Archive for the 'security' Category

OpenID, Diso and Vidoop – there, that covers it

[UPDATE:  In my note about Vidoop, I inferred that they had made a deal with AOL; in fact, they are just one of several “white-listed” OpenID providers.  I’ve fixed the language, and pointed to where I got that mistaken impression.  Thanks, Sam, again, for the pointer.]

I attended part of the OpenID camp this weekend, because I’ve been interested in single sign-on for a while, as the first step in the fight against dozens of silos of walled social networks. Here’s a brief report back, because the first rule of any camp is to Talk About (Bar/OpenID/Whatever)Camp:

  • Since I’m not a coder and the acronym soup was over my head, I jumped in on the conversation about recommendations for OpenID providers. At its most basic, a provider will offer a URL which is the basis against which other sites will verify your registration and log-in information (a good primer screencast is here). People can make their own OpenID servers with the addition of just a little HTML code; other sites offer a full OpenID identity management (like myOpenID). Right now, an end site can display one of several different personas you create, which can contain varying degrees of information – but the personas are either all-on or all-off. I.e. if you want to display little info, you set up a very simple persona; if you want to share more, you set up a more complete persona. But either one you choose will display all the information in that persona to whoever visits the URL. Chris Allen (who pointed me to a good dissection of privacy he had written) suggested that in addition to offering the ability to have different personas on an OpenID server, it should also allow different levels of authorized information based on permissions levels, minimally a type of “if I show you myOpenID, you show me yourOpenID.” In the subsequent Diso discussion (see below) Chris M. also suggested that OpenID providers offer the identity information in hcard / microformat (natch) so it can be parsed by a wider range of subsequent tools for Diso purposes. (Standards and format flame wars over there, please – I’m just a messenger…)
  • Check out There, I said it. Vidoop is a new OpenID provider, and they helped sponsor this camp (as well as SixDegrees and others). OK, so I have to thank Sam from Vidoop for putting up with my noob questions and explaining some of the more tricky use cases for me. And Vidoop has one (of several) interesting business model(s) – they don’t use passwords for your account login; instead, it’s categories of images that you choose as your recognizable set. For hosted services (for example, AOL), the other images that are not part of your set can be branded – AOL, or whatever. Yes, that makes no sense until you set up an account and see how it works – then read their blog post.
  • I got to sit in on a bit of Chris Messina’s DiSo description. Thank god, because the Google page doesn’t really capture it in any succinct fashion (to be honest, Chris took 15-20 minutes before we got the full picture). In essence, it’s a way of using open source tools and standards (like WordPress) to build social networks that are not tied to a particular platform (like, uh, Facebook?). There’s a lot of great potential there, as well as a lot of work to even just get different services to communicate – much less be plug and play to the average user. But it’s great to see my personal peeve (a rant from a year and a half ago) of walled-garden social networks confirmed by people far smarter than me.



Online banking so-called security?

I just purchased something online, and the purchase was interrupted by my Visa card company in order for me to secure my Visa identity and purchases.  When I entered my password, it replied snarkily that it did not “meet” the standards the bank applied to passwords….  Because my password included a symbol!  I’ve noticed this across the board with bank and credit card online login / password systems – they almost categorically do not allow symbols!  (Uh, which make passwords stronger?….)

The main “banking” exception I’ve found is PayPal – being an online company, they clearly figured out that online users wanted the security of adding symbols to their pwds.

(and once everyone starts entering the “security code” that appears on the back of credit cards into online purchase forms, those too will no longer be secure as we suffer the vagaries of poor data deletion and management by online firms……)


Some cool new Drupal modules

Or what I learned at OSCMS part whatever

  • Viewfield: I can’t put it any simpler than the description for the module itself. “Nodes hold content. Views save queries. Wouldn’t it be great if a node could hold a saved query? Now it can.”
  • Persistent login: The new persistent login module is much fancier than the original one that was built into previous versions of Drupal. For example, Drupal makes the persistent login session cookie last for 3 weeks. If your login cookie is stolen (using a PHP hack?) – there’s not much you can do about it; you can re-login, but that cookie will last for 3 more weeks for whoever stole it (more notes on this here). The new persistent login will track previous logins, and be able to warn your account if someone’s accessed it with a stolen cookie / token. As the guy said, “It’s actually more secure.” It also requires you to enter your password when making special edits (like your account password) – you can even set (via admin) the pages which will require a password (like the Mac’s security system when updating software).
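How a persistent login can notice a stolen cookie, sketched as an added example (not the module's own code): it assumes a series-plus-rotating-token scheme, and the class name, in-memory storage and status strings are hypothetical.

```php
<?php
// Added illustration: an in-memory array stands in for the database table.
final class PersistentLoginStore
{
    private array $rows = [];            // series => [uid, hash, expires]
    private const TTL = 21 * 24 * 3600;  // 3 weeks, as in the text
    // Called after a password login; returns the cookie value "series:token".
    public function issue(int $uid): string
    {
        return $this->rotate($uid, bin2hex(random_bytes(16)));
    }
    // Returns [status, uid or null, replacement cookie or null].
    public function check(string $cookie): array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return ['invalid', null, null];
        }
        [$series, $token] = $parts;
        $row = $this->rows[$series];
        if ($row['expires'] < time()) {
            unset($this->rows[$series]);
            return ['expired', null, null];
        }
        if (!hash_equals($row['hash'], hash('sha256', $token))) {
            // Known series but an already-used token: two parties hold this
            // cookie. Revoke every persistent session for the user.
            $uid = $row['uid'];
            $this->rows = array_filter($this->rows, fn($r) => $r['uid'] !== $uid);
            return ['theft', $uid, null];
        }
        return ['ok', $row['uid'], $this->rotate($row['uid'], $series)];
    }
    private function rotate(int $uid, string $series): string
    {
        $token = bin2hex(random_bytes(16));
        $this->rows[$series] = ['uid' => $uid, 'hash' => hash('sha256', $token),
                                'expires' => time() + self::TTL];
        return "$series:$token";
    }
}

// Constructed scenario: a thief and the real browser hold the same cookie.
$store  = new PersistentLoginStore();
$cookie = $store->issue(42);
[$first, , $fresh] = $store->check($cookie);  // first presentation
[$replay]          = $store->check($cookie);  // same value presented again
[$after]           = $store->check($fresh);   // rotated value, after revocation
echo "$first / $replay / $after\n";
```

The 'theft' status is the point at which a site would warn the account owner and force a password login.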


OSCMS – Rasmus on PHP

Rasmus Lerdorf on PHP and Internet security. (One of the sessions I attended at OSCMS)

(For what it’s worth – if you have any issue or disagreement with my barely technical descriptions below, please take it up “in original” – i.e. with Rasmus, and not me. PHP security auditing is not my job, and I’m just giving a basic report back).

Rasmus began his talk by saying “Basically, you should never ever ever click on a link.” Or even mouse over it, apparently. Now, I’m not a PHP coder, but most of what he explained was understandable by me, and thus scary. His main point was to illustrate that you can “inject” javascript into PHP (and thus almost any webpage) quite easily, and hence you have to be a) very diligent about your PHP scripting, b) even more diligent about your web browsing.

For example, a (trap) page could load in an invisible section that listed a number of popular websites – including Yahoo and Bank of America – that would not be visible to the person browsing. Javascript could then analyze whether any of the links had been “followed” by checking the color state of the link – the logic being if the link to Bank of America has been followed, you probably have an account there. The javascript could then check any other open browser tabs, and compare them to the standard homepage (like Bank of America, for example). If not, then that (likely) means you are currently logged in – and the javascript can make actions on that account!

Sure, you can argue that there’s a lot of programming involved to get that far, and then much more to actually do anything fun with the bank account you’re logged into. Rasmus went on to describe another type of attack that loads an invisible IFrame in your browser window that could log keystrokes; and even take actions on other open browser tabs (a more sophisticated version of the above). He showed how this is possible on something as simple as a “mouseover” command in PHP – using sophisticated javascript injection attacks.
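On the "be diligent about your PHP scripting" side, here is an added example (not from the talk) of how a value echoed into an HTML attribute can pick up a mouseover handler, and the escaping that stops it. The function names and the input string are constructed for illustration, and the check assumes PHP's DOM extension is installed.

```php
<?php
// Added illustration. Constructed input: a profile "name" field that tries to
// break out of a single-quoted HTML attribute.
$name = "x' onmouseover='alert(1)";

// Raw interpolation: the value can close the attribute and add its own.
function linkRaw(string $name): string
{
    return "<a href='/profile' title='$name'>profile</a>";
}

// ENT_COMPAT (the default flag before PHP 8.1) leaves single quotes alone,
// so a single-quoted attribute is still breakable.
function linkCompat(string $name): string
{
    return "<a href='/profile' title='"
        . htmlspecialchars($name, ENT_COMPAT, 'UTF-8') . "'>profile</a>";
}

// ENT_QUOTES escapes both quote characters; the value stays inside title=.
function linkQuotes(string $name): string
{
    return "<a href='/profile' title='"
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "'>profile</a>";
}

// Check: parse the markup with an HTML parser and list the link's attributes.
function attributeNames(string $html): array
{
    libxml_use_internal_errors(true);   // fragment input, silence parser notes
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $names = [];
    foreach ($doc->getElementsByTagName('a')->item(0)->attributes as $attr) {
        $names[] = $attr->nodeName;
    }
    return $names;
}

// Print which attributes each rendering ends up with.
foreach (['linkRaw', 'linkCompat', 'linkQuotes'] as $render) {
    echo $render, ': ', implode(',', attributeNames($render($name))), "\n";
}
```

An `onmouseover` entry in a rendering's attribute list means the input escaped the `title` value; the escaping flags have to match the quote style the template uses.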

Someone asked him if he ever developed a tool to scan pages for the types of holes in poorly formatted PHP that he was talking about. He admitted he had, but he did not make the tool available, because he would discover too many large corporate sites (including banks) that had vulnerabilities. In his words, “I didn’t want to be the guy that released the tool that broke the web.”

(If anyone finds a link to his presentation – did he even have any slides? – lemme know.)
