Nick Taylor
identity, security, the environment, and other assorted rants
CV- Twitter
- Music
- Travel
- Visits
- Blog
- Links
- Contact
-
Info
- Senior Manager at DeloitteInformation Technology and Services | London, United Kingdom, GBSummaryExperienced technical architect, delivering successful implementations in finance and telecoms organisations.
Proven delivery capability in:
- Identity Lifecycle Management
- Federated Access Management
- SIEM & auditing / reporting
- Enterprise architecture
- Disaster recovery / high availabilitySpecialties: - CISSP certified - Identity Lifecycle Management (Process design & tool implementation) - Federated web access management - Server & application architecture - ITIL Service Management (ITSM) - Project management incl PRINCE2 - Team leading - Vendor relationship management - Procurement processes (RFI/RFP/ITT)Experience- May 2010 - PresentSenior Manager / Deloitte
- May 2009 - May 2010Principal Consultant / Infinitum Consulting
- May 2007 - May 2009Technical Architect - Capital Markets Single Sign-On / BNP Paribas
- Jun 2006 - May 2007Technical Project Manager - Capital Markets Transversal / BNP Paribas
- Sept 2001 - May 2006Senior Support Analyst / UBS
Education-
1998 - 2001University of Warwick
Additional Information-
Websites:
-
Tweets
- @thegareth For people of our age, you only need to worry when the get to Enya.
- @thegareth I'm fairly sure Labour were 'inheriting' things for most of their time in power
- Mmm tasty... Pork, the surprise remedy for a nosebleed | The Guardian http://t.co/15jTPpcd
- @thegareth Exactly.Slightly odd - offal stuffed in a chicken breast.
- 'Chicken Haggis', neeps and tatties on a virgin train. Surprisingly tasty.
- Hello Manchester. Grey, wet and cold. Just the day for debating service acceptance criteria. :)
- @Rich_Sawyer @Michelle_Bannon Excellent :)
- @Rich_Sawyer next time you're visiting the market you should drop in and say hello :)
- @thegareth hah, I'd forgotten that. Breach is about being able to read private messages and photos though.
- Funny and serious in equal measure: Grindr Hack Leaves Hundreds of Thousands Exposed http://t.co/gWxjERvg
- Visiting new client today. Near Oxford Street rather than Macclesfield. A definite improvement.
- @stephenbonner Probably a wise move!
- @chrisburt2 Are you in another timezone, or did that just take 12 hours to post?
- @stephenbonner Hope you've got the Roo costume on...
- OH: "Oh god, how do you recall an email?"
-
Recent Tracks
- Body And Soul by Tony Bennett
- Best Friends, Right? by Amy Winehouse
- Wake Up Alone - Original Recording by Amy Winehouse
- Half Time by Amy Winehouse
- The Girl From Ipanema by Amy Winehouse
- Valerie - '68 Version by Amy Winehouse
- Like Smoke (feat. Nas) by Amy Winehouse
- Will You Still Love Me Tomorrow? - 2011 by Amy Winehouse
- Tears Dry - Original Version by Amy Winehouse
- Between The Cheats by Amy Winehouse
PlaceboSkinBBC 6 MusicAmy WinehouseBBC Radio 4Michael JacksonMansunDeath In VegasDirty SouthTyken feat. AwaJazz InstrumentalsJavi Reina, Alex Guerrero Feat. SyntheticsaxMonocle 2499 AllstarsPrydaThe EconomistJc ChristopherBer All StarsPaul van DykNalin & KaneMKSeamus HajiBBC Radio WalesFunk-KVicente Belenguer, T. TommyRuff Loaderz & Cut Up BoysMichael Gray, Danism & RaeMaroon 5 feat. Christina AguileraSolexRadioheadDean MartinJohn LennonAudioslaveThe Chemical BrothersMariah CareyWham!Chris ReaCliff RichardBrenda LeeAled JonesYomandaSamantha MumbaDJ TatanaCassiusTony BennettAdamFreestylersTomcraftPendulumNightcrawlers- 4 plays
- 4 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- Faithfulness by Skin3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 3 plays
- 2 plays
- Dirty Cash by Funk-K2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- 2 plays
- Disgusting by Mansun1 plays
- 1 plays
-
Map
- Manchester, United Kingdom, January 2012Jan 24, 12 - Jan 25, 12
- Manchester, United Kingdom, January 2012Jan 17, 12 - Jan 19, 12
- CranageJan 10, 12 - Jan 12, 12
- Manchester, United Kingdom, January 2012Jan 03, 12 - Jan 05, 12
- Manchester, United Kingdom, December 2011Dec 13, 11 - Dec 15, 11
- Manchester, United Kingdom, December 2011Dec 05, 11 - Dec 09, 11
- Macclesfield 28/11 - 29/11Nov 28, 11 - Nov 29, 11
- Manchester, United Kingdom, November 2011Nov 21, 11 - Nov 23, 11
- Macclesfield 14/11 - 17/11Nov 14, 11 - Nov 17, 11
- Macclesfield 7/11 - 10/11Nov 07, 11 - Nov 10, 11
- Macclesfield 31/10 - 2/11Oct 31, 11 - Nov 02, 11
- Macclesfield 24/10 - 27/10Oct 24, 11 - Oct 27, 11
- Macclesfield 18/10 - 21/10Oct 18, 11 - Oct 21, 11
- Macclesfield 10/10 - 13/10Oct 10, 11 - Oct 13, 11
- Macclesfield 3/10 - 6/10Oct 03, 11 - Oct 06, 11
- Macclesfield 26-27 SeptSep 26, 11 - Sep 27, 11
- Macclesfield 19-23 SeptSep 19, 11 - Sep 23, 11
- Macclesfield 12/9 - 16/9Sep 12, 11 - Sep 16, 11
- Moscow, Russia, August 2011Aug 31, 11 - Sep 01, 11
- New York, NY, August 2011Aug 22, 11 - Aug 26, 11
- Bradford, United Kingdom, August 2011Aug 17, 11 - Aug 17, 11
- Kristiansand, Norway, July 2011Jul 08, 11 - Jul 10, 11
- Beijing, China, March 2011Mar 26, 11 - Apr 10, 11
- Vilnius, Lithuania, February 2011Feb 01, 11 - Feb 04, 11
- Prague, Czech Republic, September 2010Sep 10, 10 - Sep 12, 10
- Las Vegas, NV, March 2010Mar 30, 10 - Apr 17, 10
- Your trip, October 2009Oct 13, 09 - Oct 14, 09
- London, United Kingdom, October 2009Oct 05, 09 - Oct 06, 09
- Gaithersburg, MD, September 2009Sep 28, 09 - Oct 01, 09
- MaastrichtSep 23, 09 - Sep 25, 09
- ParisSep 18, 09 - Sep 23, 09
- Maastricht, Netherlands, September 2009Sep 14, 09 - Sep 16, 09
- Amsterdam, Netherlands, September 2009Sep 13, 09 - Sep 13, 09
- Newbury, United Kingdom, September 2009Sep 03, 09 - Sep 04, 09
- Newbury, United Kingdom, August 2009Aug 18, 09 - Aug 19, 09
- Newbury, United Kingdom, July 2009Jul 23, 09 - Jul 24, 09
- Maastricht, Netherlands, July 2009Jul 07, 09 - Jul 08, 09
- Milan, Italy, June 2009Jun 15, 09 - Jun 19, 09
- Athens, Greece, June 2009Jun 08, 09 - Jun 12, 09
- Paris, France, June 2009Jun 02, 09 - Jun 05, 09
-
Checkins
- Soho Gyms Clapham Common95-97 Clapham High St
- Home Office2 Marsham Street
- Tapped and Packed26 Rathbone Pl.
- Nude Espresso19 Soho Square
- Davy'sFisherman’s Walk
- Deloitte2 New Street Square
- Malmaison Hotel1-3 Picadilly
- Malmaison Hotel1-3 Picadilly
- Soho Gyms Clapham Common95-97 Clapham High St
- Tapped and Packed26 Rathbone Pl.
- The Black Lab Coffee House18 Clapham Common Southside
- Natural History MuseumCromwell Rd.
- Marwood Coffee Shop52 Ship Street
-
Posts
- Feb 21, 10
Recently I’ve been working with a client to build a federated SSO system. One of the requirements was for internal employees to have seamless access using Windows’ Kerberos. This isn’t anything novel, and is something I’ve worked on for a number of organisations – though not for a while. However we came unstuck, with multiple OpenSSO servers behind a load balancer and SSL termination there rather than the servers themselves. It seems that Microsoft have done something entirely reasonable and enhanced the security of their Kerberos implementation, enabling ‘channel binding‘, wherein the requests are bound both to the Service Principal Name of the server requested by the client, and also to the SSL transport.
This breaks when a request arrives through a load balancer, since the underlying hostname doesn’t match that of the client browser request (the load balancer DNS name), and thus the AD domain controller rejects the token. Microsoft made the change enabling this ability in August 2009, in Security Advisory 973811 and then progressively enabled this for clients and servers of theirs, including Internet Explorer.
When channel binding isn’t requested by a server (in this case the OpenSSO servers), in theory it can be ignored, but currently available versions of Java don’t ignore it, instead passing it on to the AD domain controller, the result of which is a GSS Exception in the OpenSSO logs when using Internet Explorer on the client workstation. Firefox isn’t affected as it doesn’t request channel binding.
There are various workarounds which might be applicable to your situation:
- Ensure all Windows users use Firefox
- Make a registry change on all Windows clients to disable the Extended Protection
- Upgrade to a new build of Java (it’s Java bug 6851973)
If you’re looking to upgrade Java, this fix is available in release candidates of Java 7. It may be available in Java 6u19, but not in the currently release Java 6u18 or prior, unless you’re paying for Java for Business – the fix is in 6u17-rev-b06.
Hopefully this post might prove useful to someone – it took us some time to find the cause of the problem, and the resolution.
- Jan 10, 10
Being at home over Christmas, followed by a week of cold weather has meant a rather poor start to my aim to achieve 10:10.
- Jan 06, 10
For a while I’ve been thinking about how personal identity data (often called Personally Identifiable Information, or PII) is managed – both as a consumer, and from the perspective of service providers. I’ve been following along with the work being done by (amongst others) Microsoft, Google and the Kantara Initiative UMA WG, and it seems inevitable that over the next year or so the landscape will have the scope to evolve dramatically; I say ‘have the scope’ because I wonder what this will actually mean from a consumer’s point of view.
The internet landscape of the ‘average Bob’ consumer user has changed significantly over the past year or two, resulting in not only an explosion of logins and of PII scattered everywhere, but of services that allow (or require) this data to be shared from site to site. Bob might well have logins to various sites for online account management (banks, utilities, etc), each of which will hold local copies of his PII (address, DOB, etc), but he also now has a Facebook profile, a Flickr account, and perhaps shares his travel through Dopplr and his location through Google Latitude, and allows his friends to see his data in some or all of these services.
What I want
Because I’m conscious of my PII spreading out over the internet, and of the hassles of managing it all in a secure manner, I’d like a service along the lines of that described by Mark Dixon here to manage it all; though as I commented on his post, I’d like something a bit more outward-facing. My ideal identity service would contain:
- Credential Vault: Consolidate credentials into one identity (‘me’), which lets me authenticate to services as appropriate. This should be a standard federated identity (an OpenID, InfoCard or whatever) where it can be, but it should also act as a LastPass-style credential vault where the service provider doesn’t support new-fangled federation. This credential store should be cloud-based, but locally cached, and optionally integrated with my OS (for strong auth via smart card, biometric, etc). The credential actually exposed to the end service will vary (I might want to be totally anonymous, or at least pseudonymous – not traceable from one service to the next), so they don’t necessarily need my strongly authenticated, full-on identity, and this is separate to my level of authentication to the broker (which is by necessity always equal, or stronger).
- Attribute Store / Persona Editor, with Assurance: Collect all my PII, and provide an easy way for me to group this into personae (my personalities, if you will) and present this to SPs. Services should be able to specify that they need a level of assurance, and that the various attributes I provide are true – and my identity store should be able to keep this and present it when needed. As an example, I might just present a name (it might not be real) to a web forum, but my real address, verified by an independent body, when applying for a new credit card.
- Auditing and Updating Service: Beyond providing PII to sites, I want to be able to look back and find out who I gave it to. Today, I have no idea how many sites have my addresses (email or physical) – probably thousands over time. I’d like to see a log of this; moreover I’d like to be able to revoke that data from the providers, or force them to update their cache of it from my store when it changes. Furthermore, I want to know where else my data has gone – a list of which of my Facebook friends has synced my contact details to their mobile, perhaps. Ideally I should be able to set terms on registration of what each service can do with my data – this is more of a contractual, rather than technical, assertion.
- Sharing and translation: For site-to-site sharing of my data (Dopplr updating my Facebook, for example), OAuth describes how permission can be granted at a service-to-service level, but my Identity Store should be a broker in the middle so I can make decisions in one place. By sitting in the middle, this broker could offer additional services, translating data into a shareable format where a point-to-point service doesn’t already work.
I’d probably be prepared to pay for this, or see it as a value-add service from someone I already have a relationship with, as long as I trusted them with all this data.
What Bob wants
Bob, our ‘average internet user’, doesn’t really understand security. He’s the guy whose PC you have to fix when you go to visit, who has 15 browser toolbars from assorted malware running, and who loves to throw sheep at you on Facebook. He isn’t curious about why all those quizzes exist, and on a quiet Friday night wonders if that Viagra email might actually be a good deal.
He’s got online banking, GMail, Facebook and MSN Messenger. They all use his name (or a variant of) for the login name, and every password is the same, but it’s 8 characters and has a number in it – because his work IT policy says so, and that password is the same too.
Bob doesn’t think about where his PII is going, nor about who has it – at least until he moves house and has to tell dozens of companies – and gets a bailiffs letter because he missed one off the list and bills get sent to his old house. He’d likely be pretty confused with the concept of the identity service I’ve described.
What the services want
Service Providers (like my bank, Facebook, or even government) want me and Bob to use their services. They want to capture enough PII from me to provide that service without scaring me off (because the service is insecure, or they’re taking too much PII) or scaring Bob off (because signup is hard and confusing), in the cheapest way possible. They want users to be ‘sticky’ to their services, locking me in as much as they can so I don’t leave for a competitor. And if they’re less than scrupulous, they can sell all my juicy PII to ad companies.
The attributes actually needed by the service provider, and how sure they need to be that the attribute is trusted, varies according to the service. Twitter doesn’t care that I’m me – unless I’m a celebrity – but the government wants to be pretty sure I’m who I say I am when issuing me a passport.
There aren’t too many standalone Identity Providers, and no ‘Identity Store’ brokers in the way I describe that I’m aware of. The best we have today are things like OpenID and OAuth. These allow me to use the credentials from one service provider to access others, or to set up point-to-point data sharing, but these are far from perfect… Google is of course keen for me to use my Google login to access services like Plaxo or Facebook – but they wouldn’t let me use a credential from these sites to get into all my Google services. This is done to assert the Google brand, and to keep me using their services.
Will we meet in the middle?
The various great technical minds in the identity world will no doubt come up with excellent solutions to a lot of this, but I don’t think the technology is the real challenge; instead, it’s the fact that the bulk of internet users are like Bob.
Service providers are generally not independent enough to build a complete service like this, and for it to be truly trusted, and there isn’t a business case for a standalone identity provider because most people are like Bob, and wouldn’t pay for an identity service.
It’s not all doom and gloom, however. The fact I can use my Facebook, Twitter, Google or Windows Live login to log into multiple sites is a step forward; indeed I even think the ‘NASCAR problem‘ is a good thing, because it’s forcing people to think of elegant ways to move forward. This will over time
I’m not sure there’ll ever be a business case for completely standalone identity providers, but would imagine decent consumer-grade services will evolve out of services like Verisign’s Personal Identity Portal, or equivalents from people who already store lots of your PII (credit agencies, governments, banks etc) when they spot the consumer value in doing so. These will inevitably be multi-tiered services, offering Bob something nice and simple, yet offering me a (perhaps paid-for) more complex service.
As someone working in the identity field, I figure the best way to drive these things forward is to encourage all the Bobs I know to be more aware of their PII and where it goes – if enough of them start to ask questions, the services to support them will fall into place.
- Dec 07, 09
A couple of times recently I’ve had to explain SAML-based federation to people whose areas of expertise lie outside identity and security. After repeatedly drawing things in different ways on a whiteboard, I found myself working towards a real-world analogy.
It’s a bit tortured, and not exactly representative of the inner workings of SAML, but it gives the basics. For a real, technical explanation, the Wikipedia page gives a good outline, and hardcore nerds can read more at saml.xml.org… But if you’re interested in reading those, you’re probably not the right audience for this post anyway.
The basics
So, we’re trying to achieve federated SSO – that is, I’m a user at Company X, and I’m trying to access resources at Company Y. As the user, I don’t want a new set of credentials to manage at Company Y, and Company Y doesn’t want to have to deal with joiner/leaver for me. SAML allows us to solve this problem fairly easily – indeed in the case of some service providers (Salesforce and Google Apps as an example), this is trivial out-of-the box functionality for some SSO systems.
SAML federation occurs through a series of interactions between the two parties, after first establishing trust between them. So, on to…
The analogy
Imagine I’m a consultant (I am, so it’s easy for me), and I’m going to be working on a client site for a while. We’re going to look at my interactions with my own employer (my identity provider) and that of the client, whose resources I’ll be using (the service provider).
Establishing trust
Clearly, I can’t just turn up unanounced at the client’s site. There’ll be a series of meetings, swapping of business cards, probably some lunch… And then a contract will be signed. This contract will determine the length of the work order, and we’ll probably sign NDAs, and perhaps we’ll be given details of security behaviour (what to do on the first day, etc). The client will conduct due diligence, making sure (s)he knows our company, checks references and so on.
What we’ve done here is established trust between the two entities. They know who each other is, have contractual agreements on information sharing, and some basic protocol information.
Swapping tokens – authentication
So, now that we’ve arranged the work, on Monday morning I’ll turn up at the client’s office. Of course, the guy at the security desk has never heard of me. So firstly he asks me for some recognised ID, and I show him my passport. So now he knows I’m who I say I am – one might say I’ve used a standard protocol and token. But he doesn’t know that I really work for my employer, so a couple of things might happen. He could check in his computer system and call the security team at my employer, or call someone in his own organisation who’s already done this.
He’s now established I’m who I said I was, and that I belong in his building, he gives me a security pass for the building. It’s a temporary pass, obviously. It might be valid for the whole duration of the work order, or a shorter period. If the contract is a long one, he might want to periodically call up my employer to make sure I haven’t been fired – but probably not every day.
So, I’m authenticated at my employer with a token (my security badge). But the client doesn’t understand this so a shared token standard is used to convey this information to the client – my passport. On validating the token, the client needs to check that I belong to the partner and I’m not just a random, so they call up and check, in the same way SAML back-channel validation can occur. Once validated, I’m given a session token with the client/provider, which has a local expiration, and a periodic check against the partner.
Authorisation
The building pass he’s given me lets me into certain parts of the client building, based on the work I’m doing for them (as agreed with my employer). This compares to the pass I’ve got from my employer, which restricts me to access based on the job I do when I’m back at base – but the two cards are completely unrelated and disconnected.
Here we’re highlighting that my level of access on either side of the partnership are disconnected. My employer has agreed the work package with them, so they know what access to give me in their building based on that role. This is of course related to my role in my own office – but the access level given here is completely different.
…For dummies
So, that’s a high level explanation of how federation occurs, particularly with regard to SAML. I’ve found it a useful simplification for people who have no comprehension of how this stuff works – obviously it breaks down if you look more carefully! If you read this and can think of improvements, let me know.
Update: I had some debate with @paulmadsen regarding the ‘passport’ part of this. It doesn’t really work in the analogy – I was trying to convey the idea of the SAML token being something generated to a common standard, that both parties understand, and that’s not the same as the internal auth token necessarily. A passport is wrong since anyone can read your passport in the real world, but with SAML only the two endpoints can read it.
- Nov 10, 09
Last week, I gave a talk at IDM 2009 entitled ‘Privacy and Data Minimisation with Improved Business Returns’. A bit of a mouthful and the result of title-decision-by-committee, but good subject matter!
The main message of the talk was that by focusing on flows of data (particularly, but not limited to identity data) and the user owning that data, you can improve security, your user/customer experience and drive improved financial returns. The slides for the talk with accompanying notes should hopefully be up on our website shortly.
The topic is one that’s gaining focus as organisations shift focus from using IAM solutions to manage risk/compliance and regulatory requirements to more intelligent, business-focused solutions. In discussions with clients, there’s an eagerness to bring IAM out of the ‘back room’ and integrate it more tightly with CRM and BI tools – but also to empower users.
This is seen in internet properties from Google and Yahoo (amongst others), giving the user the ability to share logins, contacts, location and other personal data. Whilst this is great for simplifying things for a user across a number of sites, the key is to empower the user to decide which data is shared, and where. Both in an enterprise context and on the internet, it becomes a challenge to present this to the user in a friendly way, highlighting which data is owned by the user and which by the ‘other party’ in each context. This challenge looks to be where my focus is going to be for the next few weeks, at least.
- Oct 17, 09
On 29/30th September, I went to the OASIS Identity Management 2009 forum, the theme of which was ‘Transparent Government: Risks, Rewards and Repercussions’. It was my first time at an OASIS event, and befitting the organisation and the location (it was hosted at NIST), the content was pretty in-depth and technical.
I’d really hoped to convert my scrawled notes into a series of posts on the topics covered, but time has escaped me and so I thought I’d at least post some of the notes I’d taken in rough form so that they didn’t get completely lost… So here are the notes from Day 1. If I get time, I’ll come back and post on some of these topics in more detail!
(There are also plenty of notes from other folks on the event’s Twitter stream, #idm09.)
OASIS IDM 2009 – Day 1
Session 1 – Use of Open Identity Technology In Government
- Leverage existing, open identities for government applications
– New government 2.0 initiative
– Using OpenID / InfoCard vetted providers
– 10 providers -> Can choose which provider / id (Google vs Equifax, for example)– GSA defining ‘profiles’ – sets of standards at specific versions, guaranteed compatible
– Also ‘levels of assurance’ – criteria for various strengths/token types, according to risk/impact of incident
– Not building again, mapping publicly available identities against government assurance levels–New concept of open trust framework to certify IdPs
– Jointly presented by OpenID, InfoCard foundations
– Outreach to OpenID, InfoCard, InCommon, Liberty and Kantara–> Open Trust Framework
– Doesn’t presume any existing circles of trust (vs SAML)
– User controlled identity management
– Open, reusableAnyone can become an IdP, but need to be vetted.
ICAM profiles force private sector IdPs to be precise, to meet the government-specific requirements
It’s a win for the government, industry and the public:- Govt doesn’t build in a silo
- Industry gets tighter specs to focus on, and drive wider adoption
- Users get reduced numbers of identities, at government levels of assurance- No verification of assertion attributes, just that attributes are present (e.g. email attribute not checked to be a valid email)
SAML Profile: Already exists, based on existing SAML use cases in govt.
ICAM OpenID Profile:
- Only for sites at LOA1 thus far
- Based on OpenID 2.0
- SSL enforced on all endpoints
- “Directed Identity” approach, i.e. identity appears different to each RP, so no tracking
- Other restrictions defined in profile too, to ensure appropriate securityInfoCard Profile:
- acceptable at LOAs 1-3 (maybe 4)
- Focus on the UI, digital ‘card in wallet’ – card selector in browser
- Can have varying underlying auth methods
- Only supports Managed Cards, IdP issued
- Card auth mechanisms are un/pw, X509, Kerberos, etc– Truly user-centric would be self-managed
Don Campinella (Equifax)
Spoke about ‘persona control’ – multiple personas for a given identity
Attribute use assurance
Verification of claimsSuggested that a commercial IdP gives experience, data, scale, trust
Better fraud protection and privacy (some liability?)Discussed at LOA1 use of pairwise unique IDs, pseudonymous: reusable unique identifier given to each RP, but can’t be traced back to the user unless the user shares attributes. Each pairwise identifier can be revoked from the RP.
Quoted that 20% of Medicare/Medicaid fraud is at the service provider, not the user, so we need to authenticate the service providers as well as consumers. This creates the need for a standalone IdP, outside of the RP.
Session 2 – Mary Ellen Callahan (CPO of DHS) & Ari Schwartz (COO – Centre for Democracy & Technology)
MEC on the baseline of govt idm tech – “It’s got to work for my mum” – what happens if something goes wrong? Not just a data breach, but how do you interact with the individual and manage the problem.
- Should have a plan, since nobody’s infallible
- Elements of redress
- Harm-based analysis
- Not just financial loss, but also reputation, etc.
- Maybe even public safety (location data, etc)-> All about trust of government
Overall message: “Make it as secure as can be, but also plan for the worst. Have a policy to a) deal with it and b) prevent it recurring”
AS – Test of ‘user-managed identity’ is not in the user interface or the technology, but whether the user is on an equal footing with the IdP and the RP.
Session 3 – John Tolbert (Boeing)
Using XACML and ODF for Export & IP controls
Need to have resource (classification, ECCN, USML) & subject (nationality, location, US person) attributes
For IP controls, there’s an OASIS-XACML-IPC profile.
By using XACML, there’s a simpler, quicker adoption
-> Government can push out standard policy in XACML format to be used in a central decision engine at each org
-> Facilitates quick updates, easier audit – using standardised XACML means standardised rules (though relies on accurate metadata)Extending this to ODF document control profiles, to match the XACML-IPC profile. This gives end-to-end authorisation, not just at the point of distribution.
Gives the organisation a single set of policies / rules to manage.
Breno de Medeiros (Google)
Drivers for federated identity standards in Google are predominantly credential reuse and social graph sharing
- Social sites ask for passwords for data harvesting
- This is bad! Users are trained then to share passwords (see Linked In, Dopplr, etc)More reputable sites are less likely to implement APIs for authorisation/delegation as an RP, since they have little to gain. To succeed, providers should give a rich authorisation/delegation API, and a good UI!
Example of Plaxo & Google – OAuth and OpenID combined, but with friendly simple UI. Google account can be used to login to Plaxo, then OAuth allows for sync of contacts.
UI: Per-attribute authorisation is difficult, every additional checkbox makes the UI more complex and prone to rejection by the user. Also noted that users expect a ‘generated’ ID to be pairwise, but a social site ID, or manually created by the user, to be a global, shared identity. Need to be careful as PII could be exposed in URLs (email address, other correlatable data)
Current UI for OpenID that hides the ID is good (‘use your Google/Facebook/Live ID to login’) but isn’t scalable. There needs to be a good browser interface (like InfoCards) for IdP discovery in a privacy-aware way.
Session 4 – SAML 2.0 in government
Karen Higa-Smith (DHS programme manager)
Anil JohnDiscussion around use of SAML2 for data sharing.
Authentication is already handled by the PIV smart card.“Profile” created – this is a set of specs at particular levels along with guidelines and implementation documentation for use within government departments. It’s not a ‘standard’, since building these is slow and expensive.
Programme to manage ‘backend attribute exchange’ (BAE).
- Built a deployment profile and documentation
- Build a proof of concept BAE reference implementation, using synthetic data, to show interoperability between multiple vendor products following the BAE profile- Idea was to document the profile but not to reinvent the wheel, instead to use commercial or free products and existing standards. Programme should allow for multiple approaches and technologies, but to ensure interoperability.
- Encouraging COTS vendors to provide out-of-box support for the US government BAE profile.Explained two models
1- Direct Attribute Exchange
2 – Brokered Attribute ExchangeIn the first case, a simple data exchange using SAML from point-to-point
In the second, smaller departments can use shared infrastructure from a larger department – but the data should be encrypted so that the shared infra provider can’t read the data. This was successfully accomplished using existing SAML standards.- Specification of supported attributes, name identifier, encryption standards, etc are all specified within the SAML exchange.
- Also integration with the CA, so that user identities can be mapped to those on PIV cards or other certificate issuance.
- Flexible name identifiers, so that there’s no enforcement of a specific unique identifier.Session 5 – Social Identity
Burton: Leveraging relationships & managing social identity
Discussed benefits of social identity (profiles, social graphs, etc) within the enterprise
e.g. Establishing social data in enterprise portals (skills, expertise, interests)
Leverage within blogs, wikis, forums – munge this data for display on portal -> activity feeds
Allow for ‘following’ of employees, subjects of interest‘Facebook for enterprise’ – already have business dashboards, sales dashboards – why not a social dashboard?
Supports strategic talent, encouraging interaction, reflects generational shift towards social interactionsBUT
- problems of profile proliferation across multiple internal sites (and external)
- solve this with federation/sharing – but then problems of data leakage?- Also automated activity stream causes sensitivity issues (e.g. posting on a gay forum, completing a sensitive deal)
- Resolve through access management, but then this risks losing serendipity. Creating a balance of access restrictions and openness is a big challenge.-> Becomes an even bigger problem when trying to merge social graphs between internal and external tools (Facebook, Linked In)
- Breaking boundary between “work me” and “citizen me”. Is it acceptable for your boss to contact you about work issues on Facebook? Should they know about your out-of-work activities?Roles:
- Enterprise roles are well defined, though centred around access control
- Social roles proposed, e.g. “News filter”, “wiki gardener”
–> Social ‘talent management’, mining within the enterprise?Vendor presentations
IDology (Jodi Florence) – identity verification provider
Anakam – government to citizen verification – a sliding scale from anonymous through to vetted proof with liability
Privo (Denise Tayloe) – Parental consent for managing a child’s identity and data sharing - Aug 30, 09
There’s a stereotypical image that people who work at Microsoft are insular and inward-looking. Kim Cameron is far from that. He regularly posts insightful commentary on the ‘identity metasystem’ on his blog, and is widely seen as a ‘thought leader’ in identity management, driving forward standards such as Information Cards and taking a pragmatic, standards-based approach to Microsoft’s involvement in the ecosystem.
A couple of years ago he came up with a set of Laws of Identity – embracing the ideas that users should always own their data and dictate how it’s shared, that there should be minimal disclosure, and so on. In this post, you can see links to more detailed descriptions of the laws, and a nice image summarising the laws (shown below).
I’m spending progressively more time at work thinking about public/consumer identity as well as that kept within an enterprise, and I find keeping these laws in mind ensures the delivery focus is kept in the right place.
- Aug 07, 09
This week I’ve come across two more articles about Facebook’s poor security/privacy.
The first by Ian Glazer on the Burton Group Identity blog notes that apps can get access to all your details even if your privacy settings are set to prevent this… Whilst you can prevent a third-party app from accessing your details directly, if you allow your friends to read your profile, when they install the app it inherits the permissions of your friend relationship, rather than your own app settings, meaning the app can suddenly access your whole profile.
The second by the Cambridge University Security Research Lab relates to ads served either through Facebook, or within apps using the Facebook platform, and how these can access your personal data and the pictures you’ve stored. It ends with a worrying note – ‘The platform API remains fundamentally broken and gives users no way to prevent applications from accessing their photos.’
- Aug 03, 09
It’s rare that IT security and aesthetics come even close to being related, however I stumbled across something on the Information Aesthetics blog this week which peaked my interest.
I’ve come across some debate recently around passwords. It seems to be becoming common knowledge that password security generally isn’t good enough these days, and 2FA or other strong methods should be used where possible. However, that’s an issue for another day – passwords clearly are in the majority when it comes to the average user’s experience of IT security.
Some sources suggest that password rotation is a bad idea, and others propose that the asterisks, or similar characters that obscure your password are nigh-on a waste of time – notably security expert Bruce Schneier. Masking passwords mostly serves to annoy users continually to avoid the virtually non-existant threat of someone reading the password over your shoulder.
It’s a potential solution to this password masking problem that I came across this week – a mechanism that displays a colour key next to the password entry box called Chroma-Key.
A hash of the text you’re entering for your password is generated in real-time. Each small change generates a significantly different hash, and it means you can see at a glance that you’re entering the correct password, hopefully avoiding your account getting locked through typos, but without revealing the exact password.
You can find out more about it on the author’s site, and the original article on Infosthetics.
- Jul 02, 09
Despite my better judgment, I’m still using Facebook. All of my friends and acquaintances use it, increasingly as an IM application, and not just for posting inane status updates. Indeed Adium, my IM client of choice, now supports Facebook chat, so I’m spending more time rather than less.
That being said, the thing I really don’t like about Facebook is the crappy applications and quizzes that people seem to expect you to join in with. I don’t care that you’ve thrown a sheep at me, or the Spice Girl you’re most like is ‘Baby Spice’… But more worrying is that these apps are quite often vectors for spam and people are entirely oblivious.
The security lab at Cambridge wrote a good article highlighting how bad this is, clearly spending a lot more time than my totally unscientific analysis of asking a few people I know, and experience of using the site. They noted that it’s relatively easy for an app to get published on the Facebook platform that can steal the user’s Facebook session, then use this to query Facebook’s servers impersonating the user and mine all of their personal data and that of their friends.
Facebook don’t allow you to do this under their terms of use, but obviously there are so many apps being published that some slip through the net. More than this, they’re not inclined to check particularly actively as long as users don’t shout too much – these apps have nicely targeted ads which make them and Facebook money. But of course the ads are targeted – the app stole all your data, so you can be pretty sure they can pick an accurate ad. None of this is new news, there have been a variety of reports in the technology and mainstream press highlighting how identity theft and other privacy concerns abound on Facebook.
The thing that never ceases to amaze me, however, is the fact that users continue to complete these inane quizzes, download free apps that allow them to throw sheep at their friends and don’t stop to wonder why anyone would go to the trouble of building these apps for free. It’s all well and good that Facebook asked me my date of birth when logging in from an ‘unusual location’ (I was travelling for work), but this is of little security benefit when it’s trivial to steal this information during my use of the site from the safety of my own house.
I’m unlikely to stop using Facebook given the amount of friends and work colleagues who use it, but please don’t be offended if I ignore your request for a pillow fight, zombie chase, gang war, or the chance to find out which South Park character you are.
- May 13, 09
- This app looks lovely. I just wish I could see all my Oyster data online, and not just PAYG data, paid for on the website – seems a daft artificial restriction to me.
- May 12, 09
- I'm working on some of the SSO integration work that makes this possible.
- May 10, 09
- Another reason to like Obama. I've always thought Hydrogen cars are stupid. Why use electricity to make Hydrogen, which then needs a completely new distribution network… Much better to invest the money in battery tech and use the electricity grid.
- May 06, 09
I was quite surprised when I saw these adverts for the first time yesterday at Paddington Station. I saw them again this morning at Oxford Circus, and I suspect they’re being shown quite widely. This one was on its own, but they were also being shown as every other ad on the video ad screens up all the main escalators.
It’s quite a daring advert campaign – and one I have a hard time believing. To me, the Evening Standard, along with its former owner the Daily Mail, have been for a long time synonymous with racism, homophobia and general, widespread negativity. I’ve assumed that every article is pretty much about sending the ‘dirty black, gay, asylum-seeking, dole-scum’ back where they came from.
The Guardian comments on the new advertising campaign, noting that if nothing else it will spark debate, following the paper’s acquisition by a Russian billionaire and his plan to transform the paper.
He stated that he’d like to make the paper younger, more ‘progressive’ and more positive about life in London. This can only be a good thing – I for one would pay for a quality evening newspaper that provided a decent amount of interesting news – a Guardian-lite, perhaps – instead of the drivel that is currently available, whether the freesheets or the current incarnation of the Standard. When the paper is relaunched on 11 May, it’d be great to see this transformation – but I think I’ll wait for the news coverage rather than queuing for my own copy.
- Apr 26, 09
- Love the ad, the Vimeo flash treatment is pretty cool too.
- Apr 24, 09
- About the Microsoft Surface… A touch-screen computer that you can't touch, by design, when it comes out of the box. Not quite like the Apple packaging porn experience.
- Apr 14, 09
- Looks quite cool for getting around town.
- Apr 13, 09
- Powering your CC128 by battery. I wonder how long it lasts, though.
- Great looking graphing app from Omni – handy for all those 'management graphs' needed in presentations.
- Apr 12, 09
- Clever – combining public data from various social networking sites to establish the identity of supposedly anonymous individuals.
- Apr 10, 09
- Great spoof site by the ORG folks, highlighting quite how much data the UK government is mining.
- Pretty cool visualisations of OECD data
- "Sid and Ajay will present a technical overview of OpenSSO (Resource Center) and then will explain how it is being used in a real-world deployment. The presentation will end with a roadmap for the features in future releases of OpenSSO."
- 'This gateway is valuable because it is a hub for connecting users and other identities to the services that it works with, so that an organization has to manage only a single identity-federation relationship to enable its identities to access any and all Microsoft and Microsoft-based services that they want to use.'
- "pv – Pipe Viewer – is a terminal-based tool for monitoring the progress of data through a pipeline. It can be inserted into any normal pipeline between two processes to give a visual indication of how quickly data is passing through, how long it has taken, how near to completion it is, and an estimate of how long it will be until completion."
- I've seen something like this used once and it seemed pretty effective. Worth remembering for future use.
- Sounds awful.
- Apr 10, 09
Tesco has for some time allowed people to convert Clubcard points into Airmiles, so on one hand, this story seems a bit of a non-event… Except for the fact Tesco are actively suggesting people convert the bonus miles earned when buying CFL bulbs into Airmiles.
That’s right – suggesting you get in a jet and burn a load of fuel as a reward for ‘greening’ your domestic lighting.
I’m all for encouraging people to reduce their consumption, but this needs to be by educating people on the reasons why, not by offering discounts on massive energy consumption as a reward for minor reductions.
- Apr 07, 09
- A great article on what you should be scared of. Hint: Being scared of terrorists makes you an idiot.
- Apr 05, 09
- 'A survey by Stonewall, the gay rights charity, published last year found that one in five gay people had been the victim of a hate crime in the last three years.'
- Decent article on Microsoft / Yahoo / Google. And Big Hairy Audacious Goals
- Apr 05, 09
Whilst the news has been focused on the financial aspects of the G20 summit of late, there’s also been a good scattering of news on international environmental issues. There seems now to be a general acceptance that we’re rapidly approaching, if not sailing past a ‘tipping point’ that sends us towards catastrophic climate change.
Even for those who don’t believe in the cause, there are undeniably good reasons to strive for energy efficiencies, and to remove the Western dependence on Middle-East oil. On a local scale, for individual homes and businesses, there’s a clear economic gain with a very short payback period by installing insulation and low-energy lighting, or simply by planning more efficiently.
At an international level, it’s surprising to see even fairly entrenched ‘traditional fuel’ organisations announcing that they are aiming for carbon-neutrality by 2050. Given this agreement includes companies like E.On and EDF, who are heavily into coal and nuclear respectively, it’s going to be quite a stretch. If they can collectively move forward on smart grid technologies and power distribution, though, the cost savings of stable, European power prices will be much more attractive than the volatile fossil fuels markets – especially if one factors in the cost of wars for oil. I was surprised by quotation from the president of the European Wind Energy Association on the relative prices of fuel -
At current fuel prices, electricity production costs from a new wind farm, coal plant and gas station are more or less the same.
I was under the impression renewables were still a fair bit more expensive. Of course, the statement needs to be taken with a pinch of salt given the source.
Elsewhere in the world, Barack Obama has promised to sign a climate bill into US law, a significant departure from the previous administration. The bill is likely to include a US cap-and-trade system for CO2 emissions, compatible with the system already in operation in Europe. It also seems that a significant amount of Obama’s economic stimulus money is being given to green power, which is great news. Interestingly even companies such as IBM are bidding for funds, in order to invest in smart metering & distribution. We’ll just have to hope that the bill doesn’t get too watered down, and that US carbon trading is more effective than the European scheme has been so far.
Closer to home, things are a little less optimistic. It seems there’s now a chance that the third runway at Heathrow won’t get built, but this relies on the fact that BAA won’t lodge a planning application until 2012, after the next general election, and that the Conservatives are significantly ahead in the polls. They have said they will prevent the project going ahead, as compared to the encouragement from Labour. Whilst I support many of the environmental moves the Tories are making – high speed rail instead of the runway being one – there are enough skeletons in their (not so hidden) closet that I couldn’t bring myself to vote for them.
Talking of Conservative idiocy, in a supposed cost cutting measure, Boris Johnson has cut the environmental staff of the GLA from 40 to 20, reducing the climate change & energy team from 10 to 3. This seems to fly in the face of his stated goal to make London the greenest city in the world. In isolation this would be frustrating – but perhaps necessary to save money – but alongside his abandoning of the Western congestion charge and paying mere lip service to other environmental schemes, it seems we’ll have to look elsewhere for leadership on the environment.
- Apr 04, 09
In a thrilling final installment in my current (no pun intended) obsession with power consumption at home, I took some time to go around the house switching things off and on to get an idea of where power is still being used despite things being notionally ‘off’.
In a pretty unscientific experiment, I turned off everything in the house except the Current Cost meter, then went around switching things on and noting roughly how much power they use. Curiously, with nothing on except the meter, it was still showing around 60W of consumption. I’m not sure where this is coming from, but it’s constant.
Here’s the list of devices around the house that I measured:
Fridge 50W (when running) Sky 30-50W NAS 65W (on 1600-midnight weekdays, 24hrs weekend) Mac mini 20W Airport 4W Router 5W Xbox 360 10W Wii 5W (in 'red' standby, 10W in 'amber') TV 5W Xbox 5W Amp 5W Subwoofer 5W Phone 5W (two cordless chargers) Laptops 2W (two chargers) Mobiles 1W (two chargers) Boiler 2W Microwave 3W Appliances 2W (oven / dishwasher / washing machine) Pong clock 3W
So this highlights mostly that we have too many gadgets. I reckon we could save about 40W by completely switching off some of the stuff in the living room when it’s in ‘standby’. Assuming usage of 4 hours per day and the rest of the time on standby, at roughly 20p per kWh, we’d save nearly £60 a year by switching them off – definitely worth investing in a ‘standby saver’ adapter, I think… Or just getting rid of the gadgets!
- Mar 31, 09
- Open Streetmap plus cycleroutes. Looks useful, if I ever get off my arse and buy a bike.
- Mar 31, 09
After a few weeks away, I’ve had another fiddle with the Python scripts I run to graph data from my Current Cost meter. You can see the results here.
Of note, I’ve switched from using the Google Graphs API to RRDTool. This is for two reasons – the Google graphs API just seemed a bit fiddly, even using PyGoogleChart, and rrdtool graphs just seem pretty easy to output. In addition, it means I get averaging for free and don’t have to manage the database.
I’m still using the Python I tweaked from Dale Lane, but I created an RRD based on Paul Mutton’s guidance and update it using a Python module for RRD from Corey Goldberg. Feel free to ask for a copy of the scripts.
For some reason my sqlite db update script liked to bomb out after a couple of hours, but this seems to be working fine and has been gathering data reliably for the last few days.
Of course the whole point of this isn’t just to make pretty graphs, but to try and do something about our consumption. I’m already obsessing about the graphs produced, and they’re making it easy to see when something’s left on – our ‘base load’ seems to be about 200W, so anything more than this means something’s on somewhere.
Our most obvious heavy power usage is the oven, at about 3kW, but there’s not much I can do about that other than cook more with gas – or eat more salad! It’s generally not on for long, so not the end of the world. Interestingly, the oven seems to heat up in under 10 minutes (solid power use, followed by intermittent bursts to keep it hot). I’d always assumed this to be longer, so that’ll save some time and money!
I’m also quite conscious of the fact we sit in the living room with a few 60W lights on in the evening for quite some time. They’re on dimmer switches so I’m now hunting for dimmable CFLs. The Megaman bulbs seem to come quite highly rated, but I’m not really sure how good they are. If anyone’s readig this and has some insight, feel free to leave a comment!
My next plan with the graphs is to work on aggregating daily/weekly data to show trending totals and ignore the short-term fluctuations, so that I can see how things are improving. When I get some time at home to myself I’m going to try and work out exactly where the 200W base load is going (NAS, router and Sky are the key candidates) and see if I can get it lower.
- Mar 28, 09
- Looks like the ideal toy to show energy consumption, though I'd have to make sure to become more efficient to justify it
- Some useful setup info on troubleshooting SSO issues. Probably good for other products too
- Mar 25, 09
- Using existing user attribute stores to manage account lockout parameters in OpenSSO. Might come in useful one day.
- Hadn't seen this until it went past on Twitter this week – Perl libraries for bank account statement retrieval.
- Mar 18, 09
- Wesabe launching a platform for banks to use their analysis tools with your real banking data. If only First Direct were to use this, they'd be pretty close to my 'full service bank' idea that I've been talking about for a couple of years.
- Mar 17, 09
- Somewhat morbid system – pay annual subscription, company prompts you to log in every so often. If you don't respond, it emails your chosen contacts. Seems a sensible service, but there's something a bit wrong about it. Perhaps companies offering wills or life assurance could do this?
- Mar 16, 09
I recently listened to a series of lectures from Warwick Business School on the way communities can be built within large organisations, as distinct from the management hierarchy / team structure. They cover some interesting ground, looking at how communities can give significant competitive advantage by creating strong networks of information sharing both within and beyond organisational boundaries. There are also some cautionary notes in terms of how communities need to be nurtured and ingrained into the character of a firm or other organisation, but without overt management influence.
The lectures are recordings of sessions held at WBS, outlining research work they’re undertaking. I took a few modules on organisational behaviour as part of my degree at Warwick, and it’s something I have quite a personal interest in – unfortunately it’s not necessarily been reflected in the places I’ve worked. I’m hopeful that’ll change in the future.
You can find the lectures on iTunes U – I think they’re definitely worth a listen, though they might be a little dry for some people!
- Mar 14, 09
- What it says on the tin – might come in useful one day.
- Mar 14, 09
Unfortunately I’m having a busy time of it at the moment, with lots going on both in and out of work. I really wanted to write a decent post around this, but haven’t had the time.
For now, I’ll just link to two articles from the Guardian:
Revealed: police databank on thousands of protesters
This first article shows how police are routinely storing photos and videos of political campaigners or protesters. These people aren’t breaking the law, but their movements and behaviour are being compiled into a large intelligence, to be kept for seven years, alongside evidence of those convicted of public order (or worse) offences. It’s a massive violation of privacy, as far as I’m concerned.
The second article stretches this loss of privacy even further, with the former Whitehall security co-ordinator stating “Finding out other people’s secrets is going to involve breaking everyday moral rules.”
This to me is a staggering admission that the government and civil service are happy to breach the rights of privacy for innocent citizens by routinely capturing and mining it to spot ‘suspicious’ patterns. The data to be collected are “personal information about individuals that resides in databases such as advanced passenger information, airline bookings, and other travel data, passport and biometric data, immigration, identity and border records, criminal records and other governmental and private sector data, including financial and telephone and other communications records.”
Even more worrying (though perhaps unsurprising these days), there’s a good chance the data management will be outsourced to the private sector and not held by the government. This means that private organisations, quite likely outside the UK will be responsible for the security of your financial information, communications records (in other words your phone bills, and likely your emails), and travel records.
It seems there’s little general awareness of the scale of these plans. If you happen to stumble across this post, I recommend you try to learn more about this, and if you feel strongly, write to your MP.
- Mar 13, 09
- Some great insights, especially around ‘data.gov’, empowering people to use data, and the ‘default assumption’ that all government data is public.
- Mar 08, 09
Since installing my Current Cost meter, I managed to get Dale‘s graphing app up and running fairly quickly. Since then, I’ve progressed a bit with my own Python.
The scripts are fairly thrown together as I’ve waded my way through various Python documentation, and the sqlite and Google Chart API modules, but I’ve managed to get some initial graphing up and running, which you can find on the Current Cost tab (or click here).
The graphs should update every couple of minutes, and so far show power usage & temperature readings for the last 15 minutes, and last hour. To get these working, I have a script which listens continually for the output from the CC128 and stores it into a sqlite database. There’s a second script which reads this database and makes calls to the Google charting API, generates PNG files and then pushes those up to my blog host.
I’d like to get 6-hourly, daily and weekly graphs, but these will require a bit more fiddling as the data needs aggregating before passing to the chart API. I suspect it’ll be a few weeks before I have the time to get that working… Likewise the graphs need a bit of tidying up (better axes, labels, etc).
In the unlikely event that anyone’s interested in the Python scripts to do this, either leave a comment in this post or drop me a mail.
- Mar 06, 09
So we’re approaching the first major release of my identity management project. It’s taken a while to get us close to the release, mostly through no fault of our own. Given it’s taken us so long, unsurprisingly the ground has moved underneath us.
There’s a new release of Sun Identity Manager just out, version 8.1. This close to a go-live I wouldn’t normally contemplate upgrading, but it seems to have a good set of features worth investigating – not least better SiteMinder integration and open source identity connectors.
A nice touch, whilst terribly dull, is a blog that features updates/changes to the documentation, so you can get notified via RSS of significant updates. Their competitors could learn a lot from this sort of open way of working.
- Mar 03, 09
- Richard's cool new site that gives you alerts for new Spotify releases
- Mar 02, 09
- "We shall be a life-affirming, aspirational newspaper that aims to be different and bold, our style embodied in punch, zest and humour. From today this newspaper takes a fundamentally optimistic view of life, of London and Londoners"… Almost closing down and starting again, surely?
- Mar 01, 09
- Amusing video ad by the Cohen Brothers on the reality of 'clean coal'.
- Sigh.
- 'More than 98% of the toilet roll sold in America comes from virgin forests' – a surprising waste. American bums too delicate for recycled.
- Mar 01, 09
If I had bags of money, I think I’d opt for Super Awesome Broadband – it offers ‘unlimited’ static IPs, with no fair use policy or download/upload limits, and they promise no traffic shaping, proxying or Phorm.
Interestingly, they also offer ‘Secure VPN exit in Switzerland’, to offer you extra privacy. Your traffic will appear on the internet with a generic Swiss ISP address. In comparison to other ISPs, they have a surprisingly simple acceptable use policy – ‘Don’t do anything stupid or illegal’.
The downside is that they charge £65/mth for an 8Mb service, so for now I’ll be sticking with Be/O2.
- Feb 25, 09
I first heard about Doubletwist around a year ago, and never really expected it to turn into a real product, but it entered into public beta (on the Mac, at least) this week.
It’s slogan is ‘All your stuff, on all your devices, with all your friends — in seconds’. It’s a media manager that seems to have a pretty good UI, and on the Mac mimics somewhat the Finder or iTunes sidebar, showing your music, photos and videos. It also has a ‘friend feed’ for you to see what your Doubletwist friends are playing (or sharing), and you can upload media to Youtube, Flickr and Facebook. Surprisingly, you can even share tracks you’ve bought from iTunes with your friends.
The most impressive feature is that of copying your media (including DRM-protected content, such as purchased iTunes songs). A pretty large set of devices are included, counting Nokia phones, Blackberries, Windows mobile, Android and the PSP – oddly iPod and iPhone sync support is only available in the PC version.
Sync is as simple as it could be – just drag the media you want on to your device, and any encoding or translation is done on the fly.
Whilst some of the more extreme DRM-ripping features have been removed since the initial concept came about last year, and the media playing features aren’t that great yet, it looks like an interesting tool to keep an eye on.
- Feb 23, 09
- A brilliant infographic explanation of the 'crunch'.
- Feb 18, 09
…almost. I’ve mentioned before how I’ve been reading my electricity and gas meters every four weeks or so, which gives a rough approximation of how much we’re consuming in our house.
I’ve got my Current Cost meter up and running with Dale Lane‘s Python app. This was ever-so-slightly fiddly, so I thought I’d add my voice to those already out there with some step-by-step instructions for OS X users.
- Get a Current Cost meter
- Order the USB serial lead
- Install the drivers for said lead – this creates a new device
- Install the Apple Developer Tools
- Download the Python source for Dale’s app
- Follow the prerequisite list
- Install MacPorts
- Rebuild SQLite (run sudo port install sqlite3 +loadable_extensions from an XTerm)
- Export the DYLD_LIBRARY_PATH (for me this was export DYLD_LIBRARY_PATH=/opt/local/lib)
- Run the app – python currentcost.py
Not too bad, and you should get a nice pretty graph, like so:
Next up, I’m going to be taking the real-time data into a database and trying my own bit of graphing.
- Feb 17, 09
- Cool presentation about interfaces between web apps, and how to get rid of polling.
- Feb 17, 09
I’ve just finished reading ‘Managing Humans‘ by Michael Lopp, also known as Rands.
It’s a witty and amusing read for anyone who has any interest in office politics, particularly those in IT. It’s written from the point of view of a development middle manager, and highlights with surprising accuracy the stereotypes of employees and managers you find both in a large organisation or a startup.
For me (with particular personal relevance), the highlight of the book was a paragraph commenting on an average employee who’s drowning in work he’ll never be able to finish because he’s fundamentally not good enough, whom you should get rid of:
If you’re the manager in this scenario, you’ve got to make a major change because you cannot release crap. There are companies that do this and end up making a tidy profit. You are not this person, because once you are rewarded for releasing crap, you begin a blind walk down a path of mediocrity that ends up with you working at Computer Associates on a product no one has heard of and that no one cares about.
- Feb 13, 09
- To get to this page, you have to log in, select the product, then download a PDF (in a Zip) which contains a link to the download page, which has download for tons of products not just the one you selected. Rubbish.
- Feb 11, 09
My Current Cost CC128 arrived yesterday, an eagerly awaited treat after my day at Home Camp ’08.
It’s already producing surprising data – when I got up this morning, the house seemed to have an ‘ambient’ power consumption of 278 watts, which seems pretty high, but I think the boiler was whirring away at the time.
As I sit here, with some lights on and various other bits and pieces, it’s reporting 674W, or £2.26/day at this rate of consumption.
The real value of the Current Cost though is the cable for attaching to a PC, so you can capture and report on the data. Not being too much of a coder, it’s going to be a bit of an adventure – the CC just outputs chunks of XML every 6 seconds, but handily there’s tons of good work out there to ‘borrow’.
I’m hoping to produce some graphs a bit like these, or even better make the lights on Corneliuss, my Nabaztag light up according to how much we’re using!
- Feb 08, 09
Whether in the guise of increasing regulatory pressure, or through a credit-crunch-driven round of redundancies, most organisations of more than a handful of people need to verify the IT access their employees have, comparing this regularly to the rights they should have.
Both in my own experience and through stories of others, it seems most large organisations are woefully bad at doing this – most often conducting adhoc manual reviews, orchestrated by an overworked IT Security team. These are almost always achieved through mailing Excel spreadsheets, or people wandering the office with printouts… “Are you the owner of this system, and if so, what does it do?”
There are far better ways of doing this – both as a one-off, and as a regular exercise.
First step – People
Firstly, you need a good source of people data – ideally your HR system or some kind of directory containing names, job titles, locations and line managers of your employees. It’s important to be able to trust this hierarchy – there’s little point worrying about access rights if you’re not sure whether someone’s still an employee, or who they work for.
Current access rights
Once you know who all your people are, who their managers are and what job they do, you need to determine the access they have.
If you’ve got a provisioning system, great – this will already have a store of the rights in most of your key systems. If not, or for systems beyond the scope of your provisioning tool, you’ll need to capture the user access rights.
For critical applications, you might be forced to report on this sort of thing anyway, but if not, get into the habit of capturing simple files of users and group memberships.
Validation – the challenge
So you’ve now got an employee hierarchy and a series of application rights. To validate, it’s just a matter of checking with a given user and his/her manager that the access is what they need and no more, right? That’s a great theory, but most business managers have no idea what group TRD47 does or why you need to be in it or the hundreds of others that you’re in.
Here’s where that ‘better way of doing things’ comes in – most identity & access vendors now have products for role mining & certification.
Let’s take a big warehouse and into it pour all those lists we collected earlier. Next, we’ll take the following steps:
- Get line managers to confirm their direct reports
- Get system owners to describe each access group for their application
From here, we can run some pattern matching giving output like these:
- All employees get a mail account and Windows login
- All IT staff get admin rights to their workstation
- All traders get access to the trading system
- HR get access to the HR system
- …
Starting with really broad definitions that cover as many people as possible, we gradually narrow down on individual teams, defining the rights they have into business roles. When we’re happy, we can start to validate these roles, having the IT organisation confirm each permission group.
This leaves business managers just to confirm that employees have one of these ‘friendly’ roles.
The second time
Once you’ve captured these role definitions and validated them (and their exception cases), it’s relatively easy to maintain this and conduct regular audits.
Whenever a new system or group is created, this gets captured. If you release a new application, you’re most likely aiming it at a set of users, and this should already have been defined as a role (the London sales team, for example), so you add the new system to that role.
When it comes to your next certification cycle, you need the role owner to confirm that a given role still contains the right systems, and you need line managers to confirm their employees. Much easier than trawling around with Excel.
Moving
In between certification cycles, things are much easier too, especially when you tie your role management tool directly to your provisioning solution (this is pretty easy, as all support standards-based communication). If an employee moves within the organisation, you don’t need to worry about what systems they need access to, or cleaning up the access they had – you’ve just got to add the new role to their profile, and take the old one away.
Likewise for a new joiner or a leaver – their access is well defined, so you know exactly what to give, and what to take away.
So next time someone mails you a spreadsheet asking you to describe what a system does, and who should have access to it, tell them there’s an easier way.
- Feb 02, 09
- Feb 01, 09
- Tours around Big Ben – how cool!
- Feb 01, 09
My main ‘PC’ at home is a Macbook. It’s generally on my lap in front of the TV, and only generally sits on my desk for charging. It’s always connected to the internet, but virtually always via wifi – almost never plugged in with a cable. In my house, I have always-on storage in the form of a Readynas NV+.
My requirements for backup are:
- It happens without me thinking about it
- At least daily schedule
- Backup deferred until I next wake the laptop
- Selected backup (not whole hard drive) – ideally with varying frequency of backup for certain files
- Automatic versioning of files I change (and delayed deletion of things I delete)
- Offsite storage of critical data (which should be encrypted with my own key)
My ideal would be to backup my laptop to the NAS, and from there to take selective data (photos, documents, etc) and upload it somewhere online.
I’ve not really come up with a good way of doing this, so for now I use Jungle Disk, which at least gets all my important data to an Amazon S3 bucket. This is a good solution, but often means remembering to leave my laptop on for hours after taking a batch of photos so they upload to Jungle Disk. I’m not nerdy enough (almost, but not quite) to write an rsync script that runs in my desired ‘lazy’ scheduled way to get my data to the ‘intermediate’ step before uploading.
Any suggestions welcome!
- Jan 27, 09
- Interesting – despite commuting from Clapham to the City every day except holiday/sick days, I only just save money by buying an annual travelcard.
If you've got flexible hours, it's worth considering switching to PAYG.
- Jan 26, 09
I bought my 3G iPhone the day it came out, about six months ago.
It was my second.
I managed to rationalise the guilt of yet another gadget purchase because it was effectively a free upgrade. I already owned a first generation iPhone, but since it wasn’t subsidised I could break my O2 contract early.
A new contract would entitle me to a free iPhone if I spent £45 a month with O2, giving me some daft number of inclusive call minutes and texts, and of course unlimited data & free use of the ubiquitous Cloud wifi in the City. This seemed reasonable, and there was the added bonus of some free money when I sold my first iPhone on eBay.
Not a bad deal, I thought – except £45 a month now seems a bit steep. So I dug into the terms, and read that I could downgrade to a cheaper tariff part-way through my contract.
I called O2 today and asked about this. After instantly anwering the call, a friendly lady said that I couldn’t downgrade until 9 months into my contract (half-way), from my March bill date.
Oh, I thought, I’ll put an entry in my calendar to call back in March. I was about to hang up when said friendly lady suggested she “diarise the change”. What’s this? “I’ll schedule the change to your account for March, and you’ll get a confirmation email before your bill date to remind you. Call at any time if you change your mind.”.
I’ve had issues with O2′s coverage and call quality, but if this works as expected, I’ll be pleasantly surprised – most mobile phone firms have notoriously bad customer service. Of course the free chocolates O2 Customer World sent me as a Christmas present didn’t harm their brand either…
- Jan 25, 09
WordPress taunts me every time I log in with the draft of a post I’ve been meaning to complete for quite some time that explains the general concepts around Identity Management, provisioning, role mining and so on. It’s intended to be a precursor to further more in-depth posts on various aspects of the topic. I never seem to manage enough time to finish it, so until then, a video!
At work we’re almost done with our first deployment of Sun Identity Manager. Personally, I’ve found it a good product to work with. I like Sun’s approach to deployment – the base system deploys as a Java WAR file that installs into Tomcat, Glassfish, etc, and it’s pretty easy to connect it to your first set of resources for provisioning. The workflow and forms design are a bit more of a challenge, using an XML-based functional language, XPRESS, and that takes a bit of getting used to, but is amazingly customisable.
Some while ago I was invited to a Sun technical day, at which I saw a demo of some SunRay thin-client appliances that link to the Sun Secure Global Desktop (SGD) product. If you’re familiar with Windows Remote Desktop, it works like this from a user’s point of view, except a bit more powerful. Stick your smartcard in the SunRay and connect to your desktop (Windows, Linux, whatever) running on a VM in a data centre. Go home from work, visit a web-based version and fire up the same desktop.
A couple of guys at Sun have put together a demo of how SGD, OpenSSO and Identity Manager can work together, dynamically creating whole new instances of desktops at a user’s request and giving the appropriate access, then killing it all off again when HR deactivate your account.
I think it’s a pretty cool explanation of how these sort of systems can hang together – for many organisations this could represent a huge saving in user administration, desktop provisioning, and even hardware.
Read about it here, or skip straight to the demo video (12 mins or so, with a great soundtrack!)
- Jan 24, 09
- Noticed Tom Taylor (no relation) bookmark this, but wouldn't mind giving it a go – perhaps stopping for a couple of days in each place along the way.
- Good discussion of UX when using OAuth. Relevant to stuff I'm working on, too.
- Jan 22, 09
I started reading Next by Michael Crichton just after Christmas, and have been reading bits of it since. In some ways it’s typical Crichton – taking a scientific theme and writing a novel around it. In this case, the subject matter is genetics and bioengineering.
The plot is in fact a set of loosely coupled stories about people either in or affected by biotech/genetics, and at times it’s a struggle to remember all the characters. Some chapters are quite fun, and the talking animals (really) are an amusement but the entire novel seems largely to be a rant at the biotech industry, indeed the last few pages are things that the author suggests need to change.
Even if you’re a Crichton fan, it’s not one of his best.
Next up, something a little different – Managing Humans: Biting and Humorous Tales of a Software Engineering Manager
- Jan 16, 09
- Monbiot on the Tories plans. Great stuff, if only a better party came up with stuff like this.
- Jan 16, 09
I came across a great post at ecogeek.org (hmm, that makes me sound even more nerdy than I am) today on a topic we discussed at Home Camp. It talks of encouraging people to cut home energy consumption by turning it into a game, referencing the Behaviour, Energy & Climate Change Conference.
It seems that the idea’s gaining some traction – I see more and more references to it. I really like it as a way to get consumers as a whole to talk about their energy usage, something which most people see as inherently fairly dull.
Whilst products like the Current Cost or Onzo are great for getting individual households to reduce consumption by comparing against their own historic use – or even more simply watching how much money it costs to boil a kettle – encouraging people to be competitive seems a great way forward.
As well as the encouraging news that British users will all have a smart meter by 2020, we need to make sure the data provided by these meters is standardised and easily ‘mashable’ to allow games like this to evolve on their own. I can imagine energy providers or other organisations offering ‘free stuff’ or discounts to the winners of ‘biggest loser’ competitions if all of us can share our energy data safely and securely – though of course there’s some irony in giving out products to people who are best at cutting their energy consumption. It’d be great to see, for example, the government offering discounts on your council tax bill as a reward for consistently reducing your consumption. I suspect, though, that would be a step too far given how most councils still live in the dark ages.
So far, a very basic form of this exists – my Carbon Account posts my carbon footprint to Facebook each time I add a reading, and I can compare with friends, but this is an entirely manual process reliant on my submission of meter readings once a month. I’m sure wider availability of Wattsons, Onzos and Current Costs will get this moving – I can see me handing them out to my family and friends as Christmas presents this year.
Meanwhile, take a look at this video showing a great example of how it might all come together.
- Jan 13, 09
For a while now I’ve been putting a little money here and there into Kiva. They’re a non-profit organisation who lend money out to individuals and small co-operatives in many of the poorer regions of the world.
You put some money into your Kiva account and then pick an entrepreneur (or more than one) to lend the money to. The money is disbursed to the businesses via ‘field partners’ – organisations located near the recipients who select the borrowers and manage the repayments. The borrowers pay some interest on their loans, which pays the costs of the field partners. Kiva itself is run by donation. As a lender, you don’t receive interest, but once the loan money is returned to you it can be relent. A charitable donation that keeps on giving!
As well as regular donations to some major charities, I really like the idea of directly helping individuals and their small businesses. Developing businesses and encouraging entrepreneurship seems to me a better idea than just doling out aid money.
If you take a look at my lender page, you’ll see the people I’ve lent money to. Since being a Kiva member, I’ve given out $400 in loans – I put in a much smaller sum, but the money has been cycled round a few times! All of my loans so far have been repaid in full, with no late payments. Pretty good, especially if you compare it to Zopa (where you can earn money by lending to UK-based borrowers) – whilst earning interest here, I’ve had two loans that have defaulted.
This video was produced by a Kiva Fellow – someone who left his job at Credit Suisse in London to volunteer in Cambodia. It gives a great insight into how Kiva works – and might encourage you to lend some yourself!
A Fistful Of Dollars: The Story of a Kiva.org Loan from Kieran Ball. - Jan 11, 09
- Where I had lunch on Saturday. Highly recommended if you're in Brighton (and like Japanese, obviously)
- Jan 09, 09
We got a notice at work this morning about the US Visa Waiver programme, informing potential travellers to the US that the system is changing. As of 12th January 2009, it’s mandatory to register in a US government online system at least 72 hours before you travel, unless you’re a US citizen or have a Visa.
Into this system, you must provide:
- Applicant information (Birth date, full name, email, gender and phone number)
- Passport information (issued date, expiration date, number and country of issue)
- Travel information (flight and city)
- Address whilst in the US
- Health information (diseases, mental illness)
So, in itself, it’s amazing that you’re expected to give up all this personal data to the US government before you even leave your own country. Beyond that, there’s the risk that this system gets hacked, and someone steals all this data about you.
But I’m absolutely staggered by the popup disclaimer you have to accept on entering the site (I’ve added the bold emphasis):
You are about to access a Department of Homeland Security computer system. This computer system and data therein are property of the U.S. Government and provided for official U.S. Government information and use. There is no expectation of privacy when you use this computer system. The use of a password or any other security measure does not establish an expectation of privacy. By using this system, you consent to the terms set forth in this notice. You may not process classified national security information on this computer system. Access to this system is restricted to authorized users only. Unauthorized access, use, or modification of this system or of data contained herein, or in transit to/from this system, may constitute a violation of section 1030 of title 18 of the U.S. Code and other criminal laws. Anyone who accesses a Federal computer system without authorization or exceeds access authority, or obtains, alters, damages, destroys, or discloses information, or prevents authorized use of information on the computer system, may be subject to penalties, fines or imprisonment. This computer system and any related equipment is subject to monitoring for administrative oversight, law enforcement, criminal investigative purposes, inquiries into alleged wrongdoing or misuse, and to ensure proper performance of applicable security features and procedures. DHS may conduct monitoring activities without further notice.
So I have to give up significant amounts of personal data, and have no ‘expectation of privacy’. Makes me think twice about whether going to the US is even worth it.
- Jan 05, 09
- "The image was made to demonstrate an application protected by opensso. The application is divided in three parts, the first one is available for everyone (non authenticated users). The second part, the secure area, is available only for users authenticated in OpenSSO, and members of group employee. And finally, only users authenticated by certificates and member of group employee can access to the very secure area."
- Dec 31, 08
I’ve just finished reading The Lucifer Effect. The basic premise is “how good people can become evil” – how honest, morally upstanding people can be induced to conduct immoral, illegal acts.
The first half of the book describes the 1971 Stanford Prison Experiment (SPE), in which the author, Philip Zimbardo, took a group of US college students and created a mock prison, aiming to study the effects of stress and anonymity. After a series of psychometric tests, ‘normal’ students were randomly allocated the role of prisoner or guard, with the intention of analysing their behaviour over two weeks.
In less than a week, two of the ‘prisoners’ left the study suffering extreme stress – effectively a breakdown – and the guards were becoming increasingly sadistic, forcing prisoners to perform ever more devious punishments. The experiment was terminated after 6 days.
Following the early termination of the experiment, Zimbardo conducted extensive post-mortem analysis with both prisoners and guards, and also of his own team. He highlights how even external observers (for example the parents of the ‘prisoners’) became absorbed in the ‘game’ of the prison, instantly forgetting that it was all an experiment and the participants were free to leave at any time.
Zimbardo uses the second half of the book to compare the SPE to the abuses of Iraqi prisoners in Abu Ghraib, made famous by the degrading photographs taken by Military Police officers and shown around the world. Initially this seems quite a leap, comparing a group of relatively passive, middle-class students to trained, hardened soldiers in the battlefield, but the concepts are surprisingly similar.
Despite public assertions from senior US military figures (indeed as far as Donald Rumsfeld and Dick Cheney) that these were just ‘bad apples’ in an otherwise well-oiled military machine, Zimbardo asserts that they were in fact in a ‘bad barrel’ – significantly over-stretched, fearful of their own lives and living in squalid conditions, MPs with little training of how to look after prisoners are expected to maintain order, with little guidance on how to achieve it.
Beyond this, there was seemingly a strong carry-over from Guantanamo, where ‘high value’ prisoners were routinely tortured. CIA officials operated anonymously along-side the military in the Iraqi prisons, outside of military rules and thus giving conflicting sets of behaviour for the soldiers to follow. Staggeringly, it seems a lot of this interrogation was carried out not by military intelligence, but by contracted-out US companies like CACI. This ‘interrogation’ extended as far as using ‘fake menstrual blood’ that was wiped across the faces of Muslims, followed by the denial of cleaning facilities, to make them feel dirty and question their faith, so as to weaken them to retrieve information.
The analysis of Iraqi abuses highlights the ‘evil of inaction’, wherein observers do little to discourage or prevent morally objectionable behaviour, and how this can then encourage conditions to worsen. Examples are cited where soldiers expect to be rebuked by their senior officers, or for comment to be passed, and in its absence, assume tacit acceptance of the behaviour as ‘the norm’.
In the final chapter Zimbardo describes ‘hero’ behaviour, citing a number of examples of individuals who rally against ‘the system’. He notes that often in such severe situations, it can take just a small amount of effort ‘at the coalface’ to change people’s perceptions of acceptable behaviour. He also gives pointers on how to avoid being absorbed into such situations (obviously on a different scale!) by being conscious of the dynamics of a situation. He makes interesting references to the NASA Challenger Shuttle Disaster, caused technically by the failure of an O-Ring washer, but widely recognised to be caused by various organisational failures within both NASA and the manufacturer Morton Thiokol.
In all, a fascinating book. Its reference section runs to some 31 pages, so I can’t hope to cite all the examples I’ve mentioned, but Zimbardo seems to have found good claim and counter-claim examples in many cases, lending some authority to his argument. Highly recommended.
- Dec 30, 08
- "Our policy of torture was directly and swiftly recruiting fighters for al-Qaeda in Iraq. The large majority of suicide bombings in Iraq are still carried out by these foreigners. They are also involved in most of the attacks on U.S. and coalition forces in Iraq. It's no exaggeration to say that at least half of our losses and casualties in that country have come at the hands of foreigners who joined the fray because of our program of detainee abuse. "
I've almost finished reading a book about US abuses of prisoners in Iraq – this is further evidence that their policy of beating the hell out of people is, unsurprisingly, making these people angry… Angry enough to fly a plane into a tower, perhaps.
- Flaws in MD5 could allow 'real' certificates that look to be issued by a CA who still uses MD5.
- Dec 29, 08
- US officials completely ignored the clearly labelled components of gunpowder, because they were in small, clear baggies.
- Dec 28, 08
- Great message from Muji, except it's all Flash so can't be cut/pasted.
- Dec 28, 08
I’m not sure why I dislike the term ‘New Year’s resolutions’, and I’m not sure I like the idea of putting these personal goals on the web for all to see – mostly because I don’t think people will be interested. That said, I figure if I post them here, I’ll feel more pressured into actually achieving them.
So, here goes, in no particular order.
- Exercise more – to lose 1 stone by my skiing holiday at the end of March
- Read more – at least all the books I got for Christmas
- Write more – I’d like to keep up the blog
- See friends more – especially those who live far away
- Cook more – related to being healthy, but to try and find more interesting things to eat, away from the routine
- See & do more – theatre, galleries, etc.; generally taking more advantage of living in London
- Dec 24, 08
- Practical tips on how to avoid people committing fraud with your cards. As noted at the end of the article it's a shame that the system wasn't better designed so as to avoid the need, but there you go.
- He's a very smart man… Given I'm fairly anti-religion, somewhat of a surprise to agree with a lot of what he said.
- Dec 23, 08
- Internet filtering plan may extend to peer-to-peer traffic, says Stephen Conroy | News | News.com.auCrazy australians.
- It's already the coolest boardgame… Now it's actually *cool*
- Dec 21, 08
- Hand-me-down jackets and bags from Howies. Great to see a manufacturer producing high-quality items design to be handed down and reused, with styles that are meant to be 'timeless'. I quite want the jacket.
- Nice last.fm mashup
- Great google mashup showing volumes of US imported oil – I already knew, but to see on a map how little difference drilling in Alaska makes highlights how wrong it is.
- Handy prefpane that disables the suspend-to-disk, meaning your mac sleeps instantly. You lose the ability to pull the battery out of a sleeping laptop though.
- Dec 16, 08
- Stunning online database – a very friendly and functional UI hiding what appears to be an impressively powerful and flexible application.
- Good overview of how SSO works, and how to configure a simple example of OpenSSO.
- Might come in useful one day
- Useful, alongside the PCTools password generator
- Dec 14, 08
- A search I've often attempted, and yet never found a good answer.
- Fascinating – on-site paper recycling for your office. On a par with sending paper out for recycling.
- Microsoft writing for the iPhone, whodathunkit?
- Dec 13, 08
For some time I’ve been taking monthly meter readings of my gas and electricity bill – I started a little over a year ago when we moved into our new house. The new house is quite a lot bigger than our old flat, so I was concerned that the bills would be a lot more… Also, I’m keen on doing my bit to become more efficient.
This graph shows 4-weekly gas & electricity readings, divided by the number of days between readings, to give an average daily reading. The most striking is our gas usage. Obviously usage declined as the weather got better, but we had a condensing combination boiler installed to replace a 20 year old conventional one at the end of May.
Following the boiler install, our gas usage dropped to basically zero – helped in part by three weeks in the summer when we had our new kitchen installed, so the only use was hot water. Since the weather’s got colder again and we’ve had the heating on, you can still see a significant difference to our gas usage.
For electricity, we’re obviously using less than we were last year. We’ve been consciously trying to be more efficient – I’ve been gradually replacing light bulbs with CFLs, and trying to turn things off when not in use. I’m hoping that getting a Current Cost meter (or hopefully an Onzo) will trigger some further change in behaviour.
I also sold my car in the summer, and instead rely on Streetcar. This is saving me a lot of money, but also is an environmental benefit to a degree. There’s the debatable benefit of reselling my car theoretically avoiding someone else buying a new one, but also the fact that it’s encouraged me to think twice before driving.
What’s next? I’ve noticed our loft insulation isn’t up to much, and there’s a big hole where our cold water tank used to be, so I’m thinking of installing some Thermafleece.
I’d really like to double glaze all our windows, but large double-glazed sash windows don’t come cheap, so I think the best I’ll manage is to install draught strips around the doors and windows.
Any additional suggestions welcome!
- Dec 10, 08
- This service 'deep dials' businesses to avoid you having to navigate push-button hell. Looks really cool, I hope it makes it to the UK!
- Novel idea for waste collection & recycling
- Nov 30, 08
I started Saturday morning huddled with an old friend and one of his colleagues in an Imperial College corridor, wondering what I’d let myself in for. I usually spend most of my time in meetings debating the minutiae of corporate security policy, and relatively little doing ‘academic’ thinking, so coming to an event designed to encourage open debate on emerging technologies with a bunch of self-professed geeks was an interesting departure.
I’d come to HomeCamp, an unconference on home automation and energy efficiency. Despite being initially sceptical, I’ve spent much of the weekend mulling over the day, which consisted of a number of sessions that behaved more like one big group discussion.
There were a number of topics that stood out for me.
Data Gathering and Visualisation
The basic assumption of much of the discussion was that people need to understand their consumption, and this is achieved through monitoring devices. Ideally, you’d monitor the usage of every device consuming power in your home (of course minimising the energy used to do so!). Andy Stanford-Clark gave a great talk on his automated, twittering home – with lots about his Current Cost meter, and impressive use of the IBM message brokers that he’s developed, to gather data from everywhere… Even down to his mouse traps!
In reality, I believe the average (non-geek) user needs an easy way to capture this data and see it represented. I had a great chat with Ben from Onzo, who look to be producing some nicely designed hardware and have already done a deal with a major electricity supplier to distribute these to customers. I’m looking forward to finding out more about their products.
I’d hoped that someone from AlertMe might be there too – I’ve followed their security products with interest, and was recently excited to see they’ll be expanding into energy products. A logical step given their network of Zigbee sensors, and low-powered, always-on base station.
Behaviour Change – Demand Shifting, Demand Reduction
Having gathered the data, you need to do things with it. Firstly, smart meters (or better, smart appliances) will allow your utility company to communicate with your devices in order to smooth the demand curve, and operate at cheaper times. This is important given the inefficiencies that result from our varied demand, which results in power stations that have to start up at short notice, or run at less than 50% capacity. Tom Taylor wrote a good overview post on dynamic demand, based on what he learned yesterday.
I’d never really thought too much about “Economy 7″ and how it came about, beyond my grandad running his dishwasher on a timeswitch so it started at 2am to save him money. If this concept were extended into much more advanced variable pricing to encourage us to smooth the power demand curve, electricity could be generated much more efficiently, reducing costs and pollution – but also allowing use of more ‘variable’ renewables, like wind.
In addition to smoothing the curve, there’s clearly an incentive for us to all use less power, full stop. Dan Hill eloquently describes a concept for visualising this sort of data, and this sort of concept was discussed at length at Home Camp.
Of note, there was a debate on how to encourage people to act – between the simple financial savings and leveraging peer pressure to encourage reductions in consumption. There were some great suggestions around something like ‘Xbox Achievement points’ for challenges, or using Facebook, etc., to give context to your consumption. What’s the best way for me to show my friends I pay £50 for electricity a month, and my fridge represents 6% of that, for example? Could we reward people for being the ‘biggest loser’ somehow, for making tangible changes to consumption rather than just advertising cheap CFL lightbulbs and hoping for the best?
I’d love my electricity bill to give me that context. Don’t just tell me I need to pay £50 a month, tell me that other similar-sized houses with a working couple pay £75 a month, and that I could reduce my bill to £40 by getting a smarter fridge that switched itself off whilst the rest of the country made tea after Eastenders.
For businesses, we got to hear about Pachube (pronounced patch-oo-bay, I think), a startup service enabling people to capture real-time data and aggregate/share it. It’s designed for any sort of data from anywhere, but we talked a lot about companies (or even cities) submitting building data (lighting, heating) which can be reused. A fascinating example showed Pachube data being fed into SketchUp for visualisation – not far from Dan Hill’s idea of hovering sparklines of consumption data above buildings.
In summary, then, it was a great day. I learned about a lot of new technologies, and new ways to apply existing ones to help us reduce energy consumption. It was a good start to what will no doubt be a successful series of events in the future. I’ve have had Home Camp thoughts running around my head all weekend – to the point that I think it’s reaffirmed my belief that I’d like to take a career in this field when a suitable opportunity arises, nudged even further by a recent post by a friend. Thanks to Chris Dalby for organising, and I look forward to the next Home Camp in March. Until then, I’m hoping to spend more time thinking about these topics, and ideally writing about them here.
For other people’s perspectives on the day, take a look at the wiki, the Friend Feed, or follow #homecamp or #homecamp08 on Twitter.
-
Posts
- Jan 25, 12
Mmm tasty... Pork, the surprise remedy for a nosebleed | The Guardian
- Jan 25, 12
RT @321CtrlShift: RT @iallow Google announces changes to #privacy policy
- Jan 22, 12
RT @ossij: "Logout failed. You need to be logged in to log out. Please log in to log out." #virheilmoitukset
- Jan 21, 12
Funny and serious in equal measure: Grindr Hack Leaves Hundreds of Thousands Exposed
- Jan 16, 12
Hmm. Smart meters, £££ and data: new IdealGov post
- Jan 15, 12
Essex police officers resign after sharing personal data from police database. Not good. (Warning: Daily Mail)
- Jan 14, 12
White House against #SOPA, This is good. (via @gruber)
- Jan 13, 12
This is awful. RT: @monkchips: Google, what were you thinking? ← Mocality Kenya words fail me. :-(
- Jan 11, 12
RT @rodolfor: RT @cstross: Facebook outs teenage gay man, destroying his life, via behavioural advertising:
- Jan 10, 12
Thats shocking: RT @harrym: I'd like to talk to someone who's really pissed off/worried about this.
- Jan 05, 12
Start 2012 by Taking 2 Minutes to Clean Your Apps Permissions via @aviche
- Jan 01, 12
finished It's Not Me, It's You by Jon Richardson #Kindle
- Dec 29, 11
@thegareth Crucial M4 256Gb - £293.
- Dec 28, 11
RT @LanceCottrell: The FDA Quietly Delivers a Christmas Present to the Meat Industry via @zite
- Dec 27, 11
RT @mikko: "Siri, I'm bleeding really bad, can you call me an ambulance?"
- Dec 25, 11
Let's play Words With Friends. My username is 'rolyatn'. #GamesWithFriends
- Dec 24, 11
RT @marxculture: Nabaztag robotic rabbits rise from the ashes at midnight -- Engadget
- Dec 23, 11
@imaginaryreview *cough* two children?
- Dec 22, 11
Looks interesting... -- HBO Films: Game Change via @youtube
- Dec 13, 11
Thats quite special! - RT @JoeBaguley: It doesn't get much more geeky than this -
- Dec 05, 11
Excellent post and discussion about challenges of the 'long tail' of government content over at @pubstrat's blog
- Dec 05, 11
First "IdealGov" post in months: my Aug note to Francis Maude: Note HMG has just done the "What not to do" bit.
- Dec 03, 11
RT @AndrewBloch: The awkward moment when the Daily Mail forgets that Fatima Whitbread is a woman...
- Dec 02, 11
RT @tomwarren: SHOCKING PORNOGRAPHY IN WAITROSE via @twitpic
- Nov 22, 11
I'm at Old Trafford for Benfica vs. Manchester United (Sir Matt Busby Way, Trafford) w/ 17 others
- Nov 09, 11
@brad_tumy If you know of people struggling, I'd be happy to talk to them about ours :) ...
- Nov 01, 11
RT @mikko: Remember; it could happen if you don't forward that chain letter:
- Nov 01, 11
If you're a developer and you're curious about @GovUK and you like pubs come to this
- Oct 31, 11
RT @glynmoody: The unavoidable truths about GovIT – by Cabinet Office official - at last it is being said... #uk
- Oct 19, 11
Trying bespoke coffee delivery... via @eightpointnine
- Oct 15, 11
RT @teksquisite: With iOS 5 You’ll Be Stalked Like Never Before
- Oct 15, 11
Clever, yet privacy invading. To use it or not...
- Sep 25, 11
UPDATE @js4all has identified a security problem with a certain version of OpenSSH which prints out the command (including parameters!) in the debug when connecting. To work around this problem instead of using the secret above, pass through an identifier and then put the security key inside the script and perform a lookup there.
- Sep 17, 11
@Antonn21 You thought of XBMC on your atv, that should play with the nas nicely -
- Sep 17, 11
RT @JoeBaguley: Simple, but clever innovation - solar bottle! -
- Sep 07, 11
In case there was any doubt, Google's definitely evil - lying about Android being 'open', and generally screwing people:
- Sep 03, 11
RT @NishantK: If you run an #IAM program, keep an eye on thse 7 crucial Identity & Access Management metrics - #SCUI ...
- Aug 31, 11
Nice! RT @urbanshepherd @jeffblankenburg:Ordered pizza from @pizzahut. They followed my instructions perfectly.Awesome.
- Aug 28, 11
Fascinating graphic / article on banks' borrowing during the crisis: via @BloombergNews
- Aug 24, 11
RT @KimZetter: Nokia-Siemens Spy Tools Aid Police Torture in Bahrain -
- Aug 17, 11
RT @TheMediaTweets: It's been THREE WEEKS since Diana was on the front of the Express... Fear not she's back tomorrow...
- Aug 12, 11
