Who am I? Who are you? Who is anybody?
Transcript of Who am I? Who are you? Who is anybody?
Who are You? Who am I? Who is Anybody?
Who am I? Who are You? Who is Anybody?
Who am I?
I’m not ...
<a href="http://lanyrd.com/people/psd" rel="me" >Lanyrd</a>
http://tools.microformatic.com/help/xhtml/rel-lint/
http://socialgraph-resources.googlecode.com/svn/trunk/samples/findyours.html
Social Graph API
https://twitter.com/hotdogsladies/status/121634890612617216
FAIL!
http://inmaps.linkedinlabs.com/share/Paul_Downey/254787113202758123919768153472111744090
Who are you?
https://twitter.com/Jermolene/status/121537205608001536
https://twitter.com/paulmadsen/status/122271400336699392
Basic Authentication
http://en.wikipedia.org/wiki/Basic_access_authentication
Digest Authentication
http://en.wikipedia.org/wiki/Digest_access_authentication
PASSWORD REHABILITATION
sha1
Secret URIs
• http://farm3.static.flickr.com/2291/1806225034_50df5b8ba4_o.png
• http://inmaps.linkedinlabs.com/share/Paul_Downey/254787113202758123919768153472111744090
http://en.wikipedia.org/wiki/HTTP_cookie
http://softwareas.com/signing-up-to-websites-1999-2009-a-montage
https://github.com/hanssonlarsson/express-csrf
EU Privacy Directive on Cookies
http://www.davidnaylor.co.uk/eu-cookies-directive-interactive-guide-to-25th-may-and-what-it-means-for-you.html
UX
More Secure
Less pleasant to use
DNS Is B0rken
http://blog.icann.org/2008/11/why-the-dns-is-broken-in-plain-language/
HTTPS
$ openssl s_client -connect www.google.com:443 < /dev/null | openssl x509 -outform DER | openssl sha1
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
405062e5befde4af97e9382af16cc87c8fb7c4e2
http://googleonlinesecurity.blogspot.com/2011/04/improving-ssl-certificate-security.html
$ dig +short 405062e5befde4af97e9382af16cc87c8fb7c4e2.certs.googlednstest.com TXT
"14867 15062 74"
Client Certs?
http://codebutler.github.com/firesheep/
https://www.eff.org/https-everywhere
http://xauth.org/
you have to opt-out ..
.. in every browser ..
.. this is evil .... and doomed to failure
http://en.wikipedia.org/wiki/OpenID
<XRD>
  <Subject>http://blog.example.com/article/id/314</Subject>
  <Alias>http://blog.example.com/cool_new_thing</Alias>
  <Expires>2010-01-30T09:30:00Z</Expires>
  <Type>http://blgx.example.net/ns/version/1.2</Type>
  <Type>http://blgx.example.net/ns/ext/language</Type>
  <Link>
    <Rel>author</Rel>
    <URI>http://blog.example.com/author/steve</URI>
    <MediaType>text/html</MediaType>
  </Link>
</XRD>
http://hueniverse.com/2009/03/xrd-sneak-peek/
https://dev.twitter.com/docs/auth/oauth
Delegation UX
The “F” Word
Federated
https://twitter.com/hipsterhacker/status/77716476873801728
https://twitter.com/jtauber/status/60586912196460544
Transport Independence
<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing">
  <wsa:Address>http://www.w3.org/2005/08/addressing/none</wsa:Address>
  <wsa:ReferenceParameters xmlns:customer="http://example.org/customer">
    <customer:CustomerKey>Key#123456789</customer:CustomerKey>
  </wsa:ReferenceParameters>
  <wsa:Metadata>
    <definitions xmlns="http://schemas.xmlsoap.org/wsdl/">
      <!-- load of WSDL 1.1 here! -->
    </definitions>
    <description xmlns="http://www.w3.org/2006/01/wsdl">
      <!-- more WSDL 2.0 here! -->
    </description>
  </wsa:Metadata>
</wsa:EndpointReference>
<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:ns1="http://sdk.bt.com/2007/01/WhiteLabelAuthentication"
    xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <SOAP-ENV:Header>
    <wsse:Security>
      <ds:Signature>
        <ds:SignedInfo>
          <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
          <ds:Reference URI="#ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>bwlAKau7KQAubgGNJzysZoEEF8o=</ds:DigestValue>
          </ds:Reference>
          <ds:Reference URI="#78223460-ef68-5501-83d6-a5edb6d452b6">
            <ds:Transforms>
              <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <ds:DigestValue>kyBw9fnMjhi2I39+wfBIklyk8g4=</ds:DigestValue>
          </ds:Reference>
        </ds:SignedInfo>
        <ds:SignatureValue>XW2FqP9o/A1J+NOg6Kv3ncn3PvSg5lzr2V4H/AQpRycXUSk7bzWK8kzhtMrlXUwkykrJ2AyEzw+xrRtSBIeaId1Iveme2KO02p21MTglr73cPCft/GHvEvAHZ4B6N6gSaX7NcGFrYnsYKP0nX5vT7jBh7WZ7Euqn0PyjCHyYxbU=</ds:SignatureValue>
        <ds:KeyInfo>
          <wsse:SecurityTokenReference>
            <wsse:Reference URI="#CERTID"/>
          </wsse:SecurityTokenReference>
        </ds:KeyInfo>
      </ds:Signature>
      <wsu:Timestamp wsu:Id="ac016ffe-a6e9-23d4-ebd1-ccef7ea31db7">
        <wsu:Created>2007-02-23T07:47:01Z</wsu:Created>
        <wsu:Expires>2007-02-23T08:47:01Z</wsu:Expires>
      </wsu:Timestamp>
      <wsse:BinarySecurityToken
          EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
          ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"
          wsu:Id="CERTID"><!-- base64-encoded X.509 certificate elided --></wsse:BinarySecurityToken>
    </wsse:Security>
    <wsa:Action>http://sdk.bt.com/2007/01/WhiteLabelAuthentication#login</wsa:Action>
    <wsa:MessageID>urn:uuid:e12edac3-f87d-3e0a-b621-04fa4d0b8cda</wsa:MessageID>
  </SOAP-ENV:Header>
  <SOAP-ENV:Body wsu:Id="78223460-ef68-5501-83d6-a5edb6d452b6">
    <ns1:login>
      <ns1:userName>[email protected]</ns1:userName>
      <ns1:password>2344324t</ns1:password>
    </ns1:login>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
HEADERS?
http://www.xmlgrrl.com/blog/2007/03/28/the-venn-of-identity/
http://www.xmlgrrl.com/blog/2008/09/04/venn-and-the-art-of-data-sharing/
http://kantarainitiative.org
http://en.wikipedia.org/wiki/OpenID
http://www.bbc.co.uk/news/technology-13749010
https://twitter.com/IdentityWoman/status/110622242127364096
https://twitter.com/robinberjon/status/109611765435875329
very cool!
correcthorse
battery staple
http://nigelparry.com/news/guardian-david-leigh-cablegate.shtml
.. but .. wait!
https://twitter.com/rem/status/123392299320344579
Verified by Visa not only protects your card against unauthorised use, it also means you can have confidence that the online retailer you’re buying from has made your security a priority.
http://www.visaeurope.com/en/cardholders/verified_by_visa.aspx
http://cyberelk.net/tim/2008/11/20/chip-and-pin/
http://krebsonsecurity.com/2011/09/gang-used-3d-printers-for-atm-skimmers/
http://berglondon.com/blog/2009/10/12/the-ghost-in-the-field/
http://gizmodo.com/5366022/sniff-the-rfid-dog-likes-to-smell-your-credit-cards
http://www.cerealbits.com/
http://en.wikipedia.org/wiki/Blue_box_(phreaking)
https://bitcointalk.org/index.php?topic=9047.0
http://cs-exhibitions.uni-klu.ac.at/index.php?id=258
Bio-meh-trics
http://www.flickr.com/photos/jeff-barnes/76948611
Something you have
Something you are
Something you know
The Mobile is
The Dongle™
not really
Who is anybody?
http://isaach.com/2011/07/mention-constellations.html
BUTTON SLUTS
https://twitter.com/beng/status/118026274148073472
https://twitter.com/monkchips/status/117246164839043072
Yikes!
evercookies
• Standard HTTP Cookies
• Flash Local Shared Objects
• Silverlight Isolated Storage
• auto-generated force-cached RGB values
• PNG/HTML5 Canvas tag to read pixels
• Web History
• HTTP ETags
• Web cache
• window.name caching
• Internet Explorer userData storage
• HTML5 Session Storage
• HTML5 Local Storage
• HTML5 Global Storage
• HTML5 Database Storage (SQLite)
• HTTP Authentication
• Java NIC based unique key
https://twitter.com/9600/status/117309784130199553
“The thing that makes newspapers so fundamentally fascinating — that serendipity — can be calculated now.
We can actually produce it electronically.
The power of individual targeting — the technology will be so good it will be very hard for people to watch or consume something that has not in some sense been tailored for them”
— Eric Schmidt
http://googlesystem.blogspot.com/2010/08/eric-schmidt-on-future-of-search.html
Privacy Window
four legs good, two legs better ...
https://twitter.com/danbri/status/114241481346252801
Test Driven Development
Behaviour Driven Development
Jenga Driven Development
Domain Driven Design
Design Driven Driving
Development Driven Development
Investor Driven Development
Confusion / Conclusion
Who am I? — someone who treasures linking
Who are you? — someone who deserves grokable security
Who is Anybody? — mind your own bloomin’ business!