting access to only my contacts and only for a one-time use:
Flickr.com is requesting access to your Google Contacts account so that it can access Google Accounts on your behalf. You can revoke access at any time under ‘My Account’. Flickr.com will not have access to your password or any personal information. Learn more.
Flickr.com is only requesting one-time access. If it needs to access Google on your behalf in the future, you will be prompted again for permission.
All of this is hot, hot, hot! As long as you’re actually on Google’s authentication page.
Phishes away!
A major argument Jeremy stated against the Password Anti-pattern is that it teaches people how to be phished, but these new authentication methods don’t fix that. They still teach users that allowing your existing site to authenticate to a third party site is a Good Thing™. It’s a simple matter to produce the appearance of following that authentication process while actually harvesting details.
The solution to this is the same it has always been. The user needs to check the URL of the page they’re on and make the call. The problem with that is also the same as it has always been. Some users, possibly most users, don’t do it.
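What "check the URL" amounts to when done mechanically, as an added example that is not part of the original post. The trusted sign-in host names and the sample addresses are assumptions constructed for illustration; the check compares the parsed host exactly instead of looking for a familiar name somewhere in the address.

```javascript
// Added example. TRUSTED_AUTH_HOSTS is an assumed allowlist, not taken from the post.
const TRUSTED_AUTH_HOSTS = new Set(["accounts.google.com", "www.google.com"]);

// Decide whether an address really is the provider's sign-in page.
function checkAuthPage(rawUrl, trustedHosts = TRUSTED_AUTH_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://trusted-name@other-host/" puts the familiar name in the
  // userinfo part; the browser actually connects to other-host.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  if (url.port) {
    return { ok: false, reason: "non-default port" };
  }
  // URL lower-cases the host and turns non-ASCII labels into punycode,
  // so a look-alike spelling can never equal an allowlisted name.
  const host = url.hostname.replace(/\.$/, "");
  if (!trustedHosts.has(host)) {
    return { ok: false, reason: `host ${host} is not a trusted sign-in host` };
  }
  return { ok: true, reason: "host matches exactly" };
}

// Constructed sample addresses (".example" is a reserved test domain).
const SAMPLES = [
  "https://accounts.google.com/authorize?scope=contacts",
  "http://accounts.google.com/authorize",
  "https://accounts.google.com.signin.example/authorize",
  "https://accounts.google.com@signin.example/authorize",
  "https://accounts.g\u043e\u043egle.com/authorize", // Cyrillic "o" characters
  "not a url",
];

// Run the check over a list of addresses and keep the verdict beside each one.
function audit(urls) {
  return urls.map((u) => ({ url: u, ...checkAuthPage(u) }));
}

for (const row of audit(SAMPLES)) {
  console.log(row.ok ? "OK    " : "REJECT", row.url, "-", row.reason);
}
```

Only the first sample passes; each of the others contains the familiar host name as text but fails the exact comparison.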
Are we making things worse?
The new authentication methods may actually train users to be phished even more readily than before because there is less of a cognitive cost to the process. Ever since computers came into use, users have been hammered with warnings about the importance of passwords. The web has damaged that somewhat with our profligate password ways, but I reckon there are still plenty of mental alarms to ring when somebody asks for your password.
Using sexy protocols and APIs doesn’t cause that hesitation. The process has been designed to create a neatly streamlined user experience. Just click a few buttons and it’s over.
A phishing site is unlikely to do that, of course. These days API access requires registering for a key, allowing the API providers to track usage. Providers have varying levels of diligence, but it seems unlikely that an application could do phishing on a significant scale without being caught.
The most likely alternative is that they simply pretend you’re not currently authenticated with the third party site and request your username and password. Hopefully, that’s enough to give pause. Particularly if the app is telling you you’re not authenticated with Hotmail when you have Hotmail open in the next tab over.
What’s my scene?
In the Password Anti-pattern article, Jeremy took a moral stand: even if it costs me a contract in the short-term, I will refuse to implement any kind of interface that involves asking the user for a password from a third-party site. I urge you to do the same.
That was admirable and eminently reasonable. Many agreed. He provided what he thought was a viable alternative by pointing to the same authentication methods I’m discussing here.
I thought it was the right choice at the time, too. I stood with him. I don’t know if his stance has changed now, but I know mine has.
What is the alternative?
Authentication APIs and protocols have their benefits and they have their costs. Do these cancel each other out? Should we refuse to implement this functionality?
If you agree with my points here, maybe you think that. But what do you implement instead? There will be a lot of demand for this functionality as it becomes easier and easier (no more screen-scraping!).
Personally, I’m for it. I have reservations now, but the practical benefits of isolating and securing access to my data win over the hypothetically higher risk of phishing. And on that day when I’m so tired, hungover or ill that I absentmindedly just click through the process and hand over the keys to my kingdom, I hope some small flicker of self-preservation will alert me so that I can correct it in time.
74 Twitter Adds: A Breakdown
Posted by lachlanhardy on 20080318 at 1431
I was recently incommunicado for roughly a month. I was traveling, and living life mostly offline but for occasional travel arrangements etc. This resulted in the kind of online buildup you hear about from such circumstances: a couple of dozen direct emails (gradually being responded to this week); several hundred mailing list emails (deleted); thousands of RSS items (all marked as read); 14,000 unread in Gmail’s spam folder and a relatively small selection of bacn, including 74 adds from Twitter users. 74 in 4 weeks? WTF, Twitter?
Break it down
I wanted to use this sample to give myself some idea of who these people are so, as I processed the requests, I started listing how many I blocked, how many were bots and how many I thought of as Real People™ (possibly not the same thing as actual real people). And being the anal-retentive pedant I am, this led to the creation of more categories for those who didn’t fit the above three. In turn leading to some people meeting multiple categories and this loosely-premised article looking even less scientific - if that’s possible.
Obviously, this is likely to reveal far more about how I use Twitter than any data about Twitter itself. I found it interesting. You’ve been warned.
The numbers
By major grouping
I counted:
- 41 Real People™,
- 8 of those odd link-freaks,
- 16 purely promotional vehicles,
- 2 fake personalities, and
- 17 bots.
I added 14 of these and blocked 26 - which included all 17 bots.
Let’s work our way through in reverse order before we get into the Real People.
Bots (17)
You’ve all been added by them. In permanent use by spammers and unethical promoters, I block them immediately upon identification. I direly wish Twitter had a “Mark as a Spamming Sod” option like Pownce does. It’s about time the application stopped treating every account as if it were a person. That’s blatantly no longer the case.
That’s not to say that Twitter bots aren’t useful. They’re fantastic, actually. But only when they’re opt-in. The ones that come to find you are the type of loathsome evil that I associate with marketers who call your house or cheerfully knock on your door on a Saturday morning while normal people are still hungover.
Fake personalities (2)
Some I like, some I don’t. Most fade away within the kind of period that makes me not bother adding them. Especially since they’re unsolicited.
Purely promotional vehicles (16)
In this sample, they varied from sites and companies to bands or American political propagandists. They’re kind of like bots, I only find them valuable if I’ve sought them out for a purpose.
Link-freaks (8)
There is an obvious visual pattern created on a Twitter profile when somebody adds a link at the end of every single tweet. It’s readily detectable within milliseconds. Somehow it is even more obvious when there is the occasional comment or reply thrown in.
These folks confuse me. They’re not bots. Most of them don’t seem to be using automated submission of links and yet they post more than 90% lame link action.
Nobody knows that much interesting stuff. Nobody has that much original information at their fingertips. These folks are just re-posting stuff they find on aggregation sites. If I cared about the generic links that get posted repeatedly in every link graveyard on the net I’d subscribe to feeds from Digg, SlashDot, Techmeme or any one of 15,000 others. I don’t need it on Twitter.
Quit grumping and talk about the Real People™
I broke down these folks even further based on what I thought were interesting differentiators:
- 6 total newbies with virtually no posts but following 40-odd people;
- 13 people following 3,000+ people and seemingly attempting conversation with all of them;
- 2 people who used to follow me re-adding me (now that I was completely quiet?);
- 4 colleagues;
- 4 people who seem to use Twitter prolifically but don’t have a bio or a link off-site;
- 7 people who had recently replied to Jeremiah Owyang; and
- 21 self-identified Social Media Enthusiasts/Evangelists.
What the fuck is a Social Media Enthusiast? I know what a social media enthusiast is. Some people would probably classify me as one. But as something that warrants title case? Is it a job title? Who pays people just to be enthusiastic about stuff?
One answer to the last question would be: no one. Every single one of the SM Enthusiasts appeared to be a self-employed consultant. I would love some of those folks to let us in on how well that’s working out for them.
Evangelists, on the other hand, is a familiar (if conflicted) term. The big consultancies all have Social Media consultants now. I can easily see them called ‘Evangelist’ to ride the wave of familiarity with that particular term in technology circles.
Some folks even provided the slash themselves. They are both ‘Enthusiasts’ and ‘Evangelists’. Either that or they find themselves torn in that reputedly tricky limbo in between?
So what?
It’s a valid point. I don’t know that any of this means anything (except that @jowyang is an exceptionally popular Twitterer amongst a certain subset of users). I do find the numbers interesting in an abstract kind of way. They’re indicative of a broad range of Twitter uses that hopefully illustrates the pointlessness of all those Twitter Etiquette posts that spring up every time some blogger cracks it with those he is following on Twitter. Pruning according to need vs satisfaction is the answer to that issue, not complaining that nobody does it the way you want them to.
I’m curious to see if others break their requests down in similar fashion (even on a one-by-one basis) or if I’m a little too obsessive. What do you do?
X-UA-Compatible: Moving past thoughts of the children
Posted by lachlanhardy on 20080123 at 2053
Fight the Power!
Standardistas the world over are burning their bras and thinking of the children. Folks are raising hell over a single line of HTML and I can see why. Becoming a standardista gave me my passion for the web and led into an entirely new world that has offered me more opportunities for every aspect of my life. So I get it. I know why folks are upset. There’s a little part of my brain that wants to scream: “It’s just wrong!”
But it’s only a small part, and the rest of it is thinking: no matter what you think of that single line of code, it’s coming. It will be implemented. Chris Wilson’s post linked above, in combination with Aaron’s excellent article outlining some of the reasoning behind X-UA-Compatible and Eric’s considered piece on his changing perceptions of the switch, aren’t exactly media releases but do represent a considerable amount of forethought and planning. They represent a decision.
Know Your Enemies
Microsoft doesn’t tell you it’s going to do something of this scale unless it means it. So, regardless of where you come down on the pavement of good intentions, I want to talk about what X-UA-Compatible means to developers, businesses, users and clients. If you want flame wars, there are plenty of other folks packing ‘throwers in the comments of any of those posts (and countless others). Let’s leave thoughts of poor broken pages aside and keep this to asking interesting questions.
What’s a battle?
Questions like:
- What does the capability to lock your site to a single version of IE mean for your development cycle?
- What do the IE7 users checking out my shiny locked-to IE8 site see?
- How does this affect my business decisions?
- How does this affect my boss/client/manager’s business decisions?
- Does this encourage innovation or stifle it?
- Will this practically mean less time debugging IE?
- What place has X-UA-Compatible in best practice methodologies?
- What is the significance that each of the men linked to in this post have gingery facial hair?*
Talk to me, Goose
I have a few answers to some of these questions, but not all and this isn’t a lecture. It’s a discussion. What are your answers? Even more importantly, what are your questions?
* I have photos to prove this allegation somewhere…
The Non-Scary Way of Learning About OpenID
Posted by lachlanhardy on 20071220 at 1506
I hear lots of paranoid mutterings about OpenID from geeky folks. I get that. They’re still hurting from the fiasco formerly known as Passport. It’s understandable, but it’s time to let it go.
People have valid concerns about any scheme purporting to represent their identity (or identities, given we’re talking about the web). It’s hard to get to the bottom of those with OpenID, because, as has been raised on the mailing lists, it’s a very obscure niche topic with bugger all in the way of plain language explanations. It takes too long to get into it and understand it, and not everybody has that time. This is for those who are willing to trust that I took the time.
The next five points are for all my geeky friends who can’t be stuffed delving into esoterica:
OpenID is good for you.
You can stop using usernames and passwords for every site that supports it.
OpenID saves you stress
You don’t have to remember which of the 3 different passwords you’ve used since high school is the right one for this site. You don’t have to remember which of your 47 different usernames you gave it.
OpenID saves you time
You don’t have to trawl your browser password storage to find the right one when you haven’t visited the site since you last cleared your cookies.
OpenID is safe
Hardcore security freaks can go read the specs, get involved in the community and determine this for themselves, but for the rest of us, it’s enough to know that a bunch of very smart hardcore security freaks have already done this.
The defence rests
There you have it, folks, the completely non-scientific (and non-scary) explanation of OpenID. No grand justifications. No confusing diagrams.
What now?
Just 3 simple things to do:
- I recommend ClaimID because those guys are fucking smart, but lots of people like myOpenId too;
- Make sure you delegate your OpenID to your own site using Tim Lucas’s handy instructions so you have control of your identity; and
- Tell all your friends - if you want the revolution, you’d better start lighting fires.
Party on, people. The fight isn’t over yet.