Wednesday Jan 13, 2010

Faviki: social bookmarking for 2010

faviki logo

Faviki is, simply put, the next-generation social bookmarking service. "A bookmarking service? You must be kidding?!" I can hear you say in worried exasperation. "How can one innovate in that space?" Not only is it possible to innovate here; let me explain why I moved all my bookmarks from delicious over to Faviki.

Like delicious, digg, twitter and others, Faviki uses crowdsourcing to allow one to share interesting web pages one has found, stay up to date on a specific topic of interest, and keep one's bookmarks synchronized across computers. So there is nothing new at that level. If you know del.icio.us, you won't be disoriented.

What is new is that instead of being one crowdsourced application, it is in fact two. It builds on wikipedia to help you tag your content intelligently, with concepts taken from dbpedia. Instead of tagging with strings whose meaning only you understand, and only at that time, you can have tags that make sense, backed by a real, evolving encyclopedia. Sounds simple? Don't be deceived: there is huge potential in this.

Let us start with the basics: what is tagging for? It is there to help us find information again, to categorize our resources into groups so that we can find them in a rapidly growing information space. I now have close to ten years of bookmarks saved away. As a result I can no longer remember what strings I used previously to tag certain categories of resources. Was it "hadopi", "paranoia", "social web", "socialweb", "web", "security", "politics", "zensursula", "bigbrother", "1984", ...? If I tag a document about a city, should I tag it "Munich", "München", "capital", "Bavaria", "Germany", "town", "agglomeration", "urbanism", "living", ...? As time passed I found it necessary to add more and more tags to my bookmarks, hoping that I would be able to find a resource again in the future by accidentally choosing one of those tags. But clearly that is not the solution. Any of those tags could furthermore be used very differently by other people on delicious. Crowdsourcing only partially works here, because there is no clear understanding of what is meant by a tag, and there is no space to discuss that. Is "bank" the bank of a river, or the bank you put money in? Wikipedia has a disambiguation page for this, which took some time to put together. No such mechanism exists on delicious.

Faviki neatly solves this problem by using the work done by another crowdsourced application, and allowing you to tag your entries with concepts taken from there. Before you tag a page, Faviki suggests some dbpedia concepts that could fit the content of the page. When you then choose the tags, the definition from wikipedia is made visible, so that you can choose which meaning of the tag you want to use. Finally, when you tag, you don't tag with a string but with a URI: the dbpedia URI for that concept. Now you can always go back and check the detailed meaning of your tags.
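To make the difference concrete, here is a minimal sketch in Python of what a bookmark record tagged this way might look like. The record layout and the page URL are my invention, not Faviki's internals; only the dbpedia URIs are real identifiers:

    # Hypothetical bookmark record: tags are dbpedia URIs, not bare strings.
    bookmark = {
        "page": "http://example.org/articles/on-riverside-walks",  # made-up page
        "tags": [
            "http://dbpedia.org/resource/Munich",            # the Bavarian city, not the string "Munich"
            "http://dbpedia.org/resource/Bank_(geography)",  # the bank of a river, not the money kind
        ],
    }

Each tag can be dereferenced at any time to recover its exact meaning, which is what makes such bookmarks durable.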

But that is just the beginning of the neatness of this system. Imagine you tag a page with http://dbpedia.org/resource/Munich (the user does not see this URL, of course!). Then, by using the growing linked data cloud, Faviki or other services will be able to start doing some very interesting inferencing on this data. Since the above resource is known to be a town, a capital, to be in Germany which is in Europe, to have more than half a million inhabitants, to lie along a certain river, to contain certain museums, to have different names in a number of other languages, to be related in certain ways to certain famous people (such as the current Pope)... it will be possible to improve the service to allow you to search for things in a much more generic way: you could ask Faviki for resources that were tagged with some European town and the concept Art. If you search for "München", Faviki will be able to enlarge the search to Munich, since both will be known to be tags for the same city...
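Here is a hedged sketch of the kind of query such a service could run, in Python with the SPARQLWrapper library (my choice of tool; nothing here is Faviki's actual code) against the public dbpedia SPARQL endpoint. It lists the multilingual labels of the Munich concept, which is exactly what would let a search for "München" match bookmarks tagged with Munich:

    # Sketch: ask dbpedia for all the labels of the Munich concept.
    from SPARQLWrapper import SPARQLWrapper, JSON

    sparql = SPARQLWrapper("http://dbpedia.org/sparql")
    sparql.setQuery("""
        PREFIX rdfs: <http://www.w3.org/2000/01/rdf-schema#>
        SELECT ?label WHERE {
            <http://dbpedia.org/resource/Munich> rdfs:label ?label .
        }
    """)
    sparql.setReturnFormat(JSON)
    for binding in sparql.query().convert()["results"]["bindings"]:
        print(binding["label"]["value"])   # "Munich", "München", "Monaco di Baviera", ...

The same endpoint can of course answer the richer questions above, such as which tagged concepts are towns located in Europe.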

I will leave it as an exercise to the reader to think about other interesting ways to use this structured information to make finding resources easier. Here is an image of the state of the linked data cloud 6 months ago to stimulate your thinking :-)


But think about it the other way now. Not only are you helping your future self find information bookmarked semantically - let's use the term now - you are also making that information clearly available to wikipedia editors in the future. Consider for example the article "Lateralization of Brain Function" on wikipedia. The Faviki page on that subject is going to be a really interesting place to look to find good articles on the subject appearing on the web. So with Faviki you don't have to work directly on wikipedia to participate. You just need to tag your resources carefully!

Finally, I am particularly pleased by Faviki because it is exactly the service I described on this blog 3 years ago in my post Search, Tagging and Wikis, at the time when the folksonomy meme was in full swing, threatening, according to its fiercest proponents, to put the semantic web enterprise into the dustbin of history.

Try out Faviki, and see for yourself who makes more sense.


Saturday Jan 09, 2010

Mr Security: patrolling public spaces

Mr Security is a brilliant piece of performance art, exploring with seriousness and humor the fast-encroaching surveillance society growing in our midst and in our souls. The product of their work is realistically crafted PDF security marketing material (in German and English), which describes the team's security performances: watching public spaces and documenting the reactions this provokes.

A very telling example is the very short surveillance of the street around the American Embassy in Berlin. After Mister Security takes a few pictures of the street, a few police officers arrive. The dialog is noted as:

POLICE OFFICER 1
Excuse me, please put your camera away. Hello young man, did you hear me?
POLICE OFFICER 2
Hello. Do you have some identification?
MISTER SECURITY
Yes!
PO 1
Why are you taking pictures of us here?
MS
I'm observing
PO 1
Who?
MS
The street.
PO 1
Why?
MS
For Security.
PO 1
Oh!? Where are you from?
MS
Private security service.
PO 1
Where are you from? Your badge doesn’t help us at all. Where are you from?
MS
What do you mean, where am I from?
PO 1
Well, where from? A security service? Who?
MS
Here, Mister Security!
PO 2
Young man, please take your hands out of your pockets! I feel happier that way. What security company do you work for?
MS
Mister Security, private security service!
PO 2
Yes, and your area of operation is the American embassy, or what?
MS
Private security reinforcement.
PO 2
Oh!
PO 1
For what? For who?
MS
For public safety.
PO 2
Who hired you?
MS
The public itself!
PO 1
Oh! Let’s get this straight, it’s not entirely clear what you’re saying here. Let me tell you what I think. I don’t buy this private security service story – look at your shoes. They look like my last pair of work shoes, to be honest. I don’t believe you’d be dressed like that if you were working for the public.
MS
There’s not that much money in the private sector anymore!
PO 1
Well, I’d have thought your employer would provide you with what you need.
MS
I have to see to my clothes myself.
PO 1
No, really, this is not okay!... What’s on your film? What kind of a camera is that?
MS
It’s not switched on. It’s a digital camera, but as you can see, it’s not turned on, look – nothing!
PO 1
Okay! Well I do want to get clearance here. We’ll have to inform the sector. And I’m going to ask you to wait so that we can be sure about your identity. You can stand under the shelter here, that way you’ll stay dry. This’ll take a few minutes.
PO 2
Are you a one-man business?
MS
Well, it’s not that big yet – but I’m trying to grow.
PO 2
How did you get this commission and who gave it to you? What assignment are you working on?
MS
I am not at liberty to say!
PO 2
Oh, you’re not at liberty to say?!
MS
I think it’d be a good thing if there were more surveillance.
PO 2
You do?
MS
You need reinforcements here. It’s not enough that you’re here with just three people on this side.
PO 2
Oh! And where do you see the security problem?
MS
Yes, well you could have twenty well-prepared guys come and run right past you here!
PO 2
Right, and what do you want to do about that, if I may ask? Perhaps we could exchange some ideas?
MS
Yes, that’s exactly the issue. We’re working for several embassies right now. We’re revising the security concept, which we’ll then introduce personally.
PO 2
Right! Great! And the private sector will deal with it then?
MS
Exactly! It’s cheap and effective!

You can read about the continuation of this conversation, and others involving a number of different actors (including anti-fascist demonstrators, for example) in their PDF.

Mr Security presented his work in detail at the 26th Chaos Communication Congress "Here be Dragons" in Berlin on 27 December 2009. There he revealed how the camera's sound had in fact continued to function during the whole conversation. What does not appear in this PDF is his later experience going to the US, where he received a stipend at a New York art institute. When the FBI appeared at the studio he was promptly ejected by his artist colleagues, who clearly lacked the courage (see my recent article on "After Virtue") to support him. Not that surprising perhaps, given the extraordinarily high number of people in US jails, with some 3.2% of adults under correctional supervision at any one time.

Can one still have a democracy in such an atmosphere of fear? If yes, then for how long?

Friday Jan 08, 2010

After Virtue: history, ethics and identity

While walking around Blackwell's bookstore in Oxford I picked up Alasdair MacIntyre's "After Virtue", a book I had been seeing in philosophy sections for over 20 years, ever since it was recommended to me by my undergraduate philosophy discussion partner Mark Pitt.

When I finally started reading it a few weeks later, I could no longer put it down. This is a philosophy book that starts like a novel and reads like a novel, and indeed its main thesis is that our understanding of ethics and life has to be that way, because we have to understand ourselves and our interactions with others as parts of a developing, interlinked, enmeshed narrative.

Virtues are those character traits that are necessary for individuals-in-communities to work together toward a common goal that will enable the good of man, itself understood as an evolving, historical self-understanding. This type of analysis requires teleological thinking - the idea that a person can only be understood by understanding the good of man, the aim of a life being to have a coherent story to tell - which was the basis of the Aristotelian account of society and nature.

Where Aristotle failed was in applying telos to the physical sciences: explanations that stones fall to the ground because they want to be there were put to an end by Newtonian mechanics. With that Newtonian insight, and the massive success of the physical sciences that followed, began a process of questioning the philosophy that Saint Thomas Aquinas had integrated so well into Christian thought, itself underpinned by Jewish historical religion. The philosophers of the Enlightenment attempted one after the other to replace telos and history with some form of rational grounding, where it was thought that reason in some sense gave us access to the divine point of view. But without the understanding of telos, MacIntyre argues, the project was bound to fail. Hume had to resort to intuition to ground a very specific moral outlook; Kant resorted to universalisable rules that would complement the laws of nature and could serve as criteria to evaluate actions viewed ahistorically; and Bentham and the other utilitarians up to this day tried to devise mathematical calculi of happiness, ignoring the problem that happiness cannot be measured.

Historically minded philosophers such as Hegel still held onto a rationalistic conception of the evolution of spirit, one that fatally believed history to be deterministic, since science seemed to be. Since science did not make value judgments, neither did Marx, leading to the creation of some of the worst political systems of the 20th century - and that is no minor feat. Within the western tradition amoral bureaucracies gained ground under the Weberian motto of utility, and slowly all understanding of the basis of right and wrong disappeared, as it did in the 1930s when it was found reasonable in philosophical circles to hold that to say something is good is just to say "I like it, do so too", preparing us for the ravages of consumer culture.

Since the book was first published, the Soviet empire has collapsed, and it may even be that the latest financial crisis is revealing some of the deep flaws in uncritical implementations of capitalism. So the message seems just as relevant now as it did 30 years ago when the book first appeared.

The above review, needless to say, does no justice to the depth of argumentation found in the book. The Internet Encyclopedia of Philosophy has a much more detailed overview of MacIntyre's philosophy, though it does not read nearly as well as "After Virtue" itself.

Thursday Oct 15, 2009

November 2nd: Join the Social Web Camp in Santa Clara

The W3C Social Web Incubator Group is organizing a free Bar Camp in the Santa Clara Sun Campus on November 2nd to foster a wide ranging discussion on the issues required to build the global Social Web.

Imagine a world where everybody could participate easily in a distributed yet secure social web. In such a world every individual would control their own information, and every business could enter into a conversation with customers, researchers, government agencies and partners as easily as they can now start a conversation with someone on Facebook. What is needed to go in the direction of The Internet of Subjects Manifesto? What existing technologies can we build on? What is missing? What could the W3C contribute? What could others do? To participate in the discussion, meet other people with similar interests, and push the conversation further, visit the Santa Clara Social Web Camp wiki and add your name to the list of participants.

If you are looking for a reason to be in the Bay Area that week, then here are some other events you can combine with coming to the Bar Camp:

  • The W3C is meeting in Santa Clara for its Technical Plenary that week.
  • The following day, the Internet Identity Workshop is taking place in Mountain View until the end of the week. Go there to push the discussion further by meeting up with the OpenId, OAuth and Liberty crowd - all technologies that can participate in the development of the Social Web.
  • You may also want to check out ApacheCon which is also taking place that week.

If you can't come to the west coast at all due to budget cuts, then not all is lost. :-) If you are on the East coast, go and participate in the ISWC Building Semantic Web Applications for Government tutorial, and watch the video of The Social Web, the talk I gave at the Free and Open Source Conference this summer. Think: if the government wants to play with social networks, it certainly cannot put all its citizens' information on Facebook.

Monday Aug 24, 2009

FrOSCon: the Free and Open Source Conference in Sankt Augustin, Germany

[froscon logo goes here]

At HAR2009 a couple of people put me in contact with Dries Buytaert, the creator and project lead of Drupal, the famous Open Source content management platform based on PHP. Dries is leading a very interesting effort aimed at integrating the semantic web stack into Drupal. So I was really happy when he responded to the introduction. He suggested we meet at FrOSCon, the Free and Open Source Conference located in Sankt Augustin, near Bonn, Germany. I really wanted to stay a bit longer in Amsterdam, but this was just too important an occasion to miss. So I packed up my bag Friday, and after meeting up with Dan Brickley, the co-author of the foaf ontology who needs no introduction, I caught the last train towards Germany. This turned into a 5 hour trip with 5 changes on slow local trains, as those were the only ones I could bring my bicycle onto without first packing it into a box.

[note: this blog uses html5 video tag to view ogg video files, and is best viewed with Firefox 3.5]

Going to FrOSCon turned out to be a very good idea. First of all I met Dries and introduced him quickly to foaf+ssl. It took less than 15 minutes to explain how it worked, for Dries to get himself a foaf certificate on foaf.me and to try it out. If this were made easy to use on Drupal sites, it would be a great way to get some very creative people to help build some cool apps making the most out of distributed social networks...

On Sunday Dries gave a very good keynote, "The secrets of building and participating in Open Source communities". Building Open Source communities is not easy, he starts off with, yet it is fundamental to any successful project. He then goes on to elaborate on six themes which in his experience allow a community to thrive and grow:

  • Time: it takes time to grow a community. Open source communities are always a bit broken, like the internet: there is always something not functioning, but the whole works very well.
  • Software architecture:
    • make the code modular,
    • centralise the source code, so that people who contribute modules, and others can find the code
  • Ecosystem: allow volunteers and commercial organizations to work together. Each has something to bring to the party. Everybody has to be equal. And don't have roadmaps, as they discourage experimentation and rigidify processes. "Trust, not money is the currency of Open Source"
  • Tools, Community Design patterns:
    • Adoption: easy registration. RSS feeds, documentation
    • Identity: profiles, avatars, buddy lists, contacts
    • Group support: issue queues, trackers, activity streams, reputation
    • Conversations: messaging, comments, forums, blogs, interest groups, planet/aggregator
    • Development: CVS/SVN/git/bzr, issue queues, release management
  • Mission: Have a mission that goes beyond the project. In the case of Drupal it is democratizing online publishing. And the core values are
    • Be open to Change
    • Collaboration
    • 100% transparency
    • Agile
  • Leadership: "leadership is not management". Replace planning with coordination (see Clay Shirky's talk "Institution vs collaboration")
Coming from someone with real experience in a very successful project, these words are very much worth listening to.

Just before the start of Dries' keynote you may have noticed an announcement about a change in the program. The talk on Subversion was canceled due to the inability of the speakers to attend, and it was replaced by a talk on distributed social networks. Yep! During the party the evening before I was told there could be a slot for me to give a talk on foaf+ssl the next day. So on the suggestion of Naxx, an open source grey hat security specialist I had met in Vienna, and whom I was surprised to see here again, I spent the whole evening rewriting my slides for Apple Keynote. Naxx spends 3/4 of the year traveling, giving talks on security, and he had a few hints for me on how to improve my presentation skills. I tried to remember a few of them, and to make sure I did not wave my hands as much as I did at HAR. Here is the result, "The Social Web: How to free yourself of your social networks and create a global community":


(The slides for this talk are available online here)

Please do send me some feedback on how I can improve both my talk and my presentation of it. I may have gone a bit too deeply into technical details, for example, and I should probably have added a section on the business model of distributed social networks. As this was the last talk of the conference there were only 40 or so attendees, but I was really thankful for the last minute opportunity given to me to present on this topic.

Naxx, who helped me work on my presentation skills, gave a very interesting and worrying talk, "Malware for SOHO Routers: The war has begun", where he showed just how easy it is to hack into everyday home routers and turn them into zombie machines ready to launch an attack on the web. I had always thought that financial incentives would lead large telecoms to make sure that such routers were secure. Not at all, it seems. Short term profit motives have led many of them to buy the cheapest machines with the worst possible software (web pages built with shell scripts!) and laughable security. Security may have been in the news every day since September 11, 2001, but clearly much of it was always just a sham. Listen to his talk, and be very worried:

Time either to help out on an open source project for secure routers, or to invest money in a Cisco one!

Finally I do have to say that the prize for the best presentation (that I saw) clearly has to go to Simon Wardley from Canonical, for his funny, entertaining and educational keynote "Cloud Computing". If you have been wondering what this beast is, this will really help:

Well, that's it from FrOSCon, which in German is pronounced "FroshCon", "Frosch" being the German for frog - hence the logo. It was great attending, and I have the feeling of having made a huge leap forward here on my tour.

Saturday Jul 25, 2009

Saving Face: The Privacy Architecture of Facebook

In his very interesting thesis draft Saving Face: The Privacy Architecture of Facebook, Chris Peterson describes, through a number of real life stories, some very subtle and interesting issues concerning privacy and context that arose during the rapid evolution of the now 250-million-member social network.

Perhaps the most revealing of these stories is that of a student, Rachel, who broadcast the following distress status message: "my grandmother just friend requested me. no Facebook, you have gone too far!" Chris Peterson develops: Rachel and her grandmother are close. She trusts her grandmother. She confides in her grandmother. She tells her grandmother "private" things. She is certainly closer to her grandmother than to many of her Facebook Friends. So what's the big deal? Rachel explains:

Facebook started off as basically an online directory of COLLEGE STUDENTS. I couldn't wait until I had my college email so that I could set up an account of my own, since no other emails would give you access to the site. Now, that was great. One could [meet] classmates online or stay in touch with high school mates [but it] has become a place, no longer for college students, but for anyone. [About] five days ago, the worst possible Facebook scenario occurred, so bizarre that it hadn't even crossed my mind as possible. MY GRANDMOTHER!? How did she get onto facebook?...As my mouse hovered between the accept and decline button, images flashed through my mind of sweet Grandma [seeing] me drinking from an ice luge, tossing ping pong balls into solo cups full of beer, and countless pictures of drunken laughter, eyes half closed. Disgraceful, I know, but these are good memories to me. To her, the picture of my perfectly angelic self, studying hard away at school, would be shattered forever.

The paper is full of stories with much more serious legal implications, but this one is especially revealing, as it makes apparent how the flat friendship relation on Facebook does not take into account the context of the relationship. Not all friendships are equal. Most people have only very few friends they can tell everything to. And most often one tells very different stories to different groups of friends. In the physical world we intuitively understand how to behave in different contexts. One behaves one way in church, another in the bar, and yet another way in front of one's teachers, or parents. The context in real life is set by the architecture of the space we are in (something Peter Sloterdijk develops at length in his philosophical trilogy Spheres). The space in which we are speaking and the distance others have from us guide us in what we should say, and how loud we can say it. On Facebook all your friends get to see everything you say.

It turns out that it is possible to create an equivalent contextual space on Facebook using a little-known and recently added feature, which allows one to build groups of friends and specify access control policies on posts per group. Chris shows clearly that this by itself is not enough: it requires a much more thorough embedding in the user interface, so that the intuitive feel one has in real life for who hears what, and to whom one is speaking, is available with the same clarity in the digital space. In the later part of the thesis Chris explores what such a user interface would need to do to make a similarly intuitive notion of space available.

Applications to the Social Web

One serious element of the privacy architecture of Facebook (and other similar social networks) not covered by this thesis, yet with a very serious impact in a very large number of domains, is the constant presence of a third party in the room: Facebook itself. Whatever you say on these social networks is visible not only to your group of friends, but also to Facebook itself, and indirectly to its advertisers. Communicating on Facebook then puts one in a frame of mind similar to that of people in the Middle Ages, when mankind lived under the constant, omnipotent and omniscient presence of a God who could read every thought, even the most personal. Except that this God is incorporated and has a stock market value fluctuating daily.

For those who wish to escape such an omnipresence yet reap the benefits of online electronic communication, the only solution lies in the development of distributed secure social networks: a Social Web where everybody could own what they say and control who sees it. It turns out that this is possible with semantic web technologies such as foaf and access control mechanisms based on ssl.

One very positive element I take from this thesis is that the minimal technical building blocks for reconstituting a sense of context are the notion of a group and access control of resources. In the Social Web we should be able to reconstitute this using the foaf:Group class and foaf+ssl for access control. On this basis Chris Peterson's user interface suggestions should be applicable in a distributed social network.
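As a minimal sketch of these two building blocks - and it is only a sketch, written with Python's rdflib, not anything from the thesis - here is a foaf:Group that an access controlled resource could be restricted to. All the example.org URIs are hypothetical:

    # Build a foaf:Group of close friends; a foaf+ssl protected server could
    # then grant access to a resource only to the members of this group.
    from rdflib import Graph, Namespace, URIRef
    from rdflib.namespace import RDF

    FOAF = Namespace("http://xmlns.com/foaf/0.1/")

    g = Graph()
    close_friends = URIRef("http://romeo.example.org/groups#closeFriends")
    g.add((close_friends, RDF.type, FOAF.Group))
    g.add((close_friends, FOAF.member, URIRef("http://juliette.example.org/foaf#me")))
    g.add((close_friends, FOAF.member, URIRef("http://mercutio.example.org/foaf#me")))

    print(g.serialize(format="turtle"))

Because the group is just another resource on the web, it can live on your own server, and the user interface work Chris describes can be layered on top of it.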

All in all then I found this thesis to be very rewarding and a very interesting read. I recommend it to all people interested in the Social Web.

Thursday Jun 11, 2009

The foaf+ssl world tour

As you can see from the map here, I have been cycling from Fontainebleau to Vienna (covering close to 1000km of road), and now around Cyprus in my spare time. On different occasions along my journey I had the opportunity to present foaf+ssl and combine it with a hands-on session, where members of the audience were encouraged to create their own foaf file and certificates, and also to start looking into what it takes to develop foaf+ssl enabled services. This seems like a very good way to proceed: it helps people get some hands-on experience which they can then hopefully pass on to others, it helps me prioritize what needs to be done next, and it should also lead to the development of foaf+ssl services that will increase the network value of the community, creating, I hope, a viral effect.

I started this cycle tour in order to lose some weight. I still have 10kg or so to lose, which at the rate of 3kg per 1000km will require me to cycle another 3000km or more. So that should enable me to visit quite a few places yet. I will be flying back to Vienna, where I will stay 10 days or so, after which I will cycle to Prague for a Kiwi meeting on the 3rd of July. After that I could cycle on to Berlin. But really it's up to you to decide. If you know a good hacker group that I can present to and cycle to, let me know, and I'll see how I can fit it into my timetable. So please get in contact! :-)

Thursday May 21, 2009

Identity in the Age of Cloud Computing

The Aspen Institute published a 90 page round table report in April entitled "Identity in the Age of Cloud Computing: The next-generation Internet's impact on business, governance and social interaction" under a generous Creative Commons license. I read the freely available pdf over the last week with interest, as it covers a lot of the topics I talk about on this blog, and gives a good introduction to cloud computing (about which I have not yet written).

The paper is J.D. Lasica's report of a round table discussion among a number of very experienced people that occurred just before the 2008 presidential election. It included people such as Rod Beckstrom, Director of the National Cyber Security Center of the United States Department of Homeland Security; David Kirkpatrick, Senior Editor of Internet and Technology at Fortune Magazine; Professor Paul M. Romer of Stanford University, known for his work on New Growth Theory; Hal Varian, chief economist at Google; and many more...

The discussion around the table must have been very stimulating. Here is my take on the paper.

Identity

Identity turned out to be the core of the discussion. The abstract summarized this best:

Throughout the sessions personal identity arose as a significant issue. Get it right and many services are enabled and enhanced. The group tended to agree that a user-centric open identity network system is the right approach at this point. It could give everyone the opportunity to manage their own identity, customize it for particular purposes, (i.e., give only so much information to an outsider as is necessary for them to transact with you in the way you need), and make it scalable across the Net. Other ways of looking at it include scaling the social web by allowing the individual to have identity as a kind of service rather than, as Lasica writes, "something done to you by outside interests."

The Cloud

The cloud is a way to abstract everything in the connected web space. It is the way the user thinks of the net. It is nebulous. Where information and services are is not important. This is the experience people have when they read their mail on gmail. They can read their mail from their computer, from their cell phone, from their hotel, or from a friend's computer. The mail and the web, and their flickr photos, and their delicious bookmarks are all there.

The cloud from the developer's point of view is very similar. He buys computing power or storage on Amazon, Google, GoGrid or the upcoming Sun Cloud. Where exactly the computer is located is not important. If demand for the service he develops grows, he can increase the number of machines to serve that demand. This of course is a great way to quickly and lightly get startups going - no need to get huge financing for a very large number of servers to deal with a hypothetical peak load.

The social networks on the cloud also allow people to link up and form virtual and short-lived organizations for a task at hand. This again reduces costs, enabling companies to get started very quickly for very little money and try out an idea. The paper does not say this: venture capital is no longer needed -- a good thing too, as it has been severely reduced by the current recession.

The Cloud and Identity

The cloud is the abstraction where the physical location of things becomes unimportant. What operating systems run the software we use, what computers they run on, where these computers are, all that is abstracted away, virtualized into a puff of smoke.

What is of course still needed is a way to name things and locate them in the cloud. What is needed is a global namespace with global identifiers. These are indeed known as Uniform Resource Locators (URLs). Since everything else is abstracted away, URLs are the only consistent abstraction left to identify resources.

It is therefore just a small step for the panelists to agree that something like foaf+ssl is the solution to identity on the cloud. It is user centric, distributed, permits global social networks, and allows people to have multiple personalities... Foaf+ssl provides exactly what the panelists are looking for:

open identity would provide the foundation for people to invent and discover a new generation of social signals, advice services, affinity groups, organizations and eventually institutions. Because the identity layer is grounded on the principles of openness and equality, anyone would be able to create social networks, tagging systems, reputation systems or identity authentication systems.

Thursday Apr 30, 2009

The anti-privacy/liberty law named Hadopi

The Hadopi law, being voted on now in France, constitutes an incredible attack on freedom of expression and privacy. It is fascinating to see how a law that gives the state an easy route to invade people's every digital thought is being pushed through, and will very likely be accepted by the French parliament on Monday May 4, 2009.

Parliamentary Maneuverings

The maneuvers of the French parliament here take some work to understand. A few weeks ago Hadopi was rejected in the Assembly by 21 votes against, 15 for. For an Assembly of well over 300 deputies, and for a law of such importance, it may seem odd that so few people were part of the discussion. The best understanding I have of this is that President Sarkozy has made this a very personal issue, having promised a lot of big media friends, with whom he is very close, to put in place a system to break the problem of "piracy" on the internet. Anyone in the majority who may have been tepidly against the law may not have wished to make such a powerful enemy. Others may have thought the law was a done deal given the backing. And sadly I think most of the deputies don't really understand the issue at all, as revealed by this video asking deputies what p2p is.

The Anti-Piracy law

Having lost the first vote, Sarkozy ordered his troops together to make his majority in parliament felt by having them massively vote for the law. The problem is that the majority voting now have very little understanding of the technical issues in front of them. Their view of the issue is the one a large part of the French population has: this is simply an issue of being for or against the pirates; for or against the artists. "Piracy is theft" is the simplifying drumbeat which organises their thoughts.

Coming to the defence of artists is of course a very noble thing to do. I myself try to stay as clean as possible in that regard, favoring works that are clearly licensed openly. Most work I publish under very free licences, which make it close to impossible to pirate my work. This article, for example, is published under a Creative Commons attribution licence. In any case I find it much easier to buy or rent DVDs than to search for content that may be broken on some p2p network.

What the best way to defend artists is, and how to reward their work, is a complex issue. For the past 50 years people have mostly accepted electronic works being freely available via radio or television -- if interspersed with advertising. I don't want to look into this problem here. For some good ideas one should listen to Lawrence Lessig speak on the issue of copyright and the future of the network, or read the French economist Jacques Attali on 10 steps to solve this problem.

The Anti-Privacy/Liberty Law

However noble the aim of saving artists is, the real problem is how this law intends to go about doing what it set out to do. And if one looks at it this way, one soon gets the bad feeling of having entered an Orwellian, 1984-like world! (See the public letter "Sci-Fi Against Hadopi".) The law is not just anti-piracy, it is also anti-privacy, anti-freedom of expression, anti-freedom of all sorts. It is like a super DDT: a chemical that gets rid of all insects, but is so powerful that it starts killing humans too.

The Hadopi law (pdf) will enable a newly established high administrative authority to receive IP addresses from content owners and ask telecommunication companies to reveal the owners of those IP addresses, to whom it will send two warning e-mails, telling them that something illegal is being downloaded or uploaded from their network, and asking them to secure it. It seems that this warning will not even mention the work that is thought to have been illegally transmitted. After a third warning, sent by post, the internet connection will be cut off. At that point the citizen whose connection has been cut off will be placed on a black list, making it impossible for him to seek any other internet connection. As it will be extremely difficult for him to defend himself, he will then have to accept putting a yet undefined piece of software on his network that will snoop on everything he is doing. One amendment required this software to also sniff e-mail communications [I am not absolutely sure this went through though].

So, in short, private companies will be able to anonymously denounce French citizens, leading to their internet connections being cut off, and then forcing them to install snooping software on their networks to prove their innocence! If this is not an extreme invasion of privacy, I do not know what is.

To help citizens who want to stay legal find their way around the internet, the Hadopi institution will distribute special labels for clean content. Good citizens will be safe if they don't stray too far from officially approved sites. If this is not an attack on freedom of information, I don't know what is!

Where is the resistance?

So over the past few weeks, as my concern grew, I tried discussing this with a number of people. My initial thought was that an issue such as this would not get through in a country that demonstrates over nearly every issue that comes up. What stunned me was the silence, the lack of interest in these issues among most people. It is instructive, in my view, to look at the various types of responses I got.

The law cannot be implemented

A lot of people are convinced that this law cannot be implemented. It is too crazy to be workable. Let us hope and pray that it is! The previous DADVSI law, which had set punishments of €300,000 and 3 years in prison, was so extremely, overwhelmingly powerful that it indeed was not usable.

But that argument is very dangerous. The DADVSI law may not yet have been used, but it may one day be. It is certainly what is spurring the current law, Hadopi, which by comparison seems innocuously kind. It will only ask you to install snooping software on your network. And since it is big brother the State asking this, and most people have no idea what this implies, a lot of people may very well be frightened into accepting it. In any case it does not matter if it is not immediately applicable. It need only slowly, with time, work itself into people's lives. If enough people have this software installed, even if it is widely bypassed, then you can bet that in 10 years' time a movement will start where people who do have it installed will complain that some of their fellow citizens don't, and so push for harsher laws, perhaps going so far as to have it installed automatically on all networks.

We can bypass it

A lot of technically savvy people have convinced themselves they can bypass this easily.

So what if they do? The law need only frighten the majority into behaving a certain way. With time, and with the majority on their side, they can add other laws to make the undesirable behavior a lot more difficult. For example, those who think that anonymising software is going to be an easy way out should look at the next law on the table, Loppsi, which will give the State the power to block any IP address it needs to. Perhaps a good first use case for Loppsi will be large anonymiser services.

Not fighting a law because one has decided one will not follow it is a very selfish and short term way of thinking. Sadly it seems to have grown in a large portion of the population that allowed itself to be tagged as pirates. And for that selfishness we will all pay. (Yes, this is not just a French phenomenon; it seems to be a globally orchestrated movement - see for example Blackout Europe.)

It will be blocked by the constitution

It may be. But then it may not be. In any case it is extremely worrying that a law should have to go so far as to require blocking by the constitution. Remember Lawrence Lessig's attempt to get the Supreme Court to overturn the extension of copyright terms? It failed.

It will be blocked by the European Union

The EU is a union of states, where the states have overwhelming power. The EU does not have an army and cannot enforce much. France has the "cultural exception" it can invoke quite easily, and it may also be that similar problems are brewing in the rest of Europe. Don't count on the EU. The European Parliament has done a great job there, but it does not have the final say, and it can be pressured. It has just watered down the telecoms package, for example. The EU is not the USA.

The people will rise

This is unlikely given what I have seen. Many people don't yet really feel the power of the internet. They work with the internet via the expensive and limited cell phone networks, if at all. For them the Internet is cool, but not essential. Furthermore traditional media are still extremely powerful, and they can direct the message the way they wish. If they were not so powerful, laws such as this would never be able to go so far. I don't watch enough television to be able to tell if both sides of the debate have been aired equally. My guess is not. [Update: the major French television channel TF1 - the first French TV channel to be created, now privatised - was found to have sacked the head of its innovation center for having privately sent a critical message about Hadopi to his Member of Parliament, as reported by Libération. This confirms the suspicion that the other side of this debate is not getting equal airing time.]

But in the long term the people may very well rise. If the law were applied equally and without discrimination, then businesses might very well be the first to rise up -- and leave. Later, as the internet becomes more and more part of everyday life, the people themselves may rise. Most likely the younger generation will feel most strongly the difference between what is being asked and what is reasonable. They will feel these new chains most forcefully. Mass movements, though, are worrying, because when masses move they can end up being very difficult to control, and can easily go in the wrong direction.

All in all I think it would be much better for people in France to call their deputies before the law passes and urge them to change their mind, than to wait and fight this out on the streets.

Vote

There are a number of ways people can get their voice heard. One is the twitition petition. But I don't like the way it requires your password. Better, I think, to add the string JVoteContreHadopi to a blog post or tweet of yours. After a little time the vote should appear on this Google query, where the votes can be counted. (We did this when voting for Java 6 on OS X Leopard.)

Tuesday Apr 07, 2009

Sun Initiates Social Web Interest Group

I am very pleased to announce that Sun Microsystems is one of the initiating members of the Social Web Incubator Group launched at the W3C.

Quoting from the Charter:

The mission of the Social Web Incubator Group, part of the Incubator Activity, is to understand the systems and technologies that permit the description and identification of people, groups, organizations, and user-generated content in extensible and privacy-respecting ways.

The topics covered with regards to the emerging Social Web include, but are not limited to: accessibility, internationalization, portability, distributed architecture, privacy, trust, business metrics and practices, user experience, and contextual data. The scope includes issues such as widget platforms (such as OpenSocial, Facebook and W3C Widgets), as well as other user-facing technology, such as OpenID and OAuth, and mobile access to social networking services. The group is concerned also with the extensibility of Social Web descriptive schemas, so that the ability of Web users to describe themselves and their interests is not limited by the imagination of software engineers or Web site creators. Some of these technologies are independent projects, some were standardized at the IETF, W3C or elsewhere, and users of the Web shouldn't have to care. The purpose of this group is to provide a lightweight environment designed to foster and report on collaborations within the Social Web-related industry or outside which may, in due time affect the growth and usability of the Social Web, rather than to create new technology.

I am glad we are supporting this along with the other prestigious initiating members.

This should certainly help create a very interesting forum for discussing what I believe is one of the most important issues on the web today.

Thursday Jan 15, 2009

The W3C Workshop on the Future of Social Networking Position Papers

picture by Salvador Dalí

I am in Barcelona, Spain (the country of Dalí) for the W3C Workshop on the Future of Social Networking. To prepare for this I decided to read through the 75 position papers. This is the best prepared I have ever been for a conference. It really changes the way I can interact with the other attendees. :-)

I wrote down a few notes on most papers I read, to help me remember them. This took me close to a week, a good part of which I spent trying to track down the authors on the web, find their pictures, familiarise myself with their work, and fill out my Address Book - anything I could do to make as many connections as possible and help me remember the work. I used delicious to save some subjective notes, which can be found under the w3csn tag. I was going to publish this on Wednesday, but had not quite finished reading through all the papers. I got back to my hotel this evening to find that Libby Miller, who co-authored the foaf ontology, had beaten me to it with the extent and quality of her reviews, which she published in two parts:

Amazing work Libby!

70 papers is more than most people can afford to read. If I were to recommend just a handful of papers that stand out in my mind for now, these would be:

  • Paper 36, by Ching-man Au Yeung, Ilaria Liccardi, Kanghao Lu, Oshani Seneviratne and Tim Berners-Lee, is the must-read paper, entitled "Decentralization: The Future of Online Social Networking". I completely agree with this outlook. It also mentions my foaf+ssl position paper, which of course gives it full marks :-) I would perhaps use "distribution" over "decentralisation", or some word that better suggests that the social network should be able to be as much of a peer-to-peer system as the web itself.
  • "Leveraging Web 2.0 Communities in Professional Organisations" really prooves why we need distributed social networks. The paper focuses on the problem faced by Emergency Response organisation. Social Networks can massively improove the effectiveness of such responses, as some recent catastrophes have shown. But ER teams just cannot expect everyone they deal with to be part of just one social network silo. They need to get help from anywhere it can come from. From professional ER teams, from people wherever they are, from infromation wherever it finds itself. Teams need to be formed ad hoc, on the spot. Not all data can be made public. Distributed Open Secure Social Networks are what is needed in such situations. Perhaps the foaf+ssl proposal (wiki page) can help to make this a reality.
  • In "Social networking across devices: opportunity and risk for the disabled and older community", Henni Swan explains how much social networking information could be put to use to help make better user interface for the disabled. Surprisingly enough none of the web sites, so taken by web 2.0 technologies, seem to put any serious, effort in this space. Aparently though this can be done with web 2.0 technologies, as Henny explains in her blog. The semantic Web could help even further I suggested to her at her talk today, by splitting the data from the user interface. Specialised browsers for the disabled could adapt the information for their needs, making it easy for them to navigate the graph.
  • "Trust and Privacy on the Social Web" starts the discussion in this very important space. If there are to be distributed social networks, they have to be secure, and the privacy and trust issues need to be looked at carefully.
  • On a lighter note, Peter Ferne's very entertaining paper "Collaborative Filtering and Social Capital" comes with a lot of great links and is a pleasure to read. Did you know about the Whuffie Index or CELEBDAQ? Find out here.
  • Many of the telecom papers, such as Telefonica's "The social network behind telecom networks", reveal the elephant in the room that nobody saw in social networking: the telecoms. Who has the most information about everyone's social network? What could they do with this information? How many people have phones, compared to internet access? Something to think about.
  • Nokia's position paper can then be seen in a different light. How can handset manufacturers help put to use the social networking and location information contemporary devices are able to access? The Address Book in cell phones is the most important application in a telephone. But do people want to connect only to other Nokia users? This has to be another reason for distributed social networks.

I will blog about other papers as the occasion presents itself in future posts. This is enough for now. I have to get up early and be awake for tomorrow's talks, which start at 8:30 am.

In the meantime you can follow a lively discussion of the ongoing conference on twitter under the w3csn tag.

Tuesday Dec 30, 2008

foaf+ssl, pki and the duck-rabbit

In part II §xi of the "Philosophical Investigations", Ludwig Wittgenstein introduces the duck-rabbit figure:

I shall call the following figure, derived from Jastrow, the duck-rabbit. It can be seen as a rabbit's head or as a duck's. And I must distinguish between the 'continuous seeing' of an aspect and the 'dawning' of an aspect.

The picture might have been shewn me, and I never have seen anything but a rabbit in it.

It is worth stopping here and considering that illustration carefully, making sure you can see it one way and then the other. Notice that there is no illusion here. There is not one correct way to see the line. The figure itself is ambiguous. The duck-rabbit therefore shows very simply how the way we perceive the world can change without any new fact appearing in the world.

Is that not what magic does?

Much more complex examples of this phenomenon can be found. In some cases it is much more difficult to switch between meanings. I find this with the Young Woman/Old Woman image, for example. I really need to work hard to see the other interpretation there, and once I have found it, I find switching back very difficult.

Recently I have felt that the foaf+ssl protocol does something similar with Public Key Infrastructure (PKI). We use a tool that was always meant to be used one way in a completely different way - a way that was of course always permitted, but that nobody saw (or if they did, they did not pursue it openly).

To perceive this different way of using the tool one has to - just as with the duck-rabbit - look at it differently. One has to see it in a new way, or perhaps even use it in a new way. Whereas PKI is used for hierarchical trust, we use it to build a web of trust. Where X509 certs built a lot on the Distinguished Name hierarchy, we nearly ignore it. Where X509 tried to place information in the certificate, we place it outside, at the location the name points to. Even though SSL lets a server request client certificates from the browser, nobody does this; yet we build on this little-known feature. Self-signed client certificates, which would not have made sense in a traditional PKI infrastructure because they prove nearly nothing about the client, are what we build everything on....

All the usual X509 and ssl tools work just as they should, but magically it seems they are suddenly found to be doing something completely different.

Friday Dec 19, 2008

what does foaf+ssl give you that openid does not?

Jason Kolb asked on Twitter "what does foaf+ssl give you that openid does not?". I can make the answer short, but not short enough for a tweet. So here are my initial thoughts on this.

  • foaf+ssl gives people and other agents a URL for identification, just like OpenId does. But in the case of foaf+ssl the user does not need to remember the URL; the browser or keychain does. A login button on a foaf+ssl web site is just a button. No need to enter any identifier: just click the button, and your browser will ask you which identity you wish to use. The user does not need to remember a password either (except perhaps that of the keychain, if the browser requires it).
  • The foaf+ssl protocol requires a minimum of 1 to 2 network connections. Compare this to the much more complex OpenId sequence diagram. In a world of distributed data where each site can point to data on any other site, this can become really important.
  • The description of foaf+ssl holds on one page. A page is required just to list the OpenId specs.
  • foaf+ssl builds on well established standards: REST, RDF, SSL, X509. That is of course why it takes much less space to explain: it does not invent anything new.
  • foaf+ssl is clearly RESTful. You can GET your foaf file and, if needed, update it with PUT. You could create it with POST. No need to reinvent those verbs as OpenId has to do in the OpenId Attribute Exchange spec.
  • It is easy to add new attributes to the rdf file. It is easy to extend, and to give the extensions meaning. Every attribute is a URI, which when clicked on can give you yet more information about the relation, and participate in the Linked Data cloud. New classes can be created. You can add relations to objects, and those objects themselves can have yet more relations (see my foaf file, and how it relates me to an address, which is related to a country - there is a sketch of this after this list). The complex OpenId Attribute Exchange spec does not offer any of this.
  • You can reason about the foaf. That just comes for free with RDF and OWL. (You can do this with OpenId too, but you'd have to treat it as a special case of RDF for that to work.)
  • Being simpler, it will be easier to implement.
  • With foaf+ssl you get a web of trust. With OpenId you only get trust indirectly, if you trust the OpenId provider. So for example you may trust the information gathered by the attribute exchange mechanism of someone who has an OpenId provider at the url http://openid.sun.com/, because you trust Sun Microsystems. With foaf+ssl you can come to trust a file on some web server you have never heard of, because all your friends point to it from their foaf files.
  • foaf+ssl is distributed. There is no need for an OpenId provider. You just need a web server, ideally your own at your own domain name. Yes, you can run your own OpenId server too, but then you lose the trust that might have been associated with a well-known domain name. Have you ever wondered why there are so many very large OpenId providers, and not many small ones?
  • foaf+ssl requires no HTTP redirects: these are problematic on many cell phones, I am told, often because telecom proxies get in the way.
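To illustrate the extensibility point about the foaf file, here is the promised sketch. The profile below is invented (the contact: vocabulary is one plausible choice among several), but it shows how a person can be related to an address, which is itself related to a country, with every attribute being a dereferenceable URI:

    # Parse a small foaf profile relating a person to an address and country.
    from rdflib import Graph

    profile = """
    @prefix foaf:    <http://xmlns.com/foaf/0.1/> .
    @prefix contact: <http://www.w3.org/2000/10/swap/pim/contact#> .

    <#me> a foaf:Person ;
          foaf:name "Romeo Montague" ;
          contact:home [ contact:address [ contact:city    "Verona" ;
                                           contact:country "Italy" ] ] .
    """

    g = Graph()
    g.parse(data=profile, format="turtle", publicID="http://romeo.example.org/foaf")
    print(g.serialize(format="turtle"))  # every attribute is just another arc in the graph

Adding a new attribute is just adding a new arc to the graph; no central spec needs to be revised for it.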

OpenId is very well known and widely used now. It has made people aware of the power of a URL for identifying people, and it is what helped me find this solution. Furthermore, it would be quite easy to create a foaf+openid service, as I proposed some time ago, simplifying OpenId in the process. So the two technologies are not incompatible.

More on foaf+ssl on the esw wiki

    Thursday Dec 04, 2008

    video on distributed social network platform NoseRub

    I just came across this video on Twitter by pixelsebi explaining Distributed social networks in a screencast, and especially a php application NoseRub. Here is the video.


    Distributed Social Networking - An Introduction from pixelsebi on Vimeo.

    On a "Read Write Web" article on his video, pixelsebi summarizes how all these technologies fit together:

    To sum it up - if I had to describe it to somebody who has no real clue about it at all:
    1. Distributed Social Networking is an architecture approach for the social web.
    2. DiSo and Noserub are implementations of this "social web architecture"
    3. OpenSocial REST API is one of many ways to provide data in this distributed environment.
    4. OpenSocial based Gadgets might some day run at any node/junction of this distributed environment and might be able to handle this distributed social web architecture.

    So I would add that foaf provides the semantics for describing distributed social networks, and foaf+ssl is one way to add security to the system. My guess is that the OpenSocial Javascript API can be decoupled from the OpenSocial REST API and produce widgets however the data is produced (unless they made the mistake of tying it too closely to certain URI schemes).

    Thursday Nov 20, 2008

    foaf+ssl: a first implementation

    The first very simple implementations for the foaf+ssl protocol are now out: the first step in adding simple distributed security to the global open distributed decentralized social network that is emerging.

    Update Feb 2009: I have put up a service that gets you going with foaf+ssl in a few clicks. Try that out first if you are short on time.

    The foaf+ssl protocol has been discussed in detail in a previous blog: "FOAF & SSL: creating a global decentralised authentication protocol", which goes over the theory of what we have implemented here. For those of you who have more time I also recommend my JavaOne 2008 presentation Building Secure, Open and Distributed Social Network Applications, which explains the need for a protocol such as this, gives some background understanding of the semantic web, and covers the working of this protocol in detail, all in an easy to listen to slideshow with audio.

    In this article we are going to be rather more practical, and less theoretical - but still too technical for the likes of many. I could spend a lot of time building a nice user interface to make this blog a point and click experience. But we are not looking for point and click users now; we are looking for people who feel at home looking at some code, working with abstract security concepts, who can be critical and find solutions to problems too, and who are willing to learn some new things. So I have simplified things as much as need be for people who fall into that category (and made it easy enough for technical managers to follow too, I hope).

    To try this out yourself you just need to download the source code from the So(m)mer repository. This can be done with the following command line:

    
    $ svn checkout https://sommer.dev.java.net/svn/sommer/trunk sommer --username guest
    
    (leave the password blank)

    This downloads a lot more code than is needed, by the way. But I don't have time to isolate all the dependencies, bandwidth is cheap, and the rest of the code in there is pretty interesting too, I am sure you will agree. Depending on your connection speed this will take some time, so we can do something else in the meantime, such as have a quick look at the UML diagram of the foaf+ssl protocol:

    foaf+ssl uml sequence diagram

    Let us make clear who is playing what role. You are Romeo. You want your client - a simple web browser such as Firefox or Safari will do - to identify you to Juliette's web server. Juliette, as it happens, is a semantic web expert. She trusts that if you are able to read through this blog, understand it, create your X509 certificate and set up your foaf file so that it publishes your public key information correctly, then you are human, intelligent, avant-garde, and have enough money to own a web server - which is all to your advantage. As a result her semantically enabled server will give you the secret information you were looking for.

    Juliette knows of course that at a later time things won't be that simple anymore: when distributed social networks are big enough, the proportion of fools will be large enough for their predators to take an interest in this technology, and the tools for putting up a certificate will come packaged with everyone's operating system, embedded in every tool, etc... At that point things will have moved on, and Juliette will have added more criteria for access to her secret file. Not only will your certificate have to match the information in your foaf file, as it does now, but given that she knows your URL and what you have published there of your social graph, her server will be able to use your position in the social graph of her friends to decide how to treat you.
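
    One can already sketch what such a social-graph criterion might look like. The following is only a thought experiment, not code from this project: it assumes Juliette's server has crawled her friends' foaf files into a local Sesame repository, and asks whether anyone she knows claims to know the requester:

    import org.openrdf.query.BooleanQuery;
    import org.openrdf.query.QueryLanguage;
    import org.openrdf.repository.RepositoryConnection;

    public class ProximityCheck {
        // juliette and romeo are the two parties' foaf URLs (hypothetical)
        public static boolean knowsViaFriend(RepositoryConnection con,
                String juliette, String romeo) throws Exception {
            BooleanQuery q = con.prepareBooleanQuery(QueryLanguage.SPARQL,
                "PREFIX foaf: <http://xmlns.com/foaf/0.1/> " +
                "ASK { <" + juliette + "> foaf:knows ?friend . " +
                "      ?friend foaf:knows <" + romeo + "> . }");
            return q.evaluate(); // true if some friend of Juliette knows Romeo
        }
    }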

    Creating a certificate and a foaf file

    So the first thing to do is for you to create yourself a certificate and a foaf file. This is quite easy. You just need to do the following in a shell.

    
    $ cd sommer/misc/FoafServer/
    
    $ java -version
    java version "1.5.0_16"
    Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b06-284)
    Java HotSpot(TM) Client VM (build 1.5.0_16-133, mixed mode, sharing)
    
    $ ant jar
    

    Currently one needs at least Java 5 to run this.

    Before you create your certificate, you need to know what your foaf URL is going to be. If you already have a foaf file, then that is easy, and the following will get you going:

    
    $ java -cp dist/FoafServer.jar net.java.dev.sommer.foafserver.utils.GenerateKey  -shortfoaf
    
    Enter full URL of the person to identify (no relative urls allowed): 
    for example: http://bblfish.net/people/henry/card#me
    http://bblfish.net/people/henry/card#me
    
    Enter password for new keystore :enterAnewPasswordForNewStore     
    publish the triples expressed by this n3
    # you can use cwm to merge it into an rdf file
    # or a web service such as http://www.rdfabout.com/demo/validator/ to convert it to rdf/xml
    # Generated by sommer.dev.java.net
    @prefix cert: <http://www.w3.org/ns/auth/cert#> .
    @prefix rsa: <http://www.w3.org/ns/auth/rsa#> .
    @prefix foaf: <http://xmlns.com/foaf/0.1/> .
    <http://bblfish.net/people/henry/card#me> a foaf:Person; 
        is cert:identity of [ 
              a rsa:RSAPublicKey;
              rsa:public_exponent "65537"\^cert:decimal ;
              rsa:modulus """b6bd6ce1a5ef51aaa69752c6af2e71948ab6da
    9e5a5f086dba7548d8b80150d392117d90138948062eec6ecb5745a45491eea03a46b0a1c2e6324d
    54144f42cdaa05ca39939eb973086cfedc8e31641cf7f29abc58310dcb8e56d9e6dae2233a317167
    74d1eb32ced152084cfb860fb8cb5298a3c0270145c5d878f07f6417af"""^^cert:hex ;
              ] .
    
    the public and private keys are stored in cert.p12
    you can list the contents by running the command
    $ openssl pkcs12 -clcerts -nokeys -in cert.p12 | openssl x509 -noout -text
    

    If you then run the openssl command, you will find that the public key components match the rdf above.

    
    $  openssl pkcs12 -clcerts -nokeys -in cert.p12 | openssl x509 -noout -text
    Enter Import Password:
    MAC verified OK
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: CN=http://bblfish.net/people/henry/card#me
            Validity
                Not Before: Nov 19 10:58:50 2008 GMT
                Not After : Nov 10 10:58:50 2009 GMT
            Subject: CN=http://bblfish.net/people/henry/card#me
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                RSA Public Key: (1024 bit)
                    Modulus (1024 bit):
                        00:b6:bd:6c:e1:a5:ef:51:aa:a6:97:52:c6:af:2e:
                        71:94:8a:b6:da:9e:5a:5f:08:6d:ba:75:48:d8:b8:
                        01:50:d3:92:11:7d:90:13:89:48:06:2e:ec:6e:cb:
                        57:45:a4:54:91:ee:a0:3a:46:b0:a1:c2:e6:32:4d:
                        54:14:4f:42:cd:aa:05:ca:39:93:9e:b9:73:08:6c:
                        fe:dc:8e:31:64:1c:f7:f2:9a:bc:58:31:0d:cb:8e:
                        56:d9:e6:da:e2:23:3a:31:71:67:74:d1:eb:32:ce:
                        d1:52:08:4c:fb:86:0f:b8:cb:52:98:a3:c0:27:01:
                        45:c5:d8:78:f0:7f:64:17:af
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE
                X509v3 Key Usage: critical
                    Digital Signature, Non Repudiation, Key Encipherment, Key Agreement, Certificate Sign
                Netscape Cert Type: 
                    SSL Client, S/MIME
                X509v3 Subject Key Identifier: 
                    85:CD:66:A3:F7:23:DA:42:4B:F6:44:A1:90:A8:FE:27:9E:55:64:FE
                X509v3 Authority Key Identifier: 
                    keyid:85:CD:66:A3:F7:23:DA:42:4B:F6:44:A1:90:A8:FE:27:9E:55:64:FE
                X509v3 Subject Alternative Name: 
                    URI:http://bblfish.net/people/henry/card#me
        Signature Algorithm: sha1WithRSAEncryption
            a6:e0:3f:7c:cb:78:9b:f1:75:7f:62:ca:20:9e:a3:bb:87:61:
            29:59:3f:b9:bb:70:c5:06:bd:9a:62:fc:98:32:b7:f4:8b:53:
            ca:69:fc:5e:01:6a:4c:d8:85:5c:b3:a1:84:ec:1c:d2:6f:a8:
            0f:dd:c0:ff:9f:88:d2:84:8f:77:48:2e:f0:91:fb:2c:2a:22:
            96:07:be:ce:b2:98:87:ee:40:bd:16:32:fa:11:55:fb:0f:96:
            fb:c4:f8:be:66:3f:98:fa:62:61:0b:2f:b5:02:98:97:53:35:
            b5:46:32:c4:38:01:4c:97:66:aa:79:40:1a:67:45:bd:a0:e1:
            97:72
    

    Notice also that the X509v3 Subject Alternative Name is your foaf URL. The Issuer Distinguished Name (starting with CN= here) could be anything.
    This, by the way, is the certificate that you will be adding to your browser in the next section.
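
    This Subject Alternative Name is what a foaf+ssl server pulls out of the presented certificate in order to find the foaf file. Extracting it needs nothing beyond the standard java.security API; a small sketch (the javadoc specifies that entry type 6 denotes a URI):

    import java.security.cert.X509Certificate;
    import java.util.Collection;
    import java.util.List;

    public class WebIdExtractor {
        /** Returns the first URI-typed Subject Alternative Name, or null. */
        public static String foafUrl(X509Certificate cert) throws Exception {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return null;
            for (List<?> san : sans) {
                Integer type = (Integer) san.get(0);
                if (type.intValue() == 6)   // 6 = uniformResourceIdentifier
                    return (String) san.get(1);
            }
            return null;
        }
    }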

    If you don't have a foaf file, then the simplest way to proceed is to:

    1. decide where you are going to place the file on your web server
    2. decide what its name will be
    3. put a fake file there, named cert.rdf say
    4. fetch that file with a browser, by typing in the full URL
    5. your foaf URL will then be http://yourhost.com/path/cert.rdf#me

    Then you can use the following command to create your foaf file:

    
    $ java -cp dist/FoafServer.jar net.java.dev.sommer.foafserver.utils.GenerateKey
    

    That is the same command as the first one, but without the -shortfoaf argument. You will be asked for some information to fill out your foaf file, so as to make it a little more realistic -- you might as well get something useful out of this. You can then use either cwm or a web service to convert the N3 into rdf/xml, which you can then publish at the correct location. Entering your URL into a web browser should now get your foaf file.
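
    If you would rather stay in Java than install cwm, the Sesame Rio library (among the code you just checked out) can do the conversion too - with one caveat: Rio parses Turtle, not full N3, so the "is cert:identity of" form printed above would first have to be rewritten as a plain triple. A sketch under that assumption, with hypothetical file names:

    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import org.openrdf.rio.RDFFormat;
    import org.openrdf.rio.RDFParser;
    import org.openrdf.rio.RDFWriter;
    import org.openrdf.rio.Rio;

    public class N3ToRdfXml {
        public static void main(String[] args) throws Exception {
            RDFParser parser = Rio.createParser(RDFFormat.TURTLE);
            RDFWriter writer = Rio.createWriter(RDFFormat.RDFXML,
                    new FileOutputStream("cert.rdf"));
            parser.setRDFHandler(writer); // stream triples straight to the writer
            parser.parse(new FileInputStream("cert.n3"),
                    "http://yourhost.com/path/cert.rdf");
        }
    }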

    Adding the certificate to the browser

    The previous procedure will have created a certificate, cert.p12, which you now need to import into your browser. The software that creates the certificate could, I guess, place it in your browser too, but that would require some work to make it cross platform. Something to do for sure, but not now. On OSX, adding certs programmatically to the Keychain application is quite easy.

    So to add the certificate to your browser's store, open Firefox's preferences and go to the Advanced->Encryption tab as shown here:

    Firefox 3.03 Advanced Preferences dialog

    Click on "View Certificates" button, and you will get the Certificate Manager window pictured here.

    Firefox 3.03 Certificate manager

    Click the import button, and import the certificate we created in the previous section. That's it.

    Starting Juliette's server

    In a few days time Ian Jacobi will have a python based server working with the new updated certificate ontology. I will point to that as soon as he has it working. In the mean time you can run Juliette's test server locally like this:

    
    $ ant run
    

    This will start her server on your computer on localhost on port 8843 where it will be listening on a secure socket.

    Connecting your client to Juliette's server

    So now you can just go to https://localhost:8843/servlet/CheckClient in your favorite browser. This is Juliette's protected resource by the way, so we have moved straight to step 2 in the above UML diagram.

    Now because this is a server running locally, with a secure port open that emits a certificate not signed by a well established security authority, things get more complicated than they usually need be. The following steps appear only because of this, and to make clear that they are just a result of this experiment I have placed them on a blue background. You will only need to do this the first time you connect in this experiment, so be wary of the blues.

    Firefox gave me the following warning the first time I tried it.

    Firefox 3.03 certificate error dialog

    This is problematic because it just warns that the server's certificate is not trusted, but does not let you specify that you trust it (after all, perhaps the server's public key was just mailed to you, and you could use that information to decide that you trust the server).

    On trying again - shift reloading perhaps, I am not sure - I finally got Firefox to present me with the following secure connection failed page:

    Firefox 3.03 secure connection failed page

    Safari did the right thing first off. Since we trust localhost:8843 (having just started it, and even inspected some of the code) we just need to click the "Or you can add an exception ..." link, which brings up the dialog below:

    Firefox 3.03 secure add exception page

    They are trying to frighten users here, of course. And so they should. Ah, if only we had a localhost certificate signed by a trusted CA, I would not have to write this whole part of the blog!

    So of course you go there and click "Add Exception...", and this brings up the following dialog.

    Firefox 3.03 get Certificate dialog

    So click "Get Certificate" and get the server certificate. When done you can see the certificate

    Firefox 3.03 get Certificate dialog

    And confirm the security Exception.

    Again all of this need not happen. But since it also makes clear what is going on, it can be helpful to show it.

    Choose your certificate

    Having accepted the server's certificate, it will now ask you for yours. As a result of this Firefox opens up the following dialog.

    Firefox 3.03 Server requesting Client Certificate

    Since you only have one client certificate, this is an easy choice. If you had several, you could choose which persona to present to the site. When you click OK, the certificate is sent to the server. This is the end of stage 2 in the UML diagram above. At that point Juliette's server (on localhost) will go and get your foaf file (step 3), and compare the information about your public key with the one in the certificate you just presented (step 4), by making the following query on your foaf file, as shown in the CheckClient class:

          TupleQuery query = rep.prepareTupleQuery(QueryLanguage.SPARQL,
                                    "PREFIX cert: <http://www.w3.org/ns/auth/cert#> " +
                                    "PREFIX rsa: <http://www.w3.org/ns/auth/rsa#> " +
                                    "SELECT ?mod ?exp " +
                                    "WHERE {" +
                                    "   ?sig cert:identity ?person ." +
                                    "   ?sig a rsa:RSAPublicKey;" +
                                    "        rsa:modulus [ cert:hex ?mod ] ;" +
                                    "        rsa:public_exponent [ cert:decimal ?exp ] ." +
                                    "}");
           query.setBinding("person", vf.createURI(uri.toString()));
           TupleQueryResult answer = query.evaluate();
    
    If the information in the certificate and the foaf file correspond, then the server will send you Juliette's secret information. In a Tabulator enabled browser this comes out like this:

    Firefox 3.03 displaying Juliette's secret info

    The source code for all of this is not far away, and you will see that the algorithms used are very simple. This proves that the minimal piece - the part equivalent to what OpenID does - works. Next we will need to build up the server so that it can make decisions based on a web of trust. By then you will have your foaf file, and will have filled out your social network a little, for this to work.
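
    The comparison in step 4 really does amount to a few lines. Roughly - this is a sketch of the idea, not the exact FoafServer source - one takes the RSA key out of the certificate the client presented and checks it against the ?mod and ?exp bindings returned by the query above:

    import java.math.BigInteger;
    import java.security.cert.X509Certificate;
    import java.security.interfaces.RSAPublicKey;

    public class KeyCheck {
        /** modHex and expDec are the ?mod and ?exp literals from the foaf file. */
        public static boolean matches(X509Certificate cert,
                String modHex, String expDec) {
            RSAPublicKey pk = (RSAPublicKey) cert.getPublicKey();
            // cert:hex ignores whitespace, so strip it before comparing
            BigInteger mod = new BigInteger(modHex.replaceAll("\\s", ""), 16);
            BigInteger exp = new BigInteger(expDec.trim());
            return pk.getModulus().equals(mod)
                && pk.getPublicExponent().equals(exp);
        }
    }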

    Further Work

    Discussions on this, and on a number of other protocols in the same space, are currently happening on the foaf protocols mailing list. You are welcome to join the sommer project to work on the code and debug it. As I mentioned, Ian Jacobi has a public server running, which he should soon be updating with the new certificate ontology that we have been using here.

    Clearly it would be really good to have a number of more advanced servers running this in order to experiment with access controls that add social proximity requirements.

    Things to look at:

    • What other browsers does this work with?
    • Can anyone get this to work with Aladdin USB e-Token keys or similar tools?
    • Work on access controls that take social proximity into account
    • Does this remove the need for cookie identifiers on web sites?

    I hope to be able to present this at the W3C Workshop on the Future of Social Networking in January 2009.

    Tuesday Nov 11, 2008

    REST APIs must be hypertext driven

    Roy Fielding recently wrote in "REST APIs must be hypertext-driven"

    I am getting frustrated by the number of people calling any HTTP-based interface a REST API. Today's example is the SocialSite REST API. That is RPC. It screams RPC. There is so much coupling on display that it should be given an X rating.

    That was pretty much my thought when I saw that spec. In a comment to his post he continues.

    The OpenSocial RESTful protocol is not RESTful. It could be made so with some relatively small changes, but right now it is just wrapping RPC results in common Web media types.

    Clarification of Roy's points

    Roy then goes on to list some key criteria for what makes an application RESTful.

    • REST API should not be dependent on any single communication protocol, though its successful mapping to a given protocol may be dependent on the availability of metadata, choice of methods, etc. In general, any protocol element that uses a URI for identification must allow any URI scheme to be used for the sake of that identification.

      In section 2.2 of the O.S. protocol we have the following JSON representation for a Person.

      {
          "id" : "example.org:34KJDCSKJN2HHF0DW20394",
          "displayName" : "Janey",
          "name" : {"unstructured" : "Jane Doe"},
          "gender" : "female"
      }
      

      Note that the id is not a URI. Further down, in the XML version of the above JSON, it is made clear that by appending "urn:guid:" you can turn this string into a URI. By doing this the protocol has in essence tied itself to one URI scheme, since there is no way of expressing another URI type in the JSON - the JSON being the key representation in this Javascript specific API, the aim of the exercise being to make the writing of social network widgets interoperable. Furthermore this scheme has some serious limitations: for example, it limits one to one social network per internet domain, it is tied to the quite controversial XRI spec that has been rejected by OASIS, and it does not provide a clear mechanism for retrieving information about the thing identified. But that is not the point. The point is that the definition of the format ties itself unnecessarily to a URI scheme, and moreover one that binds it to what is clearly a client/server model.

    • A REST API should not contain any changes to the communication protocols aside from filling-out or fixing the details of underspecified bits of standard protocols, such as HTTP's PATCH method or Link header field.
    • A REST API should spend almost all of its descriptive effort in defining the media type(s) used for representing resources and driving application state, or in defining extended relation names and/or hypertext-enabled mark-up for existing standard media types. Any effort spent describing what methods to use on what URIs of interest should be entirely defined within the scope of the processing rules for a media type (and, in most cases, already defined by existing media types). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]

      Most of these so called RESTful APIs spend a huge amount of time specifying what response a certain resource should give to a certain message. Note for example section 2.1, entitled Responses.

    • A REST API must not define fixed resource names or hierarchies (an obvious coupling of client and server). Servers must have the freedom to control their own namespace. Instead, allow servers to instruct clients on how to construct appropriate URIs, such as is done in HTML forms and URI templates, by defining those instructions within media types and link relations. [Failure here implies that clients are assuming a resource structure due to out-of band information, such as a domain-specific standard, which is the data-oriented equivalent to RPC's functional coupling].

      In section 6.3 one sees this example:

      /activities/{guid}/@self                -- Collection of activities generated by given user
      /activities/{guid}/@self/{appid}        -- Collection of activities generated by an app for a given user
      /activities/{guid}/@friends             -- Collection of activities for friends of the given user {guid}
      /activities/{guid}/@friends/{appid}     -- Collection of activities generated by an app for friends of the given user {guid}
      /activities/{guid}/{groupid}            -- Collection of activities for people in group {groupid} belonging to given user {uid}
      /activities/{guid}/{groupid}/{appid}    -- Collection of activities generated by an app for people in group {groupid} belonging to given user {uid}
      /activities/{guid}/@self/{appid}/{activityid}   -- Individual activity resource; usually discovered from collection
      /activities/@supportedFields            -- Returns all of the fields that the container supports on activity objects as an array in json and a repeated list in atom.
      

      For some reason it seems that this protocol does require a very precise layout of the URL patterns. Now it is true that this is then meant to be specified in an XRDS document. But that document is not linked to from any of the representations, as far as I can see. So some "out of band" information exchange has happened, on which the rest of the protocol relies. Furthermore it ties the whole service again to one server. How open is a service which ties you to one server?

    • A REST API should never have "typed" resources that are significant to the client. Specification authors may use resource types for describing server implementation behind the interface, but those types must be irrelevant and invisible to the client. The only types that are significant to a client are the current representation's media type and standardized relation names. [ditto]

      Now clearly one does want URIs to name resources - things - and these things have types. I think Roy is here warning against the danger of placing expectations on types that depend on the resources themselves. This seems tied to the previous point, that one should not have fixed resource names or hierarchies, as we saw above. To see how this is possible, check out my foaf file:

      
      $ cwm http://bblfish.net/people/henry/card --ntriples | grep knows | head
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://axel.deri.ie/~axepol/foaf.rdf#me> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://b4mad.net/FOAF/goern.rdf#goern> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://bigasterisk.com/foaf.rdf#drewp> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://crschmidt.net/foaf.rdf#crschmidt> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://danbri.org/foaf.rdf#danbri> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://data.boab.info/david/foaf.rdf#me> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://davelevy.info/foaf.rdf#me> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://dblp.l3s.de/d2r/page/authors/Christian_Bizer> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://dbpedia.org/resource/James_Gosling> .
          <http://bblfish.net/people/henry/card#me>     <http://xmlns.com/foaf/0.1/knows> <http://dbpedia.org/resource/Roy_Fielding> .
      

      Notice that there is no pattern in the URIs to the right. (As it happens there are no ftp URLs there, but it would work just as well if there were.) Yet the Tabulator extension for Firefox knows from the relations above alone that (if it believes my foaf file of course) the URIs to the right refer to people. This is because the foaf:knows relation is defined as:

      
      @prefix foaf: <http://xmlns.com/foaf/0.1/> .
      
      foaf:knows  a rdf:Property, owl:ObjectProperty;
               :comment "A person known by this person (indicating some level of reciprocated interaction between the parties).";
               :domain <http://xmlns.com/foaf/0.1/Person>;
               :isDefinedBy <http://xmlns.com/foaf/0.1/>;
               :label "knows";
               :range foaf:Person .
      

      This information can then be used by a reasoner (such as the javascript one in the Tabulator) to deduce that the resources at either end of the foaf:knows relation are members of the foaf:Person class (a code sketch of this follows at the end of this list).

      Note also that there is no knowledge as to how those resources are served. In many cases they may be served by simple web servers sending resources back. In other cases the RDF may be generated by a script. Perhaps the resources could be generated by java objects served up by Jersey. The point is that the Tabulator does not need to know.

      Furthermore, the ontology information above is not out of band. It is GETable at the foaf:knows URI itself. The name of the relation links to information about the relation, which gives us enough to deduce further facts. This is hypertext - hyperdata in this case - at its best. Compare that with the JSON example given above. There is no way to tell what that JSON means outside the context of the totally misnamed 'Open Social RESTful API'. This is a limitation of JSON, or at least of this namespace-less version. One would have to add a mime type to the JSON to make it clear that it had to be interpreted in a particular manner for this application, but I doubt most JSON tools would know what to do with mime-typed JSON versions. And do you really want to go through a mime type registration process every time a social networking application wants to add a new feature or interact with new types of data?

      As Roy summarizes in one of the replies to his blog post:

      When representations are provided in hypertext form with typed relations (using microformats of HTML, RDF in N3 or XML, or even SVG), then automated agents can traverse these applications almost as well as any human. There are plenty of examples in the linked data communities. More important to me is that the same design reflects good human-Web design, and thus we can design the protocols to support both machine and human-driven applications by following the same architectural style.

      To get a feel for this it really helps to play with hyperdata applications other than ones residing in web browsers. The semantic address book is one such, which I spent some time writing.

    • A REST API should be entered with no prior knowledge beyond the initial URI (bookmark) and set of standardized media types that are appropriate for the intended audience (i.e., expected to be understood by any client that might use the API). From that point on, all application state transitions must be driven by client selection of server-provided choices that are present in the received representations or implied by the user's manipulation of those representations. The transitions may be determined (or limited by) the client's knowledge of media types and resource communication mechanisms, both of which may be improved on-the-fly (e.g., code-on-demand). [Failure here implies that out-of-band information is driving interaction instead of hypertext.]

      That is the out of band point made previously, and it confirms the point about the danger of protocols that depend on URI patterns, or on resources that are somehow typed at the protocol level. You should be able to pick up a URI and just go from there. With the Tabulator plugin you can in fact do just that on any of the URLs listed in my foaf file, or in other RDF.
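
    To make the foaf:knows deduction discussed above concrete, here is a minimal sketch using Sesame's RDFS inferencer; it assumes the foaf namespace URL still serves the ontology as RDF/XML. Load my card together with the ontology, and the rdfs:range of foaf:knows lets the ASK query succeed even though my file nowhere states that this resource is a Person:

    import java.net.URL;
    import org.openrdf.query.BooleanQuery;
    import org.openrdf.query.QueryLanguage;
    import org.openrdf.repository.Repository;
    import org.openrdf.repository.RepositoryConnection;
    import org.openrdf.repository.sail.SailRepository;
    import org.openrdf.rio.RDFFormat;
    import org.openrdf.sail.inferencer.fc.ForwardChainingRDFSInferencer;
    import org.openrdf.sail.memory.MemoryStore;

    public class KnowsImpliesPerson {
        public static void main(String[] args) throws Exception {
            // in-memory store with RDFS forward-chaining inference
            Repository rep = new SailRepository(
                    new ForwardChainingRDFSInferencer(new MemoryStore()));
            rep.initialize();
            RepositoryConnection con = rep.getConnection();
            con.add(new URL("http://bblfish.net/people/henry/card"),
                    null, RDFFormat.RDFXML);
            con.add(new URL("http://xmlns.com/foaf/0.1/"),
                    null, RDFFormat.RDFXML);
            // did the reasoner conclude that a foaf:knows target is a Person?
            BooleanQuery q = con.prepareBooleanQuery(QueryLanguage.SPARQL,
                "PREFIX foaf: <http://xmlns.com/foaf/0.1/> " +
                "ASK { <http://bigasterisk.com/foaf.rdf#drewp> a foaf:Person }");
            System.out.println(q.evaluate());
            con.close();
        }
    }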

    What's the point?

    Engineers under the spell of the client/server architecture will find some of this very counterintuitive. This is indeed why Roy's thesis - and the work done before it by the people who engineered the web, whose wisdom is distilled in various writings by the Technical Architecture Group - is so exceedingly original. These very simple principles, which can feel unintuitive to someone not used to thinking at a global information scale, make a lot of sense once you do come to think at that level. When you write such an open system, one that allows people to access information globally, you want to be able to send anyone a URI to any resource you are working with, so that both of you can speak about the same resource. Understanding what resource that URL is about should be achieved by GETting the meaning of the URL. If the meaning of that URL depends on the way you accessed it, then you can no longer just send a URL: you will have to send 8 or 9 URLs, with explanations on how to jump from one representation to the other. If some out of band information is needed - if one has to inspect the URL itself to understand what it is about - then you are not setting up an open protocol, but a secret one. Secret protocols may indeed be very useful in some circumstances, and so, as Roy points out, may non RESTful ones be:

    That doesn’t mean that I think everyone should design their own systems according to the REST architectural style. REST is intended for long-lived network-based applications that span multiple organizations. If you don’t see a need for the constraints, then don’t use them. That’s fine with me as long as you don’t call the result a REST API. I have no problem with systems that are true to their own architectural style.
    But note: it is then much more difficult to make use of the network effect: the value of information grows exponentially with its ability to be linked to other information. In another reply to a comment, Roy puts this very succinctly:
    encoding knowledge within clients and servers of the other side’s implementation mechanism is what we are trying to avoid.

    Monday Nov 10, 2008

    Possible Worlds and the Web

    Tim Berners-Lee, pressed to define his creation, said recently (from memory): "...my short definition is that the web is a mapping from URIs onto meaning".

    Meaning is defined in terms of possible interpretations of sentences, also known as possible worlds. Possible worlds, under the guise of the 5th and higher dimensions, are fundamental components of contemporary physics. When logic and physics meet we are in the realm of metaphysics. To find these two meeting in the basic architecture of the web should give anyone pause for thought.

    The following extract from the RDF Semantics spec is a good starting point:

    The basic intuition of model-theoretic semantics is that asserting a sentence makes a claim about the world: it is another way of saying that the world is, in fact, so arranged as to be an interpretation which makes the sentence true. In other words, an assertion amounts to stating a constraint on the possible ways the world might be. Notice that there is no presumption here that any assertion contains enough information to specify a single unique interpretation. It is usually impossible to assert enough in any language to completely constrain the interpretations to a single possible world, so there is no such thing as 'the' unique interpretation of an RDF graph. In general, the larger an RDF graph is - the more it says about the world - then the smaller the set of interpretations that an assertion of the graph allows to be true - the fewer the ways the world could be, while making the asserted graph true of it.

    A few examples may help here. Take the sentence "Barack Obama is the 44th president of the U.S.A". There are many, many ways the world - the complete four dimensional space-time continuum from the beginning of the universe to its end, if there is one - could be, and that sentence still be true. For example I could not have bothered to write this article now, I could have written it a little later, or perhaps not at all. There is a world in which you did not read it. There is a world in which I went out this morning to get a baguette from one of the many delicious local french bakeries. The world could be all these ways and yet Barack Obama still be the 44th president of the United States.

    In N3 we speak about the meaning of a sentence by quoting it with '{' '}'. So for our example we can write:

    @prefix dbpedia: <http://dbpedia.org/resource/> .
    { dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } = :g1 .
    

    :g1 is the set of all possible worlds in which Obama is president of the USA. The only worlds not part of that set are the worlds where Obama is not president, but say McCain or Sarah Palin is. That McCain might have become president of the United States is quite conceivable. Both meanings are understandable, and we can speak about both of them:

    @prefix dbpedia: <http://dbpedia.org/resource/> .
    { dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } = :g1 .
    { dbpedia:John_McCain a dbpedia:President_of_the_United_States . } = :g2 .
    :g1 :hopedBy :george .
    :g2 :fearedBy :george .
    :g1 :fearedBy :jane .
    

    I.e. we can say that George hopes Barack Obama to be the 44th president of the United States, while Jane fears it.

    Assume wikipedia had a resource for each member of the list of presidents of the USA, and that we were pointing to the 44th element above. Then even though we can speak about both :g1 and :g2, there is no world that fits them both: the intersection of :g1 and :g2 is { }, the empty set, whose extension, according to David Lewis' book on Mereology, is the fusion of absolutely all possibilities - the thing that is everything, everywhere, and around at all times. I.e. you make no distinction when you say that: you don't say anything.

    The definition of meaning in terms of possible worlds makes a few things very simple to explain. Implication is one of them. If every president has to be human, then:

    
    @prefix log: <http://www.w3.org/2000/10/swap/log#> .
    { dbpedia:Barack_Obama a dbpedia:President_of_the_United_States . } log:implies { dbpedia:Barack_Obama a dbpedia:Human . }
    

    I.e. the set of possible worlds in which Obama is president of the United States is a subset of the set of worlds in which he is human. There are, after all, worlds in which Barack is just living a normal lawyer's life.
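
    In symbols - the double-bracket notation is mine, not the spec's - write [[g]] for the set of worlds in which a graph g is true. Then:

    \[
    g_1 \;\mathrm{log{:}implies}\; g_2
    \quad\Longleftrightarrow\quad
    [\![ g_1 ]\!] \subseteq [\![ g_2 ]\!]
    \]

    and the contradictory pair of the previous example comes out as [[g1]] ∩ [[g2]] = ∅: no possible world makes both graphs true.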

    So what is this mapping from URIs to meaning that Tim Berners-Lee is talking about? I interpret him as speaking of the log:semantics relation.

    
    @prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
    log:semantics a rdf:Property;
             :label "semantics";
             :comment """The log:semantics of a document is the formula.
             achieved by parsing representation of the document.
              For a document in Notation3, log:semantics is the
              log:parsedAsN3 of the log:contents of the document.
              For a document in RDF/XML, it is parsed according to the
              RDF/XML specification to yield an RDF formula [snip]""";
             :domain foaf:Document;
             :range log:Formula .
    

    Of course it is easier to automate the mapping for resources that return RDF based representations, but log:semantics can be applied to any document. Any web page, even one written in a natural language, has some semantics. It is just that they currently require very advanced wetware processors to interpret them. These can indeed be very specialised wetware processors, such as those one meets at airports.

    Wednesday Sep 17, 2008

    Are OO languages Autistic?

    illustration of a simple play

    One important criterion of Autism is the failure to develop a proper theory of mind.

    A standard test to demonstrate mentalizing ability requires the child to track a character's false belief. This test can be done using stories, cartoons, people, or, as illustrated in the figure, a puppet play, which the child watches. In this play, one puppet, called Sally, leaves her ball in her basket, then goes out to play. While she is out, naughty Anne moves the ball to her own box. Sally returns and wants to play with her ball. The child watching the puppet play is asked where Sally will look for her ball (where does Sally think it is?). Young children aged around 4 and above recognize that Sally will look in the basket, where she (wrongly) thinks the ball is.
    Children with autism will tend to answer that Sally will look for the ball in the box.

    Here are two further descriptions of autism from today's version of the Wikipedia article:

    The main characteristics of Autism are impairments in social interaction, impairments in communication, restricted interests and repetitive behavior.
    Sample symptoms include lack of social or emotional reciprocity, stereotyped and repetitive use of language or idiosyncratic language, and persistent preoccupation with parts of objects.

    In order to be able to have a theory of mind one needs to be able to understand that other people may have a different view of the world. On a narrow three dimensional understanding of 'view', this reveals itself in that people at different locations in a room will see different things. One person may be able to see a cat behind a tree that is hidden to another. In some sense these two views can easily be merged into a coherent description; they are not contradictory. But we can do the same in higher dimensions. We can think of people as believing themselves to be in one of a number of possible worlds. Sally believes she is in a world where the ball is in the basket, whereas Ann believes she is in a world where the ball is in the box. Here the worlds are contradictory. They cannot both be true of the actual world.

    To be able to make this type of statement one has to be able to do at least the following things:

    • Speak of ways the world could be
    • Refer to objects across these worlds
    • Compare these worlds
    The ability to do this is present in none of the well known Object Oriented (OO) languages by default. One can add it, just as one can add garbage collection to C, but it requires a lot of discipline and care. It does not come naturally. Perhaps a bit like a person with Asperger's syndrome can learn to interact socially with others, but in a reflective, awkward way.

    Let us illustrate this with a simple example. Let us see how one could naively program the puppet play in Java. Let us first create the objects we will need:

    Person sally = new Person("Sally");
    Person ann = new Person("Ann");
    Container basket = new Container("Basket");
    Container box = new Container("Box");
    Ball ball = new Ball("b1");
    Container room = new Container("Room");
    
    So far so good. We have all the objects. We can easily imagine code like the following to add the ball into the basket, and the basket into the room.
    basket.add(ball);
    room.add(basket);
    
    Perhaps we have methods whereby the objects can ask what their container is. This would be useful for writing code to make sure that a thing could not be in two different places at once - in the basket and in the box, unless the basket was in the box.
    Container c = ball.getImmediateContainer();
    Assert.true(c == basket);
    try {
          box.add(ball);
          Assert.fail();
    } catch (InTwoPlacesException e) {
    }
    
    All that is going to be tedious coding, full of complicated issues of its own, but it's the usual stuff. Now what about the beliefs of Sally and Ann? How do we specify those? Perhaps we can think of sally and ann as being small databases of objects they are conscious of. Then one could just add the objects like this:
    sally.consciousOf(basket,box,ball);
    ann.consciousOf(basket,box,ball);
    
    But the problem should be obvious now. If we move the ball from the basket to the box, the state of the objects in sally's and ann's databases will be exactly the same! After all, they are the same objects!
    basket.remove(ball);
    box.add(ball);
    Ball sb = sally.get(Ball.class,"b1");
    Assert.true(box.contains(sb));
    //that is because
    Ball ab = ann.get(Ball.class,"b1");
    Assert.true(ab==sb);
    
    There is really no way to change the state of the ball for one person and not for the other... unless perhaps we give both people different objects. This means that for each person we would have to make a copy of all the objects that they could think of. But then we would have a completely different problem: deciding when two such objects are the same. For it is usually understood that the equality of two objects depends on their state. One would not usually think that a physical object could be the same if it was in two different physical places. Certainly, if we had a ball b1 in a box and another ball b2 in a basket, what on earth would allow us to say we were speaking of the same ball? Perhaps their name, if we could guarantee that we had unique names for things. But we would still have some pretty odd things going on: we would have objects that would somehow be equal, yet be in completely different states! And this is just the beginning of our problems. Just think of the dangers involved in taking an object from ann's belief database, and how easy it would be, by mistake, to allow it to be added to sally's belief store.

    These are not minor problems. These are problems that have dogged logicians for the last century or more. To solve them properly one should look for languages inspired by the work of such logicians. The most serious such project is now known as the Semantic Web.

    Using N3 notation we can write the state of affairs described by our puppet show, and illustrated by the above graph, out like this:

    @prefix : <http://test.org/> .
    
    :Ann :believes { :ball :in :box . } .
    :Sally :believes { :ball :in :basket . } .
    

    N3 comes with a special notation for grouping statements by placing them inside of { }. We could then easily ask who believes the ball is in the basket using SPARQL

    PREFIX : <http://test.org/>
    SELECT ?who
    WHERE {
         GRAPH ?g1 { :ball :in :basket }
         ?who :believes ?g1 .
    }
    

    The answer would bind ?who to :Sally, but not to :Ann.

    RDF therefore gives us the basic tools to escape from the autism of simpler languages:

    • One can easily refer to the same objects across contexts, as URIs are the basic building block of RDF
    • The basic units of meaning are sets of relations - graphs - and these are formally described.
    
    The above allows one to query for objects across contexts, and so to compare, merge and work with those contexts.

    It is quite surprising, once one realizes this, to think how many languages claim to be web languages and yet fail to have any default space for the basic building blocks of the web: URIs and the notion of different points of view. When one fetches information from a remote server, one just has to take into account the fact that the server's view of the world may be different from, and incompatible in some respects with, one's own. In an open world one cannot just assume that everybody agrees with everything. One is forced to develop languages that enable a theory of mind. A lot of failures in distributed programming can probably be traced down to working with tools that don't.

    Of course tools can be written in OO languages to work with RDF. Very good ones have been written in Java, such as Sesame, making it possible to query repositories for beliefs across contexts (see this example). But they bring to bear concepts that don't sit naturally with Java, and one should be aware of this. OO languages are good for building objects such as browsers, editors, simple web servers, transformation tools, etc. But they don't make it easy to develop tools that require even the most basic elements of a theory of mind, and so most things to do with communication. For that one will have to use the work done in the semantic web space and familiarize oneself with the languages and tools developed for working with it.
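
    For the curious, here is roughly how the Sally and Ann example comes out with Sesame's contexts (named graphs). The context URIs are hypothetical names I chose for the two belief stores:

    import org.openrdf.model.URI;
    import org.openrdf.model.ValueFactory;
    import org.openrdf.repository.Repository;
    import org.openrdf.repository.RepositoryConnection;
    import org.openrdf.repository.sail.SailRepository;
    import org.openrdf.sail.memory.MemoryStore;

    public class SallyAnn {
        public static void main(String[] args) throws Exception {
            Repository rep = new SailRepository(new MemoryStore());
            rep.initialize();
            RepositoryConnection con = rep.getConnection();
            ValueFactory vf = rep.getValueFactory();

            String ns = "http://test.org/";  // the namespace from the N3 above
            URI ball = vf.createURI(ns, "ball"), in = vf.createURI(ns, "in");
            URI box = vf.createURI(ns, "box"), basket = vf.createURI(ns, "basket");
            URI sallysView = vf.createURI(ns, "sallyBeliefs"); // hypothetical
            URI annsView = vf.createURI(ns, "annBeliefs");     // context names

            // the very same ball URI, in two incompatible belief contexts
            con.add(ball, in, basket, sallysView);
            con.add(ball, in, box, annsView);

            // true in Sally's context, false in Ann's
            System.out.println(con.hasStatement(ball, in, basket, false, sallysView));
            System.out.println(con.hasStatement(ball, in, basket, false, annsView));
            con.close();
        }
    }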

    Finally, the semantic web also has its OO style, with the Web Ontology Language (OWL). This is just a set of relations to describe classes and relations. Notice though that it is designed for intra-context inference, i.e. all the inferences you can make within a world. So in that sense thinking in OO terms, even at the Semantic Web layer, does not touch on thinking across contexts, or mentalizing. Mind you, since people deal with objects, it is also important to think about objects in order to understand people. But that is just one part of the problem.


    Thursday Sep 04, 2008

    Building Secure, Open and Distributed Social Network Applications

    Current social networks don't allow you to have friends outside their network. When on Facebook, you can't point to your friend on LinkedIn. They are data silos. This audio enhanced slide show explains how a distributed decentralized social network is being built, how it works, and how to make it secure using the foaf+ssl protocol (a list of pointers is on the esw wiki).

    It is licensed under a CC Attribution ShareAlike Licence.
    My voice is a bit odd on the first slide, but it gets better, I think, as I go along.

    Building Secure Open & Distributed Social Networks( Viewing this slide show requires a flash plugin. Sorry I only remembered this limitation after having put it online. If you know of a good Java substitute let me know. The other solution would have been to use Slidy. PDF and Annotated Open Document Format versions of this presentation are available below. (why is this text visible in Firefox even when the plugin works?) )

    This is the presentation I gave at JavaOne 2008 and at numerous other venues in the past four months.

    The slidecast works a lot better as a presentation format than my previous semantic web video, RDF: Connecting Software and People, which I published as an h.264 video a couple of years ago, and which takes close to 64MB of disk space. The problem with that format is that it is not easy to skip through the slides to the ones that interest you, or to go back and listen to a passage again - or at least it feels very clunky. My mp3 sound file only takes 17MB in comparison, and the graphics are much better quality in this slide show.

    It is hosted by the excellent slideshare service, which translated my OpenOffice odp document (once it was cleaned up a little: I had to make sure it had no pointers to local files remaining accessible from the Edit>Links menu, which otherwise choked their service). I used the Audacity sound editor to create the mp3 file, which I then placed on my bblfish.net server. Syncing the sound and the slides was then very easy using SlideShare's SlideCast application. I found that the quality of the slides was a lot better once I had created an account on their servers. The only thing missing is a button, in addition to the forward and backward buttons, that would show the text of the audio, for people with hearing problems - something equivalent to the Notes view in OpenOffice.

    You can download the OpenOffice Presentation which contains my notes for each slide and the PDF created from it too. These are all published under a Creative Commons Attribution, Share Alike license. If you would like some of the base material for the slides, please contact me. If you would like to present them in my absence feel free to.

    Tuesday Aug 26, 2008

    Sun Intranet Foaf Experiment

    image of Address Book displaying internal sun foaf

    Building a foaf server from an ldap directory is pretty easy. Rinaldo Di Giorgio put a prototype server together for Sun in less than a week. As a result everyone in Sun now has an experimental, temporary foaf id that we can use to try out a few things.
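
    None of that internal code is published, but the general shape of such an ldap-to-foaf mapping is easy to guess at. A hedged sketch using plain JNDI - the directory URL, base DN and attribute names below are all made up:

    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.directory.Attributes;
    import javax.naming.directory.DirContext;
    import javax.naming.directory.InitialDirContext;

    public class LdapToFoaf {
        public static void main(String[] args) throws Exception {
            Hashtable<String, String> env = new Hashtable<String, String>();
            env.put(Context.INITIAL_CONTEXT_FACTORY,
                    "com.sun.jndi.ldap.LdapCtxFactory");
            env.put(Context.PROVIDER_URL, "ldap://ldap.example.com:389");
            DirContext ctx = new InitialDirContext(env);

            // entirely hypothetical DN and attribute names
            Attributes a = ctx.getAttributes(
                    "uid=hjs,ou=people,dc=example,dc=com",
                    new String[] { "cn", "mail" });

            // emit a minimal foaf description in Turtle
            System.out.println("@prefix foaf: <http://xmlns.com/foaf/0.1/> .");
            System.out.println("<#me> a foaf:Person ;");
            System.out.println("    foaf:name \"" + a.get("cn").get() + "\" ;");
            System.out.println("    foaf:mbox <mailto:" + a.get("mail").get() + "> .");
            ctx.close();
        }
    }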

    So what can one do with foaf that one could not so easily do with ldap? Well, the semantic web is all about linking and meshing information. So one really simple thing to do is to link an external foaf file with the internal one. I did this by adding an owl:sameAs statement to my public foaf file that links my public and my Sun id. (It would be better to link the internal foaf file to the external one, but that would have required a bit more work internally.) As a result, by dragging and dropping my foaf file onto today's release of the AddressBook, someone who is inside the Sun firewall can follow both my internal and my external connections. Someone outside the firewall will not be able to follow the internal link.

    By extending the internal foaf server a little more, one could easily give people inside of Sun a place to link to their external business connections, wherever they might be in the world. To allow other companies to do this too, it would of course help if everyone in Sun had a minimally public foaf ID, which would return only minimal information, or whatever the employee was comfortable revealing about themselves. This would allow Sun to present a yet more human face to the world.

    Well, that's just a thought, and this is just an experiment. Hopefully it will make the semantic web more real for us here, and allow people to dream up some great ways of bringing the open source world together, ever closer.

    PS. For people inside of Sun it may be easier to just drag my internal foaf file directly onto the AddressBook (started via jnlp). Otherwise, to get the internal foaf file to download, you need to click the "fetch" button next to the "same As" combo box when viewing my info. Then you need to switch to "Last Imported" and back, to allow "Bernard Traversat" to appear in the second column. He appears as someone I foaf:know after the merger of the internal and the external foaf. I know this is clumsy, and I'll try to think up a way to make this more user friendly very soon. You are welcome to participate in the Address Book Project.

    PPS. Sun internal users can get more info on the project home page.

    PPPS. We of course use the Firefox Tabulator plugin too for tests. It gives a different interface to my AddressBook: more flexible, but less specialised... The Tabulator web application does not work currently, because we only produce Turtle output. This is to avoid developers trying to use DOM tools to process these pages, as we don't want to put work into an RDF crystalisation. (Note: if at some later time you find that the plugin is not compatible with the latest version of Firefox, you can manually disable compatibility checks.)
