There were a lot of wet eyes at Ping this week, from laughing ourselves sick watching a couple of videos about passwords that got shared on our community mailing list. Take a listen - they’re not too long. You should find at least one nerve that gets struck as you nod, knowingly, or maybe jump up and run screaming around the room!
- Toby Turner: PASSWORD RANT
[A great password rant]
- Don Friesen: Forgot Password
[Another great password rant]
- StackOverflow: Human Verification
“Are you a human being? We apologize for the confusion, but we can't quite tell if you're a person or a script. Please don't take this personally. Bots and scripts can be remarkably lifelike these days! Enter the CAPTCHA displayed below, and we'll be out of your way.”
There were a number of other items of interest to the identity community, although none as funny:
- Gunnar Peterson: What Is It You Would Say That You Do Here?
“Here is a dangerous question to start the new year: Does your company actually need a security department? If you are doing CYA instead of CIA, the answer is probably no.”
[A must-read for anybody in security. Gunnar introduces the three EEEs of security, and I didn’t know whether to laugh or cry.]
- John Fontana: Passwords hanging around like an ugly old dorm couch
“Forrester analyst Eve Maler says passwords will be an authentication method for the foreseeable future, but changes in IT attitudes can make that palatable.”
- Phil Hunt: 2012: No Time To REST For The Holidays
“This past year has been one of the biggest years of change I've seen in a while. It started off with the expected priority of delivering and using cloud based services at the top of everyone's mind. However, it soon became apparent that the usual way of delivering services (e.g. ones based on SOAP) was not what was going to make that happen. It is now apparent that cloud hosted services will be largely based on REST and JSON. A monumental change in service architecture being driven by the market…”
- Joni Brennan, Kantara: IAWG – Separating Token and Attribute Manager Functions
“On Nov 30 Kantara held a “Trusted ID” F2F meeting in Washington DC to talk strictly Assurance and alignment with Government based AuthN requirements like that of NIST 800-63 and ISO 29115. We should make clear that, for Kantara, “Government alignment” is not a US initiative but a global initiative. We believe that digital identity should be voluntary, pervasive, privacy enabling, and with-out-borders (portable across jurisdiction and domain if you choose).”
- Galen Gruman: The dangers of a single identity
“The focus on having a single ID you can use everywhere ignores how the world actually works, in a scary way”
- Ericka Chickowski, Dark Reading: Single Sign-On Mythbusting
“It's no secret that single sign-on (SSO) has been hunted down for years like a mythical identity management treasure--get it right and all those identity and access management (IAM) woes are cured, right? Well, not exactly, say experts.”
- Pamela Dingle: Certificate Impossible
“Today when I tried to update my github repository, I received a certificate error that said “XCode can’t verify the identity of the server github.com”. Because I’m a paranoid idiot, I decided to get to the bottom of it. A search on Stack Overflow scared the crap out of me — the “accepted” answer is to just “make the prompt go away” by blindly choosing to trust the certificate. That is theoretically the worst, laziest, most insecure answer in the world and we as an industry should be castigating such a brutal security recommendation, right? But before casting stones, what *should* be done?”
[No way is a Ping Identity geek like Pamela going to just let this go! We like to cross the eyes and dot the tees. (Shirts by Paul)]
- Phil Hunt: OAuth2 Threat Model is now RFC 6819
“The contents of this specification originally formed the security considerations for RFC 6749, but after some good working group discussion the working group decided to break the considerations in two parts: RFC 6749 would contain considerations of interest to implementers, while the Threat Model would be of broader interest to deployers. That document is now published as RFC 6819.”
- InCommon Webinar: Scalable Privacy: An NSTIC Pilot program for the Identity Ecosystem
“1 pm ET | Noon CT | 11 am MT | 10 am PT
Speaker: Ken Klingenstein, Senior Director, Middleware and Security, Internet2
Host and Moderator: Rodney Petersen, Managing Director of the Washington Office and Senior Government Relations Officer, EDUCAUSE”
- IDESG: 3rd Plenary Meeting
“When: February 5-7, 2013. Tentative Agenda
Where: Phoenix Convention Center - 100 N. Third St., Phoenix, AZ 85004”
- IdentityWoman: European Identity Workshop in Feb
“The European Identity Workshop.
February 12-13 in Vienna.
Registration is here.
Internet identity, identity federation and personal data online are complex, continually evolving areas. The event is inspired by similar events such as the Internet Identity Workshop in California, Identity North in Canada, and Identity Next in the Netherlands, with a focus on European perspectives and initiatives. At EIW, participants will seek deeper understanding, and better solutions to challenges like: ...”
- Internet Identity Workshop XVI #16 - 2013A
“Phil Windley, Kaliya Hamlin, & Doc Searls
Tuesday, May 7, 2013 at 8:00 AM - Thursday, May 9, 2013 at 4:00 PM (PDT)
Mountain View, CA
Super Early Bird Ticket Feb 18, 2013”
- Alex Gaber: Measuring Hackathon ROI for APIs
“I often get asked whether hackathons actually provide API publishers with any true, measurable return on investment (ROI). The simple answer is “yes” – and the positive benefits of hackathons are now undeniable. However, the benefits can be a little hard to quantify, making ROI tricky to measure objectively.”
- John Fontana: Cloud authorization standard in the works
“The Cloud Authorization (CloudAuthZ) technical committee (TC) spun up Dec. 4 at the Organization for the Advancement of Structured Information Standards (OASIS) to tackle standards for determining the most optimal way to enforce policies on who can do what within a cloud environment.”
- Netflix wants open-source developers, cloud alternatives
“Netflix has made a name for itself by open-sourcing tools to fill gaps in Amazon Web Services’ cloud and make deployment easier to manage. Now it wants to show off the other goodies it has in the pipeline — and recruit open-source development whizzes in the process. The company will host an Open Source Open House at its Los Gatos, Calif., headquarters February 6, which will feature talks by Adrian Cockcroft, Netflix cloud architect, and Ruslan Meshenberg, director of cloud platform engineering.”
- Heather Clancy: Cloud service answers question 'who are you?'
“Verifying a customer's identity online can be incredibly challenging, but Scottish company miiCard is offering a potential solution for small businesses.”
- Adrian Lane, Gunnar Peterson: Understanding Identity Management for Cloud Service: The Solution Space
“Adrian and Gunnar here: After spending a few weeks getting updates from Identity and Access Management (IAM) service vendors – as well as a couple weeks for winter break – we have gathered the research we need to delve into the meat of our series on Understanding and Selecting Identity Management for Cloud Services.”
- Debra Spitler: Turning NFC-enabled BYOD smart phones into secure credentials
“HID Global explored these issues during pilots of NFC-enabled smart phones with Netflix and Good Technology. In both pilots, proximity readers used with cards, key fobs or tags were replaced with HID Global’s iCLASS SE access control platform including iCLASS Seos credentials that are portable for use on NFC-enabled smart phones.”
- Gunnar Peterson: What's the Worst Security Posture for Mobile?
“To say it's early days in Mobile is an understatement. To say it's early days in Mobile security is (and I know it's only January) an early candidate for understatement of the year. Making sweeping statements about Mobile anything is hard. But there are a number of promising green shoots springing up out of the ground in Mobile security. Will these sprouts grow into mighty oaks or get crushed like so many Orange Books before them? Remains to be seen.”
- John Fontana: NSTIC set to fire up more identity pilots
“The nearly two-year-old NSTIC effort is ready to commit more funding to building an online identity system to stimulate and secure online interaction and transactions.”
- Jason Miller: Cloud is the next chapter in the government's identity management saga
“Flash forward to fiscal 2013, the Postal Service issued a draft request for proposals and a final RFP to create and run a Federal Cloud Credential Exchange (FCCX). The system would let citizens log onto federal services using usernames and passwords from third parties, such as Google or PayPal, as long as those companies meet federal standards under the Federal Identity Credential and Access Management framework (FICAM).”
- Henry Helgeson: 2013: The Year Payments Finally Emerge From the Dark Ages?
“When it comes to emerging victorious, other factors — especially security — are important. But benefits to the consumer and the merchant are the number one determining factor. When both parties get something great out of mobile payments that they never had before, then the revolution will prevail; it will be win-win for everyone.”
- FDIC Publishes Study on Mobile Payment Risks
“They did, however, note a few risks. For example, a major risk of mobile payments is that many solutions are provided by non-banking entities unfamiliar with the necessary measures required to ensure transaction security, and most solutions require cooperation between multiple players.”