Web Services

Heading to OSCON

I am heading to OSCON on Sunday afternoon. I will be there all week.

On Tuesday, I am participating in the mother of all PHP user group meetings, and on Thursday I am speaking on Services_Ebay.

Please come on by.

Let me know if you want to hang out. When I’m not at the show, I will be off drinking draft Fred.

Introducing eBay Community Codebase

Unlike many Web services, eBay has a large number of commercial developers who pay us money to hook up to our site. However, we’ve never gotten as many open source developers using our Web services as I want.

The obvious reason is that we charged money for access to our Production API servers, and even then we only gave you a miserly 50 calls per day. Happily, we have finally gotten rid of the $100 self-certification fee. Now you can join up at the Individual Tier and start making calls against real live eBay data without paying us a nickel.

We also upped the call limit to 10,000 API calls per month. We think this should be enough for people to be able to write meaningful applications, but if you’re running into the limit, let me know.

Additionally, we introduced the eBay Community Codebase. Another one of the issues with writing eBay Web service applications is that our APIs are quite extensive — we have over 100 API calls and they’re available for 22 different countries’ worth of sites (plus eBay Motors). It’s possible to write some pretty complex applications. Complex enough that you’d want to work together with others on a project.

Community Codebase is a central repository of open source eBay projects with hosting, version control, mailing lists, bug trackers, and more. (Think of it as SourceForge for eBay. Actually, think of it as CollabNet for eBay, which is what it really is.)

We’ve stocked the pond with a few of our own projects, including our eBay/TiVo mashup. We’ve also been quite excited to see a bunch of other contributions, including a PHP SDK, a Perl DBD interface, and a Java category cacher.

I’m also revving up Services_Ebay development, but that’s the topic of another post.

Please come on by and check out the eBay Community Codebase.

Securing the eBay Marketplace

It’s Day 2 at the eBay Developers Conference.

Security is always a trade off between convenience and safety. Over the years, eBay has continually worked at balancing the two issues, and we’ve learned a lot. In “Securing the eBay Marketplace,” our Chief Security Architect, Liam Lynch, is sharing key points.

So far, he’s covered

  • SQL injection attacks
  • Filtering input
  • Cross site scripting
  • Phishing attacks
  • Hashing versus encryption
  • Federated identity and authentication
  • And a few more that I’m missing

Right now, he’s going over the OWASP Top Ten.

One of the interesting points that Liam’s making is that security isn’t a one-time thing. It’s an evolving notion. Also, security isn’t an absolute.

For example, eBay allows sellers to embed HTML inside an item listing. This presents a security risk, as people can try and use this to do malicious things. We could easily eliminate this issue by eliminating HTML, but that doesn’t make for very interesting item descriptions. Therefore, eBay’s set up a series of input filters to only allow “good” HTML and strip out the “bad” HTML. This isn’t easy, as the concept of “good” and “bad” is always changing, as we strive to strike the proper balance between the two.

Global versus local marketplaces

The rest of the month is shaping up as a conference-fest for me. I’ve already mentioned my two eBay conferences, but immediately after are Sun’s JavaOne and the O’Reilly Where 2.0 shows.

Both JavaOne and Where 2.0 are in SF, so they’re close to home and a good excuse to avoid the trip down to San Jose. I went to JavaOne last year, but I’m really not a Java guy, so I’m not sure if I’ll go back. Greg and Sean are speaking, so I will let them do the recon for me.

I will be going to Where 2.0. Despite the version number, this is O’Reilly’s first conference on “Where,” or on location aware and mapping services on the Internet. I’ve looked over the program, and I can’t tell if I’ll be fascinated or bored. I think the first.

eBay, Inc. (as distinct from eBay.com, or the eBay marketplace) has increasingly moved into the local arena in the past year. We purchased 25% of craigslist; started Kijiji (craigslist for non-English speaking people); and most recently bought Rent.Com.

All of these sites are leaders in e-commerce at the local level. They’re quite distinct from the value proposition of the eBay marketplace, which is about creating a “perfect” global marketplace by removing local inefficiencies. Instead, they realize that when you’re looking for certain things — couches, apartments, jobs, potential boy and girlfriends — that it’s important to aggregate the largest amount of quality listings on a micro-local basis. While I don’t mind driving 30 minutes to buy an air conditioner, it’s even easier if I can walk down the block, and I’m even willing to sacrifice $5 on the price for the service.

In my case, when I moved from Manhattan to San Francisco, I sold both my air conditioners to people in my apartment building. I simply posted a paper flyer in the entryway, two people called, and I was done in 40 minutes. If that didn’t work, my next step would have been craigslist, not eBay. Who wants to pay to ship an air conditioner? (Additionally, who wants to package up an air conditioner? Not me.)

Now, the eBay marketplace does have a local component, too. You can restrict your searches to items within a certain radius of a specific ZIP code. This is most useful for larger items, such as what’s available on eBay Motors.

John Donahoe, the new president of the eBay marketplace, told us a story yesterday about how he sold his car on eBay Motors to someone in Sunnyvale (which is 10 minutes away from his house). The guy came over 15 minutes after contacting John, decided he liked it, and paid with a cashier’s check the next day. What could be easier?

Despite this, I’m sure there are tons of other things eBay can be doing to get more local. The craigslist / Google Maps mash up is a perfect example. Why doesn’t eBay have a shared mapping server for all of our sites to use? (For that matter, why doesn’t craigslist have a Web services API?)

Another aspect of local is cell phones. I want to be able to SMS craigslist or Rent.com and ask for the locations of apartments for rent within 4 blocks of my current location. We have the data, we just need to open up the interfaces.

Hopefully, I’ll get some additional great ideas from Where 2.0 that I can bring back to eBay and figure out how we and our developers can deploy them.

Blogging eBay Developers Conference and eBay Live!

In a new experiment for eBay, we’re blogging the eBay Developers Conference and eBay Live!.

eBay Live! has always put out a Daily Chatter print newsletter, but apparently daily is too slow for 2005. :)

I know we have over 10 people signed up to blog the Developers Conference, so updates should be fast and furious over the conference WiFi network.

eBay Developers Conference: June 21-22

I have somehow neglected to mention the one event that’s been taking most of my May and June — the eBay Developers Conference.

We have a two day conference coming up this June 21 and 22 in San Jose all about eBay and PayPal Web services. If you’re at all interested in eBay or PayPal Web services, this is the place to be. (Duh.)

Attendance is quite strong. We even have people from other major web services companies signing up, presumably to steal our good ideas. I guess that’s only fair, as I am stealing theirs.

Since this year’s conference is in our home town, we’re able to bring busloads of staff to the show from all areas of the team: business folks, developer technical support, documentation, product managers, QA, and even the backend API engineers. We’re also borrowing from other areas of the organization. For example, one of our security experts is talking about how to write secure applications.

There are over 30 different sessions. I’m giving two: “Building eBay Applications using PHP 5 and Services_Ebay” and “Community Collaboration on the eBay Platform”. Services_Ebay is on Stephan Schmidt’s PHP 5 PEAR package. The other talk is centered around some new things we’re doing to help support developers working with other developers. Sorry I can’t give more details, but it’s a bit of a surprise.

Best of all, we somehow have the least expensive 2 day technical conference in the world. The price is only $395. (The super early bird price was $295.) That’s keynotes, 4 parallel tracks, 2 days of roundtable lunches, and a beer bust. It also includes free admission to eBay Live!, a $70 value.

You can register online. Do it before June 17th to save $50.

Safari, XMLHttpRequest, and WebDAV

Apparently, Safari’s implementation of the XMLHttpRequest object doesn’t support HTTP methods other than GET and POST. If you try to use anything else, say SEARCH, then it’s silently converted to GET.

I guess this is supposed to protect me from doing something wrong, but really it’s just not trusting me to know what I want to do. I hate this. And it’s not as if this is a technical issue. All Safari has to do is insert the string into the HTTP request, just as it’s already doing for GET and POST. There’s no new logic to handle arbitrary methods.

Not surprisingly, smarter browsers, say Firefox, aren’t quite so inhibited.

This has put a bit of a crimp in my plan to write a calendar Dashboard widget that pulls data from Outlook using WebDAV. I can work around this, but I’m not sure if it’s worth the effort. Stupid Apple.

Outlook Calendar REST API

I’ve been thinking about useful, but non-existent, web services lately. What I want is a REST interface to my Outlook calendar (i.e. “the one I’m forced to use at work”) that serves up vCalendar data. (Actually vCalendar isn’t XML, but there looks to be an XML version. I would prefer that, as I could always transform XML to standard vCal using XSLT.) I will then take that data and write a nifty Dashboard widget to display my next appointment on my Macintosh.

I know there must be some way to do this. I’ve seen products that sync calendar data with Outlook, but the files I found on the Microsoft web site weren’t too helpful in getting me started. I couldn’t tell if I need to use Windows to communicate with Exchange using some special protocol, or if I can do it from Linux using standards. Ah, Microsoft.