I'm not in any way involved with OASIS (although Champaign Supernova was a cool tune) but I think I can clear up some misunderstandings about SAML.
First up, it does not extend or alter XML specs in any way, it is a specification for creating authentication and authorization assertions USING XML.
It will not compete with Passport, but federated authentication systems that could compete with Passport could be designed to use SAML (see Liberty Alliance, or Internet2's Shibboleth).
IT does NOT (I said NOT) send your password from one place to another. The whole idea is to provide a common "security language" if you will to allow two different types of authentication realms to communicate. What happens is site A trusts site B, and they have worked out a deal where site B's users are allowed to access a resource at site A. So a user wanting to get into site A coming from site B would authenticate into their security realm at site B, and site B would send a SAML assertion to site A claiming that the user is who they say they are. This assertion is a blob of XML data that is digitally signed by site B. It can also be encrypted using XML-Encryption or just sent over an SSL connection.
This is very useful in higher education (where I live) since some schools intelligently use KerberosV for authentication, while some poor deluded schools use something like LDAP (pop quiz, what is it about a directory access protocol that sounds like "authentication system"?). It is nice to allow these different systems to talk to each other using a common language.
There are three types of SAML assertions, Authentication, Attribute, and Authorization Decision. An Authentication assertion simply claims that this user was able to log in. An attribute assertion contains information about the user (think Unix groups). Authorization decision is pretty much self-explanatory.
Yes, XML is an annoying buzzword which clueless managers (who learn everything they know from trade rags) think should be used for everything. However this is actually a legit use of the technology. If your goal is to have a generic security language, you might as well use a generic data format.
To actually use some of this stuff, check out the OpenSAML project developed by Internet2's Middleware team. Also look at Liberty Alliance and Shibboleth.
Finkployd
Liberty Alliance is more of a competitor to Passport than Shibboleth (although the two seem to be VERY similar). My understanding about Shibboleth is that it is primarily for Higher Ed, not really geared toward business (thus its dependence on the EduPerson schema)
I've been working with Scott and Co to get the upcoming Beta release up to par. We have been running the Alpha 2.5 code in production for a class at PSU for a few months now. If you need any help or want to compare notes feel free to email me (mxe20@psu.edu).
Finkployd (mark earnest)
I've avoided Apple computers all my life. I have worked with all flavors of Unix (except HP-UX), Windows, DOS, and OS/390 in my short career (I'm 24). However lately I noticed that more and more people have iBooks and tiBooks at meetings, conferences, and generally everywhere I go. I work for a largish university (PSU) and am involved in several consortiums like internet2, Educause, etc.
Lately I gave in and started inquiring what all the fuss was about and learned about OS X and started following apple a little closer. Well, to make a long story short, I'm typing this slashdot comment on a flat panel iMac :) So yeah, I never took apple seriously until about a year ago, but now I'm pretty impressed with them and see them making a comeback (if nowhere else, certainly in higher education).
I still use the other operating systems for servers and whatnot, but I will probably end up using OS X as my primary desktop once it gets a little more polished (as cool as it is, it still has a ways to go, but I have no doubt it will get there)
Finkployd
We've seen this thing before...
Yes we have, it was called DIVX
I have not yet lost ALL faith in technology consumers, they also rejected the Pentium serial number. :)
Finkployd
There seems to be a lot of misconceptions about Liberty. As I understand it, the framework allows you to "assert" your identity to a remote location by a trusted third party. Perhaps your trusted third party is your bank, or your University, or your ISP. You authenticate with them, then a packet of data asserting who you are is digitally signed by this trusted third party and sent to wherever. If the remote location trusts the third party to assert identities, then you are in.
This does not seem to be about having the same password on every site, or even having ANY password on a site. It is federated authentication (and possibly authorization, but I don't know how they would do that, possibly with SAML assertions).
Finkployd
You need to understand the difference between saying something false/wrong (what you believe I accuse you of), and saying something unsubstantiated (what I actually think you did).
Actually, I didn't start this thread, I just jumped in randomly.
Finkployd
Again, you are arguing an all or nothing approach. I never said the concept of a slippery slope always applies, however there are times when it can. Let's say a group with a stated interest in getting to F, does A, then B, then C, it is fair to assume they are trying to get to F. To say that they are not because some websites refute the possibility of a slippery slope is ignoring all actual evidence that it may be taking place.
That is how things work, if you want to get a population to accept something they would never accept outright (free speech outlawed, gun confiscation, PPV, DRM, etc) you have to do it slowly. I do not understand people who believe that this is somehow impossible or a logical fallacy just as much as I cannot believe people who always assume that it is taking place. Both approaches ignore the specific situation and are both logical fallacies.
Finkployd
Either way, all it proves is people do not like having that used against them. The slippery slope is not a hard and fast rule that always applies, but there are hundreds of times where it does apply. Simply dismissing it out of hand is as logically flawed as assuming it always applies.
Finkployd
If it is on a web site, it must be true :)
Finkployd
Let's see if I can explain this. I am going to type very slowly and use small words so that you can understand.
This may be difficult for you to grasp
We could have had a good discussion on this subject, and I concede that I had some misconceptions earlier regarding the nature of this project.
However, I refuse to lower myself to your petty level of immaturity. It appears that you have yet to master the art of making your point without sprinkling in liberal doses of condescending remarks. I see no provocation on my part to elicit such a reaction, and I must conclude that you are either too young to engage in a mature conversation, or have some serious anger management issues to work out.
Good day
Finkployd
The default install of Windoze 2000 contains at least 120 known vulnerabilities
So my earlier question stands, why not (a) use something else if it is so insecure or (b) demand Microsoft fix it. Why is it the US government's job to do a private company's job for them?
Many of us security professionals have had to deal with Neanderthal bosses unwilling to allocate to us the time and/or people to properly secure our connected systems.
Don't I know it. My background is in s/390 security, DCE security, and I am currently working with PKI, and Internet2's shibboleth and OpenSAML products. I'm not the "clueless, diaper-wearing, anti white house slashdot weenie" you would like to portray me as :)
Those of us in the security community believe that the US government is the best vehicle for publishing and communicating these standards.
Agreed, their commitment to PKI has helped move Universities to looking at it seriously and making plans to use it.
But there is another, even more serious issue: millions of clueless Americans connecting home PCs to the Internet through high-bandwidth connections, oblivious to the collective danger that millions of potential DDOS zombies pose to the nation's critical infrastructure.
However, many of these people would not trust a binary issued by the US Federal government. I never questioned their competence, but I (and many others) do question their motives. They have a well documented desire to electronically spy on citizens. From the FBI's perspective, it would be irresponsible to NOT include a "magic lantern" like program with this.
The idiotic anti-government paranoia I've seen expressed in response to this is, frankly, highly inappropriate.
The people that brought you Carnivore and Magic Lantern are to not be questioned when they give you a binary to run on your PC?
Finkployd
huh
I'm lucky to get 2.5 out of mine. Of course I'm using a pcmcia wireless card (did not go with the integrated wireless option)
Finkployd
I understand the reason but I do not understand the execution. Ignoring all "magic lantern" issues, this is just the wrong way to fix it. The government and some companies (Chevron??!) are going to audit the security of Windows, find the flaws and distribute a program to alter it so they are fixed...
This is easier than just asking Microsoft to design a secure version of Windows? Come on, you already found them guilty of being a monopoly, perhaps a nice sentence would be "make a secure version of Windows".
If Windows insecurity is such a threat to homeland defense, shouldn't the government be cracking down on the company making the laughably insecure software? Or perhaps simply not using it since it is (by the government's own admission) insecure?
Or just demand the source code and distribute their own secure version. It worked with NSA-Linux :)
Finkployd
*ahem*
#12902 :)
Finkployd
I had not heard of that one, pretty interesting.
One difference though is that Bluestem only provides authentication, leaving it up to the application to supply its own authorization database. Shibboleth (and Liberty Alliance, the more I read the tech specs, the more I am positive they are the same thing) provides authorization information along with the authentication.
Finkployd
If Uni B requires a valid Oracle un/pw because the access to the data behind the web pages is acl protected based on who the Oracle identity is, then the real problem is how the web page at Uni B, once it trusts that the user is who he says he is, logs into the Oracle db with the correct un/pw. How are the valid credentials converted to the right un/pw?
That certainly would be unfortunate. Although if you allow yourself to be locked into an auth solution that is not flexible and that you have no control over, there is not much that ANY technology can do to fix that. I suppose you could design a system that stored the username and password on your backend and match it up with the certificate data. Kinda circumvents the whole point if you ask me though...
In a situation like that, how would you even design an INTER-organization single sign on system? Assuming you wanted to use PKI or Kerberos, you would still have to solve the same problem. Until you have that, an intra-organization single sign on system is impractical.
If Oracle (or whatever your authn or authz at Uni B) only accepts a valid un/pw to establish identity and grant access, what technology (or whose software) is responsible for converting the credentials to this un/pw? Where is this un/pw stored?
You would probably have to do it yourself. I would hope the un/pw would be stored on the same machine as the DB, and that security on that machine would be tight.
Finkployd
It is not centralized at all, please read the specs. There is no "them", it can use your existing "service provider" (assuming company auth system, university auth system, ISP auth system, etc). It is basically a "common authZ/authN" language that service providers can speak to each other.
Finkployd
I take a stab at answering this here.
Finkployd
I do not believe this limits you to any system. It seems to delegate the authentication/authorization to your "service provider" (not totally sure what they mean by that) who could potentially use ANY system. The important thing is that after you authenticate with them, it generates a short term certificate, signed by the "service provider" and encoded with authorization info.
Finkployd
First up, this is very similar to (possibly even based off of) the Internet2 middleware project, Shibboleth, incorporating similar technology such as SAML assertions. In the interest of disclosure, I am working on setting up Shibboleth at my University as a method of allowing intra-University authentication AND authorization. So I can talk somewhat about that (although I do not in any way speak for Internet2, I do not work for them, I probably will get some details mixed up, have a grain of salt, etc.)
This is not about central authN or authZ (authentication and authorization), it is about utilizing existing auth databases and methods and allowing them to talk to each other. An example, if I may:
A student at University A wants to take a web based class offered at University B. The two Universities have a partnership established but unfortunately University A uses Kerberos as a central authentication tool and University B uses Active Directory (Uni B obviously never plans to scale, but I digress). Either way, Uni A is not going to give Uni B the user's password, and Uni B really does not want to add every external user who is going to take this class through the partnership.
The solution Shibboleth offers is that Uni B can simply "point back" to a url at Uni A that is protected with their central authentication system, and if the student can log in there, Uni A creates a digitally signed certificate identifying the user to Uni B AND any relevant authZ information. Meaning that the list of students allowed to take this class is managed by Uni A and Uni B never has to worry, the signed certificate proves all they need to know. There is obviously more to this but check out the above web site for the specifics.
The important part to all this is (1) inter-realm authentication: There is not one single database of users and authZ info, there are multiple players who pre-agree on authZ info, but maintain their own internal user databases and methods of authN. Presumably, the ability to say what the external entities can see about the users could be delegated down to the users themselves. (2) Authorization: Everybody is familiar with single sign on concepts that only prove who you are, how about ones that also say what you are allowed to do, what groups you belong to, and what access you have. DCE did a fine job of this (and Microsoft did a fine job of renaming DCE to Active Directory and calling it innovation) but it did not talk to other authN/authZ systems.
If the Liberty Alliance is as close to Shibboleth as I think it is, then it offers something we have never had before. A framework for a single sign on system that is not centrally managed, but leaves control to separate entities that mutually trust each other.
Let's face it, when it comes to something like this you don't want all your eggs in one basket, especially if that basket has to answer to stockholders and has possibly the worst security reputation in the short history of computing (really, I don't know why Hailstorm failed...)
This looks promising and it appears to be an approach that nobody has taken before. So don't assume it is just Sun's version of Passport, the technology seems vastly different. Specifically, it seems to be designed with the user's best interest in mind, not a single corporation's.
Finkployd
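As an added example (not part of the original thread, and not OpenSAML, Shibboleth or Liberty code), here is the exchange described in the SAML comment earlier on this page and in the Uni A / Uni B example in this post, written out as runnable code: the student's home realm (site B) authenticates the user locally and issues a signed assertion carrying an authentication statement and an attribute statement; the site hosting the class (site A) checks the issuer, the signature, the validity window and the audience before trusting a single claim in it, and the password never leaves site B. Everything specific is assumed: the entity IDs, the user name, the eduPersonAffiliation values and the signing key are made up, and real SAML signs with XML-DSig using the issuer's key pair published in metadata, which this toy replaces with an HMAC over the canonicalized Assertion element so that it runs with the Python standard library alone (Python 3.8 or newer, for `xml.etree.ElementTree.canonicalize`).

```python
"""Toy SAML-style assertion exchange between two realms (stdlib only).

Site B (the user's home realm, the identity provider) issues an assertion;
site A (the resource owner, the service provider) validates and consumes it.
This is example code with constructed identifiers, not any project's code.
"""
import base64
import copy
import datetime as dt
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"
ET.register_namespace("saml", SAML)
ET.register_namespace("ds", DS)

# Assumed entity IDs for the two realms in the example.
SITE_B = "https://idp.uni-b.example/shibboleth"    # student's home realm (IdP)
SITE_A = "https://class.uni-a.example/shibboleth"  # hosts the protected class (SP)
# Site A's trust list: issuer -> verification key. Real SAML keeps the issuer's
# public certificate here; this toy uses a constructed HMAC secret as a stand-in.
TRUSTED_ISSUERS = {SITE_B: b"constructed-demo-key-not-for-real-use"}


def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def _signed_bytes(assertion):
    """Canonical form of the Assertion with the Signature element removed.
    Signing canonical bytes (as XML-DSig does) means whitespace or attribute
    order changes do not break verification, while any change to content does."""
    c = copy.deepcopy(assertion)
    for sig in c.findall(f"{{{DS}}}Signature"):
        c.remove(sig)
    return ET.canonicalize(ET.tostring(c, encoding="unicode"), strip_text=True).encode()


def issue_assertion(user, affiliations, key=TRUSTED_ISSUERS[SITE_B], lifetime_s=300):
    """Site B: run only after the user authenticated locally (Kerberos, AD, ...).
    The assertion says who logged in and what they are; it never carries the password."""
    now = dt.datetime.now(dt.timezone.utc)
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"Version": "2.0", "ID": "_" + secrets.token_hex(16), "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = SITE_B
    ET.SubElement(ET.SubElement(a, f"{{{SAML}}}Subject"), f"{{{SAML}}}NameID").text = user
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now - dt.timedelta(minutes=1)),
                          "NotOnOrAfter": _ts(now + dt.timedelta(seconds=lifetime_s))})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = SITE_A   # only site A may consume this
    # Authentication statement: "this user was able to log in here".
    ET.SubElement(a, f"{{{SAML}}}AuthnStatement", {"AuthnInstant": _ts(now)})
    # Attribute statement: what site A needs for its own authorization decision.
    st = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    attr = ET.SubElement(st, f"{{{SAML}}}Attribute", {"Name": "eduPersonAffiliation"})
    for v in affiliations:
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = v
    # Sign the canonical assertion, then attach the signature element.
    mac = hmac.new(key, _signed_bytes(a), hashlib.sha256).digest()
    sig = ET.SubElement(a, f"{{{DS}}}Signature")
    ET.SubElement(sig, f"{{{DS}}}SignatureValue").text = base64.b64encode(mac).decode()
    return ET.tostring(a, encoding="unicode")


class AssertionRejected(Exception):
    """Raised by site A when an assertion fails any trust check."""


def accept_assertion(xml_text):
    """Site A: validate before trusting any claim. Returns identity and attributes."""
    now = dt.datetime.now(dt.timezone.utc)
    a = ET.fromstring(xml_text)
    if a.tag != f"{{{SAML}}}Assertion":
        raise AssertionRejected("not a SAML assertion")
    issuer = a.findtext(f"{{{SAML}}}Issuer")
    key = TRUSTED_ISSUERS.get(issuer)          # key is looked up by issuer, never taken from the message
    if key is None:
        raise AssertionRejected(f"issuer not trusted: {issuer!r}")
    sig = a.findtext(f"{{{DS}}}Signature/{{{DS}}}SignatureValue")
    if not sig:
        raise AssertionRejected("assertion is not signed")
    try:
        given = base64.b64decode(sig)
    except ValueError:
        raise AssertionRejected("malformed signature value")
    if not hmac.compare_digest(given, hmac.new(key, _signed_bytes(a), hashlib.sha256).digest()):
        raise AssertionRejected("signature does not verify")
    cond = a.find(f"{{{SAML}}}Conditions")
    try:
        in_window = _parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False
    if not in_window:
        raise AssertionRejected("assertion outside its validity window")
    if SITE_A not in [e.text for e in cond.iterfind(f".//{{{SAML}}}Audience")]:
        raise AssertionRejected("assertion was issued for a different audience")
    user = a.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    attrs = {at.get("Name"): [v.text for v in at.iterfind(f"{{{SAML}}}AttributeValue")]
             for at in a.iterfind(f".//{{{SAML}}}Attribute")}
    return {"user": user, "attributes": attrs}


def is_accepted(xml_text):
    """True if site A would admit the bearer of this assertion."""
    try:
        accept_assertion(xml_text)
        return True
    except AssertionRejected:
        return False


if __name__ == "__main__":
    xml = issue_assertion("jdoe@uni-b.example", ["student"])
    print(accept_assertion(xml))
    print("tampered accepted:", is_accepted(xml.replace(">student<", ">faculty<")))
```

The order of checks mirrors what a service provider has to get right: find the key from the trusted-issuer list rather than from anything inside the message, verify the signature over the canonical bytes before reading any other field, then enforce the time window and the audience so an assertion minted for one site cannot be replayed at another. Flipping the affiliation from student to faculty in transit, pointing the Issuer at an untrusted realm, or presenting an expired assertion all fail before any attribute is returned.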
In my experience the most important machines are not accessible from the internet. Our mainframe has high availability, but it sure is not running a webserver. Not to mention it is firewalled off from the outside world.
Finkployd
Gaim supports EVERY protocol that Trillian does, plus many that Trillian does not.
Finkployd
The ICQ protocol is nice (I'd argue that the jabber one is better though) while the "official" ICQ windows client is the single WORST IM client in the history of the Internet. All the pointless buttons, pop up windows, insane default settings, etc.
The ICQ client should be displayed in every CompSci UI design class as the way not to design UIs.
Finkployd
With the exception of the cheapest disposable cameras, I have never seen a camera that did not let you control the flash. Sure they have an "auto-flash" setting, they also have an "off" setting.
Finkployd
Allow me to step in and clear this up, since you seem to be completely missing what the other poster is saying.
His point (and only point) is that flashes will do nothing to help the people taking the pictures (the ones who are using the flashes, not the director)
In fact, re-read his postings and pretend there is no director, no film crew, and no matrix. Forget about them. He is not addressing a concern that has anything to do with them.
He was merely poking fun at people who think that a tiny flash will somehow illuminate a giant outdoor area for the benefit of their camera exposure.
Finkployd