Archive for June, 2005
It’s Day 2 at the eBay Developers Conference.
Security is always a trade-off between convenience and safety. Over the years, eBay has continually worked at balancing the two, and we’ve learned a lot. In “Securing the eBay Marketplace,” our Chief Security Architect, Liam Lynch, is sharing key points.
So far, he’s covered
- SQL injection attacks
- Filtering input
- Cross site scripting
- Phishing attacks
- Hashing versus encryption
- Federated identity and authentication
- And a few more that I’m missing
Right now, he’s going over the OWASP Top Ten.
One of the interesting points that Liam’s making is that security isn’t a one-time thing. It’s an evolving notion. Also, security isn’t an absolute.
For example, eBay allows sellers to embed HTML inside an item listing. This presents a security risk, as people can try to use it to do malicious things. We could easily eliminate this issue by eliminating HTML, but that doesn’t make for very interesting item descriptions. Therefore, eBay has set up a series of input filters to allow only “good” HTML and strip out the “bad” HTML. This isn’t easy, as the definition of “good” and “bad” is always changing, and we strive to strike the proper balance between the two.
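The allowlist approach described above, as an added example that is not eBay’s code and is not how eBay’s filters are implemented: a small Python sanitizer built on the standard library’s HTMLParser that keeps only a fixed set of tags and attributes, drops script and style content entirely, only passes link and image URLs with http or https schemes, and closes any tags the seller left open so the output is well-formed. The tag set, attribute set and scheme list are assumptions chosen for illustration; a real listing filter would maintain a much larger and more carefully reviewed allowlist.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed policy for the example: everything not listed here is stripped.
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
VOID_TAGS = {"br", "img"}            # never get a closing tag
DROP_CONTENT_TAGS = {"script", "style"}  # tag and its text both go


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup from scratch, emitting only allowlisted pieces."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of emitted non-void tags, for balancing
        self.skip_depth = 0   # >0 while inside <script>/<style>

    @staticmethod
    def _safe_url(value):
        # Rejects javascript:, data:, vbscript: and any other scheme not listed.
        return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag: dropped, its text content still flows through
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # covers onclick=, onerror=, style=, etc.
            if name in URL_ATTRS and not self._safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray or disallowed end tag
        # Close everything opened after this tag, then the tag itself.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        if self.skip_depth:
            return
        # Re-escape text so stray < and & cannot form new markup.
        self.out.append(escape(data, quote=False))


def sanitize(html):
    """Return an allowlisted, well-formed version of untrusted listing HTML."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    while parser.open_tags:  # close whatever the input left open
        parser.out.append(f"</{parser.open_tags.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample listing fragments, not real eBay data.
    samples = [
        '<p>Nice <b>couch</b></p><script>alert(1)</script>',
        '<a href="javascript:alert(1)" onclick="x()">link</a>',
        '<img src="http://example.com/a.png" alt="pic" onerror="evil()">',
        '<b>bold <i>it</b>',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

The design choice worth noting is that the filter rebuilds output from an allowlist rather than trying to spot “bad” constructs in the input: a denylist has to be updated every time a new trick appears, which is exactly the moving target the post describes. Even so, the allowlist itself (which tags, which attributes, which URL schemes) still needs periodic review, and for production use a maintained sanitizer library is the better choice than hand-rolled parsing.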
Both JavaOne and Where 2.0 are in SF, so they’re close to home and a good excuse to avoid the trip down to San Jose. I went to JavaOne last year, but I’m really not a Java guy, so I’m not sure if I’ll go back. Greg and Sean are speaking, so I will let them do the recon for me.
I will be going to Where 2.0. Despite the version number, this is O’Reilly’s first conference on “Where,” or on location aware and mapping services on the Internet. I’ve looked over the program, and I can’t tell if I’ll be fascinated or bored. I think the first.
eBay, Inc. (as distinct from eBay.com, or the eBay marketplace) has increasingly moved into the local arena in the past year. We purchased 25% of craigslist; started Kijiji (craigslist for non-English speaking people); and most recently bought Rent.Com.
All of these sites are leaders in e-commerce at the local level. They’re quite distinct from the value proposition of the eBay marketplace, which is about creating a “perfect” global marketplace by removing local inefficiencies. Instead, they realize that when you’re looking for certain things — couches, apartments, jobs, potential boyfriends and girlfriends — it’s important to aggregate the largest amount of quality listings on a micro-local basis. While I don’t mind driving 30 minutes to buy an air conditioner, it’s even easier if I can walk down the block, and I’m even willing to sacrifice $5 on the price for the service.
In my case, when I moved from Manhattan to San Francisco, I sold both my air conditioners to people in my apartment building. I simply posted a paper flyer in the entryway, two people called, and I was done in 40 minutes. If that didn’t work, my next step would have been craigslist, not eBay. Who wants to pay to ship an air conditioner? (Additionally, who wants to package up an air conditioner? Not me.)
Now, the eBay marketplace does have a local component, too. You can restrict your searches to items within a certain radius of a specific ZIP code. This is most useful for larger items, such as what’s available on eBay Motors.
John Donahoe, the new president of the eBay marketplace, told us a story yesterday about how he sold his car on eBay Motors to someone in Sunnyvale (which is 10 minutes away from his house). The guy came over 15 minutes after contacting John, decided he liked it, and paid with a cashier’s check the next day. What could be easier?
Despite this, I’m sure there are tons of other things eBay can be doing to get more local. The craigslist / Google Maps mashup is a perfect example. Why doesn’t eBay have a shared mapping server for all of our sites to use? (For that matter, why doesn’t craigslist have a Web services API?)
Another aspect of local is cell phones. I want to be able to SMS craigslist or Rent.com and ask for the locations of apartments for rent within 4 blocks of my current location. We have the data, we just need to open up the interfaces.
Hopefully, I’ll get some additional great ideas from Where 2.0 that I can bring back to eBay and figure out how we and our developers can deploy them.
eBay Live! has always put out a Daily Chatter print newsletter, but apparently daily is too slow for 2005. :)
I know we have over 10 people signed up to blog the Developers Conference, so updates should be fast and furious over the conference WiFi network.
The O’Reilly Open Source Convention (OSCON) early bird deadline is next Monday, June 20th.
This year’s crop of PHP speakers is the best yet: Rasmus and Andi, Derrick and Ilia, George and King Wez. Plus Andrei, Chris Shiflett, David Sklar, John Coggeshall, the list goes on. (And I will be speaking on Services_Ebay.)
Besides a wide selection of PHP speakers, OSCON has the advantage of bringing in top-notch speakers on Perl, Python, Ruby, Linux, XML, MySQL, Postgres, and even (sigh) Java. It’s great to learn about PHP, but I really value the opportunity to sit in on AJAX and Parrot and Ruby on Rails talks. This is the real value of OSCON over php|works or the International PHP Conference. (Both of which are great, don’t get me wrong, but they have a different focus.)
If you’re heading to Portland this August 1-5 (which I strongly suggest you do), now is the time to register to save big bucks.
The spammers have found my new WP site. I have received over 50 bogus “casino” comments in the past day. They’re all being flagged for moderation, so they’re not making it live, but they’re filling up my INBOX with junk.
I hate spammers.
I have somehow neglected to mention the one event that’s been taking most of my May and June — the eBay Developers Conference.
We have a two day conference coming up this June 21 and 22 in San Jose all about eBay and PayPal Web services. If you’re at all interested in eBay or PayPal Web services, this is the place to be. (Duh.)
Attendance is quite strong. We even have people from other major web services companies signing up, presumably to steal our good ideas. I guess that’s only fair, as I am stealing theirs.
Since this year’s conference is in our home town, we’re able to bring busloads of staff to the show from all areas of the team: business folks, developer technical support, documentation, product managers, QA, even the backend API engineers. We’re also borrowing from other areas of the organization. For example, one of our security experts is talking about how to write secure applications.
There are over 30 different sessions. I’m giving two: “Building eBay Applications using PHP 5 and Services_Ebay” and “Community Collaboration on the eBay Platform”. The Services_Ebay talk covers Stephan Schmidt’s PHP 5 PEAR package. The other talk is centered around some new things we’re doing to help support developers working with other developers. Sorry I can’t give more details, but it’s a bit of a surprise.
Best of all, we somehow have the least expensive 2 day technical conference in the world. The price is only $395. (The super early bird price was $295.) That’s keynotes, 4 parallel tracks, 2 days of roundtable lunches, and a beer bust. It also includes free admission to eBay Live!, a $70 value.
You can register online. Do it before June 17th to save $50.
I’m skimming two interesting books this week. One old. One new. One borrowed. None blue.
The Art of Project Management by Scott Berkun. For some unknown reason this book showed up in my mailbox at work last week. I’m not quite sure who at O’Reilly decided I needed a copy, but I’m happy someone did. (O’Reilly is happy to send me any books of theirs I want, but I normally need to ask first.)
Right now at work I’m more focused on general management than project management, so I can’t quite bring myself to read it cover to cover, but I’ve been skipping around from place to place. Some of the lessons and tips are quite applicable, and I pretty much agree with most of what Scott has to say. He’s got a web site with a bunch of essays. Here’s one how to pitch an idea.
The Age of Discontinuity by Peter Drucker. I crashed at a buddy’s house for a few days before the first FOO Camp in 2003. While there, I read selections from his collection of Whole Earth Catalogs and came across a great quotation from a book review:
Since the computer first appeared in the late 1940’s the information industry has been a certainty. But we do not have it yet. We still do not have the effective means to build an “information system….” We do not have the equivalent of Edison’s light bulb. What we are lacking is not a piece of hardware like a light bulb. What we still have to create is the conceptual understanding of information. As long as we have to translate laboriously every set of data into a separate “program,” we do not understand information. We have to be capable of classifying information according to its characteristics. We have to have a “notation,” comparable to the one St. Ambrose invented 1,600 years ago to record music, that can express words and thoughts in symbols appropriate to electronic pulses rather than in the clumsy computer language of today. Then each person could, with very little training, store his own data within a general system… Then we shall have true “information systems.”
With all the buzz about the semantic web and tagging folksonomies, I find it fascinating that Drucker started talking about the importance of making it easy to remix data in 1969. As a point of reference to frame the time, here’s another quotation: “Only now, when IBM is turning them out at a rate of a thousand a month, are computers starting to have substantial economic impact.”
Here we are, millions of computers later, and we’re still tackling the same issue.
When I stopped by to pick up Beth from work earlier this week, we ended up taking a tour of the main branch of the SF public library. While we were there, I finally got my SFPL library card. Since it was burning a hole in my wallet and I saw they had Drucker’s book, I checked it out.
With Web 2.0 (for lack of a better term) upon us, I’m convinced there’s got to be something to learn from his observations on the computer age 35 years ago. In particular, Part One, “The Knowledge Technologies,” and Part Four, “The Knowledge Society,” seem to be of particular interest.
Regardless, Drucker was right about one thing. We certainly are in The Age of Discontinuity.