Friday, April 29, 2005

fyi Regime for Privacy Protection

All:

Pointer to blogpost: http://www.identityblog.com/2005/04/12.html#a187

Kobielus kommentary:
“Regime for privacy protection”? Sounds like an oxymoron. Privacy protection by a system, or “The System”? Privacy protection is founded on our ability as solitary souls to keep the system, the world, and all its prying eyes and tentacles at a comfortable distance. The “legal architecture”—i.e., the superstructure of any regime, benign or otherwise—is a regime within which attorneys, judges, jurors, and other third parties invade our privacy membrane for the purpose of defending vs. puncturing it, enforcing vs. invading it, and generally trampling it in the act of “recognizing” it. Likewise, a commercial regime has no interest in respecting our privacy, since companies’ every fibre is bent on targeting, selling, delivering, serving, and otherwise tracking, billing, and extracting payment from us based on whatever identity information they can find on us, and the more the merrier. Sounds about as Kafkaesque as it gets.

Privacy feels like the sort of comfort zone that gets institutionalized at its own peril. It’s the sort of buffer zone that must be maintained by self-interested self-aware evasion, subterfuge, and cloaking. Everybody who ever comes into contact with every aspect of our persona inadvertently participates in trampling our privacy, regardless of whether they, individually or as part of a system, regime, or superstructure intend to compile a “superdossier” on us. This notion of a superdossier, continually compiled by a shadowy cabal of ubiquitous conspirators, is the stuff of superparanoia.

Privacy is something we surrender, to greater or lesser degrees, by the act of being born (which leaves at least one permanent public record—two, if you’re in a bureaucratic religious sect, such as Roman Catholicism, that requires that infants be baptized within a certain number of days after birth). God is the prime witness of our entry into the public world, and the county birth registrar comes second.

Correct me if I’m wrong, but aren’t the most privacy-conscious people the most unhinged? The Ted Kaczynskis of this world. The very people who flee the legal, commercial, and civil-behavior regime that the rest of us choose to inhabit, for better or worse. The sorts of people who see the public world as an all-pervading threat that must be annihilated?

Privacy is important, of course. But let’s not imagine that privacy-protection mechanisms, laws, and other public institutions and organizations can actually guarantee some all-pervading bliss called “privacy.”

They just offer new doors we can shut upon occasion to cloak some personal attribute, behavior, or situation that’s our business. And ours alone. Within the bounds laid down by civil society.

Jim

Thursday, April 28, 2005

fyi Is technological innovation ying or just yang?

All:

Pointer to blogpost:
http://www.identityblog.com/2005/04/13.html#a189

Kobielus commentary:
You mean “yin or yang,” but who’s paying attention. Cameron is engaged in a ping-pong with others in the identity blogging community, and the number of words and mass of umbrage in this particular post far outweigh the insight content.

The kernel of a point in this piece is that technological innovation (SOA, ESB, Web services, etc.) certainly drives the development of the increasingly integrated global identity environment, but the multi-everything (-jurisdiction, -authority, -organization, -domain, -platform, -protocol, -application, -etc.) federation governance issues require what Cameron calls an “identity metasystem” that can operate as a neutral backplane bridging, brokering, and mediating among these many dimensions, and among legacy, current, and future identity environments. And this “metasystem” is not something that can be laid down by decree, or even planned in any coordinated fashion, or “reformed.” It’ll just form and re-form itself, emerging from the evolutionary goo of the IdM landscape, taking whatever shape the geometry of the identity space-time continuum requires.

You can tell I’ve been reading about non-Euclidean geometry recently. In particular, the pivotal roles of Gauss and Riemann in the 19th century in defining a non-Euclidean geometry built on the notion of “curvature” and “hyperspheres.” A hypersphere is an abstraction that maps points on two 3-dimensional spheres as if those spheres were "hemispheres" of some fourth-dimensional object, so that when you cross the abstract "equator" from one "hemisphere" (aka, a 3-dimensional sphere) to its counterpart, you're moving to the "adjacent" point in the counterpart "hemisphere" (i.e., 3-d sphere). Or you can map from one point on one sphere to its "antipodes" point on the counterpart sphere.

As I said, a hypersphere is an abstraction that maps the sphere concepts--center point, radius, diameter, great circle--from the 3rd to the 4th dimension. Don’t want to bore you with all the details, but it’s clear that, when you look out into the universe, you’re looking at light that issues from both spheres of this all-encompassing hypersphere: the sphere of the deep past and the sphere of the deep future: the sphere of the alpha and the sphere of the omega: the sphere of oldest light that shows our current view of where we originated (the Big Bang), and the sphere of newest light that shows our destiny (ever receding “away” from the Big Bang). Recognizing that these two spheres of light are superimposed on each other, and, in fact, every point in the sky rests on both spheres.

Mind blowing, eh? Think of how flat maps of the earth distort the paths among points on this spherical planet, and how we can plot out a circular azimuthal great-circle-radiating flat map from our current earthly location to any other location on earth, and how our current antipodes—a single point on a sphere--appears on such a map as a full-circle surrounding the entire plot. What I suspect is that the “cosmic background radiation” is simply the all-encompassing, 360-degree smear of oldest light from the Big Bang, splayed all around us like an apparent full-sphere on the alphasphere. When in fact that apparent full-sphere is in reality a single point.

The singularity point. Our singular temporal and spatial antipodes point. The Big Bang.

Ah yes. The wonder of coffee. Yin and yang? Alpha-omega. Antipodes. Where did I start this post? Now I'm disoriented. And I've probably screwed up the spacey higher geometry bigtime. Oh well, I'm nothing if not pretentious and overreaching.

Jim

Tuesday, April 26, 2005

poem Clip

CLIP

Shadow of a high
plane crossed my car's path
and vanished. A false
moon. A crisp eclipse.

Friday, April 22, 2005

lol Syntax Error (deliberate tech b***sh*t paper accepted by tech conference)

All:

Pointer to article:
http://www.washingtonpost.com/wp-dyn/articles/A6622-2005Apr21.html?referrer=email

Kobielus kommentary:
We all know how easy it is to lapse into high-falutin b***sh*t in this biz, and how easy it is to pass off derivative ideas under a cloak of jargon. So much of modern technology is abstract, recombinant, sprawling contraptions of the mind. Some of these contraptions manage to get translated into stuff that actually improves people’s lives, while the rest just remains in the limbo between thought and illusion.

Which is why it doesn’t surprise me that a computer-generated string of syntactically well-formed tech-spew could be accepted more or less sight-unseen for publication by a tech conference. Being able to “talk the talk” gets many people very far in this biz. Marketing people, for example. Do they fully comprehend what they’re putting forth? Do their customers fully comprehend what they’re buying? Do the engineers who build this stuff understand every last detail, interface, component, and interaction? No…we’re winging it from day to day, and project to project. Hoping to bootstrap our understanding on the fly, plunge into the maelstrom of new complexity, and somehow stay on top and in the biz.

Which brings me to one of the alliterative mnemonic strings I’ve been brandishing for years: Where there’s change there’s complexity. Where there’s complexity there’s confusion. Where there’s confusion there’s a need for clarity. Where there’s a need for clarity there’s a need for consultants to come in, clean up the mess, and cash in. And/or contribute more confusing cognitive crapola. And still cash in.

And sometimes I wonder why I have a headache at quitting time. Quitting time—what an archaic notion. We’re swimming in this confusion, 24x7. Some are pissing in the pool.

Jim

Wednesday, April 20, 2005

fyi Identity Theft Could Become A Legal Liability, But It's Also A Sales Opportunity

All:

Pointer to article:
http://www.crn.com/nl/security/showArticle.jhtml?articleId=160901599

Kobielus kommentary:
Many IT vendors are pitching the “compliance” features of their wares.

By “compliance,” they’re usually referring to such US laws/regulations as Sarbanes-Oxley, HIPAA, and Gramm-Leach-Bliley. These are essentially top-down mandates to implement lifecycle controls over information access, transfer, storage, and management, leveraging strong authentication, authorization, encryption, digital signatures, risk assessment, auditing/logging, and so forth. In other words, the whole bag of goodies that IT security vendors and consultants have to offer.

This article points out that the ultimate battleground for “compliance” will probably be bottom-up: driven by the growing volume of lawsuits by people who have been the victims of identity theft. In this regard, it’s just going to get nastier and more litigious for more companies who collect and manage this info. The news stories of identity theft will just grow in frequency, shrillness, and alarmism.

In defending your organization against these increasingly inevitable lawsuits, it would behoove you to make sure you’ve got compliance—a la SarbOx, HIPAA, and GLB—nailed down good and tight. That way, you’ll stand a better chance of proving to judges that you’ve implemented any and all necessary controls and safeguards on the identity info you manage, per industry best practice, and in keeping with national laws, regs, and standards.

IT vendors should begin to recast their compliance pitches in terms of customers protecting themselves from the coming deluge of identity-theft lawsuits. SarbOx, HIPAA, and GLB are fuzzy mandates with loose timeframes for compliance and unclear punishments. But lawsuits are nasty, unexpected shots fired across your bow, and demand an immediate attention to defensive pre-emptive strategy.

Jim

Tuesday, April 19, 2005

fyi Vatican Goes High Tech, Jams Signals in Sistine Chapel

All:

Pointer to article:
http://www.newsfactor.com/story.xhtml?story_id=33022

Kobielus kommentary:
The penalty for communication is excommunication.

This supersecrecy is just a bit silly, don’t you think? I’m a Roman Catholic, and I don’t quite care what the cardinals say to each other, or what principles and prejudices inform their election of the next pontiff. The church changes at a glacial pace, even under extraordinary circumstances, and the next person in St. Peter’s chair will be, for all intents and purposes, indistinguishable from the late pope, in terms of their desire or ability to reform this huge, ancient religious institution. Actually, that deep conservatism is what many people value most about Catholicism.

Clearly, the Catholic church is trying to maintain the illusion of unanimity that will bolster its claims for the “infallibility” of the next person to wear the supreme mitre. But that person will undoubtedly be one of the 100+ fallible human beings in that chapel today. We all know that the cardinals are distinct personalities, with different backgrounds and priorities, and different opinions on all things religious and secular. Somehow, for all their differences, the person so elevated becomes magically infallible in the act of elevation. I don’t buy it.

So these institutional and technical cloaking mechanisms are understandable, in terms of the church’s culture and ideology. I like the fact that “conclave” comes from the Latin “with key.” Which puts me in mind of secret keys, symmetric keys, encryption keys, and so forth. Someone will emerge from the Sistine Chapel with the key to that particular kingdom, and all of them will be sworn to secrecy, which won’t prevent people from attempting to eavesdrop on their discussions (via cellphone, e-mail, etc.) when they go back to their dioceses. There’s no way that 100+ men who meet with each other frequently can jointly and forever protect secrets from leaking out (on the bold assumption that people will care much about this after the next pope’s name is revealed and the church goes back to the same ol’ same ol’).

I wonder if failure to use strong encryption would be grounds for excommunication.

Jim

Wednesday, April 13, 2005

fyi Gorbachev: IT could learn from Pope John Paul II

All:

Pointer to article:
http://www.computerworld.com/managementtopics/outsourcing/story/0,10801,101029,00.html?source=NLT_PM&nid=101029

Kobielus kommentary:
This is one of those peculiar stories where the former head of an aggressively atheist state cites the late head of a theist state and religious institution. And reveals his lack of understanding of development economics. I doubt that the recently departed pope understood these things any better.

Fundamentally, the last premier of the Soviet Union is calling for more offshore outsourcing of IT jobs to the developing world. In other words, he’s recommending (superfluously) the continuance of a strong trend that’s well underway. Citing the late pope, Gorbachev implies that this strategy is an act of charity, or should be regarded as such, and should be encouraged on those grounds. Somehow, oddly, communism and catholicism share a belief in the primacy of institutional charity over free-market commerce. As if the former were inherently more virtuous than the latter, or more fruitful materially and spiritually, or more blessed in the eyes of God or Marx.

I think that’s a well-meaning but wrongheaded way to look at the situation. I’m no fan of Ayn Rand, but I believe that self-interest in a competitive market culture is healthy for the society as a whole, and for individuals’ growth and self-realization. Yeah, I’m a secular humanist. Offshore outsourcing should be pursued selectively, only for those functions (call center, development, design, manufacturing, etc.) where it makes sense, in terms of cutting costs, improving quality, accelerating delivery, and so forth, without compromising quality or service. To the extent that offshore outsourcing doesn’t advance those business objectives, it shouldn’t be pursued. Sure, companies shouldn’t be discouraged from the occasional charitable donation, and there are certainly important niches for non-profit orgs, but the mainstream economy must depend on profit-maximizing enterprises. Besides, developing nations wouldn’t benefit, in the long run, from ill-considered outsourcing moves, such as those that jeopardize the outsourcer’s solvency and/or competitive posture.

Offshore outsourcing is capitalism, not charity. Gorbachev implies that offshore outsourcing should be pursued even if it doesn’t contribute to profit maximization. That’s a self-defeating approach to economic development. Charitable acts are sometimes critically necessary as one-off or situational responses to need, or when the recipient needs ongoing support without any hope or expectation of their being able to repay the gift. Charity’s a one-way street: it doesn’t normally empower the recipient to eliminate their need for future charity. By contrast, investment acts aim at fostering long-term economic development, wealth formation, and greater independence at the recipient’s end. Investment’s the “gift” that keeps on giving.

Contrary to Gorbachev’s claim, the US-based and other companies that engage in offshore outsourcing don’t generally worry about cultivating potential competitors (though it can certainly have that long-term effect). An outsourcer primarily focuses on the tactical necessity to farm out some function to a low-cost location. It’s only the misguided nationalists—the politicians, not the business people—who beat a jingoistic xenophobic drum over such things. As if nations were economic fortresses and not simply economic amoebas with shifting shapes and porous membranes.

Gorbachev complains that “the U.S. must allow Russia and its companies to have equal footing. Russia will not accept a position of junior partner.” My response to him would be that it’s not a matter of the US or any other country “allowing” Russia and its companies that “footing.” It’s a matter of Russian companies seizing that footing by competing aggressively. Just the same way companies from Japan, Korea, India, China, and other countries have done and will continue to do. If you want our investments to bootstrap yourselves to that level, then provide a conducive investment environment. If you want to fund your own economic development, then create the appropriate entrepreneurial culture, legal system, fiscal incentives, and so forth.

There are certainly a lot of smart, well-educated, professional IT people in Russia, and in other developing nations. They shouldn’t simply depend on other countries’ IT companies to outsource this or that peripheral function. They should grow their own. And play on the world market, like everybody else. Same rules, same playing field, same risk/reward equation. No guarantees.

Jim

Tuesday, April 12, 2005

fyi Service Lets Customers Buy with a Phone Number

All:

Pointer to article:
http://www.eweek.com/article2/0,1759,1783798,00.asp

Kobielus kommentary:
I’m trying to decide whether this is a great service or a great folly. Several things about the MobileLime payment service bother me:

• Requires an account with a payment processor (MobileLime) other than my credit card company: hence, another institution to trust with critical identity information; and another bill for me to deal with at the end of the month
• Uses the last four digits of my cellphone number as my sole credential into the MobileLime payment service; a step backward from the nominal two-factor authentication method of presenting a physical credit card and affixing my signature to a payment form; more critically, it uses a very public string of numbers as my “PIN” (or what have you) into the service; we are talking phone number here, the very same number I give to many people, and publish on my business card;
• Requires customers to identify the merchant they want to use about an hour before making a purchase; this sounds like the payment card equivalent of Viagra; few people pre-plan their spending that way; most spend spontaneously, or without elaborate arrangements; this “security” feature of MobileLime totally destroys the supposed convenience of the service; few people, for example, pre-arrange to be picked up by a particular taxi company; consequently, the taxi example that opens the story is entirely bogus
• Requires that customers subject themselves to mobile text-message spam for ads and promotions from participating merchants; this is either a service or disservice to the customer, and I’d bet that most would regard it as the latter; it’s more of an in-your-face marketing service to merchants, like the obnoxious spam, pop-ups, interstitials, and banner ads we’ve had to swallow on the Web

The supposed time you save quoting those four digits is negligible, compared with the speed with which a wireless-enabled mobile credit card reader can operate. Shave ten seconds off the tail end of your next cab ride. If you’re that pressed for time, then you haven’t prearranged your travel schedule with enough buffer time to keep you from missing your connection. And if you can’t prearrange your travel schedule, then you certainly can’t prearrange the next several impulse purchases you’re going to make while rushing to that next appointment. Keep your cellphone in your pocket and make a mad dash for it.

Jim

Monday, April 11, 2005

fyi Lessig: A war against the freedom to innovate

All:

Pointer to article:
http://blogs.zdnet.com/BTL/index.php?p=1247

Kobielus kommentary:
Lessig is unfairly stereotyping all litigious software IP defenders as, in the words of the article’s author, “patent-wielding legacy businesses.” Many innovative software companies consider IP development—culminating, they hope, in patentable innovations—as part of their core business model and hoped-for revenue stream. We’re talking startups and small businesses, as well as the Microsofts of the world, and we’re talking new software development, not just legacy software patents. As long as the current system of software patents endures, inventors—large and small--would be remiss in their fiduciary responsibility to their investors if they didn’t attempt to seek whatever legal protections the current system offers. Lessig’s primary beef is with the software patent system as a whole. And there’s a lot in the current system that needs to be reformed. But it’s unfair for him to stigmatize people and companies that are only doing their best under the rules of the current system.

Jim

fyi Missing The Point On Thunderbird

All:

Pointer to article:
http://update.internetweek.com/cgi-bin4/DM/y/enEe0GN5MD0G4X0DJre0EQ

Kobielus kommentary:
OK, I’ll add my puny mass to the general pile-on. My primary objection to Thunderbird is its newsreader’s inability to import an OPML list of channels and blogs. Considering that I have dozens of channels/blogs that I read regularly, and would like to read within the context of an integrated e-mail/newsreader client, that was the showstopper. I downloaded and installed Thunderbird when it was released, futzed around with it for a few days, then de-installed it.

What I need, above all, is a more perfect firehose filter. Anything that helps me sift more quickly through a growing stream of content—e-mails, newsletters, newsfeeds, blogs, etc.—will rock my world. Anything that increases my span of information while also reducing my burden (in effort expended and hassles endured) in accessing, aggregating, reading, absorbing, sorting, filing, and otherwise disposing of that information. Anything that delivers the world of important new stuff into my consciousness in a flash without requiring me to so much as lift a finger or bat an eye (OK, that latter requirement is going a bit far--a bit sci fi).

News is my primary addiction, as it is for any analyst. In case it’s not obvious by now, I draw energy and inspiration from news. Hence the fyis, such as this.

Jim

Friday, April 08, 2005

fyi RFID moves beyond supply chain mandates

All:

Pointer to article:
http://www.computerworld.com/mobiletopics/mobile/story/0,10801,100886,00.html?source=NLT_ERP&nid=100886

Kobielus kommentary:
Complying with mandates… such a Y2K-plus concern. Interesting how the Internet economy sprung up spontaneously in the late great 90s without any such mandates. By contrast, this current decade has been pure crackdown, lockdown, whip-cracking, hatch battening.

RFID is a technology that will quickly become ubiquitous, with or without supply chain mandates. This article notes the trend toward ongoing, widespread, horizontal, general-purpose implementation of RFID across diverse use cases, application domains, vertical markets, and business processes. The grand test of any new technology is, as the article points out with RFID, its rapid adoption for tactical, closed-loop, quick-payback applications.

By pressing digital identities more deeply into the everyday fabric of things—and of people’s personal possessions—RFID carries forward the revolution that began with the invention of the URL. The rapid worldwide adoption of the URL (and its brethren: the URI, URN, etc.) in the mid 90s was the true turning point in the rise of the Internet economy. For the first time, it became feasible to implement an “all points addressable” world within which all entities were uniquely identified.

RFID brings all points addressable closer to its ultimate realization. However, all points addressable has its obvious downside. As the article notes, RFIDs are essentially visible/exposed to anybody/thing in their immediate vicinity. That’s why it’s critical, if we’re going to rely so heavily on this technology in all spheres of our existence, to adopt the following RFID implementation guidelines widely:

• Store as little identity information as absolutely necessary on the RFID tag;
• Configure the tag to broadcast a pointer to a secure firewalled identity repository, for RFID-relying applications that require further identity information on the tagged entity;
• Harden the tag-resident ID, so that it can’t be overwritten by unauthorized third parties;
• Configure the tag with a private key and the crypto algorithms necessary to digitally sign and encrypt the broadcast ID, so that it can only be read by authorized third parties, and can’t be spoofed;
• Issue digital certificates for all RFID-tagged objects, or, more manageably, for the owners/holders/platforms of RFID-tagged objects, to support the requisite digital signatures and encryption
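One way to model the signed-pointer design that the guidelines above describe, as an added example (not code from the original post or from any RFID product): the tag stores only an opaque pointer and a private key, broadcasts the signed pointer, and the firewalled repository resolves it to an identity record only when the signature verifies against the key enrolled for that pointer, so a cloned tag that knows the pointer but not the key resolves to nothing. It assumes Ed25519 as the signature scheme and a raw enrolled public key standing in for the holder’s certificate; encryption of the broadcast and replay protection are not covered here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Tag carries only an opaque pointer and a signing key, never identity attributes.
type Tag struct {
	Pointer [16]byte           // opaque handle into the identity repository
	priv    ed25519.PrivateKey // tag-resident private key, never broadcast
}

// Broadcast is the over-the-air message: the pointer plus a signature over it.
type Broadcast struct {
	Pointer [16]byte
	Sig     []byte
}

// NewTag mints a tag with a random pointer and a fresh Ed25519 key pair.
func NewTag() (*Tag, error) {
	t := &Tag{}
	if _, err := rand.Read(t.Pointer[:]); err != nil {
		return nil, err
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.priv = priv
	return t, nil
}

// Emit produces the signed broadcast; only the pointer travels in the clear.
func (t *Tag) Emit() Broadcast {
	return Broadcast{Pointer: t.Pointer, Sig: ed25519.Sign(t.priv, t.Pointer[:])}
}

// Repository stands in for the firewalled identity store behind the pointer.
// The enrolled public key plays the role of the holder's certificate
// (simplified to a raw key here rather than an X.509 certificate).
type Repository struct {
	certs   map[[16]byte]ed25519.PublicKey // pointer -> enrolled public key
	records map[[16]byte]string            // pointer -> identity record
}

func NewRepository() *Repository {
	return &Repository{certs: map[[16]byte]ed25519.PublicKey{}, records: map[[16]byte]string{}}
}

// Enroll binds a tag's pointer to its public key and to the full record.
func (r *Repository) Enroll(t *Tag, record string) {
	r.certs[t.Pointer] = t.priv.Public().(ed25519.PublicKey)
	r.records[t.Pointer] = record
}

// Resolve is the only path from a broadcast to identity data: a cloned or
// tampered broadcast that fails to verify against the enrolled key yields nothing.
func (r *Repository) Resolve(b Broadcast) (string, error) {
	pub, ok := r.certs[b.Pointer]
	if !ok {
		return "", errors.New("unknown tag pointer")
	}
	if !ed25519.Verify(pub, b.Pointer[:], b.Sig) {
		return "", errors.New("bad signature: spoofed or tampered broadcast")
	}
	return r.records[b.Pointer], nil
}

func main() {
	repo := NewRepository()
	tag, err := NewTag()
	if err != nil {
		panic(err)
	}
	repo.Enroll(tag, "constructed record: laptop, serial PLACEHOLDER-0001")
	rec, err := repo.Resolve(tag.Emit()) // genuine tag: the record resolves
	fmt.Println(rec, err)
	clone, _ := NewTag() // cloned tag knows the pointer but not the private key
	clone.Pointer = tag.Pointer
	_, err = repo.Resolve(clone.Emit())
	fmt.Println("clone:", err)
}
```

The reader side never sees more than the pointer on the air, which is the point of the second guideline; what it learns comes from the repository, and only after the signature check.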

All points can become addressable only if we have the means to retrofit old things for this new identification scheme. I predict that, before long, we’ll be able to go to stores to pick up pads or rolls of RFID-bearing “post-it”-type adhesive tags. We’ll apply those tags to any and all of our personal possessions. We’ll also be able, when we purchase those RFID tags at the store, to automatically purchase the requisite digital certificates and RFID “base station” allowing us to set up, configure, and administer all RFID tags in our household (including those that will come embedded in all new movable electronic and other possessions). We’ll be able to plug our RFID base station into our home security system (or, preferably, the security system will automatically recognize and configure the RFID base station over WiFi or whatever home wireless network we have installed). When one of our RFID-tagged possessions leaves our home, the security system/RFID base station will notify us, or send an alarm to the police, or update our home property inventory. Or all of the above.

This is not a far-fetched RFID mass-market scenario, and I expect it will become commonplace by the end of this decade. This isn’t a supply-chain application of RFID, and nobody will mandate that we implement tighter surveillance over our personal possessions. It’s just gut-level, personal-protection common sense.

And it’ll bring PKI into the mass market in a major way too.

Jim

self New job

All:

On the off-chance that anybody cares, I want to let you know that I found a new job. I’m a senior technical systems analyst with Exostar LLC, which is a hosted B2B trading exchange serving the aerospace and defense industry. Exostar is a five-year-old joint venture owned by Boeing, Lockheed Martin, Raytheon, Rolls Royce, and BAE. I’m part of the team that’s building out Exostar’s identity, trust, security, and policy infrastructure for collaborative commerce. I’m in Herndon VA, just a stone’s throw from Washington Dulles International Airport. My new work e-mail is james.kobielus@exostar.com. My new work phone number is 703-793-7730.

Obviously, I’ve slacked off on posting IT-related stuff to this blog over the past few weeks. To fill the dead air, I’ve generated a few new poems. I promise to get back to posting tech-related musings regularly. Just settling into my new routine. Thanks (if you’re still reading this blog) for your patience.

Jim

Wednesday, April 06, 2005

poem Static

STATIC

When the music dies
and radio formats go
flat, we just whistle.

Some hum and drum their
fingers along any
idle limb.

Some turn up the din
and, streaming,
sift.