Friday, November 30, 2007

Why does Facebook want my Date of Birth?

This is a common problem with all internet websites: they want to know my date of birth, either to ensure that I am over 18 or so that other folks can wish me on my birthday.

How can I be sure that their database is not compromised? Just because I get a lengthy privacy safeguard letter or URL from Facebook, Orkut and other websites does not mean that I can feel SAFE.

Take a look at my blog entry for a detailed look at the psychological, social and privacy related issues with Online Social Networking sites.

Basically, what Facebook is trying to do is comply with COPPA (Children's Online Privacy Protection Act) by checking that you are at least 13 years of age, and in addition tell your friends about your birthday. By default, the birthday is public in your profile (which is another screwed up default).

I think the following would have sufficed and been better:
a) "Is your age 13 years or above?"
b) Please give us your date and month of birth.

DO NOT FORGET TO TURN OFF DATE OF BIRTH VISIBILITY IN YOUR PROFILE.

Dangers of Facebook in a corporate environment: http://anil-identity.blogspot.com/2008/11/facebook-and-corporate-users.html

Wednesday, November 28, 2007

The story of OpenDS and the departing Neil Wilson

Some of you may know about Sun's open source, Java-based directory server called "OpenDS".

To quote from their web page:
OpenDS is an open source community project building a free and comprehensive next generation directory service. OpenDS is designed to address large deployments, to provide high performance, to be highly extensible, and to be easy to deploy, manage and monitor.


Why was I interested in OpenDS?
The reason I was interested in OpenDS was that at JBoss, we needed an all-Java LDAP server for automated testing. The alternative to OpenDS was and is ApacheDS. At the time of evaluation, ApacheDS had a larger footprint in terms of third-party dependencies. Hence we had chosen Sun's OpenDS for some basic LDAP-based automated testing. No, our test infrastructure is not built on LDAP, if that is what you were thinking. We were using OpenDS as a small-footprint LDAP server to test our LDAP integration for JBoss Application Server.

Why is this Blog Entry talking about OpenDS?
The reason I had to write this was the shocker sent by OpenDS founder, chief architect and everything else, Neil Wilson. Here is his blog entry:
An Open Letter to the OpenDS Community and to Sun Microsystems

The letter is basically a bridge-burning rant from the departing Neil. This signifies the future death of the OpenDS project. Even though Sun may have resources allocated to this project, the brain and soul of this project were the initial founders, and they have been let go. I do not know exactly what transpired between Neil's superiors and Neil & co, but it is certainly a loss for the open source Java software world.

I have the utmost respect for Neil and I can say OpenDS was a good DS in the making. It still had a long way to go to match the other well-entrenched native LDAP servers.
Neil had single-handedly created SLAMD, a distributed load testing engine/framework that drives an LDAPv3 compliant server. It was slick when I played with it 4-5 years ago.

Neil seems to be a gentleman. I came to this conclusion after emails shared over the years on the SLAMD and OpenDS mailing lists, as well as his congratulatory blog post at the news of ApacheDS attaining LDAPv3 certification. Here is the blog entry.

Are we totally screwed with the potential demise of OpenDS?
Not really. We still have OpenLDAP and Red Hat Directory Server (neither Java based though). Frankly, we can live without an all-Java directory server. When such a need arises, we can choose ApacheDS. In fact ApacheDS is feature rich in comparison to OpenDS. :)

Apache-directory-server-makes-testing-ldap-useful

Competition between ApacheDS and OpenDS was essential to a healthy Java based Directory Server area. But in the end, ApacheDS prevails.

Both Alex Karasulu (ApacheDS) and Neil Wilson (formerly OpenDS) are smart, energetic and passionate-about-LDAP folks. So competition between these two projects was good for the ecosystem.

What will Neil do going forward?
I cannot speculate here or do some wishful thinking. I do not know him PERSONALLY.

It takes a long, long, long time to really build a directory server that is usable in production. Plus, LDAP servers are a commodity now. So I would not predict that Neil would build another DS. I certainly hope that he remains active in the open source world so that folks can use the good practical skills that he has. Additionally, his directory server skills will be an asset in the consulting world (probably he will do that). :)

I am sure Neil will make it big in the Identity Management/Ldap market.
Good Luck to Neil in his future endeavors.

Updates:
The new community leader of OpenDS has provided the perspective behind this:
=========================================
Sun is committed to a transparent, participatory Open Source OpenDS
community. We will continue our investment in OpenDS.

We very much appreciate the contributions from all current and former
Sun employees to the OpenDS Community. The OpenDS community remains
open to anybody that wants to contribute to it.

Some clarifications, in light of recent comments:

* The origin of OpenDS was a proprietary project at Sun.
Sun founded the OpenDS community in 2006 to host the evolution
of the project under an Open Source license.

* We recently discovered that the Governance document for OpenDS had
changed ([1]).

[1] https://opends.dev.java.net/source/browse/opends/trunk/www/public/docs/dev-docs/OpenDS-Governance.html


* Since the change had not been discussed with the broader community nor
with Sun, we wanted to have the change reverted. We asked the Sun
employees involved in the original change to back it out. They
refused and then resigned from the community, requiring the new
project owners to make the change.

* We did not ask anyone to resign from the OpenDS community and we
welcome and encourage community participation.


The OpenDS project team is fully committed to the Open Source
principles as our actions will show.


Regards,
Ludovic Poitou, OpenDS Community Leader
===========================================================

Andy Oliver responds as:
===============================
This response is woefully insufficient. It also doesn't contradict what
Neil said exactly. You're not running this as an open source project.
So you welcome free labor but aren't ponying up the open source
development part.

Show some actions that indicates said commitment. Your (Sun) actions
have shown a lack of it and this email is nothing but "spin" and damage
control.

You didn't ask them to resign...you just gave them no other choice.
Who cares about the semantic differences?

OpenDS is presently open source in license only. At present only a
community fork could correct this as you're only showing a commitment
to talking about how open sourcey you are without actually being so.

-Andy
============================================

legolas wood says:
Hello Neil,
I am sorry to hear that the project is going this way. An
open source project should be open in nature and somehow closed to
destructive changes. It should not be controlled by a company because
the company is providing the main artifacts.

You are leaving the project and this is not good news for the community,
including me. I have solved dozens of my problems by using your replies in
the mailing list and it is not something that I forget. I should thank
you again for all the replies you have provided in the forum, whether for
my questions or other people's questions.
I think community members should ask current board members to post an
official reply to this letter.

Thank you for posting the truth. I wish you a good future and a good job.
Have a good time.
=====================================

Eduardo Pelegri-Llopart says:
I do agree that Neil was extremely responsive and that he will be missed. But I think it is fair to give a chance to the current team to prove themselves.

[1] https://opends.dev.java.net/servlets/ReadMsg?list=users&msgNo=623
[2] https://opends.dev.java.net/servlets/ReadMsg?list=us

=====================================
Trey Drake, the former OpenDS Community leader has given his take here:
https://opends.dev.java.net/servlets/ReadMsg?list=users&msgNo=628

=====================================

I agree with legolas. Neil was the face of OpenDS. He would answer user queries and many times he would personally implement some of the feature requests that we put in. This type of commitment will be lacking in the future. Eduardo says we need to give the current team a chance (and we will. :) )

Additional Links from the media:
1) Sun bullied, used threats to gain control of open source project, former owner says
2) Does OpenDS need a fork
3) OpenDS Users Mailing List (All the drama is here for the month of November 2007)


Give me something to see before I go?

Sun CEO Jonathan Schwartz raving about the growing OpenDS community (In a picture of course). See Here. The picture is from Ludo's blog.

I am getting the feeling that something fell through the cracks in this project. Company lay-offs are a business decision.

Disclaimer: The replies and additional updates, including media links, are provided to give an overall perspective on the story and the responses from folks. I am not passing any judgement on anybody here. I am just disappointed that there was so much drama in a potentially successful project in the Open Source world.
"No More Updates to this blog entry. Please check the OpenDS users mailing list for November 2007 linked above for information"

UPDATE: The dust has settled on this matter. OpenDS development has continued. So back to business now. Neil Wilson has another blog post in continuation, Clarifications on the Open Letter.

Saturday, November 24, 2007

Online Social Networks : Tubing , Phishing Targets - What next?

Online Social Networks (OSNs) have become immensely popular in recent years. They have ridden high on a basic trait of human beings: the urge to socialize. For example, as of June 2007, MySpace had 114 million visitors [1].

With the proliferation of social networks on the internet and the need to get as many users as possible in the shortest period of time, security has taken a back seat. The result: phishing, identity theft, cyber stalking and attacks such as Tubing. This is what happens when security is not taken into consideration during the conception/design phase.

Just as the Windows world faces constant threats from viruses, Trojans etc., any popular idea that does not try to be secure by design will attract harmful glances from the cyber trash.

It is highly encouraging to see a position paper from ENISA on ensuring security in Online Social Networks.

Some of the notable points from the paper [1] are:
- Discourage banning of OSN from Schools.
- Cyber Stalking is increasing due to OSN.
- The OSNs encourage users to divulge as much private information as possible (which in turn can be mined and misused for marketing/financial gain). This has been validated by a survey in the UK [3].


Out of the 10.8 million in the UK signed up for social sites, one in four have posted confidential or personal information, according to "Get Safe Online."


This issue has manifested further in developing economies such as India [4] [5], where people's lives have started revolving around their daily interactions with Online Social Networks such as Orkut.

Ragini got on last year and already boasts of over 3,200 'friends' — a blend of a few real buddies, many passing acquaintances, strangers, and even people she hates in the real world.

Having the largest number of friends has become crucial for Ragini. On days that she gets less than 10 new be-my-friend requests or no messages (scraps) on her page, she gets depressed, claim her parents.


Competition for friends can be so fierce that some have even resorted to faking friend lists. Sixteen-year-old Mohit Kapoor, for example, has put up 20 benami (fake) profiles and keeps scrapping himself daily. "This not only pads the number of scraps I receive, but I can also brag about things indirectly," grins Mohit.


BBC [6] has an article on why an Internet watchdog is warning the youth to be careful with OSN.

The ICO also said young people could be putting themselves at risk of identity fraud because of the material they post on social networks such as Facebook and MySpace.


Many enterprises have jumped into Web 2.0 without giving any special thought to security. An article in InformationWeek [2] sheds light on this scary aspect.

The problem is that malicious hackers are increasingly focusing their attention on using Web 2.0 technologies as entries into unsecured companies. Hackers and spammers, for instance, can create their own pages on social networking sites and riddle them with malicious code to infect their social networking peers. One worm planted in a MySpace page infected more than 1 million users. And malware writers are beginning to target vulnerabilities in Ajax-based applications, which help make the Web 2.0 sites so dynamic.


Privacy Concerns
Many social networking sites like Facebook want your date of birth during registration. This piece of information is mandatory for you to use their service. I am unsure as to why this sensitive and risky piece of information is needed rather than a check box asking whether you are older than 18. Additionally, what is the guarantee that the company will keep this information safe from prying employees and from sale to marketing companies? A good indicator of this is that employees of social networking companies are able to peek at your usage history on their sites, for example, what profiles you have been viewing lately [7].

References:
[1] ENISA Position Paper No.1 Security Issues and Recommendations for Online Social Networks

[2] Study: Companies Dive Into Web 2.0 Without Securing Risks

[3] UK Survey Finds Social Networking Sites Raise Security Risks

[4] Social networking can be real pain

[5] Adults also prone to faking having online friends

[6] Young warned over social websites

[7] Facebook employees know what profiles you look at.

Be safe when you use and/or adopt Web 2.0 Applications.

Scott Wright is a 20-year veteran in the computer world and is currently a Security Management Consultant in Ottawa. He has pointed me to a poll that he has created. Please check it out and vote anonymously.

Does your organization allow you to access social networking sites (eg. Facebook) from its network?

Additionally, you should be aware that the more personally identifiable information is available on these social networking sites, the more spam you are going to receive, as per a new report: Spam gets dirty in 2008


==========================================

Tuesday, November 20, 2007

Tip 12: Encrypt Datastore Passwords in JBoss JCA

JBoss JCA Encrypt DataStore Password

This wiki gives you the instructions to encrypt the data store password. Please also have a look at http://wiki.jboss.org/wiki/Wiki.jsp?page=EncryptKeystorePasswordInTomcatConnector for subtle details on PBE (Password Based Encryption), mainly the details on password, salt and iteration count.

Caveats:
1. Note that Password Based Encryption deals with a tuple (password, salt, iteration count). So ensure that you use the same salt and iteration count in your JaasSecurityDomain MBean that you used during the opaque password generation.

Here is an example:
java -cp jbosssx.jar org.jboss.security.plugins.PBEUtils welcometopbe 15 somepassword server.password
Encoded password: E5rtGMKcXPP


Note that the encoded password above is my own cooked-up value (so it will not be the result of your command execution).

Now, this is how you configure your MBeans.

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
<constructor>
<arg type="java.lang.String" value="ServerMasterPassword"/>
</constructor>
<attribute name="KeyStorePass">
{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
<attribute name="Salt">welcometopbe</attribute>
<attribute name="IterationCount">15</attribute>
</mbean>

As you see, the salt and iteration count in the MBean definition are exactly the same as those used in the password generation.

If you see the following error in your log, the decryption ran without PBE parameters: the JaasSecurityDomain had no salt/iteration count to use. Check that the Salt and IterationCount attributes are present in the MBean and that your DS depends on the MBean defining the JaasSecurityDomain. (A salt or iteration count that is present but different from the one used during password generation usually shows up as a BadPaddingException instead.)
java.security.InvalidAlgorithmParameterException: Parameters missing


2. If JBoss cannot find the password file, then you will see an error such as:
ERROR [org.jboss.security.plugins.FilePassword] Failed to decode password file

Here is an example of a postgres-ds.xml that uses an encrypted DS password. The salt (12345678) and iteration count (17) here are a second, independent example; whichever values you use must match the ones given to PBEUtils. The EncryptedHsqlDbRealm security domain refers to an application-policy in login-config.xml that is not shown here.


<?xml version="1.0" encoding="UTF-8"?>

<!-- ===================================================================== -->
<!-- -->
<!-- JBoss Server Configuration -->
<!-- -->
<!-- ===================================================================== -->

<!-- ==================================================================== -->
<!-- Datasource config for Postgres -->
<!-- ==================================================================== -->


<datasources>
<local-tx-datasource>
<jndi-name>DefaultDS</jndi-name>
<connection-url>jdbc:postgresql://localhost:5432/teste</connection-url>
<driver-class>org.postgresql.Driver</driver-class>

<security-domain>EncryptedHsqlDbRealm</security-domain>
<metadata>
<type-mapping>PostgreSQL 8.0</type-mapping>
</metadata>
<depends>jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword</depends>
</local-tx-datasource>

<mbean code="org.jboss.security.plugins.JaasSecurityDomain"
name="jboss.security:service=JaasSecurityDomain,domain=ServerMasterPassword">
<constructor>
<arg type="java.lang.String" value="ServerMasterPassword"/>
</constructor>
<attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/conf/server.password</attribute>
<attribute name="Salt">12345678</attribute>
<attribute name="IterationCount">17</attribute>
</mbean>
</datasources>
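The tuple caveat above is easy to see in a few lines of JCE code. The following is an added example and not JBoss code. It assumes the cipher is PBEwithMD5andDES (what JaasSecurityDomain and PBEUtils use), that the salt is cut to its first 8 bytes as PBEUtils does (that cipher accepts only an 8-byte salt), and that the master password "somepassword" (the value FilePassword would read from server.password) and the datasource password "postgres-secret" are constructed values. The Base64 alphabet is java.util.Base64 (Java 8 or later), so the printed strings are not byte-compatible with what PBEUtils prints, but the behaviour is the same: only the exact tuple used at generation time recovers the password, and a different salt or iteration count fails, usually with a BadPaddingException.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Added example (not JBoss code): password based encryption with the
 * (master password, salt, iteration count) tuple, to show why the Salt and
 * IterationCount attributes of the JaasSecurityDomain MBean must match the
 * values given to PBEUtils. Assumption: PBEwithMD5andDES, 8-byte salt.
 */
public class PbeTupleDemo {
    private static final String ALG = "PBEwithMD5andDES";

    // PBEwithMD5andDES accepts only an 8-byte salt, so a longer salt such as
    // "welcometopbe" is cut to "welcomet" (assumed to match PBEUtils); a
    // shorter one is rejected here.
    static byte[] salt8(String salt) {
        if (salt.length() < 8) {
            throw new IllegalArgumentException("salt must be at least 8 characters");
        }
        return salt.substring(0, 8).getBytes(StandardCharsets.UTF_8);
    }

    static Cipher cipherFor(int mode, char[] master, String salt, int count)
            throws GeneralSecurityException {
        SecretKey key = SecretKeyFactory.getInstance(ALG)
                .generateSecret(new PBEKeySpec(master));
        Cipher c = Cipher.getInstance(ALG);
        // Salt and count are not part of the key object: they travel in the
        // parameter spec, which is why the MBean has to carry them separately.
        c.init(mode, key, new PBEParameterSpec(salt8(salt), count));
        return c;
    }

    // What PBEUtils does: encrypt the datasource password under the tuple.
    static String encode(char[] master, String salt, int count, String secret)
            throws GeneralSecurityException {
        byte[] ct = cipherFor(Cipher.ENCRYPT_MODE, master, salt, count)
                .doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(ct);
    }

    // What the JaasSecurityDomain does at runtime with its Salt/IterationCount.
    static String decode(char[] master, String salt, int count, String encoded)
            throws GeneralSecurityException {
        byte[] pt = cipherFor(Cipher.DECRYPT_MODE, master, salt, count)
                .doFinal(Base64.getDecoder().decode(encoded));
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        char[] master = "somepassword".toCharArray(); // constructed master password
        String dbPassword = "postgres-secret";         // constructed DS password

        String encoded = encode(master, "welcometopbe", 15, dbPassword);
        System.out.println("Encoded password: " + encoded);

        // Same tuple as at generation time: the datasource password comes back.
        System.out.println("same tuple : " + decode(master, "welcometopbe", 15, encoded));

        // IterationCount 17 instead of 15: a different DES key and IV are
        // derived, so decryption fails with a padding error or yields garbage.
        try {
            System.out.println("wrong count: " + decode(master, "welcometopbe", 17, encoded));
        } catch (GeneralSecurityException e) {
            System.out.println("wrong count: " + e);
        }
        // A different Salt attribute has the same effect.
        try {
            System.out.println("wrong salt : " + decode(master, "12345678", 15, encoded));
        } catch (GeneralSecurityException e) {
            System.out.println("wrong salt : " + e);
        }
    }
}
```

Compile and run with a plain JDK (no JBoss jars needed). The check a practitioner wants before touching the MBean is simply: the Salt and IterationCount attributes, together with the master password in server.password, are the three inputs to decode; change any one of them and the datasource password cannot be recovered.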

Sunday, November 18, 2007

HTTPOnly Cookies

To mitigate cross site scripting dangers, Microsoft pioneered the usage of HTTPOnly cookies.

One of the more common security problems plaguing Web servers is cross-site scripting. Cross-site scripting is a server-side vulnerability that is often created when rendering user input as HTML. Cross-site scripting attacks can expose sensitive information about the users of the Web site. In order to help mitigate the risk of cross-site scripting, a new feature has been introduced in Microsoft Internet Explorer 6. This feature is a new attribute for cookies which prevents them from being accessed through client-side script. A cookie with this attribute is called an HTTP-only cookie. Any information contained in an HTTP-only cookie is less likely to be disclosed to a hacker or a malicious Web site. The following example is a header that sets an HTTP-only cookie.


The cookie looks like:
Set-Cookie: USER=123; expires=Wednesday, 09-Nov-09 13:12:10 GMT; HttpOnly


This is certainly a positive step. Firefox (v3) has now agreed to support HttpOnly cookies, and Opera (v9.5 onwards) is also going to support them.

According to Johnathan Nightingale of Mozilla (over email), "This allows site authors to specify that certain cookies, e.g. session tracking cookies or those with otherwise sensitive information, be available only as part of the http request, and not accessible to script. This is opt-in, but it has the advantage that the user is protected without a need to involve them in the decision process. It also preserves the innocent cases of script-based cookie manipulation where no sensitive information is involved."

As far as I know, there is no way to configure cookies to be HttpOnly in Apache Tomcat. What you can probably do is create a Tomcat valve (or a servlet filter) which, on the way out, writes the cookie header with the HttpOnly attribute itself. Note that setHeader replaces any Set-Cookie header the container has already queued, which is what you want when overriding the container's own session cookie; use addHeader when adding a cookie of your own alongside others:

response.setHeader("Set-Cookie", "something=" + value + "; HttpOnly");

UPDATE (25 SEPT 2008): There is HttpOnly support being included in the Servlet 3.0 specification, which will probably approved soon. This will make Tomcat/JBossWeb to support it asap. Check Rajiv Mordani's post.

Tubing - another phishing mechanism using YouTube

Apparently, there is a dangerous phishing scheme that targets YouTube fans as well as those who trust YouTube. The scheme is called TUBING.

What happens is that you get an email or other message inviting you to watch a YouTube video. Note that the URL of the video will not point to a YouTube server but to a malicious server. As part of the video, you will be asked to install some code. If you accept, you have exposed yourself to attack.

WebSense has a nice article on the topic of TUBING.

Because email addresses can be spoofed, IP addresses can be spoofed and even https can be spoofed, it is advisable to inspect the URL before you try to open a YouTube video.

Saturday, November 17, 2007

I authenticated you but are you WHO you say you are?

Ok, you may say that the whole goal of the authentication process is to identify you and ascertain that you ARE who you say you are. But how has the authentication process progressed over the years, and how safe has it been?

Some thoughts:
a) The overwhelming majority of the world's authentication systems have been based on passwords. Dictionary attacks and weak passwords aside, this phenomenon has led to disasters and nothing else. Your system may have incorporated a password policy, but over time your users get tired of coming up with new passwords because your system will not accept any of their old passwords. Remember that many of your users are smart and will create strong passwords, but they cannot generate them often, BECAUSE your system is not the only system they interact with. They interact with a large number of systems. So they are more likely to create 2 or 3 strong passwords and reuse them everywhere. Now, if you have a password policy, they will not be able to use this small set of passwords they generated to keep themselves safe. What are they going to do? They will generate one and write it down someplace or store it in a text file on their laptop. There you go. Your password policy probably brought you compliance with some regulation, but screwed your users.

b) There are many banks and financial institutions still using the social security number as the primary means of identifying you, in place of a regular user-chosen "username". Of course, I understand that customer support costs money, hence you chose the simplest means of uniquely identifying a US-based customer. If you have read my earlier blog post about "The Underground Digital Economy", you will have the jitters like I have about such approaches. The main point is that a PHISHING email sent to any person will get a user entering his SSN as the username along with the password. The password is not very significant here because, apart from the particular bank/financial institution being in danger, the captured SSN has exposed the victim to multiple frauds.

c) Multi Factor Authentication: This comes in multiple flavors, typically two factor authentication. You have another piece of credential apart from your password to identify you. This additional piece can be a token card, hardware device or some kind of a mutually agreed answer to a question. Well, Bruce Schneier is not very excited about the Two Factor Authentication.

d) Knowledge Based Authentication: I will not go into details about KBA. But you can read about the harm caused by it. Also, Bruce is not convinced about Secret Questions.

There are other authentication mechanisms that I am NOT going to dive into.

Wish I could give you an answer to safely authenticate someone, without endangering your infrastructure as well as the legitimate user you were trying to authenticate. Once I know the answer, I will tell you.

Friday, November 16, 2007

Short Interview: Oasis XACML Interoperability Event at Burton Catalyst Conference

Hal Lockhart, OASIS XACML Chair had interviewed all the participants of the Oasis XACML Interoperability Event at the Burton Catalyst Analyst Conference in San Francisco. You can hear me rave about our efforts here in this podcast:

OASIS XACML Interop Event

Tuesday, November 13, 2007

W3C Security Context - First Working Draft

If you have not checked out the First Working Draft of "Web Security Context: Experience, Indicators, and Trust", then you may be missing out on what will probably be driving your safe internet browsing behavior in the next 3-10 years and beyond.

Some brownie points if you repeat the names of the editors.

Are you concerned about your privacy?

I am sure the answer is YES.

If you live in the US and inform the US Postal Service that you are moving to a new location, it invariably happens that you will receive a Welcome packet from USPS at your new address. Guess what the packet contains? Apart from the regular USPS stuff, you will see coupons from Home Depot and other neighborhood stores. How did they come to know that you were moving? Of course the USPS told them. Or they already provide coupons to USPS to place in the welcome packet. I prefer the latter to be the case.

Now, let me give you another instance. You go to ToysRUs or any other store, and you will be asked, "Can I have your phone number?". You either meekly tell them or ask them why they need it. The response will be that it is to send marketing material (coupons etc.). I am sure that they are quite concerned that we do not receive enough junk mail and the USPS needs to justify a postman for your street. :)

The November 12th issue of Information Week has an excellent article on Privacy Vs. Personalization: Can Advertisers Ward Off Looming Threat Of Do Not Track List.
The summary is:
It's time to give consumers a say over all that data being collected on them. Otherwise, a Do Not Track list--or worse--could be in the future.


I have been an Amazon customer for the last 10 years. They keep track of everything I do. What books I search on; What products I view, search and buy. Based on a book I bought 4 years ago, they will make new recommendations. I do not care so much about the data mining or whatever fancy term that they are doing, with my association with Amazon. But I will be very very worried if my online behavior is shared with non-amazon parties. Of course, Amazon's privacy policy will assure me that it will never happen.


Mathew Ingram
writes a nice article on "Facebook’s No-Pseudonym Policy Is Short-Sighted", in which he quotes a NewYorker cartoon
In the early days of the Web, about 15 years ago, The New Yorker ran a now legendary cartoon in which two dogs are sitting in front of a computer, and one is saying to the other, “On the Internet, no one knows you’re a dog.”


Google's social networking site, Orkut, has an interesting feature that tells you who viewed your profile recently. Well, this is clearly a violation of the trust that a user has when he registers with Orkut. Now how do I ensure that people do not know that I checked their profiles?

Look at this Business Week article on "Looming Online Security Threats in 2008"
Web-based services, including social networks MySpace and Facebook, are becoming prime targets for hackers seeking your personal information

The Underground Digital Economy

The October 2007 issue of the ISSA Journal has a very alarming article called "The Underground Digital Economy" by Dean Turner.

The summary of the article is : Driven by the promise of big profits, cybercriminals have built the foundation of an underground digital economy.

Figures have been taken from the "Internet Security Threat Report" from Symantec.

Interesting revelation is:
A credit card from a US-based bank sells for USD 1 to USD 6, while a full identity (US bank account information, CC data, date of birth, mother's maiden name and SSN) sells for USD 14-18.


A question I have is - which phase of the WWW are we entering into? My thought resonates with the question I had put to Sir Tim Berners-Lee in person - "Does the current growing Internet Fraud menace keep him awake at night?". He basically had said "No".

IBM JDK Kerberos Login Module has a funny bug

Please refer to the discussion here to get some context:
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4104362

As far as I know, login modules get a map of options. They are free to pick and choose the ones they want, not choke on the ones they do not like.

I have requested Marcus to pursue filing of a bug for the IBM JDK.

As far as I know, no such issues have been reported against the Kerberos module in the Sun JDK.

Friday, November 9, 2007

User Centric Identity

Should users control their online identity? It is a known fact that users like to use a pseudonym in the online social world (rather than identify themselves).

With the advent of Web 2.0, the paradigm has shifted towards the user. It is a push rather than a pull model as far as the web is concerned.

It is appropriate to say that the user has full rights over his identity. The 7 laws of Identity by Kim Cameron may be the first place to look for justification.

Here is a short write up on User Centric Identity that I found online:
Primer on User-centric Identity Access Management

Additionally, "Internet Scale Identity, Collaboration, and Higher Education"

Thursday, November 8, 2007

Second meeting with Kim Cameron

I was fortunate to hear a keynote speech by Kim Cameron, Identity Guru from Microsoft at the Computer Security Institute (CSI) 2007. I sat in the first row.

Why Cyberspace Needs Cardspace

He gave an excellent introduction to how the concept of CardSpace evolved, the utopian Passport initiative and the need for an Identity Metasystem.

At the end of the session, I went over to Kim. He did not recognize me right away but when I mentioned "JBoss", he remembered our first meeting at the Burton Catalyst Conference in June.

What do I like about Kim Cameron:
a) He is honest about what his intentions about an Identity Metasystem are.
b) He has a blog (http://identityblog.com) that runs on a Linux stack and WordPress (It was his way of reaching out to the OSS community).
c) He generated the 7 Laws of Identity which summarize the space of IDM and its needs accurately.

I do agree with Kim that we really really need an Identity Metasystem rather than the myriad of specifications/standards around it.

JBoss XACML v2.0.1-GA news

NOTE: JBossXACML v2.0.3.CR1 is here. <========

The release was done a few days ago. Not much changed from the Beta that was released earlier. We are still working on a Policy Management Console that makes it easier to perform Policy Construction and Management. I do not have any concrete dates for any console at the moment. So stay tuned.

I know that many of you are eager to try out XACML with JBoss and have all types of questions about whether we will implement a PEP, PDP and PAP at JBoss. PEP and PDP are important for JBoss AS v5.x. I have added support for XACML at the web and EJB layers in JBAS 5.0.x coming out in the future. PAP will happen at leisure.

I did give a presentation on OASIS SAML2 and XACML2 at the Computer Security Institute (CSI) Annual Conference in Washington, DC this week.
Robust Web-Based Security Using OASIS SAML and XACML

Wednesday, November 7, 2007

Tip 11: Refresh Security Roles within a Tomcat Session

This long outstanding JIRA issue has been on my mind for a long long time now. The blocking thing for this was always the performance aspect associated with the security roles refresh in the middle of the http session.

The JIRA issue is this:
Need a way to support refreshing security roles within a session

Well, no solution yet for the JBoss 4.2.x series (and for 3.2.x and 4.0.x series also).

But the simplest workaround is to do a full security check (authentication and authorization) with each call. This was done anyway by default, except that the JAAS Security Cache in JBoss was pulling the subject out of the cache rather than going through the JAAS authentication process with each call.

Given this, there are 2 steps to perform for the workaround:
1) Disable Jaas Security Cache
- Go to conf/jboss-service.xml and set the "DefaultCacheTimeout" to zero.

<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
  ...
  <attribute name="DefaultCacheTimeout">0</attribute>
</mbean>


2) Disable Tomcat caching the principal as part of the session.
NOTE: This is a very important step. If you do not follow it correctly, you will see bad behavior and may lose hair.

Now you will need to figure out what kind of auth method is used in your web application. How will you know? Look in the web.xml of your web application.

If it is BASIC as in,


<login-config>
<auth-method>BASIC</auth-method>
<realm-name>JBoss JMX Console</realm-name>
</login-config>


then do the following: in the WEB-INF of your web application, create a context.xml with the following content (note the class name org.apache.catalina.authenticator.BasicAuthenticator):

<Context>
  <Valve className="org.apache.catalina.authenticator.BasicAuthenticator"
         cache="false" />
</Context>


If it is FORM based login, as in

<login-config>
<auth-method>FORM</auth-method>
<realm-name>Tomcat Application</realm-name>
<form-login-config>
<form-login-page>/jsp/login.jsp</form-login-page>
<form-error-page>/jsp/loginerror.jsp</form-error-page>
</form-login-config>
</login-config>

then do the following: in the WEB-INF of your web application, create a context.xml with the following content (note the class name org.apache.catalina.authenticator.FormAuthenticator):


<Context>
  <Valve className="org.apache.catalina.authenticator.FormAuthenticator"
         cache="false" />
</Context>


Similarly, if it is Client-cert, just replace FormAuthenticator with SSLAuthenticator.

Inform me if this does not work. I have done some basic testing with BASIC type of auth.

Motivation for the workaround:
For the web layer, the container security checks happen at the time of the user login. Once the user's authentication and authorization checks are done, they are valid for the entire session. For custom requirements such as roles being refreshed at arbitrary times during the session, there is no decent way of solving it other than the aforementioned workaround. The complexity arises from the way Tomcat caches the principal during the session.
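As an added configuration check (my own script, not part of the original tip or of JBoss), here is a small Python verifier for both workaround steps: it reads the three files involved (conf/jboss-service.xml, WEB-INF/web.xml and WEB-INF/context.xml), confirms the DefaultCacheTimeout is zero, maps the web.xml auth-method to the authenticator valve the tip names, and confirms that valve is declared with cache="false". The sample file contents are constructed for the demonstration, and the auth-method values use the servlet-spec spelling (BASIC, FORM, CLIENT-CERT).

```python
import xml.etree.ElementTree as ET

# Tomcat authenticator valve per auth-method, as listed in the tip (CLIENT-CERT = "Client-cert").
AUTHENTICATORS = {
    "BASIC": "org.apache.catalina.authenticator.BasicAuthenticator",
    "FORM": "org.apache.catalina.authenticator.FormAuthenticator",
    "CLIENT-CERT": "org.apache.catalina.authenticator.SSLAuthenticator",
}
JAAS_MBEAN = "jboss.security:service=JaasSecurityManager"

def jaas_cache_disabled(jboss_service_xml):
    """Step 1: the JaasSecurityManager mbean's DefaultCacheTimeout must be 0."""
    for mbean in ET.fromstring(jboss_service_xml).iter("mbean"):
        if mbean.get("name") != JAAS_MBEAN:
            continue
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "DefaultCacheTimeout":
                return (attr.text or "").strip() == "0"
    return False  # attribute missing: the server's own (non-zero) default timeout applies

def auth_method(web_xml):
    """Read <auth-method> from web.xml, tolerating the J2EE default namespace."""
    for el in ET.fromstring(web_xml).iter():
        if el.tag.split("}")[-1] == "auth-method":
            return (el.text or "").strip().upper()
    return None

def tomcat_cache_disabled(context_xml, method):
    """Step 2: context.xml must declare the matching authenticator valve with cache="false"."""
    wanted = AUTHENTICATORS.get(method)
    if wanted is None:
        return False
    return any(v.get("className") == wanted and v.get("cache") == "false"
               for v in ET.fromstring(context_xml).iter("Valve"))

def check_workaround(jboss_service_xml, web_xml, context_xml):
    """(step1_ok, step2_ok): both must hold, or a cached principal keeps its stale roles."""
    return (jaas_cache_disabled(jboss_service_xml),
            tomcat_cache_disabled(context_xml, auth_method(web_xml)))

# Constructed sample file contents, modelled on the snippets in the tip above.
SERVICE_XML = """<server><mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
  name="jboss.security:service=JaasSecurityManager">
  <attribute name="DefaultCacheTimeout">0</attribute></mbean></server>"""
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
<login-config><auth-method>FORM</auth-method></login-config></web-app>"""
CONTEXT_XML = """<Context>
<Valve className="org.apache.catalina.authenticator.FormAuthenticator" cache="false"/></Context>"""
```

To run it against a real deployment, read the three files from disk and pass their contents to check_workaround; a (True, False) result is the "lost hair" case where only the JAAS cache was disabled.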

Sunday, November 4, 2007

Congrats to Securent

Securent has been the leader in Enterprise Entitlements Management. They have tried to solve the access control/authorization maze to a large extent. Even though I am not familiar with their patented technology, I have met Sekhar and Anil T at the Burton XACML Interoperability in June 07.

I want to congratulate Rajiv, Sekhar and Anil on the acquisition by Cisco as publicized in Cisco News.

Gerry Gebel from Burton has written a nice piece about this here.

Congrats!!!

Death of PKI?

I hear stories about how PKI has not really taken off in the public domain even though it promised to solve a lot of issues with Internet Security.

Ever since Baltimore Technologies' demise, PKI has really taken the backseat in terms of mindshare etc.
Baltimore's death spells gloom for PKI

I also read this humorous post by Gerry Gebel at the Burton Group.
When PKI meets the real world


I know that PKI has affected you or your enterprise in some form over your lifetime. What are your experiences with it?

Do you agree with the claim made that the "Death of PKI" has occurred?

Maybe I will ask Dr. Philip Hallam-Baker from Verisign next time I meet him...

Interesting comment during the 3rd Annual PKI R&D Workshop.
As in other sessions, prominent themes of the discussion were that technology is a much smaller part of the problem than understanding the business needs of PKI implementers and selecting tools accordingly, and that when this is done, PKI can thrive. Bill Burr observed that the math in PKI is so cool that we try to bring everything up to its standard; instead we need to figure out how people can use PKI without understanding any of the esoteric details. Rich Guida noted that he sometimes feels like he and all the people who talk about the death of PKI dwell on "different planets;" in the pharmaceutical sector in particular, the use of PKI is "blossoming." Pawluk encouraged the group to get involved in the work of implementing the PKI Action Plan, and noted that the OASIS PKI Technical Committee that's driving it (http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=PKI) usually meets via telephone.


If you read the statement from Internet2 for the 5th Annual PKI R&D Workshop, it makes me wonder further:
The mathematics of public key cryptography is delightful, and critical to online security, but we still have much to learn about applying it in the real world in ways that are easy for humans to understand and use. Come join with experts from NIST, NIH, private industry and universities around the world for our fifth workshop on overcoming the challenges.


In my view, PKI is not dead. It is just that the original intent of the public having their own public key has not been realized.

Thursday, November 1, 2007

JBoss EAP will undergo CCE

Not sure if you have already seen the press release that went out. If not, take a look at my official blog entry:

Red Hat Expands Security Leadership by Seeking Common Criteria Certification for JBoss and MetaMatrix Solutions

Your excellency will be leading this effort.