Tuesday, March 27, 2007

OpenID - Maybe not so crazy

Quite a while ago I read a paragraph about OpenID. My initial reaction was something like "no way". However, I was recently encouraged by a colleague to have another look.

I must say that my initial reaction ("no way") was shaped primarily by reading "What is OpenID?" on the official OpenID website, coupled with a significant amount of personal experience with, and interest in, information security systems. So when I saw the terms "Single Sign On (SSO)", "authentication" and "identity" used to describe OpenID, I immediately thought that this solution was being proposed as a means of establishing a high degree of trust. Seen that way, the fact that OpenID is based on a completely decentralized authentication architecture just didn't add up.

While looking at OpenID this time, I actually went through and tried to establish the worthiness of OpenID as it is being used today, which is not, from what I've gathered, a mechanism to establish trust. The idea of using the criteria discussed in Bruce Schneier's book "Beyond Fear" came to mind, but I didn't feel that the five questions he uses when evaluating a security solution were completely appropriate when applied to OpenID as it is being implemented today:

What are you protecting?
What are the risks associated with what you are protecting?
How well does the solution address the risks?
What risks are introduced by the solution?
What costs/trade-offs are associated with the solution?

To establish the worthiness of OpenID in my mind, I answered the following questions:

What problem does OpenID solve?
Establishing an identity on multiple Internet-based services and all the associated issues (control of personal information, inconvenience of providing credentials, potential loss of password discipline)

How well does this solution address the problem?
OpenID does address the issues associated with having identity-related information stored on multiple services.

What risks are introduced by OpenID?
The risk of phishing attacks increases with this model, but when using MyOpenID as your credential provider you can set a personal icon and enable a feature called SafeSignIn, which together reduce the risk of phishing to an acceptable level (for me). Another risk is trusting this decentralized credential provider with any information that you provide. For instance, MyOpenID "promises" to honor your privacy.

What are the costs associated with OpenID?
From the perspective of the OpenID end user, there is no money involved. The software to run an OpenID server or relying party is free of charge as well. However, although the software is free to the developer, from what I understand implementing or integrating an OpenID server or service is not trivial.

You'll notice that I've rephrased the criteria to establish the worthiness of OpenID as a general system rather than as a security-focused system. This, as I mentioned before, is because I am evaluating how OpenID is being used today. OpenID does not seem to be used to protect assets of significant value, and therefore trust is not a big concern. Having said that, I do believe that this framework could be applied today within an organization to establish a lesser degree of trust than is made available through more centralized and costly approaches (e.g. PKI, Federated Identity, domain-based schemes). Along these lines, this framework could potentially be used as another type of centralized scheme. These scenarios would go against the "open" in OpenID; if that meets your needs, fine.

As OpenID matures the framework is expected to support the establishment of varying degrees of trust based on the sorts of credential providers that become available. It will be interesting to see the level of trust people will accept in an online environment using a completely decentralized security mechanism, as well as the exploits. It will also be interesting to see which service providers are willing to give up collecting phone numbers, street addresses, and so on, of consumers.

OpenID solves a common problem with little cost or risk involved. As a service provider, if you would benefit from providing an SSO environment to your consumers, and the value of your online assets is in line with the level of trust (low) established with OpenID, then I would suggest that using OpenID is not such a crazy idea.

What I like about Shmoo

Shmoocon is the East Coast's DEFCON. It is a conference where haxors and various other security players present their clever findings to a melting pot of enthusiasts hungry for wizardry. A couple of colleagues and I just returned from Shmoocon 2007, which took place this past weekend at the Wardman Park Marriott in Washington D.C., and felt that it was time and money ($150) well spent. It is my understanding that the lone objective of Shmoocon is to build the security community, and that any money left over after paying the bills goes to the Electronic Frontier Foundation (EFF) and perhaps other charities.

This was the 3rd annual Shmoocon, but the first one for me. I actually heard of this conference for the first time last year while at DEFCON. Word of mouth seems to be a good enough way to market this con. I understand that the first con had about 300 people, but the last one and the one this year sold out. I would estimate the attendance to have been around 1000 to 1200 people. To land the tickets, I stayed up late and purchased them online (while celebrating the New Year) as soon as a block of tickets was released on January 1st; I had missed out on a previously released block.

Enough background. If you're still reading this, you're probably wondering "what does he like about Shmoocon?" I'll break it down in the terms Shmoocon uses to describe itself: different, affordable and entertaining. This conference is not that different from DEFCON in concept, but far from what I think you would call normal if all you've been exposed to is FOSE or RSA, or some other multi-megacorp sponsored event; no suits; I liked that. This con keeps it real.

It is different in content as well. The three tracks (Build it!, Break it!, Bring it on!) covered topics ranging from physical security to security ethics; from hacking the airwaves to hacking disposable cameras; from entropy-based analysis of encrypted protocols to discussions like "Standard Bodies - What are these Guys Drinking?". To help solidify the essence of this conference, I'll share a stream of tools, comments and thoughts, in no particular order, that registered with me while in attendance:

network access controls fostering a false sense of security - PCB Express - embedded web servers the size of an RJ45 coupler, soon to be wireless - hard drive dissection - MHDD and Victoria - increased use of VMware in the community - lots of security-related design flaws among Windows Mobile applications - SIPinator is cool - OpenWRT - SRTP - fwsnort - Bleeding Snort - iptables - PSAD - Netcat - Honeynet scan challenge - defense-in-depth - content filters less effective as more traffic is encrypted - statistical analysis of encrypted traffic - PISA - these Shmoocon bags do make great six-pack coolers!

As you may have gathered, you can walk away with a sense of knowing a bit better where things stand in the security community, untethered from share-holder equity.

As far as affordable goes, we paid $150 to get in. Some pay less, some pay more; it has to do with how they make the tickets available. The bottom line is that it is a huge bargain, especially if you happen to live in the D.C. metro area. We didn't stay at the Wardman Park Marriott, but it is a great place to operate out of on the first weekend of Spring.

Entertaining? Yes it was; a combination of hanging out at Times Square (closer to 42nd Street) and Oktoberfest (did I mention that the Shmoocon bags could hold a six-pack?). I loved that everyone seemed to have such varying personalities and backgrounds (punk to CSO), but all were there with the common goals of soaking up some leet wisdom and insight, and having a good time.

Thanks Shmoocon. Well done!