BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for the ‘Randomness’ Category

EASI ID (pt. 2)

Posted by BPuhl on August 7, 2009

Back in March, I posted EASI ID (pt 1.5), asking who owns the rights to resources within a namespace, specifically email addresses.  The reason was to stimulate some braincells about what could happen if users chose to protect personal content with a digital identity that they thought they owned, but which they later found out they didn’t (in this case their work email address).

Ariel Gordon, one of the rock stars on the Microsoft Identity Strategy team (along with Kim Cameron and others…), recently posted this comment:

Ariel Gordon said

August 7, 2009 at 2:34 pm

Contoso owns the domain and any identifier in its realm.
Email addresses bear a claim of employment. I.e. my @contoso.com address shows (with a certain level of certainty) that I work for Contoso. Using this address after I leave the company is akin to continuing to distribute business cards with the address on them.

Today, 99% of websites leverage email providers’ infrastructure for user authentication: you type your email address as a login, then create a password that can be reset/resent via email, effectively handing the keys to the account to anyone who controls the mailbox, including the new guy–Jerry Smith in your example.

Websites that implement authentication delegation (aka federation in the consumer sense of the term) could be informed by the IdP of user account deprovisioning and, as best practice, take action to close the account, prompt the user to create alternate credentials (if they have a fallback email address or phone #), etc.

Thoughts?
-Ariel.

I started to reply with a bit of the backstory in the comments, but figured I’d give this its own post, if for no other reason than (I think) it’s a fun look into some of the dynamics of digital identity…not to mention internal politics… So here is my response:

 

Hi Ariel!

Thanks for replying.  Yes, you’re correct, this is exactly what happens, and I agree with you.

The motivation for this post was a series of conversations that I was in with an internal group here at Microsoft, about who "owned" the @microsoft.com namespace for user identities.  Historically, the internal identity management team has owned corp.microsoft.com, but the actual microsoft.com namespace was owned by the team that supports the www.microsoft.com website.  However, way back when, somebody in the Live ID team also decided that the microsoft.com namespace was theirs (in the Live ID sense).

It turns out that today there are approx. 2.5 million Windows Live IDs in the @microsoft.com namespace.  Obviously we haven’t had that many employees.  But back in the day, there was a time when the Live ID team believed that @microsoft.com would be a good namespace for customers to use, similar to @hotmail.com or @live.com.  This isn’t really as crazy as it sounds, because it’s analogous to users creating a Yahoo ID in the @yahoo.com namespace.

However many years later though, as we enter the age of federation, the challenge is that Microsoft Corporation uses @microsoft.com as our corporate namespace.  In contrast, Yahoo Corporation uses @yahoo-inc.com for their corporate email addresses.  So Yahoo can choose to give @yahoo.com to their customers, whereas Microsoft had a conflict.

This was a fun debate at the time, and ultimately we came to the decision that @microsoft.com is our corporate identity.  The question, though, was what should happen to those 2.5 million user IDs.  Fortunately the Live ID team has a solution for this, and added a flag into the federation setup so that a company can choose to “evict on reserve” or “allow merge” any existing users when they federate.

Allow Merge means that anyone with an existing user account in a namespace that’s federated, will have the option of associating their existing WLID with their new federated ID.  In Live ID speak, it means they keep the same PUID.  The result is that you keep anything you had access to, but you do so with your new corporate-account-backed, federated Live ID rather than your older, separate username/pw WLID.

Evict on reserve is just what it sounds like, where any user accounts which exist in a namespace when it’s reserved, will be moved into a “forced rename” state.  This means that the next time the user logs on with their separate user name and password, they will be forced to change their user name (keeping the same account/PUID) to a different email address, one which is hopefully their personal address.

For Microsoft employees, we chose evict-on-reserve, and are in the process of working through the details of implementation.  Our thinking behind this is that even though they are in the @microsoft.com namespace, any existing accounts are all “personal use” accounts.  Therefore, we should protect the personal data, and have a user rename their account to a personal account.  When a user logs in with their “new” federated @microsoft.com account, they will be doing “business” work with an account that is backed by their corporate credentials (and which goes away when their employment ends).  And yes, we’re working with the Live ID team to get some controls put in place for companies that federate, so that they can limit where corporate-backed WLIDs are used.

So that’s where we’re at.  Hopefully this gives other folks who are federating something to think about as well, as they integrate with service providers such as Live ID.

I’d love to hear what you, or anyone else thinks about these fun, “moving to the cloud” challenges!

~Brian
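As an added illustration (not Live ID’s code, nor anything Microsoft shipped), here is a small model of what the two flags described above do to accounts that already exist in a namespace when it is reserved: under allow-merge the legacy account keeps its PUID and becomes the federated one, under evict-on-reserve the legacy account keeps its PUID but must be renamed out of every reserved namespace before it can be used again, and the federated login gets a fresh identity. The Account and Directory types, the policy names and the integer PUIDs are assumptions made for this example.

```python
"""Model of the two namespace-reservation policies described above. Added
illustration, not Live ID code: the Account/Directory types, policy names and
integer PUIDs are constructed for this example."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

EVICT_ON_RESERVE = "evict_on_reserve"
ALLOW_MERGE = "allow_merge"

@dataclass
class Account:
    puid: int                    # stable account id; survives merge and rename
    login: str                   # email-shaped user name
    force_rename: bool = False   # set by evict-on-reserve, cleared on rename

def domain_of(login: str) -> str:
    return login.split("@", 1)[1].lower()

@dataclass
class Directory:
    legacy: Dict[str, Account] = field(default_factory=dict)     # username/password accounts
    federated: Dict[str, Account] = field(default_factory=dict)  # corporate-IdP-backed accounts
    reserved: Dict[str, str] = field(default_factory=dict)       # domain -> policy
    next_puid: int = 1000                                        # stand-in PUID allocator

    def reserve_namespace(self, domain: str, policy: str) -> List[str]:
        """Reserve a domain for federation; returns the legacy logins affected."""
        if policy not in (EVICT_ON_RESERVE, ALLOW_MERGE):
            raise ValueError(f"unknown policy {policy!r}")
        self.reserved[domain.lower()] = policy
        hits = [a for a in self.legacy.values() if domain_of(a.login) == domain.lower()]
        for acct in hits:
            acct.force_rename = policy == EVICT_ON_RESERVE
        return [a.login for a in hits]

    def password_login(self, login: str, new_login: Optional[str] = None) -> Account:
        """Legacy login; an evicted account must first be renamed to an address
        outside every reserved namespace (ideally the user's personal one)."""
        acct = self.legacy[login]
        if not acct.force_rename:
            return acct
        if new_login is None:
            raise PermissionError("account must be renamed before use")
        if domain_of(new_login) in self.reserved or new_login in self.legacy:
            raise ValueError("new login must be unreserved and unused")
        del self.legacy[login]
        acct.login, acct.force_rename = new_login, False   # same PUID, new name
        self.legacy[new_login] = acct
        return acct

    def federated_login(self, login: str) -> Account:
        """Login asserted by the corporate IdP for a reserved domain."""
        policy = self.reserved.get(domain_of(login))
        if policy is None:
            raise PermissionError("domain is not federated")
        if login in self.federated:
            return self.federated[login]
        if login in self.legacy and policy == ALLOW_MERGE:
            acct = self.legacy.pop(login)   # keeps its PUID and everything it owned
        else:                               # evict-on-reserve, or no legacy account
            acct = Account(self.next_puid, login)
            self.next_puid += 1
        self.federated[login] = acct
        return acct
```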

Posted in ADFS, Digital Identity, Randomness | 1 Comment »

Enabling RSAT tools in Win7

Posted by BPuhl on August 6, 2009

Does anyone else think it’s odd that you have to go through and click every one of these darn little boxes to enable all of the RSAT tools?  Odd defaults…

[image: rsat]

Posted in Randomness, Rants, Win 7 | 2 Comments »

Facebook is going to allow user names on June 12th

Posted by BPuhl on June 10, 2009

If you use Facebook, you might notice a box when you log in that says beginning June 12th, Facebook will allow registration of user names.  If you “click here” to have them send more info, you’ll receive this in your registered email inbox:

Starting on Friday, June 12th, at 9:01pm, you’ll be able to choose a username for your Facebook account to easily direct friends, family, and coworkers to your profile.

To select your username, visit the link below after 9:01pm on June 12th:

http://www.facebook.com/username/

To learn more about usernames, visit the Help Center:

http://www.facebook.com/help.php?page=896

Thanks,

The Facebook Team

 

So what does this mean?  Well, for one thing, it means that if you’ve got a common name – or – if you’re like me, and you KNOW that there’s someone else on Facebook with the same name (since he and I are actually friends on Facebook), then it means that you want to “claim” your user name as soon as the application opens.

I did see an interesting article here http://www.huffingtonpost.com/jonathan-handel/trademark-protection-and_b_213756.html about trademark registrations and how Facebook intends to handle squatters.  So don’t bother trying to register facebook.com/McDonalds, you won’t have it for long if you do.

I like the very last part of that article though.  There is already a recommendation for what to do, if somebody maliciously claims not only your trademark, but also fills out the forms sufficiently such that you (the legitimate owner of the trademark) actually can’t use the automation to claim it back.

Oh how much fun Identity Management can be :)

Posted in Babbling and Blabbering, Digital Identity, Friends and family, Identity and Access, Random Tecnical Stuff, Randomness | Leave a Comment »

Collection agencies….

Posted by BPuhl on April 10, 2009

I have had a few discussions recently at work about ways to make things more convenient.  Either convenient for our users (cloud services), convenient for our customers (single sign on), etc… 

But a one-two punch hit me, when I just had 2 close friends – both of whom have been impacted by the financial mess – have their identity attacked because something that had built in security controls (checks) was made to be more convenient (by phone), and in the process all of the controls were removed so my friends were vulnerable.

Really, I call it fraud, or identity theft, or just plain robbery…  But in both cases, the banks say that there are no laws against this:

My friend lost her job, and fell behind on payments.  She owed $1100 for this months rent, $4400 to a creditor that by this point had gone to a collection agency, and some other bills (credit cards, gas, electricity, etc…).  Through creative budgeting and working with parents, friends, and anyone else, she scraped together $5000 that she could use. 

With the new money available, she came up with the following plan:

   $1100 for rent
   $900 for the other bills
   $500 to the collection agency
   The rest to be used for the following month’s rent, payments, etc…

She called the collection agency, and agreed to pay them $500 now, and then set up a payment plan for the rest of the money.  That’s where the first mistake happened:  They wanted the payment as a “check by phone”.  So she voided a check, gave them the info, etc…

The collection agency first attempted to clear the check for the full $4400.  Because the money was in the account, the check cleared – of course, this meant that she couldn’t pay any of the other bills, or her rent, etc…  And she had already tapped out her friends, parents, etc…

You can imagine that the calls to the collection agency were like:  “Sorry, sucks to be you – we’ve got our money now”

The bank was equally useless:  “You gave them a check by phone, the money was in the account, they cleared it…Sucks to be you”

This was just completely ridiculous, but it shows that in the absence of standards or protocols, there is no shortage of people that will offer things for the sake of “convenience” which blow the hell out of “security”.  If you have to write a check and sign it, then you fill in the amount, etc…  modification of that is check fraud.  But those security controls went out the window when banks allowed people to do “checks by phone”, and there is absolutely nothing to prevent unscrupulous people from raping your bank account if you give them the information.

The second case is similar, but with a slight twist:

My friend has slowly but surely been paying off debts that were racked up over a period of time, and has been working through one of those debt consolidation management companies.  Since she wasn’t getting the resolution that she needed from the company, she took back the money that was in their escrow account and started working with the collection agency independently.

On the first phone call, she had a $7,000 debt and worked with the agency to negotiate down to where they would accept $4300.  Seems like a good deal, so again, check by phone for $4300.

A couple of days later, she received a notice from the collection agency, indicating that they “Had an agreement for an initial payment of $4300”.  In other words, the deal they made on the phone was a lie, instead of negotiating the total, they just wanted an initial payment and were going to keep going after her for the remaining balance.

Ahhh…but the check by phone hadn’t cleared yet.

So a quick call to the bank, a $28.00 stop payment charge, and there was a stop-payment for that check before it cleared.

Good right?

Not so much.  2 days later, $4300 was withdrawn from the account anyway, by check #1001 (not the check number she gave them).  A long, convoluted, multi-transfer call back with the bank this time, and they could see where the initial check number had attempted to clear, been rejected (the stop payment), and then the company had re-submitted another check by phone with the different check number and got the money.

After several days of arguing, it’s still unclear whether the bank is going to say “Sorry, sux to be you” or if they are actually going to help.  I’m not holding my breath.

So again, the safety features around checks – being numbered, signed, amounts written (twice) – are all placed into the trusting hands of the least trustworthy person (the merchant that wants your money), and there is remarkably little recourse.  I suppose you could go get a lawyer, etc…  But during that time the money is gone, life still needs to be lived, and a lawyer is going to take 30% of whatever you get back anyway (or some amount of payment)…

All for the sake of convenience (to whom?)

There are better ways, one of which I really like.  I’ve had a credit card with CitiBank since college.  And many years ago, they came up with this idea of virtual account numbers for your credit card.  You can go to their website (or they have a downloadable application), and if you want to make a purchase, you can get a one-time use credit card number (with expiration and CVC) for that one purchase.  I haven’t used it in a while, but IIRC you can even specify the amount of the purchase you’re going to make (which is really the protection).  This is great, because the security of a credit card is handing the piece of plastic with the signature on the back to the person behind the register.  With online purchases, you can’t do that, so instead lets take the things which you can control (amount of purchase, usefulness of the number after it’s been used properly) and control those instead.  Reasonable mitigations.

This is the type of control that we’re going to need if we want to protect our resources in a more “convenient” (read: Online) world.

Posted in ADFS, Digital Identity, Friends and family, Identity and Access, Randomness, Rants | 3 Comments »

TEC 2009 Wook Lee Memorial Challenge

Posted by BPuhl on April 9, 2009

At The Experts Conference in Las Vegas this year, Stuart threw out the challenge to the DS MVPs to come up with their list of changes they would like to see in Active Directory, but put it to the tune of an Elvis song.  After a midnight (mildly inebriated) recording session, and some fancy editing by the Quest Software production staff, here’s the result!

 

Posted in Active Directory, Identity and Access, Random Tecnical Stuff, Randomness | Leave a Comment »

Microsoft Tag

Posted by BPuhl on March 27, 2009

This looks pretty cool!

http://www.microsoft.com/tag/

 

Here’s the tag I created, which would bring you back to my blog if you scanned it with a tag reader app on your phone…

[image: blog_tag]

Posted in 21st Century, Random Tecnical Stuff, Randomness | Leave a Comment »

Funny Paperclip

Posted by BPuhl on March 26, 2009

Posted in Randomness | Leave a Comment »

AD T-Shirt Idea

Posted by BPuhl on March 26, 2009

A couple of months ago, I was talking with one of our MIIS/ILM engineers about all of the thrash that we go through to support Exchange in our multi-forest environment.  This quickly degenerated down to some of the ridiculous things that we’ve seen various “domainPreps” and “forestPreps” do over the years, when he comes out with a quote that I thought was just too good not to have on a T-Shirt. 

 

[images: t-front, t-back]

Posted in Active Directory, Random Tecnical Stuff, Randomness | 8 Comments »

Law of Cosines in Life

Posted by BPuhl on March 3, 2009

I’m a pilot.  I’m fascinated by airplanes, helicopters, gliders, blimps, and anything else that flies.  When I’m not actually flying (which is too often), then I’m reading books or magazines about it.  It’s fun, and it’s my distraction from everything else.  In fact, I should be working on something else at this very moment, but flying is more interesting…and blogging is more interesting…and it’s 3am anyway, so what the heck right?

I remember reading an article in a magazine a few years ago, which I’ll credit to Barry Schiff in AOPA Pilot magazine, though I’m not 100% sure that’s accurate.  The article was about the law of cosines (oh yeah, did I mention that I like math almost as much as flying?), and how when it comes to planning a flight, the best distance between 2 points may not be a straight line.

For example:

Let’s take someone who wants to fly from point A to point B.  Pilots know that it’s generally safer to have someplace to land at all times during the flight (just in case).  So although it may be “better” to fly straight, how much would it cost to take a minor detour in your course to fly near an alternate airport?  Graphically, it would look something like this:

[image: flightpath]

The question he posed is, just how inefficient is it to take a detour? Even without doing any math, it’s pretty easy to draw a couple of things from the picture:
   1)  If the angle that you deviate from the straight line course is small, then the extra distance shouldn’t be much
   2)  If the angle that you deviate from the straight line course is large, then the total distance you fly will be larger

(everybody say “duh” now) :)

Just for examples though, let’s look at some real numbers.  Let’s take this typical small plane flight distance of 300 miles at an average speed of 120mph.  And let’s figure out just how much further you’d have to go, and how long it would take, if you flew out at 10, 15, 20, and 30 degrees off course.  We’ll also do the baseline, of 0 degrees, or going straight from A to B.

Angle from straight (deg)   Total distance (miles)   Total time (min)   % increase
 0                          300                      150                  0%
10                          305                      152                  2%
15                          311                      155                  4%
20                          319                      160                  6%
30                          346                      173                 15%
 
Huh…  not nearly as big as what you might have thought?

For those that are really curious, remember that the cosine of an angle is the adjacent side (in this case 150 miles, half the straight-line distance) divided by the hypotenuse (the leg we want to find), so each leg is 150 / Cos(a).  Since we’re simplifying things by having the two halves be equal, we can just use 300 / Cos(a) to get the total distance flown.  Take the total distance flown, divided by 120 mph, to get the total hours (times 60 for minutes).
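For the curious, here is the same computation as an added example (not from the article), generalised with the law of cosines so the turn-back point can sit anywhere along the A-to-B line rather than only at the midpoint; the function names and the `fraction` parameter are mine.

```python
"""Detour penalty for a flight from A to B via a waypoint off the direct course.

Added example, not from the article: generalises the symmetric 300 / cos(a)
case by letting the waypoint sit at any fraction of the A-B leg, and closes
the triangle with the law of cosines."""
import math

def detour(distance_mi: float, angle_deg: float, speed_mph: float = 120.0,
           fraction: float = 0.5) -> dict:
    """Leg 1 leaves A `angle_deg` off the direct course and turns back over a
    point `fraction` of the way along the A-B line; leg 2 closes the triangle.
    fraction=0.5 reproduces the article's table exactly."""
    if not 0 < fraction < 1 or not 0 <= angle_deg < 90:
        raise ValueError("fraction must be in (0,1) and angle in [0,90) degrees")
    a = math.radians(angle_deg)
    leg1 = fraction * distance_mi / math.cos(a)   # hypotenuse of the first right triangle
    # Law of cosines: leg2^2 = leg1^2 + AB^2 - 2 * leg1 * AB * cos(angle at A)
    leg2 = math.sqrt(leg1 ** 2 + distance_mi ** 2 - 2 * leg1 * distance_mi * math.cos(a))
    total = leg1 + leg2
    return {
        "total_miles": total,
        "total_minutes": total / speed_mph * 60,
        "pct_increase": (total / distance_mi - 1) * 100,
        # height of the triangle's peak above the straight-line course
        "max_off_course_miles": fraction * distance_mi * math.tan(a),
    }

def detour_table(distance_mi: float = 300.0, speed_mph: float = 120.0,
                 angles=(0, 10, 15, 20, 30), fraction: float = 0.5):
    """Rows of (angle, miles, minutes, % increase), rounded like the article."""
    rows = []
    for ang in angles:
        r = detour(distance_mi, ang, speed_mph, fraction)
        rows.append((ang, round(r["total_miles"]), round(r["total_minutes"]),
                     round(r["pct_increase"])))
    return rows

if __name__ == "__main__":
    for row in detour_table():
        print("%3d deg  %4d mi  %4d min  %3d%%" % row)
    print("furthest off course at 30 deg: %.1f miles"
          % detour(300, 30)["max_off_course_miles"])
```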

 
Well holy cow!  That was sure a lot of work to get to a point which doesn’t actually involve either math, or flying.
 
What I realized, and try to occasionally remind myself, is that there are times in life when you have a goal, and you can see the straight path to get where you want to be.  And then, “life happens”…  Or as some people may describe, you have to “take an unexpected detour”.  These unexpected detours can seem frustrating, and make you feel like you’re completely “off track”, or “spinning your wheels”, or generally way off course from where you want to be going.
 
When that happens, I try to stop and remember…  that just because you’re off track…even if you’re off track by what seems like a huge amount (30 degrees is a huge course change!) – It doesn’t necessarily cause a huge change in how far you need to go to achieve your goals (or in our pilots case, how long it takes to get there)
 
One last random note:  When you’re at the furthest distance “off course”, just before you get to turn back towards your goals…  If this were the plane that took a detour of 30 degrees (the max), how far away from his straight line path would he get (the distance from the peak of the triangle back down to the straight line course)?  86 miles!  When you look at it that way, he’s nearly 90 miles “off course” when he only should have gone 150 miles total.  That’s one heck of a detour, but when he turns back towards his objective, by the time he gets there it only added about 15%…
 
Maybe those detours in life aren’t that bad after all?

Posted in Babbling and Blabbering, Randomness, Travel | 3 Comments »

3-D as an Afterthought

Posted by BPuhl on February 22, 2009

So it’s really tough to find something that can be moderately entertaining to a 16 year old, appropriate for the 4 year old, and not bore the snot out of the adults.  So far the options have pretty much limited themselves to bowling, or Pixar movies. 

Took a chance this afternoon, and we all loaded up to go see Coraline in 2-D.  This isn’t really a movie review, because seriously – Coraline?  But hey, it had a chance.

What is interesting though, is the current rash of 3-D movies that are coming out again.  In this case, we had the option of seeing “Coraline in 3D”, or just regular 2D.  Well, we thought we had the option, but the 3D version had started 10 minutes earlier and the 2D version started in half an hour, so 2D it was.

Sitting there though, it was obvious that this wasn’t a movie that was built around 3D.  Instead, it was a 2D movie with a couple of gratuitous scenes where they very obviously (even in 2D) drew in extra bits and pieces that would pop out of the screen in the 3D version.

I guess I’m just used to 3D in the “intentional” kind of way.  Usually when it’s been a trip to Disneyland, or someplace similar – starting way back when with Captain E-O, and more recently with the Bugs Life and similar movies that were actually made to be shown 3D.

Like I said, I didn’t really have huge expectations for the movie to begin with.  But it’s annoying when it’s so ridiculously obvious that they made the movie, and then after the fact, the marketing department told the artists to go back in and add some bugs popping out so they could market it in multiple dimensions.

Posted in Randomness, Rants | 2 Comments »