Comments for Mason Lee http://masonlee.org home page and weblog Fri, 18 Dec 2009 23:23:34 +0000 http://wordpress.com/ hourly 1 Comment on Twitter.com passwords compromised? by maht http://masonlee.org/2009/12/18/twitter-com-passwords-compromised/#comment-249 maht Fri, 18 Dec 2009 23:23:34 +0000 http://masonlee.org/?p=215#comment-249 The Twitter developer notes tell you to start by using HTTP auth in the clear http://apiwiki.twitter.com/Things-Every-Developer-Should-Know#8AcommandlineisallyouneedtousetheTwitterAPInbsp without telling you that it gets sent in the clear : Post a status update and get the resulting status back as JSON: curl -u username:password -d status="your message here" http://twitter.com/statuses/update.json The Twitter developer notes tell you to start by using HTTP auth in the clear

http://apiwiki.twitter.com/Things-Every-Developer-Should-Know#8AcommandlineisallyouneedtousetheTwitterAPInbsp

without telling you that it gets sent in the clear :

Post a status update and get the resulting status back as JSON: curl -u username:password -d status=”your message here” http://twitter.com/statuses/update.json

]]> Comment on Twitter.com passwords compromised? by Graham http://masonlee.org/2009/12/18/twitter-com-passwords-compromised/#comment-248 Graham Fri, 18 Dec 2009 20:39:40 +0000 http://masonlee.org/?p=215#comment-248 During the hack, Echofon on my Mac refused to connect, citing a problem verifying the certificate for the Twitter API. I was pretty encouraged to see that - it's consistent with the good experience I've had with Echofon and its variants. Echofon Pro on my iPhone worked not long before, but that may have been before the hacked DNS records propagated to the relevant local DNS caching server. I'd be surprised if the desktop version handled authentication much differently than the iPhone version. It'd be easy enough to test. m0n0wall and pfSense both make it easy to setup your own DNS records for local use, overriding whatever is actually in DNS. Regardless, I'm going to change my password just as soon as their web login stops returning a '503' after successful auth. :) During the hack, Echofon on my Mac refused to connect, citing a problem verifying the certificate for the Twitter API. I was pretty encouraged to see that – it’s consistent with the good experience I’ve had with Echofon and its variants.

Echofon Pro on my iPhone worked not long before, but that may have been before the hacked DNS records propagated to the relevant local DNS caching server. I’d be surprised if the desktop version handled authentication much differently than the iPhone version.

It’d be easy enough to test. m0n0wall and pfSense both make it easy to setup your own DNS records for local use, overriding whatever is actually in DNS.

Regardless, I’m going to change my password just as soon as their web login stops returning a ‘503′ after successful auth. :)

]]> Comment on Is the web sticky enough? by Mason Lee http://masonlee.org/2009/08/21/is-the-web-sticky-enough/#comment-245 Mason Lee Mon, 23 Nov 2009 23:29:41 +0000 http://masonlee.wordpress.com/?p=91#comment-245 The Tag URI scheme (RFC4151) looks like a nice method for minting URIs that are globally unique across time. They aren't network resolvable by nature, though. http://www.ietf.org/rfc/rfc4151.txt The Tag URI scheme (RFC4151) looks like a nice method for minting URIs that are globally unique across time. They aren’t network resolvable by nature, though.
http://www.ietf.org/rfc/rfc4151.txt

]]> Comment on RssCloud Atom Extension by Matt Terenzio http://masonlee.org/2009/09/11/rsscloud-atom-extension/#comment-244 Matt Terenzio Mon, 02 Nov 2009 02:36:58 +0000 http://masonlee.wordpress.com/?p=127#comment-244 Hmm, didn't see this until Dave just linked to it. Seems IP issue fix underway with the advent of the domain parameter. I guess you mean registerprocedure should be optional since it is empty on HTTP Post. Makes sense. No big deal. lastly, I believe there has been talk on PSHB list about the order of the hub elements in the document actually implicitly stating their priority. What do you think of that? Hmm, didn’t see this until Dave just linked to it.

Seems IP issue fix underway with the advent of the domain parameter.

I guess you mean registerprocedure should be optional since it is empty on HTTP Post. Makes sense. No big deal.

lastly, I believe there has been talk on PSHB list about the order of the hub elements in the document actually implicitly stating their priority.

What do you think of that?

]]> Comment on Is the web sticky enough? by Mason Lee http://masonlee.org/2009/08/21/is-the-web-sticky-enough/#comment-226 Mason Lee Wed, 07 Oct 2009 00:56:16 +0000 http://masonlee.wordpress.com/?p=91#comment-226 Just found this briefing paper on the same topic: http://www.digitalpreservationeurope.eu/publications/briefs/persistent_identifiers.pdf Just found this briefing paper on the same topic:
http://www.digitalpreservationeurope.eu/publications/briefs/persistent_identifiers.pdf

]]> Comment on RssCloud Atom Extension by Mason Lee http://masonlee.org/2009/09/11/rsscloud-atom-extension/#comment-212 Mason Lee Sun, 13 Sep 2009 08:13:13 +0000 http://masonlee.wordpress.com/?p=127#comment-212 Hi, Joseph. Thanks for looking it over. (And thanks for RssCloudifying my wordpress blog!) I haven't yet heard anyone suggest improvements to rssCloud that would affect this part of the spec, but actually I can think of two: 1. The "registerProcedure" attribute should be optional. 2. If multiple cloud elements are allowed for a single feed, each could have an optional "priority" int attribute to say, "This one is primary, this one is backup." 10, 20, 30, etc. Neither seem strictly necessary though. Not as important as fixing the "same-IP" issue, which I was happy to hear on the BadHair.us podcast Dave agrees is worth consideration. Hi, Joseph. Thanks for looking it over. (And thanks for RssCloudifying my wordpress blog!)

I haven’t yet heard anyone suggest improvements to rssCloud that would affect this part of the spec, but actually I can think of two:

1. The “registerProcedure” attribute should be optional.
2. If multiple cloud elements are allowed for a single feed, each could have an optional “priority” int attribute to say, “This one is primary, this one is backup.” 10, 20, 30, etc.

Neither seem strictly necessary though. Not as important as fixing the “same-IP” issue, which I was happy to hear on the BadHair.us podcast Dave agrees is worth consideration.

]]> Comment on RssCloud Atom Extension by Joseph Scott http://masonlee.org/2009/09/11/rsscloud-atom-extension/#comment-211 Joseph Scott Sat, 12 Sep 2009 22:57:05 +0000 http://masonlee.wordpress.com/?p=127#comment-211 I think this looks like a reasonable approach to adding rssCloud support to Atom. Might be worth waiting to move forward on this until any tweaks/adjustments to the original rssCloud details are made. Once folks are confident that the issues have been addressed your proposed extension could be updated and reviewed in more detail. I think this looks like a reasonable approach to adding rssCloud support to Atom. Might be worth waiting to move forward on this until any tweaks/adjustments to the original rssCloud details are made. Once folks are confident that the issues have been addressed your proposed extension could be updated and reviewed in more detail.

]]> Comment on Thoughts on .Tel and WebFinger by Mason Lee http://masonlee.org/2009/08/20/thoughts-on-tel-and-webfinger/#comment-205 Mason Lee Wed, 26 Aug 2009 09:43:11 +0000 http://masonlee.wordpress.com/?p=75#comment-205 HTTPS does have certificate authorities to mitigate DNS-spoofing, and the UIs for presenting CA-verified identities are getting pretty good, as can be seen, for example, in recent Safari and Firefox releases. What is Telnic's position on rolling out DNSSEC for .tel? HTTPS does have certificate authorities to mitigate DNS-spoofing, and the UIs for presenting CA-verified identities are getting pretty good, as can be seen, for example, in recent Safari and Firefox releases.

What is Telnic’s position on rolling out DNSSEC for .tel?

]]> Comment on Is the web sticky enough? by Mason Lee http://masonlee.org/2009/08/21/is-the-web-sticky-enough/#comment-204 Mason Lee Tue, 25 Aug 2009 09:13:09 +0000 http://masonlee.wordpress.com/?p=91#comment-204 Textbook examples of Atom feed elements use GUIDs as IDs. The nice thing about these is you don't need a central authority to generate them, they are just probably unique. Here is a scheme for generating them and for representing them as URIs: http://www.ietf.org/rfc/rfc4122.txt RFC 4122 uses 128 bit IDs. Using 256-bits would get you almost enough IDs to assign one to every atom in the universe (Est. 10^80). (Did God use 256-bit IDs and run out of space?) How resource IDs fit in with versioning is an interesting question... Textbook examples of Atom feed elements use GUIDs as IDs. The nice thing about these is you don’t need a central authority to generate them, they are just probably unique. Here is a scheme for generating them and for representing them as URIs:

http://www.ietf.org/rfc/rfc4122.txt

RFC 4122 uses 128 bit IDs. Using 256-bits would get you almost enough IDs to assign one to every atom in the universe (Est. 10^80). (Did God use 256-bit IDs and run out of space?)

How resource IDs fit in with versioning is an interesting question…

]]> Comment on Is the web sticky enough? by Mason Lee http://masonlee.org/2009/08/21/is-the-web-sticky-enough/#comment-203 Mason Lee Tue, 25 Aug 2009 09:05:20 +0000 http://masonlee.wordpress.com/?p=91#comment-203 @plaggypig Thanks. I agree, the re-assignability of memorable names is important for some systems. An audit trail maintained at the DNS level wouldn't be able to tell you if path-named resources were reassigned. Can you explain more your thinking? @plaggypig Thanks. I agree, the re-assignability of memorable names is important for some systems. An audit trail maintained at the DNS level wouldn’t be able to tell you if path-named resources were reassigned. Can you explain more your thinking?

]]>