gdp's Comments

drstarcat.com : How to Train a 6 Year-Old to Hate Brands

Mon, 10 Aug 2009 12:12:06 +0000

Thanks Fred. I wonder if kids these days are so good at avoiding brands that they are just too disengaged to care?

Ultimately the question will be whether this sort of brand advertising (as opposed to the \"thing\" advertising that Google does) continues to drive sales the way it once did or if an ever increasing amount of advertising dollars go to intention-based advertising.�This�is�particularly�important�for�the�New�TV�because,�as�I'll�be�arguing�in�my�next�post,�intention-based�advertising�is�nearly�impossible�for�video�(because�when�watching�a�video,�my�intention�is�to�be�entertained and not interrupted).

I'll be interested to see how your kids (and the rest of us) react to Hulu�if�the�networks�try�to�cram�in�18�unskippable�ads�for�21�minutes of content. I think the networks might realize we're more at war than they think.

drstarcat.com : How to Train a 6 Year-Old to Hate Brands

Sun, 9 Aug 2009 20:02:08 +0000

Thanks Doc. It's always nice to have a comment that's as (if not more) informative than the original post!

drstarcat.com : How to Train a 6 Year-Old to Hate Brands

Thu, 6 Aug 2009 16:21:06 +0000

I don't buy the cultural issue. It's more fundamental than that. I DO buy your personal (and to some degree society's) ability to deal with this instinct in myriad, beautiful, and often counter-intuitive ways. That's what makes us great.

drstarcat.com : Why an OAuth iframe is a Great Idea

Fri, 17 Jul 2009 01:51:09 +0000

I know what the user SHOULD do. �I also know what the user WILL do. �And that's my point. �I believe that users will be more likely to get successfully phished if they get comfortable entering their credentials into redirected sites than they will if they get used to entering their credentials into the sites they are giving access to.�

In the first scenario, your average user will think they can give their credentials to a \"somewhat\" dubious site that redirects them to a Netflix-like page because they'll be convinced�it�IS�Netflix (regardless of the URL).��In�the�second�scenario,�they�will�at least give a second thought to typing their credentials, because it will at least \"feel like\" they giving their credentials to THAT site (whether they are in actuality or not).

Your second point is a VERY compelling one�though.��I'd�hate�to�have�my�guys�try�to�hack�something�together�that�doesn't�work,�or�if�it�does,�is�something�Netflix�wouldn't�be�happy�with.��Our�real�job�at�SetJam�is�to�make�online�TV�easy�and�that's�what�we'd�like�to�spend�most�of�our�time�on.��I'd�reconsider�your�anti-framing�stance�however.��I�think�the�community�has�put�\"should\"�ahead�of�\"will\"�in�this�case,�and�that's�a�recipe�for�disaster.

drstarcat.com : Why an OAuth iframe is a Great Idea

Thu, 16 Jul 2009 21:36:12 +0000

Btw... because of your suggestion, we're going to do the following: You need to let Netflix know that you want to use SetJam: If you've already got a Netflix account <login here>. If you don't have a Netflix account, <start your 30 day free trial here>. [smaller] We won't store your Netflix login information, if you'd prefer to enter your login information at Netflix, click here.

drstarcat.com : Why an OAuth iframe is a Great Idea

Thu, 16 Jul 2009 21:23:06 +0000

Wow Richard!� That is a very simple but smokin' good idea.� I was planning on putting a notification on the iframe stating that we wouldn't be storing user credentials, but adding a \"verify\" link for the truly paranoid is a great idea.� Thanks!

drstarcat.com : Why an OAuth iframe is a Great Idea

Thu, 16 Jul 2009 20:22:08 +0000

For a fully secure implementation, this is probably where it has to belong.� This is exactly why iCards works this way.� They problem is that any time you're relying on the browser, you've got to wait for the browser manufacturers to agree to and implement the standard.� And as we all know, that could take a decade (if it ever actually happened).

drstarcat.com : Why an OAuth iframe is a Great Idea

Thu, 16 Jul 2009 20:19:16 +0000

This is a great reply Simon.� As a technologist and member of the Identity community, I also greatly sympathize with it.� I'm still on the fence about this though.� In fact, I thought about writing a follow up post on why implementing OAuth in an iframe is actually better for security.� Here's my reasoning, and it is only half warped by my desire to give my users an easy experience.

If I (and the community) consistently redirect people to other sites, it is at least plausible that users would find this the \"normal\" way of doing things and look suspiciously at framed implementations (as they should).� But realistically speaking, what would the user find \"normal\"?� The answer--going to an entirely other site that LOOKS like their trusted site and typing in their credentials.� The thought that they will pay any attention to the URL is a total pipe dream.

So where does this leave the user?� Perfectly setup for every phishing attack in the world!� On the other hand, with an iframe implementation, what does the user think--I'm trusting THIS site (the relying party) with my authentication credentials.� And this is EXACTLY the site the user should be making the security evaluation about.

Now the community may argue that this defeats the purpose of OAuth and is no different than the user handing out their credentials to the relying party.� It's not though--because I'm NOT storing the user's credentials.� I'm not doing this because I, as the relying party, understand that this reduces MY risk exposure.�

So my point is three-fold:
Redirects may not be teaching users what you think and may actually be teaching them to erroniously believe that when a site looks like their trusted that it is actually is their IP. By authenticating on the RP site, users are making the trust evaluation about the correct site.That all is not lost with this implementation because we've won half the battle by teaching TECHNOLOGISTS how to be an RP and the advantages on NOT storing user credentials.

drstarcat.com : Why an OAuth iframe is a Great Idea

Wed, 15 Jul 2009 12:44:05 +0000

Good point and something we saw discussed in the OAuth community about this.� Others have managed to pull it off, so hopefully the issues won't be insurmountable.� Knowing my luck, we'll waste some time on it and have to go back to the new window anyway!

drstarcat.com : Why an OAuth iframe is a Great Idea

Tue, 14 Jul 2009 22:01:04 +0000

Eh... We could, but I feel like the full redirect is even worse than
popping up another window. If the claim holder sites didn't make
their authentication pages so ugly it wouldn't be so bad, but
typically they're just a login box surrounded by a black background!

rj

Sent from my iPhone

drstarcat.com : The Physics of Air Conditioners--Preventing bloodshed in the office

Sat, 4 Jul 2009 01:37:04 +0000

Amen to that!

drstarcat.com : The Physics of Air Conditioners--Preventing bloodshed in the office

Fri, 3 Jul 2009 02:50:15 +0000

Duly noted. Thank you!

drstarcat.com : The Physics of Air Conditioners--Preventing bloodshed in the office

Thu, 2 Jul 2009 13:43:45 +0000

Ha! So wrong. Office: Between 68-72. I'm not religious about this, I just can't STAND when it gets set to 50 degrees and after a few hours I realize that I'm shivering. I don't care about cool setting and probably prefer energy saver on (I never like the on/off thing with the fan) Home: 68/High Cool (to drown out the City noise), and ES off (to keep that white noise coming!)