Matt Honan, a journalist, wrote this week about an “epic hack” involving his identity. His report is a scary, thought-provoking chronicle of how a lot of little things conspired to cost him all his photos of his daughter’s first year. My colleague, John Fontana, wrote an excellent piece about it. I am struck once again about how complex our society has become - politics, daily life, and certainly, digital identity. More and more skill is required to be an average citizen. And in Matt’s case, more than many of us would think reasonable. You shouldn’t need a PhD in the Internet just to protect your identity and privacy.

  • John Fontana: Mat and Phobia start a revolution!
    “Two gigantic and Internet connected cloud services have been exposed for their house of cards and everyone is looking. Mat is left licking his wounds and admitting his errors. Every cloud service or enterprise with a Web app is reexamining email, identity, identity services, passwords, password policies, security, verification, liability and customer service. And tens of millions of customers are along for the scary ride that at any moment threatens to stop their hearts, soil their pants, and sink their digital life.”

There are several more articles about this, and OAuth, and many other topics in identity and privacy.


  • Matt Honan: How Apple and Amazon Security Flaws Led to My Epic Hacking
    “In the space of one hour, my entire digital life was destroyed. First my Google account was taken over, then deleted. Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages. And worst of all, my AppleID account was broken into, and my hackers used it to remotely erase all of the data on my iPhone, iPad, and MacBook.”
  • Nishant Kaushik: The Epic Hacking of Mat Honan and Our Identity Challenge
    “It's a powerful article at an emotional level too, and I hope the mental images of Mat losing all those digital memories - photos, videos - of the first year of his child's life gets people to pay attention. But I want to take this opportunity to discuss both the simpler, individual level implications of this as well as the larger identity ecosystem level implications of this.”
  • Dave Kearns: Hacker pwns Apple and Amazon
    “As I said, it's an excellent piece, with only one or two minor flaws but flaws that need to be discussed and, hopefully, corrected.”
  • Time: The Username/Password System Is Broken: Here Are Some Ideas for Fixing It
    “But there’s a bigger problem that Honan’s hack brings to light, and that’s how broken the username/password system has become. Every online service we use invites another security threat–a way for hackers to sniff out passwords or glean the information they need to reset an account elsewhere. As Honan himself notes:”
  • Chris Hoff: The Soylent Green of “Epic Hacks” – It’s Made of PEOPLE!
    “However, the recent rash of commentary from security wonks on Twitter and blogs regarding who is to “blame” in Mat Honan’s unfortunate experience leaves me confused and misses an important point.”
  • Eve Maler: Identity Protocol Gut Check
    “Protocol gut check. That's how someone recently described some research I've got under way for a report we're calling the "TechRadar™ for Security Pros: Zero Trust Identity Standards," wherein we'll assess the business value-add of more than a dozen identity-related standards and open protocols. But it's also a great name for an episode of angst that recently hit the IAM blogging world, beginning with Eran Hammer's public declaration that OAuth 2.0 -- for which he served as a spec editor -- is "bad."”
  • Helen Whelan: OAuth 2.0: Don’t Throw the Baby Out with the Bathwater (video & slides)
    “In the wake of Eran Hammer's resignation from the OAuth 2.0 working group, @gbrail and @edanuff discussed the usability of OAuth 2.0 for your APIs, identifying problematic areas of the spec and understanding how to avoid them, and why rolling back to OAuth 1.0 or "rolling your own" is not a great idea.”
  • Stephen Wilson: Taking stock of the IdM scene
    “An awkward fracas has broken out in the identity standards community over the process that led to the drafting and approval of OAuth 2.0. I've participated in many standards committees myself and I agree they're difficult environments, populate with self-selected mega brains with commensurate egos, and they're much complicated by corporate interests. The arguments over committee machinations and the protocol itself concern arcane stuff that goes on under the hood of identity management. So the fuss doesn't matter all that much ... except that as I've said before, a bigger starker problem meanwhile goes unremarked; namely, there's something wrong with the very idea of Federated Identity!”
  • John Fontana: Artists explore trust by asking users for passwords, then publishing them
    “A group of graphic design students were curious, if they simply asked people to hand over their passwords would they do it. And "Trust Me, It's Art" was born.”
  • On Breaking SAML: Be Whoever You Want To Be
    “In Pro­cee­dings of the 21st USE­NIX Se­cu­ri­ty Sym­po­si­um, 2012
    In this paper, we de­scri­be an in-depth ana­ly­sis of 14 major SAML frame­works and show that 11 of them, in­clu­ding Sa­les­force, Shib­bo­le­th, and IBM XS40, have cri­ti­cal XML Si­gna­tu­re wrap­ping (XSW) vul­nerabi­li­ties. Based on our ana­ly­sis, we de­ve­lo­ped an au­to­ma­ted pe­ne­tra­ti­on tes­ting tool for XSW in SAML frame­works. Its fe­a­si­bi­li­ty was pro­ven by ad­di­tio­nal dis­co­very of a new XSW va­ri­ant. We pro­po­se the first frame­work to ana­ly­ze such at­tacks, which is based on the in­for­ma­ti­on flow bet­ween two com­po­n­ents of the Re­ly­ing Party. Sur­pri­sin­gly, this ana­ly­sis also yields ef­fi­ci­ent and prac­tical coun­ter­me­a­su­res.”
  • Martin Kuppinger: Preparing Your Enterprise for the Generation Y: BYOD & Mobile Device Management
    “Podcast: A plethora of mobile devices are invading the enterprise at incredible speed, raising issues in areas like access control, policy enforcement, security of confidential data on users’ devices, and many others. Practices of “bring your own device,” (BYOD) and “company owned, personally enabled,” (COPE) are trying to describe methods of mitigating the risks involved. In this training, KuppingerCole Principal Analyst Martin Kuppinger will help IT professionals to find their best way through the myriad of recommendations and solutions related to this issue, and implement the right corporate policies and security tactics.”
  • Craig Burton: Scenario: The Future of Authentication - 70341
    “A number of significant trends are causing the authentication (AuthN) and authorization (AuthZ) architectures and technologies to significantly change.”
  • Stephen Wilson: Facebook privacy paper printed in IEEE Technology & Society
    “Stephen's analysis of Facebook's privacy compliance problems -- jointly developed with Salinger's Anna Johnston -- has been published in the IEEE "Technology and Society" magazine. Pre-print copy attached.”
  • John Fontana: Will Sgrouples end social networking’s attack on privacy?
    “Nearly 15 years after founding, Mark Weinstein is back with Sgrouples and says it’s time privacy becomes the hallmark of social networking.”
  • Keen On… David Cho: Why Privacy Is The Valley’s Next Big Thing [TCTV]
    “According to David Cho, the co-founder and CEO of Sidebark, 2012 is the year that privacy will go big (if not public). That’s because, as Cho told me when he came into our San Francisco studio, we want to share our most personal data with our most personal friends – and that can only be done by making privacy the default feature of a social network. Therein lies the rationale behind Sidebark, Cho’s new start-up which, by relying on our emails, is attempting to make “permissions” the operating-system of his privacy-centric network. And that’s why, Cho insisted to me, users can – in contrast with Facebook, Google + et al – really trust Sidebar with their most intimate photos and content.”
  • Seth Godin: The difficult challenge of media alignment
    “My suggestion: Twitter has the opportunity to become extraordinarily aligned with their best users. Offer the top users the opportunity to pay $10 a month. For that fee, they can get an ever-growing list of features, including analytics, verification, 160 characters, who knows...”
  • Bill Nelson: The Diminishing Non-Digital World (or How to get Outed by a Photo Booth)
    “Even within the sacred confines of a photo booth our privacy is not really private at all. Ironically, photo booths now take digital photos which are then stored on the kiosk’s computer hard drive. While this expedites the printing process, the possibility of those photos being shared with unintended parties is very real. At least that is what I observed shortly after the reunion when pictures from the photo booth began appearing on Facebook. At first I thought that attendees were scanning their own photos and posting them. This thought was immediately dismissed when I saw my own pictures start to appear.”
  • Dave Birch: Real names, real problems
    “There is an assumption, which is reasonably well-founded I think, that many social media companies want to develop "Real Names" policies of one form or another not to prevent trolling or to protect the kiddies in one way or another, but to help with the commercialisation of their services and the monetization of the identities that they hold. Whereas the identity "Dave Birch of Consult Hyperion" may be worth something to commercial organisations (debt collectors, payday loan sharks and so forth)  -- according to real names thinking -- the identity "Leadbelly Gutbucket, mightiest of the Dwarven heroes of Ravenscrag Pass" may not. Hence the drive to find out who people really are.”
    [In cyberspace, no-one knows you’re a dogbot]
  • The Open Group: Identity Management: Entities and Entitlement (4 of 5)
    “The fourth video of the five part Identity Management series presented by the Jericho Forum, "Entities and Entitlement," explores the bigger picture of identity management and how the concepts of a core identifier and an identity ecosystem can be expanded to include all entities that require identity in the digital world.”
  • Third Parties Are IAM's Third Wheel
    “Connections with suppliers, partners, and contractors need better foresight and planning”
  • The 2012 Identropy Culture Book
    “The energy, camaraderie and intense creativity we felt during the all-hands are contagious and very motivating, and we believe that it is a direct result of our focus on company culture, which we continued to nurture over this past year.  Being able to see that the theory we have learned actually works in practice, and that the results are in most cases a lot better than one could have predicted is truly fascinating and satisfying at the same time.  Our company strength and success is directly correlated to the consistency by which we adhere to our core values.”


  • Francois Lascelles: OAuth World Tour
    “Steve and I had another great Tech Talk in Vancouver this week, discussing the recent controversy around OAuth 2.0 and the state of the standard in general. A couple of questions that came up (thank you Michael and David, among others) were around the availability of libraries for iOS and Android platforms”
  • Ronnie Mitra: Using WebSockets – Part 1: Minding the Gates
    “One of the most exciting features introduced with HTML5 was support for WebSockets. The WebSocket protocol has been through a lot of churn over the last two years, with browser vendors desperately trying to keep pace with changes in the specification. Thankfully, the standard has now become stable enough to be utilized in enterprise projects.”
  • IANA Registry for OAuth 2 Created
    “The Internet Assigned Numbers Authority (IANA) has created the registry for OAuth 2 parameters.”
  • Mashery: I/O Wraps: Building Client Libraries (and much more)
    “On July 17, we released I/O Wraps, a semi-automatic client library generator. Following the pattern of I/O Docs, we have made it completely open source and available on GitHub. The elevator pitch for API providers: “Take your I/O Docs configuration file, feed it into I/O Wraps, and out come native language API wrappers.””

Cloud Computing

  • Drummond Reed: The Difference Between a Personal Cloud and a Personal Data Store
    “In short, if a personal cloud is a virtual personal computer in the cloud, then a PDS is its virtual file system. Note that this does NOT mean the PDS stores all its data in the cloud. In fact, one of the most salient features of a full-featured PDS is that it will provide controlled access and sharing of data stored in native data stores anywhere on the wired or wireless Web. These native data stores become a virtual part of the personal cloud by virtue of a secure semantic data sharing protocol like XDI.”
  • Phil Windley: Services in the Personal Cloud Operating System
    “The personal cloud operating system will need a set of consistent services. This post begins to flesh out some of the details behind the roadmap I published last week.”
  • Phil Windley: The Layers and Components in a Cloud OS
    “This diagram shows the organization of components in the personal cloud operating system.”
  • Mike Amundsen: Programming in the Cloud
    “Quite a bit has been written about how the Cloud is altering the landscape for platform, software and infrastructure providers but not as much has been said about what all this means for developers. I recently decided to find out for myself by going on an “all-cloud diet”. In practical terms, this meant I used a sealed netbook or smartphone to do all my work.”
  • The IT world’s love-hate relationship with OpenStack
    “OpenStack has had a great week with eBay coming out as a user and Rackspace rebranding around the open source cloud project, but life isn’t all good in OpenStack world. There are still plenty of questions over its governance and development models that keep skepticism strong.”
  • LinkedIn unloads upgraded API to expand sharing power
    “LinkedIn widens its reach across the web with new developer tools designed to promote a full circle of sharing and attribution.”
  • Simon Wardley: Interesting moves by VMware
    “However, VMware (or more specifically its master EMC) is very astute. There's an awful lot of value which can be gained by providing a commodity infrastructure services through the development of a wide ecosystem and the exploitation of such through an ILC (innovate-leverage-commoditise) model.”

Valuable Identity

  • Jonathan Sander: Is the ID ecosystem #NSTIC wants too much risk for an IdP?
    “I’m gearing up to go to the NSTIC convened steering group meeting in Chicago next week. Naturally, my inner nerd has me reviewing the founding documents, re-reading the NSTIC docs, and combing through the by laws that have been proposed (all of which can be found here). I am also recalling all the conversations where NSTIC has come up. One trend emerges. Many people say they think the NSTIC identity provider responsibilities are too much risk for anyone to take on. With identity breaches so common now that only targets with star power make the news, there does seem to be some logic to that. If your firm was in the business of supplying government approved identities and you got hacked then you are in even hotter water, right?”
  • John Fontana: NSTIC’s steering group gathering long list of members
    “A week ahead of its first ever face-to-face meeting, the NSTIC Identity Ecosystem Steering Group (IESG) is already collecting a long list of participants.”
  • Identity Ecosystem Steering Group Leadership Nominations
    “In Wednesday’s reminder about the August 15-16 Identity Ecosystem Steering Group (IESG) meeting, we encouraged all Identity Ecosystem stakeholders to review the list of Steering Group leadership nominees and consider nominating others for one of the 18 leadership positions.  Below is the most current list of nominees.”
  • Identity Ecosystem Steering Group Leadership - Announcements
    [A collection of all the information leading up to the Kickoff event this week.]
  • Webinar Materials Now Available
    “Last week, the Identity Ecosystem Steering Group (IESG) Secretariat hosted an informational webinar about what you can expect from the first meeting of the Steering Group in Chicago, August 15 and 16. If you were unable to participate in the webinar, or you’d like to revisit any of the information presented, you can view the two-hour event in its entirety here. The slide deck used during the webinar is available here.”
  • Kaliya For Mayor! « Elect Kaliya to Govern the New Internet Identity Strategy from NSTIC Kaliya For Mayor!
    [Love the Web site!  Never could there be a more passionate voice for the rights of us little people!]
  • Michael Daniel: Collaborative and Cross-Cutting Approaches to Cybersecurity
    “As I reach the end of my first two months as Cybersecurity Coordinator, I wanted to highlight a few of the Administration’s recent accomplishments working in partnership with the private sector, and also preview some of our future activities.”
  • IDMGOV: RFI/RFP Language for Federation Solutions and Identity Proofing Solutions
    “As noted in my earlier blog post "Comply with Requirements Quickly and Easily with RFI and RFP Templates", FICAM is working to make it easier for Agencies to align with OMB/NIST/FICAM policies. Given below is recommended language that aligns with policy for incorporation into Agency RFIs and RPFs.  The language covers both identity federation solutions, when the Agency is acting as a relying party, as well as identity proofing solutions.”
  • GSA OGP Announces an Industry Day on Federal Federated Identity Solutions
    “As the next step, the FCCX Tiger Team would like to hear from industry vendors on how they might implement a privacy-enhancing, cloud-based, federated credential exchange service. As an overview, the following topics should be addressed in your written response which will be due by 5 P.M. EDT on Monday, August 20, 2012”
  • Starbucks and Square to Team Up
    “Cash moved one small step nearer to its deathbed with the announcement on Wednesday that Square, the mobile payments start-up, would form a partnership with the Starbucks Coffee Company. This fall, Square will begin processing all credit and debit card transactions at Starbucks stores in the United States and eventually customers will be able to order a grande vanilla latte and charge it to their credit cards simply by saying their names.”
  • US small businesses ditch banks over online fraud
    “Around three quarters of small and medium-sized businesses (SMBs) in the US have fallen victim to online banking fraud and many are ditching their provider as a result, according to research from Guardian Analytics and Ponemon Institute.”


* Required Fields