Twitter is wrong: it should not drop HTTPS Basic Auth

As some of you might know, I write a µ-blogging tool called elmdentica. It is a client-side application developed with Elementary, an EFL library oriented towards small touchscreen interfaces. I only recently learned that Twitter is dropping Basic Authentication support on June 30th. They claim it’s insecure because:

  1. with HTTP, credentials go in the clear (no disagreement here)
  2. with HTTPS, some people may think it’s too expensive (only complete idiots)
  3. applications have to store user credentials locally

As an alternative, they are making oauth mandatory for APIs that need authentication. While their reasoning may make sense in the context of massively concentrated web applications (think Twitpic and similar services), this is absurd for client applications like those running on your cell phone or computer.

Let’s take a look at the problem…

oauth gives you a consumer key and a consumer secret that authenticate your application. They don’t authenticate the user; they prove to Twitter that you’re a legitimate and registered application.

If both key and secret became public, anyone could make an application pretending to be yours. While someone making a clone of your program isn’t a real problem, if someone writes a trojan horse… then there could be a problem, no?

Well, with oauth, both key and secret need to be known by the application at run time. So at any given moment, the computer running your application will hold these two important assets, either because they are embedded in your code, or because you download them live from a site. The fact remains: for all practical purposes they are no longer secrets.

In a web application, the only running copy of the software holding both key and secret sits on a server no user can access, so oauth works there.
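To make the point concrete, here is the OAuth 1.0a HMAC-SHA1 signing step a client has to perform on every authenticated request (RFC 5849). This is an added illustration, not elmdentica’s code, and the key, secrets, token, nonce and URL are constructed placeholders: the consumer secret is an input to the HMAC, so whatever machine produces the signature necessarily holds it.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote, urlsplit

# Constructed placeholders: none of these values belong to a real application or service.
CONSUMER_KEY = "elmdentica-demo-key"
CONSUMER_SECRET = "demo-consumer-secret"
TOKEN_SECRET = "demo-token-secret"
UPDATE_URL = "https://example.com/api/statuses/update.json"


def percent_encode(value):
    # RFC 5849 section 3.6: only unreserved characters stay as they are.
    return quote(str(value), safe="-._~")


def signature_base_string(method, url, params):
    # Normalized request that both the client and the verifying server hash.
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), percent_encode(base_url), percent_encode(normalized)])


def sign(method, url, params, consumer_secret, token_secret=""):
    # The HMAC key is built from BOTH secrets, so the signer must have them in memory.
    key = percent_encode(consumer_secret) + "&" + percent_encode(token_secret)
    base = signature_base_string(method, url, params).encode()
    return base64.b64encode(hmac.new(key.encode(), base, hashlib.sha1).digest()).decode()


def verify(method, url, params, presented, consumer_secret, token_secret=""):
    # Server side: recompute from its own copy of the secrets and compare in constant time.
    expected = sign(method, url, params, consumer_secret, token_secret)
    return hmac.compare_digest(expected, presented)


def demo_params(status="hello world"):
    # Parameters a client would send; nonce and timestamp are fixed here for reproducibility.
    return {
        "oauth_consumer_key": CONSUMER_KEY,
        "oauth_nonce": "abc123",
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": "1277000000",
        "oauth_token": "demo-access-token",
        "oauth_version": "1.0",
        "status": status,
    }


if __name__ == "__main__":
    params = demo_params()
    sig = sign("POST", UPDATE_URL, params, CONSUMER_SECRET, TOKEN_SECRET)
    print(signature_base_string("POST", UPDATE_URL, params))
    print("signature:", sig)
    # A copy of the client without the real consumer secret cannot produce an accepted signature.
    bad = sign("POST", UPDATE_URL, params, "guess", TOKEN_SECRET)
    print("wrong secret accepted:", verify("POST", UPDATE_URL, params, bad, CONSUMER_SECRET, TOKEN_SECRET))
```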

What about xauth?

I haven’t read much about xauth, but after reading this page explaining what xauth is, I’m absolutely convinced the problem remains and wasn’t even tackled. The only issue that was solved, by requesting a user’s login and password only once, without the need for local storage or visiting a web page, was a usability issue for client applications.

The real problem is still there, so Twitter is wrong and should not drop Basic Authentication from the https interface.

If they do, elmdentica will very likely not work on Twitter anymore. I don’t care much about that, but the users of elmdentica may care. That pisses me off.

What now?

Fortunately, if you value software freedom, there is a better alternative to Twitter called identi.ca. Beyond just using it, you can have your own “Twitter” by installing the Free Software that runs identi.ca, which is StatusNet.

At least they have no plans of dropping Basic Authentication. Hurrah!

Yes, it’s you. But only you…

I posted the following as a comment on the blog of some guy who claims he’s parting with the FSF because of their “hate speech”. I found it so ridiculous that I commented, but later on thought I should actually make it a blog post. So here it is:

«If you want people to adapt your ideals or products you gotta show them why they are better than what they have been using: Tell them about the brilliant things they get when they use your stuff, tell them about new possibilities»

They do just that. When you claim such a thing, I can only guess you never ever heard or read one of Richard Stallman’s speeches.

Campaigns like DefectiveByDesign or Windows7Sins are *very* small things compared to the rest.

That you base your position on them rather than on the whole, and thereby demonstrate that you missed the point of software freedom, really reveals that you don’t give a damn about your community’s software freedom.

You just want, like a spoiled child, to run all the software you want at your will, regardless of whether you’re infringing the law.

Want proof? Nothing easier… I’ll just take your own words:

«The FSF should focus on outlining what positive things a new user gets from FLOSS: Tell people about VLC that allows them to play basically every type of media without hassle»

Well, this is false. Many types of media supported by VLC are encumbered by software patents. In the USA, in particular, doing what you “preach” could become a very concrete and real legal liability: they could be accused of enticing people to break the law.

Is that what you think the FSF should be doing? Really? Or you just never sat and thought things through?

OMNewRotate 0.5.8 is out!

I’ve just released omnewrotate 0.5.8, which integrates Tim Abell’s improvements to rotation sensitivity. I’ve also added some code so it is smarter about detecting the paths for setting the brightness level while rotating, which changed in more recent Linux kernels (2.6.32 and beyond, I think).

As I’m running SHR-Unstable, your mileage may vary but it’s likely it will work 🙂

As usual, the download links are at the project’s Google Code site for omnewrotate (see the featured downloads section):

SHR-Unstable users should only need to upgrade (later today, or in a day or so).

Enjoy!

OMNewRotate 0.5.7 is out!

After about 11 months since the previous release, I’ve just released omnewrotate 0.5.7 (after the short-lived 0.5.5 and 0.5.6, as I found a dangling patch in SHR-Unstable’s recipe and made a mistake in the 0.5.6 release), which integrates Tim Abell’s init script change and the aforementioned patch.

As I’m running SHR-Unstable, your mileage may vary but it’s likely it will work 🙂

As usual, the download links are at the project’s Google Code site for omnewrotate (see the featured downloads section):

Enjoy!

FOSDEM 2010

As usual, the weekend at FOSDEM is awesome. It all started on the previous Wednesday as I flew from the day job towards Brussels. Still nobody I knew there, so I basically went straight to bed.

The adventure started at the capacity event conference organized by EDRi at the European Parliament. I very much enjoyed finally meeting some people I only knew online, some of them for quite a few years.

The theme was, of course, digital rights in Europe. ACTA is some scary shit, not so much because of the undemocratic secrecy, but because of the few contents that have spilled out, like three strikes to take you off the Internet, criminal offences for copyright, trademark and patent infringement, etc. No wonder the European Commission representatives claim ACTA will not change European law. I mean… just add up the EUCD, IPRED1, the Data Retention Directive, eventually IPRED2 and other trade agreements that are happening; by the time ACTA comes up, all the scary military-state-like laws will already be in place.

So it’s true, it won’t change, because the change is happening before ACTA comes to be. Fait accompli!

More about this theme at a later posting, reflecting my summary of the event. Get ready for the real life pirates who are threatening our digital rights.

It was almost midnight when I learned that a good friend I was expecting to meet again was getting married the following morning, so I had to join @jwildeboer (who had just flown in) for one celebratory drink, which ended up with a few hours of a very interesting talk with @kanarip. He’s an amazingly interesting no-bull-shit guy, if you ever meet one. Respect!

Unfortunately I had to cut the event short and missed the last quarter, Friday afternoon, to join an OpenForum Europe meeting. At some point the warm fuzzy feeling of a family getting together was felt in the room 🙂

After that, dinner with more interesting people. Some came from the EDRi event, some from the OFE meeting, and one (@webmink, whom I felt very honoured to have personally met) was already waiting for us at Le Roi before dinner. Let me tell you, before eating at the place Simon took us, the Roue D’Or at Rue des Chapeliers, I thought there was no decent food in Brussels (even if you have to be a bit of a masochist about the service).

After that, realizing that the FOSDEM #googlebeer event at the Delirium was so packed it was impossible to stay there, Mark Taylor joined us as we moved to A La Morte Subite for a drink with some Java developers.

Next morning, FOSDEM. Met @stephwer and Jan for breakfast then came back for a couple of talks before meeting up with more people I haven’t seen for a while, like @zoobab who was kind enough to host me last year, and some of the great guys from Tux Brain, who buzz fixed my OpenMoko (and David Samblas posted a lot of pictures).

Then we left early for #statuscheck, the Identi.ca meetup at A La Morte Subite. Finally met @evan, the founder of Status.Net (formerly Laconi.ca), the Free Software behind Identi.ca (it’s like Twitter but with the cool people), fellow OpenMoko user @pieterc, and some awesome guys like @rejon, @gbraad, @blizzard (whose beard is not at all nearly as black as his avatar’s) and all the others at the table:

#statuscheck meet up

@bugabundo (who could not go), asked me to send @evan a hug, here’s the evidence (thanks to @pieterc):

Hugging @evan

After #statuscheck, I joined @webmink and a friend of his for dinner at Roue D’Or again (yum, yum), and then we joined a couple of Mozilla people, namely Patrick Flich, who together with @webmink and I stayed up until we were expelled from a bar that wanted to close down. Good excuse for going to bed 🙂

The day after I had to do some chocolate shopping before FOSDEM, so I missed half the OpenMoko talks at the devroom. Still… I arrived in time to meet heinervdm, mickeyl and GNUtoo.

Then I met @alxc from April, @floschi from LiMuX and attended @rejon’s and @vegyraupe’s Ben Nanonote talk. A very interesting and promising device; I hope it’s successful enough to launch Qi Hardware into a bright future. Check it out! Now!

Then I had to get back straight to the hotel, as I was going to wake up at 4am in order to get back to Portugal, straight to my day job. It was like waking up from a dream.

I wish it were FOSDEM all year long 🙂

ElmDentica 0.8.0 is out!

Screenshot of account editor at the settings window.

Hi,

I’ve just released ElmDentica 0.8.0 with somewhat more polished screens and exciting new features:

  • you can have more than one account, and if you have many accounts, you can quickly enable or disable just a few of them.
  • you have a messages and posts cache (although the latter is still incomplete)

So there you go, download if you’re too impatient to wait for SHR-unstable to update 🙂

ElmDentica 0.7.0 is out!

Screenshot of release 0.7.0
Press a bubble for about 1s and magic action possibilities will show up.

Hi everyone! ElmDentica hasn’t had a new release for a while (*cough*cough* proving it works so well *cough*cough*), so I thought I should share with you the new stuff in the development of this release.

The news is:

  • Replacement of the side buttons by hovers fired up by pressing for about 1s on the bubble
  • Usage of inwins for entering user and domain data in the settings window
  • Usage of hoversel to gain a bit more space on the toolbar, especially for future features

So that’s about it… you can get the package from the usual places: the project’s website, by upgrading shr-unstable (it upgrades elmdentica on the next autobuild), building it yourself, etc…

Nokia’s Free Software bullshit and insults in Maemo

Remember when Nokia wanted to give a lesson regarding software patents to Free Software people? Like «they’re ‘m’kay? We know best, m’kay?»

Well, I was really anxious about the Nokia N900, the 4th Nokia GNU/Linux internet device, which now has the ability to make phone calls! It’s an impressive device… cell phone (3G, yay), camera with enough resolution, GPS, wifi, decent graphics card, powerful processor, a half-decent amount of memory, more than decent storage, etc…

It is also being branded as so “open” that software freedom lovers would love it. This seemed like really good news, no? Well, like the saying goes… when it’s too good to be true… it most probably ain’t.

I tried to figure out how “open” the device is, and wasn’t really happy. After more than 70 comments, Quim (who works at Nokia) spilled the beans:

Nobody claims Maemo is the 100% free mobile OS and the N900 is the 100% free mobile device. I claim it is currently the most interesting combination for a free software lover thanks to its standard Linux stack, possibility to modify the platform and access to the root. The % closed helps Nokia get a sustainable business model and reach consumer appeal.

Well, nice claim, but it is the idea that you (and Nokia) are selling. And worst of all, you seem to pretend that in 100% of an operating system, all percentages are of equal value. They’re not. The minimum percentage that is proprietary is essential for Nokia’s GNU/Linux devices to work. Take it away, and they won’t work, or might even burn in your pocket. Period.

If 100% freedom is your goal Maemo 5 and N900 is a good starting point.

No, it’s not. There’s better if you want 100% freedom: what OpenMoko started. The company may now only be selling Freerunners to resellers who want to keep on with the business, but there are new sources of hardware showing up (thanks go mainly to Jon ‘maddog’ Hall, who’s been in talks with the University of São Paulo, in Brazil), so no, the phone is not dead. It is actually growing a lot better and faster now that it’s free from the corporate strings of OpenMoko, which partly restricted the flow of things.

But I digress; let’s get back to Nokia and its bullshit and insults to the Free Software community (I say Free Software because I prefer to talk about freedom, but these insults and bullshit also apply to you, Open Source guys, so pay attention).

There’s a wiki page in Maemo explaining why there is some proprietary software. That page needs to go through the bullshit filter. Like I said in my comment, Nokia is far from being friendly to Free Software. They’re actually quite aggressive and strongly lobby for the legalization of software patents in Europe. Don’t be fooled by the sugar coating; they are not your friend. So what is in the wiki page after you pass it through the bullshit filter?

  • Brand: We think that “open source” reduces our brand value
  • Differentiation: Proprietary software is much better, just use it
  • Legacy: We don’t want to be shamed by the garbage we force-feed upon you
  • IPR & licensing issues: Software patents are good, just buy the freaking licenses from us.
  • Security: Since we sell dangerous products, we take your freedom away so you don’t make the mistake of getting proof they’re crap (like their batteries, whose limits the phones must know)
  • Third party: Just accept that we know best and choose from the best

While the “security” aspect could be of some value for some people, let me give you an example of how much crap it is:

Nokia’s batteries are dumb. So dumb, in fact, that their phones have to know which batteries they carry in order not to overcharge them.

What if the battery were smarter, and had a way to tell the operating system it’s full? If a little company like OpenMoko had it, why wouldn’t Nokia have it? It’s one of the most dangerous pieces of equipment in the phone, so I guess that’s what they refer to when they talk about security and some of the energy-related software is *closed*.

That’s evidence of crappy hardware.

Sorry, disappointing. Will wait for the competition unless this changes.

BTW, someone said that even OpenMoko has some proprietary software… well, as Mickey Lauer explained it:

«There’s a difference between closed firmware providing a standard protocol and a proprietary ASIC providing a closed-source binary driver using a proprietary command language to talk to the hardware.

None of the Nxx tablets are fully functional with free software. The FreeRunner is.»

Indeed it is!

root@om-gta02 ~ $ cat /proc/sys/kernel/tainted
0

So there you go! There’s much better, in terms of freedom, so don’t settle for less just because it’s fancier.

Demand more! It’s your right as a software user, and your power as a consumer.

Elmdentica release 0.6.0

ElmDentica (the Tuga release) is now translatable, and the first included localization is Portuguese (hence Tuga) 🙂

Elmdentica 0.6.0 in action (in Portuguese)

It will also now launch a browser if you confirm after pressing on a link. Right now, the browser is chosen in the following order:

  1. this version of woosh (sig), which I hacked to load URLs passed with the -u flag
  2. or midori
  3. or dillo
  4. or xdg-open

Download and enjoy:

Elmdentica release 0.5.1

Fixed some bugs, added a domain editor so you can add your own Laconi.ca installations or other µ-blog sites with a Twitter-like API, and now supports links in status messages (but does nothing at all with them yet: my favorite browser, woosh, doesn’t take URLs from the command line; I wonder if it has a way to do it).

Domains toolbar button

Have fun!