February 29, 2012
Touch Arcade's behind-the-scenes on Beat Sneak Bandit — one of the most addictive games I’ve ever played, a brilliant one-button rhythm game
Robot quadrotors perform the James Bond theme — they play pretty well for mindless killing machines
A Year of Links — Tom Armitage’s physical book of Pinboard bookmarks and the code to make your own
Scott Schiller's HTML port of Survivor for the C64 — the source is on Github; I loved his making-of photos
Jesse Thorn's 12 Point Program for Absolutely, Positively 1000% No-Fail Guaranteed Success — some solid advice from inspiring, independent people
Ze Frank bringing back The Show — yay! all my Kickstarter dreams are coming true
Swear Cuts — editing this year’s nine Best Picture nominees to eight minutes of profanity
Ron Gilbert and Tim Schafer discuss adventure games — amazing 35-minute chat; related: they added new rewards to the Double Fine Adventure
Adrian Chen unmasks the creator of @horse_ebooks — some great Internet detective work
Stripe's Capture the Flag — hack six levels and get a t-shirt, and maybe a job
10 Seconds from Every Top 100 Song Ever — grabbing the loudest point is surprisingly useful for spotting choruses
Dutch scientists to create first lab-grown hamburger this fall — $316,000, cheap; take that, Fleur de Lys
YouBeMom — 4chan for moms; anonymous, ridiculously active, and often brutally honest
Gawker digs up Facebook's internal content moderation guidelines — they use oDesk contractors to moderate flagged material
John Gruber gets a one-on-one demo of Apple's Mountain Lion — moving much further in the direction of iOS
2QWOP — finally, multiplayer flailing
So, I made a weird new thing with my 15-year-old nephew, Cooper McHatton. It’s experimental and has lots of rough edges, but quite frankly, I’m tired of working on it, so here you go.
Playfic is a community for writing, sharing, and playing interactive fiction games (aka “text adventures”) entirely from your browser, using a “natural language”-inspired language called Inform 7.
Inform 7 is incredibly awesome and weird. For example, this is a fully functional game:
East of the Garden is the Gazebo. Above is the Treehouse. A billiards table is in the Gazebo. On it is a trophy cup. A starting pistol is in the cup. In the Treehouse is a container called a cardboard box.
Type that into Playfic, and you end up with this simple game, ready to send to the world.
For now, there’s very little documentation on Playfic itself, but you can click the “View game source” link on every game to see how it was made, and Cooper’s adding sample games from the official Recipe Book.
My hope is that Playfic opens up the world of interactive fiction to a much wider audience — young writers, fanfic authors, and culture remixers of all ages.
While the language can be tricky, building simple games is surprisingly easy. Cooper had never coded anything or made a game before trying Playfic, and within 30 minutes of futzing around, he’d made his first game.
Some stuff is broken and missing, but I’d love to hear what you make of it. Open to any and all feedback. Go make some games!
The Verge's analysis on apps that upload your contact list — finally, the data journalism article that everyone wanted after the Path debacle
Paul Ford's 100 Ways to Say I Love You — “60. Yell it over your shoulder as you are pushed into the squad car.”
Super Mario Bros. Crossover 2.0 — new skins span multiple eras of console gaming
Texting Level: Expert — Adam Ellis’s photo conversation from Vegas to New York
Bret Victor's Inventing on Principle — amazing talk that gets increasingly amazing; I want that code editor and iPad app
The Dark Room — a silly one-room YouTube adventure
Eclectic Method recreates 99 Problems with film clips — like a frenetic take on Matthijs Vlot’s Hello
Anatomy of a Tear-Jerker — or: why some songs give us chills and provoke an emotional response
The other day, I tried out Unroll.me, a clever new service that reads your inbox to let you unsubscribe from mailing lists and other unwanted e-mail flotsam with a single click.
As I was about to connect my Gmail account, my finger hovered over the “Grant access” button.
For all I knew, it could be run by unscrupulous spammers or an Anonymous troll looking for lulz. And I was about to give them unfettered access to eight years of my e-mail history and, with password resets, the ability to access any of my online accounts?
I had to dig around online to find out who’s behind it, and fortunately, Unroll.me is a totally legit NYC-based startup providing a useful service. I spoke to Perri Blake Gorman, Unroll.me’s cofounder and CMO, who assured me they’ll add all the company information as they roll out their public beta.
But since Gmail added OAuth support in March 2010, an increasing number of startups are asking for a perpetual, silent window into your inbox.
I’m concerned OAuth, while hugely convenient for both developers and users, may be paving the way for an inevitable privacy meltdown.
The Road to OAuth
For most of the last decade, alpha geeks railed against “the password anti-pattern,” the common practice for web apps to prompt for your password to a third-party, usually to scrape your e-mail address book to find friends on a social network. It was insecure and dangerous, effectively training users how to be phished.
The solution was OAuth, an open standard that lets you grant permission for one service to connect to another without ever exposing your username or password. Instead of passwords getting passed around, services are issued a token they can use to connect on your behalf.
If you’ve ever granted permission for a service to use your Twitter, Facebook, or Google account, you’ve used OAuth.
This was a radical improvement. It’s easier for users, taking a couple of clicks to authorize accounts, and passwords are never sent insecurely or stored by services who shouldn’t have them. And developers never have to worry about storing or transmitting private passwords.
But this convenience creates a new risk. It’s training people not to care.
It’s so simple and pervasive that even savvy users have no issue letting dozens of new services access their various accounts.
I’m as guilty as anyone, with 49 apps connected to my Google account, 80 to Twitter, and over 120 connected to Facebook. Others are more extreme. My friend Sam is a developer at Kickstarter, and he authorized 148 apps to use his Twitter account. Anil counted 88 apps using his Google account, with nine granted access to Gmail.
For Twitter, the consequences are unlikely to be serious since almost all activity is public. For Facebook, a mass leak of private Facebook photos could certainly be embarrassing.
But for Gmail, I’m very concerned that it opens a major security flaw that’s begging to be exploited.
The Privacy Danger
A long list of services, large and small, request indefinite access to your Gmail account.
I asked on Twitter and Google+ for people to check their Google app permissions to see who they’ve granted Gmail access to. The list includes a range of inbox organizers, backup services, email utilities, and productivity apps: TripIt, Greplin, Rapportive, Xobni, Gist, OtherInbox, Unsubscribe, Backupify, Blippy, Threadsy, Nuevasync, How’s My Email, ToutApp, ifttt, Email Game, Boomerang, Kwaga, Mozilla F1, 0boxer, Taskforce, and Cloudmagic.
Once granted, all of these services are issued a token that gives unlimited access to your complete Gmail history. And that’s where the danger lies.
You may trust Google to keep your email safe, but do you trust a three-month-old Y Combinator-funded startup created by three college kids? Or a side project from an engineer working in his 20 percent time? How about a disgruntled or curious employee of one of these third-party services?
Any of these services becomes the weakest link to access the e-mail for thousands of users. If one’s hacked or the list of tokens leaked, everyone who ever used that service risks exposing his complete Gmail archive.
The scariest thing? If the third-party service doesn’t discover the hack or chooses not to invalidate its tokens, you may never know you’re exposed.
In the past, Gmail’s issued security warnings to accounts being accessed from multiple IP addresses. I spoke to OtherInbox founder Joshua Baer, and he said that Google’s eased up on the warnings because of the prevalence of third-party services.
It’s entirely possible for someone with a stolen token to read, search, and download all your mail to their server for months, and you’d never find out unless they exposed themselves, or you were diligently auditing your “Last account activity” history.
Clearly, we’re not going to stop using awesome new utilities just because there’s a privacy risk. But there are best practices you can follow to stay safe.
- Clean up your app permissions. The best thing you could do, right now, is to log into each service you care about and revoke access to the apps you no longer use or care about, especially those that have access to Gmail. Finding the permissions pages can be tricky, but the nice folks at MyPermissions.org made a handy dashboard linking to every one.
- When in doubt, change your password. Have a feeling that someone might be reading your mail, but not sure which app is to blame? Changing your password instantly invalidates all your Google and Facebook OAuth tokens, though Twitter tokens persist after password changes.
Google could improve, as well. Their permissions page is too hard to find, even for experienced users, and it’s impossible to see which apps have accessed your account recently.
Facebook does an excellent job with this, but Google only shows you the IP address and the protocol it used to connect. Surfacing this information, as a periodic e-mail or on-site notification, would go a long way to averting a potential disaster.
The Greatest Troll of All
So, I originally published everything above over on my Wired column yesterday, but I left off something else I’ve been thinking about.
While I think a compromised database is the most likely scenario, there’s another possibility that disturbs me more.
Imagine that a brand new service pops up, offering a simple, fun service that uses your Gmail account. Maybe a neat visualization like Tout’s Year in Review, or maybe something more practical like sending all your attachments to Dropbox.
But it’s all just a giant troll, where the app’s creators are silently running targeted searches, downloading your mail, and looking for compromising photos and sensitive documents behind-the-scenes. They could collect the documents for months or years, and then release it all online in an anonymous blast. Lulz!
You’d likely never find out where the data came from, and the perpetrators would never be caught. Hell, if you’ve Gmail-authed a questionable app, this could be happening to you right now and you’d never know. Whee!
Raiding the Lost Ark — incredible fan-made compilation of archival commentary on Raiders of the Lost Ark
MG Siegler on VEVO employees pirating a football game — “Why would VEVO pirate content? Because it was easier than getting it legally.” (via)