Friday, May 25, 2007

This is quite astonishing: I am sitting in a public elementary school in Massachusetts, happily booting my laptop to finish reading some PDF document. After logging in I suddenly notice that my wireless adapter picks up a network: 'linksys'. Amazed that some neighboring home reached into the school building with their WiFi access point, I quickly check the nameserver to see which ISP that access point is connected to: (name of town).mec.edu. What??? I am in the school network? No WPA/WEP, firewalls, proxy or anything.

Given the fact that the calendar shows the year 2007, I am now really astonished and shocked that the IT environment of an entire school system is exposed to the world through an unprotected WiFi AP.

The security, privacy, and potential ID theft implications are huge: I assume (though I cannot speak for certain, since I did not even try to touch any of the systems) that some of the systems in this infrastructure contain personally identifiable information about the school staff, teachers and even students. Even a well-patched and maintained system that is monitored by advanced intrusion detection software cannot necessarily replace a firewall that blocks incoming traffic. I just hope that, going forward, things like this will never happen again.

Friday, May 25, 2007 1:32:12 PM (Eastern Standard Time, UTC-05:00)
Thursday, May 24, 2007

For an exercise, I recently needed to generate a few Java classes from an XSD schema. "Well," I thought, "JAXB with its integrated XJC is your friend!" And so it is, but you might have to dig a little deeper.

The problem I was facing was a schema that had references to WS-Security, XML Encryption and XML Signature. As such, it imported all these schemas from the web using <xsd:import namespace="..." schemaLocation="http://..." />. Since xjc is pretty flexible, accessing these schemas on the web was a charm, even through the firewall. After all, this is much better than downloading all the referenced schemas (and all schemas they reference) and editing the imports to point to the right location in the file system.

Well, not so fast. In their infinite wisdom and foresight, the schema developers at OASIS and W3C decided to use different schema locations for XML DSig. They reference the same schema (with the identical namespace, obviously), but import it through different schemaLocation URIs. That confuses xjc to no end, since it detects a redefinition of the same components and gives up.

To resolve this problem, you can create an XML Catalog that lets you rewrite (or redefine) the URLs referenced in your schema, and hand it to xjc with the -catalog option. Here is an example:

<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <system
      systemId="http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"
      uri="http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd" />
</catalog>

This simple catalog maps the dated xmldsig-core location onto the undated one, so every import of the XML Signature schema resolves to a single URI and xjc sees one definition of the ds: namespace instead of two. A <system> entry matches exactly one system identifier; the XML Catalog specification also provides <rewriteSystem> for prefix-based rewriting and many more options, and it is good to know that xjc supports this. The same mechanism lets you point the schemaLocations at vetted local copies checked in next to the build (the uri attribute may be a relative or file URI), so that code generation no longer depends on fetching unauthenticated schemas over plain HTTP at every run.

While this is quite simple, I found it relatively hard to find concrete examples on how to use this mechanism.
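As an added illustration (my own, not part of the original post and not xjc or JAXB code), here is a small pre-flight check for exactly the failure described above: it parses a set of XSD documents, collects every <xsd:import> schemaLocation per target namespace, applies an OASIS XML Catalog (<system> and <rewriteSystem> entries) the way a catalog-aware resolver would, and reports namespaces that still resolve to more than one location. The two sample schemas and the second, local-copy catalog are constructed for the example; only the catalog entry from the post is taken from the page.

```python
"""Pre-flight check for the xjc 'same namespace, different schemaLocation'
problem.  Added example, not from the original post.  The sample schemas and
LOCAL_CATALOG are constructed for illustration; PAGE_CATALOG is the entry
shown in the post.
"""
import xml.etree.ElementTree as ET

XSD_NS = "http://www.w3.org/2001/XMLSchema"
DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
DATED = "http://www.w3.org/TR/2002/REC-xmldsig-core-20020212/xmldsig-core-schema.xsd"
UNDATED = "http://www.w3.org/TR/xmldsig-core/xmldsig-core-schema.xsd"

# Constructed stand-ins for two schemas that import XML Signature differently.
SAMPLE_SCHEMAS = [
    f"""<xsd:schema xmlns:xsd="{XSD_NS}" targetNamespace="urn:example:a">
  <xsd:import namespace="{DSIG_NS}" schemaLocation="{DATED}"/>
</xsd:schema>""",
    f"""<xsd:schema xmlns:xsd="{XSD_NS}" targetNamespace="urn:example:b">
  <xsd:import namespace="{DSIG_NS}" schemaLocation="{UNDATED}"/>
</xsd:schema>""",
]

# The catalog from the post: collapse the dated location onto the undated one.
PAGE_CATALOG = f"""<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <system systemId="{DATED}" uri="{UNDATED}"/>
</catalog>"""

# Constructed variant: pin both locations to one vetted local copy and send
# everything else under w3.org to a checked-in directory (paths are assumed).
LOCAL_CATALOG = f"""<?xml version="1.0"?>
<catalog xmlns="urn:oasis:names:tc:entity:xmlns:xml:catalog">
  <system systemId="{DATED}" uri="schemas/xmldsig-core-schema.xsd"/>
  <system systemId="{UNDATED}" uri="schemas/xmldsig-core-schema.xsd"/>
  <rewriteSystem systemIdStartString="http://www.w3.org/" rewritePrefix="schemas/w3c/"/>
</catalog>"""


def parse_catalog(catalog_xml):
    """Return (exact system map, prefix rules) from an XML Catalog document."""
    exact, prefixes = {}, []
    for el in ET.fromstring(catalog_xml):
        tag = el.tag.rsplit("}", 1)[-1]  # strip the catalog namespace
        if tag == "system":
            exact[el.get("systemId")] = el.get("uri")
        elif tag == "rewriteSystem":
            prefixes.append((el.get("systemIdStartString"), el.get("rewritePrefix")))
    # The catalog spec picks the longest matching systemIdStartString.
    prefixes.sort(key=lambda rule: len(rule[0]), reverse=True)
    return exact, prefixes


def resolve(system_id, catalog):
    """Resolve one schemaLocation: exact <system> match first, then prefixes."""
    exact, prefixes = catalog
    if system_id in exact:
        return exact[system_id]
    for start, prefix in prefixes:
        if system_id.startswith(start):
            return prefix + system_id[len(start):]
    return system_id


def collect_imports(schemas):
    """Map target namespace -> set of schemaLocation strings across schemas."""
    locations = {}
    for xsd in schemas:
        for imp in ET.fromstring(xsd).iter(f"{{{XSD_NS}}}import"):
            ns, loc = imp.get("namespace"), imp.get("schemaLocation")
            if ns and loc:
                locations.setdefault(ns, set()).add(loc)
    return locations


def conflicting_namespaces(schemas, catalog_xml=None):
    """Namespaces that still map to more than one location after resolution.
    A non-empty result is what makes xjc report a redefinition and give up."""
    catalog = parse_catalog(catalog_xml) if catalog_xml else ({}, [])
    conflicts = {}
    for ns, locs in collect_imports(schemas).items():
        resolved = {resolve(loc, catalog) for loc in locs}
        if len(resolved) > 1:
            conflicts[ns] = sorted(resolved)
    return conflicts


if __name__ == "__main__":
    print("no catalog:   ", conflicting_namespaces(SAMPLE_SCHEMAS))
    print("page catalog: ", conflicting_namespaces(SAMPLE_SCHEMAS, PAGE_CATALOG))
    print("local catalog:", conflicting_namespaces(SAMPLE_SCHEMAS, LOCAL_CATALOG))
```

Running it against the two constructed schemas reports the ds: namespace as conflicting without a catalog and clean with either catalog. Note that a bare prefix rewrite would not have been enough: the dated and undated paths differ after the prefix, so the local-copy catalog needs an explicit <system> entry for each of them.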

Thursday, May 24, 2007 3:17:18 PM (Eastern Standard Time, UTC-05:00)
Tuesday, May 22, 2007

... software, that is here the question.

There have been quite a few comments from the leadership of my employer lately (GregP, JonathanS), and now Mark Shuttleworth of Ubuntu chimes in.

His argument goes as follows: Microsoft (and by extension most, if not all, major corporate software players) really does not have an interest in software patents. Why? Simply because they are obviously the juiciest target a patent troll can hope for: deep pockets and big software products that cover vast areas of intellectual property. Examples of this can be found on Mike Dillon's blog.

In light of these developments, non-assertion covenants such as Sun's for OpenID are of crucial interest to the developer community and the public as a whole. These initiatives truly create a "patent cold war" in a good sense, at least within the software industry.

What remains is the patent-troll industry, and here is where regulatory bodies are required to evolve the current patent and copyright legislation [1] into a model where inventors and practitioners (like developers or artists) are rewarded, while parasites (like patent trolls and ...) have their air supply cut off for good.

I am wondering one thing (and maybe there is a legal expert/lawyer out there who could clarify this): Can I license e.g. software in a way that would revoke license rights from potential patent plaintiffs? So that any software license has a 'nuclear' provision that renders the entire license null and void if the licensee (i.e. the user of the software) uses software patents for the sole purpose of suing, without practicing such patents in a meaningful way. Note that this provision should not be directional, but cover any suit based on hoarded patents.

If the open source community and the commercial software community adopted a model like this, the patent trolls would at least be relegated to using paper and pen for all of their filings.


[1] absolutely including the completely brainless DMCA and its WIPO relatives

UPDATE: After talking to a few folks (who are quite cynical at times ;-)), I guess my license idea would not work: it would be quite easy for a troll to set up a front and 'outsource' business activities ...

Tuesday, May 22, 2007 9:27:43 AM (Eastern Standard Time, UTC-05:00)
Monday, May 21, 2007
You can find some information on this at the "On The Record" blog, including a link to the official text of the NAC. Now let's hope that more folks issue a similar covenant.

This time, Eve was faster than me ...

Monday, May 21, 2007 1:30:48 PM (Eastern Standard Time, UTC-05:00)
Thursday, May 17, 2007
Drummond blogged about semantically meaningful identifiers - really interesting. I particularly like his example ... and Drummond: I am perfectly happy for you to use my identifier in this example ;-)

Thursday, May 17, 2007 4:11:03 PM (Eastern Standard Time, UTC-05:00)
Wow, sensible ideas *do* seem to spread by themselves ... I just read in eWeek that more and more companies are using desktop virtualization. No kidding. I have been using desktop virtualization for more than 4 years now, with my production machine (email, blog reading, OpenOffice, etc.) virtualized for almost a year. Anything else would be totally insane for me, especially since I use a lot of beta (or alpha) software that has a tendency to break certain OSes.

Thursday, May 17, 2007 11:28:08 AM (Eastern Standard Time, UTC-05:00)
Mike Jones has blogged about Microsoft's latest OSP-covered specification. Large chunks of the InfoCard protocols that appeared on Kim's blog over time are now in this refactored version of the spec. I did not have the time yet to go through this in detail, but I am quite interested to figure out if I can build a managed card provider and consumer based solely on this spec. Mike assures me that this works, so I hope to report back about this soon ...

BTW: Thanks for all your work, Mike (and Kim, of course).

Thursday, May 17, 2007 10:28:08 AM (Eastern Standard Time, UTC-05:00)
Wednesday, May 16, 2007
Last night's untalent show was - as usual - quite interesting. Here are some snippets of the lyrics of Eve's and my songs:

Twinkle, twinkle WS-Star
How I wonder what you are

Architecture in the sky
Now in part in WS-I

Twinkle, twinkle WS-Star
How I wonder what you are
(traditional)

and

Bye, Bye, Mr. InfoCard guy
May be managed some day later
Now he's self-certified

When he left Dot Net
And kissed Kim Cameron goodbye
Saying "Soon I'm gonna be a profile,
soon I'm gonna be a profile."
(after Weird Al - The Saga Begins, after Don McLean - American Pie)

Wednesday, May 16, 2007 10:30:54 AM (Eastern Standard Time, UTC-05:00)
Tuesday, May 15, 2007

Today, we (pre)-announced at the IIW 2007 a non-assertion covenant (NAC) for OpenID. What does this mean?

First, the NAC is a short (three paragraphs) legally binding document that licenses all of Sun's patents (and not only necessary claims) to anybody for the purpose of implementing OpenID 1.1 Auth and Simple Reg 1.0 ... in perpetuity ... royalty-free. This license will only be withdrawn if someone decides to sue Sun over this technology. As far as I know, this is the first covenant like this around OpenID.

Sun has already issued some of these - one on ODF and another one on SAML. Every time, this prompted similar licenses and promises from other companies. Note that this move is so far totally unilateral - we (Sun) clear the way for the OpenID community as much as we can. Now it is up to other companies to do the same thing and show their commitment to the open source community.

The official announcement of this NAC will appear soon on the "On the Record" marketing blog at blogs.sun.com.

Finally, here is a picture by David showing Eve, Bill and myself making the announcement:

Tuesday, May 15, 2007 2:44:17 PM (Eastern Standard Time, UTC-05:00)
Friday, May 11, 2007
Here are my slides to yesterday's mini talk in the java.net community corner.

OpenID JavaOne.pdf (380.11 KB)

Friday, May 11, 2007 2:05:10 PM (Eastern Standard Time, UTC-05:00)
Thursday, May 10, 2007
I will be giving an OpenID talk at JavaOne this afternoon at 4:00pm in the java.net Community Corner in the Pavilion. In this, I will explain Sun's recent press announcement and shed some light on what we are planning to do next. Slides (and a podcast) will be available soon at the community wiki.

Thursday, May 10, 2007 4:25:26 PM (Eastern Standard Time, UTC-05:00)
Tuesday, May 08, 2007
Marina Fisher and I will be presenting on AJAX interoperability here at JavaOne on Thursday at 5:30pm in Esplanade 302. We will be covering jMaki, WCF, Silverlight/ASP.NET AJAX and Java REST API interoperability. For more details, go here

Tuesday, May 08, 2007 8:28:18 PM (Eastern Standard Time, UTC-05:00)
Monday, May 07, 2007
In the free VMware Server edition, there is no vmkfstools program that could be used to extend and manage virtual disks, as would be needed e.g. to extend boot partitions. Instead, the program is called vmware-vdiskmanager and performs - as far as I can tell - the same function.

Monday, May 07, 2007 6:40:03 PM (Eastern Standard Time, UTC-05:00)
Paul has a wonderful letter to Hubert on his blog ... Sorry Paul, 5 CDN will not do - but here is a web site that might help ;-)

Monday, May 07, 2007 3:26:14 PM (Eastern Standard Time, UTC-05:00)
As a response to Johannes' post (Thanks, Johannes!), here is an unordered list of all folks that have been contributing to OpenID - Thanks to all of you:
and many, many, more ...

Monday, May 07, 2007 1:59:09 PM (Eastern Standard Time, UTC-05:00)
Today, Sun is announcing (Press Release) a new program to explore how OpenID can be used and utilized in a corporate environment.

As a first step, we are creating an IdP exclusively for Sun employees. What is the rationale for this, especially since there is an ever-growing number of OpenID IdPs available for anybody to sign up with? In principle, there is - obviously - no difference. However, the big difference is that by creating an IdP at sun.com and creating a process and policies around accounts at this IdP, we create a trust base for relying parties: anyone accepting a sun.com OpenID authentication is assured that the holder is a Sun employee (provided, of course, that the relying party has verified the OpenID assertion and derives "sun.com" from the verified identifier rather than from anything the user typed). This knowledge can be applied to customize the user experience for the Sun employee (e.g. for a special discount).

This IdP is implemented as an extension to OpenSSO/Sun Access Manager. By putting the OpenID protocol on this proven platform, we can simply extend this reliable and secure platform to a new set of clients and relying parties, while offering SAML/Liberty federation and authentication from a single IdP. Today, OpenID is still simply another access protocol for relying parties, but going forward the combination of OpenID with the power and capabilities of SAML will enable a variety of interesting applications. The extension is also available for OpenDS.
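As an added example of the relying-party side of the trust argument above (my own code, not from the post and not OpenSSO code): the employee claim is only as good as the check that ties it to the verified identifier and the OP endpoint that discovery returned. The employee authority, the sample identifiers and the endpoint URLs below are assumptions made for this example; the post does not name them.

```python
"""Relying-party check behind the 'sun.com OpenID means Sun employee' argument.

Added example; not from the post and not OpenSSO code.  The authority and the
constructed identifiers are assumptions for illustration.
"""
from urllib.parse import urlsplit

# Assumed for the example: the employee IdP and its identifiers live under this domain.
EMPLOYEE_AUTHORITY = "sun.com"


def is_under_authority(url, authority):
    """True if url is an http(s) URL whose host is authority or a subdomain of it.

    urlsplit().hostname drops userinfo and port, so
    "https://openid.sun.com@evil.example/" yields "evil.example"; the label
    boundary test rejects look-alikes such as "sun.com.evil.example" and
    "notsun.com", and a path component like "/openid.sun.com/" never counts.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.rstrip(".").lower()
    return host == authority or host.endswith("." + authority)


def employee_claim(verified_identity, op_endpoint):
    """Grant the employee claim only when both the identity the OP signed for
    and the OP endpoint found by discovery are under the employee authority.

    Call this after the OpenID response signature has been checked against the
    association with that endpoint; on its own it proves nothing.
    """
    return (is_under_authority(verified_identity, EMPLOYEE_AUTHORITY)
            and is_under_authority(op_endpoint, EMPLOYEE_AUTHORITY))


if __name__ == "__main__":
    # Constructed cases: one legitimate pair and the usual look-alike tricks.
    CASES = [
        ("https://openid.sun.com/alice", "https://openid.sun.com/server"),
        ("https://openid.sun.com.evil.example/alice", "https://openid.sun.com.evil.example/server"),
        ("https://evil.example/openid.sun.com/alice", "https://evil.example/server"),
        ("https://openid.sun.com@evil.example/alice", "https://evil.example/server"),
        ("https://openid.sun.com/alice", "https://evil.example/server"),
    ]
    for identity, endpoint in CASES:
        print(employee_claim(identity, endpoint), identity, endpoint)
```

Only the first constructed pair passes; the others fail on the host suffix, on userinfo in the URL, on the authority appearing in the path rather than the host, or on an OP endpoint outside the authority.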

Over the next couple of months, we will release a number of new services and ideas around OpenID. One of the more interesting areas (I think) will be convergence and interoperability. Stay tuned!

Finally, on a personal note: I really enjoyed working with everybody on this project. Given the little time and resources I think we really got this done right.

Monday, May 07, 2007 9:36:18 AM (Eastern Standard Time, UTC-05:00)
Thursday, May 03, 2007
I just picked this up from Phil Windley (he also found the lyrics):

Gee, I haven't laughed like this in a long time

Thursday, May 03, 2007 8:34:10 AM (Eastern Standard Time, UTC-05:00)

As most of you have heard by now, a certain number is the focal point of a major controversy between a small and mostly insignificant, but loud, portion of a minor industry segment on the one side and the majority of people living on this planet on the other. Somewhere in the middle are folks like Wikipedia, Google, and, as of yesterday, digg.com.

The root cause for all this nonsense is - of course - the DMCA, which states that even parts of a DRM "circumvention device" are illegal.

I find it completely intolerable that such a very small group has the audacity to claim protection rights for a simple sequence of 32 hexadecimal digits on an equal basis with the protection rights for intellectual property. This is - with all due respect for *actual* intellectual property - completely ridiculous. In fact, I think that this claim undermines the value of intellectual property per se, since - if this would hold in a courtroom - literally anything could now be claimed to be protected by the DMCA:

Consider the following situation: I am using the number 20 07 as my secret key to unlock a 'protected work'. As such, any reference to this number that is even remotely associated with DRM or content protection is a violation of my DMCA-guaranteed right. So, if you or your company should happen to work in the DRM field, be sure not to write down years in any of your communications. While this example is a little over the top, it still illustrates the extremes that are possible under this legislation.

Another interesting question would be: What happens to a person getting a tattoo of a part of a circumvention device? Can he/she be ordered to get skinned? Or terminated?

Wednesday, May 02, 2007 11:52:28 PM (Eastern Standard Time, UTC-05:00)
Wednesday, May 02, 2007

Funny, I find this number everywhere now ... What could it mean?

UPDATE: I get it! The numbers in the title are only the lyrics to this song on YouTube. I hope that citing his lyrics here is covered by fair use.

Wednesday, May 02, 2007 8:39:09 AM (Eastern Standard Time, UTC-05:00)
Tuesday, May 01, 2007
Here is a nice short article by Scott Hanselman on what is currently happening in .NET land - especially at MIX07. I find his graphic on the evolution of the various .NET technologies quite interesting and helpful. A couple of interesting takeaways and comments:

- Silverlight 1.1 alpha, along with the "CoreCLR", will be interesting to dissect. According to Scott, there is nothing "micro or tiny" about this runtime, only sane refactoring. That might be so, but the Base Class Library amounts to something of a Micro/Mobile edition ...?!

- The Dynamic Language Runtime is interesting - but I am not quite so optimistic as to believe that the Microsoft Permissive License will really win the "hearts and minds" of the hardcore open source community...

- The JavaScript/CLR (in-process?) integration sounds *really* interesting.

Ultimately, the success of Silverlight and the CoreCLR program will probably depend on platform support. And as Sun has learned very painfully, sufficient platform support can only be achieved with truly open source software.


Tuesday, May 01, 2007 10:22:50 PM (Eastern Standard Time, UTC-05:00)

Copyright by Gerald Beuchelt.