
Showing posts from July, 2007

Share your dog's name, lose your identity?

From the BBC: Web networkers 'at risk of fraud'.

Credit information group Equifax said members of sites such as MySpace, Bebo and Facebook may be putting too many details about themselves online. It said fraudsters could use these details to steal someone's identity and apply for credit and benefits.

So, to protect the credit bureaus' business models, we're all supposed to try to hide every mundane detail of our lives?  The name of my dog is not a secret; if credit bureaus assume it is, they are making a mistake.

Here's the solution:  Make the credit bureaus fiscally responsible for identity theft, with penalties for failing to use good security practices.


Open Authorization, Permissions, and Socially Enabled Security

The session I proposed at Mashup Camp, Open Authentication and Authorization for Mashups, went pretty well (though I should have done more marketing).   Unfortunately none of the people on the OAuth group were at Mashup Camp, but perhaps we generated some more interest and use cases for it.

Consider a user navigating web services and granting various levels of permissions to mash-ups; a mash-up might request the right to read someone's location and write to their Twitter stream, for example.  The first time this happens, the user would be asked something like this:

The TwiLoc service is asking to do the following on an ongoing basis:
- Read your current location from AIM, and
- Create messages on your behalf in Twitter.
How does this sound?
[ ] No [ ] Yes [ ] Yes, but only for today


The user would also have a way to see what permissions they've granted and (ideally) how often they've been used, and be able to revoke them at any time.
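
The grant model sketched above (scopes the user explicitly agreed to, an optional "only for today" expiry, a usage count the user can inspect, and immediate revocation) is small enough to show end to end. The following is an added illustration written for this page; it is not code from the original post, from Mashup Camp, or from any OAuth library. The client name TwiLoc and the scope strings such as aim:location:read and twitter:messages:write are made-up identifiers for the example.

```python
"""Scoped, time-limited, revocable permission grants for a mashup.

Added illustration of the consent flow described in the post above; not
code from the original post or from any real OAuth implementation.  The
TwiLoc client and the scope names are invented for this example.
"""
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Grant:
    token: str                   # opaque handle handed to the mashup
    client: str                  # e.g. "TwiLoc" (hypothetical client)
    scopes: frozenset            # exactly what the user agreed to, nothing more
    expires: Optional[datetime]  # None means "on an ongoing basis"
    revoked: bool = False
    uses: dict = field(default_factory=dict)  # per-scope usage counters


class GrantStore:
    """Server-side record of every answer the user gave to a consent prompt."""

    def __init__(self):
        self._grants = {}

    def grant(self, client, scopes, until=None):
        """Record the user's answer.  until=None is the plain "Yes" box;
        passing an end-of-day timestamp is the "Yes, but only for today" box."""
        token = secrets.token_urlsafe(16)
        self._grants[token] = Grant(token, client, frozenset(scopes), until)
        return token

    def authorize(self, token, scope, now):
        """Called by the resource (AIM, Twitter) on every request.
        Allows only an unrevoked, unexpired grant that names exactly this
        scope, and counts each allowed use so the user can later see how
        often the permission has actually been exercised."""
        g = self._grants.get(token)
        if g is None or g.revoked:
            return False
        if g.expires is not None and now >= g.expires:
            return False
        if scope not in g.scopes:
            return False  # least privilege: no implicit upgrade to other scopes
        g.uses[scope] = g.uses.get(scope, 0) + 1
        return True

    def revoke(self, token):
        """Takes effect on the very next authorize() call, whatever the expiry."""
        g = self._grants.get(token)
        if g is not None:
            g.revoked = True

    def report(self):
        """What the user's 'permissions I have granted' page would show."""
        return [
            {"client": g.client, "scopes": sorted(g.scopes), "expires": g.expires,
             "revoked": g.revoked, "uses": dict(g.uses)}
            for g in self._grants.values()
        ]


def end_of_day(now):
    """Expiry for the 'only for today' option: midnight following `now`."""
    return (now + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)


def demo(now=None):
    """Walk the TwiLoc scenario from the post; returns each decision."""
    now = now or datetime(2007, 7, 20, 15, 0, tzinfo=timezone.utc)  # constructed clock
    store = GrantStore()
    results = {}
    # User ticks "Yes, but only for today" for the two requested scopes.
    tok = store.grant("TwiLoc", {"aim:location:read", "twitter:messages:write"},
                      until=end_of_day(now))
    results["read_location_today"] = store.authorize(tok, "aim:location:read", now)
    results["post_tweet_today"] = store.authorize(tok, "twitter:messages:write", now)
    # Never asked for at consent time, so denied even for the same client.
    results["read_tweets_today"] = store.authorize(tok, "twitter:messages:read", now)
    # The next day the "only for today" grant has lapsed.
    results["read_location_tomorrow"] = store.authorize(
        tok, "aim:location:read", now + timedelta(days=1))
    # An ongoing grant works until the user revokes it; revocation is immediate.
    tok2 = store.grant("TwiLoc", {"aim:location:read"})
    later = now + timedelta(days=30)
    results["ongoing_before_revoke"] = store.authorize(tok2, "aim:location:read", later)
    store.revoke(tok2)
    results["ongoing_after_revoke"] = store.authorize(tok2, "aim:location:read", later)
    results["report"] = store.report()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of keeping the scope check, the expiry check and the revocation flag in one place is that the resource never has to reason about the consent dialog itself: it asks "may this token do this scope right now?" and gets a yes or no, while the user's report page reads the same records.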

Now, of course, users will just click through and …

At Mashup Camp today and tomorrow

I'm at Mashup Camp IV today and tomorrow.  Ping me if you're around too and want to chat.



Implications of OpenID, and how it can help with phishing

Last month, Simon Willison gave a talk at Google (video, slides) which is a good intro and summary of the technical implications of OpenID.  He makes a very important point:  OpenID does outsource your security to a third party; so does sending a "forgot your password" email to an arbitrary email address.  All of the attacks that work against OpenID also work against these emails.

So the implication is that the security policies you currently have around "forgot your password" are a good starting point for thinking about OpenID security.  Specifically, phishing vulnerabilities and mitigations are likely to be similar.  However, OpenID also changes the ecosystem by introducing a standard that other solutions can build on (such as Verisign's Seat Belt plugin). 

OpenID really solves only one small problem -- proving that you own a URL.  But by solving this problem in a standard, simple, deployable way, it provides a foundation for other solutions. 

It doesn't …

Disorder, Delamination, David Weinberger

David Weinberger's presentation in Disorder: Feature or Bug? at Supernova 2007 was like watching a great rock singer deliver a passionate performance you just know is destined to be a classic.  How good was it?   The IRC channel went dead.  That's the conference equivalent of everybody waving their lighters in the air.  Um.  Well, you just had to be there.  I can't find a video.  Anybody have a bootleg?

Anyway.  David's now posted a new essay well worth reading, Delamination Now!. Also, well worth acting on.  Money quote: "[T]he carriers are playing us like a violin." 

There she blows! (The Moby Dick Theory of Big Companies)

Having spent some time in the belly of the whale[1], I can testify that the decision making process of a large company is indeed a chaotic system even when seen from the inside.  The variables that control decisions are very well hidden.

The Pmarca Guide to Startups, part 5: The Moby Dick theory of big companies

[1] In the same whale as pmarca in fact, though in a somewhat different location along the alimentary tract.


35 views of social networking

Fireworks, Social Compacts, and Emergent Order

Yesterday the family went to see the 4th of July fireworks just outside the Google campus, in Charleston park.  Great park, lots of friendly helpful people, the kid had a blast running in the water fountain, and he saw his first fireworks show.  It was great!

Then, we left (quickly, to avoid the crowds) and immediately got snarled in traffic.  Of course everyone was leaving at the same time so we expected it to be slow, but we were literally not moving for a quarter of an hour.  After a while we figured out that we couldn't move because other cars kept joining the queue ahead of us from other parking lots.  Around this time, other people started figuring this out too and started going through those same parking lots to jump ahead.  This solution to the prisoner's dilemma took about 30 minutes to really begin to cascade:  Everyone else began to drive through parking lots, under police tape, on the wrong side of the road, cutting ahead wherever they could to avoid being the sucke…

Theory P or Theory D?

Which theory fits the evidence (Raganwald):

Theory P adherents believe that there are lies, damned lies, and software development estimates. ... Theory P adherents believe that the most important element of successful software development is learning.

Maybe I'm an extreme P adherent; I say that learning is everything in software development.  The results of this learning are captured in code where possible, human minds where not.  Absolutely everything else associated with software development can and will be automated away.

Finally:

To date, Theory P is the clear winner on the evidence, and it's not even close. Like any reasonable theory, it explains what we have observed to date and makes predictions that are tested empirically every day.

Theory D, on the other hand, is the overwhelming winner in the marketplace, and again it's not even close. The vast majority of software development projects are managed according to Theory D, with large, heavyweight investments in design and planning in adv…
