I’ve been a bit lax at writing in my blog but I am just busy.

However, this may be of interest. Avoco Secure, the company I work for, has just released a Cloud Selector for Information Cards. I gave a talk about this at the OpenID Summit and the IIW conference in California this week.

A Cloud-based Information Card Selector is great as it allows Information Cards to be used across all operating systems and browsers and even on mobile devices, like the iPhone and BlackBerry.

This means that you can use Information Cards anywhere, from any device, giving them much greater usability.

The anti-phishing aspects have been improved too using shared secret technology and encrypted session tokens.

 You can read a press release here: http://www.prweb.com/releases/2009/11/prweb3140224.htm

And see and test it out using our test implementation here: https://www.secure2cardspace.com/

 

Last week a family member (Kebab John as he was known to his friends and family) died.

He was pretty young, 43, and spent a lot of time on-line, social networking that sort of thing. Now, of course, he doesn’t do that any longer as he is in the great ‘data center in the sky’.

During his funeral, yesterday, it occurred to me that he would have had many sets of logon credentials to the various sites he frequented. This persistence of being in the virtual world when your real world person dies will become more and more prevalent as we become more and more likely to be digitally native.

Digital versions of John are now floating about in cyberspace like a headless ghost or a dog without an owner. I’m not sure if John had shared these credentials with any of his immediate family (such as my niece or great nephews) but if he didn’t, then they are there to stay, for a long while, at least. It occurred to me that as our digital identity becomes ever more sophisticated and gives us ever more access to on-line (and offline) resources that we should have some sort of mechanism for allowing those identities to die with us. True we could rely on family and friends to delete them for us – but how many of your (no doubt myriad) digital credentials do you share with others?

Identities such as digital certificates do have a life span (usually a year) but that’s a long time to allow the potential for someone to use that ID, say if the PC of the deceased is sold on. I think that Information Cards could be the solution.  We need a mechanism to allow the identity to die with us, or to be released onto a family member by some sort of system like a digital will so they can use it to let our digital world know about our demise. I think that a Relationship Card linked to a web service (perhaps government run) that could update the Card details might be the answer, then at least you would have a link to the real world and give family members the option to control and shut down the deceased’s on-line accounts – and protect the family from potential fraud at a time when they can least deal with it…just a thought.

Just found this on Becta’s website: http://emergingtechnologies.becta.org.uk/index.php?section=etn&rid=14542

“Schools in Washington State in the US are testing Microsoft’s new Geneva security technology. In order to validate their credentials, parents will bring identity documents into their children’s schools to form the basis of an electronic ‘information card’ that will be stored on each child’s personalised netbook computer. When learners access secure websites or protected educational content, systems will access the stored information to confirm their identity. This pilot project is designed to implement a vision for ‘end-to-end trust’ first outlined by Microsoft at the RSA security conference a year ago and articulated in Digital Playgrounds: Creating Safer Online Environments for Children.”

I was recently asked to define Cloud computing and I hesitated in my answer. It must be the most overhyped phrase in computing since, forever. It seems to me to be one of those areas that really does live up to its name, i.e. cloudy. Maybe it is best to try and think of an analogy, rather than giving a technical definition and the best analogy I can come up with is doing computing related tasks via a sort of interactive television: The computing processes and what the end user does and sees on the screen, is being performed on a server somewhere else in the world.

However, from what I understand, Cloud computing is a work in progress and as such, has a number of variants – each of which, will no doubt, consolidate out before the final, interactive television type version, is in our midst. There is definitely room for a mix of Cloud and desktop computing and I think that for me, and probably a lot of people, this is the best way to enter the Cloud. I say this mainly because, what worries me is, the increasing disconnect between our real and digital personas. As our computing lives become more cloudy, the touch and feel of a personal computer that links us directly into the digital world is becoming more loose and distant. Human beings have this inherent feature built into their psyche called ‘trust’ which is often hard won and easily lost: I just can’t see the move from desktop computing onto remote servers as being an easy one. I have seen various surveys saying that the reason for a slow uptake of Cloud computing is down to bandwidth and security and I can really see that this would affect uptake, but I also have a very strong feeling that it will be human perception that will be the drawback and that if we want to move permanently into the Cloud, we will need to take this into account.

Well I don’t think you can and I’ve been working in IT security since the early 1990s. In those days, mentioning IT security to anyone usually elicited a response of being nonplussed (what do you mean data security?) or defensiveness (I don’t have security problems, how dare you insinuate…). Attitudes towards IT security have changed drastically since then, probably because of all the high profile leaks of sensitive data (helped along by slack attitudes towards security by world governments): Companies now place security as one of their highest profile projects.

That aside, IT security has changed in other ways too. One of the more recent consolidations of ideas in IT security, and a real move forward, has been around how digital identity and security are two sides of the same coin. More and more people are understanding that a digital identity is key to being able to associate a security policy with a data object – by doing this, it means that you can tailor policies based on a person’s reputation so they can be much more pertinent to an individual – an example being that if you linked some version of a reputation level system to, for example, an Information Card issued by an organisation, then that organisation could, in turn, tailor the use of that card by a relying party (for example the access system of a website or a data protection agent) so that the individual’s reputation determines what they could and couldn’t access. It is a very simple concept (technically a bit more difficult). Organisations and companies are getting this, however, many in the IT security industry, the people who should be most able to understand this concept, are not getting it.

I turn now to Pam Dingle’s experience with a man called Alex from RSA (see here: http://eternallyoptimistic.com/2009/04/26/rsa-2009-aka-dear-mr-kirschner/#comments). Pam is a renowned expert in the area of digital identity – remember the intimate connection between securing information and digital identity. Pam tried to get a pass to RSA because she is a blogger in the area of data security. Her blog is extremely informative and no doubt used by many people in IT security to inform themselves. Alex however decided that Pam’s blog wasn’t worthy of a pass into RSA, because she didn’t write about IT security. What hope is there  for the security industry to educate itself and innovate, when those who are supposedly deep in the industry can’t even work out what IT security is and can be – Alex, as Molesworth would say, you are a fule!

By the way, for people reading this outside of the UK – here is some info on Molesworth: http://en.wikipedia.org/wiki/Nigel_Molesworth

There has been a complaint from Privacy International http://www.privacyinternational.org/ about Google Street View breaching individuals’ rights to privacy. The Information Commissioner’s Office responded saying that Privacy International were being silly and over dramatising (my words) the situation. Maybe they are.

I can sort of understand the argument, that we already have TV broadcasts showing people walking past, which is the equivalent to Street View, but I don’t know; Google leaves a sour taste in my mouth. There is something inherently intrusive about having your whereabouts splashed all over the world’s PCs – the TV argument doesn’t hold weight when you think of it in terms of longevity of the image – you tend to see the image of a passer-by in a broadcast fleetingly, whereas the Street View image lasts a lot longer. I just have a bad feeling about this and no doubt conspiracy theorists are having a great time linking world governments, to the surveillance of their citizens, to Google Street View: The UK being the most likely offender in that respect with their obsession with watching their citizens.

Then again maybe Google Street View is just an updated version of the 15 minutes of fame that we all strive for (well actually not everyone wants that and I think, therein lies the problem).

I know that if I was on Google Street View I would feel as if my privacy had been invaded and would not be pleased about it… Let’s see if over the coming years anyone takes Google to court over violations of their privacy…

I’m reading a very good book at the minute by the archaeologist Clive Gamble, ‘Origins and Revolutions: Human Identity in Earliest Prehistory’ which looks at the reasons behind our human identity going back to the first signs of H. sapiens.

The reason I bring it up, is that with all the talk about digital identity around at the minute, it surprises me that little philosophical or anthropological discussion seems to be going on and you would think this was fundamental to the whole area of digital IDs: After all, how can you make something workable if you don’t understand the reason why you are doing it?

As I read more into the book, I’ll report back on interesting bits.

…well that title should bring the punters in. Really, however, I opened up my WordPress blog yesterday and there was a Google ad for ‘Hot Housewives’. I was very annoyed. Why can’t they just buy a fan and cool down. But really, it was embarrassing and offensive. WordPress – can’t you use some intelligence in your filters to make sure blogs don’t get offensive ads popping up? Please…

Hmmm… just thought that I’ll probably get loads of embarrassing Google ads now that I’ve used that title…hmmmm – might have to pull this posting

I admit I am not a fan of Facebook, in fact I think it is a sorry symptom of the state of the Western world. It must have some positive aspects but I can’t really see past the horrendous negative aspects, for example, the feeling of failure if you don’t have a list of friends as long as the on screen page: some people collect miniature bottles, others collect Facebook friends. I’ll let you into a secret, Facebookers…they aren’t real friends, they are digital friends and they don’t have the same loyalties.

That brings me onto an interesting question – are loyalties in the Land of digital really less so than real world loyalties, at a guess I’d say they are very much less loyal?

Anyway, back to the original premise of my posting. I think that Facebook/Faceache may be losing its newfangledness (honeymoon period is over if you prefer). People are starting to delete their accounts (she smiles to herself and lets out a he, he). The latest I heard was a friend of my son-in-law who had decided he didn’t want the government to read his personal details and decided Facebook wasn’t good enough to give up his privacy for after all. This is music to my ears as it’s people standing up and saying “how dare you spy on me and look at my private details”. Maybe Facebook might be a bit more respectful of its user base if we see more and more people leave for this reason.

Also, of course, it would be nice to remember who your real friends are…

One thing that strikes me about our digital life, is the attitude that seems to be prevailing around the whole idea of privacy. I was at a workshop recently and horrified at the general ‘oh well, the youth of today don’t care about privacy so maybe we shouldn’t’ attitude.

Well actually privacy is actually a form of respect and we should remember that always. When we sign up for some digital account (Google in particular springs to mind) and the privacy statement says that you agree to let Google share your personal details, to me, that is Google not respecting me as a digital individual – and quite honestly, how dare they.

The EU has a different view and rightly so. They believe that we all deserve privacy and respect – http://www.publictechnology.net/modules.php?op=modload&name=News&file=article&sid=19687 - thank you the EU – you may not get everything right, but this time you have.