    Category: Tools
    What is Identity

    Every few months I delete my Facebook account, citing the lack of ethics in their business model and the way it's executed. The FTC agrees with me, Austrians and Germans agree with me, and the Privacy Commissioner of Canada agrees with me. Facebook consistently seeks to undermine the illusion of privacy it presents to us, and to violate laws and the rights of its users in order to perpetually maintain a "social graph" containing mind-bogglingly detailed information about each and every person on the service, including what websites you visit (if they have a Like or Connect button installed), what actions you take there, and what personal information you share on many of those sites. I then inevitably sign up again to access their API, in order to stay current as a developer: clients need to reach people, and if their target audience is on Facebook, the client needs to be on Facebook too, and I'd better know how to give them that access.

    What does Facebook have to do with identity? There's a new feature in Facebook's account settings that allows you to link your Facebook account with what are considered other identity providers (i.e. Google, Yahoo) using OpenID. This means you can log into Facebook with credentials from these other services, and if you log out of Facebook and into, say, Google, a Like button on someone's blog would still recognize you as logged into Facebook. So what's in a username, when a username is only weakly linked to your identity?

    An email address is strongly linked to your identity; I can send you an email, but because email addresses are easy to spoof I cannot be sure an email is really from you without extra layers of security that are out of reach for the average user, or a really good Turing test, which is unfeasible, especially in the age of social networks where relationships are just as easy for anyone to discover and spoof. An email address is analogous to a driver's licence. Underage people create accounts with fake birthdays to get around COPPA just as they get a fake licence to buy beer. It's as unfeasible for the average person to forge a driver's licence as it is to break into someone's email account, but fairly trivial for people to acquire the knowledge to use either for identity theft or spoofing.

    In the real world your identity is the culmination of the information that resides in other people's brains and in 'the system' about you. You are the impact you have on the world. In a court of law, where identifying you can mean the death penalty or not, the only thing more convincing than DNA is DNA plus photo evidence plus eye-witness testimony plus a trail of other evidence. Planting some DNA is about as trivial as breaking into someone's online accounts; it's easy to brute force, phish, or Firesheep an account and gain access to credentials. In a digital world, gaining access to and duplicating the bits used as a digital passport is easy; what's hard is posting a thousand status updates, photos, and blog posts over a period of years as someone else while, over those same years, interacting with the other real people in that person's life. Because identity is the culmination of the impact you have.

    People get upset when they can't access the first of their ten thousand tweets, no matter how trivial it was, because it's perceived as a part of their identity. Our history and our breadcrumbs are our identity. Our interaction with the world is accumulated validation that we are who we unconsciously present ourselves to be. When logging into online banking or anything else that requires extra security, we set up secret questions and answers about our identity; and, correspondingly, depending on which parts of my life history are exposed to a given observer, their perception of my identity changes accordingly. Yet I wouldn't go so far as to say that we have multiple identities because of it. If two people are looking at the same sculpture from two different angles, there are not two sculptures, only two representations of the same sculpture. No two people in my life have the exact same account of me, and no one, including me, has the full account of my identity. The vast majority of our lives are forgotten or not known even to us. For example, if someone found an old journal that belonged to your great-great-great-great-grandfather, reading it would add to your knowledge of your identity; it would uncover a part of it. There is no reason a computer program could not be one of the mediums that store and retrieve parts of your identity, but your identity follows and remains attached to you.

    Your family impacts your identity, and so do your social interactions and the knowledge and experience you acquire. Identity rubs off and is transient. I am who I am because of who everyone else is. It's not just attached to my consciousness or my physical body, but to both, and to everything else those two things have, together or individually, interacted with, whether physically, digitally, or vicariously. Identity is the culmination of the impact you have on the world. Any website where you make an account, whether strongly or weakly tied to your identity, is merely a representation and thus an extension of it.

    There are no social networks. There are only tools and services with social features. Google+, Facebook, and Twitter are all broadcasting and link discovery tools, and they are all ways to waste time. Forget about the motives and business models of the companies and their inherent overlap. Google+ gives you more finely tuned and personal search results, Twitter allows for trends to be easily sparked and monitored, and Facebook exposes your breadcrumbs to help you find people and discover parts of their identity that would otherwise be hidden to you. None of these things are inherently good or bad in theory and none of them are a complete picture of you.

    The idea of using only one social network, or having only one ultimate online identity, is not only silly (because they are all merely representations of your identity), but it leaves you vulnerable to exploitation. You should have many online accounts, and many places where you publicly aggregate and maintain a list of links to those accounts, so that if one goes out of business you still have breadcrumbs, and so that if one gets hacked you can mention it on all the others. You should use different login credentials for each, so that it's totally unfeasible for anyone to gain access to the majority of them, and so that the patterned imprint of your identity on the web is easy to tell apart from what a given hacker would do with your account if they gained access to one of them. You should treat everything you post as public, because it ultimately is, and consider it to be public domain. The notion that these companies respect what's in their TOS is a marketing gimmick; you can still use the tools they give you to differentiate these public parts of your identity, but that is, and should be seen as, merely a form of curation rather than any form of security. You should seek to maintain aspects of your identity privately, offline, and between close relatives and friends.

    Inside Google+

    After waiting patiently since Wednesday afternoon for my invite to work (it's 4:30am Friday right now), it finally did.

    Foot in the door

    The first thing you're asked is if you'd like to enable +1 on non-Google sites. Right off the bat, compared to Facebook, the explanation of where and how my content will appear on non-Google sites if I enable this feature is very clear. I'm enabling it for now but there are some security/privacy risks which I'll get into in a future post.

    Privacy

    You also get a link to the Privacy Policy before signup. Google's Privacy Policy incorporates their Google-wide policy, which if you have a Google account you've already agreed to (~1660 words), and if you use the mobile version of G+ it instead incorporates their mobile-specific policy (~1070 words). If you upload a photo to Google+ you're also agreeing to the Picasa Privacy Policy (~795 words). If you use the +1 button you're agreeing to the +1 Privacy Policy (~420 words). The Google+ (Plus) specific policy adds ~1035 words of amendments, so it totals around 3500 words; since Google already had hundreds of millions of users who'd already agreed to their sitewide policy and Picasa's, there's only around 1500 words of new policy for their social layer. Contrast this with Facebook's Privacy Policy (~5850 words), which you have to click through to from an overview page describing privacy controls (~1260 words), an expansive Privacy FAQ, 25 external privacy information links, 8 minutes of video explaining privacy on Facebook, as well as the Privacy Policy of every app you use on the Facebook platform. In addition to Google being an order of magnitude more concise, the Google+ Privacy Policy is also written in much clearer wording. Look forward to my deconstruction of the Google+ Privacy Policy in a future post. What stands out is:

    • Participants added to any group conversation may be able to see the entire history of the conversation. Since anyone in a conversation can essentially add anyone else, consider everything you post to Google+ public.
    • If you use a third-party app like TweetDeck to post to Google+, the developer of the app has access to all the information you have access to. So consider everything you post to Google+ public, as any one of your contacts may use a third-party app, giving that developer access to all your posts.
    • During the next step in the signup process you're shown a window requiring that you connect Picasa Web Albums to your Google+ account, so your photos are available to you. Your albums' visibility settings aren't changed, but people they are shared with can now share them with anyone else. So consider photos you share on Google+ public.

    While these last three points may change the way you use Google+ at least they're upfront about how little control you have of a post once you post it online. Other social networks would prefer you not realize this.

    Experience

    annnnd I'm in.

    It looks incredible, very clear and fresh. The interface is snappy and responsive and shows me little messages the first time I do something telling me what's about to happen.

    No ads to be seen anywhere; hard to say at this point if that's because it's a "limited field test" or a competitive advantage. It would be great if, when I'm looking at my social timeline, I'm not bombarded with ads, as opposed to Facebook, where the ads mention my friends' names and are awkward and uncomfortable. Better-targeted ads on other Google properties, and a clean social experience.

    Hangouts are awesome, and simple to use. Can't wait to try it out with some people when invites go live again. You'll need to download the Google Talk plugin. Google Talk is also integrated with G+; you get the same chat widget that's been around in GMail for a while, except there's no dialpad and it's integrated with Circles.

    Photos look really good: instead of a gallery of evenly sized thumbnails you have a dynamic spread of recent photos with a little bubble showing the number of comments each one has. Clicking on a photo opens a better-looking lightbox where you can see photo metadata and fly through the entire album, and photo comments are on the side so I can scroll through comments and leave one while still looking at the photo.

    Your account settings are very clear, easy to understand, and well organized. There aren't many settings you need to configure. The first panel "Account overview" lets you manage your account and provides two links at the bottom to Delete your profile and remove associated social features, and to Close account and delete all services and info associated with it. They've also devoted a section of your account settings to Data liberation which is a simple set of 6 links to download all your data.

    Things you can keep private —like who you're friends with, are very simple to control. Deciding "who gets to see what" is ingrained in the way you post and use the site, and it's clear that Circles are about managing who you're sending posts to, not creating an air-tight controlled network where your data is 100% private. This is a good thing, Google's not obfuscating the ultimate lack of control a given person on the internet has over their content once it's posted online, they're instead making it clear that it's up to the people you choose to trust and share with to respect your privacy —which is in fact the case on other social networks and anywhere else on the web; including email, despite what those sites would lead you to believe through branding or convoluted privacy policies and UI.

    Google makes it very easy to:

    • See what data they have
    • Download your data to your computer
    • Remove your data from Google's servers

    Issues

    There's a little option arrow on each post that lets you disable comments/resharing, but if I'm not looking at the Stream when I post then I don't have those options. There also doesn't seem to be a global way to disable resharing.

    Yeah it's a field test and no one's using it yet, but when G+ does go live, I'd expect there to be a better way to find interesting people to follow. I'm talking your Scott Siglers, Leo Laportes, Gina Trapanis, and Keith Malleys. Right now (and rightly so) it's more geared towards finding your friends and family.

    Invites

    It looks like any computer in my house can now sign up for Google+, but people are still getting a "capacity exceeded" message. Invites have also been temporarily disabled, but if you want an invite just email me your Gmail address or post it in the comments below, and I'll invite you when I can.

    Google+

    Google+ was announced yesterday and is currently being field tested. Scheduled to be slowly rolled out to users.

    What is Google+?

    It's a social sharing layer being added to Google. Their answer to Facebook, Twitter, Skype.

    (scroll down for videos and demos)

    I'm leaving Facebook as soon as Google+ opens — or as soon as I get an invite and can invite the people I care about.

    Why

    Facebook is hella boring: only a few people post more than once a day, there's a stalker mentality, endless privacy fuck-ups, and over time the software has become more complicated and bulky, not less. The Facebook iPhone app is really badly executed from a design and usability perspective. Google+'s Sparks, where they feed people interesting news based on their interests, will finally give "non-broadcasters" something to talk about and share. It's like mushing Google Alerts and StumbleUpon into Facebook.

    Group video is a huge pain with Skype, and there's no iPad version; the iPad-compatible version is just a tiny square. Call quality is frequently terrible, and it's awkward for people to start a video conversation. Working with a distributed team and trying to keep track of everyone's hours, when they're knee-deep in code or out to lunch, is reason enough to get a personal assistant. Google+'s Hangouts is like a living room in your office that's actually in your social network. People can join and leave when they're available, with videoconferencing where the video being shared or the person talking loudest takes center stage. It's like a really natural Sococo that doesn't force you to play with little avatars.

    Twitter's character limit is irritating now, and I don't want to post to 3 social networks anymore. Every social sphere is on every social network, and Facebook privacy is non-existent. So I'm just posting multiple public messages to randomly dispersed people, with a lot of overlap. Yeah, you can go to a Twitter profile and quickly see a person's updates and absorb a lot of information at a glance from a set of guaranteed-concise updates; but who does that? Yeah, you can get your public updates indexed by Google, but only a few, a feat not even possible on Facebook. And quite frankly I don't care about all of a person's updates. Using Google+'s Circles to target who gets a given update means fewer, and more meaningful, updates, rather than forcing wordplay and brevity.

    With Twitter you think more about what you post and how to word it to make it fit, but that's conformity and a focus on structure over content. What you end up seeing is the Twitter version of the people you care about. I want to see the real version. I want to see the thought they had in the moment, worded the way they talk without all these barriers, and supplemented by links, videos, and images, and I want the interface to be clean and minimalist. Twitter's custom backgrounds and colours are a huge flaw.

    Twitter also goes down a lot, and only lets you access your last 3200 tweets. Both traits seem a bit ridiculous for a social network that encourages you to post every off-the-cuff thought.

    Demo

    Here's the interactive demo, make sure you hit "Take the tour" to get it started.

    http://www.google.com/intl/en/+/demo/

    Videos

    Here's a link to the full Google+ playlist; just go into Fullscreen and it'll play through them all:
    http://www.youtube.com/watch?v=xwnJ5Bl4kLI&feature=list_related&playnext=1&list=SPF3DFB800F05F551A

    Dropbox

    Dropbox has been getting a lot of flak recently for misleading users. Their attempt to address these issues on their blog is ridiculous; their marketing department spinning nuance into very serious security claims leaves them with a permanent stain on their brand, one of being utterly untrustworthy and incompetent. They tried to walk the line of ambiguity and it's come back and ruined what was once a shining example of a consumer brand done right.

    Here's a link that highlights that incompetence, and here's an excerpt from a recent post on the Dropbox blog illustrating how full of shit they are:

    For example, one help article formerly stated that “files stored on Dropbox servers are encrypted (AES-256) and are inaccessible without your account password.” We were explaining that there are multiple safeguards on your data: that the files are stored encrypted and in addition, protected by your access credentials. However, a security professional could incorrectly infer that the encryption key comes from the user’s password, so we’ve separated the two points for clarity.

    Another statement read “Dropbox employees aren’t able to access user files.” That means that we prevent such access via access controls on our backend as well as strict policy prohibitions. That statement didn’t say anything about who holds encryption keys or what mechanisms prevent access to the data. We updated our help article and security overview to be explicit about this.

    In summary, anything you put in Dropbox should be considered public, just like Facebook and Twitter. While all your data in Dropbox is "encrypted", the keys to decrypt all of it are accessible to and stored with Dropbox in the cloud, not with you. Meaning the encryption is totally meaningless. Aside from the fact that Dropbox now openly co-operates with anyone who makes a request to peek at your files, any hacker who gains access to the Dropbox servers or codebase can easily get your encryption key, and your data is compromised.

    Monitoring log files over SSH with Tail

    If you have to do some debugging you might need to monitor a log file without having to reload it every two seconds.

    The solution is to log in to your server via SSH and use the tail -f command, which follows changes as the file grows and prints them in the terminal.

    So if your PHP log is located at /logs/php.log, just type in

    tail -f /logs/php.log

    To stop it, press ctrl+c.


    Flash Snippets for Flash Builder 4

    I'm getting used to Flash Builder 4; man is it fast. I came across this plugin by Lee Brimlow: it's SnipTreeView adapted to work with .mxml files and in FB4. Just download it from his blog and add it to the plugins folder, then restart. There's a quick how-to video, highly recommended.

    Flash Snippets [http://theflashblog.com/?p=1494]


    Adobe AIR, Flex, and Socket Policy Files

    You probably found this because you're trying to make a socket connection from Flex/Flash and getting the following error:

    SecurityError: Error #2123: Security sandbox violation:

    Adobe went through a number of phases making the rules for serving and checking policy files stricter. There are different security sandboxes. If you publish your Flex/Flash application on domain.com and the application attempts to load content from domain2.com, it will look for a cross-domain policy file at domain2.com/crossdomain.xml to get permission. It does this automatically; however, you can specify the location of the cross-domain policy file in your Flex application using the following method:

    import flash.system.Security;
    Security.loadPolicyFile("http://domain.com/remote_content/crossdomain.xml");

    A cross-domain policy file only has authority to grant access to content below it in the folder hierarchy. So a policy file in /remote_content/ can't grant access to content in the root folder, and in addition a policy file at the domain root can override any other policy file; it has maximal authority. Subdomains are considered separate domains, which, as a side note, is how most search engines see subdomains too.

    So much for cross-domain policy files. In general, Adobe AIR applications operate in one of the local system sandboxes and thus have access to content on any domain. This post is about socket policy files. When you access regular web content you're generally connecting to your server on port 80 and being served content by Apache or whatever web server you happen to be running. When you do this you're using HTTP under the hood and never have to deal directly with that crazy stuff. If you want to make a raw socket connection to your server, you will need to serve up a socket policy file on a specific port.

    First, I just want to stress the difference between a cross-domain policy file and a socket policy file. Between my dyslexia and the ton of misleading, vague, and now out-of-date and incorrect information out there, I kept thinking they were the same thing. Second, there is no way, as far as I'm aware, to serve a socket policy file with Apache.

    By default, Flex/Flash looks for a socket policy file on port 843. There are several places on the web that talk about being able to connect to higher port numbers without a socket policy file; that doesn't seem to be the case anymore. Just assume that any raw socket connection from a Flex/Flash client requires a socket policy file.

    You can serve the socket policy file from the port you're connecting to, but this is tricky given the manner in which Flex/Flash goes about loading the socket policy file, and rewriting the service to serve it up, especially if you're using server software built by someone else, means it's just better to keep the socket policy file server as a separate, always-running process on the system.

    Now, in the simplest implementations you need a process, written in Python, Perl, C++, PHP CLI, or whatever, listening on port 843. It has to wait for, very specifically, the string <policy-file-request/> followed by a NULL byte. Upon receiving that it needs to serve up the policy file, which needs to at least have allow-access-from domain set to * and to-ports set to *. You should use the links at the end of this post to familiarize yourself with the differences between, and all the options you can specify in, policy files. It's easiest to keep the policy file as an actual file, instead of adding the text of the file to your custom server code. And that's it! Now you can go on with a better idea of what information out there is out of date or not.
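    Here is a minimal socket policy file server in Python 3 that does exactly what the steps above describe. It is an added example, not code from this post or from Adobe's own samples: it listens on port 843, reads until it has the exact <policy-file-request/> string plus NULL byte, and answers with a policy file (loaded from disk if a path is given, otherwise generated). Anything else it ignores and closes, so a stray HTTP probe gets no reply. The domain="*" / to-ports="*" wildcard is the minimum the post names; the build_policy parameters and the example.com/8443 values are assumptions used to show the narrower setting a production host should prefer, since a wildcard lets any SWF anywhere open sockets to this machine.

```python
# Added example (not the post's or Adobe's code): minimal Flash socket policy file server.
import socket
import socketserver
import sys

# Exact request Flash Player sends to port 843: the string followed by a NUL byte.
POLICY_REQUEST = b"<policy-file-request/>\0"


def build_policy(domain="*", to_ports="*"):
    """Return a socket policy document. The post's minimum is '*' for both;
    narrowing domain to the site that hosts the SWF and to_ports to the real
    service port is the safer setting (values here are assumptions)."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE cross-domain-policy SYSTEM '
        '"http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">\n'
        '<cross-domain-policy>\n'
        f'  <allow-access-from domain="{domain}" to-ports="{to_ports}" />\n'
        '</cross-domain-policy>\n'
    ).encode("ascii")


def handle_request(data, policy=None):
    """Return the NUL-terminated policy for a well-formed request, else None.
    Only the exact request string is answered, so the server never echoes
    anything back to a client that sends arbitrary bytes."""
    if data != POLICY_REQUEST:
        return None
    return (policy if policy is not None else build_policy()) + b"\0"


class PolicyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)  # idle clients must not tie up a thread
        buf = b""
        try:
            # Read until the NUL terminator, never more than the request length.
            while not buf.endswith(b"\0") and len(buf) < len(POLICY_REQUEST):
                chunk = self.request.recv(len(POLICY_REQUEST) - len(buf))
                if not chunk:
                    break
                buf += chunk
            reply = handle_request(buf, self.server.policy)
            if reply is not None:
                self.request.sendall(reply)
        except (socket.timeout, OSError):
            pass  # returning closes the connection


class PolicyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, addr, policy):
        super().__init__(addr, PolicyHandler)
        self.policy = policy


def serve(host="0.0.0.0", port=843, policy_path=None):
    """Serve the policy file from disk (policy_path) or a generated one."""
    if policy_path:
        with open(policy_path, "rb") as fh:
            policy = fh.read()
    else:
        policy = build_policy()
    with PolicyServer((host, port), policy) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    # Usage: sudo python3 policyd.py [policy-file]   (port 843 is privileged)
    serve(policy_path=sys.argv[1] if len(sys.argv) > 1 else None)
```

    Run it as root (or grant the binary CAP_NET_BIND_SERVICE on Linux) because port 843 is below 1024, and keep it running under your process supervisor as the post suggests. Keeping the policy in a file means you can tighten allow-access-from later without touching the server code.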

    Here are some important links to help you on your journey:

    Adobe on setting up a Socket Policy File Server

    Adobe on Policy File changes for flash 9 and 10

    Adobe on the structure of Policy Files

    An intro to Sockets

    Working PHP Cli Socket Policy File Server


    Let Postfix send mail through your Gmail Account – Snow Leopard

    First of all GRRRRRR!!

    Second, this has been one of those things I randomly get sucked into between projects, where I'll spend 5 hours on Google trying to figure it out, getting tiny fragments of info but never actually solving the issue. This is the worst! What the hell am I talking about? Say you use MAMP or whatever as a local testing server. You write some PHP and you need to use the mail() function. You test your new email function by sending to your personal Gmail account. So you try it and it doesn't work, or even worse, it works a couple of times and then never again. So you go to Applications->Utilities and fire up the Console application. You're shocked to see a message in there saying something about Gmail not accepting mail from your IP address because it's registered as a residential thingy, and apparently a lot of spammers use their personal computers to send spam.

    So you say, no no, there must be some mistake, I'm a programmer, not a spammer, I'm just trying to test out my new app. But you quickly realize you're talking to a computer, pleading, and well, it doesn't care. Typical. After you cry, you try to piece together a coherent step-by-step set of instructions to route all mail sent from your computer through your Gmail account, so it would be from you and all go through. Here's what you do.

    Note that $ is used to show a new terminal command; you don't actually type it in:

    Open Terminal - found in Applications->Utilities and type in:

    $ sudo nano /etc/postfix/relay_password

    You'll now be editing a new file called relay_password in the nano Terminal editor. Type in the following, substituting your login info (it should work with Google Apps accounts as well):

    smtp.gmail.com example@yourdomain.com:yourpassword

    Press ctrl+o on your keyboard followed by Enter to save the file, then press ctrl+x to exit the editor.

    Now type in:

    $ sudo postmap /etc/postfix/relay_password

    That compiles the relay file you just created into the lookup table Postfix reads. Gmail uses a secure connection, so you need to head over to Verisign and download some root certificates. Go to the following URL, fill out your info, and download the .zip file:

    https://www.verisign.com/support/roots.html

    Now type in the following commands one after another. The second command wants the roots.zip you just downloaded; you can just drag the zip file onto the Terminal window and it will fill in its location, but don't do that for the 4th command. Also note you may have some certificates already on your system, so after the second-to-last command you may be prompted to replace existing certificates; type N so it doesn't replace the ones you have:

    $ sudo mkdir /etc/postfix/certs
    $ sudo cp roots.zip /etc/postfix/certs
    $ cd /etc/postfix/certs/
    $ sudo unzip -j roots.zip
    $ sudo openssl x509 -inform der -in thawte\ Primary\ Root\ CA\ -\ G2_ECC.cer -out thawte\ Primary\ Root\ CA\ -\ G2_ECC.pem
    $ sudo c_rehash /etc/postfix/certs

    Now type in:

    $ sudo nano /etc/postfix/main.cf

    Go to the end of the document; you can delete the MAMP stuff. Also note that if you have MAMP Pro and you edit Postfix settings from there, it'll fuck up what we're doing here. So remember this going into the future and don't do that.

    Paste in the following at the end of the document (note: use the keyboard to get around the document, but use the mouse to right-click and paste):

    relayhost = smtp.gmail.com:587
    # auth
    smtp_sasl_auth_enable = yes
    smtp_sasl_password_maps = hash:/etc/postfix/relay_password
    smtp_sasl_security_options = noanonymous

    # tls
    smtp_tls_security_level = may
    smtp_tls_CApath = /etc/postfix/certs
    smtp_tls_session_cache_database = btree:/etc/postfix/smtp_scache
    smtp_tls_session_cache_timeout = 3600s
    smtp_tls_loglevel = 1
    tls_random_source = dev:/dev/urandom

    Save it like we did before by pressing ctrl+o, then Enter, then ctrl+x.

    Now type in:

    $ sudo nano /etc/postfix/master.cf

    You're now editing master.cf, a different file from the main.cf we just pasted stuff into. There should be a table in here; find the line in the table that looks something like this:

    #tlsmgr    fifo  -       -       n       -       1       tlsmgr

    Make it look like this (note the comment is removed and fifo becomes unix):

    tlsmgr    unix  -       -       n       -       1       tlsmgr

    Save it like the other times pressing ctrl+o, then Enter, then ctrl+x.

    Ok, so at this point you can put the following into Terminal and see that it works (put your email address in there twice):

    printf "Subject: test\n\nHello from Postfix\n" | sendmail -f user@gmail.com user@gmail.com
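    One thing worth checking before you call the relay done: the main.cf fragment pasted above uses smtp_tls_security_level = may, which is opportunistic. If STARTTLS to smtp.gmail.com fails or is stripped on the path, Postfix falls back to plaintext and the relay password from relay_password goes over the wire unencrypted. Setting it to encrypt makes TLS mandatory for the relay. The small audit script below is an added example, not part of this post: it parses a main.cf fragment, flags that setting (and a couple of related ones), and shows the weak config next to the hardened one. The two config strings are constructed samples that mirror the fragment above; the check list is my own, not a Postfix tool.

```python
# Added example (not the post's code): audit a Postfix relay configuration.
# The config strings are constructed samples; paths match the post's setup.


def parse_main_cf(text):
    """Parse 'key = value' lines of a main.cf fragment into a dict.
    Comments and blank lines are skipped; a later key overrides an earlier
    one, as Postfix itself does."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params


def audit_relay_config(text):
    """Return a list of findings for a config that relays through an
    authenticated smarthost (relayhost + SASL). Empty list means nothing found."""
    p = parse_main_cf(text)
    findings = []
    if not p.get("relayhost") or p.get("smtp_sasl_auth_enable", "no").lower() != "yes":
        return findings  # not an authenticated relay; nothing to check here

    # 'may' is opportunistic: on a failed or stripped STARTTLS Postfix falls back
    # to plaintext and the SASL password is sent in the clear.
    level = p.get("smtp_tls_security_level", "none")
    if level not in ("encrypt", "secure", "verify", "fingerprint", "dane-only"):
        findings.append(
            f"smtp_tls_security_level = {level}: use 'encrypt' (or stronger) so "
            "the relay password is only ever sent inside TLS")

    # 'verify'/'secure' check the relayhost certificate, which needs a CA store.
    if level in ("secure", "verify") and not (p.get("smtp_tls_CApath") or p.get("smtp_tls_CAfile")):
        findings.append("certificate verification requested but no smtp_tls_CApath/CAfile set")

    opts = {o for o in p.get("smtp_sasl_security_options", "").replace(",", " ").split()}
    if "noanonymous" not in opts:
        findings.append("smtp_sasl_security_options should include 'noanonymous'")
    return findings


# Constructed samples. WEAK mirrors the post's fragment; HARDENED changes one line.
WEAK_MAIN_CF = """\
relayhost = smtp.gmail.com:587
# auth
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/relay_password
smtp_sasl_security_options = noanonymous
# tls
smtp_tls_security_level = may
smtp_tls_CApath = /etc/postfix/certs
"""

HARDENED_MAIN_CF = WEAK_MAIN_CF.replace(
    "smtp_tls_security_level = may", "smtp_tls_security_level = encrypt")


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(name, audit_relay_config(cfg) or "OK")
```

    Two related points the script does not check because they live outside main.cf: relay_password holds your Gmail password in plaintext, so restrict it (and the relay_password.db that postmap generates) to root with chmod 600, as the Postfix SASL documentation recommends; and after changing main.cf, run sudo postfix reload so the new TLS level actually takes effect.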

    Postfix is working now. Good. You go back to your PHP application and test the mail() function again. If it works then you're done, but if not, you panic. You start feeling really hungry. You know that Postfix is working, but maybe PHP or Apache haven't gotten the message yet. Ok. So you see in Console that sendmail is crashing; you open the crash report in Terminal and it tells you there's an incompatible version of libxml. It wants 10 and you have 9. You begin questioning if any of this is worth it and whether maybe you should just go sit in front of a TV and forget about doing anything meaningful with the rest of your life.

    After almost installing XCode and registering as an Apple developer so you can build and install the newest version of libxml, you wonder if maybe MAMP comes with libxml, and find that yes, it does. So instead of spending 2 hours upgrading the system libxml only to find it doesn't do anything, you just upgrade to the latest version of MAMP (1.8 at the time of writing) and it works. What?? It works? Really? Yup. So what do you do now?

    REJOICE! with lunch.

    Some of this was scoured from random forums and blogs in the midst of complete frustration and combined into steps that actually work. A chunk however was taken from this post: http://dejan.ranisavljevic.com/2009/05/28/enable-postfix-with-relay-outbound-to-your-gmail-account-on-os-x-leopard/ so check them out.