If you’re following any tech news today at all, you’ve probably heard about the hacking of Twitter’s Google Apps account. Some have suggested that this is some kind of “wake-up call for cloud computing.”
Twitter responded and said not to blame Google or cloud computing in general.
I agree… mostly. In my opinion, this isn’t a problem with storing your documents on a hosted “cloud” service like Google Apps. It is, however, a problem with not enforcing (at the corporate level) the same kind of security requirements that have become common for on-premises document storage. That means password complexity requirements, regular password expirations, and very very strict account retrieval options (if you allow such an option at all).
Does Google allow Google Apps customers to enforce such restrictions? Actually, I can’t tell. I went to the Google Apps site and looked around and couldn’t find any indication, even in their Security FAQ page. I even did a search for “password” on the Google Apps Premier site, and got no results! (same for words like “security” – hmm). Maybe someone should tell them to switch to Bing for searching their site 😉
A web search on Bing or Google returns this story, which seems to indicate Google does or at one time said it would support such restrictions. But I don’t see any other sites mentioning it, nor any indication from Google itself. If they don’t offer that ability, they certainly should!
But as Twitter said, this was really a failure on their part, not Google’s. On the bright side, hopefully all of the attention they’re getting will result in others fixing these kinds of problems before they suffer the same fate.
I’m confused. AT&T wants me to pay $599 for a 16GB iPhone 3GS. $599!?! I’ve been an AT&T subscriber for about 3 years now. I always pay on time. I first signed up with a BlackJack. Then less than a year after that, I bought an iPhone at full price on its launch day. Then last year I upgraded to a 3G as soon as I found a store with one in stock.
Now I’m aware that most 3G users aren’t getting the discounted $199/$299 pricing that new subscribers are getting. Though apparently some people are getting that deal. Most others are paying $399/$499 depending on the model. But $599/$699? That’s ludicrous.
What’s more, I actually bought another iPhone 3G from the AT&T store at FULL PRICE in February, after my original iPhone 3G was stolen. Apparently, even though I paid full price, they extended my contract and upgrade eligibility from that point in February. I asked very specifically, and was told by the AT&T store staffer, that replacing my iPhone 3G at full price would not affect my upgrade eligibility.
Well, apparently that’s not true. Even though I paid the full $399 price for an 8GB replacement phone, I’m now listed as not eligible to upgrade until 7/15/2010. Seriously. If I’d been told that buying that full price replacement would extend my contract and upgrade term, I obviously wouldn’t have done it, and would’ve just bought one on eBay or Craigslist. In retrospect, I probably should’ve done that anyway.
So this afternoon I spent a good 20 minutes going over this with a customer service rep who insisted that I had never bought an iPhone 3G last summer and that I “upgraded” to the 3G from an original iPhone in February at an Apple Store. The account summary she forwarded me indicates an upgrade and new contract in February but doesn’t indicate what I “upgraded” from or where I did it, so I think she was just making that up.
I told her I wouldn’t care about the contract being renewed if she could just fix my upgrade eligibility, since it should be based on the last time I got a discount on a phone, not the last time I paid full price for a replacement. She said this couldn’t be done, and refused to transfer me to anybody else.
The best she could tell me was that I needed to take any paperwork I had to the AT&T store in Bellevue and try to convince them to fix it for me. This means rummaging through boxes (since I just moved) to hopefully find at least the receipt for the new phone, and taking at least an hour out of my time, with very little promise of actually achieving anything.
I’m going to try that tonight or tomorrow. If they can’t help me, I may have to go take a look at the Pre.
Twilver page on Brandontools.com
I put up the start of a description page on BrandonTools.com for Twilver. I started with a list of what’s currently implemented, what I plan to implement soon, and future feature ideas.
At this point, having it locked to the 3.0 developer preview of Silverlight actually seems to work as an automatic filter to keep the initial testing group nice and small :) Perhaps in the next few days as I get more functionality enabled in it, I will set up a forum on BrandonTools.com and try to recruit a few more testers to try it out and report bugs + suggestions.
If you want to keep up to date on its progress, just watch this space, or follow me on Twitter!
Twilver authentication model
I had some questions in the comments about how I built Twilver, so here’s a quick overview of how the app works. Of course this is still “prototype” territory so it could change entirely in the future, especially if you have better ideas!
Anyway, the current build works like this:
First, you browse to Twilver.Cloudapp.net which is an Azure ASP.NET page hosting the Twilver Silverlight 3.0 control. The control checks to see if it has a cached access token, and since it’s your first visit, it does not. It then redirects the hosting web page to Twitter and makes a call via the OAuth API. Then you log into Twitter directly so only they see your credentials, and they give back an authorized token to my ASP.NET service on Azure, via the OAuth callback registration.
After that my service exchanges the auth token for an Access Token and Access Secret, which are provided by Twitter and don’t expire unless the user goes to Twitter and revokes my app’s authorization.
The web page passes the Access Token and Secret to the Silverlight control, which stores them in local isolated storage. Then when the Silverlight control wants to make a request to Twitter, it calls into my proxy WCF service running on the Azure server. This is necessary (I think), because Twitter doesn’t register their API for cross-domain access by Silverlight and Flash. So Silverlight prevents me from making a direct cross-domain call. My proxy service is a very, very simple WCF wrapper around the Twitter API. Building this in Visual Studio was dead simple.
In the future I could change it so that the access token and secret aren’t stored in the Silverlight local storage, but instead are stored by my service in the Azure storage service. For now, having the control do the caching seemed simplest, as it means my service is stateless and doesn’t track anything at all about users. I may want to change that anyway in the future, though, so that I could offer features like roaming settings and such.
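The per-request signing step that a stateless proxy like the one described above has to perform, as an added example (not Twilver's code): an OAuth 1.0a HMAC-SHA1 signature per RFC 5849, assuming that is the scheme in use. The endpoint, the credentials and the `proxy_authorization_header` helper are constructed for illustration.

```python
import base64, hashlib, hmac
from urllib.parse import quote

def pct(value):
    """Percent-encode per RFC 5849 section 3.6; only unreserved characters survive."""
    return quote(str(value), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & encoded URL (without query string) & encoded, sorted parameters."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(url), pct(normalized)])

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 keyed with both secrets: the application's and the user's."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    msg = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha1).digest()).decode()

def proxy_authorization_header(method, url, query, access_token, access_secret,
                               consumer_key, consumer_secret, nonce, timestamp):
    """Stateless proxy step: the caller supplies its cached token pair, the
    service adds its own consumer key/secret and signs. Hypothetical helper."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_nonce": nonce,  # must be unique per request in real use
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp),
        "oauth_token": access_token,
        "oauth_version": "1.0",
    }
    oauth["oauth_signature"] = sign(method, url, {**query, **oauth},
                                    consumer_secret, access_secret)
    fields = ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth.items()))
    return "OAuth " + fields

# Constructed sample values: placeholder endpoint and credentials, not real ones.
SAMPLE = dict(
    method="GET", url="https://api.example.test/timeline.json", query={"count": "20"},
    access_token="constructed-access-token", access_secret="constructed-access-secret",
    consumer_key="constructed-consumer-key", consumer_secret="constructed-consumer-secret",
    nonce="constructed-nonce-1", timestamp=1243500000,
)

if __name__ == "__main__":
    print(proxy_authorization_header(**SAMPLE))
```

The signing key joins the consumer secret with the access secret, so the token pair cached in isolated storage cannot sign a request without the service's half of the key. Neither secret appears in the header that goes over the wire.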
So that’s what I put together this weekend. Any feedback or suggestions would be more than appreciated!
My new project: Silverlight Twitter App
Update: As of 5/28 I ported Twilver to run on Silverlight 2.0. I’m in the process of refining that port, and creating a Windows Gadget (for Vista + Win7) that hosts it on your desktop or sidebar. I’ll make further posts with more info about that.
If you follow me on Twitter, or read my earlier post about Twitter clients, you might have figured out that I’m not exactly thrilled about the state of Twitter clients on Windows. I’ve also long been itching to see what all the hype with Windows Azure and Silverlight was about, and to try and wrap my head around XAML. So a few days ago I decided to check out the Silverlight walkthroughs and installed the Azure and Silverlight 3.0 Beta SDKs. Since then I’ve been busy (well, mostly yesterday and today)…
So there’s my first Silverlight + Azure app, running standalone thanks to Silverlight 3.0’s new out-of-browser support. Of course the UI and feature set are very early at this point. But I’m pretty happy with what I was able to get working in such a short time. Especially since I spent several hours just figuring out how to deal with Twitter’s OAuth authentication API.
Unfortunately there isn’t an end-user friendly version of the Silverlight 3.0 Beta (you have to get it via the SDK), as it is targeted at developers only. So that means it’s not very convenient to share this with potential testers. In the meantime I may look at putting up a Silverlight 2.0 version (confined to a browser window) for people to look at. I have no idea what the Silverlight 3.0 timeline is like, but now I have reason to hope it gets released soon =)
I plan to work pretty aggressively on matching feature parity with the popular clients, like Witty and Tweetie, and then start working on some other ideas I’ve had. My very first goal, though, is to get the basic functionality available in a lightweight, attractive client UI. Right now the Windows offerings are either horrendous resource hogs (Witty), or butt ugly (all the Adobe AIR apps, like Seesmic Desktop). The Mac client situation seems quite a bit better, and that just makes the Windows situation bug me even more. Hopefully I can help change that. And since Silverlight is cross-platform, I may be able to win over some Mac users as well 🙂
Oh yeah, the name I’ve been using for the project is Twilver. This is likely just a placeholder until I decide on something I like better… I was originally going to call it Twilight, but apparently that name has already been claimed.
Hope you’re all enjoying the Windows 7 RC!
This week we published an update to the Federated Search Implementer’s Guide. This update includes some new information as well as some corrections to the original document. Most crucially, the original document erroneously indicated that the URL template contained an attribute called “format” — when it was referring to the “type” attribute. So if you followed the guide exactly, your OSDX file wouldn’t work properly with Windows 7 (or anybody else following the OpenSearch spec).
This update also includes additions such as information about providing “collection” templates to display results without the user entering a query, details about URL protocol support, and more.
Link: Windows 7 Federated Search Provider Implementer’s Guide
Windows 7 RC is almost here!
Fellow Windows blogger and guy-named-Brandon, Brandon LeBlanc, posted an update outlining the timeline for official availability of the Windows 7 Release Candidate. We’ve all been working very hard on this for a long, long time now. I’m really looking forward to hearing what everyone thinks!
IOpenSearchSource documentation
Just wanted to post a heads-up to interested parties: the stub page on MSDN for IOpenSearchSource and its one method has been replaced by the draft documentation.
The new page roughly sums up its use and purpose:
A client-side OpenSearch data source that sits in between the Microsoft Windows OpenSearch provider and the external data source. With a search connector (a .searchconnector-ms file), Windows Explorer calls your implementation with the query parameters. Your implementation returns results formatted in RSS or Atom format. That allows your implementation to provide custom authentication UI and connect to the data source using its proprietary API.
More details at: http://msdn.microsoft.com/en-us/library/dd378289(VS.85).aspx
Unfortunately we still don’t have any details on how you actually hook up an implementation of this. The doc / SDK folks are working on this but it’s part of a larger effort that’s taking a bit of time. In the meantime I’m going to see if I can post an example here or on CodePlex. Most likely I’ll be posting a detailed .NET example followed by a simpler C++ version.
If you have questions about whether this API may end up being useful to you, let me know, and hopefully I can help clarify what is or isn’t possible.
Last week Raymond Chen posted about how he drives a car the way most people use computers. His point was simple: he doesn’t care about the “driving experience,” he just wants to get from point A to point B. I like the computer analogy he made, as it makes sense to me that normal PC users simply want to get something done, and they don’t want to understand the technology or the operational subtleties of the tools they’re using.
I’m not in the same bucket as Raymond. He doesn’t like driving a manual and doesn’t care to improve his ability at doing so. However, when I bought my car I had a choice between the faster dual-clutch race transmission that Audi calls “S-Tronic,” (which can work like an automatic or be controlled via paddle on the steering wheel) and a regular old-fashioned stick shift with a clutch pedal.
I chose the stick. It’s what I was used to from my previous car, and it makes me feel more in control of the vehicle. It wasn’t a simple choice, because the S-Tronic isn’t a regular automatic. It’s lightning fast, way faster than I ever could be. But ultimately I decided against it because I didn’t like having control and information taken away from me. With an automatic I can’t just disengage the clutch and let the car roll forward or backward. And with the paddle-shift option, I can’t easily tell which gear I’m in unless I look at the dash. With a stick, I know just by feeling.
Taking that away would be like taking my debugger, my command line, or some other source of control or detailed input which I’ve come to rely on. If you’re going to do that, you better offer something awfully compelling in return.
E7 Blog: Federated Search in Windows 7
Late last night Steven updated the E7 Blog with a post about Federated Search in Windows 7. I co-authored the post with two program managers from my team.