Posted 12:46 PM (2) comments

He who steals my identity steals - not very much?

Good article in the Wall Street Journal today ("The Fallacy of Identity Theft") by Julia Angwin. She starts off:

"As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person.

Yes, the criminal will be masquerading as me. But anyone who knows me – my husband, my children, my colleagues, my doorman, my employer – will not be fooled. If 'I' was actually stolen, I believe that would be called a kidnapping."

She goes on to show that the problem is really fraud, the people who have their identity "stolen" don't lose much and, in truth, the amount of fraud is dropping. Her conclusion?

"It turns out that 'identity theft' is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money – but your soul. Maybe it's time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don't need."

Excellent!

Labels: fraud, FUD, rant, theft

Posted 9:43 AM (0) comments

Tell us what you really feel...

In an Open Letter to Steve Ballmer, Craig Burton rants about the ridiculous policy Microsoft has for controlling updates and enhancements:

As we drove further down to path to understand why, we were told the following unbelievable conversation. (The following is not an exact quote, but close.)

Changes like you are requesting can only happen in an “in-band” release of Windows. These sort of changes are prohibited from going out in the Tuesday updates. What goes out with in-band releases the Tuesday updates is controlled by—Steve Ballmer.

Well F*&% me. Dude, after all of these years, you are still micro managing the Windows release! Now I know why Microsoft is now been relegated to insignificance in the identity market. The reason is simple. Internal policy, managed by you, prohibits product mangers from keeping up with trends and innovation.

And what was the momentous change Burton was asking about?

In our meeting, we discussed how many man hours it would take to modify CardSpace to support context-automation. The answer is a few days of work at the most. When asked how long before such a simple change would find its way into CardSpace, the answer came back as two years at best, maybe.

Unfortunately, Ballmer has never understood the importance of identity to the fabric of computing, so he's never going to permit what he would perceive as "feature creep" in the regular monthly updates. That's good news for Microsoft's competitors, and bad news for it's customers.

Labels: Burton, cardspace, metasystem, Microsoft, rant

Posted 1:53 PM (0) comments

Snoopy Sears

World +dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a NASCAR box showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.

Click on the Facebook link, for example, and you see "Allowing Signin.mysears.com access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."

Click on the Twitter link and get: "The application Signin.mysears.com by Sears would like the ability to access and update your data on Twitter."

Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?

Decidely and emphatically, NO!

Some may think this is a step forward for OpenID, but it's not. It's a step back for privacy.

Labels: openid, privacy, rant

Posted 10:23 AM (0) comments

Half empty?

Although the city of Bozeman, MT has now dropped it's requirement that job seekers, to be considered for a job, must provide login information and passwords for social network sites in which they participate, the story notes: "...the passwords already given by previous applicants will remain the confidential property of the City. "

Why?

They admit that it was poor policy to collect them. The ethical thing to do would be to immediately discard them - safely. Until you do that, Bozeman, you're still going to be at the top of the anti-privacy list.

Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I'd hope, wouldn't ask you to leave your finger on file!

Labels: passwords, privacy, rant

Posted 11:01 AM (0) comments

Buzz phrase du jour

Came across another, to me, really dumb term this morning: Private Clouds. I'm still not all that comfortable with "cloud computing," mind you. Differentiating it from last year's Software as a Service (SaaS) where the service is outsourced presents issues to me - issues of why call something a new name when the old one works just as well. So too with this oxymoron "Private Clouds". The author starts by appropriating (from the Berkeley RAD Lab's cloud computing report) a definition of cloud computing. Of course, he goes on to state "...that the RAD Lab specifically states that they do not consider internal (i.e., private) clouds to be 'real' clouds..." This doesn't stop him, though and he blunders on.

Perhaps I just understand this part better, but his comments on Identity Management left me chuckling:

"A robust identity management system needs to be in place to enable automation. Requests for computing services will come not from a sit-down meeting where authentication and authorization will be done on a personal basis - i.e., direct face-to-face interaction enabling the resource granter to identify the legitimacy of the request and the requestor - but from an service request via a software-enabled mechanism like an internal portal."

Ask any mid-sized to large enterprise IdM manager when was the last time that provisioning was done via a "direct face-to-face interaction"! Automated, even self-service, IdM has been around since long before the "cloud" paradigm was ever contemplated and its use does not constitute evidence of the elusive "private cloud" architecture, but of a robust enterprise IdM system.

Calling a POCS (Plain Old Client-Server) system a "private cloud" simply because you've added some self-service elements succeeds only in muddying the waters at a time when clarity is needed. Let's agree to drop this foolish term.

Labels: cloud, rant, saas

Posted 8:54 AM (0) comments

Government nonsense

My Network World colleague Mitch Kebay points out that the National Institute of Standards and Technology's Computer Security Division has just published SP 800-118, “DRAFT Guide to Enterprise Password Management” which now awaits comments. Mitch suggests it needs those comments "for improvement," but that shipped has already sailed. The only improvement would have been to not waste the time to write and publish it.

Username/password for enterprise authentication is not only poorly implemented, not only passe but also very dangerous. The ONLY guideline NIST should issue for enterprise passwords is STOP USING THEM.

Of course, with the heavy government involvement in business that the current economic crisis is enabling, a simple ban on username/password or a requirement for strong authentication would make much more sense.

Labels: authentication, passwords, rant