1. The CanadIAM Blog – this blog is dedicated to the Canadian take on Identity and Access  Management, thanks to the organizing efforts of Mike Waddingham over at Code Technology.  It’s just getting off the ground, but I think it will attract a very strong community — make sure you add it to your blog reader!
2. The ICE Conference — this will be the very first Canadian tech conference that I’ve spoken at, I can’t wait to actually meet folks from my own backyard and compare notes and experiences!   The conference is in Edmonton on November 2-4, 2009 – the only sad thing is that it happens to conflict with the Internet Identity Workshop;  as a result I’ll have to split my time between the two rather than getting the full benefit of either, which is such a shame!

It is great to see these kinds of resources evolving, and I think it speaks to the maturity and growth of I&AM practices in Canadian organizations.   I believe that the best way to be successful in many of these ventures is to share – and what better way than to do so than with a group of people who have strong common interests.

Photo credit: http://www.flickr.com/photos/michael40001/1828017204/

Take, for example, Rocky Mountain Bank of Wyoming USA.  An employee of the bank emailed sensitive details about 1375 customers to the wrong Gmail user, and now the bank is suing Google to discover who this anonymous user is, in an attempt to try and figure out just who they managed to gift their data to, and whether their gift kept on giving.    In the meantime, the Gmail account of a completely innocent bystander has been deactivated by court order.

As I see it, Rocky Mountain Bank is in their own little hell right now – they are being widely ridiculed, they have initiated an expensive legal action that can only partially assuage their fear of exploitation by a third party, they have at least 1375 really pissed off customers, and they have incurred some amount of liability and/or responsibility to those customers should their data be criminally exploited in the future.

You can think of these guys as one more incompetent organization and call them names.  Or you can think of it as one more organization whose eyes have been opened to the cost and danger of playing fast and loose with customer privacy.  Perhaps we simply have to hit a tipping point where enough people are close enough to enough victims that our societal internal risk meter changes.  If you look at it that way, every breach can also be viewed as an education…  and I’m a big fan of education.

So congratulations Rocky Mountain Bank on having your eyes opened as a corporation, serving as an example for others, and personally educating 1375 otherwise clueless end users.  It is appreciated.

They encouraged their own Sears and Kmart CUSTOMERS to download a piece of software that seriously compromised privacy, transmitting banking details, unrelated shopping card details, and online prescription orders back to the mothership.

To me, this is worse than an accidental breach.  This isn’t about ignorance or stupidity, but about willful intent to do harm.  A whole group of people inside this organization decided it was a good idea to write a piece of software that “monitored consumers’ online secure sessions – including sessions on third parties’ Web sites – and collected consumers’ personal information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for Web-based e-mails” (from the FTC notice).   How could this project be designed, written, approved, and then evangelized without anyone raising the ethical issues?  How about the lack of respect shown to the very group of people whose privacy the Sears Holding group should have felt beholden to protect?  Worse, why *could* it be done? Oh yes, right.  We all use operating systems every day that have an egregious lack of granularity in access control.

There is little to do except spit in Sears’ general direction – so I do.   Ptooey.

This exact same issue has come up on the OSIS list with respect to privatepersonalidentifiers – some have argued that it is perfectly safe to store raw ppid and modulus information at the RP,  and I cannot tell you how STRONGLY I disagree with that idea.

Luckily, Gunnar has pointed me to the perfect example:  apparently the HSBC France banking site has been hacked,  and guess what?  They are storing their customer’s passwords in clear text too (surprise surprise).  And a handy little SQL injection attack gives the hacker everything he needs to log in as anyone he can think to query for.

Had the HSBC stored their passwords in some kind of encrypted format,  the same attack would have netted the hacker a fraction of the value,  because there would still be a significant and likely cost-ineffective amount of time and work necessary to turn the data into a set of credentials that could be used for actual authentication.  This is why encryption of passwords is an industry best practice, and why you will and should be laughed out of this community if you can’t get such a simple mitigation right.

If an RP stores the ppid and modulus of a self-issued information card in clear text, and that RP becomes the victim of a SQL injection attack,  a hacker has everything they need to get in the front door too.   The data must be stored in a way that mitigates this danger,  period.  I consider this to be identity 101 for information cards, and anyone who writes an RP should consider this to be a best practice.

The truth is:  yes I am disappointed, and no I don’t understand.  I am sure this all about somebody somewhere insisting that I not be served until they get their pound of flesh.  I’m willing to PAY for my little part of whatever kickback has to happen – but apparently that isn’t enough.  It would seem that profitability can only be found in a scheme that rewards large demographics and denies everyone else.  What a shame.

The  potential exists – and I think it is worthwhile to ask why.  Most people have been taught to guard their passwords, but have been carefully instructed to feel no responsibility for the other ways in which an attacker could access their account.  Why is it we can educate about password complexity and reuse, but don’t want to explain under what circumstances a “personal identification” answer might be used?   Why is it we will force a user to change their password every three months, but the email address that would be used in case of a password recovery effort is never tested, and security questions are never refreshed or reinforced?   Why is it that we as a culture have recognized the concept of a “fire drill” in the real world, and advise people to understand alternate exit routes in cases where the elevators are out of order, but in the online world, we feel that advising those users who happen to be of the more concerned persuasion to familiarize themselves with and verify the operation of the page behind their “forgot my password” links is a crazy and unthinkable thing to ask?

If you are someone who worries about being hacked, and if you are willing to take a little bit of time and energy to at least understand the risk you might be facing, my advice to you is:  Go forth and recover.

Go ahead.  Recover all of your accounts.  You probably needed to rotate those passwords anyway.  Find those “forgot password” links and click ‘em. Chances are, you will be able to reset your password in an automated fashion,  either by answering a pre-specified question, or by getting a link sent to an email account (sometimes, both approaches are combined).    If you are asked a question, is the answer guessable?  Is it searchable?  Is it short? Is it a single dictionary word?   Can you control the guessability of the answer, or is it a hard-coded format such as a postal code or a birthdate?   If you are emailed a link, follow the chain to your email provider and recover your password there too.   Is it more pre-specified questions?  Are they the same questions? Were you required to click on a link sent to yet another email address?  If so, follow the chain again.  Rinse and repeat.  This is the same trail that a hacker would follow – often they find something you’ve forgotten, something out of date, an expired account or a typo that you never would guess could end up in a compromise of your identity.  Password recovery mechanisms were used to compromise Sarah Palin’s email account, and also used to steal corporate data from Twitter.   If you can satisfy yourself that the password recovery loop is closed, that your answers are not guessable, that you haven’t specified incorrect, out-of-date, or non-existent email addresses, and that the services you use don’t use unsafe mechanisms, you will be safer.

Don’t believe me?  Check out the techniques this guy used to compromise the identity of a mere acquaintance.  He gained access to supposedly “secure” accounts whose password recovery mechanisms depended on password recovery mechanism that depended on grossly guessable data.

Should you have to do this?  No.  Not according to almost anyone in this business.  Are you expected to do this?  Of course not.  How many people actually memorize an alternate exit route from every hotel room they ever stay in?  Only the ultra paranoid, I am sure.  Still, if you care, if you are motivated,  and if you want to know what to do, perhaps this can be a starting point.

This is the second screen of my credit card provider’s authentication workflow.  They are asking me to answer my “Personal Identification Question”, and asking me to type 3 random digits of my password instead of my entire password.  The ramifications of this set of implementation choices just blows my mind.    Three strikes and you’re out, if you ask me:

1. Downright Terrible Personal Identification Questions

Anyone who reads my blog can probably figure out my favorite hobby, I even mention it on my about page.  That question was one of five terrible security questions. Three of the questions are standard web access management fare. They aren’t great, but at least the 8-character minimum character limit keeps away answers like “golf”, “ford”, and “rex”.   The other two questions are in my mind criminal however.  No financial institution should give a customer the option to use their mother or father’s name as a method of personal identification.  I can’t believe anyone put those questions into production. The worst part: because of the list given, those two questions are the only ones that can be answered in a straightforward way while also fitting the complexity rules.

2. Removing The Guesswork from Password Hacking

Then there is the 8-character password. I could have sworn that one of the variables that make a password tough to brute force is the fact that the length is unknown.  If you *know* you’re working with 8 characters, you can seriously narrow down your brute force parameters.  Plus the only punctuation allowed is an underscore.  Ouch.

3. One-way Hashes are *so* 2008

Since my bank is performing character matches on my password, there is no way that they are using a one-way hash algorythm to store my password.   If they were, they would be able to match the whole thing or nothing at all.  Instead, they have chosen to be able to retrieve my password and play with it.  I can only hope that it isn’t stored in clear text, but frankly anyone who asks “What is my mother’s name” as a security question can’t be too worried about security.  Don’t get me wrong,  HSBC is very worried about the appearance of security, in fact I was forced to positively acknowledge a big long page of statements about how firewalls are used, and how they require me to use 128-bit encryption. In spite off all the assurances, it seems to me that I’m at risk in a number of ways now, and all so that the password interface can be turned into a primitive and easily overcome turing test.

So, what am I missing?  Is there some brilliant element to this setup that makes up for the sins that appear to have been committed?  Something that will make me happy my credit is in the hands of this company?  I hope so, because right now I feel like maybe it’s time to do my best ‘rat leaving a sinking ship’ impression.

The logistics summary is short: Burton Group has just plain gotten it right.  Good food, free, reliable internet access even in the room, power for laptops, nice hotel.  They even arranged an airport shuttle discount.  They paid a lot of attention to the cost incurred by their attendees, and it was appreciated.

I’ll tell you the truth.  I’m not going to particularly talk about the content of any given presentation.  After 8 years, a large portion of the content is pretty well ingrained in my head, and while I learn new things every time, each little twist and turn has really become a single data point contributing to an overall set of trends.   I think of the following points as indicators – but you be the judge of the truth of that statement.

1. Presentations fit to take home to Mom

This is literally the first year of all the years I have been attending Catalyst that I have downloaded presentations and recommended them to those that could not attend; that’s how good some of these presentations were.   The speaker notes were critical in being able to pass these presentations on, so thank you to the speakers who took the time to be sure that their presentations were consumable after the fact.

2. Cloud Track

The cloud track presentations I saw this year were fantastic, but I hope that this is the first and last time that  Burton focuses primarily on “Cloud”.  Why?  Because I hope that after this year, everyone will be savvy enough and discerning enough to get past such a broad topic rollup.   A lot of attendees I talked to had been sent to Catalyst with the mission of  “understanding this cloud thing”, and I think that the Burton Group very astutely served the needs of their attendees – but while general education is important,  there were people there who were frustrated because they wanted to talk about actual concrete things that Enterprises might want to do in the cloud.   You can only start with the layered diagram of SaaS, PaaS, IaaS, and SIaaS (Software Infrastructure as a Service, newly defined by the Burton Group) so many times.  Unless you were interested in virtualization, which seemed to be covered very thoroughly, I don’t believe that many of the cloud sessions put a targeted group of people with a common business goal in the same room,  however I also don’t believe that this would have been a realistic goal for this year anyway.

This track is going to be very popular and profitable for Burton Group – it is a great team, producing great content.  I look forward to seeing how it evolves & matures in the next year.

3. Lightning Rounds

(Lightning rounds are a series of extremely short on-stage spots given to vendors who have product announcements to make: 4 minutes & 4 slides, if I recall correctly)

The lightning rounds started in 2008 and were expanded this year.  I believe they were very well received, in fact I heard people say that they were the best content of the day.  I hope Burton Group thinks long and hard about what that means.   For a very long time, ‘vendor’ has been a dirty word at Catalyst – with the result that attendees can only find out about products through the sanitized views of the analysts or the drunken haze of the hospitality suites.  Granted, the analysts are smart and make great points, but – the danger is that the whole experience becomes homogenized, and no matter how great the quality is,  homogeneity is boring.   Looking at the neat pastel-colored items on the agenda this year, that’s all I could think.  Oh, yet another customer use case.  Oh, a panel.   All fitting into a certain template.

The lightning rounds were refreshingly template-free, but more importantly, they let the attendees make a direct connection with the vendors.  Some vendors did not use their time wisely, some did, but no matter what the attendee could be the direct judge, and in the worst case the suffering was short.  I’d like to see more of that, and I think it benefits everyone, assuming the goal is to create a thriving identity ecosystem.

4.  Where are “The Regulars”

My recollection of the early part of 2000 was that there was a set of non-Burton people who could always be counted on to further the discussion.   Burton analysts provided the meal, but ‘the regulars’ provided the spice, both in the blogosphere and on stage.   I haven’t seen very many recurring spots given to regular non-Burton speakers any more, and I think that’s a shame.  I’m not sure if it is because these people have different jobs and focuses, because the space is simply more commodotized and the characters have moved on to more interesting new problems, or because Burton has abandoned the policy – but I think the conference is the poorer for it.   I’d like to see Burton take a chance and try to cultivate a new breed of thought leaders, agitators, and characters in this space, who can grow with the technology and help attendees gain multiple and growing perspectives over time, rather than only hearing from yet another different customer who took on and solved one task one time,  in one context, and who you will never hear from again.

Why are the regulars important?  Because they represent a growing trusted relationship that engages people.  We need those trusted standouts who can transcend vendor allegiances, who can tell the truth not only from a neutral standpoint but also sometimes from a decidedly non-neutral standpoint.  We need people who can bridge gaps and serve as public touchstones for the topics of the day.

I have a list of people I think would excel at this, but it would be much more interesting to see who Burton Attendees would nominate for the job.

By the way,  Frank (shown here) really enjoyed the conference.   Especially the hospitality suites with the icy martini bars… if you were at Catalyst you have probably already met Frank, otherwise you’ll be seeing more of him as I travel around.