Sunday, May 13, 2007

You just have to weep

Some people don't like "attack blogging". Some people don't like "swear blogging". I don't like this.

We are now assuming that, despite the beguiling illiteracy and the ad-hominem attacks, this is a spoof site. If it is, then stop it. Really, really not funny. If it isn't, and you are genuinely supporters of Terry and Rayleen, then I don't think you are really doing them any favours. Regardless, I honestly pity you.

S-E

Saturday, May 12, 2007

Hope for some, No regrets for me.

I was listening to an interesting interview / puff piece on Radio Jockland, regarding the recent sale of Weir Pumps, upon whose products my life has depended, from time to time, from Weir Group to Clyde Blowers. They were speaking to Jim McColl, Scottish entrepreneur and Chief Exec of Clyde Blowers.

Congratulations to him, the rest of the CB team and for the 600 or so jobs the radio said would be saved. Interestingly, the Weir Group site says 400. Still, regardless, it is good news for Glasgow and Scotland and I hope they build a thriving business and many more jobs.

However, it would be difficult for me to cry much for the Weir Pumps Building in Cathcart, icon though it may be for Victorian Glasgow's industrial heritage. I understand, from the radio, that the site will be turned into housing.

So, there needs to be a competition to find the new world title holder for "worst commercial hot beverages". For many years this title has been proudly held in Weir Pumps, often by interlopers: the Scottish Power IT dept, then Calanais / SAIC, then Scottish Power again and, finally, by Weirs themselves. Coffee like radioactive sludge, but without the flavour and without any redeeming caffeine. Tea like dirty dishwater without the bubbles. Truly horrendous stuff - so bad that a previous MD I worked for actually put his hand in his pocket to buy us something real after a visit.

Not something, I hasten to add, that I suggest Mr McColl, who appears to be rather successful, takes up.

S-E

More random thinking

While brushing my teeth.

The level of control shown when car driving in the Middle East is notoriously appalling. Why? Is there a simple explanation? Probably not, but ...

This may be completely barking but horses are spectacularly dumb, donkeys better and camels, reputedly, quite intelligent. Somebody controlling a horse has to keep {cough} a tight rein on it most of the time. Somebody in charge of a camel is, more or less, better leaving it to do its own thing with a bit of encouragement along the haste axis, from time to time.

Assuming that requirements for control of more-or-less historical transport animals generate a cultural attitude to mobility which can be subsequently linked to motor vehicles (both big assumptions), you can see how, despite this, you might get a different approach to maintaining control of your transport.

Of course, this doesn't explain Italian driving, but nothing much does. As the title says, random thinking.

S-E

Tuesday, May 08, 2007

Security Screams for the morning

Firstly, Radio Scotland was discussing the new proximity debit & credit cards - where transactions up to £10 can be done without necessarily going through the full transaction authorisation process (i.e. no docking, no pin entry). To deter fraud, there will be both a limit on the number of transactions that can be conducted without authorisation (and, I believe, this will be stored on the card. That may well lead to the possibility of a card cloning situation where the fraudulent card is programmed to always answer "first transaction" when asked how many non-auth there have been, so some degree of back-end recording and audit will be necessary), and there will also be a random selection of transactions for on-line authentication. Enough, what caused the scream. Well, according to the expert from the regulatory board of APACS, these cards are continually broadcasting an encrypted subset of your card data.

Err, no. For a start that would have the "microwaves are rotting the brains of our children" crowd up in arms. Never mind that many people normally keep cards in or around their trouser pockets. Anybody else remember "Radhaz is Dadhaz"? What the cards actually do is take power from a proximity reader, via inductive power transfer, and then act in a transponder type "challenge - response" manner. So if you either never go near a terminal or use one of these, your card is unlikely to activate.

Not that that is a defence against fraud, particularly, because a fraudster can create a base station (or use one acquired as, or posing as, a legitimate merchant). And criminals are unlikely to obey restrictions on transmission levels for unlicenced radio devices ... Still we'll see what Ben or Ross, or their mates, manage to come up with.

The other scream - am typing this on a kiosk terminal. When I logged in it complains that Blogger's SSL cert is "not yet valid". Date is set to 25 July 2003. Because it is a kiosk, I can't change the date so had to keep clicking through. Do you wonder why punters ignore computer warning messages?

S-E

Monday, May 07, 2007

Today's Scotsman's "Opinion" Cartoon

Pretty much says it all. Page 20 in dead tree and only available online through the £30 premium subscription. :( Probably here, if you've paid up.

For those that haven't and either can't or won't, it shows a Returning Officer announcing the real election winners - a bunch of avaricious and smirking bewigged advocates. I wonder when we will see that doughty champion of everything dodgy in Scottish public affairs, D Findlay QC, make his appearance?

S-E

A Bank Holiday Challenge

While posting a comment on the Devil's site, I thought of a new phrase, later rejected as not adding to the debate in that context, to describe that appalling waste of time and money, the Scottish Parliament.

We have had "Parliament of Fools" for some years now, and I came up with "onanist orgy". Even a mere four days after the election, Cromwell's exhortation (paraphrased) also seems appropriate:
“You have been sat too long here for any good you have been doing. Depart, I say, and let us have done with you. In the name of God, go!.”

In the vain hope that one or two may be reading this and have time to think, how would you best disparage the bunch of numpties that claim to govern us? Feel free to have a go at the chimp enclosure as well as the chimps, if you see fit.

S-E

Sunday, May 06, 2007

Identity Pyramid, Slicing, reprise

I can only apologise for the general lack of a coherent message in my earlier post. I'll try again?

Why a pyramid? Well, at the top (or the bottom if you feel that identity in the digital domain is a hideously unstable and precariously balanced monster about to come crashing down on the poor denizens of e-wherever), we putatively have a means of identity that reliably proves you are who you claim to be, and, unless you are a mendacious statist control freak, there would only be an occasional requirement for this. At the other end (whichever you have chosen it to be) there is a regular and bulk requirement for non-identity (or minimal identity) tokens such as bus and event tickets (and the UV stamps night-clubs {used?} to mark you with so you could get back in without paying twice).

Why slicing? Because every organisation or system will have a variety of requirements for identification, verification & provisioning - this will require, if it is properly thought through (which it rarely, if ever, is), different levels of identity proof at different times.

We currently do not have, and I do not suspect we ever will, an effective strong identity solution, although government issued (or just backed) biometric solutions come somewhere vaguely near. (One reason that they will never come close is the inevitable weakness, or even corruption, at the point of issue. Aside from the general inability of governments everywhere, but particularly in the UK, to make complex technology projects function.) And any lower (or higher) layer solution that relies on some form of stronger ID at the point of initial issue will inherit the weaknesses of that identity solution (i.e. if I open a bank account with a fake passport, you cannot rely on my credit card as providing any form of identity guarantee. Not that you should any way - all you, or anybody else, should be relying on my credit card for is that the issuing bank will pay you. This is, in essence but slightly different form, the problem with the US SSN - an identifier being used outwith its design scope. Even if the designers got the security and practicality compromises properly matched, your misuse or abuse of the system introduces new vulnerabilities or just increases the attack surface.)

Another problem with strong identity systems is that the cost of implementing them even partially correctly is so high that, in order to justify the expenditure, they are evangelised into processes that don't need anything like that level of proof or, in fact, do not need any personal identification at all. And if the personal identification data is retained, stored and data-mined, you have just breezed in to what might be an egregious privacy breach.

Weak identity systems can be very effective. Take the purchase of alcohol. Does the vendor need to know your name? But have you ever seen a proof-of-age system which didn't have the kid's name on the card? A card with your photo, some anti-counterfeiting measures (and remember that the most likely attacker here is not some highly sophisticated criminal gang, it is a 16 year-old bloke) and "Over 18" or "Over 21" on it would actually be more than sufficient. And, of course, you can replace the photo with any other verification technology: signature (although, for some people, that could divulge your name), fingerprint, iris verification, DNA scan etc. All without your name on the card. (Ed notes: Of course, if you don't consider the criminal gang or other well-funded attacker, you will get dark side or, at least, significantly grey businesses churning out forged copies of your Boozer-Card TM by the bucket-load and flogging them online to the alcohol deprived but adolescent. :)

The message I am trying to get across, however ineptly, is that proper consideration needs to be given to the actual identification requirements within any system. If this doesn't happen at the outset, fraudulent abuse, waste of resource and breach of privacy are inevitable consequences of poorly designed identity processes - no matter how competent the specific implementation may be.

S-E

I suppose I should be proud ...

To be a "digital narcissist". Some pompous cretin has just been on Radio 4 denouncing blogging as the end of culture and destroying the economy because we have the temerity not to be paid for it. Or for the few of us who are, not very much.

I believe this flag waver of the fossilised pre-digital arena blogs here. I mean, we all know that Americans stereo-typically don't get irony but you do have to laugh.

Apparently, the mere existence of blogs and other self generated content is killing book publishing, Hollywood, newspapers, the music industry and baby seals. (Yes, I made the last one up.) This, as well as because we don't demand a wage, is because most of us aren't actually too good at writing and are "unable to devote our full resources to it." Seeing the quality of output (whether you agree with the world view or not) of some of the blogs I read on a daily basis, I wonder what we would actually be able to achieve if it was our full-time job and we were paid. Or looking at this, maybe I shouldn't.

However, if his point is that the general mass of the kultural output of what laughingly passes for American civilisation is so superior to the content of blogs generic, he clearly hasn't been checking much of what is popular. Britney Spears, "gangsta" (c)rap, most movies, etc, etc. I suspect it is a truism that the vast majority of cultural output of any generation will be consigned to be comprehensively ignored by the future well before even the oldest of that generation descends into the pit of Alzheimer's. Most of what is and always has been churned out is bland and eminently forgettable puerile entertainment. We remember Mozart, Bach, Turner and Michelangelo. We don't remember most of their contemporaries. How many of these will still be being read in 10 years, never mind 100? (Although, at the time I checked the link, the 2nd best selling hardback book in America is written by a guy who has been dead for 34 years. I like Tolkien's work and appreciate the presentation work by Christopher but what does that say regarding the quality of the tens of thousands of published living authors? Given my previous comment disparaging the link between achievement and popularity, probably nothing at all.)

The radio commentator then went on to discuss (approvingly) the Tim O'Really blog fascist censorship scandal, introducing it as all Jimmy Wales' idea and him as the "co-founder" of Wikipedia. We, of course, know that, at least in Jimmy's mind, he is the founder of Wikipedia:
((jwales)) So, I am publicly on record as stating, and I am willing to defend and explain at length why, here or elsewhere, that Wikipedia does not have any "co-founder"
((jwales)) Wikipedia has a sole founder

((jwales)) and a disgruntled former employee building himself a nice career on this lie

Which brings me back to irony:



Note the quote from the "disgruntled former employee". (Ed notes: Yes, S-E, being British, was aware that linking to the Wikipedia article about Larry is ironic. It was meant to be. If you are interested in sniggering at self-righteous morons, he also suggests you read this, for example:
19:19, 1 May 2007 D. Vater-Luxembourg (Talk | contribs) (26,532 bytes) (Removing false claim. Jimbo Wales clearly stated he is not "co-founder". Please respect that!) )

Oh, and if somebody sensible like Tim or Fabian is reading, can you have a go at the economics?

Update - from Tim, doing the economist thing:
He is indeed committing a grievous fallacy. Just because we use GDP (which measures paid activity only) as a measure of the economy (principally because it's easy to calculate) no one should be stupid enough to use it as the only measure of either the economy or economic wealth.

Look at his statement the other way around. Consumers now get (some portion) of their media consumption for free, something they previously had to pay for. This makes consumers richer.

Update 2: Fabian now has his own post on Mr Keen's economics.

S-E

PS. I would suggest to Mr Keen that he stays away from London. There are a few people who might be interested in having a less-than-distinguishedly-academic discussion with him about some of his sporting opinions:
"Arsenal is a minor soccer team based in a particularly undistinguished part of North London"

"Arsenal football club -- a subject which is of no interest to the civilized world"

"Like Arsenal football club and its supporters, Arseblog is fuckin' awful."

That is not safe talk, even from California :)

Friday, May 04, 2007

Slicing the Identity Pyramid

Following on from a brief sojourn into topicality, maybe it is time to reconsider what exactly we are trying to do when we talk about identity checks or, more technically, identity assertion and verification (which are two different things, something that regularly eludes the 'biometrics will solve everything' brigade.)

At a very basic level, I am trying to do something that you want some people (of whom I may or may not be a member) but not everybody, to be able to do. Conversely, if you don't want anybody to be able to do it or if everybody can without restriction, identity checking is superfluous.

Let's look at a few examples, and then return to the basics.

Tickets: these often do not have your name on them but increasingly they do. Why? Well, in the case of common or garden train tickets, or even carnets, all the identity provider is interested is in obtaining their revenue. They don't care who you are (because there is minimal economic incentive in their collecting that knowledge and no regulatory insistence that they must) and, even, often don't mind if you share your carnet with a work colleague (as I often do). Where there is a name - for example airlines and sporting or entertainment events - this is because there is a clear incentive for them to link the ticket to a particular claimed identity. There is no real assertion of identity and the only verification / validation is that the token has not been used before.

In the case of the no-frills airlines, this is because their pricing structures are sufficiently obscure and highly variable that it is possible for outsiders to engage in profitable arbitrage. You buy future dated tickets for a busy route, taking advantage of the cheap deals available with sufficient notice and sell these, closer to the date, to somebody with less ability to forward plan. Having a name on the ticket and requiring you to show official ID renders this impractical (hence the large charges for, or forbidding of, changing the name on a booking.) Here the assertion of identity is at the point of ticket purchase (which can easily go wrong, although this example was a date rather than a name error) and the verification is at the presentation of official ID and the comparison of the names.

For venues, whose pricing is often both public and fixed, their motives are more public spirited. They are trying to prevent tickets from both getting into and being resold from the hands of touts. Not to increase their revenue (except possibly in the case of corporate hospitality boxes) but to ensure that real fans can buy tickets at the intended price (I am probably being slightly too kind to them here.)

Let us take a counter-example of retail banking. My bank cares who I am. It wants to know how to accurately credit score me (although past behaviour is not a guarantee of future performance :). It is required, by anti-money laundering legislation and regulation, to recognise the sources of any large money flows in to and out of my accounts. It doesn't, to many people's surprise, care much that my real name is on my bank cards or cheque books (pace the many entertainers with accounts in their stage names.) In fact one of my banks consistently gets my name (inconsistently) wrong. All they care about is that the card securely (for some definition of the word) links me to one or more specific accounts and that they are sure of the identification of that account holder within their risk appetite. This applies just as much to old-fashioned anonymous banking and the new pay-as-you-go debit cards. Here, within the limits of what is possible under the regulatory regimes, all the identity necessary is the cash sum that originally backed the card on issue. As far as cards purchases go, the assertion isn't the name printed on the card, but the account number read from chip or swipe. The PIN (or signature) forms the identity verification - weak, as has been argued in many places but possibly risk-appropriate (at least from the bank's point of view) where the loss is merely financial.

Passports - the government want to know, as closely as practical, who you are but the more-or-less ubiquity of the requirement in the modern lastminute.com world means that they can't charge enough to do a proper job. Hence the counter-signatory on the application and the photographs. You assert your identity on the form and it is validated by your countersignatory. Once issued, of course, you still assert your identity, but it can now be validated by the passport (including printed and digital photographs, signature verification, counter-fraud checks and if you are unlucky, a range of biometrics).

So, back to fundamentals of identity.

Let us assume the philosophical point that we actually have an absolute identity, happily granting that to Monsieur Descartes. However, our assertion of our own personhood, while metaphysically pleasing, is absolutely no use when it comes to real world applications (I may assert that there is a couple of million £ in my bank account - would you believe me?)

Therefore, identity is asserted through the medium of a mutually trusted party. Sometimes, the medium can be extremely weak: the wearing of certain clothing (uniformed police officer or a priest). Sometimes it is asserted through technology - credit cards. Sometimes it is asserted through personal introduction (why would the Scotsman, say, claim one of their commentators is a Professor, if they are not.)

However, the real world aspect of identity is that it relies on different levels of both assertion and granularity for different purposes. This is where schemes like the UK Government's Identity Card fall flat - they have a (designed to be, even if it falls short in practice) strong and individual identity core, which they then want us to use for situations where we need to evidence a much less granular identity. Putting aside the likely success of an extremely large Govt IT project using unproven technology and the hideous statist control-freakery that is the National Identity Register, mere use of the card seems a breach of privacy in many circles.

I would not have objected to having to show an identity document if they had let me vote in person yesterday - voting is both sufficiently important an activity that a significant degree of control is reasonable and one where personation has been rife in the (recent past). On the other hand, why should there be any requirement to prove my actual personal identity to buy goods? All that should be necessary to prove to the vendor is that the financial intermediary will stand for the payment (practically, this may involve me proving my rights to draw on a specific and named account to the intermediary - but not necessarily my identity and not to the merchant.)

In the real world, identity solutions will need to involve differing levels of trust and granularity. They need to be robust against systems and communications failures, user and administrator errors and deliberate attack. The government are not trusted, by individuals and organisations, to get things right with sufficient regularity for them to be the trusted third party (see the chaos in yesterday's voting technology). Retention of widely heterogenous identity systems, including many with little up-front granularity, and minimal linking of back-end databases, is going to be increasingly vital for privacy and the effective functioning of society as the technical ability of the public and private sectors to retain, cross-link and search data increases.

Sorry for the ramble.

S-E

What a pathetic farce

Well folks, regardless of the actual results, yet another brilliant success for electronic voting systems. And this in a system with a fully guaranteed paper trail, as we still used a written ballot.

On waking up, Mrs S-E and I heard the results for one of the Glasgow seats (Shettleston) - the "spoiled ballots" were the third largest poll. Ridiculous. Aberdeen - poll suspended - spoiled ballots greater than (twice?) the putative winning margin . Linlithgow and Livingston - poll suspended - Returning Officer has no confidence in the system. And that is without factoring in all of the issues with the postal votes.

More, from many sources I am sure, about this later. Possibly, and I say this with great hesitation, actually justification for an independent public enquiry - because if we cannot even be sure that our vote was properly counted, what mandate do any of them actually have?

S-E

PS - And a pity to see that Tommy did not make it on the Glasgow Regional list. A conviction politician (as opposed to the many who should be convicted) and one of the characters of Scottish politics. My arithmetic suggests that, even on the votes cast, he would have got in ahead of the Green MSP, Patrick Harvie, if the Solidarity and SSP votes had been combined (11,123 versus 10,759.)

Thursday, May 03, 2007

RBS to issue EMV readers

It was announced yesterday, which I missed, that RBS (and Natwest) will shortly start issuing their EMV readers for online banking. These are not just for start-of-session (or even significant transaction) authentication, but should also help prevent transaction hijacking either by trojans or MITM phishing / pharming /p-whatever-ing web sites.

Assuming I get mine (and I may now be on a black list), I will let you know how the whole process works.

S-E

Have you voted yet?

If you are eligible to vote in today's election, please make sure you make your opinion heard.

You have until 10pm. Vote.

S-E

Wednesday, May 02, 2007

Fuck off, Jowell

From Dizzy. This (and the original article here. The Gruniard. What a fucking surprise.)

Dear M(r)s Secretary of State for Culture, Media & Sport, with the extremely dodgy ex-husband, can I please make this clear? This is not "your-space"; it is not the "British Government's space"; it is not, contrary to your suggestion, "ourspace"; it is not even, with apologies to Dizzy, "my space". This is blogger (or blogspot, or whatever) and it belongs to Google (both my bit and Dizzy's). As long as we don't breach their rules, we can do what ever the fuck we want to, you egregious statist control-freak (and, of course, if Google asks us to cease and desist, we can go elsewhere. The joy of the internet.)

I don't care if Tim O'fucking'Reilly made his abortive puritan attempt to force some sort of Vanilla middle-Americanism on the net (and Jimmy Wales is another control freak of almost Nu-Lab proportions.) He is a private citizen (if, in certain circles, one whose opinions are considered of some weight.) You are an elected servant of the British public. Fuck off out of our lives, our thoughts and our expressions. Go home and weep into your empty house and leave those of us with real lives to get on with them.

You disgust me but, unfortunately, do not surprise me in the slightest. Oh for politicians of reason, sense and honour.

S-E

Of what possible relevance

Despite the Mail on Sunday's insistence, what precisely does Lord Browne's sexuality (or lack of) have import for either the "millions of people who have invested in BP through their pension funds" or "the tens of thousands of employees of BP"? Not that I have ever worked there but I haven't heard that BP is a bastion of homophobic prejudice.

Back to the usual later.

S-E

Tuesday, May 01, 2007

A Storm in an Olympic Teacup?

Never let it be said that even the most obscure British politician is incapable of seriously raising my blood pressure. Step forward Derek Wyatt. Via the Devil, who got it from Bookdrunk who ... (Ed's note: sodding incestuous, isn't it, bloggerdom.)

Shock and horror (1) - commercial organisations sponsor major sporting events for commercial reasons.

Shock and horror (2) - the International Olympic Committee is not entirely free from financial dodginess (or out-right scandal).

Not-really-shock but certainly-horror (3) - Nu-Labour MP utterly clueless.

Well, let me have a little think about this ...

Security for major events is a rather expensive business. As Vicola points out, this often involves paying people relatively small sums of money to wait about endlessly just in case something happens. Frequently and thankfully, nothing does.

Identity verification, a small part of the overall security equation is, in this and many other contexts, about the ability to bypass certain security checks. Let us consider this in the Olympic context - you have officials, competitors, staff and spectators. What sort of identity checking and verification is necessary (or, in the absence of necessity, is actually likely to occur)?

Now, if you are Jacques Rogge, no identity check is going to be necessary. The sheer mass of fawning arse-lickers that will surround you as you are whisked from 5-star hotel to special hospitality box will mean that any mere security person will be shoved so far out of your road that they will be getting a train back from Preston.

As for a competitor - well, I am sure a letter from the Ruritainian Olympic Committee attesting to your prowess in your chosen sport (or, for one of the great Olympians - I am serious, here: the taking part is vital, the fortunes won by the professional sports stars much less so - of the modern era, Equatorial Guinea) will get you your Visa-provided ID card, access to the Olympic village, and a somewhat shorter queue to get into the relevant stadium. You may even get a seat on an LRT mode of conveyance, but I doubt it.

Staff (mere, including security, rather than the exalted officials of the IOC, national Olympic Committees, or sport governing bodies) will probably need to present very little core identification before being issued their Olympic ID Card. Probably proof of eligibility to work in the UK (although where in your typical HR trainee's education fraudulent passport and birth certificate recognition is and what does a Luxembourg national ID card actually look like?) - but does this apply to unpaid volunteers? So you get your Olympic card. What does that prove? Not much, I wouldn't think.

As for the mob who will have shelled out some quite significant moolah for the privilege of attending and will then have had to drag themselves through the fetid swamp that is cross-London travel in the summer ... Nope, don't think this applies. At best, they would be confirming the validity of your ticket (and possibly that you have the same name as on the ticket - although this may be rather difficult given the widely international nature of the event.) No actually identity checks or subsequent verification (e.g. I, who am not, book the ticket as Derek Wyatt, and turn up with fake ID claiming I am a person of that name) takes place.

S-E
 
HTTP Error 403: You are not authorised to access the file "\real_name_and_address.html" on this server.

(c) 'Surreptitious Evil' 2006 - 2017.