Wednesday, February 28, 2007

Dulles Premium Passenger Security Lines

Way back when, I wrote about the addition of premium passenger security lines at Dulles and I later wrote about the change in the security gates which seemed to seriously degrade the speed at which the premium passenger line moved.

Around the time I noticed the movement of the security lines to the western end of the airport, I started bearing right when coming through the tunnel from Daily Garage 1 if I had already checked in online (bearing left would bring you to the United checkin area). When I came up to the security area, there was another Premium Passenger line, this one you enter on the western end of the airport (opposite end from United). This Premium Passenger line was always much shorter than I remembered, but I didn't put A and B together till my current trip.

I had forgotten to bring along my boarding pass that I had gotten during the online checkin and so I had to checking with United. After checkin, I walked down to premium passenger line near United (well, not "near" but closest). There was a sizable line there, so I decided to walk around to the other line and voila, the line was much, much shorter (as in 5 people).

Moral of the story: walk to the western premium passengersecurity line -- especially when the airport is crowded.

Tags : / / / / /

Tuesday, February 27, 2007

379 "identities"

It's been a while since I last posted on the number of internet identities I had. Back then, I only had 342 identities. Today, I have 379, a gain of another 37 identities over the past 5 months. That number might not be significant if I didn't already have 342 identities. At some point you would think that I had saturated the identity space and could conduct whatever businesses that I wanted to do without having to generate new identities.

Note that I am *not* including new facets to my existing identities (such as AOL's creation of an OpenID for my existing screen names) that still just counts as a single identity

Recent additions include:

  • YouTube - so I could post that wonderful Bohemian Identity video.
  • IEEE web account (yeah, I joined IEEE).
  • Wikipedia - so I could think about contributing some of my vast knowledge to the collective :-).
  • Where's George - so I could track the path of money through society.
  • RSA 2007 - they required you to create an account to attend the conference (and had this really really painful setup for wireless access at the conference that also required access to this account.
  • The IdentityGang wiki.
  • FlyerTalk - a forum for us frequent flyers.
  • The College Board - signed my kids up for the SAT.
  • Circuit City - xmas gifts.

Obviously there were more, but I lost track of the new ones in my list and that's all I could pick out easily.

Tags : /

Sunday, February 25, 2007

Web 2.0 Validation

John Kemp sent me, amongst others, a link to the Web 2.0 Validator:

I noticed that my score was quite low (only 8 out of 51), so I thought I would do what I can to join the metasystem, grab the long tail and improve my overall ratings :-).

Warning: This page is in public Beta at this point.. Don't even imagine you'll find any useful information here. It's just an attempt to get myself a better rating from the validator (and it worked!!!).

Of course, I don't understand this "less is more" mentality, but it's possible that AJAX will come to the rescue with their prototype.js file.

I even looked to put a google map here (to get a point for using the Google Map API, but it appears that blogger blocks scripts within blog entries (although I can put scrips in the template).

But I don't think I meet the 30 second rule here. Perhaps I should try using Ruby while I'm podcasting through Rocketboom, but I don't know what the RDF would be nor how to fit it into the Semantic Web. If only Del.icio.us would find me but if not I can just keep poking around with Firefox. Perhaps when I add prototype.js to my scripts on Flickr I'll get noticed by the Venture Capitalists and they can invest money in my nitro-based micro-blog startup....

All that may be unnecessary if I can get Dave Legg to help me build an architecture of participation mash-up on isometric.sixsided.org.

Creative Commons License
This POST is licensed under a Creative Commons Attribution 3.0 License -- All other rights (and the rights to all other posts) are reserved!

Tags : /

Where's George?

When I came home from Portland last week, I noticed some red and blue writing on one of my dollar bills when I took it out of my pocket.

So I went to WheresGeorge.com, entered the bill along with its current postition (Waterford, VA) and found that it had recently been added in Beaverton, OR -- not a short distance away, but easily explainable given that I just came back from Portland).

After poking around a bit, I became hooked and went about figuring out how to more actively participate. First off I had to get my own stamps so I could stamp my bills. Unfortunately, WheresGeorge.com doesn't sell stamps (according to Wikipedia, the secret service investigated and told them it was illegal because it amounted to advertising on money). Poking around a bit (googling "WheresGeorge Rubber Stamp") I found several places, selected Stamp-Connection.com and ordered my stamps. They came in yesterday and I'm off and running, entering all of the cash lying about.

I am concerned a bit about dealing with the cash that I get during the day... What if I spend it before I enter it... Should I log it immediately... Should I only spend marked cash and save the unmarked cash for marking when I'm home... Gosh... It's like blogging & watching readership stats... It's addictive..

Of course, for those privacy weenies out there, I do realize that I'm giving up some of the anonymous properties of my cash transactions... but it's fun!

Tags : / /

Friday, February 23, 2007

Dual Core.... Not Just For Computers!

While Intel has been making a lot of noise over the past couple of years about their Core 2 Duo processors for desktops and laptops, it isn't just computers that could make use of this type of technology.

This week, Canon announced their upcoming EOS 1D Mark III Digital SLR camera which includes a new Dual DIGIC III image processor engine which allows the camera to take a very impressive, market leading, 10 frames per second with a burst capacity of 110 images. Clearly one DIGIC processor wasn't enough for them.

Now I don't think I've taken more than two or three images in a single burst, but this new camera is causing me to long for the next upgrade for my full-frame EOS 5D.

Perhaps I should have titled this one "Drooling about Gadget of the Week".

Tags : / / / / / / /

Monday, February 19, 2007

United's Systemwide Upgrades

United Airlines has several forms of electronic upgrades, but the most valuable (at least to those who travel internationally) are the Systemwide Upgrades (SWU). An SWU can be used to upgrade to the next class of service (economy to business, business to first) on any leg (regardless of length of number of flight segments) that United flies. My longest such upgrade was a part of my trip-from-hell where I used a single SWU to upgrade the LHR->ORD->HKG leg of 11,746 miles from coach to business.

However, there are restrictions (of course). In the old days, the SWU used to be able to upgrade any and all fares -- if you had a seat on the plan, you could upgrade it, provided an upgrade was available. Now, the upgrades, while still powerful, are limited to Y, B, E, M, U, H, Q, V, and W international economy fares (E-Upgrade Rules). This is still much better than the set of fares that you can use miles to upgrade: Y, B, M and H (United Upgrade Award Rules).

And, of course, it all depends upon availability. If the upgrade seat isn't available, you can't have it (but at least you can be wait listed to get the upgrade should it become available).

The next question one might ask is how does one come by these cool SWUs?

Unfortunately for most travelers, SWUs are only issued to Mileage Plus members who achieve 1K status (by earning 100,000 qualifying miles or flying 100 segments in a year). In January, each 1K member is given 6 SWU. In addition at each multiple of 50,000 miles above 100,000, the 1K member will be given 2 additional SWUs (so at 150,000 miles you get 2 SWUs and again at 200,000 miles).

There is one other time that you get SWUs -- when you cross one million lifetime flight miles, United gives you 3 SWUs.

There is a gray market for selling SWUs on the likes of eBay. Of course, they will all claim that they are not selling you the upgrade itself, but an envelope that contains the upgrade -- that way the seller hopes to stay within the rules United has against selling the upgrades. The price of the upgrade varies with the amount of time left on the upgrade (they only last 1 year) with an average of around $400.

I have never sold or bought an upgrade (really -- I'm not just saying that for United's eyes), so I can't tell you how good it works. I have given upgrades to my family members and my sister has shared some of hers with me, so I presume it would work fine -- I would be less than comfortable with providing a stranger with my itinerary details so that they could apply the upgrade.

Tags : / / /

Sunday, February 18, 2007

Amex isn't exactly helping...

Speaking of phishing, while I was off attending the RSA Security Conference, American Express called and left a message on our home phone asking me to call them about some charges on my account. They added that this was not a sales call -- they weren't trying to sell me anything.

So, I pulled out my handy AmEx card and called the number on the back of the card. After wading through the "we want our computer to talk to you" menus and finally getting to a person, the customer service agent, who was very nice, was unable to tell me why they called and said everything looked alright, so the problem must have been fixed.

Later that week, I received another call from them. This time they left an 800 number that they wanted me to call and again were clear about this not being a sales call (not sure what they expect me to interpret that as since most sales guys would say the same). Of course, following good guidelines for identity theft prevention I would not call a number left on my answering machine, so I again called the number on my card.

Again, they had no clue why I was calling and told me I should call the number that was left on the message. I told them that I wouldn't call a number left on my answering machine. They asked for the number and after about 5 mins on hold, they connected me through the people who were calling and leaving messages. Apparently it's a different branch of Amex that looks at strange merchant transactions vs strange member transactions.

I pointed out that there was a problem with their system and that I wouldn't call a number left on an answering machine, but they said it would be ok... I don't understand that and I questioned them saying that if I called them they would ask me for information that identifies myself and that's exactly what a phisher would want... "Oh we wouldn't do that"...

Clearly they need to fix this as this is the exact behavior that leads to consumers having the identity stolen. At the minimum, I should be able to call the number on my card to resolve any problems/queries they might have.

Tags : / / /

Saturday, February 17, 2007

Using Ebay to phish Ebay...

In what I think is the best phishing attempt I have seen for an eBay account, I received a question about my currently running eBay auction (and this question was sent to me via eBay's messaging system and viewable directly online in their messaging system)...

I want to know if this is the same item with the item listed at this address: http://members.ebay.com/aboutme/**********
From: imabrit! (1246)

Now, I know I did not list the same item under some other user, and I noticed that the sender of this message was someone who had a rating of 1246 (for real), so I went to look at the item to see what's up and I got to the following page:

This looks like a normal eBay login page. This is hosted on eBay (the URL for the page is on eBay). One might even expect to be prompted for authentication before they could look at another user's profile. However, I knew I already had a live authentication session at eBay and therefore shouldn't be prompted for credentials. So, I started to wonder if this was a phish attempt.

First I checked the URLs and the links and they all looked fine (yes this page was coming from eBay's site. Then I checked the page by walking to the page through the member profile lookup on the Community page. I still ended up with the same page that looks legit and is hosted by eBay.

But, it still didn't feel right, so I pulled up the source for the HTML page and much of it was the normal eBay page. However, the data entry form had the following code:

<form ... action="http://us.1.p10.webhosting.yahoo.com/forms?login=....." onSubmit="return checkForm0()">

This submits the form data to a web server hosted at Yahoo (not one of Yahoo's own services, but they allow others to pay for hosting).

I don't know how the average user could ever figure this out and I would expect that many, if not most, phishing aware technologists would also fall prey to this one (yeah, I do think I'm special :-)).

UPDATE (2/17): It's actually easier to tell than I thought (after looking closely at the real sign-in page): The URL for any eBay login MUST start with https://signin.ebay.com. Now, I've been an eBayer since 1998 and I pay close attention to phishing attempts, but I couldn't have quoted that to you until I looked for it today, so I'm not sure how many others will know.

Tags : / / / /

Friday, February 16, 2007

Hotel Rooms

I just came back from yet another trip to Portland (that's where my office is). While there, I stayed in the Marriott Courtyard as I usually do (like about 15 times in the past year). Having nothing better to do, I spent some time thinking about how Marriott could do things up for the frequent guest.

Just like airlines, I think hotels should do up some sub-set of their rooms (like first class seats in the plane) and make them available as an upgrade. And I don't mean larger rooms like the suites available at many places -- I've even had the top-floor suite at the San Francisco Marriott, but what am I gonna do with 4 rooms of space when I'm there on a business trip (I just used the bedroom).

A good business hotel, like the Courtyard, could upgrade the room contents as follows:

  • High def television w/surround sound
  • Thick cushy towels (shut up Paul!)
  • La-Z-Boy recliner w/heat & vibrating massage

I'm sure I could go on, but that would be a great start!

While they're at it, they should upgrade their reservation systems to allow the guest to select a particular room and to do the upgrades in advance using hotel points or upgrade certificates -- oh wait... That's what you it works for airlines. But hey, why not do that in hotels as well.

Guess I have to wake up now..... :-(

Tags : / / /

Thursday, February 15, 2007

Is it an AOL ID or an OpenID?

My friend (yes, I think I have one or two of those), George Fletcher, from AOL has started blogging and has broken through a threshold and actually written two blogs so far this month (and we're only just over half way through the month). Go George!!!

His latest blog entry discusses AOL's OpenID implementation and raises the question:

In the "adoption and use" department... Given that many AOL users will not realize they have an OpenID, it would be great if the help text for "what is an OpenID?" on relying party "login" screens would mention that if you have a LiveJournal or AOL account, you already have an OpenID. This isn't very inclusive so maybe there could be a link ("Do I already have an OpenID?") to a wiki page or something that could be updated as more OpenID Providers become available. This isn't that important for those who explicitly create OpenID's at OpenID providers, but is important for those consumers who have an OpenID by virtual of having an account for other services.

This falls into a discussion about whether or not the user is using their "OpenID" at the relying party, or are they using their "AOL ID" at the relying party.

I would think that AOL would want the user to consider that they were using their AOL ID and I would expect most users would understand that.

However, the OpenID folks seem to want the user to know they have an ID that is associated with the OpenID protocols and therefore understand that they aren't just using their AOL ID, but using their AOL ID via OpenID protocols (or, perhaps, that their AOL ID is actually an OpenID).

To me that just seems to complicate issues for normal users who don't understand (and don't want to understand) protocols or bits or bytes. All they want to do is to be able to leave comments on someone else's blog.

In the Liberty Alliance and in OASIS SSTC, we've always thought that the user wouldn't know or care they were using SAML or Liberty protocols to SSO into a relying party. The IdP and the relying party would care since they wanted security and interoperability, but not the user... The user just wants this stuff to work.

Tags : / / / / /

Liberty ID-WSF Discover Servce Q/A

An interesting Q/A session about the Liberty Alliance's Liberty ID-WSF Discovery Service...



How would the Liberty ID-WSF Discovery Service (DS) be used for discovery of an Authentication Service (AS), rather than an identity service, as described in ID-WSF 2.0?

This would likely be accomplished by submitting a request to the DS (probably without a security token) and requesting the service type for the AS. For example, the following request could be used:

<disco:Query>
  <disco:RequestedService>
    <disco:ServiceType>urn:liberty:sa:2006-08</disco:ServiceType>
    <disco:SecurityMechID>urn:liberty:secuirty:2005-02:TLS:null</disco:SecurityMechID>
  </disco:RequestedService>
</disco:Query>

This would likely only be done when the client is built with the knowledge of thelocation of the DS and uses that to bootstrap to the AS. Other implementations have been built with the knowledge of the AS and used that to bootstrap to the DS.

I believe that typically the location of a principal’s DS is returned in an authentication response, e.g. as an attribute in a SAML assertion. If DS is to be used to discover the authentication service, how is it envisaged the location of the Discovery Service would be obtained in this context?

The client has to know (or get from the user) either the location of the AS or the location of the DS. In some cases you can get this from an SSO assertion which contains the bootstrap EPR, but that typically doesn't work for the LUAD WSC (e.g. a client running on a user's computer) case -- usually the client would have the knowledge of the location of the AS built in (DLink's radio service client for the AOL Radio Service worked this way).

Could DS be used to discover, for example, a SAML SSO service? If so, what would the service metadata registered with the DS for this service represent?

I don't know what is meant by a SAML SSO service. In any case, the metadata needed for any ID-WSF service is the same. For non-ID-WSF services we don't document what would need to be there so you would have to do it yourself. This might have interoperably issues with other ID-WSF and/or DS implementations that were not built to work similarly with non-ID-WSF services. For example, an ID-WSF DS implementation may require the <Framework> element within the service metadata since that is required by ID-WSF, but likely wouldn't be used for a SAML SSO service.

SAML does have it's own means for providing metadata about the SSO endpoint and I would recommend that the SAML metadata be used by SSO clients.

Who typically hosts a principal’s DS (where it is being used for discovering an authenticated principal’s identity services)? Is it the IdP that authenticates the principal, or some other entity?

In most cases, the IdP and the DS are very close and managed by the same party (although the DS can and have been hosted on different servers in some implementations).

Assuming a principal’s identity service (including DS) can be hosted by some entity other than the IdP that authenticates them, is there typically some mapping of identities between the authentication service and the identity service? If so, how is this normally achieved?

The IDP maintains a mapping of the principal's identities for all locations where that principal has federated their identity (and yes, an identity service provider for a principal (such as a profile service) is considered to have federated with the user's identity at the IdP).

Who typically maintains the service metadata registered with a DS? Who typically maintains the metadata/identity associations? How is access to these operations controlled?

The DS maintains the runtime copy of the metadata in it's internal database and provides administrative interfaces for the WSP to use to maintain their own metadata.  Access is controlled by the DS (in come cases with the user's consent).

Is there typically one DS endpoint for all principals, with the identity of the principal being specified in the SOAP header? Can the endpoint be different for each principal? (Is this what the ‘Via the endpoint’ bullet point in 1.1 of the spec is saying?) The same question for identity services other than DS.

There's two areas to address in that question. First off, there can be many DSs (even one for each principal) and likewise there can be many different instances of the same type of identity service (e.g. profile service). Within a given DS that is serving many principals, the DS may use a single endpoint address for all request (typical) or may use endpoints for groups of users (some basic form of load balancing).  We recommend against using individual endpoints for each principal as this has a tendency to leak information about the user (and can permit correlation if the same endpoint is provided to multiple service consumers).  The specifications allow for the identification of the principal using the Target Identity value (specified in either the ws-security header or the TargetIdentity header -- see the ID-WSF Soap Bindings specification for details).

Assuming the endpoint for each principal’s instance of a given service can be different, how does a DS mint the correct EPR for a given principal?

I would not make that assumption and would strongly recommend against using an endpoint for each principal’s instance of a service -- you loose privacy benefits, you loose the manageability benefits of sharing the same service metadata across many principals. Instead, the service instance should use the information contained with the ID-WSF defined SOAP headers to identify the principal (and therefore the service instance).

However, if you really wanted to do this, you (as a WSC) would simply register a unique Service Metadata for each principal (containing the endpoint for that principal) and the DS would just use their normal EPR minting rules to make use of it.

Tags : / / / / / / /

Wednesday, February 14, 2007

SPML Decision Followup

Ian responds to my response to his questioning about Liberty's decision to not use SPML in the Liberty Alliance Advanced Client work with a question:

Can someone summarize the “strangeness” in the Advanced Client spec? It seems to me that the Trusted Module is a bit like a PSO in SPML. That still doesn’t feel right, but I am having a hard time trying to be more specific than that.

The advanced client work (which isn't a single spec, but a set of specs covering different capabilities -- provisioning being one of them) addresses the problems involved in provisioning functionality to a secure container that is associated with a user somewhere nearby. In developing these protocols we did look at SPML and felt that SPML was more targeted at the case of server to server account provisioning (and we are working with using SPML for that use case in another in-progress specification).

I would say the specific differences include:

  • The recipient of the provisioning isn't a server that the provisioning party has a relationship with (contrary to the normal case for SPML).
  • The thing being provisioned is functionality, not an account -- there is no "account" on the target system (although the functionality being provisioned can be used to access accounts on other systems -- those other systems may have been provisioned with SPML).
  • The protocol has to deal with the fact of connecting the user to the interaction (in this case, that's the hand-off of the provisioning handle to the PMM).

And while I was looking more deeply at the messages I thought I would add a few things to note:

  • Ian seemed to connect this work to Cardspace, Higgins, and OpenID. I am not aware of this connection. The Identity Capable Platform is a research project at Intel, the Advanced Client work is a set of specifications being developed by the Liberty Alliance, the proof-of-concept was a joint effort by HP, BT and Intel. Of course, since the result of the Liberty work is open specifications, any party can make use of these protocols in their implementation.
  • Ian seemed to think that this provisioning was just about provisioning a credential. That isn't the case. The proof-of-concept involved provisioning functionality that included a credential (as well as the functional means to use that credential in EAP-SIM protocols), this isn't a restriction on the protocol and we expect that many different kinds of functionality will be provisioned this way -- not just credentials.
  • I don't think that the ICP would be within a TPM (although I would expect that the ICP would make use of the TPM to establish the ICPs secure environment).

All of that said, I should point out that the specs are currently an early draft release and any and all feedback is welcome. So if you look though what we've done and have suggestions for how we could do it differently (hopefully better), we are all ears.

Tags : / / / / / / / / / /

Tuesday, February 13, 2007

To SPML or not to SPML -- that was the question...

Ian Glazer questions the lack of use of SPML in the Secure Identity Provisioning demonstration put on by BT, HP and Intel(and the related Draft Liberty ID-WSF Advanced Client Specifications):

One aspect of all this is a provisioning service, one for which Liberty has cooked up a spec. As a user provisioning guy this model of provisioning looked a bit strange to me. Think telephone service provisioning, not enterprise user account provisioning. The funny thing is, I thought there already was a perfectly good provisioning service standard out there - Service Provisioning Markup Language (SPML).

We (Liberty) did look at SPML and plan to use it for the "account provisioning" type of operation in a future specification. However, we also decided that this "model of provisioning looked a bit strange" to try to shoehorn into SPML as the problem we were solving was just different. There was at least one contributor to SPML in the room while this disucssion was going on and the decision was being made, so I presume they also felt that the model was "strange" for SPML.

Historically, Liberty has been very good (if not fanatical) about adopting existing standards where they fit into the solution for problem we were trying to address. This just wasn't the case here.

Tags : / / / / /

Monday, February 12, 2007

Secure Identity Provisioning

Last week at the RSA Security Conference, the Liberty Alliance hosted a workshop where Intel, British Telecom, and Hewlett-Packard showed a joint proof of concept which made use of the Liberty Alliance Advanced Client functionality to show the secure provisioning of network credentials over the wire.

We had several presentations, including HP's presentation, BT's presentation, and of course, my presentation on the Identity Capable Platform (ICP). The ICP is a research project at Intel's Corporate Technology Group examining how a computing platform could be extended to support the concept of identity and to participate in secure identity transactions.

The workshop was well attended filling the seats in the room and with many people standing. It was great to see such interest in this stuff, especially with many of them staying for the entire 3 hour workshop (without a break!).

Tags : / / / / / / / / /

Sunday, February 11, 2007

Gadget of the week #10

I know I told you about my Nüvi 660 back in Gadget-of-the-week #7 a little over a month ago. But that gadget is so passé now that Garmin has released the Nüvi 670.

The 670 adds on to the 660 with the addition of build-in European as well as North American mapping data -- something that will come in very useful on my upcoming Liberty Alliance Technology EG meeting outside of London (in Ipswich). Last time I drove in the UK it cost me £10/day (about $20/day) for the GPS system from Hertz -- and it really helps with all those roundabouts.

Otherwise, the 670 is pretty much the same packaging as the 660 -- in fact the only way to tell the two apart is to pop up the GPS antenna and look at the serial number label underneath. They do add European adapters for the power plug, but since I just charge off my computer and/or the car, this doesn't mean much for me.

There is a non-trivial difference in the price, but if you do some traveling to Europe, having the map set built in is well worth it.

If you're interested, I'm selling the 660 on eBay -- it's a good unit if you primarily drive in North America.

Tags : / / / / /

Saturday, February 10, 2007

United Forsakes Snacks

Joseph Jaffe writes about United's decision to drop snack service for flights less than 2 hours:

That's why United - The Thinking Airline - has decided to drop snacks on flights less than 2 hours (which PS equals about 5 hours when you factor in travel and wait time, dumbasses)

According to the geniuses at United, they figure this move will save them $650,000 this year. I guarantee you they'll LOSE more than $650,000 with passengers that choose alternative airlines in the process.

I fear that this may follow the path of meal service, which, a few years ago, started with a similar decision to eliminate for flights of 2 hours or less and now has been extended to all domestic flights (in economy). Yeah, you can buy one of their meal packages nowadays, but I've never brought myself to do so. I do have to admit that this isn't usually an issue for me as I work pretty hard to ensure I'm upgraded as much as possible.

I wouldn't be surprised in another few years if this plan was expanded to all domestic flights (perhaps the terminal vendors are paying the airlines a percentage since this is surely going to drive up their business.

Of course, if you look at what it costs for the typical business trip across the country nowadays (mid-week, coast-to-coast, no Saturday night stay), it's amazing how the price has dropped. Yes, dropped. I remember frequently paying on the order of $2,000 for such trips to SFO or LAX (from IAD) and I remember as recently as 2001 being quite happy when I was able to get an $800 fare for such trips. Last week I flew IAD->SFO and back for $500. A month earlier I did it for $356 -- and neither of these had a Saturday night stay. No wonder they are doing everything they can to cut costs.

Tags : / / / / / /

Developers, Morons and Canards

Jeff Hodges forwarded to me a link for what has to be one of the best write-ups on why specs matter by Mark Pilgrim:

Most developers are morons, and the rest are assholes. I have at various times counted myself in both groups, so I can say this with the utmost confidence.

Assholes

Assholes read specs with a fine-toothed comb, looking for loopholes, oversights, or simple typos. Then they write code that is meticulously spec-compliant, but useless. If someone yells at them for writing useless software, they smugly point to the sentence in the spec that clearly spells out how their horribly broken software is technically correct, and then they crow about it on their blogs.

There is a faction of assholes that write test cases. These people are good to have around while writing a spec, because they can occasionally be managed into channeling their infinite time and energy into finding loopholes before the spec is final. Unfortunately, managing assholes is even harder and more time-consuming than it sounds. This is why writing good specs takes so long: most of the time is frittered away on asshole management.

Morons

Morons, on the other hand, don’t read specs until someone yells at them. Instead, they take a few examples that they find “in the wild” and write code that seems to work based on their limited sample. Soon after they ship, they inevitably get yelled at because their product is nowhere near conforming to the part of the spec that someone else happens to be using. Someone points them to the sentence in the spec that clearly spells out how horribly broken their software is, and they fix it.

Besides the run-of-the-mill morons, there are two factions of morons that are worth special mention. The first work from examples, and ship code, and get yelled at, just like all the other morons. But then when they finally bother to read the spec, they magically turn into assholes and argue that the spec is ambiguous, or misleading in some way, or ignoreable because nobody else implements it, or simply wrong. These people are called sociopaths. They will never write conformant code regardless of how good the spec is, so they can safely be ignored.

The second faction of morons work from examples, ship code, and get yelled at. But when they get around to reading the spec, they magically turn into advocates and write up tutorials on what they learned from their mistakes. These people are called experts. Virtually every useful tutorial in the world was written by a moron-turned-expert.

Angels

Some people would argue that not all developers are morons or assholes, but they are mistaken. For example, some people posit the existence of what I will call the “angel” developer. “Angels” read specs closely, write code, and then thoroughly test it against the accompanying test suite before shipping their product. Angels do not actually exist, but they are a useful fiction to make spec writers to feel better about themselves.

Why specs matter

If your spec isn’t good enough, morons have no chance of ever getting things right. For everyone who complains that their software is broken, there will be two assholes who claim that it’s not. The spec, whose primary purpose is to arbitrate disputes between morons and assholes, will fail to resolve anything, and the arguments will smolder for years.

If your spec is good enough, morons have a fighting chance of getting things right the second time around, without being besieged by assholes. Meanwhile, the assholes who have nothing better to do than look for loopholes won’t find any, and they’ll eventually get bored and wander off in search of someone else to harass.

Now I know it is all worth it!

Tags : /

Thursday, February 08, 2007

Identity, Microsoft, OpenID, and SAML

I've been attending the RSA Security Conference over the past week and sat through the keynote from Bill Gates and Craig Mundie on Tuesday.

I was quite happily surprised when they started to talk about identity issues. It was gratifying to see that the stuff I and many of my cohorts have been working on for years has come to the forefront in everybody's mind -- although I still have trouble explaining to my mother exactly what I do at work.

I was even slack-jawed with the mention and discussion of OpenID. At first I was a bit shocked, later a bit jealous (how come they didn't talk about my stuff :-() and finally happy -- both for the OpenID guys and for the industry. I congratulate the OpenID guys with their success at getting into the limelight and making what appears to be real progress forward.

I'm not so impressed with the discussion about the phishing-resistant flag as it really doesn't add much value today. My problems with the flag include:

  • A relying party (RP) would be hard-pressed to require a phishing-resistant credential nowadays given that only something like 0.000000001% (yes, I made that up, but I'm thinking I'm not far off there) of people today have phishing-resistant credentials that can be used for SSO transactions (yeah, many of us have cell phones with SIMs -- very phishing-resistant -- but the cellular providers severely restrict access to the SIMs to protect their own security).
  • There's no definition about what it means to be "phishing-resistant" and from the discussions I have had with people (some of them very smart) who thought they had come up with a new solution for phishing, I think that many parties will think they have added phishing resistance when they haven't.
  • Phishing isn't an issue of the OP or RP doing good authentication. It's an issue of the user being fooled into thinking they are talking to the OP when they really aren't. That won't be solved by a flag on the insecure request from the RP to the OP.

That aside, I think the most significant statement made in this area was the statement that Microsoft would work towards integrating better with OpenID in a future release of their products. I read this as Microsoft has recognized that there are other reasonable SSO protocols out there that they need to work with and this is a great step forward for the industry.

I now wait for Microsoft to recognize the other major player in the area of SSO and federation protocols: SAML 2.0. SAML is a convergence of work done in several areas including OASIS, Shibboleth/Internet2, and the Liberty Alliance and has a number of very large deployments throughout the industry.

If I had my druthers, I'd like to see SAML's ECP protocol support added to Cardspace so that a SAML relying party could make use of the Cardspace identity selector, so the user would have a single consistent place for local management of their identity information.

Perhaps I'm just a wishful thinker. I hope not.

Tags : / / / / / / / / /

Wednesday, February 07, 2007

A Dulles Update

Way back when, I wrote about changes made to Dulles' security screening. It is very sad to report that those changes are still in place. The closed security screening areas are still closed.

Luckily, all of my recent flights have been at off-time and I'm an "Premium Passenger" and so my waits haven't been that long -- although, I have had to wait 15 to 20 minutes several times while in the past, I had never waited more than like 5 minutes in the Premium Passenger lines.

There have been some changes at the airport in the recent few months:

  • The people movers for the C concourse are now right behind the new security areas(you no longer need to walk down to the behind the closed security gates to catch the shuttles at the old location). Look for them to the right after you get through security.
  • The path to/from the people movers for the B concourse has changed, especially the return trip as it no longer requires you to go up and down, but instead allows a level trip back straight to baggage claim.
  • United has reversed the order of the check-in counters so that 1st class, Global Services and 1K is now the closest counter to the security lines.

Of course much of the airport is still the same. The C concourse people movers still go all the way around the B concourse since they are still working on the train station at the cut-through they used to use (the path is a bit shorter now that the people movers start on the right side of the main terminal). The moving sidewalks on the way to/from daily garage 1 are still as flaky as ever (I don't remember the last time I used the tunnel and there wasn't at least one of the sidewalks out of commission).

Tags : / /

Thursday, February 01, 2007

Identity Capable Platform


On Monday (Feb 5) the Liberty Alliance is hosting a workshop at the RSA Security Conference. The workshop will show several demonstrations from Liberty participants.

I will be there talking about some research work we've been doing at Intel in the area of an Identity Capable Platform and showing a joint proof of concept with British Telecom and Hewlett-Packard. The POC demonstrates Secure Identity Provisioning using the latest Liberty Advanced Client specifications.

Come by and take a look if you're in town. If you haven't registered for the conference, you can get a free conference exhibition pass courtesy of the Liberty Alliance.

I look forward to seeing you there!

Tags : / / / / / / / / / / /