6 year old installs keylogger

Here is a strange one via Pamela Dingle's eternal optimist:

How girl, 6, hacked into MP’s Commons computer

I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…

This kind of dongle plugs in between the keyboard and the computer.  So there is one simple solution:  don't type in secrets that could allow someone to gain access to your accounts. 

My view:

  1. CardSpace self-issued cards ( based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
  2. Normal Kerberos login would be vulnerable.
  3. Username / password IdPs could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
  4. One time password (OTP) systems would be unaffected. 

BTW, I now have OTP integrated with my own managed card demo code.  When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.
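The fourth point above (and the remark that an OTP "can never be reused") is easiest to see in code. The following Python is an added example, not Kim's managed-card demo code or anything from CardSpace: it implements RFC 4226 HOTP as one concrete OTP scheme (the post does not say which OTP system is used) with a constructed demo secret, and shows that a code captured by a keyboard logger is rejected when it is submitted a second time, because the verifier advances its counter past every code it accepts.

```python
import hmac
import hashlib
import struct

# Constructed demo secret (the RFC 4226 test-vector key) shared between the
# user's token and the identity provider. Real deployments provision a random
# per-user secret instead.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Identity-provider side: each counter value is accepted at most once."""

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.next_counter = 0          # lowest counter value still acceptable
        self.look_ahead = look_ahead   # tolerate codes generated but never submitted

    def verify(self, submitted: str) -> bool:
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            expected = hotp(self.secret, c)
            if hmac.compare_digest(expected, submitted):
                # Advance past the accepted counter so this code, and any
                # earlier one, can never be replayed.
                self.next_counter = c + 1
                return True
        return False


def replay_is_rejected_demo() -> dict:
    """Simulate a login whose typed OTP was recorded by a keyboard logger."""
    token_counter = 0
    verifier = OtpVerifier(DEMO_SECRET)

    captured = hotp(DEMO_SECRET, token_counter)    # the code the logger records
    first_login = verifier.verify(captured)         # legitimate use: accepted
    replay = verifier.verify(captured)              # same code again: rejected

    token_counter += 1                              # the user's token moves on
    next_login = verifier.verify(hotp(DEMO_SECRET, token_counter))
    return {"first_login": first_login, "replay": replay, "next_login": next_login}


if __name__ == "__main__":
    print(replay_is_rejected_demo())
```

The `look_ahead` window is the usual HOTP resynchronisation allowance; note that it never reaches backwards, which is exactly the property that makes a logged code worthless once it has been used.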

Windows Financial Services “Best of the Blogs” list

I'm pleased to see the editors of Windows in Financial Services put identityblog on its “Best of the Blogs” list.   Welcome to any readers who “get here from there.” 

It's impressive for a publication so intensely focussed on financial services to invite its readers into a parallel universe which, as the editors put it, “…addresses the innumerable ramifications of this growing problem [identity theft – Kim]…”.  Yup.  There are definitely a lot of ramifications around here.

Identity theft is fast progressing as a huge threat to financial institutions everywhere, especially in the area of online banking.  In his “Identity Weblog,” Kim Cameron, Microsoft’s architect for identity, addresses innumerable ramifications of this growing problem, ranging from illegal sale of stolen credit card information on the Web, to whether or not schoolchildren should be fingerprinted, to technical solutions such as encryption. 

In an April 2nd entry, Kim answers questions from his readers about CardSpace, an encryption technology that can be enabled for .NET 2.0 through the use of Visual Studio 2005 Toolbox for Windows CardSpace. Click below to read Kim’s advice on subjects such as how CardSpace prevents phishing – even when used in conjunction with passwords – and to find out how to ask him ID-related questions of your own.

So, welcome to any new readers and please make yourselves at home.  Extra bonus:  you'll have a chance to use CardSpace when posting comments.

Cobbler's children

Here's an “ouch that hurts” posting by Jackson Shaw at Quest:

I received this email today regarding my identity partner's account that I have at Microsoft. Isn't it unfortunate that given Active Directory Federation Services (ADFS) and CardSpace that I have to do this?

Shaw, Jackson, The password for the extranet account issued to blah\JShaw will expire on Mar 15 2007. Please proceed to the following URL to change the password: https://Home.EP.Microsoft.com/login.aspx

NOTE: Failure to change the password before the expiration date will result in the account being locked and access will no longer be provided.

Thank you, The Extranet Management Tool Team

For assistance, please contact your administrator, site owner or support team.

I have zero time to figure out who my administrator, site owner or support team is.

I do know my Quest userid and password and wouldn't it be nice if that just worked??

Jackson is right.  Everything about this is bizarre.  I too love those “contact your administrator” messages – best of all, when I'm the administrator, but in all other cases too. 

Anyway, we are now getting close to the point where Microsoft marketing and other sites will start to light up.

With the sheer number of sites we have, and the attacks on our perimeter, our IT guys have to go about this in an organized way.  I spoke with Microsoft's internal IT security architects not long ago and was amazed at how well they have thought through the implications of the claims-based approach, privacy issues, uses for CardSpace, and so on. 

Meanwhile a lot of our sites are tied to Windows Live ID, so when it turns on Information Card support, the benefits should start to be widely felt.

Today Jackson did a piece outlining the Laws of Identity and  concludes:

I installed WinFX the other night on my Windows XP system and created my own Information Cards and then used one to logon to Kim's blog – it worked! [He's so surprised? – Kim]

Now if I could a Quest property or two to accept either OpenIDs or InfoCards…

Hey, Jackson – let's get some live company-to-company interaction happening with the technologies we all want to introduce.  Why don't we approach the Extranet Management issue from both ends – you from the Quest end, me from this end?  Maybe others would want to jump on as well… The proof of the shoe is in the walking.

P.S.  Why don't you talk with Pamela about getting onto blogging software that accepts Information Cards too?  Mike Jones has done it.

UPDATE: Here is a posting on our progress in getting ADFS (Federation Services) going on our extranet, so the collaboration proposed above should be “way simple”.  And it's good to see that Brian Puhl not only listened to your original comment but did so much to move things ahead.

newtelligence CardSpace API

Sergey Shishkin reports that a new developer's kit will be released by newtelligence AG.

newtelligence AG announces plans to release the newtelligence CardSpace SDK, a Software Development Kit for Microsoft Windows CardSpace. The SDK, based on newtelligence expertise in information security, will help developers build more robust CardSpace-enabled applications on the .NET platform – with ease. Microsoft .NET Framework 3.0 was released in November 2006 and introduced Windows CardSpace – a user-centric digital identity solution.

CardSpace allows developers to leverage federated security and single sign-on in their solutions. As a leading security expert company, newtelligence investigated .NET Framework 3.0 and Windows CardSpace starting from its early, pre-released versions and developed technology samples to clearly demonstrate to customers the underlying technology as well as provide best practices for its use.

Although CardSpace is based on the standardized web service security protocols (WS-* standards), developing CardSpace-enabled applications is challenging. Developers have to possess solid knowledge not only in web service security protocols but also in cryptography and XML.

newtelligence SDK for Windows CardSpace will provide a comprehensible API for key CardSpace application scenarios: Programmatic creation of managed information cards; requesting and validating security tokens in Microsoft Windows and web applications; and issuing security tokens. Use of the API will increase software security and developer productivity: Writing secure software is simplified and less software coding is required to achieve the desired, secure functionality. To aid understanding of the SDK and of CardSpace in general, a reference application and additional code samples covering different aspects of the API usage will accompany the SDK.

The newtelligence CardSpace SDK will contain complete source code of the API and is intended for personal use only. For more information regarding availability, licensing or reuse of the SDK, please contact us.

One of Sergey's readers comments:

How about just releasing it instead of announcing the announcement 😉

Sergey responds:

Dominick, the work is in progress now. The release is of course the goal 🙂

I'm glad to see Dominick so itchy.  Sergey says he will host a discussion about the API on his blog.

Without BE, templates ARE your biometrics

The more I learn from Alex Stoianov about the advantages of Biometric Encryption, the more I understand how dangerous the use of conventional biometric templates really is.  I had not understood that the templates were a reliable unique identifier reusable across databases and even across template schemes without a fresh biometric sample.  People have to be stark, raving mad to use conventional biometrics to improve the efficiency of a children's lunch line.

Alex begins by driving home how easy template matching across databases really is:

Yes, that’s true: conventional biometric templates can be easily correlated across databases. Most biometric matching algorithms work this way: a fresh biometric sample is acquired and processed; a fresh template is extracted from it; and this template is matched against previously enrolled template.

If the biometric templates are stored in the databases, you don’t need a fresh biometric sample for the offline match – the templates contain all the information required.

Moreover, this search is extremely fast, such as 1,000,000 matches per sec is easily available. In our example, it would take only 10 sec to search a database of 10,000,000 records (we may disregard for now the issue of false acceptance – the accuracy is constantly improving). The biometric industry is actively developing standards, so that very soon all the databases will have standardized templates, i.e. will become fully interoperable.

BE, on the other hand, operates in a “blind” mode and, therefore, is inherently a one-to-one algorithm. Our estimate of 11.5 days for just one search makes it infeasible at present to do data mining across BE databases. If the computational power grows according to Kim’s estimates, i.e. without saturation, then in 10 – 20 years the data mining may indeed become common.

Kim already suggested a solution – just make the BE matching process slower! In fact, the use of one-way slowdown functions (known in cryptography) for BE was considered before. The research in this area has not been active because this is not a top priority problem for BE at present. In the future, as long as the computer power grows, every time the user gets re-enrolled, the slower function will be applied to keep the matching time at the same level, for example, 1 sec.

Other points to consider:

  • BE is primarily intended for use in a distributed environment, i.e. without central databases;
  • the data mining between databases is even much easier with users’ names – you wouldn’t even need biometrics for that. We are basically talking about biometric anonymous databases – a non-existing application at present;
  • if a BE database custodian obtains and retains a fresh biometric sample just to do data mining, it would be a violation of his own policy. In contrast, if you give away your templates in conventional biometrics, the custodian is technically free to do any offline search.

These arguments are beyond compelling, and I very much appreciate the time Alex and Ann have taken to explain the issues.

It's understandable that BE researchers would be concentrating on more challenging aspects of the problem, but I strongly support the idea of building in a “slowdown function” from day one.  The BE computations Alex describes lend themselves perfectly to parallel processing, so Moore's law will be operating in two, not one, dimensions.  Maybe this issue could be addressed directly in one of the prototypes.  For 1:1 applications it doesn't seem like reduced efficiency would be an issue. 

Why couldn't the complexity of the calculation be a tunable characteristic of the system – sort of like the number of hash iterations in password based encryption (PBE)?
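The "tunable slowdown" idea in the two paragraphs above (Alex's re-enrolment under a slower function, and the PBE hash-iteration analogy) can be made concrete. The Python below is an added example, not code from Kim, Alex or any BE prototype. It makes one deliberate substitution: PBKDF2 over an exact byte string stands in for the fuzzy biometric key binding, because the point here is only the cost knob, not the matching algorithm. Every name in it (`bind_key`, `enroll`, `reenroll`, `calibrate_iterations`) is hypothetical, and the sample inputs are constructed.

```python
import hashlib
import hmac
import os
import time

# Hypothetical stand-in for a BE enrolment record: PBKDF2 with an exact-match
# sample replaces the fuzzy biometric binding, so that only the tunable cost
# of the one-way slowdown function is illustrated.


def bind_key(sample: bytes, salt: bytes, iterations: int) -> bytes:
    """One-way slowdown function whose cost grows linearly with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", sample, salt, iterations, dklen=32)


def enroll(sample: bytes, iterations: int) -> dict:
    """Store the bound key together with the cost parameter used to produce it."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "bound": bind_key(sample, salt, iterations)}


def verify(record: dict, fresh_sample: bytes) -> bool:
    """Every match must re-run the slowdown function at the enrolled cost."""
    candidate = bind_key(fresh_sample, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["bound"])


def calibrate_iterations(target_seconds: float, probe_iterations: int = 50_000) -> int:
    """Choose the iteration count that makes one match take about target_seconds here."""
    start = time.perf_counter()
    bind_key(b"calibration-probe", b"\x00" * 16, probe_iterations)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(1, int(probe_iterations * target_seconds / elapsed))


def reenroll(sample: bytes, old_record: dict, target_seconds: float) -> dict:
    """Re-enrolment as described in the post: verify under the old cost, then rebind
    under a freshly calibrated cost so a match keeps taking target_seconds on current hardware."""
    if not verify(old_record, sample):
        raise ValueError("fresh sample does not match the enrolment record")
    return enroll(sample, calibrate_iterations(target_seconds))


def one_to_many_seconds(per_match_seconds: float, records: int) -> float:
    """Cost of an offline search that has to run the slowdown function once per record."""
    return per_match_seconds * records


if __name__ == "__main__":
    sample = b"constructed-biometric-sample"       # constructed stand-in for a feature vector
    record = enroll(sample, 10_000)
    print("match:", verify(record, sample), "non-match:", verify(record, b"someone-else"))
    # Re-enrol with a 1 second per-match target, the figure used in the post.
    newer = reenroll(sample, record, 1.0)
    print("iterations after re-enrolment:", newer["iterations"])
    print("one-to-many at 0.1 s/record over 10,000,000 records:",
          one_to_many_seconds(0.1, 10_000_000) / 86_400, "days")
```

The salt is what keeps `bound` values different across databases even for the same sample, which is the "unique keys per database" property the BE discussion relies on; the iteration count is the knob that makes the one-to-many search cost scale with the number of records rather than collapsing to the millions of template comparisons per second that conventional matching allows.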

Mike Jones and self-issued.info

Everyone who has met me has probably met my colleague Mike Jones, who put his work as a researcher at MSR on hold because he got so interested in user-centric identity and Information Cards.  He has now started to blog – check out the InfoCard showing Mike and Dale onstage at Novell Brainshare. 

For those new to Information Cards, you don't normally share an InfoCard with someone else.  This was truly a “they did it because they could” moment… 

On March 21st at Novell’s BrainShare 2007 conference, Dale Olds and I co-presented the session “Who are you? From Directories and Identity Silos to Ubiquitous User-Centric Identity”. Our presentation was a brief history of digital identity solutions, ranging from a password per application to interoperable user-centric digital identity using the Information Card metaphor and several steps in between.

The coolest thing in the session was the first public demo of the Bandit/Higgins cross-platform Identity Selector. During the demo Dale and I both used the same self-issued Information Card (that I created on the BrainShare show floor 🙂 ) to log into a Bandit relying party site, Dale from Linux and me with Windows CardSpace. As Dale and Pat Felsted blogged, two days later the Bandits also demonstrated their selector running on the Mac. Also see Pat’s post on the Details of the Cross Platform Identity Selector.

Great progress towards enabling everyone to answer the question “Who are you?” online with the Information Card of their choice!

BTW, you'll see that Mike, like me, is using pamelaware for WordPress – and accepts comments through infocards.  If you use WordPress, you should check it out.

Clarifications on biometric encryption

Ann Cavoukian and Alex Stoianov have sent me a further explanation of the difference between the “glass slipper effect”, which seems to be a property of all biometric systems, and the much more sinister use of biometric templates as an identifying key.

Kim raises an interesting point, which we would like to address in greater detail:

“This is a step forward in terms of normal usage, but the technology still suffers from the “glass slipper” effect. A given individual's biometric will be capable of revealing a given key forever, while other people's biometrics won't.  So I don't see that it offers any advantage in preventing future mining of databases for biometric matches. Perhaps someone will explain what I'm missing.”

Let us consider a not-so-distant future scenario.  When the use of biometrics grows, an ordinary person will be enrolled in various biometrically controlled databases, such as travel documents, driver licenses, health care, access control, banking, shopping, etc. The current (i.e. conventional, non-BE) biometric systems can use the same biometric template for all of them. The template becomes the ultimate unique identifier of the person. This is where the biometric data mining comes into effect: the different databases, even if some of them are anonymous, may be linked together to create comprehensive personal profiles for all the users. To do this, no fresh biometric sample is even required. The linking of the databases can be done offline using template-to-template matching, in a very efficient one-to-many mode. The privacy implications explode at this point.

Contrast that to BE: it would be much more difficult, if not impossible, to engage in the linkage of biometric databases. BE does not allow a template-to-template matching — the tool commonly used in conventional biometrics. In each BE database, a user has different keys bound to his biometric. Those templates cannot be matched against each other. You need a real biometric sample to do so. Moreover, this matching is relatively slow and, therefore, highly inefficient in one-to-many mode. For example, running a single image against 10,000,000 records in just one BE database could take 0.1 sec x 10,000,000 = 1,000,000 sec = 11.5 days.

Kim is basically correct in stating that if an individual's real biometric image was somehow obtained, then this “glass slipper” could be used to search various databases for all the different PINs or keys that “fit” and, accordingly, construct a personal transaction profile of the individual concerned, using data mining techniques. But you would first have to obtain a “satisfactory” real image of the correct biometric and or multiple biometrics used to encrypt the PIN or key. All of the PINs or keys in the databases can and should be unique (the privacy in numbers argument) — as such, if an individual's actual biometric could somehow be accessed, only an ad hoc data mining search could be made, accessing only one entry (which would represent an individual privacy breach, not a breach of the entire database).

However, with BE, the actual biometric (or template derived from that biometric) is never stored – a record of it doesn’t exist. Without the actual biometric, data mining techniques would be useless because there would be no common template to use as one's search parameter. As mentioned, all the biometrically encrypted PINs or keys in the databases would be unique. Furthermore, access to the individual's biometric and associated transaction data would be far more difficult if a biometrically encrypted challenge/response method is employed.

In contrast, current biometric methods use a common (the same) biometric template for an individual’s transactions and, accordingly, can be used as the search parameter to construct personal profiles, without access to the real biometric. This presents both a privacy and security issue because not only could profiles be constructed on an ad hoc basis, but each template in a database can be used to construct profiles of multiple individuals without access to their real biometric. We thus believe that this alone makes biometric encryption far superior to standard current biometric methods.

Ann Cavoukian and Alex Stoianov

I had not understood that you can so easily correlate conventional biometric templates across databases.  I had thought the “fuzziness” of the problem would make it harder than it apparently is.  This raises even more red flags about the use of conventional biometrics.

Despite the calculation times given for BE matching, I'm still not totally over my concern about what I have called the glass slipper effect.  It would be a useful area of research to find ways of making the time necessary to calculate the BE match orders of magnitude longer than is currently the case.  If today it takes 11.5 days to search through 10,000,000 records, it will only take 4 hours in ten years.  By then the kids we've been talking about will be 16.  Won't that make it less than a minute by the time they are 26?  Or a quarter of a second when they're in their mid thirties?

One very sad story

This article by ZDnet's Mitch Ratcliffe on Identity Rape and Mob Mentality sends shivers down the spine.  Partly because a bunch of our friends are involved.  Partly because the dynamics are just scary.

Allen Herrell, one of the accused attackers in the Kathy Sierra controversy, has written a long email to Doc Searls explaining that his entire online identity has been compromised. If true, and I believe it, because I have known Allen for many years, it appears there have been many more victims here than Ms. Sierra.

I am writing this from a new computer, using an email address that will be deleted at the end of this.

I am no longer me. My main machine despite my best efforts has been hacked, my accounts compromised including my email. and has been disconnected from the internet.

How did this happen? When did this happen? shit doc, i don't have a fucking clue. I thought i was pretty sharp. I guess not.

just about every online account that i have has been compromised. Most importantly my digital identity and user/password for typepad and wordpress. I have been doing damage control, for my clients. How the fuck i got to be part of this mess is revolting.

The Kathy Sierra mess is horrific. I am not who ever used my identity and my picture!!

I am sick beyond words over this whole episode. Kathy Sierra may not be on my top 10 list , but nobody deserves this filthy character assaination (sic). 

A lynch mob mentality has come over the Blogosphere. Kathy Sierra has every right to be angry about the messages directed at her, but her allegations appear to have been misdirected and misinformed, because they relied on simplistic analysis of the sites and assumed that appearance and reality were identical. And she's making it worse, writing today:

You're damn right I'm *linking* these folks to these posts. You're wrong about their involvement. The posts and comments were NOT made by–as you said–heinous trolls.

Whoever made the posts was a registered member, and they *know* who made the comments — he was one of their participants. I never said Jeaneane was the one creating the noose picture or comment. I said she was a participant in and “celebrated” and encouraged meankids.org. I believe that when prominent people encourage this kind of behavior, they don't get to wash their hands of it, ethically.

I should be more clear, though, that while *someone* broke the law with the noose photo/comment, I'm definitely NOT suggesting that anyone else did anything legally wrong.

But I think Hugh put it better than I can:

–You might not be the guy raping the cheerleader, but if you're the one standing by saying, “go go go!” you share some responsibility.–

Not legal, but ethical. I don't believe any of these folks should be able to create these forums, *celebrate* them, send people there, and actively participate… and then claim complete innocence. If you hand someone a loaded gun. and encourage them to shoot…

The rape metaphor applies to everyone involved who had words and images they find deplorable attributed to them. But it is far more important to understand that the rape claimed attributed to them probably didn't happen wasn't their doing in the first place. The gun shoved in Chris Locke, Jeneane Sessums, Frank Paynter and Allen Herrell's hands is as likely to be illusory as not. We need proof, not accusations, just like in the physical world.

Trolls created the impression of a crime and sat back to watch human nature show its worst side. They are still enjoying it.

As Chris Locke explained in his email to me yesterday, he took the offensive postings down “shortly after it appeared.” Nevertheless, Bert Bates, Kathy Sierra's Head First Java co-author has commented on this blog, saying “By definition, these ‘posts’ were made by the author(s) of the site – it IS a small circle of candidates.” When you factor in the possibility that accounts were co-opted, according to this definition, anyone who has ever had their email address spoofed is responsible for the content of the messages sent under their name.  (Post continues here…)

There are so many things to be learned from this story that it boggles my mind. 

It brings back a conversation I had with Allen (The Head Lemur) at Esther Dyson's Release 1.0 conference, years ago, where we first talked about identity.  He was skeptical (as is his wont) but I had good fun talking to him.  And there is no doubt in my mind that we should, as our civilization has learned to do, consider Allen innocent until proven guilty – and there doesn't seem to be any sign of that. 

The worst is that I hear stories like this all the time.  Not just in my work, but from my family. 

My daughter tells of a lady friend whose Gmail account was broken into – resulting in pandemonium that – if it weren't so unbearable – would be the stuff French farces are made of. 

My son's instant messaging account was hacked by the ex of a ladyfriend he wasn't even dating.  Again, he was dragged through weeks of confusion and reconnection. 

So one of the things that separates this story from all the others happening all over cyberspace is just that we know the people involved.  The broad strokes are common today given the randomness of web security and identity.

To make matters worse, imagine technical people saying, in a world of passwords and keystroke loggers, “these ‘posts’ were made by the author(s) of the site – it IS a small circle of candidates…”  Help me.

It's a great proof point that even though blogs don't involve high finance, they still need high quality security.  The loss of privacy and loss of dignity we have witnessed here can't really be undone, even if one day they can be forgotten.  Protecting identity and protecting access is not a joke.

Some days, when I'm really tired, I look at the vast job ahead of us in fixing the internet's identity infrastructure, and wonder if I shouldn't just go and do something easy – like levitation.  But a story like this drives home the fact that we have to succeed. 

Maybe next time Allen and colleagues will be using Information Cards, not passwords, not shared secrets.  This won't extinguish either flaming or trolling, but it can sure make breaking in to someone's site unbelievably harder – assuming we get to the point where our blogging software is safe too.

New CardSpace show

Richard Turner and Garrett Serack have been featured in a CardSpace episode on Microsoft's popular .NET Show:

The .NET Show hosts Microsoft's Richard Turner, product manager, and Garrett Serack, community product manager, to talk about how Microsoft CardSpace solves the problem of securely managing your digital identity on the web.

CardSpace supports an industry-wide secure method for allowing users to authenticate themselves to websites and applications that removes the need for users to remember countless account names and passwords.

Two new CardSpace videos by Richard Turner

My colleague Richard Turner has just done a Channel 9 CardSpace Simple Demo that begins with a detailed look at the user experience, exploring many features of the interface, explaining why we put them there, and showing CardSpace working with both IE 7 and Firefox. 

It then moves on to a code walkthrough using Visual Studio, showing how to tweak your site so it accepts Information Cards (produced by CardSpace or other interoperable implementations).

I suspect the hardest part of enabling a site for CardSpace V1.0 is setting up the SSL certificate.  And Richard must agree, because he has gone the extra length and produced a second Channel 9 video that shows How to Configure IIS to Support Windows CardSpace.  I sure wish I had this when I started fooling around with this stuff!

The source code for the demo will be posted here this week.  Richard is working on other related videos as well.