Chris' shared items in Google Reader

Can Identity Management really be outsourced?

Ian Yip — Sun, 06 Jul 2008 19:49:31 -0500

I wrote about this a year ago (almost to the day). At the time, I said outsourcing Identity Management (IDM) and its related activities was "a hard sell". Although I was pretty negative on the idea, I didn't say it would never work or that it wasn't a good idea. I just felt like the market wasn't ready for it yet. That said, I still don't think the market is ready for it in an absolute sense, but we're making some baby steps forward.

To summarise that post for those that don't want to read the whole thing:

Outsourcing IDM is like giving away the front door key to your house and letting someone else decide who to let in and what they can do. Something I didn't say at the time was that this implies you are relying on them to tell you what happened while you were out and they can also give out your back door keys without you knowing.
IDM is not about technology. It's about people and business processes. Outsourcing works best when trying to solve technology pains. Not only that, IDM lies at the core of your organisation. Because of this, your organisation NEEDS to own it.
The day when you can comfortably outsource ALL of your IDM-related functions is the day where you are able to hire a bunch of business analysts to model and maintain your internal identity , access, security, audit and compliance related processes in an industry ratified and standardised fashion that can be sent straight to the IDM service while being automated and enforced with immediate effect. And this is ONLY after you can be assured that the sensitive data you are letting out of your environment is adequately protected.

Matt Pollicove, Matt Flynn, Ash Motiwala and Mark MacAuley have been talking about this lately (timeline of posts - Matt P, Matt F, Ash, Matt P, Mark). Ash even quotes my post from last year, specifically where I used a "bake a cake and eat your dog food" analogy (it'll make sense when you read it...I hope).

I'm also reminded about earlier this year when Mark MacAuley, Ian Glazer and Matt Flynn talked about compliance as a service and Dave Rowe added his thoughts on the issue (timeline of posts - Mark, Matt F, Ian G, Ian G, Dave).

I tried to summarise everyone's thoughts but it just got very confusing, so you'll have to read them at your own leisure. Everyone was talking about very similar things but with slight variances on their interpretations of terms and concepts. I think people (myself included) would agree with each other about certain aspects if they could just set a baseline and have a glossary of terms and definitions...and write their posts based on this glossary. That takes time though...and we are writing blogs after all, not whitepapers :-)

There are a bunch of different things in play when we talk about IDM as a discipline and Outsourcing/Managed Services. I won't over-complicate things but at the risk of over-simplifying, I will point out the following:

There is the business, people, process and compliance side of things in IDM.
There is also the IT/technology side of things in IDM.
Managed Services can be on-site or off-site.
Software as a Service (SaaS) is becoming a real option.

I don't think there's going to be much argument when I say that the technology to outsource IDM is there today, whether you want to have an on/off-site model or SaaS (although the SaaS model is not as mature).

If an organisation decides today that they want to do it, there are service providers that have the experience and will give you all the assurances in the world that your data will be protected, all security measures have been taken care of and that they can meet the Service Level Agreements (SLAs) you set for them. Large organisations like IBM, EDS (acquired by HP), Wipro and Infosys (there are others, but I won't bother listing them all) can do it. Smaller ones like Ash's company Identropy can do it. If it's SaaS that you want, the choices are more limited, but Fischer and Symplified come to mind.

The key here is IF an organisation wants to do it. Ash said it himself:

"In my opinion, the reason is more emotional that rational. The market just isn't ready, emotionally, to completely outsource the management of their IdM systems. The whole thing seems so tied to their environment, to their business processes, that handing the management over to a third party just feels wrong."

The first hurdle is always emotional. Once you get beyond that, ask if it's the right thing to do. I still don't think an organisation should outsource it all. An organisation should ALWAYS own the business aspects of their IDM initiatives. Now let's take a look at the technology side of things.

Matt Flynn points out that:

"most companies are already outsourcing IdM – they just do it on a project basis"

He is of course absolutely correct. So from an emotional standpoint, you already have people looking at sensitive data that are not part of the organisation. What's the difference if you formally outsource it to a managed service provider? The difference is mostly psychological. People just don't look at bringing external people or companies in as "outsourcing" so they don't realise that external people already have visible access to their sensitive data (of course, this brings up the issue of data leakage, but let's not complicate the issue any further for now). I should also note that just because it's done today does not make it right. My main objection was to "giving away the keys". If you don't own the solution within the organisation, then that's exactly what you've done.

"Giving the keys away" aside, if the decision's been made to outsource IDM somewhat, the next question is going to be the location. Do you feel comfortable not owning the infrastructure and more importantly, are you comfortable knowing that all your sensitive information is sitting in an environment owned and controlled by another company? Many organisations would not be. That's why it's a hard sell.

Don't think it's a problem having your organisation's data outside of your infrastructure and not on your premises? Then perhaps you can also take the SaaS approach and outsource all of the other painful IT management aspects around trying to manage software deployments and infrastructure. If you're willing to accept the risks associated and "give away the keys", then why not get the SaaS benefits as part of the deal? There are pros and cons in going with SaaS over an off-site Managed Service, but I won't go into them as that's besides the point.

Ash may be onto something when he says:

"I think that the only solution is a pragmatic one, where there is shared management. The customer can still feel "in control", but hand over day to day ops to a third party."

If you read my blog regularly, you'll hopefully get that I'm all for the pragmatic approach to anything. I would modify that statement somewhat. They not only need to feel in control. They really need to be in control and the onus is on the service provider as the subject matter expert to make sure that happens.

He follows up by adding:

"(Customers) get to gradually let go, and initially lean on the service provider as a very knowledgeable augmentation to their staff. Once the comfort level sets in, customers can lean a bit harder, grant "persistent approvals" for break/fix scenarios, and reduce management staff for identity."

The decision to outsource your IDM (whether it's on-site, off-site, SaaS) should not be a big bang approach. It needs to be gradual, and what Ash suggests makes sense if the decision is made.

Ultimately, it boils down to the following:

You must still own it. Never take your hands completely off because then you won't know what's going on if it all falls into a heap or when the auditors come knocking. Matt P's statement sums this up nicely:
"If I were the person in charge of Compliance and Risk management, I'd want to be able to look at the auditors, police/FBI, Upper Management and lawyers after an incident and be able to say exactly what I did to protect my data and not say, "well the hosting company told me they were secure...""
There's a difference between outsourcing the business aspects and the technological aspects. Keep the business aspects (people, process, compliance) internal. If you must outsource, only outsource the technical bits you don't want to have to deal with on a day-to-day basis that will not make any difference to the business no matter how it's done.
The on-site/off-site debate is all about comfort level. How much do you trust your outsourcer with your data? What happens if something happens to the data? Who is accountable? Is this written anywhere in the contract? If you can't answer this question, don't do it.
It's all about the risk you are willing to accept for the amount you have to spend. Perhaps an anonymous commenter to my original post said it best:
"The level of security one intends to achieve would depend on the amount of money one is willing to spend. Some would rest on this judgment alone to give an IdM provider the keys to their gates. I am sitting in chair just like that right now. Security is business driven."

If you read my original post carefully, you'll realise I haven't really changed my stance too much. If anything, I'm perhaps a little less harsh today about why it's a "difficult sell" and have tried to address it from different points of view. I still don't think organisations in general are ready to outsource IDM completely, and they shouldn't. At least not until standards, processes and solutions mature to the point where most of the moving parts are commoditised and better understood. However, I do think the market is better placed to at least start to take a look at outsourced IDM and make informed decisions. The most dangerous thing to do with outsourcing IDM is to jump in the deep end. Take little baby steps, people.

10 Best Hacking and Security Software Tools for Linux

(author unknown) — Thu, 03 Jul 2008 11:50:03 -0500

Linux is a hacker’s dream computer operating system. It supports tons of tools and utilities for cracking passwords, scanning network vulnerabilities, and detecting possible intrusions. I have here a collection of 10 of the best hacking and security software tools for Linux.

Review: Ring2 Conferencing for BlackBerry

Ryan Blundell — Tue, 01 Jul 2008 14:03:03 -0500

It’s time for the monthly sales meeting. As your company has grown across the country, it isn’t easy for everyone to assemble under one roof. This can become quite frustrating. You may find yourself playing elementary school roll call, or dealing with a noisy background from someone who has dialed in. Someone may put the call on hold or even not “show up.” In rare cases, you may even have an ex-employee, who has access, trying to sit in on the call.

There must be another way, something that will help you manage these time wasting and potentially unprofitable circumstances. But perhaps this innovation may cause more headaches; perhaps it’s too complex to be easily harnessed.

Innovation can be simple.

That’s what Michael Hughes at Ring2 instilled in me when he described their outstanding product. With Ring2 Conference Controller, they are the first company to provide an application that will allow your BlackBerry to act like a remote control for your audio conferences.

Ring2 focuses on the “pain points” that matter the most; Access, Visibility, Security and Control. They have won award after award, including a 2006 Entrepreneurial Company Award from Frost & Sullivan and Red Herring’s 100 Europe award for hottest emerging technology in Europe in 2007. This is one application that definitely deserves a glance at, so read to learn more about their Brain Child.

Summertime security: No letup for IT

Ellen Messmer — Thu, 26 Jun 2008 19:00:00 -0500

What ever happened to the lazy days of summer? For IT and security managers in businesses, hospitals and universities across the country, summer is just another season to get things done. Here's a roundup of IT security projects we're hearing about.

BlackBox keeps tabs on time and travel

Simon Sage — Mon, 30 Jun 2008 11:33:15 -0500

BerryVine’s BlackBox launched recently, offering project-based travel tracking. Clock in, track your movement, and clock out. This would make for quick expensing, and can report time just as easily in a variety of file formats. This is definitely a more flexible system than RideCharge, and seems really easy to use. You can grab for € 49,95 over here, or give the trial a shot by downloading BlackBox over the air from bb.berryvine.com.

Filed under News, Software Release | Permalink | No comment | Add to Del.icio.us or Digg

Viper Team militia informant risks life to reclaim identity

(author unknown) — Thu, 26 Jun 2008 06:09:50 -0500

Pappy Andrews wants his identity back. He gave it up more than a decade ago after helping federal agents break up a right-wing militia in Phoenix. Because he had put his life on the line and there were fears the militia or its friends might harm him, the federal government gave him a new identity.

T-Mobile Offering $10 Home Phone Service Starting July 2nd

Ronen Halevy — Tue, 24 Jun 2008 23:31:53 -0500

T-Mobile just let me know that as of July 2^nd they will be offering unlimited home phone service as a $10+tax/fees addon for T-Mobile subscribers . This means that you essentially get an internet phone with its own number for $10 a month. The only catch is that you need to be a T-Mobile customer on a single $39.99+ or family $49.99+ plan to be eligible.

It is still called T-Mobile@Home but now it offers real home service! With the plan you get unlimited nationwide long-distance calling, plus call waiting, caller ID, three-way conferencing, voicemail, call forwarding and other features. You can also port your number and addon services such as ringback tones.

T-Mobile is really undercutting the competition on this one. Vonage is easily charging twice this price. The only downside is you don’t get the normal VOIP features such as voicemail to email.

Keep an eye out on www.t-mobileathome.com for the launch on July 2^nd. Full press release after the jump.

T-Mobile to Launch $10 Home Phone Service

T-Mobile @Home® Service Gives Families Across the Country
Freedom From Their Costly Landline Bills

BELLEVUE, Wash. – June 25, 2008 – T-Mobile USA, Inc. today announced a groundbreaking new home phone service that enables customers to make unlimited nationwide calls from their home phone for just $10 per month*. Beginning July 2, T-Mobile will breathe new life and value into the home phone by launching nationwide T-Mobile @Home®. The service allows customers to keep their home phone number, ditch their high phone bill and save money by adding their home phone line to their T-Mobile service.

According to a 2007 Scarborough Research[1] report, families spend an average of $65 per month on home phone service. However, for just $10 per month, T-Mobile customers can add T-Mobile @Home service to a qualifying T-Mobile wireless plan2 and get unlimited nationwide long-distance calling, plus call waiting, caller ID, three-way conferencing, voicemail, call forwarding and other features. In addition, customers will have the opportunity to use features typically associated with wireless services—for instance, CallerTunes™ (ringback tones)—and port their existing home phone number so family and friends can continue to call them at the same familiar number.

“For years, the traditional landline companies have been great at consistently delivering one thing to their customers—a high monthly bill,” said Robert Dotson, president and CEO, T-Mobile USA. “T-Mobile is now delivering the best priced home phone service in America for our existing and future customers.
In addition, we are not only delivering the traditional features of a landline service, we are also including the innovative features consumers love in their more widely used mobile phones.”

Previously available in two test markets, Dallas and Seattle, T-Mobile @Home has proved to be a great solution for families looking for a way to save money without sacrificing a home phone. According to an internal T-Mobile study in these test markets, virtually all customers (97 percent) who had a traditional landline phone service reported dropping that service since adopting T-Mobile @Home.

To use the service, customers simply need the touch-tone corded or cordless phone they currently use, an existing broadband Internet connection, and the T-Mobile @Home HiPort™ Wireless Router with Home Phone Connection, available from T-Mobile for just $49.99 with a two-year service agreement. T-Mobile @Home is designed to be easy to set up and running in a matter of minutes. “Unlike VoIP, no special phone is required, allowing the family’s center of communications to stay in the kitchen,” Dotson added.

T-Mobile @Home is available exclusively for T-Mobile customers, and will be offered at T-Mobile retail stores nationwide and online at www.t-mobile.com. For more information visit www.tmobileathome.com.

Some answers on Identity enablement

Ian Yip — Mon, 23 Jun 2008 21:05:27 -0500

James McGovern has a habit of posing questions and then naming the people he would like to answer them. This time around, I had the privilege of having my name read out on the roll call. Actually he posted it just before I went on my week-long holiday hence I'm only getting around to it now.

Here are his questions (in blue) and my attempts at some answers (hopefully I don't sound like a complete fool - I'll settle for mildly foolish):

[JM] Protocols:Nowadays, the folks over at the Burton Group such as Bob Blakely, Dan Blum and Gerry Gebel have put together the most wonderful XACML interoperability events. The question that isn't addressed is if I am building an enterprise application from scratch, should I XACML-enabled, think about integrating with STS, stick to traditional LDAP invocation or something else?

[IY] I'm not 100% sure what James is asking and my answer will probably be different if James actually means something other than what I've interpreted it as. I read the question as being once the decision's been made to use XACML, how should one be dealing with authentication? Talking about an STS (I assume James means Security Token Service) vs LDAP refers to 2 different "layers". In reality nowadays, you're ultimately authenticating to a directory of some sort. Usually you do this using the LDAP protocol under the covers. Whether you know this or not depends on the overall design.

Note that using XACML means you are pushing policy definitions around to ultimately get your Policy Enforcement Point to be able to come up with an authorisation decision. When you talk about STS or LDAP, you're typically referring to authentication which ultimately produces some sort of credential for the user within their session. Authentication and authorisation (or entitlements as people seem to like calling it nowadays) are related, but separate things that can be implemented differently as long as there is a point where they interoperate. Usually the most important part is where the authentication mechanism passes the security principal onto the authorisation mechanism so it can make an identity based, access control decision (that is also hopefully fine grained and context aware).

That said, I'm going to ignore the XACML consideration for a moment...

There are a few common approaches to take when writing authentication for applications:
1) Take a service-oriented approach (e.g. SOA or web services)
2) Leverage an API or application programming standard (e.g. JNDI, JAAS)
3) Use the native protocol of the authentication store (e.g. LDAP, SQL)

Option 1 is the most difficult to set up because this type of infrastructure is typically not built in organisations today. But it IS the most extensible option and hides the implementation specifics from every application that needs to perform authentication. Whether the underlying store is a directory, database, file system or even a mainframe does not matter. You also get the benefits served up by leveraging a web service. For example, you just need to know how to format your message (this is actually not a problem if you use a standard as it is usually taken care of by some other service) and where to send your request (via the URI). You obviously also need network connectivity to that location. There are no headaches around what libraries to import, whether your authentication services are co-located with your application or whether you need to go screw around with configuration settings and files because you are actually calling a service that is not located on the same application server as you. Keep in mind that you don't necessarily have to use an STS, although it is probably the best approach today if you're going with a service-oriented design.

Option 2 still leverages standards of sorts. JNDI and JAAS for example are both standards in their own rights. They just happen to be tied into a programming language and platform. This option is probably still easier than option 1 because organisations will more than likely have this infrastructure more or less set up. It's a matter of getting the programmers to code to these standards/APIs and then setting up the application infrastructure to hook into the relevant authentication stores. Again, this is probably already done if you're using a standards-based Application Server (e.g. J2EE). You will however, have configuration files to screw around with and changes to any of the infrastructure will potentially require applications to be modified. You're also tied into the platform somewhat. For example, if you use JNDI you're stuck with Java and the directory under the covers. With a web service, it doesn't really matter what programming language is used or what the authentication store is. You can swap components out without modifying the other loosely coupled pieces. You're supposedly able to do this easily if you code to API standards, but that's rarely true. There's usually re-configuration and some re-writing required.

Option 3 requires intimate knowledge of the protocol or tools required to access the authentication store. If using LDAP, you need to know LDAP query syntax. If using SQL, you have to know how to write SQL queries or stored procedures. It also means you cannot change your authentication stores and schemas without re-writing your applications.

They each have their benefits, but it boils down to the age old discussion around tight coupling vs loose coupling. The looser the coupling of your infrastructure components, the more extensible they are. You lose performance however and it usually takes more effort and time to build a loosely coupled system because of all the design considerations to take into account. (Note: The performance issue is usually one that can be designed around if you have the budget. You put enough redundancy, load balancers and hardware in place and you can usually get something to perform within your service level agreements (SLAs). If your network hops are large, just do a better job of negotiating your SLAs - easier said than done I know).

Option 1 is the loosely coupled approach which should "identity proof" your environment for a longer period of time (notice I didn't say forever). Option 3 is the tightly coupled approach. Option 2 is something in between. The one to pick depends on requirements, time and cost constraints. The choice will be determined by how much of the authentication infrastructure specifics you want to burden your developers with.

Bringing the XACML considerations back into the picture, I would go for option 1. If you're going to take the effort and XACML-enable your applications, why would you "get cheap" and not go with the use of an STS? It also makes everything nice and clean from an application programming standpoint. Developers will only have to worry about using security services. They won't need to remember that for certain security related things, they need to use the web service while for others they have to use the API or go direct to the source over LDAP or SQL.

[JM] Virtual Directories: What role should a virtual directory play in an Identity metasystem? Should virtual directory be a standalone product in the new world and simply be a feature of an STS? If an enterprise were savage in consolidating all directory information into Active Directory, why would I still need virtualization?

[IY] I don't come across too many organisations that use a virtual directory. Maybe it says something about the maturity of their Identity Management infrastructure. Or maybe it means that they don't see the need and are quite happy replicating things using meta-directories and synchronisation.

Leveraging a virtual directory is very much a technology choice and dependent on each organisational environment. If they have lots of identity stores and have a nightmarish amount of information that would take a long time to integrate and synchronise, then a virtual directory makes sense. If an organisation has a fairly small number of stores or their strategy is to leverage a specific central store like Active Directory, then they probably don't. On the flip side, one could argue that the virtual directory could become this "central store".

I'm not for or against virtual directories. I just think there's a time, environment and place for the choice between a virtual directory or a synchronisation solution like a meta-directory. As for using a virtual directory as part of an STS, the argument is very similar to what I've just outlined.

[JM] Entitlements: One missing component of the discussion is authorization and their is somewhat too much focus on identity. Consider the scenario where if you were to ask my boss if I am still an employee, he would say yes as he hasn't fired me yet. Likewise, if you ask him what are all of the wonderful things I can access within the enterprise, he would say that he has no freakin clue, but as soon as you figure it out, please let him know. Honestly, even in my role, there are probably things that I can do but shouldn't otherwise have access to. So, the question becomes how come the identity conversation hasn't talked about any constructs around attestation and authorization?

[IY] People are too busy crapping on about OpenID and CardSpace all the time :-)

Seriously, I think it's got to do with the way things in the identity space evolve. Before you can deal with entitlements and attestation, you need to know who people are and what they can use (i.e. what they can "log into"). It's a very high level approach sure. But that's how organisations typically start looking at the whole issue.

Also, Identity Management is not an easy issue to solve. As a result, it's taken a long time to get around to thinking about authorisation properly. It doesn't mean we will never get there. We just have to be a little more patient. All the GRC initiatives going on around the place are certainly helping. Attestation is usually one of the first things that get addressed in any GRC initiative because it needs to be done to satisfy the regulators and auditors.

Once organisations realise that having a proper authorisation infrastructure in place makes their lives a lot easier from a management and audit perspective AND it'll save them money (instead of having to re-invent the authorisation wheel for every application), they'll start to do something about it.

It's also about evangelism, education and focus. The focus isn't there yet so there's no education. Evangelism comes from the industry as a whole. The large vendors are usually the ones with the marketing clout to get the messages out in a meaningful way. Unfortunately, they chase the dollars. Until recently, there hasn't been sufficient sales revenue or qualified opportunities to justify evangelising authorisation. It's the next cab off the rank I think. We might have to wait a year or 2 for organisations to get through the early phases of their GRC initiatives before authorisation gains real traction.

[JM] Workflow: Have you ever attempted to leave a comment on Kim Cameron blog? You will be annoyed with the registration/workflow aspects. The question this raises in my mind is what identity standards should exist for workflow? There are merits in this scenario for integrating with the OASIS SPML standard, but I can equally see value in considering BPEL as well.

[IY] I don't think there needs to be identity standards for workflow in the traditional sense of technical standards. A generic workflow standard (e.g. BPEL) across all disciplines is good enough and will be better in the long run. Workflows are very dynamic, can get very complex and will be different for each organisation even if they are trying to do similar things. This makes standards tricky. Then there is also workflow from a business standpoint. When technical folk talk standards, they usually mean nuts and bolts (e.g. XML specifications). Those in the business world don't care that a worklow is written in BPEL. They care that they have to write a frigging workflow procedure from scratch. They would probably find some standards around business process definitions useful. It might be prudent of us to define easily extensible procedural workflow templates for Identity business transactions perhaps? Now that would REALLY be something.

[JM] Education: Right now the conversation regarding identity is in the land of geeks and those who are motivated to read specifications. There is a crowd of folks who need things distilled, the readers digest version if you will. Traditionally, this role is served by industry analysts such as Gartner and Forrester. What would it take for this guys to get off their butts and start publishing more thoughtful information in this space?

[IY] I don't think industry analysts are ever going to write a "readers digest" version of anything related to Identity. It doesn't help them make more money from selling reports and holding conferences for specialised groups of people while charging them thousands of dollars each. Unfortunately, I think the fastest way to get simplified Identity education out there is through the marketing dollars of the large vendors. Consulting organisations (including analysts like Gartner and Forrester) will never simplify anything because they need for things to remain (or sound) complex so they can keep charging for their "expertise".

[JM]Conferences: When do folks think that the conversation about identity will occur at other than identity/security conferences? For example, wouldn't it have been wonderful if Billy Cripe, Craig Randall and Laurence Hart where all talking about the identity metasystem in context of ECM?

[IY] Ummm how about never...which is fine by the way. The Identity industry needs to make things so dead simple and ubiquitous that there is no need to talk about it. It should just be there. Therein lies the challenge facing us all today.

iCall: Opportunity or Threat

Steve — Fri, 20 Jun 2008 10:31:00 -0500

A couple weeks ago there was news about a new application for the iPhone called iCall. In the clever video demo below, the founders describe iCall as an application for the iPhone which enables users to make calls for free over any Wi-Fi access point. The video how theiCall application works:

User starts call on GSM
User goes into Wi-Fi
Phone detected/attaches to Wi-Fi
iCall application asks the user if they would like to switch the call to Wi-Fi
Phone switches networks

If it sounds a lot like a UMA-based dual-mode handset service, it is. The only difference between iCall and T-Mobile’s HotSpot @Home service is step 4: User intervention.

So, is this an opportunity or a threat for the mobile operator? (Ed note: UMA Today’s position is always from the viewpoint of the mobile operator, UMA is for mobile operators)

There is a threshold for subscribers between ‘actions’ and ‘cost’. At what point does a user change their actions to save on costs? (Ed note: Here in San Jose, it’s when gas hits $4.60/gallon...)

Will users actually stop a call, press a button, and switch it to Wi-Fi to save money?

Or would users rather have a call that automatically switches to Wi-Fi and saves money? If so, then T-Mobile, Rogers, Orange, Cincinnati Bell, Telia and others already have this covered.

Hack the Jura coffee maker for fun and profit

John Biggs — Thu, 19 Jun 2008 07:38:56 -0500

The Jura F90 has an Internet connectivity kit that allows you to change settings via the Internet. The coolest thing? There’s a huge hole in the software that lets almost anyone login to the coffeemaker and blow out most of the settings, resulting in bad coffee, puddles, and endless service alerts.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service)

The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary service.

The coffeemaker can also allow hackers access to the XP machine its running on. So basically this thing is not just insecure but it can actually piss you off by allowing hackers in before you’ve had your morning coffee.

FAQ: How To Force BIS To Use IMAP For Gmail

Ronen Halevy — Thu, 19 Jun 2008 05:00:23 -0500

If you are like me you will probably enjoy using IMAP for Gmail integration on your BlackBerry. I found that it has better syncronization of deleted and archived messages.

The problem is that the second you put in your email address and password into the BlackBerry Internet Service (BIS) form it automatically chooses to use POP3 and re-enables POP3 on your Gmail account. Pain in the…

So turns out I found this great set of instructions on how to force BIS to use IMAP to access your Gmail account instead of POP3. It might be a tad slower but the added benefits of deleted and filed content sync are worth it.

Check out the detailed instructions at this link on Google Help

BlackBerry Thunder to pack Verizon’s visual voicemail

Simon Sage — Thu, 19 Jun 2008 07:26:26 -0500

Verizon’s been gearing up to launch visual voicemail (a la PhoneTag), and it looks like the upcoming touchscreen BlackBerry, the Thunder, is on the launch list. The visual voicemail service is said to be launching in late July to early August, meaning the Thunder would have to be out if it is in fact one of the “affected devices of the initial launch”. This would back up the earlier rumours of a Q3 launch, as well as give us a heads up on some of the services Verizon customers can look forward to on the new BlackBerry.

(via Engadget)

Filed under News, Rumors | Permalink | No comment | Add to Del.icio.us or Digg

Review: FindMe Application for BlackBerry & Facebook

Ryan Blundell — Wed, 18 Jun 2008 10:14:13 -0500

Calling all Facebook fanatics! Yes you, the one with thousands of friends and yet you can’t even remember the names of half of them. And yes even you, the wallflower who’s waiting to be noticed. You all know about the umptee –million things you can do on Facebook when you’re bored with looking at embarrassing pictures or writings on a wall. Here’s another one to throw at you and your BlackBerry. Let me introduce you to FindMe.

Computer Scientists Scour Your Holiday Photos

CmdrTaco — Wed, 18 Jun 2008 09:00:00 -0500

Barence writes "Hundreds of thousands of images on Flickr are being used to teach a program to determine the geographic location of an image, simply by looking at it. The program attempts to mimic the way that humans can deduce the location of an image by searching for visual clues, such as similarities to pictures or locations they have seen previously. In its current state it can guess the location of a photo to within 200km, 16% of the time — extremely accurate given the complexity of the problem."

Verizon Adds 10 States to 50 MB FiOS Rollout

Associated Press — Tue, 17 Jun 2008 23:53:00 -0500

Verizon customers in 10 more states who have the need for speed get their prayers answered with a FiOS upgrade offering 50 mbps downloads and 20 mbps uploads. Congratulations California, Delaware, Indiana, Maryland, Oregon, Pennsylvania, South Carolina, Texas, Virginia and Washington -- you get the chance to pay $140 a month for internet.

WD's My Book Mirror Edition simplifies redundant storage

Darren Murph — Wed, 18 Jun 2008 10:40:00 -0500

Filed under: Storage

That sound you hear is Western Digital grabbing hold of an udder and not letting go as it continues to milk the My Book brand for every penny it's worth. Today, the outfit is introducing a new line of dual-drive units that come ready to mirror whatever information you shove on 'em. The RAID-based Mirror Edition drives tout USB 2.0 connectivity, RAID 1/0 support, a fanless design, user serviceable enclosure, a capacity gauge and intelligent drive management features including automatic power-up and Safe Shutdown. The external HDDs arrive in RAID 1 (mirrored) mode -- which creates automatic duplicates of your files in case one drive fails -- but RAID 0 (striped) can be configured during setup. Stack your My Book collection even higher right now for $289.99 (1TB) / $549.99 (2TB).

Read | Permalink | Email this | Comments

Indian gov’t to step up to the decoding plate

Simon Sage — Wed, 18 Jun 2008 05:57:58 -0500

Although the Indian government’s ability to only decode 40-bit encryption has caused some serious headaches for RIM and carriers over the last couple of months, it sounds like they’re on the way to being able to handle 256-bit standards. BlackBerry messages go through the pipes at 128-bit, which means if the National Security Advisor follows through, standard service will resume. As for the decoding itself, there’s still a lot of talk about outsourcing to third parties, and it’s presumed that the government wouldn’t raise the encryption bar unless they had some way of getting into transmissions.

(via The Economic Times)

Filed under News | Permalink | 2 comments | Add to Del.icio.us or Digg

The Impact of Low Salaries At Apple

kdawson — Tue, 17 Jun 2008 17:52:00 -0500

orenh writes "Recent data indicate that Apple engineers have significantly lower salaries than their Silicon Valley peers: $89,000 at Apple, versus $105,000 at Yahoo and $112,000 at Google. Paying lower salaries had a major impact on Apple's bottom line when it was struggling in the market up until 2004. But now that Apple is highly profitable, these lower salaries are no longer a factor in Apple's success. Will Apple have to raise salaries to match the market rate, or face defections?"

Depressingly Familiar

jbohren — Tue, 17 Jun 2008 11:42:05 -0500

Dave Kearns recently quoted some vendor numbers on the state of orphaned accounts in enterprises that are pretty scary. It’s not that I don’t believe the numbers. Quite the contrary, they are depressingly familiar. These numbers are very much in line with what I regularly saw at customer deployments when I was at EnableSolutions (later renamed Access360 and then acquired by IBM)… 10 years ago.

That’s really quite staggering when you think about. 10 years, at least a dozen vendors entering the market, and a handful of compliance regulations later the situation with orphaned accounts isn’t any better than where it started.

However I didn’t understand this quote:

Almost all current provisioning software includes modules to de-provision accounts, but that hasn’t always been the case. As I noted in an article about the first identity provisioning application, back in 1999, de-provisioning was in the road map for the second release.

In 1999 I was working on version 4.0 of enRole, an identity provisioning application. And yes, it supported deprovisioning as Dave defines it, and had for several years before then. I am also fairly sure Control-SA (then produced by EagleEye/New Dimension) also supported deprovisioning back then as well.

IntelliGolf Eagle v9.02 Released - Adds GPS Option

Ronen Halevy — Tue, 17 Jun 2008 11:07:02 -0500

IntelliGolf has just added a $10 GPS addon option to their software. I know there are free golf tracking alternatives but IntelliGolf seems to be a full featured product. You can now use your GPS to view distances, track shots, and keep scores. I guess it is pretty much a rangefinder. It even syncs with your desktop and helps you track your bets. It also lets you download scorecards over the air.

From the press release:

IntelliGolf is the only golf software to include all seven S’s of golf: Scoring, Shot tracking, Satellite GPS, Sharing, Sidegames (35+), Statistics (250+), and Signature course (24,000+) scorecards. IntelliGolf is compatible with industry leading GPS-enabled smartphones and receivers. The IntelliGolf software replaces pencil and paper golf scoring, wagering, and statistics gathering on the golf course. Users enter their scores, wagers, and club selection on their handheld/smartphone. IntelliGolf totals all scores, tabulates all wagers, and synchronizes with the included Windows desktop software.

You can pick it up for $49.95 + $10 GPS option (Pricy) at this link

Extending OpenPTK, the User Provisioning Toolkit [del.icio.us]

cravercc — Sun, 20 Apr 2008 07:50:12 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Masoud Kalali recently posted an interesting article about the Open Provisioning ToolKit (OpenPTK), "an open source User Provisioning Toolkit exposing API's, Web Services, HTML Taglibs,

Google Apps hit by session-stealing attack [del.icio.us]

cravercc — Thu, 17 Apr 2008 22:19:41 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** A security researcher has uncovered a serious flaw in Google Spreadsheets, which could give an attacker access to all of a user's Google services. Enterprise IP Goes Mobile Ad

Bruce Schneier's Security Matters: Prediction -- The RSA Conference Will Shrink Like a Punctured Balloon [del.icio.us]

cravercc — Thu, 17 Apr 2008 07:52:02 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** If there's one thing last week's RSA Conference made clear, it's that no one wants to buy security as a stand-alone product.

Fring iPhone Chat/Voip App Launching Today [del.icio.us]

cravercc — Tue, 15 Apr 2008 06:18:35 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Fring, an Israeli startup that has a great VOIP/Chat service for mobile phones, is launching an iPhone version of the service sometime in the next 24 hours, we've heard. This is not

People uneasy with Web sites using personal details: poll [del.icio.us]

cravercc — Fri, 11 Apr 2008 21:03:03 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** TORONTO (Reuters) - Many people are uncomfortable with Web sites customizing content to people's personal profiles, according to a new survey.

GrandCentral, one call to bind them all [del.icio.us]

cravercc — Thu, 10 Apr 2008 07:28:34 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Google's GrandCentral provides free and very powerful call management services.

Chertoff pushes cybersecurity goals (AP) [del.icio.us]

cravercc — Wed, 09 Apr 2008 07:06:57 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** AP - Federal cybersecurity officials are trying to develop an early warning system that alerts authorities to incoming computer attacks targeting critical U.S. infrastructure, Homeland

Foil Identity Thieves [del.icio.us]

cravercc — Tue, 08 Apr 2008 11:31:14 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Find out how to foil identity thieves with Wired.com's How-To Wiki.

RIM Offers Scary Solution To India [del.icio.us]

cravercc — Mon, 07 Apr 2008 11:30:30 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** I have been trying to stay on the sidelines of this whole RIM security issue with India. Personally I originally thought it was a big hoax to get RIM to open a NOC in India to create mo

Wanted: Gordon Brown's fingerprints, £1,000 reward [del.icio.us]

cravercc — Mon, 07 Apr 2008 10:57:12 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more **

Security agencies raise alarm over Blackberry (rediff.com) [del.icio.us]

cravercc — Mon, 07 Apr 2008 07:11:10 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** While the telecom ministry and cellular operators are trying to hammer out differences over the issue, the security agencies have submitted a report to the Union home ministry about the

U.S. Military Building Virtual Strike Capabilities [del.icio.us]

cravercc — Mon, 07 Apr 2008 07:10:27 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** U.S. military officials seeking to boost the nation's network warfare capabilities are looking beyond defending the Internet: They are developing ways to launch virtual attacks on enemi

Microsoft to unveil 'Stirling' at next week's RSA security conference (InfoWorld) [del.icio.us]

cravercc — Thu, 03 Apr 2008 08:20:41 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** InfoWorld - The world's largest security conference will kick off next week in San Francisco with the public unveiling of Microsoft's next-generation of security software, code-named S

State centers tap into personal data: report (Reuters) [del.icio.us]

cravercc — Wed, 02 Apr 2008 07:44:35 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Reuters - Intelligence centers run by U.S. states have access to personal information about millions of Americans, The Washington Post reported on Wednesday.

VCs Adjust to Facing More Competitors for Fewer Companies. [del.icio.us]

cravercc — Wed, 02 Apr 2008 07:40:19 -0500

** Posted using Viigo: Mobile RSS, Sports, Current Events and more ** Venture capitalists are vying against new sources of funding to woo internet startups but have found innovative ways to stay ahead of the competition.