23 Sep 2003

Here's a proposal for a low tech, de-centralized, remote authentication system with profile management. It's aimed at all those low security situations where you need to log in to a website but don't want to go through the hassle of creating an authenticated profile.
The basic approach is a simple web service. This web service should support and be implemented in XML-RPC, ReST and SOAP (in order of priority). It would take two string parameters: an ID and a password. It would return True or False. This service would usually be available in a standard location (say "remote.login", /xmlrpc/, port 80) or can be found via some auto-discovery mechanism such as RSD. The intention is that this web service is widely implemented either as standalone CGI files on personal websites, or as a service on more centralised systems like Typepad, Slashdot, etc.

On the server side, anyone building systems that require login but are not overly concerned about security should add support for external authentication. If the user types in something like ID: foo@bar.com it will pass foo and the password to the web service at bar.com. If it returns true, then either log the person in against foo@bar.com or create a user record linked to foo@bar.com and log them in against it.

For this to get widespread implementation at least three things are needed.

1) Simple stand alone CGI programs in the major languages (e.g. perl, php, python, or whatever) that implement the service. These should include a minimally simple interface to maintain a fairly short list of ID/Password pairs.
2) A set of toolkits in all the major languages for server-side applications to implement both sides of remote login.
3) Support for remote login built into successful apps like slash, php-nuke, movable-type, blogger, etc.

Extensions and Issues

The biggest issue I see is that there is minimal security and minimal hiding of passwords but this doesn't actually matter. We're not trying to replace Passport, Liberty or PingID. What we are doing is creating a standard for those tens of thousands of websites that need minimal authentication. Many of us currently solve this by using the same ID and Password wherever possible.
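The exchange proposed above, as an added example that is not code from the original post: a `remote.login` XML-RPC method on the identity host, and the relying site's handling of an ID such as foo@bar.com. The salted-hash account store, the hostname check and the `transport` hook are assumptions of this example, and the request is dispatched in-process so that it runs offline.

```python
import hashlib
import hmac
import os
import re
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCDispatcher

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password):
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

# Constructed sample data: the "fairly short list of ID/Password pairs" kept
# at bar.com, stored as salted hashes (an assumption; the post does not say how).
ACCOUNTS = {"foo": _account("correct horse")}
_DUMMY = _account("placeholder")  # unknown IDs do the same work as known ones

def remote_login(user_id, password):
    """Identity-host side: two strings in, True or False out."""
    if not (isinstance(user_id, str) and isinstance(password, str)):
        return False
    salt, stored = ACCOUNTS.get(user_id, _DUMMY)
    match = hmac.compare_digest(_kdf(password, salt), stored)
    return match and user_id in ACCOUNTS

def build_dispatcher():
    """XML-RPC dispatcher that a CGI script at /xmlrpc/ would wrap."""
    dispatcher = SimpleXMLRPCDispatcher()
    dispatcher.register_function(remote_login, "remote.login")
    return dispatcher

_HOST = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")

def split_identifier(identifier):
    """Relying-site side: 'foo@bar.com' -> ('foo', 'bar.com')."""
    user_id, sep, host = identifier.rpartition("@")
    # Only a bare hostname is accepted, so the typed value cannot add a
    # path, port or credentials to the URL the site is about to call.
    if not (sep and user_id and _HOST.fullmatch(host)):
        raise ValueError("expected id@host")
    return user_id, host.lower()

def external_login(identifier, password, transport):
    """transport(host, request_bytes) -> response_bytes (hypothetical hook;
    in deployment an HTTP POST to the host's /xmlrpc/ endpoint)."""
    user_id, host = split_identifier(identifier)
    request = xmlrpc.client.dumps((user_id, password), methodname="remote.login")
    try:
        (result,), _ = xmlrpc.client.loads(transport(host, request.encode()))
    except (xmlrpc.client.Error, ValueError):
        return False  # faults and unexpected reply shapes count as a failed login
    return result is True  # anything but a real boolean True is a refusal

if __name__ == "__main__":
    bar_com = build_dispatcher()
    in_process = lambda host, body: bar_com._marshaled_dispatch(body)
    print(external_login("foo@bar.com", "correct horse", in_process))
    print(external_login("foo@bar.com", "guess", in_process))
```

The relying site sees the plaintext password and forwards it in the request body, so both hops need TLS for the password to stay hidden in transit.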
This system formalises this by letting us control that common ID-Password ourselves in one place. It also avoids the problem of having to create jbond23, jbond23uk, j23bond and so on because jbond has already been taken.

This idea immediately suggests some standard, possibly using FOAF, to let an end user or participating sites provide basic user profile information to a site that is creating a new user record. I have in mind some similar approach of minimal cgi program for de-centralization, toolkits for App coders and support in major platforms for a standardised foaf, vcard or similar set of data. This data could then be used to pre-populate user records.

If this takes off, it'll need a name. Really Simple Authentication is appealing, but RSA is already taken... Simple External Authentication (SEA) looks possible.

Acknowledgements

This whole essay was inspired when I went back and had another look at the current state of Drupal. For a year or so Drupal has had a remote authentication system that let you log in to a Drupal site using an ID and password from another site. They currently have support for Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber, LDAP. The code and techniques are admirably simple and would provide a good basis for the more general approach outlined above. http://drupal.org/node/view/312

You probably know about Deanspace http://www.deanspace.org/ which is based on Drupal. Every Deanspace site supports this style of remote auth.

18 Sep 2003

DeanSpace, the project by Howard Dean supporters to develop software to support local political campaigns has got to v0.95. This is a packaged and customised version of Drupal, the base for Ecademy.
What's interesting is that the software is GPL, free and downloadable by anyone so it could be used as easily by Republicans as by Democrats. So are any Ecademy members involved in local political campaigns in the UK? How about pushing this at the Liberal-Democrats? Or whatever political campaign you're involved with? [from: JB Ecademy] [ 18-Sep-03 8:40pm ]

17 Sep 2003

According to Marc's Voice Ecademy is a Social network for "British Intellectuals".
Uh-huh. I'm not sure whether to take that as a compliment or some deeply ironic and sarcastic sneer. Since Americans don't usually do irony, I guess it's a compliment! [from: JB Ecademy]

16 Sep 2003

This one is too funny. A bunch of people have phone pranked the RIAA, iTunes, record labels, and artists and then transcribed the results. The RIAA Prank: Do They Really Care About Kazaa, Grokster, and Napster? :
JH: You guys ARE going to sue me! I knew it! I never should have downloaded Beethoven's Ninth Symphony! Oh, NO!!!

JH: I don't want an Apple. They're too heavy.
APPLE: We have some light ones too, like an iBook.
JH: I heard that iBooks can only be used in Starbucks.

LOL! [from: JB Ecademy] [ 16-Sep-03 9:10am ] [ 16-Sep-03 1:40am ]

14 Sep 2003

No Wires, No Charge (TechNews.com) : Intel Corp. and a smattering of other technology companies are coordinating a wireless giveaway next week. About 5,000 WiFi "hot spots" around the country that normally charge for wireless Internet access will offer it free all day Sept. 25.
So, BT Openzone, T-Mobile, Surf'n'Sip and all the others, how about doing this in the UK as well? [from: JB Wifi]

13 Sep 2003

WiFi SIP Cellular to Be Released
There's quite a few paid hotspots that require a number to be typed in and a browser window kept open. So it's interesting that Jeff Pulver says this. "Pulver said his offering will work in an office or anywhere there is an "open hot-spot." Initially, the phone will not operate in a paid WiFi environment, such as those in Starbuck's coffee houses and other locales." [from: JB Wifi] [ 13-Sep-03 9:40pm ]

Fool.com: Steal This Column [Commentary] September 12, 2003 : But here's the kicker: America Online, despite serving as a high-speed hub of P2P commiseration, is part of the same AOL Time Warner (NYSE: AOL) media giant that owns Warner Music, one of the five major record labels. It's a conflict of interest that became notoriously transparent when the RIAA's list of 261 violators reportedly didn't include a single AOL subscriber.
So as the names trickle in (including the likes of a repentant Yale professor and a 71-year-old man who claims he was unaware that his visiting grandchildren were loading up on song files), one has to wonder how differently this all would have played out if they had signed up with America Online -- or if Verizon (NYSE: VZ) owned a record label.

Do I need to add any comment? BTW. Clearly, downloading MP3s -- illegal ones, in most cases -- is the killer app driving DSL and cable modem growth. [from: JB Ecademy] [ 13-Sep-03 7:10pm ]

12 Sep 2003

If you like conspiracy theories you'll like Project Censored : Censored 2004: The Top 25 Censored Media Stories of 2002-2003
This appears to be a comparatively serious analysis with real references and frequently contributions from the original journalist who broke the story. But you still have to make your own mind up about how real all this is. [from: JB Ecademy] [ 12-Sep-03 2:40pm ]

Following the amazing RIAA actions in the USA and a comment here about "if you can't do the time don't do the crime" I thought I'd put together a list of hypothetical actions and see which were illegal and which legal. Bearing in mind that under the law, ignorance is rarely a defence.
Purchase

1) I buy a copy of Eminem's latest record in HMV for 12.99
2) I buy a copy of Eminem's latest record in a supermarket for 9.99
3) I buy a copy of Eminem's latest record from a guy down the market who's selling CDs out of a flight case for 4.99
4) I buy a copy of Eminem's latest record at a car boot sale for 3.99
5) I buy a copy of Eminem's latest record in HMV, it has the CD Audio logo on the packaging. But it won't play on my PC.

Fair use

6) I rip my Eminem CD to MP3
7) I lend my CD to my son. He listens to it on his walkman on the way to school while I listen to the MP3 at home.
8) I lend my CD to my son. He listens to it in his room while I listen to the MP3 at my desk.
9) I email the MP3 to my daughter at her boarding school.
10) I go to an Eminem concert and record the concert to a minidisk player
11) I go to a Grateful Dead concert and record the concert to a minidisk player
12) I make a copy of the two recordings and give them to friends
13) I copy the two recordings to my website
14) I make CDs of the recordings and sell them down the market
15) I make a compilation MP3 CD of my favourite chillout music. I give it to someone I meet at an Ecademy meeting. When I get home I make another one.
16) We're moving house and I need to clear out the old LPs. I sell them by the case down the market. I've kept the best ones on MP3.
17) I mash up my Eminem single with Madonna's "Like a Virgin" and some sampled drum and bass. I put it on my website and it's picked up by XFM who play it on the radio.
18) I buy a Japanese import DVD and play it on my DVD player that has been hacked to play multi-region.
Downloading

18) I download a copy of Eminem's latest single
19) I then buy the CD
20) I download a few tracks from an album I have on vinyl but which is scratched to pieces
21) I download a few tracks from an album I bought on cassette but which destroyed itself and is currently by the side of the M11
22) I download Edgar Broughton's classic "Out demons out" which has been deleted from the catalogue and is unavailable anywhere
23) I buy a track off iTunes. I then auction the track on eBay.
24) I listen to an Internet Radio station and rip the data to an MP3 so I can listen to it later
25) I buy a DRM protected song over the net. I use a Linux utility to extract a clean unprotected MP3.
26) I buy a DRM protected song over the net. I record the analogue output to a clean unprotected MP3.

Sharing

27) I have a collection of 5000 MP3s. I use Kazaa for 18-22 but I have the checkbox clicked to disable sharing
28) I run Kazaa but only share a directory where I keep the copyright-free music.
29) I run Kazaa on a high speed line as a Supernode, but I don't use it myself to share music.
30) 95% of my collection is ripped from CDs I've bought. I don't download much but I leave it running with all these shared as a public service.
31) I'm searching Kazaa for a copy of "The invention of TV by bees", a bizarre art house movie. I download a bunch of vids but don't notice that one of them is kiddie porn.
32) I'm running my Kazaa on the company LAN. The IT department have blocked it at the firewall so it's only sharing with other people in the company.
33) I built an app to make it easy for my college to share documents. Without my knowledge some people are using the same app to share music.
34) My ISP is getting hammered with Kazaa traffic. We install a Kazaa proxy to try and keep the traffic within our network.
35) My record company routinely uses music sharing analysis software as market research.
36) My record company has started seeding the music sharing networks with fake songs that actually have Madonna saying "F*ck you"
37) My record company has used subpoenas to get ISPs to give up the names of Kazaa users
38) Kazaa sued the people who reverse engineered Kazaa lite under the DMCA and got Google to remove links to them.
39) My record company released a virus onto the net which damaged the hard disks of people running Kazaa.
40) My ISP blocks all Kazaa traffic

Damn! This stuff is morally and legally ambiguous. Meanwhile, there are currently 2,900,243 people sharing 585,953,440 files on Kazaa. [from: JB Ecademy]

In the ongoing saga of hacking the Linksys WRT54G, Rob Flickenger has achieved NoCatSplash on the Linksys WRT54G. From the readme,
This package will turn your Linksys WRT54G access point into a NoCat open portal. This means that users will be presented with a "splash page" of your choosing, and must click a button before they can access the network from your AP.

Why is this important? Well it's another major stage along the way of creating an AP that a private individual can use to create a free hotspot. And to do it in a way that is controlled and secure rather than simply leaving their network and internet connection open. There are commercial "Hotspot-in-a-box" packages from people like Toshiba but these tend to be significantly more expensive and built in a way that expects the owner to charge for access. That charge might be via scratch and sniff cards or via partnering with a WISP. What they don't do (I think) is allow a small operator to simply give away access. The alternative of using consumer grade APs doesn't really work because they don't have enough capability in the router to properly limit access for guests. The last alternative of using a general purpose PC attached to a commodity AP to control access currently forces you down the Unix route.

So what we're seeing with this experiment is something that might become a simple to install GPL update to radically extend the capability of a consumer grade AP. What remains to be seen is the extent to which Linksys encourage this. There's a very interesting route here where Linksys essentially get out of the software business and concentrate on their hardware manufacturing and distribution business. They would do this by packaging and shipping a Linux distro that had been largely developed, debugged and maintained by the open source community. The fly in the ointment in this scenario and in the ongoing problems with the Linux GPL is the drivers for the Broadcom chipset.
It appears that Linksys/Broadcom cannot get FCC approval for the device if the device drivers are open source since that opens up the possibility of user level tinkering with a software controlled radio. And hence persuading the overall box to break FCC rules for license exempt radios. It's not at all clear yet if there's a way out of this. Linksys/Broadcom may well be caught between the FCC and the GPL license with no solution that satisfies both. Ultimately this is bad for everybody. [from: JB Wifi]

11 Sep 2003

Net4Nowt :: News Story : WiFi hotspots in every library on government agenda says E-Commerce Minister Stephen Timms
My local library has got a WiFi setup, but it's restricted and WEP encoded. [from: JB Wifi] [ 11-Sep-03 5:10pm ]

I've been playing with iRate this morning. It's a music download system with a difference.
- All music is copyright free and collected from web sites that are giving away songs.
- You rate each song on a 5 way "This Sux" to "Love it!" scale.
- The system suggests downloads based on your ratings via collaboration with the preferences of other users. It's the same idea as Amazon's "People who bought this also liked that".
- It's almost like a radio where it's downloading the next song while you're listening to the last one.
- It's open source and has versions for all major operating systems.
- There are currently >2000 users
- It's V0.2 and still a little clunky but works well enough to see that it's got real potential.

[from: JB Ecademy] [ 11-Sep-03 5:10pm ]

As an experiment, I've started an Ecademy chat room on MSN. Come and say hello. [from: JB Ecademy]
10 Sep 2003

RIAA keeps 12-year-old quiet with $2,000 bill
So here's the RIAA suing a 12 year old living with her single mother in a housing authority apartment. Rather than simply drop the lawsuit, they're settling out of court for $2000 that the family can surely ill afford. As the Reg says we now have some points on the graph. $2000 for pre-teens, $15,000 for college students. Want to take a guess at what they'll want from a middle class adult in full employment?

Is this an example of "Ready, Fire, Aim" or is it "Click, BANG, OWWW, my FOOT"?

For some satire on this absurdity, try this report on the "RIAA's massive detention facility in Mojave, CA."

For those of you disgusted by this and determined never to give the record industry another penny, can I recommend iRate. It's a download system for public domain music only with a built in collaborative rating system to help you find public domain music you're likely to enjoy.

As we speak there are 2,903,824 people logged into Kazaa but the USA is still asleep. [from: JB Ecademy] [ 10-Sep-03 9:40am ]

09 Sep 2003

There's a new hotspot directory and news magazine on the block. JIWIRE - your guide to wi-fi : Hotspot Directory and Glenn Fleishman, Mr Wi-Fi Networking News, is on the staff.
Most impressive for a US site is that I put in Hertford, UK and it found the 6 IBG hotspots nearby. The maps are from Mapquest and not great, but hey, it works. [from: JB Wifi]

08 Sep 2003

Hard to believe but it looks like they really went ahead and did it. Yahoo! News - Recording Industry Sues File Swappers
There's some curiously strange statistics in this story. "the (261) people who were sued as "major offenders" who distributed about 1,000 copyrighted music files on average." Now 1,000 songs is about 67 CDs and it's about 5Gb. Which is a mere 12.5% of the latest Apple iPod. My own modest collection is 4000 files in 12.5Gb of which 90% were legally obtained by ripping them from CDs I'd bought. So having 1000 songs on your hard disk is not exactly unusually large.

Meanwhile "Apple also noted today that it has sold more than 10 million songs through the iTunes Music Store, the company's popular music service. The iTunes Music Store enables Mac OS X users to buy and download commercial music for $0.99 a song through iTunes, Apple's music playback software."

Now I don't want to get into the legalities, ethics or realpolitique of all this. I just want to ask a question. Can anyone think of a single other industry that sued its biggest and most enthusiastic customers? Apart from the Government of course. [from: JB Ecademy]

Times Online - Newspaper Edition : Number of wi-fi hotspots to treble. Britain’s network of “wi-fi” hotspots is set to treble in size, making it far easier for travelling business people to make use of high-speed wireless internet access.
Britain was forecast to have 4,000 wi-fi hotspots by the end of the year. But The Cloud, the leading wi-fi provider, has reached a deal with NWP Spectrum, which operates 8,000 pay phones in airports, universities and other locations, to install wi-fi equipment at as many of these sites as it thinks make sense.

The Cloud have a roaming agreement with BT Openzone. I've been trying to find a press release from The Cloud or Openzone but haven't spotted it yet. This approach of adding WiFi to internet kiosks and public payphones makes complete sense to me. [from: JB Wifi]

I've just discovered the UK Gov Forum for discussion of the Proposed EU Constitution
Gosh. A public forum for the people to discuss what the politicians are up to. It's a little slow and clunky, but I guess the fact that it exists at all is a cause for celebration. [from: JB Ecademy]