Christian shows his controls for Visual Studio

Christian Arnold has now done a video where he shows how simple it is to add Information Card support to the “out of the box” Visual Studio membership provider. He has written some really cool controls. 

I think Christian is right on target – at the head of the pack in terms of getting this type of tool out there.  He invites people to download his controls and try them out.

When I first ran the video from his page it chopped off the properties part of the screen – which is the interesting part.  If this happens just right mouse click on the player and select “full screen”. 

Beijing's new Internet identity system

According to the Financial Times, the Chinese government has clear digital identity ideas of its own. 

It's a simple solution, really.  Just make sure the government knows who everyone is and what they are doing all the time while they use the internet.  This applies as much to your identity as an “elf” as to your identity as a professional. 

Under a “real name verification system” to crack down on internet usage – and prevent internet addiction among the young – Chinese police are to check the identity card numbers of all would-be players of internet games.

While it is unclear how rigorously the system will be enforced, Monday’s move highlights Beijing’s desire to more closely regulate the internet and reduce the potential for anonymity…

The same crackdown will help ensure Chinese bloggers aren't inconvenienced with the kinds of vexing issues we've faced here with the Sierra affair.

Chinese leaders recently announced a broad push to “purify” the internet of socially and politically suspect activity, and have been keen to push users to use their true identities online. Beijing is also looking at ways of implementing a “real name” system for bloggers to curb “irresponsible” commentary and intellectual property abuse.

It might sound a bit draconian to our ears, but Hu Qiheng of the China Internet Association said bloggers’ real names would be kept private “as long as they do no harm to the public interest”.  That's clearly benevolent, isn't it?  We all know what the public interest is.

According to FT: 

China’s 18-digit ID numbers are mainly based on place of birth, age and gender and are unique to each citizen, but widely available software can generate fake but plausible numbers.

Under the new system, Chinese police would check each number, a government official, Kou Xiaowei, said on Monday.

Players whose IDs showed they were under 18, or who submitted incorrect numbers, would be forced to play versions of online games featuring an anti-addiction system that encourages them to spend less time online, he said.

Minors who stayed online for more than three hours a day would have half of their game credits cancelled; those who played for more than five hours a day would have all of their credits taken away.

As far as I know, the proposal that age verification be used to combat addiction is entirely original (patented?).  The analysis of how this proposal stacks up against the Laws of Identity is left as an exercise for the reader.

More here…

For the person who has everything

Whenever a patent is granted, the first sign of it is a flurry of weird mail emanating from a well-oiled spam machine that never seems to fail.  It is delivered right to your home address, presumably because the government releases information without setting any conditions on its use.  Beyond having to sort through more garbage, the whole premise of the marketing campaign is creepy.  Here's an example courtesy of Patent Awards:

Your patent commemorative is more than metal and wood – it is tangible evidence that you have made a contribution to this world and future generations.  One of our customers, Mr. Hank Cutler, said it best:

“It is always rewarding to have tangible evidence of one's work, apart from publications.  [Gee!  I didn't know that my father/grandfather/great grandfather did that, but here's a plaque to prove it.  Guess I'll have to do better than that.]  Their presence, in family history, fuels future generations to do better things.”

What better reason is there to buy a patent commemorative plaque or frame?  Create your lasting memory so that your “presence, in family history, fuels future generations to do better things” by placing an order for your patent plaque or frame today!

Funny, I think of the tangible evidence as being the success of some technology.  The patent is just a necessity for protecting your business in 2007.

The family history stuff is stupefying.  The last thing I would want is to consciously drive my own children to compete with me.  I'm just glad that they are out of beta.

But hey.  The plaques are so reasonable – anywhere between $128 and $525.  Let's get a bunch. 

Leaving a comment

Information Card Selectors are the digital equivalent of a wallet to hold your cards.  Digital Me and Azigo produce selectors that run not only on Windows but on Mac and Linux.  (Unfortunately I don't yet have working links for some other offerings that I've seen.)

| Selector | Windows XP | Windows Vista | Macintosh OS X | Linux |
|---|---|---|---|---|
| Digital Me | Yes (Firefox) | Yes (Firefox) | Yes | Yes SUSE |
| Azigo | Yes (Explorer, Firefox) | Yes (Explorer, Firefox) | Yes (Firefox) | |

On XP, you can also run the same version of CardSpace used on Vista:

1. If CardSpace is not installed (as will be the case on XP), when you click on the Information Card logo or LOG IN link on my home page, you will see this:

2. No problem.  Just click the .NET Framework Runtime 3.0 and get the download happening.   Go out for a coffee.  Or even a Martini.

3. Next you'll need to do the usual license approval, and the real installation will start.  Hint:  go do some instant messaging or work on something else for a while.  It takes a while but costs you nothing!

4.  Go back and follow the instructions for Vista.

Digital identity allows us to manage risk – not prove negatives

Jon's piece channeled below, Stephen O'Grady's comments at RedMonk and Tim O’Reilly’s Blogger's Code of Conduct all say important things about the horrifying Kathy Sierra situation.  I agree with everyone that reputation is important, just as it is in the physical world.  But I have a fair bit of trouble with some of the technical thinking involved.

I agree we should be responsible for everything that appears on our sites over which we have control.    And I agree that we should take all reasonable steps to ensure we control our systems as effectively as we can.  But I think it is important for everyone to understand that our starting point must be that every system can be breached.  Without such a point of departure, we will see further proliferation of Pollyannish systems that, as likely as not, end in regret.

Once you understand the possibility of breach, you can calculate the associated risks, and build the technology that has the greatest chance of being safe.  You can't do this if you don't understand the risks.  In this sense, all you can do is manage your risk.

When I first set up my blog to accept Information Cards, it prompted a number of people to try their hand at breaking in.  They were unable to compromise the InfoCard system, but guess what?  There was a security flaw in WordPress 2.0.1 that was exploited to post something in my name.

By what logic was I responsible for it?  Because I chose to use WordPress – along with the other 900,000 people who had downloaded it and were thus open to this vulnerability?

I guess, by this logic, I would also be responsible for any issues related to problems in the Linux kernel operating underneath my blog, and for potential bugs in MySQL and PHP.  Not to mention any improper behavior by those working at my hosting company or ISP.

I'm feeling much better now.

So let's move on to the question of non-repudiation.  There is no such thing as a provably correct system of any significant size.  So there is no such thing as non-repudiation in an end-to-end sense.  The fact that this term emerged from the world of PKI is yet another example of its failure to grasp various aspects of reality.

There is no way to prove that a key has not been compromised – even if a fingerprint or other biometric is part of the equation.  The sensors can be compromised, and the biometrics are publicly available information, not secrets.

I'm mystified by people who think cryptography can work “in reverse”.  It can't.  You can prove that someone has a key.  You cannot prove that someone doesn't have a key.  People who don't accept this belong in the ranks of those who believe in perpetual motion machines.

To understand security, we have to leave the nice comfortable world of certainties and embrace uncertainty.  We have to think in terms of probability and risk.  We need structured ways to assess risk.  And we then have to ask ourselves how to reduce risk. 

Even though I can't prove no one has stolen my key, I can protect things a lot more effectively by using a key than by using no key!

Then, I can use a key that is hard to steal, not easy to steal.  I can put the lock in the hands of trustworthy people.   I can choose NOT to store valuable things that I don't need. 

And so, degree by degree, I can reduce my risk, and that of people around me.

Richard Gray on authentication and reputation

Richard Gray posted two comments that I found illuminating, even though I see things in a somewhat different light.  The first was a response to my Very Sad Story:

One of the interesting points of this is that it highlights very strongly some of the meat space problems that I’m not sure any identity solution can solve. The problem in particular is that as much as we try to associate a digital identity with a real person, so long as the two can be separated without exposing the split we have no hope of succeeding.

For so long identity technical commentators have pushed the idea that a person’s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn’t do this thing, some other puppet master did.’

What’s the solution? I don’t know. Perhaps we need to stop talking about identities in this way. If a burglar stole my keys and broke into my home to use my telephone it would be my responsibility to demonstrate that but I doubt that I could be held responsible for what he said afterwards.  Alternatively we need non-repudiation to be a key feature of any authentication scheme that gets implemented.

In short, so long as we can separate ourselves from our digital identities, we should expect people not to trust them. We should in fact go to great lengths to ensure that people trust them only as much as they have to and no more.

He continued in this line of thought over at Jon's blog:

As you don’t have CardSpace enabled here, you can’t actually verify that I am the said same Richard from Kim’s blog. However in a satisfyingly circular set of references I imagine that what follows will serve to authenticate me in exactly the manner that Stephen described. 🙂  [Hey Jon – take a look at Pamelaware – Kim]

I’m going to mark a line somewhere between the view that reputation will protect us from harm and that the damage that can be done will be reversible. Reputation is a great authenticating factor, indeed it fits most of the requirements of an identity. It's trusted by the recipient, it requires lots of effort to create, and is easy to test against. Amongst people who know each other well it's probably the source of information that is relied upon the most. (“That doesn’t sound like them” is a common phrase)

However, this isn’t the way that our society appears to work. When my wife reads the celebrity magazines she is unlikely to rely on reputation as a measure for their actions. Worse than this, when she does use reputation, it is built from a collection of previous celebrity offerings.

To lay it out simply, no matter who should steal my identity (phone, passwords etc.) they would struggle to damage my relationship with my current employer as they know me and have a reputation to authenticate my actions with. They could do a very good job of destroying any hope I have of getting a job anywhere else though. Regardless of the truth I would be forced to explain myself at every subsequent meeting. The public won’t have done the background checks, they’ll only know what they’ve heard. Why would they take the risk and employ me, I *might* be lying.

Incredibly, the private reputation that Allen has built up (and Stephen and the rest of us rely on) has probably helped to save a large portion of his public reputation. Doing a google for “Allen Herrell” doesn’t find netizens baying for his blood, it finds a large collection of people who have rallied behind him to declare ‘He would not do this’.

Now what I’m about to say is going to seem a little crazy but please think it through to the end before cutting it down completely. So long as our online identities are fragile and easily compromised people will be wary to trust them. If we lower the probability of an identity failing, people will, as a result, place more faith in that identity. But if we can’t reduce the probability of failure to zero then when some poor soul suffers the inevitable failure of their identity, so many more people will have placed faith in it that undoing the damage may be almost impossible. It would seem then that the unreliability of our identity is in fact our last line of defence.

My point then is that while it is useful to spend time improving authentication schemes perhaps we are neglecting the importance of non-repudiation within the system. If it was impossible for anyone other than me to communicate my password string to an authentication system then that password would be fine for authentication and it wouldn’t even be necessary to encrypt the text wherever it was stored!

Jon Udell on the Sierra affair

Jon Udell put up this thought-inducing piece on the widely discussed Sierra affair earlier this week, picking up on my piece and the related comment by Richard Gray.   

Kim Cameron had the same reaction to the Sierra affair as I did: Stronger authentication, while no panacea, would be extremely helpful. Kim writes:

Maybe next time Allan and colleagues will be using Information Cards, not passwords, not shared secrets. This won’t extinguish either flaming or trolling, but it can sure make breaking in to someone’s site unbelievably harder.

Commenting on Kim’s entry, Richard Gray (or, more precisely, a source of keystrokes claiming to be one of many Richard Grays) objects on the grounds that all is hopeless so long as digital and real identities are separable:

For so long identity technical commentators have pushed the idea that a person’s digital identity and their real identity can be tightly bound together then suddenly, when the weakness is finally exposed everyone once again is forced to say ‘This digital identity is nothing more than a string puppet that I control. I didn’t do this thing, some other puppet master did.’

Yep, it’s a problem, and there’s no bulletproof solution, but we can and should make it a lot harder for the impersonating puppet master to seize control of the strings.

Elsewhere, Stephen O’Grady asks whether history (i.e., a person’s observable online track record) or technology (i.e., strong authentication) is the better defense.

My answer to Stephen is: You need both. I’ve never met Stephen in person, so in one sense, to me, he’s just another source of keystrokes claiming to represent a person. But behind those keystrokes there is a mind, and I’ve observed the workings of that mind for some years now, and that track record does, as Stephen says, powerfully authenticate him.

“Call me naive,” Stephen says, “but I’d like to think that my track record here counts for something.”

Reprising the comment I made on his blog: it counts for a lot, and I rely on mine in just the same way for the same reasons. But: counts for whom? Will the millions who were first introduced to Kathy Sierra and Chris Locke on CNN recently bother to explore their track records and reach their own conclusions?

More to the point, what about Alan Herrell’s track record? I would be inclined to explore it but I can’t, now, without digging it out of the Google cache.

The best defense is a strong track record and an online identity that’s as securely yours as is feasible.

The identity metasystem that Kim Cameron has been defining, building, and evangelizing is an important step in the right direction. I thought so before I joined Microsoft, and I think so now.

It’s not a panacea. Security is a risk continuum with tradeoffs all along the way. Evaluating the risk and the tradeoffs, in meatspace or in cyberspace, is psychologically hard. Evaluating security technologies, in both realms, is intellectually hard. But in the long run we have no choice, we have to deal with these difficulties.

The other day I lifted this quote from my podcast with Phil Libin:

The basics of asymmetric cryptography are fundamental concepts that any member of society who wants to understand how the world works, or could work, needs to understand.

When Phil said that, my reaction was, “Oh, come on, I’d like to think that could happen but let’s get real. Even I have to stop and think about how that stuff works, and I’ve been aware of it for many years. How can we ever expect those concepts to penetrate the mass consciousness?”

At 21:10-23:00 in the podcast, Phil answers in a fascinating way. Ask twenty random people on the street why the government can’t just print as much money as it wants, he said, and you’ll probably get “a reasonable explanation of inflation in some percentage of those cases.” That completely abstract principle, unknown before Adam Smith, has sunk in. Over time, Phil suggests, the principles of asymmetric cryptography, as they relate to digital identity, will sink in too. But not until those principles are embedded in common experiences, and described in common language.

Beyond Stephen O'Grady's piece, the reactions of Jon's readers are of interest too.  In fact, I'm going to post Richard's comments so that everyone gets to see them. 

Formula for time conversion

The remarkable William Heath, a key figure in the British Government's IT ecosystem and publisher of ideal government, lands a few of his no-nonsense punches in this piece, both sobering and amusing, on institutional learning:

The original Microsoft Hailstorm press release is still there, bless them! Check out all the hype about “personalisation” and “empowerment” with proper protection of privacy (see extracts below). Complete ecstatic fibs! The apogee of Microsoft’s crazed, childish egocentricity. And it all sounds so familiar to the rhetoric of UK government ID management.

Then April 2002 – Microsoft shelves Hailstorm eg NY Times abstract

And Microsoft announced Kim Cameron’s laws of identity in 2005, and Infocards in 2006.

How fast does Microsoft adapt to customers and markets compared to governments, do we estimate? Is “one Microsoft year = seven government years” a reasonable rule of thumb? In ID management terms the UK government is still in Microsoft’s 2001. So for the UK government to get to Microsoft’s position today, where the notion of empowering enlightenment is at least battling on equal terms with forces of darkness and control and the firm is at the beginning of implementing a sensible widescale solution will take UK government and IPS another forty years or so.

Could we get it down to one MS year = 3.5 UK gov years? That means we could have undone the damage of committing to a centralist panoptical approach in just 21 years. Aha.  But Microsoft doesn’t have elections to contend with… (Continued here.)

I know a number of folks who were involved with Hailstorm, and they are great people who really set a high bar for contributing to society.  I admire them both for their charity and their creativity.  It is possible that the higher the standards for your own behavior, the more you will expect that other people will trust you – even if they don't know you.  And then the greater your disappointment when people impugn your motives or – best case – question your naivety.

It requires maturity as technologists to learn that we have to build systems that remain safe in spite of how people behave – not because of how they behave. 

Of course, this is not purely a technical problem, but also a legal and even legislative one.  It took me, for example, quite a while to understand how serious the threat of panoptics is.  Things always look obvious in retrospect.

I am trying to share our experience as transparently and as widely as I can.  I have hoped to reduce the learning curve for others – since getting this right is key to creating the most vibrant cyberspace we can. 

6 year old installs keylogger

Here is a strange one via Pamela Dingle's eternal optimist:

How girl, 6, hacked into MP’s Commons computer

I assume a physical keyboard logger like this could still be used to steal an IdP username & password, even with all the secure desktop stuff that the CardSpace client has built in…

This kind of dongle plugs in between the keyboard and the computer.  So there is one simple solution:  don't type in secrets that could allow someone to gain access to your accounts. 

My view:

  1. CardSpace self-issued cards (based on public key technology) and managed cards backed by a self-issued card or certificate would both be immune to this attack – assuming no physical access to the computer itself.
  2. Normal Kerberos login would be vulnerable.
  3. Username / password IdPs could be protected from this attack through use of the additional per-card secret described here – assuming non-InfoCard password access was not supported.
  4. One time password (OTP) systems would be unaffected. 

BTW, I now have OTP integrated with my own managed card demo code.  When used with CardSpace it has very nice security properties because the channel from CardSpace to the IdP is encrypted using information in the managed card and the password can never be reused.
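The difference between a typed reusable secret and a one-time password when the keystrokes are recorded, as an added example (this is not the managed card demo code mentioned above). It assumes counter-based HOTP from RFC 4226 as the OTP scheme, which the post does not specify; the verifier classes, the sample password and the RFC test secret are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class StaticPasswordVerifier:
    """Hypothetical IdP check for a reusable password (salted PBKDF2)."""

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = self._derive(password)

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def verify(self, typed: str) -> bool:
        # The same typed string verifies every time it is presented.
        return hmac.compare_digest(self._derive(typed), self._hash)


class HotpVerifier:
    """Hypothetical IdP check for HOTP: each counter value is accepted once."""

    def __init__(self, secret: bytes, look_ahead: int = 3):
        self._secret = secret
        self._counter = 0
        self._look_ahead = look_ahead  # tolerates codes generated but never submitted

    def verify(self, typed: str) -> bool:
        for c in range(self._counter, self._counter + self._look_ahead + 1):
            if hmac.compare_digest(hotp(self._secret, c), typed):
                self._counter = c + 1  # burn this counter and every earlier one
                return True
        return False


def replay_demo() -> dict:
    """Log in once legitimately, then present the recorded keystrokes again."""
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real credential
    password_idp = StaticPasswordVerifier("constructed-sample-password")
    otp_idp = HotpVerifier(secret)

    # A logger between keyboard and computer records exactly what was typed.
    recorded_password = "constructed-sample-password"
    recorded_code = hotp(secret, 0)  # code read off the token and typed in

    return {
        "first_password_login": password_idp.verify(recorded_password),
        "first_otp_login": otp_idp.verify(recorded_code),
        "replayed_password": password_idp.verify(recorded_password),
        "replayed_otp": otp_idp.verify(recorded_code),
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```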

Windows Financial Services “Best of the Blogs” list

I'm pleased to see the editors of Windows in Financial Services put identityblog on its “Best of the Blogs” list.   Welcome to any readers who “get here from there.” 

It's impressive for a publication so intensely focussed on financial services to invite its readers into a parallel universe which, as the editors put it, “…addresses the innumerable ramifications of this growing problem [identity theft – Kim]…”.  Yup.  There are definitely a lot of ramifications around here.

Identity theft is fast progressing as a huge threat to financial institutions everywhere, especially in the area of online banking.  In his “Identity Weblog,” Kim Cameron, Microsoft’s architect for identity, addresses innumerable ramifications of this growing problem, ranging from illegal sale of stolen credit card information on the Web, to whether or not schoolchildren should be fingerprinted, to technical solutions such as encryption. 

In an April 2nd entry, Kim answers questions from his readers about CardSpace, an encryption technology that can be enabled for .NET 2.0 through the use of Visual Studio 2005 Toolbox for Windows CardSpace. Click below to read Kim’s advice on subjects such as how CardSpace prevents phishing – even when used in conjunction with passwords – and to find out how to ask him ID-related questions of your own.

So, welcome to any new readers and please make yourselves at home.  Extra bonus:  you'll have a chance to use CardSpace when posting comments.