They say the only constant in life is change, and now indeed is a time of professional change for me. Jan 31st will be my last day working for BMC Software.  This is a big change for me as after nearly a decade of working on Identity Management software, I will now be doing something else.

Although I won’t be working on IdM software anymore, it’s a subject I still find interesting and will continue to blog about. You will still find me lurking at the virtual water cooler at odd hours; it just won’t be here at TalkBMC.

Or at OASIS. I have turned over the chair of the Provisioning Service TC to Kent Spaulding from TTG, who I’m sure will do a great job.

BMC is a great company and the more than 6 years I have worked for BMC and OpenNetwork have been very rewarding. The people I have worked with here are top notch and I wish them all the best.

I would also like to thank Ynema Mangum for getting me started with blogging. She has given me lots of great tips and I have had a great time writing this blog.

I hope you have enjoyed reading it.

Here is an interesting view on how cell phone numbers are becoming the key personal identifier in Australia. From the article:

Most Australians can be identified by their date of birth, driver's licence or tax file number, but a person's mobile phone number is becoming an increasingly important part of their identity.

Queensland University of Technology researcher Dr Christine Satchell believes a person's mobile phone is a type of virtual "home" where they can always be found.
"Changing your phone number is a very alienating thing to do, both for the person and their friends," Dr Satchell said.

"It forms part of a person's digital identity and even though it's just a number, it's very powerful."

The Australian Mobile Phone Lifestyle Index shows most Australians retain their mobile number for about seven years, which is in contrast to other forms of contact.
Research suggests people change their e-mail address on average every six to 12 months, which Dr Satchell believes is linked to unwanted junk mail.

The number that really jumps out at me is email address change every six to 12 months. That seems a little hard to believe. But if it’s true that’s going to be a headache for a lot of services providers that use email addresses for their user’s identifiers.



_____
tags: Identity |  Identity Management |  User Centric

I blogged about User Centric Identity in the Enterprise domain here. Matt Flynn blogs about it here and makes a very good point that I overlooked. I noted that the aspect of User Centric Identity that enterprises are most interested in is user self-service of personal information and credentials.

Matt makes the point that while users may provide this information via Self-Service, the typically can’t control who gets access to it afterwards. Basically the employee has read/write access and an indeterminate number of people have read access. So really the whole thing boils down to a terminology debate. I loathe terminology debates.

Clearly enterprises are not going to let employees control the use of their identity and personal information in general. Just as clearly they want to the employee to be responsible for providing and maintaining that same data.

Call it what you will.



_____
tags: Cardspace |  Federation |  Identity |  Identity Management |  Information Card |  User Centric

In 1950 Alan Turing described what became later known as the Turing Test. The Turing Test, which is a test of one aspect of Artificial Intelligence, involved a person sitting in front of a terminal exchanging in a typed conversation with another party. If the person could not determine if the other party was a person or a bit of software, then that software would have passed the Turing Test.

Of course almost everyone one the web has by now participated in a Reverse Turing Test where a computer tries to distinguish between a human and a computer (the T in CAPTCHA stands for Turing). But AI researchers over the years have failed to create software that can pass the standard Turning Test.

Who knew that the whole approach has been wrong? Instead of grad students and professors toiling away in major research institutions, the problem might instead be solved by Russian hackers looking to rip people off? If this doesn’t describe a piece of software that passes the Turing test, it’s closer than anything else I have heard of so far. Graft is apparent for more effective than research grants.

There are three things makes this really interesting. First, the environment (chat rooms) exactly matches the Teletype mechanism Turing first proposed. Second, the "test subjects" don’t actually know they are participating in a test. Ironically the software developers don’t either. Third, it’s illegal. So if the developers have actually cracked the Turning Test, they will never receive any recognition for it.



_____
tags: AI |  Identity |  Identity Management |  Identity Theft

Nishant Kaushik has this very interesting post about enterprise adoption of User Centric concepts. My experience talking about User Centric with my enterprise customers is quite different from Nishant’s. First almost none of my enterprise customers are interested in Information Cards or OpenID. Most haven’t heard about the concepts yet. But they really want User Centric Identity. The want it very badly. They just call it something different. They call it User Self-Service.

In other words the want the users to be responsible for every scrap of information for which they are the authoritative source of information. They want users to be responsible for managing their own credentials (typically passwords, but sometimes SecureID tokens). In some cases they want users to be responsible for determining what systems they should be granted access and making workflow requests to get that access.

Of course some will argue that using a Self-issued Information Card is User Centric, where as entering the same information into a self-service profile application is not. But my customers don’t care either way. So long as users can manage their own personal information without using help-desk or HR personnel, they are happy.


_____
tags: Cardspace |  Identity |  Identity Management |  Information Card |  User Centric

When I think about privacy I like to think of it in two terms. Granted privacy and real privacy. Granted privacy is when your neighbor agrees not to look into your window. Real privacy is when you buy curtains. That’s a good way of looking at this excellent post by Vikram Kumar about the privacy of Amazon purchases. Amazon, like most large retailers, will do their best to protect their customers privacy. But this is granted privacy and there are numerous situations (some outlined in this article) in which that grant will be revoked. All the big vendors do business word-wide in many countries with different and often conflicting privacy laws. Past experiences has taught us that some vendors will cough up their customers private information merely for the privilege of business in China.

In a nut-shell, Amazon will grant you privacy so long as it doesn’t conflict with the laws or dictates of a country that they want to do business with. If you want real privacy you have to drive to the bookstore and pay cash.

On a similar subject there is this interesting article about privacy concerns on Google’s upcoming Gdrive service. Unless Google incorporates some pretty strong encryption (with user managed keys), anything you store on it will have only granted privacy. Of course in the US the government can always search your computer disk drive if the get a search warrant. The big difference is that a search warrant is harder to get than a subpoena, it usually requires a criminal investigation, and you would typically know about it.



_____
tags: Identity |  Identity Management |  Privacy |  Security

Here is an interesting article in Computer World about a professor who has built a robot that uses an electrically wired moth as its brains (see below).



Professor Higgins (a richly ironic name) sees greater potential for growing organic neural computers rather than trying to wiring natural occurring brains. With professorial understatement his opines:

He does see an ethical line, though. "Our goal is not to hook up primate brains to a robot," said Higgins. "There's the possibility, when you start to tap into brains, for all sorts of evil applications. There are certainly all these ethical issues when you start talking about human and primate brains."

Ethical issues wiring human brains into robots... Who knew?

Back when I was studying AI in college, neural networks were just starting to become a hot area of research. Of course then the goal was to emulate a biological brain, not use one. 

Passlogix made two important announcements today.

[Full Disclosure: BMC is a Passlogix partner.]

First they are jumping into the privileged account management business, but with a huge advantage. Passlogix can leverage their ESSO technology to present shared credentials to applications without displaying them to the user. Or at least the user can’t easily see the passwords. The is a better approach than competing products which cough up the password in clear text that the end user would then copy down for use.  

Many IT departments view shared accounts as a necessary evil. No one likes it, but the alternatives are viewed as too painful. But with a product like this combined with a good password management product (like BMC Password Manager) to set passwords on non-AD systems, shared accounts can be managed in a more controlled fashion.

Second, Passlogix is easing the pain of needing desktop software for ESSO.


_____
tags: Authentication |  BMC Password Manager |  BMC Software |  ESSO |  Identify |  Identity Management |  Passlogix

Here is an interesting article about BMW experimenting with using an IPv4 network for in-chassis communication. The idea is that it would open it up for a wide variety of add on products. Sounds reasonable to me (Hat tip to Instapundit).

_____
tags: BMW |  IPv4

A blogger is accusing the SF Chronicle of one of the most clever deceptions I have heard of in a long time (via Instapundit). Apparently their commenting system has a feature where a deleted comment is still visible to the original poster, but not to anyone else. In other words the original poster thinks his comments are still there but to everyone else the comment appears to have been deleted.

I have never seen this kind of comment system behaviour before. Probably because it would be highly unethical and very easy to get caught. Of course it’s entirely possible that this is an unintentional flaw in the system.

Has anyone else ever seen anything like this?

_____
tags: Blogging