Monthly Archives: February 2008

Where I won’t be next week

Next week is DEC2008 and I won’t be there. There are a lot of conferences I won’t be at, but what makes this one different is that I had originally been scheduled to speak there. Unfortunately my change in companies meant that I, regrettably, had to cancel my speaking engagement.


I spoke at the last two and it’s a really great conference. It’s one of the most technical conferences I have ever attended and I hope to be able to make it next year.

HaaS Been

Apparently hackers have thier own eBay sort of site with exploits offered via a SaaS model. According to Finjin:

Here’s how it works: The software uses an eBay-like trading interface to qualify the stolen accounts in terms of the country where the server is located and the Google page ranking of the compromised server. Cybercriminals use the information to set a price for the compromised FTP credentials so they can be resold to other cybercriminals or adjust an attack on more prominent sites. The software also allows cybercriminals to use the FTP credentials to automatically inject HTML IFrame tags into Web pages on the compromised server.

“Software as a service (SaaS) has been evolving for sometime, but until now it has been applied only to legitimate applications. With this new trading application, cybercriminals have an instant ‘solution’ to their ‘problem’ of gaining access to FTP credentials and thus infecting both the legitimate Web sites and its unsuspecting visitors. All of this can be easily achieved with just one push of a button,” said Yuval Ben-Itzhak, CTO of Finjan.

Technically speaking, shouldn’t this be an Exploit as a Service (EaaS). Or perhaps a Hack as a Service (HaaS)?

Still scary stuff.

Electric Fence Learning

Will Rogers once said:

There are three kinds of men: 
            The ones that learn by reading. 
            The few who learn by observation. 
            The rest of them have to touch an electric fence.

Sometimes Microsoft is one of those “Electric Fence Learning” kind of company. Let’s hope they don’t choose that course of action in this case and instead will leave this contained in a lab where it belongs.

Using a worm to spread software patches? The ways that could go wrong are just mind boggling.

Why everything you know about the Metric System is wrong and what it means for Identity Systems

Recently as part of my work with Cub Scouts I had to prepare a lesson on the Metric System. That started me thinking about the myths and misconceptions of the Metric System, why it isn’t used in the United States, and what that all means for Identity Systems.

First let me say I am a big fan of the metric system (I have a MS in Aerospace Engineering). And living in the United States, I almost never use it. And those not contradictory statements. The reason that I never use it is that for my day to day life outside of work it simply offers no advantages to me. When studying engineering in college I used the Metric System almost exclusively. However after going into the software industry I haven’t used it professionally since.

Here are some myths and misconceptions:

Myth #1 – The Metric System is a base10 system which is far superior to base 12 systems. The metric system has been adopted world-wide (except for those crazy stuborn Americans) because of the inherent superiority of base10 mathematics in every day use.

BTW, what time is it where you are? What coordinates does your GPS show? How steep is that incline? Have you ever tried to saw a 1 meter board into 6 even pieces?

The point is while base10 is much better for doing calculations with a calculator, base12 is better for some calculations you need to do in your head. That is because 10 is divisible by only 5 and 2, where as 12 is divisible by 2,3,4, and 6.

Myth #2 – You shouldn’t use the English (Customary) System for technical purposes because the conversion between feet and inches and pound and ounces is much harder than converting between meters and kilometers and liters and milliliters.

When doing technical work you don’t ever need to convert between feet and inches. You really every need to convert between meters and kilometers either. Once you are using scientific notation it doesn’t matter. 10,000 feet is 1x10E6 feet and 10,000 meters is 1x10E6 meters. Neither unit system is easier than the other in scientific notation.

Myth #3 – The Metric System is superior because all units are derived and reproducible from the properties of natures. For instance the Celsius 0 and 100 are freezing and boiling point of water. The meter is derived from a Meridian of the Earth.

While the Metric System was once naturally derivable, it was long ago discovered that physical properties that they originally used vary too much to give an accurate definition.  For a while they where defined against physical models (for instance a certain platinum bar was used to define the meter). That was eventually viewed as too risky. Now all units are defined in purely arbitrary, but reproducible terms.

Myth #4 – The stubborn Americans will eventually convert when enough are “educated sufficiently”. It’s only ignorance that keeps the Americans from converting willingly like the rest of the world.

The Metric System originally became accepted only at gun point. The point of Napoleon’s guns to be exact. The real telling point comes from the Wiki entry:

As of 2007 only three countries, the United States, Liberia, and Myanmar (Burma) had not mandated the metric system upon their populace.

Ah, breathe in the Orwellian goodness of that statement. The Metric System is so superior to other forms of measurement it has been mandated on the people by the force of law. All for their own good of course.

The point is while there is a huge advantage to everyone being on the same system of measurement, the choice of Metric versus Customary is purely an arbitrary choice. Since people make these choices based on personally perceived value combined with a natural resistance to change, most will not willingly convert to a new system without being forced to under threat of punishment. Or put simply:

Change is hard. Inches are easy.

What does all of this have to do with Identity Systems? Change is painful. Like measurement systems, people will make do with their current Identity System (mostly user IDs and passwords), because they understand it and it works sufficient for their day-to-day lives.

Yes, it’s a mess. Yes, it’s not very secure. But it works for most people. They understand it. They are comfortable with it. Most will not switch to an alternative like OpenID or CardSpace unless they see real value. Or put simply:

Change is hard. Passwords are easy.

Three Good Questions

Sometimes questions are more important than facts. Kevin Coleman has this very interesting posting about the increasing incidences of Cyber-Attacks. He lists a bunch of facts that are interesting, but then lists three questions that he thinks all good CSOs should ask themselves every morning when the wake up:

1. What has happened that I don’t know about?
2. What do I need to know that I don’t?
3. Who are my new adversaries today?

Actually the first two are good questions in any area of responsibility.

Cartoon Identity Selectors

I was watching my oldest plan Disney Toon Town, which is an MMOG for young kids. If you are a subscriber you get to have up to 6 six different avatars that you can choose from when entering the game world.

It occurs to me that this is really an identity selector. I have a feeling that Cardspace or other identity selectors will be an easy transition for them when they are ready.

Paul’s Blue Period

Paul Madsen is feeling blue about data portability. See for yourself.