About the Author

Chris Shiflett

Hi, I’m Chris: entrepreneur, community leader, husband, and father. I live and work in Boulder, CO.


All posts for May 2008

Who Created PHP?

This past week, I noticed several feeds I poll for Planet Chris are broken. In a few cases, it's because the site is offline. In most cases, it's because people don't maintain URLs when they change blog engines. (Hint!)

I've been thinking about changing my feed URLs as well, because /feed doesn't let me gracefully offer more than one. (URL vanity strikes again.) I'll be sure to maintain the old ones, though.

Questioning the completeness of my own planet's coverage, I visited Planet PHP for the first time in a while, and Hasin Hayder's post I don't give you a damn, if caught my eye. Not wanting to be denied a damn, I read the post to learn more. The title completes:

You came to an interview for PHP Developer and you said you don't know the name Rasmus Lerdorf.

He poses an interesting question. How well should someone know a particular technology's history, community, or culture to be considered adequately proficient?

It's easy to draw parallels between this and other debates surrounding indicators of proficiency, such as the Zend certification. A common straw man is to say the indicator alone proves nothing. In this particular case, Hasin's initial comments are strong enough that this argument is understandable, but he later clarifies. Another illogical argument is that we can't possibly know the creator of everything we use. (Examples include the internal combustion engine, the toaster, fire, and the wheel.) Hasin's comments aren't directed at those who use PHP tangentially; he is seeking those for whom PHP is a core competency.

Personally, I look for people who are passionate about what they do, because I want to surround myself with others who enjoy coming to work as much as I do. Knowing Rasmus created PHP doesn't prove passion, but it does make sense to use this as an indicator. I have never asked this question in an interview and probably never will, but I suspect everyone I have hired knows the answer. The real question is whether it's valuable enough to justify asking in an interview. I'm pretty sure there are better questions.

Aside from standard technical questions, what do you do to evaluate candidates? Is there anything you've found to be especially helpful?

OpenID with myVidoop

I like OpenID. I've been an avid user (and consumer) of OpenID for well over a year now, but I've only recently found time to explore Vidoop, whose self-described mission is one username, no password.

I keep meaning to write a more general post about OpenID, but this is what's on my mind at the moment. (Sorry for posting out of order.) In the meantime, you can watch Simon Willison's video tutorial for a good introduction.

You can learn more about Vidoop on their web site, but if you like to learn by example, I recommend registering for a myVidoop account. (They get extra credit for dropping the superfluous www subdomain and using a secure connection.) When registering, you choose three categories for your Image Shield, a grid of images that looks something like this:

An Example Vidoop Image Shield

The Image Shield is what replaces the need for a password, or more precisely, it's an innovative way to give you a one-time password. Each time you log in, you're presented with a completely new Image Shield, and among the images are going to be three that match your three previously-chosen categories. For example, if the categories you choose are cars, cats, and boats, then your one-time password is opu according to the above Image Shield. (Note the letters on each image.)

This is worth explaining in more detail, because it's the primary differentiator, and there's a bit more to it. (This innovation is what compelled me to explore myVidoop, now my primary OpenID provider.) Alone, the Image Shield is convenient but otherwise unimpressive. However, you can only log in from an activated browser. Browser activation is what qualifies myVidoop's authentication as two-factor authentication, because it uses an alternative communication medium that you choose when registering. If you choose text messaging and try to log in from an unactivated browser, you see something like this:

Logging In with an Unauthenticated Browser

In many ways, browser authentication is equivalent to a traditional authentication system that uses a username and password, with two important differences:

  • Instead of providing a username and password, you provide an activation code that is sent to you using an alternative form of communication. (In other words, not the web site.) This protects you against security problems in the web site, because a successful attack must exploit multiple mediums.
  • Instead of being considered logged in, you're simply allowed an opportunity to log in via the Image Shield. Thus, the Image Shield is an additional security measure that is traditionally absent.

This might sound like a lot of trouble, but browser activation is very long-lived, so logging in via the Image Shield is what you'll be doing most of the time. The Image Shield is a last line of defense that happens to be pretty good, so even if someone steals your computer, there's still hope. You can even log in and deactivate a browser, but of course you'll have to activate another browser first. Try to make sure someone can't easily steal both your computer and your phone. :-)

If you want to try myVidoop as your OpenID provider, you can either use the OpenID myVidoop provides (mine is shiflett.myvidoop.com), or delegate your own as I do with shiflett.org:

<link rel="openid2.provider" href="https://myvidoop.com/openid" />
<link rel="openid.server" href="https://myvidoop.com/openid" />
<link rel="openid2.local_id" href="http://shiflett.myvidoop.com/" />
<link rel="openid.delegate" href="http://shiflett.myvidoop.com/" />

You can view the source of this page to see this in context. Be sure to replace shiflett with your own username, unless you can authenticate as me. :-) You can try your OpenID by leaving a comment below.

I've also been enjoying the myVidoop Plugin, a Firefox extension that replaces the login manager. The biggest advantage is that I'm able to decide whether to remember a password after observing the next page to see if I remembered it correctly myself. :-) The biggest disadvantage is that the extension does not support HTTP auth, and because it disables the login manager, there's actually no way for Firefox to remember HTTP auth credentials. I really hope this gets fixed, because it's a huge problem for anyone that has to deal with HTTP auth on a daily basis. (I do.)

If you use Twitter like I do, you can follow Vidoop there. Unlike Pandora, the Vidoop bio doesn't mention who is responsible, but whoever it is responds to feedback, which is a plus. For example, I asked about the lack of HTTP auth support and received a prompt response:

When the myVidoop plugin is added we disable the Firefox login manager (else you would get multiple 'remember this' prompts)

This didn't exactly answer my question, but I asked a more direct question and got a more direct answer.

It's nice to be able to provide feedback so easily, and it's even nicer to have your feedback acknowledged. With any luck, the HTTP auth issue will be addressed at some point, so I can complain about less important things. :-)

I may write more about myVidoop in the future, because there are a number of features I haven't mentioned. If it sounds interesting, I encourage you to give it a go and tell me what you think. (You can tell them, too, by emailing myvidoop-fb@vidoop.com or using Twitter. I'm sure they'd appreciate it.)