Tuesday, October 13, 2009
He who steals my identity steals - not very much?

Good article in the Wall Street Journal today ("The Fallacy of Identity Theft") by Julia Angwin. She starts off:
"As far as I know, no one can steal my identity. Even if my bank account number, my credit card number and all my passwords are stolen, I am fairly confident that I will still be me and the thief will be a different person."
She goes on to show that the problem is really fraud: the people whose identity is "stolen" don't lose much and, in truth, the amount of fraud is dropping. Her conclusion?
"It turns out that 'identity theft' is one of the most brilliant linguistic constructs ever, with its terrifying specter of losing not just your money – but your soul. Maybe it's time that we renamed it what it is: a fear campaign designed to get us to buy expensive services that we don't need."
Thursday, October 01, 2009
Tell us what you really feel...

In an Open Letter to Steve Ballmer, Craig Burton rants about the ridiculous policy Microsoft has for controlling updates and enhancements:
As we drove further down the path to understand why, we were told the following unbelievable conversation. (The following is not an exact quote, but close.)
And what was the momentous change Burton was asking about?
Unfortunately, Ballmer has never understood the importance of identity to the fabric of computing, so he's never going to permit what he would perceive as "feature creep" in the regular monthly updates. That's good news for Microsoft's competitors, and bad news for its customers.
Thursday, July 02, 2009
Snoopy Sears

World+dog seems to be cock-a-hoop over the new authentication that Sears has enabled, claiming OpenID is now accepted. Well, it is, but you'll only see it if you know it's there and go looking for it. First you'll be presented with a NASCAR box showing badges for Facebook, Yahoo, Google, Twitter, AOL and MySpace. Clicking on the [more] link gets you a choice of OpenID or Windows Live. But it isn't just authentication that Sears wants.
Click on the Facebook link, for example, and you see "Allowing Signin.mysears.com access will let it pull your profile information, photos, your friends' info, and other content that it requires to work."
Click on the Twitter link and get: "The application Signin.mysears.com by Sears would like the ability to access and update your data on Twitter."
Do I really want Sears to know who my friends are (and how to contact them)? Do I really want Sears to be able to update my Twitter data (whatever that is)?
Decidedly and emphatically, NO!
Some may think this is a step forward for OpenID, but it's not. It's a step back for privacy.
Monday, June 22, 2009
Half empty?

Although the city of Bozeman, MT has now dropped its requirement that job seekers, to be considered for a job, must provide login information and passwords for social network sites in which they participate, the story notes: "...the passwords already given by previous applicants will remain the confidential property of the City."
They admit that it was poor policy to collect them. The ethical thing to do would be to immediately discard them - safely. Until you do that, Bozeman, you're still going to be at the top of the anti-privacy list.
Just one more reason to drop the use of passwords in favor of a biometric authentication. Even Bozeman, I'd hope, wouldn't ask you to leave your finger on file!
Thursday, May 14, 2009
Buzz phrase du jour

Came across another, to me, really dumb term this morning: Private Clouds. I'm still not all that comfortable with "cloud computing," mind you. Differentiating it from last year's Software as a Service (SaaS), where the service is outsourced, presents issues to me - issues of why call something a new name when the old one works just as well. So too with this oxymoron "Private Clouds". The author starts by appropriating (from the Berkeley RAD Lab's cloud computing report) a definition of cloud computing. Of course, he goes on to state "...that the RAD Lab specifically states that they do not consider internal (i.e., private) clouds to be 'real' clouds..." This doesn't stop him, though, and he blunders on.
Perhaps I just understand this part better, but his comments on Identity Management left me chuckling:
"A robust identity management system needs to be in place to enable automation. Requests for computing services will come not from a sit-down meeting where authentication and authorization will be done on a personal basis - i.e., direct face-to-face interaction enabling the resource granter to identify the legitimacy of the request and the requestor - but from a service request via a software-enabled mechanism like an internal portal."

Ask any mid-sized to large enterprise IdM manager when was the last time that provisioning was done via a "direct face-to-face interaction"! Automated, even self-service, IdM has been around since long before the "cloud" paradigm was ever contemplated, and its use does not constitute evidence of the elusive "private cloud" architecture, but of a robust enterprise IdM system.
Calling a POCS (Plain Old Client-Server) system a "private cloud" simply because you've added some self-service elements succeeds only in muddying the waters at a time when clarity is needed. Let's agree to drop this foolish term.
Tuesday, April 28, 2009
Government nonsense

My Network World colleague Mitch Kabay points out that the National Institute of Standards and Technology's Computer Security Division has just published SP 800-118, “DRAFT Guide to Enterprise Password Management”, which now awaits comments. Mitch suggests it needs those comments "for improvement," but that ship has already sailed. The only improvement would have been to not waste the time to write and publish it.
Username/password for enterprise authentication is not only poorly implemented, not only passé, but also very dangerous. The ONLY guideline NIST should issue for enterprise passwords is STOP USING THEM.
Of course, with the heavy government involvement in business that the current economic crisis is enabling, a simple ban on username/password or a requirement for strong authentication would make much more sense.
© 2003-2006 The Virtual Quill, All Rights Reserved