Opinions from Burton Group's CEO and Research Chair
| January 11, 2007 |
Hurry, Get 'Em While They're Hot!
Here's yet another rude awakening regarding phishing and how bad things are really getting. According to this story on the Wall Street and Technology site, "analysts in the 24x7 Anti-Fraud Command Center operated by RSA discovered what they are calling the Universal Man-in-the-Middle Phishing Kit being sold in online forums."
Here's the kicker:
"Using the kit, fraudsters can easily create a fraudulent URL that communicates with the legitimate Web presence of the targeted organization, be it a financial institution or otherwise. In doing so, when victims click on the URL provided in the phishing e-mail, they then interact with the legitimate Web site via the fraudulent URL."
As Gerry Gebel pointed out in an internal email, this attack isn't new. What does seem to be new is the availability of a ready-made kit that will, at least in theory, allow a much larger swath of criminals to launch the attack.
January 11, 2007 in Identity Management
| January 09, 2007 |
Signs of the Times?
Courtesy of the Boing Boing blog, we have a link to the picture of the day on the Signs of the Times site. Boing Boing quotes someone called Numlok as saying, accurately, that the poster looks like something right out of the movie "Brazil."
January 9, 2007 in Identity Management
| November 08, 2006 |
Seriosity Looks Interesting
I found this post on Esther Dyson’s blog fascinating. In the post, Esther discusses a startup called Seriosity, which, Esther says, is “using the kinds of reward systems used in games – its own in-world currency, in a word – to encourage whatever behavior a corporate customer wants to encourage.”
In various forums, Mike Neuenschwander, Lori Rowland, and Bob Blakley have been saying that reciprocity and other social/behavioral systems may well prove at least as important as identity when it comes to creating workable virtual spaces. And in many presentations, I've said that I think virtual gaming environments can teach all of us a thing or two about identity.
It sounds like Seriosity is experimenting with these same principles. Hard to tell how far the company is going from Esther’s post. But here’s another tantalizing quote from that post, in which Esther quotes the founder describing her experience with World of Warcraft: “. . . everything is so transparent; you can know people deeply by their behavior.” Esther says the company is attempting to apply the principles and systems games use to reinforce and encourage behavior to the business world. And, most importantly, Esther adds that “it’s not the game that rewards people; it’s other people.”
This seems right in line with what Mike, Lori, and Bob have been saying. Bottom line, I’d like to know more, and continue to think that these kind of efforts deserve the so-called “identity community’s” attention.
November 8, 2006 in Identity Management
| September 22, 2006 |
IdPS Blog is Up
Just in case you didn’t catch it in an earlier post, we have started an Identity and Privacy Strategies blog. This is a group blog, and the analysts from our IdPS service will be posting their views there on a regular basis.
September 22, 2006 in Identity Management
Microsoft's Open Specification Promise
As has been widely reported, Microsoft announced its Open Specification Promise last week. A lot of folks have already posted about it (see here, here, and here). But, given the overall importance of the announcement to the identity community, I wanted to make our thoughts on the subject known, and to give credit where it’s due. (Note: This entry is cross-posted at both my blog and our new Identity and Privacy Strategies blog.)
In summary, Microsoft has decided to offer the Open Specification Promise (OSP) for the Web services protocols that support CardSpace in particular, and the InfoCards architecture in general. The OSP provides an alternative to Microsoft’s “reasonable and non-discriminatory/royalty free” (RAND/RF) licensing agreement, which most open source developers didn’t like. As I understand it, the OSP essentially provides an assurance that Microsoft won’t sue anyone implementing the specifications covered by the document. So developers don’t even have to agree to a license; they can implement the covered specifications without fear of being sued. (With certain, mostly comprehensible exceptions.)
Before I comment on the OSP, however, let me first provide the disclaimer almost every technologist I talk with about licensing issues gives me: I’m not a lawyer, and so my comments should in no way be construed as having legal weight. (If you’d like to see an analysis of the OSP document from a legal perspective, see Andy Updegrove’s excellent post from last week.) But Microsoft’s announcement has more than legal ramifications. Microsoft’s move could have a significant impact on the market, and that’s where we come in.
In short, the OSP is a significant, positive step forward for both Microsoft and the community working to create a better identity infrastructure for the Internet. The people who have been tirelessly advocating the move within Microsoft deserve an enormous amount of credit for making it happen. (Kim Cameron deserves some special recognition at this point in what has been a long process.) At this point, one of the most significant obstacles to widespread development around the InfoCard architecture has been removed, and that’s good news for everyone involved.
Some Background
I’ve been following the InfoCard effort for a long time with a great deal of interest, primarily because I’ve always thought it was a great idea. But I also had some concerns about how it would be received in the market, at least early on. Circa 2002, it was fair to say that, given Microsoft’s history, any idea the company put forward for addressing the identity problem—regardless of its merit—would likely meet large amounts of skepticism and, at least in some cases, outright resistance from many market players.
From the first time he ever spoke with me about the functionality we now know as CardSpace, for example, Kim has been consistently insistent about the need for and importance of cross-platform support. I certainly agree that a consistent user experience—regardless of the operating system and device a person chooses to use—is profoundly important to addressing the identity problem. But I’ll have to admit that I wondered many times if Microsoft would really let Kim do what he thought needed to be done. And as I talked with other folks about InfoCard as the concept began to take shape, I heard more than a few people express varying degrees of skepticism about Microsoft’s true intentions or Kim’s ability to convince the powers that be to move in a more open direction.
But by decidedly atypical and relentless means, Microsoft has done a great deal of what seemed nearly impossible only a few years ago, overcoming the skepticism and building good will. Consequently, there is a palpable and sincere desire on the part of a lot of people to implement the InfoCard technologies. And three or four years ago, many of these people wouldn’t have even considered working with Microsoft on a beer run, much less an identity system.
Still, licensing was a huge obstacle to seeing that good will and intention translated into demonstrable action and working code. With only a few exceptions, everyone I talked to over the last six months or so—from open source developers to commercial software companies—indicated that until the licensing issue had been put to bed, they really couldn’t (or wouldn’t) build anything. And they had a point. Were I in their shoes, I would insist on clear licensing terms as well.
Enter the OSP
With the OSP, then, Microsoft has taken what is for it a bold step, removing one of the most significant obstacles to widespread InfoCard development. The OSP makes it clear that Microsoft isn’t laying some elaborate and sinister trap for everyone, that it truly is offering something of significant value to the industry and a huge opportunity to developers looking to build better identity management systems.
Yes, there are still some details to work out (I’ll get to those in a moment). And yes, neither CardSpace nor InfoCard’s supporting system is a slam dunk in today’s transitional marketplace. But the OSP is concrete evidence that even those with valid reasons to doubt Microsoft’s sincerity are running out of excuses for ignoring InfoCard. Without it, the overall InfoCard effort was stymied. With it, the InfoCard effort can move forward in the way Kim has always intended. And for that both Kim and Microsoft deserve recognition and gratitude.
About Those Remaining Issues
Several folks have commented that it’s not just the specifications that matter, but the implementation details. And they’re right. (While I’ve heard similar things from a few people, most of these issues are summarized in the Higgins project’s draft response to the OSP.)
Microsoft has published an implementation guide for CardSpace, but the details it includes on how to implement the specifications covered by the OSP aren’t themselves covered by the OSP. (You can find the guide, as well as other details on implementation, on MSDN.) In particular, there are schema and meta-data models that are crucial to getting what Paul Trevithick calls “functional equivalence” with CardSpace on other platforms. The CardSpace user interface is an equally important issue. While efforts like the Higgins Trust Framework may not copy the CardSpace UI down to every pixel, interoperable implementations must emulate the basic sequence of events in the CardSpace interface (what Kim Cameron has called “ceremony”) if we’re to get the common user experience to which Kim aspires. These implementation details must be covered by the same kind of promise.
But if Microsoft can accomplish what’s embodied in the OSP as it now stands, then it seems reasonable to assume that what remains is haggling over details, that the licensing issue is finally on a downhill path. In other words, the fat lady has sung, and we’re just waiting for the coda. And now the onus has shifted to those who have professed a willingness to implement InfoCard technologies and interoperate with Microsoft if the licensing details could be favorably resolved. Microsoft is living up to its end of the bargain, and now it’s your turn. Those who’ve already started development, without waiting on the licensing issues, have some advantage. My advice to those who have been waiting? Get busy.
September 22, 2006 in Identity Management
| August 06, 2006 |
Cloning RFID Passports
While the MacBook hack story seemed to get the most press from the Black Hat conference last week, the RFID chip cloning story was, perhaps, the more important one. Bruce Schneier posted his views on the subject, pointing to the Wired News story and reconsidering his position on the security of these devices. (After the US federal government announced the intention to encrypt the data on the chip, Schneier dropped many of his objections.) According to this CNET news story, Lukas Grunwald, a researcher with DN-Systems, showed how to clone the RFID tag in a passport using a laptop, a $200 RFID reader, and a smart card writer. In theory, the copied chip could be used in a forged passport.
Hopefully, this story won’t die. RFID-based passports just seem like a bad idea.
August 6, 2006 in Identity Management
The End of This Story?
The Wall Street Journal Online reported yesterday that two teenagers were arrested in the well-publicized case of the theft of a laptop and hard drive containing the personal identity information of some 26.5 million veterans and military personnel. According to the story (fee-based/login required), the teenagers did not target the VA employee’s home, and did not know what information was on the drive until after the story broke. The WSJ story also says that the laptop and hard drive were “turned in to the FBI June 28 by an unidentified person in response to a $50,000 reward offer,” and “that the FBI has determined with a high degree of confidence that the files weren't compromised.” (Later: Here's a link to a New York Times story on the same subject.)
That sounds like good news. But as Scott Blackmer pointed out in his discussion of this incident during his Catalyst presentation, the toughest part of a case like this is that, at the time of the theft, it’s often impossible to know the motives of the criminal. One could logically assume that—as it turned out to be in this case—petty theft for quick cash, not targeted theft for more sinister motives, is the most likely scenario. But until that’s proven, the victims of such a crime can’t operate based on that assumption. Organizations must operate on the worst-case assumption: that the identity information has been, or will be, compromised, and that the thief knows what they have.
In his talk, Scott estimated that it cost the federal government $25 million just to set up and operate the call center necessary to handle the inbound inquiries from veterans. That doesn’t include offering each person credit monitoring services. And if this were a non-governmental organization (say, like the University of Ohio), the cost of lawsuits (win or lose) would be astronomical.
And this is just the beginning. The costs associated with breaches, measured in terms of reputation damage, money spent on managing the mess, and potential civil and criminal penalties will keep going up. The best thing organizations can do is to seriously consider what kind of identity information they really need to keep, define the minimum necessary, and keep no more than that minimum. As I’ve said before, aggregating identity information aggregates risk, so even with a minimum amount of data retention, systems must be architected accordingly.
August 6, 2006 in Identity Management
| August 04, 2006 |
What About Bob?, Part II
Now that it’s generally known Bob Blakley is working for us, I can do something I’ve been meaning to do anyway: point out a fine example of his work. At Catalyst (way back in June), Bob gave an excellent presentation outlining the most credible business model for an identity provider—at least in theory—I’ve seen to date. It remains to be seen if anyone can make it work in practice. But the basic ideas resonate with me in a way nothing else has to date.
To summarize, Bob insisted that we don’t need an “identity meta system,” but instead need a “meta-identity system.” This was a clever play on words, because Bob really wasn’t taking issue with the meta-system architecture. He was simply making the case that, instead of enabling the exchange of identity information, the meta-system should enable the exchange of identity meta-data. Drawing an analogy to the Oracle at
The obvious benefit is that, by following this model, an IdP would keep a person’s identity information secret. But more to the business model point, that information is a core asset, and the IdP thus has a vested interest in keeping it secret. It’s precisely such an alignment of business and individual interests that could make an IdP work; it's just the kind of enlightened self-interest that makes the world go round.
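To make the "exchange meta-data, not identity data" idea concrete, here is an added example of an identity provider that answers yes/no questions about a person's attributes and returns a signed answer, so the relying party learns only the predicate's result and never the underlying birth date, country or credit status. This is illustrative code written for this page, not Bob Blakley's or Burton Group's; the sample record, the predicate names, the relying-party key and the HMAC-based assertion format are all assumptions chosen for the example.

```python
"""Added example: a 'meta-identity' provider that releases answers about
identity data rather than the data itself.  The record, predicates, key and
assertion format below are constructed for this illustration."""
import hashlib
import hmac
import json
from datetime import date

# Constructed sample record; it lives only inside the identity provider (IdP).
_USER_RECORDS = {
    "alice": {"birth_date": "1980-05-17", "country": "US", "credit_ok": True},
}

# Constructed shared secret between the IdP and one relying party (RP).
_RP_KEYS = {"shop.example": b"constructed-shared-secret"}


def _over_age(record, years, today):
    """True if the subject is at least `years` old on `today`."""
    born = date.fromisoformat(record["birth_date"])
    had_birthday = (today.month, today.day) >= (born.month, born.day)
    age = today.year - born.year - (0 if had_birthday else 1)
    return age >= years


# The only questions the IdP is willing to answer.  Each returns a boolean,
# so a raw attribute value never crosses the IdP boundary.
_PREDICATES = {
    "over_age": _over_age,
    "resident_of": lambda record, country, today: record["country"] == country,
    "credit_ok": lambda record, today: record["credit_ok"],
}


def _canonical(claim):
    """Deterministic serialization so both sides MAC identical bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def issue_assertion(user_id, relying_party, predicate, args=(), today=None):
    """IdP side: evaluate a predicate and return a signed yes/no assertion.

    `today` is an ISO date string (defaults to the current date) so the age
    predicate is reproducible in tests.
    """
    as_of = date.fromisoformat(today) if today else date.today()
    record = _USER_RECORDS[user_id]
    result = bool(_PREDICATES[predicate](record, *args, as_of))
    claim = {
        "subject": user_id,
        "audience": relying_party,   # binds the assertion to one RP
        "predicate": predicate,
        "args": list(args),
        "result": result,
        "issued": as_of.isoformat(),
    }
    tag = hmac.new(_RP_KEYS[relying_party], _canonical(claim), hashlib.sha256)
    return {"claim": claim, "mac": tag.hexdigest()}


def verify_assertion(assertion, relying_party, key):
    """RP side: return the asserted result, or None if the assertion is not
    addressed to this RP or its MAC does not verify (tampered or forged)."""
    claim = assertion["claim"]
    if claim.get("audience") != relying_party:
        return None
    expected = hmac.new(key, _canonical(claim), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["mac"]):
        return None
    return claim["result"]


if __name__ == "__main__":
    a = issue_assertion("alice", "shop.example", "over_age", (21,), today="2006-08-04")
    print(a)  # the RP sees result=True but no birth date
    print(verify_assertion(a, "shop.example", _RP_KEYS["shop.example"]))
```

The relying party can act on "over 21: yes" without ever holding a birth date it would then have to protect, which is the alignment of interests the post describes: the IdP keeps the asset, the RP sheds the liability.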
It’s a great talk, highly recommended.
To help get the word out (literally), we posted a podcast of Bob's presentation, and you can get both it and the slides here. Eric Norlin commented on the talk here. Bob himself posted a summary of the talk to his weblog, and in the process responded to some of Eric’s questions.
August 4, 2006 in Identity Management
| July 28, 2006 |
A Sandbox to Play In
Pamela Dingle, who always has the intestinal fortitude to ask the best darn questions at Catalyst (and other conferences), has posted a good “quick start” guide for anyone wanting to play around with Windows CardSpace. Via that post, I found this CardSpace “sandbox” site, which has some interesting pointers on it.
July 28, 2006 in Identity Management
| July 25, 2006 |
A Trip to the Beachhouse
My esteemed colleague Mike Beach, whom many of you may know from his involvement in SAML, presentations at Catalyst, and all-around top notch thinking about identity and security, has started blogging. I encourage visits to his “beach house.”
July 25, 2006 in Identity Management