Who Is Acorn For

Gus Mueller:

Acorn isn’t Photoshop. I have no desire to turn Acorn into anysort of Photoshop clone. Acorn opens up PSD files, borrows manykeyboard shortcuts and ideas from Photoshop (just as Photoshopborrowed from MacPaint), but Photoshop is not Acorn’s future.

This upsets some people. I know this because I get the angryemails. This makes some people very happy. I know, because I getthe love letters.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Translation From Weasel-Speak to English of the
Key Question in Twitters FAQ for Developers Regarding Their New Policy for Third-Party Client Apps

Q: Will Twitter’s own applications also go through the OAuth web flow?

A: We?re taking this step to give more clarity and control to users about the access a third-party application has to their account. The way users interact with Twitter?s clients is not expected to change.

Translation: No.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

TermKit

Steven Wittens rethinks the Unix terminal interface and interaction model. Ambitious, to say the least.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Ed Bott on the Mac Defender Trojan Horse Scam

Bott quotes an anonymous AppleCare support rep that the Mac Defender scam is a growing problem, and here links to a bunch of threads on Apple’s support forum from affected users. Trojans aren’t a new problem on Mac OS X — trick a user into installing an app with admin privileges and the game’s over. Mac Defender isn’t an indication that Mac users need anti-malware software — in fact, the reason it appears to be succeeding is that it preys on uninformed users’ belief that they might need anti-malware software.

So, for the sake of argument, let’s take it as a given that this sort of thing is becoming more common. What can Apple do? Think about it. (My guess: think about why the iPhone and iPad, despite being far more popular than the Mac, have no trojan horses.)

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Daring Fireball T-Shirts Now Available

In case you missed the announcement last week, DF t-shirts are now available.

I don’t keep a large number of shirts in stock — what I do is take orders for a week or so, and then do a print run just to cover the number of shirts that were ordered. I’ll keep the shirts on sale through the end of this week, but come Friday, the order form will come down. In other words, if you want one, order now.

New in this round of shirts: a black tee with gray logo. All orders will ship at the end of May or first week of June.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

How Does a Socialist Public Servant Pay for
$3,000-a-Night Hotel Suites and First-Class Flights

Annie Lowrey reports for Slate on Dominique Strauss-Kahn’s lavish lifestyle.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Twitters Shit Sandwich

Twitter today announced new finer-grained control over third-party API access to direct messages:

Beginning today, we?re giving you more control over whatinformation you share with third-party applications. Apps that youuse to access your direct messages will ask for your permissionagain. By the end of the month, applications that do not needaccess to your direct messages will no longer have it, and you cancontinue to use these apps as usual.

That’s good news on the surface — it means you can use services and apps that require your Twitter credentials without granting those services/apps access to your private direct messages. For services/apps that are entirely public, this makes sense.

But there’s a big shit sandwich attached: Twitter is implementing this change by requiring all third-party clients that want or need access to direct messages to use the cumbersome OAuth login flow for authentication. Here’s the developer-level announcement on the Twitter API Announcement group.

OAuth is complicated and hard to summarize, but in a nut, Twitter currently offers third-party developers two ways to do authentication, OAuth and xAuth. xAuth allows the developer to simply ask the user for their Twitter username and password. If you use any of the popular third-party Twitter clients for the Mac or iOS — Twitterrific, Tweetbot, Hibari, etc. — you’ve seen xAuth in action. You launch the app, the app shows you a dialog box with fields for your Twitter username and password, you enter them, and then you’re in. Behind the scenes, the apps using xAuth do not store your username and password. Instead, they use them once to authenticate with Twitter’s API, and in return they receive from Twitter a key granting that app authentication for your account. The app needs only to store that key.

With OAuth, on the other hand, authentication must take place through a web browser and a session on twitter.com. The app forwards you to a web page at Twitter, you sign in to your Twitter account on the twitter.com website, and then you’re prompted, by Twitter on their website, to grant permission to the app in question to access your account.

OAuth makes perfect sense for web-based services that seek access to your Twitter credentials. For example, consider “favorite” aggregators like Favstar and Jason Kottke’s excellent new Stellar. These services require authenticated access to your Twitter account. Thanks to OAuth, you never need to give these sites your Twitter password, let alone allow them to store your password. Instead, they forward you to twitter.com, you grant them access to your account there, and then twitter.com forwards you back to the website where you started. It’s common sense: a web-based authentication flow works naturally from within a web browser.

But the same web-based authentication flow is jarring for native apps. When you open a native app — Mac, Windows, iOS, Android, WebOS — you don’t expect to be forwarded out of the app and into your web browser. Developers can alleviate some of the context switching by using an embedded web view inside their native app for the OAuth authentication handshake, but at that point, why not just use xAuth and simply allow the user to enter their username and password in a native dialog box? So long as you remain within the app, there’s no security advantage for OAuth in an embedded web view over xAuth — but there’s a huge decrease in usability, simplicity, and clarity to the user.

I’m currently testing a review unit of HP’s new Veer 4G, and for whatever reason, the WebOS Twitter clients I’ve tried and liked the best (Bad Kitty and Carbon) use OAuth, not xAuth, and account creation is a huge pain in the ass compared to any of the iOS apps I’ve used — all of which use xAuth for a simple “username/password in a dialog box” flow.

And OAuth is even worse for setting up multiple accounts in a native client (and good multiple account support is surely one of the leading reasons to use a native Twitter client instead of the twitter.com web site). Because then, not only do you need to go through the cumbersome OAuth login process for each additional account, but you must first sign out of the Twitter account you’re already signed into in the web browser. The twitter.com web interface is inherently single-account. To use a different Twitter account in the same web browser, you have to first sign out, then sign back in using the other account. With xAuth, to add an additional account you merely enter another username and password. With OAuth, you have to start by signing out of whatever account you previously signed into.

Full Twitter clients require access to DMs. Everyone using, say, Twitterrific and Tweetbot and TweetDeck, knows that these apps have access to their DMs because they’re using these apps to read and write DMs. This is very different from a web-based service like Favstar or Stellar, where you signed up to grant the service access to your Twitter favorites (which are public) and have no reason to grant the service access to your direct messages (which ought to be private). The whole point of native Twitter clients is that some users want the sort of experience that only native apps can provide. OAuth cannot be made to feel like a native experience, and account authentication is the very first thing you do when trying a new client.

With both xAuth and OAuth, you, the user, have control over each application and service to which you’ve granted any sort of access to your Twitter account. On twitter.com, go to Settings: Applications to see a list of all the apps with access to your account. I can’t think of any reason why Twitter would force native apps through OAuth other than to create a hurdle that steers users toward Twitter’s own official native clients. Because Twitter’s official clients aren’t going to force users to jump through OAuth to authenticate — they’re still going to simply ask for your username and password in a simple native dialog box.

If you use a third-party Twitter client that currently uses xAuth, and Twitter does not reconsider this policy change, you’re not going to like it when they flip the switch that requires OAuth. If you don’t want to take my word for it that OAuth provides a crummy experience for users of native apps, take it from Loren Brichter — back in 2009, when Tweetie was just another third-party Twitter client.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Google Rolling Out Server-Side Fix to Android
Authentication Flaw

Google:

Today we’re starting to roll out a fix which addresses a potentialsecurity flaw that could, under certain circumstances, allow athird party access to data available in calendar and contacts.This fix requires no action from users and will roll out globallyover the next few days.

It hadn’t occurred to me that they could fix this server-side. This means users won’t have to wait for any sort of software update on their devices, and takes all the piss and vinegar out of my snark yesterday.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Facebook Awarded Patents for Tagging in Photos

Kim-Mai Cutler, Inside Facebook:

Tagging was arguably the feature that made Facebook the biggestphoto site in the world and seeded the idea for creating theplatform.

Now the company has finally won a patent for it.

More bad patent news.

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!

Guide the Orb of Fire with Burney Game for
iPhone, iPad and iPod touch

KDS Investments Ltd is excited to announce the launch of the Burney app for iPhone and iPod touch, a story-driven puzzle game that invites players to bend their minds with a fresh and unique challenge. Burney treats users to a touch-friendly interface and high quality sounds. The game takes players on a delightful journey to guide the orb of fire on its way to freedom through a colorful mix of challenging levels and spectacular zones.

Read The Full Article:
http://prmac.com/release-id-25701.htm

Add to del.icio.us

Digg this

Post to Furl

Add to reddit

Add to myYahoo!