Dratz asks: Feature or a bug ?


I’m contemplating using S3 for backups. Paul Stamatiou has a script ready to go. The thing which convinced me was this chart Paul showed. For 10GB of space he paid under 3 dollars per month. That’s really cheap…
Gmail, Microsoft and Yahoo all provide extra storage as well. However, none of them has stable, company-supported APIs to allow users to upload data in this form.
Users and developers alike are going crazy. There are too many social networks out there to keep track of. Developers want to make more, and users want to join more, but it’s all too much work to re-enter your friends and data. We need to lower the amount of pain for both users and developers and let a thousand new social applications bloom.
I’ve mentioned this problem in the past as well and feel like this is long overdue. Sites like Plaxo and Facebook have taken a step in the right direction, but it’s not the solution. As I see it, the real solution should be something similar to the XMPP standard, which opened up the chat protocol to allow decentralized chat networks to work with each other.
The other day I briefly mentioned the pain point of the web2.0 world and how consolidation, aggregation and summarization will help reduce some of it.
Microsoft today formally announced the availability of Microsoft Live ID as a contender for providing SSO (single sign-on) services in the web 2.0 world. Live ID, in case you didn’t know, is the repackaged version of Microsoft Passport Network, which had failed so badly that it forced Microsoft to pull it out of the market. Here are some examples of how to use other languages like PHP, Perl, Python, Ruby etc. to do authentication using Live ID. Microsoft is not the first one to openly come out with an SSO technology. Liberty Alliance and OpenID are other open-source competitors which have some foothold in this market already.
The move to SSO (single sign-on) in the web 2.0 world is bound to happen regardless of how scary some people might find it to be. If you can trust your online bank with 100000 dollars and trust 3 companies you don’t really know with your entire credit history, then this shouldn’t be that much of a concern. The real question is whether you trust the technology leaders Microsoft, Google, Yahoo or others like Verisign enough to provide these critical services for you.
In my opinion the reason why OpenID and Liberty Alliance have failed is the fragmentation of standards and the lack of leadership. While Microsoft failed in its commercial venture into authentication services (Microsoft Passport Network), it might actually do well this time as long as it doesn’t screw up. Not because they have done a great job in the past, but because the pain is now so unbearable that people are willing to give almost anything a try. But the real kicker is that almost everyone has a Microsoft account anyway, so if I had an option to use my Microsoft account to log in to a new web 2.0 product, I’d do that in a heartbeat. Creating yet another account with a new password and doing the email confirmation thing is not an adventure anymore… (or maybe I’m getting old).
I predict that Google or Yahoo will soon jump into this with their own suites of authentication services (probably using OpenID or Liberty Alliance), which will then become the next battleground in the web 2.0 world. I also predict that a couple of years after that, many web services will move towards supporting these forms of authentication so that users are not forced to create new user accounts with new passwords every single time.
And if my predictions don’t really come true… hey, at least I know that I can dream.
Everyone who knows what a “DNS Rebinding attack” is please raise your hands. I’m so glad I can’t see yours, because I’m ashamed of myself for not knowing this one. For those who are “pretending” not to know please read on.
Browsers use domain names to enforce the same-origin policy for a lot of security features. Interestingly, depending on which client you are using, it’s possible to set a low DNS TTL and then change the IP address the name resolves to, so that a script can interact with a different host without any change in domain name, as long as the browser can be made to believe that it’s still the same domain. To do this, all the attacker needs to do is initially serve content from their own server and, while the JavaScript is running, update the DNS record so that the script now reaches a different host, from which it could steal information for the attacker.
There are some safeguards to stop these kinds of attacks, but for the most part these attacks can be carried out easily on the internet today. The browsers are getting smarter though. And the “DNS Rebinding attack” isn’t new anyway… it’s been known for years at least. The way browsers try to defeat this is by enforcing a minimum DNS TTL (“DNS pinning”): the browser keeps using the first address it resolved for at least that long, regardless of what the zone now answers.
All was well and good until an attacker realized that the browser and the plugins inside the browser each enforce a different minimum DNS TTL. So as long as the browser and plugin can talk to each other, there could be a point in time when the plugin is talking to the attacker’s server while the browser is still connected to the real server, streaming the information to the attacker through the plugin.
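To make the two defenses mentioned above concrete, here is a small simulation (added for this post, not code from any browser vendor or from the original post). It models a client-side pinning resolver that enforces a minimum TTL, flags the moment the authoritative answer changes under a live pin, and a server-side Host header check. The hostnames, addresses and TTLs are constructed for the example; nothing here touches a real resolver or network.

```python
"""Defender-side simulation of the DNS rebinding mitigations discussed above.

Two mitigations are modelled:
  1. DNS pinning in the client: keep using the first address a hostname
     resolved to for at least MIN_PIN_SECONDS, whatever the zone says now.
  2. Host header validation on the server: a rebound request still carries
     the *attacker's* hostname in Host:, so refusing unknown Host values
     makes the response useless to the script.
All names, addresses (RFC 5737 documentation ranges) and TTLs below are
constructed for this example.
"""
import time

MIN_PIN_SECONDS = 60  # minimum TTL the client enforces, whatever the zone says


class PinningResolver:
    """Caches the first answer for a hostname and refuses to follow a change of
    address until max(record TTL, min_pin) seconds have elapsed."""

    def __init__(self, lookup, clock=time.monotonic, min_pin=MIN_PIN_SECONDS):
        self._lookup = lookup      # hostname -> (ip, ttl_seconds); assumed interface
        self._clock = clock
        self._min_pin = min_pin
        self._pins = {}            # hostname -> (ip, expires_at)

    def resolve(self, hostname):
        now = self._clock()
        pinned = self._pins.get(hostname)
        if pinned and now < pinned[1]:
            return pinned[0]       # pin still valid: ignore any fresh DNS answer
        ip, ttl = self._lookup(hostname)
        self._pins[hostname] = (ip, now + max(ttl, self._min_pin))
        return ip

    def address_changed(self, hostname):
        """True if the zone now answers a different address than the one we
        pinned. Logging this is a cheap detection signal for rebinding."""
        pinned = self._pins.get(hostname)
        if not pinned:
            return False
        ip, _ = self._lookup(hostname)
        return ip != pinned[0]


# Hostnames this server is willing to answer for (constructed for the example).
ALLOWED_HOSTS = {"app.example.com", "app.example.com:8080"}


def host_header_allowed(host_header, allowed=ALLOWED_HOSTS):
    """Server-side check: reject any request whose Host header is not one of
    the names this server actually serves."""
    if host_header is None:
        return False
    return host_header.strip().lower() in allowed


class FakeClock:
    """Deterministic clock so the simulation is reproducible offline."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate():
    """Walk the scenario from the post: a zone with TTL=1 whose answer flips
    mid-session. Returns what a naive client and a pinning client each see."""
    clock = FakeClock()

    def lookup(hostname):
        # Constructed authoritative answers for the rebinding hostname:
        # the zone answers one address for the first 5 seconds, then another.
        return ("203.0.113.10", 1) if clock() < 5 else ("198.51.100.7", 1)

    pinning = PinningResolver(lookup, clock=clock, min_pin=MIN_PIN_SECONDS)
    name = "rebind-test.example"

    first = pinning.resolve(name)          # t=0: pin the first answer
    clock.advance(10)                      # the 1-second record TTL is long gone
    naive_ip, _ = lookup(name)             # a client honouring TTL=1 follows the flip
    pinned_ip = pinning.resolve(name)      # a pinning client does not
    changed = pinning.address_changed(name)
    clock.advance(60)                      # pin expires; client may re-resolve
    after_pin = pinning.resolve(name)

    return {
        "first": first,
        "naive_ip": naive_ip,
        "pinned_ip": pinned_ip,
        "address_changed": changed,
        "after_pin": after_pin,
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
    print("Host app.example.com allowed:", host_header_allowed("app.example.com"))
    print("Host rebind-test.example allowed:", host_header_allowed("rebind-test.example"))
```

The pin table has to be one table shared by every component that opens connections; the plugin case in the post is exactly what happens when the browser and a plugin each keep their own table with different minimum TTLs. The Host header check is the cheaper and more robust half, because it works whatever the client does.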
Everyone will be talking about this soon. Someone leaked the source of Facebook’s index page on a website called Facebook Secrets.
Update: Brandee Barker from Facebook responded to Nik on TechCrunch.
Hi Nic-
I wanted to clarify a few things in your story. Some of Facebook’s source code was exposed to a small number of users due to a bug on a single server that was misconfigured and then fixed immediately. It was not a security breach and did not compromise user data in any way. The reprinting of this code violates several laws and we ask that people not distribute it further.
Thanks to you and the TC readers for helping us out on this one.
Brandee Barker
What is not clear is whether this was a hack or whether someone inside was involved. This is what Nik Cubrilovic from TechCrunch has to say…
“There are a number of clear ramifications here. The first is that the code can be used by outsiders to better understand how the Facebook application works, for the purposes of finding further security holes or bugs that could be exploited. Since Facebook is a closed source application, without access to the code security holes are usually found through a process of black-box testing, whereby an external party will probe the application in an attempt to work out how the application behaves and to try and find potential race conditions. In closed source applications it is common that developers rely on the closed nature of the application to obfuscate poor design elements and the structure of the application. An attacker getting access to the source code more often than not leads to further security holes being discovered. It is for these reasons that it is often claimed that open source software is more secure than closed source software, since there are many more eyes auditing the code and obfuscation can’t be used as a security measure.
The second implication with this leak is that the source code reveals a lot about the structure of the application, and the practices that Facebook developers follow. From just this single page of source code a lot can be said and extrapolated about the rest of the Facebook application and platform. For instance, the structure doesn’t follow any object oriented development practices, and it seems that the application is one large PHP file with a large number of custom functions living in the same namespace (they also seem to be using the Smarty templating engine). “
GigaOm has an interesting write-up on the commoditization of the CDN service and the price war raging in the industry. Akamai itself saw a significant stock market drop in the last couple of weeks.
“That burp has come with the increase in the number of competitors, each one trying to cash in on the boom in online video and other digital content. Limelight Networks (LLNW), Level 3 (LVLT), Internap (INAP), CDNetworks, along with new entrants Panther Express and EdgeCast Networks are some of the CDN players currently involved in a catfight with Akamai. “
A CDN is an excellent way of boosting performance and providing points of presence (PoPs) in different parts of the world that benefit from faster content delivery.
Mashable mentioned that Accoona is going public. It says…
Most of Accoona’s revenue comes from its e-commerce business, which operates in North America. Its online lead generation and search engine services are used in the US, Europe and China. Its search technology was hailed as a viable competitor to other major search engines such as Google, when it launched its Internet service a few years ago. Accoona’s attempt at differentiation is that of its semantic search, incorporating the meaning of words into your queries, allowing you to further filter your search results based on your highlighted keywords, and revising information in real time, offering relevant data such as fax and phone numbers, addresses, etc. for particular information you look up.
My question is… why? The site itself looks unpleasant to visit, is slow to search and has at least a few implementation bugs. On top of that I found the advertisements annoying to look at, and the search filtering idea, though great, wasn’t really implemented in an intuitive way.
Now, all that wouldn’t really matter if the “AI” part of the search were any good. I tried to search for two simple things and compared it with Google.
For both of these results, Google was spot on… and Accoona’s AI-based search required Real Intelligence on my part to find the right answer. The other problem is that SuperTarget’s 6 filter categories are insufficient to cover the various topics a user could be searching on.
But that’s just me talking about it after using the site for 2 minutes.
Interestingly, Accoona also runs the website ExchangePlace.net, which might be where it really makes money. But it’s not clear if this website uses any of the AI infrastructure Accoona is investing in.
Update: John Battelle has an update on Accoona.com. According to him this company does more than what meets the eye. But it’s still not clear why they have all the smoke and mirrors. Also check out paidContent; the full S-1 filed with the SEC is here.
“We are an Internet company engaged in three primary business lines — online-based lead generation, online search in the United States, Europe and China, and e-commerce consumer electronics retailing. Our services assist our users in finding the products, services and information they want, obtaining competitive pricing and making informed buying decisions. We use our expertise in technology, marketing and management to support and create efficiencies across our business lines, which are organized primarily into the following sectors:
• Online-based lead generation — We developed and operate ExchangePlaceTM, which we believe is one of the first U.S. online-based marketplaces that enables consumers to obtain offers from as many as four providers of services in which they are interested and allows providers to bid for the opportunity to contact qualified consumers, or leads, (i.e., those meeting the providers’ criteria), across a range of vertical markets. We believe that these leads are more valuable to providers because of the greater likelihood they will result in sales, thereby resulting in increased returns on investment, or ROI, for those providers.
• Search — We have developed and operate an artificial intelligence driven search engine in the United States, China and Europe. Our business plan contemplates the development of techniques to use our existing technologies to enable our users to better access certain specialized search markets. In addition, we operate a shopping comparison search engine, BuyersEdge.com, that allows shoppers to search for and compare products and prices available at numerous online merchants.
• E-commerce — We operate six Internet retail websites offering primarily a wide selection of consumer electronics and home appliances, backed by customer service and support. According to a report in TWICE, in 2006, the combined revenues of our e-commerce sites made us one of the top 10 consumer-direct electronics retailers in North America by online revenue and one of the top 55 consumer electronics retailers overall.”
Remember Google’s innovative Image Labeler idea? They seem to be doing it again, getting the masses to build maps for Google in India. India, unlike the US and many other Western countries, doesn’t have well-documented maps for its streets. Eicher is the only organization I know of which actively maps and provides printed maps in India.
Here is what Brady Forrest has to say…
“Google has been sending GPS kits to India that enable locals to make more detailed maps of their area. After the data has been uploaded and then verified against other participant’s data it becomes a part of the map. The process is very reminiscent of what Open Street Map, the community map-building project, has been doing. The biggest difference is that the data (to my knowledge) is owned by Google and is not freely available back to the community like it is with OSM.”

A very interesting article from Muhammad Saleem on the “me too” phenomenon. My problem with this phenomenon is that it might make identity theft easier than before. In this new web 2.0 world, if I need your password or your mother’s maiden name, all I have to do is build an interesting application which you would like to try out at least once. Once I have your password or other key information (which will most likely be the same across all your applications), I can shut the site down and do other interesting things. I’m an open advocate of OpenID, which attacks some of these issues, but it’s no silver bullet.
More from Muhammad’s blog…
“Everyday a new company announces a ‘new’ product which is nothing more than the old product with slight modifications or a few small additional features. This mentality is not only bad for users but also for marketers and even the startups.
A prime example of this phenomenon can be witnessed by comparing Dodgeball, Twitter, Jaiku, Tumblr, Pownce and a plethora of other microblogging tools. 90% of the services these different tools offer are the same, and the 10% that differentiates them is not significant enough to make most users switch.”