Wednesday, January 31, 2007

The Drought is over...

After a loooooonnnnnnggggg dry spell, my little Bro has finally gotten back in the saddle and wrote his first blog post in more than a month.

He has clearly not lost any of his whit.

Glad to have you back bro!

Tags :

Gadget of the week #9

This week's gadget of the week is another gadget that I got for my wife for xmass -- the Motorola IHF1000 Bluetooth Car Kit. I had, in the past, purchased several different headphone options for my wife including good quality bluetooth headsets and wired headsets. None of them worked for her, mostly because of the need to pull them out and get them setup in her car while she was driving. So I went looking for a permanent installation kit and found this kit from Motorola.

Obtaining the item before xmass was a bit of a problem as I ordered it from Amazon and the item that they shipped to me was a $9.95 Palm Treo skin, not the IHF1000. After explaining the problem to them, they re-ordered it for me, but low and behold the same Palm Treo skin arrived again at which point they told me I should get it from someone else as there was clearly something wrong in their distribution systems. So I found one online at for just $180, free shipping and in stock (and it was shipped the same day) -- Amazon's loss.

I was planning on doing the installation myself (I had installed a number of stereos and other automotive equipment in my younger days), but after looking at her car (a Ford Explorer) and at the installation kit, I gave up. I stopped by the local Best Buy and they agreed to install it for $80. Best $80 that I've spent in a long while. The installation went great (just about an hour) and looked way better than any installation I would have done.

The unit itself is great. Once you pair the phone (very easy through their voice prompts), the unit recognizes the phone's presence and announces that the phone is ready when you start the car -- no need to even pull the phone out of your pocket or purse. You can also program up to 20 voice programmed numbers (and more if your phone supports voice dialing). What amazed me about the voice programming was that I was able to program one of the numbers with my voice and my wife was able to use it with her voice -- pretty cool voice recognition going on there.

Call quality is very clear from both ends and my wife now usually answers the phone on the first ring and with much less distraction on her side.

Unlike many older systems that always waited for a voice command (and frequently picked up on noises in the car, such as the radio, instructing it to phone someone in the calling list while you quickly tried to abort), this system requires that you touch the command button (center button, easy to find/press) to start a sequence, eliminating the false commands problem.

We're so happy with the system that I plan to buy another one for my truck.

Tags : / / / / / / / /

Tuesday, January 30, 2007

Odd Goods

My son attends Thomas Jefferson High School for Science and Technology here in northern Virginia. It's a magnet school attracting talented math and science students from around the northern Virginia area and frequently wins and/or places in many regional and national academic and science competitions.

Last year, during the freshmen orientation, one of the upper class girls was talking to the incoming freshmen girls, telling them that the odds were very good (being that the girl to boy ratio is rather low). She continued with "BUT..... the goods are very, very odd."

My wife and I like to tell and re-tell this story often, especially when my son is around (definitely an odd good). I'm sure he's cringing now that I've blogged it.

Tags :

Monday, January 29, 2007

Tax software pain

The past weekend, I started working on that annual royal pain in the *ss here -- the filing of our annual tax forms with the federal and state government. For the past like 15 or 20 years, I've used Turbo Tax from Intuit to do my taxes and this year is no exception.

I find it an interesting software market for them. They have a product that has built in obsolescence every year, used for just a few hours each year before needing an upgrade to handle the new tax rules the following year. This class of software probably has the highest cost in dollars per hour over any other software, including the bloated MS Office.

In any case, this year, as I was preparing my taxes, I ran across a problem where I paid Alternative Minimum Tax (AMT) last year and received a tax refund from state tax for that same tax year. Since AMT is in part impacted by the state taxes paid the same year, the tax refund that I received from the state could have a reduced tax liability because it was offset by the increased liability provided by AMT.

However, figuring this out is a tough exercise for most of us and it requires alot of re-work of the prior years taxes. This is exactly the kind of thing that the tax software should address as it's mostly just a recalculation issue. That wasn't to be the case with Turbo tax as all I got was:

At first I was just going to take the easy way out and assume that my refund was taxable. However, I decided to check it out so that I could share the experience with others here. I had to install the 2005 version of Turbo Tax, download and apply the latest updates, then had to add the refund amount into one location in the old form. After that, I copied two values from the revised 1040 and voila, the tax refund was not taxable. This is a very sizable difference and well worth the time. It is not hard, nor does it involve alot of calculations (I don't have a clue as to why they indicate it as such and I certainly don't understand why they can't do this calculation automatically).

Moral for the story, if you were subject to AMT and you have a sizable state tax return (probably anything over a few hundred dollars) you SHOULD do the extra calculations.

Tags : / / / /

Friday, January 26, 2007

Social Security Numbers

Sitting in the Mobile Identity Workshop in San Francisco the subject of Social Security numbers came up and how you're stuck with one for life. I brought up that you can get the number changed in cases of identity theft. This was met with some skepticism around the table, so I had to go do some research.

As I suspected, I was right :-). You can get your social security number changed if you can show that you are an ongoing victim of identity theft. You can read more of this on the Social Security Administrations web site (on this page).

Of particular interest were the various reasons why you can get your number changed:

I was surprised with the 3rd one. I guess I could object to a 13 in the middle of the SSAN or one that starts with 666. Others would probably brag.

My twin daughters have sequential numbers and so far this hasn't caused any problems, but that may be because they are only 13 -- we get much more problems with them having the same date of birth (health insurance systems frequently have problems when we have a claim for the two of them on the same day since they use the DOB as a differentiator).

I should note that changing your SSAN isn't a easy process and don't recommend it unless you really, really need to. Just think that you are going to have to start all over with your credit history and update your SSAN at all of your existing credit suppliers not to mention employers, tax records, etc. This isn't something to take on lightly.

Tags : / / / /

Liberty Advanced Client

I've been working on the Liberty Alliance's Advanced client work over the last year. This work involves enabling and/or describing how a client can participate in Liberty protocol transactions to provide any of the following transactions:

  • A trusted extension of the Identity Provider (IdP) which can provide for delegated Single Sign On (SSO) and federation to relying parties. The delegation provides for a client that can enable the user to participate in transactions when off-line from the IdP and/or perform these operations without involving the IdP as a privacy enhancing capability (the IdP doesn't know exactly who the user actually SSO's with nor when).
  • A locally hosted instance of a Liberty ID-WSF service (a Client Service Instance (CSI)). Of course any client that can expose a network visible endpoint for their service (or a PAOS endpoint to provide functionality along the lines of Cardspace) doesn't need any advanced support - that can be done using existing ID-WSF protocols. This work involves showing how the CSI can make use of a network entity (the Service Hosting/Proxying Service (SHPS - pronounced ships)) to increase availability when the client is behind a firewall and/or experiences changes in its connectivity (such as going through a tunnel or being turned off at night).
  • Provisioning of functionality modules down to a device. This includes models where the provisioning can take place in a trusted environment (so a Trusted Module (TM), which exposes the IdP extension features above, can be provisioned over the wire to a user's device.
  • Reporting/Accounting - a feature required in some cases for the client to report on events that have taken place to a host authority. For example, in some cases, the TM will report after the fact on the operations it performed to the IdP so that the IdP can track and/or audit usage. This reporting is, of course, optional and likely wouldn't take place in areas where privacy is a concern.

You can read more about these technologies in the presentation I gave earlier this week at the Liberty 2.0 workshop. In the presentation, I provide a history of the evolution of the intelligent client capabilities in Liberty as well as a peek at the future technologies.

Early drafts of the protocols along with an overview are working through the publication process within Liberty and should be available soon. I will post a note about them when they become available.

You can also come see some of this work at the Secure Identity Provisioning demonstration that Intel, HP, and British Telecom will be showing at the Liberty Workshop at the RSA Security Conference on Monday the 5th of Feb. You can read more about this demo and get the information necessary to register and get a free conference exhibit pass at the Liberty Event page.

Tags : / / / / / / / /

Thursday, January 25, 2007

Open Liberty

On Monday, the Liberty Alliance announced the startup of OpenLiberty is a community open source effort to support the development and deployment of open source implementations of the Liberty Alliance and SAML specifications.

Contributions from all are welcome, so please sign up and participate. I will be doing so and I plan to contribute the work I have done so far on my open source Liberty toolkits. Now if I could just find more time to add additional features to the toolkit.

Tags : / / /

Wednesday, January 24, 2007

United announces shorter expirations on miles

In case you haven't noticed, last week United Airlines announced that the expiration time for miles in their accounts has been reduced to 18 months (from the previous time of 3 years). The expiration time is extended by any activity related to your miles (earning or using miles in any way) so for most of it it won't be an issue, but people who stop flying for any extended period of time will have to keep an eye on their accounts to make sure they don't inadvertently lose their miles.

This is the 3rd time that United has changed their policies with regards to expiration of miles. Initially the miles were good forever. Later they changed it so that they expired after 3 years, regardless of activity. The last change made a number of years ago, was to extend the expiration to 3 years from last account activity (thus giving you the miles forever as long as you keep doing some form of business with them).

Why has United done this? I think it is because that the millions of miles in user's accounts are a liability to United that has to be carried on their books and this give them a way to decrease that liability by removing miles from people who are not actively participating in the program. It also has the side effect for United that those people who are worried about loosing their miles will be encouraged to do something to retain those miles (and I'm sure United is hoping that it's some way of earning miles since United would make more money that way.

I, of course, won't have anything to worry about given my travel schedule.

Tags : / /

Tuesday, January 23, 2007

Web 2.0's need of Liberty ID-WSF

Yesterday, I spoke at the Liberty 2.0 workshop on the subject of Web 2.0. I took the position that Web 2.0 applications needed the functionality presented by Liberty ID-WSF to provide rich, useful mashup applications.

I started with the poster-child web 2.0 mashup of Google's Google Earth 3D mapping/imagery product with Fboweb's FAA tracking data (to present real-time flight tracking in 3D of planes landing or taking off from a number of different US airports). The picture below was a live 3D image of aircraft in the landing pattern at ATL this past Sunday morning(1/22/07).

I examined how the application worked and a series of what-ifs related to such applications including:

  • What if the data wasn't free and therefore required user identity to access.
  • What if the application wanted to pull in user based information (spousal tracking -- where my wife could track the one flight I was on).
  • What if the application were implemented as a light weight web application (as opposed to a local heavy client).
  • What if the release of data from one of the back end applications required user consent.
  • How does all of these what-if's apply in a multi-layered web application mashup (makes the problem even more complex).

While some of these may appear to be specific to this application, they apply to pretty much any application mashup. Once you move away from free, open data, you need identity and once you move away from client based mashups to server hosted mashups, the requirements are all the same.

Of course, my position is that the work done in Liberty ID-WSF anticipates and solves the needs such requirements add to the applications and I show how things would work in such an environment. This, in conjunction with Eve's presentation on ID-WSF 2.0 at the same workshop can be looked at as a very good primer to the concepts, technologies, and use cases surrounding the ID-WSF work.

You can see my presentation as well as the other presentations yesterday (including a second presentation I made about Liberty's advanced client work) at the workshop web page.

Happy reading (although it is mostly pictures :-)).

Tags : / / / / / / / /

Monday, January 22, 2007

Brain food...

I signed my kids up for taking an upcoming SAT Reasoning Test (formerly the Scholastic Aptitude Test). For those who don't know, the SAT is a nationwide test used by colleges to evaluate students.

An interesting feature that they provide now (for free) is the "Official SAT Question of the day". It's available online and you can subscribe for email delivery.

I signed up for the email delivery and actually try to answer each question (and certainly don't get them all right). They seem to randomly alternate math and verbal questions. I find it a good bit of mental exercise for the old noggin and recommend the same for you as well (even if neither of us plan to take the SATs again, if ever).

Go ahead, give it a shot. It's free and it can stretch the mind.

Tags : / / /

Friday, January 19, 2007

Gadget of the week #8

My gadget this week is a present that I got for my wife for Christmas. She loves it... I love it... They've come a long way.

The Philips 9" Digital Photo Frame.

This thing has a bright clean display (so much better than my several years old 5" Digi-Frame (they seem to have gone out of business) that cost more than double the price) and holds tons of pictures on it's internal memory (if you reduce them, you can get between 100 and 150 pictures on there).

The most useful feature, perhaps, is the fact that it is powered by battery (in addition to the wired power). So when you have some friends come to visit they don't have to bend over in front of your table, you can pick it up, unplug it and let them look at the photos in their lap.

This is a great gift idea (I bought mine on amazon for $220 (although they are now listing them at $249), especially for your mother.

Tags : / /

Thursday, January 18, 2007

United Disappointments

In the past week my once favorite airline, United, has come to disappoint me twice. I'm not sure what I'm going to do!

First, I get this well typed email (not a letter, but an email) telling me:

Dear Conor P Cahill,

We sincerely value your business and recognize you as one of our most loyal customers. Although we are unable to extend your United Global ServicesSM membership for the upcoming year, we are pleased to present you with 1K® status for 2007.

I knew this was coming, even though I not-so-secretly wished for someone at United to give me a break and let me have one more year of the special treatment.

Given that Intel's policy is to fly coach and coach only, no matter how long the flight is (and from a financial point, I kind of understand it, but not from a but-in-the-seat point of view), I don't think I'll be qualifying for Global Services again anytime soon. I've heard of people who fly 300,000 miles and don't qualify.

This will make it harder to keep up my upgrade consistency, although I do remember the days of being a Premier Exec and wishing I were a 1Ker since they seemed to get all the upgrades, so perhaps this won't be as bad as I fear.

The second disappointment was in United's stinginess. Last year it appeared that I had flown 162,285 miles, crossing the 160,000 level in Dec. Each time you pass a 10,000 mile boundary they are supposed to give you 4 500 mile upgrade coupons. I didn't get mine and so I asked them why. The answer I got back was not impressive:

Hello Mr. Cahill,

Thank you for your loyalty as a 1K Million Mile member.

Elite members earn four 500-Mile e-upgrades for every 10,000 paid flight miles flown during the calendar year on United, Ted and United Express. Partner flights and bonus miles from the high-yield offer do not count towards earning e-upgrades.

In 2006, you flew 159,600 miles on United Airlines. I am not able to credit additional e-upgrades as you did not meet the next 10,000 mile requirement.

I appreciate the time you've taken to contact us.

So, they took off a couple of code-share flights and a few hundred bonus miles I had gotten for the one full fare ticket I had to buy and viola I was just 400 miles below the mark. On top of that, those 9,600 miles toward the 10,000 go away on Jan 1 (the counter restarts).

I'm a bit peeved about it since a) I think I was close enough that they should have just given me the tokens and b) if not give someone credit for 96% of the way there, at least let them carry that clock forward so that the boundary is closer the next year. We are talking about upgrade coupons only good on united on a space available basis and you need one for every 500 miles of flight. No they aren't worthless as I clearly want them, but they aren't $$ either.

Anyway, I'm done venting... back to work..

Tags : / / / /

Wednesday, January 17, 2007


Robin Wilton proposes a new term persistonym to describe these pseudonyms we've created but want to maintain for non-trivial periods of time (like my ebay id, or my AIM ID).

Seems like a good definition to me and a clear difference from the non-persistency-qualified term pseudonym.

Tags : /

It's been quiet around here...

I've been very quiet here lately (almost a full week since my last post). I'd like to say it was because I was out having a good time in some tropical place like Cuba (like a friend who shall remain nameless), but alas that isn't the case.

I've been hunkered down behind my laptop working diligently on the Liberty Alliance Advanced Client specs that we hope to have in a public draft RSN (although I do have to admit that I did sneak a peek at the football games last weekend whilst I was working on the docs).

I'll be presenting a webcast on the Advanced Client Technologies tomorrow morning (11AM EST). If you're interested, feel free to register and watch. There's even 30 minutes of "Drill Conor" time at the end... Should be more than enough time for you to take your best shot :-).

Tags : / / /

Tuesday, January 09, 2007

A Pickup

My wife and I were talking with one of our friends about our CJ's right of passage. He also has a son (one of CJ's friends) that is also going through the same rite. We both spoke about being extra careful on the road nowadays given both of our son's being out there :-).

He also mentioned a solution to the proverbial "how many kids can you get into a single car?" problem for teenagers (yeah, there's laws against a teenage driver carrying more than one other passenger in Virginia and many other states, but kids don't always listen to laws) -- a mutual friend had the policy of providing their kids with pickup trucks only.

Pickup trucks with no extended or crew cab. The kind that only fit at most 3 people. Much stronger restriction than any law.

Seems like a good idea to me although I don't know what's up with this idea about providing a car for your kids... I had to earn my own money to pay for my own car.

Tags : /

Monday, January 08, 2007

Rsync & SSH on a Windows 2003 server

In my previous post about using ssh & rsync for backups, I wrote about backing up from my Fedora UNIX virtual machine to my UNIX backup server.

That was a fairly simple case (other than the need for the enveloping ssh sessions) because both systems had the requisite tools installed & configured. However, in a windows environment, those tools aren't there out of the box and need to be installed & configured as well as getting the script setup to do the backup.

This post addresses the steps necessary to setup a Windows 2003 server as an rsync server for backups from Windows clients. I'll address the client side in a future article. While I set this up on a Windows 2003 server, the steps most likely apply equally to any Windows server OS. \

Since the OS does not come with the necessary tools, I turned to the cygwin distribution of UNIX utilities for Windows.

Server Setup

  1. Download cygwin's setup.exe, which you then use to download and install cygwin components. I installed the complete package. I'm sure that you could get by with a lesser install, but given the cheap cost of disk space, why bother.
  2. Initialize sshd on your server:
    cpcahil(mercury,505): ssh-host-config
    Generating /etc/ssh_host_key
    Generating /etc/ssh_host_rsa_key
    Generating /etc/ssh_host_dsa_key
    Generating /etc/ssh_config file
    Privilege separation is set to yes by default since OpenSSH 3.3.
    However, this requires a non-privileged account called 'sshd'.
    For more info on privilege separation read /usr/share/doc/openssh/README.privsep.
    Should privilege separation be used? (yes/no) yes
    Warning: The following function requires administrator privileges!
    Should this script create a local user 'sshd' on this machine? (yes/no) yes
    Generating /etc/sshd_config file
    Added ssh to C:\WINDOWS\system32\drivers\etc\services
    Added ssh to /etc/inetd.conf
    Warning: The following functions require administrator privileges!
    Do you want to install sshd as service?
    (Say "no" if it's already installed as service) (yes/no) yes
    Which value should the environment variable CYGWIN have when
    sshd starts? It's recommended to set at least "ntsec" to be
    able to change user context without password.
    Default is "ntsec".  CYGWIN=ntsec
    The service has been installed under LocalSystem account.
    To start the service, call `net start sshd' or `cygrunsrv -S sshd'.
    Host configuration finished. Have fun!
  3. Configure sshd as appropriate

    For my server, I edited /etc/sshd_config to make the following changes:

    *** sshd_config.old     Sun Jan 16 07:31:24 2005
    --- sshd_config Sun Jan 16 16:38:38 2005
    *** 28,34 ****
      # Logging
      #obsoletes QuietMode and FascistLogging
      #SyslogFacility AUTH
    ! #LogLevel INFO
      # Authentication:
    --- 28,34 ----
      # Logging
      #obsoletes QuietMode and FascistLogging
      #SyslogFacility AUTH
    ! LogLevel INFO
      # Authentication:
    *** 39,45 ****
      #RSAAuthentication yes
      #PubkeyAuthentication yes
    ! #AuthorizedKeysFile   .ssh/authorized_keys
      # For this to work you will also need host keys in /etc/ssh_known_hosts
      #RhostsRSAAuthentication no
    --- 39,45 ----
      #RSAAuthentication yes
      #PubkeyAuthentication yes
    ! AuthorizedKeysFile    /etc/authorized_keys
      # For this to work you will also need host keys in /etc/ssh_known_hosts
      #RhostsRSAAuthentication no

    The key change there being the specification of the /etc/authorized_keys file as I use private keys to authenticate my clients to the server.

    This isn't necessary if you want to use username/password authentication as the out-of-the-box sshd implementation will use the windows active directory for authentication.

  4. Open port 22 on your firewall

    If you are running a firewall on your server, you need to open up incoming connections to port 22 (the port used by sshd) so that your clients can communicate with the sshd daemon (service) on your server.

  5. Start the "CYGWIN sshd" service. This can be done using the Windows Control Panel->Administrator's Tools->Services or via the following command:
    net start sshd
  6. Test sshd availability

    Run the command: telnet localhost 22

    The output should look like:

    bash-3.1$ telnet localhost 22
    Connected to
    Escape character is  '^]'.

    the key being the last line. Once you see that, sshd is fine and you can abort the telnet (<ctrl>-] followed by quit).

  7. Configure Rsyncd for your system

    The rsyncd server was installed with the rest of CYGWIN in the first step above, so all we need to do is configure it as necessary. First part of the configuration is the /etc/rsyncd.conf file (if you installed CYGWIN into c:\cygwin, then the windows path for the file is c:\cygwin\etc\rsyncd.conf). If the file doesn't exist already create it. A portion of my rsyncd.conf:

    use chroot = false
    strict modes = false
    hosts allow = *
    uid = administrator
    secrets file = /etc/rsync.secrets.txt
            path = e:/data/angie
            read only = no
            auth users = angie

    The important lines in this file:

    • strict modes = false

      This disables strict access mode checking on the rsync.secrets.txt file (which rsyncd normally requires to have no access to anyone other than the owner).
    • secrets file = /etc/rsync.secrets.txt

      This tells rsync where the secrets file is located. The secrets file contains a list of id:password combinations. My secrets file looks like:

      This defines a secret for my wife (Angie) and I.
    • [angie]
              path = e:/data/angie
              read only = no
              auth users = angie

      This defines an rsync "module" (which you could look at as the equivalent of a rsync shared drive entry point). In this case the the module "angie" equates to the windows path "e:/data/angie", is not read-only and is only available to an rsync client that can present angie's secret.

  8. Install rsyncd as a service

    Run the command (in a cygwin bash shell window):

    cygrunsrv.exe -I "Rsync" -p /cygdrive/c/cygwin/bin/rsync.exe -a "--daemon --no-detach" -f "Rsync daemon service" -u Administrator -w admin_passwd

    That is all on one line (in case it wrapped in your browser).

  9. Start the rsync service (yeah, it's the rsyncd daemon (by UNIX naming conventions), but called the rsync service in Windows). This can be done using the Windows Control Panel->Administrator's Tools->Services or via the following command:
    net start rsync
  10. I did not have to open a firewall port for rsyncd since I would only be accessing rsyncd via an ssh tunnel (so the connection to rsyncd is a local connection from the sshd process).
  11. Test rsyncd availability

    Run the command: telnet localhost port
    Where port is the port chosen for rsyncd to listen on (the default 873).

    The output should look like:

    bash-3.1$ telnet localhost 873
    Connected to
    Escape character is  '^]'.
    @RSYNCD: 29

    the key being the last line. Once you see that, rsyncd is fine and you can abort the telnet (<ctrl>-] followed by quit).


The system works very well for backups. One problem that we have experienced is that permissions set on files and folders created on the server are messed up. They are owned by the user id that rsyncd is being run as (in my case, administrator) and read, write and execute permissions are turned off. This means that when I add new photos to our photo collection on our server, my wife can't view them until I get onto the server and reset the permissions.

I have tried a few things to fix this to no avail. Others on the net have claimed that setting the CYGWIN environment variable to "nontsec" (as opposed to the default of "ntsec"). I tried that and it had an extremely negative impact on performance (the backup of my photo directory -- with no changes -- takes about 40 seconds normally, but with "nontsec" I killed it after 40 minutes with no perceived progress.

So, for now I live with the permissions problem.

Tags : / / / / / /

Saturday, January 06, 2007

A Rite of Passage

Today my son started the traditional teenage "rite of passage" of learning to drive.

He's had his driving permit for almost 6 months and finally did some driving today (under my expert tutelage, of course :-)).

We went to a fairly quiet residential area and he did a bunch of driving around the neighborhood (we found many streets that we had never been down before). After about an hour he was getting bored. I told him that's good. Uneventful driving is supposed to be boring -- when it gets exciting, bad things start to happen.

After a while, we headed out of the neighborhood and drove into town and stopped by the nearby supermarket. He seemed to handle this pretty well (I'm still alive, aren't I?).

All without me yelling or having a heart attack... That clearly qualifies as a success in my book!

Tags : /

Locality is not baked in

Dave Kearns writes (in reference to one of Eve's posts):

Where we differ is in where the data will be stored. Eve, as a faithful follower of the Liberty Alliance spec, expects an "in-the-net" service to do everything

This shows that Dave "suffers from" the common misconception (perhaps caused by some of Liberty's marketing materials) that the protocols have some "in-the-net" concept baked into them. This isn't the case. In fact, in a large part due to the participation of folks like Nokia, Gemplus and others, Liberty's protocols were designed to be location independent. Any entity defined by Liberty can live "in-the-net". "in-the-handset", "in-the-pc", or pretty much anywhere.

What Liberty has defined is the protocols used by the entity, regardless of where it lives, to provide the necessary services for the user. This includes the IdP, the Discovery Service, the People Service, etc.

In fact, in some of the work that is currently in progress in the Advanced Client Technologies, we're working on enabling that local, "in-the-phone" service to optionally make use of "in-the-net" components to form a hybrid implementation to best meet the user's connectivity needs.

Tags : / / / / / / / /

Friday, January 05, 2007

Liberty, Enterprises and Membership

James continues to raise questions about participation in the Liberty Alliance by enterprise customers.

I'm not sure what he's using to measure enterprise participation, but he claims:

Of the thirteen members of the management board, only two don't sell technology.

I don't know what James uses to differentiate one company from another, but "sell technology" isn't the right one. The right one is whether or not the company is coming to the table as a vendor (or potential vendor) or are they coming to the table as a user (or potential user).

Clearly some of the members of the management board and some of the sponsor members are vendors. However, unlike most other standards bodies, Liberty does have participation of companies that are users of the protocol (and hence potential customers of the aforementioned vendors). These "user companies" include:

  • AOL (management board)
  • France Telecom (management board)
  • Fidelity Investments (management board)
  • General Motors (management board)
  • NTT (management board)
  • United Airlines (former management board)
  • American Express (former management board, now sponsor)
  • Bank of America (sponsor)
  • British Telecom (sponsor)
  • Bipac (sponsor)
  • T-Com (sponsor)
  • Telephonica (sponsor)
  • Vodafone (sponsor)

Not to mention the many government organizations which clearly are not vendors.

This is a vastly larger level of participation by non-vendors than you find in most standards bodies. Liberty is proud of that fact and continues to reach out to enterprise customers to encourage their participation.

And yes, all of these companies and governments use technology. Some even sell products that are in a technological world. However, their participation in Liberty is not about those products, but about ensuring that the protocols developed within Liberty meet the needs of their enterprise development.

James also seems to have a problem with my statement that participation gets you a voice and vote in the development of the use cases, requirements and protocols:

Conor, are you saying that you would be wildly successful in convincing hundreds of CIOs in Fortune enterprises to spend money so that they will not only have a say in the definition of requirements but also get the opportunity to vote? Whether you agree with this statement, enterprises already have a say and a vote, it is called their wallet. If several large enterprises want to not only have standards but see them implemented in enterprise products then they can participate in ways that do not require a level of time commitment that is higher than the return it brings by using approaches such as I outlined in ECM and Security Curious to know if you think this approach would be more expedient, cheaper, or successful if done under the Liberty banner?

FYI. I am not sure that standards bodies need to equal closed source. Factually speaking, at work, I have recently contributed to an ISO specification in which neither myself nor my employer were a member of. Likewise, I have also been invited to contribute insight into BPM and Security at an upcoming Object Management Group meeting that will happen over the summer. So, if ISO and the OMG have figured out how to allow folks to contribute without being closed source then why can't Liberty Alliance. Voting is not an attractive value proposition, seeing vendors actually implement is.

Liberty too has had people invited people whom we felt could make real contributions to participate (even when they weren't a member). We also release public drafts of our specifications asking for feedback and input from the general public. We run public interop events so that different implementations can exercise the new specifications. We run a conformance certification process to help ensure that different products will work together. All of these are opportunities for non-members (as well as members) to actively participate in the work we are doing. You, yes you James, can actually read the specs and provide feedback and input to help evolve the specs to meet your needs (if they don't already do so).

That said, Liberty needs to fund the operation of the alliance. It costs real dollars to operate a standards organization and the funding model that Liberty has chosen is membership fees. And those membership fees have to mean something in order to encourage people to pay them. Clearly a substantial number of enterprise organizations (as well as vendors) have chosen to pay those fees and actively participate in the evolution of our specifications.

All of that said, I think there are many reasons why a large number of companies (both vendor and enterprise alike) choose to not participate in a standards body:

  • It's hard work. Writing a standard is not simple and working with people from many different companies with different interests makes it even harder.
  • They have limited resources -- $$ and/or people.
  • There may be a lack of interest -- "Let the vendors figure it out".
  • They believe that it's easier to just let others do the work and then adopt it when it's all done. Perhaps they feel that if so-and-so is participating, that's enough for them.

I'm sure that there are many more such reasons that I just haven't thought of.

All-in-all, Liberty does have enterprise participation. Liberty also has vendor participation (and the enterprises want them there so that this stuff gets into real products that the enterprises can purchase). I think the mix is one of the strongest things that Liberty has in its favor.

Tags : / / /

Thursday, January 04, 2007

Engineers and Programmers

Pam's "Baking in Security" post included a quote that raised her ire:

I remember being incredibly incensed by a Catalyst conference panel some years ago, where one of the panelists haughtily declared something to the effect of “if engineers built bridges the way coders wrote programs”… you can guess the rest of the analogy.

That kind of a statement raises my ire as well.

The engineer's job in designing the bridge is so easy:

  • Engineers don't get blamed for someone driving or jumping off the side of the bridge. That's the common user model that programmers have to develop against (and we can't figure out all of the possible ways the dumb user might try to go -- there doesn't seem to be alot of "stay in your lane" mentality for computer users).
  • Engineers don't get blamed when someone accidentally or purposefully damages the bridge. That's the primary security threat for a programmer.
  • Engineers even take shortcuts in their bridge design.. Many bridge deck components are only attached on one side -- the other side is just resting on the vertical structure. This allows the engineer to ignore some of the lateral forces from expansion and contraction since the unattached side can move back and forth. This gave my wife a wonderful feeling when I told her about it and pointed to the place where you can see the bridge just resting (e.g. not bolted) on one end.

Note that I'm not making an excuse for bad code and when I write code I tend to try to anticipate many such situations to protect from them. I'm just saying that comparing the two jobs is like comparing first grade addition to multi-variable calculus. There's just no comparison.

Tags : / / / / /

United's Global Services

United Airlines has a special frequent flyer class referred to as "Global Services". It's the creme-de-la-creme of frequent flyer status at United but you can't find any clear delineation of what that status means nor how to attain that status anywhere on United Airlines site nor on any of the various frequent flyer sites I've looked at.

I've been a Global Services member for the past two years (not sure I'll get it again this year) and I can't tell you exactly what the qualifications are (although they did come out last September and state in letters to current members that flying 50,000 miles in full fare coach, business or first was one certain way to qualify). Most of the speculation around other ways to qualify had to do with overall revenue and/or revenue per mile.

The two years I have qualified, I flew 250,000 miles one year and 175,000 miles the next year, but did have a substantial number (5 or 6 -- can't remember) of business class international flights which I'm sure went a long way towards getting me qualified. Unfortunately, last year, while I did fly 160,000 miles, none of it was in business class (other than upgrades, of course) -- hence my concerns about getting it again this year.

So, what does this secretive level get you?

  • Top of the list for upgrades and they clear 120 hours prior to departure (1K members clear at 100 hours). With this status I was able to upgrade 68 of my 70 flights last year.
  • Automatic re-booking with highest priority if there's a schedule change or cancellation - usually before I'm off the airplane. I've even had them re-route me when it looked like there would be delays on a connection through Chicago -- without my asking for it.
  • Early boarding with 1st Class (in case you aren't in first class). They are even starting to do some Global Services only boarding prior to first class at some airports. One might ask why someone who flies that much would want to get on early -- it's all about storage, especially if you're in a bulkhead seat. I hate having to swim upstream to get my bag, or even worse, having to check it.
  • Use of the United Arrivals facility in select international airports, even if you aren't booked in business or first class. Being able to take a shower when you arrive after an overnight flight is a great thing.
  • In one particular airport, London Heathrow, they really try to treat Global Services as special -- they meet them at arriving flights and drive them to the connections center -- saving a long walk through the labyrinths of Heathrow. This is the only airport that seems to have a dedicated team for taking care of Global Services people.
  • Some have reported that Global Services members get gratis upgrades all the time. I haven't found that to be the case. In the past two years, I've gotten a gratis upgrade probably 2 or 3 times.

    I believe that this is because gratis upgrades are only given out when there's an otherwise empty seat that nobody's willing to pay for or upgrade into (and if you've flown recently, you know that there aren't all that many empty seats). In addition, I think that the paid fare has a lot to do with it as well. If you're flying on a full fair ticket for the class that you are currently in, you're probably first in line for the gratis upgrade.

    For me, since I've been upgraded already (which I paid for in miles or certs), I think I'm at the bottom of the list for a "double bump" (upgrade of an upgraded seat). I even worked quite hard on my 23 hour leg from LHR to HKG via Chicago to get the double bump (mentioning that I went over 1 million lifetime miles during that leg, begging and otherwise making a fool of myself) to no avail (not that I'm really complaining as I was in upgraded business class the whole way).

Otherwise you're very much like a United 1K person with all of the 1K benefits (system wide upgrades, double mileage, etc.). I don't know for sure if you get the 1K status if you qualify for Global Services but don't fly 100,000 miles. It would seem that they would still want to give you that benefit, but I have no information about that one way or another.

Me, I'm hoping that they think my 160,000 miles, my going over 1,000,000 lifetime flight miles last year plus the fact that I'm already a member will get me at least one more year of Global Services status. I do like the benefits.

Tags : / / / / / / /

Wednesday, January 03, 2007

Safety Inspections...

Today I was able to waste 2 hours and almost $50 to go through the annual right of passage here in Virginia -- the annual vehicle safety inspection and the bi-annual vehicle emissions inspection.

Virginia isn't the only state that has these things. I know New York does as well (I grew up there). Maryland only has safety inspections as part of a sale of the car (including re-sales of used cars) (at least that's what they had when I lived there).

What I want to know is has someone done a cost benefit analysis that shows there is some positive value obtained from this program? I didn't see any more cars involved in accidents or sitting on the side of the road in Maryland than I do here in Virginia (and, in the far distant past, I volunteered in a local rescue squad in both states, so I had been to many, many accidents -- none of which were obviously caused by mechanical deficit).

I've been in Virginia for 20 years now and been married for more than 17 years where we've had 2 or 3 cars the entire time. I've NEVER had one of these inspections fail (it may be because I've tended to only keep cars for 3 or 4 years).

Perhaps there could be some form of waiver program for vehicles with low mileage (my current truck -- a Chevy Colorado -- is 2 years old and only has 16K miles and, of course, passed the inspection). Perhaps cars less than 4 years old and having less than say 30K miles shouldn't have to be inspected. I'm sure a good statistician could come up with the right figures that would bring this into the right risk/reward balance.

Even if most people don't wait as long as I did (and I don't think that is the case from past experience -- the only way to not wait is to drop off the car the night before and hope they get to it the next day or to be very lucky on a drive by in the middle of the month) and only half the people in the state have a car, that's still like millions and millions of hours of wasted productivity and millions of wasted $$.

Tags : / / / / / /