WordPress 2.1.2 and Project Pamela

I've installed a new version of WordPress – and Project Pamela's InfoCard plugin (more later) – and I'm using it to run my blog as of NOW.  If you see anomolies, let me know.

The good news is Project Pamela's InfoCard plugin is really slick.  It worked right out of the box. 

It doesn't require WordPress 2.1.2, but I wanted to get to the latest revision.

The bad news is that if you currently log in with an InfoCard you will have to respond to an email sent by the system in order to be switched over to the new way of doing things at my end.  Pretty painless though.

ISSUE: Password registration is still not enabled while I figure out exactly how it works

WordPress 2.1.1 dangerous, Upgrade to 2.1.2

Any product that is really successful is going to be attacked.  Over time the attacks will become progressively more sophisticated.  Given how popular – and how good – WordPress is, it doesn't surprise me that it has attracted enough attention that someone eventually broke through. 

Guess what?  I'm running 2.1.1 in my test environment.  Good thing I haven't flicked the switch.  Anyway, here's the scoop as explained by WordPress:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can login again. (More here…)

Am I ever relieved that I'm using Project Pamela's InfoCard plugin in the new environment!  I haven't written about it yet, since I've been evaluating the beta.  But thanks to Project Pamela, I will just have to download 2.1.2, and change one line in one WordPress file to get InfoCard login working with it.  Let's drink a toast to proper factoring!  I'll be writing about this amazing plugin soon.

By the way, I have good news for the old-fashioned.  I'll be able to turn on username / password for comments again, since version 2.1.2 gets over the registration vulnerabilities in my current version. 

The whole episode brings up the interesting question of how to secure a widely distributed software project.  The more desirable you are as a target, the better the tools you need.  One day I hope to talk to the WordPress folks about incorporating InfoCards into their development process.


Tailrank blog links

Tailrank did a nice summary of some of the blogging around our announcement. It's a cools site, where the results look something like this:


CardSpace & OpenID: Working together


Found 4 days ago
The OpenID community has been having quite a few discussions about phishing and what we can do to help mitigate that problem. We have come up with a whole list of solutions that work together nicely to help address the problem. …

Microsoft and OpenID – commentary


Found 4 days ago
Here are other posts on Microsoft and OpenID announcement: Kim Cameron (Microsoft) post Michael Grave (VeriSign) post “this is a significant step toward the convergence needed in the identity space” David Recordon (VeriSign) post “Convergence isn't new for OpenID, rather continues to show how …

Microsoft to Support OpenID Log on System


Found 4 days ago
Time, Walk, Step, Turn Hosted on Zooom r [I am CEO of Zooomr] WIRED Blogs: 27B Stroke 6 : In a keynote speech at the RSA security conference earlier today Bill Gates reportedly announced that Microsoft was going to support OpenID. …

Microsoft Working on OpenID Support


Found 4 days ago
It looks like we just announced that we'll be supporting OpenID at the RSA conference. Official details are in the press release Microsoft Outlines Vision to Enable Secure and Easy Anywhere Access for People and Organizations which states To further enable the vision of secure and easy anywhere access, …


Found 4 days ago

With the Vista launch behind him, Bill Gates and Craig Mundie, Microsoft's chief research and strategy officer and security patron, were on stage the 16th annual RSA Conference in San Francisco before a crowd of about 15,000 security geeks and professionals. …



Found 4 days ago

You can read it around the web, but, hot on the heels of the creation of the OpenID Foundation , the news from the RSA Security conference is that Bill Gates has announced Microsoft's intention to support OpenID 2. …



Found 3 days ago

Sometimes wishes to come true. It was only a few days ago that I posted a rant about Yahoo's decision to impose Yahoo ID's on Flickr account holders . And I was just one of the many voices in the blogosphere raised against Yahoo's decision. …



Found 3 days ago

There's lots of buzz in the blogosphere today about the big Cardspace/OpenId collaboration that was announced this morning at RSA. Whodathunk that a technology rooted in the RESTful open source ecosystem could intermingle with a technology built by the WS-* wonks without trigging some bizarre matter/antimatter explosion. …



Found 4 days ago

User-centric identity infrastructure just took another key step forward today: Janrain, Sxip, Verisign, and Microsoft announced they will all be working together to help OpenID users get the benefits of CardSpace and vice versa. …



Found 4 days ago




Found 4 days ago

For those of us who've been helping to promote OpenID, today's announcement that Microsoft will work to get OpenID and Cardspace working well together is absolutely no surprise. Kim Cameron, Mike Jones and the rest of the crew have been saying both very rosy things, as well as giving some well-appreciated constructive criticism. …



Found 3 days ago

Unbelievably sleepy old Microsoft (we spend $4bn on R&D but has anyone seen a return) beats dithering Yahoo (should we support it or should we buy OpenID) and arrogant Google (we hate OpenID and Microformats, we only use complicated stuff we invent) to officially announce support for the OpenID movement today at the RSA conference. …



Found 3 days ago

Just when you thought it was safe to make assumptions regarding whether or not MSFT understood the ” Don't Fight The Internet ” rule of doing business on the 2. …



Found 3 days ago

Microsoft, Verisign, Sxip and JanRain have announced that they will all support the OpenID protocol in their upcoming products. Kim Cameron has the scoop (but then he would have, being the ‘Chief Architect of Identity’ at Microsoft). …



Found 3 days ago

CardSpace OpenID collaboration :



Found 4 days ago




Found 4 days ago

(There's always a dilemma between “publishing soon” and “polishing for peer review.” This is my first attempt at blog-based collaborative peer-review. Let's see how it goes!) The Problem Phishing is a serious issue, and it's only getting worse. …



Found 3 days ago

This is great news for the OpenID community – having companies like Verisign and Microsoft onboard certainly help the chances of achieving a way to manage your persona on the web! OpenID ( Radar post ) got a big boost today when it gained support from Microsoft . …



Found 4 days ago

This morning at RSA Bill Gates and Craig Mundie announced MSFT support of OpenID2.0 . ( Johannes has a good summary of the points they made too ) I wouldn't go so far to say that they got Married. But what exactly was announced? …



Found 3 days ago

Thomas Hawk submits: In a keynote speech at the RSA security conference yesterday, Bill Gates reportedly announced that Microsoft was going to support OpenID. OpenID is an open, decentralized identity system that attempts to provide a solution to the multiple log on ID systems to access various sites across the internet. …



Found 3 days ago

I'm proud to announce that, as of this morning, we are going to be taking ClaimID in a slightly new direction. We're going to be concentrating our efforts on being an OpenID provider, one that is extremely simple and easy to use. …



Found 3 days ago

So I haven't had any time to talk to Kim or Dick – but here's my take on this deal between Microsoft and their CardSpace/InfoCards standards efforts and the OpenID community (Sxip, JanRain and Verisign. …



Found 3 days ago

Microsoft and the OpenID community have decided to support each other. In depth coverage here. Congrats to all! THis is important news! Getting Microsoft to recognize and then support an open effort like OpenID is a first step. …

Cool Tailrank page

I love Tailrank and its little pictures of blogs as this page on the CardSpace OpenID Collaboration Announcement shows.  I wonder how long the pages persist?  I'll have to remember to come back and look at this link in a couple of months.

Meanwhile, I thought I would explore Tailrank further and got to the part where I had to sign in and said to myself, “No, I don't have time for that”. 

Then it occured that this was just one more concrete example of a Web 2.0 opportunity going down the drain.

It seems so clear to me the Web 2.0 community should climb on board this user-centric identity thing ASAP. 


Scary phishing video from gnucitizen

Here's a must-see that punctuates our current conversation with – are you ready? – drama and numerous other arts.

Beyond the fact that it's just plain cool – and scary – as a production, it underlines one of the main points we need to get across.  The evolution of the virtual world will be blocked until we can make it as safe as the physical one. 

As Pam says, “this video really captures the panic involved in being hacked…”.  That's for sure.

Back in action

My day job has conspired with the holidays to play havoc with my blog over the last while. 

What can I say?  Maybe something good will come out of it.  At least those of you who subscribe to my feed got a bit of peace and quiet!  And I feel rested and relatively renewed.  I missed writing.

At the same time, there were many exciting identity-related developments that came to my attention but which I wasn't able to pass on.  Sorry about that.  There was simply no way to “do everything simultaneously all at once”.

But on the positive side of the balance sheet, I was able to complete some work on how Cardspace actually behaves over the wire. 

I've put together a PHP implementation of the Identity Provider end of things which I hope will help better convey, in a cross-platform fashion, what is possible with the identity provider paradigm and how Cardspace actually uses the WS protocols.  I hope this, in conjunction with some important new documentation by Arun Nanda, will aid in the development of other compatible InfoCard implementations.

All that remains is to write about all this stuff.  So, here we go…


Proposed Eighth Law of Identity

Here is a compelling multi-media proposal by the legal department of Ontario's Privacy Commissioner for an Eighth Law of Identity:

Illustration of the eighth law of identity

Download full-size deposition here.

The “technology” version of the law appears on the left, and the policy-oriented version on the right.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd.

Today's Internet is a Gourd's Paradise. It is only through user-centric pumpkin-to-machine authentication that we will be able to leverage the true weight of the gourd. The synergistic combination of omnidirectional identifiers and correlation handles on a per-vegetable basis could be the sustainable architecture behind the meta-zucchini infrastructure.

Any metasystem needs to realize that pumpkins may vary in physical appearance, but their basic architecture is the same: stem, seeds and pulp represent the core of our constituent squash identity system.

We hope our commentary will stimulate oral interfacing across the vegosphere and among the “gourderati”.

That all lawyers could be so gainfully employed!

Grandstanding to drive up his ratings?

When Doc Searls was first telling me about blogging, he asked if I wanted to see something incredible.  Then he typed the word “doc” into a certain search engine, and the first or second result was the address of his blog. 

I was amazed.  He was right up there.  On a level with the Department of Communications.  He still is today (try it!)

So a while ago, I decided to check out the results for “Kim”.  Narcissistic? I guess.  And worse, the kind of thing that irreversibly links your identity to the audit trail of your searches. 

But I was curious.

Let's face it.  As I've said before, this blog is the “hair on the end of the long tail.”  It was obvious I wouldn't be in the same league as Doc. And we all know the entire country of Korea has the name ‘Kim’.  One search engine lists 227 million references.  So my hopes weren't high.

But despite all this, the results were pretty amazing: 


Better search engine


Was it possible?  I beat out Kim Jong-il, president of North Korea, who came in at number 8.  In fact I easily passed him at 5!  I could see he's maybe not the most popular person in the world, but still, he does run a country, a country much discussed in some circles.  Anyway, I decided to check out a competing engine:


Canadian version of well known search engine

Not quite as good, maybe, but hey, Rudyard Kipling and Kim Basinger are certainly both more fundamentally accessible than identityblog (!), so it seems right.

Anyway, over time I came to take this state of affairs pretty much for granted.

But last week, visiting Canada, a friend asked me what would happen if he just searched for ‘Kim’, so I told him to try it.  He went to www.google.ca, and to my horror I could see that I had slipped

American version of well known search engine

Suddenly the reality of the situation sank in.  Was the underground nuclear test that Kim Jong-il set off just grandstanding intended to increase his search engine ranking?  

Had Kim Basinger and I actually been in grave danger all along for thwarting a dictator's desire to appear at the top of a result set? 

The poor helpless souls in some CNN documentary flashed before my eyes, and I acepted that losing out to Jong-il wasn't all bad.

And then the kicker.  I VPNed to a computer back in the States, so I could get to the US versions of the search engines (on my friend's ISP it was impossible to get to the actual “.com” site rather than “.ca”).

Guess what? Back in the States it was business as usual.  Kim Basinger and I were still up ahead of Jong-il, despite all of his antics.  My friend and I had been looking at a rating that was somehow Canada specific.

I guess that for search engine experts all of this would come as no surprise.  But I am pretty curious about how these international variations in ranking come about.


Can this really bee?

Ian Brown's Blogzilla brings us this report on bugs in the British passport system.  

Yet surely all is not lost.  There are, after all, British politicians with an advanced understanding of privacy and computing.  For example, I would hope the technologically savvy Earl of Erroll, with his informed colleagues the Baroness Gardner of Parkes, the Countess of Mar, Lord Avebury, the Earl of Northesk, and Lord Campbell of Alloway, could prevail upon the good graces of Lord Sainsbury of Turville to have Britain move beyond the strange incident Ian brings to our attention. 

Remember the huge ID cards report row last year between the government and the LSE's Simon Davies? The Home Secretary Charles Clarke (remember him?) went on the Today programme and accused Davies of fabricating evidence for the LSE's report on the ID cards. Ministers from Blair down took turns inside and outside Parliament to rubbish and defame him at every possible opportunity. It turned very nasty and Davies for the remainder of the year was very much Enemy Number One for the Home Office.

Of course subsequent events vindicated the report. The ID scheme is falling to pieces in exactly the way it predicted.

Simon went to the Passport Office in London yesterday to renew his passport. As he approached the interview counter a huge wasp appeared from nowhere, hovering over his head and dive-bombing staff. Interview officers scrambled for cover and retreated to the back of the room. Overheard was the comment “Where the hell did THAT come from?” followed closely by an accusatory glance at Simon and the remark “It came in with HIM!”

The wasp continued to hold position over Simon's head while staff ducked and weaved to avoid the beast. Three security people were called in to deal with the crisis. For a full fifteen minutes work in the passport office came to an abrupt halt as a fearless security official danced around the room, batting the hapless wasp with a handy copy of Her Majesty's passport guidance notes.

The wasp was finally dispatched to insect heaven but not before some people had formed the view that this was all an ingenious and pre-meditated campaign strike against the passport office.

Interestingly, once all the wasp-induced chaos had settled, the officials refused to renew his passport. They said it was “damaged” because a little of the laminate on the data page was lifting. What a surprise for a ten-year old paper document.

Anticipating possible problems establishing his identity, Davies had with him a dozen identity documents, including his LSE card, bankcards, bank statements and utility bills and a three-inch thick pile of newspaper stories with his photo — including articles in the Daily Mail which showed his passport photograph and others from the Sunday Times and the Guardian with his current photo. It was to no avail. He was told that these were all unacceptable as a means of establishing that he was who he said he was. His current passport was not an acceptable form of identity either.

Whether Simon brought a trained wasp into the passport office is something we may never be able to verify, but in the end the Home Office got their own back. He now cannot attend the United Nations Internet Governance Forum in Athens next week, at which he was scheduled to speak.

There may be some who wonder at Ian's complete objectivity.  But let's not dwell on minutae.  I hope Britain will find some way that the visionary Simon Davies can address the upcoming United Nations conference.


A Merit Badge That Can't Be Duplicated

From the Los Angeles Times

Boy Scouts can earn badges for woodcarving, raising rabbits and firing shotguns.

But in the Los Angeles area, Scouts will now be able to earn their stripes by proselytizing about the evils of copyright piracy.

Officials with the local Boy Scouts and the Motion Picture Assn. of America on Friday unveiled the Respect Copyrights Activity Patch — emblazoned with a large circle “C” copyright sign along with a film reel and musical notes.

The 52,000 Scouts who are eligible may earn the patch by participating in a curriculum produced by the MPAA. To earn the badge, Scouts must participate in several activities including creating a video public-service announcement and visiting a video-sharing website to identify which materials are copyrighted. They may also watch a movie and discuss how people behind the scenes would be harmed if the film were pirated.

But will the patch be a badge of honor or a scarlet letter of uncoolness?

Richie Farbman, 13, is raring to go, eager to warn others about the dangers of illegal downloading while adding to his more than 20 activity badges.

“I think it's really good to get the message out that it's bad,” said the Redondo Beach Scout. “You can see your friends doing it and tell them why it's bad. I think if you're a role model, you can stop people.”

But Richie said he knew his perspective wasn't shared by many of his classmates. “A lot of people don't think they're going to get in trouble,” he said, “so they do it anyway.”

Other teenagers say Richie and his Scouting buddies face an uphill battle. “Everyone knows it's illegal already, but they do it anyway,” said Kevin Tran, a senior at Taft High School in Woodland Hills. “They can't afford to buy CDs and DVDs, and they see it [on the Internet] for free, so why not do it?”

Officials at the Scouts’ Los Angeles Area Council said they approached the MPAA with the idea nine months ago, emphasizing that the entertainment industry lobbying group did not make financial donations to secure the badge program.

The inspiration for the new badge came from Hong Kong, where the local Boy Scouts organization had its members pledge not to use or buy pirated materials. In addition, the Scouts agreed to search Internet file-sharing sites and turn in sites and users they see violating the law. The campaign was launched at a stadium before a slew of pop stars where the so-called “youth ambassadors” pledged to stem the rise piracy.

The move raised concerns from civil libertarians, who feared the group was creating thousands of young spies to snitch on copyright abusers.

Victor Zuniga, a spokesman for the Scouts’ Los Angeles Area Council, said his group decided on a less aggressive approach: The Scouts won't be asked to police the Internet for pirates.

“Our program is educational,” Zuniga said, adding that the badge probably would be offered elsewhere if was successful here.

Stephanie Scott, a mother of two Boy Scouts, said the anti-piracy badge has something other Scouting activities lack. “This one is tailor-made for the city boy in L.A.,” she said. “Scouts may just as soon go for this one rather than Wilderness Survival.”

MPAA Chairman Dan Glickman said partnering with the Boy Scouts made sense because so much of the pirating was being done by teenagers. “The truth is: So many kids today are savvy with computers and Internet technology and can download anything,” he said.

Although teenagers might roll their eyes at the new badge, some technology-industry analysts said it was a good idea.

“It's actually an incredibly savvy recognition that all the legal and legislative protection, all the technological intervention is clearly not enough to shut dA fown the Internet,” said Eric Garland, an analyst with BigChampagne, which tracks file-sharing networks. “You have to go after the will of the people. Make it an ethical issue.”

But to many teens, it's not so much about ethics as it is money. “Sure [Scouts] should learn downloading is illegal. But if you can't afford to buy it, then they're going to do it anyway,” said Kevin Nguyen, 16, Chatsworth High. “There's no way to control it.”

To quote Slate:

A mom's take: “This one is tailor-made for the city boy in L.A.” As long as the L.A. city boy is an aspiring studio hack.

A friend tells me various youth organizations are working on “Downsizing” and “Outsourcing” badges as well.  The boys have to convince a company of their choosing to adopt a program resulting in a pre-negotiated reduction in salaries and benefits.  There has been talk of offering a supplementary badge for eliminating women staffers.