February 28, 2007
John Wait on Technometria
I just published an interview with John Wait on the Technometria podcast. John's got a long tenure in the publishing business and spends most of his time looking at how new digital tools affect the more traditional business of publishing books. We had a very enjoyable chat. I'm sure you'll enjoy listening to it.
2:47 PM
Talking Portraits Debuts on IT Conversations
Today, a new series, Talking Portraits, made its debut appearance on IT Conversations. Talking Portraits is hosted by Tom Parish, who's been doing podcasting for a long time and audio on the 'Net even longer. On Talking Portraits, you can expect thought-provoking shows about technology and the people behind it. I'm proud to have Tom as part of the IT Conversations team and hope you'll enjoy his show.
1:54 PM
February 27, 2007
IT Conversations Meetup: San Diego, March 27
I'm going to be in San Diego for O'Reilly's Emerging Technology Conference the end of March and thought it would be fun to have a Meetup for IT Conversations. If you're going to ETech, or are simply in San Diego, and you'd like to meet and talk to other IT Conversations listeners, hosts, or staff, then mark March 27 on your calendar.
This is a great opportunity to continue the conversation in person. We'll talk about technology, IT Conversations, podcasting, and more. I hope you'll be there. We'll be meeting at 7:30 at the Manchester Grand Hyatt. Watch for room information later.
I've created an event on Eventful for this meetup. If you're planning on coming, pop on over and say you're coming so we know how big a room we'll need. If you can't come to the San Diego event, but would like to know about future IT Conversations meetups, hopefully in a town near you, join the IT Conversations group at Eventful. I'll be adding future meetups and other IT Conversations events there.
9:34 AM
February 26, 2007
OpenID Economics Centers on Relying Parties
Tim Bray has written a post saying that OpenID seems pretty useless and then points out some problems and possible solutions. The ironic thing is I can't argue with many of his points, but come to a very different conclusion.
I don't intend to respond point by point. He's spot on, for example, in what he says about TLS. While the OpenID spec tries to stay away from specific authentication mechanisms and has been subjected to considerable security analysis over the months, there's no reason not to require that HTTP transport happen over TLS. In practice, however, I doubt any serious OpenID identity providers (IdPs) wouldn't use TLS.
That leads to the primary point. While it's true that anyone can throw up an OpenID server and start offering IdP services (Tim's "what's it mean" point), I think we'll see a limited set of trusted IdPs in practice. After all, AOL offers it now. If a few more of the big players offered it with their services (come on, Yahoo! and Google), everyone on the 'Net would have an OpenID from a trustworthy IdP.
A few big players would be sufficient since what OpenID provides is authentication. Simple, plain-old authentication. When you accept an OpenID as a relying party, all you know is that the IdP is saying that the person in control of the password for that OpenID entered it at their site. So, as long as you trust the IdP to verify the identity of the user, that's all you need.
What's the value? Just that. I don't have to do authentication and mess with password reset, and so on. If I were building a Web application today, I'd certainly allow OpenID authentication and might even consider only accepting OpenID. There's not much time savings at build time, but it cuts the operational complexity. You still have to associate attributes with that identity and build authorizations around it.
OpenID 1.0 doesn't include attribute exchange, but OpenID 2.0 does. With attribute exchange, I might start caring which OpenID provider someone uses even more. Amazon might be able to send me attributes (with the user's permission) that Google can't. As a relying party, I might get more picky based on what I need to know.
Much of the talk is about user convenience and "single sign-on" (SSO) but that's not what will drive OpenID acceptance and use. For that to happen relying parties have to see value in (a) account management simplicity and (b) attribute exchange. The first is a reality today, the second will come.
With attribute exchange, some niche OpenID providers are likely to spin up based on specific attributes or features. But wait, if I've got multiple OpenIDs and IdPs, doesn't that negate the SSO value? Yes, but for the announcement that OpenID will interoperate with CardSpace. Now, I can have multiple OpenIDs and manage them in my card selector from my desktop, choosing which to send based on what I want to reveal and what the relying party needs.
So, I don't think OpenID is useless. To the contrary, I think there's real value to relying parties now and more to come.
4:46 PM
Beautiful and Disturbing
Charlain has a humorous and interesting look at what it's like to get a new machine with Vista on it. Beautiful and disturbing.
4:03 PM
February 24, 2007
Using OpenID Delegation
In a comment on my post about OpenID being an official lifehack now, Richard Miller asks "which OpenID provider do you suggest?" The good news is that OpenID has a layer of indirection built in, so it's not critical that you choose correctly. Here's how it works.
First, you need to pick a URL to serve as your OpenID. It doesn't need to be an OpenID provider and you don't need to install a server at that URL. I'd recommend choosing one that you believe you'll be able to hold onto for a good long time. That's going to be the URL you use as your OpenID. I use http://phil.windley.org
Next, install link tags in the header of the HTML that gets returned from that page specifying your OpenID server and delegate. The server is the URL of the actual server that will process any OpenID requests. The delegate is your ID on that server. So, for example, if I want to use myopenid.com as my server, I add these two tags to the page at phil.windley.org:
<link rel="openid.server"
href="https://www.myopenid.com/server">
<link rel="openid.delegate"
href="http://windley.myopenid.com">
Now, suppose that I decide to use AOL as my OpenID server. I just change the preceding two tags to look like this:
<link rel="openid.server"
href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate"
href="http://openid.aol.com/pjwindley" >
I still use phil.windley.org as my OpenID, just like before, but instead of logging into myopenid.com when I want to authenticate using my OpenID, I will be sent to openid.aol.com.
There's no limitation on using delegation for the same OpenID with other URLs. For example, I also have link tags on www.windley.com, so if I want to use that as my OpenID, I can. This gives me the option of using different OpenIDs for different purposes. Note: These URLs are not independent identities; if you use two different URLs that both delegate to the same server/delegate pair, those identities can be linked by the relying party.
Delegation is a neat feature and one I'd recommend OpenID users take advantage of. Delegation gives you a certain amount of freedom in changing OpenID identity providers depending on feature set, price (all are free right now), and other considerations. So which OpenID provider should you use? Just pick one. The choice isn't critical--you can always switch later with almost no consequence.
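What a relying party does with those two tags, as an added example (not code from this post or from any OpenID library): it reads `openid.server` and `openid.delegate` from the page at the claimed URL, and it can tell when two claimed URLs share a server/delegate pair. The function names, the embedded pages (built from the tags shown above) and the policy of rejecting duplicate tags or tags outside `<head>` are assumptions of the example.

```python
from html.parser import HTMLParser

RELS = ("openid.server", "openid.delegate")


class HeadLinkParser(HTMLParser):
    """Collect openid.* <link> hrefs, but only from inside <head>."""

    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = {rel: [] for rel in RELS}

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False  # tolerate a missing </head>
        elif tag == "link" and self.in_head:
            attr = {k: (v or "").strip() for k, v in attrs}
            # rel is a space-separated token list; compare case-insensitively
            for token in attr.get("rel", "").lower().split():
                if token in self.found and attr.get("href"):
                    self.found[token].append(attr["href"])

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False


def discover(claimed_id, html):
    """Return the delegation settings a relying party would act on."""
    parser = HeadLinkParser()
    parser.feed(html)
    servers = parser.found["openid.server"]
    delegates = parser.found["openid.delegate"]
    # Example policy: ambiguous or missing tags are an error, never a guess.
    if len(servers) != 1 or len(delegates) > 1:
        raise ValueError("need one openid.server and at most one openid.delegate in <head>")
    return {
        "claimed_id": claimed_id,  # the URL the user typed and keeps
        "server": servers[0],      # where the authentication request goes
        "delegate": delegates[0] if delegates else claimed_id,
        "server_uses_tls": servers[0].lower().startswith("https://"),
    }


def linkable(a, b):
    """Two claimed URLs with the same server/delegate pair are one account."""
    return (a["server"], a["delegate"]) == (b["server"], b["delegate"])


# Constructed pages using the tags from the post.
PAGE_MYOPENID = """<html><head><title>home</title>
<link rel="openid.server"
      href="https://www.myopenid.com/server">
<link rel="openid.delegate"
      href="http://windley.myopenid.com">
</head><body><p>hello</p></body></html>"""

# Same delegation on a second URL, different attribute order and case.
PAGE_OTHER_URL = """<html><head>
<link href="https://www.myopenid.com/server" rel="OpenID.Server" />
<link href="http://windley.myopenid.com" rel="openid.delegate" />
</head><body></body></html>"""

PAGE_AOL = """<html><head>
<link rel="openid.server"
      href="https://api.screenname.aol.com/auth/openidServer" >
<link rel="openid.delegate"
      href="http://openid.aol.com/pjwindley" >
</head><body></body></html>"""

# Tags that appear only in page content are ignored, so discovery fails.
PAGE_BODY_ONLY = """<html><head><title>t</title></head><body>
<link rel="openid.server" href="https://idp.example/server">
</body></html>"""

if __name__ == "__main__":
    before = discover("http://phil.windley.org", PAGE_MYOPENID)
    after = discover("http://phil.windley.org", PAGE_AOL)
    other = discover("http://www.windley.com", PAGE_OTHER_URL)
    print("claimed ID unchanged:", before["claimed_id"] == after["claimed_id"])
    print("provider changed:", before["server"], "->", after["server"])
    print("two URLs linkable:", linkable(before, other))
```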
OpenID Bonus Links:
- OpenID and the Value of Connected Identity from Fred Stutzman
- Digg Will Support OpenID
8:41 PM
February 23, 2007
Leaving Arkansas
I'm about to board my flight to Salt Lake City, leaving Arkansas after my first visit ever. Besides being able to put another notch in my belt, the trip was a good one for other reasons as well. I enjoyed the small town feel of Jonesboro, the drive from Little Rock, and, especially, the BBQ. The Identity Solutions Symposium was good, providing me with some new things to think about and many new contacts in the world of identity. All in all, a worthwhile trip.
12:34 PM
OpenID is a Lifehack
Lifehacked reposted a screencast (original from Simon Willison) today showing how to sign up for and use an OpenID. OpenID is now, officially, a way to make you live better, more efficient, and happier. Really.
12:13 PM
February 22, 2007
The Economics of OpenID
I spoke at the Identity Solutions Symposium on the topic of Social and Economic Aspects of Identity (PDF of slides). This is a difficult topic because there is so much to say and so many issues that you could cover.
One of the things I didn't talk about that I wish I'd had time to cover was the developing economics around user-centric identity. With announcements like OpenID and CardSpace interoperability and AOL's support for OpenID only a few weeks old, I think that we're getting very close to the identity "big bang" that Kim Cameron talks about.
If you're building a Web-based app today, you could choose to not have an authentication system and instead just use OpenID. Anyone who doesn't have an AOL account could easily sign up at AOL or one of the other providers. You'd still have to associate the identifier with the properties you care about, but you wouldn't have to handle authentication at all. Big win--the authentication stuff is a necessary evil--something you'd just as soon not do if you could.
What's missing at this point is user experience. Most people building a Web site for business purposes wouldn't want the cognitive disconnect that happens when a user is redirected to login. Anyone who's studied Web site usability would tell you you're going to lose people with that step. Even more so if they have to sign up for an account somewhere else.
There's no reason that the OpenID user experience couldn't be improved to solve this problem, or at least mitigate it. You have to balance usability with concerns for security, but I think that even within those bounds, we could make real progress.
1:06 PM
February 21, 2007
Man In the Browser Attack
Russ Jones, a professor at Arkansas State University, gave a presentation on phishing and mentioned a term I'd not heard before: the "man-in-the-browser attack." The idea is to install a trojan on the browser that presents a small, borderless window in the browser that overlays the login fields of the target site in a way that can't be detected by the user. The user is at the real site (so the cert will check out), but the credentials are stolen when the user tries to log in.
Here's a paper that describes the attack and some potential countermeasures.
3:08 PM
Are You a Product or a Brand?
There's been a lot written over the years on the ideas of the personal brand. I'm always surprised how many otherwise bright people will go get a Hotmail account when what they need is a professional, personal email address. Part of blogging's appeal to many is the chance to build personal brand. Tom Peters says "To be in business today, our most important job is to be head marketer for the brand called You."
I was just reading a post by Chris Brogan about making money from podcasts called Your Show Itself is NOT the Money Maker. He says:
The other value comes from the same reason radio stations exist for bands, and that's as promotion of your core product: YOU. If you have a specialized skill, like Heidi Miller as a corporate conversationalist for trade events, or Christopher S. Penn as a leader in financial aid advice, or Becky McCray as an expert on the rural small business, you've got a show that drives home the fact that you're an expert.
This brings people to your door for other opportunities, for consultation, for short term contracted help, and for other opportunities you never knew existed. And here, you're playing on your uniqueness.
From [chrisbrogan.com] » Your Show Itself is NOT the Money Maker
Referenced Wed Feb 21 2007 13:22:03 GMT-0600
This is a distinction that Doc Searls refers to as "making money because of your blog, rather than making money from your blog." I've espoused that idea before as well, but I've been rethinking that lately.
Notice that Peters uses the word "brand" and Brogan uses the word "product." That's a critical distinction in my eyes. The problem with you as a product is that there's only so much of you. Let's say you work 2000 hours a year. You want to make more money. There are just two choices: make more per hour or work more hours. The first is hard and the second is harder.
A better strategy is to use your time to create products besides you that can be sold or otherwise monetized. This leverages your time and your brand. What kind of products? Software, paintings, podcasts, whatever your skill set leads you to.
Obviously, this is harder to do than it is to say. Maybe monetizing your blog or podcast is hard for whatever reason. Maybe you don't want to for other reasons. No matter, you're still building brand. But to make money off that brand, you've got to have a product. If that product is you, then your upside is limited. Find something else if you can.
12:53 PM
Cancelable Biometrics
One of the problems with biometrics is that they're difficult to reset. Lose your password, you get a new one. If someone compromises your biometric data, how do you get new fingerprints? The invariance over time of biometric data is one of its greatest strengths as well as one of its greatest weaknesses.
The biggest threat isn't that someone will steal your fingerprints, retinas, or other body parts from you (action movies being the obvious exception). Rather, it's that once the biometric data (features) about the artifact have been stored in the computer, they can be stolen and replayed.
Turns out that there are ways. This article, Enhancing security and privacy in biometrics-based authentication systems by N. K. Ratha, J. H. Connell, and R. M. Bolle, describes a method (see the section on Cancelable Biometrics toward the end). The article also contains recommendations on creating biometric systems that better withstand attack. Here are some images showing the technique at work.
In essence you're hashing the biometric data with some other key and changing the key where you can't change the biometric. This approach offers several advantages:
- Because the transforms are non-invertible, the original biometric data cannot be recovered from the transformed data and thus is safe.
- Different applications could use different transforms, preventing stored biometric data from one place being used somewhere else.
- Privacy can be better protected because the actual features of a person aren't stored, but transformed data instead.
So, what about the Gummi Bear attack? Well, the system posits that the transform could be stored on a smart card, so that the Gummi Bear attacker would have to also get the card or at least what's on it. If the card gets lost, issue a new card and you're back in business.
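The key-plus-biometric idea above, sketched as an added example (not code from this post or from the Ratha, Connell and Bolle article). It swaps in a keyed random projection with sign binarization in place of the article's transforms; the feature vectors, keys, application names, template length and match threshold are all constructed assumptions.

```python
import hashlib
import hmac
import random

N_BITS = 256      # template length in bits (assumption)
THRESHOLD = 0.2   # max fraction of differing bits accepted as a match (assumption)


def _projection(key, app, dim, n_bits):
    """Derive a random projection matrix from the card key and application name."""
    seed = hmac.new(key, app.encode(), hashlib.sha256).digest()
    rng = random.Random(seed)
    return [[rng.gauss(0.0, 1.0) for _ in range(dim)] for _ in range(n_bits)]


def transform(features, key, app, n_bits=N_BITS):
    """Keyed transform: project the features, keep only the sign of each result.

    Dropping the magnitudes makes the map many-to-one; this sketch shows
    revocability and per-application separation, and makes no claim about how
    hard the transform is to invert.
    """
    rows = _projection(key, app, len(features), n_bits)
    return [1 if sum(r * f for r, f in zip(row, features)) >= 0 else 0
            for row in rows]


def distance(t1, t2):
    """Fraction of bit positions where two templates differ."""
    return sum(x != y for x, y in zip(t1, t2)) / len(t1)


def verify(stored, features, key, app):
    """Transform a fresh scan with the presented key and compare templates."""
    probe = transform(features, key, app, len(stored))
    return distance(stored, probe) <= THRESHOLD


def _sample_features(seed, dim=64):
    """Constructed stand-in for an extracted, zero-centred feature vector."""
    rng = random.Random(seed)
    return [rng.gauss(0.0, 1.0) for _ in range(dim)]


def _rescan(features, seed, sigma=0.05):
    """Constructed second scan of the same finger: same features plus sensor noise."""
    rng = random.Random(seed)
    return [f + rng.gauss(0.0, sigma) for f in features]


# Constructed sample data.
FINGER = _sample_features(1)
FINGER_RESCAN = _rescan(FINGER, 11)
OTHER_PERSON = _sample_features(2)
KEY_V1 = b"constructed-card-key-1"   # key on the original smart card
KEY_V2 = b"constructed-card-key-2"   # key on the replacement card


def demo():
    stored = transform(FINGER, KEY_V1, "door")
    reissued = transform(FINGER, KEY_V2, "door")
    return {
        "same finger, same card": verify(stored, FINGER_RESCAN, KEY_V1, "door"),
        "other person, same card": verify(stored, OTHER_PERSON, KEY_V1, "door"),
        "old template vs reissued card": verify(stored, FINGER_RESCAN, KEY_V2, "door"),
        "template reused in other app": verify(stored, FINGER_RESCAN, KEY_V1, "payroll"),
        "old vs new template distance": distance(stored, reissued),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the first check succeeds: the same finger still verifies after sensor noise, while a template stored under the old key or for another application does not match anything produced with the new key, which is what makes the stored data revocable.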
11:02 AM
Cloning a Verichip and Other RFID Fun
Dale Thompson from the University of Arkansas spoke about RFIDs (surprisingly, many of the talks are tutorial in nature, which I hadn't suspected would be the case). He mentioned Verichip, which is an RFID device the size of a grain of rice that is certified for implanting in humans.
I had heard of Verichip, but was curious. Of course, the obvious question is how secure is such a device. The answer appears to be "not very." Jonathan Westhues has a detailed Web site describing how to clone the data on the chip. He also has an easy do-it-yourself version for the curious.
Annalee Newitz wrote an article last May in Wired Magazine about RFID hacking. The article starts with a story about someone who steals RFID data for real:
James Van Bokkelen is about to be robbed. A wealthy software entrepreneur, Van Bokkelen will be the latest victim of some punk with a laptop. But this won't be an email scam or bank account hack. A skinny 23-year-old named Jonathan Westhues plans to use a cheap, homemade USB device to swipe the office key out of Van Bokkelen's back pocket.
"I just need to bump into James and get my hand within a few inches of him," Westhues says. We're shivering in the early spring air outside the offices of Sandstorm, the Internet security company Van Bokkelen runs north of Boston. As Van Bokkelen approaches from the parking lot, Westhues brushes past him. A coil of copper wire flashes briefly in Westhues' palm, then disappears.
Van Bokkelen enters the building, and Westhues returns to me. "Let's see if I've got his keys," he says, meaning the signal from Van Bokkelen's smartcard badge. The card contains an RFID sensor chip, which emits a short burst of radio waves when activated by the reader next to Sandstorm's door. If the signal translates into an authorized ID number, the door unlocks.
The coil in Westhues' hand is the antenna for the wallet-sized device he calls a cloner, which is currently shoved up his sleeve. The cloner can elicit, record, and mimic signals from smartcard RFID chips. Westhues takes out the device and, using a USB cable, connects it to his laptop and downloads the data from Van Bokkelen's card for processing. Then, satisfied that he has retrieved the code, Westhues switches the cloner from Record mode to Emit. We head to the locked door.
"Want me to let you in?" Westhues asks. I nod.
He waves the cloner's antenna in front of a black box attached to the wall. The single red LED blinks green. The lock clicks. We walk in and find Van Bokkelen waiting.
"See? I just broke into your office!" Westhues says gleefully. "It's so simple." Van Bokkelen, who arranged the robbery "just to see how it works," stares at the antenna in Westhues' hand. He knows that Westhues could have performed his wireless pickpocket maneuver and then returned with the cloner after hours. Westhues could have walked off with tens of thousands of dollars' worth of computer equipment - and possibly source code worth even more. Van Bokkelen mutters, "I always thought this might be a lousy security system."
From Wired 14.05: The RFID Hacking Underground
Referenced Wed Feb 21 2007 10:35:56 GMT-0600
Dale mentioned RFDUMP, a tool for detecting RFID-Tags and showing their meta information. Lukas Grunwald, RFDUMP's creator, says it's not hacking. Bruce Schneier, quoted in a ComputerWorld article, agrees:
"[Grunwald] is doing what RFID is supposed to do," said security author and Counterpane Internet Security Inc. Chief Technology Officer Bruce Schneier. "This is serious. He didn't hack anything. RFID technology originally was designed to be completely open; that's its problem. He went to the spec, read it and followed it. If you query the chip, you will get this info. If there were security countermeasures on the chip that were thwarted, then we could talk about hacking."
From Securing RFID information
Referenced Wed Feb 21 2007 10:41:15 GMT-0600
Tracking packages, no problem. BYU has used RFID devices for access to the parking lots for several years now. Not too many security issues there. Repurposing the technology for access control doesn't seem like too smart an idea at this point. Let's not even get started on passports...
9:44 AM
Would You Like to Update Now?
This morning Michael Sullivan of Booz Allen Hamilton was speaking about bar codes and his computer flashed a "Would you like to update..." message. I had to laugh at the inappropriateness of the message in the context. Vista is supposed to be smarter about knowing that you're giving a presentation and not interrupting, but in truth there's almost no context where I want to be interrupted to answer that question.
Of course, systems need to be updated and without reminders, we're unlikely to remember. What I really want is an interface to my todo system so that such tasks show up on my todo list and I can deal with them in the appropriate context.
9:03 AM
Digital Identity for Cattle
Marion Berry is the representative for the Arkansas First District in Congress, and the opening keynote at today's meeting. He seemed passably informed on identity issues, noting how important identity is in modern society. He's a supporter of the Real ID act, which makes me wonder whether he understands the implications of identity policy.
He took questions at the end of his talk. One questioner asked him to respond to Arkansas farmers' opposition to cattle tagging. I wasn't aware of the issue before. The program is part of some federal effort to track food supplies.
I've written about this program before, nicknaming it "cowster" at the time. The issue may seem silly at first--who cares about the privacy of cattle--but it's actually an issue of commercial information and trade secrets:
Critics of premises ID include Jane Williams of Dardanelle, a founding officer of the Arkansas Animal Producers Association, who opposes premises ID because she said those who control the information will control the market.
Apple said such mistrust of the system and federal intentions is common and not without cause.
"Producers don't trust each other, the state or the federal government. They have been burned before and when they hear stories reported in the media of lost or compromised data, what are they supposed to think?" Apple said.
Arkansas Agriculture Secretary Dick Bell has said that he thinks information confidentiality is the biggest concern surrounding premises ID.
From The Morning News: Business : Cattle ID Technology Meets Opposition
Referenced Wed Feb 21 2007 08:42:30 GMT-0600
As I said back in 2003, I think you could come up with a distributed system that allowed tracking and preserved the privacy of the data.
7:45 AM
February 20, 2007
Viacom, Joost, and YouTube
Today, Viacom stuck it to YouTube and Google by cutting a deal with Joost to host Viacom videos. So far no Comedy Central. Here's the question that this raises: what happens to cable companies when content owners like Viacom are making deals with Internet companies for distribution? Now would be a great time to short cable stocks.
10:04 PM
Arkansas and Identity
I'm in Arkansas at the Identity Solutions Symposium and Workshop in Jonesboro. I speak Thursday on the social and economic aspects of digital identity. I'm looking forward to it.
I've never been to Arkansas before. I flew into Little Rock and drove up to Jonesboro because the flights into Memphis didn't work out timewise. The drive is about 2.5 hours, so I had plenty of time to get acquainted with Northeast Arkansas. The rental car lottery gave me a PT Cruiser. I've never driven one before--I wouldn't say it's a particularly fun car to drive. Boring actually. But I enjoyed the countryside. Northeast Arkansas is pretty empty.
I'll be blogging the workshop, so watch for more news tomorrow.
9:59 PM
February 17, 2007
Rentals on Rails
Cid Dennis, an old friend from the iMall days--and one of the best programmers I know--has built his first Rails application: RentSpider, a rental property listing service. Go Cid!
1:52 PM
Two Factor Authentication with a Bookmarklet
I've been meaning to write about this all week, but kept forgetting. Ben Adida has proposed a two-factor authentication scheme using a bookmarklet which looks pretty cool. Ben calls this a "bookmark," but I prefer "bookmarklet" since it's a bookmark that contains a runnable Javascript.
The solution seems pretty cool. My biggest question centers on usability. When you imagine this scenario with one site, it seems simple enough, but if every place you wanted to log into on the 'Net needed a bookmarklet, you'd have a bookmarks file full of entries to allow you to log in. What a management headache.
Of course, if you're using OpenID and the only bookmarklet you need is one for your OpenID site, then that's not such a big deal. So, scaling Ben's idea presupposes the existence and broad acceptance of a wide-area identity system like OpenID.
Update: I misunderstood. It's not a bookmarklet. The bookmark doesn't contain any Javascript--rather the page you go to contains the Javascript and recognizes a shared secret that is in the bookmark and gets put in the URL as a fragment identifier (which is never sent across the wire). Neat.
1:45 PM
February 16, 2007
Speaking of Blogging...
I spoke about blogging today to the Utah Valley Chapter of the PRSA. I enjoyed it a lot. Lots of good discussion and interest. Kip Meacham also spoke. In a reversal of roles, the techie (me) spoke about why blog and the marketer (Kip) spoke to the mechanics of blogging. Noelle Bates of Logoworks set it all up. Here's a copy of my slides.
The only problem with an event like this is that one hour (Kip and I each had an hour) is hardly enough to get started. For example, I didn't get into much on the "corporate blogging" side or how to follow the conversation about your company and product. Another time, perhaps.
8:39 PM
Designating Blog Collections by Photograph
I'm taken with the design of the mezzoblue blog. The archiving is done by "collection" where each collection is identified by a photograph and the color palette for that collection is based on the photo. Very nice. The blog is the work of Dave Shea, one of the authors of The Zen of CSS Design: Visual Enlightenment for the Web, one of my favorite CSS books.
4:50 PM
Controlling Amazon's EC2 with Capistrano and Rake
Steve Spigarelli sent me a link to this description of how to control EC2 from rake, the Ruby build manager. The implementation uses Capistrano, a Ruby utility for executing multiple commands on remote servers in parallel.
This is very timely since I just posted the Technometria podcast with Doug Kaye and Jeff Barr on using Amazon's Web services (AWS) for large, sophisticated applications. This has been on my mind of late and it's nice to see some specifics about doing it. The Niblets post gives some great detail on how to manage the instances.
I just relistened to the conversation with Jeff and Doug again yesterday afternoon and was struck by some of the details about building applications on AWS.
- You'll probably need an external controller that runs the database and manages instances. You can't put the whole application on AWS.
- Applications that have a component of batch processing work well.
- Management by SLA is a key topic that hasn't been discussed enough. Automatically firing up new instances to meet SLA guidelines is a natural thing to do in this platform.
- Building user interfaces to asynchronous applications is difficult and not well understood.
- Queues provide a universal message bus for connecting and controlling instances.
I'm sure there's more in there, but that's what impressed me at the moment.
3:56 PM
Power Line Innovations
I have an undergraduate degree in Metallurgical Engineering. That's probably why I enjoyed the first segment of this IEEE Spectrum Radio program on composite power lines so much. No accounting for taste, I suppose. The other segments on home-scale windmills and paying for non-consumption were interesting as well. I added it on my personal queue at IT Conversations.
3:26 PM
Eclipse Haiku
As part of a longer post Steve Yegge offers up this Eclipse haiku:
startApplication()
thenWaitFriggingForever()
thenItGoesRealSlow()
Funny.
1:49 PM
Karen Stephenson on Social Network Analysis
If you miss PopTech! on IT Conversations (and I do) then listen to this talk by Karen Stephenson on Social Network Analysis from MeshForum. It's every bit as good as anything from PopTech!
Whether you're interested in social networking, organizational issues, management, or group interaction, there's something here for you. Fascinating stuff.
1:41 PM
eVoting Machine Secrets for $82
Princeton computer science professor Andrew Appel paid $82 to acquire five Sequoia electronic voting machines from a government auction site. This is the first time anyone's examined a Sequoia machine without signing an NDA. Here's his story.
1:20 PM
Broken Scroll Ball on Mighty Mouse
I know a lot of people don't like Apple's Mighty Mouse, but I actually like the thing--at least the bluetooth version. It's small, fits in my backpack and pairs with my MacBook Pro consistently (which can't be said of all the Bluetooth mice I've owned).
The one I keep in my office, however, had a problem: the scroll ball stopped scrolling up. Down, right and left all worked. It was annoying. I was wondering if I needed to send it in to be fixed (or simply buy a new one).
I fixed it. Turns out the sensor for scrolling up is particularly susceptible to dirt and dust. I took a wipe for cleaning screens and rolled it on the scroll ball vigorously for a minute or so and the problem went away.
8:19 AM
AOL Deploys OpenID
On Wednesday, John Panzer of AOL announced that AOL has deployed OpenID on top of their identity system. What this means is that if you have an AOL identifier (including AIM), you've got an OpenID and can use your AOL identifier to login to OpenID enabled Web sites. Here's what John says:
Here's where we are today:
- Every AOL/AIM user now has at least one OpenID URI, http://openid.aol.com/ .
- This experimental OpenID 1.1 Provider service is available now and we are conducting compatibility tests.
- We're working with OpenID relying parties to resolve compatibility issues.
- Our blogging platform has enabled basic OpenID 1.1 in beta, so every beta blog URI is also a basic OpenID identifier. (No Yadis yet.)
- We don't yet accept OpenID identities within our products as a relying party, but we're actively working on it. That roll-out is likely to be gradual.
- We are tracking the OpenID 2.0 standardization effort and plan to support it after it becomes final.
From AOL and OpenID: Where we are
Referenced Fri Feb 16 2007 07:19:01 GMT-0700 (MST)
Very good.
7:21 AM
February 15, 2007
Building Newsletters for IT Conversations
I was a little late getting this week's IT Conversations newsletter out because I was trying to finish my tool for building the newsletter. I like building tools because they help me leverage my time.
The newsletter tool is written in Perl. It downloads and parses two different RSS feeds and a zipped CSV file with ratings data. I only want items in the two RSS feeds that haven't been seen before so I have to have a persistent hash to remember the GUIDs of previously seen items. The tool also sorts the shows using the ratings data (which I index by GUID). A template contains the boilerplate. It was a fun little project.
Before this, I've been using a Movabletype template to construct most of the newsletter and then sorting and editing by hand to get the final product. That took about 30 minutes. I just finished using the newsletter tool and the total time was less than 5 minutes (I still do some hand editing after the tool does its work). Not bad.
10:17 PM | Comments (1) | Recommend This | Print This
Harvesting Underwater Logs
I was fascinated by the Wired article on using submersible robots to harvest underwater forests (and there's a lot of wood underwater, as it turns out).
3:42 PM | Comments (1) | Recommend This | Print This
CTO Breakfast Report: The No-Employee Business
At this month's CTO Breakfast this morning, we had a long discussion about preparing students for careers in software. We debated how much students need to know real tools like Subversion, Eclipse, Ant, and so on versus knowing how to design. I'm not convinced that the two are separable, which was another thread in the discussion. No decisions, naturally, but informative to me and I hope others.
This led to a discussion of offshoring which then led to a longer discussion on switching from a reliance on paychecks to living from multiple revenue streams. Of course, this is nothing new--I remember my grandfather had a book from the 50's about this idea and real estate. What's changed is that there really are places to generate revenue these days without much investment--at least for geeks.
This is a topic I've been thinking about for a while. If you consult, for example, you trade your time for money and the only way to make more money is to make more per hour. That's hard and ultimately limited. If you use your time to generate a revenue stream, the recurring revenue is much more valuable.
There's now a tremendous support structure that you can use with little upfront investment to build online services: Paypal, Web hosting, and domain names all cost little or nothing these days. Google Ad Sense and similar services are another example.
The Technometria podcast I just published on IT Conversations with Doug Kaye and Jeff Barr (listen) discusses how Doug built a sophisticated Web application for transcoding audio for tens of thousands of potential customers with less than $1000 in upfront hardware costs. The power of this is that you essentially do away with the fixed costs and consequently, your expenses scale with your revenue. Not bad.
One of the problems with this is getting started. A few ideas came out of the discussion. Scott Lemon started a Wi-Fi business in between jobs that is self-sustaining, needs little maintenance, and generates income for him every month, even now that he's back working as the CTO at MediaForge. When you get to a lull in your life--whether between jobs or projects at work--build something that will generate revenue rather than catching up on Lost.
Of course, another time-tested method is to leverage the efforts of others. Find a partner or outsource some of the work. Often a partner with more time than you have can help get the job done for a cut of future earnings, which is especially nice. I recommend being generous with the cut.
The important thing is to get started, even if it's just something that generates a few hundred dollars a month. Getting something going will get you off the couch and thinking.
One example: if you've got some expertise and a blog, writing an eBook and marketing it on your blog could generate some revenue--especially if you spend some time marketing it. Attention is the chief problem. The distribution may be virtually free, but you've still got to market.
Compare this to writing a book. If you write a book, 10/10 ($10,000 retainer and 10% royalty) is a pretty standard deal. With a $10,000 retainer on a $40 technical book and 10% royalty, you'll probably never see any money past the retainer. But you've only got to sell 250 eBooks at $40 a pop to make $10,000.
That's not to ignore the value that publishers bring--including editing, but the reality is that the publisher and distribution eat up almost all the money. Your book has to support all of that and you get the leftovers.
Here are a few books that came up in discussion related to this idea of no-employee businesses:
- Rebel without a Crew by Robert Rodriguez
- The Future of Work by Thomas Malone (listen on IT Conversations)
- Rise of the Creative Class by Richard Florida (listen on IT Conversations)
At the end, the conversation almost always devolves into rapid fire topics quickly giving way to something else. Today was no different. We ended up talking about electric power generation for some reason. Actually, I remember it was sparked by a discussion of Intel's 80-core prototype chip and a report that data centers use more power than Mississippi and that led to power.
11:44 AM | Comments () | Recommend This | Print This
February 14, 2007
Behind the Scenes: Producing the Technometria Podcast
Paul Figgiani, the Executive Producer of the Podcast Academy Channel and the Senior Audio Engineer for IT Conversations, wrote up a behind-the-scenes description of what we did to make this week's Technometria podcast with Doug Kaye and Jeff Barr.
As Paul points out, there are seven people directly involved: the five people on the call and Paul and Joel Tscherne, the Series Producer for Technometria working behind the scenes. This is a good description of what it takes to make a show. I'm lucky to have good support--Paul and Joel do their jobs well and it makes the rest of us look good.
3:23 PM | Comments (2) | Recommend This | Print This
Reciprocity, Trust, and Reputation
Chris Slater presented A Computational Model of Trust and Reputation today in class. The paper introduces three concepts--reputation, reciprocity, and trust--and how they relate to each other. We talk a lot about reputation and trust, but don't often consider reciprocity. They define reciprocity as a "mutual exchange of deeds (such as favor or revenge)."
In a reputation system focused on stopping blog comment spam, for example, the engine that calculates the score is calculating reputation, the threshold that you set in your software (e.g. moderate commenters with scores below 20) is the trust metric. Reciprocity is the probability that ham will be accepted and spam rejected.
An expectation of reciprocity and consistency in action is important if there's to be any social benefit. Without it, the system doesn't reliably affect behavior.
Transparency supports reciprocity. When my past actions in response to someone else's behavior are unclear, people who interact with me in the future will not be reliably affected by those actions.
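The comment-spam illustration above can be made concrete. The following is an added example, not code from this post or from the paper: the scoring formula (a Laplace-smoothed share of past ham) and the comment stream are assumptions constructed for illustration, while the threshold of 20 and the definition of reciprocity follow the text.

```python
from collections import defaultdict

TRUST_THRESHOLD = 20  # the post's example: moderate commenters scoring below 20

# Constructed sample stream: (commenter, is_spam) in arrival order.
STREAM = [
    ("alice", False), ("spambot", True), ("bob", False), ("spambot", True),
    ("alice", False), ("spambot", True), ("bob", True), ("spambot", True),
    ("alice", False), ("spambot", True), ("bob", False), ("spambot", True),
]


def reputation(ham, spam):
    """Reputation engine (assumed formula): smoothed share of past ham, 0-100.

    A newcomer with no history scores 50.
    """
    return 100.0 * (ham + 1) / (ham + spam + 2)


def moderate(stream, threshold=TRUST_THRESHOLD):
    """Apply the trust threshold to each comment using only prior history.

    Returns (reciprocity, decisions). Reciprocity is measured as the post
    defines it: the fraction of comments where ham was accepted or spam
    was rejected. Each decision is (who, score, accepted, is_spam).
    """
    history = defaultdict(lambda: [0, 0])  # who -> [ham count, spam count]
    decisions = []
    correct = 0
    for who, is_spam in stream:
        ham, spam = history[who]
        score = reputation(ham, spam)
        accepted = score >= threshold      # below the threshold -> held for moderation
        if accepted != is_spam:            # ham accepted, or spam rejected
            correct += 1
        decisions.append((who, score, accepted, is_spam))
        # Assumption: the true label becomes known afterwards and feeds reputation.
        history[who][1 if is_spam else 0] += 1
    reciprocity = correct / len(stream) if stream else 0.0
    return reciprocity, decisions


def spam_accepted(decisions):
    """Count spam comments that were published without moderation."""
    return sum(1 for _, _, accepted, is_spam in decisions if accepted and is_spam)


def sweep(stream, thresholds):
    """Reciprocity for each candidate trust threshold."""
    return {t: moderate(stream, t)[0] for t in thresholds}


if __name__ == "__main__":
    for t, r in sweep(STREAM, [20, 40, 60]).items():
        print(f"threshold {t}: reciprocity {r:.2f}, "
              f"spam accepted {spam_accepted(moderate(STREAM, t)[1])}")
```

On this stream a threshold of 20 lets a new spammer post several times before being held, while a threshold of 60 holds honest newcomers; the reputation engine is identical in each run, and only the trust threshold changes the reciprocity.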
10:43 AM | Comments (2) | Recommend This | Print This
February 13, 2007
How Many of Me?
We all know that names aren't unique identifiers, but just how many people share your name? HowManyOfMe.com gives you an answer. I benefit from having an unusual last name and a fairly uncommon first name as well. There are three of me:
The numbers are estimated from statistical and demographic US Census Bureau data.
6:21 PM | Comments (6) | Recommend This | Print This
Using Amazon Web Services
I just posted a piece at Between the Lines about our latest Technometria podcast with Jeff Barr and Doug Kaye. We discussed using Amazon Web Services to build sophisticated Web applications. Lots of good things in the podcast about business models, asynchronous programming, and so on.
This was a fun podcast to do. Not only was the content exciting, but it was also a bit of a challenge from the recording angle as well. Jeff was in my office with me and Doug, Scott, and Matt were on the phone. I recorded the whole conversation using AudioDesk and a MOTU firewire mixer on three tracks: one for me, one for Jeff, and one for the phone (using a Telos One digital hybrid).
4:00 PM | Comments () | Recommend This | Print This
Blu-ray and HD DVD Processing Key Exposed
According to Engadget, a DRM hacker named "arnezami" has found the "processing key" that can decrypt all HD DVD and Blu-ray Disc films. This is huge. Previously, there were ways of recovering the keys that controlled the individual disc, but you had to have a different key for each title. Now, one tool, with this key embedded in it, will be able to decrypt every disc that's been produced to date.
This kind of thing just shows the futility of DRM as a solution for protecting copyrighted works. At 20Gb per movie and $25 for a blank disc, there's no imminent threat, but it's a portent of things to come.
The technology is designed so that processing keys can be revoked, so this will only work for movies out now, that is, discs made with that key. Discs going forward will undoubtedly have a new processing key. They'll also make it harder to find the key, but it's only a matter of time until the next exploit becomes available. The individual title keys can't be revoked, so even though they're more trouble, they work forever.
2:34 PM | Comments (2) | Recommend This | Print This
February 12, 2007
Jim Harper Testifying Tomorrow
Jim Harper, who spoke in Utah last November, will be testifying before the Utah Government Operations Committee at 8:15 in Room W010 of the Capitol. I'm sure his testimony will be in regard to this resolution against the RealID Act.
Jim's an advocate of states taking a firm stance in opposition to the Federal government on the RealID act. He makes very good points about why the RealID act is ill-conceived and will be as ineffective at stopping terrorism as it is effective at invading the privacy of everyone else.
3:01 PM | Comments () | Recommend This | Print This
CTO Breakfast Thursday
We'll hold the CTO breakfast this Thursday at 8am. Last time we met in the Novell Cafeteria and that worked really well. Folks coming from Salt Lake reported that it was perhaps even shorter than driving over to Canyon Park.
As usual, the conversation will be informal and free-form. Anyone interested in how information technology is used to build products or run companies is welcome.
Here are the scheduled dates so far:
- March 22 (Thursday)
- April 20 (Friday) (changed!)
- May 24 (Thursday)
- Jun 28 (Friday)
Here are directions: Take the University Ave exit off I-15, cross University Ave, and turn left (north) onto Novell Place and enter the Novell campus. When you drive up to bldg H (the 8-story bldg), turn left and park in the SW parking lot. The sidewalk on the west side of bldg H will take you to the cafe (bldg G). We'll be in the conference room at the far end (past the food court).
11:16 AM | Comments () | Recommend This | Print This
On the Importance of Names
Phil Hagelberg of Technomancy references the essay on Confucianism and Technical standards with this quote:
In a famous passage, Analects 13.3, Confucius was asked by a disciple what his first order of business would be if he were to govern a state. He replied, 正名, meaning roughly "make right the names," "insure that names are used properly," or "rectify the names." His disciple was somewhat incredulous and asked, "Would you be as impractical as that?" Confucius strongly rebuked his disciple and explained that proper nomenclature is the basis of language and that language is central to taking care of things.
From Confucianism and Technical Standards @ DHS.com
Referenced Mon Feb 12 2007 08:37:56 GMT-0700 (MST)
Phil's using the quote in connection with behavior driven design (this is cool stuff, go read Phil's post) to make the point that nomenclature makes a difference. I made a similar point about nomenclature in an essay about retaining corporate knowledge.
What struck me about the passage, however, was how true it is in the context of plain old identity. Until the identity system is working--in your organization, on your Web site, or on the Web as a whole--everything else is hard.
8:44 AM | Comments () | Recommend This | Print This
February 10, 2007
Expose, Dock, USB, and EyeTV Weirdness
Today Expose stopped working. I also noticed that the Dock magnification didn't work (I normally hide the Dock) and the submenus under the Apple in the top-left corner wouldn't open.
First I restarted the Dock. No joy, so I restarted Finder. No joy, so I escalated to logging out. Still no joy, so I rebooted the computer. The problem is still there. My exocortex (Google) doesn't seem to know anything.
Then, while doing something else, I unplugged the USB hub and voilà, the problem is solved. A little investigation shows that it's my EyeTV Hybrid that's causing the grief. When I unplug it, Expose works fine. When it's plugged in, Expose will work once, then quit. I reinstalled the EyeTV software and the problem seems to have gone away.
What a weird interaction.
11:19 PM | Comments (2) | Recommend This | Print This
Conflicting Roles and the Use of Tor
This story from the Chronicle for Higher Education does a good job of illustrating the conflict that often exists between academic Computer Science departments who want to teach computer science and the campus information technology organization who is responsible for keeping the network running and legal.
In this report, Paul Cesarini, an assistant professor of visual communication and technology education at Bowling Green State University, receives a visit from the campus police because he's teaching students about Tor, a tool for anonymizing Web browsing.
The detectives and network-security technician listened patiently to me, wearing their best poker faces. They then gave me a copy of the university's responsible-use policy, which employees must agree to abide by when we first sign up for our e-mail accounts. They pointed out that my actions violated at least three provisions of that policy.
I wasn't particularly impressed. I had helped edit and revise that policy when I worked for the information-technology office before I earned my Ph.D., and I knew that neither Tor nor any similar program had existed when the policy was first written. I also knew that the provisions in question were vague.
My visitors next produced page after page of logs detailing my apparent use of Tor. While I couldn't dispute most of the details in the logs, they seemed inaccurate. For example, the technician said I had been using Tor earlier that morning. In fact, I had been at Wal-Mart that morning looking for a good deal on an HDTV; I had reached my office only about five minutes earlier.
More important, the logs did not prove any wrongdoing on my part. All they demonstrated was that I, like thousands of others around the world, had installed and infrequently used Tor. In my case, of course, there was no wrongdoing.
Nonetheless, my visitors made two requests: that I stop using Tor, and that I avoid covering it in class.
From The Chronicle: 2/9/2007: Caught in the Network
Referenced Sat Feb 10 2007 19:32:28 GMT-0700 (MST)
In the end, Cesarini says:
So in the head-on collision between my appreciation of the role IT staff members play on my campus and my understanding of the role I have to play for my students, my need for academic freedom won. I found myself lecturing my three visitors into near catatonia about the uses of Tor.
Finally, they shook my hand, thanked me for talking with them, reminded me that I was probably violating the responsible-use policy, and left. They had bigger game to catch: the other Tor user on the campus.
From The Chronicle: 2/9/2007: Caught in the Network
Referenced Sat Feb 10 2007 19:34:36 GMT-0700 (MST)
And this, I think, nails the issue. There is a legitimate role for each group and they are sometimes at odds. University CIOs have a tough job because they can't lock down devices or even the network the way their corporate cousins do. That said, with changing business culture, corporate networks are probably going to become more like campus networks than the other way around.
7:38 PM | Comments (1) | Recommend This | Print This
February 9, 2007
Terrorist Math Teachers
I thought this was funny:
TEACHER ARRESTED.. - A public school teacher was arrested today at John F. Kennedy International Airport as he attempted to board a flight while in possession of a ruler, a protractor, a set square, a slide rule, and a calculator.
At a morning press conference, Attorney General Alberto Gonzalez said he believes the man is a member of the notorious Al-gebra movement. He did not identify the man, who has been charged by the FBI with carrying weapons of math instruction. "Al-gebra is a problem for us," Gonzalez said. "They desire solutions by means and extremes, and sometimes go off on tangents in a search of absolute value. They use secret code names like 'x' and 'y' and refer to themselves as 'unknowns,' but we have determined they belong to a common denominator of the axis of medieval with coordinates in every country. As the Greek philanderer Isosceles used to say, 'There are 3 sides to every triangle.'"
When asked to comment on the arrest, President Bush said, "If we were supposed to have better Weapons of Math Instruction, we would have been given more fingers and toes."
3:58 PM | Comments (1) | Recommend This | Print This
Top 150 Tech Heroes on IT Conversations
On Wednesday SYS-CON published their final list of 150 all time technology heroes. The list is a mix of people who might have made the list if it were published 10 or even 20 years ago (like Claude Shannon) and relatively new faces (like Dave Sifry).
As I looked at the list I realized there were quite a few people on the list who'd been on IT Conversations over the last few years. Niels Makel, one of the folks who works behind the scenes at IT Conversations as a series producer, took the time to create a list of all the people on the SYS-CON list who'd been on IT Conversations and link to the shows. There are 36 people on the list who have one or more shows on IT Conversations.
This is an awesome list since it's talks by some of the most important people in information technology. You could do a lot worse than listening to these talks.
1:54 PM | Comments () | Recommend This | Print This
The Role of Intellectual Property in Protecting Reputation
Today in class, we went over a paper called The Value of a Reputation System by John Kennes and Aaron Schiff (both of The University of Auckland). The paper presents a complicated mathematical model of markets that are similar to eBay and other auction sites, although the example in the paper is "pick-your-own" orchards.
I've also been reading Peter Navarro's book The Coming China Wars recently and the two ideas got me thinking about the value of intellectual property in properly functioning markets.
In Kennes and Schiff's paper, they model markets where there are products of high and low quality and vendors who are willing to lie via false advertising to attract buyers to their low quality products. They show how in markets with enough sellers, a reputation system (even a simple one) can add "social value" by protecting buyers from low quality products.
In Navarro's book, he has a chapter on the counterfeiting culture that is rampant in China. In the IT industry we tend to focus on software and music, but the problem extends to hard goods as well. For example, there are Chinese manufactured, counterfeit drugs that have no active ingredient and may even be toxic, yet the packaging is so good--right down to the holograms--that not even the legitimate manufacturers can tell them from their own product without lab tests.
This fits quite well in the model that Kennes and Schiff created: high and low quality products and a good number of buyers. Buyers would be protected from this fraud except for one thing: Kennes and Schiff assume that sellers can be identified. Counterfeiting is an identity problem. Brands are identifiers and trademarks are protections for those identities.
Counterfeiting is just identity theft at the corporate level and the consequences, in many cases, affect more than the victim because anyone who relies on that identity in making purchasing decisions is at risk.
So the conclusion isn't anything that should be shocking or surprising: good, secure, universal identity systems are a foundational element in creating social good--online and off.
10:37 AM | Comments () | Recommend This | Print This
February 8, 2007
1337 on Google
I just found Google's Leet search engine. H4x0r can now 534rc# in 1337.
Update: You can also get the Google Toolbar in 1337.
9:07 PM | Comments (3) | Recommend This | Print This
February 7, 2007
Cancel or Allow?
I have no idea what security feature in Vista this Apple ad is making fun of, but it's still hilarious. I also like seeing the IT guy tape the camera to PC's head in this one. I know IT guys who would really do it that way!
8:42 PM | Comments (4) | Recommend This | Print This
Top Ten IT Conversations Shows for January 2007
Here are the top ten most listened to shows on IT Conversations for January 2007:
- Who Owns "You"? - Supernova2006
- John Seely Brown - Supernova 2005
- Peter Navarro - Tech Nation
- Curt Carlson - Tech Nation
- David Platt - Why Software Sucks
- Chip Heath - Tech Nation
- Gary Lang - Opening the Possibilities: APIs and Open Source Code
- Sudoku, Biorobotics & Aeronautical Genius - IEEE Spectrum Radio
- Dr. Pauline Mele - BioTech Nation
- Kelly Phillipps - New Technology In Enterprises
Today was the first time I've used my new Perl script to generate this list. Up until now, I was manually grabbing the top ten downloads from the stats page and then creating the list. The problem was having programmatic access to the show data to correlate with the show URL in the log files. My script reads and parses the RSS feed to grab the show data. So this is a nice example of easy, loosely coupled integration. No need to have access to the database.
I plan to update the program to grab the rating data from Loomia as well and generate rating data. I plan to eventually generate RSS feeds to these. I'll let you know.
4:22 PM | Comments (1) | Recommend This | Print This
Banning iPods
If you haven't seen this yet, get ready to shake your head. New York is considering banning iPods in crosswalks.
3:45 PM | Comments (2) | Recommend This | Print This
Houses Go Green
Last week, Moira Gunn interviewed Michelle Kaufmann, an architect who designed modular homes with a focus on resource conservation. Wired Magazine had an article on this same subject last month that I really enjoyed. If you listen to the interview, you'll hear Moira and Michelle talk about the Glidehouse, one of Kaufmann's original designs. Michelle's firm has a variety of designs that are efficient, cheaper to build (because of the modular design), and desirable. Those are words you don't always see in the same sentence together.
3:35 PM | Comments (1) | Recommend This | Print This
February 6, 2007
Action Needed: Contact Your Legislator on VoIP Taxation
Tomorrow the Utah House will start debating a bill to add the E911 tax to VoIP in Utah. I wrote about the bill earlier and why I think it's a bad idea.
If you live in Utah, contact your legislator by email as soon as possible and tell them that it's infeasible to tax VoIP and that you're opposed to it.
8:54 PM | Comments (2) | Recommend This | Print This
Overstock's Community Portal
Overstock.com has launched a community portal where they hope their customers will write "guides" about things that they're passionate about. Seems like an interesting idea. I've wondered about the ability to harness people's passion to create customer service sites that are more useful than those run by the company.
Interestingly it's built on MediaWiki which I think is a great platform, but a little hard for wiki novices to use. I wonder if they've done something to make page editing any easier.
I'm wondering rather than looking because when I went to sign up for an account, they wanted a credit card. Uh-uh. Way too much friction. You can skip it, but that ought to be the default, not an opt-in option.
7:43 PM | Comments (2) | Recommend This | Print This
Security Indicators Are Largely Ignored
A paper to be presented at the IEEE Symposium on Security and Privacy in May called "The Emperor's New Security Indicators: An evaluation of website authentication and the effect of role playing on usability studies" (PDF) shows that users largely ignore security indicators like whether a site is using HTTPS, customer-selected images, and even warning pages.
I believe a large part of the problem is inconsistent user experiences. For example, if you go to a Web site and the picture you selected to indicate that this site is real isn't there for some reason, most people would just assume that this is a different login page and that feature isn't part of that page. PayPal has multiple login pages for example--all different.
CardSpace, Microsoft's identity system has a consistent user interface for selecting cards and that's a real bonus.
6:19 PM | Comments () | Recommend This | Print This
Marriott Blogs
The CEO of Marriott International, Bill Marriott, has a blog. The blog is about two weeks old and has a half a dozen entries. They're authentic and interesting. The technology is well done, as you'd expect from someone who has lots of IT support.
There's an audio link which has Bill Marriott reading the post, or perhaps that's how he creates it. Comments are also open on all the posts and there's considerable activity.
I was puzzled at the URL:
http://www.blogs.marriott.com/
He's not just one of the corporate blogs, he seems to be the only blog with no room in the URL space to grow.
But, all in all an excellent effort to authentically reach out from a CEO of a major company. Nice job Bill! I hope it's rewarding.
6:11 PM | Comments () | Recommend This | Print This
Cheap Pseudonyms, Privacy, and Sex Offenders
The BBC is reporting on a move by the British government to require convicted sex offenders to register their online identities. Of course, it only takes a minute of thought before you realize that it's so easy to get a new email address that registering one doesn't do much good.
There are some scary responses to that, like this one:
If everyone had a single internet identity for life, like a National Insurance number, this would make it far easier to track people, he said. Child internet safety expert John Carr, of children's charity NCH, said: "This is a very welcome move."
"It will mean that we can extend the Sex Offenders Register regime into cyberspace and that will be a great comfort to many people."
From BBC NEWS | Politics | Plan to list paedophile web names
Referenced Tue Feb 06 2007 12:00:20 GMT-0700 (MST)
This kind of legislation isn't limited to Britain. In December, John McCain introduced a bill in the US Senate that would do much the same thing.
The issue here is that pseudonyms are cheap. Eric Friedman and Paul Resnick wrote a paper in 1999 on the social cost of cheap pseudonyms (PDF). Here's the abstract:
On the Internet it is easy for someone to obtain a new identity. This introduces opportunities to misbehave without paying reputational consequences. A large degree of cooperation can still emerge, through a convention in which newcomers "pay their dues" by accepting poor treatment from players who have established positive reputations. One might hope for an open society where newcomers are treated well, but there is an inherent social cost in making the spread of reputations optional. We prove that no equilibrium can sustain significantly more cooperation than the dues-paying equilibrium in a repeated random matching game in which players have finite lives and the ability to change their identities, and there is a small but nonvanishing probability of mistakes and a large number of players.
Although one could remove this inefficiency by disallowing anonymity, this is not practical or desirable in a wide variety of transactions. We discuss the use of entry fees, which permit newcomers to be trusted but exclude some players with low payoffs, thus introducing a different inefficiency. We also discuss the use of unchangeable pseudonyms, and describe a mechanism which implements them using standard encryption techniques.
The paper presents a game-theoretic study of various strategies for dealing with cheap pseudonyms. The bottom line is that there aren't many good ones:
It would be nice to create environments where strangers were trusted until proven otherwise. Unfortunately, obvious strategy vectors involving cooperation with strangers are not stable, and we proved that no strategy vector can do substantially better than punishing all newcomers.
Thus, there is an inherent social cost to free name changes. We can mitigate this cost by charging for name changes, but this also requires charging for names in the first place. That may exclude poor people or those who are just exploring and not yet sure whether the payoffs from participation would justify the entry fee. A better solution is to give people the option of committing not to change identifiers.
The paper presents such a mechanism. Would that help here? Probably not. Say, you give someone a "once-in-a-lifetime" identifier. That identifier works within a certain context, so you could commit someone to not change their MySpace identifier, but that doesn't mean they wouldn't have another identifier somewhere else.
But so what? What makes registers work is that they can be easily checked. Send the parole officer by and see if the guy really lives where he said he did. That's hard to do online and once-in-a-lifetime IDs don't help. Confirming that someone is somewhere is a provable thing. Confirming that someone isn't somewhere (or doing something) is nearly impossible.
Legislation to give someone a single identifier for life would likely fail for the same reason. In the end, however, society will decide how much they value the anonymity of the Web when confronted with the attendant costs.
Bonus link: Terrell Russell wrote about this back in December.
1:57 PM | Comments () | Recommend This | Print This
NextPage Document Retention Preview
My preview of NextPage Document Retention product is out on the Test Center Daily blog. Here's my verdict: NextPage 2 Document Retention provides a method for versioning, tracking, cleaning up, and archiving corporate documents that users will actually use. Watch for a full review a little later.
11:45 AM | Comments () | Recommend This | Print This
Making CardSpace and OpenID Interoperable
Microsoft, JanRain, Sxip, and VeriSign have agreed to work together to make OpenID and CardSpace interoperate. This isn't totally unexpected since the community has been moving forward in this direction. Kim Cameron has been discussing the details of how it might work in recent weeks. Here are the specifics from the press release:
- As part of OpenID's security architecture, OpenID will be extended to allow relying parties to explicitly request and be informed of the use of phishing-resistant credentials.
- Microsoft recognizes the growth of the OpenID community and believes OpenID plays a significant role in the Internet identity infrastructure. Kim Cameron, Chief Architect of Identity at Microsoft, will work with the OpenID community on authentication and anti-phishing.
- JanRain, Sxip, and VeriSign recognize that Information Cards provide significant anti-phishing, privacy, and convenience benefits to users. Information Cards, based on the open WS-Trust standard, are available through Windows CardSpace.
- JanRain and Sxip, leading providers of open source code libraries for blogging and web sites, are announcing they will add support for the Information Cards to their OpenID code bases.
- JanRain, Sxip and VeriSign plan to add Information Card support to future identity solutions.
- Microsoft plans to support OpenID in future Identity server products.
The Bill Gates keynote at the RSA conference today also contained commitments to support OpenID in some Microsoft products (I'm not sure which), I'm told. Very good development for everyone, I think.
11:14 AM | Comments () | Recommend This | Print This
Securing Vermont's Networks
Vermont's governor has called for a complete audit of security across executive branch agencies.
"The problems discovered over the last several months are entirely unacceptable to me because they were preventable," Douglas said. "I expect the department to look at every area and aspect of our Internet security protocols to be sure we are employing all the available resources to protect the integrity of our systems. And I expect a higher standard to be set in IT departments throughout state government."
From Vermont Governor Calls for Full Internet Security Audit - Feb 02, 2007
Referenced Tue Feb 06 2007 09:14:42 GMT-0700 (MST)
This comes on the heels of a security breach last month that resulted in the personal data of 70,000 individuals being compromised. To make matters worse, the data had been supplied to the state by New England Federal Credit Union to help track people who owe child support.
This is one of the things that keeps State CIOs up at night. Most don't have the authority to prevent the problem and yet they're going to catch the flak.
9:27 AM
February 5, 2007
Funding Public Radio (and ITC) with VRM
In a post at Linux Journal about identity and VRM, Doc Searls says that rather than boil the VRM ocean, he would rather pick a specific problem.
Beyond cash for goods or services, I would like the option of having some range in relating. Maybe I want nothing more than give an artist some cash and a high-five. Or I may want a subscription to notices of new work, or to performances near where I live.
The thing is, this mechanism needs to live on my side: to be mine. It must be able to relate to a first source or to an intermediary, but it can't belong to the intermediary. The responsibilities for relating need to be shared. To do that, I need to control my end, free and clear. I can't just be enrolled in a system controlled by the supply side, or by somebody in the middle.
The absence of the power to relate from the demand side --- except with cash or mechanisms controlled by the supply side or its intermediaries --- is a problem as old as the Industrial Age, and it's time to solve it.
... we need to pick a problem to solve, not an ocean to boil. Here's one I like: make it easier for public broadcasting listeners and viewers to pay for the goods they receive. Right now public broadcasting continues to raise money in extremely old-fashioned ways. The one I hate most is the fund drive where they turn off programming for two weeks, plead poverty, and then give you a cup or a CD if you send some money. There has to be a better way.
From Putting the Wholes Together | Linux Journal
Referenced Mon Feb 05 2007 21:08:36 GMT-0700 (MST)
This public radio problem is one that's near and dear to my heart since I struggle with how IT Conversations ought to relate to listeners and, to be frank, derive some monetary gain from the value that IT Conversations provides.
As Doc says, if this is to really be VRM, then it can't be controlled by the vendor (ITC in this case), but by the user. On the other hand, until someone steps up and builds it, am I just supposed to sit around and wait?
When Doc says that he wants a range of relating, I can think of several things that might work for ITC or public broadcasting.
- You ought to be able to express a preference for specific shows
- There ought to be a full range of ways to show appreciation (from a positive rating to money)
- Expressing preference ought to get you more of what you like
This isn't just a donation and it isn't a subscription. Rather, it's a hybrid mode: it's voluntary, like a donation, but specific to certain shows or classes of shows like a subscription. I think ultimately it has to happen in lieu of, not in addition to, advertising.
The problem with applying these kinds of rules to Public Radio is that Public Radio is wedded to the broadcast model and that's extremely limiting. For example, spectrum and time create a zero sum game where to give me more of what I want means you get less of what you want.
Not so with IT Conversations where with virtually unlimited content (most user-generated), ITC can serve the role of filter, ensuring that everyone gets what they want. Perfectly? Probably not, but much more solidly than in a zero sum world.
You may be thinking: this isn't a relationship, it's just another way for me to pay money. I disagree. When you express preference and that preference really means that you get what you want, that goes beyond the traditional exchange of goods or services for money. That builds a tighter bond between you and the vendor. That's a relationship.
10:04 PM
Church Networks
The United Methodist Church (UMC) has an online social network (with some funny URLs). The network is similar to other social networks: create a profile page, make your blog, link to friends, etc. The difference, as explained on the site:
What makes the UMC.org Community unique is our needs registry, allowing you to reach beyond your immediate communities to a global audience. The needs registry allows you to share your gifts and share how you personally want to help make the world a better place. The idea here is to connect those with needs with those that are equipped to help.
By working in a community of faith like this, we are able to share knowledge, resources, and content with one another, all in an effort to grow as a global community, as leaders, and in faith. Join the UMC.org Community and meet others who are committed to making a difference in their communities and across the globe.
From UMC.org Community - UMC.org
Referenced Mon Feb 05 2007 20:48:34 GMT-0700 (MST)
I think this kind of innovative use of technology in religious discussion is noteworthy and laudable. Still, you have to wonder how you can manage the content so that it's consistent with the religious principles espoused by the UMC. There is a code of conduct that is fairly specific about what's allowed and what isn't. I suspect that the community can police itself very effectively where these issues are black and white. There will be more trouble at the edges and someone will have to make a judgment and that's when the trouble starts.
8:53 PM
Finding Jim Gray at Sea
It's Amazon week at Technometria! If you've followed the story of Jim Gray being lost at sea, you know that one of Computer Science's preeminent figures is in grave danger and possibly dead. I heard Jim Gray speak a few years ago at the University of Utah's Organick lecture.
The reason for the Amazon reference above is the part that Amazon's Mechanical Turk (MT) is playing in the search for Gray. If you're not familiar with Mechanical Turk, it's a system for employing human intelligence to do small tasks for which humans are uniquely qualified. In this case, it's recognizing boats in satellite images.
This is a remarkable use of MT in search and rescue. I'm sure there could be many other uses in disaster recovery. If you've got a few minutes, pop over to Amazon and help in the search. It's quick, painless, and might really make a difference.
1:50 PM
Using Amazon's Web Services for Sophisticated Applications
I just put a post up at Between the Lines about Doug Kaye's use of Amazon's Web services for hosting sophisticated applications. One look at the block diagram on Doug's site will convince you that this is substantially more than a trivial use of AWS.
11:51 AM
February 3, 2007
Superbowl Exploits
Ryan Naraine reports that the Superbowl XLI site was hacked and seeded with exploits that will install a keylogger and backdoor that give the crooks access to the compromised machine.
This is doubly interesting to me since Ross Jardine and I did the first two Superbowl sites on the Web for Superbowls XXIX and XXX. We even owned the domain name superbowl.com at one point. For Superbowl XXIX (1995) we ran a contest and gave away Superbowl merchandise each day with a grand prize of two Superbowl tickets. In 1994, that was a great way to build traffic and put iMall.com on the map.
1:16 PM
Community in Denial
Christopher Koch, who is the Executive Editor at CIO Magazine, has a provocative post on his blog about "community" being the code word of denial in the current burst of activity commonly called Web 2.0. He compares it to the word "collaboration" which fueled the B2B bubble in the late 90's. Using the c-word allows you to "slide past any discussion or proof of real value."
Chris points out three things necessary to get and keep visitors to any Web site:
- Perceived value
- Safety
- Clear exchange of value
You could probably argue the first of these draws visitors, the second enables the transaction, and the third keeps them coming back.
Chris uses MySpace and YouTube as examples and while I found myself nodding in agreement with what he said about MySpace, I couldn't help but disagree when it came to YouTube. Maybe it's just a generational thing with MySpace, but I think Chris hits the nail on the head when he says:
All in all, the perceived value on the home page of MySpace comes across as the opportunity to enter a hopelessly large, undifferentiated lonely hearts club that's potentially unsafe and embarrassing and provides little hope of real value exchange.
From CIO Blogs - Web 2.0: A Community in Denial
Referenced Sat Feb 03 2007 12:33:22 GMT-0700 (MST)
That said, I couldn't help but think of a recent Wired magazine article about the role MySpace played in the life and death of Daniel Varo and his friends--not to mention enemies. Months after his death people were still leaving comments on his MySpace page. It was like his online memorial. Value? I don't know--but it was definitely compelling for these people.
On YouTube it's easy to lose the value in the sheer volume of material. It's easy to dismiss it as a home of pirated material (and Viacom appears to agree), but the user-generated content is compelling. A recent Bear Stearns presentation by Spencer Wang claims that 75% of the top 20 videos on YouTube were user-generated content on November 15, 2006.
YouTube has also become an important political tool in the 2008 race. Supporters and detractors of Mitt Romney, not to mention the campaign itself, have used YouTube. Rather than firing multi-million dollar ads back and forth at each other, for now, they're fighting with low-budget videos that can be linked, shared, and embedded.
As far as I can see, YouTube's "community" isn't the draw. Humans are amazingly social animals, so they will find ways of using almost any tool to congregate and that's happening on YouTube despite its poor support for such activities, not because of it.
Chris finishes with a discussion suggesting businesses look at recommendations to build "community" on their sites with a critical eye. I think that's good advice.
Most businesses are likely to look at community building as a code word for "lock-in." Most businesses aren't designed to cultivate and profit from relationships with their customers. Instead they are focused on direct value exchange in transactions. That's a function of accounting and metrics. Relationships are hard to quantify on the bottom line.
If your company's efforts to create "community" are being talked about in terms of customer lock-in and growing average transaction size, then stop the conversation. You're wasting your time. I suspect most successful community-related efforts in companies will grow out of customer support, not marketing or sales. Some customer support organizations are starting to realize real value, in the form of reduced support costs, from activities like forums, blogs, and other activities which give customers more information, build reputation, and reduce customer frustration. I wrote about this a while back in a piece called Customer Starts With Custom.
1:02 PM
February 2, 2007
IIW2007
This is not the Internet Identity Workshop--but going to Croatia to learn to weld might be fun.
We'll be doing the first Internet Identity Workshop this year on May 14-16, 2007 at the Computer History Museum in Mountain View, CA. Put it on your calendar now. Registering early will help us plan and pay for upfront fees.
5:04 PM
February 1, 2007
Finding Truth in Crowds
The folks at JanRain (the OpenID library builders) have released jyte, a site that allows you to make claims about anything you like and then other people can agree or disagree. It's a well-done Web 2.0 kind of site with lots of cool infographic features, embeddable result bars, comments, tags, and OpenID authentication (what else?). It even let me use my i-name. Hurray!
Here's a claim that David Recordon made about Emacs:
I'm not sure how that's going to look or even if you have to log in to vote, but we'll see...
The idea that people can make statements about something and then other people can agree or disagree has a nice tie-in to reputation. There's a lot of debate about whether there really is wisdom in crowds or not, but reputation is one place where that happens in real life. It doesn't matter much whether it works or not--in society it just is.
Most of the claims on the site are trivial at this point (like the one I embedded above--who cares?). Still, I believe that you could use it for more serious activities like paring down the results of a brainstorming session. I may try using it on my class on Reputation in some way.
2:43 PM
Social Network Fatigue
Dana Boyd has a good post on social network fatigue and how marketing people everywhere are trying to jump on the MySpace bandwagon. This dovetails with the post I did yesterday on social networking without a safety net. I've seen people stop blogging for the same reasons Dana cites regarding MySpace.
2:27 PM
Personal Businesses On the Rise
Number of US businesses with no employees (Intuit/IFTF study)
Paul Kedrosky pointed out an Intuit/IFTF study on small business (PDF) that talks about the rise of the personal business. Tim O'Reilly has a nice riff on this as well.
As I talk to people, I find more and more who consider themselves free agents and, even though they have an employer, take pains to keep themselves free of organizational entanglements. They use their own email address for most correspondence, buy their own tools, and see their employment more like a business to business relationship than a traditional employer-employee relationship.
Thomas Malone, who's been on IT Conversations several times, talks about this in his book The Future of Work. It's worth reading, but if you don't have the time at least listen to the talk




