Playing with CardSpace Geneva Beta

•19 Nov 08 • 4 Comments

There are two interesting new selector features to play with in the CardSpace Geneva beta.  The first is the idea of the card tile,  where (as I understand it, no guarantees of accuracy here) the browser interacts with the selector to discover, cache, and display the image of the last card you have used at a given RP as part of the context of the Relying Party page (rather than as a separate context).  The Relying Party never sees or can access the image of your card.  This mashup-like user interface is meant to be personalized and more inviting to users.

The second new feature is the “always use this card at this site” checkbox.  If you check this box while authenticating with a card, you will subsequently see your card tile, but after clicking that card tile, the rest of the process happens without further interaction.  Web site operators can veto this convenience if they wish, by adding a new parameter called ‘requireUserInteraction’ to the information card trigger object and setting the value to true.
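To make the veto concrete, here is what an RP login page would look like with that parameter in place.  This is an added example, not markup from the post or from the Federated Identity demo site: it assumes the trigger is the standard Information Card object tag, that `requireUserInteraction` is passed as a `<param>` alongside the other trigger parameters (the post names the parameter but not its exact placement), and the action URL, issuer URL and button text are placeholders.

```html
<!-- Added example (not the demo site's own markup). Assumptions: the RP
     login endpoint, the issuer URL and the button label are placeholders,
     and requireUserInteraction is expressed as a <param> like the other
     trigger parameters, using the name given in the post. -->
<form method="post" action="https://rp.example.com/login">
  <object type="application/x-informationCard" name="xmlToken">
    <!-- Standard trigger parameters from the Identity Selector
         Interoperability Profile: which token format the RP accepts,
         which issuer it expects, and which claims it requires. -->
    <param name="tokenType"
           value="urn:oasis:names:tc:SAML:1.0:assertion" />
    <param name="issuer"
           value="https://idp.example.com/sts" />
    <param name="requiredClaims"
           value="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" />
    <!-- The new Geneva parameter. With it set to true the selector must
         show the card and wait for the user's click even if the user has
         ticked "always use this card at this site". Leave it out (or set
         it to false) and the silent re-use the post describes is allowed. -->
    <param name="requireUserInteraction" value="true" />
  </object>
  <input type="submit" value="Sign in with an Information Card" />
</form>
```

The selector writes the encrypted token into the `xmlToken` field when the form is submitted, exactly as in earlier CardSpace versions; the only thing the RP adds to opt out of the silent flow is the one extra parameter, which is worth doing on any page where the action being authorized has consequences (a payment, a change of address) rather than a plain login.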

I think the always use feature really works well in combination with card tiles, as the user retains context without having to push more buttons.  I don’t know how to non-destructively change my mind about always using a given card at a particular site though. I tried restarting the browser, restarting the machine, and clearing “private” data from the browser without effect.  I tried going to the control panel and opening CardSpace directly, but nothing there helps.  Short of deleting & reinstalling the card, one click of that checkbox and I become permanently committed to a silent transaction with the Federated Identity demo website forever more.  I’m sure this lack of choice is temporary (after all this is a beta) – but if possible, I would love to see more on the CardSpace blog about the planned persistence model for this feature, and about what the plans are for letting people manipulate it or even disable it.

When I first heard of the card tile feature, I hated it.  Now that I see it in use, I understand the value proposition, but I still have to point out that this little picture represents a critical piece of user context information.  I can’t help but think that to allow the card tile image to be handled by the browser is to eventually serve it to the bad guys on a platter.   I hope I’ll be proven wrong.

Other thoughts:

  • Visually, I worry that the card tile feature lacks a strong enough branding consistency for people to easily identify where on a given page the information card trigger form is — if, for example, I happen to use a card which blends into the page, it might be confusing.  Even with the example site,  it isn’t immediately obvious that the picture placed front and center is also intended to be a control.
  • Along that same line, I wonder how much control the web designer has over the size, style, and placement of the card tile.  Is there a standard form factor or is the sky the limit?
  • I hope that a card provider could also have the power to disallow the “always use” feature for certain types of cards.
  • Will there be some kind of maximum limit to how long that little checkbox lasts?
  • Currently the beta card service and RP service appear to be a closed circle – I’m very excited to see the beta get to the point where I can start to play with these features using my own code base.

Check out the blog entry from the CardSpace Team: http://blogs.msdn.com/card/archive/2008/11/18/the-cardspace-geneva-selection-experience.aspx

Mike Jones also blogged on this: http://self-issued.info/?p=94

  • If you play with this beta,  remember YOU NEED TO GET THE CARD FIRST, as it is a managed card, and self-issued cards aren’t part of the beta yet.
  • If you aren’t seeing the card tile, check Mike’s blog entry above for a link that explicitly asks for that feature.
  • When you click on the card link to import the card,  nothing happens; the card installs, but the selector doesn’t open or even give you a popup.  I’m not sure if this is by design, or if the acknowledgement of successful install just hasn’t been put in yet — but I hope it is the latter, because without some kind of feedback, people like me assume that it either didn’t work or that it is still running and that I therefore have to wait.  I only discovered that my work was done when I clicked the link a second time & was asked if I really wanted to install a dupe.

Can’t look this gift horse in the mouth

•13 Nov 08 • 1 Comment

Today was an interesting day for the Identity geeks of the world.  A viral outbreak of concern broke out among twitter users over a site called “Twitterank”.    Twitterank asks for your credentials and displays a number that supposedly outlines your theoretical social viability in the twitterverse.

Once the word “phishing” became attached to the service, people became fascinated.  I have no idea of the order of it all – but several things happened:

  • A ridiculous number of people decided to try out the alleged phishing site.  Some of them even changed their password afterwards.
  • References were passed around to a site called “Twitterawesomeness” that appears to exist as a very pointed statement about how easy it is to phish a site like twitterank. The disclaimer states:

I’m in ur Twitterz, stealin ur credz!
It’s ok, 178 other people gave their passwords too!

  • The author of Twitterank came out with this statement:

I’m not out to steal ur twitterz. Frankly, I wish I didn’t have to ask for your account info, but Twitter doesn’t offer APIs using any other authentication mechanism (according to the docs). So blame them.

So let’s see then:

  1. twitterank is right.   The best way to protect the passwords of the users of your service is to provide alternatives to giving away your password.   Granting permission for another entity to see your data is something Twitter can securely enable – or ignore.  We know where they stand so far.
  2. twitterawesomeness is right too.  It doesn’t matter whether twitterank is crooked or honest.  Anyone who wishes to spend the 10 minutes to emulate twitterank’s main page can harvest passwords, if they can get people to click on a modified link.  Obviously not a difficult task – especially when people only see a “tinyurl” for most of the links they click.  Heck, just register “twitterrank.com”.  People will come to you.
  3. To all you folks who changed your password — do you use that password anywhere else?  Because if I were going to steal username/password combinations, it certainly wouldn’t be to read a twitter stream.  But I’m sure nobody would be crazy enough to use the same combo at twitter and at their bank…  what about the password you might have had when you tried the service a month ago?
  4. In fact – even if you don’t use that combination at your bank, I might be able to still get there. I would use the credentials to harvest your email address from twitter, and then try to log in to that email account.    If I were lucky and got a hit, I could then start putting your email address into password recovery pages for all sorts of interesting places.  Once you have email, you have the keys to the kingdom.

Of course, I could also just phish your bank site.  Occam’s razor applies here.  Still, the point has been proven.

Mashable Link

ZDNet Link

IIWish I was there

•9 Nov 08 • 3 Comments

Go ahead.  Have fun without me

*whimper* *pout*

I’ll just stay home and feel sorry for myself while you all solve the world’s problems.  Maybe leave a few just so we can meet again in May, ok?

The least you can do is take lots of pictures,  and write GOOD NOTES so us remoteys can keep up.

Enjoy,

Pamela

Of Trolls & TOSs

•30 Oct 08 • Leave a Comment

Electronic Arts has just backed into an interesting twist to the TOS story.   They are linking your online terms of service to the physical video games you buy — if you violate their online TOS, your right to run every video game linked to that account will be revoked.

This adds a massive lightning stroke of accountability into the affair, doesn’t it?   Suddenly, the forums aren’t just a “value-add”, they are also a potential “value-take-away”.   I have this picture in my head of Family Member A explaining to Family Members B and C how A lost his/her temper in the EA forums last night, and now the whole family has lost not only their access to their games, but possibly their game statistics & reputations too, depending on what EA does to enforce the ban and the subsequent serial number invalidation.    Ah, it all comes back to Identity mgmt and asset mgmt, doesn’t it?

I suppose you could consider this the Real-time Blackhole List approach to reputation & social networking.

The Beginning – of the middle.

•28 Oct 08 • 1 Comment

Those of us in OSIS have half-joked about the I4 Interop event being the end of the beginning — but yesterday, the announcement of Geneva ushered in a new beginning.  It is still a long road ahead,  but mark my words, the momentum changes here.

I was recently asked in a rather public forum whether people are really using Information Cards.  The answer was a reluctant no.   There are a few pools of use that are extraordinary, the largest being in Europe.  There are many very interested parties.  There is development happening all over, but not released yet.  I am ok with this however,  because the truth is,  this technology will break out when it is not just cool, but also the obvious choice for the job.

In the past, this technology has been evangelized as the end of passwords, which is, in my mind, a mischaracterization.  It is not the end of the password.  It is the end of the login form.   It is the end of that uncertain little piece of html out there that may or may not be well written, or well protected, and may not actually even be the place you trust.   That may sound like a small little piece of the pie – but when you combine that little piece with the power of the underlying protocols,  and the massive usability problem that confronts us now in the security space,  what we get is a lot closer to the complete picture.

Why is this complete picture necessary?  Ah, well this is the thing, isn’t it?  People keep asking me, why would we ever NEED information cards?  We’re already busy, we don’t want to add something we have to work hard to understand to our Enterprises or to our products, and we’re getting by JUST FINE thank you very much…

Microsoft answered that question yesterday too, with Azure.   As I’ve said before, your provisioning problems can be ignored when removal of network access can act as a master switch for all the nonexistent processes in the Enterprise.    Once your Enterprise starts pushing critical business functions outside of the Enterprise, there is no choice but to evolve your Enterprise towards claims-based Identity, federation, SAML, information cards, and this whole next generation of accountability.   In order for Azure to exist,  MS had to find a way to push credentials out into the cloud as well — and here we are.

This is the vision.  And the opportunity,  long awaited.   For those of you who might think that this sounds like a great Microsoft conspiracy here,  remember the protocols that this identity layer rests upon are OPEN, and although MS was involved, so were a huge number of other people and companies. Anyone can play. Instead of simply engineering an Identity layer for themselves,  Microsoft has instead worked within the community to enable something much greater.  I have been lucky enough to see just how much work, time, money, and care has been put into making sure that there are tools, products, and services out there that give people choice in the Identity Infrastructure they use to interact with services such as Azure.

I tip my hat to all you folks on the federated identity team at Microsoft — past and present members.   You have walked and will continue to walk a tough line,  but I hope that now, at least the story gets easier. Thank you.

Seeing- if not red, at least strong magenta

•21 Oct 08 • 4 Comments

A friend of mine sent me this link to a report attempting to help improve the quality of communication at conferences, entitled Fifteen Obstacles to Dialogue and written by Mark Gerzon.

I have an obvious bias here, so please take that into account, but I honestly can’t quite believe my eyes:

The gender trap, while much more subtle, is double-edged. On the one hand, a conference with a series of all-male panels undercuts itself, particularly if it is otherwise progressive. When conferences repeat the importance of “participation” or “the role of women in development” but then have less than 10% female participation, charges of hypocrisy are in the air, even if not spoken.

On the other hand, if women are placed on panels or in roles precisely to counteract the male dominance, this can also backfire. A series of panels with a single woman, while perhaps better than all-male ones, begs the question of why the single woman was included. One should either be serious about equitable female representation, or let the chips fall where they may. Better honest male chauvinism than manipulative tokenism.

Let’s start with that last sentence, shall we?  It seems to me that male chauvinism is mentioned in the context of blind partiality for male participants, and tokenism is mentioned in the context of blind partiality for female participants. I love how blind partiality for men is described as honest, while blind partiality for women is described as manipulative.  I suppose that it was too complicated to simply advocate against any kind of partiality based on gender.

I’m sad as well about the statement made by this author that the inclusion of one female on a panel begs the question of why that woman was included.   The implication seems to be that it is better to avoid the appearance of tokenism than to let that lone female participate.  The implication also seems to be that people would naturally assume that a woman is unqualified and a “token” before they would believe that the woman is as qualified as her co-panelists.  Otherwise, the presence of a single woman on a panel wouldn’t “beg” anything.

Lastly, it can only be assumed that equitable female representation is an onerous burden.  Given the author’s unstated assumption that people assume tokenism before qualification for women panelists & presenters, I’m not sure why “equitable” female representation would result in a more positive audience impression than representation by one female on a panel.  If anything, according to the author’s logic, the likelihood of attendees accusing organizers of tokenism would grow as the number of women grows – after all, the more women involved, the greater the likelihood that some of them are unqualified, right?

A trap indeed.

You know you’ve made it when:

•17 Oct 08 • Leave a Comment

Your blog makes it into the pr0n search index:

My mom would be so proud 🙂

Small Note on IE Protected Mode

•16 Oct 08 • Leave a Comment

I ran into an interesting phenomenon the first time I used IE protected mode.   I’m documenting it here, in case somebody else gets into this situation.

My test blogs are at http://pamelaproject.com, but my login page and the rest of my administrative pages are protected using HTTPS.   Past use had resulted in my having added https://pamelaproject.com to my trusted sites list in IE.

If you use the default settings for enablement of protected mode in IE,  sites in the Internet zone operate with protected mode on, while sites in the Trusted Sites zone operate with protected mode off.  When I attempted to go to my blog front page,  IE was in protected mode – but authenticating took me to the HTTPS URL I had listed as a trusted site, so I changed from an Internet Site to a Trusted Site, and changed protection mode.  The result was extremely unsatisfactory.

Upon logging in, a separate IE instance started, showing an authenticated WordPress admin page.  I could view my profile or use other admin functionality.  If I tried to visit my main WordPress site blog front page content however,  I was taken to my original IE instance — where I could view my front page, but where I was not authenticated.  It was a lovely catch-22: If I tried to comment, I’d end up in IE window #1, with no user session.  If I tried to authenticate, boom!  I’d end up in the IE window #2, authenticated, but with nothing to comment on.

Fun huh?

The extra window is not WordPress misbehaving: a protected-mode IE process runs with reduced privileges and cannot host a page from a zone where protected mode is off, so IE starts a second, unprotected process for that page, and the protected process keeps its own low-integrity cookie store, which is why the session from one window is invisible in the other.  To fix this problem, you can simply remove the https url of your site from your trusted sites list, so that everything runs in the same protection mode.  You can also meddle with your protection mode settings per site classification (zone) — after all, what’s the point in turning protection mode off for trusted sites, if doing so causes complexity rather than reducing complexity? At least if everything is in protected mode, you don’t have unasked-for windows popping up when you least expect them.  Of course, I haven’t used IE enough recently to know if there are other reasons why you would want protection turned off.   I suppose only time will tell.