Monday, May 12, 2008

Back-to-myMac brings the Mac Back

An interesting story coming out of White Plains, NY tells of a woman whose apartment was burglarized, with close to $5,000 of electronics stolen including a couple of Apple laptops, and how she was able to help catch the culprits as well as get her stuff back.

The thief apparently was using the computer and one of the victim's friends (who knew her laptop was stolen) noticed a few days later that she was logged in (presumably on some instant messenger) and called her.

The woman was able to use Apple's "Back To My Mac" application on another computer to get control of her stolen laptop and activated the camera in the laptop, taking pictures of the thief. A quick review with her friends and they figured out that the guy was a friend of a friend of one of her roommates who had been at the apartment a few weeks before.

A quick call to the police and they arrested the thieves as well as getting back most of the stolen electronics.

I'm guessing that she's happy she wasn't one of those self-conscious users who tape over the camera to keep something like this from happening, and I'm not at all worried about the thief's privacy violation. Of course, the chances of other thieves really being this stupid, making use of a stolen computer without wiping it clean, are probably pretty low, so I'm not sure how often this kind of thing can happen (but you know they still do give out the annual Darwin awards).


Thursday, May 01, 2008

I've been cleared

I've joined the US's Registered Traveler Program. Clear (a subsidiary of Verified Identity Pass Inc.) operates the local facility here at Dulles, so I joined their network.

In exchange for submitting to (and paying for) a background investigation and biometric authentication (fingerprint in my case; though they also had iris scanners there, it wouldn't work on me) you get to have a very short security line -- though you still go through the same "take-off-your-shoes" security process. They seem to be working on getting some form of scanner approved for scanning shoes while they are still on your feet, but recently it did not pass the TSA testing that was done.

The cost of the program from Clear is $128 (at least for the first year -- they weren't clear on what subsequent years will cost). $28 of that goes to the TSA for the background investigation and the rest to Clear (of which, I'm sure, a portion goes to the airport). You can extend that by a year when you use a discount code (and the party who gave you the discount code also gets a year -- so there's something in it for everyone). My discount code, if you're interested in getting a free month added to your subscription, is: DSCAM1142273 - use it to your heart's content.

One might ask why I would join the program given that I was already a United 1K member and able to use the premium passenger lines at Dulles. There were several reasons including:

  • The premium lines are only available when you are a premium member on the flight you are leaving Dulles on. I have seen the staff turn away United premium members when they were booked on some other airline where they did not have status.
  • Even with the premium lines, you can still get stuck in a slow line (I have waited as long as a half hour in the line) and if I'm tight for a flight, that can be too long.
  • The program is available at other airports (though I'm not sure if I'm only able to use it at Clear supported airports or any registered traveler airport) and in particular, San Jose Airport -- which has no premium lines and where the line for early morning flights can be crazy long -- is one of the Clear supported airports.
  • I travel often enough that the time savings, even if small, is worth it (in my opinion).

Of course, about 2 weeks after signing up (and paying), I received an email from Marriott (where I am a Platinum member, of course) with the following offer:

So, after I signed up I found out I could have gotten it for free. I called them expecting to get the "Gosh, I'm sorry, but it's too late now" and was pleasantly surprised to hear "No problem sir, we'll just extend you another year". Good deal!

You might be wondering what I think now that I'm a member. I've used it on 5 of my last 8 flights (Portland International Airport does not yet participate in the Registered Traveler program, nor is it available at foreign airports). In Dulles it's down with the employee security line and it works great -- in fact, the people from Clear are almost too helpful (trying to help gather things ready to go through security). I've timed it against another person who was going through the premium security line and I was about 10 minutes faster than they were, at a time when the lines were short. In San Francisco the Clear area opens at the front end of the regular security line, emptying directly into the x-ray scanners (so, essentially, you jump to the front of the line).

One thing on the negative side, if you're traveling with people, you can't bring them with you, so either you have to go through the regular lines, or you have to split up. That already happened to me when I was traveling with George on our way to the European Identity Conference in Munich -- that's how I figured out that there was a 10 minute difference (it was an experiment!). Not sure what I'm going to do when I am traveling with my family to England & Ireland this summer -- I don't think my wife will be as easy going about it as George was :-).

All in all, I'm a happy customer... And remember, if you want to sign up, use the discount code "DSCAM1142273" so we both can get a free month :-).


Monday, February 18, 2008

Updated Liberty Open Source

I've updated my Liberty ID-WSF Open Source Toolkits again. This time to reflect the minor changes made in the Advanced Client specifications as they were finalized within the Alliance.

For those of you who aren't familiar with this code, I have two toolkits available -- a C++ client and an Axis1/Java Server -- which implement the Liberty ID-WSF protocols (both the basic framework and substantial portions of several services).

This new release of the toolkit does not add new functionality -- it only brings the code up to match the final specifications.

Have fun!


Saturday, February 16, 2008

What's wrong with this picture?

I went to log in to my Discover card account to review my account activity (something I try to do on a regular basis). Using a bookmark (to make sure I don't accidentally enter a typo that gets me to a hacker's site -- plus I'm lazy and a single click is easier than typing in the URL), I get to the web site and I notice something that isn't right (in my opinion). Take a look at the picture below and tell me if you see it before reading past it.

Look at the URL. It's non-SSL (http: vs https:). When I noticed that, I figured that somehow my bookmark was messed up, but looking at the bookmark, it does specify https:. What happens is that Discover is redirecting you from the SSL endpoint to the non-SSL endpoint. This happens with IE and with Mozilla whether directly connected or through a proxy server, so it's clearly something done on the server and not a side effect of the client.

That wouldn't be all that bad if Discover just had a link on the home page directing me to a login page that was SSL protected. That isn't the case. The home page prompts for the user's credentials. Now the technical people out there might say that the data from the login form is probably submitted via an SSL endpoint so the data is protected. However, without looking at the source code, the user can't know that.

In addition, since the URL itself isn't protected, the user (me in this case) doesn't have any way to know that they are actually talking to Discover. This could be a MITM phishing site.

So, if you do go to Discover's site to view your account, I suggest that you select the login link in the upper right corner before you enter your credentials. This will bring you to an SSL protected page where you can verify that the host you are talking to is discovercard.com and not some MITM.
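As an added illustration (not part of the original post), the two checks above can be automated: detect an https-to-http redirect in a response chain, and flag a credential form that is shown on, or posts from, a page that is not TLS protected. The host name and HTML below are constructed samples, not Discover's real pages.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: (requested URL, status, Location header) as a
# bookmark to the https: endpoint would see it.
SAMPLE_REDIRECT_CHAIN = [
    ("https://www.example-bank.test/", 302, "http://www.example-bank.test/"),
    ("http://www.example-bank.test/", 200, None),
]

# Constructed sample home page: a login form whose action is https, but
# the page itself arrived over plain http.
SAMPLE_HOME_PAGE = """<html><body>
<form action="https://www.example-bank.test/login" method="post">
  <input name="userid"><input type="password" name="password">
</form>
<a href="/secure/login">Log in</a></body></html>"""

REDIRECT_STATUSES = (301, 302, 303, 307, 308)

def find_tls_downgrade(chain):
    """Return the first (from, to) hop where an https URL redirects to http, else None."""
    for url, status, location in chain:
        if status in REDIRECT_STATUSES and location:
            target = urljoin(url, location)
            if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
                return (url, target)
    return None

class _FormScanner(HTMLParser):
    """Collects (resolved action URL, has_password_field) for every form on the page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = [urljoin(self.page_url, a.get("action") or ""), False]
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("type") == "password":
            self._current[1] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_login_page(page_url, html):
    """Return a list of findings for a page that presents a credential form."""
    scanner = _FormScanner(page_url)
    scanner.feed(html)
    findings = []
    if urlsplit(page_url).scheme != "https":
        findings.append("page served without TLS: user cannot verify the host")
    for action, has_password in scanner.forms:
        if has_password and urlsplit(action).scheme != "https":
            findings.append(f"password form posts in the clear to {action}")
    return findings
```

With the sample data, the home page gets only the "served without TLS" finding, which is exactly the point: the form may well post over SSL, but the user has no way to tell.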


Monday, November 19, 2007

Time Machine

One of the current "joke" emails flooding the internet is an email showing pictures from a 1977 JC Penney catalog. Given that the email referred to "blog fodder" I decided to search around and I've found the original post. Definitely worthy of a read.

Strap In, Shut up and hold on -- we're going back.

If you remember this stuff... If you wore this stuff... I'd suggest that you not share those identity attributes -- unless you don't mind being the butt end of many jokes for the rest of your life.


Thursday, November 15, 2007

Anti-gullibility training

I've always felt that one of the most important tasks for a parent is to teach their kids to not be gullible. I routinely work on such training with my kids. In fact, the other day I was way into the story about how Los Angeles schools, while not getting many snow days, do get closed for bad hair days. Unfortunately, while my daughter was well into the "really?" stage, my wife piped up with "They do not!", cutting me off at the knees.

Nothing is a better example of the importance of such training than the comment in response to Paul's revealing post about Microsoft's Identity Assistants.

So parents, take this as a warning. Train your kids in anti-gullibility before they make a fool of themselves publicly.


Wednesday, November 07, 2007

Madsen's Lemmas (or is it Lemmi)

Paul writes about attributes and how they won't be trusted when self-asserted if the value of the attribute is used to distinguish levels of service:

In the context of any given application, a Relying Party will be unwilling to accept a self-asserted identity attribute without verification if there exists the possibility of differentiated advantage to the user in claiming one value for that attribute over another.
And follows with the corollary:
For any given identity attribute, there exists an application context in which there can be differentiated advantage to the user in claiming one value for that attribute over another.

Combining the two would make one think that Paul is arguing that self asserted identity attributes will never be accepted, but I'm pretty sure he didn't mean that.

In any case, I think there's another side to this puzzle: self-asserted attributes can be accepted and used when the result makes it useless for the user to lie about them. If I order something with Paul's credit card, name, address and phone number, it generally will be accepted, the transaction will complete, and the vendor will ship the product -- it will just end up at Paul's house rather than mine, so I won't benefit from it (but I bet Paul was surprised when those enlargement pills showed up :-)).

So I would write the lemma more along the lines of:

There exists some set of cases where a Relying Party provides such differentiated levels of service that it will require third-party attestation and/or confirmation of attributes in order to enable access to those differentiated levels of service.

PS. Paul, if you need to fake your IP address to make it look like you're coming from the US, let me know... I can give you access to my proxy server (without, of course, any guarantees as to snooping on the traffic :-)).
