I was asked about Batman – here is what I have

The background is that someone asked me, “Who are all those Robin’s?” and can you recommend some titles.  I wrote the following and thought it is a good cheat for a blog entry.

Bruce Wayne is dead (sorta). He died in Batman R.I.P and Final Crisis (both available in trade) about a year ago. He will be coming back in a mini-series starting next month.

There have been four Robins.
Dick Grayson – he grew up and became Nightwing and led the Teen Titans/Titans. He has recently taken over the Batman mantle and is fighting crime in Gotham and is a member of the JLA.

Jason Todd – He was killed by the Joker. Batman kept his costume on display in the batcave to show respect and to caution against endangering minors. Todd came back to life as a complicated side effect of Infinite Crisis. He is a bit mad and is now the villain the Red Hood.

Tim Drake – Proved himself capable by discovering Batman’s identity when he was young. Currently calling himself Red Robin and trying to find a way to bring Bruce Wayne back – he doesn’t believe he is really dead.

Damian Wayne – Son of Bruce and Talia ah’Ghul (Talia is the daughter of Ras al’Ghul). He was born and raised without Batman’s knowledge. Talia recently brought Damian to Bruce. Damion is acting as the current Robin to Grayson’s Batman.

In an interesting turn – Damian as Robin is the hard-bitten focused one and Grayson as Batman is the optimistic carefree type.

In order: Todd comes back in Infinite Crisis, Bruce finds out about Damian in Batman comics, Batman dies in R.I.P and Final Crisis,  new status quo with new Batman, Robin and Red Robin following the Battle for the Cowl.

The Dark Knight Returns and Dark Knight Strikes Again is a different continuity. The Robin there – Carrie Kelly  has never been a Robin in the main timeline.

Other major players in Batman – Batwoman, Oracle, Huntress, Batgirl, Azrael, Commissioner Gordon.

Other than Tommy Elliot and Red Hood most of the Batman villains are mostly the same. Riddler is now a private detective and Penguin runs a legitimate nightclub. Then plan to kill Batman was done by a group called the Black Glove and headed by a Dr. Hurt.

OK – I’m not a huge Batman reader, so some of this is sight unseen. I’ll star the stuff I’ve read and like.

The titles are mostly of the collected storylines.


  • *Batman and Robin (flagship title)
  • *Batwoman (in Detective Comics)
  • Red Robin
  • All-star Batman and Robin (different continuity)

(There should be at least one collection out for each of these titles)


  • *The Dark Knight Returns
  • *Batman: Year One
  • *Arkham Asylum
  • *The Killing Joke

(Almost all of current Batman builds from these.)

Other Foundations:

  • *The Long Halloween
  • Son of the Demon


  • Heart of Hush
  • *R.I.P
  • The Black Glove
  • Hush
  • *Whatever Happened to the Caped Crusader
  • *Broken City

In the last 10 years:

  • Officer Down
  • No Man’s Land (4 volumes)
  • Fugitive
  • Murderer
  • Dark Knight Strikes Again (Sequel to the Dark Knight Returns)

Batman’s Family:

  • *Catwoman:The Dark End of the Street and Crooked Little Town
  • *Catwoman: Selina’s Big Score
  • *Gotham Central: In the Line of Duty
  • Birds of Prey: Of Like Minds

Any comic store should carry these trades. I didn’t go for anything too rare. I’d recommend Wizard’s. Alternatively, I hear Happy Harbour is also good.


Event Comics

You know what I like?  Event comics.  But real comic fans shouldn’t like event comics; a real fan should recognize them for cheap marketing ploys that emphasize flash over story, continuity, character and good taste.

An event being defined here as a cross-over, double-sized issue, or spin off one-shot or mini-series or maxi-series.  There are other marketing ploys – cover variants, bonus swag, change of creators, renumbering, etc, but for my purposes I’m not calling them events.

So popular wisdom often states that folks get burnt out by events.  And that customers have a fixed pool of money to spend on comics so while an event might elevate the event comics it comes at the expense of other comics – often by the same publisher.

But it seems that they do indeed sell comics.  So while they may go in and out of style, we can be assured that sooner or later they will always come back into style.

Anyways, I like them.  Some of my favorite comics as a child were some of the cross-overs I read – mostly JSA/JLA/All-Star Squadron Crisis issues.  Although they pale in scope to many of the events which followed.

Good Events vs. Bad Events

Here I think are some ways to distinguish a good event from a bad-one.

1) The event should matter.  I talked about the illusion of change before.  In events, some change to the status quo should arise.  This is something the main publisher are mostly doing pretty well these days.  But there are drawbacks – the JLA series has been doing ‘adapting to the new status quo’ issues for the past two years.  It seems to have not actually told any stories.

2) It shouldn’t go on too long.  In the past five years there have been several 52 issue weekly events and several 7 or 8 issue monthly events (with a hoard of tie-ins and delays).  Some of the best have been the reverse – four issue series like Anhilation that were quickly done.  It is tough to maintain a fever pitch of interest for a whole year.

3) Tie-Ins should make sense.  The ‘red sky’ issue is a trope from one of the original big cross-overs.  It refers to titles that indicated that they were part of the event, but which actually only showed by by having a scene where the cast noticed the sky was red.

4) The event should arise from something going on in the core series of the event.  The reverse is the event just takes over the title for the duration of the event, pausing ongoing plots, which are then resumed when the event is over.  It can be especially hard for tie-ins to have this make sense.  Last year the great fables cross-over interrupted the normal Fables title to resolve the big plots of the Jack of Fables title.  These plots basically just derailed Fables for 3 months.  Grr.

5) There should be time between events.  If my first suggestion is followed let’s have time to explore the changes resulting from the event.

6) Key aspects of the event should happen in the event.  This might be clear from examples – Batman didn’t actually die in Batman R.I.P – not until next month in Final Crisis.  Captain America didn’t die in Civil War instead he died a month later in a denouement issue in Cap’s own title.

7) Using death to underline that the event is important sucks.  Supergirl and Flash bought it in Crisis on Infinite Earths.  Nearly every cross-over since has had to compare to that.  And most often the death seems like a stunt instead of a valid consequence of the story.   As an editor I’m not sure how I’d guide a writer, but as a reader I know when it annoys me.  Unfortunately both Johns and Bendis have this in their back pocket as normal tools.

In the last few years many of my suggestions are being followed.  Other than #2 and #7.

Shared World

One of the neatest aspects of an event it that it gives the opportunity to explore shared world in the big publishers comics universe.  An opportunity for characters that normally exist within their own continuities to interact with the other characters.

It can be tricky to setup, but seeing a double page spread of all the heroes and all the villains facing off against one another can be awesome.  Lump in the throat stuff – if you can get worked up by comics.  Or having Superman or Thor show up as the cavalry in the nick of time?  It has been done before, but if it doesn’t happen every month it can still work.

Also a status quo change can have a line wide effect.  That can be really invigorating.  Even though at some point we know that such a ubiquitous change will need to be reversed.

The end

I like what I like.  I’m a liker, but a well run event often highlights some of the strengths that can only be done in the comic book worlds that exist in publishers shared worlds and serialized stories.  And it would be nice if marketing never impacted story, but this is reality and sometimes that will happen.  When it does, it can be done well and it can end up being a win-win for both the publisher and the readers.

Identity Management

So my field in IT is Identity and Access Management (IAM).  Go away if you don’t want to learn what that is.

I came buy this interest though high level network protocols, operating systems and cryptography.

OK – so one of the main challenges in IT is dealing with access control.  You are custodian of some resource (like a program) or data and you need to control who has access to it.  If it was a physical resource you could put it in a secure location under lock and key, but even that is often more compkicated than it sounds.

For networked programs, you are advertising the location of your resource onto the network (which might be public or private).  So it comes down to about four or five concepts:

  1. Authentication
  2. Identity Proofing
  3. Authorization
  4. Other benefits/complications
  5. Data Security/Transmission Security


How do you prove to the resource that you are the person allowed access?  Basically you provide a credential (like a used id) and proof that the credential is yours.  That generally is one of three things:

  1. Something you have – like your debit card, or a key card or a smart card.
  2. Something you know – like a password, pass phrase or answers to security questions.
  3. Something you are – A fingerprint, signature, retinal scan, etc.

Within each category some ways (factors) to authenticate a credential are weak and some are stronger.  The overarching wisdom is that to achieve strong authentication you need multiple factors from different categories.

Authentication protocols are really neat.  There are lots of hidden gotchas.  Is the resource you are talking to actually the resource you intend?  Is there someone in the middle listening or modifying your authentication?  Once authenticated how long is it good for?  Once authenticated can someone hijack your session?  And about a dozen other considerations.

And then you get into encryption.  How to keep the whole authentication transaction secure?  And with asymmetric keys the key exchange itself can be you credentials exchange.

About 12 years ago I read this introduction to the Kerberos Authentication protocol.  I still like it. http://web.mit.edu/Kerberos/dialogue.html  Kerberos is a common authentication protocol now used within Windows Operating systems.

Identity Proofing

It may not be obvious, but successfully authenticating does nothing to prove that you are who you say you are.  At best it says that you are the same person to whom I issued the credential.  Consider getting a gmail account.  To sign in you need your e-mail address and a password.  But that address can be anything – when you signed up for gmail you might have chosen Queen.Victoria@gmail.com as your address.  It doesn’t mean that you are Queen Victoria.  And gmail doesn’t care – it only cares that it is the same person using that credential every time.  There is no identity proofing.

Consider an application that provides access to your medical records.  Now we need some identity proofing.  Generally identity proofing happens only once – before the credential is issued.  Authentication happens every time you access the application.

Another big difference is that authentication is all about distrust.  Identity Proofing relies on trust.  Here are some major methods of identity proofing:

  1. Presenting another trusted credential – like a driver’s license or passport.  In this case, you are trusting whoever issued that credential to have done good identity proofing.
  2. A trusted witness – A 3rd party who is trusted by both the register and the registrar vouches for the identity.
  3. An oath is sworn or a contract signed – The person swears (or affirms) their identity.  Trust here in the consequence to a fraudulent oath being sufficient to prevent such fraud.

Neat.  Obviously any identity proofing scheme is only as good as what it trusts.  And sooner or later a chain of trust has to dead end somewhere.


So you’ve obtained a credential and authenticated with it.  What should you be allowed access to?  For instance consider our medical records application.  You should be able to see your own medical records.  Your doctor should be able to see all their patients records and occasionally other doctors patients for whom they are providing consultation.

Now managing access control for every credential is very hard.  So generally some guidelines are used to allow this management.  In general, you give each credential the minimum access necessary.  Second you group like credentials together and manage access based on the group rather than the individual.

The current grouping mechanism in vogue is role based.  So instead of making a group of everyone who needs access to a certain printer you are making a group of everyone who is a marketing manager.  In theory this means that future management is easier.  Adding a new person, having them acquire a new role or leave an old one as easy operations.  But it means the setup and design can be quite complex.

Also you can split authorization into coarse grained – which is often built into the authentication protocol – and distinguishes which resources a credential can access.  And fine grained, which is normally part of the application, which controls which features of an application are accessible.

Other Benefits and Complications

The devil is in the details.  For instance, does the group that does identity proofing need to be the same as the one doing authentication to be the same as the one doing authorization to be the same as the one running the resource?  Of course not.

And that can be flipped a dozen ways.  What about having credentials supplied by two different trusted partners allow access to your application?  Federation might be the answering to your needs.

Auditing and compliance – we need to track everything.  When is a credential used?  To access what?  When did registration occur, or enrollment?  Are there any changes to the credential?  And reporting – who out of all the issued credentials actually has access to your resource.

Oddly, once you’ve collected all the information necessary for identity proofing, authentication and authorization, that data itself might be useful for other reasons.  If you’ve setup role-based authorization your groups likely map to the actual organizational structure of your business.  At the very least you should have a workable phone book/e-mail directory.  But with some imagination that directory can be used for many other purposes.  Take Windows. It leverages the directory made from its credentials for e-mail routing, patch distribution, and desktop lockdown.

Data Security and Transmission Security

Strictly speaking it isn’t part of IAM, but it would be a shame if you secure your access management if your systems can be bypassed and the resources and data read or modified  regardless.  Right?

The same cryptographic systems sitting at the root of your authentication systems can also be used for encryption of your resources and data when it is being transmitted or sitting on the hard drive.  You can try and ensure that your access control systems need to be used to get at the data.

The End

I’ve only brushed the surface.  If y’all want more information I’d consider googling some of these things:

Kerberos, SAML, Radius, PEAP, RSA, PKI, 802.1x, privacy, identity theft, OpenID, Identity Cards, NIST 800-63, FIPS 140-2

Never done this before


Your nemesis waits
It watches you, peering back
Mocking your flaws
Eyes flashing

Do not grasp its hand if offered
It will be cold
Cold and the nails long and sharp

Released you should rejoice
For now you will face adversity
Traditionally it wears a crown of deer
But to you it might appear as weakness

And gone disappeared
No longer in the mirror but
Out in the world
Achieving success as
Clouds gather

The winds rise
And time passes
It will return

Its face is lined, weathered
Its mouth is still cruel
Teeth bright
Bright and sharp

Snaps and curses
Saps your will
Freezes your marrow
Seconds slow

If?  Not courage
Warmth and inevitability

Who stares back now
Hating and trapped

Schedule based Personal Inertia

Is it just me?  I think it is.  Likely some deep seated neurosis.

Inertia is the physical property of an object to remain in motion or to stay at rest unless acted upon by an external force.  I have the same issue with my schedule.

I’m a schedule person.  I make a task list everyday or I just pick up on yesterday’s tasks list.  I’m pretty awesome at diligence and moving through the list.  But I have a number of drawbacks –

  • Changing the list?  Nuh-uh.  I hate changing the list.  Under my own initiative it likely isn’t going to happen.
  • Doing something not on the list?  That isn’t in my path.
  • Starting in the absence of the list? I dunno.  Let me get back to you.
  • Removing a recurring item from the list?  These get embedded deeper and deeper the more often they occur.

Now an external force can make changes.  If something needs to happen and it requires change, that can apply and force that changes the inertia.

Normally this doesn’t cause an issue, but it can have some surprising results.

The “We are not a chore that should be on a list!” retort.  See chore or pleasure it needs to get on the list or it won’t happen.  This includes things like visiting my parents.  But don’t let them know it.  No one likes to know they are on the same schedule as chores and it is very hard to explain how not everything on the list is a chore.

The “Hey, you wanna go out tonight?” request.  That isn’t on the list.  And it isn’t a force directly on the list – no urgency.  Instead it is like a friendly light a mile off the highway.  I’ll need to change my own momentum to get there.  And this is despite knowing that the offer, if accepted, will be better than anything currently on the list and maybe the best time I’ll have this week. Offers phrased as requirements can bypass this.

The “But it’s comic book day” excuse.  A deep sense of unease of a normal part of the list is skipped.

Anyway – does that happen to anyone else?

Serialized Storytelling

One of the aspects to comics I enjoy the most is their use of serialized storytelling.  This is not unique to the comic book medium, but the way it is handled is interesting.

Serialized storytelling is telling a story in installments.  Contrast it with a typical movie or novel that contains a complete story.  Each comic generally contains only a fragment.  Contrast it with a sitcom which may be serialized, but which generally doesn’t carry plot and character elements forward between installments.

Serialized storytelling happens in many mediums.  Epic fantasy series, tv miniseries, movie franchises and more are common.  In the past there used to be radio serials and serialized novels (Dickens did this).  Comics distinguish themselves from other mediums in two ways.  First, they engage in a long form serial.  Often the comic has no planned end point and will continue as long as interest in the series and characters is maintained.  Second, the series is not tied to particular creators.  If an artist, writer, inker, colorist or letterer should leave the series they will be replaced by another.

Obviously this storytelling style is not used in all comics.  It is most common at the big two publishers – Marvel and DC.  At other companies long form serials exist, but are often tied to particular creators (E.g Hellboy, Spawn) or have an eventual end point to reach (e.g. most Vertigo titles and manga).  Other publisher do short form serials (We3), original graphic novels (Blankets), or use a sitcom type storytelling (Archie).

What are the advantages of this type of storytelling?  For the publisher it is obvious, they maintain a successful franchise.  And lately that franchise can be a source of licensing and other media adaptations.  For the consumer, there are a number of benefits as well.  Often it is possible to grow up with the characters in the stories.  There are suspense techniques such as the cliffhanger that are most effective in serialized stories.  It can provide a sense of continuity and consistency which many might find comfortable.  In fact, getting a monthly dose of story can be habit forming.  The contrast between different creators working on the same property is exciting.  Finally, the accumulated history of a long running serial is itself a source of interest and future story ideas.

This storytelling type does place several constraints on the story though.

Endings – there are no true endings in a long form serial.  So the satisfaction of finishing a story may never be reached. Normally comics deal with this in a variety of ways.  While the A plot may continue across many issues, often each has one or two B plots that are told within each installment.  Another option is to provide a single character POV arc in each installment – the plot may not finish but some resolution is found for the POV character.  A third option is to resolve parts of an A plot.  In most complex comics all three approaches and others are followed to give each installment a sense of completeness.

Change and the illusion of change – One of the hallmarks of a good story in most forms is that the characters are profoundly changed by the end of the story.  In a long form serial this might be difficult because either there is no end or the character change would cause the characters to no longer be suitable for the continuance of the story.  This is often bypassed through what is called the illusion of change.  True change might only occur to minor characters or characters specific to a certain A plot.  Major characters might change, but certain key attributes are left the same.  Aging is not generally acknowledged and in fact stories that deal with details associated with signs of aging – like graduations, marriage or having children – are only rarely done.  And often the changes are reversed the next time creators change on the property.

Unknown continuity – One of the most common tropes in character based dramas is unresolved issues from the past.  This can be tricky in a long form serial because the past in often very well accounted for and issues were resolved as they were raised.  When this is ignored it is called retroactive continuity (or a retcon).  Retcons take two normal forms.  In the first there is an assumption of an untold relationship or event from the character’s past.  This often happens when a new character is introduced – the existing characters might already know them from some unspecified point in their past.  The other example is when something that did happen is changed ala Bobby Ewing in Dallas trope.

These constraints can be met in a variety of ways.  While explicitly acknowledging that they are being handled rarely results in good stories, often the most powerful stories occur when these constraints are an inspiration to the stories.  An egregious example is the mystical annulling of Spider-man’s wedding.  A lackluster example is Morrison’s insistence in current Batman that everything that has happened to Batman and all the styles in which they were told are equally true and valid.  My favorite is using the discrepancies in Daredevil’s character and past portrayals by Miller in Born Again to allow for a mental breakdown and rebuilding.

Paired with another interesting aspect of comic storytelling – the shared world – serial stories can be truly unique.  I’ll talk about shared worlds some other time.

For fan of comic books, the serialized story is often one of the aspects that is most attractive.  However, that aspect is not commonly acknowledged in most reviews.  It provides opportunities and drawbacks for the creators.  It results in stories that are not often found any where else.