On KISSmetrics

I think Hiten Shah, CEO of KISSmetrics, is too distracted with recent lawsuits to understand the mistake his company made: not looking out for their customers.

The legality of using ETags for tracking, or of reusing the same ETag hash across domains, is unclear and should be settled through the legal process. What is clear, however, is that the practice raises suspicions and invites accusations against their loyal customers, not just KISSmetrics.

KISSmetrics should have foreseen this but apparently either did not, or did but failed to act before it blew up. I hope my two cents’ worth will help them learn and improve their service. Lawsuits may come and go, but lessons learned will stay with you.

An ounce of foresight is worth a pound of hindsight.

Excuses make poor stain removers.


Filed under: General

Cinemetrics

Cinemetrics is a promising example of an Identicon, IMO. Similar efforts have been made for audio clips.

Cinemetrics aims to create a visual “fingerprint” for film using the editing structure, color, speech and motion.

The design challenge in generating an interesting ‘fingerprint’ depends largely on the target audience. Multimedia production is a very iterative process resulting in many variations and combinations, so if the target audience is film editors, the challenge is in finding ways to emphasize differences without sacrificing similarity.


Filed under: General, Technical Tagged: identicon

Identicon and Robohash

This post is a dump [for archival purposes] of an exchange between Colin Davis, creator of Robohash, and me that took place in the context of a Hacker News discussion about Robohash. Colin:
Identicons are a great idea, I really love them.. They’re a good solution to a gut-check “Something is wrong here..” Sort of like an SSH fingerprint. The problem I’ve had with them is that they’re generally not all that memorable. Was that triangles pointing left, then up, or up then left? This is my attempt at addressing that problem for my own new project, but I’d love to see what you build! If you want to use these images, feel free. They’re CC-BY, so they’re open to the world now ;)

Don:
Re ‘not all that memorable’, that’s because identicons were originally designed for ‘distinguishing’ and ‘matching’ data, not ‘memorizing’. Abstract geometric identicons like my original implementation, as well as the variations used at WordPress and StackOverflow, are, while nearly impossible to remember, distinguishable in a pile, which comes in handy when distinguishing the ‘voice’ of individuals in a long thread of comments. To use identicons as permanent identity, one has to ‘identify’ with their identicon. We can identify faces of our friends because we shared memories with them, stories if you will. So robotic identicons like yours can be made more memorable if users had some way to create a story they can associate with it, like ‘blue viking with left arm missing’, etc.
Colin:
That makes a lot of sense. I wasn’t trying to be disparaging. It’s a great idea, and very helpful, I just felt like it could go in a slightly different direction for this specific use-case (Public Keys).
Don:
I think an interesting way to apply identicons to certs is to map each cert attribute to an ‘attribute’ of the identicon, visualizing the attributes.


Filed under: General, Technical Tagged: identicon

What is Identicon?

The word identify has two meanings:

  1. Establish or indicate who or what (someone or something) is.
  2. Recognize or distinguish.

I chose the name Identicon with the second meaning in mind, to convey that Identicons’ intended applications are in helping users recognize or distinguish textual information units in the context of many.

Textual Data Problem

Human eyes have evolved to recognize individual objects out of a group by noticing visual differences. Unfortunately, textual data are visually similar.

While many different typographic features and techniques have been invented since writing was invented, most of them are for free-form text. Additionally, list and table layouts lack the irregular features free-form text has, like line ends and paragraphs, to use as landmarks.

Icon Solution

Icons do add the necessary visual differences to textual data. The only problem is that icons are typically designed by hand or, in the case of avatars, photos or pictures have to be uploaded.

Identicon = Generated Icon?

One might say Identicons are simply generated icons. The first implementation of Identicon used a salted hash of the commenter’s IP address to generate a 9-block colored icon for each blog commenter. The most popular use of Identicon today remains generated iconic avatars.

I think it’s a bit more. Certainly, the generated part is required. But the icon part is unnecessarily restrictive, unless a colored circle or box can be called an icon.


Filed under: General, Technical Tagged: identicon

Identicon and QR Code

I was recently asked to provide some information on identicons, a good excuse to restart blogging.

This post, more like notes actually, compares Identicons to QR codes, which may seem similar visually but are not.

WARNING: I think in random fragments, brief moments of coherency, so my posts will be the same.

Machine vs People

Content

  • QR codes are containers of information.
  • Identicons are shadows of the information they are associated with.

Usage

  • QR codes are used to transfer information from real-life (RL) objects to computers using only optical means.
  • Identicons are used to distinguish individuals or groups of information.

More to come later. Sorry.

Filed under: General, Technical Tagged: identicon

Installing sqlite3-ruby gem on Snow Leopard

Problem:

After upgrading to Snow Leopard, I had to rebuild/reinstall MacPorts and RubyGems as recommended. While doing this, I found that the sqlite3-ruby gem install failed with errors related to the extconf.rb file.

Solution:

Not sure why this works, but I found a working solution on StackOverflow which replaces:

/usr/local/lib/libsqlite3.dylib

with a symbolic link to the one that came with Xcode for Snow Leopard:

/Developer/SDKs/MacOSX10.6.sdk/usr/lib/libsqlite3.0.dylib

You can find the full ‘ln’ command on the StackOverflow page above, but be sure to rename the original in case you need to restore it.


Posted in General, Technical Tagged: ruby, sqlite3, tech

Using JSP with Jersey JAX-RS Implementation

This post shows you some tips you’ll likely need to use JSP with Jersey in typical Java webapps.

Tested Conditions

While Jersey 1.1.1-ea or later is probably the only hard requirement for these tips to work, my development environment is listed here for your information. You are welcome to add to this rather meager basis for sanity.

  1. Jersey 1.1.1-ea
  2. Tomcat 6.0.20
  3. JDK 1.5
  4. OS X Leopard

Change JSP Base Template Path

The default base path for templates is the root of the webapp. So if my webapp is at “/…/webapps/myapp”, then Viewable(“/mypage”, null) will map to “/…/webapps/myapp/mypage.jsp”.

To change this, say to “/WEB-INF/jsp” as is commonly done for security reasons (the container never serves files under WEB-INF directly, so the templates are reachable only through a forward), add the following init-param to the Jersey servlet/filter in web.xml:

<init-param>
 <param-name>com.sun.jersey.config.property.JSPTemplatesBasePath</param-name>
 <param-value>/WEB-INF/jsp</param-value>
</init-param>

Return Viewable as part of Response

It was not obvious to me (doh) where Viewable fits into Response when I have to return a Response instead of a Viewable. It turns out Viewable can be passed wherever a message body entity is passed. Example:

return Response.ok(new Viewable("/mypage", model)).build();

Use “/*” as servlet-mapping for Jersey

The primitive servlet-mapping URL pattern scheme, which somehow survived many iterations of the servlet API, hits JAX-RS hard if the servlet-mapping is overly broad. Unfortunately, pretty RESTful URLs call for a servlet-mapping of “/*” instead of something like “/jersey/*”, which breaks access to JSP files as well as static resources.

To work around this, you’ll have to use Jersey as a filter instead of a servlet and set a regular-expression init-param value to punch passthrough holes in Jersey’s routing scheme. To enable this, replace the Jersey servlet entry in web.xml with something like this:

<filter>
 <filter-name>jersey</filter-name>
 <filter-class>com.sun.jersey.spi.container.servlet.ServletContainer</filter-class>
 <init-param>
  <param-name>com.sun.jersey.config.property.WebPageContentRegex</param-name>
  <param-value>/(images|js|styles|(WEB-INF/jsp))/.*</param-value>
 </init-param>
</filter>
<filter-mapping>
 <filter-name>jersey</filter-name>
 <url-pattern>/*</url-pattern>
</filter-mapping>

That’s all for now. Hope this post saved you some headaches.


Posted in General, Technical Tagged: java, jax-rs, jersey, jsp

Firefox Extension Developer Tips

Just a couple of tips for Firefox extension developers, hard earned after many hours of head scratching. Not adhering to either tip will confuse Firefox, and the XPCOM component will fail to load.

XPCOM components get loaded before chrome is loaded.

[Update: The most common problem related to this is that the Components.utils.import call fails during launch with an NS_ERROR_FAILURE exception. To fix this, wait until the app-startup notification is received before importing JavaScript modules.]

This means anything defined in chrome.manifest won’t be available until the “app-startup” event is observed. Note that the resource URI scheme “resource://” introduced in Firefox 3 uses resource directives in chrome.manifest, which means you should defer Components.utils.import calls until “app-startup”.

XPCOM components implemented in JavaScript should be defined as a plain object, not a function.

So it should look something like this:

var MyServiceModule = {
  registerSelf: function(compMgr, fileSpec, location, type) {
    ..
  },
  ..
};

Posted in Technical Tagged: Components.utils.import, firefox, NS_ERROR_FAILURE, tips, XPCOM

Real-Time State of Mind

I need to get back to blogging more often. Having to type more than 140 characters feels weird. ;-) Given that I’ll be attending TechCrunch’s Real-Time Stream CrunchUp this Friday, I thought a blog post on a key real-time stream problem would help me into a real-time state of mind. Real-time streams have many technical problems to overcome, many of which are thankfully being resolved by advances in technology and infrastructure, but the problem that interests me the most is the user experience problem:
Information, real-time or otherwise, is meaningless if users are drowned within it.

Typical Twitter users see only a fraction of the tweets from the people they follow. The notion of Top Friends (related to my social radar diagram from 8 years ago) will help, but at the cost of additional chores users have to do to separate the greens from the weeds. The financial industry has used real-time streams for a long time, so there is a lot to learn there technically. But when it comes to user experience, they haven’t cracked the nut either, forcing traders to use a bewildering number of charts and numbers on multiple displays and input devices to trade. So we emerging consumer real-time stream developers will have to break new ground ourselves.

Posted in Technical Tagged: realtime, stream, ui

Fixed Aptana RadRails GEM_LIB issue on m…

Fixed the Aptana RadRails GEM_LIB issue on mac by linking ‘/Users/{user}/.gem/ruby/1.8/gems’ to ‘/usr/local/lib/ruby/gems/1.8/gems’. I can’t blame Aptana for this since it was me who chose to use a tool built by a company that spread itself too thin. I doubt they have more than a couple of engineers working on RadRails, which is not enough to provide the necessary quality across the range of environments Aptana is unfortunately being asked to support.


Posted in General Tagged: aptana, gem_lib, radrails, wtf

HTML5 Microdata Fantasy

I haven’t been tracking HTML5 design efforts lately, but what’s being proposed for microdata (see posts by Sam Ruby and Shelly Powers) yucked me sufficiently to revisit an old fantasy of mine about HTML (man, what a boring life I have). My fantasy was to add a general element/structure definition facility to HTML. It could easily be extended to support microdata as well.

The way I envisioned it being used is like this:

<address>
<street>123 ABC St.</street>
<city>Foobar</city>
<state>CA</state><zip>94065</zip>
</address>

which sure is preferable to:

<div item>
<span itemtype="street">123 ABC St.</span>
<span itemtype="city">Foobar</span>
<span itemtype="state">CA</span>
<span itemtype="zip">94065</span>
</div>

As to how semantic structures and syntactic sugar can be defined, one very arbitrary way could be:

<head>
<def name="address" package="http://test.com/1/mapking"
    params="{{street city state zip}}">
  <div>
    <span>{{street}}</span>
    <span>{{city}}</span>
    <span>{{state}}</span>
    <span>{{zip}}</span>
  </div>
</def>
</head>

I don’t have any illusions that this fantasy has even a tiny chance of coming true, though. Besides, it’s like a beggar asking for caviar when any kind of microdata support will satiate our hunger.

Boss! Boss! The Plane. The Plane!

update:

Here is a more elaborate version of the def element for the bored:

<def name="name" package="http://ting.ly/name"
  attrs="$$first last$$">
  <span>$$first$$ $$middle$$ $$last$$</span>
</def>

which could be used like this:

<name first="Don" last="Park"/>

There are lots of holes in this sketch, which is why it’s a fantasy.
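One way such a def could be expanded, as an added example (the def element is this post’s fantasy, not any spec, and the expander is mine): the def is given as data, a usage like the address markup above is matched against it, and each {{param}} is replaced by the HTML-escaped text of the matching child element. Undeclared params are rejected, which is the check that catches a misspelled or missing placeholder in a template.

```javascript
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Pull {{param}} values out of the simple, text-only child elements of a usage
// such as <address><street>...</street><city>...</city></address>.
function collectParams(usage, defName) {
  const outer = usage.match(new RegExp(`^\\s*<${defName}>([\\s\\S]*)</${defName}>\\s*$`));
  if (!outer) throw new Error(`expected <${defName}>...</${defName}>`);
  const params = {};
  const childRe = /<(\w+)>([^<]*)<\/\1>/g;
  let m;
  while ((m = childRe.exec(outer[1])) !== null) params[m[1]] = m[2].trim();
  return params;
}

// Expand one usage of a def. Values are escaped before substitution so that the
// text of a child element can never become markup in the expansion.
function expandDef(def, usage) {
  const params = collectParams(usage, def.name);
  for (const p of Object.keys(params)) {
    if (!def.params.includes(p)) throw new Error(`<${p}> is not a declared param of <${def.name}>`);
  }
  return def.template.replace(/\{\{(\w+)\}\}/g, (_, p) => {
    if (!def.params.includes(p)) throw new Error(`template uses undeclared param {{${p}}}`);
    return p in params ? escapeHtml(params[p]) : "";
  });
}

// The address def from the post, with the microdata form as its expansion target.
const addressDef = {
  name: "address",
  package: "http://test.com/1/mapking",
  params: ["street", "city", "state", "zip"],
  template: '<div item><span itemtype="street">{{street}}</span>' +
    '<span itemtype="city">{{city}}</span><span itemtype="state">{{state}}</span>' +
    '<span itemtype="zip">{{zip}}</span></div>',
};
```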


Posted in Technical Tagged: fantasy, html5, microdata

Smiley Profile Image Set

I wish I could use a set of profile images instead of just one and have the appropriate one displayed based on the text content, so that if I put a smiley like :-) or ;-) in the text, a photo of me smiling or winking will show.

It doesn’t have to be a face; it could be topic/category images. And I don’t see why tweet-specific images couldn’t be displayed, since Twitter already sends out the image URL with each tweet (inside ‘user’).


Posted in General Tagged: blog, twitter

Why wasn’t OAuth Vulnerability found earlier?

According to the OAuth about page, it was Blaine Cook who initiated the birth of the standard while working at Twitter in Nov. 2006. Blaine mobilized the initiative by getting Chris Messina involved, which attracted others at CitizenSpace to join the effort (an excellent demonstration of the benefits co-working social environments offer). By April 2007, the initiative was being formalized and, by October 2007, the OAuth Core 1.0 spec was finalized. The question of interest to me is: why did it take a year and a half to uncover the first vulnerability?

It’s puzzling because OAuth was well known and popularized, attracted a large body of developers, many of whom I presume read the spec, and was implemented by many, including some very large companies. I’ve read the spec as well and discussed it with peers and partners in the security and payment industry on several occasions.

I think the right answer might be that our collective perspective in dealing with the standard was focused on implementation, application, and hype, while wrongly assuming that the standard itself was secure. Recollecting my thoughts when I read the spec for the first time, I now realize that it was safety in numbers and the lure of promising applications that led me to focus only on implementation.

The good news is that I think OAuth will now be given the proper shake it needs to get any remaining kinks out. The bad news is that we are likely to repeat the mistake when the next popular grassroots standard emerges in a hurry. The relatively fast pace of community/grassroots standard initiatives is a concern unless mass appeal can be effectively leveraged to shine an intense searchlight on all aspects of the standard.


Posted in Technical Tagged: oauth, security

On Twitter’s OAuth Fix

While the OAuth team is working on addressing the OAuth session fixation vulnerability at the spec level, Twitter made the following changes to reduce the exposure window:

  • Shorter Request Token timeout – This is good practice in general. Developers tend to be too generous with timeouts and, all too often, forget to enforce them or to verify that they are enforced.
  • Ignore oauth_callback, in favor of the URL set at registration time – this prevents hackers from intercepting the callback.

Double callbacks are still possible, though, which means Twitter OAuth consumers will have to detect extraneous callbacks and invalidate access for everyone involved, because they have no way of telling who is who.

The remaining exposure to the vulnerability is when the hacker’s simulated callback arrives before the user’s. We are talking about a temporal exposure of a couple of seconds at most which, given current Twitter use cases, is not that big a deal. I wouldn’t do banking over Twitter, though. ;-)
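The consumer-side behaviour this post calls for, as an added example written to the post’s description and not taken from Twitter or any OAuth library: request tokens expire on a short timeout, the requested oauth_callback is ignored in favor of the registered URL, and a second callback for the same request token is treated as a double callback, invalidating the request token and any access token already exchanged for it. Token values and times in the comments are constructed.

```javascript
class RequestTokenGuard {
  constructor(registeredCallbackUrl, ttlMs) {
    this.registeredCallbackUrl = registeredCallbackUrl;
    this.ttlMs = ttlMs;
    this.tokens = new Map(); // request token -> { issuedAt, callbacks, accessToken }
  }
  // Called when the consumer obtains a request token from the provider.
  issue(requestToken, now) {
    this.tokens.set(requestToken, { issuedAt: now, callbacks: 0, accessToken: null });
  }
  // The oauth_callback from the request is ignored; only the registered URL is used.
  callbackUrl(_requestedCallback) {
    return this.registeredCallbackUrl;
  }
  // Record the access token obtained for a request token so it can be revoked later.
  markExchanged(requestToken, accessToken) {
    const rec = this.tokens.get(requestToken);
    if (rec) rec.accessToken = accessToken;
  }
  // Called on every hit of the callback URL. Returns the action to take and the
  // access tokens the consumer must revoke at the provider. Since the consumer
  // cannot tell the real user's callback from a simulated one, a second callback
  // for the same request token invalidates everyone involved.
  onCallback(requestToken, now) {
    const rec = this.tokens.get(requestToken);
    if (!rec) return { action: "reject", revoke: [] };      // unknown or already invalidated
    if (now - rec.issuedAt > this.ttlMs) {                  // short request-token timeout
      this.tokens.delete(requestToken);
      return { action: "expired", revoke: [] };
    }
    rec.callbacks += 1;
    if (rec.callbacks > 1) {                                // double callback
      this.tokens.delete(requestToken);
      return { action: "invalidate", revoke: rec.accessToken ? [rec.accessToken] : [] };
    }
    return { action: "proceed", revoke: [] };               // exchange for an access token
  }
}
```

When the simulated callback arrives first, the gap until the user’s own callback is the couple-of-seconds exposure described above; the user’s callback then triggers the invalidation.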


Posted in Technical Tagged: oauth, security, twitter