Archive for January, 2013

Web SSO or federated

Thursday, January 31st, 2013

Gartner is predicting that federation that will displace web single signon in the coming 3-4 years.

Halleluja! Web SSO is purely a hack – either installing shims on web application servers or proxying authentication to web apps and intercepting/storing/injecting passwords from some (hopefully secure) database.

With luck, more apps will support federation and WebSSO will fade away.

More on entropy in passphrases

Tuesday, January 22nd, 2013

It’s been a while since I wrote about using passphrases, and the illusion that it necessarily increases security, since users are likely to choose short, grammatically sensible sentences.

It seems that someone has actually gone to the trouble of doing the analysis, reconfirming that passphrases are not as secure as one might think:

A bit of an academic read, but basically it just confirms my assertion that going from complex passwords to long-but-likely-all-lowercase-letters passwords is not of much security benefit.

Who owns your data anyways?

Monday, January 21st, 2013

I recently went in for a routine blood test, and asked the lab to send me a copy of the results – just so that I’d be able to track long term trends on my own.

Turns out, it’s their policy to *not* do that. They will only send my results to my doctor. My doctor is more reasonable – he agreed in advance to let me take away a photocopy when I next see him.

This does raise an interesting question, though. Who owns data that was acquired by measuring some aspect of my physical self? Surely, I should be entitled to at least a copy of that? In the current legal system, at least where I live (Alberta, Canada), that is explicitly not the case. I think the current state of affairs is unethical and indeed offensive on some level.

How does this work in other jurisdictions? Do people have the right to a copy of their own medical records? If not, what legal or ethical justification makes the lab or your physician the owner of data about you, but excludes your access to the same thing?

Perhaps this is a context where legislation is required — to force caregivers to share data about their patients with those same patients, either for free or for some nominal administrative fee (really, what does it cost them to fax the test results twice, or e-mail me an attachment, or photocopy something for me if I’m on-premise?).

Is there a valid counter-argument to the notion of sharing data about someone with that someone?

This is analogous to credit reports in the financial sector and consumer data aggregation in the advertising space. I take it there are already reasonable protections in those spaces. Perhaps it’s time for the healthcare community to catch up!