If you're new here, you may want to subscribe to my RSS feed. Thanks for visiting!

Businesspundit: Pick Yer Bucket

I was at an event on Thursday, hosted by Oracle, where the primary topic was “Enterprise Architecture and its importance to business” - this post piqued my interest on a couple of counts following that. Firstly is the significance of EA to a business such as Walmart - which live and die by IT systems - foremost being customer databases and supply chain management. Without properly designed and aligned systems then such ventures will struggle.

The mention of Tesco is interesting as not only do they have an excellent track record in this area, but the main guest speaker at the event I mentioned was Mike Yorweth, their chief architect. BusinessPundit mentions their “Borg-like” track record and this is in no small part to the successful use of IT. A good point of comparison here is the previous supply chain management problem of Sainsbury’s, which required a huge, refocus of recruitment to solve short term stocking problems in stores caused by failing systems. This demonstrates how important

The main thrust of the article however is that of customer knowledge, allowing targeted marketing and better stock and price management. Having an awareness of who your customers are, what they buy, when plus their price sensitivity can be a huge advantage - hence the use of “loyalty” cards by the supermarkets (and increasingly other retailers). When combined with the intimate financial details available when a customer makes use of a store card or, more likely in the modern world, the raw financial services offered by these organisations (loans, credit cards, insurance are all offered by Tesco) the ability to profile individuals and the groups they belong to becomes an immensely powerful tool.

It’s been said that Tesco knows more about (holds more data about) the UK population that the Government itself and the requirement for properly designed and secured information systems is paramount - there’s a lot of concern about the Government’s plans for identity cards and associated databases (including from myself), but less concern about the data that is held about us by private enterprises. One element of this is that private enterprises generally tend to get IT development right (and suffer the consequences / learn the lessons if things go wrong) whereas the Government tends to make a mess of things, then repeats the mistakes in the next project. I’d like to think that it’s not just because the supermarkets give a money-off voucher back every month that we surrender so much privacy to them

I think the lesson for any organisations dealing in data (which is pretty much everyone now) is the importance of proper architecture and governance. It’s been said before that “IT doesn’t matter” and there’s an element of truth to this in that the technology itself is much less important than having well designed process and systems, properly aligned to business needs. That’s where the real competitive advantage is.

Kim Cameron seems to have stirred up a hornet’s nest in his recent discussions with (amongst others) Eve Maler, Jim Kobielus and now Dave Kearns. I’m, as usual, somewhat late to the party here, but had some opinions on this anyway

I actually think there are some valid points from both sides of the argument - Kim is saying primarily that agents should be identifiably different from the users they act on behalf of. Dave, apart from pointing out that it isn’t the case with current systems, is saying that it isn’t always desirable. I like to apply a little real world thinking to this problem and instead of discussions email clients and inboxes to think about the use of agents elsewhere - email does however serve to illustrate a related point.

The act of delegation I’d guess people are most familiar with is that of giving a power of attorney (or trust) and another good example can be seen in the way that corporations use employees as agents. In the case of a power of attorney this can be (and often is) limited in some way - perhaps to financial affairs (or maybe even just a stock portfolio), or perhaps in a temporal fashion (until I recover from my illness). Possibly in these scenarios the attorney and the granter of rights are indistinguishable so the question to be asked here are what happens when those boundaries are stepped over or the power is misused in some way - the result is a legal liability tangle.

A similar situation arises in the corporate world - an incorporated entity cannot act for itself and relies upon directors and employees to do its bidding! Here we need to know what rights individuals have to perform an action, the extent of their power (can the CEO sell you the headquarters of the business? Perhaps under certain circumstances he can!) which is why corporations usually have such complex rules determining such things (such as SOX for accounting purposes) - the idea is that the regulations support the rights of an entity that cannot adequately represent itself. Likewise, the doctrine of corporate manslaughter allows the agents to be held responsible for actions taken by them on behalf of a corporation. Elements such as these are the core of enterprise identity management systems - “who can do what”, “who did what” and “when”?

One place where the analogies collide head-on is when looking at delivery of documents - we all know how important it is to send documents to the right person (one who has the power to do as requested) and legal systems have developed methods to ensure that this happens - even when using agents (litigants don’t deal directly with each other, but use legal agents who can interpret the protocols and translate the information). If my e-mail client is my agent, but is indistinguishable from me - then how can one tell if a message ever got to me? It’s possible, with a smart email client to have a rule that automatically moves a message, sends a reply and marks it as read - the user could, theoretically, never have seen a message, which all evidence suggests he did! This is, I think, the crux of the Kim’s suggestion that agents be identified as such.

In my opinion, where this breaks down is that all software is, almost as a requirement, an agent for either a user or another system component - in the act of posting this message I use my keyboard to produce the right signals for each key press, for the OS to interpret that and pass to the browser which displays and then posts the message. WordPress stores and displays data which should if the intervening agents are trustworthy, be the same as what I now type… I can have visibility over some of this process, but there comes a point where I rely on some other agent - particularly to know that these words you see are the same that I originally typed.

In the email scenario what I’m actually looking for is an agent that will act on my behalf to collect my messages after being given permissions to do by me (I run the program and authenticate to it). The email server will then take the credentials of the software and the user to determine whether to provide the data and audit the transaction. What is really required to take this step is consistent machine identifiers along with user identity attributes, but this whole process begins to seem very like using Kerberos! Taking it to the next step could even involve something along the lines of a WS-Security header including a user token… All that’s required is that the two end points have a mutual confidence in the veracity of the token.

One of the problems with cryptographic systems in general is that it’s usually pretty obvious that a message is encrypted. This is reflected in laws such as RIPA requiring users to surrender their keys to law enforcement agencies when under suspicion. This has caused the sci-art of steganography to develop - after all, nobody will ask for a key if there’s no sign of a hidden message.

Until now, practical applications of this have been relatively obscure, with the only exception I could recall being that of hiding messages in mp3s. Now the classic example of how it could be used - in photos - has been made available by PicSecret and you too can encode messages into image files!

This is so simple to use and provides pretty good results (depending on the contents of the original image). Hopefully, this should illustrate -

I can add a secret message into the photo using the tools there and get a results like this -

Hopefully, this should demonstrate that with the right photo choice it’s possible to hide a message in any image. Maybe Flickr already stores a great number of encrypted messages!

You should be able to decode it - here!

Just a short while after upgrading Wordpress to 2.1.1 there’s an announcement that 2.1.2 is released, with a warning that everyone running the older version upgrade immediately due to a potential security exploit. Go on, do it. Now. Do not pass go. Do not collect £200.

There’s a comment to be made here about verification of the software that we use - I generally check the md5 sum of software that I download (where it’s provided), but that can only provide a certain level of protection, especially in scenarios like this. In theory, with an open source product, once it’s released then there can be many people in a position to check the code and ensure that all is well - I’d like to think that something like that has happened in this case! Closed source software is naturally very different… I wonder if we hold the vendors to a different level of responsibility because of that?

I’m using the Google RSS Reader as my primary method of keeping up with RSS feeds and have been for a while. It’s pretty good generally, but I’m looking to get more out of it. One of the things I want to do is take advantage of the “shared items” feature, rather than using the quick links section of my site (if you’re reading the site rather than the RSS feed, then it’s on the right hand side!).

This should, in theory, be simple since Google provide a nifty feed to it (here) so I’ve installed a plugin here (feedlist looks good) to do this. It seems to be almost working, but for some stupid reason the items are wrong - the link and the source are combined into a single entry which ends up looking like on this page.

I think there’s an easy solution to this - I’m looking to have two versions of the feed - a cut down version with a limited number of entries in the sidebar and a full(er) version on the page I’ve just linked to - but frankly it’s a Friday night and I’m struggling Anyone who’s done this, please let me know!

Berkun blog » Blog Archive » How to start meetings on time (the honest version)
Some good tips on running meetings - especially the one about ending five minutes earlier!

Links » Government Consultation on Information Assurance

Ben Lawrie makes an interesting point about how governmental organisations treat citizen’s identity - so often identifiers are required when in reality a proof of entitlement would be adequate and in some cases more suitable to the needs of both parties. This was a point raised at the Oracle Architect’s Club event I attended in November. In my previous post on that I mentioned the example of buying alcohol where only proof that the purchaser is at least eighteen years old is required by the vendor although with Ben bringing this up better examples spring to mind - especially in interaction with Government (or other authority).

Some specific examples were actually put forward at that event included the provision of services to homeless people - all that the person needs is an entitlement card, with some method of checking that they aren’t using more than one - other identifiers can be positively dangerous in this case. When the Government has been attempting to sell the idea of identity cards the phrase “entitlement” is often used - there’s fundamentally a huge difference between them and the amount of data leaked by the use of full identity card will cause problems. Again, all that’s required in most cases is a believable assertion that the subject is a member of a group or has certain attributes.