
Twitter has problems. Or Twitter users have problems. It depends on how you see things. Not only were passwords sold together with a Twitter application (see my recent post on the topic), but users also got phished and the accounts of some celebrities got hacked. Really bad news!

Now people think Twitter needs better authorization methods for third-party applications and demand an OAuth implementation. Even a website was launched: Please, Twitter, Implement OAuth Now!. Indeed, OAuth is a solution and it’s great that more people feel the need for safer authorization. While it is a noble initiative, I feel a little bit uncomfortable when I see some blind retweets of the message on Twitter. Basically, there are two reasons:

  1. OAuth would not have prevented the recent phishing and hacking attacks. To quote Twitter co-founder Biz Stone:

    We plan to release a closed beta of the open authentication protocol, OAuth this month but it’s important to note that this would not have prevented a Phishing scam nor would it have prevented these accounts from being compromised. OAuth is something we can provide so that folks who use third party applications built on the Twitter API can access their data while protecting their account credentials.

  2. While you could argue that Twitter somehow encouraged users to give away their passwords to third-party sites, we should not forget that the users themselves helped get their accounts compromised. For convenience’s sake or a tiny feature (by the way, did any of those people request those features from Twitter?), some of the self-proclaimed internet elite were happily passing their passwords to other sites. Not just once, but many times.

I am 100% pro-OAuth on Twitter but users have to think about what they do on the web and who they trust. OAuth on Twitter is just a small relief for users. There are other sites and other risks as well. Think!


When talking or writing about technology and the web, most of us have a very narrow view of what’s going on in the world. We only seem to notice what is happening in the Western hemisphere, sometimes even focusing only on the US. For example, most people don’t know the biggest social networking sites in Asia, or that some of them are even bigger than Facebook.

The same applies to OpenID. Mostly unnoticed by tech blogs, OpenID has become quite popular in Japan. The OpenID Foundation Japan lists some fairly popular companies from all kinds of industries among its corporate members, a total of 41 members. Companies include Oki, Hitachi, airline JAL, NEC, and credit card company JCB, but also social networks like Mixi. While not all of those companies have implemented OpenID yet, I think it is great to have support from such industry heavyweights.

But it is not only industry support for OpenID that is growing in Japan. Consumers know about and use OpenID. According to the chart below - lifted from a presentation by Nat Sakimura, who is also a member of the OpenID Foundation Board - 28% of Japanese consumers know about OpenID and 15% are actually using it.

Consumer Adoption of OpenID in Japan

While adoption could be bigger, I think these numbers are quite impressive as they show rapid growth (usage numbers for August are missing in the chart, though). Those numbers are also supported by another fairly interesting aspect: OpenID ranks number three among the biggest IT buzzwords in Japan, higher than Firefox and Google Chrome.

Since Nat Sakimura has been elected as a community member of the OpenID Foundation board, I hope he can help make OpenID successful in the rest of the world as well.


It had to happen sooner or later and it’s just surprising that it did not happen earlier: Yesterday Twitter passwords were sold! Well, actually Twply was sold after just one day of operation for the ridiculously tiny sum of $1,200. Twply was a service sending @replies via email to Twitter users. And to do just this it demanded people’s Twitter usernames and passwords.

However, Twply is not the only “service” that demanded people’s usernames and passwords. Services that extend Twitter’s functionality are especially notorious in that respect. Other services want people’s Gmail passwords, which might cause even more damage to users considering that their AdSense data, emails, calendars, and whatnot are at stake. Users have to be educated that it’s definitely not in their best interest to give away their passwords to other web-based services. There are alternatives available: Portable Contacts and OAuth. With those open standards, services can access e.g. contacts data from other services without demanding passwords. Users are in full control of what’s happening and are able to revoke access at any time. This will be the end of the password anti-pattern described by Jeremy Keith.
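The contrast between handing over a password and granting a scoped, revocable token, as an added example that is not part of the original post. It is a simplified model of delegated access, not the OAuth wire protocol; the `Provider` class, the app names, the scopes and the password values are all hypothetical and constructed.

```python
import hmac
import secrets


class Provider:
    """Toy service provider (hypothetical stand-in for Twitter or a webmail host)."""

    def __init__(self, password):
        self._password = password
        self._grants = {}  # token -> (app name, frozenset of scopes)

    def login(self, password):
        # A password carries every right the account has, whoever holds it.
        return hmac.compare_digest(password, self._password)

    def change_password(self, new_password):
        self._password = new_password

    def authorize(self, app, scopes):
        # The user approves the app at the provider; the app only ever sees a token.
        token = secrets.token_urlsafe(16)
        self._grants[token] = (app, frozenset(scopes))
        return token

    def revoke(self, app):
        self._grants = {t: g for t, g in self._grants.items() if g[0] != app}

    def allowed(self, token, scope):
        grant = self._grants.get(token)
        return grant is not None and scope in grant[1]


def password_sharing_demo():
    p = Provider("pw-constructed-1")
    shared = "pw-constructed-1"           # same secret handed to two third-party apps
    before = p.login(shared)              # each app has full control of the account
    p.change_password("pw-constructed-2") # the only way to cut one app off
    return before, p.login(shared)        # every app is locked out together


def token_demo():
    p = Provider("pw-constructed-1")
    mailer = p.authorize("reply-mailer", {"read_replies"})
    importer = p.authorize("contacts-importer", {"read_contacts"})
    can_read = p.allowed(mailer, "read_replies")
    can_post = p.allowed(mailer, "post")  # outside the granted scope
    p.revoke("reply-mailer")              # e.g. after the app changes owner
    return (can_read, can_post,
            p.allowed(mailer, "read_replies"),
            p.allowed(importer, "read_contacts"))
```
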

Plaxo and the password anti-pattern

Plaxo has been championing open standards for a long time now. Its engineer Joseph Smarr is one of the driving forces behind Portable Contacts and other related standards, and he is a really smart guy. What’s really disappointing about Plaxo, though, is that it continues to collect passwords for webmail clients:

password anti-pattern

Plaxo knows better but still demands passwords. Maybe Plaxo doesn’t store passwords, but how many services claim the same? Users can’t control it. Recently, though, Plaxo’s head of marketing, John McCrea, sent an interesting tweet:

John McCrea on webmail clients

Well, this sounds cool. At first. But what he is really saying here is: Hey, as long as those big guys [he means Google, Yahoo!,...] don’t support the standard we want them to support, you have to give us your passwords.
Shouldn’t Plaxo explain to its most valuable asset, its users, that it no longer supports the password anti-pattern? One day Plaxo might switch to Portable Contacts and OAuth to import contacts, but in the meantime it has educated its users to give away their passwords. Will it re-educate them? Wouldn’t it be easier to say that currently there is no convenient and secure way to import contacts but that Plaxo will work on it?

I singled out Plaxo here not because I hate the service but because I really like it. I want it to do better. But John McCrea’s statement is at least a little bit hypocritical.


Back

[Image by Zay_Kureshi]

A few months have passed since I announced the end of this blog - well, a little bit prematurely as I have to admit now. Back in summer I was just sick of blogging, especially tech blogging, but I never really stopped reading blogs and tried to keep myself informed as much as I could without wasting too much time. The virus is still there, I guess. ;)

So, what will change with this relaunch? I will focus more on everything “open” - OpenID, of course, the open web, the so-called Open Stack, and everything else related to it. I wrote about those topics before and currently there is quite a lot happening in this realm, so it is probably consistent to write about it.
Music, football, and other off-topic stuff won’t get mentioned here anymore. Some people might regret this decision, but I think it should be clear to readers what the blog is about. I have seen this blog being linked as a source for netaudio reviews. That is certainly misleading: even though I reviewed releases in the past, it wasn’t really a focus.

I would be very happy if some of the old regular readers were still around. It would be great to read some comments from familiar names. Nostalgia, you know. Though I don’t mind new readers either. So, let’s see how this blog will shape up, but please don’t expect a new post each day. I don’t want to put too much pressure on myself. Also, there are still some glitches with the new theme, but hopefully I will be able to fix them rather soon.

Oh, I almost forgot: Happy New Year to all of you!
