fidzu : Identity

Chaipuccino is not a thing, no matter what Starbucks may say. If you run a cafe and you have Chai tea bags as well as the usual English Breakfast, then congratulations. But putting hot frothed milk in a fancy tea pot, adding a chai tea bag and serving it with a fancy cup is just plain wrong. Please just treat it like Workman's Tea. A mug, tea bag, boiling water and a splash of milk once its brewed a bit is fine.

And Starbucks, no thanks for the Chai Tea Latte. Maybe some people like it, but I reckon that's just wrong as well.
[from: Google+ Posts]

One of the first steps taken to protect a system from authentication errors is the determination of its assurance level requirement. That risk assessment process takes as input potential harm and likelihood of harm. This blog post looks at the applicability of the likelihood factor when assessing assurance level requirements for Internet connected systems.

The classic "E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]" defines risk from authentication error as a function of two factors: (a) potential harm or impact and (b) the likelihood of such harm or impact. The categories of harm and impact and how to apply them, per OMB-04-04, can be found in my earlier blog post on HOW-TO Conduct a Risk Assessment to Determine Acceptable Credentials.

The key point to note is that most risk assessment methodologies allow for "tuning" the risk using a "likelihood of harm/impact" factor, which looks something like this:

Risk of Authentication Error = Potential Impact/Harm * Likelihood of Impact/Harm

But how does one determine the "likelihood of harm" number? The two classic approaches are to explore "base rates" or to consult with experts. But there is a gotcha with experts:

The simplest and most intuitive advice we can offer [...] is that when you're trying to gather good information and reality-test your ideas, go talk to an expert. Here's what is less intuitive: Be careful what you ask them. Experts are pretty bad at predictions. But they are great at assessing base rates.

Decisive: How to Make Better Choices in Life and Work

So a prediction by an expert may not be all that valuable. But what about the base rates? My concern there is the constantly evolving threat environment that is the Internet, and how base rates that are based on past data are an unreliable predictor of the future.

So my recommendation in this particular case is rather simple. In this type of evaluation set the "likelihood" factor equal to 1. DO NOT discount the likelihood of harm, and ALWAYS assume there is a likelihood of harm:

Risk of Authentication Error = Potential Impact/Harm * 1

What that means is that, if as part of your assurance assessment you need to factor in the impact or harm from an alien invasion, do not discount the likelihood! Stand firm, fully account for it, and put into place compensating controls to mitigate the consequences.

RELATED INFO

• E-Authentication Guidance for Federal Agencies (OMB-M04-04) [PDF]
• HOW-TO Conduct a Risk Assessment to Determine Acceptable Credentials

---

These are solely my opinions and do not represent the thoughts, intentions, plans or strategies of any third party, including my employer

Something to get lost in. http://electronicexplorations.org/?show=zhou Fairly short and quirky mix of tunes "that I would want to listen to". Recommended.

---

[from: Google+ Posts]

Today is National Buttermilk Biscuit Day. Biscuits fill me with joy, as do community integrations, so here's a post packed with deliciousness from the amazing people in the Stormpath community. (First, here's an awesome biscuit recipe. Happy Biscuit Day!)

• CAS-Addons, now with Richer Stormpath Support
• Python Login Skeleton for Stormpath

CAS-Addons, now with Richer Stormpath Support

Python Login Skeleton for Stormpath

Brian Peterson just released a simple and very intuitive login skeleton for Stormpath that uses the Stormpath Python SDK. This makes it really (I mean, really) easy for Pythonistas to use and understand Stormpath.

He also did a great job of explaining and diagramming the actions of the SDK. Fork it, play with it, send him (and us!) your suggestions and pull requests. As we roll out the Python SDK update, which will include 2.7 support as well as a simplifying refactor, we'll also be updating this handy tool. Nice work!

Shock horror. Festivals are expensive and only middle aged, middle class people can afford it.
http://www.factmag.com/2013/05/16/study-60-of-young-people-priced-out-of-festivals-average-festival-costs-420

Which explains how white, middle aged and middle class, Glastonbury can appear to be. (sez, the balding old git).

---

[from: Google+ Posts]

Access Risk Management Blog | Courion

Securing an enterprise is no mean feat and is made more difficult by the rapidly expanding use of software in the Cloud. Although security is often cited as a concern with a move to the Cloud, what may not be fully appreciated is how cloud computing amplifies the existing risks of how to best manage millions, if not billions of identity and access relationships.

Check out this article by Kurt Johnson, Courion VP of Strategy and Corporate Development, to learn about the need for real-time access intelligence to manage the risk of improper access to systems and resources that span the enterprise and the Cloud, as well as how organizations can reduce risks before they become bona fide breaches.

Click here to read the full story.

blog.courion.com

I am not happy with the FIDO Alliance and their FAQ do not eliminate my concerns.

The major concern beeing: "Why isn't this going straight to a standards body?"
Their answer:

The FIDO authentication protocol needs to be part of a standardized, interoperable ecosystem to be successful. Building this ecosystem requires the active commitment of everybody from hardware chipset vendors, to the manufacturers of back-end server systems. Coordination across the divergent interests of these players is a complex affair, and one that current technical standards bodies are not well suited to handle.

The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement.

This is what standardization bodies working groups are for. Work on protocols and formats. Work on security considerations. Use the experience of "the community".

So FIDO is developing a protocol and will then present it to one standardization body...
Meanwhile it is a closed thing and it costs relevant amounts of money to join the alliance.
This neither free nor open.

During IIW there were several sessions on FIDO (1, 2). Each full of good intentions and marketing speek but no substance. No real information. You have to join the alliance to get that. Well, ...

Somebody at Nok Nok Labs convinced somebody at Paypal to hire them and found FIDO. Why Google joined despite Google's support for the W3C WebCrypto group I have no idea.

The W3C WebCrypto group is were this belongs. This might need rechartering of the group. But that is doable. Especially if the proposal is backed by a prototype implementation. Especially if it is backed by by Paypal, Lenovo, Google, Nxp and others.

I believe that we need better authentication methods beyond username and password. I think that bring your own (hardware) identiy might work to that goal. I believe that mobile phones, and SIM cards and NFC help to achieve this. I believe that the mobile wallet is the right user interface to choose your identity.

I believe that doing it in a closed group is not the right way.

After the recent wrestling match in the blogosphere that included vendors and analysts on XACML, I want to provide some best practices for access control/authorization.

The wrestling match is covered in my earlier post.

Let me insert my favorite punch line before I mention the best practices.

Authentication is finite while Authorization is infinite.


Best practices for access control:

1. Know that you will need access control/authorization.

2. Externalize the access control policy processing

3. Understand the difference between coarse grained and fine grained authorization

4. Design for coarse grained authorization but keep the design flexible for fine grained authorization

5. Know the difference between Access Control Lists and Access Control standards

Fig: Typical XACML Fine Grained Access Control Architecture

6. Adopt Rule Based Access Control : view Access Control as Rules and Attributes

References

Realists have no idea how they ended up living on this once hospitable planet with all these fools

---

[from: Google+ Posts]

16 May (tonight), MS Stubnitz, Canary Wharf, London for some Real time, Algorithmically Generated Techno wholly or predominantly characterised by the emission of a succession of repetitive conditionals.

http://algorave.com/stubnitz2/
http://algorave.com/
http://thenextweb.com/shareables/2013/05/11/algoraves-get-people-together-to-dance-to-music-generated-in-real-time-by-algorithms
http://feedproxy.google.com/~r/TheNextWeb/~3/zsUdjhOM5tY/
http://boingboing.net/2013/05/11/algoraves-dancing-to-algorith.html

Time to dust off the Music Tech dissertation and rhythm generator using Markoff Chains in the time domain.

---

[from: Google+ Posts]