Laughing Meme

I was thinking about doing one of those my most popular blog posts of 2008 vs my favorite blog posts of 2008 posts (see Sippey for an archetype of the genre). And I noticed that the pickings were kind of sparse: 152 posts in 2008 including MLPs[1] and photo posts. Which got me wondering how that stacks up against past years:

2009: (1)
2008: ++++++ (152)
2007: ++++++++ (199)
2006: ++++++++++++++ (359)
2005: ++++++++++++++++++++++++ (602)
2004: ++++++++++++++++++++++++++++++++++++++++++ (1058)
2003: +++++++++++++++++++++++++++++++++++++++++++++++++++ (1268)
2002: ++++++++++ (249)

Maybe I’ll try to get back to and find those populate and best posts, but right now I’m trying to decide how I feel about the those posting trends.

1. What’s an MLPs: when I had my link blogging separated out as a separate stream, that blog was called MLPs, short for “Mindless Link Propagation”, the kuro5hin category for link blogging.

Spent a couple hours last night writing the core of a stripped down, PHP4 compatible API library for Amazon SimpleDB (in the style of my flickr simple library. Just not a fan of abstraction for its own sake). In the process I discovered that Amazon had revved the version on their “Signature Method”. Which is good news as SignatureVersion 1 contains a classic crypto-blunder in its design, namely it encourages collisions. (more details, also why you care about collisions) To date the solution was use SSL, and wait patiently, very patiently. So yay for Amazon fixing this! And in fairness, first couple of drafts of the OAuth spec contained a similar issue, though it got ironed out quickly. Yay for many eyes and the open web.

“OAuth-compatible” signing

Great things are more secure, good news and all, but that isn’t what caught my eye. This block of text did:

Here is what’s different about forming the string to sign for signature version 2:

• You include additional components of the request in the string to sign
• You include the query string control parameters (the equals signs and ampersands) in the string to sign
• You sort the query string parameters using byte ordering
• You URL encode the query string parameters and their values before signing the request

You really have to be an OAuth-dork to find anything special with that paragraph, but if you were, you’d notice that those 4 bullets are an incredibly succinct description of generating an OAuth signature. (in fact a more succinct description then appears anywhere in the OAuth documentation

Which meant that my SimpleDB library can reuse most of the logic from my OAuth library to do the trickiest part of the API call, namely the signing. (Additionally it means that security reviews of both protocols support each other)

So my AWS signing method is a approximately a dozen characters different then my OAuth method and as straightforward as:

    .....

    $signature = aws_request_signature(AWS_SECRET_KEY, $http_method, AWS_SIMPLEDB_SERVICEURL, $parameters);
    $parameters['Signature'] = $signature;

    $encoded_params = array();

    foreach ($parameters as $k => $v){
        $encoded_params[] = oauth_urlencodeRFC3986($k).'='.oauth_urlencodeRFC3986($v);
    }

    $request_url = AWS_SIMPLEDB_SERVICEURL . '?' . implode('&', $encoded_params);

    .....

    function aws_request_signature($key, $http_method, $service_url, $parameters) {
        $base_string = aws_base_string($http_method, $service_url, $parameters);
        return base64_encode(hash_hmac('sha1', $base_string, $key, true));
    }

    function aws_base_string($http_method, $service_url, $parameters) {
        $parsed = parse_url($service_url);

        $host = strtolower($parsed['host']);
        $path = $parsed['path'] ? $parsed['path'] : '/';
        $data = array(
            strtoupper($http_method),
            $host,
            $path,
            oauth_normalized_request_params($parameters)
        );

        $base_string = join("\n", $data);
        return $base_string;
    }

(this uses my personal OAuth library, but your library should have similar methods)

Sure made my jobs of implementing a library easier. If you’re going to invent a new crypto protocol, please consider doing like Amazon, and re-using the basic building blocks. (which also happen to be best practices)

Photos from waterbubblz, dgrubz, murdlebanks, so_phie, elton and picturesofthings

A griot (pronounced /g?i.??/ in English or [??i.o] in French, with a silent t) or jeli (djeli or djéli in French spelling) is a West African poet, praise singer, and wandering musician, considered a repository of oral tradition. - Wikipedia

Also an emerging tag for describing the ongoing protest in Athens over a 16 year old being shot to death at point blank range by Athens policemen.

Being used on Flickr, blogs, and Twitter and the meta del.icio.us. Not being used by the corporate media (aside: the trailing ’s’ is lexically significant, classic stemming does not work on tags)

Does anyone know how and where this tag emerged?

Clearly the next evolution in participatory media (and the only type with a future) is figuring out what the tools to discover, distribute and broadcast these meta-media collaborative objects. Who is thinking and writing about this?

Photo by murplejane

I tried to fit this all into 140 characters. I really did. I couldn’t do it, not even with disemvoweling.

#motrinmom

Chatting with a friend who does information architecture for pharmaceutical advertising she was shocked I hadn’t heard about the “Motrin Mom” twitter-in-a-teapot. I had no idea what she was talking about.

Apparently “Twittering Critics Brought Down [the] Motrin Mom Campaign”. And the entire advertising industry, at least here in New York, is having a fear-of-a-twitter planet moment. Complete with righteous anger about the “irrationality of Twitter”. (um, hello folks, but didn’t you build one of the largest global business by cynically manipulating people’s “irrationality”?)

But the part that really caught me off is this didn’t blip my radar at all. Maybe I was just offline for it, but as far as I can tell the twittering classes I follow didn’t peep about this. I thought Twitter was all about us? (Also, Summize you are already awesome and everything, but if you add “search within people you’re following” and “search within people who follow you” I promise to love you forever)

@flickr

Only tangentially related, I’m sure Tyler Hawkins aka @flickr has a very busy @replies tab.

What I can’t figure out is if all these folks responding to @flickr are really confused about whether Hawkins is a Flickr representative (he isn’t and doesn’t in anyway suggest he might be) or just believe so strongly that “@flickr” address twits will arrive in Flickr’s inbox that reality is irrelevant.

I’m torn on whether the assumption that when you speak you will be heard is the ultimate arrogance (and one particularly prevalent on Twitter), or if rather this proves that we’ve historically worried too much about URIs and that culture has no problem evolving them ad-hoc.

Now if only I had a thesis, rather then a rambling collection of half thoughts. Which is why I wanted to fit this all into 140 characters. Alas.

Did you know you get a new mount when you run those last three ALTERs in the frozen north? - Peter Norby

I’ve been following Andy’s experiments into pricing of Mechanical Turk (MTurk) jobs. He found that he had to pay $0.50 per to get someone to upload a photo of themselves. Which I find both interesting and puzzling given that my day job is largely about coping with folks uploading many (sometimes too many) photos of themselves, sometimes for free, sometimes paying for the privilege to do so.

MTurk therefore seems to create a problematic context for incentivising people, due, we can assume, to the largely unmotivating nature of small cash payments. Within the MTurk context the only way to increase the incentive is to increase the financial reward. Besides being boring, it also overlooks that this is not true in the wider world.

World of Warcraft has proven that people are willing to pour days and days of time into tasks, menial and complex, for significantly less tangible rewards: “gold”, prestige within imaginary organizations, vanity items for paper dolls. For example, a common daily quest might take a skilled player 15-20 minutes each day for which they will receive 10 gold (10g). Calculating a generous exchange rate (which exist only as black market) we get a rate of 0.5 cents per gold. For 15-20 minutes time a worker is receiving 5 cents worth of compensation.

There are a number of possible routes where this thinking could take you, informing how you design reward and compensation systems, and how MTurk should evolve. But for me what this suggests is that Blizzard’s business model should be to wave their monthly subscription fee on Warcraft, and instead sell access to folks with HITs (human intelligence tasks) to manufacture compensation within WoW (gold, items, rep, achievements, and titles), with Blizzard acting as the brokers to control the market, manage inflationary forces, and create gold sinks to keep demand high, and therefore a supply of HIT workers.

The real problem with micropayments is that they’re trying to pay with real money, and money just isn’t as exciting as gold and a murloc costume.

Just putting a note here for the next time I’m working with the Yahoo! GeoPlanet APIs.

The conudrum: a HTTP GET on a given resource (http://where.yahooapis.com/v1/place/23511846?appid=$appid) works in the browser, and works with wget from the command line, but fails from within PHP with a 406 Not Acceptable.

The solution, append format=XML to the resource URL, because the service is blowing out its brains on a missing Accepts header.

And that folks is the magic of REST.

update 2008/12/04: quick scan of my referer logs suggests this is biting folks using lwp-simple and wget particularly hard.

If you’ve forgetten your password to your Wordpress install it has a nifty email-a-one-time-key-to-retrieve-password flow built in. Which for some reason never works on my box. (probably has to do with how I have Postfix setup doing 2ndary MXing) In the olden days the solution to this problem was to connect your database and UPDATE the user_pass field with an MD5 of your desired new password.

But now we’re living in the future, so things are more complicated. I still connect to my database, and manually UPDATE users set user_pass=$hashed where ID=1, but now I need this handy script to generate the hashed password for me. Hopefully the 3 other people in the world this is useful for will find this blog post.

(And now I might start blogging again)

Photo from sarabbit

And in calendaring/scheduling news…., originally uploaded by kellan.