My current solution for the login problem is less than ideal. I use the java program Password Safe to save my accounts+passwords, which it generates randomly. The pass phrase for my password safe is pretty complex, and I change it on about an annual basis. The program re-locks the safe after 5 minutes of inactivity, so this is reasonably safe against casual compromise. Of course, keyboard shoulder surfing and a subsequent theft of my machine (or temporary control) could render it useless, but I’m willing to accept those risks and do what I can to maintain control of the laptop. If somebody steals my laptop, unless they can crack the encryption quickly, I feel pretty good that I’ll have enough time to restore from backup, change all the passwords, and set a new combination.

However, this is basically as good as our current “status quo” of online fractured identity can get. And I still don’t have anything to bring all of my online presence together.

I recall with fond memories watching Dick Hardt’s amazing Identity 2.0 presentation from the audience at OSCON 2005. I came away thinking to myself “oh good, somebody is on it.” I put it out of my mind as a systems administrator with a lot of things to think about on the backend, and no real concern for the frontend.

Fast forward 5 years, and I see that we’re not much better off now. Dick Hardt’s company Sxip produced Sxipper, which is pretty cool, but still puts it on the users to safeguard and manage their data. Oh and really, I never heard about it until I went looking for Sxip again, and I don’t know anybody using it, I think its just a cool curiosity, not a solution.

This really is an issue that affects people, but they may not know it. Look at the trouble this guy went through to make google accounts useful for people with multiple email addresses. As we start sharing and sending and moving data, our identities clearly can’t be defined as email addresses anymore. I have 3 that I use a lot, and a couple of others that just refuse to die for whatever reason. Changing them means trying to find every site on which I’ve used them. UGH.

OpenID was, and still is, a promising direction. There are some definite security pitfalls in the way its been done in the past, but I think they’ve solved most of them. It doesn’t really satisfy Dick’s Photo ID requirement where the issuer doesn’t get to know what you’re using it for. Still I love when I sign up for a site and I can use my OpenID login. I use my launchpad.net account for this, mostly because it was the first site that had a very clear “this is your open ID url” link.

FOAF-SSL or “WebID” also seems interesting as a way to promote social credibility and utilize existing technologies rather than try to invent the whole thing. Even twitter seems to have rudimentary support. But its still a long way off from being in control of our identity. Given the meager number of relying parties, I’d say it may not ever get there, which is too bad.

So now I’m just confused. How and when are we going to get this done? When can I say “this is me, here’s some proof that this is me, now lets get something done.”?

Social networks sort of try to do this with the social proof of many friends. But at issue there is how closed off those social relationships are. Facebook wants me *on Facebook*. They don’t want to enable me to also use myspace or my Ning community seamlessly.

Until we as users know why we’d want that, and somebody is able to provide it, I guess I’m just stuck with my password safe.

First off, let me say that these guys didn’t have to be retarded to lose this much data. In fact, there are (were?) probably a lot of really talented people who designed and built this system to avoid such things.

I’m an optimist, so I have to believe somebody raised their voice at a meeting when data was shipped off to some loosely linked company from some past relationship. The finger pointing going on now is exactly what nobody ever wants to see happen to something they built.

Nirvanix says it has not deleted any customer data, and promises that its Storage Delivery Network is immune to the problem that plagued The Linkup. At The Linkup, a “system administrator ran a script that misidentified active account data and disassociated physical files from their owners,” Nirvanix says. “This led to files being marked offline in the old Streamload/MediaMax file system when they shouldn’t have been.” Iverson, meanwhile, claims it was a Nirvanix engineer who caused the data loss.

Hiring managers beware.. if you receive a resume of a Systems Administrator from the San Diego area with a couple of years missing and immediate availability, you might want to ask him if he knows what the -f argument to rm does.

We’ve all been there at the meeting that produces this type of situation though. Somebody finds some amazing 3rd party vendor that will do for the company what now takes a little resources, but will, when the company gets successful, take a lot of resources. Rather than scale our business up, why not just jump onto the coat tails of some other already successful business and rake in the dough, not needing any real technology, just gluing things together.

This is the essence of things like Amazon S3 and EC2, and Google’s AppEngine. These companies have built massive clusters to deal with their biggest days.. and somebody over there got smart and said “hey, 1% of our architecture is 200 times the power of most startups. We should sell it to them.”

The problem is, one day Amazon will need that power, and they won’t think twice about cutting off their tiny little source of revenue to make sure they can sell copies of Oprah’s latest selection. Their core business is selling stuff over the web, so why should they care if EC2 and S3 go slow, stop working, or function better than most people’s multi-thousand-dollar-a-month contracts with ISP’s.

So, if something is key to your success, even if its not “your core competency”, I say build it into your business model to gain that competency. I wouldn’t pay somebody to pack my parachute if I were a sky diver. I’d pay somebody to teach me, maybe even to check it for me, but I want to know that I packed it right when I pull the cord.. I don’t want a little flag to fly out saying “Sorry, We gave up our parachute packing business 2 days ago. Might want to start praying..”