Is there a social networking protocol [closed] - protocols

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 3 years ago.
Social networking is great, but there is something fundamentally wrong with the way social networking is implemented today in most popular services. I'll put it in this example: Imagine that there is no SMTP, and consequently, it is globally assumed and accepted that you can only send email to addresses on the same domain. The result would be the emergence of a single email service, let's call it emailbook.com, which we all have to subscribe to, if we really want to communicate with the world.
This is what's happening with social networking today. You HAVE to use the same service your friends/colleagues are using to talk to them.
I would like to be able to put up my own social site, invite my friends who trust me, share amongst us, but still be able to share with the world at large.
What are the chances of this scenario happening in the future? What does it take?

There sure is, and not just one! The future you wanted is now here.
By the time of the question, back in the end of 2010, OStatus had already existed for half a year, and the year before that there was OpenMicroBlogging (OMB), and at about the same time as OMB, the XMPP XEP 0277.
Since then several other protocols have popped up, such as diaspora* just half a year later, and later some smaller players like Friendica's DFRN and HubZilla's Zot.
OStatus never left draft status, but the big buzz[0] these days is about ActivityPub, which is a W3C recommendation since January 2018 and came out of the Social WG mentioned by #keithjgrant in his answer. There is a multitude of implementations[1], finding their niches with different use cases like microblogging, blogging, link sharing, picture sharing, video sharing and audio sharing.
There is also the collection of blog-oriented protocols described on https://indieweb.org/.
[0] pun intended
[1] Diaspora and GNU Social, although shown at fediverse.party, do not implement ActivityPub. The other applications shown do. There are several other applications not shown there, such as FunkWhale, Plume, WriteFreely, Prismo ... There is no terse and complete overview of all of them, but several are listed at https://switching.social/ and https://wedistribute.org/ publishes news and interviews related to all of them.

There are a few. One Social Web uses XMPP which is open and decentralized like SMTP.
Check it out.
http://onesocialweb.org/

I absolutely agree. The good news is, yes, things are happening. Even better, they are happening in the W3C, which means open standards.
The W3C now has a Social Web working group. They are actively working on a handful of standards. The biggest of these seems to be the Social Web Protocol.
Today, they also posted the W3C Recommended spec for Webmention, which is sort of an improved version of the old pingbacks that used to be used on blogs, this time built on HTTP. It allows a post to notify another page on the web when it references it. There are already a number of libraries and services that implement this today.
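Webmention as described in that answer is a small protocol: the sender discovers the target page's endpoint and POSTs `source` and `target`; the receiver must then fetch the source itself and confirm it really links to the target, otherwise anyone could forge mentions. The following is an added example written for this page, not code from the W3C spec or any library it mentions; it works on HTML passed in as strings so it runs offline, and the page URLs, link header and documents are constructed.

```python
"""Webmention endpoint discovery (sender side) and mention verification
(receiver side). Added example; sample URLs and documents are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlencode, urlsplit


class _LinkScanner(HTMLParser):
    """Collects every href and the first href that carries rel="webmention"."""

    def __init__(self):
        super().__init__()
        self.endpoint = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href = a.get("href")
        if href is None:
            return
        self.hrefs.append(href)
        rels = (a.get("rel") or "").split()
        if tag in ("link", "a") and "webmention" in rels and self.endpoint is None:
            self.endpoint = href


def discover_endpoint(page_url, html_text, link_header=None):
    """Absolute Webmention endpoint of a page, or None.

    An HTTP Link header with rel="webmention" takes precedence over <link>/<a>
    elements in the body; relative endpoints are resolved against page_url.
    (Splitting the header on ',' is fine here; it breaks on URLs containing commas.)
    """
    if link_header:
        for part in link_header.split(","):
            pieces = [p.strip() for p in part.split(";")]
            target = pieces[0]
            if not (target.startswith("<") and target.endswith(">")):
                continue
            for param in pieces[1:]:
                key, _, val = param.partition("=")
                if key.strip().lower() == "rel" and "webmention" in val.strip().strip('"').split():
                    return urljoin(page_url, target[1:-1])
    scanner = _LinkScanner()
    scanner.feed(html_text)
    return urljoin(page_url, scanner.endpoint) if scanner.endpoint else None


def build_notification(source, target):
    """Form body a sender POSTs (application/x-www-form-urlencoded)."""
    return urlencode({"source": source, "target": target})


def validate_request(source, target):
    """Receiver sanity checks before fetching anything: http(s) only, distinct URLs.
    A real receiver also checks that target is one of its own URLs."""
    for url in (source, target):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return False
    return source != target


def verify_mention(source_url, source_html, target_url):
    """Receiver side: the fetched source document must actually link to target.
    The POST alone is never trusted; this is what stops forged mentions."""
    scanner = _LinkScanner()
    scanner.feed(source_html)
    return any(urljoin(source_url, h) == target_url for h in scanner.hrefs)


# Constructed sample documents (not real pages).
SAMPLE_TARGET_HTML = (
    '<html><head><link rel="webmention" href="/webmention"></head>'
    "<body><p>Target post</p></body></html>"
)
SAMPLE_SOURCE_HTML = (
    '<html><body><p>Replying to <a href="https://target.example/post/1">this</a>.'
    "</p></body></html>"
)
```

A sender would call `discover_endpoint` on the fetched target page and POST `build_notification(...)` to the result; a receiver would run `validate_request`, fetch the source URL itself, and accept the mention only if `verify_mention` returns true.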

I think you should take a look at http://code.google.com/apis/opensocial/. It is a spec developed by google and other social networking players. It supports interoperability and much more.
OpenSocial is currently being developed by a broad set of members of the web community. The ultimate goal is for any social website to be able to implement the API and host 3rd party social applications. There are many websites that support OpenSocial, including hi5, LinkedIn, MySpace, Netlog, Ning, orkut, and Yahoo!

Related

Is there any open source alternative to talky.io? [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 1 year ago.
Is there any open source alternative to talky.io, where the client code and all server-side code are available?
I just double checked and it seems the priologic team are keeping tawk.com code behind a paywall, just like talky.io.
In the webRTC ecosystem, vendors either focus on
an application, and the backend is hidden (think Skype, or bistri, even though bistri pivoted to propose an API as well),
a PaaS, and then both the server code is hidden and you won't have an application, at best a demo, because they do not focus on any vertical and do not implement business logic (think AWS in general, or tokbox, temasys for webRTC), or
propose consulting/app development and will provide a complete application, most often open source, but keeping some key components (priologic: mobile SDK + app, &yet: app, algoworks, ...) behind a paywall. They usually team up with a PaaS and/or hardware vendor to provide a more complete/scalable solution to their clients (priologic/oracle, ...).
It is very unlikely, and I don't know of any, that a vendor would provide a full solution as open source. It is still too complicated to have a non-commercial entity provide one. The ones which do provide a full solution do so for a limited scope.
In any case, an application is always focused on a use case. Even though the underlying infrastructure might be the same, and the BE/client API might be the same, an app for a contact center, an app for social dating, and an app for conferencing will be quite different because they implement quite different business logic and address quite different markets. It is reasonable NOT to expect a full stack, but to have only the topmost layer left to implement.
I put a list of vendors and products there, but it's a little bit raw. So here is a recipe to build a free/open-source solution, and then where to look to upgrade:
mandatory: open source signaling server (easyrtc, signalmaster, peerjs-server, rtc.io, ...)
mandatory: BE API (easyrtc, simplertc, peerjs, rtc.io respectively)
optional but highly recommended: add the free TURN server (RFC 5766), or the most advanced version "coTurn". Some of the open source servers and libraries provide examples or how-tos on supporting this TURN server yourself.
optional: a client API that brings you closer to your use case,
optional: a free plugin to support IE and Safari (temasys free plugin),
optional: a media server if you need to host many-to-many calls or conferences (MCU or SFU) (licode, meetecho's janus, medooze, kurento, jitsi's videobridge)
optional: a SIP gateway to connect to VoIP and/or phone by extension (PSTN).
and ... that's about as far as you can go with open source / free libs today. You might hit a scalability problem quite fast depending on your traction.
A next step would be to get hosted servers, but it's not free anymore.
Separate servers:
ICE/TURN/STUN: See xirsys/twilio for hosted solution,
Media server: see dialogic, radisys for hardware and medooze, Jitsi, acano, pexip, openclove for software/hosted solutions,
Full Paas including all of the above:
tokbox (beware of streamed minutes billing if you have large conferences, has recording and some features temasys does not have yet)
temasys
some of the media server vendors also market themselves as PaaS. I have not tested, so I can't comment or recommend.
If you want to connect to SIP/phone, you will need different vendors, as neither temasys nor tokbox provide interoperability today.
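The recipe above recommends running your own TURN server (coTurn). One practical point it leaves open is how clients get TURN credentials without a long-lived username/password being baked into the web app, where anyone can read it and relay traffic through your server. coTurn supports time-limited credentials (`use-auth-secret` with `static-auth-secret` in turnserver.conf): the username is `<expiry unix time>:<user id>` and the password is the base64 HMAC-SHA1 of that username under a secret known only to your application server and the TURN server. The following is an added example written for this page, not code from coTurn or any vendor named above; the secret, user id and hostname are constructed.

```python
"""Time-limited TURN credentials in the style of coTurn's REST API
(use-auth-secret / static-auth-secret). Added example; values are constructed."""
import base64
import hashlib
import hmac
import time


def make_turn_credential(secret, user_id, ttl_seconds=600, now=None):
    """Return (username, password) that the TURN server will accept until expiry.
    Generated on the application server, never in the browser."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl_seconds}:{user_id}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret, username, password, now=None):
    """What the TURN server does: reject expired usernames, recompute the MAC
    and compare in constant time."""
    now = int(time.time()) if now is None else int(now)
    expiry, sep, _user = username.partition(":")
    if not sep or not expiry.isdigit() or int(expiry) <= now:
        return False
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, password)


def ice_servers_config(turn_host, secret, user_id, ttl_seconds=600, now=None):
    """Dict shaped like the RTCPeerConnection({iceServers: [...]}) argument,
    to be returned to the client over an authenticated API call."""
    username, password = make_turn_credential(secret, user_id, ttl_seconds, now)
    return {
        "iceServers": [
            {
                "urls": [f"turn:{turn_host}:3478?transport=udp", f"turns:{turn_host}:5349"],
                "username": username,
                "credential": password,
            }
        ]
    }


if __name__ == "__main__":
    # Constructed secret and user; in production the secret matches static-auth-secret.
    print(ice_servers_config("turn.example.invalid", "constructed-secret", "alice"))
```

Because the credential carries its own expiry and the secret never leaves the server, a credential scraped from a page or a log is useless after `ttl_seconds`, and rotating the secret invalidates everything at once.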
You could have a look at jitsi https://jitsi.org/, which is an open source solution for private communication and also serves as a video conference tool for the browser.
You could try Subrosa (Latin for "under the rose"). According to https://subrosa.io/source: "The Subrosa client and server are both open source and licensed under GPLv3."
Would be better if the server component was GNU AGPL 3.0, to make sure anyone running a server makes their code changes available for re-use, but at least both ends are free code.

How does Yodlee work? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
From what I understand, you have to enter in all of your usernames and passwords into Mint, so I assume they are actually logging into your bank account and scraping the resulting screen to put this data into a form that Mint and others use.
How do they actually simulate the keypresses and mouse clicks? I assume banks don't like it when they do this - how do their scrapers avoid detection?
I'm pretty sure they don't simulate clicks, etc. In the end, any data that ends up on a user's page is transmitted in a response to a request. If you can figure out how to construct a valid request and then how to parse the response, you'll have the data you want.
As far as I could gather after using Yodlee for quite a while, they deal with sites in two major ways: the sites they have official agreements to work with and the sites they don't have official agreements with. For the first category of sites they, most often, have agreed upon APIs for getting the data. For the sites in the second category they reverse-engineer layer 7 communication protocols and data structures (a.k.a. screen/html scraping).
The way I understand it, Yodlee uses the OFX specification to access banks' financial information.
http://www.ofx.net/
For the banks that don't implement OFX, they use custom screen scrapers, which must constantly be updated when banks change the information that's displayed on their site.
I don't know Yodlee so I simply assume it's like "sofortüberweisung.de" where you give a 3rd party your bank login data (and depending on what you do even a valid TAN) and thus trust them not to abuse it and additionally break your bank's security regulations ("NEVER GIVE OUT YOUR PIN/TAN").
They most likely simulate what a browser would do. As web-based banking interfaces are usually just HTML/JavaScript everyone can look at the client-side code and do whatever it does with a custom program. Since those actions are not done in a malicious way, actions which require e.g. a TAN or a CAPTCHA to be solved can be simply forwarded to the legit user who will then enter the necessary TAN or solve the CAPTCHA.
Needless to say, it is really bad to use services like that. While they most likely won't do anything bad you cannot know it for sure. And your bank is damn right if they don't refund you anything if you ever get scammed by such a service.
Another solution which would be perfectly safe (as long as you are not concerned about a 3rd party knowing about your financial status etc.) would be the Yodlee company making contracts with major banks allowing them to access your data after you've authorized it in some way (you can already do that on pages like Twitter - I'd never do that for banking though, but technically it wouldn't be hard to realize something like that). That would be clean and secure as it would not involve "screen-scraping" or customers entering their banking login data anywhere but on their bank's website. But I believe no bank does something like that and in my opinion that's good as there are way too many people out there who are far too trusting and we all know how much information they give out on Facebook & Co. Now imagine a facebook<->bank integration... M.Zuck.'s wet dreams which hopefully never become true... And even if it's not Facebook.. There'll always be companies who want people's personal data and enough people giving it out; especially if it's easy and looks secure ("I have to confirm it on MY BANK's page, so it MUST be safe - it's supported by MY BANK").

How come open source applications that are targeted at enterprises, don't have these security features? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
It would seem to me that many large enterprises already have robust directory services such as Active Directory and it would be silly to constantly duplicate users in an application-specific store.
Even if you require duplicating the user store, you can provide a mechanism to authenticate against Active Directory. Alternatively, you could support a standards-based SSO mechanism that leverages SAML.
Support for the XACML protocol. Duplicating information on roles and entitlements is equally insidious.
Support for the SPML protocol. Many enterprises leverage identity management toolkits and would at least like out-of-the-box integration in terms of centralized management and provisioning.
So, why aren't open source projects considering this type of functionality as a default to getting on the radar within an enterprise context?
Lots of reasons, but one of the biggest is that there's less convergence on what the right or best methods really are than you seem to believe.
Active Directory, for example, is kind of notorious for presenting implementation difficulties to non-Microsoft developers.
There are probably a half dozen competing single-sign-on "standards".
It's very difficult to reconcile different roles/privileges models -- hell, Sun has trouble reconciling the models of Solaris Trusted Extensions with the Java model.
Solving those problems isn't a lot of "fun" and so FOSS developers are attracted to other issues.
I think that Charlie nailed it:
solving security problems is hard and generally not a whole lot of fun
OSS developers tend to be all about enjoying what they are working on. I work on a number of "enterprise class" efforts as part of my professional life and I will agree that they are not a whole lot of fun. However, this is one of my never-ending griefs with OSS components... we have trouble using them in our solutions because they do not meet our customers' needs.
I think that the general reasons are:
universities tend to ignore this aspect of "enterprise development"
too many standards to choose from
no clear market leader
the different security providers are difficult to configure and test
the entire application security paradigm requires a lot of expertise before you can even start trying to integrate
Personally, I blame the first one. Most engineers do not even consider how an application can be used in a larger context. They are interested in solving the problem at hand and not at all interested in providing a usable solution. Most FOSS solutions are very much an interesting solution to an interesting problem. A corporate entity normally comes along and provides the commercial packaging that makes the FOSS solution actually usable in a real environment. Of course, this packaging comes with a price tag attached.
Open ID is a start towards providing an "authentication" solution. (To the best of my knowledge, it has no "provisioning" mechanism, though. You have to trust the external authority to identify an account, then add your site's / app's version of that account using your own devices)
If anybody knows of some kind of open "authorization" solution to centralize the management of roles, that would be interesting as well. That sounds like the sort of thing you would do in-house, though, with roles that have a defined meaning in your organization. I'm sure IBM or Oracle would be happy to take a big chunk of change and make something for you, though :-)
You may not want to have your Active Directory / LDAP contain the roles of all your users for all your applications. If you have a lot of movement in your structure, you may have a lot of daily modifications going on.
Also, the information in the user store may be quite specific, and may not have its place in a global repository.
Lastly, the notion of role can be quite variable. We have three applications that possess the notion of "manager", each one having a slightly different definition of what a manager is and who he/she is managing.
regards,
Guillaume

Is there a good service for checking website/server vulnerability [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 1 year ago.
I have been asked to provide information on available techniques for assessing our current, and any future, websites for security problems. The request is in the form of:
Do you know of any good free one that examines for security holes?
I think our data security is probably worth a small amount of upfront spend so any non-free methods would be appreciated too.
Our systems are a mish mash of mySQL, Oracle, SQLServer, PHP, ASP.NET etc etc systems though I guess that that does not matter too much. All the systems are secured in as much as they are patched and the firewalls are set sensibly so outside people cannot get directly to the database boxes etc.
It is XSS and similar attacks that we wish to prevent.
What do YOU use to give you confidence in your systems? ');DROP TABLE answer;
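The string at the end of the question is the classic SQL injection probe, and the question names XSS as the other concern. Before buying a scanner it is worth seeing in code why the two standard mitigations work: the database driver is handed values separately from the SQL text, and anything reflected into HTML is escaped first. The following is an added example written for this page, not code from any product named in the answers; it uses an in-memory SQLite database with a constructed `answer` table so it runs offline.

```python
"""String-built SQL versus parameterised SQL, and HTML escaping of reflected
output. Added example; the 'answer' table and sample inputs are constructed."""
import html
import sqlite3

PAYLOAD = "');DROP TABLE answer;"   # the string from the end of the question


def fresh_db():
    """In-memory database with a constructed 'answer' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE answer (id INTEGER PRIMARY KEY, body TEXT)")
    conn.commit()
    return conn


def insert_unsafe(conn, body):
    """String concatenation: user input becomes part of the SQL text.
    executescript is used because it runs several ';'-separated statements,
    as many database drivers do by default. Returns True if the whole batch
    ran without error."""
    sql = "INSERT INTO answer (body) VALUES ('" + body + "')"
    try:
        conn.executescript(sql)
        return True
    except sqlite3.Error:
        # The trailing ') left over from the payload is a syntax error, but the
        # INSERT and the DROP TABLE before it have already executed.
        return False


def insert_safe(conn, body):
    """Parameterised query: the value travels separately from the SQL, so the
    payload is stored as a plain string and never parsed as SQL."""
    conn.execute("INSERT INTO answer (body) VALUES (?)", (body,))
    conn.commit()


def table_exists(conn):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='answer'"
    ).fetchone()
    return row is not None


def stored_bodies(conn):
    return [r[0] for r in conn.execute("SELECT body FROM answer ORDER BY id")]


def render_answer(body):
    """Reflected output: escape before interpolating into HTML, so a stored
    <script> element is displayed as text rather than executed."""
    return "<p>" + html.escape(body, quote=True) + "</p>"
```

Run `insert_unsafe` on a fresh database with `PAYLOAD` and the table is gone; run `insert_safe` and the payload is simply a row. `render_answer` is the same idea on the output side: the stored text is data, so it is escaped before it becomes markup.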
owasp would be a good place to start. There's too much to cover to include here.
If the security of your site is worth nothing to your company then that's what you should pay. For my company the security of our data and the brand image has quite a high value.
We pay a whole bunch of money for regular scans, we've trained the developers in basic hacking/security of applications, our code reviews include a security review and now we're looking at AppScan from IBM (which is expensive but in the long run probably cheaper than all the pen' testing we pay for).
You get what you pay for. Making sure you understand the owasp issues would be a good start though.
Personally, I choose not to be confident in the security of our systems. I am convinced there is always something that I am missing and thus I keep looking for it.
What you seem to be looking for is something to make others feel confident (even if that confidence is an illusion). Penetration testing is probably the right choice for that. Depending upon the tool, it shows potential vulnerabilities in a nice report and then you can report how you mitigated them.
We use IBM AppScan and it is a good tool for this. As with any tester of this type you will find yourself following a lot of bad leads. Most of them are not false positives per se, more just things that might be an issue or appear to be, and you will have to investigate and determine if they actually are.
I would not put a lot of faith in this kind of testing. If your app scans clean it really does not mean your app is clean. That does not mean it is worthless, but don't make it out to be more than it is.
The next thing I would look into is static analysis tools in your various languages. A lot of these are free. Hand in hand with that is developer education. That is usually a pretty cheap solution to the issue, just making sure they understand what the risks are.
There is no silver bullet, no simple answer, you need to define security as an EVERYONE problem and make sure it is given both priority and commitment.
Check out dotDefender - they've got versions for IIS/Apache/ISA. I use this app to protect against SQL Injection/XSS/DDOS/probing/encoding attacks. No piece of software will ever be perfect but in my case I run systems with sites being developed in .NET, PHP, and classic ASP with some of our sites being new and others being 5+ years old.
http://www.applicure.com/?page=dotDefender
I do also have a company do penetration testing / social engineering every year or so as well but with dotDefender I'm at least happy that I've got a baseline security blanket to protect my sites.
Of particular interest to me was that their app is fully x64 compatible - necessary since I'm using x64 web servers.

How to collect customer feedback? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 9 years ago.
What's the best way to close the loop and have a desktop app "call home" with customer feedback? Right now our code will login to our SMTP server and send me some email.
The site GetSatisfaction has been an increasingly popular way to get customer feedback.
http://getsatisfaction.com/
GetSatisfaction is a community-based site that builds a community around your application. Users can post questions, comments, and feedback about an application and get answers to their questions either from other members or from members of the development team themselves.
They also have an API so you can incorporate GetSatisfaction into your app, and/or your site.
I've been playing with it for a couple of weeks and it is pretty cool. Kind of like stackoverflow, but for customer feedback.
Feedback from users and programmers simply is one of the most important points of development in my opinion. The whole web2.0 - beta - concept more or less is built around this concept and therefore there should be absolutely no pain involved whatsoever for the user. What does it have to do with your question? I think quite a bit.
If you provide a feedback option, make it visible in your application, but don't annoy the user (like MS sometimes does with their feedback thingy on their website above all elements!!). Place it somewhere directly! visible, but discreet. What about a separate menu entry? Some leftover space in the statusbar? Put it there so it is accessible all the time. Why? People really liking your product or who are REALLY annoyed about something will probably find your feedback option in any case, but you will miss the small things. Imagine a user unsure about the value of his input "should I really write him?". This one will probably not make the effort of searching, and in the end these small things make a really outstanding product, don't they?
OK, the user found your feedback form, but how should it look and what's next? Keep it simple and don't ask him dozens of questions and provoke him with check- and radioboxes. Give him two input fields, one for a title and one for a long description. Not more and not less. Maybe a small text shortly giving him some info on what might be useful (OS, program version etc., maybe his email), but leave all this up to him.
How to get the message to you and how to show the user that his input counts? In most cases this is simple. Like levand suggested, use http and post the comment on a private area on your site and provide a link to his input. After revisiting his input, make it public and accessible for all (if possible). There he can see your response and that you really care etc.. Why not use the mail approach? What about a firewall preventing him from accessing your site?
Due to spam, in quite some modern routers these ports are by default closed and you certainly will not get any response from workers in bigger companies, however port 80 or 443 is often open... (maybe you should check if the current browser has a proxy installed and use this one..). Although I haven't used GetSatisfaction yet, I somewhat disagree with Nick Hadded, because you don't want third parties to have access to possibly private and confidential data. Additionally you want "one face to the customer" and don't want to open up your customer base to someone else. There is SOO much more to tell, but I don't want to get banned for tattling .. haha! THX for caring about the user! :)
You might be interested in UseResponse, open-source (yet not free) hosted customer feedback / idea gathering solution that will be released in December, 2001.
It should run on the majority of PHP hosting environments (including shared ones) and according to its authors it has absorbed only the best features of its competitors (mentioned in other answers) while it will have little-to-no flaws of these.
You could also have the application send a POST http request directly to a URL on your server.
What we are forgetting here, my friend, is whether having a mere form on your website is enough to convince the users how much effort a company puts in to act on that precious feedback.
A user's note to a company is a true image of the product or service that they offer. In Web 2.0 culture, people feel proud of being part of the continuous development strategy always preached by almost all companies nowadays.
A community engagement platform is the need of the hour & an entry point on your website that gains enough traction from visitors to start talking about what they feel will leave no stone unturned in getting that precious feedback. That's where products like GetSatisfaction, UserRules or Zendesk come in.
A company's active community that involves unimagined ideas, unresolved issues and of course testimonials conveys the better development strategy of the product or service they offer.
Personally, I would also POST the information. However, I would send it to a PHP script that would then insert it into a mySQL database. This way, your data can be pre-sorted and pre-categorized for analysis later. It also gives you the potential to track multiple entries by single users.
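Two of the answers above suggest having the application POST directly to a URL on your server and inserting the result into a database. What neither spells out is what the receiving end should check: the app is now exposing an endpoint that anyone on the internet can hit, so it needs a size limit, a shape for the payload, and a parameterised insert. The following is an added example written for this page, not code from either answer; it assumes a WSGI host (gunicorn, uwsgi or the stdlib wsgiref server) with TLS in front of it, and the field limits and the shared token are constructed.

```python
"""Feedback 'call home' receiver: the desktop app POSTs a small JSON body to
a URL on your own server, which validates it and stores it in SQLite.
Added example; limits, field names and the token are constructed."""
import hmac
import io
import json
import sqlite3

MAX_BODY = 16 * 1024                     # feedback text, not file uploads
LIMITS = {"title": 200, "description": 8000, "app_version": 40, "os": 80}
REQUIRED = ("title", "description")
SHARED_TOKEN = b"constructed-app-token"  # shipped with the client; rotate per release


def open_store(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS feedback (id INTEGER PRIMARY KEY,"
                 " title TEXT NOT NULL, description TEXT NOT NULL,"
                 " app_version TEXT, os TEXT, client_id TEXT)")
    return conn


def validate(payload):
    """Return (clean, error): unknown keys dropped, types and lengths enforced."""
    if not isinstance(payload, dict):
        return None, "body must be a JSON object"
    clean = {}
    for key, limit in LIMITS.items():
        value = payload.get(key)
        if value is None:
            if key in REQUIRED:
                return None, f"missing field: {key}"
            continue
        if not isinstance(value, str) or not value.strip():
            return None, f"field must be a non-empty string: {key}"
        if len(value) > limit:
            return None, f"field too long: {key}"
        clean[key] = value.strip()
    cid = payload.get("client_id")
    clean["client_id"] = cid if isinstance(cid, str) and len(cid) <= 64 else None
    return clean, None


def store_feedback(conn, clean):
    """Parameterised insert: the values never become part of the SQL text."""
    cur = conn.execute(
        "INSERT INTO feedback (title, description, app_version, os, client_id)"
        " VALUES (?, ?, ?, ?, ?)",
        (clean["title"], clean["description"], clean.get("app_version"),
         clean.get("os"), clean["client_id"]))
    conn.commit()
    return cur.lastrowid


def make_app(conn):
    """WSGI app serving POST /feedback with a JSON body."""
    def app(environ, start_response):
        def reply(status, obj):
            body = json.dumps(obj).encode()
            start_response(status, [("Content-Type", "application/json"),
                                    ("Content-Length", str(len(body)))])
            return [body]
        if environ.get("REQUEST_METHOD") != "POST" or environ.get("PATH_INFO") != "/feedback":
            return reply("404 Not Found", {"error": "not found"})
        token = environ.get("HTTP_X_APP_TOKEN", "").encode()
        if not hmac.compare_digest(token, SHARED_TOKEN):  # keeps drive-by spam out
            return reply("401 Unauthorized", {"error": "bad token"})
        try:
            length = int(environ.get("CONTENT_LENGTH") or 0)
        except ValueError:
            length = -1
        if length <= 0:
            return reply("400 Bad Request", {"error": "missing body"})
        if length > MAX_BODY:                               # checked before reading
            return reply("413 Payload Too Large", {"error": "body too large"})
        try:
            payload = json.loads(environ["wsgi.input"].read(length).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            return reply("400 Bad Request", {"error": "invalid JSON"})
        clean, err = validate(payload)
        if err:
            return reply("400 Bad Request", {"error": err})
        return reply("201 Created", {"id": store_feedback(conn, clean)})
    return app


def call(app, method, path, body=b"", headers=None):
    """Drive the app in-process without a socket; returns (status, parsed body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body)}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    seen = {}

    def start_response(status, _headers):
        seen["status"] = status
    raw = b"".join(app(environ, start_response))
    return seen["status"], json.loads(raw)
```

The shared token is not authentication of a user, only a low bar against random scanners; treat the stored text as untrusted when you later display it in an admin page (escape it), and rotate the token with each client release since it ships inside the binary.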
There's quite a few options. This site makes the following suggestions
http://www.suggestionbox.com/
http://www.kampyle.com/
http://getsatisfaction.com/
http://www.feedbackify.com/
http://uservoice.com/
http://userecho.com/
http://www.opinionlab.com/content/
http://ideascale.com/
http://sparkbin.net/
http://www.gri.pe/
http://www.dialogcentral.com/
http://websitechat.net/en/
http://www.anymeeting.com/
http://www.facebook.com/
I would recommend just using pre built systems. Saves you the hassle.
Get an Insight is good: http://getaninsight.com/
