The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.
SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.
Phishing has always been completely avoidable
SSO without strong auth is and always will be simply nuts
SAML gets it right
James McGovern asks why we don't see enterprisey folks focusing on SOA *and* security. There are a lot of reasons, but let's look at some facts. Most enterprisey folks look at security in binary terms: inside the firewall or outside the firewall. When a transaction is "inside the firewall" they can do silly things like load all their transactions onto something like MQ Series with no authentication, send them to the mainframe that runs their entire book of business, and in essence run their transactional backbone on anonymous FTP. Because it's "inside the firewall".
Just saw the Hunter S. Thompson movie, Gonzo, and if you are a fan you should too. Lots of good stuff in there; the film links various parts of his life and career, and gives a pretty unvarnished view of the high highs and the low lows. Weaves in writing, politics, and fame seamlessly. I have never really had as much fun as early on in my career: in the early-mid 90s I was a web programmer in Aspen, hacking CGI/PERL. Among the most fun things was building and running HST's site. My boss, Ed, was his neighbor. Ed was also seriously allergic to bees. One day he was alone in his house and got stung. He was dying. Luckily Hunter was due over to his house to watch a basketball game, walked in and called 911. My boss woke up in the ambulance with Hunter pounding on his chest and screaming at him. Ed said, "Waking up to that face screaming at me, I didn't know if I was alive or dead." Seeing the movie it was also great to see a lot of the Woody Creek folks again, like George Stranahan, who lovingly said about Hunter, "my friend and neighbor who never paid his rent, broke up my marriage and taught my children to smoke dope." Of course, there was no way he could match his early productivity, and this is true of almost all artists. Most of the last two decades were wasted from a writing standpoint. However, his piece written on 9/11 is as good as it gets:
The towers are gone now, reduced to bloody rubble, along with all hopes for Peace in Our Time, in the United States or any other country. Make no mistake about it: We are At War now -- with somebody -- and we will stay At War with that mysterious Enemy for the rest of our lives.
It will be a Religious War, a sort of Christian Jihad, fueled by religious hatred and led by merciless fanatics on both sides. It will be guerilla warfare on a global scale, with no front lines and no identifiable enemy. Osama bin Laden may be a primitive "figurehead" -- or even dead, for all we know -- but whoever put those All-American jet planes loaded with All-American fuel into the Twin Towers and the Pentagon did it with chilling precision and accuracy. The second one was a dead-on bullseye. Straight into the middle of the skyscraper.
Nothing -- even George Bush's $350 billion "Star Wars" missile defense system -- could have prevented Tuesday's attack, and it cost next to nothing to pull off. Fewer than 20 unarmed Suicide soldiers from some apparently primitive country somewhere on the other side of the world took out the World Trade Center and half the Pentagon with three quick and costless strikes on one day. The efficiency of it was terrifying.
We are going to punish somebody for this attack, but just who or what will be blown to smithereens for it is hard to say. Maybe Afghanistan, maybe Pakistan or Iraq, or possibly all three at once. Who knows? Not even the Generals in what remains of the Pentagon or the New York papers calling for WAR seem to know who did it or where to look for them.
This is going to be a very expensive war, and Victory is not guaranteed -- for anyone, and certainly not for anyone as baffled as George W. Bush. All he knows is that his father started the war a long time ago, and that he, the goofy child-President, has been chosen by Fate and the global Oil industry to finish it Now. He will declare a National Security Emergency and clamp down Hard on Everybody, no matter where they live or why. If the guilty won't hold up their hands and confess, he and the Generals will ferret them out by force.
Good luck. He is in for a profoundly difficult job -- armed as he is with no credible Military Intelligence, no witnesses and only the ghost of Bin Laden to blame for the tragedy.
One unintended lesson I take away from Hunter's life is how important patience is. Obama is a politician and may yet disappoint us all, but I gotta believe Hunter would be seriously impressed. If he had waited another couple of years, he may have seen a lot of the stuff he fought for in 1968 and '72 come to fruition. Sometimes you are just 36-40 years ahead of your time and you have to be OK with that and figure out how to deal if possible. (Note: it sure sometimes feels this way in software security.) Speaking of security:
by Hunter S. Thompson (1955).
Security ... what does this word mean in relation to life as we know it today? For the most part, it means safety and freedom from worry. It is said to be the end that all men strive for; but is security a utopian goal or is it another word for rut?
Let us visualize the secure man; and by this term, I mean a man who has settled for financial and personal security for his goal in life. In general, he is a man who has pushed ambition and initiative aside and settled down, so to speak, in a boring, but safe and comfortable rut for the rest of his life. His future is but an extension of his present, and he accepts it as such with a complacent shrug of his shoulders. His ideas and ideals are those of society in general and he is accepted as a respectable, but average and prosaic man. But is he a man? Has he any self-respect or pride in himself? How could he, when he has risked nothing and gained nothing? What does he think when he sees his youthful dreams of adventure, accomplishment, travel and romance buried under the cloak of conformity? How does he feel when he realizes that he has barely tasted the meal of life; when he sees the prison he has made for himself in pursuit of the almighty dollar? If he thinks this is all well and good, fine, but think of the tragedy of a man who has sacrificed his freedom on the altar of security, and wishes he could turn back the hands of time. A man is to be pitied who lacked the courage to accept the challenge of freedom and depart from the cushion of security and see life as it is instead of living it second-hand. Life has by-passed this man and he has watched from a secure place, afraid to seek anything better. What has he done except to sit and wait for the tomorrow which never comes?
Turn back the pages of history and see the men who have shaped the destiny of the world. Security was never theirs, but they lived rather than existed. Where would the world be if all men had sought security and not taken risks or gambled with their lives on the chance that, if they won, life would be different and richer? It is from the bystanders (who are in the vast majority) that we receive the propaganda that life is not worth living, that life is drudgery, that the ambitions of youth must be laid aside for a life which is but a painful wait for death. These are the ones who squeeze what excitement they can from life out of the imaginations and experiences of others through books and movies. These are the insignificant and forgotten men who preach conformity because it is all they know. These are the men who dream at night of what could have been, but who wake at dawn to take their places at the now-familiar rut and to merely exist through another day. For them, the romance of life is long dead and they are forced to go through the years on a treadmill, cursing their existence, yet afraid to die because of the unknown which faces them after death. They lacked the only true courage: the kind which enables men to face the unknown regardless of the consequences.
As an afterthought, it seems hardly proper to write of life without once mentioning happiness; so we shall let the reader answer this question for himself: who is the happier man, he who has braved the storm of life and lived or he who has stayed securely on shore and merely existed?
A ship is safest at port, but that's not why we build ships.
iang surveyed the events that conspired to produce our present ever-mounting economic problems. Interestingly enough, Charlie Munger identified much the same themes (not all the particulars) way back in Wesco Financial's 1990 letter:
Granting the presence of perverse incentives, what are the operating mechanics that cause widespread bad loans (where the higher interest rates do not adequately cover increased risk of loss) under our present system? After all, the bad lending, while it has a surface plausibility to bankers under cost pressure, is, by definition, not rational, at least for the lending banks and the wider civilization. How then does bad lending occur so often?
It occurs (partly) because there are predictable irrationalities among people as social animals. It is now pretty clear (in experimental social psychology) that people on the horns of a dilemma, which is where our system has placed our bankers, are extra likely to react unwisely to the example of other peoples' conduct, now widely called "social proof". So, once some banker has apparently (but not really) solved his cost-pressure problem by unwise lending, a considerable amount of imitative "crowd folly", relying on the "social proof", is the natural consequence. Additional massive irrational lending is caused by "reinforcement" of foolish behavior, caused by unwise accounting convention in a manner discussed later in this letter. It is hard to be wise when the messages which drive you are wrong messages provided by a mal-designed system.
In chemistry, if you mix items that explode in combination, you always get in trouble until you learn not to allow the mixture. So also, in the American banking system.
So Munger identified this volatile combination at least 17 years ago. In the same letter Warren Buffett added:
A few small sections of Mr. Munger's letter have been excluded: When Berkshire's report exceeds 72 pages, we have problems in binding it. Because of this limitation, either Charlie's letter or mine had to be cut and I decided a coin flip was appropriate. In fact - as things turned out - I finally decided nine flips were appropriate. -- W.E.B.
"Could things possibly get worse? I don't know, but I am an optimist -- so I certainly hope things do get worse. Nothing else should satisfy an intelligent investor."
Nor was one of the leading Web 2.0 experts, Clay Shirky, reassured either, writing at Open House Project: “They can enforce it the way we enforce parking rules, which is to miss most violations, and then bring in draconian enforcement of enough violations to have a chilling effect. This will also allow the Rules Committee to wield enforcement selectively as a stick.” Representative Capuano, who has described the internet as “a necessary evil,” would be one of the enforcers and he is part of a larger Democratic House leadership whose speaker, Nancy Pelosi, also supports a revival of the long-defunct “Fairness Doctrine” that made it unprofitable for broadcast networks to permit robust political expression on air.
Looks like a good diversion from normal critical DC wealth-destroying activities, and from the baseball steroid and NFL team filming practices investigations.
More ominous still would be the precedent of the U.S. government designating “official” external websites — imagine having the power to select “official” newspapers — that would have to hew to House regulations and be as free as possible from political or commercial advertising. Given the ubiquity of blogads, most blogs, bulletin boards, and discussion forums would be shut out of the conversation with our nation’s elected officials. Essentially, Capuano is demanding that the internet adapt itself to the House of Representatives instead of the House adapting to the reality of the internet.
Arnon cites his paper, which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4, "the network is secure." These are common mistakes people make when building distributed apps. Arnon blogged this:
This is a great way to think about the problem, and as Arnon says it's not just an issue with SOA security, it's a pervasive issue. If you think REST+SSL is a security architecture, then you should consider what threats you are choosing *not* to deal with.
In my opinion, assuming the network is secure for an SOA is not only naïve but negligence pure and simple. The whole premise of moving an organization to SOA is connectedness and integration. So, unless your SOA will fail it will be connected to other systems. Whether you are building RESTful systems, WS-* SOAs, EDAs or any combination of these architectural styles, if you won’t treat the services boundary as a border and secure it – you will be sorry…
Security in SOA should be considered at the "grand-scheme" level with issues like authentication, authorization but also at the single service level, looking at issues like DDOS, SQL injection, elevation of privilege and what not. A trivial thing like exposing a transaction beyond service boundaries can translate to an attacker denying services in your system simply by locking out your database. Again, this is just a simple example.
The other thing about Security is that you have to consider it early. Patching security "later on" can have devastating effects on a system's capabilities, esp. in areas related to performance. I have seen even military systems that had to go through serious rework, just because Security was added as an afterthought instead of handled early on.
On Monday I did a talk on Web Services security at the MSP OWASP. The talk was OK, but not as good as at RSA, because Brian Chess did a better job with some of the stories than I did. What was really good, though, was a number of questions and answers afterwards.
Good story to keep in mind for those of you working on CBAC. Claims need protection and verification. Why steal an identity when you can capture a claim? (hattip: askelizabeth)
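The two points above, treating the service boundary as a border rather than assuming the network is secure, and protecting and verifying claims instead of believing whatever arrives, come together in the check a relying service runs before acting on a claim. The Python below is an added illustration, not code from the original post or from Arnon's paper; the token format, the shared HMAC key and the service names are constructed stand-ins for the signed assertion a SAML IdP would issue.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key shared by the issuer (SSO/STS) and the relying service;
# in a SAML deployment the IdP's signing certificate plays this role.
ISSUER_KEY = b"constructed-demo-key-not-for-production"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _encode(claims: dict) -> bytes:
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()

def issue_claim(subject, audience, roles, ttl=300, now=None):
    """Issuer side: mint a claim set for `subject`, scoped to one audience
    and a short lifetime, and sign it. The downstream service never sees
    the user's password, only this signed claim."""
    now = int(time.time() if now is None else now)
    body = _encode({"sub": subject, "aud": audience, "roles": roles,
                    "iat": now, "exp": now + ttl})
    return _b64(body) + "." + _b64(hmac.new(ISSUER_KEY, body, hashlib.sha256).digest())

def verify_claim(token, expected_audience, now=None):
    """Service side: the check at the service boundary. Returns the claims
    or raises ValueError; nothing is trusted just because it arrived."""
    now = time.time() if now is None else now
    body_b64, sig_b64 = token.split(".")          # ValueError if malformed
    body, sig = _unb64(body_b64), _unb64(sig_b64)
    expected = hmac.new(ISSUER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time compare
        raise ValueError("signature mismatch: claim altered or not from our issuer")
    claims = json.loads(body)
    if claims.get("aud") != expected_audience:
        raise ValueError("claim was issued for a different service")
    if claims.get("exp", 0) <= now:
        raise ValueError("claim expired")
    return claims

def trust_claim_unverified(token):
    """The 'inside the firewall' anti-pattern: decode and believe the claims."""
    return json.loads(_unb64(token.split(".")[0]))

def alter_roles(token, roles):
    """Constructed for the test only: rewrite the roles claim but keep the
    original signature, so the two checkers above can be compared."""
    body_b64, sig_b64 = token.split(".")
    claims = json.loads(_unb64(body_b64))
    claims["roles"] = roles
    return _b64(_encode(claims)) + "." + sig_b64
```

The audience check is what stops a claim captured from one service being replayed at another, and the expiry bounds how long a captured claim stays useful; both are checks a signature alone does not give you.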
The Russian mob comes to town with a new scam—medical identity theft.
When FBI special agent Ted Price peered through the window of a dingy brick storefront on Southwest Morrison Street in March, it was what he didn’t see that caught his attention.
The business, called UnimedCorner, claimed to provide ailing seniors with orthotics—braces and other devices to correct foot, joint and back problems.
Price and other federal investigators were skeptical.
On Unimed’s showroom floor, Price saw wheelchairs, motorized scooters, a variety of canes and, on the walls, a selection of amateurish paintings and framed photographs. There was no evidence, however, of the kinds of equipment for which Unimed had billed Medicare nearly $2 million in the previous couple of months.
“I observed wheelchairs and canes through the window but did not see any orthotics in the store,” Price later wrote in a search-warrant affidavit. “It is a sign of fraud that the store is not stocking the items [for which] it is billing.”
By the time Price arrived on the scene, the company’s owner, a shadowy Russian immigrant named Alexandr Shcherbakov, was long gone.
Today, Shcherbakov’s store sits undisturbed. The message light on the phone blinks, dead potted plants droop and a stuffed toy monkey slumps in a glass display case.
And behind the cash register hangs a framed poster of television’s best-known mobsters, the Sopranos.
From interviews and information presented in federal affidavits, it is clear Shcherbakov moved to Oregon to commit a crime elegant and lucrative enough to make Tony Soprano envious: medical identity theft.
“Medical identity theft is the new frontier for organized crime,” says Alex Johnson, a former FBI agent who investigates fraud for Regence BlueShield. “Pretty much anybody can set up a mom-and-pop operation and start cranking out claims.”
Someday, most Americans will need a cane, wheelchair, home hospital bed or another of the items healthcare professionals call “durable medical equipment,” or DME.
For those over 64 and without private insurance, there’s a good chance federally funded Medicare will pick up the tab for that equipment. Last year, according to federal statistics, Medicare spent $8.6 billion on DME.
Here’s the way the system is supposed to work: A doctor prescribes a device such as a wheelchair for a patient, who presents his prescription to a DME supplier. The supplier provides the equipment and bills Medicare, which typically pays 80 percent of the cost. Unlike pharmacists, who fill prescriptions under strict scrutiny of state and federal watchdogs, DME suppliers are lightly regulated. “DME is very vulnerable to fraud,” says Consuelo Woodhead, the chief healthcare fraud prosecutor for the U.S. Attorney’s Office in Los Angeles. “It doesn’t require any background in medicine, any kind of professional licensure or appreciable capital.
There are barriers of entry in other medical fields, but not in DME.” To operate, DME suppliers simply need a place of business, a business license and liability insurance. Unlike pharmacists, DME suppliers operate under an honor system: The feds count on them to supply the equipment they claim to provide to the beneficiaries who need it.
That honor system is not working.
The epicenter of DME fraud, according to the federal Department of Health and Human Services, is South Florida, where Medicare billing for DME quadrupled from 2002 to 2006 to $1.7 billion. Investigators found much of that increase was due to fraud. In 2006, federal inspectors revoked the licenses of 634 DME suppliers in South Florida, nearly half the DME dealers in the region.
Later the same year, raids in Southern California yielded similar results: The feds shut down 95 DME suppliers. Many of the DME suppliers shut down around Los Angeles were run by immigrants from the former Soviet Union. It’s probably no coincidence that when the feds raided Los Angeles DME suppliers, some Angelenos fled to cities where there was less scrutiny—such as Portland.