While Germany and Europe in general have some of the strictest rules
regarding the use and storage of personally identifiable information,
the last few months have seen rather extreme data security breaches.
Today, the German media are reporting on a new installment of
irresponsible negligence and government incompetence:
According to SPIEGEL ONLINE,
a spokesperson for the software company HSH admitted that the personal
information of more than 500,000 residents of at least 15 cities and
towns was readily available on the internet for at least 3 months [1].
According to an investigative news program (Report aus München),
the problem actually affected more than 200 municipalities for more
than 3 years. The alleged cause of this blunder was rather simple: the
software used by the cities to manage these huge data collections had
at least one default/demo account that was never disabled by the IT staff
of the authorities. The credentials for this account had been inadvertently
published by the software maker on its web site and were thus available to everyone.
While
problems like this can happen, it seems odd that this massive security
breach has not caused a major uproar among the various highly paid
privacy guardians. In fact, there is virtually no report on this
incident in any language but German. One might get the impression that
a rather large number of people have a strong desire to keep
this incident on the q.t. and avoid further investigations and public
disclosure.
After the horrible experiences with two dictatorships and their
respective secret police, Germany has (or had?) a tradition of
resistance against data collection and privacy invasion.
The proposed general census of 1983 was stopped by the German Federal
Constitutional Court in a decision that laid the foundation of what has
since been termed "Informationelles Selbstbestimmungsrecht" (the right to
informational self-determination).
So far, Germany has not
seen a large number of identity theft cases: until last year, there was
no unique ID in use, and most electronic transactions are currently
handled through a European debit card system that is less exposed to a
number of frauds. Also, while the various branches of government have
been busy collecting large amounts of data on German citizens and
residents, there have been only a few federal databases. When talking
to people on the street, I found a growing indifference to the German
government's extended data collection and linking programs. The general
attitude seems to be that "we do not have anything to hide", and if a
little (or even more than just a little) loss of privacy leads to a few
high-profile tax evasion prosecutions, everyone is happy.
[1] Germany has a national ID law that requires citizens to register with
city hall and disclose personally identifiable information such as
names, current and former addresses, religious affiliation, birth date
and place, children, current and former spouses, tax information,
serial numbers of the national ID card and passport, and more. Since
July of last year, this data also includes a tax ID, the German
equivalent of a social security number.
Starting today, I will try to review some of the more interesting gadgets that I have been playing with. The first installment will be on the Windows Mobile phone that I won last week at TechEd. After attending a Mobile Security session, I won this phone for knowing the original code name for the first Windows Smartphone (that was "Stinger"). The phone is a SAMSUNG Blackjack II with AT&T branding.
The list of features is good:
Windows Mobile 6.0
Tri-Band UMTS (3G) and Quad-Band GSM
128 MB RAM and a microSD slot (up to 4 GB)
GPS
Thin (0.4") and light-weight
2.0 MPixel camera
In general, the device is easy to handle. It has a jog wheel that feels a little flimsy, but it works OK (so far). The keys are a little small for my clumsy fingers, but that way the phone does not get too big, so it is a good compromise. While the above feature list is good, there are a few things that are sorely missing:
No WiFi - this is probably the biggest shortcoming of this device.
Proprietary connector - no standard USB, no standard headphone jack, no antenna extension - just proprietary connectors. This was acceptable in 2000, but I am no longer willing to tolerate it in 2008.
UMTS/3G internet service is quite good, at least in most places north of Boston. As a result, most web sites suited for mobile browsers display quickly and efficiently in IE Mobile.
The advertised add-on software (mobile TV, Navigator, etc.) is rather disappointing: some of it works all right, but pretty much all of the applications are only short-term trials. This is highly annoying, especially since there is no easy way to remove the various links to these apps from the Start menu.
Overall, I am quite happy with this new toy (especially at the price), although I would probably not have extended my contract for two years and paid USD 99 for it.
Just back from Orlando, here are some takeaways from this year's TechEd 2008 for IT-pros:
Interoperability with SOAP based web services is progressing: I was part of a panel on interoperability, moderated by Chris Haddad. It was a fairly diverse panel, with speakers from Microsoft, WSO2, Tibco, and Sun. While there was general agreement on the usefulness of the more basic WS-* specifications like WS-Security, opinions differed on where the future lies and how it can be achieved. In my opinion, the relatively high fidelity of interoperability within the WS-SX family of specifications is a direct result of the proper standardization process at OASIS that these specs were subjected to, comparable to that of ebXML or SAML 2.0. Thus, it is my expectation that the WS-RX and WS-TX protocol families will eventually yield similarly good interoperability.
For the "Demo that almost made it (TM)", we made some serious progress: After talking to Greg Leake of Microsoft and Jonathan Marsh of WSO2, I am quite optimistic that we can easily inject a Metro-based STS and/or OpenSSO with WS-Trust and CardSpace support into the StockTrader sample application to allow authentication through a SAML token. At the same time, I think that this demo application in particular lends itself quite nicely to showcasing the strength of the Liberty framework for web services: you have a web application that needs to interact with the Business Services and the Order Processing Service. Identity has to be preserved across these different tiers, yet privacy protection would be highly desirable.
It was very interesting to see that Microsoft is continuing on the path of interoperability in the systems management area. Three years after we demonstrated MOM 2005 managing and monitoring a Sun v40z running Solaris, Microsoft's System Center beta features an open source Solaris management adapter. An interesting question is where this code will be hosted ...
Thunderbird, Lightning, and the Ubuntu 8.04 (Hardy Heron) Update
A small note: if you are using Lightning for Thunderbird and you install or upgrade to Ubuntu 8.04 (Hardy), you might run into an issue of your calendars disappearing (probably only when using the build from the Lightning website):
Error: [Exception... "Invalid ClassID or ContractID" nsresult: "0x80570017 (NS_ERROR_XPC_BAD_CID)" ...
This is related to the fact that Hardy upgraded the C++ runtime to libstdc++6, while that Lightning build is linked against the older library. In order to fix this, you might want to try installing the 5.x version of libstdc++ (libstdc++5) alongside it.
Another goodie: starting with Lightning 0.8, WCAP support for the Java Calendar Server is now part of the main trunk.
I attended a meeting of the Hartford, CT, chapter of OWASP yesterday - James McGovern was kind enough to invite me. OWASP is a group focusing on web application security, with a heavy emphasis on "application" (in contrast to "infrastructure"). Most of the attendees were either working directly in the financial industry or closely with it - at the end of the day, it was Hartford.
To me it was a very interesting event - especially since I have mostly been thinking about platform and infrastructure security and not so much about the applications. Some of the emerging standards (like PCI DSS) were rather new to me, but seem interesting enough for me to take a look at.
Some more interesting tools and tidbits:
WebGoat is a "deliberately insecure JEE application", designed to teach developers how to *not* code a web application. This should be fun to take a look at.
When I started working on this last spring, I was not even hoping to see this released as open source and part of the OpenSSO extensions family in less than a year. It took the goodwill and talent of quite a few people to get this off the ground, but with the public release of this code and the upcoming OSIS interop during the RSA Conference, OpenSSO is now "speaking ISIP" ...
Pat, Ben, and Kim have been talking about the use of password tokens for use with Windows CardSpace. Pat's detailed description of how this could work is quite useful, and can be extended in some interesting ways:
1. Create a single-use password deployment
If we change the default WS-Security username/password token so that it carries not only the username and the password needed to log in, but also a second, freshly IdP-generated password that replaces the old one at the RP, we get a single-use password: the password presented in the token is dead as soon as the RP has accepted it. This might be quite useful for improving the security of the system.
For the rest of this article, I will call such a token "Extended Username/Password token" (EUPT).
2. Creating an account at the RP
One of the things Kim objects to is that, for bootstrapping into a CardSpace password manager setup, the user would be required to enter the initial password into a web form. I agree that this *is* bad, but an extended username/password token could help here, too: When the user does not yet have an account at the RP, he will need to log in at a special URL. That URL accepts cards that support EUPTs. When the user creates the account, the RP will accept an EUPT with *any* values. These initial values (username AND password) are randomly generated at the IdP. Upon receipt of the EUPT, the RP stores the username and the initial password and associates them with the newly created account.
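The two ideas above (single-use passwords via a token that carries the next password, and account bootstrapping with IdP-generated random values) can be modelled end to end. The following is an added toy model, not OpenSSO, CardSpace or WS-Trust code and not anything from Pat's, Ben's or Kim's posts; the class and method names (EUPT, IdentityProvider, RelyingParty, enroll, issue, create_account, login) are invented for this illustration. It shows the IdP issuing the extended token, the RP verifying the current password against a salted hash and rotating to the new one, a replayed token being refused, and the enrollment endpoint that accepts whatever random values the IdP generated.

```python
"""
Toy model of the "Extended Username/Password token" (EUPT) discussed above:
the WS-Security UsernameToken (username + password) is extended with a freshly
generated *next* password. The relying party (RP) checks the current password,
then replaces it with the next one, so every password is valid exactly once.
The same token type bootstraps a new account: the RP's enrollment endpoint
accepts any username/password pair and records it.

Added illustration only; names are invented for this example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class EUPT:
    username: str
    password: str       # password valid for this one login
    next_password: str  # password the RP must accept from now on


class IdentityProvider:
    """Holds, per relying party, the password the RP currently expects."""

    def __init__(self):
        self._creds = {}  # (rp_id, username) -> password the RP should hold

    def enroll(self, rp_id):
        """Bootstrap: random username and password, never typed by the user."""
        username = secrets.token_urlsafe(12)
        password = secrets.token_urlsafe(24)
        self._creds[(rp_id, username)] = password
        return self.issue(rp_id, username)

    def issue(self, rp_id, username):
        current = self._creds[(rp_id, username)]
        nxt = secrets.token_urlsafe(24)
        # Optimistic: assume the token reaches the RP and is accepted.
        self._creds[(rp_id, username)] = nxt
        return EUPT(username, current, nxt)


class RelyingParty:
    """Stores only a salted PBKDF2 hash of the currently valid password."""

    ITERATIONS = 50_000  # kept modest so the demo runs quickly

    def __init__(self):
        self._accounts = {}  # username -> (salt, digest)

    @classmethod
    def _digest(cls, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def _store(self, username, password):
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, self._digest(salt, password))

    def create_account(self, token):
        """Enrollment endpoint: accept whatever values the IdP generated."""
        if token.username in self._accounts:
            return False
        # Record the account and apply the usual rotation at once, so the
        # first real login must already present token.next_password.
        self._store(token.username, token.next_password)
        return True

    def login(self, token):
        entry = self._accounts.get(token.username)
        if entry is None:
            return False
        salt, digest = entry
        if not hmac.compare_digest(digest, self._digest(salt, token.password)):
            return False
        # Success: the password just used is dead; only next_password works now.
        self._store(token.username, token.next_password)
        return True


def demo():
    """Returns (account created, login ok, replay refused?, next login ok)."""
    idp, rp = IdentityProvider(), RelyingParty()
    first = idp.enroll("rp.example")          # bootstrap without a web form
    created = rp.create_account(first)
    second = idp.issue("rp.example", first.username)
    ok = rp.login(second)                     # normal single-use login
    replay = rp.login(second)                 # same token again: refused
    third = idp.issue("rp.example", first.username)
    ok_again = rp.login(third)
    return created, ok, replay, ok_again


if __name__ == "__main__":
    print(demo())
```

One caveat the toy model makes visible: the IdP commits to the next password the moment it issues the token. If that token never reaches the RP (lost request, RP error), the two sides are out of step and the user is locked out. A real deployment would keep the previous password until the RP acknowledges the rotation, or let the RP accept either of the two most recent passwords for one step.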
--
Time permitting, I will work with Pat to get this done, at least on the IdP side.
There are quite a few indications that the hopes for an industry backed, ad-supported music exchange were - at the least - too early. Maybe it's a scam, maybe it is just a test-balloon, but in a world of iTunes hating music companies, this scheme did make some sense...
For years I have been playing around with all kinds of computer-based TV and multimedia solutions and toys: Windows MCE in its various editions from 2004 to Vista, early versions of MythTV, and proprietary stuff. Until now none of these were really at a point where they were actually useful for a family room:
While Windows did have a reasonable UI from the start, the fact that it recorded to a highly proprietary format with nasty DRM implications was a deal-killer right from the start. Some of the tuner cards (like ATI) attempted to mitigate this by bundling plugins for MPEG-2 conversion, but these were implemented rather clumsily and failed frequently.
MythTV was - until recently - also more of a geek toy: nice for my lab or office, but nothing I could really throw at my family. Now, with the 0.20 release found in Gutsy's Mythbuntu, MythTV takes a rather large leap towards usability.
The UI is basically usable and driver support (especially for the tuner cards) is becoming acceptable. I am using a WinTV HVR-950 USB stick now with my digital over-the-air setup and there is not a lot more I could ask for in terms of device support.
The proprietary NVidia drivers are good enough and support the motion compensation extensions (XvMC) that are needed to offload that part of MPEG-2 decoding to the GPU.
For audio, I require at the very least S/PDIF support (mostly for lossy Dolby Digital, but there is no other format like e.g. MLP being used for digital TV at this time), which has been quite painful, but ultimately doable.
There seems to be decent remote support, but I am right now still fighting with my old ATI Remote Wonder (I think that I will cave in here at some point in time though).
By far the most important factor for family room usability, for me, is RTC wakeup: I could not bear having a computer with its nasty fans running all the time. Enter ACPI-controlled RTC wakeup: using a couple of scripts[1], I was able to make the MythTV box boot up in time for any show that I wanted to record. Very cool.
One thing that I was fighting with in the end was a problem with the way MythTV could be shut down automatically after an unattended recording session. For this, MythTV provides mythwelcome(1), a helper program that starts the MythTV frontend[2]. The trick that made it work for me was to instruct[3] mythwelcome(1) not to start mythfrontend(1) automatically: this overcomes a problem with session management in Ubuntu and mythwelcome, and allows the box to shut down automatically after it has completed recording.
Bottom line is that I am quite happy with my MythTV box for now.
[1] There are quite a few tutorials on ACPI wakeup out there, many using nvram-wakeup. Discard all these, and only use those centered on /proc/acpi/alarm instead (if you can).
[2] Mythbuntu Gutsy is actually quite smart about using mythwelcome(1): You only need to go into /etc/mythtv/session-settings and enable the welcome shell. No need to change the mythstartup.sh script.
[3] Press the 'i' key while in mythwelcome(1) to configure this.
This is so brain-dead, it is actually quite funny: In a move to make sure that he will be seen - once again - as a brave contrarian, John Dvorak thinks that Oracle paid Sun to kill MySQL. After reading this article, I had to verify that this was not The Onion, but actually MarketWatch.
His argument is fairly simple: Sun has a bad track record of M&A, so Larry Ellison forces his old buddy Scott ... ahmm, no wait, it's Jonathan now ... to buy MySQL and ruin it. To prove his point, Dvorak links to a list of recent Sun acquisitions that - allegedly - went bad.
Let's take a look at that list of "failures" again:
SavaJe - JavaFX Mobile
SeeBeyond - JavaCAPS
Tarantella - Secure Desktop
Waveset - Identity Manager
StarDivision - OpenOffice (my addition to the list)
Last time I checked, pretty much all of the above technologies were thriving, some of them actually driving at the leading edge of their respective markets and/or standards regimes. Have there been failures or less successful acquisitions? You bet - that happens practically everywhere. There were also some acquisitions that were mildly successful, and others that came to pay off in rather unexpected ways or much later (Cobalt and the Sun x86 story come to mind).
The MySQL acquisition was and still is nothing short of brilliant. Sun has a major league RDBMS now that is being used by virtually everyone in the (your favorite technology moniker here) 2.0 market. And while most of these organizations and individuals are happy with an unsupported open source model, there are still a lot of big companies that use MySQL who are in need of support and other services. This business model fits perfectly into the entire Sun software portfolio and long-term strategy.
It is probably a sign of the time that tech pundits and columnists are now far behind of what is happening in the industry - especially when it comes to business models. On the other hand, Dvorak has been a commentator with a particularly bad track record of making predictions: think about his dismissal of the Macintosh mouse in 1984, his prediction of the iBook failure, his expectation that the iPhone will be a miserable failure, or even his prediction on Microsoft closing down, since the software market is supposedly dead.
The thing that is really sad is that there are even today people who read the name and the headline and assume that he has got a point. He doesn't.
Dare wrote an interesting piece on why RESTful services are much better off without an interface definition language. He is especially picking up on Steve Vinoski's IDLs vs. Human Documentation post, which emphasizes human-readable documentation over IDLs.
I am sure that Marc has a somewhat different opinion on this ...
This makes total sense - and finally Sun gets a real database. I can think of at least 10 different major software products from Sun that would benefit enormously from switching from their respective current database platforms to a single data store. I am really looking forward to having a single API and place to store structured data in Solaris and Java. Cool.
It reminds me also of the phrase someone coined: "LAMP is for boys, MARS[1] is for men."
A nasty experience that I would like everybody to avoid if you can: A few months ago, my bank (NetBank) was acquired by a bank that was - at the time - unknown to me, called ING Direct. Having gone through this cycle a couple of times, I did not think a lot of it and trusted that this acquisition process would go as smoothly as the many I had experienced before. Boy, was I wrong.
During the acquisition process, we had our grand family vacation, and shortly after I had a couple of trips to California scheduled. During the vacation, my father-in-law passed away, and we had to arrange for travel and some fund transfers to Germany. The travel was quickly arranged, only the - otherwise perfectly simple - international wire transfer was suddenly impossible with this new bank. Over the course of a few weeks (during which I was not able to sit down at home and sort things out), the quality of service degraded steadily from good (prior to the acquisition), through horrible (prior to the complete conversion) to street robber courtesy (after the conversion to ING Direct).
Here is an example: with NetBank, I had a checking account and a money market account. Simple, nothing fancy. After the ING conversion, I ended up with two savings accounts, no ATM cards, and no checks. Transferring money from either of my "Orange" accounts to an external checking account was - essentially - impossible. Now, ING offers account linking of their savings accounts to an external checking account. I tried that, and it turned out that they had an incorrect social security number registered for both accounts. Ouch! After this was resolved (another 5 ING banking business days, i.e. 12 calendar days pass), they presented me with an online quiz about prior credits (the one you have to fill out to get your credit report online). Fine, unfortunately the credits/data presented had nothing to do with me, so they blocked the option to link accounts online.
And so on, and so on. Bottom line is that ING Direct and the representatives I talked to never even pretended to appreciate my business. In that category, they get big kudos for being honest. Everything else, including the online login, which could easily be inadvertently misused to get information about other customers, was an outright disaster.
So here is my verdict: even though they offer pretty decent interest, you will pay for this by having to deal with a customer service department that is only rivaled by United Healthcare for customer non-appreciation. Stay away.
I recently ran across this most excellent site on the acoustical crimes of the 'content mafia community': http://www.turnmeup.org/
You will find there a lot of information on why louder is not better (contrary to popular belief) and what has already been sacrificed in the arms race to produce ever louder music. My favorite from there is this video:
Eve was kind enough to link to my earlier article on our CardSpace Deep Dive. In that post she mentions our whiteboard notes, which I did take a picture of, after all:
Cards based on X.509 authentication are almost working ... there is still a small issue with identifying the right certs based on the thumbprint. Overall, a fairly good result, I'd say ;-)