Day: June 18, 2006

PEOPLE IN THE PROTOCOL

A nice post from identity guru Pete Rowley of Red Hat: 

I have been at the Burton Catalyst this week. At the reception I was discussing with Paul Trevithick about how I define user-centric identity. The phrase I use is “the people are in the protocol.” Though I wasn’t expecting it, the next day Paul was on a panel when he was asked what user-centric identity was and he quoted me. Cool, but then the next day another panel was asked about the quote and whether having people in the protocol was just a way of excluding other protocols and groups. Well since I wasn’t on the panel to answer that I thought I would take the opportunity to do so here.

When I say protocol I mean it in its broadest sense, in the sense that showing my driving license to a cop at a traffic stop and the cop returning it to me is a protocol. In that transaction I am in possession of the information, I have full knowledge of what information I would pass along to the cop, and I also have the choice of saying no – even if that might result in bad things happening. So people in the protocol means that rather than being an end node that may begin a transaction and perhaps be the recipient of the end results but with only vague or even no information about the information passed in the transaction, they are rather a conduit for all identity decisions in an environment of informed consent. This necessarily means that the protocol must pass through the user, or in other words appear on the screen and be approved by the user. That is an architectural philosophy that results from Kim Cameron’s laws of identity and it is a necessary one in order to gain user buy in. It is also just the right thing to do.

It turns out that it really isn’t hard to architect identity systems to include freedom and choice, but it might not be what one would create if the issue were never considered. It is also not too difficult to re-architect to take account of the philosophy – some work has already begun in SAML for example. Putting people in the protocol is the first step towards providing a scaleable identity framework that takes account of the requirements of the important part – the person. The first step towards treating the users of identity systems with respect.

NOVELL BANDIT

Here's a piece from Network World about Novell's new open-source identity initiative, called Bandit:

Novell has launched an ambitious open source identity management project, which aims to allow companies to integrate different identity systems and provide a consistent approach to securing and managing identity.

Called “Bandit,” the company quietly initiated the project earlier this year, and has been donating engineering resources and code to get things started.

Novell has a track record in identity management products and some credibility in the open source world, due to its acquisition of SuSE Linux, and is hoping that a freely available integration layer will mean more sales for the whole identity management market.

“Novell's initial sponsorship of the Bandit project is a natural extension of our leadership in both identity and open source, and we are gratified to see the groundswell of community support,” Novell Executive Vice President and CTO Jeff Jaffe said in a statement.

The company has lined up support for Bandit from a number of key industry players, including ActivIdentity, Eclipse, IBM, Liberty Alliance, Microsoft, Novacoast, Red Hat, Sun, Sxip Identity, Symantec and Trusted Network Technologies.

“The Identity Metasystem provides a model for identity interoperability across the industry. We're happy to see Novell playing an active role in helping realize the Identity Metasystem and look forward to working with them to ensure interoperability between our respective products,” said Kim Cameron, architect of Identity and Access for Microsoft, in a statement.

The Bandit services will work with existing industry standards such as the WS-* standards, Liberty Federation and Eclipse Higgins. Indeed Bandit has some overlap with the open-source Higgins effort, Novell has acknowledged, and Bandit's developers are planning a Higgins context provider based on Bandit's Common Identity service. The context provider is the way the Higgins framework accesses different identity repositories.

Ultimately, Bandit aims to provide an easier approach to problems such as secure, role-based access and regulatory compliance reporting, Novell said. The project's four main components are the Common Authentication Services Adapter (CASA), the Common Identity service, the Role Engine service and the Audit Record Framework service.

Industry analysts have said the initiative appears promising, given Novell's background and the apparent willingness of other heavyweights to participate.

“This is not the first open source identity management initiative, but the involvement of identity management heavyweight Novell is significant,” said Neil Macehiter, partner at analyst firm Macehiter Ward-Dutton, in a research note. “The fact that the project is focusing on higher-level identity management issues gives it added significance.”  

Dale Olds, the distinguished engineer behind the initiative, has shown a lot of leadership in the open source community by throwing Novell's support behind Information Cards.  He's a serious guy – serious about interoperabilility.

Dale's belief that identity can't have boundaries or borders is palpable.  We'll all benefit from his work.

GONE PHISHING

My friend and colleague Steven Woodward has started a blog at Steve's Identity Corner.  He told me he will be writing about uses for Information Cards emerging from his conversations with customers.  For now he is structuring his pieces around a look at phishing – he'll be drilling down into how Information Cards help address the problem. 

Over the last few years we have all experienced the constant barrage of Phishing attacks. These are not only a pain for all of us as end users, as we carefully pick through our email trying to figure out what’s real and what isn’t, but also an unending headache for those trying to run the commercial web sites we link to.  So let’s take a step back for a moment  to look at how these attacks are possible, after all we’re smart people we shouldn’t be fooled that easily ….

There are three distinct steps to any Phishing attack for the sake of making this simple let’s just call them Casting the Bait, Reeling in the Catch and Stealing the Prize.

Casting the Bait – since the initial goal of the phisher is to get you to go to their web site the first thing to do is to deliver you a URL in an email message. This email has to convince you that not only is it from a real company but that you should take the additional action of clicking on the link it contains. We’ve all seen the “there has been a change in your account details and we need you to verify them” email, complete with nice graphics and company logo’s from a familiar company. The first few times we see these we naively click on the link and off we go to who knows where to try and verify our account details. Of course given the amount of spam we all receive it’s not surprising that at times it’s hard for us to tell the good mail from the bad. In recent years many efforts have been made to reduce the amount of spam and as the junk mail filters have become more sophisticated we are weeding out a lot more than we used to, but there is still more work to be done.

Reeling in the Catch – have you ever thought about how easy it is to fake a web site, think about that for a moment if I go up to any webtsite today I bet I can copy half their logo’s and art work straight off of their home page. In no time at all a half decent web designer could mock up a site that is close enough to the real thing to fool 90% of the people who saw it.

In fact that’s what Researchers at Harvard University and UC Berkeley did in order to do some research on Phishing. Now compare that with how hard it is to fake a real brick and mortar business, say a bank or a book store. One of the reasons so many people get phished is because it is very hard for most users to tell the difference between a fake site and the real site. In fact many users today have no idea what any of the so called security measure’s we have in place today even mean. Ask some of your non-technical friends to explain what an SSL certificate is and how they can tell when a site has one. Now ask them how they know that’s a real cert and not one that was issued to a spurious company in Nigeria. On the whole we as an industry have come up pretty short in terms of protecting our users from going to sites that they can’t identify.

Stealing the Prize – in many cases the prize is your username and password. Firstly this is because the Phisher can now get access to the site that they faked, secondly the chances are you also use that username and password other places, and they are going to go after those too.

But wait. I hear you cry, “I have several passwords that I use on different sites depending on the value associated with an account.”

So imagine this, you get tricked into going to a fake site, it asks you for your username and password, you type them in and “User Authentication Failed, please try again”. So you think to yourself maybe I used one of my other username and password pairs, so you try again, and fail. Eventually you think maybe I just typed the password wrong the first time! So you re-enter it and the site lets you in (and redirects you to the real site), now the Phishing site not only has the username and password for the site they faked, but chances are they also stole the other 4 combinations you use.

And yes this happened to someone I know, oops. So username and passwords aren’t solving the problem today of how we get users to authenticate to our sites. And we need to keep it simple enough that all users from the technically savvy to novice users can just as easily and securely authenticate, without the need for username and password.

As you can see the method of attack is pretty straightforward and if wasn’t for the fact that we prefer to operate on the right side of the law, I’m sure we could all make a pretty decent living doing it. One of the big challenges for us as an industry is that it covers multiple technologies email clients, browsers, SSL certificates and user authentication systems, all of which may be provided by different vendors, any one of which doesn’t feel like they can solve the problem.

Over the next few weeks I’m going to cover each of these topics and explain the work that we are doing here at Microsoft to address  these issues and in addition other industry wide efforts I come across. I’m not saying that we can stop these attacks completely but by changing the rules a little we can at least start to fight back. Lets face it we are dealing with some pretty sophisticated criminals intent on stealing from all of us if they can, we just have to make it a lot harder for them to do their job.