On OAuth Vulnerability

Twitter’s OAuth problem turned out to be a general problem affecting other OAuth Service Providers as well as Consumers using the ‘3-legged’ OAuth use case. For details, read not only the relevant advisory but also Eran Hammer-Lahav’s post Explaining the OAuth Session Fixation Attack.

The first hint of the vulnerability surfaced last November as a CSRF attack at Clickset Social Blog, which was initially diagnosed as an implementation-level issue. It turned out to be a design flaw requiring changes to the protocol itself.

There are actually two flaws.

The first flaw is that the parameters of the HTTP redirects used in OAuth can be tampered with or replayed.

This flaw allows a hacker to capture, replay, and mediate the conversation between the OAuth Consumer and the Service Provider, which flows through the User’s browser.

I think the easiest general remedy for this flaw is to include a hash of the HTTP redirect parameters and some shared secret, like the consumer secret. A more general solution like evolving tokens could be done as well but is inappropriate as a quick remedy.

This flaw should not affect OAuth service providers that manage and monitor callback URLs rigorously.

The second and more serious flaw is that the User talking to the Consumer may *not* be the same User talking to the Service Provider.

This means that a hacker can start a session with TwitsGalore.com, then phish someone into authorizing at Twitter, to gain access to TwitsGalore.com as that someone without stealing a password or hijacking a session.

Solving the first flaw simplifies the solution to the second by removing the possibility of the hacker intercepting the callback from the Service Provider to the Consumer. That callback is not supposed to carry any sensitive information, but some implementations might include some. Wire sniffing is a concern if HTTPS is not used, but the relevant concerns for this flaw are integrity and identity, not secrecy, which is an application-level factor.

Removing the possibility of callback URL tampering leaves the double callback: the hacker starts things off, tricks someone into authorizing without intercepting the callback, then simulates a callback to the Consumer. Note that the Consumer would have started an HTTP session with the hacker, the session associated with the RequestToken in the callback. Even if the HTTP session is not created until the callback is received, there is no way for the Consumer to tell who is who.

I think Service Providers have to send back a verifiable token, like a hash of the RequestToken and consumer secret, so the hacker can’t simulate the callback.
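To make the double callback concrete, here is an added simulation in Python. It is example code written for this page, not Twitter’s code, the OAuth spec, or any OAuth library. It models the fix the way OAuth 1.0a eventually did it: the Consumer sends its callback URL on the signed request-token call rather than on the user-facing redirect (closing the first flaw), and the Service Provider returns a fresh, unguessable oauth_verifier with the callback, which the Consumer must present when exchanging the token (closing the second). A random per-authorization verifier serves the same purpose as the hash of RequestToken and consumer secret suggested above, without the Service Provider having to derive anything from the consumer secret. The hostnames, class names and token formats are assumptions. run_attack(fixed=False) reproduces the attack; run_attack(fixed=True) shows the faked callback being refused.

```python
"""Simulation of the OAuth 1.0 session fixation attack and a 1.0a-style fix.

Added example, not code from the post, Twitter, or the OAuth spec. All
hostnames, token formats and class names are assumptions for illustration.
"""
import hmac
import secrets


class ServiceProvider:
    """Issues request tokens, records who authorized them, and exchanges them."""

    def __init__(self):
        self.request_tokens = {}  # token -> {"callback", "user", "verifier"}

    def issue_request_token(self, callback):
        # The Consumer supplies its callback on the (signed) request-token call,
        # so nothing on the user-facing redirect can change where the SP sends
        # the browser afterwards.  This addresses the first flaw.
        token = secrets.token_hex(8)
        self.request_tokens[token] = {"callback": callback, "user": None, "verifier": None}
        return token

    def authorize(self, token, user):
        """The user's browser, logged in at the SP, approves the request token."""
        rec = self.request_tokens[token]
        rec["user"] = user
        # Fresh, unguessable value tied to this token.  The SP hands it only to
        # the browser that authorized, via the redirect to the bound callback.
        rec["verifier"] = secrets.token_hex(16)
        return rec["callback"], token, rec["verifier"]

    def exchange(self, token, verifier, require_verifier):
        """Consumer swaps an authorized request token for an access token."""
        rec = self.request_tokens[token]
        if rec["user"] is None:
            raise PermissionError("request token was never authorized")
        # require_verifier=False models the original 1.0 flow; True models the fix.
        if require_verifier and not (verifier and hmac.compare_digest(verifier, rec["verifier"])):
            raise PermissionError("missing or wrong oauth_verifier")
        return {"access_token": secrets.token_hex(8), "user": rec["user"]}


class Consumer:
    """The third-party site.  browser_session names whichever browser is talking to it."""

    CALLBACK = "https://consumer.example/oauth/callback"  # assumed URL

    def __init__(self, sp, fixed):
        self.sp, self.fixed = sp, fixed
        self.pending = {}    # browser_session -> request token it started
        self.logged_in = {}  # browser_session -> user

    def start_login(self, browser_session):
        token = self.sp.issue_request_token(self.CALLBACK)
        self.pending[browser_session] = token
        return f"https://sp.example/oauth/authorize?oauth_token={token}"  # assumed URL

    def callback(self, browser_session, token, verifier=None):
        # This check passes for the attacker: his own browser session started the token.
        if self.pending.get(browser_session) != token:
            raise PermissionError("request token does not belong to this browser session")
        result = self.sp.exchange(token, verifier, require_verifier=self.fixed)
        self.logged_in[browser_session] = result["user"]
        return result["user"]


def run_attack(fixed):
    """Return the user the attacker's browser ends up logged in as, or None if refused."""
    sp = ServiceProvider()
    consumer = Consumer(sp, fixed)
    # 1. Attacker starts a login in HIS OWN browser session and keeps the authorize URL.
    url = consumer.start_login("attacker-browser")
    token = url.split("oauth_token=")[1]
    # 2. Attacker phishes the victim into opening that URL; the victim approves at the SP.
    #    The SP redirects the VICTIM's browser to the callback with the verifier;
    #    the attacker never sees that redirect.
    _callback, _token, _verifier = sp.authorize(token, user="victim")
    # 3. "Double callback": the attacker fakes the callback in his own session.
    try:
        return consumer.callback("attacker-browser", token, verifier=None)
    except PermissionError:
        return None


def run_legit(fixed):
    """Honest flow: one browser starts the login, authorizes, and receives the callback."""
    sp = ServiceProvider()
    consumer = Consumer(sp, fixed)
    url = consumer.start_login("victim-browser")
    token = url.split("oauth_token=")[1]
    _callback, token, verifier = sp.authorize(token, user="victim")
    return consumer.callback("victim-browser", token, verifier)
```

Note that the Consumer’s own session check still passes for the attacker, because the attacker’s browser session legitimately started that RequestToken; only the verifier, which travelled through the victim’s browser, tells the two apart. The two fixes go together: if the callback URL could still be supplied on the authorize redirect, the hacker would point it at his own server and collect the verifier there.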

Regardless of which solutions the OAuth folks decide on, one thing is clear: it will take time, many weeks at least, if not months. That’s going to put quite a damper on developers on the Consumer side of OAuth as well as the Service Provider side.

Value of Journalism

Will newspapers survive? I think the physical form will survive for another 10 years at least, at a much lower valuation, then eventually break into niche market fragments. The profession of journalism will, however, not only continue but become more respected than before.

This is why I think so. When we are short of something we consume, like water in the desert, we put value in availability. As we approach ubiquitous availability of the same thing, we shift value to quality.

In a sea filled with unverified and biased news and information, we will rediscover the value of journalism. We will see memes as what they really are, mental viruses, and know the danger of careless consumption. As we have become more health conscious, we will also become more mental health conscious.

We’ll see products of journalism like bottled water, avoid reading/eating things off the ground, and see eaters of biased or mutated news as inbred rednecks. Those who can afford to pay, that is.

As usual, I am exaggerating. Not quite hyperbole but enough force to kickstart pointless thinking.

Leg Fetish

I’ve been too busy tinkering so, beyond twittering, I haven’t had the mindshare to blog. Sorry.

I think the stock market is in for another big leg down soon, not like the slide we’ve had lately but a drop of 500 pts or more in a day. One card the Obama administration can play to stem or prevent the damage is the restoration of the up-tick rule.

I could be wrong, of course, so use your own judgement.

update on March 2nd at 10:41AM: The Dow is at 6800 now, 200+ pts down, but the volume is not there, just average so far, so this is not the massive volume crash I was expecting. It’s as if hedge funds have changed their trading strategy from a disaster movie to a suspense-building horror movie. Eerie. The only real support is still 300 pts away, btw, at 6500. There will be continued drama, of course. I’m just not sure what kind.

update at close, March 2nd: So the market went down in an orderly, more or less straight line, with the Dow closing down 300 and the S&P barely hanging on at 700, which makes it look bad. NASDAQ didn’t do too badly, but its volume was nearly 4x where Dow volume was about 1.5x. Spitting into the wind, downward pressure is still overwhelming. I am done looking at the market for today. It’s time to look at some business plans and code.

a reminder to follow me on twitter: my tweets are mostly mindfart but look what I tweeted last Thursday. 😉

Transcultural Funk

Here is Natalie, a cute non-Korean girl (as far as I can tell ;-)) based in LA, singing a popular song by K-POP group Wonder Girls:

and idol-mob girl group SNSD’s song:

Being a cultural mutt, I enjoy this sort of cultural mash thingy. She looks and sings great. It would be cool to see her make it big time in South Korea, hopefully short of turning things into a circus as usual.

OpenID Middlemen

Apparently the invite-only OpenID meetup at Facebook took place tonight. The fact that it was held at Facebook points to a shift taking place in the OpenID world. What’s coming is obvious: somehow retrofit Facebook Connect into the OpenID architecture. Repeat after me. Yes, we can.

Facebook Connect can become an OpenID middleman, serving attribute-enriched OpenID to consumer sites that select Facebook as their OpenID supplier. OpenID middlemen solve two key OpenID usability issues as well as opening up the potential to solve some privacy issues.

The first usability issue the middleman solves is the need to type in an OpenID URL, by replacing the URL input box with a button saying Sign in with OpenID or a branded version like the Facebook Connect button.

The second usability issue is users forgetting which OpenID they’ve used at an OpenID consumer site. The site can save that in a cookie, but that opens up privacy and taste issues, particularly since consumer sites will be less trusted than OpenID supplier services like Facebook and Google.

The middleman can also support anonymous personas for users to minimize privacy issues but, to do so, it will have to provide a bridging service between the sites and the real identity to meet the needs of consumer sites.

Who will be the players? Facebook and Google, of course. Throw in MySpace, Yahoo, Microsoft, and AOL as well. I reckon security, payment, and infrastructure companies will come in too, late of course. Now, they are all OpenID providers but, to act as middlemen, they’ll have to also act like OpenID consumers to either pass on a third-party OpenID identity or return a proxy identity. IMHO, it’s a very small price to pay since only oddball users will choose to do so.

Yes, it’s going to be a party night and, when the dawn comes, small OpenID providers will just fade away like old soldiers, taking the name with them and leaving behind only big-name portals and social networks wrapped in brand names.

Micropayments and News

Is micropayment what the ailing news industry needs? Will it save the New York Times? Like Clay Shirky, I have my doubts about micropayments, particularly from a usability perspective. Micropayment UI can get as bad as Vista UAC: an endless parade of buy this and buy that.

What I think the news industry should do is follow the example of the cable TV industry. Bundle content by type into channels, then charge per channel or offer channel combo deals like 10 free news channels + a choice of 10 premium news channels + 100 articles of choice from other channels for $5 per month. For $10, 30 premium channels plus 500 articles of choice. To add an extra channel for a month, an extra $1.

Regardless of details, the core idea is to transition to a finer-grained subscription model, selling sections instead of the whole newspaper, and bothering the user only once per month, or when the fuel tank (the a-la-carte article budget) runs empty, to ask whether to refill for a fee or add a channel.

Merb Herbs

Just a couple of crumbs from my brush with Merb tonight:

dependencies.rb

After merb-gen app, edit config/dependencies.rb to fix the version numbers of the dm_gems_version and do_gems_version gems used by the generated app. To find out which version you have, type

gem list {gem-name}.

Missing some MySQL dylib on OS X

When I got errors like “dyld: NSLinkModule() error”, probably after doing sudo gem install do_mysql for reasons I can’t recall, I fixed it with this:

sudo mkdir /usr/local/mysql/lib/mysql
cd /usr/local/mysql/lib/mysql
sudo ln -s /usr/local/mysql/lib/*.dylib .

I’ll add to this post over time as more crumbs fall. Note that I am not a Merb, Rails, or Ruby guy. I am not a guru in anything but everything, which means exactly nothing. Yes, I am trying to confuse you. ;-p

Sex and Status: Twitter and Facebook

For the past six months, I’ve been thinking about sex. Not the sweaty kind, you perv (wink wink, nudge nudge), but about perspective differences between the sexes and what that means to the Web at large. I am drawn to the differences to identify new business opportunities rather than to save the world or make it a better place, but I’ll take the bonus points if they’re on the way.

Fred Wilson asked rhetorically Hasn’t It Always Been About Status? in his post about Facebook opening up its status update API further. My answer from the sex-difference perspective is: yes for guys, not as much for girls.

I think status updates offer two things:

  • Awareness
  • Presence

Awareness

Back when we had more hair than brain, awareness had a direct impact on survival, so the need to be aware got carved into our veins. As civilizations advanced, the focus of awareness expanded from the elements and beasts to include awareness of what others are doing, moving from dodging predators and bashing skulls to keeping an eye on strangers and smelling whiffs of wars in distant lands.

The twin brother of Need is Fear. Even while drowning in a constant avalanche of information, modern man fears not knowing enough soon enough.

Presence

Whether it’s simply brushing shoulders or social status, men feel the need to be acknowledged and, given the chance, respected. I don’t think it’s pride; it has more to do with the dog-brain part of us, the wolfpack mindset.

My current thinking is that men’s need for awareness and presence is far greater than women’s. For women, I think things like order and intimacy are more important, which could mean that:

  • Twitter is more useful to men than women.
  • Facebook has more general appeal.

Right or wrong, I use these kinds of thoughts like I would a bottle-opener and would like readers to do the same.

Young Star Rising

Ice skating is a sport where high spirits and confidence greatly impact the outcome. I don’t usually watch ice skating because inspiring perfection is rare and heartbreaking mistakes are too common to make fine entertainment. But I watch Kim Yu-na’s performances because watching the growth of her spirit and confidence is a joy in itself.

The photos below illustrate the change very well.

[photo yuna-1] Good spirit, still vulnerable

[photo yuna-2] Confidence finally finds home

[photo yuna-3] From the recent Four Continents event

Web Form Design: Missing the Big Picture

I ran across a book titled Web Form Design: Filling in the Blanks by Luke Wroblewski which, according to glowing blurbs from well-known folks, is a great book on web form design. But when I proceeded to checkout after placing the digital copy in the shopping cart, this web form smacked me in the face:

[screenshot: daunting-form]

While the form may be clean looking and arguably well organized, it made me abandon the purchase. Why do I need to create an account with a two-book publisher’s website to purchase the book? If the form were optional and a discount were offered in exchange, I might have thought about it, but not if it’s a requirement without a matching reward. I also didn’t see why they needed my address when I was buying a digital copy.

The lesson here is:

Web designers should first justify, from the customer’s perspective, the need for each form and its components well before sculpting them into perfection.