Fun with Secret Questions

If you’re working in security, this will make you laugh. Hard.

“Ally Bank wants its customers to invent their own personal secret questions and answers; the idea is that an operator will read the question over the phone and listen for an answer. Ignoring for the moment the problem of the operator now knowing the question/answer pair, what are some good pairs? Some suggestions:

Q: What the hell is your fucking problem, sir?
A: This is completely inappropriate and I’d like to speak to your supervisor.”

You MUST READ the comments to the original post – there’s some HILARIOUS stuff in there, like

Q: Sir, before I begin, I would like to remind you that we do not serve gays, latinos, women, or people over the age of 50. Are you any of those things, sir?
A: Yes and I’ll be seeing your ass in court.


Google desperately needs to implement Identity Management

I’m a really really happy user of lots of Google services. I have my own domain linked to Google Apps For Your Domain (GAFYD). I use Google Docs. I’ve been a GMail user before. I put pictures I want to share on Picasa. My contacts are in Google Contacts. Some of my appointments are shared through Google Calendar. Of course I jumped on Google Wave immediately…

So, all should be fine, right?


The trouble began when Google Apps For Your Domain became available, and I had to migrate my data over from the old GMail account. I ranted enough about this, so I’ll spare you the repeat.

Ever since I completed that move, I feel like a second class citizen for all services that use Google’s authentication system, and the worst thing is – this is even true for Google’s own services.

Picasa, for example, is not included in Google Apps, so I have to use a different login. That GMail login uses the same email address as Google Apps, but a different password. You can run face recognition, but unfortunately Picasa can not access the Google Apps contacts for names, faces or email invitations – you have to maintain a second set of identities.

I still have my old email account which uses the same email for login, so that makes for all kinds of strange, confusing messages. I now have two Google Calendars, two Google Docs sites, both completely separate yet under the same email address.

Do you know all those other services that allow you to pull in your contacts from GMail? You probably guessed it – they can’t access my Google Apps account.

It gets even better when you pull Google Wave (they give you _yet another_ email!) and Buzz into the mix – complete confusion guaranteed.

This post has been sitting as a draft for a few weeks; only recently, Gina Trapani picked up the issue on Smarterware. They found someone at Google with a half-assed explanation, but come on – there has to be a better way!

“When you add Android into the mix, Contacts get weird. Because, I think, you can add your Google Apps account to Android and not your “vanilla” Google Account. (GT: Yes, this is true.) But, when you sign in to Google Voice on Android, you will need to enter the password (which might be the same) of your vanilla Google Account. BUT, on Android, your Contacts are read from the system’s phone book. Not necessarily the vanilla Google Voice Google Account that has its separate contacts (accessible through the normal Google Voice webapp). Ugh. The “Contacts” issue is by far the most ‘hurting’ in this whole scenario.”

Eh… ok….

An update to the post brings it to the point:

“Clearly FREE vanilla Google Accounts get more preference than potentially-paid Google Apps accounts, which doesn’t make a whole lot of sense.”

Welcome to third class citizenship.

What’s your experience with this – how do you make it work for you?

CardSpace – First time user impressions

At European Identity Conference 2009, Kim Cameron gave another inspiring talk about claims based authentication and Microsoft’s CardSpace (Geneva) Implementation.

After the conference, the nice folks of Kuppinger Cole sent out an Information Card to all participants that will grant access to conference material.

Unfortunately, that’s not as easy as I thought. CardSpace was not installed on my PC, and the login page had no hint on how to get it. I found *something* eventually (don’t remember the exact location), but that did not work out properly. I had the Control Panel and could install the Information Card, but this is what I got when I tried to use it:



I googled some more and found the Geneva Team Blog, where I followed the link to download the latest release.
That gave me this message:


So – no CardSpace for me, it seems.

European Identity Conference – Day 1

OK, back in the hotel after the first day of this year’s European Identity Conference in Munich.


My colleagues have a booth on the ground floor presenting SAP’s Compliant Identity Management solution.
This year, I’d say conference attendance is a lot higher than last year. That would also correlate with our experience that Identity Management is getting traction in the market; we’re seeing a lot of interest from customers.


The keynote presentations were reasonably good, I’d count Kim Cameron and Dave Kearns as the most interesting ones, as they are very much forward thinking and not directly product related (at least not with a commercial interest). They also had lots of quotable stuff for my own presentations ;)


Back on the expo floor, I had two interesting encounters.

Next to the bar, a company called “SecurIT” had a batch of Pokens on the counter, and they were nice enough to give me one! A Poken is a small USB device that links to a profile that you can link all your social network identities to. When you meet someone who also has a Poken, you hold the two together as a kind of handshake and your Poken profiles are being exchanged. Let’s see if I can find someone else who has one….

The conference material also had a voucher for another small identification device called the “YubiKey”. This one blew me away – it acts as a USB HID (human interface device) and, on the press of a button, emits a 40-character generated password. That password is checked against a server which you can run within your own infrastructure to verify the authentication. The company is called “yubico” and originates from Sweden. Their web site has a free SDK and offers many implementation paths. Integration into SAP Netweaver should be pretty straightforward, so that might be an option for some customers. If you’re an SAP developer interested in playing with it, let me know.
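To make the “key emits a password, server verifies it” idea concrete, here is an added example that is not code from Yubico or from this post. The ModHex alphabet is Yubico’s real one (16 letters chosen so the keyboard output survives any host keyboard layout); everything else is a simplified stand-in: the token body here is a public id, a monotonic counter and an HMAC tag, whereas real YubiKeys use an AES-based body. `SimulatedKey`, `VerificationServer` and the byte layout are my assumptions for illustration. The point it shows is the check a verification server cannot skip: a captured password must be rejected the second time it is presented.

```python
import hashlib
import hmac
import struct

# Yubico's ModHex alphabet: symbols at the same position on common keyboard
# layouts, so the HID output reads the same everywhere.
MODHEX_ALPHABET = "cbdefghijklnrtuv"


def modhex_encode(data: bytes) -> str:
    """Encode bytes as ModHex, two symbols per byte, high nibble first."""
    return "".join(MODHEX_ALPHABET[b >> 4] + MODHEX_ALPHABET[b & 0x0F] for b in data)


def modhex_decode(text: str) -> bytes:
    """Decode ModHex; raises ValueError for odd length or foreign characters."""
    if len(text) % 2 or any(c not in MODHEX_ALPHABET for c in text):
        raise ValueError("not a ModHex string")
    nibbles = [MODHEX_ALPHABET.index(c) for c in text]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


class SimulatedKey:
    """Assumed stand-in for the USB token (not Yubico's real format).
    Each press emits: 6-byte public id + 8-byte counter + 8-byte HMAC tag,
    ModHex-encoded to 44 characters."""

    def __init__(self, public_id: bytes, secret: bytes) -> None:
        self.public_id = public_id
        self.secret = secret
        self.counter = 0  # non-volatile on a real token; never decreases

    def press(self) -> str:
        self.counter += 1
        body = self.public_id + struct.pack(">Q", self.counter)
        tag = hmac.new(self.secret, body, hashlib.sha256).digest()[:8]
        return modhex_encode(body + tag)


class VerificationServer:
    """The server side: per-key secret plus the highest counter accepted so far."""

    def __init__(self) -> None:
        self._keys = {}  # public_id -> (secret, last_counter)

    def enroll(self, public_id: bytes, secret: bytes) -> None:
        self._keys[public_id] = (secret, 0)

    def verify(self, otp: str):
        """Return (accepted, reason). Order matters: authenticate the tag
        before trusting the counter inside the message."""
        try:
            raw = modhex_decode(otp)
        except ValueError:
            return False, "malformed"
        if len(raw) != 22:
            return False, "malformed"
        public_id, counter_bytes, tag = raw[:6], raw[6:14], raw[14:]
        entry = self._keys.get(public_id)
        if entry is None:
            return False, "unknown key"
        secret, last_counter = entry
        expected = hmac.new(secret, public_id + counter_bytes, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False, "bad tag"
        counter = struct.unpack(">Q", counter_bytes)[0]
        if counter <= last_counter:
            return False, "replay"  # same or older press: a captured password
        self._keys[public_id] = (secret, counter)
        return True, "ok"


def demo():
    """Constructed walk-through: one press accepted, its replay refused."""
    key = SimulatedKey(b"\x01\x02\x03\x04\x05\x06", b"constructed-demo-secret")
    server = VerificationServer()
    server.enroll(key.public_id, key.secret)
    otp = key.press()
    return [server.verify(otp), server.verify(otp), server.verify(key.press())]


if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

The replay check is why the token needs a counter that only ever goes up: without it, anyone who reads the 44 characters off a screen or a log could log in as the key's owner until the secret is rotated.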

All in all, a very exciting day. I met lots of people, and I’m looking forward to networking even more over the next days – after all that’s the best part of taking part in a conference.

The Twitter backchannel is quite active, the hashtag is “#eic”. Let’s see how that develops over the next few days.

European Identity Conference 2009 – May 5th to May 8th


I’ll be spending the rest of this week visiting European Identity Conference 2009 in Munich. I was there last year, and it’s an event worth visiting – a diverse set of great personalities in the identity space, and a perfect opportunity for networking.

I’ll be blogging and twittering (use hashtag “#eic2009”) here, and you can follow more information about the event on EventTrack.


See you there!

How a baby became Bin Laden

I’m always wondering about the trend to more IT in passports, government transactions and medical systems. Stuff like that has been pushed by the industry for years now, never even bothering about its usefulness or – behold – business case. In my view, this is driven purely by vendor sports.

Look at this

“Jeroen van Beek takes the passport of a 16-month-old British boy and puts it on to a £40 smartcard reader the size of an iPod. He punches a code into his computer and, within seconds, the information contained in the passport’s microchip appears on screen.

This is not supposed to happen, as communication between the chip and the reader uses powerful encryption, but a renowned British computer expert called Adam Laurie worked out how to crack the code 18 months ago.
On his computer, Mr van Beek alters the cloned chip and removes the image of the child, the Times photographer Michael Crabtree’s son, Thomas, and replaces it with the image of Osama bin Laden. He does the same with the passport of my partner, Suzanne Hallam, installing the image of Hiba Darghmeh, a Palestinian suicide bomber instead. And, if the chips had contained other biometric data, such as fingerprints or iris scans, he could have changed those too.”

Passports are often valid for 5 years or more. From the sales pitch until the roll-out, the technology used is probably 5 years old already.

I have spent roughly 10 years in PKI and security related topics, and I haven’t seen a single technology that could be secure over such long time periods.

Last week we were starting to test an application that I implemented for a customer. Part of that application does approval workflows, so we had to create test users. We did not want to disturb real users with emails, so the customer created the test users with “” email addresses.

After about a week we started getting bounce messages from ;)

The emails that were sent also contained user names and passwords for newly created users. Granted, only for test systems that are not accessible from anywhere, but still: in this day and age, you need to be careful with email systems.

I wonder how many emails, and how many ones with “interesting” content, the postmaster for is receiving from people all over the world…

Time to ask yourself: what are you entering in the email address field when you’re testing something, or providing dummy data in a web registration form?
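One concrete answer to that question, as an added example rather than anything from the post: only ever give dummy accounts addresses under the names reserved for exactly this purpose by RFC 2606 (example.com/net/org and the top-level names .test, .example, .invalid and .localhost), which are guaranteed never to route to a stranger's mailbox, and put a check in front of the mailer so a test fixture with a real domain in it cannot send anyone's credentials anywhere. The test user list below is constructed, and `guarded_send` and its `allowed_domains` parameter are my assumptions about how such a guard would be wired in.

```python
import re

# RFC 2606 reserved names: mail to these is never delivered outside.
RESERVED_TLDS = ("test", "example", "invalid", "localhost")
RESERVED_DOMAINS = ("example.com", "example.net", "example.org")

# Constructed fixture in the spirit of the post: one tester typed a real,
# unrelated organisation's domain into a dummy approver account.
TEST_USERS = [
    {"user": "approver1", "email": "approver1@example.com"},
    {"user": "approver2", "email": "approver2@somecompany.invalid"},
    {"user": "approver3", "email": "approver3@realcompany.com"},
    {"user": "approver4", "email": "approver4@mail.internal.test"},
]


def is_safe_test_address(email: str, allowed_domains=()) -> bool:
    """True if the address cannot reach a mailbox outside our control:
    a reserved RFC 2606 name (or a subdomain of one) or an explicitly
    allowed internal domain, e.g. a mail sink the QA team operates."""
    match = re.fullmatch(r"[^@\s]+@([A-Za-z0-9.-]+)", email)
    if not match:
        return False
    domain = match.group(1).lower().rstrip(".")
    for reserved in RESERVED_DOMAINS + tuple(d.lower() for d in allowed_domains):
        if domain == reserved or domain.endswith("." + reserved):
            return True
    return domain.rsplit(".", 1)[-1] in RESERVED_TLDS


def unsafe_addresses(users, allowed_domains=()):
    """Pre-flight check for a fixture: every address that would leak."""
    return [u["email"] for u in users
            if not is_safe_test_address(u["email"], allowed_domains)]


def guarded_send(send, to_addr: str, body: str, allowed_domains=()) -> bool:
    """Wrap the real mailer (hypothetical `send(to, body)` callable) so
    onboarding mail for test accounts is refused, not bounced, when the
    recipient domain is not a safe one. Returns whether it was sent."""
    if not is_safe_test_address(to_addr, allowed_domains):
        return False
    send(to_addr, body)
    return True


if __name__ == "__main__":
    print("would leak:", unsafe_addresses(TEST_USERS))
    outbox = []
    for user in TEST_USERS:
        sent = guarded_send(outbox.append and (lambda to, body: outbox.append((to, body))),
                            user["email"], f"account {user['user']} created",
                            allowed_domains=("qa.mycorp.test",))
        print(user["email"], "sent" if sent else "refused")
```

Running the pre-flight check against the fixture flags only `approver3@realcompany.com`, which is the one whose bounces (and credentials) would have ended up with somebody else's postmaster.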

Kim Cameron – Booze vs. Godwin’s Law

Kim Cameron reports on a Canadian night club scanning ID cards in order to bring down crime and violence:

“The Tantra Nightclub in Calgary had a practice of scanning driver licences before allowing people in. Clearly it is collecting and storing personal information as it includes an individual’s photograph, license number, birth date, address, and bar codes with embedded information unique to the individual driver’s license.

The club says that “We’ve got hard data that it works, we that says crime and violence is down in our venues by over 77%.” On the other hand, the Information and Privacy Commissioner described ID scanning as a deterrent to violent behaviour “conjecture” not backed up by hard data and ordered the club to stop the practice.”

Of course, this violates the laws of identity, and Kim has harsh criticism:

“The owner is apparently bitter. But he could get around these problems if he would just change the club’s name to something more fitting. How about the Mein Kampf Eagle Lounge? Then having a functionary scanning “your papers” would just be part of the show – justifiable by any measure.”

This again brings Godwin’s law into the game, which is never a good start.

Actually, I think the topic around anonymous behaviour vs. behaviour when your identity is disclosed deserves a more down-to-earth type discussion. This is also a use of identity, even if identity gurus frown upon that. There’s no use in simply dismissing that, we need to provide guidance that creates a real alternative to collecting data.