Dreaming Of Beetles

Recently Twitter updated their API Wiki with a new “Sign in with Twitter” page that explains OAuth in more detail and provides several “Sign in” buttons. This created a big buzz with ReadWriteWeb, TechCrunch, Mashable, and others all calling it a new entrant in the portable ID sector (OpenID, Facebook Connect, Google Friend Connect, etc.). I called BS on this as I saw the authors were premature in their predictions (plus all commenters on these stories).

One author, whom I highly respect, contacted me directly asking what my take on the story was. Here is my response (with slight modifications):

Not sure of your technical level, but I’m going to breeze through this.

There are two fundamental open source credential mechanisms – OpenID and OAuth. Most “single sign on” is based on OpenID or a variant (both Google and Facebook are embracing and extending here). The problem with OpenID is that it is http based and actually requires you to visit the issuing site to supply your credentials. This won’t work for every case, such as mobile apps or basically any non-web app. This is what I refer to as the OpenID dilemma.

With OAuth, the login process is decoupled further. So if you are on a mobile app and attempt to sign in with twitter, the app will tell you to visit twitter.com to complete the process. You visit twitter.com and are presented with a dialogue saying “so and so app is requesting authorization”. At that point you approve or deny. Once approved, the mobile app forever more has the ability to access your twitter account. As far as I know, the first large adopter of this is Flickr. It is sort of ironic that Twitter actually began the OAuth efforts years ago.

In the twitter API, the OAuth calls have been available ever since I started developing my own twitter tools. So I always wondered why OAuth was never forced on third party developers (I think this was just a smart business decision). So now we have thousands of third party twitter apps that request your username/password for use and you have no idea how reliable the apps are or the people behind them.

In an effort to increase OAuth usage, twitter added the “sign in with twitter” buttons (and also gave the OAuth calls more prominent placement on the main API page). There really isn’t anything new here except a few graphics and twitter providing a little more documentation on OAuth. You can see an example of how it actually works at twittermass.com.

So the bottom line is OpenID is used more often as a “single sign on” and OAuth is used as a security measure for API calls. This doesn’t mean OAuth CAN’T be used as for “single sign on”, but I highly doubt that it will.

Twitter is being extremely cautious with their model right now so throwing down the gauntlet of a new “single sign on” really doesn’t make sense. I have no inside information, so I could be totally wrong here.

If you have any insights on this, I would love to hear them.

Popularity: unranked [?]

Instead of updating each post with new download versions, I’ve consolidated all builds onto one page – Downloads. I have also added the mozconfig file I’m using to build the Intel Optimized Shiretoko as many have requested. I would really like to get feedback on it so that future builds get faster.

I’m not quite ready for nightlies (but getting there). I’ll also be adding some iPhone apps with provisioning shortly. I’m not going to deal with the app store just yet.

I also have some WordPress plugins that I want to release. So those will be available shortly as well.

Popularity: unranked [?]

Am I missing something with the auto-updates for WordPress plugins? When I try to do an auto-update, I get a page asking me for the ftp(s) info for my server. I’m expected to:

1. send ftps info unencrypted through the browser
2. send my credentials to an untrusted third party
3. open up my firewall so any ol’ IP can ftps to my server

Right.

Popularity: unranked [?]

Shiretoko

Update: Shiretoko 3.1b4pre is now available, some new numbers and a slightly updated FAQ.

BeatnikPad has been offering G4/G5/Intel optimized builds of Firefox 3.0.x and earlier for a number of years now and I’ve grown somewhat reliant on them. This has been a great service to the Mac community and I really appreciate all of Neil’s efforts. He is not only timely with the builds, but is very good with user support as you can see in his comments.

I’ve been using WebKit, Minefield, and increasingly Opera as my main browsers for a while now (and Bon Echo (Firefox 2)) and have recently been running Shiretoko (Firefox 3.1) to take advantage of TraceMonkey. But I’ve been longing for an Intel optimized build and haven’t found one, so I’ve made one.

Shiretoko 3.1b3pre had a SunSpider JavaScript Benchmark of 1333 and Shiretoko 3.1b4pre clocks in at 1449. The regex engine is vastly improved, while 3d/access/math took a hit. I think I can optimize further with the browser config, but don’t have time at the moment.

I’ve also made a few adjustments to the default config, namely turning on TraceMonkey and other minor tweaks to eek some additional speed out.

Go To Downloads Page

Mini FAQ

What’s the deal with all these weird names?
Non-official builds cannot use Firefox branding. I guess I could call it something else, but everyone in the dev community knows this particular version as Shiretoko.

Is Shiretoko Japanese for something?
Yes. Since dev builds are named after parks and this one is named after the Shiretoko National Park in northern Japan. (thanks Mike).

Is this going to break my existing Firefox?
No. You just cannot run them simultaneously.

Will my add-ons work?
Maybe. Firebug works and that’s all that matters to me.

Will you be doing nightly builds?
Yes. Since there is the demand for it, I will start nightlies once my current data crunching project is finished (I cannot interrupt this project every night). I expect to have this done by the end of March.

Will you build for different architectures?
No. Intel is where it’s at.

Popularity: unranked [?]

I finally realized I was about 7,000 miles from home in a foreign county.

I was in bed reading, trying to get tired at 2:30, when the call came. I needed to get to Japan immediately. I packed as fast as possible and headed to the airport without even a ticket. The prices at the various airlines were outrageous topping out at $4,500. A quick web search got me a ticket for $1,200.

Twenty hours later I arrived at my in-laws. With severe jetlag and sleeping pills flowing through my body, it all felt like a dream. Two days later I finally came to the realization of what had happened.

I won’t go into the details of why I’m here, but the trip was absolutely necessary.

I’ll be on a brief hiatus from blogging while I’m here but will continue twittering.

Popularity: unranked [?]

I used wordle.net to generate a tag cloud of my twitstream so you can see the kind of stuff I’m blabbering about on Twitter. I’m usually complaining about something or another – The “All Mail” Gmail folder in Mail.app, Frustration with Kindle for iPhone, The App Store – but sometimes I tweet some useful junk like blog announcements or problem fixes.

So follow me!

I’m working on a couple interesting posts here so don’t write me off just yet. You can also subscribe to this blog to get updates.

Popularity: unranked [?]

This is the old public/private SSH key switcharoo that allows clients to log into servers without being challenged by a password. This is one of the least secure of the SSH setups, but still beats ftp security by a long run. Here are the steps:

1. Make sure you have added the RSA key fingerprint of the server to the client’s “known_hosts” file. This is as easy as attempting to ssh to the server and answering YES to the dialogue. The key will then automatically be registered to the “~/.ssh/known_hosts” file. You don’t even need to successfully SSH to the server at this point to get the key registered. This step can actually be avoided as you will register the key in step 3 when you scp.
   
   
2. Generate the client’s SSH key. Just type
   
   

   # ssh-keygen -t rsa

   at the prompt (you want an RSA key type), then just hit enter to accept defaults for everything, including leaving the passphrase empty.
   
   

3. Move the client’s public key – “~/.ssh/id_rsa.pub” to the server. You can do something like this
   
   

   # scp ~/.ssh/id_rsa.pub hostname:/Users/clatko/

   Where you put the key on the server at this point is irrelevant.
   
   

4. Add the client’s public key to the server user’s “authorized_keys” file. On the server you can “cat” this key to the existing file by doing
   
   

   #cat id_rsa.pub >> .ssh/authorized_keys

   Also, you can add keys across users if you want, but this opens up the ability for abuse (adding a regular users key to root’s authorized_keys file, etc.).

That should do it. If this doesn’t work, you probably have a permissions problem somewhere – SSH is very picky if the wrong permissions exist on the .ssh directory or its contents. .ssh needs 700 and authorized_keys needs 400 (at the very most).

Popularity: unranked [?]

I’ve decided to create an application launch platform called Beetle Labs. The purpose is to have a public staging area where I can get feedback on different ideas. Whatever gains traction, I’ll spin off into a separate site with a new UX. Most of the stuff I put out there, I expect to fail. Failing applications just won’t receive the attention that more prominent ones do. It’ll be a sort of survival of the fittest. The first app probably won’t launch for another week or so, but I’ll announce it at that time.

Popularity: unranked [?]

I needed to copy all files with the string “_1″ in them to a separate folder and remove the “_1″. I thought I could pull this with a one liner, but that wasn’t happening. A two liner had to do:

# find . -name "*_1.jpg" -exec cp {} ../xx/ \;
# for file in *_1.jpg; do mv $file "$(basename $file _1.jpg).jpg"; done

A brief explanation of the above.

I usually use find/xargs quite a bit, such as removing .svn directories when I forget to export. This wouldn’t work in this situation, because I needed to use the result of the find as an argument within my next command and the pipe wouldn’t do. So the -exec flag of find will pass the match as an argument that can be used with the syntax {}. The semi-colon denotes the end of the command and I’m escaping it with a backslash. So this reads “find all files in the current directory that end in _1.jpg and move them to ../xx/.”

The second command I ran within the “xx” directory. The basename string manipulation let me strip the _1.jpg from the name, then I re-added .jpg and this is all within the quotes so it comes out as a single file name. So this reads “for every file in this directory that ends in *_1.jpg, rename by removing _1.jpg then adding .jpg to the end.”

I guess this could have been done in one line, but whatever.

Popularity: unranked [?]

When Safari 4 Public Beta came out, there was a mad rush to find the applications hidden preferences. Some used it to bring back the aqua loading bar, others used it to bring back tabs on bottom, and others were just curious. I’m leaving S4PB the way it is because I want to give it a chance to win me over. Here are three ways that I know of to find these hidden preferences.

1. Right click (control-click) on an application and select “Show Package Contents” from the popup. Open up the Info.plist and see if there is anything interesting to change. Also, it’s fun to poke around the Resources folder, there are all kinds of neato icons and other goodies.
2. Find all the strings in the application binary. From the command line, run this “# strings /Applications/Safari.app/Contents/MacOS/Safari”. You have to target the binary file and “Safari.app” is just a package (a glorified folder). You’ll get back a bunch of junk, but if you look closely there are gems in there like “IncludeDebugMenu” which you can modify with the “defaults” utility. If you want to turn on the debug menu, you would do “# defaults write com.apple.Safari IncludeDebugMenu -bool YES”, restart Safari and you’ll see the debug menu.
3. Read the defaults. So run “# defaults read com.apple.Safari” and you’ll get back a bunch of preferences. You can change these by using write or delete. Check out “# man defaults” for all the info.

If you know of other ways, I’d love to hear about them.

Popularity: unranked [?]