Don is surprised, but Sam is mistaken

Sam Gentile says that Don Box needs to get out into the streets and talk to customers, and says that he would find, among other things:

No one cares about Web Services in real usage (only geeks think they’re cool).

Sam, I know you’re out working with customers, but maybe you should talk to a few more. I’ve worked with multiple clients using web services…including a multi-billion dollar travel services company, who have built and deployed web services (can’t deep link, click on “Galileo Web Services”) for their customers to use. With these services, they can get a new customer up in hours or days, rather than the weeks or months that it took previously. And they have unprecedented monitoring and control capabilities, and the ability to protect their legacy systems in a new way by encapsulating much of the old error-prone logic.

I’ve also worked with clients of these particular web services, and it’s even better from their perspective. No more screen scraping; no more wading through a 500-page manual of structured field specs; and no more waiting for months for a private data line to be installed. And even better, there are higher-level services provided to easily accomplish certain travel tasks that used to be very complex. We’re talking about weeks of development, reduced to a couple of days. Seriously.

So Don, I think you’re doing fine – and many real customers do care about this stuff.

Windows 2003 Server default settings

Dave Burke isn’t happy with Windows 2003 Server’s default security settings:

[…] But at the end of the flying day or computing day, what has changed?  Really?  As a developer (or flyer), there is just more crap to do to get to where you want to go.  But at the end of the day you still end up at the same place.

I’m sure lots of folks want to ream me for dissing the new W2K3 security features.  I’m in no position to question the array of security restrictions in W2K3.  Smarter guys than me thought they were a good idea.  Hey, I’m just saying that to me, using W2K3 is like post 9/11 Airport Security.

Windows 2000 was like buying a big new house, moving in, and seeing that all the doors and windows are unlocked and open. You have to remember to go around the house and close/lock them, assuming that you care if anyone breaks in.

Windows 2003 is a similar house, albeit with stronger doors and more tamper-resistant locks…but when you move in, all the doors and windows are locked – and you can open what you wish.

Seems like an easy choice to me.

Credit card fraud

So I’m trying to listen to PressPlay, and I notice that all my streams are only coming in at 20 kbps, which is just killing me – I feel like I’m listening to music on an old AM radio. I call them, and after a few minutes with the support guy, he figures out my account is on probation because the monthly fee on my credit card was declined. Ok, no problem, give him another card (need my music, WAY too quiet in here!), then call the credit card company and see what’s happening.

So I call in, enter my card number via touch tones, and get this security recording asking me to verify some charges. Wow, this is pretty cool – an automated security audit. Some of the charges didn’t sound familiar, so I pressed the appropriate button and talked to a real person.

Turns out there was a $1900 charge made a few days ago, which was declined because they had the wrong expiration date (I just got a new card recently with a new date). This charge, combined with the expired date, was evidently suspicious enough for them to place a security hold on my account – very nice. There was one more charge that wasn’t mine, for about $200 to a well-known auto insurance company.

So what I’m wondering is, how stupid does someone have to be to use a stolen credit card number to pay their insurance bill? I mean, hello?!? They’re going to be pretty easy to track down, I would think!

RIAA lawsuits

I’m as surprised as anyone about the recent round of lawsuits, including the suit against the 12-year-old girl. But here’s a quote from the girl’s mom:

“It’s not like we were doing anything illegal,” said Torres. [Fox News]

This is exactly the problem. No one thinks it’s illegal. If you’re in the intellectual property business, take note – this is a problem.

Feed Validator has moved

This is worth re-posting…the feed validator has moved to http://feedvalidator.org.  There are other validators out there, but this is the only one really worth using, IMHO.

The Feed Validator, previously located at feeds.archive.org/validator/, now has its own domain: feedvalidator.org. If you have any scripts, templates, or applications that point to the Feed Validator, now would be a good time to update them. [dive into mark]

AtomAPI and Authentication

Joe Gregorio and Mark Pilgrim have been working on a new implementation of the Atom API, and have come up with a Digest-like authentication mechanism for it. Joe describes it here; here’s a small part of the post:

  1. Triggered an auth by rejecting a request with an HTTP status code of 401.
  2. The server response includes an Authenticate: header that includes Atom as an authentication scheme.
  3. The client then sends an Authorization: header with the scheme of Atom with all the Digest authentication information going into X-Atom-Authorization: header.
  4. With every request the server sends back an X-Atom-Authentication-Info: header with the ‘nextnonce’.

Note that this now uses the extensibility of the HTTP authentication scheme. 

Well, ok. But how about this:

1. Change “Atom” to “Digest” in the WWW-Authenticate header, and make a couple of other trivial changes to this response.

2. Change X-Atom-Authentication to Authorization, with appropriate trivial changes.

Poof! You’re using digest authentication. Now I know Mark and Joe thought about this, and I was involved in a long painful discussion talking about this. But here’s my point: if you have enough control over your server to implement this “Atom-authentication” mechanism, then you have enough control to implement Digest itself. With a huge added benefit that many client toolkits understand digest out of the box.

My guess is this – there is a way to implement this for Apache in code, rather than using the .htaccess built-in support. If you can implement atom-auth, can’t you just modify your code to implement Digest?

And I even have a Digest implementation for .NET built, for folks that can’t (or don’t want to) turn on IIS intrinsic support for Digest.

We’re so close. Let’s do this right. I bet if there was an implementation built for Apache that didn’t require .htaccess or httpd.conf access, then some of the nay-sayers might get on board. Someone care to try it? I did my part – my .NET/IIS implementation is available, free, for anyone to use today…
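To make the comparison concrete, here is an added example (not the author’s .NET/IIS implementation and not Joe and Mark’s code) of the same three-step exchange done as plain RFC 2617 Digest: the server’s 401 challenge, the client’s Authorization response, and the nextnonce handed back in Authentication-Info, which is exactly the role X-Atom-Authentication-Info plays in the Atom scheme above. The realm, user database, nonces and URI are constructed for the demo; MD5 is used because that is what Digest specifies and what existing client toolkits expect.

```python
import hashlib
import hmac
import re
import secrets

# Constructed realm for the demo. The server stores HA1 (MD5 of
# user:realm:password) per user, never the plaintext password.
REALM = "atom@example.com"


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def ha1_for(username, password, realm=REALM):
    """HA1 as defined in RFC 2617: the per-user value the server keeps."""
    return _md5(f"{username}:{realm}:{password}")


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_header(value):
    """Split 'Digest k="v", k2=v2' into (scheme, {k: v})."""
    scheme, _, rest = value.partition(" ")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return scheme, params


def new_nonce(issued_nonces, nonce=None):
    """Mint (or accept a fixed) nonce and remember it as outstanding."""
    nonce = nonce or secrets.token_hex(16)
    issued_nonces.add(nonce)
    return nonce


def make_challenge(issued_nonces, nonce=None):
    """Server side, step 1: the WWW-Authenticate value sent with a 401."""
    nonce = new_nonce(issued_nonces, nonce)
    return f'Digest realm="{REALM}", qop="auth", algorithm=MD5, nonce="{nonce}"'


def client_authorization(challenge, username, password, method, uri,
                         nc=1, cnonce=None):
    """Client side, step 2: the Authorization value for the retried request."""
    scheme, p = parse_header(challenge)
    if scheme != "Digest" or "auth" not in p.get("qop", "").split(","):
        raise ValueError("server did not offer Digest with qop=auth")
    cnonce = cnonce or secrets.token_hex(8)
    nc_hex = f"{nc:08x}"
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1_for(username, password, p['realm'])}:{p['nonce']}:"
                    f"{nc_hex}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{username}", realm="{p["realm"]}", '
            f'nonce="{p["nonce"]}", uri="{uri}", qop=auth, nc={nc_hex}, '
            f'cnonce="{cnonce}", response="{response}"')


def server_verify(authorization, method, users, issued_nonces):
    """Server side, step 3: check the response. On success return the
    Authentication-Info value carrying nextnonce, otherwise None."""
    scheme, p = parse_header(authorization)
    required = {"username", "realm", "nonce", "uri", "nc", "cnonce", "response"}
    if scheme != "Digest" or not required.issubset(p) or p.get("qop") != "auth":
        return None
    if p["realm"] != REALM or p["nonce"] not in issued_nonces:
        return None  # unknown or already-consumed nonce: treat as stale
    ha1 = users.get(p["username"])
    if ha1 is None:
        return None
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    if not hmac.compare_digest(expected, p["response"]):
        return None
    # One-shot nonce: retire it and hand the client a fresh one for the
    # next request, the same job X-Atom-Authentication-Info does above.
    issued_nonces.discard(p["nonce"])
    return f'nextnonce="{new_nonce(issued_nonces)}", qop=auth'


def demo():
    """Run the full exchange once and return the three header values."""
    issued = set()
    users = {"joe": ha1_for("joe", "secret")}          # constructed user
    challenge = make_challenge(issued)
    authz = client_authorization(challenge, "joe", "secret", "POST", "/atom/entries")
    info = server_verify(authz, "POST", users, issued)
    return challenge, authz, info


if __name__ == "__main__":
    for name, value in zip(("WWW-Authenticate", "Authorization",
                            "Authentication-Info"), demo()):
        print(f"{name}: {value}")
```

Nothing here is specific to Atom: the server needs only to emit the 401 challenge, verify the response, and track which nonces are still live, which is the same amount of control the Atom scheme already assumes.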

Embedded code

From Sean Varley’s weblog:

Apparently the University of Wisconsin and Netgear have a problem.  It looks like Netgear hard coded the SNTP IP address into some embedded devices for network time sync and now the school gets the pleasure of servicing a few hundred thousand requests per second.  You can read about it here.

Wow…seems to me the moral of this story is twofold.

#1 – don’t ship a product that beats the crap out of someone else’s server.

#2 – don’t ship 700,000 units of your product until you’re pretty sure you’ve taken care of #1.

Yikes!

Marketing by RSS

Dwight talks about RSS for marketing, and mentions a couple of things he sees as problems:

I love RSS as much as anyone else, but we don’t do anyone any favors when we refuse to take off the rose-colored sunglasses. Chris Pirillo throws some brickbats at an RSS doubter, but I happen to agree with the doubter on several points:

  • You can’t reliably measure exposure via RSS.
  • You can’t control how RSS is displayed.
  • RSS doesn’t build a user database.
  • RSS is difficult to customize – as a response driver – the way email is.

This problem has been discussed before, and I know Derek Scruggs has built at least one prototype of something that can do subscriber tracking. We’re using the same mechanism to power the NewsGator Tips feed, which is customized for each individual user. It’s simple really:

1. Get a user request for the RSS feed, say /rss.xml

2. Redirect the request with a 301 permanent redirect to /rss.xml?user=123456789

There you go. If you assign users an individual ID, you can track them to some extent. You can’t just look at how many times the feed has been retrieved (not relevant), but by looking at all the data in aggregate, you can tell how many users you have subscribed, the date they subscribed, the approximate date they stopped reading, and other useful data. You can tell, with pretty decent accuracy, how many individual people are reading each post.

And if you are lucky enough to know something about an individual subscriber, you can customize the feed just for them. For example, with the NewsGator Tips feed, we trickle out tips one per day, based on the date you subscribed. It’s not hard – you just need a smart server, and your clients need to react correctly to certain HTTP status codes.
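As an added example (not NewsGator’s code), the two steps above plus the two things they enable: a feed that trickles out one tip per day from the subscription date, and the aggregate view of an access log that gives subscriber counts, first and last fetch dates, and who has stopped reading. The tips, the log format and the starting ID 123456789 are constructed for the demo; dates are plain YYYY-MM-DD strings.

```python
import datetime as dt
import re
from urllib.parse import parse_qs, urlparse

# Constructed tips; the real NewsGator Tips content is not on the page.
TIPS = [
    "Tip 1: subscribe to a feed by pasting its URL.",
    "Tip 2: group feeds into folders.",
    "Tip 3: mark a whole folder read with one click.",
]


def render(items):
    body = "".join(f"<item><title>{t}</title></item>" for t in items)
    return f'<rss version="2.0"><channel>{body}</channel></rss>'


class TrackedFeed:
    """Anonymous GET /rss.xml -> 301 to a per-user URL; GET /rss.xml?user=ID
    -> the feed customised by that user's subscription date."""

    def __init__(self, first_id=123456789):
        self.subscribers = {}      # user id -> ISO date of first request
        self.next_id = first_id

    def handle(self, request_path, today):
        url = urlparse(request_path)
        if url.path != "/rss.xml":
            return 404, {}, ""
        user = parse_qs(url.query).get("user", [None])[0]
        if user is None or user not in self.subscribers:
            # Steps 1 and 2: mint an ID and redirect permanently, so a
            # well-behaved aggregator stores the new URL for next time.
            user = str(self.next_id)
            self.next_id += 1
            self.subscribers[user] = today
            return 301, {"Location": f"/rss.xml?user={user}"}, ""
        days = (dt.date.fromisoformat(today)
                - dt.date.fromisoformat(self.subscribers[user])).days
        items = TIPS[: min(days + 1, len(TIPS))]   # one more tip per day
        return 200, {"Content-Type": "application/rss+xml"}, render(items)


# Constructed access-log format: "<date> <path> <status>".
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) (\d{3})$")


def aggregate(log_lines):
    """Per-user first fetch, last fetch and fetch count: the aggregate view
    the post says is the meaningful one (raw hit counts are not)."""
    stats = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        day, path, status = m.groups()
        user = parse_qs(urlparse(path).query).get("user", [None])[0]
        if user is None or status != "200":
            continue   # anonymous requests and redirects are not reads
        s = stats.setdefault(user, {"first": day, "last": day, "fetches": 0})
        s["first"] = min(s["first"], day)
        s["last"] = max(s["last"], day)
        s["fetches"] += 1
    return stats


def active_on_or_after(stats, cutoff):
    """Subscribers still fetching on or after cutoff; the rest have
    approximately stopped reading."""
    return sorted(u for u, s in stats.items() if s["last"] >= cutoff)


SAMPLE_LOG = [  # constructed
    "2003-09-10 /rss.xml 301",
    "2003-09-10 /rss.xml?user=123456789 200",
    "2003-09-11 /rss.xml?user=123456789 200",
    "2003-09-11 /rss.xml 301",
    "2003-09-11 /rss.xml?user=123456790 200",
    "2003-09-14 /rss.xml?user=123456789 200",
]

if __name__ == "__main__":
    feed = TrackedFeed()
    print(feed.handle("/rss.xml", "2003-09-10"))
    print(feed.handle("/rss.xml?user=123456789", "2003-09-12"))
    print(aggregate(SAMPLE_LOG))
```

Note the one assumption the post itself calls out: the scheme only works if the aggregator honours the 301 and re-requests the per-user URL from then on; a client that keeps fetching /rss.xml will be minted a fresh ID on every request and will inflate the subscriber count.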

21-6 Productions

Back in another life, at Galileo, I worked with a guy named Justin Mette, probably one of the smartest developers I’ve had the pleasure to work with.

Well, a while back Justin left Galileo and formed an independent gaming studio called 21-6 Productions…and they’ve been doing some amazing stuff. At lunch a couple of weeks ago, I finally convinced him to create an RSS feed for their news so I could keep up with what they’ve been up to. And I see that a few days ago, they released version 2.1 of their award-winning game, Orbz – looks like they’ve been busy. Head over and take a look!