Day of Amazement – Technovation Calgary, 2018

Last weekend, I spent a day with an amazing set of young women.

I was invited to be the judge of the chapter of the Technovation Challenge in my hometown of Calgary, Canada.  Twelve teams of teenage girls worked to conceive, pitch and build a mobile application that addressed a problem in their community.  Team after team of young women hit the stage to share their vision and accomplishments, and to later give demos to the judges and the crowd.  What a *great* idea this whole enterprise is! While I only had to commit a weekend, there were a ton of people who put hundreds if not thousands of hours into this opportunity.  For any of you who feel like it is impossible to impact the ‘pipeline problem’, take a look at getting involved! As I understand it, Technovation is global and there might be an opportunity to work with girls in your own area. I wish I could explain the sense of agency I got from these girls, they were out there getting it done.  Also, I almost fell off my chair when one of the girls answered a live question about privacy of user data by noting that they could use a product like Auth0 to help!  My jaw hit the floor.

(Image: Volunheroes - Technovation 2018)

I am so excited to have seen this program in action, to see the tools that were chosen and the approaches that were taken.  I can’t think of a better way to teach entrepreneurship, technical fearlessness, presentation skills and teamwork.  I am in personal awe of Mea Wang, who works as an associate professor in the computer science department.  To pull this off is a spectacular accomplishment, thank you for paying it forward – you are making a huge difference.

The best lesson for me was a simple one. You might have thought these girls would be wowed by me! A real woman in tech! We get trained by twitter and the media to think we are rare and to be remarked upon.  But no – in reality I was just a random old person.  The people who are making impacts in the lives of these girls are not some fancy person with an “accomplishment”.  It is the men and women they see every day, acting in local roles of knowledge and authority, encouraging and building and expanding these girls’ dreams.  Kudos to all of you who act in that capacity.


Well here I am!

I am officially a Microsoft employee, holy smokes.  I’m pretty blown away by this initial experience… I’m sure you’ll all view what I say next according to whatever confirmation bias you bring into this — but the initial Microsoft experience is pretty spectacular, and I say this as someone who isn’t pre-conditioned to see everything with rose-colored glasses.  These people take *care* of their people.  I love that.  I also love the charitable giving program.  I don’t know if I’m allowed to describe it, but I can’t wait to max it out.  I love the corporate commitment to sustainability.  If you’re going to be in a bubble, it should be a self-aware bubble, right? This is an incredibly self-aware bubble, and I wouldn’t want it any other way.

My two axes of initial judgement are pretty simple — how do you treat your people and how do you ONBOARD them.  This was a pretty slick onboarding.  Within a day I had initialized at least 3 factors of authentication, maybe 4 depending on how you count such things. I could access resources that mattered, and it was a pretty seamless experience.

Stay tuned – in future updates we will get to see me tackle new standards, and my failures will hopefully be your learnings. Or at least your entertainings :)  My scope will expand and I can’t wait to share that. It is a lot less scary when you are backed by the incredible team that Alex Simons has built here.  Life is full of possibilities!


The Game’s Afoot!

After eight and a half years at Ping Identity, I am amazed to say that I’m moving on. I have had the privilege of working with incredibly talented people, from the CTO team to the product management team, to the entire field sales and technical corps.  I am so proud of what Ping has made in the last eight years and of the things that we have chosen to hold dear: quality software, long-term deep relationships with customers, and leadership in identity standards through practicing what we preach.  Also, serious costume parties 🤪

Some of my favorite PingIdentians

My other incredible windfall has been to meet brilliant and talented customer architects. They have taught me so much about the bigger picture, the reality that all the vision has to fit into, before it can resonate.

Last, I want to say something about the two people who were my direct superiors at Ping, Patrick Harding and Andre Durand.

Andre and Patrick (and costume parties)

Patrick and Andre took a chance on a relatively unknown Canadian identity geek, brought her onto the team and gave her support, autonomy, and opportunity.  I would not be the person I am without the mentorship and friendship of these two amazing people.  Thank you for believing in me.

Sometimes life surprises you – and I was recently surprised by an opportunity to really challenge myself in terms of growth and impact. So – onwards!  I am excited to say I am joining the Microsoft Identity team, working for Alex Simons as Director of Identity Standards. I can’t believe that I somehow get to work in the rarified air of this team, with some of the people I admire the most in Identity.  It took about 30 seconds of discussion with Alex to realize that this opportunity represented a chance to work with incredibly smart people, participate in complex problems that have to be solved at massive scale, and most importantly, to be able to advocate for standardized solutions to those problems, allowing for the whole industry to adopt secure patterns even if they don’t have the reach or resources of a company like Microsoft.

Anyone who knows me knows that getting to talk identity standards like OAuth & OpenID Connect all day every day is my idea of heaven; I can’t wait to see how the bits fit together for customers at the consumer and multi-tenant enterprise scale of MSFT.  What will the future hold for identity standards? I have a few strong opinions in this area, but there is a whole new world of perspective awaiting. I hope I can play some part in defining that future, wherever we all end up.

Stay tuned, I hope to do a lot more writing here, now that I can really focus on driving industry conversation, and I can’t wait to work with everybody in my new role!

Wish me luck!

I will miss you all, stay in touch!


Saturday Night in London

It’s about 9:30pm on Saturday.  I’m in a bar, on Hackney Road in London, that I simply stumbled upon while wandering around.  It is an incredible place.  It is called “The Natural Philosopher” and I heartily approve.  It is an odd and slightly twisted cross between an old-fashioned Victorian study and a curio shop.  I would take a picture – but this isn’t the kind of place you take a picture in.  It’s meant not for Facebook check-boxing, but for people to sit and be in the moment.  And here I am, in the corner, working away at the laptop.  Better than trying to snap pictures though.

I haven’t written here for a long time.  But I dream about it.  I live a kind of guilt-driven life in some ways – how can I write here, when there are so many other greater priorities, outstanding commitments, all the things people are waiting for me to deliver?

But, sometimes the time is right.  My world is a lovely place, I have an amazingly balanced life, whereby I have good measures of intellectual stimulation, external validation, loving support, and independent exploration.  There are frustrations too, but there always are.

I think I will write here again soon.  There is so much to talk about, amazing changes and improvements in the identity world, pushed by sometimes surprising forces.  And I’ve started playing with the Arduino, so there is wonder there that I would enjoy sharing.

In the meantime, I shall enjoy this strange, unexpected, odd bar in a place I have always wanted to explore.  Even if I am the strange one in the corner with a laptop, the screen probably gives me an even more surreal look than the decor…


When your Empire has no Clothes

How many data points does it take to call something a trend?  With the hack and subsequent data dump of the internal files of Hacking Team, a company most of us never even knew existed until this week, the world is getting to see a very public examination of the naked inner workings of an organization. This is the second time I can think of this kind of hack occurring.  The first was, of course, Sony Pictures.

Some number of hackers have turned two different organizations inside out from a digital perspective, exposing even the mundane stuff for public ridicule.  And some of the most harshly ridiculed practices of all in both cases involved passwords and credentials.

In the case of Sony Pictures, the effect was acutely embarrassing.  Scores of Excel spreadsheets, detailing personal, business, and IT system passwords, with filenames like “website passwords” and “usernames & passwords”.   When Gawker writes an article detailing what morons you are,  you know it’s bad:  http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151

(Image: sonypicturespasswordfiles)

In the case of Hacking Team, enough data was dumped both for the obvious stupidity to come to light and for hashed passwords to be brute forced and gleefully revealed in horrific detail on twitter.  The examples below are (a) a dump of the admin’s Firefox password manager, and (b) an Excel spreadsheet containing VPS credentials.

(Image: hackingteamexample2)

(Image: hackingteamexample)


So, let’s assume that this ‘dump and roast’ trend is really a trend, and will continue.  Perhaps it puts a little more personal skin in the game.  We all get lazy. We all take shortcuts.  But perhaps that changes now that there is a risk that all those shortcuts get dissected at a later date, with a very sharp scalpel.

Trying to look competent during examination by your Future Hacker Overlords.  It’s an odd thing to imagine as a security influence.  But right now, it feels like it might become a thing…

Reflections of an Identity Geek on the JLAW Fail

I’m sitting here, in the dark, when I should be sleeping. Thinking about how 100 different iCloud accounts were manipulated to give up their secrets.  We should all be taking a hard look at what constitutes account recovery in this day and age of the internet. Disclaimer – I haven’t had a coffee yet this morning.  If I sound like a raving lunatic, this may be why.

As the dust settles, it appears that the attackers walked in the front door.  Well, the side door actually.  Data is sketchy, but it looks like account recovery processes at Apple were manipulated to give access to attackers.  Why can this even happen?

1.  We design only for the Lowest Common Denominator

When an account recovery loop is assembled by a service, it is the same loop regardless of who you are. Or how savvy you are.  Or how likely you are to be targeted for a given threat.  Why is this?   Why not keep the base recovery experience as the one you get if you can barely spell computer and these password things are scary, but let people with stronger needs self-identify?  Allow people to ask to jump through more hoops, to supply more, and better, information in order to receive more, and better, protection from targeted attacks?

I know exactly why this kind of “better security” doesn’t happen.  Because for every JLaw attack, where the security could have helped, there are 10,000 regular people who would turn on a feature like this and then get locked out of their account.  There, I said it. The lowest common denominator is this: the public expects that even if they do everything wrong, even if they cannot in any reasonable or provable way identify themselves as the actual owner of the account, they should still get their data back.   And the cost of dealing with those 10,000 upset locked-out people, both in PR and support terms, is very real.  More real and more common than the cost associated with the relatively few that get hacked.

2. We have purposely created a Stateless Machine

When you choose to try to recover an account today, you generally do so in a vacuum.   You are asked to identify yourself, and the information you give is often considered in isolation.  Do these two strings representing your dog’s name and your first school match the hashed strings stored in our database?  Yes?  Great!  Keys to the kingdom!   Doesn’t matter that somebody has been trying and failing to do the same thing three times a day for the last week.  No sense of suspicion is placed on this success as a possible culmination to all those failures.  This is part of why an attacker can keep calling help desks over and over until they succeed, and why they can keep using online forms over and over until they succeed.  Also — see #1, whereby it isn’t that unusual for people to really fail at knowing their recovery information and to still expect success.

The whole reason these systems were built to be stateless is because they were built to scale.  But those requirements need to be examined.   It should also be a requirement to at least try to recognize when an attacker could be systematically probing recovery systems, ranging from digital forms to help desks, maybe even in-person resources, or direct emails to IT staff.

3. We keep the User in the dark

If somebody is systematically probing at a given user’s account, don’t you think it would be valuable to tell them, so that they can try to form their own understanding of their safety?  If you’ve locked yourself out of your account, I’m sure you won’t mind the notifications.  And if you haven’t locked yourself out of your account, those notifications may be very important. For example, receiving a notification from every one of your email accounts and your bank in a 24 hour period is something that may not be so significant to each system, but should ring serious bells for the individual.  There are programs like Shared Signals that are evolving to help with cascading identity attacks, but for now, the only person who might see the pattern is the user.   And they are not involved in the process.

4. Users don’t care until it’s too late

It’s true.  There are lots of optional things people could do to be safe that they never bother with.   But perhaps, if there was a way to make users aware of recovery question guessing attempts against their account, users might get scared a little sooner, and carefully contemplate their options.

The WORST THING about this breach

I understand the prosaic duh moment going on where people note that the best way to not have naked pictures stolen is to not have naked pictures taken.  But this should in no way mask the failure that has taken place from an implementation standpoint.  We need to safely store and share sensitive things. As a society. We need to trust that accounts we create and populate with our most treasured data are not just Swiss cheese for anyone willing to stalk a specific target.  The old canard of “Doctor, it hurts when I do this”/“then don’t do that” doesn’t help if the underlying problem is disease rather than a boo boo.  This issue is not a boo boo, and turning the iPhone camera off will not prevent the spread of the disease, it just prevents one symptom from showing.

Recommendations

If the identity fairy came to visit and granted me three wishes, here is what I would wish for.  These aren’t qualified recommendations in any sense — just a place to start.

  1. Provide options for users to customize their own recovery ritual.
    1. Include things like
      1. Turning on notifications for events like calls to the help desk or for use of the password reset form
      2. Adding additional or alternate recovery steps
        1. Additional identity proofing steps before help desk support will engage – like requiring a 2FA authentication before the call continues
        2. Requiring that KBA answers be retired (or at least flagged for review) after a certain number of incorrect guesses
        3. Turning on additional 2-factor authentication for services that may not normally be protected (see above for an example)
  2. Architect for recognition of accounts that self-identify (or are verified) as likely targets
    1. Help Desks should be able to recognize high-fraud-risk accounts
    2. Audit and accountability should be elevated
    3. Work towards a point where the system figures out who the high-risk accounts are in real time
  3. Track the use of recovery mechanisms, and make the history available to the user.
    1. How many times has a recovery question been used
    2. How many times has the form been submitted with the user’s user name
    3. How many times and when has the help desk been notified
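
The three wishes, as an added example that is not code from this post: a small stateful recovery tracker in which every recovery event (reset form, help-desk call, knowledge-based-answer guess) is recorded against the account and surfaced to the user, a question is retired after repeated wrong guesses, accounts that are flagged high-risk or are visibly being probed must step up to 2FA even when a guess lands, and the user can pull their own recovery history. The class and function names, the thresholds and the sample scenario are all assumptions made for this example.

```python
"""Stateful account recovery (added example; names, thresholds and scenario are assumed)."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

KBA_MAX_FAILURES = 3              # assumed policy: retire a question after 3 wrong guesses
PROBE_WINDOW = timedelta(days=7)
PROBE_THRESHOLD = 4               # assumed policy: 4 unverified events in a week = being probed


def _hash_answer(answer: str) -> str:
    # Normalised so "Rover" and " rover " compare equal. A production system
    # should use a slow, salted password hash here, not bare SHA-256.
    return hashlib.sha256(answer.strip().lower().encode()).hexdigest()


@dataclass
class RecoveryEvent:
    when: datetime
    channel: str        # "form", "helpdesk" or "kba"
    verified: bool      # did this step actually prove identity?
    detail: str = ""


@dataclass
class Account:
    username: str
    high_risk: bool = False                    # self-identified or verified likely target
    kba_answers: dict = field(default_factory=dict)
    kba_failures: dict = field(default_factory=lambda: defaultdict(int))
    retired_questions: set = field(default_factory=set)
    history: list = field(default_factory=list)
    notifications: list = field(default_factory=list)


class RecoveryTracker:
    def __init__(self):
        self.accounts = {}

    def register(self, username, kba, high_risk=False):
        hashed = {q: _hash_answer(a) for q, a in kba.items()}
        self.accounts[username] = Account(username, high_risk, hashed)

    def _record(self, acct, event):
        # Wish 3: nothing happens to an account without the user being told
        acct.history.append(event)
        status = "verified" if event.verified else "not verified"
        acct.notifications.append(f"{event.when:%Y-%m-%d} {event.channel}: {status}, {event.detail}")

    def is_being_probed(self, username, now):
        # Wish 2: judge the request against recent history across all channels, not in a vacuum
        cutoff = now - PROBE_WINDOW
        failures = [e for e in self.accounts[username].history if e.when >= cutoff and not e.verified]
        return len(failures) >= PROBE_THRESHOLD

    def _needs_step_up(self, username, now):
        return self.accounts[username].high_risk or self.is_being_probed(username, now)

    def submit_reset_form(self, username, now):
        acct = self.accounts[username]
        self._record(acct, RecoveryEvent(now, "form", False, "reset form submitted"))
        return "require_2fa" if self._needs_step_up(username, now) else "reset_email_sent"

    def helpdesk_call(self, username, now):
        acct = self.accounts[username]
        self._record(acct, RecoveryEvent(now, "helpdesk", False, "caller requested reset"))
        # Wish 2: the agent sees the risk flag before engaging
        return "require_2fa_before_engaging" if self._needs_step_up(username, now) else "proceed"

    def answer_kba(self, username, question, answer, now):
        acct = self.accounts[username]
        if question in acct.retired_questions:
            self._record(acct, RecoveryEvent(now, "kba", False, f"retired question '{question}' attempted"))
            return "denied"
        if _hash_answer(answer) != acct.kba_answers[question]:
            acct.kba_failures[question] += 1
            self._record(acct, RecoveryEvent(now, "kba", False, f"wrong answer to '{question}'"))
            if acct.kba_failures[question] >= KBA_MAX_FAILURES:
                # Wish 1: a question that has been guessed at repeatedly is burned
                acct.retired_questions.add(question)
                acct.notifications.append(f"question '{question}' retired after {KBA_MAX_FAILURES} wrong guesses")
            return "denied"
        self._record(acct, RecoveryEvent(now, "kba", True, f"correct answer to '{question}'"))
        # A correct guess after a run of failures is treated as the culmination of an
        # attack until proven otherwise: it buys a 2FA challenge, not the keys to the kingdom
        return "step_up_2fa" if self._needs_step_up(username, now) else "granted"

    def recovery_report(self, username):
        acct = self.accounts[username]
        counts = defaultdict(int)
        for e in acct.history:
            counts[e.channel] += 1
        return {"kba_attempts": counts["kba"], "form_submissions": counts["form"],
                "helpdesk_calls": counts["helpdesk"], "retired_questions": sorted(acct.retired_questions)}


def demo():
    """Constructed scenario: a week of probing one account, then a lucky correct guess."""
    tracker = RecoveryTracker()
    tracker.register("target", {"dog": "Rover", "school": "Lincoln"})
    tracker.register("fresh", {"dog": "Rex"})
    tracker.register("vip", {"dog": "Rex"}, high_risk=True)
    day0 = datetime(2014, 9, 1)
    decisions = [tracker.answer_kba("target", "dog", f"guess{i}", day0 + timedelta(days=i)) for i in range(3)]
    decisions.append(tracker.submit_reset_form("target", day0 + timedelta(days=3)))
    decisions.append(tracker.helpdesk_call("target", day0 + timedelta(days=4)))
    decisions.append(tracker.answer_kba("target", "school", "Lincoln", day0 + timedelta(days=5)))
    return {"decisions": decisions, "report": tracker.recovery_report("target"),
            "notifications": tracker.accounts["target"].notifications,
            "fresh": tracker.answer_kba("fresh", "dog", " rex ", day0),
            "vip": tracker.answer_kba("vip", "dog", "Rex", day0)}
```

The point of the scenario in `demo()` is the last decision: the attacker eventually answers a question correctly, but because the account has accumulated a week of unverified recovery events across three channels, the correct answer yields a 2FA challenge rather than access, and the user has a notification for every step.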

The sun is long-up now. Time for reflection to end, and reality to intrude again…

The next conversation to be had

Ok, now that CIS and Catalyst conferences are (almost) out of the way, we need to rally the identity geeks and start talking about OAuth and OpenID Connect design patterns.   We need to get some public discourse going about token architectures for various real world business access scenarios.

The value proposition needs to be made more concrete.  So let’s try to push on that rope in the next few months.


Facelift

I’ve finally had time to spruce up the site a bit! Feels good to move things around.  You know me, I like playing with the federated identity options — so I have taken out the Google Identity Toolkit.  I have a half-formed plan to install the Facebook plugin and then perform experiments on their new anonymous login and granular consent features… of course that will eventually come out too.    Commenting and registration methods have never been stable, at least not since the infocard integration was taken out. Good thing you’re all hardy :)  so if you want to comment and say hi, you’ll probably have to recover your password.

copyright Pamela Dingle 2014


Certificate Impossible

I’m writing an iOS app.  Loving it too, learning a lot.  More on that in a bit.

Today when I tried to update my github repository, I received a certificate error that said “XCode can’t verify the identity of the server github.com”.  Because I’m a paranoid idiot, I decided to get to the bottom of it.   A search on Stack Overflow scared the crap out of me — the “accepted” answer is to just “make the prompt go away” by blindly choosing to trust the certificate.  That is theoretically the worst, laziest, most insecure answer in the world and we as an industry should be castigating such a brutal security recommendation, right?  But before casting stones, what *should* be done?

Here’s what I found about the intermediate certificate presented by github:

  • The intermediate certificate that shows up in the certificate chain given by github.com is called “DigiCert High Assurance EV CA-1”.
  • It was issued Nov 9 2006, expiring Nov 9 2021.
  • It has a SHA-1 fingerprint of 4A 35 8B 25 35 28 61 42 F6 0F 4E 9B 57 E2 AE 11 6D AB F0 F5.
  • It was issued by a CA certificate called “DigiCert High Assurance EV Root CA” with a serial number of “08 BB B0 25 47 13 4B C9 B1 10 D7 C1 A2 12 59 C5”.
  • The certificate gets a little green checkmark to say that the certificate is valid.  I assume this means that the certificate passed CRL and OCSP checks


To try to clear this up, I went to the Digicert website, to their root certificates page at https://www.digicert.com/digicert-root-certificates.htm, to validate this intermediate certificate.  I downloaded the certificate called “DigiCert High Assurance EV CA-1” and confirmed that the downloaded cert matched what was shown on the website:

  • There is an intermediate cert on the website called “Digicert High Assurance EV CA-1”.
  • It has a SHA-1 fingerprint of DB C7 E9 0B 0D A5 D8 8A 55 35 43 0E EB 66 5D 07 78 59 E8 E8.
  • It was issued Nov 9, 2007, expiring Nov 9 2021.
  • It was issued by a CA certificate called “DigiCert High Assurance EV Root CA” with a serial number of “03 37 B9 28 34 7C 60 A6 AE C5 AD B1 21 7F 38 60”
  • The certificate gets a little green checkmark to say that the certificate is valid.  I assume this means that the certificate passed CRL and OCSP checks

So,  where does this leave us? Let’s just recap.

  • I get a warning about a certificate when I try to use XCode to go to github.
  • When I view the certificate, the operating system pronounces the cert as “valid”.
  • Neither the thumbprint nor the issuer serial number match the values advertised by Digicert as the correct values for that intermediate CA certificate.

So what is an honest but paranoid person supposed to do now?   The chain presented by github fails both when XCode looks at it programmatically (not that I can tell you exactly why the programmatic fail occurs) and when I attempt to manually validate it.

It is very possible that Digicert has issued two intermediate CA certificates.  For example, companies define rollover certificates all the time, so that there is always one valid certificate for business continuity.  But given that both these certificates expire on the same date, these particular certificates kinda suck as rollover certificates.   If DigiCert had reissued the CA certificate due to fraud or misadventure I would *hope* that one of these two certs should fail CRL and OCSP checks.  But that hasn’t happened either.

Conclusion: Based on the resources available to me, I have to conclude that the intermediate certificate offered by github is evil.  Either that, or Digicert has wasted a bunch of my time by not simply documenting the second thumbprint for the second valid instantiation of the intermediate certificate.

If the former is true, I have no idea what to do.  If the latter is true, I still have no idea what to do.  Color me completely unable to move forward.  Yay security.

For the 2 people who actually bothered to read this to the end, here is a screenshot of the three certificate detail screens for the intermediate certificate — the leftmost cert is the intermediate certificate from the github error, the middle cert details are from the intermediate cert downloaded from Digicert directly, and the rightmost window is the DigiCert details window.   Fill your boots. Any recommendation on how I could actually move forward here short of emailing digicert support would be gratefully accepted.  I’ll let you know what I find out from my email to support@digicert.com.
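
The manual validation described above, scripted, as an added example that is not code from this post: it pulls the SHA-1 fingerprint, subject, issuer, serial and validity dates out of a PEM certificate with the openssl command-line tool (assumed installed), recomputes the fingerprint directly as SHA-1 over the DER bytes (which is exactly what the OS certificate viewer displays, so the two must agree), normalises the "4A 35 8B" versus "4a:35:8b" spellings, and checks the result against a set of published fingerprints rather than a single value, since a CA can legitimately have more than one certificate carrying the same subject name. The pinned values and the self-signed test certificate are constructed for this example; the serial that `openssl x509 -serial` prints is the certificate's own, so the issuer's serial must be read from the issuer certificate in the chain.

```python
"""Fingerprint check for an intermediate certificate (added example; requires the openssl CLI)."""
import hashlib
import os
import subprocess
import tempfile


def run_openssl(*args):
    return subprocess.run(["openssl", *args], check=True, capture_output=True).stdout


def make_self_signed_cert(directory, subject="/CN=constructed-intermediate"):
    """Constructed test material: a throwaway self-signed cert so the example runs offline."""
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    run_openssl("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                "-subj", subject, "-keyout", key, "-out", crt)
    return crt


def normalize_fingerprint(fp):
    """'4A 35 8B ...', '4a:35:8b:...' and 'SHA1 Fingerprint=...' all compare equal."""
    return fp.split("=", 1)[-1].replace(":", "").replace(" ", "").upper()


def cert_details(pem_path):
    """Parse the fields a manual check compares: fingerprint, subject, issuer, serial, dates."""
    text = run_openssl("x509", "-in", pem_path, "-noout", "-sha1", "-fingerprint",
                       "-subject", "-issuer", "-serial", "-dates").decode()
    details = {}
    for line in text.splitlines():
        key, _, value = line.partition("=")
        details[key.strip().lower()] = value.strip()    # e.g. "sha1 fingerprint", "serial", "notafter"
    # The displayed fingerprint is nothing more than SHA-1 over the DER encoding: recompute it
    der = run_openssl("x509", "-in", pem_path, "-outform", "DER")
    details["sha1_from_der"] = hashlib.sha1(der).hexdigest().upper()
    return details


def check_pin(details, published_fingerprints):
    """A CA may have several certs with the same subject name (re-issued or cross-signed),
    so the pin is the set of fingerprints the CA publishes, not one value."""
    fp = normalize_fingerprint(details["sha1 fingerprint"])
    if fp != details["sha1_from_der"]:
        return "fingerprint disagrees with DER hash"
    if fp in {normalize_fingerprint(p) for p in published_fingerprints}:
        return "match"
    return "unknown certificate: fingerprint not in published set"


def demo():
    with tempfile.TemporaryDirectory() as workdir:
        details = cert_details(make_self_signed_cert(workdir))
    fp = normalize_fingerprint(details["sha1 fingerprint"])
    # Constructed pin sets: one that lists this cert (in colon-separated lowercase) and one that does not
    listed = ":".join(fp[i:i + 2] for i in range(0, 40, 2)).lower()
    return details, fp, check_pin(details, [listed]), check_pin(details, ["AA BB CC"])
```

Run against a certificate saved from the real chain, `check_pin` answers the question the post asks: whether the fingerprint you are looking at is among the ones the CA publishes. A "match" says the bytes are the CA's; an "unknown certificate" verdict says only that the CA's page does not list this particular certificate, which is the situation the post describes and is not by itself proof of tampering.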


Time to Act!

Did you know that a vote is on at the OpenID Foundation to approve an initial implementer’s draft of OpenID Connect?

Your action is required.

If you haven’t looked at these specs yet,  go to http://openid.net/connect.    If you have only limited time, check out the Basic Client Profile to get an idea of what we’re talking about, or look at Nat Sakimura’s OpenID Connect in a Nutshell.

If you don’t even know what I’m talking about,  you need to go find out.  OpenID Connect is an identity layer on top of OAuth 2.0.   It abandons the redirect-based structure of OpenID 2.0 completely, and instead embraces the API security layer.   While OAuth 2.0 takes care of the mechanism of asking for a token and using that token,  OpenID Connect creates a scope that protects a standardized set of identity services:  these services provide roughly the same set of attributes, authentication context, and session expiry information that you would get in a SAML assertion.

SAML, OAuth 2.0, and OpenID Connect, when taken together, allow identity and issuer/session information to become a known common quantity, traded either on the front channel or the back channel, consumable by the largest enterprises and the simplest mobile applications, and secured at any level of assurance.
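
What the identity layer adds on top of OAuth 2.0, as an added example that is not code from this post or from the OpenID Foundation: an ID token is a signed JWT carrying the issuer, subject, audience, expiry, authentication time and authentication context (the `iss`, `sub`, `aud`, `exp`, `auth_time` and `acr` claims) that a SAML assertion would carry, and the relying party must check each of them, not just the signature. HMAC-SHA256 with a shared client secret is used here so the example runs with the standard library alone; an OpenID Provider will more commonly sign with RS256 and publish its keys through a JWKS document. The issuer, client id, nonce, secret and claim values below are constructed.

```python
"""Minimal OpenID Connect ID token issue/validate (added example; all values constructed)."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, key: bytes) -> str:
    """Provider side: header.payload.signature, each segment base64url-encoded."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token, key, issuer, client_id, nonce, now):
    """Relying-party side: returns (claims, "ok") or (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    # Pin the expected algorithm: the token must never tell the verifier how to verify it
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None, "bad signature"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        return None, "wrong issuer"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return None, "token not meant for this client"
    if claims.get("exp", 0) <= now:
        return None, "expired"
    if claims.get("nonce") != nonce:         # binds the token to this client's login request
        return None, "nonce mismatch"
    return claims, "ok"


def demo():
    key = b"constructed-client-secret"
    now = 1_360_000_000                       # constructed "current time", seconds since epoch
    issuer, client_id, nonce = "https://op.example", "client-123", "n-abc123"
    claims = {"iss": issuer, "sub": "user-42", "aud": client_id, "iat": now, "exp": now + 300,
              "auth_time": now - 20, "acr": "urn:example:loa:2", "nonce": nonce,
              "name": "Jane Doe", "email": "jane@example.com"}
    token = issue_id_token(claims, key)
    good = validate_id_token(token, key, issuer, client_id, nonce, now)
    # Tamper with the subject but keep the original signature: must fail
    header_b64, _, sig_b64 = token.split(".")
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin")).encode())
    forged = validate_id_token(f"{header_b64}.{forged_payload}.{sig_b64}", key, issuer, client_id, nonce, now)
    stale = validate_id_token(token, key, issuer, client_id, nonce, now + 3600)
    wrong_client = validate_id_token(token, key, issuer, "client-999", nonce, now)
    return {"good": good, "forged": forged[1], "stale": stale[1], "wrong_client": wrong_client[1]}
```

The order of checks in `validate_id_token` is deliberate: algorithm and signature first, so that nothing in an unverified payload is trusted, then issuer, audience, expiry and nonce, which are the claims that turn a bare OAuth token into a statement about who authenticated, for whom, and until when.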

If you are already an OpenID Foundation member, you simply need to visit a website, log in with your OpenID, and cast your vote.  Go to https://openid.net/foundation/members/polls/62 to cast your vote.

If you aren’t an OpenID Foundation member, becoming a member is simple and affordable, you can join as an individual for USD $25.  Visit https://openid.net/foundation/members/registration to join, and then you too can cast a vote.

You only have 5 more days; voting closes on February 15th, so do not wait until the last minute!