
Identity Woman

Independent Advocate for the Rights and Dignity of our Digital Selves


ID Topics

Free Phone but only if you use the number we give you????

Kaliya Young · March 29, 2006

I just got a pitch from the Sprint Ambassador program for a free phone and free calling and data for 6 months. I am like, cool (somehow I have landed as a tech somebody, because only those folks get free phone offers). I can transfer the number that is only good in the Bay Area to this new phone and get out of the MetroPCS ghetto that I am in. All of you who know I have 2 cell phones (one for the Bay Area, one for outside) will be happy to have me integrated back onto one phone.
I wrote to them asking that a phone number I already have be used. They wrote back and said:

Because of the way the Ambassador phones are set up, you are unable to change the phone number of the phone for the duration of the 6 months. However, you are able to transfer your existing number to the phone after the 6 month period, if you wish.
Thank you,
The Sprint Ambassador Team

Notice they didn’t even sign their names…so much for having a real market conversation between people. I am just talking to their “team.”
It proves how dumb the phone system is. If these guys can't technically figure out how to let me use my own phone number, the offer doesn't do me a whole lot of good. In terms of identifier management it just adds to the complexity rather than decreasing it.
Hopefully they will figure this out and let me use my own number.

Clarity in Blogging – What do you want from me.

Kaliya Young · March 20, 2006

I would like to ask you all a question – What do you want and need out of my blogging? This morning I have been writing relatively short context sensitive posts.
One person has contacted me and told me that they 'have no idea what I am talking about' and that there are not enough links to create context. I am at Mix06, in case that wasn't obvious: the Microsoft live web conference.
What kind of posts do you like best? What do you want more of? Should I wait till the end of the day at a conference and post all at once? What works? Thanks for your feedback.
To comment on this blog you need to create an account on the login screen here and then click on comment.

At Mix06..Marc Canter has started from the floor

Kaliya Young · March 20, 2006

During Gates' keynote he brought up the guys from MySpace to talk about how they have used ASP.NET to scale well. They are also building a photo 'gadget' (in Apple land we call these widgets, I think) that is just like 1001 for Flickr. As they were leaving the stage, Marc Canter hollered out "Give us some Open APIs please".

Technorati Tags: MarcCanter, Mix06, BillGates, Microsoft

What is the map of the challenge? Usability and Web Authentication

Kaliya Young · March 20, 2006

Last week for two days I was at the W3C workshop on usability and authentication. It was hosted at the top of a Citibank building in Brooklyn. We had to present ID at the door to get upstairs.
The room was a very long rectangular room with three presentation screens and 2 giant columns. It is a terrible layout. The first morning we heard 3 PowerPoint presentations about 'the problems' of usable security and authentication. Maybe people were only half present, doing e-mail and other things.
I really wanted to interactively (as in facilitated face-to-face discussion) create a map of the problem space. By the end of two days I sort of got it, but I know we as a room could have come up with that in half a day and then spent the rest of the time really working on ideas for solutions.
There are a bunch of constituencies:

  • Browsers – Firefox, Opera and IE (Microsoft)
  • Big websites – AOL, Yahoo, Google
  • Certificate Authorities – Verisign
  • Banks

They all want the security of verifying websites to be more usable and understandable to normal folks. So there were usability experts there too.
I think I understand why 'standards bodies' and processes get bogged down. They are really not very innovative in their face-to-face technology: presentations for two days do not create a positive, energetic vortex and community to move forward on solving problems.
I am really tuned into this need to get better at our face-to-face process so our ideas and innovations for the online world can actually work.

Law and Order SVU: Identity Use Case

Kaliya Young · March 20, 2006

Last night I was on JetBlue from NYC to Vegas. I don't watch TV normally, but on JetBlue I get to 🙂 Last night I mostly watched Law and Order. In one of the episodes an interesting use case comes up. They are investigating a murder. The victim has a stamp on his arm from a gay club. They go and investigate the club and who was there. Turns out that the club scans everyone's driver's licenses and keeps a log of all the people who go in. I wonder how prevalent these identity scanning systems are; does anyone know, or know where to find out? What are the regulations about their use, and what is the 'agreement' with the people who are scanned? The club owners say that the system cost $11,000 and the reason they got it was because they were busted for serving alcohol to a 15 year old girl. The police investigators look through the list of people who were at the club that night. It turns out that the cop's son is on the list.

Internet Identity Workshop is announced May 1-3 in Mountain View

Kaliya Young · March 13, 2006

It seems only appropriate that while PC Forum is going on with the theme Erosion of Power: Users in Charge, we are announcing the second Internet Identity Workshop.
May 1-3, 2006, Computer History Museum, Mountain View, CA
Workshop Wiki
The Internet Identity Workshop focuses on user-centric identity and identity in the large. Providing identity services between people, websites, and organizations that don’t necessarily have a formalized relationship is a different problem than providing authentication and authorization services within a single organization.
Goals
The goal of the Internet Identity Workshop is to support the continued development of several open efforts in the user-centric identity community. These include the following:
* Technical systems and proposals like YADIS (LID, OpenID, i-names), the Identity Metasystem, InfoCards, and the Higgins Project
* Legal and social movements and issues like Identity Commons, identity rights agreements, and service provider reputation.
* Use cases for emerging markets such as user generated video (e.g. dabble.com), innovative economic networks (e.g. interraproject.org), attention brokering and lead generation (e.g. root.net), consumer preferences (e.g. permission based marketing), and civil society networking (e.g. planetwork)
The workshop will take place May 2 and 3, 2006 at the Computer History Museum. We will also have a 1/2 day on the first of May for newbies who want to get oriented to the protocols and issues before diving into the community. If you are new to the discussion, we encourage your attendance on May 1st because of the open format we’ll be using to organize the conference.
Format and Process
At the last identity workshop we did open space for a day. It was so successful and energizing that we will be using this format for both days. If you have a presentation that you would like to make or a topic that you know needs discussion in the community you can propose it here on the wiki. We will make the schedule when we are face to face at 9AM on May 2nd. We do this in part because the ‘field’ is moving so rapidly that we your organizing team are in no position to ‘know’ what needs to be talked about. We do know great people who will be there and it is the attendees who have a passion to learn and contribute to the event that will make it.
Part of the reason for moving to the Computer History Museum is to have better space for running this kind of effort with an expanding community. We expect a large and energized community to attend and are counting on plenty of participation. Don’t be put off by that, however, if you’re just getting into this. Come and learn. You won’t be disappointed.
Cost
We are committed to keeping this conference open and accessible. Having a venue that will support our doubling in size also means that it costs a bit more.
We decided to have a tiered cost structure to support accessibility as well as inviting those who are more able to pay to contribute. If you want to come we want you there. If cost is an issue please contact us and we can discuss how to make it work.
* Students – $75
* Independents – $150
* Corporate – $250
The fees are used to cover the cost of the venue, organization, snacks and lunch both days. We encourage you to pre-register since we will limit attendance at the event to 200 people. The IIW workshop in October sold out and we expect strong interest in this one as well.
Sponsorships
Our goal is to keep the workshop vendor neutral, but we will be accepting limited sponsorships for the following:
* Morning Break, May 2, and 3 ($800 each)
* Afternoon Break, May 1, 2, and 3 ($800 each)
* Lunch on May 2 and 3 ($2400 each)
* Conference Dinner, May 2 ($4000)
If you or your company would like to sponsor one of these workshop activities, or have ideas about other activities contact me. You will not get any extra speaking time for sponsoring but you will get thank-yous and community ‘love.’
Organizers
IIW2006 is being organized by:
* Kaliya Hamlin
* Doc Searls
* Phil Windley
The Brigham Young University Enterprise Computing Laboratory is providing logistical support and backing for this workshop.

Technorati Tags: pcforum

MyAPI we need it now

Kaliya Young · March 13, 2006

So, right now the only way to verify that I own an account online ("that I am who I am") is to give a third party the login to my account.
I want MyAPI: a secondary login for making assertions of ownership of an account, as well as for access to data in that account, like the books that I have bought, my LinkedIn contacts, my buddy list, etc.
We need standard ways to access (via MyAPI) and share this information (putting information in standard formats (XRI perhaps?) so that it can be integrated and aggregated by me and by services that I want to use).
MyAPI has a different password than my 'primary' account, and perhaps there are a few different levels of privileges.
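As an added illustration (not code from the original post, and not any real MyAPI implementation), here is a small Python sketch of the idea: a secondary credential that can only be minted with the primary password, that carries a fixed set of privileges, and that can prove account ownership to a third party without the primary login ever leaving the site. The class and method names (AccountService, issue_api_key, make_ownership_assertion), the scope names and the "|"-delimited token format are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Privileges a secondary ("MyAPI") credential may carry. Scope names are
# illustrative. Nothing here lets a key change the password or mint further
# keys: those actions stay behind the primary credential.
GRANTABLE_SCOPES = {"identity:assert", "contacts:read", "purchases:read"}


class AccountService:
    """One web site holding accounts, primary passwords and secondary API keys."""

    def __init__(self):
        self._site_key = secrets.token_bytes(32)  # signs ownership assertions
        self._accounts = {}

    # ---- primary credential -----------------------------------------------
    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def create_account(self, user, password, contacts=()):
        salt = secrets.token_bytes(16)
        self._accounts[user] = {
            "salt": salt,
            "pw_hash": self._hash_password(password, salt),
            "contacts": list(contacts),  # constructed sample data a key may read
            "api_keys": {},
        }

    def check_password(self, user, password):
        acct = self._accounts.get(user)
        if acct is None:
            return False
        candidate = self._hash_password(password, acct["salt"])
        return hmac.compare_digest(acct["pw_hash"], candidate)

    # ---- secondary credential ----------------------------------------------
    def issue_api_key(self, user, password, scopes, ttl_seconds=3600):
        """Only the primary password can mint a key, and only for grantable scopes."""
        if not self.check_password(user, password):
            raise PermissionError("primary password required to issue a key")
        scopes = set(scopes)
        if not scopes <= GRANTABLE_SCOPES:
            raise ValueError("non-grantable scopes: %s" % sorted(scopes - GRANTABLE_SCOPES))
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._accounts[user]["api_keys"][key_id] = {
            # store only a hash, so a database leak does not leak usable keys
            "secret_hash": hashlib.sha256(secret.encode()).digest(),
            "scopes": scopes,
            "expires": time.time() + ttl_seconds,
        }
        return key_id, secret

    def revoke_api_key(self, user, key_id):
        self._accounts[user]["api_keys"].pop(key_id, None)

    def authorize(self, user, key_id, secret, scope, now=None):
        """True if (key_id, secret) is a live key of user that carries scope."""
        now = time.time() if now is None else now
        rec = self._accounts.get(user, {}).get("api_keys", {}).get(key_id)
        if rec is None or now > rec["expires"]:
            return False
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(rec["secret_hash"], presented):
            return False
        return scope in rec["scopes"]

    # ---- what a third party can do with the key ----------------------------
    def get_contacts(self, user, key_id, secret):
        if not self.authorize(user, key_id, secret, "contacts:read"):
            raise PermissionError("contacts:read scope required")
        return list(self._accounts[user]["contacts"])

    def make_ownership_assertion(self, user, key_id, secret, challenge, now=None):
        """Site-signed 'user controls this account', bound to the relying party's
        challenge so it cannot be replayed elsewhere. The challenge must not
        contain '|' (the token delimiter)."""
        if not self.authorize(user, key_id, secret, "identity:assert", now):
            raise PermissionError("identity:assert scope required")
        issued = int(time.time() if now is None else now)
        body = "%s|%s|%d" % (user, challenge, issued)
        sig = hmac.new(self._site_key, body.encode(), hashlib.sha256).hexdigest()
        return body + "|" + sig

    def verify_ownership_assertion(self, token, user, challenge, max_age=300, now=None):
        """The check a relying party asks the site to perform (only the site
        holds the signing key). Rejects other users, other challenges, stale
        tokens and tampered signatures."""
        parts = token.split("|")
        if len(parts) != 4 or not parts[2].isdigit():
            return False
        now = time.time() if now is None else now
        if parts[0] != user or parts[1] != challenge or now - int(parts[2]) > max_age:
            return False
        body = "|".join(parts[:3])
        expected = hmac.new(self._site_key, body.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, parts[3])


if __name__ == "__main__":
    svc = AccountService()
    svc.create_account("kaliya", "correct horse battery", contacts=["doc", "phil"])
    key_id, secret = svc.issue_api_key("kaliya", "correct horse battery",
                                       {"contacts:read", "identity:assert"})
    print(svc.get_contacts("kaliya", key_id, secret))                 # ['doc', 'phil']
    print(svc.authorize("kaliya", key_id, secret, "purchases:read"))  # False, not granted
    token = svc.make_ownership_assertion("kaliya", key_id, secret, "nonce-42")
    print(svc.verify_ownership_assertion(token, "kaliya", "nonce-42"))  # True
```

The two design points worth noticing are that the third party never sees the primary password (it holds a key that can only read what it was granted, and that can be revoked or expire on its own), and that the ownership proof is something the site signs and the site verifies, bound to a challenge the relying party chose, so a captured token is useless to anyone else.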

Technorati Tags: identity, pcforum, usability, Web2.0, XRI

The Intention Economy by Doc

Kaliya Young · March 12, 2006

This piece on the Intention Economy by Doc is really great. It speaks to what I see as the subtle convergence of ideas from communities that I belong to. In spiritual activist world intention is a big deal “what is your intention” is not an infrequent question or frame invited around self reflection.
The social venture and social enterprise communities are big into finding a balance between intention and making money.
From the article:

Is “The Attention Economy” just another way for advertisers to skewer eyeballs? And why build an economy around Attention, when Intention is where the money comes from? 
I have developed a real problem with the perspective behind what a number of people have been saying about Attention behind the podia. That perspective is sell-side. Its point of view is anchored with sellers, not buyers.
Hence my idea: The Intention Economy.
The Intention Economy grows around buyers, not sellers. It leverages the simple fact that buyers are the first source of money, and that they come ready-made. You don’t need advertising to make them.
The Intention Economy is about markets, not marketing. You don’t need marketing to make Intention Markets.
The Intention Economy is built around truly open markets, not a collection of silos. In The Intention Economy, customers don’t have to fly from silo to silo, like bees from flower to flower, collecting deal info (and unavoidable hype) like so much pollen. In The Intention Economy, the buyer notifies the market of the intent to buy, and sellers compete for the buyer’s purchase. Simple as that.
The Intention Economy is built around more than transactions. Conversations matter. So do relationships. So do reputation, authority and respect. Those virtues, however, are earned by sellers (as well as buyers) and not just “branded” by sellers on the minds of buyers like the symbols of ranchers burned on the hides of cattle.
The Intention Economy is about buyers finding sellers, not sellers finding (or “capturing”) buyers.
Even though I’ve been thinking out loud about Independent Identity for years, I didn’t have a one-word adjective for the kind of market economy it would yield, or where it would thrive. Now, thanks to all the unclear talk at eTech about attention, intentional is that adjective, because intent is the noun that matters most in any economy that gives full respect to what only customers can do, which is buy.
Like so many other things that I write about (including everything I’ve written about identity), The Intention Economy is a provisional idea. It’s an observation that might have no traction at all. Or, it might be a snowball: a core idea with enough heft to roll, and with enough adhesion to grow, so others add their own thoughts and ideas to it.
As for the Linux connection, I believe that The Intention Economy is, by necessity, built on free software and open source principles, practices, standards and code. It’s not something that requires any company’s “platform” or “environment”. That’s why, much as I like the services provided by companies like Orbitz (which is built on LAMP, and does a very good job), I believe no company’s system can encompass The Intention Economy. The encompassing has to work the other way around. In other words, silos are fine. But the choice can’t be “nothing but silos”.

I think the foundational statement here is this necessity that these new economic models be built on free software and open source principles, practices, standards and code.

You can see this trend happening in the face to face community gatherings of techies with the flowering of independent conferences that are built on open source principles. They don’t have a high barrier to entry and people come together because they have an interest – they figure out what they want to talk about and do together. We have used these to bring the identity community together at the Internet Identity Workshop. Camps are happening etc.
The essential nature of identity systems that go to the core of who we are, or are becoming, in the digital age means that the platforms that we use to exchange this information must be OPEN. Jair and I have talked about this a bunch. We must be able to see the code that our operating systems are built on if they are managing our personally identifying information. How do we know there is not an NSA back door into Microsoft Vista to peer on us? Despite what MS says, can we believe them? We could if we could see the code. Hopefully they will get with Geoffrey Moore and understand the commoditization of the stack.
We also must improve privacy protection for third party storage of information, breaking out of the 'secrecy paradigm' that the courts interpreted: if someone knows information about me then it is not secret, so they can share it. This does not jibe with our norms of social disclosure of information.

Technorati Tags: etech, etech06

Spime, Thinglinks, Blogjects: New vocab for the internet of things from Bruce Sterling.

Kaliya Young · March 6, 2006

Bruce's keynote at etech was awesome. Here are the highlight new words for us to use to think about emerging technology.
Spime – trackable in space and time
They are virtual objects first and actual objects second.
We can engage with objects better throughout their lifecycle.
We won't have to track our own inventory in our heads; it will all be catalogued and searchable. Where are my shoes? I will just google them.
Spime is a verbal framing device, a verbal pointer, because he needs a single-syllable noun to call attention to it.
A 'theory object' passed around is a concept that is accreting attention.
It has links and attention, website, FAQ, Flash, DB and "user centric graphic web apps".
Bruce of course interjects that he is a writer and likes black ink on white paper, so he hates "all this stuff".
Thinglink (unique identifiers)
Can be put everywhere [it sounded a lot like XRI]
Blogjects – weblog objects that evoke discussion.

Technorati Tags: etech, etech06

Password Security: What Users Know and What They Actually Do

Kaliya Young · March 4, 2006

Password Security: What Users Know and What They Actually Do posted on Bruce Schneier’s blog.
The finding that participants in the current study use such simplistic practices to develop passwords is supported by similar research by Bishop and Klein (1995) and Vu, Bhargav & Proctor (2003) who found that even with the application of password guidelines, users would tend to revert to the simplest possible strategies (Proctor et al., 2002). In the current study, nearly 60% of the respondents reported that they do not vary the complexity of their passwords depending on the nature of the site and 53% indicated that they never change their password if they are not required to do so. These practices are most likely encouraged by the fact that users maintain multiple accounts (average = 8.5) and have difficulty recalling too many unique passwords.

Amazingly Complex and BEAUTIFUL Network Snapshots

Kaliya Young · March 4, 2006

This is just an amazing collection of network pictures.

GOP Phone Home

Kaliya Young · March 4, 2006

From the everyone-has-an-angle dept: Minnesota GOP’s CD Raises Privacy Concerns
ThinkProgress blog is reporting that the Minnesota Republican Party has been distributing a new CD about a recent proposed amendment. The CD poses questions about some of the hot-button issues like abortion, gun control, and illegal immigration. The problem with this CD, however, is that it “phones home” to the Minnesota GOP, without making it clear that your name is attached. So, if you take a look at the CD and take time to answer the questions, beware. Once you are finished they will know not only who you are, but where you stand on the issues at hand.

RSA: Symantec CEO Keynote

Kaliya Young · March 4, 2006

I wonder how much he paid to talk to us. He was Black, which was interesting. Later in the day at the Cyber-Security Industry Alliance party he was the center of the conversation. He sounded like he was channeling Marc Canter about eLife and DLAs. He also mentioned this line in the middle that speaks to some of the issues we are working on.
We can't allow trust to continue to erode. Trust is the foundation of the online world.
Chair of the Board and CEO
His vision for the digital lifestyle
Any time, anywhere

  • e-life
  • buy it
  • destination
  • package
  • e-business
  • building relationships
  • enabling ideas
  • driving business growth
  • increasing productivity
  • Imagine a connected world
  • that's just getting started

The digital lifestyle that we all live today.
The way that people access the web.
Digital interactions are ubiquitous.

  • Bills, Mail – scanned and tracked.
  • Groceries – plugged into supply chain.

eLife is here and is changing how we live and what we expect out of our lives; the two are intertwined.
Expectations for us are growing every day: to protect family photos, financial plans. Trust is the issue and they expect that we protect this information as if it were their own.
They want companies to protect their identity and protect critical digital assets – this is a customer demand.
Protect the databases of prime target information. New compliance and regulatory demands… expensive operational changes. Risk-based approach. Shift – burden on the enterprise… each and every one of us, enterprises and consumers, must prove that we are trusted partners; risk must go down.
Companies have built into business models – real time tracking, managing, self-service customer.
Written into assumptions about growth. Cost to process a consumer loan – $10 now, was $200. Can't go back to the old way of doing business. This new way must succeed. Give business to someone they can trust.
Security becomes competitive advantage. Security guarantees – trump comfort of local; we will hurt the whole economy… this is the real hidden threat: LOSS of consumer confidence in the digital world.
Broad adoption of firewalls and intrusion detection. Mitigating the virus and worm challenge – low hanging fruit. Today bigger challenge.
Sophisticated criminal elements. They are interested in anonymity rather than notoriety. Looking for personal financial information. Not that technically sophisticated.
Socially engineered attacks. Naivete of most internet users.
150 million phishing e-mails…
Large scale data breaches. Identity theft growing threat to the digital lifestyle. 6 years top of FTC list… 50 million Americans exposed.
We can't allow trust to continue to erode. Trust is the foundation of the online world.
Protect the relationships of these digital interactions of this great new world we have created. We need to debunk the myth that just securing the device is enough. Impossible for one narrowly focused company to secure.
We must join together to solve the global community challenge.
Create a trusted online community. In the digital world consumers are the weakest link… we must protect them from themselves.
Customers must meet minimum security… Symantec… end point solutions.
Enterprise brand is protected… More aggressive in ensuring information protection. Data must be retained in a secure manner. Actively look for ways to protect things.
New – Scan for anomalies [yuck]. Managing security risk is part of keeping information safe. Backup and recovery…
Join together to create a trusted online community – end users get a convenient and safe experience. It is easy to walk into a store and get a sense of place, a feeling about whether it is smart to give them our business… online we don't have our sixth sense… it is up to the business community to assess what is safe. Must develop a sixth sense for it.
Process for customers and businesses to authenticate identities to each other. You are you… they are they… authenticated as real.
Trusted community – a way to search the online world safely. Does the site pose a threat to you? Click and hope. Site safety and security. Site credibility in search results. Credibility rating updated by users as part of a broad community.
We all need to develop interaction and information protection. Relationships between customers and businesses. All of us need to take the lead in pushing for policy changes – privacy protection; the business community should push for comprehensive privacy legislation.
US privacy legislation. Protecting children online. Comprehensive response. Information protection at every step along the way. We need one law that protects all consumers and encourages innovation in data security technology. Uniform laws. TRUST is the foundation of this new world. Millions relying on the digital world for work and play. No company can ignore the safety of their interactions; it undermines the trust in brand and business.
Ease and enjoyment of the digital lifestyle. Online banking… credit card… healthcare; focus on protection.

  • We must join together and take responsibility.
  • Beyond walls of individual companies.
  • Comprehensive end to end.

Continue to educate consumers…

Bruce Schneier: Why Security Has So Little To Do With Security

Kaliya Young · March 4, 2006

Sorry for the delay. This is Bruce Schneier's talk at RSA on Why Security Has So Little to Do with Security.
There is no such thing as absolute security!
Security involves trade-offs:

  • If no airplanes flew – 9/11 couldn’t have happened.
  • Airport security has trade-offs – tax dollars, time, "calmness".
  • Gated communities offer more security but less privacy; buying a home alarm system costs money and convenience.
  • We are not wearing bullet-proof vests… we don't want to spend the money or make the fashion trade-off.

We make decisions every day about these trade-offs
Additional security depends on the risk and the effectiveness of the countermeasure. People are security consumers; the right question is 'is it worth it?'

  • People RARELY perform this analysis explicitly
  • People succumb to fear and uncertainty
  • People believe false promises
  • People regularly do things that compromise their security
  • people don’t do what they say

Security trade offs can be financial, social and non-security
The barrier model doesn't quite work… There are legitimate users, and attackers are bounced. The failures in this model are that the good guys get bounced or the bad guys get in. When the system fails it most likely fails against legitimate users!!!
Threat = Attacker -> Goals -> Attacks
There are multiples of all of these: criminals and hobbyist hackers.
Attackers can also be legitimate users (they can get a lot of information about systems to find out how they work – before 9/11 they flew airlines).
Attacks divert to other targets…(go attack someone else)
Assets are owned by someone else. -> Trade offs are made by the asset owner. They don’t make the decision.
Security system (access control, tarmac, passengers)
ASSETS (airplane)
Perceived Risks + Other considerations “everything else” [ social/moral | technological | legal | economic ]
The owner of the asset around which risks can be mitigated.
Owner -> Policy -> Trusted people -> Trusted systems – security systems to protect assets.
There are things we can not do to protect assets:

  • Banks – strip search everyone who comes into bank.
  • House – put landmines in the lawn

Legitimate users influence owners:

  • We can’t put cameras in dressing rooms.
  • Government – wanted to ban laptops on airplanes (legitimate users forced decision)

Trusted people influence: –

Urine tests for federal employees in the Reagan years. They said no.

The effectiveness of security system…minor component in complex decision graph.

Look at the sum of the stuff pointing at the owner. Every security decision affects multiple players, and the party who gets to make the decision will make one that's beneficial to him.
Every security decision affects multiple players… Look at Guns on airplanes .. pilots, flight attendants, citizens legislators
If they don’t want to buy it they are not ‘irrational’ it is rational within their world view…
Every player has his own unique perspective, his own trade-offs and his own risk analysis. You have to evaluate security options based on the positions of the players. Often security decisions are made for non-security reasons. The major security issues have nothing to do with security technology.
Detecting counterfeit money there is no incentive to detect it. I as a customer if we find it in our wallet just want to spend it the merchant if they find it will not report it as long as they can deposit it.
Look at KAL 007, the last western flight to get shot down over Russia.

  • The reason was that the prior time a western airliner flew over Russian airspace, the general in charge lost his command. So this general did not want that to happen to him. The agenda of the general who decides to shoot the plane down: I need to save my career.

Look at salesclerks and credit card verification.

  • They never check – they don’t care it is not their agenda. Make transaction go through with minimal stress. Owner of store more likely to check.

Look at Tylenol poisonings and random stupid crimes

  • Security is the science of tamper resistant packaging. They are silly security measures but they address the real problem (public no longer trusts over the counter drugs).

Look at banning things on airplanes.

  • Didn't ban matches and lighters – the cigarette lobby got to Congress… better than the knitting needle lobby

SECURITY PROXIES are a way we address risk.
Proxies are players who acts in the interest of other players
(airline security: TSA… airlines not allowed to compete on security – more secure airlines, background checks – less secure airlines – no lines)
Proxies are a necessary aspect of security because people aren't proficient at risk management. Proxies are not going to make the same risk management decisions that the people they represent would have…
Home building inspectors
They ultimately work for the real estate business; if they deny too many times they won't have business… They are mercenaries. If you hire them make sure you pay them… or they turn around and attack the people who hired them.

DVD region encoding

  • There are secret features to defeat it… manufacturers as proxies… manufacturers want the cheat codes, which pisses off the media companies.

Government regulatory bodies

  • yes safety but also their jobs (my comment: embedded autonomy)

Banks’ verification of signature on checks

  • They don't do this – why check? No security problem until the customer complains. Push security onto the consumer. Bank centralizing security – checking signatures? Distributing it is cheaper than…

Banks’ verification of balance in account

Compare – bank security of overdrafts – they will spend a lot to deal with that kind of fraud.

Cell phone security against eavesdropping

  • Ridiculous that they don't have encryption. Phone companies don't care – voice privacy doesn't affect the bottom line. In whose agenda is voice privacy? The customer's.

Cell phone security against third-party batteries

  • Third party batteries they care – security device ‘security of their revenue’

Security is never an isolated good. It always makes sense in the context of a greater system. That system is more important than security. Security is a secondary consideration (it is an afterthought). Understanding the context is just as important as understanding the security.
The context of the internet today is a lot of spying stuff. Fighting the context won't help… must work with the context.
Subscribe to Crypto-Gram: Free Monthly Security Newsletter

Questions:
About proxy divergence: NSA protects us by snooping on us. NSA – protect ours and attack theirs. Equities issue: if you are in the NSA and know about major flaws, do you tell Microsoft? If you don't, you can spy on the Chinese etc. Defend good guys or attack bad guys. NSA eavesdropping on Americans. Police start making these decisions and you get security that looks like a police state – powers of investigation and who. That is the way they think… This is a good example of proxy divergence. Important that the POLICE don't run the country; someone above the police making the decisions, civilian control of intelligence – pull the proxy back a bit.
Someone in government today [elected official]… their agenda is getting re-elected; measures to incent proxies properly; understanding it we might be able to correct for it. Elections are about fundraising. Clever electoral reform systems… try to deal with the proxy problem, recognize them and then figure out risk… I act as a proxy for corporations and vendors. What are the METRICS for measuring risk?
Regulations: most of my data is not controlled by me; company X (ChoicePoint) has control over it but I am not a customer…
The delta value is extreme. Underprotected…
Regulation to get ChoicePoint to take security more seriously. Does it work? Is it effective? Increasing the cost to the company – make it more expensive to ignore security – for vendors SOX is good for us, there is more money to spend on security.

Bruce Schneier: Economics of Security

Kaliya Young · March 4, 2006

Sorry this is so late but I have been in a state of overwhelm. Better late than never. Bruce Schneier's talk at RSA on the economics of security.
ECONOMICS MATTER!
What are the Economics of Security.
There are trade-offs (balancing costs and benefits) and externalities.
What are the costs of failure?

  • Money
  • Proprietary information lost
  • Regulatory noncompliance
  • Bad press
  • Lost customers

The things that don’t matter
“If your security guys have to work over the weekend.”
What are the costs of security?

  • paying one of those companies
  • convenience

We have a very poor understanding of risk. It is very difficult to explain technical risks to non-technical people. There is real confusion in the media. There is a real lack of real data on risks. Could you get good data on your risk of being mugged on the way back to the hotel tonight? There is no good data on internet crime. The CSI computer crime survey is self-selected and covers only the things people recognize.
The problem: low-risk, high-cost events.
Normally you calculate the value of risk mitigation as the probability of being attacked times the damage if you are attacked. This gives a dollar figure for how much to spend to protect yourself. The math doesn't work for low-risk, high-cost events. This is what makes counterterrorism so hard to talk about: the poor understanding of risks and costs.
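As an added illustration of the probability-times-damage arithmetic above (example code written for these notes, not anything from Schneier's talk; the two scenarios, the dollar amounts and the reserve figure are constructed), the following computes that figure for a frequent cheap event and a rare catastrophic one that have the same expected loss, and shows why the number alone is a poor guide for the rare case: the same budget cannot absorb the rare event, and a tenfold uncertainty in the probability moves the justified spend tenfold.

```python
"""Expected-loss arithmetic and why it misleads for rare, catastrophic events.

Added example; the scenarios and dollar figures below are constructed.
"""


def expected_annual_loss(probability: float, loss: float) -> float:
    """Probability of the event in a year times the damage if it happens.
    This is the figure the talk says you would spend to protect yourself."""
    return probability * loss


def prob_at_least_one(probability: float, years: int) -> float:
    """Probability the event happens at least once over `years` independent years."""
    return 1.0 - (1.0 - probability) ** years


def ruin_probability(probability: float, loss: float, reserves: float, years: int) -> float:
    """Probability that a single event exceeds what the organisation can absorb,
    at least once in `years`. Events smaller than the reserves never cause ruin,
    however often they occur; events larger than the reserves only need to happen once."""
    if loss <= reserves:
        return 0.0
    return prob_at_least_one(probability, years)


def justified_spend_range(p_low: float, p_high: float, loss: float) -> tuple[float, float]:
    """When the probability is only known to lie in [p_low, p_high], the expected-loss
    formula justifies any budget in this range: poor probability data gives poor budgets."""
    return (expected_annual_loss(p_low, loss), expected_annual_loss(p_high, loss))


# Constructed scenarios with identical expected annual loss ($10,000 per year).
SCENARIOS = {
    # frequent and cheap: e.g. a stolen laptop or a phishing incident every other year
    "frequent_cheap": {"probability": 0.5, "loss": 20_000.0},
    # rare and catastrophic: e.g. a breach of the whole customer database
    "rare_catastrophic": {"probability": 0.0005, "loss": 20_000_000.0},
}
RESERVES = 5_000_000.0   # constructed: the most the organisation could absorb in one hit
HORIZON_YEARS = 10


def compare(scenarios=SCENARIOS, reserves=RESERVES, years=HORIZON_YEARS) -> dict:
    """Expected annual loss and ruin probability for each scenario."""
    return {
        name: {
            "expected_annual_loss": expected_annual_loss(s["probability"], s["loss"]),
            "ruin_probability": ruin_probability(s["probability"], s["loss"], reserves, years),
        }
        for name, s in scenarios.items()
    }


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:18s} EAL=${r['expected_annual_loss']:,.0f}/yr  "
              f"P(ruin over {HORIZON_YEARS}y)={r['ruin_probability']:.4%}")
    low, high = justified_spend_range(0.00005, 0.005, 20_000_000.0)
    print(f"rare event with probability known only within 10x either way: "
          f"justified spend ${low:,.0f} to ${high:,.0f}/yr")
```

Both scenarios "cost" $10,000 a year by the formula, so the formula tells you to spend the same on each; but a decade of that budget ($100,000) is irrelevant to a $20M event, which is the point the talk makes about counterterrorism.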
EXTERNALITIES
They are using it behind our backs.
Externalities are an effective way of dealing with risk: the effect of a decision is not borne by the decision maker. A lot of the costs of security failures are externalities. ChoicePoint made a trade-off.
ChoicePoint: spend less on security than the data is worth.
There are some costs borne by the vendors.
Insecure home computers (my mother has one of those; I go home twice a year).
The security of all of us depends on all of us. It is in our best interest that her computer is clean; she doesn't care (why should she?). For her, the effects on you are largely an externality.
Badge cloning: RSA solved its security problem by making it your problem. See this post that explains it all. When you want to manage an externality, when we as a group don't want RSA to do this, we have two strategies to prevent it:
1) laws and regulations
2) sue
To get people who are not affected by the risk of insecurity to address it, raise the cost of not being secure.
Laws: ATM fraud followed two different trajectories.
US -> assumed to be the responsibility of the BANK.
UK -> assumed to be the responsibility of the bank customer.
UK banks were not losing money due to ATM fraud.
US banks were.
UK security languished.
Principle: make the entity in the best position to mitigate the risk responsible for the risk.
UK: the customer was responsible but had no ability to improve the situation, other than not using the system at all.
US banks dealt with it because it was their problem.
Rogers (cell phone company): whenever a phone is cloned, they charge the customer, and turn the phone off sooner or later depending on the customer's ability to pay the bill.
IT ECONOMICS

  • Economic incentives to get big quickly.
  • Fast growing and insecure vs. slow growing and secure.
  • High fixed cost and low marginal costs.
  • Very different economics.
  • Hard to recover capital investment… lock-in via patents, brand, compatibility walls… get people into the network to recover costs.
  • High switching costs. Even moving from one browser to another is a PAIN.

Shapiro-Varian theorem:
Net present value of a software company = its customers' switching costs…
This has interesting consequences.
You end up with accessory control: third-party batteries,
plugins…
So companies are driven to make switching costs higher, so customers are less likely to go to a competitor.
The Market for Lemons.
Markets where lousy products are sold.
In a market with asymmetric information…
bad products drive out good products. Good used cars are worth $2000 and bad used cars $1000; the equilibrium price is $1500…
Software is a lot like that.

  • It is hard to tell good product from bad product.
  • Market for lemons… the bad ones drive the good out of the market.
  • Customers are not able to make intelligent buying decisions.
  • Make a bad product and you can cover for it with marketing.
  • Monopolistic/oligopolistic markets…
  • features low and prices high…

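To carry the used-car example one step further, here is a small added simulation (not from the talk; the five-tier price ladder is constructed) of the unraveling Akerlof described: buyers who cannot tell quality offer the average value of what is on the market, sellers whose product is worth more than the offer withdraw, and the average falls until only the lemons trade. With the talk's two tiers the offer goes $1500, then $1000; with more tiers the slide is gradual. The security analogue is a market where "we take security seriously" is the only signal: it is free to claim, so it carries no information.

```python
"""Akerlof's market for lemons: adverse selection under asymmetric information.

Added example; the product values below are constructed.
"""


def unravel(values: list[float], max_rounds: int = 20) -> list[float]:
    """Return the sequence of blind offers until the market is stable.

    `values` are what each product on offer is really worth; each seller knows
    their own value and will not sell below it. Buyers cannot tell products apart,
    so each round they offer the average value of what is still on the market.
    Sellers above the offer leave, the average drops, and the process repeats.
    """
    remaining = sorted(values)
    history: list[float] = []
    while remaining and len(history) < max_rounds:
        offer = sum(remaining) / len(remaining)      # buyer pays the expected value
        history.append(offer)
        still_willing = [v for v in remaining if v <= offer]  # sellers demand their true value
        if len(still_willing) == len(remaining):
            break                                     # everyone left accepts: stable
        remaining = still_willing                     # the better products withdraw
    return history


def surviving_sellers(values: list[float]) -> list[float]:
    """The products that actually trade once the blind market has settled."""
    remaining = sorted(values)
    for offer in unravel(values):
        remaining = [v for v in remaining if v <= offer]
    return remaining


def informed_prices(values: list[float]) -> list[float]:
    """With a trusted quality signal (an independent evaluation that costs more to fake
    than it is worth, or liability that bites), each product sells for what it is worth
    and the good ones stay in the market. This is the benchmark the blind market misses."""
    return sorted(values)


# Constructed inputs.
TALK_EXAMPLE = [2000.0, 1000.0]                          # the talk's good car / bad car
FIVE_TIERS = [2000.0, 1750.0, 1500.0, 1250.0, 1000.0]     # a finer quality ladder

if __name__ == "__main__":
    print("talk's two tiers, blind offers:", unravel(TALK_EXAMPLE))
    print("five tiers, blind offers:      ", unravel(FIVE_TIERS))
    print("five tiers, what still trades: ", surviving_sellers(FIVE_TIERS))
    print("five tiers, informed prices:   ", informed_prices(FIVE_TIERS))
```

The first blind offer in both cases is the $1500 the talk mentions; what the iteration adds is that $1500 is not where it stops, because at that price the $2000 seller walks away and the buyer re-prices against what is left.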
Address and align interests and capabilities: the entity with the ability to mitigate the risk should be the one responsible for it.
Italy: tax fraud as a national hobby.
Tired of going after merchants, they fined any customer within [a given distance] of a store without a valid receipt. Customers demand receipts. Make the customer CARE!
The sign you see at 7-Eleven: your purchase is free if you don't get a receipt. Employee theft: the cash register was created to prevent employee theft. The paper tape is an audit of all transactions. The way you commit fraud is transactions that don't show on the register tape. Put up the sign and you have hired the customer: for those 15 seconds the customer becomes the security guard. Managing externalities in a way that solves the security problem.
Security is a process not a product.
It needs a holistic approach

Understand the security problem and the stakeholders.
Understand the security and non-security trade-offs; you must align the economic incentives (required: all solutions will work if this is true).
Implement countermeasures to reduce risk.
Iterate as technology changes things
If, as a society, we think we need better security… capabilities change…
Liabilities: moving them around is hard.
Regulations: absorb more of the losses…
This depends on politics. Making it more expensive for credit card companies or data brokers: that is what we have to do!
Security monitoring and logging… SOX.
Banking requires more layers of authentication.
Logging is now popular because it is more expensive not to do it.
Failing an audit is expensive for companies.
Whether the logs are good or not is not the question. What is important is that you have them.
The concern is not what we log and how long we keep the logs.
Saving something is cheaper than throwing it away. More data is collected, and it is cheaper to collect; much more than is needed, and it gets used for other purposes.
Yahoo and Google: better to collect than not to collect.
The only way to deal with it: make it illegal.
We must make it more profitable not to collect.
Make it illegal to use for auxiliary purposes (the European model).
I don't mind if they produce books that I might like…
Companies will compete on whatever economic playing field you give them.

Bruce Schneier is brilliant!!!!

Kaliya Young · February 28, 2006 · Leave a Comment

I saw Bruce Schneier twice at RSA and missed the third time he was on stage, for a debate on Real ID. If you don't read his blog you should. I was excited to see him at RSA and he surpassed my expectations. He is a very clear communicator and full of common sense. He handed out Individual-i stickers and his book of San Jose restaurant reviews.
Individual-i stands for:

* Freedom from surveillance
* Personal privacy
* Anonymity
* Equal protection
* Due process
* Freedom to read, write, think, speak, associate, and travel
* The right to make your own choices about sex, reproduction, marriage, and death
* The right to dissent

The next few posts are what I transcribed as best I could while he talked.

Higgins opens up

Kaliya Young · February 27, 2006 · Leave a Comment

Big News in Identity Today
Project Higgins – which is being managed by the Eclipse open source foundation — is developing software for “user-centric” identity management, an emerging trend in security software. It enables individuals to actively manage and control their online personal information, such as bank account, telephone and credit card numbers, or medical and employment records — rather than institutions managing that information as they do today. People will decide what information they want shared with trusted online websites that use the software.
This is the first user-centric identity management effort to follow the open source software model, where hundreds of thousands of developers contribute — and continually drive improvements through collaborative innovation. Being an open source effort, Higgins will support any computer running Linux*, Windows* or any operating system, and will support any identity management system.
“To move online security to the next level, there has to be fundamental resolve among consumers, government and business to quickly adopt a system where the individual has more control over how information about them is managed and shared,” said John Clippinger, Senior Fellow for The Berkman Center. “Our aim is to construct an open and widely accessible software framework that puts the individual at the center of the identity management universe. With this framework in place, it will be easier for society to begin the migration to more secure online environments, where trusted networks can not only be easily formed, but effectively enforced. For in the end, security is not just technological, but social.”
Higgins will make it simple and secure for someone to change an address across all their online accounts with a single keystroke; delegate who can see what elements of their medical records; or change a password across online banking and brokerage accounts. For example, a person can grant their insurance company broad access to their personal information and medical records, while at the same time limiting the amount of data made available to their cable company. In turn, businesses can create new channels of communication with customers – enabling information to be shared securely across networks to deliver targeted, relevant products and services.

A service I use got bought by Google…mmmm…

Kaliya Young · February 20, 2006 · Leave a Comment

So I started using MeasureMap several months ago, the first week it was live. I LOVE it… but it just got bought by Google. I am not a big fan of Google these days… now they have all the traffic and link data on my blog. Are they going to start charging me for this service? How do they monetize this service? I have no problem with them making money, but as a user of the service I would like to know exactly how they plan to do it.

MarcCanter: Giants must open or die

Kaliya Young · February 9, 2006 · Leave a Comment

Marc Canter has had a glimpse into the future of Microsoft…

For sure – each of these giants will make their own decisions, in their own due time, but at the end of the day – if they don’t open up – they’ll eventually lose their customer.
At least we have a way to connect these giant worlds together (and take us small little fry along for the ride at the same time.) That's a huge breakthrough and is the foundation of us building the distributed web infrastructure. What I've been chanting about is our own Open Source Infrastructure and the other kinds of open standards we need…..
StructuredBlogging.org is an attempt to keep all the various formats of microcontent compatible. Our upcoming PeopleAggregator APIs will provide basic social networking capabilities – to all – and a way of inter-connecting disparate social networks into one giant distributed mesh.

The world of media needs standards like Media RSS and one could imagine burgeoning new standards around Tags, Reputation, Events and Musical tastes and preferences.

It is nice to see the itags included in the list of open source infrastructure. Thanks Marc.

Julian Bond was in the audience and immediately complained "there'll never be a LAMP version of Infocards" – but what I wanted to explain to Julian was that Microsoft is in the business of taking care of themselves, just as Yahoo, Google and AOL are – as well. So don't expect a Linux version of anything from Microsoft, but you CAN expect meta-identity compatible ID systems for LAMP – that's for damn sure.

 

Julian don’t be so sure about this statement.

Queer Identities and discrimination online

Kaliya Young · February 7, 2006 · Leave a Comment

So there is a big hubbub going on around World of Warcraft

[the new "golf", in case you haven't heard yet – I can't wait until we have a WoW day pre-DIDW instead of real golf… what do you think Vince ;)]

around discrimination towards the queer community. danah boyd's latest post brought my attention to this issue and, in an update, highlighted why this relates to identity in particular.

As has been noted over and over again, queerness is an identity not just a set of sexual practices. By silencing people’s identities and not allowing people to have bigot-free spaces, Blizzard is upholding a level of discrimination that far outweighs the _potential_ sexual harassment that might occur if people’s sexualities were known.

More about the situation from danah…

I’ve already heard on numerous occasions that there is intense homophobia within the chatrooms on WoW and this had already made me quite uncomfortable. But Blizzard’s response is just disgusting. How can they call a queer-friendly guild sexual harassment given that this is an attempt by the queer community to create space? Furthermore, there’s so much sexism in the chats (aside from the creatures) that no one from Blizzard can actually argue that they are preventing sexual harassment. I can’t help but wonder about the state of other forms of discrimination and prejudice within the system (particularly since “race” is critical to the narrative of WoW). That said, i don’t care enough to find out – i can’t justify spending personal money on a company with these values.

Identity and privacy …. falling google stock price

Kaliya Young · February 5, 2006 · Leave a Comment

From Slashdot.
"While the company says it isn't worried about the stock price correction, there are other issues at hand." From the article: "Google is under mounting pressure from many traditional industries: telecommunications companies do not like its plan for free internet phone calls, book publishers and newspapers have filed a lawsuit to try to prevent it from digitising library materials, governments are worried about its satellite-imaging service Google Earth and privacy advocates have a growing list of concerns about everything from its e-mail service to its desktop search function, both of which may make it easier for hackers or government agencies to gather information about individuals without their consent."

     Copyright © 2023 Identity Woman  evelurie.com/web design/develop     
