my recent reads..

Yokoso Tokyo!

My Nexus One and the Japanese telcos had a 'lost in translation' syndrome over the past week, but I am back home now in Singapore with all the broadband that entails! I think I'll be retro-blogging for weeks to make up for the few fantastic days spent back in Tokyo. Big props to my uncle and his family who were great hosts and helped us make the most of a short trip..

After stumbling off the Airport Express bus and checking in early, what else to do but hunt down the lair of the famed Godzilla (ゴジラ, Gojira) near Ginza (銀座). She's HUGE! (No, that is sarcastic. Artistic camera angles are required)

Blogarhythm for this post: Back in Black (Tokyo 1981)


iPhone, smiPhone

Looks like DBS have decided that iPhone is now the official generic name for any kind of smart phone!

Click on their Win an iPhone ad and read the not-so-fine print (it's an HTC HD mini ;-)

iPod has arguably already attained genericized trademark status for any kind of MP3 device (taking the mantle from its predecessor, the Walkman).

And it seems Main Street has long since given Apple another category winner with iPhone joining the likes of Escalator, Zipper, Butterscotch, and even Heroin(!)

Which can really piss off pedantic technologists and the people who have to sell the phones - as brilliantly captured in the iPhone vs HTC animations by the guy that Best Buy wants to fire.


kalinka: Google Calendar Link-maker and Any+Time jQuery demo

Any+Time was one of the more interesting options I covered in my Quick Review of jQuery Date/Time Widgets the other day.

Any+Time had a lot more functionality than I got to investigate at the time, and there were some specific features I wanted to check out in more detail - in particular timezone handling - so I built another little demo called kalinka.

kalinka is a simple tool to construct Google Calendar Event URLs without needing to publish an event in your own calendar. You can then put the link in an email or a website. Other people can then use the link to create the event in their own Google Calendar.

kalinka mimics the basic functionality of the Google Calendar Event Publisher, except that it also demonstrates using Any+Time to offer specific control of the timezone.

Try out kalinka here, and feel free to pillage the scripts.

Blogarhythm for this post: kalinka malinka - The Red Army Choir (a.k.a. Alexandrov Ensemble or Дважды краснознаменный академический ансамбль песни и пляски Российской армии имени А. В. Александрова)


The third-party authentication dilemma: does Facebook pwn my site?

I've argued for some time that it is crazy for most websites to have their own authentication (username/password) system these days.

  • We the users have no patience for yet another registration process, validation email flow, and password to remember

  • Security is too easy to get wrong, unless you truly have security professionals on staff

  • Designing sites with a registration process, issuing credentials etc. is a legacy holdover from the days when we had no choice. OpenID and OAuth (in particular) have long since changed the game.

And the shift is well underway. More sites these days are offering the ability to authenticate using Twitter, Facebook, Google or other credentials. Janrain chief executive Brian Kissel has said that:

"..publishers are jumping on-board as they realize it's valuable to know who their readers are and that it's much easier to convince them to sign in with an existing account than to create a new one"

Perhaps like many sites, you integrated with Facebook Connect to let users sign into your site with their Facebook account. Which all sounds great, until you wake up one day, and are caught off guard by two bits of news:

Jason Calacanis was one of the high-profile Facebook quitters who got "caught" sneaking back in. He explained the reason on a This Week in Startups .. to (temporarily) regain control over all the third-party applications he'd forgotten were using his Facebook account for authentication.

Suddenly, you are feeling the downside of depending on a third-party authentication service:
  • The amount of engineering required to "keep up" with the evolving identity management space is unpredictable since someone else is calling the shots

  • Your site and brand are totally exposed to a user backlash over something that you have no control over and that has nothing to do with you

So is there a better way?

If your site is directly linked to the third-party service (e.g. a tool for Twitter, or a Facebook application) then the answer is no, and the question doesn't even make sense.

But for most cases, we are basically outsourcing the identity management and authentication, and want to avoid getting caught down a blind alley.

Pure OpenID is one approach: it is not controlled by any single vendor, and there are capabilities such as delegation which allow users to pick and choose their provider. The unfortunate fact is that OpenID is far from mainstream, and will likely remain a mystery for most users (even if it is hard at work under the covers of their Google or Yahoo! sign in).

Personally, I think the best approach is to disentangle ourselves from directly dealing with identity providers. By outsourcing the identity management and authentication process to an intermediary that aggregates the services of many identity providers we get a nice compromise:

  • Someone else to take on the burden of securing the system and keeping up to date with the improvements made by the various identity providers

  • We get to offer the convenience to our users of signing in with a wide range of identity providers

  • And we make our site directly dependent on only one service provider, and one that specializes in identity rather than in other business interests which may potentially bring us into conflict

The best solution I have found so far is Janrain Engage (formerly RPX). I've used this on a number of sites (e.g. CloudJetty - my directory of cloud/SaaS applications), and released a gem (authlogic_rpx) for easily using the service with Ruby on Rails.

If you are concerned about your website getting locked in to a particular authentication provider (whether it is Facebook, Twitter or anything else) then I would certainly recommend you check out Janrain Engage.

Now I realise this may come across as an unabashed plug for Janrain, but the truth of the matter is that (a) it works, and (b) I haven't really been able to find any fully baked alternatives. If you do know of other similar services or ways of approaching this problem I'd be really interested to hear about them.

Blogarhythm for this post: IDentity - 玉置成実 Tamaki Nami
The light will shine on me allowing me to make progress and start on the road to my identity
