Delegated Authentication

Delegated authentication differs from the federated authentication model in that the authentication authority delegates authentication yet again. It's a double-sided star system where the authentication authority sits in the middle, acting as a directory of sorts.

The delegated authentication model is not appropriate for weak authentication uses. So I doubt we'll see banks pushing customers to some federated authentication authority whenever they click on the sign-in button. Where it makes sense is protecting high-value transactions with strong and/or multi-party multi-factor authentication.

As cryptic as what I wrote above may sound, the net effect is that a) consumers will be able to buy their favorite secure token at Fry's and use it to protect their bank account without worrying about whether the bank supports the device or not, b) banks of all sizes will be able to support a wide range of authentication methods cheaply, and c) strong authentication vendors will be able to market their products and services directly to consumers.

The biggest hurdle for delegated authentication is that the cost of fraud risk has already become part of the balance sheet. Risk exposure is aggregated and taxed horizontally so that financial risk is shared as part of operating cost. The net result is that individual customers face minimal financial risk, which leaves them little incentive to be interested in strong authentication unless they are required to use it by their banks.

Instant Outlining and Wiki

While there are similarities between Instant Outlining (IO) and Wikis, there are subtle differences. Instant Outlining is more about people and relationships where Wikis are more about documents and collaboration. Instant Outlining is more about now and decentralization where Wikis are more about history and centralization.

I think the two can be combined to get the full benefits of both: a beast with multiple heads of Instant Outlines and the body of a Wiki with full versioning support. Ross, I think you need to ask Uncle Fluffy to tell you a story.

Education Revolution Ahead

It hasn't happened yet but I think the situation in South Korea is perfect now for the birth of the next generation in education. I think most of us know what it will look like but the gap between theory and practice must be bridged, and I think the bridge will be built in South Korea soon, which will give the rest of the world solid enough delusions to dive into it, delusions because the bleeding edge is always wider than one expects.

The necessary ingredient is the unseemly mixture of despair and hope heated over high tech and righteousness which South Korea has in abundance unlike countries like Japan where changes come in longer breaths and elders are still strong enough to suffocate the foolish youngsters. Given enough time and right circumstances, shortcomings of a society will become unexpected assets.

Smoke Day

I smoked today. Actually, I smoked just now with only 31 minutes left in the day. Not really a cigarette even, more a mini-cigar that was sitting in a forgotten corner of the house until now. So horrible yet so comfortable. I've been on nicotine candy for the past three months and haven't been able to get off it. That's not really quitting, more like pausing. And I've been in an irritating state of mind for the past three months. Damn. I feel like a loser. The worst part of smoking these days is the guilt. I don't know if I am back to smoking or not yet. I am taking it one day at a time at this point. For now, allow me this pleasure of hating myself for this self-inflicted wound.

More on Daily Witchhunt

English article from a Korean newspaper on the Internet witchhunt problem in Korea. Apparently, the college the girl attended (note the past tense) got stepped on as well. I also found a series of links on another Korean phenomenon, snitch economy, but they are all in Korean unfortunately.

According to some eyewitness accounts of the incident, she was just 'slow'. She had a lot of bags (?) so she put her dog down on the floor. When her dog pooped, she made the mistake of cleaning her dog first. The old women in red jacket got upset at that and threw a plastic bag at her. The girl then panicked and ran, after cussing at the women. Her manner sucked but I don't think she deserved to be lynched.

BTW, the girl apologized in public via a Cyworld 'hompy'. Again, she apologized like a clueless badly mannered person. No surprise there. Would she have learned to behave better if people on the train took turns bashing her face in? I don't think so. But then 'beating sense' into a person is a popular practice in Korea.

Sidebar Communication

Hollywood social networks are using IM Status (i.e. Busy, Away) as a communication channel (i.e. Status: Need Work). Excellent idea!

For Dave's Instant Outliner, this could be done very easily so one could see status of team members, friends, and family.

For blogrolls, a short status description element can be added to each feed. Blogroll has to be live though for this to work. How would it look? Where you see the orange XML pseudo-image on my blogroll to the right, you would see short messages from the bloggers like Need Work, Help Wanted, In Japan, Sick, or simply RIP for grave bloggers.

Note that the status could be little graphics like Sparkline or an image. Status of a dog, for example, will be a webcam snapshot.

Wie and Hee-Seop Choi Day

Just finished watching Wie, the cute 15-year-old Korean-American amateur golfer, finish second place in the LPGA Championship, just 4 shots behind Annika Sorenstam. Excellent. Too bad her amateur status means she won't get the prize money ($160K!).

Meanwhile, Hee-Seop Choi (LAD) is having another great back-to-back home runs. He hit 2 on Friday, 1 on Saturday, and 2 so far today, all against the Minnesota Twins. Go Choi!

Update:

Make that three! He homered again in the 6th, right after I pushed the submit button. Crazy. Let's see if it works again. 😉 Go Choi!

Korean Netizens Attack Dog-Shit-Girl

It began in a subway train with a girl whose dog made a mess on the train floor. When nearby elders told her to clean up the mess, she basically told them to fuck off. A nearby enraged netizen then took pictures of her and posted them, without any masking, on a popular website, which started a nationwide witchhunt.

Within hours, she was labeled gae-ttong-nyue (dog-shit-girl) and her pictures and parodies were everywhere. Within days, her identity and her past were revealed. Requests for information about her parents and relatives started popping up and people started to recognize her by the dog and the bag she was carrying as well as her watch, clearly visible in the original picture. All mentions of privacy invasion were shouted down with accusations of being related to the girl. The common excuse for their behavior was that the girl doesn't deserve privacy.

While the girl clearly behaved badly, those Korean netizens' behavior is even worse and inexcusably so. Abuse by the mob is indistinguishable from abuse by dictators yet they just don't see it in the heat of righteousness. Are they wary of ruining her life or hounding her into suicide? I doubt it. To quote some of them: her life deserves to be ruined and she won't kill herself because she is a thick-skinned bitch.

WTF?

Update:

What would I have done if I was at the scene? I would have just cleaned up the mess without saying anything just like the elderly man did: mess is cleaned up and the girl, embarrassed at the right level.

Transparent society? It looks more like a society of gadget-wielding finger-pointers to me.

Update:

Dog 'Poop' Girl Redux is an excellent recount of the DSG incident and news trail that followed.

Using Random Names Against Browser Frame Injection Vulnerability

As you can experience through this Secunia Multiple Browsers Frame Injection Vulnerability test page, a vulnerability recently reintroduced into Firefox, other websites can easily inject their own page into a frame from another website. How does it work? Just set the link target to the name of the victim's frame.

One possible quick protection against frame injection uses random frame names. If the name is random, they can't target the frame. For dynamic content pages, the random frame name can be saved as a session attribute and injected on the fly into outgoing pages. For static content pages, JavaScript code can be used along with a session cookie to set frame contents from the client side.

Note that older unpatched versions of browsers that allow cross-domain script access to frame names are still vulnerable. I've checked that IE6 SP2 and Firefox 1.0.4 do not. Not sure about others though.

Caveat: I whipped this up after only a brief study of the vulnerability today so beware that it is offered only as-is.
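The dynamic-page variant described above, as an added example that is not code from the original post: a random frame name is created once per session, kept as a session attribute, and substituted into every outgoing page that defines or targets the frame. The in-memory session map, the `{{FRAME}}` placeholder and the sample templates and paths are assumptions made for illustration.

```javascript
// Added example: per-session random frame names (Node.js, server side).
const nodeCrypto = require('crypto');

// Hypothetical in-memory session store: session id -> session attributes.
const sessions = new Map();

// Return the frame name for a session, creating an unguessable one on first use.
function frameNameFor(sessionId) {
  let attrs = sessions.get(sessionId);
  if (!attrs) {
    attrs = {};
    sessions.set(sessionId, attrs);
  }
  if (!attrs.frameName) {
    // 16 random bytes (128 bits) from the OS CSPRNG, hex encoded.
    // The "f" prefix avoids reserved names that start with "_".
    attrs.frameName = 'f' + nodeCrypto.randomBytes(16).toString('hex');
  }
  return attrs.frameName;
}

// Substitute the session's frame name for the placeholder in an outgoing page.
function injectFrameName(template, sessionId) {
  return template.split('{{FRAME}}').join(frameNameFor(sessionId));
}

// Constructed sample templates: the frameset that defines the content frame
// and a navigation page whose links target it.
const FRAMESET_TEMPLATE =
  '<frameset cols="20%,80%">' +
  '<frame src="/nav.html">' +
  '<frame name="{{FRAME}}" src="/account/summary.html">' +
  '</frameset>';
const NAV_TEMPLATE =
  '<a href="/account/summary.html" target="{{FRAME}}">Summary</a>';
```

Every page in the site that links into the frame has to go through `injectFrameName`, otherwise its links open a new window instead of the named frame.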

Identity as a Verb

To me, identity is not something one has, like InfoCard or a key, but something one does, a verb if you will. Identity is like the equal sign of an equation. For identity to happen, you need both sides of the equation.

In the real world, identity happens when I see someone I met before. I compare the face in front of me with the face I remember and, voila, identity happens. Identity stops happening as soon as the person walks away or the person hits me hard enough to faint.

Likewise, online identity happens when a website and I agree on some piece of secret and then I later show it. Yup, the website would say, you showed us what we saw before. As soon as that is done, the website has to give me something else because identity is an event and the website will forget who I am otherwise. Usually, they give me a ticket which I have to show every time I say something. When I am done with the website, the ticket is thrown away.

But does the website know who I am? Nope. If I tell them that I am the Don Ho who sang Tiny Bubbles, they'll accept that so, when online identity happens later, they'll be able to say Yup, you showed us what we saw before from a guy who claimed to be Don Ho.

At this point, I forgot what I was going to say. It's too bad that, like identity, enlightenment is a verb.