Tuesday, October 21, 2008

Detective Assigned

It's been a few days and I've had no update on the case of my robbery. So this morning I called the detectives in Boston to see if there's any news. Evidently my case had not yet been assigned to a detective, so they made the assignment while we were on the phone. Detective Walsh got my case -- let's wish him luck (or break a leg, or whatever one is supposed to wish for a detective).

Friday, October 17, 2008

Robbery Update

Later on Wednesday (the day of the theft) I got to speak with the hotel detective again. He thinks he knows who stole my watch and ring. They saw him on the hotel security cameras. The community of hotel security people evidently keeps in touch, because he said he learned from his colleagues at other hotels that the guy was active at other hotels earlier in the week. He asked me to file a police report so they could try to get fingerprints from the coffee cup.

Speaking with the Boston police I learned it could be several days before a detective gets assigned to my case. Frown.

Yesterday I asked the police if it would be worth my effort to check area pawn shops, because I had a couple free hours before I needed to catch my plane home. The policeman said it was a good idea, and that occasionally someone is able to find their stolen property at a pawn shop.

I looked in the yellow pages and found two pawn shops within 15 minutes walk of the hotel. In all my life I had never before been in a pawn shop, so I was beginning to look forward to a new adventure.

In the first shop reality hit. The shopkeeper said I might have a very slight chance of finding my watch, but a gold ring would just be quickly melted down and used for other jewelry. I asked if there might be certain shops where stolen jewelry is more likely to show up; he said that any jewelry store buys gold jewelry, and that a thief would go to a jewelry store before a pawn shop because at a pawn shop they have to fill out paperwork, and at a jewelry store they can just sell it.

Onward to the next planned stop, which was around the corner and about three blocks away. Rounding the corner I immediately saw a jewelry shop with a large sign indicating they buy old jewelry. Upon entering the store, I saw it was more like a mini-market than a single store. Counters lined both walls all the way to the back of the store. Every 8 or 10 feet of counter was staffed by a different vendor. That was a LOT of second hand jewelry to look through.

Continuing my journey to the planned second stop, I encountered two more of the jewelry mini-markets. After looking through five shops in three blocks, and seeing that the same type of neighborhood extended for many more blocks, and assuming I'd continue to find a jewelry shop or two on every block, I determined that this haystack was much too large.

Every time I look at my bare wrist to see what time it is, I feel hassled that I now have to look somewhere else. But the loss of the ring is much worse. There's a lot of sentimentality attached to a ring of almost 19 years. Also, some of you know that I'm a consummate fidgeter, and that my ring was my favorite subject to fidget with. Now I feel a loss every time I reach for my ring to give it a spin on the table, or move it from finger to finger, or slide it up and down my tie, etc.

I'm thinking about contacting the jeweler who made my original ring so long ago, to have him make me a new one just like the old one. Who knows, perhaps the same gold that was in my old ring will have made its way to my jeweler friend, and my new ring will end up with my old sentimental gold. At least I can choose to believe that, and probably nobody can prove me wrong.

Wednesday, October 15, 2008

Recognizable Compromise - I was ROBBED!!!

Interesting experience this morning at my hotel in Boston.

I woke about 4:30 this morning with an upset stomach. I opened my door to see if the USA Today was there (it was). I read for maybe a half hour and went back to sleep. At 7:00 my alarm went off and I got up. About 7:40 I put my watch and wedding ring on the bathroom shelf to get into the shower. After my shower while getting dressed I looked for my watch and ring, but couldn't find them. Even though I was "sure" I put them on the bathroom shelf, I looked on the dresser, the desk, the bed, and all around wondering where I could have put them. I found a disposable coffee mug on the floor between the bed and the wall and thought how careless the cleaning staff must have been the day before to have left behind a coffee mug. I picked it up to throw it away, and it was nearly full of still warm coffee. I don't drink coffee.

I looked in the closet - nobody there. I went to the door (a few minutes before 8:00) and noticed the chain lock was not locked. I opened the door to see if anyone was still in the hallway - nope.

The hotel detective arrived perhaps 10 minutes after my call. He had a printout of all my door openings and closings. We saw my opening of the door at 4:30, but no closing of the door until ~7:57. I had noticed yesterday that the door sometimes sticks and I have to pull or push it to get it completely closed. In my early morning stupor, I was evidently not very thorough about closing the door.

The detective is now looking at surveillance tapes and records of other doors near mine that were opened near 7:57. Perhaps a crime of opportunity - an unlocked door with an audible shower on. Sadly there is no surveillance camera that can see my door; the only one is by the guest elevator. I don't think it can see the stairway exit from there either. Hopefully the thief passed within view of the elevator.

The desk is at the wall furthest from the door. I think I must have turned off the shower (scaring the thief away) before s/he made it that far into the room. My wallet was on the desk. My computer was on the desk, unlocked (hey - I was still in the room), and with my SecureBadge in the card reader. That's quite eerie, because my day job colleagues and I just recently had an email debate on whether a TPM chip in a notebook coupled with the TPM chip's PIN constitutes two-factor authentication. In comparing TPM to smart card, we considered this exact scenario and arrived at the conclusion that stealing a PC with a TPM chip and PIN is the same as stealing a PC together with the user's smart card. If you use a smart card for Windows logon (like I do), do you leave your smart card in the hotel room when you go out to dinner? Or do you travel with your smart card in the same bag as your PC?

This experience highlights to me the importance of one consideration for assessing the strength of various authenticators; i.e., recognizable compromise. If the thief had not left their coffee mug, I'd still be scratching my head wondering where I put my watch and ring.

Monday, October 13, 2008

Let's do it all again!

Last week Project Concordia decided to undertake definition of a Concordia Identity Reference Model. Because of the work on the Identity Happens blog, I was asked to lead the Concordia effort. I'm pleased that a more formal forum is now home to this effort. Please continue to participate at the Concordia wiki.

Tuesday, October 7, 2008

A New Concept for the Model

These last couple weeks we've used the model to help cogitate testing IDs at my day job. We discussed two main approaches:
  • The Subject is a tester, and the testing ID is one of the tester's Digital Personas.
  • The Subject is a conceptual entity. The tester has a new kind of relationship to the Digital Persona as an Invoker. Generally the Subject and Invoker are the same Entity; however, with Testing IDs the Invoker is not the same Entity as the conceptual Subject.
After much discussion we favored the second approach (note that this is our preference - some other organization may prefer something different).

Although we haven't discussed other use cases yet, we anticipate the concept of Invoker may also be pertinent to discussions about group accounts, root accounts, help center support scenarios, and perhaps others. We think this warrants adding the concept of Invoker to the general model. Here's what that might look like:

The rest of the people at my day job haven't seen this yet, so I'm not sure if they'll like it. Do you like it?
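
The second approach above, sketched as an added example (not from the original post or from Project Concordia): a Digital Persona whose Subject is a conceptual entity, with actions attributed to the Invoker for accountability. The class names, the `audit` helper and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entity:
    name: str
    conceptual: bool = False  # True for a Subject that is not a real person

@dataclass(frozen=True)
class DigitalPersona:
    login: str
    subject: Entity
    invokers: frozenset = frozenset()  # empty: only the Subject may invoke

    def allowed_invokers(self):
        return self.invokers or frozenset({self.subject})

def attribute(persona, invoker):
    """Return the Entity accountable for an action taken under `persona`."""
    if invoker is None:
        raise LookupError(f"{persona.login}: no Invoker recorded")
    if invoker.conceptual or invoker not in persona.allowed_invokers():
        raise PermissionError(f"{persona.login}: {invoker.name} may not invoke")
    return invoker

def audit(events, personas):
    """Split (login, invoker, action) events into attributed and findings."""
    attributed, findings = [], []
    for login, invoker, action in events:
        try:
            who = attribute(personas[login], invoker)
            attributed.append((who.name, login, action))
        except (LookupError, PermissionError) as err:
            findings.append(str(err))
    return attributed, findings

# Constructed sample data: two testers share one testing ID.
ALICE, BOB, CAROL = Entity("alice"), Entity("bob"), Entity("carol")
TEST_CUSTOMER = Entity("Test Customer", conceptual=True)
PERSONAS = {
    "alice": DigitalPersona("alice", ALICE),  # Subject and Invoker coincide
    "test-cust-01": DigitalPersona("test-cust-01", TEST_CUSTOMER,
                                   frozenset({ALICE, BOB})),
}
EVENTS = [
    ("alice", ALICE, "read mail"),
    ("test-cust-01", BOB, "place order"),
    ("test-cust-01", None, "change address"),   # shared login, nobody named
    ("test-cust-01", CAROL, "place order"),     # real person, not authorized
]

if __name__ == "__main__":
    for line in audit(EVENTS, PERSONAS):
        print(line)
```

With only Subject and Digital Persona in the model, the third and fourth events would both be attributed to "Test Customer" and the accountable person would be lost.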