Some new ways to look at infrastructure

Nothing challenges our understanding of infrastructure better than a crisis, and we have a big one now in Houston. We do with every giant storm, of course. New York is still recovering from Sandy and New Orleans from Katrina. Reforms and adaptations always follow, as civilization learns from experience.

Look at aviation, for example. Houston is the 4th largest city in the U.S. and George Bush International Airport (aka IAH) is a major hub for United Airlines. For the last few days traffic there has been sphinctered down to emergency flights alone. You can see how this looks on FlightAware’s Miserymap:

Go there and click on the blue play button to see how flight cancellations have played over time, and how the flood in Houston has affected Dallas as well. Click on the airport’s donut to see what routes are most affected. Frequent fliers like myself rely on tools like this


Strong Authentication and Token Binding Presentations at EIC 2017

I gave two presentations at the 2017 European Identity and Cloud Conference (EIC) on progress we’re making in creating and deploying important new identity and security standards. The presentations were:
  • Strong Authentication using Asymmetric Keys on Devices Controlled by You: This presentation is about the new authentication experiences enabled by the W3C Web Authentication (WebAuthn) and FIDO 2.0 Client To Authenticator Protocol (CTAP) specifications. It describes the progress being made on the standards and shows some example user experiences logging in using authenticators. Check it out in PowerPoint or PDF.
  • Token Binding Standards and Applications: Securing what were previously bearer tokens: This presentation is about how data structures such as browser cookies, ID Tokens, and access tokens can be cryptographically bound to the TLS channels on which they are transported, making them no longer bearer tokens. It describes the state of the Token Binding standards (IETF

Open Word—The Podcasting Story

Nobody is going to own podcasting. By that I mean nobody is going to trap it in a silo. Apple tried, first with its podcasting feature in iTunes, and again with its Podcasts app. Others have tried as well. None of them have succeeded, or will ever succeed, for the same reason nobody has ever owned the human voice, or ever will. (Other, of course, than their own.) Because podcasting is about the human voice. It’s humans talking to humans. Voices to ears and voices to voices—because listeners can talk too. They can speak back. And forward. Lots of ways. Podcasting is one way for markets to have conversations; but the podcast market itself can’t be bought or controlled, because it’s not a market. Or an “industry.” Instead, like the Web, email and other graces of open protocols on the open Internet, podcasting is NEA: Nobody owns it,

Apple is a clothing company

Reading Walt Mossberg’s latest, titled The post-Jobs Apple has soared financially, but lacks a breakthrough product, and looking toward Apple’s coming announcement on Wednesday, the headline above occurred to me. Because the main things Apple makes are extensions of ourselves. That’s what our phones and laptops have become. They are things we almost wear, like our clothing. Is it just coincidental that Apple Stores inhabit the same shopping streets and districts otherwise populated by upscale clothing retailers? Or that Angela Ahrendts, who runs those stores, came to the company from Burberry? Or that Apple has lately clarified how it differs from nearly every other tech company by caring almost absolutely about personal privacy? With all that in mind, it’s easy to understand why Apple’s product lineup looks stale. Shirts and skirts are stale too. They’ve also been around for thousands of years, and we’ll never stop

OpenID Certification Progress Report at CIS 2016

I gave an invited presentation on OpenID Certification at the 2016 Cloud Identity Summit (CIS) this week. I used the presentation as an opportunity to inventory what we’ve achieved with the certification program since its launch in April 2015, and while the numbers are impressive in and of themselves (90 profiles certified for 28 implementations by 26 organizations, with new certifications in May by Clareity Security, Auth0, and Okta), there’s a deeper impact that’s occurring that the numbers don’t tell. The new thing that’s happening this year is relying parties are explicitly asking identity providers to get certified. Why? Because certified implementations should “just work” – requiring no custom code to integrate with them, which is better for everyone. This network effect is now in play because it provides business value to all the participants. While I’ve spoken about certification about 10 times since the launch, this presentation is different

OpenID Connect Discussions at EIC 2016

On May 10, during the OpenID Workshop at the 2016 European Identity and Cloud (EIC) conference, I gave a status update on the OpenID Connect working group to the 46 workshop attendees, including continued progress with OpenID Certification. You can view the presentation in PowerPoint or PDF format. While I was happy to report on the working group activities, what I really enjoyed about the workshop was hearing many of the attendees telling us about their deployments. They told us about several important OpenID Connect projects each in Europe, Australia, South America, North America, and Asia. Rather than coming to learn what OpenID Connect is, as in some past EIC workshops, people were coming to discuss what they’re doing. Very cool!

Toward an ethics of influence

Stop now and go to TimeWellSpent.io, where @TristanHarris, the guy on the left above, has produced and gathered much wisdom about a subject most of us think little about and all of us cannot value more: our time. Both of us will be co-investing some time tomorrow afternoon at the @BerkmanCenter, talking about Tristan’s work and visiting the question he raises above with guidance from S.J. Klein. (Shortlink for the event: http://j.mp/8thix. And a caution: it’s a small room.) So, to help us get started, here’s a quick story, and a context in the dimension of time…
Many years ago a reporter told me a certain corporate marketing chief “abuses the principle of instrumentality.” Totally knocked me out. I mean, nobody in marketing talked much about “influencers” then. Instead it was “contacts.” This reporter was one of those. And he was exposing something

The Data Bubble redux

It didn't happen in 2010, but it will in 2016.

This Post ran on my blog almost six years ago. I was wrong about the timing, but not about the turning: because it’s about to happen this month at the Computer History Museum in Silicon Valley. More about that below the post.
_________________

The tide turned today. Mark it: 31 July 2010.

That’s when The Wall Street Journal published The Web’s Gold Mine: Your Secrets, subtitled A Journal investigation finds that one of the fastest-growing businesses on the Internet is the business of spying on consumers. First in a series. It has ten links to other sections of today’s report.

It’s pretty freaking amazing — and amazingly freaky, when you dig down to the business assumptions behind it. Here is the rest of the list (sans one that goes to a linkproof Flash thing):

Here’s the gist:

The Journal conducted a

Mercy for the bereaved

I didn’t know Dave Goldberg, but I can’t count all the friends and relatives who were close to him. By all their accounts, he was a brilliant and wonderful guy, much loved and respected by everybody who knew and worked with him. Along with the rest of the world, I await word on what happened. So far that word hasn’t come. But it hasn’t stopped speculation. For example, this post by Penelope Trunk, which imagines a worst-possible scenario — or a set of them — on the basis of no evidence other than knowing nothing. And why do we know nothing? Put yourself in Dave’s wife’s shoes for a minute. You’re a woman on vacation with your husband, to a place where nobody knows you. Then your husband, healthy and just 47 years old, dies suddenly for no apparent reason. What do you do, besides freak out? First you deal with the local authorities, which is rarely

Perspectives on the OpenID Connect Certification Launch

Many of you were involved in the launch of the OpenID Foundation’s certification program for OpenID Connect Implementations. I believe that OpenID Certification is an important milestone on the road to widely-available interoperable digital identity. It increases the likelihood that OpenID Connect implementations by different parties will “just work” together. A fair question is “why do we need certification when we already have interop testing?”. Indeed, as many of you know, I was highly involved in organizing five rounds of interop testing for OpenID Connect implementations while the specs were being developed. By all measures, these interop tests were highly effective, with participation by 20 different implementations, 195 members of the interop testing list, and over 1000 messages exchanged among interop participants. Importantly, things learned during interop testing were fed back into the specs, making them simpler, easier to understand, and better aligned with what developers actually need for

10 Years of Digital Identity!

How time flies! In March 2005 I began working on digital identity. This has by far been the most satisfying phase of my career, both because of the great people I’m working with, and because we’re solving real problems together. An interesting thing about digital identity is that, by definition, it’s not a problem that any one company can solve, no matter how great their technology is. For digital identity to be “solved”, the solution has to be broadly adopted, or else people will continue having different experiences at different sites and applications. Solving digital identity requires ubiquitously adopted identity standards. Part of the fun and the challenge is making that happen. Microsoft gets this, backs our work together, and understands that when its identity products work well with others that our customers and partners choose to use, we all win. Very cool. Those of you who’ve shared the journey with me have experienced lots of highs and lows. Technologies that have been part of the journey have included Information Cards, SAML, OpenID 2.0, OAuth 2.0, JSON Web Tokens (JWTs), JSON Web Signing and Encryption (JOSE), and OpenID Connect. Work has been done in OASIS, the Information Card Foundation, the OpenID Foundation, the Open Identity Exchange (OIX), the Liberty Alliance, the IETF, the W3C, the FIDO Alliance, and especially lots of places where the right people chose to get together, collaborate, and made good things happen – particularly the Internet Identity Workshop. It’s worth noting that this past week the Internet Identity Workshop held its 20th meeting. They’ve been held like clockwork every spring and fall for the past 10 years, providing an indispensable, irreplaceable venue for identity practitioners to come together and get things done. My past 10 years wouldn’t have been remotely the same without the past 10 years of IIW. My sincerest thanks to Phil, Doc, and Kaliya for making it happen!
I won’t try to name all the great people I’ve worked with and am working with because no matter how many I list, I’d be leaving more out. You know who you are! While we’re all busy solving problems together and we know there’s so much more to do, it’s occasionally good to step back and reflect upon the value of the journey. As Don Thibeau recently observed when thanking Phil Windley for 10 years of IIW, “these are the good old days”.

The most important event, ever

IIW XX, the 20th Internet Identity Workshop, comes at a critical inflection point in the history of VRM: Vendor Relationship Management, the only business movement working toward giving you both
  1. independence from the silos and walled gardens of the world; and
  2. better means for engaging with every business in the world.
If you’re looking for a point of leverage on the future of customer liberation, independence and empowerment, IIW is it. Wall Street-sized companies around the world are beginning to grok what Main Street ones have always known: customers aren’t just “targets” to be “acquired,” “managed,” “controlled” and “locked in.” In other words, Cluetrain was right when it said this, in 1999:

if you only have time for one clue this year, this is the one to get…

Now it is finally becoming clear that free customers are more valuable than captive ones: to themselves, to the companies they deal with, and to the marketplace.

But how, exactly? That’s what we’ll be working on at IIW, which runs from April 7 to 9 at the Computer History Museum, in the heart of Silicon Valley: the best venue ever created for a get-stuff-done unconference. Focusing our work is a VRM maturity framework that gives every company, analyst and journalist a list of VRM competencies, and every VRM developer a context in which to show which of those competencies they provide, and how far along they are along the maturity path. This will start paving the paths along which individuals, tool and service providers and corporate systems (e.g. CRM) can finally begin to fit their pieces together. It will also help legitimize VRM as a category. If you have a VRM or related company, now is the time to jump in and participate in the conversation. Literally. Here are some of the VRM topics and technology categories that we’ll be talking about, and placing in context in the VRM maturity framework:

Note: Another version of this post appeared first on the ProjectVRM blog. I’m doing a rare cross-posting here because it’s that important.

The Increasing Importance of Proof-of-Possession to the Web

My submission to the W3C Workshop on Authentication, Hardware Tokens and Beyond was accepted for presentation. I’ll be discussing The Increasing Importance of Proof-of-Possession to the Web. The abstract of my position paper is:
A number of different initiatives and organizations are now defining new ways to use proof-of-possession in several kinds of Web protocols. These range from cookies that can’t be stolen and reused, identity assertions only usable by a particular party, password-less login, to proof of eligibility to participate. While each of these developments is important in isolation, the pattern of all of them concurrently emerging now demonstrates the increasing importance of proof-of-possession to the Web.

It should be a quick and hopefully worthwhile read. I’m looking forward to discussing it with many of you at the workshop!

A New Data Deal, starting today

There was a time when personal computer was an oxymoron: a contradiction in terms. That ended when personal computing got real in the ’80s. There was a time when personal networking, where every person has status, reach and power equal to that of corporations and governments, was unthinkable. That ended when the Internet got real in the ’90s. There was a time when putting both those powers, plus a zillion mobile apps, in everybody’s pocket, was a pie in the distant sky. That pie reached Earth in the ’00s. There was a time when clouds were only corporate, and personal cloud was an oxymoron — or worse, just a new term for more data storage. That ends today. Personal clouds level the market’s playing field by giving full agency to each of us: a place to stand where we can deal as equals with companies, governments, health care providers, lawyers, schools and everything and everyone else in the connected world. In your own ways, and on your own terms. They begin what @Petervan calls The Revolution of the Data Slaves. You can self-host your cloud (which some also call a vault or a store), or use a Cloud Service Provider (CSP) that hosts your cloud in an encrypted form that even they can’t see. Either way, your personal cloud (hashtags: #pcloud, #TakeBackControl) is an ideal box for any number of current and future VRM tools, including ones for:

Respect Network has gathered together a bunch of Cloud Service Providers, along with other companies, development projects, organizations and individuals, for a world-circling launch tour that begins today in London. Tomorrow is an Immersion Day, for digging down into how personal clouds solve problems of privacy and personal empowerment. I’ll be at both, and giving the opening keynote tomorrow. Next stops on the tour:
  • San Francisco — 30 June and 1 July
  • Sydney — 7 and 8 July
  • Tel Aviv — 14 July
  • Berlin — 21 July
The tour is also a campaign to sign up a million members, each claiming their own cloud name — a sovereign identity that’s yours alone. They explain:
The Respect Network is a collaboration of over 70 companies and open source projects from around the world who share this commitment:
  1. On the Respect Network, every member owns his/her private cloud and cloud name (your =name) that is completely portable for life and not dependent on any single CSP (cloud service provider).
  2. On the Respect Network every personal and business member agrees to respect each other’s privacy and digital freedom.
  3. On the Respect Network, you control your digital identity and relationships. You have the right to be forgotten—or remembered—by any other member.
  4. On the Respect Network you control when and where your personal data is shared and benefit directly from the value earned.
  5. On the Respect Network you are not the product, you are the partner—the network is supported directly by members investing in privacy for life.

I’ll add more here as the day goes on. It’s going to be an exciting one.

JWT and JOSE have won a Special European Identity Award

Today the JSON Web Token (JWT) and JSON Object Signing and Encryption (JOSE) specifications were granted a Special European Identity Award for Best Innovation for Security in the API Economy. I was honored to accept the award, along with Nat Sakimura and John Bradley, on behalf of the contributors to and implementers of these specifications at the European Identity and Cloud Conference. It’s great to see this recognition for the impact that these specs are having by making it easy to use simple JSON-based security tokens and other Web-friendly cryptographically protected data structures. Special thanks are due to all of you who have built and deployed implementations and provided feedback on the specs throughout their development; they significantly benefitted from your active involvement! These specifications are: The authors are: Dirk Balfanz, Yaron Goland, John Panzer, and Eric Rescorla also deserve thanks for their significant contributions to creating these specifications.

Escaping the Black Holes of Centralization

Turkey shut down Twitter today. Prime Minister Recep Tayyip Erdoğan announced, “We now have a court order. We’ll eradicate Twitter. I don’t care what the international community says. Everyone will witness the power of the Turkish Republic.” (Hurriyet Daily News) He also said Turkey will “rip out the roots” of Twitter. (Washington Post)

Those roots are in the Internet. This is a good thing. Even if Turkey rips the roots out of the phone and cable systems that provide access to the Net, they can’t rip out the Net itself, because the Net is not centralized. It is distributed: a heterarchy rather than a hierarchy. At the most basic level, the Net’s existence relies on protocols rather than on how any .com, .org, .edu or .gov puts those protocols to use.

The Net’s protocols are not servers, clouds, wires, routers or code bases. They are agreements about how data flows to and from any one end point and any other. This makes the Internet a world of ends rather than a world of governments, companies and .whatevers. It cannot be reduced to any of those things, any more than time can be reduced to a clock. The Net is as oblivious to usage as are language and mathematics — and just as supportive of every use to which it is put. And, because of this oblivity, The Net supports all without favor to any.

Paul Baran contrasted centralized systems (such as governments), decentralized ones (such as Twitter+Facebook+Google, etc.) and distributed ones, using this drawing in 1964:

Design C became the Internet.

It appealed to military folks because it was the best design for surviving attack. Even in a decentralized system there are central points of vulnerability where a government can spy on traffic or knock out a whole service. The “attack surfaces” of a distributed system are no larger than a single node or a single connection, so it’s much harder to bring the whole thing down. This is why John Gilmore says “The Internet interprets censorship as damage and routes around it.” No doubt this is happening right now in Turkey, just as it is in China and other countries that block sites and services on the Net. It might not be easy, but it is do-able by design. That design is not about hard fixed administrated lines, but voluntary connections, or what Bob Frankston calls ‘DIY connectivity’.

Twitter’s centralized nature makes it a dot in the star-shaped designs of A and B. That dot becomes a black hole when powerful actors like the Turkish and Chinese governments “eradicate” it. We need to bear this in mind when we design and use centralized systems — and even decentralized ones.

It helps to recognize that some things — such as being social with each other — do not require centralized systems, or even decentralized ones. They can be truly distributed, heterarchical and voluntary. Just as we have freedom of speech and association in any free society, we should have the same on the Net. And, at the base level, we do.

But this isn’t easy to see, for five reasons:

  1. We do need centralized systems for doing what only they can do
  2. Existing building methods and materials make it easy
  3. The internet is also a “network of networks” which at the backbone and “provider” level (the one you access it through) is more like a combination of B and C — and, because you pay providers for access, it’s easy to ignore C as the virtuous base of the whole thing
  4. After eighteen years of building centralized systems (such as Twitter) on the Net, it’s hard for most people — even geeks familiar with the Net’s base design — to think outside the box called client-server (which some of us call calf-cow)

A great way to avoid the black hole of centralization is to start from the fully distributed nodes that each of us are, designing and building first person technologies. And I have a specific one to recommend, from Customer Commons:

This is Omie:

She’s the brainlet of Customer Commons: She is, literally, a clean slate. And she is your clean slate. Not Apple’s. Not Google’s. Not some phone company’s.

She can be what you want her to be, do what you want her to do, run whatever apps you want her to run, and use data you alone collect and control.

Being a clean slate makes Omie very different.

On your iPhone and iPad you can run only what Apple lets you run, and you can get only from Apple’s own store. On an Android phone you have to run Google’s pre-loaded apps, which means somebody is already not only telling you what you must do, but is following you as well.

Omie uses Android, but bows to Google only in respect of its intention to create an open Linux-based OS for mobile devices.

So Omie is yours, alone. Fully private, by design, from the start.

Omie needs crowdfunding. More specifically, she needs somebody who is good at doing crowdfunding videos, to help us out. We have the script. If you’re up for helping out, contact me. I can be DM’d via @dsearls, or emailed via my first name @ my last name dot com. Thanks!

Short Attention Spasm Theater

This post is a hat tip toward Rusty Foster’s Today In Tabs, which I learned about from Clay Shirky during a digressive conversation about the subscription economy (the paid one, not the one Rusty and other free spirits operate in), and how lately I’m tending not to renew mine after they run out, thanks to my wife’s rational approach to subscriptions:

  1. Don’t obey the first dozen or so renewal notices because the offers will get better if you neglect them.
  2. See if you miss them.
  3. If you don’t miss them, don’t renew.

While thinking about a headline for this post, I found that searches for theater and theatre are both going down, but the former seems to be holding a slight lead.

While at Google Trends, I also did a humbling vanity search. Trust me: it helps not to give a shit.

Other results: tired is up… stupid still leads dumb, but dumb is catching up… Papua New Guinea leads in porn. And Sri Lanka takes the gold in searches for sex. They scored 100. India gets the silver with 88, and Ethiopia settles for the bronze with 87. Out of the running are Bangladesh (85), Pakistan (78), Nepal (74), Vietnam (72), Cambodia (69), Timor-Leste (67) and Papua New Guinea (66) — perhaps because porn is doing the job for them.

Michael Robertson continues to invent stuff. His latest is Clock Radio, a Chrome browser extension that lets you tune in, by genre or search, to what’s playing now on the world’s Internet radio stations. Links: bit.ly/ClockRadio & bit.ly/ClockRadioVideo. Here’s what mine looks like right now:

I’m not surprised (and I don’t know why) that most of the stations playing music I like are French.

David Drummond, SVP, Corporate Development and Chief Legal Officer at Google, will talk about The Fight for Internet Freedom tomorrow at Stanford. Register by 5:30pm Pacific, today. @Liberationtech is hosting. Oh, and Google Fiber may be coming to your city.

George Packer says Amazon may be good for customers but bad for books, because Amazon is a monopoly in that category. Paul Krugman meanwhile says the same kinda thing about Comcast, and the whole cablecom biz. He’s not alone. Nobody likes the proposed Comcast acquisition of Time Warner Cable, other than Comcast, their captive regulators and their big-biz amen corner in what’s left of the press. (Watch: it’ll pass.) FWIW, Quartz has some nice charts explaining what’s going on.

What’s the word for a business nobody dominates because basically the whole thing, as we knew it, looks like Florida a week after Chicxulub? That’s what we have with journalism. The big reptiles are gone or terminal. The flying ones are gonna be birds one of these eras, but for now they’re just flying low and working on survival. For a good picture of what that looks like, re-dig A Day in the Life of a Digital Editor, 2013, which Alexis Madrigal posted in The Atlantic on March 13 of last year. In it he said,

…your total budget for the year is $12,000, a thousand bucks a month. (We could play this same game with $36,000, too. The lessons will remain the same.) What do you do?

Here are some options:

1. Write a lot of original pieces yourself. (Pro: Awesome. Con: Hard, slow.)
2. Take partner content. (Pro: Content! Con: It’s someone else’s content.)
3. Find people who are willing to write for a small amount of money. (Pro: Maybe good. Con: Often bad.)
4. Find people who are willing to write for no money. (Pro: Free. Con: Crapshoot.)
5. Aggregate like a mug. (Pro: Can put smartest stuff on blog. Con: No one will link to it.)
6. Rewrite press releases so they look like original content. (Pro: Content. Con: You suck.)

Don’t laugh. These are actual content strategies out there in the wilds of the Internet. I am sure you have encountered them.

Myself, I’m very partial to one and five. I hate two and six. For my own purposes here, let’s say you do, too, and throw them out.

That leaves three and four…

You’re reading #4. Flap flap flap…

Speaking of trash talk, Polygon says NBA 2K14 gives you a technical foul for swearing at the game.

I like the Fargo2 model:

Want to know where your Internet comes from? Look here. While it lasts. Because what that describes is infrastructure for the free and open world wide Internet we’ve known since the beginning. Thanks to the NSA spying, national leaders are now floating the idea of breaking the Internet into pieces, with national and regional borders. That seems to be where Angela Merkel is headed by suggesting a Europe-only network.

Progress: there’s an insurance business in protecting companies from data breaches. No, they’re not selling it to you, because you don’t matter. This is for big companies only.

Finally, because you’re not here — or you wisely don’t want to be here — dig what parking in New York looks like right now, after two weeks of snow, rain, freezing, melting and re-freezing:

parking in NYC

Let’s hope it thaws before alternate side parking goes back into effect.