Google Reader

By now, anyone using Google Reader should probably know that it’s going to shut down on July 1 this year. Personally, I think it’s a shame, but not entirely unexpected.

I use Google Reader daily and in fact it’s the only Google service I still have need for (although I’ve kept Gmail as a backup mail service – it’s good to have a secondary address that can be used for temporary communication, particularly with one-use web sites). Once the decision was taken to let the feedburner service run down I always assumed Reader wouldn’t be far behind.

I think there are some issues with the concept of RSS as a “consumer” technology – these implementations never quite gained the popularity I think they should have. I’ve introduced other people to the idea and seen how it can help ease the way that updates are retrieved from web sites. Anyone working online should at least have tried it, but I think the perception was always that it’s a geeky tool and little used. Hopefully the outcry around the web about Google’s decision will contradict that.

One of the comments I was most interested in around this decision was from Dave Winer. Dave makes two points that are worth mentioning. Firstly, around his favoured “River of News” approach: I think this is personal preference. One of the reasons I like the Reader style RSS approach (or inbox style, as he refers to it) is that I don’t miss the stories – rivers mean that much is missed; if I don’t see the story when it’s still onscreen I may never see it (this incidentally is my biggest complaint with Twitter as well). The way that I, and in my experience most other people, use RSS is to have that collection of stories that I can come back to when *I* want. If I’m out for a few days I can skim over the list and read as much or as little as I like. I also find the Inbox metaphor constricting – these are not messages to me and no-one is expecting a response; if I mark all as read, no-one is going to chase me for a response!

Dave’s second interesting point is also, to me, somewhat ingenuous.

Next time, please pay a fair price for the services you depend on.

I, like most people, am happy to pay for a good service, and there are paid-for services out there; unfortunately they are, from what I’ve seen, just not as good (for various definitions of good) as Google Reader. Quite frankly, everything else I’ve tried to use so far has fallen short. I have paid for apps that provide a front-end to Google Reader (on both iPhone and Mac) that ultimately use the service as a back end. These add value to the experience.

I’ll obviously be checking out alternatives to Google Reader from now. Any suggestions would be welcome!

Addendum: The Ars Technica story and discussion

McKinnon

Gary Mckinnon Extradition To US Blocked By UK Home Secretary | Techdirt

I was planning on making a quick comment on the Gary McKinnon case but the Techdirt article linked is one of the few I’ve seen actually making most of the valid points about this whole mess so deserved a special mention.

The question here is not whether McKinnon is criminally culpable for his actions (that can be established later), but whether it’s right to send him to a country he’s never been to, to stand trial, when he already falls within the jurisdiction of UK courts and is obviously suffering health issues. I made a more flippant point previously on the questions of jurisdiction in these types of cases and, assuming the act is a crime in the place where a person is physically located, it’s best left to be handled in that country. To do otherwise means we can end up in a situation where a crime can be simultaneously committed in multiple territories (think of accessing data from cloud based services), or where someone does not know where they have committed a crime, or even whether their actions are illegal in that location. That’s no way for the law to work. Extradition is a perfectly valid process in cases where a person has left the prosecuting jurisdiction and certainly has a place in the world; just not here.

I hope that, whatever the truth here, justice prevails and I believe that this is a good step towards making that happen. It also seems that we have a chance of doing something about the one-sided extradition process we have with the USA.

As an aside I was forced to draw parallels with recent extradition cases (Abu Hamza et al) and reconcile differing views. I think there are some valid points in discussion but ultimately we look at questions of citizenship and the nation’s duty of care to those people; more importantly in those cases it is a fact that no trial could ever happen here in the UK; extradition was required for any real criminal proceedings.

Security as an advantage

This week has seen a lot of activity in the security world about one of the largest companies in Britain – Tesco. What’s unusual about this, certainly compared to most “security” news is that there’s been no notified data breach. Efforts conducted by Troy Hunt, in particular (and well documented at his web site – Lessons in website security anti-patterns by Tesco) have identified a number of potential security issues with Tesco’s online presence.

Tesco have made some responses (additional coverage at SC Magazine) and I’m sure we’ll see additional news on this.

Tesco aside, what this highlights is that most people aren’t aware of what security is in place, or should be in place for their online transactions. Not everyone has the time, ability or stubbornness of people like Troy to investigate and follow through with enough knowledge to get through the anodyne responses. This is an example of why having a knowledgeable and semi-independent security assessment is something that any organisation should do. That’s not to denigrate some of the fine people who work at Tesco – all of us sometimes need an extra set of eyes and ears, sometimes just to challenge assumptions. Luckily, here, the problems have been identified before there’s a serious issue.

One of the basic issues here is that security is hard – knowing that even if everything has been done “right” it still may lead to a problem. This is one of the reasons that it’s good advice for users to use different passwords – even if you trust the people you give a password to, you can never be sure that it won’t get leaked. If you use the same username and password combo on multiple sites (or worse, for your e-mail access itself) then any password leak on those compromises a large amount of your online presence. Even a low value breach (a blog, for instance) escalates if those same credentials are used at a shopping site that has your credit card number stored and allows quick purchasing.

Security is about layers of defence – not assuming that each layer will hold, but mitigating and minimising the risk if it doesn’t. This incidentally is one of the issues with the “padlock” icon in browsers – it gives a false sense of security. Users are one of those layers and should assume that whatever is in place by the provider may not be enough…

One of the difficulties with any form of security is when it meets head-on issues such as finance, usability, compliance or legislation. The latter two in particular are insidious, often being used as a replacement for security (“we’ve complied with XYZ policy”) or even being antipathetic to security. Especially in large organisations the challenges in putting forward a culture of good practice against those are immense. There may even be good and acceptable reasons for what at first appears to be bad practice.

That said, I’m wondering if these types of events may be the trigger for security as a competitive advantage. Would a (non-security) person actually choose to shop online at one store over another due to security deficiencies? If not, at what point would that happen?

Data in the cloud

Who cares where your data is? – Roger’s Security Blog – Site Home – TechNet Blogs

There are many issues with data security as soon as we start discussing the “cloud”. Handing control of your data to third parties is pretty obviously something that should take more thought than it does. One area that people forget is to think about the data itself – who owns and controls the email addresses of your customers? The moment it’s on salesforce (to pick an example), they have that data – very few people encrypt the data they give to their service providers; the data and the service are somehow conflated.

Roger picks out a great point which brought back to me my favourite argument against cloud services. At a basic level, the cloud does not exist – what does exist are servers and drives containing data. At any time you, as a “cloud” customer, have no idea where your data resides – is it in the USA (the country that searches laptops that come across the border), is it in China, is it in Libya? Only the “cloud” provider may know this. This may seem like a superficial point, but something very serious lies beneath in that different countries retain their own controls over what is acceptable. Whilst we in the UK and Europe think that online gambling is fine, it’s not in the USA – what if a “cloud” provider puts data relating to such activities into the USA?

Just to drive home the point – “cloud” customers also have no idea who else’s data resides on the same hardware as their own. If a criminal or terrorist organisation (in a particular country; obviously definitions vary wildly) happens to share the same services as you, what chance is there that your data could be raided and analysed?

All these points serve to remind us that the cloud does not exist. What does exist are a series of buildings, housing servers, that happen to have Internet connections. There’s a huge difference.

Linking

Feds Really Do Seem To Think That Linking To Infringing Content Can Be A Jailable Offense | Techdirt

The story reminded me of a point I made a while ago – regardless of anything else, neither you (my reader) nor I (as the author) have any idea what will be displayed if you click on the link. At the time of writing, using the particular DNS servers currently provided on the wireless network I am using, it is an interesting story about how linking to infringing content shouldn’t really be an offence. Of course, given the way the Internet works, that may not be true for you (your own hosts file may resolve that name to a completely different address) and I guess the people at Techdirt could also change the story at any time, which would make this post somewhat nonsensical.

There’s a current trend of using URL shorteners, which seems to be related to the stupid and arbitrary 140 character limit on Twitter (which is derived from the limit on SMS message length, despite the fact that every modern phone can concatenate messages into one, making the whole thing even more absurd, but I digress…), which introduce another level of abstraction and make it utterly impossible to know what will happen if a link is clicked. Here’s an example, just to drive the point home…

http://bit.ly/f1dzwo

For a start… notice the ccTLD is .ly. That means that this service is controlled by Libya, so obviously nothing wrong there. Secondly, you don’t know what site that links to. Thirdly, you don’t know how the people who control your DNS servers will resolve that name to an address. Fourthly, you don’t know what the http server at that address actually serves as content (malware, porn, movies, live sport). Yet, people click these things all the time.
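As an added example (not from the original post), here is a Python script that performs the first three checks just listed without ever fetching the final content: it reports the link’s TLD, follows the redirect chain one HEAD request at a time with urllib’s automatic redirect handling disabled so that every hop is visible, and shows what the local resolver returns for each host. The bit.ly link above is only the illustrative input; the resolver and network in use are whichever the machine happens to be on, which is exactly the point.

```python
import socket
import urllib.error
import urllib.parse
import urllib.request

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib raise HTTPError on 3xx instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

_opener = urllib.request.build_opener(_NoRedirect)

def tld_of(url):
    """Last DNS label of the URL's host, lower-cased: 'ly' for http://bit.ly/..."""
    host = urllib.parse.urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower()

def absolutize(base, location):
    """Resolve a Location header (which may be relative) against the requesting URL."""
    return urllib.parse.urljoin(base, location)

def redirect_chain(url, max_hops=5):
    """URLs visited hop by hop using HEAD only; the final page body is never fetched.
    Stops at the first non-redirect response or after max_hops redirects."""
    chain = [url]
    for _ in range(max_hops):
        req = urllib.request.Request(chain[-1], method="HEAD")
        try:
            with _opener.open(req, timeout=10):
                return chain  # 2xx: this is the real destination
        except urllib.error.HTTPError as err:
            loc = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and loc:
                chain.append(absolutize(chain[-1], loc))
                continue
            return chain  # 4xx/5xx or a redirect without Location: stop
    return chain  # hop limit reached; a chain this long is itself suspicious

def resolve(url):
    """Addresses the local resolver (the one the network hands you) returns for the host."""
    host = urllib.parse.urlsplit(url).hostname
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

if __name__ == "__main__":
    link = "http://bit.ly/f1dzwo"  # the shortened link from the post
    print("TLD:", tld_of(link))
    for hop in redirect_chain(link):
        print("hop:", hop, "->", resolve(hop))
```

Run it from two different networks (or with a modified hosts file) and the per-hop addresses will differ, which is the author’s point about not knowing how your DNS will resolve the name.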

There’s a major disconnect between the way the law wants to work and the way that things actually do work.

Facebook Security

There’s been a lot said about privacy on Facebook recently, that I won’t go over or comment on at the moment.

Given Google’s recent move to supporting HTTPS on the search page I was starting to check other sites for the same. I was slightly surprised to find that Facebook does indeed allow HTTPS connections, and then even more surprised to find that chat doesn’t work (“disabled on this page”) – possibly the area where this would be most warranted.

I can’t think of a good reason why this would be the case – perhaps more investigation is required!

Open or Siloed Identity?

Kim Cameron’s Identity Weblog » GOOGLE’S AUTHENTICATION VERSUS MICROSOFT’S LIVE ID

I was fortunate enough to hear Kim talk at the MS Security Summit I attended today. Whilst I thought I had a pretty good understanding of Infocards/”Cardspace” and the Identity Metasystem, hearing it explained in this way was very useful and I’ve left with an even greater understanding. Whilst the demos were obviously using the Microsoft implementation of the ideas, the openness of the system was evident, as was the effect that this will have on our industry in the future. I’ve a couple of technical questions that have come up, but I’ll get back to those later (and unfortunately I’d been booked to be elsewhere this afternoon so was unable to hang around for questions in person!)

Having seen this post tonight (one of the best things about RSS feeds is that I can miss a few days and have everything sat waiting for me to catch up!), it’s a striking comparison between the two giants’ approaches to the problem. I’ve previously written about how the trust in the two companies is different and it’s been noted again that, perhaps at least part of the reason for the new Microsoft open approach is the failure of Passport (as an Internet-wide universal Identity, at least) whereas Google thinks it can avoid those same mistakes with its siloed identity systems (Google seems to be increasingly arrogant in all areas of its business).

One thing that does worry me is that one of the reasons, IMHO, that Passport failed was that by that time, Microsoft’s reputation was already low – security was always a problem in Windows. In contrast, Google has an almost unhealthy positive reputation amongst most web users. They are quite capable of churning out substandard products and services that somehow get rave reviews in the media and from a certain group of people – whilst there is another group becoming more suspicious (and critical) of Google and everything it does. Unfortunately I get the feeling that this second group is suffering from the echo-chamber effect of the blogosphere and not much is getting out to the wider world. Given this, it’s entirely possible that the Google way could gain some traction, despite the activities of all those involved in the work so far – maybe some more publicity is required to prevent this from happening?

Rohan Pinto also points to Kim’s post.

Addendum: Paul has already asked the questions I wanted to.