Sea of Troubles

➞ User-centric Identity – the Ethernet of Identity Protocols?

Dave Kearns at KuppingerCole draws a parallel between ethernet and identity federation protocols, arguing that identity is improving by leaps and bounds, much as ethernet had to. He goes on to argue that OpenID Connect is a phoenix rising from the ashes of the now-defunct or siloed federation protocols that marked the first generation of “user-centric identity”.

I hadn’t, however, seen user-centric identity linked as closely with enterprise mobility and the cloud model:

It’s no longer called “User-centric” identity. Today’s term is “Consumer Identity” and it’s part of the movement called the “Consumerization of IT” (CoIT), which has evolved from the Bring Your Own Device (BYOD) movement.

➞ The Devaluation of Everything: The Perils of Panflation

The Economist this week has an excellent Leader on inflation beyond price.

Take the grossly underreported problem of “size inflation”, where clothes of any particular labelled size have steadily expanded over time. Estimates by The Economist suggest that the average British size 14 pair of women’s trousers is now more than four inches wider at the waist than it was in the 1970s. In other words, today’s size 14 is really what used to be labelled a size 18; a size 10 is really a size 14.

They go on to discuss the same effect in hotel rooms and ratings, frequent-flyer miles, academic grades and job titles.

Related is the tendency for grocery producers to release “new look packaging” that reduces the size of the contents while keeping the price the same, hoping that nobody notices. This price inflation by stealth seems an insidious force, slowly taking over one’s supermarket.

➞ Hotel Wifi JavaScript Injection

It seems that some hotels are actively altering web pages served over their guest internet connections. Justin Watt noticed that there was something weird on his personal blog when browsing through hotel WiFi; after checking a couple of other blogs, he concluded:

Somewhere between the internet and my computer, someone [was] injecting JavaScript into EVERY SINGLE PAGE I LOAD.

I found a utility that unpacks packed JavaScript, and it only took a quick skim of advnads20.js (over 1900 lines reformatted) to estimate that its primary purpose is ad injection/takeover.

It seems as though the code was injected deliberately, by a device disturbingly named the Revenue eXtraction Gateway (RXG), made by RG Nets; see Justin’s blog for more details.

This is very disturbing from a security perspective. To an attacker, this RXG device is a perfect target; if you could add a hook to a drive-by kit (e.g. this week’s hot topic: the Flashback malware attacking OS X), you could target every user on that network. This device is, by design, a man-in-the-middle rewriting attack.

John Gruber’s observation:

Yet another reason to bring your own 3G or LTE hotspot with you when you travel.

I couldn’t agree more. If you can’t, look for other alternatives — like a corporate VPN, an SSH port forward (use -D) to a trusted host (e.g. EC2 or Linode) — and use SSL as much as possible.

Let’s hope the wireless carriers don’t feel the need to install these devices into their networks.

(ᔥ New York Times and Daring Fireball)
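A defender's check for the kind of rewriting described above, added here as an example (it is not code from Justin's post or from RG Nets): it lists every script a page loaded whose origin is neither the page's own nor on an allowlist, which is exactly the trace a gateway that injects the same script into every page leaves behind. The sample page URL and script list are constructed; the allowlist is one you would fill with your site's known CDNs.

```javascript
// List scripts whose origin is neither the page's own nor on an allowlist of
// expected third parties. Injection by an on-path device shows up as the same
// foreign origin appearing on every page of every site you visit.
function foreignScripts(pageUrl, scriptSrcs, expected = []) {
  const pageOrigin = new URL(pageUrl).origin;
  const allowed = new Set([pageOrigin, ...expected]);
  const suspects = [];
  for (const src of scriptSrcs) {
    if (!src) continue;                      // inline scripts have no src; not covered here
    let origin;
    try {
      origin = new URL(src, pageUrl).origin; // resolve relative srcs against the page
    } catch (e) {
      suspects.push({ src, origin: null, reason: "unparseable src" });
      continue;
    }
    if (!allowed.has(origin)) {
      suspects.push({ src, origin, reason: "unexpected origin" });
    }
  }
  return suspects;
}

// Browser-only wrapper: run this in the console of a page loaded over hotel WiFi.
// It is not called at load time, so the file also runs outside a browser.
function auditCurrentPage(expected = []) {
  const srcs = Array.from(document.scripts).map((s) => s.src);
  return foreignScripts(location.href, srcs, expected);
}

// Constructed sample: a blog page as it might arrive after an on-path rewrite.
// The injected script name follows the post; the host is made up.
const SAMPLE_PAGE = "http://blog.example.org/post/1";
const SAMPLE_SCRIPTS = [
  "/js/theme.js",                            // same origin: fine
  "https://cdn.example.net/jquery.min.js",   // known CDN: allowlisted
  "http://ads.gateway.example/advnads20.js", // neither: flagged
  "",                                        // inline script: skipped
];
const SAMPLE_ALLOWLIST = ["https://cdn.example.net"];
```

Pages fetched over HTTPS cannot be rewritten this way without a certificate warning, which is the concrete reason behind the advice above to use SSL wherever possible.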

➞ Make a Linked List With Octopress

This post, by Jonathan Poritsky, is a really useful set of hints about how to build a linkblog — a la Daring Fireball and many others — using Octopress.

Regular posts feature unadorned headlines while link posts are denoted by an additional glyph at the end of the headline. […] The headlines of all link posts go to another site, both in your web browser and in your RSS application. They also feature a permalink at the bottom of the post so you can always find a way to get back to my site, which usually features commentary of some lasting value (I hope).

QR Code Bookmarklet

I often find that I’m reading something right before I need to leave, and need a quick way to get the thing I’m reading to my phone. Traditionally, I did that by sending an email to myself; about 10% of my inbox is little notes to myself, many of which I never read again.

Google’s Chrome to Phone solved this problem when I was reading it in Chrome and wanted to send it to my Nexus, but didn’t help if I was using Safari, Firefox or (shudder) IE6 at work, or if I wanted to read it on my iPhone or iPad.

For a while, I used services like bit.ly or goo.gl to create shorter URLs that were easy to copy manually, but that’s still tedious. Usefully, if you add ‘.qr’ to the end of a goo.gl short link, it will give you the QR code for that URL.

Later, I bumped into the Google Chart API, and its QR Code functionality. That gave me an idea: a bookmarklet that generates a QR code for the current URL, so that you can quickly scan it into your phone. Here it is:

➞QR

Drag it into your menubar, and enjoy.
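An added example of such a bookmarklet, not the one linked above: it builds the chart URL for the current page, refusing anything that is not an http(s) URL, and wraps the overlay code as a javascript: link. The endpoint and parameter names follow the Google Chart API QR format the post refers to; that image-charts service has since been retired, so treat the endpoint as an assumption to swap for a current generator.

```javascript
// Chart endpoint and parameter names as in the Google Chart API QR format the
// post mentions; assumed here, and swappable for any generator that accepts the
// target URL as a query parameter.
const CHART_ENDPOINT = "https://chart.googleapis.com/chart";

// Build the QR image URL for a page URL. encodeURIComponent stops '?', '&' and
// '#' inside the page URL from being read as separate chart parameters, and only
// http(s) URLs are accepted so a javascript: or data: page never becomes a code
// that a phone will scan and open.
function qrImageUrl(pageUrl, size = 300) {
  if (typeof pageUrl !== "string" || !/^https?:\/\//i.test(pageUrl)) {
    throw new Error("only http(s) URLs are encoded");
  }
  if (pageUrl.length > 2000) {
    throw new Error("URL too long to scan reliably");
  }
  const params = ["cht=qr", "chs=" + size + "x" + size, "chl=" + encodeURIComponent(pageUrl)];
  return CHART_ENDPOINT + "?" + params.join("&");
}

// The bookmarklet body: overlay the QR image on the current page; click to dismiss.
function showQrOverlay(size = 300) {
  const img = document.createElement("img");
  img.src = qrImageUrl(location.href, size);
  img.alt = "QR code for " + location.href;
  img.style.cssText = "position:fixed;top:10px;right:10px;z-index:2147483647;" +
    "background:#fff;padding:8px;border:1px solid #888;cursor:pointer";
  img.addEventListener("click", () => img.remove());
  document.body.appendChild(img);
}

// Wrap the constant and both functions into one javascript: URL, flattened to a
// single line, to paste in as the bookmark's address.
function bookmarkletHref(size = 300) {
  const body = "var CHART_ENDPOINT=" + JSON.stringify(CHART_ENDPOINT) + ";" +
    qrImageUrl.toString() + ";" + showQrOverlay.toString() + ";" +
    "showQrOverlay(" + size + ");";
  return "javascript:(function(){" + body.replace(/\s*\n\s*/g, " ") + "})();";
}
```

Note that the current URL is sent to the chart service, so do not use this on pages whose URLs carry session tokens or other secrets.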

Interesting, but unrelated, if you need to use your Google account from a computer you don’t trust, you can evade keyloggers by visiting Google’s QR code login system from your smartphone.

A Week With the Galaxy Nexus

About six months ago, I noticed that we were making lots of decisions at work about the Android ecosystem, without having the benefit of lots of first-hand experience. In particular, I was making decisions about the security characteristics of the platform based on documentation, rather than having used one for more than a few moments. So, I bought the Nexus S on Vodafone.

Carrying it for a few months, I learnt a lot about how Android works in real use, and about the security functionality built into the platform. It was an interesting device, with a lot of promise, but it was never compelling enough for me to give up my iPhone; I found that it increasingly spent most of its time in my bag rather than in my pocket.

Android on the Nexus S felt like it was frozen in time; the development effort in the platform seemed to be going into Honeycomb, and as a phone user I was locked out of that innovation. When Ice Cream Sandwich and the Galaxy Nexus were announced, I was tired of waiting.

So, about a week ago, I bought the new Galaxy Nexus. In the time since, I’ve been using it as my primary phone wherever possible. When at home, I’ve left my iPhone on my desk and carried the Galaxy Nexus.

Moving Off WordPress

I’ve left WordPress.

A few years ago, this blog was hosted on a linode, using pyblosxom. Pyblosxom was a wonderfully elegant solution — it converted plain text files into HTML using a Python CGI script, without the need for anything more complex. The downside of Pyblosxom was that running CGI scripts has always been pretty ugly; all that messing around with different directories for CGI and static content, permissions, runtimes. Urgh. Comments were a mess, at the time nearly impossible to configure securely.

➞ Stevey’s Google Platforms Rant

This is a brilliant post by an ex-Amazon current-Googler about the differences between the companies. It touches eloquently on the lessons learned from doing serious SOA at scale, based on Amazon’s experiences. There’s a sideline in corporate cultures too, with some terrifying stories about the culture at Amazon. He criticises Google for a lack of understanding of platforms and “universal services” and makes a strong case for them.

It also includes this gem, which made me smile:

I’ll argue that Accessibility is actually more important than Security because dialing Accessibility to zero means you have no product at all, whereas dialing Security to zero can still get you a reasonably successful product such as the Playstation Network.

All up, a very interesting read.

via Stevey’s Google Platforms Rant.

➞ the Economist on Consumerisation

This week’s edition of The Economist has an excellent Special Report on Personal Technology.

One of the articles, IT’s Arab spring, looks at how the consumerisation of IT is affecting technology departments in large companies. In particular, the challenges that adopting consumer-centric technologies can cause for support (as a result of a much more diverse device fleet which changes rapidly) and security.

In it, this line made me smile:

[A study by IDC] accused internal tech teams of frequently using security concerns as a “figleaf” to justify keeping tight control of decisions about which devices workers may and may not use.

One of the biggest challenges in my role is that we often hear that a good idea was killed because someone said “Security will never let you do that”. Quite often, we would, and sometimes we would go out of our way to support the initiative. It’s usually the case that the idea was atypical or difficult; instead of expending (significant) effort on exploring how it might be made to work, they look for the quickest way to shut it down, which often means either “security” or cost. Changing that culture (and ours) will probably take a long time.

Android’s Value-control Challenge.

Google has invested much in Android, dumping in huge volumes of engineering, design and marketing effort. They did this in reasonable expectation of future benefit, in the form largely of mobile advertising revenue and commission on app sales. They receive an ancillary benefit through ensuring that the web remains open on (at least some) mobile devices, making it harder for competitors’ platforms to freeze them out.

The primary weakness in this model is that people can take all the work Google’s done (here’s the recipe), replace Google’s apps and sell it.