When is [Insert technical field name here] fun?

I think it is fun when it has recently hit humans.  When stone-tipped spears were brand new, I bet you didn’t have to encourage kids to study chipping at arrowheads.

When calculus was new, I bet people studied it because it was the hot new thing.  Now calculus is universal and required (at least for technical fields). 

When I was a kid, programming was fun.  Mostly because it was the hot new thing.  In retrospect, programming wasn’t painful only because the constraints of the machines and tools forced us to become ludicrously modest in our goals.

When I hear on TV an actor playing a scientist say, “Science is fun!” I think, the science they are talking about on TV hasn’t been fun since the Enlightenment, 200 years ago.

Fast forward to now.  Stone-tipped tools are studied by re-enactors and archeologists.  Calculus is a slog.  Programming is work.

GRRRR! Cardspace. What a useless steaming pile…

Ok. Cardspace/Infocard is like OpenId.  Password-less access to websites (or password-fewer access).

BUT

1. You must use SSL.  Even if you just want to secure your application against your clueless neighbor.  That is a minimum of $40.

2. You must decrypt the response on an account with NTFS access to the private key.  The NT Network Service account is not likely to have read access to the private key on a hosted account.  Good luck explaining how, and getting co-operation from your hosting provider.

3. Decryption must be done under FULL TRUST.  Many hosted accounts only let you run in medium trust and don’t let you create COM+ dlls, put stuff in the GAC, etc.

[Items 2 and 3 might not even be a good idea.  If the world at large manages to use your web application to maliciously download your SSL cert, I suppose they could do something evil, like pretend they are you]

4. To get rid of the “the website isn’t secure for banking or ecommerce” warning you have to spend $1000 on an EV SSL cert.  Oh, sure, pocket change.

5. And who is issuing managed cards? I can get an SSL based cert from Thawte that says I am the person that controls my email account, but I can’t find anyone who issues managed infocards anywhere.

I’ve about realized that I, a computer professional and programmer, will not be able to implement InfoCard/Cardspace in any form, not for my blog, not for my hobby website, nothing.  Either one has $1040 and one’s own entire server, or nothing.

If only the top 10 biggest websites can overcome the hurdles posed by infocard, what we are going to see is 5 websites accept infocard and everyone else (mom & pop websites) continue to use passwords and user ID’s. InfoCard will have a minimal impact on how authentication is done.

This is going to drive small websites into using OpenId.  Consumers will rapidly gain a few dozen OpenId cards.  The rising ubiquity of OpenId, which doesn’t try to be a waterproof authentication method, will take over the world, relegating InfoCard to “that way you logon to Live.com services”.

Come on Microsoft, when are we going to be able to run CardSpace/Info card in “real world” mode?

[Thanks to Self-issued.info for the logo]  [Actually, I take that back, it is a Microsoft trademark. The purple box has a substantial amount of IP self-legislation that goes with it.  According to MS's lawyers, I am currently in violation of usage guidelines for the icon.  Let's see how Microsoft silences critics of InfoCard.]

Terminate with extreme prejudice: WinCinemaMgr.exe

WinCinemaMgr.exe installed itself without my permission into the startup queue. It didn’t ask explicit permission, so it is malware. The delivery vector is the Sandisk Mp3 player. It isn’t an evil MP3 player and my son likes it just fine, but Sandisk’s developers have no respect whatsoever for their users. If I wanted to load up my startup queue with sh*t I would have browsed known malware sites.

[Update: I renamed the file and it..came back! Ugh!]

Harm done:

4MB of memory erased from my system forever (or until I rip wincinemamgr.exe out of my computer). If you multiply the number of WinCinemaMgr infections by 4MB, you get the total amount of computer hardware destroyed and rendered useless by SanDisk. I’m figuring a million installations, or about 3,000GB, which works out to about $384,000 of national sabotage.

Unmeasured CPU usage. I figure it was probably lurking at something between 0 and 1%. Again, work out the cost of 1% of a CPU, 1% of the electricity my computer draws, times a million users, and all of a sudden WinCinemaMgr.exe is doing some serious destruction.

Harddrive space: 296KB * 2 copies, times 1 million users. That is 325GBs. Even with harddrives as cheap as they are, a third of a terabyte of space that no one ever wanted used up is a crime.

Stay tuned, maybe tomorrow I’ll rant about realsched.exe and if I get real ambitious, I’ll write a batch file for killing crapware and put that in my startup queue.

Thought process for defining an AzMan policy

Groups vs Roles.  Whatever the difference, I think these should slice the universe of users differently.  If groups are based on where you are in the organization (a partitioning strategy that can partition everyone), then roles should partition everyone by some other measure, say occupation. 

Another strategy is to assume that the groups are made up by an external organization and are too granular for your purposes.

The final strategy is to have groups == roles.  For each group create one role.  This removes groups from the policy altogether.

Tasks. Tasks are tricky.  If you want to give someone the right to send email, update a database and delete a row, but not the right to do any of those individually, then *don’t* use a task.  A task means that if someone is able to do one of the operations *individually*, it logically follows that they can do them all.  For example, “delete own account”, “delete other accounts”, “delete lapsed accounts”, “delete active account” might be put in a single task.  Then you grant the task to a high level user and save yourself four role associations (over using strictly operations).

If you do want the user to complete a series of actions as a whole, but not individually (for example, he can send email to himself as part of a purchase transaction, but not directly call the email method with arbitrary recipients) then the purchase should be an operation.

And now I’m too tired to keep thinking. Good night folks.  [Hey this is an un-edited blog, what'd you think you'd stumbled into? PC Magazine?]

SSL, I just don’t get it

So I’m buying an SSL certificate. To prevent getting a MSIE7 error, it needs only be unexpired, match the URL and come from a ‘trusted authority’.

A trusted authority, like rapidssl.com, will give an SSL certificate to anyone who “controls their domain”.

Why don’t we just call a spade a spade and tell people that an SSL certificate is a means of encryption on the wire amongst unauthenticated parties?

I got a magazine subscription from an online company that did everything possible to hide their identity (anonymous domain, no physical address), and they used SSL. I did get my magazine subscription, so it appears that I was buying from a company that wanted to stay anonymous, maybe for tax reasons. The transaction size was small and the website was plausible, so I wasn’t exactly sending a check to Nigeria. All I really need for this transaction is *correlation*. I can now correlate my experience the first time I interacted with this anonymous company with the second time I interact with them and form a sense of their reputation. In fact, if a reputation server was what stood behind the URL & SSL cert instead of a picture of a guy with a bag over his head, ecommerce would be a lot safer.

I really don’t see the value in the expensive SSL certs either. To get the additional trust from that cert, users have to:

1. Understand that your $1000 cert underwent a rigorous audit, unlike the vast majority of certs.

2. Know how to click through to see the subject on the cert

3. etc.

Imho, SSL is not authentication at all. It’s more like meeting a stranger on the street and agreeing to speak in Esperanto so that the other strangers on the street can’t understand you.

The URL is not an identity either. OpenId is proposing that if you control an URL, you are that URL. But URL’s lapse all the time. Even excluding the rather rare, but technically possible hijacking of DNS servers and domain names, if my URL lapses, someone could pick it up and pretend that they were Matthew Martin. They wouldn’t be as stylish and suave, but an average web browser would be hard pressed to know the difference.

Solved! YUI Menu Bar “Pop” problem

I have a YUI menu bar. It is entirely javascript driven and inserted into a DIV. That means, it is rendered last. In MSIE 7, that causes the entire page to draw, then pop about 20px down to make space for the menu bar. Here is my solution:

<div id="mymenubarhere" style="position:absolute;right:0px;left:0px;">
</div><div style="height:20px"></div>

The absolute positioned element lets everything else slide beneath it. The following div props up the rest of the page. If you put the height directly on the div where javascript will insert the menu, the height will add padding, border or something to create a tiny gap between the menu bar and the drop down menus, making it impossible to mouse over from the bar to the menu.

OpenID Adventures

Someone wrote an OpenId logon control for ASP.NET, very handy, since communicating with an OpenId server is a nontrivial task. But the control was written in the .NET language Boo. This would be all fine and good, but the implementation is buggy (or some OpenID servers are buggy) and I can’t fix bugs written in Boo. Currently, I’m dealing with the issue where the OpenID client and server can’t decide if Http://foo.com is the same as http://foo.com:80. Presumably it would work if I was using the SSL port, but I haven’t spent money on a certificate yet.

ClaimId’s profile management is buggy, but at least ClaimId thinks http://foo.com is the same as http://foo.com:80 whereas MyOpenId.com thinks they are different.
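The disagreement above comes down to identifier normalization. As an added example (not code from the post or from any OpenID library), here is a Python helper that applies the normalization OpenID 2.0 borrows from RFC 3986: lowercase scheme and host, drop the scheme's default port, and give an empty path a trailing slash, so that Http://foo.com and http://foo.com:80 compare equal.

```python
from urllib.parse import urlsplit, urlunsplit

# A URL that names its scheme's default port is equivalent to one that omits
# it (RFC 3986 section 6.2.3), which is exactly the foo.com vs foo.com:80 case.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_openid_url(identifier: str) -> str:
    """Normalize a URL identifier as OpenID 2.0 section 7.2 requires (RFC 3986
    section 6 scheme-based normalization). Hypothetical helper written for
    this post, not taken from an OpenID implementation."""
    ident = identifier.strip()
    if "://" not in ident:
        ident = "http://" + ident          # a bare 'foo.com' means http://foo.com/
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # host names are case-insensitive
    port = parts.port                      # None when the URL omits the port
    if port is not None and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"            # keep only a non-default port
    path = parts.path or "/"               # empty path normalizes to '/'
    # Fragments are never part of an OpenID identifier, so they are dropped.
    return urlunsplit((scheme, host, path, parts.query, ""))


def same_identifier(a: str, b: str) -> bool:
    """True when two URLs denote the same OpenID identifier after normalization."""
    return normalize_openid_url(a) == normalize_openid_url(b)
```

A relying party and a provider that both normalize this way before comparing identifiers avoid the mismatch described above; a non-default port is still significant and kept.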

I can forecast that OpenId will go the same way as HTTP, potentially very successful, but writing the logon control will become increasingly complicated to compensate for the millions of different ways that servers implement the OpenId specs. And servers will likely become extremely difficult to implement to deal with the large number of ways clients implement the spec.

Sigh. It’s enough to make me look at CardSpace again. One of the key benefits I saw in OpenId was that it didn’t require SSL to be working–so I thought. Now it seems that both technologies really are intended to be heavily dependent on a fully functioning layer of SSL.

You want your site to support password-less logon, you’re going to have to buy an SSL certificate. What is really depressing about that, is that the web 2.0 model for authentication will be stuck in the business model for web 1.0, where we all give money to Verisign and get in return certificates that website users don’t understand very well. And with the large number of sites with SSL certs that are legitimate companies but have expired SSL certs and slightly mismatched URLs, or self signed certificates, what few people do pay attention to the little lock icon now know to ignore it entirely.

So Microsoft, where is the HTTP solution for authentication? I’m not about to buy an SSL certificate for managing comments to my blog.

OpenId vs CardSpace Smackdown

CardSpace means your site needs:

* to be running ssl, with a confirmed location and organization name to prevent warnings.

* to be running with an account that can access the SSL certificate (ASPNET account, NETWORK SERVICE, etc)

* to decipher the claims, you need to decrypt the certificate and the associated claims, hence the need for access to the machine’s ssl certs (It appears to be POST and rather hard)

* you have to use cobbled together controls from the internet

* Optionally a third party. The user can act as their own certificate issuer.

* The server can be any OS, but the client has to be XP2 or Vista

OpenId means your site needs

* a third party website to process the passwords

* ideally the users will want to get their own URL (so that their identity is as strong as the domain name sales process, woo hoo!)

* The user claims are posted back in the URL (REST is easy)

* you have to use cobbled together login controls from the internet

* The server and the client can be anything

I have an OpenID logon almost working, I got close to a working CardSpace logon control, but ran into the SSL cert issues.

Custom Rule Code vs AzMan BizRules

Application Rules

' Application-rule pattern: the non-role check runs first, then the role engine.
If MyApplicationLogic.CheckNonRoleInfo() Then
    AzMan.CheckAccess(...)
End If

The CheckNonRoleInfo() method above has limited access to the AzMan algorithm, which searches the entire role data structure for evidence that so & so is allowed to do something. It would also be plausible that something depends on both role and non-role information, so it’s possible CheckNonRoleInfo() might evolve into CheckNonRoleInfo(CurrentUser, UsersRoles(), TimeOfDay, OtherRelevantFactor). Now this method is probably implementing some of the same logic as AzMan.

AzMan Rules

AzMan.CheckAccess(..., MiniDBOfNonRoleInfo())

The hooks are in the CheckAccess engine, so it combines both Role & NonRoleInfo in a check.

The BizRule pattern means the rule is part of the AzMan algorithm, which searches the entire role data structure for evidence that so & so is allowed to do something. I’m imagining that the AzMan role engine holds the roles as some sort of network or graph, which it traverses. Every time it gets to a node with a rule attached, it evaluates that rule in addition to the normal role checking logic.
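To make the difference concrete, here is an added Python model of the two patterns (not from the post and not AzMan’s real object model): the BizRule-style engine evaluates a rule attached to the role it is currently visiting, so the rule can depend on which role grants the operation, whereas the application-rule style runs its non-role check once, up front, for every role alike. The roles, users and the business-hours rule are constructed for the example.

```python
from datetime import time

# Constructed policy: each role lists the operations it grants and may carry a
# rule that the engine evaluates when it reaches that role (the BizRule hook).
POLICY = {
    "HelpDesk": {
        "ops": {"reset password"},
        # Help desk may reset passwords only in business hours, and only for
        # accounts in the help desk agent's own office.
        "rule": lambda u, ctx: time(8) <= ctx["now"] <= time(18)
        and ctx["target_office"] == u["office"],
    },
    "Admin": {"ops": {"reset password", "delete account"}, "rule": None},
}
USERS = {
    "alice": {"roles": {"HelpDesk"}, "office": "NYC"},
    "bob": {"roles": {"Admin"}, "office": "LON"},
}


def make_ctx(hour: int, target_office: str) -> dict:
    """Request context: wall-clock hour and the office of the target account."""
    return {"now": time(hour), "target_office": target_office}


def check_access(user: str, op: str, ctx: dict) -> bool:
    """BizRule style: walk the user's roles; a role grants op only if it lists
    op AND its attached rule (if any) passes for this request context."""
    u = USERS[user]
    for role in u["roles"]:
        node = POLICY[role]
        if op in node["ops"] and (node["rule"] is None or node["rule"](u, ctx)):
            return True
    return False


def check_access_app_style(user: str, op: str, ctx: dict) -> bool:
    """Application-rule style: the non-role check runs before the role engine,
    so it applies to every role and cannot see which role would grant op."""
    if not (time(8) <= ctx["now"] <= time(18)):
        return False  # even Admin is locked out after hours here
    u = USERS[user]
    return any(op in POLICY[r]["ops"] for r in u["roles"])
```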

SQL Style vs AzMan Style rights granting

SQL Style
You can call a method (stored procedure) that accesses resources (views and tables) on your behalf, but you can’t always access the resources directly. SQL procedures are almost analogous to AzMan tasks, and tables are analogous to operations. However, an AzMan task implies you have access to all the components of the task directly as well as through the task.

AzMan Style
If you can call any method (task) that uses a resource, you can use that resource directly.

Both styles make sense; why doesn’t AzMan support them both? Well, in a sense, you could simulate SQL style by making all stored procedures ‘operations’. I think the only disadvantage is that if there is an action, say sending an email, which is implicitly available in one operation but not another, it might be confusing. For example, if you have a task called ‘contact customer’, which is made up of ‘lookup address’ and ‘send email’, you might decide to change ‘contact customer’ to an operation, since you don’t want the user to ‘send email’ except in the context of the ‘contact customer’ task.
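The task-vs-operation point made here and in the “Thought process for defining an AzMan policy” post above can be shown in a few lines. As an added example (not from the post, and not AzMan’s real object model), this Python sketch grants the same roles under both styles: in AzMan style a task expands into its operations, so ‘send email’ leaks out of ‘contact customer’ and can be called alone; in SQL style an operation is reachable only while a granted task is executing. Modelling ‘purchase’ as an operation, as the post recommends, is what keeps ‘send email’ out of reach in AzMan style. Task, role and operation names are constructed.

```python
from typing import Optional

# Constructed policy: tasks bundle operations; roles are granted tasks and/or
# operations. 'purchase' is deliberately modelled as a plain operation.
TASKS = {
    "contact customer": {"lookup address", "send email"},
}
ROLE_GRANTS = {
    "SalesRep": {"tasks": {"contact customer"}, "ops": set()},
    "Cashier": {"tasks": set(), "ops": {"purchase"}},
}


def allowed_azman_style(role: str, op: str) -> bool:
    """AzMan style: granting a task grants every operation in it directly,
    so the role may invoke 'send email' on its own, outside the task."""
    grant = ROLE_GRANTS[role]
    expanded = set(grant["ops"])
    for task in grant["tasks"]:
        expanded |= TASKS[task]
    return op in expanded


def allowed_sql_style(role: str, op: str, via_task: Optional[str] = None) -> bool:
    """SQL style (stored procedure over tables): an operation inside a task is
    reachable only while that granted task is executing (via_task names the
    task on the call stack); the operations are never granted on their own."""
    grant = ROLE_GRANTS[role]
    if op in grant["ops"]:
        return True
    return via_task is not None and via_task in grant["tasks"] and op in TASKS[via_task]
```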