Wednesday Sep 30, 2009

foaf+ssl in Mozilla's Fennec works!

At yesterday's Bar Camp in La Cantine I discovered that Mozilla's Fennec browser for mobile phones can be run on OSX (download 1.0 alpha 1 here). So I tried it out immediately to see how much of the foaf+ssl login would work with it. The answer is all of it, with just a few easy to fix user experience issues. I really am looking forward to trying the Nokia N810 Internet Tablet for real.

Anyway here are quick snapshots of the user experience.

Getting a certificate

First of all the best news is that the <keygen> tag, now documented in html5 works in Fennec. This means that one can get a client certificate in one click without going through the complex dance I described in "howto get a foaf+ssl certificate to your iPhone".

This is how easy it can be. Go to

After filling out the form, you can create yourself an account on

To make your WebId useful all you need to do is click on the "Claim account with SSL certificate" button -- which could certainly be phrased better -- on the account creation successful page:

Once clicked, your browser will start calculating a new public private key pair, send the public key to the server which will turn it into a certificate, and send that back to your browser, which will then add it to they keychain! All you will see of this whole transaction is:

The Fennec message here is a bit misleading: you should not in fact need to keep a backup copy of your certificate. Foaf+ssl certificates are very cheap to produce. And without a link to the keychain from the popup, most users won't know what is being talked about, or how to keep a backup. Also on a cell phone they may well wonder where to put the backup anyway. So in this case it is wrong, and not that helpful. Much better would be to have a popup say: "Your certificate has been installed. Would you like to see it?" Or something like that. Most people won't care.

Using the certificate

You can then test the foaf+ssl certificate on any number of sites. The site has a login button for example that when clicked will get the browser to ask the user to choose a certificate. And, this is where the User Interface choices made by the Mozilla team are just simply embarrassing. Not unusable, but just really bad.

No user ever cares about these details! It is confusing. Do you think users have issues with URLs? Well what do you think they are going to make of the old outdated Distinguished Names?

Just compare this with the User Experience on the iPhone

Quite a few bug/enhancement reports have been reported on this issue on the Mozilla site. See for example Bug 396441 - Improve SSL client-authentication UI, and my other enhancement requests.

Still this user interface issue should be really easy to fix, as it is just a question of making things simpler, ie. of reducing the complexity of their code. And clearly on a cell phone that should be a priority.

Another issue I can see on the Fennec demo browser, is that I could not find a way to remove the certificates.... That would be quite an important functionality too.

But in any case using foaf+ssl on Fennec is the easiest of all cell phone browsers to use currently - and one of the rare ones, if not the only one, that works correctly! So kudos for that! Fennec and the Nokia N810 is the place to look for what a secure life without passwords, without user names, and a global distributed social network can look like on a mobile platform.

Tuesday Sep 29, 2009

Another great Bar Camp in La Cantine

Today, well yesterday (Tuesday) I was at a Bar Camp on Cloud computing, social networks, the Open Stack and Geolocation in the very friendly La Cantine organized by Silicon Sentier in Paris.

La Cantine is a great place to meet lots of people anytime. You can just stop by and drink some coffee while hacking a project on the web. But today with guests from Google, Mozilla, Sun (me and some others) and a very enthusiastic and technical audience the place was full of energy.

As it was a Bar Camp the timetable organized itself. A track on social networks appeared, and so of course I presented foaf+ssl as I had done 10 days before at the Social Web Bar Camp, except that we had to do this without projector this time as we, 20 or so people, were gathered around the bar. So for those who were there who would really like to get a better overview of what this enables, I recommend the following links:

  • The second video of the blog "FrOSCon: the Free and Open Source Conference in Sankt Augustin, Germany", (best viewed in Firefox 3.5 at present)
  • The essential web site, where one can put together in a few clicks a foaf file and on browsers other than Internet Explorer, get a certificate in one click, (Firefox and Opera are recommended)
  • The foaf+ssl wiki which contains the links to all the papers and howtos, including the essential mailing list.

This was also the occasion of meeting a lot of very knowledgeable people from Google such as Patrick Chanezon for example, and from the European Mozilla team, such as Tristan Nitot. I was so busy answering questions sadly that I missed quite a lot of the other talks. But I did make a lot of good contacts, that I will now be following up on.

Sunday Sep 20, 2009

Social Web Bar Camp in Paris

social web bar camp program drawn up on the black board

After flying in from Berlin on Friday and celebrating the Jewish new year late into the night with Ori Pekelman, I woke up earlyish on Saturday to go to the Social Web Bar Camp organized in and by La Cantine, the very friendly Parisian conference, community, meeting space for creative people in the digital age.

At 10am the conference started and people slowly arrived for the freely available espresso coffee and pastries. The conference was free too, being sponsored by the member organizations of La Cantine. At 10:20am as the coffee had worked itself into the 60 or more attendees, Ori started the workshop (picture) by having everybody introduce themselves shortly by name and 3 tags. The Bar Camp rules of the game were then explained:

  • Everybody is a participant
  • You make the event
  • Feel free to move between sessions if you feel you are not getting what you were looking for at one of them
  • Write up your interests on the black board, this will be used to create the time table.
So the sessions were put together on the spot there and then.

Of course I put up a session on foaf+ssl and Distributed Social Networks on the black board, for the session starting at 11am.

After a last coffee, a little over 20 people gathered in the room. I connected the laptop to the projector, introduced myself and the W3C Social Web XG, before starting the presentation (slides in pdf) which I have been giving in various universities and hacker spaces around Europe for the past 5 months. (see the FrOSCon video for example)

picture of the discussion in the foaf+ssl session

A round table discussion of this size has a very different dynamic to conference presentations. It is a lot more free flowing and people can ask question and did as I went through the presentation, leading to lively discussions on security, identity and web architecture. At times it seemed in danger of veering off into widely philosophical discussions, but somehow we always got back to the topic helped by the real implementations of foaf+ssl that are now available. Somehow we did in fact manage to complete covering the subject by 12:30 including an excursion into a description of the very real business opportunities this enables.

From the twitter posts (tagged #swcp) and the invitations to follow up with other French public and private institutions that I got over the course of the day, I can only say that this conference was a great success. I could not have started my 1 month stay in Paris in a better way. I will clearly be very busy during the coming month, before my return to Berlin.

Thanks to Huges M for the photos. More of his pictures are available on his flickr account under the #swcp tag.

Further pointers

Monday Sep 14, 2009

Freiheit statt Angst - Freedom, not fear

Freiheit statt Angst photos

This weekend in Berlin, 20 thousand people, from most political backgrounds, came to protest against increasingly intrusive and worrying surveillance measures of all kinds, made possible by modern information technology, under the banner Freiheit statt Angst. As governments and businesses automate the collection of information about individuals, worries are starting to grow about how that information could be used. In Germany for example the request by the government that the ISPs keep records of the mail headers of all the communications between people for 6 months, was among one of the major motivators bringing people out. The growing use of video surveillance cameras - not as bad as in the UK here, though they were clearly lining the street along the road of the demonstration - is another vector of resentment. Electronic RFID enabled passports containing personal information readable at a distance and being put into operation soon, generate a lot of worries, quite understandable, especially after listening to Chris Paget's RFID cloning presentation. The German Chaos Computer Club has further pages undermining the use of these technologies, such as the article "How to fake fingerprints" where you can learn how to capture fingerprints left over on a glass, make a copy of it, and duplicate it anywhere you choose. Others are worried about the creation of centralised medical data banks, citing the cases where massive amounts of data have been lost by companies directly involved in telecommunication infrastructure, such as when the information of 17 million T-mobile customers was stolen. If telecoms companies can't secure their data, who will be able to do it? These and many other cases bringing issues of privacy, security and data ownership are fueling a debate that is strong enough to move 20 thousand people to the street: quite a feat, considering the abstract nature of the debate.

The following video covers the issues from a German perspective very well (an english version will be available here soon)

If these issues sound remarkably like those arising in France, the UK, and other European Countries, it is that the movement for internet rights is a global phenomenon, reacting to technological problems that span borders as the July/August issue of Internationale Politik argues. Clearly these topics need to be debated in much more depth and with much more seriousness, by involving much larger sections of the community. One just cannot magically solve complex problems with misguided laws, however comforting it may seem at first to be. Bad solutions introduced in a climate of fear, can only grow the insecurity and mistrust between citizens, governments and business. With Germany's historical proximity to both fascist and communist surveillance regimes, these issues of trust are alive and healthy here. Hopefully other countries won't be misled by their distance to such horrors into thinking that it cannot happen to them. The only solution is active participation in the debate.

Here are some photos I took from the roof of the Green bus which gives a good idea of the size of the protest. You can clearly see the large Pirate Party bus at the back, with their Orange banner, the Red Left convoy, the CCC bus covered with video surveillance cameras, and their Federal Trojan Horse, with the sign "watch the watchmen!"

Schauble-Freie Zone Start of "Freiheit Statt Angst" demo CCC camera truck Pirate Party Pirate Party

IMG_0413 Noch kein terrorist "überwacht die überwacher" on the Federal Trojan horse green drum beat

The Green party was escorted by some of the top Green politicians

Ströbele and Claudia Roth at "Freiheit Statt Angst" IMG_0419 stasi 2.0: Vollbeschaftigung durch vollüberwachung

The large Anti-Fascist convoy was ironically the most escorted by the police. Perhaps the use of face covering masks, illegal in Germany for citizens, though not it seems for the police, was what attracted the security forces. Their presence certainly formed a good symbol of the problem between privacy, public statement, anonymity, and surveillance.

Break out of Control

Add to that the fact that there were close to a thousand police officers for a demonstration the police claimed had attracted only 10 thousand individuals, and we have a police to demonstrator ration of 1/10, which goes only to increase the surveillance message. As the following photos show quite clearly the demonstration was peaceful. Put 20 000 geeks on the road on a sunny day, and you get something like this:

Nur Diktatur braucht Zensur you will wish we were apolical potentially troublemaking citizen IMG_0428 Sammel album 2.0
IMG_0430 IMG_0431 IMG_0432 My info belongs to me todo list IMG_0436
Löschen statt sperren who watches the watchmen freiheit statt angst It is your feat, but it is our freedom Freiheit Statt Angste - Die Linke Fretiheit Statt Angst
The data tentacles Big Boss is watching you Against the state of surveillance

The result in the press was quite positive. Here are some of the articles I gathered from following Twitter #fsa09 tag for a few minutes:

One story that made the round of Twitter, the blogosphere and the news was the following incident of police brutality captured by a demonstrator on video:

[Update Tuesday 15 September: It seems this incident was provoked by a demonstrator asking the police for their Identification number, which they are obliged to give, but which they don't like handing out, preferring to treat those who ask for it as troublemakers. This is a long standing issue as the following article "Anonymität schützt Polizisten" - Anonymity protects the police explains. So in short the police themselves and the state by extension are very keen on anonymity, but refuse the same for the demonstrators and the public which is being placed every day under increasing surveillance measures. Luckily the attack was caught on High Definition video by a member of the Chaos Computer Club, helping identify the police who committed the excess. This resulted in the CCC publishing the following press release "Chaos Computer Club fordert bundeseinheitliche Nummernschilder für Polizisten": CCC calls for nationwide number plates for Police.]

Clearly then the same tools that can be used to create a surveillance society, can also be used when distributed to the citizenry as a means of watching the watchmen. Perhaps that is the lesson of the demonstration: the need to reduce the asymmetry of surveillance technology. It should be understood that Kant's Categorical Imperative - "act only according to that maxim whereby you can at the same time will that it should become a universal law" - applies especially to legislation. If you want to watch others don't be surprised if they then watch back. If you want anonymity, don't refuse it to others.


Wednesday Sep 09, 2009

RDFa parser for Sesame

RDFa is the microformat-inspired standard for embedding semantic web relations directly into (X)HTML. It is being used more and more widely, and we are starting to have foaf+ssl annotated web pages, such as Alexandre Passant's home page. This is forcing me to update my foaf+ssl Identity Provider to support RDFa.

The problem was that I have been using Sesame as my semweb toolkit, and there is currently was no RDFa parser for it. Luckily I found out that Damian Steer (aka. Shellac) had written a SAX bases rdfa parser for the HP Jena toolkit, which he had put up on the java-rdfa github server. With a bit of help from Damian and the Sesame team, I adapted the code to sesame, create a git fork of the initial project, and uploaded the changes on the bblfish java-rdfa git clone. Currently all but three of the 106 tests pass without problem.

To try this out get git, Linus Torvalds' distributed version control system (read the book), and on a unix system run:

$ git clone  git://

This will download the whole history of changes of this project, so you will be able to see how I moved from Shellac's code to the Sesame rdfa parser. You can then parse Alex's home page, by running the following on the command line (thanks a lot to Sands Fish for the Maven tip in his comment to this blog):

$ mvn  exec:java -Dexec.mainClass="rdfa.parse" -Dexec.args=""

[snip output of sesame-java-rdfa compilation]

@prefix foaf: <> .
@prefix geo: <> .
@prefix rel: <> .
@prefix cert: <> .
@prefix rsa: <> .
@prefix rdfs: <> .

<> <> <> ;
        <> <> , 
                     <> .

<> rdfs:label "About"@en .

<> a foaf:Person ;
        foaf:name "Alexandre Passant"@en ;
        foaf:workplaceHomepage <> , 
                               <> ;
        foaf:schoolHomepage <> , 
                            <> ;
        foaf:topic_interest <> ,
                            <> ;
        foaf:currentProject <> , 
                <> ;
        <> """
\\nDr. Alexandre Passant is a postdoctoral researcher at the Digital Enterprise Research Institute, National University
of Ireland, Galway. His research activities focus around the Semantic Web and Social Software: in particular, how these
fields can interact with and benefit from each other in order to provide a socially-enabled machine-readable Web,
leading to new services and paradigms for end-users. Prior to joining DERI, he was a PhD student at Université 
Paris-Sorbonne and carried out applied research work on \\"Semantic Web technologies for Enterprise 2.0\\" at
Electricité De France. He is the co-author of SIOC, a model to represent the activities of online communities on the
Semantic Web, the author of MOAT, a framework to let people tag their content using Semantic Web technologies, and
is also involved in various related applications as well as standardization activities.\\n"""@en ;
        foaf:based_near <> ;
        geo:locatedIn <> ;
        rel:spouseOf <> ;
        foaf:holdsAccount <> ,
                          <> ,
                          <> , 
                          <> , 
                          <> .

<> a rsa:RSAPublicKey ;
        cert:identity <> .

_:node14efunnjjx1 cert:decimal "65537"@en .

<> rsa:public_exponent _:node14efunnjjx1 .

_:node14efunnjjx2 cert:hex "8af4cb6d6ec004bd28c08d37f63301a3e63ddfb812475c679cf073c4dc7328bd20dadb9654d4fa588f155ca05e7ca61a6898fbace156edb650d2109ecee65e7f93a2a26b3928d3b97feeb7aa062e3767f4fadfcf169a223f4a621583a7f6fd8992f65ef1d17bc42392f2d6831993c49187e8bdba42e5e9a018328de026813a9f"@en .

<> rsa:modulus _:node14efunnjjx2 .


This graph can then be queried with SPARQL, merged with other graphs, and just as it links to other resources, those can in turn link back to it, and to elements defined therein. As a result Alexandre Passant can then use this in combination with an appropriate X509 certificate to log into foaf+ssl enabled web sites in one click, without needing to either remember a password or a URL.

Monday Aug 24, 2009

FrOSCon: the Free and Open Source Conference in Sankt Augustin, Germany

[froscon logo goes here]

At HAR2009 a couple of people put me in contact with Dries Buytaert, the creator and project lead of Drupal, the famous Open Source content management platform based on php. Dries is leading a very interesting effort aimed at integrating the semantic web stack in Drupal. So I was really happy when he responded to the introduction. He suggested we meet at FrOSCon the Free and Open Source conference located in Sankt Augustin, near Bonn, Germany. I really wanted to stay a bit longer in Amsterdam, but this was just too important an occasion to miss. So I packed up my bag Friday, and after meeting up with Dan Brickley, the co-author of the Foaf ontology who needs no introduction, I caught the last train towards Germany. This turned into a 5 hour trip with 5 changes on slow local trains as those were the only ones I could bring my bicycle onto without first packing it into a box.

[note: this blog uses html5 video tag to view ogg video files, and is best viewed with Firefox 3.5]

Going to FrOSCon turned out to be a very good idea. First of all I met Dries and introduced him quickly to foaf+ssl. It took less than 15 minutes to explain how it worked, for Dries to get himself a foaf certificate on and to try it out. If this were made easy to use on Drupal sites, it would be a great way to get some very creative people to help build some cool apps making the most out of distributed social networks...

On Sunday Dries gave a very good keynote "The secrets of building and participating in Open Source communities". Building Open Source communities is not easy, he starts off with, yet it is fundamental to any successful project. He then goes on to elaborate on 6 six themes which from his experience allow a community to thrive and grow:

  • Time: it takes time to grow a community. Open source communities are always a bit broken, like the internet: there is always something not functioning, but the whole works very well.
  • Software architecture:
    • make the code modular,
    • centralise the source code, so that people who contribute modules, and others can find the code
  • Ecosystem: allow volunteers and commercial organizations to work together. Each has something to bring to the party. Everybody has to be equal. And don't have roadmaps, as they disencourage experimentation and rigidify processes. "Trust, not money is the currency of Open Source"
  • Tools, Community Design patterns:
    • Adoption: easy registration. RSS feeds, documentation
    • Identity: profiles, avatars, buddy lists, contacts
    • Group support: issue queues, trackers, activity streams, reputation
    • Conversations: messaging, comments, forums, blogs, interest groups, planet/aggregator
    • Development: CVS/SVN/git/bzr issue queues. release management
  • Mission: Have a mission that goes beyond the project. In the case of Drupal it is democratizing online publishing. And the core values are
    • Be open to Change
    • Collaboration
    • 100% transparency
    • Agile
  • Leadership: "leadership is not management". Replace planning with coordination (see Clay Shirky's talk "Institution vs collaboration")
Coming from someone with real experience in a very successful project these words are very much worth listening to:

Just before the start of Dries' keynote you may have noticed an announcement about a change in the program. The talk on Subversion was canceled due to the inability of the speakers to attend, and it was replaced by a talk on distributed social networks. Yep! During the party the evening before I was told there could be a slot for me to give a talk on foaf+ssl the next day. So on the suggestion of Naxx, an open source grey hat security specialist I had met in Vienna, and who I was surprised to see here again, I spent the whole evening rewriting my slides for Apple Keynote. Naxx spends 3/4 of the year traveling giving talks on security and he had a few hints for me on how to improve my presentation skills. I tried to remember a few of them, and to make sure I did not wave my hands as much as I did at HAR. Here is the result "The Social Web: How to free yourself of your social networks and create a global community:

(The slides for this talk are available online here)

Please do send me some feedback on how I can improve both my talk and my presentation of it. I may have gone a bit too deeply here into technical details for example, and I should probably have added a section on the business model of distributed social networks. As the last talk of the conference there were only 40 or so attendees, but I was really thankful for the last minute opportunity given to me to present on this topic.

Naxx who helped me work on my presentation skills, gave a very interesting and worrying talk "Malware for Soho Routers: The war has begun", where he showed just how easy it is to hack into everyday home routers and turn them into zombie machines ready to launch an attack on the web. I had always thought that financial incentives would lead large telecoms to make sure that such routers were secure. Not at all it seems. Short term profit motives have led many of them to buy the cheapest machines with the worst possible software (web pages built with shell scripts!) with laughable security. Security may be on the news everyday since September 11 2001, but clearly it was always just a sham. Listen to his talk, and be very worried:

Time either to help out on a open source project for secure routers, or to invest money in a cisco one!

Finally I do have to say that the prize for best presentation (I saw) clearly has to go to Simon Wardley from Canonical, for his funny, entertaining and educational keynote "Cloud Computing". If you have been wondering what this beast is, this will really help:

Well that's it from the FrOSCon, which in german is pronounced FroshCon, "Frosch" being the german for Frog, hence the logo. It was great attending, and I have the feeling of having made a huge leap forward here on my tour.

Thursday Aug 20, 2009

Camping and Hacking at HAR2009

HAR2009 logo

On Monday 10 August evening I arrived under a light drizzle in Vierhouten in the Netherlands, after cycling the last 100km section of the 300km that I had traveled from the University of Koblenz. I just had time for a beer and a soup, as the c-base bus arrived from Berlin. Night was falling fast, and so we all got together and helped put up the large colorful tent on the edge of a still mostly empty field. The BSD camp next to us had worked out how to get some electricity and kindly let us have enough to power a lamp and a couple of laptops. So we could relax and listen to some music, as it got colder.

I travel very light weight on my bicycle for obvious reasons. So I don't carry a tent with me. Instead I go from hotel, to youth hostel, to family couch. I have not tried the Couch surfing network yet, but it's an extra option I could use. Here on the camp, in the middle of the forest, none of the options were available. So I was very grateful to Dirk Höschen for having taken a nice tent with him for me to sleep in, and also to Rasta for having given me some blankets and furs he happened to have to sleep on. The thick down coat I had carried with me from France, finally came in useful, in the cold nights that followed.

C-base tent at HAR2009
(the tent to the right was the one I slept in)

HAR (Hacking At Random) is an international technology and security conference, with a strong free software, freedom of information political leaning. I had not heard of it until I reached Berlin, but was told so much good about it from so many different people, that I was convinced to go. I was lucky to get some last minute tickets, from some friends of a friend from the Viennese Metalab who could not make it. The 2000 tickets had all been sold out a month ago. Needless to say I had largely missed the deadlines for submitting a presentation. The organisers though were interested enough in what I was presenting on Distributed Social Networks that they gave me a couple of 2 hour workshop sessions to present. The first one of them was filmed, but I am not sure where the video is yet. (I'll update this when I get a link to it.) On Saturday I was lucky to get a 10 minute slot on the Lightening Talks track. This was recorded (slides here)

(( Mhh, one learns a lot from being filmed. I was not so aware how much I gesticulate with my hands. Something I picked up in France I think, but without the french mastery...))

Given how foaf+ssl builds up on X509 and relies on existing Internet infrastructure this conference was an excellent place to come to and learn the latest on holes and limitations in these technologies. Perhaps the most relevant talk was the one given by Dan Kaminsky x509 considered harmful, which he gave while downing a bottle of excellent whiskey - as I found out while talking to him after the presentation.

In his talk Dan really beats home the importance of DNSSEC, the next version of DNS which is about to get a lot higher profile as the root DNS server moves over to it at the end of this year. The x509 problems could mostly disappear with the rollout of DNSSEC, which is good for me, because it means we can continue working on foaf+ssl. Also foaf+ssl relies a lot less on Certificate Authorities. The only place where that is important is for server authentication (which is where DNSSEC comes in). Client certificates can be self signed as far as foaf+ssl is concerned.

If there was a main theme I got from this conference, then it was clearly the importance of the deployment of DNSSEC. It may be a lot more heavy weight, and a lot more complex than what we have currently, but the problems are getting to be so big, that it is unavoidable. For a good presentation of these issues see Bert Hubert's talk, the man behind PowerDNS:

For an overview/introduction of what DNSSEC is, how it functions and what problems it solves, see Rick Van Rein's presentation Cracking Internet: the urgency of DNSSEC.

Sun Microsystems is also supporting the DNSSEC effort. In this security alert, you can read

Note 1: The above patches implement mitigation strategies within the implementation of the DNS protocol, specifically source port randomization and query ID randomization making BIND 9 more resilient to an attack. It does not, however, completely remove the possibility of exploitation of this issue.

The full resolution is for DNS Security Extensions (DNSSEC) to be implemented Internet-wide. DNS zone administrators should start signing their zones.

If your site's parent DNS zone is not signed you can register with the ISC's DNSSEC Look-aside Validation (DLV) registry at the following URL:

Further details on configuring your DNA zones for DNSSEC is available from the ISC at the following URL:

The issues addressed by these talks are not just technical, they have political implications for how we live. There were many good talks on the subject here at HAR, but my favorite, perhaps because I followed the story in France so carefully, was the one given by Jéremie Zimmermann co-founder of Quadrature du Net a French site with an English translation, that does an excellent job tracking the position of French and European politicians on issues related to web freedom. Jeremie's talk on Hacking the Law was on Sunday noon, the last day of the talk, and there were some technical problems getting the projectors to work. The best way to get it for the moment is to download it from the command line

curl -o jeremie.ogv
And view in in your favorite ogg viewer. I think the talk starts around the 20th minute.

The talks will hopefully be placed online soon in an easier to access manner.

But HAR2009 was not just about talks. It was also about meeting people, talking, exchanging ideas. Some of the best parties were organised by the Chaos Computer Club a German wide hacker's club that deals with security and political issues, and that is widely referenced by the German media, when in need of enlightenment. They had a great tent with an excellent view of a pond, and at night had excellent DJs to create just the right ambiance to meet people. Mix that together with some Tschunk a cocktail of Club-Mate - the Germanic hacker drink - and Rum, and I found it difficult to go to sleep before 4am.

On Monday morning I cycled the remaining 100km to Amsterdam, one of the most easy going, beautiful towns in Europe, where I am writing this.

Monday Aug 03, 2009

Berlin is a funky Zoo

The improbabily drive seems to have been in full swing on Saturday. After getting the second pair of keys for my new Berlin appartment and passing them to my flat mate Alex, I got on my bike and drove towards the Chaos Computer Club some 7 km away. My GPS was running out of batteries, and died completely as I reached the Jannowitzbrücke. As I looked around for directions, I recognized that I was right next to the c-base computer/culture club. So I cycled over, went in, plugged in my GPS into my laptop to recharge, and one thing leading to another got into a number of fun conversations. Amongst others I met Tobias Mathes and introduced him to secure distributed social networks which really seems to be a hit in Berlin.

I asked about how one gets to find a good party, as I had not celebrated my birthday, the date of the move in having coincided with it. There are too many options I was told. "Any party will do" I replied. Tobias invited me to come along to the Arena Sommer Safari party where his favorite DJ was playing. I had no idea what to expect, but was happy to go along as a night-club tourist.

We walked 1km and arrived at street packed full of puffed up, often shaved or crew cut men and their (sometimes fake) blond girl friends. A very unusual group for Berlin. I was told they were mostly from the northern smaller and poorer parts of Berlin. As I collected my €20 ticked we ran into aroemchen, a strong and very friendly Bavarian woman who had an electronic keyboard and a big cardboard star popping out of her backpack. She was the DJ and was herself waiting for her singer elahi. There must have been 5000 to 10000 people trying to get in. Streams of bodies pushing for the large entrance to an old brick building, beer bottles rolling on the floor, people pushing each other forward, backwards, sideways... Avoiding to step onto large muscular tough looking dudes toes. Inside was a huge space with a band playing in the distance. I did not feel like swimming through the crowd onto the packed dance floor, and was content looking at the various characters that turned up, some of them reminding me of the outrageous Backardi advertisment.

Somehow Tobias managed to end up getting a VIP pass for me and I found myself invited up to the stage floor, behind the DJ table, where we sat down after getting a large bottle of water. Tobias took out a Sony camera, and started filming the transition as DJ Aroma took the stage. From that position I was able to see the band spinning and singing 8 meters away, and the crowd dancing to the disco-punk sound released by our two Bavarian friends. I had a few beers and my head was swooning to the beat as I got up to dance to the final Berlin is a funky zoo.

The Zoo is not as bad as it used to be
It is only very funky since the 90ies
A lot of different species can be found
       come round
  stay for a while or longer
share their food and their behavior.
Try to get a little smoother
And though there's not a lot of luxury in our crew
It's ok to stay for me and you
because it's wild and funky in our Zoo
(Wild and funky in our zoo)

Berlin is a funky Zoo
Berlin is a funky Zoo
Berlin is a funky Zoo
yea Berlin \*is\*  \*a\* funky Zoo!

The teddy bears from Schöneberg
It loves to run in underwear
The beary is gay and never gray
he likes to stay the nights away

The monkeys in the Blue 8 Bar
in Herman platz which is quite far
The bar is far but not beyond
there's food around and drinks along

The drink is not beer but iron here
And TV says its weird here
But the mix is the mix, it's just the truth
Just like nature in the Zoo
Berlin is a funky Zoo
Berlin is a funky Zoo
Berlin is a funky Zoo
yea Berlin \*is\*  \*a\* funky Zoo!

Chuck is selling hemp or chicken
playing games and being tricky
Oh such lovely food here for the bear
but only with the propper gang wear

proper lease the penguin
looking like on heroin
spending weekends at the ranch
searching fish at minimal trance

you also find the panda bear
without bamboo but dancing square
in the black colcolgova 
which is not just very far

but in Kreuzberg and in Hein
another spot for hogs and swine
being naked like the fish
the old sweaty berlinish

Berlin is a funky Zoo
Berlin is a funky Zoo
Berlin is a funky Zoo
yea Berlin \*is\*  \*a\* funky Zoo!

The bearfoot ? is in the park
Dancing somedays till it's dark
No one watching and the groups
perfect playground lovely fos (?)

The bear lives in this funky zoo
just at times its like a loo
At other times it's cool and fresh
It's seduction and its fresh

the bear is heavy ego-tying(?)
living in this crazy shrine
He loves to dance just like you
cause Berlin is a funky zoo

Berlin is a funky Zoo
Berlin is a funky Zoo
Berlin is a funky Zoo
yea Berlin \*is\*  \*a\* funky Zoo!

Next thing I was watching the sun rise over Berlin.

Saturday Jul 25, 2009

Saving Face: The Privacy Architecture of Facebook

In his very interesting thesis draft Saving Face: The Privacy Architecture of Facebook, Chris Peterson, describes through a number of real life stories some very subtle and interesting issues concerning privacy and context that arose during the rapid evolution of the now 250 million member social network.

Perhaps the most revealing of these stories is that of Junior High School student Rachel who broadcast the following distress status message my grandmother just friend requested me. no Facebook, you have gone too far! Chris Peterson develops: Rachel and her grandmother are close. She trusts her grandmother. She confides in her grandmother. She tells her grandmother "private" things. She is certainly closer to her grandmother than many of her Facebook Friends. So what's the big deal? Rachel explains:

Facebook started off as basically an online directory of COLLEGE STUDENTS. I couldn't wait until I had my college email so that I could set up an account of my own, since no other emails would give you access to the site. Now, that was great. One could [meet] classmates online or stay in touch with high school mates [but it] has become a place, no longer for college students, but for anyone. [About] five days ago, the worst possible Facebook scenario occurred, so bizarre that it hadn't even crossed my mind as possible. MY GRANDMOTHER!? How did she get onto facebook?...As my mouse hovered between the accept and decline button, images flashed through my mind of sweet Grandma [seeing] me drinking from an ice luge, tossing ping pong balls into solo cups full of beer, and countless pictures of drunken laughter, eyes half closed. Disgraceful, I know, but these are good memories to me. To her, the picture of my perfectly angelic self, studying hard away at school, would be shattered forever.

The paper is full of legally much more serious stories, but this one is especially revealing as it makes apparent how the flat friendship relation on Facebook does not take into account the context of the relationship. Not all frienships are equal. Most people have only very few friends they can tell everything to. And most often one tells very different stories to different groups of friends. In the physical world we intuitively understand how to behave in different contexts. One behaves one way in church, another in the bar, and yet another way in front of one's teachers, or parents. The context in real life is set by the architecture of the space we are in (something Peter Sloterdijk develops at length in his philosophical trilogy Spheres). The space in which we are speaking and the distance others have to us guides us in what we should say, and how loud we can say it. On Facebook all your friends get to see everything you say.

It turns out that it is possible to create an equivalent contextual space on Facebook using a little know and recently added feature, which allows one to build groups of friends and specify access control policies on posts per group. Chris shows clearly that this by itself is not enough: it requires a much more thorough embedding in the User Interface so that the intuitive feel one has in real life for who hears what and to whom one is speaking is available with the same clarity in the digital space. In the later part of the thesis Chris explores what such a User Interface would need to do to enable a similarly intuitive notion of space to be available.

Applications to the Social Web

One serious element of the privacy architecture of Facebook (and other similar social networks) not covered by this thesis, yet that has a very serious impact in a very large number of domains, is the constant presence of a third party in the room: Facebook itself. Whatever you say on these Social Networks, is visible not only to your group of friends, but also to Facebook itself, and indirectly to its advertisers. Communicating in Facebook puts one then in a similar frame of mind to what people in the middle ages would have been in, when mankind was under the constant, omnipotent and omniscient presence of God who could read every thought, even the most personal. Except that this God is incorporated and has a stock market value fluctuating daily.

For those who wish to escape such an omni-presence yet reap the benefits of online electronic communication, the only solution lies in the development of distributed secure social networks, of a Social Web where every body could own what they say and control who sees it. It turns out that this is possible with semantic web technologies such as foaf and access control mechanisms based on ssl.

One very positive element I take from this thesis is that the minimal technical building blocks for reconstituting a sense of context is the notion of a group and access control of resources. In a the Social Web we should be able to reconstitute this using the foaf:Group class and foaf+ssl for access control. On this basis Chris Peterson's user interface suggestions should be applicable in a distributed social network.

All in all then I found this thesis to be very rewarding and a very interesting read. I recommend it to all people interested in the Social Web.

Friday Jul 24, 2009

How to write a simple foaf+ssl authentication servlet

After having set up a web server so that it listens to an https socket that accepts certificates signed by any Certification Authority (CA) (see the Tomcat post), we can write a servlet that uses these retrieved certificates to authenticate the user. I will detail one simple way of doing this here.

Retrieving the certificate from the servlet

In Tomcat compatible servlets it is possible to retrieve the certificates used in a connection with the following code:

protected void doGet(HttpServletRequest request, HttpServletResponse response)
             throws ServletException, IOException {
       X509Certificate[] certificates = (X509Certificate[]) request

Verifying the WebId

This can be done very easily by using a class such as DereferencingFoafSslVerifier (see source), available as a maven project from so(m)mer repository (in the foafssl/ directory).

Use it like this:

  Collection<? extends FoafSslPrincipal> verifiedWebIDs = null;

  try {
     FoafSslVerifier FOAF_SSL_VERIFIER = new DereferencingFoafSslVerifier();
     verifiedWebIDs = FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate);
  } catch (Exception e) {
     redirect(response,...); //redirect appropriately

If the certificate is authenticated by the WebId, you will then end up with a collection of FoafSslPrincipals, which can be used for as an identifier for the user who just logged in. Otherwise you should redirect the user to a page enabling him to login with either OpenId, or the usual username/password pair, or point him to a page such as this one where he can get a foaf+ssl certificate.

For a complete example application that uses this code, have a look at the Identity Provider Servlet, which is running at (note this servlet was trying to create a workaround for an iPhone bug. Ignore that code for the moment).


The current library is too simple and has a few gaping usability holes. Some of the most evident are:

  • No support for rdfa or turtle formats.
  • The Sesame RDF framework/database should be run as a service, so that it can be queried directly by the servlet. Currently the data gathered by the foaf file is lost as soon as the FOAF_SSL_VERIFIER.verifyFoafSslCertificate(foafSslCertificate); method returns. This is ok for a Identity Provider Servlet, but not for most other servers. A Java/RDF mapper such as the So(m)mer mapper would then make it easy for Java programmers to use the information in the database to personalize the site with the information given by the foaf file.
  • develop an access control library that makes it easy to specify which resources can be accessed by which groups of users, specified declaratively. It would be useful for example to be able to specify that a number of resources can be accessed by friends of someone, or friends of friends of someone, or family members, ....

But this is good enough to get going. If you have suggestions on the best way to architect some of these improvements so that we have a more flexible and powerful library, please contact me. I welcome all contributions. :-)

Thursday Jul 23, 2009

How to setup Tomcat as a foaf+ssl server

foaf+ssl is a standards based protocol enabling one click identification/authentication to web sites, without requiring the user to enter either a username or a password. It can be used as a global distributed access control mechanism. It works with current browsers. It is RESTful, thereby working with Linked Data and especially linked foaf files, enabling thereby distributed social networks.

I will show here what is needed to get foaf+ssl working for Tomcat 6x. The general principles are documented on the Tomcat ssl howto page, which should be used for detailed reference. Here I will document the precise setup needed for foaf+ssl. If you want to play with this protocol quickly without bothering with this procedure I recommend using the foaf+ssl Identity Provider service which you can point to on your web pages, and which will then redirect your users to the service of your choosing with the URLEncoded WebId of your visitor.

foaf+ssl works by having the server request a client certificate on an https connection. The server therefore needs an https end point which can be specified in Tomcat by adding the following connector to the conf/server.xml file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="50" scheme="https" secure="true"
Note: the default https port is 443, but it requires root privileges.

Servers authentify themselves by sending the client a certificate signed by a well known Certificate Authority (CA) whose public key is shipped in all browsers. Browsers use the public key to verify the signature sent by the server. If the server sends a certificate that is not signed by one of these CAs (perhaps it is self signed) then the web browser will usually display some pretty ugly error message, warning the user to stay clear of that site, with some complex way of bypassing the warning, which if the user is courageous and knowledgeable enough will allow him to add the certificate to a list of trusted certs. This warning will put most people off. It is best therefore to buy a CA certified cert.(I found one for €15 at trustico.) Usually the CA's will have very detailed instructions for installing the cert for a wide range of servers. In the case of Tomcat you will end up with the following addition property values:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="50" scheme="https" secure="true"
               keystoreType="JKS" keystorePass="changeme" 

And of course this requires placing the server cert file at the keystoreFile path.

There are usually two ways for the server to respond to the client not sending a (valid) certificate. Either it can simply fail, or it can allow the server app to decide what to do. Automatic failure is not a good option, especially for a login service, as the user will then be confronted with a blank page. Much better is to allow the server to redirect the user to another page explaining how to get a certificate and giving him the option of authentication using OpenId or simply the well known username/password pattern. To enable Tomcat to respond this way you need to add the clientAuth="want" attribute value pair:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="50" scheme="https" secure="true"
               keystoreType="JKS" keystorePass="changeme" 
           sslProtocol="TLS" clientAuth="want" />

Most Java Web Servers on receiving a client certificate, attempt to automatically validate it, by verifying that it is correctly signed by one of the CA's shipped with the Java Runtime Environment (JRE), verifying that the cert is still valid, ... As the SSL library that ships with the JRE does not implement foaf+ssl we will need to do the authentication at the application layer. We therefore need to bypass the SSL Implementation. To do this Bruno Harbulot put together the JSSLUtils library available on Google Code. As mentioned in the JSSLUtils Tomcat documentation page this will require you to place two jars in the Tomcat lib directory: jsslutils-0.5.1.jar and jsslutils-extra-apachetomcat6-0.5.2.jar (the version numbers may differ as the library evolves). You will also need to specify the SSLImplementation in the conf file as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="50" scheme="https" secure="true"
               keystoreType="JKS" keystorePass="changeme" 
           sslProtocol="TLS" clientAuth="want" />

Usually servers send in the request to the client a list of Distinguished Names of certificates authorities (CA) they trust, so that the client can filter from the certificates available in the browser those that match. Getting client certificates signed by CA's is a complex and expensive procedure, which in part explains why requesting client certificates is very rarely used: very few people have certificates signed by well known CAs. Instead those services that rely on client certificate tend to sign those certificates themselves, becoming their own CA. This means that certificates end up being valid for only one domain. foaf+ssl bypasses this problem by accepting certificates signed by any CA, going so far as to allow even self signed certs. The server must therefore send an empty list of CAs meaning that the browser can send any certificate (TLS 1.1). With the JSSLutils library available to Tomcat, this is specified in the conf/server.xml file with the acceptAnyCert=true attribute.

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="50" scheme="https" secure="true"
               keystoreType="JKS" keystorePass="changeme" 
           acceptAnyCert="true" sslProtocol="TLS" clientAuth="want" />

At this point you have set up your Apache Server correctly. A user that arrives at your SSL endpoint and that has a couple of certificates will be asked to choose between them. Your client code can the extract the certificate with the following code:

       X509Certificate[] certificates = (X509Certificate[]) request

You can use these certificates then to extract the WebId, and verify the SSL certificates. I will write more about how to do this in my next blog post.

Monday Jul 20, 2009

two months of foaf+ssl talks

For the past one and a half months I have been traveling through Europe giving talks on foaf+ssl, the RESTful authentication protocol for the Social Web. Here is a short summary of where I have been.

18 May 2009, Salzburg Research
On my way cycling from Fontainebleau to Vienna, I stopped by in Salzburg, Austria, where the offices of the organisers of the EU sponsored KIWI (Knowledge in a Wiki) project, which Sun is participating in, are located. I introduced the group there to foaf+ssl, and they are now working on an implementation for their award winning semantic wiki.
20 May 2009, Semantic Web Company
Right after arriving in Vienna, I met up with Andreas Blumauer, editor of the recently published Springer Book "Social Semantic Web". Hopefully my presentation will make its way in some form or another into the next edition :-). Andreas also gave me an overview of the powerful yet easy to use thesaurus management system named Pool Party, they are developing.
1 June 2009, European Semantic Web Conference, Heraklion
Ian Jacobi who had come to Crete for the occasion, helped me present the paper FOAF+SSL: RESTful Authentication for the Social Web in the SPOT track. The other papers presented in that track all fitted together very well, giving a very good overview of the topics that need to be covered in this space. I will be rereading them soon. The ESWC conference was also a great opportunity to do a number of quick one to one presentations by demoing it working on the iPhone. ( Sadly the latest OS release broke the SSL stack, making my iPhone so much less useful )
18 June, Vienna University of Technology
In Crete I met Christoph Grün who helped organize a slot to present at the Institute of Software Technology & Interactive Systems. Christoph is working on Online Tourism web services, which would be a great use case for foaf+ssl. Imagine a group of people deciding to organize an outing on a tourism wiki site, where all members of the group would get access to that outing after a simple drag and drop of a foaf:Group URL onto the outing project console.... No account setup required.
23 June, Metalab Hacker's Club, Vienna
While in Vienna I gave a presentation at the Metalab, an open meeting space for hackers of all walks of life. As it happened a journalist from the well known French newspaper "Le Monde" happened to be present and wrote up an article "Les nouvelles tribus du Net" (now paying) on the lab, mentioning my presentation en passant.
2-3 July, Sun Microsystems Kiwi Meeting, Prague
The Kiwi group met in Prague for a couple of days to synchronize their work. After having won the best semantic web application prize at the European Semantic Web Conference in Crete, the mood was very positive. This was a good place to introduce the rest of the group to the potential of foaf+ssl, which is currently being implemented in Kiwi by Stefanie Stroka.
13 July, University of Leipzig
I spent a whole day with the excellent Agile Knowledge Engineering and Semantic Web team at the University of Leipzig. After an update on their latest work with DBPedia, Ontowiki, xOperator, ... I presented foaf+ssl. After lunch we then spent the afternoon on a very helpful hands on session. There are still enough rough edges in the different implementations of foaf+ssl that a bit of guidance can save a lot of time. End result, a few days later Sebastian Dietzold notified me that Philipp Frischmuth had written a first implementation available publicly at During our session we also discovered a bug on, which was soon fixed.
15 July, University of Potsdam
Hagen organised a very well attended meeting at the University of Potsdam. The questions following the talk were very good, and showed a large interest. Sadly we did not have time for a hands on session, as my next meeting was just a few hours later. Hands on sessions are still very important, as they help turn a talk into an experience. It helps a lot that Melvin Carvalho enhanced to make it very easy to create both a foaf file and a linked certificate, so with time these hands on sessions should be easier and shorter to do.
15 July, New Thinking Store, Berlin
I finished the day with a presentation at the New Thinking Store in Berlin, organized by Martin Schmidt. This was an opportunity again to present to Web 2.0 and more directly practical people.

Friday Jun 19, 2009

Nobody is responsible

Peter Sloterdijk animates a program on the major German Television Station ZDF, entitled the Philosophical Quartet. The latest program of his, which could be translated as Risk and Responsibility: the art of being Nobody is very much worth watching (if you speak german). Sloterdijk starts off the program by reminding us of the ancient story of Ulysses and the Cyclops. In order to free himself from the blood thirsty monster, Ulysses boldly plunged a red hot stake into the sleeping monsters only eye who screaming in pain and rage asked who it was who had done that. Ulyses answered that his name was "Nobody". As the cyclops friends then arrived alerted by the screams of their fellow, and asked him who had done this deed to him, that they could avenge him, they received the answer Nobody. Thinking therefore that the Gods had done that to him, and that he was thus responsible for his deeds, they left him to die in his pain.

This story is used as a spring board by the quartet - the 2 philosohpers and 2 guests: Beatrice Weder Di Mauro swiss economist member of the German 5 wise men board of economic affairs, and novelist Bodo Kirchhoff - to look into the question that nobody seems to be to blame, or accepts the blame, for the massive financial meltdown that saw more money evaporate in a year than all the biggest robberies of all time piled one next to the other over the whole course of humanities history. Clearly something went wrong. Something needs to change, some things need to stop, some to die... The point is well made that the bankers that gave themselves such huge salaries on account that they were responsible for the huge benefits they made, seem to have lost all sense of responsibilty in the crisis. What then is it that needs changing? What criteria should be set in to avoid such errors in the future? One proposal - perhaps a very harsh one for all attempts at mergers - is that you should never allow a system to grow to such a level that it cannot fail, or better: never allow a system to grow so that when it is time to ask for responsibility for a crisis, the only answer can be Nobody.

Peter Sloterdijk, radical cure to twitter

Do you feel like you are in a binary discussion on some topic, that goes back and forth with no apparent progress? Do you feel you have gotten so involved in a micro topic, that you feel that you may be missing the big picture? Is perhaps the phantasy of such a big picture you have taken as your background, itself the cause of the problem you are dealing with? Do you find yourself preaching that God is dead, or not? Are you preaching? Why?

Peter Sloterdijk, one of the most famous contemporary German philosopher, is known to write very large books that span over all domains of human activity from philosophy to history, to technology, aesthetics, biology, religion and economics, in a passionate, often humorous, sometimes jolting way, linking these in a fluid narrative that flows healthily through the barriers of all academic disciplines. Sloterdijk diffuses dualisms through fluid depth of analysis, carefully linking both sides of a debate in such a way that they can be seen to be part of the same surface reflecting a third party that had not yet been seen, the real topic of the discussion perhaps, of which he goes on to draw the history and evolution.

So in his latest book "Du mußt dein Leben ändern" ("You must change your life"), which I have nearly finished reading here in Vienna, Sloterdijk starts off with the a beautiful poem by Rilke of the same title (english translation with german original here ) where Rilke describes what could be called a religious call for transformation whilst looking at an ancient Greek stone torso of Apollo he had come across in the Louvre museum in Paris. The undeniable reality of this upward sentiment of transformation, is what Sloterdijk then goes on to describe the history of throughout his book, linking it to the exercises that Olympic athletes of our times to always further push back the boundaries of what humanity is capable of, which he then traces back to the budhist philosophers and their spiritual exercises, the ancient greek schools of thought, and the exercises the early Christians followed to break through the barriers of death, by for example entering the Roman circus' to be devoured calmly by Lions. This pursuit of transcendental improvement can then be found to have moved from the monasteries of the middle ages into the artisans workshops where the practices of meditation were put to use in the building of the Protestant work ethic...

For those who speak German here is a very interesting interview of him in October of last year on a Swiss television channel talking about the financial meltdown that occurred.

(Thanks to Michael Zeltner for the link on his very interesting blog. More parts here).

And here, for the French speaking of you here is an interview with Elisabeth Levy where they discuss modern media, rumours, and more.

For english speakers here is a talk on Reality Peter Sloterdijk gave a last year before the opening of the large swiss nuclear collider, which I think made the news. (The sounds is not very good, but the points he makes are serious and funny simultaneously):

Thursday Jun 11, 2009

The foaf+ssl world tour

As you can see from the map here I have been cycling from Fontainebleau to Vienna (covering close to 1000km of road), and now around Cyprus in my spare time. On different occasions along my journey I had the occasion to present foaf+ssl and combine it with a hands on session, where members of the audience were encouraged to create their own foaf file and certificates, and also start looking into what it takes to develop foaf+ssl enabled services. This seems like a very good way to proceed: it helps people get some hands on experience which they can then hopefully pass on to others, it helps me prioritize what need to be done next, and should also lead to the development of foaf+ssl services that will increase the network value of the community, creating I hope a viral effect.

I started this cycle tour in order to loose some weight. I still have 10kg to loose or so, which at the rate of 3kg per 1000km will require me to cycle another 3000km. So that should enable me to visit quite a few places yet. I will be flying back to Vienna where I will stay 10 days or so, after which I will cycle to Prague for a Kiwi meeting on the 3rd of July. After that I could cycle on to Berlin. But really it's up to you to decide. If you know a good hacker group that I can present to and cycle to, let me know, and I'll see how I can fit it into my timetable. So please get in contact! :-)

Friday May 29, 2009

Link Roundup for Friday 29 May 2009

Linked Data is getting a lot of press:

On a the Social Web front:

There is a new project called Interactive Knowledge Stack (IKS), which is a Semantics Based Open Source platform for Small to Medium CMS Providers.

Thursday May 21, 2009

Identity in the Age of Cloud Computing

The Aspen Institute published a 90 page round table report in April entitled "Identity in the Age of Cloud Computing: The next-generation Internet's impact on business, governance and social interaction" under a generous Creative Commons License. I read the freely available pdf over the last week with interest, as it covers a lot of the topics I am talking on this blog, and gives a good introduction into cloud computing (of which I have not yet written).

The paper is a report by J.D. Lasica of a round table discussion with a number of very experienced people that occurred just before the 2008 presidential election. It included people such as Rod Beckstrom, Director of the National Cyber Security Center of the United States Department of Homeland Security, David Kirkpatrick Senior Editor of Internet and Technology at Forune Magazine, Professor Paul M Romer of Stanford University, known for his work on New Growth Theory, Hal Varian, chief ecoomist at Google, and many more...

The discussion around the table must have been very stimulating. Here is my take on the paper.


Identity turned out to be the core of the discussion. The abstract summarized this best:

Throughout the sessions personal identity arose as a significant issue. Get it right and many services are enabled and enhanced. The group tended to agree that a user-centric open identity network system is the right approach at this point. It could give everyone the opportunity to manage their own identity, customize it for particular purposes, (i.e., give only so much information to an outsider as is necessary for them to transact with you in the way you need), and make it scalable across the Net. Other ways of looking at it include scaling the social web by allowing the individual to have identity as a kind of service rather than, as Lasica writes, "something done to you by outside interests."

The Cloud

The cloud is a way to abstract everything in the connected web space. It is the way the user thinks of the net. It is nebulous. Where information and services are is not important. This is the experience people have when they read their mail on gmail. They can read their mail from their computer, or from their cell phone, or from their hotel, or from their friends computer. The mail and the web, and their flickr photos, and their delicious bookmarks are all there.

The cloud from the developer's point of view is very similar. He buys computing power or storage on Amazon, Google, GoGrid or the upcoming Sun Cloud. Where exactly the computer is located is not important. If demand for the service he develops grows, he can increase the number of machines to serve that demand. This of course is a great way to quickly and lightly get startups going - no need to get huge financing for a very large number of servers to deal with a hypothetical peak load.

The Social Networks on the cloud also allow people to link up and form virtual and short lived organizations for a task at hand. This again reduces costs enabling the companies to get started for very little money, very quickly, try out an idea. The paper does not say this: venture capital is no longer needed -- good thing too, as it has been serverely reduced by the current recession.

The Cloud and Identity

The cloud is the abstraction where the physical location of things becomes unimportant. What operating systems run the software we use, what computers they run on, where these computers are, all that is abstracted away, virtualized into a puff of smoke.

What is of course still needed is a way to name things and locate them in the cloud. What is needed is a global namespace, and global identifiers. These are indeed known as a Universal Resource Locator (URL). Since everything else is abstracted away, URLs are the only consistent abstraction left to identify resources.

It is therefore just one small step for the panelists to agree that something like foaf+ssl is the solution to identity on the cloud. It is user centric, distributed, permits global social networks, and allows for people to have multiple personalities... Foaf+ssl provides exactly what the panelists are looking for:

open identity would provide the foundation for people to invent and discover a new generation of social signals, advice services, affinity groups, organizations and eventually institutions. Because the identity layer is grounded on the principles of openness and equality, anyone would be able to create social networks, tagging systems, repu- tation systems or identity authentication systems.

Wednesday May 20, 2009

You are a Terrorist!

Every country in Europe seems to be on the verge of introducing extremely powerful legislation for state monitoring of the internet, bringing us a lot closer to the dystopia described in George Orwell's novel Nineteen Eighty Four. Under the guise of laws to help combat terrorism or pedophilia - emotional subjects that immediately get everybody's unthinking assent - massive powers are to be given to the state, which could very easily be misused. As internauts we all need to make it our duty to follow very closely these debates, and participate actively in them, if we do not want to find ourselves waking up one morning in a world that is the exact opposite of what we have been dreaming of.


In Germany a new Data Retention law passed already it seems in 2008, allows the state (quote)

to trace who has contacted whom via telephone, mobile phone or e-mail for a period of six months. In the case of mobile calls or text messages via mobile phone, the user's location is also logged. Anonymising services will be prohibited as of 2009.

To increase awareness of this law Alexander Lehmann put together this excellent presentation, with English subtitles, Du bist Terrorist!:

Du bist Terrorist (You are a Terrorist) english subtitles from lexela on Vimeo.


The passage of the hadopi law in France, will create a strong incentive for citizens to place state built snooper software on each their computers in order to make it possible to defend themselves against accusations of copyright infringement. But that is nothing compared to the incredibly broad powers the state wishes to give itself with Loppsi 2 law (detailed article in Le Monde, and Ars Technica) which would give the president the power to insert spyware onto users computers (which could record anything being done of course), create a very large database of people's activities, help link information from various databases, and much more... The recent case of the sacking of the web site director of the once national, now private, TF1 television channel for having communicated his doubts on Hadopi privately to his Member of Parliament - as reported on Slashdot recently - does not give one much faith in the way privacy is being handled currently by the government.

The United Kingdom

In the UK the Home Secretary Jaqui Smith had proposed to create a database dubbed Big Brother to log every single activity of every one of it's citizens - in order of course to root out the very 21 century crimes of pedophilia and terrorism (did the IRA not operate before the internet? Are pedophile rings something that only emerged with the internet, or is it that they just became more visible?). She had to pull back somewhat from the initial proposal, and now wishes all that information still to be tracked, but only to be kept on the service provider's databases as reported by the Daily Mail, The Telegraph, The Independent...


So are we now all suspected terrorists, pornographers, pedophiles, murderers, subversives, ... that the governments must know all about us? We may have voted for the current government and have complete faith in their use of these tools. But what when the opposition comes in, and takes hold of those same powers? Will we be as comfortable then? The excellent 2006 film The Lives of Others shows just how intrusive the East German state was on its own citizens during the cold war - and that with the very limited tools they had available. With modern computing tools, that type of spy operation could be done at much much lower cost and so perhaps even be viable for the state.

If you feel things just can't go this wrong, then I would also recommend watching Julie Taymor's adaptation of Shakespear's Titus Andronicus. It really is important to realize that things can go badly, very very badly wrong. Ignoring a problem, not taking responsibilities in fighting them will lead to disaster, as the current economic crisis - predicted years before it occurred, but without any action being taken - should have amply proven by now. Sadly for people who predict danger, if people do act on the danger and avoid it, nobody may even notice how close to danger they really were. So our actions may remain unsung. But at least we may put some chances on our side not to wake up in a new form of dictatorship, worse than any ever dreamed of by our those who helped forge our democracies.

Thursday May 14, 2009

FOAF+SSL: RESTful Authentication for the Social Web

The European Semantic Web Conference (ESWC) will be held in Heraklion on the Island of Crete in Greece from 31 May to 4 June. I will be presenting the paper "FOAF+SSL: RESTful Authentication for the Social Web" which I co-authored with Bruno Harbulot, Ian Jacobi and Mike Jones. Here is the abstract:

We describe a simple protocol for RESTful authentication, using widely deployed technologies such as HTTP, SSL/TLS and Semantic Web vocabularies. This protocol can be used for one-click sign-on to web sites using existing browsers — requiring the user to enter neither an identifier nor a password. Upon this, distributed, open yet secure social networks and applications can be built. After summarizing each of these technologies and how they come together in FOAF+SSL, we describe declaratively the reasoning of a server in its authentication decision. Finally, we compare this protocol to others in the same space.

The paper was accepted by the Trust and Privacy on the Social and Semantic Web track of the ESWC. There are quite a number of interesting papers there.

I have never been to Greece, so I have a feeling I will really enjoy this trip. Hope to see many of you there.

Tuesday May 12, 2009

Some Feedback on the Garmin Edge 705 cycle GPS

Garmin Edge 705 GPS

After close to 500km of cycling with my new Garmin Edge 705 I think I have enough experience to be able to bring the community some valuable feedback on this device.

Improvements since previous model

Compared to my old Garmin Etrex Legend, which I blogged about in July 2005, the Edge is a huge improvement.

  • The old Etrex had a ridiculous limitation of 24MB of memory, which was ok for loading up maps for a circumference of 100km of your neighborhood, but not enough for cycling long distance across Europe. The Edge 705 can take 2GB extension memory cards and is able to load the road maps of all of Europe. That is great: It means I don't have to carry a computer everywhere I go - even though I do currently - and I don't have to load up maps onto the Edge once every day.
  • The price has fallen dramatically. The GPS + the maps of Europe came to €400, half the price nearly of the previous model.
  • The Edge can better calculate cycle roads. I noticed this last Friday when having carefully used my laptop to draw out the road from Troyes to my destination I found myself on a two way road which would have been very pleasant had it not been for the 20 ton trucks passing me every minute in both directions. I stopped, asked the Edge 705 to calculte the road free of any of my interferences, and it immediately found a little dirt track to get me off that road (even though I had specified that I'd rather wish to avoid dirt tracks). The dirt track punctured my tire, which I found then was in a pretty bad state anyway. But rather have the tire punctured, than my head...
  • The Edge 705 comes with a heart rate monitor
  • It knows the elevation one is at, and the rate at which one is climbing
  • It can calculate the calories spent: it added no calories when I was zooming downhill without pedaling

Compared to Cell Phones

Before buying my Etrex I had inquired into whether a cell phone could have done the job. I did the same this time, and I have to say that it very nearly did. I found quite a number of iPhone add ons for cycling (listed on my delicious account) and I think for something close to the same price as the Garmin Edge, I could have put something together. It would have required

  • an extra battery pack (or two) to extend the battery life (perhaps Mophie's Juice pack Air
  • a cycle mount (such as this one perhaps)
  • some protection against rain. The Otterbox iPhone armor series would have been nice, but is no longer produced it seems. But perhaps Mophie's juice back with a waterproof bag would have been enough.
  • a heart monitor which is really important when out for some serious exercise. such as smhearlink perhaps?
  • Some turn by turn navigation software. Google Maps is really amazingly good, much better and faster than Garmin's software available on PCs amazingly enough. It has a pedestrian and a car mode, but not a cycle mode which is a pity. Still this would need to be tied up with the heart rate monitor, some visualization tool to tell you how fast you are going, some way of giving you directions, etc... This may come with a release of the next version of the iPhone, and I have seen some impressive demos of software called xGPS that provides turns by turn navigation on a jail broken iPhone.

All of this was perilously close to being possible. With a bit of energy I could have gotten all of this to work. What stopped me, was the data costs in Europe. I was going to leave France, go to Germany, Austria, the Czech republic, and Greece at the very least. And of course as soon as you leave your country of origin, data rates are simply not affordable: 9€ a Mega Byte. So that was clearly not an option. So the Garmin by allowing me to carry all the maps on the device and not requiring any internet connection is just the only solution for the international cyclist.

The bad

The Garmin software is also meant to work on OSX now, which it did not a few years ago. But it still does not work very well. I expressed my annoyance publicly after spending 8 hours trying to install the maps on the 2GB SIM card, and failing to. I had to do it from Windows in the end. That is a very very bad initial experience. It was a sunny day, and instead of being out on the road, I spent it trying to install and re-install software. I very nearly gave it all back there and then.

The Garmin software for OSX and PCs is dead slow. Google whose servers are on the other side of the world, has much faster responses. My feeling is that Garmin, being an MS-DOS company, does everything through disk access, because I could swear that it is not much faster on my dual 2.33Ghz Intel than it was on my 1.3Ghz Power Book.

Also the Garmin software does not have a cycle route calculation mode. It is only designed for cars. So you can't really sit down on your PC and calculate your route in advance there, because it won't be the same as what your GPS comes up with.

The cycle calculation mode on the Edge could do with a lot of improvements:

  • Cycles are not cars. You can do a U-turn on a bicycle in an instant - you don't have to find the next intersection to make a turn. If on a cycle I don't turn after being warned, it is probably because I don't want to turn.
  • In Germany and Austria, I noticed that Garmin does not seem to have such a good idea of where the cycle paths are. It would be really helpful to the GPS to know those.
  • The Garmin path calculation algorithm is very slow. I think it recalculates the whole route whenever one makes a wrong turn. It should really just make a quick adaptation, and find the shortest smallest change required to stay on the same route.
  • I am just about to check, but one very important list of shops the Garmin Edge should have are the cycle shops.


The Garmin Edge holds a good advantage over the onslaught of cell phone options, but if I were them I'd be watching the cell phones very carefully. They are not at all far from being able to offer some very decent, or equivalent solutions. (How far that is depends on your ideas of how quickly roaming rates will fall in Europe)




« July 2016