Monthly Archives: March 2010

The TSA will NOT touch your monkey!

For those travel with service monkeys, you can rest assured that the TSA will not touch the monkey during the security screening.

Clearly they never saw the George Romero movie “Monkey Shines”.

Just a bit more complicated than that

Phil Windley posts about Google’s recent moves in China and describes them as a result of conflict between Google’s desired to do what’s right (not censor) and doing what it needs to do to stay in business in one of the largest markets in the world. That’s an interesting take on it, but it doesn’t wash with recent history.

To be clear, Google was fine with doing evil for several years now. The lived with the government restrictions and did business up until recently when they were penetrated (reportedly badly) by hackers that no one seriously believes aren’t at least backed by the Chinese government. Also the decision to buck the government was also made easier by Google’s own lagging competitive position in China.

If the real story ever comes out I’m sure it will be fascinating. Until then I’m not sold on Google’s altruistic motives in this dispute.

Pre-crime and punishment

Reason has this disturbing story about an Oregon man who was taken into custody, had his house searched (without a warrant), had his property taken, and was forced to undergo a mental examination all because there was a suspicion that he might commit a violent crime in the future. He is not suspected of actually committing a crime or of actually threatening anyone, but he was a gun collector who had been place on administrative leave from his job.

Defenders of this policy will likely point out that he was released and his property was returned, so the action is warranted to make sure that he wasn’t a threat to his community. I would note that such defenders are not volunteering to have the SWAT team come to their home, search their house, and haul them to a mental facility in handcuffs.

Living and dying in reputation time

Microsoft has done an interesting study that finds %70 of hr professionals surveyed had rejected applicants due to online reputation. Clearly people need to be more careful about not putting things out there that will hurt their reputation.

But why stop with just hiding the bad? How about accentuating the good? How about inventing the good?

Perhaps there is a great opportunity for a start up that would “puff” people’s online reputations for a small fee. If your prospective employer if browsing your Facebook page, wouldn’t it be great if Reverend Smith was thanking you for your great work you did at the homeless shelter last weekend, or kudos from your kids school for getting their library book fair organized? How about posts from one of your friends about how you helped him move into his new house? A reputation buffing service could plant this kind of reputation to really make you look like the kind of person that employers would want on their team.

Or you could go out and actually do those things… nah, that’s just crazy.

Ghost in the machine?

When the Toyota Sudden Acceleration Syndrome circus was in full swing I had a strong sense of déjà vu. We have been here before. What’s ridiculous is that the obvious answer is staring us in the face and we don’t want to accept it.

All modern cars have brakes that have far more stopping power than their engines can deliver. If you jam both the accelerator and the brake your car will stop (although I don’t recommend actually doing it).

So there are really two explanations here:

1) Some mysterious fault causes the brakes to fail while the accelerator suddenly engages. This fault is both unreproducible under lab conditions and undetectable after the incident.

2) The drivers are stepping on the wrong pedal.

Why is this important to you? The government is talking about require “smart brakes” on all new cars that would cut off the accelerator when depressed.  Some cars apparently already have this feature.

But this won’t do anything to help the driver that is simply pressing the wrong pedal. If required for all cars, it will raise the price of your next car for a feature that you don’t really need.

It’s all about the PEP

Jackson Shaw has this to say about authorization via SAML vs XACML. Jonathan Sander follows up with some very good comments about SAML vs XACML.

I really like XACML. Ideally, it should be much more widely used. But when push comes to shove it’s really all about the policy enforcement point (PEP).

SAML can be an easy (relatively) bridging technology that really doesn’t require significant changes to the back-end systems. All that is needed is to create a SAML end point that receives the authentication and creates an authn token appropriate for the services being authenticated. It may also need to provision identity information, but that’s another discussion. The point is the services can still leverage the same authentication token they used before SAML was added.

XACML, on the other hand, will require changes to services to make the appropriate XACML authz queries. In other words, the service needs to become a PEP.

An alternative approach is to pass SAML attribute assertions during the authentication that are converted to updates to a user attribute store (in a DB table or directory). Those attributes are then used for authorization decisions by the service. The same can be done with role information.

You could argue that ABAC and RBAC are not sufficient. But chances are the service you are trying to federate is already ABAC or RBAC based. That and the fact that SAML will be implemented first, makes  XACML a hard sell.

Assumed consent

According to this Telegraph article, the UK government is rushing ahead with putting all their citizens NHS records into a massive centralized DB. The rush is apparently intended to beat the next election.

Being the UK it should come as no surprise that they are assuming consent unless told otherwise, and aren’t going out of their way to inform the public that it’s happening and that opting out is even possible.