September 2010 Archives

On September 1, 2010, the Federal CIO Council released the "Federal Enterprise Architecture (FEA) Security and Privacy Profile (SPP), Rev. 3."  A lot has changed since the last revision of the FEA SPP was published (June 1, 2006).  I look forward to seeing what the CIO Council has come up with.

I will update this post with analysis of the document as soon as I digest it.

FEA SPP Version 3 (5 MB Word document): http://www.cio.gov/documents_details.cfm/uid/480F4A03-BDBE-6B59-FF19F5759D020C31/structure/Enterprise%20Architecture/category/Enterprise%20Architecture

Readers -- I encourage you to discuss the document here in the comments section.

On September 1, 2010, the Federal CIO Council released the "Federal Enterprise Architecture (FEA) Security and Privacy Profile (SPP), Rev. 3."  This updates the FEA SPP published on June 1, 2006.  A lot has changed in the privacy landscape over the past four years.



Run a system that uses SSH for remote access? IBM suggests the following three steps to help lock down your SSH connection:

  1. Changing SSH's standard port to an unusual value and reinforcing SSH configuration so that simple-minded attacks just bounce back.
  2. Defining a restricted list of users who are allowed to log in.
  3. Completely hiding the fact that you even allow SSH access and requiring a special "knock" sequence to be recognized as a possible user.

Read more at http://www.ibm.com/developerworks/aix/library/au-sshlocks/index.html
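As an added example (not from the IBM article or this post), here is a small POSIX shell audit that checks an sshd_config file against steps 1 and 2 above. It treats PermitRootLogin and PasswordAuthentication as the "reinforcing" settings of step 1, which is an assumption, and both configuration files are constructed samples. Port knocking (step 3) is configured in the firewall or a knock daemon, not in sshd_config, so it is not checked.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the SSH lock-down steps above.
# Not code from IBM or this blog; the two config files below are constructed.
set -e

# Value of a directive. sshd uses the FIRST uncommented occurrence of each
# keyword, so we stop at the first match. Match blocks are not handled.
ssh_directive() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one finding per line; no output means nothing to report.
ssh_findings() {
    conf=$1

    # Step 1a: a missing Port line means the default, 22.
    port=$(ssh_directive "$conf" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "step 1: sshd listens on the default port 22"
    fi

    # Step 1b: "reinforcing" the configuration. Assumed here to mean no
    # direct root login and no password authentication (keys only).
    if [ "$(ssh_directive "$conf" PermitRootLogin)" != "no" ]; then
        echo "step 1: PermitRootLogin is not set to no"
    fi
    if [ "$(ssh_directive "$conf" PasswordAuthentication)" != "no" ]; then
        echo "step 1: PasswordAuthentication is not set to no"
    fi

    # Step 2: without AllowUsers/AllowGroups every local account may try.
    allow="$(ssh_directive "$conf" AllowUsers)$(ssh_directive "$conf" AllowGroups)"
    if [ -z "$allow" ]; then
        echo "step 2: no AllowUsers or AllowGroups directive; any account may attempt login"
    fi
}

# Number of findings (always exits 0, so it is safe under set -e).
ssh_finding_count() {
    ssh_findings "$1" | awk 'END { print NR }'
}

# Constructed sample 1: what a stock distribution file often looks like.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed sample resembling a stock sshd_config
#Port 22
PasswordAuthentication yes
X11Forwarding yes
EOF

# Constructed sample 2: the same host after applying steps 1 and 2.
HARD_CONF=$(mktemp)
cat >"$HARD_CONF" <<'EOF'
# constructed sample after lock-down
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
AllowUsers alice bob
EOF
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

echo "== stock config =="
ssh_findings "$WEAK_CONF"
echo "== hardened config =="
ssh_findings "$HARD_CONF"
```

Run it against a real file by replacing the constructed paths with /etc/ssh/sshd_config; the first-match rule matters when a distribution ships commented defaults followed by local overrides.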

Gov 2.0 Live Blogging Day 2...

1056
Deep Dive: Identity, Privacy, and Informed Consent in the Age of the Internet Tim O'Reilly (O'Reilly Media, Inc.) -- Tim O'Reilly kicked it off with a personal statement about quickly reacting to "privacy incidents" with legislation and regulation.  "It is so easy to cut off a new technology before we understand it, before it realizes its potential."  Tim would rather figure out the tech and then figure out the wrongs and rights.

1100

Is it Possible to Share and Protect Sensitive Information? John Clippinger (Berkman Center Harvard University), Loretta Garrison (FTC), Dorothy Attwood (AT&T), Hilary Ward (Citibank)  -- Monetization of data.  Protecting data and sharing it at the same time.  How do we create a framework that allows the utility of this data to be realized while being respectful of people's data?  Attwood: we need a paradigm shift, allowing people to share but also giving them control.  We need innovation around the tools to allow this.  It is a difficult test to stop the bad guys and bad practices but allow innovation.  Mr. Clippinger suggested that the Fair Information Practices are outdated.  Garrison: It is a very challenging new world.  There is no anonymity on the internet.  No agreement on what comprises sensitive information.  No rules of the road.  Tech is moving too rapidly and has outpaced policy making.  Enhanced notice for behavioral advertising is needed.  "Reliance on notice, in the past, has demonstrated that you cannot expect consumers to read these notices, understand what's going on, and make decisions."  We need to factor in expectations of consumers.  Attwood: functionalizing privacy controls around behavioral advertising, making them actionable to individuals.  Garrison: If users don't want to be tracked, they should be able to say no. (Note: Will update with review...)

1117
The Future of Privacy Jules Polonetsky (Future of Privacy Forum) -- Shared anecdotes about opt-in on Facebook. Does not want to talk privacy but rather responsible data sharing and use.  Technology solutions will fix privacy issues before policy and regulation.  Facebook has made privacy a hot-topic issue, a populist issue.  Featurizing.  My thoughts: Jules thinks that the value of the data, the experience, will start to outpace the concerns of privacy.  The privacy concerns are simply from people who don't get it, who don't understand.  I disagree.  Notes: will digest and update.  Tim O'Reilly tweeted: "@timoreilly: idea that many privacy problems are actually issues of responsible data use #g2s [clever reframing to minimize issue]"

1129
The Robin Sage Experiment -- Very sadly, this was canceled.  I think this is an excellent and important study.  Check out my write-up and interview about the experiment: http://www.privacywonk.net/2010/09/the-robin-sage-experiment-interview-with-ogali-om.php

1129
Future Shock: Cognitive Radio and Spectrum Policy Dan Reed (Microsoft) -- Demand for spectrum (wireless signals) is outpacing ability to allocate.  We are shifting into a many device world.  Must be nimble as we think of our policies with spectrum.

1141
Cloud Changes Everything Steve Herrod (VMware) -- The idea of cloud nirvana is that the cloud will solve all problems.  The real challenge people have is that they are stuck in a legacy mess and looking to get into cloud optimizations.  Cloud shifts money expenditures...capital and operational allocations.  If you have money to build a data center and run a data center, how does cloud work into that?  Where there used to be a huge upfront cost, now it is a service you pay for like electricity.  How does the cloud work with education?  VMware is launching a new foundation focused on education.  Herrod discussed an example called The Illini Cloud, linking schools together to build a co-op cloud and pool their resources.

1310
A Conversation with California Secretary of State Debra Bowen Debra Bowen (State of California) -- Open source voting machines! "The place where you can make the argument best for open source software is in the elections process."  I cannot agree more with this.  Proprietary voting machines, whose code cannot be reviewed, do not support the public election process.  Open source, open review, open process for a private vote.

1332
Why We Need Open Source Electronic Voting Systems Gregory Miller (Open Source Digital Voting Foundation) -- Bryan Sivak (http://twitter.com/BryanSivak), CTO of Washington DC, stepped in for Gregory to present. Trust the Vote Project is the flagship effort of the OSDV Foundation.  Open standards, ballot counting, and more.  "If I think about what Gov 2.0 truly means to me, this is a great example: reinventing voting in the 21st Century."

Missed a few sessions here...will back fill.

1426
Creating Passionate Citizens Kathy Sierra (Creating Passionate Users) -- Reverse-engineer passion...passion is people who are so into a subject, getting better at it, and sharing.  Wherever there is passion, there are people kicking ass. Create deeper, richer experiences and help people get better at a thing.  "Stop trying to make a killer app, and instead focus on making a killer user."   Annnnnnnnnnd Kathy used lolcats as an example of passionate users.  Win!   Amazing presentation.

1435
The Need for Enterprise 2.0 in the Military Blake Hall (TroopSwap.com) -- Democratization of Military information.  Need to reverse information flows from bottom up to top down.

1450
Gov 2.0, Federal Use of Social Media and the Law Elizabeth Hochberg (General Services Administration) -- brand protection, IP, trademark, and laws.  Engage lawyers early on.  Compliance with policies and most laws is NOT impossible.  Great presentation; we need more tech-savvy lawyers in Gov. A picture of all the laws that apply to Gov 2.0 products:

Photo by Steve Radick.

1507
One Step, Many Feet: How Technology is Changing the Relationship Between Citizen and Government Stacy Donohue (Omidyar Network)  -- detailing the Omidyar Network.


For those unable to attend, here is my attempt to live blog the event.  Check out the official website http://www.gov2summit.com, follow the twitter hashtag #g2s, sign up for live streaming and check out the speaker presentations and videos here: http://www.gov2summit.com/gov2010/public/schedule/proceedings

Note to readers: This is less of a live blog and more of a live notes page. I hope it conveys some meaningful content to you.  If you have any questions, please drop me a line.  Also please note the links above that go to primary-source info (copies of presentations and videos) for the conference.

07 September 2010
Schedule of Speakers: http://www.gov2summit.com/gov2010/public/schedule/grid/2010-09-07

0900
Tim O'Reilly's Welcome -- Tim cautioned that, as history has shown us, all revolutions take time.  The captains of industry, upon seeing the personal computer, scoffed at it.  Ditto to the power of the internet.  Those changes happened as the usefulness was realized.  Played a pre-made movie featuring Mass DOT and NYC DOT for successes of open data uses.

0910
The Currents of Our Time
Carl Malamud (Public.Resource.Org) -- Highlighted NARA's revamping of the Federal Register.  Over $250M spent on the Electronic Records Archive (ERA) over the past decade.  Connectivity issues abound to the point where a server may be driven with a rent-a-cop to a test agency to download records and then driven to WV for uploading to ERA.  They measure throughput in bits per gallon.  Carl gave many more examples of excess and waste in many agency systems.  He discussed the history of reform through government, from the development of the aviation industry to the development of the FDA.  We need to finish the Open Government initiative, update FOIA laws and abolish the use of pay-for-data systems.  "If we can put a man on the moon surely we can launch the Library of Congress into cyberspace."  "Our nation's attic should be open for all to use."  We need to rethink the way we design systems.  We need an all-hands-on-deck approach to system design; we need to reboot .gov.  Absolutely amazing speech.  Please look for the video at http://www.gov2summit.com. Full text of speech here: http://public.resource.org/currents/

0937

Government Data and the Invisible Hand Harlan Yu (Princeton University) -- Author of the paper "Government Data and the Invisible Hand."  Tim O'Reilly stated the paper greatly influenced his thinking on open government.  Harlan wants government to publish more data, to close the disparity between dot com and dot gov.  Government cannot innovate the way private industry does.  In order for the government to increase transparency, it should reduce its role in presenting data on government websites.  Instead, his paper suggests the government simply publish raw data and allow citizens to innovate. Publish raw data, provide rich metadata, and apply cryptographically secure signatures to the data. "When raw data is an afterthought openness and transparency suffer."

0947
Why EMRs Will Transform Healthcare Jim Traficant (Healthcare Solutions, Government Communications Systems Division)  -- Shared a deeply personal story about his medical history; a two-time liver transplant recipient.  The health system has all of the data you could hope for but none of the information you need to make a decision. Meaningful use means saving lives. Interoperable electronic medical records are nice, but what we really need is an interoperable healthcare system. 84 days to 24 seconds to access information at NHIN Connect.  That is real change.

1000
XBRL in the Federal NIEM Framework Mark Bolgiano (XBRL US), Donna Roy (DHS) -- Interview session hosted by Tim O'Reilly. XBRL and NIEM explained by Mark and Donna respectively. Extracting legacy data from legacy mainframes is the biggest challenge we face.  Donna (not a direct quote): "we need to build privacy and security into our data as it moves." Mark stated a lot of people think that a lot of the financial crisis was an information crisis, a paper process that could not be analyzed.  O'Reilly: programmatic analysis and measurement of data is a critical task. Mark: "it's like a denial of service attack...reports to SEC are huge html documents with no links."  Roy, responding to a privacy question: "privacy in the context of NIEM, we think privacy starts first, second, and third.  Since the middle of the model is person-centric, portions of the model have been marked as privacy sensitive.  NIEM needs to have privacy built in."  O'Reilly: do we need to change our definition of privacy as identity becomes more important?  Roy: "We need to expand out what our definition of privacy is."  It's contextual information tied to personal information.

1016
Open Government Scorecard Ellen Miller (Sunlight Foundation) -- Sunlight is concerned about the forward progress of the Open Government Initiative.  12 out of 30 agencies in those initial publications of Open Government Data plans did not list new data sets to publish.  Only 75 new data sets have been put forward through the open government initiatives.  Real high-value data is missing in action.  Sunlight Labs announced ClearSpending -- found $1.3 trillion in broken reporting in 2009. We must push for gov 2.0 and make sure the citizens engage.

1025
U.S. Cybersecurity Policy, Strategy, and U.S. Cybercom General Keith Alexander (National Security Agency)  -- Five agenda points.  1. Cyberspace is critical to all of us.  Gen. Alexander provided some historical stats on internet usage.  250k probes into DoD networks every hour. As director, ensures everything we do protects our civil liberties and preserves rights under the Constitution while supporting the mission.  The challenge before us (securing cyberspace) is large and daunting.

1103
Open Government, Idea Generation, and the Department of Transportation John Porcari (Department of Transportation)  -- Open and transparent communication and collaboration.  DoT is aiming to make vast amounts of information available to the public.  #1 VisualDOT -- will push out data on flight delays, drunk driving, etc. #2 IdeaHub -- crowdsourcing ideas from employees. #3 RegulationRoom.org -- more transparency and openness in rule making.  Should not have to hire a lobbyist to have input into a rule or regulation.  (I missed a point Mr. Porcari had...)

1116
Building a "Holy Cow Machine" for Healthcare Todd Park (Health and Human Services) sits down with Tim O'Reilly to discuss his role as a federal entrepreneur.  Todd announced a new challenge at health2challenge.org and BlueButton. I love this idea...especially as it applies to broader privacy markets.  I'd like to go to Google and click a BlueButton to get my data.  Give me everything you have on me.  Ditto Facebook.

1133
PayPal: What We Do with Private Data from 200 Million People Osama Bedier (PayPal)  -- Sits down with Tim O'Reilly.  Some PayPal stats: 210 million accounts.  $140 billion processed.  Over $1 billion and hundreds of millions of bank accounts and ten years of transaction history on file.  Bedier: Earliest privacy problem of scale on the internet: sharing your credit card information on file.  "[PayPal] is maniacal about security."  Bedier says identity is critical for future transactions, like healthcare.  PayPal must prove identity, making sure you are who you say you are. Bedier suggests partnering with those who have established identity practices & assurance platforms, allowing them to help you with those services. Mobile devices and internet: PayPal is a wallet.  Credit cards and bank info live in your wallet.  So does identity. Security is ensuring you only share the information you want with the right people.  I appreciate PayPal's position, especially with an emphasis on security, but something is unnerving to me about the history of transactions PayPal keeps on file...

1150
Stability Out of Chaos from Information Sharing Michele Weslander Quaid (US Government)  -- Stability Out of Chaos from Information Sharing in Afghanistan to save lives and foster mission success.  Building partnerships is critical to success in both training Afghan forces to defend themselves and conducting humanitarian missions.  How can an internet connection allow people from around the world to support the mission? Enter: UnityNet.  Eliminate barriers to entry and get Afghans online to collaborate, build communities, etc.

1157
The Future of the Government Platform Clay Johnson (InfoVegan.com), Sanjeev Bhagowalia (U.S. General Services Administration) --  a conversation between Clay and Sanjeev (aka Sonny).  Lots of projects discussed: data center consolidation, FedRAMP for cloud, Forge (source code repo for gov), and more.  Clay: what's going on with the cloud? Sanjeev: Announced a contract for Infrastructure as a Service and an RFI for e-mail as a software service.  Working with NIST for security.  Mentioned upcoming OMB policy for allowing High, Medium, Low systems in the cloud.  Sanjeev: Announced Challenge.gov, which will host all future government challenges.  Clay: Scared by the lack of new blood in government-sponsored contests.  A new method for getting old ideas within government, as those participating are the same old folks. Clay: if we want true participation, why not take advantage of existing platforms such as SourceForge, GitHub, etc. instead of building out a government-only community/new community?  Sanjeev: We look toward the success of DoD's milforge, where we have to be careful of code quality and security.

1212
Reimagining FCC.gov for the 21st Century Consumer Julius Genachowski (Federal Communications Commission ), Steven VanRoekel (Federal Communications Commission)  -- Had to miss this session...

1315
Closing the Technology Gap Aneesh Chopra (Federal Office of Science and Technology Policy), Vivek Kundra (Office of Management and Budget)  -- Missed the beginning 5 minutes of this session.  Kundra: How do we drive fundamental change between technology and the economy? Kundra: "We need to continue democratizing data, drive innovation from 3rd parties faster." Kundra: Targeting about $30B on IT project investments that are no longer on schedule.  Shining light on poor projects.  12 projects at VA.  We've not only canceled but also turned them around.  Kundra: "In the same way open data is moving ownership to the American people, Challenge.gov is encouraging them to be co-creators."

1343
Government Challenges. Your Solutions. Bev Godwin (U.S. General Services Administration)  -- Provided an overview of Challenge.gov.  Success from amazing partners (White House and ChallengePost).  Contest examples: Kids.gov "How to Become President," EPA "Game Day Challenge," HHS "Connecting Kids to Coverage" and more.  Members of the public: Sign up and get started.  Support, discuss and share.  Federal employees sign up and post new challenges.

1353
Next Generation Models for Education Jim Shelton (U.S. Department of Education) -- Next generation models of education, but first understand today.  One student. How do you get one student to where they need to be?  If you do that every time, we have a successful education system; if you don't, the system is broken.  1.3 million who stop out or drop out.  50% finish high school and figure out they are not properly prepared for college.  15.5 students per teacher.  30 percent increase in spending since the 70s. 0.1 percent improvement on national reading scores since the 70s.  3.2 million teachers ready to go out every day and help those interactions between student and teacher to help people learn.  In partnership with the national education foundation.  Educators to define the biggest classroom challenges.  $1000 or less.  Community will vet the challenges, then propose solutions to those challenges.  50 state standards make it difficult for solutions to hit the mark.  We need one national standard.  One-on-one interactions with teachers and students lead to 2 standard deviations of progress.  How do you get tenfold productivity in our current system?  Steps toward Advanced Development and 1:1 interactions: Peers & Experts in social networks (knowledge sharing), Adaptive Algorithms, Massive data mining, cloud computing, low-cost devices, and ubiquitous broadband.

1404
The Startup Visa: Why We Need More Immigrant Entrepreneurs Brad Feld (Foundry Group) -- Missed this talk...

1417
Increasing Innovation by Speeding Up SBIR and SBIC Sean Greene (U.S. Small Business Administration) -- "If power corrupts, PowerPoint corrupts absolutely."  SBIC -- effectively a fund of funds.  $16B under management.  Gave birth to the VC market in the 50s; now it is more of a late-stage investment.  Zero cost to taxpayers.  SBIR: two-phase process, can fund up to $1M for R&D conducted in small companies.  Not a lot of companies know about this. Referenced Mike Cassidy's speech, "Speed is the Primary Business Strategy."  It took, on average, 15 months to fund research through SBIR.  Across the board, we implemented change to bring it down to 6 months and doubled the number of funds coming through the program.  Speed in government is slow but it is being improved.  Even in the government space, think like a start-up.  Think big.

1429
The Power of Pull John Seely Brown (Deloitte Center for the Edge)  -- Platform approach to learning.  Push to pull learning economy.  Move from stocks of knowledge to flows, participating in knowledge flows.  Mobile devices as curiosity amplifiers. Startl -- an accelerator/incubator for teachers to create their own iPad/iPhone/Android apps. Connexions -- open courseware.  "Lenses" applied via social software for peer review of open course material to ensure validity and accuracy.  Need to shift from centering on institutions to centering youth around interest-driven learning communities.

1445
A Smart Grid for Education Dale Dougherty (Make/O'Reilly Media) -- Maker Faire is a community learning event. Organize the resources that are already in the system.  Organize data, find learning events, student self-reporting (what happens in this self-learning environment?), metering and feedback; education lacks an open platform.

1458
TED: The First 21st Century University? June Cohen (TED Conferences) -- 700 talks viewed 300M times around the world.  TED gave away the content for free.  The more we gave our content away, the more people wanted to pay us for it.  What TED learned: people love to learn.  TED feeds people's hunger to learn.  Bringing education content online is difficult; you must think not like an educator but more like a rock star.  TED presents their educators like rock stars.  Engage superspreaders...those who will push your content out there for you. Content should be geared toward a generally educated audience, not a policy wonk or geek.  Use plain English.  Evoke contagious emotions.  Harness the power and wisdom of crowds; take a leap of faith.  Never underestimate the power of human storytelling.

1519
Learning Powered by Technology Karen Cator (US Department of Education) -- Mobility 24x7 access, social interactions for learning, digital content, print to digital -- four moves to bring learning into the 21st century.  80-page paper at http://www.edu.gov/technology
Learning: 21st century expertise, how people learn, personalized learning, universal design for learning
Teaching: Highly effective, connected, online, formal + informal, inspired
Assessments: measure what matters for continuous improvement, embedded assessments, real-time feedback, persistent learning records, universal design, continuous improvement.
Infrastructure: 24x7 community-wide, broadband, access points, supported
Research and Development: how do we design the future

1545
The Singapore Miracle and Gov 2.0 Peter Ho (Singapore), Peter Schwartz (Global Business Network)  -- missed this presentation.

1622
Improving Customer Service Peter Levin (Department of Veterans Affairs), Thor Muller (Get Satisfaction)  -- VA had a very manual, paper-bound, adversarial relationship with the Veteran.  It is still manual and paper-bound.

1630
Redefining Public/Private Partnerships Nicholas Gruen (Government 2.0 Taskforce (Australia))  -- The public/private partnership will allow greater access to knowledge in the world.  Great speech, check it out on the videos.  I was paying too much attention to type.

1653
"Big Data" and Analytics in Government David McQueeney (IBM Federal) -- Highlighted continuous, real-time monitoring for federal regulation/compliance assessments.  Heavily focused on analytics.  Watch the video...

Do you know who all of your social networking connections really are?  Can you vouch for each of them personally?  Do you trust each of those connections to keep your information safe? 

Earlier this summer, Thomas Ryan, Co-Founder & Managing Partner of Provide Security, LLC, began an experiment he dubbed Robin Sage with the intent of exploiting the trust that seems to be inherent in social media: the trust that what a person's profile says is true; the trust that, if my friends are friends with someone, that person must be legit.  In his 28-day experiment, Thomas built an identity simply by joining mailing lists, Twitter, LinkedIn, and Facebook and by choosing credentials that invoked a notion of status within the INFOSEC community.

In Thomas' words, "Given the vast number of security breaches via the internet, The Robin Sage Experiment seeks to exploit the fundamental levels of information leakage--the outflow of information as a result of people's haphazard and unquestioned trust. The experiment was conducted by creating a blatantly false identity and enrolling on various social networking websites. By joining networks, registering on mailing lists, and listing false credentials, the conditions were then set to research people's decisions to trust and share information with the false identity. The main factors observed were: the ability to exploit other individuals' level of trust based on gender, occupation, education/credentials, and friends (connections)."

For some reason the normal amount of caution we take into real-life interactions falls away online.  In real life, we very rarely talk to strangers about our jobs, especially if those jobs are of importance to national security.  Yet in the online world, the Robin Sage identity received job offers from the government and corporate sectors and offers to speak at a variety of security conferences, with no verification that this person was, in fact, real or even a true expert.  However, there were individuals who called Robin out as a fraudster.  Omachonu Ogali, security researcher and (full disclosure) good friend, was one of those individuals.  I wanted to pick his brain as to how he identified Robin Sage as a fraudster and what happened soon after.  Below is an interview I conducted with Omachonu over e-mail after discussing the topic in person:

The National Archives and Records Administration has released a study on the use and value of web 2.0 records today.  The "Report on Federal Web 2.0 Use and Record Value" can be accessed here: http://www.archives.gov/records-mgmt/resources/web2.0-use.pdf.

From the report: "The study identifies characteristics of the information that is found in web 2.0 formats and how those characteristics affect the value of the information. It also provides a basis for determining whether Federal records created using web 2.0 tools should be retained for a temporary period of time or are permanent and ultimately transferred to the National Archives.

This study does not describe or dictate how to schedule or manage web 2.0 records. It does not focus on specific technological issues, identify permanent web 2.0 records, or assess any specific NARA or agency policy or guidance. This study does note key management issues that participating agencies addressed through the course of the study."


Paul M. Wester, Jr., Director of NARA's Modern Records Program, describes the study:

"The purpose of the study was to gather information on how Federal agencies use web 2.0 tools to create and share information and how this might affect the value of the recorded information in the tools. The tools included internal and external blogs, wikis, social networking, and other collaborative web-based technologies.  During this review, several characteristics were identified as affecting the record value of this information, including:

* Extensive duplication of information
* The ability to record increasing aspects of process
* Syndication of content to reach new audiences
* Additional structure and context
* Perceptions of the authoritativeness and longevity of content

The study concluded that based upon function and use, records created should continue to be assessed based upon business, evidential, informational, and contextual values. The concepts of temporary and permanent value have not changed.

The team received a significant response from agencies that were both interested and willing to participate in the study, which allowed the team to make recommendations for future actions and to identify areas for further research.  These recommendations included clarifying the definition of a Federal record, addressing transfer requirements for permanent web 2.0 records, mitigating public expectations of content longevity, and integrating records management into agency social media policy, among others.

Please visit the Records Express Blog and post questions or comments on the study."