
PingTalk Blog

So you love Cheerios and you're not afraid to like the brand online, download coupons from the Web site, and sacrifice your legal rights for it. What?

People scratch their heads over the privacy policies on social sites like Facebook and Google, but here is first evidence of how those policies could warp as virtual and physical worlds blend.

General Mills recently introduced a new privacy policy whose "legal terms" prevent anyone who demonstrates affinity for the company, for example by interacting with the brand online, from later suing the company if an issue arises. People who have a dispute over its products are restricted to informal negotiation via email or binding arbitration to seek relief.

"Although this is the first case I've seen of a food company moving in this direction, others will follow -- why wouldn't you?" said Julia Duncan, director of federal programs and an arbitration expert at the American Association for Justice, a trade group representing plaintiff trial lawyers. "It's essentially trying to protect the company from all accountability, even when it lies, or say, an employee deliberately adds broken glass to a product."

One legal expert said, "You can bet there will be some subpoenas for computer hard drives in the future." The New York Times has the scoop.

For more scoops of identity-related goodness, read on.

(Updated April 15 to include recommendation to update shared credentials)

While the OpenSSL Heartbleed bug continues to feed a patching frenzy across the Internet, those using PingFederate, PingOne and/or PingAccess can rest easy.

None of our platforms is vulnerable to the bug, and no updates or patches to the Ping software are required. However, customers that share certificates across applications and platforms, including PingFederate, should exercise due diligence on their non-Ping platforms. Ping recommends that any credentials at risk be changed. That includes any private keys, passwords, shared secrets, and any other credentials on the affected application that might be used to authenticate to PingFederate, or that are otherwise shared with PingFederate.

Ping's Security Engineering confirms that PingFederate does not use the affected software. For the sake of transparency, customers should note that we do distribute and use OpenSSL with our Apache Integration Kit for Windows; however, our package does not contain the vulnerable code, we don't use it to run HTTPS, and the heartbeat functionality is not exposed.

In addition, our Apache Integration Kit for Linux depends on the operating system's OpenSSL library, which we use but do not distribute, and we do not use that library in a way that is exposed. PingFederate may nonetheless be exposed indirectly to Heartbleed when a PingFederate configuration incorporates certificates created or used by another application or platform that has been compromised, e.g. a shared certificate. In that case, follow the recommendations listed above.

In addition, Beau Christensen, Ping's director of infrastructure operations, confirmed that Ping Identity's cloud services, notably PingOne, are not affected by the Heartbleed vulnerabilities. He said that as a precautionary measure, "we are forcing credential updates across all systems, and are rotating public certificates and keys." His full report is available here.

Also, the engineering team for PingAccess, our mobile, Web and API access management platform, confirmed it was not affected by the bug.

Brian Whitney, Beau Christensen, Paul Marshall, Stephen Edmonds, Andrew King, Bill Jung, Yang Yu and John Fontana contributed to this blog.


The Heartbleed bug landed an MMA-style left hook on the Internet's security jaw this week. Zulfikar Ramzan, chief technology officer at Elastica, says Heartbleed cast a shadow over beliefs that the Internet is safe for transactions. "For people to be able to transact with confidence online, they had to believe that SSL was sacrosanct." Sadly, it was not.

John Biggs: Heartbleed, The First Security Bug With A Cool Logo
Heartbleed was one of the first "branded" exploits, a computer bug that has been professionally packaged for easy mass consumption. How did that happen?

xkcd's stick-figure look at Heartbleed
Exploits aren't funny, but in the stick-figure world anything is fair game.

To stem the bleeding, read on...

If there was any doubt that it's a bad idea to hard-code a default password in firmware, especially a password that is the same as the name of the product, then look no further than Philips to end the skepticism. The result: it takes no skill to "hack" 2013 Philips Smart TV models.

Turn off the TV and read on 

For the last two decades, authentication has been limited to the use of static passwords and token/One-Time-Password (OTP)-based solutions.

That limit needs to be lifted in order for businesses to minimize risk; to secure end-users' data, privacy and identity; and to free the mobile computing revolution to meet its lofty expectations. Current authentication techniques can't hit those high-water marks.

Forrester Research analyst and IAM expert Eve Maler takes a look at some of the variables presented in secure authentication when looking through the lens of the "Age of the Customer." Maler says companies need to up their game in authentication strategies and take on "usability vulnerabilities" with the same gusto they tackle security vulnerabilities.

Read on for more topics we took on this week.

In three years, you will no longer log into a website directly. Mobile authentication and single sign-on will become commonplace. For the first time since the mid-1990s, we will start to experience fewer passwords than the password proliferation we endure today. Federation will, for the first time since the early 2000s, begin to link and consolidate our identities faster than we're able to fragment them.

This past week we announced the acquisition of accells technologies, a mobile identity and multi-factor authentication company out of Israel that has developed some incredible technology we'll be sharing with all of you very soon!

I've always believed that identity will one day converge around our mobile devices, but there are a number of things about this acquisition that have me really excited right now.

Is Fin's Bluetooth ring the future controller in the Internet of Things world? You be the judge. The company says, "Fin is a trendy gadget you can wear on the thumb and make your whole palm a digital touch interface." Can this device go from trendy to mainstream and become the centerpiece for running all connected "things?" The company more than doubled its Indiegogo goal, raising more than $200,000. Will initial interest give rise to great success or sore thumbs?

More from the IoT file:

Kyle Vanhemert: Needy robotic toaster sells itself if neglected
His name is Brad, and he's an addict. And a toaster. What if the smart objects of the future aren't just smart, but also potentially jealous, petty or vindictive?

Butter your toast and read on.

Mozilla tried and tried to catch fire with a federated identity service called Persona but could never get the big email providers to buy in and take it global. Persona's goal of having half of the Internet on Persona by the end of last year did not materialize. Chris Duckett reports that the project has been handed back to the Mozilla community, although Mozilla intends to continue support for Persona and is not looking to shutter the service in 2014.

Read on for other items of interest.

The first casualty of the Target breach is the company's highest-ranking technology executive. Beth Jacob, chief information officer and executive vice president for technology services, announced her resignation from the retailer, which publicly confirmed in December that credit and debit card information for 40 million of its customers had been compromised. Target also said on Wednesday that it would create a high-level position to focus on web security.