Identity Theft or Bank Robbery?

May 10th, 2010  / Author: Pamela

Joe Baguley from Quest put me onto this HYSTERICAL clip from a UK comedy radio duo on Identity Theft. It highlights the culpability question brilliantly:

Update: This one’s fantastic too, the “Identity Killer”:  http://www.youtube.com/watch?v=20bpV50uZ5Y

CardSpace *OR* ADFS 2.0

May 3rd, 2010  / Author: Pamela

Microsoft announced last Tuesday that CardSpace 2.0 beta would not be releasing at the same time as ADFS 2.0.  That fact may not have immediate significance to you, but it certainly does to me.  Microsoft, you’ve blown it.

On one hand, I’m immensely relieved. A premature release of CardSpace 2.0 would have removed personal card support from the desktop, meaning that CardSpace would have been relegated to nothing more than Home Realm discovery.

On the other hand…  We won’t know for sure until ADFS 2.0 ships, but from what I and other people have seen from the beta and release candidate versions, Microsoft has broken backward compatibility with CardSpace 1.0.  This means that unless Microsoft has taken recent steps to regress their information card issuance code, ADFS 2.0 will ship in information card limbo.

I am trying not to care and failing miserably.   Let’s face it, Microsoft can release their software in whatever shape they see fit.  If they want to, they can release an initial version of a client with no server, and then release a version of the server *years* later that can’t work with the initial client, and can’t be deployed with the later client because that later client “isn’t done yet”.  I’m sure that the collateral damage is the least of their problems, and I actually know and understand better than most what internal and external pressures may have been brought to bear.   Resources are precious, and both FIM and ADFS have slipped themselves, so somebody had to draw a line.

But see, people were waiting.  Big companies, waiting to run information card pilots.  Governments, excited to use ADFS 2.0 to implement higher-assurance consumer identity projects.  There weren’t a huge number of interested parties, but dammit, they were BIG interested parties.  Those interested parties need a sustainable closed circle — a production server and a production client.   Not a production server that can only work with a client that “isn’t done yet”.

In the meantime, there is a very hardy little information card community that can at least now stop the horrible waiting and wondering game with respect to ADFS 2.0 and CardSpace 2.0.  The choice for the immediate future is becoming clear:  CardSpace 1.0 remains the defacto standard for information cards.  The rest is moot. Regardless of the hole that Microsoft may have dug for itself,  the quality and uniqueness of the interactions that the IMI spec makes possible are undeniable, and I hope inevitable in some variant. I continue to believe that this protocol represents our best hope to regain rational control over our own digital relationships.

It is entirely possible that companies like Azigo and Avoco Secure will see the silver lining here and do the extra work to shim up the ADFS server to work again with the rest of our ecosystem.  We’re not out for the count, and at least now we finally know what the biggest player in our space plans, even if it is a big fat WTF…

Burton Group: is this thing on?

April 22nd, 2010  / Author: Pamela

Is it just me, or has the Burton Group gone dark?  Outside of twitter, I haven’t heard anything from anybody on anything.

Are they publishing somewhere else now and just haven’t bothered to update their old blogs to help existing followers to make the move?  Or maybe now that they are part of Gartner, we shouldn’t expect any kind of presence, just a set of reports in the mail and a webinar every so often?

It’s a bit of a boggling strategy, really.  If there was any time for them to be pushing into the public eye, I would have guessed it to be now.

XAuth: First Take

April 20th, 2010  / Author: Pamela

XAuth has had me fascinated since it was announced yesterday.  If you haven’t heard of it yet, I think Dare Obasanjo’s summary is one of the better descriptions, although his site seems to be having issues this morning.

What is XAuth?  It appears to be one service, running on one domain, that will maintain the login state of every user at (ideally) every consumer Identity Provider in the world, in real time.  A service users have to opt out of.  The goal is discovery of authenticated providers.

There are interesting nuances here. As far as I can tell, for the large providers who are already a fixture on the standard NASCAR page, adopting Xauth means that their logo can only be shown on fewer pages than they are today. This means that Google, Microsoft Live and Yahoo! are essentially volunteering to delist themselves from NASCAR pages when the user is not registered or not logged in.  Meanwhile Facebook and Twitter, who are not at this time involved in XAuth, will be there on every single NASCAR page, holding their spot, nice and predictable, day in and day out.  If you travel to Zoho, for example, and you are logged out of both Facebook and GMail, you will only see Facebook’s logo.   And since xauth.org is by design a single point of failure, any service disruption that threatens revenue for the relying party is likely to result in an abrupt re-adoption of a static NASCAR page.  So – what is it that these providers gain from such a dance?

They get to remove the user from the equation.  Relying Parties and Identity Providers get to finally discover each other all by themselves, they can talk right over everybody’s heads without prompting users.  In one sense, I completely get this!  Business runs so much smoother when the decisions get made en masse.  Asking the user is time-consuming, difficult, and frequently unappreciated.  And eventually you just have to solve the problem and get stuff done.

XAuth, if it succeeds, will be the antithesis of user-centric identity.   It is what happens when companies with businesses to run finally realize that asking users is a thankless, hopeless task that can only get in the way. We all know it is easier to ask forgiveness than permission – for better or worse, XAuth is that principle, taken to its logical conclusion.

Privacy vs. Profiling

April 9th, 2010  / Author: Pamela

This raised the hairs on the back of my neck:

How Visa Predicts Divorce

Imagine the scenario. You’re in a bad relationship. You want out. Suddenly, magically, targeted ads start showing up all around you — ads for lawyers, counsellors, mid-life-crisis objects of desire. Your credit card company has sold your profile, and everyone is excited to be the first to offer you those services you need – before even you know you need it. Score one for the semantic web.

We’re bringing it on ourselves. We are inputting our lives into systems whose success depends on monetizing trends, and we are absolute in our own consistency as subjects — after all, that’s how you get those loyalty points right? But is there a line? Recognizing and monetizing a home move? An affair? A divorce? Political affiliation? Terminal illness?

Perhaps it’s time to say welcome to our new profiling overlords… or maybe we should just go out and buy both premium birdseed AND cheap motor oil at Canadian Tire. Ha. That’ll learn ‘em.

My Friend Steven

March 19th, 2010  / Author: Pamela

A few years ago, I met Steven Bender at the Burton Group Catalyst Conference in San Francisco.   Steven’s company, iMagic Software, had a product that did keyboard biometrics, and I was immediately fascinated.  I thought that their product had a ton of potential that wasn’t being recognized – everyone was pigeon-holing it as strong authentication, when in fact it could be used silently to track password sharing, something that I thought had far more potential.   If you aren’t familiar with that product space, the idea is that in addition to your password, data is transmitted about the rhythm in which you typed your password.  Your rhythm becomes another factor that can be used to detect impostors.

If you’ve met Steven, you’ll understand when I say he was larger than life.  He was persistent as hell, and he loved to tell stories.  Sometimes it was challenging to get a word in edgewise :)  When Steven was convinced of something, nothing in the world could stand in his way.  I grew to really respect both his cheerful approach and his scrappy determination.

He called me about a month ago about a project he was working on — a very ambitious project to collect a massive amount of impostor data for his favorite password, frodolives.  iMagic had created a facebook application with the hope of having a wide range of people type the same password, so that research could be done on how to better keep impostors out.     The plan was to incent people to enter the password by having them enter to win an iMagic t-shirt.  I told him honestly that he’d have a much better turnout if he instead donated to charity — that way people would be much more likely to enter the password multiple times, and he wouldn’t have to worry about delivering t-shirts after the fact.   I’m happy to say he took my advice.

Sadly, Steven won’t get to see the results of his experiment, he passed away March 5th.  I had a chance to see him just days earlier and I missed him – I’ll regret that forever. It’s hard to really comprehend that he’s gone; it still feels like some day he’ll simply call.

The iMagic facebook app can be found at http://apps.facebook.com/trustable_passwords.  Consider typing ‘frodolives’ a few times into it, if you have the time.

Can’t wait for TEC

March 18th, 2010  / Author: Pamela

The Experts Conference is in Los Angeles this year.

I can’t wait — and if this picture makes no sense, you will just have to ask an Active Directory MVP.

Commercial Phishing

February 5th, 2010  / Author: Pamela

Twitter broke a very interesting story this week about a hacker who bulk-harvested account details by installing backdoors in a popular torrent hosting solution.  Users registered for a valid service, and received value in return, but all the while, their details were being stolen.

This would be a pretty boring phish, except for the part where users re-use passwords and account names ALL THE TIME.  The current trend is upsell — harvest a low-value throwaway password at an insecure site and then see what high value matches can be made with the same username and password.

Identity Theft via phishing used to be a consumer identity problem, but Cloud services and extranets have changed that.  There is now a new game in town:  commercial phishing.  If your enterprise users are uninformed enough to use their work email and a standard, muscle-memory-password at a site like a torrent site, attackers now have a growing list of possible commercial candidates for that account.  Of course there is always the chance that the worst case scenario will happen and an attacker will harvest your entire Enterprise Directory.   You may say, my company is obscure, what use would hacking my company be?   Well, if you use outlook web access,  and your AD password is phished, and your accountant uses his/her work email address for password recovery on your corporate banking site, there is a path for an attacker to get at your organization’s money from the internet.

I think it’s hysterical that a company will spend all sorts of money for education of their workforce around physical safety and nothing on account safety.  Why is there not a brightly colored data safety reminder on  every floor, something to idly inspect while you’re waiting for the elevator?  As much as you scoff at the idea, the very prosaic advice that this fire poster offers DOES help in muscle-memory situations.  The strategy of setting out simple rules and making them highly visible does work.

Not only does a sign like this not exist for account safety, I don’t even think that there is agreed-upon text to go on it.  No wonder we’re in the state we’re in.

Oracle Waveset

January 29th, 2010  / Author: Pamela

Acquisitions!  Can’t live with ‘em, can’t wait until they stop holding up progress.   At least now we have new fodder for speculation.

What’s great about the Snoracle merger finalizing:  already I’ve seen more blogs from more people in “the know” who are reaching out than I can recall ever seeing from the Identity team at Oracle.   Nishant has always been the sole Oracle blogger in my acquaintance, but a few other voices are being heard – if you aren’t listening, you should be!  I am really excited about the idea that this merger could herald a cultural shift at Oracle towards more transparency.

The dust has settled on the initial announcements, and the big surprise is that OIM (previously Thor) has been chosen as the strategic provisioning product.  I can see all sorts of technical reasons why this might be the case – I imagine that the original Thor product had already been heavily retooled for integration into the fusion middleware suite.  Any other strategic considerations (size of existing customer base, ease of expansion, etc) really don’t have as much weight as those of us on the outside had been assigning for a simple reason:  the Waveset customer base is captive. There is no competitor right on the heels of either OIM or Waveset, no hungry beast to prey on dissatisfaction or fear around assimilation costs or adapter growth/expansion for Waveset.  As such, Oracle can play it cool by supporting Waveset long enough to appease nervous customers, cherrypick the functionality that is missing from OIM, and eventually find a migration path once the dust has settled.

So then, we have the following communities:  1) Existing OIM customers, who are relieved I’m sure. 2) Existing Waveset customers, who are probably unimpressed, but who will hopefully be well supported and given a migration path. 3) New customers, who are in the worst position, having had their choices narrowed. Will prospective customers keep asking for “Oracle Waveset” (the re-rebranded name of Sun Identity Manager)?  Or will memories fade fast?  There is a hole now – will another product fortuitously step in, for example Forefront Identity Manager 2009 2010?

I also wonder what kind of pressure SaaS will put on applications that traditionally are provisioning hard cases.  If you are an software vendor competing against SaaS services, and that SaaS service offers a provisioning API that allows for a 10-minute integration into an automated Enterprise infrastructure, wouldn’t you be worried? Will bricks & mortar software companies feel compelled to compete?   I hope and pray that this will be the case – and frankly I can’t figure out why on earth any software vendor would prefer to have a provisioning tool bypass its core logic and reach into the backend database to twiddle bits.

The access front is interesting, if not surprising.  Given that OpenSSO was opensourced, I don’t think anyone really felt it was likely to replace OAM, but in this case there is a migration path that sees customers stay with the pre-Oracle codebase and maintain the code themselves (I hear there are integrators out there already offering up a new neck to choke with respect to codebase management and support).  Oracle has said that there are a few things that they will adopt from OpenSSO, but I imagine that the opensourcyness of OpenSSO might be a barrier there, most engineers I know are loathe to mix license types in a product.

No matter what happens, at least it’s now able to happen openly.  As Green Day sings:  “every new beginning comes from some other beginning’s end“.  The world marches on, but I’ll always remember the long hours I spent in the Sparc 1 and Sparc 2 labs at university; on Sparc 5′s and 20′s at the beginning of my career; and the time spent on the ever-renamed directory that started at Netscape, went to iPlanet, then SunOne, then suffered from all sorts of horrible marketing mangling around “Java” and “Enterprise”.  The pre-marketing-mangled Sun brands will always make me smile; they were representative of a bright shiny world that I felt awed to be a part of.

Brace Yourself

January 24th, 2010  / Author: Pamela

I believe that what Apple releases next week will herald the end of broad adoption of general computing devices.   The introduction of their tablet will begin in earnest a trend towards tightly integrated, tightly controlled sealed-hardware computer devices that allow the majority of the population to accomplish the most popular computing tasks without doing anything more than visiting the app store.  Not as your “mobile” computing solution by the way — as your only computing solution.

Why wouldn’t the world move in this direction?  Why shouldn’t your computer be as easy to use as your smartphone? Why fiddle with drivers and desktops and operating systems if all you ever do is surf the web and send email to your grandchildren?  Even if you want more than the basics, why go through long and complicated application installs when you can just click a button?

This is the future, and those of us in industries like identity management had better stop and pause right now, because per-application passwords have no place in the world of the app store.  They are difficult to type on a touchscreen, and inconvenient in exactly the way that the new push-button paradigm seeks to overcome.   This could be the best thing — or the worst thing to happen to those of us working on protocols which replace password storage.

There is no doubt that passwords *will* be hidden from the user from now on.  In the same way that nobody types a telephone number into their phone anymore (they just use Contacts),  nobody will type a username or a password.  Heck, they won’t even type the URL of the service.  Details will be hidden, the pain taken away.  We have a small window in time to affect the way in which that happens, before users forget what it was like to have to figure out which user name went with which password and which site.

Don’t believe me?  If you have an iPhone, you should try PageOnce‘s Personal Assistant app.  I reviewed PageOnce ages ago:  it aggregates accounts of all kinds, giving a consolidated dashboard and allowing you to login without typing your password.  I panned the service: not only do you have to give your passwords away, but you have to go out of your way to pageonce for that very first account login – why do that when you can go directly to the website and log in?   On a general purpose computing device, the service has no use to me.  On the iPhone however?   Pure solid gold.  Clicking that little “Personal Assistant” icon is always easier than typing in a URL for the original website.  Not only do I never have to remember credentials, I am essentially given a menu of my accounts, and I’m one click away from transacting.

But, you say – it’s just mobile.   What really matters is the desktop.  I say you’re wrong.   I say that the ubiquity of the smartphone is coming to a desktop near you, courtesy of Apple Computers Inc.  I say that we had better *start* our strategy thinking about what happens when a user has an expectation that authentication should be no more complicated than making a phone call on a smartphone.

If we don’t make it that easy, somebody else will do it.  Of that you can rest assured.