Yubikey - New Hardware for Strong Authentication

07.06.2008 by Joerg Resch

Recently I came across the YubiKey, a hardware token generator from a young Swedish company called Yubico. The YubiKey is a small and slim USB device with just one button. If you push it, the device produces a one-time password and sends it to the server. Compared to token generators in card format, you no longer need to type your one-time password through a computer keyboard, which makes the YubiKey unreachable for trojans that listen directly to keyboard entries. One more remarkable thing is that Yubico offers an identity platform for the device, which already contains an OpenID server.

If this device lives up to its promise, the other players in the strong authentication market should have reason to worry. I wrote an e-mail to Yubico's CEO Stina Ehrensvärd asking for some background and a sample device, and got an answer within minutes. So I'm now waiting for the YubiKey and will keep you informed.

Posted in Identity News |

CardSpace “hacked”?

06.06.2008 by Joerg Resch

I'm definitely among the last to join the crowd blaming German universities for lagging behind international standards in their educational programmes, especially in the fields of technology and computer science. But reading this press release, issued by the Faculty of Network and Data Security at University Bochum (sorry, the English version of their website does not seem to work), makes me think.

The press release says that two students of that faculty “broke” Microsoft's CardSpace through a kind of man-in-the-middle attack: they took over an existing session between a user authenticated with an Information Card and Microsoft's InfoCard sandbox by manipulating a DNS server. Reading the description of this “attack” shows that the sophisticated part of their work was to manually change the DNS settings of their client computer so that it resolved web addresses through an internal DNS service within their institute (to which they have admin access), which they had manipulated beforehand by adding a round-robin entry for the sandbox server that redirected every second client request to a malicious system, which then stole the session token.

So, what are the lessons from this intended act of creative destruction? Yes, once again we learn (what we have known for decades now) that without a proper client certificate, man-in-the-middle attacks are possible, independently of the authentication methods and tools used, and that SSL/TLS provides means to avoid the risk of such attacks, likewise independently of the authentication methods and tools in place.
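The reason TLS defeats this kind of DNS redirection comes down to one decision the client takes on the certificate the server presents: it has to chain to a trusted root and it has to be issued for the host name the client intended to reach. The Go example below is added here and is not from the press release, the students' work or the post; the host names sandbox.example and evil.example and the self-signed certificates standing in for a CA are constructed. It shows that a client expecting sandbox.example rejects a certificate issued for another name even when that certificate is trusted, which is exactly what a round-robin DNS entry pointing at a different machine runs into.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSignedServerCert issues a self-signed, CA-capable certificate for one host
// name. It stands in for a real CA in this sample; a production client would carry
// the public CA roots instead.
func NewSelfSignedServerCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the name the certificate is valid for
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// AcceptServer is the decision a TLS client takes on the peer's certificate: it must
// chain to a trusted root AND be issued for the host the client meant to reach. A
// poisoned DNS answer changes where the TCP connection lands, but the machine it lands
// on cannot present a certificate for the original name that chains to a trusted root.
func AcceptServer(presented *x509.Certificate, intendedHost string, trusted *x509.CertPool) error {
	_, err := presented.Verify(x509.VerifyOptions{
		DNSName:   intendedHost,
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	// Constructed host names: the genuine sandbox and the machine a rogue DNS entry points at.
	sandbox, err := NewSelfSignedServerCert("sandbox.example")
	if err != nil {
		panic(err)
	}
	evil, _ := NewSelfSignedServerCert("evil.example")
	trusted := x509.NewCertPool()
	trusted.AddCert(sandbox)
	fmt.Println("genuine server:   ", AcceptServer(sandbox, "sandbox.example", trusted))
	fmt.Println("redirected server:", AcceptServer(evil, "sandbox.example", trusted))
}
```

The second call fails with a hostname error before any chain is built, and it keeps failing if the redirected machine's certificate is itself trusted, because the name check is separate from the trust check. A client that disables either check (or a user who clicks through the warning) is the case the post's lesson is about.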

It is great that University Bochum is teaching its students how these things work, and eventually we may have a generation of well-educated IT experts who know how to make corporate IT infrastructures and the Internet more secure. Maybe they should add some HTML training courses to their timetable as well. If you look at this description of a “hacker course” the university is offering, some nice error messages caused by malformed HTML are displayed, like this one:

System Message: WARNING/2 (<string>, line 11)
Block quote ends without a blank line; unexpected unindent.

But what is the message behind that press release saying that University Bochum students broke “Microsoft's Identity Metasystem CardSpace”? Just to feed some outdated opinion about Microsoft producing error-prone and insecure software? In my opinion, this is not enough for a productive discussion on how to increase security.


Is GRC something different in Europe than it is in the US?

05.06.2008 by Joerg Resch

Today I listened to a podcast in which Kevin Cunningham and Darran Rolls from Sailpoint Software talk in an interview with Jackie Gilbert about the impressions they brought back home from EIC 2008. Besides describing EIC as an event not to miss next year (thanks!), they compare the US and European identity management markets and agree that there are more similarities than differences when it comes to GRC. Yes, compliance requirements are increasing everywhere in the world, and SOX is not the only framework responsible for this increase.

I think it was Kevin who mentioned one important difference: privacy and data protection for employees seem to be more strongly regulated here in Europe than in the US. This may be true, although in practice they do not really play a role, as recent espionage cases like the one at Deutsche Telekom impressively show.


It is not possible that a single trader like Jerome Kerviel burns 5bn Euro

26.01.2008 by Joerg Resch

It is absolutely impossible that somebody in a position like Jerome Kerviel's can hold trading positions worth 50bn Euro and burn 10% of that amount. It is impossible, because

  • banks nowadays would never rely on simple password protection for their trading systems.
  • they all have state-of-the-art identity management in place and manage business roles in a way that no single trader could crash the whole bank
  • such big deals would always be routed through acknowledgement processes where duties are segregated
  • strong authentication techniques and strict authorization would make every employee of a bank feel that it is impossible to operate with multiple identities falsifying acknowledgement processes
  • risk dashboards would turn red and start screaming long before such damage occurs

And, just to be complete: no, it is not possible to attack PIN/TAN online banking transactions, ATM cards cannot be forged, and it never rains in Hamburg.


Identity theft & offline fraud in the banking industry

09.01.2008 by Joerg Resch

In a recent post, I wrote about those 25 million British people whose bank information had been “lost”. Jeremy Clarkson, a British TV presenter, wrote in his Sun newspaper column that such a loss is of no value to whoever may now hold this data. To prove this, he published his own Barclays Bank account details. He has now had to admit that somebody exploited this information and transferred 500 GBP from his account to a welfare organization. So he either was lucky or didn't have more in his account, I suppose.


Customer Identities at Vodafone

20.12.2007 by Joerg Resch

Today I had to put an end to a story that has lasted for months now, in which I tried to change the mobile phone contract I have had with Vodafone since 1996, by cancelling any contract that may exist under my name, my address, my bank account number or my customer number(s). It all started when my employer was generous enough to take over my phone contract. Therefore, the invoice address and bank account information had to be changed. I wanted to take this occasion to get rid of some add-ons I had been chased into subscribing to through aggressive telemarketing, which I never actually used and did not miss. And I wanted to change from one flat-rate type to another one better suited to my phone habits.

As telcos in general may not be too famous for their customer service quality, I did not expect it to be easy. But what happened was far beyond my imagination:

The first attempt (phone, e-mail) did not have any effect.
After the second attempt, my contract had been changed, but the add-ons were not cancelled, the bank account information was not changed and the invoice address was not changed.

Next attempt: they still debit my bank account with a rising amount of money, but I don't get any invoices any more. When I phone them, they cannot trace any changes in their CRM database. Everything up to now seems to have ended up in some wrong place. They then sent me a form by post on which I had to apply for the bank account and invoice address change. Several days after I did so, I received a written confirmation at my private address that

  • They do not have a mobile phone contract under my customer number
  • I signed the mobile phone contract in August 2003
  • My bank information is (private bank account)
  • My invoice address is (private address)

They enclosed a photocopy of my non-existent contract, which they say was dated August 2003 but in fact shows August 1996 as the contracting date. This photocopy is the only piece of correct information I received, which does not help me much, as I have it myself.

Today I received a call from a person from Vodafone service or telemarketing (I don't know, and I don't care anymore) who tried to explain why invoices do not reach me anymore. The person phoning me did not know that the bank account information and invoice address had changed or should have been changed. Nor did that person know anything about contract changes. He then said that he would call Vodafone and ask about the status. Huh?

I hope for the future of that company, that I am a grand exception.


UK Public Services Pushing Identity Theft to a new Level

20.11.2007 by Joerg Resch

According to BBC News, UK Chancellor Alistair Darling has admitted the “loss” of 25m records by UK Revenue and Customs: two disks containing personal information, including names, birth dates, National Insurance numbers and bank account details, of 25 million people, essentially all families resident in the UK with at least one child under 16. He added that there is no evidence that this data has fallen into the hands of bad guys, but advised those 25 million people to watch their bank accounts.

Translated from political into real-world language, this means that those disks have indeed fallen into the wrong hands and that most probably some identity theft and fraud activity is already going on.

I don't know much about how UK public services deal with IT governance and compliance issues, or whether they are aware of the risks related to large collections of identity information. But I assume that it is not so different from the situation over here in Germany, where governmental institutions

  • are absolutely resistant to any external IT-related expert advice
  • have little or no internal expertise in that field
  • always insist on having access to any kind of data collection, even if it does not make any sense and even if they do not have the manpower to extract identity information from that data

Sad but true: governments themselves are amongst the biggest threats to modern civilization.


Bye Bye CRM

12.10.2007 by Joerg Resch

At this year's Digital ID World in San Francisco, Doc Searls gave a keynote on Vendor Relationship Management (VRM), a concept he has been contributing to as a fellow at Harvard's Berkman Center. According to Doc, VRM is the inverse of Customer Relationship Management (CRM) and provides methods and tools for individuals to deal with customers.

VRM, still quite early in its evolution, is definitely extremely interesting, as it is one of the first initiatives to look into what can be done on top of user-centric identity besides decentralized authentication and some kind of web SSO. VRM puts customers in the lead position and thus improves the relationship between demand and supply.

On the VRM mailing list, which is very interesting to follow, there has been some discussion around the question of who actually owns identity-related information. I posted the following contribution:

Information cannot be owned

I would like to point to the fact that information cannot be owned, because it is not a kind of object which may be attributed to a subject by law (which itself is information as well). There is a very good publication about the ownership of information by Jean Nicolas Druey: http://cyber.law.harvard.edu/home/uploads/339/Druey.pdf .

So, talking about the persistence and flow of identity information between parties and through marketplaces, we should not try to think that we can own that information. If I understand the VRM discussion and the concept of user-centric identity right, it is about creating a more balanced position between parties taking part in whatever marketplace, where some kind of “rules layer” on top of the information layer gives me the power to influence its flow. I'm not the owner of my doctor's diagnosis, even if it concerns me. But I may have some rights influencing the distribution of this diagnosis, because it affects me. We need a home for these rights, instead of trying to own information.

VRM, as I understand it, is about creating a kind of rules metasystem above or beyond the walled gardens we currently have.


Orange / France Telecom release OpenID Service

26.09.2007 by Joerg Resch

Ariel Gordon and Aude Pichelin from France Telecom (FT) yesterday announced at the 6th Digital ID World in San Francisco the release of an OpenID service to their 40 million subscribers. Congratulations to the OpenID community on this big success. It is not surprising that it is FT with its Orange brand that is the first company running an Internet-scale OpenID service. On the one hand, it's a smart company: they contributed strongly to the emergence of the SAML standard and pushed IBM into the Liberty Alliance some 3 years ago. On the other hand, if there is any industry which can make a business out of running OpenID services, it's the telcos, because they are wired right through to our purses.

But OpenID was only a small part of FT's advanced identity management strategy; it consumed less than 3% of their total project budget and therefore shouldn't have been too difficult to give a go. The rest of the budget went into something I would call the foundation of the future (post-UMTS) telco business model: converging the management of identities for voice and non-voice services across wireline and wireless, and using the SAML v2 standard to open up the whole infrastructure for plug & play style partnership business.

Telcos on their own haven't been too good at creating services that are needed or otherwise attractive enough to be broadly used since they invented SMS. So they need partners to take care of this in order to survive.

Being more and more reduced to IP tunnel providers, telcos should at least try to make the most of it by offering a powerful infrastructure for mobile and wireline services. FT have done their homework in an obviously excellent way, clearly focusing on improving the user experience by simplifying sign-on within their SAML-based converged infrastructure. They pull authentication information from the DSL and appliance level, add available user information and use these to provide reliable identities without forcing users through login and account creation processes.

Ariel described that during downtimes of their identity system, when users are forced to sign on manually, online service sales drop by 50%. Even if this does not necessarily mean that they have doubled sales, because part of those 50% would just return after the service is back up, there seems to be room for a pretty quick return on investment and revenue growth.

I have invited Aude, Ariel and Hervé, the latter being technically responsible, to come to Munich for next year's European Identity Conference and talk about the latest developments.


© 2007 Joerg Resch, Kuppinger Cole + Partner