Facebook Fading

I was just looking back on my previous post about Facebook. The little sparks of contact and inspiration that came from the discovery of new friends and old, quickly turned into a nuisance. Although I still check in on my own profile every now and then I barely use it at all. One of my big concerns has been around the constant need to share private information with every application developer that wanted me to use their app.

I should be able to see exactly what data is being shared and be able to limit it and control its use. Until this happens I am unlikely to sign up to too many more applications on Facebook.

It is fascinating watching how the “gen y” crowd is using this and other social networking services. They are totally fearless about sharing every last detail about their lives. It makes me feel like an old fart to say so, but the way that they use these services is completely different to my own. They practically live in these worlds; or rather they co-exist in both the online and offline worlds.

For me though these worlds are still quite separate and the world of Facebook has taken a noticeable back seat to the rest of the non-Facebook universe.

Who do You Trust?

In the context of providing a strong authentication solution the concept of a Federated Digital Identity is often mentioned. This essay seeks to explore this concept to review and challenge the benefits that ‘Federation’ of digital identity management can provide.

However, before discussing Federation, the concepts of a Digital Identity and even Identity itself will be briefly discussed.


The problem with whitelists

A Computerworld article today referred to a report published by the National Consumers League in Washington DC, proposing ‘A Call to Action’ for fighting phishing. Although I haven’t fully reviewed the report, the text that popped out at me was a recommendation to use ‘whitelists’ to stop phishing attacks.

A whitelist is simply a list of places that are good and safe to go to. Ideally you would add the website address of all of the banks and financial institutions to the list, and all of the legitimate online vendors. Then anyone not on this list would be considered at best unknown, and at worst blocked by default.

The problem with whitelists is in their management. How does a vendor get on this list? Who manages the list? What happens if a legitimate vendor changes the web address of their payment page?

Quite quickly this becomes an operational nightmare, particularly if considered on a global scale. I can see this being beneficial if there is a way to create and manage personal whitelists, where the customer identifies a site as being good and trusted. Unfortunately this can then become the next target of the social engineers, by tricking customers into adding their fake sites to private whitelists.

Glancing at the rest of the paper it looks like a great resource, but the 6th recommendation for action ‘ISP’s and domain name owners can cooperate on whitelists’ sounds simple but will be operationally infeasible.
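The two failure modes described above (a legitimate vendor moving its payment page off the listed address, and a user being tricked into adding a fake site to a personal whitelist) are easy to see in code. The following is an added example, not part of the original post; the hostnames are constructed placeholders and the functions are hypothetical, written to show how a plain host allowlist behaves on each case.

```python
from urllib.parse import urlsplit

# Constructed operator-managed allowlist for the example (placeholder hosts,
# not taken from any real list).
OPERATOR_ALLOWLIST = frozenset({
    "www.examplebank.com",
    "pay.examplevendor.com",
})


def normalise_host(url: str) -> str:
    """Return the host a browser would connect to, lower-cased and without
    a trailing dot, so that list lookups are exact and case-insensitive."""
    host = urlsplit(url).hostname or ""   # .hostname drops port and userinfo
    return host.lower().rstrip(".")


def classify(url: str, allowlist) -> str:
    """'trusted' when the host is on the allowlist, otherwise 'unknown'.
    A blocking deployment would treat 'unknown' as blocked by default."""
    return "trusted" if normalise_host(url) in allowlist else "unknown"


def with_personal_entries(base, personal_urls) -> frozenset:
    """Combine the operator list with sites the user has marked as trusted.
    Whatever the user adds becomes fully trusted, which is the weak point."""
    return frozenset(base) | frozenset(normalise_host(u) for u in personal_urls)


def demo() -> dict:
    """Run the cases from the discussion and return their classifications."""
    results = {
        # The bank's real login page: on the list, so trusted.
        "legit": classify("https://www.examplebank.com/login", OPERATOR_ALLOWLIST),
        # A look-alike host (digit 1 for letter l): not on the list, so unknown.
        "lookalike": classify("https://www.examp1ebank.com/login", OPERATOR_ALLOWLIST),
        # The vendor moved its checkout to a new host and nobody updated the
        # list: a legitimate page is now treated as unknown (the management
        # problem described in the post).
        "moved_page": classify("https://checkout.examplevendor.com/pay", OPERATOR_ALLOWLIST),
    }
    # A user tricked into adding the look-alike to their personal list: the
    # fake site is now 'trusted' for that user.
    personal = with_personal_entries(OPERATOR_ALLOWLIST, ["https://www.examp1ebank.com/"])
    results["tricked_personal"] = classify("https://www.examp1ebank.com/login", personal)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:17s} -> {verdict}")
```

The exact-host match is deliberately strict: relaxing it (for example, to the registrable domain) would cover the moved checkout page but would also widen what a single list entry trusts, so the operational trade-off the post points at does not go away, it just moves.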

The phishing battle continues…

Identity Blog Comment

Yesterday I responded to Kim Cameron’s Identity Blog posting titled INTERVIEW ON OPENNESS AND PRIVACY, discussing an interview between Bill Gates and the Financial Times. I just wanted to get my comment up here in case Kim never authorises it on his site. He may not trust me.

Bill Gates: “That’s called federation, where we take their trust statement and we accept it, within a certain scope. So they don’t have to get another user account password. There’s no central node in this thing at all, there never can be. Banks are a key part of it, governments can be part of it. The US, probably not as much.”

This statement highlights the number one problem that a federated identity system is going to face – the federation of trust. Compared to the problem of trusting ‘trust’, identity management is a piece of cake. Yet the discussion continually seems to revolve around the sharing of identity secrets, when it is the trust of the owners of the identity secrets that is the greatest challenge. It is fairly clear that in the world today trust is an expensive commodity that is not easily transferable.

I believe that there needs to be a way of abstracting this trust problem to one or more (competing?) third parties. The question is ‘who do you trust’?

Identity Blogging

It is time to get this site going about more than just my ‘idle’ mumblings and out of date running updates. There is a topic of conversation that my career has revolved around like a satellite around a planet. It is the story of online identities and their use and misuse.

For me this has appeared in projects where two ISP businesses have brought their customers under one organisation and these customers do not have unique usernames to identify themselves to the new ISP. What! Two “Fred”s! Will the real “Fred” please step forward? Hmm, if only it was that simple. In the late ’90s when ISPs and online portals were coming together this happened time and again, and it was always messy.

At around the same time the ‘kiddies’ got their hands on software that would allow them to steal passwords from customers in the school holidays. So now usernames and passwords are under siege. A single stolen password could be reused by the baddies over and over again without recourse.

Then spam came along and polluted the one personal identifier that the whole internet had agreed from the outset would be unique. Bugga. Stopping spam and protecting mailboxes became another major project. Without a way of identifying who the hell sent the spam in the first place, or even being sure who sent what looks like the good email, then all manner of arcane solutions had to be employed.

By now the ‘kiddies’ have grown up and are selling their password stealing skills to the spammers, who are selling their spam networks to real criminals, who don’t want your email. They want your bank account. Enter the rise and rise of ‘phishing’.

So now I am looking at ways of improving on the humble static password. When was the last time you changed yours? Are you sure nobody else knows it?

All of these things tie right back to ‘identity’ (as the industry insists on calling it). Who am I? Who are you? And how do we prove it to each other in such a way that it doesn’t get in the way of what we were trying to do in the first place?

I want to talk about this here because there is a lot in this idle mind that I need to get out. I know this stuff, and I hear some of the biggest names in many different industries grappling with the same problems and, in my opinion, in quite misdirected ways. This surge of blog energy was inspired by an interview with Kim Cameron on Microsoft’s Channel 9. I get frustrated because I believe that they are trying to solve the wrong problem, and as a result won’t get the outcome they are seeking.