Monthly Archives: April 2014

Government Identity on the Web

How should governments respond to identity on the web?

Today Troy Hunt (a fellow MVP) was quoted in the Sydney Morning Herald in relation to an article about myGov (http://my.gov.au) which is a portal for Australian citizens to access Medicare, eHealth, Centrelink, Child Support and NDIS records. The basic premise of the criticism is that myGov doesn’t support two-factor authentication (2FA) and that this represents a security concern.

Later, a conversation between technology professionals on Twitter is speculating about the security around how passwords are stored within the database. Personally I would be extremely surprised if the cornerstone of the Australian Government’s online strategy stored user passwords in plain text instead of a hash and salt combination, but this might be foolish optimism on my behalf. It would be great if someone in the know could actually confirm this, and then perhaps explore the 2FA topic that Troy and others have raised.

I believe that any 2FA implementation would need to be “recommended but optional”. 2FA requires a device capable of generating a token which is supplied along with your username and password. For some users having this additional device might pose a challenge; there are still people in Australian society who do not have access to mobile phones, let alone smart phones. Making 2FA optional allows those citizens to scale their security to what is within their means. Alternatively, the government could provide special token generators upon request if they wanted to make 2FA mandatory (I’d personally still want to use my phone).
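The two ideas above, salted password hashes and a “recommended but optional” second factor, as an added example that is not from the original post and not myGov’s code. It assumes PBKDF2-HMAC-SHA256 for password storage and RFC 6238 TOTP as the token; the function names, user record layout and work factor are hypothetical.

```python
import hashlib, hmac, os, struct, time

PBKDF2_ROUNDS = 600_000  # assumed work factor; tune for your hardware

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is generated per user."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def make_user(password, totp_secret=None):
    """Hypothetical user record; totp_secret is None until the user enrols."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret}

def login(user, password, token=None, now=None):
    """Password is always checked; a token is required only if enrolled."""
    now = time.time() if now is None else now
    _, candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["digest"]):
        return False
    if user["totp_secret"] is None:
        return True  # user has not opted in to 2FA
    if token is None:
        return False  # enrolled users cannot skip the second factor
    # Accept the previous, current and next step to tolerate clock drift.
    return any(
        hmac.compare_digest(totp(user["totp_secret"], now + d * 30), token)
        for d in (-1, 0, 1)
    )
```

Once a user enrols, the password alone no longer logs them in, which is the property that makes the opt-in worth recommending.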

Stepping back a bit, I think there is a much more interesting question about identity on the web and the government’s response to it. On one hand I really want myGov to be secure, on the other I would like it somewhat open so that as a developer I can create an application that can acquire a verified identity from users. Imagine a local council being able to significantly automate its processes by allowing local residents to file paperwork by signing forms with an OAuth-based flow that jumps out to myGov to gather scoped personal information and perform non-repudiation tasks.

Such a capability would necessarily require a very stringent security audit of the myGov platform prior to being opened up along with the creation of a community of developers who know how to work with the various APIs provided by the myGov platform.

Ubiquitous Connectivity & Time-based Internet Billing

I am currently sitting on board the Dawn Princess with anchors down in Akaroa. I am half way through a two week cruise around New Zealand with my family. It’s a good break from our busy lifestyle back in Melbourne.

The timing of our family holiday is a little awkward because I am missing the excitement around the announcements made at BUILD 2014 last week. Or I would be if I wasn’t able to connect to the Internet from the ship as the details unfold.

Aboard the Dawn Princess is a ubiquitous Wi-Fi network which is available in all the staterooms and most of the common areas. The Wi-Fi network routes through a satellite connection backed by MTN Satellite Communications. When using the Internet I pay at a rate of approximately $0.30 to $0.80 per minute depending on the package.

Having cruised before I was aware of these pretty steep charges so we organised a local SIM card for mobile data access when ashore. The mobile data plan is of course tied to data volume usage rather than time. Time-based billing for Internet access seems to be strange in this era of mobile computing. The thing that I miss most about not being connected all the time is the absence of casual interaction with my information sources (e-mail, social media, news headlines, browsing etc).

I certainly can’t afford to be online all the time to receive these notifications, so for BUILD 2014 content, I logged in to get a quick synopsis of what was being discussed and disconnected. When I was ashore I set my various mobile devices to download content (such as the keynote videos).

The whole experience has left me pondering why satellite access (at least in this instance) is charged on a time-based model. Surely the ship maintains a constant satellite connection, so why not allow passengers to be constantly connected and then bill a lower rate for actual usage? The administrator of the ship-based network could apply QoS to the traffic to ensure essential traffic is given preference.

Another curious aspect of the setup here is that I can’t access OneDrive or OneNote (which is backed by OneDrive). I can understand that the ship might not want passengers syncing their local content across the link (especially with all the high resolution photos captured) but it sure is a pain when I want to access one of my Notebooks from OneNote. This makes me think that the critical resource is indeed bandwidth, but by charging for time the ship ensures that passengers don’t accidentally set their devices syncing constantly.

Overall I have been pretty impressed with the strength of Wi-Fi connectivity on the ship (kudos to Princess Cruises for that). I just wish that the route to the Internet didn’t have such a big toll gate in front of it. Is there a cruise ship out there that caters to geeks wanting to be constantly connected?

Maybe someone from MTN Satellite Communications could explain why satellite communications might be billed on a time basis.