kdmurray.blog

The crossroads of life and tech

Tag Archives: services

Security for Client Applications: OAuth

Recently I was listening to Security Now when the topic of OAuth keys being hacked out of Android applications came up. There was some discussion on how services that require OAuth for authentication (as Twitter now does) cause problems for client applications. (NB: In this post I’m referring to client applications specifically as something that the end user downloads to their PC or other device.) The case was made that the problem is that OAuth was not written for client development, and is really only secure when running from a web-server.

The key to the “vulnerability” with OAuth is that each application is given its own key. That key ties any request made to the service (Twitter for example) to the application which owns the key. The concern was that if the key falls into the wrong hands users’ personal information could be put at risk. With the key needing to reside somewhere that the application can read it, they’re typically stored within the application code which makes finding the key a trivial matter for a hacker.

The thought occurred to me that if you need to access a web-based service which requires OAuth, it might be helpful to have an intermediary service handle that authentication for you. By adding a service tier which authenticates a specific user of your application and performs all of the direct interaction with the service there’s no need to keep the OAuth keys on the client which makes them much more difficult to compromise.

Stack Overflow – Where Experts Exchange Information

soLast year a new Q&A site for developers called Stack Overflow was opened to the public. We covered the site a bit on an episode of the AGP a few months back, but I just realized the other day that I hadn’t posted about it here.

The site is focused on the interaction between software developers which is truly how most of us learn the best — by working with, interacting with and drawing on the wisdom of other developers.

The site draws on a whole bunch of different elements that set it apart from other Q&A sites.  Creator Jeff Atwood describes Stack Overflow as a free Q&A site that’s built and maintained by the community of developers.

While the site was built to answer developers’ questions, it also has some stiff competition in the form of the Experts’ Exchange.  Most developers know about EE, and are annoyed by the fact that the site purports to charge money for access to the answers to development questions.  As it turns out, it’s all available for free, you just need to look around a bit harder to find stuff.

Stack Overflow has been built with transparency and ease of use in mind since its inception; the model is to get as many eyeballs on a question as needed to get a good answer.  Good questions and good answers are up-voted by the community — similar to the way Digg works, except it’s harder to game the system.  Up-votes provide reputation points which at lower levels unlock some of the site’s features.  The site also gives out badges for meeting certain goals on the site, based on the ability to get badges or special goals on Xbox live.

Jeff Atwood’s passion is around developing software from a more human perspective. Much of the design of the site for Stack Overflow, and the code behind it are based on driving positive behaviours within the developer community.  Instead of lots of hard-and-fast rules, there are easy ways to do good things, and more difficult ways to do things that shouldn’t be overdone.

As a side-note, Stack Overflow’s codebase is written in C# using the ASP.NET MVC framework, and has been in use since the very early CTP days of MVC.  It’s a great example of the power that can be brought to bear on the web with this toolset.

I love the site, it’s been a great resource for me for the past year or so, and I highly recommend it to anyone who has a development dilemma that they need to solve.

Goodbye Grand Central, Hello Google Voice!

google_voiceGoogle today announced a new service to (some of) it’s customers called Google Voice. The service works very similarly to Grand Central (which the big G acquired back in 2007).

The system allows you to create a single phone number, to which you can aggregate other numbers to have a unified system for voice and messaging.

I’ve been trying to get myself a Grand Central account for several months, but I guess with the lead up to the Google Voice launch they haven’t been creating new numbers for people.  It looks, from a post on the Google Voice help site, that the service will be rolling out over the next few weeks.  The service will first be made available to existing Grand Central users, and rolled out to the rest of the great unwashed as it matures in the next few months.

There’s no indication at this stage if the service will be geographically limited but I suspect that, intitially at least, the service will only offer US-based phone numbers at launch.

Twitter Acquires Sandy and Stikkit

twitter logoHere’s a clip of a post I did over on the AGP Blog about the acquisition of Sandy & Stikkit by Twitter. It’s going to be very interesting to see what Twitter decides to do with the newly acquired technology, particularly in the wake of reduced services in nearl every country outside the US (read: no more SMS!!!).  Here’s a clip from the feature-length version:

Twitter has snapped up the IP behind a couple of popular Web 2.0 services.  I Want Sandy and Stikkit were both acquired by Twitter a few weeks ago.  The services were originally scheduled to go offline last week, but this window has been extended until the end of business (17:00 PT) this Friday, December 19th.

Check out the original post over on the AGP blog.

Time will tell…

Get more written: Write or Die

I came across this web application a few weeks back while listening to AmberMac‘s dulcet tones on CommandN #156.  The application is called Write or Die written by Dr. Wicked, and its aim is to make you a more productive writer.

Write or Die provides you motivation to write not based on the positive reinforcement of a job well done but on the fear of a web-based application inflicting consequences upon you.  Write or Die offers varying levels of “difficulty” from forgiving through to evil, and three types of consequences.

  • Gentle mode provides a polite pop-up reminder to keep writing
  • Normal mode plays REALLY awful music/sounds in the background
  • Kamikaze mode will begin deleting one word per second while you’re delinquent

The fear of having one’s work deleted is a serious motivator to keep writing.

If you’ve got a writing project to do whether it’s a paper for school like me, or you’re participating in a novel-writing event (WoD was originally built for authors participating in NanNoWriMo) give Write or Die a try.