Category: Digital Identity

WordPress 2.1.1 dangerous, Upgrade to 2.1.2

Any product that is really successful is going to be attacked.  Over time the attacks will become progressively more sophisticated.  Given how popular – and how good – WordPress is, it doesn't surprise me that it has attracted enough attention that someone eventually broke through. 

Guess what?  I'm running 2.1.1 in my test environment.  Good thing I haven't flicked the switch.  Anyway, here's the scoop as explained by WordPress:

Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately.

Longer explanation: This morning we received a note to our security mailing address about unusual and highly exploitable code in WordPress. The issue was investigated, and it appeared that the 2.1.1 download had been modified from its original code. We took the website down immediately to investigate what happened.

It was determined that a cracker had gained user-level access to one of the servers that powers wordpress.org, and had used that access to modify the download file. We have locked down that server for further forensics, but at this time it appears that the 2.1.1 download was the only thing touched by the attack. They modified two files in WP to include code that would allow for remote PHP execution.

This is the kind of thing you pray never happens, but it did and now we’re dealing with it as best we can. Although not all downloads of 2.1.1 were affected, we’re declaring the entire version dangerous and have released a new version 2.1.2 that includes minor updates and entirely verified files. We are also taking lots of measures to ensure something like this can’t happen again, not the least of which is minutely external verification of the download package so we’ll know immediately if something goes wrong for any reason.

Finally, we reset passwords for a number of users with SVN and other access, so you may need to reset your password on the forums before you can login again. (More here…)

Am I ever relieved that I'm using Project Pamela's InfoCard plugin in the new environment!  I haven't written about it yet, since I've been evaluating the beta.  But thanks to Project Pamela, I will just have to download 2.1.2, and change one line in one WordPress file to get InfoCard login working with it.  Let's drink a toast to proper factoring!  I'll be writing about this amazing plugin soon.

By the way, I have good news for the old-fashioned.  I'll be able to turn on username / password for comments again, since version 2.1.2 gets over the registration vulnerabilities in my current version. 

The whole episode brings up the interesting question of how to secure a widely distributed software project.  The more desirable you are as a target, the better the tools you need.  One day I hope to talk to the WordPress folks about incorporating InfoCards into their development process.

 

New book on Cybercrime

Speaking of new ways for a vendor to win my loyalty, here's an email I got today:

Dear Amazon.com Customer,

We've noticed that customers who have expressed interest in The Digital Person: Technology And Privacy In The Information Age by Daniel J. Solove have also ordered Cybercrime: Digital Cops in a Networked Environment (Ex Machina: Law, Technology, and Society) by J. M. Balkin. For this reason, you might like to know that J. M. Balkin's Cybercrime: Digital Cops in a Networked Environment (Ex Machina: Law, Technology, and Society) is now available. 

You can order your copy for just $22.00 by following the link below.

Cybercrime: Digital Cops in a Networked Environment (Ex Machina: Law, Technology, and Society)
  

J. M. Balkin

Price: $22.00

Book Description

  • “Cybercrime is written by the leading academic experts and government officials who team together to present a state-of-the-art vision for how to detect and prevent digital crime, creating the blueprint for how to police the dangerous back alleys of the global Internet.”

    — Peter P. Swire, C. William O'Neill Professor of Law, the Ohio State University, and former Chief Counselor for Privacy, U.S. Office of Management & Budget.)

  • “A timely and important collection of materials from highly qualified authors. Cybercrime will provide a wealth of new insights both for general readers and for those who study and teach about the legal and policy implications of the internet.”

    –David Johnson, Visiting … Read more)

I actually received this in my mail this morning.  I remember when I got my first email from Amazon, I started fuming.  My reaction was, “No!  This can't be! Not SPAM from Amazon!”.  It seemed incredible.

Then I read the message.  And guess what.  It wasn't SPAM.  Why?  By intersecting its knowledge of my interests with that of other people who share them, Amazon is able to make book suggestions that are just as cogent as most people I know.  This is what I call a relationship.  It isn't based on confinement or bombardment.  It's based on service.  The service is user-centric in a great way.

Now, moving down a level of abstraction, I think I'll buy the book.

Identity Selector Permutations

Check out this interesting set of Identity Selector Permutations posted by Paul Madsen on his ConnectID blog.

In trying to make sense of the various combinations of OS, browser, plugins etc for enabling a client with a Cardspace compatible identity selector, I created the following graphic (click to enlarge…)

Caveat: It's almost certainly wrong in places, and doesn't account for Higgins.  

 

Update: Neil Macehiter adds some details.

  • Chuck's extension appears to require Firefox 2
  • XMLDAP requires Java 1.5
  • CardSpace on XP requires .NET Framework 3
  • #1 is the all Microsoft scenario
  • #2 ties Firefox into the Cardspace identity selector through the selector from Kevin Miller.
  • #3 ties Firefox into Cardspace through Kevin's plug-in, but allows for the scenario of a user choosing to use a different identity selector than Cardspace
  • #4 is Chuck Mortimer‘s Firefox plugin as an alternative identity selector to Cardspace.
  • #5 is a non-Cardspace identity selector for Safari.

 

Scary phishing video from gnucitizen

Here's a must-see that punctuates our current conversation with – are you ready? – drama and numerous other arts.

Beyond the fact that it's just plain cool – and scary – as a production, it underlines one of the main points we need to get across.  The evolution of the virtual world will be blocked until we can make it as safe as the physical one. 

As Pam says, “this video really captures the panic involved in being hacked…”.  That's for sure.

We need severe crypto

Someone just pointed out this super strong message from the Energy Field that is Marc Canter (founder of Macromedia and Broadband Mechanics):

Kim Cameron sets the record straight: State of the market or chance to get things right?  And he has nothing against OpenID.  But Kim is the god head and groks this shit better than any of us – so please listen to him!  ID is a hell of a lot more than SSO or authentication and if we’re to stop phishing, and spoofing and ID theft – we need severe crypto, locked down, secure ID systems.

No one can say Marc doesn't speak in thunder bolts.  This is better summary of what I've been trying to say than I can manage (I would have elided the “god head” part!)

 

Identity Crisis Podcast

Identity Crisis If you haven't read Jim Harper's book, Identity Crisis: How Identification Is Overused and Missunderstood I urge you to do so as soon as you can.

I was initially a bit skeptical about this book because – I hope my more politically inclined friends will forgive me – it was published by what I assume is a political “think tank”.  I worried it might reflect some kind of ideology, rather than being a dispassionate examination of reality.

But in this case I was wrong, wrong, wrong. 

Jim Harper really understands identification.  And he is better than anyone at explaining what identification systems won't do for us – or our institutions. He carefully explains why many of the proposed uses of identification are irrational – delivering results that are quite unrelated to what they are purported to do.  In my view, getting this message out is just as important as explaining what identity will do.  In fact it is a prerequisite for the identity big-bang.  There are two sides to this equation an we need to understand them both.

He directly takes on the myth that if only we knew what peoples’ identifiers were, “we would be safe”.  Metaphorically, he is asking what kind of plane we would rather fly in – one where the passengers’ identifiers have been checked against a database or one where they and their luggage have been screened for explosives and guns? 

I think he will convey to “lay people” why a so-called “blacklist” is one of the weakest forms of protection, showing that all you have to do is impersonate anyone not on it to sneak through the cracks.

The book is full of important discussions.  It has chapters like “Use identification less” and “Use authorization more.”  I have only one criticism of the book.  I would like to see us separate the notion of identity, on the one hand, and individual identification (or identifiers) on the other.  We need return to the original meaning of identity: the fact of being who or what a person or thing is.

As a simple example, suppose I'm a service provider building a chat room for children, and want to limit participation to children who are between 12 and 15.  Let me contrast two ways of doing this. 

In the first, all the children are given an identifier.  To get into the room, they present their identifier and prove they are the person to whom that identifier was given.  Then the chatroom system does a lookup in some public system linking identifier and age to make the access control decision.

In the second, the children are given a “digital claim” that they are of some age, and a way to prove they are the person to whom that “claim” was given.  The chatroom system just queries the claim to see if it meets its criteria.  There is no reference to any public or even private identifier.

My point is that the first mechanism involves use of an identifier.  The second still involves identity – in the sense of being what a person is – but the identification, so rightly put into question by Jim's book, has been put into the trashcan where it belongs.

The use of an identifier in our first example breaks the second Law of Identity (Data Minimization – release no more data than necessary). It breaks the third Law too (Fewest Parties – since it discloses use of information to a central database unnecessary to the transaction).   Finally, it breaks the Fourth Law (using an omnidirectional identifier when none is required).

The book was written before “claims-based thinking” began to gain mindshare, and so it's missing as a category in Jim's discussion of advanced identity technologies.  But we've talked extensively about these issues and we have concluded that we have no theoretical difference – in fact the alignment between his work and the Laws of Identity struck us both as remarkable given that we come at these issues from such different starting points. 

Jim's book is wonderful reading.  It should help newcomers better understand the Laws of Identity.  And this week the Cato Institute in Washington held an event at which Jim spoke, along with James Lewis, Director and Senior Fellow, Technology and Public Policy Program Center for Strategic and International Studies; and Jay Stanley, Public Education Director, Technology and Liberty Project American Civil Liberties Union.

Download the podcast or watch the video here.

 

Practical Guide To Certificate Installation for the Disinterested

It's a bit tricky to install certificates and keys, and harder still when you want to use the same certificate on both Windows and *NIX boxes.  Most of us don't have to install certificates very often (!), but that doesn't make it any easier! If you're like me you forget at least one of the annoying little essential details.

So partly in light of questions I've been receiving, and partly so next time I encounter these problems I remember how I answered them, I'm putting together what I hope might be a useful “Practical Guide to Certificate Installation for the Disinterested“.  In other words, I'm NOT discussing how to use certificates in production environments.

I'm kind of starting in the middle, but I've got three pieces ready so far.  If you're not familiar with this area, OpenSSL is an open source tool for managing certificates and IIS is Microsoft's Internet Information Server (i.e. Web server).  If you see problems with my instructions, please let me know.

Now for the pithy titles:

I'm also going to tackle the issue of creating InfoCard-compatible certs for testing and developing purposes.  If others want to add other sections let me know.

 

World's leading identity politician

When it comes to dealing with identity, Australia has already “been there, done that.”  In 1987 there was a massive public revolt against a proposed national ID card that imprinted several of the Laws of Identity on the psyche of the nation.

None the less, the country faces the same challenges around health care and social benefits as every other: the need to streamline benefits processing, reduce fraud, and improve information flow where it is vital to the health and safety of individual citizens.

Over the last few years this had led a whole cohort of Australians to think extensively about how identity, privacy and efficiency can all be served through new paradigms and new technology. 

On its second try, Australia went in a fundamentally different direction than it did with its 1987 proposal (reminiscent of others that have hit the wall of public opinion recently in other countries).  This time, Australia started out right – bringing privacy advocates into the center of the process from day one. 

The cabinet minister responsible for all of this has been Joe Hockey, who seems to have a no-nonsense approach based on putting users in control and minimizing disclosure.

Finally!  Our first glimpse of a government initiative that is, at least in its inception, fully cognisant of the Laws of Identity.  Beyond this, instead of swimming with dull proposals based on Berlin-wall technology,  Australia is leading the way by benefiting from new inventions like smartcards with advanced processors and web services that can together put information ownership in the hands (and wallets) of the individuals concerned.

Here's the story from The West Australian

Police, State governments and banks will not be able to demand access to the new $1.1 billion smartcards under new laws aimed at stopping them becoming de facto national identity cards.

Responding to a report to be released today by Access Card task force chairman Allan Fels, Human Services Minister Joe Hockey will announce changes to ensure individual cardholders have legal ownership over them.

In a speech to be delivered to the National Press Club today he says most government and bank-issued cards remain the property of the issuer but in what may be a world first, the new laws will ensure the cards cannot be demanded for ID purposes.

Professor Fels foreshadowed the legislation in June when he warned consumers needed to be given as much control over the card as possible, and that the Government faced major security concerns if it did not protect cardholders from having to produce the card as identification.

Mr Hockey says the legislation will be introduced next year.

The Government will be able to turn off access to health and welfare benefits if the owner of the card is no longer entitled to them.

The high-tech cards, to be rolled out across Australia from 2008, will replace 17 health and social services cards, including the Medicare card, healthcare cards and veterans’ cards.

They will include a digital photo and name but not the holder’s address and date of birth, and the microchip will store certain health information and emergency contact details.

The Government says it will not be compulsory, but has admitted it will be hard to avoid because it will be required for all government services.

Nearly every Australian will need to carry a smartcard by 2010.

In his speech, Mr Hockey will argue that Australia has been a “complacent comfort zone” when it comes to aspects of card technology and security.

“Many other countries, particularly in Europe, replaced the magnetic strip with a microchip long ago,” he says.

He denies the scheme will result in one giant data base.

“Your information will stay where it presently is, the agency relevant to that information, the agency you deal with,” he says.

The Government hopes the scheme will wipe out $3 billion in welfare fraud a year.

Shadow human services minister Kelvin Thomson said the Government had engaged in precious little public debate about the card.

“Concerns include the threat to privacy from surveillance by corporations and governments, as well as the financial plausibility of a Government-run $1.1 billion IT project,” he said.

“In the United Kingdom, the Blair Government has been forced to put their proposed smartcard on hold due to overwhelming public opposition.”

If Joe Hockey's proposal is as enlightened as it appears to be, I hope every technologist will help explain that our current systems are far from being ideal.  We mustn't get too hung up on simply preventing deterioration of privacy through absurdist proposals, because the current bar is already too low for safety. 

We need to follow Australia in being proactive about strengthening the fabric of privacy while achieving the goals of business and government.

Virtual gardens with real-world walls

Here is a fascinating piece from OZYMANDIAS that oozes with grist for the User Centric mill.  This seems to be about walled gardens with barbed wire.  Please don't take what I'm saying as being critical of Sony in order to puff some other company (like, er, my own).  I'm talking about the general problem of identity in the gaming world, and the miserable experience much of the current technology gives us.  I think I should be able to represent my gaming personas as Information Cards – just as I would represent other aspects of my identity – and use them across games (and one day, even platforms) – without linkage to my molecular identity. 

News on the web today is that Xfire is suing GameSpy for how their GameSpy Comrade “Buddy Sync” feature creates friends lists. To quote:

Now Battlefield 2142 is caught up in a legal tangle between rival in-game instant messaging programs Xfire and GameSpy Comrade. On October 16, Viacom-owned Xfire filed suit against News Corp subsidiary IGN Entertainment over its GameSpy Comrade program, which comes on the Battlefield 2142 disc. IGN Entertainment also owns IGN.com, a GameSpot competitor.   

Xfire is claiming that GameSpy Comrade's “Buddy Sync” feature illegally infringes on its copyrights. Buddy Sync retrieves users’ friends lists from other instant messaging programs like AOL Instant Messenger and Xfire, and gives players the option of automatically inviting those friends who have GameSpy accounts to join the users’ friends lists on Comrade.

If you read a bit deeper you find that what's basically being challenged is GameSpy's use of information (friends lists) that has been publicly published by Xfire on their website. Xfire claims that GameSpy's reading of that data is to enable GameSpy to bolster their own friends lists:

In a filing in support of the restraining order, Xfire CEO Michael Cassidy specified how his company believes the Comrade program works. First, Cassidy said it reads the user's Xfire handle from the XfireUser.ini file, then visits a formulaic URL on the Xfire site to get a list of the user's friends (for instance, to find the friends list of Xfire user Aragorn, Comrade would go to http://www.xfire.com/friends/aragorn). The names on that friends list are then compared with a central IGN database of Comrade users’ Xfire handles, and if any matches turn up, the user is asked if they want to invite those people to their Comrade buddy lists.

I am not a lawyer, and can't definitively comment on whether information that's made public in this fashion can or cannot be harvested. My gut is that it's probably kosher – we have plenty of website scraping applications in the wild today that do just this, including best price searching sites. What does fascinate me is how this suit highlights how busted Sony's PS3 online network is, and how companies are fighting to position themselves to take advantage of this financially. Bet that seemed to come out of right field. Wink But here's where I'm coming from.

I wrote earlier about why Sony's enabling of Xfire for PS3 games wasn't as exciting as it might seem. Take a read, and then let's talk about just what the experience of being an online user on PS3 is likely to be like.

So I buy my PS3, bring it home, and go online. The first thing I'm going to be asked to do is create some sort of Sony Network ID. That “Sony ID” will apparently bring basic presence and communication features via the crossbar interface. So far so good. Now I decide to play Insomniac's Resistance, which recently stated the following:

Insomniac's Ted Price: “The buddy list is specific to Resistance. And we decided not to bother people in-game with messages. If you have a new message sent to you while you're in a game, you'll see your “buddy list” tab flashing when you re-enter the lobby after playing a game. The buddy list tab is where you can access your friends, ignore list, messages, etc.”  

1Up (to reader): “Does this mean there's a system-wide friend's list, but you have to compile game-specific friends lists for each online game you participate in? That doesn't make much sense, and hopefully today's event will clear up the situation.”

Yes Virginia, that's exactly what this means. Even though I already have a “Sony ID”, I may have to create a new “Resistance ID” to play. And then start thinking about just how broken the experience is when you try to invite someone to a game. Do you send it via the Resistance UI? What screenname do I send it to? If I want to add you to my “Sony ID” friends list, do I need to send you an in-game message to ask you what your real “Sony ID” name is? What about game invites? How does that work across even just these two IDs?

You think that's bad? Now let's open up a few more games from different publishers. Each of these publishers had to make a choice of what online interface to use – again, because Sony's online network just isn't ready. So they'll choose between writing their own (as did Insomniac for Resistance), or perhaps licensing Xfire, or GameSpy, or Quazal, or Demonware. So now we have five potential networks with different namespaces, and an inherent  lack of ability to communicate (chatting, voice, invites, finding friends, etc.) between them, and even across to just the “Sony ID” namespace. Think we're done? Nope… what happens if each publisher doesn't stick with the same online solution for all of their games? This is very likely as most publishers use different developers – so even across a single publisher, you may find fragmented communities.

The only consistent tie all of these different community fragments has is that a user should always have their Sony ID. That gives you a lifeline to be see friends when they are online… but only in the crossbar UI. Will you even be able to see what game they're playing? What about what network that game uses, and whether that friend is logged into it? How will you get messages in a timely manner? Remember Ted Price's quote above? “And we decided not to bother people in-game with messages. If you have a new message sent to you while you're in a game, you'll see your “buddy list” tab flashing when you re-enter the lobby after playing a game.” Doesn't sound like a user-centric design decision to me.

So… back to Xfire and GameSpy. I said earlier this suit is a direct result of how busted Sony's online network appears to be, and I just described some of the issues you'll likely be facing later this month. Yes, it's targeted at a PC title right now (Battlefield 2142), but that's just noise. What we're really seeing with this suit are online middleware companies trying to position themselves to become the eventual defacto solution that publishers will use. Just as with web search and instant messaging, these companies are trying to get momentum and user base that will cause them to be the “PS3 online” solution of choice. And this suit is simply one of many battles we'll see in this space, especially as PC and console crossplatform connectivity becomes more important in the coming years.

When my role as a player is really valued, I will be seen as owning my own buddy list.  Using zero knowledge technology, it will be possible for me to hook up with any of my buddies’ personas – across various games and without committing sins of privacy.

 

Podleaders Interview for those new to the Laws

Tom Raftery at http://www.podeladers.com/ interviewed me recently for his PodLeaders show (42 mins 15 secs).  Here is his description of what we talked about:

My guest on the show this week is Kim Cameron. Kim is Microsoft’s Identity Chief and as such is responsible for developing CardSpace – Microsoft’s successor to the much reviled Passport. Kim elucidated the Seven Laws of Identity and is developing CardSpace to conform to those laws. If he manages this, he will have changed fundamentally how Microsoft deals with people.

Kim is also responsible for Microsoft recently releasing 35 pieces of IP and promising to never charge for them.

Here are the questions I asked Kim and the times I asked them:

Kim, I introduced you as Microsoft’s Identity Chief, what is your official title in Microsoft? – 0:35

What does the Chief Architect of Identity do in Microsoft? – 01:02

Why is it necessary to have identity products in software? – 01:29

How do I know who I am dealing with on the internet? How is that problem being solved? – 03:56

And you as Microsoft’s Identity Architect are coming up with a way to resolve this called CardSpace… – 07:08

You were saying CardSpace is to be platform independent, I run a Mac, will it run on the Mac? – 15:26

You mentioned a couple of companies, are the offerings from these companies going to interoperate or are we going to have another version of the VHS/BetaMax wars? – 17:45

Audience questions
Rob Burke

Perhaps more than any of the other Vista-era technologies, in order to really catch on, CardSpace requires broad cross-platform adoption. Kim personally is doing a lot to showcase the use of CardSpace’s open standards. What does the broader effort to engage with other platforms and communities look like, and how is CardSpace being received? – 21:10

CardSpace uses an intuitive wallet-and-credit-card metaphor. One of the features of a wallet is that it’s portable – I several pieces of identity with me at all times. I tend to move between computers a lot. What provisions are there in CardSpace for helping me keep mobile (in a secure way)? – 25:07

What happens if your laptop containing your InfoCards gets lost and/or stolen? – 28:00


Dennis Howlett

What’s cooking on the identity managemnt front at MSFT? We’ve been hearing about this on and off for a while – we need progress if we’re not to be weighed down byt having to remember so many usernames and passwords for the servics we consume. – 30:35


My questions again:

Will there be a lot of re-engineering of web apps required to roll out these technologies? – 34:03

And finally you mentioned that this is the first version what can we expect in the next versions and when will they be released? – 39:58

Download the entire interview here
(19.3mb mp3)
Let me make one thing clear about Microsoft's Open Specification Promise: many people were involved, and Microsoft's legal people, along with their colleagues representing open source thinkers aned companies, deserve all the credit. 

Check out the other interviews on the site (I think I'm number 48).  Doug Kaye was number 47, and there are lots of good things to listen to while on the treadmill (physical or metaphorical).