Well, the first-ever release of a major public company’s financials via the Web, in advance of the conventional newswire service, is history. It went OK, but we can do better. Obviously, these discussions have been going on for a while, and observant readers may have noticed I visited Washington last March. However, the go-ahead to do the numbers on the Web came very recently, and so the mechanism was an ordinary RSS feed. We should publish this in Atom, and do it over a TLS channel, and supply a digital signature. Stand by for next quarter.

You’d be surprised how much work it is to set up for this kind of a high-volume public Web event. When I went to the sun.com people last week and said “Oh, and you’ll be switching over to TLS and Atom in the three working days left, right?” they laughed at me. Today, I noticed that while the RSS feed was updated spot on the top of the hour, it took a few minutes for the actual earnings release to trickle through the various levels of cache. There’s a first time for everything; that’ll get cleaned up.

Why TLS? · For the non-geeks, this means that the feed URI will start with https:, it’ll be a secure channel. This just has to happen, because otherwise there’s a potential gold mine for a smart bad guy.

What the smart bad guy does is figure out how to (temporarily, locally) hack the DNS, say in a few key Manhattan offices, during trading hours. He sets up a fake sun.com and puts a fake news release in the feed claiming that we’re the subject of a major SEC investigation, having first shorted a few million shares. Ouch!

Why Digital Signature? · This idea was first proposed by James Snell, and it’s a good one. Mind you, the benefits are a little bit theoretical, since no feed-reading clients that I’ve seen actually check a digital signature. The argument for this is similar to that for TLS; a bad guy who could somehow insert a fake press release into the feed could make zillions by gaming the share price. A verifiable digital signature would let someone reading the feed know that the news in it really truly did come from Sun.

My hope is that if we and a few others start using signatures, the people who write clients will start checking them. This is the Internet, and we’re playing with real money and shooting live ammunition; gotta be careful.
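As an added example (not code from this post, and not Sun’s feed machinery), here is what “supply a digital signature” and “clients will start checking them” look like end to end, covering both the DNS-spoofing scenario above and the signature section: the publisher signs each entry with a private key, and a reader holding the publisher’s public key verifies the entry regardless of which server it was fetched from. It uses an Ed25519 detached signature over a simplified Atom entry rather than the XML-DSig that the Atom signature work uses; the `<signature>` element, the `canonical()` field encoding, the sample entry and its example.com id are all assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// Entry is a simplified Atom entry, not the full Atom schema. The
// <signature> element is a hypothetical addition for this example; real
// Atom signing uses XML-DSig, which is considerably more involved.
type Entry struct {
	XMLName xml.Name `xml:"http://www.w3.org/2005/Atom entry"`
	ID      string   `xml:"id"`
	Updated string   `xml:"updated"`
	Title   string   `xml:"title"`
	Content string   `xml:"content"`
	Sig     string   `xml:"signature,omitempty"` // base64 Ed25519 signature over canonical()
}

// canonical builds the exact bytes that get signed. Each field is
// length-prefixed so that moving text between fields (say, from title
// into content) changes the signed bytes; the signature field itself
// is excluded, since it cannot cover itself.
func canonical(e Entry) []byte {
	var b strings.Builder
	for _, f := range []string{e.ID, e.Updated, e.Title, e.Content} {
		fmt.Fprintf(&b, "%d:%s,", len(f), f)
	}
	return []byte(b.String())
}

// ParseEntry decodes one Atom entry document.
func ParseEntry(doc string) (Entry, error) {
	var e Entry
	if err := xml.Unmarshal([]byte(doc), &e); err != nil {
		return Entry{}, err
	}
	return e, nil
}

// Sign is the publisher's step, done before the entry goes into the feed.
func Sign(priv ed25519.PrivateKey, e Entry) Entry {
	e.Sig = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(e)))
	return e
}

// Verify is the reader's step, using a public key pinned in advance
// (obtained out of band, not from the feed or the server being checked).
func Verify(pub ed25519.PublicKey, e Entry) error {
	if e.Sig == "" {
		return errors.New("entry carries no signature")
	}
	raw, err := base64.StdEncoding.DecodeString(e.Sig)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(pub, canonical(e), raw) {
		return errors.New("signature does not verify against publisher key")
	}
	return nil
}

// sampleEntry is constructed for this example; the id and text are placeholders.
const sampleEntry = `<entry xmlns="http://www.w3.org/2005/Atom">
  <id>tag:example.com,2007:earnings-q4</id>
  <updated>2007-07-30T20:00:00Z</updated>
  <title>Fourth quarter results</title>
  <content type="text">Revenue and net income figures would go here.</content>
</entry>`

// Demo runs the round trip and reports three outcomes: the genuine entry
// verifies, a tampered copy does not, and a copy re-signed with a key
// that is not the publisher's does not.
func Demo() (genuine, tampered, wrongKey bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	entry, err := ParseEntry(sampleEntry)
	if err != nil {
		return
	}
	signed := Sign(priv, entry)

	// Serialize and re-parse, as a reader fetching the feed would see it.
	out, err := xml.MarshalIndent(signed, "", "  ")
	if err != nil {
		return
	}
	fetched, err := ParseEntry(string(out))
	if err != nil {
		return
	}
	genuine = Verify(pub, fetched) == nil

	// A spoofed server can serve a different story, but the old signature
	// no longer matches the bytes.
	fake := fetched
	fake.Content = "Company is the subject of a major investigation."
	tampered = Verify(pub, fake) == nil

	// Nor does a signature made with some other key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	wrongKey = Verify(pub, Sign(otherPriv, fake)) == nil
	return
}

func main() {
	g, t, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine verifies: %v\ntampered verifies: %v\nwrong key verifies: %v\n", g, t, w)
}
```

The point the TLS section cannot make on its own: the signature binds the entry to the publisher’s key, so a reader who has that key pinned gets the same assurance whether the bytes came over a spoofed DNS name, a cache, or a mirror. What the code does not solve is how the reader obtained the right public key in the first place; that distribution step is where the real operational work lives.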



Contributions


From: Laurent Szyster (Jul 31 2007, at 03:14)

Eight years ago I led the development of a reinsurance EDI/SOAP hub secured with SSL/TLS transport encryption, using server and client X509 certificates for peer identification and authorization.

What I learned from this experience is that "if you think that cryptography is the solution to your security problems then you don't know what cryptography is and you don't know what your security problems are".

TLS encrypted transport and X509 certificates are very good at preventing unauthorized access to a network service. They are less useful when it comes to ensuring safe use of an application.

Re-insurers are - to say the least - averse to risks and they know how to avoid many of them. Most have been in this business for a few centuries now.

The best way they found to prevent fraud has not changed for a while. They audit every process and transaction, regardless of the technology applied.

The question is: who's going to audit your editorial process, your X509 client and server certificate distribution process, etc?

Well, people reading that news are the ones that should be in a position to audit how the feed items are edited, reviewed and published.

The safest way they can do that without relying on computer technology is by comparing the item your system produces with other news sources.

If they fail to do so, thinking that cryptography solved their security problem, they may have to suffer from "something you believe in but don't understand".

Technological superstition.


From: Mike Willis (Aug 01 2007, at 19:39)

Undoubtedly you are aware of the recent SEC approval for delivery of corporate quarterly results via RSS/Atom.

As the Founding Chairman of XBRL International, I am wondering if Sun is/would consider using XBRL to format the reported information for delivery via RSS/Atom. The XBRL format would enable investors/analysts to immediately incorporate the reported information directly within their models for analysis and assessment.

Thank you for any consideration of this request.

Best Regards

Mike


July 30, 2007

I am an employee of Amazon.com, but the opinions expressed here are my own, and no other party necessarily agrees with them.