Saturday, September 30, 2006

Bi-Directional Federation and SAML part 3

Paul continues our "discussion" on Bi-Directional federation

I'm sure he would have preferred to actually get in and invoke 'editorial privileges' to modify my post but Conor has settled for a response.

If only that were the case... :-)

Paul then goes on to quote my explanation about what a NameID is and to question my interpretation with:

The other interpretation is that, when playing their initial roles, the SP and IDP made the following commitment to each other:

SP: Dear IDP, when I communicate with you I will use the 'abc' identifier (in the NameID) that you created for me.
IDP: Dear SP, when I communicate with you I will use the 'def' identifier (in the SPProvidedID) that you created for me.

I'm not sure where the "Dear"s came from, but NameIDs are always chosen by an IdP when the IdP creates an assertion. To be totally clear, in any given transaction there is exactly one IdP and exactly one SP. The IdP generates the assertion and sends it to the SP. The IdP chooses the identifier to use. This identifier becomes the value of the <NameID> element. If the entity that is the SP in this transaction had previously asked, the IdP will also include an identifier that the SP provided previously (in the SPProvidedID attribute on the <NameID>).

If the Format attribute of the <NameID> element has the value "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent", the entity acting as the IdP is also agreeing that should it generate a subsequent assertion for the same principal, the assertion will have the same identifier (so the identifier has some level of persistence).

Now, the identifier chosen by the IdP may not be from the IdP itself. It may use an identifier created by another party. That is why there is a NameQualifier attribute. This attribute is there so that when the IdP is using an identifier created by another party (such as another IdP), the IdP using the identifier can identify the other party.

I assert that this exact case is what is happening in a bi-directional federation where both IdPs have chosen to use the same identifier for the user. Regardless of direction, the identifier will be placed into the value of the <NameID> element and in both cases the NameQualifier will be the IdP that originally created the identifier (although in the case where the IdP that created the identifier is also the party issuing the assertion, they MAY omit the qualifier since the context (they issued the assertion) is enough to figure out it is their assertion).

Anyway, Paul goes on with:

Conor will argue that the initial commitment is more along the lines of:

SP: Dear IDP, when I (acting as an SP) communicate with you I will use the 'abc' identifier (in the NameID) that you created for me. When however I (acting as an IDP) might communicate with you, I will use the 'def' identifier (in the NameID) that I created for you.
IDP: Dear SP, when I (acting as an IDP) communicate with you I will use the 'def' identifier (in the SPProvidedID) that you created for me. When however I (acting as an SP) might communicate with you, I will use the 'abc' identifier that I created for you.

The problem here is that this makes it seem like these statements are being made as part of the protocols (or due to some message) and that isn't the case. I point back to what I said before about the single transaction, one IdP, one SP, how identifiers work. There's no "I'll do this when that and I'll do this other thing when that other thing".

Paul later says (referring to a section of the SAML Spec I quoted):

As I read them, these two paragraphs from the SAML spec require that the Former-SP-Now-Acting-As-An-IDP, if they use an identifier initially created by the Former-IDP-Now-Acting-As-An-SP, to use the NameQualifier attribute. So, the example from my first response was incorrect, it should have been

<saml2:NameID Format="persistent" SPProvidedID="def" NameQualifier="">

So the question of the hour is: which example?

If we're talking about the single identifier case, that is the example I had in my original post that we've been going on and on about, other than the fact that it somehow now has a second identifier (which doesn't fit the use case, as we were talking about a single identifier case (both parties chose to use the same identifier)).

So, perhaps, this long article by Paul is just a way of him saying to me, "You're right"... (I do like to hear that :-)).


The Canon SD500 & the Cracked LCD Screen

A few months ago, I wrote of My Cannon SD500 LCD Cracked and my successful self repair for $40.

At the time it seemed that this had happened to many people and to many versions of the Powershot series camera with little explanation other than many suspecting a manufacturing defect.

I recently noticed a possible explanation that would likely explain my breakage (and it wasn't rough handling). The camera comes with a wrist strap which attaches to the end of the camera and has a separate sliding plastic piece which allows you to cinch the strap to your wrist (so it won't easily slide off). When I was putting my camera back into its little case, I noticed that the following could result:

Note that the plastic slider is positioned directly over the LCD screen. In this position it creates a pointed pressure point on the LCD screen and, I fear, any little pressure would cause the LCD screen to crack. This easily explains how my LCD cracked (not that I have any direct proof this happened as I didn't notice the position of the handstrap when I took the camera out of the case).

Moral of the story: Keep the strap on the front side of the camera when you put the camera into a case or don't use the strap.

Let me know if this may have been a part of your problem as well.


Friday, September 29, 2006

Bi-Directional Federation and SAML part 2

Paul writes in response to my Bi-Directional Federation article.

He takes quite a long time to get there, but essentially he questions my choice as to the location of the identities within the SAML 2.0 <NameID> element. His main concern is that when each party is using a different identifier, the reverse assertion has the original IdP's identifier in the SPProvidedID attribute, while when they are using a single identifier, that identifier appears as the <NameID> value (not the SPProvidedID attribute).

While I'll admit there's a certain level of consistency to Paul's proposal, I still think that the right way is to put the identifier in the <NameID> value rather than the SPProvidedID. My reasons include:

  • The <NameID> carries the value chosen by the "IdP" to represent the user at the "SP". In this case, the Former-SP-Now-Acting-As-An-IdP has chosen to use the identifier that it had received from the Former-IdP-Now-Acting-As-An-SP. Therefore that value belongs in the <NameID> element, not in the SPProvidedID attribute.
  • The SAML 2.0 Core Specification does not allow for a null value in a persistent identifier (see section 8.3.7).
  • Lines 3326-3332 and 3350-3356 of the SAML 2.0 Core Specification actually discuss the case of an SP using the same identifier provided to it by an IdP when that SP-now-acting-as-an-IdP issues assertions, pointing out that they would need to identify the original issuing party using the NameQualifier attribute.

To me, it's clear that while there may be a bit of an inconsistency in placement of the identifier in the single vs multi-identifier cases, the layout I proposed is compliant with the specifications (and, at least to me, more fitting with how name identifiers work).


Thursday, September 28, 2006

Mistaken Identity

So, I'm going through the ever-wonderful process of entering travel expenses for reimbursement (and yes, Intel also has one of those pain-in-the-butt applications which is supposed to make it all easier, but really just moves the cost of processing the expenses from the accounting department out to the business units)..... Anyway...

I pull up a receipt from the local Burgerville (I think it's an Oregon version of McDonalds) for my lunch a couple of weeks ago and lo and behold, I find that I have been given a 10% senior discount (she didn't mention anything about it at the time, but clearly she felt I was a senior).

Luckily, I have a few more years before I actually qualify for such things, even if I look like I already qualify. But for now, I guess one could say this is a good case of mistaken identity (saved me $1.22).


That's not a trip...

Paul writes about an upcoming Liberty Workshop in Japan where we will both be speaking. He was, of course, quick to point out to me that he will be speaking for 40 minutes while I only have 30 minutes. Of course, he's speaking about the Liberty People Service (an old (internet-time) topic nowadays) while I'll be speaking about some new work Liberty's doing around the Liberty Trusted Module (sorry, no links yet).

That workshop is just after the Liberty Alliance's fall Sponsor's meeting in Hong Kong, so it does involve some interesting air travel.

Paul found a neat site, Great Circle Mapper which you can use to map out your trips. Paul's all-coach trip (which includes a strange connection through SGN (Ho Chi Minh City) for his leg from HKG to NRT) is below:

My totally-upgraded-to-business-class trip, on the other hand, involves going to London first. This makes it a real round-the-world trip (Washington->London->Hong Kong->Tokyo->Washington). Virtually it would look like:

But, alas, virtuality isn't reality. My real trip (for cost reasons -- $1,600 vs $4,200 or something like that) ends up being:

Yeah, I have to fly through Chicago to get to Hong Kong (total of 23 hours of flight time on that leg). The one consolation that I have is that I was able to upgrade that entire leg with a single United system-wide upgrade certificate (perhaps it qualifies as one of the longest such trips).

You can see the difference that can make when you look through the tray table pictures (our group blog is now the #3 google search result for the term traytable!).


Wednesday, September 27, 2006

Bi-Directional Identity Federation

Recently a friend asked me about Bi-Directional Identity federation and how it could be done with SAML 2.0. The now familiar off-the-shelf uni-directional identity federation involves an Identity Provider (IdP) issuing an identifier for a user and agreeing to only transmit that identifier to the Service Provider (SP) if the same user returns to the SP (in an SSO transaction from the IdP) at some point in the future.

Bi-directional federation takes that one step further, allowing the SP to act as an IdP in some future transaction and assert the user's identity to the former IdP, now acting as an SP.

The issues at play in this situation are mostly about policies. Has the user allowed their identity at the SP to be asserted to the IdP? Is there some special agreement that the user consents to during the first federation that explicitly states this is allowed? Does the IdP accept identities asserted by the SP?

From a technical point of view, it's much clearer. Federation (in this case) is about the agreement of two parties to use a handle (identifier) for the user. In the case of the user federating from the IdP to the SP, the IdP issues the handle and passes it to the SP. The SP may accept and use that handle, or it may ask the IdP to provide it (the SP) with an additional handle created by the SP (the SPProvidedID in SAML-speak). These identifiers are carried in the <saml2:NameID> element within the <saml2:Subject> of an assertion. An example NameID with both IDs:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

For Bi-directional federation, nothing else needs to be done. The exchange of handles that has already taken place can be used for each direction. In the case where there's only one handle (the IdP created handle) the SP can now use that same handle when asserting the identity to the IdP (although the SP would need to specify the NameQualifier attribute since the SP was not the issuer of the NameID). For example:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
              NameQualifier="" >

In the case where the SP has registered its SPProvidedID at the IDP, I would recommend that the IDs are placed in inverse positions when the user's identity is asserted in the opposite direction, so the example NameID above would change to be the following when the identity was asserted from the SP to the IdP:

<saml2:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

Note that the ID issued by the entity that was acting as the IdP during the original federation operation is now placed in the SPProvidedID attribute as, in the current transaction, they are acting as the SP.

With that minor understanding, the remaining SAML 2.0 profiles, including Browser SSO, all work out-of-the-box bi-directionally. There are no changes to the protocols necessary to support Bi-Directional federation.
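As an added example (not code from the original post), the following Python builds the <saml2:NameID> element for both directions of the federation described above, in the single-handle and two-handle cases, and shows how the original IdP, now acting as an SP, checks an incoming NameID against the federation it previously established. The entity IDs, handles and federation table are constructed for illustration, and the persistent-format URN is written out in full.

```python
"""Build and check SAML 2.0 <saml2:NameID> elements for both directions of a
bi-directional federation.  Added example, not code from the original post;
entity IDs, handles and the federation table below are constructed."""
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml2", SAML2)

# Constructed federation records kept by https://idp.example, the party that
# acted as IdP when each federation was first established.  The first record
# has a handle from each side, the second only the IdP-created handle.
FEDERATIONS = [
    {"idp": "https://idp.example", "sp": "https://sp.example",
     "idp_handle": "abc", "sp_handle": "def", "principal": "alice"},
    {"idp": "https://idp.example", "sp": "https://other.example",
     "idp_handle": "ghi", "principal": "bob"},
]


def build_name_id(value, creator, issuer, sp_provided_id=None):
    """Return a persistent <saml2:NameID> carrying `value`.

    `creator` is the party that originally minted `value`; `issuer` is the
    party now issuing the assertion.  NameQualifier is required whenever the
    issuer reuses an identifier it did not create, and may be omitted when
    the issuer created it (the assertion's own context identifies it).
    """
    el = ET.Element(f"{{{SAML2}}}NameID", Format=PERSISTENT)
    if creator != issuer:
        el.set("NameQualifier", creator)
    if sp_provided_id is not None:
        el.set("SPProvidedID", sp_provided_id)
    el.text = value
    return el


def forward_name_id(fed):
    """IdP -> SP: the IdP's handle is the element value; the SP's handle,
    if it registered one, rides along in SPProvidedID."""
    return build_name_id(fed["idp_handle"], fed["idp"], fed["idp"],
                         fed.get("sp_handle"))


def reverse_name_id(fed):
    """Former SP (now IdP) -> former IdP (now SP).

    Two handles: the positions are inverted, so the SP-created handle becomes
    the value and the IdP-created handle moves into SPProvidedID.
    One handle: the IdP-created handle is reused as the value and must be
    qualified with its creator, since the issuer did not mint it.
    """
    if fed.get("sp_handle"):
        return build_name_id(fed["sp_handle"], fed["sp"], fed["sp"],
                             fed["idp_handle"])
    return build_name_id(fed["idp_handle"], fed["idp"], fed["sp"])


def resolve_reverse(federations, our_entity_id, issuer, name_id):
    """Run by the original IdP when a former SP asserts an identity to it.

    Returns the local principal the NameID maps to, or None when it does not
    match a federation previously established with `issuer`.  Nothing in the
    element is trusted on its own: every value is compared against what was
    stored when the federation was created.
    """
    if name_id.get("Format") != PERSISTENT:
        return None
    value = (name_id.text or "").strip()
    if not value:
        return None  # a persistent identifier may not be empty
    for fed in federations:
        if fed["idp"] != our_entity_id or fed["sp"] != issuer:
            continue
        if fed.get("sp_handle"):
            # Two-handle case: their handle is the value, ours is SPProvidedID.
            if (value == fed["sp_handle"]
                    and name_id.get("SPProvidedID") == fed["idp_handle"]):
                return fed["principal"]
        elif (value == fed["idp_handle"]
              and name_id.get("NameQualifier") == our_entity_id):
            # Single-handle case: our own handle comes back, qualified by us.
            return fed["principal"]
    return None


def to_xml(el):
    """Serialise an element the way it would appear inside <saml2:Subject>."""
    return ET.tostring(el, encoding="unicode")


if __name__ == "__main__":
    for fed in FEDERATIONS:
        print("forward:", to_xml(forward_name_id(fed)))
        print("reverse:", to_xml(reverse_name_id(fed)))
```

Note that a forward-layout NameID presented in the reverse direction, or a reused single handle without its NameQualifier, resolves to no principal, which is exactly the inverted-position rule from the post enforced on the receiving side.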

As with much of the work in the Identity world, it isn't a hard technical problem, but more of a business and policy problem (which can take much more time and energy to solve).


Tuesday, September 26, 2006

Liberty is more than relevant

Recently, it seems a spate of people have been asking if the work being done by the Liberty Alliance is still relevant (call me suspicious, but I think they're only doing it to be controversial in order to drive up readership, so I'm not linking to their pages from here :-)).

Perhaps I suffer from a lack of objectivity as I have been involved in Liberty since it was founded in 2001 (and still cringe anytime I hear "the Sun led..." :-)), but Hell YES it is relevant -- it is more than relevant. The work going on in the alliance includes:

  • The ONLY ongoing work at defining and extending an interoperable profile for identity based web services in the industry (this work is NOT yet being done explicitly in any WS-* draft or spec, nor any WS-I work I have seen).

    As an example of the ongoing work, the most recent release (ID-WSF 2.0, to be published RSN) includes multi-party transaction support and user-to-user federations -- both of which have been very well received in the industry (the typical "duh, why hasn't anyone addressed that before kind of stuff").

  • The Strong Authentication Expert Group working on trying to solve the problem of Strong Authentication across the industry so that the user doesn't end up with a boat anchor full of strong auth device tokens and so that developers and deployers of said tokens don't need to support hundreds of different protocols.
  • The eGovernment, eHealth and IDTheft SIGs addressing the issues related to Identity in various environments
  • The Liberty Conformance program, which is certifying interoperability conformance of products in the ID-FF, SAML2 and ID-WSF worlds. If you plan to deploy any of these services, you will save a lot of time if you require that the products have been through conformance, or you will be spending a lot of time trying to get them to work together.
  • etc., etc.

If you haven't looked at it recently, I suggest you take a look at the revamped web site which does a much better job at getting the message across than the old site (although I can't say I'm a fan of the color choices they made).

If you're wondering about whether or not you should join, the question, in my mind, comes down to "Do I have relevant use cases that I want solved by the specifications and do I want to impact the solutions to ensure they are implementable in my environment?"

If you answer yes to either or both of those, you should join.


Sunday, September 24, 2006

342 "Identities"

I ended this week with a total of 342 Internet identities (7 more since 8/25). I count any site that requires a username and password credential as an "Internet identity" (others might call these "Identity Silos", but I think of them as distinct instances of my identity). One would think that given I have so many identities, I wouldn't need to create new ones all that frequently, but that doesn't seem to be the case.

The new identities created over the past month include:

  • zdnet - I was forced to create an identity here in order to respond to a blog entry on zdnet (they would not allow anonymous response, nor take the typical minimum information for blog entries). Of interest was that creating an account there required name, address, industry, company size, etc., etc. Of course, I filled this in with junk (I hate sites that require unnecessary information). Interestingly, they also required zip code even though they said it was only required for US & Canada (I had selected Bangladesh as my country). And, of course, every time I made an error in completing the form, they reset my subscription selections back to getting all kinds of spam so that if I didn't unselect them again I would be added to the lists of spam drones.

    Finally, the email address had to be confirmed before I could post and upon confirmation, they again somehow thought I had subscribed to a bunch of email subscriptions, even though I purposefully de-selected all of the subscription checkboxes (several times).

    Definitely NOT the kind of experience those in the identity world are driving towards (including, interestingly, the author whose blog I was responding to).

  • - so I could participate in a wiki
  • academic superstore - to make a purchase
  • - where I purchased the drive I wrote about in "160 of them bad boys". They had interesting password rules, only allowing lower case alphabetic characters, 0-0 and '_'.
  • - to join opensso (so I can get a free T-Shirt :-))
  • - to get alerts about local school delays/closings (they changed their system and did not migrate over the old system, nor did they close the accounts on the old system which is a public system and continues to exist for other school systems)

At some point one would think that I will reach the point of saturation (I will have an identity at every possible place I would use), but that doesn't appear to be the case (yet) as I'm still creating close to 2 every week, and I'm not counting things that are of temporary use (like the IDs I received for internet access while at a conference in Paris).


Thursday, September 21, 2006

It's all in a name...

This week, hanging out with my Liberty "friends" in Paris, I learned a new French word that has a pronunciation that is very similar to my name and which some seemed to think applied quite well to my behavior.

The French term "connard" (which is pronounced like Conor, but with a rolling "are" at the end rather than the "or") is a term vulgaire which at best means something along the lines of being a "jerk". My "friends" seemed to enjoy using that pronunciation for my name throughout the meeting (and I think it will probably stick for subsequent meetings). Sad to say that there wasn't a similar term like "tonnard" -- which, of course, would have been even more appropriate (just joking Tony :-).

Seems like it isn't just my poker or hockey "friends" that have affectionate terms for me :-). Some would even say my picture should appear next to the definition.

Of course, I am quite proud of having earned such distinction.


Wednesday, September 20, 2006

An Identity crisis...

I was looking at some older pictures the other day with one of my daughters (Lauren) when we ran across a picture of her with her sister.

Now, Lauren and Jessica have always given us a hard time when we make a mistake as to which is which. Initially they just ignored us -- so if Jessica was 3 feet away and you were saying "hey, Lauren", she would just ignore it, even when you repeated it several times, getting louder each time (and Lauren was nowhere to be found so she had to know you were talking to her). Later, they look at you with this disappointed look like "how could you?" and say "I'm NOT Lauren."

So, I thought turn-about was fair play and asked her "hey, which one of them is you?"

Lauren stared and stared as I said "You mean you can't tell which one is you?" and "Are you really Lauren or are you Jessica?" and on and on (I was having a good time with this, if you can't tell).

Eventually she guessed (with a 50/50 chance) the right one (and was quite proud of herself when I told her it was right). But I think the lesson was learned. Perhaps the next time I will tell her she was wrong, even if she was right (just to see how she takes it :-) ).


Tuesday, September 19, 2006

Liberty in Paris...

I'm off in Paris, France, (as opposed to Paris, Texas, which I'm sure that's what you were thinking of) for a Liberty Alliance Technology Expert Group (TEG) meeting (one of the advantages of joining Liberty is the abundance of cool places to visit for our meetings :-)).

I was traveling with one of my TEG compatriots from AOL and we had planned to be good, environmentally conscious citizens and take the RER into Paris. Getting into town from Charles de Gaulle airport was an experience. It seemed like we waited left and right for one thing or another (first to take the elevator down to the train level, then to get a ticket from the machine -- only to find out that the machine only accepted smart cards or coins (no US credit cards and no Euro bills accepted)), so we gave up and took a taxi :-(.

Later, we were able to get one of the week long tourist metro/RER passes and plan to use it on the way back to the airport on Friday.


Of course, after catching up on email & work related stuff, we headed off to the Eiffel Tower where we ran across a Greg Whitehead look-alike (photo to the right)... Sorry to say he wasn't there


Another interesting tidbit is that we watched the police bust a guy over in the Palais de Chaillot, apparently for selling miniature Eiffel Towers illegally (not sure whatever the crime was, but they took all of his miniatures) and then, as they were walking away, started giving them to people sitting around the courtyard. People would even come up to them and ask for one.


Saturday, September 16, 2006

To the Left or to the Right, that is the question..

The ever-inquisitive Paul Madsen wonders about my airline seat preferences in My Frequent Flyer Sensei, so I thought I would clear things up...

You ask a good question Grasshopper... It's all about the airplane itself, then about the upgrade, whether you want to work or rest, how quickly you want to get off the plane when it lands, and, of course, the length of flight.

For example, on the Airbus A319, if I'm upgraded and plan to work, the best seat is 1B (decent legroom, no one to lean back into your workspace). If I want to rest, better to be in row 2 (more legroom, but it can have more limited recline, especially in the winter when winter coats are hanging behind the seats) and at the window (not disturbed by someone else getting up). On the Airbus A320, if you are upgraded and you want to rest, the best seats will be in row 2 (more legroom, uninhibited recline) and, if you have a large bladder, window (2A or 2D). Row 3 has the recline limit issue. Row 1 has the legroom issue.

Right side vs left side only comes into play in wide-body aircraft and is mostly about getting off the airplane first. (Of course, you first have to figure out which is right and which is left (the right side of the plane is the side with the higher seat letters (the side on the right when you are sitting in your seat)).) On a wide-body such as the Boeing 777 (Triple-7 for us in the industry :-)), the left side in Business or First Class will typically empty a bit faster than the right, but in Coach, it seems to be the opposite (not that I get much experience back there :-)).

Of course, the best seat you can have in business class (on United at least) is the upstairs window seat on the Boeing 747 (towards the rear, like row 17 or 18, again because of that fast exit policy -- although you are clearly giving up some exit priority by being upstairs).

I could go on and on and on, but you get the picture.

A lesser person, of course, falls back to using the best web source for seating information: Seat Guru -- they're OK, but not as useful as real-world experience.


Friday, September 15, 2006

When an offer isn't as good as it might seem

I recently received this offer from United via email:

The basic thrust of the offer is that I can pay $.01/mile + a $35 fee to "share" between 5,000 and 15,000 miles in my account with a "friend".

Given the pain in exchanging miles for useful trips and the fact that the common thought as to their value is only on the order of $.02, I just don't get why anyone would take them up on their offer. This just seems like one of those sucker-type deals that lure the unknowing user into providing additional funds to the airline -- even with the 10% bonus miles.

Personally, since I already own the miles, I think I should be able to give them to whomever I want without any per-mile fees (perhaps a service charge to cover the operation). I also think that I shouldn't be limited in how many miles I give.

My $.25 is that if you really want to give some "miles" to a friend, it is much easier to just issue a ticket in their name (no additional costs).

Note that I'm not a United critic, I like United, I fly their airline very often (like over 110,000 miles so far this year). I just think this deal is a pretty bad one for their customer who has already paid their dues in earning the miles.


Thursday, September 14, 2006

Strange access logs...

An interesting side effect of my Liquid Free Travel solution to carry-on baggage is that the security guys looking at my access logs for my office building have to be scratching their heads (and I wouldn't be surprised if I'm raising a few red flags).

Tonight my flight to Portland was delayed about 2 hours which means when I stopped by the office to pick up my "liquids", it was pretty close to midnight -- kind of a strange time to be going into the office.

And when I leave on Friday, I'll stop by before my early morning flight, meaning a 4:30 AM stop at the office.

Perhaps I can work out a deal with the hotel I usually stay in to get them to let me store my stash in between visits.


Wednesday, September 13, 2006

Microsoft's license...

Starting with the Identity Openspace Conference (rumor stage) on Monday and continuing into the DIDW conference where it became public, the talk in the halls has been about Microsoft's Open Specification Promise announcement.

Many have blogged about the announcement. Lots of praise is afloat for Microsoft, for the people in the identity and web services world who helped push them in the "right" direction (assuming that it is physically possible to push Microsoft to do anything) and, of course, many questions as to what it actually means. Some notable comments include:

I think this is a great step forward and the parties responsible should be commended. This is the model that has been adopted by the majority of Liberty participants including AOL, Sun, Fidelity, RSA, etc., etc., so it's good to see Microsoft walking down the same path.

I do, however, have the same concerns about the missing components that were raised by Eve:

Onward: I missed seeing Mike Jones's response to Gerry yesterday, which answers one question: whether developers of actual CardSpace implementations are covered. The bad news is that the documentation that would fill in a large part (if not, perhaps, all) of what's needed for building compliant CardSpace implementations is clearly not covered. The good news is that they're working on it.


Finally: I just noticed that the list of covered specs doesn't include the SAML Token Profile of WS-Security. I realize that this wasn't one of those specs that Microsoft privately published first; its genesis was some work that the SAML technical committee did before tossing it over the wall to the WS-Security TC by mutual agreement. But nonetheless, it's an important spec (nay, standard!) that Microsoft clearly has some investment in, and their name is on it to boot. So why exclude it? Hopefully this is just an oversight that can be remedied soon along with the other outstanding issues.

I think that overall this is a great show of faith on the part of Microsoft and they deserve the benefit of the doubt (which I hope they live up to!). If only they had made such a positive statement 5 years ago, I think the web services evolution would have been much more cooperative.


The 2006 Liberty IDDY awards

Today, at the Digital Identity World Conference, Liberty announced the winners of the 2006 IDDY (which they pronounce eye-dee, but I just don't think so -- iddie just seems more natural, although I do recognize the "ID" play on IDentity).

The winners included:

  • Deutsche Telekom AG (T-Com, Business Unit T-Online)
  • EduTech
  • UK Government Cabinet Office

All with interesting deployment stories.

It's good to see real-world stories showing how the Liberty specifications provide a foundation for getting real work done (which, of course, we knew all along :-)).

Congratulations to the winners and to all of the other leading edge deployments that have come about in the past year or two.


Tuesday, September 12, 2006

Liquid Free Travel...

In today's world of TSA restrictions on carrying liquids onto planes, many have chosen to check bags that have traditionally been carried on. I have even been forced to do so (check bags) several times myself.

One of the positive effects of this is that boarding times have been reduced as people haven't had to lug/man-handle several carry-on pieces. Another is that you rarely see the gate-checked bag because of full overhead storage -- there's almost always space available up there nowadays.

On my current trip to California & Oregon, I have chosen to leave all non-prescription liquids at home so that I can carry on my luggage like the good old days. I was able to do this because:

  • I use an electric shaver and can live without after-shave.
  • All hotels that I know of have soap & shampoo in the rooms.
  • Most hotels have small packets of toothpaste available at the front-desk.

With all of that, and with a couple of topical medications I need for my psoriasis that I am allowed to carry onboard, I am able to travel without carrying any prohibited liquids and thus no wait for the checked bags at my destination.

In addition, because I frequently travel to OR (I have an office there), I have left a packet of my typical liquids so that I can use my normal shampoo, toothpaste & such for each trip (just have to stop into the office before heading to the hotel and again before heading to the airport).

I should note that this solution only works in the US on domestic flights as most international flights to the US (at least from European airports) seem to still have a restriction of only 1 carryon (which, of course, must be the computer bag).

It will be interesting to see which, if any, hotel chains step up to publicly advertise meeting this need for the business traveler -- seems like a no brainer to me.


Friday, September 08, 2006

Are we safer?

As we approach the 5th anniversary of the 9/11 attacks on the US, many of us are asking the question about whether we are safer today when we fly and, if so, why.

I am sure that we are much safer today than we were on 9/10, but it isn't because of all the heightened security, the ban on metal knives, box cutters, or even liquids on planes, the increased presence of air marshals, or the no-fly lists.

I believe the primary reason we are safer is because the flight crew now knows that if they give up control of the plane, they provide the enemy with a weapon of mass destruction.

Pilots (who were trained to cooperate with hijackers prior to 9/11) will do everything in their power to get the plane to the ground at an airport rather than give up control (including using the plane itself as a weapon to disarm the hijackers -- by doing interesting aerobatic operations) because they know that giving up control will likely result in the death of everyone on board and probably many on the ground.

The one security measure put into effect that lends great support to the pilot is the reinforced cockpit door. That, of all the things done by TSA/FAA, is probably the most significant improvement in all our safety.


Impressive service..

On a trip to Intel's Hillsboro campus, I stopped in to the local Safeway on 185th street to get something for breakfast and lunch (instead of my typical visit to McDonalds (yes, Paul, I really did)).

It was early (like 6:30 am) and they were busy restocking the shelves throughout the store.

What really amazed me was how helpful and cheery everyone was. In the 10 mins or so I was in there, anytime I walked by someone, they greeted me with a "good morning"... if I was looking around at signs, they would ask "Can I help you find something?" and they asked it like they really wanted to help. At another point, someone noticed my Intel badge and asked how things were at Intel given the recent publicity around layoffs. Even when they weren't

That store's manager is clearly doing a great job getting all of their people interested in perhaps the most important job at any company -- customer service.

Job well done!


Thursday, September 07, 2006

Paul's "safe" lead...

In My lead feels safe, my dear, only-person-to-have-me-in-their-PeopleService-but-wont-admit-it, bestest friend, Paul Madsoooooooooooooon (like the great "It is baloooooooooon" line from F-Troop), while clearly troubled about his diminishing lead in readership, writes about the great articles he has read from my blog:

a) a stirring account of how he fixed his kitchen drawer. b) a hard & driving story describing his purchase and plans for some computer equipment.

And he goes on to speculate about possible future great, MacGyver like stories that you can expect from me:

I expect we'll next hear about some problem with his farm tractor that he was able to repair with a USB cable and a patch made from chewed-up Cheerios paste.

I am truly touched by his belief in my ingenious problem solving abilities.

All that said, he does try to stem the tide of leadership loss (and leadership only because he's been blogging close to 10 times as long as I have and started his blog with a clear readership fishing article about the great American sport of baseball) by accusing me of:

Blatant attempt at targeted marketing for those searching on 'hardware'.

I would never sex add keywords money just to get more love readership hits.

Finally, Paul closes with:

Note: I choose to believe that it was coincidence that Conor chose his blog address to begin with 'C O N' - the same three letters as does mine. Not intentional typo squatting I'm sure. I might have to revisit this opinion if Conor's metrics (number of linking blogs and Technorati rank) pass mine.

Clearly showing he's worried and I should point out that he knew my name long before he started his blog, so clearly he was thinking of me when he named his blog (he's so impressed with my strength of character that I wouldn't be surprised if, should he have a boy one day in the future, that he try to convince his wife to name the boy after me).

PS. If you want to help give Paul a hard time, feel free to add a link to this page on your blog or website somewhere -- the more the merrier :-).


Wednesday, September 06, 2006

Please give me your banking login and password...

This morning I was setting up an account on Etrade to enable ACH funds transfers to my banking account at Wachovia Bank, NA. I was truly flabbergasted when I received the following prompt:

Note the first option for "Instant gratification" which subsequently requires that the user enter their banking provider's web site login and password to Etrade so that Etrade can verify that they (the user) owns the account.

I am totally amazed that in this day and age, with rampant identity theft via spoofing sites, one of the frequent targets of said spoofs would do anything that would encourage behavior that makes their customers more susceptible to said theft. The entire concept just gives me the heebie jeebies. And when you think further about it, my account number isn't published on my banking site's web pages (they only show a portion of the account number on a particular page), so I even question how useful the security check is.

I have set up ACH transfers at many places, some incoming, some outgoing (including places like UBS and Fidelity which should be on a par with Etrade) and NONE of them have required verification of the destination account and NONE of them have asked me for my banking provider's web site login credentials. Paypal, which does do an account verification, uses the verification as a reputation factor and even so doesn't attempt to get your credentials to do the verification.

Someone should take Etrade out back and teach them a lesson or two. If they really feel the need for verification of their user's account info, they should look at some of the federation solutions out there such as SAML or Liberty which provide reasonable solutions for secure account linking without requiring that the user give up their credentials.

I strongly recommend that users NOT take advantage of the instant gratification model and instead use the model where Etrade sends them some money (they pay you to do the verification this way) that you later report back how much you got. Yes, it takes a few days to receive the deposits, but your stock trade takes a few days to settle anyway.

UPDATE: Following Erik's comment re: Am I sure, I went back and stepped forward through the "instant gratification" path and found the following in their Instant Verification User Agreement (hidden behind a link on the verification page, of course):

THIRD PARTY ACCOUNTS. By using the service, you authorize E*TRADE Bank and/or E*TRADE Securities and Yodlee to access third party sites designated by you, on your behalf, to retrieve information requested by you. For all purposes hereof, you hereby grant E*TRADE Bank and/or E*TRADE Securities and Yodlee a limited power of attorney, and you hereby appoint E*TRADE Bank and/or E*TRADE Securities and Yodlee as your true and lawful attorney-in-fact and agent, with full power of substitution and resubstitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN E*TRADE BANK AND/OR E*TRADE SECURITIES OR YODLEE ACCESSES AND RETRIEVES INFORMATION FROM THIRD PARTY SITES, E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE ARE ACTING AS YOUR AGENT, AND NOT THE AGENT OR ON BEHALF OF THE THIRD PARTY. You agree that third party account providers shall be entitled to rely on the foregoing authorization, agency and power of attorney granted by you. You understand and agree that the service is not endorsed or sponsored by any third party account providers accessible through the service.

So it is clear that they are accessing your account.


Tuesday, September 05, 2006

160 of those bad boys... and keep them coming...

Today I was running low on disk space on my laptop (I start to worry when I get to less than 20% free space) and while I was enabling compression on much of my drive, I thought I would poke around to see what's available.

I currently have an "80GB" (75GB formatted) 5400 RPM drive that came with my laptop almost a year ago (a pretty decent DELL Precision M70) and am running tight even though I have already moved my photo and music collection to an external Western Digital 120GB USB drive (great thing for this kind of stuff).

So, after poking around a bit on the web I find the Hitachi 5K160 with a whopping 160 billion bytes (yeah, I know it ain't GigaBytes). Comes in both PATA and SATA models (my laptop has PATA, albeit an older version ATA-6 vs ATA-7 -- hopefully that won't be an issue)

I found the PATA version at AxionTech for $186 w/free shipping and ordered one right quick...

Of course, now the big question is: Once the drive arrives, do I want to do a clean install on the new drive or do I just move over the partitions and resize as necessary.

My logical preference is to reinstall, my pragmatic approach will probably be to just copy over the old partitions for now, resize them and then, perhaps, reinstall when Vista ships (yeah, I like to play on the bleeding edge there as well).


Reducing data's risk at rest

Robin Wilton recently wrote an article questioning whether people can do anything to safeguard their own data when you hear about data losses at more and more companies:

This recent reported lapse at AT&T, exposing some 19,000 sets of customer details (including credit card details) is as good an example as any. Short of simply not giving their credit card details to any third party, it's hard to see how AT&T's subscribers could modify their behavior in a way which would mitigate this particular risk.

I do use one important feature of my DiscoverCard to help mitigate risk associated with such loss: Discover's Secure Online Account Number feature.

With this feature, I create a unique account number that I provide to each merchant I work with (and I'm up to 335 network identities -- most of which include credit card info). The card, unlike the one-time-use cards, can be repeatedly used at the same merchant, acting pretty much like the regular account number for that merchant. However, once used at a particular merchant, the card is not usable at any other merchant.

This restriction to a single merchant makes the data fairly useless should it be stolen. Of course, they do get my other data that is stored at the same vendor and this could be used for identity theft attacks, but at least the risk of them being able to do something with the credit card itself is mitigated.

Now, if I could only get Discover to get rid of their flashy flash application and make this feature available from a simple web page, life would be faster, happier, and easier.


Liberty announces results of latest interoperability testing

Today, the Liberty Alliance announced the latest results in their interoperability conformance testing program where, to date, almost 75 products/solutions have achieved interoperability with other implementations.

This is important for people inside and outside of Liberty because it means that when you look to implement federated identity solutions, products from different vendors on the list will be much more likely to interoperate. Intel's first attempts to implement federation solutions (BMT - before my time) ran into several issues related to interoperability failures that would have surfaced in such testing. Had the products been through this conformance program, that would have made life much simpler for everyone.

Congratulations to the new (and old) products that have made it through the program!


Sunday, September 03, 2006

A crash in the kitchen...

There I was, sitting in my study, working hard at figuring out something I could write about on my blog as I attempt to take on the great Paul Madsen in a race for readership (and he's got quite the lead on me) and out of nowhere I hear a big crash coming from the kitchen.

When I investigate the problem, I find my wife standing in front of the silverware drawer looking below, where about half of the contents of the drawer have fallen down into the cabinet below after the silverware tray broke and spilled its contents.

Thinking I could just order a new one, I take out the tray and start looking around for some identifying label here or there, but can find nothing other than a reference to a patent. Aha! Perhaps I can look up the patent and find out the company it is assigned to. A quick search at the US Patent Office led me to patent #4,993,786 which has an inventor (John De Giulio), but no assignee. A search for De Giulio shows several kitchen design firms, but no obvious component manufacturer.

So, I'm off to plan B -- trying to repair the thing. The problem is that the tray is made of plastic and has 2 screws holding it in the drawer while the upper level rolls back/forth (when it is rolled all the way back, it does present a non-trivial amount of torque on the screws). The plastic around the two screws has broken and the tray is no longer held in the drawer (which allowed it to flip up when my wife rolled the top back to get to the lower level).

To the rescue comes a metal 18 inch ruler I had lying about. Trimmed an inch or so off the ruler, drilled a couple of holes in it to fit where the screws were in the plastic and screwed it on top of the plastic so the tray was held by the metal across the entire back (see pic below). Worked like a charm.

Now I have to go find a new ruler.


Saturday, September 02, 2006

Belgium Travel Restrictions

In preparing for an upcoming trip, I was poking around United's web site and found that flights to the US from Belgium (e.g. Brussels) have even tighter restrictions than flights from the UK (not that I'm going to Belgium at any point in the near future, I was just surprised to see it specifically called out as the only location other than the UK).

The restrictions posted on the Brussels airport site include:

one single plastic carrier bag containing :
  • pocket size wallets and pocket size purses plus contents (for example money, credit cards, identity cards etc (not handbags));
  • travel documents essential for the journey (for example passports and travel tickets);
  • prescription medicines and medical items sufficient and essential for the flight (e.g. diabetic kit), except in liquid form unless verified as authentic.
  • spectacles and sunglasses, without cases.
  • contact lens holders, without bottles of solution.
  • for those traveling with an infant: baby food, milk and sanitary items sufficient and essential for the flight (nappies, wipes, creams and nappy disposal bags).
  • female sanitary items sufficient and essential for the flight, if unboxed (eg tampons, pads, towels and wipes).
  • tissues (unboxed) and/or handkerchiefs
  • keys
  • 1 book
  • 1 newspaper
  • Mobile phone
  • 1 laptop (inclusive adapter) in case
  • PDA / black berry

Of special note is the lack of mention of any other electronics -- they are not allowed (another part of the restrictions specifically mentioned that MP3 Players, IPods and Gameboys were not allowed -- I assume this would include my noise-canceling headsets).

This was even more restrictive than what was in place at LHR when I flew through there a week ago.

I was just quite surprised that Belgium was listed specifically and that Brussels had these tight restrictions because from all the news coverage over the past few weeks it seemed like the restrictions were worse in the UK than anywhere else.


Is it thievery or is it privacy...

In Protect yourself from your credit cards, Kim Cameron writes about Emvelope's neat products that prevent radio transmissions from RFID devices.

Of course, the "neat" side of it is that they can protect you from RFID leakage from your wallet (e.g. RFID enabled credit cards being read by unscrupulous parties as you walk down the street). Popping one of these products into your wallet means that the RFID in the card can't be read until you open the wallet and/or take the card out. This kind of reminds me of the practice of banks including small tyvek sleeves for their ATM cards to protect the magnetic stripe from damage -- although I haven't gotten one of these in a while, so perhaps it's no longer being done.

I wonder how long it will be before shoplifters figure out that the same devices can be used to block the RFID tags on the materials they intend to purloin.

I also wonder how long it will be before retailers, seeing the potential for loss, lobby governments to prohibit such things (hey, it's already been done in other fields such as the DMCA).
