idunno.org

Web services - We don't need no web server

Barry Dorrans — Sun, 11 May 2008 20:10:45 GMT

Yesterday I gave a presentation on WCF at DDD Scotland; the presentation and sample code is available for download. Feedback included

"a most enlightening talk."

"excellent delivery/pace/humour/depth on a topic of interest"

"very practical"
"Good quality slides; Alive for this time of the morning"

(Well I was first on!)

Technorati Tags: DDD Scotland

Functional duplication; or WTF is the point of Mesh?

Barry Dorrans — Mon, 28 Apr 2008 09:07:54 GMT

So we have FolderShare, we have Office Live Workspace, we have SkyDrive and we have MSN Sharing Folders. We have Windows Home Server offering RDP and classic remote desktop if you have a routable IP address. We have CardSpace and LiveID. We have Vista’s Sync Center. We have Vista Photo Gallery and MSN Photo Gallery. All of this and now we have Mesh, adding more duplication to the mix.

Whatever happened to the ethos of Office where everything worked together? Now we have siloed programs and development teams who spend god knows how much duplicating functionality that other teams have produced; sometimes promising a mythical API that never seems to deliver what the initial vision had. Apple gets this right; everything centralised, talking to each other, a consistent UI and a consistent experience.

Then there’s Mesh. Weird popup explorer bars which don’t fit with Aero, abandoning transparency in favour of Mesh blue; adding another remote desktop method to the mix and more shared folders just like Groove. In fact without this mythical API isn’t this just groove on steroids?

What happened to integration? What happened to the consistent UI design that Microsoft tells us we should use? What exactly is going on in Redmond these days? Teams fighting with each other like West Side Story? Fingers clicking and dance moves on the cobbled walkways between buildings? Where is an overall vision?

Technorati Tags: rant

PayPal to ban "unsafe" browsers

Barry Dorrans — Fri, 18 Apr 2008 16:27:47 GMT

You know where I’m going with this right? (I can see Robert holding his head in his hands right now)

So eweek and others have reported that PayPal are going to stop the use of "unsafe" browsers, those that don’t include anti-phishing protection or support for EV certificates. Setting aside the kneejerk "They can’t do that" arguments on Slashdot (of course they can, it’s their web site) it would be interesting to see if Paypal stick to their guns as Safari users would get locked out. It makes sense; Paypal is one of the most commonly spoofed web sites with numerous spam messages telling users their passwords need reset.

Paypal already publishes SPF records, which email providers could use to filter fake @paypal.com emails; which is a good start (well it would be if more email servers would actually check the SPF details). Last January PayPal announced two factor authentication in the shape of a Verisign one-time password device which users could purchase for $5 (and only for users in the US). In November someone noticed that the one-time password was being ignored and you could simply use any 6 digit number.

Like I said, you know where I’m going with this. It’s hard to describe information cards to someone who doesn’t know about them (I was trying to describe it to someone at Microsoft this week who had sat down with the CardSpace marketing person [I know, I’m as surprised as you are] and still couldn’t understand it). I sometimes liken it to mid-way between username/password and a hardware token solution. To me this is an obvious next step for PayPal to take; they could issue their own managed information cards, thus controlling the authentication and authorisation without the need for expensive, hard to manage hardware. There is even a Safari plugin for Mac users.

Do I believe it will happen? I’d love to, I really would; but truth be told I doubt it. MS should be jumping in there, offering to help; but Information Cards make no money. It’s a "for the greater good" effort and MS do not have a stellar history in that arena. We’ll see; but I would put money on PayPal acting like plip and saying "Card What?"

Technorati Tags: PayPal,CardSpace

SharpSTS now hosts in IIS

Barry Dorrans — Sun, 13 Apr 2008 06:10:10 GMT

After bashing my head against WCF for a few weeks; and attempting to be too clever for my own good I swallowed my pride and took the lazy route to enabling IIS hosting of SharpSTS. Of course now I have massive guilt about the breaking changes I had to make, but such is the price for being cutting edge.

So if you want to add a security token service to your web site, without having to host it inside a windows service or command line application you can. Well, it works for me anyway ....

Technorati Tags: SharpSTS

TripIt - Web 2.0 spam

Barry Dorrans — Thu, 10 Apr 2008 19:42:40 GMT

So yesterday I received the usual web 2.0 "Your friend wants to connect with you to swap tips on styling your hair" type email. This time it was from TripIt. I ignored it, I’m social networking fatigued anyway, but sharing when I am away from my house strikes me as a bad idea.

Nothing new there until this evening. When I got another invitation, from someone else. There was an optout link, so I went to follow it. This presented a problem; it asked me log in. "Why?" I thought, "I haven’t signed up." So just to check I asked for a password reset and it worked. This was strange. Even more interesting when I reset the password for the account I never signed up for I discovered I had 3 invitations from yesterday and one from today.

What appears to happen is as soon as the first invite is sent TripIt creates an account on behalf of the recipient. That account is then searchable; today’s inviter said that when he searched for me the site said I was a member. So much for "registration is optional" in their privacy policy.

I wonder in the search for venture capital TripIt are using their user numbers; because I should not be a user.

Technorati Tags: TripIt,Spam

The UK Government doesn't understand identity

Barry Dorrans — Fri, 04 Apr 2008 10:03:18 GMT

http://news.bbc.co.uk/1/hi/uk/7328170.stm

Sex offenders' e-mail addresses are to be passed to social networking sites like Facebook and Bebo to prevent them contacting children.

In the usual "won’t something think of the children" government attempts to legislate lack of parental supervision on the internet; assuming that an email address is permanent and can never change.

Home Secretary Jacqui Smith said she wanted children to be "free from fear".

"We need to patrol the internet to keep predators away from children in the same way as we patrol the real world," she told GMTV.

Of course in the real world we would hope parents don’t allow their children to go clubbing at 14, or put themselves in dangerous situations. The internet, on the other hand, well, it would be too much to ask parents to supervise their children wouldn’t it?

She said she accepted such a scheme could never be "completely foolproof" but did not see that as a reason not to try.

Frankly such a scheme is nowhere near fool proof; but is damned well near "fool". Given the widespread availability of free email addresses from hotmail, gmail, yahoo et al. attempting to provide a blacklist of email addresses is an impossible task. Not only does it depend on the honesty of people on the offender’s register (and if people are going to re-offend then their honesty is, at best, suspect) but it shows the usual governmental lack of understanding when it comes to technology.

The real problem lies with

a survey by telecoms regulator Ofcom found nearly half of children aged from eight to 17 had a profile on a social-networking site.

The obvious question is why? What does an 8 year old need social networking for? If a bookshop sells children’s books do we expect someone at the door of the shop to check everyone’s identity against the sex offenders' register? Why should social networking sites be held to a different, unenforceable, useless standard? Unless of course it’s just to win votes, or to push the current UK identity card agenda. Politicians would never do that.

Technorati Tags: Rant,Identity,Internet

Detecting information card support; and breaking Firefox

Barry Dorrans — Sat, 29 Mar 2008 09:32:23 GMT

Over the last few days I’ve been working what is basically a demonstration and debugging page for the SharpSTS site to allow people to dynamically build an Information Card object tag, then submit a card to it and see the results. It was problematic to say the least, with a major part of the problem being there is no real documentation about how the object tag is supposed to expose itself to a scripting environment.

In order to detect information card support without Firefox bringing up its additional plugin required information bar you cannot embedded an information card object tag in the page; you need to create it via javascript after the page as loaded. I took this a little further with the tag builder and produced what Axel, the maintainer of the Firefox Identity Card extension, deemed "kung fu". After a bunch of emails back and forth Axel has updated the plugin to support my jiggery pokery (thanks are obviously due here). At the moment the DigitalMe doesn’t work with the extended dynamic creation things I am doing (and my geek skills are weak; I can’t even get it installed inside SUSE in a Virtual PC).

The lack of an easy detection method is painful. There is discussion around an X-Id-Selector header; and debate over what it should contain and how the capabilities should be indicated; but until that happens it will be kung-fu or nothing.

Technorati Tags: Information Card,CardSpace,SharpSTS,FireFox

.NET Rocks

Barry Dorrans — Tue, 18 Mar 2008 15:53:19 GMT

Last Tuesday I spent an hour on the phone over the Atlantic, and even further to record .NET Rocks. It’s on-line. As you can probably guess I’m talking about Information Cards again.

(And I’m on a client site, so I can’t hear it. This may be a blessing ...)

Technorati Tags: .NET Rocks,CardSpace,Information Card

Upcoming Appearances

Barry Dorrans — Sun, 16 Mar 2008 14:28:25 GMT

Next month I will be presenting at the Irish Microsoft Technology Conference on "Information Card - Beyond the HTML Page"

Information Card promises to provide a secure way for users to provide login and identity information and there are plenty of samples on how to use it for web site logins. But what if you want to go beyond that? What if you want to use it in rich client software? What if you want to be a managed identity provider? This session aims to cover how you can take information cards beyond web sites and onto the desktop and the server.

In May I will be presenting at DDD Scotland on "How Safe are your web sites?"

Do you know what cross site scripting is? SQL injection attacks? Search engine leaks? Learn how to check your sites for nasties by seeing how it’s done against badly written code and what you can do to secure your sites.

Technorati Tags: IMTC,DDD Scotland

Announcing SharpSTS

Barry Dorrans — Tue, 11 Mar 2008 08:13:53 GMT

Dominick and David beat me to the punch; last night I hit the "publish" button on codeplex for SharpSTS; a C# library to allow you to develop Information Card Security Token Services.

As with all open source projects there is still a bunch of work to do; as it stands we have a command line STS which should allow you to get started. Well; if you can work out from the source code what you need to do :)

Over the coming weeks and months I, as dictator, Dominick Baier and David Christiansen hope to deliver a stable, tested, code base from which you can deliver managed information cards to your users, as well as a test web site which will issue and accept managed cards.

In the mean time you can download the code, implement your own authorisation policy provide and get started. In the meantime we’re guiding the rough beast, its hour come round at least, slouching towards Redmond to be born (with apologies to Yeats).

Technorati Tags: SharpSTS,Information Card,CardSpace