The Blog




I've now implemented half of Drupal's remote authentication. If you go to any Drupal site, you can log in and create a user record by using your ecademy ID and password. So for instance you can go to drupal.org and log in with id= your_ecademy_login@ecademy.com and password= your_ecademy_password.

I'm working on the reverse of this. To be able to create a user record and log in to Ecademy using credentials that are validated against other Drupal, jabber, blogger or whatever sites.

If anyone is interested in trying to extend this to a much more general (but low tech) single sign on system please get in touch. [from: JB Ecademy]

I want to try an experiment with VoIP (Voice over IP) to see just how effective it is. To that end I'm running as many clients as I can manage. eg

  • MSN Messenger with webcam
    julian_bond@voidstar.com
  • Skype
    julian.bond
  • FreeWorldDialup using SJPhone or Xten Xlite
    sip:21125@fwd.pulver.com

    I particularly want to try this over the WiFi link at Cafe Grand Prix tomorrow afternoon. If you can use any of these systems, please give me a call, but particularly give me a call around 4-6pm BST Wed Oct 1. [from: JB Ecademy]

  • Ecademy now has a semi-permanent IRC channel.

    irc://irc.freenode.net/ecademy

    You'll need an IRC client such as mIRC or Chatzilla to access it.

    We probably won't be adding a Java web client unless someone can recommend a cheap/free tool that actually works ok. [from: JB Ecademy]




  • Kendra Wiki is thinking along similar lines.

    There's a thread on the decentralization mailing list following it.

    More thoughts:-

    Ignore the actual protocol for a moment. Site alpha.com validates with Site bravo.com. Site Alpha knows that UserID="foo" + Password="bar" + URL="bravo.com/sea/" = True. The remaining security question is the reputation or authenticity of the web service at bravo.com/sea/ This is the added value that centralized single sign-on systems claim to provide. I guess my argument is that there are very large numbers of situations where that last layer of authentication is not needed. So if it's not needed, stop trying to solve that problem and come up with the simplest solution that is "good enough" to answer the layer below.

    The real security question is whether the end user is comfortable giving ID+Password+URL to alpha.com. Arguably, alpha.com is building a database of these triples in the knowledge that they *might* be useful elsewhere.[2]

    In terms of protocol, I'm probably getting it wrong and ignoring prior art. I'm sure there are challenge-response approaches where the password never goes down the wire (SPA? APOP?). And if necessary the whole authentication transaction can be hidden with TLS[1].

    In terms of UI, the user would need to provide ID;Password;URL;Protocol, where Protocol is one of SEA, Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber and LDAP[2], and URL may be part of ID for some protocols.

    [1] Such a shame that there's a commercial lock on TLS certificates.

    [2] Several of these take advantage of an existing API that includes password. I suspect that a bit of screen scraping and cURL could extend this to Passport, AOL, and quite a few others. Clearly, ID+Password+Passport is worth quite a bit more than ID+Password+Manila but also has much more potential for abuse.
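As an added example (not code from the original post, from Drupal or from Ecademy) of the challenge-response idea mentioned above, here is an APOP-style exchange in Python in which the relying site proves it holds the user's password without the password itself crossing the wire. HMAC-SHA256 keyed with the password over a one-time nonce is used instead of APOP's MD5(timestamp+password); the names ChallengeAuthority, compute_response and remote_login_by_challenge, the 60-second nonce lifetime, the constructed foo/bar credentials and the in-process calls standing in for two HTTP round trips are all assumptions of the example. Two things the scheme does not fix: the authority must keep the password in a form it can recompute the response from (APOP's well-known drawback; a salted hash is not enough), and the relying site still holds the cleartext because the user typed it there, which is exactly the trust question raised above. TLS around a plain ID/password call avoids the first of those.

```python
import hashlib
import hmac
import secrets
import time


def compute_response(password, nonce):
    """Response to a challenge: HMAC-SHA256 keyed with the password over the nonce.
    Only this digest and the nonce travel between the two sites."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeAuthority:
    """The bravo.com side: issues one-time nonces and checks the responses.
    (Assumed class name; stands in for a small CGI at bravo.com/sea/.)"""

    def __init__(self, passwords, ttl=60, now=time.time):
        # APOP-style verification needs the password itself on the authority;
        # a salted hash would not let us recompute the expected response.
        self._passwords = dict(passwords)
        self._pending = {}          # nonce -> (user_id, expiry)
        self._ttl = ttl             # seconds a nonce stays valid (assumed)
        self._now = now             # injectable clock so expiry can be tested

    def challenge(self, user_id):
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (user_id, self._now() + self._ttl)
        return nonce

    def verify(self, user_id, nonce, response):
        issued = self._pending.pop(nonce, None)   # pop: a nonce is usable once
        if issued is None:
            return False                            # unknown or replayed nonce
        issued_to, expires = issued
        if issued_to != user_id or self._now() > expires:
            return False                            # wrong user or expired
        # Unknown IDs still go through the HMAC so timing does not reveal them.
        expected = compute_response(self._passwords.get(user_id, ""), nonce)
        return hmac.compare_digest(expected, response) and user_id in self._passwords


def remote_login_by_challenge(authority, user_id, password):
    """The alpha.com side: two calls to the authority; the password stays local."""
    nonce = authority.challenge(user_id)
    return authority.verify(user_id, nonce, compute_response(password, nonce))


if __name__ == "__main__":
    authority = ChallengeAuthority({"foo": "bar"})               # constructed sample
    print(remote_login_by_challenge(authority, "foo", "bar"))    # True
    print(remote_login_by_challenge(authority, "foo", "baz"))    # False
```

The nonce is consumed on first use and carries an expiry, so a captured (nonce, digest) pair cannot be replayed later; without both checks a passive listener on the alpha-to-bravo link could log in as the user even though the password itself never appeared.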


    Jeffrey Kay wrote:
    >The basic idea behind authentication are that you have to trust the
    >authenticating authority. If you can't then the system fails.

    Back in the real world, there's a reductio ad absurdum problem with this. Most "Authorities" (eg Passport) are only really warranting that this ID is associated with an email address which appeared to once have a human reading it. Even eCommerce SSL certificates only really warrant that a domain had a fax number associated with it at one time.

    So let's try a use-case. I got it into my head that the Deanspace software could be used by the Liberal-Democrats in the UK. While doing the research, I signed up at geeks4dean.com and told them to validate against jbond:drupal.login:voidstar.com/xmlrpc.php. When the password I gave them validated, they picked up my foaf file and thumbnail and auto-created a profile for me. There's an audit trail and if necessary someone could look at voidstar.com and find content going back a few years. They could check the pgp signature on the foaf file. The domain has some history. Email addresses that include @voidstar.com appear all over the web. There's a CV up there. So clearly voidstar.com is a pretty good authenticating authority for jbond. Now I go to expats4dean.co.uk and tell it to validate on jbond:drupal.login:geeks4dean.com/xmlrpc.php They create their own profile based on the one at geeks4dean.com which originally came from voidstar.com.

    When I start posting extreme libertarian anarcho-capitalist tracts on expats4dean.co.uk and they decide to ban me, they can post all over their site, geeks4dean.com, this mailing list, bloggercon and anywhere else they choose that the entity that calls itself jbond and lives at voidstar.com is not to be trusted.

    ISTM that this has proved at least as effective as the big centralized authenticating authorities. And we didn't have to involve them at all.

    I feel sure that I'm re-inventing wheels here. And I've no doubt that I'm glossing over deep problems. But I refuse to accept that this problem needs either some BigCo in the middle, or incredibly complicated web services that are all spec and no implementation.






    Here's a proposal for a low tech, de-centralized, remote authentication system with profile management. It's aimed at all those low security situations where you need to login to a website but don't want to go through the hassle of creating an authenticated profile.

    The basic approach is a simple web service. This web service should support and be implemented in XML-RPC, ReST and SOAP (in order of priority). It would take two string parameters; an ID and password. It would return True or False. This service would usually be available in a standard location (say "remote.login", /xmlrpc/, port 80) or can be found via some auto-discovery mechanism such as RSD.

    The intention is that this web service is widely implemented either as standalone CGI files on personal websites, or as a service on more centralised systems like Typepad, Slashdot, etc etc.

    On the server side, anyone building systems that require login but are not overly concerned about security should add support for external authentication. If the user types in something like ID: foo@bar.com it will pass foo and the password to the web service at bar.com. If it returns true, then either log the person in against foo@bar.com or create a user record linked to foo@bar.com and log them in against it.
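Added example, not from the proposal and not Drupal's code: the two sides described above in Python, wired together in-process so it runs offline. The authority ("bar.com") exposes remote.login over XML-RPC through the standard-library dispatcher and keeps only salted PBKDF2 hashes of its short ID/password list; the relying site ("alpha.com") splits foo@bar.com, sends the XML-RPC request, and on True fetches or creates a local record keyed by the full foo@bar.com. The dict of dispatchers standing in for an HTTP POST to http://bar.com/xmlrpc/, the PBKDF2 parameters, the constructed credentials and the class and function names are assumptions of the example.

```python
import hashlib
import secrets
from xmlrpc.client import Fault, dumps, loads
from xmlrpc.server import SimpleXMLRPCDispatcher

PBKDF2_ITERATIONS = 100_000   # work factor; an assumption of this example


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def make_login_service(id_passwords):
    """The bar.com side: the remote.login method a personal site would serve at
    /xmlrpc/. id_passwords only seeds the store; just salted hashes are kept."""
    store = {}
    for user_id, password in id_passwords.items():
        salt = secrets.token_bytes(16)
        store[user_id] = (salt, _hash_password(password, salt))

    dummy = (b"\0" * 16, b"\0" * 32)   # unknown IDs cost the same as known ones

    def remote_login(user_id, password):
        # Two string parameters in, plain True/False out, as the proposal says.
        salt, digest = store.get(user_id, dummy)
        return secrets.compare_digest(_hash_password(password, salt), digest) and user_id in store

    dispatcher = SimpleXMLRPCDispatcher(allow_none=False, encoding="utf-8")
    dispatcher.register_function(remote_login, "remote.login")
    return dispatcher


class RelyingSite:
    """The alpha.com side: logs users in against local@authority records."""

    def __init__(self, transports):
        # authority host -> dispatcher; stands in for POSTing to http://host/xmlrpc/
        self._transports = transports
        self.users = {}

    def _ask_authority(self, host, local_id, password):
        dispatcher = self._transports.get(host)
        if dispatcher is None:
            return False                       # authority unreachable: fail closed
        request = dumps((local_id, password), methodname="remote.login")
        # _marshaled_dispatch is what the XML-RPC request handler calls on a POST body.
        response = dispatcher._marshaled_dispatch(request)
        try:
            (result,), _ = loads(response)
        except Fault:
            return False                       # unknown method or service error: fail closed
        return result is True                  # only an XML-RPC boolean true counts

    def login(self, typed_id, password):
        """Returns the local user record on success, None otherwise."""
        local_id, sep, host = typed_id.rpartition("@")
        if not (sep and local_id and host):
            return None
        if not self._ask_authority(host, local_id, password):
            return None
        # Key by the full name: an authority only vouches for its own namespace.
        key = f"{local_id}@{host}"
        return self.users.setdefault(key, {"id": key, "authority": host})


if __name__ == "__main__":
    authority = make_login_service({"foo": "correct horse"})   # constructed sample
    site = RelyingSite({"bar.com": authority})
    print(site.login("foo@bar.com", "correct horse"))          # a record for foo@bar.com
    print(site.login("foo@bar.com", "wrong"))                  # None
```

Keying the local record by the full foo@bar.com rather than the bare foo is what stops foo@evil.com from being treated as foo@bar.com: each authority can only vouch for names in its own namespace, and the relying site must never let one authority's True create or unlock a record that belongs to another. Any XML-RPC fault (unknown method, exception inside the service) is treated as a failed login, not as an error to retry without the check.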

    For this to get widespread implementation at least three things are needed.

    1) Simple stand alone CGI programs in the major languages (eg perl, php, python, or whatever) that implement the service. These should include a minimally simple interface to maintain a fairly short list of ID/Password pairs.

    2) A set of toolkits in all the major languages for server-side applications to implement both sides of remote login.

    3) Support for remote login built into successful apps like slash, php-nuke, movable-type, blogger, etc etc.

    Extensions and Issues

    The biggest issue I see is that there is minimal security and minimal hiding of passwords, but for the intended use this doesn't actually matter. We're not trying to replace Passport, Liberty or PingID. What we are doing is creating a standard for those tens of thousands of websites that need minimal authentication. Many of us currently solve this by using the same ID and Password wherever possible. This system formalises this by letting us control that common ID-Password ourselves in one place. It also avoids the problem of having to create jbond23, jbond23uk, j23bond and so on because jbond has already been taken. The trade-off is the same one we already accept by reusing passwords: every site we log into this way is handed the cleartext password and could replay it against the home site or anywhere else it is accepted, so the scheme only fits sites where that risk is acceptable.

    This idea immediately suggests some standard, possibly using FOAF, to let an end user or participating sites provide basic user profile information to a site that is creating a new user record. I have in mind some similar approach of minimal cgi program for de-centralization, toolkits for App coders and support in major platforms for a standardised foaf, vcard or similar set of data. This data could then be used to pre-populate user records.

    If this takes off, it'll need a name. Really Simple Authentication is appealing, but RSA is already taken... Simple External Authentication (SEA) looks possible.

    Acknowledgements

    This whole essay was inspired when I went back and had another look at the current state of Drupal. For a year or so Drupal has had a remote authentication system that let you log in to a Drupal site using an ID and password from another site. They currently have support for Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber, LDAP. The code and techniques are admirably simple and would provide a good basis for the more general approach outlined above. http://drupal.org/node/view/312

    You probably know about Deanspace http://www.deanspace.org/ which is based on Drupal. Every Deanspace site supports this style of remote auth.




    Helen Murdoch chatting online now in the Ecademy Chat room
    [from: JB Ecademy]




    DeanSpace, the project by Howard Dean supporters to develop software to support local political campaigns has got to v0.95. This is a packaged and customised version of Drupal, the base for Ecademy.

    What's interesting is that the software is GPL, free and downloadable by anyone so it could be used as easily by Republicans as by Democrats.

    So are any Ecademy members involved in local political campaigns in the UK? How about pushing this at the Liberal-Democrats? Or whatever political campaign you're involved with? [from: JB Ecademy]




    According to Marc's Voice Ecademy is a Social network for "British Intellectuals".

    Uh-huh. I'm not sure whether to take that as a compliment or some deeply ironic and sarcastic sneer. Since Americans don't usually do irony, I guess it's a compliment!
    [from: JB Ecademy]




    This one is too funny. A bunch of people have phone pranked the RIAA, iTunes, record labels, and artists and then transcribed the results. The RIAA Prank: Do They Really Care About Kazaa, Grokster, and Napster? :

    JH: You guys ARE going to sue me! I knew it! I never should have downloaded Beethoven's Ninth Symphony! Oh, NO!!!

    JH: I don't want an Apple. They're too heavy.

    APPLE: We have some light ones too, like an iBook.

    JH: I heard that iBooks can only be used in Starbucks.
    LOL! [from: JB Ecademy]

    BT Puts WiFi in Payphones

    Most excellent. [from: JB Wifi]




    No Wires, No Charge (TechNews.com) : Intel Corp. and a smattering of other technology companies are coordinating a wireless giveaway next week. About 5,000 WiFi "hot spots" around the country that normally charge for wireless Internet access will offer it free all day Sept. 25.

    So, BT Openzone, T-Mobile, Surf'n'Sip and all the others, how about doing this in the UK as well? [from: JB Wifi]




    WiFi SIP Cellular to Be Released

    There are quite a few paid hotspots that require a number to be typed in and a browser window kept open. So it's interesting that Jeff Pulver says this. "Pulver said his offering will work in an office or anywhere there is an "open hot-spot." Initially, the phone will not operate in a paid WiFi environment, such as those in Starbuck's coffee houses and other locales." [from: JB Wifi]

    Fool.com: Steal This Column [Commentary] September 12, 2003 : But here's the kicker: America Online, despite serving as a high-speed hub of P2P commiseration, is part of the same AOL Time Warner (NYSE: AOL) media giant that owns Warner Music, one of the five major record labels. It's a conflict of interest that became notoriously transparent when the RIAA's list of 261 violators reportedly didn't include a single AOL subscriber.

    So as the names trickle in (including the likes of a repentant Yale professor and a 71-year-old man who claims he was unaware that his visiting grandchildren were loading up on song files), one has to wonder how differently this all would have played out if they had signed up with America Online -- or if Verizon (NYSE: VZ) owned a record label.


    Do I need to add any comment?

    BTW. Clearly, downloading MP3s -- illegal ones, in most cases -- is the killer app driving DSL and cable modem growth. [from: JB Ecademy]




    If you like conspiracy theories you'll like Project Censored : Censored 2004: The Top 25 Censored Media Stories of 2002-2003

    This appears to be a comparatively serious analysis with real references and frequently contributions from the original journalist who broke the story. But you still have to make your own mind up about how real all this is. [from: JB Ecademy]

    Following the amazing RIAA actions in the USA and a comment here about "if you can't do the time don't do the crime" I thought I'd put together a list of hypothetical actions and see which were illegal and which legal. Bearing in mind that under the law, ignorance is rarely a defence.

    Purchase
    1) I buy a copy of Eminem's latest record in HMV for 12.99

    2) I buy a copy of Eminem's latest record in a supermarket for 9.99

    3) I buy a copy of Eminem's latest record from a guy down the market who's selling CDs out of a flight case for 4.99

    4) I buy a copy of Eminem's latest record at a car boot sale for 3.99

    5) I buy a copy of Eminem's latest record in HMV, it has the CD Audio logo on the packaging. But it won't play on my PC.

    Fair use
    6) I rip my Eminem CD to MP3

    7) I lend my CD to my son. He listens to it on his walkman on the way to school while I listen to the MP3 at home.

    8) I lend my CD to my son. He listens to it in his room while I listen to the MP3 at my desk.

    9) I email the MP3 to my daughter at her boarding school.

    10) I go to an Eminem concert and record the concert to a minidisk player

    11) I go to a Grateful Dead concert and record the concert to a minidisk player

    12) I make a copy of the two recordings and give them to friends

    13) I copy the two recordings to my website

    14) I make CDs of the recordings and sell them down the market

    15) I make a compilation MP3 CD of my favourite chillout music. I give it to someone I meet at an Ecademy meeting. When I get home I make another one.

    16) We're moving house and I need to clear out the old LPs. I sell them by the case down the market. I've kept the best ones on MP3.

    17) I mash up my Eminem single with Madonna's "Like a Virgin" and some sampled drum and bass. I put it on my website and it's picked up by XFM who play it on the radio.

    18) I buy a Japanese import DVD and play it on my DVD player that has been hacked to play multi-region.

    Downloading
    19) I download a copy of Eminem's latest single

    20) I then buy the CD

    21) I download a few tracks from an album I have on vinyl but which is scratched to pieces

    22) I download a few tracks from an album I bought on cassette but which destroyed itself and is currently by the side of the M11

    23) I download Edgar Broughton's classic "Out demons out" which has been deleted from the catalogue and is unavailable anywhere

    24) I buy a track off iTunes. I then auction the track on eBay.

    25) I listen to an Internet Radio station and rip the data to an MP3 so I can listen to it later

    26) I buy a DRM protected song over the net. I use a Linux utility to extract a clean unprotected MP3.

    27) I buy a DRM protected song over the net. I record the analogue output to a clean unprotected MP3.


    Sharing
    28) I have a collection of 5000 MP3s. I use Kazaa for 19-23 but I have the checkbox clicked to disable sharing

    29) I run Kazaa but only share a directory where I keep the copyright-free music.

    30) I run Kazaa on a high speed line as a Supernode, but I don't use it myself to share music.

    31) 95% of my collection is ripped from CDs I've bought. I don't download much but I leave it running with all these shared as a public service.

    32) I'm searching Kazaa for a copy of "The invention of TV by bees", a bizarre art house movie. I download a bunch of vids but don't notice that one of them is kiddie porn.

    33) I'm running my Kazaa on the company LAN. The IT department have blocked it at the firewall so it's only sharing with other people in the company.

    34) I built an app to make it easy for my college to share documents. Without my knowledge some people are using the same app to share music.

    35) My ISP is getting hammered with Kazaa traffic. We install a Kazaa proxy to try and keep the traffic within our network.

    36) My record company routinely uses music sharing analysis software as market research.

    37) My record company has started seeding the music sharing networks with fake songs that actually have Madonna saying "F*ck you"

    38) My record company has used subpoenas to get ISPs to give up the names of Kazaa users

    39) Kazaa sued the people who reverse engineered Kazaa lite under the DMCA and got Google to remove links to them.

    40) My record company released a virus onto the net which damaged the hard disks of people running Kazaa.

    41) My ISP blocks all Kazaa traffic

    Damn! This stuff is morally and legally ambiguous. Meanwhile, there are currently 2,900,243 people sharing 585,953,440 files on Kazaa.
    [from: JB Ecademy]

    In the ongoing saga of hacking the Linksys WRT54G, Rob Flickenger has achieved NoCatSplash on the Linksys WRT54G. From the readme,

    This package will turn your Linksys WRT54G access point into a NoCat open
    portal. This means that users will be presented with a "splash page" of
    your choosing, and must click a button before they can access the network
    from your AP.


    Why is this important? Well it's another major stage along the way of creating an AP that a private individual can use to create a free hotspot. And to do it in a way that is controlled and secure rather than simply leaving their network and internet connection open. There are commercial "Hotspot-in-a-box" packages from people like Toshiba but these tend to be significantly more expensive and built in a way that expects the owner to charge for access. That charge might be via scratch and sniff cards or via partnering with a WISP. What they don't do (I think) is allow a small operator to simply give away access. The alternative of using consumer grade APs doesn't really work because they don't have enough capability in the router to properly limit access for guests. The last alternative of using a general purpose PC attached to a commodity AP to control access currently forces you down the Unix route.

    So what we're seeing with this experiment is something that might become a simple to install GPL update to radically extend the capability of a consumer grade AP. What remains to be seen is the extent to which Linksys encourage this. There's a very interesting route here where Linksys essentially get out of the software business and concentrate on their hardware manufacturing and distribution business. They would do this by packaging and shipping a Linux distro that had been largely developed, debugged and maintained by the open source community.

    The fly in the ointment in this scenario and in the ongoing problems with the Linux GPL is the drivers for the Broadcom chipset. It appears that Linksys/Broadcom cannot get FCC approval for the device if the device drivers are open source since that opens up the possibility of user level tinkering with a software controlled radio. And hence persuading the overall box to break FCC rules for license exempt radios. It's not at all clear yet if there's a way out of this. Linksys/Broadcom may well be caught between the FCC and the GPL license with no solution that satisfies both. Ultimately this is bad for everybody. [from: JB Wifi]




    Net4Nowt :: News Story : WiFi hotspots in every library on government agenda says E-Commerce Minister Stephen Timms

    My local library has got a WiFi setup, but it's restricted and WEP encoded. [from: JB Wifi]

    I've been playing with iRate this morning. It's a music download system with a difference.
    - All music is copyright free and collected from web sites that are giving away songs.
    - You rate each song on a 5 way "This Sux" to "Love it!" scale.
    - The system suggests downloads based on your ratings via collaboration with the preferences of other users. It's the same idea as Amazon's "People who bought this also liked that".
    - It's almost like a radio where it's downloading the next song while you're listening to the last one.
    - It's open source and has versions for all major operating systems.
    - There are currently >2000 users
    - It's V0.2 and still a little clunky but works well enough to see that it's got real potential.

    [from: JB Ecademy]

    As an experiment, I've started an Ecademy chat room on MSN. Come and say hello. [from: JB Ecademy]
