Saturday Night in London

It’s about 9:30pm on Saturday.  I’m in a bar, on Hackney Road in London, that I simply stumbled upon while wandering around.  It is an incredible place.  It is called “The Natural Philosopher” and I heartily approve.  It is an odd and slightly twisted cross between an old-fashioned Victorian study and a curio shop.  I would take a picture – but this isn’t the kind of place you take a picture in.  It’s meant not for Facebook check-boxing, but for people to sit and be in the moment.  And here I am, in the corner, working away at the laptop.  Better than trying to snap pictures though.

I haven’t written here for a long time.  But I dream about it.  I live a kind of guilt-driven life in some ways – how can I write here, when there are so many other greater priorities, outstanding commitments, all the things people are waiting for me to deliver?

But, sometimes the time is right.  My world is a lovely place, I have an amazingly balanced life, whereby I have good measures of intellectual stimulation, external validation, loving support, and independent exploration.  There are frustrations too, but there always are.

I think I will write here again soon.  There is so much to talk about, amazing changes and improvements in the identity world, pushed by sometimes surprising forces.  And I’ve started playing with the Arduino, so there is wonder there that I would enjoy sharing.

In the meantime, I shall enjoy this strange, unexpected, odd bar in a place I have always wanted to explore.  Even if I am the strange one in the corner with a laptop, the screen probably gives me an even more surreal look than the decor…

When your Empire has no Clothes

How many data points does it take to call something a trend?  With the hack and subsequent data dump of the internal files of Hacking Team, a company most of us never even knew existed until this week, the world is getting to see a very public examination of the naked inner workings of an organization. This is the second time I can think of this kind of hack occurring.  The first was, of course, Sony Pictures.

Some number of hackers have turned two different organizations inside out from a digital perspective, exposing even the mundane stuff for public ridicule.  And some of the most harshly ridiculed practices of all in both cases involved passwords and credentials.

In the case of Sony Pictures, the effect was acutely embarrassing.  Scores of Excel spreadsheets, detailing personal, business, and IT system passwords, with filenames like “website passwords” and “usernames & passwords”.   When Gawker writes an article detailing what morons you are,  you know it’s bad:  http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151

[Image: sonypicturespasswordfiles]

In the case of Hacking Team, enough data was dumped not only for the obvious stupidity to come to light, but also for hashed passwords to be brute-forced and gleefully revealed in horrific detail on Twitter.  The examples below are (a) a dump of the admin’s Firefox password manager, and (b) an Excel spreadsheet containing VPS credentials.

[Image: hackingteamexample2]

[Image: hackingteamexample]

So, let’s assume that this ‘dump and roast’ trend is really a trend, and will continue.  Perhaps it puts a little more personal skin in the game.  We all get lazy. We all take shortcuts.  But now there is a risk that all those shortcuts get dissected at a later date, with a very sharp scalpel.

Trying to look competent during examination by your Future Hacker Overlords.  It’s an odd thing to imagine as a security influence.  But right now, it feels like it might become a thing…

Facelift

I’ve finally had time to spruce up the site a bit! Feels good to move things around.  You know me, I like playing with the federated identity options — so I have taken out the Google Identity Toolkit.  I have a half-formed plan to install the Facebook plugin and then perform experiments on their new anonymous login and granular consent features…  of course that will eventually come out too.  Commenting and registration methods have never been stable, at least not since the InfoCard integration was taken out. Good thing you’re all hardy :)  So if you want to comment and say hi, you’ll probably have to recover your password.

copyright Pamela Dingle 2014

This Woman in Tech says: Thank you

I’ve been reading the various recent articles about women in tech bubbling around the interwebs with mixed feelings.  I’ve seen a lot of these debates go by, and although I have strong opinions (I know, you’re surprised, right?), I usually choose not to comment here.

There is only one thing that I find myself wanting to say publicly in this week’s resurgence of the debate, and that is: Thank you.   I have had the incredible blessing of being surrounded by group after group of intelligent, thoughtful men and women who have not only treated me equally and fairly, but have encouraged my abilities and helped me to reach greater and greater heights.  I have nobody to blame, but many to acknowledge – and why should the jerks get all the press time?

I may not be on anyone’s top 30 women in tech, and I may never be the CxO that people seem to so desperately need all women in tech to be, but I have a fulfilling and challenging job and I have achieved my primary goal in my career, which is to work with people who make me smarter every day. By the only standards that count (mine), I have it all.

I believe that a lot of women have fought difficult fights over the years so that I could have this kind of positive experience, and I know that not all women in tech have been so fortunate.  To those women who take on the establishment in this area – You have my support, gratitude and thanks.  You take the heat today so that the next generation of girls can simply accomplish and wonder what all the fuss is about.

Why am I writing this?  I don’t know. I suppose, it seems wrong for the unhappy examples to be the only examples out there. What I do know, is that I am one of the luckiest women in tech; the people who stand out in my life are not the ones who tried to hold me back, but the ones who have helped me fly.  Thank you, to some of these exceptional people: Darcy, John, Cliff, Don, Cullen, Alan, Tammy, Tim, Pete, Doug, Brian, Dave, Janelle, Kaliya, Gordon, Derek, Barb, Bob, Kim, Craig, Mike, Vittorio, Ben, Sydney, Dale, Patrick, Julie, Sean, Andrew, Gil, Laura, Andre, and so many more.

Digital Dumpster Diving

Brian Krebs wrote a fascinating post recently on keylogger results that are being posted in various cloud locations.  As Brian put it, insult is added to injury — not only has your machine been compromised, but the results are hanging out on the internet to be scavenged by random opportunists who know what to look for.

And to think that the biggest worry used to be shredding our documents to prevent physical opportunists from sorting through our leavings…

Photo credit:  http://www.flickr.com/photos/sumit/

Patience only goes so far

Mike Waddingham writes about how Facebook has run afoul of the Office of the Privacy Commissioner of Canada and will likely end up in court.

He notes:

I’ve never had a Facebook account.  I can be patient.

But those that still trust Facebook with personal information — and haven’t bothered to examine the minutiae of the site’s privacy settings — will continue to have their personal information shared with 400 million users and thousands of advertisers, data aggregators and, well, pretty much anyone else on the Internet.  At least until the wheels of justice grind to conclusion…

You may not have a Facebook account – but when everybody else around you does, it’s like pulling one string out of a rug — you can still see the pattern.  You’re still in the photos.  Your holidays may still be announced.  Your birthday may still be announced. You’re still husband of, and father to, and friend of friend for all sorts of people who will share freely about you.  Perhaps you aren’t as semantically dereferenceable as you otherwise would be – but you aren’t invisible either.

On the other hand, if you are ever accused of a crime, chances are that some other poor schmuck’s picture will end up on the evening news… that’s handy.

One last point — Mike forgot to add governments to the list of places you are sharing your personal information with.   Facebook gives governments the ability to collect and analyse the one thing that is still uncool for them to ask for – details of private lives.  As long as we all remain overfed and obsessed with who won Survivor and how to get an iPad, nobody will mind that Facebook is the world’s greatest surveillance tool.  I hope it stays that way for a very long time.

CardSpace *OR* ADFS 2.0

Microsoft announced last Tuesday that CardSpace 2.0 beta would not be releasing at the same time as ADFS 2.0.  That fact may not have immediate significance to you, but it certainly does to me.  Microsoft, you’ve blown it.

On one hand, I’m immensely relieved. A premature release of CardSpace 2.0 would have removed personal card support from the desktop, meaning that CardSpace would have been relegated to nothing more than Home Realm discovery.

On the other hand…  We won’t know for sure until ADFS 2.0 ships, but from what I and other people have seen from the beta and release candidate versions, Microsoft has broken backward compatibility with CardSpace 1.0.  This means that unless Microsoft has taken recent steps to regress their information card issuance code, ADFS 2.0 will ship in information card limbo.

I am trying not to care and failing miserably.   Let’s face it, Microsoft can release their software in whatever shape they see fit.  If they want to, they can release an initial version of a client with no server, and then release a version of the server *years* later that can’t work with the initial client, and can’t be deployed with the later client because that later client “isn’t done yet”.  I’m sure that the collateral damage is the least of their problems, and I actually know and understand better than most what internal and external pressures may have been brought to bear.   Resources are precious, and both FIM and ADFS have slipped themselves, so somebody had to draw a line.

But see, people were waiting.  Big companies, waiting to run information card pilots.  Governments, excited to use ADFS 2.0 to implement higher-assurance consumer identity projects.  There weren’t a huge number of interested parties, but dammit, they were BIG interested parties.  Those interested parties need a sustainable closed circle — a production server and a production client.   Not a production server that can only work with a client that “isn’t done yet”.

In the meantime, there is a very hardy little information card community that can at least now stop the horrible waiting and wondering game with respect to ADFS 2.0 and CardSpace 2.0.  The choice for the immediate future is becoming clear:  CardSpace 1.0 remains the de facto standard for information cards.  The rest is moot. Regardless of the hole that Microsoft may have dug for itself, the quality and uniqueness of the interactions that the IMI spec makes possible are undeniable, and I hope inevitable in some variant. I continue to believe that this protocol represents our best hope to regain rational control over our own digital relationships.

It is entirely possible that companies like Azigo and Avoco Secure will see the silver lining here and do the extra work to shim up the ADFS server to work again with the rest of our ecosystem.  We’re not out for the count, and at least now we finally know what the biggest player in our space plans, even if it is a big fat WTF…

Burton Group: is this thing on?

Is it just me, or has the Burton Group gone dark?  Outside of Twitter, I haven’t heard anything from anybody on anything.

Are they publishing somewhere else now and just haven’t bothered to update their old blogs to help existing followers to make the move?  Or maybe now that they are part of Gartner, we shouldn’t expect any kind of presence, just a set of reports in the mail and a webinar every so often?

It’s a bit of a boggling strategy, really.  If there was any time for them to be pushing into the public eye, I would have guessed it to be now.