# Friday, December 12, 2008

I have had a series of posts recently about various, supposedly responsible, social websites asking for my e-mail username and password, and another post about less trustworthy sites asking for Live Services passwords. I had resolved to be concerned only about sites that were clearly not taking advantage of the OAuth security pattern; however, it is quite difficult to explain to a layman whether a site is using OAuth or taking the short cut of storing your password, logging in as you and doing some kind of screen scraping. I hope to address this here.

Why do we even need something like OAuth? Suppose you are, like me, a user of Live services, and you would love to import all your contacts from a social network like LinkedIn. You have a couple of options: hope that LinkedIn lets you export the contacts in some common format (csv, xls, etc.) and also hope that Windows Live offers a compatible import, or use an open, secure API that both services understand, namely OAuth. (I will not go into the details of the OAuth pattern, except to say that it removes the need to send your user id and password with every request to a third party, as Basic Auth does.)

In short, when a site is responsible enough to employ the OAuth open protocol, you can gain access to secure areas (contacts, photos, etc.) of other sites without spreading your password everywhere. A good example of this pattern can be seen at work in the Windows Live services. I go through the steps of selecting the import process from LinkedIn, as shown below.


This is the really important part! After clicking Next I am redirected to the LinkedIn web site for authorization. What you should not be doing at this point is entering your LinkedIn credentials into the Windows Live site. This is always a bad idea! To be clear, I trust both LinkedIn and Windows Live; I just do not believe they need the keys to each other's houses.

Any system that teaches users that it is ok to put passwords from one site into another is really doing us all a disservice. This password anti-pattern teaches people that it is ok to give away their password, and that bad habit ensures that people will be more likely to be caught by phishing scams the world wide web over. Many social networks have spread like this, and LinkedIn is as guilty as any of them.

For me the design of this LinkedIn import page is really problematic. While it appears to redirect authentication for Windows Live and Yahoo, for the Gmail, AOL and Others options it relies on you putting user names and passwords directly into the LinkedIn site.

I am sure that LinkedIn is being above board and responsible with my information (am I?), but this pattern is doing the overall security of the web no good. They are teaching a whole generation of social network users that this type of password sharing is ok.

What is more confusing is that AOL and Gmail appear to have OAuth implementations (AOL OpenAuth, Google AuthSub), yet LinkedIn seems to disregard this and teach bad habits to its users.

Hopefully in a future post I will go through some code that complies with the OAuth pattern.
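As an added example (not code from this post, nor from Windows Live or LinkedIn) of why that redirect matters: in OAuth 1.0 the consumer ends up holding only a token and a shared secret, and signs each request with HMAC-SHA1 according to the OAuth Core 1.0 signature rules, so the user's password is never sent to, or stored by, the consumer. The consumer key, token, secrets and endpoint URL below are constructed values; the provider-side check also shows the stale-timestamp, replay and tampering rejections a real provider needs.

```python
import base64, hashlib, hmac, secrets, time
from urllib.parse import quote

# Constructed sample credentials (hypothetical values): the consumer key/secret the
# provider (LinkedIn in the post) issued to the consumer (Windows Live), and the access
# token it issued once the user approved the import on the provider's own site.
CONSUMER_KEY, CONSUMER_SECRET = "live-import", "cs-3f9a"
ACCESS_TOKEN, TOKEN_SECRET = "at-7c21", "ts-b04d"
CONTACTS_URL = "https://api.example.test/v1/contacts"   # hypothetical endpoint

def _enc(s):
    """OAuth 1.0 percent-encoding (RFC 3986): only A-Z a-z 0-9 - . _ ~ stay bare."""
    return quote(str(s), safe="-._~")

def signature_base_string(method, url, params):
    """METHOD & enc(URL) & enc(sorted 'k=v&k=v' string of every request parameter)."""
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), _enc(url), _enc(normalized)])

def hmac_sha1_signature(method, url, params, consumer_secret, token_secret):
    """Key is 'consumer_secret&token_secret'; the user's password is never an input."""
    key = f"{_enc(consumer_secret)}&{_enc(token_secret)}".encode()
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key, base, hashlib.sha1).digest()).decode()

def consumer_sign_request(method, url, query):
    """Consumer side: add the oauth_* parameters and sign; no credentials are sent."""
    params = dict(query, oauth_consumer_key=CONSUMER_KEY, oauth_token=ACCESS_TOKEN,
                  oauth_signature_method="HMAC-SHA1", oauth_version="1.0",
                  oauth_timestamp=str(int(time.time())), oauth_nonce=secrets.token_hex(8))
    params["oauth_signature"] = hmac_sha1_signature(
        method, url, params, CONSUMER_SECRET, TOKEN_SECRET)
    return params

def provider_verify(method, url, params, seen_nonces, max_skew=300):
    """Provider side: reject stale timestamps and replayed nonces, then recompute the
    signature and compare in constant time; altering any parameter invalidates it."""
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    ts = unsigned.get("oauth_timestamp", "")
    if not ts.isdigit() or abs(int(ts) - int(time.time())) > max_skew:
        return False
    nonce_key = (unsigned.get("oauth_nonce"), ts)
    if nonce_key in seen_nonces:
        return False
    expected = hmac_sha1_signature(method, url, unsigned, CONSUMER_SECRET, TOKEN_SECRET)
    if not hmac.compare_digest(params.get("oauth_signature", ""), expected):
        return False
    seen_nonces.add(nonce_key)
    return True
```

A real provider looks up the token secret from the oauth_token it receives and keeps the nonce set per consumer; here both are folded into the constants to keep the exchange readable.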

Friday, December 12, 2008 12:24:07 PM (Eastern Standard Time, UTC-05:00)
Security | Web 2.0 | Web Services
# Wednesday, December 03, 2008

Sweet!!


Wednesday, December 03, 2008 4:31:30 PM (Eastern Standard Time, UTC-05:00)
Windows Live

There are a gazillion great things about the new Windows Live updates that are just pure social love. I have the ability (if interested) to pull in Twitter feeds or blog feeds for my whole social network to share and review. All the various services (SkyDrive, Hotmail, Spaces, etc.) used to feel like different companies cobbled together; now they really feel like one cohesive Live offering. Just seeing Twitter feeds from various members of my network arrive on my home page is really sweet.


The one critique I have is the lack of integration between Windows Live and my mobile phone. I do not use the calendar on my mobile phone because it is completely disconnected from the rest of my online world unless I dock the phone at the PC.

In order to bridge that gap Live provides a set of rudimentary SMS commands, as shown on the left. This is really disappointing! I was hoping for something more integrated and reflective of the new-found symbiosis that is the Live experience.

Things they have already got right:

   - My contacts sync from mobile to web and back again.
   - Live Messenger on my mobile phone is an enjoyable and easy to use experience.
   - Hotmail is directly integrated into the mobile experience.

Despite the abundance of these great Live features, the mobile experience still feels like a second-class citizen in the Live world. If we have to wait for WM 7 for this to be resolved I will be really disappointed.

Wednesday, December 03, 2008 12:52:15 PM (Eastern Standard Time, UTC-05:00)
Windows Live
# Monday, November 24, 2008

I got a random text from a relative asking me to go to this website, at which point I was confronted by the following web page…


Ha … they want my email and password … really … why don't I just give you my SSN, credit card numbers and the keys to the house and car (I overstate, but you understand the point). The Terms and Conditions were honest enough to reveal the following:

     We may temporarily access your MSN account to do a combination of the following:
          1. Send Instant Messages to your friends promoting this site.
          2. Introduce new entertaining sites to your friends via Instant Messages.

Let me forgo all the obvious concerns about giving out my password and look at the storage of my password by unqualified and un-vetted third parties. The only real way they can use my password effectively is by storing it in plain text in their database; the above T&C extract also implies that they keep this information indefinitely.

There are a metric ton of APIs for online services that allow applications access to user resources without the need for this type of password scamming. This includes, but is not limited to, Windows Live DelAuth, Google AuthSub, Yahoo! BBAuth, the Facebook Authentication API, and AOL OpenAuth.

The T&C for this site concludes:

“This agreement shall be construed and governed by the law of the Republic of Panama. You expressly consent to the exclusive venue and personal jurisdiction of the courts located in the Republic of Panama for any actions arising from or relating to this agreement.”

…enough said.

Monday, November 24, 2008 1:05:45 PM (Eastern Standard Time, UTC-05:00)
Security
# Thursday, November 20, 2008

The recent Zune updates have been great so far: the Zune software itself is even faster, the Zune Social site has an improved layout, and even the Zune device itself got a refresh with 3 new games that support wireless community play.

What I believe is the most compelling update is that the Zune Pass now comes with free downloads that you can keep permanently!!! As you may or may not know, the Zune Pass is a $14.99-a-month, all-you-can-eat music lease system. Almost all the songs on the Marketplace are available for this buffet-style music gorging.

Now, as an added bonus, when you subscribe to the Zune Pass you get to download 10 songs a month for your permanent collection. These songs can include MP3s! So you can technically own them free and clear of the Zune/Microsoft ecosystem. This update means that the Zune Pass portion actually costs you closer to $5 a month for all the music rentals you like. This is sweet!!!

Thursday, November 20, 2008 4:18:22 PM (Eastern Standard Time, UTC-05:00)
Zune
# Thursday, November 13, 2008

I was starting to see a significant slowdown in the performance of my Digital Audio Workstation (DAW). Basically, reading and writing files to specific directories was way slow. I had documented this issue before and noted that it was related to SONAR's insistence on storing all the metadata files for each project (of which I have hundreds) in a single directory. While my knee-jerk reaction at the time was to simply delete some of these files, the Wizard (aka EdO) noted last time that this was probably an issue with the Windows 8.3 naming convention.

In case you do not know, the 8.3 file naming convention is a relic of 16-bit computing; it lets modern (32-bit and above) operating systems produce short filenames that MS-DOS or 16-bit apps can access. The problem with this archaic naming system is that Windows literally scans all the files in a given folder to ensure that it does not produce a duplicate short name. This scanning becomes noticeable once you have tens of thousands of files in a single directory.

To disable this behavior on Windows 2000 and Windows NT, open the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem and set the value to 1.


For Windows 2003 and Windows XP there is a slightly easier way, i.e. the File System Utility (FSUTIL). This command-line application lets you quickly verify and/or configure a variety of file-system-related parameters. To update the 8.3 setting, use the following:

FSUTIL behavior set disable8dot3 1

For additional FSUTIL commands check out this site.

NOTE: If you happen to be using any 16-bit applications they will stop working.

Thursday, November 13, 2008 8:15:44 PM (Eastern Standard Time, UTC-05:00)
Tools | Windows
All Content © 2010, Mark Downie