Paul Squires on Identity and Entangled Topics




Natural Disasters

Posted by Paul Squires @ 5:36 pm on 5 July, 2007. 0 Comments

Stepping away from my usual topics for a while…

I was watching the news this evening and there’s been more coverage of the Yorkshire floods, which after a week don’t seem to be receding and have left thousands homeless along with several dead. All in all, pretty serious stuff.

The point that occurred was about disaster relief funds - every so often we’re asked to put our hands in our pockets to help those less fortunate - earthquakes in Pakistan, tsunamis in Indonesia and (dare I say it?) hurricanes in the USA have all attracted pleas for our money. There’s been constant mention of the costs of repair, rehousing &c along with how many of these unfortunates don’t have insurance yet not a single mention of a relief fund has been made. I’ve found this one, but I wonder what the people of Hull think of that?

So much for charity beginning at home!


Facebook & Identity

Posted by Paul Squires @ 10:56 pm on 4 July, 2007. 0 Comments

Discovering Identity: Facebook and Identity: Will you Join?

I actually joined facebook a few weeks ago and haven’t really done anything much with it. I guess I’m getting old since I don’t get what all the fuss is about. However, people I know from work, friends and members of my family were already using it so I thought I’d give it a go.

I’ve joined the “Digital Identity” groups that Mark Dixon refers to here (along with some others). Apart from seeing how many people are on facebook and have an interest in “identity” I’m not sure what the benefit is! One thing that is obvious is the number of people in the “OpenID” group - that is popular :)

So, if you’re on Facebook and reading this, let me know!


Stupid or Inept?

Posted by Paul Squires @ 4:11 pm on . 0 Comments

Schneier on Security: Portrait of the Modern Terrorist as an Idiot

qwghlm.co.uk » Blog Archive » Be Careful

Schneier on Security: Terrorist Special Olympics in the UK

I was going to comment on the Schneier post “Portrait of the Modern Terrorist as an Idiot” anyway, but when reading Chris Applegate’s look at the most recent terrorism attempts here in the UK I thought I’d jump to it rather than put it off any longer. My initial thoughts on Schneier’s original piece were largely in agreement. One thing that irks me is that the label “terrorism” gets bandied around far too often; after all it helps with introducing draconian laws (what happened to the paedophile threat?) and selling newspapers!

Terrorism is, in reality, an extremely complex issue. One man’s terrorist is another’s freedom fighter and the line between them can be extremely fine and will depend largely on whether one agrees with the status quo or not, but we can see just how often the label is applied when, in my opinion at least, it’s really undeserved. Those who make idle threats to our freedoms are not terrorists (a good number of the so-called terrorists hadn’t even got as far as attempting to buy the required equipment) and a good many of the others are nothing but common criminals who should be treated as such.

The events of last week and over the weekend haven’t changed much. As Chris points out (initially - he followed it up with a more serious post) the best response to these people is a combination of pity and contempt, mixed with a good dose of “Ha Ha” (Nelson style). Schneier’s second post backs this up and returns us to the point - whilst we paint terrorists as idiots by misusing the term there are always those who’ll make the label stick by actually being idiots.

As usual, the response to these “attacks” has come in two different forms - the general populace of the UK, already struck with a real terror of floods leading to abandoned homes, overflowing reservoirs and loss of life, have responded with the classic “stiff upper lip” method whilst our Government has responded with some talk about checking professional immigrants more thoroughly - especially those working in the NHS. Horses and stable doors spring to mind.

This is exactly the sort of thing that has been derided in the past - the reactive method will not work as terrorists can be (unless they’re stupid) resourceful and will find ways to get around our defences. If we ramp up protection at airports then what’s to stop them from targeting hospitals, schools, railways or any other public facility? My favourite quote attributed to Gerry Adams seems particularly apt.

We only have to be lucky once, you have to be lucky all the time


Cardspace & Enterprise Identity Management

Posted by Paul Squires @ 6:41 pm on 2 July, 2007. 0 Comments

Enterprise Architecture: Thought Leadership: Thoughts on CardSpace and Java

I’ve not been very active recently due to a whole combination of things and I’m still working my way through a huge backlog of RSS posts. I was going to wait until I’d got closer to the present day before really commenting on anything, but that could take forever and, frankly, this post by James McGovern really caught my attention for a couple of reasons.

I work with both CA SiteMinder and Oracle Access Manager which James mentions (along with products from Ping Identity and others) which will be impacted by the use of CardSpace, plus when describing it to a colleague earlier the question of how it will affect web authentication mechanisms (including single sign-on and traditional federation) was raised.

CardSpace itself has the potential to be disruptive to a good proportion of what I’d term the “Enterprise Identity Management” space - those occupied by the large vendors (including CA, Oracle, HP & Sun) and could become a de facto standard for web authentication. Like any disruptive technology the important thing is to find a way to adjust and take advantage of changes in the market.

When looking at CardSpace there are three components to think about - the client (identity selector and browser plugin), and two servers - service provider (SP) and identity provider (IdP). Traditionally clients have been given away in order to sell the server components and this will obviously continue - the clients will be (and ARE) included in the OS and browser, which leaves the only way to make money from this to be with the servers.

As James comments - the plan is to make the service provider components easy to embed in any web application. Code obviously exists for .NET, there’s an Apache module and Java will be along soon - there’s still an opportunity for the enterprise providers (and those of us who sell and implement their products :) ). There’s obviously a lot of logic to be implemented about which provider’s cards will be accepted, which attributes are requested (and which are mandatory!) - wrapping this in a nice, easy to use UI and combining with centralised authentication and session management with policy enforcement will be one way that evolution can occur in web access control systems.
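One way the service-provider logic described above could look, as an added example rather than code from the post or from any product it names: a policy lists the accepted card issuers and the required and optional claims, and is checked against a token whose signature is assumed to have been verified already. `CardPolicy`, `Decision`, `evaluate` and the `idp.example.com` issuer are hypothetical; the claim and self-issued issuer URIs are the standard Information Card ones.

```python
from dataclasses import dataclass, field

# Standard Information Card URIs; every other name below is hypothetical.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SELF_ISSUED = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
EMAIL, PPID = CLAIMS + "emailaddress", CLAIMS + "privatepersonalidentifier"
GIVEN_NAME, DOB = CLAIMS + "givenname", CLAIMS + "dateofbirth"

@dataclass(frozen=True)
class CardPolicy:
    accepted_issuers: frozenset   # whose cards the site will take
    required_claims: frozenset    # mandatory attributes
    optional_claims: frozenset = frozenset()

@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)

def evaluate(policy, issuer, claims):
    """Check a token's issuer and claims against the policy.
    Assumes the token signature was already verified upstream."""
    reasons = []
    if issuer not in policy.accepted_issuers:  # empty set accepts nothing (fails closed)
        reasons.append("issuer not accepted: " + issuer)
    for claim in sorted(policy.required_claims):
        if not str(claims.get(claim, "")).strip():  # absent or blank counts as missing
            reasons.append("missing required claim: " + claim)
    if reasons:
        return Decision(False, reasons)
    wanted = policy.required_claims | policy.optional_claims
    # Pass on only the claims the policy asked for; unrequested ones are dropped.
    return Decision(True, [], {k: v for k, v in claims.items() if k in wanted})

# Constructed sample policy: one managed identity provider, self-issued cards refused.
POLICY = CardPolicy(
    accepted_issuers=frozenset({"https://idp.example.com/sts"}),
    required_claims=frozenset({EMAIL, PPID}),
    optional_claims=frozenset({GIVEN_NAME}),
)

if __name__ == "__main__":
    # Constructed token claims, including one attribute the policy never requested.
    token = {EMAIL: "alice@example.com", PPID: "constructed-ppid", DOB: "1980-01-01"}
    for issuer in ("https://idp.example.com/sts", SELF_ISSUED):
        print(issuer, evaluate(POLICY, issuer, token))
```
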

The biggest area where enterprise identity management systems will be able to take advantage of this change in paradigm, of course, will actually be in taking on the role of card issuer/identity provider - an area where there has (so far) been the least amount of sample code and deployment advice, but conversely there are greater complexities to deal with as adoption becomes more widespread. The role of identity provider will be key for adoption of the technology.

No matter what the technology there are aspects of producing a secure web application interface that, in many cases, are best handled by a specialised security product that can abstract and centralise them - authentication, directory connectivity and session management are difficult to handle and this is the reason why products such as SiteMinder, Oracle Access Manager and Ping Login exist (and the reason why consultants exist).

