07 Oct 2003 We may not do Burning Man in the UK, but we can do The Big Green Gathering. And one star attraction there this year was the iTrike: The World's First Solar-Powered Internet Rickshaw! which provided WiFi connected Internet access to a satellite base station, streaming video and music all while sitting in a sofa and being gently pedaled round the campsite. Yes. That is a giant pantomime Zebra next to the giant fluffy sheep. [from: JB Wifi]
OhMyGod! Like gag me with a spoon! It's the official George Dubya Bush Campaign Blog!
You've got to admire a website that has menu options for both "Compassion" and "Homeland Security" Come on Tony Blur. Get with the program. It's time you had one too. [from: JB Ecademy] Quick and dirty solution to putting your Skype account on your profile. People can then click on it to call you.
Cut and paste this into your profile notes and change your_skype_id to your Skype ID. eg ![]() If enough people want this I'll add it as a field on the database. [from: JB Ecademy]

[ 07-Oct-03 3:10pm ]

Most cable and ADSL modems these days have a USB port rather than ethernet. You typically have to pay extra for an ethernet connection. This makes sense as it means that the connected PC can use its typical one ethernet port to share the connection with a LAN without having to install an extra port.
So why do none of the consumer grade WiFi Router/AP/Hub combination boxes have a USB port for the WAN side of the box? Surely direct connection to an ADSL or Cable modem is their primary market? If you have this setup of a USB modem and Ethernet Wifi box, how are you supposed to rig everything up? ADSL - Modem - PC - WiFI - LAN ? In which case, the router functions are unused. Or do you have to buy a USB-Ethernet adapter to go ADSL - Modem - Adapter - Wifi. [from: JB Wifi] [ 07-Oct-03 9:10am ] 03 Oct 2003 SEA - Simple External Authentication or Simple Single Sign On for the rest of us now has a mailing list and a wiki.
[ 03-Oct-03 5:28pm ] I'd meant to post this earlier but have had a little time out. Anyway here's some thoughts on the WiFi event.
1) The panel seemed to be perfectly OK with a private individual using whatever open access point they found. This is a real position that I mostly agree with from a pragmatic point of view. However I really wonder whether the guy from SUN understood what he was suggesting. If someone in SUN put in a rogue Access point inside their firewall would they really be OK with me using it from outside the building? I know that this is a grey area where the law clearly says that un-authorised access is illegal. But I'm puzzled about the real world implication. It's not hard to configure Win XP to auto-associate with open access points. Now if an AP is unencrypted, responds to DHCP, provides an internet gateway and my laptop uses it and then downloads email with no interaction from me, it's pretty hard to see what harm I'm causing, or what bad intent I have. And again in the real world, it's pretty unlikely that anyone will notice or prosecute me. So without saying whether it's right or wrong, legally or morally, you have to end up going "who cares".

2) The advice from several panel members about securing your use of a public (or private) access point was to use a VPN. And I and others sat there listening to this and thought "Hmm? VPN? to where exactly?" Now if I was an employee from a large corporate with a large IT department, and I was using internal systems then I'd agree absolutely and I'd expect the IT dept to sort it all out so that my access was secure. But for the rest of us as private individuals, or employees of SMEs, or BigCo employees who aren't using internal apps, all we really want to do is surf the web and deal with email. For the web surfing, security is either irrelevant, or should be secured with https in the normal way. So that leaves us with email. Now just about the only security issues with email are exposing the password and being able to send email. The first can be solved with TLS/SSL encryption.

The second can be solved with SMTP AUTH again secured with SSL. And if we're concerned about keeping the email contents secure then we should be using S/MIME or PGP. Now SSL and SMTP AUTH are supported by almost all email readers and typically only require a couple of extra checkboxes to configure. So the only problem left is that our typical ISP's email or corporate email system doesn't yet support SSL and SMTP AUTH. So we should be demanding that our ISPs support these standards, perhaps as a premium service. We should be demanding that our IT dept support them. And if they don't then we should be using "wires only" broadband with a boutique email only ISP that does all this as well as spam blocking and virus checking. And for the WISPs and Hotspot operators, there's a secondary business for you. [from: JB Wifi]

I've been trying various VoIP systems both at home and on Wed afternoon over the WiFi service at Cafe Grand Prix. Here's a quick summary.
MSN Messenger. I've never been able to get audio or video to work with full support going both ways. There always seems to be some firewall or NAT problem. MSN6 seems to be marginally easier than earlier versions and Netmeeting. But like I say I've never managed to get a full two way audio and video link. Attempts in the last week and over the WiFi failed as usual.

FWD. I've had success in the past using standard SIP systems along with FWD's SIP proxy to get through firewalls. However on the WiFi both my SIP clients failed to connect through the gateway. This was using SJPhone and XTen Xlite. Presumably some essential ports were being blocked.

Skype. It just worked. No firewall problems. Good quality. No difference between home and wifi. One conversation was with a guy in Spain and the quality was at least as good as a cellphone. Another conversation was with someone using a laptop with the built in mic and speakers. Until he'd said, I couldn't tell. The one thing to be aware of is background noise such as music as this can increase the bandwidth needed and hence reduce quality if the bandwidth is limited.

So even though Skype is proprietary, the combination of hype, PR and code quality looks like winning out. And using it from a WiFi hotspot seems to be trivial.

Now this brings up the last issue. Most paid for Hotspots use a captive webpage for sign in. This is fine as long as your device has a browser. But if your device is a dedicated VoIP phone, you may be stuck. This probably means that the minimum device is a PDA. And it also means we're still a long way from VoIP over WiFi being anything like as easy as using a cellphone. [from: JB Wifi]

My VoIP over WiFi report is here. [from: JB Ecademy]
What are the news sources you regularly read for information about WiFi? Do you know of any others with an RSS feed? I'll start:-
802.11 Planet http://www.80211-planet.com/
80211b News http://wifinetnews.com/
Channel 'wifi' http://topicexchange.com/t/wifi/
CNET WiFi http://www.news.com/
Computerworld Mobile/Wireless News http://www.computerworld.com/
CYBERFROST.net http://www.cyberfrost.net/weblog.php
DailyWireless http://www.dailywireless.org/
E3 http://www.e3.com.au/
GoogleNews: WiFi WLAN 80211 http://news.google.com/news?num=15&scoring=d&q=wifi+OR+WLAN+OR+80211
InfoWorld: Wireless http://staging.infoworld.com/cgi/redesign/subjectindex.wbs?year=&month=&section=&startcount=1&topic=WIRELESS
Muniwireless http://www.muniwireless.com/reports/
net stumbler dot com http://www.netstumbler.com/
Network World on Wireless and Mobile http://www.nwfusion.com/topics/wireless.html
O'Reilly Wireless Dev Center http://meerkat.oreillynet.com/
Reiter's Wireless Data Web Log http://reiter.weblogger.com/
Sifry's Alerts http://www.sifry.com/alerts/
Techdirt Wireless News http://techdirt.com/news/wireless/
Voxilla http://www.voxilla.com/
Warchalking http://www.warchalking.org/
WiFi Tech http://www.wifitech.com/
[from: JB Wifi]

[ 03-Oct-03 9:10am ]

01 Oct 2003

Websites within 100 miles of Ecademy
The localfeed from London weblogs. And in RSS. Perhaps we should add this to DailEnews? [from: JB Ecademy] [ 01-Oct-03 2:40pm ] Bruce Sterling's Ten Technologies That Deserve to Die
1. Nuclear Weapons
2. Coal-based power
3. The Internal-Combustion Engine
4. Incandescent Light Bulbs
5. Land Mines
6. Manned Spaceflight
7. Prisons
8. Cosmetic Implants
9. Lie Detectors
10. DVDs

Incidentally Bruce has a catalogue of all his online work here. Now where's the RSS file? [from: JB Ecademy]

30 Sep 2003

I've now implemented half of Drupal's remote authentication. If you go to any Drupal site, you can log in and create a user record by using your ecademy ID and password. So for instance you can go to drupal.org and log in with id= your_ecademy_login@ecademy.com and password= your_ecademy_password.
I'm working on the reverse of this. To be able to create a user record and login to Ecademy using credentials that are validated against other Drupal, jabber, blogger or whatever sites. If anyone is interested in trying to extend this to a much more general (but low tech) single sign on system please get in touch. [from: JB Ecademy] [ 30-Sep-03 6:10pm ] I want to try an experiment with VoIP (Voice over IP) to see just how effective it is. To that end I'm running as many clients as I can manage. eg
julian_bond@voidstar.com julian.bond sip:21125@fwd.pulver.com I particularly want to try this over the WiFi link at Cafe Grand Prix tomorrow afternoon. If you can use any of these systems, please give me a call, but particularly give me a call around 4-6pm BST Wed Oct 1. [from: JB Ecademy] Ecademy now has a semi-permanent IRC channel.
irc://irc.freenode.net/ecademy You'll need an IRC client such as mIRC or Chatzilla to access it. We probably won't be adding a Java web client unless someone can recommend a cheap/free tool that actually works ok. [from: JB Ecademy]

25 Sep 2003

Kendra Wiki is thinking along similar lines.
There's a thread on the decentralization mailing list following it. More thoughts:-

Ignore the actual protocol for a moment. Site alpha.com validates with Site bravo.com. Site Alpha knows that UserID="foo" + Password="bar" + URL="bravo.com/sea/" = True. The remaining security question is the reputation or authenticity of the web service at bravo.com/sea/. This is the added value that centralized single sign-on systems claim to provide. I guess my argument is that there are very large numbers of situations where that last layer of authentication is not needed. So if it's not needed, stop trying to solve that problem and come up with the simplest solution that is "good enough" to answer the layer below.

The real security question is whether the end user is comfortable giving ID+Password+URL to alpha.com. Arguably, alpha.com is building a database of these triples in the knowledge that they *might* be useful elsewhere.[2]

In terms of protocol, I'm probably getting it wrong and ignoring prior art. I'm sure there are challenge-response approaches where the password never goes down the wire (SPA? APOP?). And if necessary the whole authentication transaction can be hidden with TLS[1].

In terms of UI, the user would need to provide ID;Password;URL;Protocol Where protocol is one of SEA, Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber and LDAP[2]. And URL may be part of ID for some protocols.

[1] Such a shame that there's a commercial lock on TLS certificates.

[2] Several of these take advantage of an existing API that includes password. I suspect that a bit of screen scraping and cURL could extend this to Passport, AOL, and quite a few others. Clearly, ID+Password+Passport is worth quite a bit more than ID+Password+Manila but also has much more potential for abuse.

Jeffrey Kay wrote:
>The basic idea behind authentication is that you have to trust the
>authenticating authority. If you can't then the system fails.
Back in the real world, there's a reductio ad absurdum problem with this. Most "Authorities" (eg Passport) are only really warranting that this ID is associated with an email address which appeared to once have a human reading it. Even eCommerce SSL certificates only really warrant that a domain had a fax number associated with it at one time.

So let's try a use-case. I got it into my head that the Deanspace software could be used by the Liberal-Democrats in the UK. While doing the research, I signed up at geeks4dean.com and told them to validate against jbond:drupal.login:voidstar.com/xmlrpc.php. When the password I gave them validated, they picked up my foaf file and thumbnail and auto-created a profile for me. There's an audit trail and if necessary someone could look at voidstar.com and find content going back a few years. They could check the pgp signature on the foaf file. The domain has some history. Email addresses that include @voidstar.com appear all over the web. There's a CV up there. So clearly voidstar.com is a pretty good authenticating authority for jbond.

Now I go to expats4dean.co.uk and tell it to validate on jbond:drupal.login:geeks4dean.com/xmlrpc.php They create their own profile based on the one at geeks4dean.com which originally came from voidstar.com.

When I start posting extreme libertarian anarcho-capitalist tracts on expats4dean.co.uk and they decide to ban me, they can post all over their site, geeks4dean.com, this mailing list, bloggercon and anywhere else they choose that the entity that calls itself jbond and lives at voidstar.com is not to be trusted.

ISTM that this has proved at least as effective as the big centralized authenticating authorities. And we didn't have to involve them at all.

I feel sure that I'm re-inventing wheels here. And I've no doubt that I'm glossing over deep problems.
But I refuse to accept that this problem needs either some BigCo in the middle, or incredibly complicated web services that are all spec and no implementation.

23 Sep 2003

Here's a proposal for a low tech, de-centralized, remote authentication system with profile management. It's aimed at all those low security situations where you need to login to a website but don't want to go through the hassle of creating an authenticated profile.
The basic approach is a simple web service. This web service should support and be implemented in XML-RPC, ReST and SOAP (in order of priority). It would take two string parameters; an ID and password. It would return True or False. This service would usually be available in a standard location (say "remote.login", /xmlrpc/, port 80) or can be found via some auto-discovery mechanism such as RSD. The intention is that this web service is widely implemented either as standalone CGI files on personal websites, or as a service on more centralised systems like Typepad, Slashdot, etc etc.

On the server side, anyone building systems that require login but are not overly concerned about security should add support for external authentication. If the user types in something like ID: foo@bar.com it will pass foo and the password to the web service at bar.com. If it returns true, then either log the person in against foo@bar.com or create a user record linked to foo@bar.com and log them in against it.

For this to get widespread implementation at least three things are needed.

1) Simple stand alone CGI programs in the major languages (eg perl, php, python, or whatever) that implement the service. These should include a minimally simple interface to maintain a fairly short list of ID/Password pairs.
2) A set of toolkits in all the major languages for server-side applications to implement both sides of remote login.
3) Support for remote login built into successful apps like slash, php-nuke, movable-type, blogger, etc etc.

Extensions and Issues

The biggest issue I see is that there is minimal security and minimal hiding of passwords but this doesn't actually matter. We're not trying to replace Passport, Liberty or PingID. What we are doing is creating a standard for those tens of thousands of websites that need minimal authentication. Many of us currently solve this by using the same ID and Password wherever possible.
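Both sides of the remote.login exchange described above, as an added example (not code from the original post, from Drupal or from any SEA toolkit). The names `SeaService`, `start_service`, `remote_login` and the `endpoints` allowlist are assumptions made for illustration, as is storing PBKDF2 hashes instead of plain ID/password pairs; the demo endpoint is plain HTTP on loopback, where a real deployment would use an https URL.

```python
import hashlib
import hmac
import os
import threading
from xmlrpc.client import Fault, ProtocolError, ServerProxy
from xmlrpc.server import SimpleXMLRPCRequestHandler, SimpleXMLRPCServer

def _kdf(password, salt):
    # Keep a salted, slow hash rather than the ID/password pairs themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

class SeaService:
    """Home-site side: the short list of ID/password pairs behind remote.login."""
    def __init__(self, users):
        self._users = {}
        for user_id, password in users.items():
            salt = os.urandom(16)
            self._users[user_id] = (salt, _kdf(password, salt))

    def login(self, user_id, password):
        # Unknown IDs still cost one hash, so timing does not reveal which IDs exist.
        salt, stored = self._users.get(user_id, (b"\0" * 16, b""))
        return hmac.compare_digest(_kdf(password, salt), stored)

class SeaHandler(SimpleXMLRPCRequestHandler):
    rpc_paths = ("/xmlrpc/",)  # the standard location suggested in the post

def start_service(users, host="127.0.0.1", port=0):
    """Serve remote.login over XML-RPC in a background thread; returns the server."""
    server = SimpleXMLRPCServer((host, port), requestHandler=SeaHandler,
                                logRequests=False)
    server.register_function(SeaService(users).login, "remote.login")
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def remote_login(login, password, endpoints):
    """Relying-site side: returns the account key (e.g. 'foo@bar.com') or None.

    `endpoints` is a hypothetical allowlist {domain: service URL}, so a typed-in
    domain cannot make this server connect to arbitrary hosts.
    """
    user_id, at, domain = login.strip().rpartition("@")
    url = endpoints.get(domain.lower())
    if not (at and user_id and url):
        return None
    try:
        ok = ServerProxy(url).remote.login(user_id, password)
    except (OSError, Fault, ProtocolError):
        return None  # fail closed if the home site is down or misbehaves
    return f"{user_id}@{domain.lower()}" if ok is True else None
```

The relying site still handles the user's password in the clear before forwarding it, which is the ID+Password+URL exposure raised in the 25 Sep follow-up.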
This system formalises this by letting us control that common ID-Password ourselves in one place. It also avoids the problem of having to create jbond23, jbond23uk, j23bond and so on because jbond has already been taken.

This idea immediately suggests some standard, possibly using FOAF, to let an end user or participating sites provide basic user profile information to a site that is creating a new user record. I have in mind some similar approach of minimal cgi program for de-centralization, toolkits for App coders and support in major platforms for a standardised foaf, vcard or similar set of data. This data could then be used to pre-populate user records.

If this takes off, it'll need a name. Really Simple Authentication is appealing, but RSA is already taken... Simple External Authentication (SEA) looks possible.

Acknowledgements

This whole essay was inspired when I went back and had another look at the current state of Drupal. For a year or so Drupal has had a remote authentication system that let you log in to a Drupal site using an ID and password from another site. They currently have support for Drupal, Blogger, Delphi Forums, Manila, Yahoo, Jabber, LDAP. The code and techniques are admirably simple and would provide a good basis for the more general approach outlined above. http://drupal.org/node/view/312

You probably know about Deanspace http://www.deanspace.org/ which is based on Drupal. Every Deanspace site supports this style of remote auth.

19 Sep 2003

[ 19-Sep-03 1:40pm ]

18 Sep 2003

DeanSpace, the project by Howard Dean supporters to develop software to support local political campaigns has got to v0.95. This is a packaged and customised version of Drupal, the base for Ecademy.
What's interesting is that the software is GPL, free and downloadable by anyone so it could be used as easily by Republicans as by Democrats. So are any Ecademy members involved in local political campaigns in the UK? How about pushing this at the Liberal-Democrats? Or whatever political campaign you're involved with? [from: JB Ecademy] [ 18-Sep-03 8:40pm ] 17 Sep 2003 According to Marc's Voice Ecademy is a Social network for "British Intellectuals".
Uh-huh. I'm not sure whether to take that as a compliment or some deeply ironic and sarcastic sneer. Since Americans don't usually do irony, I guess it's a compliment! [from: JB Ecademy]



