Paul Squires on Identity and Entangled Topics



TV Licensing Security

Posted by Paul Squires @ 1:06 pm on 28 February, 2008. 0 Comments

I moved into a new house a few months ago and it seems that the good old TV licensing people have finally realised I exist. Having received a threatening letter from them, I went online to register (apparently, the whole process can now be done online - including having the license in purely electronic format; I’ll explain why this makes sense shortly). Good subject that I am, I’d actually tried this a couple of months ago, but they didn’t have my address on record, therefore I couldn’t.

I registered, put in my details, including my bank details to set up the direct debit, and a few minutes later I got an e-mailed response saying that my application was being processed and that my license would be emailed to me within three days. First of all - what takes three days? Shouldn’t this process be, essentially, real-time - with the exception of the direct debit confirmation - and, let’s face it, if I don’t pay, the license can be revoked fairly easily?

The e-mail arrived this morning - titled “Please open the attachment to access your TV License” and from the weird address of (the web site is actually at tvlicensing.co.uk) - why not make it consistent? Usually when I get emails with a title like that I bin them straight away, but in this case I thought I’d make an exception. I opened the email, which contained a number of remote images (thankfully Thunderbird won’t display them), as well as an HTML attachment and a button “Read Message” to click on. The basic content of the email is that my license is encrypted (good) and they need to send me another email with a link to it. This might just be me, but this whole process doesn’t make much sense.

Still being wary of the attachment itself, I saved it to the desktop and viewed the source; it’s basically a web page with Voltage secure content. That explains it all then… Voltage is a clever method of delivering encrypted email content without the need for traditional key management, so it works very well in consumer/public facing scenarios (it’s known as IBE - Identity Based Encryption). For some reason Thunderbird had displayed the HTML attachment inline in the message, leading to my confusion.

Clicking on the button actually sent me to a web page with a message saying that functionality in certain mail clients prevents the system from working correctly and, if that’s the case, one should forward the original email to another address, which presumably is set to autorespond with the link to the actual license.

I can see the intent with the system and it’s nice to see a public body doing something sensible with secure email, but the implementation just seems odd - a reliance on people opening attachments and clicking on links seems to contradict the advice given about phishing. Having completed the process I’m struggling to find a reason for the extra security - all I could see on-screen was my license (essentially just a number), information about what it covers and the amounts that will be paid by direct debit. The link is good for one time only, so now I’ve closed that browser tab I can’t get back to it. I’d also question what threats this was to counter - if someone were to be intercepting/monitoring my email, then all they’d need to do is follow the same link (or just forward the message to the address helpfully provided) to see my license details.

In summary - a good idea generally, but seems to be a poor implementation. The most intriguing aspect of this is that I don’t have an actual license (and since I can’t re-click on the link, can’t get even an electronic version), but that’s fine because I don’t need one. For years the TV licensing authority scared people with the notion of “detector vans” travelling round the streets finding people watching TV without a license. At last they’ve come clean and admitted that all they really have is a big database of every address in the UK, can tell which are licensed and manage the rest by exception, which must be a lot cheaper to enforce and if we’re going to have the license, I’d prefer that.


Vehicle Identity

Posted by Paul Squires @ 7:35 pm on 11 December, 2007. 1 Comment

There have been a couple of identity related stories in the media over the past couple of days that grabbed my attention. First was the (long awaited, on my part) “identity” connection with John Darwin, in which it’s finally been revealed that he used a “Day of the Jackal” style identity switch to get a new passport.

For those that don’t know, this method is simply one of getting a replacement birth certificate for someone born roughly the same time as yourself (so your physical age appears right for your new identity), preferably one who doesn’t have too many other formal records attached to them (Darwin managed to get a certificate for someone who died at a few months of age). All one needs to apply for a passport is, essentially, a birth certificate (which are public record). What I find amusing is that this sort of “attack” was supposed to have been stopped - the BBC has a story on it from over four years ago… (although I confess that I’ve not checked exactly when Darwin got his new passport).

Darwin’s exploits were only secondary in my thoughts in comparison to the latest scandal involving UK Government departments and data leakage. This time round it’s the DVLA (Driver and Vehicle Licensing Agency) in Northern Ireland who sent unencrypted disks, via public courier to the agency’s head office (Swansea), which have gone missing.

Whilst there was a huge outcry over the recent events involving child benefit data this seems to have attracted less attention, but still may result in some major problems. I concede that events involving people directly, especially bank account details and even more when it involves children’s details are more emotive, but much of the data leaked there was public record anyway (for anyone who thinks handing your bank details to a stranger is a bad idea I suggest you look at your chequebook sometime).

This case of data leakage contains car information - makes, models, colours, registration plates, chassis numbers &c - all of which is incredibly useful to someone wishing to clone a vehicle. Vehicle cloning is, apparently, on the increase, and the way that our systems handle this needs to be looked at. With the right information it wouldn’t be too difficult to make any of the same model car look like another - a quick respray and plate change should do it. The victim wouldn’t know until the fines start rolling in (or worse - the cloned vehicle is used for a more serious crime and the police come knocking at the door). Aside from the stupidity of sending unencrypted, critical, data through public networks (whatever the channel), there are two things that come to mind about this situation.

Firstly, this highlights the problems caused by having an automated justice system with a reliance on cameras, IT systems and “business logic”. It’s something I’ve commented on before, but we’ve lost the human touch in security and law enforcement - a well trained, experienced (and well paid) policeman with the ability to make decisions and trust their own judgement is far better than a computer - when something is “wrong” they can tell and take action, when someone innocent is “bending” the law they can take action without over-penalising them. If a vehicle is being used illegally there may be other ways to tell it’s cloned - most likely by cross-referencing the driver and car. This would require a stop and search, but with appropriately targeted action I don’t see the issue - and we take a far more scattergun approach to drink driving…

The second point is related to a comment I made previously about biometric identifiers in humans. Once an identifier has been cloned these are very difficult to correct for the victim - unenrollment is simply not possible. If someone uses my fingerprints for regular nefarious activity I can’t just change mine to avoid being arrested every few days - likewise, if my car is cloned I can’t (easily) change the major identifiers for it.

Essentially, in almost all areas of life, it is the reliance on automated systems, computers and oversight that creates the environment where identity fraud, car cloning (and worse crimes like human trafficking) can thrive. The presence of a human touch is the best deterrent to these crimes. I realise that modern life means a return to the days of seeing your bank manager to get a loan is unlikely - we have to deal with processes that scale well, but there has to be some element of humanity in every system - preferably close to where it interfaces with the people that really matter. Like everything else in security, it’s a trade-off.


More moving

Posted by Paul Squires @ 6:57 pm on . 0 Comments

Over the next few days I’ll be moving this blog, my email and a few other things to a new host. There could potentially be issues with DNS propagation over that time.

My new hosting company is Vista Pages.

See you on the other side!


Changes

Posted by Paul Squires @ 7:06 am on 23 November, 2007. 0 Comments

I’ve been extremely quiet on this front for the past couple of months, largely due to a few major changes that have taken place.
First of these was my purchase of a house, which led to me being without an Internet connection for a while and has severely eaten into my time. More importantly, from the point of view of what I write about here, is my change in job.
As of earlier this month, I no longer work for Enline and am now employed by Lloyds TSB. The good news on this front is that I’m still working in security and will have plenty of opportunities to put my experience in identity and access management to good use. As the identity industry matures I feel that the financial sector will have to take a lead in developing the right systems around the way that people interact with them and much of this will fall within the “identity” remit in an arena where security is of the utmost importance.


UK DNA Database

Posted by Paul Squires @ 1:31 pm on 5 September, 2007. 1 Comment

This morning’s news sees a call from Lord Justice Sedley for all people in the UK including visitors to be required to submit DNA to the national database that is currently being populated. Sedley’s reasons for saying this are not primarily political, but more about fairness and removing the bias that exists in these systems, but regardless, I think this marks a dangerous move for the judiciary.

There are a number of potential problems with a DNA database, which will start to become more apparent as the number of records increases and technology moves on. A comment from Sedley demonstrates my biggest concern with any such database:

It also means that a great many people who are walking the streets and whose DNA would show them guilty of crimes, go free.

This displays the very real public opinion that DNA (along with fingerprints, for that matter) is infallible proof of guilt of a crime when, in fact, there can be errors made at any stage of the process. DNA gets around - look in my car, for example, there are DNA samples from me, my family, my girlfriend, my colleagues, the guy who changed a tyre recently and probably many more. If my car becomes a crime scene just how many people will be under suspicion?

Taking this a step further, it’s already possible to plant DNA evidence (it’s easy enough to collect, as my car demonstrates) and at some point in the future will be a trivial task to synthesise it and no doubt to mask it as well. What needs to happen is that the police perform robust investigation, collecting real evidence and determining motive; DNA samples can never be anything other than circumstantial and should certainly not be used as prima facie evidence of guilt.

One of the biggest issues with any biometric identifier is that it is impossible to change - once my DNA (or my fingerprint) has been used for some nefarious purpose then I can never change - there could be someone who (within the bounds of scanning accuracy) is my genetic “twin” to whom I am permanently linked. Every crime he commits would result in my arrest! We’ve seen this situation with the no-fly lists using names (which admittedly are certainly not as unique as DNA).

As with many of these discussions, it’s not the database itself that’s the problem, but the purposes to which it can be put. Unfortunately no legal restraints can be put in place that will guarantee such a system will not be abused and therefore I have little choice but to criticise the initial implementation - as I’ve done already with other systems in our “database state”. I do have nothing to hide, but there is still plenty to fear from this.


Abstraction, Agents and GUIs

Posted by Paul Squires @ 4:25 pm on 4 September, 2007. 0 Comments

Again, another quiet spell, but things have been happening that have kept me away from blogging. I should be able to post on this very shortly… :)

I was recently re-reading Neal Stephenson’s “In the Beginning…Was the Command Line” (also available online for free) and I was struck by some of the comments that Stephenson makes during his essay and how they relate to the (even more) modern problems facing computer use, particularly in the Internet age.

The key point from the essay is about how the use of GUIs impacts on and impedes a lower level understanding of what’s really going on. Stephenson obviously deals with operating systems but makes an interesting point about how the metaphor of a GUI extends into other areas of life; the levels of abstraction apply to television, books and other areas of culture. Stephenson uses the interesting story about Disney World as a pre-packaged interpretation of a real experience and it’s certainly one that rings true after a little thought.

“By using GUIs all the time we have insensibly bought into a premise that few people would have accepted if it were presented to them bluntly: namely, that hard things can be made easy, and complicated things simple, by putting the right interface on them.”

This particular quote struck me with great resonance, as I had recently been thinking about identity related issues from a non-technical angle and, most interestingly, from a psychology perspective. Twice in the past few weeks pub conversations have descended into questions of self image, presentation, reflection, multiple personae - questions, ultimately, of “identity”. This was followed by a dinner conversation during which Erving Goffman’s theories on some of those matters were referenced (as you can tell I have a thrilling social life).

Ultimately, all our interactions are identity based - in a conversation the language, tone and vocabulary change according to the audience. The underlying identity doesn’t change, but the presentation of that will vary (there’s been some interesting research recently about how, in fact, people do change according to who they surround themselves with, however). One of the goals of digital identity management is to make our online interactions as seamless and natural as our face to face ones.

This leaves me wondering - I do tend to agree with Stephenson’s quote above about how, when we abstract something with metaphors, the underlying concepts become more difficult to understand. There’s been discussion in the past about how impersonation and delegation fit into the identity model and I’m starting to question how we can best use such concepts within a solid identity system.

Identity federation systems provide a level of abstraction that reduces the amount of control that individual users have - the “user centric” model is there to redress that for the consumer space (in the enterprise space any identity is owned by the employer and not the employee), but even there the goal is to reduce the complexity that the user sees - providing a GUI over the command line of the underlying system.

Whilst making systems easier to use, providing metaphors and interoperability layers we need to ensure that the people at both ends of an identity transaction can determine what happens throughout.


Natural Disasters

Posted by Paul Squires @ 5:36 pm on 5 July, 2007. 0 Comments

Stepping away from my usual topics for a while…

I was watching the news this evening and there’s been more coverage of the Yorkshire floods, which after a week don’t seem to be subsiding and have left thousands homeless along with several dead. All in all, pretty serious stuff.

The point that occurred was about disaster relief funds - every so often we’re asked to put our hands in our pockets to help those less fortunate - earthquakes in Pakistan, tsunamis in Indonesia and (dare I say it?) hurricanes in the USA have all attracted pleas for our money. There’s been constant mention of the costs of repair, rehousing &c along with how many of these unfortunates don’t have insurance yet not a single mention of a relief fund has been made. I’ve found this one, but I wonder what the people of Hull think of that?

So much for charity beginning at home!


Facebook & Identity

Posted by Paul Squires @ 10:56 pm on 4 July, 2007. 0 Comments

Discovering Identity: Facebook and Identity: Will you Join?

I actually joined facebook a few weeks ago and haven’t really done anything much with it. I guess I’m getting old since I don’t get what all the fuss is about. However, people I know from work, friends and members of my family were already using it so I thought I’d give it a go.

I’ve joined the “Digital Identity” groups that Mark Dixon refers to here (along with some others). Apart from seeing how many people are on facebook and have an interest in “identity” I’m not sure what the benefit is! One thing that is obvious is the number of people in the “OpenID” group - that is popular :)

So, if you’re on Facebook and reading this, let me know!


Stupid or Inept?

Posted by Paul Squires @ 4:11 pm on . 0 Comments

Schneier on Security: Portrait of the Modern Terrorist as an Idiot

qwghlm.co.uk » Blog Archive » Be Careful

Schneier on Security: Terrorist Special Olympics in the UK

I was going to comment on the Schneier post “Portrait of the Modern Terrorist as an Idiot” anyway, but when reading Chris Applegate’s look at the most recent terrorism attempts here in the UK I thought I’d jump to it rather than put it off any longer. My initial thoughts on Schneier’s original piece were largely in agreement. One thing that irks me is that the label “terrorism” gets bandied around far too often; after all it helps with introducing draconian laws (what happened to the paedophile threat?) and selling newspapers!

Terrorism is, in reality, an extremely complex issue. One man’s terrorist is another’s freedom fighter and the line between them can be extremely fine and will depend largely on whether one agrees with the status quo or not, but we can see just how often the label is applied when, in my opinion at least, it’s really undeserved. Those who make idle threats to our freedoms are not terrorists (a good number of the so-called terrorists hadn’t even got as far as attempting to buy the required equipment) and a good many of the others are nothing but common criminals who should be treated as such.

The events of last week and over the weekend haven’t changed much. As Chris points out (initially - he followed it up with a more serious post) the best response to these people is a combination of pity and contempt, mixed with a good dose of “Ha Ha” (Nelson style). Schneier’s second post backs this up and returns us to the point - whilst we paint terrorists as idiots by misusing the term there are always those who’ll make the label stick by actually being idiots.

As usual, the response to these “attacks” has come in two different forms - the general populace of the UK, already struck with a real terror of floods leading to abandoned homes, overflowing reservoirs and loss of life, have responded with the classic “stiff upper lip” method whilst our Government has responded with some talk about checking professional immigrants more thoroughly - especially those working in the NHS. Horses and stable doors spring to mind.

This is exactly the sort of thing that has been derided in the past - the reactive method will not work as terrorists can be (unless they’re stupid) resourceful and will find ways to get around our defences. If we ramp up protection at airports then what’s to stop them from targeting hospitals, schools, railways or any other public facility? My favourite quote attributed to Gerry Adams seems particularly apt.

We only have to be lucky once, you have to be lucky all the time


Cardspace & Enterprise Identity Management

Posted by Paul Squires @ 6:41 pm on 2 July, 2007. 0 Comments

Enterprise Architecture: Thought Leadership: Thoughts on CardSpace and Java

I’ve not been very active recently due to a whole combination of things and I’m still working my way through a huge backlog of RSS posts. I was going to wait until I’d got closer to the present day before really commenting on anything, but that could take forever and, frankly, this post by James McGovern really caught my attention for a couple of reasons.

I work with both CA SiteMinder and Oracle Access Manager which James mentions (along with products from Ping Identity and others) which will be impacted by the use of Cardspace, plus when describing it to a colleague earlier the question of how it will affect web authentication mechanisms (including single-sign on and traditional federation) was raised.

CardSpace itself has the potential to be disruptive to a good proportion of what I’d term the “Enterprise Identity Management” space - those occupied by the large vendors (including CA, Oracle, HP & Sun) and could become a de facto standard for web authentication. Like any disruptive technology the important thing is to find a way to adjust and take advantage of changes in the market.

When looking at CardSpace there are three components to think about - the client (identity selector and browser plugin), and two servers - service provider (SP) and identity provider (IdP). Traditionally clients have been given away in order to sell the server components and this will obviously continue - the clients will be (and ARE) included in the OS and browser, which leaves the only way to make money from this to be with the servers.

As James comments - the plan is to make the service provider components easy to embed in any web application. Code obviously exists for .NET, there’s an Apache module and Java will be along soon - there’s still an opportunity for the enterprise providers (and those of us who sell and implement their products :) ). There’s obviously a lot of logic to be implemented about which provider’s cards will be accepted, which attributes are requested (and which are mandatory!) - wrapping this in a nice, easy to use UI and combining with centralised authentication and session management with policy enforcement will be one way that evolution can occur in web access control systems.
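The service provider logic mentioned above (which provider’s cards are accepted, which attributes are requested and which are mandatory) can be sketched as follows. This is an added example, not code from CardSpace or any vendor product; the policy structure, function names, issuer URL and sample tokens are hypothetical, and the token is assumed to have been decrypted and signature-checked already.

```python
# Added illustration, not CardSpace or vendor code. Assumes the token has
# already been decrypted and signature-checked; only the policy decision
# (accepted issuers, mandatory vs optional claims) is shown.
from dataclasses import dataclass, field

CLAIMS_NS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SELF_ISSUED = "http://schemas.xmlsoap.org/ws/2005/05/identity/issuer/self"
EXAMPLE_IDP = "https://idp.example.test/sts"  # constructed managed-card issuer


@dataclass(frozen=True)
class CardPolicy:
    accepted_issuers: frozenset
    required_claims: frozenset
    optional_claims: frozenset = frozenset()


@dataclass
class Decision:
    accepted: bool
    reasons: list = field(default_factory=list)
    attributes: dict = field(default_factory=dict)


def evaluate_token(policy, issuer, claims):
    """Apply the service provider's card policy to one presented token."""
    reasons = []
    if issuer not in policy.accepted_issuers:
        reasons.append("issuer not accepted: " + issuer)
    for claim in sorted(policy.required_claims):
        # An empty value counts as missing, not as satisfied.
        if not claims.get(claim):
            reasons.append("mandatory claim missing: " + claim)
    if reasons:
        return Decision(False, reasons)
    # Keep only what was asked for; unrequested claims are discarded.
    requested = policy.required_claims | policy.optional_claims
    kept = {c: v for c, v in claims.items() if c in requested and v}
    return Decision(True, [], kept)


# Constructed policy: managed cards from one provider only, e-mail address and
# private personal identifier mandatory, given name optional.
POLICY = CardPolicy(
    accepted_issuers=frozenset({EXAMPLE_IDP}),
    required_claims=frozenset({CLAIMS_NS + "emailaddress",
                               CLAIMS_NS + "privatepersonalidentifier"}),
    optional_claims=frozenset({CLAIMS_NS + "givenname"}),
)

# Constructed sample tokens (issuer plus claim values), not captured data.
SAMPLE_TOKENS = {
    "self_issued": {"issuer": SELF_ISSUED, "claims": {
        CLAIMS_NS + "emailaddress": "user@example.test",
        CLAIMS_NS + "privatepersonalidentifier": "ppid-0001"}},
    "managed_missing_ppid": {"issuer": EXAMPLE_IDP, "claims": {
        CLAIMS_NS + "emailaddress": "user@example.test",
        CLAIMS_NS + "privatepersonalidentifier": ""}},
    "managed_full": {"issuer": EXAMPLE_IDP, "claims": {
        CLAIMS_NS + "emailaddress": "user@example.test",
        CLAIMS_NS + "privatepersonalidentifier": "ppid-0002",
        CLAIMS_NS + "givenname": "Pat",
        CLAIMS_NS + "dateofbirth": "1970-01-01"}},
}


def run_samples():
    return {name: evaluate_token(POLICY, t["issuer"], t["claims"])
            for name, t in SAMPLE_TOKENS.items()}


if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(name, decision.accepted, decision.reasons or sorted(decision.attributes))
```
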

The biggest area where enterprise identity management systems will be able to take advantage of this change in paradigm, of course, will actually be in taking on the role of card issuer/identity provider - an area where there has (so far) been the least amount of sample code and deployment advice, but conversely there are greater complexities to deal with as adoption becomes more widespread. The role of identity provider will be key for adoption of the technology.

No matter what the technology there are aspects of producing a secure web application interface that, in many cases, are best handled by a specialised security product that can abstract and centralise them - authentication, directory connectivity and session management are difficult to handle and this is the reason why products such as SiteMinder, Oracle Access Manager and Ping Login exist (and the reason why consultants exist).

