security


Bob Lord reports that NSS (Network Security Services), the crypto library that powers software such as Firefox, Thunderbird, OpenOffice and Fedora Directory Server, has recently been FIPS 140-2 level 2 validated by NIST. This is an important milestone because NSS is the only open source crypto library validated to level 2, which is the highest level a software-only module can reach (levels 3 and 4 require physical tamper protection). Level 1 allows use in a single-user environment, while level 2 allows a multi-user environment: that not inconsiderable detail allows NSS-based software to be deployed into security-sensitive environments that resemble the commonly used configuration of modern operating systems.

This is also an important milestone because applications that use the NSS library for crypto, and that follow the security policy of the validation, are legitimately able to claim compliance themselves. That is because NSS draws the cryptographic boundary behind its APIs, so no private keys are exposed to applications; the validated module is the whole of the crypto an application touches. This means that a whole bunch of software just became usable in an ever increasing number of environments requiring FIPS 140-2 level 2 validation.

Congratulations to the NSS team.

Recently Kim Cameron has been defending CardSpace against various assertions that it won’t work offline. As I pointed out some while back, that is pure nonsense. I’ll let you read Kim’s blog for the details of how such a system might work with CardSpace, but I’ll just say it has to do with delegation. And that’s just a big word for access control, in this case user-centric decentralized access control.

There really is no big secret to how this stuff is possible: at some point in time an offline user will be online, and during that time, instead of ceding their credentials to the service in the sky (or worse, having it happen without choice), they spend the time granting access specific to the service that needs it. That’ll be a statement along the lines of “Pete’s blog is allowed to view this Flickr photoset”, not “here’s my password dude, do as you will”, nor indeed “hey, IdP, see that service? That’s me that is.” The grant names the grantee, the action and the resource, so it cannot be turned into anything else later. I have to agree with Kim on the notion of impersonation: at no time should anybody give the required access level for impersonation of themselves, on or offline.
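To make the difference between a delegation grant and credential sharing concrete, here is an added example (not code from the original post, CardSpace or any Flickr API). The identity provider signs a grant while the user is online; later, the resource holder accepts it only from the named grantee, only for the named action on the named resource, and only until it expires. The token format, key, names and URLs are all hypothetical and the signing key is a constructed value.

```python
"""Scoped delegation grant versus handing over a password.

Added example, not from the original post. The token format is a
hypothetical HMAC-signed JSON blob; in a real deployment the grant would
be a signed SAML assertion or similar, but the shape of the check is the
same: who may do what, to which resource, until when.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret standing in for the identity provider's signing key.
IDP_KEY = b"constructed-idp-signing-key-not-for-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_grant(issuer, subject, audience, action, resource, ttl, key=IDP_KEY, now=None):
    """Issued by the IdP while the user is online.

    The user (subject) states: `audience` may perform `action` on `resource`
    until `now + ttl`. Nothing here lets the audience act as the user.
    """
    now = time.time() if now is None else now
    claims = {
        "iss": issuer,
        "sub": subject,
        "aud": audience,
        "act": action,
        "res": resource,
        "exp": int(now + ttl),
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_grant(token, presenter, action, resource, key=IDP_KEY, now=None):
    """Run by the resource holder when `presenter` shows up with a grant.

    Returns the subject on whose behalf access is allowed, or None. Every
    claim is matched literally: a grant to view one photoset says nothing
    about deleting it, about other photosets, or about any other presenter.
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
        claims = json.loads(body)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered grant
    if claims.get("aud") != presenter:
        return None  # someone else is trying to use Pete's blog's grant
    if claims.get("act") != action or claims.get("res") != resource:
        return None  # grant does not cover this operation
    if claims.get("exp", 0) <= now:
        return None  # grant has lapsed; the user must go online and renew
    return claims.get("sub")


if __name__ == "__main__":
    # Constructed scenario: Pete delegates read access to one photoset.
    t0 = time.time()
    grant = issue_grant("idp.example", "pete", "petes-blog.example",
                        "view", "flickr:photoset:42", ttl=3600, now=t0)
    print(verify_grant(grant, "petes-blog.example", "view", "flickr:photoset:42"))
    print(verify_grant(grant, "petes-blog.example", "delete", "flickr:photoset:42"))
```

The thing to notice is what the resource holder never learns: Pete’s password, or anything that would let it pass as Pete elsewhere. Revocation is equally scoped; the IdP rotates or blacklists one grant rather than resetting the user’s credentials.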

There be dragons.

Like to chat online? Of course you do. Like third parties snooping in on your conversations? Of course you don’t. Unfortunately that is the reality today: there is no shortage of IM sniffers out there, which makes your conversations vulnerable to capture even by the unsophisticated. Beyond employers spying on employees, any sensitive company information you divulge could be going straight into the ears of your competitors.

There is good news though: Bob Lord has written about secure AIM, which his team added to the AIM client 5 years ago using open standards. Apparently people who write books about this sort of thing have never noticed the security tab in the AIM configuration, so they don’t write about it. That’s a bit of a shame given that secure AIM uses certificate-based encryption and signing of chat. In other words, the signature tells you who you are talking to, and the encryption means only that person can read what you send. He even offers to help the gaim team if they want a compatible implementation. I do note that there are some crypto plugins for gaim, but there is an obvious advantage in supporting the same scheme as AIM, and an open standard intended for the purpose, at the same time.

Over the last few months there have been a number of highly publicized thefts of databases containing the identity data of thousands of people, in some cases millions. To some this might give the impression that the problem is getting worse quickly. Well, I suppose that is part of the story, but a greater factor is that until recently these thefts were simply kept under wraps. What you don’t know can’t be raised in your defence. One might suppose that this change of heart in reporting thefts is due to some realization that it is the right thing to do. But no, actually it has more to do with newly enacted state laws requiring that people be informed when their data has been, or may have been, stolen; and no doubt companies in states without those laws report thefts in the hope of forestalling new laws. My question is, do these laws go far enough?

In the wake of the Enron scandal, public companies have been required to, among other things, enforce and monitor much stricter rules governing access to data and reporting of that access. That is data pertinent to the running of the business. The focus of the rules is to protect shareholders who have a financial stake in the company. But what about the members of the public who have their data compiled into these vast databases without any say-so or control? What protections do they have? I don’t believe it is enough to force reporting of stolen identity data, embarrassing though it may be. Without responsibility the report merely equates to “You’re screwed, sucks to be you.” If you have any doubt that that is all it amounts to, then consider these facts that can be accessed at the Identity Theft Resource Center:

1. Victims now spend an average of 600 hours recovering from this crime, often over a period of years. Three years ago the average was 175 hours of time*, representing an increase of about 2470%.

2. Based on 600 hours times the indicated victim wages, this equals nearly $16,000 in lost potential or realized income.

3. While victims are finding out about the crime more quickly, it is taking far longer than ever before to clear their records and recover from the situation.

4. Even after the thief stops using the information, victims struggle with the impact of identity theft. That might include increased insurance or credit card fees, inability to find a job, higher interest rates and battling collection agencies and issuers who refuse to clear records despite substantiating evidence of the crime. This “tail” may continue for more than 10 years after the crime was first discovered.

5. Based on the ITRC study, today the business community loses between $40,000 - $92,000 per name in fraudulent charges, based on reported fraud losses seen by surveyed victims. While this conflicts with other findings by other groups, there was a wide range of responses by the ITRC study respondents. The answer is that we may never know the true financial impact of this crime due to mis-classification of identity theft crime definitions by the business community and by victims.

6. The emotional impact on victims is likened to that felt by victims of more violent crime, including rape, violent assault and repeated battering. Some victims feel dirty, defiled, ashamed and embarrassed, and undeserving of assistance. Others report a split with a significant other or spouse and of being unsupported by family members.

7. Today victims spend an average of $1,400 in out-of-pocket expenses, an increase of 85% from years past.

8. Approximately 85% of victims found out about the crime due to an adverse situation - denied credit or employment, notification by police or collection agencies, receipt of credit cards or bills never ordered, etc. Only 15% found out through a positive action taken by a business group that verified a submitted application or a reported change of address.

9. Victims report a lack of responsiveness from those entities to whom they turned for help similar to results reported in 2000*. These include police, collection agencies, credit issuers, utility companies and financial institutions.

Sucks to be you.

Under these rules, which have only been in force for a few years, I have been notified 3 times that my data may have been stolen. In each case my recompense was a free year-long subscription to monthly credit activity reports. I guess that does mean I get to know it sucks to be me potentially much sooner, but, well, it would still suck to be me. There is no element of financial responsibility attached to the database compilers’ lack of adequate security. The reason is really quite simple: it’s no skin off their nose if I go under at the hands of identity thieves. Well, the only way that can be changed is by law.

I’m talking about the kind of responsibility that business understands: fiscal. How about a scheme like this: next time an employee of your company thinks it is a good idea to carry your entire database of identity data around on a laptop that subsequently gets stolen, your company is obliged to foot the bill for any and all identity-related fraud, including all incidental costs, for all the people with information in the database for, say, the next five years. Of course, given that the details have been stolen, it would be that company’s burden to prove in any one case that it was not their leak that resulted in the crime. With something like that in place you had better believe those who safeguard the data will be paying a lot more attention to the guarding part than simply the compiling part. I should imagine that there would be some motivation to also stop relying on the pathetically idiotic proofs of identity in common use now, such as social security numbers and the like.

At the end of the day, if the costs incurred by the victims of stolen identity data, both fiscal and in pure inconvenience, are never accounted for then as history shows us, there is insufficient motivation to treat the data with the care that the public deserves. It’s time to make those who profit from data accumulation pay for the cost of the breaches. Make it a cost of doing business, not a cost of living.

Sometimes a promise is better than just any old promise; sometimes it is worded in such a way as to legally bar the promiser from reneging on it in any meaningful way. There is a legal term for this kind of binding promise: estoppel. Sometimes such a promise is made by mistake, and estoppel is used to make the promising party honor the promise in court; that is, it is used to defeat a lawsuit brought by the promiser against you. Sometimes the promise is made by the promiser with the intention of binding themselves to it, with full knowledge that the promise essentially relinquishes a legal claim.

Why is that useful? Well, in many spheres standards are used to ensure interoperability between vendors, so that for example a nut and bolt vendor can produce nuts and bolts compatible with those of other nut and bolt vendors, and software vendors can produce software that interoperates with the software of other vendors. This is why when you buy a nut or a bolt you are concerned only with the size of the part and not with which vendor made the part it is to connect to. However, standards that specify technology covered by current patents, or even pending patent applications, present a problem for the vendors that do not own the patents. At any time the patent owner may reveal the patent, charge fees, or even deny a vendor the ability to create or sell technology based on the compromised standard. It doesn’t stop there: patents allow the holders to sue end users, i.e. the customers of those vendors. The term “open standard” is often used to describe standards intended for interoperability, but of course the system of software patents prevalent in the US can often render the “open” part redundant. However, a patent holder might decide that their interests are better served by wide implementation of a standard, and in these cases a binding promise makes good sense.

As much as patents might be painful for corporations, they have an especially chilling effect on open source. You see, a corporation can assess the risk of being sued and decide that the level of risk is acceptable. It has become a cost of doing business. However, in the open source world each code contributor to a project is potentially liable, each end user is liable, and each distributor is liable. A distributor of open source software has a special, moral, responsibility to protect those to whom they distribute and those who are subsequent recipients. It is not possible to assess risk in the same way as a proprietary software company because all of those subsequently affected by the decision cannot possibly have an input. If it is known that there are even potential patent issues with a software technology, it behoves the potential distributor to pass. In fact, the GPL requires it: section 7 of GPL version 2 forbids distribution when patent conditions prevent you from passing on the licence’s freedoms. That is why you will not find an MP3 player as part of any Red Hat distribution: the MP3 (MPEG-1 Audio Layer III) “open standard” specifies patented technology, so despite what you may have believed, it isn’t “free”, not as in beer, nor any other way.

But make a promise, a legally binding promise, that you will not assert your patent claims against anyone who implements those claims in their software, and you have something that open source can work with. That is what Microsoft just did, with its Open Specification Promise, with regard to the WS-* set of web services standards. This step enables open source implementations of the underlying protocols of CardSpace, a.k.a. InfoCards. Given the interest that OSIS has in this space, that is pretty significant. Without such a promise, InfoCards would be a single-vendor proprietary technology, and that would be in violation of law 5 (pluralism of operators and technologies) of Kim Cameron’s Laws of Identity.

Let’s review the opening:

Microsoft irrevocably promises not to assert any Microsoft Necessary Claims against you for making, using, selling, offering for sale, importing or distributing any implementation to the extent it conforms to a Covered Specification…

I think we have a winner, and in no small part due to the efforts of Kim Cameron and Mike Jones of Microsoft. Thanks guys!

In Why Johnny Can’t Authenticate Ben Laurie makes the point that:

I often hear it argued that using something better than passwords will fix the problem, for example, public/private key pairs. There’s actually two fundamental reasons why this ain’t so…

  • So long as its possible for users to recover from losing their keys (or passwords, or whatever it is they use to authenticate) in a way that can be imitated by phishers, they will not be helped by these protocols. Phishers currently concentrate on getting people’s passwords simply because that’s the low-hanging fruit. Pluck that fruit and they’ll move on to recovery (which obviously cannot use anything the user can’t hold in their head).
  • Computers aren’t secure and users can’t be trusted to make good decisions about what to run. Start using public/private key pairs and they’ll be stolen by viruses and worms instead of fake websites and spam. Indeed, trojans that log keys in order to steal passwords already exist.

This perfectly reasonable opinion really speaks to the current state of affairs. It is war out there, and right now the phishers are winning. But I wonder whether it really is an unwinnable war, or whether the current state of the art is simply too bogged down in its own dogma to see past it. In the end no single thing will save us from the phishers, since there are just too many angles of attack. However, I would like to think that a combination of technologies and user training through good rituals will make phishing a long shot, so long that it is not worth the risk of the attempt. I do wish our banks would help out by using what is available now, though.

The Liberty Alliance made a bold statement in Vancouver last week when it opened its doors for the first time to the hoi polloi. Now, this was interesting enough to demand a visit in and of itself, but with the addition of an Open Space after the Liberty meeting, well, you knew I was going to be there, right?

The first two days consisted of the regular business of the Liberty Alliance, where visitors were allowed to attend any session except for the super secret board stuff. I attended many of the technical sessions, which were interesting, though sometimes hard to follow as an outsider without access to the documents under consideration. I also took part in a session around privacy concerns that not only assured me that Liberty has them but that it is serious about dealing with the issues. The conversation turned at one point to outside perceptions of Liberty itself and its lack of openness about its internal process and draft documents. Somewhat ironically, it was pointed out that no information about the location of the Liberty conference could be found anywhere, at least not by those without access to internal websites. A consequence of this being the first open meeting, no doubt. In all, an interesting and worthy meeting.

The final two days were spent on the Open Space which was run in unconference format by Kaliya Hamlin and was excellent as usual. Topics ranged from SAML to Liberty People Service to how should we rename this user centric identity thing? Kim Cameron wrapped up with a lunchtime introduction to CardSpace that by popular demand lasted for nearly two hours. At one point Kim was asked whether Apple would have an identity selector like CardSpace and Kim redirected the question to me in my capacity as OSIS representative. As the newly appointed unofficial spokesman for Apple I suggested that if Steve Jobs would call me I’d hook him up.

So Steve, call me.

I’ve been waiting a while for Phil Becker to complete his series of the top five identity fallacies so that I can blog them in one go. The series is very insightful and I would urge anyone interested in digital identity to read them. So here they are:

  1. We’ll Add It In Later

  2. Enterprise Identity is Hierarchical

  3. Centralized Management Means Centralized Data

  4. Identity is Monolithic

  5. Net 2.0 Can Happen Without Solving Identity

Enjoy.

Kim Cameron has blogged about a conversation we have been having recently about the OSIS (Open Source Identity Selector) project. Negotiations have been underway for many months in order to get to a point where all parties are comfortable that legal and other issues are in order. I am happy to say that Red Hat has been involved with this process from the beginning.

I agree with Kim on the importance of the participation of Red Hat. As the leading Linux distribution it provides a platform for the project and a significant distribution channel, all things required for ubiquity. Ubiquity and cross platform support is a major goal for OSIS and the identity meta-system in general.

When I met with Paul Trevithick and Mary Ruddy some months ago to discuss Higgins it was clear to me that there was an alignment in project goals. Architecturally Higgins represents an uncannily good fit, so I am very pleased to see the client effort folded into the Higgins project. Perhaps Higgins’ suitability is not so surprising given the exchange of ideas and collaboration that has been going on in the identity gang.

In the coming months I hope to be in a position to enable support for information cards on this site with end to end open source software. Watch this space.

Paul Madsen has blogged about the recent SAML profile that dials down the security requirements for low risk use cases. The profile is a worthy effort and I welcome the attempt to lower the barriers for adoption in domains where full crypto means no deployment. However, Paul concludes:

I don’t know just how much effort was expanded by Scott & Jeff on this work - I do know that far more would have been required to be “adding” security at this point.

As is true for haircuts - you get into trouble if you take too much off the first time.

Hey Paul, hair grows. Check out the fine mop that I sport. If I had waited until that monster had matured before being born I would have had trouble getting adopted too. Therefore I must conclude that Paul has a secret yearning to be a hairdresser, since on the rare occasion I visit one they all but refuse to cut my hair too. It really is like a bad UI:

“Are you sure you want me to cut your hair?”
