Tim Marman's Loosely Coupled

Browse by Tags

• .NET
• Advertising
• AJAX
• Apple
• Blogging
• Business
• C#
• Copyright
• DRM
• Enterprise
• Gadgets
• Google
• Innovation
• Intellectual Property
• Law
• Law School
• Marketing
• Microsoft
• Misbehaving Software
• Music
• OpenID
• PDC05
• Personal
• Privacy
• Productivity
• Programming
• Rants
• Site News
• Slashstar
• Social Behavior
• Software Development
• Tablet PC
• Technology
• Things that amuse me
• Things that bother me
• Video
• Web 2.0
• YouTube

• Security implications of MyBlogLog vs. BlogRovr

  According to a TechCrunch story , Citibank is putting a warning message up for users of comment and blog tracking services. As it turns out, there is a known issue with the coComment plug-in and, though I'm not familiar with the service, it sounds like BlogRovr also has a browser extension. Since I use MyBlogLog here, I want to re-emphasize that this message above doesn't apply to this service. MyBlogLog works by saving a cookie to your machine under the @mybloglog.com domain. When you go to a site that has included the MyBlogLog JavaScript, it can interact with that cookie and know who you are. The MyBlogLog tracking script does have some logic for tracking clicks within an IFRAME (to handle Google AdSense clicks). Since Citibank doesn't include the MyBlogLog script on their page, it doesn't interact with the service. When you're here or on any other blog that uses MyBlogLog, the service doesn't even know you were on the Citibank page much less being able to track... Posted Nov 27 2007, 03:22 PM by Tim with | with no comments Filed under: Technology, Security, Blogging, Slashstar, Site News

• The UAC security flaw in Vista

  User Account Control (UAC) is one of the key security mechanisms introduced in Vista. In the past, the default account as an administrator. Following the principle of least privilege , the default Vista account runs with limited access, and Vista detects when something requires "administrator prompts", as mocked in the most recent Mac ad. All told, this is a good thing. Unfortunately, Microsoft made some poor design decisions in the implementation, sacrificing some of the security for ease of use. Joanna Rutkowska summarizes the issue : One thing that I found particularly annoying though, is that Vista automatically assumes that all setup programs (application installers) should be run with administrator privileges. So, when you try to run such a program, you get a UAC prompt and you have only two choices: either to agree to run this application as administrator or to disallow running it at all. That means that if you downloaded some freeware Tetris game, you will have to run its installer... Posted Mar 03 2007, 03:57 AM by Tim with | with 2 comment(s) Filed under: Security, Microsoft, YouTube, Video, Apple, Advertising

• The Pros and Cons of OpenID

  The Radar team has a good post up about the pros and cons of OpenID . So what does all that mean? It means that there are a lot of people who have OpenID, but they don't have many places to use them and they probably aren't aware that they have one. It is a good step towards solving some key online identity problems through an open standard that isn't trying to solve every problem at once and is instead focusing on deployment and handling issues and requirements as they arise organically. We are overall bullish on OpenID, but the security and usability issues need to be addressed before there is wide-spread user uptake and the larger players become acceptors. We've also found the sign-in and registration to be jarring and confusing to users, but that will undoubtedly improve as partners open up (and improve) affiliate programs . As I said before, OpenID does not define the mode of authentication, only the link between the authority and requesting site. In that sense, there's no reason someone... Posted Mar 02 2007, 05:41 AM by Tim with | with 1 comment(s) Filed under: Technology, Security, Web 2.0, OpenID

• Streamburst offers innovative DRM for video

  I've already discussed the German music store using watermarks to discourage piracy , and now it seems another service is applying the same principle to video . Instead of handcuffing viewers who want to view films they purchase on multiple devices and otherwise use content legitimately in ways DRM blocks - Streamburst takes two steps to prevent movie piracy. The first is that every film begins with a 5 second display of the name of the person who purchased that copy, as it appears on their credit card. The second step is that Streamburst eliminates an undetectable but unique series of bits from each copy of a file downloaded. That idea is that the psychological barrier of being named will stop many people from illegally distributing the files and those whom it doesn’t stop can be identified by the unique series of bits stripped from whatever copies make it into illegal file sharing networks. These techniques are just as effective at preventing the bad guys as "real" DRM (that is, they... Posted Feb 28 2007, 01:46 PM by Tim with | with 3 comment(s) Filed under: Technology, Intellectual Property, Security, Innovation, Video, Social Behavior, DRM

• Google launches Google Apps Premier Edition

  As rumored yesterday , Google made a major announcement : a subscription package of premium, hosted business applications. (Man, Arrington's sources are scary good). The service combines GMail, Google Calendar, Google Talk and Google Docs & Spreadsheets for $50 per user annually. I still insist that Microsoft is well positioned to compete with a hosted version that integrates with existing Office apps. There are elements about a hosted Office that are appealing, but there are just as many that are not - particularly in publicly traded enterprises. Aside from potential downtime issues, you're placing a lot of trust in Google and its security ( which may not be the best idea ). No word on any plans for a self-hosted server like their search appliance - to me, that would be key for broader adoption and erase a lot of these security and compliance concerns. Getting back to Microsoft, I'm still puzzled that they haven't done more with Foldershare. By integrating this technology with a Office... Posted Feb 22 2007, 06:04 AM by Tim with | with 2 comment(s) Filed under: Technology, Software Development, Security, Web 2.0, Business, Microsoft, Google, Enterprise

• OpenID gaining momentum

  On the heels of Microsoft's announcement that it will support OpenID in CardSpace , AOL has become the latest major player to support OpenID . "Every AOL/AIM user now has at least one OpenID URI". This is big news. We made the decision to use OpenID as the sole authentication mechanism on a product we're building, and I'm increasingly happy with that decision. At best, we'll have no local accounts. At worst, we'll be an OpenID provider. It would be relatively trivial to expose ASP.NET membership as an OpenID provider (especially with the JanRain Server component). In fact, I'm somewhat surprised no one has done this already. If you're not familiar with OpenID, check out the brief introduction to OpenID . Posted Feb 17 2007, 07:05 AM by Tim with | with no comments Filed under: Technology, Security, .NET, Blogging, Programming, OpenID

• An Introduction to OpenID

  OpenID, which describes itself as "an open, decentralized, free framework for user-centric digital identity", has been gaining momentum and getting press in the Identity 2.0 space. The fundamental idea of OpenID is that a URI is necessarily unique and thus a good way to identify users. If you say you own a URI and can properly authenticate with the URI, then you must be who you say you are. Admittedly, this can be tricky to understand at first. Perhaps the best analogy is an open version of Passport, where you can download and run your own Passport server. When you go to Microsoft.com or MSDN, you don't log in to a "local" account - you are instead redirected to a Passport (now Windows Live ID) screen to enter your username and password. From a user perspective, OpenID is not that different as Simon Willison showed in this his screencast (embedded below). Scott Hanselman also discussed OpenID on a recent Hanselminutes and has a number of good resources (including the screencast) linked... Posted Feb 15 2007, 09:06 AM by Tim with | with 4 comment(s) Filed under: Technology, Software Development, Security, .NET, Video

• Fighting crime with technology

  Last week, the big news here in NYC that the police are going to use technology to help fight crime . "This year, we'll begin a revolutionary innovation in crime-fighting: Equipping 911 call centers to receive digital images and videos New Yorkers send from cell phones and computers something no other city in the world is doing," he said. "If you see a crime in progress or a dangerous building condition you'll be able to transmit images to 911, or online to NYC.GOV." As Bruce Schneier discusses , this is significant for two reasons. First, it will allow callers to convey much more information to 911 operators in situations where they can't also articulate what's going on. Perhaps more importantly, it will assist in the prosecution of criminals. Still Images and videos can also help identify and prosecute criminals. Memories are notoriously inaccurate. Photos aren't perfect, but they provide a different sort of evidence -- one that, with the right safeguards, can be used in court. As they... Posted Jan 22 2007, 10:31 AM by Tim with | with no comments Filed under: Security

• Safety through Chaos

  There is a theory that strict laws encourage anti-social behavior . Ultimately, these strict laws do the opposite of what they were intended to do, because they allow us to rationalize away responsibility. Along those lines, a Dutch town has eliminated nearly all traffic lights ( via Jeff ) and seen a decrease in the number of fatal accidents. "It works well because it is dangerous, which is exactly what we want. But it shifts the emphasis away from the Government taking the risk, to the driver being responsible for his or her own risk. As Brian commented , this is all about relying on personal accountability instead of explicit control measures. When someone else considers the risk and creates the rules, we get lazy about the risk analysis and management process. It doesn't help that these are familiar risks, and we tend to underestimate these types of risks . Posted Jan 10 2007, 03:17 AM by Tim with | with 1 comment(s) Filed under: Security, Social Behavior

• If you can read a file, you can copy it

  Raymond reminds us that there is no "Copy" access mask because copying is not a fundamental file operation . Copying a file is just reading it into memory and then writing it out. Once the bytes come off the disk, the file system has no control any more over what the user does with them. Something to keep in mind when designing your web applications. Once you send something to the client, you inherently give up control over what can be done with that information. Posted Jan 09 2007, 09:42 AM by Tim with | with no comments Filed under: Technology, Software Development, Security, AJAX, .NET