20 Feb: OAuth is destined to fail

Over the past couple of years, a small but dedicated group of developers has been pushing a new technique for authenticating users called OAuth. While it has some benefits, its limitations are crippling.

The goal of OAuth is to create a more secure authentication system by limiting who has access to your username and password. By authenticating with a system external to your application, the idea is that your data is more secure. Unfortunately, OAuth was clearly developed without much regard for real-world problems. Here are a few reasons why OAuth is destined to fail:

  1. Horrible User Experience - In a world where doing something as simple as changing a font or button color can create noticeable changes in user behavior, asking a user to jump over the hurdles required by OAuth is just unrealistic. For web apps, it adds multiple steps to the authentication process and the experience is even worse for desktop apps. The experience also closely resembles the phishing sites that we desperately warn our non-tech friends to watch out for. Also, keep in mind that the applications that people consider most secure (online banking, tax software, email, etc.) NEVER redirect the user to a different site to enter login info.
  2. No Consideration for Desktop Applications - While web-based apps are growing in popularity, desktop apps still dominate in most industries. The OAuth experience is completely focused on web applications. Whether it’s an app on your home PC or an app on your iPhone, the OAuth experience sucks.
  3. OAuth is far from perfect - An ambitious hacker can get information via OAuth without much more effort than other authentication methods. There’s nothing to stop an application from collecting additional data in the background without your knowledge after you’ve logged in. There’s also nothing to prevent an attack against, or a data breach at, the OAuth provider.
  4. It takes power from vendors, but not from hackers - The main goal of OAuth is to prevent nefarious people from having your precious login credentials. However, most OAuth providers still transmit your credentials over an insecure connection. So, rather than having my app send your credentials via Basic Auth, the browser sends them via an HTTP POST. In the end, the chances of a request being intercepted from a browser or an app are about the same.

While I completely understand the concept behind OAuth, it’s just never going to catch on. There is no such thing as a 100% secure system and there are plenty of approaches that are just as secure as OAuth. In the end, OAuth doesn’t solve any real security problems and shifts a lot of work onto developers. I don’t mind putting in the extra work, but OAuth is replacing a few lines of code with 1MB of DLLs and a bunch of UX headaches for an illusion of security.

23 Jan: What Trophy?

One of the most common complaints about Generation Y is the “Everybody gets a Trophy” ideal. There have been dozens of articles and even an entire book dedicated to this and how to train us Generation Y kids to just drop it and behave like good cubicle monkeys should.

There are 2 things that are generally considered part of this trophy idea. The first is that everybody deserves a reward, even if they fail. The second is that every minor success should be rewarded. Based on the opinions of older generations on the web and in print, these are both ideals that every member of Gen Y holds dear. However, a lot of this is based on a misinterpretation of what’s really going on in our heads and I’ve found that many of us only believe the second part.

Nobody likes the Participant ribbon.

Let’s tackle the idea that even failure deserves a reward. Of the people I surveyed, most addressed this. Of the people surveyed, all of them felt that this was inaccurate. I think the idea started because of how my generation was treated in elementary school. In just about every competition, everybody who participates gets some sort of reward. This has clearly led my generation to accept and even embrace failure, right? The people I surveyed disagree; here are a few of their responses:

“Boy Scouts, Marching Band, Tae Kwon Do and Academic Decathlon all had a lot of competition in them and they had clear winners and losers. Games where everybody wins were usually the province of corny church youth group games and were the butt of jokes among my friends and me.”

Jason W, Pembroke, NH

“… At sports tournaments, my brothers and I would sometimes receive trophies even for placing in last. My parents were proud of us and put it with our other awards. However, my brothers and I treated them more like a daily reminder of our failure and it drove us to work harder.”

Anonymous

There were a variety of similar responses, but I think these two represent the ideas shared by all. We’ve never viewed rewards for failure as a good thing. I never took home a “participant” ribbon and showed it off to my friends and family. That being said, I think that many companies are far too concerned with failure and fear of failure can cripple a team. Innovation and creativity are rarely the result of continuous success.

Failure is unavoidable. Many of the companies founded by Gen Y are successful because they recognize small failures as necessary steps in the process of innovation.

Rewarding Success is a Good Thing

The other part of this Trophy idea is that Gen Y expects rewards for small successes. I would agree with this 100% and most of the people surveyed agree too.

The general consensus amongst my fellow Gen Y members is that the current corporate culture favors job title and longevity over productivity. I’ve been in many situations where I’ve put in extra hours, travelled over holidays and gone above and beyond only to see a manager get a pat on the back. In one case, my supervisor didn’t even know why he was being congratulated. While this instance is rather anecdotal, nobody can argue against the obscene bonuses executives have received while the companies they run fall apart and destroy our economy. What company do you think would be more successful, the one that rewards the extra effort of individuals or the one that provides a fat bonus for executives?

The issue I have with this aversion to recognizing success is that in most cases it’s very simple and cheap to do. I don’t expect a huge bonus for doing my job, but when my team puts in extra hours every night for a week, maybe a lunch is in order or possibly even just an email saying thanks. Why would having a group of young, ambitious professionals who are easily motivated by small rewards and recognition be a bad thing? I would think that having employees who will work extra hours for a nicer desk chair or bagels once a week would be a C-level executive’s wet dream.

[FYI, for those who doubt Gen Y employees can be motivated by weekly bagels and the occasional beer, take a look at one of my former employers, CustomScoop. When a company with fewer than 20 people is building better products than Google, you know they’re doing something right.]

Summary

Overall, the feeling in the survey could be summarized in the following points:

  • We don’t expect rewards for failure.
  • We will be rightfully upset when others are credited for our hard work.
  • Not every reward has to be cash; a thank-you or kind gesture is often more meaningful.

To wrap up, here are a few more quotes:

“Failure is much more important than success and I do not want trophies that I do not earn.”

Matt G, Senior Public Affairs Analyst - Washington DC

“I want recognition, but not necessarily a trophy… I don’t see this as a negative because it just motivates me to strive to do more good.”

Kelley Muir, Manchester, NH

“Actually it really annoys me when people feel like they should be treated like special snowflakes because they exist.”

Courtney, Attorney, Concord, NH

“That is not the way I was raised. In rec soccer, I was terrible, and knew I didn’t deserve a trophy. To this day, I haven’t seen a good argument for rewarding poor performance.”

Anonymous

18 Jan: I’m a Piehead

As just about anybody who reads this blog knows, I was laid off in September of last year. While the layoff wasn’t a big surprise, it was sudden and left me in a tough spot. For a while I was hoping to make a move to Redmond to go work at Microsoft, but it just wasn’t in the cards. After about 4 months of freelancing, contract work, odd jobs and a few hundred hours playing Rock Band, I’ve taken a full-time position at Piehead Productions.

Why Piehead?

A lot of people have asked why I chose Piehead, mostly because I have expressed a lot of interest in moving away from web agencies and also because I’ve got some sort of connection with just about every agency in the state. In the end, there were a few reasons I chose Piehead. So, here they are:

  1. I’ve known a few of the people at Piehead, Jeremy and Clint, for a few years and have done some work with them in the past.
  2. Piehead is new to the web development scene, but financially stable. This provides a unique opportunity to be part of the technical decisions that shape the company without the fear of getting laid off again.
  3. I can telecommute a fair amount, giving me the opportunity to work from the Sunder Fortress of Awesomeness.
  4. Quite possibly most important is that Piehead supports my ambitious side. Some past companies have frowned on my open source work or felt that being an active member of the geek community was a waste of time. Piehead understands the value of having community leaders at the company and has been encouraging of my after-hours geekiness.

What will happen to Sunder?

Have no fear about Sunder Media. Since January, Kelley has been the largest contributor and done the majority of the work. While Sunder has always been a side-project for me, Kelley has turned it into a functioning and profitable entity. I will still be doing some after-hours work for Sunder as needed, but rest assured that there will be no major changes for existing Sunder clients. As always, Sunder will be happy to help small businesses that can’t afford a big agency or projects that are too weird and/or risky for more traditional web shops to handle.

One More Thing

On a slightly related topic, I will no longer be leading/contributing to the AmpForms project. It was a fun way for me to get into open source and learn some new techniques, but it has not really gained a following or much interest. I’m planning to shift my free time to working on the Orchard project. Orchard looks to be a tool that Piehead will be able to use on a variety of projects and allows me to put my CMS background to use.

In Closing

Thanks to all of my family, friends and colleagues who’ve helped me out over the past few months. It’s been tough, but thanks to groups like BarCampManchester and Geek Lunch, I’ve always had a good professional support network. Finally, a big thanks to my wonderful wife Kelley for putting up with my grumpiness and supporting my fake plastic rock habit.

12 Jan: Gen Y Talks About Gen Y

Over the past 2 years, there have been a boatload of articles, posts, books and informative pamphlets about Generation Y. Most of them have either focused on “dealing” with us or how wrong we are. Every time I’ve read one of these, I’ve felt like it was written about somebody else. The facts have been accurate, but the conclusions drawn have been way off base.

Rather than assume I was some strange anomaly, I put the word out on Twitter to see if my fellow Generation Y friends would be interested in answering some questions. I received 14 responses to the following questions:

  1. In what year were you born?
  2. Are you well employed, underemployed or unemployed?
  3. How would you like to be identified in the post?
  4. Would you consider yourself Civic minded?
  5. Do you believe that the US government is effectively representing the US people?
  6. A common stated trait of Generation Y is the “Everybody Gets a Trophy” philosophy. Do you think this applies to you and is it a good thing?
  7. As employees, Generation Y often chooses jobs that provide opportunities for growth over jobs that provide purely financial rewards. Would you agree? Has this influenced your career decisions?
  8. Are you comfortable sharing personal information publicly or with people within internet-based communities? Do you feel that you are more open about your opinions and personal life than previous generations?
  9. Do you assertively seek more feedback, responsibility, and involvement in decision making in your career? Would you rather have feedback on a frequent informal basis or within a formal review structure?

The best part of the responses is that they are surprisingly diverse given the small sample size. The respondents included almost the entire age range of the generation, included a range of political affiliations and included an almost even gender balance. The surprise is that every question has at least 9 similar answers and 1 question was unanimous.

My original plan was to write a single post covering all of the results, but my new plan is to write several posts focusing on specific topics. Stay tuned for the results and analysis. I will probably tackle #5 or #6 first.

04 Dec: Effectively Eliminating IE6

It’s no secret that IE6 is the nemesis of pretty much every web developer or designer on the planet. Its CSS support is garbage, its JavaScript performance and support are just as bad, and it’s got a boatload of security flaws. In general, it’s everything you’d expect from a browser that was released years before Firefox and Safari hit the market. Normally a piece of software as outdated and maligned as IE6 is phased out quickly. However, IE6 continues to hang on.

While there are many anti-IE movements, most of them have an overly aggressive and often juvenile approach to the problem. A quick look at current browser usage statistics shows that this isn’t working. In many cases, these groups are just preaching to the choir and rarely make a solid case for those entrenched in IE6.

Who Uses IE Anyway?

While using a modern browser is an obvious choice for most tech savvy individuals, for many IE6 users upgrading becomes a cost-benefit analysis. The vast majority of sites on the internet still support IE6, so there isn’t a huge drawback for many users. They don’t care about CSS support because the sites still render correctly and performance is still rarely an issue for most sites. Also consider that there are a rather large number of older applications that rely on IE6’s broken rendering. Combine these together and you get a large number of corporate IT departments that are facing a huge cost to upgrade older software with a minimal benefit to their organizations.

How to Kill IE6

The biggest thing that our industry can do to eliminate IE6 is to stop supporting it. While some major sites like YouTube and Digg have already started pulling support, these aren’t likely the sites that employees at big corporations are visiting at work. If Salesforce and Constant Contact dropped IE6 support, I wouldn’t be surprised to see a huge drop in IE6 usage almost overnight. Unfortunately, we can’t really expect these big business companies to take the risk. Hell, even 37signals still supports IE6 for their apps and they’ve been some of the most vocal Microsoft haters out there.

The next thing that we can do as web professionals is to make sure our clients are aware of IE6 problems. In general, I would recommend avoiding discussion about CSS and instead focusing on security issues. Most clients would view CSS rendering as a tech problem and point to other sites that work fine in IE6. However, there is a huge amount of literature around regarding IE6 security flaws. Remind them that while they likely aren’t legally responsible for security flaws in their users’ browsers, people are quick to blame any issues on the site they’re visiting rather than their own browser. Finally, if you’re building a site that needs to be secure, consider creating a waiver of liability for issues caused by IE6 security flaws. In most cases you wouldn’t be liable anyway, but having a document that clients sign helps it sink in that this is a real concern.

The last thing, and the one I will most likely get crap for, is to recommend upgrades to IE8. I know that things would be much easier if everybody was using Webkit and Gecko browsers, but requesting that users switch “brands” often comes across as a sales pitch. If you’re really dead-set against all IE versions, at least take the time to explain how Firefox or Chrome is better. I frequently hear developers say things like “It’s just better, trust me”, but this doesn’t really provide a compelling argument to users. Tell somebody that new browsers can use transparent pngs, and they won’t care; tell them their credit card number could be ganked and they’ll be more likely to pay attention. It’s about finding the issues that are relevant to your clients and users, even if they aren’t the issues that are relevant to you.

How not to Kill IE6

Don’t expect Microsoft to make IE6 magically disappear. For the most part, everybody at Microsoft hates IE6 as much as the rest of us, but their hands are essentially tied. They can’t force people to upgrade any more than I can randomly upgrade old client sites from PHP4 to PHP5. Most of the companies hung up on IE6 pay for some other software from Microsoft. You can’t really expect any company to risk losing paying customers by forcing them to upgrade a free product. Even with that in mind, Microsoft has had newer versions of IE listed as critical updates for years, so I doubt most IT departments really care what Microsoft says.

Don’t forget to be an adult. If you make a huge deal about spending 2 hours fixing a CSS glitch, people will just think you’re whining. Our clients and users don’t understand the issues and likely won’t be receptive to hyperbolic statements about how much time you spend fixing IE6 issues. Present your case in a professional manner and people will respect your opinion.

Feel free to post any other ideas on how to effectively eliminate IE6 in the comments.
