21 Dec 2014

Planet Identity

Julian Bond: Following on from the list of 2014 lists.

I wouldn't have found these without the best of year lists and it turns out they're really rather good.
* Grouper - Ruins
* HTRK - Psychic 95 Club
* Toumani Diabate & Sidiki Diabate - Toumani & Sidiki
* Tinariwen - Emmaar
* Moodymann - Moodymann
* Kangding Ray - Solens Arc
* Gazelle Twin - UnFlesh

Music you owe it to yourself to investigate and you may not have heard of, yet.
* Al Dobson Jr. - Rye Lane Vol 1
* Throwing Snow - Mosaic
* Grumbling Fur - Preternaturals
And as far as I can tell, pretty much anything on the Mood Hut and 1080p labels. Especially Jack J.

Most over-rated (according to me). Mostly because they're SO PAINFUL to listen to.
* Scott Walker / Sunn O))) - Soused
* SD Laika - That's Harakiri
* Arca - Xen
* Fatima Al Qadiri - Asiatisch. Nice idea but it just turned out a bit boring.

Best reviewing technique for when you need to be told what to think about all this stuff.
* TinyMixTapes. For instance, read the Beyonce review here.

Best musical comment on the SNP.
* King Creosote - From Scotland With Love

Music Genre that most needs to be clubbed to death and then cleansed with fire.
* PC Music and that whole QT, Sophie, electroclash, alt lit, happy hardcore, Eskibeat, K-pop, J-Pop, 8-bit thing. Seriously, it's horrible. How did that happen?
[from: Google+ Posts]

21 Dec 2014 12:19pm GMT

Julian Bond: The best list of the best lists of the best music of 2014,

- Dazed and Confused http://www.dazeddigital.com/best-of-2014
- DiS http://drownedinsound.com/lists/bestof2014
- DJ Broadcast http://www.djbroadcast.net/features/featureitem_id=433/Top_100_Albums_of_2014_100__71.html
- Dummy http://www.dummymag.com/lists
- Electronic Beats http://www.electronicbeats.net/en/features/columns/audiocccult/audioccult-vol-30-the-shriek-of-2014/
- Fact Magazine http://www.factmag.com/category/endofyear/
- Fader http://www.thefader.com/2014/12/09/best-tracks-of-2014
- Gottwood festival (??) http://www.gottwood.co.uk/top-albums-of-2014/
- HypeM http://hypem.com/zeitgeist/2014/
Best albums for specific moods.
- Juno http://www.junodownload.com/plus/2014/12/05/best-of-2014-top-30-albums/
- Pitchfork http://pitchfork.com/features/staff-lists/
- Paste http://www.pastemagazine.com/blogs/lists/2014/12/the-50-best-albums-of-2014.html
- RA http://www.residentadvisor.net/feature.aspx?2328
- Rob Booth https://www.facebook.com/photo.php?fbid=10152594669375095&set=a.10150577837775095.373247.626640094&type=1
- TinyMixTapes http://www.tinymixtapes.com/features/2014-favorite-50-songs-of-2014
- TheQuietus http://thequietus.com/articles/16739-albums-of-the-year-2014
Obviously pretentious, or pretentiously obvious?
- The Wire (Maybe next month) http://www.thewire.co.uk/issues/charts/
- Thump/Vice http://thump.vice.com/words/the-50-best-albums-of-2014-50-41
- Vinyl Factory http://www.thevinylfactory.com/vinyl-factory-releases/the-top-100-vinyl-releases-of-2014/11/
- WeekID http://theweekid.com/category/selected/best-of-lists/
- XLR8R http://www.xlr8r.com/tags/best-2014

Now we need: "Best music released in 2014 after the 2014 lists had gone to press." We also badly need "Most over-rated of 2014".

And purely in the interests of cultural research and shared cultural values, here's the mashups of Pop 2014
Danthology https://www.youtube.com/watch?v=OOHYCZLmbyc
DJ Earworm https://www.youtube.com/watch?v=BjYWwZYLYEs
It seems pretty clear that 2014 is "The Year of the Butt". And that pop music is more aggressively amped-up than ever.

ps. Follow the links. The ones above are often entry points for many more 2014 lists on the same website.
[from: Google+ Posts]

21 Dec 2014 7:52am GMT

Drummond Reed - Cordance: The Google Flight Info Trick

When I first stumbled across this, I thought I was the only one who hadn't heard about it. Now I find myself telling other travelers about it all the time and am constantly amazed that they don't know it. If …

21 Dec 2014 4:51am GMT

Brad Tumy - Oracle: New blog Site for TUMY | TECH

I hope that you have enjoyed these blog posts, as much as we have enjoyed sharing them

21 Dec 2014 12:51am GMT

17 Dec 2014


Kuppinger Cole: Secure Mobile Information Sharing: Addressing Enterprise Mobility Challenges in an Open, Connected Business

In KuppingerCole Podcasts

Fuelled by the exponentially growing number of mobile devices, as well as by increasing adoption of cloud services, demand for various technologies that enable sharing information securely within organizations, as well as across their boundaries, has significantly surged. This demand is no longer driven by IT; on the contrary, organizations are actively looking for solutions for their business needs.

Watch online

17 Dec 2014 10:41am GMT

Katasoft: Launch a SaaS – and Battle Your Robot – With Stormpath

Can a fighting robot be an educational tool? Jonathan Wagner thinks so. Wagner is the mastermind behind Gigabots, an educational robotics platform developed in conjunction with Mozilla that makes use of realtime event and data synchronization.

Wagner is Co-Founder and CEO at Big Bang, a company that creates software that makes it easy for people to connect devices in realtime. Big Bang's platform is a publish-subscribe system - with benefits. It allows software developers to create real-time applications on mobile or desktop devices as well as Internet-of-Things based devices. Like Robots that dance and teach kids about technology.

[Image: Gigabot Prime]

Mozilla was interested in software and applications that use high-speed connectivity in educational settings. The Gigabots, a partnership between Big Bang and Mozilla, are a connected robotics platform, using LEGO Mindstorms EV3 robots, the Gigabots API and the Big Bang cloud service to connect the bots in realtime.

The company has already piloted Gigabots in classrooms and Maker Faires, receiving praise from parents, kids, and educators alike. "The kids absolutely love it, we've had such an enormous response from them," Wagner said. Gigabots are just one of the projects running on the Big Bang cloud service platform, currently in private beta.

[Image: Gigabots dashboard]

The Big Bang RealTime Platform

Big Bang is a data synchronization platform that allows devices and applications to send and receive data in realtime to other connected applications. Whether it's a desktop client, web browser or awesome robot, applications are connected to a common API with streaming events or automatic data synchronization across all the channels. "It gives you the building blocks you need to create really sophisticated real-time applications without having to write all your own software and without having to maintain your own infrastructure and servers."

[Image: Big Bang website]

How did Wagner cook up the idea for software that facilitates real-time connectivity? Experience in the video game industry proved to be ample inspiration.

"At my previous company, we created middleware for games: massively multiplayer games, virtual worlds, and simulations. We had customers like Ubisoft, Disney, MTV and Viacom," Wagner explained.

He often encountered developers who were interested in developing a mobile game, but had no experience doing any of the networking necessary for the application.

Even beyond the gaming world, Wagner noticed an increasing demand for real-time features in traditional applications. While that's easy for large, experienced companies with impressive resource pools to pull off, it is much more difficult for a novice developer.

"Developers are starting to want those types of features in every application and so the Big Bang platform makes it easy to create those types of applications and those types of experiences for users."

Wagner decided that the solution was to create technology to make the real-time connectivity process simpler and easier. In doing so, he turned to Stormpath.

User Management for SaaS

Just as developers turn to the Big Bang API for data synchronization, Big Bang came to Stormpath for user management. "It's one of those basic parts every application needs and that you have to write, but it's not really the main point of your application," says Wagner.

Stormpath powers login and registration to the Big Bang service, handling both authentication and authorization. For a SaaS, separating users into secure, partitioned directories is key, as is managing the different roles within those partitioned tenants.

"We use Stormpath to manage authentication for our customers. When our customers create applications on our platform, their users are also authenticated with Stormpath." Big Bang also relies on Stormpath for token authentication and session management.

In the future, Big Bang may need to expand its use of Stormpath into external directories, such as an LDAP or Active Directory server owned and hosted by a customer, or social login like Google Apps. Wagner sees Stormpath as an authentication platform that will scale as his use cases grow and get more defined.

Big Bang is built on a micro-services architecture in Node.js and Java, and has used the Stormpath Node and Java SDKs as their development plan has matured. "It's made it really easy to iterate, because I haven't had to worry about migrating data from different environments. I don't have to worry about replicating data from production to staging to testing and those kinds of things," he said.

He also benefitted from the feature-richness of the Stormpath API. "I didn't have to set up all of the little fiddly things like password resets and all that kind of jazz. It's really important for a product. Everyone expects it from every product, so it doesn't really distinguish you."

[Image: Big Bang platform login]

Building Blocks

If you want to check out how the Big Bang Platform can connect devices in your app, check out the repo for their JS client and sign up for their open beta.

If you want to spend more time building awesome stuff - like dancing robots or a disruptive SaaS - get started with Stormpath. It's free for developers to play with. And we love startups.

17 Dec 2014 5:00am GMT

16 Dec 2014


Phil Hunt - Oracle: Standards Corner: IETF SCIM Working Group Reaches Consensus

On the Oracle Fusion blog, I blog about the recent SCIM working group consensus, SCIM 2's advantages, and its position relative to LDAP.

16 Dec 2014 3:41pm GMT

Katasoft: Making Python Authentication Fast


You know what's really lame? Slow websites.

Unfortunately, certain parts of the authentication process are supposed to be slow. This may seem counterintuitive, but slowness in the authentication process is a big part of being secure.

This article talks about how authentication works in Python (not just hashing), and how you can make your site faster for your users without compromising your security.

I'll walk you through Python pseudocode, and show you exactly what you need to understand to ensure your auth system is as quick as possible.

Password Hashing is Slow

When a user signs up on your website and gives you their password, the best practice is to hash the password before storing it. This means you'll use a password hashing algorithm like bcrypt or scrypt, which turns the password string into a chunk of gibberish that cannot be reversed.

Once you have a hash, there's no way to recover the original password from it.

Here's the important bit: strong password hashing functions like bcrypt and scrypt are meant to be slow!

The more CPU, RAM, and time it takes to compute one hash, the longer an attacker has to spend on every guess when brute forcing a password.

Pretend for a moment that you've hacked a company's user database and now have access to all of the user password hashes.

Let's also say that these are bcrypt hashes with a work factor (cost) of 10.

If you're trying to figure out what the passwords are, there's only one thing you can do: brute force them.

To do this, you might write some code that iterates over every possible password combination (in the example below I'm using the brute library on PyPI):

$ pip install bcrypt brute

# crack.py
import bcrypt
from brute import brute

# The hash lifted from the compromised database goes here (bcrypt, cost 10).
HASH_TO_CRACK = b'$2a$10$...'

# Try every candidate password of 8 characters or fewer.
for pw in brute(length=8):
    # checkpw re-hashes the guess with the salt and cost embedded in the stored
    # hash, so every guess costs the attacker one full bcrypt computation.
    if bcrypt.checkpw(pw.encode(), HASH_TO_CRACK):
        print('Password is:', pw)
        break

In the example above, we iterate over every possible password of 8 characters or fewer and try each one.

Each time you generate a candidate password, you run it through bcrypt with the salt and cost from the stolen hash, and compare the result to that hash. If you get a match, you've successfully brute forced the user's password!

But here's the kicker: bcrypt and scrypt take a while to compute, and use a lot of resources.

Since both bcrypt and scrypt are deliberately expensive to compute, attackers have a much harder time brute forcing these hashes, because every guess costs real computing resources ($$$).

So, since we now understand how hashing works, and why it is time intensive - let's talk about authentication.

NOTE: If you're interested in learning more about password security, you might want to read through an article we wrote a while back on the right way to do password security - it's a good read. And if you want even more info, check this out.

How Authentication Works

When a user typically registers or signs into a site, you're going to be hashing their password, and either storing it in a database or comparing it to a value in a database - but what happens after that? You remember the user either with an ID in a session, or via an API key of some sort.

Here's some pseudocode:

# register.py
user = User('r@rdegges.com', 'hithere!123')
user.save()     # save this user to the database

# Create a new session cookie in the browser, which holds the user ID.
session.create('session', user.id)

The idea is that the user ID is associated with a session cookie in the user's browser. The next time the user requests a page on your site, the browser sends that cookie along, and you look up the account by ID without needing the email address and password again. One thing the pseudocode glosses over: the cookie must not carry the bare user ID in a form the client can edit, or anyone can impersonate any user just by changing the number. Framework session middleware handles this either by signing the cookie or by putting only a random, unguessable session ID in the cookie and mapping it to the user ID on the server side.

Here's some more pseudocode:

# views.py
user = User.find(id=session)

As you can imagine - finding a user account by ID is very quick (no password hashing is necessary).

So - what this means is that only the initial user creation and login processes are slow - the rest of your site can still be fast!

But let's not stop just yet.

Optimizing for Speed

Since user data is typically required on every page of a website, this data is accessed very frequently.

If you're using a database like Postgres or MySQL, this means that if you have a few hundred website users, you might be querying your users table in the database a couple hundred times per second.

That's quite a few queries!

If your site needs to do other things, you might be unnecessarily slowing down page loads.

So what can you do to speed things up? Cache!

Caching is the solution to most speed and performance problems - and making user data quickly available is one of the most effective ways to speed up your site.

The idea is pretty simple: keep a key / value store in memory that maps a user ID (the key) to the user's account data (the value).

This helps because the next time a user requests a page and sends you their session cookie, you query the in-memory cache for the account instead of the database. Whatever you cache also has to be evicted when it changes: on logout, password change or a change of roles, delete the cached entry (and the session) so that a revoked or downgraded account is not kept alive by the cache.

This might be the difference between 1ms and 100+ms on every request: that's a lot of saved time. While it doesn't seem like much on its own, once you add the latency from other parts of your application, you can speed things up a lot overall.

For caching, you'll most likely want to store this data in a cache system like memcached or redis, both of which have awesome python libraries.

In pseudocode, you'll likely do something like this:

if session:
    user = cache.get(session)

    # Cache miss: query the database directly, then warm the cache
    # so the next request for this user is served from memory.
    if not user:
        user = User.get(id=session)
        cache.set(session, user)
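
The full flow from the two sections above (register, log in, then serve every later request from a session cookie and a cache), as an added example; this is not code from the original post or from Stormpath. It uses hashlib.scrypt from the Python standard library in place of the bcrypt/scrypt packages the post refers to, and the UserStore, SessionStore and UserCache classes are assumed in-memory stand-ins for the users table, the session backend, and memcached/redis. The cookie value is a random token; the user ID only ever lives server-side.

```python
import hashlib
import hmac
import os
import secrets

# Assumed cost parameters: n=2**14 keeps the example quick; raise it on real hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password):
    """Slow, salted hash. Cost and salt are stored with the digest so the
    same computation can be repeated at login time."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return "scrypt${}${}${}".format(SCRYPT_N, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Re-hash the candidate with the stored salt and cost; compare in constant time."""
    _, n, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class UserStore:
    """Stand-in for the users table; counts lookups by ID so the cache's effect shows."""
    def __init__(self):
        self._by_id, self._by_email, self.id_lookups = {}, {}, 0

    def create(self, email, password):
        user = {"id": len(self._by_id) + 1, "email": email,
                "password_hash": hash_password(password)}
        self._by_id[user["id"]] = user
        self._by_email[email] = user
        return user

    def find_by_email(self, email):
        return self._by_email.get(email)

    def find(self, user_id):
        self.id_lookups += 1
        return self._by_id.get(user_id)


class SessionStore:
    """Server-side sessions: the cookie carries a random token, never the user ID."""
    def __init__(self):
        self._sessions = {}

    def create(self, user_id):
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user_id
        return token

    def user_id(self, token):
        return self._sessions.get(token)

    def destroy(self, token):
        self._sessions.pop(token, None)


class UserCache:
    """Stand-in for memcached/redis: user ID -> account record, with explicit eviction."""
    def __init__(self):
        self._data = {}

    def get(self, user_id):
        return self._data.get(user_id)

    def set(self, user_id, user):
        self._data[user_id] = user

    def evict(self, user_id):
        self._data.pop(user_id, None)


def login(store, sessions, email, password):
    """Slow path, once per login: one scrypt computation. Returns a token or None."""
    user = store.find_by_email(email)
    if user is None or not verify_password(password, user["password_hash"]):
        return None
    return sessions.create(user["id"])


def current_user(token, sessions, cache, store):
    """Fast path for every other request: token -> user ID -> cache, database on a miss."""
    user_id = sessions.user_id(token)
    if user_id is None:
        return None
    user = cache.get(user_id)
    if user is None:
        user = store.find(user_id)
        if user is not None:
            cache.set(user_id, user)  # warm the cache for the next request
    return user


def logout(token, sessions, cache):
    """Drop the session and the cached record so a revoked login is not served from cache."""
    user_id = sessions.user_id(token)
    sessions.destroy(token)
    if user_id is not None:
        cache.evict(user_id)
```

Only UserStore.create and login pay for a scrypt computation; current_user never does, and the second request for the same session is answered from the cache without touching the store (id_lookups stays at 1). A forged or destroyed token yields no user, and logout evicts both the session and the cached record, which is the step most hand-rolled caches forget.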


If you're using a web framework like Django, you can really easily do all of the things mentioned in this article by simply using the built-in auth system.

If you're using another framework / tool, you might want to google around for libraries - there are typically a few good options to help with this stuff regardless of what tooling you're using.

Lastly, if you're using Python / Flask / Django, and want to get all the awesomeness of best practices around user storage and security, you might want to check out our developer service: Stormpath.

Our service stores user accounts and user data for you, taking care of password hashing, encryption, data security, best practices, and everything else.

It's free to use for most applications, and integrates easily into Python, Flask, and Django apps.

The latest release of our Python library includes built-in support for in-memory, memcached, and redis caching to ensure your site is always as fast as possible, out of the box.

If you'd like to get started with Stormpath, you can check out our libraries here:

To learn more about what Stormpath is doing for password security, check out our security page.

16 Dec 2014 3:00pm GMT

Julian Bond: Snout. [as Wall] Thus have I, Wall, my part discharged so; And, being done, thus Wall away doth go.

A Midsummer Night's Dream, W. Shakespeare.

James Bridle of New Aesthetic and Drone Drawing fame goes on a walk. He follows the edges of the London Congestion Zone, documenting some of the CCTV cameras he sees. The edge of the congestion zone is the 3rd wall around the city. The first being the Roman City Wall, the second is the anti-IRA Ring of Steel. It's the first wall that is largely virtual consisting principally of ANPR cameras.

In Park Lane, he was accosted by a pair of security guards who performed a citizen's arrest and held him until the Police turned up. "When they arrived, the police officers explained that carrying a camera in the vicinity of Central London was grounds for suspicion."

This reminded me of a London Met and Transport Police campaign.

A key part of that was a poster campaign http://voidstar.com/images/cctv.jpg "A bomb won't go off here because weeks before a shopper reported someone studying the CCTV cameras.", "Don't rely on others. If you suspect it, report it". This scary bit of Orwellian double speak prompted an Internet meme generator long since gone. The phrase "don't rely on others" prompted me to mash the image up with some Hawkwind lyrics from Sonic Attack. "Think only of yourselves" http://voidstar.com/images/sonic_attack.jpg The message is clear though. Only look at CCTV cameras out of the corner of your eye because if you pay too much attention to them, you'll be suspected of harbouring thoughts of terrorism.

But then there's London Transport's posters. http://www.yourlocalguardian.co.uk/yoursay/schools/10148054.ORWELLIAN_STYLE_TRANSPORT_FOR_LONDON_POSTERS__A_HUMOUROUS_SATIRE_OR_SUBTLE_HINTS_OF_TOTALITARIANISM_/ This all begins to get scarily post modern. Is this some hipster designer taking the piss out of their brief and sneaking it past some middle management sign off? Or is it doubleplus-good propaganda that works better at inserting the idea into our brain because we laugh at it.

James Bridle can be found here.
The Nor » All Cameras Are Police Cameras »
This essay is the first of a series of reports from The Nor, an investigation into paranoia, electromagnetism, and infrastructure. Map-500. On the morning of Thursday, 30th October 2014, I set out to walk the perimeter of the London Congestion Charge Zone, a journey of some twelve miles around ...

[from: Google+ Posts]

16 Dec 2014 2:12pm GMT

15 Dec 2014


Katasoft: How to Win at White Elephant

Friday night marked the Stormpath Annual Holiday Party, and ended two weeks of conspiracy and planning for the White Elephant gift exchange that would be played that night. We are not a rowdy bunch. We actively recruit teammates with low ego, and a bent towards compromise and collaboration over competition and office politics. We don't have a "brogrammer" culture. But we take games seriously.

Very. Seriously.

Over team lunch at the Baywatch diner on Friday, Brent and I discussed our strategies for the evening's White Elephant. My planning had begun two weeks in advance. Several coworkers told heart-wrenching stories of White Elephant gift planning gone awry. "Rainzilla nearly destroyed the package!" It was pretty clear that White Elephant is "a thing" - not just a benign game, but in fact a way to earn the respect and admiration of your colleagues. However fleeting. It somehow matters.

[Photo: Team Stormpath]

What Is White Elephant?

To be clear, White Elephant is not a game you can technically win, and there are a lot of ways to play. These are the rules we use:

  • Everyone brings a wrapped gift of $20-25, including dates and significant others
  • The gifts go under the tree at the Christmas party. After we have all stuffed our faces with Kelsey's homemade smorgasbord of baked goods, we gather at the tree and draw numbers.
  • The first person chooses a gift, unwraps it and smiles graciously.
  • The next person - and everyone thereafter - can either steal that gift or open a new one.
  • If your gift is stolen, you can open a new one or steal. This can cause a cascade of present theft and good-humored chagrin.
  • You can't steal right back from someone who just stole from you.
  • Gifts can be stolen three times, after which it is no longer in play.
  • After the last player has gone, player number one can steal any gift that is still in play. This is why you want to be player number one.

White Elephant refers to a "dud" gift that might be added to the stock of gifts under the tree. We don't play that way, because who wants a dud gift? If there is a clear and obvious dud, stealing cascades can go berserk.

How to Win at White Elephant Gift Exchanges

Let's be clear: winning White Elephant is not about getting the best gift, it's about giving the best gift. You win by bringing the gift that gets stolen so many times it goes out of play, and the final recipient grins gleefully while several people shoot them looks of mock violence.

You can also win by bringing something that is so widely acknowledged as exceptionally cool, that is treated with a reverence that transcends theft.

[Photo: Team Stormpath]

How to Win:

1) Serve a Big Market The ringers at the Stormpath White Elephant were a pizza stone, a set of fancy chopsticks and a semi-satirical motivational poster. Why does this work? We have a very high-concentration of foodies and cooks. Also of people who used to live in Japan. And we all enjoy the rotating motivational posters, a la "Fuck Mediocrity", on the wall of our Developer Evangelist's home office, seen in daily hangouts and occasionally video tutorials. Products that get the most demand are the ones that satisfy the biggest market need. Think about your coworkers as a mini-market. What are their greatest needs?

2) Take Your Office Meme To Etsy Stormpath has a strong office meme around Star Wars. We watch it (Machete Order, thank you very much) as a team for family movie nights. Joe Stormtrooper is our default account on the website. Our entire demo recreates the StarWars universe as a user model. We have a directory for the Sith Empire that includes subgroups for "Imperial Officers" and "Bounty Hunters". Every office has a meme, and Etsy has an impressively wide array of custom handmade stuff that speaks to that meme. I had a painful moment Friday morning when I discovered Stormtrooper coasters while shopping for my mom.

3) Don't Forget the Significant Others At Stormpath parties, we include wives, husbands, girlfriends, boyfriends, or even parents. While it's pretty easy to buy something that will be a hit with half a dozen rabid Star Wars fans, the SOs are often an overlooked target audience. Plus, there is nothing that is going to score you more points with the guy who sits next to you than bringing something his girlfriend or boyfriend thinks is awesome. Look for something trendy and innocuous that someone would never buy for themselves. E.g. 2011 whiskey stones, 2012 corksicle, 2014 pizza stone.

4) Booze While this may not work for every company, it's entirely possible booze is the trump card White Elephant gift. Brent won big props for bringing a jar of Apple Pie Moonshine. If you have a Costco card, you may be able to get a ridiculously large bottle of… anything. Just the fact that it's big will make it popular. Also, look around for a pre-Christmas wine deal. Even the snobbiest wino is happy with a good $25 bottle of wine. (I speak from hiccup experience)

5) Bells and Whistles Sometimes it's not the gift itself, but a feature of the gift that makes it interesting and desirable. This year, I had a win and a loss. The win was a small box of artisanal champagne-flavored marshmallows… dipped in gold. The loss was three boxes of handmade marshmallows in three different flavors. The "winner gift" was more popular not because anyone thought they would taste better. There were even fewer of them. But they were dipped in gold - the "bells and whistles" feature made it more desirable.

From everyone here at Stormpath, Happy Holidays! May your parties be filled with victory and good noms.

15 Dec 2014 5:35pm GMT

Kuppinger Cole: Cloud Compliance Remains a Challenge

In Karsten Kinast

The cloud is reality - but still legally controversial in the details. So what do we need to consider for the future with regard to liability, especially as there are few practical alternatives for data management in the cloud and many already see the cloud as unmatched in value from an economic viewpoint?

Over and over again, references are made to the cloud's problems with the many national and international data protection laws. Among other things, for "sensitive data" such as health data, the international nature of cloud processing presents huge legal problems. The problem, though, is not seen this way by all supervisory authorities responsible for data protection.

Often underestimated, however, is the fundamental legal point of criticism: the lack of data sovereignty for the cloud user and the lack of options to control the cloud provider. Questions abound, such as:

  • Where does the data reside?
  • Are technically necessary copies deleted as required by law?
  • Can the cloud user see, understand and control the data security with his/her provider?

This problem field is clear but it appears less helpful if it's stated as: "classic data protection does not function in the cloud". You can, however, get closer to the truth if you note that the cloud's own manner of functioning has not yet been recognised by law as regards the aforementioned control options - at least not in Europe. The legislators now demand, for example, control over the service providers to whom one entrusts his/her own data or that from third parties. This control only functions with the help of transparency in regard to important questions:

  • Who can currently access the data?
  • As regards third party data, can I learn these points from the cloud provider when my own customer wants to know this from me?
  • In short: am I still master of the data?
  • Can I even still accept responsibility for the data entrusted to me or do I fail on the factual power of the cloud provider and the technically functional method of the cloud?

As to the question of control options, you should put your cards on the table and demand that the European legislators revise their own regulations for the cloud that acknowledge the missing control possibilities as collateral damage to the cloud. It seems feasible to subject cloud providers, in return, to specific obligations so the basic concepts of data protection pursued by the control rights can be achieved by an alternative route. Should an established legal conception - the necessity of the control principle - be abandoned in order to help a modern type of data management out of the juridical problem area? Or will data protection do its job of protecting the citizen only if complete visibility and control continues to be codified?

Occasionally legislators and bureaucrats argue that one must simply reinterpret the current data protection legislation: a technical interpretation of the data protection law would solve the problem. By analogy, a meaningful technical solution should not be blocked by unfashionable, non-IT oriented law. That sounds compelling, and a revision of the data protection law would then not be necessary at all. Caution is called for once again: unlike copyright law, data protection law is not commercial law. Data protection is a personal right. Hence, as a matter of principle, the citizen's interest in data protection takes precedence over a technical and thus economy-friendly interpretation of the law. As a result, the issue of control and data sovereignty in the cloud remains unresolved to date.

This is the reason why it is occasionally claimed that the cloud is "illegal," or even "extra-legal". This is certainly not the case. Yet the obligations with regard to liability law are not to be underestimated with regard to data sovereignty and the cloud customer. As such, you may be liable, under certain circumstances, for possible shortcomings of the cloud provider although you only purchased the cloud service. This always involves the chain: Cloud provider - Cloud customer - Customer of the cloud customer. As a cloud customer, you are in the middle and must ensure a proper level of data protection to your own customers which is simply not offered as depicted, and with regard to control, is also not realisable, because the data in the cloud is ubiquitous and, for example, no specific information can be given as to the whereabouts of the data.

Even if one accepts this problematic liability and takes the risk of data protection non-compliance further aspects of the cloud are also problematic in terms of data protection legislation. This concerns, for example, data quality. Especially as regards the already mentioned sensitive data which may, if at all, only be brought into the cloud if a detailed examination of this individual case appears to be admissible. This depends on the technical framework conditions, but also on the Terms and Conditions of the provider.

Further discussions concerning the legality of the cloud could involve:

  • Data access through third parties, especially legal authorities (not only data protection, but also knowledge/trade secret protection)
  • Technical-organisational measures (not only available, but rather also documented and manageable)
  • Subproviders (missing transparency regarding their linking, technical-organisational measures implemented)
  • Terms and Conditions

The following always applies (as already mentioned): If I myself "purchase" the cloud and use it to provide services to third parties, I cannot, generally, disclaim responsibility; I must be liable, if need be, for the above mentioned "purchased" deficiencies to my contractor, my employees etc.

15 Dec 2014 2:40pm GMT

IS4U: FIM 2010: Eliminating equal precedence


Precedence can be tricky in certain scenarios. Imagine you want to make FIM master for a given attribute, but you need an initial flow from another data source. A good example is the LDAP distinguished name. If you have a rule that builds the DN automatically based on a base DN and one or more attribute values, the object is provisioned with the correct DN on export. But when you want to visualize this DN in the FIM portal, you need to be able to flow it back. If FIM is master over the distinguished name attribute, this flow will be skipped "Not precedent".

So you have to consider equal precedence, since manual precedence is not possible in combination with the FIM MA. But equal precedence depends on the order of the synchronization cycle: the last one to write the attribute wins. It is therefore not an option if FIM needs to be the absolute master of the DN attribute and you want to be sure that it always holds the value you expect.

Single valued attribute

The solution I came up with to work around this issue uses two separate metaverse attributes. The flow is illustrated by the following table.

  Datasource   Metaverse   FIM Portal
  ds_attr      mv_attr1    fim_attr

By using two metaverse attributes, both requirements are satisfied:

Multi valued attribute

We tried to apply this solution to multi-valued attributes as well. A well-known attribute that fits this use case is proxyAddresses. Initially, some Exchange attributes are set in AD, such as mailNickName and homeMdb. Exchange then generates proxy addresses based on defined rules, and these aliases need to be available in FIM if FIM is used to manage this information.

To our surprise, the solution did not work in this case. After some investigation, the explanation turned out to be simple: the two metaverse attributes did not stay equal, which produced unexpected values after two or more synchronization cycles.

  1. Delta import and delta sync on the FIM MA: fim_attr flows to mv_attr2
  2. Export on the AD MA: mv_attr2 flows to ds_attr
  3. Delta import and delta sync on the AD MA: ds_attr flows to mv_attr1

The third step runs as expected, but it does not update the entire value of mv_attr1 (the key word being "entire"). A delta import with delta sync evaluates only changed attributes, and for multi-valued attributes only changed entries. The value of ds_attr has just been exported, so FIM compares it with the metaverse attribute the export originated from, which is mv_attr2. Since mv_attr2 and ds_attr match, the export is confirmed successfully, but mv_attr1 is left unchanged and now differs from mv_attr2. In the next synchronization cycle the value of mv_attr1 flows to fim_attr, and the portal ends up with an unwanted value.

With full synchronizations everything works as expected, because all entries of the multi-valued attribute are taken into consideration; on a delta sync only the changed entries are evaluated. We therefore applied an advanced import flow that lets the addresses generated by Exchange for newly created mailboxes flow in only while the metaverse attribute is still empty:

// Advanced import flow in a rules extension (IMASynchronization.MapAttributesForImport)
// on the AD MA: seed the metaverse attribute from the connector space only while it
// is still empty, so Exchange's generated addresses arrive once and FIM stays master.
if (csentry["ProxyAddresses"].IsPresent
  && mventry["ProxyAddresses"].Values.Count == 0)
{
  // Copy the whole multi-valued collection from the connector space
  // (assumed completion of the line that is truncated on the page).
  mventry["ProxyAddresses"].Values = csentry["ProxyAddresses"].Values;
}
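To make the failure mode above reproducible without a FIM lab, here is a small model of the cycle, added as an example and not code from the IS4U post or from FIM. The engine, the "pending export" bookkeeping and the assumption that a delta sync consumes the entries matching a pending export as confirmations (rather than flowing them to mv_attr1) are simplifications of the behaviour the post describes; the attribute names, the proxy addresses and the portal edits are constructed sample data. It also shows the guard from the advanced import flow as a plain function.

```python
from dataclasses import dataclass, field


@dataclass
class State:
    """Values of one multi-valued attribute (e.g. proxyAddresses) in each store."""
    ds_attr: set = field(default_factory=set)   # data source (AD connector space)
    mv_attr1: set = field(default_factory=set)  # metaverse attribute fed by the AD MA import
    mv_attr2: set = field(default_factory=set)  # metaverse attribute fed by the FIM MA import
    fim_attr: set = field(default_factory=set)  # value in the FIM portal


def sync_cycle(s: State, full_sync: bool) -> State:
    """The three steps listed in the post, plus the FIM MA export of the next cycle."""
    s = State(set(s.ds_attr), set(s.mv_attr1), set(s.mv_attr2), set(s.fim_attr))
    before_export = set(s.ds_attr)

    # 1. Delta import / delta sync on the FIM MA: fim_attr -> mv_attr2
    s.mv_attr2 = set(s.fim_attr)

    # 2. Export on the AD MA: mv_attr2 -> ds_attr. The engine remembers what it
    #    exported so the confirming import can match it against mv_attr2.
    s.ds_attr = set(s.mv_attr2)
    exported_adds = s.ds_attr - before_export
    exported_removes = before_export - s.ds_attr

    # 3. Delta import / delta sync on the AD MA: ds_attr -> mv_attr1
    if full_sync:
        s.mv_attr1 = set(s.ds_attr)     # the whole attribute is re-evaluated
    else:
        # Only changed entries are considered. Entries explained by the pending
        # export are consumed as confirmations and never reach mv_attr1
        # (assumption: this is the delta-sync behaviour the post describes).
        new_adds = (s.ds_attr - before_export) - exported_adds
        new_removes = (before_export - s.ds_attr) - exported_removes
        s.mv_attr1 = (s.mv_attr1 | new_adds) - new_removes

    # 4. Next cycle, export on the FIM MA: mv_attr1 -> fim_attr (what the portal shows)
    s.fim_attr = set(s.mv_attr1)
    return s


# Constructed sample data: the addresses Exchange generated for the mailbox,
# already brought into all stores by an initial full sync.
SEEDED = {"SMTP:alice@example.com", "smtp:alice@mail.example.com"}


def portal_edit_after_one_cycle(edited: set, full_sync: bool) -> set:
    """Edit the list in the portal, run one cycle, return what the portal shows afterwards."""
    s = State(set(SEEDED), set(SEEDED), set(SEEDED), set(edited))
    return sync_cycle(s, full_sync).fim_attr


def guarded_import_flow(cs_values: set, mv_values: set) -> set:
    """The guard of the advanced import flow above, as a function: the connector-space
    value is flowed only while the metaverse attribute is still empty."""
    if cs_values and not mv_values:
        return set(cs_values)
    return set(mv_values)


if __name__ == "__main__":
    added = SEEDED | {"smtp:a.smith@example.com"}     # constructed: alias added in the portal
    removed = {"SMTP:alice@example.com"}               # constructed: alias removed in the portal
    print("delta, add    :", sorted(portal_edit_after_one_cycle(added, False)))    # edit lost
    print("full,  add    :", sorted(portal_edit_after_one_cycle(added, True)))     # edit kept
    print("delta, remove :", sorted(portal_edit_after_one_cycle(removed, False)))  # alias is back
    print("seed empty mv :", sorted(guarded_import_flow(SEEDED, set())))
    print("mv populated  :", sorted(guarded_import_flow(SEEDED, {"SMTP:bob@example.com"})))
```

The removal case is the one worth watching in practice: under delta sync an alias that an administrator deliberately removed in the portal reappears in mv_attr1, is exported back to the portal and, one cycle later, re-exported to AD, so the mailbox silently keeps accepting mail for an address that was supposed to be gone. Full synchronizations or the guarded single-attribute flow avoid this.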


The proposed configuration allows two-way updates while enforcing precedence for one data source. However, it does not work for multi-valued attributes when delta synchronizations are used.

15 Dec 2014 1:56pm GMT

14 Dec 2014

feedPlanet Identity

Kaliya Hamlin - Identity Woman: Internet Identity Workshop #20 is in April !!

IIW is turning 20! That is kind of amazing. So much has evolved in those 10 years. So many challenges we started out trying to solve are still not solved. I actually think it would be interesting as we approach this milestone to talk about what has been accomplished and what we think is […]

14 Dec 2014 11:31pm GMT

Kaliya Hamlin - Identity Woman: ID Anthology – the community “cannon”

A few years ago I pulled together the start of a community anthology. You could think of it as a canon of key blog posts and papers written in the Identity Gang and circulated around the Internet Identity Workshop and other conferences back in the day like Digital Identity World. I think with IIW coming […]

14 Dec 2014 11:25pm GMT

Kaliya Hamlin - Identity Woman: A Preliminary Mapping of the Identity Needs in People’s Life Cycles

This start of a paper and idea for an interactive Exercise to be done at the ID360 Conference was written by myself and Bill Aal. It was submitted to the 2014 ID360 Conference put on by the Center for Identity at the University of Texas at Austin. Over people's life cycles there are many different […]

14 Dec 2014 10:12pm GMT

Anil John: My 10 Most Popular Blog Posts of 2014

Most popular 2014 blog posts by Anil John

14 Dec 2014 7:45pm GMT