At the Ideas Project apparently women don’t have any ideas.

As some of you may or may not know, I founded a women’s-only technology conference, She’s Geeky. There has been a bunch of conversation in this past week about the lack of women speakers at tech events (in fields like web 2.0, social media, government where there is significant female participation).

It got started with this top 10 list put out by the Speakers Group that included NO women. Then O’Reilly published its first round of speakers for Web 2.0 Summit that was only 20% women. Allyson Kapin called him out, started a petition, and a whole discussion got going in Twitter. It continued with the inc500 conference.

This morning via a link I ended up on this website: The IDEAS Project. This is a site talking about the big ideas of the social web and the future of identity, collaboration, standards development, and norms on the digital web. The pictures speak for themselves.


For those of you counting:

  • 5 women out of 50
  • Racial diversity: by my observation, 2 Asian people and 2 Black people
  • No one under the age of 30 and not that many under the age of 40.

Monitor Talent is behind the site and it is sponsored by Nokia and powered by Xigi.

Many of the men here have written books or have academic credentials.

Of course it is a social media site, so anyone can contribute. I just don’t want to contribute to a place that is so skewed in one direction in terms of the starting point. This is not a hardcore IT subject; this is social media and use of the web and the network in a forward-looking way. Looking along the side, all the contributed ideas so far come from handles with male names.

It all makes me wonder:

  • Who is a real “authority” on a subject?
  • If you have a title and a position at an institution this means you must know, right?
  • If you have written a book you must have it right?

Some friends are in this “talent pool” like Jerry Michalski, Clay Shirky, Doc Searls, Laura Fitton, Christine Heron, Esther Dyson, Bob Frankston, David Hornick, Robert Scoble, Kevin Werbach, Andreas Weigend, Ross Mayfield, Charlene Li, Jeff Clavier.

I am curious if they asked about the gender balance reflected in this project up front?

Have they worked to recommend that Monitor Talent pick up more women talent? Or even proactively suggested Monitor seek to develop women talent?

The web offers a huge opportunity to change who is seen and referenced as having authority and we need to take advantage of this change the web offers.

I know this… I have never had a formal position at any company, yet IdM leaders at major companies like Microsoft, SUN, Novell, Burton Group, PayPal, Google, Yahoo!, etc. point at my blog, and I have, at least within that world, a lot of authority as a community leader – I have led 15+ events on the topic of user-centric identity in the past 5 years and spoken about 3 times a year at other events. I am very very comfortable talking about the topics in my industry, this is what I DO – I am an evangelist, a communicator, but this alone didn’t translate into being able to speak without training, practice or support. (I currently don’t proactively seek to speak because I had a bad experience and it rattled me.)

I think we need to work on moving beyond just taking at face value “old” positional authority like having a title at a university and proclaiming expertise – it doesn’t mean those people participate in the communities that are actually driving the innovation they speak about.

There is a systemic issue here. I hope that it can be addressed by the whole community.

Here are some talented women in identity if you are wondering who they are.

Missing: Privileged Account Management for the Social Web.

This year at SXSW I moderated a panel about OpenID, OAuth and data portability in the Enterprise. We had a community lunch after the panel, and walking back to the convention center, I had an insight about a key missing piece of software – Privileged Account Management (PAM) for the Social Web – how are companies managing multiple employees logging in to their official Twitter, Facebook and YouTube accounts?

I thought I should also explain some key things to help understand conventional PAM then get to social web PAM in this post covering:

  1. regular identity management in the enterprise,
  2. regular Privileged Account Management in the enterprise
  3. Privileged Account Management for the Social Web.


1) IdM (Identity Management) in the Enterprise

There are two words you need to know to get IdM and the enterprise: “provisioning” and “termination”.

a) An employee is hired by a company. In order to login to the company’s computer systems to do their work (assuming they are a knowledge worker), they need to be provisioned with an “identity” that they can use to log in to the company systems.

b) When an employee leaves (retires, quits, laid off, fired), the company must terminate this identity in the computer systems so that the employee no longer has access to these systems.

The next thing to understand is logs.

So, an employee uses the company identity to do their work and the company keeps logs of what they do on company systems. This kind of logging is particularly important for things like accounting systems – it is used to audit and check that things are being accurately recorded, and who did what in these systems is monitored, thus addressing fraud with strong accountability.

I will write more about other key words to understand about IdM in the enterprise (authentication, authorization, roles, directories) but I will save these for another post.

2) Ok, so what is Privileged Account Management in the Enterprise?

A privileged account is an “über”-account that has special privileges. It is the root account on a UNIX system, a Windows Administrator account, the owner of a database or router access. These kinds of accounts are required for the systems to function, are used for day-to-day maintenance of systems and can be vital in emergency access scenarios.

They are not “owned” by one person, but are instead co-managed by several administrators. Failure to control access to privileged accounts, knowing who is using the account and when, has led to some of the massive frauds that have occurred in financial systems. Because of this, the auditing of logs of these accounts is now part of compliance mandates in:

  • Sarbanes-Oxley
  • the Payment Card Industry Data Security Standard (PCI DSS),
  • the Federal Energy Regulatory Commission (FERC),
  • HIPAA.

Privileged Account Management (PAM) tools help enterprises keep track of who is logged into a privileged account at any given time and produce access logs. One way this software works is: an administrator logs in to the PAM software, and it then logs in to the privileged account they want access to. The privileged account management product grants privileged user access to privileged accounts [1].

Links to articles on PAM: [1] Burton Group Identity and Privacy Blog, KuppingerCole, Information Security Magazine.
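To make the mechanism above concrete, here is a small sketch added for illustration (it is not code from any PAM product): a broker holds the shared account's secret, named users are provisioned and terminated against it, and every step lands in an access log. The class name, method names and the sample account `root@db01` are assumptions, and an HMAC stands in for the broker's login to the target system.

```python
import hashlib, hmac, secrets, time

class PamBroker:
    """Illustrative broker: named users never see the shared account's secret."""
    def __init__(self):
        self._vault = {}      # account -> shared secret, known only to the broker
        self._grants = {}     # account -> set of provisioned user ids
        self._sessions = {}   # session token -> (user, account)
        self.audit_log = []   # append-only (timestamp, user, account, event)

    def _log(self, user, account, event):
        self.audit_log.append((time.time(), user, account, event))

    def enroll_account(self, account, secret):
        self._vault[account] = secret
        self._grants[account] = set()

    def provision(self, user, account):
        self._grants[account].add(user)
        self._log(user, account, "provisioned")

    def terminate(self, user):
        # Revoke grants and live sessions; the user never held the shared
        # secret, so termination does not depend on rotating it.
        for account, users in self._grants.items():
            if user in users:
                users.discard(user)
                self._log(user, account, "terminated")
        self._sessions = {t: s for t, s in self._sessions.items() if s[0] != user}

    def checkout(self, user, account):
        if user not in self._grants.get(account, ()):
            self._log(user, account, "checkout_denied")
            return None
        token = secrets.token_hex(16)
        self._sessions[token] = (user, account)
        self._log(user, account, "checkout")
        return token

    def act(self, token, action):
        session = self._sessions.get(token)
        if session is None:
            return None
        user, account = session
        # Stand-in for the broker logging in to the target with the vaulted secret.
        proof = hmac.new(self._vault[account].encode(), action.encode(),
                         hashlib.sha256).hexdigest()
        self._log(user, account, "action:" + action)
        return proof

    def who_did(self, account):
        # The audit view: which named person did what on the shared account.
        return [(u, e) for _, u, a, e in self.audit_log if a == account]
```

The log answers the audit question for a co-managed account: each action is tied to the person who requested it, not just to the shared login.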

3) Privileged Account Management on the Social Web.

Increasingly, companies have privileged accounts on the social web. Dell computers has several for different purposes. Others include Virgin America (they link to the account from their website, thus “validating” that this is their real account), JetBlue, Southwest Airlines, Zappos CEO (employees who twitter), and Comcast Cares (Frank Eliason) (interestingly, comcast on twitter is blank).

Twitter is just the tip of the iceberg – there are also “fan pages” on Facebook for brands. Coca-Cola, Zappos, NYTimes, Redbull, Southwest, YouTube Channels, Dunkin’ Donuts, etc, etc. on thousands of other platforms and yet-to-be-invented services.

These are very powerful accounts – they are managed and maintained by many employees around the clock and are the public voices of companies.

I have yet to see or hear of any software tools to enable enterprises to manage Social Web privileged accounts. How are companies managing access by multiple employees to these accounts?

Is there software that does this yet?

Is anyone working on these kinds of tools?

Leave your comments here or tweet with me @identitywoman

“anonymous” sperm donation…not so anonymous any more

I found this via retweets from Tim O’Reilly on Bio-Medicine.

The boy tracked down his father from his Y chromosome, which is passed from father to son unchanged. The gene variant patterns it carries can help trace the concerned paternal line, according to a report in New Scientist. All that it cost the boy to trace his father was $289 paid to FamilyTreeDNA.com for the service. In fact, his genetic father had never supplied his DNA to the site. For investigation, the site needed someone in the same paternal line to be on file. After nine months of waiting and making his contact details available to other clients, the boy was contacted by two men with Y chromosomes closely matching his own. These two were strangers, but the similarity between their Y chromosomes suggested there was a 50 per cent chance that all three had the same father, grandfather or great-grandfather.

Though the boy’s genetic father was anonymous, his mother knew the donor’s date and place of birth and his college degree. Using another online service, Omnitrace.com, he bought the names of all who had been born in the same place on the same day. Only one man had the surname he was looking for, and within 10 days he had made contact.

Legal Haze for Social networks. Identity and Freedom of Expression.


The picture pretty much sums the conundrum up.

Is it ok for individuals to promote pot on these social networking services?

Should social networks allow marijuana dispensaries to have organizational presences?

(from an e-mail from Fast Company promoting this article)

The question is, whose laws do social networks have to follow? The Web may seem borderless, but as companies like Google and Yahoo have found in China and, more recently, Twitter and Facebook found in Iran, virtual boundaries do exist. So what’s a company like Facebook or Twitter to do? It will be interesting to see how Silicon Valley finesses this one, particularly because the companies are based in California where the dispensaries are considered legitimate enterprises (at least in the eyes of the law).

I poked around on twitter and found a whole Marijuana movement along with the Stoner Nation Facebook page and Stoner Nation Twitter and on Blogger and their own site.

Interestingly, I searched in Facebook to find the stoner nation page and it was not listed when typed as two words but was when I typed it the way their name is listed as one word – StonerNation.

It is not a surprise to see there are many fans of Stoner Nation who are using Facebook accounts without their real names. Like Oregon Slacker, Stoner Stuff, and Drink Moxie.

I think this liminal space between the legal and illegal (at least this is factually the case in California) is quite interesting. The freedom to express oneself and organize around change is something that is important to maintain on the web – clearly these three people have chosen to weave a line – expressing their opinion and support and involvement around marijuana online and not releasing their “real names” on facebook or twitter where they are expressing support and involvement in movement organizing but making the choice that saying who they are may negatively affect them in their ‘daily life’ – whether it be a small town where they live that would be unaccepting or a profession they hold that would not be understanding. I think these rights and issues go beyond “just” drug use but also extend to sexual and other minorities. The marijuana community is activating right now because there is a ballot initiative here in 2010 to legalize pot and tax it (potentially generating 1.2 billion dollars in revenue annually for the state).

I think a question we all have in building the evolving open and social web is how do we support citizens having the freedom to express themselves online and in social contexts. What are the particulars of online identity that enable this as a possibility and don’t rule the fundamental right of freedom of expression out? I am specifically thinking about the equivalent to anonymously joining a social movement march in the physical world.

SSN’s can be guessed

This just in from slashdot:

“The nation’s Social Security numbering scheme has left millions of citizens vulnerable to privacy breaches, according to researchers at Carnegie Mellon University, who for the first time have used statistical techniques to predict Social Security numbers solely from an individual’s date and location of birth. The researchers used the information they gleaned to predict, in one try, the first five digits of a person’s Social Security number 44 percent of the time for 160,000 people born between 1989 and 2003.”

This is from the Wired coverage:

By analyzing a public data set called the “Death Master File,” which contains SSNs and birth information for people who have died, computer scientists from Carnegie Mellon University discovered distinct patterns in how the numbers are assigned. In many cases, knowing the date and state of an individual’s birth was enough to predict a person’s SSN.

“We didn’t break any secret code or hack into an undisclosed data set,” said privacy expert Alessandro Acquisti, co-author of the study published Monday in the journal Proceedings of the National Academy of Sciences. “We used only publicly available information, and that’s why our result is of value. It shows that you can take personal information that’s not sensitive, like birth date, and combine it with other publicly available data to come up with something very sensitive and confidential.”

Basically it means we shouldn’t be honest about our date of birth and home town on Facebook (or any other social network) or we are making ourselves vulnerable to discernment of our SSN’s. I wonder if they can figure out mine? I received mine as an adult when I was attending college in California.

I decided to poke around and see what Facebook had up about Identity Theft. I did find a link to this study that created a profile by “Freddi Stauer,” an anagram for “ID Fraudster.”

Out of the 200 friend requests, Sophos received 82 responses, with 72 percent of those respondents divulging one or more e-mail address; 84 percent listing their full date of birth; 87 percent providing details about education or work; 78 percent listing their current address or location; 23 percent giving their phone number; and 26 percent providing their instant messaging screen name.

Sophos says in most cases, Freddi also got access to respondents’ photos of friends and family, plus a lot of information about personal likes and dislikes, and even details about employers.

Facebook users were all too willing to disclose the names of spouses and partners, with some even sending complete resumes. One Facebook user divulged his mother’s maiden name—the old standard used by many financial and other Web sites to get access to account information.

Most people wouldn’t give this kind of information out to people on the street but their guard sometimes seems to drop in the context of a friend request on the Facebook site, O’Brien says.

According to Sophos, the results of what it calls its Facebook ID Probe have significance for the workplace as well as personal life because businesses need to be aware that this type of social-networking site may pose a threat to corporate security.

I have tried to search the Facebook blog to see what they have to say about identity theft and apparently they haven’t mentioned it.