Wednesday, November 4th, 2009
This morning, my friend Marjolein Hoekstra (aka @CleverClogs) brought this blog entry by Terence Eden to my attention. In it, he suggests that Twitter’s OAuth is a “gaping security hole,” but what he really illuminates is that he totally does not understand the point of OAuth. Let me try to explain:
In the bad old days, when Twitter only allowed HTTP Basic authentication, for a third-party application to access your Twitter account you had to hand it your username and password. While this “worked,” it wasn’t ideal. Why? Well, any time you changed your password — either to stop an application from continuing to have access to your account, or out of the good “security hygiene” practice of changing your password regularly — you had to go back to every application that you wanted to keep working on your behalf and give it the new password. If you used more than a few applications, this quickly became a tedious process, as you can imagine. Again, this was less than ideal.
Eventually, Twitter rolled out OAuth, an open implementation of a cross-service authorization scheme. Each application now requests authorization to act on a user’s behalf, and that access is manageable per application rather than the all-or-nothing access that HTTP Basic auth gave. This is a huge win because it decouples the user’s Twitter credentials from a third-party application’s privileges to act on behalf of that user. You can now change your Twitter password to maintain good security hygiene without the inconvenience of updating every third-party application with your new password. You can also revoke access from a single application without, again, having to update every other third-party application with a new password.
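To make the difference concrete, here is an added toy model (my own illustration, not Twitter’s code or any OAuth library) of the two schemes: under Basic auth every application keeps a copy of the password, so a password change breaks them all; under OAuth-style tokens the password is only ever used to log in, so a password change leaves tokens intact and each application can be revoked on its own. The class names, the PBKDF2 password hashing and the random token format are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets


class BasicAuthAccount:
    """HTTP Basic model: each third-party app stores the password itself."""

    def __init__(self, password):
        self.password = password
        self.apps = {}  # app name -> the password copy that app stored

    def authorize_app(self, app):
        self.apps[app] = self.password

    def change_password(self, new_password):
        self.password = new_password  # every stored copy is now stale

    def app_can_act(self, app):
        return self.apps.get(app) == self.password


class OAuthAccount:
    """OAuth-style model: apps hold opaque tokens; the password only logs in."""

    def __init__(self, password):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password)
        self._tokens = {}  # token -> app name it was issued to

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, password):
        # constant-time comparison of the stored and computed hashes
        return hmac.compare_digest(self._pw_hash, self._hash(password))

    def authorize_app(self, app, password):
        """User proves the password once; the app receives a token, not the password."""
        if not self.login(password):
            raise PermissionError("bad password")
        token = secrets.token_hex(16)
        self._tokens[token] = app
        return token

    def change_password(self, new_password):
        self._pw_hash = self._hash(new_password)  # issued tokens are untouched

    def revoke_app(self, app):
        """Per-application revocation, like the Connections page."""
        self._tokens = {t: a for t, a in self._tokens.items() if a != app}

    def app_can_act(self, token):
        return token in self._tokens
```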
Terence, sadly, mistakes this radical improvement as a defect and a security flaw. What’s truly sad is that Terence even knows about the Twitter OAuth Connections page where one can de-authorize individual applications, yet he still missed the whole point and benefit of OAuth in the first place. How?
He suggests that “Changing a password should – in the minds of most people – mean that you need to re-enter your password even if you have previously authenticated yourself.” Is this true? Is this what “most people” (that means YOU) think? Please, let me know in the comments below if this is truly the case when you authorize an application using Twitter’s OAuth. If this is true, then the problem still isn’t what Terence suggests. It’s a matter of user education. Read this entry again and absorb the goodness that OAuth provides over HTTP Basic auth for third-party applications. Do not fall victim to Terence’s FUD.
Posted by Dossy Shiobara in Twitter | 12 Comments »
Saturday, October 31st, 2009
I know we all love this time of year with kids dressing up in cute costumes and the mounds of candy and parties, but with the current H1N1 swine flu pandemic, have we stopped to think about what we’re really doing?
Picture this: people who may be carrying the swine flu virus are handling candy that is being given out to children, who will then handle it and eat it, possibly putting their hands in their mouths in the process.
See the problem, yet?
Happy Halloween!
Posted by Dossy Shiobara in Observations | No Comments »
Saturday, October 31st, 2009
Last night, Samantha and I went into NYC to see Daniel Bauer’s “Purity” show at The Duplex Theater with my friend Ian. It was a fun show and his magic is simple but effective. The Duplex is a very small venue and the intimate setting really lets you enjoy the experience nicely.
But, that’s not the point … what I really want to write about is some introspecting I did. I’ve known that I’m an extrovert, but oddly I don’t tend to enjoy myself amongst a large number of people. I usually end up spending time with the same few people once I identify who I want to spend time with.
A while ago, I stumbled upon the definition of dissocial personality disorder, which fits me to a tee. I’m finding that the Paxil and Wellbutrin combo is helping a lot with this, but it hasn’t totally eliminated the feelings of “gee, I wish there weren’t so many people here.”
I realize that the definition of extrovert doesn’t necessarily speak to the number of people one interacts with, but merely to the fact that external interaction brings a positive effect. It’s clearly possible to be a dissocial extrovert, because I am one, but it also means that finding people I enjoy spending time with is difficult.
I just wanted to get these thoughts down in writing before they escaped my head, so I can reflect on them later, and perhaps some of you have insights to share that I may not have thought of, yet. See, there I go again, that extroverted nature which thinks better by expressing than reflecting, looking for external inputs …
Posted by Dossy Shiobara in Dossy, Dossy and more Dossy!, Observations | No Comments »
Thursday, October 29th, 2009
While waiting for my daughter at her hip-hop class, listening to folks answer their cellphones, it dawned on me that “telephone etiquette” has changed a lot. I remember the days when a person would answer their phone with a “Hello?” Now, most people seem to answer with a more casual “Yeah? Hey. What’s up?” I’m pretty sure this is quite common now, perhaps starting about 10 years ago. I think it all stems from the widespread adoption of Caller ID.
Years ago, before everyone had Caller ID, when you received a phone call you didn’t know who was on the other end. To err on the side of caution, we answered our phones more formally — the caller could be a parent, an employer, etc. But now, with everyone having Caller ID, we know who the caller is before we answer, and that familiarity results in the casual response when we answer.
Have you noticed this trend? Think there’s another explanation? Just curious …
Tags: telephone, etiquette, Caller ID
Posted by Dossy Shiobara in Observations | No Comments »
Wednesday, October 21st, 2009
ActiveState has created a Tcl Extension Archive tool called teacup which simplifies the installation of binary extensions to Tcl. It’s included with ActiveTcl, but if you’re using Tcl from MacPorts and want to use teacup, it’s fairly easy:
1. Download teacup for MacOS X
The teacup binary can be downloaded from this location:
Here is a direct link to the latest teacup binary. The file is named file.exe — simply rename it to teacup, make it executable, and put it in /usr/local/bin or another convenient place in your $PATH.
2. Create the installation repository
You will need an installation repository where teacup can store its data locally. The default location is /Library/Tcl/teapot and you can create it like this:
$ sudo teacup create
Repository @ /Library/Tcl/teapot
Created
3. Patch MacPorts tclsh to handle teapot repositories
$ sudo teacup setup /opt/local/bin/tclsh
Looking at tcl shell /opt/local/bin/tclsh ...
Already able to handle Tcl Modules.
Already has the platform packages.
Patching: Adding code to handle teapot repositories ...
Done
4. Link teacup to MacPorts tclsh
$ sudo teacup link make /Library/Tcl/teapot /opt/local/bin/tclsh
Ok
That’s it! You’re done. You should now be able to list the packages available in TEA with teacup list and install one with sudo teacup install "packagename".
I’ve tested this on MacOS X 10.6.1 Snow Leopard with Tcl 8.5.7 from MacPorts.
Tags: HOWTO, Tcl, ActiveState, TEA, teacup
Posted by Dossy Shiobara in Geeking out, Open Source, Tcl | No Comments »
November 6th, 2009 at 6:44 pm
Good question. I suspect the twitter user community who was accustomed to the old pre-oauth ways of dealing with authorization ...
November 5th, 2009 at 6:21 pm
Another question that occurred to me -- how is this different than cookies allowing access to a site when browsing? ...
November 5th, 2009 at 5:57 pm
I agree with that option as well. It largely depends on what the outstanding tokens allow access to in my ...
November 5th, 2009 at 5:48 pm
I would paraphrase what Terrence said a bit: Most users expect that when you change your password, having known the ...
November 5th, 2009 at 3:22 pm
Alex: That's a great analogy -- hopefully, that helps others understand why the "expected" behavior that Terence suggests is both ...