Social Lipstick

When I was in college, I remember learning how to use Linux. It confused me horribly that different computers window managers would behave in different ways. First off, coming from Windows, I didn’t even know that the window manager and the operating system were distinct concepts - I assumed they just belonged together. Linux empowered greater modularity and flexibility, but it was also quite daunting for a first time user who had to learn all these new abstraction layers that I didn’t even know existed.

The “Open Stack” in social software sometimes feels the same way. There are a lot of terms bandied about that can be quite confusing. OpenID, OAuth, XFN, PortableContacts, OpenSocial, XRDS-Simple, Yadis, … what are these and how do they fit together? Isn’t OpenID just a url thing for geeks?

Facebook application development is similar to the all-included package. You still have the different concepts of identity, authorization, contacts, activities, but they are unified together in a cohesive interface that is easy to understand.

But the Facebook stack and the “Open Stack” are really analogous, just with different names for things. So here is your Open Stack Glossary for the Facebook Developer.

Your identity is your user ID

Identity is what lets an application say “yep, I’ve seen you before.” It’s some sort of identifier that tells them who you are. On Facebook, it’s your user ID. In the “open stack”, it’s your OpenID. Now, since Facebook controls the identity space, user IDs are simple 32-bit ints. Because there is no central authority for OpenID, they needed a more creative way to avoid conflicts, so the OpenID community borrowed from DNS to ensure uniqueness. But whether I say “I am Facebook user 2901279″ or “I am Yahoo user http://openid.yahoo.com/id/XRXRXRXR”, it’s ultimately the same thing. It provides a key into a database on the application side. (well, relying party)

OpenID Translations

A Facebook session key is your authorization

Identity isn’t all you get with Facebook. The reason that people develop apps for Facebook is because they want data and distribution, both of which require user permission. And once you have a session key, you can make plenty of API calls. Getting that session key in a secure way is a sort of a pain though- you have to redirect the user back and forth a few times, make sure that everything is signed, handle failure appropriately. The “Facebook Auth” mechanism was developed in 2006, after studying how other websites did it. Eventually, after Flickr, Amazon, Facebook, and others had all reproduced the same series of redirects and signatures, OAuth came along to standardize the means of obtaining a token.

OAuth Translations

friends.get() gets all your friends.

Okay, so we have an identifier to key off, and a session key. What can you do with the session key? The current state of the world is, it’s up to the service provider. Google lets you use your OAuth token to make service calls in their own format. Flickr does the same thing. But now we’re seeing some layering on top of that, starting with friends.get().

PortableContacts is a brand new evolving standard that allows a developer, armed with an OAuth token, to fetch information about a bunch of a user’s contacts. In Facebook, this is equivalent to a friends.get() call, followed by users.getInfo() - or better, an FQL call like this:


select uid, name, ... from user where uid in (select uid2 from friend where uid1 = %d)


PortableContacts returns like this:

Of course, the quality of the contacts will vary from service to service. A large part of the reason Facebook is so strong in this area is that the friends returned tend to represent real-world friends with influence. Most services out there will have a hard time achieving the same level of quality.

The Developer Application lets you specify where your application lives and what it can do.

In any communication between two web applications, they need a way to find out how to talk to each other and what language to speak. For Facebook, this is relatively easy - the developer just comes to the site and tells Facebook all the information about itself. But in the “open stack” it’s much harder. After all, there is only one Facebook, but there are an unbounded number of “open” web services, which can each offer some variation on OpenID, OAuth, PortableContacts, etc etc. How does a relying party know who offers what, who is telling the truth, and what’s going on?

On Facebook, the developer visits the Developer application and fills out a few forms. They can specify who they are, what they offer (iframe or canvas application, on-facebook or off, etc), and most importantly, where to find it (the callback URL).

Specify an application

XRDS is a service discovery protocol that lets a service advertise what it offers, so that all necessary information can be discovered by software without needing human intervention. It doesn’t cover quite the same options as the Facebook Developer application, but it is the same idea. The main difference is that XRDS is automatic (in-band) discovery, whereas the Developer app is done manually (out-of-band).

For instance, here is Plaxo’s XRDS service definition file. Anyone who hits plaxo.com can figure out that Plaxo supports OpenID, Oauth, and PortableContacts, and they know where to find those services.

<xrds:XRDS
xmlns:xrds="xri://$xrds"
xmlns="xri://$xrd*($v*2.0)">
<XRD version="2.0">
<Type>xri://$xrds*simple</Type>
<Service>
<Type>http://specs.openid.net/auth/2.0/signon</Type>
<URI>https://www.plaxo.com/openid_server</URI>
</Service>
<Service>
<Type>http://specs.openid.net/auth/2.0/server</Type>
<URI>https://www.plaxo.com/openid_server</URI>
</Service>
<Service xmlns=”xri://$xrd*($v*2.0)”>
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://www.plaxo.com/openid?actionType=complete</URI>
</Service>
<Service>
<Type>http://oauth.net/discovery/1.0</Type>
<URI>http://www.plaxo.com/oauth/xrds#oauth</URI>
</Service>
<Service>
<Type>http://portablecontacts.net/spec/1.0</Type>
<URI>http://www.plaxo.com/pdata/contacts</URI>
</Service>
</XRD>
</xrds:XRDS>


And then there’s the REST

Once we move beyond the core technologies and into the specifics of the APIs, the analogy starts to break down. The OpenSocial REST API offers an analogous set of APIs as fbCode, but they are sufficiently different as to not quite be a standard. And both the open community and Facebook have features that don’t appear in the other one. For instance, Facebook’s implementation of News Feed publishing, FBML, and XFBML are quite different from the OpenSocial specifications for activity streams and templates, although they do share similarities. I think that Facebook, MySpace, Google, and other containers will continue to experiment with these features until they coalesce on a standard, at which point we can add them to this list.

Let me count the ways…

Okay, so suppose you’re a website owner. You have a user database, but you want more people to use your site. You’ve heard about a lot of these technologies for making your login process easier, but you’re not sure how to use them. Facebook is offering Facebook Connect, and you’ve heard of Yahoo and the OpenID community. But how do you actually go about using them? What happens when a user decides to use one of these systems?

Three basic uses

Different sites have different uses for using delegated auth. Perhaps the site is already well established and just wishes to sprinkle some “social sauce” throughout to make their site more engaging. Other sites will be brand new and want to grow their userbase quickly. Still others may have a core userbase, but want to really increase their numbers.

1. Keyless remote

Log in once, logged in everywhere. Log out once, logged out everywhere.

My favorite aspect of this social web is the promise of being able to “sign into the web”. With a single click, I can log into any number of sites. For example, if I’m logged into Facebook, then I can go to a relying party and just be automatically signed in. This is incredibly powerful as it removes pretty much any friction. Of course there’s an initial setup phase for each website, but once that’s complete, I shouldn’t ever have to remember my provider again - the website just knows, and logs me in automatically.

If I log out of any site, then I’m logged out of my identity provider and all the rest of them. If I go to a shared computer, then I just click logout once, and I will be signed out of everything.

Master key

Substitute for name and password, but then manage everything after that.

Then there are some sites that will want to use OpenID as a means for logging in, but they have their own way of managing sessions after that. In this case, users will click on the “login” button for OpenID, Yahoo, or Facebook, and then they will get a session granted by the remote website. From here on in, it doesn’t really matter what the user does with his provider - the site will still have its own cookie that will determine if the user is logged in.

Simple Link

Establish a different identity, but don’t share sessions.

Some sites already have a strong userbase, and they perhaps have to protect credit cards or

Some sites already have a strong userbase. They really like selling data to advertisers, and they don’t want to get hung up on who “owns” the user. If they accept identity from a random OpenID provider, then what happens if that provider goes out of business? Will they be able to recover the identity? For that reason, these sites prefer each user to have their own username and password. They accept OpenID or Facebook because they want to just establish an extra link - for example, to get a user’s friends, or to display a link on their profile.

How do we implement it?

Authentication is a gnarly problem. It’s hard enough to figure out how to securely keep authenticated sessions alive on a single domain; how do you manage to get an authenticated session across domains? If I want to use yahoo.com as a provider, and I live on crossways.com, then how do I do that?

Answer: it’s pretty tough, but getting easier as library support evolves.

Logging in

The login process for OpenID is pretty straightforward. You either redirect full, or use a browser popup, but you open a window onto the identity provider’s domain. The user enters their username / password, then la-dee-dah, they are sent back where they came from and they are logged in. The RP can then set a cookie to keep track of that state.

If the RP has reason to believe that a given user has come from a specific provider, but they aren’t sure, then they can use the checkid_immediate call in OpenID to check if the user is currently logged in. For example, the RP might store a long-term cookie that says I’m jerry from yahoo.com. When I visit their site, it could do a quick redirect and then redirect back to check if I’m actually logged into Yahoo as chuck. If I’m not, then the OP can just show their normal sign-in page.

With Facebook, it’s the same basic approach, except that it is wrapped in a Javascript library. The JS does some fancy auto-detection of your login state before it renders the popup. Most importantly, it allows a site to know whether you are an existing, logged-in user before it ever does a popup, by using Facebook’s cross-domain communication library.

Google does something like this for Blogger. If you visit Blogger from a new computer, you’ll first be redirected to google.com, and then immediately back, and Blogger uses that to tell if you are logged into your Google account or not.

Logging out

OpenID doesn’t have a way to support universal logout; with Facebook, there is a FB.Facebook.logoutUser() method that allows you to log the user out of Facebook (as well as your own site, if you want). Likewise, if you log out of Facebook, then it invalidates all your sessions with the remote sites (applications).

… pretty much sums up the Mission District. That’s where Nicole and I will be hanging our hats come this weekend. After so many long months of planning, packing, moving, traveling, dancing, wedding, and hunting, we are almost ready to start to settle down again. Whew! It’s been quite a tumultuous time. Since May, we have gone on a road trip from Seattle to California; hosted guests while our house collapsed in on itself; enjoyed pina coladas in Tamarindo, Costa Rica; imagined phantom earthquakes; written a new feature for Facebook (not yet released); ascended a mountain on the island of Ometepe in the middle of lake Nicaragua; learned how to pack liquids in carry-on and not get caught; read the full series of Harry Potter books …. oh yeah, and joined two families with a bond of lifelong commitment in the eyes of God. Almost forgot.

Our whirlwind existence is ready to come to an end, or maybe just the beginning? We already are imagining when we are celebrating our 31st year anniversary instead of 31st day, that we’ll reflect on these times and wonder why we did it all at once. And I’m not gonna lie, it’s been stressful. Quite. But I think doing the wedding in the midst of all of this has had its perks as well as its stresses. How wonderful was it to have so many of our close family and friends surrounding us while we go through this? It’s been exhilarating, and it’s all for the purpose of adventure, and living our lives out, so there’s really nothing to complain about.

So - the new apartment. It’s really quite nice, a bit smaller than the previous place (which feels like a mansion in comparison), but still roomy considering that it’s in San Francisco. Hardwood floors, one-bedroom, nice big kitchen, and a place for the bikes - it’s really everything we need. The Mission District is a formerly almost entirely Latino community that has undergone huge gentrification in the past few years. I’m not sure whether Nicole and I are helping the balance or not (I think we’re probably adding to the yuppification of our block). Our windows look out over a school, which is fitting for Nicole - hopefully she can work there or somewhere near there, although that is still up in the air. There are tons of tacquerias, burrito joints, coffee shops, clothing shops, and other stuff we haven’t discovered yet. Yes, folks, this really is the dense urban lifestyle I’ve craved. We’re really excited to move in!

Oh, and the address is 2458A Bryant St, San Francisco CA 94110. There ya have it!

What a whirlwind of a week! In the past few days, I have quit my job, packed my belongings, and ended up at a bed and breakfast in Grant’s Pass, Oregon, where I write now. It’s a strange feeling, no longer being a resident of Seattle. I lived there for almost three years, made several good friends, and now to pack up and leave for a strange and new city - it’s so much at once.

The idea behind this move is exactly this though. If Nicole and I can make it through this in one piece, then I figure we will be less afraid of change in the future. I’m trying to just conquer it. Leaving Amazon, I felt a huge piece of my identity slip away. Since college, that has been who I am - a developer at Amazon. I had power to look at and change orders, and I had knowledge about how the insides work. Now that knowledge will grow stale, and my access passwords are gone, and I am just another one of the millions of customers. I met plenty of great people there, who I will definitely keep in touch with, but it’s still a big missing piece. However, I don’t want to be identified only by my work, and I feel that the longer I stay at one place, the more likely that is. I am more than just a software developer at Amazon. I’m more than just a software developer, although that part isn’t changing. I’m trying out a smaller company, a newer company, with a different philosophy, in a new region, with new people. So much change, but it’s all for the best, I think. Facebook will be a great place to work, I can feel it. I start there in just two days, and I am excited.

Nicole and I are taking this cathartic trip down the coast to clear our heads and more formalize the move. It’s a long drive! We slugged through Washington and most of Oregon last night, and today we head down the California coast, bound for Fort Bragg. Tomorrow we’ll finish up into the city. Then Nicole flies back to Seattle, leaving me alone in San Fran. Andy is kind enough to take me in, make me his roommate for a few months. I am so excited to dig into Facebook, meet the people, learn the software and business, and create new features and fix bugs. I feel like I’m part of something really special down there.

The past few weeks have been kind of meandering. Without an anchor at Amazon, I’ve been drifting into work, spending my time training and mentoring others and trying to pass on some knowledge before I check out. I have full confidence in the team I’ve left - Jacob, Cary, Alex, Vikas, and Ed are going to do some great things with the software, as long as they have Mike to guide them. Nicole and I are moving in two phases. This past week, we moved a lot of the “unnecessaries” - things we can live without for a few months. Then we’re going to get married at the end of June, honeymoon in Costa Rica, and then back to Seattle for some intense packing and a final move. Lots of whirlwind of activity in such a short time, it’s going to be great :).

Well, back to the road trip. Here we are, driving along what some say is the most beautiful stretch of road in the country. Hopefully we’re not too tired to take it all in.

I visited Clark University today. No, I’m not looking to transfer - I was there with my brother, Scott, and my dad. He’s on his junior year college tour, and I decided last minute to tag along. At Clark, we had a tour guide who had no clue about the school. Here is a sampling of Scott’s questions and answers:

[She describes the UC].
Scott: What does the “UC” stand for?
TG: Umm … uh … University? … uh …
Scott: Maybe University Center?
TG: Oh yeah!

Q. How is the sports teams? What are their ratings?
A. Ummmm. .. I don’t do sports, maybe you can find out online?

Q. Does the BioSci building do only bio sci?
A. I don’t even know what they do here!

Q. How many courses are required for graduation?
A. Math? Counting? Huh? I’m afraid of math.

Anyway, he didn’t even bother asking about Physics. Instead he just went into the Physics building and found a professor, and chatted with him. The prof found out that Scott knew what he was talking about, and they dug into the research papers from the past several years. “1-4-di-nitro-penzine? Oh my god that’s so cool!”

Tomorrow, he’s going to more Clark classes, then off to Amherst. Should be good.

Five minutes each. That’s all they got. Yet these presenters were able to fill my head with swirling images of two-man pogo sticks and robots taking over the world. Not to mention the career advice, a computer-aided cure for autism, and an awkward yet somewhat interesting take on the world of messenger bags.

This was Ignite Seattle, a geekfest with a surprising number of women in the audience.

Tech highlights:

* Ever wondered what it would be like to not have to type in your password at every site you go to? OpenID solves that problem for you. Instead of typing in your password, you type in your “open ID” (which is just a website). Then you are taken to your own website, where you authenticate (maybe with a password) and then you are taken back to the calling website, this time with your credentials. Now the site has access to whatever data you want it to have access to.

I’m thinking this concept could be expanded. The privacy policy of the site you’re going to could be automatically checked against what data you are willing to give … i.e., if the site has a policy that it never sells your data, then you let them have your email, but if they don’t say so, then you don’t — automatically. This would be a start at giving users control over their data without the headaches of actually keeping track of the control. And your OpenID server keeps track of all the sites you’ve logged into and when, and what data you gave to each of them, so you know where you’re data is going.

* Matt Maclaurin from Microsoft talked about programming languages for eensy weensy children. Interesting … how do you get a 5 year old to program? Make it into a game.

* A program that provides therapy for autism. That could be awesome.

* Finally Mike Arcuri from Ontela.com talked about how to leave a big company. There are a lot of reasons to stay - money, “prestige”, work with smart people, make a big difference, etc. But there are often more reasons to go. And he pointed out the reasons to stay, and encouraged us all to go out and start that new chapter in our lives. Well, he didn’t say it as such, but he meant it. It made me wonder if maybe he didn’t get a payoff from all the other teams there tonight - many of them were hiring, and he probably helped them recruit more than anything else.

We live in a world where information is disseminating incredibly quickly. You can search locally based on your zip code. You can upload photos with geographic data in them. You can send emails. You can make phone calls at your fingertips. For each of these actions, some amount of information is captured. Where does that data go? And who owns it? Increasingly, I’m afraid, the answer is: not you.

I went to a talk today by Brady Forrest, author of O’Reilly Radar. He had some really cool things to talk about - new gizmos and virtual gadgets dealing with “Geocoding”, one of the hot new applications of “Web 2.0″. He showed us some new ways that data is being captured and displayed on the internet. It used to be that cameras took pictures. Later, you looked at the picture and maybe scrawled a caption on the back, and that was it. But nowadays, digital cameras store lots of metadata along with the photo, including the date and time it was taken, the model of the camera, the image format, etc. One of the key data points that is being added is the “geodata” - the latitude and longitude. Some cameras have GPS devices built in, which makes it easy. Others have GPS extensions attached. There are ways to determine location without GPS. For instance, if you happen to be anywhere near any Wifi networks (so pretty much anywhere in a big city), then Skyhook Wireless can pinpoint your location by looking up a database of known networks and locations. This location data is attached to the image, which can then be uploaded onto Flickr and mapped out. It’s available for millions of other users to then mix and match, look at, filter, whatever.

Seattle Times story about how invasive technology has become in our modern-day lives. Specifically, how much information is being collected about you during the day? This article lists a few common sources:

* Security cameras. These are everywhere and growing more pervasive.
* Email, stored on remote servers like Gmail, Yahoo. Even stored on your local ISP it is subject to sniffing on the wire.
* Cellphone company records call time and who you called. It stores location data (which cell tower you used) but does not share that with you.
* Mobil speedpass.
* Credit / debit card purchases
* Online companies to keep track of birthdays, anniversaries. Amazon does this; Ecards; lots of sites do this.
* Domino’s and pizza companies keep databases of phone numbers, names, addresses - even unlisted ones.
* GPS devices in cars (for services like OnStar, ATX)
* Automated toll devices (iPass, EZPass)
* Shopping cards (Safeway, Jewel, Costco)
* Retailers (BestBuy, Circuit City, Amazon)
* VIP services (for the rich and famous)
* Web Searches (Google, Yahoo). Any web site you go to is recorded by that web site.
* RFID keys, electronic keys. Many condos/ apartments have this. Each entry may be recorded.

All of this data. It floats around out there. Who owns it? More specifically, for each data, can you ask:

* Who looks at it normally? Usually the company will tell you “nobody”. It’s only viewed by “computers”.
* Who could look at it if they wanted to? The government could subpoena, hackers could exploit, employees almost always have full access even if they aren’t supposed to.
* How long is it kept? This is a tough one to answer. Companies don’t like to delete data, even when they should. Your data may be around for a long time, much longer than you’d think it would be relevant or useful.
* Can you ask for your data? This is tricky. Sometimes you can, sometimes you can’t. Most of the time you don’t even know what data is held or by who. Can you ask to see security camera recordings that have your face on them? What about the record of your entry to your apartment? How about your shopping history at Safeway? None these companies will give you your data - although I haven’t personally tried.
* Who can change or delete it? Can you? Can they? Do they have the right to?

This kind of technology is really cool. But it’s also terrifying. If you think about how much data was recorded about you just a few years ago and compare with today, you’ll find that it has gone up tremendously. And in the next few years, it will only continue to rise. This data can be used by many people - it’s not clear what the right mix is. The important thing to think of is this: none of the companies have an incentive to protect your data. Only you do.

Ah, if only more people had an appreciation of the
5,000 Years of Middle East History (in only 90 seconds!).

Meanwhile, notwithstanding any appreciation for Middle East history, the President believes that we should attack Iran. He also thinks
he has the right to.

Congress must proactively deny him that right. Regardless of who has what right to declare war, Bush thinks that he does, and he’ll continue to stand by that right up to when he drops nukes over Tehran.

Ouch.

Nicole and I mostly lazed about this weekend. Friday night, she was *very* sick, but by tonight, she’s gotten quite a bit better. She’s been drinking Thera-flu and lots and lots of tea. Yesterday we were both in the house most of the day, but today we got up and went out to a coffee shop for a few hours. I brought my second love with me, AKA my new Macbook Pro. We hung out for a little while. Nicole still felt pretty sick, so we came home and skipped the first Sunday of Advent. ¿Què làstima, no?

I’ve been playing a lot of guitar, and trying my best to learn some fun songs. I can tell I’m getting better, which makes me feel all accomplished. I’m sure my neighbors are sick of me by now, but whatever.

Life is okay as we go into the holiday season. Nicole and I both feel like we’re missing out on some of the holiday charm. We have put up a tree and some lights, and we have some eggnog in the fridge, so some of it’s nice … but really the holidays are all about family, and we are in short supply on that front. I think a visit home will fix that up, and I’m still basking in the Thanksgiving dose I had last week.

Quotes:

* “The Gimp”

*– nametag given to Scott at Too Much Light, due to the crutches*

* “You want me, Crutch Boy, to get you, Leg Girl, a drink?”

*– Scott, in response to Nora’s request that he hobble inside to grab her a Sprite. We gathered around the campfire Saturday night and roasted mini-marshmallows (although mostly Nora and I threw them at Eric and Nathan).*

* ” ‘I KNOOOW!’ ”

*– Nora’s impression of her schoolmate, the “queen bee”. The “I know” was in response to another student griping that her teacher had lied about her bad behavior at conferences.*

* “Oh yeah, he’s the one always looking for a hug. He walks into St. Nick’s just looking for someone to hug”

*– Mr. Pape, in reference to the newest faculty member at Loyola Academy, a scruffy-looking Mr. Heineman.*

* Tina: It’s a house divided …
Me: That can’t stand.
Tina: It can’t?
Me: Not a house divided, nope.

*– My lame punnery, Saturday night with the Regina girls at the annual “Carrie’s friends dessert”*

* “Soooo-neeeeee”

*– My dad’s attempt to pronounce the name of their new exchange student, Sanni.*