30 Jun 2015

feedPlanet Identity

Courion: Tech Tuesday - From Encryption to BYOD Security

Access Risk Management Blog | Courion

encryption

Pita Bread Helps Researchers Steal Encryption Keys

In possibly the most delicious hack ever, a team of Israeli security researchers at Tel Aviv University have developed a way of stealing encryption keys using a cheap radio sniffer and a piece of pita bread. Truly a sight to see.

Lee Munson, NakedSecurity.com

Polish airline, hit by cyber-attack, says all carriers are at risk

Flight delays just got a little more advanced. A Polish airline was hit by a cyber-attack grounding around 1400 planes. There was never any danger to passengers because the attacks happened while no planes were in the air. However, the company says that the hack could happen to anyone, at any time making this a worldwide issue.

Wiktor Szary and Eric Auchard, Reuters.com

Details and insight for VARs: Medical Devices and Security Risk

If you liked last week's blog about the unique challenges facing healthcare today, then you'll love this look into how medical devices are becoming "key pivot points" in the war against hackers and cyberattacks.

Megan Williams, Business Solutions- bsminfo.com

The great debate: To BYOD or not to BYOD

Do you BYOD? As if security wasn't already difficult enough to control within your network and its devices, now security teams have to worry about the exponential threat of "bringing your own device". This article gives 8 best practices for BYOD security and an insightful look at this new challenge.

Keith Poyster, ITPortal.com

blog.courion.com

30 Jun 2015 1:32pm GMT

Matthew Gertner - AllPeers: How to Have Fun while Exploring Paris Alone

Paris, or more commonly known as the "City of Love," is a destination that a lot of couples dream of exploring. The city has that dazzling beauty and teeming with - qualities that are hard to find in other modern cities. If you have a passion for culture, history, fine dining, and shopping, Paris will surely captivate your fancy. However, just because it is known as the "City of Love" doesn't mean that you can't enjoy its beauty on your own. Sometimes, having a bit of "me time" can work wonders for your mind and body. This article will provide…

The post How to Have Fun while Exploring Paris Alone appeared first on All Peers.

30 Jun 2015 10:03am GMT

29 Jun 2015

feedPlanet Identity

Julian Bond: My first public post in G+. 8 July 2011, a week or so after the launch.

My first public post in G+. 8 July 2011, a week or so after the launch.
https://plus.google.com/+JulianBond23/posts/1qBXL7B367V

I've been searching for something in G+ that let's me see all the posts I've commented on. I can't find it yet.

4 years later. There's still no way of getting a list of all the posts you've commented on.
 I've been searching for something in G+ that let's me see all the posts I've… »
I've been searching for something in G+ that let's me see all the posts I've commented on. I can't find it yet.

In the process I discovered a whole set… - Julian Bond - Google+

[from: Google+ Posts]

29 Jun 2015 7:14am GMT

Katasoft: Hello, Stormpath!

micah_hair

I'm Micah and this week I joined Stormpath as a Developer Evangelist, supporting Java and the JVM.

In this new role, I get to do some of my most favorite activities as my job: coding, pairing with other developers and writing. I am part of a growing team of software engineers who not only write code, but get to express all that nerdy goodness through interactions in the developer community.

About me

I developed an interest in computers right at the beginning of the personal computer revolution when I was in 6th grade. I first played with CBM PETs in school (pop quiz: What does PET stand for? No googling! Answer below). My first home computer was a Commodore Vic-20. Then a Commodore 64 and even the rare SX-64 (LOAD"*",8,1 - anyone?).

computers

After learning what I was doing with my 300 baud modem and phreaking tools, my parents sought a less felonious outlet for my interest. My father, a dentist, purchased an Osbourne 1 (CP/M for the win!) and had me help him automate his office.

Since then, my love affair with technology has continued to develop and evolve.

I've had a wide ranging career working at the Syfy Channel for its first online presence, large banks and insurance companies including JP Morgan Chase and Metlife, and startups.

The two primary themes throughout have been my love of APIs and information security. My recent code kata on spreadsheet column name conversion exercises both algorithmic thinking and creating APIs.

I'm very proud of my password generator program, Passable, both as an iOS app (sorry Android!) and as a Google Chrome extension.

The code for these projects (and others) are on my github page.

I'm a maker at heart, whether it's refurbishing a Dark Tower game or building out a MAME arcade cabinet.

mame

Jumping at Stormpath

While I love writing, my last blog post on my personal site was back in 2013. I co-authored a book in 2006. I published articles in the 2000's in Java Developer's Journal and Dr. Dobbs, among others.

When I saw the Developer Evangelist position at Stormpath, I jumped at it! Getting to work with some of the top security people in the world, engaging with other developers, developing software to support other developers and writing are all baked into the work. Somebody pinch me - I must be dreaming!

What I'll Be Working On

I'll be focusing on making the experience of using Java and Stormpath more awesomer (technical term) than it already is. It's an exciting time to be working in Java. The addition of a functional style of programming to the language, lambdas and the stream api have totally revitalized the Java language and community. The breadth of frameworks is remarkable, and you can now setup a fully functional MVC, single page, websocket enabled app in seconds using tools like Spring Boot or Dropwizard. Never before has Java been so accessible and I am excited to work with you on integrating Stormpath into your stack.

I am so psyched that Stormpath exists! The audacity to take on such a critical facet of the technology landscape makes me excited and a little queasy at the same time (in a good way).

How I See Stormpath

For you Java #nerds out there, Stormpath is a little like spinning up your own threads. Sure, the language has syntax to do it, but the container does it much better and safer than you or I ever could. So, I'll rely on my handy container to manage concurrency and I will focus on the task at hand.

Likewise, while you could roll your own security layer and (hopefully) use best-practices, Stormpath does it better. All you need to do is break out your handy REST API skills and you're all set.

Part of my role here - and my passion - is to be here for YOU, the Software Engineer. Feel free to reach out to me at: micah@stormpath.com. I am looking forward to meeting online and in person!

BTW, PET = Personal Electronic Transactor

29 Jun 2015 5:00am GMT

27 Jun 2015

feedPlanet Identity

Julian Bond: The dubstep pioneers talking about how it happened.

The dubstep pioneers talking about how it happened.

http://www.vice.com/en_uk/read/an-oral-history-of-dubstep-vice-lauren-martin-610/page/0
vs
http://energyflashbysimonreynolds.blogspot.co.uk/2015/06/dubstep-in-hindsight.html

Well it's History now.... 15 years since its earliest dawn-glimmers....seven years or so since it got hijacked / "went down the wrong path" - leaving the faithful bereft, making them disperse, or launch the postdubstep era

---

If you're interested, that oral history is well worth reading. 
The VICE Oral History of Dubstep | VICE | United Kingdom »
The story of a genre, as told by some of its most pivotal players.

[from: Google+ Posts]

27 Jun 2015 9:58pm GMT

Julian Bond: The Essential Guide to Cyberpunk

The Essential Guide to Cyberpunk
http://io9.com/the-essential-cyberpunk-reading-list-1714180001

It's not a bad starting point and you could do worse than read everything any of those authors have ever written. Or just start with Mirrorshades and follow the links to each author. But also these books and everything by these people as well.

Paul Di Filippo - Ribofunk
Lucius Shephard - Life During Wartime
Michael Swanwick - Vacuum Flowers
Mink Mole - Alligator Alley
Jeff Noon - Needle in the Groove
Walter Jon Williams - Hardwired
Ken Macleod - The Execution Channel
Jack Womack - Random Acts of Senseless Violence
Samuel Delaney - Dhalgren
Ian McDonald - The Dervish House
Misha - Red Spider White Web
Martin Bax - The Hospital Ship
Paolo Bacigalupi - The Windup Girl
St. Jude (R.U.Sirius, Mondo2000) - Cyberpunk handbook : the real cyberpunk fakebook

http://www.librarything.com/tag/cyberpunk

Back in the 80s and 90s I read everything cyberpunk I could find. My tastes veered off though towards Slipstream and the sort of cross breed between Cyberpunk, Slipstream, Magical Realism and the late 60s New worlds crew like JG Ballard. Part of the reason for that is that the writing is generally better. It's a common criticism of early books by new SciFi authors that the writing is often terrible even while the ideas are interesting.

What's a bit sad is how much of that stuff is getting really hard to find now, long since out of print and pulped. Anyone got a copy of Lewis Shiner - Deserted Cities of the Heart?
 The Essential Cyberpunk Reading List »
It’s now been over three decades since cyberpunk first exploded, and in that time we’ve seen gorgeous movies, read fascinating books, and seen dozens of offshoots like steampunk (and my new favorite, deco punk) develop. Here are the 21 cyberpunk books you absolutely must read.

[from: Google+ Posts]

27 Jun 2015 8:28am GMT

25 Jun 2015

feedPlanet Identity

Gluu: Announcing the formation of the OTTO WG

Note: This announcement originally appeared on the Kantara Initiative website. We are pleased to announce the formation of the OTTO WG! OTTO stands for Open Trust Taxonomy for OAuth2. We hope that you will participate in this innovative new work group! Learn more about the OTTO WG Join the OTTO WG The working group will … Read more >>

25 Jun 2015 7:47pm GMT

Katasoft: Build An API Service in Node.js with Stormpath, Twilio and Stripe

BTC SMS Intro

Building a full-fledged API service isn't as hard as you may think. By taking advantage of some really useful API services and open source libraries, you can rapidly develop an API service in an incredibly short amount of time!

In this article, I'm going to walk you through the process of building an API service that uses SMS to keep you up-to-date with current value of Bitcoin: Bitcoin SMS!

This API service:

  • Lets users sign up and register for your site.
  • Verifies new user accounts by sending them an email and making them click a link.
  • Generates API keys for developers automatically.
  • Bills developers on a per-API call basis.
  • Handles credit card billing with Stripe.
  • Sends SMS messages via Twilio.
  • Finds Bitcoin exchange rates via Bitcoin Charts.
  • Stores user account data securely with Stormpath.

If you're at all interested in building API services, or API companies - this article is meant specifically for you!

NOTE: Prefer video over a long article? If so, you can actually watch my screencast where I cover the same things in video form on Youtube here: https://www.youtube.com/watch?v=THDPG2gH7o0

ALSO: all of the code we'll be writing here can be found on Github here: https://github.com/rdegges/btc-sms

What We're Building: BitCoin SMS API Service

BTC SMS Demo

What we're going to build today is a publicly available API service called BTC SMS which allows developers to make API calls that send SMS messages to specified phone numbers with the current value of Bitcoin.

The idea is that a lot of people might want to know the value of Bitcoin at a specific point in time - in order to buy or sell their Bitcoin - so this API service makes that information easy to access by sending SMS messages to a user with the current value of Bitcoin.

The API service we're building will allow developers to make requests like this:

POST /api/message
{
  "phoneNumber": "+18182223333"
}

In the above example, this request would kick off an SMS message to +18182223333 that says something along the lines of "1 Bitcoin is currently worth $525.00 USD."

Here's how it'll look:

BTC SMS API Call

Now, since we're actually building an entire API service here - and not just a plain old API, we'll also be charging money! We'll be charging developers 2 cents per successful API request in order to cover our costs, and make a little bit of profit =)

So, now that we've briefly discussed what we're going to be making - let's actually make it!

Set Up Twilio, Stripe and Stormpath For Your API

To get started, you'll need to create some accounts that we'll be using for the rest of this guide.

Twilio for SMS

First, you'll want to go and create an account with Twilio. Twilio is an API service that lets you do all things telephony related: send and receive calls and SMS messages.

For the purposes of the application we're building, we'll only be using Twilio to send SMS messages, but there's a lot more it can do.

Signing up for a Twilio account is free, but if you want to actually follow through with the rest of this article, you'll need to purchase a phone number you can send SMS messages from - and this typically costs $1 USD per month + 1c per SMS message you send.

Here's what you'll want to do:

  • Sign up.
  • Visit the Numbers Page and click "Buy a number".
  • Purchase any phone number that is SMS ready:

Twilio Buy a Number

  • Now that you have a phone number, write down that phone number, you'll need it later.
  • Next, go to your Account Page and copy your API key credentials so you can use them later on. Twilio gives you two API tokens: an "AccountSID" and an "AuthToken". Both of these are necessary to have. Make sure these stay private.

Twilio API Credentials

Stripe for Payments

Next, let's create a Stripe account. Stripe is a payments provider that allows you accept Credit Cards, Debit Cards, and even Bitcoin as payment options on your site.

Since this demo application will be charging users money for the amount of API calls they make, this is necessary.

Once you've created your Stripe account, you'll want to set your Stripe dashboard to TEST mode - this lets you view the development mode sandbox where you can use Stripe like normal, but with fake credit cards and money:

Stripe Test Dashboard

Next, you'll want to visit your Stripe API Keys page to view your Stripe API keys. The ones you'll want to use for testing are the Test Secret Key and Test Publishable Key values:

Stripe API Keys Image

Be sure to take note of both those API key values - we'll be needing those later.

Stormpath for Authentication and API Key Management

Now that we've got both Twilio and Stripe setup, go create a Stormpath account. Stormpath is a free API service that lets you store user accounts and user data. It makes doing stuff like signing users up for your site, managing users, and doing things like password reset and authorization really easy.

Instead of needing to run a database to store your user data in, we can use Stormpath to simplify and speed up the process. It also comes with some nice pre-built login / registration / password reset pages that make things really nice.

Once you've signed up for Stormpath, you'll want to create a new API key and download it locally:

Stormpath Provision API Key

When you generate a new Stormpath API key, you'll automatically download an apiKey.properties file - this contains your API key information. This file contains two values: an API Key ID and an API Key Secret - we'll need both of these later.

Next, you'll need to create a new Stormpath Application. Generally, you'll want to create one Application per project you work on - since we're building this BTC SMS project, we'll create an Application called BTC SMS:

Stormpath Create Application

After creating your Application, be sure to copy down the REST URL link - we'll be needing this later on to reference our Application when we start coding =)

Bootstrapping an Express.js Application

Now that we've gotten all of our required API service accounts setup and configured properly, we're ready to start writing some code!

The first thing we'll need to do is create a minimal Express.js application that we can use as we move forward.

Here's the files / folders we'll be creating, along with a brief description of what each of them contains:

btc-sms
├── bower.json
├── index.js
├── package.json
├── routes
│   ├── api.js
│   ├── private.js
│   └── public.js
├── static
│   └── css
│       └── main.css
└── views
    ├── base.jade
    ├── dashboard.jade
    ├── docs.jade
    ├── index.jade
    └── pricing.jade

4 directories, 12 files

  • btc-sms: This is the project folder we'll use to hold all of our code.
  • bower.json: This is the bower package file which contains our front-end dependencies. If you haven't heard of bower, it's a package manager for front-end libraries like Twitter Bootstrap.
  • index.js: This is the main 'entrypoint' of our Node application. This is where our Express web app is defined, and our middlewares are configured.
  • package.json: This is our Node package file - this contains our library dependencies, and packaging information.
  • routes: This folder holds all of our route code (this is the code that actually makes stuff happen).
  • routes/api.js: This file contains our API code.
  • routes/private.js: This file contains the code that renders our private pages (the customer dashboard).
  • routes/public.js: This file contains our public pages code.
  • static: This folder holds all of our static assets: CSS, Javascript, etc.
  • static/css/main.css: This is our CSS file to make things look decent.
  • views: This folder holds our template code.
  • views/base.jade: This file holds our base template code. This holds the basic HTML page outlines, navbar, and stuff like that.
  • views/dashboard.jade: This file holds our private dashboard page code. This includes some billing logic.
  • views/docs.jade: This file holds our public API documentation.
  • views/index.jade: This is our main home page.
  • views/pricing.jade: This is our public pricing page.

The Views

Now that we've seen what our app looks like at a structural level, let's take a look at the views.

Taking a look at the views first will give you a good understanding of how the site looks / functions before digging into the backend code.

base.jade

The base.jade view contains a page outline and navbar that all pages of the site use. This lets us build a 'modular' website with regards to the front-end of the website:

block vars

doctype html
html(lang='en')
  head
    meta(charset='utf-8')
    meta(http-equiv='X-UA-Compatible', content='IE=edge')
    meta(name='viewport', content='width=device-width, initial-scale=1')
    title #{siteTitle} - #{title}
    link(href='/static/bootswatch/sandstone/bootstrap.min.css', rel='stylesheet')
    link(href='/static/css/main.css', rel='stylesheet')
    <!--[if lt IE 9]>
    script(src='/static/html5shiv/dist/html5shiv.min.js')
    script(src='/static/respond/dest/respond.min.js')
    <![endif]-->
  body
    nav.navbar.navbar-default.navbar-static-top
      - var nav = {}; nav[title] = 'active'
      .container
        .navbar-header
          button.navbar-toggle.collapsed(type='button', data-toggle='collapse', data-target='#navbar-collapse')
            span.sr-only Toggle navigation
            span.icon-bar
            span.icon-bar
            span.icon-bar
          a.navbar-brand(href='/') #{siteTitle}
        #navbar-collapse.collapse.navbar-collapse
          ul.nav.navbar-nav
            li(class='#{nav.Home}')
              a(href='/') Home
            li(class='#{nav.Pricing}')
              a(href='/pricing') Pricing
            li(class='#{nav.Docs}')
              a(href='/docs') Docs
            if user
              li(class='#{nav.Dashboard}')
                a(href='/dashboard') Dashboard
              li(class='#{nav.Logout}')
                a(href='/logout') Logout
            else
              li(class='#{nav.Login}')
                a(href='/login') Login
              li(class='#{nav.Register} create-account')
                a(href='/register') Create Account
    block body
    script(src='/static/jquery/dist/jquery.min.js')
    script(src='/static/bootstrap/dist/js/bootstrap.min.js')

Some important things to take note of:

  • We are using Twitter bootstrap for design. This lets us build a well structured site without doing a lot of work.
  • We are using a Bootswatch theme for Bootstrap to make the site look a little bit better than your normal Bootstrap site. The theme we're using simply overrides some of the basic Bootstrap styles.
  • At the top of our template, there is a block called vars - this lets us define template-specific variables later on.

index.jade

Our index.jade template renders the home page of our site - it's just a simple static page:

extends base

block vars
  - var title = 'Home'

block body
  .container.index
    h1.text-center Get BTC Rates via SMS
    .row
      .col-xs-12.col-md-offset-2.col-md-8
        .jumbotron.text-justify
          p.
            #{siteTitle} makes it easy to track the value of Bitcoin via SMS.
            Each time you hit the API service, we'll SMS you the current Bitcoin
            price in a user-friendly way.
          a(href='/register')
            button.btn.btn-lg.btn-primary.center-block(type='button') Get Started!

You'll notice that our Get Started! button is linking to a registration page - this registration page is generated automatically by the Stormpath library that you'll see later on.

docs.jade

The docs.jade template is just a static page that contains API documentation for developers visiting the site:

extends base

block vars
  - var title = 'Docs'

block body
  .container.docs
    h1.text-center API Documentation
    .row
      .col-xs-12.col-md-offset-2.col-md-8
        p.text-justify
          i.
            This page contains the documentation for this API service.  There is
            only a single API endpoint available right now, so this document is
            fairly short.
        p.text-justify
          i.
            Questions? Please email <a href="mailto:support@apiservice.com">support@apiservice.com</a>
            for help!
        h2 REST Endpoints
        h3 POST /api/message
        span Description
        p.description.
          This API endpoint takes in a phone number, and sends this phone an
          SMS message with the current Bitcoin exchange rate.
        span Input
        .table-box
          table.table.table-bordered
            thead
              tr
                th Field
                th Type
                th Required
            tbody
              tr
                td phoneNumber
                td String
                td true
        span Success Output
        .table-box
          table.table.table-bordered
            thead
              tr
                th Field
                th Type
                th Example
            tbody
              tr
                td phoneNumber
                td String
                td "+18182223333"
              tr
                td message
                td String
                td "1 Bitcoin is currently worth $225.42 USD."
              tr
                td cost
                td Integer
                td #{costPerQuery}
        span Failure Output
        .table-box
          table.table.table-bordered
            thead
              tr
                th Field
                th Type
                th Example
            tbody
              tr
                td error
                td String
                td "We couldn't send the SMS message. Try again soon!"
        span Example Request
        pre.
          $ curl -X POST \
              --user 'id:secret' \
              --data '{"phoneNumber": "+18182223333"}' \
              -H 'Content-Type: application/json' \
              'http://apiservice.com/api/message'

pricing.jade

Like our docs page - the pricing.jade page is just a static page that tells users how much our service costs to use:

extends base

block vars
  - var title = 'Pricing'

block body
  .container.pricing
    h1.text-center Pricing
    .row
      .col-xs-offset-2.col-xs-8.col-md-offset-4.col-md-4.price-box.text-center
        h2 #{costPerQuery}&cent; / query
        p.text-justify.
          We believe in simple pricing.  Everyone pays the same usage-based
          feeds regardless of size.
        p.text-justify.end.
          <i>Regardless of how many requests you make, BTC exchange rates are
          updated once per hour.</i>
    .row
      .col-xs-offset-2.col-xs-8.col-md-offset-4.col-md-4
        a(href='/register')
          button.btn.btn-lg.btn-primary.center-block(type='button') Get Started!

dashboard.jade

The dashboard.jade file is where users land once they've either created or logged into an account.

This page does a few things:

  • Displays the user's API keys.
  • Displays the user's account balance, and lets users deposit money into their account.
  • Displays the user's usage information (how many API requests has this user made?).

The way we're accepting billing information on this page is via the Stripe Checkout Button. To learn more about how this works, you can visit the Stripe site.

What happens is essentially this: if a user clicks the Stripe button, a Javascript popup will appear to collect the user's payment information.

When the user is done entering their information, this credit card info will be validated by Stripe, and a unique token will be generated to allow us to bill this user later on.

Here's the dashboard code:

extends base

block vars
  - var title = 'Dashboard'

block body
  .container.dashboard
    .row.api-keys
      ul.list-group
        .col-xs-offset-1.col-xs-10
          li.list-group-item.api-key-container
            .left
              strong API Key ID:
              span.api-key-id #{user.apiKeys.items[0].id}
            .right
              strong API Key Secret:
              span.api-key-secret #{user.apiKeys.items[0].secret}
    .row.widgets
      .col-md-offset-1.col-md-5
        .panel.panel-primary
          .panel-heading.text-center
            h3.panel-title Analytics
          .analytics-content.text-center
            span.total-queries #{user.customData.totalQueries}
            br
            span
              i.
                *total queries
      .col-md-5
        .panel.panel-primary
          .panel-heading.text-center
            h3.panel-title Billing
          .billing-content.text-center
            span.account-balance $#{(user.customData.balance / 100).toFixed(2)}
            br
            span
              i.
                *current account balance
            form(action='/dashboard/charge', method='POST')
              script.stripe-button(
                src = 'https://checkout.stripe.com/checkout.js',
                data-email = '#{user.email}',
                data-key = '#{stripePublishableKey}',
                data-name = '#{siteTitle}',
                data-amount = '2000',
                data-allow-remember-me = 'false'
              )

Static Assets

Now that we've taken a quick look at the views, let's take a quick look at the static assets we'll be using.

In our case, since there's not a lot of styling done here - we've only got a single CSS file:

/*
 * Navbar settings.
 */
ul.nav.navbar-nav {
  float: right;
}

li.create-account > a {
  color: #fff !important;
}

/*
 * Index page settings.
 */
.index h1 {
  margin-top: 2em;
}

.index .jumbotron {
  margin-top: 4em;
}

.index button {
  margin-top: 4em;
  font-size: 1em;
}

/*
 * Dashboard page settings.
 */
.dashboard .api-keys {
  margin-top: 3em;
}

.dashboard .api-key-container {
  min-height: 4em;
}

.dashboard .widgets {
  margin-top: 4em;
}

.dashboard .api-key-secret {
  color: red;
}

.dashboard h3 {
  font-size: 1.2em !important;
}

.dashboard span.api-key-id, .dashboard span.api-key-secret {
  font-family: "Lucida Console", Monaco, monospace;
  margin-left: .5em;
}

.dashboard .left {
  float: left;
}

.dashboard .right {
  float: right;
}

.dashboard .panel {
  padding-bottom: 2em;
}

.dashboard .panel-heading {
  margin-bottom: 2em;
}

.dashboard .analytics-content, .dashboard .billing-content {
  padding-left: 2em;
  padding-right: 2em;
}

.dashboard .account-balance, .dashboard .total-queries {
  font-size: 2em;
}

.dashboard form {
  margin-top: 2em;
}

/*
 * Pricing page settings.
 */
.pricing .price-box {
  border: 2px solid #f8f5f0;
  border-radius: 6px;
  margin-top: 4em;
  margin-bottom: 4em;
}

.pricing h2 {
  margin-bottom: 1em;
}

.pricing .end {
  margin-bottom: 2em;
}

/*
 * Documentation page settings.
 */
.docs h1 {
  margin-bottom: 2em;
}

.docs h2 {
  margin-top: 2em;
  margin-bottom: 2em;
}

.docs h3 {
  /*padding-left: 2em;*/
  font-weight: bold;
}

.docs span {
  font-size: 1.2em;
  padding-left: 2.7em;
  font-weight: bold;
  margin-top: 1em;
  margin-bottom: .5em;
  display: block;
}

.docs .description {
  font-size: 1.2em;
  padding-left: 2.6em;
}

.docs .table-box {
  padding-left: 3em !important;
  margin-top: 1em !important;
}

.docs pre {
  margin-left: 3em;
}

package.json and bower.json

Now, let's get into some real code!

Below is the package.json file that declares all of our Node.js dependencies, and makes installing this application simple:

{
  "name": "api-service-starter",
  "version": "0.0.0",
  "description": "An API service starter kit for Node.",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [
    "api",
    "service",
    "starter",
    "kit"
  ],
  "author": "Randall Degges",
  "license": "UNLICENSE",
  "dependencies": {
    "async": "^0.9.0",
    "body-parser": "^1.12.3",
    "express": "^4.12.3",
    "express-stormpath": "^1.0.4",
    "jade": "^1.9.2",
    "request": "^2.55.0",
    "stripe": "^3.3.4",
    "twilio": "^2.0.0"
  }
}

To install this project, you can simply run $ npm install from the command line - this will automatically download all Node dependencies for ya =)

Likewise, you can also use bower to automatically download and install all front-end dependencies via $ bower install. The bower.json file makes this possible:

{
  "name": "api-service-starter",
  "main": "index.js",
  "version": "0.0.0",
  "authors": [
    "Randall Degges <r@rdegges.com>"
  ],
  "description": "An API service starter kit for Node.",
  "keywords": [
    "api",
    "service",
    "starter",
    "kit"
  ],
  "license": "UNLICENSE",
  "private": true,
  "ignore": [
    "**/.*",
    "node_modules",
    "bower_components",
    "test",
    "tests"
  ],
  "dependencies": {
    "jquery": "~2.1.3",
    "bootstrap": "~3.3.4",
    "respond": "~1.4.2",
    "html5shiv": "~3.7.2",
    "bootswatch": "~3.3.4+1"
  }
}

Application Setup

Now that we've covered the basics, let's take a look at what makes our project tick: the index.js file. This holds the main Express.js web application, configures our libraries, and initializes our web server:

'use strict';

var async = require('async');
var express = require('express');
var stormpath = require('express-stormpath');

var apiRoutes = require('./routes/api');
var privateRoutes = require('./routes/private');
var publicRoutes = require('./routes/public');

// Globals
var app = express();

// Application settings
app.set('view engine', 'jade');
app.set('views', './views');

app.locals.costPerQuery = parseInt(process.env.COST_PER_QUERY);
app.locals.siteTitle = 'BTC SMS';
app.locals.stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY;

// Middlewares
app.use('/static', express.static('./static', {
  index: false,
  redirect: false
}));
app.use('/static', express.static('./bower_components', {
  index: false,
  redirect: false
}));
app.use(stormpath.init(app, {
  enableAccountVerification: true,
  expandApiKeys: true,
  expandCustomData: true,
  redirectUrl: '/dashboard',
  secretKey: 'blah',
  postRegistrationHandler: function(account, req, res, next) {
    async.parallel([
      // Set the user's default settings.
      function(cb) {
        account.customData.balance = 0;
        account.customData.totalQueries = 0;
        account.customData.save(function(err) {
          if (err) return cb(err);
          cb();
        });
      },
      // Create an API key for this user.
      function(cb) {
        account.createApiKey(function(err, key) {
          if (err) return cb(err);
          cb();
        });
      }
    ], function(err) {
      if (err) return next(err);
      next();
    });
  }
}));

// Routes
app.use('/', publicRoutes);
app.use('/api', stormpath.apiAuthenticationRequired, apiRoutes);
app.use('/dashboard', stormpath.loginRequired, privateRoutes);

// Server
app.listen(process.env.PORT || 3000);

The first thing we'll do is import all of the libraries necessary, as well as our route code (which we'll hook up in a bit).

The next thing we'll do is define our Express.js application, and tell is that we're going to be using the Jade template language for our view code:

var app = express();

// Application settings
app.set('view engine', 'jade');
app.set('views', './views');

Once that's been done, we'll initialize some global settings:

app.locals.costPerQuery = parseInt(process.env.COST_PER_QUERY);
app.locals.siteTitle = 'BTC SMS';
app.locals.stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY;

The COST_PER_QUERY and STRIPE_PUBLISHABLE_KEY values are being pulled out of environment variables. Instead of hard-coding your credentials into your source code, storing them in environmental variables is typically a better thing to do as you don't need to worry about accidentally exposing your credentials.

The COST_PER_QUERY environment variable tells our app how many cents we should charge for each successful API request - in our case, we'll set this to 2.

The STRIPE_PUBLISHABLE_KEY environment variable should be set to our Stripe Publishable Key that we retrieved earlier on when we created a Stripe account.

Here's an example of how you might set these variables from the command line:

$ export COST_PER_QUERY=2
$ export STRIPE_PUBLISHABLE_KEY=xxx

Next, we'll use the express.static built-in middleware to properly serve our app's static assets:

app.use('/static', express.static('./static', {
  index: false,
  redirect: false
}));
app.use('/static', express.static('./bower_components', {
  index: false,
  redirect: false
}));

And… After that, we'll initialize the Stormpath library:

app.use(stormpath.init(app, {
  enableAccountVerification: true,
  expandApiKeys: true,
  expandCustomData: true,
  redirectUrl: '/dashboard',
  secretKey: 'blah',
  postRegistrationHandler: function(account, req, res, next) {
    async.parallel([
      // Set the user's default settings.
      function(cb) {
        account.customData.balance = 0;
        account.customData.totalQueries = 0;
        account.customData.save(function(err) {
          if (err) return cb(err);
          cb();
        });
      },
      // Create an API key for this user.
      function(cb) {
        account.createApiKey(function(err, key) {
          if (err) return cb(err);
          cb();
        });
      }
    ], function(err) {
      if (err) return next(err);
      next();
    });
  }
}));

The express-stormpath library makes securing our website really easy.

I'll cover the different options, and what they do below.

  • The enableAccountVerification flag tells the library that when a user signs up for our site, we should email them a link to click on to verify their email address.
  • Stormpath let's you provision API keys for each user account. Since we're building an API service, this is ideal. The expandApiKeys option makes Stormpath automatically pull down a user's API key information and keep it cached to speed up API requests.
  • Stormpath also lets you store user data using something called custom data. Basically, each user can have a big old JSON dictionary stored on their account with whatever data you want. In our case, we'll be using this to store a user's account balance as well as the total amount of requests they've made to our service. The expandCustomData flag makes this operation faster by automatically downloading this information and keeping it in a local cache.
  • The redirectUrl setting tells Stormpath where to redirect a user after they've logged into the site.
  • The secretKey setting should be a long random string that stays private - this is used to secure the user sessions.
  • Lastly, the postRegistrationHandler lets us run code after a new user has signed up on the site. What we'll do here is initialize a user by creating an API key for them automatically, as well as setting their account balance and total queries to 0.

Now that we've configured all our middleware, the last thing we need to do is include our route code:

app.use('/', publicRoutes);
app.use('/api', stormpath.apiAuthenticationRequired, apiRoutes);
app.use('/dashboard', stormpath.loginRequired, privateRoutes);

The way this works is like so:

  • First, we'll tell Express to serve our public routes.
  • Then, we'll tell Express to serve our API routes, but to require that a user authenticate with their API key before being allowed to access any of these routes.
  • Lastly, we'll tell Express to render our private (dashboard) routes, but to require a user to be logged in via the website to access these pages.

The Stormapth middlewares included here automatically handle all of the authentication logic for us 100%. If we try to access the /dashboard page without being logged into the website, for instance, we'll be immediately redirected to the login page and forced to authenticate.

If we try to access an API route without using Basic Auth, we'll get a 401 UNAUTHORIZED message with a nice JSON error.

The Routes

The main part of our application is the routes. This is where all the magic happens: billing, API code, SMS code, etc.

Let's take a look at each route, and dissect how exactly they work.

public.js

First, let's look at our public routes. These routes are responsible for serving our 'public' pages on the website:

'use strict';

var express = require('express');

// Globals
var router = express.Router();

// Routes
router.get('/', function(req, res) {
  res.render('index');
});

router.get('/pricing', function(req, res) {
  res.render('pricing');
});

router.get('/docs', function(req, res) {
  res.render('docs');
});

// Exports
module.exports = router;

As you can see, nothing is happening here except that we're rendering our pre-defined Jade templates.

private.js

The private route file contains only a single route: our dashboard page. Because our BTC SMS app only has a single page for logged-in users (the dashboard) - this is where that logic is contained.

If we were building a larger site, which had many private pages that only logged in users could access, they'd be included here also:

'use strict';

var bodyParser = require('body-parser');
var express = require('express');
var stormpath = require('express-stormpath');
var stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

// Globals
var router = express.Router();

// Middlewares
router.use(bodyParser.urlencoded({ extended: true }));

// Routes
router.get('/', function(req, res) {
  res.render('dashboard');
});

router.post('/charge', function(req, res, next) {
  stripe.charges.create({
    amount: 2000,
    currency: 'usd',
    source: req.body.stripeToken,
    description: 'One time deposit for ' + req.user.email + '.'
  }, function(err, charge) {
    if (err) return next(err);
    req.user.customData.balance += charge.amount;
    req.user.customData.save(function(err) {
      if (err) return next(err);
      res.redirect('/dashboard');
    });
  });
});

// Exports
module.exports = router;

Let's see how this works.

First, after creating an Express router, we're using the bodyParser middleware to decode form data.

On this page, we'll have a form that allows us to accept payment from a user, and because of this, we'll need the ability to read the form data we're receiving. This is what the bodyParser middleware is used for:

router.use(bodyParser.urlencoded({ extended: true  }));

This middleware let's us access form data via req.body. So, for instance, if a form field called username was posted to us, we could access that data by saying req.body.username.

Next, we'll register a router handler for the GET requests to our dashboard page:

router.get('/', function(req, res) {
  res.render('dashboard');
});

This code simply renders the dashboard page if a user visits the /dashboard URL in their browser.

Next, we'll register a POST handler for the dashboard page:

router.post('/charge', function(req, res, next) {
  // stuff
});

This code will get run if a user attempts to deposit money into their account:

Stripe Deposit Money

What happens in our template code is all of the card collection and verification stuff. When we receive this POST request from the browser, what that means is that the user's card is valid, and Stripe has given us permission to actually charge this user some money.

In our case, we'll be charging users a flat fee of 20$.

Using the stripe library, we'll then charge the user's card:

stripe.charges.create({
  amount: 2000,
  currency: 'usd',
  source: req.body.stripeToken,
  description: 'One time deposit for ' + req.user.email + '.'
}, function(err, charge) {
  if (err) return next(err);
  req.user.customData.balance += charge.amount;
  req.user.customData.save(function(err) {
    if (err) return next(err);
    res.redirect('/dashboard');
  });
});

Once the user's card has been successfully charged, we'll also update the user account's balance, so that we now know how much money this user has paid us.

And… That's it for billing! Quite easy, right?

api.js

The last route we need to cover is the API route. Since our API service only has a single API call, this file only holds one API route. If we were building a more complex API service, however, this file might be a lot longer:

'use strict';

var bodyParser = require('body-parser');
var express = require('express');
var request = require('request');
var twilio = require('twilio')(process.env.TWILIO_ACCOUNT_SID, process.env.TWILIO_AUTH_TOKEN);

// Globals
var router = express.Router();
var BTC_EXCHANGE_RATE;
var COST_PER_QUERY = parseInt(process.env.COST_PER_QUERY);

// Middlewares
router.use(bodyParser.json());

// Routes
router.post('/message', function(req, res) {
  if (!req.body || !req.body.phoneNumber) {
    return res.status(400).json({ error: 'phoneNumber is required.' });
  } else if (!BTC_EXCHANGE_RATE) {
    return res.status(500).json({ error: "We're having trouble getting the exchange rates right now. Try again soon!" });
  } else if (req.user.customData.balance < COST_PER_QUERY) {
    return res.status(402).json({ error: 'Payment required. You need to deposit funds into your account.' });
  }

  var message = '1 Bitcoin is currently worth $' + BTC_EXCHANGE_RATE  + ' USD.';

  twilio.sendMessage({
    to: req.body.phoneNumber,
    from: process.env.TWILIO_PHONE_NUMBER,
    body: message
  }, function(err, resp) {
    if (err) return res.status(500).json({ error: "We couldn't send the SMS message. Try again soon!" });

    req.user.customData.balance -= COST_PER_QUERY;
    req.user.customData.totalQueries += 1;
    req.user.customData.save();

    res.json({ phoneNumber: req.body.phoneNumber, message: message, cost: COST_PER_QUERY });
  });
});

// Functions
function getExchangeRates() {
  request('http://api.bitcoincharts.com/v1/weighted_prices.json', function(err, resp, body) {
    if (err || resp.statusCode !== 200) {
      console.log('Failed to retrieve BTC exchange rates.');
      return;
    }

    try {
      var data = JSON.parse(body);
      BTC_EXCHANGE_RATE = data.USD['24h'];
      console.log('Updated BTC exchange rate: ' + BTC_EXCHANGE_RATE + '.');
    } catch (err) {
      console.log('Failed to parse BTC exchange rates.');
      return;
    }
  });
}

// Tasks
getExchangeRates();
setInterval(getExchangeRates, 60000);

// Exports
module.exports = router;

Like our private.js routes, we'll also be using the bodyParser middleware here to read in API request data.

We'll also be making use of the twilio library to send SMS messages to users, as well as the request library to fetch the current Bitcoin exchange rates from bitcoincharts.

The bitcoincharts site provides a publicly available API that lets you grab the current Bitcoin exchange rates. This is where we'll be grabbing our Bitcoin value information from =) You can find more information on this here: http://api.bitcoincharts.com/v1/weighted_prices.json

So, once we've defined our Express router, the first thing we'll do is declare some globals:

var BTC_EXCHANGE_RATE;
var COST_PER_QUERY = parseInt(process.env.COST_PER_QUERY);

The BTC_EXCHANGE_RATE variable will be set to the current value of Bitcoin in USD, and updated frequently. This is what we'll use when we send out SMS messages to users.

The COST_PER_QUERY variable is the amount of money (in cents) that we'll charge a user for each successful API request made.

Next, we'll define a helper function called getExchangeRates which queries the bitcoin charts API service to find the current value of a Bitcoin:

function getExchangeRates() {
  request('http://api.bitcoincharts.com/v1/weighted_prices.json', function(err, resp, body) {
    if (err || resp.statusCode !== 200) {
      console.log('Failed to retrieve BTC exchange rates.');
      return;
    }

    try {
      var data = JSON.parse(body);
      BTC_EXCHANGE_RATE = data.USD['24h'];
      console.log('Updated BTC exchange rate: ' + BTC_EXCHANGE_RATE + '.');
    } catch (err) {
      console.log('Failed to parse BTC exchange rates.');
      return;
    }
  });
}

This function simply makes the request, then extracts the data. Finally it assigns the current value to the global BTC_EXCHANGE_RATE variable defined earlier.

After that's done, we'll invoke this function in two ways:

getExchangeRates();
setInterval(getExchangeRates, 60000);

First, we'll call it immediately so that as soon as our program starts, we get the current BTC value.

Next, we'll call it on a setInterval job, which executes once per hour (in milliseconds). This ensures that every hour we'll update the BTC exchange rate to the latest values.

Finally, we'll implement our API route /api/message, which is what developers will be using to send SMS messages with the current BTC exchange rate information:

router.post('/message', function(req, res) {
  if (!req.body || !req.body.phoneNumber) {
    return res.status(400).json({ error: 'phoneNumber is required.' });
  } else if (!BTC_EXCHANGE_RATE) {
    return res.status(500).json({ error: "We're having trouble getting the exchange rates right now. Try again soon!" });
  } else if (req.user.customData.balance < COST_PER_QUERY) {
    return res.status(402).json({ error: 'Payment required. You need to deposit funds into your account.' });
  }

  var message = '1 Bitcoin is currently worth $' + BTC_EXCHANGE_RATE  + ' USD.';

  twilio.sendMessage({
    to: req.body.phoneNumber,
    from: process.env.TWILIO_PHONE_NUMBER,
    body: message
  }, function(err, resp) {
    if (err) return res.status(500).json({ error: "We couldn't send the SMS message. Try again soon!" });

    req.user.customData.balance -= COST_PER_QUERY;
    req.user.customData.totalQueries += 1;
    req.user.customData.save();

    res.json({ phoneNumber: req.body.phoneNumber, message: message, cost: COST_PER_QUERY });
  });
});

This API route will:

  • Check to ensure that the incoming request data is formatted properly. Each incoming request must supply a phone number so we know who to SMS.
  • If no phone number is supplied, we'll return an HTTP 400 response, along with an appropriate error.
  • If the BTC exchange rate isn't available for some reason (maybe the bitcoin charts API is down), we'll return a 500 status code along with an appropriate JSON error message.
  • Lastly, if the user doesn't have enough money in their account to pay for this request, we'll reject the request with a 402 status code an another appropriate error message.

Once we've done the error handling stuff, we'll use the Twilio library to send an SMS message from our pre-purchased phone number (process.env.TWILIO_PHONE_NUMBER), with our pre-formatted message.

If, for any reason, the SMS message sending fails, we'll return a 500 with an error message.

If the SMS message succeeds, we'll subtract 2 cents from the user's account balance, increment the user's total queries counter, and then return a successful JSON response message.

It's that simple!

Running the App

To run the app, as you saw through the code explanations, you'll need to define some environment variables.

Here is a full list of the required environment variables you need to set to run this thing:

$ export COST_PER_QUERY=2
$ export STORMPATH_API_KEY_ID=xxx
$ export STORMPATH_API_KEY_SECRET=xxx
$ export STORMPATH_APPLICATION=https://api.stormpath.com/v1/applications/xxx
$ export STRIPE_SECRET_KEY=xxx
$ export STRIPE_PUBLISHABLE_KEY=xxx
$ export TWILIO_ACCOUNT_SID=xxx
$ export TWILIO_AUTH_TOKEN=xxx
$ export TWILIO_PHONE_NUMBER=+18882223333

These variables will be used automatically in the project code to make things work as needed.

Once these variables have been defined, you can then run your own instance of the BTC SMS app by saying:

$ node index.js

And then visiting http://localhost:3000.

To deposit money into your account using Stripe (in test mode), you can use the credit card number 424242424242, with any fake expiration date and CVC number. This will deposit funds into your account.

Lastly, to make successful API requests, you can use the cURL command line tool like so:

$ curl -v -user 'API_KEY_ID:API_KEY_SECRET' -H 'Content-Type: application/json' -data '{"phoneNumber": "+18882223333"}' 'http://127.0.0.1:3000/api/message'

Be sure to substitute in your own phone number and API credentials (taken from the BTC SMS dashboard page).

What Did We Learn?

Building a simple API service isn't really all that hard. In just a few hours you can structure, plan, and implement a full-fledged API company with only a few small, free-to-use services.

The old days where launching a company took a lot of time and effort are long gone. Using API services to speed up your development can save you a bunch of time, effort, and problems.

I hope that this tutorial gave you a little bit of inspiration, taught you something new, and hopefully gave you some new ideas for your own cool projects.

Be sure to check out Stormpath, Twilio, and Stripe for your next projects =)

Oh - and if you have any questions, leave us a comment below!

PS: If you're currently learning how to build API services and do stuff with Node.js, I'd recommend really writing this code out and playing around with it yourself. There's no better way to learn this stuff than by messing around with it on your own =)

-Randall

25 Jun 2015 5:00pm GMT

ForgeRock: Joining the ForgeRock Band

It's been almost a decade since I had a "first week" at work and as I contemplated my first 5 days, I realize that it simply didn't feel like a first week at all. I felt at home immediately. From the beginning, Mike, our CEO, was clear about the culture at ForgeRock as I went…

The post Joining the ForgeRock Band appeared first on Home - ForgeRock.com.

25 Jun 2015 2:58pm GMT

ForgeRock: Joining the ForgeRock Band

It's been almost a decade since I had a "first week" at work and as I contemplated my first 5 days, I realize that it simply didn't feel like a first week at all. I felt at home immediately. From the beginning, Mike, our CEO, was clear about the culture at ForgeRock as I went…

The post Joining the ForgeRock Band appeared first on Home - ForgeRock.com.

25 Jun 2015 2:58pm GMT

Courion: Healthcare's Unique Security Challenges

Access Risk Management Blog | Courion

In the past few weeks, the U.S. Government has repeatedly been in the news for its recent hack-allegedly by the Chinese-which leaked over four million personnel records. However, this wasn't the only group infiltrated by Chinese hackers in the past few months; According to the popular blog Mashable, over four million medical records were also stolen. This hack exemplifies a growing concern and a new set of challenges for healthcare organizations surrounding the use of digital records. Now that healthcare records are all digitized and shared over networks and multiple devices, these records have become very valuable to criminals while hospitals, clinics and other organizations are still trying to find the best way to protect them.

Healthcare Data Security and Privacy

While the issues surrounding digital records and possible breaches are the most often reported, they are not the only challenge unique to healthcare organizations. Aside from keeping your records safe, organizations must concern themselves with personnel issues such as the need for multiple people to have access to records. Not only do doctors and nurses need access to patient records but now the billing department, insurance companies and regulatory committees do as well. Some of these positions can easily be credentialed with role based access; some of them are temporary employees or work across different functional areas and need access to different things at different times. It is hard for the organization to maintain proper access control and security with so many unique needs.

On top of the multiple user access requests are the multiple devices that the information needs to be available on. No longer are records and information kept behind the nurses' station in folders or on desktops; now healthcare professionals are using multiple laptops, tablets, phones, and other mobile devices in their practices. The need to provision all of these devices for any new employee can take days-if not weeks-to get up and running. There is also the need to be able to remotely wipe access to all information if the device is lost or stolen. According to the most recent Healthcare breach Report from bitglass, 68 percent of all healthcare data breaches since 2010 were due to device theft or loss. It is extremely difficult to roll out a process that would cover all of these needs on so many different devices.

roadmap to healthcare hipaa and byod mobile security

One last issue highlighted in the news recently is the vulnerability of specialized medical equipment to be hacked. In another Mashable article, it is reported that drug pumps may be hackable in fatal ways because they enable a hacker to increase or decrease the dosage of drugs. One of the reasons it's so hard to regulate these devices is because they are on a closed loop and can't be easily scanned for malware. The IT department cannot add software because it is an FDA issue and therefore the hospital has a hard time monitoring. So how is the security team supposed to monitor devices that they do not have full access and transparency to? For that matter, how is one team going to maintain visibility into all of the moving pieces of infrastructure and personnel in their organization?

medical equipment

The best way to mitigate these risks is to implement an Identity and Access Management (IAM) solution. These solutions are known to improve accuracy through their automated provisioning policies and are also instrumental in providing transparency into all access and credentials in an organization. An IAM program helps with personnel risk by giving role-based access and visibility into all roles and credentials of any individual. It will also automatically grant credentials to any new employee across all devices and will take away that access once he or she is terminated. This provisioning or de-provisioning can be done by any verified owner/administrator both on a desktop and on any mobile device, making the speed and scalability of the project fit to any organization's needs.

The risks for healthcare organizations will continue to grow as both the Internet of Things and the sophistication of hackers mature in the next few years. IAM solutions are driven by real-time data that allow you to make the most informed decisions possible. Imagine having information on what accounts were most at risk so that you could monitor the risk of data breaches; what if you could automatically wipe sensitive data from a laptop when your doctor forgot it on the plane? IAM solutions can allow you to mitigate these risks and give you visibility into your systems. While the risks and attacks will never stop coming for your organization, with IAM, you will have the ability to recognize these attacks sooner and fight back.

blog.courion.com

25 Jun 2015 12:30pm GMT

Kantara Initiative: Maciej Machulak – Innovators Under 35

This week we are extra proud of the work of one of our most key contributors - Maciej Machulak. Recently Maciej was named one of 2015's Innovators Under 35 for is work to develop UMA. Maciej is the UMA WG vice-chair and in this role his commitment and passion has been integral to the success […]

25 Jun 2015 8:17am GMT

24 Jun 2015

feedPlanet Identity

Mike Jones - Microsoft: JWK Thumbprint -06 addressing SecDir review comments

A new JWK Thumbprint draft has been posted addressing the IETF Security Directorate (SecDir) comments from Adam Montville. The changes clarify aspects of the selection and dissemination of the hash algorithm choice and update the instructions to the Designated Experts when registering JWK members and values. The specification is available at: http://tools.ietf.org/html/draft-ietf-jose-jwk-thumbprint-06 An HTML formatted […]

24 Jun 2015 8:34am GMT

23 Jun 2015

feedPlanet Identity

Courion: From Cyber Security to Phishing Attacks #TechTuesday Roundup

Access Risk Management Blog | Courion

open lock, close lock

A British firm now allows people log into their bank accounts using emojis-

Smiley face. Thumbs up. Is that a crab? The language of teens and tweens everywhere may soon be protecting your sensitive information. That's right, a British firm is trying out emojis in passwords which they believe will lead to better security. The company claims that using emoji passwords is mathematically more secure. We'll let you decide for yourself.

Lucy England, BusinessInsider.com

Bad News! LastPass breached. Good news? You should be OK…

When the company that promises to keep your passwords safe and secure gets hacked, do you feel safe? The good news here is that because of their authentication data, it doesn't look like the hackers were able to get into encrypted user data.

Paul Ducklin, NakedSecurity.com

@duckblog

Cardinals Investigated for Hacking Into Astros' Database

We've grown used to seeing hacks on banks, retailers, and others with sensitive information that they can sell or share. However, hacking has now made its way to America's favorite pastime. In the last week, the St. Louis Cardinals were accused of hacking into the Houston

Michael S. Schmidt, NewYorkTimes.com

Magazine Publisher Loses $1.5 Million in Phishing Attack

While we have all become savvy to the Nigerian Prince Email scam, there is a new phishing attack on the horizon and it's coming from the inside. Bonnier Publications was the target of an attack that cost them $1.5 million in transfers. Hackers accessed credentials for a previous CEO and used his email account to order accounts payable to electronically transfer $3 Million to a Chinese bank. Luckily the publisher caught on before the second payment was due.

Ashley Carman, SCMagazine.com

Has your Samsung phone been hacked?

Another mobile hack? That's right, it was reported this week that possibly 600 million handsets are vulnerable to an attack that allows hackers take photos and read texts on your phone. Users are being urged to stay away from unsecure Wi-Fi networks until the bug is fixed. No word yet on if you can use this as an excuse for all of those selfies.

Sarah Griffiths, MailOnline

blog.courion.com

23 Jun 2015 12:34pm GMT

Mark Dixon - Oracle: No, I don’t want to engage!

Do you ever wonder why in the world you receive the ads you do on Facebook or other online venues? Methinks personalized, targeted advertising still has a long way to go.

23 Jun 2015 3:05am GMT

22 Jun 2015

feedPlanet Identity

Kaliya Hamlin - Identity Woman: Internet Identity Workshop #21 Registration is open

Here is the registration for the 21st Internet Identity Workshop. Join us its going to be great. Powered by Eventbrite

22 Jun 2015 10:09pm GMT