BPuhl’s Blog

A little bit of everything without actually being much of anything

Archive for March, 2009

Being Hacked is ok (if you’re paying for it)

Posted by BPuhl on March 27, 2009

There were many great speakers at TEC 2009 this year (and I was there too!), especially in the Federated Identity track. One of the things I found interesting was that, during one of the sessions, the speaker described many of the current non-federated authentication schemes that SaaS providers can use. The implementations may have varied slightly, but they often amounted to “Give us your user name and password, and we’ll authenticate you across some out-of-band channel.” Deploying this kind of service requires that extra channel for auth, sometimes a VPN connection, or an LDAP service that the provider can authenticate against…things like that.

A comment was made about the security risk that this poses; after all, it IS by definition a “man in the middle attack.” The next couple of minutes were spent blasting this type of ridiculous design (after all, this was the federation track), how horrible it was, and how people would never let this type of setup occur at their company.

Of course, that’s probably not true at all, is it? After all, every application outsourcing project I’ve worked on includes the “user SSO” line item, but nobody says what that has to be. And the corporate security risk analysis has to outweigh the hard-dollar cost savings that were driving the project to begin with, which is why I suspect that the typical CorpSec risk analysis always ends up somewhere in the billions of dollars with a picture of the company going down in flames. Yet even that’s not enough to stop the project from moving forward, because at the end of the day, IT departments are often not empowered to say “No, you can’t do that”…rather…we end up saying, “This sucks, but here’s the best that we can do to make it work.”

And that is why a man in the middle attack, even one with credential harvesting, is OK if the company is paying someone to do it (and saving real money in the process).

And it’s why now more than ever we need comprehensive federated authentication solutions, so we don’t have to get run over by these hacks.


Posted in ADFS, Digital Identity, Identity and Access, InfoCards, Random Technical Stuff, Rants

Microsoft Tag

Posted by BPuhl on March 27, 2009

This looks pretty cool!



Here’s the tag I created, which would bring you back to my blog if you scanned it with a tag reader app on your phone…


Posted in 21st Century, Random Technical Stuff, Randomness

EASI ID (pt 1.5)

Posted by BPuhl on March 26, 2009

Question for you

You’re Jon Smith, and you signed up for the TAA.COM (Totally Awesome App) application when you worked at Contoso; it was free and let you store all of your client data. You signed up with the user name JSmith@contoso.com. Good thing too, because when you quit working at Contoso years ago, you took your clients with you. Over the years, you have either never updated your login ID, or maybe the application won’t let you.

Now TAA.COM decides to break into the SaaS market by offering their totally awesome app to business customers, and Contoso signs up.  Who gets to have the JSmith@contoso.com user name, you (by virtue of being first), or Jerry Smith, the current JSmith@contoso.com who was hired after you left?

Even though Contoso has federated, single sign-on authentication – does it matter?

I guess another way to put this is: does an individual own the usage rights to their email address forever, or does the company own its namespace and all resources (i.e. names) within it? Worst case, what happens if Jerry signs in and sees Jon’s information?

Posted in ADFS, Digital Identity, Identity and Access, InfoCards, Random Technical Stuff

EASI ID’s (part 1)

Posted by BPuhl on March 26, 2009

When you log into a website that you use for personal stuff, for example with your Google or Windows Live ID, or even better, when you log into Facebook or Myspace, what do you use for a user name?

Intuitively I’ve known this for a while, but I have recently been having a ton of discussions about EASI logins, or Email As Sign In. This makes sense: when you register at a website, they ask you for your email address, and that’s what your “user name” becomes. Simple, easy to remember.

There are, of course, a couple of flavors to this. In the case of Facebook, for example, you must “verify” your email address. When you sign up, they send you an email, you click on it (proving that you have access to the email address), and then you get in. Of course, not all services require verification, and for those, you can enter any email address you like. Just ask Robert Schuler if he thinks verification is necessary when creating an online identity!

I just got back from TEC 2009, an excellent conference that I had the privilege of speaking at, where I always get into great conversations with a ton of incredibly smart folks. Since I’ve been on this “EASI/Online/Enterprise Identity Convergence” kick lately, and since I was surrounded by a bunch of identity management professionals, I asked whether anyone had experienced issues with using their work email address for EASI logins to personal websites. In general, the answers were either ‘No, because I’ve worked at the same company for years and consider my work email my “primary” address’ or ‘Yeah, and it was the biggest PITA and I hope to never have to do that again.’

The one answer that surprised me, though, was from one person who said that she’d worked at a company before where they had hired a new person, and they had actually provisioned this person a new account 3 weeks before he was scheduled to start, just so he’d have that new email address and could migrate all of his online service accounts to it. I’m honestly not entirely certain how this was a good idea, but alas, we are all IT folks and have to do what we’re told. Kind of crazy though.

More to come on EASI ID’s, and some of the quirks we’re seeing as more and more enterprise services are moved to the cloud.

Posted in Active Directory, ADFS, Digital Identity, Identity and Access, Random Technical Stuff

Funny Paperclip

Posted by BPuhl on March 26, 2009

From:  http://www.joethepeacock.com/2009/03/aww-cute-paperclip-is-bone-wait-wtf.php



Posted in Randomness

AD T-Shirt Idea

Posted by BPuhl on March 26, 2009

A couple of months ago, I was talking with one of our MIIS/ILM engineers about all of the thrash that we go through to support Exchange in our multi-forest environment. This quickly degenerated into some of the ridiculous things that we’ve seen various “domainPreps” and “forestPreps” do over the years, when he came out with a quote that I thought was just too good not to have on a T-Shirt.



Posted in Active Directory, Random Technical Stuff, Randomness

Law of Cosines in Life

Posted by BPuhl on March 3, 2009

I’m a pilot.  I’m fascinated by airplanes, helicopters, gliders, blimps, and anything else that flies.  When I’m not actually flying (which is too often), then I’m reading books or magazines about it.  It’s fun, and it’s my distraction from everything else.  In fact, I should be working on something else at this very moment, but flying is more interesting…and blogging is more interesting…and it’s 3am anyway, so what the heck right?

I remember reading an article in a magazine a few years ago, which I’ll credit to Barry Schiff in AOPA Pilot magazine, though I’m not 100% sure that’s accurate. The article was about the law of cosines (oh yeah, did I mention that I like math almost as much as flying?), and how, when it comes to planning a flight, the best distance between 2 points may not be a straight line.

For example:

Let’s take someone who wants to fly from point A to point B. Pilots know that it’s generally safer to have someplace to land at all times during the flight (just in case). So while it may be “better” to fly straight, how much would it cost to take a minor detour in your course to fly near an alternate airport? Graphically, it would look something like this:


The question he posed is, just how inefficient is it to take a detour? Even without doing any math, it’s pretty easy to draw a couple of things from the picture:
     1)  If the angle that you deviate from the straight line course is small, then the extra distance shouldn’t be much
     2)  If the angle that you deviate from the straight line course is large, then the total distance you fly will be larger

(everybody say “duh” now) 🙂

Just for example, though, let’s look at some real numbers. Let’s take a typical small-plane flight distance of 300 miles at an average speed of 120 mph, and figure out just how much further you’d have to go, and how long it would take, if you flew out at 10, 15, 20, and 30 degrees off course. We’ll also do the baseline of 0 degrees, or going straight from A to B.

Angle From Straight (deg)   Total Distance (miles)   Total Time (min)   % Increase
 0                          300                      150                 0%
10                          305                      152                 2%
15                          311                      155                 4%
20                          319                      160                 6%
30                          346                      173                15%

Huh… not nearly as big as you might have thought, is it?

For those who are really curious, remember that the cosine of the deviation angle is the adjacent side (in this case 150 miles, half the straight-line course) divided by the hypotenuse (one leg of the detour, which we want to find), so each leg is 150 / Cos(a). Since we’re simplifying things by having the two halves be equal, we can just use 300 / Cos(a) to get the total distance flown. Take the total distance flown, divided by 120 mph, to get the total hours (times 60 for minutes).
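As an added worked derivation (not part of the original post), here is how the law of cosines from the title reduces to the 300 / Cos(a) shortcut for this symmetric detour, with the 30 degree row of the table and the 86 mile off-course distance carried through. Assumed symbols: $d$ is the straight-line distance, $L$ is one leg of the detour, and $a$ is the deviation angle at both A and B.

With equal legs, the apex angle of the triangle is $180^\circ - 2a$, so the law of cosines gives

$$d^2 = L^2 + L^2 - 2L^2\cos(180^\circ - 2a) = 2L^2\bigl(1 + \cos 2a\bigr) = 4L^2\cos^2 a,$$

hence $L = \dfrac{d}{2\cos a} = \dfrac{150}{\cos a}$ and the total distance flown is $2L = \dfrac{300}{\cos a}$.

For $a = 30^\circ$:

$$2L = \frac{300}{\cos 30^\circ} = \frac{300}{0.866} \approx 346\ \text{mi}, \qquad t = \frac{346}{120} \times 60 \approx 173\ \text{min}, \qquad \frac{346 - 300}{300} \approx 15\%.$$

The farthest point off the straight-line course is the height of the triangle, from the apex down to the baseline:

$$h = 150 \tan 30^\circ \approx 86.6\ \text{mi}.$$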

Well holy cow! That was sure a lot of work to get to a point which doesn’t actually involve either math or flying.

What I realized, and try to occasionally remind myself, is that there are times in life when you have a goal, and you can see the straight path to get where you want to be. And then, “life happens”… Or, as some people describe it, you have to “take an unexpected detour”. These unexpected detours can seem frustrating, and make you feel like you’re completely “off track”, or “spinning your wheels”, or generally way off course from where you want to be going.

When that happens, I try to stop and remember… that just because you’re off track…even if you’re off track by what seems like a huge amount (30 degrees is a huge course change!), it doesn’t necessarily cause a huge change in how far you need to go to achieve your goals (or, in our pilot’s case, how long it takes to get there).

One last random note: when you’re at the furthest distance “off course”, just before you get to turn back towards your goals… If this were the plane that took a detour of 30 degrees (the max), how far away from his straight-line path would he get (the distance from the peak of the triangle back down to the straight-line course)? 86 miles! When you look at it that way, he’s nearly 90 miles “off course” at a point where the straight-line course would only have been 150 miles. That’s one heck of a detour, but when he turns back towards his objective, by the time he gets there it only added about 15%…

Maybe those detours in life aren’t that bad after all?

Posted in Babbling and Blabbering, Randomness, Travel