Hugo’s blog

This is me waking up 1.5 months after everybody.

I worked at 3Com and lived for about 1 year in the Hemel Hempstead area, home of the magic roundabout, and I am finally realizing today while playing with Flickr that the Buncefield fuel depot which exploded last month in the UK was right in front next to where I was working. I even drove in front of it every day! Shame on my British memories.

Flickr has some photos of the damage that the explosions did to the building. Flickr is a really cool tool. Computer World even has an article about it.

Hier soir, Laurent de Wilde était au New Morning pour deux concerts. Tout d’abord une partie acoustique avec le Laurent de Wilde Trio, puis une partie électro avec Laurent de Wilde Organics.

J’ai beaucoup aimé Laurent de Wilde Trio. Laurent de Wilde au piano, Darryl Hall à la contrebasse, et Laurent Robin à la batterie ont notamment joué des morceaux d’électro-jazz de manière acoustique, et je dois dire que j’ai été emballė. Comme le dit Laurent de Wilde sur son blog, ils préparent un album pour fin avril qui promet.

J’ai notamment beaucoup aimé leurs improvisations sur Quiet, Not Quite. Cela m’a rappelé un peu la façon dont dEUS, dans un style complètement différent, arrive à bousculer une mélodie dans une chanson qu’on aurait pu croire prévisible (comme Let’s Get Lost ou Little Arithmetics).
La deuxième partie de soirée a été beaucoup plus remuante avec Laurent de Wilde Organics. J’avoue avoir moins apprécié la partie électro, le tempo étant parfois un peu trop rapide à mon goût. Ceci dit, je suis encore un néophite en la matière, et mon oreille va surement évolué. Julien m’a également fait remarqué qu’un concert d’électro assis n’est pas vraiment idéal.

En tout cas, un très bon moment. Et en bonus, les musiciens avaient demandé aux spectateurs de ne pas fumer. Un concert sans cigarettes, le rêve !

J’ai pris quelques photos du concert.

I have been using Firefox since the time it was called Phoenix. I think that the first build I used was 0.3, released in October 2002. So when I got a Mac a few months back, I naturally installed Firefox right away, with all my extensions, ad-blocking filters, etc.

But I have to face it: Firefox on the Mac is painfully slow. And it’s not just me: comparison charts and other users reach the same conclusion as me. Maybe MacBook Pro users won’t suffer from this, but Firefox on a PowerBook is far from ideal.

So I decided to give other browsers a try, which is tough as I can’t live without extensions like Adblock or Tab Mix Plus. However, responsivity of an application like a Web browser comes before features.

And it turns out that the Mac has quite a number of browsers available for it, ranging from free open-source ones (e.g. Shiira) to commercial closed-source (e.g. OmniWeb).

After giving them all a short try, I found two candidates that suit my needs and which I found very responsive:

• Safari, with SafariStand and SafariBlock installed. There actually are a number of extensions for Safari.
• Opera, used with no-ads.pac. Other solutions are available too.

Because SafariBlock is much easier to use than no-ads.pac (e.g. you can block Flash ads with one click), I settled on Safari as my main browser, but hacking a little GUI for no-ads.pac could be cool, especially this solution is cross-browser.

I like Survivor. I owe this addiction to Dean, who is also responsible for my watching of Lost, though this one is likely to stop soon based on the recent (lack of) storyline.

Anyway, I was amused by this article on Rich Hatch’s trial about the money he won on Survivor. Essentially, what’s happening in this court house doesn’t look so different from what happens in a tribal council on the show. I’m wondering if the judge is going to end the trial with: “Richard, the jury has spoken. It’s time for you to pay.”

Just as was I trying to find out when the DMC-FZ5 was going to be updated as it is now one year-old, Panasonic announces the DMC-FZ7.

It seems to have nice improvements over the highly recommended FZ5. I can’t wait to read full reviews, though this may take a while. I may have to wait a little before changing cameras, as it will start shipping in March.

My faithful PowerShot S30 suffered one too many falls last week. It was far from being the worst that it had seen, but this time, the button is broken. It still kind-of works (bye bye pre-focus as the shutter release lost its half-pressed capability), but who knows how long it will take for the button to stop working completely.

So it’s this time again where I get overwhelmed by the too many options there are in terms of cameras. More than picking a particular model, I have found 3 formats that are attractive:

• Ultra-slim: the Casio Exilim Z750 is very slim and fast; unfortunately, it seems that you need a dock to charge or download pictures, though.Jonathan is always raving about it and pointed out that with an SD card reader and thanks to the great battery, it’s not so much of a problem. It doesn’t have an orientation sensor, but rotating picture by hand is not terrible. The Panasonic Lumix DMC-LX1 is also a possibility, with its cool 16:9 CCD, but the pictures it takes seem fairly noisy.
• Compact: the Canon PowerShot S80 seems to be really cool; slightly bigger, slightly slower, but seems to have lots of cool features and manual settings, and a wide-angle lens; I have my doubts about the thumb-operated zooming button though.
• Big zoom: the Panasonic DMC-FZ5 has good features including a 12x zoom; it just is bigger. The Kodak EasyShare P880 has a 5.8x zoom and seems good too, as well as the Kodak EasyShare P850 with its 12x zoom.

I need to look at this a little closer.

Comments on any of those more than welcome.

I’ve been reading feeds with Vienna and it’s worked well except for one thing: it forces me to read the news and people’s ramblings on my laptop. So I thought: why not use this thing called the Web to do that and not be bothered by the software I’m running anymore?

After all, lots of people use BlogLines, so why not me? I tried BlogLines a long time ago. The same way I had tried del.icio.us a long time ago, tried it again recently, and discovered that I actually wanted to use it that the interface had improved a lot.

So I started using BlogLines again. But the difference with del.icio.us is the following: I don’t think that the interface has improved that much from what I vaguely remember, and I found it pretty slow compared to Vienna (but I shouldn’t be too surprized by that).

It was enough for me to try out other solutions. So I went on a mission, and I tried a number of online feed readers. What I was after was something close to Vienna:

• NewsIsFree: I didn’t like the tabbed interface; I’m too used to the column-based one from Vienna.
• Google Reader: it has a very fancy and cool-looking interface, but, again, I’m used to a two column-based view, with folders and a clear view of what is unread, so that I can choose what I want to read; the 3-pane (or is it 4?) view didn’t work for me. It did have keyboard shortcuts that help making you (Unix geek) at home.
• NewsGator: NewsGator is pretty neat, but has some drawbacks. The separation between posts is not obvious, and it’s really slow. That’s a shame.
• RoJo: Rojo is all-in-all pretty neat. I didn’t find how to show older articles first, though, and everytime I come back, all my folders (well, tags, on RoJo) are collapsed, so I can’t have a good view of what is available.
• Pluck: Pluck looks a lot like a deskptop application, but every operation (e.g. folder expansion) seems to require talking to the server, the number of unread items is not indicated in a feed, which makes it painful to use.
• BlogLines: this was my starting point; though I’m not a fan of frames, the interface is simple and works well. It doesn’t look as fancy as the others, and rearranging feeds is painful, but it does what it claims to do well: present you your unread news clearly. And it has very handy keyboard shortcuts to navigate your news, which is a huge plus for me.

I don’t pretend to have done an extensive study here. I’ve mostly used the default options, and may have missed some cool features. Also, some of those sites are more than just RSS readers and have community tools, in particular Rojo, but I ignored those as it wasn’t what I was after.

So BlogLines is the one for me. Looking at others, and to borrow an expression from Carson Kressley, I think that it would deserve some jujing up of its interface, but maybe we would loose without some usability and speed which are the most important aspect for me.

Rojo came in second for me, and may actually become number one. I’ll keep an eye on it. The Google Reader looks promising.

I’ve been subscribing to more and more podcasts, as I like it to listen to radio shows when it’s convenient for me: in the subway, when I run, in a plane, etc.

However, I discovered in the past week a weird problem: the duration of some podcasts is very short. I have some that last 7 seconds, others that last 20 seconds. And this despite the MP3 being its normal size. 20 seconds for a 50MB MP3, that’s suspicious!

An example of this is La Revue de Presse de France Inter. The MP3 file 7.3MB, iTunes says it lasts 7 seconds, so does my iPod, and only plays those 7 seconds. This same MP3 played by RealPlayer, MPlayer, VLC, QuickTime, lasts 7:54. I have a similar issue with the RTL Podcasts.

Having a closer look at the faulty MP3s, they seem to have an introduction music, and then the show. And the length advertized by iTunes and the iPod is the length of this introduction. I’m wondering if the MP3 specification has an end-of-file marker, and whether those podcasts are just the concatenation of the introduction MP3 and the show recording. As I could not find the specification despite following links from the Wikipedia MP3 page, I am making a lot of guesses here.

However, I tried a few more players (Creative Muvo V200, mpg321, etc.): none of them complains about the format of this MP3, for example, and they all, except iTunes and the iPod, play it in its entirety. MP3 Checker calls the MP3 good, and doesn’t report any error, though I don’t know how reliable this tool is.

I’m wondering if this isn’t a result of the update to iTunes 6.0.2 and of the iPod firmware 3.1.1 I did a few days ago.

Assuming that this isn’t a problem I’m the only one to see (though a number of searches on the Web didn’t confirm this), somebody who can actually do something to fix this will notice the problem. Or so I hope.

Update (2006-01-17): RTL‘s Webmaster wrote to me and told me that it was indeed due to the new version of iTunes, and that the new editions of RTL’s podcasts would not have this problem anymore. Cool!

Funny: MacBidouille.com : Bidouille hardware sur Mac (in French) shows two photos of the MacBook Pro from Apple’s Web site which actually are photos of PowerBooks that were (poorly) modified to look like a MacBook Pro. On one, they forgot the reflection of the IR port, and on the other one, they forgot to change the position of the latch.

I wrote my first Flickr desktop application, Offlickr, but something has been bothering me in the way the authentication is done.

The Flickr Authentication API Desktop Applications How-To explains how user authentication works. Basically, an application has an API key which will appear as an api_key parameter, and a shared secret which is used to sign every call, the signature being included as a api_sig parameter. If a call needs to be authenticated, an authentication token will be used (which is given to you by Flickr when you as a user authorize an application to access your data) that you include as an auth_token, and again, the application signs the whole thing with the shared secret.

A closer look at the authentication procedure

So the security relies on the api_sig signature, i.e. on the shared secret. Only the application with the shared secret can generate the right signature to do a call.

However, replay attacks are easy: everything is contained in the query parameters. Just do the HTTP request again. This is probably why people use HTTP POST instead of HTTP GET even for things like getList: to try to hide what’s going on and not have the authentication token show up in a log or in a Web cache.

In addition, one can get somebody’s authentication token somewhere (e.g. in a Web proxy log file), and then could reuse the same application (after all, the api_key identifies the application) and pretend to be this somebody. But this limits the attacker to using one particular application, as the so-called shared secret prevents you from doing arbitrary operations as you need it to sign the HTTP requests.

This is where another problem lies: the shared secret is not so secret; it doesn’t appear on the wire, but if you have an open-source application, you can easily find it in the source. If the code is compiled, maybe the developer can hide it from the public, but I was writing a program in Python. I spent some time wondering if one should or not include the secret in the code, but looking at other programs, it seems that the answer is that shared secrets are always included as you don’t want everybody to register the program with Flickr before they start using it.

So, if you can get a hold of somebody’s authentication token for say an uploader tool for which you can get the shared secret (e.g. because you have the source code), as the uploader will have read-write access, then you have full read-write access on somebody’s account. And again, the authentication token is shown in the clear on the wire, so you just need to go to a conference and snoop on the WiFi network to wait for somebody to use the uploader for example, and bingo.

The real secret here, since you already have the API key and the shared secret of the application, is therefore the authentication token that the user has gotten from Flickr. This is a piece of information that only the user which authorized the application has. It stays a secret until it gets on the wire as a query parameter. Well, it’s currently returned on a standard HTTP response so one could technically get a hold of this when the token is issued, but that’s a minor problem as it could easily be changed by having flickr.auth.getToken use SSL.

The question is therefore: why send the authentication token on the wire then? As it seems to be the real secret, it should be kept hidden.

I am assuming that Flickr doesn’t want to use SSL as it would be expensive CPU-wise. It seems that a stronger authentication technique could be used fairly easily and would improve security greatly.

One way to keep this authentication token secret would be to use it to sign the call, i.e. have a parameter auth_sig akin api_sig to hold a signature generated with the authentication token.

Using standards

It may seem that I’m excessively picking on the Flickr API, when actually this is a general HTTP problem. After all, basic authentication in HTTP is weak, and the current practice of using cookies is not better; capturing just a little unencrypted HTTP traffic is guaranteed to give you access to something you shouldn’t have. Plus I like Flickr, which is why I started playing with it and looking at the API in detail; I’m sure similar comments could be made of others. Qui aime bien châtie bien as one would say in French.
However, it seems that, with an API, we have a greater power and therefore can achieve better solutions as we’re not limited to the solutions supported by the intersection of what the major browsers implement.

A way other than the auth_sig solution I was talking about to solve this problem, could be to use the authentication token obtained from Flickr as the password in HTTP digest authentication (RFC2617) and it would even be standard so people wouldn’t need to do much in their code.

I admit I’m a little surprized that with all the standardization work happening on the Web, ad-hoc solutions are used. Digest authentication has failed to be adopted by browsers, so it sadly cannot be used for Web applications targeted to browsers (maybe that will change), but it certainly be used in the context of APIs (e.g. in Python, we have urllib2.HTTPDigestAuthHandler, Jakarta has a AuthPolicy.DIGEST, etc.).

Also, the Flickr API, like many others, exists in several flavors: REST, XML-RPC, and SOAP. But it’s basically the exact same messages, with a different envelope. It’s no wonder that people prefer REST APIs: they’re basically identical to the SOAP ones, except that you need to use less libraries in your code and your messages are simpler.

In this particular case, SOAP-based Web services bring you WS-Security that could solve this authentication problem nicely. Then the SOAP API would show the advantages of SOAP, and people may actually see the point of all this standardization (including Web services) work.