Facebook for children, Facebook for hackers and the identity solution
By Simon Bisson & Mary Branscombe in Editorial
Posted in Identity, People, Web browser, Security, Internet, Microsoft on
Set up a safe online network for children, or create a target for unwelcome visitors? Make it easy to share pictures, videos and food fights with friends, or create another avenue for malware? If you want an Internet that’s not full of dark backstreets disguised as well-lit safe places, we need identity rather than censorship.
The Koobface attack has spread from Facebook and MySpace to Bebo and other social networks: the message from a friend telling you to see a funny video takes you to a Web page that tells you that Flash needs updating, and once you’ve installed the Trojan masquerading as a codec, it does actually take you to the social network site to lull your suspicion. Does standard email hygiene avoid this? That says never open a link in an email message, even if it’s from a friend - so you go to the Web site, being careful to type the URL correctly to avoid typosquatters, and look for the message there. And you keep your anti-virus up to date, which will catch most of these Trojans.
But mostly you wish there was some way of knowing when it’s OK to follow a link, because let’s face it - who has time to actually stop and type in every URL by hand? Facebook is always sending me messages from people with a link to click at the bottom to reply to them; LiveJournal does the same and I actually reply. Friends and colleagues send me email with interesting links; so does the Microsoft security newsletter.
Links are for clicking. Assuming you’re up to date with patches against drive-by downloads, what you’re really struggling with is the arbitrary behaviour of even legitimate Web sites and the hoops they make you jump through, from typing in a username and password every time or every two weeks or next to a picture you recognise or standing on one leg whistling God Save The Queen. And the passwords are each made up of some uniquely different regular expression. Punctuation, case, sequential numbers, length: does enforcing or ignoring them make your password more secure, more memorable, or more likely to be written down?
What would work better would be a familiar and universally recognised ceremony, like putting a credit card in a reader or using the Windows security dialog or pressing the button at a pedestrian crossing: no two pedestrian crossings are the same, but you know the protocol to tell them you’re a pedestrian. If you’ve read any of my password rants before, you might have guessed I’m talking about information cards: if not I’m going to point you at this Gartner interview with Kim Cameron and Dick Hardt’s excellent (and short) Identity 2.0 presentation.
The iPhone identity selector Apple won’t care about
By Simon Bisson & Mary Branscombe in Editorial
Posted in Identity, smartphone, Security, Internet, Microsoft, Mobile, Apple on
On a smartphone, passwords are even more irritating than ever, especially on a soft keyboard that’s so sure it knows what you want to type that the default is to correct what you actually wrote. That’s only a trimester if the phone has as big a vocabulary as you do.
For instance, when I started writing this on my Samsung Blackjack II with xt9, what I typed in the previous sentence was ‘timesaver’ - before xt9 ‘corrected’ it… xt9 gives you the option to stick with your actual typing as long as you notice the change and the equally aggressive correction on the iPhone does the same (though I’ve never managed it myself), but it’s one more way that passwords are more likely to trip you up than keep you secure. Let alone that the UK now has the worst information theft figures in Europe, even though the French have the least secure passwords.
Switching to information cards where claims like who I am and whether I’m over 18 are encrypted, hashed and sent on demand to replace simple username and password makes logging on simpler and more secure, and makes it possible to add extra authentication. After complaining about Microsoft not issuing secure ‘managed’ cards I’ve been told to wait a few days for a major announcement; it might be the Equifax over-18 I-card service https://equifaxicards.com/imover/overview.do (only for the US at the moment, but it’s the first major public verified information card and it will soon be followed by cards to prove your credit rating, contact details or membership).
So that leaves getting sites and services to accept information cards - and being able to use them on any computer. They’re built into Vista, Windows 7 and any PC with IE7, plus there are open source plugins for Firefox and Safari.
When will Windows Live stop treating CardSpace as the unwanted stepchild?
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Identity, Networking, Server, Microsoft on
The cloud demands identity. Microsoft has a strong, secure, privacy-friendly identity technology that’s open, easy to federate and will transform the Web and the cloud. So why is Windows Live ignoring CardSpace?
OpenID is a great tool for logging in to a Web site that you want to use but don’t need to trust. You wouldn’t want to use OpenID to get into your banking site because it’s just not secure enough, but it’s great for not having to remember passwords for LiveJournal, Dopplr, Plaxo and the like. You log into one site and tell the others to ask that site who you are. OpenID is getting less vulnerable, but it’s simply not intended to protect really important information.
The information card system is secure; it’s protected by cryptographic keys, it’s got a user interface that makes it very clear when you’re being asked to log in to a site, what the site wants to know about you and it lets you choose from a ‘wallet’ of cards to prove your identity. That gives you security and privacy and ease of use together (which improves security by stopping people using the same password everywhere). Microsoft put it into Vista and Internet Explorer 7 as CardSpace (information cards are the generic system and there are implementations that you can use in Firefox and Safari, on Macs and Linux machines; CardSpace is just the Microsoft implementation).
And since then, I’ve been waiting for Microsoft to deliver the next pieces. A token server that a business can use to issue its own information cards, and to validate them so you can use them for access to internal apps, preferably federated so you can also validate partners. And a public service that issues not just the self-certified cards that anyone can create with their public details but managed cards that have useful information that you want to protect. When you wave your passport or driving licence in an American bar, the bar doesn’t - or shouldn’t - take a copy of it; they just need to know you’re old enough to have one. Put your birthday into a managed card and you can prove that you’re over 16 for a shopping site without handing over details that could help someone hack your bank account if the site loses its customer details on a USB stick, because the site only gets the assertion that you’re old enough, not the actual day, month and year.
Issuing cards was going to be a function of ADFS at one point, because it fits with where enterprises store identity information; for development and resource reasons it went on and off the feature list and now it’s going to be a free component in Windows Server 2008 (and maybe other versions), code-named Project Geneva. Currently in beta at www.microsoft.com/geneva, there will be a feature-complete beta in the first half of 2009 and a final version in the second half. It leverages AD and SAML and X.509, it interoperates with a wide range of line of business applications and it makes using secure identities easy in a business.
That just leaves a managed card service for those of us who aren’t in a big business and I’m still waiting. And in the PDC keynote today, Microsoft announced that Windows Live ID would be issuing a new kind of identity - but it’s not information cards.
So why is Windows Live ID proudly announcing that it’s issuing OpenIDs but not CardSpace IDs? Is it because OpenID is accepted by a lot of sites? So are information cards, and if you could get an identity you could trust from Windows Live other sites would be more likely to adopt them - because it’s easy to use Windows Live ID instead of running your own username and password system.
Is it because OpenID is, well, open?
CardSpace is the most open project Microsoft has ever done. The architect, Kim Cameron, has almost single-handedly changed the perception of Microsoft in the identity community, which isn’t bad for a company that was so roundly derided for Passport. The open nature of information cards “just isn’t up for discussion” Cameron said to me (before plunging into a discussion with senior VP Bob Muglia about why you can’t constrain the scope of identity to just in the cloud or just on the server or just on the Web or just on the desktop).
Is it because CardSpace 2 is going to be better than CardSpace 1? It will let you transfer information cards from one PC to another, and when you go back to a site you’ve used an information card with before, CardSpace 2 will show you the card you used last - which means that even if a phishing site accepts information cards to try and fool you, you’ll be able to tell (and the phishing site isn’t going to get the details out of your card so scammers can’t steal it). But Microsoft has adopted the first version of plenty of its own technologies even when there has been something new and better just around the corner. And issuing managed cards today, cards that have been verified and are backed by an identity provider, would be a huge step forward.
If it’s because Microsoft wants somebody else to issue managed cards because a supermarket or a post office or a government already has relationships with people and systems for handling information - or because they look like a more natural place to prove your identity because they can prove that you have a loyalty card or a post office box or a passport - then I’d say yes, but you can’t wait for that to happen. Once the first managed identity provider proves its value then banks and services that sell you certificates will join in, but you can’t keep on waiting for them to go first.
I wonder if it’s the legacy of Passport. Maybe the Live team wants to be extra sure they don’t rush out with an implementation that could have problems and create another Passport backlash. Or maybe they aren’t comfortable with the way that CardSpace takes the power of identity away from the provider and gives it back to the user; issuing managed information cards would be admitting once and for all that Microsoft is never going to own user identities in the way that Passport envisaged. Everyone I’ve met from the Windows Live team so far is smarter than that, which leaves me confused. Because it’s ludicrous that Microsoft has a far superior identity technology to OpenID that it’s getting ready to offer to businesses and it hasn’t even talked about how to bring it to everyday Web users who need it just as much.
-Mary
It
By Simon Bisson & Mary Branscombe in Editorial
Posted in Identity, Security, Google, Internet on
I find it easy to spot most of the phishing messages that hit my inbox, because there’s nearly always an egregious grammatical mistake in there somewhere. Real messages from banks may be full of logical errors (like a regular savings account with a headline rate of 7% that never tells you that actually it averages out nearer 4% because not all of the money gets to earn the high rate for the whole year), but the spelling is spot on.
And spammers are in such a hurry to put up the Web pages they want to earn ad money on, or use for drive-by downloads to increase the size of the botnet they use to send most of the spam from zombie machines, that they often make stupid mistakes. If you’re checking 100 messages a day in your junk mail filter for anything real that got in there by mistake, I’m not sure if it’s any comfort to remember that spammers are only human. But Google finds it useful.
According to Matt Cutts of Google at Web 2.0, Web spammers often use templates and tools to build their pages. And fairly often they follow the commented-out instruction to ‘type your hidden text in here’ - but never delete that instruction. The tools they use to fill in forms are simplistic too; the captcha you have to complete to leave a comment here is enough to defeat most of them - but so is a box labelled email address with the instruction not to fill it in. When the bot adds whatever email address it’s abusing, you know you can just delete the comment. Simple maths or the instruction to type in a specific word are beyond bots - at least until Jeff Hawkins perfects Hierarchical Temporal Memory.
If you have a site, you need to think of things that raise the blood pressure of the spammers without doing the same to your users. It’s like being chased by any dumb but dangerous pack animal, says Cutts; you only have to run faster than the slowest person you’re willing to sacrifice. If your system is a little different from the default installation of whatever you use, the default attacks are less likely to work and the spammers may move on to slower prey.
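The do-not-fill email box and the simple maths question described above can be sketched as a server-side check. This is an added example, not code from this blog or from Google; the field names (`email_address`, `answer`, `issued`, `token`), the one-hour limit and the HMAC-signed challenge are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions for this sketch: a per-process signing key and hypothetical field names.
SECRET = secrets.token_bytes(32)
HONEYPOT_FIELD = "email_address"   # the box visitors are told NOT to fill in
MAX_AGE = 3600                     # seconds a maths challenge stays valid


def _sign(answer: int, issued: int) -> bytes:
    """Bind the expected answer to the issue time without storing server state."""
    msg = f"{answer}:{issued}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest().encode()


def new_challenge(now=None) -> dict:
    """Build the question plus the hidden fields that go into the comment form."""
    issued = int(time.time() if now is None else now)
    a, b = secrets.randbelow(9) + 1, secrets.randbelow(9) + 1
    return {
        "question": f"What is {a} plus {b}?",
        "issued": str(issued),
        "token": _sign(a + b, issued).decode(),
    }


def check_comment(form: dict, now=None):
    """Return (accepted, reason) for a submitted comment form."""
    now = int(time.time() if now is None else now)

    # 1. Honeypot: form-filling bots put an address in any box labelled email.
    if form.get(HONEYPOT_FIELD, "").strip():
        return False, "honeypot-filled"

    # 2. Maths question: the answer must parse and match the signed challenge.
    try:
        issued = int(form.get("issued", ""))
        answer = int(form.get("answer", ""))
    except ValueError:
        return False, "bad-challenge-answer"
    if not 0 <= now - issued <= MAX_AGE:
        return False, "challenge-expired"
    if not hmac.compare_digest(_sign(answer, issued), form.get("token", "").encode()):
        return False, "wrong-answer"

    if not form.get("comment", "").strip():
        return False, "empty-comment"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample submissions: one human-like, one bot-like.
    ch = new_challenge()
    a, b = (int(w) for w in ch["question"].rstrip("?").split()[2::2])
    base = {"issued": ch["issued"], "token": ch["token"], "comment": "Nice post"}
    human = dict(base, answer=str(a + b), email_address="")
    bot = dict(base, answer=str(a + b), email_address="bot@example.invalid")
    print(check_comment(human))  # accepted
    print(check_comment(bot))    # rejected by the honeypot
```

A signed challenge can be replayed until it expires and has only a handful of possible answers, so this is the speed bump the post describes for default tooling rather than a barrier against a targeted bot.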
Apart from the obvious advice to patch, patch and patch again, Cutts didn’t say much more - because every time you tell spammers how you’re spotting them, they get a chance to stop doing that. A lot of what Google knows about spam comes from the analysis it does of real Web pages, which lets it work out what things go together. If you know that timepiece and chronometer are synonyms for watch, those strangely-worded Rolex spams are easier to stop. You can see this classification in Google Sets and it’s used in Google Spreadsheets. The equivalent of Excel AutoFill does more than days of the week and months of the year, without you having to add the lists by hand; start with red, yellow and blue and Google Sets will add other colours. Start with lion, tiger, bear and you get other animals.
But you might also get wood, tin and cotton. That’s because Google Sets can’t always tell the difference between the list of animal names and the list of animal toys on the Web sites it looks at. It will learn; like spammers it will learn more quickly if someone tells it what it’s got wrong. But at this point, we get into a race between whether the anti-spam tools can learn faster than the spammers
From security theatre to security cabaret, or why too much security is worse than none
By Simon Bisson & Mary Branscombe in Editorial
Posted in People, Business, Identity, Futures, Security on
Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week; flying is one of the safest forms of transport and if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.
Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account and copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.
The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.
Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).
Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.
- “IPv6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
- “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
- “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”.
ADFS 2.0 will issue info cards
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Enterprise, Identity, Networking, Internet, Microsoft on
On the Internet, nobody knows you’re a dog. You can put up a Facebook page, send spam, pretend to be a bank; as long as you can read distorted characters, you can leave comments on a blog under any name you choose (I’d like to see at least one Mickey Mouse commenting to this post). Passwords are well past their sell-by date but proving your identity securely matters more and more. Identity online covers everything from throwaway accounts on forums to online banking and no one system is ever going to ‘win’ - but they can learn to work together.
You can buy a hard drive from any vendor you like; as long as it fits in your PC and uses a standard interface, your operating system will take care of accessing the hardware and loading the drivers, leaving you to enjoy the storage space. The identity metasystem will do the same thing for user information, identity providers and sites that accept user details in the form of information cards. The terminology comes from Microsoft, the impetus comes from a wide range of customers and the technology comes from everybody from Oracle to Sun, IBM to Novell, the Liberty Alliance to the Higgins Project. Does it all work together yet? Not quite - but the Project Concordia interoperability workshop that opened the RSA conference today was a step forward.
Not least because for the first time Sun demonstrated an information card logon that used no Microsoft software at all; Sun’s Pat Patterson showed a system using OpenSSO v1 build 4 - which Sun will ship in the summer as Federated Access Manager 8.0, with an Oracle identity provider and Novell’s identity selector to deliver the same experience of logging in with an information card as a Vista user gets on the system using CardSpace.
Microsoft showed CardSpace sending SAML 1.1 and SAML2 tokens to a WS-Federation system. Ashish Jain of Ping Identity demonstrated a system using an information card from Sun to log into Gmail, running Vista in a virtual machine on a Mac talking to a Linux system. And systems from Ping, SymLabs, FuGen and Shibboleth talked to each other and to Sun, Oracle and Microsoft systems using WS-Federation and SAML, transferring not just the identity of the user from a managed information card provided by a trusted identity provider rather than one the user had created themselves but also information like whether the user had provided a password or a smartcard rather than just clicked on a link.
Who needs that heterogeneous a system? General Motors for a start, which is why Bob Haar, an IT architect at GM was chairing the workshop along with Microsoft’s Mike Jones and Eve Maler from Sun. Jones repeated what Microsoft is hearing from customers; “Some of the more interesting business discussions have been about risk. Certainly in the automotive industry, a decision has been made that there’s both at least cost savings and possibly minimisations of risk by going to federated authentication for collaboration with suppliers. Think about how many companies are involved in building a GM automobile or a Boeing airplane; it’s mind boggling.”
Haar explained that in a little more detail. “We think the federation gives us more control in real time to monitor and control access. There are legal and contractual aspects of setting up the business relationships and supporting for activities about auditing - if there’s a question about who changed this financial data or when it came through the federated environment, we have to have systems and procedures in place to make that happen.”
Sun’s demo didn’t use any Microsoft products at all and Patterson took something of a cheap shot by apologizing to Microsoft for that. Mike Jones smiled back and said actually, Sun had given him two of his three wishes. “I said three years ago we’ll know the metasystem is succeeding when interactions occur that use no Microsoft software, where Microsoft receives no revenue and Microsoft has no idea the interaction is taking place.” Today, the point is for the companies to be talking so they can make this all work. When it does all work, Sun wouldn’t need to tell Microsoft anything to have happy customers who could use CardSpace against a system that uses Oracle to issue identity information to connect through to another system that uses ADFS to do it. Assuming ADFS could issue and understand identity beyond Active Directory…
There isn’t a name for the next version of ADFS, or a shipping date, but Microsoft promises it will issue and consume information cards. This has gone in and out of the feature list for the next version of ADFS as shipping schedules and priorities shifted, but it’s back on the table, says Jones - and Visual Studio will get tools for working with identity. “We probably wouldn’t have gotten permission to show SAML2 token support in the next version of our identity server products if we were not going to put tools into deployers’ hands to easily build and consume these tokens. We get that until it’s easy for developers to do this, a lot won’t. We’re looking at federation and information cards not as separate things but as parts of a spectrum people can deploy as it makes sense for them.”
Standards are good, runs an old joke; that’s why we have so many of them. Whether it’s a proprietary approach that’s become popular enough to document or a philosophical difference in approaches, there’s hardly anything in technology that you can’t do in two completely incompatible ways by following different standards. What’s happening in identity is a remarkably grown-up approach to tackling a problem. When did you last see Microsoft, IBM, Sun, Novell and Oracle playing nice together without government interference? Instead of expecting to own the marketplace, all the major players are putting in the effort to get their systems working with each other and with the standards. Imagine if all the effort spent arguing about whether OOXML and ODF could both be ISO standards had gone into writing translators to move documents between the two.
But once it’s easy for a service to accept identity logons from a variety of information providers, what is the user experience going to look like? The test sites had buttons to log on with every combination of service and they exposed the debug information so you could see what was happening; real sites won’t have that. But they shouldn’t have umpteen buttons to choose which information provider I want to use either; that way madness and another set of chances to get me to do something insecure lie.
Every credit card I have has its own branding, and there are plenty of different card readers in shops, but they all have a slot I put the card into and a keypad where I type in the PIN. I don’t have to press a button saying I want to use a MasterCard or an Amex card before I start - I put in the card and the reader works it out, hides the process and asks me for the important thing, my PIN. Sites using identity should do the same thing. Don’t give me a button for OpenID or SAML or Ping or Oracle or whatever underlying identity system I’m going to use happens to be, and make me click it and then click again to pick an information card. Use the same identity selector I’m going to give you my information card in; that way your Web site doesn’t have to have five otherwise identical pages and CardSpace or the Higgins identity selector or whatever the experience is on my OS and browser can do the hard work. All I have to do is say yes, I do want to use this information card with this site and you can concentrate on building something that works better because you know who I am without either of us having to care about passwords.
Identifying who you trust to know where you are
By Simon Bisson & Mary Branscombe in Editorial
Posted in Privacy, Business, Enterprise, Identity, Futures, Internet, Security, Microsoft on
Way back when consumer digital maps were new, I went in to see the Dorling Kindersley World Atlas on DVD. We were looking at the California map and I wanted to see where the Apple headquarters were. I said ‘Cupertino’ and the helpful PR said ‘OK but I thought we could finish the demo and then have lunch’. We looked at each other blankly for a little while; they’d heard a rather curt ‘cup of tea now!’ rather than a place name.
Biometrics - it’s not the technology that’s broken
By Simon Bisson & Mary Branscombe in Editorial
Posted in Identity, Hardware, Security on
When we landed in Los Angeles this trip, I was relieved and disappointed at the same time. We’d been expecting the new ten-finger sensors instead of the left-index-right-index-photograph dance you currently do, but they weren’t installed yet. I’m keen to see these in action, and I don’t expect to be in Boston, Dulles or Atlanta any time soon (they’ll be in all US airports by the end of the year). The current scanners are optical - rather like a bar code scanner in a supermarket. That’s a little slow and could be fooled by a fake finger (unlikely as the TSA agent would spot it).
Scanning ten fingers is good for security - more chances of a match with fingerprints the FBI has found at crime scenes where you’re as likely to get a thumb print as anything else. And if it’s not going to take five times as long, it must be using an active technology like the AuthenTec scanner in my HP 2710p notebook - and I want to see how well it works in a heavy duty situation.
I like the HP scanner because I don’t have to remember passwords any more, so I can make them longer and harder to break. I wish HP would write a driver to let me use it for scrolling and I can’t wait until the promised update compensates for the way the screen moves a little as I scan my finger so I don’t have to brace it with my other hand any more. This is much more about convenience than security, and I think my fingerprints are safe enough in my PC. I’m less happy about government use of biometrics, because the government has a terrible record on data security and a dubious one on protecting privacy.
Motorola didn’t reassure me after they did a pilot for biometric visas for the UK, Austria, Luxembourg, Portugal and Spain and the UK.
Wherever I go, there I am wanting context
By Simon Bisson & Mary Branscombe in Editorial
Posted in Windows Mobile, Identity, Applications, Laptop, Wireless, Microsoft, Mobile, Apple on
My phone knows where I am, and when I flew to Geneva the other week it knew what time it was; the operator pushed a time signal and Windows Mobile 6 happily picked it up. It confused me when I took the phone out to change the time - but it also meant the appointment with the contact number for the taxi driver was up on screen where I needed it. I connected my PC to the Orange World Wi-Fi in the hotel (at the fifth time of asking; if you’re using a mix of numbers and letters as your username and password, please use a font that allows the user to distinguish 6 and G). My PC sat there stubbornly believing it was on UK time, even though it had a French IP number.
I’m not expecting every PC to have a GPS in, and it doesn’t need to. Never mind battery life, it’s useless inside anything bigger than a garden shed and even in a city canyon it’s impractical; it took my O2 XDA Stellar 15 minutes to get a GPS fix in Covent Garden this week. What I’m after is a utility that uses the location services like Spotigo, Aruba, Navizon, PlaceSite, Skyhook and all the rest that give you location based on your IP address/what wireless access points you can see and when it gets a location that’s different from the time zone Windows is set to, up pops a prompt asking if you want to change it. If you want to be all social networking about it, the utility could upload my location to services like Facebook - or preferably just my timezone, as I’m sure burglars read Facebook too. I could have a widget in the Sidebar showing who’s in the same timezone as me or get an alert if someone I know is in the next street.
I’ve used Navizon
Always scan an extra finger
By Simon Bisson & Mary Branscombe in Editorial
Posted in Christmas, Identity, Hardware, Laptop, Security on
I had to revert to typing in a password on my notebook the other day.
I usually brush my finger over the fingerprint scanner and as I let the security software store passwords and login details for as many sites as possible I don’t have to remember many passwords at all now. Roll on CardSpace - when I can store my details on an InfoCard and present that instead of typing in whatever random selection of information a site demands to let me download trial software or white papers, I shall feel a lot more productive.
I always scan at least two fingers when I set up a biometric system, because the software insists. I usually scan a thumb as well but with a minimum of three scans to do per finger and me in a hurry to try out a new system, that’s usually enough. Perhaps I won’t mention which fingers I usually scan, just in case, but I scan a thumb


