Monthly Archives: April 2009

It’s the model stupid

Posted on April 29, 2009 | Leave a comment

William Vambenepe has a great write up on past and current IT management standards efforts here (and rifs on the famous Bill Clinton internal campaign motto):

I wish that rather than being 80% protocols and 20% models, the effort in the WS-based wave of IT management standards had been the other way around. So we’d have a bit more to show for our work, for example a clear, complete and useful way to capture the operational configuration of application delivery services (VPN, cache, SSL, compression, DoS protection…). Even if the actual specification turns out to not make it, its content should be able to inform its successor (in the same way that even if you don’t use CIM to model your server it is interesting to see what attributes CIM has for a server).

It’s less true with protocols. Either you use them (and they’re very valuable) or you don’t (and they’re largely irrelevant). They don’t capture domain knowledge that’s intrinsically valuable. What value does WSDM provide, for example, now that’s it’s collecting dust? How much will the experience inform its successor (other than trying to avoid the WS-Addressing disaster)? The trend today seems to be that a more direct use of HTTP (“REST”) will replace these protocols. Sure. Fine. But anyone who expects this break from the past to be a vaccination against past problems is in for a nasty surprise. Because, and I am repeating myself, it’s the model, stupid. Not the protocol. Something I (hopefully) explained in my comments on the Sun Cloud API (before I knew that caring about this API might actually become part of my day job) and something on which I’ll come back in a future post.

I can sympathize with William. I wish that in the SPML effort we had spent more time working on the model up front. The plan had always been to finalize the protocol and then work on the model. As a result the model work never really got properly addressed, although there is a possibility it might someday.

→ Leave a comment

Posted in CMDB, SPML, Standards

Tagged , , ,

An OpenID game changer

Posted on April 29, 2009 | Leave a comment

One theme I have harped over the last year of so is that it means little for the big content providers to become OpenID providers if they don’t also become relying parties. You can’t build a highway with nothing but on ramps.

So far the vast majority of OpenID announcements by the big players have been to be yet another OP, or just signing up for the OpenID Foundation. It looks like the game is finally changing. Apparently Facebook is getting ready to become an OpenID Relying Party. From Inside Facebook:

Less than three months after joining the OpenID Foundation’s board as a sustaining corporate member (i.e. putting its weight and financial support behind OpenID), Facebook has just announced at the “technology tasting” event this afternoon at its Palo Alto headquarters that users will soon be able to log in to Facebook with their OpenID.

This could be huge for OpenID adoption, if it really happens.

→ Leave a comment

Posted in Facebook, Identity, OpenID, Standards

Tagged , , ,

IP logs? What IP logs?

Posted on April 29, 2009 | Leave a comment

Now here is an interesting trend in Sweden, ISPs expunging IP Logs so they can’t be turned over to the government. From ARS Technica:

Another Swedish ISP has decided not to retain customer IP records in an attempt to protect user anonymity. Tele2 announced this week that it plans to start deleting all IP records after they had been used internally-a move that is still legal under Swedish law, but is beginning to irk law enforcement.

Tele2 is the second major ISP to announce such a plan this month. The first was Bahnhof, which said earlier this month that it refused to keep any log files to hand over to authorities. Both ISPs are reacting to IPRED, the Intellectual Property Rights Enforcement Directive. The Swedish incarnation of this European directive went into effect on April 1, and it allows courts to force ISPs to turn over user data in cases of suspected copyright infringement. Because of this loss of anonymity, Internet traffic in Sweden saw an immediate drop.

→ Leave a comment

Posted in Privacy

Tagged

Jurisdiction matters

Posted on April 27, 2009 | Leave a comment

Bruce Schneier has this posting about privacy risks for Cloud software. These are all good points, but there is one that Bruce doesn’t mention. In fact few people are mentioning it which is a shame because it’s one of the biggest risks with using Cloud services: controlling legal authority.

In other words, in what country’s jurisdiction is your Cloud service? Do you know? Shouldn’t you know?

This was brought home recently when Germany-based RapidShare had to divulge its users IP addresses, according to this ARS Technica article:

The popular Germany-based file hosting service RapidShare has allegedly begun handing over user information to record labels looking to pursue illegal file-sharers. The labels appear to be making use of paragraph 101 of German copyright law, which allows content owners to seek a court order to force ISPs to identify users behind specific IP addresses. Though RapidShare does not make IP information public, the company appears to have given the information to at least one label, which took it to an ISP to have the user identified.

The issue came to light after a user claimed that his house was raided by law enforcement thanks to RapidShare, as reported by German-language news outlet Gulli (hat tip). This user had uploaded a copy of Metallica’s new album “Death Magnetic” to his RapidShare account a day before its worldwide release, causing Metallica’s label to work itself into a tizzy and request the user’s personal details (if there’s anything record labels hate, it’s leaks of prerelease albums). It then supposedly asked RapidShare for the user’s IP address, and then asked Deutsche Telekom to identify the user behind the IP before sending law enforcement his way.

What’s really interesting is this comparison to the laws governing US based last.fm and Germany based RapidShare:

There are, however, many differences between Last.fm and RapidShare. For one, if Last.fm were to find itself in the position RapidShare is in with GEMA, it would be able to argue that the Safe Harbor provision in the DMCA protects it from liability as long as it removes infringing content after being presented with a takedown notice. In Germany (and many other countries), there is no equivalent, meaning that RapidShare has little choice but to comply with the rulings. RapidShare’s incredible popularity-Germany-based deep packet inspection (DPI) provider Ipoque recently put out a report saying that RapidShare is responsible for half of all direct download traffic-has only made the issue more sensitive for the record labels and service providers alike.

Jurisdiction matters.

→ Leave a comment

Posted in SaaS, Security

Tagged , , , ,

Cyber-attack in Morgan Hill

Posted on April 27, 2009 | Leave a comment

Bruce Perens has an interesting article about an event that garnered far less attention than it should:

Just after midnight on Thursday, April 9, unidentified attackers climbed down four manholes serving the Northern California city of Morgan Hill and cut eight fiber cables in what appears to have been an organized attack on the electronic infrastructure of an American city. Its implications, though startling, have gone almost un-reported.

That attack demonstrated a severe fault in American infrastructure: its centralization. The city of Morgan Hill and parts of three counties lost 911 service, cellular mobile telephone communications, land-line telephone, DSL internet and private networks, central station fire and burglar alarms, ATMs, credit card terminals, and monitoring of critical utilities. In addition, resources that should not have failed, like the local hospital’s internal computer network, proved to be dependent on external resources, leaving the hospital with a “paper system” for the day.

The attack is as mysterious as it was successful. I suspect that the “disgruntled ex-telco worker(s)” theory is probably the best explanation.

I loved how the local Ham Radio enthusiasts came to the rescue.

→ Leave a comment

Posted in Cyber-warfare, Security

Tagged ,

Some random thoughts about Kantara

Posted on April 23, 2009 | Leave a comment

I would like to congratulate all the Liberty, Concordia, ICF, XDI, and other standards folks for launching the Kantara Initiative.  I have no doubt that there will be a lot of interesting work done under this umbrella.

That’s to not say there aren’t nay-sayers. There always are. My advice to those involved in KI is to ignore the nay-sayers and go solve problems. And have fun doing it.

As to whether the audience of technology adopters will find value in the results, I can’t venture a guess.

Oddly enough the first time I read about it I thought it was the “Katana Initiative”. Damn dyslexia.

[Full Disclosure: I was the BMC representative to Project Liberty]

→ Leave a comment

Posted in Identity, Standards

Tagged , , , ,

Apparently more credible

Posted on April 22, 2009 | 1 Comment

Some researchers in Austria are trying to tackle a very tough issue, blog credibility ranking. Unfortunately (if this blog article is credible) they are building their house on a very shaky foundation:

The proliferation of widespread Internet access has enabled everyone and their dog to start a website, but not every one is filled with what some of us would describe as “credible” information. That’s why some researchers are attempting to create software that can analyze Web content and automatically rank it to help out those who can’t quite decide for themselves.

Researchers at the Austria-based Know-Center are working on a program that analyzes the language used on blogs in order to rank them as highly credible, having average credibility, or “little credible.” The code looks at the distribution of words over time, and compares blog topics against articles from mainstream news, which are apparently weighted as being more credible.

[Emphasis added]

There are a whole host of reasons why using the mainstream media as a credibility benchmark is a bad idea, but the biggest reason is that the media really does a poor job in general of getting facts right. That’s not a criticism and really no one should expect any different.

The mainstream media generally gets things wrong simply because the content is generated by people that are generally not subject matter experts on the things they are writing about. They are experts at writing and (usually) journalism. Yet they are called upon to write about a vast universe of subjects that they are barely familiar with.

If you don’t believe me think back to the last time you read an article in the media that concerned a subject you were an expert at. Did you feel that the article accurately portrayed the crucial issues? Did it do it better than the dozens of blog entries you might have read on the same subject?

→ 1 Comment

Posted in Media, Skeptic

Tagged , , ,

Open source IdM connector project

Posted on April 21, 2009 | Leave a comment

Sun (or should I say Oracle now) now has an open source effort for Sun Identity Manager connectors (hat tip to Daniel Raskin). There is even an SPML 2.0 connector listed which is great to see.

This is another shot at the Holy Grail of enterprise management software, getting out of the connector business. It doesn’t matter if you are doing identity management, network management, configuration management, or security management, or systems management, satisfying a never ending customer demand of connectivity to a myriad of systems is a back breaking pain (and expense).

It will be interesting to see how this plays out. There are a lot of Sun IdM enthusiast out there, and many of them are capable of writing connectors. The success of this effort will depend on how many of them are willing to participate in OS projects and more importantly can get their companies buy-in to contribute source code.

→ Leave a comment

Posted in Identity, Identity Management, Open Source, Provisioning

Tagged , , , , ,

Genetic Registrants

Posted on April 20, 2009 | Leave a comment

Now here is a wonderfully Orwellian term; “Genetic Registrants”. That is how this NYT article refers to people who have had DNA samples taken as a result of having been arrested even if they have never been convicted of a crime:

Law enforcement officials are vastly expanding their collection of DNA to include millions more people who have been arrested or detained but not yet convicted. The move, intended to help solve more crimes, is raising concerns about the privacy of petty offenders and people who are presumed innocent.

Until now, the federal government genetically tracked only convicts. But starting this month, the Federal Bureau of Investigation will join 15 states that collect DNA samples from those awaiting trial and will collect DNA from detained immigrants – the vanguard of a growing class of genetic registrants.

The F.B.I., with a DNA database of 6.7 million profiles, expects to accelerate its growth rate from 80,000 new entries a year to 1.2 million by 2012 – a 17-fold increase. F.B.I. officials say they expect DNA processing backlogs – which now stand at more than 500,000 cases – to increase.

→ Leave a comment

Posted in Privacy

Tagged , ,

The cyber-cassandras vs the cyber-pollyannas

Posted on April 17, 2009 | Leave a comment

When I blogged here about the recent announcement that backdoors had been left in the US grid infrastructure, I had predicted that many would respond with the standard “hackers with no ties to any government” theory. Well, when you’re wrong, you’re wrong. Instead I saw some interesting reactions that seem to say “what the big deal?”

For instance Joel Hruska from ARS Techinica has this take:

At the end of the day, we’re watching a movie remake. The special effects have been updated, and some of the actors are new, but we’re still talking about security threats from “out there” and the need for a new type of national security. The Internet is merely the latest-and by most measures, the most benign-means by which one country could attack another. Personally, given the choice between ICBMs, chemical weapons, “the bomb”, or V-2 rockets, I’ll take the Internet.

I would point out to Mr. Hruska that these options are not mutually exclusive. Note that recently the country of Georgia was not bombed solely with packets.

And Bruce Schneier writes:

Read the whole story; there aren’t really any facts in it. I don’t know what’s going on; maybe it’s just budget season and someone is jockeying for a bigger slice.

Honestly, I am much more worried about random errors and undirected worms in the computers running our infrastructure than I am about the Chinese military. I am much more worried about criminal hackers than I am about government hackers. I wrote about the risks to our infrastructure here, and about Chinese hacking here.

And from this Evgeny Morozov article titled “10 easy steps to writing the scariest cyberwarfare article ever”:

1. You need a catchy title. It pays to cannibalize on some recent tragic event from the real world; adding “cyber” to its name would usually trigger all the right associations. Studies show that references to “digital Pearl Harbor“,”cyber-Katrina“, and “electronic 9/11” are most effective, particularly for stories involving electricity grids or dams. Never make any explicit attempts to explain the bizarre choice of your title- you need to leave enough ambiguity out there for your readers to “connect the dots” themselves. This is a win-win: readers love solving important cyberspy puzzles – and you could get away without doing any analysis of your own. Quoting real facts would spoil the puzzle-solving experience; plus, the fewer facts you quote, the harder it would be to debunk your story!

Perhaps this is just a tempest in a teapot. Perhaps I am just being a cyber-cassandra. But for all the dismissive rhetoric from the cyber-pollyannas, there is one thing you won’t hear: a reason why these penetrations were attempted. You won’t hear it because the plausible explanations are a bit more worrisome that the cyber-pollyannas want to admit.

→ Leave a comment

Posted in Cyber-warfare, Security, Skeptic

Tagged , ,