Microsoft's new identity server, code-named Geneva, was announced as beta 1 at the PDC in Los Angeles. Beta 2 is announced for the first half of 2009, RTM for the second half of 2009. The Geneva platform will extend the Security Token Service (STS) technology and support the OpenID protocol and the SAML 2.0 protocol. The Geneva Server will succeed Active Directory Federation Services 2.0, and the Geneva CardSpace client will be the streamlined version of Windows CardSpace in Vista and XP. Zermatt will be renamed the Geneva Framework, an extension to the .Net Framework 3.5.
The STS will be extended with Active Directory. The Geneva Server will support WS-Federation, WS-Trust and the SAML 2.0 protocol. On top of that there are the Microsoft Service Connector, the Microsoft Federation Gateway and the .Net Access Control Service. These services reach via the Microsoft Federation Gateway (MFG) into Azure, the service cloud, and will give the cloud an identity service. MFG will support LiveID. As with the .Net Access Control (NAC), another Azure service, the release date for the MFG is unknown.
The Bochum students did some hacking exercises on Windows CardSpace. But they need to have the user as part of their hacking team to achieve their goals. In one of my more ruminant thinking moments I found a much easier way to hack CardSpace, and here is my proof of concept. For hacking CardSpace you just need a phone. I transcribed and translated my attempt:
Me: ring ring
Phone: "Hello, Angela Merkel, how can I help you"
Me: "Hello, am I speaking to Mrs. Merkel?"
Phone: "Yes, how do you know?"
Me: "And your first name is Angela?"
Phone: "Yes"
Me: "My name is William Gates from Microsoft. We are doing a telephone survey on internet security. You can earn $50 by answering every question correctly and win $5000 extra cash. Do you want to take part?"
Phone: "5000, wow, that is... of course I want to."
Me: "Do you have a home computer with Microsoft XP or Microsoft Vista?"
Phone: "Yes"
Me: "Do you have Internet access?"
Phone: "Yes"
Me: "You are doing great. Could you please start the computer and log in? Do not forget to enter your password."
Phone: "Oh, no problem, it is already online - it always is. I have no password."
Me: "Excellent, this will make it so much easier! You will have a good chance to win the first prize!!"
Phone: "Really, oh, it's so exciting!"
Me: "Do you use a messenger or email from Microsoft, Google or any other provider?"
Phone: "I use Google. Is that any disadvantage?"
Me: "No, you can still win the $5000. Could you give me your email address?"
Phone: "angela.merkel@gmail.com - shall I spell it?"
Me: "Yes, please."
Phone: "a-n-g-e-la-DOT-m-e-r-k-e-l-AT-g-m-a-i-l-DOT-com"
Me: "Thanks a lot. I will send you an email with an attachment. This attachment is absolutely secure. There will be several security warnings to show you how secure our software is. Please answer every message box with "yes" or "continue" so that our software will be able to complete the survey. I will be waiting on the phone to assist you with every question the software will display."
....
After sending a freshly created trojan program, I helped the lady install a new root certificate and some other malicious software, and changed her network configuration to my malicious DNS server.
...
Me: "Thanks a lot for your cooperation. Would you now please start Windows CardSpace?"
Phone: "Windows what?"
Me: "Oh, you do not know Windows CardSpace? Let me just help. You start....then enter your password...do not mistype it. Do you know that it is against federal law to mistype your password more than two times? Perhaps you spell it loudly that usually helps a lot..."
Phone: "e-u-r-o-p-a-2-0-0-8"
Me: "Well done. To make sure that everything is done correctly, please open your browser and enter 'www.mypasswordfishing.com'."
Phone: "I did it. I see a website where I can enter my banking and credit card information."
Me: "Great. You have it. That means you just won the $5000. Congratulations. We need this information to send you the money as fast as possible. Do not forget to enter your social security number and passport number and date of issue. If you enter everything correctly you will have the money in less than one hour."
Phone: "Really, I won? I cannot believe it."
Me: "You will see, do not worry. Thanks a lot for your cooperation. Have a nice day."
Phone: "I have to thank you....."
You do not think this will work? You are wrong. It works well. Not with you, of course; you read this blog, your passwords will not be phished that easily. But there are a lot of computer users in the world who will easily be stripped naked of the default security. The weakest link in the security chain is not Windows CardSpace or any other software - it is the user.
Some students at the Ruhr University Bochum, Germany, claim to have hacked Microsoft CardSpace and published a paper "On the Insecurity of Microsoft's Identity Metasystem CardSpace" at their proof-of-concept website. In fact Xuan Chen and Christoph Löhr did a great job, but did they really hack CardSpace, or did they only show how complicated phishing and hacking will be if you use Microsoft CardSpace?
Personally I think they only showed us the problems you will have in hacking or token phishing with Microsoft CardSpace. There are several preconditions to fulfill: you have to go phishing in an insecure environment. As Kim Cameron put it in his blog, the user has to cooperate with the attacker by weakening the security of his own system (changing default security, accepting certificates and ignoring warning messages). Which means the attack needs a browser or a desktop where you can start your dynamic pharming attack. This kind of attack was described in detail by Chris Karlof, J.D. Tygar, David Wagner (UC Berkeley), and Umesh Shankar (Google) in their paper. And there are countermeasures known already, like a strengthened browser security policy. The Bochum students did nothing new, but exactly this is the fact that should bother us the most.
As long as users, browsers and web servers make it possible to "steal someone's website", you will be able to steal the identity of the website's user by pretending to be the "good guy". Microsoft CardSpace is an identity layer based on trusted communication and on a secured environment. If the environment is wide open to intruders, every authentication mechanism is vulnerable.
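The point above is that the attack only works once the environment has been weakened first: in the phone scenario that meant a rogue root certificate and a malicious DNS server. One check a defender can run on such a machine is a diff of the trust store against a baseline of the roots that were deliberately distributed, so that an attacker-installed trust anchor stands out. The following Python is an added example and not code from the original post; the PEM bundle layout, the baseline set and the two placeholder roots are constructed for it.

```python
import base64
import hashlib
import re

# Constructed stand-ins for the DER bytes of two root certificates. Real DER
# would be ASN.1; the check below hashes raw bytes, so placeholders suffice.
ROOT_A_DER = b"constructed DER bytes for the organisation's deployed root A"
ROOT_B_DER = b"constructed DER bytes for a root nobody on the defending side approved"


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM certificate block (used to build the sample bundle)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)


def der_blocks(pem_bundle: str):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode(re.sub(r"\s+", "", body))
            for body in PEM_BLOCK.findall(pem_bundle)]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as lowercase hex, the form most certificate tools print."""
    return hashlib.sha256(der).hexdigest()


def unexpected_roots(pem_bundle: str, baseline):
    """Fingerprints found in the bundle that are missing from the approved baseline."""
    return [fp for fp in (fingerprint(d) for d in der_blocks(pem_bundle))
            if fp not in baseline]


# Baseline: only root A was ever distributed by the organisation (constructed).
BASELINE = {fingerprint(ROOT_A_DER)}
# Bundle as found on the machine after the incident: root B has appeared (constructed).
SAMPLE_BUNDLE = to_pem(ROOT_A_DER) + to_pem(ROOT_B_DER)

if __name__ == "__main__":
    for fp in unexpected_roots(SAMPLE_BUNDLE, BASELINE):
        print("unexpected trust anchor:", fp)
```

Run it against a real PEM bundle by passing the file contents to `unexpected_roots` together with a baseline of fingerprints recorded from a known-good build; a non-empty result is the cue to ask how the extra root got there.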
This blog has been silent for some time. There are reasons for that: Christian's last posting gave us an impression of how disappointed he was regarding some strategic decisions at Microsoft with openID. We all know his strong engagement in the CardSpace idea. In the following discussion we decided to change our focus a bit and Christian decided to change his contract to a looser one. He wanted to have more flexibility in technical and private aspects. We thank Christian for his work and I am looking forward to having him with us in any further engagement of ATE Software in identity management as an expert and prominent consultant.
In fact ATE Software is not out of the identity business; we are still investing (you will see us as a founding member of the Information Card Foundation). But we changed our focus towards the need for commercial success and we had to do some internal shifting. "Connected Identity and Directory" as an R&D department is now integrated in our two existing business lines for frontend and backend. The two heads are Frank Samjeske (Security and Backend Services) and Jens Peter Kleinau (Rich and Smart Clients). Christian will do some consulting for us both if needed.
We will gladly stay in contact and see that our participation in the workgroups and foundation groups will steadily grow.
Best wishes, Jens Peter
June 24, 2008 – Australia, Canada, France, Germany, India, Sri Lanka, United Kingdom, United States – An array of prominent names in the high-technology community today announced the formation of a non-profit foundation, The Information Card Foundation, to advance a simpler, more secure and more open digital identity on the Internet, increasing user control over their personal information while enabling mutually beneficial digital relationships between people and businesses.
Led by Equifax, Google, Microsoft, Novell, Oracle, and PayPal, plus nine leaders in the technology community, the group established the Information Card Foundation (ICF) to promote the rapid build-out and adoption of Internet-enabled digital identities using Information Cards.
Information Cards take a familiar off-line consumer behavior – using a card to prove identity and provide information – and bring it to the online world. Information Cards are a visual representation of a personal digital identity which can be shared with online entities. Consumers are able to manage the information in their cards, have multiple cards with different levels of detail, and easily select the card they want to use for any given interaction.
“Rather than logging into web sites with usernames and passwords, Information Cards let people ‘click-in’ using a secure digital identity that carries only the specific information needed to enable a transaction,” said Charles Andres, executive director for the Information Card Foundation. “Additionally, businesses will enjoy lower fraud rates, higher affinity with customers, lower risk, and more timely information about their customers and business partners.”
The founding members of the Information Card Foundation represent a wide range of technology, data, and consumer companies. Equifax, Google, Microsoft, Novell, Oracle, and PayPal, are founding members of the Information Card Foundation Board of Directors. Individuals also serving on the board include ICF Chairman Paul Trevithick of Parity, Patrick Harding of Ping Identity, Mary Ruddy of Meristic, Ben Laurie, Andrew Hodgkinson of Novell, Drummond Reed, Pamela Dingle of the Pamela Project, Axel Nennker, and Kim Cameron of Microsoft.
“The creation of the ICF is a welcome development,” said Jamie Lewis, CEO and research chair of Burton Group. “As a third party, the ICF can drive the development of Information Card specifications that are independent of vendor implementations. It can also drive vendor-independent branding that advertises compliance with the specifications, and the behind-the-scenes work that real interoperability requires.”
The Information Card Foundation will support and guide industry efforts to enable the development of an open, trusted and interoperable identity layer for the Internet that maximizes control over personal information by individuals. To do so, the Information Card infrastructure will use existing and emerging data exchange and security protocols, standards and software components.
Businesses and organizations that supply or consume personal information will benefit from joining the Information Card Foundation to improve their trusted relationships with their users. This includes financial institutions, retailers, educational and government institutions, healthcare providers, retail providers, travel, entertainment, and social networks.
The Information Card Foundation will hold interoperability events to improve consistency on the web for people using and managing their Information Cards. The ICF will also promote consistent industry branding that represents interoperability of Information Cards and related components, and will promote identity policies that protect user information. This branding and policy development is designed to give all Internet users confidence that they can exert greater control over personal information released to specific trusted providers through the use of Information Cards.
"Liberty Alliance salutes the open industry oversight of Information Card interoperability that the formation of ICF signifies," said Brett McDowell, executive director, Liberty Alliance. "Our shared goal is to deliver a ubiquitous, interoperable, privacy-respecting federated identity layer as a means to seamless, secure online transactions over network infrastructure. We look forward to exploring with ICF the expansion of the Liberty Alliance Interoperable(tm) testing program to include Information Card interoperability as well as utilization of the Identity Assurance Framework across Information Card deployments."
As part of its affiliations with other organizations, The Information Card Foundation has applied to be a working group of Identity Commons, a community-driven organization promoting the creation of an open identity layer for the Internet while encouraging the development of healthy, interoperable communities.
Additional founding members are Arcot Systems, Aristotle, A.T.E. Software, BackgroundChecks.com, CORISECIO, FuGen Solutions, the Fraunhofer Institute, Fun Communications, Gemalto, IDology, IPcommerce, the Liberty Alliance, ooTao, Parity, Ping Identity, Privo, Wave Systems, and WSO2.
Further information about the Information Card Foundation can be found at www.informationcard.net.
Since Thursday we all know that Microsoft joined the OpenID Foundation (Kim, Mike). First of all: of course, not bad news at all.
Microsoft's Bill announced openID integration for Windows CardSpace in February 2007. OK, it seems that his goal is becoming reality.
I have been working on and living in CardSpace for two years; it was and is a nice and exciting time for us. Readers of my blog know e.g. my ToolBox activities, speaking engagements at several conferences and of course, many many times just telling customers what Windows CardSpace is.
The Internet still needs an identity layer. No question.
The Internet still needs users that are aware that moving in the digital clouds is like moving in reality.
The Internet still is YOU.
Of course, openID really tries to solve many identity related issues. Windows CardSpace, too.
In detail there are many differences between openID and Windows CardSpace, but that is not bad at all.
Today I just want to write about a personal perspective. My question is about the message "Microsoft joined the openID Foundation".
How was this message received in Germany?
In just a few words: "Microsoft doesn't trust their own technology". "CardSpace is obsolete?!" Not a joke.
German news sites reported about Microsoft joining in a way that ANY customer and ANY end consumer must think this way.
Things like "passport failed, openID comes in".
Things like "openID and Microsoft are one team"
Things like not any word about Windows CardSpace. Not any.
In my opinion Microsoft made a big mistake. Personally I had the chance to get in touch with a really really large customer that holds millions of identities. We got an email from this customer (and he really wanted to get in touch with Microsoft CardSpace). In his mail the customer explained his situation like "Hey, what's going on, is Microsoft killing Windows CardSpace?" At the end of the day the customer STOPPED the project because he doesn't trust CardSpace anymore. Hey MS, what's this?
I think there are many many people at MS who are able to explain things for the press in a way that they understand what is going on.
Why didn't Microsoft explain the whole picture at the moment of releasing such news?
Things like "We want to kill the phishing issue of openID because Windows CardSpace makes it possible"
Things like "We believe in Windows CardSpace because..."
Things like "We joined the openID Foundation because....."
Things like "If you want to create proved identities use Managed Cards, Microsoft and OASIS has a concept"
Things like "Of course Microsoft wants to be part of open standard systems, so we decided to join the openID Foundation, but this does not mean that we will kill Windows CardSpace, far from it, we enhance Windows CardSpace by generating openIDs in a secure environment"
Things like "We believe in WS-Trust and token-based systems, so of course we will not drop the concept of a security token service" (in private: for a Microsoft Gold partner like my company, one of the main business values to earn money).
I really could write more "things", but that's not my job.
I just want to say that I am not angry because MS joined the openID Foundation. The only thing I want to point out: "Please don't make the same mistake as in Passport times". Think about your partners. E.g. we had the chance to push CardSpace to the clouds, we have the customer and the project. For half a year we have been talking with customers. Now it's time to rock. And now we get (in Germany) a message that a customer must misunderstand. Not good. Really not good.
My wish is a sensible communication way with messages related to identity and Microsoft. We all know that this is a hot story.
Guys like Kim, Don and Mike really do a good job and I know the need to push things forward. That's not my point. It would be cool to get in touch and get news like this before our customers get it :-) Because I have to argue why and how, and I want to do this really well with a deep knowledge of Microsoft's future perspective.
Do not misunderstand this post, please! Thanks :-)
We waited a long time, but now it's time to download Visual Studio 2008 via your MSDN subscription or just download the 90-day trial from http://msdn2.microsoft.com/de-de/vstudio/aa700831.aspx.
In the next couple of days I'll provide a new version of the Visual Studio ToolBox Suite for Windows CardSpace that will use the new .NET 3.5 identity management components.
Enjoy!
Last week I spoke about the question why we need an identity metasystem in times of web 2.0 at the XTOPIA conference. Lori Grosland interviewed me there. Thanks to Lori :-) Great Job!

Last week I visited the OMD conference in Düsseldorf. http://www.media-treff.de/ interviewed me there about identity in the context of Web 2.0.
The interview is in German.
Link: http://www.media-treff.de/index.php/2007/10/09/im-gesprach-christian-arnold-zur-indentitat-im-netz-identity-20/
There is an interesting discussion in the clouds. Based on Kim's thoughts on "What if we fail", Dale Olds of Novell and Ben Laurie's recent piece on CardSpace, I decided to start the ultimate "Show me your CardSpace Application" poll. I'll post my thoughts about CardSpace vs. Passport vs. Microsoft afterwards.
So, this post should collect as many links and comments as possible to people that build applications or websites that use Windows CardSpace to provide secure login or transfer of digital identity claims. I'll publish the results day by day in a new link list.
So, feel free to leave a comment about what you have done or just use the contact form to submit your description.
I just want to say that CardSpace is much more than a "product" that can be used on Microsoft websites. First of all it's not a product. Secondly it's one of the options that the "Generation Me" needs. Control and choice.
Personally I know many different and cool applications that use Windows CardSpace (I built some, hehe). I want to underline the word application. There are applications like the Otto Store, which is an application that is built completely with the help of web services. Integrated into a large backend powered by, and this is the main point, JAVA(!). We built a facade in front of hundreds of Sun servers :-) So, how? By talking standards :-) That's all.
I am eager to receive your feedback!
"Trust your service: Management by delegation"
Today many services are working in the context of digital identities. In this session I want to provide another point of view: Identity delegation.
I will show a way to implement a well-defined token-based delegation coupon that can be used by services to work on behalf of a user.
We will have a look at real world examples where you find services that should work based on delegation coupons - but do not do it. We want to find out when and why it could be a problem to implement delegation based services.
on November 26, read more at
www.idworldonline.com/?christianarnold
For months we have been getting an interesting question: "When will LiveID support Windows CardSpace?". Answer: "Shortly".
So, shortly is now :-)
Since a few hours ago you can use an information card (beta) to sign in to Windows Live ID:
You can use a Personal Card to enhance your existing user account. So just go to:
http://login.live.com/wlogin.srf?appid=0016000080002409&alg=wsignin1.0&appctx=%2fDefault.aspx
and try it out :-) You are just one click away from feeling the next footstep inside the ecosystem!
Mike Jones told us that the information card icon is available now.
The icon looks like this. You should use it if you want to show that users are able to log in or submit an information card:

You can download the icons here. Please read the guidelines.
Of course, I updated my login page :-) I would suggest you use this icon if you are using my ASP.NET 2.0 ToolBox for Windows CardSpace.
While I gave the last TechTalk session at Microsoft, Munich, a participant told us that in Germany the personal data of German citizens is not stored centrally.
Actually this was true.
Today I received a very important message. In the next couple of weeks all citizen-related data will be transferred and stored centrally. In the past there was no data store on a federal level in Germany. Every commune had its own data store to manage this data. Many detractors are talking about the "state with full control over its citizens".
Of course, technology is able to provide an answer to storing data in one place. But technology is not able to provide an answer for social questions.
Identity management, and in particular some kind of digital passport issued by the administration, does not need a centralized identity provider. Of course, storing data in one place is much easier to manage and maintain, but this is only a technical question.
There are always two sides: you could use this data store to provide a better service, or you could use it to keep an eye on the data owners.
We need rules and laws for how to handle personal data. Not more, not less. Regardless of whether we are talking about passports, credit cards or self-issued identity.