Disclaimer #1. I know nothing about security and its relation to this entry’s topic. I’m saying this because in my career I’ve had more professional beat downs when I’ve sat in a meeting with security types and hinted that I know a thing about Security. Seriously. The last time I met with the security folks and tried to sound intelligent about security and its relation to my product, I was jumped, “You can’t say that Rands. Your product is a clear example of the Mxyzptlk conundrum and would be vulnerable to Chomsky-variant attacks.”
I have just said nothing. More often than not, that is how I feel when I leave my security meetings. I walk in smart and leave stupid because I hear nothing… and I’m smart.
Disclaimer #2. To whoever comments on the security-related aspects of this column, I pre-emptively say “You are right and I am wrong.” I realize security is your religion and I apologize for offending you.
Key to the web application revolution is that we’re all ok with the idea of our data being somewhere else. Your average Internet users don’t know whether their Gmail storage is sitting on their hard drive or on a server in Oregon. Don’t know, don’t care. At some point, they will. In the near future, bandwidth will be fast enough and storage will be cheap enough that it’ll make good sense to store everything somewhere else.
The reason for this is simple. You’re busy. Your job is not to reliably back up your data, your job is to do whatever it is that you do all day. Sure, you want to back up your data because “it’s a good idea”. We all think that about back-up… we all say “it’s a good idea”, but we don’t actually do it because that takes work and we’re already busy doing all our other work.
Realize this. There are people out there who have these big red cell phones on their respective hips. These cell phones have a special ring tone that, when used, causes their owners to totally freak out because it means one or more of their servers are down. The owners drop whatever it is they are doing and they bolt to the data centers to get their servers back up because that’s their job… keep those servers happy no matter what.
This is why the mail sitting on Gmail is significantly safer than the mail sitting on your portable.
This is the point where security and privacy folks freak out. Let’s give them a moment to settle down and then I’ll continue.
I’m not saying it’s not convenient to have all your content following you around, it’s just not that convenient when all that content vanishes in a puff of OH MY GOD MY DRIVE CRASHED smoke when you could have trusted someone else’s well-maintained server to care for your content.
The Internet is rightfully being made out to be a scary place. Apparently every hacker in what was the Eastern Bloc is out to break into your computer, steal your personal information, and sell it to the lowest bidder in some shady corner of cyberspace. You should be worried about these folks because they do exist and they are actively looking to exploit ignorant users.
The second key to the web application revolution is what we need to make another leap.
We need to trust that other people’s servers aren’t evil.
This issue of trust in cyberspace has been around since the moment someone realized that money would need to transfer via the Internet. This spawned an industry of folks debating the creation of public key certificates. All of this discussion is important and I’m glad it’s mostly being handled by folks who are qualified to have an opinion, but it strikes me as odd that we’re still arguing about this when I’ve got a trust model that’s working really well right on my desktop.
AOL Instant Messenger.
Some important facts about my AOL Instant Messenger (AIM) account which I currently access with iChat.
- I’ve been using it every day since it was first bundled with Netscape back in the late 90s.
- At this very moment, there are 50 active folks in my buddy list.
- I hit the ceiling of 200 total buddies over two years ago.
- Unless I’m on vacation, I’m always online. Always.
Lastly and most importantly, in all of these years of usage, I’ve never received a single IM spam. Not a single one.
Does this mean that AIM is secure? That they haven’t shared my personal information with telemarketers? I don’t know. What I do know is that it’s been eight years and I still consider my AIM account to be an invaluable communication resource. A huge part of that perceived value is because AIM just works. I can’t think of a time I’ve been unable to access the service and, again, no spam. At this moment, there are over 900 spams sitting in my Yahoo account and over 3000 sitting on my Gmail account. Yes, they’ve done a fine job of filtering them into another folder, but they still sneak through.
How does AOL do it? It’s a feat. Eight years of usage of a free service and I have yet to be pimped to advertisers. Well, the solution is partly technical, but mostly educational. From the technical perspective, yes, AOL has done a fine job of keeping their database of AIM user names secure. One would assume if this database ever got in the wild that all AIM users would’ve been spammed at some point. Go AOL. Keep up the good work.
On the educational front, I’ve done two things. First, I know to never broadcast my AIM username in a public forum. Yes, I know there’s an account right there on the front page of the weblog, but that’s not my main account. (As an aside, the jerkyrands account has only been spammed once in a few years of usage.) Second, I choose the right people for my buddy list. This is a big deal. When you think about adding someone to your buddy list, you go through a blindingly fast qualification process: Who are they? Do I want to keep talking with them? Are they idiots? Are they who they say they are? What if I ask them this?
Your brain is an excellent judge of identity. When a random person sends you an AIM, you can qualify them as a decent human being with just a few random questions. This quality control creates a buddy list full of trusted relationships and that’s why I don’t receive spam via AIM; I don’t have buddies who are out to screw me.
The same idea applies to trusting web applications. We can define another dozen security protocols to make sure your credit card is getting from here to there without nefarious parties sniffing out your data. We can paste digitally signed certificates everywhere. We need that technology, but we also need the users of web applications to be educated. We need to keep explaining to them the clever ways phishing sites are trying to steal their PayPal accounts. We need to fill their brains with useful data about the four clever questions they should ask themselves before they ever enter their credit card information because trust is best assessed and maintained by a human.