
 

Things I read today that I found interesting and worthy of comment August 27th:

 

Things I read today that I found interesting and worthy of comment August 18th:

 

Things I read today that I found interesting and worthy of comment August 17th:

  • Layar Augmented Reality Now World Wide on Android, iPhone is Next – Hmmm, I'll have to give this type of thing more thought. At first my reaction is the reverse-engineering function of this type of application in that it builds a great database of where you are and what you're interested in. Not that such data isn't available to be aggregated into a scary situation by Google and others today, but this raises the bar even one more level. However, like most technology today, there's a trade-off of what you give up for what you get. The mention of using augmented reality in conjunction with Wikipedia made me think of the uses I could have put such technology to while wandering the streets of Venice or Rome. Not using Wikipedia of course, as I take everything on that site with a grain of salt, but this seems like a natural progression for the tourist book folks and even some history publishers to build something very interesting.

    I'd used something like that for limited functionality, but increasingly, I'm turning off all but the most basic phone functions of my Blackberry to retain as much privacy as I can in an increasingly overly-connected-n-tracked world.

 

Lose, Lose When You Talk About Race (Victor Davis Hanson)

http://www.victorhanson.com/articles/hanson080209.html

Superb article, ignore anything I’ve typed here and go read this post from Mr. Hanson.  No, really, go on, I’ll wait.

Good stuff, eh?  Troubling that those that don’t fall over in a swoon over our current President are presumed to have only one possible reason… his race.  Really ticks me off.  There are plenty of people of many races for whom I would gladly vote, not because they are that race, but because of their beliefs, values and hence, character.  Isn’t that what Martin Luther King, Jr. expressed as the realization of his “I Have a Dream” speech?

I don’t despise Obama because of his race, I despise him as I did Clinton and Carter, because of their hideous world-view that socialism is the direction America should go.  Now we can argue about who wanted to make the most changes the fastest in this discredited and proven destructive direction, but 2/3 were plain ol’ white guys and I despised them equally as much as Obama.  I do think he may be the most dangerous as so many conservative, supposed leaders remain cowed to point out that the Emperor wears no clothes because that would be racist. 

Nuts to that!  A wannabe socialist dictator should be opposed and given no quarter just because someone might call us a rude name.  Oh and guess what, I equally despise Nancy Pelosi and Steny Hoyer and they are plain ol’ white people.  Obama would probably consider them “typical white people” like his grandmother.  I don’t despise them because of their color.  Heck, I couldn’t pick them out of a lineup as I don’t watch news, but I know what they believe and therefore they are my enemy.  Nothing to do with race, theirs or Obama’s.

 

Things I read today that I found interesting and worthy of comment August 12th:

  • Social Media Pillows Are All Kinds of Awesome – Home decor for nerds.
  • Special Report: Is US Chief Information Officer (CIO) Vivek Kundra a Phony? (John C Dvorak/Dvorak Uncensored) – Go John! More Obamanation fodder. Guess the mess-sigh-ah likes to surround himself with those of equal experience in their various roles, but then czars never really had to have any qualifications beyond divine right anyway.
  • Xbox 360 officially the only console to stream Netflix – sorry, PS3 and Wii (Darren Murph/Engadget) – Interesting. I guess that somehow the browser on the PS3 is prevented from doing the streaming that is available in a PC browser?
  • Remakes of Classic Bullfrog Games a Possibility From EA – Populous was the first PC game I ever played. I played it on a friend's PC as I wasn't able to afford such a luxury at the time. I'd love to see this available again on something other than the poorly received DS port.
  • Twitter Down: It Was An Attack – Do these attacks not happen to FB, MySpace, Google, Yahoo, etc.? For being all the rage, seems the operations team is either incompetent, seriously under-staffed or under-funded. Could also be the underlying design is seriously flawed in some regard, I guess… back to incompetent then? :-) Yah, I'm on a serious flame-baiting rampage today, not consciously, just happening.
  • Capcom Platinum Hits Three-Pack Coming to Xbox 360 – Solid games, but if they didn't fix the controls on Dead Rising, which was a fabulous, but poorly executed game on a controls-level, count me out. Otherwise, a great value if you even have interest in 2 / 3.
  • Facebook: No Sponsored Status Updates Allowed – Complete and utter B.S. I'm going to purposely start mentioning brands in my status updates from here on out. Let FB figure out if I'm paid or not. If I mention my company, which clearly pays me, is this a violation? Must be some Obamanation wanna-be's at FB, eh?
  • Snow Leopard vs. Windows 7: The War of the Wallpapers (Philip Elmer-DeWitt/Brainstorm Tech) – Yeah, because stock wallpapers are so critical to an OS. Only really points to who is marketing to whom (or is that whom to who? or whom to whom?). Apple markets to the "I'm so much cooler than the masses" crowd while Microsoft is marketing to those masses. Checking the market adoption numbers bears out the obviousness of this example. What would be interesting is to know the average time in each OS that stock wallpapers are used as a user's wallpaper vs. being switched out for something custom by the user.
  • Fear and Impatience are Killing the Nabaztag Bunnies – Nuked your passport yet? I'll be doing that as soon as I get my new one.
  • The Top 100 Search Terms Queried by Kids – Got kids online? Wondering what they are searching for? Check out this article. Yeah, I know YOUR kid isn't searching on "Sex" or "Porn". Someone with kids want to share why "Fred" is in the top 10?
  • Firefox Tips: 5 Ways to Spice Up Your Sidebar – FireFox… Fah, I say! :-) Yep, unnecessarily inflammatory FF hating… Why? Cuz it's fun!
  • How To: Backup And Search All Your Friends' Tweets In Google Reader – Actually, yes, I do want my tweets to come to me in RSS as some folks, for example Drudge Report, post to Twitter, but don't provide an RSS feed (yeah, weird). I like the functionality Dave Winer has built, but need an automated "scraping" function that I could setup to automatically generate the OPML and import to my Google Reader for a daily "semi-live" feed.
  • Fair-use argument fairly useless against DMCA – Two thoughts:
    1) A pox on both political parties for the hideously general and consequently over-reaching DMCA.
    2) You really want these same morons to control all aspects of your actual, real LIFE with any type of Health Care (i.e. freedom and liberty reducing) "plan"? Seriously, it isn't any more difficult than that.
  • Report States U.K. PS3 Stock Clearing for Price Cut – Back-pressure is building as several BluRay items are out that I'd like to acquire, but not enough to drop $400 on a PS3. They drop the price and keep a couple free games in the mix and I'll probably make this my Christmas present to myself.
 

Things I read today that I found interesting and worthy of comment August 11th:

  • 10 Ways to Archive Your Tweets – Archiving tweets! Wow, if you're putting information out on Twitter as a main source of content for which you don't have alternate backup? For people that really want to recall what all their friends had for meals for the last year? I readily admit that I don't get what Twitter is really any good for unless you also like to watch American Idol, TMZ, Entertainment Tonight or are trying to build your credibility as a "with it" tech blogger.

    I keep logging into my account and checking out the supposedly "hot" things to follow and am completely put off by the dizzying stream of short, tiny-url'd and hence, completely useless posts.

 

VDHs Private Papers: The Great American Debt.

I couldn’t say it any better than he did.  The realities of the catch-22 we the voters have put ourselves in with regard to our lack of any discipline is why I don’t believe we’ve yet gotten anywhere near the “bottom” of this economic downturn.  There’s a lot of self-delusion at work from the citizenry to the press to the government and until we decide to act like adult citizens and elect adult representatives, we’re in for a long period of pain. 

Of course for some that “hope for change”, this emasculating of America is exactly the goal.  Remake America in the image of the rest of the banana republic / statist / second-rate nations.   It would be more honest if they just jumped right to the equalization tactics of out-and-out communist regimes of the past and took the doctors out of the hospitals to the fields and the farmers into the hospitals, but then enough true Americanism still runs through enough citizens’ veins that an honest, up front, straight-forward approach wouldn’t be tolerated.

I do have some hope that at least the health care scam has been seen through by enough people that perhaps their vision will be cleared about all else that is being done to “take care of them”.  Remember my comment about adults earlier?  This is what I mean.  Are we adults who care for ourselves and our own or are we mere child wards of the state?

 

Things I read today that I found interesting and worthy of comment August 10th:

 

Things I read today that I found interesting and worthy of comment August 5th:

  • Authenticators back in stock at the Blizzard store – LOL! Just mentioned the Bliz Authenticator in my last comment on the state of cloud computing security and here is an article about them being back in stock. I need to see if I can easily switch to Mobile Authenticator from my current key fob.
  • The Cloud Isn't Safe?! (Or Did Black Hat Just Scare Us?) – Good article that ends in a solid and, I believe, accurate analysis of the state of cloud computing. Bottom line is that there are vulnerabilities everywhere that humans set up and run machines. To think that your large IT team is doing better than the large Amazon or other service provider of choice seems a bit naive to me. The daily dose of "organization has X million users' data compromised" bears this out.

    I do take issue with one element of the Password section. Certainly I agree that single factor password systems need to die. Certainly users are resistant to complexity and "extra steps", but are they really? For applications that contain data, items (real or virtual) or even real money which customers care about, they repeatedly show up for the stronger authentication when offered. If you tried for months to get a Blizzard Authenticator for $6.50, but couldn't because they were sold out, then you know what I mean. The real problem is that users are resistant to having to have "extra steps" that differ from site to site.

    Of course this is the holy grail of online identity, to be the entity that issues THE CREDENTIAL for use across everything. Remember Microsoft Hailstorm that became a gimped Passport that is now just another silo'd ID used at MS sites? OpenID, InfoCards and several initiatives are at work trying to at least be the basis upon which THE CREDENTIAL may be issued. Of course THE CREDENTIAL in this age of phishing, pharming, trojans, etc. must be a strong credential. It will be interesting to see what technology and which IDPs (ID Providers) win the day.

  • Vonage Churning Subscribers, Stomachs – Though I know folks, even in my own family, who have switched to Vonage and are generally happy, this entire concept has always made me leery. For one thing I've never liked the idea of having all my communications options in one basket. "The internet is down" is still heard too often throughout my house and I consider my cable modem very reliable, but it suffers the occasional blip ranging from seconds to minutes over the course of a month. I'd be very unhappy to be losing not only my online data connectivity, but voice in the midst of any of the business calls I have throughout the week.

    I also rely on my phone for connectivity to items in my house such as my security system. Sure, I have backup wireless connection too, since wires are easy to cut, but still POPS (plain ol' phone service) is well tested, reliable and works in power outages unlike my cable modem.

    My main phone is my cell phone and indeed that is the only number anyone has for me that I want to actually contact me. My home phone doesn't ring anywhere and consequently that's the number I give anyone I don't want to hear from or who might be selling that to folks I definitely don't want to hear from.

    With the ever-growing adoption of cell phones as the primary phone, the growing adoption of smartphones and the emergence of alternate communication services such as Skype and Google Voice, Vonage and its brethren seem like a transitional offering that may have already peaked. Perhaps Vonage should widen its offerings in the Google Voice direction so it can gather those that transition beyond its current offering?

 

I’ve taken a lot of questions lately on the topic of KBA.  KBA (Knowledge Based Authentication) is a general term that covers several types of scenarios where users are asked a set of questions to verify their identity for situations where there isn’t another credential available to authenticate the user.  There are various cases where this is used:

  1. A user you don’t know.
  2. A user you do know.

The user you don’t know

Typically this is when a user shows up to register for service and likely will end up with an authentication credential at the end of the process, which they will use going forward to authenticate themselves.  KBA is generally used in this case to prove or establish the identity of the user and again, generally for services where the user’s true identity really matters because of regulations or other legal “know your customer” types of strictures.

The user you do know

This is the situation where a registered user who does have a valid credential / identity with you is, for some reason, unable to use that authentication mechanism to log in.  Typical use cases are when the user is unable to log in with their proper credential for one of the following reasons:

  • User has forgotten their password.
  • User does not have access to their second (or third) factor in a strong authentication situation.  Anyone who has needed to login when they didn’t have their hardware (OTP token, hardware smartcard) or software token (cookie, software token, software smartcard) has at one time or another encountered this scenario.

Types of KBA

There are three methods of accomplishing KBA.

  1. Questions the user knows, but you do not.  Generally speaking these Q&A pairs are obtained via services that utilize public or semi-public data sources to ask questions about a user.  These questions can take a wide range of forms and are often referred to as “out of wallet” questions, as they are questions that couldn’t be answered by a thief who has stolen a user’s wallet.
    • Provide the address where the user lived during a range of dates.
    • Provide the amount of a recurring payment (mortgage, car, etc.)
    • Provide the proper relationship (spouse, father, sibling, etc.) the user has with a named person.
    • Other questions that can be directly or indirectly built from public and semi-public information.
  2. Questions both the user and you know because of a prior existing relationship outside the online channel.  These Q&A pairs are derived from information you have about the user from a relationship you have with them outside the online relationship.  This can take any number of forms, but the typical scenarios most are familiar with are:
    • Amount of last transaction
    • Account number used to make transactions
    • Other information you have that the valid user should know or be able to readily obtain.
  3. Questions you and the user both know because the question / answer pairs were set up as part of the online relationship.  These Q&A pairs are arranged in advance (consequently this is often referred to as “static KBA”), usually at registration, or set up post-registration as part of the user’s profile specifically to help the user authenticate themselves when there is an issue using their normal authentication credential.

Clearly, KBA Type #1 is great to use for those users you don’t know and want to identify as being exactly the person they claim to be.  If you are setting up an online relationship from scratch, don’t have any prior basis upon which to “know your customer”, need to know that John Smith is the John Smith at 123 Main St., Somewhere, Ohio, U.S.A. and want to do this all online, then this is a good way to go about it.  There are a fair number of services that provide exactly this function, generally used at registration or initial provisioning of login credentials.  One of the main considerations to bear in mind when shopping for these services is how well they structure the questions such that the legitimate user can answer them and an attacker can’t obtain the answers from publicly available sources or guess the answers.  This can be harder than it sounds, as balancing the increased security of this type of KBA vs. static KBA against keeping the questions from frustrating and confusing end users is a tricky proposition.

This isn’t to say that KBA Type #1 can’t be used for other use cases such as self-service forgotten password resets or “step-up” authentication or other secondary authentication use cases.  It can be used for those as well, but may be a higher cost type of transaction than using either KBA Type #2 or #3. 

KBA Type #2 is a lower cost option when having an existing customer you know sign up online for services.  This can also be used for other use cases as well, though asking questions that aren’t too readily guessable or aren’t reused too often can be difficult depending on the amount of variable, private or semi-private information you have on your customers.  For instance, my mobile phone bill doesn’t vary that much month to month and the people I call are probably pretty easy to guess for anyone willing to spend a bit of time researching me, so those types of questions wouldn’t serve very well.

Which brings us to KBA Type #3.  All of us that participate in much of anything online are familiar with this one.  You set up an account and at registration are asked to set up one or more questions to be asked for any number of reasons including:

  • Self-service “forgot your password?” scenarios
  • Various renditions of, “We don’t recognize you having used this computer”, “We want to verify your identity”, “Reset your <proprietarily named security “token”>”.  This occurs when you are logging in from a device the site doesn’t recognize, or you or your anti-virus / anti-malware software deleted your cookies, such that the authenticating site wants to make sure you aren’t an imposter.
  • Step-up authentication.   You attempt some transaction or behavior deemed “risky” by the site, so again, they want to ensure you aren’t an imposter.

You usually get to pick from a list of drop down questions and in some cases even can write your own questions.  This is popular since it is inexpensive as there is no service provider to pay and reduces the number of help desk calls for high frequency events, such as “I forgot my password”. 

There are a couple of drawbacks.

  • You don’t want to have users setup questions that are easily guessed or readily discovered (mother’s maiden name) or for which the set of answers is small (many people have the favorite color blue).
  • Users don’t remember answers to less obvious questions, fail the step and call the help desk anyway.
  • However simple you try to make it by keeping the number of questions low, and even with complicated questions, the entire scenario of static KBA is prone to phishing and guessing attacks.  After all, KBA Type #3 (aka “static KBA”) is just another single-factor, something-you-know shared secret, i.e. a “password”.
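The drawbacks above are concrete enough to measure and to mitigate in code. The Python below is an added example (not the author's code or any vendor's product): the two answer distributions are constructed for illustration, `guess_success_rate` shows how far an attacker gets with nothing but population statistics and the three tries a lockout allows, and `StaticKbaStore` stores the answers the way a password should be stored, since a static KBA answer is exactly that.

```python
import hashlib
import hmac
import math
import os
import re
import time
from collections import Counter

# Constructed answer distributions for two hypothetical static-KBA questions.
# The numbers are illustrative relative frequencies, not survey data.
CONSTRUCTED_ANSWER_STATS = {
    "favorite color": Counter({
        "blue": 40, "green": 15, "red": 14, "purple": 10,
        "black": 8, "yellow": 5, "orange": 4, "pink": 4,
    }),
    "street you grew up on": Counter({
        "main": 3, "oak": 2, "elm": 2, "park": 2,
        **{name: 1 for name in (
            "maple cedar hill lake pine river mill church walnut spring "
            "high school center washington lincoln union jackson franklin "
            "chestnut sunset").split()},
    }),
}


def guess_success_rate(dist, attempts):
    """Share of users an attacker compromises by trying the `attempts` most
    common answers in the population, i.e. with no knowledge of the victim."""
    total = sum(dist.values())
    top = sorted(dist.values(), reverse=True)[:attempts]
    return sum(top) / total


def answer_entropy_bits(dist):
    """Shannon entropy of the answer distribution; a few bits means a tiny answer set."""
    total = sum(dist.values())
    return -sum((c / total) * math.log2(c / total) for c in dist.values())


def normalize(answer):
    """Case-fold and drop punctuation/whitespace so 'Maple Ave.' matches ' maple ave '."""
    return re.sub(r"[^a-z0-9]", "", answer.lower())


class StaticKbaStore:
    """Static (Type #3) KBA answers handled like the passwords they really are:
    salted, iterated hash at rest, constant-time comparison, and a lockout
    after a few wrong answers so online guessing is bounded."""

    ITERATIONS = 100_000          # tune upward for production hardware
    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 15 * 60

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable for deterministic tests
        self._records = {}        # (user, question) -> (salt, digest)
        self._failures = {}       # user -> (count, time of first failure)

    def _hash(self, answer, salt):
        return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, self.ITERATIONS)

    def enroll(self, user, question, answer):
        salt = os.urandom(16)
        self._records[(user, question)] = (salt, self._hash(answer, salt))

    def _locked(self, user):
        count, first = self._failures.get(user, (0, 0.0))
        if count < self.MAX_FAILURES:
            return False
        if self._clock() - first >= self.LOCKOUT_SECONDS:
            self._failures.pop(user, None)   # window expired; start counting afresh
            return False
        return True

    def verify(self, user, question, answer):
        if self._locked(user):
            return False                     # rejected even if the answer is right
        record = self._records.get((user, question))
        ok = record is not None and hmac.compare_digest(self._hash(answer, record[0]), record[1])
        if ok:
            self._failures.pop(user, None)
            return True
        count, first = self._failures.get(user, (0, self._clock()))
        self._failures[user] = (count + 1, first)
        return False
```

With the three-strike lockout in place, an attacker who knows nothing about the victim still compromises 69% of accounts protected by the constructed favorite-color distribution (three guesses: blue, green, red), against about 24% for the constructed street-name distribution. The lockout bounds the number of guesses per account, but it cannot repair a question whose answer set is that small; the hashing only protects the answers if the database leaks, which is the other reason to treat them as passwords.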

There have been an increasing number of news items about the compromise of politicians, celebrities and even services being “owned” via KBA compromise.  Which brings me back to the beginning of this article and why I am hearing so many questions and such confusion over the issue of KBA. 

Folks want to know:

  • What are the best questions to ask?
  • How many questions should I ask?
  • Do I provide questions or let the user pick their own?
  • Should I use static / Type #3 KBA at all or go with Type #1 KBA for all use cases?

These are tough questions to answer in the face of KBA’s growing list of failures.  Mark Diodati over at Burton Group has written a ton on the issues of KBA and in a May 29th article states what my personal opinion is with regard to KBA:  “Can We Finally Commit to the End of Knowledge-Based Authentication?”.

Yahoo and Google, who in the last year have both had high-profile users in the news with compromised accounts because of hacked KBA, have apparently decided that KBA needs help.  They are both offering the ability for end-users to use their mobile phones instead of KBA for resetting passwords and I hope for any other secondary authentication opportunities that may arise in the use of their services.

Yahoo’s wording is:  “Having your mobile number will help future password reset attempts.”  I thought for sure I had a security question setup on Yahoo, but now can’t find it anywhere.  My test drive of their forgotten password procedure tonight shows that my phone is the default or I can pick a non-Yahoo email to use for the ID verification step.  No security question offered.  I don’t know how much they are promoting this yet, but hopefully a lot and soon.

Google’s Account settings page lists email, SMS to your phone and a security question as options for password recovery.  When I ran my test there tonight I was advised that an email and an SMS phone message had been sent to assist me in recovering my password and a link for each was provided so I could pick which I wanted to use.  While Google does still have a security question and answer, that can’t be used until my account has been idle for 24 hours.  Interesting compromise.
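The Google flow as described above (SMS and email offered immediately, the security question only after 24 idle hours) is a small policy that can be written down and tested. The Python below is an added example, not Google’s or Yahoo’s code: the 24-hour idle gate is taken from the description above, while the ten-minute code lifetime, the six-digit code format and the single-use rule are my own assumptions about how a one-time recovery code should be handled.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

IDLE_BEFORE_QUESTION_SECONDS = 24 * 60 * 60   # idle gate for the security question, as described above
CODE_TTL_SECONDS = 10 * 60                     # assumed lifetime of a one-time recovery code


@dataclass
class RecoveryProfile:
    phone_verified: bool = False
    recovery_email: str = ""
    has_security_question: bool = False
    last_active: float = 0.0


def recovery_methods(profile, now):
    """Channels to offer for password recovery, strongest first. Out-of-band
    channels are offered whenever enrolled; the static question is a fallback
    only once the account has been idle for the gate period."""
    methods = []
    if profile.phone_verified:
        methods.append("sms")
    if profile.recovery_email:
        methods.append("email")
    if profile.has_security_question and now - profile.last_active >= IDLE_BEFORE_QUESTION_SECONDS:
        methods.append("security_question")
    return methods


class RecoveryService:
    """Issues and redeems one-time codes for the out-of-band channels.
    Only a hash of the code is stored, it expires, and it is single use."""

    def __init__(self, clock=time.time):
        self._clock = clock           # injectable for deterministic tests
        self._pending = {}            # user -> (channel, sha256(code), expires_at)

    def start(self, user, profile, channel):
        if channel not in ("sms", "email"):
            raise ValueError("one-time codes are only delivered out of band")
        if channel not in recovery_methods(profile, self._clock()):
            raise ValueError(f"{channel} is not available for this account")
        code = f"{secrets.randbelow(10 ** 6):06d}"
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (channel, digest, self._clock() + CODE_TTL_SECONDS)
        # Returned only so the caller can hand it to the SMS/email sender;
        # it must never appear in the web response.
        return code

    def redeem(self, user, code):
        record = self._pending.pop(user, None)   # single use: gone after any attempt
        if record is None:
            return False
        _channel, digest, expires_at = record
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest)
```

A wrong guess burns the pending code rather than leaving it open to further attempts, which is the trade-off that makes a short numeric code safe to deliver by SMS; the security question never gets a code at all, it is only listed as a method once the idle gate has passed.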

Which brings me to the title of this article, “Trend in KBA?”.  Google and Yahoo are moving away from KBA (static, Type #3 KBA to be exact); shouldn’t those for whom reputation is even more important consider doing so?  I know this is a battle that till now has been dominated by the business and bean counter side of the organization while the security folks get ignored as usual as being unrealistic and alarmist.  Time to listen to the security folks and dump KBA.

© 2012 Who is Hahleq? Suffusion theme by Sayontan Sinha