Category: web

  • It’s a WRAP

    I’m just finding out about oAuth WRAP, a new, simplified version of oAuth which some are calling the “valet key” approach to web data sharing: don’t give your Facebook password to a random web app, instead use oAuth to mint them a valet key that lets the app access only some specific portions of your […]

  • Facebook account hacked

    So this evening my Facebook account was hacked and spam messages were posted to a few dozen friends on my behalf. Thankfully, since I’m friends with a number of security-savvy folks, I was notified almost instantly. Now I’ve never cared too much about my Facebook account, so I used one of my weak passwords. I’m […]

  • Stefano thinks I’m a purist…

    Stefano Mazzocchi is awesome and his thinking on Web-based data is incredibly nuanced and pragmatic, so it’s not often that I want to publicly disagree with him. But in his latest post, I think he’s off the mark. Stefano argues: The difference between RDFa and Microdata (syntactic differences aside) is basically the fact that the […]

  • A Partial Report from Social Network Security 2009 @ Stanford

    On Friday, I attended Social Network Security 2009 at Stanford. This was a fantastic get-together, with some very interesting info from Facebook, Google, Yahoo, Loopt, and the research front. I have some notes, mostly from the first half of the day, at which point my laptop battery ran out. Time to upgrade to the 7-hour […]

  • Real-world usage sometimes includes things you don’t like

    When people criticize RDFa without much experience really working with it, I tend to ignore the comments, because they’re usually out to prove some subjective point about what they think the Web should be like (“prefixes are ugly!” “Yahoo’s RDFa support was broken once so clearly RDFa sucks!”…). But when Jeni writes about RDFa, given […]

  • Multi-Factor, maybe, but is it really harder to phish?

    MIT Tech Review asked me for a general comment on web authentication for their article covering new technology by Delfigo. There wasn’t enough time to look in depth at Delfigo’s technology, so my comments were about multi-factor authentication in general, and whether the additional factors are easily phishable. In other words, it’s interesting if authentication […]

  • Engaging Data going, going….

    The Engaging Data Conference at MIT, which brings together a number of interesting folks around the management of personal electronic data, is happening in October. The deadline for papers is this week, so submit a paper now if you’ve got some good ideas to share.

  • Pot, Kettle, meet Zuckerberg

    Facebook is an impressive company, they’ve done and continue to do some very amazing things. And I admit I certainly didn’t see them coming 4 years ago. But okay, come on: “No one wants to live in a surveillance society,” Zuckerberg adds, “which, if you take that to its extreme, could be where Google is […]

  • Loosely Coupled Health IT

    My research group, Children’s Hospital Informatics Program, just released a statement of principles in designing the next generation of Health IT, and folks are picking it up. The key concept is substitutability, or what software/Internet architects have called loose coupling. The idea is to build modular rather than monolithic systems, and ensure that the modules […]

  • More on Google Wave Trust Model

    I wrote briefly about Google Wave, and Ben Laurie points out that my statement on the Google Wave trust model is misleading. He’s right. I said that the Google Wave trust model is the same as email (and thus I think Google Wave will succeed). What my words unfortunately and misleadingly implied is that it’s […]

  • Google Wave – thoughts

    First impressions / predictions on Google Wave, Google’s new communication idea/product/protocol/service: because it’s open-source, federated, and follows the same trust patterns as email, it will be successful whatever authentication protocol Google Wave uses will be a significant (if not a crushing) player in the web authentication space, and that’s not a bad thing because it […]

  • Incremental Benefit and Bursts of Innovation

    Ian Davis, of eRDF fame and a great guy all around, writes about Google’s recent RDFa announcement: At first this announcement seemed like a big deal – Google supporting the web of data in a big way, a real push into the world of open structured data. However, a closer look reveals that Google have […]

  • Google announces support for RDFa

    RDFa is a simple way to add structure to your web pages, for example the text ‘ben adida’ is not just any text, it’s my name, the link to the Creative Commons page is not just any link, it’s the copyright license for my page. I’ve been working on this specification for a few years […]

  • What Verifying an Election Means

    The election at the Université Catholique de Louvain is over, the winner has been declared. So, what does it mean that this was, supposedly, a verifiable election? It means that you can go to the audit web site. There, you’ll find a detailed specification that describes the file formats, encryption mechanisms, and process by which […]

  • Facebook: “we’re keeping your data for your friends’ sake!”

    So Facebook changed their terms of service so they can keep and distribute your data forever, even if you delete your account. It seems that they will factor in your privacy preferences, but I’m not a lawyer and I’m not sure how ironclad that provision is. What seems to be clear is that they keep […]

  • Pinker on Personal Genomics

    As some folks know, I’ve spent the majority of my time over the last 1.5 year as a member of the Faculty at Harvard Medical School in the Informatics group, thinking about security and privacy of web platforms for managing personal health data, including genomic data. I’ve had trouble blogging about it, because I’m still […]

  • Trusting Trust and JavaScript

    About 2 years ago, I tried to come up with a way to make OpenID and similarly single-sign-on systems less phishing-prone. That turned into BeamAuth (note to self: must publish the source code! Argg, so little time.) Minutes before I presented BeamAuth at CCS, Adam and Collin cornered me and found a subtle but significant […]

  • CC Tech Summit – December 2008

    I just finished my presentation on “RDFa: Life after W3C Recommendation” at the Creative Commons Tech Summit held at MIT (photographic evidence). Fun to chat about RDFa, as always, and a good crowd with some good questions.

  • OpenID and Creative Commons

    Creative Commons recently launched the Creative Commons Network, including OpenID support. I wrote up an introduction to OpenID, its risks, and how Creative Commons is addressing them.

  • Resig on Chrome: it’s the Process Isolation, Stupid!

    So Google launched their own browser, Chrome, and in the words of a friend “this looks like an operating system to my MBA eyes.” Exactly. John Resig, of jQuery fame, has the smartest comment so far: The blame of bad performance or memory consumption no longer lies with the browser but with the site. By […]

  • Where we’re going, we don’t need SSL

    Read a funny thing on DaringFireball: AppleInsider reports that the MobileMe web apps supposedly do use SSL, even though you don’t see “https:” URLs or the “secure” lock icon in your web browser Hmmm, sounds awfully fishy. If the page is over plain HTTP, then it will have a lot of trouble making requests over […]

  • Helios Voting System — Launched!

    I just gave my talk at Usenix Security on Helios, my new web-based voting system that supports cryptographic auditing. Since it’s web-based, you don’t want to use this for elections where coercion is a serious concern. But if you’re running an online election for your club, software community, etc.., it’s perfect. Just go to: […]

  • Adam & Collin strike again

    I’m now at Usenix Security, which I’m micro-blogging over at Sometimes, though, one talk merits more than a micro-blog. Currently, I’m listening to Adam Barth presenting his web-security paper (joint with Collin Jackson) on subtle but huge issues with frame navigation and communication. Top-notch stuff. What’s fascinating to me about Adam & Collin’s research […]

  • Bridging the Clickable and Data Webs

    Over the last few years, I’ve been the Creative Commons representative to the World Wide Web Consortium (w3c). This means that I work with a bunch of great folks on web standards, specifically trying to define solutions that will help Creative Commons. Since 2005, I’ve led a w3c task force on RDFa, which is a […]

  • Don’t Hash Secrets

    Building secure systems is difficult. It would be nice if we had a bunch of well-designed crypto building blocks that we could assemble in all sorts of ways and be certain that they would, no matter what, yield a secure system overall. There are, in fact, folks working on such things at a theoretical level […]

  • Privacy violations can be so useful

    Have you noticed that, after you visit a web page, links to that web page change color, usually a lighter shade of blue? That’s one of the earliest User Interface wins of the web, a feature that dates all the way back to the first version of HTML. How convenient to be able to tell, […]

  • Why I’m switching to Yahoo Search

    [Disclaimer: Yahoo supports RDFa, which is a specification I’ve worked on. So, obviously, I’m excited. But hey, that doesn’t mean I’m wrong.] Yahoo recently announced SearchMonkey, and for the first time in 10 years, I have a reason to switch search engines, from Google to Yahoo (In fact, I just did that in Firefox.) Most […]

  • WWW2008

    I was at WWW2008 last week in Beijing, where I presented a Tutorial on RDFa with Elias Torres and Ivan Herman, and SessionLock, a technique for securing web session used over unencrypted HTTP. The conference was a lot of fun. Spent quite a bit of time discussing security with Collin Jackson and Tyler Close. The […]

  • Privacy vs. Omnipotence, Mashups and your browser.

    Facebook is in hot water again, this time for “Facebook Beacon” which posts your activity at various partner sites to your Facebook newsfeed. Buy a self-help book at Amazon? Your friends will know. Browse some recipes at Epicurious? Your girlfriend might get some idea of what you’re cooking for Valentine’s Day. The fuss is mostly […]

  • Privacy Quote of the Day

    Facebook just launched a targeted advertising platform. Suddenly, all that data you entered about yourself will be used to target advertising to you. Were you expecting it? This is worse than Gmail, because when gmail launched, they told you upfront that they were using your mail content to target ads. You could make the conscious […]