Technology - Page 24

Learning Identity

One of the things I’ve found about trying to figure out identity management concepts and technology is that there are lots of nuances, lots of things to worry about, and it tends to make you more wary (which I guess is all to the good). I now am more careful about whether websites have believable privacy policies before I sign up for them, I have a number of free email accounts for the sole purpose of getting newsletters or registering at websites, and I more often figure the information on these websites is unlikely to be worth the effort.

It’s exciting though, being part of something that is important and where people are realising the importance more day by day, sort of like XML in the early days where people starting saying, yes I do have that problem and maybe this technology can help solve it. So part of what I hope to do in the coming year is help the Liberty Alliance figure out how to help people learn what they need to know about some of these concepts, technologies, and specifications. Identity management is starting to expand beyond the “in group” now as more people start to realise the importance of building it (and security) into systems from the beginning rather than trying to bolt it on afterwards. Figuring identity out takes time – identity management is inherently complex (well, more complex than XML, anyway ;-)) and although Einstein’s famous quote says things should be made as simple as possible, it also says “but not simpler”.

One of the things that Liberty does to tell people about Liberty-related aspects of identity is to host webcasts on a regular basis. This month’s is on the People Service:

The Liberty ID-WSF People Service, a key component in ID-WSF 2.0, is the industry’s first comprehensive platform for managing social information within an open federated network environment. People Service allows consumers and enterprise users to manage social applications such as bookmarks, blogging, calendars, photo sharing and instant messaging from a common layer within the ID-WSF 2.0 framework. Liberty People Service has been developed to allow individuals to easily store, maintain, and categorize online relationships so that other socially-aware Web services applications can leverage information based on the consent and privacy controls established by a user in the federated social network. With Liberty Alliance People Service, consumers and enterprise users can now centrally manage all of their online social relationships using a federated network approach with privacy controls built into the system allowing users to leverage the privacy functionality of Liberty Web Services to more easily and securely share social and enterprise information across applications, platforms and service providers. In this Web cast, we’ll overview the functionality of People Service and provide some use case examples. You won’t want to miss this highly informative session.

The webcast is on this coming Wednesday (January 11, 2006) at 8 am Pacific; if you’re thinking of listening in please register soon (preferably by Monday) so there will be enough phone lines booked.

Phishing Sophistication

I’m starting to be impressed by the (almost) sophistication of phishing attempts. The latest one in my inbox today contained a message from someone purporting to have bought an item via eBay that they hadn’t received and unless they heard back they were going to complain to eBay and then the police — I can quite see some nervous seller who thinks there might be a mistake in the system clicking on the “log in to eBay message center” link (which of course doesn’t go to eBay at all) to try to rectify it.

Mind you, the spam filters are also starting to become sophisticated — my ISP adds headers to the email marking potential spam and this one tripped a number of meters, adding up to quite a lot of red flags. Some of them are, on their own, quite legitimate of course, but not all:

    1.0 FROM_ENDS_IN_NUMS      
        From: ends in numbers
    1.3 RCVD_NUMERIC_HELO      
        Received: contains a numeric HELO
    1.0 MSGID_SPAM_CAPS        
        Message-ID =~ /^\s*< ?[A-Z]+\@(?!(?:mailcity|whowhere)\.com)/
    0.1 HTML_TAG_EXISTS_TBODY  
        BODY: HTML has "tbody" tag
    0.4 HTML_70_80             
        BODY: Message is 70% to 80% HTML
    0.1 HTML_FONTCOLOR_BLUE    
        BODY: HTML font color is blue
    0.7 MIME_HTML_ONLY         
        BODY: Message only has text/html MIME parts
    0.2 HTML_MESSAGE           
        BODY: HTML included in message
     0.3 HTML_FONT_BIG          
        BODY: HTML has a big font
    1.1 MIME_HTML_NO_CHARSET   
        RAW: Message text in HTML without charset
    0.2 MIME_QP_LONG_LINE      
        RAW: Quoted-printable line longer than 76 chars
    0.4 NORMAL_HTTP_TO_IP      
        URI: Uses a dotted-decimal IP address in URL
    0.1 FORGED_HOTMAIL_RCVD2   
        hotmail.com 'From' address, but no 'Received:'
    3.0 FORGED_MUA_OUTLOOK     
        Forged mail pretending to be from MS Outlook
    0.6 MISSING_MIMEOLE        
        Message has X-MSMail-Priority, but no X-MimeOLE
    1.1 FORGED_OUTLOOK_HTML    
        Outlook can't send HTML message only
    1.1 MIME_HTML_ONLY_MULTI   
        Multipart message only has text/html MIME parts
    1.1 FORGED_OUTLOOK_TAGS    
        Outlook can't send HTML in this format
    3.0 SARE_MSGID_YAHOO       
        Message-ID is forged, (yahoo.com)
    1.1 HTML_MIME_NO_HTML_TAG  
        HTML-only message, but there is no HTML tag

After I saw this I promptly went and got the latest version of Pegasus Mail, which I use for my personal email. Pegasus has always had good anti-virus protection, has had decent spam filtering for some time, and shows the real URL that is being linked to on HTML emails, but it now advertises anti-phishing checks as well. It will be interesting to see how well they work in practise.

Woody to Sarge

Ive been intending on upgrading my Debian firewall/blog box to the latest version, called ‘sarge’ (a.k.a 3.1) for some months now. Today was the day I decided to finally bite the bullet. Since I’ve been using backports of unstable versions of software, such as MySQL (see Upgrading MySQL on Debian for that process, and Enabling Thumbnails for the process to upgrade libgd) I figured this could be a little trickier than I really like, and I should be prepared. Here’s the historical record of actually getting it running. YMMV, of course!

First, the documentation on the Debian web site is good. The upgrading instructions are written per hardware platform and seem complete. I started, as recommended in Upgrading your Woody system by replacing the word “stable” in the /etc/apt/sources.list file with the word “woody” and then checking I had woody’s version of aptitude installed.

After copying the recommended files to a safe location (that’s a lot of files!), I deleted the /etc/preferences file after saving a copy — this is the file that says which versions of any software to use. Since to begin with I want to use a clean, standard Debian sarge distribution, I don’t need this file. Then it was on to section 4.2.2, “Checking packages status”. I found that apt-get showed no holds, but aptitude showed that php4 was on hold (I can’t imagine why). So I got rid of the hold.

After that, I just followed the steps, taking the defaults mostly (since I didn’t understand some of the questions, that was an easy choice! One day I might understand what pango and defoma are all about, but in the meantime I’ve decided not to bother). There were a couple of messages that mostly seemed ignorable (note to self: upgrade exim3 to exim4 at some stage in the future) and all in all the process ran smoothly, if not particularly fast on my old, slow Pentium box.

Time to check the results — try my web site and find it’s been replaced by a generic “welcome to an Apache web site” message. The web server has been magically upgraded to Apache 2.0, which I hadn’t quite expected or planned for. Oh well, time to hit the Apache documentation.

There’s a big difference between Debian upgrade documentation and Apache upgrade documentation. Where the Debian upgrade instructions are exactly that (“Do this, then this. Run this command and if you get this output, do this, otherwise do that”), the Apache documentation on Upgrading to 2.0 from 1.3 is basically a list of feature changes, rather than instructions on how to upgrade or what modifications need to be made to the configuration files. Looking at the configuration files themselves in the Debian Sarge Apache 2 distribution you can see, for example, that httpd.conf has changed markedly from being the main configuration file to containing simply a comment saying it exists for backwards compatibility only. The README file does have some clues to the new files, with short descriptions of what they’re used for. The most interesting new directory to me was sites-enabled, which seemed to have something to do with setting up virtual hosts. So I typed sites-enabled into the Apache documentation search engine and found no hits whatsoever. The VirtualHost part of the documentation for Apache 2.0 says “Below is a list of documentation pages which explain all details of virtual host support in Apache version 1.3 and later.” Hmmm, things do seem to have changed somewhat between Apache 1.3 and Apache 2.0. On the other hand, it’s always possible that this particular configuration and choice of directory names etc is due to Debian rather than Apache; the Debian distributions do have a reputation for putting files in places that are unexpected and maybe this has extended to the names used in the Debian flavour of the Apache installations. If this is the case it’s not surprising it isn’t documented on the Apache web site.

Fortunately others have written this up; I found Upgrading to Apache 2 which described the purpose of the sites-enabled and sites-available directories in ways that make sense and worked when I tried them out. The same principles apply to making the mod_rewrite module available, which WordPress uses for rewriting the URLs for archives and categories.

So far, so good. My web site is available again, just not my blog. The error message is “Your PHP installation appears to be missing the MySQL which is required for WordPress”. When I check, all the necessary packages are installed. A quick search through the WordPress support site turns up that I’ve forgotten to uncomment the MySQL module in the php.ini file. I’m so used to Debian just doing the right thing that it seems odd to have to make that change, somehow. Now my blog is back as well, everything else seems to be working, no files seem to have been lost, and overall the upgrade was a lot less painful than I had anticipated.

Double Routing

Like probably every other computer geek out there, I do a certain amount of helping friends set up their home systems. This particular friend knows nothing about networks and firewalls and the like, and just wanted something secure that would allow her to have a reasonably safe Windows box and the daughter to have a reasonably safe and virus-free Windows laptop. The easy bits were installing the spyware detectors (Ad-Aware and Spybot S&D) and the virus checker/utilities (Norton SystemWorks); the tough bit was getting the routers to work.

The system that made most sense was to feed the DSL into a wired ethernet router with a built-in firewall (the D‑Link DI-604 has a reasonable price point and an integrated firewall) and then set up a wireless point for the daughter’s laptop. So my friend got a Linksys wireless router (no firewall). We have this system at home, though with different hardware (Linux firewall + Airport wireless) and it works just fine. So I wasn’t expecting any oddities. I found the support page on the Linksys site that said to turn off the DHCP server on the wireless router, and to give it an IP address that fitted in with the IP setup of the wired router. That was easy enough to do. But somehow the laptop just never managed to sync up.

Ah, how good it was that I allowed more time than I expected to need to set it up! My basic idea was that ethernet comes out of the DSL mode, goes into the wired router in the uplink socket, then a cable comes out of the wired router and goes into the uplink socket of the wireless router. Still seems logical to me, but in this case my logic was completely wrong. Fortunately Linksys has live chat to tech support that works on a Saturday (good move, people!) and Melrose didn’t need very long to figure out the problem and tell me to put the cable coming out of the wired router into one of the 4 regular sockets. This worked just fine; the laptop synced up, my friend (and her daughter) are happy and think I know exactly what I’m doing, while I’m still slightly baffled and wondering what’s wrong with my simple hose-pipe analogy of internet connections. Still, I now know empirically what to do, so that’s the important thing.

Bring out Your Votes!

Working in small technical committees on well-constrained problems can be really rewarding; the small group allows for a certain amount of fun in the meetings and everyone knows they have a role to play. I chair the OASIS Entity Resolution TC, which is working on XML Catalogs.

The idea of catalogs has been around for a long time, it was one of the first pieces of work to come out of SGML Open, the precursor to OASIS. We’ve updated them for XML and use on the Web and although we spend a lot of time explaining that entity resolution is not restricted to XML entitities and indeed we use the word “entity” in the more general sense of the word, i.e. we really mean “resource” in today’s terminology (see the FAQ for more on this), I think it’s a good piece of work. Mind you, having Norm edit it and write code to implement it does help immensely.

So now it’s time to vote! We need another 44 OASIS member companies to vote (we need to reach a total of 47 “Yes” votes to pass) — so please pass this on to any voting reps you know (yes, this is a shameless lobbying act for something I think is worthwhile). The ballot is at Approve XML Catalogs v1.1 as an OASIS Standard. Many thanks!

Some supporting information from the TC:

XML documents and data often reference other external resources. Often the referencing information is not sufficient to locate the desired resource unambiguously, or the resource is not accessible at the given location at the time it is required, or it is preferable that an alternate resource be used in place of the referenced resource.

For example:

External identifiers may require resources that are not always available. For example, a system identifier that points to a resource on another machine may be inaccessible if a network connection is not available.
External identifiers may require protocols that are not accessible to all of the tools on a single computer system. An external identifier that is addressed with the FTP protocol, for example, is not accessible to a tool that does not support that protocol.
It is often convenient to access resources using system identifiers that point to local resources. Exchanging documents that refer to local resources with other systems is problematic at best and impossible at worst.
Incoming XML documents may reference customized versions of standard XML schemas. To protect your systems, it is necessary to remap the schema references so that known, trusted copies of the schemas are used.

Entity Resolution is the process by which these resource references can be mapped to another version of the reference that can be found or that is preferred for other reasons. To address these issues, the OASIS XML Catalog specification defines an application-independent entity catalog that maps external identifiers and URI references to (other) URI references.

Entity resolution catalogs have already been widely implemented in much deployed software. Promoting the OASIS XML Catalog specification to an OASIS Standard is crucial for continued interoperability of XML applications.

Invisible Files

What do you do when you need the answer to a question and Google doesn’t deliver? Ask on the blog of course… I would really like to know the answer to this one, as it would save a large amount of irritation and I assume others have the same problem. I’ve spent hours buried deep in search engine results with no luck.

As befits a family with jobs in the computer industry, we have a few computers spread around the house, all connected with a decent home network and protected with a good Linux-based firewall (which also serves this blog). The computers run a number of operating systems — Windows 2000, Windows XP, Mac OS X, Solaris. The problem only appears with the Windows XP boxes — or rather, between them. For some reason, one Windows XP box can’t see all the files and folders on the other Windows XP box, although they’re quite visible from both Windows 2000 and OS X. The odd thing is that some files and folders are visible, often some files in a given folder will be visible but the others won’t, and to my eye there are no differences in security settings, ownership, or ACLs. Mind you, I’m obviously missing something somewhere or I’d be able to see all those files from every machine in the house! I tried copying some of the files to new directories; sometimes that lets me see them across the network, and sometimes it doesn’t. I have no idea what settings are being put in place to stop me looking at such dangerous files as .css and .html in particular directories; the system seems capricious — as does any system when you haven’t figured out the rules by which it operates. The innate ability of the human brain to figure out patterns has decidedly failed me in this instance.

Help would be much appreciated, not only for me but for the rest of the family who have to put up with my imprecations each time I want to transfer files from one box to the other, only to find that they’re not visible from the box I want to transfer them to.