2005-06-02 06:40 am (UTC)
This doesn't seem like a good idea to me.
First, everyone who used the bot would have to give it their LJ password. This is just a terrible idea for security. AIM traffic is unencrypted and easy to sniff (and is sniffed, believe me) and not a medium to send passwords over. On the other hand, if the password were sent out-of-band (like on an SSL-protected web form when users set up their access to the bot), your server then becomes a big repository of passwords, making it extremely tempting to crackers. How experienced in this stuff are you? Make one subtle quoting mistake in a PHP script, open a security hole, and suddenly the journals of everyone who's used your service are compromised. Do you want your fun project to involve that kind of responsibility?
(Sure, there is no money involved in breaking into LJ accounts. But there is oh-so-much drama on LJ that I'm sure many people would love to do it, just to get back at people or cause trouble.)
Second, writing services that log into AIM is asking for trouble. If your bot becomes popular enough to be noticed by AOL, they will either kick it offline for "breaking into their network", or require license fees. For this reason, LJ/6apart would never touch such a thing.
Third, is this useful? Isn't it re-inventing the wheel? LiveJournal already supports posting by web form, email, SMS, and voice. In what kind of environment do people only have access to AIM, not any of those other media? (And OK, "I'm just doing it for fun" is a fine answer. But a for-fun project shouldn't involve the risk of compromising other people's data.)
I see this bot as a tool for a single person, who runs it on his own server, with hard-coded name/password. This negates the security and licensing problems.
As to the third issue -- it's not a matter of 'useful.' The aim bot is interesting because it imposes limitations on your posting style. You send a paragraph at a time and can't edit. You've always got a client running. No one expects any sort of sustained narrative. It's a totally different experience. Producing certain effects requires careful negotiation and planning. That makes it worthwhile.
2005-06-02 03:37 pm (UTC)
I was responding to repalviglator's idea, which sounds like it's meant to be a service for many people, not just one.
As for intentional limitations: I agree that imposing artificial constraints can spur the creative process (the Surrealists, and Burroughs, did a lot with this.) That's not the sense I got from the original post, however.
Also, don't you get the same limitations from SMS posts without having to install any special software? AIM messages don't limit you to a paragraph — the OSCAR packet limit is about 7kbytes, IIRC, which is about 2 pages of text — and the editing experience is usually better than a web form since it's WYSIWYG. Personally, I always have an email and LJ client running, in addition to AIM, but that may be a generational thing...
But. Again, my objections weren't to the way you run your AIM bot, but to what I saw repalviglator proposing to do.
SMS posts cost me money... I'm cheap. Plus, they are damn slow to type on a cellphone. But, if I wanted to post from a cell phone, that's probably what I would use.
Sure... it would be nice to be a service to many people, but I don't want responsibility for too many passwords. Maybe if they created a separate account just for this use. Or, maybe if I created one account that anyone could post to, like lifftchi.
I think there is a smaller limit on characters you can enter in one IM, but of course you can string IMs together to form an entry which is what I want to do. Or, I think direct connect is limitless... not sure though.
So, one method is to create an application that anyone could run (on their own computer) and type in a username and password for both AIM (the bot) and LJ (the blog). That way, they would keep that info private.
2005-06-02 07:41 pm (UTC)
Huh, I thought you had cellphones in mind. If you're not posting from a cellphone, why not just use a client app or a web form or email?
I have worked closely with the AIM protocol so I'm fairly confident about the 7k limit (IIRC, the OSCAR packet size is 8k, but there's some overhead for headers and such.) You just can't send messages that large very often or the server will rate-limit you.
"So, one method is to create an application that anyone could run..."
If you're going to install a custom app on your computer anyway, why not make it an honest-to-god LiveJournal client?
Anyway, if you just think it would be Really Cool to type a message into AIM and see it come up on your journal, then go for it. I was just raising concerns about something that might compromise other people's passwords.
Complete OpenID/Yadis will allow one to safely authenticate in this manner without trusting the runner of the bot.
OMG... no joke? Tell me how.
2005-06-02 10:13 pm (UTC)
The way I see it is roughly as follows. When you first contact the aim bot, it asks you for your LJ user name, at which point it pairs your AIM sn with your LJ username. The server running the bot then asks LJ for your OpenID server, using the URL of some informational page of the bot on the same server. You then add that URL to your allowed list.
Then when you post, the server running the bot does the whole OpenID handshake pretending it's a browser.
The big issue, which is not really covered, is that I don't think OpenID will be allowed to be used to post top level entries onto LJ. But it's not entirely clear what LJ will expose as a server. I want to ask brad what exactly will be exposed when he comes to my local LUG (next week).
Granted, I'm almost certainly missing something because, having read the documentation a few times now, I don't see how it really works. But given that one of the things OpenID can do is allow memes to access your protected and private entries and to have your protected and private entries show up in your RSS/Atom feed, I assume that if posting using an OpenID identity is allowed, then what I'm describing can be done.
err, what LJ will expose as a Client.
2005-06-02 10:44 pm (UTC)
Disclaimer: I understand the basic approach of OpenID etc., and have skimmed the docs, but the current docs are way too vague for me to pore over the details thereof. So I may not have this right.
At some point during that first-contact process, you have to sign into LJ with your password. That means you have to use a web interface to configure the AIM bot (which means this can't all be done over AIM) or you have to send it your password over AIM (which would be very bad.)
Also, I don't think the signed permission given to the bot by LJ would persist very long. As a security measure, usually these things time out pretty quickly. That means you'd have to go through the config process over and over.
You have to tell your OpenID server that the AIM bot is allowed (seeing as LJ will almost certainly be your server, you'd use the LJ interface, requiring a signon to the Web interface).
The LJ OpenID server already supports permanent permission grants. Yes, the bot will have to jump through the hoops all the time, but the user will not need to participate in the authentication.
Also, you don't need to configure the AIM bot with a web interface; you can provide a link to the user's OpenID authentication page inside the AIM conversation, when it is required.