Jon Tan's Profile

About Me: Former journeyman in the guild of Indian Ocean octopus fishermen and lifelong Lego fanboy. Oh, and I sometimes try and design things to make them better via Grow Collective, in Bristol, UK.

Last 10 Comments

1

Thanks for posting this Chris. The only thing stopping a typophile like me using it is that lack of a Safari plugin (hint, hint, guys). :)

Posted in /blog/2008/may/openid-with-myvidoop.

Wed, 07 May 2008 at 16:02:35


2

In principle, Chris' analysis is right. It's important to separate the UX issue from the outright security ones. Leaving URLs, and other possible development flaws aside, the issue that initially emerged here is one of user experience, or user expectations.

The definitions of security and privacy as Don has described are not necessarily congruent with the understanding of users. Add to that what seems like a genuine desire to give users finely granulated control over their content, and what you end up with is a degree of confusion. If that confusion leads to users choosing privacy/security settings that they didn't intend, it is a UX issue.

Without delving further into the checks and balances within the interface, it's impossible to say how secure the user experience is. However, even with the extra form labels, there is obviously an issue of clarity, and perhaps one of decision validation. User testing would provide empirical evidence of any flaws, and allow better design decisions. If the finely granulated settings need to persist, then my recommendation would be revisiting a user-centred design process as well as fixing the entirely separate programmatic security problems, if they exist.

If nothing else, this example serves to demonstrate that user experience design is critical to security when users gate keep their own content.

Posted in /blog/2008/jan/security-and-user-experience.

Tue, 05 Feb 2008 at 07:13:22


3

Nick, not only are you dead wrong, but your comment was also rude.

...half-assed reliance-on-authority screed

See my point? Chris was exploring Tim O'Reilly's idea of the Web as OS, quoting the Unix philosophy, then citing and linking to the same. He did a pretty good job of provoking some interesting thoughts, too. Was the entry really a screed? It is neither long, monotonous, nor ranting. Did you actually read it? I ask because you seem really quick to judge, and have done so with complete inaccuracy.

Posted in /blog/2007/oct/the-internet-is-the-new-unix.

Wed, 24 Oct 2007 at 01:52:21


4

The barrier to usage is just memorization...

Michael, I think that, in a way, that proves my point. Great user experience is about learning by exploration and play and minimizing the learning curve. This is at the core of the best Web applications today. I'm not sure if UNIX lends itself to that.

To use "UBIX" :), all a person need memorize is how to push a few keys, hit enter and use a mouse. Trial and error takes over from that point and, most of all, it's (hopefully) designed to be fun. Is that true for UNIX?

For me, one of the missing pieces of the Web as OS is related to Nate's comment: privacy, but also intellectual property. Amongst the score of user accounts, different data types and applications people use, there is not a single simple way of managing the data, or porting it. I think that personal domain applications with high quality GUIs to manage the data, and open data formats to port it, are the future.

This also seems consistent with the Web of All Things that the W3C are working towards. As a consequence, I wonder how Yahoo, Amazon or Facebook would adapt to people owning and managing their own data, on their own domain, and porting it to applications to use available tools as they see fit? Be fun to find out.

Posted in /blog/2007/oct/the-internet-is-the-new-unix.

Tue, 23 Oct 2007 at 07:57:26


5

I think I spot a straw man from Valenz. My logic identifier is overclocking today. :)

Chris, I agree, and not least of all because doing a few things well is much better than doing a lot of things poorly. However, UNIX is not a friendly place unless you've leaped over the high barrier to technical enlightenment. Maybe another way of looking at it is that the Internet is evolving into everyperson's UNIX. No longer the platform of the technically erudite; a ubiquitous OS: UBIX!

Posted in /blog/2007/oct/the-internet-is-the-new-unix.

Tue, 23 Oct 2007 at 03:36:15


6

Good to hear from Alex how much work the guys are putting in. Immediacy is not so important to me, so the intermittent update lag to my phone in the UK is not an issue.

What I value above all else are the glimpses into friends' lives that I would not ordinarily have. Twitter can paint great pictures in my head, and with a little selective friends management, delivers signal rather than noise almost all of the time.

It's coming to replace IM as the primary method of staying in touch over distance because of the passive, unobtrusive experience, so the IRC analogy seems spot on, Chris.

Picture messaging a la Yappd would be welcome for my purposes; then I wouldn't have to type at all, just point, click and push. :)

Posted in /blog/2007/oct/i-almost-get-twitter.

Tue, 16 Oct 2007 at 05:06:50


7

The linked pictures are fantastic, Chris. The history is priceless and Theo's post was emotive. May the best of the past be the worst of the future. Congratulations!

Posted in /blog/2007/sep/omniti-turns-10.

Fri, 28 Sep 2007 at 17:03:03


8

Thanks for the mention, Chris; the WebAppSec Crowd were great fun to do. In fact, Wes' zombie would make good material for another character: Pre-Red Bull Man. :)

Posted in /blog/2007/sep/php-works-recap.

Tue, 18 Sep 2007 at 17:07:30


9

And lo, in his thirty-something year on the blue ball, in the season of winds, the tangerine, the gibbins and the shiflett had a pint or FOWA.

Looking forward to it, mate. Thanks for the birthday wishes!

Posted in /blog/2007/aug/upcoming-conferences.

Mon, 03 Sep 2007 at 01:04:07


10

...you should explicitly set the charset in the Content-Type header and specify the same charset in htmlentities()/htmlspecialchars().

Thanks Ben. Display of multibyte characters, or the possibility of that being required, is exactly why I always set UTF-8 by default. In fact, until I read this article from Chris I wasn't aware of any other implications. It would feel less than thorough not to be explicit, and it's good to know that being explicit is useful regarding XSS too.

Posted in /blog/2007/may/character-encoding-and-xss.

Sat, 16 Jun 2007 at 06:59:18


Stats

  • Member Since: 25 Oct 2006
  • Comments: 21

Web Site

jontangerine.com

Blog Posts

Coming soon!