December 28, 2006
Linux Laptop
What's the best laptop for running Linux? I want the Wi-Fi to work, the thing to sleep reliably, and so on. In the past I've favored Thinkpads, but would willingly shift to something else if it had better behavior with Linux.
9:44 AM
MacBook Pro Narcolepsy
Jon Udell is complaining about PowerBook rot. I think his TiBook issues are mostly age and to be expected. My TiBook is still going strong, but has a broken hinge. My son's using it at College. I think it's still the best piece of Apple gear I've ever owned.
Newer {Power,Mac}Books have been another story for me. I'm pretty hard on them, docking and undocking multiple times per day, using them pretty much non-stop for 12-15 hours per day, lots of compute intensive activity, and so on. Still, I've not had a single one that hasn't been in the shop at least once for repairs.
I've had the exact problem Jon's reporting: my lower memory slot on my last PowerBook stopped working and I had to have the motherboard replaced.
My newest MacBook Pro has fit and finish problems (like case bulges and a power button that's sinking into the case), but what I can't live with is the famed narcolepsy. Often when I put it to sleep, it mysteriously reboots at some point later (not immediately).
So, this one's probably headed for the shop. I kept my last MacBook on hand for just such a situation, so I'll still have a machine. The Apple repair techs know me by name; that ought to tell you something.
Why do I put up with it? Because I love OS X. Simple as that.
9:39 AM
Dave Fletcher's Top Ten for Utah IT
Dave Fletcher offers up his annual Top 10 in Utah IT for 2006. Among them are the State's winning of three different eGovernment awards and the fact that Salt Lake City, Ogden, and Orem all place in the top-10 digital cities. While you're there, check out his mashup showing the location of state buildings on Google maps. Now, if facilities (or some concerned citizen) would combine that with data on the annual cost of maintaining each building, etc., we'd be getting somewhere.
9:19 AM
December 27, 2006
On Bad Sinatra
It's fairly easy to follow your favorite blogs when they're updated frequently. I read Dave and Doc in my browser, because I know whenever I visit there will be something new and interesting. Infrequently updated blogs are another matter--that's where RSS is a perfect match.
I mentioned Steve Yegge last week. Another infrequent poster who's well worth reading is Steve Gillmor. His most recent Bad Sinatra post is a great example. He can be hard to read--especially if you don't follow tech industry news and trends very closely--but there are some great observations in the post and Steve's spot on.
I still hear from IT Conversations listeners that they miss the Gillmor Gang. Steve has a way of inciting (and that's the right word, I think) conversations among people that wouldn't happen otherwise and that's the true value. As much as I enjoy Steve's blog, I like his interactions with others in venues like the Gillmor Gang even better. Here's to more Bad Sinatra.
2:16 PM
On Demand Publishing Creates 21st Century Photo Album
Photo Album Cover
A while back, Moira Gunn interviewed Eileen Gittins, founder, president and CEO of Blurb, about publishing first-quality, professional-looking books, for Tech Nation on IT Conversations, and that got me thinking.
For Christmas I made for my wife and two oldest children a photo-book of our vacation to Europe last summer. It was a universal hit. As the Apple ad says, it was pretty easy to do in iPhoto. Make no mistake however, selecting, editing, and arranging 200 some odd pictures takes some time.
iPhoto has a "Buy Book" button at the bottom of the page, but while Apple was more than happy to verify my credit card, they wouldn't do the upload. I found that MyPublisher had an iPhoto plug-in (as well as a stand-alone app for Windows) that would let me publish my book with them. Since they guaranteed delivery by Christmas and got a good review from the Wall Street Journal, I went with them.
The experience wasn't totally satisfying. The good news first: the books are well done and got here on time. But I was put off by a process that used two modalities: iPhoto for creating and uploading the book and a browser for paying. They weren't connected well enough for me to feel confident that what I'd paid for was what I'd ordered; there was no preview button or even a way to see the cover to convince me that it was my order. I also had to play some games with the URL to get past their authentication page. With some faith though, it all worked.
As I said, the books were well done and my family was very happy to have a hard-bound, printed remembrance of a great vacation. I'm sure it's something they'll keep forever. This is really the photo-album of the 21st century.
12:59 PM
December 26, 2006
Presence for Your Presents
I put a piece about user-centric presence up at Between the Lines this morning. Hope you're enjoying the holidays.
2:20 PM
December 22, 2006
What's Your Interface?
Steve Yegge is a great writer. The latest from Stevie's Blog Rants proves it. Take 15 minutes and read it.
9:17 AM
December 21, 2006
Composition as a Programming Activity
When I started programming, you had four choices on the IBM 370 system that the University of Idaho made available to students: Cobol, Fortran, Basic, and APL. I learned Fortran and Basic, avoided Cobol because it was for "business", and looked on APL with wide-eyed wonder. "Someday," I thought, "when I'm all grown up, I'll learn APL." Well, of course, that day never came (I never grew up and I never learned APL).
I'd kind of thought APL was dead--after all, you don't hear about it much. People refer, jokingly, to APL as a "write-only" language because it's very terse. Recently, however, I discovered that there is a successor to APL with a community of ardent users called "J".
"J" isn't a good name for a programming language in 2006 because it's not easily googlable. Nevertheless, there is a home for J with freely downloadable versions for Windows, Linux, and OS X. There's a wiki with lots of information, and even a decent tutorial on J by Roger Stokes.
I discovered all this by reading a posting by James Hague at Lambda the Ultimate on a paper entitled The Role of Composition in Computer Programming. I was intrigued by the title of the paper because I'm always interested in new ways of thinking about the activity of writing programs.
Unfortunately, while I think the paper is tantalizing in its examples, it's written for someone who is an expert in APL (or J). I'm tempted to translate some of it into Scheme so that I understand it, but I'm practical enough to know I won't find the time.
In the meantime, if you're looking for something to challenge your notions about how programming happens, read the classic paper Why Functional Programming Matters. It's written with non-functional programmers in mind and probably won't convince you to be a functional programmer, but it might give you new ideas about how you program.
9:50 AM
OpenID Delegation
Simon Willison (whose blog used to be green) has an excellent tutorial on setting up OpenID delegations so that you can use your own domain name (see what I said about persistence here) as your OpenID. In fact, you can use any URL where you control the resource (what gets returned when you GET the URL) as an OpenID.
Delegation is an important part of OpenID because it allows you to switch OpenID identity providers while your OpenID stays the same. Just change the link tags in the resource associated with the URL you're using as an OpenID and you're in business.
You can tell by the comments on Simon's blog that he's introducing the idea of OpenID to quite a few people. I was able to log into Simon's blog with my i-name, so things are working on his end and 2idi's! Oh yeah, in case you didn't know...i-names function as OpenIDs too.
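Here is what the link tags Simon describes do mechanically, as an added example (my own code, not Simon's and not any OpenID library's). An OpenID 1.1 relying party fetches the identity URL, reads `openid.server` (where to send the user) and `openid.delegate` (the identifier the server actually knows about), builds the `checkid_setup` redirect, and, when the browser comes back, checks that the asserted identity is the delegate it discovered before treating the user as the claimed URL. The identity page, the provider at openid.example-provider.net and the relying party at rp.example.org are all constructed for the example.

```python
import urllib.parse
from html.parser import HTMLParser

# Identity page constructed for this example: the owner of http://example.com/
# delegates to an account at a hypothetical provider, openid.example-provider.net.
SAMPLE_IDENTITY_PAGE = """
<html><head>
  <title>My home page</title>
  <link rel="openid.server" href="https://openid.example-provider.net/server">
  <link rel="openid.delegate" href="https://alice.example-provider.net/">
</head><body>Hello.</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect <link rel=... href=...> pairs; rel may carry several tokens."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        href = a.get("href")
        if not href:
            return
        for rel in (a.get("rel") or "").split():
            self.links.setdefault(rel.lower(), href)  # first occurrence wins


def discover(claimed_id, page_html):
    """OpenID 1.1 discovery: read the server and (optional) delegate links
    from the page served at the claimed identity URL."""
    p = _LinkCollector()
    p.feed(page_html)
    server = p.links.get("openid.server")
    if server is None:
        raise ValueError("identity page has no openid.server link")
    return {
        "claimed_id": claimed_id,
        "server": server,
        # Without a delegate the server is asked about the claimed URL itself.
        "identity": p.links.get("openid.delegate", claimed_id),
    }


def checkid_setup_url(info, return_to, trust_root):
    """The redirect the relying party sends the user's browser to.
    Note that the destination comes straight from the identity page."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": info["identity"],
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    sep = "&" if "?" in info["server"] else "?"
    return info["server"] + sep + urllib.parse.urlencode(params)


def accept_assertion(info, asserted_identity):
    """The IdP vouches for the delegate, not the claimed URL: only if the
    asserted identity equals what discovery found may the RP log the user
    in under the claimed URL (signature checking is out of scope here)."""
    return asserted_identity == info["identity"]


if __name__ == "__main__":
    info = discover("http://example.com/", SAMPLE_IDENTITY_PAGE)
    print(checkid_setup_url(info, "http://rp.example.org/finish", "http://rp.example.org/"))
```

The redirect target is whatever the identity page says it is, so a page whose `openid.server` points at a look-alike site sends the user there; the protocol itself does nothing about that, which is why the identity check on the way back is necessary but not sufficient.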
8:07 AM
December 20, 2006
Giving Away Pre-Loaded MP3 Players
Today I walked past a classroom and noticed an MP3 player left on the piano at the front of the room. For some reason it reminded me of an abandoned pen. We're used to seeing pens lying around, but there was a time when they were expensive and highly prized.
I'm fairly sure you can produce a reasonably featured MP3 player for less than $20. How long before they're like pens--everywhere, given away, easily abandoned, even disposable? They're probably cheap enough now to be given away as schwag at conferences. If you're considering that, you might want to also consider contracting with IT Conversations to pre-load them with great content.
8:09 AM
Images and Video in Collaboration
Last week I was working on a short piece for InfoWorld about collaboration--what companies spend too much money on and what they don't spend enough on. One inexpensive collaboration tool that is underutilized is video. I'm not talking about video conferencing, but the now near ubiquitous ability to create and easily distribute short videos.
If there's anything YouTube has taught us, it's that user-created video is coming into its own. In a recent article called Video Knowledge, Jon Udell references the work of Sean McCown, a professional database administrator who writes the Database Underground blog for InfoWorld. Sean's been bitten by the screencasting bug.
Every now and then you come across something that changes the way you do everything. I just got the latest release of Camtasia Studio and man is it great. It's got some cool new features that I'll let the website go into details on, but what I wanted to talk about is how this kind of thing can be used in our environments.
I sat down last night and made a video of the restore procedure for one of our ETL processes. It was 10 mins long, and it explained everything someone would need to know to recover the process from a crash. So why can't you use this same thing to record your DR strategy? Think about it... would you rather sift through tons of documents or watch a video and see exactly what you need to do, and do it at the same time. This way you can also have the important things explained to you.
From Database Underground | Not just a DR Plan Anymore | By Sean McCown (referenced Wed Dec 20 2006 07:21:45 GMT-0700 (MST))
Sean's using video to teach and ensure his ideas are communicated clearly. People watching the screencasts get a firsthand look at how something is done rather than just reading about it.
Digital cameras are another technology that doesn't get enough use in the enterprise. I remember hearing about the CEO of a department store who used his camera phone to take pictures of particularly attractive retail displays and email them to his merchandisers. Simple, cheap, and effective.
I think over time we'll see imaging and video play an increasingly important role in business communications.
7:38 AM
December 19, 2006
Rohit Khare and Decentralization
Yesterday I put another edition of the Technometria Podcast on IT Conversations. This one is Matt Asay and me talking with Rohit Khare. We had a great conversation about decentralization that ranged from the stock market to Nigerian 419 scams.
Today I posted another edition of IEEE Spectrum Radio--a panel discussion of the FBI Virtual Case File debacle. This is a case study in how to screw up a software project.
4:56 PM
Making XRIs With XRDS
User-friendly view of my XRDS file
Yesterday I posted a piece on XRIs and i-names at Between the Lines. Now that 2idi, my i-name registrar, is supporting forwarding, I've configured several XRIs that resolve to specific places on the 'Net including my blog, RSS feed, and even me at Skype.
I mentioned William Tan's FoXRI extension to Firefox that allows native resolution of XRIs (e.g. xri://=windley/(+blog)) instead of using an XRI proxy. Playing with that tool, I realized that the XRDS document for =windley was pretty skimpy. William informed me that 2idi has a new experimental feature that allows you to customize your XRDS document and create XRIs of all shapes and sizes.
We usually create URIs indirectly, by creating a file on our Web server, for example. With XRIs, at least now, you create them explicitly by editing the XRDS document. That will probably change at some point as more ways for developers to explore and use XRIs become available.
Before you get too far, it's a good thing to read the official specification on XRI resolution. Like most specs it's dry and boring, but there's good reference material in there.
I wanted to create this XRI:
xri://=windley/blog/feed
I have my feed XRI in standard XRI semantics, but I also wanted to specialize my feed from my blog so that I could have feeds from other places too. To do this, I added the following endpoint specification at 2idi:
<xrd:Service>
<xrd:Type xrd:match='null'/>
<xrd:MediaType xrd:match='content' xrd:select='false'>
application/atom+xml
</xrd:MediaType>
<xrd:MediaType xrd:match='default' xrd:select='false'/>
<xrd:Path xrd:select='true'>
blog/feed
</xrd:Path>
<xrd:Path xrd:match='default'/>
<xrd:URI xrd:priority='1' xrd:append='none'>
http://www.windley.com/atom.xml
</xrd:URI>
</xrd:Service>
William Tan was good enough to give me some tutoring on all this. Be careful if you mess with your service endpoints, you could really mess things up. There's no undo feature in 2idi's implementation or even a reset. You may want to use a query like this (substituting your own i-name) to save your XRDS doc before you start playing around.
http://xri.net/=windley?_xrd_r=application/xrd%2Bxml;sep=false
While this is fun, it's not very natural. With DNS (and thus URLs), you can run BIND for your own domain; the TLD just delegates the lookup to the authoritative name server. Right now, there's no way to take control of serving your own XRDS document (at least not that I know of). Consequently, I can't easily build software that controls my XRIs. If 2idi would put a RESTful API on the service endpoint application, that would be a start.
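To see how the Path elements in the endpoint above turn xri://=windley/blog/feed into a URI, here is a simplified selector, added as an example (my code, not 2idi's and not a real XRI resolver). It parses an XRDS document with the standard library, treats a Path whose text equals the requested path as a positive match, falls back to a Path with match="default" when no service matched, and orders the chosen service's URIs by priority (lower value preferred, as in the spec). Type and MediaType matching and the select attribute are ignored, so this is the path rule only, not the full selection algorithm from the XRI Resolution spec. The XRDS document is constructed: the first Service is the endpoint shown above, the second (path "blog", with a URI at mirror.example) is hypothetical.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"
NS = {"xrd": XRD_NS}
_NO_PRIORITY = 10 ** 9  # a URI without a priority sorts last

# Constructed XRDS: the first Service is the blog/feed endpoint from this post;
# the second (path "blog", mirror.example) is made up to show priority ordering.
SAMPLE_XRDS = """<xrd:XRDS xmlns:xrd="xri://$xrd*($v*2.0)">
 <xrd:XRD>
  <xrd:Service>
   <xrd:Type xrd:match="null"/>
   <xrd:MediaType xrd:match="content" xrd:select="false">application/atom+xml</xrd:MediaType>
   <xrd:MediaType xrd:match="default" xrd:select="false"/>
   <xrd:Path xrd:select="true">blog/feed</xrd:Path>
   <xrd:Path xrd:match="default"/>
   <xrd:URI xrd:priority="1" xrd:append="none">http://www.windley.com/atom.xml</xrd:URI>
  </xrd:Service>
  <xrd:Service>
   <xrd:Path xrd:select="true">blog</xrd:Path>
   <xrd:URI xrd:priority="2" xrd:append="none">http://mirror.example/blog/</xrd:URI>
   <xrd:URI xrd:priority="1" xrd:append="none">http://www.windley.com/</xrd:URI>
  </xrd:Service>
 </xrd:XRD>
</xrd:XRDS>
"""


def _attr(el, name):
    """XRD attributes are namespace-qualified (xrd:match); accept bare ones too."""
    v = el.get("{%s}%s" % (XRD_NS, name))
    return v if v is not None else el.get(name)


def select_service(xrds_xml, path):
    """Return the URIs, best priority first, of the service endpoint selected
    for `path` (the part of the XRI after the i-name, e.g. "blog/feed").

    Path rule only: a Path whose text equals the requested path is a positive
    match; a Path with match="default" is used when no service matched.
    """
    root = ET.fromstring(xrds_xml)
    wanted = path.strip("/")
    positive, default = [], []
    for svc in root.iter("{%s}Service" % XRD_NS):
        for p in svc.findall("xrd:Path", NS):
            text = (p.text or "").strip().strip("/")
            if text and text == wanted:
                positive.append(svc)
                break  # one positive Path is enough for this service
            if not text and _attr(p, "match") == "default":
                default.append(svc)
    uris = []
    for svc in positive or default:
        for u in svc.findall("xrd:URI", NS):
            prio = int(_attr(u, "priority") or _NO_PRIORITY)
            uris.append((prio, (u.text or "").strip()))
    uris.sort()  # lower priority value is preferred, as in the XRI spec
    return [u for _, u in uris]


if __name__ == "__main__":
    for q in ("blog/feed", "blog", ""):
        print("=windley/%s -> %s" % (q, select_service(SAMPLE_XRDS, q)))
```

Because the default Path catches every unmatched query, a typo in the XRI quietly resolves to the feed rather than failing; that is one reason to keep a saved copy of the XRDS document, as suggested below, before editing endpoints.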
10:38 AM
December 18, 2006
Haskell vs. Java Smackdown
Defmacro.org has a small example of Haskell's expressive power and the same code written in Java. Both take five lines of code to "[go] through a parse tree of Haskell source code, locate every reference to an identifier that ends with 'Widget', put it on a list, and remove duplicates so every identifier is represented in the list only once." Impressive. I believe the Haskell code is a bit more general, and defmacro.org argues that it's more maintainable. You be the judge.
4:00 PM
December 15, 2006
Limit Simultaneous Connections in Apache
Yesterday I wrote about the comment storms that were happening on my blog. Many people made some great suggestions and I plan on implementing many of them in the coming weeks. I found something, however, that was pretty simple and, so far, seems to be working beautifully.
mod_limitipconn is a small Apache module that allows you to limit the number of simultaneous connections from any given IP address to any particular resource or MIME type. It built and installed without a hitch--within 15 minutes I was in business. Here's the configuration I'm using to limit connections to the comment CGI:
<IfModule mod_limitipconn.c>
<Location /mt/mt-comments.cgi>
MaxConnPerIP 1
</Location>
</IfModule>
Be sure you se
Now, I see lines like this in my error_log:
[Fri Dec 15 06:57:43 2006] [error] [client 219.95.92.19] Rejecting client at 219.95.92.19
I decided not to ban IP numbers, although banning them in bulk isn't too hard with mod_rewrite which I use for other reasons anyway. I did put together a little shell script to tell me the IP numbers of the offenders that others might find helpful.
#!/bin/bash
# find_abuse: count today's requests matching $1 (e.g. mt-comment) per client IP
Y=$(date +%Y)
M=$(date +%m)
D=$(date +%d)
grep "$1" "/web/logs/$Y/$M/$D/access.log" \
  | awk '{print $1}' \
  | sort \
  | uniq -c \
  | sort -n
This program produces a report like this:
[web@lynx web]$ ~/bin/find_abuse mt-comment
1 125.22.112.78
1 128.178.149.52
1 132.177.218.74
.
.
.
6 85.255.119.132
7 195.225.177.137
7 195.225.177.40
7 195.225.177.46
7 85.255.119.74
8 213.42.21.77
The first number is the number of connections to mt-comment (specified as an argument) from that IP address. Clearly there's still some abuse going on, but it's not happening with simultaneous connections, which is what was killing me.
8:58 AM
December 14, 2006
Comment Spam Storms
Update: Be sure to read the comments. There are lots of good suggestions on solving this problem. Here's what I did to stop spam storms.
About three times per day my server gets hit by a comment storm. Someone with a botnet is trying to spam my blog and they're going about it stupidly. They don't get any comments through because of a simple textual CAPTCHA that I installed in June.
The storm occurs because the spammers try to post over 100 comments in the space of about a minute from five or six different IP addresses. Naturally, the load average on my server shoots up to unacceptable levels. I'm stymied about how to combat this. The IP addresses are different every time. The User-Agent is MSIE, so you can't filter on that. If you have ideas, let me know.
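The find_abuse script in the Limit Simultaneous Connections post above counts hits per day; the storm described here is a burst in time, so the signature to look for is many posts to the comment CGI inside a short window. Here is detection logic for that, added as an example (my own code, not part of the original post), run over Apache combined-log lines: it reports the largest number of requests to the comment CGI inside any 60-second window, overall and per source IP, and flags the IPs that crossed a threshold. The log lines are constructed for the example: three IPs posting six comments each within half a minute, plus one legitimate commenter whose two comments are hours apart.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined log: client IP, ident, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path), or None for a line we can't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path")


def peak_in_window(times, window):
    """Largest number of (sorted) timestamps that fall inside any one window."""
    q, best = deque(), 0
    for t in times:
        q.append(t)
        while t - q[0] > window:
            q.popleft()
        best = max(best, len(q))
    return best


def find_storms(lines, target="mt-comments.cgi", window_seconds=60, threshold=5):
    """Scan log lines for requests to `target`. Returns (overall_peak, offenders):
    the most such requests seen from all clients inside one window, and a map
    of IP -> its own peak for every IP that reached `threshold` in a window."""
    window = timedelta(seconds=window_seconds)
    per_ip, everyone = defaultdict(list), []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, _method, path = rec
        if target in path:
            per_ip[ip].append(ts)
            everyone.append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        peak = peak_in_window(sorted(times), window)
        if peak >= threshold:
            offenders[ip] = peak
    return peak_in_window(sorted(everyone), window), offenders


# --- constructed sample log (not the real access.log) ---------------------
def _line(ip, ts, path, method="POST"):
    return ('%s - - [%s] "%s %s HTTP/1.1" 200 512 "-" '
            '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"'
            % (ip, ts.strftime("%d/%b/%Y:%H:%M:%S %z"), method, path))


_t0 = datetime(2006, 12, 14, 9, 50, 0, tzinfo=timezone(timedelta(hours=-7)))
SAMPLE_LOG = []
for _i in range(6):  # three bots, six posts each, all within 25 seconds
    for _ip in ("198.51.100.10", "198.51.100.11", "203.0.113.5"):
        SAMPLE_LOG.append(_line(_ip, _t0 + timedelta(seconds=5 * _i), "/mt/mt-comments.cgi"))
# one legitimate commenter, two comments hours apart, plus an unrelated GET
SAMPLE_LOG.append(_line("192.0.2.44", _t0 - timedelta(hours=1), "/mt/mt-comments.cgi"))
SAMPLE_LOG.append(_line("192.0.2.44", _t0 + timedelta(hours=2), "/mt/mt-comments.cgi"))
SAMPLE_LOG.append(_line("192.0.2.44", _t0, "/index.html", "GET"))

if __name__ == "__main__":
    overall, bad = find_storms(SAMPLE_LOG)
    print("peak requests to the comment CGI in 60s, all clients:", overall)
    for ip, peak in sorted(bad.items(), key=lambda kv: -kv[1]):
        print("%-16s %d in 60s" % (ip, peak))
```

Run against a real access.log (`find_storms(open(path))`), the overall peak tells you whether the load is a burst at all, and the per-IP peaks give you the handful of addresses behind it without banning a commenter who happens to post twice.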
9:56 AM
December 13, 2006
Le Web
On Dave Winer's blog, I saw a post about Le Web 3. Can you say "le web"? I thought that the language police got mad about non-French words. Is there a French version of "web" (I seriously want to know)? I listened to Jean-Benoit Nadeau on Diane Rehm last week speaking about his book The Story of French. The interview was good and I enjoyed it. Looking on Amazon, I see that Nadeau is also the author, along with Julie Barlow, of Sixty Million Frenchmen Can't Be Wrong: Why We Love France but Not the French.
10:28 AM
Top Ten ITC Shows for November
Here are the top ten IT Conversations shows for November (based on individual downloads of the MP3):
- Mark Thompson - Success Built to Last
- Sean Carroll - The Making of the Fittest
- More Than Just A Game - Supernova2006
- Tony Giordano - a PhD in Biotech
- Managing Vendors Before They Manage You - Technometria
- Ryan Freitas - Facilitating Collaboration
- Ross Mayfield - Technometria
- Panel Discussion - Rise of the Videonet
- Web 2.0 Panel - SofTECH
- Erik Larson - The Transatlantic Hunt for a Murderer
6:59 AM
December 12, 2006
OpenID and XMPP
Via Scott Kveton, a link to an OpenID server that uses XMPP authentication (the underlying protocol for Jabber). Fun stuff!
9:16 PM
Your Conference, On Demand
I received a flyer (more like a catalog) for SD West 2007 in the mail today. My first thought was that it looked like content IT Conversations subscribers would enjoy. But as I looked closer, I saw that they sell the audio to the event.
You can pay an additional $95 with a full pass or $295 with a one-day pass and get unlimited access to the audio and slides from the conference for 365 days after the event. They call this "SD On Demand."
I'm interested in hearing from anyone who has been to a past SD Expo and from anyone who purchased the audio. Does this seem like the kind of thing that you ought to pay more for? When you pay are you satisfied with a year of access? Is it the kind of thing you expect to be included in the price of a conference, or is it something you're happy getting from places like IT Conversations as we filter it using editorial control?
Many conference organizers have concluded that IT Conversations is a good place to advertise. People who heard last year's conference and enjoyed the talks are more likely to attend in the future. You might argue that no one's going to go to a conference that they can hear later for free, but we all know that a huge part of the value of a conference is in being there, not just listening to the speakers.
As I've said before, speakers and attendees benefit when IT Conversations hosts the audio for a conference. Speakers ensure that their talk will be heard by tens of thousands more people than would hear it at the conference. Attendees ensure that they'll be able to hear talks they enjoyed again or listen to a talk that conflicted with the one they went to.
8:39 PM
Reconstructing Iraq's Power Grid
I just finished listening to the second installment of the new IEEE Spectrum Radio program on IT Conversations. This piece, Reconstructing Iraq's Power Grid is excellent and very interesting. It's not political--but the size and importance of the job is eye opening.
These shows are not as easy as just republishing what IEEE sends us. This show, for example, was pieced together from three separate segments and Paul Figgiani did a great job of rearranging lead-ins, music and so on to make it seem like a connected show.
If you're wondering if every show in this series is somehow about Iraq or terrorism based on the content of the first two, have no worries. The show is broad-based and there's some great segments coming up. Stay tuned...
11:43 AM
December 11, 2006
419 Scams, Black Money, and Greed
This piece about a former Congressman in jail because of Nigerian 419 scams caught my eye this morning. Amazing. It makes me wonder how gullible we all are. Clearly greed is the underlying culprit here. Be sure to watch the video on the black money scam. That was new to me. Anyone want to buy a suitcase full of black paper?
5:06 PM
Jim Harper Audio On Identity
I just posted Jim Harper's talk on identity at IT Conversations. It's a good talk and well worth listening to if you've got any interest in identity and public policy. Unfortunately, we didn't have a mic for the audience, so the Q&A session didn't make it. That's too bad since there was some really good interaction.
1:54 PM
December 10, 2006
IIW2006 Lost and Found
After IIW2006B was over last week, we found a few things. Kaliya has them, so if they're yours contact Kaliya to get them back. Here's pictures (click picture to enlarge):
- Phone charger
- Glass case
- IBM power adapter
- Macbook (65W) mag power adapter
5:05 PM
December 9, 2006
TiVo and the iPod on OS X
Getting video from your TiVo to an iPod isn't as hard as it used to be. This hack shows how to do it all on the Mac and have it scheduled to run automatically.
10:03 PM
December 8, 2006
Bohemian Rhapsody in the key of ID
On Tuesday evening, we were treated to the debut performance of Bohemian Rhapsody in the key of ID (lyrics by Eve Maler, Laurie Rae, Peter Tapling, Derek Fluker, Bill Johnson, and Wes Kussmaul). Conor Cahill shot a video:
1:12 PM
Paper for Voting
Legislation pending in Congress would ban the use of paperless electronic voting machines in the 2008 election. When John Dougall proposed the legislation in Utah requiring a paper audit trail, there were some naysayers. John's looking pretty smart now since his legislation ensured that Utah didn't buy machines it would now have to throw out or modify.
10:45 AM
December 7, 2006
Firefox, Internet or Search Engine? You Decide
Firefox T-Shirt
Today I was in REI. I had on my Firefox T-Shirt. The guy helping me with flashlights said "Oh, I love that search engine!" Contrast that with this story: When I first bought the shirt my daughter, who was six at the time, climbed up on my lap and asked "Daddy, why do you have a picture of the Internet on your shirt?" Who was more right?
9:44 PM
December 6, 2006
Computational Reputation
I did a session on online reputation (or "computational reputation" as I've taken to calling it to distinguish it from reputation work in other fields). I didn't have time to take notes, but if I find others who have, I'll post an update here. In the meantime, here's the picture of the whiteboard I took and a link to my paper on reputation.
2:23 PM
i-names...Again
Salim Ismail
I went to a session on the future of i-names this morning. Drummond Reed started off talking about what they are now. DNS names abstract IP numbers. URLs, based on DNS, typically point to specific locations. XRI provides an abstraction layer on top of the URL. i-names and i-numbers are synonyms. i-names provide a semantic identifier and i-numbers are a persistent identifier. i-numbers are never reassigned, but i-names might be.
Having a non-reassignable identifier ensures that I can't lose my identity (and the rights that go with it). Any synonym in the XRI namespace resolves to the same i-number and all of them resolve to the same XRDS document.
i-names are transferable, but i-numbers are not. There was some discussion of why this is so, whether it's enforceable, and if its even good idea.
Right now, i-names can be used for authentication, contact (e.g. =windley), and forwarding (e.g. =windley/+blog).
Future uses include ePayments, vendor relationship management, telephony (managing incoming calls), open reputation, community management, embedded authentication, "break glass" (e.g. emergency medical information), abstracting contact information (e.g. like 911, 311, 511, etc. for the Internet) and so on. Of course, this same list could be made in an OpenID sessions.
I asked Drummond what distinguished i-names from other identifiers. The big answer seems to be the permanence of the identifier. Reassignment does happen with URLs: domains get sold. This is why I recommend owning the domain for your blog. At least then it's you who decides to drop the identity.
There's always a lot of interest in XRI and i-names at these events. People seem to sense that there's something there, but I never seem to get real traction on what I'd build tomorrow to use them effectively. Discussion with Drummond convinced me that we're making progress on that point and I look forward to being able to play with them easily.
11:59 AM
Trusted Computing...Sounds Great. Is It?
Here's a great little video on trusted computing. Not much on the details, but well done and aimed at a less technical audience.
10:09 AM
The State of User Centric Identity
Johannes Ernst has a good summary of the current user-centric identity landscape in his updated triangle diagram.
12:32 AM
December 5, 2006
Beyond Passwords
Hacking CardSpace in the Hi-Fi Lounge
In the session on authentication without passwords (beyond passwords), Lisa Dusseault made these assertions (with some help from the room):
- Existing browsers do not succeed in verifying site identity to users
- HTML forms for login considered harmful.
- Browser-based third-party identity systems habituate users to being redirected to enter their password (task fixation). When you catch someone in the middle of doing something, they will plow through all kinds of barriers to "get the job done." Most current password schemes redirect users to authenticate.
- Any password-based system is vulnerable to password phishing attacks. Once you've given up the password it's gone. Most users share passwords. Sometimes for legitimate reasons. Certificates are little better.
- Subverting a leveraged identity is more attractive. There has to be some balance between convenience and single sign-on. I made the point that our physical wallets are a model here. Jim Harper's book is instructive here.
- Restoring integrity and reputation is expensive. It's usually easier for crackers to adapt to our defenses than it is for us to adapt to their attacks.
Some design points:
- Bits on the wire should be temporal
- Non-repudiation
- Consistent user interface
- Spoof resistant interface
- Verify site before releasing identity information
- Portability (kiosk access)
- Make insider attacks difficult
- Allow multiple credentials
- Consistent and seamless lifecycle of credentials and keys
We got into a big discussion of why PKI could or couldn't be fixed.
5:10 PM
Speed Geeking
Chuck Mortimore demos XMLDAP
Speed geeking turned out great. I saw some things that really interested me and I got it in a quick hit. The following projects or demos were done:
- Earthgrid.org - Video worth paying for
- xmldap - Chuck Mortimore gave a demo that showed using an OpenID as a CardSpace card to log into Kim Cameron's blog.
- Safari InfoCard Selector - This is a plug-in for Safari from Ian Brown that implements a CardSpace card selector.
- AOL WebAIM Service - a nice demo showing how to get AIM data using a Web API. I would like to explore using this with the reputation framework we're developing.
- CardSpace in Java
- vAuth is a voice authentication service from Avery Glasser that leverages OpenID. You can enter your OpenID and then you get a screen telling you call a number and follow the instructions. When you're done, you're in.
- Multi-project interoperability. This was a Higgins/Bandit interoperability demo that I missed.
- Microformats and pingarati (?)
- OpenSAMLid
- Sxipper - showed the Sxipper service and the use of signed attributes with OpenID.
- Johannes Ernst showed OpenID and NetMesh--a fairly introductory demo of the service, but good for people who weren't familiar with how all this works.
- OpenID in the Wild
I didn't get to all of them, but the ones I did go to were very good. Lots of good things happening and there's a real start on interoperability.
5:07 PM
Vendor Relationship Matters
I went to Doc's discussion of VRM (vendor relationship management). We had a great discussion around a number of scenarios. There's Doc's (by now) famous rental car discussion. Dave Winer brought up Yahoo! Movies and Netflix and sharing data back and forth between them.
This kind of session easily turns into a discussion of how messed up most companies are. Doc summed it up thusly: "Living in a silo is self-destructive."
Doc said there were three pieces: transactions, intentions, and preferences. Avery Lyford boiled these down to three points:
- What you've done
- What you want
- What you like
Intentions are crucial. It is antithetical to so-called "demand creation" marketing techniques like coupons or Spam. Big organizations have been doing this for years as RFPs or RFQs. I wonder how we keep managing our intentions from being a lot of work in the way that building RFPs is a lot of work.
Aggregating intention with a high degree of reliability is an activity that is salable. Lead generation is expensive. That's the thing that's worth money.
2:40 PM
Lightbulb: Bringing SAML to PHP
Pat Patterson spoke on using SAML in a "Web 2.0 World." SAML provides a good mechanism for transporting identity attributes. But to use SAML on the wild Web, you've got to support dynamic languages like PHP.
Pat has a mechanism for using SAML from PHP. One way to do this is using a PHP/Java bridge that talks to an existing federation manager. This is overkill if you've got one little site you want to use federation on. Pat has a project, called Lightbulb, that puts SAML directly into PHP. No custom PHP modules required. Future parts of Lightbulb may extend this to Ruby and other languages.
There are four integration points:
- Give the user some way of signing on with the IdP
- Give the user a way to log off
- Some way of setting the local ID from the information passed back from the IdP
- Some way of removing that when the user logs off
The code Pat shows for each of these is 3 or 4 lines of PHP. Local login still works. Very cool stuff really.
12:29 PM | Comments () | Recommend This | Print This
Trusting OpenID
We started off the morning, as is our tradition, by building the schedule for the conference. Lots of good sessions were proposed and there are many I will have to choose between. I love seeing these things come together.
I started off the morning at David Recordon and Josh Hoyt's talk on OpenID authentication in the new OpenID 2.0 spec. During a discussion of how OpenID 1.1 works, a good discussion of phishing broke out. Someone asked what's to keep a relying party from purposely misdirecting a user to a site that's spoofing the user's IdP and stealing the user's credentials. David said "Nothing."
Gasp! But actually, that's the right answer. Phishing can only be reliably stopped at the browser. Server-side band-aids exist, but this is where identity selectors like the one in CardSpace play a role. (Also watch to see if Sxipper helps here.)
OpenID is a simple authentication protocol that doesn't provide any kind of trust model. There's no built-in way to determine, for example, whether the IdP is trusted by the RP. The RP can do this out of band, of course.
Johnny Bufu from Sxip talked about OpenID Signed Assertions, which allow a user to collect signed SAML assertions from third parties, store them at their IdP, and send them to RPs. A scrimmage broke out over who trusts whom in this scenario. Is the RP trusting the IdP, or is the RP trusting that the user has selected an IdP that will accurately represent her? This distinction seems to be important in context. Some use cases will want to trust the user to choose a trustworthy IdP; other RPs will be very concerned about which IdPs they trust.
This is, again, a selector (client side) problem. How can an RP indicate the kinds of IdPs that it will accept?
This is made more complicated by delegation. OpenID lets the page at a user's identifier URL point to an IdP hosted somewhere else. This means that I can use http://phil.windley.org as my OpenID even if I'm using mylid.net as my OpenID IdP. Trust mechanisms need to be established between the RP and the delegated-to IdP, which is the true IdP.
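To make the two points above concrete (the RP checking out of band which IdPs it trusts, and delegation hiding the true IdP behind the user's own URL), here is an added example of an OpenID 1.1 relying party's discovery step. It is not code from the post or from any OpenID library. What it relies on from the OpenID 1.1 spec: the RP fetches the claimed identifier's page and reads the openid.server link for the IdP endpoint and the optional openid.delegate link for the identifier the IdP actually knows. The sample identity page, the mylid.net URLs, the RP's allow-list of IdP hosts and the return_to URL are all constructed assumptions.

```python
"""Added example (not from the original post or any OpenID library): how an
OpenID 1.1 relying party discovers the true IdP behind a delegated identifier
and applies its own out-of-band IdP allow-list before redirecting the user.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlencode

# Constructed sample: what http://phil.windley.org might serve if it delegated
# to an account at mylid.net. The URLs are illustrative assumptions.
SAMPLE_IDENTITY_PAGE = """<html><head>
<title>Phil Windley</title>
<link rel="openid.server" href="https://mylid.net/openid/server">
<link rel="openid.delegate" href="https://windley.mylid.net/">
</head><body>hello</body></html>"""

# The RP's out-of-band trust decision: which IdP hosts it accepts (assumed).
TRUSTED_IDP_HOSTS = {"mylid.net", "myopenid.com"}


class _OpenIDLinkParser(HTMLParser):
    """Collect the href of every <link rel="openid.*"> on the page."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower()
        href = a.get("href")
        # rel may hold several space-separated tokens; first match wins
        for token in rel.split():
            if token.startswith("openid.") and href and token not in self.links:
                self.links[token] = href


def discover(claimed_id, page_html):
    """Return (idp_endpoint, identifier_to_send) per OpenID 1.1 link discovery.

    Without an openid.delegate link the claimed identifier itself is sent to
    the IdP. Raises ValueError when the page carries no openid.server link.
    """
    p = _OpenIDLinkParser()
    p.feed(page_html)
    server = p.links.get("openid.server")
    if not server:
        raise ValueError("no openid.server link on identity page")
    delegate = p.links.get("openid.delegate", claimed_id)
    return server, delegate


def idp_is_trusted(idp_endpoint, trusted_hosts=TRUSTED_IDP_HOSTS):
    """RP-side allow-list: only HTTPS endpoints on a trusted host (or a
    subdomain of one) pass, so 'evil-mylid.net' does not match 'mylid.net'."""
    parts = urlsplit(idp_endpoint)
    if parts.scheme != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == t or host.endswith("." + t) for t in trusted_hosts)


def start_checkid(claimed_id, page_html, return_to):
    """Build the checkid_setup redirect the RP sends the browser to, after
    the trust check. Returns None when the discovered IdP is not trusted,
    which is where a phishing IdP named by a hostile identity page stops."""
    server, identity = discover(claimed_id, page_html)
    if not idp_is_trusted(server):
        return None
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": identity,
        "openid.return_to": return_to,
        "openid.trust_root": return_to,  # simplified: trust_root == return_to
    }
    sep = "&" if "?" in server else "?"
    return server + sep + urlencode(params)


if __name__ == "__main__":
    print(discover("http://phil.windley.org", SAMPLE_IDENTITY_PAGE))
    print(start_checkid("http://phil.windley.org", SAMPLE_IDENTITY_PAGE,
                        "https://rp.example/return"))
```

The point of the allow-list is the one made above: the protocol itself carries no trust model, so the RP has to decide out of band which IdP endpoints it will redirect users to, and it has to make that decision on the endpoint discovered through delegation, not on the URL the user typed.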
11:01 AM | Comments (1) | Recommend This | Print This
December 4, 2006
Introducing User-Centric Identity
(Photo: Doc Searls)
The Internet Identity Workshop (2006B) has begun. I flew in this morning and spent the time before the conference started shopping for things we need for snacks, etc.
Today is not an unconference event--that starts tomorrow. Today we have a more structured program intended to get people new to the space up to speed--but people who've been in the identity space for years come anyway.
Kaliya and Mike Ozburn started off the day with some discussion of the identity space map. Dick Hardt spoke on the identity lexicon and the laws of identity.
Next up was Johannes Ernst speaking about OSIS, the open source identity system. The OSIS steering committee is over a dozen identity companies working to make user-centric identity interoperable.
Kim Cameron gave an introduction to CardSpace, the Microsoft user-centric identity system (which is interoperable with OSIS). He did a great intro, including a demo. One thing he said that stuck with me was "Privacy is security from the point-of-view of the individual."
Paul Trevithick spoke about Higgins. Bottom line: Higgins is glue. Higgins defines a way for developers of identity systems to develop plug-ins that allow their system to interoperate with other Higgins-enabled identity systems. Users may not ever know that Higgins is even around--but it will likely play an important role in "making things work."
Eve Maler spoke about Project Liberty. Federated identity is about distributing identity information in the "right" way. Single sign-on, for example, is distributed authentication. Bonus: Read Eve's Identity Planets, Moons, and Comets for a great discussion of her ideas in this space.
Scott Kveton and David Recordon spoke on URL-based identity. David spoke on the history and where things are now (some exciting things to come out in the next few days at IIW). He also talked about futures, including using OpenID with HTTP Auth. Scott showed a chart that claims 12-15 million OpenID users. He quipped that since it's all distributed, there's no way to prove him wrong. There are over 550 sites that use OpenID. Scott listed libraries for a dozen programming languages that support OpenID. The bounty program is yielding results and more and more software will be OpenID enabled.
Eugene Kim spoke on Identity Commons and its role in the user-centric identity space. Identity Commons is fostering collaboration. Eugene told some stories about how collaboration has occurred in the identity space: Yadis, OSIS, and interoperability are examples.
Eugene talks about the trust that exists in the IIW community. People are willing to give each other the benefit of the doubt and work with each other. Interestingly, this wasn't always so. I can remember the first IIW where people were talking about their own stuff and arguing about why the other guy's stuff wouldn't work. That's completely changed. Eugene says "self-awareness is critical to a group of people becoming a community and it seeds interaction." Self-awareness allows the community to scale.
We asked Doc to close today. He covered the history, the need, and set the stage for the next few days. Well done.
I have some photos from today.
Here's a linkfest of things I saw related to Internet identity today:
- Doc Searls: Busting the Silos "I don't need a password when I go to the drugstore--why do I need one online?"
- Joe Andrieu posted an interesting piece on the power of the identity metasystem in preparation for coming to the workshop.
- Phil Becker makes a case for OpenID
- Tim O'Reilly has a post on the economics of disaggregation. OK, so Tim never mentions "identity" directly. In fact, I suspect Tim doesn't really buy the whole identity thing--or at least thinks it's boring--though there are signs that it's starting to get his attention. Regardless, these disaggregations require identity to make their magic and decentralized, universal, Internet-scale identity could change the game yet again.
6:00 PM | Comments () | Recommend This | Print This
December 2, 2006
Podcast Your Way to Fame and Glory
I'd like to start a regular feature on IT Conversations that contains interviews with authors of recent IT books. The series, which I'm tentatively calling "Book IT!", would air every other week.
I'd expect the host to
- Select and read the books (most publishers will send a complimentary copy to IT Conversations).
- Contact the author and schedule the interview. Most authors are happy to publicize their books.
- Conduct the interview and record the show (phone or Skype interview). This presumes you have the equipment to produce a good quality WAV file from a phone conversation. IT Conversations can provide advice on how best to do this.
- Write the copy for the show page. You would use the IT Conversations CMS for this.
In exchange you get free books and a little fame (there's also a small amount of money for acting as the Web page editor). IT Conversations will post-produce and distribute the audio like we do all our shows.
If you're interested, send me a note with a brief synopsis of your experience in IT, with interviewing and, if possible, a link to a recorded interview you've conducted. Remember, this is a commitment of one show every other week, so only apply if this is something you have the time to do.
11:10 PM | Comments (1) | Recommend This | Print This
December 1, 2006
NIST Report Condemns DRE Voting Machines
In what may be the biggest blow for electronic voting machines yet, NIST, the National Institute of Standards and Technology, issued a draft report this week that concluded that paperless direct-recording electronic (DRE) voting machines cannot be made secure and recommends optical scan systems (Washington Post story).
The report will be debated next week in a meeting of the Technical Guidelines Development Committee (TGDC). This is the committee that makes recommendations to the U.S. Election Assistance Commission. Next week's meeting will be webcast.
The report (PDF) stresses the need for "software independence." From the report
A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system's (typically, electronic) CVRs [Cast Vote Records] are accurate as cast by the voter or in error. In SI voting systems that are readily available today, the determination can be made via the use of independent audits of the electronic counts or CVRs, and independent voter-verified paper records used as the audit trail.
The report recommends only using SI voting systems and states:
The most obvious ramification of requiring SI in VVSG [Voluntary Voting Systems Guidelines] 2007 is that paperless DREs could not be certified to VVSG 2007. Purchase of paperless DREs would still be permitted, but certification of new paperless DREs would be prohibited after, likely, 2009/2010 when compliance with VVSG 2007 may be required. This effectively leaves only voter-verified paper approaches for certification in the near/foreseeable future, including op scan, EBM devices [Electronic Ballot Marking device, e.g., the ES&S AutoMARK], DRE-VVPAT [A DRE with Voter Verified Paper Audit Trail voting system], and, possibly, some E2E [End-to-end auditable voting systems, usually based on cryptography] approaches.
Of course, whether an audit can be done in a cost effective manner depends on how the system is built and the report talks about that as well, but the conclusions are softer:
Focus attention towards improving the usability and accessibility of paper-based SI voting systems: HFP and STS should continue to work together to incorporate requirements to make op scan, EBM, and DRE-VVPAT more usable, accessible, and convenient to audit. If this work requires more time than allocated for VVSG 2007 development, some method for continuing this work should be investigated.
and
Foster development of new SI approaches: STS recommends that research and development of new SI and possibly non-SI approaches be fostered and that an expert panel be created to review approaches. Usability of these approaches should be a primary factor in their design, as well as whether they lend themselves to accessibility.
One of the things that worries me is that once we've got a VVPAT we'll stop, because elections officials will feel like they've "done all they can." In fact, to detect fraud, you may have to audit 50-60% of the paper audit trail. That's just not practical from a cost standpoint with current systems. Thus the need for continued evolution.
I'm not big on conspiracy theories and consequently believe that the best way to influence this process is to work with elections officials rather than rail against them. I believe that most elections officials sincerely want to run accurate elections and they need help to understand the pitfalls of DRE machines and how to mitigate the problems of voting machines.