How often do you need to crack something, really?  Once is all you need.

Information Week has this story on Blu-Ray Copy Protection Breached and the response from the BD+ encryption provider has me scratching my head.

“BD+ is a security response system designed to react to security attacks, not prevent them entirely. As part of this system, updated BD+ security code is continuously developed so that BD+ customers obtain ongoing value from the use of this technology.”

First, though I am often a guilty party, I hate sloppy language.  Of course their system isn’t designed to prevent attacks, it should be designed to prevent successful compromise having launched the attack.  Sure, it’s great if you can prevent someone from running at you with a baseball bat, but that’s really hard to do, especially on the open internet (see, sloppy analogy… guilty).  Its really, really important though that the bat and your head don’t meet.  That would count as a successful compromise of your defenses… crunch!
Second, this an admission that the BD+ system was successfully breached and content has been copied against the producer’s / protector’s wishes and therefore likely already a very busy Bittorrent.  So now that Movie X is a freely and widely available digital copy, how’s BD+ going to put the cattle back in the barn?  If someone in the Cryptography Research division of Macrovision can twiddle some algorithmic dials and make all those currently cracked discs become “uncrackable” again (”uncrackable again” is an oxymoron, right?) that will be impressive…

But useless.  The movie is already out there.  It can’t be retrieved, right?  Is Eric Rodli stating that they can make some adjustments and break all the digital copies sitting on all the hard-drives of those Bittorrenting miscreants?  I guess it isn’t beyond the realm of possibility that a copy could have embedded in it some type of “phone home or don’t play” mechanism, but that would be immediately obvious without any need for tweaking back at BD+ headquarters.

If I didn’t think this wasn’t a bunch of hot air, I’d investigate further, but there’s no need.  While very feasible that some algorithmic changes could be made to change how the next batch of Blu-Ray discs are protected and even feasible that currently cracked discs could get re-un-cracked (ouch that hurts to type) given the online nature of Blu-Ray (or is that in the next release when they’ll nearly catch up to HD-DVD technologically?), this is all just a bunch of Quixotic energy being wasted and defended.  This version got cracked, the next version will get cracked and once cracked there “ain’t no going back to re-un-cracked”.
Hey, that has a nice rhyme to it.  Makes it easier to type and say the second time around.

Originally published March 25, 2008

This is the first of what will likely become a series and so categorized as a Rant:

OK, so this is the last example of the day and nothing against Rafe, his post is just the last straw over the last couple days, where I’ve heard that how fast a browser opens really, really matters to the reviewer / commentator.  Seriously?  How often are people opening and closing their browsers that speed of launch is any kind of a measuring stick for the quality of a browser?  The only time I’m launching a browser is at some point after I boot my PC and then never shut down the browser until the PC does so at shutdown.  Nearly everything I do anymore occurs in a browser or is destined to be submitted, emailed, stored, etc. through the browser.  Why close it?

Rant off…

Some rants will be more serious than others.  This one’s not so serious, use your browsers any stupid way you want <grin>.

Originally published March 19, 2008

A friend asked me about IronKey today and my first recollection was that I stopped by their booth last year at RSA. So I initially responded that far as I could remember, it was just another secure USB storage play. But since he was asking, I figured I would revisit it, especially when he mentioned that Bill Harris is currently their Chairman of the board. He was with Intuit, then PayPal, then pAssmark (yes, that’s the proper spelling, where the “p”, like the security is silent) and sits on a variety of boards. Why does that matter? Bill Harris has been involved in a lot of things that run parallel to my own career over the past decade and he’s found lightning-strikes more than once. Me? No lightning yet <grin>.

So like anyone, I started with the web site and it pretty much confirmed my recollection. I read the most recent article from their PR page and it revealed some interesting details. I won’t recap it, you can go read it at your leisure.

Certainly has some nice functionality, but the price is prohibitive even for me, one of the paranoid and willing to pay to resolve my condition. I’m completely happy carrying Roboform2Go around on a much cheaper finger biometric USB. I further protect the Roboform data encrypted with a second-factor key-file setup using TrueCrypt. Though Roboform touts their use of AES for encrypting their data, big deal, the weakness is still the fact they are at base, reliant on a password from which they generate keys. Me, I’m big into true multi-factor security, you know, some combination of:

• Something you know (password / passphrase),
• Something you have (typically a smartcard, but in my case files I use as my TrueCrypt keys on a separate device),
• Something you are (biometric of choice, in my case my fingerprint(s).

So using my finger biometric USB, with TrueCrypt using key-files from another location and of course my Roboform password, I get all three factors. Purchasing Roboform, my biometric USB and free TrueCrypt comes in well under the $149 Ironkey price for their 4GB. The other benefit of my configuration is that for the same dollars spent on Roboform ($40) and TrueCrypt (free) I can do the same thing using all 80GB of my iPod or at least whatever is left over with my podcasts on the iPod. Sure, in this case I only have two factors, not three, but they are still two solid factors such that anyone stealing or finding my iPod would have no ability to get at the encrypted data (remember the files I use as my TrueCrypt keys are not on the iPod itself). Of course, there may not be many others in the general consumer market likely to be aware of the cheaper, more flexible options and how to use them to construct their own secure portable storage.

Of course, IronKey isn’t the only game in town and at their price, I’m not sure the security advantages are going to be obvious to those comparing IronKey to GuardID’s IDVault. If the purchaser is looking for secured surfing I suspect the IDVault will win, but if secure data storage on a portable device is the goal, IronKey all the way. These devices are actually nothing alike, but will Joe Noob at Best Buy rack understand beyond $40 vs. $150? It all comes down to marketing as usual and Bill Harris does know how to do that, so I’m not betting against him and the IronKey team. I’m just not likely to be one of their customers unless their service offering increases in some interesting direction… say, making CardSpace cards portable and still secure such that IronKey serves as my Identity Provider playing with OpenID while also making OpenID secure.

Yeah, that would have my attention and likely my $$.

Hey Bill or Mr. Harris, if you prefer; I’m available to help with that <grin>!

Originally published March 18, 2008

We are well into the era of Web 2.0 with social networking all the rage.  At work, we are using an increasing number of web applications and services.  Consequently, we are spreading around an incredible amount of sensitive information about our families, employers, associates and ourselves.  Amazingly, we have made no real gains in creating an environment where:

• We can assert our own identity with any security or assurance,
• Protect our data from trivial compromise,
• Ascertain the identity of others in “the social network” and consequently,
• Know who to trust at what levels.

What’s the story?  Where are the solutions?  Should I found a start-up to address it?

Do you, dear reader (Hi, Dad!) know of any products or services addressing this to your satisfaction?

P.S.  Wow! about 5 minutes after initially posting this, I ran across this blog entry by Ashish Jain.  Great stuff and cuts to the heart of my point.  Also very troubling as Ashish is quite involved with SignOn.com (Ping Identity related) an OpenID IP.

Originally published March 17, 2008

As I’ve listed in previous posts I’m the proud and mostly happy owner of a Treo 700w with Verizon.  I, like most other gear-heads out there, really can’t help but salivate over the iPhone.  Face it, it’s beautiful and has a fair amount of cool-factor.  But I don’t own one and really have no intention of looking into getting one till at least two things happen:

1. I can get it with a true fast internet connection.  I don’t care if it’s from AT&T or someone else, it needs to be able to allow me to do all the sexy stuff they tout at a much faster speed than AT&T is providing.
2. It has to support all the potential enterprise connectivity I may need in the future.  Sure, right now I’m between jobs and doing everything in Google’s realm, which suits the iPhone perfectly, but it has to be about 95% likely that my next gig will require some kind of Exchange / Outlook / Sharepoint connection.
3. Optional 3rd item I’d like to see as well is a LOT more storage on it and also removable storage.  16GB wouldn’t hold the various podcasts and videocasts I collect in any given week.  Not a gotta have, but sure would be nice to see something with 30GB+

Then there’s the whole Google backed Android thing.  I found this article and Rich Miner’s comments interesting.  So now I’m definitely waiting till late 2008 to see what the competition is going to come out with.  With Motorola, Samsung, HTC and LG all supporting Android, I’m way more inclined to jump on that bandwagon than bother with another niche Apple offering.  Not sure why Apple seems hell-bent on again claiming the best also-ran-product-hardly-anyone-uses (now if that doesn’t start a flame war, nothing will).  Their closed-world approach is what landed them behind the supposedly inferior, hard to use, unfriendly Microsoft.  This time though not only are they going to insist on only their platform, but only a single network provider.

Maybe this time the world is enough different that their strategy will work or perhaps, as I believe, they don’t really want to be the king.  They like being the niche, contrarian, we’re-fightin’-the-man product.  Funny too because everything Apple does is about them being the man.  Who is more of a control freak than Steve Jobs and his minions?  As a consumer, I hope they continue to push the others to greater heights so I can buy the best products and only capitulate to the Jobs-mind if I choose to, not because I have to.

Originally published March 15, 2008

I discussed this over on EYEdentityOnline.com:

G-Archiver Brings Web 2.0 Risks Into Focus

Originally published March 15, 2008

As I mentioned several posts previous, I’ve moved a large bulk of my online life to Google.  One of the reasons I did this was because of Google Apps.  I set up a domain for my family in Google Apps as we are always asking for each others calendar information and various shared contact information.  Seemed like a problem readily solved by a single, centralized locale to do that.  Throw in that everyone can have a personalized family named email address and… sweet! all done.

And actually for those points it has worked as planned.  So far I’ve only got a couple guinea pig test users running on the Google App and in the main, things are going well.  But there are a couple shortcomings.  These shortcomings oddly enough come from the fact that most of the properties we all take for granted as plain ol’ Google and Gmail users (Google for Consumers) aren’t available to Google Apps (Google for Business) users.

So far my test users have been frustrated by trying to tie their new Google Apps accounts into the Maps and Picasa (pictures) features.  Unfortunately when they select these options from the “more” link they are unable to login and access these functions with their Google Apps IDs and have had to keep their original Gmail accounts to use these functions.

I’ve done the same thing and this is why I use my Gmail / Google account as my daily working area.  All my e-mail funnels to that account and I perform my mapping, picture management, Blogger (family blog), etc. functions from there.  I share my calendar using the standard sharing feature in G-Calendar.

So what does the family see as the value of Google Apps going forward?  Well, that’s a good question.  I think the new Sites feature could be useful.  The Pages function could be fun for my nieces and nephews to play with in creating their own web pages and keeping them locked away in a protected viewership area.  And of course, it does get family members the ability to use Gmail with an address that’s more friendly than @gmail.com.

Google would be well served in making sure that Google Apps aren’t gimped relative to the rest of Google’s properties.  I’m really surprised there’s this gap in functionality as Google Apps is marketed as a business offering and we Google proper users feel quite constrained when thrown into the Google Apps world.

This is a comment I posted over at Digital ID World’s blog post on “The Identity Acquisitions Continue“, but since this is something I have been meaning to bring up here and in the interest of being seriously lazy at heart… here ya go.

I believe that whether anyone is ready to admit it yet, the meaning of enterprise IT is changing in the form of evaporation.  More and more services are turning into subscriptions of which the oft-touted Salesforce.com is only one.  It isn’t unusual for even a medium-sized organization to have a dozen or more external service providers and destinations that their employees visit either as pure business applications or other benefits related applications around health-care, 401k plans, etc.  Many of these application relationships to the employee (i.e. user) survive the employer-employee relationship.

Consequently, I believe that over time the idea of an “enterprise log-in” or an “enterprise credential” will disappear.  This won’t happen overnight and probably not even in the next couple of years.  It is coming and I believe the groundwork for it becoming feasible and acceptable from a manageability and security standpoint is being laid by these types of deals along with the recent Microsoft acquisition of Credentica.

Identity is front burner now and combined with the SaaS-dominated world into which we move, will stay front-burner on the development front.  Unfortunately on the delivery front, few seem ready to move forward with innovative credential issuing services for the masses as vendors still focus on “enterprise platforms”.  I guess we’ll have to wait a bit longer till the term “enterprise” gets even dimmer and hard to define any longer.

Originally published March 11, 2008

Identity space continues to stay hot and actually heat up more.  Over the last several months OpenID was in all the news as Yahoo and seemingly the rest of the world jumped on that bandwagon, or at least said they did.

Last week Microsoft announced their acquisition of Credentica and their technology for bolstering their Windows Communication Foundation (WCF) and Cardspace initiatives.  If you missed it, I’m not sure how.  Check out these hits to get caught up.  I guess Kim Cameron was serious when he presented at Digital ID World last fall on “Why Claims Will Change Everything” (PDF / MP3).  I certainly believe Ralf Bendrath when he notes that U-Prove technology does more than just strengthen claims, but certainly a quick review of the material shows pretty clearly that “claims are the thing”.

This is an important event in my mind as it shows that Microsoft is paying attention and taking action.  I know that Kim Cameron is influential in the identity community, but I often wonder if his opinions and thought leadership have much sway in Redmond.  Regardless how much the acquisition cost, it was chump change to MS, but at least it shows me they are looking to take Cardspace somewhere as it currently languishes lonely and unused even on my various PCs.

Now today I see that Ping has picked up Sxip.  Not exactly a surprise there.  This is a good fit and while Sxip has some interesting things going for it, I wasn’t seeing much traction in the marketplace.  Ping has real customers and having the Sxip bits rolled into their already strong offering makes perfect sense.
For me the Credentica acquisition is the more momentous of the two by a long shot, but only if MS rapidly moves to make something demonstrably useful out of it in short order.  As an internet user, I’m interested in getting something useful out of this sooner than later and don’t much care whether MS does it in proprietary mode or not.  However, the vendor and industry participant part of me agrees wholeheartedly with those calling for the U-Prove technology to be put in the public domain asap.

Both announcements for me just show that identity is solidly on the front burner and out of the insider-identity-geek-workshop hot-house (not that their stellar work is done by a long shot).  I wish both moves by both companies and all parties involved success in integrating and introducing new and better products.
Now if you all would just please get together something that I can use to actually make my online life more secure and productive, that would be great.  If you are looking for ideas, contact me.  I have several and just so happen to be between jobs <grin>.

P.S.  This was the most interesting bit I took from the Ping / Sxip PR:

• “Based on customer feedback, Ping Identity will leverage Sxip Access’unique features for SaaS such as batch provisioning, Rich Client support for Salesforce desktop plugins, and deep linking.”
• “As the leader in Identity 2.0 technologies, Sxip was the first to develop identity management solutions for SaaS gorillas such as salesforce.com and Google Apps. Selling Sxip Access to Ping strengthens their offering and allows Sxip to focus on providing users with Internet identity solutions such as Sxipper, making the Internet simpler and safer,”said Dick Hardt, founder and CEO of Sxip Identity.”

Originally published March 11, 2008

Just like the last post, let’s start with some background.  I’m between full-time gigs at the moment as I am blessed to be in the position to resign from my former gig and take some partial downtime while examining where, what to do next.  I state partial downtime as I am still doing some consulting work for my former employer.

My goal is to examine at some depth, all that is going on the Web 2.0 buzz-world and try to separate the wheat from the chaff.  The goal being to find in the wheat what opportunities are there for either putting together a start-up or finding a start-up that found the right opportunity before I did (humility dictates my asserting that this latter is the more likely case).  I figured the best way to do this was to pursue a project I’ve long had in my “rainy day” to do list, put together my own online environment where my public and personal lives could be managed in a unified manner.  My family is relatively online savvy and there’s a lot we could do online to better stay in touch and foster tighter communications as we are flung widely across the U.S..  How to do this and retain privacy while at the same time provide an outlet for the public and professional ramblings, one of which you are now reading?

Given the recent data portability issues arising in the social networking world, I was and remain reluctant to put much, if anything, in the hands of Facebook, MySpace or any of them for that matter.  I want to retain the capability of managing at least two of my online identities, Hahleq and Tim Renshaw, but centralize my communications so I wasn’t having to monitor multiple e-mail accounts.  Last, I wanted to set up something that any family member could participate in that would get them the abilities to blog, share calendars, chat, etc., but without the cost of our all having to subscribe to an Exchange hosting service.

I’ve read a couple things recently where Microsoft is getting ready to rollout their Office Live, or whatever they’re calling it today, service.  The problem was that it wasn’t here yet.  I haven’t revisited the beta version recently, but I’ve got a solid month of organization and construction under my belt and I won’t be looking at remodeling for at least 6 months.

I’d done some playing around with Google Apps and it was indeed available and ready for use.  So I setup up RenshawHome.com in Google Apps where I’ve begun issuing family members accounts so they can have their own @renshawhome.com email address, calendaring with sharing, etc..  I created a home page for RenshawHome.com with pointers to the Google Apps portal page as well as pointers to the various blog pages family members have setup.  Interestingly enough, both my siblings had started blogs on Google’s Blogger.com without any coaching from me.  I also have my private family blog on blogger.com and we all have them set with very strict, private “vetted members only” permissions.

Obviously, I have this blog here at TimRenshaw.com with my public, professional, “real me” email address under that domain.  It however forwards to my Hahleq email address at Gmail.com.  I run this blog with WordPress hosted at a reputable ISP.  Mostly because I wanted to learn more about WordPress and have full control over look and feel, structure, etc. as well as have the flexibility to branch it into various directions over time.

All of this was readily accomplished using Google properties, services and functionality.  I have all my various “real me” and Hahleq email addresses (at least 12 addresses from at least 5 different email providers) funneling to a single gmail account and appropriately filtered, labeled, categorized, blocked, etc..  My father and I are able to view each others calendars.  My communications with my siblings and my nieces and nephews has increased tremendously in just the last couple of weeks.  I’m hoping other family members will catch the buzz and join in the fun.

It took me about 2 days banging around with Google to at least conceptualize that what I wanted to accomplish, could be accomplished.  It took me 3 days with Microsoft to figure out that it was nigh unto impossible to accomplish, let alone as elegantly.  The cool thing is that I’m still discovering fabulous features of my new setup with various Google properties (Google Reader) that are further confirming that I made a great choice between the two parties as they currently stand.

At this point, Microsoft owns my home and travelling operating environment (Windows runs every online device I own), they have my networking, media sharing, backup, disaster recovery (Windows Home Server, Media Connectors, Xbox 360s, Xbox Live) and those are huge things I can’t see anyone taking away from them anytime in the next decade at least.  However, Google owns my online life with regard to communications with the exception of this WordPress installation.  This can be shortened to this over-generalized statement:  Microsoft is how I get there, Google is where I go.

Next, some observations on Google shortcomings.

Originally posted March 7, 2008