Secrets and Lies….thoughts!

This evening I finished reading Secrets and Lies by Bruce Schneier.

Compared to a number of technical books I have read recently, this is probably one of the oldest publications. Due to the way that technology moves, I wasn't sure how relevant this book would still be. However, having come across Bruce through his reputation, and after reading his blog for some time, I decided to give it a go anyway.

My first impressions of the book were very positive. It was very thorough in covering the subject matter relating to digital security. I must compliment Bruce on his ability to explain usually technical jargon in a very non-technical and understandable way. Whilst I found this refreshing, I must admit that as a 'techie', I didn't learn a lot technically that I didn't already know (I think all techies must know about Alice and Bob's keys by now!).

However, what impressed me was the number of times throughout the book where Bruce has suggested non-standard uses of technologies, non-standard attacks, or non-standard approaches to things. His ability to see the bigger picture and think outside the normal boxes is clever and shows someone who knows his field intrinsically. This was further demonstrated by the number of times Bruce translated his definitions into non-computer related scenarios. At one stage he even explained attacks using the film "Star Wars" as the example (How cool is that!!). I also thought his use of attack trees was very useful.

In conclusion, whilst I found the core of the book a bit limiting in terms of learning new subject matter (for someone with a technical background), Bruce's different angle of approach to each subject area meant that there was still plenty of material worth reading in the book. For someone who is fairly new to the field of digital security, this book is an absolute must.

My next read is Bruce's Beyond Fear. I'll let you know how I get on…

In the context of reputation

Principles of Reputation

Phil Windley originally posted his thoughts on this topic which Dave Kearns has commented on here.

This has raised quite a lively discussion in the office, particularly with Paul. Whilst I agree on most of the points raised by Phil, I have to disagree with the comments that Dave is making on persona. To quote:

"That is, no single persona could have more than one reputation. So each digital context of your identity would develop both its own persona and its own reputation. That reputation belongs to you, but it's neither created nor maintained by you. That does mean, of course, that you need to always be aware of your reputation to guard against it becoming an adverse attribute for your persona."

This is where I have the problem. Dave is stating that a persona (a 'view' of your identity) is derived from the context of the identity. I would disagree. I believe that a particular persona has multiple contexts associated with it and that each context has a different reputation.

For example, I have the identity 'Paul Toal'. One view of my identity is my 'work' persona. This is the view of my identity as perceived when I am at work. This obviously differs from my 'home' persona. However, even within my work persona, my reputation around the office with my fellow employees is different from that of my reputation with clients that I work for. Therefore, even though it is my single persona, the context (employees or clients) means that I have different reputations for each.

This is the same as what Phil is saying in his post:

"Reputation exists in the context of community."

Another of Dave's comments is that "reputation belongs to you." Again, I disagree. The reputation is about you but is not owned by you. It is purely a weighted aggregate concerning what people say about you. Take eBay's feedback, for example. The result of your reputation is a percentage score which is aggregated from the feedback of all the individual people you have transacted with.

The whole discussion of reputation does start to come round full circle when you start to look at the weighting. If I ask a colleague at work what they think about the Prime Minister and ask a stranger in the street, firstly, both their opinions would be based on Tony's reputation. Secondly, would I put more weighting on my colleague's opinion because I know them, as opposed to the stranger? Of course I would! However, it is because of their reputation that I know them and therefore place more emphasis on their opinion.

I think a lot more discussion will take place around reputation before we get a consolidated understanding of where it can fit into Identity and how we can use it. This is where I do agree with Dave. As he quite rightly states:

"Once we've been able to get a grip on what reputation is, perhaps then we can move on to how to leverage that reputation within identity transactions."

Is Google a master of its own demise?

More evidence that Google's core business is hurting

In the above post, Jason talks about the problems that seem to be dogging Google at the moment. To quote him:

"Why did Google feel the need to lie about this incident? I think it's because, as I postulated earlier, they have so many people gunning to break their algorithms that they just can't keep up. People are figuring out how to "hack" Google's engine, in a sense, and it's diluting the relevancy of Google's results."

As he quite rightly states, Google are hitting the same problems that Microsoft hit a few years ago with viruses.

The problem as I see it is that attackers target the big, popular giants. Whether this is because of the fame associated with successfully finding a bug in the software from a major vendor or whether it's because it is seen as more of a challenge, I'm not sure. Google is the target of attacks because of its current success and popularity. This is the same for any product. For example, look at Skype. When it was first released, people started using it and the user base grew. It is only in the past 12 months or so, when it has become really popular, that people have started finding security holes in it. Or is it that people were finding the holes before but they weren't as publicly published?

It's an ever-decreasing circle. The more popular a product gets, the more security flaws are found and hit the headlines. The more headlines that are hit, the more popular the product gets, leading to more attackers targeting it and finding more security flaws.

The big vendors could always solve this problem by releasing more bug-free code in the first place 🙂

Approaches to Role Definition

In two recent posts by Nishant Kaushik of Oracle (Part 1 & Part 2), he has made some very good observations around understanding the process of defining roles as part of an Identity Management infrastructure.

As can be clearly seen from his posts and my experience (and probably lots of others out there), there is no single process that will be right or suitable for all organizations. As usual, it all depends on the individual circumstances of the organization and what they are trying to achieve.

Great post Nishant!

More Open Source – Linux coming to the end user

My previous post explained my interest in open source software and how I try to use it wherever possible.

A couple of days ago while browsing round the web I noticed that the new version of Ubuntu (6.0.6) has been released. Having been quite a fan of 5.10, I immediately set about downloading it. The new version comes in two different flavours: server and desktop. I decided to download the desktop version first. As with previous versions, the desktop version downloads as a live CD.

Two minutes later I had a fully up and running Linux desktop. Nothing special there, as there are literally hundreds of live Linux CDs on the web. However, what struck me about Ubuntu was the tidiness of this particular distribution. Remembering that this is aimed at an end user, it had all the main applications you would expect to find on an end user's desktop:

  • OpenOffice 2.0
  • GAIM
  • GIMP
  • Firefox
  • Evolution

However, still nothing particularly amazing there. So I decided to click the icon on the desktop to install it. 15 minutes later I had a fully installed and working desktop with all the same applications.

Now I am no Microsoft evangelist, but I have to admit that Microsoft have the ability to make software intuitive and easy to use. Take MS Word for example. If I am typing a document and don't know how to do something, without referring to the online help (being a techie) I can usually click around and find the option where I would expect to look. The whole interface is fairly intuitive. The same goes for Windows. MS have been very successful at making Windows easy to use.

Traditionally, I believe that the thing which has stopped Linux from being more widely adopted as a standard end-user desktop is this lack of intuition within the software and the necessity to have more technical knowledge to be able to accomplish tasks within the OS.

With the new version of Ubuntu I am seeing a definite catch-up in the usability of this OS by non-technical users. For example, there is now the equivalent of Windows auto update. After booting the software I was immediately offered the chance of automatically updating the 10 or so bits of code that were now out of date. I also decided that I wanted to install some more software, so clicked on the menu and there it was: "Add/Remove Programs", with a nice categorised list of applications to install. No more worrying about getting the dependent packages correct. This takes care of all that for you. After selecting the software to install, the machine realised I needed admin rights. So instead of throwing an error and failing, I was asked for the admin password, genius!!

I still think the Linux world has a bit of a way to go before we can truly see widespread adoption of Linux, but with Microsoft upping the hardware specs with each new release of their software (have you seen the minimum specs for Vista yet?), I can see more and more organizations as well as end users looking for the realistic and affordable alternative. Linux might just at last be that alternative!

Supporting Open Source

For a long time now I have used open source software wherever possible in favour of the commercial alternatives. One of the main reasons for this is to save the costs of expensive licenses, but increasingly recently I am finding myself using more and more open source packages because I actually prefer the functionality that some of the products give me. For example, take a look at the number of extensions you can get now for Firefox and Thunderbird (to name two).

Among the list of products I use are:

My most recent addition to this list is GnuPG for Windows to enable me to sign and/or encrypt emails, as well as a number of other clever functions like signing and encrypting both the clipboard and files. Through the use of Enigmail for Thunderbird, use of my PGP keys is almost seamless. Compared to the commercial version of PGP now available, I would have said that functionally it is more or less as good. It's certainly suitable for everything that I need it for. I have made my public key available (see the link on the right) if anyone wants to send me an email.

MORAL: The moral of this story is that if you aren't already using open source software for a lot, if not most, of your common applications, take a look; you really don't know what you are missing.

A third option for Identity Management

A Feast of Identity Management

I was intrigued by a post I read from Dave Kearns this afternoon about how Identity Management can be likened to a restaurant meal. Whilst I find the analogy a little unpalatable (sorry ;-)) I think he raises a really interesting point.

Traditionally we have always thought of enterprise solutions as either 'best of breed' or 'product suites'. Gartner has clearly stated that product suites are what the industry will be looking for moving forward. However, Dave is suggesting that vendor led product integrations offer a third option which captures the best of both worlds.

I think this could offer a very real option to customers. I wonder what Gartner will make of this!

National ID Cards and Compartmentalizing Identity

There has been a lot of talk over the past week or so about compartmentalizing Identity and how this won't work with the National ID cards. The comments have mostly originated from the article by Michael Osborne of IBM. He makes some very interesting points explaining some of the fundamental flaws in the government's plans for National ID cards.

However, one of the very valid points he makes is around the compartmentalization of Identity to enable the identity data to be used in different contexts. Kim Cameron, Paul Squires and Emergent Chaos all make comments about this. I think the points that are made are all valid but have been blogged to death so I won't add to the comments.

However, I was interested in one comment that Michael made in particular relating to a possible solution to the centralised database problem. His suggestion was to store the data locally on the ID card and have all the processing of the data happen on the card. Whilst I think that this is potentially a good solution, since it will solve a lot of the problems associated with a central database, I'm not sure that I understand how this would alleviate the problem of context and compartmentalized data.

To take Paul Squires' example: suppose I am in a bar and need to prove my age to the bartender but no other information. How do I ensure that my identity context on the card is correct so that the bartender is prevented from seeing my full profile? Alternatively, how do I allow my doctor to see certain information while preventing him from seeing my criminal record (not that I have one)? I would love to hear comments from anyone who might suggest ways in which this could be achieved.

The more I think about and read about the National ID card scheme, the more it infuriates me that the government is pressing ahead with this scheme even though it is destined to fail for a number of reasons (as highlighted by lots of other bloggers), not least to mention:

  • Running over budget (don't all government projects?)
  • All the issues surrounding privacy
  • Failure to actually tackle terrorism despite being the main justification for their introduction
  • etc
  • etc

Hopefully, one day the government might see sense and realise what a stupid idea ID cards really are. Unfortunately, that will probably be after spending millions of pounds of taxpayers' money to deploy them!!

The last one to be connected

A few weeks ago an old colleague emailed me an invite to join him on LinkedIn. I must admit that I had never heard of this site. However, trusting my friend, I clicked the link and signed up for an account.

I then started to search for people that I knew: work colleagues, friends, customers etc. It seems that I must be about the last person on the planet to have discovered this site and registered for an account. Nearly everyone I search for already has an account, some with more established networks than others.

So, if you know me and would like to link to me, click here.