Monday, February 28, 2005

fyi Michigan City Provides Free WiFi to Residents


Pointer to article:,aid,117324,0...

Kobielus kommentary:
Imagine the horror that Philadelphia booksellers felt when Benjamin Franklin organized the USA’s first municipal library more than 200 years ago. People can borrow books at no charge from a big public library? Why would anybody ever buy a book ever again?

As we know, municipal libraries didn’t put much of a crimp in the publishing industry here or anywhere. Likewise, free access to the Web from library-situated computers hasn’t stopped people from subscribing to ISP services and installing Web-connected computers all over their homes.

I applaud what Grand Haven, Michigan is doing. I think most municipalities should provide their citizens with free WiFi-based Internet access. This should be part of the basic infrastructure that our taxes support, alongside roads, sidewalks, and sewers. It would be a critical component of the total package of civic amenities that spell the difference between a livable, economically vital community and a backwater.

I don’t think municipalities should worry about whether they’re putting a crimp in WiFi hotspot operators’ business models. My sense is that the hotspot industry is converging with the public cellular industry, which is converging with the landline telecom industry. Ultimately, there’ll just be a few nationally marketed telecom service brands, and they’ll offer the full range of voice, data, and multimedia services, including seamless broadband roaming from public to private wireless cells (and between wireless and landline networks).

As the broadband wireless industry evolves, municipal hotspots will provide the lowest-common-denominator free service option. But they’ll probably not support roaming to and from carriers’ public wireless networks (and only occasionally to other municipalities’ wireless networks). Instead, the municipal hotspots will be positioned as “fixed” wireless access islands with coverage primarily in business districts, libraries, municipal buildings, and other civic centers. Does anybody seriously think that, for example, Fairfax County, Virginia (the huge sprawling municipality to which I pay property tax) is going to install WiFi access points on every street corner? Even with WiMax, I doubt that citizens here or elsewhere will want their tax dollars spent on duplicating a “goldplated” wireless infrastructure best left to the private sector.

So Cingular, Verizon, Sprint et al. needn’t worry about being pre-empted by the municipal WiFi hotspots. Users will tune into those networks only when their primary wireless provider’s network is down or out of range.

And I would advise the wireless carriers to call off their lawyers, who are attempting to get state PUCs and legislators to nip the municipal hotspots in the bud. Actually, these hotspots are the best thing yet to happen to the broadband wireless market. They’ll enfranchise the masses on WiFi, and make them eager for value-added, higher-bandwidth metropolitan, regional, and national wireless services. In other words, for value-added services that only the huge national brands can build and sustain.


Sunday, February 27, 2005

poem Fit


These my shoes
have soles grown
holey from

The laces
are too long
from tugging
and I trip.

But we fit

I avoid
puddles and

Friday, February 25, 2005

fyi Spam Controls Imperil E-Mail Reliability


Pointer to article:

Kobielus kommentary:
Think of how many business and personal relationships are getting hung up with undelivered (or quarantined—same thing) e-mail. Think of how many people are too lazy or too shy to escalate the matter through a simple human touch: a phone call to see if a message went through (assuming that the sender has the intended recipient’s phone number).

E-mail has always been, essentially, best-effort delivery. Unfortunately, best effort isn’t good enough in a world that hinges on e-mail, and isn’t enough to surmount the mail-filtering barricades we’re constructing everywhere. Blame spam, viruses, Trojans, and so forth for closing the e-mail frontier and initiating a cold war of contending forces (allied e-mail users vs. the evil axis of confederated malware perpetrators).

How do you detect the e-mail messages you’re not receiving (without checking your quarantine folders)? If you expect a particular e-mail from a particular sender on a periodic schedule (such as daily and weekly), and you’re not getting it, then you’re likely to check quarantine. But if it’s the normal crush of any-old-time e-mails from any-old-sender (or new sender), you’ll probably never know it arrived and was shunted to quarantine. Or, more to the point, you’ll never know unless the sender has access to a secondary channel for notifying you. Such as IM. Or SMS. Or the phone. Or walking down the hall and telling you.

All of which raises the issue of spam jumping the synapse gap from one electronic medium (e-mail) to others. As you raise filtering barriers in these other media, how will necessary/desired escalations (i.e., from senders you OK) get through to you?

One approach is to build a whitelist-driven notification mechanism into e-mail. When you pull down your inbox, you should only see messages from pre-approved senders (such as those in your address book or corporate directory). All other messages should have been shunted to quarantine. However, your inbox should have a separate frame that simply shows the identities of senders in quarantine (but doesn’t show the message subject lines or text), and ranks those senders by likelihood of their being spammers.

With a mouse click, you could simply select authorized senders from that list, and have their messages thereby moved to your inbox. Alternately, those senders might have their e-mail addresses linked with their IM screen names; if they’re in your IM buddy list, they might be able to send you an IM to display within the e-mail “quarantine escalation” frame, requesting movement to your inbox. Or you might have provided your IM buddies with the ability to automatically get their e-mails delivered to your inbox. If they’re in your VOIP or SMS directory, you might set them up with similar privileges: send an e-mail delivery escalation message or automatic delivery to your e-mail inbox.

Whitelisting is so critical in the new order of filtered messaging infrastructure. Whitelisting, if it’s going to work in a multi-messaging/multi-service communications environment, has to be able to link addresses and identities across diverse domains. And to give you, the message recipient, the ability to define the policies that give all your trusted identities priority delivery to your world. Or the ability to holler at you through a special transom that you and they have pre-arranged.
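Here is what that whitelist-plus-quarantine-frame design looks like in working code. This is an added example, not code from the original post or from any mail client: the message fields, the directories, the spam-likelihood rules and their weights, and the IM-buddy-to-address linkage are all constructed for illustration. The security-relevant detail is that the quarantine frame is built from sender identity alone, so you can decide who gets through without rendering an untrusted subject line or body.

```python
"""Whitelist-first inbox with a sender-only quarantine frame (added example).

Only mail from pre-approved senders (address book, corporate directory)
lands in the inbox; everything else is quarantined. The quarantine frame
lists sender identities ranked by a spam-likelihood score, with no subject
or body shown. IM buddies are linked to e-mail addresses so a buddy can
escalate held mail into the inbox over the IM channel. Messages,
directories, scoring rules and weights are all constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str      # From address, assumed already parsed
    subject: str
    body: str
    spf_pass: bool   # assumed verdict from an upstream SPF check


@dataclass
class Mailbox:
    inbox: list = field(default_factory=list)
    quarantine: list = field(default_factory=list)


def build_whitelist(address_book, corp_directory):
    """Pre-approved senders, normalised to lowercase."""
    return {a.lower() for a in address_book} | {a.lower() for a in corp_directory}


def spam_likelihood(msg):
    """Constructed score in [0.0, 1.0] from sender-visible features only.

    Integer points avoid float drift. The body is never consulted, so the
    frame can be built without rendering untrusted content.
    """
    points = 0
    local, _, domain = msg.sender.lower().partition("@")
    if not msg.spf_pass:
        points += 4
    if re.search(r"\d{4,}", local):            # long digit runs in local part
        points += 2
    if domain.count(".") >= 3:                 # deeply nested throwaway domain
        points += 2
    if re.search(r"free|win|urgent|act now", msg.subject, re.I):
        points += 2
    return min(points, 10) / 10


def triage(messages, whitelist):
    """Whitelisted senders go to the inbox; everyone else to quarantine."""
    box = Mailbox()
    for m in messages:
        (box.inbox if m.sender.lower() in whitelist else box.quarantine).append(m)
    return box


def quarantine_frame(box):
    """(sender, score) pairs, least spam-like first; no subjects, no bodies."""
    worst = {}
    for m in box.quarantine:
        s = m.sender.lower()
        worst[s] = max(worst.get(s, 0.0), spam_likelihood(m))
    return sorted(worst.items(), key=lambda kv: (kv[1], kv[0]))


def release_sender(box, sender, whitelist):
    """One click: approve the sender and move their held mail to the inbox."""
    sender = sender.lower()
    whitelist.add(sender)
    held = [m for m in box.quarantine if m.sender.lower() == sender]
    box.quarantine = [m for m in box.quarantine if m.sender.lower() != sender]
    box.inbox.extend(held)
    return len(held)


def escalate_via_im(box, screen_name, im_buddies, whitelist):
    """A buddy asks over IM for release; honoured only if the screen name is
    already linked to an e-mail address in the buddy directory."""
    email = im_buddies.get(screen_name)
    return 0 if email is None else release_sender(box, email, whitelist)


# Constructed directories and sample mail
ADDRESS_BOOK = ["alice@example.org"]
CORP_DIRECTORY = ["bob@corp.example"]
IM_BUDDIES = {"carol_im": "carol@friends.example"}   # screen name -> linked e-mail
SAMPLE = [
    Message("alice@example.org", "lunch?", "noon?", True),
    Message("carol@friends.example", "photos", "see attached", True),
    Message("promo88881234@deals.mail.cheap.example", "WIN a FREE cruise", "...", False),
    Message("dave@newvendor.example", "proposal", "attached", True),
]


def run_demo():
    """Triage the sample mail against the constructed whitelist."""
    whitelist = build_whitelist(ADDRESS_BOOK, CORP_DIRECTORY)
    return triage(SAMPLE, whitelist), whitelist
```

Running `run_demo()` puts only Alice in the inbox; Carol, Dave and the promo sender appear in the frame in that order, and `escalate_via_im(box, "carol_im", IM_BUDDIES, whitelist)` moves Carol's message over and whitelists her for next time.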


Thursday, February 24, 2005

rip Dr. Hunter S. Thompson


I saw a post in Bruce Schneier's blog about Thompson. And that, somehow, made me want to pitch in a thought or two.

First off, I've only read "Fear and Loathing in Las Vegas," plus his many articles for Rolling Stone magazine, plus the occasional article in other pubs, plus the occasional chapter or two of his other books while loitering in bookstores, plus the zillion excerpts of his books that have appeared in reviews of them. So I'm not the deepest person on Thompson's oeuvre.

But I've enjoyed every single word the man ever wrote (of those that I've read, that is). He wrote with such singular zeal and style that you couldn't not notice. But I wouldn't call him a journalist--most of his stuff was pure rant and invention that stirred the emotions but didn't attempt to present an objective portrait of anything outside of his own obsessions. And this notion that he founded a so-called "gonzo" style of journalism is even more ridiculous--he coined this silly word to refer to precisely one practitioner of whatever it was that he wrote: himself. And, consequently, he's the only referent of this meaningless self-assertive adjective. (Note to self: invent nonsense adjective to refer to own unique blogging style, and convince others to think I'm the vanguard of that new school of blogging--yeah, that's the ticket).

Fundamentally, Thompson was a comedy writer, and quite a funny one, as anybody with even a passing familiarity with his work will attest. Admit it: when you think of Thompson, you think of Duke from Doonesbury, or some other cartoonish stick figure guzzling booze, doing dope, shooting guns, speeding recklessly across America's highways, running away from creditors, and generally shirking responsibilities. He created a purely cartoonish persona--from everything I've read, the actual man was a lot like this. So he was a performance comedian who brilliantly committed his performances to writing.

So Thompson cut quite a distinctive figure in the landscape of American literary culture. Don't buy into all that "gonzo journalism" crap. He was just a clown--not a merry prankster--but an agent provocateur with no agenda other than just being a cussed fool.

It's sad that he took his own life. Clearly, he was possessed by demons (as was the brilliant monologist Spalding Gray, who took his own life last year). I don't know what moral to draw from the Hunter S. Thompson story. He abused his body and brain for 67 years, till, apparently, his spirit just wore out. All the fear and loathing became too much for him.

You can't truly celebrate a life like that. Just observe, numbly. And wish him well on his next madcap adventure.


lol Hilton Cell Phone Numbers Posted on Net


Pointer to article:

Kobielus kommentary:
I almost didn't want to blog on this one--low hanging fruit. This story adds a whole new dimension to the term “identity honeypot.” Somehow, this woman mixes and mingles all too well, ingratiating herself far too widely, grabbing too many connections, acquaintances, and phone numbers. I actually feel sorry for the celebrities in Paris Hilton’s address book. They already have to deal with the privacy-invading consequences of their fame. Little did they expect that one of their peers would, inadvertently, be the weak link in the mutual-identity-protection circle that they, as a loose-knit community, maintain around themselves. And I feel (gasp!) sorry for Paris Hilton. She networks far too well for her own good. So does her cellphone address book. Available for the hacking. Just as Paris herself is always quite available for the …


fyi Relics of computer history in New York auction


Pointer to article:,10801,99946,00.html?source=NLT_PM&nid=99946

Kobielus kommentary:
I’m originally from Michigan, whose state motto is (smartypants that I am, I recall the Latin without having to look it up): “Si Quaeris Peninsulam Amoenam, Circumspice.” Translated to the vernacular, that’s “If you seek a pleasant peninsula, look about you.”

What does this have to do with “relics of computer history”? My feeling is that we don’t need to be reminded of computer history—it’s all around us, all the time, in all the legacy hardware we have cluttering up our homes and workplaces. I have old home computers, of the desktop and laptop variety, plus old printers, monitors, mice, keyboards, cables, software CDs, data diskettes, etc. Yeesh—enough history. Legacy just won’t go away. Our computing present is cluttered with too much computing past.

Of course, we need computing museums to hold onto the most significant relics of our computing past. We also need archival institutions to hold onto as many old hardware and OS platforms as possible, so that we can recover, use, and migrate as much of the significant old data as possible. The physical instantiations of old computing environments shouldn’t be allowed to disappear completely if they have a) archival/recovery/migration uses or b) historical significance.

One thing I’d like to see is more discussion of significant conceptual breakthroughs that led—directly or indirectly—to modern distributed computing as we know it. One of the things I like most about this article is that it highlights the following conceptual breakthroughs, as expressed in physical artifacts being auctioned in NYC:

• “a 1946 business plan for a company to design and build a ‘multipurpose rapid computing machine of moderate cost’…drawn up by pioneers J. Presper Eckert and John Mauchly, whose list of possible users of their machine is remarkably prescient, if limited. It includes banks, insurance companies and government census offices.”
• “books documenting the history of mathematical calculation from the 17th century to the present day”

Many of the most fundamental breakthroughs in computing have been conceptual, in the realms of mathematics, symbolic logic, and software design and engineering. These are developments that don’t produce “relics”—rather, they produce enduring additions to the “prior art” upon which all future hardware, software, and networking inventions rely. Those inventions eventually become outmoded, hence “relics,” but the conceptual substrate continues to build.

Increasingly, the innovations in the conceptual DNA of the cyberworld don’t even produce physical journal articles or other tangible tokens of their provenance. And they don’t clutter up our physical environments. But they inform it all.


Tuesday, February 22, 2005

imho The difference between prose and poetry

Indulge me for a moment. I just need to persist this thought to my blog. I wrote this on May 15, 2001 and e-mailed it to a bunch of people who never responded. I hate it when good thoughts go unrecognized. So I’ll take it from the top once again:

Most people couldn’t give a crap about the difference between prose and poetry. But since this is a perennial topic of discussion in literary circles, I thought I’d take a crack at it.

On one level, I agree that in practice there is often little difference between prose and poetry as distinct literary genres. In practice, modern poetry is often simply prose chopped up and defaced with arbitrary carriage returns, tabs, punctuation, misspellings, and obscurities. Poetry often suffers from highfalutin abstractions, precious diction, adjectival overload, lack of point or narrative, and whining, self-pitying attitudes. And poets wonder why very few people buy or care about their work.

On another level, though, we can distinguish between prosaic and poetic expression, which, taken together and interwoven well, can enliven even the most mundane writing. Prosaic expression points to objects in the world (even if that world exists only in the writer's head, as many scientific hypotheses, for example, do). Poetic expression points back at itself, focusing on language as an object worthy of contemplation in its own right (write!).

Language as an object worthy of contemplation--what do I mean by that? I mean the features of language that make it noteworthy, catchy, and memorable: meter, cadence, rhythm, rhyme, alliteration, tintinnabulation, imagery, word choice, etc. Language as a symbol system or an equation that we continually manipulate: grammar, syntax, etc. Language as a human artifact that is capable of conveying beauty and meaning through its very structure and sound.

The very best writing is both prose and poetry--you want to read, then re-read it, focusing on the objects that the writer is trying to depict, but also the object through which the writer depicts them. Through brevity, the best poetry encourages us to re-read. The best e-mails do too.

It's all art and artifice. I've spent my career trying to breathe life into technical topics of thudding complexity. Committing this crap to someone's memory requires stealth poetry.


Monday, February 21, 2005

fyi RSA looks ahead on RFID security


Pointer to article:

Kobielus kommentary:
This raises a nightmare scenario in the “identity of things”: a scenario in which every personal “thing” we own or hold becomes a tattletale: a silent RFID beacon of who we are, who they are, and where we/they are.

How to keep this scenario from becoming a reality? Most important, it will have to involve the relying party presenting credentials before the RFID of a personal “thing” can be released. One approach is to require readers to transmit their identity, permissions, and other credentials to the holder of the RFID-tagged thing. The RFID thingholder—a human being or intelligent software agent—will then have the option of granting or not granting the request for RFID, once it has validated the credentials. The thing itself might display the results of that credentials check, or the results might be transmitted via an SMS to the thingholder’s cellphone display. Authorizing release of RFID might then involve pressing some key on the thing, or responding to the SMS, or some other dynamic handshake interaction.

Obviously, such a scenario demands several critical chunks of infrastructure. First of all, it would require that RFID “personal things” (we’re talking your personal possessions, not the RFID-bearing things in a manufacturing supply chain) come equipped with receivers as well as transmitters. Second, it would require a federated IdM infrastructure for registering, issuing, managing, and validating credentials for RFID readers—one that has the capacity to handle the huge and ever-growing transaction volumes. Third, it would require that all RFID-bearing things be engineered to participate in this federated RFIDm environment. Fourth, it would require serious rethinking of user interfaces associated with RFID-bearing things, so as to make it as easy as possible for ordinary people to set up the appropriate rules governing controlled, secure release of their personal, privacy-sensitive RFIDs.

If this sounds like a big kettle of public policy, technical, and usability issues, you’re quite right. We’ve barely begun to think through the many issues that will surface as RFIDs—and RFIDm as a discipline—begin to pervade our lives.
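The handshake sketched above, as an added example (not code from the article or from RSA): the reader answers the tag's challenge with an issuer-signed credential, a stated purpose, and a proof over the nonce; the thingholder's agent checks issuer, signature, expiry, replay, proof of key possession, the credential's permissions, and finally the holder's own policy before the identifier leaves the tag. The credential format, field names, issuer registry and purposes are assumptions. HMAC with the issuer's key stands in for a public-key signature, and the reader's HMAC key stands in for a public key carried in the credential; a real tag must not hold issuer secrets.

```python
"""Credential-gated release of a personal RFID identifier (added example).

Not code from the article or from RSA. HMAC stands in for public-key
signatures; the issuer registry, field names and purposes are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed federated-IdM registry: issuer id -> verification key.
ISSUER_KEYS = {"fed-issuer-1": b"constructed-issuer-key"}


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_credential(issuer_id, reader_id, reader_key, permissions, not_after):
    """Issuer vouches for a reader's identity, key and permitted purposes."""
    claims = {"iss": issuer_id, "sub": reader_id, "rk": reader_key.hex(),
              "perm": sorted(permissions), "exp": not_after}
    payload = json.dumps(claims, sort_keys=True).encode()
    return {"payload": payload, "mac": _mac(ISSUER_KEYS[issuer_id], payload)}


def reader_request(credential, reader_key, nonce, purpose):
    """Reader's answer to a challenge: credential, purpose, proof of key possession."""
    proof = _mac(reader_key, f"{nonce}|{purpose}".encode())
    return {"credential": credential, "purpose": purpose, "nonce": nonce, "proof": proof}


class PersonalTag:
    """A tagged personal thing plus the holder's local release policy."""

    def __init__(self, rfid, allowed_purposes):
        self.rfid = rfid
        self.allowed_purposes = set(allowed_purposes)
        self._open_nonces = set()

    def challenge(self):
        nonce = secrets.token_hex(8)
        self._open_nonces.add(nonce)
        return nonce

    def respond(self, req, now):
        """Returns (granted, reason, rfid_or_None); reason is what the thing displays."""
        nonce = req["nonce"]
        if nonce not in self._open_nonces:
            return False, "replay-or-unsolicited", None
        self._open_nonces.discard(nonce)          # single use, even on failure
        cred = req["credential"]
        try:
            claims = json.loads(cred["payload"])
        except ValueError:
            return False, "malformed-credential", None
        if not isinstance(claims, dict) or claims.get("iss") not in ISSUER_KEYS:
            return False, "unknown-issuer", None
        if not hmac.compare_digest(cred["mac"], _mac(ISSUER_KEYS[claims["iss"]], cred["payload"])):
            return False, "bad-issuer-signature", None
        if now >= claims["exp"]:
            return False, "credential-expired", None
        expected = _mac(bytes.fromhex(claims["rk"]), f"{nonce}|{req['purpose']}".encode())
        if not hmac.compare_digest(req["proof"], expected):
            return False, "bad-proof-of-possession", None
        if req["purpose"] not in claims["perm"]:
            return False, "purpose-not-in-credential", None
        if req["purpose"] not in self.allowed_purposes:   # holder's own policy wins
            return False, "denied-by-holder-policy", None
        return True, "granted-to:" + claims["sub"], self.rfid


def demo():
    """Runs the handshake through the happy path and each failure mode."""
    now = 1_000_000
    reader_key = b"constructed-reader-key"
    cred = issue_credential("fed-issuer-1", "reader-42", reader_key, {"retail-checkout"}, now + 3600)
    tag = PersonalTag("E200-1234-5678", {"retail-checkout"})
    out = {}
    n = tag.challenge()
    out["ok"] = tag.respond(reader_request(cred, reader_key, n, "retail-checkout"), now)
    out["replay"] = tag.respond(reader_request(cred, reader_key, n, "retail-checkout"), now)
    out["wrong_purpose"] = tag.respond(reader_request(cred, reader_key, tag.challenge(), "marketing-track"), now)
    out["expired"] = tag.respond(reader_request(cred, reader_key, tag.challenge(), "retail-checkout"), now + 7200)
    out["forged"] = tag.respond(reader_request(cred, b"not-the-reader-key", tag.challenge(), "retail-checkout"), now)
    strict = PersonalTag("E200-9999-0000", set())          # holder releases nothing
    out["holder_denies"] = strict.respond(reader_request(cred, reader_key, strict.challenge(), "retail-checkout"), now)
    return out
```

Two design points worth noticing: the nonce is consumed on every attempt, successful or not, so a captured request cannot be replayed against the same tag; and the holder's policy is checked last, so a perfectly valid credential from a perfectly legitimate reader still releases nothing unless the thingholder has opted in to that purpose.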


Friday, February 18, 2005

fyi 145,000 Americans' identity data stolen


Pointer to article:

Kobielus kommentary:
This just underlines how easy it is to fraudulently represent yourself as some “trusted” agency and use money to penetrate identity honeypot-for-profit sites.

One issue is when, whether, and how we’re going to mandate credentials and background checks on honeypot hounds who claim to work for legitimate debt-collection agencies, insurance agencies and other firms. Legislation and regulation seem to be called for here.

Another issue is providing prompt notification to people whose identity information is stolen or compromised. The notifications must be through all channels possible.

Yet another issue has to do with public education, and instilling in the culture habits of personal identity protection. We’ve all heard the guidelines about not disclosing more identity information than is absolutely necessary in various transactions. And in being careful who you’re giving it out to. And reporting/canceling lost/stolen credit cards and other credentials as soon as you’re sure they’re truly gone. And so forth.

But personal preventive habits don’t protect anybody against the incompetence of legitimate identity honeypots whose systems are breached, or who don’t do due diligence when selling our identities to the highest bidder.

I think personal identity surveillance is the most fundamental new habit we must all learn. A lot of it has to do with something quite simple we all should do like clockwork: check our statements. Know what statements (bank, broker, credit card, etc.) are due to you on what times of the month, quarter, or year. Check your statements item by item as soon as they arrive. Match up every single item against receipts and other records you’ve kept (you have kept them, haven’t you?) on every single transaction in which you’ve engaged over the preceding statement cycle. Question every anomalous item, and call the statement-issuing institution to discuss it with them. Flag possible identity theft right away so that the statement-issuing institution can implement appropriate damage/liability-control measures. And so forth.

These all seem like common sense habits, but it’s surprising how many people don’t pay close attention to what’s happening with their personal assets and liabilities. The point I’m getting to is that your identity isn’t valuable in and of itself. It’s only valuable as an instrument for unlocking and absconding with your assets.
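The statement-checking habit described above, as an added example that is not from the original post: each statement line is matched to a kept receipt by merchant, amount and a posting-date window, and anything left over is a finding. All dates, merchant strings and amounts are constructed; the window and the amount tolerance are assumptions.

```python
"""Statement-versus-receipts reconciliation (added example, not from the post).

Statement lines with no receipt (a duplicate or unknown charge) are flagged
for a call to the issuer; small amount differences are reported separately,
since a tip and a skimmed add-on look the same on paper; receipts with no
statement line are listed too. Everything below is constructed.
"""
from datetime import date
from decimal import Decimal

STATEMENT = [  # (posted date, merchant descriptor as the issuer prints it, amount)
    (date(2005, 2, 3), "GROCER #114 FAIRFAX VA", Decimal("84.12")),
    (date(2005, 2, 5), "FUEL STOP 22", Decimal("31.00")),
    (date(2005, 2, 9), "ONLINE ELECTRONICS LLC", Decimal("499.99")),
    (date(2005, 2, 9), "ONLINE ELECTRONICS LLC", Decimal("499.99")),   # posted twice
    (date(2005, 2, 11), "CAFE ROSA", Decimal("14.50")),
]
RECEIPTS = [  # (receipt date, merchant as you know it, amount)
    (date(2005, 2, 2), "Grocer", Decimal("84.12")),
    (date(2005, 2, 5), "Fuel Stop", Decimal("31.00")),
    (date(2005, 2, 8), "Online Electronics", Decimal("499.99")),
    (date(2005, 2, 11), "Cafe Rosa", Decimal("12.50")),      # tip added at the register?
    (date(2005, 2, 12), "Bookstore", Decimal("22.00")),      # never showed up
]


def _letters(s):
    """Merchant names compared on letters only; descriptors carry store ids and cities."""
    return "".join(ch for ch in s.lower() if ch.isalpha())


def reconcile(statement, receipts, post_window_days=4, tolerance=Decimal("5.00")):
    """Returns findings as tuples; an empty list means the statement is clean."""
    pending = list(range(len(receipts)))        # receipt indexes not yet matched
    findings = []
    for posted, descriptor, amount in statement:
        candidates = [
            i for i in pending
            if _letters(receipts[i][1]) in _letters(descriptor)
            and 0 <= (posted - receipts[i][0]).days <= post_window_days
        ]
        exact = [i for i in candidates if receipts[i][2] == amount]
        close = [i for i in candidates if Decimal(0) < amount - receipts[i][2] <= tolerance]
        hit = (exact or close or [None])[0]     # prefer an exact amount over a near one
        if hit is None:
            findings.append(("NO_RECEIPT", posted, descriptor, amount))
            continue
        pending.remove(hit)
        if receipts[hit][2] != amount:
            findings.append(("AMOUNT_DIFFERS", posted, descriptor, amount - receipts[hit][2]))
    for i in pending:
        findings.append(("NOT_ON_STATEMENT",) + receipts[i])
    return findings
```

On the constructed data this reports the second electronics charge as NO_RECEIPT (the one to call about), the cafe line as AMOUNT_DIFFERS by 2.00, and the bookstore receipt as NOT_ON_STATEMENT. Each receipt is consumed once, which is what catches the duplicate posting.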

Which brings me, and I’ll explain the relevance in just a moment, back to the subject of the “identity of things,” which I discussed in a recent blog posting. When I was thinking through that topic, my mind kept gravitating back to the time-honored characterization of nouns as referring to “people, places, and things.” Then I noticed a parallel with our concepts of identity. Most IdM systems focus on identities of people, and also on the identity of “places” (a term that I’m construing broadly as referring to any logical or physical grouping of people, and of “things”).

Then I rolled my mind over how we’re going to define the difference between “people” and “things,” from an IdM standpoint. And it hit me. The practical difference between these entities is simple:

• People have asses and assets that can be impounded.
• Things are just assets, associated with, owned by, and used by people.

Yeah, I know, that’s a crude cartoonish way to put it. But it occurred to me that all the risk of identity theft has to do with the fact that it’s your ass and your assets that are on the line. Your ass can be thrown into the slammer if somebody impersonates you doing something nasty. Your assets can all be taken away by the thief, or tied up in the most horrendous legal labyrinth.

Which is why you need to read your statements. Only you are keeping track of your assets. And should. They’re the real reason people want your identity. They covet your assets (hmmm...sounds quasi-biblical, doesn't it). Unless they somehow like your name more than their own, and enjoy introducing themselves with your euphonious moniker.

I suppose there are name fetishists out there, but that’s the least of it.


Thursday, February 17, 2005

poem Sum Things


My coffee
today was

tea. My songs
silence. My

income the
absence of

debt. My friend

fyi Prepaid Phones Get a Bad Rap From Crime Use


Pointer to article:,,SB110858146259256702-IFjeoNnlaZ4n5yoa4KHbayCm4,00.html

Kobielus kommentary:
It all comes down to identity. With prepaid cellular plans, people can buy the phones and airtime refill cards from pretty much anywhere. They can use cash. They don’t need to present identification to the carrier to activate the service. So, yes, they provide anonymity. And anonymity is an important weapon in the arsenal of criminals. So I’m not surprised that people are taking advantage of this feature of prepaid plans in order to commit what one might call “drive-by calling” (dump the phone after the deed’s been done).

Of course, Japan (along with the US and Sweden) is one of the few countries in the world where prepaid hasn’t come to dominate the consumer cellular market. But I doubt that prepaid phones/plans are involved in criminal activity any more than postpaid phones/plans. The problem with prepaid, as implemented generally, is that these plans frustrate criminal investigations after the nasty cellphone-facilitated deed has been committed.

Prepaid is an offering of growing importance for most cellular carriers, and for customers who like the “built-in call budgeting” that comes from having to explicitly purchase airtime minutes in advance. For their part, cellular carriers make too much money off the hefty airtime charges from prepaid (higher than postpaid plans) to turn their backs on this approach. So you best believe the carriers aren’t eager to monkey with a good thing. They would prefer that customers lock into long-term postpaid contracts, thereby reducing churn, but customers generally feel otherwise.

Nevertheless, it is possible to introduce customer identification into the prepaid mass-market equation. If customers are given incentives to use their credit cards when buying phones and airtime, then it would be easier to identify those who use their prepaid plans for bad purposes. Many cellular carriers provide bonus airtime to customers that have signed up to auto-refill their airtime balances from their credit cards (or debit cards or bank accounts).

As the article states, some countries are legislating on the issue, requiring prepaid customers to provide ID upon purchase. That’s a good approach, and it should be adopted by countries the world over. In the US, you have to show ID to purchase handguns, so why not for cellular phones as well? However, nobody in their right mind would require background checks on cellphone purchases (gasp--I'm sorry I even put the idea in people's minds).

The Cellular Telecommunications and Internet Association (CTIA) needs to take a strong public position on prepaid plans and the need for customer identification. Otherwise, this issue will fester and put an important service category on the defensive in the PR and regulatory arenas.


Monday, February 14, 2005

fyi "Far Out"... of Compliance (school district RFID kid-tracking)


Pointer to blogpost:

Kobielus kommentary:
This is in regards to the story on a small school district in California, which in January began requiring all students to wear RFID-enabled badges that monitor their whereabouts on campus. The district’s stated reason was to “ease attendance taking and increase campus security."

According to Jamie Lewis, “The school district did this without involving the parents, many of whom are now raising a ruckus. How many ways does this system violate Kim's laws of identity?”

The fundamental issue here is that two types of domains claim control over children’s identities: school districts (during schooldays) and parents (each parent/couple its own household domain, claiming legitimacy in tracking their kids’ whereabouts/doings all the time, including when the kids are in school). And each of them has quite legitimate reasons for wanting to control those identities—or at least track various attributes associated with those identities (such as real-time locations).

Generally, the identity domain of the school administration and the identity domain of the kids’ parents/household are federated to each other, and have the same interests at heart. We have a trust relationship, and a division of responsibilities that is consistent with that relationship. As the parent of two highschoolers, I’d like to know that my offspring are in their school during normal school hours (and normal afterschool hours). As regards their precise locations in their school at any point in time, that’s a secondary concern that I’ll let the school administrators worry about. For me it’s not a privacy-of-my-kids issue. In school, students have no expectation of privacy, except for their lockers, and even there, issues of discipline and public safety make that a meager expectation at best.

As a parent, I wouldn’t choose to de-federate from the public school system (i.e., go the home-schooling route) over an issue such as RFID tracking of students’ whereabouts in school. That’s an administrator’s prerogative. In this case, the law of identity federation applies: domains must be able to establish trust relationships under which they can choose to accept each other’s identity assertions and honor each other’s identity decisions--or reject them--subject to local policies.

In the case of this school district, I would choose to honor the administration’s identity decisions—track kids via RFID--and accept their assertions—kid is here, in the place where he or she is supposed to be. Yeah, the school district should have honored parents by notifying them and consulting with them before they did it.

But, if my kid were in that school district, I wouldn’t raise a bogus privacy concern. And I wouldn't stop them from doing it.

I'm constantly worrying about my kids. In other words, I'm a normal parent.


fyi Cisco To Target XML Messaging Market


Pointer to article:

Kobielus kommentary:
This is one of the biggest, longest, most open secrets in the Web services management (WSM) arena. All the serious action in the WSM space is at the intermediary nodes, which are increasingly becoming full-fledged application-layer routers, competing with the likes of Cisco (which traditionally has operated at the network layer).

No one has doubted for the past several years that Cisco would eventually muscle its way into the application-layer router market—most likely through strategic acquisitions. Cisco has yet to fully show its hand in that regard, but it undoubtedly will come out with scalable, clusterable, hardware-optimized layer-seven router appliances that play nicely alongside its core layer-three routers and traffic management products. I’d be very surprised to see layer-seven router-appliance WSM vendors DataPower Technology and Sarvega stay independent for much longer. They’ve achieved enough of a headstart in that niche to make them quite valuable—or quite threatening--to the Ciscos of the world.

Increasingly, the enterprise service bus (ESB) will be an internetwork of layer-seven intermediary nodes. These intermediaries will facilitate transmission, routing and/or transformation of messages between ESB endpoints. Intermediary nodes in an ESB environment will perform any or all of the various message-oriented middleware (MOM)-oriented services, including queue management, brokering, routing, bridging, leveraging, wrapping, passthrough, and abstraction. An ESB intermediary will also function as an integration broker, orchestration engine, adapter engine, SOAP router, protocol gateway, and/or WSM agent. These intermediaries will increasingly be large, fast, powerful blade/grid servers executing a wide range of functions on a heavy traffic load.

Cisco will just be another purveyor of these intermediary appliances, and not necessarily the principal vendor. Middleware vendors such as IBM, Tibco, Sonic, and others will remain significant forces in the ESB market, as will dominant platform vendors such as Microsoft and Oracle. But Cisco will effectively leverage its layer-three dominance into a respectable share of the layer-seven market. When it actually makes the leap into that niche. Which should be soon.


fyi IBM Sees Hackers Going Mobile, Targeting Phones, Handhelds And Cars


Pointer to article:

Kobielus kommentary:
Another twist on the “identity of things.” The countless computing/communicating things embedded in other things. Those things will need to issue continual “halt, who goes there?” challenges to other things pinging them from all sides, continually running authentication and authorization checks on all these things. Are IdM systems ready for that? Think about automobiles. Things in motion, passing other things in motion all the time. Occupied and surrounded by people (and animals) carrying and wearing things. Bathed in wireless frequencies transporting signals from remote things and people and what have you, all the time. Considering the troubles we’re having with malware things invading every last personal computing/communication device we have, I’d be happy if my principal things—house, car, appliances—remain deaf, dumb, and blind to the new world of communicating things. All the better for the physical protection of me and my loved ones. And for safeguarding my most expensive personal physical properties.

When technology is embedded, we're literally in bed with technology. Are we sure we want to be that intimate with another species?


Saturday, February 12, 2005

poem Sheer Enthusiasm


God's bottled. His fizz
sets the spirit sparkling and
the world on alert.

Friday, February 11, 2005

fyi Spyware vs. anti-spyware: get it together please!


Pointers to articles:

Coast antispyware consortium falls apart

Anti-Spyware Site Knocked Out By DoS

New Program Attacks Microsoft's AntiSpyware,4902,99666,00.html?nlid=AM_B

Nearly 30 Symantec Titles Open To Attack

Kobielus kommentary:
All of these headlines plopped into my inbox in a single day—this morning. It’s enough to make me swear off caffeine. I’ve got bad enough jitters from the morning news—why feed the fire? I’ve recently been plagued by spyware, and a persistent Trojan that keeps the barn door open to more. I have to run four (count ‘em—four!) anti-spyware programs daily to deal with the situation. But that’s like shoveling the snow while the blizzard’s still in progress. What I gather from this news is that the situation will get much worse before it gets better, because:

• The budding young anti-spyware tool industry can’t organize a coordinated collective response to this common threat.
• The anti-spyware tools that are out there are being attacked and neutralized effectively by the spyware community (or by their own inadequate engineering—viz. the beta Microsoft tool that consistently gives me the Blue Screen of Death).
• The big anti-malware vendors don’t necessarily offer rock-solid defenses against spyware and other threats.
• The biggest OS/application platform vendor is still scrambling to put together a coherent roadmap (and is hurriedly acquiring established vendors to cobble together a strategy).

All the more reason why each of us needs to keep virtual baseball bats by our virtual beds. We can’t trust the locks and guards and surveillance systems that we thought were keeping our perimeters safe. Perpetual vigilance, suspicion, and cynicism are the price we pay for Internet-centric computing. Intruders abound. Sometimes, they trigger no alarm. Sometimes, they snip the wires on their way in.


Thursday, February 10, 2005

lol Why Wilco is The Future of Music (According to Larry Lessig)


Pointer to article:

Kobielus kommentary:
I have and love Wilco’s latest two albums, “Yankee Hotel Foxtrot” and “A Ghost is Born”—actually went to Borders and bought the CDs. I also have a purely-downloadable-for-free-thanks-to-our-fans-for-buying-“Yankee Hotel Foxtrot” EP that they released online between the two albums. I also love (but still haven’t gone out and bought, for some reason) their late-90s “Mermaid Avenue” recordings with Billy Bragg, wherein the Yanks and bloke set great new music to great old unsung lyrics from the incredibly great Woody Guthrie.

The quality of Wilco’s music isn’t my beef. I just worry that this band is setting itself up for the inevitable “they suck” backlash that comes from being embraced too tightly by the “cool” digerati and music aficionados. Wilco’s had this “cool” indie prestige for years, far outstripping their actual sales and popularity. They’ve become more a symbol than a band. Though they’re very much a band, and an excellent quirky one. If you actually listen to Wilco’s music, you can’t help wondering how they continue to pull it off: Jeff Tweedy’s voice is feeble at best, their song structures shamble all over the place, their lyrics are occasionally lame and pretentious, and they can’t seem to nail the pop-music hooks that they’re sorta trying to hit.

But I love popping their CDs into the player. And playing them over and over. They’ve got that same goofy shaggy-dog folk/rock-street cred that, say, Neil Young pioneered. And, like Neil Young, they somehow rock memorably against all odds.

No, I don’t manage the band. But I sorta wish all of their “Wilco-as-symbol” devotees would cool it. So the band—actually, let’s cut through the fiction here—Tweedy himself is Wilco—can just make that fun-to-listen-to music.

Why did I label this post “lol”? I think it was because I laughed a sardonic laugh when I saw that “Wilco is the future of music” headline. Heaven help us. God, no more strangling embraces.

Lessig: Just let this band be.


fyi Databases Can't Handle RFID


Pointer to article:,10801,99589,00.html?source=NLT_MW&nid=99589

Kobielus kommentary:
Good ol’ John Fontana of Network World called me the other day for analyst insight on this big bucket of abstraction called the “identity of things.” John’s one of the best tech trade press reporters. You can tell he’s good. He knows the right analysts to call. ;-)

Anyway, I’ve been meaning to opine blog-wise on the “identity of things” for some time. I just didn’t have a good enough fyi handle to hang my thoughts on till I ran across this story this morning.

First off, what the heck does the “identity of things” refer to? On one level, it sounds like some metaphysical plane of existence, some mythical spirit world, some platonic ideal, like the “secret life of plants” or the “lifestyles of the rich and famous.” Like animism: the identities/souls of the inanimate starstuff from which we’re all, magically, composed.

But I digress.

John called for assistance in helping him narrow down the scope of his contemplated article on the “identity of things.” He already had a good understanding of the broad scope of the term, in terms of concrete, real-world, commercial technical approaches, such as IP addressing, RFID, and ID dataweb. He had already ruled out discussion of IP addressing (nothing terribly new there—who’s up on IPv6?) and RFID (far more into the supply chain management angle than John cared to delve in that particular article).

If I had read this article before John called, I would have suggested he explore RFID’s demands on the data storage, transmission, and processing infrastructure. Yeesh—listen to what one British RFID consultancy is finding in the manufacturing industry:

“[The consultants] contend that the [parts-tracking data management burden] will only get worse with RFID, which will balloon the amount of data that's generated and make indexing the information in a relational database prohibitively expensive and all but impossible. [One of them] estimates that if Wal-Mart Stores Inc. logged all of its inventory via RFID tags for a single day, it would reach 7 million terabytes of data. Gulp! Can your database swallow that? Didn't think so.”

That’s one of the big problems with the “identity of things.” There are just too many “things” in the universe. Try giving every star in the sky its own unique name, including the billions upon billions embedded in galaxies, and don’t forget to give each of the countless galaxies their own unique names. After identifying every discrete point of light uniquely, now try storing and managing all those names (plus the associated descriptive attributes of each star) in some master directory database in the sky. Clearly, the directory itself would have sufficiently massive gravitation to form its own black hole, sucking all of the named “objects” in the universe down into some freaky meta-universe, never to be heard from again.

But I’m rat-holing on a metaphor. Also, I’ve overlooked all the planets, asteroids, comets, and empire deathstars orbiting all those celestial bodies. We would need a universal Unicode that supports Klingon character sets, at the very least, to do justice to all that heterogeneity.

Actually, John was primarily interested in ID dataweb—aka federated resource sharing environments built on emerging Web services standards, especially Extensible Resource Identifier (XRI) and XRI Data Interchange (XDI). That’s a hot and interesting topic. John just wanted to know—as do we all—when it will actually become a substantial market. The standards have been laid down, and there are various companies implementing them. Epok in Bethesda MD is among the most advanced in this regard. It has commercial product. And customers.

ID dataweb (actually, there are many synonyms for this emerging space—I’m partial to “federated resource sharing”) is an approach under which every data element in every database can conceivably be given a unique, fine-grained identifier—thanks to XRI, which is backward-compatible with the URI/URN naming scheme that has achieved ubiquity on the Web. Hmmm…I hadn’t thought of that…the World Wide Web was built on the “identity of things” (aka pages, scripts, etc.), leveraging URI, DNS, and IP.

Well, anyway, ID dataweb is an environment within which autonomous data domains can choose to selectively grant fine-grained data-access rights to external parties—and unilaterally rescind those rights. It leverages the identity federation and trust infrastructure being implemented everywhere through open standards such as WS-Security, SAML, Liberty Alliance, and others. It’s a standards-based flexible way of securely setting up and managing as-needed data-integration connections between autonomous organizations. Such as manufacturers, suppliers, distributors, and other participants in a supply chain. Or financial services firms engaging in dynamic partnering on equities underwritings. And so forth. Data integration/exchange/transfer is one of the principal tasks in any B2B collaborative-commerce partnering.

Stevie Wonder once sang “Don’t you worry ‘bout a thing, pretty momma, cuz I’ll be standing in the wings when you check it out.” Well, you gotta worry about “things.” People are going to be checking out those “things” right and left. Here’s an issue that the ID dataweb community must grapple with: As organizations expose/share/protect more of their fine-grained data resources through XRI/XDI, how are they going to manage the massive databases underlying the humongous “directories of things” that result?

Oh…that was unintended…Stevie had an album called “The Secret Life of Plants.” I cycled subconsciously from the Wonder of Motown to the wonder of ID dataweb, and then back again.

Oh well. There you have it. Stranger things have happened.


Tuesday, February 08, 2005

fyi Microsoft turns spotlight on its search engine


Pointer to article:

Kobielus kommentary:
Here’s a search-engine feature request from me to MSN: make it easier to search for spyware/adware signatures. During my recent, nasty infestation by these beasties, my anti-spyware programs (I have several, and use them all, every day) have been only intermittently helpful. They’ve found some problems, but have overlooked others. Often, I’m surprised to see some new icon on my desktop, or new program in my registry, or some new folders and new exe’s, or some irritating new error message upon boot or crash. Having only these scattered bits of text to go on, I’ve had to resort to Google to find out if they’re friend or foe, and often to find out that they’re the latter. Google has pointed me (on some but not all occasions) to tools to fix them, or simply manual procedures that I might try. Given Microsoft’s woefully vulnerable OS, they should make their search engine their “malware annihilation nerve central” for empowering besieged end users (in addition to beefing up their anti-malware tools and protection features in Windows). BTW, I’ve tried their beta Anti-Spyware tool, and running its scan gives me the Blue Screen of Death every time. Often, people are at wit’s end, exhausting all personal resources on these problems. People are feeling precious little love for Microsoft these days, and it all comes down to their security problems’ impacts on their lives and nerves.


Monday, February 07, 2005

imho Critique of Cameron’s Seventh Law


Pointer to blogpost:

Kobielus kommentary:
I don’t think Kim’s seventh law is necessary. I agree with its thrust, but I think it can be resolved to the three identity governance principles I proposed.

First, consider Kim’s wording of his new law:

• “The Law of Harmonious Contextual Autonomy: The unifying identity metasystem MUST facilitate negotiation between relying party and user of the specific identity and its associated encoding such that the unifying system presents a harmonious technical and human interface while permitting the autonomy of identity in different contexts.”

Put more simply, identity environments must not constrain the ability of people and relying parties to arrive at a mutually agreeable handshake on the identities appropriate to particular transactions.

Now, consider the three laws I proposed:

• “Law of identity federation: Domains must be able to establish trust relationships under which they can choose to accept each other’s identity assertions and honor each other’s identity decisions--or reject them--subject to local policies.
• Law of identity assurance: Entities must be able to unambiguously ascertain, resolve, and verify each other’s identities, and reserve the right to refrain from or repudiate interactions in which such assurance is lacking.
• Law of identity self-empowerment: Humans must be able to self-assert their identities, and reveal or conceal as much or little of their identity as they wish, at any time, for any reason, from any other party, for any duration, and also to unilaterally defederate from any domain that deliberately or inadvertently compromises or violates these rights.”

This formulation asserts the critical importance of “local policies”—i.e., those of the identity owning party and the identity relying party—to any identity-based interaction. This is the “context” that Cameron, Lewis, Lemon, and others discussed. It needn’t be a “community context.” Rather, reduced to its simplest, it’s simply the converged interaction-specific contexts of the identity relying and owning parties.

It’s identity impedance matching:

• Sez the identity-owning party: “Here are the identities I might choose to present to you, the relying party.”
• Sez the identity-relying party: “Here are the identities I might choose to honor from you, the identity-owning party.”

If there’s an intersection between those two sets of identities within the context of a proposed interaction, there’s a basis for further negotiation. Hence a basis for further interaction.


P.S. BTW, do people realize I’m looking for a job? I’m looking for a position in the IdM industry. Are my ideas not sufficient to show that I know what I’m talking about? Please call me. 703-924-6224. AIM screen name: "Jim Kobielus"

Saturday, February 05, 2005

poem Sustain


Sort we each to fate
and fascinations,

daily dissolutions,
a sure surprising recrystallization,

assorted morning faces
we make to sustain,

each in our own ways
straight and strange.

fyi SAP plans new platform as competitive weapon


Pointer to article:,10801,99400,00.html?source=NLT_EB&nid=99400

Kobielus kommentary:
I find this story misleading, but not deliberately. It's the sort of cockeyed spin that sometimes gets placed on an important vendor roadmap direction when filtered through CEOs, marketing communications people, and semi-informed reporters.

For starters, SAP does not plan a "new platform." SAP's platform--now and through the remainder of this decade and beyond--is NetWeaver, which is not a single product but an application, integration, orchestration, and development suite. SAP has not changed its direction at all. NetWeaver is the platform.

Next off, SAP does not plan a "new system" by 2007 on which all of its apps and NetWeaver components will run. Rather, it's continuing to enhance the componentry within NetWeaver and all NetWeaver-based SAP apps (mySAP apps, xApps, etc.). The "new system" to which the article alludes is simply continued aggressive enhancement of the SOA, composite app development, and orchestration features of NetWeaver and NetWeaver-based apps. And to be even more painfully specific, SAP will continue to decompose its NetWeaver and mySAP functionality as reusable, recomposable service primitives, which will have their fine-grained APIs exposed via WSDL service contracts in NetWeaver's UDDI registry. This is something SAP has been working on for a while, and has discussed in public for well over a year, including at the recent SAP Analyst Summit in Scottsdale AZ (attended by yours truly and many others).

And this is a great strategy, targeted at existing SAP customers as well as at channel partners who are screaming for SAP's platform/apps to become ever less monolithic and ever more flexibly reusable. But it's not a new strategy, new platform, new component, or new development paradigm for SAP. It's simply a sign of how seriously SAP is implementing SOA throughout their architecture.

I don't doubt they'll make significant progress toward this goal by 2007. But I wish that articles like this would clarify rather than cloud what this important platform/app vendor is doing.


Thursday, February 03, 2005

imho Kim Cameron’s thoughts on messaging federation


Pointer to Kim’s blogpost:

Pointer to my original blogpost on this topic, which Kim commented on:

Kobielus kommentary:
I enjoyed Kim’s kommentary on the pitfalls of traditional SMTP-based federated messaging, and the associated, app-specific federated identity infrastructure.

Specifically, I agree with Kim’s principal remarks:

• “[K]ey to [SMTP’s] early success seems in retrospect to have been that everyone chose a policy of ‘whatever’ - or ‘no policy.’ Who configured a security policy in SMTP back in the eighties or even the nineties?”
• “[W]e are only beginning to move toward email relationships based on proactive policies employing federated identity.”
• “An example of progress? Well, some corporate SPAM filters are now designed to accept mail from known partners and servers - those with whom there is an established pattern of communication. Meanwhile they may apply extremely stringent controls to mail from unknown parties. And more recently people have begun working on designing and deploying "edge servers" that use cryptography and more formal trust relations.”
• “[H]asn't SMTP messaging basically been a free-for-all with an identity system drastically weakened by its lack of authentication?”
• “I think the [mail-server directory harvest] attacks [Kobielus] enumerates result from the lack of authenticated federation, rather than being caused by it.”

SMTP-based Internet e-mail is the first universally interoperable, federated communication environment. The flip side of universal federation/interoperability is universal exposure/vulnerability to all the nasty beasties coming down the wire. When that happens, it becomes more critical than ever to authenticate the content originators (and every router, relay, or server in the delivery chain), and to authenticate the content objects themselves. All of this supports what I said in a separate blog post ( :

• “[S]pam is an identity management problem. Spammers have obtained your authenticated identity (your e-mail address), which allows them to target you with messages, even though you don’t always have theirs (their current e-mail address, IP address, or originating mail domain). Consequently, you can’t effectively target them with filtering and blocking mechanisms. Until you’ve nailed them down to a stable, authentic, verified address. Until you have the evidence necessary to justify adding that address to a whitelist of trusted senders.”

Whitelisting is, in fact, the ultimate solution to the spam problem, and is supported in a growing range of commercial solutions. Note that whitelisting is equivalent to the “contact list” functionality underlying IM services, which only allow messages from a peer group of trusted senders. It’s very likely, as the spam problem intensifies, that e-mail and IM services will begin to merge in this fundamental way: Priority message delivery to a user’s e-mail inbox will be granted only to those senders who have previously been designated a “trusted” sender by the recipient.

Whitelisting depends on an identity infrastructure that can feed trusted senders’ e-mail addresses into anti-spam-enabled messaging environments. Increasingly, anti-spam solutions will retrieve trusted senders’ addresses from authoritative enterprise and e-business directories, using protocols such as LDAPv3 and DSMLv2. All other (untrusted) senders’ messages will be delivered to some other, lower priority drop box or folder on the user’s desktop (or simply blocked and deleted).

Whitelisting and quarantining approaches are not mutually exclusive—in fact, they’re potentially quite complementary. Whitelisting is the only way to ensure a continuously spam-free inbox. However, enterprises want to strike a balance between the desire for spam-free inboxes and the desire not to have any important inbound mail blocked or lost. Messages should be delivered to a point easily accessible to recipients and/or mail administrators. Consequently, administrators (and the vendors who supply them with anti-spam solutions) will need to migrate quarantine folders conceptually from what they are now—glorified trashcans—to something more powerful.

Fundamentally, quarantine folders function as drop boxes for inbound messages that have been filtered, ranked, and categorized by their “spamminess.” As the anti-spam industry develops, we see vendors increasingly implementing these drop boxes along a “trusted sender” continuum: from “off-white” (not from pre-trusted senders but not matching any spam rules or signatures) to “off-black” (not obvious spam but nevertheless matching several critical spam indicators). Inbound messages will, in the filtering process, be automatically scored, ranked, categorized, and placed in the appropriate drop boxes. Tool vendors will base their spam rankings on a weighted synthesis of criteria (identities, rules, and patterns) retrieved from various rulemaking authorities, both internal (mail users, mail administrators) and external (anti-spam blacklisting, whitelisting, and dynamic rulemaking communities).

Of course, whitelisting can only operate effectively if the message senders aren’t spoofed. Hence the need for digitally signed e-mail, trust marks, etc. That’s an important, but orthogonal, issue to the need for dynamic auto-whitelisting with intelligent quarantining mail infrastructures everywhere. All of these enabling infrastructures—messaging, whitelisting communities, blacklisting communities, anti-spam signature identification/distribution communities, PKI—depend on federation.
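The triage pipeline sketched in the last three paragraphs (whitelist first, then a weighted synthesis of rules and patterns that sorts the rest along an off-white to off-black continuum of drop boxes) is concrete enough to show in code. The following is an added example, not code from the post or from any vendor it mentions: the whitelist, the rule weights, the drop-box thresholds and the sample messages are all constructed, and the `sender_authenticated` flag stands in for whatever origin check (signature, trust mark) a gateway would actually perform. The one design point the post insists on is honoured: a whitelist match buys priority delivery only when the sender identity was authenticated, because an unauthenticated address could be spoofed.

```python
"""Tiered inbound-mail triage: whitelist first, then weighted rule scoring.

Added example; all lists, weights and thresholds are constructed.
"""
from dataclasses import dataclass, field

# Constructed whitelist: trusted sender addresses, as if fed from a directory.
TRUSTED_SENDERS = {"alice@partner.example", "billing@vendor.example"}

# Constructed blacklist, standing in for an external blacklisting community.
BLACKLISTED_DOMAINS = {"spam-mill.example"}


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    recipient_count: int = 1
    # True only if the gateway verified the origin (e.g. a valid signature).
    sender_authenticated: bool = False

    @property
    def sender_domain(self) -> str:
        return self.sender.rsplit("@", 1)[-1].lower()


@dataclass
class Verdict:
    drop_box: str
    score: float
    matched: list = field(default_factory=list)


# Constructed weighted rules: (name, weight, predicate over the message).
# A real gateway would load these from internal and external rulemaking authorities.
SPAM_RULES = [
    ("subject_all_caps", 2.0, lambda m: m.subject.isupper() and len(m.subject) > 5),
    ("body_mentions_lottery", 3.0, lambda m: "lottery" in m.body.lower()),
    ("many_recipients", 1.5, lambda m: m.recipient_count > 50),
    ("sender_on_blacklist", 4.0, lambda m: m.sender_domain in BLACKLISTED_DOMAINS),
]

# Drop boxes along the trusted-sender continuum; a message lands in the
# highest tier whose threshold its score reaches (constructed thresholds).
TIERS = [(0.0, "off-white"), (2.0, "grey"), (5.0, "off-black")]


def score_message(msg: Message) -> tuple[float, list]:
    """Weighted sum of the rules the message matches, plus the rule names."""
    score = 0.0
    matched = []
    for name, weight, pred in SPAM_RULES:
        if pred(msg):
            score += weight
            matched.append(name)
    return score, matched


def triage(msg: Message) -> Verdict:
    """Route a message to the inbox or to one of the quarantine drop boxes."""
    # Whitelist is honoured only for an authenticated sender identity; an
    # unauthenticated match gets no priority, since the address may be spoofed.
    if msg.sender.lower() in TRUSTED_SENDERS and msg.sender_authenticated:
        return Verdict("inbox", 0.0, ["whitelisted"])
    score, matched = score_message(msg)
    box = TIERS[0][1]
    for threshold, name in TIERS:
        if score >= threshold:
            box = name
    return Verdict(box, score, matched)


if __name__ == "__main__":
    samples = [
        Message("alice@partner.example", "Q1 numbers", "see attached", sender_authenticated=True),
        Message("alice@partner.example", "Q1 numbers", "see attached"),  # same address, unverified
        Message("promo@spam-mill.example", "YOU WON", "claim your lottery prize", recipient_count=500),
    ]
    for s in samples:
        v = triage(s)
        print(f"{s.sender:28} -> {v.drop_box:10} score={v.score:4.1f} {v.matched}")
```

Note that the unverified copy of a whitelisted address is not punished, only denied the fast lane: it falls through to scoring like any stranger, which is the "trust but verify" posture rather than a hard block.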

Federation is the core concept: “autonomous domains that choose to accept each others’ assertions and honor each others’ decisions, per trust relationships, interoperability agreements, and local policies.”

Oh…speaking of authenticated identities….my surname is spelled “Kobielus.” But you can call me…


Wednesday, February 02, 2005

lol Doodling Megalomaniac Not Tony Blair, But Bill Gates


Pointer to article:

Kobielus kommentary:
Insert punchline here. I suspect that this story is fabricated. But sometimes the news is just pure comedy. The word “doodling” by itself it funny, but prepended to “megalomaniac,” it’s pure comic gold. I remember in the late 60s that someone got a hold of John F. Kennedy's doodlings from a cabinet meeting, and made metal sculptures out of them. To what artistic medium would you transform Bill Gates' doodlings? Keep it clean, folks. I doodle in poetry.


Tuesday, February 01, 2005

fyi CipherTrust: Mail Senders 'Guilty Until Proven Innocent'


Pointer to article:

Kobielus kommentary:
Ahh…such an inflammatory headline.

The actual article isn’t sensational at all, just thought-provoking. It presents an important anti-spam technique to be employed at mail firewalls: evaluating the potential spamminess of incoming e-mail based on the “reputation” of the IP address from which the mail originated. Specifically, it discusses CipherTrust’s approach for evaluating the “reputation” of an IP address based on its history of generating spam. In particular, it discusses how or whether one can evaluate the “reputation” of the many newly created IP addresses—perhaps 30 percent of the total on any given day—which, by definition, have no history.

What was interesting here is that CipherTrust's mail gateway evaluates these addresses’ “reputation” not individually, but en masse, based on the recent spam-generating behavior of the total class of newly created IP addresses. And then uses that evaluation as one of many factors to take into consideration when filtering mail from these sources. Hence the “guilty until proven innocent” preliminary evaluation on these addresses re their spam-potential.

Which only makes sense. In one important respect, spam is an identity management problem. Spammers have obtained your authenticated identity (your e-mail address), which allows them to target you with messages, even though you don’t always have theirs (their current e-mail address, IP address, or originating mail domain). Consequently, you can’t effectively target them with filtering and blocking mechanisms. Until you’ve nailed them down to a stable, authentic, verified address. Until you have the evidence necessary to justify adding that address to a whitelist of trusted senders. Even then, you can’t know whether your trusted senders have been hijacked by zombies, so you must continually “trust but verify.”

To the extent that you’re bombarded by mail from apparent strangers (i.e., unfamiliar/new IP addresses, e-mail addresses, etc.), you should presume they’re a possible threat, unless you have compelling indications otherwise. The more impermanent our IP addresses get, the more dynamic (and provisional) our whitelists must become. And the more often we have to do a “halt who goes there” sentry check with any knock on our virtual door.
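The reputation logic described above has two parts worth seeing together: an address with no history is judged en masse, at the recent spam rate of the whole class of newly seen addresses, and an address that already earned a whitelist entry is still re-checked against its own recent behaviour. The following is an added example and is not CipherTrust's code or anything from the article; the history table, the cohort spam fraction, the prior weight and the thresholds are constructed. The blend used here (a fixed number of pseudo-observations at the cohort rate, mixed with the address's own counts) is one simple way to let the individual record gradually outweigh the class prior; the article does not say how CipherTrust combines the two.

```python
"""IP-reputation lookup with a cohort prior for never-seen addresses.

Added example; history, cohort statistics and thresholds are constructed.
"""
from dataclasses import dataclass


@dataclass
class History:
    total: int          # messages seen from this address
    spam: int           # of those, how many were judged spam
    whitelisted: bool = False


# Constructed per-address history, as a gateway might accumulate it.
HISTORY = {
    "203.0.113.10": History(total=400, spam=8),                    # long, mostly clean record
    "203.0.113.77": History(total=120, spam=100),                  # established spammer
    "198.51.100.5": History(total=50, spam=0, whitelisted=True),   # trusted partner
    "198.51.100.6": History(total=60, spam=45, whitelisted=True),  # trusted, but now hijacked
}

# Constructed cohort statistic: of the addresses first seen in the last day,
# the fraction that went on to send spam. This is the "en masse" prior.
NEW_ADDRESS_SPAM_FRACTION = 0.7

# How many pseudo-observations the cohort prior is worth; once an address has
# more real observations than this, its own record dominates.
PRIOR_WEIGHT = 20


def spam_probability(ip: str) -> float:
    """Blend the address's own history with the new-address cohort prior.

    An address with no history gets exactly the cohort rate; as observations
    accumulate, the estimate moves toward the address's own spam fraction.
    """
    h = HISTORY.get(ip)
    if h is None:
        return NEW_ADDRESS_SPAM_FRACTION
    return (h.spam + PRIOR_WEIGHT * NEW_ADDRESS_SPAM_FRACTION) / (h.total + PRIOR_WEIGHT)


def verdict(ip: str, suspect_threshold: float = 0.5, revoke_threshold: float = 0.5) -> str:
    """Provisional classification, meant as one input among many to the filter."""
    h = HISTORY.get(ip)
    p = spam_probability(ip)
    if h is None:
        # No record at all: judged at the cohort rate until it earns one.
        return "provisional-suspect" if p >= suspect_threshold else "provisional-ok"
    if h.whitelisted:
        # Trust but verify: a whitelisted address that starts spamming loses its standing.
        return "trusted-revoked" if p >= revoke_threshold else "trusted"
    return "suspect" if p >= suspect_threshold else "ok"


if __name__ == "__main__":
    for ip in list(HISTORY) + ["192.0.2.9"]:  # last one is never seen before
        print(f"{ip:14} p(spam)={spam_probability(ip):.2f} -> {verdict(ip)}")
```

Because the verdict is provisional rather than a block, a brand-new address that behaves well will see its estimate fall below the threshold as its own clean observations accumulate, which is the "until proven innocent" half of the headline.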

Or set of doors. Inbound messages must run a gantlet of sliding doors—i.e., mail gateways—before they enter the inner sanctum of our inbox. Like Maxwell Smart, only smarter. That’s the only way our mail-handling infrastructure can layer the intelligence needed to hold back the tide.