inside the man

Tuesday, May 31, 2005

Einstein's cosmos

PBS Religion and Ethics has a thoughtful paper on the influence of religion and philosophy on Albert Einstein's science.

"In Spinoza Einstein also found a champion for his belief in a deterministic universe that could be understood by human reason. Spinoza's pantheistic philosophy held that the cosmos was an extension of God or Nature and was therefore fundamentally immutable and strictly ruled by cause and effect. Einstein regarded Spinoza's conception of the universe so highly that he committed what he called the biggest blunder of his career in an effort to preserve his own vision of it. In 1915, he inserted an extra term, the 'cosmological constant,' into his theory of general relativity so that it would yield a static universe similar to the one described by Spinoza instead of the expanding one his calculations produced without it."
Tags:

Sunday, May 29, 2005

Today's public service announcement


The loon (QuickTime)


Courtesy of the Canadian Wildlife Service.
The trump card falls: copyright infringement linked to terrorism

When the MPAA and RIAA dreams, what do they dream about? Ubiquitous Internet surveillance? Maybe. Tax payer funded enforcement of their copyright? They already have that. The ultimate trump card in American politics - a terrorist link to IP piracy? Well, this dream came true this week as members of the LAPD intellectual property crime unit told congress the following:

"Some associates of terrorist groups may be involved in IPR crime... During the course of our investigations, we have encountered suspects who have shown great affinity for Hezbollah and its leadership."
Tags:

Friday, May 27, 2005

A Google hack for libraries

In this age of hacking Google Maps and other Google services, why shouldn't libraries get into the game? Kenton Good posted a great idea to deep link the University of Alberta's OPAC to Google Print, allowing searchers to view a few images of actual pages of the actual book. However, this may not be simple to pull off.

"I am a little annoyed with the lack of hooks into their interface. At first glance at least they seem not to have indexed any ISBNs so linking in via ISBN seems to be a no go. They also don’t seem to have a predictable way to link to the ‚“main record‚” for an individual item. Take this example of a book called Da Vinci Deception. The URL syntax ends up looking like this: http://print.google.com/print?id=Ht8cIwrFEgkC . Anybody have any idea how Da Vinci Deception = Ht8cIwrFEgkC?"

It is hard to say whether the value of this id field is a feature or an oversight. It does look suspiciously like intentionally unpredictable (and quite possibly cryptographic) 12-character unique identifier. That means that we may have to do this the hard way.

One idea would be to create an HTTP agent that queries Google Print, one title at a time (yes, I know you have millions), and screen scrapes the results page to harvest the right URL, possibly after performing a match on the author. You could, of course, make the agent's request rate "polite" or Google might shut you down. Then, with data in hand, you could load the Google Print URLs into a junk MARC field, and make the necessary OPAC tweaks to display the link. On a go forward basis, whenever new titles are loaded, you could perform smaller batches of scraping.

Having said that, hopefully there is an easier way. If you find one, please share. Have you thought of asking Google for help?
Security through human visual discrimination

Spurred by the release of a paper (pdf) by Berkeley researchers on computer security through human visual discrimination, there has been a round of interesting discussion, debate, product announcements. I thought that there would be some value in summarizing some of the key links here.
Tags:

Thursday, May 26, 2005

30th annual German Protestant Convention has record turn out

Optimism, social change, and national pride drive record numbers to Hanover.

"Some 400,000 people flocked to the city of Hanover Wednesday for the opening of the 30th annual German Protestant Convention -- a record number that reflects a renewed national interest in religious values."


Tags:
Today's public service announcement


The harlequin duck (QuickTime)


Courtesy of the Canadian Wildlife Service.

Wednesday, May 25, 2005

If you use PGP, you may be a pervert

A disturbing ruling from the Minnesota justice system. The fact that a man charged with taking nude photographs of a minor had PGP installed on his computer - even though he had not encrypted anything with it - was admitted as evidence against the man. This decision was held up under appeal this week.

"The case, although never put before a jury, could establish the precendent that the use of an encryption programme might be admitted as evidence of criminal intent, as least in Minnesota. The attitude seems to be 'if you have nothing to hide why do you need secrecy tools'"
A list of real web application hacking stories

Jeremiah Grossman has posted an outstanding list of article describing, or at least referring to, real security incidents involving web application vulnerabilities. This is possibly the best available list in existence.
Tags:

Tuesday, May 24, 2005

White bison for sale!

A white bison, a great omen to many natives, has come to a ranch near Fort St. John, BC leading to a great commercial opportunity. To quote the owner Karen Blatz:

"We would definitely consider selling him. It could be to the native Americans, or even if a circus or a zoo wants something rare to put in there to draw the crowds. That would be good too, but he definitely needs more exposure than where we live."
greasemonkey

I know that I have been slow to get to this one, but greasemonkey is just plain cool.

"Greasemonkey is a Firefox extension which lets you to add bits of DHTML ('user scripts') to any web page to change its behavior. In much the same way that user CSS lets you take control of a web page's style, user scripts let you easily control any aspect of a web page's design or interaction."

Basically, hack the UI of any or all websites that you surf.
Publishers protest Google Library project

First Europe, and now academic publishers make what will ultimately be ineffective protests against Google Print.

Yahoo News reports:

"A group of academic publishers is challenging Google Inc.'s plan to scan millions of library books into its Internet search engine index, highlighting fears that the ambitious project will violate copyrights and stifle future sales."

Slashdot has this one too.
OpenID PingPong

As a follow up to my earlier post on the OpenID protocol flow, Ben Hyde has put together this sequence diagram making it a bit easier to visualize the OpenID process. This really looks very promising.
The advantage of red

This CBC Quirks and Quarks podcast describes recent analysis of Olympic combat sports that shows that the competitor wearing red has an advantage. If further analysis confirms this advantage, sporting governing bodies will have to rethink their uniform policies.
Today's public service announcement


The snow goose (QuickTime)


Courtesy of the Canadian Wildlife Service.

Monday, May 23, 2005

What to do about "Real ID?"

Does RealID make you want to fight the man? Does it bring out your inner anarchist? Or does it just make you want to live in Canada? In any case, Thomas L. Knapp has your answers.

Friday, May 20, 2005

Proof of concept: browser-based field encryption with Blowfish via Ajax

I could not wait to post this when I found it. Richard Schwartz, noted Domino hacker, I salute you!

"I was able to spend part of last night and today working on building an Ajax-based host-proof app, and I've got a proof-of-concept working for the first piece of the puzzle. My proof-of-concept app combined a JavaScript implementation of the Blowfish crypto algorithm, and some additional Javascript lifted from Jake's sample Ajax database along with my own HTML and scripting to build a single page in a Domino database, along with one form, one view, and one agent. The result is an app that you can see and try out here."
A real (beta) example of an Ajax enabled security mechanism

Hot on the heals of my musings about the potential of Ajax to transform secure web communications, the OpenID project was brought to my attention - thanks Jeremiah.

What OpenID essentially is, is a protocol that allows a user to go to a foriegn site and quite easily request that her home site provide her identifying information to the foriegn site. In order for the transaction to succeed, the user must tell her home site to release her information to the foriegn site. This way the foriegn site never has to handle the user's credentials but can choose to to trust, or not trust, the identifying information provided from the user's home site.

While an OpenID user can carry out an OpenID transaction using classic HTTP, OpenID implementations require Ajax support. There are Ajax and a classic HTTP demos up here. All of this from Danga, the folks who brought us LiveJournal.

OpenID will require some careful analysis from the security community before its degree of security is well understood (remember that SSL 1.0 never saw the light of day due to serious flaws). To support this end, Imran Ghory posted the following formalization of the protocol to the yadis mailing list today:
The format I've used is

Source
---------> Information being sent
Destination.

I've used various other bits of notation
(for example information being sent is
prefixed by the name of whoever generated
the data so the flow of information can be
seen) but hopefully it's mostly self-
explanatory.

So here it is:

User
---------> User_server_url
Consumer


Consumer
---------> User_server_url
---------> Consumer_Request_for_id_server_url
User-site


User-site
---------> User-site_id_server_url
Consumer


Consumer
---------> User-site_id_server_url
---------> consumer_nonce
---------> consumer_return_to_url
---------> consumer_trust_root_url
---------> user_server_url
User


User
---------> consumer_nonce
---------> consumer_return_to_url
---------> consumer_trust_root_url
---------> user_server_url
id-server


id-server
---------> user_server_url
---------> consumer_return_to_url
---------> consumer_nonce
---------> id-server_timestamp
---------> id-server_signed
---------> (id-server_timestamp,
---------> user_server_url,
---------> consumer_return_to_url,
---------> consumer nonce)
User


User
---------> user_server_url
---------> consumer_return_to_url
---------> consumer_nonce
---------> id-server_timestamp
---------> id-server_signed
---------> (id-server_timestamp,
---------> user_server_url,
---------> consumer_return_to_url,
---------> consumer nonce)
Consumer

While we await the security verdict, OpenID remains a perfect example of providing new capabilities by breaking out of the "use SSL and you're done" web app security rut. The transformational potential of this sort of federated single sign-on system is tremendous.
What We Want From Our ILS Vendors

Mr. Good points out another outstanding future-thinking ILS post from Ross. All he is demanding is an ILS with a modern application architecture. Well worth reading.
Sikh asylum detainee sues US prison authorities over turban

BBC reports that a Sikh who has been held in a California prison for eight years awaiting an assylum application decision. Harpal Singh Cheema has only been allowed to wear his turban while in bed.

Many Sihks elect to be initiated, or baptized, into the Khalsa, which entails a solemn ceremony and a series of vows including a commitment to always display the five physical articles of faith, including wearing a turban.

This is reminiscent of the controversy over Sikh turbans in Canadian Legion halls and, of course, French legislation outlawing the display of overt religious symbols in schools.

Thursday, May 19, 2005

Green light for the open-ils to proceed to completion

The open-ils project is an ambitious attempt to create an open source integrated library system spearheaded by the Georgia Public Library Service.

The open-ils blog says it best,

"we’ve come to an important milestone in the Evergreen project. When we started on this path, we determined that we would stop approximately a year into the project, assess our progress, and determine if we should continue. We’ve come to this point, and the PINES Executive Committee has unanimously “blessed” the Evergreen project, and gave their permission for the project to continue. We’re very excited about this decision."

The blog post has screenshots and links to their demo OPAC and circulation system.
Canadian court rejects music industry's quest for individual identities

arstechnica notes that the Canadian Federal Court of Appeal has denied (pdf decision) the CRIA's attempt to force ISP to disclose the identities of file sharers.

"While privacy advocates and those in favor of more lenient fair use doctrines will applaud the decision, it must be noted that the court's ruling is not a blanket protection for online anonymity. Two things are likely now: first, the CRIA and friends will attempt to meet the standards of evidence, which is not impossible. Second, they'll start suing individual file sharers directly, likely in the 'John Doe' format we're used to seeing here in the US."

I had previously blogged about this here.
Go in the English language press!

It is exciting for go players in the English speaking world to see any coverage of professional go in English. Here is an excerpt from this morning's edition of the Shanghai Daily, Chinese pull off upset wins:

"Chinese go chess players shook their Japanese and South Korean counterparts at the pre-quarterfinals of 10th LG Cup in Seoul yesterday, booking six seats in the last eight. Teenager Chen Yaoye upset world No. 1 Lee Chang-ho of South Korea, highlighting the reserve strength of China and sparking hopes of regain its dominance of the sport which has a solid following in China, Japan and South Korea."

Note that China's number one ranked player, Gu Li, also defeated the Japanese veteran, Kobayashi Koichi in the same tournament.



Hopefully, the East Asian press will run more go stories in their English language editions in the future. The English edition of the Daily Yumiuri carries Rob van Ziejst's weekly English go column, The magic of go. Of course, the most reliable English sources for professional go news are web sites. Both GoBase and Go4Go are outstanding - add the Go4Go news and game record rss feeds to your favorite feed viewer. Or check out my go links.

Wednesday, May 18, 2005

More on Ajax and secure web communications

It has been brought to my attention that I need to clarify my earlier post on the potential of Ajax for secure web communications.

The main point that I want to get across is that embedding cryptographic services in the Ajax engine layer of an Ajax modeled web application may be an outstanding approach for some applications. And that this is a true statement even though every web browser has perfectly good cryptographic capabilities built in already - namely SSL/TLS (I'll just say TLS from here on).

First, let's understand what TLS is for. TLS offers essentially three cryptographic services:
  • Message confidentiality - only the intended recipient can see plaintext;
  • Message integrity - the message arrives intact and cannot be modified without detection; and
  • End-point verification - users can be certain that they are communicating with the intended server and, if client-side certificates are used, the client machine is also verified.
This is great. In fact, it is spectacular. TLS is the most commonly used cryptographic protocol on the web and has no known serious deficiencies, and it is all most web applications need. However, what if your web application needs other cryptographic services beyond those provided by TLS such as the following?
  • Nonrepudiation,
  • Secure timestamping,
  • User authentication, and
  • Digital signatures.
And these are just a few possibilities. What if your web application needs, as was the case with hushmail, to interoperate with a cryptographic technology other than TLS such as openpgp/gnupg?

My argument is that the "Ajax engine" layer of the Ajax model is a promising place to embed cryptographic services in web applications when something other than TLS is needed.

Imagine, as an illustrative example, that you had a web site for providing legal advice. On this system, all legal advice has to be digitally signed by the originating lawyer in order to ensure the integrity of the advice, and all advise must be encrypted so that only the intended recipient, and not even the system administrator, can read it. There are at least two cryptographic functions needed here, neither of which can be fulfilled by TLS in this context:
  • Signing/verifying signatures, and
  • Encryption/decryption.


Legal advice scenario 1: Crypto services on the server side

As the architect of this application, you have two choices. First, the standard solution would be to deploy all cryptographic functions on the server side then use TLS to secure all communications with browsers. Second, you could deploy the crypto on the browser side of the equation. These two scenarios have very different risk profiles and there may be reasons to choose one over the other. Since the plain text of the legal advice is produced on the server side in the first scenario, there is a risk of disclosure at the server. Whereas that risk is transferred to the browser side of the equation in the second scenario.


Legal advice scenario 2: Crypto services in the Ajax engine

Now this brings me to the crux of my argument. If the risk profile of the second scenario is acceptable, Ajax is an ideal web application architecture. All communications between server and browser could be in XML format, and signed and encrypted XML in the case of legal advice. Crypto services would reside in the Ajax engine layer, and asynchronous communications could be used to provide an outstanding user experience through prefetching of required cryptographic keys and assorted user interface goodness. As I have said before, when it comes to security technology, diversity is good.
The web is boring, Google can have it

The register has a provocative little piece on the folly of Google's thrust for world domination as revealed by Cringley. The argument is that Google is missing the boat by focusing on the HTTP protocol - there are other IP applications that are much more interesting.

Tuesday, May 17, 2005

Today's public service announcement


The great blue heron (QuickTime)


Courtesy of the Canadian Wildlife Service.

Sunday, May 15, 2005

Newsweek apologises for flawed Koran desecration report

As a follow up to my earlier post, The global press is abuzz with reports that the Newsweek report claiming that a copy of the Holy Koran was flushed down a toilet by US staff at Guantanamo Bay is inaccurate. This report triggered violent anti-US demonstrations around the world resulting in numerous deaths.
Hacking is good, and now piracy is good too!

What's next? Evil is good?

A few years ago, Wired ran a piece called "Keep your enemies closer - why hackers are good for business - an vice-versa". An now the O'Reilly Radar has sited a Mindjack piece called "Piracy is good: How Battlestar Galactica killed broadcast TV". The common thread is that these folks can help with non-traditional marketing if properly harnessed.

Saturday, May 14, 2005

Celebrating over a year of Bailey the buffalo on the web

You may find this hard to believe, but many people have not visited the web site of Bailey the bison. For those not in the know, Bailey spends quality time in her owners' home watching TV. There are even shots of Bailey with the Prime Minister of Canada and the Premier of Alberta.

Today's public service announcement


The Caribou (QuickTime)


Courtesy of the Canadian Wildlife Service.

Friday, May 13, 2005

Ajax and secure web communications
Updated May 13, 2005

The blogdriver's post on the Ajax Summit got me thinking.

First, it brought back ambivalent memories of hundreds of hours of consulting time spent telling clients that they cannot have client-server style features like search string autocomplete or search-as-you-type á la Google Suggest in their web applications. These memories are ambivalent because on one hand some of these conversations were very challenging like smashing rocks with your bare forehead. On the other, it was precisely the non-client-server nature of everything that we were doing with web apps back in the day (a few years ago) that made what we were doing so cool and made us web folk feel like members of a secret cabal. Now, of course, times have changed again, and with approaches like Ajax you can do this stuff on the web - the smooth responsiveness of moving around in Google Maps is my favorite example to prove this point. Gone forever is the mystique that was once attached to writing Perl CGIs (although mod_perl is still pretty interesting), being the only one in the office who could use Photoshop to make a decent looking GIF with a non-dithering CLUT, and being able to edit raw HTML without a reference!

Secondly, and more to the point, it occurred to me that there is an excellent information security opportunity here. If you have a need for secure web communications your current options are limited to the following:
  • Use SSL/TLS available to your browser combined with an authentication mechanism of your choice at the application layer;

  • Use SSL/TLS available to your browser with client side certificates, which is rarely done for a number of reasons including usability issues; or

  • Establish a VPN connection lower down the OSI stack then pass on the user's authentication credentials to web applications that need them.
While the Ajax model was not conceived by the geniuses at Google (no hyperlink needed), Adaptive Path, or wherever, as an information security tool, I believe it may hold the key to reconceiving secure web communications. Imagine, if you will, combining the Ajax model as articulated by Garrett with maturing XML security standards in order to meet ever increasing security and privacy needs. With encryption and signature services, and key management and/or client side authentication services embedded in the Ajax Engine layer, combined with identity management and access control on the server side, one can envision a powerful new class of secure web communications. And authentication could be handled through a PKI-based mechanism, kerberos, or something else.


Figure: A concept for Ajax-driven secure web communications (and it could even be easy and productive to use)

This Ajax-driven model could provide web applications with modular access to an array of cryptographic services such as:
  • Confidentiality
  • Sender and receiver validation
  • Message integrity
  • Non-repudiation
  • Authentication
  • Secure timestamping
The key problem to overcome in this model is how to ensure the integrity of the crypto services in the Ajax Engine layer. This is of course a fundamental question in all virtual machine implementations. For your reading pleasure on this topic, I refer you to the recently updated 95 page US DOD VM design guide (pdf).

Secure email vendor hushmail has gone part way down the Ajax road in delivering PKI-based secure email and other security services via the web. Essentially, the folks at hushmail have placed a Java applet implementation of OpenPGP where the Ajax Engine would go. The JVM applet container is responsible for handling authentication, encryption, and signatures (pdf description). The php driven user interface, which falls a little short on the usability front in comparison with other webmail competitors, then interacts with the applet container via JavaScript. While hushmail's application architecture is analogous to the Ajax model, hushmail falls short in the realm of asynchronous communications. All hushmail communications are strictly synchronous when significant user experience gains could be made through judicious use of asynchronous preloading of unread mail, preloading the contents of mail folders, matching addresses in your address book as you type, and probably other areas.


Figure: An over simplified hushmail architecture

Will Ajax be the next big thing in secure web communications design? I honestly do not know. At the very least, the concept of embedding security services into the Ajax Engine layer provides an alternative model to currently deployed secure web communications models - and in the metaphorical ecosystem of information security, diversity is good.

Notes: "Maturing" XML security standards (referred to above):

Thursday, May 12, 2005

VPN crypto flaw

The Register reports an IPSec flaw. The details and recommended remedial actions are linked in the post. The quick version is that you need to reconfigure if you are using ESP without integrity protection, although there are some other vulnerable modes as well.
Uproar over US Koran desecration

The Muslim world is justifiably enraged over a recent Newsweek report that US personnel at the Guantanamo Bay detention facilities had flushed at least one copy of the Koran down the toilet (also covered by NPR and elsewhere). Such an act is legally blasphemous in many Muslim states and punishable by death in Pakistan and Afghanistan. With the recent US track record for the treatment of prisoners of war, "detainees", and "enemy combatants", it is easy to find this allegation to be credible. I doubt that Condoleezza Rice's commitment that "appropriate action" will be taken if this allegation proves true will be sufficient to quell the unrest in Afghanistan and elsewhere.

Wednesday, May 11, 2005

Today's public service announcement


The oft malined wolf (QuickTime)


Courtesy of the Canadian Wildlife Service.

Tuesday, May 10, 2005

Bruce Schneier has posted a scathing critique of the US REAL ID bill. When I read this, the following thought went through my head, "Hey, I cannot fly in Canada without showing ID - I thought this was a free country without checkpoints." The following quote makes Schneier's compelling position very clear.

Schneier on Security: REAL ID: "REAL ID doesn't go into effect until three years after it becomes law, but I expect things to be much worse by then. One of my fears is that this new uniform driver's license will bring a new level of 'show me your papers' checks by the government. Already you can't fly without an ID, even though no one has ever explained how that ID check makes airplane terrorism any harder. I have previously written about Secure Flight, another lousy security system that tries to match airline passengers against terrorist watch lists. I've already heard rumblings about requiring states to check identities against 'government databases' before issuing driver's licenses. I'm sure Secure Flight will be used for cruise ships, trains, and possibly even subways. Combine REAL ID with Secure Flight and you have an unprecedented system for broad surveillance of the population.

Is there anyone who would feel safer under this kind of police state?"

Monday, May 09, 2005

Today's public service announcement


The black bear (QuickTime)


Courtesy of the Canadian Wildlife Service.

Friday, May 06, 2005

Free Comic Book Day 2005

Free comic book day is Saturday, May 7! Check out the website for participating comic stores near you.
FUD at slashdot over Google Web Accelerator

Assorted security and privacy fears are starting to rise around Google's newly announced web proxying service. Discussions have also arisen around what widespread use of Google's new service would do to the already limited accuracy of web logs.
Teacher-librarian's lament




A StatsCan report was released this week covering school libraries and teacher-librarians in Canada. I will likely have more to say about this in coming days, but for the moment, let me make the following observation. In Canada, in the 2003-4 school year, 1 in 4 schools had a teacher-librarian on staff. In my home province of Alberta, 7 out of every 100 schools had a teacher-librarian. In the ironic words of a rather insighful Edmonton cab driver regarding education funding in Alberta, "We don't need no fancy book-learning."
US federal court rules that universities do not have to rat out students to the RIAA

In an interesting court decision earlier this month, a federal judge ruled that the Univeristy of North Carolina at Chapel Hill and NC State University are not required to give personal information about their students accused of p2p file swapping to the RIAA. To quote the students' attorney,

This does not give students a license to steal music. What we're dealing with is the methods by which RIAA is trying to find out about people. There has to be a balance by which people's privacy and the rights of companies like RIAA are measured.

Wednesday, May 04, 2005

The most amazing toilet in Canada

The Edmonton Japanese Community Association is home to what I assert is the most amazing toilet in Canada.



Not only does it look like something out of a Terry Gilliam movie, it does much more than flush.



It washes, front and back, blow dries, and has both seat and water temperature control!

Today's public service announcement


The cougar (QuickTime)


Courtesy of the Canadian Wildlife Service.

Tuesday, May 03, 2005

The SANS Top 20 Vulnerabilities consensus list updated

The first quarter 2005 update to the SANS Top 20 Internet Security Vulnerabilities list was released yesterday (press release). Information security professionals will be very familiar with this living list. If you are wondering why you should be interested in this document, consider the following taken from the introduction to the list,

The Top-20 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts. They come from the most security-conscious government agencies in the UK, US, and Singapore; the leading security software vendors and consulting firms; the top university-based security programs; many other user organizations; and the SANS Institute. A list of participants may be found at the end of this document.

The SANS Top-20 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws. We will update the list and the instructions as more critical threats and more current or convenient methods of protection are identified, and we welcome your input along the way.

Monday, May 02, 2005

Europe resists Google Print

Germany, Hungary, Italy, Poland, and Spain are rallying around a French led alternative to Google Print. Jean-Noel Jeanneney of the French National Library describes Goolge's endeavor as "the confirmation of the risk of crushing American domination in the definition of how future generations conceive the world."

I had briefly mentioned the advent of Google Print previously. If you are feeling naughty, you can also explore isometrick's post on hacking Google Print.
Today's public service announcement


The American Robin (QuickTime)


Courtesy of the Canadian Wildlife Service.

Sunday, May 01, 2005

Go in the Washington Post

The April 28, 2005 issue of the Washington Post has a story on go.
2005 Alberta Go Tournament

Liang Yu has put together a thorough photo essay of the 2005 Alberta Open Go Tournament held in Edmonton, Alberta, Canada at the Edmonton Japanese Cultural Association.
Photographer, I am not


Lawrence Lessig speaking at the 2005 Alberta Library Conference. Unfortunately, my photographs did not turn out well.

Blog Archive

About Me

My photo
Edmonton, Alberta, Canada
Returned to working as a Management Consultant, specializing in risk, security, and regulatory compliance, with Fujitsu Canada after running the IT shop in the largest library in the South Pacific.

CC Developing Nations
This work is licensed under a Creative Commons Developing Nations license.

Site Meter