Do We Need an Alternative to HTTPS and TLS?

“Do We Need an Alternative to HTTPS and TLS?”  This question came up in the Personal Clouds list recently.  Thanks to the well publicized problems with Certificate Authorities, variations on this question are a common theme among many of the communities in which I participate.  The CA has become the whipping boy for all the ills of authentication and network security.  Let’s just get rid of it, right?  It’s not that simple.

Banks manage information, not money

In a recent thread on the Personal Clouds list discussing Barclays Bank’s new secure document storage service, a correspondent wrote “I believe many banks will offer similar services as they move from managing money to ‘managing information.’”  That many people still believe that the business of banks is primarily money and not information speaks to the effectiveness of the industry’s PR.  Banks have primarily managed information for decades.  They just didn’t want to tell retail customers until doing so was likely to yield a competitive advantage or a profit.  That time has come.

Industry still puzzling over consumer reaction to tracking

Industry is still wondering what went wrong with tracking.

Frank Hayes over at Storefront Backtalk asks “When Is Data Collection Creepy?”  That’s a really good question now that ordinary people are waking up to the possibility that anyone and everyone can track them online and in real life.  The post touches on, but doesn’t quite illuminate, that the biggest difference is one of atoms versus bits.  When surveillance was physical, Newtonian physics limited what could be done.  We didn’t need laws or policies stating that you couldn’t surveil all of the people all of the time, because doing so wasn’t physically possible.  Because we have never had that capability before, we have no experience with it from a policy-making standpoint.

My RBAC Manifesto

No one component taken out of context makes the Personal Cloud.

I’ve been following the Role Based Access Control thread on the Personal Clouds List and just sort of biting my tongue so as not to sidetrack any productive discussion there.  However, I cringe every time a new email comes out comparing Clique Space to RBAC.  One is a model, one is an implementation.  To compare them is like saying “China is not capitalism.”

I have issues on several levels with the whole discussion.  First, I believe that Role Based Access Control will be essential to the Personal Cloud architecture.  With all of the different functions proposed for Personal Cloud, it doesn’t seem scalable with the other types of access control.  Furthermore, there is no “personal cloud” if all the parts of it are developed in a vacuum.  Even though your component of the Personal Cloud may be simple enough to not require RBAC, how will it fit into the greater architecture?  For example, a smart light switch may have one role – either you can access it or not.  That’s a use case that screams out for simple Access Control Lists right up until you try to integrate it into a larger home automation system.  It isn’t so much that the switch now needs roles, but rather that the ability to manipulate or inquire on the switch from within the home automation system is itself a role of that larger system.  So as a designer the question becomes: In a larger cloud context where the owner manages using RBAC, do you want your device or component to be the only thing that requires the homeowner to program specific Access Control Lists?  How user friendly is that?

My answer to this is that as designers we need to recognize up front that the complexity of the Personal Cloud requires something more manageable than individual access control lists and then design our components to live in that greater context.
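To make the switch-versus-hub argument concrete, here is an added illustration (my own code, not from the original post or any Personal Cloud project): a light switch that only understands a plain allow-list, and a home-automation hub that manages access through roles and becomes the single principal on every device’s list. Class names, role names, permission strings and the users “alice” and “bob” are all hypothetical.

```python
"""Role-based access control wrapped around an ACL-only device (added example)."""
from dataclasses import dataclass, field


class LightSwitch:
    """A device with the simplest possible access control: an allow-list of principals."""

    def __init__(self, name: str):
        self.name = name
        self.allowed: set[str] = set()   # principals that may operate the switch
        self.on = False

    def toggle(self, principal: str) -> bool:
        if principal not in self.allowed:
            raise PermissionError(f"{principal} may not operate {self.name}")
        self.on = not self.on
        return self.on


@dataclass
class Hub:
    """Home-automation hub: users get roles, roles get permissions.

    Instead of every device keeping its own ACL of user names, the hub is the
    only principal on each device's allow-list and acts on users' behalf.
    Revoking a user's role therefore revokes access to every integrated device.
    """
    role_permissions: dict[str, set[str]] = field(default_factory=dict)
    user_roles: dict[str, set[str]] = field(default_factory=dict)
    devices: dict[str, LightSwitch] = field(default_factory=dict)
    HUB_PRINCIPAL = "hub"   # hypothetical identity the hub presents to devices

    def grant(self, role: str, permission: str) -> None:
        self.role_permissions.setdefault(role, set()).add(permission)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def integrate(self, device: LightSwitch) -> None:
        # The device only ever sees the hub; per-user ACL programming disappears.
        device.allowed.add(self.HUB_PRINCIPAL)
        self.devices[device.name] = device

    def permissions_of(self, user: str) -> set[str]:
        perms: set[str] = set()
        for role in self.user_roles.get(user, ()):
            perms |= self.role_permissions.get(role, set())
        return perms

    def toggle(self, user: str, device_name: str) -> bool:
        """Check the user's role-derived permissions, then act as the hub principal."""
        needed = f"switch:{device_name}:operate"
        if needed not in self.permissions_of(user):
            raise PermissionError(f"{user} lacks {needed}")
        return self.devices[device_name].toggle(self.HUB_PRINCIPAL)


def attempt(action) -> bool:
    """True if the action was permitted, False if access control refused it."""
    try:
        action()
        return True
    except PermissionError:
        return False


def demo() -> dict[str, bool]:
    """Constructed scenario: a resident, a guest, and two integrated switches."""
    hub = Hub()
    hub.integrate(LightSwitch("porch"))
    hub.integrate(LightSwitch("garage"))
    hub.grant("resident", "switch:porch:operate")
    hub.grant("resident", "switch:garage:operate")
    hub.grant("guest", "switch:porch:operate")
    hub.assign("alice", "resident")
    hub.assign("bob", "guest")

    results = {
        "alice_porch": attempt(lambda: hub.toggle("alice", "porch")),
        "bob_porch": attempt(lambda: hub.toggle("bob", "porch")),
        "bob_garage": attempt(lambda: hub.toggle("bob", "garage")),
    }
    hub.revoke_role("bob", "guest")          # one change, every device affected
    results["bob_porch_after_revoke"] = attempt(lambda: hub.toggle("bob", "porch"))
    # Bypassing the hub fails: no user name is on the device's own allow-list.
    results["direct_to_device"] = attempt(lambda: hub.devices["porch"].toggle("alice"))
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is the last two results: revoking “bob” from the guest role is one edit in the hub, not a change on each switch, and the switch itself never has to learn about individual household members.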

FT on How much is your personal data worth?

A recent Financial Times article asks “how much is your personal data worth?”  This sparked a thread on the VRM mailing list to which I’d like to respond.  Tony pointed out that their numbers are old.  I’d also add that the entire article is a bit disingenuous.  The headline “How much is your personal data worth” implies broad valuation as in “how much is a dollar worth?”  The article conveniently ignores many uses and markets for that data and in fact is extremely narrowly illustrated.  It should have read “What is your legally collected data worth to data brokers, assuming you are not a high value target?”

Let’s take these in reverse order.

Big Data? No. Big Signal!

One of the best ways to understand VRM (Vendor Relationship Management) is to look at it from a more familiar perspective.  When it comes to consumer data, one of the most familiar perspectives is that of Big Data so naturally many questions about VRM are couched in Big Data terms:

  • How big is VRM data anyway?
  • How much data is (or will be) in the personal cloud?
  • Who crunches VRM data to come up with something useful?

The answers to these questions lead to one inescapable conclusion: VRM isn’t a difference in scale.  It is a difference in kind.  This isn’t Big Data.  It’s Big Signal.

Duking it out with miicard

In my never-ending quest to make the world make sense, I have turned my attention to miicard.com once again.  They are pretty good, use HTTPS where it counts, don’t email my stored password around, and I even let them verify bank accounts.  But they are not without some issues.  In the interest of cutting to the chase, I’ve emailed James Varga (CEO) & Stuart Fraser (CTO) links to this post.

MQTT and Personal Clouds

In an email to the Personal Clouds list, Johannes wrote:

Let’s say I’d like to use MQTT to make the doorbell in my house communicate with the living room lights. I think what would have to happen is this:

  1. the doorbell and the living room lights would have to be an MQTT client each
  2. somewhere in my house I’d run an MQTT server
  3. doorbell and living room lights need to find that server, and register with it, one as a “producer” of information, one as a “consumer”
  4. some piece of code that runs the logic (“If somebody rings the doorbell like …—…, flash the living room lights in red”) must run somewhere in my house
  5. that piece of code would subscribe to appropriate topics as producer and consumer on that MQTT server

Am I getting this about right?

My response outgrew an email so I’m posting it here.
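The five steps in Johannes’s message, wired up as an added example that is not part of the original thread: an in-process stand-in for the MQTT broker that implements MQTT-style topic filters (`+` for one level, `#` for the remainder) and records, per registered client, which topics it may publish to and which it may subscribe to, so the doorbell really is only a “producer” and the lights only a “consumer”. The topic names, client names and the ring pattern `...---...` are constructed for the example; nothing here talks to a real MQTT server.

```python
"""Minimal pub/sub broker with MQTT-style topic filters and per-client topic ACLs (added example)."""
from typing import Callable

Handler = Callable[[str, str], None]   # handler(topic, payload)


def topic_matches(filter_: str, topic: str) -> bool:
    """MQTT filter semantics: '+' matches exactly one level, '#' (last level only) matches the rest."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1       # '#' is only valid as the final level
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    """Step 2 of the question: the thing in the house that everything registers with."""

    def __init__(self) -> None:
        self.acl: dict[str, dict[str, list[str]]] = {}           # client -> {"pub": [...], "sub": [...]}
        self.subscriptions: list[tuple[str, str, Handler]] = []   # (client, filter, handler)
        self.rejected: list[tuple[str, str, str]] = []            # (client, action, topic) refused by ACL

    def register(self, client: str, publish=(), subscribe=()) -> None:
        """Step 3: a client registers, declaring what it produces and what it consumes."""
        self.acl[client] = {"pub": list(publish), "sub": list(subscribe)}

    def _permitted(self, client: str, action: str, topic: str) -> bool:
        # A subscription filter that itself contains wildcards is only accepted
        # under an ACL entry ending in '#', which is the case used below.
        patterns = self.acl.get(client, {}).get(action, [])
        return any(topic_matches(p, topic) for p in patterns)

    def subscribe(self, client: str, filter_: str, handler: Handler) -> bool:
        if not self._permitted(client, "sub", filter_):
            self.rejected.append((client, "sub", filter_))
            return False
        self.subscriptions.append((client, filter_, handler))
        return True

    def publish(self, client: str, topic: str, payload: str) -> int:
        """Deliver to every matching subscriber; returns the number of deliveries."""
        if not self._permitted(client, "pub", topic):
            self.rejected.append((client, "pub", topic))
            return 0
        delivered = 0
        for _, filter_, handler in list(self.subscriptions):
            if topic_matches(filter_, topic):
                handler(topic, payload)
                delivered += 1
        return delivered


def run_demo() -> dict:
    """Steps 1, 4 and 5: doorbell (producer), lights (consumer) and the rule logic in between."""
    broker = Broker()
    lights_received: list[str] = []

    broker.register("doorbell", publish=["home/doorbell/#"])
    broker.register("lights", subscribe=["home/lights/livingroom/#"])
    broker.register("logic", subscribe=["home/doorbell/#"], publish=["home/lights/#"])

    def lights_handler(topic: str, payload: str) -> None:
        lights_received.append(payload)

    def logic_handler(topic: str, payload: str) -> None:
        # The rule from the question: a particular ring pattern flashes the lights red.
        if payload == "...---...":
            broker.publish("logic", "home/lights/livingroom/flash", "red")

    broker.subscribe("lights", "home/lights/livingroom/#", lights_handler)
    broker.subscribe("logic", "home/doorbell/#", logic_handler)

    broker.publish("doorbell", "home/doorbell/ring", "...---...")   # pattern ring -> red flash
    broker.publish("doorbell", "home/doorbell/ring", ".")           # ordinary ring -> nothing
    # The doorbell trying to drive the lights directly is refused by its ACL.
    broker.publish("doorbell", "home/lights/livingroom/flash", "blue")
    return {"lights": lights_received, "rejected": broker.rejected}


if __name__ == "__main__":
    print(run_demo())
```

Two things worth noticing: the doorbell and the lights never learn of each other, only of topics, which is what makes the rule logic replaceable; and the broker is the natural place to enforce that a producer stays a producer, which is the kind of check a real broker’s access control configuration does.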

Why break stuff?

If you are a project manager in charge of building your company’s new, strategic, bet-the-business application, you are probably going to look for people exceptionally skilled in designing and building complex architectures. We all know people like this. They have an almost magical ability to conceptualize an idea, lay out a precise roadmap from here to there, and then deliver the most amazing products. The ability to build something from nothing, and to do so with exceptional skill, is a rare gift. It requires a certain mindset which we all have to varying degrees, but that for a very few seems inborn and as natural as breathing. It is an orientation toward synergistic processes. And if you need security, that’s the problem.

Developing a security architecture or finding weaknesses in existing systems requires an orientation toward entropic processes. For the best security architects, this mindset seems inborn and as natural as breathing. While it is possible to have deep skill in both the synergistic and entropic domains, people are primarily in one or the other. It is very similar to right- or left-handedness. Application people are comparable to the right-handed crowd, security people to the left-handers. Each group has varying degrees of dexterity in the non-dominant domain, but true ambidexterity is extremely rare. The difference is that when you are staffing a project you don’t go out of your way to make sure there are a few left-handers on the team. You may go out of your way to hire a security specialist or two, but how do you identify the best candidates? Sure, you look at their track record of successful security work. But do you look for their primary orientation as synergistic or entropic? Now that you know, will you ever not look for that trait in a security specialist again?

My name is T.Rob, and I break stuff.

Why leave IBM?

Since announcing my departure from IBM, there have been many questions about the move:

“What happened?”
“Why are you leaving?”
“Is there a non-compete that keeps you from coming back and working for us?”

I want to put any speculation to rest and explain all this in one place so I can just send a link.  It’ll be easier for all concerned.  Let me take these in order.

What happened?

Nothing “happened” in the sense of a precipitating event or ill will on anyone’s part.  Sorry, but there is just no dirt to dish here.  If you want drama, go read The Odd is Silent and search for “Nosy Store Clerks.”

Why are you leaving?

Best explanation I’ve written is posted on Facebook:

IBM’s expectations of me in PLM were preventing me from spending as much time as I’d like in the WMQ community. As a PLM you are doing all sorts of behind-the-scenes work that takes time from public-facing activities and are often working on things that are unannounced and confidential and you can’t talk about at all. So it was actually difficult to do that and contribute externally. My intention is to work more in the community and be a bigger asset to WebSphere Messaging externally than I was internally.

Fact is I’m pretty good as a consultant and fairly suck as a product manager. It seemed like a good idea at the time, didn’t work out and neither I nor IBM have hard feelings about it. In fact, I’m cleared to work through ISSW so can continue to serve the same customers even as I’m out meeting new ones. It can only get better for me, for IBM and for the WMQ community out there with this move.

If you’ve worked with me as a consultant, you know that when it comes to deep technical topics I’m in my element.  Give me a set of requirements to design from, or a misbehaving system to troubleshoot, or a security perimeter to penetrate, and stand back.  But whether it’s my Asperger’s, my temperament, a deficiency in “soft skills,” or some combination of all these, I wasn’t nearly as effective in product management as I am in a technical or teaching role.  Not that I was bad at it, but I can’t stand to toil away being merely good at one job knowing there’s another where I excel.

Can you work for us?

Yes!  I’m available as an independent or if you have a preferred vendor list, I have agreements with several established services firms, one of which is bound to be on your list.  As alluded to in the last section, IBM Software Services is one of the firms I’m able to sub-contract through.  In the few cases where there’s a non-compete issue, all I need to do is refer you to the IBM Software Services Practice Manager.

Bonus question: So why not go back to ISSW?

I’m extremely interested in Internet of Things, Personal Clouds, Vendor Relationship Management and Identity Management.  IBM doesn’t cover all these spaces, and where they do they tend to specialize.  I’m a “deep generalist”.  I want to do all of these at once.  And, of those they do cover, IBM tends to work in the Enterprise space, whereas some of the things that most entice me are happening in startups.

So who is my target market?  Anyone from my regular large enterprise customers all the way to the small startups at the other end of the spectrum.  And if you are located in one of the two states I have yet to visit (Alaska and Hawaii) I’ll figure out an incentive for you.