Archive for September, 2006

DIDW: Unique Characteristics of Healthcare: An Information Business

Tuesday, September 12th, 2006

Here are my rough notes from the second morning keynote on Day 2; please expect rough writing. My comments / editorializing in brackets prefaced with “SJC”

Scott Wallace: The National Alliance for Health Information Technology

Huge problem, no identity management in healthcare

“When you’ve seen one hospital, you’ve seen one hospital.” Little standardization between hospitals.

Healthcare information is all personal. Information known about you regarding health does not change over time for employment, insurance, etc. Once disclosed, it is gone forever. Your reputation can be fundamentally affected.

Economics of Personal Healthcare

  • All I want - full access
  • Others should pay for it - Insurance
  • I’m not paying for others - Medicare

The healthcare triangle is the relationship between the provider, the patient, and the payor (insurer). This leads to complexity in the way the information systems are constructed.

We all outsource healthcare which means information must be shared in order to get good care.

Information must be shared for exams, diagnostics, etc.

All this information exists in paper but paper tends not to move around: (Lab, Doctor’s office, hospital, nursing home) - Labs tend to do the best job.

Electronic in the healthcare industry means you faxed something.

30 years ago you had a family doctor, only hospital when near death. But today there are specialists, distributed care, and much more sophisticated information. (Static X-Ray vs. 64-slice CT)

Healthcare is desperately in need of tools to manage this info.

Rand did a big study: “Healthcare is the nation’s largest, most inefficient information enterprise.”

Access, Errors, Quality, Efficiency

Access:

Kaiser Family Foundation puts 16% of the population (44 million people) as uninsured. Highest rate of spending per capita and lowest rate of access.

Errors:

We kill 98,000 people a year as victims of healthcare. 250,000 doctors (doctors always deny they killed anyone).

Thinks part of the cause is bad information systems

Quality:

Rand - Patients receive the appropriate care 53% of the time. Why? Information can’t be shifted appropriately. $500B a year is wasted in healthcare.

Another report, To Err is Human, - Information needs to follow a patient around from doctor to doctor.

Information flow problems are caused in part by paper systems. Lots of waste has to do with information needed being unavailable. How many times have you had a test repeated because the info wasn’t available or trusted?

Why still paper based in healthcare?

  • Systems
  • Economics
  • Security and identity

Systems:

No innovators in healthcare, no iPods. Physicians are intolerant of change. Big IT innovation in healthcare is still not huge (the average large healthcare IT company does 1.5 billion in revenue). Support requirements, etc. scare people away.

Economics:

Economics are resistant to change. The purchasers aren’t the beneficiaries (10% goes to providers). Fee for service, no quality differential, no efficiency reward.

Children’s hospital in LA did a 140 million IT deployment. Took acute care cases and made them ambulatory, which allowed folks to keep patients out of the hospital. About 8 months after they finished the deployment they were nearly bankrupt, so everyone else is afraid to deploy for fear they will reduce their business. This is a big impediment.

Fee for service: Doctors get paid the same across markets regardless of how good or bad they are. This stifles innovation. If you as a doctor only get paid by use, you don’t want to cut down the number of uses.

Security and Identity:

Classic problem of how to share and who to share with.

“if we are worried about privacy in healthcare why do we have gowns that open in the back”

Privacy means keeping secrets. We have blinds on bathroom windows because we want privacy. In healthcare when they say privacy they mean confidentiality: limited disclosure towards only specific people.

HIPAA issues - If you position electronic health records as protecting data confidentiality, you get much better poll results from consumers. Speak in the language of confidentiality, not privacy.

Some Identity Issues

  • Policy
  • Stakeholder Engagement
  • Technology and Clinical Practice

Policy

Identity links to confidentiality

HIPAA led to lots of state laws that are more severe than the federal baseline. Things mandated in one state might be illegal in another state.

Legislation to block a unique ID - there was a plan to create a national healthcare ID to track your healthcare information. Two years later HHS was told by Congress not to work on it.

Big debate in healthcare now is do we have a national system or a regional system

Need appropriate protections and sanctions since the data is so critical. If leaked healthcare information ends up in your hands, you need to be able to prove that you didn’t use it. Stealing banking info gets you in jail; it is less clear what happens if you steal someone’s healthcare information.

Stakeholder Engagement

Consumers are completely disengaged from this problem. They think their doctor has all the relevant information. The average group practice doctor has 3000 patients. Consumers don’t know how little their doctors know about them.

The only way to get consumers engaged is to discuss convenient information: no need to show your insurance card over and over again or to discuss medical allergies every time.

Clinicians are worried about the accuracy and completeness of information, which often leads to repeating tests. False positives and negatives caused by wrong information are a huge problem.

Technology issues

Unique ID or algorithmic matching? There is still a sense in some circles that a national ID is necessary, but algorithmic matching is viewed with a skeptical eye.

Need to inform the policy debate in the public and congress

Must defer to the policy consensus - so many standards, engineers need to agree that some standard is needed.

Question from Steven Spraig (sp), Wave Systems: Trusted computing is an opportunity with the PC’s hardware ID. All PCs will have a common method for identity within a hospital. How can these standards be brought into awareness in healthcare?

Healthcare IT people are extremely cynical since they’ve been burned in the past. Tone down your message to something you really know you can do.

nahit.org

DIDW: What do the Internet’s Largest Sites Think About Identity?

Monday, September 11th, 2006

Here are my rough notes from the third session; please expect rough writing. My comments / editorializing in brackets prefaced with “SJC”

Dick Hardt - SXIP Identity

Talk around Identity 2.0. Need temporal awareness to understand what something is.

  • Vitamins: hard to sell as it prevents something in the future
  • Painkillers: easier to sell as it stops something bad
  • Viagra: very easy to sell - allows something new

[SJC: Dick went through a variation on his great Identity 2.0 prezo. Deltas below]

Need to know the past behavior of a job applicant in order to evaluate how he’ll do in the future.

Let’s look at:

  • Yahoo - Single account for multiple services. Big set of silos. When they bought Flickr they had problems since Flickr needed its own identity.
  • Microsoft - .NET Passport failed. Windows Live ID is a rebranding. InfoCard is a good evolution since the user is at the center.
  • Google - Google has a single account, lots of silos. As a user I’d like my own account, but for Google this is a vitamin, not Viagra.
  • eBay - Has silo identities but also has reputation, has past behavior as a predictor of future behavior.

A single account via Identity 2.0 has a single point of failure. But you already have one login per site with the big sites, and you can make the one login more secure. You can reduce the risks of that single login by making that login more secure. [SJC: Single points of failure are still single, no matter how secure, see the previous talk on a national ID card]

Wikipedia could benefit from reputation.

Slashdot uses karma; what about using that karma from Slashdot in other places like games? It becomes an alternative currency. [SJC: Read Down and Out in the Magic Kingdom by Cory Doctorow]

Panel is now introduced:

Moderator: Dan Farber, Editor in Chief, ZDNet

Panelists:

  • Michael Barrett - CISO, PayPal - Previously president of Liberty Alliance
  • Michael Graves - CTO, Verisign
  • Jim Piala (sp) - Product manager, Windows Live

DF: What does MS say about Dick’s comments?
JP: Windows Live and Windows Live ID have a key focus on identity interoperability (issuers and technologies). Need to give people control of their identities. Users like to have multiple identities, some with the same provider, some with different providers. See big opportunities with WS-* and InfoCards.
MG: Verisign is not moving out of areas that it has been in. It is more heavily investing in those areas. Securing enterprises, PKIs, etc. Military grade deployments. Sees real growth in what companies like SXIP, Microsoft’s InfoCard, the OpenID WG, etc. are doing.
MB: Identity gets more complex, and the standards hoped to go somewhere are just part of the problem. The more difficult issues are what the earlier presentations explored. For financial services, can you actually pay? Less about identity, more about whether what you just did is similar to what you did in the past.
MG: CardSpace is an important technology to integrate with. Verisign could provide network based technology to help control the endpoint. How do I know that I can trust DNS? CardSpace provides a good toolkit to evaluate this.
DF: When will the walled-garden approach be resolved? How do you make them more permeable?
MB: I never thought this would happen fast. I am skeptical. Some evidence on the horizon. Hardware based authentication has to be broadly federated in order for it to work. Unconvinced that we have the protocols and the exchange mechanisms around the authentication exchange and the tie to the identity itself.
JP: All about business drivers. Not sure that the economic incentives are there to allow full federation. Tightly coupled business offerings linking with one another might make more sense.
MG: Verisign is taking a very different and disruptive line. We make lockdown tech for financial institutions to manage risk. On the other end, there is the user centric notion, which we believe in. Federation does not lead to universal identity. We don’t have the retail presence to risk by making a big change. Comes down to a failure of faith in federation. SSO is a better option as part of the OpenID framework.
DF: How do you convince a Yahoo or someone similar to adopt any of these solutions?
MG: You don’t; the walled gardens are last to migrate to the new future. Balance between content to keep a user in a site and the tipping point which would cause them to leave the site. Do you want to be a silo, or a hub to allow folks to flow in and out? Interoperability needs to happen via a mesh of hubs which broker these identifiers.
JP: Two reasons why we might see more users getting out of the garden. First, users need to be at the center of the experience. They care about this and are frustrated by it being closed. Users themselves will drive this. What if you could take your eBay rep to another site? How can I take my Xbox Live reputation to another forum? Second, no walled garden is completely walled. Partnership will be present between the gardens.
MB: We don’t have protocols which describe trust levels between systems (i.e. PayPal, Skype, and eBay). With three auths in our own systems, how do I cross-correlate these?
Question from audience, Mike Jones from MS: Depending on the value of the information secured by an ID, the current username/password standard either is good enough or is neither manageable nor able to be secured. How do we get users away from this?
JP: Different applications require different levels of assurance. This isn’t a bad thing, nor an impediment to federation. You just need the identity to match the scenario.
MG: Lack of success has not been because passwords are not adequate. It has been because they’ve been too difficult to use. Risk and fraud need to be managed. Need a growth path to make things better.
MB: Each component of identity can break. At that point you are trying to predict which transactions are legitimate and what you should do to mitigate the risk. Need business specific standards. Phishing problems around user-driven identity. Not much traction in email signature standards. One of the things we are doing to limit the phishing attacks purporting to be from PayPal is to sign every outbound email, to try and make some progress.
Question from Phil Becker, DIDW: A question about the Windows Live offerings. Enterprise IdM has advanced the notion of self service and scaling improvements to make all this more deployable. Software as a service and other service based offerings might invert the outlook; when does Windows Live start to sell to a business? Could a business use their own authentication and then assert that to Windows Live?
JP: That is exactly what is happening. That used to be achieved using password sync between AD and Windows Live ID. Using ADFS (AD Federation Service) and WS-* in the future to allow enterprises to manage their identities themselves in accordance with governance, but have them accepted at Windows Live services. Federation is a user experience improvement.
Question from Jeff Smith - Office: Age checks for purchasing alcohol are minimalist claims for specific transactions. What are Verisign’s thoughts on this?
MG: We are providing the infrastructure for this, like InfoCards is.
MB: I am doubtful whether these sorts of systems will work the way InfoCards is described. This is because of the commercial dynamics of this. In practice these kinds of problems are dealt with in low-tech AUP type policies. The elegant conceptual mechanisms… I’m just unconvinced that they’ll emerge in the marketplace. Just because some merchants and consumers might want them, there may not be enough economic traction to make this happen. Need the plumbing first.
JP: The requirement for claims creates an interesting requirement on the system. Claims need to be verified, perhaps by a legal framework. Few digital identities have been vetted to that level. Some electronic ID programs in Europe meet that requirement. There are no comparable identity issuers in the US.
Question from Jon Donovan, Network Appliance: All this seems consumer centric; how does this apply to enterprises? How can I trust other identities from a reputation perspective?
MG: There’s a big gap between nothing and a government issued ID. Nothing to perfect. Stepwise evolution is needed.
Paul Bran (sp) - Brighton Consulting: When can I use a better credential?
MB: If something is fraudulent, what is the cost to the consumer, business, or insuring entity? We honor all legitimate transactions at PayPal. We exonerate customers 100% when it is not. This isn’t about technology, it is about the business decision in understanding the risk and cost. I’m a great believer in opening federation up, but the question becomes, when an auth fails because they can’t get online if their token is destroyed, how do you get that person online? At American Express we had lots of scars, but when a customer called with a forgotten password, half of the time they had just forgotten their username. We need to be able to disambiguate this.
JP: Large PKI/smartcard islands are increasing, and more interoperability would allow these systems to be used online. CardSpace / InfoCards might be another way to increase adoption of more systems.
Pam Dingle from ? - Windows Live ID and InfoCard are not the same thing, and even in Vista they are separate. What is the nature of the integration planned?
JP: Windows Live ID is a hosted service at Microsoft. We’re excited about InfoCard as an alternative means, but we believe that as a large company we’ll need a dedicated identity service as well as use newer techniques.

DIDW: How Identity is Overused and Misunderstood

Monday, September 11th, 2006

Here are my rough notes from the second session, formatting be damned. My comments / editorializing in brackets prefaced with “SJC”

Jim Harper - Director of Information Policy Studies, Cato Institute - Author of Identity Crisis

  • Wanted to write a book about why we don’t want a national ID card. How do you know who
  • Typical identity: Something you are, something you have, something you know
  • Wants to add a fourth, something you are assigned. (Your name, your location, etc.)
  • How would a national ID card work? Then you can examine the issues around it.

Threats to national ID cards

  • Surveillance - easy to tie separate sets of data together.
  • Power - information is power, access to data allows the government to find you and affect your life. Access to databases reverses the incentive structure: ordinary incentive is for law enforcement to learn about crime, then track down who did it. With more data it is easier to say anyone must have done something wrong, and then start mining that data to find out what it was.
  • Tend towards insecurity - Identity fraud is made easier by the existence of SSN. Single key system means one error compromises multiple systems [SJC: Sounds like some of the issues with biometrics]

Need heterogeneous ID system so that consumers can select the systems they need without participating in a single system.

Think of authorization as coming first. In everything you do, you decide if something is going to go forward or not. Let’s call that authorization. Hugs, handshake, alcohol sales, network access, etc. all have authorization steps. What do I need to know about you in order to shake hands with you? What do I need to know about you in order to hug you?

What level of proof do I need that what I know about you is correct? That level of proof is authentication. Authorization: what you are allowed to do. Authentication: degree of proof provided to allow that transaction to transpire.

So many DHS programs are unwisely relying on identity. Just knowing who someone is isn’t necessary. You don’t need to know who the person sitting next to you is; you just need to know that the person on the plane can’t hurt you. [SJC: This doesn't seem to apply at all to enterprise networks. I hope he realizes this isn't a universal constant]

The REAL ID Act was passed in May of 2005. By May of 2008 states need to issue ID cards in compliance with federal standards, standards like no more mail-in renewals, etc. Dedicated adversaries will bypass these systems (pay off DMV folks, etc.) but it will be painful to the rest of us.

Big laugh from crowd by suggesting that Identity should be 3rd or 4th, not center. Talks about using a fake-id at all of his dealings requiring credit cards.

Phil came on at the end to suggest that this talk is all about understanding what you accomplish with a given identity check.

DIDW: An Interview with Symantec’s Rob Clyde

Monday, September 11th, 2006

Here are my rough notes from the first session; please expect the writing quality and grammar to be degraded. My comments / editorializing in brackets prefaced with “SJC”

Rob Clyde, VP of Technology, Office of the CTO
Phil Becker, Editor in Chief, Digital ID World

Phil: Identity in computing started with security
Rob: Looking at protection, what can we do to protect the information, interactions, etc. Attacks are now financially based. Identity theft is key.
Phil: Shift from locking things down to providing protection?
Rob: Yes, protection and confidence to allow folks to do what they want to do online
Rob: Lots of past business is focused on information and infrastructure, now focused on protecting the interaction
Phil: This also raises companies’ confidence in what they are doing re: compliance / regulation perhaps?
Rob: Compliance is huge. Two pieces: 1. Comply with regs, 2. IT governance in general to provide competitive advantage. Sloan biz school found those with strong IT governance were 20% more profitable…
Phil: Why is that true?
Rob: Choosing projects carefully, linking IT carefully with the business
Phil: Complying with business vs. security outlook - lockdown is keeping people out, protection is opening things up to get what you need to get done.
Rob: Huge paradigm shift. NAC is a big shift. Cellphones are another. 15 yrs ago device choice was employer mandated, today, device is generally chosen by the employee / consumer. But still most of us need to use laptop defined by the employers. With policy frameworks, users can choose which devices they want at the laptop level provided they comply with policy [SJC, this sounds great but security is one of a dozen pieces around desktop operations, what about software licenses, support calls, etc., I'm not sure the endpoint platforms have the simplicity of a cellphone to make this viable. If desktops did just a couple things, this makes more sense. I'd like to see this in the future though.]
Phil: What about the dumb network vs. smart network debate?
Rob: Need to manage security via policy but trying to push support from the IT department to the end user itself…
Phil: What happens to categories in products themselves around security? NAC itself will reach across some of these boundaries.
Rob: One thing that will happen is a lot of interoperability. Lots of SIMs out there, but the big problem is that an IP address or process can be determined while the identity is much harder to determine. NAC + Endpoint compliance defines the “What” which is closely linked to the “Who.”
Phil: Any thoughts on how this evolves? What comes first?
Rob: 802.1X will drive this with endpoint compliance, NAC, and 802.1X. Slow uptake on 802.1X. Non-.1X is more prevalent today.
Phil: Could they unite at the identity store and management level first and then move down the stack?
Rob: No single identity store will happen, lots of stores long term but the exchange of information will be key.
Phil: Looking out at the world re: 802.1X, do you see the other protocols there to do the interconnection that is desired?
Rob: Lots of good ideas, many fairly immature. Most of the work is around identity information exchange and SSO. The problem is how do you establish the identity in the first place? Broker-based identity? How can the end-user trust the server? Those are the tough problems.
Rob: Easier for enterprises since they have to show up to get a badge and that could be leveraged moving forward. In B2C, this is harder. Many have stopped giving out information online. People concerned about websites stealing identities.
Phil: Is this where we need 3rd party broker?
Rob: Yes, we’re there on the money risk, but not the identity theft risk.
Phil: Security evolution requires identity management. Links between event detection and identity itself. How does this come together?
Rob: This has to come together. Security of exclusion has accounted for most of the revenue so far. Security of inclusion is the wave of the future. Need more collaboration, etc.
Phil: What is the wavefront of where the money is going which allows us to see this?
Rob: The nature of the threat is now more financially motivated. Companies are concerned about the insider threat. IT governance and regulation. These things cause this convergence.
Phil: Purpose of the network is to remove the concept of location as being significant. Network security has been about building perimeters which undermines the overall goals of the network.
Rob: Mindset that wants to go that way, but lots of mandated security, etc. People would like to see a different way. Perhaps making your internal network the Internet essentially using secure applications. Jericho is looking at this. 25% of help desk time is spent resetting passwords. Lots of additional problems, perhaps we need less IT over time for desktop support.
Phil: How can customers prepare?
Rob: How can I manage the network by policy rather than by specific configurations and mandated software. Look for apps that are more web based which protects things. This allows a smaller perimeter.
Phil: So people in the office are outside the perimeter just like remote workers?
Rob: Sure, just like a VPN connection. [SJC - The peer-to-peer issues here are huge. Hub and spoke networks sacrifice an awful lot of functionality and availability]

Digital ID World Begins

Monday, September 11th, 2006

I’m sitting up front at the conference as I write this. For those of you reading this blog who attend the conference, up front are two rows with tables, and more importantly AC power! I’ll try blogging some of the sessions I attend though I’m sure I’ll miss some and others–as happens at any conference–may not have anything very useful to say. I’m very interested to see how the network and application guys get along around the subject of identity. Well they are telling us to sit down as Phil is about to get started.

NIdM, AIdM, and NAC

Monday, September 11th, 2006

No, I didn’t intentionally try to start the day in acronym hell; it just sort of worked out that way. I’m sitting here at Digital ID World catching up on things and it appears that Eric Norlin is continuing his thoughts on a conversation started in July around NAC and its relationship to the identity management space in general. He writes:

As I’m reading through the confusing acronyms (NAC, NAP, etc) - I’m wondering if it isn’t time for the group of innovative vendors in this space (Forescout, ConSentry, TNT, Identity Engines, Apere, Caymas, Juniper, etc) to rename their offerings with a more descriptive term: “Network Identity Management,” or “N-IdM.”

I agree but have one wrinkle to add: identity has always existed on the network, just not in the terms that the IdM folks typically think about. If I put back on my networking hat for a moment, identity in the network can be lots of things:

  • MAC Address
  • IP Address
  • DNS Hostname
  • IPsec digital certificate
  • User identity (password, OTP, smartcard, etc.)

Identity in the IdM space typically means “user” while in the networking space it simply means “identifier” which is a superset of “user.” I say all this because one of the challenges to using the term “network identity management” is when you say “network identity” to a networking guy they think of the above with the last two items barely on the list if they make it at all. At my company we’ve been speaking to press and analysts about “network identity management” (using that exact phrase) for about a year and we certainly run into a fair number of analysts who “get it” and we quickly continue down the conversation. However, we also run into folks who think of DNS and DHCP appliances as network identity and think about NAC as the new thing we are trying to talk to them about.

I agree with Eric that NIdM is the correct term and that AIdM and NIdM are both subsets of the broader IdM space. Similarly, NAC is a subset of NIdM, just like guest management and secure wireless are.

As an aside, let’s be honest: NAC is just a newer word for AAA. AAA sounds stodgy and old, NAC sounds new. Think of all the words that are used instead of “firewall” these days and you’ll have another example of the phenomenon. For still another, IDS became IPS. NAC has the mind-share for the moment, but I’d be amazed if it stuck around as a term for the long haul.

Stirring the Biometric Pot

Wednesday, September 6th, 2006

Update 9/11/06: Kim Cameron’s blog is picking up the biometrics thread as well.

The topic of biometric authentication is making the rounds in various blogs. Phil Becker writes that he considers biometrics “the only true identity based authentication” with everything else as “an approximation of identity validation to some acceptable degree of risk or certainty.” Dick Hardt takes issue with this:

Someone can lift my fingerprint from the case of my laptop, create a facsimile and use that with the fingerprint reader. A fingerprint can actually be less secure in some ways than a password. No authentication technology is 100%, just like nothing can be 100% secure. Adding multiple factors to authentication is how we increase certainty.

Also, at my favorite potpourri blog BoingBoing I read that schools in Georgia are allowing a fingerprint scan to buy lunches, which prompted a small debate about the merits and risks of biometric authentication. Here’s a snippet of the original post:

Schools in Rome, Georgia, are implementing a system that lets children “pay” for their school lunches with a fingerprint scan. Previously, students had to enter a personal ID number to access their lunch accounts.

I don’t think Phil’s post was necessarily extolling the virtues of biometrics so much as trying to draw a distinction between the different forms of authentication and how they can be used in a basic case study. However, the virtues of biometrics are worth discussing. Before I sat down to write this, I looked back at the section on biometrics in my book. With the assumed gracious permission of my publisher, here is the relevant copy:

Biometrics incorporates the idea of using “something you are” as a factor in authentication. It can be combined with something you know or something you have. Biometrics can include voice recognition, fingerprints, facial recognition, and iris scans. In terms of enterprise security, fingerprint recognition systems are the most economical biometric technology. The main benefit of biometrics is that users don’t need to remember passwords; they just stick their thumb on a scanner and are granted access to a building, PC, or VPN connection if properly authorized.

Biometrics should not be deployed in this fashion, however. The technology isn’t mature enough, and even if it were, relying on a single factor for authentication leaves you open to holes. One option is to consider biometrics as a replacement for a smart card or an OTP. The user still must combine the biometric authentication with a PIN of some sort.

A significant barrier to biometrics is that it assumes a perfect system. That is, one of the foundations of public key cryptography is that a certificate can be revoked if it is found to be compromised. How, though, do you revoke your thumb? Biometrics also assumes strong security from the reader to the authenticating system. If this is not the case, the biometric information is in danger of compromise as it transits the network. Once this information is compromised, attackers can potentially launch an identity spoofing attack claiming a false identity. (This is one of the main reasons including a second factor in the authentication process is desirable.)

Although this could also be considered a strength from an ease-of-use standpoint, the final problem with biometrics is when the same biometric data is used in disparate systems. If my government, employer, and bank all use fingerprints as a form of identification, a compromise in one of those systems could allow all systems to be compromised. After all, your biometric data is only as secure as the least-secure location where it is stored. For all these reasons, look carefully at the circumstances around any potential biometric solution to an identity problem.

I was curious if I would agree with my statements made back in 2004 when the book was first published. As it turns out, I’m willing to concede that biometrics are more mature as a technology today, but I’ve not yet read anything which indicates that the core vulnerabilities have been addressed. As listed above, those are:

  1. Single-factor deployment is most common
  2. Revocation is impossible (Or its corollary, a perfect system is assumed)
  3. One piece of biometric data can be used in authentication decisions across multiple autonomous systems (weakest link problem)

I’ve yet to read a paper which convincingly addresses these issues in a way that doesn’t depend on each given deployment doing the right thing. Consider the extent of the security used in Rome, Georgia. Perhaps it is quite significant. However, I wouldn’t be surprised if biometrics was deployed purely as a convenience feature without a lot of regard for security. When that Georgia student goes on to bigger and better things his biometric data can be used again, perhaps to authenticate him to his financial institution or to grant him access to a foreign country. Though I’ll admit biometric attacks aren’t trivial, the impact of the attacks is monumental, particularly if they allow an adversary to assume the identity of the victim in multiple systems. Imagine the worth of an entire school system’s biometric data. This could include tomorrow’s potential business and government leaders, not to mention your average consumer going about their lives. I’m not trying to be alarmist here, but despite multiple discussions of the risks, people don’t seem to be listening. I’d love to be corrected here as the IT guy in me loves the simplicity of biometrics. For the time being though, I haven’t seen a way to avoid the risks.
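As an added illustration (not code from the original post or from the book it quotes) of two of the mitigations the excerpt calls for, here is a reader-to-authenticator exchange in which a server-issued one-time nonce and a per-reader HMAC key protect the match verdict in transit, and a PIN is required as the second factor so a biometric match alone never grants access. The reader key, user and PIN are constructed sample values.

```python
"""Illustration of the mitigations discussed above (added example, not from
the original post): the authentication server challenges the fingerprint
reader with a fresh nonce, the reader binds its yes/no verdict to that nonce
with an HMAC under a per-reader key (so a captured verdict cannot be replayed
or forged), and access additionally requires a PIN as a second factor.
Reader keys, users and PINs are constructed sample data."""
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed sample data: one enrolled reader and one user with a PIN.
READER_KEYS: Dict[str, bytes] = {"reader-lobby": os.urandom(32)}
USER_PIN_HASHES: Dict[str, str] = {"alice": hashlib.sha256(b"4721").hexdigest()}


def compute_tag(key: bytes, nonce: bytes, reader_id: str, user: str, matched: bool) -> bytes:
    # Bind the verdict to the nonce, the reader, the user and the match result
    # so that none of them can be swapped without invalidating the tag.
    msg = nonce + reader_id.encode() + b"\x00" + user.encode() + b"\x00" + (b"1" if matched else b"0")
    return hmac.new(key, msg, hashlib.sha256).digest()


class Reader:
    """Fingerprint reader: matches the live scan against the enrolled template
    locally and sends only an authenticated verdict, never the template."""

    def __init__(self, reader_id: str) -> None:
        self.reader_id = reader_id
        self.key = READER_KEYS[reader_id]

    def report(self, user: str, nonce: bytes, matched: bool) -> Tuple[bool, bytes]:
        return matched, compute_tag(self.key, nonce, self.reader_id, user, matched)


class AuthServer:
    def __init__(self) -> None:
        self._pending: Dict[bytes, str] = {}  # outstanding nonce -> user it was issued for

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._pending[nonce] = user
        return nonce

    def verify_biometric(self, reader_id: str, user: str, nonce: bytes, matched: bool, tag: bytes) -> bool:
        # A nonce is consumed on first use, so a replayed verdict is rejected.
        if self._pending.pop(nonce, None) != user:
            return False
        key = READER_KEYS.get(reader_id)
        if key is None:
            return False
        expected = compute_tag(key, nonce, reader_id, user, matched)
        return hmac.compare_digest(expected, tag) and matched

    def check_pin(self, user: str, pin: str) -> bool:
        stored = USER_PIN_HASHES.get(user)
        presented = hashlib.sha256(pin.encode()).hexdigest()
        return stored is not None and hmac.compare_digest(stored, presented)

    def authenticate(self, reader_id: str, user: str, nonce: bytes, matched: bool, tag: bytes, pin: str) -> bool:
        # Both factors are evaluated and both must pass; the biometric verdict
        # on its own is never sufficient.
        bio_ok = self.verify_biometric(reader_id, user, nonce, matched, tag)
        pin_ok = self.check_pin(user, pin)
        return bio_ok and pin_ok


def demo() -> Tuple[bool, bool, bool, bool]:
    """Runs four scenarios; returns (legitimate, replay, wrong_pin, forged)."""
    server, reader = AuthServer(), Reader("reader-lobby")
    # 1. Legitimate login: fresh nonce, genuine match, correct PIN.
    n1 = server.challenge("alice")
    matched, tag = reader.report("alice", n1, matched=True)
    legitimate = server.authenticate("reader-lobby", "alice", n1, matched, tag, "4721")
    # 2. The same captured verdict replayed: the nonce was already consumed.
    replay = server.authenticate("reader-lobby", "alice", n1, matched, tag, "4721")
    # 3. Genuine match but wrong PIN: one factor is not enough.
    n2 = server.challenge("alice")
    matched2, tag2 = reader.report("alice", n2, matched=True)
    wrong_pin = server.authenticate("reader-lobby", "alice", n2, matched2, tag2, "0000")
    # 4. A "matched" verdict asserted by something without the reader key.
    n3 = server.challenge("alice")
    forged = server.authenticate("reader-lobby", "alice", n3, True, bytes(32), "4721")
    return legitimate, replay, wrong_pin, forged


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```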

More 802.1X Support in Non-PC Devices

Tuesday, September 5th, 2006

I called out a Kodak camera which supports 802.1X in an earlier post. Now Tandberg has a high-end video conferencing system which supports the protocol as well. Whether this can be taken as a proxy for increased corporate 802.1X demand or simply a manufacturer taking advantage of pre-built features in the network stack remains to be seen. In even better news for 802.1X, this page at HP’s website claims their latest Jetdirect cards support 802.1X as well.