Archive for Conferences

Identity Abuzz: Notes from IIW10

I spent two days at the Internet Identity Workshop 10. IIW events are set in an open space, unconference style. True to its workshop designation, it’s a place to do work collegially. It’s not a place to give scholarly papers or some polished slide gesticulation.

I list hereafter the topics that I engaged on at IIW10, in a similarly frugal style. They complete my sweep of the Identosphere that I had started here.

OAuth 2.0 – The authors clarified several points in the specification (is the refresh token entirely optional? yes) and kindly requested help to turn the I-D into an RFC that can pass muster with the IETF security directorate (esp. for the security considerations section);

UMA – User Managed Access provides a method for a user to control access to her resources, wherever they might be. For this, UMA defines an authorization manager. The authorization manager reacts to requests by online services acting on a user’s behalf and makes access decisions based on user policy. My colleague and identity extraordinaire Eve Maler is a leading force behind this effort. UMA is set to leverage OAuth 2.0 and various card, token technologies. I saw the demo of a UMA system built by the SMART team at Newcastle University;

Personal Data Stores (PDS) and an internetwork of PDS (PDX for Personal Data eXchange) using XDI-like protocols;

OpenID Connect – It combines OpenID federated login with OAuth 2.0 access authorization;

PingPong IdP Discovery 1.0 – We all advocate the freedom to register with one or more Identity Providers (IdP) among many available. As such, we need a protocol to assist in the IdP discovery and thus determine which IdP(s) can authenticate a given user;

Mozilla’s account manager – This work exemplifies identity in the browser. Unlike password managers, it includes ways for a site to advertise to the browser multiple styles of identity artifact (e.g. OpenID, InfoCards, or plain old passwords) and current state (signed in or not);

A meta-point: These identity systems are distributed systems and, not surprisingly, pose the same challenges as any other distributed system: get the naming rules right, identify and manage all dependencies, spell out consistency requirements and the companion failure semantics, etc.

Berkeley BEARS Symposium

Ever since I moved to the left coast, UC Berkeley has become the most frequent destination of my research outings (it used to be MIT when I lived in Boston). I’m a regular guest at their RADlab retreats. Yesterday, I joined the 1-day Berkeley EECS Annual Research Symposium (BEARS). The morning was packed with four first-rate keynotes and a panel:

The future of devices, Elad Alon. Nano-electromechanical relays are a promising alternative to CMOS-based technologies and their unavoidable energy leakage. Like any other relay, nano-relays are leakage-free albeit much slower than CMOS and not as reliable. To mitigate these side effects, Elad is looking into more complex logic circuits and the opportunity to exploit parallelism (like in a N-bit adder or an ADC/DAC).

The future of computation, Kurt Keutzer. Deeper pipelining is not sustainable, parallelism is the saving grace. For this, Intel Larrabee and Nvidia Fermi are hugely exciting new processors. But how do we change the code to leverage the new silicon? There is early indication that algorithm/code conversion pays off with up to 100x improvements to time-to-result (teams started off from commodity software, like public domain support vector machines libraries – libsvm). Kurt did a great job at describing the whole ecosystem of parallel and showing why/how it’s labor intensive. We need more/better frameworks to absorb these costs.

The future of Mobile, Eric Brewer. iPhone has converged dozens of gadgets into just one (and more so every day). Inside, there are many discrete HW components taking up space and power, hinting that smartphones can either shrink further or carry more logic into them. Access is the smartphone’s killer app. Increasingly, mobile is a key factor in developing countries. There, it can save lives (e.g., a cellphone “microscope” contraption to detect malaria in the field; a diagnostic device connecting heart monitor and other sensors via the headset jack). The SIM card may become a good, universal place to store a private key. In developing countries, this setup actually works quite well because it’s already common practice for folks to own a SIM card and share a physical phone. Within every country, there’s a growing digital divide between urban and rural connectivity, with impact to just as many aspects of life as mobile touches.

The future of the Cloud, Michael Franklin. Cloud momentum will continue to be fueled by these value props: variable cost, cost associativity (1000 CPUs for 1 hr same as 1 CPU for 1000 hrs), risk transfer, and get the IT gatekeepers out of the way. There will be more devices and more virtual resources joining the cloud, including mechanical turks seamlessly blended in. Quite fittingly, there will be a new program at UCB to best harmonize Algorithms, Machines, People (AMP). It will launch in Jan 2011 when RADlab wraps up.

Energy panel hosted by Greg Papadopoulos. Can we innovate in energy the same way we innovated in technology? Three principles that served us really well in EECS and are worth cross-pollinating into energy are: a) layer decoupling, b) distributed innovation, and c) best equip for en-masse customization. A smart power grid is a dumb grid with many different smart endpoints. Some food for thought: Make solar panels become as cheap as a sheet of glass; Do nothing well (i.e., energy proportionality); Don’t recycle, upcycle.

The day was nicely complemented by open houses in the various departments, with plenty of posters and demos. For ease of tech transfer to my children, I single out the demo of the software-intensive Starmac quadrotor flying machines by the Berkeley Sensor and Actuator Center (see really cool videos 1, 2, 3 … heck, thou shalt see cool toys, green grass and the blue sky, once you’ve survived those pesky 3D Fourier transforms :)

Black Hat 2009

I’m increasingly involved in security and thus managed to make a brief appearance at the Black Hat 2009 Briefings in Las Vegas.

I enjoyed the program. Here are some of my personal takeaways and favorite sound bites.

Smartphones. There will be exploits:

  • Target volumes and personal data becoming interesting, really interesting
  • Hordes of 1st-time programmers writing code … which raises the significance of application/system separation that one can depend on
  • Also, some seasoned engineers who built highly reliable telco protocols (e.g., SS7, SMS) are now asked to operate in a hostile open world … the price of convergence
  • To witness, at Black Hat some folks gave a public account of an iPhone vulnerability exposed with an SMS attack vector. Before Black Hat was over, Apple issued the v3.0.1 patch release (though they had been given a few weeks lead on this exploit)

Smartphones. There will be patches:

  • What’s a reasonable time-to-patch benchmark given gazillions of units in the field?
  • Apple’s “monoculture” can play out as a strength (homogeneous field, iTunes-centralized lifecycle for patches) and a weakness (magnet for new targeted exploits)
  • Others will have to ripple their patches through OS release cycles, hardware manufacturers, providers’ security policies, and the various QA cycles therein

Smartphones. There will be tussles:

  • The Apple/Google one is already capturing the news
  • Microsoft and Nokia won’t let it go by without a fight
  • Android’s licensing model (Apache style, no permission to use) is due to make waves in the whole mobile OS segment (some impressive uptake numbers reported by presenters)

Cloud Computing:

  • Hackers/rootkiters have taken notice of the Cloud but are still struggling to figure out the new implications (New attack vectors? Is everything Cloud Computing?). Just like everyone else!
  • SaaS/PaaS exploits: any new “Cloud” material here other than the OWASP10 vectors!?
  • IaaS exploits: any new “Cloud” material here other than VM attack vectors (like device driver flaws or pseudo-random generation)!?
  • A presenter talked about legal and regulatory implications (e.g., data is subpoenaed and then what) — this was distinctively “Cloud”

Miscellaneous:

  • Bruce Schneier provided some excellent food for thought on the psychology of security (ref. to his essay)
  • The traversal of x.509 certs is still a weak spot after all these years… Basic constraints are not enforced properly and OCSP is easily subverted by toggling a return code, which is inexplicably left out of signature (I haven’t had a chance to validate this claim). Net out, end-to-end SSL is less secure than we think…
  • According to a presenter, the hacker-proof shield of Cisco IOS stems from the 250,000+ different images of IOS that resulted from just as many release trains since inception. To hackers’ detriment, each release scrambles waymarks and other reference points thus making it virtually invulnerable
  • I wrote about my serendipitous Mach OS encounter in an earlier post

Black Hat 2009 material is here.

You walk into a conference and the topic is … Mach OS

I know that I’ve worked on a technology that stands the test of time if, after some 20 years, there’s still some buzz around it at a conference.

This is obviously the case of Unix.

It must be the case of Mach as well. This week, I made an appearance at Black Hat 2009 and stumbled upon a session entirely dedicated to Mach-based rootkits for Mac OS X. The presenter, Dino Dai Zovi, did a good job at describing Mach. Why would someone hack Mach nowadays? Because it’s possible and is a fun thing to do ;-) It turns out that Mach is a fairly obscure piece in the Mac OS X ensemble and makes a hacker’s maneuvers a lot less likely to be detected.

Among other things, Dino talked about MiG stubs (I did a total overhaul of MiG in 1993) and Mach-O. He recreated a sort of NetMsgServer (which has never been adopted by Apple Inc. as far as I can tell) with which he can siphon or inject Mach IPC messages. In my last Mach endeavor, I created a NetMsgServer that could work over INET.

Back in the days,  Rick Rashid opened Mach conferences by saying that the Mach crowd used to fit inside an elevator.  Twenty some years later, a couple hundred people still crowd a conference room for a solid Mach speech.

I’ve had the fortune to hone my system skills on Mach 3.0 along with a terrific team at the Open Software Foundation and the proxies into the team at CMU. I’m obviously very pleased that Mach still beats inside my home desktop, laptop, and smartphone. I believe that Dino’s public contribution makes a compelling case for code hardening and pen-testing of the venerable Mach (which I surely hope will happen in time for Snow Leopard!).

CTO Forum – “Cloud Computing: the Dawning of the Utility Age”

I have accepted Basheer Janjua’s invitation to participate in this CTO Forum hosted by Fujitsu in Sunnyvale. I took on the double duty of being a panelist and a session leader. I really liked Andy Bechtolsheim’s keynote. He’s quite excited about Clouds (“they are the biggest thing since the Web”) and the macro-economic conditions playing in favor of cloud adoption. I chaired the session on Accountability, Compliance, Reliability and Security in the ‘Cloud’. To kick off the discussion, I used some of the slides that I presented at the Cisco Symposium a few days earlier. The ensuing dialogue in the room reflected the diverse viewpoints and pain points, which span the whole spectrum of people + process + technology + information (as a technologist, I know that I tend to over-emphasize the technology angle).

Cisco Cloud Computing Research Symposium

Fresh from election night celebrations, I spent two days at an excellent workshop organized by Flavio Bonomi’s research team at Cisco, for researchers and industry leaders to mix and together pierce through Clouds. I really enjoyed seeing Vint Cerf (for a second I was asked to give the plenary address on his behalf while he was delayed in traffic … luckily he made it in at the very last call), Randy Katz, Kubi, Bob Grossman, Stephen Savage, Bruce Davie, Monica Lam.

Vint gave a stellar (pun intended) overview of the IP-based store-and-forward protocols now used in deep space explorations. What a great story of technology re-use. With regard to the topic du jour, he drew an analogy between Internet early days and Cloud early days, and went on to propose a set of inter-cloud themes. My recollection of Internet early days is that (D)ARPA played a pivotal role in setting up a super-partes agenda and funding the same, long before it became a trillion dollar affair (and the Wellfleet and Cisco began duking it out at the IETF). Thus, I asked Vint and the crowd, what is the equivalent of (D)ARPA’s in the highly commercialized and ever-so-hyped Cloud journey? Has the Cloud genie come out of the bottle all too soon?

I gave this presentation which succinctly summarizes eBay’s scale-out journey and lays out some banana peels (Faux PaaS ;-) ) in Cloud Computing that we must steer clear of.

eBay Architecture Summit

My colleague Randy Shoup has organized an architect summit at eBay. Randy has invited the who’s who of architects who are currently driving eCommerce and Cloud platforms.  The candid conversation on what has worked for them and what hasn’t quite (don’t we all have one such list?) was phenomenal. As well, I was struck by how the various eCommerce operations can produce quite a different footprint at the infrastructure level. Take, for instance, the ratio of data read vs. write. You will find that there are quite a few operating points, depending on whether you’re looking at fixed-price catalogue business vs. auctions vs. photo websites.

I especially liked the sessions on how technology can best assist functional partitioning and sharding (when to push complexity deep into the infrastructure or to invoke the e2e argument instead) and the discussions on consistency in large-scale distributed systems (intra-partition consistency, probabilistic consistency, …).

Large-Scale Distributed Systems and Middleware (LADiS)

When Ken Birman and his extended research group take a leading role in organizing a workshop, you can rest assured that it’s going to be a top-notch workshop. In the early 90s, I had the fortune to come across Ken Birman, Robbert van Renesse, Werner Vogels, and their group at Cornell working on virtual synchrony, Isis, U-net, Horus, etc. … I drew upon their work when I was at the OSF RI developing real-time distributed Mach OS … and managed to keep an eye on their work ever since. It was great to come down to LADiS and mix with that research crowd again. Sadly, just when I went down memory lane with this group, I happened to learn that Jay Lepreau — another leading light to me and a good, passionate mentor — had passed away the night before.

I had the fortune to travel to LADiS with an esteemed colleague of mine, Randy Shoup. We co-authored and co-delivered this presentation on eBay’s scale-out journey. Judging from the questions and comments during and after our presentation, I would say that the presentation was well received. At LADiS, I enjoyed meeting James Hamilton of MSR. James’ talk and ours resonated on a number of topics related to internet-scale datacenters and their “this is life in a big city” nuances … whenever we went down different avenues, we seemingly complemented one another. Sure thing, I will be reading his blog from now on.

From the LADiS technical program, I single out the sessions on data collection/dissemination and resource management as the most relevant to my work. I will dig into many of these papers as soon as the proceedings are out. I’m still somewhat cold to Byzantine Fault Tolerance (BFT). I appreciate the intellectual challenge of arbitrary faults. However, I like to think that the application specific context and coding defensive practices (e.g., skeptics) go a long way towards addressing these faults without BFT replication. For what it’s worth, I cannot see myself producing a compelling TCO case for any of the BFT replication approaches that I have heard about. Specifically, the TCO would need to reflect the expanded operationalization complexity. OTOH, I’m not working in an air traffic control environment either…

NOTE: I’ve agreed to work on a paper that summarizes the key themes and points heard at LADiS.
