May 22, 2008

Dueling Fingers


Originally uploaded by nklingenstein
The wireless networking may have been problematic, but the human networking was excellent. Spirited argument between friends (see picture) is always great fun.

Posted by Ian at 11:06 AM

May 22, 2008

Beyond Connectivity

No Wi-Fi

I've been at a networking conference this week. If you've sent me mail and I haven't replied, the above indicates why. Normal service will be resumed in a day or so.

Posted by Ian at 7:13 AM in Miscellanea

April 1, 2008

RFC 5241 on Naming Rights in IETF Protocols

Not a bad one this year:

This document proposes a new revenue source for the IETF to support standardization activities: protocol field naming rights, i.e., the association of commercial brands with protocol fields. This memo describes a process for assignment of rights and explores some of the issues associated with the process. Individuals or organizations that wish to purchase naming rights for one or more protocol fields are expected to follow this process.

RFC 5241 for the whole thing.

Posted by Ian at 6:31 PM in Humour

January 23, 2008

UK federation Technical Statistics

I was recently asked to give a presentation to a group of people involved with service delivery for the UK federation. The result is Technical Statistics: What they tell us, and what they don't.

There are some interesting statistics in there (for example, the high degree to which the fairly young JANET Server Certificate Service has already taken off) but the other theme of the talk was that there is an awful lot going on that we probably can't understand without a lot more direct interaction with the membership.

I've also uploaded the slides to slideshare, if you'd like to give that a try.

Posted by Ian at 11:46 AM in Identity

January 9, 2008

McShib Talk on Core Attributes

I gave a presentation to the second meeting of the McShib group last month covering An Identity Provider’s Guide to the Core Attributes (of the UK federation).

I made an audio recording of the presentation. I ran "a bit long" on the day (70 minutes), but once I have edited out the coughing and some of the rambling I'll post a synchronised audio+slides version.

Links referenced during the talk:

Posted by Ian at 12:17 PM in Identity

January 9, 2008

OmniFocus 1.0

After a long public beta program, OmniFocus, OmniGroup's "professional-grade personal task management" application for the Mac, has finally reached its 1.0 milestone. If you're already both a Mac cultist and a Getting Things Done convert, you probably already know this because you're one of the 13,590 people who pre-ordered it.

GTD and OmniFocus won't magically rescue you from being disorganised (they certainly haven't entirely done that for me) but I've found that some of the GTD principles that OmniFocus allows you to implement really do lead to some level of stress reduction:

  • Get everything that's on your mind out of your head and into a trusted system.

  • Plan in terms of small, concrete, actionable steps.

  • Concentrate on the next available action for your current context.

You probably can't plan multi-person mega-projects this way, but that's not what this product is for. If you're trying to hold together a lot of smaller projects, it can be pretty much ideal. There's a 14-day trial available.

Posted by Ian at 10:55 AM in Software

January 4, 2008

Tiger Team

If you're at all interested in physical security as well as computer security (or, alternatively, if you find it interesting to think about security systems as opposed to just components of those systems) a new TV show called Tiger Team might be worth a look.

The idea is pretty self-explanatory if you've heard of the concept of a tiger team elsewhere: this is a "reality" show in which the heroes break real-world security systems using a combination of technology, brass neck and dumpster diving. Rather like Mission: Impossible but without Peter Graves and (so far) without the rubber masks. What's not to like?

Unfortunately, I can't see any evidence that this series will be shown anywhere here in the UK, but you can stream the pilot episode from the cable channel's web site, at least for now. It's interesting to watch the ways in which the target's (fairly good) security fails when approached in the right way, and the presentation isn't too grating even for my sensitive British ears. Some of what you see is obviously re-enactment, but I guess that's "reality" TV for you.

Posted by Ian at 9:39 PM in Security

January 2, 2008

Responsible Behavior

People have observed that this blog can from time to time be characterised as "a nearly impenetrable thicket of geekitude". I can't really argue with that, and I have no intention of making any kind of New Year resolution to "mend my ways".

On the other hand, I do sometimes wonder about rating my posts in terms of a new metric: how many Wikipedia entries would you have to reference to explain this to the man on the Clapham omnibus?

One of my favourite cartoon sites — xkcd.com — also finds the need to peg the MOTCO-meter once in a while. Responsible Behavior is a good example; I have to rate it a four at least:

Never bring tequila to a key-signing party.

Do you agree? More interestingly, what do you think the answer will be in ten years?

Posted by Ian at 6:12 PM in Humour

December 30, 2007

Thawte WoT Notary

[thawte Web of Trust notary seal]

I am now a (very junior) notary in the thawte Web of Trust. An assurance from me is worth 10 points towards the 50 required for a personal e-mail certificate with your own name on it.

More details are available for those who are interested.

Posted by Ian at 7:47 PM in Identity

November 15, 2007

Dual_EC_DRBG Back Door?

Bruce Schneier reports that one of the pseudo-random number generators in the recently released NIST Special Publication 800-90 (.pdf) appears to include something that looks awfully like an intentional back door:

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

It's possible that this is accidental; if it is deliberate, the prime suspects are the NSA, who have been pushing to get this algorithm adopted for some time. So much for the usual outsider's paranoia about how the evil TLA might be compromising our cryptography for their own nefarious ends. That's not the scary part, though; the really scary part is the thought that perhaps that isn't what is going on:

If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

Shumow and Ferguson's presentation (.pdf) is short, and although there are some squiggly letters in it you don't need to understand the mathematics of elliptic curves to follow the argument.

I look forward to seeing how this one plays out.

(Via Schneier on Security.)

Posted by Ian at 2:16 PM in Cryptography