Thursday, 28 June 2007

Identity and Access Management (often referred to by identity geeks as IAM) is a field I have come to know and love. There's been a resurgence in the past few years in this space, brought on by a number of builders of critical mass. One of those drivers, in the financial services industry, was some "guidance" issued by the FFIEC (United States federal government agency that regulates banks) in 2005 that requires banks to use stronger authentication for online banking services (better than just user name and password). In addition, the general discomfort across all industries that use the Internet as a true platform for doing business has become a motivator, especially in the wake of multiple news cycles about fraud and data theft. In a nutshell, the Internet is a technology platform that is being used for something it was not originally architected to do, and as a result there are some critical gaps from a technology perspective - especially in the area of security. Many defensive "point" solutions have been cobbled together over the years to plug holes in the metaphorical levee, but at some point you have to start thinking about either building some serious reinforcements or - quite possibly - building a whole new dam to serve the needs.

Over the past couple years the open source community, Microsoft, and a number of other companies large and small have embarked on a bit of a shared crusade (and a good one, at that) to first redefine and then re-architect identity on the Internet, how it works and what the principles are that guide and drive Identity going forward. It's been a rare and refreshing community effort, and as a result we are starting to see some real-world traction in markets like financial services; interest is growing outside the circle of academics and programmers that are implementing the new systems. Interoperability is being seen as critical and that's likely the one thing that will drive success. And while we can design a great system that can solve all the world's ills, adoption is the second-to-final gauge of success in this case (longevity and strength are the final-final determining factor, but we can't truly get there without meaningful and across-the-industry adoption).

One of the architects of this whole concept in redefining and improving Identity on the Internet is Kim Cameron. He writes the Identity Blog (worth a subscription if you're not already there) and was the publishing author of his "Laws of Identity," or what he refers to as "the missing layer of the Internet." I had the good fortune to play host to Kim and his compadre, Rich Turner (both work for Microsoft) when they spoke at a security conference I hosted a couple months ago. They discussed identity in general as well as CardSpace, Microsoft's effort in the larger community effort to add this missing layer to the Internet schema.

Richard Turner is the Product Manager for Microsoft's Identity Platform Developer Marketing group and owns Windows CardSpace Product Management there. While at the Microsoft TechEd conference in Orlando a few weeks back, I found him and pulled him aside for about 45 minutes to chat with Richard Campbell and me for the RunAs radio show we do each week. You can hear the interview here:

RunAs Radio Show #12 | 6/27/2007 (47 minutes)
Richard Turner Checks Our Identity

Another Tech Ed US 2007 interview from Orlando, Richard and Greg sit down with Richard Turner and discuss how CardSpace impacts the IT professional. CardSpace (formerly code-named "InfoCard") is a key technology in Microsoft's Identity Platform.

Links: RunAs Radio web site and RSS feed

As always, we welcome your input and ideas for the show - Just email info@runasradio.com and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear more about as we book our guests.



IT Security | RunAs Radio | Tech
Thursday, 28 June 2007 07:47:08 (Pacific Standard Time, UTC-08:00)

I recently ran up against a self-induced application disaster on my Blackberry 8800 (that's what I get for messing with stuff I know will probably break), so I needed to do a clean reset of the device to its factory defaults and then start over again from scratch. I'm not too keen on the idea of reloading the OS if I don't have to (with over the air configuration I have not used a USB cord on my blackberry except for once since I got it), so I started poking around trying to find the on-board reset capability (they call it "wipe" the handheld device). Nothing like trying to find a command deep in the bowels of a multi-layered system. But this is one that people should not find easy to choose accidentally...

So, since I finally found it, note to self for the next time I need it:

Blackberry "Wipe-Handheld" command list (at least for my 8800 - same or similar for other models)

  • Options menu 
  • Security Options
  • General Settings
  • Menu
  • Wipe handheld
  • Enter password ("Blackberry" or your business-assigned security password)

Useful if you're like me and have a tendency to muck around under the hood too much and gak things up. And yeah, that's a word. Gak.



Mobile | Tech
Thursday, 28 June 2007 06:43:08 (Pacific Standard Time, UTC-08:00)
 Wednesday, 27 June 2007

Scott posts about the latest dasBlog release, v1.9.7, which you can download and use now. He also discusses the pending (within a week) release of dasBlog v2.0, which will be compiled using the 2.0 .NET framework, and even additional versions planned under framework v3.5. Lots happening in dasBlog land.

Among the new, improved and changed stuff in v1.9.7 (the below list is quoted from Scott's blog):

  • Fixed a metric buttload of bugs (ed: Scott's word, not mine, heh)
  • Taken in more patches from the public than any other release (Thanks public!)
  • Category and Home Page Paging Macros
  • LiveComment Preview (thanks SubText!)
  • Emailed Daily Activity Reports
  • Windows Live Writer Custom Integration
  • Support for Akismet Comment Spam Support
    • Go get a WordPress account, without a blog, and use the API key they'll send you.
  • Optionally show comments on the Permalink Page
  • Even more performance gains (4x+) in the Macro engine
  • New Internationalized Languages, including Swedish (Thanks Per Salmi!)
    • This brings our total supported language count up to 15! Although we can ALWAYS use more, and we really need double-checkers and updaters to put in localized strings for some of the new features!
  • Support for Blogging directly from Word 2007
  • Many fixes in our Blogger API and MetaWebLog API support
  • Better detection of referrals from Search Engines
  • CSS fixes and additions like highlighting of the Blog Author's comments
    • Make the comment email address match the email address in sitesecurity.config for this feature.
  • DHTML Timeline of Posts from the MIT Simile project
  • Support for SMTP Servers like Gmail for notifications
  • New themes
  • Support for THREE Rich Editors - FreeTextBox, FCKEditor and TinyMCE (in DasBlog Contrib, see the source)


Blogging | Tech
Wednesday, 27 June 2007 09:25:43 (Pacific Standard Time, UTC-08:00)
 Monday, 25 June 2007

Ah, fireworks. It's that time of year again. Some of you probably know that I'm a licensed pyrotechnician here in Oregon, where I live. That's what lets me run and operate public fireworks displays - the big ones, you know? Like here and here and here. Not the stuff you buy at the local stand or up on the reservation (common way around purchasing issues in these here parts), but rather the kind of explosives that make for huge (and expensive) shows. It's something I've been involved with for several years now, and a number of my friends like to help out on the Independence Day shows I do each year as well as the occasional other occasion. It's a lot of fun.

Well this year the fireworks display company I work for needs me to do a somewhat larger show in Walla Walla, Washington (yep it's a real town, not just a Bugs Bunny reference). So, in order to be able to run a show in Washington, I took my exam recently to be licensed in that state. Today (just in time, I might add), I got my license in the snail mail. I guess I passed the test. :)

Operating these shows is a big responsibility, and there are a lot of critical safety items to watch out for every time, but it's also a lot of fun and I do enjoy it when I get the chance to blow up someone else's stuff and not get in trouble in the process. I mean, where else can you destroy what someone else buys for thousands of dollars and have everyone cheering when you're finished? Heh.

For anyone in the Portland area that might be interested in spending your July 4th this year helping with a show, let me know and I will put you in touch with my friend Norm at Western Display and he'll probably be able (and glad) to set you up to assist with a show somewhere. Or, if you want to join me in Walla Walla for a couple days and don't mind making the hike over there, let me know as well and we'll see what we can work out. Or if you're in Walla Walla, even better. I'll be making a three-day deal out of it, including travel and setup and stuff. My cell phone is 503-970-1753. Call or text me. And you can find out a little more about what's involved in being a crew member at this link from a show last year as well as the links above.

Ker-freakin-boom. Heh.



Personal Stories | Random Stuff
Monday, 25 June 2007 20:39:42 (Pacific Standard Time, UTC-08:00)

In my line of work, we spend a lot of our time writing software that catches bad guys and keeps them out of systems that require protection. So, in the course of building good security and forensics software I often work closely with partner companies that bring something valuable to the table - technology that we might include or integrate with but would not build ourselves. One of the technology areas that adds value to what we do is the business of Internet Protocol (IP) address intelligence and geolocation. The ability to glean a variety of valuable information about any given IP address or block provides the opportunity for both intelligent and - if the partner does their job well - reliable decision making, in a manner not otherwise possible. Imagine your application being able to present information or make decisions based on the actual physical location of a user, or based on the type of connection they are making. In the case of the software I've been involved with creating, IP intelligence is a key capability that helps to enhance the products.

So, for last week's RunAs Radio interview, we sat down with an expert in the field, Bill Varga, who works for a company out of Mountain View, California called Quova - one of the partners I have worked with for a few years now. They do IP geolocation and IP intelligence - and that's their business. They're focused on that market and they're very good at it. IP intelligence is a world that is growing quickly and always generates ideas and thought when brought up for discussion. The applications of IP-related metadata are many, and Bill effectively describes them in our interview. He also discusses some of the new things Quova is doing in the field.

RunAs Radio Show #11 | 6/20/2007 (38 minutes)
Bill Varga Makes Us IP Intelligent

Richard and Greg talk to Bill Varga about what IP (that's Internet Protocol) Intelligence is all about. They also dig into how IP geolocation helps with regulatory compliance and fraud detection. Bill also talks about the new technology Quova (his employer) has developed that can deal with geolocation of satellite and megaproxy IP addresses.

Links: RunAs Radio web site and RSS feed

We welcome your input and ideas for the show - Just email info@runasradio.com and let us know what's on your mind! We might even read your email on the air, and we are always interested to know what you would like to hear about as we book our guests.



IT Security | RunAs Radio | Tech
Monday, 25 June 2007 07:37:43 (Pacific Standard Time, UTC-08:00)
 Saturday, 23 June 2007

eWeek has a good summary in their article "Analysts: iPhone Has Neither Security nor Relevance" with a number of links to other resources of the likely security problems introduced by (of not in - we'll see) the iPhone. Certainly the iPhone is not the only device where we have to worry about these types of problems, but let's face it: iPods and other mass storage devices are already too loosely allowed at many companies and organizations, and the hype surrounding the iPhone and the potential excitement of iPod owners can cloud judgement. Read Andrew Storm's article on the topic.

In contrast, Blackberry's enterprise services are well-secured and provide a whole slew of workable and effective controls that the iPhone can't even begin to match up with. In a nutshell, the iPhone is a consumer device that probably doesn't belong in the enterprise - at least not in its first version. Gartner plans to recommend businesses keep the iPhone out of the enterprise.

Also - sounds like typing on the on-screen keyboard is an index-finger exercise, not for thumb typers. So again, not so much an enterprise device. But we'll see all this stuff for ourselves in just a few days. The iPhone debuts on June 29th.

Note: I think the iPhone is a cool looking device and probably a great consumer item. I'm not knocking the device for consumers, just pointing out it's not appropriate for use in the enterprise. So before anyone starts with "iPhone/Apple-Hater" rhetoric, you can just stop. :)



IT Security | Mobile | Tech
Saturday, 23 June 2007 13:44:00 (Pacific Standard Time, UTC-08:00)