Wednesday, February 7, 2007
Microsoft to Support OpenID. SAN FRANCISCO: Microsoft Chairman Bill Gates today said his company would throw its support behind "OpenID," an open-source, distributed identity management system that seeks to give computer users a more secure way to manage their online credentials.

"Everywhere you go on the Web there are issues about reputation and trust," Gates said in the keynote address this morning at the RSA Security conference here. "Some blog environments want anonymous people to [be able to] say anything, and in other environments, they want you to represent some credentials about who you are. And that's just not going to scale with the kind of password thing we have today."

In a (very simplified) example, OpenID works like this: the key to your online identity is a Web address, such as http://myblog.someplace.com. You pick one of several OpenID providers -- such as Vox, OpenID, Verisign or LiveJournal (OpenID is the brainchild of LiveJournal founder Brad Fitzpatrick) -- to be the trusted host for your identity credentials. When you visit a site that has implemented OpenID, you're asked to enter your personal Web address, which you've configured to query your identity credentials stored at your chosen OpenID provider, which in turn will ask you to log in using whatever credentials it requires. A couple of other blogs have more coherent and complete explanations of how OpenID is supposed to work.

OpenID is most often cited as a way to help Internet users navigate the zillions of blogs and other Web 2.0 applications that require users to sign up and manage different usernames and passwords. Some advocates say it also has the potential to help users guard against phishing scams and related forms of online fraud, but others say the whole system is likely to be a boon for phishers and online scam artists everywhere.

Gates said Microsoft would support OpenID 2.0 in conjunction with CardSpace, a feature similar in nature to OpenID that is built into Windows Vista. CardSpace seeks to make managing digital identities easier and safer by replacing usernames and passwords as the means of identifying oneself on the Web.

Microsoft's acceptance of an open standard is being cautiously praised by many technologists in the blogosphere, who see the software giant's participation as key to fixing the more complex problems with online identity management and authentication. Microsoft has tried to control the online ID space in the past with programs like MSN Passport, which largely failed to gain traction beyond Microsoft's own online properties. Single sign-on programs also have been touted by Yahoo! and Google.

Bruce Schneier, a cryptography expert and chief technology officer for online security provider BT Counterpane, greeted Microsoft's announcement with reservation, saying Microsoft has a long history of "supporting and then co-opting" open standards. "They tried to get their own system working, and I think it's telling that they are now supporting an open system," said Schneier, who's giving a talk at RSA later today on what he calls "the psychology of security." "In some ways it's worrisome, but I'm reasonably confident in the Web 2.0 world that the distributed control of OpenID is strong enough, that it's not Microsoft-driven," he said. [Security Fix]
1:51:02 PM
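The flow the Security Fix post sketches, carried through with both sides' messages, as an added example that is not from Security Fix or from the OpenID project: the relying party (the site you log in to) normalizes the Web address the user typed, discovers the provider from the openid2.provider link on that page, redirects the user to the provider with a checkid_setup request, and then verifies the signed id_res that the provider redirects back. The host names, the identifier page and the RP's return URL are constructed fixtures; the association step, in which RP and provider agree on an HMAC key (normally over Diffie-Hellman), is stood in for by a shared random key, and discovery is a fixed-attribute-order regex rather than full Yadis/XRDS handling.

```python
import base64, hashlib, hmac, re, secrets, time
from urllib.parse import parse_qs, urlencode, urlparse

OPENID_NS = "http://specs.openid.net/auth/2.0"
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}

# Constructed fixtures: hypothetical hosts and pages, not taken from the post.
IDENTIFIER_PAGE_HTML = """<html><head>
<link rel="openid2.provider" href="https://op.example.net/server">
<link rel="openid2.local_id" href="http://myblog.someplace.com/">
</head><body>my blog</body></html>"""
RP_RETURN_TO = "https://rp.example.org/openid/return"
RP_REALM = "https://rp.example.org/"


def normalize_identifier(user_input: str) -> str:
    # What the user typed becomes a URL identifier: scheme added, host lowercased.
    s = user_input.strip()
    if not s.startswith(("http://", "https://")):
        s = "http://" + s
    u = urlparse(s)
    return f"{u.scheme}://{u.netloc.lower()}{u.path or '/'}"


def discover(identifier_page_html: str) -> dict:
    # HTML-based discovery (simplified: fixed attribute order, no Yadis/XRDS).
    links = dict(re.findall(r'<link rel="(openid2\.[a-z_]+)" href="([^"]+)"', identifier_page_html))
    if "openid2.provider" not in links:
        raise ValueError("identifier page names no openid2.provider")
    return {"op_endpoint": links["openid2.provider"], "local_id": links.get("openid2.local_id")}


def sign(mac_key: bytes, params: dict, signed: list) -> str:
    # base64(HMAC-SHA256) over the key-value form of the signed fields, in order.
    kv = "".join(f"{k}:{params['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()


def build_checkid_setup(op_endpoint, claimed_id, local_id, assoc_handle) -> str:
    # RP -> OP: the redirect that sends the user to log in at the provider.
    params = {"openid.ns": OPENID_NS, "openid.mode": "checkid_setup",
              "openid.claimed_id": claimed_id, "openid.identity": local_id or claimed_id,
              "openid.return_to": RP_RETURN_TO, "openid.realm": RP_REALM,
              "openid.assoc_handle": assoc_handle}
    return op_endpoint + "?" + urlencode(params)


def op_positive_assertion(request_url, op_endpoint, mac_key, assoc_handle) -> str:
    # OP -> RP: after the user has logged in, redirect back with a signed id_res.
    q = {k: v[0] for k, v in parse_qs(urlparse(request_url).query).items()}
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    resp = {"openid.ns": OPENID_NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
            "openid.claimed_id": q["openid.claimed_id"], "openid.identity": q["openid.identity"],
            "openid.return_to": q["openid.return_to"], "openid.response_nonce": nonce,
            "openid.assoc_handle": assoc_handle}
    signed = ["op_endpoint", "claimed_id", "identity", "return_to", "response_nonce", "assoc_handle"]
    resp["openid.signed"] = ",".join(signed)
    resp["openid.sig"] = sign(mac_key, resp, signed)
    return q["openid.return_to"] + "?" + urlencode(resp)


def rp_verify(response_url, discovered, mac_key, assoc_handle, seen_nonces):
    # RP checks the assertion; returns (True, claimed_id) or (False, reason).
    p = {k: v[0] for k, v in parse_qs(urlparse(response_url).query, keep_blank_values=True).items()}
    if p.get("openid.mode") != "id_res":
        return False, "not a positive assertion"
    if p.get("openid.return_to") != RP_RETURN_TO:
        return False, "return_to is not the one we sent"
    if p.get("openid.op_endpoint") != discovered["op_endpoint"]:
        return False, "assertion is not from the OP found by discovery"
    signed = p.get("openid.signed", "").split(",")
    if not REQUIRED_SIGNED.issubset(signed) or "claimed_id" not in signed:
        return False, "required fields are not covered by the signature"
    if any("openid." + k not in p for k in signed):
        return False, "a signed field is missing"
    if not hmac.compare_digest(sign(mac_key, p, signed).encode(), p.get("openid.sig", "").encode()):
        return False, "bad signature"
    if p["openid.response_nonce"] in seen_nonces:
        return False, "replayed response_nonce"
    seen_nonces.add(p["openid.response_nonce"])
    return True, p["openid.claimed_id"]


def run_exchange(tamper_claimed_id=None):
    # Drive one login end to end; optionally rewrite claimed_id in the OP's reply.
    claimed_id = normalize_identifier("myblog.someplace.com")
    disc = discover(IDENTIFIER_PAGE_HTML)
    mac_key, handle = secrets.token_bytes(32), "assoc-" + secrets.token_hex(4)  # stands in for association
    req = build_checkid_setup(disc["op_endpoint"], claimed_id, disc["local_id"], handle)
    resp = op_positive_assertion(req, disc["op_endpoint"], mac_key, handle)
    if tamper_claimed_id:
        resp = resp.replace(urlencode({"openid.claimed_id": claimed_id}),
                            urlencode({"openid.claimed_id": tamper_claimed_id}))
    return rp_verify(resp, disc, mac_key, handle, set())


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper_claimed_id="http://victim.someplace.com/"))
```

Run as a script, it first prints the accepted claimed identity and then the rejection when claimed_id is altered between the provider and the relying party. The checks in rp_verify are what keep the protocol honest: the signature binds the claimed identity, the return address and the nonce to the association key, so nobody without that key can forge an assertion or replay one; the op_endpoint comparison against discovery stops an unrelated provider from asserting someone else's identifier. None of this addresses the phishing worry the post reports, though: the relying party chooses where to redirect the user, so a malicious site can send people to a look-alike provider login page, and no check on the relying party's side can detect that.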
Hollywood on the Hill: Time to Bury the Broadcast Flag?
Hollywood is in full force today on Capitol Hill, hosting "The Business of Show Business Industry Symposium" with stars such as Sex, Lies & Videotape director Steven Soderbergh and An Officer and a Gentleman director Taylor Hackford talking about how central copyright is to the business of movie making.

We don't disagree with that notion, of course, but what we don't usually agree with Hollywood about is the means by, and the degree to which, government should protect those copyrights. Over the past five years, Hollywood and the recording industry have pushed numerous proposals in Congress, and they have tended to fall into several categories: 1) government technology mandates like the broadcast flag; 2) expanding secondary copyright liability (like the "Induce Act"); 3) expanding the permissions culture (e.g., licensing temporary or buffer copies); and 4) increasing punishment for copyright infringement that falls just short of death by hanging. The good news is that most of these efforts have failed. The bad news is that with a Democratic-controlled Congress and one year until a Presidential election, you can bet your mortgage that they will be pushing these, and other initiatives, hard in 2007.

But as time goes on and the public's (and the content industry's) use of technology and digital media change, it becomes harder and harder to make the case for these proposals. Take, for example, our favorite technology mandate, the broadcast flag. For those newcomers to this blog, the FCC's 2003 broadcast flag rules would have given the government the power to dictate technological design, and as a result, limit lawful uses of digital technology. The rules would have required FCC pre-approval for every technology that could demodulate a digital TV signal, as well as for those technologies (like Digital Video Recorders or even cellphones) that are "downstream" from digital TV devices. Public Knowledge brought a court challenge on behalf of itself and eight other public interest, library and cyberliberties organizations, and in May 2005 a federal appeals court struck down the rules. Hollywood has been trying to get Congress to reinstate it ever since.

Even assuming that there was ever a rationale for the broadcast flag, does it exist anymore? And would such a rule even be in the best interests of the content industries? Let's take a look: (read more) [Public Knowledge - Policy Blog]
1:43:44 PM
When Security Companies Fail. SAN FRANCISCO: Security Fix has long pontificated on the necessity of Microsoft Windows users setting up their machines to run under "limited user" accounts. It is considered a fairly effective method for warding off spyware and virus infections on your average Windows PC.
[Photo caption: Irony knows no bounds ... less-than-secure kiosks at the RSA Security Conference. (Brian Krebs)]
The advice is not some "secret sauce" that Security Fix dreamed up. It is well known that running Windows under a user account that does not have the right to install software by default is a key safeguard for fortifying Windows machines.
So it came as a great surprise to me to discover a security gaffe at the RSA Security conference here -- one of the premier computer security conferences in the industry. The kiosks of Microsoft Windows XP machines set up as a way for attendees to freely access e-mail from the conference floor were running under the all-powerful "administrator" account. In short, anyone could have used the terminals to download a free software program that records every keystroke typed on the terminals. That record would be extremely useful for spying on the Internet communications of executives at some of the most recognizable computer security firms in the industry.
I spent about 20 minutes watching the activity at these booths, as executives checked their e-mail messages there or logged on to their PCs remotely. Had I spent a bit more than 10 seconds at the terminals, I could have downloaded software that would let me steal user names and passwords from some of the more important companies in the information security community.
It certainly is somewhat crazy that these security practices occur at a respected security conference. But it is also revealing that so many security professionals find it acceptable to access their personal data on unfamiliar public terminals without conducting even rudimentary checks on the host system's integrity. [Security Fix]
1:35:08 PM
Apple Offers to Sell DRM-Free Music. The Net is buzzing with talk about the open letter posted by Apple CEO Steve Jobs yesterday. In an apparent reversal, Jobs offers to sell MP3 files, free of anti-copying DRM technology, on the iTunes Music Store if the major record companies allow it.
Much as I would like to see Apple renounce DRM entirely, that's not quite what Jobs is saying. The letter describes three possible futures for Apple's music technology: (1) continue the current path with a closed Apple-only DRM system; (2) license Apple's DRM technology to other companies to build compatible systems; and (3) sell DRM-free music.
Apple's preferred outcome, Jobs says, is outcome (3), selling DRM-free music. This is notable, and somewhat surprising, as the consensus has been that Apple's strategy has been to seek outcome (1), using its proprietary DRM to lock customers in to its iTunes-iPod world. If Apple really prefers to eliminate DRM, that is news.
But this part of the letter might just be cheap talk. As Jobs points out in the letter, Apple sells music at the pleasure of the record companies. And if the record companies announce tomorrow that they don't want Apple to use DRM, then Apple will have little choice but to smile and go along.
So there is little downside to Apple saying that they are willing to get rid of DRM. In this respect, Apple is like the kid who says he is willing to go to the dentist, because he knows that no matter what he says he's going to see the dentist whenever his parents want him to.
The least-discussed aspect of the letter is its praise for the status quo (outcome (1)). Jobs says that the current system is working well:
The first alternative is to continue on the current course, with each manufacturer competing freely with their own 'top to bottom' proprietary systems for selling, playing and protecting music. It is a very competitive market, with major global companies making large investments to develop new music players and online music stores. Apple, Microsoft and Sony all compete with proprietary systems. Music purchased from Microsoft's Zune store will only play on Zune players; music purchased from Sony's Connect store will only play on Sony's players; and music purchased from Apple's iTunes store will only play on iPods. This is the current state of affairs in the industry, and customers are being well served with a continuing stream of innovative products and a wide variety of choices.
His real scorn is for outcome (2), where Apple licenses its DRM technology to other companies. It's easy to see why this is the worst outcome for Apple: the company loses its ability to lock in customers, but everybody still has to put up with the cost and hassle of using DRM.
What the letter really does, in typical Jobsian fashion, is frame the debate. It does this in two respects. First, it sets up a choice between two alternatives: stay the course, or get rid of DRM entirely. Second, it points the finger at the major record companies as the ones making the choice.
This is both a clever PR move and a proactive defense against European antitrust scrutiny. Mandatory licensing is a typical antitrust remedy in situations like this, so Apple wants to take licensing off the table as an option. Most of all, Apple wants to deflect the blame for the current situation onto the record companies. Steve Jobs is a genius at this sort of thing, and it looks like he will succeed again.
[Freedom to Tinker]
1:18:30 PM
© Copyright 2007 Paul Hardwick.
Last update: 3/4/07; 3:09:00 AM.