Investigators are treating the explosions as acts of vandalism, not terrorism, Shields said.

"Under the Criminal Code, it would be characterized as mischief, which is an intentional vandalism. We don't want to characterize this as terrorism. They were very isolated locations and there would seem there was no intent to hurt people," he said.

It's not all good, though. Here's a story from Philadelphia, where a subway car is criticized because people can see out the front. Because, um, because terrorist will be able to see out the front, and we all know how dangerous terrorists are:

Marcus Ruef, a national vice president with the Brotherhood of Locomotive Engineers and Trainmen, compared a train cab to an airliner cockpit and said a cab should be similarly secure. He invoked post-9/11 security concerns as a reason to provide a full cab that prevents passengers from seeing the rails and signals ahead.

"We don't think the forward view of the right-of-way should be available to whoever wants to watch ... and the conductor and the engineer should be able to talk privately," Ruef said.

Pat Nowakowski, SEPTA chief of operations, said the smaller cabs pose no security risk. "I have never heard that from a security expert," he said.

At least there was pushback against that kind of idiocy.

And from the UK:

Transport Secretary Geoff Hoon has said the government is prepared to go "quite a long way" with civil liberties to "stop terrorists killing people".

He was responding to criticism of plans for a database of mobile and web records, saying it was needed because terrorists used such communications.

By not monitoring this traffic, it would be "giving a licence to terrorists to kill people", he said.

I hope there will be similar pushback against this "choice."

• Moderator: Nick Hoover, Senior Editor, InformationWeek
• Speaker - Anne Berkowitch, Co-Founder & CEO, SelectMinds
• Speaker - J.B. Holston, CEO and President, NewsGator
• Speaker - Umberto Milletti, CEO, InsideView

Businesses can take advantage of social networks by finding innovative ways to reach out to people. Looking at who you know and how you know them can benefit you. Knowing a personal connection to someone that you are trying to contact (for sales) is helpful. The blurring between home, personal, and business life is making this information more available and better able to leverage. People are able to capture more valuable long term information from social networks.

A lot of social network applications can be taken from the talent management space. Deploying alumni networks as a talent source is also a great asset. Alumni represent a well-known and relevant population. This provides a great economic benefit from a social network.

If you are running a sales organization and looking at building a pipeline of leads, consider how these leads are relevant. The ability to get more leads is apparent in finding the right person, right connection, and right contact. Underlying everything are productivity and efficiency. How much time are sales reps spending researching and pursuing each opportunity? With information on social networks, the time can be greatly decreased. Knowledge sharing is something that can be actively measured.

The ROI varies with the business issue that’s trying to be addressed by a particular network. Recruiting for example has a very concrete, measurable ROI. Knowledge share gets a little more tricky. How do you measure how much is shared and the impact on business systems? Businesses need to determine what specific goal they are trying to address.

CFOs want to see ROI, not intuitive information. If you can demonstrate engagement and participation in these networks and knowledge sharing tools, more and more executives are getting comfortable seeing how it’s used at a qualitative and process level. It’s a very case by case basis.

One major crisis that we see in our customers is the competition between sales and marketing. Each wants to do their own thing, they go together like oil and water. However, the push of the economy is now forcing them work together. This is a great opportunity for IT to step in and help them collaborate and be more productive.

Other resistance from companies are how to manage what they are trying to accomplish while still giving employees free reign of sites like Facebook. What are the incentives for using these technologies? How does it fit into your company culture and productivity scale? You must bring meaning to the structure of engaging in social networks.

Social networks like LinkedIn and Facebook would not exist if people did not contribute information to them. However, if people don’t know that it is there, it does not exist. People need to see the value and get drawn in to engage. There are two ways that companies get into social networks. Tie it into the business process. The general idea of social networks are intuitive and easy to understand, which make it an easier case to present to chief executives. Make it clear - how do you go about it and what’s the value?

Social networks are intrinsically about extending the network, the more contacts you have, the more to choose from when researching a specific contact. It also has to be integrated into your dataworkflow. Companies are going to build a variety of networks inside and outside the enterprise. The big companies (SAP, IBM) are all rushing to offer collaborative and social network functionality. However, this is not entirely useful unless it’s integrated into the entire infrastructure.

Part of the problem is that good security people need to know the following skills:

• IT technology: since the data more often than not is in a computer, you need to understand them
• People technology: policies and procedures for managing people
• Business sense:  understanding that you’re supporting business goals
• And for Government:  politics

Back when I was PFC Rybolov, my battalion commander told me something along the lines of “The intelligence world is a hard job, you have to be able to out-infantry the infantry, out-mechanic the mechanics, out-radio the radio guys, and you need to know a language.”  Security is pretty much the same thing–you have to out-techie the techies, out-business the MBAs, and out-jerkify the auditors.  =)

Sound complicated?  Yes, it is, and it’s hard to find people who can do all this.  IT is an employment niche, IT security is a niche to a niche.  And there isn’t enough people who have the experience to do it.

So how do we mitigate the staffing shortage?  Here is what we are doing today in the Government:

• CyberCorps scholarship program for undergrads and graduate students with a minimum government service obligation.
• Using other career fields in “crossover roles”–yes, accountants can be used for some light security tasks.  Some things that we think of as security are really Quality Assurance and Change Control jobs that we have a vested interest in making work.
• Using contractors in some roles such as ISSO, ISSM, etc.
• Automation as much as possible.  Technical is easier, the policy and procedures side takes longer.  What you’ll find out eventually is that good IT management is good security management.
• Hanging on methodologies to “automate” the process side of security.

Now this is cool and all, but it’s hard to sustain and really hard to justify as a long-term solution.  In order to support the Government, we need to create more people.  Cybercorps is a start, but the need is so much larger than the supply that we have to consider better ways to create Government security dweebs.

Do we need Security Awareness and Training?  Yes we do, but much more than what is being provided (think system administrator training and procurement specialist training, not end-user training), and as an internal recruiting pipeline.  Still, I don’t think that we can recruit enough people to “the dark side” and that we need to look outside the Beltway for people.  Problem is that DC is such an insular community and we don’t speak the same language as the rest of the world.

Bookmark to:

Before announcing the winners of the 2007 CEP Blog Awards I thought it would be helpful to introduce the award categories to our readers.

I have given considerable thought to how to structure The CEP Blog Awards.   This was not an easy task, as you might imagine, given the confusion in the event processing marketspace.   So here goes.

For the 2007 CEP Blog Awards I have created three event processing categories.   Here are the categories and a brief description of each one:

The CEP Blog Award for Rule-Based Event Processing

Preface:   I was also inclined to call this category “process-based event processing” or “control-based event processing” and might actually do so in the future.   As always, your comments and feedback are important and appreciated.

Rule-based  (or process-based) event processing is a major subcategory of event processing.     Rule-based approaches to event processing are very useful for stateful event-driven process control,  track and trace, dynamic resource management and basic pattern detection (see slide 12 of this presentation).   Rule-based approaches are optimal for a wide-range of production-related event processing systems. 

However, just like any system, there are engineering trade-offs using this approach.  Rule-based systems tend not to scale well when the number of rules (facts) are large.  Rule-based approaches can also be difficult to manage in a distributed multi-designer environment.  Moreover, rule-based approaches are suboptimal for self-learning and tend not to process uncertaintly very well.  Never the less, rule-based event processing is a very important  CEP category.

The CEP Blog Award for Event Stream Processing

Stream-centric approaches to event processing are also a very important overall category of event processing.  Unlike a stateful, process-driven rule-based approach, event stream processing optimizes high performance continuous queries over sliding time windows.  High performance, low latency event processing is one of the main design goals for many stream processing engines. 

Continuous queries over event streams are genenerally designed to be executed in milliseconds, seconds and perhaps a bit longer time intervals.   Process-driven event processing, on the other hand, can manage processes, resources, states and patterns over  long time intervals, for example, hours and days, not just milliseconds and seconds.  

Therefore, event stream processing tends to be optimized for a different set of problems than process-based (which I am calling rule-based this year) event processing.  Similar to rule or process-based approaches, most current stream processing engines do not manage or deal with probability, likelihood and uncertainty very well (if at all).

The CEP Blog Award  for Advanced Event Processing

For a lack of a better term, I call this category advanced event processing.   Advanced event processing will more-than-likely have a rule-based and/or a stream-based event processing component.   However, to be categorized as advanced event processing software the software platform must also be able to perform more advanced event processing that can deal with probability, fuzzy logic and/or uncertainty.   Event processing software in this category should also have the capability to automatically learn, or be trained, similar to artifical neural networks.  

Some of my good colleagues might prefer to call this category AI-capable event processing (or intelligent event processing), but I prefer to call this award category advanced event processing for the 2007 awards.  If you like the term intelligent event processing, let’s talk about this in 2008!

Ideally, advanced event processing software should have plug-in modules that permit the event processing architect, or systems programmer, to select and configure one or more different analytical methods at design-time.    The results from one method should be available to other methods, for example the output of a stream processing module might be the input to a neural network (NN) or Bayesian Belief (BN) module.   In another example pipeline operation, the output of a Bayesian classifier could be the input to a process or rule-based event processing module within the same run-time environment.

For all three categories for 2007, there should be a graphical user interface for design-time construction and modeling.    There should also be a robust run-time environment and most, if not all,  of the other “goodies” that we expect from event processing platforms.

Most importantly, there should be reference customers for the software and the company.     The CEP Blog Awards will be only given to companies with a proven and public customer base.

In my next post on this topic, I’ll name the Awardees for 2007.     Thank you for standing by.  If you have any questions or comments, please contact me directly.

These are a rather concise set notes that I've taken while looking over his code more closely. I created a wiki page to quickly hack up this list. Here's what it looks like now:

• Fx helps you implement a custom STS
  • STS can issue managed cards (see below)
  • Fx provides a base class for your STS, (it's currently called SecurityTokenService)
  • You derive from this base class and supply a "ScopeProvider" implementation which answers (at least) two questions:
    • What type of claims your STS can issue (you have to generate a list of claim URIs that you will be issuing)
      • This is helpful for issuing managed cards, which need to specify which claims an IdP supplies
    • What claims should be issued for a given user request, which consists of:
      • Information about the target relying party (AppliesTo), which is not always known (an auditing STS will know this, for example)
      • The AuthorizationContext for the user requesting the token (this gives you the incoming set of claims from the user)
      • The actual RST if you want to look at it (this is a WS-Trust thing)
      • The issuer's credentials (you need this to generate the claim set)
  • User authentication methods (an STS needs to authenticate the user before issuing a token)
    • Kerberos
    • X509 Certificates
    • SAML from personal cards
    • Username/Password
• Fx helps you expose your STS using WCF
  • Fx supplies a custom ServiceHostFactory (currently called WindowsInformationCardServiceHostFactory)
  • This allows you to create a .SVC file for a WCF endpoint to expose your STS
• Fx supplies an HttpModule for the traditional ASP.NET authentiation pipeline
  • According to Vittorio, this "automates a lot of the validation work in the framework". It's called FederatedAuthenticationModule, which gives a hint as to its function. It probably sets up HttpContext.User like a traditional authn module would. It's probably not specific to building an STS (remember the Fx is also used to build relying parties)
  • There's a custom config section that configures this module. Vittorio uses it to say, "use my SSL cert as my relying party cert". This is probably required in case the client wants to authenticate using a card.
• Issuing managed cards
  • Fx provides a function to generate a managed card, as well as a class that represents it (it's currently called InformationCard)
    • You can specify the default name and image for the card you issue, controlling what the client sees when she installs your card
    • Fx provides an information card serializer: InformationCard<-->XML (this is what the user installs into her identity selector - an XML representation of the card)
• Fx provides a utility to generate a PPID, which is a pretty complicated task!
  • Currently takes three inputs to gen a PPID for the relying party to use:
    • Client's AuthorizationContext
    • The relying party (AppliesTo)
    • Issuer's credentials
• Fx provides some helpers for reading claims from an AuthorizationContext
  • I notice a ClaimsContext class that allows you to write code like I show below, although I'm not sure how it figures out how it deals with multiple ClaimSets.

string email = myClaimsContext[ClaimTypes.Email]

• Fx provides a set of ASP.NET login controls (three right now):
  • FederatedPassiveSignIn (I'm guessing this is for doing traditional ADFS v1 style logons)
  • InformationCard (login control that accepts information cards)
  • SignInStatus (probably similar features to ASP.NET's LoginStatus)
• Fx helps you build relying parties
  • InformationCard login control
    • You can specify whether you want to accept personal or managed cards
    • If you accept managed cards, a wizard will take a card file as input to automatically configure the control (great idea, guys!)
    • Wizard shows claims supported by the managed card, and you can select which ones you want (either optionally or required)
    • There appears to be a SignInMode that you can use to establish a session. I'm guessing that this issues an ASP.NET Forms logon cookie or something equivalent. This is probably one of the things that the HttpModule deals with (reading that cookie and using it to configure HttpContext.User).
    • Here are the control's identity-related events:
      • SecurityTokenReceived
      • SecurityTokenValidated
      • SignedIn
      • SignInError
    • Here's a picture Vittorio shows that shows a number of the properties of the control if you want to try to guess more about what it's going to do: