Yesterday I attended the online community session of Web2Open, a barcamp-like meeting going on within Tim O'Reilly's Web 2.0 Expo. (The Expo has a huge number of attendees, it's doing very well.)

I put forward a number of questions I've been considering for later posts, but one I want to make here is this: Where has the innovation been in online discussion software? Why are most message boards and blog comment systems so hard to use?

I know this is true because huge numbers of people are still using USENET, and not just for downloading binaries. USENET hasn't seen much technical innovation since the 80s. As such, it's aging, but it shouldn't be simply aging, it should have been superseded long ago. We've gone through a period of tremendous online innovation in the last few decades, unlike any in history. Other old systems, like the Well, continue to exist and even keep paying customers in spite of minimal innovation. This is like gopher beating Firefox, or a CD Walkman being superior in some ways to an iPod. It's crazy. (The users aren't crazy, it's the fact that their choice is right that's crazy.)

In many cities, the transit systems have GPS data on the vehicles to allow exact prediction of when trains and buses will arrive at stops. This is quite handy if you live near a transit line, and people are working on better mobile interfaces for them, but it's still a lot harder to use them at a remote location.

A friend (Larry P.) once suggested to me that he thought you could build a rural mobile phone much cheaper than Iridium network by putting nodes in all the airliners flying over the country. The airliners have power, and have line of sight to ground stations, and to a circle of about 200 miles radius around them. That's pretty big (125,000 square miles) and in fact most locations will be within sight of an airliner most of the time.

I've been seeing a lot of press lately worrying that the internet won't be able to handle the coming video revolution, that as more and more people try to get their TV via the internet, it will soon reach a traffic volume we don't have capacity to handle. (Some of this came from a Google TV exec's European talk, though Google has backtracked a bit on that.)

If you're like me, you select special unique passwords for the sites that count, such as banks, and you use a fairly simple password for things like accounts on blogs and message boards where you're not particularly scared if somebody learns the password. (You had better not be scared, since most of these sites store your password in the clear so they can mail it to you, which means they learn your standard account/password and could pretend to be you on all the sites you duplicate the password on.) There are tools that will generate a different password for every site you visit, and of course most browsers will remember a complete suite of passwords for you, but neither of these work well when roaming to an internet cafe or friend's house.

However, every so often you'll get a site that demands you use a "strong" password, requiring it to be a certain length, to have digits or punctuation, spaces and mixed case, or subsets of rules like these. This of course screws you up if the site is an unimportant site and you want to use your easy to remember password, you must generate a variant of it that meets their rules and remember it. These are usually sites where you can't imagine why you want to create an account in the first place, such as stores you will shop at once, or blogs you will comment on once and so on.

Strong passwords make a lot of sense in certain situations, but it seems some people don't understand why. You need a strong password in case it is possible or desireable for an attacker to do a "dictionary" attack on your account. This means they have to try thousands, or even millions of passwords until they hit the one that works. If you use a dictionary word, they can try the most common words in the dictionary and learn your password.

So many social networking sites (LinkedIn, Orkut, Friendster, Tribe, Myspace etc.) seem bent on being islands. But there can't be just one player in this space, not even one player in each niche. But when you join a new one it's like starting all over again. I routinely get invitations to join new social applications, and I just ignore them. It's not worth the effort.

It's more and more common today to see software that is capable of easily or automatically updating itself to a new version. Sometimes the user must confirm the update, in some cases it is fully automatic or manual but non-optional (ie. the old version won't work any more.) This seems like a valuable feature for fixing security problems as well as bugs.

But rarely do we talk about what a giant hole this is in general computer security. On most computers, programs you run have access to a great deal of the machine, and in the case of Windows, often all of it. Many of these applications are used by millions and in some cases even hundreds of millions of users.

When you install software on almost any machine, you're trusting the software and the company that made it, and the channel by which you got it -- at the time you install. When you have auto-updating software, you're trusting them on an ongoing basis. It's really like you're leaving a copy of the keys to your office at the software vendor, and hoping they won't do anything bad with them, and hoping that nobody untrusted will get at those keys and so something bad with them.

I was seduced by Google's bribe of $20 per $50 or greater order to try their new Checkout service, and did some Christmas shopping on buy.com. Normally buy.com, being based in Southern California, takes only 1 or 2 days by UPS ground to get things to me. So ordering last weekend should have been low risk for items that are "in stock and ship in 1-2 days." Yes, they cover their asses by putting a longer upper bound on the shipping time, but generally that's the ship time for people on the other coast.

I've spoken before about ZUI (Zero User Interface) and how often it's the right interface.

One important system that often has too complex a UI is backup. Because of that, backups often don't get done. In particular offsite backups, which are the only way to deal with fire and similar catastrophe.

Here's a rough design for a ZUI offsite backup. The only UI at a basic level is just installing and enabling it -- and choosing a good password (that's not quite zero UI but it's pretty limited.)

Normally I'm a general-purpose computing guy. I like that the computer that runs my TV with MythTV is a general purpose computer that does far more than a Tivo ever would. My main computer is normally on and ready for me to do a thousand things.

But there is value in specialty internet appliances, especially ones that can be very low power and small. But it doesn't make sense to have a ton of those either.

I'm in Edmonton. Turns out to be the farthest north I've been on land (53 degrees 37 minutes at the peak) after another turn through the Icefields Parkway, surely one of the most scenic drives on the planet. My 4th time along it, though this time it was a whiteout. Speaking tomorrow at the CIPS ICE conference on privacy, nanotechnology and the future at 10:15.

In thinking about how to reduce the cost of bringing fiber to everybody (particulaly for block-area-networks built by neighbours) I have started wondering if we could build a robot that is able to traverse utility poles by crawling along wires -- either power, phone or cable-TV wires. The robot would unspool fiber optic cable behind it and deploy wire-ties to keep it attached. Human beings would still have to eventually climb the poles and install taps or junctions and secure these items, but their job would be much easier.

Over 15 years ago I proposed that USENET support the concept of "replacing" an article (which would mean updating it in place, so people who had already read it would not see it again) in addition to superseding an article, which presented the article as new to those who read it before, but not in both versions to those who hadn't. Never did get that into the standard, but now it's time to beg for it in USENET's successor, RSS and cousins.

It's common in the blogosphere for bloggers to comment on the posts of other bloggers. Sometimes blogs show trackbacks to let you see those comments with a posting. (I turned this off due to trackback spam.) In some cases we effectively get a thread, as might appear in a message board/email/USENET, but the individual components of the thread are all on the individual blogs.

I'm back fron Burning Man (and Worldcon), and though we had a decently successful internet connection there this time, you don't want to spend time at Burning Man reading the web. This presents an instance of one of the oldest problems in the "serial" part of the online world, how do you deal with the huge backup of stuff to read from tools that expect you to read regularly.

There are many proposals out there for tools to stop Phishing. Web sites that display a custom photo you provide. "Pet names" given to web sites so you can confirm you're where you were before.

I think we have a good chunk of one anti-phishing technique already in place with the browser password vaults. Now I don't store my most important passwords (bank, etc.) in my password vault, but I do store most medium importance ones there (accounts at various billing entities etc.) I just use a simple common password for web boards, blogs and other places where the damage from compromise is nil to minimal.

So when I go to such a site, I expect the password vault to fill in the password. If it doesn't, that's a big warning flag for me. And so I can't easily be phished for those sites. Even skilled people can be fooled by clever phishes. For example, a test phish to bankofthevvest.com (Two "v"s intead of a w, looks identical in many fonts) fooled even skilled users who check the SSL lock icon, etc.

The browser should store passwords in the vault, and even the "don't store this" passwords should have a hash stored in the vault unless I really want to turn that off. Then, the browser should detect if I ever type a string into any box which matches the hash of one of my passwords. If my password for bankofthewest is "secretword" and I use it on bankofthewest.com, no problem. "secretword" isn't stored in my password vault, but the hash of it is. If I ever type in "secretword" to any other site at all, I should get an alert. If it really is another site of the bank, I will examine that and confirm to send the password. Hopefully I'll do a good job of examining -- it's still possible I'll be fooled by bankofthevvest.com, but other tricks won't fool me.

The key needs in any system like this is it warns you of a phish, and it rarely gives you a false warning. The latter is hard to do, but this comes decently close. However, since I suspect most people are like me and have a common password we use again and again at "who-cares" sites, we don't want to be warned all the time. The second time we use that password, we'll get a warning, and we need a box to say, "Don't warn me about re-use of this password."

Read on for subtleties...

Everybody in the blogosphere has heard something about Alaska's Ted Stevens calling the internet a series of tubes.

They just heard him wrong. His porn filters got turned off and he discovered the internet was a series of pubes.

(And, BTW, I think we've been unfair to Stevens. While it wasn't high traffic that delayed his E-mail -- "an internet" -- a few days, his description wasn't really that bad... for a senator.)

Big news today. Judge Walker has denied the motions -- particularly the one by the federal government -- to dismiss our case against AT&T for cooperative with the NSA on warrantless surveillance of phone traffic and records.

The federal government, including the heads of the major spy agencies, had filed a brief demanding the case be dismissed on "state secrets" grounds. This common law doctrine, which is often frighteningly successful, allows cases to be dismissed, even if they are of great merit, if following through would reveal state secrets.

Recently IEEE Spectrum published a paper on a refutation of Metcalfe's law -- an observation (not really a law) by Bob Metcalfe -- that the "value" of a network incrased with the square of the number of people/nodes on it. I was asked to be a referee for this paper, and while they addressed some of my comments, I don't think they addressed the principle one, so I am posting my comments here now.

Bruce Schneier today compliments Google on trying out pay-to-perform ads as a means around click-fraud, but worries that this is risky because you become a partner with the advertiser. If their product doesn't sell, you don't make money.

And that's a reasonable fear for any small site accepting pay-to-perform ads. If the product isn't very good, you aren't going to get a cut of much. Many affiliate programs really perform poorly for the site, though a few rare ones do well.