Wednesday, June 03, 2009

Working currently on a RelaxNG project, I needed to automate conversion of RNG schemas to a W3C-compliant schema in NetBeans. The tool I used to perform the transform is Trang. I added this macro to the build.xml file:

<macrodef name="rng2xsd" description="Conversion from RNG to XSD schemas">
    <attribute name="rng" />
    <attribute name="xsd" />
    <sequential>
        <echo message="Convert RNG schema (trang/oxygen): @{rng}"/>
        <java classname="com.thaiopensource.relaxng.translate.Driver"
               failonerror="true" maxmemory="128m" fork="true">
            <arg value="-I"/>
            <arg value="rng"/>
            <arg value="-O"/>
            <arg value="XSD"/>
            <arg value="@{rng}"/>
            <arg value="@{xsd}"/>
            <classpath>
                <pathelement location="resources/tools/trang-20081028.jar"/>
            </classpath>
        </java>
    </sequential>
</macrodef>

All necessary libraries reside in the ./resources/tools directory. Now, in order to use this macro on a number of RNG files, I decided to use the <for> directive from ant-contrib. James Allen has good instructions on how to integrate ant-contrib within NetBeans (or arbitrary ant environments) without having to drop the ant-contrib Jar into the ant/NetBeans installation.

<target name="convertRng2Xsd">
    <echo message="Converting RNG Schemas..."/>
    <mkdir dir="${xsd-schemas}"/>
    <for list="${rng-files}" param="file">
        <sequential>
            <rng2xsd rng="${rng-schemas}/@{file}.rng" xsd="${xsd-schemas}/@{file}.xsd" />
        </sequential>
    </for>
</target>

Here I am iterating over the ${rng-files} property, which contains a comma-delimited list of the RNG files you want to convert (without the .rng extension). I filled this through <pathconvert>:

<pathconvert property="rng-files" pathsep=",">
    <mapper>
        <chainedmapper>
            <flattenmapper />
            <globmapper from="*.rng" to="*" />
        </chainedmapper>
    </mapper>
    <path>
        <fileset dir="resources/schemas" includes="*.rng" />
    </path>
</pathconvert>

Obviously, these XSDs can then be used with any other tools, such as JAXB.
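
Added example, not part of the original post: a complete build.xml that ties the pieces above together, loads ant-contrib from the project tree through a taskdef, and fails early when no .rng files are found. The ant-contrib jar file name and the build/xsd output directory are assumptions.

```xml
<project name="rng2xsd-demo" default="convertRng2Xsd" basedir=".">
    <property name="rng-schemas" location="resources/schemas"/>
    <property name="xsd-schemas" location="build/xsd"/> <!-- assumed output dir -->
    <!-- antlib.xml is the ant-contrib resource that defines <for> -->
    <taskdef resource="net/sf/antcontrib/antlib.xml">
        <classpath> <!-- jar file name below is an assumption -->
            <pathelement location="resources/tools/ant-contrib.jar"/>
        </classpath>
    </taskdef>
    <!-- Top level, so rng-files is set before any target runs -->
    <pathconvert property="rng-files" pathsep=",">
        <mapper>
            <chainedmapper>
                <flattenmapper/>
                <globmapper from="*.rng" to="*"/>
            </chainedmapper>
        </mapper>
        <path><fileset dir="${rng-schemas}" includes="*.rng"/></path>
    </pathconvert>
    <macrodef name="rng2xsd">
        <attribute name="rng"/>
        <attribute name="xsd"/>
        <sequential>
            <java classname="com.thaiopensource.relaxng.translate.Driver"
                  failonerror="true" maxmemory="128m" fork="true">
                <arg line="-I rng -O XSD"/>
                <arg value="@{rng}"/>
                <arg value="@{xsd}"/>
                <classpath>
                    <pathelement location="resources/tools/trang-20081028.jar"/>
                </classpath>
            </java>
        </sequential>
    </macrodef>
    <target name="convertRng2Xsd">
        <!-- pathconvert yields an empty string when nothing matched -->
        <fail message="No .rng files found in ${rng-schemas}">
            <condition><equals arg1="${rng-files}" arg2=""/></condition>
        </fail>
        <mkdir dir="${xsd-schemas}"/>
        <for list="${rng-files}" param="file">
            <sequential>
                <rng2xsd rng="${rng-schemas}/@{file}.rng" xsd="${xsd-schemas}/@{file}.xsd"/>
            </sequential>
        </for>
    </target>
</project>
```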

Wednesday, June 03, 2009 2:00:09 PM (Eastern Standard Time, UTC-05:00)

Friday, May 29, 2009

This is a happy Friday afternoon rant.

I am still following the headlines for Sun (as long as that is still possible), and today I found an interesting headline: "Oracle Should Spin/Sell Sun Hardware Unit, Analyst Says". Well, interesting enough, I open the article, expecting some deep insight into what is going on. Unfortunately, the full report was not available, but the blog did mention the $23 target set by the analyst, and that he would not know who might be interested in buying the Sun hardware business from Oracle.

Wow, impressive. Unless there is a lot of interesting detail in that research report (which is not available on AmTech's website), this is completely trivial: yeah, Oracle holding on to Sun's hardware business seems illogical from the outside. Good thing we have an analyst telling the world that. And Oracle will soon be at $23? I would never have guessed that, given that they are currently at about $20, the market is pointing upward, and there is a good chance that the market will see the completion of the acquisition some time in the summer as something positive.

I think that I should consider a second career as software industry analyst: Money for nothing and the chicks for free...

Friday, May 29, 2009 4:24:50 PM (Eastern Standard Time, UTC-05:00)

Thursday, May 14, 2009

Trust is one of those concepts in IdM that are hard to define or measure, yet are at the basis of most of our transactions. There are a few different ways to look at trust or capture its essence, including reputation systems, assurance frameworks, and similar solutions. At the end of the day, however, it most often comes down to this:

Basic law of trust (BLT): Alice will only trust Bob in a transaction, if the benefits outweigh the perceived risk plus her personal margin of safety.

Sometimes there are situations where we MUST trust another party (through legal requirements or lack of other options), but these can be seen as special cases.  

Now, applying the BLT, one has to manage both parts of the equation: risk (including the safety margin) and benefits. The benefits can be rather manifold, and cover all aspects of internet usage: services, purchases, personal enjoyment.

The risk on the other side can also fall into different categories: financial, reputation, legal, etc. In many cases the financial risks are most prominent: for example, when I buy some book on the internet, how can I be assured that (i) I really get the book, and (ii) my financial and personal information (shipping address) is safe and not misused. Obviously, I do have to trust the retailer and his ecosystem of partners (payment provider, shipping company, etc.) to perform the requested services to my satisfaction.

Reputation of the retailer does play a critical role: if I personally know people that had a good shopping experience at the retailer, and in addition know that there are (apparently?!) many good reviews by people I do not know, I am tempted to assume that the risk is not too big. At the end of the day however, it really comes down to this:

Financial trust - sue and collect: Alice will only trust Bob, if - in case something goes wrong - Alice has legal recourse and can expect Bob to be able to pay sufficient damages.

I am not 100% sure if this is really at the foundation of trust in commercial transactions, but it seems to be at least one important factor. Obviously this is not a very optimistic point of view, hence the title of the blog entry.


Thursday, May 14, 2009 7:56:58 AM (Eastern Standard Time, UTC-05:00)

Tuesday, May 12, 2009
Ok, fair enough - I give up: now on Twitter: @beuchelt. Big question: what are people using to keep up with Twitter? Right now I got the MicroBlog plugin for Pidgin, but I am not 100% sure if I like it.

Tuesday, May 12, 2009 8:04:20 AM (Eastern Standard Time, UTC-05:00)

Monday, May 11, 2009
When I read Larry Seltzer's piece on H.R. S 773 IS, I fell into a constant nod about the issues he raised. In addition, I have two more:

SEC. 11 (a): Lofty goals, but these seem rather obvious, since they have been at the heart of any computer security research for a rather long time.

SEC. 14: This section empowers the Secretary of Commerce with very far-reaching powers, especially since 'critical infrastructure' is so woefully underspecified.

In general, I am very unhappy with the bill's vagueness and lack of definition, especially since there are enough provisions (such as SEC. 17 - see Larry's comments) that can significantly impact the civil liberties of all U.S. persons. The intent of the bill seems honest enough, but in order for this to not backfire, a lot more work needs to go into a more robust draft.

Monday, May 11, 2009 11:43:30 AM (Eastern Standard Time, UTC-05:00)

Tuesday, April 14, 2009

The excellent article "Security and Data Sharing" by Mark Richard and Leslie Lebl points to a few very important ramifications that the less than ideal current data sharing situation with the E.U. brings and what the ratification of the horrible Lisbon Treaty would mean for the future of international security cooperation. The article also mentions the potential positive effects of the U.S.-E.U. MLAT framework.

What really caught my attention, though, was the authors' regard for the supposedly high European standards for data protection and privacy. They are correct in assessing that the implementation of the Privacy Directive varies within the various member countries, with countries like Spain or some of the relatively new members not paying too much attention to privacy issues at all. At the same time, Germany is portrayed as having a very high standard of privacy and PII data protection. Unfortunately, this is not at all the case:

While many middle-aged Germans do remember the strong controversy about the 1983 census (which was relatively harmless in itself) and the German supreme court even recently emphasized a basic right to privacy protection, the implementation in the real world is a far cry from the supposed nirvana of "information self-determination".

First, it seems prudent to make a fundamental difference between the rights of the German population vis-à-vis the private sector and government. When dealing with private entities, Germans do actually enjoy a fairly high level of control over what information someone might legally store about them, how it is used, and when it has to be amended or destroyed. Reality paints a somewhat different picture, though. Over the last few months, a number of scandals have surfaced, cutting across the entire spectrum of privacy invasions: large companies have spied on their employees and customers using hidden cameras or collected and used profile data without their knowledge. Beyond that, a number of shady address collection agencies have sold millions of records including financial information. In some cases, significant sums of money were misappropriated by thieves that automatically drafted funds from bank customers through the ACH. Obviously, these criminal acts (at least those that have surfaced) are being investigated, and hopefully the judicial system will be able to mediate the harm done.

The situation with respect to government privacy intrusion is much more dire, though, and it would be fair to state that any resident in the U.S. enjoys a much higher level of government intrusion than any German ever had. For starters, every German (in fact, European) is now issued at birth an 11-digit taxpayer identification number that is unique and valid over their entire life. One might argue that the SSN is very similar in this respect, but there are two significant differences: (i) no U.S. resident is *legally required* to obtain an SSN and (ii) the FTC and the other government agencies have realized the ID-Theft threat that such an identifier poses and there is active work to limit the use of SSNs.

But the issues go far beyond unique identifiers: every resident of Germany is legally required to notify city hall within 30 days if they move - either within their street or across the country. Interestingly enough, this data is readily available to any interested private company, and some 400+ towns and cities have made some nice extra cash by selling off these lists. In addition, all residents are required to own a national ID-card, which will soon contain their digital photo, fingerprint, and a practical RFID chip for easy data skimming.

This list goes on, and includes absurd stories of mandatory public broadcast fees (which are sometimes collected from residents that have been dead for more than 400 years - but, being Germany, they do have to pay.. or at least the church where they are buried). At the end of the day, the de-facto privacy protection in Germany is not at all better than e.g. in the U.S., where at least a strong vertical and horizontal division of powers and an active community prevents a centralization that has become so typical for Europe.

Tuesday, April 14, 2009 11:52:52 AM (Eastern Standard Time, UTC-05:00)

Tuesday, March 10, 2009

After my initial irritation about Massachusetts Governor Patrick's ideas about creating a state-wide Big Brother register of citizens' location died down, I just heard this morning about another state ignoring the "right to be left alone": Oregon is rolling out a GPS-based car tracking system pilot for taxing highway usage based on mileage.

Aside from the fact that this is one of the worst ways of invading the privacy of motorists that one can possibly think of[1], there are some obvious absurdities associated with such a system:

  1. It will cost a lot of money and time to build a surveillance system that is capable of tracking all cars on all highways at all times. The money wasted on spying on citizens would be better spent on repairing roads.

  2. Since the current federal administration does not seem to be supportive of this idea (as Secretary Gibbs indicated), there will be initially a slew of local, most likely non-interoperable systems, that can only track the cars registered in a particular state. Out-of-staters will have to be free-riders or they cannot use the state's highway system. Imagine that: "No New Hampshire cars are allowed on Massachusetts highways" ... ouch!

  3. Eco-friendly cars with excellent gas mileage will be disadvantaged under the current plan to replace the gas tax with a mileage-based system: they will not qualify as zero-emission vehicles (like electric cars that get charged on coal- or oil-generated electricity) and thus buying an efficient car will be discouraged. Unless - of course - the mileage tax is only in addition to the existing gas tax.

  4. There will be security breaches - that is just a fact of life. The best way to avoid additional PII data being stolen is not to collect the data in the first place.

What I find most annoying and telling is the fact that there is already a very simple and obvious solution to tax per mile: as far as I know every state already has a yearly safety inspection, at which the odometer reading is read. The states could then prorate past usage to determine a monthly (or yearly) street usage fee, WITHOUT having to invade people's personal lives.

[1] It is on par with the absurd German proposal of a "Strecken Radar" - a system that keeps track of all cars between two points to determine the average speed and automatically write speeding tickets.


Tuesday, March 10, 2009 9:57:57 AM (Eastern Standard Time, UTC-05:00)

Friday, March 06, 2009

Totally off-topic, but I really feel like communicating this: After 9 years in Massachusetts, I can now proudly claim to be a U.S. citizen! Along with 2717 other candidates, I took my Oath in the Hynes Convention Center in Boston and may now feel as a part of the family...

Here are a few pictures:

It's been only 2 hours of waiting so far ...

2717 new Americans

The speech.

Friday, March 06, 2009 8:54:33 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.