onfocus

I've been busy moving, and I have some catching up to do.

• Happy Thanksgiving!
• During the move chaos, Kiruba asked me some questions—and I answered them.
• If you missed it on December 1st, check out Metafilter's contribution to Link and Think 2002.
• Oregon is mostly cloudy with a good chance of showers.
• The only home Internet connection I've ever known is a dial-up because I lived way out in the country. Yesterday I got a cable modem. I predict it will make me impatient.

Did I miss anything while I was gone?

Aha! Now I know why all of those impolite, unidentified aggregators were hitting my RSS feeds so often—it was assigned in a class at BYU. The course is CS462 "Enterprise and Distributed Computing." Maybe they could bring me in as a guest speaker to talk about how to block aggresive bots coming from BYU computers. ;) The assignment was to create a Java servlet that integrates Bookwatch data with Amazon Web Services queries. Of course a hip class like this has a weblog. (If you're a student from this class, I'm sorry if I blocked the multiple requests from your IP. I hope I didn't mess up any grades. I was just trying to keep the server load down.)

Some pictures from Interstate 5 this weekend.


Mount Shasta in fog


Mount Shasta from I-5

Downtown Corvallis

A few weeks ago I posted about the problem with identities in open weblog comments systems. Since then I've been playing with different solutions, and I think PGP-signed comments are a good way to verify identities. It's extremely simple for the authors of comments systems to implement. (I added it to my comments system last night in about an hour.) It allows weblog authors to keep the barrier to conversation very low by not having a registration process. And it allows those comment-posters who are concerned about their online identity to take a few extra steps to digitally sign their comments.

It's also very easy on the comment-posting end. PGP has a function called "Sign" that matches the words of the comments with your public key. It includes a bit of garbled text based on those words, so the post can be verified. If anyone alters the words, the verification fails. I'm using PGP 8.0, and it has a great feature that signs the text in the current window with one click. I would simply type my comments into someone's site as normal, then click this button. It's instantly signed. I'll try to post more explanation with screenshots if I have some time later today.

Here's how I implemented it for my comments system. A standard post is plain text:

This is a standard comment.

A PGP-signed post is also plain text with some extra junk around it:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This is a PGP-signed comment.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0 (Build 349) Beta

iQA/AwUBPdvNQq9S5muEtqHZEQKIgACfTjtzfc101lkfWXEHQLgcHux99S8AoN/p
GDxRz2sbpl1MIXFm5Bbb6JxF
=qlO3
-----END PGP SIGNATURE-----

Ok, it's not junk, it's important information. But for the purposes of reading comments, it's junk. So if the junk is there when someone posts, my system saves the entire PGP comment as-is, then strips away the junk and stores the good stuff as a regular comment. Then, next to the information about who posted that particular comment is a link: [PGP]. Clicking on PGP will give anyone the original, unaltered, PGP-signed post that they can then use to verify the commenter's identity. My system doesn't do anything with decryption/encryption, handle any keys, or do any of the verification—it simply does a bit of extra text parsing. I didn't need to add any extra form fields or ask for any extra info. It doesn't break up the flow of conversation. The functionality is mostly hidden.

It puts the burden of identity management on the comment-poster instead of the comments systems. The poster would have to make sure their public PGP key is available somewhere, so people could verify their posts. It doesn't break up the flow of conversation, and it adds a bit of security for people who aren't posting anonymously. I'd feel much better about posting comments on weblogs if they had something like this available. For those who don't care, nothing changes.

I've tested this feature here with signatures from both PGP 8 for windows and gnupg for windows. It's bound to have some parsing problems with other platforms that need to be worked out, but I'll fix them as they come in. Check the comments on this post for an example. And let me know what you think. Will this work? Do you think people would sign their posts if it was an option?

BookPost was mentioned in an article on News.com today: Amazon, Google lead new path to Web services. I'm glad that journalists no longer have to explain what a weblog is to a general audience. It simply references BookPost by saying, "Another application combines the Amazon service with a Weblogger API to let users create a link to an Amazon product page on a Weblog in just one step."

By the way, here's my public PGP key. I socially accept encrypted email.

Between the marketers and the government, I'm surprised we're not all using PGP to encrypt every email we send. (even the ones about where to eat lunch.) And blocking the ones that don't to cut down on spam. If sending encrypted email was socially acceptable, I think I would make the effort. Not because I have something to hide, but because I believe email should be a private way to communicate. Using PGP is like sealing an envelope. Though, unfortunately, not as easy yet.

AOL is working on building encryption into its enterprise version of AIM. I wonder if public encryption will be illegal by the time that feature is ready for release.

roughly 700 books ready for transport

It's only when I move that I question whether I need my book collection. Do I really need so many Charles Bukowski books? They take up a whole box. A box I have to lift and carry. Up stairs.

It's finally starting to hit me that skp and I are in our last two weeks of living in the Bay Area. We found an apartment, reserved a truck, and we're beginning to fill boxes. This next week we'll be doing serious packing and making trips to our new home. We'll be living in transition. I haven't even had a chance to feel sad about leaving because I've been so busy getting ready to go. I know I'm going to miss it. I fell in love with Sebastopol and the whole Bay Area as soon as I moved here in late 1998—especially the Sonoma County geography, weather, and attitude. We have fantastic friends and family here, know back roads, and have favorite spots for working, eating, relaxing. We love being able to drive an hour to visit San Francisco, and we've walked hundreds of miles of trails from the coast to Yosemite. We love our house on a hill that has great views of Mt. St. Helena and west Santa Rosa. But we feel like it's time to start a new chapter. It's time to discover new favorite places, walk different trails, and explore different cities. Saying goodbye is the hardest part of moving, but we won't be out of touch. We'll just be 600 miles north in Corvallis, Oregon.

The Leonid meteor shower is coming up next Tuesday. It could be the last big meteor shower of our lifetime, so get as far away from city lights as possible and check it out. If you're in the Bay Area, hope for no fog. The fog clouded much of our view last year but we still saw quite a few. I also tried to take some pictures last year, but none of them turned out. I need to read these meteor shower photography hints.