Tuesday, October 06, 2009

Learning Authentication

Securing mission critical applications is vitally important. Everyone can agree on that. Securing access to personal information is also vitally important. I'm sure there'll be no arguments with that one either. And I'm also quite sure that there will be no arguing with the fact that not all applications carry the same risk and therefore they can be secured in various manners ranging from pretty insecure to secure to the point where even with all the necessary credentials it is still hard to get access.

When I was young, I had a ZX Spectrum 48Kb. When I switched it on (because in those days I had no concept of “booting”), I was presented with a fairly blank screen and a cursor. At this point, I would normally type LOAD “” and insert a cassette into my attached cassette player. A program would load (normally a game to be fair) and I would enjoy the pleasure of using the program (or playing the game) for quite some time thereafter. No authentication necessary.

These days, our children need to be a lot more careful as they typically use computers in a state of always being connected to the internet. But is it reasonable to expect a young child to enter a User ID and Password when they want to play “Dora The Explorer” on the Cbeebies website? Maybe they should have to authenticate at an early age – after all, it is teaching them good practice, yes?

Well, there's probably no harm in having a child click on a photograph of themselves when it comes to authenticating at the OS level and then getting access to a customised desktop with all their favourite links on it (such as the now infamous Dora) but what about a password?

Would it be fair to ask a child of 10 to construct an eight-character password which had to have alphabetic characters, numbers and symbols in it? They might be able to do that and remember the password. What about a child of 6? What about a child with learning difficulties? I would suggest that a hard-to-remember password would be inappropriate – especially if all they were trying to access is the aforementioned Dora in her quest to defeat the naughty Swiper!

So what would be an appropriate means for this demographic to learn the beauty of authenticating themselves? Retina recognition? Fingerprints? Visual cues? Let's examine...

Biometrics may seem like a fun way of authenticating and they certainly have merit, except that not every PC or laptop comes equipped with the necessary hardware to enable them. Should we all rush out and buy fingerprint readers? I'm thinking not.

Passwords aren't necessarily an option even if we make the passwords very weak indeed. Maybe the children aren't at a stage in their development where they can recognise the characters on the keyboard let alone use the keyboard appropriately.

Visual cues? Consider the scenario whereby the child in question clicks on their own photograph to authenticate and is then presented with four images of animals from which they have to select their favourite. Now, consider the scenario whereby the child is presented with four colours from which they have to select their favourite. All of a sudden, we are actually verifying that there is a good chance that the child is who they say they are. The child is learning the beauty of IT security in a safe environment with visual cues which are protecting non-critical services. The authentication process is probably one of the least secure mechanisms I can think of, short of no authentication whatsoever. However, in an environment where security doesn't matter and for the benefit of educating the young and getting them used to the concepts of identifying themselves and verifying that they are who they say they are, then it probably has merit. (And no doubt has already been done many times before.)
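A small model of the two-round picture login described above, as an added example rather than code from this post or from any Tivoli product; the category contents, the user name used in testing and the three-failure lockout are assumptions. It reports only overall pass or fail, so the rounds cannot be guessed one at a time, and it works out the blind-guess odds (1 in 16 for two rounds of four pictures).

```python
import hmac
import secrets
from fractions import Fraction

# Constructed sample data: these categories and pictures are assumptions.
CATEGORIES = {
    "animal": ["cat", "dog", "rabbit", "horse"],
    "colour": ["red", "blue", "green", "yellow"],
}
MAX_FAILURES = 3  # assumed lockout threshold before an educator must reset


class PictureLogin:
    def __init__(self):
        self.favourites = {}  # user -> {category: chosen picture}
        self.failures = {}    # user -> consecutive failed attempts

    def enrol(self, user, choices):
        """Registration step: record one favourite per category."""
        if set(choices) != set(CATEGORIES):
            raise ValueError("one choice per category is required")
        for cat, pick in choices.items():
            if pick not in CATEGORIES[cat]:
                raise ValueError(f"{pick!r} is not a {cat} option")
        self.favourites[user] = dict(choices)
        self.failures[user] = 0

    def challenge(self):
        """Return each round's pictures in a fresh random order."""
        rng = secrets.SystemRandom()
        return {c: rng.sample(o, len(o)) for c, o in CATEGORIES.items()}

    def verify(self, user, answers):
        """Check every round, but reveal only the overall result."""
        if self.failures.get(user, MAX_FAILURES) >= MAX_FAILURES:
            return False  # locked out, or user was never enrolled
        ok = True
        for cat, expected in self.favourites[user].items():
            given = answers.get(cat, "")
            ok &= hmac.compare_digest(given.encode(), expected.encode())
        self.failures[user] = 0 if ok else self.failures[user] + 1
        return ok


def guess_probability(attempts):
    """Chance that blind guessing succeeds within `attempts` distinct tries."""
    space = 1
    for options in CATEGORIES.values():
        space *= len(options)
    return Fraction(min(attempts, space), space)
```

With the assumed lockout of three failures, a blind guesser succeeds with probability 3/16, which is why the scheme suits only the non-critical services the post has in mind.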

I spend my life working with IBM Tivoli security products, focussing on Tivoli Access Manager and Tivoli Identity Manager. I haven't come across an EAI for such an authentication mechanism but would imagine it would be easy to implement and could be very useful within learning environments. Maybe I'll write one in my spare time!

So is there a drawback? Of course there is. And it is the same drawback that exists for all user credentials. Setup, user registration or the provisioning process. That issue seems (to me, at least) to rest with the educators who can talk the child through the process and explain the reasons behind it.

Thursday, October 01, 2009

Vista v Ubuntu

I had enough of Vista recently. Watching that little blue circle circling and circling and circling. And all the while the hard disk light would flash and flash again and flash once more. But nothing seemed to be happening.

I felt like exacting violence on my laptop and then finally decided that it was time for my workhorse laptop to get the Ubuntu treatment. After all, I'd done it on other machines so why not the machine I work with almost all the time?

The long and short of it is that Ubuntu and Vista are living happily on my ThinkPad and I can boot into either. They both have an almost identical list of applications installed - Apache Directory Studio, MySQL Workbench, Tweetdeck, Filezilla, Password Safe, Firefox, Thunderbird, Picasa, Google Earth, Skype, Open Proj, VMWare Player. I have Open Office rather than Microsoft Office and Kivio rather than Visio; GIMP rather than Photoshop and Pidgin in place of Live Messenger.

Today I was sent a spreadsheet that wouldn't play ball in Open Office so I booted into Vista. What an eye-opener - I hadn't done that in a while and I was so annoyed that I thought I would do it again and run time trials!

Boot-time to logon prompt
Vista: 30 seconds
Ubuntu: 20 seconds

Logon, launch Excel/Openoffice and open spreadsheet
Vista: 53 seconds
Ubuntu: 29 seconds

Shutdown
Vista: 81 seconds
Ubuntu: 9 seconds

Those times are dramatic (especially the shutdown time). But it is even worse when multi-tasking. Launching just a couple of applications within Vista renders it almost impossible to use. I ran CCleaner just 2 weeks ago because the slowness of the machine was so bad. CCleaner made a massive improvement but still not enough to push me towards Linux.

I am looking forward to Windows 7, to be fair. But it would have to be absolutely amazing to convince me to ditch my sleek Ubuntu setup.