Oren’s Weblog

Asbed’s memorable quote (regarding students): You gotta reach ‘em to teach ‘em.

Mobility at MIT – Michael Gettes
MIT Mobile Framework
m.mit.edu – went live summer 2008. went open source spring 2009. v2.0 went live fall 2009
also have an SMS service which covers earlier phones like RAZRs.
- want to deliver to multiple platforms – all smartphones, feature phones, and PDAs.
Applications
Purely web based – native apps strategy TBD.

Web apps built with community participation. CIO funded up to $250k per initiative – total funding around $750k.

A bunch of universities are using their platform (27+).

Architecture (top down)
- browser detection (WURFL) – abstracts a lot of the UI issues across devices. (wurfl.sourceforge.net)
- SMS is parallel to that – both talk to Content Generator api layer.

Lots of work in rethinking apps to work in the smaller form factor.

Students building lots of apps – there’s a course (6.087) in building mobile applications.
Allocate about 25% of Andrew Yu’s time to work with faculty and courses. “one person can make a big difference.”

MIT Research on mobile – near field communication trial; Center for future banking; Open transaction network; Organic indoor location discovery.

1.5 FTE dedicated to mobile platform, plus contractors (including students).

iMobileU – vision: create a collaborative framework for higher ed institutions to jointly develop and enhance mobile solutions as open source projects. Kicked off Summer 2009. https://spaces.internet2.edu/display/imobileu/

60% of accesses are iphone (and ipod touch).

Candy Borland – Mobile at USC – http://mobile.usc.edu
What we did with no money (aside from what they have to do central web sites).
75% iPhones (including iPod Touch), 11% Android, 7% Blackberry, 5% other – major USC web site mobile use.
Done purely web-based apps, targeting webkit browsers. You can do most of what you need with the web – can’t talk to the sensors on the phone (accelerometer, compass, etc). Thinking about native apps, but haven’t gone there yet. Bus schedule is one of the most popular.
Doing an aggregated RSS feed reader (with some personalization) – reader.usc.edu

Design point – Need to have a thumbable UI.
Question – will Apple (and others) make sensors accessible from the web interface?
Another question – is the back-end ready for the mobile world?

Tim Flood – iStanford – A Mobile STudent Interface
Challenges and opportunities
- Approaching as an administrative user interface for their Peoplesoft system, about which people ask: “can’t you do better than this?”
(implemented Peoplesoft in 2000-2001, already regard it as a legacy system).
- Highly motivated students, capable campus partners. Worked with two teams of students so far: CourseRank – a web 2.0 interface to courses; TerriblyClever.
- want to encourage multiple interfaces to admin systems.
- Decided to develop for iPhone – didn’t want to wait for standards to evolve. Thought over time they could migrate to other platforms. To date have had no requests for iStanford to run on other devices.
- Anthropology research at Stanford – 9% of respondents pet their iPhones, 3% have names for them, 21% of grad students and 15% of undergrads describe iPhone as “appendage”

iStanford today – now have authentication working. Doing simple course adds and drops. Can view grades and study lists. Using Web Services and RSS feeds.

Klara – Duke has added student financial transactions and status to their iPhone app.

Planning for tomorrow – View the mobile platform as the successor to the Stanford ID card. Financial transactions, Access and privilege control, Student ID. Also want an app they can use during emergencies – be able to locate people and have them report where they are; view student bills (being worked on now, hopefully for release in February); announcements and advertisements platform that uses GPS; Places (dining, etc) with locations on map (modeled on Duke’s); Library search, map, stack maps, hours; Class textbook information; Dining app (like Chipotle or Starbucks apps); AskJane (knowledge base for student services); iTunes U and authenticated class video.

Pleasant surprises – 65k downloads of iStanford, where population is ~20k people.
Let your clients design your UI (the TerriblyClever guys) – don’t need to include all the functionality you can.

Student can be unpredictable (and the can be bought out overnight). This can impact your strategy.
Testing is a learning experience, and so is submitting to the App Store.

Early on committed to using the power of the tools at hand – if there’s a way to enhance the experience using the properties of the device itself they’ll develop for it and figure out how to accomodate those that don’t have the device.

Brett Pollak – UC San Diego Mobile
Campus web manager and product manager for campus-wide CMS.
Many of the same problems with mobile usability that we had with web design in the 90s – small resolution, low bandwidth, connectivity problems, lack of flash/javascript support, etc.

Did a survey to prospective students about mobile browsing behavior.
40 respondents: 70% had smartphones, 40% had iPhones. 20% visited ucsd.edu from mobile device. They wanted: maps, student directory, courses, calendar, news.

The decided to provide student functionality – maps, news, directory, courses, shuttles. All audiences benefit from these. Decided to use TerriblyClever. App launched in June ‘09. Around 10k active users to date. Just launched Blackberry app. Shuttle schedule is the most popular, then courses, directory, maps, athletics, photos, news then YouTube.

They’ve contracted with mir3 for opt-in emergency notifications. Klara notes that at Duke parents in particular love that functionality. Would be nice if it were more integrated with the web for notifications too.

Podcasting and videocasting of courses at discretion of professor. 27 locations across campus, including all of the 24 large lecture halls. 95 courses podcast this quarter, 6 with video. http://podcast.ucsd.edu

Where they’re going – integrate WEb content managed by CMS with app functionality from Terribly Clever. Keep apps and m.ucsd.edu in sync. Support broader group of smartphones. Integrate “add-ons” such as Worldcat Mobile (library catalog search).

Feedback is that people really like the “one-stop shop” of the iphone app.

Elazar notes (in response to a question) that they’re not necessarily wed to this vendor forever – now that they’ve done the hard work of getting the data interfaces in order they could migrate to another platform.

Michael asks the question of where we want to take all this – the vendor route or go our own route. It’s not just about the iPhone – what about the upcoming tablets? Shel notes that it’s not just about the vendor options, but the size of the investments. ERP wave is over, so it’s a matter of being nimble – making targeted investments where we don’t have embedded incentives to keep them beyond their reasonable life. Not the kind of time scales we previously dealt with. Go into investments with smaller amortization periods – like 30 months. Bill Clebsch – it’s about unbundling of sets of services – moving from being service providers to service brokers. Rate of market change is accelerating. Landscape, particularly in mobile, is undergoing tremendous change. Need to start looking at all our businesses that way – the way of ERPs is gone. The ill effects of ERP live on – we’ll spend the next decade trying to take that apart. Klara – what’s giving the value add? It’s not the infrastructure – if there’s a framework we can put our information in without developing.

Tim points out that there’s a lot of work to be done with our existing systems on integration – that’s the logjam. The key is web services. Takes a minimum 9 month cycle to get something changed in Peoplesoft – that’s unacceptable. Can the web services in the ERP be developed to allow more agility. Elazar – the iPhone app gave tremendous value which can’t be measured – students and alum are extremely proud. All about timing – a year from now that wouldn’t have value. Serge – it’s a giant carrot we can use to get people to do all sorts of good things with back end systems.

Question about authenticated access to mobile apps. Michael – personal certs on iPhone for access to web apps, as well as shibboleth access. Bruce – iPhone OS doesn’t handle kerberos. Worked with TerriblyClever to integrate security. Not perfect, but didn’t let that stop them from moving forward. Not a true single sign-on across apps. Ken – precipitates the deeper question about Shib for non-web apps. Lots of work going on in that space, but so far seem to be one-off solutions until we understand the pattern.

Elazar asks about other uses. Shel says that their field stations have an iPhone app using the camera for data collection. They want to have higher resolution and want to tie it into the sensor nets for real-time connections. Serge – is anybody looking at developing student response systems? Apple has one available. Tim – students ask for a more seamless experience across the student system and Sakai. Someone notes that there’s a radiology measuring tool on the iphone.

Tim – there have been some discussions between TerriblyClever and CollegeNet about doing iphone access to 25Live (successor to Resource25) for event scheduling, via 25Live’s web services.

Can You Trust Me Now? RL “Bob” Morgan (U Washington)

Grade submission as an example – worked as a paper process, using bubble sheets which got scanned. The paper is the artifact – it’s about who’s holding it. Eventually gets back to the registrar’s office, then processed by people who are supposed to do something with the signatures but don’t really have a way to verify.

Online submission process- Instructors enticed by gradebook app in LMS, users sign on to LMS with NetID. Instructor of record inserts grades, reviews, and submits.

Old process relied on physical practices and personal relationships. New process relies on integrity of LMS and its connection to student system, accuracy of authorization, reliability of NetID system in all its parts.

What assurance do we have it’s the right person submitting the grades? Not comparable to the old process which was not about the person as much as the piece of paper.

Should we use two-factor authentication? What are instructors’ practices in protecting workstations and data? Data protection policy said that if you’re dealing with personal data then 2 factor should apply. But decided not to, based on the level of data you have access to. What are peers doing, are there standards?

That’s the assurance problem statement.

Basics of identity assurance

What are the risks to applications – they need to provide services to the world, protect their stuff, not be hacked. There are other kinds of risks – bad programming, database security, etc. What is identity? From the app point of view, anything about a requesting party that can be used to make an access control or resource allocation decision. Maybe just a userid, maybe much more. Traditionally much of the data is stored within an app, which implies practices that have to be justified to whoever oversees it. Now we like to externalize services. Motivates need for formal description – what is the app trusting, how do you talk about it?

One size doesn’t fit all – apps come in different sizes and shapes. Even if we thought there was one true identity everyone should use (popular a few years ago), evidence shows you can’t do that all the time. There are things that users just won’t do – if I have to provide a whole bunch of info about myself to use an app, I might not be willing to provide it. High assurance by its nature requires more work and information from the user. We need a range of practices. Need good ways to describe them.

Elements of IdM practice – about which apps migh want assurance. Registration and identity proofing – how does the notion of the existence of a person with an address and a relationship to the institution get into the identity system in the first place? How do we know it’s true? Relies on other information coming in from the world – photo ID, who’s doing the checking. How do we create a credential for that person? (typically userID and password). How do we know the credential is in the hands of the right person. Those processes can be expensive and rely on staff to support. Authentication services – has to work well all the time. What about managing additional user info (email address, e.g.)

End up with different practices for different kinds of people. We might present a huge matrix of possibilities to apps.

Elements about IdM operators – Organizational maturity – documented procedures, leadership consistency, authority of population/orgs in question. Operations change management, security, user support, logging, privacy.

Levels of assurance – in SAML there’s an elaborate spec about how in a authentication response you can put a megabyte of data about how assurance and identity proofing was done. Most reasonable people think that needs to be simplified.

US Government leads the way – OMB 04-04 (Dec. 2003) promotes e-authentication for e-government, using external identity providers. Characterizes risks into four levels. Support those levels with standards saying what the practices for each level should be. E-Auth esablished program to evaluate IdPs. They’ve been working on revisions ever since. Hoping to issue it this year. A set of universities were evaluated five years ago.

The four levels 1 – little or no; 2 some; 3 high; 4 very high
l1 – typical internet account – no tie to real-world identity. Use email address. Do you know that it’s a person? Is the billg account on LinkedIn really Bill Gates? You get assurance that the person coming back is the same person.

l2 – standard business practice. Identify person, know who they are, refer back to real-world docs. Don’t get it right all the time, but mostly we do. Usernames and passwords

l3 exta-secure business practice – use two factor authn

l4 – if you have to ask you can’t afford it.

The government moves on…
E-auth has some problems. Funding not stable, not serving needs of agencies. Shut down March 2009.
Working with NIH to work directly with InCommon and universities. using practices consistent with CAF/800-63.
Maybe this should be the way it works – agencies working with their constituencies (doh!) GSA now has an ICAM office endorsing that approach.
InCommon fills the vacuum – InCommon IDentity Assurance. To give us enough formality to work with the agencies we want to work with. InCommon would be certifying that an entity had met the requirements – InCommon Silver.

InCommon Assurance documents
Identity Assurance Assessment Framework – describes overall approach, processes, role of IT organization and auditors.
Bronze/Silver Profiles – details of compliance elements, much taken verbatim from E-Auth CAF, also in “auditor-friendly” checklist form
Published November 2008 – a number of campuses working on it, nobody yet saying they comply.

Gov 2.0
Obama administration seeks to transform government transparency, delivery via web
A lot of effort people coming to Washington, sharing info. A lot driven by social networking like we were discussing this morning – citizen engagement. OpenID is a big thing for citizens authenticating to government – informed the GSA to make it happen.

A big tent for protocols, trust providers – ICAM creates more modular structures – not just SAML and PKI, but a process for blessing other protocols – Identity Scheme Adoption Process – hold up protocol against 800-63. “Comparability” is the principle. There’s also a Trust Framework Provider Adoption process. Documents published summer 2009. Profiles fro OpenID (level 1 only), Information Card protocols.

Who ya gonna trust? Kantara Initiative – successor to Liberty Alliance, working in many identity areas. Has industry-oriented group working on its own Assurance Framework, also parallel to CAF. Set up operational Assurance Certification process similar to InCommon. One of the big auditing houses, for example, might offer that certification as a service. Has applied to GSA to be TrustFramework Provider. InCommon could end up being a certifier in the Kantara framework. Kantara is more of the model of big business using “auditors in white coats”. InCommon is helping to shape how the rest of the world is being created.

OpenID Foundation and Information Card Foundation – newly empowered by government interest. joined together in opposition to Kantara to develop the Open Identity Framework model – allows for self-certification. Really promoted for “open government.” Used InCommon docs as starting point. Google and Yahoo are at the table.

InCommon applying to be a TFT at some point.

Assurance and Privacy

Trust framework – new section came in about privacy principles – Adquate notice about using federated authn; users must auth in; only required info is sent.

Dealing with ICAM privacy reqs – InCommon developing privacy addendum to its assurance program. Notion is that existing university policies cover, so we don’t need to adopt the technical means mentioned.

New FERPA rules 2009 – suggest that student data protection requires “good” authentication practice, but how good is good? Working to get InCommon Silver blessed for this.
National Student Clearinghouse – student-self-service access – want to impose standards on campuses. Working to get Silver blessed for this.

What’s a campus to do? Work to comply? Some schools are doing. Doing the practice is different than complying with regs. Define its own levels/profiles? Do the four levels really meet our needs?

What means compliance? To meet silver do all users have to be Silver? No. It is fine for one IdM system to have user entries at many different levels. One user might be at different levels depending on hwo they signed on. But system as a whole must meet Silver system criteria.

Can we rely on existing proesses – if we can’t, can this work?

Who does the audit? – Hoping internal university audit.

Password issues – interpreting password-protection requirements is hardest technical part of compliance.

Klara Jelnikova (Duke -> Chicago) Duke’s Identity Assurance Journey

Identity Managment joint across Duke University, Duke Medicine and Duke Health System. Card Office technology part of the identity management space. Card system shared too.

Identity Assurance – Round 1
NIH InCommon pilot as a start of a structured discussion. Research faculty cahmpions InCommon bronze compliance. Held tech expo this fall – room was packed with research faculty for id management session. Other faculty viewed some aspects (like password expiration) as “Orwellian”.

Chasm? Using IdM to manage different assurance levels within a single IdM. Business needs drive higher levels. Aligned with InCommon categories. Model has been expanded for unified DU, DM, DHS, account management.

Health System Challenges – People have legitimate need for high level assurance apps but fall otuside Duke HR – contract or temp nurses or affiliated physicians. Adding Helath System credentialing system as a system of record. Non traditional apps such as shared clinical workstations. Need for PIN tracked in core IdM (with appropriate card coding. Speed of authentication (swipe and PIN versus username and password). Highly specialized apps and equipment – tough integration.

Lessons learned – having a clear busines caseis key. Incremental approach. Working on documentation towards InCommon levels. Hard to work on documentation. Health System can be a great ally as long as you can manage the complexity.

My opinion – we’re enjoying a new golden age of music. The proliferation of available music production and distribution tools driven by the Internet have unleashed a complete torrent of creativity that may very well be unprecedented. The problem now is not seeking out rare finds, but trying to figure out which of the gazillions of options to spend precious time and attention on. Luckily, we’re also seeing great people stepping to the fore to help find good music. My favorite resources for finding new tunes lately have been the ever wonderful John Gilbreath, now on radio five mornings a week at KBCS, and two great NPR offerings, the Blog Supreme jazz blog and the All Songs Considered web site and podcast. I spend a fair amount of time listening to Accujazz Radio on the web, which has a great selection of different jazz channels to pick from. I’ve also used the lists on emusic a lot. Other great local sources to follow have been trumpeter and bandleader Jason Parker’s One Working Musician blog and Twitter feed, and all the good work happening at KEXP.

So that’s how I find music, but what have I found that I liked this year?

• Allen Toussaint – The Bright Missisippi.

  The New Orleans r&b icon goes further back to the sources of New Orleans jazz and finds the spirit still burning bright.

• Visqueen – Message to Garcia

  Lots of late ’70s New Wave influences get modernized in Rachel Flotard’s fine return to power-pop-punk form. I hear echoes of Blondie, the Ramones, Joan Jett, and the Cars, underneath the fine writing and singing. This one I find addictive.

• Jason Parker Quartet – No More, No Less

  Local trumpeter, blogger, and tweeter Jason Parker put out this fine release this year, and it’s been in heavy rotation in my household ever since. Nothing revolutionary or outré, but fine jazz from some of Seattle’s best young lions. Support your local jazzers!

• Miguel Zenón – Esta Plena

  OK – so he’s both a MacArthur (who said he’s “at once reestablishing the artistic, cultural, and social tradition of jazz while creating an entirely new jazz language for the 21st century”) and a Guggenheim fellow, on the faculty at the New England Conservatory, and he’s not yet 35 – you can tell he’s a real slouch. Zenón’s Earshot concert at the Triple Door was a 2009 highlight for me, and this album where he delves deep into the plena rhythm of his native Puerto Rico is at once modern and traditional, and swings hard with sweat, brains, and joy.

• Darcy James Argue’s Secret Society – Infernal Machines

  When I was a kid in the ’70s Don Ellis was the hip big band. This is much (MUCH!) better. Darcy James Argue is reinventing the big band tradition, with a healthy dose of indie rock and a steampunk aesthetic that is intensely appealing. He writes a great blog, too!

• Ben Allison – Think Free

  Fine moody, cinematic jazz from bassist and composer Ben Allison along with a good crew of co-conspirators including violinist Jenny Scheinman, who’s showing up everywhere these days. I also like his Think Free Project, where he’s encouraging musicians and film makers to use his compositions as a springboard for creativity and asks them to post the results.

• Chick Corea and John McLaughlin – The Five Peace Band

  Fusion Lives! The old guys can still play rings around most anybody, and are clearly having a ball with an all-star band composed of Kenny Garrett, Christian McBride, and alternating drummers Brian Blade and Vinnie Colaiuta. Better than a quadruple shot Americano!

• Booker T. – Potato Hole

  Speaking of old guys, Booker T. is another one not content to rest on his considerable laurels. He gets together here with the Drive By Truckers and some lead guitar from Neil Young and produces a fine modern set of greasy, soulful instrumentals.

• Eric Clapton and Steve Winwood – Live from Madison Square Garden

  More old dudes! I’ve always had a weakness for Steve Winwood’s soulful voice and great songwriting, and it’s great to see him get back together with Clapton in what is essentially a Blind Faith reprise. The songs are mostly terrific and the band is in a solid classic groove. Get your ’60s nostalgia on!

• Mark Isham + Kate Ceberano – Bittersweet

  This was a discovery from eMusic. Mark Isham is a West Coast jazz and film musician who plays trumpet, and Kate Ceberano is an Australian pop singer. In an era where every pop vocalist seems to feel the need to issue an album of jazz standards, this one stands out for its smoky atmosphere and understated elegance. If you walked into a nightclub and heard this you’d have a very fine evening indeed. Okay, they’re both Scientologists – what’s up with that, anyway?

• Fly – Sky & Country

  Lyrical, spare, almost introspective chamber jazz that stakes out its own territory. Mark Turner, Larry Grenadier (who’s one of my favorite current bassists), and Jeff Ballard explore the sax-bass-drums trio format, which I know from experience is not easy. Beautiful music that deserves more than a casual listen.

• Passion Pit – Manners

  Fun! Poppy! Synths! Beats!

• Mulatu Astatke / The Heliocentrics – Inspiration Information 3

  The London-based jazz-funk-hiphop collective perhaps best known for being DJ Shadow’s backing band get together with esteemed Ethiopian musican Astatke and cook up a hard grooving melange that is a blast to listen to, but hard to not move to. Pan-global-funkalicious-jazzy-afro-jazz!

There’s lots more from 2009 that I haven’t caught up with yet – Bill Anschell and Brett Jensen’s duo offering, Phoenixs’ Wolfgang Amadeus Phoenix, Dirty Projectors’ Bitte Orca, Vijay Iyer’s Historicity, Henry Threadgill’s Zooid – This Brings Us To, Vol. 1, and so much more – and here comes 2010! So much music, so little time. What are your 2009 faves that I should check out?

Here’s the score from the predictions made at our 2008 New Year’s Eve Party for the year to come – I’m scoring on a 0-10 scale:

Tom – one car company will go under. – Score: 0, but only because of federal intervention.
Ed – Keith Richards will die. Score: 0 – Keith Richards will outlive us all.
Jeannie – Economy will not recover. Score: 5 – Depends on who you ask (or whether you’re currently working).
Michele – Sara Palin will disappear to raise her grandson. Score: 5 – she disappeared from the Governor’s office, only to return in our nightmares as a trashy book author and darling of the lunatic fringe.
Michele – Michael Jackson will die. Score: 10. Wow. Prescience in our midst.
Oren – Seattle will have another snow event this winter. Score: 0. What a stupid prediction.
Tom – BB King will die. Score: 0. BB King will live almost as long as Keith Richards.
Michele – Katie will decide to go to grad school. Score: 0, as far as I know.
Chris – We’ll pay less for gas (on an overall average) than in 2008. Score: 10, check it out here.
Manny – They’ll discover that George W. Bush and Dick Cheney are one and the same person. Score: well, come on now.

And finally – the prediction on how many games the Mariners will win:
Oren: 80
Tom: 74
Marcia: 76

Score: The M’s did better than any of us dared to predict, finishing the year at 85 wins and 77 losses. Just wait till this year!

Check back in a few days for our 2010 predictions!