27 January 2008

The New Studio

I have a bet with a colleague. It's a very serious bet with the highest possible stakes (No, silly, not our immortal souls. A bottle of good Scotch).

My colleague thinks that either movies or music will still be sold with Digital Rights Management in 2012. I, on the other hand, know DRM will be long gone by then. It should be gone now, because it doesn't work. But that's not why it will be gone. It will be gone because it's bad for business.

DRM is bad for business for lots of reasons, but the most important reason is very, very simple.

All products generate sales by exposing people to the product. People who are exposed to the product and don't like it aren't potential customers; they'll never pay. The people who like the product after they're exposed to it are potential customers; they're the addressable opportunity - the "fan base". The people who like the product and decide to buy it are the paying customers. The trick in business is to maximize the number of paying customers.

The first step in the DRM business model is this:

  1. Shrink the fan base by making it impossible for potential fans to try the product.

Any business model that starts this way will be destroyed by a business model that increases the size of the fan base.

The music industry has figured this out, and DRM for music is already dead. Every major label now sells DRM-free music, and Radiohead has proved pretty conclusively that people will pay good money, voluntarily, if you put good music up on the Web with no restrictions. Not only that, they'll pay a premium for limited-edition collector's sets, and they'll still buy shipping containers full of your CDs - and your brand new vinyl LPs.

It's amazing that it took Steve Jobs to teach the music business that DRM was a bad bet; after all, record label executives are the same people who used to bribe DJs to give music away free on the radio. But two cheers to the labels anyway; freeing music will result in more music and better music; it may even allow artists to keep some of the money they are currently turning over to agents, managers, and label executives. (Well, OK, probably not. But we can always hope.)

Hollywood is lagging behind the music business; Hollywood still hasn't admitted that the DRM business model is a guaranteed loser. There's a reason Hollywood hasn't admitted this: the stakes are too high. As Upton Sinclair famously put it, "It is difficult to get a man to understand something when his salary depends on his not understanding it".

Hollywood isn't run by people who watch movies or who make movies. It's run by people who fund movies. The purpose of a modern movie studio is not to make movies. It's to make money. A lot of money. Not for directors or actors or writers (especially not for writers!), but for studio executives and producers. Whether the movies are good is a minor concern. The major concern is whether the revenues are good.

At this point I want to make it clear that I am a capitalist, and I'm completely behind the idea of businesses making a profit. The problem I have with the Hollywood studios is that their business model is increasingly driving them to try to make more money by making the product worse. This is bad for the audience, of course, because it means we have to watch a lot of awful movies. But in the long run it's also bad for the studios, because it means that someone is going to come along and put them out of business by making a better product for less money (Clayton Christensen explained how this phenomenon kills successful companies in his book "The Innovator's Dilemma". If you're a studio executive, read the book. Now, before it's too late. If you're too busy to read the book, you can just read the Wikipedia entry.)

Movies are hugely expensive today. Paying movie stars is very expensive; exotic locations are very expensive; special effects are very expensive; unionized crew and soundstages are very expensive; and distribution and advertising are insanely expensive. If you believe Wikipedia, the average cost to produce a Hollywood feature is now about $50 million; the cost of advertising and distribution drives the total to $100 million.

This is a big problem for the studios. If you're spending $100 million, you can't afford a failure. You've got to make the $100 mil back just to break even.

You might think people who are putting $100 million into a movie and who can't afford a failure would make damn sure the movie was great.

You'd be wrong.

You can't make a great enough movie to guarantee $100 million in ticket sales; almost no stories are that good, and almost no movies are that good. Even movies which are that good won't necessarily make $100 million - maybe they'll just win a lot of Oscars and change the way a generation thinks about the world - and leave you famous and $80 million in debt.

Studio executives are smart businesspeople. They know they can't make a good enough movie to earn a profit on a $100 million investment. So instead they do the only thing they can. They make movies which will sell more than $100 million worth of tickets even if they suck.

They do this by appealing to their audience the same way the Roman emperors appealed to their audience: bread and circuses. Brad Pitt all oiled up in leather armor? You got it. Bruce Willis crashing a car into a helicopter? No problem. Halle Berry giving a blowjob? Absolutely. You want the good guys to win? We can do that. Want the guy to get the girl? Why the hell not?

This stuff is mesmerizing in the previews. But once the audience gets into the theater, the game's up. The audience figures out very quickly that they've been tricked. The story makes no sense. The special effects are just a gimmick to distract us from the boredom of the action. The sex isn't as good as what we can get free on the Internet. The characters are two-dimensional robots; we hope in vain that they'll die.

By the time the audience is in the theater, though, it's too late - the studio has won. All the studio needs is four days. Opening weekend. The studio makes its money before the audience realizes the movie sucks, and before they can tell their friends. The chumps who wander into the theater a week later, or watch the movie in foreign markets, or buy the DVD, are gravy.

Theater owners and distributors love this. Zillion-dollar blockbusters with lots of sex and blood and explosions and huge advertising budgets keep the seats filled, and the money keeps pouring in.

The dark side of all this, of course, is that there are no theater seats left for good movies - especially good movies with small advertising budgets. Even if you save your pennies and make a very good movie for $1 million, you still have to pay $40 million in advertising and distribution to compete with the people who make bad $100 million movies.

Actors and directors know this, and they do things to try to sneak the occasional good film into the theaters. George Clooney makes movies that suck (Ocean's Twelve) to earn enough money to advertise movies that don't (Good Night and Good Luck). Robert Redford runs a festival whose whole purpose is to convince distributors that good movies have a big enough audience to fill a few of their valuable seats for a week or two.

All this explains why DRM makes sense to movie studios; the single most important thing a studio has to do is to make sure nobody sees the movie before opening weekend. Because if anybody sees it early and starts telling people it's no good, the whole house of cards collapses, and everybody loses giant piles of cash. If DRM can allow studios to send the movie to reviewers and Oscar voters without taking a chance that a copy will get loose and screw up the release - well, bring it on! If it can protect dailies and rough cuts and test screening copies from escaping into the wild - hallelujah! This is the most important reason studios use DRM; preventing DVD piracy is nice, but a tax on recordable DVDs would do that job just as well, and a tax on DVD drives or computers would solve any problem the studios might have with P2P sharing.

The elephant in the room is this: Seats don't watch movies. People's eyes do. And movie fans can use their eyes even if they're not in a scarce and expensive movie seat.

If you can make a good movie really cheap, the Internet will let you distribute it free to many more people than you could ever get into all the movie theaters in the world for a weekend. And if you can make a good movie really cheap, you don't need to get paid very much to make a profit.

This means you can take a chance the Hollywood studios can't take. If you can make a movie really cheap, and distribute it for free, you can afford a flop. If people don't like the movie, you're out a few bucks but you don't have to sell ten thousand pounds of crystal meth to pay your creditors. But if people really love it, you can make a lot of money. And you can make money lots of ways - you can charge for downloads, you can charge for DVDs, you can charge for posters, you can charge for action figures. You can even charge distributors to show your movie in a real theater, because you've already proved that there's an audience.

Wanna know a secret?

You can make a good movie really cheap.

Just ask Robert Rodriguez. (And he did it back when it was still pretty hard; you're much better off. You can buy your own HD camcorder for less than $1,000. Not chicken feed, but not close to $100 million. You'll need a good script and good actors, of course, but hey - nobody promised you a rose garden.)

The Hollywood studios know this.

It frightens them.

It should.

Someone's going to come along and create a New Studio. It's going to have a new business model that lets creative people make a decent living making good, cheap movies. It's going to trust its audience to pay for quality films. It's going to grow its fan base by distributing entire movies on the Internet with no DRM, just as Radiohead distributed music on the Internet with no DRM. And if the old Hollywood studios try to compete against it with DRM-encumbered movies that shrink their fan base while the New Studio grows its fan base, the Hollywood studios are going to die.

Mike Masnick at Techdirt has already explained the theory of how to make money selling free goods. I won't try to summarize Mike's Grand Unified Theory of the Economics of Free because I want you to read the real thing. But I do want to agree publicly with what I think is his most important point:

"Saying you can't compete with free is the same as saying you can't compete period."

I'm going to try to apply Mike's theory to the movie industry by posting a business plan for the New Studio. I'll do it in chapters. I hope you like it. I hope you use it. I'm waiting to see your movies.

Maybe you don't believe it can be done; fair enough. But if you don't think you can compete and make money by selling people things they could get for free, I want to ask you one question.

When was the last time you bought a bottle of water?


26 January 2008

What rough beast, its hour come round at last.... ?

Online retailer Life is good has entered into a consent decree with the US Federal Trade Commission to settle claims that its assurances of privacy protection to consumers were false. Davis, Wright, Tremaine LLP's excellent Privacy and Security Law blog has coverage of the decree here.

Corporate counsel and Chief Information Security Officers need to pay very close attention to this decree; it lays the groundwork for a standard of due care in the protection of consumers' private information. In my opinion this is, to use Churchill's famous phrase, "the end of the beginning" for information security and privacy as a liability-free zone.

Bruce Schneier, who has just been selected to receive CPSR's Norbert Wiener award, has long advocated liability as a step toward better computer security.

Whether you agree with Bruce or disagree with him, the FTC's action means that you now must acknowledge, and start to plan for, the possibility of liability for your security failures. You must also begin to prepare for the imposition of legally mandated minimum standards on your security programs, at least if those programs protect private information.

As Ronald London, who posted the Privacy and Security Law blog's entry on the Life is good consent decree, so mildly puts it, "The FTC's announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs".

A word, to the wise, is sufficient.

29 December 2007

Reed's Jazz and Supper Club: Hail and Farewell

Christmas is a mean season in the restaurant business; it's when the landlords raise the rent.

Reed's closed two weeks ago, on a Tuesday. On the Monday I was at the bar, talking to the friends I've made there over the years, and enjoying a perfect Imperia Vodka martini (up, dry, shaken, with a twist. As it should be.) The next afternoon there was a little sign on the door with the bad news. I saw the whole show; I was at the soft opening the day before Reed (yes, Virginia, there is a Reed) opened the club to the public; I had a drink at the bar on the last night, and I spent many happy afternoons there in between.

Reed's was special in lots of ways. The food was great, the staff was great, the location was great, and the decor was great. But there are other places with those advantages; three things about Reed's really made it stand out for me.

First was the music. Reed's was, as its name advertised, a Jazz club. They're rare everywhere these days, but especially so in Texas. There's only one other good Jazz club in Austin; it's called the Elephant Room. The music at the Elephant Room is first-class, but the club is impractically far away from my house - and there's another thing, too.

A great Jazz club is special because of the music, but also because of the crowd. The crowd can dance, to start with. The crowd tends to drink martinis, and wouldn't dream of ordering a Jagerbomb. The crowd is, to put it bluntly, a little older than the average bar crowd. The crowd has fewer tattoos than the usual bar crowd, but the ones it does have come with interesting stories. Most everyone in the crowd, in fact, comes with an interesting story or two.

And that was the second really special thing about Reed's: it made people tell their stories. The bar was what did the trick. It wasn't a long, straight wooden bar like the ones you'll find at a thousand faux Irish pubs all over the world (and at the real Irish pubs - the ones in Ireland - too). Reed's bar was an enormous stone bar, built like a ratcheted gear. It curved all the way around the ground floor - the bartenders inside a continuous, smooth, concave curve and the customers outside on stools around a series of curved sections like shark's fins laid on their sides one after another.

You couldn't sit side-by-your-neighbor's-side staring sorrowfully into your drink at Reed's bar. The curve and the notches made you look at your fellow man; the martinis helped you get over your shyness and talk to him, and the jazz gave you something to start the conversation with. Strangers talked to each other all the time, and if they kept coming back (which a lot of them did) they became friends.

The third thing that made Reed's special was the light. In the afternoons the sun poured in through the frosted windows and filled the whole place with warm gold light. The lamps - inverted cones hanging from the ceiling above the bar - showered pools of the same gold light onto the drinks and the customers. And the mirrors behind the bar picked up all of this gold and threw it out into the dining room.

The light begged to be photographed. I took thousands of pictures at Reed's. Some of them ended up on the CD covers of the bands who played there; others hung on the walls in the dining room in big 20x24 editions, and still others filled a 2006 calendar I made for the staff and the regular customers. The ones I'm proudest of are hanging in 8x10 frames on the walls of the mothers of the bartenders and waitresses and hostesses.

From time to time I'd ask permission to post a particularly good one on flickr; you can see a slideshow of them here.

The Buddha taught me that the cause of my suffering is attachment to things that change - so I won't mourn the passing of Reed's Jazz and Supper Club. But I will remember. Thanks, Reed, for the memories.

11 November 2007

The 2007 CECI Award

It's time once again for the event the whole blogosphere awaits with breathless anticipation - the presentation of the annual CECI award!

Once again this year the judges (me) have sifted through the year's dross and spent Guy Fawkes' Day mulling over who's made the greatest contribution to clear thinking about identity, privacy, security, and risk.

As I made my decision I've had a few things on my mind. I've had in mind, for example, why the principal deputy director of National Intelligence thinks we need to change our definition of privacy. The short answer is that the current definition is very inconvenient to the government. How inconvenient? Well, for one thing, it prevents them from spying on all of us without a good reason.

Since we haven't changed the definition of privacy yet, the US Government is being forced to go to all the embarrassment and expense of arguing (in public! how undignified!) in United States v. Warshak that you and I have no expectation of privacy in email communications because we've signed an agreement with our ISP to let them examine our emails under certain circumstances.

(Side note: is anyone but me thinking "Wait! The fourth amendment doesn't say anything about expectations of privacy! It just says that there won't be unreasonable searches and seizures, and there will be warrants based on probable cause supported by oath or affirmation, and particularly describing the persons or things to be seized"?)

The definition of "privacy" which deputy director Donald Kerr would like us to adopt, in deference to the government's needs, is that "government and businesses properly safeguard people's private communications and financial information."

What does he mean by "properly safeguards"? Probably something like this: that the government and the supermarket will only arrest you, send you to Guantanamo, and deny you access to legal counsel if the FBI thinks your falafel purchases are suspicious; if you eat only a patriotic American quantity of falafel, you have nothing to fear.

And I've been thinking about why so few people agree with Mark Klein that all this is a problem.

Which brings me to our winner.

The 2007 CECI Award goes to Andrew Napolitano, former New Jersey Superior Court Judge and current Fox News analyst (I know, I know, but stay with me for a minute), for his most recent (2007) book "A Nation Of Sheep".

Napolitano's basic argument in "A Nation Of Sheep" is this:

  1. The Natural Rights theory says that our fundamental rights come from God and still exist even when they aren't enforced or even respected by the government.
  2. This theory is necessary as a defense against government encroachment, because government does not actually acknowledge any power higher than itself...
    (even when it says stuff like "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights, that among these are Life, Liberty and the pursuit of Happiness. That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed")
    ...but while it is willing to coerce the governed to permit the usurpation of their rights it is embarrassed to say in public that it does not believe in God's supremacy - so attributing rights to God is the only way to make the government acknowledge their legitimacy.
  3. Even attributing rights to God doesn't do us any good if we don't confront government whenever it tries to usurp the rights God gave to us.
  4. But most of us are sheep, and won't confront the government...
  5. Therefore it falls to a few wolves to prevent all of us from falling into slavery.

He's right. Read the book. If, after reading the book, you're feeling sheepish, consider the example of Mark Klein and ask yourself if you've seen any of your natural rights being confiscated lately. If so, ask yourself what you've done about it.

Congratulations to Judge Napolitano on his award. As usual, an acceptance speech in the comments is not required, but would be most welcome.

01 November 2007

Turn Off Your Flash

You're at a party. Or maybe walking on the beach at sunset. Your eye is attracted to a scene. You take out your camera and look through the viewfinder (or at the LCD). You adjust the framing, and, trembling with excitement, you push the shutter button.

You examine the results.

They suck.

What happened?

I'll tell you what happened: your flash spoiled the shot.

What you saw was interesting. What the camera saw was ordinary. The difference was the light. You saw beautiful, interesting, colorful ambient light coming from an interesting direction.

Your camera saw 5500-degrees-kelvin daylight-colored strobe light beamed straight from your eyeball to the subject.

Now stop for a moment and consider a question: if you looked at the scene and liked the light you saw, why did you change it?

So stop changing it.

Look at the picture above. It's a picture of my friend Andre. I took it last week in a shot bar called Chupito's in Barcelona (if you're in Barcelona, go there. You'll like it). Chupito's is very dark. The blue color on Andre's (white) shirt is fluorescence induced by a UV tube illuminating the drink menu on one wall. The red color on Andre's face comes from a very dim incandescent bulb about a foot away from the two of us.

If I'd used flash, it would have lit Andre evenly (so I would have lost the contrast between the shadow on the right side of his face and the brightness of his shirt on the same side) and the flash would have overwhelmed the red and blue colors of the dim lights. The result would have been a much less interesting picture - a picture which would have looked a little like the one I took of Andre earlier this year in a boring hotel corridor at a different event:

This isn't a bad picture, but it's not nearly as interesting as the one from Chupito's. One reason the Chupito's picture is more interesting is that the color of the light is more interesting. If you use flash, your pictures will all be taken in daylight-colored light. But the color of the light isn't the only important thing about the Chupito's picture. The shadows are important too. If you use flash, your pictures will all be lit from your position - that is, they'll all be front-lit, and they won't have very interesting shadows.

Here's another picture; it's a picture of my colleague Mike, and it's front-lit:

Again, it's not a bad picture, but it's got no interesting shadows. I have another picture of Mike (taken in a different bar in Barcelona) which is much better, because it's lit more interestingly. Here it is:

If I'd taken this picture with a flash, there would be no shadow on the left side of Mike's face (on the right in the picture), and the picture would be much weaker.

The moral of this little story is: if you see light you like, turn off your flash. If you turn off your flash, you might need a fast lens on your DSLR, or a tripod for your point-and-shoot, but your pictures will be much better.

(Full disclosure: if you really learn how to use flash, you can get great results. Joe McNally has really learned how to use flash. He uses lots of flashes, most of them off-camera, triggered by wireless remotes, and some of them filtered to provide interesting colors of light. If you want to really learn how to use flash, instead of just turning it off, a great place to start is strobist. And if you ever get a chance to take one of Joe McNally's workshops, do it. He's a great photographer, a great teacher, and a great storyteller.)

Family Matters

I've been doing most of my blogging here and here for the last few months. In the meantime, my sister has started a stamping blog, and my daughter, a digital native, has started to write about what identity means to the next generation (among other subjects). Upcoming posts here will include:
  • Turn Off Your Flash
  • What Is Privacy, Really?
  • Fear and the Bigger Haystack
  • Privacy, Tolerance, and a Free Society
  • The Boggs Tax

01 February 2007

Outsourcing Terrorism to the Victims

Osama bin Laden can retire now; he's worked himself out of a job. We don't need actual attacks to keep us in a state of terror anymore. All we need is Lite-Brite pictures of cartoon characters.

Yesterday, Boston was paralyzed by a terror alert arising from a Cartoon Network guerilla advertising campaign gone wrong. If you believe the Boston Herald, the Boston Police Department spent a million dollars on the incident, and it probably created much larger costs by tying up the city's roads and bridges all day. Those expenses may be only the beginning - Boston will spend an enormous amount of money on lawyers if the city follows through on its promise to throw the book at Turner Broadcasting and at the two artists who created the campaign.

Federal, state, county, and city officials have all been quoted emphasizing the seriousness of the situation. Tom Menino, Boston's mayor, explicitly tied it all back to 9/11, saying "It is outrageous, in a post 9/11 world, that a company would use this irresponsible marketing scheme".

Menino suggests an interesting and important question: what, exactly, is "irresponsible" in this post-9/11 age?

The attitude of terror - that everything unfamiliar is dangerous, and that any time you see something that's not completely familiar, you should stop what you're doing, panic, and run and hide - is not responsible. Osama bin Laden wants you to assume the attitude of terror. He wants you to freak out and call the police every time you see a little pile of white powder, even though the probability is zero that it's anything more dangerous than sugar, salt, or coffee creamer.

The attitude of helplessness - that the world is so dangerous there's nothing you can do to protect yourself except to surrender your judgment, your rights, and your defense to government experts - is also not responsible. George W. Bush wants you to assume the attitude of helplessness. He wants you to leave the war on terror to him, after you let him suspend habeas corpus, the accused's right to counsel, and the requirement for judicial warrants to authorize wiretaps.

These attitudes are irresponsible, because if we adopt them, our fears drive us to attack ourselves. We spend money responding to imaginary threats. We lock ourselves in our homes and suspect everyone and everything. We turn toys into weapons, strangers into enemies, and jokes into crimes. We put cameras in every room and policemen on every corner. When we've done all these things, the terrorists don't need bombs, airplanes, and anthrax anymore; they've outsourced terrorism to the victims, and we'll finish the job ourselves.

If we don't want to become bin Laden's subcontractors, what is responsible? Simple: thinking clearly - thinking for yourself - about risks and precautions is responsible. As I've already noted, Sam Hughes explained it best.

If Boston takes millions of dollars of public money which could be used to investigate and prosecute real terrorist threats, and spends those millions instead on persecuting a couple of cartoon marketers who have (possibly completely accidentally) embarrassed the Boston Police, that won't be responsible. And it won't be popular, either. Enough Americans can still tell the difference between real enemies and phantoms. Some folks who recognize a phantom when they see one are already selling the t-shirt.

Update: Bruce has an excellent entry on this too.

23 January 2007

The Dumbest Advice Yet on Iraq

Did James Webb really say this tonight???

"As I look at Iraq, I recall the words of former general and soon-to-be President Dwight Eisenhower during the dark days of the Korean War, which had fallen into a bloody stalemate. "When comes the end?" asked the General who had commanded our forces in Europe during World War Two. And as soon as he became President, he brought the Korean War to an end. These Presidents took the right kind of action, for the benefit of the American people and for the health of our relations around the world. Tonight we are calling on this President to take similar action... "

When comes the end? Not yet! Has Webb noticed that Eisenhower's action stationed tens of thousands of American troops in Korea for (as of the current date) MORE THAN FIFTY YEARS, at the end of which the stalemate has not resolved but rather hardened to the point where we now face a dictator threatening us with nuclear weapons??? Is this an experience we want to REPEAT?

Could Webb have chosen any better example to SUPPORT President Bush's claim that leaving Iraq would leave us with a "nightmare scenario"?

21 December 2006

Five Things

Pam "tagged" me with a challenge to post 5 things you might not know about me and "pass it on". OK...

  1. Stirred. Not shaken.
  2. I have an IMDB entry. How weird is that? Surely the Oscar is just a matter of time.
  3. Although some (tiny, ridiculous) dogs seem to have found their way into my house via some other family members, my own personal pets are more highly evolved. They are, in fact, cats. Balinese.
  4. I still use film. In fact, I still develop it in the sink!
  5. I was the last PhD graduate of the University of Michigan's late, great Computer and Communications Science department. (John Holland was the first.)

Now for the hard part: Avery, Marcus, Lori, Adam, and Al: Tag, you're it!

Your mission, should you choose to accept it, is to tell us five things we wouldn't otherwise know about yourself, and then accelerate this little pyramid scheme's consumption of Internet bandwidth and server storage by tagging five people whose oddities or secrets you'd like to know.

Happy Holidays to all!

06 November 2006

The 2006 CECI Award

Ladies and Gentlemen, follow the red carpet for a very special treat: the presentation of the first annual CECI Award for clear thinking about security, privacy, identity, and risk.

The nomination and selection process is, like that for the Nobel prizes, mysterious - so don't ask. Nominees who fall short are not humiliated by having their unsuccessful candidacies announced and discussed.

The award is simply bestowed, here, by me, in a suitably magisterial fashion, with appropriate fanfare, pomp, and circumstance (and a little gold picture of Magritte's notapipe).

The 2006 CECI Award goes to David Murakami Wood and a large cast of co-authors, expert contributors, and reviewers for the publication of "A Report on the Surveillance Society". This report was prepared for the Information Commissioner of the United Kingdom. It is, in the opinion of the CECI Award selection committee (me), the best government report of the Millennium to date, and it sets a standard which is unlikely to be excelled often in the remaining 994 years.

The report's scope is breathtaking, but its focus is intense. Its language is clear, direct, and even elegant. Its importance cannot be overstated. To select a representative quote seems almost a disfigurement; the thing should be taken as a whole. Still, as an advertisement for what you absolutely must read - and I am in no way kidding or exaggerating here - I offer you the very first paragraph:

"We live in a surveillance society. It is pointless to talk about surveillance society in the future tense. In all the rich countries of the world everyday life is suffused with surveillance encounters, not merely from dawn to dusk but 24/7. Some encounters obtrude into the routine, like when we get a ticket for running a red light when no one was around but the camera. But the majority are now just part of the fabric of daily life. Unremarkable."

I will have a lot to say on topics this report addresses in the coming months, but I am not likely to improve on any topic it addresses directly. I invite you to read it. Your children's lives will be profoundly affected by how well you understand the issues it raises, and by what you choose to do based on your understanding.

Congratulations to the recipients. An acceptance speech in the comments is not required, but would be most welcome.

03 November 2006

In the Crosshairs

Ars Technica has just published this story about a system you'll want to check out. You'll want to, but you won't really be able to.

The system is designed to collect large amounts of personally identifiable information about every person entering or leaving the United States for the purpose of assigning each individual a "risk assessment" rating. It will be implemented and operated by US Customs and Border Protection, a unit of the Department of Homeland Security.

If you travel a lot, the system will pretty quickly contain your name, address, telephone number, email address, frequent-flyer numbers, travel itineraries, and other information. It would surprise me if it didn't eventually include some credit card information.

The most surreal aspect of the system is its name: THE AUTOMATED TARGETING SYSTEM. Whoever approved that moniker obviously doesn't work in public relations. But in fact Customs and Border Protection clearly isn't too concerned with public relations. While your AUTOMATED TARGETING SYSTEM record can be accessed by courts, government officials at all levels including international, law enforcement, congressional offices, contractors, researchers, the Department of Justice, the National Archives, and intelligence agencies, it's not subject to the protections of the United States Privacy Act, and you can't access it yourself for purposes of reviewing the record's accuracy and correcting errors.

If you're worried about the privacy implications of this, well, you'll probably have lots of company. But don't let your privacy worries distract you so much that you don't worry about another important problem: the accuracy of the "risk assessment" which will be performed using your data.

Since the risk assessment criteria haven't been published, it's not easy to analyze any weaknesses that might exist. But it's not hard to predict that these weaknesses will be profound. Here's a fairly simple question I'd ask if I were assessing the system:

What risk rating would the system have assigned to Timothy McVeigh? Mohammed Atta? Omar Abdel Rahman? Brandon Mayfield? Hugo Chavez? Pope Benedict XVI? Aldrich Ames? John Walker Lindh?

I'm also interested to know whether a "high" risk rating will be considered sufficient justification for initiating an investigation of a US citizen or resident alien, and if so, what due process will be granted to the individual who is investigated.

This type of system (a large-scale system constructed in secret to solve a poorly understood but highly politically sensitive problem) has always resulted in failures, cost overruns, and injustices in the past. There's no reason to predict that THE AUTOMATED TARGETING SYSTEM will be the exception to the rule.

30 October 2006

Heeding the Message

It takes a big man to admit that he's made a mistake, especially in politics.

It takes an even bigger man to think it over carefully enough to propose doing something genuinely useful. Rep. Markey has done both; here's what he wrote in his latest press release, covered on Chris Soghoian's blog:

"Under the circumstances, any legal consequences for this student must take into account his intent to perform a public service, to publicize a problem as a way of getting it fixed. He picked a lousy way of doing it, but he should not go to jail for his bad judgment. Better yet, the Department of Homeland Security should put him to work showing public officials how easily our security can be compromised."

Exactly. This is the kind of thinking we need more of. Kudos and thanks to Rep. Markey for a courageous and helpful statement.

28 October 2006

Shooting the Messenger

Congressman Ed Markey (D-Mass) has called for the arrest of Chris Soghoian, a University of Indiana graduate student who created a website which enabled printing of fake Northwest Airlines boarding passes.

If Congressman Markey, who represents himself as an authority on technology and civil liberties issues, and who publicises national security vulnerabilities on his own congressional website, is surprised by the fact that boarding pass security is a joke, then he hasn't been paying attention for a long time.

Boarding pass security has always been terrible. ABC reported on this vulnerability in June. Bruce Schneier wrote about it as early as 2003, and explains here why he's not worried that it's still easy to forge print-at-home boarding passes.

The print-at-home vulnerability has been covered at Stupid Security and elsewhere (here too!).

Publishing instructions for how to do it isn't new either.

In fact, Slate has pointed out that you don't even need to forge a boarding pass to get past airport identity checks - you can just use somebody else's real one.

Providing an easy online utility to automate forgery may indeed be new. But before we start arresting people, let's think for a minute about who we should be locking up. Real villains - not security researchers - should be at the top of our most-wanted list.

What say we start with the people who actually want to commit terrorism? Congressman Markey lists Homeland Security and Defense among his top issues. You may have noticed that we haven't caught Osama yet.

Once we arrest the people who create the threats, we should go after the people who create the vulnerability. This would be airlines (who allow you to print insecure boarding passes at home in an easily-forgeable format) and the TSA, who take a cursory look at your forged boarding pass and wave you through their checkpoints.

Then let's look for the guys who have failed to hold the airlines and the TSA accountable for their failures. Congressman Markey's bio says he's one of them: "As the third most senior Democrat on the House Homeland Security Committee, he has emerged as a leader in both legislative and oversight activities in the areas of nuclear, aviation, rail, liquefied natural gas and chemical security." If this oversight were effective, Chris Soghoian wouldn't have been able to build his website and we wouldn't be talking about it.

Bruce is right that the real problem is elsewhere. But even if this were a real problem, arresting the messenger wouldn't solve it. Congressman Markey undoubtedly knows that - and he also knows that loud law-and-order noises sound good in an election year.

01 October 2006

Pink for October

Special this month: Ceci n'est pas un Bob will be Pink for October to promote awareness of breast cancer. Plus, pink is cool.

08 September 2006

Getting Crowded In Here

From the shameless promotion desk: my Identity and Privacy Services team at the Burton Group has started a blog. I'll be posting there too from time to time, but what makes me really happy is that you'll get to hear the same voices I hear every week at work.

Check it out.

O Brave New Web

... That hath such creatures in it.

Your friends and associates: Collect 'em! Trade 'em! I'll give you eight bucks for a mint Babe Ruth rookie card, or six for a Larry Ellison business card!

Jigsaw has been slashdotted today via a story in the San Francisco Chronicle.

Have I mentioned The Absurdity of "Owning One's Identity"?

Jigsaw's claim that user activity will keep information up to date in their system isn't particularly convincing to me, by the way: I used their "Find out if you are in Jigsaw" feature to discover that information for "blakley@us.ibm.com" IS in their database. I'd like to meet him. I bet we'd have a lot to talk about.

Jim Fowler, Jigsaw's CEO, says he's thought deeply about the moral issues Jigsaw raises, and that everything's OK. To investigate that claim, try the following thought experiment:

Meditate on Jigsaw. Breathe deeply. Let your feelings flow.

Meditate on LinkedIn. Breathe deeply. Let your feelings flow.

Explain your feelings.

Want a hint? LinkedIn is different from Jigsaw - it requires you to accept an introduction before it dishes the dirt on you. That's a tiny step in the right direction, but I'd rather have a Meta-Identity System than either of these Web 2.0 Identity Systems. It would be easy to do this for business contact information.

Here's you visiting a Business Contact Identity Oracle:

You: "Do you know Bob Blakley?"

Oracle: "Yeah, I know him".

You: "Great! Give me his email address."

Oracle: "Pound sand, loser."

You: silence while thinking for a minute.

You: "OK, if I give you MY email address, and a message, will you send it to him?"

Oracle: "Gladly."

Now wasn't that easy?

04 August 2006

On Burton

It's always disconcerting to be discussed in public... Jamie's post touches all sorts of topics which hadn't even occurred to me. I suppose there's a lot that could be said about many of these topics, but the only thing I really want to say is that if you want to know why I chose The Burton Group as the next place to go, look here. If you haven't heard these folks speak, or read their reports, you have a treat coming. They're making a difference in the industry (SAML wouldn't have happened without them, for example), and I'm looking forward to pitching in and helping.

01 August 2006

We Interrupt This Program...

As of today, I've moved from IBM to The Burton Group, where my job title will be Principal Analyst. I'll be working on Identity, Privacy, Security, and Risk Management. The views expressed here are still mine, and don't necessarily reflect the positions or opinions of either employer.

12 July 2006

The Meta-Identity System

Let’s start with a question: “In the Identity Metasystem, how can Identity Providers Exist?”

It seems simple in principle; someone sets up an Identity Provider server which has a Web Services Security Token Service (STS) and a policy engine. The server invites “subjects” to create profiles (lists of identity attributes) and then creates signed tokens asserting those profiles for consumption by Relying Parties. All this is easy to do.

The Paradox of the Identity Provider

What’s hard is:
  • Paying for the Identity Provider server and the service it provides.
  • Convincing Relying Parties that they should rely on information provided by a third party (the Identity Provider) rather than maintaining identity attribute information themselves.
  • Assigning liability when a relying party asserts that a claimed identity attribute is incorrect.
  • Assigning liability when a subject claims that the wrong identity attribute claim was released to a Relying Party.
  • Making subjects whole when a security failure “leaks” subject identity attributes directly from the Identity Provider.
  • Assigning liability and making subjects whole when a security failure “leaks” subject identity attributes from a Relying Party.

There’s a vicious circle here. Relying Parties won’t want to outsource identification of their transaction partners unless they can feel sure that the Identity Provider’s information is better than their own, or unless they can be indemnified against losses arising from mis-identification. Identity Providers, therefore, have to spend a lot of money on data verification, or liability insurance, or both. But to spend a lot of money, Identity Providers need to make a lot of money. This means that either their fees or their transaction volumes need to be very high. To generate high fees and high transaction volumes, Identity Providers need to have a valuable asset. And (here’s the rub) if Identity Providers provide their subjects’ identity attributes to Relying Parties, they don’t have an asset - because they’re giving it away to their customers.

The Potemkin Village

Parenthetically, by giving identity attributes to Relying Parties, Identity Providers turn the Identity Metasystem into a kind of Potemkin Village - a false front hiding emptiness and weakness. The Identity Metasystem's subjects rely on the Identity Provider to safeguard their private information, but the Identity Provider can’t safeguard information which is sitting in Relying Party systems. Unless the Relying Party's systems change, the implementation of the Identity Metasystem does nothing to reduce the total privacy risk of the environment it’s introduced into - though it may increase Relying Parties’ liabilities for that risk, because the Identity Provider’s contracts may create liabilities for Relying Parties who mishandle the information they provide.

The Meta-Identity System

If this seems gloomy, there’s good news. The technical infrastructure of the Identity Metasystem contains the seed of a solution to both problems (“How does the Identity Provider make money?” and “How do we avoid building a Potemkin Village?”). That seed is metadata.

In order to build an asset, the Identity Provider has to stop giving its crown jewels - identity data - to its customers. It can do this simply by changing what it puts into the claims it hands out to Relying Parties. Instead of answering a Relying Party’s query “How old is Bob?” with the claim “Bob is 45”, it can answer “How old is Bob?” with the claim “Bob is over 18”. Instead of answering the query “Is Bob a good credit risk?” with the claim “Bob’s credit history is (fifty-page report goes here)”, it can answer “Is Bob a good credit risk?” with the claim “97% of people with credit histories similar to Bob’s repaid loans of under $200,000 on time.”

Claims like these contain metadata rather than data. From the point of view of the Identity Provider, identity metadata has two big advantages over identity data. The first advantage is that using identity metadata in claims allows the Identity Provider to provide a service to its customers without handing over its core asset - and in fact using identity metadata allows the Identity Provider to build the value of its asset by developing expertise in analyzing raw identity data and transforming it into more and more accurate and useful metadata.

The second advantage of using metadata instead of data is that it allows the Identity Provider to provide a service to Relying Parties while minimizing the disclosure of specific personal information to those parties - thereby reducing privacy risks to subjects. Once the Identity Provider gets out of the business of providing raw identity data, of course, it no longer makes sense to call it an “Identity Provider”; calling it an “identity metadata provider” sounds hopelessly geeky, though, so I propose instead to call it an “Identity Oracle”, since what it’s really doing is answering questions about an identity.

As a technical community and as a society, we can realize a lot of benefits by eliminating Identity Providers. Instead of building an Identity Metasystem with Identity Providers, we should build a Meta-Identity System with Identity Oracles. The technical infrastructure of the Identity Metasystem doesn’t need to be changed - all that needs to change is what we put in the claims and the way we think about the system.
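A sketch of the Identity Oracle idea, added here as an illustration and not taken from the talk or from any Identity Metasystem implementation: the oracle answers a predicate ("is Bob at least 18?") with a signed claim and has no question that returns a stored attribute, and it forwards a message without disclosing the address. The profile, key, function names and the shared-key HMAC signature are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import date

# Constructed sample data: raw identity attributes that never leave the oracle.
PROFILES = {"bob": {"birth_date": "1961-03-14", "email": "bob@example.org"}}

# Assumption: one HMAC key shared with the relying party keeps the example
# stdlib-only; a real Security Token Service would sign with a private key.
ORACLE_KEY = b"constructed-demo-key"

# Messages the oracle has forwarded; only the oracle sees the real address.
OUTBOX = []


def age_at_least(profile, min_age, today):
    """Derive metadata (a yes/no answer) from the stored birth date."""
    birth = date.fromisoformat(profile["birth_date"])
    had_birthday = (today.month, today.day) >= (birth.month, birth.day)
    age = today.year - birth.year - (0 if had_birthday else 1)
    return age >= min_age


# The only questions the oracle answers. There is deliberately no entry that
# returns a stored attribute such as birth_date or email.
PREDICATES = {"age_at_least": age_at_least}


def sign(claim):
    """MAC over a canonical JSON encoding of the claim."""
    payload = json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(ORACLE_KEY, payload, hashlib.sha256).hexdigest()


def ask(subject, question, argument, today):
    """Relying party's query: returns a signed claim carrying only the answer."""
    if question not in PREDICATES:
        raise PermissionError(f"oracle does not answer {question!r}")
    claim = {
        "subject": subject,
        "question": question,
        "argument": argument,
        "answer": PREDICATES[question](PROFILES[subject], argument, today),
        "issued": today.isoformat(),
    }
    return {"claim": claim, "sig": sign(claim)}


def verify(token):
    """Relying party's check that the claim was issued by the oracle unmodified."""
    return hmac.compare_digest(sign(token["claim"]), token["sig"])


def relay(subject, reply_to, message):
    """Business-contact case: forward a message, reveal nothing about the address."""
    OUTBOX.append({"to": PROFILES[subject]["email"],
                   "reply_to": reply_to, "body": message})
    return {"subject": subject, "forwarded": True}


if __name__ == "__main__":
    token = ask("bob", "age_at_least", 18, date(2006, 7, 12))
    print(token["claim"], verify(token))
    print(relay("bob", "you@example.com", "Can we talk?"))
```
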

I gave a talk about this at the recent Burton Group Catalyst Conference. The talk includes a lot of material I haven’t discussed here; if you’re interested in listening to the talk, the Burton Group has kindly posted it in podcast form here, along with the accompanying slides.

29 May 2006

Memorial Day

I attended a high-school graduation in a local church on Sunday; the liturgical paraments expressed the perfect wish for Memorial Day. My long silence was not idleness; May has incubated many thoughts, to which you'll soon be exposed. If you've been anticipating the fulfillment of promises made in past posts, you won't be disappointed.

09 April 2006

Auto-exposure

Since Phil took the bait, here's a simple test you can do to find out whether automation is homogenizing your photographs. Take one of your photos and open it in Photoshop. Then do this:

Filter > Blur > Average

Image > Mode > Grayscale

Now use the Eyedropper tool to sample any point in the image.

Finally, look in the Color Palette and see what percentage of gray is "average" for your picture.

If the answer is about 50%, you probably used auto-exposure. Phil likes aperture-priority automation. He justifies its use this way:

"I don't think the automation in the camera makes a great deal of difference. Once you have decided what you want to take a picture of, compose the shot and focus on the topic of interest there are only two real choices you can make on a camera; aperture and shutter speed. And the choice of one strongly constrains the other"

This is true - if you want the average density of your photo to be 50% gray. Your camera wants the average density of your photo to be 50% gray, because that's the average for a photo with a "full range of tones" more or less evenly distributed (for example, a picture of a human subject outdoors in the daytime on a grass lawn.)

Here's a photo I took at Reed's late last year. I saw some shadows on the wall in a dark corner and thought they looked interesting in a brooding, film-noirish way. The corner was very dark, and I wanted the picture to look dark, the way my eye saw it. If you run the Photoshop action I've described above on this picture, you'll see that its average gray percentage is 95%.

When I took the picture, I knew that the normal exposure for ambient light in Reed's is about 1/60 of a second at f/2 on 400 speed film. In dark corners, there's much less light. I shot this picture (manually) at 1/30 at f/2. If I'd used aperture-priority automation at f/2 (assuming my camera did that, which it doesn't), the camera would have noticed that the wall wasn't lit, and it would have set a shutter speed of either 1/4 or 1/2 second - resulting in a picture with an average gray percentage of about 50%, which would have looked like this:

I like my picture a lot better than the one an automatic exposure meter would have generated. I could have tricked my F-100's auto-exposure system into producing the picture I wanted by setting "exposure compensation" to tell the F-100 that the scene was supposed to be dark. But then what good is the automation? I already know the scene is dark, and it's no harder to set the exposure values manually than it is to set exposure compensation manually - so all the automation does is make it more likely that I'll get lazy and end up with a bad picture.

Automation won't hurt your "average" pictures (photographs of people in daylight, for example), because those are the pictures it was designed to produce. It is much more likely to hurt dark or light pictures, or anything else "out of the ordinary".

Open up a bunch of your pictures and try the Photoshop experiment I've described above. If your highest gray density is only 10% higher than your lowest, turning off autoexposure will probably improve your photography.

02 April 2006

How I Take A Picture 1: Take Responsibility

I have a Nikon F-100. It's a great camera. It has lots of advanced functions. It winds the film onto the takeup spool as soon as I close the camera back. It reads the ISO sensitivity of the film off the film cassette and sets it automatically. When it gets to the end of the roll, it automatically rewinds the film. I can set it to leave the film leader out of the cassette, or to wind the film all the way into the cassette with no leader sticking out. The F-100 has aperture-priority and shutter-priority automatic exposure, and a program mode, and a "flexible program" mode, which lets me change the aperture or the shutter speed and automatically compensates for the exposure difference by changing the setting I haven't touched. The F-100 has spot metering, center-weighted average metering, and "matrix metering". It has autofocus. It has TTL auto-flash with distance sensing, which measures the light as it hits the film and closes the shutter when just exactly the right amount of light has gotten in. It has exposure compensation and flash exposure compensation. It shoots 5 frames a second. It fits my hand like a glove.

I never use it.

I got tired of turning all those features off.

I turned them off because I realized after a while that my first step in taking a picture should be to take responsibility. Taking responsibility was hard with the F-100. It was always whispering to me. It would say things like "The light just changed. I could handle that for you - why don't you just let me set the exposure while you worry about more important things?" or "It's really dark in here. Why don't you just let me add a little flash?" And since I'm lazy and weak, I'd sometimes give in and let the F-100 take some of the responsibility I should have been taking.

The F-100 handled those responsibilities beautifully. It made far fewer mistakes than I did.

You're wondering why I wanted to take responsibilities away from a machine which handled them better than I did. Here's why: because the F-100 was a slut. Everything it did for me, it would have done for you too. It was homogenizing my photography.

Imagine this. You and I are standing in front of Kilauea. There's a Pacific cyclone a hundred miles offshore, and the biggest thunderhead either of us has ever seen is towering over the ocean behind the volcano, showering lightning bolts like Steven Spielberg on a $200 million budget. The volcano itself is erupting spectacularly, and to top it all off, there's an incredible sunrise behind us spraying orange and pink light all over the clouds and casting a huge rainbow over the volcano and in front of the storm.

The light's changing fast, so I have the F-100 on Program auto-exposure, in matrix metering mode and autofocus. I take a picture. You forgot your camera, so you ask to borrow the F-100 and you take a picture too.

We just took the same picture. Of a once-in-10-lifetimes scene. Not only that, we both took the same picture as all the other tourists standing around looking at the scene through the viewfinders of their auto-everything cameras. We all took the pictures our cameras wanted to take, not the pictures we wanted to take.

If I were using the all-manual Leica IIIf shown at the top of this blog entry instead of the F-100, I would have to make a bunch of creative choices. I would have to choose a shutter speed and an aperture setting, for example. The combination of the two would determine whether the scene in the picture looked "normal", "dark", or "light". But each individual choice has implications beyond darkness and lightness. A slow shutter speed would give me more lightning bolts, but it would blur the lava spewing out of the volcano. A wide aperture would blur the foreground, and would slightly decrease the overall sharpness of the picture. If I want a slow shutter speed and a wide aperture, I get a lot of light. That's OK if I want the picture to look lighter than the scene looked in real life - but if I don't want that, I'll need to put some filters in front of the lens to block some of the light.

When I use the IIIf, I have to think about what I want the picture to look like before I push the button. It has no automation, so it can't whisper the siren song of automation in my ear. It doesn't want me to take average pictures - pictures just like yours and everyone else's - because it doesn't want me to take any particular kind of pictures at all. All the creativity and intelligence stay in my head, where they belong.

If you want to take pictures just like everyone else's, set your camera to automatic.

If not, take responsibility. Set your camera on manual.

If that sounds scary, don't worry; in the next entry in this series I'll tell you what to do next.

21 February 2006

Within This Decade

Security professionals have known for many years that your password is one of the weakest points in the security of the web of computing devices and services you use.

We’ve been trying to do something about the problem for as long as I’ve been in the business.

We started by obfuscating passwords on servers after we figured out that the password file was an attractive target for attackers. UNIX was a pioneer in this area, though as usual MULTICS was there first.

Obfuscating and encrypting passwords has never worked very well, because a large percentage of passwords are very easy to guess in just a few attempts.

But protecting passwords on servers didn’t work for another reason too: you could read them off the network as they zipped by. We’ve tried encrypting them on the network (TLS became an IETF standard in 1999, by which time its predecessor SSL had already been in use on the Internet for three years), and we’ve tried pushing their use to the client system to keep them off the network entirely (Kerberos became an IETF standard in 1993, by which time it had already been in use at MIT and elsewhere for many years).

Keeping passwords on the client assumes a bunch of things which aren’t true. It assumes clients are secure; they aren’t. It assumes passwords aren’t trivially easy to guess; they usually are. And it assumes that the user won’t tell the password to anyone who asks. Phishing attacks are what you get when the bad guys figure out that you will tell your password to anyone who asks.

It’s bad enough that passwords aren’t very secure; what’s even worse is that they’re a huge pain too. We all hate them because we have to change them all the time and they’re hard to remember. Your organization probably has a bunch of rules for good passwords: they have to be at least “some number of” characters long; they have to include a bunch of weird characters you can’t find on your keyboard; you’re not allowed to use your name, or your account name, or more than two characters from your last password - and so on. All these rules are just variants of the Two Platonic Password Composition Rules:

  1. Pick something you can’t remember.
  2. Don’t write it down.

No problem, right?

We security guys have known for a long time that the right way to deal with passwords is to get rid of them. We resolve to do it periodically, but these resolutions are like New Year’s resolutions to lose weight - somehow we never get around to finishing the job.

In 1998 the Internet Architecture Board got a bunch of us together to take a look at what the security architecture of the Internet should look like. We agreed on almost nothing - with one exception:

“One security mechanism was deemed to be unacceptable: plaintext passwords. That is, no protocol that relies on passwords sent over unencrypted channels is acceptable.” IETF RFC 2316, 1998.

Eight years later lots of websites still ask for your password over an unencrypted HTTP connection (but giving examples wouldn’t be nice).

In 2003 the National Academy of Sciences got a bunch of us together to take a look at authentication technologies and how they affect your privacy. Unsurprisingly, we agreed again:

“Static passwords are the most commonly used form of user authentication, but they are also the source of many security weaknesses... great care should be taken in the design of systems that rely on static passwords.” “Who Goes There?”: Report of National Academy of Sciences Panel on Authentication Technologies and Their Privacy Implications, 2003.

The report doesn’t come right out and say we should just get rid of passwords - because at the time I argued passwords were still OK in some contexts and that an out-and-out ban would be an overreaction to the risk.

I was wrong.

Static passwords are an unacceptable hazard, good alternatives exist, we should get rid of static passwords in favor of those alternatives, and we should do it fast.

We’ve been saying this for years; it’s time to get off our butts and do it. Bill Gates agrees; in his keynote address to the RSA Conference last week, he called passwords "dinosaurs", and noted that they're becoming the weak link in the security of the Internet.

As penance for my past sins, I’m going to issue a challenge to the information security community from my little soapbox here:

“I believe that this community should commit itself to achieving the goal, before this decade is out, of providing every computer user with a strong authentication device and the infrastructure required for its universal acceptance.”

What do I mean by “a strong authentication device”? It’s a device with the following properties:
  1. It’s always with you
  2. You notice quickly if you lose it
  3. No one else has one exactly like it
  4. It keeps a secret you can’t remember without writing it down
  5. It never does the same thing twice

Why these characteristics and not others? Because: if your device never does the same thing twice and no one else has one exactly like it, you need to have your particular device to authenticate yourself, and you need to have it every time you authenticate yourself. If you lose it, you can't authenticate yourself. Period.

Luckily, it's always with you, so you can authenticate yourself. Since it's always with you, you can always use it to authenticate. Because you always use the device to authenticate yourself, you're always authenticating with a secret which you can't remember without writing it down – and because the device keeps the secret, neither you nor anyone else knows it.

Because the secret is this strong, it can't be recovered by guessing or by brute-force enumeration, as in a dictionary attack. This means that in order to get the secret and use it, your enemy has to get the device itself.

But if the enemy does get the device itself, you'll know immediately, because you notice quickly if you lose it.

And once you know the enemy has the device, you will of course take steps to cancel it and get another right away.

The overall effect here is to reduce the number of ways your authentication can be attacked, and to reduce the period of time during which the enemy can profit from a successful attack.

We need to get a strong authentication device into the hands of every man, woman, and child on the planet.

To do that, we’re going to need lots of strong authentication device providers and lots of innovation. The devices are going to need to be cheap, they're going to need to be trivially easy to use, and they're going to have to come in all shapes, sizes, and colors to fit with the widest possible variety of lifestyles.

If you want strong authentication in your cell phone, we need to give it to you in your cell phone. Want it in your iPod? We need to put it there. Wristwatch? Why not? Car key? Sure. Glass eye? Well, I don’t want to beta test that one, but we’ll - ahem - look into it.

Strong authentication devices aren’t a panacea. There are lots of problems they won’t solve. Bruce argues that they won’t even solve the phishing problem - and he’s right. But here’s what strong authentication will do:

  1. It will shorten your window of vulnerability after your authenticator is stolen. Today, if someone phishes your password, or uses a password-cracking program to recover it, or looks over your shoulder while you type it into a login screen, you might not notice for a long time. During this long time, the password thief may do you a lot of harm. When you have a strong authentication device, you notice it’s missing the first time you go to use it, so you can report the loss and stop the damage.
  2. It will force anybody who wants to hijack your authenticator without stealing it to interact with you every time he wants to use your identity. Today, a phisher who gets your password once can use it as often as he likes. Since a strong authentication device never does the same thing twice, the phisher who wants to use your identity has to get you to give him a one-time value, and then he has to use that value before it expires and before you use it. If he wants to use your identity again, he has to get back in touch with you to get a new one-time value. As Bruce notes, the phisher can do this using a man-in-the-middle attack, or he can plant a Trojan Horse on your client system. But both of those things are harder than sending you an email and waiting for you to respond, and both are things we can, and must, defend against in other ways.

If we’re going to use authentication at all, there’s no excuse for using weak authentication. Let’s fix the problem. We’ve got 4 years. We've also got a roadmap. The OATH consortium, which I've been participating in for the last two years, is dedicated to promoting the development and adoption of open, strong authentication technologies.

OATH isn't a standards body, and it doesn't make money off strong authentication. Instead, it encourages and publicizes. OATH has endorsed the development of an open, one-time password standard called HOTP at IETF. OATH has also published a reference architecture for strong authentication, and we're working on identifying the work that needs to be done to make that architecture a reality.

If you agree that we need to get rid of passwords and replace them with something better, I'd like you to do something about it.

If you can, I'd like you to help us advance the cause of strong authentication by joining OATH.

If you don't feel that you have something to contribute, or if you're already working on something else equally important and don't have the time to join this crusade, you can still do something very important: you can ask the providers of your information systems and services this simple question:

"Why do I still have to use a password? It's annoying for me, it's expensive for you, and it's insecure for all of us – can't you give me something better?"

If you don't get an answer that makes sense, keep asking.

27 January 2006

Sorry, Jim, Reputation is a Story

Jim Kobielus disagrees with me that your reputation is "just a story".

He proposes an alternative:

"Reputation is a computed halo—positive or negative--around our socially contextualized identities...

Reputation is a score computed by relying parties in order to determine whether or not to authorize the reputed party to access resources such as jobs, communities, romantic encounters, time of day, etc....

Reputation is an assurance that someone is worth our while."

I'm sorry to say that this is just wrong. All these computations take reputation as an input rather than producing it as an output.

Easy example: Is George W. Bush "worth our while"? People's answers differ violently, on the basis of exactly the same set of information. The information is the reputation. Whether the reputation is "good" or "bad" depends upon where you stand.

The dictionary (American Heritage, of course) agrees with both of us, but gives Jim's definition priority:

reputation: NOUN: 1. The general estimation in which a person is held by the public. 2. The state or situation of being held in high esteem. 3. A specific characteristic or trait ascribed to a person or thing: a reputation for courtesy.