Monthly Archives: June 2009

SaaS provisioning

Jackson Shaw makes the point that the last thing most enterprises need to take on is provisioning their SaaS identities when they are still struggling with their internal identities:

We have a standard called “Services Provisioning Markup Language” (SPML) which was specified to help provision identities via a web service. Does your SaaS vendor support that standard? I’ll bet they do not! What do you do then? I’ve met with hundreds of customers over the years and many are still struggling with provisioning inside the enterprise! Throw in SaaS provisioning – via some hairbrained interface because the vendor doesn’t support SPML – and it only adds to the organization’s identity management complexity.

Of course having an SPML capability in a SaaS is not going to be much help if the enterprise doesn’t have a provisioning system in place with SPML support. SPML support is not widely available in provisioning systems (although there are a few that have it out of the box).

Ashraf Motiwala echoes the point and adds that enterprises are going to want to leverage not only their internal provisioning systems, but also their workflow and role management systems:

Recreating a workflow engine, role management, delegation, etc. in the cloud seems to just create redundancy for these capabilities, especially for organizations that have already dropped a few dollars to deploy an IdM solution on premise. Why would I drop my existing investment here? (Perhaps there is a compelling case, but I just don’t see it.) I would much rather find a solution that proxies the SPML requests from my existing provisioning solution that handles all the complexities (or “hairbrained interfaces”) for the SaaS apps on the backend!

The upshot is that SaaS vendors should be rolling out SPML interfaces to their services. But just like with the traditional enterprise software vendors, they most likely won’t do it until the customers demand it. Until it becomes a selection criterion it probably won’t happen.

Keeping the world safe from comic books

Can the TSA really detain someone just for carrying a manuscript? Apparently so:

Sable wrote of his experiences: ‘Flying from Los Angeles to New York for a signing at Jim Hanley’s Universe Wednesday (May 13th), I was flagged at the gate for ‘extra screening’. I was subjected to not one, but two invasive searches of my person and belongings. TSA agents then ‘discovered’ the script for Unthinkable #3. They sat and read the script while I stood there, without any personal items, identification or ticket, which had all been confiscated.’

‘The minute I saw the faces of the agents, I knew I was in trouble. The first page of the Unthinkable script mentioned 9/11, terror plots, and the fact that the (fictional) world had become a police state. The TSA agents then proceeded to interrogate me, having a hard time understanding that a comic book could be about anything other than superheroes, let alone that anyone actually wrote scripts for comics.’

Yeah, this is really helping.

Knife fight

As sure as night follows day, when you give petty bureaucrats the authority to regulate something, they will inevitably try to expand their powers and ban more things. The Obama administration wants to ban more kinds of knives:

Hunters, whittlers and Boy Scouts, beware – your knives may soon be on the government’s chopping block.

The Obama administration wants to expand the 50-year-old ban on importing “switchblades” to include folding knives that can be opened with one hand, stirring fears the government may be on the path to outlawing most pocket knives.

Critics, including U.S. knife manufacturers and collectors, the National Rifle Association, sportsmen’s groups and a bipartisan group of lawmakers on Capitol Hill, say the rule change proposed by Customs and Border Protection (CBP) would rewrite U.S. law defining what constitutes a switchblade and potentially make de facto criminals of the estimated 35 million Americans who use folding knives.

“Boy Scout knives, Swiss Army knives – the most basic of knives can be opened one-handed if you know what you are doing,” said Doug Ritter, executive director of Knife Rights, an advocacy group fighting to defeat the measure.

“The outrage is gaining steam,” he said.

This is a silly and pointless fight to take on. Banning more types of knives will not increase public safety. In fact there is really no justification for banning traditional switchblades. If anything we should be getting rid of these knife regulations, not expanding them.

I teach knife safety for both Cub Scouts and Boy Scouts. Any knife can be dangerous when not wielded safely. How it opens is irrelevant except for the consideration that the harder a knife is to open or close the more likely you are to hurt yourself with it.

Privacy Salience

This is an interesting story about a study of the economics of privacy in social networking:

The most interesting story we found though was how sites consistently hid any mention of privacy, until we visited the privacy policies where they provided paid privacy seals and strong reassurances about how important privacy is. We developed a novel economic explanation for this: sites appear to craft two different messages for two different populations. Most users care about privacy but don’t think about it in day-to-day life. Sites take care to avoid mentioning privacy to them, because even mentioning privacy positively will cause them to be more cautious about sharing data. This phenomenon is known as “privacy salience” and it makes sites tread very carefully around privacy, because users must be comfortable sharing data for the site to be fun. Instead of mentioning privacy, new users are shown a huge sample of other users posting fun pictures, which encourages them to share as well. For privacy fundamentalists who go looking for privacy by reading the privacy policy, though, it is important to drum up privacy re-assurance.

Personally, social networking sites concern me less from a privacy standpoint than institutions such as the government and financial institutions. I follow the rule that sites can’t disclose what they don’t know. I simply won’t voluntarily give any site personal information that I want to be kept private. If they ask for it, I just make stuff up. Unfortunately that is usually not an option when dealing with financial or government institutions.

I guess that makes me a privacy fundamentalist.

The FTC has too much time on their hands

Apparently the FTC has too much time on their hands according to this AP article:

Savvy consumers often go online for independent consumer reviews of products and services, scouring through comments from everyday Joes and Janes to help them find a gem or shun a lemon.

What some fail to realize, though, is that such reviews can be tainted: Many bloggers have accepted perks such as free laptops, trips to Europe, $500 gift cards or even thousands of dollars for a 200-word post. Bloggers vary in how they disclose such freebies, if they do so at all.

The practice has grown to the degree that the Federal Trade Commission is paying attention. New guidelines, expected to be approved late this summer with possible modifications, would clarify that the agency can go after bloggers — as well as the companies that compensate them — for any false claims or failure to disclose conflicts of interest.

It would be the first time the FTC tries to patrol systematically what bloggers say and do online. The common practice of posting a graphical ad or a link to an online retailer — and getting commissions for any sales from it — would be enough to trigger oversight.

So if Kim Cameron praises Cardspace in his blog, does that trigger an FTC inquiry? I mean we all know he works for Microsoft but does he have to put a disclaimer in each posting? Or is once on the main page enough?

What makes this all the more silly is that tonight ABC will run an hour-long infomercial for Obama’s nationalized health care, the cost of which the administration estimates to be more than 1.5 trillion dollars (and we all know it will never be that cheap). How come the FTC isn’t investigating that?

Oh wait, I forgot who runs the FTC now.

Dude, where’s my scan?

Apparently the CLEAR program is defunct. As with any identity effort this raises the question about what happens to the data, especially biometric data, if the service provider goes out of business.

Kevin Kampman wants to know what happens to his data:

I am not surprised by CLEAR’s failure, but it raises other serious questions: Who gets custody of the background data that’s been collected over the life of the program? Will that data be archived or destroyed? Will another company or agency take over? (CLEAR’s privacy policy doesn’t seem to directly address the issue of what a successor entity can and can’t do with the data that’s been collected). Finally, what are TSA’s plans for this contingency? The TSA website currently doesn’t say anything about CLEAR’s termination.

Jackson Shaw wants to know what happened to his scans:

Now my question is: What happens to those digital fingerprints and retinal scans they took? Checking their privacy policy reveals this interesting tidbit:

…a copy of your biometric information (but not your name) is retained by the Transportation Security Clearinghouse to prevent fraudulent enrollments under alternate identities.

So, the TSA has my biometric information but not my name in order to prevent fraudulent enrollments under alternate identities? Hmmm, does that mean that the TSA has my biometric information but not my name but does have my social security number? Otherwise, how would they prevent fraudulent enrollments?

Yet one more reason not to use biometric authentication.

Hell’s dumpster

In the Pipeline is my favorite chemistry blog. He has a regular series called “Things I won’t work with” in which he describes chemicals so dangerous that even he (as a professional chemist) won’t allow them in his lab. In his most recent installment he describes a chemical so foul smelling that it made his forbidden list on that basis alone. Here he names Hell’s Dumpster:

My recent entries in this category have, for the most part, been hazardous in a direct (not to say crude, or even vulgar) manner. These are compounds that explode with bizarre violence even in laughably small amounts, leaving ruined equipment and shattered nerves in their wake. No, I will not work with such.

But today’s compound makes no noise and leaves no wreckage. It merely stinks. But it does so relentlessly and unbearably. It makes innocent downwind pedestrians stagger, clutch their stomachs, and flee in terror. It reeks to a degree that makes people suspect evil supernatural forces. It is thioacetone.

Or something close to it, anyway. All we know for sure is that thioacetone doesn’t like to exist as a free compound – it’s usually tied up in a cyclic thioketal trimer, when it’s around at all. Attempts to crack this to thioacetone monomer itself have been made – ah, but that’s when people start diving out of windows and vomiting into wastebaskets, so the quality of the data starts to deteriorate. No one’s quite sure what the actual odorant is (perhaps the gem-dimercaptan?) And no one seems to have much desire to find out, either.

Interesting research for some brave and olfactorily challenged soul.

If you haven’t read the rest of the things in the list, you should. It’s especially frightening to know there is a chemical that sets sand on fire and eats through asbestos fire brick.