Identity Associates Blog

Sovereign Keys

2012-01-07T17:54:00.000-05:00

I'm starting to look into Sovereign Keys, covered in more detail in [1] and [2].

That the current PKI system is brittle is accepted by many people. Brainstorming and prototyping new internet service authentication approaches is first-order important, and Sovereign Keys is worthy of further investigation and support.

Seems like Sovereign Keys does introduce a few new concepts that need security analysis; the timeline servers offer an interesting capability, I wonder about vulnerabilities. For that matter, I wonder about patents in this space. There is a minefield of granted timestamping patents and while the timeline servers may not specifically address timestamping, I wonder of some of those patents were written generally enough to impact Sovereign Keys.

Note that a proposal from Adam Langley and Ben Laurie of Google [3] also introduces the notion of a public append-only log, in some ways similar to timeline servers, but not domain-specific.

[1] https://www.eff.org/deeplinks/2011/11/sovereign-keys-proposal-make-https-and-email-more-secure
[2] https://git.eff.org/?p=sovereign-keys.git;a=blob;f=sovereign-key-design.txt;hb=HEAD
[3] https://threatpost.com/en_us/blogs/google-researchers-propose-new-plan-shore-ca-system-112911

Python Decorators

2011-11-18T09:38:00.001-05:00

Thanks to Stack Overflow (pretty much always awesome!) here is the best explanation of Python Decorators I have found.

http://stackoverflow.com/questions/739654/understanding-python-decorators/1594484#1594484

CA/Browser Forum - Certificate Baseline Requirements

2011-11-17T09:11:00.001-05:00

Here: http://www.gerv.net/temp/Baseline_Requirements_Draft_50.pdf

Focused for now on certificate policies for issuing certificates used to trust publicly-available servers, this document (draft 50) represents lots of hard work and expertise and provides a good stake post for practioners.

We need equally comprehensive work on application and service design, deployment, and management for relying parties so that the trust inherent in the certificate issuance process is not squandered in error-prone implementation "in the wild."

NIST Cloud Computing Reference Architecture updated

2011-09-09T16:00:00.000-04:00

Source document here:

http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/ReferenceArchitectureTaxonomy/NIST_SP_500-292_-_090611.pdf

app engine pricing

2011-09-08T08:29:00.000-04:00

So, App Engine announced new pricing. It looks to be more expensive, and many would say this is an understatement. It is more expensive, and/but you can probably take some steps to manage and design for the pricing model. What you need to keep in mind is that "instances" are now a fundamental pricing component, where they weren't before. Managing instances thru latency and caching to reduce instance use are directions you need to consider. Here are two useful articles:

http://code.google.com/appengine/articles/managing-resources.html
and
http://highscalability.com/blog/2011/9/7/what-google-app-engine-price-changes-say-about-the-future-of.html

Look at using caching and datastore more efficiently, and use the Admin console to experiment with the scheduler. In particular, the "Lower Max Idle Instances" is a good place to start. Check the managing-resources article above for more details. I expect that more information will be forthcoming as well.

UPDATE: I expected more, but who knew this soon. From Peter Magnusson who is director of the AppEngine team, read his Google+ post for more context.
https://plus.google.com/110401818717224273095/posts/AA3sBWG92gu

Minor note: glad to see Python 2.7 about to be rolled out.

global CA Infrastructure reminds us again its broken

2011-08-30T08:55:00.000-04:00

via an attack using a fraudulent SSL certificate apparently targeted at users in Iran.

Google statement here: http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

EFF here: https://www.eff.org/deeplinks/2011/08/iranian-man-middle-attack-against-google

Apparently Google Chrome browser detected the bad certificate out of the box, and Mozilla Firefox and Microsoft IE moved rapidly to revoke the root cert of the issuing CA. Thanks are due an observant Google Chrome user who first noticed and reported the certificate warning. The browser community moved rapidly to address this problem, which is good. Reporting and action channels for problems are clearly improving and indicate a focus on this issue at the major vendors.

Some points I draw from this:

Good reaction is required, but pro-activity (as seen with Google Chrome) is critically important in making the global CA infrastructure stronger and more resilient.

Google's pinning worked in this case, but I agree with this Hacker News discussion - that pinning is needed, and works, only emphasizes that the CA infrastructure is broken. I'm not sure we can find a "golden band-aid" to address how broken it is. Its ironic or not I suppose that browser technology is needed to identify weaknesses in the security infrastructure used to protect browser activities. Browsers as the early-wanting systems for CA compromise. Browser updates as the new revocation system.

I think the goals the EFF has with its SSL Observatory are important and I think the work they are doing in general in this area is really valuable.

I guess I better start learning more about Convergence http://convergence.io/

* UPDATE: For the reader interested in an advanced analysis, this from Dan Kaminsky: http://dankaminsky.com/2011/08/31/notnotar/

Here is a related risk analysis: http://security.blogoverflow.com/2011/08/31/a-risk-based-look-at-fixing-the-certificate-authority-problem/

Further Update: two informative posts from TOR:
https://blog.torproject.org/blog/diginotar-debacle-and-what-you-should-do-about-it
and: https://blog.torproject.org/blog/diginotar-damage-disclosure

You know you have a broken system when well-meaning people provide their own best-effort solutions:
https://kuix.de/blog/index.php?entry=Firefox-Add-On:-CA-Knockout

an attack on AES-128

2011-08-18T07:39:00.002-04:00

A recent paper explains an attack on AES-128. Best to think of it now as AES-126, more or less.

paper here: http://research.microsoft.com/en-us/projects/cryptanalysis/aes.aspx

presentation here: http://rump2011.cr.yp.to/d41bd80f6680cfd2323e53fbb9a62a81.pdf

Conventional wisdom says attacks get better over time; once a chink in the armor is found it can lead to more effective attacks. The Wikipedia article on SHA-1 shows a slow but steady improvement in attacks since the 2005 work by Wang etc.... It seems to me that it is possible that any single attack strategy probably approaches some upper limit for effectiveness. The real-world problems arise when the upper limit effectiveness of that attack is sufficient to break an algorithm easily with ordinary computing power. (of course, the "cloud" redefines the amount of computes available to the ordinary user)

It'll be very interesting to see if the techniques used to attack AES-128 now allow for significant improvement over time.

developer attention

2011-08-17T10:20:00.002-04:00

I can testify to this, from Life and Code: http://lifeandcode.tumblr.com/post/8993770468/why-you-shouldnt-interrupt-developers

Specifically:

Much research has shown that software development is particularly demanding of cognitive resources: you have to keep a lot of stuff in your brain at the same time while programming. Even a one-minute interruption erases this info, and it can take 10-15 minutes to re-establish the programmer’s mental state.— Jakob Nielsen, August 2011

transferring domain name

2011-07-08T13:02:00.001-04:00

identityassociates.com will be offline for a bit as I transfer the domain name, and switch hosting providers. IA will move to Google Apps.

NSTIC Privacy Workshop

2011-07-01T16:43:00.000-04:00

I had the opportunity to attend much of the two day NSTIC Privacy Workshop held in Cambridge Massachusetts this week. I haven't been following this NIST-backed effort as closely as I probably should have, so the workshop in Cambridge was a perfect opportunity to catch up with NSTIC, at least through the lens of privacy.

A few observations:

The people involved are experienced and sharp. The process seems inclusive, which bodes well. The meeting was well run.
There was some deja-vu for me based on some PKI experiences in working groups I participated in over 10 years ago in the financial sector. Identity, authentication, authorization, attributes, etc... all being discussed in similar ways. Its dangerous to look too closely at that past experience, though, because use cases, technology, and the environment are so substantially evolved from that time frame.
More than one speaker noted the compelling issues on the horizon regarding mobility, location based services, "big data" mining and related advances, noting this may rapidly outstrip the worries we have about current ad-network dominated problems.
Once again, Identity Woman, aka Kaliya Hamlin, seems to be two steps ahead. Will the Personal Data Ecosystem Consortium trump traditional standards processes by leveraging the entrepreneurial energy of competing startups? Running code FTW?
So what do I worry about? I'd love for the vision and zeal of the privacy advocates to win the day, but I'm not sure that is feasible. Maybe we need to ensure that NSTIC allows privacy-enhancing approaches to be first-class citizens in any adopted standard, and a true market will emerge whereby citizens and consumers have the right and ability to chose to use privacy-enhancing solution. And let the NSTIC infrastructure itself not leak privacy. A bad scenario, in my opinion, would be for the NSTIC process to be co-opted by the biggest firms, and NSTIC results in a legal, regulatory, and operational framework that in practice serves to meet the widest dreams of the greediest internet marketers at the expense of meaningful citizen privacy.

National Strategy for Trusted Identities in Cyberspace (NSTIC): http://www.nist.gov/nstic/

epic.org has a great overview paper on NSTIC here: http://epic.org/privacy/nstic.html

personal data ecosystem consortium: http://personaldataecosystem.org/

each day better than the next

2011-06-25T12:22:00.000-04:00

So it continues to be an interesting time in the infosec world. Just off the top of my head, the last several months have seen Stuxnet, RSA SecureID being breached, account credentials compromised at Citibank and Google/Gmail, a CA compromised, and lots of activity from Anonymous and Lulzsec. Dropbox security was broken for a time, and there is all too plentiful evidence that people deploying solutions on Amazon Web Services are leaving gaping security holes.

Some attacks show alarming sophistication and are extremely targeted. Others exploit well-known attack vectors that could have been closed had reasonable security practices been followed.

In any event, lots of work remains. Where to start....

new AWS security whitepapers

2011-05-19T10:12:00.002-04:00

Amazon Web Services continues to be a preferred destination for many people moving apps to the cloud. Security and related concerns continue to be important for enterprise-grade applications, and the AWS team has released more content helping users understand security models on AWS.

Overview of Security Processes: http://d36cz9buwru1tt.cloudfront.net/pdf/AWS_Security_Whitepaper.pdf

and

Risk and Compliance: http://d36cz9buwru1tt.cloudfront.net/pdf/aws-risk-and-compliance-whitepaper.pdf

(Not sure I'm loving these URLs, but... you can always find the latest here: http://aws.amazon.com/security)

App Engine evolves - Google IO 2011

2011-05-18T15:41:00.001-04:00

Google's App Engine continues to evolve, and lots of steps were taken or announced at Google IO 2011 last week. I'll use this post to collect thoughts and evaluations as I think thought all that I learned.

This post on App Engine blog is a good place to start: http://googleappengine.blogspot.com/2011/05/year-ahead-for-google-app-engine.html

So, App Engine won't be as "free". App Engine pricing will increase, and the previously-discussed App Engine for Business has been folded into App Engine pricing tiers. Here is a current FAQ on App Engine pricing:
https://groups.google.com/group/google-appengine/msg/739169f799d8e69a? It makes some sense to me that Google has had a chance to learn how much its costs to run this service, and it seems fair to reflect that knowledge into the business model.

App Engine is no longer in preview mode. Also a good thing, this includes providing SLA terms, corporate support, and other features that will make App Engine easier to explain to enterprises.

More soon...

another cloud security document - security considerations

2011-04-18T09:48:00.002-04:00

From Australia, recorded here for posterity, etc... Thanks to @Beaker for tweeting about this.

http://www.dsd.gov.au/publications/Cloud_Computing_Security_Considerations.pdf

In my opinion, this document is particularly valuable because its list of detailed security considerations is more comprehensive than most; it provides a very good starting point for developing your own checklist.

Australian DSD home site: http://www.dsd.gov.au/infosec/cloudsecurity.htm

more on global CA infrastructure from Dan Wallach

2011-04-08T11:55:00.001-04:00

I decided not to update my previous post, it was getting a little straggly with so many updates. Anyway, Dan Wallach's content-dense post is worth of its own entry here on this humble blog.

Dan Wallach writing on Freedom to Tinker makes several good points in following up on the recent CA compromise, here:
http://www.freedom-to-tinker.com/blog/dwallach/building-better-ca-infrastructure

Dan includes a bunch of useful links and discusses a couple of short-term promising approaches, for example:

A straightforward idea is to track the certs you see over time and generate a prominent warning if you see something anomalous. This is available as a fully-functioning Firefox extension, Certificate Patrol. This should be built into every browser.

and,

In addition to your first-hand personal observations, why not leverage other resources on the network to make their own observations? For example, while Google is crawling the web, it can easily save SSL/TLS certificates when it sees them, and browsers could use a real-time API much like Google SafeBrowsing. A research group at CMU has already built something like this, which they call a network notary. In essence, you can have multiple network services, running from different vantage points in the network, all telling you whether the cryptographic credentials you got match what others are seeing. Of course, if you're stuck behind an attacker's firewall, the attacker will similarly filter out all these sites.

UPDATE: Google is now doing almost exactly what I suggested.

The joke has always been - every year starts fresh with: "This is the Year of PKI". PKI will never have a "year" - it will continue to develop organically, being improved locally and globally through the efforts of lots of security technologists working collaboratively, unfortunately sometimes in response to the efforts of bad actors.

useful paper: Assessing Cloud Security

2011-04-02T08:59:00.000-04:00

thanks to Context Information Security. See: http://contextis.co.uk/resources/white-papers/assessing-cloud-node-security/

The attack vectors discussion is concise and helpful, and the sample assessment report was interesting; although one assumes the white paper is also designed to drum up business....

Overall, a useful addition to the cloud security library.

NIST Cloud Computing Reference Architecture

2011-04-01T09:20:00.000-04:00

I'll have to dig into these 26 pages. NIST continues with their useful work addressing cloud definition, categorization, and architecture.

Collaboration site here: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/WebHome

Reference Architecture (PDF) here:
http://collaborate.nist.gov/twiki-cloud-computing/pub/CloudComputing/Meeting12AReferenceArchitectureMarch282011/NIST_CCRATWG_029.pdf

trusted Certificate compromise - a sophisticated attack

2011-03-23T07:33:00.006-04:00

thanks to ioerror at Tor Project for in-depth discovery and analysis of this situation, described here: https://blog.torproject.org/blog/detecting-certificate-authority-compromises-and-web-browser-collusion

summarizing snippet:

Last week, a smoking gun came into sight: A Certification Authority appeared to be compromised in some capacity, and the attacker issued themselves valid HTTPS certificates for high-value web sites. With these certificates, the attacker could impersonate the identities of the victim web sites or other related systems, probably undetectably for the majority of users on the internet.

If you are interested in PKI and its security in a global sense, I recommend you read the article. A couple of observations. First, the right thing seemed to happen, emphasis on 'seemed' so far, in that the affected CAs identified an issue and notified relevant parties rapidly. And 'fixes' were rolled out by the browser manufacturers. Even more interesting to me is the glimpse into the people and systems that are collaborating to monitor this global PKI infrastructure and report on its robustness, bringing light to a murky, complicated area. Having visibility into the operations of the global PKI is a good thing for all of us.

UPDATE: More on this topic from Peter Eckersley of EFF. I didn't know that IP addresses associated with the attack were Iranian. Also, Peter links to a statement by Comodo. Here are Peter's remarks: https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https

Another UPDATE: Paul Roberts at ThreatPost offers some common-sense wisdom, via Paul Turner, for managing your certificates, and your certificate exposure I suppose. See: http://threatpost.com/en_us/blogs/forged-certificates-five-steps-secure-your-enterprise-032411

Yet Another UPDATE: Comodo hacker statement released, discussed in detail by Errata Security: http://erratasec.blogspot.com/2011/03/comodo-hacker-releases-his-manifesto.html Yes, Iranian. Yes, not that hard to do, apparently.

Perhaps Final UPDATE: Ben Adida offers a useful analogy about evolution in discussing how the global PKI became brittle enough to permit this kind of compromise. In my opinion Ben is always thoughtful and his insights and analysis help me to see issues from new perspectives. His discussion is here: http://benlog.com/articles/2011/03/30/intelligently-designing-trust/

on understanding AWS EBS

2011-03-22T09:45:00.000-04:00

Great post by Adrian Cockcroft about EBS. See: http://perfcap.blogspot.com/2011/03/understanding-and-using-amazon-ebs.html

This is one of the best overviews I've seen and it succinctly explains architectural attributes you should be well aware of. The diagrams are very helpful. Thanks Adrian. I'll be referring to this often.

AWS here: http://aws.amazon.com/

Federal Cloud Computing Strategy

2011-03-02T12:03:00.000-05:00

Thanks to CIO.gov here: http://www.cio.gov/pages.cfm/page/IT-Reform-Series-Federal-Cloud-Computing-Strategy-Published for publishing this strategy document.

This provides as good an overview and introduction to the benefits of Cloud Computing as I've seen, albeit from a federal agency adoption perspective. Here is the direct link to the PDF: http://www.cio.gov/documents/Federal-Cloud-Computing-Strategy.pdf

Vivek Kundra, USA's CIO is driving this effort. Follow Vivek on Twitter: @VivekKundra

NIST addresses Cloud Security and Privacy

2011-02-23T16:42:00.000-05:00

NIST recently issued a draft document on cloud security and privacy - http://csrc.nist.gov/publications/drafts/800-145/Draft-SP-800-145_cloud-definition.pdf

Additionally they've republished their cloud definition as a draft document, and started a wiki to facilitate communication about cloud standards, research etc...

More here: http://www.nist.gov/itl/csd/cloud-020111.cfm, and the wiki is here: http://collaborate.nist.gov/twiki-cloud-computing/bin/view/CloudComputing/

Security has been a reason, and probably a good one, for enterprises to delay moving applications to the cloud. As a result, cloud security has had plenty of attention, not just from NIST, as noted here previously. It continues to be my opinion that security will be a reason to adopt cloud-based solutions, and not a reason to delay. As transparency, agreed standards, business models and service agreements, and technical improvements continue - small, mid-sized, and even larger companies will rely on cloud providers for security. Security talent, solution architecture and infrastructure as well as management attention will be another shared resource provided by the cloud. It is in the cloud providers business interests to solve this problem.

further research available on Stuxnet

2011-02-16T06:55:00.000-05:00

Symantec updates its report, available here: http://www.symantec.com/connect/blogs/updated-w32stuxnet-dossier-available

Stuxnet is very interesting as it almost assuredly represents the first case of significant cyber-warfare seen in the wild. Its cautionary and we'll see how cyber-warfare evolves from this template. I'd be cautious with those USB disks....

App Engine SDK requires SSL

2011-02-13T21:23:00.000-05:00

As a Python user I had to teach my environment to use SSL to upload code. This requirement was introduced in a recent SDK release. It was a little complicated, but the best guidelines I found to make it work were here:

http://www.developerzen.com/2010/09/23/the-complete-guide-to-setting-up-python-development-environment-on-windows/

You need to follow all the steps right through "Install Support for SSL".

new App Engine SDK - 1.4.2

2011-02-12T09:08:00.001-05:00

see: http://googlecode.blogspot.com/2011/02/app-engine-142-sdk-api-updates-and.html

and since I'm a Python guy, the Python SDK notes detail a few specific goodies: http://code.google.com/p/googleappengine/wiki/SdkReleaseNotes

I'm excited about support for Django 1.2 and the improve presence capability in XMPP

And, not strictly related to the SDK, from Guido's Tweet stream, something I've wanted for a while:

Check out the Permissions tab on your #appengine Admin Console. New feature: Role dropdown! Owner, Developer, Viewer.

Google offers two factor authentication

2011-02-11T10:26:00.000-05:00

This doesn't solve everything, but it'll be a good capability to add to a site or two I have developed. See:
http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html

getting started with AWS

2011-02-01T14:38:00.000-05:00

I've been doing a lot recently with App Engine. For several reasons I need to do a few things with Amazon AWS. In particular, I need to play with Elastic Beanstalk, but that is not for today. For today, I've collected three links to getting started.

EC2 for Poets from Dave Winer

Set up an AWS LAMP server connected to a RDS database, from Pamela Gay via Star Stryder

And, of course, from the AWS documentation: Get Started with EC2

Elastic Beanstalk

2011-01-19T07:26:00.001-05:00

Elastic Beanstalk minimizes one of the objections I have about AWS - its lack of a simple deployment capability. This, as other commentators have spelled out, brings AWS even closer to being able to offer a pure PAAS in its portfolio, and bridges a gap with Google's AppEngine.

More information here: http://www.allthingsdistributed.com/2011/01/aws_elastic_beanstalk.html
and here: http://aws.typepad.com/aws/2011/01/introducing-elastic-beanstalk.html

I believe that PAAS solutions that support Java will offer the best early path for enterprises to bring their apps to the cloud. Elastic Beanstalk is starting with a Java container but promises more. I'd like to see a Python/Django environment - Django might well be able to evolve into a cross-cloud platform approach and help address the 'lock-in" issue.

AWS Achieves PCI DSS 2.0

2010-12-17T17:23:00.000-05:00

Congratulations to Amazon AWS on achieving validated service provider status. Details here:
http://aws.typepad.com/aws/2010/12/aws-achieves-pci-dss-20-validated-service-provider-status.html

From the Amazon Web Services blog, a relevant snippet:

"Until recently, it was unthinkable to even consider the possibility of attaining PCI compliance within a virtualized, multi-tenant environment. PCI DSS version 2.0, the newest version of DSS published in late October 2010, did provide guidance for dealing with virtualization but did not provide any guidance around multi-tenant environments. However, even without multi-tenancy guidance, we were able to work with our PCI assessor to document our security management processes, PCI controls, and compensating controls to show how our core services effectively and securely segregate each AWS customer within their own protected environment. Our PCI assessor found our security and architecture conformed with the new PCI standard and verified our compliance."

Security is always one of the first objections raised when discussing moving important apps with regulated data to a cloud provider. Its been my opinion for a while that cloud providers will be in position to offer best-in-class security solutions sooner or later. First, the business model cries out for it - cloud providers can attract more applications, and more significant applications, if they can address security requirements. Second - cloud providers will be in good position to address security by leveraging scarce security expertise across all their hosted applications. I expect providers like Google, Amazon, Rackspace, etc... can attract and retain excellent security professionals to make sure thior infrastructure is buttoned up tight. Or as tight as is feasible. Not to say there won't be breaches, there will be, but they should be able to do the job right. We might have to pay a few extra dollars of course.

Cloud Security - 2010 Google Faculty Summit

2010-08-08T16:02:00.000-04:00

Here is a set of videos from a Google Faculty Summit recently; the focus is on security and privacy, particularly from a research point of view. I'm working my way thru them, and I can vouch that these are worthwhile and mind-opening.

See: http://research.google.com/university/relations/facultysummit2010/

App Engine SDK

2010-08-03T14:14:00.000-04:00

A new pre-release SDK has been announced for App Engine. Of particular interest to me, and I expect useful in a current project, are:

Multitenancy is now supported in the datastore, allowing better compartmentalization of user data.
Automatic image thumbnailing is now available in the Images API using get_url_base().
Users can now serve custom static error pages for over_quota, dos_api_denial, and default cases.

For more details, see: http://groups.google.com/group/google-appengine/browse_thread/thread/6b02929cb6832c3a#

OpenStack

2010-07-20T09:33:00.002-04:00

The interwebs are abuzz with news of OpenStack - an open source cloud stack initiative incorporating NASA's Nebula, Rackspace code, and the work of many others.

Here are three helpful links if you want to learn more:

GigaOM: http://gigaom.com/2010/07/19/why-openstack-matters-cloud-insiders-weigh-in/

TechCrunch: http://techcrunch.com/2010/07/18/openstack-org-rackspace-open-sources-their-cloud-services-platform-and-gets-nasa-on-board/

ZDNet: http://www.zdnet.com/blog/open-source/nasa-gives-openstack-instant-credibility/6878

My take: The "Cloud" continues as an area of rapid, relentless innovation. The cloud market is exploding with new approaches, technologies, architectures, etc... A credible open source effort to develop open technologies for enterprise and government cloud deployments will help foster competition and fight vendor lock-in for this market. Innovation is occurring too rapidly for standards efforts to make sense yet, but open work will lead to good results in interoperability as well.

update: this article discusses NASA's decision to drop Eucalyptus from Nebula. it provides an interesting insight about commercializing open source. (and, en passant, a discussion of Eucalyptus scalability). see: http://www.theregister.co.uk/2010/07/20/why_nasa_is_dropping_eucalyptus_from_its_nebula_cloud/

update 2: more from Andy Oram at O'Reilly Community: http://broadcast.oreilly.com/2010/07/openstack-offered-as-rackspace.html

update 3: Fred Trotter note the applicability of Open Stack to HealthCare IT:
http://www.fredtrotter.com/2010/07/26/openstack-and-software-freedom-in-healthcare-it/

PKI in the news - revoking certificate associated with malware

2010-07-19T14:51:00.001-04:00

VeriSign (working with Microsoft) is revoking the public key certificate associated with the signing key used (subsequently?) to sign some drivers that were part of a malware distribution. Here is a summary article: http://threatpost.com/en_us/blogs/verisign-revokes-certificate-used-sign-stuxnet-malware-071710, thanks to the high-quality site Threatpost.

The article also describes innovations in the malware loading mechanism, which are of less interest to me. I look forward to an article with more technical details that can address PKI-related question like:

If the certificate expired in June, why is it still necessary to revoke it? (Kind of an academic question - many applications don't check revocation status, much less expiry dates.) but, for the record.

How did the malware distributor access the private signing key used to sign the driver? It would be very interesting to know how the driver-signing trust chin was broken.

I've worked with PKI in the past, with several companies and in a few consulting engagements. PKI is always interesting, technically challenging, and prone, unfortunately, to failures of differing types due to its underlying complexity. Can't live with it, and can't live without it. (And can't shoot it.)

more cloud taxonomy

2010-07-07T06:47:00.001-04:00

A post from Stefan Reid teases a full report from Forrester laying out a more comprehensive cloud taxonomy. I continue to believe that you can't successfully make decisions about a cloud strategy unless you have a good grasp of what is meant by cloud, and what types of cloud might influence your decision strategy.

This graphic suggests you should consider private clouds to be primarily a visualization story.

I have no relationship to Forrester but if understanding cloud taxonomy is important to you, this may be a useful report. Link: http://blogs.forrester.com/stefan_ried/10-07-06-forresters_cloud_computing_taxonomy

cloud performance

2010-06-22T08:51:00.000-04:00

From @acroll at O'Reilly Radar, this post offers a snapshot of a cloud performance study by bitcurrent. I continue to like Google App Engine.

Thanks to bitcurrent and WebMetrics for doing the study and making it available. All details are available at the webmetrics site: http://www.webmetrics.com/landingpage/bitcurrentcloud/

(image: http://www.bitcurrent.com/wp-content/uploads/2010/06/BCtest-postchart.png)

some snapshots from Google I/O 2010

2010-05-27T14:20:00.000-04:00

Some real content in a post to come real soon now.

another Cloud Computing article with definitions (among other things)

2010-04-27T10:11:00.001-04:00

from ACM: http://cacm.acm.org/magazines/2010/5/87259-why-cloud-computing-will-never-be-free/fulltext

The author includes the first reference that penetrated my awareness of "Cloud 2.0" - what he calls value-based Clouds.

two more good Cloud presentations

2010-04-09T16:09:00.000-04:00

David Chappell has an excellent presentation on cloud platforms, PDF here: http://www.esri.com/events/devsummit/pdf/chappell-slides.pdf

Here is an overview of Microsoft's Azure: http://www.slideshare.net/lynnlangit/windows-azure-platform-2626957

secure development in the cloud - force.com

2010-04-07T16:46:00.000-04:00

The guys at force.com have added a section in their developer area focused solely on secure development. Some of this is force.com specific, but there is a lot of generally useful information condensed well on the site.

See: http://blog.sforce.com/sforce/2010/04/introducing-forcecom-secure-cloud-development.html

cloud computing overview

2010-04-02T16:25:00.002-04:00

due to Communications of the ACM: http://cacm.acm.org/magazines/2010/4/81493-a-view-of-cloud-computing/fulltext

This is a good overview that makes several key points that help with the definition of cloud computing, and related nomenclature and classification. I believe that the hype around cloud is so high that many vendors and solution providers bend over backwards to define cloud computing so that whatever they are pitching is a key cloud component you can't live without. Articles like this help provide a framework to sort out the clutter.

Their list of 10 obstacles and opportunities is particularly well-done and insightful.

getting started with cloud security

2010-01-05T16:25:00.005-05:00

Think of this post as a trailhead for learning more about the various issues, opinions, and resources relevant for cloud security. I don't claim this is complete, or the best way to start, but it might be helpful if you're interested in cloud security and you are just beginning.

First, a couple of useful resources on cloud computing in general:

The Economist has a briefing on cloud computing, focusing on how companies like Microsoft, Google, and others (not to forget Rackspace) will compete in this new space:
http://www.economist.com/displaystory.cfm?story_id=14637206

NIST is looking closely at cloud frameworks, taxonomy, and security:
http://csrc.nist.gov/groups/SNS/cloud-computing/

There are many very good technical resources that address cloud security. I can suggest the following:

Technology Review, published by MIT, has a 5 page article on cloud security:
http://www.technologyreview.com/web/24166/

The Cloud Security Alliance is the go-to resource for cloud security, in my opinion, and in particular you should read the latest rev of their Cloud Security Guidance.

enisa published a Cloud Computing Risk Assessment:
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment

Several more focused and technical resources are also helpful, and include Craig Balding's European RSA 2009 presentation:
http://www.slideshare.net/craigbalding/what-everyone-ought-to-know-about-cloud-security

Here is a very illuminating presentation given at BlackHat USA 2009:
http://www.slideshare.net/astamos/cloud-computing-security

The site for the ACM's 2009 Cloud Computing Security Workshop has a number of presentations and papers you can download if you are interested in more technical topics:
http://crypto.cs.stonybrook.edu/ccsw09/

There are very many blogs that address or mention cloud security. Rather than try (and fail) to provide a comprehensive list, I'll suggest you look at Chris Hoff's blog Rational Survivability. For the record - Chris led a discussion of security at Cloud Camp Boston and that discussion introduced me to some of these resources (thanks Chris, my head hurts now...). Chris also is a leader in the A6 working group.

Maybe in another post I should try to list the various experts that, on Twitter, are helping to drive this forward. Maybe.

UPDATE: Check out http://cloudpaas.org/ for an interesting matrix laying out features and capabilities of various clouds.

its all about key management

2009-12-25T11:40:00.003-05:00

Bruce Schneier has it right with respect to the recent kerfuffle about unmanned drone video encryption. See: http://www.schneier.com/blog/archives/2009/12/intercepting_pr.html

UPDATE: there is always room for debate. Ben Adida agrees that key management is difficult, but suggests that syndicating the video stream may offer an alternative approach. See: http://benlog.com/articles/2009/12/27/sometimes-its-not-counter-intuitive/

My opinion: Designing real-world security solutions is hard - to further the debate we would need to dive deeply into the use cases and understand the detailed requirements and flows - then analyze the existing solution in light of current technology and practices. I'll bet there are some details about requirements and use cases that haven't been shared publicly. Just saying.

EC2 Vulnerability?

2009-11-18T10:58:00.000-05:00

Academic research suggests attack vectors for cloud computing applications.

see: http://www.technologyreview.com/computing/23792/

Seems like a cloud should not leak, even implicitly, structural information about configuration, etc... Also seems like there are reasonable approaches to plug these types of leaks, but the larger point is that there are surely many ways to attack cloud-based services, and creative security researchers (and hackers) will find them.

medical records online, or in the cloud?

2009-10-23T11:41:00.000-04:00

Caution should prevail; see: Medical Records: Stored in the Cloud, Sold on the Open Market

Never underestimate the power of birthday, ZIP code and gender for identification.

a cautionary tale about cloud security

2009-10-04T15:11:00.000-04:00

Well described by the BitBucket team - a problem with an attack on their AWS-based infrastructure. See: http://blog.bitbucket.org/2009/10/04/on-our-extended-downtime-amazon-and-whats-coming/

In the end it looks like the right thing happened, but certainly there were a few travails along the way. This episode suggests you need your own sophisticated technical resources to work the problem with the cloud provider team.

For those who worry that finger-pointing or delay in problem identification can occur with your cloud provider, this episode confirms some of your fears. Its early yet, and over time providers will be able to distinguish themselves by their tools and techniques for rapid identification and resolution of problems, including security-related attacks like this one. Its a learning curve for all involved.

crypto agility

2009-09-14T14:09:00.001-04:00

MSDN offers a good overview and rationale for crypto agility here: http://msdn.microsoft.com/en-us/magazine/ee321570.aspx

In my opinion, if you're programming crypto, you should be an expert developing library code that application programmers use. If you're developing a library, then there is no excuse for ignoring crypto agility. IMO.

If you're an application developer - don't develop your own crypto. Evaluate and choose developed code with a good reputation that meets your requirements.

security considerations in coding

2009-07-31T10:00:00.000-04:00

There is a lot of value in considering security in our software development lifecyle.
Here is a good resource to identify coding issues during development or review.

See the top 25 most dangerous programming errors: http://cwe.mitre.org/top25/index.html

New Crypto Library

2009-07-23T06:35:00.001-04:00

with Python bindings!

NaCl: Networking and Cryptography library: http://nacl.cace-project.eu/

Thanks to http://cace-project.eu/

bar camp boston 4

2009-04-27T11:36:00.000-04:00

Spent Saturday at BCB4 - http://www.barcampboston.org/ twitter #bcb4

It was well worth my investment of time, and I regret not being able to attend Sunday as well. The un-conference concept worked well, the organizers did a great job, and several of the sessions I attended were really useful and interesting.

In particular: Raw Data: Facilitating Data Reuse on the Web, and How to Go from PHP to Django

There were other sessions I missed that I would have liked to attend but for the restriction on being in two places at once.

Here is a quick random snap of some of the crowd

twitter

2009-03-03T10:31:00.003-05:00

well, i'm starting to play around with Twitter. can't say I see all the uses yet, but I've found some that are helpful, especially using Search to follow topics I have an interest in.

more soon.

2009 National Infrastructure Protection Plan

2009-02-22T09:31:00.000-05:00

The 2009 National Infrastructure Protection Plan is available for download from DHS here: http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm

An inital scan suggests this will be a helpful report to read if one is suffering from a late-night bout of insomnia.

breaking SSL?

2009-02-20T08:36:00.000-05:00

A presentation at Black Hat demonstrated some techniques for breaking SSL. Thoughtful analysis provided by Dan Kminsky in this post, including a reference to a PDF of the original presentation.

As frequently happens, you can find securiy holes in how the crypto algorithms are integrated into an application that humans use.

Reading thru Dans analysis provdies some good insight in how to understand the problems and attacks.

Python's beginnings

2009-02-04T06:49:00.007-05:00

Python is my implementation language of choice - I find it approachable, intuitive and powerful. I still have much to learn about it but feel productive using it for small tools or larger tasks (for example, with Django.)

Python's creator, Guido van Rossum, is writing a series of blog entries describing The History of Python - reading these provides fun insight into the early development of a great language. Thanks Guido.

Jam Cell Phones During Terror Attack?

2009-01-09T09:52:00.001-05:00

Surely this idea needs rethinking/recasting. http://blog.wired.com/defense/2009/01/nypd-eyes-disru.html

I would imagine attack planners would have backup plans in case they lost communication in any scenario. On the other hand, ordinary citizens wouldn't - no warnings to family members, no reports to authorities. Ordinary people enabled by communcation technology brought that 9/11 hijacked plane done in Pennsylvania - avoiding greater catastrophe in Washington.

why were you using MD5 anyway?

2008-12-30T15:16:00.002-05:00

Just published at the CCC is a documented attack on PKIs with CAs that use the MD5 hash algorithm. Its been known for some time that using MD5 is a mistake - perhaps soon someone will build a browser plug-in to generically warn if any of your certs base trust on MD5.

Here are the details in a well-written paper - creating a rogue CA certificate.

Update: the estimable Ed Felten explains this issue in real world terms: http://www.freedom-to-tinker.com/blog/felten/researchers-show-how-forge-site-certificates

browser security resource

2008-12-30T08:55:00.000-05:00

Very useful document available from Google: Browser Security Handbook

I expect Google security guys will keep this Wiki up to date. If you're interested in understanding browser security issues then this is a good resource to work through. With so many apps moving to the cloud, and the browser as the default client, every programmer should understand browser security.

securing cyberspace

2008-12-10T17:07:00.000-05:00

Securing Cyberspace for the 44th Presidency

from CSIS

Read through this for a useful perspective on probable emerging policy changes that will shape the infosec landscape for some time to come. I looked through it quickly hoping to find contributors combining great technical and policy background, and hoped that someone like Dan Geer would be involved. Rest easy - he was.

NIST hash function update

2008-11-22T09:40:00.001-05:00

Watching from afar, particularly via the mailing list discussions, I've been following the progress on the NIST hash function competition. Bruce Schneier offers an update in Wired: America's Next Top Hash Function Begins

The process issues and questions are almost as interesting as the math - in my opinion the NIST competition model provides a good, and improving, model for harnessing the talents of interested experts to develop new tools we can all benefit from. I imagine there are many other domains where this approachis or could be valuable.

the Basic Idea of Public Key Cryptosystems

2008-11-22T09:30:00.001-05:00

for the permanent record, here is a good (and colorful) very basic introduction to asymmetric cryptography, from the ever valuable Good Math, Bad Math

perspectives

2008-08-15T17:33:00.000-04:00

Perspectives - more innovation arising from attempts to provide simpler solutions to real problems than PKI is perceived to offer.

coming soon - new Identity Associates service

2008-08-06T07:56:00.000-04:00

Soon I will refocus the Identity Associates service portfolio and add a new service. Watch this space for more details...

GMail and https

2008-08-06T07:51:00.000-04:00

If you're a gmail user, you should start using gmail over https. See this article for more details.

eraser

2008-08-06T07:45:00.000-04:00

Started using eraser recently. Easy to use solution for scrubbing data off disk. I use it to eliminate confidential client data from my laptop.

Google IO

2008-06-10T08:40:00.002-04:00

Attended the Google IO developers conference in SF a couple of weeks ago. Focused on App Engine but also tried to learn more about Open Social.

App Engine looks almost ready for prime time (SLAs anyone?) and I'll build a trial app on it shortly.

worrisome?

2008-04-07T16:17:00.003-04:00

This post in Freedom to Tinker by Harlan Yu describes worries associated with Phorm's approach to the market. Phorm works to assure people that they preserve privacy, and I can't look under the covers sufficiently to validate that claim. Harlan raises serious and appropriate questions about their violation of the end-to-end principle of the Internet if it is true that Phorm is rewriting and redirecting HTTP traffic,

not making it to RSA conference this year

2008-04-04T11:15:00.001-04:00

Unfortunately. Immersion in an unrelated project is dominating my schedule. Maybe next year.

more voting machine mayhem

2008-04-04T11:12:00.002-04:00

Ed Felten describes woes with voting machines in New Jersey.

I still think voting is too important to trust to commercial enterprises.

Windows Cardspace

2008-03-16T11:19:00.001-04:00

It'll make sense to pick up this book, Understanding Windows Cardspace, soon. Here is an overview from IdentityBlog

Security vs. Privacy

2008-02-25T11:21:00.001-05:00

No one says it better than Bruce Schneier in this post.

Particularly relevant point:

The debate isn't security versus privacy. It's liberty versus control.

NIST announces competition for SHA-3

2007-11-02T13:41:00.000-04:00

this just in: Cryptographic Hash Algorithm Competition

As a software guy, it'll be interesting to watch the planning and work involved to integrate the result of this competition into widely deployed security protocols.algorithm agility anyone?

burton group on OpenID

2007-11-02T13:27:00.000-04:00

In the Security and Risk Management Strategies Blog, Bob Blakely asks appropriate questions in his post WHAT IS OPENID FOR?

Having some PKI background (I'm recovering....) I know these are the questions upon which identity systems can founder.

In particular:

4. What is the threat model?

What threats is OpenID designed to protect against? Accidental failures at a participating party? Malicious behavior by users? Malicious behavior by relying parties? Malicious behavior by OpenID providers? Wiretappers? Hackers attempting to penetrate a relying party? Hackers attempting to penetrate a provider? Hackers attempting to penetrate a client system? Cryptanalysts?

HTTP signatures

2007-10-30T09:29:00.001-04:00

James Clark has a thoughtful sequence of posts on signing HTTP responses, where, in Jim's words:

"The purpose of the proposal that I've been developing in this series of posts is to allow somebody that receives a representation of a resource to verify the integrity and origin of that representation; the mechanism for achieving this is signing HTTP responses."

Besides the utility of the approach, reading these posts provides a good lesson in how to think about solving a technical problem.

FOAF and OpenID use case

2007-10-30T09:19:00.000-04:00

See http://dig.csail.mit.edu/breadcrumbs/node/206 for a good explanation of a use case that combines OpenID and FOAF.

Its an interesting confluence of technologies where a powerful anti-spam commenting capability emerges out of some new-ish building blocks. Be authenticated to comment if you are a friend of a friend......

As the post points out, there is a relationship conceptually to Six Apart's work on "Opening the Social Graph" - an effort and direction I find compelling. I'd rather own my own identify particulars instead of outsourcing them to some of a multitude of service providers.

tunneling SSH

2007-10-30T09:14:00.000-04:00

From NateSpace, SSH tunneling for dummies

I've used SSH from time to time, but not for a few years. This well-written post explains how to use SSH in the context of IRC.

password security lore

2007-09-29T15:42:00.000-04:00

Coding Horror shares some wisdom on password storage and using rainbow tables to crack passwords.

OpenID, OAuth

2007-09-29T15:26:00.000-04:00

So, trying to sort out Open ID and what I can really use it for. Seems like its a lite-weight, low-security model for web single-sign on. And now OAuth is here to help with API and protocol support.

Simon Willison and David Recordon's OpenID tutorial from O'Reilly OSCON 07, via SlideShare.

Here is "A Recipe for OpenID-Enabling Your Site", from Plaxo.

O'Reilly Radar claims Open Authentication Comes Closer to Reality with OAuth.

Here is the OAuth blog, with links to the latest spec. How does OAuth fit in? From OAuth:

"The OAuth protocol enables websites or applications (Consumers) to access Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely-implementable and generic methodology for API authentication."

I'm working on a project right now where OAuth may come in handy.

Pamela Samuelson on copyright reform

2007-08-03T11:21:00.000-04:00

Pamela Samuelson wrote this article (pdf) outlining thoughts about copyright reform and a potential model copyright law.

A process for copyright reform is necessary, in my opinion, for no other reason than to raise the issues broadly and make societal decisions about the best approach. Perhaps I'm naive. One also hopes for an approach that is easy to comprehend for non-lawyers.

At any rate, Pamela's article is a great place to look to understand where we are and how we could move forward.

(thanks to various sites in the blogosphere for raising this paper to my attention.)

Simon Willison on Open ID

2007-06-28T15:31:00.000-04:00

For a while I've been looking for a good introduction to Open ID, and for now I think this video of Simon's Google talk is the best I've found.

Simon provides a great overview of how Open ID fits into the Internet ecosystem; the talk is focused more on the capabilities Open ID offers to consumers and providers than underlying technical details of the protocol, etc...

Simon mentions a few useful links, recorded here for completeness:
OpenID.net
OpenID Enabled
Simon Willison’s Weblog
and, idproxy.net

Next Steps for XML Signature and XML Encryption

2007-06-21T11:36:00.001-04:00

A call for participation for an upcoming W3C Workshop on Next Steps for XML Signature and XML Encryption. I'm glad to see work in this area continuing - improving the utility of these standards in applications and legal use cases is near and dear to my heart.

WebDAV for Certificate Publishing and Revocation

2007-06-08T13:28:00.000-04:00

Interesting idea, and one worth tracking:

Use of WebDAV for Certificate Publishing and Revocation

SAML, Liberty, etc... presentation at iiw2007

2007-05-16T15:51:00.000-04:00

Altho I am not able to attend iiw2007 in person, its good to see great information from the conference being shared on the web.

In particular, this material from Eve Maler, posted on her blog, is a very useful and succinct overview of SAML, Liberty, Concordia, and some related concepts.

Adobe Acrobat and Reader security

2007-05-03T17:43:00.000-04:00

For some time I've believed that Adobe has not taken full advantage of their widespread platform in terms of providing security for documents, etc... Adobe is making considerable headway in improving its stance with respect to document security and related matters.

In this post, John Landwehr provides a set of links to updated information from Adobe on Acrobat and Reader security.

.Net framework 2.0 and certificates

2007-03-18T12:33:00.000-04:00

MSDN magazine recently published a very useful article on supporting certificates in applications with the .net framework 2.0. This will come in handy in a project I'm looking at now.

Wordpress and OpenID

2007-03-18T12:27:00.000-04:00

Wordpress announced that

You can now use your WordPress.com blog as an OpenID.

Couple this with the fact that Earthlink now provides Wordpress for use with its business accounts, and this gives me an opportunity to try out two new things at once.

Schneier on Vista content protection

2007-02-13T07:01:00.000-05:00

See DRM in Windows Vista, by Bruce Schneier. Perhaps a good way to summarize this view is that Hollywood should be very careful about what they wish for. Relying on Microsoft to provide the players and controls for your premium content may cause you to be pwned.

NIST's Plan for New Cryptographic Hash Functions

2007-01-26T10:09:00.000-05:00

"Due to recent attacks on the SHA-1 hash function specified in FIPS 180-2, Secure Hash Standard, NIST is initiating an effort to develop one or more additional hash algorithms through a public competition, similar to the development process for the Advanced Encryption Standard (AES)."

For all the details, see the NIST site.

I think this will be a very interesting thread to follow. In particular, because hash algorithms are implemented so widely, the choices of standards groups and coders around algorithm agility, as Bruce Schneier points out, may be significant.

response to Vista content protection FAQ

2007-01-26T10:04:00.000-05:00

published by Peter Gutmann here

Vista content protection FAQ from Microsoft

2007-01-21T08:47:00.000-05:00

In response to Peter Gutmann's paper (referenced here a couple of posts ago) Microsoft has issued a faq on the Windows Vista Team Blog. My reading of the faq suggests that some of the more inflammatory concerns may not be worries. However there is enough spin and fine print to suggest that there remains plenty to worry about. The faq is a fine exercise in implicitly and explicitly suggesting that Vista content protection is a natural evolution of the feature set, with lots of collateral improvements as side benefits. Not sure I'm buying that line....

NIST FAQ on Evaluation of Laboratories that Test Voting Systems

2007-01-19T11:39:00.000-05:00

As we mentioned previously, the trustworthiness of electronic voting systems is at the basis of confidence in our election processes, and our democracy.

NIST recently posted a FAQ on Evaluation of Laboratories that Test Voting Systems. NIST's ongoing involvement in this issue is a requirement from our perspective.

a great paper on Vista Content Protection

2006-12-27T16:03:00.000-05:00

by Peter Gutmann, see: "A Cost Analysis of Windows Vista Content Protection." Peter's substantial contributions to the PKI literature have helped me learn about many of the thorny issues that arise when you actually try to do something with PKI. His writing style is approachable, clear, and sometimes leavened with a little humor.

In this paper, Peter turns his eye towards Vista's content protection technologies, and the costs imposed as a result on hardware developers, driver writers, and of course, eventually, end-users.

Seems to me Vista may be a major step in a downward path taking the PC from general-purpose computing device to set-top box.

XMLSIG For Dynamic Languages

2006-12-26T17:22:00.000-05:00

XMLSIG For Dynamic Languages is a sourceforge hosted project sponsored by Verisign developing code providing xml digital signature libraries for scripting languages, including in particular Python. Wish we had this a few years ago for an XML product we were building.

I've started looking through the code and its pretty solid. I suppose the next step is to install it and build a Python app or two to see how easy it is to work with. I can think of a couple of fun things to do.

This will make it easier to develop SAML-based apps in Python.

OpenSSO - Open Federation

2006-12-15T14:24:00.000-05:00

Last month Sun's OpenSSO project announced Open Federation. The architecture and use case documents are particularly helpful. Now I'll have to dig in deeper to understand how best to use this code.

more on: NIST draft report on electronic voting systems

2006-12-06T08:24:00.000-05:00

So, the TGDC's meeting received coverage from mainstream media, and very reputable bloggers. Here are some relevant links:

article in the Washington Post.

blogpost by Ben Adida - who I believe is a most reputable commentator on this topic, and his blog benlog is always illuminating.

its hard to imagine a more important topic -- fair, accurate, and trustworthy voting is at the foundation of democracy.

NIST draft report on electronic voting systems

2006-12-02T09:09:00.000-05:00

a link to the paper and Q&A is available via vote.nist.gov, in particular Draft Report on Voting System Vulnerability.

Federated Identity Management article

2006-10-27T08:47:00.000-04:00

Written by Sarah Scalet, this article discusses clearly some of the issues with rolling out federated identity solutions in the real world.

As always, business relationships and legal factors need to be addressed when rolling out a security-related solution that crosses organization boundaries.

OASIS Digital Signature Services v1.0 public review

2006-10-15T20:23:00.000-04:00

More information here: http://www.oasis-open.org/archives/tc-announce/200610/msg00003.html

Having built, in an earlier life, an XML digital signature server (and encryption service), this is worth looking at closely. Maybe its time to dust off that old code....

Anonymous Blogging

2006-10-12T07:48:00.000-04:00

Ethan Zuckerman of Berkman Center for Internet and Society and Global Voices recently published a post on Anonymous Blogging with Wordpress and Tor. I haven't tried this recipe yet, but I plan to.

This is interesting because the goal of protecting one's identity is very significant in some situations, and it also shows how capabilities can be knit together to solve a complicated problem.

I assume it won't be too long before some blogging solution makes this easier out of the box.

Welcome!

2006-10-12T07:37:00.000-04:00

Welcome to the Identity Associates blog.

There is a lot going on in identity, privacy, anonymity, and security. Its impossible to monitor, analyze and assess all the activity in the field. When I spot something I think is notable or important, or want to draw your attention to something I've been thinking about or working on, I'll post here.

I hope readers will find this blog useful and enjoyable.