Identity Providers – Facebook
This is my third post in a series looking at how federated identity has become a reality (I first looked at Twitter, and then Google).
Before we get started
I kind of liked Facebook in the early days that I used it, but frankly I never expected it to last. I thought that like the social networks before it (MySpace anyone) it would bud, flower and die. In my view we’re now way past the point when it should have died, but the alternative just hasn’t appeared on the scene. For me the madness peaked with FarmVille, and since then I’ve repeatedly considered Facebook suicide; especially as each new abuse of privacy has materialised. So… I’m not a fan, but still a (grudging) user of the ecosystem. Consider me a hostile witness.
The user experience
Much like Google and Twitter, the initial contact with the user is a ‘sign in with Facebook’ button. Assuming that they’re already signed into Facebook in another tab on their browser this should get them straight in[1].
The next bit is where it all usually goes wrong for me (and I either use another identity system, choose the username/password option or give up entirely). This is where the site that you’re connecting to tells you what it’s going to do with/to your Facebook account:
So some app that I’ve never used before wants to access a whole bunch of my data (at any time), and post as me, just so that I don’t have to remember another password. Not a fair trade. I’ve written about similar issues with the Google Apps Marketplace, but there’s a desperate need here for finer grained control.
Maintenance
You can review the apps using your Facebook ID by going to Account > Application Settings.
Under the hood
The original Facebook Connect has become deprecated in favour of OAuth, but developers still need to interact with the proprietary Graph API rather than something more open/standard such as OpenID. This recent Hacker News thread explores the pros and cons of this in some detail[2].
Persona
People are only supposed to have one Facebook account, and I’ve heard the Facebook team talk through the processes that they use to seek and destroy alternate personae. So Facebook doesn’t just not support persona – it actively discourages it. There’s no strong authentication either.
Overall
I’m not a fan, but I can see how people can get sucked into using it. It’s good in terms of not having to remember another set of credentials, but it’s bad in terms of all the (potentially) bad things that Facebook and its partners are doing with personal data. Hopefully it doesn’t discredit the whole concept of federated ID for consumers[3].
Next instalment… the rest.
Footnotes
[1] I mostly consume Facebook via Tweetdeck these days, and I must say that I find it very annoying to have to sign into Facebook just to read links that my friends have posted as I typically don’t have a Facebook tab open in Chrome.
[2] I was particularly amused by the suggestion that users might be obliged to pay a cash fee to register if they weren’t engaging in the ‘social contract’ implied by using Facebook.
[3] It seems to be popular, but still behind Google – Google Winning Sign-In War, But Facebook Close Behind.
Filed under: identity
Tags: Facebook, Facebook connect, federated, federation, Graph API, oauth, OpenID, persona, single sign on, SSO
When I registered thestateofme.com some years back it was for a project to allow synchronisation of RSS aggregator/reader state across a number of systems. I never wrote any code because things got overtaken by events. Firstly I discovered RSS Bandit, which had a mechanism to sync state via a WebDAV server (and a number of other means). Then along came Google Reader. At first it kind of sucked, and I kept on using RSS Bandit, but a year or so later I switched to Google Reader and I’ve never looked back.
But now state synchronisation is once again looming as a problem. I want to read ebooks, listen to audiobooks and watch videos on a range of devices, and I want to be able to pick up where I left off – regardless of which device I last used.
Despite knowing that ‘it’s a trap’ I ordered a Kindle 3G a few days back, which should be delivered by the end of the month. I’ve accumulated so many O’Reilly ebooks recently that I reckoned it was worth having a dedicated device for them. But what if I get going on a novel using it, and then decide I’d like to read a few pages on my iPod touch, or my Tablet PC, or the Android phone I’ve yet to buy?
I recently got a bunch of audiobooks from Audible via a free promotion from a UK newspaper. I’d never tried the format before, but I kind of like it – I listened to a few chapters of Matter on the way to/from a reunion event at the weekend. The Kindle should play those books too, so how do I start from the right place without laboriously writing down the chapter and time stamp?
I should also take this opportunity to moan about Windows Media Player’s lack of a ‘resume’ function. I like to watch videos on my train ride home, but I don’t always get to complete a whole episode. If I pause an episode then I can pick up again – provided that the machine hasn’t been restarted (which happens all too often with Windows). It’s also feasible that I’d start watching a video on my laptop, and want to finish it on a media player at home, or an iPod or whatever.
The answer to all of these questions is a bookmark service in the sky.
Of course it’s never that simple. People need to agree on APIs and data formats, but it’s also not rocket science. Just to make things a little more tricky though I’d like something that isn’t trapped inside a proprietary content/player silo.
Anybody out there interested in giving this a push forward?
Filed under: cloud, could_do_better, media, technology | 7 Comments
Tags: audiobook, bookmark, cloud, ebook, media, player, reader, state, sync, synchronisation, video
Identity Providers – Google
This is my second post in a series looking at how federated identity has become a reality (I first looked at Twitter).
The user experience
The basic premise of federated identity is that first you sign into something that you use a lot, and then the platform reuses that sign in to get you into other applications. Outside the enterprise, where people sign into their machines using Active Directory, by far the best place to start is email, as that’s typically the app that’s opened first and used the most. Whenever I open my first browser after restarting a machine I open three tabs: Gmail, Google Reader and Google Apps mail for my company domain. In this case Gmail gives me a token to access all of the apps that are federated with my consumer persona, and GApps gives me a token for all of the apps that are federated with my work persona. When I start those other apps I might see some info in the browser saying that it’s redirecting briefly to Google, but I don’t see a sign in page, I get taken straight there.
First time
The first time you visit a site that supports Google sign in you’ll see something like this:
and then you get asked to confirm:
and after that things should be pretty seamless
Maintenance
You can review the applications using your Google ID by going into the My Account page and clicking on Change Authorized Web Sites [1]
Under the hood
There are two principal mechanisms at work:
1. OpenID for authentication
OpenID has been much maligned and is perceived to have many weaknesses. I would argue however that it isn’t a fundamentally weak protocol, and improvements have been made over time. I remember a few years back being stared at by a room full of identity geeks when I was the only one that said that I’d like the big company that was hosting us to support OpenID – oh how things have changed.
2. OAuth for authorisation
Sometimes authentication is enough in its own right, but there are many times when an associated authorisation is needed (e.g. to connect to contacts or calendar data). This is where OAuth comes in, and Google have been one of the driving forces behind the standard [2].
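As an added example of what ‘OAuth for authorisation’ involves on the wire (this is not code from the original post or from Google’s libraries): OAuth 1.0a request signing in Ruby, the version of the protocol in use when this was written. It shows both the relying party’s signing step, which proves possession of the token the user authorised without the user’s password ever being shared, and the provider-side check. All keys, secrets and the api.example.com URL are constructed, and the function names are my own.

```ruby
# Added example, not code from the original post or from Google: OAuth 1.0a
# request signing (RFC 5849, HMAC-SHA1), the mechanism a relying party uses
# to call a protected API with a token the user authorised, without ever
# seeing the user's password. All keys, secrets and URLs are constructed.
require 'openssl'
require 'base64'
require 'uri'

UNRESERVED = (('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a + %w[- . _ ~]).freeze

# RFC 3986 percent-encoding as OAuth 1.0a requires: unreserved characters stay
# literal, every other byte becomes %XX with uppercase hex.
def oauth_escape(value)
  value.to_s.bytes.map { |b| UNRESERVED.include?(b.chr) ? b.chr : format('%%%02X', b) }.join
end

# Signature base string: METHOD & encoded base URL & encoded normalised params.
# Query-string parameters count as request parameters and are merged in.
def signature_base_string(method, url, params)
  uri = URI.parse(url)
  base_url = "#{uri.scheme.downcase}://#{uri.host.downcase}#{uri.path}"
  pairs = URI.decode_www_form(uri.query || '') + params.map { |k, v| [k.to_s, v.to_s] }
  normalised = pairs.map { |k, v| [oauth_escape(k), oauth_escape(v)] }
                    .sort                        # by encoded key, then value
                    .map { |k, v| "#{k}=#{v}" }
                    .join('&')
  [method.to_s.upcase, oauth_escape(base_url), oauth_escape(normalised)].join('&')
end

# Signing key is "consumer secret & token secret" (both encoded); the signature
# is base64 of HMAC-SHA1 over the base string.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_escape(consumer_secret)}&#{oauth_escape(token_secret)}"
  Base64.strict_encode64(OpenSSL::HMAC.digest('SHA1', key, base_string))
end

# Client (relying party) side: build the oauth_* parameters and sign.
def sign_request(method, url, params, creds, nonce:, timestamp:)
  oauth_params = {
    'oauth_consumer_key'     => creds[:consumer_key],
    'oauth_token'            => creds[:token],
    'oauth_signature_method' => 'HMAC-SHA1',
    'oauth_timestamp'        => timestamp.to_s,
    'oauth_nonce'            => nonce,
    'oauth_version'          => '1.0'
  }
  base = signature_base_string(method, url, params.merge(oauth_params))
  oauth_params.merge('oauth_signature' => hmac_sha1_signature(base, creds[:consumer_secret], creds[:token_secret]))
end

# Constant-time comparison so the verifier does not leak how much of the
# signature matched through response timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server (identity provider) side: recompute the signature over everything
# except oauth_signature and compare. A real server also checks timestamp
# freshness and rejects reused nonces.
def valid_signature?(method, url, params, consumer_secret, token_secret)
  presented = params['oauth_signature']
  return false if presented.nil?
  unsigned = params.reject { |k, _| k == 'oauth_signature' }
  expected = hmac_sha1_signature(signature_base_string(method, url, unsigned), consumer_secret, token_secret)
  secure_equal?(expected, presented)
end

if __FILE__ == $PROGRAM_NAME
  creds = { consumer_key: 'example-consumer', consumer_secret: 'consumer-secret',
            token: 'tok', token_secret: 'token-secret' }       # constructed values
  url = 'https://api.example.com/contacts?max-results=10'
  signed = sign_request('GET', url, {}, creds, nonce: 'abc123', timestamp: 1_284_000_000)
  puts signature_base_string('GET', url, signed.reject { |k, _| k == 'oauth_signature' })
  puts "valid: #{valid_signature?('GET', url, signed, 'consumer-secret', 'token-secret')}"
end
```

The point worth noticing is that the token secret never travels with the request: the provider can only verify the signature because it already holds the secret it issued when the user clicked ‘allow’, which is what makes the token revocable from the Authorized Web Sites page without touching the user’s password.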
What about SAML?
The Google identity ecosystem, which has become the heart of the Google Apps Marketplace, is pretty much built on the ‘O’ protocols OpenID and OAuth, but there is a place for SAML. Basically it can be used to extend a Google based federation back into an enterprise – so first the user signs into their Active Directory or whatever [3] and then they get a Google issued token to sign into other apps. There’s a great diagram to illustrate how this works (thanks to Eric Sachs for pulling this together in the first place, and bringing it to my attention).
Persona
I already touched on the work/home persona piece above. Google certainly supports multiple personae, but there is trouble in paradise. A year ago I could be signed into multiple Google Apps domains, and my Gmail and everything behaved itself in isolation. These days I far too often see something like this:
and this:
and far too often when I select an account it still fails to get me to the right document. This can be worked around by using another browser (or ‘porn mode’), but it’s pretty aggravating.
Google have tried to fix this with multiple sign-on, but this seems to do more harm than good. I for one don’t feel that offline mail is a sacrifice worth making.
The key issue seems to be that Google haven’t figured out an elegant means to determine an anchor identity against which multiple personae (more than 3 please) can be attached. For what it’s worth I’d argue that this should be put in the hands of the user – if they have multiple Google personae then let them decide which is the parent account (the one that they sign into first) and which are the children. Of course this can get complicated when work life (and work security policies) encroach onto ‘home’ computers and devices, which brings us on to…
Strong authentication
Had I written this a day or two ago as planned then I’d be spouting about Tricipher (and how wise VMware were to buy them) and Verisign VIP (and how it also works with eBay/Paypal).
That all changed yesterday when Google launched their own two factor authentication.

I’ve been using it for a day now with the BlackBerry application, so some early thoughts on the system:
- It’s a shame that I couldn’t use an existing OATH token like the VIP soft token that was already on my BlackBerry [4].
- The access codes mechanism for applications and devices that can’t live with two factors is ultimately a security by obscurity mechanism for single factor by the back door, but I accept that it’s a necessary evil (I’ve already had to generate 6 codes). It would be helpful if I could impose additional controls (e.g. source IP) for certain access codes, but this is going to be impractical for mobile – bring on SIM/TPM based keys.
- Strike codes are a good catch all for when people lose their token generator, but I fear that much better education will be needed to prevent disasters here. At least there isn’t a weak workaround (like there is with the eBay/Paypal VIP usage when you say you lost/misplaced your token).
- User choice is all well and good for private accounts, but company administrators want control. I don’t want to say to my team ‘you can use 2 factor if you feel like it, it’s more secure but a bit less convenient’, I want to say ‘our corporate data is the life blood of the company, and we need to keep it as secure as possible – you will now need to use 2 factor’. I also want to have the tools to help my users out when they have trouble with 2 factor, like the ability for domain admins to (re)generate strike lists. It feels to me like Google have developed this for Gmail, but soft launched it to GApps Premier Edition.
- I seem to be being prompted for my password (not my OTP) more often than I was before I turned two factor on. This is making things like Postini a bit more clumsy to use[5], and providing a lumpy user experience. I’m guessing that some parameters have been tightened up, but it would be good to have control over this (and for the user experience to be a bit more evened out).
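The OATH token the first bullet wishes could be reused implements the same open algorithm as Google’s own generator, which is the whole point of OATH. As an added example (not code from the original post, nor from Google), here is HOTP and TOTP in Ruby together with a verifier that tolerates a little clock drift; the secret in the demo is the RFC 4226/6238 test vector and the function names are my own.

```ruby
# Added example (not from the original post, and not Google's code): the OATH
# one-time-password algorithms HOTP (RFC 4226) and TOTP (RFC 6238). Any token
# implementing them, hardware or soft, produces the same codes from the same
# shared secret, which is why reusing an existing token is technically possible.
require 'openssl'

# HOTP: HMAC-SHA1 over the 8-byte big-endian counter, "dynamic truncation" to
# a 31-bit integer, then the low `digits` decimal digits, zero-padded.
def hotp(secret, counter, digits: 6)
  msg = [counter].pack('Q>')                      # 64-bit big-endian counter
  hmac = OpenSSL::HMAC.digest('SHA1', secret, msg)
  offset = hmac.getbyte(19) & 0x0f                # low nibble of the last byte
  code = ((hmac.getbyte(offset) & 0x7f) << 24) |
         (hmac.getbyte(offset + 1) << 16) |
         (hmac.getbyte(offset + 2) << 8) |
         hmac.getbyte(offset + 3)
  (code % 10**digits).to_s.rjust(digits, '0')
end

# TOTP: HOTP with the counter derived from Unix time in 30-second steps, so
# token and server need only a shared secret and roughly synchronised clocks.
def totp(secret, unix_time, digits: 6, step: 30)
  hotp(secret, unix_time / step, digits: digits)
end

# Constant-time comparison; a plain == lets response timing reveal how many
# leading digits of a guess were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verifier side: accept the current step and `window` steps either side to
# absorb clock drift. A real verifier also refuses to accept the same code
# twice, otherwise a code observed in transit stays usable for the rest of
# the window.
def verify_totp(secret, code, unix_time, digits: 6, step: 30, window: 1)
  counter = unix_time / step
  (-window..window).any? do |d|
    secure_equal?(hotp(secret, counter + d, digits: digits), code.to_s)
  end
end

if __FILE__ == $PROGRAM_NAME
  # RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
  secret = '12345678901234567890'
  puts "HOTP counter 0: #{hotp(secret, 0)}"             # 755224 per RFC 4226
  puts "TOTP at T=59:   #{totp(secret, 59, digits: 8)}" # 94287082 per RFC 6238
  puts "now:            #{totp(secret, Time.now.to_i)}"
end
```

Seen this way, the application-specific access codes in the second bullet are simply long static passwords that bypass `verify_totp` altogether, which is why they deserve the per-code controls the post asks for.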
Overall
It mostly works most of the time, which is certainly better than the alternative of having dozens of passwords to wrangle. There is however clearly room for improvement, especially around the new two factor support and persona. Two factor is good, but it’s also a bit of a pain, so I want to be able to use it as infrequently as possible. For that to happen Google really needs to nail down this thing I’ve termed the ‘anchor account’, and provide a means to spawn various personae off from that.
Next instalment… Facebook.
Updates
Update 1 (19 Jun 2012) – Google have now enabled GApps administrators to force 2 factor authentication.
Footnotes
[1] For Google Apps for domains you need to go to https://www.google.com/a/yourdomain/ManageAccount to do this stuff.
[2] There’s some excellent documentation of OAuth here.
[3] It is invariably AD, though the sign in can be using whatever mechanism the enterprise chooses – password, smartcard, OTP etc. Sadly there isn’t a good way of seeing how strong the initial authentication was and passing that through to an eventual relying party.
[4] Sorry Joe, but it seems you’re out of luck – though there is a glimmer of hope from within the Googleplex. C’mon guys – tell us how it’s done?
[5] I got an error message about cookies, when what it really wanted me to do was sign in (again).
Filed under: identity | 5 Comments
Tags: federated, federation, gapps, gmail, google, identity, OATH, oauth, OpenID, persona, single sign on, SSO, two factor
iOS 4 on iPod Touch 2G
I heard quite a few friends whining that iOS 4 wasn’t a good ‘upgrade’ on their iPhone 3G(S)s, with many reverting back to versions of 3.x that were considered faster or more stable. I was therefore somewhat sceptical about upgrading my iPod Touch 2G, and would have left it be if it wasn’t for so many apps demanding 4.x.[1]

After digging around the web, and asking around on Twitter I couldn’t find anybody that would say whether this would go well or badly. Eventually I caved in and went for it with 4.02. The process began with an obligatory upgrade to iTunes 10. For some lucky reason I didn’t need to turn off Ping, it was off by default – yay. The backup/upgrade/restore cycle took ages (most of a day).
No harm done – that would be my first impression.
Oh – and there’s an ‘airplane mode’ slider now in settings.
4.02 to 4.1 didn’t take so long – around half an hour. I’ll report back here if I find anything worthy of comment.
Bottom line – iOS 4 on the iPod Touch – probably necessary for new apps (and upgrades to old apps) that insist on 4.x, but otherwise Meh!
[1] This would seem to mark the end of the road for my old iPod Touch 1G. It will still fill my kitchen with music, but the apps world has left it behind.
Filed under: technology
Tags: 2G, 4.x, iOS, ipod, iPod Touch, Touch
Identity Providers – Twitter
Federated identity seems to have sneaked up on us. A couple of years back federated identity was some huge enterprisey thing that was costly and took time to implement. Then a bunch of service providers started to be identity providers, but there were no relying parties making the whole effort somewhat useless. Now it seems that the relying parties have come. I’m going to start by taking a look at Twitter, and the sites that use it.
The user experience
I for one am sick of having to create a new account for every website I want to interact with, so it’s great when I can just click a button instead:
On first use there’s a splash screen asking if it’s OK for the web site (relying party) to interact with Twitter (identity provider) on behalf of that user, and that’s it, we’re done. Provided that you’re signed into Twitter using a browser you can get straight into the site in future.
We are what we Tweet
Using a Twitter identity to sign in to Twitter related sites makes perfect sense. There’s just no reason why users of that type of site wouldn’t already have a Twitter account to reuse, so for things like PeerIndex it’s perfect.
There is of course the anti-pattern of firstly getting people to sign in with Twitter, and then asking them to provide a password (for a presumably standalone account) – PlanCa.st – I’m looking at you (this is one user that you lost to identity management failure).
For sites that don’t revolve around Twitter it’s still nice to have the option not to create a new identity, and of course Twitter can sit alongside of other providers when that makes sense.
Persona
Having multiple Twitter identities seems to be something that’s broadly accepted. Certainly tools like TweetDeck make it easy to maintain several personae. Things get a bit tricky in the browser though, as you can only be signed into one identity per browser; though this is where ‘porn mode’ can come to the rescue by providing a cookie sandbox [1].
Overall
I’m glad to see that an ecosystem of relying parties has sprouted up around Twitter. It’s convenient, and it makes sense. I know that it aggregates some risk into my Twitter account, but I still feel that’s better than trying to manage a separate username and password for every web site.
Next instalment… Google.
Update 21 Sep 2010 – you can review the apps connected to your Twitter account in the settings/connections page
[1] Some experimentation with incognito windows on Chrome seems to indicate that you get a single cookie sandbox away from the main Chrome instance, so you can’t just open up fresh windows for each identity :(
Filed under: identity
Tags: federated, federation, identity, oauth, OpenID, PeerIndex, persona, PlanCa.st, twitter
3D (in)Secure
It’s not news that the 3D Secure system that gets branded as ‘Verified by Visa’ is a steaming pile of something that should be scraped off shoes rather than presented on screens. Ben Laurie was the first serious voice of dissent (that I noticed), but then along came Ross Anderson and Steven Murdoch to ensure that we were left in no doubt – how online card security fails [paper].

There is however an insidious problem that none of these worthy security researchers seem to have noticed, which is that the system doesn’t deal with additional cards.
It’s common practice for couples to have joint bank accounts, but there’s not really such a thing as a joint credit card. With credit cards there’s an individual cardholder, and there can be additional cards. My wife has a number of these additional cards that she considers to be joint, but they aren’t (even if they’re paid from our joint account) – I’m the cardholder. This is where 3D Secure breaks down (again), as purchases made with additional cards (e.g. by my wife) lead to a request for authentication by the cardholder (i.e. me). If I’m not there to type in my password then she can’t buy stuff online, which is kind of inconvenient.
Of course I’m sure that many couples just share their 3D Secure password; this is, after all, what the banks tell them to do. Sadly it’s also directly in contravention of the terms and conditions:
FAQ ‘Only the primary cardholder can enrol with xxx Secure. All other additional cardholders on the same account should use the same login and password as established by the primary cardholder.’
Ts&Cs – ‘You are responsible for keeping your password and username secret. You must not write down, store (whether encrypted or otherwise) on your computer or mobile phone handset or let anyone else know your password or username, and the fact that they are for use with this service.’
I’m sure that the banks don’t care much about this obvious conflict. As Ross and Steven point out the whole purpose of the scheme is to pass liability to the customer, and of course that customer becomes more liable the moment that they break the Ts&Cs (even if the FAQ tells them to).
Clearly whoever contrived the system (as it would be foolish to say that it was designed) forgot to have a conversation with a business analyst about additional cardholders.
Filed under: could_do_better, security | 2 Comments
Tags: 3D Secure, additional cardholder, cardholder not present, CNP, credit, credit card, joint account, liability, payments, phishing, security, Verified by Visa
The end of the bus tour
I took the kids for a day out to the Tower of London last week. Despite one of my colleagues’ suggestions I didn’t leave them there. It was great – particularly the knights’ tournament and the water balloon catapult in the moat.
On leaving, my wife suggested that we should take a tour bus to kill the hour and a half that we had until our dinner reservation in Piccadilly Circus. My gut feel was that this was a bad (expensive) idea, but I went along with it until the bill shock slapped us right in the face – £74 for two adults and two children. We used our Travelcards to jump on a number 15, which took us right where we were going (lucky) and the London traffic was almost slow enough to make us on time.
This got me thinking – why would anybody (other than an Aberdeen Angus munching tourist uber-idiot) ever pay that much to get carted around London (or any other city) when there’s a perfectly good public transport system [1]. I believe (in due course) there’s an app for that. I know that having a tour guide can be part of the experience, but there’s the language issue for many tourists (who are often left listening to some black box anyway). Why not just use a location based app on a smartphone? As part of the ‘right click universe’ you then get to make your own tour – get on a bus – point at the things that look interesting – get the blurb.
[1] If we’d not already bought Travelcards then the daily limit for Oyster travel on London buses is £3.90, and kids are free. £7.80 or £74 – tough choice.
Filed under: wibble
Tags: app, bus, location, London, tour
Call routing
Joe asked me about call routing following my post about office VOIP. It’s not a straightforward subject, so I thought it probably deserves a post of its own rather than just a comment reply.
Point of entry – SkypeIn
Having used ‘one number’ for a while in my old banking IT job I wanted to continue in the same way when I left for my new role. SkypeIn seemed to be the only show in town (at the time) that would allow me to have a number that I could redirect where I wanted to. I bought a subscription, which gave me a discount on the number, and also allows me to forward to any UK landline number without running up per minute charges.
Fan out – Ribbit Mobile
Ribbit’s ‘find me’ function lets me have a number of phones ring in the hope that I’ll be near one of them.[1]
Office – SNOM 300
This is a decent SIP phone that allows for multiple SIP subscriptions (four) and has reasonable call handling facilities (hold, transfer etc.)
Home office – GrandStream 286 ATA and Plantronics T20
BT were kind enough to lend me that ATA for testing Ribbit’s SIP functionality. If they ever ask for it back I’ll probably buy a Linksys PAP2T (which a number of my colleagues use for their home extensions). I prefer a headset to a regular phone, and I bought a Plantronics T10 ages ago in order to deal with conference calls whilst working at home. With the extra line that the ATA gives me (in addition to the regular home phone line) I got the T20 so that I could deal with both.[2]
Mobile – BlackBerry 8900
An undocumented (and presumably unsupported) feature of Ribbit Mobile that sometimes works and sometimes doesn’t (and that I wish they would formalise) is that when a call hits its service without CLI from my mobile it knows that the caller didn’t already ring the mobile and so it rings the mobile too.[3]
It’s not actually that simple
Ribbit’s great, but there are times that I need to use Voicehost e.g. to call an office extension. To get my single line ATA to use multiple SIP services I employ SIP Sorcery, where I have a simple Ruby dial plan that routes calls via Ribbit unless I prefix them with 0*.
The people problem
It’s very hard to leave a phone to ring. But it’s also impossible for me to be in my office and home office at the same time, and I spend plenty of time in neither location. This means that when people call me there’s going to be a phone ringing in a place where I’m not, but my family and/or colleagues might be. What I want to happen here is for nobody but me to pick up – so I rely on my family and colleagues not to be ‘helpful’.
I could of course spend my life fiddling with the web console for Ribbit turning extensions on and off, but that’s not very convenient.
Profiles
Much better would be if I could have profiles e.g. ‘office’ – just ring the office phone, ‘home’ just ring the home office phone, ‘other’ just ring my mobile. Switching profiles would have to be possible from a mobile (web) app, as it’s the sort of thing that you’re sure to forget as you’re rushing out of the office for a meeting.
Location based automatic profiles
Better still would be if my profile could be automatically switched as I change location – something that my smartphone should already know. There’s not an app for that – yet. Fingers crossed.
Roaming
Most of my international travel is to the US [4], so I have a US PAYG SIM in an old Nokia 7210 (my last mobile phone that was just a great phone rather than an adequate phone bolted onto a handy little computer).
Most PAYG tariffs (including mine) don’t support conditional call routing, so I don’t get to make use of Ribbit. Here I just use SkypeIn to forward to my US cell number, and upgrade to a global subscription for the duration of my trip so that I don’t get whacked with per minute charges. This means that people can still get me on my ‘UK’ number even when I’m in the US.[5] I also make use of Skype’s excellent ‘To Go‘ service to call home from a US point of presence. I have to top up my PAYG account by $100 each year, and I never in practice use all of that credit, but it’s a lot less than I’d run up in roaming charges if I just used my UK mobile.[6] I also change the call forwarding on my mobile to go to my SkypeIn number, so anybody calling my normal UK mobile gets routed through to my US one.
Wishlist
In addition to the location based routing profiles I’d love it if Ribbit was internationalised so that I could have US ‘purpose’ numbers and route calls to US numbers (as well as UK numbers and SIP end points). It would also be great if I could port numbers between services, which I think is pretty easy in the US, but only seems to work for mobile numbers in the UK.
Endnote
There’s a video demo of Ribbit Mobile routing that begins with @jobsworth destroying his iPhone (when he was supposed to drop a dummy in the jug of water) – instructional and amusing.
[1] This isn’t how Ribbit Mobile is supposed to be used, at least not without the ‘purpose numbers’ that aren’t yet supported in the UK. The intended usage pattern is for the mobile number to be the point of entry and for the Ribbit service to be connected via conditional call routing.
[2] This hasn’t worked out so well. My T20 seems to have a fault on line 1 which makes the volume really low. Since I bought it from Amazon in the US (as they don’t sell them in the UK where there isn’t much of a market for 2 line home phones) it’s not so easy for me to get service or a refund :(
[3] I’d much rather have an Android phone than a BlackBerry, but when I needed a new phone the only Android on the market was the G1 on T-Mobile (and I was happy with neither). I’m counting the days until I can get an upgrade to something like the HTC Desire or whatever replaces it.
[4] In the past I’ve also run Swiss and Spanish PAYG SIMs, but I don’t spend enough time in those places to keep a SIM active.
[5] Which means that I need to be careful to turn the ringer off if I don’t want an early call from somebody without the faintest clue where I am (and that I’m trying to sleep).
[6] I started doing this after one month where I’d spent two weeks in the US running up £300 ($600 at the time) in roaming calls, and I’m not even one of those people who spends their lives with an ear glued to their phone.
Filed under: technology
Tags: ata, ribbit, sip, skype, SkypeIn, voip
OK. I very nearly bought a new tablety netbook earlier in the year, and I’d still like an s10-3t (or similar)[1], but I’m in no hurry to buy a new netbook and here’s why.

Netbooks are good enough. They’re good enough for web surfing. They’re good enough for watching SD video (maybe even 720p if you have the right screen and graphics chipset). They’re good enough for casual document and presentation editing. They’re good enough for pretty much everything that I’d like to do with a portable machine – and that’s it. The netbook that I bought more than a year ago is still good enough for all those things. I’ve had the chance to play with the latest Lenovo and HP machines in the last few weeks, and they’re a tiny bit better than what I have already. But not enough better that I’m going to splash another £250 or so on a new machine. I’ll buy a new netbook when the one I have breaks, and that could take a very long time – they’re built to a price, but not flimsy.

The press are starting to run articles along the lines of ‘tablets hit netbook sales’ (e.g. on The Register). This misses a couple of important points for me:
- Tablets (like the iPad) and netbooks share a lot of functionality, but they aren’t interchangeable purchases. Somebody who wants a netbook won’t buy a tablet instead.
- Pretty much everybody that does want a netbook got one already, it should be no surprise that sales are slowing up. The market is probably reaching that saturation point that mobiles hit a decade ago (when everybody in the civilised world already had two).
Dave Winer points out that the one thing that has improved in the last year is battery life. Batteries are an important consideration, particularly as they deteriorate over time. Maybe when the battery on my s10e gets to the stage that it’s frustrating I’ll be faced with a tough choice between buying a vastly overpriced replacement, or just getting a new netbook with a new battery?
[1] Lenovo never did get me the s10-3t that was promised, and they don’t seem to have made a reappearance on their UK direct sales web site. Whilst I’m still happy with the X201 Tablet that was sent as a substitute it would be nice to have something a little lighter.
Filed under: technology | 3 Comments
Tags: Asus, HP, iPad, lenovo, netbook, s10-3t, s10e, tablet