May 20, 2008

FBI indictments raise hope

May 19, 2008 BUCHAREST, ROMANIA – Thirty-eight individuals with ties to international organized crime have been charged in two separate indictments involving computer and credit card fraud schemes, Deputy Attorney General Mark R. Filip, Romanian Prosecutor General Laura Codruţa Kövesi, U.S. Attorney for the Central District of California Thomas P. O’Brien and Acting U.S. Attorney for the District of Connecticut Nora R. Dannehy announced today. The Deputy Attorney General made the announcement with the Romanian Prosecutor General to highlight the extensive and continued cooperation between the two countries in addressing these types of international crimes. The announcement comes less than one month after U.S. Attorney General Michael B. Mukasey announced the Department’s new Law Enforcement Strategy to Combat International Organized Crime.
The FBI, following up on an announcement last month, has moved into an aggressive mode of prosecution for computer crimes. The indictments cover 33 individuals on 65 counts in Los Angeles, and 7 individuals in Washington, DC, involved in phishing scams. Search warrants were also issued in Romania.

The locations of the operations included: the United States, Canada, Pakistan, Portugal and Romania.

The phishing scams mainly posed as messages from Citibank, Capital One, JPMorgan Chase & Co., Comerica Bank, Wells Fargo & Co., eBay and PayPal. All very common lures for such attacks.

The role of identity here is unequivocal, and much work remains to be done both on existing protocol strata, including email and SIP, and on emerging identity protocols, such as Liberty Alliance, OpenID, and OAuth (to name but a few).

As these new protocols mature and their use broadens, they will form the basis for new attack surfaces for such criminal behavior. The Liberty Alliance has been focusing some of its talents directly in this space in the form of the Identity Theft Special Interest Group, and began working on this topic as far back as 2004.

Oddly, this topic, which had some momentum at earlier IIW events, was not touched as a primary topic at the most recent session. As an industry, we need to think about reversing this trend.


May 11, 2007

Know SAML cold

I came across this series tonight while traipsing through Technorati SAML searches. JeffH, however, got there before me.

SAML and ColdFusion - Part 1 (December 29, 2006)
SAML and ColdFusion - Part 2 (February 9, 2007)
SAML and ColdFusion Part 3 : XML Digital Signatures (April 16, 2007)
SAML and ColdFusion Part 4 : Setting Up the Library (April 26, 2007)
SAML and ColdFusion Part 5 : Signing a Document (May 1, 2007)
SAML and ColdFusion Part 6 : Validating an Assertion (May 10, 2007)

Nicely done!


Privacy and the Almighty Dollar

Apparently Google feels that operations in China are more important than user privacy... still. In a shareholder vote held yesterday, they voted against a proposal which outlined the following:
  1. Data that can identify individual users should not be hosted in Internet-restricting countries, where political speech can be treated as a crime by the legal system.
  2. The company will not engage in pro-active censorship.
  3. The company will use all legal means to resist demands for censorship. The company will only comply with such demands if required to do so through legally binding procedures.
  4. Users will be clearly informed when the company has acceded to legally binding government requests to filter or otherwise censor content that the user is trying to access.
  5. Users should be informed about the company's data retention practices, and the ways in which their data is shared with third parties.
  6. The company will document all cases where legally binding censorship requests have been complied with, and that information will be publicly available.
While much coverage of this issue has focused on the censorship questions raised by operating in (for example) China, the stipulations about disclosure to third parties and data retention practices have been ignored.

The shareholders were advised by Google senior executives that this measure should be voted down, as it would prohibit their operations in China. While I understand this point of view, at some point conscionable corporations are going to have to face data protection, disclosure, and retention issues head on. Perhaps a better-informed shareholder base will be required to force such practices on public companies.


1 point for the dollar, 0 for privacy.


Apr 30, 2007

PII's Journey - Chapter 1

From the “What do two identity architects chat about while waiting for the plane to board” department.

Companies large and small gather personally identifiable information all the time (never mind that they rarely really need to, other than to fulfill their ill-conceived belief that it will make my experience better or their wallets thicker). The data they get (lies, generally, unless it's important business) might be sent over TLS and the like, and may be covered by one or more privacy policies conveniently referenced far, far away from the 'Submit' button... but there is never any mention of what really happens to that data after it's collected. Follow PII on its epic journey through networks, servers and tapes in 'PII's Journey - an EPIC tale'.

It's a sad sad story....

Once upon a time, somewhere in one of the happier nooks of the internet, there was a little bit of data, named PII, just leaving its owner's computer, destined for important tasks at www.example.com. It was carefully sent, nice and snug under the covers of its good friend TLS, and informed by some pleasing P3P policies, whereby it was assured no harm would befall it upon arrival at its destination.

Feeling emboldened by anticipated loving care, it sped into the warm embrace of www.example.com's host, which was clearly identified by the DNS and the subject of a certificate upon which its TLS road was paved (where said corroboration was of course carried out with the greatest of care).

Little PII, arriving in its new home, is passed most respectfully to WWW's close friend and helper, apps.example.com, who generally assists in matters more complex than simple HTTP. PII looks backward, somewhat forlornly, at its companions and confidants P3P and TLS, who accompanied him at the beginning of his epic quest to conduct some important business.

PII arrives at apps (well, it thinks that's her name, anyway), and is quickly swished through memory and swapped about a bit in apps' file system, while apps performs what PII is certain is most difficult and arduous work. Variables and arrays and other structures serve as short stopping places. PII sees all sorts of other, unfamiliar and unrelated data too. Some seemed to be in classes, and PII wondered what instruction they were getting, and if they too were there for the same purpose.

PII doesn't mind so much the jostling and bumping about, knowing that its mission is vital. At last, after what seemed like thousands of milliseconds, it is instructed to rest, with some other PII, at database.example.com... well, apps told PII that was his name... he arrived at a somewhat anonymous-looking dotted quad. Poor PII, not knowing what to do, and wishing to go home after recent mishandling, finds a row to rest in, and closes its weary eyes.

PII dreams of the good times it spent with TLS and P3P, all the frolicking about, obediently following the directions of BGP and IP. It fondly remembers the comforting covenants of Jurisdiction and Purpose... of Recipient and Remedy. As the dream grows somewhat dark in nature, a shadow of database is seen in the distance, and PII sees itself moving slowly towards it, completely detached from Purpose and Reason, and with no special protections for its journey. After fading into the distant ether, PII can no longer see itself, and hopes its copy can remember all the promises made when it first began its epic voyage.

Stay tuned for the continuing (mis)adventures of PII...

Apr 29, 2007

Bewitched flatware

George reported last week the magnetic qualities of his flatware. And were it not for the photograph, none of us would have believed him.

I can now report a second sighting of the unusual phenomenon. I, unfortunately, did not have the camera handy, as I was held captive by the tray table, and the flight attendant (4/28 UA951 crew... if you're out there, wonderful job, by the way) whisked away the knife before I could capture the event in silicon (does anyone capture events on 'film' anymore?).

The flatware must have been stored outside the airplane before departure, as its surface temperature was low enough to bond skin to metal.

Discussions ensued in Brussels, at the IOS conference, as to the cause of the magnetic charge, but no consensus could be reached. It is, however, strangely coincident with the re-emergence of metal knives on flights.


Apr 27, 2007

Trusting SIP

My good friend and colleague, together with others, has for over a year now been working on a trait-based authorization specification for SIP, known to some as 'SIP-SAML'. It fulfills the requirements outlined in “Trait-based Authorization Requirements for the Session Initiation Protocol (SIP)”, and specifies bindings and profiles for carrying attribute statements (and assertions) from SAML artifacts. This gives SIP intermediaries the material they need to make policy decisions about handling SIP signals (and the subsequent messages), among other use cases.

I've recently discovered that some have considered applying OpenID in a (slightly) similar manner for SIP, as mentioned here.

As the above reference articulates, improvements to the base OpenID architecture are required to accomplish this. Perhaps a token transformation via the Liberty Alliance Authentication Service (pdf) accomplishes this objective.


Apr 26, 2007

The Swiss beverage empire

I'm here in Brussels for the Liberty Alliance Members meeting and Identity OpenSpace event, and they have been making certain we maintain our appetites by supplying cannabis in liquid form.

These need to be in the States. Both are quite good. It's a shame that the notion of a cannabis-based beverage would never fly in the US.
...
I think I need a snack now.

(Finally found the vendor's website.)


Jun 6, 2006

Open Space Logo Mashup

I've just registered for the upcoming Identity Open Space in Vancouver, a co-production of the Liberty Alliance and the good folks over at unconference and IIW.

I couldn't resist mixing the logos.

Hope to see you there.