Simon Bisson & Mary Branscombe's Blog

Would you pay another £3 a month for fast fibre?

By Simon Bisson & Mary Branscombe in Editorial

Posted in Business, Futures, Networking, Internet on July 31, 2008 at 2:47 pm


BT shareholders should stop worrying about the cost of fibre. Everyone wants fast broadband and the current plans aren’t so expensive that they’ll take years to pay off.

I noticed the other day that the market didn’t take well to the news that BT is really moving forward on plans to roll out fibre across the UK to drag broadband speeds into the 21st century (think 8Mbps DSL is fast? - check out Korea, or Paris where they’re laying 30Mbps fibre). Cable coverage in the UK is a joke (NTL bought the cheapest demographic data it could find for high population density and ended up cabling multiple occupancy council estates where it couldn’t get licenses to offer a service and running out of money before it got round all the consumers and small businesses that actually wanted cable modems).

Now the analysts at Point Topic have done some interesting sums. BT’s proposal to cover 40% of the homes in the UK for £1.5bn works out at £150 per household - a lot less than the £800 each in previous calculations for doing all 25 million households. And making that pay dividends to all those worried shareholders will only take about £3 per household, according to Point Topic, because BT will be making savings on operating costs. Fibre means new services to sell; we might finally be able to get seamless roaming between landline calls, mobile calls and VOIP - it’s all IP underneath, after all. Some of the bandwidth will doubtless get eaten up by pay-for IP TV services.

And the regulator will need to keep an eye on who you can buy fibre from or we’ll be back to a monopoly faster than you can tell Sid pirated content isn’t the only reason anyone wants a fast connection (when did you last use an MSDN CD instead of downloading the ISO?). The industry has been asking OFCOM to promise it will be able to make money out of fibre as if it was something new and different. There may be more trenches to dig in remote areas - although you can blow fibre down an existing conduit with compressed air - and you have to get the termination right, but it’s not rocket science. As Tim Johnson at Point Topic puts it, “by and large BT’s shareholders should be able to finance the investment, carry the risk and reap a good profit in return.”

Bandwidth; it’s a business, not a right, but it should be good business all round.
-Mary
 


 

You say Express Gate, I say Palladium

By Simon Bisson & Mary Branscombe in Editorial

Posted in Futures, Silicon, virtualisation, Hardware, Laptop, Mobile, Security, Intel, Microsoft on July 28, 2008 at 12:41 pm


Imagine a second, simpler operating system on your PC with fixed features, so it’s more secure - after all, if you can’t add more programs you can’t add a virus either. It would have to start up quickly, so that Windows wasn’t waiting for it, so it would be ideal for listening to music and watching video. I’m not thinking about virtualization per se, although that’s one way to achieve something similar; this is two operating systems side by side, both with access to the PC hardware, but one of them does much more limited and circumscribed things.

Can you tell what it is yet?

No, actually, I’m not talking about Palladium - sorry, Microsoft Next Generation Secure Computing Base. That grew out of an attempt to reassure Sony that it would be OK to allow DVD movies to play on a PC without piracy becoming endemic and turned into a much more useful and visionary idea about using public key cryptography not to identify people but to secure machines. It would have been a good way to implement the DRM it was associated with in the public eye, though it wouldn’t have forced it on anyone who didn’t want to run it. Palladium loaded a secure piece of software called the TOR that acted as a secure area that could only run trusted code (written to public APIs), where the apps would be invisible to the main OS - all secured by the machine-specific key in your TPM and some new technology from Intel.

Ironically, trust was the issue with Palladium; nobody trusted Microsoft to either be building a secure system that didn’t impact on a very robust interpretation of free speech or, if it was, to do it right. The smallest part of the concept made it into a couple of versions of Vista as BitLocker; whole disk encryption secured by the TPM.

But the Palladium concepts are showing up in a lot of other places, including the NSA’s Security Enhanced Linux and Citrix’s Security Enhanced Xen - a small OS that runs as a secure virtual machine with isolated applications, using the TPM and Intel’s new hardware virtualization technology …

Intel even uses the words Trusted Computing Base, which might be a hostage to fortune given the fate of Palladium. The DRM discussion hasn’t started yet, but there’s a trusted channel to the keyboard, mouse, memory - and the graphics subsystem, which is what some thought would allow copy-protected DVDs to be watched in the secure area of Palladium, without the option to copy them. This time around it’s more likely to be copy-protected downloads: killing off HD DVD has actually made Blu-Ray less likely to get mass adoption, as player and disc prices stay high.

There are far more benefits to Palladium-style secure computing than protecting the movie industry or saving the banking industry from having to upgrade anti-fraud backends. You may keep your AV up to date and your company documents secure, but one in six of all PCs that touch the Google site has a bot and they’re all sending you spam.

And while the systems that look so much like Palladium that I get déjà vu are still a little way off, Asus is already selling machines with Express Gate. Granted, this is more like the embedded operating systems you see on a lot of media notebooks; it boots up in eight seconds and lets you see your photos and play your music. It has an Internet connection, so you can browse the Web without waiting for Windows. But it also uses the TPM in Montevina and you can treat it as an isolated operating system, says the press release: “Friends and family can use your notebook to nip online, use IM, listen to music, play and view without having access to your data, the system or the Windows environment.” Very Palladian.
-Mary


 

Intel predicts an all IA future, consigns CUDA to the footnotes

By Simon Bisson & Mary Branscombe in Editorial

Posted in Silicon, Futures, Intel, Server on July 2, 2008 at 9:05 pm


With Intel’s 40th birthday on the horizon (and with it the 40th anniversary of the microprocessor), Intel’s Pat Gelsinger took a few minutes yesterday to ruminate on the past, present and future - and to take a few questions.

Beginning with a look back to the i386, and the shift from 16 to 32-bit computing, Gelsinger pointed to a time of technical and industry transition, much like today. It was the point where Compaq moved ahead of IBM, and Windows and Microsoft began to shape the software industry. We’re in the middle of another shift at the moment, what Gelsinger called the “third era of Moore’s Law”.

The first era was the age of invention, with the second concentrating on scale and manufacturing. Gelsinger calls the third era “The right hand turn”, where the industry starts to concentrate on energy efficiency. He went on to describe the industry’s success as resulting from “the power of compatibility”, where compatible software means that each generation of silicon can inherit the work of the entire industry (with just a little recompile along the way). There have been plenty of changes in microprocessor design, purely by increasing numbers of transistors - the power controller on Intel’s Nehalem processors is bigger than Gelsinger’s first processor. There’s a sheer complexity to these machines, which Gelsinger described as “the most advanced things ever built”.

That’s the past and today, so what about tomorrow? Intel reckons on having 10 years of visibility into the future of silicon. Gelsinger described silicon as “the scaffolding for half the periodic table”. The future will be much the same, even if it’s based on silicon nanowires and spintronics. The first big change will be in just a couple of years, with the shift to 450mm wafers. The investment this requires will be huge, and Intel expects this to trigger a wave of industry consolidations - just to help pay for the new fabs.

Gelsinger also sees Intel’s IA architecture as a key differentiator between it and the rest of the industry. As multicore systems become more and more common, and as IA scales up to teraflop terascale systems and down to milliwatts, software will be compatible between all the different versions of the architecture. There of course will be different languages and libraries (especially for parallel processing systems), but code will be portable.

The result will be what Gelsinger calls an “AE724” world. Bill Gates’ vision was a computer on every desk and in every home; Intel’s is much more ambitious. It’s a world where everyone has access to the Internet, with computing embedded into the environment and the infrastructure - everywhere you can imagine. It’s certainly a big picture - and one that will mean a shift in the way we develop applications and in how we design networks and data centres.

We blogged about GPU-based computing last week, and Gelsinger was asked about Intel’s response to NVIDIA’s CUDA and AMD’s CTM. Describing CUDA as “an interesting footnote in the history of computing”, Gelsinger talked about GPU computing as a cool idea that required a new programming model. He felt that this would be hard to deal with compared to general purpose computing techniques, and suggested that Intel’s massively multicore Larrabee would be the right answer in the long term.

It’s true the microprocessor and the software stack make a huge difference. I probably wouldn’t have dialed in to the conference call if Skype didn’t connect to US 1-800 numbers for free from anywhere in the world. Whether the future’s all Intel is another question. IA is an important architecture but there’s still space for low power alternatives like ARM, or for specialised co-processors from the likes of Toshiba, Azul, AMD and NVIDIA. General purpose silicon is just one way of working - and if you’re prepared to target a specific niche there’s still plenty of scope to make a very healthy profit with specialised silicon.

–Simon


 

Video opera? What would you do with huge bandwidth and millions of pixels?

By Simon Bisson & Mary Branscombe in Editorial

Posted in Web browser, People, Futures, Networking, HP, Internet on May 27, 2008 at 4:56 am


One of the highlights of the Future in Review conference is the chance to go to the supercomputing visualization lab at the University of California in San Diego, CalIT2. It’s run by Larry Smarr, who used to run the National Computing Supercomputing Applications where he told one of his graduate students, Marc Andreessen, to write a visual browser for the World Wide Web Tim Berners-Lee was working on over at CERN. When they showed NCSA Mosaic off, “everybody told us nobody needed it”, he says.

Given how wrong that turned out to be, it’s worth keeping an eye on what Smarr thinks is important – bandwidth and pixels. Not content with the bandwidth of Internet2, he’s been putting together a multigigabit network connecting universities around the world for sharing data and collaborating over video conferencing. And making video real enough to suspend your disbelief means a lot of pixels; the 60-foot screen in the CalIT2 lecture theatre has four times the resolution of HD, the standard digital cinema will use when the movie theatres work out how to make money from it. To kick off the evening, Smarr invites Microsoft’s Curtis Wong to show off the 12 terabytes of images in the new World Wide Telescope, a map of the sky that zooms from star fields to galaxies to the solar systems coalescing inside them out of dust, fading into infra-red and wavelengths that show more structures.

The 30″ screens on most desks around the lab are dwarfed by the 200 megapixel video wall - eleven rows of five 30″ Dell screens crammed side by side to make one giant display with 100 times the resolution of HD. There are displays that wrap around the edges of a small room, stretching over your head and powered by eight HD projectors, that show us the surface of Mars in 50 million pixels rather than the 2 million pixels from the World Wide Telescope.
 
It’s not size to prove screens can keep getting bigger; Larry Smarr thinks we need the bigger view. “We’ve artificially limited our brain by this stupid million pixels on a screen and we’ve unblocked that.” So how much more can we see; is there a limit? “Reality! You don’t see everything you think you see - it’s not as simple as pixels. There’s a limit to what you can resolve spatially, above 24 frames per second you don’t really see more. But the brain is capable of absorbing about 1 gigabit per second, 24 bits deep 16 million colours.”

From medical images to satellite maps, there are plenty of images to enjoy at that size. You can see the intricate details inside cancer cells or watch winter spread over the world. You can stand inside a building that exists only as a CAD diagram and walk through lifesize doors to see if the layout works. You can step forward to see the hidden sketch under a Leonardo painting, revealed by infra-red photography and displayed so you can see every line. Or you can watch life-size opera live from the Concertgebouw in Amsterdam, or the opening ceremony of the Nobel prize from Japan and feel like you’re almost there. Every candle flame, every reflection, the brocade patterns on every kimono, the expression on every face.

These are the technologies that are coming to office video conferencing if you have the network bandwidth. Smarr advised HP on developing the Halo system and he’s putting in a Cisco TelePresence room at CalIT2 for academics to use for collaborations. The commodity hardware and open source software that powers the high-resolution screens isn’t as expensive as those. Each screen of what Larry Smarr calls the optiputer - systems connected by optical fibre that make up a worldwide computer system - costs about $2,000. But of course the bandwidth is what really raises the price tag. Cisco TelePresence needs about 10Gbps; the big screen system is over ten times more.
-Mary


 

More battery life, fewer explosions

By Simon Bisson & Mary Branscombe in Editorial

Posted in Futures, Silicon, Toys & gadgets, Hardware, Laptop, Mobile on May 23, 2008 at 9:02 pm


No battery ever lasts long enough. The extended battery on the HP 2710 tablets Simon and I carry gives us a full day of work, nine to ten hours or less if we turn on Wi-Fi. I’ve been typing since 8am this morning and online a few times and it’s now 1pm and I have four hours left. That’s just about acceptable, but it’s never enough - I’m wondering where the nearest power socket is. Two technologies we saw at the Future in Review conference this week could produce much longer battery life - if they ever make it to market.

Lithium ion batteries work by packing as much lithium as possible into the positive and negative electrodes inside the battery and then moving ions from them, through the electrolyte fluid and out to your device. The more lithium you can get into the electrode, the more ions you can get out of it. That’s how Yi Cui of Stanford is hoping to get a battery that lasts ten times longer. He’s replacing the usual copper electrodes with silicon, which can store ten times as many lithium ions.

That’s not news; we’ve known for 30 years that silicon stores more lithium, but it also swells up more than copper because of that - and when it swells up, the electrode breaks. Yi Cui’s breakthrough was using silicon nanowires that are much more supple; each wire is only 100 nanometres wide, but they’re very long. Silicon is also more stable than copper, so increasing the energy density doesn’t make it more likely for batteries to explode the way it does with current batteries. It doesn’t make it hotter either, because it’s the internal resistance of the battery that causes the heat, not the capacity.

Ten times as many lithium ions doesn’t mean ten times the battery life; by the time you add in the rest of the battery system, including the electrolytes and the packaging around it all, and some further developments that are still under wraps, you could get double the battery life of lithium ion today.

Startup Seeo is starting with the other half of the battery, replacing the electrolyte fluid with a plastic film that’s very like the polymers used to make motorcycle helmets. For one thing that means it’s much safer - no matter how hot the battery gets it won’t catch fire. But it also works with other battery chemistries than lithium; according to Seeo, some of the lithium replacements they’re looking at could give you 50 to 70 times the energy density of lithium, so you get a choice between smaller devices or longer battery life in the same size we lug around today.

We’ve seen a lot of new battery technologies over the years and few of them have made it to market. One promising zinc battery might finally show up in notebook PCs this year, maybe, possibly - four years after I first saw it running a laptop. It’s not just that the chemistry might turn out not to work as well as it did in the lab. At the moment you can only charge a silicon lithium battery 100 times before it won’t charge enough to be worth using; that has to go up to 500 times before you’d think about putting it in a mobile phone you’d keep for two years and more like 1,000 for a notebook. Both Seeo and Yi Cui are aiming to charge as quickly as lithium ion, but they’re not there yet - silicon lithium batteries could take an hour to charge.

And hardware manufacturers have to see enough of a demand to change the power supply and charging system in a laptop or phone. Seeo’s lithium battery might fit into an existing device but that’s more about safety than longer battery life; a different chemistry will need a different charger. Silicon lithium batteries run at a slightly different wattage and the value that tells the system the battery is fully charged and doesn’t need more power is also different.

So are these new technologies going to languish the way others have? Maybe not. For one thing, people will pay more for longer battery life, so manufacturers have an incentive to switch. And for another, with the price of oil and petrol still rising, electric cars are looking more likely and both these technologies promise to scale up enough to power cars. When you can do that, a smaller battery for a phone or a PC almost comes for free.
-Mary


 

Say it in English – and reQall remembers it for you

By Simon Bisson & Mary Branscombe in Editorial

Posted in Applications, Futures, Internet on May 3, 2008 at 4:04 pm


Do you speak fluent geek? Or would you rather your computer learned to speak your language? To those of us who’ve done a little programming, a regular expression is pretty clear. But when I’m reminding myself to call an airline or make a payment on my credit card, I think in comfortable phrases with fuzzy edges; Monday morning, any time before the banks close on Thursday. When it comes to doing the accounts, I’m more likely to think ‘last January’ than January 2007. When Windows XP said ‘My Documents’ it sounded like a toddler in a tantrum; when Outlook says Last Week, Last Month or A Long Time Ago, it sounds halfway human. A halfway human teenager, to whom everything more than four weeks old is ancient, but that’s more comfortable than inhuman precision.

Fuzzy human thinking is hard for computers, because sometimes the rules are hard to learn (when do banks close? When does my particular bank close? Is next Thursday tomorrow or in a week’s time if it’s 11.55 on Wednesday?). For other things they’re impossible to learn because we don’t know what they are. How do you tell the difference between a photo of a cat and a cartoon of a dog? You just know which is which, and you know instantly - but you can’t describe how you know well enough to teach the rules to a computer.

Jeff Hawkins, who once founded Palm, has been working on the neuroscience of what humans can do to turn it into something you could teach a computer. The neocortex of the brain, where this recognition happens, unfolds to about the size of a dinner napkin; ‘my dinner napkin is talking, your napkin is listening,’ as he puts it. And in the neocortex, recognition patterns are distributed hierarchically and in sequences. We learn spatial patterns and the sequences things happen in, which Hawkins calls hierarchical temporal memory. The brain is predicting what’s likely to happen next and confirming what you’re seeing, hearing and feeling by passing signals up and down the hierarchy. Hawkins’s company Numenta has software for working with hierarchical temporal memory; car manufacturers are using it to try and understand traffic, governments are more interested in identifying who is speaking on a particular phone call.

Even though Hawkins thinks HTMs in silicon can be millions of times faster than the rather slow neurons in your head, it’s going to be a while before computers really understand what we say. In the meantime, there are a few systems that can fake it quite well. Tripit is a travel service that knows the format of the confirmation messages you get from airlines, hotels and car hire companies; forward all the confirmations for your next trip and it will extract the information and combine it into an itinerary, along with weather reports and suggestions for local restaurants and activities. Instead of having to print out a sheaf of papers to carry with you, you can get the details you need in a single email on your phone.

Tripit doesn’t understand everything; the company needs to work out the format for every hotel chain individually and they haven’t started on conference registrations yet. ReQall aims to understand free speech, as long as you use the right keywords – like ‘remind me’ or ‘ask Simon’. You can email, text, IM or phone ReQall and use standard English – “remind me to call Virgin Atlantic at noon on Monday” - and come Monday you get a reminder by email, IM, phone or SMS as you prefer. It’s natural, it works the way people work and it understands at least half of the things you want it to understand.

It’s like asking a friend to remind you of something, but always having them remember to do it. In fact, sign a friend up, and as long as they agree, you can have them sent reminders too. Think of it as outsourced nagging…

-Mary


 

Nobody knows what Web 2.0 really is

By Simon Bisson & Mary Branscombe in Editorial

Posted in Business, Enterprise, Web browser, Futures, Google, Internet on April 26, 2008 at 7:28 am


Well, Tim O’Reilly has an idea, because he came up with the term. And the new O’Reilly Web 2.0 consulting practice ought to know. In fact one of the reasons the company set up the consultancy arm is to get everyone to agree on a definition, because we can’t have a good conversation about the benefits Web 2.0 can bring business if we mean something different.

Some people think of Web 2.0 as just about social networks or about sharing user-generated content. By other definitions, anything built with Ajax is Web 2.0, but that would make Outlook Web Access the first ever Web 2.0 service. Is it just having a blog? That doesn’t make Dell a Web 2.0 success. O’Reilly’s original definition was coined before Facebook or YouTube and before blogs were popular and it doesn’t depend on a particular programming language or style. He wanted to explain why Amazon was so successful, why eBay dominated online auctions, how Google was beating everyone else at search. His answer was that they were mining what users thought about the books they were buying, the people they were buying from and the Web pages they linked to and turning that into information for other users.

Web 2.0 is a combination of collective intelligence and network effect, taking user-generated content and metadata and using it to add value, creating applications that get better the more people use them. “Every true Web 2.0 company,” says O’Reilly, “is building a database that grows better with the number of participants.”

Social networks and blogs and interactivity on the Web site are all part of that, but the heart of it is much more structured data. So far, the big Web 2.0 success stories have mostly been companies that started online. If Web 2.0 is really that significant it should help companies who’ve been around for decades as well; how does a blog help if you make shoes or run a phone company? Mostly by letting you turn your customers into unpaid consultants.

The O’Reilly consultants have a fund of amusing mistakes by companies that didn’t get the point, from AT&T saying they wanted to reach out to unhappy customers who were ready to move to another provider - but didn’t want to create a community just to listen to people complaining - to a large consulting firm that was horrified at the idea of letting customers talk to each other.

There was the watch company that cancelled plans to send out images of a new watch to key bloggers because they didn’t want to spoil the effect of their million-dollar launch party and had to watch a grainy picture from a cameraphone go round the blogs instead - making the watch look cheap and nasty. One large retailer declares confidently that ‘none of our employees use Facebook’; that means they’re not in the ‘I hate working here’ group trying to find out what’s wrong with the company. Another retailer is spending $2 million on research about shoppers that it won’t see for 13 months, when it will be completely out of date.

A blog won’t fix a company that makes bad products or has terrible customer service; but having a way to hear what customers are saying and respond to it can - if the company is actually able to change. “Going Web 2.0” for the sake of looking up to date is pointless; using technology to build a relationship with customers is valuable.

Is any of that the same as Web 2.0 for online services? Not really. And the O’Reilly folks actually admit that. When they talk to a company, they use the term ‘social Web’ because Web 2.0 is ‘distracting’.
-Mary


 

HP and Microsoft; who do you think matters more to the technology industry?

By Simon Bisson & Mary Branscombe in Editorial

Posted in Futures, Business, Hardware, Server, HP, Microsoft on April 20, 2008 at 7:22 am


Microsoft makes a lot of noise. The company holds dozens of conferences, broadcasts its ambitions in every market from mobile phones to data centres to next-generation TV, goes on a buying spree, gets taken to court by everyone from Novell to the EU. HP also makes acquisitions and has ambitions in a lot of markets and employs over twice as many people as Microsoft, but it doesn’t make nearly as big a splash in the industry, for some reason. It’s not for lack of success. Microsoft boasts of the 31 million Windows Mobile phones it’s sold; HP boasts that eight out of every ten text messages are sent using HP technology (inside the mobile operators rather than in your hand).

Wherever Microsoft is, HP is there too (from mobile phones to data centres to next-generation TV); in almost all cases, selling infrastructure rather than competing software. The exception is system management and when a dealer asked Mark Hurd this week why he’d asked Steve Ballmer along to the event where HP was sharing what it wanted dealers to get excited about this year, Hurd pointed out that even there HP takes a wider view. “Microsoft is very focussed about managing Windows environments and Microsoft environments. That’s what’s important to them. And it makes sense for them to be the best in the world at that. We have to be the best in the world at managing heterogeneous environments; we have to be able to take an IBM environment, a Linux environment, a ‘insert name here’ environment and be the best. Microsoft has to optimise simplicity of management of the Microsoft environment. We don’t believe the world will ever be exclusive to Microsoft.”

Ballmer wasn’t offended by that and used the broader view line himself, emphasising all the places from printers to blade servers where the two companies collaborate. He’s also banking on HP to put some style and sparkle back in a PC marketplace that can look lacklustre compared to Apple products that look good even when they can’t compete on features. “We’ve got a lot of work we’re doing on the future of the PC and what that looks like; driving down price, driving up features, driving more excitement. Certainly neither Microsoft or HP likes the shots we’ve been taking with Apple’s adverts and the blah blah blah… On the consumer side there’s so much opportunity today, we can add value to business productivity; we’re stepping back to remind ourselves what we can do.”

Adding features matters more than driving the price down to get businesses to keep buying new PCs every three years rather than pushing older machines to last a decade and that’s where HP Labs comes in.

HP cares about research, but it’s a means to an end – solving problems by creating products and services – rather than pure knowledge. For pure knowledge you stay in academe; although Microsoft’s Bill Buxton points out that he left academic research for commercial when he was asked to write business plans rather than papers. Mark Hurd is totting up his R&D dollars but it’s not the cost he complains about; “We spend 4.2 billion in R&D to get the best products and services and then only go after half of the market.”

Rather than squeezing the research budget specifically, he’s leveraging it and putting more emphasis on the D than the R. HP Labs looks five to ten years ahead, but it also collaborates with engineers to create products. Microsoft Research uses a mix of technology transfer and researchers who move across to product development groups to shepherd their project into the commercial world. The really important thing is that they can always go back to research afterwards; their job is guaranteed to be there.

HP takes a different approach. Phil McKinney is the CTO of the personal systems group – everything from iPaqs to the Blackbird gaming system that’s selling to developers to the 2710p tablet PC we both use to the shiny and cute new 2133 Mini-Note UMPC (which manages to achieve Apple levels of desirability despite the Via C7-M processor – which might make it even more like an Apple product). But he also runs the Innovation Programme Office and I don’t think it’s named IPO by accident; it’s certainly about taking things public.

The way it works is that a team from the IPO works side by side with the researchers (quite literally; they sit at the next desk). For 12-18 months the two teams work together; the researchers carry on researching, the designers build products and gradually the researchers do less and less and the designers do more and more. Then one day the designers have learned everything the researchers have found out and they spend six months running that into the final product.

There are 28 products in the pipeline with the IPO, coming out two a year – which means starting with 1,800 pipedreams that get whittled down to 200 ‘workable’ ideas. Blackbird was the first, cherry-picking existing HP technologies like blade cooling and push-fit hard drives. The new DreamColor screens are the second. These are LCD screens with colour accurate enough to satisfy DreamWorks and there’s a 30” screen on the way. And there’s a team in HP Labs right now, sitting next to the data centre that rendered Shrek 2, working on the next project. Odds are, it will be something that Microsoft will be interested in…

-Mary


 

From security theatre to security cabaret, or why too much security is worse than none

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Business, Identity, Futures, Security on April 12, 2008 at 6:46 am

Permalink | Author Profile

Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week; flying is one of the safest forms of transport and if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.

Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account and copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.

The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.

Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).

Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.

  • “IPv6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
  • “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
  • “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”.

 

Identifying who you trust to know where you are

By Simon Bisson & Mary Branscombe in Editorial

Posted in Privacy, Business, Enterprise, Identity, Futures, Internet, Security, Microsoft on March 25, 2008 at 8:40 pm

Permalink | Author Profile

Way back when consumer digital maps were new, I went in to see the Dorling Kindersley World Atlas on DVD. We were looking at the California map and I wanted to see where the Apple headquarters were. I said ‘Cupertino’ and the helpful PR said ‘OK but I thought we could finish the demo and then have lunch’. We looked at each other blankly for a little while; they’d heard a rather curt ‘cup of tea now!’ rather than a place name. Even if you know you’re talking about location, there’s room for error. When you put San Jose into Dopplr, you get 25 places, none of them in California.

Fire Eagle - Yahoo’s new location service, which will act as a universal broker between location services like the Loopt system Google Maps uses on mobile phones and services like Dopplr - is trying to be smarter about identifying what you type. It knows that Grand Canyon is a place. And if my GPS has sent one location and I’m typing another in on the Web, it doesn’t just take the latest update.

It knows that my GPS co-ordinates in Campbell are actually inside the better-known San Jose area, so it can pick the most accurate designation. But if the last place my GPS knew I was before the batteries ran out was 60 miles away in Southern San Francisco, Fire Eagle will say I’ve moved on.

As a geek, I’m delighted. I’ll have much more chance of having an interesting conversation if a friend can see I’m not just in California but in San Francisco, not just in San Francisco but at the Moscone Center, not just at Moscone but leaving the press room and heading for the West Hall. I want the friend travelling from New Zealand for the Web 2.0 conference to know exactly where I am. I want my editor to know pretty well where I am, although if I’m interviewing a source in the bar rather than writing up copy in the press room I might want a fudge factor of 50 feet. My sister wants to know which state and maybe which city I’ll be in. The PR person trying to reach me probably only needs to know which timezone I’m in.

But do I want every Facebook user - including the burglar who’s spotted we look at a lot of new smartphones - to even know I’m out of the office? My personal blog is more likely to have a photo of the drawer unit I decoupaged at the weekend than of the drawer unit in place, with two monitors and a scattering of mobiles on it, for much the same reason; or if it has the more revealing image, I’ll be limiting it to ‘friends and family’ via settings on Flickr and LiveJournal.

Actually, of course, I’ll have to do both, as the two sets of identities don’t match up. If LiveJournal users annoyed at the way the new Russian owners of the site have handled introducing adverts on all free accounts migrate to other services, it will be even harder to include the people I want to publish to, because the only cross-site identity that’s really in use is OpenID and it’s not ready for primetime.

For one thing it’s not supported by every site (or even a large proportion of them), and there’s a mix of support for the older, less secure OpenID 1.1 and the newer, stricter OpenID 2. And even with the newer, stricter OpenID 2, OpenID isn’t secure; it’s vulnerable to attacks from either end of the connection, and the middle - that’s because it’s little more than a simple, lightweight way of saying ‘that URL over there? It’s me, that is’.

It doesn’t say what the URL you’re pointing at is, only that it’s some URL that supports OpenID. Mary.WeHackYouForMoney.com is a valid OpenID (well, it would be if I paused to register the domain and set up the OpenID code).

OpenID is good for the simplest of single sign-on systems (for more complex enterprise SSO, take note that IBM just bought Encentuate). It lets me say, without an API, that the me on Facebook is the me on Flickr, LiveJournal, LinkedIn and so on (because I have to tell each site to accept the OpenID request from the next one, so I must have the username and password to get into each previous account).

Anil Dash of Six Apart (former owners of LiveJournal) mentioned to me at Etech 08 that several large customers (for values of large enough to run Oracle) are using OpenID for employees and partners so they can prove they work for the company in online discussions. Proving identity is a nice idea; but OpenID just proves they have access to a domain that sounds about right. To have an Internet-wide identity system that will let me choose friends across a mix of sites and services, there’s going to have to be something a little stricter, like SAML or WS-Federation.
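To make the "domain that sounds about right" problem concrete, here is an added example (not code from this blog or from any OpenID library) of a site deciding whether an already-verified OpenID identifier belongs to a company. The function names and the example.com company domain are assumptions for illustration; even the strict check only shows control of a URL under that domain, not who the person is.

```python
from urllib.parse import urlsplit

# Constructed value: example.com stands in for the employer's real domain.
COMPANY_DOMAIN = "example.com"


def naive_is_employee(claimed_id: str) -> bool:
    """Weak check: the identifier merely 'sounds about right'."""
    return "example" in claimed_id.lower()


def strict_is_employee(claimed_id: str, company_domain: str = COMPANY_DOMAIN) -> bool:
    """Accept only https identifiers whose host is the company domain or a subdomain."""
    try:
        parts = urlsplit(claimed_id.strip())
        host = (parts.hostname or "").lower().rstrip(".")
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https" or not host:
        return False
    if parts.username or parts.password:  # reject userinfo such as https://example.com@other.test/
        return False
    if port not in (None, 443):
        return False
    # Exact match or a true subdomain; a bare suffix match would accept notexample.com.
    return host == company_domain or host.endswith("." + company_domain)


def lookalikes(identifiers):
    """Return identifiers the naive check accepts but the strict check rejects."""
    return [i for i in identifiers if naive_is_employee(i) and not strict_is_employee(i)]


# Constructed sample identifiers (the last is the hypothetical one from the post).
SAMPLES = [
    "https://mary.example.com/",
    "https://example.com/openid/mary",
    "http://mary.example.com/",
    "https://notexample.com/mary",
    "https://example.com.login.test/mary",
    "https://example.com@login.test/mary",
    "https://mary.wehackyouformoney.com/",
]

if __name__ == "__main__":
    for ident in lookalikes(SAMPLES):
        print("accepted by the naive check only:", ident)
```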

Identity systems like Higgins, Bandit and Microsoft CardSpace could all work together to let me pick an information card with the information I want to assert about myself and an identity provider I want to have back it up. Then you’d know that Experian says I’m on the electoral roll and IT Pro says I’m a writer here - and when you choose to let me see where you are in the world you’d know who you were showing your itinerary to.

And if you’re still expecting CardSpace to make the same mistakes as Passport and pass your details on from every site using it to Microsoft… About the same time IBM bought Encentuate, Microsoft bought Credentica; not so much for the U-Prove software as for the maths behind it. This is a provable protocol that lets you outsource information provision without letting the information provided out of your system. Instead of boning up on CardSpace and SAML, you could say to your usual IT consultancy ‘bill me for a CardSpace system that proves my employees work here’. The information provider would assert that your CTO was your CTO, but it would never get his name to pester for a new contract. The information provider wouldn’t see my travel dates or my list of who I count as a friend. Identity, location - and a bit of privacy.
-Mary


 

   