This is the blog, but if you want to know more about me and my projects, check out the Projects and About pages.

Beats Music Likes My Clojure Library


I’ll do a full post on the library some time soon. In the meantime, check it out:

A Follow Up on the STLToday Paywall Story


Yesterday’s post about how to bypass the weak paywall has gained a fair bit of traction over the last 24 hours. Here’s the story on the Riverfront Times (the alt newspaper in St. Louis).

Before this gets further out of hand I wanted to address a few points that I didn’t hit in my original blog post and weren’t in the RFT article:

  1. To call this “hacking” is…well…it’s not. It’s just a user script that manipulates the web page you downloaded. I never touched anything on the servers. It’s no different than other scripts that change the look and feel of Reddit or that tweak the interface of Gmail.

  2. As I detailed in the previous post, their method of implementing this paywall, running code on the client machine to check and redirect, is a very very thin barrier in front of this content. It’s as if they sent you a book in the mail and stapled the last few pages together. They know this.

  3. It seems quite clear that this was a trial as not much of their content is behind the paywall and they implemented it with the easiest possible client-side solution. My sincere hope is that they take this result at face value and see how many people are using it to assess what they can or should do going further based on the data. I’ve already supplied a few solutions and I’d be more than willing to help them more if that’s something they are interested in.

STLToday's Paywall is Weak


I’m originally from St. Louis, and in fact spent my last few years in St. Louis working with and taking on the media in one form or another. I’ve since moved on and no longer concern myself with the day to day craziness of St. Louis’ bizarre media scene…but I do like to check up on the sports.

STLToday is the website of St. Louis’ prominent newspaper, The St. Louis Post-Dispatch, and it’s always been kind of a mess. Horrible designs, way too big pictures that take too long to load, crazy ads all over the place, etc…basically the standard crazy failing “old media” company stuff. Today they added “Paywall” to that list. There are countless articles about why paywalls don’t work and they are at best a way to delay death rather than anything close to a solution, but frankly I just wanted to read the excellent sports coverage supported by ads! Luckily it only took about 5 minutes to bypass the paywall.

When you load an article blocked by the paywall you’ll notice that the content is shown for a few seconds and then it will redirect you to the pay screen. Interesting. At first I thought this might have been something along the lines of an enticement plan so you can see what you’re going to miss if you don’t pay up…but knowing the history of this particular website it made more sense that this was some drop-in paywall script that is loaded after the article and redirects once it reads your cookies and the content and determines you haven’t paid. I took a quick look at the page source and found a meta tag named “__sync_contentCategory”. It was set to “premium” on the article I wanted to read, but set to “free” on the article explaining their new paywall. Luckily their site is still slow as hell with all the ads and stuff they are loading, so if I just manage to change that meta tag to “free” on every article I read before their redirect script (probably loading on DOM ready) fires, will that short circuit the whole system?


Here’s the script (in the form of a user script that can be added to Chrome or Firefox):

So what could STLToday do to make this a lot more secure?

  1. Well they could not use JavaScript for one and simply have the backend read the user's information and the content type, but I suspect that their CMS isn't set up to do this and it's probably something they licensed so they can't make any changes to it, which explains the drop-in solution.
  2. They could also make their site faster (a good idea anyway) but one could still figure out a way to inject my script before theirs runs.
  3. They could not rely on a meta tag for content tagging and instead ping back to the server to request the content type (premium vs free). This could still be bypassed by spoofing the server's response to your browser, but it would be a lot harder to write a script like the one I did earlier. This is probably a good enough solution, but if they still can't figure out how to write a server-side response on their CMS it can't happen.
  4. They could just not care. I very much doubt that they will see a lot of "digital subscriptions" and those that would be interested probably aren't the type to know what a User Script is or follow me on Twitter.
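
A sketch of option 1, added here as an illustration (it is not STLToday's code and not from the original post): the server looks up the content category in its own records and checks a signed session before deciding what to send, so nothing a browser edits in the page can unlock the article. The article store, cookie format, key and function names are all hypothetical.

```javascript
const crypto = require('crypto');

// Constructed sample data: the key and the articles are placeholders.
const SESSION_KEY = crypto.randomBytes(32);
const ARTICLES = {
  'cards-win': { category: 'premium', paragraphs: ['Lead paragraph.', 'Game recap.', 'Quotes.'] },
  'about-paywall': { category: 'free', paragraphs: ['How subscriptions work.'] },
};

// Assumed cookie format: "<userId>.<subscriber 0|1>.<hex HMAC>", userId without dots.
function sign(payload) {
  return crypto.createHmac('sha256', SESSION_KEY).update(payload).digest('hex');
}

function issueSession(userId, subscriber) {
  const payload = `${userId}.${subscriber ? 1 : 0}`;
  return `${payload}.${sign(payload)}`;
}

function isSubscriber(cookie) {
  const parts = String(cookie || '').split('.');
  if (parts.length !== 3) return false;
  const expected = Buffer.from(sign(`${parts[0]}.${parts[1]}`));
  const given = Buffer.from(parts[2]);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return false;
  return crypto.timingSafeEqual(given, expected) && parts[1] === '1';
}

// The category comes from the server's record, never from the request or the page.
function serveArticle(slug, cookie) {
  const article = ARTICLES[slug];
  if (!article) return { status: 404, paragraphs: [] };
  if (article.category === 'premium' && !isSubscriber(cookie)) {
    // Only the teaser leaves the server; there is no hidden text to reveal.
    return { status: 402, paragraphs: article.paragraphs.slice(0, 1) };
  }
  return { status: 200, paragraphs: article.paragraphs };
}
```

Because the premium text is never sent to a non-subscriber, the speed of the page and the order in which scripts run stop mattering.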

Women in Tech - Let's Keep the Anger Gun Pointed in the Right Direction

Two nights ago Jason Calacanis posted this on his Twitter account (@jason):

It’s not overly shocking as this is Calacanis’ standard schtick of getting attention any way possible, usually with a thin facade of caring about whatever the current issue is. That being said, many women who have been working hard on trying to crack the gender issues in tech after the latest GitHub firebomb were understandably upset. Calacanis is trying to steal the focus of the horrible RadiumOne story and take over a discussion that was never and should never be his to own.

I came upon all of the intense conversation that followed a few hours late. By then the primary voices had taken a Twitter break but as I was catching up on the conversation one thing someone said struck me as unproductive (out of the many many good things everyone said). Here’s the exact tweet:

At the time I too was fired up by Calacanis’ decision after being fired up about the latest from GitHub and I had a gut reaction to that tweet. I thought that generalizations of women are a core element in this tech gender madness, so having the side of reason throwing around generalizations about “almost no / all men” seemed misguided at best and at worst, counter productive to the goal of getting more men to speak out on this issue. I replied:

After I had a moment to calm down I thought about the original tweet and thought that maybe I fired that off a little quickly as she wasn’t ridiculously far off the mark (sadly) and the restrictions of Twitter may have made that seem like a stronger generalization than it was probably meant to be…but I still think we should be very very careful of generalizations so I cautiously left it alone. Moments later, I was called out on it in nearly the same way I called out myself internally:

I quickly consented:

What followed was what I considered a great conversation about the issue, Calacanis in particular and what can be done to get more men to speak out on the gender issues in tech. I felt a little attacked or misunderstood at some points along the way, but I knew the issue was a hot one, especially at that moment, and one that women will always naturally have more ownership of, so I made an effort to stay focused on the discussion.

…and then, 24 hours later I get this:

Feel free to click the link, but here’s a pull quote:

I’ve heard this counter-argument almost every single time I’ve tried to bring up a feminist issue with a man: “but not all men are like that!”

I know.  Not all men are rapists.  Not all men abuse their significant others.  Not all men actively oppress women.  I get it.  Moving on.

However, generalizations about women–along with misogyny as a whole–can lead to rape, murder, abuse, belittling, harassment, wage gaps, and handfuls of other harmful things.  Generalizations about men cause hurt feelings.

Having to point out that not every man exhibits explicitly harmful behavior allows for oppression to continue because having to say “some men do harmful things” gives oppressors peace of mind.  It reassures them, falsely, that only a small portion of men behave in a way that is detrimental to the liberation of groups outside of white men (so, most people).  It reassures them that said white men don’t have to critique their own behavior or think long and hard about why their shitty behavior is damaging to everyone else.

When you say, “not all men are like that!” what you’re really saying is, “I don’t want to have to think about my privilege as a white man, so I’m going to try to defer the blame to other guys because I clearly don’t act like that.”

To equate this to what I said (and took back) is superficial at best, and to say that generalizations about men only cause “hurt feelings” is displaying the same bullshit that this article is claiming to be fighting. Try asking a guy who was on a sports team or fraternity in college that people said “they are all rapists” if there was more than hurt feelings. Naturally throughout history there are more hurtful things that can be said about women than men, but that “article” is a logical leap too far…but who cares? If that author wants to believe that, she can. What was bullshit is someone out there who doesn’t know a fucking thing about me other than the fact that I stood up and was 100% in agreement with her on the issue at hand, and then turns around and paints me with this “white man guilt” brush?! How is that any different than someone saying “All women talking about gender issues in tech are just pissed off about not knowing enough to kill the technical interview?” I didn’t even come close to saying that every time you say something about men you need to say some men, but implying “no men” or “almost no men” care about the issue isn’t helpful and minimizes those that do care and are helping. To bring it back to this exact conversation, if you want to imply anything, why not imply more men disagree with sexism like that? Furthermore, why does it have to be one generalization or the other? Generalizations are bad. Period. And finally, I would agree that someone whose only argument is “not all men” is arguing less than the minimum, but 1. that’s not what happened in this situation, and 2. I wasn’t arguing! I was on their freaking side!

Yes, there were definitely hurt feelings that came with that association. I’ll get over it. What is even more sad is that this is the same group that is asking over and over again about why more men don’t stand up and help on this issue. How many men won’t stand up now in fear of having shit like this happen to them? It won’t stop me from speaking up again, but even if it stops one man from speaking up, then this is a huge fuck up and hurt the cause. It sounds obvious, but maybe not: You can’t ask for help and then shit on the people who come to help. Not everyone on one side will 100% agree, the important thing is that you agree on the primary goal. It’s like asking for someone to put out your fire and then complaining about the brand of bottled water they had on them. Most men will never say the 100% right thing on this issue because empathy is the best we can do as we don’t know exactly what it’s like to be in that situation, but any kind of in-fighting is just sad and takes away from the very issue we are all working so hard to fight for.

Oh Twitter, What Have You Done?

I’ve used and enjoyed Twitter for what seems like a very long time now. To be clear, I don’t “enjoy” Twitter like all the “social media experts” or Klout junkies, or anyone looking to help “maximize my personal brand awareness”, I just like it. It’s quick. It’s simple. Lots of available tools. Easy to develop on.

Those last two go hand in hand of course, and it’s the first thing I usually mention when someone gets me started on what I think about Twitter, or how an API should be created. There’s no doubt in my mind that the rise of Twitter can be directly attributed to its beautifully simple API. No doubt. None. Sure it’s simple, and people can figure it out quickly, and lots of interesting people were on it from the beginning so it fostered a great atmosphere for geeks, who then told their non-geeky friends and so on…but without that API, that really simple, “I can make a script that pulls new tweets in 5 seconds” kinda way, it would not be where it is today. There wouldn’t have been a ton of clients for every phone, desktop, and website letting people easily make tweets. There wouldn’t have been a little widget in the side bar of every blog showing who’s talking about the blog at that moment, or if you’re less popular, what the author is talking about at that moment. And there wouldn’t have been whole businesses started about looking at the data and pulling out trends or market data. More important to Twitter corporate, there also wouldn’t have been: Twitter’s own search technology, or Twitter’s own iOS/Mac client as both of those were third party services that Twitter acquired later on down the road.

And now this:

There’s lots and lots and lots of reaction to this already, but here’s the short version:

  1. You always have to authenticate on the API. No matter what. Even for public stuff.
  2. You can only display Tweets in the way we want you to.
  3. Don’t make a client.

The sound you’re hearing is the collective “WTF?!” from the very same group of people that made Twitter what it is today: The developers. The current client developers are screwed because if their app gets popular they get capped, and even more importantly, new developers that were thinking about doing something with Twitter data now probably won’t.

It’s not the Klout’s or other big data apps that will get hurt since they already have plenty of reasons to obey the new API laws and already authenticate, it’s the small apps actually. The apps developers make one night to see if they want to make something bigger. Even something as simple as the little js code I threw together the other day to display tweets from people replying to the @answersdotcom account, now would seem like a pain in the ass. “I have to authenticate for public tweet searches? Never mind. I’ll do my actual work instead.” …and that’s the key. Twitter, while big, still isn’t a necessity. It isn’t email or instant messaging. You might think someone’s weird for not having a Twitter account, but it’s not like you can’t share with them another way. Twitter is still, at some level, “extra”. Do I want to show my developers Tweets of people talking to the company or using a certain hash tag? Yeah, I think that kind of stuff is fun. Do I need to make that happen? No. So if it’s a pain to implement, I won’t. It’s that simple.

There is one silver lining: When I get on my high horse about making APIs simple, making sure that while all the authenticated functionality is there, we also have an easy path to get up and running with the data in minutes…the part where I always use the early Twitter API as an example…I can follow it up with the counter example: The later Twitter API that none of them use because it’s a pain with added steps and rules just to get a simple app off the ground. It will really help bring the point home.

mikeflynn @ GitHub thatmikeflynn @ Twitter