Friday, February 29, 2008
Pat, Ben, and Kim have been talking about using password tokens with Windows CardSpace. Pat's detailed description of how this could work is quite useful, and can be extended in some interesting ways:

1. Create a single-use password deployment

If we change the default WS-Sec username/password token to include not only the username and the password needed to log in, but also a second, newly IdP-generated password that replaces the old one on the RP, we would get a single-use password. This might be quite useful for improving the security of the system.

For the rest of this article, I will call such a token "Extended Username/Password token" (EUPT).

2. Creating an account at the RP

One of the things Kim has an issue with is that, for bootstrapping into a CardSpace password manager setup, the user would be required to enter the initial password into a web form. I agree that this *is* bad, but an extended username/password token could help here, too:
When the user does not yet have an account at the RP, he will need to login at a special URL. That URL accepts cards that support EUPTs. When the user creates the account, the RP will accept an EUPT with *any* values. These initial values (username AND password) are randomly generated at the IdP. Upon receipt of the EUPT, the RP stores the username and the initial password and associates it with the newly created account.
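
The two flows above (sign-up with IdP-generated values, then a rotating single-use password) as a small in-memory simulation. This is an added example, not code from CardSpace or from the people named in this post; the class and field names, the PBKDF2 storage at the RP, and sending the initial password in both fields at sign-up are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class EUPT:
    username: str
    password: str       # value the RP currently has on file
    next_password: str  # IdP-generated replacement for the next login

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class IdentityProvider:
    def __init__(self):
        self._state = {}  # rp_id -> (username, password the RP holds now)

    def issue(self, rp_id: str) -> EUPT:
        if rp_id not in self._state:  # sign-up: random username AND password
            user, pw = secrets.token_hex(8), secrets.token_urlsafe(24)
            self._state[rp_id] = (user, pw)
            return EUPT(user, pw, pw)
        user, current = self._state[rp_id]
        new = secrets.token_urlsafe(24)
        self._state[rp_id] = (user, new)  # assumes the token reaches the RP
        return EUPT(user, current, new)

class RelyingParty:
    def __init__(self):
        self._accounts = {}  # username -> (salt, derived key), no cleartext

    def _store(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = (salt, _kdf(password, salt))

    def register(self, t: EUPT) -> bool:
        # Sign-up URL: any values are accepted, but only for an unused username.
        if t.username in self._accounts:
            return False
        self._store(t.username, t.password)
        return True

    def login(self, t: EUPT) -> bool:
        salt, key = self._accounts.get(t.username, (b"\0" * 16, b""))
        if not hmac.compare_digest(_kdf(t.password, salt), key):
            return False
        self._store(t.username, t.next_password)  # old password is now dead
        return True
```

A token that was issued but never delivered leaves the IdP one password ahead of the RP, so a real deployment needs a recovery path for that case.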

--

Time permitting, I will work with Pat to get this done, at least on the IdP side.

Friday, February 29, 2008 12:31:30 PM (Eastern Standard Time, UTC-05:00)
Tuesday, February 19, 2008
I had a SunBlade 1000 (UltraSPARC III based) system available, so I started on a Friday afternoon project of getting Ubuntu installed on this box. Here is what I did to get a running system, including a Gnome desktop:

1. Get the Gutsy ISO image from http://ubuntu.com/ and burn it. You must select the UltraSPARC version, which is - unfortunately - only available for Ubuntu server (more about this below).

2. Run the installer from the CD. This should be fairly straightforward, but different if you are only used to the desktop edition of Ubuntu. For starters, there is no Live CD with X windows functionality included.

3. You should have a running Ubuntu server system by now. Now in order to get the windowing environment, you need to login and get the entire desktop:
    user@host:~> sudo apt-get install ubuntu-desktop
This should work for the kubuntu, xubuntu, etc. desktop as well. Good luck trying.

4. During the install, you will likely be prompted to configure Xorg. If this fails for any reason, you can reconfigure X by
    user@host:~> sudo dpkg-reconfigure xserver-xorg
or even
    user@host:~> sudo Xorg -configure

5. By now you should be able to start a naked Xorg server, e.g. by running
    user@host:~> Xorg & sleep 15 ; killall Xorg
This command will kill the X server after 15 seconds, in case the keyboard mapping does not support <Ctrl> <Alt> F1 console switching (try it out).

6. My system has an Elite3D graphics board (sunffb), and even though Xorg would start just fine by itself, when starting X through the gdm, the X server would die after a split-second. To overcome this, I added an option to the gdm.conf file:
Locate the command=/usr/bin/X line in the [server] section of gdm.conf. You need to add the following option at the end of this line:
    +XINERAMA
Apparently, gdm probes for Xinerama support, and the Xorg server for the sunffb will die when being probed without enabling this.

7. After rebooting, the login screen should appear now.

Tuesday, February 19, 2008 2:42:02 PM (Eastern Standard Time, UTC-05:00)
Tuesday, January 29, 2008
There are quite a few indications that the hopes for an industry backed, ad-supported music exchange were - at the least - too early. Maybe it's a scam, maybe it is just a test-balloon, but in a world of iTunes hating music companies, this scheme did make some sense...

Tuesday, January 29, 2008 9:07:10 PM (Eastern Standard Time, UTC-05:00)
Sunday, January 27, 2008

Maybe, maybe: there are signs on the horizon that the content industry will finally come to grips with the harsh reality that their old models just do not work anymore the way they used to: enter Qtrax, a free, ad-supported P2P network that claims to have the blessings from a bunch of major labels, including Sony/BMG and EMI. Qtrax will launch tonight, so soon we will know more.

Overall, this might be a sign that the RIAA monopoly is finally understanding that suing their customers is not a good way of advertising your goods. And while MP3s are not exactly the encoding that HiFi fans' dreams are made out of, it is still an interesting start into a hopefully much brighter future.

There are a few things that really interest me:

  • They are using the Mozilla rendering engine. That is a good thing. Period.

  • They promise iPod compatibility. Hmm.. this sounds odd, since the iPod is quite capable of playing back MP3s. Now - assuming for the moment that they are using MP3s - why would you need to make the iPod compatible? Unless there is some sort of DRM or platform lock-in included ... we will see in about 3.5 hours ;-)

  • Who will be the ad source, i.e. which advertising seller will get the opportunity to get access to a potentially gigantic market? While I have absolutely no idea, I'd be surprised if the name of that company started with a 'G'.

  • How will Apple and the market react? At the end of the day, this whole thing is a thinly-veiled attack against Apple's extremely strong position with the iPod and iTunes. If Qtrax can offer a similar level of ease-of-use, Mr. Jobs will have to do some very creative thinking.

  • What is their Linux story? Or - to rephrase the question in a more interesting way: What is their open source/open specification story? I can see that they are not particularly interested in opening up their platform, as this would directly undercut their ad-based business model. But will they allow ports or make the engine at least reasonably portable to other OSes, including Linux, but also Symbian or other cell-phone OSes (and - of course - OpenSolaris)?

We will see ... soon.

Sunday, January 27, 2008 8:17:12 PM (Eastern Standard Time, UTC-05:00)
Friday, January 25, 2008

For years I have been playing around with all kinds of computer based TV and multi-media solutions and toys: Windows MCE in its various editions from 2004 to Vista, early versions of MythTV and proprietary stuff. Until now none of these were really at a point where they were actually useful for a family room:

While Windows did have a reasonable UI from the start, the fact that it recorded to a highly proprietary format with nasty DRM implication was a deal-killer right from the start. Some of the tuner-cards (like ATI) attempted to mitigate this by bundling plugins for MPEG-2 conversion, but these were implemented rather clumsily and had frequent failures.

MythTV was - until recently - also more of a geek toy: nice for my lab or office, but nothing I could really throw at my family. Now, with the 0.20 config found in the Gutsy release of Mythbuntu, MythTV takes a rather large leap towards usability. 

  • The UI is basically usable and driver support (especially for the tuner cards) is becoming acceptable. I am using a WinTV HVR-950 USB stick now with my digital-over-the-air setup and there is not a lot more I could ask for in terms of device support.

  • The proprietary NVidia drivers are good enough and support the motion extensions that are needed to offload motion processing to the GPU.

  • For audio, I require at the very least S/PDIF support (mostly for lossy Dolby Digital, but there is no other format like e.g. MLP being used for digital TV at this time), which has been quite painful, but ultimately doable.

  • There seems to be decent remote support, but I am right now still fighting with my old ATI Remote Wonder (I think that I will cave in here at some point in time though).

The by far most important factor for family room usability for me is RTC wakeup: I could not bear having a computer with its nasty fans running all the time. Enter ACPI controlled RTC wakeup: using a couple of scripts[1], I was able to make the MythTV box boot up in time for any show that I wanted to record. Very cool.

One thing that I was fighting with in the end was a problem with the way MythTV could be shut down automatically after an unattended recording session. For this, MythTV provides mythwelcome(1) which is a helper program to start the MythTV frontend[2]. The trick that made it work for me was to instruct[3] mythwelcome(1) to not start mythfrontend(1) automatically: This overcomes a problem with session management in Ubuntu and mythwelcome, and allows the box to shut down automatically after it completed recording.

Bottom line is that I am quite happy with my MythTV box for now.

[1] There are quite a few tutorials on ACPI wakeup out there, many using nvram-wakeup. Discard all these, and only use those centered on /proc/acpi/alarm, instead (if you can).

[2]  Mythbuntu Gutsy is actually quite smart about using mythwelcome(1): You only need to go into /etc/mythtv/session-settings and enable the welcome shell. No need to change the mythstartup.sh script.

[3] Press the 'i' key while in mythwelcome(1) to configure this.

Friday, January 25, 2008 9:44:22 PM (Eastern Standard Time, UTC-05:00)
Tuesday, January 22, 2008

This is so brain-dead, it is actually quite funny: In a move to make sure that he will be seen - once again - as a brave contrarian, John Dvorak thinks that Oracle paid Sun to kill MySQL. After reading this article, I had to verify that this was not The Onion, but actually MarketWatch.

His argument is fairly simple: Sun has a bad track-record of M&A, so Larry Ellison forces his old buddy Scott ... ahmm, no wait, it's Jonathan now ... to buy MySQL and ruin it. To prove his point, Dvorak links to a list of recent Sun acquisitions that - allegedly - went bad.

Let's take a look at that list of "failures" again:

  • SavaJe - JavaFX Mobile

  • SeeBeyond - JavaCAPS

  • Tarantella - Secure Desktop

  • Waveset - Identity Manager

  • StarDivision - OpenOffice (my addition to the list)

Last time I checked, pretty much all of these above technologies were thriving, some of them actually driving at the leading edge of their respective markets and/or standards regimen. Have there been failures or less successful acquisitions? You bet - that happens practically everywhere. There were also some acquisitions that were mildly successful, and others that came to pay off in rather unexpected ways or much later (Cobalt and the Sun x86 story come to mind).

The MySQL acquisition was and still is nothing short of brilliant. Sun has a major league RDBMS now that is being used by virtually everyone in the (your favorite technology moniker here) 2.0 market. And while most of these organizations and individuals are happy with an unsupported open source model, there are still a lot of big companies that use MySQL who are in need of support and other services. This business model fits perfectly into the entire Sun software portfolio and long-term strategy.

It is probably a sign of the time that tech pundits and columnists are now far behind what is happening in the industry - especially when it comes to business models. On the other hand, Dvorak has been a commentator with a particularly bad track record of making predictions: think about his dismissal of the Macintosh mouse in 1984, his prediction of the iBook failure, his expectation that the iPhone will be a miserable failure, or even his prediction on Microsoft closing down, since the software market is supposedly dead.

The thing that is really sad is that there are even today people who read the name and the headline and assume that he has got a point. He doesn't.

Tuesday, January 22, 2008 10:14:04 AM (Eastern Standard Time, UTC-05:00)
Thursday, January 17, 2008

Dare wrote an interesting piece on why RESTful services are much better off without an interface definition language. He is especially picking up on Steve Vinoski's IDLs vs. Human Documentation post, which emphasizes human readable documentation over IDLs.

I am sure that Marc has a somewhat different opinion on this ...

Thursday, January 17, 2008 9:51:39 PM (Eastern Standard Time, UTC-05:00)
Wednesday, January 16, 2008

This makes total sense - and finally Sun gets a real database. I can think of at least 10 different major software products from Sun that would benefit enormously from switching from their respective current database platform to a single data store. I am really looking forward to having a single API and place to store structured data in Solaris and Java. Cool.

It reminds me also of the phrase someone coined: "LAMP is for boys, MARS[1] is for men."

[1] MySQL, Apache, Ruby, Solaris

Wednesday, January 16, 2008 8:18:00 AM (Eastern Standard Time, UTC-05:00)
Tuesday, January 15, 2008

A nasty experience, that I would like everybody to avoid if you can: A few months ago, my bank (NetBank) was acquired by a - by then to me - unknown bank called ING Direct. Having gone through this cycle a couple of times, I did not think a lot of it and trusted that this acquisition process would go as smoothly as the many I have experienced before. Boy, was I wrong.

During the acquisition process, we had our grand family vacation, and shortly after I had a couple of trips to California scheduled. During the vacation, my father-in-law passed away, and we had to arrange for travel and some fund transfers to Germany. The travel was quickly arranged, only the - otherwise perfectly simple - international wire transfer was suddenly impossible with this new bank. Over the course of a few weeks (during which I was not able to sit down at home and sort things out), the quality of service degraded steadily from good (prior to the acquisition), through horrible (prior to the complete conversion) to street robber courtesy (after the conversion to ING Direct).

Here is an example: with NetBank, I had a checking account and a money market account. Simple, nothing fancy. After the ING conversion, I ended up with two savings accounts, no ATM cards, and no checks. Transferring money from either of my "Orange" accounts to an external checking account was - essentially - impossible. Now, ING offers account linking of their savings accounts to an external checking account. I tried that, and it turned out that they had an incorrect social security number registered for both accounts. Ouch! After this was resolved (another 5 ING banking business days, i.e. 12 calendar days pass), they presented me with an online quiz about prior credits (the one you have to fill out to get your credit report online). Fine, unfortunately the credits/data presented had nothing to do with me, so they blocked the option to link accounts online.

And so on, and so on. Bottom line is that ING Direct and their representatives I talked to never even pretended that they were appreciating my business. In that category, they get big kudos for being honest. Everything else, including the online login, which could easily be inadvertently misused to get information about other customers, was an outright disaster.

So here is my verdict: even though they offer pretty decent interest, you will pay for this by having to deal with a customer service department that is only rivaled by United Healthcare for customer non-appreciation. Stay away.

Tuesday, January 15, 2008 10:33:46 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.