Usable Security's Stumbling Block: The Chicken and the Egg
July 14th, 2008
One of the main problems, as I see it, with security research is the chicken and the egg. Let’s say you come up with a snazzy new protocol, but this protocol requires a smart client (or modification to a browser). Additionally, you have some identity providers that are not terribly difficult to develop, but are not deployed. Now, how do you justify deploying all these modifications or new service providers if there are no clients to take advantage of them? On the other hand, how do you justify upgrading all the clients to support a protocol that has no identity providers?
The real answer is that you compromise. You find some company whose business model can benefit directly from the technology and have them be a champion, and hope that you can get enough marketing (yes, you heard me, marketing) and enough people interested that it creates some momentum and adoption.
One of the coolest protocols I’ve read about is SRP. It’s the bomb, really. Password based, strong cryptographic properties, mutual authentication—both the client AND the service provider are authenticated, phishing attacks to obtain your password are not an issue. I could go on, it’s got some serious coolness. Additionally, some work at BYU shows how it can be extended to make it solve a lot of problems that OpenID is aimed at, without the drawbacks. (Heck, it even allows you to delegate access to other users.)
Problem is, SRP and its extensions require a smart client, and modification of service providers. Chicken and the egg. Drat.
Thoughts:
I’m wondering if it can be adopted by compromise, by providing a signed java applet to perform the smart client responsibilities for wireless authentication.
Another thought: if you could get one half of the problem solved, say widespread deployment of the smart client, the other side could very easily drop into place.
Early Adopters
Interesting tech is usually adopted by the geeks before it goes mainstream. Now, not all things the geeks embrace make it mainstream, but a lot of things mainstream were solidly in geek territory in the beginning. One way to get early adopters is to:
- make a polished smart client for the linux desktop (gnome/kde)
- on the server make your software as easy to use as an apache module etc.
The key is real solutions that at least the geeks can use today.
Ride Someone Else’s Coattails
OK. Everyone agrees that smart phones/smaller devices are going to be a key part of the foreseeable future. Why not use this trend to lift usable security mechanisms out of their academic tar pit? Just to be controversial I’m going to say Android is going to be huge. What if someone stepped up and implemented this slick, efficient, just-what-the-doctor-ordered password smart client for the Android platform that happened to support SRP? Let’s say it took off like the iPhone. I think it is realistic to see broader adoption of SRP across the board if, a year after launch, there are 90 million installed clients with active users.
Accessing On-Campus Digital Libraries From Home
April 23rd, 2008
You’ve run into this before. You’re at home, looking up some academic papers and you always run into a couple that you can’t track down on the internet at large. You’ve got to get them from one of the major digital libraries. Sure, your university has a campus subscription—but you’re not on campus. You flounder trying to get something to work from the command line. No dice.
Here’s my trick.
Use SSH to set up a proxy back to your campus and send your web traffic through the campus network so that it looks like you’re on campus. I’ve got a Mac so ssh is easily available from the command line. I have gotten this to work using Putty on Windows though.
SSH supports SOCKS (a protocol for proxying traffic). It will open a local port (of your choosing); any traffic sent to that port is carried over your secured ssh connection, comes out the other side, and the remote host you’re connected to proxies it onward.
ssh -D 9000 username@cs.yourschool.edu
With this command ssh will listen on your localhost on port 9000. Configure Firefox to use a web proxy: Firefox -> Preferences -> Advanced Tab -> Network -> “Configure how Firefox connects to the Internet”. Choose the Manual proxy configuration radio button. For the SOCKS entry the host is localhost and the port is whatever you specified for the -D option (I used 9000). Hit OK and you’re done.
Firefox will now pipe all your web traffic over ssh to your remote server. You are now “on campus” as far as anyone looking at your origin IP address is concerned.
I’d turn off the proxy (just set it back to no proxy in Firefox’s settings) after downloading what you’re after to avoid any network delay.
This technique is sometimes useful in situations at conferences where the wireless is blocked on port 80, but not on port 22 (ssh’s port). This is completely unconfirmed—you didn’t hear it from me.
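What Firefox and that local port actually say to each other, as an added example that is not from the original post: a minimal SOCKS5 CONNECT handshake in Python, run against a constructed stand-in for the ssh -D listener. The hostname library.yourschool.edu and the stand-in server are assumptions; real ssh would go on to open the remote connection, which the stand-in does not.

```python
import socket
import struct
import threading

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 0x05, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03   # ATYP_DOMAIN: the proxy end resolves the name, not the client

def connect_request(host: str, port: int) -> bytes:
    """Build the CONNECT request: VER CMD RSV ATYP LEN HOST PORT."""
    name = host.encode("idna")
    head = struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name))
    return head + name + struct.pack("!H", port)

def parse_reply(data: bytes):
    """Return (ok, bound_host, bound_port) from a reply carrying an IPv4 BND.ADDR."""
    ver, rep, _rsv, atyp = struct.unpack("!BBBB", data[:4])
    if ver != SOCKS_VERSION or atyp != ATYP_IPV4:
        raise ValueError("unexpected SOCKS reply")
    (port,) = struct.unpack("!H", data[8:10])
    return rep == 0x00, socket.inet_ntoa(data[4:8]), port

def socks_handshake(host: str, port: int, proxy_port: int):
    """Client side: what the browser sends to localhost:proxy_port to reach host:port."""
    with socket.create_connection(("127.0.0.1", proxy_port)) as s:
        s.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))      # greeting: one method offered, no auth
        if s.recv(2) != bytes([SOCKS_VERSION, NO_AUTH]):
            raise ConnectionError("proxy did not accept no-auth")
        s.sendall(connect_request(host, port))
        return parse_reply(s.recv(10))

def _stand_in_proxy(srv: socket.socket) -> None:
    """Constructed stand-in for the ssh -D listener: answers success, opens nothing."""
    conn, _ = srv.accept()
    with conn:
        conn.recv(3)                                      # client greeting
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH]))     # method selected: no auth
        conn.recv(512)                                    # CONNECT request (not acted on here)
        conn.sendall(bytes([SOCKS_VERSION, 0x00, 0x00, ATYP_IPV4]) + socket.inet_aton("0.0.0.0") + struct.pack("!H", 0))

def demo():
    """Run the handshake against the stand-in on an ephemeral loopback port."""
    srv = socket.create_server(("127.0.0.1", 0))
    worker = threading.Thread(target=_stand_in_proxy, args=(srv,), daemon=True)
    worker.start()
    result = socks_handshake("library.yourschool.edu", 443, srv.getsockname()[1])
    worker.join()
    srv.close()
    return result
```

Calling demo() returns (True, '0.0.0.0', 0), the success reply a SOCKS5 proxy gives before relaying bytes; with ssh -D 9000 running you would point socks_handshake at port 9000 instead of the stand-in.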
Flash Conference
January 15th, 2008
Out of the fuss over the parody video ‘Here Comes Another Bubble’ (succinct summary), an intriguing idea is set forth over at Scripting News:
Most conferences are so boring. I want to do a conf on a hot subject when it’s still hot in the blogosphere. This may be a good subject for such a quickly organized conference. What do you think of the flash conference idea for this??
I’ve never thought about a flash conference before. Not just for this topic, but so many others as well.
Fantastic idea. Love it.
First Bluetooth Device
January 11th, 2008
At home we have a MacBook. My wife can’t stand using the trackpad—she’s got to have a mouse. For our anniversary I got her a Kensington bluetooth mouse. I wanted a bluetooth device because I didn’t want any USB receiver sticking out the side to get bumped or broken. Took all of 45 seconds to hook it up.
Seamless.
Is that because we’ve got a Mac or is it because Bluetooth is cool?
For Posterity: Treatment for Severe Canker Sores
November 14th, 2007
Yeah I know, this is supposed to be a technology blog. This one’s for posterity.
I get severe canker sores. Huge. They hurt. They are no fun. It’s technically called Aphthous Stomatitis. I’ll get open canker sores about the size of a dime or worse that last for several weeks. That wikipedia link and other sites enumerate many attempted treatments. Some things that work for one person just have no positive effect for another. I’ve tried most of them and none of them seem to help.
When I was growing up, baking soda applied directly to the sore would help it heal faster. It hurt like heck though. My cankers get larger nowadays and the baking soda technique just hurts like crazy and doesn’t help at all.
My contribution to posterity is merely to document a treatment I heard about which has helped me. I got this home treatment from my cousin, who is a doctor. I’m not a doctor, so don’t mistake this for medical advice.
The treatment is to use a styptic stick or pencil. They’re not as common nowadays but you can still find them in drug stores. They’ll be marketed as a way to stop bleeding if you’ve nicked yourself shaving.
You run a little water over the styptic pencil and then apply it directly to the sore. It chemically cauterizes the sore. Sometimes it stings a little bit, but not terribly so. It’s nothing compared to the hurt from baking soda or salt. You will get a pretty potent taste of citrus.
So, if you are one of the unfortunate sufferers of recurrent severe cankers and nothing seems to work, using a styptic pencil might be worth a try.
Evidently I'm famous
November 12th, 2007
I know I’m not like some people who get 600 hits in one day from Reddit. I’ve been told that the true measure of “getting on the map” is when spammers take notice of you. They’ve noticed my blog, probably due to my incredibly massive readership. I thought I had my blog settings to moderate comments, but I was mistaken. Sorry if any of you were exposed to some of those terrible comments over the last couple of days.
My current blogging engine is Mephisto, which has built-in support for Akismet. So far Akismet has taken care of the problem. I’m getting several hundred spam comments every day, but none are getting through. None of the comments were particularly clever, but the volume is just no fun to keep track of by hand.
My university has a content filter (Dan’s Guardian) which uses blacklists as well as phrase weighting. I hadn’t thought about it before, but one drawback of using filters on the content is that when I went to remove spam comments, the comments triggered the content filter and kept me out of my own blog when I was trying to delete those very comments. Fortunately a semester ago they allowed a bypass that logged your action and let you through. Without that safety hatch I wouldn’t have been able to rectify the situation.
Can you Email me that?
November 12th, 2007
I was on the phone with my Mom and she had a document she wanted to send me.
- Devlin: Mom, you’ve got a scanner. You can email it to me.
- Mom: (Laughing) It would be easier for me to send it in the mail!
She’s telling the truth. Yes, my mom is a very competent computer user. It’s just not easy enough. It’s not just her, it’s me too. The number of programs and such that you’ve got to get to work together is too many. The single button touch thingeroos on new all-in-ones don’t cut it. The software that listens for the scanner’s “convenience buttons” gums up the whole works; it consumes insane amounts of memory and never seems to work right anyway.
It’s a sad reflection on the state of usability in software when the postal system, the POSTAL SYSTEM of all things is easier to use.
Lonely Future
November 12th, 2007
Witnessed on campus this morning.
A girl saw a friend and tried to get her attention by yelling, “Jennika! Jennika!”
No response.
Thinking that onlookers must think she’s crazy for yelling at apparently the wrong person, she looks over at us and succinctly explains why the friend is oblivious.
“iPod. What can you do?!”
Half Baked
November 9th, 2007
This blog, The Daley Devlin, was almost named Half Baked. I still haven’t ruled out the possibility of renaming it. In the conversation I have with myself, my mind says that I can really write about topics that I haven’t completely worked through, but I don’t feel like I can yet. I’m OK with some fairly unpolished prose, but I haven’t been able to force myself to write about unpolished ideas. We can’t always be right. It’s OK to be wrong, as long as we learn from our mistakes, right?
This post is just me trying to get psyched up for actually doing it.
