Parallels 7 vs VMWare Fusion 4

I use a VM on my Mac to run Windows for the sole purpose of using remote desktop to my work laptop. Yes, I know that Microsoft offers a free RDC client for the Mac. But the client doesn't support multiple monitors on a Mac and that's a show stopper for me. I've been using VMWare Fusion 2 & 3 for a bunch of years now and I can't say I was ever really happy with it, but it seemed to do the job. But I recently compared VMWare Fusion 4 to Parallels 7 and for my use case Parallels 7 is slightly better than VMWare Fusion 4, and with Parallels' upgrade offer for VMWare Fusion 3 users it's a no brainer in my opinion to switch to Parallels 7. So I have. More details below the fold.

Average, percentiles and measuring service performance

Measuring the performance of services is tricky. There is an almost irresistible desire to measure average performance. But measuring service performance using averages is pretty much guaranteed to provide misleading results. An average hides the tail: a handful of very slow requests barely move the mean yet are exactly what a real fraction of users experience, and a standard deviation assumes a roughly symmetric distribution that latency almost never has. The best way (I know of anyway) to get accurate performance results when measuring service performance is to measure percentiles, not averages. So do not use averages or standard deviations; do use percentiles. See below for the details.
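To make the point concrete, here is an added example (not code from the original post) that computes the mean and standard deviation next to nearest-rank percentiles over a constructed set of 100 request latencies: 95 fast requests between 10 and 29 ms and 5 slow ones in the seconds range, the shape you get from GC pauses, lock contention or a slow downstream call. The sample values, the `percentile` helper and the 200 ms SLO are all assumptions made for the example.

```python
"""Why averages mislead when measuring service latency.

Added example, not from the original post. The latency samples below are
constructed: most requests are fast, a few are very slow.
"""
import math
import statistics
from typing import Dict, Sequence

# Constructed sample of 100 request latencies in milliseconds:
# 95 "fast" requests spread over 10..29 ms plus 5 tail requests.
FAST_MS = [10 + (i % 20) for i in range(95)]
SLOW_MS = [1500, 1800, 2000, 2400, 3000]
LATENCIES_MS = FAST_MS + SLOW_MS


def percentile(samples: Sequence[float], p: float) -> float:
    """Nearest-rank percentile: the smallest sample value such that at
    least p% of the samples are <= it.  Deterministic and defined for any
    sample size, which is why it is used here instead of an interpolating
    method (numpy's default, for instance, interpolates linearly)."""
    if not samples:
        raise ValueError("no samples")
    if not 0 < p <= 100:
        raise ValueError("p must be in (0, 100]")
    ordered = sorted(samples)
    rank = math.ceil(p * len(ordered) / 100)  # 1-based rank
    return ordered[rank - 1]


def summarize(samples: Sequence[float]) -> Dict[str, float]:
    """Mean and standard deviation next to the percentiles that actually
    describe what users experience."""
    return {
        "mean": statistics.fmean(samples),
        "stdev": statistics.pstdev(samples),
        "p50": percentile(samples, 50),
        "p90": percentile(samples, 90),
        "p95": percentile(samples, 95),
        "p99": percentile(samples, 99),
        "max": max(samples),
    }


def fraction_within(samples: Sequence[float], threshold_ms: float) -> float:
    """Share of requests served within threshold_ms."""
    return sum(1 for s in samples if s <= threshold_ms) / len(samples)


def slo_verdicts(samples: Sequence[float], slo_ms: float) -> Dict[str, bool]:
    """The same SLO judged two ways: by the mean (misleading) and by p99."""
    return {
        "mean_passes": statistics.fmean(samples) <= slo_ms,
        "p99_passes": percentile(samples, 99) <= slo_ms,
    }


if __name__ == "__main__":
    for name, value in summarize(LATENCIES_MS).items():
        print(f"{name:>6}: {value:8.2f} ms")
    print("requests under 100 ms:", fraction_within(LATENCIES_MS, 100))
    print("SLO of 200 ms:", slo_verdicts(LATENCIES_MS, 200))
```

On this sample the mean (about 125 ms) is more than six times the median (19 ms) even though 95% of requests finish under 30 ms, and the standard deviation (over 400 ms) is larger than every fast request put together. A 200 ms SLO judged by the mean is green; judged by p99 (2400 ms) it fails, which is what the slowest one in a hundred users actually sees. When comparing numbers across tools, check which percentile definition each uses, since nearest-rank and interpolating methods can differ on small samples.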

Distributed Storage Reading List

My technical wanderings of late at Microsoft have taken me into the realm of massively distributed storage. Of course, I've been here before but this time I need to bring some other folks along. So I was asked to put together suggested readings to help people come up to speed. I thought the list might be of general interest so I'm posting it here.

What do you think? Is this a good list? A bad one? What would you suggest?

Sharing sparse disk image bundles across OS X machines

Normally using my Mac is a simple joy. But recently I created a sparse disk image bundle on my main OS X box and wanted to share it with other OS X boxes. This is quite possible but requires some very arcane commands to make it work. I explore those commands below.

User IDs – managing the mark of Cain

Facebook's latest privacy debacle was driven by its failure to properly manage user IDs. This is not a new problem area and, as the EFF points out, Facebook has done this before. So while I don't know if Facebook will be interested in this post, those who care about protecting their users' privacy in an age of data sharing may want to have a look at the threats and defenses needed to share user IDs across sites. Securing user IDs isn't easy.

[Update 10/22/2010: Changed the title and intro and added three new sections at the end.]

OAuth 2.0 Bearer tokens – unsafe at any speed?

Eran's latest article raises a number of specific security threats by way of arguing that bearer tokens are irredeemably insecure. In this article I examine the attacks Eran calls out and demonstrate that they are already addressed by OAuth 2.0. Eran's article does bring up an interesting question: do we need defense in depth behind the tamper resistance and confidentiality provided by SSL/TLS?

Bearer Tokens, Discovery and OAuth 2.0

Part of my day job is working on adding discovery to OAuth 2.0. This article provides a summary of some of that work. So I was more than a little concerned when I saw a blog article from Eran Hammer-Lahav, the editor of OAuth 2.0, asserting that OAuth 2.0 couldn't support secure discovery. Very worried that something was terribly wrong, I carefully read Eran's article. I summarize below what I believe his concerns are and explain how I believe those concerns would be addressed by extensions to OAuth 2.0 to support discovery. I also explain how Eran's article helped me find a flaw in my own proposal and how I propose fixing that flaw.

Building full delegation in OAuth – This time in English

OAuth enables a very simple type of delegation: a user can delegate permissions between two services that they have accounts on. In other words, OAuth lets a user delegate permission to themselves. But full delegation allows arbitrary users of arbitrary services to give permissions to each other. In this article I summarize the two key extensions to OAuth needed to enable it to do full delegation. The first is "on behalf of" (e.g. a service saying "I am making this request on behalf of user X") and the second is a very simple directory service. The rest of the article tries to use something like plain English to explain how these features could work in OAuth.

Thoughts on updating finger services

Having a finger service as a directory to find information about users and services appears to be absolutely necessary if ad-hoc information sharing between people and services is to be possible. But just having a way to finger a person or service is less than half the battle. The real challenge is making it possible for services to update their users' finger information in an ad-hoc manner. I explore the issues around dynamic finger update in this article.

Using OAuth WRAP and Finger for ad-hoc user authentication

The OpenID community has worked long and hard to make ad-hoc logins possible on the web. Part of that process has been experiments with a number of different technologies and approaches. Below I make my own proposal for how to handle ad-hoc logins on the Internet using OAuth WRAP and my own spin on Finger. I offer this up as food for thought.