Artnotes and GIRDS

The other week I applied for some project funding from JISC under the rapid innovation call. The idea behind the call is to promote “small” and/or “risky” and/or “mad” projects which can be done in a short timescale and do innovative things. The terms being that projects have to fulfil some specific community need in higher education.

I don’t yet know if the bid is going to be successful but obviously I’ve got my fingers crossed, meanwhile I feel it’s worth getting some of my plans and ideas out there for comment.

The project is called Artnotes, the inspiration for it coming from visiting an artist friend of mine who showed me her notebook. It was full of doodles, scribblings, postcards and photographs of artwork she had seen, taped-up pages of things she didn’t want to destroy so much as save for another time. It was a beautiful and very tactile thing full of memories and influences.

It got me thinking, could you do something like that digitally? Could you use mobile devices (such as the iPhone – which I’ve been getting into coding for on my own back) to let artists and others catalogue and document their visual noodlings and found objects in a way that didn’t loose too much of the lovelyness of a real book but enabled all sorts of modern webby things – like being able to search through public image repositories and museum catalogues for images, like being able to share the book back out to the world. So I did a bit of reading around the subject, worried greatly about rights issues and risks, talked to a few other people round the community, panicked at the last minute and got a bid together.

One of the mockups from the Artnotes bid

If you’re interested, take a look at the BID DOCUMENT (reproduced here sans coversheets and budget) which explains the scope of the project and includes a bunch more mockups and planned features.

The trouble with ideas is that they tend to spawn more ideas – much of the work that went into the bid was in trying to cut it down and keep it limited to the core of what I thought the tool needed to be effective. Hopefully I’ve done this in the bid while not being too conservative.

One of the “cool” ideas that didn’t make it and is probably a separate project in its own right was to provide some kind of image recognition service hooking into the catalogues of major galleries. Along the lines of being able to walk into a gallery, snap a picture of an exhibit and be delivered a link to the entry in the museum’s (publicly available and machine readable obviously) catalogue. I’ve been following the work of the Museum API efforts set up by Mike Ellis and contributed to by many others which seems to be making some inroads into getting the necessary underpinnings of this in place. Of particular interest are technologies such as which already does data aggregation across a number of museums, the exemplary Brooklyn Museum API which lets you dig deep into their collection, and on the image recognition side Tineye which does a very similar reverse-image-search on the web at large.

The service which for the sake of convenience I’ve dubbed GIRDS (Gallery Image Recognition and Discovery Service) at first cut be a web-api (and probably a very lightweight browser-based interface) and would work a little like this:

girds diagram

girds diagram

Better names for it are obviously most welcome!

If anything the GIRDS service would fit more in the category of mad than Artnotes and perhaps would have been a better one to submit for the call. However to my mind getting the nice user interface through the iPhone done first and then adding the image recognition capabilities through GIRDS later seems the right way to go about it. Unless of course anyone else fancies pitching in with either project (they are both going to have to be open source after all).

Irrespective of whether my bid for Artnotes is successful I’m feeling very strongly that this work is taking me back to my roots – dreaming up nice workable tools which can potentially be of some benefit to learners, teachers, researchers or the wider community.

Mashups for your Mancunian masses

A couple of months back at the CETIS 2008 conference I participated in a session entitled Technological Innovation in a world of web API’s facilitated by Brian Kelly and Marieke Guy from UKOLN and featuring contributions from Tony Hirst, Ian Ibbotson, Wilbert, myself and many other good people. The slightly cooler sounding subtitle Eduglu perhaps summed it up more aptly. It was shamelessly techy and delightfully free: “Does this need to have educational value? No it just needs to be cool!”. Floating on the waves of endless open APIs rather like Eddie Hazel’s guitar solo from Maggotbrain we were really feeling that aetherial #edufunk/#eduprog mashup goodness.

Funkadelic's classic album: Maggotbrain

Funkadelic's classic album: Maggotbrain

Emboldened and inspired by this I re-purposed many of the things I talked about (and even shamelessly stole the session title from the previous year: Mashup Market) to run a session at Manchester’s Social Media Cafe last Wednesday night. The #smc_mcr as it likes to be known for short is Manchester’s branch of the Tuttle Club, a mixture of media types, bloggers and technology enthusiasts and a fair few ed-tech folk with things to say and ideas to germinate. The ed-tech force was in fact particularly strong this time with David Bird from MMU also running a session on social media in education in parallel with me.

While we may not have got quite as baroque as one would have at CETIS it was excellent to be sharing the wealth with a wider community.

Walk this way the full writeup of the SMC_MCR Mashup Market on Samscam

How on earth do I add OpenID to my LDAP schema

Okay – this is bugging me.

The scenario is as follows: I have an OpenLDAP directory with several hundred users in it. For the records I’m using the normal inetorgperson schema.

I want to add an openid attribute for my users (in a responsible and proper way) so that I can associate users with multiple arbitrary external OpenID providers.

All I’ve managed to find on the net about this was a blog at oracle discussing how this is an issue and how it would be a really good idea to do something about it.

I’m all at sea – how on earth am I supposed to do this? Do I create a new subclass of inetorgperson and migrate everyone on to it? Can I do this without breaking everything? Do I hackily use the “labeledURI” attribute and just shove things in there?

Come on lazyweb!

PROD’s Progress

Apart from the previous post about the OpenID implementation it has been a while since I’ve written about PROD so here is the “vision” and some details of what’s happening with the project.

Before we go on I’ve written an FAQ on the PROD wiki which you are all advised to have a look at…

The PROD Vision:

PROD is a dynamic directory of JISC projects providing an easy-to-use way to locate projects and get a view of their current status and activity. Through integration with the Standards Catalogue and e-Framework it will also provide an overview of interoperability standards used by projects and their rationale for doing so.

PROD draws information on projects from a number of sources including the JISC website, individual project sites and project RSS feeds. We have also developed import mechanisms for legacy spreadsheets and catalogues.

The data in prod can be exported in standard formats (including RSS, ATOM, DOAP and CSV) to facilitate re-use in other catalogues.

Progress report

People oriented activities:

We are currently looking at how this data can facilitate integration with efforts at OSSwatch and with the JISC PIM system. We had a meeting in London to discuss how we can leverage doap across the different systems to exchange data and avoid duplication of effort. Present included Ross Gardler from OSSwatch with SIMAL, Yvonne Howard and Dave Millard from Southampton with their e-Framework Knowledge Base, Neil Chue Hong from OMII in Edinburgh, and Simone Spencer who is heading up the JISC PIM. It was pretty satisfying to feel we all agreed that with a bit of work on our respective DOAP implementations we would be able share core project data and thus concentrate on the more individual value-adding aspects of our projects.

Here in Bolton we are holding a workshop tomorrow on how we plan to use PROD internally to help us with the process of ”technical audits” of projects and how we can go about integrating PROD with the other JISC CETIS web offerings.

Ongoing development work:

DOAP, RSS & CSV export for collections of projects through the browse/query interface. We’re also thinking about making widgets to embed this in other places (like the main JISC CETIS site – or your own personal iGoogle or Dashboard if you like!)

OpenID associations for existing users – this is part of the general OpenID implementation across JISC CETIS sites. Currently it works to enable commenting.

Selectively elevated privileges for project staff and programme managers. This will happen automatically through existing data where available, we will also put in a “claim” button to users to assert a relationship to a project where a connection is not already held.

General review of data held, sanitisation particularly around people, organisations, themes. This will include a manual trawl for project sites, feeds etc where they haven’t been auto-discovered. Administrative interfaces may also see some improvement.

Integration with Standards Catalogue. Users (CETIS staff, projects, etc) will be able to associate projects with relevant standards and comment on the rationale for their use or implementation. The standards catalogue bit is working fine now.

Integration with main JISC CETIS sites – highlighting relevant projects within domain pages and other CETIS output (blogs, e-learning focus etc). This activity will be of particular relevance to ongoing comms work including the “technology & standards briefings”.

Highlights of completed development work to date:
(Roughly in order of implementation)

  • Core data model
  • Core interface
  • Old directory import
  • JISC spreadsheet import
  • DOAP export
  • Search interface
  • Funding status indicators
  • AJAX editing (administrators only at the moment)
  • JISC web-scraper
  • RSS feed-scraper
  • Data-sanitisation utilities (for admins)
  • Activity indicators
  • Comments
  • Browse & querying interface
  • OpenID authentication (for commenting)

Down and dirty with OpenID

I’ve spent the last few hours (after getting home from a swift pint in the pub admittedly) having one of those satisfying coding experiences where the dots just start joining up… I took the very nicely written OpenIDenabled PHP library and bolted it on to the authentication routines for PROD.

The technical principles behind OpenID are simple enough: the user tells your application their openid URL, the app asks the relevant provider if everything is ok, the provider comes back and tells the app a whole bunch of stuff saying that the user is kosher (or halal or whatever it says in their profile).

The latest version of the toolkit made this a breeze – coming as it does with working examples and very well documented code. Most of the work was putting in a few new hooks in my authentication script to catch both ends of the transaction, copying and pasting some code from the example scripts to create the consumer object and set it flying and finally catching the response at the end and telling my application that the user is now logged in.

As with most quick work there is still quite a bit tidying up to do – particularly around how I associate existing users in the LDAP directory with their OpenIDs… At the moment I’m just not bothering. Useful error messages would probably be a good idea too! Testing it with a few different providers is also a must.

One gotcha I discovered was that at some point the exact recipe for doing Delegation must have changed and that the library is more fussy about this than other implementations I’ve seen and used. When testing using my own domain’s delegation which I’ve had set up for years it was consistently failing. This is not good news as there are probably thousands of people who still have it set up exactly as I did…

Another (Ubuntu specific) issue was that it was failing to authenticate against yahoo’s service because I was missing some bits of openssl… This was fixed with a quick sudo apt-get install openssl ca-certificates

Now I’ve had a few brushes in recent months with OpenID mainly around the web provision for the XCRI project – where we got OpenID working across WordPress, Mediawiki, and (through some rather cheap hacking) BBpress. It was however reliant on plugins for said apps and never really a very satisfactory experience – generating a long string of complaints from users getting very variable results depending on which provider they were using. Upgrading any particular component of the site seemed to just lead to more chaos.

Sadly I think that these variable experiences do rather detract from the potential that OpenID has to help us all better manage our online identities. That and the insistence of so many “providers” like Yahoo! and that they are just that, providers and not consumers. I’ve already got about 6 OpenIDs on the go without really realising – useful for testing but the exact opposite of the single authentication service goal. Tsk tsk.

Anyway… Now that I’ve actually tackled the problem at a slightly deeper level I’m feeling confident that over time we can not only iron out XCRI’s woes but also introduce OpenID across the JISC CETIS (and IEC) services in a reasonably robust way. The future looks rosy, the sky is blue, thunderclouds? What thunderclouds?

Songs of restriction and compromise

I’m rather perturbed by some recent conversions with friends in university IS departments and for that matter a recent experience of being at a conferencelet in Keele. It all boils down to questions of security – and the (in my view mistaken) belief that by restricting the network to certain ports administrators can limit exposure of users to the evil that is the internet. This really bugs me as the internet is not just about port 80 and the wealth of potential applications (and therefore educational opportunities) gets squeezed through the single technological bottleneck of the web. Trouble is the compromises and attacks just get squeezed through the same chink as well and it’s still hell to manage.

Some songs of restriction…

Here in Bolton we have a quite complex set of restrictions on different parts of the network – the main segment which is mostly an internal free-for-all but users have to use a web-proxy to get out, the unrestricted wilds of the res-net where pretty much anything goes, the wireless which (once authenticated) gives you an unrestricted but mutually-isolated bit of connectivity, the DMZ where the servers live and breathe. From within our own office most of us end up using the wireless and then VPN-ing back in to collect email (or in some cases using external providers). Only a few of us can print without connecting our laptops directly to the printer and reconfiguring them to be on a different subnet – which is intensely annoying.

When I visited Keele I saw that they also have a wireless network – which in theory is all well and good. Apart from being put under considerable strain by the sheer volume of people wanting to use it (this being nothing new for JISC-orientated conferences) there were two major issues with it; Firstly access credentials were provided on pieces of paper and then users were required to log in by downloading and running a slightly shady and buggy Java application. Secondly once on the network it was very heavily restricted so while regular web-browsing was fine, anything slightly more exotic like picking up email with IMAP or (heaven forbid) using VPN to get in to Bolton was totally blocked. Strangely though the access credentials came with a temporary email account – which I didn’t touch or particularly want to mess with.

Some songs of compromise…

Unsophisticated: The other week we all got this email from Support Team (University of Bolton)

Attn: Staff/Student,

To update your account & webmail, you must reply to this email immediately and enter your password here (*********)

Failure to do this will immediately render your Email Address deactivated from our database as this is part of our security measures to serve you better.

Thank you for being a part of University of Bolton.


Support Teams

You can probably guess how many phishies bit the bait on this one. It’s an old and well tried social engineering technique and sadly it still works. It’s just regular email with a bogus “from” address and some external “reply-to” address, no fancy stuff here. An attacker on picking up valid credentials would not only be able to hijack the user’s account but also in theory get VPN access and dig their way into the internal network.

Sophisticated: Second example and this one contains an element of personal shame – CETIS run a couple of servers and a few weeks back (while I was off doing family things) one of them got rooted good and proper. I had neglected to run any security updates for a while and (as far as I can tell) the machine was compromised through vulnerable SSH keys – what with the SSH port being open to the world. Suspicious port-scanning activity was picked up downstream and we had no choice but to take the machine down until we could re-build it.

So we can’t win?
You can see why IS departments are worried about providing unrestricted access to the net for users – and why the heavy approach seems to work for shielding their machines from viral infection and so forth – however there will always be things that slip through via social engineering or more sophisticated attacks. There are many many other scenarios, users working around the restrictions to do whatever it is they want to do, physically unplugging their machines, taking them home and bringing them back, reconfiguring them to do such-and-such.

Yes we can win
Institutions need to get real and run some mandatory courses on computer security and behaviour for all staff. And for the really clueless some basic courses on computers and what they are. This is what is done in industry and by all accounts it works pretty well. While gullibility may not be curable people should at least know that there are some clear lines of responsibility and where and why they should not be crossed. From the technical end places need to reconsider their policies to balance protection of users against freedom to use whatever network services may help them teach, learn, research or administrate. Even if that does mean they can get on Skype, bit-torrent and Second Life!

I’ve had the timeline of my life….

Some time ago (like about 2 years or so) I had this great idea for an ePortfolio manager that would use timelines and playlists to organise ones life experience and be all superduperly web enabled and so forth. I even gave it a catch name and registered a domain for it: Mofolio

I posted up my mockups and then did absolutely nothing with it! Shame.

Anyway, this idea has been re-surfacing in my mind of late and if it’s not too late to pick it up again I’m going to see if I can make some kind of push into actually building it in the autumn.

The timeline component was something I always though really important to give people a visualisation of their work and experiences and today, while reading Alex Little’s blog I saw his post entitled Time for Timelines where he tries out two tools for doing just this; Simile which is a timeline-generating javascript widget from MIT and the intriguing Dipity which looks like it has beaten me to it in many respects. Dipity takes a bunch of feeds (rss, flickr, blogger, twitter etc etc etc) and turns them into a timeline. You can then add more stuff or remove things or make other timelines about the history of Spacerock in the 1970s or whatever floats your boat. Here’s mine – it took five minutes and for some reason wouldn’t accept my workblog feed. Ho hum:

My dipity timeline
And it wouldn’t embed a live version in WPMU… Click to see the real thing

Anyway this all gives me pause for thought – Mofolio also needs to do much of this, but as I had conceived it, needs to do a whole load more too. Reflection, playlisting, organising of earlier educational experiences, organising of local resources (rather than just webstuff). Oh and it’s got to be prettier and have swimlanes rather than just everything muddled together.

Dipity and other such general timelining tools doubtless also have their classroom use potential. Great for teachers who want to have students build reflective timelines of their learning experiences or timelines representing the rise of the roman empire or whatever it may be. Then again there are always big bits of flip-chart paper and sticky notes.

Futuresonic 2008

Futuresonic is an annual conference and festival held in Manchester on technology, music, art and ideas. This year’s theme (spot the bandwagon) was entitled Social Networking Unplugged so I figured it would be a perfectly legitimate way to spend a Friday discussing social technology and it’s educational/creative/artistic implications with a slightly different crowd from the normal JISC/CETIS bunch. Oh and there were some excellent gigs too which I’ll write about elsewhere!


The big keynote of the day was Richard Stallman donning his free software halo and mantle and telling us all that we are complicit with the forces of darkness by using proprietary software. Frankly I find his point of view somewhat puritanical and preachy though there are some legitimate concerns over openness and security of the tools we use. Still his general political message and anti-megacorporation, pro-civil-liverties stance is very admirable. For me it’s a matter of practicality – for servers I’d not use anything but free software but it’s not going to make me ditch the Mac OS tomorrow for my desktop platform. I suppose I could but I just don’t want to. Shucks, I’m supporting EVIL. The corollary of free software in my mind is free hardware – and to the possibility of sweatshop-free open hardware which would be something to strive for. I notice that Scott has been on about this too.

The angel blesses his flock

In other sessions though I didn’t think there were any major revelations there were a few cool things shown off – mainly along the lines of niche social networks and things to do with them. There were also some energetic open discussion groups set up in the afternoon – mine talking in a more artistic vein about the impact of social networking on artists and their relationship with their audiences (it was always a 2-way thing – but now it’s a 2-way thing on the internet).

Shannon Spanhake from calit2 at UC San Diego showed a device for measuring air pollution and reporting it back through web-enabled mobile phones to a central processing house and website – nothing to do with music (apart from the beeping she turned on to demonstrate the device) but certainly a novel application of technologies. Her plan is to do this on a large scale in Lima of all places – where the existing environmental monitors are so utterly useless (3 working monitors in a city of millions) that something needs to be done. Do you really want to be broadcasting information about how many carbon-monoxide particles there are in your trouser pockets though? I’m not sure I do.

An educationally interesting one was a sort of game called PMOG – or Passively Multiplayer Online Game. Delivered through a Firefox plugin, the concept being that whenever you are browsing the web you are simultaneously playing the game, fulfilling missions, discovering traps or messages that players have left lying around the web. An example might be that you hit the Tesco site and see a message pop up saying something like “mmm sausages” presumably as a starting point on some merry sausage related journey. I could imagine this being quite good fun in the classroom – providing a kind of framework around which you could get kids researching and exploring online but with a bit more guidance (from peers as well as mentors) than just “letting them loose on wikipedia”.

And I opened a Dopplr account just to tally up yet another network to belong to. This one is for frequent travellers and aims to bring about serendipitous meetings: “ooh look, Dave is in birmingham tonight and so am I, let’s go for a pint”. Happily it already interfaces neatly with other major social networks (including Facebook and Flickr) so in theory all my friends will pop up once they realise what a cool and indispensable thing Dopplr is. At the moment I have one trip planned to Newcastle-under-Lyme and two “friends” and neither of whom have chosen to tell me about their travel plans. There are a few very good points to Dopplr though – it uses OpenID for authentication (though you still have to register first) and it generally assumes that you want your information keeping private unless you specify otherwise, a very sensible assumption.

Then there was DirtParty – which is a bit like LolCats only with humans instead of cats. Nuff said.

The Unplugged bit probably was best articulated by the various art pieces. An exhibition called My Space Our Space Your Space produced an analogue analogy to various popular social networks. They provided participants with:

  • Webspace a cardboard box
  • Development tools a wide selection of art materials, scissors, glue
  • Server Architecture wooden bookcase in a shop window in which the boxes are placed
  • Messaging services envelopes mounted on the back of your cardboard box in which people can place notes. Also little “you’ve got mail” stickers to go on the front of the box.

Server architecture

Over the course of several days the people of Manchester filled the shop window with a wide array of strange things. From an operational point of view they experienced capacity problems (not enough shelving) server crashes (several boxes fell down) spam (someone put flyers for their gig in everyone’s envelopes) and all that you would expect from the “real” thing.

The MOTHERSHIP framework for introduction of new technologies


  • Seed nanobots Lay down necessary infrastructure for scalable deployment
  • Buzzing Let a few of people get a glimpse of something interesting, strut up and down making beep-beep noises
  • Abduction Grab a likely looking individual or two
  • Anal probe Embed the technologies into your best abductees – creating drones
  • Infection Use the drones to spread the technology through their peers
  • Mind control Mass marketing through cosmic rays
  • Total invasion!

Please note that this invasion plan is not endorsed by JISC, CETIS or the University of Bolton