Identity and hypocrisy

September 20, 2007

I realized today that I’m a hypocrite.

On the one hand, I’m a big proponent of OpenID. I think that tying identity to individuals, rather than services, makes sense and is the only sensible way to handle id management on the internet.

That doesn’t mesh well, though, with my general security policy and open derision for people who use the same password for everything. OpenID is essentially using the same password for everything, or at least it’s the same single point of failure security model. I guess I’ll have to lay off the single passworders.

People who use short, all-lower-case, dictionary words are still firmly in my sights, though.

On platform lock-in

September 14, 2007

I’ve been mulling over David’s recent (ok, not that recent but RL’s been interfering) post on vendor lock-in and encouraging more PC use in his Mac-centric office. The premise is that having multiple OS will make your company more flexible and better able to respond to potential disasters. The example he gives is viruses. I don’t buy it.

First of all, the insurance policy isn’t worth the cost and hassle of supporting a mixed environment. Mixed platform file sharing and authentication is still hairy, and the people who can make a mixed network run smoothly demand, and rightly so, about 1.5 times the salary of monoculture techs. And at the end of the day, when disaster strikes you still only have somewhere between 10% and 20% of your machines up and running. For most businesses, that’s as good as none. Even 50% isn’t really enough capacity to effectively conduct business, so the money spent on the contingency plan is essentially money down the drain. Sure, a person’s machine may work, but if the people she collaborates with don’t have access to their files, if the people she relies on for reports and data mining don’t have connectivity or database access, or if the department fileserver is down, the fact that she has a bootable box is inconsequential. Buying all your employees large-capacity smartphones so they have backup access to email and important files is cheaper–and better insurance–than forcing some of them onto alternative platforms.

Second, the real concern isn’t employee workstations, it’s data. Unless the data center has redundant backups on servers running multiple OS, you’re still locked in for all practical purposes. If you lose the file server, you lose everything, no matter what your people have sitting in front of them. And the same is true of files on employee machines. It doesn’t matter if the person next to you has a PC if your files were on a compromised Mac, and vice versa. Files aren’t commodities. Simply having access to other files on other machines doesn’t solve the problem of a wide-scale outage.

For an internet services firm like David’s, of course, it’s important to have a bunch of machines running multiple OS to test usability and browser compatibility, but that’s a different question from disaster recovery. It can also be largely accomplished through virtualization.

The argument that Microsoft is still the de facto standard is more compelling, but I don’t really buy it. I didn’t understand it a decade ago, and I don’t understand it today. Data networks are about, well, data. As long as I can open your files and you can open mine, who cares whether the red “x” at the top of my windows is on the right or the left? If businesses want security, they should be looking at open file formats (and filesystems), not OS. Worry about vendor lock-in for data and applications, and the platform will take care of itself.

Of course, that is one definite advantage of David’s plan: physically running multiple OS means his applications have to be platform-neutral, and probably rely on open–or at least widely-supported–file types. And that is a disaster plan I can get behind.

On Student Nature

September 12, 2007

I just had a conversation with an instructor about making his Blackboard course available to students. By default, we make courses unavailable to students because 1) not everyone uses an LMS for every course and 2) even the ones who do don’t need emails from nosy students wondering when materials will be posted. This particular instructor uses Blackboard, but had forgotten to make his course available this semester. Needless to say, he started getting a stream of emails from students saying they couldn’t see the course. So far, so good, but here’s the kicker:

He thought the issue was with a few student accounts, and it took him several days to track down the real problem because when he asked in class who had read the assignment he posted, nearly half the class raised their hands. A significant number of his students were so unwilling to admit that they hadn’t done their homework that they claimed to have completed the task even when it was physically impossible for them to have done so.

The interesting question is how many of the students who raised their hands had tried to access the site. My gut reaction is that most of the people who raised their hands hadn’t even tried, didn’t realize anything was wrong, and didn’t want to admit to slacking. I’m sure, though, that a few of those raised hands belonged to people who had tried, failed, assumed either it was their fault or the instructor wouldn’t care whose fault it was, and were too scared to publicly admit their failure.

(on a completely different note: why doesn’t Flock have spell checking?)
