Standards fascinate me. One of the most problematic standard in use almost universally today is the kilogram (kg). The problem is that no one really knows exactly how much mass a kilogram actually has. By extension that means that no one knows how heavy a pound is either since the US government defines it in relationship to the SI kg unit.
Originally the metric system was supposed to be defined in terms of “natural laws” that the common man could measure for himself. The kg was originally defined as a cubic decimeter of water under certain conditions. This is probably what you were taught in school, one of many metric misconceptions (see why everything you know about the metric system is wrong).
But that approach was jettisoned as impractical due to variations in water density, temperature, etc. In 1889 the standard became defined by a set of “physical prototypes” that were manufactured and distributed to major countries. So what was a standard based on “natural laws” became based on an arbitrary hunk of platinum and iridium.
Only that has not worked either (at least not to the number of significant digits desired). The problem is that the different physical prototypes are changing mass by a small but measurable amount. So today there is effectively no precise consistent definition of a kilogram, and thus by extension the pound.
The plan going forwards is to define the kg in terms of basic physical properties, similar to what has been done with the meter and the second. But for now, kg is only an estimate for given levels of precision.
Vittorio Bettocci from Microsoft has a great write up of OAuth 2.0 and how it relates to authentication protocols (but is not one itself). You can read it here.
Just in time for Christmas Samba 4.0 was released. This big news here is Samba 4.0 adds Active Directory Domain Controller emulation, including Kerberos, LDAP, DNS, and a bunch of other services.
While this is an impressive technical achievement, I don’t really see many enterprises adopting it. Samba 4 is fighting against one of the biggest IT pressures, headcount reduction. Most enterprises are now willing to pay more for the license cost of the software if it saves them administrative man hour costs.
So unless Samba 4 is going to be easier to install and maintain than Windows servers, it’s not really going to have an impact. Who knows, maybe it will be that easy. If you have Samba 4 in production drop me a comment and let me know what you think.
Meanwhile, Jackson Shaw is … unimpressed.
Posted in AD, Identity, Kerberos, LDAP, Linux, Open Source, Security, Software
Tagged Active Directory, AD, Kerberos, Open Source, Samba 4
There is an old saying that when you sit down to a poker game if you can’t spot the rube, you’re the rube.
Given the recent news that Instagram has announced that they now have the rights to sell your photos, perhaps that should be good advice for online services. Here is a good hint; if you aren’t paying for a service, then at a minimum you aren’t a “customer”. Oh the service has customers all right, you’re just not in their number.
Update: of course XKCD nails this one better than I ever could.
John Fontana writes about a new idea called People Centric Security. The idea is to loosen enterprise security policies so that security decisions are made by those directly responsible for business area rather than a central security team.
To paraphrase the immortal words of Pogo: We have met the security team and they is us!
For better or worse I think this actually reflects the current state rather than some new idea. For all the work security teams do, users just work around them to do what they need to do.
Who many times have you heard these conversations:
- The mail server blocked your attachment. Can you send it to my gmail account?
- I can’t reach your website. Let me disconnect from the VPN and try again.
- Our machines disallow USB storage devices, but I can upload the files to DropBox.
Your company’s security already depends on your users. They are just pretending it doesn’t.
Last week at TechEd Microsoft disclosed their new Graph API for Windows Azure Active Directory. Graph API is a RESTful web service for accessing the identity system behind Windows Azure and Office365.
This is an interesting development because it will enable Azure and Office365 customers to provision with systems other than FIM. While Graph API is not specifically an identity management API like SPML and SCIM, the capabilities are effectively the same in the context of the Azure environment.
There is a great presentation on this here, including a demo of the soon to be released OptimalIdM support.
It seems strange that there is so little attention being paid to this. It really an important step in cloud identity.
There is an idea that has been kicked around in IdM for years called Security Policy Provisioning. Basically the idea is that you have a system that takes centrally managed security policies and pushes them out to disparate system, the same way provisioning systems manage user accounts. We kicked around the idea of building a Security Policy Provisioning product back at OpenNetwork, but never did. In all honesty I had expected some IdM vendor to have added this feature to their provisioning engine by now, but as far as I know none ever went farther than user role management.
Well Axiomatics has apparently rolled it out in the guise of pushing their XACML policies to Windows Server 2012 to leverage the new authorization features. This is a very neat idea.
Of course after you push out the policies, Windows Server 2012 becomes the PDP as well as the PEP. You could develop a similar solution without using XACML at all.