Archive for Conferences

Internet Identity Workshop #11

I sampled the program of the 11th Internet Identity Workshop (unconference) held at the Computer Museum in Mountain View (the 2nd this year, see my notes from IIW10, also in MTV).

OAuth 2.0:

  • The spec still needs work on the Security Considerations section before it can be finally approved. Contributors sought
  • Some early adopters have voiced issues around endpoints supporting both 1.0 and 2.0 profiles at once
  • Mike Jones has taken over part of the spec process (bearer token), which will be packaged as a different profile (and RFC)
  • JSON Web Token (JWT) defines a specific token format. The claims in a JWT are encoded as a JSON (digitally signed)
  • Are the lessons learned from SAML usage being properly leveraged?
  • What would it take for OAuth to be adopted in the enterprise (Kerberos being the obvious benchmark). What’s missing in OAuth to pass enterprise or DoD vetting (e.g., what’s the minimal entropy for the verification code?)


  • Several reports on user experience testing
  • PayPal described its experience as OpenID provider. They contribute high-quality identity datapoints like verified/certified shipping address. A client can override shipping address but doing so bears an impact to the risk rating
  • There’s now an OpenID retail advisory committee (RAC)
  • OpenID Connect (OpenID redux atop of OAuth 2.0) is a WIP to extend OpenID by bringing profile, data, etc. (like portable contacts and activity streams) along across sites

Microsoft’s U-prove certificates:

  • The intellectual properties stem from the acquisition 2 years back
  • Protocols specification was published in March 2010 (RSA conference). There exists an open source SDK
  • It’s a new kind of certificate which permits thinning of the claims therein, while preserving the capability to crypto verify
  • Value props include: minimal disclosure, derived claims (e.g., from DOB to 21-or-older claims), unlinkable claims (like coins, unlike bills), negation claims (I’m not in that list)
  • Proponents anticipate an ecosystem that works for gov agencies (e.g., DMV), enterprises, consumer, devices

Personal data stores (PDS):

  • It’s the utopian place where I could manage all web data concerning yours truly, whether it’s stored by value or by reference
  • Example: my search results going back 1 or 3 years
  • Value props include: empower consumer to manage data value chain (or purposely delegate the same); centralize and enforce a permission regimen (e.g., mint nonce to access my PDS); find like consumers; data portability and exchange across multiple PDS; high-quality and quicker scoring

Email is not dead just yet:

  • Idea: use it as the pervasive, common denominator transport (SMTP) and repository (folders) for seamless federation of social networks
  • Key concepts demonstrated in the Mr. Privacy research effort by the MobiSocial team at Stanford
  • Webfinger resolves an email address into a set of machine-friendly service endpoints
  • Inbound email can result in an extensible set of action handlers (like calendaring or Xobni already leverage)
  • Potential use of OAuth for folder-level access

Leave a Comment

Redress apps for Cloud – Netflix

Adrian Cockroft of Netflix (and a former eBay colleague) recently described his journey to run Netflix services off of a public cloud, effectively and efficiently.

Along with Alex Stamos’ security talk that I profiled in the previous same-title blog, Adrian’s talk is easily the best public account of Cloud enterprise “pathfinding” that I have come across in a long long while. From different angles, both talks reach the conclusion that it’s better to re-architect the whole thing rather than tinkering with it. Both talks bear no hype, frills, or inflated expectations.

Adrian goes on to list the “undifferentiated lifting” that is left for Netflix to do and should come instead off-the-shelf from the Cloud portfolio of services:

  • middle-tier load balancing
  • caching
  • encryption services (I’d imagine he means key management services in general)
  • distributed application management (a tough nut to crack, this one!)

which we will hopefully see soon in Clouds near us. Thank you for sharing, Adrian!!

Leave a Comment

eBay’s Technical Voice

eBay has recently launched a tech blog to give voice to the many technical leaders that are hard at work to advance the world’s largest marketplace. Hugh Williams kicked it off with the first post on Site Speed for eBay Search Results.

While I’m at it, I single out four presentations that my colleagues recently gave at JavaONE 2010. They touch on some recent (or recent-1) interests of mine.

Login Failed, Try Again: 10 Best Practices for Authentication in the Cloud, Farhang Kassaei. Farhang does a really good job at delineating the functional roles of Secure Token Service (STS), Identity Providers (IdP), Relaying Party (RP), Guards, policy elements, etc. that enable eBay’s secure scale-out operations like Cloud. I’m number one fan of this architecture and actively championed it to make it a pillar of eBay Mobile architecture.

More Best Practices for Large-Scale Websites: Lessons from eBay, Randy Shoup. A small set of principles underpins some massive scale-out and extensibility stories. I’ve had the pleasure to co-keynote with Randy at LADIS08. That presentation had the first installment of Randy’s renowned best practices.

Concurrency Grab Bag: More Gotchas, Patterns, and Tips on Practical Concurrency, Sangjin Lee. As he did at Java ONE 2009, Sangjin continues to contribute nuances and new results to the Java Concurrency body of work (like Brian Goetz’s et al.)

7 Deadly Sins of Enterprise Java Programming and Deployment in the Multicore Era, Mahesh Somani co-presented with Intel. This presentation marries valuable lessons in concurrency with some handy tutorial material on Intel’s published roadmap (e.g., need to re-sync on Tick Tock, Nehalem vs. SandyBridge, 45 vs. 32 nm, etc.). I’m still looking for a public URL to this presentation.

Leave a Comment

Identity Abuzz: Notes from IIW10

I spent two days at the Internet Identity Workshop 10. IIW events are set in an open space, unconference style. True to its workshop designation, it’s a place to do work collegially. It’s not a place to give scholarly papers or some polished slide gesticulation.

I list hereafter the topics that I engaged on at IIW10, in a similarly frugal style. They complete my sweep of the Identosphere that I had started here.

OAuth 2.0 – The authors clarified several points in the specification (is the refresh token entirely optional? yes) and kindly requested help to turn the I-D into a RFC that can pass muster with the IETF security directorate (esp. for the security considerations section);

UMA – User Managed Access provides a method for a user to control access to her resources, wherever they might be. For this, UMA defines an authorization manager. The authorization manager reacts to requests by online services acting on a user’s behalf and makes access decisions based on user policy. My colleague and identity extraordinaire Eve Maler is a leading force behind this effort. UMA is set to leverage OAuth 2.0 and various card, token technologies. I saw the demo of a UMA system built by the SMART team at Newcastle University;

Personal Data Stores (PDS) and an internetwork of PDS (PDX for Personal Data eXchange) using XDI-like protocols;

OpenID Connect –  It combines OpenID federated login with OAuth 2.0 access authorization;

PingPong IdP Discovery 1.0 – We all advocate the freedom to register with one or more Identity Providers (IdP) among many available. As such, we need a protocol to assist in the IdP discovery and thus determine which IdP(s) can authenticate a given user;

Mozilla’s account manager –  This work exemplifies identity in the browser. Unlike password managers, it includes ways for a site to advertise to the browser multiple styles of identity artifact (e.g. Openid, InfoCards, or plain old passwords) and current state (signed in or not);

A meta-point: These identity systems are distributed systems and, not surprisingly, pose the same challenges as any other distributed system: get the naming rules right, identify and manage all dependencies, spell out consistency requirements and the companion failure semantics, etc.

Leave a Comment

Berkeley BEARS Symposium

Ever since I moved to the left coast, UC Berkeley has become the most frequent destination of my research outings (it used to be MIT when I lived in Boston). I’m a regular guest at their RADlab retreats. Yesterday, I joined the 1-day Berkeley EECS Annual Research Symposium (BEARS). The morning was packed with four first-rate keynotes and a panel:

The future of devices, Elad Alon. Nano-electromechanical relays are a promising alternative to CMOS-based technologies and their unavoidable energy leakage. Like any other relay, nano-relays are leakage-free albeit much slower than CMOS and not as reliable. To mitigate these side effects, Elad is looking into more complex logic circuits and the opportunity to exploit parallelism (like in a N-bit adder or an ADC/DAC).

The future of computation, Kurt Keutzer. Deeper pipelining is not sustainable, parallelism is the saving grace. For this, Intel Larrabee and Nvidia Fermi are hugely exciting new processors. But how do we change the code to leverage the new silicon? There is early indication that algorithm/code conversion pays off with up to 100x improvements to time-to-result (teams started off from commodity software, like public domain support vector machines libraries – libsvm). Kurt did a great job at describing the whole ecosystem of parallel and show why/how it’s labor intensive. We need more/better frameworks to absorb these costs.

The future of Mobile, Eric Brewer. iPhone has converged dozen gadgets into just one (and more so every day). Inside, there are many discrete HW components taking up space and power, hinting that smartphones can either shrink further or carry more logic into them. Access is the smartphone’s killer app. Increasingly, mobile is a key factor in developing countries. There, it can save lives (e.g, a cellphone “microscope” contraption to detect malaria in the field; a diagnostic device connecting heart monitor and other sensors via the headset jack). The SIM card may become a good, universal place to store a private key. In developing countries, this setup actually works quite well because it’s already common practice for folks to own a SIM card and share a physical phone. Within every country, there’s a growing digital divide between urban and rural connectivity, with impact to just as many aspects of life as mobile touches.

The future of the Cloud, Michael Franklin. Cloud momentum will continue to be fueled by these value props: variable cost, cost associativity (1000 CPUs for 1 hr same as 1 CPU for 1000 hrs), risk transfer, and get the IT gatekeepers out of the way. There will be more devices and more virtual resources joining the cloud, including mechanical turks seamlessly blended in. Quite fittingly, there will be a new program at UCB to best harmonize Algorithms, Machines, People (AMP). It will launch in Jan 2011 when RADlab wraps up.

Energy panel hosted by Greg Papadopoulos. Can we innovate in energy the same way we innovated in technology? Three principles that served us really well in EECS and are worth cross-pollinating into energy are: a) layer decoupling, b) distributed innovation, and c) best equip for en-masse customization. A smart power grid is a dumb grid with many different smart endpoints. Some food for thoughts: Make solar panels become as cheap as a sheet of glass; Do nothing well (i.e., energy proportionality); Don’t recycle, up cycle.

The day was nicely complemented by open houses in the various departments, with plenty posters and demos. For ease of tech transfer to my children, I single out the demo of the software-intensive Starmac quadrorotor flying machines by the Berkeley Sensor and Actuator Center (see really cool videos 1, 2, 3 … heck, thou shalt see cool toys, green grass and the blue sky, once you’ve survived those pesky 3D Fourier transforms :)

Leave a Comment

Black Hat 2009

I’m increasingly involved in security and thus managed to make a brief appearance at the Black Hat 2009 Briefings in Las Vegas.

I enjoyed the program. Hereafter some of my personal take-away and favorite sound bites.

Smartphones. There will be exploits:

  • Target volumes and personal data becoming interesting, really interesting
  • Hordes of 1st-time programmers writing code … which raises the significance of application/system separation that one can depend on
  • Also, some seasoned engineers who built highly reliable telco protocols (e.g., SS7, SMS) are now asked to operate in a hostile open world … the price of convergence
  • To witness, at Black Hat some folks gave a public account of an iPhone vulnerability exposed with a SMS attack vector. Before Black Hat was over, Apple issued the v3.0.1 patch release (though they had been given a few weeks lead on this exploit)

Smartphones. There will be patches:

  • What’s a reasonable time-to-patch benchmark given gazillion of units in the field?
  • Apple’s “monoculture” can play out as a strength (homogeneous field, iTunes-centralized lifecycle for patches) and a weakness (magnet for new targeted exploits)
  • Others will have to ripple their patches through OS release cycles, hardware manufacturers, providers’ security policies, and the various QA cycles therein

Smartphones. There will be tussles:

  • The Apple/Google one is already capturing the news
  • Microsoft and Nokia won’t let it go by without a fight
  • Android’s licensing model (Apache style, no permission to use) is due to make wave in the whole mobile OS segment (some impressive uptake numbers reported by presenters)

Cloud Computing:

  • Hackers/rootkiters have taken notice of the Cloud but are still struggling to figure out the new implications (New attack vectors? Is everything Cloud Computing?). Just like everyone else!
  • SaaS/PaaS exploits: any new “Cloud” material here other than the OWASP10 vectors!?
  • IaaS exploits: any new “Cloud” material here other than VM attack vectors (like device drivers flaws or pseudo-random generation)!?
  • A presenter talked about legal and regulatory implications (e.g., data is subpoenaed and then what) — this was distinctively “Cloud”


  • Bruce Schneier provided some excellent food for thoughts on the psychology of security (ref. to his essay)
  • The traversal of x.509 certs is still a weak spot after all these years… Basic constraints are not enforced properly and OCSP is easily subverted by toggling a return code, which is inexplicably left out of signature (I haven’t had a chance to validate this claim). Net out, end-to-end SSL is less secure than we think…
  • According to a presenter, the hacker-proof shield of Cisco IOS stems from the 250,000+ different images of IOS that resulted from just as many release trains since inception. To hackers’ detriment, each release scrambles waymarks and other reference points thus making it virtually invulnerable
  • I wrote about my serendipitous Mach OS encounter in an earlier post

Black Hat 2009 material is here.

Leave a Comment

You walk into a conference and the topic is … Mach OS

I know that I’ve worked on a technology that stands the test of time if, after some 20 years, there’s still some buzz around it at a conference.

This is obviously the case of Unix.

It must be the case of Mach as well. This week, I made an appearance at Black Hat 2009 and stumbled upon a session entirely dedicated to Mach-based rootkits for Mac OS X. The presenter, Dino Dai Zovi, did a good job at describing Mach. Why would someone hack Mach nowadays? Because it’s possible and is a fun thing to do ;-) It turns out that Mach is a fairly obscure piece in the Mac OS X ensemble and makes a hacker’s maneuvers a lot less likely to be detected.

Among things, Dino talked about MiG stubs (I did a total overhaul of MiG in 1993) and Mach-O. He recreated a sort of NetMsgServer (which has never been adopted by Apple Inc. as far as I can tell) with which he can siphon or inject Mach IPC messages. In my last Mach endeavor, I created a NetMsgServer that could work over INET.

Back in the days,  Rick Rashid opened Mach conferences by saying that the Mach crowd used to fit inside an elevator.  Twenty some years later, a couple hundred people still crowd a conference room for a solid Mach speech.

I’ve had the fortune to hone my system skills on Mach 3.0 along with a terrific team at the Open Software Foundation and the proxies into the team at CMU.  I’m obviously very pleased that Mach still beats inside my home desktop, laptop, and smartphone. I believe that Dino’s public contribution makes a compelling case for code hardening and pen-testing of the venerable Mach (which I surely hope it will happen on time for Snow Leopard!).

Leave a Comment

CTO Forum – “Cloud Computing: the Dawning of the Utility Age”

I have accepted Basheer Janjua’s invitation to participate to this CTO Forum hosted by Fujitsu in Sunnyvale. I took on the double duty of being a panelist and a session leader. I really liked Andy Bechtolsheim’s keynote. He’s quite excited about Clouds (“they are the biggest thing since the Web”) and the macro-economic conditions playing in favor of cloud adoption. I chaired the session on Accountability, Compliance, Reliability and Security in the ‘Cloud’. To kick-off the discussion, I used some of the slides that I presented at the Cisco Symposium a few days earlier. The ensuing dialogue in the room reflected the diverse viewpoints and pain points, which span the whole spectrum of people + process + technology + information (as a technologist, I know that I tend to over-emphasize the technology angle).

Leave a Comment

Cisco Cloud Computing Research Symposium

Fresh from election night celebrations, I spent two days at an excellent workshop organized by Flavio Bonomi’s research team at Cisco, for researchers and industry leaders to mix and together pierce through Clouds. I really enjoyed seeing Vint Cerf (for a second I was asked to give the plenary address on his behalf while he was delayed in traffic … luckily he made it in at the very last call), Randy Katz, Kubi, Bob Grossman, Stephen Savage, Bruce Davie, Monica Lam.

Vint gave a stellar (pun intended) overview of the IP-based store-and-forward protocols now used in deep space explorations. What a great story of technology re-use. With regard to the topic du-jour, he drew an analogy between Internet early days and Cloud early days, and went on to propose a set of inter-cloud themes. My recollection of Internet early days is that (D)ARPA played a pivotal role in setting up a super-partes agenda and funding the same, long before it became a trillion dollar affair (and the Wellfleet and Cisco began duking it out at the IETF). Thus, I asked Vint and the crowd, what is the equivalent of (D)ARPA’s in the highly commercialized and ever-so-hyped Cloud journey? Has the Cloud geenie come out of the bottle all too soon?

I gave this presentation which succinctly summarizes eBay’s scale-out journey and lays out some banana peels (Faux PaaS ;-) ) in Cloud Computing that we must steer clear from.

Leave a Comment

eBay Architecture Summit

My colleague Randy Shoup has organized an architect summit at eBay. Randy has invited the who’s who of architects who are currently driving eCommerce and Cloud platforms.  The candid conversation on what has worked for them and what hasn’t quite (don’t we all have one such list?) was phenomenal. As well, I was struck by how the various eCommerce operations can produce quite a different footprint at the infrastructure level. Take, for instance, the ratio of data read vs. write. You will find that there are quite a few operating points, depending on whether you’re looking at fixed-price catalogue business vs. auctions vs. photo websites.

I especially liked the sessions on how technology can best assist functional partitioning and sharding (when to push complexity deep into the infrastructure or to invoke the e2e argument instead) and the discussions on consistency in large-scale distributed systems (intra-partition consistency, probabilistic consistency, …).

Leave a Comment