Author Archive
Strong Authentication
December 9, 2008 by mabatche.
Lately, I have been pondering strong authentication again.
The company I work for uses RSA tokens. I find these quite nice in that they really are a decent form of two-factor authentication. The real problem here is simply cost and management. Tokens work well if you have tons of money to purchase them. So, enter the soft-token. They are nice, and we have used them for a while now. The real problem here is that they are still just as hard to manage as the hardware tokens, if not harder, since you have to manage that software on whatever device it is living on.
I have seen other forms of tokens, like the “bingo-card” as I call it, that looks like a bingo card and is technically cheaper than the RSA solution.
Also, there are a ton of vendors in the two-factor token market nowadays, so pricing pressure is causing most vendors to lower their prices.
I do think biometrics have a place in the world, but I think the logistics surrounding them, and the general ambiguity of the technology, make it hard to implement for an enterprise.
So, I was wondering (if anyone still reads this blog lol) if anyone has any experience with things other than tokens and biometrics? Or, if anyone has run across anything bizarre that might be of interest to someone looking to change the way authentication is viewed.
When I think of authentication, I tend to think of it from 3 aspects or 3 types. (there certainly are more).
1 - simple authentication that verifies your identity and that's it. Like a username and password combination that simply allows you access to something.
2 - role based access after authentication. I suppose this is really authorization after the authentication piece.
3 - graded authentication that allows you access to resources of some type based on how you authenticated to something.
This third type is the type I have recently been focusing on. What I find strange (well, maybe not strange, but annoying really) is that outside of two-factor and biometric (well, I guess there is out of band, like a cell-phone type of thing), there really hasn’t been a lot of change in this space. I know some vendors will disagree with me, and tell me that their out of band stuff, like doing verifications at a cell phone, or calling a person back after authenticating, is an advance, but I really see that as an incremental kind of thing. I also see this approach as a limited one since it relies on something that some people may not have.
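One way to make the third type concrete, as an added example that is not code from the original post: each session records which authentication methods were completed, the methods are graded into an assurance level, and each resource states the level it requires, so access is either allowed or a step-up is demanded. The level names, the method sets and the rule that two tokens of the same kind still count as one factor are a constructed policy, not a standard.

```python
"""Graded (step-up) authentication: grant access by how you authenticated.

Added example, not code from the original post. Assurance, Session,
Resource, grade and access_decision are hypothetical names; the policy
below is constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class Assurance(IntEnum):
    """How strongly the session was authenticated (constructed scale)."""
    NONE = 0
    SINGLE_FACTOR = 1    # e.g. password only, or a token only
    TWO_FACTOR = 2       # two factors of different kinds
    TWO_FACTOR_OOB = 3   # two factors plus an out-of-band confirmation


# Methods grouped by factor kind: two methods of the same kind do not
# make two factors (a hardware token plus a soft token is still "have").
KNOWLEDGE = {"password"}
POSSESSION = {"hardware_token", "soft_token", "bingo_card", "smartcard"}
INHERENCE = {"fingerprint"}
OUT_OF_BAND = {"phone_callback", "sms_code"}  # only raises an existing 2FA


def grade(methods: set[str]) -> Assurance:
    """Map the set of completed methods to an assurance level."""
    kinds = sum(bool(methods & k) for k in (KNOWLEDGE, POSSESSION, INHERENCE))
    if kinds == 0:
        return Assurance.NONE
    if kinds == 1:
        return Assurance.SINGLE_FACTOR
    if methods & OUT_OF_BAND:
        return Assurance.TWO_FACTOR_OOB
    return Assurance.TWO_FACTOR


@dataclass
class Resource:
    name: str
    required: Assurance


@dataclass
class Session:
    user: str
    methods: set[str] = field(default_factory=set)


def access_decision(session: Session, resource: Resource) -> str:
    """Return 'allow', or 'step-up:<LEVEL>' naming the level still needed."""
    have = grade(session.methods)
    if have >= resource.required:
        return "allow"
    return f"step-up:{resource.required.name}"


if __name__ == "__main__":
    payroll = Resource("payroll", Assurance.TWO_FACTOR)
    alice = Session("alice", {"password"})
    print(access_decision(alice, payroll))            # step-up:TWO_FACTOR
    alice.methods.add("soft_token")
    print(access_decision(alice, payroll))            # allow
```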
There has been the cardspace/id card stuff that allows people to identify themselves in a “card” on their client that is then presented to a website for authentication. This I suppose I do find compelling since it at least is somewhat interesting to me. But, to date it really hasn’t caught on much.
Smartcards are neat, since they are typically cheaper than a token, but I have found that to really do anything strong with them, you still require a password of some kind.
Well, sorry for the rant, I was just sort of brain dumping on the blog… Authentication has been top of mind for me lately, and really, I am astounded at how far we haven’t come.
Posted in Federation, Identity Management | No Comments »
ID Card Stuff
April 27, 2008 by mabatche.
I haven’t been following the whole ID Card landscape very much to be honest. But lately I was looking over Project Bandit, and downloaded the Digital-Me card selector. It looks pretty promising and I can potentially see a lot of very interesting uses for this stuff. But, my question is, does anyone know of a site I can try this against that supports it? Or am I just flat out missing something? I know this is new stuff, but at the moment, I have the card selector and nothing to use it with… Anyone know of anything? And if not, if I were to attempt to set something up would anyone be interested?
UPDATE: So I was looking around some more on ID-Cards, and ran across this great video here. It’s basically a little mini-tutorial on how to get card-space working with a website with very minimal effort. I may mess around with this some more just to see what I can do with it.
Posted in Uncategorized | No Comments »
OSS IDM System - Some Thoughts
March 26, 2008 by mabatche.
Been a while since I’ve posted anything. My apologies if anyone is actually reading this stuff.
I’ve been thinking a lot more about that first question I ever posted.. “Where’s my open source IDM solution”. And I certainly received some messages from a few people that pointed a few out to me - They all looked fairly promising.
But, I keep wondering if it would be possible to write a module that attaches itself to an openldap server (sort of like a persistent search on steroids) that could subscribe to changes that occur there. That way, you could use openLDAP as a “meta-directory”. From there, you could write connectors that connect to target systems.
This seems a lot like Novell’s IDM, only sort of the open source brother to it.. without the XML/DirXML engine… (which I imagine is patented somehow anyways).
Any thoughts? I’m just kind of rambling on here….
Posted in Identity Management | 1 Comment »
Role Based Access in the Enterprise
October 9, 2007 by mabatche.
I have recently been thinking a lot about role based access in large enterprises. I have personally been involved in quite a few Role Based initiatives, and I got to thinking.. Given the typical bureaucracy that goes along with a large corporation, and given the somewhat disjointed nature of roles in most organizations, can one actually achieve *true* role based access?
I think it depends on what your definition of roles is.
Roles - The Problem:
The trouble with IDM solutions and Role Based Access, is that every vendor out there tells you.. “Sure, we do role based access.” I have even had a few vendors tell me that they will come in and figure out what my roles are for me, and then work with that.
Where I think most fall short, is that in every large company I have ever been to, they don’t know what their own roles are… let alone have some external entity figure it out for them.
The real problem is that a “role” can be anything a company defines it as. It can be something as simple as pay-grade = ROLE or something as complex as your practice+group+pay-grade+manager-reporting-relationship+tenure+location = ROLE. So, as you can see, I think a “role” is a relative thing.
This trouble around roles is where I think most IDM/Role projects fail.
Technology:
Most companies focus their time on the technology behind IDM/Roles and not enough time figuring out what roles mean to their organization. (I have found myself guilty of this at times).
Technology is great, but in the end when doing IDM projects, the technology is just a means of getting your data pushed around from one place to the other. The data is the truly important piece to the IDM puzzle. If you understand your data, the technology is simple. If you don’t, then you’re doomed to have a terrible IDM implementation.
The Data:
I would venture to say that most large enterprises have a good idea of what they are paying their employees, but, when asked what their employees’ roles are or what makes up that role, they might not have an answer.
When creating a Role Based Framework, you have to be able to define what makes up a role in its entirety. So, an example might be an Administrative Assistant: what is needed to fulfill this particular role? A File and Print account? An eMail account? Financial reporting account? PeopleSoft account? Special access to Admin databases? A home directory? Special access for their location?
- As you can see, a simple role like Administrative assistant can become very complex. Imagine having to do this for a company that potentially has thousands of roles?
This is why I think Roles (as they are talked about today) are not achievable on any kind of scale. While some may disagree with me here, I think if done on a large scale, roles are just too messy this way.
Self Service:
Many IDM vendors are pushing the concept of self-service as a way to help the problem of roles/access provisioning by taking out the middle man and allowing data owners to do their own approval and access granting. I think this is a great concept and can be a good fit in any organization of size. But, self-service has a problem as well.. That is, knowing who the data owners actually are.
Most big organizations have a hard time pulling this off as well. Over the years data owners change, data changes, where data lives changes so if there were owners of the data in the beginning, chances are.. They don’t know who they are now.
Recommendation:
So, if you find yourself working on one of these Role projects at a large shop, before you even start talking about technology you need to ask yourself and the organization the following questions:
1 - Do you already have a rock solid idea of what your roles will look like and what each role *means*?
- Not just what the role name is, you need to know exactly what it means data wise and access wise when someone gets that role applied to them.
2 - If the answer to #1 is no, then the conversation needs to turn away from technology and turn into a matter of exploration to determine if it’s even possible to figure out what roles are, given current data. Often you will find that given the data, roles are not definable. If this is the case, then the conversation usually turns into.. let’s make up some roles.
I think the right place to be when thinking about roles is somewhere between knowing your roles completely, and providing self-service.
I think that if you can get to a point where you have say, 10-20 general roles out of 1000, and those general roles provide 80% of the people the access they need from day one, then you have succeeded at roles. After you figure out the general roles, then you can add self-service to catch the rest of the 20% that you couldn’t automate in the first place.
So, basically after all this rambling, I think what I’m trying to say is…
1 - Generalize your roles. Being too specific just makes things way too complicated.
2 - Knowing that you generalized, you need to provide a way to make up for the difference. This is where I think providing self-service and workflow comes into the picture.
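The “10-20 general roles that cover 80% of people” target above can actually be measured against entitlement data, and this added example (not code from the original post) does so: the most common exact entitlement sets become the general roles, a user counts as covered only when a role gives exactly what they need (a role is never allowed to grant more than the user needs), and whatever is left over is the share that self-service has to pick up. The user data is constructed; mine_general_roles, coverage and roles_needed_for are hypothetical names.

```python
"""How many general roles does it take to cover most users from day one?

Added example, not the author's code. Entitlement data is constructed.
"""
from collections import Counter
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

Role = FrozenSet[str]

BASE = {"file_print", "email", "home_dir"}
# Constructed sample: user -> entitlements they actually need.
USERS: Dict[str, Set[str]] = {
    "u1": set(BASE), "u2": set(BASE), "u3": set(BASE), "u4": set(BASE),
    "u5": BASE | {"peoplesoft", "fin_report"},
    "u6": BASE | {"peoplesoft", "fin_report"},
    "u7": BASE | {"peoplesoft", "fin_report"},
    "u8": BASE | {"admin_db"},
    "u9": BASE | {"peoplesoft"},
    "u10": {"email"},
}


def mine_general_roles(users: Dict[str, Set[str]], k: int) -> List[Role]:
    """The k most common exact entitlement sets become the general roles."""
    counts = Counter(frozenset(e) for e in users.values())
    return [role for role, _ in counts.most_common(k)]


def best_fit(roles: List[Role], needed: Role) -> Optional[Role]:
    """Largest role that grants nothing the user does not need (least privilege)."""
    fits = [r for r in roles if r <= needed]
    return max(fits, key=len) if fits else None


def coverage(users: Dict[str, Set[str]],
             roles: List[Role]) -> Tuple[float, Dict[str, Role]]:
    """Fraction of users fully served by a role, plus each shortfall for self-service."""
    full, leftovers = 0, {}
    for user, needed in users.items():
        need = frozenset(needed)
        granted = best_fit(roles, need) or frozenset()
        missing = need - granted
        if missing:
            leftovers[user] = missing
        else:
            full += 1
    return full / len(users), leftovers


def roles_needed_for(users: Dict[str, Set[str]], target: float) -> Optional[int]:
    """Smallest k whose top-k general roles fully cover at least `target` of users."""
    distinct = len({frozenset(e) for e in users.values()})
    for k in range(1, distinct + 1):
        frac, _ = coverage(users, mine_general_roles(users, k))
        if frac >= target:
            return k
    return None


if __name__ == "__main__":
    roles = mine_general_roles(USERS, 2)
    print(coverage(USERS, roles))            # 0.7 covered, 3 users to self-service
    print(roles_needed_for(USERS, 0.8))      # 3
```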
So, once again, sorry for the rambling.. just had to get it off of my chest.
Posted in Uncategorized | 1 Comment »
Open Source IDM Solutions
September 11, 2007 by mabatche.
In a previous post, I noted that I had not seen any open source IDM solutions that were really focused on provisioning. I had seen quite a few that were focused on SSO and federation. After my post, a blogger pointed out to me a company called Diamelle that had something in that space. To be frank, I haven’t had any spare time to dive into it. But, on the surface, and from what I’ve read, it looks like it could have some good traction.
Another one has popped up since then called Velo. I saw it in response to this post. From the looks of it, it appears to be playing heavily in the provisioning space. Also, it appears to be offered under the GPLv2.
I watched the 2 demos they had up on their website, and it appears to be a decent looking interface. I’m assuming it’s a push/pull type of technology, but I could be wrong since I haven’t actually used it. Either way, more choices in the IDM provisioning space can only be a good thing. I’ll be checking this one out next chance I get. So far though, given Diamelle and Velo, at least there are some choices out there.
Posted in Identity Management | No Comments »
Marks Apple Hickory BBQ Ribs from the grill.
September 4, 2007 by mabatche.
So, if you know me, you know I’m no chef. BUT, I do like to grill. I have never really made ribs on the grill before, so this last Monday (Labor Day) I set out to do just that. I figured I would post how I did it, because one of my biggest pet peeves is when people post how-to’s for recipes, they always assume you know how to cook, and where to actually get everything. So, I provide links, and suggestions on where to do that. (not that it will help anyway..) it’s just a rib recipe for Pete’s sake!
Ok, I have a gas grill. You know, one of those Charmglow stainless steel ones from Home Depot. (this one to be exact. Nothing fancy. Just a boring ole gas grill.) I read all sorts of stuff on the internet about how you can’t really make good ribs on a gas grill, or how charcoal is the *only* way to go. It sort of discouraged me. But, I’m here to tell you that you can make some very very very good ribs on a boring ole regular guy gas grill. Here’s how.
First, you will need some supplies.
1 - Hickory Wood Chips (I used the Weber Firespice brand) but really anything will work. I bought mine at the local True Value hardware store (Casper’s). But, turns out, you can get em at Amazon also. And they have a much larger collection. See this link. Here.
2 - A Smoker box (I used this one. Also bought at true value, but it was cheaper at amazon.com. Here.
3 - 1 Gallon of apple Cider. (from your local grocery store.) Brand doesn’t matter.
4 - 1 Bottle of Tabasco sauce. I used the regular ole boring Tabasco.
5 - A Rib Stand for your grill. I used the weber brand one. But you can find many here on amazon.com.
6 - A gas grill with a pretty full tank.
7 - Aluminum foil.
8 - A spray bottle.
9 - Olive Oil (doesn’t matter what brand/type. I used extra virgin stuff from the local store).
10 - Some kind of small pan to hold some water/apple juice.
11 - The RIBS of course. I used a full slab of baby back pork ribs from the local store. I seriously think this would work with just about any type of ribs.. pork or beef. (I’m doing beef next time). But make sure they have the bones in them. (not boneless). And make sure you remove that membrane from the back of them before you cook them. (if you don’t it won’t hurt anything.. it’s just a little weird.).
Ok, now that you/we have all that stuff. Here’s what you do. It’s pretty simple.
Take your woodchips, and put a few handfuls into some tupperware/medium sized bowl.
Next, pour enough water into the bowl with the woodchips so that they are mostly submerged. Then, take your apple cider and mix in about 2 cups full or so. Then, cover them, and let them soak for at least an hour. The goal here is to get the chips pretty soggy so that they will smolder when placed in the smoker on the grill.
At the same time as the chips (or thereabouts), take out your ribs and place them into some tupperware as well. Then pour in a generous amount of apple cider and about 10-15 little dots of Tabasco. Make sure you get the ribs nice and wet. Then cover em up and place them in the fridge. The goal here is to let them marinate in the cider for at least an hour. (the longer the better, but remember you’re gonna wanna cook these ribs for a long time, so do this first thing in the morning, or the night before to make sure you get a good long marinade.).
Ok, Now you wait for everything to soak/marinate. Now is a good time to get everything else ready.
While we are waiting, take your spray bottle and fill it up about 3/4 the way with apple cider.
Next, add a few drops of Tabasco to the mix. Then fill it up the rest of the way with olive oil. (note that I used a pretty small spray bottle.. not some huge thing. So, just be your own judge of how much to mix.) The goal here is to get a cider/oil/Tabasco concoction that you can spray on your ribs while they are cooking.
Ok, next, let’s get our grill ready. You want to cook these things really really really slowly to get the best flavor/tenderness. My grill has 3 burners on it. Left-Middle-Right. I turned the right burner on as low as it would go, and left the other two completely off. This let my grill heat up to only about 225F. This is the sweet spot. Anything much hotter than this and things start to dry out. 250F works as well.. just don’t get too hot.
Next, I took aluminum foil and covered the entire left side of my grill. This is going to be where the ribs are going to sit on their rack.
Next, my grill has one of those upper levels that always seem kind of useless. Up there, I took a very small square glass pan, and filled it up with apple cider. I then just sat it on that little shelf. This evaporated during the cooking process and really helped keep things moist. Once all this is in place, your grill is all set to go.
Now that’s all done, let’s get back to our ribs/woodchips.
Take your woodchips out of your water/cider mix, and place them into your smoker box. (don’t worry, you don’t have to use them all.). Then place the smoker box on the right hand side of your grill over where the burner is running. Then just leave them there for the duration of your cooking. (this will provide in our case a hickory flavor that a traditional smoker would usually provide).
Now, it’s time for the ribs. Since I used a full slab, I cut the slab in half and stood each half slab up on the rib stand that I linked to previously. Now, take the stand/ribs out to your grill and sit them down on the left hand side opposite the burner that’s running. Make sure they look comfortable, as they are going to spend the next 6 hours that way.. :).
After placing the ribs, take your spray bottle, and spray them down with your oil/cider/Tabasco mixture.
Now, for the next 6 hours we go into rib maintenance mode. Every 30-45 minutes go back out to your grill and spray down your ribs with your spray bottle mixture. Also, while there, make sure that the grill isn’t getting much hotter than 225F. Otherwise, it’s all for naught. Make sure you are diligent about the temperature and the spraying of the ribs, this is what makes them so darn good. (attention to the small details can make this better than you imagine).
Ok, in hour 5 or so, you can if you want to.. apply your favorite barbecue sauce with a brush. I did this with some sweet baby rays, about every 15 minutes or so in the 5th hour. It was pretty damn good.
Ok, now that you’re in your 6th hour, and the ribs look freaking awesome… go get em and eat!
(sorry for the long winded post about ribs.. they were just so damn good!)
Mark.
Posted in Random Stuff | No Comments »
OpenSuse 10.2 Network install in 6 easy steps.
August 16, 2007 by mabatche.
Step 1
Download and burn the mini CD iso from the opensuse.org website. I found it here. This is the 10.3 miniboot.
The 10.2 miniboot can now be found here.
Step 2
Boot off of your newly burnt mini CD.
Step 3
Once at the screen where you can choose “Installation”, press the F4 key and choose HTTP.
Step 4
Now, when prompted for the server place the following in that field suse.mirrors.tds.net
Now, when prompted for the directory, place the following in that field /pub/opensuse/distribution/10.2/repo/oss/
Step 5
Now, choose installation and you’re off and running!
Step 6
Wait……… installing over the internet isn’t the fastest thing in the world, but it works pretty well.
Note that this doesn’t take into account anything like proxy servers, or NFS mounts, or anything like that. These 5 steps assume you have a direct connection to the internet.
Updated: I changed the link to point to the 10.3 miniboot CD. It should work for 10.2 as well. (But I have not confirmed this).
Posted in Uncategorized | 4 Comments »
So, I posted my Resume
May 29, 2007 by mabatche.
I posted my resume like everyone else does. Nothing special. I’ve been with the same company for 10 years and recently was wondering if there is anything else out there. Don’t get me wrong, I actually like my job. But you never know unless you look. So, here is the resume. It’s a work in progress, this is just the first draft, so if it isn’t all that pretty, I apologize.
Mark.
Posted in Uncategorized | No Comments »
This is actually pretty cool.
May 11, 2007 by mabatche.
A few days ago, I put up a little article asking where my open source IDM solution was. Looking across someone else’s blog, I was directed to this link here.
It’s a very cool mapping tool used to create a map of known open source IDM projects and their status. I found this very helpful. Maybe you will as well.
Posted in Identity Management, Uncategorized | No Comments »
Started PAM module list
May 11, 2007 by mabatche.
I just started putting together a list of all the PAM modules I can find that are open source. It can be found here.
I’ve been getting a bit frustrated at finding some of these. Many of these are very useful! And it would be nice to have one place to go to find out about some of these… Sooo.. I’m starting this little list and updating it as I come across them.
Mark.
Posted in Directories, Identity Management, Uncategorized | No Comments »