Ashok's dashboard

Ashok reported a problem in MetaBroadcast on October 07, 2009 16:29:

Security problem

There is a security bug in Amplus. I submitted details three days ago by email rather than exposing it here. The bug is still there and working, I just wanted to make sure you had seen that there is a problem.

Is there a better route to inform you of security bugs in future?

Ashok marked one of adrideo's replies in MetaBroadcast as useful. adrideo replied to the question "Possible to restrict OAuth permissions?".

Ashok replied on July 29, 2009 07:41 to the question "Possible to restrict OAuth permissions?" in MetaBroadcast:

Your choice, obviously.

Right now there's just no explanation on the amplus site saying why you are asking for posting permissions. That naturally makes me nervous when you do.

Ashok replied on July 29, 2009 07:26 to the question "Possible to restrict OAuth permissions?" in MetaBroadcast:

Since I re-auth most every time I return to the site, can you not keep the minimal permissions until you're really going to use them? When it does change, you could just (one-time) log people out who haven't given you so much power. Since I think I'd never want automated posting, I'd probably not use the service if you forced the choice.

I've seen a rash of little quizzes lately that post as the user, via OAuth or password; often enough the user is surprised by this. I happen to trust you not to post as me without saying so clearly, but right now there's a mismatch between your FAQ ('only when you ask us to') and the permissions you request. You're trustworthy, but you might look similar to some of the less trustworthy folk to a random person.

Ashok replied on July 19, 2009 04:52 to the problem "Twitter link should be over SSL" in MetaBroadcast:

Thanks for fixing that. The same is true, of course, for the twitter.com/?status=... link in the body of the page, or you land on an insecure login page when not logged in on the Twitter side.

It'd be great for Twitter to fix that too, but in the meantime there's no harm in consistently linking to the SSL version of the URI.

Ashok asked a question in MetaBroadcast on July 19, 2009 04:48:

Possible to restrict OAuth permissions?

I like that you say you won't send Twitter messages without my direct approval, but in that case wouldn't it be enough to just access, rather than access and update with the OAuth permissions?

Your FAQ: "We take you to twitter, propose a message, and then you can do what you want with it..." seems spot on, but that's just a link to ...?status=... on Twitter and needs no OAuth permissions.

Naturally, I'm quite a fan of the principle of least privilege.

Ashok shared an idea in MetaBroadcast on July 16, 2009 07:01:

Adding from pages with embedded video

Would it be possible to spot embedded videos in other people's pages. I appreciate it involves getting your hands dirty with random sites, but it seems quite odd that I can add a video when standing on the YouTube page, but not on a page where the only complex bit of markup is a single <embed>-code for a site like YouTube.

I expect I'd have a hard time explaining how to use it just now to someone who wasn't really quite familiar with how embedded video works.

Moreover, you could actually credit and link back to the page where the person found the video, if that's what the amplus user wanted.

For that matter, it would be nice, in a modern Web world to also pull out things like the <video> tag, which will naturally involve parsing the actual page.

Ashok reported a problem in MetaBroadcast on July 16, 2009 06:53:

Bookmarklet when not logged in

The page-flow when using the bookmarklet when not logged in is quite cumbersome.

I would prefer it if you offered the log-in link before offering the 'add to my channel' link, and then post log-in took me back to the page to add that video, rather than to the front of my channel, where I need to find the original window and run the bookmarklet a second time. The way you have it just now I end up with two extra windows.

Ashok replied on July 03, 2009 22:32 to the problem "Signing out broken?" in MetaBroadcast:

Would you consider disclosing the full details of the security bug, so that we can all both learn from the error and also keep an eye out for any possible re-emergence?

I hope that in future when you have security advice for users you will have a better way of passing it on to the actual people it affects, not just the people reading the bug-tracking site.

Ashok replied on July 03, 2009 10:10 to the problem "Signing out broken?" in MetaBroadcast:

Pleased you are working on this. In the meantime, if your advice is not to use it on shared computers it would be helpful to say that on the page itself, where the log in button is, rather than just over here.

Ashok reported a problem in MetaBroadcast on June 30, 2009 10:43:

Signing out broken?

When I press 'Sign out', then follow the 'Sign in with Twitter' link on the resulting page it just logs me back in with no user intervention. I tried logging out of Twitter to be sure that it wasn't because I had already blessed your site for OAuth and it did the same thing.

This is with Firefox 3.0.1 on GNU/Linux Ubuntu 8.04.

Ashok asked a question in MetaBroadcast on June 24, 2009 06:42:

Which URIs work?

I think 'which URIs work on the URIplay service' should be an FAQ on the site. Apologies if this is written somewhere that I failed to find.

In particular I thought that URIs like http://www.bbc.co.uk/programmes/b00lc71z used to work at some point, but I may be misremembering.

Ashok reported a problem in MetaBroadcast on June 20, 2009 14:19:

Twitter link should be over SSL

The link to Twitter goes to their plain HTTP site, where you are prompted for your credentials (if not yet logged in) which are then sent in clear over the network. Going to the SSL version of the same URI would be much better; I trust that's a very simple change.

Ashok replied on June 20, 2009 14:17 to the idea "Warn Amplus users if URIplay can't handle a video" in MetaBroadcast:

Even just a simple statement of what things do work in the page would be helpful.

Ashok reported a problem in MetaBroadcast on June 20, 2009 14:15:

Blank page for unhandled URI?

You get a blank page from the bookmarklet when you point it at: http://www.bbc.co.uk/programmes/b00l213q

I don't know if that's because URIplay doesn't handle it, or some other problem.

Ashok asked a question in MKE Computing Limited on April 14, 2009 13:44:

Custom 'URI' scheme?

Is it possible to link to the app from other iPhone apps or custom iPhone pages?

It would be really handy to be able to link to a pseudo-URI like freethepostcode:W1A+0AA in order to launch the app with that postcode filled in.

Obviously, it wouldn't make sense to link to it from the public Web, but I have a few pages where I know I'm accessing them from my iPhone, so a short route to adding the postcode would be really handy.

Ashok shared an idea in MKE Computing Limited on April 14, 2009 13:38:

Search contacts/address book

It'd be great to be able to search the local address book to find the postcode to submit.

It would make bulk additions a bit easier, by just making sure you've added the place to contacts before heading out. Ideally, I'd like to flag the contacts that are 'to do' too, or just find the ones that FreeThePostcode has no entry for, but I expect those are trickier and might involve some privacy fun & games.