May 22 2008
 

This is what I posted over at Web Worker Daily in response to a great post by Mike Gunderloy, “OpenID: A Contrarian View”.

I have to confess that as closely as I follow and often espouse the value of OpenID, I’m a complete hypocrite as I don’t use it day-to-day. I like OpenID more as a demonstration of what we need than an actual solution to that need. I play with some of the IPs’ offerings waiting to see if someone is going to offer a secure IP solution with additional security services of real value. That being said, I’ll comment on the three points:

1) I do need “it” with “it” being defined as simple single sign-on. Today I’m one of those Roboform-aholics using it to fulfill that very real need. However, keeping Roboform or any other thick client solution synched up across several PCs and my mobile device is not fun. I’d love to have Roboform Online (or equivalent) retaining my full control and with some solid security.

2) I completely agree, a universal solution is a must and any OpenID IP would be well-served to take into account non-OpenID site support.

3) I don’t trust it and neither does anyone that’s been paying attention to the plethora of articles, papers and demos. That’s why the predominant use is to non-critical applications. OpenID is an SSO protocol without any security model. That’s fine, just so long as OpenID proponents don’t try to argue otherwise. Security needs to be added either as part of a service offering or at another protocol layer over which OpenID travels.

Phew, nice to get that out in the open! I feel internal hypocrisy levels falling…

 Posted by at 12:34 pm
May 22 2008
 

While reading the article, “Brits risk card fraud with slack security”, I was struck again by the confusion around the various types of fraud and what falls into the bin of “identity theft”. The article holds no surprises for anyone that’s ever watched the general public interact with their cards on and offline. Hence, it really isn’t worth reading, but hey, I gotta keep up and wading through some of this drivel is necessary.

The paragraph that raised my ire and prompted this post is:

A third of those surveyed by Which? said money had been fraudulently taken from their credit card or bank account. However the “vast majority” got all the stolen money back. The consumer group says this seems to suggest that ID theft insurance is “unnecessary for most people”.

At first reading I blamed the journalist for being a moron, then realized they were just channeling the stupidity of the “consumer group” representative.  Since when is my money my identity?  I have long said that I’d much rather a crook get into my account of whatever type and run up $3,000 worth of fun for themselves.  There’s lots of protections for me to get my money back, but even if there weren’t I’d much rather be out $3,000 than have that same crook steal enough identity data to go open brand new accounts with my name on them.  In the first theft, I’m out $3,000.  In the second theft, I’m out lots and lots of money, hours, sleep with lawyers involved, etc.  I’ve experienced the stolen card number case and really, that has been completely painless (thanks AmEx).  I definitely fear having my identity misappropriated (can’t really steal it, just abuse the heck out of it) and having my credit ruined with all the subsequent pains that follow.

It is completely irrational to state that because banks protect their users by reimbursing them for fraudulent account use, users shouldn’t protect themselves from a significantly higher impact theft with equally significant costs.

 Posted by at 10:45 am
May 20 2008
 

The HD format war continues though now the battle is more about whether there needs to be a “format” or not.  Discs are on their way out, we all know this is coming, but it may be coming even sooner than I’d imagined.  The digital-haves may skip BluRay for movies and go straight to digital.  The digital-have-nots may skip BluRay sticking with the regular DVD format until they become digital-haves.  After all is the typical American home likely to invest in big HD sets and players sooner than they’ll get access to broadband and a computer?  I sure as heck don’t know the answer to that one, though the geek in me wants to say the latter, but some average-joe instinct calls me back to the former.

These thoughts hit me as I was reading this article “When discs go the way of disco”, by John Murrell over at SiliconValley.com and it also brought to my mind why I haven’t yet bought a BluRay player (i.e. a PS3) or really gotten crazy on buying HD discs. I did buy an HD-DVD player attachment to my Xbox 360 and bought roughly 8 discs in the excitement before I realized just how much the same movies on the same physical media (plastic disc) were costing me over and above regular DVDs.

I’ll admit that over the DVD years I have accumulated quite a collection of DVDs ranging from movies to TV shows.  I’d bet that my average price for those has fallen drastically to $10 or maybe even a little under.  I keep my eye out for good old movies and shows on special and am a huge fan of the $4.99 special.  Consequently, when I reached for that 9th or 10th HD-DVD at $24.99+ I balked and all purchases ceased and just as well as HD-DVD took a bullet to the brain-pan in the interim.  However, I’m not all that interested in jumping on the BluRay bandwagon yet.

This certainly isn’t because there is no difference between a DVD and HD disc, there absolutely, definitely is.  I purchased the most recent Harry Potter disc last fall which has DVD on one side and HD-DVD on the other.  I accidentally started watching the regular DVD side and was very disappointed until I realized my mistake and the difference was remarkable.  Remarkable enough to pay a premium for?  Yes, but not a 60+% difference and certainly not for BluRay which is still adding features that HD-DVD has had all along.

Since I am an HD snob at this point, instead of buying discs, we’ve been recording HD versions of movies via PPV via DirecTV or via Xbox Live. I don’t get the “extras”, but really the extras on most movies anymore are really not interesting. Commentaries anymore seem to be more about the movie makers getting together and getting caught up with each other than providing any in-depth discussion of the content of their film. Of course this may be due to the fact that there really hasn’t been much in the way of great films for the last couple years… Sorry, back on topic. Consequently, for me the economics of spending $4.99 for an HD movie that I can watch whenever I want and repeatedly, but without owning physical media seems like a bargain compared to owning physical media of a movie I’ll probably not watch all that often after a couple years of its release for $24.99. Besides, in a couple years BluRay discs will be back down to the $14.99 level with bargain discs beginning to appear. Maybe then, the economic calculation will change again, but then again I have over 2TB of storage on my network already so…

 Posted by at 11:27 am
May 20 2008
 

Got this in an email for posting up my picture of Phormtaiqr on Spock.com

“Spock users have flagged and deleted a picture which you contributed to Tim Renshaw’s search result. Flagging and deletion occurs for a number of reasons. Sometimes it is because information is factually incorrect, sometimes it is because contributions are inappropriate. For more information please visit our community guidelines.”

I have reviewed the community guidelines and am not sure why my picture was removed. It was not a picture involving nudity, it was not copyrighted (indeed Blizzard is quite happy to have me promote World of Warcraft by spreading my in-game image hither and yon) and is indeed a picture of me that many of my friends will know as me. The “me” is from an online game, actually the online game / community World of Warcraft, through which I have met many people and this picture is the only “me” they have ever seen.

I suggest that Spock review their own community guidelines to ascertain what they are going to define as “me” and “my identity”.  This will of course have non-trivial impacts on what reputation of “mine” they are defining.  If the site is only going to work on purely “real me” identities, that’s fine, but I believe that really sells the site’s reputation possibilities short.  Reputation matters a great deal to me in virtual spaces.  One of the core ideas behind forming Clans and Guilds in virtual worlds is around the idea of reputation.  Anyone who has put on a headset and ventured into Halo on Xbox 360 knows that you don’t want to just hang out and play with just any schlub online.

I continue to watch Spock with a level of interest, but I don’t believe they’re allowing themselves enough breadth and interconnectivity to all that defines “me” online such that my reputation can really be meaningful across all the various entities representing me online.

 Posted by at 11:22 am
May 20 2008
 

Been too busy working on a super secret project that hopefully will morph into an important part of my future to really spend much time posting here, but couldn’t pass up this opportunity to vent some curmudgeonly steam.

Saw this article on a super smart guy researching whether or not Abraham Lincoln may have suffered from a rare disease.  The part that got me going was the opening sentence, “Did John Wilkes Booth shoot a dying man?”.  Wouldn’t it have been actually more newsworthy if John Wilkes Booth had shot a non-dying man?  Is everyone else in on some piece of history I missed, principally that in some way Lincoln was otherwise immortal except for Mr. Booth’s magic bullet?

That said, would this have been the same magic bullet that ricocheted around so devastatingly through JFK’s limo in Dallas?  Was the bullet also silver?  Were Lincoln and JFK related by the fact they were secretly werewolves or some other such immortal creature with an Achilles heel weakness to magic bullets?

This would be a fun book / screenplay / comic to write.  Could write it into the Underworld universe for the next movie, which might then actually be interesting, or just take it into a stand-alone fictional effort.  Unless of course it isn’t fictional and Lincoln wasn’t in fact dying when Booth shot him, but would have lived forever which would have been cool, cuz I’d still vote for him.

Make a great day, I gotta get back to work.

Originally published April 14, 2008

 Posted by at 11:10 am
May 20 2008
 

So I’ve finalized my plans to attend the RSA Show again this year.  Will be the first time I’ve been there not attached to a vendor exhibiting on the show floor.  Should be liberating!

I’ll be networking as I pursue several avenues of opportunities for my “next gig”.  Good news is that there is a lot going on and I’m really looking forward to linking up with friends, old and new.

The main non-networking item I’m interested in at the show is the OSIS Identity Interop.  There’s a lot of buzz in the identity space and I’m anxious to see what the reality of the situation is with real vendors, real products and real useful applications and use cases.  So far, I read a lot of good ideas, see a lot of work being done in various efforts around specs, protocols, etc., but haven’t seen any services or implementations that make me exclaim, “aHA! There’s something useful and secure, I’ll trust my online life to THAT!”.

Given that, you can imagine that my main focus as I examine my “next gig” options, is how to participate in the creation of exactly that service or application.  I believe all the pieces exist already today to put in place and create a revolutionary service, but all I see are the most timid steps forward.  This doesn’t mean that something won’t be announced at the show this week and I certainly hope it is and that we all can be using it by the end of next week!

Leave me a comment here or email me if you’d like to get together at the show and kick around some ideas or just grab an adult beverage <grin>.

Originally published April 4, 2008

 Posted by at 11:06 am
May 20 2008
 

How often do you need to crack something, really?  Once is all you need.

Information Week has this story on Blu-Ray Copy Protection Breached and the response from the BD+ encryption provider has me scratching my head.

“BD+ is a security response system designed to react to security attacks, not prevent them entirely. As part of this system, updated BD+ security code is continuously developed so that BD+ customers obtain ongoing value from the use of this technology.”

First, though I am often a guilty party, I hate sloppy language. Of course their system isn’t designed to prevent attacks, it should be designed to prevent successful compromise once the attack has been launched. Sure, it’s great if you can prevent someone from running at you with a baseball bat, but that’s really hard to do, especially on the open internet (see, sloppy analogy… guilty). It’s really, really important though that the bat and your head don’t meet. That would count as a successful compromise of your defenses… crunch!

Second, this is an admission that the BD+ system was successfully breached and content has been copied against the producer’s / protector’s wishes and is therefore likely already on a very busy Bittorrent. So now that Movie X is a freely and widely available digital copy, how’s BD+ going to put the cattle back in the barn? If someone in the Cryptography Research division of Macrovision can twiddle some algorithmic dials and make all those currently cracked discs become “uncrackable” again (“uncrackable again” is an oxymoron, right?) that will be impressive…

But useless.  The movie is already out there.  It can’t be retrieved, right?  Is Eric Rodli stating that they can make some adjustments and break all the digital copies sitting on all the hard-drives of those Bittorrenting miscreants?  I guess it isn’t beyond the realm of possibility that a copy could have embedded in it some type of “phone home or don’t play” mechanism, but that would be immediately obvious without any need for tweaking back at BD+ headquarters.

If I didn’t think this wasn’t a bunch of hot air, I’d investigate further, but there’s no need.  While very feasible that some algorithmic changes could be made to change how the next batch of Blu-Ray discs are protected and even feasible that currently cracked discs could get re-un-cracked (ouch that hurts to type) given the online nature of Blu-Ray (or is that in the next release when they’ll nearly catch up to HD-DVD technologically?), this is all just a bunch of Quixotic energy being wasted and defended.  This version got cracked, the next version will get cracked and once cracked there “ain’t no going back to re-un-cracked”.
Hey, that has a nice rhyme to it.  Makes it easier to type and say the second time around.

Originally published March 25, 2008

 Posted by at 11:00 am
May 19 2008
 

This is the first of what will likely become a series and so categorized as a Rant:

OK, so this is the last example of the day and nothing against Rafe, his post is just the last straw over the last couple days, where I’ve heard that how fast a browser opens really, really matters to the reviewer / commentator.  Seriously?  How often are people opening and closing their browsers that speed of launch is any kind of a measuring stick for the quality of a browser?  The only time I’m launching a browser is at some point after I boot my PC and then never shut down the browser until the PC does so at shutdown.  Nearly everything I do anymore occurs in a browser or is destined to be submitted, emailed, stored, etc. through the browser.  Why close it?

Rant off…

Some rants will be more serious than others.  This one’s not so serious, use your browsers any stupid way you want <grin>.

Originally published March 19, 2008

 Posted by at 3:00 pm
May 19 2008
 

A friend asked me about IronKey today and my first recollection was that I stopped by their booth last year at RSA. So I initially responded that as far as I could remember, it was just another secure USB storage play. But since he was asking, I figured I would revisit it, especially when he mentioned that Bill Harris is currently their Chairman of the board. He was with Intuit, then PayPal, then pAssmark (yes, that’s the proper spelling, where the “p”, like the security, is silent) and sits on a variety of boards. Why does that matter? Bill Harris has been involved in a lot of things that run parallel to my own career over the past decade and he’s found lightning-strikes more than once. Me? No lightning yet <grin>.

So like anyone, I started with the web site and it pretty much confirmed my recollection. I read the most recent article from their PR page and it revealed some interesting details. I won’t recap it, you can go read it at your leisure.

Certainly has some nice functionality, but the price is prohibitive even for me, one of the paranoid and willing to pay to resolve my condition. I’m completely happy carrying Roboform2Go around on a much cheaper finger biometric USB. I further protect the Roboform data encrypted with a second-factor key-file setup using TrueCrypt. Though Roboform touts their use of AES for encrypting their data, big deal, the weakness is still the fact they are at base, reliant on a password from which they generate keys. Me, I’m big into true multi-factor security, you know, some combination of:

  • Something you know (password / passphrase),
  • Something you have (typically a smartcard, but in my case files I use as my TrueCrypt keys on a separate device),
  • Something you are (biometric of choice, in my case my fingerprint(s)).

So using my finger biometric USB, with TrueCrypt using key-files from another location and of course my Roboform password, I get all three factors. Purchasing Roboform, my biometric USB and free TrueCrypt comes in well under the $149 IronKey price for their 4GB. The other benefit of my configuration is that for the same dollars spent on Roboform ($40) and TrueCrypt (free) I can do the same thing using all 80GB of my iPod or at least whatever is left over with my podcasts on the iPod. Sure, in this case I only have two factors, not three, but they are still two solid factors such that anyone stealing or finding my iPod would have no ability to get at the encrypted data (remember the files I use as my TrueCrypt keys are not on the iPod itself). Of course, there may not be many others in the general consumer market likely to be aware of the cheaper, more flexible options and how to use them to construct their own secure portable storage.
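An added example (not the post’s own tooling, and not TrueCrypt’s real keyfile algorithm) of the point made above: a key derived from a password alone is only as strong as the password, while mixing in a key-file kept on a separate device defeats the same guessing unless that file is also in hand. The HMAC-based mixing, salt, iteration count, key-file bytes and sample password list are all constructed assumptions.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample parameters (assumptions, not values from the post).
SALT = b"constructed-16-byte-salt"
ITERATIONS = 20_000


def password_only_key(password: str, salt: bytes = SALT) -> bytes:
    """Key derived from the password alone: the weakness the post describes,
    since the resulting key is exactly as guessable as the password behind it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def password_plus_keyfile_key(password: str, keyfile: bytes, salt: bytes = SALT) -> bytes:
    """Mix a key-file ("something you have") into the password-derived key.
    HMAC keyed with the key-file is an assumed, simplified stand-in for TrueCrypt's
    own mixing; what matters is that both factors are needed to reproduce the key."""
    return hmac.new(keyfile, password_only_key(password, salt), hashlib.sha256).digest()


def dictionary_attack(target_key: bytes, candidates, keyfile: Optional[bytes] = None) -> Optional[str]:
    """Risk model: whoever holds the encrypted data can try password guesses offline.
    Returns the recovered password, or None if no guess reproduces target_key
    (with the key-file if the attacker has it, without it otherwise)."""
    for guess in candidates:
        if keyfile is None:
            k = password_only_key(guess)
        else:
            k = password_plus_keyfile_key(guess, keyfile)
        if hmac.compare_digest(k, target_key):
            return guess
    return None


# Constructed demo inputs: a weak password and a small guess list that contains it.
WEAK_PASSWORD = "letmein1"
CANDIDATES = ["password", "123456", "letmein1", "qwerty"]
KEYFILE = bytes(range(256)) * 4  # placeholder for a 1 KB file kept on a separate device


def demo() -> dict:
    """Compare the two configurations; returns what each guessing run recovered."""
    pw_key = password_only_key(WEAK_PASSWORD)
    mixed_key = password_plus_keyfile_key(WEAK_PASSWORD, KEYFILE)
    return {
        # Password alone: the weak password falls to the guess list.
        "password_only": dictionary_attack(pw_key, CANDIDATES),
        # Password + key-file, attacker lacks the key-file: the same list fails.
        "mixed_without_keyfile": dictionary_attack(mixed_key, CANDIDATES),
        # Only with the key-file in hand does password strength matter again.
        "mixed_with_keyfile": dictionary_attack(mixed_key, CANDIDATES, KEYFILE),
    }


if __name__ == "__main__":
    print(demo())
```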

Of course, IronKey isn’t the only game in town and at their price, I’m not sure the security advantages are going to be obvious to those comparing IronKey to GuardID’s IDVault. If the purchaser is looking for secured surfing I suspect the IDVault will win, but if secure data storage on a portable device is the goal, IronKey all the way. These devices are actually nothing alike, but will Joe Noob at the Best Buy rack understand beyond $40 vs. $150? It all comes down to marketing as usual and Bill Harris does know how to do that, so I’m not betting against him and the IronKey team. I’m just not likely to be one of their customers unless their service offering increases in some interesting direction… say, making CardSpace cards portable and still secure such that IronKey serves as my Identity Provider playing with OpenID while also making OpenID secure.

Yeah, that would have my attention and likely my $$.

Hey Bill or Mr. Harris, if you prefer; I’m available to help with that <grin>!

Originally published March 18, 2008

 Posted by at 2:54 pm
May 19 2008
 

We are well into the era of Web 2.0 with social networking all the rage. At work, we are using an increasing number of web applications and services. Consequently, we are spreading around an incredible amount of sensitive information about our families, employers, associates and ourselves. Amazingly, we have made no real gains in creating an environment where:

  • We can assert our own identity with any security or assurance,
  • We can protect our data from trivial compromise,
  • We can ascertain the identity of others in “the social network” and, consequently,
  • We know whom to trust at what levels.

What’s the story?  Where are the solutions?  Should I found a start-up to address it?

Do you, dear reader (Hi, Dad!) know of any products or services addressing this to your satisfaction?

P.S. Wow! About 5 minutes after initially posting this, I ran across this blog entry by Ashish Jain. Great stuff and cuts to the heart of my point. Also very troubling as Ashish is quite involved with SignOn.com (Ping Identity related), an OpenID IP.

Originally published March 17, 2008

 Posted by at 2:24 pm