Internet Gurus

Posted by lachlanhardy on 2008-08-18 at 20:30

Dopple Your Fun article

Questions

A couple of weeks ago, I got an email from Nick Galvin, a Features Writer with the Sydney Morning Herald, asking if I’d be interested in answering some quick questions about what’s hot on the web for a feature in Icon, their weekly technology supplement for the “interested home user”. I jumped at the chance, and thanks must go to John Allsopp for recommending me.

The piece was published today and I finally got to see who the other people were. I put a scan on my Flickrstream so you can read the full text at either Large or Original (bloody large). Huge thanks must go to the legendary Seng Mah for yet again allowing me to use his photo of me from last August as my publicly respectable face.

Update: Turns out the article did get published online, so it’s much easier to read there.

Answers

What I found most interesting is comparing my answers with those of Cheryl, Virginia, Tim and John. The differences are more telling than the similarities, I think. Cheryl’s answers are consumer-focused, John talks about the big picture and Tim can’t help but dish on what’s important to developers. Of the four, Virginia’s are probably closest to mine in ideas, although hers are expressed far more beautifully. (And she led me to a gorgeous new theme for my tumblelog!)

I copped a bit of a ribbing at work about the reference in the standfirst to ‘internet gurus’. Fair enough. I find it amusing too. Thing is, though, that I know some other internet gurus.

Anybody willing to spend any time at all reading my infrequent posts is automatically qualified as pretty damn interested in the internet (or related to me. Hi, Mum!). So I want to know what you would have answered. What are your responses to the three questions? You don’t have to stick to 180 words like we did!

  1. What are the three things online that are exciting you most?
  2. What gadget do you never leave home without? And given most everybody will say their phone or their laptop, why?
  3. What will be the Next Big Thing?

Add answers or links to answers below.

Phishing Fools?

Posted by lachlanhardy on 2008-04-01 at 10:14

This morning, Flickr released a new feature. One that lets you find your friends from your existing address books on Yahoo! Mail, Gmail and Hotmail. All without providing usernames or passwords. Aren’t APIs wonderful?

I twittered about the new black and got a reply from Amanda asking, “Isn’t that encouraging people to get phished?”

In a nutshell, the answer is yes.

Super green

Folks who think about such things are rejoicing that there are now so many site-specific APIs and authentication protocols such as OAuth that avoid what Jeremy Keith called the Password Anti-pattern. And I’m one of them. The Password Anti-pattern is a Bad Thing™. I don’t think anyone would disagree with that.

Removing the Anti-pattern means that the site requesting access doesn’t get full, unlimited access to the account in question. In Flickr’s new feature, they get access to only the details of who is in my Gmail address book - not my emails and certainly not access to any other Google products I may have enabled on that account. Google’s authentication page confirms for me that Flickr is requesting access to only my contacts and only for a one-time use:

Flickr.com is requesting access to your Google Contacts account so that it can access Google Accounts on your behalf. You can revoke access at any time under ‘My Account’. Flickr.com will not have access to your password or any personal information. Learn more.

Flickr.com is only requesting one-time access. If it needs to access Google on your behalf in the future, you will be prompted again for permission.

All of this is hot, hot, hot! As long as you’re actually on Google’s authentication page.

Phishes away!

A major argument Jeremy stated against the Password Anti-pattern is that it teaches people how to be phished, but these new authentication methods don’t fix that. They still teach users that allowing your existing site to authenticate to a third party site is a Good Thing™. It’s a simple matter to produce the appearance of following that authentication process while actually harvesting details.

The solution to this is the same it has always been. The user needs to check the URL of the page they’re on and make the call. The problem with that is also the same as it has always been. Some users, possibly most users, don’t do it.
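The check above is easy to state and easy to get wrong, so here is an added example (not code from the original post or from Flickr or Google) of what “check the URL” has to mean in practice: exact host matching over https, rejecting the lookalike tricks a harvesting page relies on. The allow-list of genuine authorization hosts is an assumption for the example; a real client would keep its own.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the authorization hosts a user delegating from
# Flickr would expect to land on (assumption for this example only).
GENUINE_AUTH_HOSTS = {"www.google.com", "login.yahoo.com", "login.live.com"}


def check_auth_page_url(url, allowed_hosts=GENUINE_AUTH_HOSTS):
    """Return (True, 'ok') if url is plausibly a genuine authorization page,
    otherwise (False, reason). The host is matched exactly, never by suffix,
    so 'www.google.com.evil.example' does not pass."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # 'https://www.google.com@evil.example/' puts the real host after '@';
        # the part before it is userinfo, not the site you are talking to.
        return False, "userinfo in authority"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 443):
        return False, "non-standard port"
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        # punycode / non-ASCII labels are where homoglyph lookalikes hide
        return False, "internationalised host (possible homoglyph)"
    if host not in allowed_hosts:
        return False, "host %r is not a known authorization host" % host
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample URLs: one genuine-looking page and several lookalikes.
    for sample in (
        "https://www.google.com/accounts/ServiceLogin?service=cp",
        "http://www.google.com/accounts/ServiceLogin",
        "https://www.google.com.evil.example/accounts/",
        "https://www.google.com@evil.example/",
        "https://www.google.com:8443/",
        "https://xn--ggle-0qaa.com/",
    ):
        print(check_auth_page_url(sample), sample)
```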

Are we making things worse?

The new authentication methods may actually train users to be phished even more readily than before, because there is less of a cognitive cost to the process. Ever since computers came into use, users have been hammered with warnings about the importance of passwords. The web has damaged that somewhat with our profligate password ways, but I reckon there are still plenty of mental alarms to ring when somebody asks for your password.

Using sexy protocols and APIs doesn’t cause that hesitation. The process has been designed to create a neatly streamlined user experience. Just click a few buttons and it’s over.

A phishing site is unlikely to use the real APIs, of course. These days API access requires registering for a key, allowing the API providers to track usage. Providers have varying levels of diligence, but it seems unlikely that an application could do phishing on a significant scale without being caught.

The most likely alternative is that they simply pretend you’re not currently authenticated with the third party site and request your username and password. Hopefully, that’s enough to give pause. Particularly if the app is telling you you’re not authenticated with Hotmail when you have Hotmail open in the next tab over.

What’s my scene?

In the Password Anti-pattern article, Jeremy took a moral stand: “even if it costs me a contract in the short-term, I will refuse to implement any kind of interface that involves asking the user for a password from a third-party site. I urge you to do the same.” That was admirable and eminently reasonable. Many agreed. He provided what he thought was a viable alternative by pointing to the same authentication methods I’m discussing here.

I thought it was the right choice at the time, too. I stood with him. I don’t know if his stance has changed now, but I know mine has.

What is the alternative?

Authentication APIs and protocols have their benefits and they have their costs. Do these cancel each other out? Should we refuse to implement this functionality?

If you agree with my points here, maybe you think that. But what do you implement instead? There will be a lot of demand for this functionality as it becomes easier and easier (no more screen-scraping!).

Personally, I’m for it. I have reservations now, but the practical benefits of isolating and securing access to my data win over the hypothetically higher risk of phishing. And on that day when I’m so tired, hungover or ill that I absentmindedly just click through the process and hand over the keys to my kingdom, I hope some small flicker of self-preservation will alert me so that I can correct it in time.

Joining the Conversation

Posted by lachlanhardy on 2007-03-28 at 00:25

This has been a long time coming. I’ve always followed the conversation. I read every site. I scoured the web for content as an increasingly voracious consumer. I stuffed more and more of everything into my brain and I couldn’t get enough.

Then I got the agency job. One that had me slaving 14-18 hours most days to produce slick high-quality standards-compliant accessible websites, usually for government departments. I never installed a feed reader on my new machine. I never had time.

Work was my life until Web Essentials in 2005. Everybody there was talking about Flickr, telling me it was a revolution. A new kind of application. A new form of online community. A new paradigm!

I scoffed at them like any other sensible person does when faced with such fervent reverence. But, after the conference, I looked at the photos and I wanted to comment… Trapped! Once I had an account, it seemed almost churlish not to post at least one photo. This started a long term obsession with photography, mostly self-involved.

More importantly, it started an attitude of experimentation, a willingness to sign up for any and every app that comes along. To subscribe to every feed, for at least a little while. It also meant that, after a while, I was actually giving back. Producing content and contributing in some small measure to both sides of the signal/noise ratio.

And then there was Twitter

I’ve been writing small blips of bollocks there since October sometime (actually it was 10:53 AM October 27, 2006). And, for some reason, I can’t stop.

I love putting ideas out there. I love discussion and interaction. I love sharing my thoughts, then watching my thoughts and your thoughts grow and commingle.

In 2005, Molly Holzschlag told me I needed a blog, so I asked her what I should write. Being the woman she is, Molly said: “Everything!” Since that time, others have suggested it occasionally and I’ve always asked the same question. Their answers vary dramatically and that was my excuse for not building this site. I never knew what I would write about, and I still don’t. But I am going to write.

My hand has been forced by one of my favourite evil geniuses, Andrew Krespanis. The sneaky bugger slaved away for weeks to give me LachStock as a gift. Aided and abetted by a secret squirrel pact, he left me totally overwhelmed.

I still don’t know how to say thank you for that gift. I’m not even sure that is possible. The only appropriate response is to do this, and do it right. So, after 6 years of living, breathing and talking web, I’m finally making some web of my own. I’m joining the conversation I’ve followed for so long. I don’t know what I’ll be writing or where it will take us, but, fuck, I reckon it’ll be fun!

You can heckle me at lachlan@lachstock.com.au
