isn't quite ashamed enough to present

jr conlin's ink stained banana

:: Spraypainted White Hat

NOTE: WHAT FOLLOWS IS PERSONAL OPINION. IT IS NOT SANCTIONED NOR REFLECTS THE OFFICIAL VIEWS OF MY EMPLOYER.

i've corrected this post to reflect the additional information provided below.

Right, that's out of the way then. So, i work at Netflix. Specifically, i work in the API group. The guys that offer http://developer.netflix.com and various services tied to it. Anyone who knows me (or just reads this blog) also knows that i'm more than a little paranoid about security and privacy.

Some time ago, a company called Jinni started collecting Netflix customer ratings so that they could store them on their servers and do things with them. Unfortunately, since Netflix doesn't offer a way to pull those ratings directly, Jinni decided that they'd use one of the worst anti-patterns possible, and ask for the user's account name and password, which they store on their servers.

This, not surprisingly, is a violation of the Netflix Terms of Service. Netflix, for those not aware of the company, is a subscription-based movie rental company. You set up your subscription via a credit card which is tied to your account by… your user name and password. Netflix, also not surprisingly, doesn't want potentially thousands (or really, even one) credit card to be stolen out of its service by any site that's suddenly been compromised.

Your Credit Card information is obscured on the Netflix site, and while it's not possible to access the number directly, it is possible to view other elements of information including the last four digits of your credit card, billing zip code, expiration date, plan option, and the ability to acquire gift certificates and other actions.

You see, regardless of the sort of encryption being done to store user credentials on a remote site, if you're entering a username and password, it must be transmitted (and therefore stored) in plain text and therefore it's easy to steal via any number of mechanisms. This is why services like OAuth are better because they let the three parties (you, a third party program acting as your agent, and your data service) all agree on a common set of alternate credentials that have access to an explicit set of information. For instance, i can use these alternate credentials to let PocketFlicks access my reviews and movie watching history, but not have access to my credit card info. Plus, should i ever distrust a given service, i can have the data service revoke access at any time.
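To make the difference concrete, here is an added example (not code from Netflix, Jinni or any OAuth library) that models the delegation idea in miniature: a toy data service where a shared password opens the whole account, while a token issued to an agent is limited to named scopes and can be revoked. The `DataService` class, its method names and the account data are all hypothetical, and the real OAuth wire protocol (signatures, redirects, request tokens) is deliberately left out.

```python
import secrets


class DataService:
    """Toy data service (hypothetical); models scoped delegation, not the OAuth wire protocol."""

    def __init__(self):
        # Constructed sample account data.
        self._accounts = {
            "alice": {
                "password": "correct horse",
                "resources": {
                    "ratings": {"Brazil": 5},
                    "history": ["Brazil", "Primer"],
                    "billing": {"card_last4": "4242", "zip": "94000"},
                },
            }
        }
        self._tokens = {}  # token -> (user, agent, frozenset of scopes)

    def login(self, user, password):
        """Password login: all-or-nothing access to every resource on the account."""
        acct = self._accounts.get(user)
        if acct is None or not secrets.compare_digest(
                acct["password"].encode(), password.encode()):
            raise PermissionError("bad credentials")
        return dict(acct["resources"])

    def authorize(self, user, password, agent, scopes):
        """The user approves an agent at the data service; the agent never sees the password."""
        self.login(user, password)
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (user, agent, frozenset(scopes))
        return token

    def fetch(self, token, resource):
        """Agent access: only resources inside the scopes the user granted."""
        grant = self._tokens.get(token)
        if grant is None:
            raise PermissionError("unknown or revoked token")
        user, _agent, scopes = grant
        if resource not in scopes:
            raise PermissionError(f"token not scoped for {resource!r}")
        return self._accounts[user]["resources"][resource]

    def revoke(self, user, agent):
        """The user withdraws one agent's access without changing the password."""
        self._tokens = {t: g for t, g in self._tokens.items() if g[:2] != (user, agent)}
```

An agent holding the password gets `billing` along with everything else from `login()`; an agent holding a token granted for `ratings` and `history` is refused `billing`, and is refused everything once `revoke()` has been called.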

i'll toss in that OAuth is just one solution. There are others, including Yahoo's BBAuth, Google's Auth, and Facebook Connect which all provide similar function (although those are tied to specific vendors). This is what's known as balanced security, and frankly, if you're using either an agent or a data service that doesn't provide that sort of balance, i'd seriously question the goals and aims of that service. (Twitter, thankfully, has recently joined the OAuth bandwagon after having had several accounts compromised by various less than upstanding services.)

So, it both confuses and saddens me when i see companies like Jinni slinging FUD. To them, the obvious reason that Netflix is "demanding they remove the import ratings feature" is obviously because Netflix sees them as a threat. Well, i'd guess Netflix does, but definitely not in the sort of way that they seem to think.

Netflix's income comes from subscriptions. Netflix's main goal is to increase subscribers. In order to do that, Netflix wants to provide a service that folks are happy enough to both continue to use and to recommend to others. One of the ways that we've found to make our service useful is by recommending movies that you might enjoy watching. We do a fairly good job, but we're about to award some guys $1,000,000 for a way to make it just 10% better than it was before, so we know that others might do a better job than we can. We just want more subscribers*. Heck, if you like watching movies based on random words in the dictionary, we don't care so long as you become a subscriber. Honest, that's the sum total goal.

Now, there are also laws in place that we have to respect dealing with ensuring your privacy. For instance, we can't share your movie rental history without your consent. Every time we look at offering a new service, we have to make sure that it's not potentially violating laws or existing privacy policies. That means that the reason some things are offered before others isn't always because it's technically challenging. Is it frustrating? Oh man, is it ever, but that's the reality we have.

i'm quite sure that the Jinni folks are fine, upstanding citizens with only the best of intents. That said, i'm still paranoid as hell, and frankly, you should be too. Heck, be rightfully paranoid about Netflix, that's why security experts recommend having unique passwords for every service you use. (Just note that Netflix is required to be SOX compliant and regularly audited by our credit holding insurance agency where i don't believe Jinni is.)

i believe that Netflix doesn't care if someone wants to store and use their customers' movie ratings. Heck, when they're allowed to provide them, i personally hope Jinni does a better job than Netflix does because that will also increase Netflix subscriptions. Netflix just can't provide them yet.

As for giving them, or any site, credentials that could access your stored credit card personal info? Well, that's just stupid.

(*Oh yeah, those stupid pop-up/over/under ads? Those are from affiliate partners. They're not supposed to do that.)

:: Several Other Facts

Don't get me wrong. i like the EFF, in fact, i've contributed and gotten the full set of stickers and lovely note, but there are times that i kinda wonder if they're thinking clearly.

Take, for instance, a note they published yesterday, "Several Facts about Google". They note that they're very happy with the fact that Google is testing out HTTPS connections for gmail, since that means that the connection between you and Google is secure. That's very nice. Granted, SMTP, the method of delivery of your mail, is generally unencrypted, but that's probably beside the point. Kind of like how it's great to have a locking mailbox, but your mailman can still get mugged or just bury your mail in his backyard.

The other part that really had me scratching my head was that they were pushing to have Google use HTTPS for searches.

Again, i really like EFF, but i really wish they'd consider what they're asking for.

HTTPS means a secure connection. That means that so long as you're holding a connection open, you've got a mutual, trusted handshake between you and the box you're talking to. That's important to think about so make sure you remember that.

When you make an HTTP request to Google, the first thing that happens is that your request goes to a DNS balancer. This machine tries to figure out the closest server to you and hands you off to that machine. That machine is probably a VIP or "Load balancer" whose job it is to hand you off to a machine that can actually service your request. How you walk that path is kind of dependent on a lot of things like how busy a given server is. All of these hand-offs are done in nanoseconds because none of these needs to keep the "line" open. In fact, with some things, you may not even get to Google because you wanted something that exactly matched what someone else just asked for (like "Ed McMahon Memorial" or something). That's called Caching and it means even faster delivery of data to you.

When you switch to HTTPS, however, you introduce a good deal of security and a lot of extra steps. Your machine will only exchange information with a machine that identifies itself correctly. It also means that every request and response has to be encrypted and signed and then checked and decrypted.

Think of it this way, let's say you wanted to get a quart of milk. Currently you go to a local grocery store, and grab a jug. (We'll pretend that milk is free and unlimited, so you don't have to worry about checking out.) That's pretty much how HTTP works.

HTTPS means driving to an approved Milk Distributor, showing your ID at the door, calling the FDA to ensure that the person you've shown your ID to is who he says he is, handing him a cryptogram that contains your request for a jug of milk, he walks into the store, and sometime later returns with a locked safe which he hands you. You depart, drive home, enter the combination to unlock the safe and pull out your jug of milk. That, of course, presumes that nobody else wanted milk, eggs, meat, or laundry detergent that day and you had to wait in line to talk to the clerk.

Why would you have to wait in line to talk to the clerk? Well, because he costs a lot more than the fridge (even though he's basically walking up to said fridge to grab the milk), and even if you're the most successful grocery store on the planet, you can only realistically afford so many highly trained, FDA approved clerks. Plus, you have to pay for new training for them every year.

i'm sorry EFF, but that's just a really dumb idea. Particularly since your fridge, err, computer could still be seized and the store's receipts, err, search engine's logs can also be subpoenaed.

There are lots of existing ways that you can cover your tracks should you need to. Just ask anyone in China or Iran how to do it. But for the bulk of us, i think we can live our lives with our milk in a normal, non-reinforced carton.

:: Dead-icated Devices

About a week ago, my Archos 605 exploded. Well, not "Oh God! My House is on Fire!" exploded, but the battery catastrophically failed and expanded to the point where it blew the back off the device and dismounted it from its DVR base. i suspect the problem was that the near constant trickle charge from the base it was on caused the problem. i contacted Archos and they offered the option to RMA it, and replace the battery for $65 (Which, i'd guess means rolling the "Oh God! My House is on Fire!" dice again in another couple of years), or $100 off on a new Archos5 or 7. Considering i already have an Archos5 (which i've now relegated to "charge and load only before lengthy trans-continent flights"), i decided to not send Archos any more of my money.

This kinda led to the next question: What should i get as a DVR?

It's actually more complicated than it sounds.

You see, i kinda got used to the idea of having a second DVR that i could use to record my geek-tastic shows on and have playing while i wrote code. It was also sometimes useful to have something that could encode video and audio when i wanted to save something that didn't come on CD or DVD. i have a Hauppauge 1600 that came with my desktop computer, but it's only recently kinda/sorta supported under Ubuntu, and frankly, i still can't get it to work quite right. i also had a crufty old USB video capture plugin device i'd picked up sometime in the past for $30, and let me say that its capture ability rivals that of an etch-a-sketch. Plus, neither of these had a decent IR Blaster so having it change channels for me was kinda out.

One thing i've also kind of learned over the years is that it's often better to have dedicated devices rather than farting around with trying to get something else cobbled up and working. Instead of trying to get wireless networking operational on a given device, it's cheaper and far easier to just go get a dedicated access point.

To that end, i ordered a Neuros for $99 (oddly, cheaper than the PVR base add-on for the Archos5, when it was in stock). Toss on an old 60GB drive i slapped into a USB shell or a spare CF card i've got and i figure it'll suit just fine. (Hell, if i really wanted, i could probably just plug in a cheap 1TB USB in a few years and be good to go for quite some time.)

Plus, if i ever do get that 1600 working right under Ubuntu, i can move this thing to the bedroom. Which is something i'd have a helluva lot more problems doing with my desktop.

i'm sure that it's strange to a lot of folks in this era of convergence, that i'd be happier heading in the opposite direction. i won't argue that it sucks that i need something like a bandoleer to haul around the various gadgets i'd like to have, but then again, i'm not terribly upset when the latest version of the phone i just bought gets video either. (Or really that upset when my camera stops working and can't swap it out.)

:: So Long Y!IM

i have a personal philosophy: Use things that make your life easier.

Of course "easier" is a fairly relative term, but it's stuff that i prefer to use that doesn't overly complicate matters. For quite some time, that included using Yahoo Instant Messenger (Y!IM) as my messenger client of choice. Sadly, those days have come to an end.

For various reasons, i can't run the default Yahoo Messenger Client, nor do i want to dedicate a web page or flash app in order to do messaging. What's more, i don't want to see a bunch of ads or have cute smiley faces appear in code snippets. For the past two years, i've been using Pidgin as my client since it's far smaller and talks with all the messaging services. (Well, almost all. Facebook is still closed. Whaddya Know…)

Pidgin makes my life easier, so it's a good tool to have. What's more, it encouraged me to dig up a lot of my older messenger accounts because i could finally run one program that let me talk to anyone on any other network.

Up until a few days ago when Yahoo decided to be dorks.

They changed the method they use to authorize connections. Mind you, they do that from time to time to prune back spammers and others with malicious intent. It's a fair enough cause since their stand is "It's our network, so we control what goes on it". i can't argue with that, but it does tell me something else. It's their network, not mine, so i use it at their discretion, not mine.

So, much like my decision about getting a Facebook vanity URL, i decided to switch things around.

XMPP (or Jabber) is an open protocol that's been out for a few years. There are dozens of free (both in cost and in not ad driven) clients that can use it. What's more, i can add a Jabber server to my domain and publish my client connect without worrying about being spammed to death.

So here it is: jabber@jrconlin.com It's not an email address, and before you can send your offers of s3xy weeb camz, i have to agree to get messages from you.

That's going to be my new main IM address. It's mine, lives under my control, allows me to log in and run on multiple machines, and i don't have to worry about it not working in the future because someone wasn't making enough money.

Something Yahoo has been in the habit of doing quite a bit lately.

:: Fudgey the Waitaminute

Having grown up on the East Coast in the 80's, Father's Day means having post traumatic flashbacks of Fudgey the Whale.

One thing that has always bothered the hell out of me was, what exactly did "A Whale of a Dad" mean?

  • Here you go Dad, you're bloated and can only survive while buoyant.
  • Dear Dad, i hope you don't die on a beach.
  • Father, look! Eskimos! Run for your life!
  • i love you Dad, Sorry about the harpoon.
  • Hope you enjoy the cake Daddy. It was either this or a bucket of krill.
  • i learned so much from you Dad, like how to hold my breath for 45 minutes and battle giant squid.

Come to think of it, any of those would be better than the usual assortment of cards about golf, watching TV and farting, so maybe there's a market…
