• New Privacy-Technology enables new (private) Business Models

    We announced it recently: We acquired the U-Prove technology from a company called Credentica, and quite a few key members of Credentica have joined us. When we announced it, my excitement was – well – limited. It was another company we bought. But when I started to look into it, I started to understand the potential of the technology.

    Think about the following scenario: You want to offer a chat room for teenagers. The typical problem in this scenario is: how do you make sure that the teens can come in and the perverts stay out and leave the teens alone? What you usually do is collect all kinds of information (name, address etc.) in trying to find a way of proving the age. With that, you have just created a privacy problem, and probably not what I would like to see as a parent. U-Prove now allows you to verify an attribute of the identity (in this case the age) without revealing the whole identity. If you think it through, this gives you entirely new ways of creating tailored services without having to care about the privacy problems, as you do not collect any PII anymore – cool, isn't it?

    If you want to read more, read Brands' blog (one of the founders of Credentica): http://idcorner.org/2008/03/06/microsoft-acquires-credenticas-u-prove-technology/

    Or Kim Cameron's blog: http://www.identityblog.com/blog.php#post-934

    I am looking forward to seeing this integrated, e.g. into CardSpace, and then to you adopting it.

    Roger

  • Technology to Circumvent Censorship

    Well, I was thinking hard about whether I should blog on this or not. But then a friend of mine brought up a valid point: I am always claiming that a lot of issues on the Internet are still missing a public debate, which is more important – and this might well be one of those.

    I do not want to take a position here, and I am aware, looking at the map of my visitors, that the debate would be pretty one-sided.

    However, it is an interesting project: http://psiphon.civisec.org/ and if you want to know the details: http://psiphon.civisec.org/samples/psiphon_guide.pdf

    To quote from their website:

    psiphon is a human rights software project developed by the Citizen Lab at the Munk Centre for International Studies that allows citizens in uncensored countries to provide unfettered access to the Net through their home computers to friends and family members who live behind firewalls of states that censor.

    Living in a European country, it is normal for me to have freedom of speech, and it is interesting and encouraging to see that the debate on what people want on the web is going to happen as well.

    Roger

  • Sun and Apple Updates – A Sheer Nuisance!!

    As you all know: I rarely blog on competitors and – even more rarely – blog about them negatively. But this time I definitely had to:

    Like most of us, I have QuickTime on my PC as well as a Java VM. I know that there are alternatives for this software, and the same is true for RealPlayer, which is – for me – from a privacy perspective about where Windows Media Player was about 6-7 years ago, but this shall not be the topic here.

    Regularly I am prompted by Apple to install updates – for software I do not even have. So, I am not only prompted regularly to install security updates for QuickTime (and there are a lot), but they have also been trying to force iTunes onto my machine for quite some time. Regularly I tell this updater not to prompt me anymore for this update, but this seems to be valid for the current version of the product only. Today it got even worse: I was prompted again by this so-called updater to install updates and was asked to install Safari! It was not just a proposal, it was already preselected by Apple – so kind!

    Also today, I was asked to install a newer version of the Java VM on my private PC, and guess what – why do I have to tell this installer, each time I install an update to the Java VM, that I do not want to install the Google toolbar? I have to de-select it as – kindness of Sun – it is already pre-selected!

    Why the heck do we invest a huge amount of time to teach consumers to switch on the update engines in order to get Security Updates and then our industry partners come and behave in such an irresponsible way? Let the user choose what he/she wants and then stick to it.

    Now, I hear you saying that we pushed IE7 out as a Security Update. Yes, this is true, but this is different from the two examples above: First of all, we only updated existing installations of Internet Explorer. So, the user chose to install it or buy Windows with it, and we updated it. From our perspective (and this was a long discussion internally) the security progress in IE7 compared to IE6 was so significant that we decided to push it out via Automatic Update.

    Sun, Apple and others: Start to let the consumer choose. I hope that you do not need this kind of business model to make a profit! Security Updates have to be strictly separated from the business goals, as their job is to make sure your customers use your technology in a secure way.

    I will switch off these updates and try to stay current manually, as these policies are simply not acceptable to me as a user.

    Roger

  • Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution

    I usually do not blog on Advisories we release, as I guess that you have subscribed to the corresponding alerts. If not, you should do that now here.

    This one is a little bit different, as I know that quite a few people within Microsoft are working during Easter because of this vulnerability. Therefore I want to make sure that you have seen it. Please read the Advisory called Vulnerability in Microsoft Jet Database Engine (Jet) Could Allow Remote Code Execution and make sure you do your proper risk assessment.

    Roger

  • Sun and Apple Updates – A Sheer Nuisance!! – Part 2

    Quite a few of you read my initial post on that – and I like the comments I got. Now, it seems that I am not the only one who is angry:

    I quote from What Microsoft can teach Apple about software updates

    For the record, I think Apple is dead wrong in the way it's gone about using its iPod monopoly to expand its share in another market. Ironically, an excellent model for how this update program should work already exists. It's called Windows Update, and it embodies all the principles that Apple should follow.

    And: Apple Software Update (btw John is the CEO of Mozilla). It seems that John and I are in agreement:

    It's wrong because it undermines the trust that we're all trying to build with users. Because it means that an update isn't just an update, but is maybe something more. Because it ultimately undermines the safety of users on the web by eroding that relationship. It's a bad practice and should stop.

    [I'll make 2 points that I want to make very clear: (1) this is not a criticism of Safari as a web browser in any way, and (2) I have no objections to the basic industry practice of using your installed software as a channel for other software. This is specifically a criticism of the way they're using the updating system. I'd much prefer to be writing about Firefox, but this practice hurts everyone and is important to note.]

    A comment on this blog post: If Microsoft did the identical action, install some non-user-selected software using their software update channel, there would be cacophony across the Internet.

    Roger