OAuth Alternative for Twitter

The obvious solution (pun intended) to the Twitter auth problem is OAuth. As Biz wrote, OAuth won’t prevent hacking, but it should reverse the increasingly common practice of third-party software and services asking for Twitter credentials. However, OAuth is a disruptive change, one that will break existing code and force everyone to change over. In this post, I will propose a practical alternative to OAuth that offers a smoother transition.

PAuth

The core idea behind PAuth is to continue using passwords for auth but to allow multiple passwords to exist for an account, each potentially bound to a specific set of clients and permissions.

The key advantage PAuth offers to fast-moving services like Twitter is that no client software change is necessary: only the service that verifies passwords has to change, and existing clients keep sending a username and password exactly as they do today.

User Experience

  1. User wants to use Twhirl but, to enable it, a Twitter username and password are necessary.
  2. User signs into Twitter with the primary password and generates a limited password for Twhirl, enabling only the permissions Twhirl needs.
  3. User uses the limited password to enable Twhirl.
  4. When the user stops using Twhirl, the limited password for Twhirl is deleted.

Multiple Posters

An interesting use of PAuth is limiting a password to post-only. By issuing each poster a post-only password, multiple users will be able to post to a single Twitter account, and the admin (primary password holder) will be able to ban an individual poster at any time, by deleting that poster’s password, without affecting the other posters.

Details

Limited passwords should be generated rather than chosen by the user, for both convenience and security. Since limited passwords are maintained by the PAuth provider and typically copy/pasted over to the consumer site/client, they can also be longer than usual passwords. The provider should store them the same way it stores the primary password, hashed and never in plaintext, and should require the primary password to create or delete one.
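The following is an added example of the scheme described above (the user-experience steps, the multiple-posters use, and the generated, longer limited passwords), written for this page; it is not the author’s code and not anything Twitter shipped. The class and method names, the permission vocabulary (read, post, dm) and the client labels are assumptions made for the example.

```python
"""PAuth-style account store (added example, not from the original post).

One account, many passwords: the primary password plus any number of
generated, limited passwords, each bound to a client label and a set of
permissions. Names below (Account, PERMISSIONS, labels) are assumptions.
"""
import hashlib
import hmac
import secrets

PERMISSIONS = {"read", "post", "dm"}   # assumed permission vocabulary
PBKDF2_ROUNDS = 50_000                 # kept low for the example; raise in production


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; limited passwords are hashed like any other."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, primary_password: str):
        self.username = username
        self._credentials = {}          # label -> (salt, hash, permissions)
        self._store("primary", primary_password, PERMISSIONS)

    def _store(self, label, password, permissions):
        salt = secrets.token_bytes(16)
        self._credentials[label] = (salt, _hash(password, salt), frozenset(permissions))

    def authenticate(self, password):
        """Return (label, permissions) for the password that matched, else None.

        Every stored hash is compared, in constant time, so an attacker cannot
        learn from timing which label (if any) matched."""
        match = None
        for label, (salt, digest, perms) in self._credentials.items():
            if hmac.compare_digest(_hash(password, salt), digest):
                match = (label, perms)
        return match

    def _require_primary(self, password):
        auth = self.authenticate(password)
        if auth is None or auth[0] != "primary":
            raise PermissionError("primary password required")

    def create_limited_password(self, primary_password, label, permissions):
        """Mint a generated password bound to `label` and `permissions`.

        Only the primary password may do this. The plaintext is returned once
        so the user can paste it into the client; only its hash is kept."""
        self._require_primary(primary_password)
        if not set(permissions) <= PERMISSIONS:
            raise ValueError("unknown permission")
        if label == "primary" or label in self._credentials:
            raise ValueError("label already in use")
        password = secrets.token_urlsafe(24)   # 32 chars; nobody has to memorise it
        self._store(label, password, permissions)
        return password

    def revoke(self, primary_password, label):
        """Delete one limited password; every other client keeps working."""
        self._require_primary(primary_password)
        if label == "primary":
            raise ValueError("the primary password cannot be revoked")
        return self._credentials.pop(label, None) is not None

    def authorize(self, password, action):
        """True only if the password is valid and carries the `action` permission."""
        auth = self.authenticate(password)
        return auth is not None and action in auth[1]


if __name__ == "__main__":
    # The multiple-posters flow: two post-only passwords, one poster banned.
    acct = Account("company", "primary-secret")
    alice = acct.create_limited_password("primary-secret", "alice", {"post"})
    bob = acct.create_limited_password("primary-secret", "bob", {"post"})
    print("alice may post:", acct.authorize(alice, "post"))
    print("alice may read DMs:", acct.authorize(alice, "dm"))
    acct.revoke("primary-secret", "alice")
    print("alice after ban:", acct.authorize(alice, "post"))
    print("bob after alice's ban:", acct.authorize(bob, "post"))
```

The two design points worth noticing: a limited password can neither mint nor revoke other passwords (only the primary password can), so a compromised Twhirl password cannot escalate; and authentication checks every stored hash rather than stopping at the first match, so the lookup cost and timing do not leak how many passwords exist or which one was used.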

Happy New Year

I would like to wish all my friends a happy new year. 2009 is looking to be a tough year but I am hoping this year will become a landmark year. Fingers crossed.

If I had to make some predictions, I think we’ll finally see non-fluff applications for Twitter, Facebook, iPhone, and other ‘virtual platforms’ this year because a user base of millions and relatively low launch cost make those platforms very compelling to developers during the recession.

Merry Christmas

Not much to be merry about, but it’s the tradition, so let’s be merry anyway. I tend to like the end of the year because I tend to get moody and reflective, which usually leads to creative thoughts.

Reading

I am refreshing my understanding of statistics. While it’s not my favorite part of math, I need to firm up what I know for an idea I am tinkering with. I spent most of last week revisiting NLP (natural language parsing) technology and business. In summary, nothing revolutionary technology-wise, but blooming business intelligence applications have fertilized the market far and wide. It’s still an imperfect technology but, thankfully, my interest is well within practical range.

Investing

Since my last post, the base level moved up from DOW 8000 to DOW 8400 and is less predictable (to me, at least). So I’ll be watching more and trading less, except when extremes are reached.

Working

I am hoping to have some news to share in January.

Facebook Disconnect

The launch of Facebook Connect is a perfect example of how amazingly forgetful tech media can be. Despite the regular appearance of phishing-related news, no alarm is being raised about a glaring phishing vulnerability in Facebook Connect, just the usual armchair-general strategy bravos and hype.

First, there is zero phishing protection in Facebook Connect as it is implemented now. What they need, at the very least, is something like Bank of America’s SiteKey.

Second, the overall security of Facebook Connect sites depends on each and every one of them being secure. Is TechCrunch secure? Maybe. What about the others? Is a perpetual security audit a requirement for Facebook Connect?

Third, I don’t buy the “there is nothing to phish for in Facebook” argument. Not until Facebook makes all Facebook users, developers, and partner sites aware of the dangers.

Disclaimer: I worked on the technology behind SiteKey while at PassMark, which was later acquired by RSA/EMC and rebranded as Adaptive Authentication (AA). The core of the team that built SiteKey/AA now works at SafePage, a company I co-founded a year ago.

November Update

I haven’t had much mindshare for blogging lately, but I feel that some updates are owed, so here we go.

Investing

I think we are finally at the ‘bottom’, bottom not in the sense of a pit or valley but in the sense of stability and sensibility (not volatility, of course). Until the overall economy shows signs of recovering, I’ll be looking to buy into gorges and sell out of hills as the market over-reacts to news in either direction, with an eye toward accumulating quality.

Economy

America needs to overhaul the auto industry, creating an environment that favors smaller and nimbler car makers over mammoth ones, rewarding entrepreneurs over union workers. I want to see hundreds if not thousands of little car makers and value-added resellers backed by a world-wide mesh of auto part makers. I want to see a huge cloud of chaos out of which the new engine of the American economy will emerge.

Startup

We are already in closed beta and working toward private beta. There are still challenges to overcome, but the service is looking pretty good already. To address those challenges, I’ve withdrawn myself from daily activities at the startup to focus on our core technologies.

Obama! Wow!

The acceptance speech by Obama was simply the best I’ve witnessed live and on par with John F. Kennedy’s Ask-Not speech emotionally. Wow. He wobbled a bit after the opening whomp but, boy, he piled it on and on. So good that he brought tears to people’s eyes, the good kind.

New Economic Solution: Whining

I was wondering how Paulson throwing money at banks would unfreeze the credit market. Looks like the answer is whine until bankers can’t stand it anymore. Ridiculous. What’s next? Accuse banks of being anti-American unless they lend?

IMHO, it makes more sense to measure each bank’s lending practice and adjust the central bank lending rate for that bank. In essence, it’s a measure of how much leverage a bank offers over the US economy. I think it’s reasonable that banks that offer the government more control over the US economy should get a lower lending rate than those who offer less.

To banks, this change would just introduce a new business factor to consider instead of the political and bureaucratic mess being thrown at them now. Banks know how to deal with business problems, not the other kind.

Looking for the Bottom

Despite the long (well, it sure felt long) decline and bounces, I am still all cash. Throughout the rollercoaster ride, there were many luring moments, but none felt true because I don’t think it’s the bottom when people are still joking and ranting about the market. To me, it’s the bottom when no one wants to talk about the market.

When? I think the last leg of the journey is about to start. It’s kind of funny that, while people know what’s happening now is a global crisis, many don’t fully realize what that really means. Imagine what would happen when practically every aspect of the world economy shrinks by 1/3. That’s what’s happening now in the stock markets, which are, in essence, a mirror reflection of the business world.

The bottom will be where the reflection meets reality, because people won’t be crying wolf anymore when it’s sitting right in front of them, drooling.

Media Bias Against McCain, Palin?

While I am solidly in the Obama/Biden camp and see McCain/Palin’s recent attacks against Obama as disturbing trend-wise, I am also disturbed by the apparent general bias in the media against McCain and Palin. It’s not unlike tech media’s obsession with anything Apple makes.

What I am not sure about is whether the bias is in the selection of news media I consume or not. If yes, I should balance my news diet, consuming more from the ‘other side’. If not, it’s amazing that Obama has only a 5 percent lead over McCain. Either way, it’s annoying that objectivity in news is being decentralized to news consumers.

Restart

After blogging for 7 years using my own blogging software, I’ve decided to move to the WordPress platform. Why didn’t I set up my own WordPress server? Not enough time to install it as well as track upgrades and patches. Old posts and comments will take some time to appear, probably not until the year-end holiday season. Identicons will also return…eventually.

Anyway, welcome to my new blog!