Tuesday 27 January 2009

passwords and security

You would think that by now, thirty or more years after cash machine cards became common we would be quite good at handing out passwords to users in an efficient and secure manner. After all banks seem to do this all the time.

However there seems to be a desire to ignore the human factor. While we spend a lot of time making sure that our systems are protected against miscreants. We spend a lot of time making sure that users of these systems have passwords of the appropriate strength and complexity, we tend to ignore the messy business of getting these passwords to the right user.

It's a messy business involving getting the correct bit of paper with their user id and password neatly printed on it into users hands along with instructions to change their password at first logon, the idea of course being that students will immediately rush to a computer, type in their password and chnage it to something suitably cryptic and memorable.

They of course, do no such thing. They lose the paper. In fact why should they worry about their uni password, after all they have a computer of their own and it's only when they need to first upload an assignment into the LMS, use the student printing system, or use some special software for a course module do they need to use their login id.

Unlike ten or twenty years ago, students don't need a computer account to do a lot of their work. They use hotmail or gmail for email, play with facebook for social networking, and work on their laptops. They no longer need to use the public access machines for bread and butter computing, ie word processing, email etc so they don't. And they get their connection from an isp.

Instead they lose the bit of paper, their account expires, and thrity days later there's a great hoo-ha. Not good.

So the marketing people solve the problem by giving the students something that their less likely to lose, like a free coffee mug with a sticker with their password on it (dishwashers guys, people have them these days), or a usb drive with a sticker.

Great ideas, but you can imagine what happens in a share house with or without a dishwasher - there's too many the same, too much confusion potential, not to mention the possibilty of id theft.

So we need to think about how we deliver id's and access. As smart card readers are not universal, and there's four different types out there we can't do chip and pin. But students do need their student cards to get discount at the book co-op, get into night clubs and all the other important details of student life, and it does handily have their photo and uni number on it, so maybe the trick would be an orange removable sticker with their initial password on it.

This woud work, because a student id card has sufficient value and utility you want to hang onto it. There will still always be the people who don't do their initial login, but advertising campaigns about "don't be an orange plonker" might work. The other nice thing is that students get their cards when they register, and when they register they provide us with a proof that they are who they say they are however imperfect that is. Yes there's a risk someone might strick the wrong sticker on somone's card, but then the worst thing is they can't login ...

Thursday 15 January 2009

storytelling as social glue

Interesting article in the Telegraph about how victorian novels tell us how to behave, ie act as social glue.

No surprises there, The Romans and the Greeks did it with myths, and then when they got too sophisticated for fiary stories, developed a set of philosophies - stoicism anyone?

Same is true for Confucius, Bhudda, the Koran, and so on, all encoding precepts of how people ought to behave.

So it's hardly surprising that the secular port modern middle classes use victorian novels to tell them how to behave, or dare one suggest, the glossy tv adaptions of those novels? So much more cultural and refined than soap operas or star trek.

However, besides being snarky, there's a point here. Story telling does reinforce ideas of how to behave, and given that society is increasingly secular in the UK and Australia it's hardly surprising that Victorian novels with their 'moral' themes serve as an exemplar, given their accessibility via glossy dramatisations, at least to the overwhelmingly female middle class audience for these dramatisations.

So, where do those people who are not middle class, not female, and not of an anglo cultural background get their exemplars from?

Wednesday 14 January 2009

ooky goo interfaces and netbooks

Interesting article in the NYTimes on how Microsoft has an opportunity for putting its operating system(s) on net books due to the general lack of consumer interest in having linux on netbooks.

This is something quite clear here in Australia where most of the big distributors only offer the xp versions of netbooks into the retail market. And I reckon is part of the reason is the 'ooky goo' interfaces that most netbook linux versions sport. Firstly, people know how to use XP, and this makes it easy to customise, ie install software. As an aside, I got a test moodle + xampp install running out of the box on an xp laptop in twenty minutes earlier this week, excluding download times. It was frighteningly easy, and I used xp as I couldn't find a decent near-zero config linux package.

This isn't the case with netbook linux distros - for example take a gander at these instructions as to how to install skype on a linux based acer aspire one. Hardly easy. Yet as we know it's easy to install apps under ubuntu or any other linux distro with a decent package manager/repository infrastructure.

And yes, you could take a netbook and put linux on it. But again it's not easy. Ignoring various driver incompatibilities, you need to either hunt down an external cd drive, or else configure up a suitable usb drive. Not rocket science, but it involves extra expense, and you have to want to do it.

So you end up with the guy going to the store, seeing the ooky-goo hobbled linux interface or the xp interface, and off course they go for the 'real' one, not the playschool version, so we end up with XP.

Having vendors produce, or endorse/support a pre-rolled full distro distributed on a usb stick might be the way. Give the users a version that will work, will install, on a $10 USB stick. sell it at cost, or even put it in the box with the linux machines.

And why should they do this - well they escape the Microsoft tax, and with a lot of educational organisations looking at (a) giving students netbooks to solve the computer access problem and (b) looking at open source to get their licencing costs under control it might just be a unique selling proposition.

Me I'd settle for fluxbuntu, open solaris, xbuntu, or whatever on a netbook. Just as long as wireless worked, skype worked, and I could surf and write notes, and install the one obscure app I havn't realised I need ...

Mobile printing delivered

Back in October I blogged about our need to provide a mobile printing solution.

Well we now have a solution that's ready to roll. Basically it's not dissimilar to the original implementation plan:

+deploy linux vm with cups printing to virtual queue wth ldap authentication
+provide a simple web based app to allow release of job to pharos
+provide a ipp aware universal driver to users
+provide a job to clean out unprinted jobs on a daily basis

User have to create an ipp queue on their own machine using a standard driver and using their uni username and password as credentials. We will be providing documentation for XP, Vista, OS X (Tiger and Leopard) and Ubuntu. This queue runs over ssl to ensure that their credentials are encrypted and we do an ldap authentication to validate them. The cups print queue then puts the job in a Pharos print queue, passing over the user id to ensure that the job is allocated to the correct user.

Ubuntu was chosen as it's Computer Science's preferred teaching distro. They also happen to have a couple of print release stations already. Pragmatically, as everything can be configured from the gnome cups management application, the ubuntu instructions should work for all common distros.

Obviously we need to cache their credentials locally for printing but given most mail cleinet do this anyway it's no great problem. And they of course need to use their uni id for printing and not the local account details on the computer which could be any thing from 'Admin' to 'pink pussy cat'

Users then go to a print release station on campus to release the job to print on a pre-designated public printer, ie if they go to building A, and release a job it goes to building A's public printer.

Students will also be encourages to use WebDav to save copies of their work to their student filespace so that they can print the work again using a public access machine, just in case their laptop battery dies at a crucial moment.

Given an expanson of public wireless network provision on campus this service should sho steady growth. Also expect it to be popular with on campus student dorms, but less so with students who live off campus.

And the beauty is that the solution has cost us nothing, apart from an ssl certificate. We have the old pc's for print release stations, a VMware site licence, a Pharos licence already, and the rest is open source.

Enhancements for the future would be

  • web based print release station
  • direct pdf submission
  • Open office based virtual print shop to import and print documents in a variety of formats

of these I think to last is the sexiest, but being pragmatic the students would probably really like a web based print release station so they could avoid having to line up at busy times.

(None of this work is truly my own - I had the initial ideas but George Seaton and Adam Reed should get full credit for turning my whiteboard scribbles into reality)

Friday 9 January 2009

sun open solaris labs

I've been playing off and on with open solaris. For those of you who fancy a dabble but don't find spending an hour or so building vm's a useful and enjoyable way of spending your time sun have launched a we browser based sandbox service enabling you to access an open solaris session through a browser.

Your mileage may vary on this - I found it so slow and had so much network latency as to be almost unusable, but then I'm a long way away topologically from the learning centre.

That said it's worth a go if you're at all curious to see what it looks like. And providing a demo service does make access to seeing what it looks like (and convincing people it's not a finger in the ear exercise in complexity) that little bit easier.

Monday 5 January 2009

hosting apps and the student portal

Anyone who reads this stuff regularly will know tha I am a fan of using thin client technology to allow students access to applications required for their course work over the internet using their own computers. Saves us spending on student labs and because execution takes place at our end it can be platform and browser independent.

Having just read about OpenGoo, it occurs to me that we can take this idea a little further by providing access to set of basic webapps via the student portal in much the same way as we can provide access to mail or to moodle as an LMS.

The nice trick is that we can of course customise these webapps so we can have course centric options like 'publish to workspace' ie our sakai collaboration server (think poor man's sharepoint), 'share with' to share it with individuals for joint project work, print to a central print queue and indeed 'submit to moodle' to check in completed assignments for assessment and making - and all doable via a browser without any implications about operating system or platform - meaning that while no-one is going to type an essay on the war of spanish succession on their iPhone, they can at least print share and submit it ...

The other nice trick, taking a lesson from google, is that hosting these apps and integrating the with whatever webmail service you provide gets rid of external applications as document viewers for attachments, again allowing you to view that word document or pdf on your iPhone, after all if it's good enough to read an e-book on it's good enough to read a university circular on, or indeed pdf's of suggested readings for a tutorial group (the e-reading brick?) ...

OpenGoo

Still catching up on material from over the break, but I came across this post about OpenGoo, which pricked my interest.

OpenGoo is open source, which means that you can coile the code and host it on the webserver of your choice. Crucially, what this means is that if you're uneasy about using Zoho, WindowsLive or GoogleDocs for corporate applications, but want the any box, any time, any where, versatility of web based applications and document sharing, you could install OpenGoo on your own webserver, in much the same way as you might install your own wordpress install for a blogging platform, or one of the twitter work alikes for microblogging, or something like sqmail for webmail functionality. That way you get the functionality but can be assured that you know where the data is and who can access it.

With the growth in netbooks and smartphones, and in ad hoc enterprises where people bring their own computing device, this could be a hot topic in 2009. Get some people together, get a server share the work and that way all the data's on the server and none on people's machines, so it doesn't matter if someone drops out, or worse goes to join the opposition ...
(and we don't need to worry about where it's hosted etc)

Windows 7 HomeGroups

Over the break, Microsoft's Windows 7 engineering group came out with a really thoughtful post about how people use computers at home and developed the concept of the HomeGroup.

Essentially, it comes down to the fact that most people in a house know each other and are happy to share resources, be it media, data, files, printers with each other, and that it should be easy for people to join a home group. Also as people are happy to share security within the group does not have to be as restrictive a model as outside - the consenting adults concept.

And certainly that's the way we work at home. We share computers, we share printers, we bring home office computers, shuffle data back and forth between them, and we're happy to let Mandy, Judi's niece, use our bandwidth and our printers when she comes to house sit. Crucially we don't expect to share our data with her or her to share herr data with us.

Microsoft being Microsoft, of course view it as something specific to the Windows 7 world and probably as a marketing proposition. Given that windows operating systems probably run on 95% of all home machines probably and Microsoft would like users to upgrade to Windows 7 that's probably a fairly justifiable approach.

We, of course, are part of the other 5% at home, Linux and OS X, although Judi has a school XP based laptop, and Mandy has a noname XP laptop. And there's the rub, firstly not everybody runs windows 7 (or indeed any Windows OS) or will want to upgrade. After all if you've a noname laptop that works for you why would you? You use it for your life and when it's too old or too slow you go and buy another newer one from Officeworks or JB Hi-Fi.

So the home group concept needs to be extended a little. It needs to be multiplatform and easy to give people differential access. Essentially we need an internet fridge or other appliance that machines (not people) authenticate to when they connect to your home network.

Why machines?

People share machines, and a surprising number of people don't put passwords or anything on their home machines - just auto log in and go.

So think of our house - we want all our machines to access printers and any file services we have running. We want our work machines to access our printers when they come home but that's about it. Much the same for Mandy. We do not however want the kid over the back to access our printers, or indeed anything else. We want a home gatekeeper that knows about machines and if they can access printers or mount file services.

Autoconfiguration is probably tricky, but going to a single web page and setting options much as one does with a home router can be made sufficiently simple that it's easy to have machines configured to mount devices when they're at home but not when they're not, by using the network locale to 'know' where a machine is. After all Mandy's machine might be a member of two or three home groups, ours, her share house, her boyfriend's share house ...

Friday 2 January 2009

the twitter feed ...

As an experiment it seems worthwhile - I've around five twitterers actively following me, plus guessing from the number of connections to the home page of this blog, around another five people checking manually for updates. No idea how many people use the rss feed or my facbook status.

Which given that the content is unstructured and eclectic, with zero marketing, and actually is only stuff I think is interesting on my scan through various feeds etc each day is good.

As an experiment I was going to can it some time around now but actually it costs me only a few keystrokes and a few bytes out of my banwidth quota, it's probably worth continuing the experiment a little longer. Interestingly there's a couple of other more well known bloggers out there starting to use twitter in much the same way as a link posting tool, I'll be checking them out to see if there's any more refinements to try ...