All:
Pointer to article: http://www.informationweek.com/story/showArticle.jhtml?articleID=166400224
Kobielus kommentary:
Yeah, Google knows more and more about you and me. But I’m not worried about them violating people’s privacy or leaving themselves open to identity theft in any major way.
Why am I not worried? It’s because Google is such a hugely visible player in the industry, and has so many competitors for all of its offerings, that any major screw-up would be a public relations disaster. More to the point, any negligence or evil on their part would devastate their business, driving customers away faster than a bit over broadband, deep-sixing Google’s stock price and street cred overnight.
Also, Google has a corporate conscience, hence is easily shamed and would quickly remedy any transgression—perceived or real--through substantive action. Should they screw up, they would—I suspect—immediately come public with it, shoring up their reputation before it can sustain major damage.
Competition, litigation, and shame--the chief checks and balances in the corporate world.
But, of course, as the article states, Google’s vulnerability to identity theft and privacy violation is growing. So what else is new? Identity theft has become the tabloid sensationalism-mongering topic of the year. Every company that collects even a shred of personal data on customers is more vulnerable—in the public’s minds, at least—simply because this threat is more salient in the culture now, and more lawyers are salivating at the prospect of initiating class-action lawsuits should any major or minor Internet company slip up.
It’s a fact. Our culture moves through these phases of fear- and greed-mongering, always latching onto a new issue to launch the inevitable litigation. Google would be remiss if it didn’t have its people working on legal, PR, and technical counterstrategies in case it too gets swept up in the identity-theft hysteria.
Jim
Tuesday, July 19, 2005
Sunday, July 17, 2005
fyi Blogs Really Aren't So Unique
All:
Pointer to article:
http://www.publish.com/article2/0,1895,1837112,00.asp
Kobielus kommentary:
I agree with Coursey’s thesis, but that’s beside the point.
I don’t quite care whether the blogging phenomenon goes the way of the CB radio. I don’t care whether blogging is all that different from other media. I don’t care whether my blog is looked upon as a self-indulgent vanity press-cum-diary. I don’t care whether people see my blog as flaky, pretentious, boring, ponderous, verbose, or mysterious. I don’t care whether anybody in particular is reading my blog. I don’t care whether anybody else sees any rhyme or reason to the motley assortment of topics and thoughts I post to this space. I don’t care whether I ever monetize or otherwise make a living from my blog. I don’t care if I get lost and ignored in the vast blogosphere. I don’t care whether blogging makes me hip or more deeply brands me as the nerd I’ve always been. I don’t care whether my blog is successful in any way at shaping or swaying minds and hearts. I don't care if you think I'm blogging to hear myself blog. And I don’t care if my blog posts are too long for the short attention spans out there.
I’m not doing this for out there. I’m doing this for in here. I just need an outlet for my ideas. Anybody who's ever known me should know by now that I live to create and spread ideas drawn from research and continual cogitation. I’ve been so accustomed for so long to having my well-crafted thoughts and words go plop in the void, that blogging for me is just more of the same ol same ol. I'm so used to being misconstrued that I need one place where the construing is all pure me. Where it's all me, only me, all the time, straight and direct, thinking whole thoughts and inscribing them in some sorta persistent medium in the public world.
And that’s fine with me. I blog simply to show that I’m still present and still paying attention. And still disseminating.
Jim
imho Don’t think RFID-tagging of humans is inevitable or desirable
All:
A kind reader of this blog e-mailed to ask my opinion on the issue of whether RFID-tagging of human beings (such as prisoners or paroled sex offenders) was an inevitability, or was feasible/desirable and so forth. Here is the gist of my response to his stimulating discussion:
As regarding the possibility of embedding RFID tags in human beings, that's something people can choose to do or not do to themselves. Just another type of prosthetic. Or another type of piercing. Or tattoo. Or cosmetic. Or wardrobe. Or accessory. Or crutch. Ever since humans emerged as self-conscious beings, we've been modifying/extending/enhancing our god(s)-given endowments in all of these ways. But that should purely be left to individual choice. Nobody should be compelled by another--or by law/society--to deface or modify their body in any way. Similarly, RFID is a credential that someone may choose to embed in their being. It's not inevitable that society will some day force us all to do so. Has any society (other than, say, Nazi Germany) ever compelled people to tattoo an identifier into their skin? And that was clearly regarded as an inhuman thing to do.
Would it make sense to "RFID-tattoo" some subset of our society--say, prisoners, or paroled sex offenders--so as to monitor/control their movements? Would the perceived public danger from these individuals outweigh the abhorrence we feel at branding human beings in this way? Open questions.
Yes, anything's possible. But I don't see it as likely anywhere/anytime soon. Society has other means--such as public surveillance cameras--to track these suspect individuals, and also to track others who we don't yet suspect (such as the London subway cameras that were used after the fact to track down the suspected bombers). Public cameras capture a broad range of qualitative relevant to baddies, known and unknown, and seem like society's preferred control mechanism. For good and bad.
Besides, RFID-tagging of humans is unnecessary once everybody has a cellphone and can have their whereabouts tracked through that RF device. That day is fast coming. Yeah, the cellphone leash isn't pierced into your flesh, hence doesn't offer the strong authentication of RFID-tagging. But, in effect, it's just as good a beacon of your location/activities as any RFID tag. And the authorities can tap into your voice and data communications emanating from and to that device, which makes it a richer environment within which they can harvest privacy-sensitive identity-targeted info on people.
DNA fingerprinting is also becoming one of society's main tools for compiling a composite portrait of people's activities---especially those that don't involve any IT-based interaction.
So, between public surveillance cameras, cellphones/Blackberries/etc, and DNA fingerprinting (and wiretapping, subpoenas, etc.), the authorities already have considerable resources for strongly tracking people's every movement. All of those surveillance techniques have the advantage, from authorities' point of view, of being conducted in the background, undetectable by suspects. Mandatory RFID-tagging, by contrast, would be an overt fascistic inhuman approach that would arouse fierce resistance everywhere.
It just wouldn't sail in the real world. Or, more to the point, I hope it doesn’t sail. I hope it sinks into the abyss of dystopic horror scenarios that never come to pass. But further inroads on our privacy from various technologies/techniques are well-nigh inevitable.
Unfortunately,
Jim
Friday, July 15, 2005
fyi IBM, Microsoft to ship another Web services security protocol to standards body
All:
Pointer to article:
http://www.networkworld.com/news/2005/071405-ws.html
Kobielus kommentary:
These critical WS-* security specifications have been in draft stage for so long that it’s easy to forget that they’re not ratified de jure standards.
All of them are important for full-fledged identity and security specifications: the ones being submitted to OASIS (WS-Trust, WS-SecureConversation and WS-SecurityPolicy) and the ones yet to be submitted (WS-Federation and WS-Policy). I anticipate that all of these--except WS-Federation--will have clear sailing through the OASIS standardization process. And that’s because all of them—except WS-Federation—have the “legs”: well-wrought specifications, considerable industry support, and no direct rivals. WS-Federation is a good specification—don’t get me wrong. But it largely competes against well-entrenched rivals—SAML 1.x/2.0 and Liberty ID-FF 1.x/ID-WSF 1.x. And WS-Federation only has a handful of firm (albeit powerful) supporters—principally Microsoft and IBM. It’s quite likely that OASIS—once Microsoft/IBM submit the spec—will fold it into the next major version of SAML (beyond 2.0).
Getting standards ratified by OASIS or whoever is only half the game, where Web services/SOA security is concerned. Ratification is only one step on the roadmap to maturity of these standards. Before we can truly consider identity/security federation a mature, full-feature, mainstream approach to distributed security, the WS-* stack needs to jump the following hurdles:
• OASIS ratification: Dominant standards need to be ratified by OASIS in all of the principal identity/security functional service layers. Clearly, as the article states, that process will still take 2-3 years, at minimum, to complete. So we’re still talking 2008, at the earliest, before a full set of industry-consensus WS-* identity/security standards is ratified.
• Vendor implementation: Vendors don’t always implement OASIS- or whoever-developed standards at the same rate. Considering the wide range of WS-* identity/security standards and the wide range of vendors that will need to implement some or all of them to enable full-fledged federation, it would be quite surprising if the core group of “everybody implements ‘em” standards expands much beyond today’s status quo—WS-Security and SAML—by the end of this decade.
• Implementation profiling: And vendors, even when they say they implement the same standards, often implement them in very different ways, with the obvious impact on interoperability. The Web Services Interoperability (WS-I) Organization is the principal implementation profiling group in the Web services arena. So far, the only security standard that it has profiled is WS-Security (in addition to the core WSDL, SOAP, and UDDI standards). In profiling a standard, WS-I is sending a signal to industry that the profiled standard is mature and widely adopted, hence critically in need of a common implementation framework. Does anybody imagine that WS-I will begin to consider profiling the other WS-* identity/security standards/specs--WS-Trust, WS-SecureConversation, WS-SecurityPolicy, WS-Federation and WS-Policy—any time before the end of the decade? They should focus first on SAML 1.1, which is definitely mainstream and badly in need of WS-I profiling. Also, XACML and SPML should be profiled soon, based on the fact that they’ve already been ratified and are being adopted widely.
So, to sum up, identity/security federation won’t truly mature as a full-fledged approach until these milestones—ratification, implementation, and profiling—have been crossed for the core WS-* standards and specifications in the principal functional layers. And that won’t happen till 2010, at the very earliest. More likely, 2011 or 2012.
Of course, enterprises can and should continue to deploy identity/security federation environments before the standards picture shakes out completely. The business benefits from federation are undeniable, and the current products/standards are more than sufficient for lots of federation scenarios.
But submitting a specification to a standards group doesn’t make that specification mature. Plenty of specifications die in committee. Or, if they’re approved/ratified, die in the marketplace. Or are effectively abandoned and ignored by their creators.
So curb your enthusiasm for these WS-* identity/security specs till we see how the marketplace shakes it all out.
Jim
Thursday, July 14, 2005
fyi Sun to expand open-source moves into secure ID arena
All:
Pointer to article:
http://www.computerworld.com/softwaretopics/software/story/0,10801,103172,00.html?source=NLT_PM&nid=103172
Kobielus kommentary:
This is an important announcement. The underlying IdM federation components are becoming commoditized as the standards stabilize, get profiled and implemented widely, and as vendors distinguish themselves through the deeper IdM product sets. Also, more and more application server, middleware, IdM, and security infrastructure components are going the open-source route, with Sun, Novell, IBM, and pretty much everybody else (except for Microsoft) leaning strongly in that direction. Increasingly, IdM vendors distinguish themselves through professional services, vertical market applications, and IDEs.
It’s becoming possible to build an end-to-end federation IdM environment with standards-based open-source components. SourceID has been the principal purveyor of open-source IdM: SAML, WS-Federation, Liberty, etc. Separately, the OpenSAML (www.opensaml.org) and Shibboleth open-source codebases have been around for a few years. There’s also an open-source implementation of a WS-BPEL orchestration server (www.openbpel.org) that might be used as the workflow component of an account provisioning infrastructure, in conjunction with the open-source SPML implementation (www.openspml.org).
All of those are available under free open-source licenses for orgs that are serious about building federated IdM infrastructure and tailoring that infrastructure to requirements that the commercial vendor tools may not support, or may not support without considerable customization and professional services handholding.
Whether one goes with a commercial federated IdM solution or sundry open-source IdM components, the bottom line is “some assembly required.” And that doesn’t come cheap.
Jim
Wednesday, July 13, 2005
fyi Industry looks to unite again to tackle spyware
All:
Pointer to article:
http://www.computerworld.com/securitytopics/security/story/0,10801,103149,00.html?source=NLT_PM&nid=103149
http://www.antispywarecoalition.org/
Kobielus kommentary:
The Anti-Spyware Coalition (ASC) has produced a well-written, crisp, authoritative definition of spyware, plus discussion of an industry governance process (“Vendor Dispute Resolution Process”) and user protection guidelines (“Anti-Spyware Safety Tips”).
My only other comment on the draft is that ASC seems to suffer from dynamic scope creep. They seem to lump all malware into the core definition of spyware, thereby diluting their focus. The coalition defines spyware as follows:
• “In its narrow sense, Spyware is a term for Tracking Software deployed without adequate notice, consent, or control for the user. In its broader sense, Spyware is used as a synonym for what the ASC calls ‘Spyware and Other Potentially Unwanted Technologies.’ In technical setting, we use the term Spyware only in its narrower sense. However, we understand that it is impossible to avoid the broader connotations of the term in the colloquial or popular usage, and we do not attempt to do so.”
Further blurring the distinctions between spyware and other malware, they offer this further definition of the former:
• “Spyware and Other Potentially Unwanted Technologies: Technologies implemented in ways that impair users’ control over: material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; and collection, use, and distribution of their personal or otherwise sensitive information. These are items that users will want to be informed about, and which the user, with appropriate authority from the owner of the system, should be able to easily remove or disable.”
I have no beef with this broader definition of malware generally. Actually, I think the ASC should rename itself the AMC (Anti-Malware Coalition) and attack the more general problem of which spyware is just one variant. Their core definition of malware highlights what, imho, is the defining feature: unsolicited, remote, persistent third-party tampering with other people’s computing and network resources.
With that as the guiding definition, I would rename malware as “tamperware” and suggest that “tamper-evident computing” should be the principal framework for defining prevention, detection, and remediation approaches.
From the user’s point of view, how can they immediately detect tampering with their computing resources, whether that tampering takes the form of spyware, adware, backdoors, bots, browser helper objects, browser plug-ins, cookies, dialers, DDoS attacks, downloaders, droneware, hijackers, keyloggers, password crackers, rootkits, screen scrapers, tricklers, trojans, viruses, worms, or zombies? How can software publishers ensure that their products are delivered to requesting users in a way that both users and publishers recognize is consent-driven, authorized, legitimate, and doesn’t create the conditions under which those products might be mistakenly tagged as tamperware? How can users reasonably give full consent (and know/accept the consequences of that consent) when they’re dealing with a steady stream of complex software downloadables that issue from various publishers, get installed/configured in sundry complex ways, and interact with local and remote programs in such a way as to open up the gates to still more software that may try to slip nasty stuff down without consent?
The industry governance issues surrounding all of this are daunting. How can software publishers ensure that their products don’t cross the tricky borderzone into apparent tamperware, and how can they make sure that false-positive tamperware identifications get reversed immediately across all anti-tamperware programs so as to not impair their continued ability to do business? How can even the most technically astute users ensure that they’re granting consent only to the most trustworthy software publishers who’ve engineered their download, installation, EULA/registration, and configuration features in such a way as to not cross the nasty divide into tamperware territory?
And how can we make our computer operating environments, like the containers in which over-the-counter medications are dispensed, reliably tamper-evident?
Jim
Tuesday, July 12, 2005
fyi Subway Fracas Escalates Into Test Of the Internet's Power to Shame
All:
Pointer to article:
http://www.washingtonpost.com/wp-dyn/content/article/2005/07/06/AR2005070601953_pf.html
Kobielus kommentary:
Tell you what makes me shudder: this notion of “flash mobs” that materialize out of seemingly nowhere in physical space, focused on some particular place and time, driven by a common communication thread (IM, e-mail, SMS, VoIP, etc.) visible only to themselves. Sounds like a key new strategy of terrorism, guerilla warfare, and bullying everywhere. Though flash mobs, in their initial incarnation, have mostly emerged for benign reasons.
This article points to a related phenomenon: virtual teams on the Internet that emerge to humiliate someone who may or may not deserve it. This South Korean lady’s minor offense apparently was failure to scoop her dog’s poop on the subway. It’s also been said that the lady was recalcitrant and belligerent. She wasn’t without blame.
But some unkind people on her train took their grievance way too far. They took phonepics of her and her offending doggy doo, posted them to the Web, urged others to dig up other doo doo on her personal life, and post that as well. Before long, the public humiliation got out of control, and the lady was so shamed that she had to quit her job.
Do some people have nothing better to do with their time than heap cruel abuse on strangers over extremely petty offenses? It’s clear that many people hide behind anonymity and distance in order to engage in reckless endangerment. That’s why the world’s swarming with viruses, worms, and their ilk. Now this “Dog Poop Girl” incident underlines the human analog of malware: people joining online forces to inflict personal pain on other people.
It’s the evil side of collaboration. Call it mallaboration.
Jim
fyi No Dozing, Doughnuts at Office of Future
All:
Pointer to article:
http://www.technewsworld.com/story/43772.html
Kobielus kommentary:
No. No. NO! Don’t turn my office into a gym. Keep my gym a gym, my office an office, and my home a home. For my mental hygiene, let me keep each environment entirely separate from the others. I work out in my gym. I work-work in my office. I don’t work in my home—except for the office space in my basement where I do my freelance writing.
I actually enjoy going to the gym. Egidia and I do so most days of the week, and it’s a welcome break from the pressures of our jobs, and also the pressures of our home (we have teenage children, bills to pay, etc.). We’ve been doing it continuously for the past 3 years, and it’s now an established, much-needed, eagerly anticipated habit. When I’m on the treadmill, I am quite deliberately working to melt all the stress from that day into a pool that can be washed down the drain by the gym staff. Putting a treadmill and other gym equipment in my home, or in my office, defeats that whole purpose. Having to interact in the gym with people (such as co-workers, offspring, etc.) from those other environments would simply add stress—not subtract it—from the lactic load on my poor battered nervous system.
Working my body calms me down—bottom line—and centers my spirit somewhere inside my torso. Also, it gives me a chance to compare my body with other people’s. Yeah, snigger and take that statement any way you wish, but I measure my progress toward the desired form by the extent to which my current shape matches those around me with the best biceps, triceps, abs, delts, etc. No, I’m not becoming a preening narcissist. My core payoff from working out is the calming, the easier breathing, and the other internal-focused benefits. But working out gives me a feeling of efficacy in the sense that I actually can—by applying the intensity and work ethic that people have long known defines Jim Kobielus—sculpt my body to something I can be prouder of. No, it hasn’t made me taller, broadened my shoulders, regrown hair on my head, or given me a handsomer face. But I’ve brought my 5-foot-6 body down to my optimal weight—140 lbs.—and kept it there. As my 46-year-old self moves ever further into old-man territory, I can at least look at my aging body with some degree of self-satisfaction. I’m not the pudge I was.
Everything in its right place. My office provides me with plenty of what this article calls “non-exercise activity thermogenesis” (NEAT) to keep my weight under control. What they call NEAT I call work. Or rather, work performed continuously and restlessly with Jim Kobielus style intensity. The same intensity that has been programmed into my very existence by the roll of the genes and my particular life experiences.
I like working. And working my body. And working on keeping those worlds from invading the inner sanctum of my home life.
I like sitting down at work, looking, dressing, and behaving like a professional. Don’t bring running tracks and weightlifting equipment and hockey sticks into my office. I don’t want to have to dodge you or your flying pucks when I’m trying to discuss work.
Thanks.
Jim
Monday, July 11, 2005
cartoon Gerald McBoing Boing
All:
Pointer to cartoon:
http://www.bremenonline.org/boing/boingboing.htm
Kobielus kommentary:
I've been looking for this for years. I've never seen it before. But it didn't disappoint.
Here's the description from the website:
"Gerald McBoing Boing won the Academy Award as best animated short subject for 1950. The competition was an MGM Tom & Jerry cartoon Jerry's Cousin, and another UPA entry Trouble Indemnity with Mr. Magoo. It was a major triumph for UPA--formal recognition of their groundbreaking efforts.
This film--one of the finest ever made--had an impact that was both immediate and long-lasting. The concept came from Dr. Seuss, who as Theodore Geisel, had worked with some of the UPA staff on army films during WWII. His story, and rhyming dialogue, was adapted for animation by Phil Eastman and Bill Scott. Director Bobe Cannon and designer Bill Hurtz's concept was--less is more--how few lines could they use. The action was charted, then the music written to that action before it was animated by Bill Melendez, Rudy Larriva, Pat Mathews, Willis Pyle, and Frank Smith. Next Jules Engel and Herb Klynn added the bright, flat colors in the background, broken only by the sparest of "props." Different colors were used to convey different moods throughout the film."
Now my two cents on it:
This is a wonderful little cartoon, an exquisite and elegant composition from beginning to end (slightly less than 7 minutes). You'll need RealPlayer to watch this stream. Watch it all the way through, then restart it and simply listen to it all the way through. Then watch and listen. Stop the video at any point and marvel at the economy, balance, use of fine line, and richness of color and texturing in every frame. Check out how fluidly one scene gives way to the next. How the action is expertly punctuated by the sound effects and score at every point. How the narrator intones it all in a jaunty script that so totally anticipates the more minimal Dr. Seuss to come later in that decade. It's not really minimalistic--it simply doesn't waste a single compositional element, and pares it all down to the absolutely essential. And it's a fun unpretentious piece of animation. Bright and brilliant no matter how you take it.
Clearly, a cinematic milestone. Boingboing. Bump-bum. Dang dang dang dang. Ah-ooga. Booooooooooooooooooooooooooooooooooom.
Jim
fyi TV technology at edge of legal frontier
All:
Pointer to article:
http://news.yahoo.com/news?tmpl=story&cid=581&e=2&u=/nm/20050706/tc_nm/slingbox_dc
Kobielus kommentary:
Re Slingbox, what struck me about this article was the crux question:
• Does the consumer have the right to place-shift as they do time-shift their content?
Well, duh, time-shifting is also, of necessity, place-shifting. You record a program onto a portable medium—such as videocassette—in order to have the freedom to watch it later and anywhere. Or to have the freedom to give it to someone else so that they can watch it later and anywhere. A more fundamental question is:
• Does the consumer have the right to place-shift without time-shifting, so that someone somewhere else can consume that content in real time as it streams?
Which raises the subsidiary question:
• What if that “someone somewhere else” is in fact simply another device of my own that I’ve designated as my alternate client app for watching it right now, or offsite storage and backup unit for the purpose of allowing myself, or someone in my household, to watch it later at that other site, or to allow myself to retrieve it from that backup site in order to watch it back at the primary site?
Well, I'm not a lawyer, but I'm sure most people will agree that we have the right to be able to consume all content that we pay for in any way we wish. In terms of mass piracy-enabling, the Slingbox doesn’t seem to support multicast or broadcast place-shifting, so the content providers of the world shouldn’t freak out just yet. I seriously doubt that the courts will quash a device that simply operates as a one-to-one relay. But it’s only a matter of time before multicast mode is built into Slingbox and similar mass-market devices. Which raises the further question:
• Why fight a development—consumer multicast--that’s inevitable and of obvious value, even if it makes life a bit trickier for IP defenders?
But the media companies will fight it vigorously. Prepare for several years of screaming headlines and gradual grudging eventually grateful acceptance. Grateful? The media companies will eventually figure out how to profit in unforeseen ways from this new development. And they’ll forget how scared and defensive they were when the technology was first introduced. As they did with TV, videocassettes, etc.
Jim
Friday, July 08, 2005
fyi Tsunami warning hits the spam barrier
All:
Pointer to article:
http://www.computerworld.com/softwaretopics/software/groupware/story/0,10801,102996,00.html?source=NLT_AM&nid=102996
Kobielus kommentary:
Doesn’t surprise me at all. Consider for a moment the provenance and tone of spam. First off, spammers often try to pass themselves off as an “official” this or that in order to phish for your personal info, or to “sell” you some crap, or simply to get you to open the message. Secondly, spammers often use appeals to the basic human emergency/urgency-drivers--fear, uncertainty, anxiety, inadequacy, doubt, (greed, horniness, etc.)—to get your immediate attention. Thirdly, all of these pandering pronouncements are issued in bulk out of the blue, with no warning. Taken together, these are the ingredients of the “sucker born every minute” spamiverse.
These are also the hallmarks of tsunami alerts and other legitimate emergency messages: issuing from on high, appealing to FUD, and blanketing the world with “act now” alarms. I don’t know about you, but almost four years of post-9/11 vigilance and alerts have got me all alerted out. Call it post-traumatic compassion fatigue and fatalism. Sad thing was, when I learned of the terrorism tragedy yesterday in London, I checked out CNN’s website briefly and went back to work, not even recalling the incident till I got home and informed my family. And we all just sort of shrugged. Not that we’re insensitive, but that we’re numbed and our emotions blunted by living under this cultural environment.
Getting back to legitimate tsunami alert messages that get blocked by being falsely tagged as spam, this is another potential tragedy in the making, when a real emergency hits. Spam filters are exquisitely optimized to filter out the “boys who cried wolf” to the point that, when the real wolf pushes his way into our midst in sheep’s clothing, spam will lay us down with the lamb to be eaten alive. Unless we can somehow still detect the real wolf within the steady stream of false wolves.
Or send out the legit alerts through all or most media simultaneously, and not tie every single medium to the same spam filters. In that way, the legit alerts can get to us through some unblocked channels, and then trigger us as human beings to alert each other with more targeted personal messages.
Such as, “Bob: This is Jim. There’s a huge wave crashing over the beach a mile away. It’ll be here in just a few minutes. Looks like a tsunami. Tell everybody in your end of the resort to run like hell to higher ground. This is no f***ing joke. Run!”
Jim
Thursday, July 07, 2005
fyi Q&A: An Internet Pioneer Looks Ahead
All:
Pointer to article:
http://www.computerworld.com/mobiletopics/mobile/handhelds/story/0,10801,102862,00.html?source=NLT_EMC&nid=102862
Kobielus kommentary:
Here’s one of the scariest pronouncements I’ve ever read, for reasons both technological and theological:
“The better you design a system, the more likely it is to fail catastrophically. It's designed to perform very well up to some limit, and if you can't tell how close it is to this limit, the collapse will occur suddenly and surprisingly. On the other hand, if a system slowly erodes, you can tell when it's weakening; typically, a well-designed system doesn't expose that.”
I’m not sure if I agree with that grand statement. If Leonard Kleinrock had cited a few examples to bolster this assertion it would have greater credence. Is this supposed to make us swear off structured, top-down, waterfall system development approaches forever? Is that all pure Frankensteinian hubris that will produce monsters destined to run amok and torch the castle wherein they were created? Should we instead let rogue teams of maverick programmers attack any problem they see with any available code they can slap down on a moment’s notice, regardless of whether it duplicates others’ work, or whether it conflicts with or fails to interoperate smoothly with legacy systems? Without regard for what high-level architecture, if any, that it figures into? And what do we say to the deists who regard all of creation as figuring into God’s master plan, which, by definition, is the best-designed system of all? That it’s all destined to “fail catastrophically”? That Armageddon is the fate in any God-designed order of things?
Getting back to earth for a moment, and to the interview with Kleinrock, he contradicts himself in the very next paragraph:
“So, how can complex systems be made more safe and reliable? Put the protective control functions in one portion of the design, one portion of the code, so you can see it. People, in an ad hoc fashion, add a little control here, a little protocol there, and they can't see the big picture of how these things interact. When you are willy-nilly patching new controls on top of old ones, that's one way you get unpredictable behavior.”
Huh? Follow the train of my puzzlement on this for a moment. The best-designed systems are those that surface their overall structure, behavior, and controls in the most visible, maintainable, monitorable, extensible way. And these are the systems that Kleinrock says are doomed to fail catastrophically. So how does he propose to save them from self-immolation? By surfacing the control code even more saliently! By making them even better designed! In the previous paragraph, he implied that chaotic bottom-up development produces the most stable structure. In this paragraph, he says that chaotic development is to be avoided, in favor of structured top-down development! I don’t get it. He’s trying to have it both ways.
Actually, I think that, in the final analysis, he’s arguing that the Second Law of Thermodynamics is God’s fundamental law, that the best-designed systems are those that hint at grand eternal plans but slowly melt into entropy, accepting the inevitability of a steady stream of localized fixable malfunctions, thereby warding off the “Big Crunch” that some say will reverse the plan burst forth in the “Big Bang.” How else to interpret Kleinrock’s statement: “On the other hand, if a system slowly erodes, you can tell when it's weakening; typically, a well-designed system doesn't expose that.”
Is the Internet—Kleinrock’s Big Bang—eroding around us? Are spyware, spam, viruses, Trojans, DDoS, and other assaults on the matrix a sign of this? From a systemwide point of view, they’re all more or less “localized fixable malfunctions,” and none of them has crashed the Internet as a whole, which keeps, bottom-up, layering new controls over old to keep the rickety structure operating reasonably well. If Kleinrock’s perspective is valid, should we doubt that a localized Armageddon can ever crash the Internet as a whole?
I certainly hope so. My hope is the only certainty I know on this matter. Hope expressed through prayer, secular or otherwise, to the cybergod(s).
Jim
Wednesday, July 06, 2005
fyi Phishing Attacks Reach All-Time High
All:
Pointer to article:
http://www.newsfactor.com/story.xhtml?story_id=37031
Kobielus kommentary:
Identity theft is fast becoming the most ferocious new bete noire of the cyberworld, crowding out spyware, spam, and viruses for that dubious honor. Over the past several months, the mass media have splashed ever scarier cover stories, consumer alerts, and other breaking news on people who’ve had their identities spoofed, credit cards hijacked, and assets looted by unseen strangers lurking out there on the Internet.
Indeed, identity theft is potentially more damaging to people’s lives than spyware, spam, and all the other online threats put together. Amid the growing hysteria, the IdM industry sees a big black eye in the making. Naturally, they’re worried, and they’re beginning to formulate strategies for identity theft prevention, detection, and remediation. In June, for example, Liberty Alliance formed a working group to develop best practices that will help business and consumers to prevent online identity frauds. In a similar vein, Microsoft recently announced a retooled IdM federation strategy—the Identity Metasystem—that underlines the need for identity-theft and privacy protection.
The unspoken subtext behind these initiatives is that trust—the foundation of IdM federation—is in jeopardy if the industry doesn’t proactively address identity theft on many levels. The stakes couldn’t be higher. What’s most worrisome is the growing prevalence of phishing, pharming, and other social-engineering ploys to steal user passwords, credit card numbers, bank account numbers, and other critical information. These frauds strike at the very heart of federation: users’ trust in the authenticity of IdPs. If you can’t trust that the party to whom you’re presenting credentials is in fact who they claim to be, then nothing’s truly secure and people will be much less likely to transact business online.
Likewise, the growing range of well-publicized break-ins to corporate databases, some of which resulted in theft of hundreds of thousands of user credit card numbers, has further shaken people’s trust in IdPs’ ability to safeguard this critical data. Massive theft of passwords, credit cards, and other credentials creates a corresponding trust loss: IdPs who’ve been victimized can no longer trust that the individual presenting these credentials is who they claim to be.
In the face of never-ending identity thefts, the only way out of this downward spiral is to continue reissuing new credentials to the impacted users, but only after those users have been proofed to strong assurance by reputable agents, and only if the new credentials rely on biometrics for strong authentication. Clearly, that theft-unfriendly IdM environment is a long way from being implemented in the real world, and would be quite expensive, complex, and cumbersome to deploy universally.
Some have argued that federated IdM is a fundamentally flawed approach that encourages identity theft. Nothing could be further from the truth. There’s nothing inherently insecure about federation protocols—such as SAML and Liberty Alliance ID-FF—or in the way they’ve been implemented by vendors and enterprises.
Rather, most identity theft has its origins in the massive online market for bulk user personal data of the sort that many consumer-facing businesses collect in normal operations. Identity merchants indiscriminately buy, sell, and resell this information to anybody who can put up the bucks. By the same token, enterprises, carriers, and other IdPs frequently implement lax controls on external access to identity information in their databases and directories, thereby encouraging frequent hack attacks. This is wholesale identity harvesting, as opposed to the low-yield but persistent phishing and pharming attacks that undermine popular confidence in IdM environments but result in relatively few criminal-fraud incidents.
For sure, the federated IdM industry isn’t the only sector of our economy that’s looking for solutions to the multifaceted problem of identity theft. But the federated IdM market realizes that this is a showstopper bread-and-butter issue for them. It threatens to overshadow all of their other efforts to create a universal trust environment for interoperable e-business.
To their credit, the industry realizes that technical standards alone aren't the answer to identity theft and fraud. The threat is so multifaceted, pervasive, and stubborn that it must be addressed with federated IdM best practices that also encompass various business, legal, consumer education, and other considerations. That cross-disciplinary approach to identity theft protection—not purely technical approaches—should be the ongoing focus of work at Liberty Alliance and other industry groups.
Jim
Tuesday, July 05, 2005
fyi Microsoft Reportedly in Talks to Buy Adware Developer
All:
Pointer to article:
http://www.ecommercetimes.com/story/44337.html
Kobielus kommentary:
I keep promising myself that I won't blog so frequently on Microsoft topics. And then they hand me more juicy red meat.
Re this Gator/Claria acquisition, I don’t get it. Microsoft recently acquired Sybari to boost its anti-virus portfolio, acquired Giant so it could go all-out on anti-spyware, developed Sender ID and Exchange Edge Services so it can give spam a run for its money, developed IE7 to enable pop-up blocking natively in its browser, and promulgated its Identity Metasystem/InfoCard initiative to address privacy and identity-theft protection more aggressively. Now apparently it wants to negate all of those positive moves with a big foray into the adware arena. As if somehow Microsoft needs to seize even more power over our every keystroke and mouseclick. As if their presence in the cyberworld wasn’t already overwhelming to the point of strangulation.
They need to rethink this move. And right away. I migrated recently to Mozilla Firefox precisely to get away from the IE6 pop-up insanity. What sort of signal does Microsoft want to send to the market with its overture to Gator/Claria? That pop-ups are now a good thing, as long as they’re Microsoft-sponsored and/or -sanctioned pop-ups?
Jim
Friday, July 01, 2005
fyi Microsoft Wants a Piece of the Ajax Action
All:
Pointer to article:
http://www.eweek.com/article2/0,1759,1832206,00.asp
Kobielus kommentary:
A few months ago, I published an opinion in Network World on the growing interest in a standards-based enriched-browsing approach called “AJAX.” See http://www.networkworld.com/columnists/2005/042505kobielus.html
Soon thereafter, several rich Internet application (RIA) vendors e-mailed to protest that I had referred to their products/approaches as “partially proprietary.” I dealt with their objections one by one, citing chapter and verse from their various product whitepapers, marketing presentations, and so forth. I still stand by that statement.
One of those vendors also protested that AJAX isn’t on a functional par with his or his rivals’ RIA approaches. And I didn’t disagree with his statement, because I didn’t argue otherwise in my column. At least twice in that column I referred to AJAX as a “common denominator” approach that developers can use to put some rich browser-based interaction into their Web apps. The term “common denominator” should have clued the reader to the fact that they can get richer browsing functionality if they go with RIA products from Macromedia, Laszlo, Nexaweb, and other vendors. And from Microsoft too, whenever they ship Windows “Longhorn” with “Avalon” and “Atlas.”
To the RIA vendor who pointed out that AJAX isn’t up to functional par, I suggested that they might reposition their solutions as “AJAX++” (just as today’s RIA is effectively “DHTML++”). He wasn’t too keen on that suggestion.
But it was a serious comment. Just as every MOM, EAI, and BPM vendor is repositioning their products under such nouveau buzzphrase approaches as “SOA” and “ESB,” today’s RIA vendors will increasingly need to position their approaches with respect to AJAX. And that’s for no other reason than the fact that the RIA paradigm has subtly shifted toward reliance on open universally deployed browsing standards and away from proprietary approaches. To the extent that AJAX (er…RIA) vendors can show that they are more standards-based than the next vendor, they’ll be providing developer/customers with reassurance that Web apps developed with their enriched browsing tools and executed on their server runtimes can be deployed out to the widest range of browser clients WITHOUT NEED FOR MUCH OR ANY PLUG-IN BROWSER FOOTPRINT.
Quite frankly, Microsoft will soon be able to demonstrate that it implements Ajax-enabling open standards (especially XAML) and requires no browser plug-in (because AJAX/Avalon/Atlas will be built into the basic OS). Also, they’ll have an AJAX/RIA capability embedded in the world’s predominant OS.
So Microsoft, unless something radically changes the game, will own the AJAX/RIA/enriched browsing space by the end of this decade.
Jim
Thursday, June 30, 2005
fyi U.S. lags in effort to create animal ID system
All:
Pointer to article:
http://www.computerworld.com/governmenttopics/government/policy/story/0,10801,102754,00.html?source=NLT_DM&nid=102754
Kobielus kommentary:
Hmmmmm…a national registry, identification scheme, tracking system, and regulations for branding livestock that doesn’t involve pressing a red-hot iron into their flesh.
This is another subtopic in the “identity of things,” in which case the “things” are the beasts from which we derive an important class of dietary proteins. And another potential use of RFID, which is becoming the identifier for every tangible and edible “thing” imaginable.
If I understand correctly, these RFID animal tags would allow us to track every individual head of livestock from the moment they’re born to the moment they’re slaughtered (or otherwise shuffle off to animal heaven), primarily to make sure that the infection routes for any disease to which they might have been exposed are made crystal clear and appropriate quarantining, notification, destruction, and other emergency response and remediation activities can be targeted with swift and brutal efficiency. And, I suppose, so that 21st century rustlers can be more rapidly found out and brought to justice.
Something tells me that this initiative will bog down quickly into a huge political range war, pitting the feds (who want ranchers/farmers to tag and track everything that trots, waddles, or flaps its silly wings) against the ranchers/farmers (who’ll want to turn a profit, avoid major new unfunded mandates, and resist having “them damn bureaucrats in Washington” intruding more deeply into how they manage their operations and inventory).
This initiative will, no doubt, be called the “mad cow tag program” or something to that effect. My guess is that RFID tags will ultimately be rejected as too cumbersome and expensive. Instead, I'm in favor of requiring ranchers/farmers to take DNA samples from their animals’ mouths/ears/etc.—upon birth, transportation, and death—and then send those to some central FDA-mandated lab for DNA fingerprinting, registration, and tracking. That way, individual animals don’t need to have RFID tags branded into their hides or hung around their necks or whatever. When a “mad cow” or similar disease breaks out, the diseased animals will have DNA swabs taken and sent to the central lab, which will then figure out what other livestock came into contact with them where, when, and how. And then the appropriate alarms/quarantines can be issued to target those other possible infection vectors, wherever they happen to be.
Such an approach saves the rancher/farmer from having to “brand” their animals or buy/install/operate RFID receivers and RFID-based inventory-tracking systems. Thereby helping them keep costs as low as possible.
Politically, the folks in Washington have always succumbed to the rancher/farmer lobby. The last thing the pols want to do is force another expensive unfunded mandate on this particular industry. Prairie populism is always a smouldering brush fire in the USA.
Jim
Wednesday, June 29, 2005
fyi After Grokster: why (almost) everything we're told about P2P is wrong
All:
Pointer to article:
http://www.it-analysis.com/frame.php?name=The+Register&url=http://go.theregister.com/feed/http://www.theregister.co.uk/2005/06/29/after_grokster/
Kobielus kommentary:
Actually, the first rule of punditry is the dissemination imperative: unpublished punditry is mere self-stimulation.
That’s the first rule for all media products: get the word/song/movie/software/etc out there so people can be aware of it, access it, and consume it. The second rule is, if you can, find some way of getting paid for it. But the second rule is optional. The first is essential.
Which is why blogs have taken off in such a big way. It’s how we the self-appointed pundits disseminate our words, though most of us don’t make a dime directly from our punditry. I have it a bit better than most pundits. I also have steady freelance work from Network World (almost 18 years running, hard to believe—thanks John G., John D., Susan C., Neal W., etc.) and Business Communications Review (now in the third year of that gig, thanks to Fred K., Eric K., and Sandy B.). With pundits, as with professors, it’s “publish or perish [in spirit and/or cerebrum, if nothing else].”
I’ve been holding off on punditizing on the P2P phenomenon for a simple reason: many others have done a fine job of dissecting the phenomenon and I have felt I don’t have much fresh insight to contribute to the discussion. Maybe that’s false modesty on my part, but some topics are so overdone in the blogosphere that the last thing I want is to pitch in my semi-interesting observations into the general din.
But I’ll do that anyway. I just want to tie my thoughts to a recent experience that proved out the power of P2P to provide some artists with a decent living in spite of having been shut out of mainstream success. I hate to re-introduce the band Wilco into the discussion, considering that the likes of Lawrence Lessig and others have seized on Jeff Tweedy and associates as exemplars of artists who have loosened up on uptight copyrights in order to get their works disseminated to fans and interested parties.
But I have to ring the Wilco bell again. This past Sunday I attended my first rock concert in a long long time, and it was—guess who—Wilco, at the Merriweather Post Pavilion in Columbia MD. My son and I are big Wilco fans, and we bought their two latest albums, “Yankee Hotel Foxtrot” and “A Ghost is Born.” I used to go to concerts all the time during my prime years of 1975-1985 (I’m 46 now), but slacked off after I got married and started collaborating on baby production with a certain lady.
As regards Wilco, I know precisely how I got hooked on them. I started listening to the streaming web radio station KEXP (www.kexp.org) in early 2002, soon after I got my first DSL connection at home. KEXP (a public radio station in Seattle—free to access and groove to continuously) is the most awesome, eclectic radio station I’ve ever come across, and I soon got addicted to their brilliant mix of (mostly) new and (well-selected, like the new) older music from every conceivable genre. Needless to say, they’ve long been big Wilco champions, play tons of the Chicago group’s stuff, and it was only a matter of time before I got hooked on Wilco.
But I never quite knew how my (now 18 year old) son got hooked on Wilco. Until recently, he never listened to KEXP or any other streaming web radio station. And they certainly don’t play Wilco on the local radio stations in the DC area where we live. And I’ve never seen a Wilco video on music television. But he (Jason) was the one who took the initiative to buy both Wilco albums that we own.
On Sunday night, I heard Jason mention to his girlfriend (yes, I, old fogey, was essentially the chaperone at this event, and I was at least 10-15 years older than most other attendees) that he first read about Wilco from some website, and then downloaded a Wilco song from some P2P community, and then got hooked.
Ohhhhhhhh! We both got hooked on Wilco through free content distributed over the Internet. As I looked around at the packed audience for the Wilco concert on Sunday, I realized that most of these other DC-area people probably got hooked on Wilco the same way. And I’m sure many of them have bought the legit CDs of Wilco’s albums at local stores. And, now, they’re attending a Wilco concert, further sustaining Wilco’s musical career.
At one point in the (brilliant, and more hard-rocking than their brilliant recordings) Sunday show, Wilco singer/songwriter Jeff Tweedy announced to the crowd: “Brace yourselves now for a cavalcade of our hit.” (note the singular “hit”). And then they played “Heavy Metal Drummer” from “Yankee Hotel Foxtrot” (I don’t actually recall ever hearing that great song on any radio station, but I’ll give Jeff the benefit of the doubt).
How can a “hitless” radio-unplayed rock band sustain a long-lasting (10 years +) and lucrative career? Dissemination. Get the music out there, first and foremost, through any means. Money will follow, through various means, if you’re willing to work it hard, as Wilco has done. They could stay a touring band now for the rest of their lives (like the Grateful Dead, or, I suspect, the Pixies are turning into), thanks to the fanbase they’ve built up from P2P.
So thank you Internet community for this revolutionary technology that fills our lives with great music. And don’t worry about how the artists will get paid. The best of them will figure that out, by hook or crook, as they themselves hook into a fanbase.
And thank you Wilco. You’re a classic. And I hope you get at least one monster hit in your careers before you yourselves experience that touch of grey.
Jim
Monday, June 20, 2005
poem Oy
OY
As a pearl
in clam snot
glows, so I
inside my
stress headache.
A crust of
creation
encasing
mere and wee
irritants.
My grain of
nacreous
growth, a shell
grown grand as
pain is green.
Tuesday, June 14, 2005
poem Cuss
CUSS
Clapping hurts my hands
and ears. Hurts my heart
to pile plaudits on
the overhonored.
Gives repetitive
stress. Ouch. The crunch of
muscles. The steady
press on tendons. The
clank and rattle of
tin hallelujahs
and more undeserved
medals. These cussed
buzzing huzzahs of
rote percussive praise.
These thundering hand
farts of squeezed-out air
and deafening drum
rolls of idle prayer.
Wednesday, June 08, 2005
poem The Adapted Cat
THE ADAPTED CAT
Sat all Saturday
bored and basically
hating the day and
waiting for something.
Sally my sister
and I were dying
inside and trying
not to go crazy.
A crack and a boom
came thundering in
and spilled the rain all
over Mom’s carpet.
A pounce and a whush
delivered a cat
who bolt upright and
read this announcement:
“A trick on a dark
day helps the draggy
time pass, and chases
the grays out your door.
If you wish, you can
watch the dribbing and
drabs, or with tricks, take
a stab in the blue.
With your fish, you can
sit, and scout for your
Mom, so then when she’s
nigh, upon your cry,
you, I, and the fry
can finish our fun,
hose down the house, and
only then, when the
storm has passed and
our time is done, will
we swiftly kick these
unpleasantries out.”
Just then, with a dart,
from the red-and-white
stack of his stovepipe
hat, a teensy hand
snatched, from the reading
cat’s clutches, the note
from which he had been
piecing his speech and,
sin mucho ado,
the hand withdrew and
cat, moving too, slunk
straight and away through.
“Just what I feared,” sneered
our bowl-bound fish, “this
brash interloper
acts like he knows her,
puts on a show, but
no one does nothing,
or so much as yawns,
without absolute,
incontestable,
indigestible
proof their intentions
are pure and a sworn
affidavit that
shows they’ve consulted
and have thoroughly
secured the total,
written, explicit
permission of Mom.”
Then up his upright
umbrella pole the
cat perched the fish in
his wobbledy bowl
and pirouetted
his own tippety
toe on a ball that
slopped slippety-so
down a freshly waxed
hall, with pitching and
woe, caterwauling
and yaw, like a lone
logroller clambers
over the lumber,
limberly scrambling
out from under and
gingerly hoping
to regain control.
Not heeding, it seems,
the fish’s wee shrieks,
or his little orb’s
diminishing wet,
the cat on the ball
started to bounce, and
struggle to juggle
the peeved little pet,
plus dead overhead
any movable junk,
or half-forgotten
snack, from any old
accessible crack,
or measly mouse that
popped into his path
whilst pogoing round
our deep-brown, detached,
family-friendly,
and apparently
unparented house.
He tricked dick-and-jane
from their dustbunny
lair, and for pleasure
a Dickens he found
languishing there, then
bowled them and the fish
through the juggular
air, while researching
for additional
distractions, like a
leftover dish of
left-out cream, Dad’s old
rake still dripping of
soylent green, and a
marbular carton
of spaghetti ice
cream that Sally once
loved and now resides
calcified deep in
our freezer downstairs.
“Put me down,” screamed the
downright adamant
fish, but the mad cat
oblivious could
scarcely see, through his
gyrations and glee,
and the field of fast
invisible hands,
that he was deep in
danger of flinging
it all, the proud and
perfect result of
his haul, the fat and
happy assorted
detritus, the massed
and sordid horde he’d
acquired, including
a log still flapping
its fire, in a vast
and fulsome, frightsome
and wholesome, bouncing
big baby shebang.
Through all the buzz, fate
belled the cat, as the
inevitable
inevitably
does, and his face and
hat lay splat in the
dust, while all through the
house, projectiles took
flight, the heavier and
messier went right
to their appointed
plots, and fish to a
pot, suspended and
hot, in the kitchen.
The cat raised his head
in some painless pain,
like an ump calling
a day due to rain,
a sheep just sheared and
his ribs shown plain, like
passing a ten-ton
sorcerer’s stone, a
magician’s shame at
a trick well-blown, or
a monster’s fury
for sins unatoned.
Then we could see, neath
his stripéd stack, a
face more monkey or
man than cat, with his
front-facing eyes and
foot of five digits,
his prehensile tail
and backbone rigid,
and the way he grasped
Sally’s szechuan fan.
We could see it all,
through his twidgets and
tricks, that no matter
whence his forebears had
come, dashing cross the
savanna, with or
without gun, that he
was happily and
fully adapted
to fun, sorry for
storming and wrecking
our calm, and vowing
to set the rainy
day right, wipe away
any suggestion
of blight, swiftly fix
and polish it bright,
and then split, ere Mom.
But his hat seemed to
have a soul of its
own, in the space of
an instant it had
gracefully grown full
ninety-nine sizes
too large for his head,
then sprung some new life
form, which quickly spread,
and occupied each
niche in our indoor
ecology, new
things were evolving,
sans apology,
and making the house
their very own shambling,
shivering, rambling,
quivering river
of overgrown goo
and personal swamp.
The things flew kites in
the interior
breezes, then their lines
intersectual
lashed us all at the
knees, and our pleas
ineffectual
couldn’t sway, nor cries
for mercy delay,
things having their way.
But the cat had one
trick in the sack that
he kept sequestered
round the rim of his
hat, and with his tail
unfurling, in a
flanking maneuver,
he extracted a
vacuum from the
red-and-white stack, then
smoothly hoovered the
things and their goo from
the throwaway rug
and our ceiling too
then sucked up our house
and all of the yard,
all the crumbular
remains and the shards
of the shattered day
and the scattered clouds.
When next we turned to
look, we were again
alone, with our Mom
approaching, though it
appeared our home was
none the worse for the
wear that the cat, or
whatever he and
things actually were,
exacted and weren’t
missing any of
the things extracted
when she wasn’t there.
The fish still burbling
and rain now sleeting.
What remained was a
fresh bag of tricks for
cheating sleep, and a
red-and-white tabby
that Mom let us keep.
Wednesday, May 18, 2005
poem Chat
CHAT
Here's where protocols
fail and logs show no
network present. Where
chitter-chatter blooms
and anti-matter
resumes its steady
consumption of the
conversation's ghost
and containing frame.
Sunday, May 15, 2005
fyi Microsoft sells ID mgmt. plan
All:
Pointer to article:
http://www.networkworld.com/news/2005/051605-microsoft-identity.html
Kobielus kommentary:
Every few years Microsoft issues another new grand unified plan for identity management (IdM). Well, they’ve gone and done it again.
Microsoft is nothing if not relentless in the IdM arena. At the turn of the millennium, Microsoft launched Passport, an initiative under which the vendor sought to become the world’s pre-eminent identity aggregator and authentication service. That was followed a few years later by a comprehensive Web services security roadmap that included the WS-Federation protocol, and which marginalized Passport’s role in the grand scheme of IdM. Now we have a new Microsoft strategy—“Identity Metasystem”—that largely turns away from WS-Federation in favor of an architecture that grants WS-Federation and such rivals as the Security Assertion Markup Language (SAML) more or less equal footing. In fact, WS-Federation is mentioned nowhere in Microsoft’s Identity Metasystem vision paper, whereas SAML is mentioned several times.
Why is Microsoft distancing itself from its previous IdM strategies? The reason is simple. Its previous approaches ran into stonewalls of industry opposition and apathy. Neither Passport nor WS-Federation has gained much industry support beyond a hard core of Microsoft’s closest business partners. At the same time, the rest of the industry has flocked to SAML as the principal unifying framework for federated IdM. If Microsoft had participated more fully in OASIS’ ongoing federated IdM discussions, the new SAML 2.0 standard might have incorporated more features from WS-Federation, rather than from the rival Liberty Alliance Identity Federation Framework (ID-FF) specification.
Microsoft’s new party line for IdM stresses the need for a universal identity environment that supports interoperation of multiple identity technologies run by multiple identity providers (IdPs). This represents a 180-degree turn away from both WS-Federation and Passport. The former was intended to serve as the single universal federated IdM protocol while the latter was positioned as an uber-IdP for all of cyberspace.
What new twist, if any, does Microsoft’s new strategy add to the vendor’s IdM roadmap? To a great extent, the Identity Metasystem strategy simply repackages the core WS-* specifications that Microsoft has championed over the past three years, including WS-Security, WS-Trust, WS-Policy, and WS-Metadata Exchange. Microsoft hasn’t totally abandoned WS-Federation, but now positions it as the federated IdM plumbing within the Active Directory Federation Services feature of Windows Server 2003 and Windows “Longhorn.”
The only truly new component of Microsoft’s IdM strategy is “InfoCard,” which will be implemented in “Longhorn.” At heart, InfoCard is a privacy-protection feature within the “Longhorn” client. It will provide a secure client-side store of identity information for authenticating to various relying services. Users will also be able to selectively withhold privacy-sensitive InfoCard identity attributes from relying services, and to define and enforce policies regarding which relying services may access which client-store attributes.
Indeed, privacy protection is the principal theme of Microsoft’s new IdM strategy. This fact comes through loud and clear in the “identity laws” promulgated by Microsoft’s identity guru, Kim Cameron, who was the mastermind behind the new strategy. According to Microsoft/Cameron, IdM systems must gain user consent prior to revealing information identifying the user; disclose the minimum amount of identifying information necessary; limit that disclosure to parties with a need to know; provision public and private identifiers for pointing to users’ identity data; and provide user interfaces that help people avoid revealing personal information to phishing and pharming scams.
These are all worthy concerns, but Microsoft seems to be inflating privacy protection all out of proportion as an organizing principle for IdM. Totally missing from Cameron’s “laws” is any mention of trust management, strong assurance, multifactor authentication, single sign-on, role-based access control, confidentiality, integrity, nonrepudiation, audit, compliance, and governance.
In his blog, Cameron asserts that his "laws" are explanations of why previous identity systems have “failed where they failed and succeeded where they succeeded.” If that's so, can he be more specific? Which previous identity systems? How is he defining the success or failure of such systems? How have privacy and identity-theft concerns--the primary focus of his "laws"--stymied acceptance of these identity systems? Did Passport fail because non-Microsoft people didn’t trust Microsoft as an identity aggregator? Or because Microsoft pursued a stovepipe proprietary approach in a world rapidly moving to SAML as the convergence IdM federation framework?
It’s good to see that Microsoft recognizes where it went astray in its previous IdM visions. But its new IdM strategy is too narrowly focused to serve as the basis for a truly universal, general-purpose, federated IdM environment. And its InfoCard mechanism does little to address the threat of identity thefts on server-based IdPs throughout the federated world.
Microsoft needs to think through these issues more comprehensively before issuing grandiose new vision statements.
Jim
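As an added illustration (not part of the original post, and not Microsoft's InfoCard code), the sketch below models the client-side behavior the post attributes to InfoCard and to Cameron's "laws": user consent before disclosure, release of only those requested attributes a relying service is permitted to see, and a separate private identifier for each relying service. The class, the attribute names, the sample services and the HMAC-derived identifier are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


class DisclosureRefused(Exception):
    """The request cannot be met without violating the user's policy."""


@dataclass
class IdentityStore:
    """Hypothetical client-side identity store (an assumption, not the InfoCard API)."""
    attributes: dict                                     # name -> value, held on the client
    release_policy: dict = field(default_factory=dict)   # relying service -> allowed names
    # Secret that never leaves the client; it seeds the per-service identifiers.
    seed: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

    def private_identifier(self, relying_service: str) -> str:
        """Stable identifier that differs per relying service, so two services
        cannot correlate one user simply by comparing the IDs they were given."""
        mac = hmac.new(self.seed, relying_service.encode("utf-8"), hashlib.sha256)
        return mac.hexdigest()[:32]

    def disclose(self, relying_service, required, optional=(), consent=None):
        """Return the claims released to one relying service.

        required/optional: attribute names the service asks for.
        consent: callback(service, names) -> bool standing in for the user's choice.
        """
        allowed = self.release_policy.get(relying_service)
        if allowed is None:
            # No policy entry: the service has no established need to know.
            raise DisclosureRefused(f"no release policy for {relying_service}")
        available = set(allowed) & set(self.attributes)

        # Fail closed when a required attribute is withheld or absent,
        # rather than silently sending a partial or substituted answer.
        missing = sorted(set(required) - available)
        if missing:
            raise DisclosureRefused(f"{relying_service} may not receive: {missing}")

        # Minimal disclosure: required names plus only the permitted optional ones.
        names = sorted(set(required) | (set(optional) & available))

        # Consent is checked against the exact list that would be sent.
        if consent is None or not consent(relying_service, names):
            raise DisclosureRefused("user did not consent to this disclosure")

        claims = {name: self.attributes[name] for name in names}
        claims["subject"] = self.private_identifier(relying_service)
        return claims


def build_sample_store():
    """Constructed sample data; the services and values are invented."""
    return IdentityStore(
        attributes={
            "email": "user@example.test",
            "postal_address": "1 Example Street",
            "phone": "555-0100",
            "age_over_18": True,
        },
        release_policy={
            "shop.example.test": {"email", "postal_address"},
            "forum.example.test": {"age_over_18"},
        },
    )


if __name__ == "__main__":
    store = build_sample_store()
    approve = lambda service, names: True  # stands in for the user clicking "allow"
    print(store.disclose("shop.example.test", ["email"],
                         ["phone", "postal_address"], approve))
```

The store above protects only what the client releases; it does nothing for the copies of identity data that server-based identity providers already hold.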
Thursday, May 12, 2005
fyi So much for (out of) print...
All:
Pointer to blogpost:
http://www.identityblog.com/2005/04/14.html#a190
Kobielus kommentary:
First off, I’d like to point out that I rather like the randomness of these subject lines, which are, in fact, the subject lines of the Cameron blogposts to which I’m responding. Like so many e-mail subject lines when considered from deep inside the discussion thread, and measured in tangent-upon-tangent-upon-tangent distance from the original point of the original post (if in fact the original had a clear point). Most real-world discussion threads are weirdly meandering. My head is weirdly meandering.
I make no bones. Random streaming stimuli are my favorite prods to creativity and spontaneity. They throw me off my old balance and force me to find a new footing in a decidedly non-Kobielian coordinate space. The more non-Kobielian the coordinate system, the more new stuff Kobielus must know and learn to survive and thrive. The more Kobielus must know, the more Kobielus must grow by integrating non-Kobielian stimuli into a Kobielian koordinate system. And then continue to de-Kobielicize his field of view to the maximum extent possible. To avoid koming into kontinual kontact with a Kobielian kosmos.
That weird alliterative tangent was suggested by this excerpt from philosopher John Scott’s comment on Harold Innis’ thinking on media and culture and perspective:
‘[The] Internet is going to force us to take some needed, but overdue, institutional and political steps to address something like what eye doctors call an "accommodation" problem. When our eyes do not adjust quickly enough, or fully enough, or appropriately to the changing objects in our field of view the doctors tell us we have an "accommodation" problem. We have been accommodating changes in language-technologies in different and dramatic ways since the beginning of recorded history. Changes associated with the internet's vices and virtues are no different, except that the orders of magnitude seem considerably increased. The Internet changes the ways we record, send, and receive messages and will radically continue to change where and how we live, just as past messaging innovations have.’
I’m nearsighted as hell, and my nervous system magnifies the problem by continually zoning out (and in) when I’m under stress (such as always, and aggravated by the dynamism and complexity of all things tech, which is, after all, the dominant koordinate system of my/your/our life). It's cognitive. It's also neuromuscular. It's philosophical too.
I’m never quite able to accommodate all of this kosmos into a single synoptic view. The best I can do is defocus/refocus/de-focus on the various "objects" I stumble across, attempting to integrate the ten zillion scattered facets/fragments of it all into a synoptic view in some abstract higher-level koordinate system in my head.
Problem is, higher-level abstract koordinate systems in my head alone are, by definition, acutely Kobielian. Which makes me squirm. I just can't accommodate a me-only koordinate system. I must blog and be rid of it.
OK, strap me down now.
Jim
Wednesday, May 11, 2005
poem Jim's Oak
JIM'S OAK
Fred and Flora's oak
withstood the pressure
of our presence and
dryly took note of
human puniness.
Friday, May 06, 2005
fyi He's had enough 'ease of use'...
All:
Pointer to blogpost:
http://www.identityblog.com/2005/04/17.html#a199
Kobielus kommentary:
Just picking off the various and sundry idea threads in this particular post, in which Cameron rips Ben Hyde a new one on various levels.
This notion of an “identity big bang” is one of those IT marketing Great White Hopes, a la “killer application” and “year of the [pick the technology you love to death but the great unwashed masses haven’t gotten hip on yet]” and “[name your pet bleeding-edge on-the-cusp technology] market tipping point.” I’d really love it if Cameron and others didn’t pin their/our hopes for IdM market growth on some vague grandiose utopian pipedream. I’m much more comfortable relating to discussions of specific trends, developments, and events that might drive federated IdM to greater adoption.
Cameron’s hope for an “identity big bang” (or identity killer apps or year of the identity or what have you) seems to be predicated on the notion that “ease of use” can be radically improved, re “more secure and more intuitive ways to use identities.” Is he talking about the need for more pervasive SSO, as enabled by ever more extensive IdM federated circles of trust? Is he talking about more transparent multifactor authentication schemes (as compared to, say, using a USB token that stores certs, passwords, biometric patterns etc and having to enter/present all of that to kick off an SSO session)? Is he talking about facilitating more expedited registration and provisioning of user identities/accounts and end-entity medium-assurance certs throughout an IdM environment? Is he talking about engineering more user-friendly procedures under which people specify what personal attributes they disclose to which relying parties under which circumstances? There are many dimensions of identity “ease of use” that should be spelled out in greater detail. However, I doubt that any of these “ease of use” factors, if radically and ubiquitously improved, would produce some “identity big bang” that catapults IdM vendors to insane profitability overnight. Rest assured: the IdM train’s already left the station, and it’s a fast train, but it’s not a bullet train.
As regards product managers being “legitimate agents for customers” and “absolute advocates of their products,” both statements are true. The best product managers serve as product users’ interface to product developers, and also as product developers’ interface to users. The product manager is, of course, principally a market-positioning agent, helping customers to position the product’s value proposition within the customer’s business operations/roadmap, but at the same time helping the product manager’s employer to position the product as part of a broader suite, or a broader business plan, or a broader set of markets/customers/etc. A product manager is a go-between helping the customer and the vendor to continually re-assess their rolling relationship to each other.
Product managers are proxy servers, both forward and reverse. It’s a dizzying Janus role, playing both ends of the value chain and holding the chain together. You have to have a certain tensile strength to your personality and your mind to do it well. You try it sometime.
Oh….analysts are market-positioning agents of a higher order (imho): customers’ proxy to product managers, and product managers’ proxy to customers. Sifting the messages flowing both ways between these agents in the value chain, helping them both understand how strong the chain truly is, when considered across an entire industry, or an abstract set of approaches—such as IdM—that an industry has implemented in their solutions.
You try it sometime. It’s not for everybody. Or, rather, not everybody is equally well-suited, temperamentally or intellectually, to industry analysis. Check their blogs, if they have them, to size up whether they have the chops. Do they present the larger context and nail down to details with equal agility? Do they read the daily feed and digest it well? Do they present whole well-wrought thought-chains, or just fragmented and ill-joined retorts to what others have expressed more succinctly?
Do they further fuzz the already fuzzy field of kollective kommentary on whatever topic they touch? Or do they immerse themselves in that kommentary kosmos and add at least one brilliant little new point of light to the topic at hand?
Ask yourself.
Jim
Thursday, May 05, 2005
poems More excerpts from "Pieces of Fate" (1995-2005)
AMBIT
Wherein kind folks belong to my circle. Hold onto use not discard my gifts. Ever glad to banter with me. Really read what I give them. Ever ready response. Outshine elevate. Happy happy. Wherever.
ANALYST’S SKETCHBOOK
Tedium may, absent fellow-feeling and some larger life’s project, lead you to believe that none of this really matters. Multiplexing your limited attention among trillions of tasks, none of which originated or will terminate with you, seems calculated to transform you into a mindless conduit for information, a mutant scarcely capable of independent existence or coherent thought. Chopping your daily feed stream into bite-sized segments suitable for recombination into new life forms that, resenting challenge, may rise without you bleeds pink the very soul of the new economy. Everything’s on call, on demand, on the line. Scan, absorb, and be ready to regurgitate you say. Call her, call him, set it up, and pull back you say. Take this, file it, and never lose the key you say. Stand ready to serve it up you say. All in the name of the project.
AN ANALYST’S LISTS
Big bold and sweeping/statements about the weather/sustain our careers.//Overstuffed inbox/ponderings on the latest/shrink-wrapped abstractions.//Disembodied voices/powerpointing plans for/soft world domination.
AND SO IT FLOWS
Starts and fits and somehow it works. Pieces and bits and blood on the pages. Rush and push and squeeze it between times. Scream and stream and give it a name.
DOMESTICATED ANIMALS CONSIDERED WITH REFERENCE TO CIVILIZATION AND THE ARTS
Dogs the man-warped freaks the likes of which no self-respecting wolf would ever sniff were there convenient alternatives laid out the way God designed. Ornery ocelots curled on couches. Mammoths stalked over quaternary cliffs. Eagles without affiliation. Steaming pigs trotting out to greet us. Time the horse threw me. Innocent macaw and her stuttering perch. Cats and chimps who stare right back, awaiting provocation.
DWIGHT DAVID EISENHOWER SCHIDT
Dwayne Duayne D'wayne D'Wayne Duwayne Doowayne Douayne Dwayn Duayn D'wayn D'Wayn Duwayn Doowayn Douayn Dwain Duain D'wain D'Wain Duwain Doowain Douain Dwaine Duaine D'waine D'Waine Duwaine Doowaine Douaine Dwaign Duaign D'waign D'Waign Duwaign Doowaign Douaign Dwaigne Duaigne D'waigne D'Waigne Duwaigne Doowaigne Douaigne Dwajn Duajn D'wajn D'Wajn Duwajn Doowajn Douajn Dwajne Duajne D'wajne D'Wajne Duwajne Doowajne Douajne Dwejn Duejn D'wejn D'Wejn Duwejn Doowejn Douejn Dwejne Duejne D'wejne D'Wejne Duwejne Doowejne Douejne Dwein Duein D'wein D'Wein Duwein Doowein Douein Dweine Dueine D'weine D'Weine Duweine Dooweine Doueine Dwegn Duegn D'wegn D'Wegn Duwegn Doowegn Douegn Dwagn Duagn D'wagn D'Wagn Duwagn Doowagn Douagn Dwaen Duaen D'waen D'Waen Duwaen Doowaen Douaen Dwane Duane D'wane D'Wane Duwane Doowane Douane Dweighn Dueighn D'weighn D'Weighn Duweighn Dooweighn Doueighn Dweighne Dueighne D'weighne D'Weighne Duweighne Dooweighne Doueighne Dweign Dueign D'weign D'Weign Duweign Dooweign Doueign
EMC2
Take matter and factor/in light's second power/then stand back and ask if/it's fungus or flower.
EXPLOSAIC
Panopticon. Pages galorious. Plastered everywhere. Printout port, personal portals, private platforms. Panaudicon. People I’ll know, never know. Places I’ll go, never go. Projecting presence. Pull them down, me in. Pages explorious perseverious. Pantacticon.
FAR BE IT
Glad for the world and all its valleys No satellite can ever spy Nor mapmaker render Every face on every street Or every view From every room.
FINE JUST FINE
Morning gory smile. Spring sun glares my computer. Screen saver goes black.
FOND PHENOM
Little lost star on the World Wide Web, logged on just to find you, be you dormant or dead, or lighting a site all your own, caught you out there, on the altars, unauthorized fans, now possessing, fondly have brought you to bed.
FORTY-FOUR
Keep having birthdays/and conceptions, reasons to/live and deliver.//Keep happy the half-/life allotted as if now/were all and ever.//And add a candle/for every year allowed to/lapse in memory.
FRAUGHT
Evening, an odd/day's ending, an old//calm rebalancing/the fury of fires//the sun has set in/motion, smoothing the//waters of ripples/its swells subside, swing//you full into its/eternal other,//an equally fraught/moon countervailing.
GERM
Easter up-we-rise,/clear of the storm just//passed, bracing the next/collective cough, the//come-flowering at/its most extreme, the//sun's re-assertion/of green upon gray//and grain upon the/air's very spirit.
GESTURE EVER LARGER
Sonya scribbled spec/tacles on a whiteboard a/round the sun's eyeballs/two teeny weeny inkspots.
GETTYSBURG ADDRESS
This weighty oration/was blessedly brief./Abe's last-minute musing/on national grief.
GIN AND GINGER
Ginger pours/an invisible juice in a juice/down from a glass decanter.//She shares with me/her most ingredient secret/in a stack of ice.//My lover is careful/not to shake sediment/too soon/up from the bottom.
GRACE SLICK
Famous name. Lobby face. Lowered eyes. Hair pulled back. Deep in couch. Hands in lap. Silent voice. Still asleep. Quick escape. Strangers know you.
GRASSY WYOMING
Cable channel thirteen. The announcer tells us and we see hear squawkers, long-necked lofting birds, matching wingspreads, cruising the current and gliding to rest in grassy Wyoming.
GREAT PUBLIC
Morphing us all. One face, a total atmospheric projection, weighted toward universal contours, bright eyes, ready smile, bones of distinction. One voice, nowhere native, broadly mockable, fractured deliciously with each new accent. One hail hello, a mindful cliche, eschewing nuance, bonding strangers into a more perfect union. In daily human increments.
HAND OF ACCIDENTS AND TRAVEL
Still a saint-no-more,/the old road-patron/Mister Christopher.//There is certain grain/in any figure of long/gone veneration.//There fingers stroke/up kingdoms undone.
IN A MAN SKIN
All horned and coarse, bull and bear,/thick fingernails and facial//hair, boxy build and boxer/underwear, overstuffed and//muscular, a man can chart/the universe, trace time and//light to their celestial source,/master every earthly force,//win womankind and plumb the/depths of everything but her.
INFLAME THE SAVIOR
Sad: I can’t cry./Tired: I won’t drop./Mad: I can’t scream./Blocked: Don’t stop.
IN THEIR SOCIETY
Cats comfort us each/in our respectives.//Their purrs and murmurs/our wordless regard.//Their soft appearance/our ready reserve.//She contemplates their/curvature and sleep.//My mind joins in with/their hidden mischief.
IN THE N IN IN
In the air. A storm is rain contained. A slipping trail of gray.
IN TORRENTS
It rains unicorns/and ancestors, cats//and indolent stock/of European//royal families,/dogs and dog-walking//dog-walkers trained to/trail the pup and catch//its exquisitely/precipitate poop.
IN VIOLET
ere the invisible last bloom of the day an uninvited ray
IT
it comes when it comes,/an impulse's pulse//stirred, an itch shivered/away, a sore spot//rough from the rubbing,/a nervous tickle//persisting in a/stiffened urge to run//hot scalding water/till i just can't stand.
JAKARTA
Is all a warm swarming sprawl./It's as real remembered as/experienced, as crass and/crowded as any shining/capital, idealized/as any concrete bog. What's/a car to this labyrinth:/a serpent snaking itself/into impossible slots,/an air-conditioned escape/pod to brave the squeeze of the/unending Indonesian/welter. Go drive the hive of/brands and goods, up the high and/mighty rises, down through the/frayed Batavian canal-/infested old neighborhoods./It's a mart. It's a cart. It's/a stall. It's hidden bazaars/and holes-in-the-wall. It's the/superstore and the mega-/mall. Broadcast prayers, dirty air./All far too far familiar.
JAVA PLAIN
As the archipelago drifts. I sit here prehistoric. Pepsi in hand. Fresh off the bus. Not really thinking. Sunshine on the flats. Steaming rice. Shallow seas. Bright smoke. Absolutely winterless. Familiar strange. Ten thousand generations removed from this world.
JOYCE CAROL’S KITES
She flies jellyfish/In their natural membranes/But billowed with air.//She doesn’t bother/Them to wake. Their sheets she flaps/In morning’s currents.//One clothespin per pet./Clipping them down one by one/Along the coastline.
LORD'S PRAYERS
I//Father heavenly/and holy may your reign and/design grace the earth.//Sustain us daily./Forgive us as we others/and lead us from sin.//Above all are your/kingdom power and glory/here now forever.//II//Father in heaven./Holy your name. Come your reign/and plan over all.//Bring us to the bread./Forgive our due and spare us/the trials and devils.//Ever till the last/shall your kingdom power and/magnificence shine.//III//Father o father./May your kingdom and laws spread/and conquer the world.//Give us subsistence/and protection from foes strange/and familiar.//To only you is/due tribute and praise for this/state everlasting.
MASS OF THE PLANET
Ponder the it in/us, the stone in which we stand/immovably fixed.//Gray or grey the dark/dots clump into larger lumps/of loose gravity.//The holes into which/ghosts inject their voices and/our viscosity.
MATTER
There is in all this/the matter of the thumb we/suck and choose to share.//A quick hit of the/flesh, a poet's pathetic/self-stimulation.//There is in this the/thought or conceit that, come years,/we will still matter.
Wednesday, May 04, 2005
fyi A thread you should follow
All:
Pointer to blogpost:
http://www.identityblog.com/2005/05/03.html#a211
Kobielus kommentary:
If you notice that I’m only kommenting on Kim Kameron blogposts recently, you’re not mistaken. Considering that he’s konsistently kommenting on the kommentary koming from the IdM kommunity, and I kount myself as one of that bunch, Kim’s Identity Blog is my primary “if you only read one blog today” stop. Also, I’m bored by the industry news right now, and don’t feel much like kommenting on what I read therein. Though I read that krap too.
Much as I respect the work that Dan Blum and Trent Henry do, I take issue with their definition of “trust” as "The willingness of a party to take action based on its relationship with another party." It’s a good half-definition, but it misses the essential flipside of the “trust” relationship—the ability of a party to take action based on compromise, violation, abuse, or abrogation of its relationship with another party—in other words, the ability of a party to seek reparations, restoration, and/or damages when the ground rules laid down in existing business relationships, legal agreements, assertions, and shared policy are trashed and trust is violated. It’s in that context that we rely on cryptographic key management, assertions, technical assurance, and audit and accreditation infrastructure/arrangements to establish accountability for violation of that trust.
To trust someone is good. To extract a pound of flesh from the one who violates trust isn’t better. But it’s necessary on occasion, and it must be in our power if we’re ever going to trust anybody ever over anything.
Trust isn’t about reducing the need for trust. It’s about reducing the need for lawsuits when people and organizations refuse to be held accountable for violating the trust placed in them.
Trust infrastructure provides the ammunition for enforcing accountability. It really should be called “accountability infrastructure”: PKI, directories, IdM, assertions, claims, keys, etc. It facilitates the legal discovery, case-building, ass-nailing, and asset-impoundment that is necessary if, God forbid, somebody violates the trust.
No. Burton Group doesn’t need to change their reportage on this topic. “Trust infrastructure” is an industry term of art that’s well understood. The term “trust” should only be used as an adjective to modify “infrastructure.” As a stand-alone noun, it should be avoided, in favor of “accountability,” or, more broadly, “mutual risk management.”
Trent: Monaco was fun. A last long walk and talk up and down the hills and bluffs. Thanks. Say hello to Pauli for me. And Fred, of course. Some day, maybe we’ll continue the conversation. Maybe some day soon.
Jim
Tuesday, May 03, 2005
fyi LSE report on the British ID Card Initiative
All:
Pointer to blogpost:
http://www.identityblog.com/2005/04/04.html#a184
Kobielus kommentary:
A good report, assessing the proposed UK Identity Cards Bill on many levels.
What I liked most about the report is the thoroughgoing dissection of the complete identity metasystem (to borrow a phrase from Cameron) that the bill, if enacted, would establish in the UK. The bill calls for an identity metasystem with the following components:
• National identification register
• National identity registration number
• Collection of a range of biometrics such as fingerprints
• National identity card
• Provision for administrative convergence in the private and public sectors
• Establishment of legal obligations to disclose personal data
• Cross-notification requirements
• Creation of new crimes and penalties to enforce compliance with the legislation
The report’s assessment of the proposed identity metasystem is balanced—indeed, too balanced, in the sense that its main assessment is a bit too wishy-washy, attempting to appeal to both camps with studiously non-committal committee language: “the establishment of a secure national identity system has the potential to create significant, though limited, benefits for society.” “Significant, though limited”? Yeesh, come now, what are the potential benefits: significant or insignificant? Make up your collective minds.
Contrary to what Cameron implies in his post, privacy issues are only one set of objections that the committee articulates. More broadly, the committee states that “the proposals are too complex, technically unsafe, overly prescriptive, and lack a foundation of public trust and confidence.” Indeed, the most significant arguments against the bill are that it wouldn’t achieve the chief public interest objectives that its proponents cite:
“Many of the public interest objectives of the Bill would be more effectively achieved by other means. For example, preventing identity theft may be better addressed by giving individuals greater control over the disclosure of their own personal information, while prevention of terrorism may be more effectively managed through strengthened border patrols and increased presence at borders, or allocating adequate resources for conventional police intelligence work.”
One weakness in the report is it doesn’t define a workable alternative to the bill that would address the objectives of the bill re national security, counter-terrorism, identity and benefit fraud, crime prevention, immigration controls, etc. However, on page 74 they cite the French government’s call for “decentralized storage of data” and “distributed identifiers” to address the privacy concerns:
“Instead, the French Government calls for the creation of an ‘identity federator’: ‘the most successful solution consists of creating an identity federator, enabling the user to use the single identifier to access each of the services of his or her choice without either the government databases or the identity federator itself being able to make the link between the different identifiers.’”
Is this proposal related to the Liberty Alliance use of opaque pseudonyms for identity/account linking across circles of trust? Sounds interesting. I wish the UK report had gone into greater detail on this and other federated approaches for privacy protection with a secure distributed identity metasystem. I wonder how the UK bill could be rewritten to address these concerns:
• No single national identification register—rather, one or more citizen-chosen decentralized identification registers (public and/or private, managing all user identity attributes or specific sets of attributes) per citizen, with the registers federated to each other and linking citizens’ various decentralized accounts through exchange of opaque pseudonyms, hence preventing third-party surveillance and aggregation of identity data across distributed environments
• No single national identity registration number—rather, citizen-chosen identifiers that are unique to their chosen or designated identification register or registers
• No collection of specific mandatory biometrics such as fingerprints—rather, collection of citizen-chosen biometrics that are stored and managed by their chosen register
• No national identity card—rather, issuance of register-specific portable identity credentials on hardware tokens (smartcards, USBs, wallet cards, etc.) that protect citizen-chosen privacy-sensitive data from release and keep track of what third-party has requested and been provided access to which token-managed data and when for what reasons
• No provision for administrative convergence in the private and public sectors—rather, private and public sector organizations can choose to rely or not rely on various identification registers for various data associated with various users for various applications
• No establishment of legal obligations to disclose personal data—rather, establishment of legal obligations of implementation of controls to protect personal identity data from unauthorized acquisition, disclosure, and use
• No cross-notification requirements—full stop
• Creation of new crimes and penalties to enforce compliance with the privacy-protection sections of the legislation
Or something along those lines.
Jim
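The opaque-pseudonym idea raised in this post, as an added example that is not part of the original post or of the Liberty Alliance or French specifications: a hypothetical federator derives a different identifier for each citizen/service pair with a keyed HMAC, so two registers cannot be joined on the identifier the way they can on a single national number. The class, service names and citizen IDs are constructed for illustration; unlike the French proposal quoted above, this federator holds the key and can itself link the identifiers.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed sample population (not real identifiers).
CITIZENS = ["citizen-001", "citizen-002", "citizen-003"]


class Federator:
    """Hypothetical federator issuing one opaque pseudonym per (citizen, service)."""

    def __init__(self, key: Optional[bytes] = None):
        # The key never leaves the federator; services only ever see pseudonyms.
        self._key = key or secrets.token_bytes(32)

    def pseudonym(self, citizen_id: str, service_id: str) -> str:
        # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot
        # produce the same HMAC input.
        parts = (service_id.encode(), citizen_id.encode())
        msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def matches(self, citizen_id: str, service_id: str, presented: str) -> bool:
        # Account linking goes through the federator: it recomputes the
        # pseudonym and compares in constant time.
        expected = self.pseudonym(citizen_id, service_id)
        return hmac.compare_digest(expected, presented)


def build_register(service_id: str,
                   identifier_for: Callable[[str, str], str]) -> Dict[str, dict]:
    """A service's register, keyed by whatever identifier scheme is in force."""
    return {identifier_for(c, service_id): {"service": service_id} for c in CITIZENS}


def linkable_records(reg_a: Dict[str, dict], reg_b: Dict[str, dict]) -> int:
    """Number of records a third party could join on the identifier alone."""
    return len(set(reg_a) & set(reg_b))


def national_number(citizen_id: str, service_id: str) -> str:
    # Single national registration number: the same value at every service.
    return citizen_id


def demo() -> Dict[str, int]:
    fed = Federator(key=b"\x01" * 32)  # fixed, constructed key for a repeatable run
    tax_n = build_register("tax", national_number)
    health_n = build_register("health", national_number)
    tax_p = build_register("tax", fed.pseudonym)
    health_p = build_register("health", fed.pseudonym)
    return {
        "national_number": linkable_records(tax_n, health_n),
        "pairwise_pseudonyms": linkable_records(tax_p, health_p),
    }


if __name__ == "__main__":
    print(demo())
```

Correlation through attributes stored next to the identifier (name, address, date of birth) is untouched by this; pairwise identifiers only remove the identifier itself as a join key.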
Monday, May 02, 2005
fyi From simple identity assertions to... identity ontology
All:
Pointer to blogpost:
http://www.identityblog.com/2005/04/10.html#a185
Kobielus kommentary:
I like Razzel’s discussion of “identity ontologies.” It’s a good organizing framework for understanding the potential for semantic match or mismatch among identity-asserting and identity-relying parties in any interaction.
My sense is that identity ontologies among asserting and relying parties overlap when they share commonly recognized identity authorities (e.g., PKI root CAs, authoritative directories, SAML authentication authorities), who establish and sustain the shared trust, federation, risk management, and policy framework within which parties can interact for their mutual advantage. Those frameworks naturally require common formats (aka, schemas) for the identity, trust, policy, and other assertions/claims that parties interchange in such an environment.
As to Razzel’s notion of identity “micro-formats,” it seems to me that this is applicable to environments wherein end-entities are their own authorities, issuing assertions (or “self-declarations”) on their own behalf and in self-declared assertion formats (or in one-off or one-time or ad-hoc per-relationship formats). In such an environment, the asserting and relying parties must find an intersection among authorities and formats (and among the trust relationships within which those authorities/formats exist) in order to interact securely for mutual advantage. If neither party recognizes each other as a self-assertion authority for a particular transaction, then the intersection among their identity ontologies is null. "I would trust you if and only if some trusted third-party says you exist and tells me something useful about you. And you say you feel the same about me. Our solemn promises to each other are meaningless without third-party vouching."
The "micro-formats" can be as microscopic as the scope of the self-declaration and the scope/depth/duration of the relationship within which various attributes are being asserted. "I'm willing to recognize your self-assertion of membership in a peer-to-peer informal social network for the purpose of swapping information of mutual interest to people like us who self-assert such membership."
From a post of a few months ago, here’s my broader identity ontology, within which the notion of self-authority/assertion/declaration (and negotiated identity micro-formats, or ad-hoc assertion schemas) can best be understood:
• Identity is a uniquely denotative set of one or more attributes associated with a designated entity.
• Identity is issued, owned, asserted, vouched, interchanged, controlled, disclosed, and administered by one or more recognized authorities, which may be the designated entity itself (i.e., self-declaration) and/or various third parties with responsibility over various roles, transactions, or scenarios in which that entity participates (and who may provision or deprovision some aspect of the entity’s identity at their pleasure, will, or whim, depending on their power over him/her/it in various spheres).
• Identity is queried, retained, and relied upon by one or more other parties when engaging in various relationships or interactions, public or private, with the designated entity.
• Identity is control over the entity that it designates, and that control may reside to varying degrees in the designated entity, various recognized identity authorities, and/or various relying parties.
By the way, “my ontology” has a special meaning in my own personal ontology of working. When I embark on a new research project (be it a freelance article, research report, or whatever), I attempt to quickly get my head around the topic by a) immersing myself in the latest, most comprehensive research on that topic and b) sketching out, on a single piece of paper, a graphical overview of all the principal entities and relationships (with appropriate boxes, labels, lines, and arrows) among all of those entities/relationships. Then I sit and stare and contemplate on that single jam-packed sheet of paper.
Which I refer to as “My Ontology.” Yeah, I’m a myontologist.
Jim
Friday, April 29, 2005
fyi Regime for Privacy Protection
All:
Pointer to blogpost: http://www.identityblog.com/2005/04/12.html#a187
Kobielus kommentary:
“Regime for privacy protection”? Sounds like an oxymoron. Privacy protection by a system, or “The System”? Privacy protection is founded on our ability as solitary souls to keep the system, the world, and all its prying eyes and tentacles at a comfortable distance. The “legal architecture”—i.e., the superstructure of any regime, benign or otherwise—is a regime within which attorneys, judges, jurors, and other third parties invade our privacy membrane for the purpose of defending vs. puncturing it, enforcing vs. invading it, and generally trampling it in the act of “recognizing” it. Likewise, a commercial regime has no interest in respecting our privacy, since companies’ every fibre is bent on targeting, selling, delivering, serving, and otherwise tracking, billing, and extracting payment from us based on whatever identity information they can find on us, and the more the merrier. Sounds about as Kafkaesque as it gets.
Privacy feels like the sort of comfort zone that gets institutionalized at its own peril. It’s the sort of buffer zone that must be maintained by self-interested self-aware evasion, subterfuge, and cloaking. Everybody who ever comes into contact with every aspect of our persona inadvertently participates in trampling our privacy, regardless of whether they, individually or as part of a system, regime, or superstructure intend to compile a “superdossier” on us. This notion of a superdossier, continually compiled by a shadowy cabal of ubiquitous conspirators, is the stuff of superparanoia.
Privacy is something we surrender, to greater or lesser degrees, by the act of being born (which leaves at least one permanent public record—two, if you’re in a bureaucratic religious sect, such as Roman Catholicism, that requires that infants be baptized within a certain number of days after birth). God is the prime witness of our entry into the public world, and the county birth registrar comes second.
Correct me if I’m wrong, but aren’t the most privacy-conscious people the most unhinged? The Ted Kaczynskis of this world. The very people who flee the legal, commercial, and civil-behavior regime that the rest of us choose to inhabit, for better or worse. The sorts of people who see the public world as an all-pervading threat that must be annihilated?
Privacy is important, of course. But let’s not imagine that privacy-protection mechanisms, laws, and other public institutions and organizations can actually guarantee some all-pervading bliss called “privacy.”
They just offer new doors we can shut upon occasion to cloak some personal attribute, behavior, or situation that’s our business. And ours alone. Within the bounds laid down by civil society.
Jim