Re: Never Say Never

Paul Madsen replied to my blog post “Never get lost again while federating”:

I don’t have quite the same amount of faith as Bavo De Ridder does in Liberty Alliance’s new intro to our specification set.

I know I’ve heard ‘recalculating’ countless times from another system that makes the same claim.

Liberty Alliance’s new representation of their specifications may not be perfect (and it surely isn’t) but at least it is a step up from the previous list of PDF files and will hopefully make it more clear to some people.

In the last few weeks I had to explain several times to people what federation is and what it isn’t and how the different specifications relate. At the same time, some people caught me on some errors and corrected me. People familiar with federation probably know there is a lot of misinformation out there, not least from vendors and in particular their sales force. For the moment federation seems to be the magical bullet that will solve everything costly identity management suites apparently are not capable of.

Simple graphical representations, like the one Liberty Alliance has placed on their site, surely help in clarifying some of the misunderstandings out there. It is however only a (very) small part of the overall picture, a picture that is getting more complicated by the day and therefore harder to grasp. Graphical representations are not that magical bullet either, you still need to understand each of the blocks individually.

But all this still leaves my question standing:

Is there anyone out there brave enough to take all existing identity work and show their relationship in one graphic?

Never get lost again while federating

I was reading through the blogs of Paul Madsen and I came across this posting about an update to the site of the Liberty Alliance. One very nice addition is this Flash animated navigator for all the Liberty Alliance specifications.

This reminds me of the famous graphics showing all the XML specifications known at that time.

Such graphical representations sure help people to stay up to date with the multitude of emerging specifications and their relationships. Is there anyone out there brave enough to take all existing identity work and show their relationship in one graphic?

Data cleansing just became a lot easier

Novell has released a first version of Novell Enforcer. They blogged about this earlier. The tool supports the process of data cleansing and control in three different phases:

  • In the first phase, dubbed “Analysis”, the tool gives you a deeper insight into the quality, content and structure of the identity data in the various repositories.
  • The next phase, dubbed “Enhance”, helps you to correct erroneous data, create a consistent structure and overall enhance the quality of the identity repositories.
  • The last phase, dubbed “Control”, aids you in creating the necessary policies in the Novell Identity Manager product to keep the data consistent and clean.

This looks like a great tool and I can’t wait to lay my hands on this little gem! Up until now data control and cleansing had been a one-time job mostly implemented using a battery of quick and small scripts.

Today, Novell has shown us that data cleansing and control is not a one-time step but a continuous process that deserves a front row seat in your I&AM architecture.

Craig, don’t help spammers!

Craig Burton’s blog is on my blogroll. Yesterday I wanted to comment on a recent post of his about Onfolio and Firefox. The form asked me to insert my email address. Thanks to the amount of spam I receive I have become very reluctant to enter my address. Sites just have no clue about how to deal with them. There are numerous sites posting entire mail archives with no obfuscation whatsoever to protect email addresses. On Craig’s site, I pasted my XRI contact service URL (http://xri.net/=bavo.de.ridder) which would allow both Craig and his readers to contact me.

Sadly enough, the form came back to me, telling me that I should enter a real address. Hmmm, so I had to give my address. Knowing Craig’s reputation I assumed the following:

  1. Craig uses the email address to confirm a real person was posting and I would probably get a confirmation mail I had to respond to before my comment would be published.
  2. Craig would then be smart enough not to publish my email address or at least obfuscate it enough to keep it safe from spammers.

Feeling slightly more comfortable, I entered my real address and hit submit. A few seconds later (actually a lot of seconds later, his site must be on a 32kbps line), the post was submitted. I went to my mail reader to hit “get mail” but nothing had arrived yet. Going back to Craig’s site I discovered that:

  1. The comment was submitted and showed my email address in both the source and the rendered version (so not even basic javascript hiding).
  2. I did not receive a confirmation mail.

I mailed Craig to ask him to remove my address from the site. His mail address is available on his site, obfuscated as “gcraigburton [at] Yahoo [dot] com”. Nice. Obfuscation for his address but all his commenters are exposed.

I am very tempted to include Craig’s mail address, not obfuscated, but I will refrain. Craig’s obfuscation of his own address is weak enough, spammers probably already got it.

Clearing cookies is not enough to save your privacy

Through a story on Slashdot I came across this article.

Apparently it is not enough to just clear cookies, your cache can also contain some nasty tracking features:

Your browser’s cache is a valuable store of information. A JavaScript .js file resource which is generated dynamically when requested can have embedded a unique tracking ID and can live permanently in your browser’s cache when sent with the right HTTP cache-control headers. This JavaScript file can then be called by pages. The script is never re-requested, and hence keeps the unique ID, and it can call resources on the server-side to track you. They just need to associate this unique ID once with your account (when you login first time after the ID was created), and they can set cookies back again later and track you anyway. The result is that you can be tracked uniquely even past the point where you clear your cookies (i.e., as if you never cleared your cookies to generate fresh ones).

The article informs you that with Firefox you can clear the cache each time you close the browser. Their menu path is wrong, here is the correct one: “Tools -> Options -> Privacy -> Cache -> Settings”. There you can choose what you consider private data. At the bottom of the dialog, you can enable a check box to make Firefox clear this private data on exit.
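One way to check a site for the cache-based tracking the quoted article describes, as an added example that is not code from the article or from this blog: fetch the same script URL from two clean browser profiles and flag it when the response is cacheable for a long time and its body differs between the two. The capture object shape, the function names and the one-day threshold are assumptions made for this sketch, and the sample captures are constructed.

```javascript
// Added example: all captures below are constructed sample data.
// Header names are assumed to be lower-cased already.

// Seconds a browser cache may reuse the response without re-requesting it.
function cacheLifetime(headers) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  // no-store is never cached; no-cache forces revalidation on every use.
  if (/\bno-(store|cache)\b/.test(cc)) return 0;
  const m = cc.match(/\bmax-age=(\d+)/);
  if (m) return Number(m[1]);
  if (headers.expires && headers.date) {
    const secs = (Date.parse(headers.expires) - Date.parse(headers.date)) / 1000;
    return Number.isFinite(secs) && secs > 0 ? secs : 0;
  }
  return 0;
}

// Long tokens present in one body but not the other: candidate per-visitor IDs.
function differingTokens(bodyA, bodyB) {
  const tokens = (s) => new Set(s.match(/[A-Za-z0-9_-]{8,}/g) || []);
  const inB = tokens(bodyB);
  return [...tokens(bodyA)].filter((t) => !inB.has(t));
}

// Compare the same script URL as served to two clean profiles (hypothetical shape).
function auditCapture(capA, capB, minLifetime = 86400) {
  const lifetime = Math.min(cacheLifetime(capA.headers), cacheLifetime(capB.headers));
  const unique = differingTokens(capA.body, capB.body);
  return { lifetime, unique, suspicious: lifetime >= minLifetime && unique.length > 0 };
}

// Constructed captures: a dynamically generated script and an ordinary static library.
const profileA = {
  headers: { 'cache-control': 'public, max-age=315360000' },
  body: 'var visitor="9f2c4e7a1b3d5f60";report(visitor);',
};
const profileB = {
  headers: { 'cache-control': 'public, max-age=315360000' },
  body: 'var visitor="03ab77c9d2e4f518";report(visitor);',
};
const staticLib = {
  headers: { 'cache-control': 'public, max-age=31536000' },
  body: 'function formatDate(d){return d.toISOString();}',
};

console.log(auditCapture(profileA, profileB)); // flagged: long-lived and per-profile
console.log(auditCapture(staticLib, staticLib)); // not flagged: identical bodies
```

A long cache lifetime alone is normal for static assets; it is the combination with a body that changes per fresh profile that matches the article's description.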

The author also complains about passing on identity information from one site to another, even when their TOS (Terms of Service) forbids them to:

They say that in their TOS which you usually ignore. For example, I was contacted on August 4, 2006 by a script at Google about my Sourceforge.net project, which asked me if someone else should be allowed to create a project on Google’s project hosting service with the same name as the Sourceforge.net project. Let’s ignore the fact that this email was sent by a script and was unsolicited. How did they know my details?? They should have a database of all Sourceforge.net projects and the owner email addresses and other details. I was quite unhappy about it.

I am not sure if Sourceforge would sell project owner details to Google, a competitor for them. Google probably just used their crawling knowledge to harvest these details from the Sourceforge site.

Your pc can hear you!

According to this article, Google is planning to use your PC’s microphone to eavesdrop on you. By isolating background sounds and comparing them to fingerprints, they can calculate what you are listening to on the radio or what you are watching on TV. They will then use that information to give you targeted ads while you surf.

For me this is clearly a bridge too far. This kind of technology is absolutely unacceptable. Law enforcement agencies need a judge to approve this. Google however, probably can get away with it by having you click “Yes” on a EULA. If a user opts in for this, it should be in a very formal way, with paper trail and the likes.

It is just a matter of time before someone will use it to listen in on your conversations. A very scary thought.

If this trend continues and nobody stands up against it, I am going to switch back to this.

Online Reputation

I just learned about Opinity, an on-line personal reputation services company. From what I could learn, without joining, it seems like a site where you can aggregate your profiles and, more importantly, reputation you have created and cultivated on other sites. I am not entirely sure how it works. Anyone who knows more? I am very reluctant to join and give them personal information before I know more. Just like they want me to build up a reputation, I will wait until they have a reputation strong enough to convince me.

On the bright side, they have this big sign in the upper right corner indicating they support Infocards and OpenID!

I have been on the inactive side of the blogging spectrum lately. I do have two draft posts in the queue however, one about digital identities (again) and one about how garbage can ruin your day.