Monthly Archives: May 2009

Sauce for the gander

It seems having the same sauce for the gander as the goose is ruffling some feathers at the U. of Chicago:

A group of University of Chicago students think it’s time the campus focused more on its men.

A third-year student from Lake Bluff has formed Men in Power, a student organization that promises to help men get ahead professionally. But the group’s emergence has been controversial, with some critics charging that its premise is misogynistic.

Others say it’s about time men are championed, noting that recent job losses hit men harder and that women earn far more bachelor’s and master’s degrees than do men.

I suspect this may be more attention-seeking than anything else. But it does raise an interesting question: why is some gender disparity more problematic than others? Why is the dominance of men in the IT field worthy of efforts to rectify when a similar disparity in the fields of education and health care is not?

In the same article:

The group’s birth comes at a time when the recessionary ax has fallen especially hard on men. In April, the national unemployment rate for men was 10 percent compared with 7.6 percent for women, said Mark Perry, an economist at the University of Michigan in Flint.

That gap is an “all-time historical high,” said Perry, who attributed it in part to a loss of jobs in male-dominated fields such as manufacturing and construction.

At the same time, he noted, women today hold about three out of the four jobs in education and health care — both stable or expanding job fields.

Future employment is also an issue, some experts say. Since 1981, women have collected 135 for every 100 bachelor’s degrees awarded to men, according to Perry. The gap is even wider at the master’s level, with women trumping men 150 to 100, he said.

[Update] I didn’t notice at first, but the Mark Perry quoted in the article is the same Mark Perry of the Carpe Diem blog. That is one of the finest blogs out there if you want a different slant on how the economy works. It’s well worth checking out.

IdM Integration

Mark Diodati has this article about what he terms Identity 2.0. While I agree with his assessment that much of IdM seems frozen in time, I’m not sure I really agree with what he considers the new identity management. ESSO, for instance, is something I can’t really say has changed a whole lot in the last five years.

But Mark makes a great point about integration in IdM:

For example, organizations are integrating enterprise SSO with provisioning and strong authentication products to improve application security. Provisioning products provide better security because they can change passwords more frequently in both the target application and the user’s enterprise SSO wallet. Strong authentication systems (like OTPs) solve the “keys to the kingdom” problem — eliminating weak password-based authentication, which enables access to many applications.

Meanwhile, WAM and federation products are “best friends forever” because neither product provides the complete security package for Web applications, but when combined, work synergistically. WAM provides the authorization and session management, while federation provides the enterprise-to-enterprise (E2E) SSO functionality.

Another trend in the enterprise is the coupling of provisioning and strong authentication systems (e.g., OTP or smart card). When integrated, the provisioning system can manage most aspects of the authentication device. Two benefits are the elimination of near-duplicative identity management processes and timelier identity lifecycle management, which becomes especially important when employees are terminated.

Cheap and easy

Mark Dixon has an excellent point in this post on why we still use passwords:

It was ease of use, not a technology-driven obsession with safety, that led to wide adoption of the seat belt.

I think we face the same thing with passwords. Intellectually, it is simple to understand why we should get rid of passwords. However, in practice, widespread adoption will be triggered more by ease of use than perception of safety. When an easier method for authentication emerges, people will adopt it – not because it is safer, but because it is easier. If that easier method is also more secure, voila! We will have achieved our desired result.

While I agree with Mark’s point, there is an important distinction that is not getting made in this discussion: the difference between personal and professional accounts. And this distinction goes right to the heart of Mark’s argument.

For personal accounts (for example your Facebook, Yahoo, LinkedIn, or Twitter account) ease of use is the single biggest driver. People will not, in general, use another authentication technique that isn’t as easy as passwords. Actually, it has to be easier than passwords by an order of magnitude or it won’t displace the incumbent technology. It also has to be understandable to the average user so they believe that it really is secure (one could argue this is really just another aspect of ease of use). Try explaining client certificate authentication to your grandmother if you don’t believe me.

Also, the sensitivity of the account really makes little difference. Most users won’t treat their on-line banking account any differently than their Facebook account. Bank of America offers an RSA SecurID option for their on-line banking. That should be a no-brainer, right? I don’t have any numbers, but I would be shocked if they were getting anywhere north of 1% adoption of SecurID by their customers.

For professional accounts (your PC, enterprise resources, or hosted service account) ease of use is not the primary driver; cost is. Cost is understood by most enterprises to mean the monetary cost of your credential plus the measurable cost to support you using it. I used the word “measurable” for a reason. Most companies don’t care how hard it is for you to understand and use a specific authentication mechanism if you are a salaried employee. That cost is hidden from them. On the other hand, the cost to the company for you to call the help desk if you have an authentication problem is measurable and tracked, along with the cost to issue new credentials when needed.

For both personal and professional accounts, passwords rule the roost because they are easy to use, cheap to deploy, cheap to support, and easy to understand.

But if an authentication mechanism becomes popular that is cheap to deploy and support, it may have a chance to displace passwords for professional accounts.

Nor anywhere else for that matter

Phil Windley has this interesting post on Cloud Security. There are a lot of good thoughts here, but this one stood out:

Host intrusion detection systems (HIDS) work fine on cloud infrastructure, but are hard to do at higher levels of the stack. Network intrusion detection systems (NIDS) are impossible to do at most providers. The traditional notion of “perimeter” is not necessarily available in the cloud.

Nor anywhere else for that matter, I would add. No notion is more irrelevant today than perimeter security, yet it continues to be the cornerstone of many organizations’ strategy. I always suggest keeping the perimeter in place but securing everything behind it as if it doesn’t exist.

Two years in jail for blogging harsh criticism?

Eugene Volokh blows the whistle on what had been an under-the-radar move to ban cyber-bullying. Unfortunately, this effort could also be used to jail bloggers and tweeters who are less than polite. From the Volokh Conspiracy Blog:

Federal Felony To Use Blogs, the Web, Etc. To Cause Substantial Emotional Distress Through “Severe, Repeated, and Hostile” Speech?

That’s what a House of Representatives bill, proposed by Rep. Linda T. Sanchez and 14 others, would do. Here’s the relevant text:

Whoever transmits in interstate or foreign commerce any communication, with the intent to coerce, intimidate, harass, or cause substantial emotional distress to a person, using electronic means to support severe, repeated, and hostile behavior, shall be fined under this title or imprisoned not more than two years, or both….

[“Communication”] means the electronic transmission, between or among points specified by the user, of information of the user’s choosing, without change in the form or content of the information as sent and received; …

[“Electronic means”] means any equipment dependent on electrical power to access an information service, including email, instant messaging, blogs, websites, telephones, and text messages.

“Severe, repeated, and hostile” sounds like half the stuff you see on the internet. I doubt that this bill would pass constitutional muster. But if it did, the ramifications would be rather frightening.

Ars Technica has an excellent article on the subject here.

And what would any censorship effort be without the requisite mainstream media cheerleading? You can find that here.

The accidental identity thief

When is identity theft not identity theft? According to the Supreme Court, it’s when there is no intent to steal a specific person’s identity. See this Wired article:

A unanimous Supreme Court ruled Monday the government has been overstepping the boundaries of identity theft legislation when targeting immigrants who use phony citizenship documents to acquire jobs.

The 2004 legislation, which typically carries a two-year maximum term, has also been threatened against illegal immigrants in exchange for them agreeing to be deported, like the 400 illegal immigrants working under false pretenses at an Iowa meatpacking plant last year.

The justices said that the government, in order to prove such charges, must demonstrate that a defendant “knowingly” hijacked the identity of somebody else. In the case before the justices, an Illinois illegal immigrant steelworker was charged under the statute after submitting a fake Social Security number that, without the worker’s knowledge, happened to match a real number.

Jeff’s OpenID account gets hacked

No, not me (at least not me so far as I know). The Jeff in question is Jeff Atwood of the Coding Horror blog (one of my favorite dev blogs). Jeff relates how his OpenID account was hacked here and here. It’s fascinating reading, especially because the hacker was of the friendly sort who apparently just did it to point out the vulnerability.

The hacker was able to obtain the unsalted hash of Jeff’s password from a different site. He then looked up that hash using one of the reverse-hash web sites available and recovered the plaintext password. He then guessed Jeff’s OpenID provider and tried the password there. Since Jeff had used the same password in both places, the hacker was able to log into the OpenID provider and impersonate Jeff at Jeff’s StackOverflow web site, which depends on OpenID. Two weaknesses had to line up for this to work: the leaking site stored a fast, unsalted hash that a precomputed table could reverse, and the same password was reused at the identity provider.
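The chain in the paragraph above, as an added example that is not part of the original post and does not model the actual sites involved: an unsalted digest is reversed with a precomputed table, the recovered password is tried against a list of hypothetical providers, and the same table is useless against a per-user salt with a slow KDF (PBKDF2-HMAC-SHA256 here, chosen for illustration; the post does not say what either site used). All passwords, salts, provider names and the "leaked" table are constructed.

```python
"""
Unsalted-hash leak + password reuse = a second account for the attacker.
Added example for this post; the sites, users and passwords are made up.
"""
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for a "reverse hash" web site: a precomputed map
# from unsalted MD5 digests back to the passwords that produced them.
COMMON_PASSWORDS = ["password", "letmein", "qwerty", "hunter2", "correcthorse"]
REVERSE_MD5: Dict[str, str] = {
    hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS
}


def unsalted_md5(password: str) -> str:
    """Weak scheme: the same password always yields the same digest,
    so one table reverses every site that uses it."""
    return hashlib.md5(password.encode()).hexdigest()


def reverse_lookup(digest: str) -> Optional[str]:
    """Step 1 of the attack: look the leaked digest up in the table."""
    return REVERSE_MD5.get(digest)


def salted_pbkdf2(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Stronger scheme: per-user random salt plus a deliberately slow KDF.
    Stored as hex(salt)$iterations$hex(key) so verification can reuse both."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${key.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(key.hex(), key_hex)


class Provider:
    """Hypothetical identity provider with a username -> password table."""

    def __init__(self, name: str, users: Dict[str, str]):
        self.name = name
        self.users = users

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password


def attack_chain(leaked_digest: str, providers: List[Provider], user: str) -> Optional[str]:
    """Step 1: reverse the digest. Step 2: try the recovered password at each
    provider in turn, as the post's 'script a list of known OPs' attacker would.
    Returns the name of the first provider that accepts it, or None."""
    password = reverse_lookup(leaked_digest)
    if password is None:
        return None  # salt or slow KDF on the leaking site stops the chain here
    for provider in providers:
        if provider.login(user, password):
            return provider.name
    return None


if __name__ == "__main__":
    leaked = unsalted_md5("hunter2")  # constructed leak from "site A"
    ops = [
        Provider("op-a.example", {"jeff": "something-else"}),
        Provider("op-b.example", {"jeff": "hunter2"}),  # reused password
    ]
    print("unsalted leak reversed to:", reverse_lookup(leaked))
    print("provider compromised:", attack_chain(leaked, ops, "jeff"))

    stored = salted_pbkdf2("hunter2", salt=b"\x01" * 16)
    print("salted key found in table:", reverse_lookup(stored.split("$")[2]))
    print("verify correct password:", verify_pbkdf2("hunter2", stored))
```

Note that the salt only defeats the precomputed table; it does nothing about reuse. If the leaking site had stored PBKDF2 output, the attacker would have had to brute-force one slow hash per guess instead of one table lookup, and a unique password at the OpenID provider would have made even a successful recovery worthless there.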

Here is an interesting question: is it dangerous to reveal your preferred choice of OpenID provider? I suspect there is nothing dangerous about it, given people’s propensity to flock to one of the big players anyway. Even if there are a plethora of OPs, the bad guys will just script a solution that tries a list of known OPs until a hit is made.