Web Blog

18-Aug-2018 09:39
2018-08-18#

Ran Across Today#

More Information#

There might be more information for this subject on one of the following: ...nobody

By unknown  Permalink  Comments? (0)
17-Aug-2018 19:30
2018-08-17#

Netflix #

I hate that Netflix shows me these shows which are not in English. They provide a poor interface for making selections or searching and their suggestions generally suck.

I ran across these today (from "Netflix has tons of hidden categories — here's how to see them").
Why they would not make them links is unknown.

12-Aug-2018 20:20
2018-08-12#

Ran Across Today#

The OMB identified cybersecurity as one of 14 Cross-Agency Priority (CAP) Goals [2] established in accordance with the Government Performance and Results Modernization Act of 2010.


11-Aug-2018 09:25
2018-08-11#

Donald A. Norman Living with Complexity#

"I distinguish between complexity and complicated. I use the word “complexity” to describe a state of the world. The word “complicated” describes a state of mind.

The dictionary definition for “complexity” suggests things with many intricate and interrelated parts, which is just how I use the term. The definition for “complicated” includes as a secondary meaning “confusing,” which is what I am concerned with in my definition of that word. I use the word “complex” to describe the state of the world, the Appropriate complexity.

To the average person, the cockpit of a modern jet airplane is incredibly complicated and confusing. Not for the pilots: to them, the instruments are all logical, sensible, and nicely organized into meaningful groups."

10-Aug-2018 08:59
2018-08-10#

Ran Across Today#

Hu: The Missing Element#

When did the acronym PEBKAC become a commonly accepted trope in security? Blaming users for security failures may be a convenient out, but it is also misguided. Identity and access management, at the center of bringing people into the security equation, should be making things better. But all too often we suffer from the same bad habit of thinking technology can solve all problems - if only the users would listen and do as told. But times, and expectations, are changing. Shifting from “users” to “people” requires us to move security away from being a dark art, and transform it into something more approachable, more human.

Humorous RFCs#

  • Internet Toaster
  • RFC 527 — ARPAWOCKY
  • RFC 748 — Telnet randomly-lose option, M. Crispin, 4/1/1978, 2 pp.
  • RFC 968 — 'Twas the Night Before Start-up, V. Cerf, 12/1/1985, 2 pp.
  • RFC 1097 — Telnet subliminal-message option, B. Miller, 4/1/1989, 3 pp.
  • RFC 1121 — Act One - The Poems, J. Postel, L. Kleinrock, V. Cerf, B. Boehm, D. Waitzman, 9/1/1989, 6 pp.
  • RFC 1149 — A Standard for the Transmission of IP Datagrams on Avian Carriers, D. Waitzman, 4/1/1990, 2 pp.
  • RFC 1216 — Gigabit Network Economics and Paradigm Shifts, P. Kunikos, P. Richard, 3/30/1991, 4 pp.
  • RFC 1217 — Memo from the Consortium for Slow Commotion Research (CSCR), V. Cerf, 4/1/1991, 5 pp.
  • RFC 1300 — Remembrances of Things Past, S. Greenfield, 2/1/1992, 4 pp.
  • RFC 1313 — Today's Programming for KRFC AM 1313, Internet Talk Radio, C. Partridge, 4/1/1992, 3 pp.
  • RFC 1437 — The Extension of MIME Content-Types to a New Medium, N. Borenstein, M. Linimon, 4/1/1993, 6 pp.
  • RFC 1438 — Internet Engineering Task Force Statements Of Boredom (SOBs), L. Chapin, C. Huitema, 4/1/1993, 2 pp.
  • RFC 1605 — SONET to Sonnet Translation, W. Shakespeare, 4/1/1994, 3 pp.
  • RFC 1606 — A Historical Perspective On The Usage Of IP Version 9, J. Onions, 4/1/1994, 4 pp.
  • RFC 1607 — A View from the 21st Century, V. Cerf, 4/1/1994, 13 pp.
  • RFC 1776 — The Address is the Message, S. Crocker, 4/1/1995, 2 pp.
  • RFC 1882 — The 12-Days of Technology Before Christmas, B. Hancock, 12/1/1995, 5 pp.
  • RFC 1924 — A Compact Representation of IPv6 Addresses, R. Elz, 4/1/1996, 6 pp.
  • RFC 1925 — The Twelve Networking Truths, R. Callon, 4/1/1996, 3 pp.
  • RFC 1926 — An Experimental Encapsulation of IP Datagrams on Top of ATM, J. Eriksson, 4/1/1996, 2 pp.
  • RFC 1927 — Suggested Additional MIME Types for Associating Documents, C. Rogers, 4/1/1996, 3 pp.
  • RFC 2100 — The Naming of Hosts, J. Ashworth, 4/1/1997, 3 pp.
  • RFC 2324 — Hyper Text Coffee Pot Control Protocol (HTCPCP/1.0), L. Masinter, 4/1/1998, 10 pp.
  • RFC 2325 — Definitions of Managed Objects for Drip-Type Heated Beverage Hardware Devices using SMIv2, M. Slavitch, 4/1/1998, 8 pp.
  • RFC 2549 — IP over Avian Carriers with Quality of Service, D. Waitzman, 4/1/1999, 6 pp., updates RFC 1149.
  • RFC 2550 — Y10K and Beyond, S. Glassman, M. Manasse, J. Mogul, 4/1/1999, 14 pp.
  • RFC 2551 — The Roman Standards Process -- Revision III, S. Bradner, 4/1/1999, 37 pp.
  • RFC 2795 — The Infinite Monkey Protocol Suite, S. Christey, 4/1/2000, 20 pp.

16-Jul-2018 09:50
New World of Business#
The ultra competitive environment that we The days of stovepipe organizational structures must be broken down into small, reactive teams. Our old Command and Control operating model was well suited to complicated and predictable challenges. Some of these challenges still exist today and may respond to the industrial-era practices that we know so well. However, as the pace of change accelerates, the challenges we face are becoming less and less predictable. Those practices that were so successful in the past are counter-productive in less predictable environments.

To provide some examples, think about these statements: [2]

  • Uber, the world’s largest taxi company, owns no vehicles.
  • Facebook, the world’s most popular media owner, creates no content.
  • Alibaba, the most valuable retailer, has no inventory.
  • Airbnb, the world’s largest accommodation provider, owns no real estate.
  • Amazon is the largest Internet retailer in the world as measured by revenue and market capitalization, and second largest after Alibaba Group in terms of total sales. The amazon.com website started as an online bookstore and later diversified to sell video downloads/streaming, MP3 downloads/streaming, audiobook downloads/streaming, software, video games, electronics, apparel, furniture, food, toys, and jewelry. The company also produces consumer electronics—Kindle e-readers, Fire tablets, Fire TV, and Echo—and is the world's largest provider of cloud infrastructure services (IaaS and PaaS).
These companies are indescribably thin layers that sit on top of vast supply systems (where the costs are) and interface with a huge number of people (where the money is). The New York Times needs to write, fact check, buy paper, print and distribute newspapers to get their ad money. Facebook provides a platform for us to write our own content, and Twitter monetizes the front page of newspapers, which happens to now be the Twitter feed. Our relationships are no longer with the original content Service Providers. Within organizations the same change and similar turmoil is taking place. The monolithic data silos within the organization now need to be shared with not only other organizational silos but even with third-parties.

In the Lean Enterprise, the preface starts off with some quotes:
"Software is eating the world." Marc Andreessen
"In an industrial company, avoid software at your own peril...a software company could disintermediate GE, someday, and we're better off being paranoid about that." Jeff Immelt

Agile, Cloud computing, Microservices, Functions as a Service#

These are terms you hear about, but most of these technologies exist only to allow the organization to become more responsive by adding Business value.

Monolithic Architecture#

A Monolithic Architecture is one in which functionally distinguishable components (for example authentication, data input and output, data processing, error handling, and the User Interface) are all interwoven, rather than being architecturally separate components.

Mainframe computing is an example of a Monolithic Architecture.

Over time more and more requirements are added to the application. At some point the Monolithic application becomes so complex that even a small change requires significant effort because of the interdependencies between the different components within the application. Probably the first component to be refactored out of the monolithic application was Authentication. In the mainframe world this was the External Security Manager (ESM) (think RACF and ACF2). This allowed mainframe applications to at least share user information.

Likewise, the first applications for the PC were also monolithic applications.

Likewise when networking (before the Internet) started, we had monolithic applications.

Authentication was probably the first thing that was refactored, to allow an external Authentication Method. This is generally where we are today in many organizations. Many applications, middleware, and even some operating systems allow for external Authentication (although almost none allow for external Authorization).

And now the Internet. Again, the first thing that was abstracted from WEB Applications was Authentication (think Social Login etc.).

Along the way, several things did happen to applications. Model-View-Controller (MVC) is probably the best known. Applications were broken into separate components within the application, and we came up with “Front-End” and “Back-End” developers. But these components were still all within the same application. They were still, for the most part, within the same process (although it could be multi-threaded).

Now we are at the next phase and we will talk about:

API Economy#

API Economy is evolving out of Responsive Organizations. At Amazon, in 2002, Jeff Bezos issued a mandate:

  • All teams will henceforth expose their data and functionality through service interfaces.
  • Teams must communicate with each other through these interfaces.
  • There will be no other form of inter-process communication allowed: no direct linking, no direct reads of another team’s data store, no shared-memory model, no back-doors whatsoever. The only communication allowed is via service interface calls over the network.
  • It doesn’t matter what technology they use.
  • All service interfaces, without exception, must be designed from the ground up to be externalizable. That is to say, the team must plan and design to be able to expose the interface to developers in the outside world. No exceptions.

The mandate closed with: "Anyone who doesn’t do this will be fired. Thank you; have a nice day!"

Another prime example of industrial-era Organizational practices is General Electric, which inspired awe for many of its 126 years:

  • In 1896, GE was one of the original 12 companies listed on the newly formed Dow Jones Industrial Average
  • In 2008, GE was bailed out by the federal government and Warren Buffett
  • In 2011, GE ranked among the Fortune 20 as the 14th-most profitable company.
  • In 2012, GE was listed as the fourth-largest in the world among the Forbes Global 2000
  • In 2017, GE ranked among the Fortune 500 as the 13th-largest firm in the U.S. by gross revenue.
  • In 2018, GE was removed from the Dow Jones Industrial Average as the stock was down about 55 percent over the past year.

Bounded Context#

Bounded context tries to divide our complex domain along boundaries that make business sense. Bounded contexts are important because they allow us to define a ubiquitous language that is shared and valid within a boundary. A monolithic application is a bounded context in itself: the application must be deployed as a whole, that is, there is one WAR or EXE file that comprises the application. Likewise, each team or area within an organization is a bounded context.

The Finance department only exposes some of the activities that happen within the department. Likewise, the monolithic application only exposes some of the activities that happen within the application. Even within applications there are bounded contexts. The database is a bounded context that often has dependencies for consumers: if the structure of the database is changed, then every consumer of the data also has to change. The database is said to be “tightly” coupled to all of its consumers, as modifications in one require changes in the other. As an example, as Identity Specialists we need to know a lot about IDM. However, the folks writing a Web application only need to know how to use what we provide them. So, in our organization we have two Teams: the IDM Team and the Web development team. Each of these teams represents a bounded context.

Law of Pluralism of Operators and Technologies#

A modern application or system must channel and enable the inter-working of multiple technologies run by multiple providers. Consider a boating application that provides weather as one of its boating functions. In the original monolithic design, the app read the NOAA weather reports and stored the data in a database each day. It then retrieved the data from its own database by Zip Code for each user. Then it was discovered that a weather provider service could supply already formatted data through an API. The app would no longer need to know about the details of the weather data or store it, and the data was provided in real time. The application went from using data within a tightly-coupled datastore to getting data from a REST API. In this case the Bounded Context of the Weather Data was abstracted, or refactored, out of the Bounded Context of the application.
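The boating-app refactoring described above, as an added example written for this page (not the wiki's own code): the application's advisory logic depends only on a `WeatherSource` contract, so the original daily-loaded table and the provider's REST API can be swapped without touching it. The provider's JSON layout (`location.postal`, `marine.windKt`, `marine.waveHeightFt`, `observed`), the `fetch` callable, the Zip Code and all weather values are constructed for illustration; the REST adapter also validates the external response before the rest of the app trusts it, which is the security-relevant part of moving a bounded context behind an API.

```python
"""Refactoring a bounded context (weather data) out of a boating app.

Added illustration, not the wiki's code. All sample data is constructed.
"""
import json
from typing import Protocol


class WeatherSource(Protocol):
    """The contract the application depends on, whoever supplies the data."""
    def forecast(self, zip_code: str) -> dict: ...


class LocalTableWeather:
    """Original design: the app owns the daily-loaded table and its layout."""
    def __init__(self, rows):
        # rows are (zip, wind_knots, wave_ft, date); the app depends on this order
        self._rows = {r[0]: r for r in rows}

    def forecast(self, zip_code: str) -> dict:
        r = self._rows.get(zip_code)
        if r is None:
            raise LookupError(f"no stored weather for {zip_code}")
        return {"zip": r[0], "wind_knots": r[1], "wave_ft": r[2], "as_of": r[3]}


class RestWeather:
    """Refactored design: the provider's JSON, mapped onto the same contract.

    `fetch(zip_code) -> str` stands in for a hypothetical HTTP GET to the
    provider; the adapter is the one place that knows the provider's layout.
    """
    def __init__(self, fetch):
        self._fetch = fetch

    def forecast(self, zip_code: str) -> dict:
        payload = json.loads(self._fetch(zip_code))
        # Validate and normalise external data at the boundary; never let a
        # malformed provider response propagate into application logic.
        try:
            return {
                "zip": str(payload["location"]["postal"]),
                "wind_knots": float(payload["marine"]["windKt"]),
                "wave_ft": float(payload["marine"]["waveHeightFt"]),
                "as_of": str(payload["observed"]),
            }
        except (KeyError, TypeError, ValueError) as exc:
            raise ValueError(f"provider response malformed: {exc}") from exc


def small_craft_advisory(source: WeatherSource, zip_code: str) -> bool:
    """Application logic: unchanged whichever WeatherSource is plugged in."""
    f = source.forecast(zip_code)
    return f["wind_knots"] >= 20 or f["wave_ft"] >= 7


# Constructed sample data for the two designs.
SAMPLE_ROWS = [("33040", 25.0, 8.0, "2018-07-16")]

SAMPLE_API = {
    "33040": json.dumps({"location": {"postal": "33040"},
                         "marine": {"windKt": "12", "waveHeightFt": 3},
                         "observed": "2018-07-16T12:00:00Z"}),
    "bad": "{}",   # a broken provider response
}


def stub_fetch(zip_code: str) -> str:
    """Stand-in for the HTTP call; returns the constructed JSON above."""
    return SAMPLE_API.get(zip_code, "{}")


if __name__ == "__main__":
    print("table  :", small_craft_advisory(LocalTableWeather(SAMPLE_ROWS), "33040"))
    print("REST   :", small_craft_advisory(RestWeather(stub_fetch), "33040"))
    try:
        RestWeather(stub_fetch).forecast("bad")
    except ValueError as e:
        print("rejected:", e)
```

The point of the adapter is that the provider's data shape is a foreign bounded context: if the provider renames a field, only `RestWeather` changes, and a response that does not match the expected shape is rejected at the boundary rather than silently producing a wrong advisory.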

Business value#

The real purpose of all of Information Technology is to provide business value. Business value is to enhance the customer’s experience.

Agile#

Agile methodologies were developed to allow adding business value quickly and efficiently, so that the organization can adapt as things change. Automatic and Continuous delivery/deployment is a goal of Agile. Big Design Up Front (BDUF) is when you make the design at the beginning of a project. Usually this is the point where you actually know the least about what you are designing. Most of us have seen, many times, multi-month (or multi-year) projects where a decision made at the beginning of the project was known to be a bad idea by the time the implementation was being done. Yet, when this was discovered, the now seemingly foolish design had to proceed because we had to meet the timelines.

Emergent Design#

Emergent Design is where the solution emerges little by little as you progress through the process, typically using very short Red Green Refactor cycles. Emergent Design starts with a rough idea about the Business value you want to deliver, and defers most of the design decisions until you know more (the Last Responsible Moment).

Architecting within Information Technology is hard. The requirements shift more rapidly than they do for architects who design and build buildings—as do the tools and techniques at their disposal. The things we create are not fixed points in time. Once launched into production, the software will continue to evolve as the way it is used changes. For most things we create, in Information Technology it is accepted that once the software gets into the hands of our customers we will have to react and adapt, rather than it being a never-changing artifact. Thus, Information Technology architects need to shift their thinking away from creating the perfect end product, and instead focus on helping create a framework in which the right systems can emerge, and continue to grow as we learn more.

Microservices#

Microservices are an approach to distributed systems that promote the use of finely grained services with their own life cycles, which collaborate together.

Because microservices are primarily modeled around business domains, they avoid the problems of traditional tiered architectures.

Microservices also integrate new technologies and techniques that have emerged over the last decade, which helps them avoid the pitfalls of many service-oriented architecture implementations. Microservices did not just get invented, but rather emerged from a world of technologies which came before them, such as:

Summary#

All of these concepts are there to deliver Business value at a faster pace so that the Organizational Entity is more Responsive to Customers.

11-Jul-2018 14:42
2018-07-11#

Loss of Perimeter #

It used to be that a predictable, IT-controlled network contained your Sensitive Data. You could use firewalls and IDS to physically insulate your infrastructure from outside threats. The perimeter is an Application-centric approach where the protection is focused on keeping folks out of the Application or off a secure network.

But this perimeter has dissolved. Users are increasingly connecting via the public Internet, Cloud computing or Mobile Devices. To quote Forrester Research:
“There is a fatal flaw in the main assumption underpinning perimeter-based security — the assumption that there is a ‘trusted’ internal network where data is safe and an ‘untrusted’ external network where data is unsafe. This implicit trust assumption is both incredibly naïve and untenable.”

Many Organizations continue to focus the bulk of their security spending on endpoints, as well as server and network security software solutions.

Yet as organizations turn to new Cloud computing and Mobile Device infrastructure, they are losing the control they once had over their IT assets. In the age of IoT and the work-from-anywhere mantra, where 70% of employees have substantially more access than they need, proper implementation of Identity and Access Solutions is no longer a nice-to-have for Organizations.

According to the U.S. DOJ Assistant Attorney General for National Security, "every internet connected device will eventually be compromised. The only question is when."

Data-centric security is a more pragmatic approach. In essence, with Data-centric security you shift your focus from securing networks, applications and endpoints to identifying, controlling and securing your Sensitive Data. Instead of trying to protect everything, focus on protecting what matters most – your most important data. With Data-centric security, effective risk-based security is centered on three goals:

The foundational security technologies to accomplish these three goals are Data Classification and Data loss.

Infrastructure as a Service (IaaS) platforms from Google, AWS, Azure, and others.

IDaaS is effectively a user management system and a web application SSO platform for a select few web applications.

The Identity-as-a-Service approach doesn’t take into account on-prem infrastructure and resources like Windows, Mac, and Linux systems which are typically out of scope of the cloud-hosted directory.

On-prem resources typically cannot be connected to the directory, either. The on-premise directory service approach is more a user management system for a specific platform than an independent identity provider.

The challenge for any normal organization is how to deal with identity management for both Cloud and Associate identities, as most Organizational Entities are hybrid.

The details: for starters, it’s important to talk more about hybrid infrastructure. Many people think that hybrid means that you have your own data center or servers located on-prem and then cloud infrastructure as well. When it comes to how to manage your identities, the definition of hybrid becomes a lot wider. IT admins are responsible for connecting their users to systems, applications, and networks regardless of the location or platform. In fact, the challenge for IT is how to have True Single Sign-On™ across a wide range of IT resources.

The question for IT admins becomes, will the IDaaS Directory be able to handle a user identity across an organization’s entire IT infrastructure? Unfortunately, the answer is no.

What is required is a well-managed hybrid solution. Some of the desired features are:

One Identity#

Create and manage a single identity for each user across your hybrid infrastructure. Where possible, provide a single point for Authentication. Where this is not possible, keep users, groups and devices in sync.

Single Sign-On#

Provide single sign-on access to your applications, including thousands of integration-ready SaaS apps. Users log in once, their cloud apps automatically sign on and they’re away. Hopefully these SaaS apps utilize open standards such as SCIM 2.0.

Self Service#

Users can securely manage their own services by registering new devices or changing passwords, resulting in less strain on IT resources.

Different User Pools#

04-Jul-2018 07:49
2018-07-04#

Ran Across Today#

Thinking About Today#

Cloud Data Store products require Security Considerations, as the methods are different from those for Local device Data Stores. Ldapwiki has spoken with Companies using large Object storage products where they have found the following:
  • It is so difficult to know whether the data in Object storage is being used by someone or not
  • It could take so much CPU to delete or migrate the data
that they just continue to pay to store the data, as it is "cheap" to store.

There are also concerns with some Cloud Service Providers about Zombie Data.

23-Jun-2018 07:34
2018-06-23#

Ran Across Today#

Who Owns the Data#

June 22, 2018: in a 5-4 landmark decision, the United States Supreme Court ruled Friday that police must obtain a search warrant to access an individual's cellphone location information.
Chief Justice John Roberts said that cellphone location information is a "near perfect" tool for government surveillance, analogous to an electronic monitoring ankle bracelet. The writers of the Constitution, he said, would certainly have understood that an individual has a privacy interest in the day-to-day, hour-to-hour and even minute-to-minute records of his whereabouts — a privacy interest that requires the government to get a search warrant before gaining access to that information.

Roberts also said Friday's decision does not call into question the use of security cameras and other techniques, and it "does not consider other collection techniques involving foreign affairs and national security." What it does do, he said, is "ensure that the progress of science does not erode the Fourth Amendment" guarantee of privacy.

The four dissenting justices wrote separately:

Kennedy's dissent noted that "cell site records are created, kept, owned and controlled by cellphone service providers, who even sell this information to third parties." Therefore, he said, Carpenter cannot claim ownership or possession of the records and has no control over them.

Alito chimed in even more strongly. "The Court's reasoning fractures two fundamental pillars of Fourth Amendment law, and in doing so, it guarantees a blizzard of litigation while threatening many legitimate and valuable investigative practices upon which law enforcement has rightfully come to rely," he said.

He called the majority decision "mystifying" and "puzzling," and he noted that service providers routinely charge cellphone users a fee to inspect their own records. "It would be very strange if the owner of the records were required to pay in order to inspect his own property," Alito said.

Thomas said that the case should turn not on whether a search occurred but on whose property was searched, and "the Fourth Amendment guarantees individuals the right to be secure from searches of their persons, houses, papers and effects." Here, he said, the records don't belong to Carpenter but rather to the service provider.

So even at the United States Supreme Court there are big questions as to Who Owns the Data

12-Jun-2018 14:28
2018-06-12#

Ran Across Today#

A recent study reported that 37% of consumers now spend 27% of their time on Mobile Devices.

Under the Sex Offender Registration and Notification Act (SORNA), the United States Department of Justice decided to apply the law to a man convicted prior to the law’s passage. The United States Supreme Court is set to decide: is it constitutional for the United States Congress to delegate its power to decide details like "when and how" to an unelected bureaucrat — the United States Attorney General in this case — or must such details be decided by the United States Congress itself, in advance, so that everyone can know exactly what the law is?

03-Jun-2018 08:34
2018-06-03#

Ran Across Today#

John Doerr#

TNBT

  • Green Technology and energy is a big deal, and currently it is not sustainable with "Global Weirding". Thinks Africa will starve because it cannot grow crops.
    • Opower good
    • NEST good
    • Not good TSLA
    • Apple will build a Car
    • Better batteries are the key: storage and Energy Density are the KEY to rapid Electric car deployment.
  • Digital health
    • Magic Leap
  • Social Local and Mobile (SoLoMo) (Local and on-demand)
    • Health Care
    • Education
  • Security - hacking etc.

What makes a startup great: (In Order)

  • Technical Excellence - Not because of the people there but the ability to Attract the talent.
  • Outstanding Founders and Management - The leadership and commitment will allow Speed of Execution (Thomas Edison said innovation without execution is a hallucination) Execution matters enormously.
  • Strategic Focus on Large or unserved market
  • Execution That is How Fast do you execute
  • Reasonable Finances - Some raise too much, some raise too little.

If making money is your number one goal, you achieve it not by cutting a tough deal with an investor or a venture capitalist but by being ruthlessly intellectually honest about what the risk is in your venture.

Evaluate new fields: hang out with really smart, innovative people.

  • MIT Technology Review

Qualities in Entrepreneurs

  • Gut feeling
  • People you just know you will get into trouble with.
  • Jeff Bezos - intensity -

Learning and Growing#

If running a startup:
  • Know how to sell
  • Lead a team
  • Personal Networking
  • Public Speaking - Big deal
  • Get in on ground floor as they have smart people.
  • Passion
  • Teams make it happen
  • Book: The Monk and the Riddle

Mercenaries vs. Missionaries #

Ideas are easy but execution is everything, and only Teams do execution.

Health Care#

Education#

20% of kids in American public schools fail to learn how to read. Sal Khan - Khan Academy. Smartphones: 70% of teenagers use Mobile in the Classroom.

Higher education is a great national treasure; yes, it is leading there, despite some of the archaic tenure-based systems and the pressure that there is on these institutions globally. We know that higher education costs too much and it's not available to enough people. MOOCs will not

So I think these MOOCs are not going to replace the physical universities. And indeed, if you look at Coursera, two-thirds of their students are outside the U.S., 60% of them are not enrolled in any kind of formal undergraduate program, and they're just getting started. So I think this whole area is pretty exciting, but it's going to take a long time, because fundamentally it's the second largest, most screwed up part of the American economy: the teachers, the parents and the students are not linked in any rational economic system.

Well, that begs the question, John: what is the most screwed up part of the American economy? Who thinks... yeah, health care. Any other answers? No, it's health care. Why is that? It's because of the same thing: the patients, the providers and the payers are not linked in any rational economic system. Who knows how much it really costs to have their last health care procedure? And, independent of what it costs, who knows how much you paid for it? Who knows how to measure whether or not that worked? Health care in the United States is a three trillion dollar industry.

I just want to put that in context. You know how excited we are about Facebook and Google and Twitter and all these ad-based online systems; online advertising globally is about a 250 billion dollar industry. It's less than 1/10 the size of just health care in the U.S. If you took U.S. health care and made a country out of it, it'd be the fifth largest country in the world. Just our health care: the only bigger countries would be the United States itself, of course, Germany, Japan, China, and then there's U.S. health care, bigger than all of France. All of the gross domestic product of France, of 66 million people, is less than three trillion dollars. And we know a third of it is wasted; a trillion dollars is unnecessary. It's over-utilization.

It's mistakes and errors. The U.S. doesn't have demonstrably better health care than other countries, and so this is a system that's well positioned for improvement. And the really exciting thing about where we are right now in time, this moment in time, is the combination of data, big data, innovation, changes that are possible due to the Affordable Care Act, entrepreneurs. There's an entrepreneur here in the audience who's launched a stealth company that's going to, I believe, transform the health care industry. These forces are coming together in a way that, if I was building my career right now, I think I'd major in computer science and big data and go to work for a company in this field, because this is valuable work. When people lose their health care

insurance, or people they love, they die, or they go bankrupt, or they get divorced, or it cuts very, very deep. And so health care, health care innovation. You asked the question about the FDA, and the FDA has improved its act slowly during the Obama administration, but, you know, fundamentally they were using procedures to approve clinical trials that didn't exploit the targeting and the personalization of gene-based therapies. They're gradually making changes in that part of the system. So let's see, we touched on education online, we touched on health care

China#

Global. How do Western companies succeed in China? I don't know; there's very few examples of it. There's a strong commitment on the part of the Chinese government to foster and encourage national winners. There's a law that's been fast-tracked for both the second and third reading next month, in the middle of March, that would require any provider of innovation or work technologies to host all the data on the Chinese citizens on their ground, to provide a front door, not a back door, of access to those, to provide their source code data. And this has been put forth not by the Ministry of Information but by the national security agencies, and I believe if passed, if fast-tracked, it would cause companies like Apple to leave China, and that would be an extraordinary change. This is not in the interest of the Chinese people, but it's a very difficult place to do business. I think if you're going to succeed in China the way LinkedIn has, the way Evernote has, you're required to partner with local national champions. And of course pretty famously Google says we won't tolerate their censorship, we won't be part of it, we're going to pull out of the country. Really? No, we don't have the data to decide. Yeah, tough call. Largest market in the world. Maybe being there we'll move it towards democracy,

Women#

but maybe not. I haven't talked about women in technology. I'm the proud father of two adopted daughters, and the tech industry is terrible with respect to women. And you know, how, in a time when we can't get enough technical talent, we haven't figured out how to address this problem, I don't know. I talked to John Hennessy, the president of Stanford, about it, and I said why aren't there more women who stay the course right through CS? He says, look, they look at the work that's done in CS, the exercises, the use of talents, and this is just crummy. You know, you're programming in a solitary environment, you're not leveraging your leadership or your ability to connect with and motivate others. And so I think it's a combination of the curriculum, I think it's the role models, it's a lack of mentoring, and this is a national waste. The venture capitalist industry is even worse than the tech industry per se. The average number of females in the venture industry is 4%. What kind of message do you think that sends to female entrepreneurs? I'm proud my own partnership has 20% of our general partners and investing professionals as female, and therefore, first of all, we make better decisions, and second of all, I think we're more attractive to female founders, which I want to back. I want to be part of their innovations in changing the world as much as anyone else's. This is a problem; we're finally starting to talk about it. I hope we do something about it. I hope we get results fast.

Last question. Hi, I'm Ash, I'm a political science student, a senior, and I was wondering: you mentioned that the industry average in VC firms is at 4% of women. If you're a woman and you're hoping to break into the VC industry, what would you suggest a woman do? Women in VC. My advice here applies to women and men in VC, and I think if you want, you cannot buy the right to be on a board of directors. You do not buy the right to advise entrepreneurs. You gotta earn that right. You better earn it by virtue of experience. Maybe you'll be extremely lucky, but my advice is go be a successful entrepreneur. Figure out how hard it really is to raise money, to make a payroll, to fire one of your co-founders, to inspire a team, to grow an organization, how hard it is to manage through managers and managers when you don't know the names of everybody that's in your company. You figure out how to do those things and you will be highly sought after by venture firms, because that's the real deal. Venture capital is a service industry, and so my partners and I, while we've started companies, we're not confused about what our role is. We do not run these companies. We are there to serve the entrepreneurs, to provide them with the best advice that we can when they want it, and sometimes when they don't, and then to back them, to help accelerate their vision. And after all, the reason we invested is their vision, much better than ours. I don't think there's anything wrong with hanging around venture firms, like getting a summer internship there or getting a sense of it. Go to companies that have been backed by good VC firms if that matters to you, but for the most part...

When I first came to Silicon Valley I thought I wanted to intern at and work at a venture firm. Why? Because I heard they had something to do with starting companies, and the advice I got was: forget it. Actually, no VC firms would hire me. They said go get a job at a real tech company, and there was this little chip company getting started called Intel, and that's what I did. I'm one of the luckiest people in the world; it worked out really well.

Resume#

Oh, the resume question: names burnishing your resume, internships. I go for substance over resume, but even an intern at Google, if somebody looks that you've been at Google, that's going to move you higher up. Well, it's a great place to network, it's a well respected technical company, and that applies to a number of other companies as well. It's just kind of the truth and that's what I'm sticking with. How do I keep my networks alive? It's a network; you got to communicate, and you got to be choiceful about who you want to communicate with. Be clear about what you want to do, and hopefully have some fun while you're doing it as well. I do like to say there's always extra points for humor. So communicate like crazy, use the social networks, use the professional networks, live life to the crazy fullest as you possibly can.

I'll tell you what, I've run a little over time now, it's 6:05. I think what we're going to do is close with four more questions, and if anybody wants to leave right now you certainly can. Yep, we get a mic there. Can you talk a little bit more about the sharing economy and which company, you think, is really hot in the area? Yes, especially which sub-vertical should we be looking into? Sharing economy, love to do that. Let's get three more questions up here. What do you think about social entrepreneurship and this new fascination with impact, social entrepreneurs? Love them. Love to talk briefly about resumes, internships.

sharing economy#

Sharing economy: I just made a commitment to an amazing company. Well, we're big investors in Uber, and that's looking good so far. I think that's going to work out, but...

OK, two more. Hi, I'm Lucas, I'm a mechanical engineering student, and I would like to see what you think about companies like SpaceX and space exploration. Space.

Food#

There's a lot of interest in food right now. How many people use Sprig ever? Not so many people. Can anybody use Munchery here? Yeah, more Munchery, by a factor of six to one. I'm gonna go see Sprig tonight, Munchery on Thursday this week. So did I miss one more question?

social entrepreneurship#

On social entrepreneurship, regardless of the field, here's the definition of entrepreneurs: entrepreneurs do more than anyone thinks possible with less than anyone thinks possible. That's the amazing thing. They do more than anyone thinks possible with less than anyone thinks possible, and that can be in a Silicon Valley VC startup, that can be in a non-profit like a hospital, that can be Muhammad Yunus in creating micro loans, that can be Bono in the RED organization in raising the global fund to bring antiretrovirals and AZT to largely women in Africa with AIDS. There's great work to be done for social entrepreneurs, and in a lot of ways that's harder. It's hard to recruit great people to an entrepreneurial organization, but both the satisfaction and the impact of the work, the degree to which it changes the world, certainly can be greater than your next incremental photo web sharing site that too many people are pursuing.

Books#

You asked about my three favorite books for problem solving. I told you how to find out about those: just send me your three.

Failures#

How about ventures that kind of met those criteria but in the end didn't win? And I think the reason is, sometimes they were too early, so Friendster and MySpace, they were too early. But other times, primarily, they don't execute. Ideas are easy; execution is everything. It takes a team to win.

there's never been a better time#

So to each of you: there's never been a better time than now to build an entrepreneurial career. There's never been a better time than now to start a venture. And I did say go join a big company, but if you're the next Mark Zuckerberg I'd like to see you right after this meeting. Thank you very much.

jdoerr@kcdp.com: send him your 3 favorite books; ask for slides.

02-Jun-2018 08:17
2018-06-02#

31-May-2018 12:48
2018-05-31#

24-May-2018 09:43
2018-05-24#

Ran Across Today#

"aging society” in the US — where the proportion of the population over 65 is greater than the proportion under age 15 — and that the effects of the low birthrate “will reverberate for years to come."[1]

The replacement fertility rate of 2.1 — enough to renew the population — is typically viewed as the optimal level for stability. But in 2017, the total fertility rate, or number of births each woman is expected to have in her childbearing years, dropped to 1.76 in the United States.

"To put this in perspective, the total fertility rate hovered above 3.0 in the early 20th century, declined to replacement levels of about 2.1 in the 1940s; reached a peak of 3.7 in the post-World War II baby boom; and then declined rapidly to relatively stable low levels in the 1970s,"

Italy, Japan, Germany, United Kingdom, France and the United States all have birth rates under the replacement fertility rate.

23-May-2018 10:03
2018-05-23#

22-May-2018 13:35
2018-05-22#

Ran Across Today#

  • WAR - Willing, Able, Ready

16-May-2018 08:15
2018-05-16#

13-May-2018 09:29
2018-05-13#

Thinking About Today[1]#

“A decentralized view of authority” is a viewpoint expressed by Whitfield Diffie. By creating the proper cryptographic tools, he felt, you could solve the problem by transferring Data Protection from a disinterested Third-party to the actual user, the one whose privacy was actually at risk. He fantasized about a company that would invent and implement such tools. He even had a name for this imaginary concern: Privacy Protection, Incorporated.

OpenLedger#

Matias Wireless Aluminum Keyboard - Space Gray[2]#

Bought this 2018-03-11. What I like:
  • feels ok
  • extended keyboard (number, home and arrow keys)
  • Wireless and it works.
  • Works over Bluetooth with up to 4 machines (albeit not at the same time)

What I do not like:

  • Letter embossing wears off and some keys become shiny with use
  • Without knowing the secret code of the blinking CAPS Lock lights, I do not know if it is turned on, or charging, or off.
  • Charge does not last as long as some folks imply. I can NOT go for more than a week or two.

02-May-2018 08:43
2018-05-02#

Ran Across Today#

If men were angels#

If men were angels, no Government would be necessary. - James Madison

Bruce Schneier in Liars and Outliers elaborates: "If men were angels, no security would be necessary. Door locks, razor wire, tall fences, and burglar alarms wouldn't be necessary. Police forces wouldn't be necessary. Armies? Countries of angels would be able to resolve their differences peacefully, and military expenses would be unnecessary."

29-Apr-2018 08:27
2018-04-29#

26-Apr-2018 14:30
2018-04-26#

23-Apr-2018 14:42
2018-04-23#

Thinking About Today#

When we think about today's cyber security threats:

Almost all of these are an Implementation Vulnerability rather than a Protocol Vulnerability.

19-Apr-2018 18:27
17-Apr-2018 09:06
2018-04-17#

14-Apr-2018 09:00
2018-04-14#

13-Apr-2018 07:57
2018-04-13#

Distributed Ledger Technology and Ethereum#

When you buy tokens (known as “Ether,” or ETH) on Ethereum, you are buying “work units” in a massive, cryptographically secure computer and cloud network spanning the entire globe.

Although it can be exchanged for and used as currency, ETH’s primary purpose is to incentivize nodes on the Ethereum network to process information and data. The fee paid to nodes on the network is called “gas,” and is paid in fractions of an ETH coin (like 0.00000010 ETH). This is unlike Bitcoin, which is intended to be used purely for financial transactions. Ethereum can do that too, but it can also, for example, run javascript-like code on a webpage, or host static content like image files.

Storing or changing data on the Ethereum blockchain costs ETH, but it is a one time cost. Retrieving the data is free, which is great for static content on web pages, like images. When a website hosts an image on the Ethereum blockchain, users can retrieve that image by pointing to its hash. Or rather, the website administrator would do this, and you as the user would have no idea. You would load the image from the Ethereum network in your browser without realizing it. It would look and act like a normal website, but underneath is a series of extremely complicated mathematics (aptly called mathemagic by the Ethereum Foundation) that make the most widely used encryption today look like crayon drawings.

So what about dynamic content? This is where Smart contracts come in. Developers can use Smart contracts to store memory or to “do something” on the blockchain. For example, imagine a (pretty awesome) website where users input a number, and the website computes and returns double that number. In this case, the website would send the submitted number to a smart contract that would store it in memory, then perform the doubling calculation and finally output the result. If the user wants to recall a calculation they made previously, or submits the same number as before, this can be done without needing to re-submit to the contract. All transaction history is permanently stored within the blockchain. You only have to calculate or “do the thing” once, and never have to waste precious CPU time again. You can simply recall the previous transaction and return its stored result. As more transactions are appended to the blockchain, computation becomes more efficient.

12-Apr-2018 09:24
2018-04-12#

Thinking About Today#

The need for trust and middlemen allows behemoths such as Google, Facebook, and Amazon to turn economies of scale and network effects into de facto monopolies.[1]

The real promise of blockchain technology, then, is not that it could make you a billionaire overnight or give you a way to shield your financial activities from nosy governments. It’s that it could drastically reduce the cost of trust by means of a radical, decentralized approach to accounting—and, by extension, create a new way to structure economic organizations.

11-Apr-2018 08:06
2018-04-11#

09-Apr-2018 20:08
2018-04-09#

Thinking About Today#

Before you go off thinking that this Cloud Service Provider is best, remember your Cloud computing objective. All of those mentioned have some capabilities in most of the same areas, but what do you need from a Cloud Service Provider? Most Organizational Entities use more than one Cloud Service Provider, based on the many different Cloud Services Models that are required.

Generally, this is a good break down on the Cloud Service Providers:

Google and Microsoft keep blending different businesses together to come up with a total cloud number. Should Microsoft's Office 365 and Google's G-Suite be included in Cloud Service Provider numbers?

GCP chief Diane Greene lamented that people have been "grossly underestimating" GCP's revenue, suggesting that this was the reason the company finally put a number on its cloud business: $1 billion each quarter.

Payment Card Industry Security Standards Council (PCI DSS)#

Cloud Service Providers Encryption Data At Rest#

Cloud Service Provider Products#

Biggest Cloud Service Provider?#

Well how would you like to measure them?

From a pure sales standpoint AWS is bigger than the next two, Google and Azure.
Azure shows fast-growing numbers, but most of that is from their Office Products.
Size? We do not know. Google is very secretive on their sales and customer list. As an example, Apple only recently revealed that they used Google Cloud Platform for their iCloud Data Store. This, sort of, implies that perhaps most(?) iOS and Android Apps may store their data on Google Cloud Storage.

It is presumed Google probably has more active capacity than the others. (Other rumors suggest the NSA and several other acronym Government Entities may also.)

Cloud Identity Providers#

Ldapwiki is trying to determine whether these are any different from Social Login.

Be sure to read Legitimacy of Social Login

OpenID Connect Federation#

29-Mar-2018 09:51
2018-03-29#

27-Mar-2018 13:34
2018-03-27#

26-Mar-2018 13:33
2018-03-26#

10-Mar-2018 10:59
2018-03-10#

Thinking About Today#

LASER is an acronym for Light Amplification by Stimulated Emission of Radiation and is based on Fundamental Research described in a 1917 paper by Albert Einstein on the quantum theory of radiation. It was 43 years later (1960) that the first LASER showed up.

09-Mar-2018 09:00
2018-03-09#

24-Feb-2018 09:35
2018-02-24#
22-Feb-2018 09:05
2018-02-22#

14-Feb-2018 09:53
2018-02-14#

OAuth 2.0 and Authentication#

We run across a lot of questions similar to: How can the Resource Server know who the user is and what their permissions are?

Too often people are trying to solve the wrong problem. Let's pretend there is a Web Application (OAuth Client) that provides the Weather to a User (Resource Owner).

The Web Application keeps some data about the user, perhaps their Zip Code so the Web Application can serve up the Weather each time the user comes to the Web Application. Perhaps the Web Application uses a cookie to store the Zip Code.

Obviously the Web Application has a relationship with the user.

The Web Application needs to know ONLY some identification of the User. The Web Application should not be too worried about whether the user is really authentic; it only needs to know the User's Zip Code.

The Web Application then calls a weather API and provides the Zip Code to the Weather Service API (i.e. the Resource Server). The Web Application obviously has a relationship with the Weather Service API, but the user does not. There is no reason that the Weather Service would need to know anything about the user.

So how can we apply OAuth 2.0 to this scenario?

The Web Application could use OAuth 2.0 to obtain Consent from the user and set up a relationship with the user. However, in this case, there is no relationship between the Weather Service API Resource Server and the User. The relationship is between the Web Application and the Weather Service API. We could certainly use OAuth 2.0 to provide this relationship, with the Web Application as the OAuth Client and the Weather Service API as the Resource Server.

12-Feb-2018 10:39
2018-02-12#

Demonstration for Authentication and Authorization#

Primary purpose#

Demonstration of Best Current Practice and Poor Practices for Client applications use of OAuth 2.0, OIDC (maybe UMA) surrounding Authentication and Authorization.

Client HTML Application#

An HTML application which will make API calls to https://api.example.com and possibly other third-party API Resource Servers to obtain data and end-user information. Use JavaScript with node.js, as it is well known and adaptable to most other web-based apps, including mobile.

Use of HTML5 where possible

API Resource Server#

An API server with no relationship to End-Users (only Client Apps). Assume this would use OAuth 2.0 at least to start.

Various Providers#

Desire to work with multiple Authentication Providers using OAuth 2.0 and OIDC. Desired Providers:

Desired Features#

There are a few features that would be nice to incorporate:

05-Feb-2018 09:51
2018-02-05#

Distributed Consensus

31-Dec-2017 11:11
2017-12-31#

25-Dec-2017 08:42
2017-12-25#

23-Dec-2017 09:55
2017-12-23#

Ran Across Today#

Are biometrics a safe way to speed up airport security?#

"Of course, using these biological traits, or biometrics, to verify a person’s identity makes some people nervous. Seidman Becker stressed that everyone’s data is securely encrypted and that no one other than Clear has access to it."

Yeah, I am sure that other folks have said that too, but there are a lot of Third-party Risks.

Estimates are 40% of Breaches involve Third-parties

90% of Organizational Entities plan to expand their use of Third-parties

Two Regulatory Agencies cover Third-party Risk:

21-Dec-2017 09:36
As we think of the end of another year and ponder the future, I found this series of articles a must read.

Perhaps the series of articles best points out the opportunities that we should be looking into for 2020 and that to get there, we should start now.

Ran Across Today#

Third-party Risk continues to be an ongoing issue. Some of the recent issues:

A Cloud computing-based data repository belonging to Alteryx has publicly exposed a Data Store from the data analytics firm's partner Experian and the United States Census Bureau, containing sensitive personal information on 123 million Americans. - 123 million sensitive PII records exposed, most US households hit

Domino's Pizza Blames Supplier For Data Breach: Hackers Are Probing Third-Party Weaknesses

20-Dec-2017 07:56
2017-12-20#

19-Dec-2017 09:26
2017-12-19#

18-Dec-2017 09:03
2017-12-18#

13-Dec-2017 15:38
2017-12-13#

11-Dec-2017 09:07
2017-12-11#

08-Dec-2017 09:05
2017-12-08#

02-Dec-2017 09:06
2017-12-02#

01-Dec-2017 08:57
2017-12-01#

28-Nov-2017 11:58
2017-11-28#

25-Nov-2017 18:40
2017-11-25#

21-Nov-2017 09:38
2017-11-21#

02-Nov-2017 14:14
Edge Proxy is a proxy process that runs alongside your service and proxies your service's traffic through the Edge Proxy's own internal system; it usually uses some kind of middleware (such as Prometheus) for monitoring and metrics to track this traffic. Ambassador is built on Envoy and provides more functionality.
26-Oct-2017 12:04
2017-10-26#

12-Oct-2017 07:45
2017-10-12#
11-Oct-2017 08:57
2017-10-11#

Ran Across Today#

Trust Is Now Business Currency#

In 2016, we predicted that cybersecurity would be a major issue in the presidential election and that an executive would step down due to a breach. Both came true. And it will get worse. Targeted espionage, ransomware, denial of service, privacy breaches, and more will escalate in 2017. The impact of those events will be significant:
  • A Fortune 1000 company will fail because of a cyber breach.
  • Health Care breaches will become as common as retail breaches.
  • More than 500,000 internet of Things devices will be compromised.
  • Within 100 days, the new US president will face a major cyber crisis.
  • National Security risks will drive agencies to expand surveillance technologies, creating legal and ethical conflicts between governments and people.
Your customers are more aware of, wary of, and frustrated with security and privacy risk, and you will increasingly gain or lose affinity based on how much they trust your company.

The Next Technology Revolution#

Technology has already changed the world: the way people live, the power customers have, and how businesses operate. The pace of innovation can be dizzying. The next wave of technologies is poised to remake industries and customer experiences. These technologies will come in three forms:

  • Engagement technologies that will create profoundly different virtual, physical, and digital experiences that are harmonized across journeys.
  • Insights technologies that will convert the promise of personalization and predictive analytics into reality and be able to operate at the micro level at scale.
  • Supporting technologies that will drive new levels of speed and efficiency and underpin this next technology revolution.

Future Prediction#

Key technologies that will reshape how businesses operate and interact with customers

10-Oct-2017 18:34
2017-10-10#

Ran Across Today#

urn:ietf:wg:oauth:2.0:oob#

Date: Tue, Oct 10, 2017 at 11:02 AM Subject: Re: OAUTH-WG Questions on urn:ietf:wg:oauth:2.0:oob To: oauth <oauth@ietf.org>

urn:ietf:wg:oauth:2.0:oob is a Google thing that is not part of the OAuth 2.0 specification.

I think it was mostly a windows thing.

It is not a real redirect URI; it is used as a flag to the Authorization Server to have the result returned "Out Of Band" and the user cut and paste the token.

On Windows, applications could snoop the title bars of other apps, so programmatically retrieve the token value from the title bar.

I don’t really want to put effort into expanding all the reasons this is not secure.

I don’t honestly know what would happen if you sent that redirect URI to a non-Google AS; probably nothing good. It is not part of the OAuth specification and not something people should use without having a good reason and understanding the security implications.

William and I documented several ways to implement native applications on OSX and Windows in RFC 8252.

On windows you are really best off using a UWP app and the native token broker with the code flow.

Documentation https://developers.google.com/api-client-library/python/auth/installed-app

This value signals to the Google Authorization Server that the Authorization Code should be returned in the title bar of the browser, with the page text prompting the user to copy the code and paste it in the application. This is useful when the client (such as a Windows application) cannot listen on an HTTP port without significant client configuration.

When you use this value, your application can then detect that the page has loaded, and can read the title of the HTML page to obtain the Authorization Code. It is then up to your application to close the browser window if you want to ensure that the user never sees the page that contains the Authorization Code. The mechanism for doing this varies from platform to platform.

If your platform doesn't allow you to detect that the page has loaded or read the title of the page, you can have the user paste the code back to your application, as prompted by the text in the confirmation page that the OAuth 2.0 server generates.

John B.
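The post above says urn:ietf:wg:oauth:2.0:oob is a flag, not a redirect URI, and points at RFC 8252 for native apps. As an added example (not code from the post, the IETF thread or Google's documentation), this is how an Authorization Server's redirect_uri check can encode both points: the oob value is refused outright, registered URIs need an exact match, and only a native app's loopback redirect (RFC 8252 section 7.3) may vary its port. Hostnames and paths are constructed.

```python
"""Redirect URI validation at an OAuth 2.0 Authorization Server.

Added example, not code from the mailing-list post or from Google's docs.
It treats urn:ietf:wg:oauth:2.0:oob as the post describes it: a Google-
specific out-of-band flag rather than a redirect URI, so a generic AS
rejects it. Everything else needs an exact match against the client's
registered URIs, with one exception from RFC 8252 section 7.3: a native
app's loopback redirect may use any port, because the app binds an
ephemeral port at runtime. Hostnames and paths below are constructed.
"""
from typing import List, Tuple
from urllib.parse import SplitResult, urlsplit

OOB_FLAG = "urn:ietf:wg:oauth:2.0:oob"
# Literal loopback IPs only; RFC 8252 advises against the name "localhost".
LOOPBACK_IPS = {"127.0.0.1", "::1"}


def _is_loopback(parts: SplitResult) -> bool:
    """True for http://127.0.0.1[:port]/... or http://[::1][:port]/..."""
    return parts.scheme == "http" and parts.hostname in LOOPBACK_IPS


def _portless(parts: SplitResult) -> Tuple[str, str, str, str]:
    """Everything that must still match when the port is allowed to vary."""
    return (parts.scheme, parts.hostname or "", parts.path, parts.query)


def validate_redirect_uri(requested: str, registered: List[str]) -> Tuple[bool, str]:
    """Decide whether `requested` may receive the authorization response.

    Returns (allowed, reason). Deny by default: anything not explicitly
    matched against the client's registration is refused.
    """
    if requested == OOB_FLAG:
        # Not a redirect URI at all; a non-Google AS has no defined behaviour for it.
        return False, "oob is a Google-specific flag, not a redirect URI"
    try:
        req = urlsplit(requested)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False, "malformed redirect URI"
    if req.fragment:
        # RFC 6749 section 3.1.2: the redirection endpoint URI MUST NOT include a fragment.
        return False, "redirect URI must not contain a fragment"
    if requested in registered:
        return True, "exact match"
    if _is_loopback(req):
        for reg in registered:
            reg_parts = urlsplit(reg)
            if _is_loopback(reg_parts) and _portless(reg_parts) == _portless(req):
                return True, "loopback match, port ignored (RFC 8252 7.3)"
    return False, "no registered redirect URI matches"
```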

07-Oct-2017 22:28
2017-10-07#

Ran Across Today#

05-Oct-2017 09:46
2017-10-05#

Operation Aurora#

03-Oct-2017 08:34
2017-10-03-#

Thoughts#

Digital Identities are only owned if they are an authoritative source created by the user. So a typical Organizational Entity SHOULD NOT create Credentials for a customer. More than likely, the user already has a userId created at some Social Identity Provider that SHOULD be used for Authorization to your API. There is nothing stopping you from performing further Identity Proofing for your Assurance that the Social Identity.

If the remote userId is only accessing your API then there is no need for you to be aware of the End-User’s Identity and you would use OAuth 2.0.

If there is an End-User accessing your API and you need the Digital Identity of the End-User, then OpenID Connect should be used.

All creation and management of userId and resources should be performed via SCIM 2.0.

Privileges and OAuth Scopes#

A Privilege allows (or denies) an Entity to perform a specific Resource Action.

Generally we recommend that you create a Privilege (think OAuth Scopes) for each Resource Action (maybe down to the method level) that can be taken against each API.

Then roles (often associated with Groups) are created, which are collections of OAuth Scopes that represent business Roles.

OAuth Scopes SHOULD be domain based URIs that reflect Positive Privilege that is granted to the OAuth Client.

  • com.example.userid.create
  • com.example.userid.read
  • com.example.userid.update
  • com.example.userid.delete

This implies that if the OAuth Scope is NOT present within the Access Token at the Resource Server, the Resource Action is denied.

A role that includes these (and probably other) OAuth Scopes might be:

  • com.example.user.admin

Customer Service Representatives would typically have a role that might be something like:

Which would allow the CSR to read the user data but perform no updates.

Access Control for OAuth 2.0#

Access Control for OAuth 2.0 and OpenID Connect becomes the process of determining whether an OAuth Scope has been Authorized by a Trustor to the Trustee (OAuth Client).

Single Sign-On#

In OAuth 2.0 and OpenID Connect the combination of the iss and the sub can be used for Identity Correlation of a particular entity.

Real World#

Ok, I know this is not what happens in the real world, but it is what we should strive for.

Ran Across Today#

02-Oct-2017 11:42
2017-10-02#

Ran Across Today#

If someone can gain control of a device, they can read the messages without needing decryption. Compromising endpoints – both smartphones and personal computers – is getting easier all the time through the use of spyware.

Suppose an organizational Entity or government Entity (EvilRegime) wants to spy on you and everyone you communicate with. To protect yourself, you’ve installed an end-to-end Encryption tool, such as Signal, for messaging. This makes eavesdropping – even with a court’s permission – that much more difficult for EvilRegime.

But what if EvilRegime tricks you into installing spyware on your device? For example, they could swap out a legitimate upgrade of your favorite game, "ClashBirds", with a compromised version. Or, EvilRegime could use a malware "network investigative technique" as a backdoor into your machine. With control of your endpoint, EvilRegime can read your messages as you type them, even before they are encrypted.

20-Sep-2017 09:09
2017-09-20#

Ran Across Today#

Can I Use: https://caniuse.com/#search=samesite

06-Sep-2017 11:22
2017-09-06#

Ran Across Today#

24-Aug-2017 07:26
2017-08-24#

Ran Across Today#

21-Aug-2017 12:05
2017-08-21#

Ran Across Today#

15-Aug-2017 07:59
2017-08-15#

Ran Across Today#

09-Aug-2017 08:08
2017-08-09#

Ran Across Today#

07-Aug-2017 11:24
2017-08-07#

Some Thoughts about Authentication and Authorization#

04-Aug-2017 08:31
2017-08-04#

Ran Across Today#

Which brings us to the second reason for this post, the difference between “Architecture” and “Design”. In a nutshell, architecture is a type of design where the focus is quality attributes and wide(er) scope whereas design focuses on functional requirements and more localized concerns.

Randy Shoup - Techniques for dealing with shared data, joins, and transactions in a microservices architecture#

https://www.infoq.com/presentations/microservices-data-centric

Scratch Notes...

Software combines #

Organizes
  • Small Teams directly defined within a particular function of the business.
  • Teams need other teams.

Processes - Test Driven Development#

  • Testing increases velocity
  • Tests make better code
  • Provides courage to try new things, knowing you can refactor something and know whether it still works or not.
  • Tests allow fast failures

We do not have time to do it right? - Do you have time to do it more than once?

  • The more time constraints the more it is better to build it right (80/20 rule)
  • Better to build one thing right than two things half-right.

Continuous Delivery #

  • Release smaller sprints.
  • Allows rapid experiments

DevOps#

  • You build it, you Run it.
  • End-to-end ownership of what you write - Full lifecycle of software.
  • No separate QA team
  • No separate Deployment team

Evolution to microservices#

  • ebay 5th generation
  • Perl
  • C++ 3.4 million lines of code
  • Java - Several different Java Apps
  • Polyglot of microservices.

Twitter similar.#

Amazon #

  • Monolithic Perl and C++ (Obidos)
  • Java Scala

No place started with Microservice and no place at this scale is NOT using Microservice.

Microservices may not be right for startups. Monoliths are ok.

Microservices #

  • Scope is single purpose
  • Modular and independent
  • SOA done properly (Bounded Context)

Isolated persistence

  • No sneaking in to look at the other guys data.
  • Same team that writes the microservice owns the data store, OR use an external data store
  • Still ISOLATED
  • Only external access to data store is via public interface

Event-triggered should be a first-class object#

  • A thing happened - Something I cared about
  • Asynchronous Operation - No care if someone is listening.
  • State changes or events must be used.
  • Why - Represents how the world works

Must be within an interface within microservices

  • interface is for any data into or out of a microservice
  • Stitch Fix is still a monolithic database with 175 tables
    • Single point of failure.

Solution is decoupling data how to do it #

  • Write a service interface to isolate data access for the table.
  • Rinse and repeat
  • Simple discussion but a lot of code changes and joins etc.

Bounded context mentioned many times.

Managing data within microservices.

  • shared data
  • Joins work well in mono-data

One service OWNS the data (Customer)

  • Every other service is a RO non-authoritative service

Approach one just look it up? - Every other service looks it up

If too expensive to do ...Eventing from Customer service

Shared metadata - Much of it does not change often.#

  • colors, US States, Shoe Sizes zip codes ....

Joins in microservices #

  • Approach one - Joins in application
  • make two calls to different services.
  • Works well for one-to-many just as a Web page does.

Approach two

  • Maintain a cache of a join
  • Item feedback example many-to-many
  • Listens to items service and feedback service to make join ....
  • Materializing a view in realtime
  • NoSql does this

Transactions #

Easy in relation db. ACID etc.
  • SAGA Pattern -
  • Commit - Workflow that updates different data stores.
  • Rollback - reverse workflow
  • Serverless - Functions as a Service is a great way to do this.

Big believer Lambda Google Cloud functions Azure Functions - triggered by events and produces an event

Stitch Fix is hiring - 50% are remote

Events may fail to arrive, arrive out of order, or arrive more than once (unlike exactly-once delivery).

Events should use at-least-once delivery.

  • More than once / multiple times - the consumer must be idempotent
  • Out of order - Do you care? The consumer must maintain state

Create Customer and Delete Customer arriving out of order: this is handled with Conflict-free Replicated Data Types or Tombstones.

At most once - think of UDP
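The delivery notes above (at-least-once, duplicates, out-of-order Create/Delete, tombstones) in working form, as an added example that is not code from the talk or from Stitch Fix: a naive consumer that deletes rows outright is fed the same constructed stream as a consumer that deduplicates on event id, keeps a per-customer version and tombstones deleted customers.

```python
"""At-least-once event consumption: duplicates and reordering.

Added example for the notes above, not code from the talk. A naive
consumer is contrasted with one that keeps the state the notes call for:
the ids of events already applied (so redelivery is idempotent), a
per-customer version (so a stale event cannot overwrite a newer one) and a
tombstone instead of a physical delete (so a late CustomerCreated cannot
resurrect a deleted customer). Event shapes and the sample stream are
constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Event:
    event_id: str            # unique per event; a redelivery carries the same id
    customer_id: str
    seq: int                 # producer's per-customer version, higher = later change
    kind: str                # "CustomerCreated" or "CustomerDeleted"
    data: Optional[dict] = None


class NaiveConsumer:
    """Applies events in arrival order and deletes rows outright."""

    def __init__(self) -> None:
        self.customers: Dict[str, dict] = {}

    def handle(self, ev: Event) -> None:
        if ev.kind == "CustomerCreated":
            self.customers[ev.customer_id] = dict(ev.data or {})
        elif ev.kind == "CustomerDeleted":
            self.customers.pop(ev.customer_id, None)


@dataclass
class Record:
    version: int
    deleted: bool                      # tombstone: the row stays, marked dead
    data: dict = field(default_factory=dict)


class IdempotentConsumer:
    """Tolerates more-than-once and out-of-order delivery."""

    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}
        self.seen: Set[str] = set()    # bound this (e.g. by time window) in production
        self.applied = 0
        self.skipped = 0

    def handle(self, ev: Event) -> bool:
        """Return True if the event changed state, False if it was a no-op."""
        if ev.kind not in ("CustomerCreated", "CustomerDeleted"):
            return False
        if ev.event_id in self.seen:
            self.skipped += 1          # redelivery: already applied once
            return False
        self.seen.add(ev.event_id)
        current = self.records.get(ev.customer_id)
        if current is not None and ev.seq <= current.version:
            self.skipped += 1          # stale: a later change (or tombstone) already won
            return False
        if ev.kind == "CustomerCreated":
            self.records[ev.customer_id] = Record(ev.seq, False, dict(ev.data or {}))
        else:
            self.records[ev.customer_id] = Record(ev.seq, True)
        self.applied += 1
        return True

    def live_customers(self) -> Dict[str, dict]:
        return {cid: r.data for cid, r in self.records.items() if not r.deleted}


# Constructed stream: the delete for c-42 overtakes its create, the create is
# then redelivered, and c-7 arrives normally.
SAMPLE_STREAM: List[Event] = [
    Event("e-2", "c-42", 2, "CustomerDeleted"),
    Event("e-1", "c-42", 1, "CustomerCreated", {"name": "Bob"}),
    Event("e-1", "c-42", 1, "CustomerCreated", {"name": "Bob"}),  # duplicate delivery
    Event("e-3", "c-7", 1, "CustomerCreated", {"name": "Ann"}),
]


def run_stream(events: List[Event]) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Feed the same stream to both consumers; return (naive view, robust view)."""
    naive, robust = NaiveConsumer(), IdempotentConsumer()
    for ev in events:
        naive.handle(ev)
        robust.handle(ev)
    return naive.customers, robust.live_customers()
```

The naive view ends with c-42 resurrected; the robust view keeps only c-7, and a genuinely later re-create (higher seq) for c-42 would still be honoured.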

03-Aug-2017 21:01
2017-08-03#

Ran Across Today#

"In 2016, over $80B was spent on cybersecurity, and yet the number of breaches skyrocketed to 4.2 billion incidents last year alone. Minimizing an organization’s attack surface while its network continues to expand requires a paradigm shift in security strategy. Security of the past is no match against today’s evolving threats." -Tom Kemp CEO Centrify

02-Aug-2017 13:51
2017-08-02#

01-Aug-2017 08:43
2017-08-01#

Ran Across Today#

Sovrin Foundation - Phil Windley (@phil), Chair of the Sovrin Foundation Board of Trustees, just posted this announcement that the Sovrin Provisional Network went live at 17:30 GMT today.

31-Jul-2017 07:49
2017-07-31#

Privacy#

People say they want privacy.

More people are using End-to-end Encryption apps than before.

But in real life, I think it is mostly what people say. People are unwilling or unable to do the work to be private.

Unable #

Privacy is hard. Encryption is hard and few people understand how to use it let alone how it works.

Un-Willing#

Because privacy is hard it takes more time and effort. Just try to send an encrypted email to someone.

Try to get two people to agree to use an Instant Messaging application that offers End-to-end Encryption.

Government Entities and Privacy#

I want privacy to keep my information from people that I do not want to know what I am doing or saying. More than anyone else I want privacy from Government Entities.

30-Jul-2017 14:07
2017-07-30#

Access Control and OAuth 2.0#

An access_token does NOT contain a Resource Owner's claims, but it contains the subject of the delegation of privileges to the OAuth Client (application). "Subject" is a technical term and it means a unique Identifier. Put simply, "subject" is a user ID in your database.

At a Resource Server endpoint, you should:

  • 1. Extract an access_token from the request. (RFC 6750)
  • 2. Get detailed information about the access_token from the Authorization Server. (RFC 7662)
  • 3. Validate the access_token. The validation includes (a) whether the access token has expired or not, and (b) whether the access token covers the scopes (permissions) that are required by the protected resource endpoint.

The steps above from 1 to 3 are Access Control against OAuth Client applications. OAuth 2.0 (RFC 6749) is used for this.

Using OpenID Connect, you can confirm that an id_token has been issued by the right party by verifying the JSON Web Signature (JWS) (RFC 7515) attached to the id_token. An id_token itself is not a technology to protect Web APIs. But you may be able to use it for that purpose if you use the at_hash claim in an id_token properly (see "3.1.3.6. ID Token" in OpenID Connect Core 1.0). However, at a protected resource endpoint.

After the steps above, you will then do:

The steps above from 4 to 6 are Access Control against the Authenticated Resource Owner.
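Steps 1 to 3 above, together with the 2017-10-03 notes on roles as collections of positive OAuth Scopes, as an added example that is not code from either entry: the Resource Server extracts the bearer token (RFC 6750), asks for its introspection record (RFC 7662, stood in for here by an in-memory table) and denies unless the token is active, unexpired and carries the scope for the requested Resource Action. The com.example.userid.* scopes and com.example.user.admin are from the notes; the CSR role name com.example.user.csr, the tokens and the records are constructed.

```python
"""Resource Server access control for OAuth 2.0 bearer tokens.

Added example, not code from the page, joining two entries: the 2017-10-03
notes on roles as collections of positive OAuth Scopes and the 2017-07-30
steps 1 to 3 for a Resource Server. The scopes com.example.userid.* and the
role com.example.user.admin come from the notes; the CSR role name
com.example.user.csr, the token strings and the introspection records are
constructed, and an in-memory table stands in for the RFC 7662 endpoint.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Roles are collections of positive privileges. Nothing is implied: a scope
# absent from the token means the Resource Action is denied.
ROLES: Dict[str, Set[str]] = {
    "com.example.user.admin": {
        "com.example.userid.create", "com.example.userid.read",
        "com.example.userid.update", "com.example.userid.delete",
    },
    "com.example.user.csr": {"com.example.userid.read"},  # constructed role name
}

# Resource Action on the userid API (down to the HTTP method) -> scope required.
REQUIRED_SCOPE: Dict[str, str] = {
    "POST": "com.example.userid.create",
    "GET": "com.example.userid.read",
    "PUT": "com.example.userid.update",
    "PATCH": "com.example.userid.update",
    "DELETE": "com.example.userid.delete",
}

# RFC 6750 section 2.1: credentials = "Bearer" 1*SP b64token.
_BEARER = re.compile(r"^Bearer +([A-Za-z0-9\-._~+/]+=*)$")

NOW = 1_700_000_000  # constructed reference time, seconds since the epoch


def scopes_for_roles(roles: Iterable[str]) -> Set[str]:
    """Union of the scopes granted by each role; unknown roles grant nothing."""
    granted: Set[str] = set()
    for role in roles:
        granted |= ROLES.get(role, set())
    return granted


def _record(sub: str, roles: Iterable[str], exp: int) -> dict:
    """Constructed RFC 7662 style response; scope uses the RFC 6749 3.3 format."""
    return {"active": True, "sub": sub, "exp": exp,
            "scope": " ".join(sorted(scopes_for_roles(roles)))}


# Stand-in for the Authorization Server's introspection endpoint (RFC 7662).
_INTROSPECTION_DB: Dict[str, dict] = {
    "tok-admin": _record("u-1001", ["com.example.user.admin"], NOW + 3600),
    "tok-csr": _record("u-2002", ["com.example.user.csr"], NOW + 3600),
    "tok-stale": _record("u-1001", ["com.example.user.admin"], NOW - 1),
}


def extract_access_token(headers: Dict[str, str]) -> Optional[str]:
    """Step 1 (RFC 6750): take the token from the Authorization header only."""
    auth = headers.get("Authorization")
    if auth is None:
        return None
    match = _BEARER.match(auth)
    return match.group(1) if match else None


def introspect(token: str, now: int) -> dict:
    """Step 2 (RFC 7662): a real RS POSTs the token to the AS, which answers
    {"active": false} for tokens it does not know or that have expired."""
    record = _INTROSPECTION_DB.get(token)
    if record is None or record["exp"] <= now:
        return {"active": False}
    return dict(record)


def validate(introspection: dict, method: str, now: int) -> Tuple[bool, str]:
    """Step 3: (a) active and unexpired, (b) the scope for this action present."""
    if not introspection.get("active"):
        return False, "invalid_token"
    if introspection.get("exp", 0) <= now:  # re-check locally; a cached answer may be stale
        return False, "invalid_token"
    granted = set(introspection.get("scope", "").split())
    needed = REQUIRED_SCOPE.get(method.upper())
    if needed is None or needed not in granted:
        return False, "insufficient_scope"  # unmapped action or missing scope: deny
    return True, introspection["sub"]


def access_control(headers: Dict[str, str], method: str, now: int = NOW) -> Tuple[int, str]:
    """Run steps 1 to 3; on failure return the RFC 6750 section 3.1 error code."""
    token = extract_access_token(headers)
    if token is None:
        return 401, "invalid_request"  # missing or malformed credentials
    ok, detail = validate(introspect(token, now), method, now)
    if ok:
        return 200, detail  # detail is the subject: the delegating user's id
    return (403 if detail == "insufficient_scope" else 401), detail
```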

29-Jul-2017 07:39
2017-07-29#

Universal Inbox#

28-Jul-2017 10:03
2017-07-28#

There appears to be an increased interest in two divergent ideas in regards to privacy.

The Five-Eyes are exploring the back-door into Encryption while at the same time there appears to be an increased interest into privacy.

Ran Across Today#

  • LIGHTest
  • STORK - a platform which allows people to use their national electronic ID to establish new e-relations with foreign electronic services

STORK #

The STORK project is to establish a European Union eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their National Identity Card eID.

Cross-border user authentication for such e-relations will be applied and tested by the project by means of five pilot projects that will use existing government services in European Union Member States. In time however, additional service providers will also become connected to the platform thereby increasing the number of cross-border services available to European users.

Thus in the future, you should be able to start a company, get your tax refund, or obtain your university papers without physical presence; all you will need to access these services is to enter your personal data using your national eID, and the STORK platform will obtain the required guarantee (authentication) from your government.

User-centric Approach = Privacy Guarantee

The role of the STORK platform is to identify a user who is in a session with a service provider, and to send his data to this service. Whilst the service provider may request various data items, the user always controls the data to be sent. The explicit consent of the owner of the data, the user, is always required before his data can be sent to the service provider.

"STORK project has been completed!" is stated on the website, which refers to a STORK 2, but that website is not found.

Zero Trust#

Zero Trust is a data-centric network design that puts micro-perimeters around specific data or resources so that more-granular rules can be enforced and implemented.

BeyondCorp is an implementation by Google for a Zero Trust Model.

The Zero Trust Model is simple: cybersecurity professionals must stop trusting packets as if they were people. Instead, they must eliminate the idea of a trusted network (usually the internal network) and an untrusted network (external networks). In Zero Trust, all network traffic is untrusted. The Zero Trust

Forrester’s Zero Trust Model has three key concepts:#

  • Ensure all resources are accessed securely regardless of location. Assume that all traffic is threat traffic until your team verifies that the traffic is authorized, inspected, and secured. In real-world situations, this will often necessitate using encrypted tunnels for accessing data on both internal and external networks. Cybercriminals can easily detect unencrypted data; thus, Zero Trust demands that security professionals protect internal data from insider abuse in the same manner as they protect external data on the public Internet.
  • Adopt a Principle of least privilege strategy and strictly enforce Access Control. When we properly implement and enforce Access Control, by default we help eliminate the human temptation for people to access Protected Resources. Today, Role Based Access Control (RBAC) is a standard technology supported by network Access Control and infrastructure software, Identity and Access Management systems, and many applications. Zero Trust does not explicitly define RBAC as the preferred access control methodology. Other technologies and methodologies will evolve over time. What is important is the Principle of least privilege and strict Access Control.
  • Inspect and log all traffic. In Zero Trust, someone will assert their identity and then we will allow them access to a particular resource based upon that assertion. We will restrict users only to the resources they need to perform their job, and instead of trusting users to do the right thing, we verify that they are doing the right thing.

In short, Zero Trust flips the mantra "trust but verify" into "verify and never trust." Zero Trust advocates two methods of gaining network traffic visibility: monitoring and logging. Many security professionals do log internal network traffic, but that approach is passive and does not provide the real-time protection capabilities necessary in this new threat environment.

Zero Trust promotes the idea that you must inspect traffic as well as log it. In order to do so, network analysis and visibility (NAV) tools are required to provide scalable and non-disruptive situational awareness. NAV is not a single tool, but a collection of tools that have similar functionality. These NAV tools include network discovery tools for finding and tracking assets, flow data analysis tools to analyze traffic patterns and user behavior, packet capture and analysis tools that function like a network DVR, network metadata analysis tools to provide streamlined packet analysis, and network forensics tools to assist with incident response and criminal investigations.

There are only two Data Classifications that exist in your organization:

  • Data that Someone Wants to Steal
  • Everything Else
The first type is sensitive or toxic data, which can be easily identified with the equation 3P + IP = TD.

The three P's stand for Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry (PCI); IP is intellectual property; and TD is toxic data.

Forrester breaks the problem of securing and controlling data down into three areas:

  • Defining the data. This involves data discovery and data classification. Security and risk professionals, together with their counterparts in legal and privacy, should define data classification levels based on toxicity. This allows security to protect properly data based on its classification once it knows where that data is located in the enterprise.
  • Dissecting and analyzing the data. This involves data intelligence (extracting information about the data from the data, and using that information to protect the data) and data analytics (analyzing data in near real time to protect proactively toxic data). Look for security information management (SIM) and network analysis and visibility (NAV) solutions to intersect with big data to enhance security decision-making.
  • Defending and protecting the data. Data defense is the fundamental purpose of cybersecurity, and is the area where organizations focus most today. To defend your data, there are only four levers you can pull — controlling access, inspecting data usage patterns for abuse, disposing of data when the organization no longer needs it, or “killing” data via encryption to devalue it in the event that it is stolen.

Zero Trust is:

  • applicable across all industries and organizations – it is an easy-to-implement way to improve security that any organization can adopt.
  • not dependent on a specific technology or vendor – Zero Trust is a vendor-neutral design philosophy that allows maximum flexibility to create architectures that meet specific demands.
  • scalable – vital information is protected while public-facing data travels freely.
  • focused on keeping internal data safe, and would not result in any foreseeable encroachment on Civil Liberties.

micro-perimeter around each resource

27-Jul-2017 20:18
2017-07-27-#

Ran Across Today#

S&T is a novel, powerful, and Open Source research tool for keyboard acoustic eavesdropping. It allows users to perform keyboard acoustic eavesdropping Side-channel attacks: training a Machine Learning model on the distinct noise of each key of someone's keyboard, and then using this model to recover what they are typing from keystroke noise alone. https://github.com/SPRITZ-Research-Group/Skype-Type

24-Jul-2017 08:31
2017-07-24#

Ran Across Today#

23-Jul-2017 09:45
2017-07-23#

Biometric authentication runs afoul of religion in West Virginia#

An article Biometric authentication runs afoul of religion in West Virginia

Not For Identification Purposes#

Whenever you see someone talk about new Identity items, remember Not For Identification Purposes.

Ran Across Today#

Appears most of the questions people encounter with OAuth 2.0 and OpenID Connect involve the Client-side application and how to perform integration.

Either they are trying to "roll their own" and deal with too many details, or they have general implementation issues from an architecture point of view, such as Single Sign-On and use with multiple Applications or microservices.

What Auth0 and Microsoft get right is the simplicity.

In a traditional application, Access Control and Authentication are done at the beginning of the session. There was a "user repository" that the application would call to obtain the Digital Identity information.

When we move to microservices, this approach would require each microservice to have the same ability to call the "user repository", which is not efficient or very scalable.

Many of the posts we see on OAuth 2.0 and OpenID Connect implementation issues revolve around:

Prompt Parameter #

Well really the challenge revolves around questions like: and there are several more.

Most of these can be solved by:

22-Jul-2017 08:53
2017-07-22#

No thinking today.

NGINX

17-Jul-2017 09:32
2017-07-17#
16-Jul-2017 09:29
2017-07-16#

Ran Across Today#

14-Jul-2017 19:36
2017-07-14#

Ran Across Today#

Well not today#

13-Jul-2017 08:12
2017-07-13#

Ran Across Today#

So end-users have continued to lap up messaging applications and tools at unprecedented rates, but they become ever-more siloed and fragmented as user bases. Over-the-top messaging apps have each developed their own dedicated communities, but they are still islands in a large connected sea.

Consumers may like their rich functionality but they remain limited and reliant on friend, family and work contacts all utilizing the same downloaded app. This also implies that only Mobile Network Operators with IP network coverage are able to give end-users full continuity of coverage and a seamless user experience across multiple networks.

WHAT IS Messaging as a Platform (MaaP)? To most users messaging is just an ‘app’ – a program on their phones they use to keep in touch. Advanced Messaging will change that though – messaging is now becoming a ‘platform’ on which applications will be built to deliver whole new levels of interaction and experience.

This is where SMS is headed.

End-users simply want all the services they need as quickly and conveniently as possible, and MaaP lets operators deliver that. If you want to book a taxi, a flight or look up train times for example, you will not need to download a specific new app – just hit your messenger. MaaP removes that barrier of another app to download and connects suppliers directly to consumers.

Messaging as a Platform will give operators all new possibilities for developing and implementing innovative services, and most importantly, for generating new revenues.

11-Jul-2017 00:50
2017-07-10#

Ran Across Today#

04-Jul-2017 09:32
2017-07-04#

Ran Across Today#

28-Jun-2017 09:18
2017-06-28#

Side-channel attacks #

26-Jun-2017 11:38
2017-06-26#

Ran Across Today#

25-Jun-2017 10:45
2017-06-25#

Ran Across Today#

23-Jun-2017 09:37
2017-06-23#

Biometric Authentication#

22-Jun-2017 16:34
2017-06-22#

Ran Across Today#

20-Jun-2017 09:27
2017-06-20#

Founding Member IDPro.

Next Things#

It has been said that Chatbots (Artificial Conversational Entity) will be how we will converse with the Internet.

No more HTML forms for filling in our information; we will use conversation with an Artificial Conversational Entity that will prompt us for answers.

19-Jun-2017 15:19
2017-06-19-#

The Internet of Things Will Expand Connected Life Despite Concerns About Vulnerabilities, Risks and Infringements of Civil Liberties[1]#

Among the key themes emerging from 1,201 respondents' answers were:
  • People crave connection, it's human to connect; it is magical, even addictive.
  • As life increases in complexity, convenience is the default setting for most people.
  • The always-on younger generation can't imagine being anything but connected.
  • Resistance is futile: Businesses will punish those who disconnect and social processes reward those who connect.
  • Fully withdrawing is difficult; maybe impossible.
  • You can't avoid using something you can't discern; so much of the IoT operates out of sight that people will not be able to unplug completely.
  • Risk is part of life; the IoT will be accepted despite dangers because most people believe the worst-case scenario won't happen to them.
  • More people will be connected and more will withdraw or refuse to participate.
  • Some will opt out.
  • The IoT isn't that grand, so why worry either way?
  • Effective regulatory and technology-based remedies will emerge to reduce threats.
  • Governments should be doing more to regulate negligent companies, punish bad actors.
  • Lack of trust and safety and privacy issues will move those with fears to withdraw from the IoT.
  • "TMI" and less-than-stellar performance from complex technology systems will drive dropouts.
  • The dangers are real, whether or not people choose to disconnect; threats are likely to turn into attacks and other acts, possibly some violent.
  • Security and privacy issues are magnified by the rapid rise of the IoT.
  • IoT security concerns endanger civil liberties.

Doc Searls - "The only way to fully reduce vulnerability to surveillance and other forms of Bad Acting is to give individuals full control over the things in their lives. Today we are only beginning to evolve toward that end state; but the demand will be there, which is why there will be a business in it, and it will come to pass"

18-Jun-2017 09:05
2017-06-18#

Ran Across Today#

Two parts to the Certificate Request Process

17-Jun-2017 10:02
2017-06-17#

Gluu Server#

The Gluu Server includes a variety of components, each of which serves a different purpose. You can use any or all of the following:

Using oxd to support federation in an application provides both technical and business advantages:

oxd consolidates the OAuth2 code in one package. If new vulnerabilities are discovered in OAuth2/OpenID Connect, oxd is the only component that needs to be updated. The oxd APIs remain the same, so you don’t have to change and regression test your applications;

oxd is written, maintained, and supported by developers who specialize in application security. Because of the complexity of the standards–and the liability associated with poor implementations–it makes sense to rely on professionals who have read the specifications in their entirety and understand how to properly implement the protocols;

Centralization reduces costs. By using oxd across your IT infrastructure for application security (as opposed to a handful of homegrown and third party OAuth2 implementations), the surface area for vulnerabilities, issue resolution, and support is significantly reduced. Plus you have someone to call when something goes wrong!

OAuth 2.0 #

SAML vs OpenID Connect#

Metadata#

Both SAML and OpenID Connect have Discovery Mechanisms.

Clients#

SAML has

15-Jun-2017 12:54
2017-06-15#

Best Practices OpenID Connect#

Minimal id_token verification#

OPTIONAL id_token verifications:

Read the OpenID Connect Implementer's Guides

Advanced OpenID Connect Clients#

OpenID Connect Client#

OpenID Connect DO THESE#

OpenID Connect DO NOT THESE#

12-Jun-2017 08:49
2017-06-12#

Ran Across Today#

30-May-2017 11:23
2017-05-30#

Ran Across Today#

  • Credential Stuffing is the process of using automated systems to brute-force a website with login information stolen from another site, hoping it will match with an existing account.
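
A detection heuristic for the pattern just described, added here as an example (not from the blog): per source address, many distinct accounts with only one or two attempts each and a high failure rate is the credential-stuffing signature, as opposed to one user mistyping or a brute force against a single account. The log format, addresses and usernames are all constructed.

```python
import re
from collections import defaultdict

# Constructed login-audit line format (not a real product's format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample lines: one source cycling through many accounts once
# each (stuffing, with one hit), one user mistyping, one single-account
# brute force.
SAMPLE_LOG = """\
2017-05-30T11:00:01Z src=10.0.0.5 user=alice result=fail
2017-05-30T11:00:02Z src=10.0.0.5 user=bob result=fail
2017-05-30T11:00:03Z src=10.0.0.5 user=carol result=ok
2017-05-30T11:00:04Z src=10.0.0.5 user=dave result=fail
2017-05-30T11:00:05Z src=10.0.0.5 user=erin result=fail
2017-05-30T11:00:06Z src=10.0.0.5 user=frank result=fail
2017-05-30T11:00:07Z src=10.0.0.5 user=grace result=fail
2017-05-30T11:00:08Z src=10.0.0.5 user=heidi result=fail
2017-05-30T11:01:00Z src=10.0.0.9 user=bob result=fail
2017-05-30T11:01:05Z src=10.0.0.9 user=bob result=fail
2017-05-30T11:01:09Z src=10.0.0.9 user=bob result=ok
2017-05-30T11:02:00Z src=10.0.0.7 user=admin result=fail
2017-05-30T11:02:01Z src=10.0.0.7 user=admin result=fail
2017-05-30T11:02:02Z src=10.0.0.7 user=admin result=fail
2017-05-30T11:02:03Z src=10.0.0.7 user=admin result=fail
2017-05-30T11:02:04Z src=10.0.0.7 user=admin result=fail
2017-05-30T11:02:05Z src=10.0.0.7 user=admin result=fail
"""


def parse_log(text):
    """Return a list of dicts (ts, src, user, result); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_credential_stuffing(events, min_accounts=5,
                               max_attempts_per_account=2.0, min_fail_ratio=0.6):
    """Flag sources that spray a few attempts across MANY accounts.

    A single account with many failures (brute force) or a user who mistypes
    a few times does not meet the distinct-account threshold. For each
    flagged source, the accounts that succeeded are the ones whose password
    (reused from another site) matched; those are the accounts to reset and
    notify.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "fails": 0,
                                   "per_user": defaultdict(int), "ok_users": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["per_user"][e["user"]] += 1
        if e["result"] == "fail":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])

    findings = {}
    for src, s in per_src.items():
        distinct = len(s["per_user"])
        avg_attempts = s["attempts"] / distinct
        fail_ratio = s["fails"] / s["attempts"]
        if (distinct >= min_accounts and avg_attempts <= max_attempts_per_account
                and fail_ratio >= min_fail_ratio):
            findings[src] = {"distinct_accounts": distinct,
                             "attempts": s["attempts"],
                             "fail_ratio": fail_ratio,
                             "matched_accounts": sorted(s["ok_users"])}
    return findings


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```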

27-May-2017 11:27
2017-05-27#

Ran Across Today#

25-May-2017 08:46
2017-05-25#

Golden Ticket#

24-May-2017 11:08
2017-05-24#

Ran Across Today#

It appears NetIQ changed all the XDAS Events with the latest eDirectory 9.0.3.0 (40005.12).

21-May-2017 09:56
2017-05-21#

Ran Across Today#

05-May-2017 11:28
2017-05-05#

Ran Across Today#

29-Apr-2017 08:20
2017-04-29#

Ran Across Today#

Personal Metadata[1]#

Personal Metadata – digital information about users' location, phone call logs, or web searches – is undoubtedly the oil of modern data-intensive science and of the online economy. This high-dimensional metadata is what allows apps to provide smart services and personalized experiences. From Google's search to Netflix's “movies you should really watch,” from Pandora to Amazon, metadata is used by commercial algorithms to help users become more connected, productive, and entertained. In science, this high-dimensional metadata is already used to quantify the impact of human mobility on malaria or to study the link between social isolation and economic development.

Metadata has however yet to realize its full potential. This data is currently collected and stored by hundreds of different services and companies. Such fragmentation makes the metadata inaccessible to innovative services, researchers, and often even to the individual who generated it in the first place. On the one hand, the lack of access and control of individuals over their metadata is fueling growing concerns. This makes it very hard, if not impossible, for an individual to understand and manage the associated risks. On the other hand, privacy and legal concerns are preventing metadata from being reconciled and made broadly accessible, mainly because of concerns over the risk of re-identification.

Data ownership and privacy[2]#

Perhaps the greatest challenge posed by this new ability to sense the pulse of humanity is creating a "new deal" around questions of privacy and Data Ownership. Many of the network data that are available today are freely offered because the entities that control the data have difficulty extracting value from them.

As we develop new analytical methods, however, this will change. Moreover, not all people who want access to the data do so for altruistic motives, and it is important to consider how to keep the individuals who generate this information safe. Advances in analysis of network data must be approached in tandem with understanding how to create value for the producers and owners of the data while at the same time protecting the public good. Clearly, our notions of privacy and ownership of data need to evolve in order to adapt to these new challenges.

This raises another important question: how do we design institutions to manage the new types of privacy issues that will emerge with these new reality mining capabilities? Digital traces of people are ubiquitously preserved within our private and public organizations— location patterns, financial transactions, public transportation, phone and Internet communications, and so on. Certainly new types of regulatory institutions are required to deal with this information, but what form should they take?

Companies will have a key role in this new deal for privacy and ownership. One suggestion is that there is an incentive system, one that gives added value to the users. Market mechanisms appear to be a particularly interesting avenue of exploration, since they may allow people to give up their data for monetary or service rewards. Ideally, this would be put into place in order to gain approval from the majority of the population to use data collected from their digital interactions.

Other important considerations revolve around data anonymity. The use of anonymous data should be enforced, and analysis at the group level should be preferred over that at the individual level. Robust models of collaboration and data sharing need to be developed; guarding both the privacy of consumers and corporations’ legitimate competitive interests is vital here.

What must be avoided is either the retreat into secrecy, so that these data become the exclusive domain of private companies and remain inaccessible to the Common Good, or the development of a “big brother” model, with government using the data but denying the public the ability to investigate or critique its conclusions.

Neither scenario will serve the long-term public interest in having a transparent and efficient government.

The new deal on data#

The first step toward open information markets is to give people ownership of their data. The simplest approach to defining what it means to "own your own data" is to go back to Old English Common Law for the three basic tenets of ownership, which are the rights of possession, use, and disposal:
  • possession: You have a right to possess your data. Companies should adopt the role of a Swiss bank account for your data. You open an account (anonymously, if possible), and you can remove your data whenever you’d like.
  • use: You, the data owner, must have full control over the use of your data. If you’re not happy with the way a company uses your data, you can remove it. All of it. Everything must be opt-in, and not only clearly explained in plain language, but with regular reminders that you have the option to opt out.
  • disposal: You have a right to dispose of or distribute your data. If you want to destroy it or remove it and redeploy it elsewhere, it is your call.

Ownership seems to be the minimal guideline for the "new deal on data". There needs to be one more principle, however—which is to adopt policies that encourage the combination of massive amounts of anonymous data to promote the Common Good. Aggregate and anonymous location data can dramatically improve society. Patterns of how people move around can be used for early identification of infectious disease outbreaks, protection of the environment, and public safety. It can also help us measure the effectiveness of various government programs, and improve the transparency and accountability of government and nonprofit organizations.

Web Blog_blogentry_290417_1 and IoT#

In this IoT scenario, billions of devices collect data out in the world and send it back to somebody's cloud for storage and/or processing. That data has value, not only to the company generating it, but to the technology companies that provide the data-crunching services. And as the whole notion of "big data" involves aggregating data from many sources, analyzing it, slicing and dicing it, the issue of data Provenance and Data Ownership becomes murkier.[3]

More Information#

http://fortune.com/2016/04/06/who-owns-the-data/

28-Apr-2017 08:44
2017-04-28#

Ran Across Today#

23-Apr-2017 08:26
2017-04-23#

Ran Across Today#

21-Apr-2017 09:53
2017-04-21#

Ran Across Today#

18-Apr-2017 08:30
2017-04-18#

API Chaining#

Object-oriented Programming#

16-Apr-2017 09:53
2017-04-16#

Advanced Key Processor (AKP)

14-Apr-2017 09:10
2017-04-14#

Verifiable Claims#

10-Apr-2017 04:09
2017-04-10#

Ran Across Today#

06-Apr-2017 09:18
2017-04-06#

Next Generation Identification#

04-Apr-2017 08:34
2017-04-04#

Nishant Kaushik [1]#

"What that means is that after sending her through a strong Identity Proofing process (like in the banking example above), part of what came out of it is a weak authentication credential. The strength and rigor of those credentials have nothing at all to do with the strength and rigor of the process that was used to establish them. In other words, there is absolutely no correlation between the assurance of the identity and the assurance of the authentication. We simply cannot solve our security woes without addressing this mismatch."

From what I believe he is implying, regardless of the Identity Proofing during the Credential Enrollment, there is a "weak" credential issued and/or there is a weak assurance between the credential and the Authenticator.
Or are they the same? They do have the same outcomes: a weak credential or a weak connection between the credential and the Authenticator.

I know at a bank I use, the only Authentication Method that I can use is password-based.

03-Apr-2017 09:13
2017-04-03#

Ran Across Today#

I always wonder why there are so many words. Saw this word today: proffer. Had to look it up.

24-Mar-2017 09:34
2017-03-24#

Enough is Enough[1]#

I am sick and tired when I see statements like: "When considering that users' inability to properly protect and manage passwords causes over 90% of cyber attacks, it is evident that our current IAM approach which mostly uses passwords for authentication cannot support the security of the future state where many devices will be interconnected," says Henry Bagdasarian, Founder of Identity Management Institute and cybersecurity thought leader.

Where I have an issue is: "When considering that users' inability to properly protect and manage passwords".

First, let's look at: the "inability to properly protect and manage passwords".

So "users" are told to:

  • use strong passwords (generally this means passwords of more than 10 characters)
  • not use the same password on any other of the 200+ sites you visit
  • many times, change their password every so many days

And we think anyone can do this and still remember passwords?

The problem is not the user's "inability to properly protect and manage passwords"; it is that IAM professionals would even consider this an accomplishable feat.

The IAM Professionals have failed to deliver or implement a reasonable alternative.

The article goes on and says "Identity Management Institute predicts that organizations will slowly move away from passwords". No kidding? That has been said for more than 10 years.

Perhaps a better question is why so many Service Providers are still asking for passwords and keeping PII data. We have very strong Authentication abilities now with the use of OpenID Connect and Social Identity Providers, many of which offer Multi-Factor Authentication where the credentials are never revealed to the Service Provider.

18-Mar-2017 09:08
2017-03-18#

Typically#

Typically, when we access a Website we do this in an effort to access Data of some type. Perhaps we need to access data about the news, or we go to our Financial Institution to access our bank account. The "news" and our bank account are Protected Resources. The news site may not require Authentication to read the news, but we probably cannot change the news without Authentication.

When we access the news, the website may not need to Authenticate the user (to read the news), even though the website may perform Identification using a cookie or some other method.

When we access our Financial Institution, we will expect, and probably insist, that Authentication be performed on the user accessing our bank account.

Use case Copy Password#

We have all probably used these sites or applications. These "Client Applications" allow us to access some Protected Resource, like our bank account.

Some of these create a "Password Vault" in which you store your passwords to other sites. Hopefully they protect this "Password Vault" well. Then they replay your password to the other sites to access the Protected Resources. (This is impersonation, not delegation.) The Protected Resource thinks it is you accessing the resource and has no idea it is the Client Application.

This use-case also exposes the user's credentials to the "Client Application".

One of the biggest violators I know of is Quicken.

Some other Client Applications may just ask for our credentials to access the bank account in real time and do not use a Password Vault.

In both of these Use Cases, the Protected Resource (our bank account) has no methodology to determine that it was the Client Application accessing the Protected Resource rather than us. This is impersonation. The Client Application is impersonating us, and the Protected Resource has no method of Auditing to say otherwise.

Use Case Enterprise LDAP Authentication #

Many enterprises use a central LDAP for authentication services. Interestingly, this pattern is similar to the Password Vault Authentication Method. When using LDAP for authentication, a Client Application collects credentials directly from the user (in Plaintext) and then replays these credentials to the LDAP server to determine if they are valid. The Client Application must have access to the plaintext password of the user during the transaction; otherwise, it has no way to perform LDAP Authentication.

In a very real sense, both of these Use Cases are a form of Man-In-The-Middle attack on the user, although one that is hopefully benevolent in nature.

In a typical Enterprise LDAP Authentication setup, the user's credentials may be exposed to several applications, and each of these applications is an exposure to an attacker.

In both of these approaches, the Client Application is impersonating the Resource Owner, and the Protected Resource has no way of distinguishing a call directly from the Resource Owner from a call being directed through a Client Application.

Both of these approaches are the Password Anti-Pattern of Sharing Your Password.

The important differences: Delegation vs Impersonation #
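
To make the distinction concrete, here is an added example (not the author's code) of the two patterns as the Protected Resource sees them: a replayed password leaves an audit record that cannot distinguish the Resource Owner from a Client Application impersonating her, while a delegated, scoped token names both the owner (sub) and the acting client (azp). The HMAC token format, the BankResource class and all keys and passwords are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo data: a salted password hash for the Resource Owner and a
# key shared between the Authorization Server and the Resource Server.
SALT = b"demo-salt"
USER_PASSWORD_HASH = {"alice": hashlib.sha256(SALT + b"correct horse").hexdigest()}
AS_SIGNING_KEY = b"demo-authorization-server-key"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def issue_token(sub, client_id, scope, ttl=300):
    """Authorization Server: mint an HMAC-signed token naming BOTH the
    Resource Owner (sub) and the Client acting on her behalf (azp).
    Alice authenticates to the Authorization Server, never to the Client."""
    claims = {"sub": sub, "azp": client_id, "scope": scope,
              "exp": int(time.time()) + ttl}
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_token(token, now=None):
    """Resource Server: check signature and expiry; return the claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64url(hmac.new(AS_SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims


class BankResource:
    """The Protected Resource. Its audit log is the point: with a replayed
    password it cannot tell Alice from a Client impersonating her; with a
    delegated token it records who actually called, and with what scope."""

    BALANCE = {"alice": 100}

    def __init__(self):
        self.audit = []

    def balance_with_password(self, user, password):
        # Impersonation path: whoever holds the password simply IS the user.
        digest = hashlib.sha256(SALT + password.encode()).hexdigest()
        if not hmac.compare_digest(digest, USER_PASSWORD_HASH.get(user, "")):
            self.audit.append({"user": user, "actor": "unknown", "via": "password", "ok": False})
            return None
        self.audit.append({"user": user, "actor": user, "via": "password", "ok": True})
        return self.BALANCE.get(user)

    def balance_with_token(self, token):
        # Delegation path: the token says who acts (azp) for whom (sub) with
        # which scope, so least privilege and honest auditing are possible.
        claims = verify_token(token)
        if claims is None or "balance:read" not in claims.get("scope", "").split():
            self.audit.append({"user": None, "actor": None, "via": "token", "ok": False})
            return None
        self.audit.append({"user": claims["sub"], "actor": claims["azp"],
                           "via": "token", "ok": True})
        return self.BALANCE.get(claims["sub"])


def demo():
    """Run both flows and return the audit log for inspection."""
    bank = BankResource()
    # 1. Alice herself, then a Password Vault client replaying her password:
    #    the two audit records are indistinguishable.
    bank.balance_with_password("alice", "correct horse")
    bank.balance_with_password("alice", "correct horse")  # vault replay
    # 2. Delegated tokens: the record names the client; scope is enforced.
    bank.balance_with_token(issue_token("alice", "budget-app", "balance:read"))
    bank.balance_with_token(issue_token("alice", "budget-app", "profile:read"))  # denied
    return bank.audit


if __name__ == "__main__":
    for record in demo():
        print(record)
```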

08-Mar-2017 17:50
2017-03-08#

Anonymity#

07-Mar-2017 09:52
2017-03-07#

Ran Across Today#

OpenID Connect MODRNA Authentication Profile 1.0

OpenID Connect Account Porting defines mechanisms to support a user porting from one OpenID Connect Provider to another, such that Relying parties can automatically recognize and verify the change.

01-Mar-2017 11:34
2017-03-01#

Complexity and why OAuth 2.0 and OpenID Connect Help#

In a traditional WEB Access Management product there are three primary methods used:

How WEB Access Management product implemented#

In many, if not most, WEB Access Management product implementations only "coarse-grained" access is protected by the WEB Access Management product. "Fine-grained" access is typically done within the Application. (APIs and Microservices are of course excluded here.)

So when a new application comes on-board, the Access Management team must configure the protected URLs. The WEB team knows what needs protecting but not how to configure the Access Management tool. The Access Management team knows how to configure the Access Management tool but not what to protect. This implies communication, often via a Change Control Process, where information can be lost or misunderstood.

When using OAuth 2.0 and OpenID Connect, once the OAuth Client is set up, the Web Team can control Application access using the security-constraint within the Web container, which is a concept they are familiar with.

As the Application can obtain Identity State using OpenID Connect, the requirement for WAM WEB Agents becomes less important.

Many WEB Access Management product implementations#

Many of the WEB Access Management products use OpenID Connect to communicate with their agents.

The advantage of WEB Access Management products#

The big advantage provided by these WEB Access Management products is the management of the Policy Information Point, where the policies which determine access to Protected Resources are stored. In many Organizations, the Policy Information Point is not well utilized, as many organizations have never classified applications or performed Data Classification sufficiently to be able to make proper use of this centralized Policy Information Point. The effective Policy Information Point and Policy Enforcement Point are within the Application.

There is also some advantage to the WEB Access Management products in the use of a formalized and centralized Policy Administration Point, provided the organization has performed the proper Data Classification.

OpenID Connect, where the rubber meets the road#

OpenID Connect allows the Applications Team, which is typically the group really deciding the Access Control policy, to implement Access Control in the methodology they are most familiar with, without having to go through a change control process to have the desired actions implemented by another group.

OpenID Connect #

OpenID Connect also has an advantage in that the Application never even sees the Credentials of the user, which provides an added security benefit.

24-Feb-2017 09:44
2017-02-24#

Ran Across Today#

21-Feb-2017 14:48
Overview#
Web Blog_blogentry_210217_1

20-Feb-2017 17:27
2017-02-20#

Industry 4.0 #

Industry 4.0 encompasses a promise of a new industrial revolution.

One that marries advanced manufacturing techniques with the Internet of Things to create a digital manufacturing enterprise that is not only interconnected, but communicates, analyzes, and uses information to drive further intelligent action back in the physical world.

EMPTY THE REPOSITORY: WHY VIRTUAL TOKENS ARE BETTER FOR AuthZ#

If you’re using a business application, it is very likely to have a user repository attached. This is usually a simple database containing an ID and list of authorized actions for each user. It’s a simple system, and as a 2014 survey showed, its downfall is that the average enterprise has over 500 applications in use. We know that the number is closer to 500,000 applications running per enterprise. With one repository per application, the challenge of managing these repositories cannot be understated.

Several solutions have been tried, with LDAP (Lightweight Directory Access Protocol) as the most popular. This is, in effect, a single directory designed to share user and authorization information between many applications. Its advantage is that it is an industry standard designed so that every developer can freely integrate it into their product. The drawback, however, is that it didn’t fit all AuthZ needs and so wasn’t widely adopted.

The Problems with Repositories Mimic those of Static AuthZ#

In addition to the problem of volume, repositories have drawbacks common with other traditional forms of AuthZ.
  • Administration: In order to change permissions for a given application, the repository needs to be updated. Either manually or by a provisioning system, in both cases it’s a complicated task that requires time and resources.
  • No Flexibility: Authorizations don’t change based on any variables. For example, a cyber security event, or a user login through a mobile device, won’t remove any assigned permissions. Repositories are static, and their users & permissions must be programmed in advance.
  • Inefficient Distribution: With over 500 repositories in the average enterprise, the problem isn’t just a matter of scale. It is difficult to apply AuthZ policy consistently over such a large volume of databases. If the AuthZ policy isn’t applied consistently – whether due to accident or indifference, then certain applications may become security risks.

Virtual Tokens Provide the Answer#

Virtual tokens take one of the traditional aspects of AuthZ and flip it on its head. What if, instead of storing AuthZ information in large repositories within each application, you instead reduce it to a small repository fitted for an individual user? This is what a virtual token represents. Upon access, this token is sent to the application, which responds accordingly.

This approach displays some marked advantages over the traditional repository approach. For one, it’s responsive: the data carried by the virtual token allows the application to respond dynamically based on conditions described by the AuthZ token. Secondly, virtual tokens are allowed to be small, containing only the information that’s necessary for the app to authenticate and authorize the user.

Say NO to Provisioning#

Lastly, virtual tokens reduce the need to maintain all those repositories, so no more unmanaged AuthZ, no more “ghost” IDs.

Oracle bets Java EE future on REST APIs#

REST Ahead

Oracle is banking on REST and JSON to modernize Java EE for microservices and the cloud. ... He cites features such as a new API to dynamically configure Java EE applications, native support for OAuth/OpenID Connect, health check services, and Java SE 9-based modularity.

20-Feb-2017 13:18
2017-02-20#

OAuth 2.0 Use Cases#

10-Feb-2017 09:20
2017-02-10#

Did some work on the ideal IAM Charter

09-Feb-2017 11:42
2017-02-09#

Passwords just Do Not Scale#

We have all heard the common rules:
  • Create unique passwords that use a combination of words, numbers, symbols, and both upper- and lower-case letters.
  • Avoid using the same password at multiple Web sites.
  • and several more...
So say you have 27 passwords (an average I saw); another statistic I saw was that 35% are not using strong enough passwords.

A strong password generated at passwordsgenerator.net (funny, the site is not secure: no HTTPS) looks like:

,!V@G8z[-9D#hF.J
So no one will ever remember such a thing and many "Secure Sites" may not allow some of the characters within the password or not allow 16 characters.

So we need 27 of these passwords for the average person. NOT GOING TO HAPPEN!

Generally sites would be better off requiring a password and Multi-Factor Authentication.

Mobile Device and Authentication in Financial Organizations#

Conclusion[1]

Americans are spending a growing share of their digital time on mobile. According to recent data released by KCPB, adults in the United States spent 5.6 hours per day on their Mobile Devices in 2015, an amount of time that has grown at a compound annual growth rate of 10.98% since 2008. Financial institutions are scrambling to offer consumers mobile access to their products and services that is comparable to the online Web access available through the desktop computer, since this is the experience consumers have come to expect. This shift to mobile has placed financial institutions’ security and authentication needs in a state of flux as the FIs experiment with new ways of delivering banking services securely through the mobile channel.

In addition, each financial institution has its own unique view of risk and requires solutions that can be customized to fit its risk management governance model and often individual product risk profiles.

Financial Institutions recognize that they need more sophisticated fraud management and identity verification processes than user IDs and passwords alone. Biometric identification through fingerprint, voice, and facial recognition is of growing interest as a way to balance security with improving the user experience. However, Biometrics tend to come later in the fraud detection value chain. Early in the process, financial institutions need to be able to balance the need for enhanced risk processes with the all-important customer experience. Creating too much friction in the account acquisition or on-boarding process is noncompetitive, as financial institutions know. What they need, then, are multi-layered authentication workflows that allow them to apply rules in a logical manner that prevents unnecessary input or verification steps. Mobile is also opening up new tools to fight fraud, as these devices come with a range of sensors that allow a much deeper understanding of who the user is (i.e., the user’s identity and patterns of behavior). FIs are looking to build capabilities that address this aspect by investing in solutions that leverage geolocation, for example, and other relevant data.

The increased sophistication of cutting-edge software solutions to fight fraud brings financial institutions the opportunity to use these tools to build mobile identities with carrier data for their account holders. Creating a more nuanced and complex identity, one that incorporates personal, device-dependent data and location data into a comprehensive view, will allow financial institutions to provide a far more seamless experience for the “good” consumer and allow faster and more effective identification of fraudulent account activity.

Balancing Authentication Simplicity and Security[2]#

When it comes to verification/authentication, the key to keeping the process convenient for the mobile consumer is to ensure that the solution can do the following:
  • Keep the consumer in the mobile channel
  • Take place in near real-time with little lag
  • Require little to no manual data entry from the user
  • Run in the background and remain invisible to the user (as much as possible)
  • Pair with an additional layer of security (e.g. biometrics) for a second factor of authentication
Using these five guidelines for end-user convenience, most organizations can create a mobile authentication process that is both simple and secure.

By creating a secure mobile ID verification process that is also a convenient experience for customers, financial marketers enable customers to move through the buying process more quickly, while at the same time keeping fraudsters out. They are also able to reduce or eliminate costly manual reviews, which in turn, helps keep the overall cost of acquisition and managing customer relationships lower. Further, mobile ID verification/authentication meets Know Your Customer (KYC) and other compliance requirements.

Mobile ID verification can also make the digital account opening process easier on customers and improves the experience by allowing them to stay in the mobile channel for ID verification. This varies from other ID verification methods, in which users would typically need to leave the mobile channel to send a scanned copy of their ID documents to the business through unsecure email or fax channels or even visit the branch office.

It’s important to note that user experience is key for customer acquisition and mobile on-boarding. With a mobile ID verification user experience that is just as quick and easy as mobile users expect, digital marketers are able to improve the customer journey metrics for mobile self-service and boost customer satisfaction.

23-Jan-2017 17:09
2017-01-23#

Ran Across Today#

Mobile Moment: in her book, The Mobile Mind Shift, she speaks of a Mobile Moment as: ".. a point in time and space when someone pulls out a mobile device to get what he or she wants immediately, in Context"

10-Jan-2017 10:42
2017-01-10#

Ran Across Today#

03-Jan-2017 09:32
Identity Management has been around for a long time, even before we started automating Web Blog_blogentry_030117_1.

In a typical Identity Management installation, we create users in LDAP and apply some Access Control Models to control access to various Target Resources.

We may synchronize the Digital Identity from one repository to another. There are probably several methods used in most Organizational Entities, from some perl scripts to sophisticated IDM Vendor Products.

Well, it is now 2017 and we have better, safer methods available.

Today an Organizational Entity must implement a dynamic IAM solution that serves employees, customers, partners and devices, regardless of location. This is the evolution of IAM to Identity Relationship Management (IRM).[1]

As customers look for and expect more ways to engage with businesses, companies are making the shift from the closed, protective world of IAM to the open, evolving, and confidently secure IRM universe. This is because identity and Access Control tools are a necessity for managing trust relationships with parties inside and outside of a company – relationships that are now tied directly to the business’ top line.

This shift in business emphasis has a direct technical impact on how we think about identity and Access Control. As a result, we need to take into account the following business-focused pillars when choosing an IRM solution:

  • CONSUMERS AND THINGS over employees
  • ADAPTABLE over predictable
  • TOP LINE REVENUE over operating expense
  • VELOCITY over process

Changing Business Values & A New Technical Approach to IAM#

IRM solutions that are able to satisfy the business needs of an organization and the new values of the CIO will shape the future of IAM. The shift to cloud, social, mobile, and SaaS is revolutionizing the Organizational Entity, and IAM needs to evolve to help businesses capture new opportunities without worrying about the associated complexities that are a result of this change.

This shift in business emphasis has a direct technical impact on how we think about Identity Management and Access Control. Through this shift we must come to value:

  • INTERNET SCALE over enterprise scale
  • DYNAMIC INTELLIGENCE over static intelligence
  • BORDERLESS over perimeter
  • MODULAR over monolithic

Where do We Go in 2017#

To address the need for Identity Management, or more so Identity Relationship Management, we have to build on a solid base.

We need to establish our security infrastructure on protocols and standards that have been peer-reviewed and are seeing market adoption.

For a long time, lack of such standards has been the main impediment for large organizations wanting to adopt RESTful APIs in earnest. This is no longer the case since the advent of the Neo-Security Stack:

These protocols give us all the capabilities we need to build a secure, INTERNET SCALE API platform, using OAuth 2.0 and OpenID Connect as the base.

Ran Across Today#

02-Jan-2017 10:29
2017-01-02#

RBAC is not RBAC and RBAC on paper is difficult (StackOverflow 2012)#

RBAC is not RBAC is not RBAC, and RBAC on paper is difficult, but nearly impossible to implement in real life.

Everyone has their own "idea" of RBAC and most everyone uses different terms for everything associated with RBAC. Generally from an LDAP implementation perspective you seldom have all the "pieces parts" to do a proper implementation within LDAP.

The "pieces parts" in simple terms are:

  • S = Subject = A person or automated agent or Users
  • P = Permissions = An approval of a mode of access to a Target Resource
  • T = Target Resources = The Object to which you want to assign permissions

The Role, at minimum, needs to associate a Permission and a User. The Target Resource could be outside of LDAP entirely. So it could be an Application on a Tomcat server or simply the right to read "other" entries within the LDAP Server.

So typically the best you will do within LDAP is to set up an object which has a list of users and, if there are some resources that are within LDAP, assign the proper directory permissions for those target resources.

Then there is the little problem of implementation.#

We now need a Policy for the implementation of our Role. Our role, which we will call USER-READ-ONLY, is not useful without a policy on how it is to be used.

In our case, we could just say the USER-READ-ONLY Role can read anything in our Organization.

So we now have a Policy. Where is this policy stored? The Digital representation of a Policy is stored in the "Policy Information Point" or PIP.

How do we interpret the Policy Supplied from the PIP? Policies are interpreted by the Policy Decision Point (PDP).

Who decides if a Subject (user) can access a resource? The Policy Enforcement Point (PEP).

Putting all this policy stuff together: the digital representation of the Policy is provided by the Policy Information Point to the Policy Decision Point, which then passes the decision to the Policy Enforcement Point, where access is permitted or denied.

So in our RBAC story, where is the PIP, the PDP, and the PEP? Well, if the Target Resource is in the LDAP directory, then the LDAP directory is the PIP (which we probably hardcoded and did not abstract), the PDP likewise, and the PEP too, and that was easy.

But if it is our Tomcat Application, there MUST be a method within the Tomcat Application that can interpret the policy and say "I have this Subject (user) and he wants access to this Target Resource (inventory) to perform this Permission (READ-ONLY)".

Sure, there are some standards for all this stuff (Google XACML, RFC 3198, ISO 10181-3, NIST), but they are standards with wide gaps for practical implementations.

So keep in mind that REAL implementations of RBAC are hard.

Sure, IMHO, we should know about RBAC, study the papers and make it a strategic direction, but for real-life implementation across a broad base of vendors and applications, well, we are just not there yet.

-jim
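As an added example (not from the original post), here is the post's USER-READ-ONLY scenario with the three policy points kept apart, so that the question "is Subject X allowed Permission Y on Target Z?" is asked of a PDP rather than hardcoded into the application. The classes and the in-memory stand-in for the LDAP group are constructed for this illustration; the Role, Permission and Target Resource names follow the post.

```python
"""Role, Permission, Target Resource and the three policy points (PIP, PDP, PEP).

Added example, not from the original post. The USER-READ-ONLY role, the
"inventory" Target Resource and the READ-ONLY Permission follow the post;
the classes and the in-memory stand-in for the LDAP group are constructed here.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Permission:
    """P: an approval of a mode of access to a Target Resource."""
    mode: str  # e.g. "READ-ONLY" or "WRITE"


@dataclass
class Role:
    """Associates Subjects (S) with Permissions (P) on Target Resources (T).
    The target may live outside LDAP (a Tomcat app), so it is named by string."""
    name: str
    members: set = field(default_factory=set)    # S: user identifiers
    grants: dict = field(default_factory=dict)   # T (or "*" for anything) -> {P}


class PolicyInformationPoint:
    """Holds the digital representation of the policy. In the post this is
    the LDAP object with a list of users; here it is an in-memory dict."""

    def __init__(self):
        self.roles = {}

    def add_role(self, role):
        self.roles[role.name] = role

    def roles_for(self, subject):
        return [r for r in self.roles.values() if subject in r.members]


class PolicyDecisionPoint:
    """Interprets the policy supplied by the PIP and answers PERMIT or DENY."""

    def __init__(self, pip):
        self.pip = pip

    def decide(self, subject, target, mode):
        wanted = Permission(mode)
        for role in self.pip.roles_for(subject):
            for granted_target, perms in role.grants.items():
                if granted_target in ("*", target) and wanted in perms:
                    return "PERMIT"
        return "DENY"  # default deny: no role, no permission


class PolicyEnforcementPoint:
    """The method inside the application that says "Subject X wants Permission
    Y on Target Z", asks the PDP, and lets the operation run or blocks it."""

    def __init__(self, pdp):
        self.pdp = pdp

    def enforce(self, subject, target, mode, operation):
        if self.pdp.decide(subject, target, mode) != "PERMIT":
            raise PermissionError(f"{subject} may not {mode} {target}")
        return operation()


def build_demo():
    """Wire the post's scenario: USER-READ-ONLY may read anything in the Organization."""
    pip = PolicyInformationPoint()
    pip.add_role(Role("USER-READ-ONLY", members={"alice"},
                      grants={"*": {Permission("READ-ONLY")}}))
    return PolicyEnforcementPoint(PolicyDecisionPoint(pip))


def run_scenario():
    """Returns which calls were permitted. The inventory data is constructed."""
    inventory = {"widgets": 12}
    pep = build_demo()
    results = {}
    results["alice reads"] = pep.enforce("alice", "inventory", "READ-ONLY",
                                         lambda: dict(inventory))
    for who, mode in (("alice", "WRITE"), ("bob", "READ-ONLY")):
        try:
            pep.enforce(who, "inventory", mode, lambda: inventory.update(widgets=0))
            results[f"{who} {mode}"] = "PERMIT"
        except PermissionError:
            results[f"{who} {mode}"] = "DENY"
    results["inventory intact"] = inventory["widgets"] == 12
    return results


if __name__ == "__main__":
    print(run_scenario())
```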

01-Jan-2017 09:37
2017-01-01#

Risk-Trust-Access Control#

In reviewing some papers on Authentication I was reminded that there must be some reason to perform Authentication before you start.

To perform Authentication and/or Authorization, you must start with Risk. If there is no Risk, then there should be no Authentication, and if there is no Authentication, there can be no Authorization.

To determine Authentication, you must perform a Risk Assessment. Yet many, no, most, Organizational Entities I have worked for or observed have never "really" performed a Risk Assessment. And those who say they have have only placed generic terms on Risk Management and loosely classified data in some policy. Little attention or emphasis is placed on how and where Classified Data is stored or protected from an Unfortunate event.

RAT#

Authentication Authorization and Accounting (AAA) is a term for a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These combined processes are considered important for effective network management and security. As the first process, authentication provides a way of identifying a user, typically by having the user enter a valid user name and valid password before access is granted.

22-Dec-2016 14:20
2016-12-22#

RAT#

DevOps is a term used to refer to a set of practices that emphasizes the collaboration and communication of both software developers and other information-technology (IT) professionals while automating the process of software delivery and infrastructure changes.[1][2] It aims at establishing a culture and environment where building, testing, and releasing software can happen rapidly, frequently, and more reliably.

05-Dec-2016 06:49
2016-12-04#

Key Performance Indicator (KPI) is a measurable value that demonstrates how effectively a company is achieving key business objectives. Organizations use KPIs to evaluate their success at reaching targets. Learn more: What is a key performance indicator (KPI)?#

01-Dec-2016 12:32
2016-12-01#

Ran Into Today#

Decentralized Identifier

23-Nov-2016 11:56
2016-11-23#

Ran-Across-Today#

  • Cloud Access Security Brokers (CASBs) are on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.

17-Nov-2016 11:54
2016-11-17#

Identity Ecosystem Framework News#

Towards a Trusted Framework for Identity and Data Sharing#

Where he mentions several sources on Identity Ecosystem Frameworks

"The WEF Blueprint for Digital Identity argued that financial institutions are well positioned to drive the creation of such digital identity ecosystems because they already serve as intermediaries in many transactions, are generally trusted by consumers as safe repositories of information and assets, and their operations, - including the extensive use of customer data, - are already rigorously regulated."

"Finally, as was the case with the Internet, government needs to play a leadership role in the creation of such highly complex identity ecosystems by supporting the required R&D, experimental testbeds, and legal frameworks."

08-Nov-2016 13:29
2016-11-08#

Path to a Functional Certificate#

So you decide you need to add HTTPS to that Apache web server you have been running for 5 years on plain HTTP.

How would you do that?#

You have a few options.

28-Oct-2016 11:20
2016-10-28#

Ran Across Today#

Well, not just today, but again I revisit Identity Proofing.

13-Oct-2016 12:40
2016-10-13#

Ran Across Today#

21-Sep-2016 17:00
2016-09-21#

OAuth Scope Example#

We put together an OAuth Scope Example based on a real-life example.

10-Sep-2016 12:34
2016-09-10#

Ran Across Today#

05-Sep-2016 09:00
2016-09-05#

Ran Across Today#

29-Aug-2016 12:53
2016-08-29#

Ran Across Today#

28-Aug-2016 12:54
2016-08-28#

Ran Across Today#

27-Aug-2016 14:04
2016-08-27#

Ran across today#

26-Aug-2016 11:37
2016-08-26#

Contract of Adhesion#

Most EULA and Privacy Policies are a Contract of Adhesion

Today I wanted to file a complaint at the Federal Communications Commission for a phone scam that was directed at me. However, their Privacy Policy makes it, to me, unconscionable that anyone would file one, if they read the Privacy Policy, which reads in part:

"Any comment that you submit through this website may be made public, including any personally identifiable information that you provide in your submission. We may share your comment with others, including the public, in aggregated form, in partial or edited form, or verbatim."

This is indeed almost comical, as elsewhere on their site they state:

"For this unique relationship to flourish, we endeavor to publish your comments whenever possible, but expect conversations to respect traditional conventions of polite discourse. The FCC will remove and/or decline to publish any comment that:

  • Contains obscene or vulgar language
  • personal attacks of any kind, or offensive terms that target a specific race, color, sex, sexual orientation, national origin, ethnicity, age, religion, or disability;
  • promote commercial services or products (relevant non-commercial links are not per se prohibited);
  • are off-topic; or
  • make unsupported accusations.
Comments will be accepted or rejected in whole – we do not edit comments to remove objectionable content."

So it is not that they do not read and moderate comments, it is just, I assume, that they do not care if your Personally Identifiable Information is disclosed to the public.

As far as I can tell this is a direct violation of the Federal Privacy Act.

25-Aug-2016 15:33
2016-08-25#

What's New#

In the past we needed to provide Authentication and Authorization at the application level and that Digital Identity was verified, via various methods, back to LDAP. Using LDAP we typically only used password Authentication.

When we started using LDAP, most of the applications were traditional monolithic applications in which all of the application work was done within one large application, often with some back-end storage database.

This scenario allowed us to provide Consistent Sign-On so end users only had one username/password combination and, in general, all was well.

Then we wanted Single Sign-On and so we added a WEB Access Management system in front of LDAP. These proprietary WEB Access Management systems did allow HTTP Single Sign-On in most cases. We often added GSSAPI to the mix so we could usually get the credentials from the Windows Client Operating System and use them to perform Authorization to the WEB Access Management and provide an even broader range of Single Sign-On and, in general, all was well.

Then Security Assertion Markup Language (SAML) came along and we could connect to outside monolithic applications and provide even a broader range of Single Sign-On and, in general, all was well.

Then the world started changing. The monolithic applications became too large and complex to handle, and their appetite for access to data not within their own databases grew and grew. We added more and more attributes to LDAP, which we synchronized from this data-store to that data-store, and the Identity And Access Management systems became too complex to handle.

The monolithic application projects became larger and more complex. Then Identity And Access Management projects became more and more complex.

As tends to happen in the technology world, programmers started using Lean Product Development to simplify and prioritize what was really necessary. Lean Product Development caused the monolithic applications to be broken down into smaller "chunks" of applications that were loosely coupled. These loosely coupled applications have become smaller (and will become smaller still), which adds to the agility of Lean Product Development.

This continued Lean Product Development has led to the movement to Application Programming Interfaces, where nearly any application, monolithic or not, can have almost "instant" access to the data.

And in this API Economy, Application Programming Interfaces (APIs) act as the digital glue that links services, applications and systems. This allows businesses to make the most of their data to create compelling customer experiences and open new revenue channels.[1]

What does it mean to Identity And Access Management teams?#

More work and more learning. We used to only need to provide Authentication and Authorization services for users; now we need to be able to determine whether this Application is able to access some API or other application on behalf of this user.

The good news: we have help. OpenID Connect provides the tools to make all this happen, and there are a lot of Open Source projects that can help.

21-Aug-2016 12:22
2016-08-21#

Ran Across Today#

20-Aug-2016 12:42
2016-08-20#

Ran Across Today#

Parameters, Attributes, Claims#

In RFCs there are many terms without universal understandings.

Parameters, Attributes, Claims are often used terms in RFCs and often used interchangeably.

Look at RFC 7519, which uses Parameters within JOSE Headers (Section 5) and "Header Parameter Names Registration" (Section 10.4), and then uses "Claims" in "JWT Claims" (Section 4) and "JSON Web Token Claims Registry" (Section 10.1).

Then in "Replicating Claims as Header Parameters" (Section 5.3): "...allows claims present in the JWT Claims Set to be replicated as Header Parameters..". So what is the difference between "Claims" and "Parameters"?

And then, to make RFCs even harder to comprehend, in Security Event Token (SET) draft-hunt-idevent-token-03 we add "Attributes", where they state: "The following are attributes that are based on RFC 7519 claim definitions and are profiled for use in an event token".

So is there any difference between Parameters, Attributes and Claims?
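An added example (not from either post) that puts two of the entries above on one token: the JOSE header carries parameters (alg, typ, and, as RFC 7519 Section 5.3 allows, a replicated iss), the payload carries claims, and the API uses those claims to answer the question the "What's New" entry poses, whether this application may call this API on behalf of this user. The issuer, key, client name, audience and scope are constructed sample values; the HS256 signing routine stands in for the OpenID Provider.

```python
"""One JWT: header parameters vs. claims, and an API checking delegated access.

Added example, not from the original posts. The issuer, key, client name and
audience are constructed sample values; the checks follow RFC 7519 (exp, aud,
replicated claims in Section 5.3) and use the scope and client_id claims that
OAuth 2.0 / OpenID Connect deployments put in access tokens.
"""
import base64
import hashlib
import hmac
import json

NOW = 1_700_000_000                  # fixed clock so the sample is reproducible
KEY = b"constructed-demo-hmac-key"   # shared secret for HS256, sample only


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(header, claims, key):
    """Stand-in for the OpenID Provider: signs header.payload with HS256."""
    parts = [_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url_encode(sig)])


def verify_hs256(token, key):
    """Returns (header_parameters, claims) or raises ValueError.

    Header *parameters* (alg, typ, ...) describe the signature; *claims* are
    statements about the subject. RFC 7519 Section 5.3 lets a claim be replicated
    as a header parameter, in which case both copies must agree.
    """
    h, p, s = token.split(".")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":          # never let the token pick the alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    for name in ("iss", "sub", "aud"):
        if name in header and header[name] != claims.get(name):
            raise ValueError(f"replicated header parameter {name} disagrees with claim")
    return header, claims


def authorize_api_call(token, key, api_audience, required_scope,
                       allowed_clients, now=NOW):
    """May *this application* call *this API* on behalf of *this user*?"""
    _, claims = verify_hs256(token, key)
    if claims.get("exp", 0) <= now:
        return (False, "expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if api_audience not in aud:
        return (False, "token not meant for this API")
    if claims.get("client_id") not in allowed_clients:
        return (False, "application not allowed")
    if required_scope not in claims.get("scope", "").split():
        return (False, "missing scope")
    return (True, claims["sub"])              # the user the call acts on behalf of


SAMPLE_TOKEN = mint_hs256(
    {"alg": "HS256", "typ": "JWT", "iss": "https://issuer.example"},  # parameters
    {"iss": "https://issuer.example", "sub": "alice",                 # claims
     "aud": "https://inventory-api.example", "client_id": "mobile-app",
     "scope": "openid inventory.read", "iat": NOW - 60, "exp": NOW + 240},
    KEY,
)

if __name__ == "__main__":
    print(verify_hs256(SAMPLE_TOKEN, KEY))
    print(authorize_api_call(SAMPLE_TOKEN, KEY, "https://inventory-api.example",
                             "inventory.read", {"mobile-app"}))
```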

17-Aug-2016 11:04
2016-08-17#

Internet Drafts#

Trusted Platform Module (TPM)#

Financial Industry Regulatory Authority Inc (FINRA) #

Financial Industry Regulatory Authority Inc (FINRA) is a private corporation that acts as a Self-regulatory Organization (SRO).

FINRA is the successor to the National Association of Securities Dealers, Inc. (NASD) and the member regulation, enforcement and arbitration operations of the New York Stock Exchange.

It is a non-governmental organization that regulates member brokerage firms and exchange markets. The government agency which acts as the ultimate regulator of the securities industry, including FINRA, is the Securities and Exchange Commission.

15-Aug-2016 17:54
2016-08-15#

Pros and cons of Authenticator App Code#

Pros#

SIM swapping won’t hijack your MFA codes if you’re using an Authenticator App. The codes depend on the app itself, not on your SIM card. Authenticator apps work even when you don’t have mobile coverage.

Cons#

  • Authenticator Apps depend on a shared secret that both the app and the server need to store. This “seed” is combined with the time to generate the MFA code. If an Attacker can crack the app or the server and recover the secret, they can clone your MFA codes indefinitely. SMS codes are just random values sent by the server, so there is no “seed” by which a crook could predict the next one in sequence.
  • When you access online services from your Mobile Device, you’ll usually be running the Authenticator App on the same device. This means the crooks have a common point of compromise for both factors of your MFA. A second, lightweight “feature phone” used for SMS codes makes it easier to keep the Authentication Factors apart.
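As an added example (not from the original post), here is the seed-plus-time computation the first con describes, RFC 6238 TOTP, together with the verifier-side check: the code is fully determined by the seed and the clock, so whoever holds the verifier's copy of the seed holds the codes, and the only thing the verifier can add is to accept each code once. The 20-byte seed is the RFC's published test seed, not a real one.

```python
"""TOTP (RFC 6238) as the post describes it: shared seed + time -> code.

Added example, not from the original post. The seed below is the RFC 6238
test seed; the verifier class and its replay guard are constructed here.
"""
import hashlib
import hmac
import struct

STEP = 30      # seconds per time step
DIGITS = 8     # RFC 6238 test vectors use 8 digits; most apps display 6


def hotp(seed, counter, digits=DIGITS, digestmod=hashlib.sha1):
    """RFC 4226 HOTP: HMAC(seed, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(seed, unix_time, step=STEP, digits=DIGITS):
    """RFC 6238 TOTP: the counter is the number of steps since the epoch.
    Same seed, same clock, same code, on the phone or on a cloned seed."""
    return hotp(seed, int(unix_time) // step, digits)


class TotpVerifier:
    """Server side: accepts a code within +-window steps and refuses replays."""

    def __init__(self, seed, window=1, step=STEP, digits=DIGITS):
        self.seed, self.window, self.step, self.digits = seed, window, step, digits
        self.last_accepted_counter = -1   # persist per user in a real deployment

    def verify(self, code, unix_time):
        base = int(unix_time) // self.step
        for k in range(-self.window, self.window + 1):
            counter = base + k
            if counter <= self.last_accepted_counter:
                continue                  # already used this step: treat as replay
            if hmac.compare_digest(hotp(self.seed, counter, self.digits), code):
                self.last_accepted_counter = counter
                return True
        return False


def demo(seed=b"12345678901234567890"):
    """Walks the RFC 6238 vector at T=59: accept once, refuse the replay, move on."""
    verifier = TotpVerifier(seed)
    code = totp(seed, 59)                 # what the app on the phone shows
    return {
        "code": code,
        "accepted": verifier.verify(code, 61),            # same step, small delay
        "replayed": verifier.verify(code, 65),            # same code presented again
        "next_step": verifier.verify(totp(seed, 90), 90),  # fresh code, next step
    }


if __name__ == "__main__":
    print(demo())
```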

09-Aug-2016 11:50
2016-08-09#

From today#

We constantly see people wanting to know where and how to perform Token Storage.

08-Aug-2016 23:10
2016-08-08#

Today we Found#

05-Aug-2016 12:33
2016-08-05#

Java Authentication Service Provider Interface for Containers#

02-Aug-2016 07:50
2016-08-02#

Things from today#

  • Credential Service Provider
  • Attribute Provider (AP) - Manages and provides assertions of identity attributes to other relying and federated parties.
  • Attribute Provider Statement (APS) - A document that captures the security, privacy, data protection, and attribute management practices of a given attribute provider or party acting as an attribute provider for a given set of transactions.
  • Attribute Value Metadata (AVM) - Data describing an asserted value for an associated attribute.
  • Authorization - The decision to permit or deny a subject access to resources (e.g., network, data, application, services) based on the evaluation of access control policies.
  • Credential Service Provider (CSP) - An entity that issues digital credentials to subjects and issues or registers authenticators for subjects’ use. A CSP may be an independent third party, or may issue credentials for its own use. A CSP may provide and verify attributes or may include attributes provided or verified by other entities.
  • Federation - A process that allows for the conveyance of identity attributes and authentication information across a set of networked systems.
  • Identity Provider (IDP) - A CSP in a federation that manages the subject’s primary authentication credentials and issues assertions derived from those credentials.
  • Metadata - Structured information that describes, explains, locates, or otherwise makes it easier to retrieve, use, or manage an information resource. Metadata is often called data about information or information about information.
  • Relying Party (RP) - An entity that relies upon a subject’s authenticator(s) and credentials or an IDP’s assertion of a subject’s identity, typically to process a transaction or to grant access to information or a system.

31-Jul-2016 10:34
2016-07-31#

What I ran across today#

Phil Windley#

26-Jul-2016 14:43
2016-07-26#

What I ran Across today#

14-Jul-2016 10:34
2016-07-14#

A Schema for Logging the LDAP Protocol#

10-Jul-2016 12:02
2016-07-10#

General Data Protection Regulation (GDPR)#

General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a Regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU). It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.[1] When the GDPR takes effect it will replace the data protection directive (officially Directive 95/46/EC) [2] from 1995. Perhaps confusingly for some, there is a new directive as well as a new regulation; it will apply to police procedures, which will continue to vary from one Member State to the other.[3]

The regulation was adopted on 27 April 2016. It enters into application on 25 May 2018 after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by governments.[4]

06-Jul-2016 13:39
2016-07-06#

Mobile wallets: Where do I keep my receipts?#

Since Google released its first mobile wallet five years ago, a slew of companies have released their own mobile wallet products.

Among them are Apple Pay and Samsung Pay, retailers like Walmart and Kohl's, and even banking institutions including Chase Pay and Capital One. However, even though new Mobile-Digital Wallets continue to come to the market with a frequent cadence, they have yet to be widely adopted by consumers. And, as the market continues getting more saturated, it begs the question, will they really ever get enough traction to take off?

Even though companies continue to heavily invest in the development of Mobile-Digital Wallets by increasing their compatibility with various point-of-sale systems and including more of what consumers want, none of the current options on the market have taken into account a fundamental part of the shopping experience: receipts.

This lack of forethought begs the question, if consumers are expected to carry out entire transactions using only their mobile device – because it's more convenient – why should they still be expected to keep track of paper receipts? Mobile wallets need to prioritize digital receipts and include them as a basic utility in their solution. Doing so will play a key role in increasing consumer adoption.

and more at: Mobile wallets: Where do I keep my receipts?

04-Jul-2016 22:04
2016-07-04#

Where to Store Photos#

I have accumulated more than 50k photos and more than 2 GB of video files.

Some of these media files will never be shared, but at any given moment there have been times when I needed to share them with a select group of My Contacts and or to share them with any of the Social Network sites.

There are several constraints I have for any online storage:

  • Storage - the cost to store this amount of data online is usually prohibitive
  • Sharing - Some of these photos are not in the public domain, so copyright and Intellectual Property Rights must be retained by the Resource Owner
  • Must be able to detect that a Media File already exists and be able to make a copy or replace the file
    • Google is terrible at this. I have never been able to find a method to stop it creating duplicates. Heck, I do not even know how it happens.

19-May-2016 16:55
2016-05-19#

What I learned today#

15-May-2016 16:25
2016-05-15#

The Moments Ahead for Identity#

At that moment we will have forged great relationships with our Chief Customer Officer, Chief Privacy Officer and Chief Information Security Officer. Identity professionals at this moment will have a strong voice at the decision-making table. But this is not possible if we continue to take a project-centric view of identity and not a program-centric one; this is not possible if we don't shift to this notion of an outcomes-based identity. In the moments ahead there are really only two things that matter:
  • mitigating risk
  • customer delight
That's what we're gonna be measured on: we're gonna be measured on how well we mitigated risk for our enterprises; we will be measured on how well we delight our customers.

28-Apr-2016 22:56
Overview#

Dogs vs Drones#

  • An estimated 4.7 million dog bites occur annually in the US.
  • An estimated 368,245 persons are treated in emergency departments for nonfatal dog bites annually.
  • Approximately 42% of dog bites occurred in children aged less than 14 years.
  • Dog bite rates were significantly higher for boys (293.2 per 100,000) than for girls (216.7 per 100,000).
  • Work-related dog bites are also a significant injury problem, 16,476 dog bites, or 7.9% of total dog bite injuries were work-related.
  • Children sustained 3.2 times higher bite rates that required medical attention than adults (6.4 per 1000 v. 2 per 1000).
  • Young children were more likely than adults to be bitten on the head, neck or face.
  • In 1986 there were 585,000 dog bite injuries that required medical attention.
  • By 1995 there were 800,000, a 36% increase from 1986 to 1995.

16-Apr-2016 14:25
2016-04-16#

HIPAA has failed!#

HIPAA includes a section, Title II, entitled Administrative Simplification, requiring:
  • Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
  • Protection of confidentiality and security of health data through setting and enforcing standards.

From a patient perspective, HIPAA has failed on both items.

Anyone who has recently been to a Doctor's office can relate to my recent experiences.

I went to my primary Health Care Provider and was of course required (as in: if you do not sign, no service) to sign several pages of HIPAA forms, complex and meaningless to the average patient. This was in addition to the fact that I had already been to this Health Care Provider's web site, filled out several forms and agreed to HIPAA items there.

I provided my primary Health Care Provider with printed records from my personal medical records: a history of related procedures and previous diagnoses. I also provided, by way of paper forms, answers to my medical history.

And as often happens, my primary Health Care Provider referred me to a "Specialist" Health Care Provider, where I was again required to sign several pages of HIPAA forms, complex and meaningless to the average patient.

The "Specialist" Health Care Provider asked about the history of related procedures and previous diagnoses and, by way of paper forms, for answers to my medical history.

BTW, they are both in the same building complex.

The "Specialist" Health Care Provider suggested we do a procedure and I scheduled an appointment at the clinic where the procedure was to be performed. I was told to arrive 15 minutes earlier than the appointment, when I was again required to sign several pages of HIPAA forms, complex and meaningless to the average patient, AND asked about the history of related procedures and previous diagnoses and, by way of paper forms, for answers to my medical history.

BTW, they are both in the same building complex; in fact, the clinic used the same waiting room.

So how has HIPAA done on "Improved efficiency in healthcare delivery by standardizing electronic data interchange"?

My Personal Health Record (PHR)#

I have tried for years to find a method of obtaining my Personal Health Record as an Electronic Medical Record and have yet to find one; nothing out there is even close.

In this case, my primary Health Care Provider had a nice and pretty well thought out portal where I could:

  • schedule and cancel appointments
  • See and pay bills including Insurance results
  • see medical information that was performed by my primary Health Care Provider.

However, I could not:

  • Upload any data to the site.
  • Send email to my primary Health Care Provider (or use any other method of communication)

Whenever I have asked Health Care Providers why they do not have these capabilities they cite either money or Federal Health Care Laws.

15-Apr-2016 17:59
2016-04-15#

Backend as a Service#

Backend as a Service allows developers to concentrate on the purpose of their applications without dealing with the common details for applications. Common details for applications include:
  • How they Authenticate
  • How they upload files
  • How Back-end communication is performed.
End-users do not typically care about the common details for applications but rather how well the application fits their needs.

A common user experience is more important than the wizardry or technical details that developers often think are important.

One of the keys to a good User Experience is to have the same feeling about the program regardless of device and use. Users expect a universal, and effective, User Experience.

As an example, security experts tell users things like:

Not dealing with the common details of applications also allows developers to get more done faster.

06-Apr-2016 12:20
2016-04-06#

Web Linking#

Universal Links, Custom URI schemes, Mobile deep linking#

In the context of mobile apps, deep linking consists of using a uniform resource identifier (URI) that links to a specific location within a mobile app rather than simply launching the app. Deferred Deep Linking allows users to deep link to content even if the app isn't already installed. Depending on the mobile device platform, the URI required to trigger the app may be different.

27-Mar-2016 12:45
Overview#

Managing Privileged Accounts#

Recently when working with a client there was a scenario where some "White-Hat" hackers who already had full administrative access to a machine and possessed many specialized tools were able to obtain the credentials of another administrator.

Now to be clear, the organization already was:

  • using separate administrative accounts for each user.
  • the administrative accounts were separate from the user's non-administrative account
  • administrative accounts had a password expiration policy that was enforced.

What was Done#

There was a decision to:
  • reduce the access of the Microsoft Active Directory team's accounts to less than "Domain Administrators"
  • place "all" "Domain Administrators" access within a check-out Privileged Account Management system.

The organization already had a Multi-Factor Authentication application in place and it was suggested that this be used instead.

Conclusion[1]#

Organizations can substantially benefit by having a process in place for the use and management of administrative privileges. A robust process for the management of administrative privileges includes:
  • Providing clarity on what administrative privileges are necessary
  • Minimizing the use of shared administrative accounts
  • Having a method of being able to verify the privileges associated with each account
  • Having a method of reliably controlling and monitoring the use of account privileges

Not only will having a robust process for the oversight of administrative privileges bring peace of mind to management, it will also provide organizations with better security. Developing a robust process for the management of administrative privileges involves first developing policies for administrative privilege use and then determining the appropriate mechanisms to enforce those policies.

18-Mar-2016 13:30
Overview#

OpenID Connect Use Cases#

15-Mar-2016 16:31
2016-03-15#

Portable Contacts#

Portable Contacts is an open protocol that makes it easier for developers to give their users a secure way to access the address books and friends lists they have built up all over the web. The goal of the project is to increase data portability by creating a common and open specification to bridge proprietary contacts Application programming interfaces (API) such as Google's GData Contacts API, Yahoo's Address Book API, and Microsoft's Live Contacts API. It combines OAuth, XRDS-Simple and a wire format based on vCard harmonized with schema from OpenSocial.

The editor of the Portable Contacts specification was Joseph Smarr of Plaxo and the project was co-maintained by Chris Messina. Portable Contacts is used by services such as Google Contacts,[1] Windows Live Messenger Connect,[2] as well as other specifications such as OStatus.

14-Mar-2016 12:25
2016-03-14#

Internet Of Things And the Numbers#

Speaking with a developer that had been working with a manufacturing company that makes farm planters. He was saying that the company wanted to track:
  • when each seed was planted
  • how much fertilizer was put on each seed

This then implies that each seed might need a Digital Identity.

So I was wondering, in the world of Internet Of Things, just what numbers are we talking about?

If you use 30" rows and 5.5" spacing, there would be 30,700 seeds per acre. The US alone planted 90,000,000 acres of corn in 2015.

So when we do those calculations, we come up with 30,700 * 90,000,000 = 2,763,000,000,000, or two trillion seven hundred sixty-three billion identities in the US alone each year.

As there are currently only 7,408,433,000 (7.4 billion as of 2016-03-14) people in the world, we get some idea as to the scale of the Internet Of Things.

John Deere collects and shares data collected by 200,000 telematically-enabled machines to provide growers with timely and accurate data for optimal growing conditions.

A tractor and a planter consist of:

  • A tractor has 20 CPUs and 6 million lines of code.
  • A 24-row planter has 77 CPUs, 7 million lines of code, and

Each seed is planted 1.5 deep and 5" apart with 3.3 cm accuracy at 10 mph.

Each planter row plants 80 seeds / second (24 rows * 80 seeds/sec = 1,920 seeds/sec per planter).

Even if they are not all identities, it is a lot of data. And there will be identities at some level along the way:

  • Each tractor?
  • Each Application?
  • Each user that accesses the data?

11-Mar-2016 14:13
2016-03-11#

Cross-platform Authentication#

07-Mar-2016 16:15
Overview#
The IPFS Project

The InterPlanetary File System (IPFS) is a new hypermedia distribution protocol, addressed by content and identities. IPFS enables the creation of completely distributed applications. It aims to make the web faster, safer, and more open.

18-Feb-2016 14:58
2016-02-18#

Researchers find two flaws in OAuth 2.0[1]#

In a PDF submission to Arxiv, the researchers said in the first attack (known as an HTTP 307 Temporary Redirect), identity providers (IdP) inadvertently forward user credentials (ie, username and password) to the relying party (RP) or the attacker. In the second attack, a network attacker can impersonate any victim.

FIRST
"This severe attack is caused by a logical flaw in the OAuth 2.0 protocol and depends on the presence of malicious identity provider,” the researchers said.

"In this attack, the attacker (running a malicious RP) learns the user's credentials when the user logs in at an IdP that uses the wrong HTTP redirection status code."

The researchers said that in order to fix this problem, only HTTP 303 codes should be permitted in OAuth, since "the HTTP 303 redirect is defined unambiguously to drop the body of an HTTP POST request."

SECOND
The second flaw involves an attack on the RP website: "The attacker confuses an RP about which IdP the user chose at the beginning of the login/authorisation process in order to acquire an authentication code or access token which can be used to impersonate the user or access user data." The Man-In-The-Middle (MitM) attack enables a hacker to change user data and fool the RP into treating it as the IdP the user wants.

"As a result, the RP sends the Authorization Code or the access token (depending on the OAuth mode) issued by the honest IdP to the attacker, who then can use these values to login at the RP under the user's identity (managed by the honest IdP) or access the user's protected resources at the honest IdP."

The researchers said to fix this, OAuth 2.0 should include the identity of the IdP in the redirect in some form. "More specifically, we propose that RPs provide a unique redirection endpoint for each IdP. Hence, the information which IdP redirected the browser to the RP is encoded in the request and the RP can detect a mismatch."

Using the "status" parameter within the Authorization Request or using the PK???? would stop this issue.
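The per-IdP redirection endpoint the researchers propose, as an added relying-party-side example that is not code from the article or the paper it cites: the RP binds the IdP chosen at the start of the flow to the state value and rejects any Authorization Code that arrives on a different IdP's callback endpoint, so the mix-up is detected before the code is ever exchanged. The IdP names, URLs and client ids are constructed for illustration.

```python
"""Relying-party (RP) side defence against the OAuth 2.0 IdP mix-up attack.

Added example, not code from the article or the paper it cites. The RP
registers one redirection endpoint per IdP, binds the IdP chosen at the start
of the flow to the ``state`` value, and refuses to exchange an Authorization
Code that arrives on the endpoint of a different IdP. IdP names, URLs and
client ids are constructed for illustration.
"""
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

RP_BASE = "https://rp.example"  # constructed RP origin

# Constructed IdP metadata; a real RP loads this from its configuration.
IDPS = {
    "honest-idp": {
        "authorize": "https://honest-idp.example/authorize",
        "client_id": "rp-at-honest",
    },
    "other-idp": {
        "authorize": "https://other-idp.example/authorize",
        "client_id": "rp-at-other",
    },
}


def redirect_uri_for(idp_name: str) -> str:
    """One distinct redirection endpoint per IdP, as the paper proposes."""
    return f"{RP_BASE}/callback/{idp_name}"


@dataclass
class RelyingParty:
    # state value -> name of the IdP the flow was started against
    pending: dict = field(default_factory=dict)
    # record of (idp, code) pairs the RP would go on to exchange
    exchanged: list = field(default_factory=list)

    def start_login(self, idp_name: str) -> str:
        """Build the Authorization Request URL and remember the chosen IdP."""
        if idp_name not in IDPS:
            raise ValueError(f"unknown IdP {idp_name!r}")
        state = secrets.token_urlsafe(16)
        self.pending[state] = idp_name
        params = {
            "response_type": "code",
            "client_id": IDPS[idp_name]["client_id"],
            "redirect_uri": redirect_uri_for(idp_name),
            "state": state,
        }
        return f"{IDPS[idp_name]['authorize']}?{urlencode(params)}"

    def handle_callback(self, callback_path: str, state: str, code: str) -> dict:
        """Validate the redirect before the Authorization Code is used.

        Returns a decision dict the caller can log; on any failure the
        pending session for that state is discarded and the code is never
        sent to a token endpoint.
        """
        expected_idp = self.pending.pop(state, None)
        if expected_idp is None:
            return {"ok": False, "reason": "unknown or replayed state"}
        prefix = "/callback/"
        if not callback_path.startswith(prefix):
            return {"ok": False, "reason": "not a registered callback path"}
        # The endpoint the browser arrived on encodes which IdP redirected it.
        arriving_idp = callback_path[len(prefix):]
        if arriving_idp != expected_idp:
            # Started against one IdP, code arrived from another: the mix-up.
            return {"ok": False, "reason": "IdP mismatch",
                    "expected": expected_idp, "arrived": arriving_idp}
        # Only now is it safe to exchange the code, at the IdP bound to state.
        self.exchanged.append((expected_idp, code))
        return {"ok": True, "idp": expected_idp}
```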

14-Feb-2016 17:36
Overview#

OpenID Connect#

When a user signs in successfully on an Identity Toolkit-enabled site, Identity Toolkit’s widgets set a cookie named “gtoken”. It is a JSON Web Token (JWT), a cryptographically-signed JSON object encoded in base 64. The Identity Toolkit JWT is very similar to an OpenID Connect ID token and we will refer to this as the Identity Toolkit ID Token.

The Identity Toolkit ID Token does NOT conform to the OpenID Connect specification in one important way. The user_id field in an OIDC ID token is the identifier of the user at the IDP. The user_id field in the Identity Toolkit ID Token is a global identifier, unique across all IDPs, for this user, in the context of your site or app. It is not shared with other sites or apps which use Identity Toolkit. In other words, Identity Toolkit does not provide a global identifier across different developers (relying parties).

08-Feb-2016 15:44
2016-02-08#

Security "folks"#

I have found it very easy to make systems secure if you do not have to live with those decisions.

In many organizations I find the Security "folks" laying down rules.

However, those Security "folks" do not have to deal with:

  • working with the end-users
  • the "day-to-day" work of keeping the environment working.

04-Feb-2016 01:01
2016-02-03#

31-Jan-2016 04:55
Overview#

Ran into today#

Certification Authority Rating And Trust (CARAT)#

These Guidelines are intended to help organizations create closed, but interoperable Public Key Infrastructures (PKIs) that can be used to facilitate pilot projects employing public key technology.

Such organizations, called Policy Authorities in this document, can use the Guidelines to analyze their particular needs and to construct a PKI that will meet those needs. One important product of that analysis is likely to be a Certificate Policy, which may be thought of as a charter for a particular PKI.

A Certificate Policy defines who the parties are, the relationships and obligations of the parties to one another, and what uses are acceptable within the PKI. The last part of these Guidelines includes high level drafting instructions for Certificate Policy writers. The Guidelines suggest that Policy Authorities use contracts to make the provisions of a Certificate Policy legally binding among the parties.

20-Jan-2016 14:29
2016-01-20#

Back-channel Communication#

08-Jan-2016 12:27
2016-01-08#

Minimum Viable Platform[1]#

Steffen Hedebrandt also talks about the idea of the Minimum Viable Platform. Hedebrandt defines this, in its most basic terms, as something that connects producers with consumers through value/interaction.

Here’s a little more on what Hedebrandt means when he talks about the idea of a business as a platform:

"Apple and Google have created these app stores where you can share whatever you build with people, rather than having this example of where you buy raw materials, create something, put it in a shop and hope that it sells."

Some other Examples:

  • airbnb
  • uber
  • youTube

Log Everything#

In a recent meeting we were asked to participate in a new Logging POC. The discussion went something like:
  • I asked what was being logged?
  • the response was everything
  • I elaborated, is this for Auditing or Metrics?
  • the response was everything
My conclusion, they have no idea what they want to accomplish. Seems like I see more and more of this type of thing happening within large corporations. Apparently some area has a bunch of money and they need to make an impact so they try everything instead of defining what the use cases are and then finding a solution.

Auditing Monitoring Metrics Logging#

Metrics#

What questions can Metrics answer?
  • How many users are on my Site?
  • How slow is the PayPal API?

Generally, metrics come in various categories:

  • Business Metrics - How many widgets we sold, were returned etc.
  • Application Metrics -
  • System Metrics - How much disk space is in use, what is the CPU load?

Measure->Collect & Sample->Store->Query & Graph

Metric Processes#

  • Dashboards
  • Complex Alert Processing (CEP)
  • Anomaly Detection
  • Alerting

Type of Metric Tools#

  • Gauges - Measures a value
  • Counters - Increment or Decrement integers
  • Meters - Measure the rate at which a set of events occur
  • Histograms - Measures the Distribution of values
  • Timers - A timer is a histogram over a duration

07-Jan-2016 15:15
2016-01-07#

Adaptive Directory Access Protocol (ADAP)#

05-Jan-2016 19:25
2016-01-05#

Consent Specifications#

We have already looked at Minimum Viable Consent Receipt and today ran into Health Level Seven Privacy Consent Directive (PCD) from Fast Healthcare Interoperability Resources

01-Jan-2016 23:11
2016-01-01#

User-centric Identity vs System-centric Identity#

The term User-centric Identity is getting bandied about a lot these days. It's generally understood to be a different way of expressing the entire identity transaction as opposed to what might be called the "enterprise-centric" approach traditionally used within provisioning, federation and even simplified sign-on situations. There is still much confusion as to exactly what steps are necessary to make the transaction truly user-centric, though.

Unfortunately, when most people outside the identity field look at the two supposedly opposed organizational methods they simply don't understand what all the fuss is about as both methods revolve around the identity of people, the users. There's also nothing that mandates that either method is solely concerned with the identity of people; both can (and are) extended to the identity of things, concepts, protocols and more.[1]

Identity 2.0, also called digital identity, is a set of methods for identity verification on the internet using emerging user-centric technologies such as Information Cards or OpenID. Identity 2.0 stems from the Web 2.0 theory of the World Wide Web transition. Its emphasis is a simple and open method of identifying transactions similar to those in the physical world, such as a driver's license.[2]

Industry analyst firm the Burton Group described it as follows: "In Identity 2.0, usage of identity more closely resembles today's offline identity systems, but with the advantages of a digital medium. As with a driver's license, the issuer provides the user with a certified document containing claims. The user can then choose to show this information when the situation requires".

The current internet model makes taking one's identification difficult from site to site. This was described in the Burton Group report as, "today's identity systems—which represent a "1.0" architecture, feature strong support for domain management but exhibit scalability and flexibility limitations when faced with the broader identity requirements of Internet scenarios." In that light, user-centric proponents believe "federation protocols (from Liberty Alliance, the Organization for the Advancement of Structured Information Standards OASIS, and the Web Services working group) are bastions of a domain-centric model but do little to recast the architectural foundations of identity systems to support grander structures."[3]

27-Dec-2015 11:48
2015-12-27#

SSL-TLS Interception#

"The Transport Layer Security (TLS) Protocol Version 1.2" (RFC 5246) clearly states "The TLS protocol provides communications security over the Internet"

Yet every day millions of people work behind TLS Proxies that provide no security and no indication to the end-user that the connection is NOT secure. Some of these are "legal" TLS Proxies operated by organizations whose end-users have consented to their employers spying on them. There are of course MANY others where the typical Internet user has no idea that they are using a TLS Proxy.

Many "free" WI-FI systems and most Hotel and Motel systems utilize TLS Proxies often operated by their chosen provider.

Many Internet Providers utilize TLS proxies for all of their connections.

These TLS Proxies typically Decrypt the "supposedly" secure TLS communication and perform inspection and logging of data all unknown to the end-user. These TLS proxies are of course subject to review by any number of Government authorities often without the end-user being notified.

Many of these TLS proxies generate certificates on-the-fly and present them to the user as a "valid" certificate signed by one of the hundreds of Certificate Authorities built into the browser or added by the employer.

Regardless of the technology used, the TLS Proxy is by definition a Man-In-The-Middle attack and TLS does not detect the attack, which clearly contradicts "The TLS protocol provides communications security over the Internet".

26-Dec-2015 12:39
2015-12-26#

Things for today#

  • custom URI scheme
  • reverse domain name notation
  • browser-view - A full page browser with limited navigation capabilities that is displayed inside a host app, but retains the full security properties and authentication state of the system browser. Goes by different names on different platforms, such as SFSafariViewController on iOS 9, and Chrome Custom Tab in Chrome for Android.

Most of this comes from: https://tools.ietf.org/html/draft-wdenniss-oauth-native-apps-00

23-Dec-2015 12:20
2015-12-23#

Zero-knowledge proof#

OAuth 2.0 & XACML[1]#

Authorization has many different facets, and to describe OAuth solely as an ‘authorization standard’ begs confusion with the other authorization facets. For instance, the EXtensible Access Control Markup Language (XACML) is manifestly focused on authorization, but there is effectively no overlap at all between XACML and OAuth 2.0 (in fact they are nicely composable).

In the case of obtaining the Resource Owner’s consent before the token is issued to the client, the OAuth 2.0 Authorization Server effectively plays the role of the XACML Policy Information Point, in which the policy is defined and subsequently stored as an XACML policy. In this case, the XACML policy might record the fact that the Resource Owner consented to the client being able to read their attributes held at the Resource Server, but not make any changes. Once it receives the token from the AS, the client can then use that token on its API calls to the RS. At the resource server, an XACML policy enforcement point (PEP) would intercept the API call (let’s assume it was an HTTP POST that attempted to add some new attribute to the resource owner’s store) and call out to the XACML policy decision point (PDP) to obtain an access control decision. In this case, as the resource owner has previously specified that the client could read but not write, the POST request would be denied and the PDP would respond accordingly to the PEP.

To be clear, OAuth does not presume or require an underlying XACML infrastructure. The point here is only that OAuth and XACML, while both authorization-centric, are compatible.
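The read-but-not-write consent scenario above, as an added example that is not from the quoted article: the consent granted at the Authorization Server is recorded as XACML-style rules, the Resource Server's PEP maps each HTTP call to a (subject, resource, action) request, and the PDP answers with deny-overrides combining. Token, client and resource names are constructed, and the PDP is a deliberately tiny stand-in for a real XACML engine.

```python
"""Composing an OAuth 2.0 consent decision with an XACML-style PEP and PDP.

Added example, not from the quoted article. Consent recorded at the
Authorization Server becomes policy rules; the Resource Server's Policy
Enforcement Point maps an API call to (subject, resource, action) and asks
the Policy Decision Point, which applies deny-overrides combining. Tokens,
clients and resources are constructed, and the PDP is a tiny stand-in.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed token store the Resource Server can introspect.
TOKENS: Dict[str, Dict[str, str]] = {}


@dataclass(frozen=True)
class Rule:
    subject: str    # the OAuth client the resource owner consented to
    resource: str   # e.g. "owner:alice/attributes"
    action: str     # "read" or "write"
    effect: str     # "Permit" or "Deny"


class PolicyStore:
    """XACML-style policy set: a list of rules evaluated deny-overrides."""
    def __init__(self):
        self.rules: List[Rule] = []

    def record_consent(self, owner: str, client: str, allowed: Tuple[str, ...]) -> None:
        """Consent step at the AS: permit only the actions the owner approved."""
        resource = f"owner:{owner}/attributes"
        for action in ("read", "write"):
            effect = "Permit" if action in allowed else "Deny"
            self.rules.append(Rule(client, resource, action, effect))


def issue_token(token: str, owner: str, client: str) -> None:
    """Constructed AS behaviour: bind an opaque token to owner and client."""
    TOKENS[token] = {"owner": owner, "client": client}


def pdp_decide(policy: PolicyStore, subject: str, resource: str, action: str) -> str:
    """Policy Decision Point: deny-overrides over the rules that match."""
    decision = "NotApplicable"
    for r in policy.rules:
        if (r.subject, r.resource, r.action) != (subject, resource, action):
            continue
        if r.effect == "Deny":
            return "Deny"
        decision = "Permit"
    return decision


# HTTP method -> XACML action the PEP asks about.
HTTP_ACTION = {"GET": "read", "HEAD": "read", "POST": "write",
               "PUT": "write", "PATCH": "write", "DELETE": "write"}


def pep_handle(policy: PolicyStore, method: str, path: str, bearer: str) -> Tuple[int, str]:
    """Policy Enforcement Point in front of the Resource Server API.

    Returns (HTTP status, reason); only a Permit lets the call through.
    """
    tok = TOKENS.get(bearer)
    if tok is None:
        return 401, "invalid_token"
    action = HTTP_ACTION.get(method.upper())
    if action is None:
        return 405, "method not allowed"
    # "/owners/<owner>/attributes" maps to the resource "owner:<owner>/attributes"
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "owners" or parts[2] != "attributes":
        return 404, "unknown resource"
    if parts[1] != tok["owner"]:
        return 403, "token not issued for this resource owner"
    resource = f"owner:{parts[1]}/attributes"
    decision = pdp_decide(policy, tok["client"], resource, action)
    if decision == "Permit":
        return 200, "ok"
    return 403, f"pdp:{decision}"
```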

OAuth 2.0 & SAML[2]#

As you might expect for two general purpose security frameworks, there are a number of different integration points between OAuth 2.0 and the Security Assertion Markup Language (SAML), including:

We compare some of the various facets of Standards Based SSO.

17-Dec-2015 16:26
2015-12-17#

Why OAuth#

14-Dec-2015 12:19
Overview#

OWIN#

Kept hearing about OWIN and that it was some standard.

12-Dec-2015 11:56
2015-12-12#

Stumbled On#

PrivacyLens gives users fine grained control of what information is sent from an identity provider to a service provider. It derives from, and augments the capabilities of uApprove. It is installed by embedding it into an existing installation of the Shibboleth Identity Provider.

uApprove is a User Consent Module for Shibboleth Identity Providers v2.x to enforce acceptance of terms of use and user attribute release consent. It serves the following purposes:

  • The user is informed about the release of his data (attributes) to a Service Provider (SP) when he accesses the SP for the first time or if his data changed.
  • The administrator of an Identity Provider (IdP)
    • can ask the user to accept an IdP's terms of use before accessing any services
    • gets a tool that implements data protection laws by enforcing user consent before personal user attributes are released to an SP
    • knows when a particular user gave consent to release which attribute and value to a particular SP

From the user's point of view, uApprove is an application which presents him a webpage, on which

  • he may have to accept or decline the Terms of Use of a Shibboleth Identity Provider upon first access to the system (this option can be disabled by configuration)
  • he can globally accept the release of all his/her attributes to any Service Provider
  • he has to accept the release of his/her attributes upon first access to a given Service Provider (if the global release has not been approved)
Shibboleth IdPv3 comes with built-in user consent that obsoletes uApprove!

07-Dec-2015 12:33
2015-12-07#

Galois-Counter Mode (GCM) is a block cipher mode of operation that uses universal hashing over a binary Galois field to provide authenticated encryption.

29-Nov-2015 13:03
2015-11-29#

New entries#

26-Nov-2015 13:01
2015-11-26#

Privacy-Preserving Attribute-Based Credential Engine#

23-Nov-2015 15:38
2015-11-23#

JSON-LD#

Data is messy and disconnected. JSON-LD organizes and connects it, creating a better Web.

18-Nov-2015 11:13
2015-11-18#

Mutual SSL Authentication#

Found this nice article on Mutual SSL Authentication

14-Nov-2015 13:10
2015-11-14#

CommonAccord#

04-Nov-2015 11:47
2015-11-04#

Blockchain Other Uses#

Along with bitcoin transactions, the blockchain can be used to store any digital data. While some view such uses as “bloating the blockchain”, bitcoin’s decentralized nature means that they cannot effectively be stopped. This led the developers of Bitcoin Core, the official bitcoin client, to introduce an official mechanism for adding arbitrary metadata to transactions in early 2014[1]

This mechanism is used by services such as Proof of Existence and BlockSign to notarize the existence of a document by embedding a digital signature of that document inside a transaction.

Other Blockchains#

Sidechains[2]#

The distributed Bitcoin mining network performs quadrillions of calculations every second that maintain the integrity of its blockchain. Other blockchains are not remotely as secure, but they innovate much faster. Sidechains, an innovation proposed and developed by the startup Blockstream, allow for the best of both worlds; the creation of new blockchains "pegged" to Bitcoin, so that value can be transferred between them, which can conceivably be automatically secured by Bitcoin miners via “merged mining.”

The sidechains vision of the future is of a vast globe-spanning decentralized network of many blockchains, an intertwined cable rather than a single strand, each with its own protocol, rules, and features — but all of them backed by Bitcoin, and protected by the Bitcoin mining network, as the US dollar was once backed by gold. Sidechains can also be used to prototype changes to the fundamental Bitcoin blockchain. One catch, though: this will require a small tweak to the existing Bitcoin protocol.

03-Nov-2015 13:34
2015-11-03#

The definitive guide to form-based website authentication#

https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication?rq=1

Server Name Indication#

01-Nov-2015 12:57
2015-11-01#

Forget Firewalls - Enterprise Data is your New Perimeter[1]#

One of the biggest challenges modern enterprises are facing is the evolution toward connected businesses. To survive in this fiercely competitive environment, businesses strive to be as agile as possible, to continuously adopt new business models and to open up new communication channels with their partners and customers. Thanks to rapidly growing adoption of cloud and mobile computing, enterprises are becoming more and more interconnected, and the notion of a security perimeter has almost ceased to exist.

Since you can NOT protect your infrastructure, you must protect your data.

  • Information must be self describing and defending
  • Policies and controls must account for business context
  • Information must be protected as it moves from structured to unstructured, in and out of applications, and changing business contexts
  • Policies must work consistently through the different layers of technologies we implement.

The process has been termed Information Rights Management and involves the following:

  • Data Discovery - You must know where your data exists - You can not protect what you do not know.
  • Data Classification - Not all data is created equal and every organization has its own data taxonomy
  • Data Visibility - You need to know who is using your data at anytime, inside and outside of your network.
  • Data Protection - All sensitive data must be encrypted: Data At Rest, Data In Transit, Data In Process, and In the Wild
  • Data Security Analytics - You must be able to make data decisions in real time if a data breach is detected.

30-Oct-2015 11:57
2015-10-30#

Transaction Authentication Numbers#

A transaction authentication number (TAN) is used by some online banking services as a form of single use one-time passwords to authorize financial transactions. TANs are a second layer of security above and beyond the traditional single-password authentication.

TANs provide additional security because they act as a form of two-factor authentication. Should the physical document or token containing the TANs be stolen, it will be of little use without the password; conversely, if the login data are obtained, no transactions can be performed without a valid TAN.

29-Oct-2015 01:18
2015-10-28#

CyLab Usable Privacy and Security Laboratory#

From a twitter entry we ran across CyLab Usable Privacy and Security Laboratory

25-Oct-2015 16:08
Overview#

API-Gateway#

The API-Gateway should have some ability to integrate with Authentication Methods and Access Control Models.

These are some of the players:

23-Oct-2015 14:12
2015-10-23#

NIST Privacy-Enhanced Identity Brokers#

The National Cybersecurity Center of Excellence (NCCoE) at NIST has released a Building Block White Paper "Privacy-Enhanced Identity Brokers"

"An Identity Broker can provide business value to both RPs and IdPs since each RP and IdP only needs to integrate with the identity broker once. The value to the RP is quite simple connect once (to the identity broker) and accept many types of credentials. Yet the identity broker may raise risks to individual privacy; the broker, if deployed incorrectly, is in a significant position of power, as it creates the potential to track or profile an individual’s transactions. In addition, it could gain insight into user data it does not need in order to perform the operations desired by IdPs and RPs.

Privacy Enhancing Technologies (PETs) are tools, applications, or automated(?) mechanisms which—when built into software or hardware—reduces or eliminates adverse effects on individuals when their personal information is being collected and/or processed. PETs implemented by identity brokers can reduce the risk of superfluous exposure of individuals’ information to participant organizations that have no operational need for the information, as well as shrink the attack surface for unauthorized access.

This document describes the technical challenges unique to integrating Privacy Enhancing Technologies with Identity Brokers. It suggests scenarios suited for exploring the tradeoffs of mitigating or accepting specific privacy risks. Ultimately, this project will result in a publicly available NIST Cybersecurity Practice Guide—a description of the practical steps needed to implement a reference architecture that addresses existing challenges in the current identity broker marketplace."

The complete document can be found at: https://nccoe.nist.gov/sites/default/files/nccoe/Privacy_Enhanced_Identity_Brokers_Building_Block_WP.pdf

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
16-Oct-2015 11:06
Overview#

WebSEAL#

"WebSEAL is a high performance, multi-threaded Web server that applies fine-grained security policy to the Tivoli Access Manager protected Web object space. WebSEAL can provide single sign-on solutions and incorporate back-end Web application server resources into its security policy."

WebSEAL normally acts as a reverse Web proxy by receiving HTTP/HTTPS requests from a Web browser and delivering content from its own Web server or from junctioned back-end Web application servers. Requests passing through WebSEAL are evaluated by the Tivoli Access Manager authorization service to determine whether the user is authorized to access the requested resource.

WebSEAL provides the following features:

  • Supports multiple authentication methods: both built-in and plug-in architectures allow flexibility in supporting a variety of authentication mechanisms.
  • Accepts HTTP and HTTPS requests.
  • Integrates and protects back-end server resources through WebSEAL junction technology.
  • Manages fine-grained access control for the local and back-end server Web space: supported resources include URLs, URL-based regular expressions, CGI programs, HTML files, Java servlets, and Java class files.
  • Performs as a reverse Web proxy: WebSEAL appears as a Web server to clients and appears as a Web browser to the junctioned back-end servers it is protecting.
  • Provides single sign-on capabilities.

More Information#

There might be more information for this subject on one of the following: ...nobody
11-Oct-2015 12:52
2015-10-11#

Defining some parameter pages for Char#

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
29-Sep-2015 11:46
2015-09-29#

Principle of least privilege#

Secure by design#

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
18-Sep-2015 11:28
2015-09-18#

Password-Based Key Derivation Function#

More Information#

There might be more information for this subject on one of the following: ...nobody
03-Sep-2015 08:39
2015-09-03#

NIST uses three NIST Special Publication subseries to publish computer/cyber/information security guidance, recommendations and reference materials:

  • SP 800s: NIST's primary mode of publishing computer/cyber/information security guidelines, recommendations and reference materials.
  • SP 1800s: a new subseries created to complement the SP 800s; targets specific cybersecurity challenges in the public and private sectors with practical, user-friendly guides to facilitate adoption of standards-based approaches to cybersecurity.
  • SP 500s: a general IT subseries used more broadly by NIST's Information Technology Laboratory (ITL); this page lists selected SP 500s related to NIST's computer security efforts. (Prior to the SP 800 subseries, NIST used the SP 500 subseries for computer security publications; see Archived NIST SPs for a list.)

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
02-Sep-2015 16:29
2015-09-02#

Article 29 of Directive 95-46-EC#

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
29-Aug-2015 09:09
2015-08-29#

Common Domain for Identity Provider Discovery#

Service providers need a way to determine which identity provider in a circle of trust is used by a principal requesting authentication. Because Circles of Trust are configured without regard to their location, this function must work across DNS-defined domains. A common domain is configured, and a common domain cookie written, for this purpose.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
27-Aug-2015 08:56
2015-08-27#

A number of folks have been discussing liability topics in side-email, and I wanted to share some excerpted thoughts here in preparation for Friday’s subgroup call. (Unfortunately, I can’t be on the call myself; Dazza has graciously agreed to facilitate.)

The top liability/adoption conundrum I think we face is the one of whether a resource server (RS) can become comfortable with “outsourcing” protection to an authorization server (AS). An imperfect but apt analogy in the identity world is the relationship between relying parties (RPs) and identity providers (IdPs). Adrian has been describing this as wanting to define a “safe harbor” for the RS.

And looking at what use cases to start with, we’ve got a healthcare elephant in the room, so I suggest we tackle it and see how it goes. :-)

A pattern we’re seeing in the HEART Profile group use cases involves: Alice visiting a primary care provider (PCP) for the first time; we can imagine her offering for the PCP’s electronic health record (EHR) system to connect up to "her AS" (*more about this in a sec).

So we’re just talking about very initial UMA steps here, not even a whole flow, and there don't even have to be any Bobs in the picture yet (unless he’s needed for Third-Party off-screen extra purposes).

(I realize not every jurisdiction in the world has private-sector PCPs, but I believe that in some public-sector systems, private PCPs work under contract to the government — might they feel liability pressure?)

What do I mean by "her AS"?#

Adrian and I had a really interesting exchange about what the relationship should be between the RS, Alice, and "Alice’s AS".

Adrian's take:

  • The RS has no right to object to whatever AS Alice wants to tell it to use, because it has no stake in the matter — it just does what the AS tells it to, it gets safe-harbor protection by getting a list of assurances that either come built-in with UMA, or can be built on top of it (I’m not sure I understand the whole list...).

Eve's take:

  • I really want to believe this. Obviously, what I want us to be able to build is an ironclad case for this! But an RS in real life has to act as an OAuth client to an UMA AS, has to trust that the AS actually does the right thing in coughing up tokens, that it’s secure, etc. Without those “trust framework” types of assurances, it would be crazy — or, more to the point, the CEO, CFO, and CIO of the RS operator would be crazy — to allow Alice to just point to Zeke’s Nocturnal AS (motto: “We Fly By Night”).

In fact, if Alice built her own AS, it could be even shadier because she could participate in collusion with it to put lots of other people’s data at risk — the AS may end up seeing identifiers and claims of requesting parties, and maybe Alice is opening up the AS at home and looking at all the data. (Not that the RS may strictly care about these vulnerabilities, but *I* care…)

In case it turns out to matter for use case exercise purposes, here are some candidate variations on the chosen AS that I identified:

  • Alice-AS: Alice runs her own AS, whether on a home server or at her ISP or in AWS or whatever
  • Social-AS: Alice chooses her own AS, say, run by Google or Facebook or some similar service (a la social IdPs) through a “NASCAR" interface
  • Gov-AS: Alice uses a public-sector AS
  • Private-AS: Alice uses the AS offered by the same closed system in which the RS runs (a la the new Privacy Control Center in Google Apps)

Do the scenario, the goal, the roles, and the UMA flow give enough to work with in mapping to contractual parties?

===============================================================================

to wg-uma #

I just belatedly saw another note from Adrian that made a crucial clarification. He suggests that “when a resource has only one Resource Owner, there is a benefit in allowing that RO to specify the AS”. UMA only enables one (lowercase, technical) resource owner per resource, so I think what this really may mean is that "the data rights ownership inheres 100% in the individual RO" (or something like that).

Would examples of data like this include health data stored in an EHR system?... I get the feeling that the data rights are never 100% on the RO's side, because the service operator may have data retention rights/requirements and so on.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
26-Aug-2015 11:48
2015-08-26#

IDENTITY, CREDENTIAL, & ACCESS MANAGEMENT#

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
24-Aug-2015 12:09
2015-08-24#

Trust Framework in Healthcare Technologies#

Keith Hazelton keith.hazelton@wisc.edu via kantarainitiative.org
This post to the UMA WG challenges our OTTO presumption that federations are an inescapable precondition for the solution. The specific challenge comes from what Adrian says about the health record domain. —k

From: <wg-uma-bounces@kantarainitiative.org> on behalf of Adrian Gropper
Date: Wednesday, August 19, 2015 at 14:39
To: Eve Maler
Cc: "wg-uma@kantarainitiative.org UMA"
Subject: Re: WG-UMA Legal Use Case - User Managed vs. Controlled Access

Eve,

I really don't see how to introduce UMA in healthcare or anywhere else if the use-case is as in the university e-transcript case study. That model is unrealistic, at least in healthcare:

  • Presumes adoption of shared data models and scopes (the HEAR in the demo) to a practical extent for authorization management. FHIR is moving in that direction and promises standardization for interchange purposes but authorization is a higher bar because it presumes that Alice's comprehension, state, and federal data protection mandates (42CFR) will align with the interchange standards. There is no reason to believe this alignment will happen. FHIR is governed by a group of industry peers for their interchange purposes. Authorization is not necessarily on their agenda. My example is healthcare specific, but I suspect it applies to most other verticals, probably even education.
  • Presumes adoption of identity and other federations. There are absolutely no ID federations in healthcare and none are even on the horizon. Healthcare may be a more extreme case but we see similar behavior in many other industries that serve consumers. In finance, consumer ID federation is limited to small transactions at ATMs. Education is a misleading outlier because the participants are peer higher education institutions. ID federation will happen sooner or later but the path is far from clear and UMA should not wait if we want real-world adoption for IoT and selected verticals.
  • The outsourced model for general purpose authorization management is currently the Apple App Store and they have no reason to adopt standards in the near term. We see the Apple authorization domain moving from the regular apps, to HealthKit apps, to payment, and now to HomeKit. UMA will enter the market as the standard for businesses that want to compete with Apple's strong privacy protections. Substitutability of the Authorization Server will be essential to competing with Apple and other walled gardens of authorization.

I'm not as close to other verticals as I am to healthcare but it seems to me that the evidence points in the direction of dynamic registration of the UMA Authorization Server first, followed by dynamic registration of the client second. Although I'd like to see every implementation of UMA include OIDC by default, like MITRE ID Connect does, the more we rely on federation of identity and standard authorization data models, the less likely we are to succeed.

Adrian

HEART Profile WG#

The HEART Working Group intends to harmonize and develop a set of privacy and security specifications that enable an individual to control the authorization of access to RESTful health-related data sharing APIs, and to facilitate the development of interoperable implementations of these specifications by others.

MVCR#

Demo of User-Managed Access (UMA); UMA where consent means Minimum Viable Consent Receipt (MVCR) needed; Value proposition and Real World use.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
23-Aug-2015 10:31
2015-08-23#

Defining Trusted Infrastructure#

I am part of a group at EMC assigned with defining and developing our point-of-view on trusted infrastructure. We started by checking out what the industry was already saying. The most credible definition we came across is from the Trusted Computing Group (TCG), a well-respected nonprofit organization that defines security specifications.

A taxonomy for securely sharing information among others in a trust domain#

In any given collaboration, information needs to flow from one participant to another. While participants may be interested in sharing information with one another, it is often necessary for them to establish the impact of sharing certain kinds of information. This is because certain information could have detrimental effects when it ends up in wrong hands. For this reason, any would-be participant in a collaboration may need to establish the guarantees that the collaboration provides, in terms of protecting sensitive information, before joining the collaboration as well as evaluating the impact of sharing a given piece of information with a given set of entities. The concept of a trust domains aims at managing trust-related issues in information sharing. It is essential for enabling efficient collaborations. Therefore, this research attempts to develop a taxonomy for trust domains with measurable trust characteristics, which provides security-enhanced, distributed containers for the next generation of composite electronic services for supporting collaboration and data exchange within and across multiple organisations. Then the developed taxonomy is applied to a possible scenario, in which the concept of trust domains could be useful.

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=6750210&url=http%3A%2F%2Fieeexplore.ieee.org%2Fxpls%2Fabs_all.jsp%3Farnumber%3D6750210

Open Trust Taxonomy for OAuth2 References #

http://ilpubs.stanford.edu:8090/675/1/2005-11.pdf:

Gathering Information#

  • Identities
  • Information Integrity

Dealing with Strangers#

  • Strangers: Peers that appear to be new to the system. They have not interacted with other peers and therefore no trust information is available.
  • Adversary: A general term we use to apply to agents that wish to harm other peers or the system, or act in ways contrary to “acceptable” behavior.

Reputation Scoring and Ranking#

Inputs#

Regardless of how a peer’s final reputation rating is calculated, it may be based on various statistics collected from its history.

Output#

In the end, the computed reputation rating may be a binary value (trusted or untrusted), a scaled integer (e.g. 1 to 10), or on a continuous scale (e.g. [0, 1]).

Peer Selection#

Once an agent has computed reputation ratings for the peers interested in transacting with it, it must decide which, if any, to choose. If there is only one peer, and the question is whether to trust it with the offered transaction, the agent may decide based on whether the peer’s reputation rating is above or below a set selection threshold.

Blockchain#

Although the Open Trust Taxonomy for OAuth2 Blockchain idea is appealing, the Blockchain is an unforgeable Entity store in that once entered, the content cannot be removed.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
22-Aug-2015 09:12
2015-08-22#

Identity Trust Framework#

A legal definition.[1] A Trust Framework is the governance structure for a specific identity system consisting of:
  • the Technical and Operational Specifications that have been developed –
    • to define requirements for the proper operation of the identity system (i.e., so that it works),
    • to define the roles and operational responsibilities of participants, and
    • to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
  • the Legal Rules that govern the identity system and that --
    • regulate the content of the Technical and Operational Specifications,
    • make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
    • define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

Examples of Identity Trust Framework#

These are Examples with no regard to the compliance to anything else:
  • FICAM: processes and controls for determining an identity provider’s compliance to OMB M-04-04 Levels of Assurance
  • ISO 29115 Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information
  • Kantara: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements
  • OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.
  • OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information
  • NATE
  • DirectTrust

NSTIC 4/15/2011 Final#

The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.

A Trust Framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community’s participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. . . . In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.

Examples of complete Trust Frameworks might include

More Information#

There might be more information for this subject on one of the following: ...nobody
  • [#1] - - based on data observed: 2015-05-18
By unknown  Permalink  Comments? (0)
06-Aug-2015 07:24
2015-08-06#

WG-OTTO#

WG-OTTO -- This is the Open Trust Taxonomy for OAuth2 Work Group

Vectors of Trust#

NIST Special Publication 800-63 (SP 800-63) defines a linear-scale Level Of Assurance (LoA) measure that combines multiple attributes about an identity transaction into a single measure of the level of trust a relying party should place in an identity transaction. Even though this definition was originally made for specific government use cases, the LoA scale appeared to be applicable to a wide variety of authentication use cases. This has led to a proliferation of incompatible interpretations of the same scale in different trust frameworks, preventing interoperability between these frameworks in spite of their common measurement.

Since identity proofing strength increases linearly along with credential strength, the LoA scale is also too limited for describing many valid and useful forms of an identity transaction. For example, an anonymously assigned hardware token can be used in cases where the real world identity of the subject cannot be known or is verified through some out of band mechanism.

This work seeks to decompose the elements of the LoA values in a way that they can be independently communicated from an Identity Provider (IDP) to a Relying Party, making comparison between Trust Frameworks possible.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
04-Aug-2015 16:56
2015-08-04#

Constrained Application Protocol#

The Constrained Application Protocol (CoAP) is a specialized web transfer protocol for use with constrained nodes and constrained networks in the Internet of Things. The protocol is designed for machine-to-machine (M2M) applications such as smart energy and building automation.

More Information#

There might be more information for this subject on one of the following: ...nobody
31-Jul-2015 08:55
2015-07-31#

How native applications can link[1]#

A separate (but complementary) feature coming to both Android M and iOS 9 is an improvement on how native applications can link between themselves, and their associated web servers. Both Android's App links and Apple's Universal Links allow application developers to claim an association with a particular web domain. Once claimed, any http(s) addresses to that domain will be interpreted by the OS as belonging to that application and not the default system browser. Similar to the previous custom URL schemes used for inter-app messaging, the new linking mechanism promises to close the security issue associated with custom URLs, namely how it was possible for other applications to squat on the URLs of a given app, and so gain access to the data shared by those URLs. By requiring that an app developer, in order to lay claim to a particular domain, be able to demonstrate ownership of that domain by placing a specific file on that domain, the new link mechanisms will shut out the hackers.

The Native Applications Working Group (NAPPS) WG in the OIDF is in the process of discussing the impact of these new mobile OS features on the emerging NAPPS spec. Apple's Universal Linking and Android's App Links both appear to provide a meaningful security enhancement and so it may make sense for NAPPS to stipulate their use. ... Again, in the context of a native application getting the user authenticated against an OAuth AS, the new linking mechanisms promise to provide additional assurance that the tokens are being issued to a valid application, and not some malicious application that was able to get itself installed and squatting on the valid custom scheme URLs. (The Proof Key for Code Exchange by OAuth Public Clients (PKCE) mechanism was motivated by the same risk, though PKCE allows the AS to ensure only that the tokens were returned to the particular application that requested them, which could be a bad app).

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
29-Jul-2015 10:39
2015-07-29#

InComm's drive to bring open-loop prepaid to Mobile-Digital Wallets[1]#

In June, Pew Charitable Trusts estimated that some 23 million adults use general purpose reloadable prepaid cards in the U.S. on a regular basis.

InComm, one of the leading prepaid program providers worldwide, sees an opportunity in that number to entice more consumers — particularly the financially underserved and millennials — to use mobile payments at a time when more contactless terminals are present in U.S. storefronts thanks to the current EMV shift underway nationwide.

To accomplish this, InComm has partnered with Gemalto to use the digital security company's Allynis Trusted Services Hub to digitize its open-loop prepaid card offerings so that consumers can add them to select mobile wallets. Gemalto last year introduced Allynis as a way to help banks, transportation companies and other financial services providers make the right connections with mobile network operators and original equipment manufacturers to access the coveted secure element on NFC-enabled smartphones.

More Information#

There might be more information for this subject on one of the following: ...nobody
26-Jul-2015 18:03
2015-07-26#

OAuth, OpenID Connect and User-Managed Access allow IDAM to become decentralized, which enables scaling and agile federation.#

https://kantarainitiative.org/confluence/display/uma/Privacy+by+Design+Implications+of+UMA

OAuth 2.0 has three Entities #

- Is responsible to be or Authorization server to the PIP

In OAuth 2.0 there is no specification as to how the Authorization Server and the Resource Server communicate. Typically it is assumed they are within the same security domain, often on the same server, and the communication is proprietary.

In User Managed Access, the Resource Server may outsource protection to a centralized Control Console.

In User Managed Access, the Authorization Server implements standardized APIs for privacy and selective Sharing.

User Managed Access adds an additional Entity the Requesting Party (Bob). The usage case was what if Alice wants to share with Bob.

The User Managed Access specification further defines relationships between the Entities:#

Resource Server and OAuth Client#

The Resource Server exposes whatever it wants and is protected by the Authorization Server, just like in OAuth 2.0. The Requesting Party Token may be thought of as the Access Token from OAuth 2.0 with a few extra properties which make it more flexible; it is presented to the Authorization Server's Requesting Party Token Endpoint.

Authorization Server and Resource Server#

In User Managed Access the Authorization Server has to Interact with the Resource Server perhaps over the Internet as they could be operated by different companies.

The Authorization Server exposes a Protection API, protected by the Protection API Token, which allows the Resource Server to inform the Authorization Server via the Resource Set Registration Endpoint of which Resources need to be protected and which OAuth Scopes are applicable to each Resource. This communication is defined within the OAuth 2.0 Resource Set Registration specification.

The Authorization Server is the authoritative source for the Resource Owner (Alice), but the Resource Server is authoritative for what its API can do and what the Resource Owner (Alice) has created there.

The Resource Server may have a one-to-many relationship(s) with Authorization Servers.

The Resource Owner (Alice) must consent to the Authorization Server and Resource Server working on her behalf, which is done via the Protection API Token.

Authorization Server and OAuth Client#

User Managed Access exposes an Authorization API protected by an Authorization API Token (AAT) for the OAuth Client. In User Managed Access the Authorization Server can consume User Managed Access, SAML or OpenID Connect based Claims for Authorization.

The Requesting Party (Bob) must consent to the OAuth Client working with the Authorization Server, as "claims" about him may need to be revealed to permit his access to the Resource Server; this is done via the Authorization API Token.
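As an added illustration (not code from the UMA specifications or from any product), this Python model walks through the relationships described above: Alice's PAT lets the Resource Server register a resource set and its scopes at the Authorization Server, Alice's out-of-band policy decides what Bob may do, Bob's client obtains an RPT via his AAT, and the RS introspects the RPT before serving. The in-memory "endpoints", token formats and the EHR/health-record names are assumptions made for the example.

```python
"""Toy in-memory model of the UMA entity relationships (added example)."""
import secrets
from dataclasses import dataclass


@dataclass
class ResourceSet:
    owner: str
    name: str
    scopes: frozenset


class AuthorizationServer:
    """Authoritative for Alice's policy; learns what exists only from the RS."""

    def __init__(self):
        self.pats = {}            # PAT -> resource owner the RS is acting for
        self.aats = {}            # AAT -> requesting party the client acts for
        self.resource_sets = {}   # resource set id -> ResourceSet
        self.policies = {}        # (resource set id, requesting party) -> scopes
        self.rpts = {}            # RPT -> {resource set id: granted scopes}

    def issue_pat(self, owner):
        """Alice consents to the RS outsourcing protection to this AS."""
        pat = secrets.token_urlsafe(16)
        self.pats[pat] = owner
        return pat

    def issue_aat(self, requesting_party):
        """Bob consents to the client dealing with this AS on his behalf."""
        aat = secrets.token_urlsafe(16)
        self.aats[aat] = requesting_party
        return aat

    def register_resource_set(self, pat, name, scopes):
        """Resource Set Registration endpoint, protected by the PAT."""
        if pat not in self.pats:
            raise PermissionError("invalid PAT")  # models a 401
        rs_id = secrets.token_hex(4)
        self.resource_sets[rs_id] = ResourceSet(self.pats[pat], name, frozenset(scopes))
        return rs_id

    def set_policy(self, owner, rs_id, requesting_party, scopes):
        """Out of band: Alice decides who may do what with her resource."""
        rset = self.resource_sets[rs_id]
        if rset.owner != owner:
            raise PermissionError("only the resource owner sets policy")
        # The AS can only grant scopes the RS declared for this resource.
        self.policies[(rs_id, requesting_party)] = frozenset(scopes) & rset.scopes

    def request_rpt(self, aat, rs_id, scopes):
        """RPT endpoint: evaluate Alice's policy for the AAT holder."""
        requesting_party = self.aats[aat]
        allowed = self.policies.get((rs_id, requesting_party), frozenset())
        granted = allowed & frozenset(scopes)
        if not granted:
            return None  # policy denies every requested scope
        rpt = secrets.token_urlsafe(16)
        self.rpts[rpt] = {rs_id: granted}
        return rpt

    def introspect(self, pat, rpt):
        """The RS asks, authenticated by its PAT, what an RPT permits."""
        if pat not in self.pats:
            raise PermissionError("invalid PAT")
        return self.rpts.get(rpt, {})


class ResourceServer:
    """Authoritative for what its API can do and what Alice created here."""

    def __init__(self, authz):
        self.authz = authz
        self.pat = None
        self.ids = {}  # resource name -> resource set id at the AS

    def outsource_protection(self, pat):
        self.pat = pat

    def protect(self, name, scopes):
        self.ids[name] = self.authz.register_resource_set(self.pat, name, scopes)

    def access(self, rpt, name, scope):
        """Serve only if introspection shows the RPT carries this scope."""
        perms = self.authz.introspect(self.pat, rpt)
        return scope in perms.get(self.ids.get(name), frozenset())


def demo_flow():
    """Alice lets Bob read, but not write, her health record."""
    authz = AuthorizationServer()
    ehr = ResourceServer(authz)
    ehr.outsource_protection(authz.issue_pat("alice"))
    ehr.protect("health-record", {"read", "write"})
    rs_id = ehr.ids["health-record"]
    authz.set_policy("alice", rs_id, "bob", {"read"})
    aat = authz.issue_aat("bob")
    rpt = authz.request_rpt(aat, rs_id, {"read", "write"})  # only read granted
    return {"read": ehr.access(rpt, "health-record", "read"),
            "write": ehr.access(rpt, "health-record", "write")}


if __name__ == "__main__":
    print(demo_flow())
```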

Authorization Server and Requesting Party (Bob)#

If the Requesting Party (Bob) can present

In User Managed Access

Key Use Cases for User Managed Access http://bigdata.csail.mit.edu/

Managing Personal Data Store Access#

Where Alice the owner of the Personal Data Store determines others Authorization.

Protected Resource Sharing#

Blue Button (http://www.healthit.gov/patients-families/blue-button/about-blue-button)#

Traditional WAM vs User Managed Access#

Traditional Web Access Management        | User Managed Access
-----------------------------------------|---------------------------------------------------
Complex and feature-rich                 | RESTful and simpler
Usually proprietary                      | Standard interop baseline
Mobile/API ??                            | Mobile/API-friendly
Brittle deployment architecture (agents) | Just call endpoints
NOT agnostic to authentication method    | Agnostic to authentication method and federation
Hard to source distributed policies      | Flexible in policy expressions and sourcing
Usually coarse-grained                   | Leverages the API's "scope-grained" authorization

Enterprise User Managed Access case study

Out-of-band actions that are not in the specifications: Alice decides which resources are protected, which the specifications do not cover. Alice also sets the policies regarding protection of Resources.

xacmlinfo.org/2011/10/30/xacml-reference-architecture/

Some references for User Managed Access

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
21-Jul-2015 10:21
2015-07-21#

ShoCard[1]#

ShoCard certifies and stores ID documents into the Blockchain, so that you can securely retrieve them later and prove your identity whenever you need to. Its first use case is for bank and credit card identification processes.

Your ShoCard is basically a tiny file that only you can manipulate. When you create your ShoCard, you first scan your identity document and sign it. Then the mobile app will generate a private and public key to seal that record. It is encrypted, hashed and sent to the network of communicating nodes running bitcoin software for later use.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
05-Jul-2015 13:13
Overview #

2015-07-05#

Edge-Node#

01-Jul-2015 10:13
2015-07-01#

Tap-to-pay#

1. "A Microsoft-sized opportunity: Payment processing" - The payments industry doesn't know much about Microsoft's plan for mobile payments, but Thomas Yohannan gives his take on the situation.

In March, Microsoft introduced a "tap-to-pay" feature that will be in its forthcoming Windows 10 for phones and small tablets (a.k.a. "Windows Mobile"), which would support Host Card Emulation.

Newer Android phones use HCE to transmit NFC signals to terminals, which means third-party developers can use this process to build NFC functions into their apps. Just as important, the elimination of the Secure Element makes the payment platform carrier independent, and hence carrier agnostic. These advances are sure to be greeted well in the marketplace, but what is more intriguing is where Microsoft is headed with the possible introduction of mobile payments into their ecosystem.

Based on a money transmitter license that was granted in Idaho, it appears as though the Redmond, Washington-based company is looking to go up against Android Pay, Apple Pay and the LoopPay system that helps form the base for Samsung Pay. Some may see this as a proactive approach by Microsoft to keep pace with competitors in the payments space. However, Microsoft may be trying to become a backend processor.

This move may put Microsoft in direct competition with PayPal, Square and Intuit. These companies have built the backend and have transaction engines to process payments, so they know how to send cash. However, unlike these backend processors, the advantage Microsoft would have is it would help establish potentially secure payment solutions not tied to hardware solutions. Creating a competitive product in this space would be advantageous for an enterprise software company like Microsoft.

Card Verification Method#

There is a fine line between Cardholder Verification Methods and Card Verification Methods.

More Information#

There might be more information for this subject on one of the following: ...nobody
By unknown  Permalink  Comments? (0)
29-Jun-2015 11:47
2015-06-29#

Encryption And Hashing#

25-Jun-2015 06:57
2015-06-25#

Locked Account Check#

21-Jun-2015 09:00
2015-06-21#

How to provide password authentication for an Application UserID?#

When an application uses connections to services such as LDAP, databases, OAuth 2.0, etc., how can we store the password securely and still be able to obtain the cleartext password to perform the required functions?

Basic Approaches #

These are basic approaches to application password storage.
  • Store a password (or passwords) behind a password - This means we require you to type in a passphrase as the application starts in order to read the accounts.xml file and, to be truly secure, require you to type it again if the application writes to it.
  • Obscure a password - This means we store the password in some format other than plain text, and the application automatically converts it back to plaintext (in memory). This is security by obscurity, and is a Very Bad Thing in that it gives the application owner a false sense of security, which we believe is worse than letting informed users deal with the password issue themselves. Consider that a naive application owner might think it is safe to share the accounts information because the passwords are "encrypted".
  • Store the password in plain text and control access to the file - This is probably best. Store the password in plain text, but make the file itself readable only by the application owner.

References:
  • Mozilla - Let’s talk about password storage - https://blog.mozilla.org/webdev/2012/06/08/lets-talk-about-password-storage/
  • Apache - EncryptedPasswordStorage - https://wiki.apache.org/subversion/EncryptedPasswordStorage
  • MonoWall - Why are some passwords stored in plaintext in config.xml? - http://doc.m0n0.ch/handbook/faq-plaintextpass.html
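
The third approach only works if the application actually enforces the file permissions rather than assuming them. The following Python is an added example (not from the page or the references above) that creates the accounts file owner-readable only and refuses to load it when the mode or owner has drifted; the file layout and account values are constructed.

```python
import json
import os
import shutil
import stat
import tempfile

# Constructed sample accounts file for the plaintext-plus-permissions approach (hypothetical layout).
SAMPLE_ACCOUNTS = {
    "ldap": {"bind_dn": "cn=app,ou=services,dc=example,dc=com", "password": "s3cret-ldap"},
    "db":   {"user": "app", "password": "s3cret-db"},
}


def write_accounts_file(path, accounts):
    """Create or overwrite the accounts file so that only its owner can read it.

    The 0600 mode is handed to open(2) at creation time and then enforced with fchmod,
    so a pre-existing file with looser bits is tightened before any secret lands in it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        os.fchmod(fh.fileno(), 0o600)
        json.dump(accounts, fh)


def check_owner_only(path):
    """Return the reasons the file must not be trusted (an empty list means it is fine).

    It has to be a regular file, owned by the running user, with no group/other bits:
    the same rule ssh applies to private keys."""
    st = os.stat(path)
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        problems.append("owned by uid %d, not by the running user" % st.st_uid)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o grants group/other access" % stat.S_IMODE(st.st_mode))
    return problems


def load_accounts(path):
    """Read the plaintext accounts, refusing (not merely warning) when the file is exposed."""
    problems = check_owner_only(path)
    if problems:
        raise PermissionError("refusing to read %s: %s" % (path, "; ".join(problems)))
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Write, read back, then loosen the mode the way a careless 'share the file' would."""
    workdir = tempfile.mkdtemp()
    try:
        path = os.path.join(workdir, "accounts.json")
        write_accounts_file(path, SAMPLE_ACCOUNTS)
        problems_on_private_file = check_owner_only(path)          # expected: []
        ldap_password = load_accounts(path)["ldap"]["password"]
        os.chmod(path, 0o644)                                      # now world-readable
        try:
            load_accounts(path)
            refused_when_shared = False
        except PermissionError:
            refused_when_shared = True
        return ldap_password, problems_on_private_file, refused_when_shared
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```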

Persona#

What is Persona.

20-Jun-2015 07:33
2015-06-20#

Why OpenID Connect#

16-Jun-2015 16:02
2015-06-16#

redirect_uri#

Standards Based SSO#

OpenID Connect turns SSO into a standard OAuth-protected identity API

14-Jun-2015 23:05
2015-06-14#

OAuth 2.0 Authorization#

Here we show the Authorization Code Grant Type, which would typically be used for Web Server type applications.

Some basic conditions must exist in advance:

1) The Resource Owner (user) accesses the OAuth Client (The Photo application).

2) The OAuth Client constructs the Authorization Request as a URI, adding the following parameters:

    • response_type - REQUIRED Value MUST be set to "code".
    • client_id - REQUIRED The client identifier
    • redirect_uri - OPTIONAL as it may be registered with Authorization Server in advance.
    • scope - OPTIONAL The "Desired" scope of the access request
    • state - RECOMMENDED An opaque value used by the client to maintain state between the request and callback.

3) The Resource Owner (user) is redirected by the OAuth Client (The Photo application) with the Authorization Request to the Authorization Endpoint on the Authorization Server.

4) The Resource Owner (user) authenticates to the Authorization Server.

5) The Resource Owner (user) is then redirected to the redirect_uri of the OAuth Client (The Photo application).

6) When the OAuth Client (The Photo application) redirect_uri is accessed, the OAuth Client (The Photo application) connects directly to the Authorization Server and creates Access Token Request which includes:

7) If the Authorization Server can accept these values, the Authorization Server sends back an Access Token Response which includes:

8) The OAuth Client (The Photo application) can now use the Access Token to request resources from the Resource Server. The Access Token serves as both:

There is no OpenID Connect involved in this operation; this is all part of the OAuth 2.0 protocol.
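
The steps above, as an added Python example that is not part of the original entry: the client builds the Authorization Request of step 2 with the listed parameters, validates the redirect_uri callback of step 5 against the stored state before trusting the code, and prepares the direct Access Token Request of step 6 (parameter names per RFC 6749 section 4.1.3). The endpoints, client_id and codes are constructed values.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the Photo application; the endpoints are hypothetical.
AUTHORIZATION_ENDPOINT = "https://as.example.com/authorize"
CLIENT_ID = "photo-app"
REDIRECT_URI = "https://photo.example.com/callback"


def build_authorization_request(session, scope="photos:read"):
    """Step 2: build the Authorization Request URI with the parameters listed above.

    A fresh random state is remembered in the user's session so the callback in step 5
    can be tied back to this request; that binding is what stops a forged callback from
    attaching someone else's authorization code to this user's session."""
    state = secrets.token_urlsafe(24)
    session["oauth_state"] = state
    params = {
        "response_type": "code",       # REQUIRED, must be "code" for this grant
        "client_id": CLIENT_ID,        # REQUIRED
        "redirect_uri": REDIRECT_URI,  # OPTIONAL when pre-registered; sent explicitly here
        "scope": scope,                # OPTIONAL
        "state": state,                # RECOMMENDED
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def handle_callback(session, callback_url):
    """Step 5: the user arrives at redirect_uri. Validate state before trusting code.

    The stored state is consumed only on success, so a stray forged callback cannot
    break the genuine flow, while the genuine callback cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.get("oauth_state")
    received = query.get("state", [None])[0]
    if expected is None or received is None or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback is not tied to a request we issued")
    session.pop("oauth_state")
    if "error" in query:
        raise ValueError("authorization server returned error=%s" % query["error"][0])
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries neither code nor error")
    return code


def build_token_request(code, client_secret):
    """Step 6: body the client POSTs directly to the Authorization Server's token endpoint
    (parameter names per RFC 6749 section 4.1.3; client_secret is a constructed value).
    Client credentials belong in an HTTP Basic header, never in a URL that gets logged."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must match the value sent in step 2
        "client_id": CLIENT_ID,
    }
    return body, ("Basic", CLIENT_ID, client_secret)


def demo():
    """Run the client side of steps 2, 5 and 6 against constructed callbacks."""
    session = {}
    request_url = build_authorization_request(session)
    issued_state = parse_qs(urlparse(request_url).query)["state"][0]
    # A callback carrying a state we never issued must be rejected.
    forged = REDIRECT_URI + "?" + urlencode({"code": "not-ours", "state": "bogus"})
    try:
        handle_callback(session, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    # The genuine callback (same state, constructed code) is accepted once.
    genuine = REDIRECT_URI + "?" + urlencode({"code": "constructed-code-123", "state": issued_state})
    code = handle_callback(session, genuine)
    try:
        handle_callback(session, genuine)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return code, forged_rejected, replay_rejected


if __name__ == "__main__":
    print(demo())
    print(build_token_request("constructed-code-123", "constructed-secret"))
```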

09-Jun-2015 10:01
2015-06-09#

ProjectVRM#

08-Jun-2015 10:46
Overview#
Smart Home adoption will only gain momentum if the different devices can be connected into over-arching use cases, but currently the market for Home Automation and Internet Of Things gadgets is heavily fragmented.

Some of the Frameworks#

Eclipse SmartHome#

Eclipse SmartHome is designed as a set of OSGi bundles that can be run on any OSGi container, such as Eclipse Equinox or Apache Felix. All that is required underneath is a Java7-compliant Java Virtual Machine (JVM), and JVMs are available for all major platforms and architectures such as x86 or ARM.

Freedomotic#

Freedomotic is an open source, flexible, secure Internet of Things (IoT) development framework, useful to build and manage modern smart spaces. It is targeted to private individuals (home automation) as well as business users (smart retail environments, ambient aware marketing, monitoring and analytics, etc).

openHAB#

openHAB is a vendor and technology agnostic open source automation software for your home. Build your smart home in no time!

pimatic#

pimatic, smart home automation for the Raspberry Pi, is a home automation framework that runs on node.js. It provides a common extensible platform for home control and automation tasks. (Runs on Raspberry Pi.)

HomeKit#

HomeKit is a framework in iOS 8 for communicating with and controlling connected accessories in a user’s home. You can enable users to discover HomeKit accessories in their home and configure them, or you can create actions to control those devices. Users can group actions together and trigger them using Siri.

Google's ??? Nest/Nearby/Android@home ???#

Google, as always, has a lot of things on the fire, but no product has shown up.

2lemetry#

2lemetry is an Internet of Things platform and technology company that powers the connected enterprise, tying people, processes, data and devices together—transforming raw data into real-time Actionable Intelligence.

03-Jun-2015 10:54
2015-06-03#

Some things ...#

I have been meaning to look into some of these things:

Identity Broker#

01-Jun-2015 10:37
Overview#

Google gets back into mobile payments with Android Pay#

Responsive Organizations#

We talk a lot about Agile and Lean, and a lot of this is written off as being ONLY for software developers.

27-May-2015 15:14
2015-05-27#

Neo-Security Stack#

OAuth Scopes#

26-May-2015 14:46
2015-05-26#

The Changing Device Mix#

By 2017, 87% of connected devices will be phones and tablets, according to IDC's connected device tracker.

19-May-2015 11:38
2015-05-19#

Social Login#

The term Social Login has come up more and more.

18-May-2015 16:24
Overview#

PicoContainer#

PicoContainer's most important feature is its ability to instantiate arbitrary objects. This is done through its API, which is similar to a hash table. You can put java.lang.Class objects in and get object instances back.

16-May-2015 09:45
2015-05-16#

Microservice#

Eric Evans, the founder of Domain-Driven Design (DDD)#

10-May-2015 09:59
Overview#

FreeIPA#

14-Apr-2015 16:13
2015-04-14#

FLAIM Attribute Containerization#

We are getting lots of system IndexDefinitions created because IDM is adding lots of values to some attributes.

Edirectory Indexes are created automatically when an attribute has more than 25 values or if the value of the attribute is more than 2048 bytes.

Such attributes are moved to a separate attribute container and indexes are created for them. These auto-generated indexes are marked as system indexes.

eDirectory does not permit deleting system indexes, and hence any attempt to delete them gives an error.

To work around this issue, add the following value in the _ndsdb.ini file in the DIB directory, and then restart ndsd:

  • disablemovetoattrcontainer=true

This prevents the attributes from being moved to the attribute container. However, this command will not affect the attributes that are already there in the container.

We have also seen conditions where there were a very large number of attributes in use on many entries. When one of the entries added the 25th value, the existing index was dropped and the system index created. While this happens there is a period with no eDirectory Index on the attribute, which causes very slow searches.

When there are many entries with several values, creating the new index took forever.

06-Apr-2015 18:29
Overview#

Comment: Testing Note

02-Apr-2015 14:06
2015-04-02#

example.com#

example.com, example.net, and example.org are second-level domain names reserved by the Internet Engineering Task Force through RFC 2606, Section 3,[1] for use in documentation and examples. They are not available for registration.

31-Mar-2015 15:03
2015-03-31#

DirXML 4.0.2.0 SE#

24-Mar-2015 12:17
Overview#

Certificate Management Protocol#

Certificate Management over CMS#

10-Mar-2015 16:37
2015-03-03#

CITester#

03-Mar-2015 11:59
2015-03-03#

PayPal strengthens mobile plans with Paydiant acquisition[1]#

One of PayPal's biggest issues over the past few years is its inability to gain a strong foothold inside retailers' physical storefronts. But its announcement Monday to acquire mobile-wallet technology provider Paydiant helps the company address two problems at once as the mobile payments market continues to undergo a remarkable transformation.

"PayPal has done payments really well, but they've had issues on both the mobile and offline side of things," James Wester, research director of global payments for IDC Financial Insights, told Mobile Payments Today in an interview. "This shores up both areas in one acquisition. It gives PayPal a credible way of saying they have a different path to mobile payments compared with Apple and Google."

That path begins with Paydiant's white-label technology, which provides retailers with a mobile wallet and other value-added services such as loyalty. The company counts Capital One, Harris Teeter supermarkets, Orange Leaf, and Subway as its biggest partners. And Paydiant is the mobile-wallet technology provider behind the Merchant Customer Exchange’s CurrentC app. Going forward, it will be business as usual for Paydiant and its current partners.

"There are no changes on that front," Paydiant Co-founder Chris Gardner told Mobile Payments Today in an interview. "We started having conversations with our customers recently to give them a heads up about PayPal and the reaction has been overwhelmingly positive.

"It's pretty hard to imagine we would get a negative reaction when we told them we're adding the might of PayPal while those merchants still get to use our white-label platform."

PayPal did not disclose the terms of the agreement, but re/code reported the purchase price at $280 million. Paydiant will stay at its current Newton, Mass. location for now, but PayPal has a rather large presence in downtown Boston despite its West Coast roots.

In keeping with the mobile payments theme, PayPal also announced it is adding contactless acceptance to its PayPal Here mobile card reader.

Paydiant's relationship with PayPal goes back almost a year; it integrated the company's payments platform about six months ago.

"Our approach has always been to support the payment mechanisms retailers want to use," Gardner said.

That mantra is at the center of this particular marriage.

Paydiant uses a technology-agnostic approach and tailors a merchant's mobile wallet to work with whatever a business thinks is best: Bluetooth, NFC, QR Codes or even a combination of methods. The end goal, Gardner said, is to help the merchant sell more goods regardless of the technology used to complete the transaction.

"People like to say it's NFC versus QR codes, but I think the reality is we're collectively solving a business problem here and the goal is to create great experiences for consumers, particularly how it pertains to retailers," Gardner said.

Paydiant's line of thinking jibes with the one-size-fits-all approach PayPal pursues with merchants. PayPal can now offer retailers payment acceptance options, business loans, and a way to break into mobile payments.

"We want to be a real partner to retailers because that is a key differentiator that we have on a global scale," Chris Morse, PayPal's director of communications, said in an interview. "It's us being much more aligned with the retailers, and this relationship helps us extend that."

Current market#

How this relationship eventually benefits MCX remains to be seen, but Wester believes the merchant consortium now has more credibility.

"Outside of the payments industry, are people going to recognize that PayPal now is a partner with a company that is partnered with MCX to make the CurrentC app?" Wester said. "That may be a long chain that PayPal will have to reinforce with consumers, but I think there is a credibility issue of having PayPal involved. It's a recognized payments option for consumers in the online space."

MCX might need to lean heavily on PayPal's recognition if and when CurrentC launches because it sits squarely behind the eight ball now thanks to recent developments in the last few weeks.

"MCX needs to get out there now," Wester said.

When it does, CurrentC will face competing systems, as the mobile wallet market now has a more defined landscape.

"I think at one point, we thought we would have one wallet to rule them all and everyone else would be picking up what's left," Wester said. "Now what we're seeing are wallets with similar user experiences and that benefits them all.

"We now have all of the sensible, viable mobile payment platforms out there and now it's going to be up to the consumer to decide what they want to pay with."

28-Feb-2015 09:52
2015-02-28#

Tim Cook Says Apple Watch Could Replace Your Car Keys#

Why does anything "said" by Apple get headlines? Does anyone think this is something innovative?

Many home automation systems have used bluetooth or NFC to unlock doors for homes. The key here is trying to "Just Get Along" so that patent, ego and political barriers will allow companies to engage in coopetition to do what the customers desire.

Apple Car and Android Car and (I assume) Samsung Car are not the right way. We need a Car API that can be used for all.

25-Feb-2015 16:41
2015-02-25#

Mobile-Digital Wallets#

There are several Mobile-Digital Wallets and we think they are important to watch due to the generally strong Authentication used. Some of them are:

10-Dec-2014 11:48
2014-12-10#

Authentication Failures#

19-Nov-2014 12:25
2014-11-19#

ldapPermissiveModify #

The current LDAP modify operation can be extended by setting the ldapPermissiveModify option to TRUE. If you attempt to delete an attribute that does not exist or to add any value to an attribute that already exists, the operation goes through without displaying any error message.

Discarding transaction because of optimization#

When the engine examines a complete transaction and decides that the transaction results in no change, it throws the transaction away.

For example, if you have a client that removes an attribute value and then adds the same attribute value back, that transaction results in no change so the engine will discard it.
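
Both points above, as an added Python simulation that is not part of the original entry: strict versus permissive handling of the two cases the ldapPermissiveModify text names (delete of a missing attribute, add of an existing value), and the engine's check that a complete transaction produces no net change. Result-code numbers follow RFC 4511; the entry and the operation tuples are constructed.

```python
from copy import deepcopy


class LdapError(Exception):
    """Simulated LDAP result code (numbers as in RFC 4511)."""

    def __init__(self, rc, name):
        super().__init__("%d %s" % (rc, name))
        self.rc = rc
        self.name = name


NO_SUCH_ATTRIBUTE = (16, "LDAP_NO_SUCH_ATTRIBUTE")
ATTRIBUTE_OR_VALUE_EXISTS = (20, "LDAP_ATTRIBUTE_OR_VALUE_EXISTS")

# Constructed entry: attribute name -> set of values.
SAMPLE_ENTRY = {"cn": {"molly"}, "mail": {"molly@example.com"}}


def apply_modify(entry, changes, permissive=False):
    """Apply a list of (op, attr, values) changes to a copy of `entry`.

    ops are 'add', 'delete' (no values deletes the whole attribute) and 'replace'.
    Strict mode raises where RFC 4511 says a server must; permissive mode (the
    ldapPermissiveModify option above) carries on without an error."""
    result = deepcopy(entry)
    for op, attr, values in changes:
        current = result.get(attr, set())
        wanted = set(values or ())
        if op == "add":
            if (current & wanted) and not permissive:
                raise LdapError(*ATTRIBUTE_OR_VALUE_EXISTS)
            if wanted:
                result[attr] = current | wanted
        elif op == "delete":
            if not wanted:                      # no values listed: delete the attribute
                if attr not in result and not permissive:
                    raise LdapError(*NO_SUCH_ATTRIBUTE)
                result.pop(attr, None)
            else:
                if (wanted - current) and not permissive:
                    raise LdapError(*NO_SUCH_ATTRIBUTE)
                remaining = current - wanted
                if remaining:
                    result[attr] = remaining
                else:
                    result.pop(attr, None)
        elif op == "replace":
            if wanted:
                result[attr] = wanted
            else:
                result.pop(attr, None)
        else:
            raise ValueError("unknown modify op %r" % op)
    return result


def result_code(entry, changes, permissive=False):
    """0 for success, otherwise the simulated LDAP result code."""
    try:
        apply_modify(entry, changes, permissive)
        return 0
    except LdapError as err:
        return err.rc


def is_noop_transaction(entry, changes, permissive=False):
    """The engine optimisation described above: examine the complete transaction and
    report whether it leaves the entry unchanged (in which case it is discarded)."""
    return apply_modify(entry, changes, permissive) == entry


if __name__ == "__main__":
    # Remove a value and add it straight back: no net change, so the engine drops it.
    bounce = [("delete", "mail", ["molly@example.com"]), ("add", "mail", ["molly@example.com"])]
    print("discard:", is_noop_transaction(SAMPLE_ENTRY, bounce))
    print("strict add-existing rc:", result_code(SAMPLE_ENTRY, [("add", "mail", ["molly@example.com"])]))
```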

04-Nov-2014 17:37
2014-11-04 #

Processes and Threads[1] #

In concurrent programming, there are two basic units of execution: processes and threads. In the Java programming language, concurrent programming is mostly concerned with threads. However, processes are also important.

A computer system normally has many active processes and threads. This is true even in systems that only have a single execution core, and thus only have one thread actually executing at any given moment. Processing time for a single core is shared among processes and threads through an OS feature called time slicing.

It's becoming more and more common for computer systems to have multiple processors or processors with multiple execution cores. This greatly enhances a system's capacity for concurrent execution of processes and threads — but concurrency is possible even on simple systems, without multiple processors or execution cores.

Processes #

A process has a self-contained execution environment. A process generally has a complete, private set of basic run-time resources; in particular, each process has its own memory space.

Processes are often seen as synonymous with programs or applications. However, what the user sees as a single application may in fact be a set of cooperating processes. To facilitate communication between processes, most operating systems support Inter Process Communication (IPC) resources, such as pipes and sockets. IPC is used not just for communication between processes on the same system, but processes on different systems.

Most implementations of the Java virtual machine run as a single process. A Java application can create additional processes using a ProcessBuilder object. Multiprocess applications are beyond the scope of this lesson.

Threads #

Threads are sometimes called lightweight processes. Both processes and threads provide an execution environment, but creating a new thread requires fewer resources than creating a new process.

Threads exist within a process — every process has at least one thread. Threads share the process's resources, including memory and open files. This makes for efficient, but potentially problematic, communication.

Multi-threaded execution is an essential feature of the Java platform. Every application has at least one thread — or several, if you count "system" threads that do things like memory management and signal handling. But from the application programmer's point of view, you start with just one thread, called the main thread. This thread has the ability to create additional threads.

01-Nov-2014 22:03
Overview#

Page Views#

26-Oct-2014 07:47
Overview#

U2F#

Working with U2F and Yubico#

Purchased a FIDO U2F Security Key
  • ASIN: B00NLKA0D8
  • Item model number: Y-123

The Yubico Demo Site requires a Chrome Extension to operate. The Extension allows the

Registered at the Yubico Demo Site, which allows testing of the device:

  • enter userID/Password
  • touch U2F device
  • Registration Successful

Login at Yubico Demo Site:

  • enter userID/Password
  • touch U2F device
  • Authentication Successful

The site will allow you to register the same userID as an existing userID, which overwrites the data. So if your password does not work, you will need to re-register your device.

Windows and OS X#

I tested on OS X and Windows:
  • OS X Yosemite running Chrome Version 40.0.2194.2 dev (64-bit)
  • Windows 7 Professional running Chrome Version 38.0.2125.104 m (64-bit)

Mobile#

Then I went to try the mobile app. Downloaded the app:
  • enter userID/Password
  • touch U2F device
  • Nothing happened

Turns out, if you want to use mobile devices, you need the Yubico NEO:

  • ASIN: B00LX8KZZ8
  • Item model number: Y-072

AND you need NFC

I ordered the Yubico NEO and will report back when I get it.

20-Oct-2014 18:38
Overview#

DirXML Engine Version#

How to determine the DirXML Engine Version.

15-Oct-2014 12:43
2014-10-15#

Discussion on Kanban#

23-Sep-2014 10:42
2014-09-23#

RFC 5805#


Forwarded message ---------- Michael Ströder asked:

Which LDAP servers support LDAP transactions as defined in RFC 5805?#

Some answers:

UnboundID #

The UnboundID Directory Server has full support for LDAP transactions as described in RFC 5805. These transactions are also supported through the UnboundID Directory Proxy Server in configurations in which all backend servers have identical sets of data, as well as support for transactions in certain entry-balanced configurations (where the data may be split up into multiple non-identical sets).

In addition, the UnboundID LDAP SDK for Java includes a simple in-memory directory server that is primarily intended for application development and testing purposes rather than any kind of production use. This in-memory directory server also provides full support for LDAP transactions.

OpenLDAP#

Howard Chu: It's currently in OpenLDAP's git repo and support will be in release 2.5.

Is (it) RFC 5805 used with any particular use-cases?#

Howard Chu: The main driver this time around was supporting Samba 4. A lot of the Microsoft AD-related attributes require referential integrity to be maintained atomically.

OID#

OID claims support for RFC 5805: http://docs.oracle.com/cd/E28280_01/admin.1111/e10029/rfcs.htm

17-Sep-2014 16:56
2014-09-17#

from-reset="true"#

When the DirXML Filter has a value set to RESET, then the engine will send a document to the Subscriber Channel similar to:
  <input>
    <modify class-name="User" from-reset="true" qualified-src-dn="dc=com\dc=willeke\OU=people\OU=Int\uniqueID=molly1" src-dn="net\willeke\people\Int\molly1" src-entry-id="203791">
      <association>19e01092f77c1741914fd10fd4a5aa79</association>
      <modify-attr attr-name="L">
        <remove-all-values/>
        <add-value>
          <value timestamp="1375354879#36" type="string">HOUSTON</value>
          <value timestamp="1408446289#7" type="string">CYPRESS</value>
        </add-value>
      </modify-attr>
    </modify>
  </input>

The key XML attribute to notice is that from-reset="true" is present.

26-Aug-2014 15:16
2014-08-26#

Flow of a Password From Active Directory to eDirectory#

28-Jul-2014 13:43
2014-07-28#

DirXML Error in Microsoft Active Directory Driver#

Mapping:

  • L-l
  • S-st

Note that st on Microsoft Active Directory is defined as:

( 2.5.4.8 NAME 'st' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

and Edirectory:

( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'S' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )

And l on Microsoft Active Directory is defined as:

( 2.5.4.7 NAME 'l' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )

and Edirectory:

( 2.5.4.7 NAME ( 'l' 'localityname' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} X-NDS_NAME 'L' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '128' X-NDS_NONREMOVABLE '1' )

So the issue is that these are Single-Valued on Microsoft Active Directory and not on eDirectory.

As the Filter is at the merge default, there is an attempt to merge the values on AD, which results in an error.

AFAIK, if the filter were set to IDV, then the problem would be solved. (I did it, just did not save it.)

Or we could use the Rule "Handle Multi-to-single valued conversions".

Input document:

    <modify cached-time="20140728110308.012Z" class-name="user" event-id="idv01#20140728110308#4#1:ff02b957-77d2-45a6-fe86-57b902ffd277" qualified-src-dn="dc=net\dc=willekedir\OU=people\OU=Int\uniqueID=tungals1" src-dn="\NWPROD\net\willekedir\people\Int\tungals1" src-entry-id="162887" timestamp="1406545375#9">
      <association state="associated">79fd787a59f8554a843804aa376de0c5</association>
      <modify-attr attr-name="st">
        <add-value>
          <value timestamp="1406545375#8" type="string">OH</value>
        </add-value>
      </modify-attr>
      <modify-attr attr-name="l">
        <add-value>
          <value timestamp="1406545375#9" type="string">DUBLIN</value>
        </add-value>
      </modify-attr>
    </modify>

This produced the following DirXML error with the LDAP error:

  <output>
    <status event-id="idv01#20140728110308#4#1:ff02b957-77d2-45a6-fe86-57b902ffd277" level="error" type="driver-general">
      <ldap-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">
        <client-err ldap-rc="20" ldap-rc-name="LDAP_ATTRIBUTE_OR_VALUE_EXISTS">Attribute Or Value Exists</client-err>
        <server-err>00002081: AtrErr: DSID-030F154F, #1:
        0: 00002081: DSID-030F154F, problem 1006 (ATT_OR_VALUE_EXISTS), data 0, Att 8 (st)</server-err>
        <server-err-ex win32-rc="8321"/>
      </ldap-err>
    </status>
  </output>

The LDAP_ATTRIBUTE_OR_VALUE_EXISTS result implies there is already a value for Att 8 (st) on the AD object.
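
The following Python is an added example, not the driver's own policy, of what the multi-to-single conversion above has to do to the input document: it flags every <add-value> on an attribute AD declares SINGLE-VALUE that is not preceded by <remove-all-values/> (the shape that fails with rc 20 once a value exists), and rewrites such a modify-attr into remove-all-values plus a single add-value. The single-valued attribute set is taken from the schema definitions above; the "last value wins" choice is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Attributes the Active Directory schema above declares SINGLE-VALUE (names after
# the schema mapping S->st and L->l has been applied).
AD_SINGLE_VALUED = {"st", "l"}

# The input document from the text, embedded so the example runs offline.
INPUT_DOC = r"""<modify cached-time="20140728110308.012Z" class-name="user" event-id="idv01#20140728110308#4#1:ff02b957-77d2-45a6-fe86-57b902ffd277" qualified-src-dn="dc=net\dc=willekedir\OU=people\OU=Int\uniqueID=tungals1" src-dn="\NWPROD\net\willekedir\people\Int\tungals1" src-entry-id="162887" timestamp="1406545375#9">
  <association state="associated">79fd787a59f8554a843804aa376de0c5</association>
  <modify-attr attr-name="st">
    <add-value>
      <value timestamp="1406545375#8" type="string">OH</value>
    </add-value>
  </modify-attr>
  <modify-attr attr-name="l">
    <add-value>
      <value timestamp="1406545375#9" type="string">DUBLIN</value>
    </add-value>
  </modify-attr>
</modify>"""


def risky_single_valued_adds(xds):
    """Names of single-valued target attributes that this document adds to without
    first clearing; on AD these fail with LDAP_ATTRIBUTE_OR_VALUE_EXISTS (rc 20)
    whenever the object already holds a value."""
    root = ET.fromstring(xds)
    risky = []
    for ma in root.iter("modify-attr"):
        name = ma.get("attr-name")
        if (name in AD_SINGLE_VALUED
                and ma.find("add-value") is not None
                and ma.find("remove-all-values") is None):
            risky.append(name)
    return risky


def convert_multi_to_single(xds):
    """Rewrite each single-valued modify-attr as a replace: <remove-all-values/>
    followed by one <add-value> holding only the last value (assumption: the most
    recent value wins). Attributes that are multi-valued on AD are left untouched."""
    root = ET.fromstring(xds)
    for ma in root.iter("modify-attr"):
        if ma.get("attr-name") not in AD_SINGLE_VALUED:
            continue
        values = [v for add in ma.findall("add-value") for v in add.findall("value")]
        if not values:
            continue                    # a pure removal needs no conversion
        keep = values[-1]
        for child in list(ma):
            ma.remove(child)
        ET.SubElement(ma, "remove-all-values")
        ET.SubElement(ma, "add-value").append(keep)
    return ET.tostring(root, encoding="unicode")


def attr_values(xds, attr_name):
    """Value texts carried for one attribute, in document order."""
    root = ET.fromstring(xds)
    return [v.text for ma in root.iter("modify-attr")
            if ma.get("attr-name") == attr_name for v in ma.iter("value")]


if __name__ == "__main__":
    print("risky before:", risky_single_valued_adds(INPUT_DOC))
    print(convert_multi_to_single(INPUT_DOC))
```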

21-Apr-2013 08:58
Developing a Spring 3 Framework MVC application step by step tutorial#
I have spent hours and hours working on trying to understand and work with Spring.

I have figured out there are some advantages; but, I consider Spring "Fragile".

It was supposed to be, in the beginning, a simpler way than J2EE. I am not sure that is any longer true.

Tutorials#

I have done many of the Tutorials for Spring. At least half of them fail. Usually, they fail due to the complexities of the many dependencies required for Spring to operate.

Generally, Spring hides a lot of these dependencies by using Maven, which when it works is wonderful, but Maven too is still a complex implementation.

Simple Spring Tutorial#

I found this Simple Spring Tutorial that worked and it was helpful. I think the reason it worked was it is Simple. Gets the points of Spring across.

The Simple Spring Tutorial still asks you to go to: "Download the latest version of Spring framework binaries from http://www.springsource.org/download".

They mention they used spring-framework-3.1.0.M2.zip for the Tutorial. Of course, when you go there, the distribution is "spring-framework-3.2.2.RELEASE-dist.zip".

But, you can, if you hunt, find the "spring-framework-3.1.0.M2.zip" files.

This one worked, or at least, I could make it work, with a little effort. The Simple Spring Tutorial was posted on July 15, 2012, which is only 9 months old. I wonder if it will work in 12 months?

Developing a Spring 3 Framework MVC application step by step tutorial#

We got through the simple one, let us try something bigger.

You are instructed to: Download all Spring Framework JAR from here. The current release shown there is "spring-framework-3.2.2.RELEASE-dist.zip".

Then you are instructed these are the "Required Jars :"

  • commons-logging-1.1.1.jar - Well, this is not part of the here., but I knew what he meant. Do you?
  • hsqldb.jar (Used for HSQLDB) - Well, this is not part of the here.. I hunted it down.
  • org.springframework.aop-3.1.1.RELEASE.jar - I found: spring-aop-3.2.2.RELEASE.jar
  • org.springframework.asm-3.1.1.RELEASE.jar - Never did find this in the 3.2.2
  • org.springframework.beans-3.1.1.RELEASE.jar - I found spring-beans-3.2.2.RELEASE.jar
  • org.springframework.context-3.1.1.RELEASE.jar - Found: spring-context-3.2.2.RELEASE.jar
  • org.springframework.core-3.1.1.RELEASE.jar - Found: spring-core-3.2.2.RELEASE.jar
  • org.springframework.expression-3.1.1.RELEASE.jar - Found: spring-expression-3.2.2.RELEASE.jar
  • org.springframework.jdbc-3.1.1.RELEASE.jar - Found: spring-jdbc-3.2.2.RELEASE.jar
  • org.springframework.transaction-3.1.1.RELEASE.jar - Found: spring-tx-3.2.2.RELEASE.jar (Well, it was the only one that looked close)
  • org.springframework.web-3.1.1.RELEASE.jar - Found: spring-web-3.2.2.RELEASE.jar
  • org.springframework.web.servlet-3.1.1.RELEASE.jar - Never did find this in the 3.2.2

So what is a person learning Spring supposed to do? Well, I downloaded the "old" 3.1.1 release. All the jars are present.

Issues with Developing a Spring 3 Framework MVC application step by step tutorial#

I did find a couple of issues with the Developing a Spring 3 Framework MVC application step by step tutorial.

The application does not run. I requested the source code to see if there are typos or ???.

Created the SpringJdbcDao Interface as follows:

package com.dao;

public interface SpringJdbcDao
{
}
For some reason the author implied it was not required "because it doesn’t contain any special code". I guess newbies are supposed to know how to create the file.

In the "JBTJdbcController", the line:

 mfssService.insertMfssMemDts(vngmem);
Should be:
mfssService.insertMemDts(vngmem);

In the dispatcher-servlet.xml file:

http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
Should be:
TBD

In the "SpringJdbcDaoImpl.java" file, the line:

return springJdbcDao.searchMemDts(vngmem);
Shows as an un-implemented method in 'SpringJdbcDaoImpl'.

The Problem#

The fact that an application written a year ago will not run on the current release implies to me there is a problem. With security issues being revealed all the time, there is a demand to upgrade to the "latest" versions. With Spring, this could cause a re-write of the application.

If my premise is true, then I know how this works in a large organization. Instead of being agile, the management of "Fragile" applications, due to fear, puts out the sentiment of "Do not Touch it" unless we have to.

Am I missing Something?#

Let me qualify. I am not a full-time developer. Though I have written a lot of applications, they are not complex enterprise applications that "Developers" work on every day.

But it sure seems to me that Spring has become very complex and now has all the issues of J2EE that it was intended to solve.

Or am I missing something?

29-Jul-2012 08:01
OS X Mountain Lion#
The upgrade appeared to be painless. Well, except for the 4+ hours for the download and installation time.

Things that Did Not Work#

  • Eclipse - See below
  • NeoOffice - Got warning on launching to upgrade. Upgraded to the 3.3 Beta 2 and it launched.
  • Java - REMOVED Java 1.6 from my machine!#@$()*(*@Y$%

Things that Are Still Broken#

  • Time Machine - Still wants to back up when I am using the machine. Still Just Plain Stupid!

Eclipse#

Launching Eclipse reveals "To open “Eclipse.app,” you need a Java SE 6 runtime. Would you like to install one now?" Checking Java reveals:
java -version
java version "1.7.0_04"
Java(TM) SE Runtime Environment (build 1.7.0_04-b21)
Java HotSpot(TM) 64-Bit Server VM (build 23.0-b21, mixed mode)

Check Eclipse for new Downloads and see that Juno (version 4.2) is available. Download the package and launch Eclipse and get the same error.

Found a link which says to accept to install. Not sure I really care about Java 1.6, but may need it and I really do not want to mess with this any longer.

Well, this worked, but now, as expected, my default Java is 1.6.

15-Jul-2012 18:01
Jalbum and Server Mode#
I have been using Jalbum in normal and "server mode" for several years.

We keep our security camera JPGs organized using a combination of bash scripts and Jalbum.

Jalbum Reference#

http://jalbum.net/en/help/manuals/console-mode

You can find the parameters from the command:

java -jar JAlbum.jar -help
jAlbum v10.2.1 started in console mode

Options and their default values:
-characterEncoding 
-ftpForceUTF8 false
-skin Turtle
-excludeByDefault false
-imageLinking LinkScaled
-projectFile 
-directory 
-scalingMethod ScaleMedium
-metaData true
-thumbSize 124x124
-exifUserComment true
-updatedDirsOnly false
-classicReaders false
-cpuCores 8
-copyOriginals true
-thumbnailPrefix 
-urlEncode false
-customImageOrdering 
-ftpServer 
-webPassword 
-closeupPrefix 
-remoteDirectory album
-slides true
-writeUTF8 true
-showInRecentAlbumsList true
-visibleOnProfilePage true
-widgetInjection true
-closeupDirectory slides
-smartUpload 
-outputDirectory album
-skinsDirectory /usr/share/jalbum/skins
-ftpPort 21
-slideDirectory slides
-runTool 
-reverseOrder false
-uploadAll 
-remoteFS info.cqs.remotefs.RemoteFSBean@40110c31
-imageSize 640x480
-hiResDirectory hi-res
-internalVersion 10.2.1
-hardwareScaling false
-pageExtension .html
-subdirs true
-ftpUser 
-useThumbForFolderIcon true
-keepMetaData false
-iptcCaption true
-textEncoding UTF-8
-ignorePattern \..*
-style Black.css
-includeHiResImages true
-accountProfileName 
-includeDirectories true
-qualityPercent 85
-passiveMode true
-pageNamer 
-jpegComment false
-rows 4
-baseDirectory 
-displayVersion 10
-protocol ftp
-makeThumbs true
-albumWidth 560
-dateFormat 
-imageBackgroundColor #ffffff
-suppressIEWarnings true
-textFileComment true
-resourceDirectory res
-exifImageDescription false
-thumbnailDirectory thumbs
-readXmp true
-mediaRSS true
-albumHeight 420
-sharpenPercent 25
-highQualityThumbs true
-indexPageName index
-excludeBacklinks false
-connected false
-myjalbum false
-programDirectory /usr/share/jalbum
-highThumbnailCompressionQuality false
-superimposeFilmIcon true
-directoriesFirst true
-includePattern 
-skinProperties 
-imageOrdering OrderByDate
-titleSource IPTCObjectName
-cols 6
-notifyFollowers true
-ftpPassword 
-progressiveMode false
-user.<your variable> <value>
Required arguments are -directory and (-outputDirectory or -sameDirectory)
Elapsed time: 0.316s
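As an added example, not from this blog or from the jAlbum project, here is a POSIX shell helper of the kind a wrapper script around console mode could use: it parses the "Options and their default values" section of the -help output (a constructed excerpt of the listing above is embedded), enforces the "Required arguments" rule the help text states, and flags -ftpPassword / -webPassword being passed on the command line, where any local user can read them from the process list.

```shell
#!/bin/sh
# Added example (not jAlbum's or the blog author's code): parse the
# "Options and their default values" section of `java -jar JAlbum.jar -help`.

# Constructed excerpt of the -help output; the real listing is much longer.
JALBUM_HELP='jAlbum v10.2.1 started in console mode

Options and their default values:
-skin Turtle
-projectFile 
-directory 
-outputDirectory album
-ftpPassword 
-imageOrdering OrderByDate
Required arguments are -directory and (-outputDirectory or -sameDirectory)
Elapsed time: 0.316s'

# Emit "name<TAB>default" for each option line; default is empty when unset.
jalbum_option_defaults() {
    printf '%s\n' "$JALBUM_HELP" | awk '
        /^Options and their default values:/ { in_opts = 1; next }
        /^Required arguments/ { in_opts = 0 }
        in_opts && /^-/ {
            name = substr($1, 2)                     # drop the leading "-"
            def  = (NF > 1) ? substr($0, length($1) + 2) : ""
            printf "%s\t%s\n", name, def
        }'
}

# Look up one option's default, e.g. `jalbum_default skin` -> Turtle
jalbum_default() {
    jalbum_option_defaults | awk -F'\t' -v n="$1" '$1 == n { print $2; exit }'
}

# Return 0 only if the argument list satisfies the rule printed by -help:
# -directory plus either -outputDirectory or -sameDirectory.
jalbum_check_args() {
    has_dir=0; has_out=0
    for a in "$@"; do
        case "$a" in
            -directory) has_dir=1 ;;
            -outputDirectory|-sameDirectory) has_out=1 ;;
        esac
    done
    [ "$has_dir" -eq 1 ] && [ "$has_out" -eq 1 ]
}

# Return 0 if a password option is on the command line (visible via ps).
jalbum_has_cli_secret() {
    for a in "$@"; do
        case "$a" in -ftpPassword|-webPassword) return 0 ;; esac
    done
    return 1
}
```

A wrapper can call jalbum_check_args "$@" before exec'ing `java -jar JAlbum.jar "$@"` and refuse to run, or at least log, when jalbum_has_cli_secret "$@" succeeds.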
15-Jul-2012 10:22
2012-07-15#
Just some notes on today.