CAN MICROSOFT SAVE THE NET?

This article appears in the March issue of Wired.

Working late one night a few months back, I was just about to sign off when I decided to check my email. At the top of my inbox was a message from PayPal, “confirming” a change in my email address. But I hadn't changed the address. In an exhausted panic, I clicked the link to correct an obvious fraud.

For a split second the browser opened not to PayPal but to an unrelated IP address. Then, almost instantaneously, the screen was replaced by what looked exactly like a PayPal window, requesting my password to sign in. This wasn't PayPal; it was a phishing bot. Had I been just a little drowsier, I might have been snagged by the fraud in the very act of trying to stop it.

We who celebrate the brilliance of the Internet – and in particular, its end-to-end open design – tend to ignore the maliciousness that increasingly infects it. The Net was built on trust, and it lacks an adequate mechanism to prevent fraud. Thus, it's no surprise that phishing expeditions nearly doubled last year – and phishing is just one of many evils proliferating online. It's only a matter of time until some virus takes out millions of computers or some senator's identity is stolen. When that happens, the liberties inherent in the Internet's early design will erode even faster than the liberties said to be protected by the Constitution.

Now, with the debut of the InfoCard identity management system, Microsoft is leading a network-wide effort to address the issue. To those of us long skeptical of the technology giant's intentions, the plan seems too good to be true. Yet the solution is not only right, it could be the most important contribution to Internet security since cryptography.

The InfoCard system will first be distributed with Vista, Microsoft's newest Windows OS, set for release this year. The system effectively adds an “identity layer” to the Internet, accomplishing what security companies have been promising for years: making it difficult to falsify an identity and easy to verify your own. Here's how it works: Users’ computers (and potentially cell phones and other devices) will hold files called InfoCards that give encrypted sites access to authenticated information about the user. An American Express InfoCard, for example, might carry your name, address, and account number, all authenticated by American Express. When a Web site requests personal data, you choose whether to release that information, securely and with the verification of the card's issuer.

The resulting system is more precise and comprehensive than the hope-it-works hodgepodge of security measures we use now, argues Kim Cameron, Microsoft's chief architect of identity and access. “Auto-complete and cookies and passwords are part of a patchwork solution. With InfoCards, users will always know exactly what's happening and can always control it.”

This might sound scary to friends of privacy. It shouldn't. The InfoCard system gives you more control over your data, not less. The protocol is built on a need-to-know principle: While an InfoCard might hold 30 facts about me, only the data I choose to reveal is shared. If I need to certify that I am a US citizen, then that fact is verified without also revealing my name, age, or place of birth. And when it comes to that fake PayPal site, the InfoCard system wouldn't recognize it – it wouldn't have the proper credentials.

Again, if this sounds scary to those suspicious of Microsoft, it shouldn't. It's a protocol – a set of rules for exchanging information – not a Microsoft product. Any company can provide certified protection for data using the protocol, and many will. So unlike Microsoft's Passport system, the dubious personal info repository that alarmed many people a few years ago, no central administrator decides how privacy is protected or trust secured. Instead, the protocol solves the problem of security the same way the Internet solved the problem of browsers – through competition on an open, neutral platform. This is infrastructure for a digital age. It's TCP/IP for privacy and security.

None of this means there isn't a role for (smart) government policy and laws against online fraud or theft. There plainly is. But if this identity layer sticks, then there is a wider range of solutions to the problem. In particular, there is one that seemed impossible to me just a year ago, one that's consistent with the decentralized design of the Internet. That's an extraordinary gift to the online world, from a giant that increasingly depends on the Net's extraordinary design.
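
The need-to-know release described in the article above, as an added example (my own toy model, not Microsoft's InfoCard implementation or its underlying protocol): the issuer authenticates each claim separately, the user releases only the claims a recognised site asks for, and a look-alike site with no recognised credential gets nothing. The shared MAC key, the relying-party identifiers and the claim values are constructed assumptions; a real issuer would sign with a certificate rather than a shared key.

```python
import hashlib
import hmac

# Toy model of need-to-know claim release (added example, not the InfoCard protocol).
# Assumptions: the issuer authenticates each claim with its own MAC so any subset can
# be revealed and still verified, and the user's card selector only releases claims
# to relying parties it recognises.

ISSUER_KEY = b"constructed-issuer-key"  # constructed; stands in for the issuer's signing credential


def issue_card(issuer, claims, key=ISSUER_KEY):
    """Issuer side: authenticate every claim separately so each can be released on its own."""
    card = {"issuer": issuer, "claims": {}}
    for name, value in claims.items():
        msg = f"{issuer}|{name}|{value}".encode()
        tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
        card["claims"][name] = (value, tag)
    return card


def release(card, requested, relying_party, trusted_parties):
    """User side: refuse an unrecognised relying party; otherwise reveal only the requested claims."""
    if relying_party not in trusted_parties:  # the look-alike site has no recognised credential
        return None
    chosen = {n: card["claims"][n] for n in requested if n in card["claims"]}
    return {"issuer": card["issuer"], "claims": chosen}


def verify(token, key=ISSUER_KEY):
    """Relying-party side: accept only claims whose issuer MAC checks out; None on any tampering."""
    verified = {}
    for name, (value, tag) in token["claims"].items():
        msg = f"{token['issuer']}|{name}|{value}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        verified[name] = value
    return verified


if __name__ == "__main__":
    # Constructed card holding three facts; only citizenship is ever requested below.
    card = issue_card("American Express", {"name": "Alice", "citizenship": "US", "age": "34"})
    trusted = {"paypal.example"}  # constructed identifier of the site the user actually registered with
    print(verify(release(card, ["citizenship"], "paypal.example", trusted)))  # name and age stay on the card
    print(release(card, ["citizenship"], "203.0.113.5", trusted))  # unrecognised look-alike site gets nothing
```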

TEMPEST IN A TEAPOT

Here is Dave Kearns' “The real deal about IBM, Novell and Project Higgins” from Network World's Identity Management Newsletter of 03/06/06:

You must have seen at least one of these headlines last week:

  • “Project Higgins: IBM's response to Microsoft InfoCard?”
  • “IBM developing online ID system similar to Microsoft's InfoCard”
  • “Open Source Higgins Project Takes On Microsoft's InfoCard”
  • “IBM And Open Source Allies Prepare To Take On MS’ Infocard”
  • “IBM Bucks Microsoft's Infocard”
  • And my personal favorite: “Passport's heir gets open source competition”

    The one thing they all had in common is that they were all wrong, misleading even. The Higgins Project (as you read here last fall) is a “framework to build user-centric, ID-enabled services.” InfoCard, on the other hand, is an application or service for the Windows platform enabling a user to plug their identity into what's called the “identity metasystem,” a loosely defined, constantly morphing fabric allowing ID providers and ID consumers to transact ID activity in a secure, privacy-protecting way using the worldwide IP network.

    It would be possible to use the Higgins framework to construct a service that participated in the identity metasystem, though it wouldn't necessarily compete with Microsoft's InfoCard but, rather, be complementary to it.

    The flap all started when IBM and Novell issued a press release announcing that they would contribute software to the Higgins Project and that IBM would “incorporate Higgins technology within its Tivoli identity management software.” This is interesting, because Higgins really is a framework that allows developers to incorporate identity-based services into their applications. Hasn't IBM already integrated identity into its applications?

    The situation was further muddled by this quote in the press release from Tony Nadalin, distinguished engineer and chief security architect at IBM: “Open source ensures… that customers won't be locked into a proprietary architecture when they adopt user-centric identity management systems.” Reporters and editors took that to be a direct slap at Microsoft. But, as Nadalin explained (via e-mail): “Joining this project was a direct result of customers coming to IBM wanting interoperability with Microsoft Infocards and IBM software (along with interoperability with other identity systems like SXIP, LID, OpenID, etc), so we needed a framework with service interfaces that would allow this to occur and IBM believes it's best if this is done in an open source community.”

    So no matter what the various technology scandal sheets are saying, no matter what “spin” people try to put on this, it boils down to IBM and Novell recognizing that they need a way to participate in the user-centric identity arena and choosing the well-established Higgins Project as their vehicle to do so. It really is a tempest in a teapot!

I hadn't even seen “Passport's heir gets open source competition”. It really makes you want to pull your heir out.

SERVICE VERSUS USABILITY

I had to laugh reading Jason Hogg's HoggBlog, dedicated to “Patterns and practices: integration, web services and security.” Here's a recent post, part of an interesting series about the RSA Conference in San Jose:

    How many times have you had a security solution / process forced upon you that for whatever reason is unworkable – forcing you to work around it?

    The classic example is of course where tough password policies are implemented that make it impossible for people to remember passwords without writing them down. The last place you would expect this mistake to be made is at a conference organized by RSA – but for the second year in a row this is exactly the challenge that many attendees experienced whilst trying to access the secure wireless network.

    I spent over an hour trying to connect to the wireless network. I even followed the 6 page instruction document that you can obtain after tracking down their help desk. I spent a further 15 minutes with a help desk guy who was also unable to help… until it worked for a brief 5 minute period. Naturally minutes after I left the help desk the connection stopped working again.

    Prior to my presentation today I asked how many people had laptops – the answer was about 1/2 of the room. I asked how many people had successfully connected to the network and I would guess only about 20% of that group had managed to connect. I asked how many people had connected without any problems – and only 1 person put his hand up! Not great odds…

    Now don't get me wrong – I understand the importance for RSA to be perceived as being security conscious – but it appears that little consideration was given for simplicity or usability. I wonder if any usability testing was actually performed?

    The really funny thing is that I was talking with a Chief Security Architect from a Fortune 50 company and mentioned the problems I was having and he said he had the same problems and suggested that I wander down the hall to the foyer of the Hilton hotel – where there is free public wireless Internet available.

    Perfect! The wireless network at the Hilton worked like a charm – but for myself and obviously many other attendees to be productive we have had to completely bypass the security system that RSA set up and go and use an alternate completely insecure solution…

    I think this scenario is worth formalizing as an anti-pattern. I wonder what we should call it? Respond with ideas… Also feel free to respond with other Dogbert-like scenarios if any spring to mind…