September 29, 2006
Yahoo!'s BBAuth: Browser Based Authentication
Today Yahoo! announced BBAuth, or Browser Based Authentication (I found out from Dave Winer). Google has a similar service.
Once a user has logged in to Yahoo! (after a redirection from your site) they specifically authorize your application to retrieve certain user data that you've requested. You then get back a token (one hour TTL) that can be used with Yahoo! APIs to get the data. Jeremy Zawodny says that right now only Yahoo! Photos and Yahoo! Mail are supporting BBAuth. Dan Theurer has a post about getting it ready to go.
I'd like to use this in the reputation framework to get information about Yahoo! email addresses (with user permission) to assign them a rating based on how long they'd been in use, the ratio of incoming to outgoing email, etc. I'm not sure that data is available via the API (since it's not available yet).
3:43 PM
Interaction Design
One of the things I try to get my students thinking about in CS462 is Web site design. I'm not talking graphics here--most techies are terrifically bad at making things look nice. I'm talking about the interaction.
I'm not hoping to turn them into usability experts, but I do want to give them the tools to design and document interaction and tie it to Web site behavior. People say you can't teach design and I agree that it's hard to lecture about--but you can teach it. I have my students do design exercises as groups in class to get them thinking along these lines and to get some hands-on experience with design.
I just put a show on IT Conversations this week that's relevant. Dan Saffer's presentation on interaction design from the Adaptive Path User Experience Week is a good intro to the subject of interaction design and why it's important. He gives a more tactical presentation later in the conference that I hope we'll publish as well later on.
3:22 PM
New Tools to Help Podcasters
Yesterday at Podcast Academy, Doug Kaye made a couple of announcements that will be important to anyone interested in podcasting. There are a number of tools that Team ITC (the folks who produce the shows on IT Conversations and other GigaVox Media channels) use. GigaVox has decided to release some of them for everyone to use.
The first is the Levelator, a tool that automatically adjusts the audio levels within a podcast to account for variations in level between speakers. So on a conference call, for example, where one person's coming in stronger than the rest, you could use the Levelator in post production to even that out. Without the Levelator, this is a huge job. The application is available for Windows and OS X. Bruce Sharpe and his son Malcolm are the brains behind this amazing piece of software.
The second announcement was for GigaVox Audio Lite, a slimmed down version of the content management and show assembly system that we use to run IT Conversations. This is an online server, so there's nothing to buy or install. GigaVox Audio Lite is like Salesforce.com for podcast production.
The Levelator should be available for download later today. Audio Lite will enter beta later this year. I'll be sure to let you know.
Update: The Levelator is available now.
10:28 AM
September 28, 2006
Leo Laporte on Monetizing Podcasts
Leo Laporte, the host of TWiT, gave the closing keynote at Podcast Academy. This was one of those talks that's pretty fun to listen to, but hard to blog.
Leo mentions that TWiT has started to take ads. Interestingly he gets quite a bit of pushback from listeners saying things like "now that you've started running ads, you'll never be honest about Dell again..." Certainly, this is no different than technology magazines or technology Web sites, but people feel differently about the editorial conflict of interest. Perhaps this is because podcasts are more intimate? He's not sure.
He's turned down ad offers before because he was waiting for marquee names (Visa, Dell, T Mobile, Showtime) in an effort to show that podcasting is a real channel. He believes that these companies will be blown away by the effectiveness of podcasts as an advertising medium.
When someone's listening to a podcast, they went to some effort to listen. They're not channel surfing, they're making a connection. People feel like they're the podcast hosts' friend.
TWiT is 120 minutes. Over 20,000 listeners in a poll said they wanted the longer format. TWiT's audience wants it to be more technical, not less technical. Treat your audience right--they're intelligent. Super-serve the niche. That's critical in narrowcast media. If you're doing a program on golf, you don't have to appeal to people who don't like golf. Do a program for people who love golf... Don't dumb it down.
Advertisers still think they need to reach large, broad audiences. In the next 3 or 4 years, they'll realize that narrowcast media delivers better results.
Making that work requires that people remember that they're not there to reach their hands into the audience's pockets. Love your audience and they'll love you. Embrace the niche. Have a conversation with your audience. They'll say hateful, hurtful things. Respond kindly.
If you want people to be interested in your podcast (and this applies to blogs too), get them to do something like give a buck. Then they're invested in you.
5:38 PM
Tim Street on Producing Viral Video
Tim Street is speaking about viral video. Viral video has some important things in common:
- Easy to share
- OK to share (not too explicit)
- Controversial - takes risks
- Emotionally engaging
The last point is the most important. Tim goes through a list of primary and secondary emotions. He shows different video clips (and their stats) for various emotions. Use emotion to engage.
Some critical advice: think about who the audience should root for. Who's the hero? Who's the antagonist? This is basic storytelling and applies to blogging and podcasting as well as video.
Spectacle vs. story. Lots of video on the 'Net is spectacle. Think of the Mentos and Diet Coke videos. Pure spectacle. Lonelygirl (on YouTube) is an example of story with over 16 million combined views. Robert McKee's "Story" is a good resource.
Once the story is over, your audience leaves. He cites Howard Stern who had much larger audience numbers when he was "fighting the man."
What helps launch a viral video? What you'd expect: sex, violence, and comedy. Title and key art are also important. You've got a postage stamp to make your visual statement. Off-air promo (ads bought on other networks) can help. Build a launch spot for your podcast. Cut a cross promotion deal with other podcasts.
Tim references The Tipping Point and Word of Mouth Marketing as good references. Online communities like StumbleUpon, Second Life, fan sites, email, and so on are good places to promote.
Love the haters. You can't make everyone love you. But you can make people hate you. Love the haters and they will bring you the lovers. He references the NBC Promo as an example of feeding off negative reviews.
3:05 PM
Craig Syverson on Video Podcasting and Production
Craig Syverson is giving a great talk on producing video for distribution on the 'Net. He breaks it down into a series of steps or concepts.
First, what's the concept? What are you trying to accomplish? What's the feeling and who's the audience? How will it be experienced? This is a question that really applies to 'Net distributed video. Will people see it on an iPod in an airplane or in their living room on an HDTV?
What's the strategy? How does it fit into the corporate strategy or what you're trying to do? Growth and scale is good to consider early. Video is resource intensive. If you succeed, will you be able to handle success? Video has unique qualities that differentiate it from print advertising or a documentary. With audio podcasts, program length isn't as big a problem. 'Net distribution has allowed video podcasts to be shorter than traditional video distribution outlets.
Repeat programs require format. Consistency reflects professionalism. The format should tie in with the concept.
Production is where the heavy lifting happens. Many people want to start with a camera, but you should start with a good writer. A good host is also a critical component. The format of the show can serve as a surrogate host. Watch the legal aspects. Remember that pictures are easy but sound is hard. If your sound is crap, it doesn't matter how good your video is.
Entry level HD cameras are a great place to start. Wireless lavaliere mics are a great way to get the mic close to the source. Pictures can be framed, but sound can't. Sony (UWP) and Sennheiser (Evolution) have released great prosumer kits. They come with crappy mics, so replace them with Kung-Fu mics. On-camera mics are generally a bad idea. He references Paul Figgiani's The Point podcast as a way to find out about good gear.
Post production requires a good editor--not necessarily the software, but the human. Post producing the audio is also needed to fix the sound in field situations. Overlay graphics get added here. Think of the screen. Remember backup. You're creating lots of data--back it up constantly.
Compressing is a dark art. It's very complicated. Video has different standards than audio. How many flavors will you offer to your audience? You have to continually experiment and test. ViddyUp is a good, cheap compression program with an unfortunate name.
Be consistent in how you name files, how you create ID tags, and how you put together the RSS feed. People will see these. Watch spaces, leading zeros in numbers, and how dates are formatted.
Of course, this all goes in an RSS file that needs to be hosted somewhere. Video uses a lot of bandwidth. He references Podcast Maker as a good application for doing all of this. He uses FeedBurner to get stats on downloads and have a consistent URL even if the hosting situation for his feed changes.
The same issues with Website design that Kris talked about for audio are true to video. Remember that a Web site is an archive for shows that are no longer in the RSS feed.
Stats are important. There's a lot of change happening with stats for podcasts. What constitutes a download, a listener, etc. Surveying your audience will help. Again, FeedBurner is important for stats. Podtrac is another.
Pay attention to promo materials. Get the bios, pictures, etc. in place. Design the artwork so that it looks good small, large, in color, and so on. PR Web is a cheap way to get press releases out.
Monetizing depends on the strategy. What's the value and to whom?
2:09 PM
Denise Howell on Legal Podcasting
Denise Howell (who hosts Sound Policy on IT Conversations) is speaking on the legal considerations in podcasting. She mentions Colette Vogele (who Denise interviewed recently on Sound Policy). Colette's the force behind the Podcasting Legal Guide, which Denise recommends every podcaster follow.
The basic problem is that podcasters need to comply with intellectual property laws and that's no easy task. Issues include the name, the URL, the hosts, the guests, the text, music, images, video, and voice.
Denise recommends not even trying to negotiate the waters surrounding commercial music licensing. You don't have enough money or lawyers. There are lots of other resources available.
The fair use doctrine in US copyright law. The most relevant parts of fair use for podcasters are criticism, comment, news reporting, and teaching. There are additional factors in fair use including the character of the use (commercial, etc.), the nature of the work used, the amount used, and the effect on the market value of the work used. The problem is there are no rules. Every case is a court case. Ultimately fair use is a minefield.
To avoid fair use problems, use material that's specifically licensed for use in podcasts or get permission from every person and entity whose work will be used in the podcast.
It's very difficult in today's environment to determine what the character of a podcast is. If you have a fun and frivolous podcast, but run Google ads on the side, have you turned it into a commercial venture? No one knows, but the answer is crucial to determining how a podcast can use IP.
Practice Safe Syndication...
- Be trademark wise in how you name your podcast and what URLs you use.
- Document agreements with partners, guests, and others. You can only count on people's goodwill for so long. People change their minds.
- Read license terms closely and critically. Just because something is "creative commons" for example, doesn't imply that it's free to use in any situation.
- Get permission for 3rd party material, releases from guests, and so on.
- Communicate license terms clearly and consistently.
- On the Web, nothing is certain but defamation and taxes (and privacy too). You may have to comply with privacy laws, for example, if you're having people register on your site.
Of course, these are just exactly the things people don't want to do.
The bottom line: adopt a businesslike attitude.
12:20 PM
Kris Smith on Web Design for Podcasting
I'm spending the day at Podcast Academy. I just flew down to Ontario CA this morning and I fly back tonight. Nice, easy in and out.
I missed the first talk, but got here just in time to hear Kris Smith discuss successful Web design for podcasting. Integrating the Web site with the podcast is important for increasing traffic. Show notes, descriptions, and pictures flesh out the audio.
Tracking, stats, and metrics are some of the basic tools that you need to measure success. What you do in this area depends on how you measure success. Do you care about downloads, user-views, or what?
The gold standard of tools for podcasting is Wordpress. A lot of useful tools for podcasting have been built. Many of them have been integrated in Podpress. Find the tools you need and customize your site by copying what others have done. Make sure you've got your templates set up for RSS autodiscovery.
Make sure that your Web site has a flash player so that people visiting the site can preview programs or listen without a download. One that works well is Wimpy Player ($20). Here's another Flash MP3 player that's free.
You should focus on distribution. The Web site is one means of distribution. Your RSS feed will be the primary means of distribution. "Your feed is it." The Web site plays an important backup role. Put your feeds and how to subscribe front and center on your site. Don't make people search for it.
Getting linked is the most important factor in getting traffic from search engines. Having a good Web site gives people something worth linking to. Michael Geoghegan uses Steve Wozniak as an example. IT Conversations is the fourth link on the page. Interestingly, the first part of Woz's talk is the most linked to, but part 2 is more highly rated.
11:11 AM
September 26, 2006
The Most Important Language in 2006: JavaScript
You gotta love Steve Yegge's blog. One of his latest posts is called Dreaming in a Browser Swamp. Steve's style is to write infrequent, long posts, but they are always worth the wait and the read.
"Browser Swamp" makes the outrageous claim that JavaScript is the most important language in the world today. It's a claim that is surely going to get some argument (language wars are so much fun) but one which is grounded in some solid rationale. Note that Steve didn't say that it's the best language, only that it's the most important.
2:47 PM
CTO Breakfast Report for September
Carl Youngblood told us of his experience as the sole technical person in a small construction loan wholesaling company. He's building a Rails application to automate the process and using an Indian outsourcing company to do much of the work under his direction. I was fascinated to hear how he had managed to set up an outsourcing contract and managed the work as a small shop.
I mentioned that Yukihiro Matsumoto, or Matz, the creator of Ruby, will be giving the colloquium in the BYU CS Department on Oct 19th.
Eric Smith gave us a run down of Control4, his home automation company. This is Eric's second successful home automation start-up, so he knows this business. They're working on voice recognition right now. Using voice to turn on lights is boring, but using voice to search big media databases is a real win. Eric mentioned that they're doing streaming video with MoCA. I'd never heard about it, but it rides on top of the coax in your home at a frequency above cable, so that it doesn't interfere.
We had a pretty interesting discussion of AdSense, splogs, and new competitors to AdSense like Microsoft's Ad Center. This is an area that is interesting on a variety of levels, so everyone gets to participate.
Several people in attendance had used Asterisk to set up business PBX systems. I mentioned my fun controlling Vonage dialing from OS X's address book and my further desires to control phone routing based on my presence information. No one was actively using it at home or with Vonage, but Carl Youngblood recommended Nerd Vittles as a generally interesting blog with lots of cool things to do with Asterisk. I plan to spend a little time reading the archives.
As we were talking today, I decided that the unconference principles apply to the CTO breakfast beautifully.
- Whoever comes is the right people
- Whatever happens is all that could have
- Whenever it starts is the right time
- When it is over, it is over
2:40 PM
September 23, 2006
Sprint's Product Management Foibles
Joel Spolsky got to review one of Sprint's new phones with the new "Power Vision Network" and he hated it. It's difficult to believe that some team of product managers actually thought about this and concluded that it was good. When will cell phone companies wake up? Not soon, I predict.
8:48 PM
September 22, 2006
Power Laws, Longtails, and Software
Yesterday I spoke to a group of about 60 students at UVSC and then in the evening, I addressed the BYU Unix Users Group. I spoke on Power Laws, Longtails, and Software. Here's the abstract:
If you took statistics and are a Computer Scientist, chances are you learned about the wrong kinds of distributions. Hardly anything about CS is normal...or Gaussian for that matter. This talk will explore power law distributions and their relationship to Internet businesses like Amazon.com and Rhapsody. Having a tough time figuring out who to work for? Power laws can help.
This is a fun talk to give to CS students and I enjoyed both sessions.
10:34 AM
September 21, 2006
Blogging for Dollars
Last week I gave a guest lecture in Paul Allen's Internet Marketing class on blogging. The talk (PDF) was one I've given before. In fact, it was much of the information I gave to Altiris last month.
One of the questions I got asked several times was "so how do I use my blog to sell my product." Apparently, I didn't answer the question very well.
The bottom line is I don't think blogs are the right place to sell products. In fact, I think they're the wrong place to sell. They're a great vehicle for communicating with customers and engaging in the conversation happening on the 'Net about a product, but they're lousy places to sell products. The reason is simple: no one wants to come to your blog and listen to you talk about your product.
One of the points I made several times is that it's a lot easier to make money because of blogging than it is to make money from blogging. The distinction is critical. I've made a lot of money because of my blog. I make very little money from it.
Truth be told, I do use my blog to sell a product: me. You are the easiest product to sell on your blog because your blog will be a reflection of you. If people find it interesting or informative, then they're sold on you.
6:51 PM
CTO Breakfast on Tuesday
This is a reminder that we'll be holding the CTO breakfast this coming Tuesday at 8am in Building L (cafeteria) of the Canyon Park Technology Center (former WordPerfect campus).
This is a change from the schedule. I have decided to go to the Podcast Academy on Thursday, so I'm hoping at least a few of you can join me on Tuesday.
A few topics I'd love to discuss include:
- Vonage, Asterisk, and VoIP for the home and small business
- Identity for doctors
Your topics are welcome, as they always are.
Future CTO Breakfasts will be held on
- October 26 (Thursday)
- November 30 (Thursday)
For more information, see the CTO Breakfast Web page.
2:31 PM
Does Your Four-Year Old Have a Full Time Job?
An article in this morning's Deseret News revealed that the Social Security Numbers of as many as 600 Utah children under the age of 12 are in use somewhere in the state by someone else. These workers might be using these SSNs mistakenly or they might not...
The real story however, is that Utah law doesn't provide clear avenues and reasonable tools for the Dept. of Workforce Services to try to correct the mistakes. Workers are afraid of privacy law violations and have no authority to require employers to fix the problems.
So, if your four year old gets a notice from the Social Security Administration saying they worked 2000 hours last year you'll know why.
11:00 AM
Digital Identity Is the Greatest Challenge on the Planet!
Forget global warming, war, and famine. Digital identity is the "biggest challenge on the planet today." At least that's what Sun Chairman and CEO Scott McNealy thinks. Given that, I can't understand why my book isn't on the NYT best seller list. :-) I wonder if Scott has a copy?
9:26 AM
September 20, 2006
An Updated Top Ten for IT Conversations
In April I looked at the rankings for IT Conversations shows and listed the top ten. I decided I'd take another look some months later and see what's changed.
First there are over 80 shows that have a rating of 4 or above, compared to 60 in April. There are over 1000 shows that have some kind of ranking, compared to a little over 800 in April.
To find the top ten shows, I used the same criteria as last time, ranking only shows that had more than 20 votes. Here are the top ten shows:
- Dr. Daniel Amen - SPECT and the Future of Mental Health (Rating: 4.64)
- Neil Gershenfeld - Fab Lab (Rating: 4.43)
- Steve Wozniak Part 2 - Gnomedex 4.0 (Rating: 4.42)
- Paul Graham - Hackers and Painters (Rating: 4.42)
- Carolyn Porco - Explorer's Club (Rating: 4.39)
- Robert Trivers - What Do We Know? (Rating: 4.37)
- Peter Diamandis - X Prize Foundation (Rating: 4.36)
- Cory Doctorow - Europe's Coming Broadcast Flag (Rating: 4.31)
- Lawrence Lessig - Clearing the Air About Open Source (Rating: 4.31)
- Clayton Christensen - Capturing the Upside (Rating: 4.30)
Of these ten, seven were on the last list, although they moved around a bit. On this list, numbers 1, 2 and 5 are new. To be fair, there are another ten shows within striking distance.
Also, since we made the move to GigaVox, there have been far fewer ratings because of authentication problems (old cookies, etc.). I'm hoping that we're getting over that and will see an uptick in ratings over the next few weeks and months. Remember to vote for your favorite shows--it helps us know what to go after.
8:52 PM
September 19, 2006
Student Entrepreneur of the Year Competition
The BYU Collegiate Entrepreneurs' Organization (CEO) is sponsoring their annual Student Entrepreneur of the Year Competition. Computer Science students at BYU have done very well in this competition in the past. A total of $31,000 in prize money is awarded, with $12,500 going to first place. If you're a student with an idea for a business and are serious about getting off the ground, this is a good way to focus your efforts, get some great feedback, and, if you're good, get a little funding for your idea to boot.
11:10 AM
Using Parallels to Simplify System Admin Tasks
One of the things I was most excited about with my MacBook Pro was the ability to run Parallels. People ask "if you like OS X so much why are you excited to be able to run other OSs?" Here's one reason.
In my distributed applications class, I have my students set up and manage their own Linux server. For some of them it's the first time they've been root. They have to install jBoss, Axis, and other fun things before they can complete the assignments.
As a consequence, I end up working on a Linux machine quite a bit to make sure all the assignments work. Having one run in a window on my local machine is pretty handy. But that's not the best part.
Because your hard drive in Parallels is just a file on the OS X file system, you can copy it, burn it to a DVD, and do anything else you might do with a file. Once I had Fedora Core 3 loaded into Parallels and the initial configuration done to Fedora (including installing Emacs, creating users, etc.), I burnt a DVD of the image and set it aside. Then I performed the complete set up for the 462 class and burnt another DVD with that image.
Now, rather than redoing that configuration each time I need a clean copy, I can just copy the image file from the DVD and start it up fresh. That saves a lot of time. Of course, I can have multiple images in different states and fire them up at will.
If you use Windows a lot, doing this with the hard drive image right after you load XP will ensure you don't ever have to load XP again--just copy the image over. This isn't something that will surprise anyone familiar with virtualization technologies, but still, it's fun to see it work.
10:48 AM
Quad Core Upgrades for Apple
Later this year Intel will release quad core versions of its Core 2 and Xeon processors that are pin-compatible with the current two core versions. The folks over at Anandtech dropped quad core samples into a Mac Pro and they worked just fine. I suspect that upgrading your MacBook Pro would be dicey due to power and thermal issues, but upgrading Mac Pro towers should provide quite a boost for well-threaded applications.
9:05 AM
Controlling Vonage from Your Desktop
This morning, while I was listening to Ajay Madhok on IT Conversations, I was thinking it would be cool if I could manage what number my Vonage number forwarded to using an API. Then I could use the presence information in my IM application to drive where that one number sent my calls. Sometimes I want them to ring through to the handset, sometimes I want them to go to my cell and often I want them to go straight to voicemail (I hate telephones).
Well, Vonage doesn't have an API, but they do have a very cool RESTful service that allows you to initiate calls from your Vonage number to some other party. This means you can integrate the address book on your computer with your Vonage phone in some nice ways.
For example, I use the OSX Address Book application and this script allows me to simply click on the phone number in the Address Book to initiate a call. My phone rings and when I pick it up, it initiates the call to the number I want. Works great.
I made one change to the script. I added an else clause to the error checking code to pause iTunes if there are no errors:
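    -- If there was an error, return a message.
    -- errorCode is set earlier in the script; "000" means success.
    if (characters 1 thru 3 of errorCode) as string is not "000" then
        display dialog "Error: " & errorCode buttons {"OK"}
    else
        -- No error: the call is being placed, so pause iTunes if it is playing.
        tell application "iTunes"
            if player state is playing then
                pause
            end if
        end tell
    end if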
After all, as long as we're automating things, we might as well be complete. Unfortunately there's no way to know when the call ends, so you can't unpause iTunes when it's over. I can probably manage.
As an aside, I was a little put off by the URL for the service (click2callu.com) since I had to send it my Vonage account name and password. I wondered whether it was really Vonage or not. A quick check of the certificate shows that it's owned by Vonage Holdings and issued by Verisign, so I'm willing to trust it.
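The same certificate check can be scripted. The following is an added example, not part of the original post or of the AppleScript it describes: it reads the subject and issuer organization from the dictionary that Python's `ssl` module returns for a validated connection and compares them with what you expect before any credentials are sent. The function names and the three sample certificates are constructed for illustration; the organization strings in the first sample only mirror the post's description.

```python
import socket
import ssl


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with normal validation (chain and hostname) and return the
    server certificate as the dict produced by SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def name_field(name, key):
    """Pull one attribute (e.g. organizationName) out of the nested tuples
    getpeercert() uses for 'subject' and 'issuer'."""
    for rdn in name:
        for attr, value in rdn:
            if attr == key:
                return value
    return None


def _norm(text):
    # Compare organization names case-insensitively, ignoring extra spaces.
    return " ".join(text.split()).casefold()


def check_owner(cert, expected_orgs, trusted_issuer_orgs):
    """Report who the certificate says owns the site and who issued it.

    A certificate that validates for an unfamiliar hostname only proves the
    hostname; the subject organization is what ties it to a company."""
    subject_org = name_field(cert.get("subject", ()), "organizationName")
    issuer_org = name_field(cert.get("issuer", ()), "organizationName")
    problems = []
    if subject_org is None:
        problems.append("subject has no organizationName; the certificate "
                        "only proves control of the domain")
    elif _norm(subject_org) not in {_norm(o) for o in expected_orgs}:
        problems.append("subject organization %r is not the expected owner"
                        % subject_org)
    if issuer_org is None or _norm(issuer_org) not in {
            _norm(o) for o in trusted_issuer_orgs}:
        problems.append("issuer %r is not on the accepted list" % issuer_org)
    return {"subject_org": subject_org, "issuer_org": issuer_org,
            "ok": not problems, "problems": problems}


# Constructed samples in getpeercert() format (not captured from any server).
SAMPLE_OV_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Vonage Holdings"),),
                (("commonName", "click2callu.com"),)),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "VeriSign, Inc."),)),
}
SAMPLE_DV_CERT = {  # domain-validated: no organization in the subject
    "subject": ((("commonName", "lookalike.example"),),),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
}
SAMPLE_OTHER_ORG = {  # valid certificate, but owned by someone else
    "subject": ((("organizationName", "Example Telecom LLC"),),
                (("commonName", "lookalike.example"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
}

EXPECTED = {"Vonage Holdings"}
ISSUERS = {"VeriSign, Inc."}

if __name__ == "__main__":
    for label, cert in [("OV", SAMPLE_OV_CERT), ("DV", SAMPLE_DV_CERT),
                        ("other org", SAMPLE_OTHER_ORG)]:
        result = check_owner(cert, EXPECTED, ISSUERS)
        print(label, "OK" if result["ok"] else result["problems"])
```

Against a live host, pass the result of `fetch_peer_cert(host)` to `check_owner`; a certificate with no organization in its subject says nothing about which company runs the site.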
As a second aside, this is a great illustration of the power of RESTful interfaces. If this service had been created with a SOAP service, no one would have written an AppleScript to tie it to Address Book.
8:44 AM
September 18, 2006
Using Reputation to Combat Online Fraud
Last week at DIDW, I had the opportunity to sit down with Iovation CTO Dan Lulich. I'd met Dan at the Berkman ID mashup in June, but didn't really know what Iovation did. I found that we had much to talk about: Iovation does reputation.
Iovation's reputation services aren't for people--they're for devices. Being able to link devices to undesirable activities and also to the accounts they log into is a great way to combat fraud in online gaming, eCommerce, and other places where money is at stake.
Denise Howell just interviewed Iovation's CEO Greg Pierson on IT Conversations. If you're interested in reputation, then I recommend it. Greg goes over examples where, for example, people create hundreds of accounts on online poker sites in an effort to launder money from credit card theft. Device reputation can be effectively used to thwart that kind of activity.
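To make the device-to-account linking concrete, here is an added example (not Iovation's method or code, which the post does not describe): it builds the device/account graph from login events, flags devices that log into unusually many accounts or into an account already tied to fraud, and lists the other accounts seen on those devices for review. The event data, the threshold, and all names are constructed assumptions.

```python
from collections import defaultdict

# Constructed login events: (device_id, account). One device opens eight
# poker accounts; another is shared with an account already tied to fraud.
EVENTS = (
    [("dev-A", "p%03d" % n) for n in range(1, 9)]
    + [("dev-B", "alice"), ("dev-B", "alice"),
       ("dev-C", "bob"), ("dev-C", "acct-17"), ("dev-C", "carol"),
       ("dev-D", "carol")]
)
FRAUD_ACCOUNTS = {"acct-17"}  # constructed: accounts with confirmed fraud


def link_devices(events):
    """Map each device to the set of accounts it has logged into."""
    accounts_by_device = defaultdict(set)
    for device, account in events:
        accounts_by_device[device].add(account)
    return accounts_by_device


def score_devices(events, fraud_accounts, max_accounts_per_device=5):
    """Return {device: set of reasons} for devices with a bad reputation.

    max_accounts_per_device is an assumed threshold; a real deployment
    would tune it per site (shared family PCs, internet cafes, etc.)."""
    flagged = {}
    for device, accounts in link_devices(events).items():
        reasons = set()
        if len(accounts) > max_accounts_per_device:
            reasons.add("many_accounts")
        if accounts & fraud_accounts:
            reasons.add("linked_to_fraud_account")
        if reasons:
            flagged[device] = reasons
    return flagged


def accounts_to_review(events, fraud_accounts, max_accounts_per_device=5):
    """Accounts seen on a flagged device that are not yet known to be bad.

    The reputation attaches to the device, so it carries over to every
    account that device touches (one hop only: other devices used by those
    accounts are not flagged automatically)."""
    flagged = score_devices(events, fraud_accounts, max_accounts_per_device)
    accounts_by_device = link_devices(events)
    review = set()
    for device in flagged:
        review |= accounts_by_device[device]
    return sorted(review - set(fraud_accounts))


if __name__ == "__main__":
    for device, reasons in sorted(score_devices(EVENTS, FRAUD_ACCOUNTS).items()):
        print(device, sorted(reasons))
    print("review:", accounts_to_review(EVENTS, FRAUD_ACCOUNTS))
```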
3:28 PM
September 15, 2006
Where 2.0 on IT Conversations
We just launched a new series of shows from O'Reilly's Where 2.0 conference on IT Conversations. Today's show is the opening keynote by Nat Torkington and Brady Forrest. I really enjoyed the sessions from Where 2.0 in 2005. I'm looking forward to a great set of presentations from the 2006 conference in the coming weeks.
3:28 PM
Scary Voting Videos
Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten have completed a security study using an actual Diebold AccuVote-TS voting machine. The study will no doubt provide some good information for people, but what's really eye-catching is the video they prepared showing how you can install software in under a minute that not only steals votes, but is also viral so that it spreads from machine to machine as workers update software.
These kinds of results make one wonder how any elections official can remain sanguine about the security of elections conducted on DRE equipment in the absence of concerted efforts to create processes and policy that not only take results such as this into account but also are continually updated to reflect emerging threats.
The move to DRE voting equipment has opened a Pandora's box of security issues that elections officials have never had to deal with before. If they insist on using DRE equipment, for whatever reason, they have to also be willing to engage in the security threat assessment and mitigation exercises that come with that equipment.
2:39 PM
September 13, 2006
Wrapping Up DIDW
One of the things that distinguishes a great conference from a good one for me is that I not only learn new things, but I'm inspired with new ideas. Occasionally I come away from a conference with lots of new ideas, having met lots of new, interesting people, and having deepened friendships with people I already knew. That happened at DIDW this year and that's what will keep me coming back. Phil and Eric hit the nail on the head this year. I'm headed out to the airport, sorry I'll miss Doc's closing keynote, but glad I came.
4:17 PM | Comments () | Recommend This | Print This
whobar
SXIP seems to always come up with clever names for things. The entry this year is whobar, SXIP's software for relying parties that allows them to accept CardSpace cards, i-names, or OpenID identifiers from users.
4:11 PM | Comments (2) | Recommend This | Print This
Kaliya Wins DIDW Award
Kaliya Hamlin won a DIDW award for "behind the scenes" work on the Internet Identity Workshop and the Identity Gang. It was well deserved. Kaliya is a motive force in this area and someone who makes the community better. Over and above that, she's a genuinely nice person and someone who's a pleasure to work with. Congratulations Kaliya!
3:45 PM | Comments () | Recommend This | Print This
Pretexting
The word for the week is pretexting.
3:20 PM | Comments (2) | Recommend This | Print This
Passive Federation
Patrick Harding, CTO at Ping, is speaking with Kim Cameron on using CardSpace in the enterprise. Patrick discusses how traditional federation allowed user data to flow between enterprise systems without the user's consent. Rather than refer to the case where the user is structurally involved as "user-centric" however, he introduces the term "active federation," calling the traditional federation scenario "passive."
12:36 PM | Comments () | Recommend This | Print This
Jamie Lewis Keynote: The Evolving IdM Landscape
Jamie Lewis, CEO of Burton Group
Another highlight of DIDW each year is Jamie Lewis' keynote. Jamie is the CEO of the Burton Group (and, incidentally, wrote the foreword to my book on Digital Identity).
He believes that the market has moved beyond the products and suites stage to the services stage. Good news for the people I've met at the conference this year who are hoping to build service-based businesses.
Stronger authentication is not going to solve most of the problems we see in the identity space. User IDs and passwords are still around and replacing them would solve a lot of tough problems. He uses the theft of the Veterans Administration laptop as an example.
Provisioning is the vortex of IdM. In theory provisioning is crucial to compliance, but in practice it is difficult, expensive, and tricky. The politics and organizational dynamics are tripping points here. At the same time, provisioning is going mainstream. Products have matured and deployments are succeeding. While products don't always deliver on their promise, they aren't the reason projects fail.
Jamie Lewis' assessment of the current IdM market
Federating is building slowly. The elephant in the road is a combination of assurance, liability, and reliability. There's less internal federation than Burton Group anticipated--more external. Andre Durand, CEO of Ping, told me yesterday they're seeing about 50-50.
A lot of the IdM problems that arise today are a result of projects being developed in an identity vacuum. When we get to the point where there are services we can reuse, then we will see progress. There's reason for hope. Emerging frameworks, like CardSpace, OSIS, Higgins, and Bandit promise to create an access layer.
Jamie's recommendations haven't changed much:
- Relate the problem to core business objectives
- Begin by cleaning up your identity house. Understand identity in your organization before you start buying products.
- Companies who succeed at this are the ones who don't try to solve the problem in one fell swoop. Stay focused, pick something small, and take many small steps.
- Buy Windley's book. Ok, he didn't really say that--he recommended a Burton Group paper. :-)
He moves on to Internet identity. He asks "Are we focusing too much on identity?" We shouldn't mistake authentication for recognition and other social interaction. Relationship, recognition, and reputation will have to share the burden.
Conflating user-centrism and federation is like confusing voting machines and democracy. They're related, but shouldn't be conflated or we confuse the picture. When Jamie talks about Federation, he's talking about agreements, standards, and technologies that make identity and entitlements portable across autonomous domains. It's highly tolerant of asymmetry. It allows parties to disagree or agree on certain things at certain times in a just-in-time fashion.
It's fair to say that current enterprise federation models were designed without giving the user a seat at the table. The topology needs to change. Topologies should make it impossible for the system to violate a user's privacy rather than merely making it possible to respect that privacy.
Jamie believes that there is no single center except, perhaps, reality. We need to acknowledge the reality that there are multiple needs and identity is dynamic depending on the conditions in which it's being used. There are multiple parties and to scale, identity systems have to negotiate the power sharing among these parties. That's the job of the identity meta system.
Jamie believes that planets are forming
With respect to the various Internet identity systems, Jamie says that planets appear to be forming in the vacuum of space. He points out CardSpace, Higgins, Bandit, and URL-based identity systems. He placed the URL-based identity systems close to the Sun because he's not sure that the heat on those planets will support life.
Neuenschwander and Rowland have proposed a Limited Liability Persona. Each LLP is a container for a limited set of identity info and resources. Individuals can have multiple LLPs for different modes and roles. They can be shed, sold, and have value. LLPs help enforce civic responsibility and criminal liability, and can suffer reputation damage. The idea is that consequences echo the physical world.
10:46 AM | Comments () | Recommend This | Print This
Microsoft's Open Specification Promise
Yesterday Microsoft made an important announcement regarding the intellectual property that they have surrounding many of the WS-* specifications. I wrote about it at Between the Lines. You can find details at Kim Cameron's blog.
9:31 AM | Comments () | Recommend This | Print This
September 12, 2006
Digg As a Game
There's been quite a bit of controversy surrounding how people game Digg. Pete Abilla has posted a thoughtful analysis using game theory to see what's wrong with Digg and how it could be corrected.
4:29 PM | Comments () | Recommend This | Print This
Digital Identity in BC Government
Dave Nikolesjsin, CIO, Prov. of British Columbia
Dave Nikolesjsin is the CIO for the Prov. of British Columbia. No less an authority on identity than Dick Hardt has told me that I really had to see what they were doing in identity. So, when I saw that Dave was speaking at DIDW, I knew that was one session I had to attend. Serendipitously, I sat with Dave at breakfast and got a chance to get acquainted.
The title of Dave's talk is "Citizen-Centric Identity." He shows a picture with a citizen, in this case a little girl from a dysfunctional family, at the center surrounded by ministries, agencies, and private sector assets that might provide service in this scenario. If this girl shows up in the emergency room, how do you know it's her, reliably and securely deliver relevant information from government networks to the private-sector physician, and so on?
Concentric services around citizen
Right now there are no easy answers. The silo'd data sources and applications have little interoperability. Where are the online equivalents of the driver's license, birth certificate, professional credentials, and so on that can be used to provide trust in the online environment?
Dave turns the time over to Ian Bailey, an Identity Management Architect for the BC Government. He's talking about an identity program called BCeID. BCeID is a shared digital identity credential that can be used for personal and business users. BCeID is about authentication, not authorization. Corporate identity is actually easier since the government is the authority who decides who is and who isn't a corporation.
When a person wants to access an eGovernment service, they apply for a BCeID account and then go to a government office (I presume almost any one will work) to prove they are who they say they are by presenting two forms of ID. There are even handy "nearest office" functions with maps to show you where to go.
There's a complementary application that the government agent uses to verify the identity and ensure the data submitted by the citizen was correct (matches the data on the physical credentials). Once completed the identity is part of the citizen directory and is available for eGovernment applications.
There is a basic BCeID that doesn't require validation. This can later be converted to a verified BCeID so that the transaction history isn't lost.
Knowing what kind of user ID is necessary for a particular eGovernment service can be difficult, so BC has built an online directory of services that clearly indicates what kind of ID is required.
Ian Bailey, Chief Identity Architect, Prov. of BC.
A business has only one BCeID. You can find out if your business is already registered so that you don't waste time registering only to find you don't need to.
Having only one ID per business seems problematic to me. When an employee leaves, I don't want them to be able to impersonate the business. I'd rather like for each person to have their own BCeID and give the business the ability to delegate authority, and revoke it, to individuals. Ah, later Ian shows how a business can create more than one BCeID for their business for individual users. During the question and answer sessions, they acknowledge that using federation with large organizations makes sense.
Because of the registration data that BC has for each corporation, they have a body of shared secrets that they can use to verify the person creating the BCeID for the business is really associated with the business. Businesses have the ability to list data about their business in a directory of BC businesses.
The BC government has 75 services that are using the BCeID authentication. There are 20,000 businesses that have registered, which is about one in five. There are 75,000 individuals registered. There are 4.3 million residents, so they've got a ways to go there. BCeID is voluntary right now (services that want to use it can) but soon, it will be required and be the only authentication service for BC government services.
Dick was right--this is very cool stuff. As Dave says, there are lots of people who talk about identity proofing being a good thing, but these guys are really doing it.
4:20 PM | Comments () | Recommend This | Print This
Location and Identity: A Powerful Team
Something Phil Becker said in his annual state of digital identity talk at DIDW this morning made me think about location and some of the things that go along with identity and mobile devices. I wrote those up and posted them at Between the Lines.
4:16 PM | Comments () | Recommend This | Print This
September 11, 2006
Vitamins, Pain-killers, and Viagra
Dick Hardt
Dick Hardt intro'd a panel on identity at big sites (meaning eBay, Yahoo!, Google, MSN, and so on). He used a great analogy of vitamins, pain-killers, and Viagra. We've been selling ID Management as vitamins. Everyone knows that they're good for you, but there's no urgency. With pain-killers, there's urgency. Viagra, on the other hand lets people do things they couldn't do before. User-centric identity is a pain-killer for users, but only a vitamin for big sites.
How do you turn user centric identity into Viagra? He uses eBay as an example. By using a user-centric, federated identity system, they could allow other sites to use their reputation system and charge for the privilege. That's a good example of enabling behavior from shared identity.
5:57 PM | Comments (3) | Recommend This | Print This
Jim Harper on Identity
Jim Harper is the author of Identity Crisis: How Identification is Overused and Misunderstood. Jim is an analyst at the Cato Institute, a non-profit thinktank with Libertarian leanings. Phil Becker introduced him by saying his book was a great introduction to the theory of identification.
He uses the discussion of a national ID card to launch into a discussion of identification and its theory. There are serious challenges in identification and policy makers will do a better job if we do a better job of articulating what identification is, how it works, and why it fails.
Surveillance is easier if we have a universal identifier because databases can be more easily correlated.
Access to data by a government puts that government in a better position to affect your life. In true Libertarian fashion, Jim lists the negative implications of that statement, but I'm sure more liberal interests would also list positive aspects. With more data, you can warp the incentive structure of law enforcement because you can use the data to determine that someone might have broken the law and then go look for the evidence. He cites highway data systems as an example.
Jim Harper
The world is moving toward a single key system for digital goods and services. This is true now for financial services (SSN). We wouldn't dream of using just one key for everything in the physical world. That's an interesting idea. I wonder if it was practical, would we?
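The correlation point above, as an added example that is not from the talk or the original post: three constructed record sets are joined on their identifier column, first with one universal identifier per person and then with a separate identifier per context. Deriving the per-context identifiers with an HMAC under a key only the person holds is an assumption made for this demo, as are all names, numbers and events.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed sample data: people, identifiers and events are invented.
UNIVERSAL_ID = {"alice": "900-00-0001", "bob": "900-00-0002", "carol": "900-00-0003"}
# Demo-only personal secrets; in this model they never leave the person.
PERSONAL_KEY = {p: hashlib.sha256(b"demo-secret-" + p.encode()).digest()
                for p in UNIVERSAL_ID}
EVENTS = {
    "highway_tolls": [("alice", "plaza 7, 02:14"), ("bob", "plaza 2, 08:30")],
    "pharmacy": [("alice", "prescription refill"), ("carol", "flu shot")],
    "bank": [("alice", "cash withdrawal"), ("bob", "wire transfer"),
             ("carol", "deposit")],
}


def identifier_for(person, domain, scheme):
    """Identifier that `person` presents to `domain` under the given scheme."""
    if scheme == "universal":
        return UNIVERSAL_ID[person]          # same key everywhere
    if scheme == "per-context":
        # Stable inside one domain, unrelated across domains without the key.
        mac = hmac.new(PERSONAL_KEY[person], domain.encode(), hashlib.sha256)
        return mac.hexdigest()[:16]
    raise ValueError(f"unknown scheme: {scheme}")


def build_databases(scheme):
    """Each domain stores only (identifier, event) rows, never a name."""
    return {
        domain: [(identifier_for(p, domain, scheme), event) for p, event in rows]
        for domain, rows in EVENTS.items()
    }


def correlate(databases):
    """Join all databases on the identifier column, as anyone holding
    copies of them could."""
    profiles = defaultdict(dict)
    for domain, rows in databases.items():
        for ident, event in rows:
            profiles[ident].setdefault(domain, []).append(event)
    return dict(profiles)


def cross_domain_profiles(databases):
    """Profiles that link activity from more than one domain."""
    return {i: d for i, d in correlate(databases).items() if len(d) > 1}


if __name__ == "__main__":
    for scheme in ("universal", "per-context"):
        linked = cross_domain_profiles(build_databases(scheme))
        print(f"{scheme}: {len(linked)} cross-domain profiles")
        for ident, domains in linked.items():
            print("  ", ident, "->", sorted(domains))
```

Separate identifiers only remove the join key; records that also carry a name, address or other shared attribute can still be linked on that.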
There are many activities where we don't require identity from people. Jim mentions having someone (who he didn't know) approach him and ask for a hug on a bus in DC. "The only requirement I have is the absence of a bad smell. That's not an invitation..."
Knowing who people are, when flying, for example, doesn't make us more secure. The characteristic that matters is that the person sitting next to you on the plane is incapable of doing something to harm you and others. Will we require ID in malls, bus depots, parks? Will people be stopped as they walk down the street?
A national ID will make us less secure as individuals because it makes government and large corporations more powerful.
RealID won't make us more secure. Terrorist and criminal groups will beat this system using corruption and fraud. Illegal immigration will beat the path that more nefarious groups will follow.
5:26 PM | Comments () | Recommend This | Print This
DIDW Opener
Phil Becker and Rob Clyde
Our IOS event ended at 3pm. We had 5 sessions--too short, really, to get into the spirit of the event, but there were about 80 people there and lots of good discussion. We'll be doing a 3 day IIW in December. You can register now.
Phil Becker started DIDW with an interview of Symantec CTO Rob Clyde. I've been critical of DIDW keynotes before, so I have to give them credit on this one. Phil did a great job of guiding the interview and keeping it from being a marketing speech.
One of the things they talked about was a possible future world where employees pick and configure their own machine, but in a way that still allows the enterprise to manage security by policy. Universities could be a testbed for developing this kind of capability because they live in a world where they're forced to let users pick their own machine and OS.
There's still a lot of IT hegemony where IT professionals crack down on users to force them to do things a certain way. There's a growing mindset however that wants to change this. Why can't more applications be secure applications on the 'Net?
Rather than trying to force systems to look all alike, users could be granted access to applications and networks based on the security profile of their machine. Rather than drawing a perimeter around the users, draw the perimeter around the data center and put the users all outside.
Another topic was the problem of establishing identity. We have lots of ideas for exchanging identity information, but the tough problem is trusting that the identity provider is who they say they are (and as we discussed earlier today in the reputation session at the IOS, whether you can trust service providers with your data). Enterprises have at least one point where an employee shows up and can show some ID to prove who they are.
In the B2C environment, you don't have that luxury. 54% of individuals have decreased the amount of information they're willing to share online in the past year. Consumers are more concerned with identity theft than with trusting that the online retailer will actually ship the item.
As I said, Phil did a great job conducting this interview. It was informative and thought provoking.
4:56 PM | Comments (3) | Recommend This | Print This
Identity Schemas
Mark Wahl on identity schemas
Mark Wahl of Informed Control led a session on identity schemas and how to deal with them. People reinvent schemas, they use different labels for the same data, and there are problems bringing these various schemas together. Moreover, a community shouldn't have to go to a standards body every time they have an identity data storage problem. He brings up Ham Radio operators. If they want to use call signs as identifiers, who should decide how that fits in?
X.509 dealt with many of these issues. There are well known problems with X.509 collapsing under its own weight. Today's directories solve these problems with metadirectories, but who on the Internet could run such a metadirectory? Mappings are ugly, even with metadirectories because you still have to agree on the mapping. That's very political.
The syntactic problem is largely solved thanks to XML, but the semantics are problematic since they are often hard coded into the application.
Hub and spoke federation systems begin to form shared schemas.
There is an identity schema working group at Identity Commons. There is a wiki for identity schema discussion.
12:18 PM | Comments () | Recommend This | Print This
Intro to User-Centric Identity
Kaliya leads a session at DIDW IOS
Due to a mix-up with my plane reservations (completely my fault), I ended up flying into San Jose today rather than last night which meant that I ended up at the DIDW identity open space event 30 minutes late. Poor Kaliya ended up with all the set-up herself.
I arrived (sans shampoo and toothpaste) just as the session planning session ended and the real sessions began. Kaliya had volunteered to lead a session introducing user-centric identity for people new to the meetings.
Kaliya did a good job of introducing the user-centric space and elicited good questions from the audience which, in unconference fashion, helped answer the questions that came up.
There were the usual questions that come up whenever you start discussing identity with a new group: How is this secure? How does this differ from federation? and so on. There were also some questions on identity rights, Higgins and CardSpace, i-names, and identity commons.
11:48 AM | Comments (3) | Recommend This | Print This
Digital Identity in the Real and Virtual Worlds
Last week Jon Udell and I spoke on the phone about digital identity. A serendipitous lead-up to this week's Digital ID World conference and the associated Identity Open Space event that Kaliya, Doc and I put together. Jon has published the discussion as part of his Friday podcast. Speaking with Jon is always enlightening and fun. The discussion follows how real-world identity scenarios collide with the digital realm.
10:51 AM | Comments () | Recommend This | Print This
September 7, 2006
Dunbar Numbers and PHP
There have been several shows on IT Conversations lately that I've really enjoyed, but failed to mention on my blog. One of those talks was Christopher Allen's talk from Mesh Forum on the Dunbar number. The Dunbar number is a measure of the cognitive limit to the number of individuals with whom a person can maintain stable relationships. Christopher talks about how the number is often misused and what the real limits are in various contexts. Christopher has slides and other posts on this topic at his blog, Life with Alacrity.
I also enjoyed Marc Andreessen's talk from the Zend/PHP conference. There were some interesting points about how Java, JavaScript and PHP have developed over the years. There's a long Q&A session as well with some good questions.
4:07 PM | Comments () | Recommend This | Print This
HTML to Kwiki Markup Conversion
I use Kwiki for lecture notes, homework and other Web pages I need to teach my class. Here's an example: the lectures for my programming language design class.
Today I needed to convert some old pages (embedded in PHP) for use on the wiki. I did one by hand and thought that I ought to write a Perl program to convert the HTML to Kwiki mark-up. Then I got smart and realized someone must have already done it--I was right. David Iberri has an HTML to Kwiki module for Perl that with a little scaffolding did the job nicely:
#!/usr/bin/perl
# Usage: pass an HTML file name, or use a '-' to get stdin
open(FOO, $ARGV[0]) or die "can't open $ARGV[0]: $!";
# Slurp the whole document into $html
while (<FOO>) {
    $html .= $_;
}
close(FOO);
use HTML::WikiConverter;
my $wc = new HTML::WikiConverter( dialect => 'Kwiki' );
print $wc->html2wiki( $html );
Now a shell loop, wget or curl, and this little script makes quick work of the conversion.
9:44 AM | Comments () | Recommend This | Print This
September 6, 2006
New iMacs Today: Bigger and Cheaper
Apple rev'd the iMac today. The two big changes I see: a 24" model and they're cheaper. I'd put in a purchase request for two 20" iMacs for my lab a week ago. With the new ones, I can get the 24" model for just $100 more than my original proposal. A no brainer...
Bonus: there's a new batch of ads.
11:55 AM | Comments (1) | Recommend This | Print This
VMWare ESX Performance Report
I've had a student, Terry Wilcox, working to understand the performance characteristics of VMWare's ESX virtualization monitor. Terry's finished his initial work and written up the tests and some conclusions. Overall, ESX scales quite linearly--that is each new virtual machine gets a fair share of the processor and other resources. There are some interesting conclusions:
- Single CPU virtual machines scale better than virtual machines using Virtual SMP.
- Hyper-Threading increases throughput if there are a large number of virtual CPUs, but makes no difference if the number of virtual CPUs is less than or equal to the number of physical CPUs.
- Do not allocate excessive resources to virtual machines. Additional resources may hurt performance.
If you're interested in the details of how the tests were done and these results, the full report is available (PDF).
10:55 AM | Comments (4) | Recommend This | Print This
Hacking Diebold
Nick Barker sent me a link to a web page that shows (in about the most annoying way possible) how a Diebold electronic voting machine can be hacked in 4 minutes with $12 worth of tools. I didn't look over the last Diebold machine I was in close proximity to in enough detail to remember whether it used this method of securing the memory card or not. Anyone else remember?
And while we're on the subject of electronic voting, Diane Rehm is interviewing Avi Rubin about his new book Brave New Ballot today. Avi does a great job of explaining in simple, understandable language why electronic voting is inherently insecure. I've picked up the book and look forward to reading it.
Avi mentions that adding verifiable paper records to the electronic voting machines significantly improves the level of confidence that one can have in the voting system. There are 35 states that have a law, administrative rule, or simply bought such systems. Utah is one of them, having a law that requires the verifiable paper trail. It could be improved, but it's a good start.
7:51 AM | Comments (1) | Recommend This | Print This
September 5, 2006
Program Descriptions for the NPR Crowd
When we get the TechNation shows from KQED, they always include a blurb about the show, meant to be used by stations who receive the show in syndication when they promote the broadcast. We typically use that same text in the descriptions you see on IT Conversations.
I don't always get to listen to shows, TechNation or otherwise, before they're put up and sometimes I wonder about the content of the shows we get when I read the station blurb. This last week's show is a good example. The blurb we got from the station and ran on IT Conversations said:
Paul Goldstein, Professor of Law at Stanford, speaks with Dr. Moira Gunn about the days of McCarthy, the blacklisting of the Hollywood community and issues of today.
That is undoubtedly written to appeal to an NPR crowd, but when I read it, I wondered how appropriate the show was for IT Conversations and whether IT Conversations listeners would find it interesting. I listened to the show on the way into work this morning and that sentence describes one brief interchange in a show that deals mostly with intellectual property and his new novel (which also deals with IP). If you're interested in open source, file sharing, P2P, copyright law, and other related topics, you'll probably like this show, regardless of what the description says.
9:06 AM | Comments () | Recommend This | Print This
September 1, 2006
iPhoto Slideshows on DVDs
I've recently been creating some DVDs of pictures for some friends. I found a few things that others might find helpful.
First, use iPhoto to create the slideshow and then share it to iDVD, rather than creating the slideshow in iDVD itself. There are more bells and whistles in iPhoto and the results are better. This isn't hard: once you have a collection of photos, just click on the "slideshow" button at the bottom, play with the settings, and then export it to iDVD. Exporting takes a long time.
Once it's in iDVD, you can choose a theme, edit text on the titles, choose a menu picture and audio, and you're ready to burn. I found this article at Mac DevCenter that talks about how to use iPhoto's greeting card feature to create slideshow titles, if you're looking for something fancy.
11:51 AM | Comments () | Recommend This | Print This
WiFi With Coconut Flavor
I found a cool little application for seeing what WiFi hotspots are available in OSX. Of course, you can keep checking the airport menu, but that won't tell you at a glance which are open and which aren't. Coconut WiFi puts a familiar green, yellow, or red indicator bubble in the menu bar to indicate what's available. You can even see a count of open networks. Very handy.



