Posts from November 2002

cat and boxes photo

new place to sit

RSS Assignment

Aha! Now I know why all of those impolite, unidentified aggregators were hitting my RSS feeds so often—it was assigned in a class at BYU. The course is CS462 "Enterprise and Distributed Computing." Maybe they could bring me in as a guest speaker to talk about how to block aggresive bots coming from BYU computers. ;) The assignment was to create a Java servlet that integrates Bookwatch data with Amazon Web Services queries. Of course a hip class like this has a weblog. (If you're a student from this class, I'm sorry if I blocked the multiple requests from your IP. I hope I didn't mess up any grades. I was just trying to keep the server load down.)

Pictures from I-5

Some pictures from Interstate 5 this weekend.

shasta in fog
Mount Shasta in fog

shasta from I-5
Mount Shasta from I-5

open space

Corvallis Photo

downtown corvallis
Downtown Corvallis

PGP-signed posts for weblog comments

A few weeks ago I posted about the problem with identities in open weblog comments systems. Since then I've been playing with different solutions, and I think PGP-signed comments are a good way to verify identities. It's extremely simple for the authors of comments systems to implement. (I added it to my comments system last night in about an hour.) It allows weblog authors to keep the barrier to conversation very low by not having a registration process. And it allows those comment-posters who are concerned about their online identity to take a few extra steps to digitally sign their comments.

It's also very easy on the comment-posting end. PGP has a function called "Sign" that matches the words of the comments with your public key. It includes a bit of garbled text based on those words, so the post can be verified. If anyone alters the words, the verification fails. I'm using PGP 8.0, and it has a great feature that signs the text in the current window with one click. I would simply type my comments into someone's site as normal, then click this button. It's instantly signed. I'll try to post more explanation with screenshots if I have some time later today.

Here's how I implemented it for my comments system. A standard post is plain text:

This is a standard comment.
A PGP-signed post is also plain text with some extra junk around it:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a PGP-signed comment.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 (Build 349) Beta

iQA/AwUBPdvNQq9S5muEtqHZEQKIgACfTjtzfc101lkfWXEHQLgcHux99S8AoN/p
GDxRz2sbpl1MIXFm5Bbb6JxF
=qlO3
-----END PGP SIGNATURE-----
Ok, it's not junk, it's important information. But for the purposes of reading comments, it's junk. So if the junk is there when someone posts, my system saves the entire PGP comment as-is, then strips away the junk and stores the good stuff as a regular comment. Then, next to the information about who posted that particular comment is a link: [PGP]. Clicking on PGP will give anyone the original, unaltered, PGP-signed post that they can then use to verify the commenter's identity. My system doesn't do anything with decryption/encryption, handle any keys, or do any of the verification—it simply does a bit of extra text parsing. I didn't need to add any extra form fields or ask for any extra info. It doesn't break up the flow of conversation. The functionality is mostly hidden.

It puts the burden of identity management on the comment-poster instead of the comments systems. The poster would have to make sure their public PGP key is available somewhere, so people could verify their posts. It doesn't break up the flow of conversation, and it adds a bit of security for people who aren't posting anonymously. I'd feel much better about posting comments on weblogs if they had something like this available. For those who don't care, nothing changes.

I've tested this feature here with signatures from both PGP 8 for windows and gnupg for windows. It's bound to have some parsing problems with other platforms that need to be worked out, but I'll fix them as they come in. Check the comments on this post for an example. And let me know what you think. Will this work? Do you think people would sign their posts if it was an option?

BookPost on News.com

BookPost was mentioned in an article on News.com today: Amazon, Google lead new path to Web services. I'm glad that journalists no longer have to explain what a weblog is to a general audience. It simply references BookPost by saying, "Another application combines the Amazon service with a Weblogger API to let users create a link to an Amazon product page on a Weblog in just one step."

My PGP Key

By the way, here's my public PGP key. I socially accept encrypted email.

Email PGP

Between the marketers and the government, I'm surprised we're not all using PGP to encrypt every email we send. (even the ones about where to eat lunch.) And blocking the ones that don't to cut down on spam. If sending encrypted email was socially acceptable, I think I would make the effort. Not because I have something to hide, but because I believe email should be a private way to communicate. Using PGP is like sealing an envelope. Though, unfortunately, not as easy yet.

AOL is working on building encryption into its enterprise version of AIM. I wonder if public encryption will be illegal by the time that feature is ready for release.

roughly 700 books photo

~700 books
roughly 700 books ready for transport

It's only when I move that I question whether I need my book collection. Do I really need so many Charles Bukowski books? They take up a whole box. A box I have to lift and carry. Up stairs.

Moving to Oregon

It's finally starting to hit me that skp and I are in our last two weeks of living in the Bay Area. We found an apartment, reserved a truck, and we're beginning to fill boxes. This next week we'll be doing serious packing and making trips to our new home. We'll be living in transition. I haven't even had a chance to feel sad about leaving because I've been so busy getting ready to go. I know I'm going to miss it. I fell in love with Sebastopol and the whole Bay Area as soon as I moved here in late 1998—especially the Sonoma County geography, weather, and attitude. We have fantastic friends and family here, know back roads, and have favorite spots for working, eating, relaxing. We love being able to drive an hour to visit San Francisco, and we've walked hundreds of miles of trails from the coast to Yosemite. We love our house on a hill that has great views of Mt. St. Helena and west Santa Rosa. But we feel like it's time to start a new chapter. It's time to discover new favorite places, walk different trails, and explore different cities. Saying goodbye is the hardest part of moving, but we won't be out of touch. We'll just be 600 miles north in Corvallis, Oregon.

2002 Leonids

The Leonid meteor shower is coming up next Tuesday. It could be the last big meteor shower of our lifetime, so get as far away from city lights as possible and check it out. If you're in the Bay Area, hope for no fog. The fog clouded much of our view last year but we still saw quite a few. I also tried to take some pictures last year, but none of them turned out. I need to read these meteor shower photography hints.

Wednesday's Sunset Photo

There was a great sunset here on Wednesday.

sunset

P2P RSS

Just thinking out loud about RSS Aggregators... If every RSS client was also a server, we could have a distributed solution to the brute-force problem. I'd gladly serve up others' feeds if it meant less drain on my server. For example, let's say I subscribe to the NYT Business feed. My RSS client needs a local copy to display the feed. In a perfect world I could also give my copy to others on demand. When someone requests my onfocus feed, they could send a list of other feeds they're interested in. If they're also interested in the NYT Business feed and I have a copy that's newer than theirs, I could send that RSS along with my onfocus RSS. You wouldn't always get the authoratative copy, but you could get close without too many hops; similar to DNS. Some feeds really do update every 10 minutes, and you'd need to grab those directly. But for most weblog RSS feeds, a P2P ripple effect like this would probably be fine.

Attack of the RSS Aggregators!

My server is under attack by RSS aggregators! They eat bandwidth and resources at four times the rate of regular viewing mortals like you and me. I love RSS, don't get me wrong. But the current crop of brute-force aggregators is really driving me crazy. (Amphetadesk and Netnewswire seem to be the worst offenders, but they may simply be the most popular.) Some stop by as often as every ten minutes without so much as identifying themselves. It's just rude to make so many requests. Aggregator authors could create polite software very simply: use conditional HTTP gets. The aggregator sends the last time they've seen the feed along with each request. And my server politely says, "no, it's the same one you have. 304." Or "yes, it has changed since your version, here you go. 200." It's much more civilized than, "gimmie! gimmie! gimmie! 200! 200! 200!" The other alternative is to set up a centralized ping-server where RSS authors can let every aggregator on earth know that their feed has changed recently. (like weblogs.com.) It's not as elegant or scalable as conditional HTTP gets, but it would be better than our current state of RSS anarchy. As it is, I'm going to have to write some sort of filter to slow them down.

Photo

*35

sxswBlog is go!

It's about that time to start thinking about sxsw again. That means sxswBlog is go! It's new AND improved this year with a new design and lots of trackback goodness. check it out.

Sky Rumble

It's pouring down rain and thundering here in the north bay. Thunder is an odd sound for this area. It's not the infinite rumble or violent cracks of the Nebraska storms I grew up with. It's more like a constipated growl.

Scriptomatic Tool

If you like to play around with Windows Scripting you might get a kick out of The Scriptomatic Tool: "Why do some system administrators get fancy cars, yachts, and Rolex watches? It's because they know how to write WMI scripts, and you don't!" It's an easy way to learn about all of the WMI classes, and what information you can get at. Fun stuff. I need to look into Hypertext Applications (.hta files) for writing simple client apps.

mail note

service note: onfocus mail may be a bit wacky as the mx fairies work their magic across dns land. my hotmail account will still work. Though my hotmail account is next to useless these days. I'm pretty sure some black-arts spam manual mentions my address specifically, "callibrate your spam cannon by pointing it at this hotmail address first."

#990000 and #000099

#990000

#000099

Get out the vote

I can't wait to vote tomorrow!

Puch Drunk Love sucks

Punch Drunk Love was terrible. Not terrible in a I-expected-wacky-Adam-Sandler-and-didn't-get-it sort of way, but terrible in a pretentious-misogynistic-waste-of-talent-and-worse-my-time sort of way. It's just another in a series of unimaginative fear everyone movies like One Hour Photo. And this one was mean-spirited.

Weblog Comments Ideas

Anil's discovery about We Blog related comments spam is just another reason why better identity management is needed for open weblog comment systems. Beyond an identity bank like I mentioned a few days ago, I think there are some other steps weblog authors could take to weed out unwanted comments. First, create a quick "terms of posting" that lets people know what is acceptable and what isn't...and publish it where people will see it before they post. Also, enforce consequences for violating the terms. I'm not sure what that should be. Maybe making the IP Address of the offending poster public (this is like putting up bad checks at your local food joint) would help. Blocking that address (or range of addresses) from future posting could be the way to go, though it's trickier with large ISPs. I think the real key is heavy moderation. As soon as someone violates the terms, delete the comment; no note that you've changed something, no email to the offender, just delete. The idea is that trolls and spammers will get bored when no one listens. (But we all know how well that works for email.) These aren't long-term solutions, but they could help while the ratio of unwanted contributors to good contributors is still low.