August 04, 2015

Courion: Digital & physical security plus a cameo from Ms. Austen - It's #TechTuesday [Technorati links]

August 04, 2015 12:03 PM

Access Risk Management Blog | Courion

blog.courion.com

Mark Dixon - Oracle: Educational Resources for Space [Technorati links]

August 04, 2015 01:36 AM

EducatorLabs

Recently, I received some fun suggestions from Jasmine Dyoco from EducatorLabs via the Feedback page on this site. Intrigued by some of the Space Travel posts on this blog, she suggested a number of great links to educational sites related to Space and science:

I was impressed by the Vision of EducatorLabs:

EducatorLabs is comprised of school librarians and media/market research specialists who work as curators and conservators of the scholastic web. In previous decades, our resource collections were finite and we knew our card catalog backwards and forwards; nowadays, modern technology provides us with a seemingly infinite inventory of educational resources. Unfortunately, there simply are no comprehensive card catalogs for the internet and, sadly, many untapped resources go undiscovered by most teachers.

Naturally, we feel compelled to bridge the gap. Our mission is to assist educators, for whom time is a precious commodity, in discovering valuable resources of substance for classroom use. We also seek to strengthen connections among the educational web by acting as courier: because of our high standards, our approach is grassroots and hands-on in nature.

As a father of six children, all of whom graduated from public schools in Mesa, AZ, I have deep respect for dedicated educators who go above and beyond their “job descriptions” to offer students outstanding educational experience. And now, as my grandchildren are growing up, I am so grateful for teachers and schools that are willing to go the extra mile to help young minds learn and grow and spread their wings of discovery!

Thank you, Jasmine!

Mark Dixon - Oracle: The Scraping Threat Report 2015 [Technorati links]

August 04, 2015 12:33 AM

Scraping

Back in May, I wrote a couple of posts about Illicit Internet bots:

I recently read a short but interesting report on “scraping,” the use of bots and similar tools to steal information: The Scraping Threat Report 2015, published by ScrapeSentry. The report includes this definition:

Scraping (also known as web scraping, screen scraping or data scraping) is when large amounts of data from a web site are copied manually or with a script or program. Malicious scraping is the systematic theft of intellectual property in the form of data accessible on a web site.

This theft of intellectual property can be very damaging to businesses. If, for example, a scraper can download airline fares from a legitimate site through illicit means, the stolen data can be exploited to fuel unfair business practices.

Some interesting statistics:

Scrapers are generally categorized into the following areas:

In short, if you are an Internet user, these scrapers are generating so much traffic that they are undoubtedly impacting the performance of websites you visit. If you are a website operator and your website contains any type of information that could be exploited for nefarious purposes, scrapers have probably already penetrated your defenses, or at least have you in their bombsights.
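The report describes the threat; the defender's counterpart is spotting scraping traffic in the access logs. The following is an added example (not from the post or the ScrapeSentry report) that parses constructed Apache/Nginx "combined" log lines and flags clients using three heuristics: a burst of requests in a sliding window, a scripted-client User-Agent, and referer-less enumeration of a single endpoint with varying query strings. The sample log, the User-Agent marker list and the thresholds are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Regex for the Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent substrings typical of scripted HTTP clients (assumed list, not
# from the report; a real deployment would tune and extend it).
SCRIPTED_UA_MARKERS = ("python-requests", "curl/", "wget/", "scrapy", "java/")


def build_sample_log():
    """Constructed sample: one ordinary browser session and one scripted client
    that enumerates fare-search results for many city pairs within seconds."""
    base = datetime(2015, 8, 4, 10, 0, 0)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "{ref}" "{ua}"'
    lines = []
    # Ordinary visitor: three page views spread over a minute, with a referer.
    browser_ua = "Mozilla/5.0 (Windows NT 6.1; rv:39.0) Gecko/20100101 Firefox/39.0"
    for i, path in enumerate(["/", "/fares?from=LAX&to=JFK", "/fares?from=LAX&to=BOS"]):
        ts = (base + timedelta(seconds=20 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="203.0.113.5", ts=ts, path=path,
                                ref="http://example.com/", ua=browser_ua))
    # Scraper: twelve fare queries in four seconds, no referer, scripted UA.
    dests = ["JFK", "BOS", "SEA", "ORD", "DEN", "ATL", "MIA", "DFW", "PHX", "IAH", "SFO", "LAS"]
    for i, dest in enumerate(dests):
        ts = (base + timedelta(seconds=i // 3)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="198.51.100.7", ts=ts, path=f"/fares?from=LAX&to={dest}",
                                ref="-", ua="python-requests/2.7.0"))
    return lines


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_scrapers(lines, window=timedelta(seconds=10), max_requests=10):
    """Return {client_ip: [reasons]} for clients whose traffic looks like scraping."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        reasons = []
        # Rule 1: burst rate, a sliding window over the client's sorted timestamps.
        times = sorted(r["ts"] for r in recs)
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                reasons.append(f"burst: more than {max_requests} requests within {window.seconds}s")
                break
        # Rule 2: a scripted-client marker in the User-Agent header.
        uas = {r["ua"].lower() for r in recs}
        if any(marker in ua for ua in uas for marker in SCRIPTED_UA_MARKERS):
            reasons.append("user-agent: scripted HTTP client")
        # Rule 3: every hit is referer-less and targets one endpoint with varying queries.
        endpoints = {r["path"].split("?")[0] for r in recs}
        no_referer = all(r["referer"] in ("-", "") for r in recs)
        if no_referer and len(endpoints) == 1 and len(recs) >= 5:
            reasons.append("enumeration: repeated referer-less queries to a single endpoint")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in detect_scrapers(build_sample_log()).items():
        print(ip, "->", "; ".join(why))
```

Each rule alone produces false positives (a corporate NAT can burst, monitoring tools use curl), which is why the function returns the reasons rather than a verdict: an operator would rate-limit or challenge a client on the combination, and keep the thresholds per endpoint rather than global.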

August 03, 2015

Mark Dixon - Oracle: Coolest Travel Voucher I’ve Seen! [Technorati links]

August 03, 2015 07:45 PM

Submitting expense reports is one of the seemingly never-ending exercises I have had to endure in over three decades of professional travel. But last week I saw a copy of the coolest travel expense report I have ever seen.

Col. Buzz Aldrin submitted an expense report requesting reimbursement for $33.31 to cover personal expenses for his Apollo 11 trip to the moon!

Enjoy!

[Images: TravelVoucher, TravelVoucher2]

Julian Bond: Some satirical humour. [Technorati links]

August 03, 2015 08:41 AM
Some satirical humour.

http://www.mpoweruk.com/coal.htm
In view of the acute crisis caused by the threat of exhaustion of uranium and thorium, the Editors thought it advisable to give the new information contained in the article the widest possible distribution.

One wonders what Otto Frisch would have made of oil, gas and lignite as fuels for power stations. Or Solar Thermal.
Feasibility of Coal-Driven Power Stations »
The following article is reprinted from the Yearbook of the Royal Institute for the Utilisation of Energy Resources for the Year MMMMCMLV, p1001. In view of the acute crisis caused by the threat of exhaustion of uranium and thorium, the Editors thought it advisable to give the new information ...

[from: Google+ Posts]
July 31, 2015

Matthew Gertner - AllPeers: Options for accommodation in Barcelona [Technorati links]

July 31, 2015 12:39 AM

photo by CC user Mattia Felice Palermo on wikimedia

Heading to one of Spain’s most culturally rich cities soon, but have no idea where to stay? There are many different options for accommodation in Barcelona that will adequately meet your needs – you just need to know what kind of person you are to make a wise decision.

Let’s break down each category of lodging below…

1) Stay in a hotel

Of all the accommodation options open to you in Barcelona, staying in a hotel is by far one of the most popular ways to spend a holiday in one of Europe’s most stylish cities.

If you’ve got cash, the Mercer Hotel Barcelona is the only way to roll, as its exquisite amenities, concierge services and attentive staff will deliver value well beyond what you will pay for your room.

For those on a tighter budget, economical offerings like Hesperia Sant Joan will provide you with clean and comfortable surrounds, while occasionally having some pleasant surprises in store for you (like a pool and kitchenette suites in the case of Hesperia Sant Joan).

2) Rent a holiday apartment

As nice as hotels can be, they often lack privacy and a feeling of being at home. If you are seeking these two qualities in a place to stay in Barcelona, then renting a holiday apartment through providers such as House Trip will help you leave behind noisy neighbors and the sterile atmosphere that hotels often have.

Stylish living rooms, sunny terraces, and homely surroundings can be yours, all for less than the cost of many hotels in the Barcelona area. Be forewarned though: you may never want to go back to booking a room at a major chain ever again!

3) Save money and make foreign friends at one of many hostels

If you are on a longer term trip with a modest budget, staying at one of Barcelona’s trendy hostels might be the best option for you.

From the clean modern design of Sant Jordi Gracia, to the group Spanish and Italian dinners at Hostel One Paralelo, those looking to save money while in Barcelona needn’t sacrifice having a great trip in the process.

In fact, due to the social atmosphere often present in hostels, it may prove to be the superior choice for some people!

4) Connect with the locals via couchsurfing

Couchsurfing emerged over the past five to seven years with the rise of the sharing economy, out of a desire to dive deep into the culture of a destination by staying with local residents.

These long time citizens will be able to show you secrets that your Lonely Planet won’t reveal (such as restaurants and bars where locals congregate), cook you regional specialties that you might not be able to find in restaurants in the center of town, and fill you in on the subtleties of Barcelonan culture in a way you’ll be able to understand.

The post Options for accommodation in Barcelona appeared first on All Peers.

July 30, 2015

Ian Yip: Invisible Identity [Technorati links]

July 30, 2015 01:31 PM
Photo source: Michael Shaheen - My Name Was Michael & The Rest Is History
In my previous post, I promised to explain the following:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
If you've been to any of Disney's theme parks recently, you may have noticed they now have something called the MagicBand. It cost them a lot of money. Disney calls it "magic". The technology powering the MagicBand infrastructure was complicated to build, but they've done it and have the increased revenue to show for it. They've also managed to turn what is effectively a security device into a new revenue stream by making people pay for them, including charging a premium for versions that have Disney characters on them.

While it does many things, arguably the key benefit of the MagicBand is in delighting Disney's customers by providing seamless, friction-less, surprising experiences without being creepy. For example, when you walk up to a restaurant, you can be greeted by name. You will then be told to take a seat anywhere. Shortly after, your pre-ordered meal will be brought to you wherever you chose to sit, just like magic. If you understand technology, you can inherently figure out how this might work. But the key in all this is the trust that the consumer places in the company. Without the trust, Disney steps over the "creepy" line.

How does Disney ensure trust? Through security of course. Sure, the brand plays a part, but we've all lost trust in a supposedly trusted brand before because they screwed up their security.

The key pieces of that security? Identity proofing, authentication, access control and privacy, none of which is possible without a functional, secure identity layer.

Conveniently (for me), Ian Glazer recently delivered two presentations that go into a little more depth around the points I'd otherwise have to laboriously make:

  1. Stop treating your customers like your employees
  2. Identity is having its TCP/IP Moment
If you have some time, do yourself a favour and follow those links - you might just learn something :)

What Disney has managed to achieve within their closed walls is exactly what every organisation trying to do something with omni-channel and wearables would like to achieve. Disney is a poster child for what is possible through an identity-enabled platform, particularly in bringing value to the business through increased revenue and customer satisfaction. Identity truly is the enabler for Disney's MagicBand.

The reason it works is because no one notices the identity layer. Not every organisation will be able to achieve everything Disney has managed, but even going part of the way is worth the effort. Only by ensuring the identity layer is there, can you really make it invisible.

Until people stop noticing the identity layer, you need to keep working on it. Only then will the business see the full potential and value that identity brings to increasing revenue.

Ian Yip: Identity needs to disappear [Technorati links]

July 30, 2015 01:31 PM

Photo source: Paul Chapman - The disappearing machine
In recent years, security vendors, including ones that don't sell Identity & Access Management (IAM) products, have been pontificating about how identity needs to be the focus for all things security. They (my current and previous employers included) continue to be on-message, each beating everyone to death with their own version: identity-centric security, identity-powered security, identity-defined security, identity-is-the-perimeter, identity-is-the-foundation, identity-is-the-intelligence, and on and on.

Yeah, we get it. Identity is VERY important. Enough already.

The problem with rolling out the same message for years is that people stop listening. It's like the age-old line in press releases, "the market leader in...": sure, you and every other vendor out there. The market leader. Yeah, right.

Ok, so I'm being a little cynical. But the fact that as an industry, we've had to go all broken-record on this means:
  1. We've not been very effective in explaining what we mean. AND/OR
  2. No one gives a crap.
The truth is probably a combination of the two.

From the 10,000 foot marketing message, we have a habit of diving too deep too quickly, skipping the middle ground and heading straight into explaining, debating and architecting how everything needs to hang together. For example: "You need to federate between the identity provider and service providers using standards like SAML, OAuth or OpenID while maintaining a translatable credential that can be trusted between partner domains. Which OAuth do you mean? 1.0? 2.0? Can't we just go with OpenID Connect? Doesn't that cover the use cases? We're effectively supporting OAuth right?"

Errr, yeah. Sure. Hey, architect person, I'm not entirely sure what all that means, but we do that, right? And why do we do that again?

We often explain the "why should we care" answer by saying "you need security because you do, and identity is the key". And therein lies the problem. The "why should we care" question is difficult to answer in a meaningful, tangible way.

In addition, the reasons tied purely to security and risk no longer resonate. It's arguable that they ever did at all, but we could always pull out the audit, risk and compliance stick to metaphorically beat people with (oops, did I say that out loud).

Today, we often pull out the data-loss card. But we can do better:
Organisations should care about identity so they can stop caring about it. Identity needs to disappear, but only from sight; it needs to be invisible.
I'll explain in the next post.

Update: The next post is up.

Courion: 4 Employees Putting Your Business At Risk [Technorati links]

July 30, 2015 12:56 PM

Access Risk Management Blog | Courion

4 Employees Putting Your Business At Risk from Courion Corporation

blog.courion.com

July 29, 2015

Kantara Initiative: Leaders of Industry and Government Converge to Launch the Kantara Initiative UMA Dev WG to Develop Tools for Global Adoption of UMA [Technorati links]

July 29, 2015 03:14 PM

July 29th, 2015 Piscataway, NJ: Today Kantara Initiative announced the formation of the User-Managed Access Developer Resources Work Group (UMA Dev WG). Leaders from industry and government have come together to call on all interested parties to join the UMA Dev WG to advance global adoption of UMA. Interested parties can learn more here: https://kantarainitiative.org/confluence/x/n4VtB

“Kantara Initiative has been a stalwart supporter of our efforts to build the UMA standard,” said Eve Maler, ForgeRock vice president of innovation, UMA Work Group founder and chair, and convener of the new UMA Dev Work Group. “We’re taking the next exciting step, building free and open-source software with like-minded vendors, end-user organizations, and individual experts so we can foster truly open application ecosystems that give individuals greater control of their data.”

The purpose of the UMA Dev WG is to design and develop free and open-source software (FOSS) in several popular programming languages. FOSS empowers developers to incorporate UMA protection and authorization API enablement into applications, services, and devices, thus promoting privacy enhancement and broader adoption of UMA ecosystems. The UMA WG’s requirements and design principles encourage simplicity of specific kinds, and on the part of specific system entities, to foster ecosystem growth. The purpose of UMA Dev WG is to support those aims.

Customers, citizens, employees, and partners all demand dynamic access controls in their online experiences. Developed via an open and transparent standards-based approach, UMA’s flexibility for users and enterprise authorization make it a key enabler for driving privacy and identity and access management. UMA can be applied to a growing number of use cases, including but not limited to authorization-as-a-service for the Internet of Things (IoT), social network sharing, the healthcare industry, business services, universities and governments.

“UMA represents an innovative approach to delegated access management furthering citizens’ digital relationship with service providers. The open source code libraries and tools to be progressed in UMA Dev will greatly assist developers in building functionally rich UMA deployments”, said Colin Wallis, Kantara’s eGov WG Vice Chair.

“UMA is increasingly becoming the de facto standard for access controlling under the context of IoT, which is a critical component in connected business. Building a comprehensive set of developer tools is equally important to build a healthy developer community around it for the wide adoption. We strongly believe UMA Dev WG is going to be one key effort to address that concern”, said Prabath Siriwardena, WSO2 Director of Security Architecture.

“UMA addresses critical components of Authorization management by providing users with transparency, choice and control over how they share personal resources and information,” said Joni Brennan, Kantara Initiative Executive Director. “Access Control standardization becomes even more critical as our world is more connected than ever through IoT innovations. UMA is scaled to address the challenges of today and the innovations of tomorrow.”

Kantara Initiative connects leaders from industry and governments to provide strategic vision and real-world innovation for the digital identity transformation. Via initiatives such as Identity Relationship Management, User Managed Access (EIC Award Winner for Innovation in Information Security 2014), Identities of Things, and Minimum Viable Consent Receipt, Kantara Initiative connects a global, open and transparent leadership community. Luminaries from organizations including CA Technologies, Experian, ForgeRock, IEEE-SA, Internet Society, Nomura Research Institute, Radiant Logic, and SecureKey provide strategic insights to drive progress in the transformational elements needed to leverage innovative and safe Identity Management for IoT, access control, context and consent. https://kantarainitiative.org

Matthew Gertner - AllPeers: San Francisco: A Hipster’s Paradise! [Technorati links]

July 29, 2015 02:21 PM

If you’re looking for a hip, trendy North American city to visit, you’ll probably want to put San Francisco, California at the top of the list on your travel itinerary. San Francisco offers everything a hipster could possibly hope for in a vacation destination, from eco-conscious coffee shops to sophisticated boutiques offering the latest skinny jeans and graphic t-shirts. Let’s take a look at some of the top 8 hotspots where San Francisco’s hipsters congregate.


  1. Mission Dolores Park

Dolores Park is the place to go to spend a day relaxing in the sun. It’s also a favorite destination that hosts numerous festivals and celebrations. The park offers visitors a variety of different recreational opportunities, from tennis to soccer to basketball. The park is located in San Francisco’s Mission district, which is one of California’s hottest hipster neighborhoods.

  2. Sightglass Coffee

Attractive décor, ample seating and a great menu have contributed to this Bay Area coffee house’s success with the hipster crowd. The biggest downside is the lack of Wi-Fi, but the Folsom Street location still gets insanely crowded.

  3. Four Barrel Coffee

This hipster café offers top rated coffee plus a chic, trendy vibe. This place made headlines because, ironically, they posted a sign advising their customers against discussing “annoying hipster topics,” among other rules.

  4. El Rio

Some describe this Mission district hipster hangout as being a “music venue”, and others describe it as being a “dive bar”. If you want to shoot a game of pool, order a drink, catch some music, or go dancing, you have the option to do any of the above.

  5. Bourbon and Branch

If you’re in the mood for a handcrafted cocktail and a venue with a dark, moody ambience, Bourbon and Branch is a destination to consider. Reservations are required at this unmarked bar on Jones Street, San Francisco.

  6. My Trick Pony

My Trick Pony is an appointment-only custom t-shirt shop located on Alabama Street in San Francisco’s hipster-friendly Mission district. If you want to design your own t-shirts or other apparel, this is the place to work with.

  7. Acrimony

This chic little boutique specializes in edgy urban sportswear made by interesting, non-mainstream apparel companies. They offer clothing and accessories for men and women. They’re located on Hayes St. in San Francisco.

  8. The W Hotel

This trendy hotel, located in San Francisco’s financial district, offers both accommodations and a bar. Known as the XYZ Bar, it’s a hipster hangout where you can enjoy cocktails, people watch and catch some entertainment from a live DJ.

For great deals on some of San Francisco’s hippest hotels, be sure to shop around online. Travel sites like Expedia and AirBnB offer great deals for all budgets. They offer a fantastic selection of the best San Francisco hotels and accommodation to browse through and compare.

The post San Francisco: A Hipster’s Paradise! appeared first on All Peers.

ForgeRock: No, Wanting to Share Your Data Doesn’t Make You Weird – UMA Will Protect You [Technorati links]

July 29, 2015 12:00 PM

Seen on Twitter last week:

This isn’t a weird sentiment at all — and OAuth helps some — but unfortunately OAuth doesn’t specialize in consumer-driven data sharing. Businesses are leaving data-sharing opportunities on the table. But to take advantage of those opportunities, they’ll need a different standard, User-Managed Access (UMA), the OAuth-based Kantara Initiative standard for adding “Share” functionality to services, apps, and devices. It gives a web user a unified control point for authorizing who, when, and what can get access to their online personal data.

The standards effort that produced UMA V1.0 is moving into an exciting new phase this week, and ForgeRock is thrilled to be part of it. A companion to the UMA Work Group, called the UMA Developer Resources Work Group (UMA Dev WG for short), is launching at Kantara with the goal of developing open-source implementation toolkits. The UMA standard has already received support from major government and healthcare organizations such as the Government of New Zealand and Philips.

Why is this activity valuable? According to recent Pew Research, 91 percent of Americans agree or strongly agree that consumers have lost control over collection and use of their personal information. ForgeRock’s OpenUMA support within our ForgeRock Identity Platform™ is designed to help empower customers and citizens to manage their own digital privacy.  Protocol ecosystems thrive when all the stakeholders can reduce the costs of beginning to communicate — and they can become more secure when open-source software can be inspected and vetted by many eyeballs. To attract app developers and deployers to the benefits of UMA, we think it’s a great idea to eliminate the difficulty of UMA-enabling those apps — UMAfying them, if you will.

We invite all interested parties to check out the group wiki and join us on the group! As a bonus, check out our recent ForgeRock webinar on our forthcoming OpenUMA product, our press release, and our open-source OpenUMA project.

The post No, Wanting to Share Your Data Doesn’t Make You Weird – UMA Will Protect You appeared first on Home - ForgeRock.com.

Katasoft: Include BrianRetterer.php [Technorati links]

July 29, 2015 05:00 AM


Hello, I’m Brian, the new PHP Developer Evangelist for Stormpath! I’m currently based at home in Dayton, Ohio with my wonderful wife, Heather, and our purebred mutt, Sophie.

My background is not what you would expect: I have a BFA in Communications Arts with a concentration in International Theatre Production (specifically sound design and engineering) from Ohio Northern University. My post-college path started with six months on a cruise ship (doing sound engineering), then writing code for a start-up educational website, then working as a PHP developer and a system administrator and, now, a PHP Developer Evangelist! This job will combine all of the skills I have learned over the years, making it a perfect fit!

wget http://wordpress.org/latest.tar.gz

My jump into computers started even before my love for theatre.

In the early days of the internet, we had an ISP-based webpage. You know, the ones with the /~username on a www2 subdomain of the ISP’s main webpage. Playing around with this (for quite some time) sparked a huge interest in the web. Through college, I dabbled a little bit more in the campus-provided domain and created awesome framed web pages with flashy animated GIFs and under-construction diggers. Dabbling in WordPress and PHP ensued from there (starting with version 1.2).

In 2006, I registered my first domain, brianretterer.com, where I created a simple WordPress blog to post images and blog posts about my study abroad semester in New Zealand. From that point, I found a love for WordPress as an accessible website development tool. This love has led to me co-chairing the local WordPress Meetup group and co-founding the Dayton, OH WordCamp.

composer require stormpath/sdk:1.3.0-beta

I first got to know Stormpath when I was looking for a way to manage my users for a weather alerter app I developed, Public Alerter. I hated dealing with the issues of user security, and although there was not much personal information as part of this app, I knew I didn’t want to manage a bunch of other users.

Eventually, the application evolved into a Chrome extension, and does not have users. However, being a beta user – and giving the team early feedback – created a relationship with Stormpath that would, ultimately, lead me to working here. A few years after this initial meeting I began to do some freelance work on the PHP SDK. I was enjoying working with the people at Stormpath and was thrilled when I was offered the PHP Developer Evangelist job.

Building the Stormpath PHP Community

What will I be doing as a PHP Developer Evangelist?

In short, I’ll be blogging, speaking, and writing code. While I don’t call myself a writer, I do love to teach people about the technology world and the advantages understanding it can give people. I’m looking forward to developing blog posts and letting people know what Stormpath is up to!

All that is true for the speaking aspect as well. Until I started speaking at WordCamps around Ohio, I didn’t realize how much I enjoyed educating and informing people about anything related to the web, designing great systems, and applications. When I learned this job would allow me to grow my audience base and speak about all sorts of amazing nerdy things (as my wife puts it), I was excited to jump at the chance.

Finally, I would definitely call myself a code-writer. I am a self-taught software developer and constantly learning new things; I especially enjoy that programming is a world that is always growing and changing.

With my new role at Stormpath, I will be available to help all the PHP developers use Stormpath’s PHP SDK. I am happy to be working on it and making it a tool that I think everyone who has a webpage or application with a user system will be able to use!

I’ve been welcomed into the Stormpath family and am looking forward to sharing with the world what we are doing here and getting to know all of the PHP Developers out there.

Ways to get ahold of me

(PS: You may notice a trend here; most of my user accounts are bretterer.)

July 28, 2015

Paul Madsen: NAPPS has left the building (but is still on the front lawn) [Technorati links]

July 28, 2015 05:37 PM
A good standards effort defines specifications that build on the existing stack of underlying protocols, cryptographic techniques, data formats and platform capabilities. A better standards effort defines specifications that can adapt accordingly as that existing stack changes and evolves. The very best standards efforts know when to announce victory, pack their bags, and go home when that stack evolves in such a way to mitigate the value of the standard in the first place.

By this measure, NAPPS, the OIDF WG chartered to define mechanisms in support of an SSO experience for native applications, is an awesome standards effort.

As John Bradley and I have previously pointed out, the mobile OSs are evolving their support for native SSO: both iOS and Android are adding new features that make SSO possible 'out of the box', without the specialized application software on the device that the NAPPS group had been proposing. Consequently, the value of the 'Token Agent' model that NAPPS was proposing and standardizing is diminished; fundamentally, we don't need to supplement the mobile OSs to achieve native SSO when they provide sufficient capabilities on their own.

Consequently, as John writes, the NAPPS WG is 'pivoting' and, rather than delivering a normative specification for the Token Agent role, will instead:

"...document best practices for Single Sign-on for Enterprise and Software as a Service Providers using these new features in combination with the PKCE specification, as well as filling in any remaining gaps to allow SaaS providers to fully support OAuth and OpenID Connect enabled native applications in a secure way without forcing users into extra unproductive logins."

[Image: NAPPS_blog.png]

In addition to these sorts of guidelines, there is discussion about the development of open source SDKs that would wrap up all these features and flows, simplifying for application developers how to hook into this native SSO model. Discussions are underway as to where development of these libraries makes sense.
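The quoted charter pairs the OS-level SSO features with the PKCE specification (RFC 7636). PKCE is the piece that matters for a native app, because a public client on a phone cannot keep a client secret, so an authorization code that is intercepted on the device (for instance by another app registered for the same custom URL scheme) could otherwise be redeemed by the interceptor. The following is an added example, not code from the post, the NAPPS WG or any SDK it mentions: it implements the S256 verifier/challenge transform and a toy in-memory authorization server that enforces it, with the client and server halves of the exchange side by side. The server class, client ID and token format are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier that never leaves the app instance; 32 random
    bytes encode to the 43-character minimum the spec demands."""
    return b64url(os.urandom(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Toy authorization server (assumption: in-memory state, no real HTTP)."""

    def __init__(self):
        self._pending = {}  # authorization code -> (client_id, code_challenge)

    def authorize(self, client_id: str, code_challenge: str, method: str = "S256") -> str:
        # Public native clients should be refused the weaker "plain" method.
        if method != "S256":
            raise ValueError("only the S256 code_challenge_method is accepted")
        code = b64url(os.urandom(16))
        self._pending[code] = (client_id, code_challenge)
        return code

    def token(self, client_id: str, code: str, code_verifier: str):
        # Codes are single use: pop on first presentation, even if it fails,
        # so a party racing the real client cannot keep retrying.
        entry = self._pending.pop(code, None)
        if entry is None:
            return None
        stored_client, stored_challenge = entry
        if stored_client != client_id or not 43 <= len(code_verifier) <= 128:
            return None
        # Recompute the challenge from the presented verifier; constant-time compare.
        if not hmac.compare_digest(make_code_challenge(code_verifier), stored_challenge):
            return None
        return {"access_token": b64url(os.urandom(24)), "token_type": "Bearer"}


def native_app_login(server: AuthorizationServer, client_id: str = "example-native-app"):
    """Client side of the flow: mint a verifier, send only the challenge with the
    authorization request, then prove possession of the verifier at the token endpoint."""
    verifier = make_code_verifier()
    code = server.authorize(client_id, make_code_challenge(verifier))
    return server.token(client_id, code, verifier)


def intercepted_code_is_useless(server: AuthorizationServer) -> bool:
    """The failure mode PKCE exists to close: a code observed on the device is
    redeemed without the matching verifier. Returns True when the server refuses it."""
    verifier = make_code_verifier()
    code = server.authorize("example-native-app", make_code_challenge(verifier))
    return server.token("example-native-app", code, "x" * 43) is None


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(native_app_login(srv))
    print("interception blocked:", intercepted_code_is_useless(srv))
```

The same verifier/challenge pair would apply unchanged if a Token Agent obtained the token on behalf of another party, since PKCE binds the authorization code to whoever minted the verifier, not to a transport.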

Interestingly, while the value of a Token Agent has been marginalized by the new mobile OS features for the native SSO use case, the TA model may yet find a home in the Internet of Things.

Many IoT devices are characterized by limited UI capabilities for display and user input - both of which are critical for the initial binding of the device to a user account and corresponding provisioning of credentials. But if Things are constrained in this way, mobile devices aren't - and so can facilitate this initial setup step.

Shown here is a scenario where a native application on a device plays the role of a Token Agent on behalf of a Thing. The TA obtains an OAuth access token for the Thing and then delivers that token using some short range wireless protocol such as BLE or NFC. Once the Thing has its token, it can use that to authenticate itself when interacting with cloud endpoints or even other Things.


Should the TA model be eventually applied to IoT use cases, perhaps my not insignificant $$ investment in a large supply of 'There is nothing token about my agent' t-shirts will not be wasted. Let us hope.

Courion: The Government Under Cyber Attack & A Hit To The #IoT: It's #TechTuesday! [Technorati links]

July 28, 2015 12:23 PM

Access Risk Management Blog | Courion

blog.courion.com

July 27, 2015

Mythics: Practical Strategies for Data Security [Technorati links]

July 27, 2015 05:51 PM

Data breaches have become an everyday occurrence. The remediation is very expensive and resolution of a breach costs much more. The overall impact of a…

July 24, 2015

OpenID.net: The Path Forward for Self-Certification [Technorati links]

July 24, 2015 02:42 PM

The increasing adoption of OpenID Connect deployments has required the OpenID Foundation to develop new certification models that support the practical business, legal and technical realities of today’s Internet scale deployments. Throughout 2015, the pilot phase of OpenID Connect self-certification has been testing the efficiencies, cost effectiveness and trustworthiness of this new approach. Early adopters helped “test the tests” and put a wide range of solutions through the first iteration of OpenID Connect self-certification.

OpenID Connect self-certification is underway for the first set of OP tests with additional OP and new RP pilot testing planned later for this year. Certification costs/fees to be determined by the Executive Committee will reference the guidelines below as adopted by the OpenID Foundation Board. In this way, OpenID Connect self-certification is breaking new ground and setting precedents for certification in the foundation’s future.

OpenID Foundation Self-Certification Guidelines
1. Adoption is the foundation’s highest priority.
2. The foundation’s goals include incentivizing membership, certification of multiple profiles per implementation and international participation.
3. Certification Profiles are rolled out in three phases: pilot by early adopters, membership beta and general availability.
4. OpenID certification pilots and betas are to be available to all members in good standing.
5. Upon completion of the beta and pilot phases, certification for those profiles will be made available to non-members.
6. All fees are waived during the pilot phase; fees will be charged during the beta and general availability phases.
7. The Foundation intends to authorize fees sufficient to cover the costs of operating a certification program once the corresponding pilot phase is complete.
8. OpenID Foundation certification fees are to be the same for all members.
9. Certification fees are due at the time of submission and are charged per implementation.
10. Certification(s) will be approved once payment is received.

The Executive Committee is now working through the actions needed to make the planned OP and RP self-certification available to members and non-members and fully operationalize the OpenID Connect self-certification program. Your feedback is welcome at don@oidf.org

Don Thibeau

Eric Norman - UW-MadisonAnd So It Continues: [Technorati links]

July 24, 2015 03:35 AM
This blog is dedicated to what's going on in the world today and the important things that will shape our future. I’ve always been one of those people that has been addicted to newspapers and what the "real news" is in the world. Not simply what we are spoon-fed. I also love big technical discussion about things that most people would find boring. Wordplay is a favorite of mine and fun with metaphors is something I try to test myself with.

I am an independent thinker.

Since this is a blog about things that shape the lives of all of us, the topics that you will see me post mostly have something to do with them or are entirely about them. I love being updated about the things I may have missed.

Now this isn't to say that I am all serious all the time. I am one who knows how to relax and blow off some steam or simply live life. I kayak, cosplay, camp, and love computers. I'm a big fan of sailing, archery, and I have a Pug named James. See? I can keep it light.

If you like my posts or want to say something about them, you can leave a message through the comments section. I make sure I check my blog everyday so I’m sure I can get back to you if you have questions about my posts.

Since there are so many things all over the world that happen that I'm not privy to, you can also recommend topics that you would like me to post about. I want us to exchange information so don’t hesitate to contact me anytime.

-Eric Norman

July 23, 2015

OpenID.netIntroducing RISC: Working together to protect users [Technorati links]

July 23, 2015 07:13 PM

According to a recent Gallup poll, more people are worried about their online accounts being hacked than having their home broken into. With more and more of our digital lives accessible online, attackers are redoubling efforts to steal our personal information, and increasingly exploiting the interconnectedness of web services and apps to “leapfrog” from one account to the next.

Attackers often target multiple accounts across service providers for a single individual, knowing that users normally register for all their internet services with just a few email addresses. For example, a victim’s social networking account may send password recovery information to their email account, or the victim may log into their photo sharing account using their social network credentials. When criminals exploit these linkages, a single weak link can create a cascade of account takeovers.

That’s why the OpenID Foundation is pleased to announce a new effort dedicated to tackling this problem by working together on account defense. This month, a consortium of technology companies including Aol, Confyrm, Deutsche Telekom, Google, LinkedIn, Microsoft, Nomura Research Institute, and Ping Identity chartered an initiative to design an “early warning system” that safely and securely raises the alarm when accounts are at risk.

This Risk & Incident Sharing and Collaboration Working Group (RISC) initiative has set its initial mission as the development of standards designed to enable providers to prevent attackers from compromising linked accounts across multiple providers and coordinate in restoring accounts in the event of compromise.

The RISC group takes the approach that through open collaboration, the internet industry can design and deploy mechanisms that significantly lessen the impact of account hijacking. The effort focuses on sharing security events that occur at the individual account level, like the fact that a specific account was put on hold because of a suspected compromise. The group will also work with an attention to minimizing impacts on user privacy. The RISC group is not focused on identification or defense against malware or other system or network level attacks.

To learn more about the working group please visit the OpenID Foundation RISC Workgroup or contact Don Thibeau Executive Director, don@oidf.org.

Bill Nelson - Easy IdentityThe Real Reason Oracle Dropped Sun Identity Manager [Technorati links]

July 23, 2015 06:25 PM

 

I always appreciate it when someone attempts to educate others about identity management and related technologies. So when I saw the following presentation, it quickly caught my attention, as I was working with both products when the Oracle deal to purchase Sun went down.

 

Why Oracle Dropped Waveset Lighthouse and Went to Oracle Identity Manager (OIM)

 

 

Not to be too nitpicky, but there are quite a few errors in this presentation that I simply couldn’t ignore.

The main reasons that Oracle chose to go with OIM versus SIM were simply the deeper integration with Oracle products and their not wanting to alter the Oracle IDM roadmap. I was on the early calls with Oracle when they announced which products they would keep and which products they were getting rid of. During those calls, they had their “politically correct” reasons as well as the “real” reasons, and it always came back to these two.

There was only one place where I saw Oracle forced into altering their position and having to update their roadmap; this was with the SDSEE product. Oracle made it very clear that the only product they wanted in Sun’s identity product line was Sun Role Manager (which later became Oracle Identity Analytics). In fact, only a couple of weeks after the purchase was made, Oracle had already set an end-of-life date for all identity products including SDSEE. What Oracle hadn’t counted on was how well entrenched that product was across Sun’s major customers (including the US Government and major Telcos). It wasn’t until the outcry from their customers was raised that Oracle “decided” to continue product development.

Purely from a technology perspective, if you are a company that has deployed a wide array of Oracle products, then it made sense to go with OIM due to the deeper integration with Oracle products, but not so much if you are a heterogeneous company. In such cases, I have found other products to be more flexible than OIM and to provide much quicker deployment times at much lower costs.


Mike Jones - MicrosoftJWS Signing Input Options initial working group draft [Technorati links]

July 23, 2015 04:15 PM

The initial working group version of JWS Signing Input Options has been posted. It contains no normative changes from draft-jones-jose-jws-signing-input-options-00.

Let the working group discussions begin! I particularly call your attention to Martin Thomson’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05158.html, Nat Sakimura’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05189.html, and Matias Woloski’s review at http://www.ietf.org/mail-archive/web/jose/current/msg05191.html to start things off.

The specification is available at:

An HTML formatted version is also available at:

Courion2015 Mid Year Trends in Cyber Security [Technorati links]

July 23, 2015 02:08 PM

Access Risk Management Blog | Courion

Every January, our blog feeds and magazine headlines are full of the top 5, 10, or 20 trends for the coming year; do we ever hear if they were right? How did those things impact our industry? Did our diligence in these subjects really pay off? Rather than giving you five more things to look out for, I'm taking a look back on what the experts highlighted for 2015 to discuss both how they have impacted us so far and if/how your focus should shift for the remainder of the year.

Here is a list of my 2015 mid-year trends to watch:


1. Passwords

We all know that the biggest headache for any security team lies within employee credentials. So far this year we have seen breaches at OPM, Anthem, and UCLA Health which total close to 30 million records being compromised. Even the services that supposedly keep our passwords safe aren't immune, as we saw in the case of the LastPass breach.

These hacks, along with the other thousands we don't hear about, prove that passwords and other credentials are more valuable to hackers than ever. What I believe this will lead to is the implementation of multifactor authentication. Companies like Apple already have two-factor authentication in place, using the thumbprint scan as an additional password option for banking and other applications. I believe that not only will more personal applications begin to use this for their customers but also that security teams will introduce multifactor authentication in order to access their companies’ sensitive data.

2. Internal Breaches

We've already discussed the different breaches of Anthem, LastPass, UCLA and OPM; one thing they have in common is that all were breached within the past six months, and all were breached from the inside. This trend isn't going to stop because people are continuously finding ways around the firewall.


Am I saying to forget your firewall? Of course not. Everyone needs a fence around their important property and that’s what the firewall does. However, with the rising trends of outsourcing, consulting, interns and other non-employee access, you exponentially increase your risk by providing access that isn't always managed correctly and/or shut off when needed. Keeping an eye on your user access is more important than ever and I see the call for real-time monitoring taking over by the end of the year.

3. Ransomware

Last year, we saw the first major instance of ransomware with the breach of Sony Pictures. The hackers held information and released it slowly while asking Sony for a ransom in order to stop the leak. This year we have seen ransomware take center stage again, most recently with the breach of 4 New Jersey online casinos whose information was held in exchange for a bitcoin ransom.

While this was clearly an issue for the targeted casinos, it opened up an even larger threat surface. This breach has the potential to affect not only the ransomed casinos but anyone in the city who shared the same ISP. Were the other companies on that ISP not as lucrative as the casinos? Maybe not today. However, this shows us the power of hackers and their ability not only to steal our information but to use it against us.

4. Internet of Things & Bring Your Own Device Risks

The Internet of Things (IoT) has become one of the hottest topics in the industry, but how has it affected us so far? While the issue of smart refrigerators, coffee makers, etc. might not be showing up in your office yet, the IoT is alive and well and showing itself most often in your employees' devices.

Employees bringing their own devices doesn't just mean smart phones or tablets; now we have smart watches, wearable fitness devices, and more. With constant Bluetooth upload, these devices not only change how we consume personal data but also open a window into our company's data and the portals where we are connected. It is estimated that these devices numbered 21M in 2014 but will increase to 150M by 2019 – a 48% increase. The IoT and bring your own device issues I see in the near future are as simple as "will hacking your Apple watch affect entry into your organization?"

5. Cyber-warfare

North Korea didn't want to see "The Interview" — and while I don't blame them — I also think that a massive breach of Sony Pictures was a bit over the top. While this may have been the first widely publicized nation-state breach, it is far from the first time one country breached another.


Last month's HackingTeam breach shows a list of customers ranging from over 10 different governments, including several US agencies such as the DEA, FBI, and Department of Defense. Mix this with the allegations that the OPM hack was instigated by China and we have a whole new issue. Will hacking tools be defined as the new weapons of mass destruction?

While these certainly weren’t the only trends to watch in 2015, they were consistently mentioned by industry experts. I happen to agree that these five issues are ones to watch and will continue to evolve and change how we do business.

However, these aren't the only risks that we are seeing now, nor are they the only ones to affect our future. If you are worried about the risks you face in your organization or how to protect yourself against these risks, comment below, contact us at info.courion.com or tweet us @courion. 

blog.courion.com

Ben Laurie - Apache / The BunkerVietnamese Style Sweet and Sour Lamb [Technorati links]

July 23, 2015 06:48 AM

Disclaimer: I have almost no experience cooking Vietnamese; this is just a distillation of various recipes I’ve only read.

Lamb steak (or other meat: just did this with rib-eye steak, was delicious)
Onion
Sugar
Garlic
Crushed chilli (or other form of chilli)
Vinegar
Soy sauce
Fish sauce

First cook the lamb (or other) steak until browned outside but rare inside. Set aside and slice into thin slices during the remaining cooking.

Slice onions then fry gently in oil until transparent. Add sugar (quite a lot – for two I use a couple of tablespoons at least), garlic, chilli and fry until the sugar is lightly caramelised. Throw in equal parts of vinegar, soy and fish sauce (roughly speaking, you want a little more total liquid than you had sugar), stir in and bring to the boil. Cook until slightly thickened. Add the sliced meat and stir-fry until cooked to your liking.

Serve with boiled rice and something green.

Julian BondMaybe my memory is going (it is!) but something quite strange happened on the BBC news last night. There... [Technorati links]

July 23, 2015 06:20 AM
Maybe my memory is going (it is!) but something quite strange happened on the BBC news last night. There was a report about Tony Blair's speech telling the Labour party that lurching to the left would make them unelectable. This was followed by a whole series of young Blairites (who didn't look old enough to actually remember the birth of New Labour) spouting the same line. Then we cut to Jeremy Corbyn describing how Blair destroyed the Labour party and involved us in the "disastrous and illegal Iraq war".

It seems like a long time since a major UK politician has described the Iraq war as "Disastrous and Illegal".

Blair's suddenly looking old, but he looks just as driven and criminally insane as ever. And this unshakable belief in a New Labour that is a lite-clone of the Tories is increasingly bizarre. It's not enough to have failed to learn anything from the last 20 years, he apparently wants to keep pulling the Labour party to the right and into a lacklustre place where it's indistinguishable from, and provides no real opposition to, the Tories. In which case, why vote for them?

It feels like this struggle for the soul of the Labour party might easily produce another split like the one where the SDP broke away. Perhaps this time it will be the Left that leaves and gets absorbed elsewhere rather than the Centre-right.
[from: Google+ Posts]

KatasoftHow to Add Billing to Your API - with Stripe, Stormpath, and Node.js [Technorati links]

July 23, 2015 05:00 AM

Stormpath provides authentication tools for APIs, so we work closely with devs building new REST services. We also hear a lot about the challenges that come with building an API. Billing is often high on that list of pitfalls. While charging users has long been a complicated issue, it can also be surprisingly painless for many use cases. We’ll show you how!

In this tutorial, I’ll run through how to:

This tutorial should take less than half an hour to run through. We’ll use Stormpath for user management and API Key Management and Stripe for all things billing related. We’re also running Node.js + Express.js, but the steps are the same no matter your stack. Leave a comment or email support@stormpath.com if you have questions on using this guide in your app.

Scaffolding for this project is based on an earlier blog on writing a full-fledged API service. It’s a great resource for in-depth code explanations, as I’ll focus mostly on billing aspects here.

Set Up Your User Store – Stormpath

To get started, register for a free Stormpath developer account. Stormpath is an authentication and user management service that stores your user accounts and exposes a host of endpoints for working with those users. Sign up here, click the verification link in your Email and log in to the admin console here.

Once you’re in, download your Stormpath API Key (located under the “Developer Tools” section on the homepage). You will need the values in the apiKey.properties file to test your work.

Next, create a Stormpath Application to represent this sample project. Stormpath Applications are convenience resources to help you model out your user data; create one for every real-world app backed by Stormpath. Go ahead and click on Applications in the navigation bar, hit the blue “Create Application” button and keep the settings default in the subsequent popup. Name the Application whatever you want, but something like “Sample Billing API” would work nicely! Once created, take note of the Application’s REST URL because we’ll need it too.

Stormpath Create new app

As a last step, let’s turn on Email verification. To do so, click the Directories tab and find the Directory auto-generated for the new Application (e.g. “Sample Billing API Directory”). Once on the page for this Directory, click the “Workflows” link on the left-hand sidebar and you will find yourself looking at the Email verification workflow page.

Stormpath configure Directory

Make three changes on this page: Update the drop down value to “enabled”, set the “Link Base URL” to http://localhost:3000/verified and click the blue “Save Changes” button. Optionally, update the wording of the email to whatever you like, so long as you include the ${url} macro.

Now that this workflow is enabled, all new Accounts will be created with an unverified status in Stormpath and will not be allowed to authenticate until they click the link in the Email sent to them on registration. This type of verification step is generally just a good practice for any sort of secure app. But it’s a requirement for us because we are going to use the Email address users give us on registration to create a customer record for them. Knowing that every user actually has access to the Email address they register with is therefore that much more important.

Set Up Your Billing Provider – Stripe

We have one more service provider to register for: Stripe. Stripe manages credit card data, subscriptions and payment transactions, so we don’t have to worry about things like PCI compliance. Or building a billing backend.

Once registered, you’ll notice that your Stripe Account is set to ‘test’. Leave that setting alone as it will allow us to use fake credit cards when we’re ready.

Hold off on further Stripe configurations for now; just make sure to take note of your Stripe API Keys. More specifically, your pair of test Keys. You can find them in your account page under the “API Keys” tab.

Stripe API Keys

Write the Web Console and REST API

All of the code for this project is available on GitHub. To follow along directly, pull down the repo and cd into the project folder. Once downloaded, install the Node.js dependencies by running npm install from your terminal which will automatically pull what you need from the package.json file. Assuming you have Node.js and NPM installed of course =).

Next, run bower install to get the frontend dependencies via the bower.json file.

Our basic web console should have a few key functions right away:

  1. It can register users with a username and password securely
  2. It can consume verification tokens to enable newly created users after they click through the verification email
  3. It can login users to a basic dashboard page and create a secure session

The core functionality of our app is wrapped up in the index.js file. Here, we import our libraries and routes:

var async = require('async');
var express = require('express');
var stormpath = require('express-stormpath');

var apiRoutes = require('./routes/api');
var privateRoutes = require('./routes/private');
var publicRoutes = require('./routes/public');

Create the Express.js application:

var app = express();

Specify a templating engine:

app.set('view engine', 'jade');
app.set('views', './views');

Configure API access to Stripe:

app.locals.stripePublishableKey = process.env.STRIPE_PUBLISHABLE_KEY;

Configure middleware to serve static files:

app.use('/static', express.static('./static', {
  index: false,
  redirect: false
}));
app.use('/static', express.static('./bower_components', {
  index: false,
  redirect: false
}));

Configure Stormpath’s Express.js integration:

app.use(stormpath.init(app, {
  enableAccountVerification: true,
  expandApiKeys: true,
  expandCustomData: true,
  redirectUrl: '/dashboard',
  secretKey: 'very-long-and-very-secret-key',
  postRegistrationHandler: function(account, req, res, next) {
    async.parallel([
      // Create an API key for this user.
      function(cb) {
        account.createApiKey(function(err, key) {
          if (err) return cb(err);
          cb();
        });
      }
    ], function(err) {
      if (err) return next(err);
      next();
    });
  }
}));

Specify route code:

app.use('/', publicRoutes);
app.use('/api', stormpath.apiAuthenticationRequired, apiRoutes);
app.use('/dashboard', stormpath.loginRequired, privateRoutes);

And finally, prop up our server.

app.listen(process.env.PORT || 3000);

To illustrate further, let’s take a quick look at the views routes.

public.js

'use strict';

var express = require('express');
var stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

// Globals
var router = express.Router();

// Routes
router.get('/', function(req, res) {
  res.render('index');
});

router.get('/pricing', function(req, res) {
  res.render('pricing');
});

// Exports
module.exports = router;

As you can see, there are only two public pages we absolutely need: A homepage for our app and a pricing page so we can tell new users how much API access will cost them. And why it’s totally worth the cost.

private.js

'use strict';

var bodyParser = require('body-parser');
var express = require('express');
var stormpath = require('express-stormpath');
var stripe = require('stripe')(process.env.STRIPE_SECRET_KEY);

// Globals
var router = express.Router();

// Middlewares
router.use(bodyParser.urlencoded({ extended: true }));

// Routes
router.get('/', function(req, res) {
  res.render('dashboard');
});

// Exports
module.exports = router;

For now, private.js just needs to serve up our dashboard.jade template. You may be wondering why there are no routes related to auth. The answer is Express-Stormpath takes care of all the basic authentication functionality (including views) like registration, login, email verification etc. out of the box.

However, to make Express-Stormpath work the way we want it to, there are three important configurations to set in index.js:

  1. First, set enableAccountVerification to true so the library knows to expect an enabled verification workflow.
  2. Second, tell Express-Stormpath to redirect to /dashboard after registration and login.
  3. Lastly, pass in a long, randomly-generated secret to encrypt sessions.

We’re just missing one key piece of functionality… our money maker! Inside the routes directory, add one more file: api.js. My API has just one endpoint, /hi, that greets API consumers with a friendly message.

// api.js: a router so index.js can mount it under /api
var router = require('express').Router();

router.post('/hi', function(req, res) {
  res.status(200).json({ hi: 'there' });
});

module.exports = router;

Generate API Keys for Your Users with Stormpath

If you plan to charge for your API, you also want to secure it with proper authentication. This means username and password aren’t going to cut it and your app needs to generate a unique set of high entropy API Keys for each user. Just as Stripe and Stormpath did when we registered earlier.

Express-Stormpath can do this step automatically on every registration with some custom event handling logic:

app.use(stormpath.init(app, {
  enableAccountVerification: true,
  expandApiKeys: true,
  expandCustomData: true,
  redirectUrl: '/dashboard',
  secretKey: 'very-long-and-very-secret-key',
  postRegistrationHandler: function(account, req, res, next) {
    async.parallel([
      // Create an API key for this user.
      function(cb) {
        account.createApiKey(function(err, key) {
          if (err) return cb(err);
          cb();
        });
      }
    ], function(err) {
      if (err) return next(err);
      next();
    });
  }
}));

Once the keys are generated, it’s a quick job to expose them to the user in the dashboard. Add a section to display the API key and ID like so:

dashboard.jade
 .row.api-keys
      ul.list-group
        .col-xs-offset-1.col-xs-10
          li.list-group-item.api-key-container
            .left
              strong API Key ID:
              span.api-key-id #{user.apiKeys.items[0].id}
            .right
              strong API Key Secret:
              span.api-key-secret #{user.apiKeys.items[0].secret}

And there you have it! Your users can register, verify they are who they say they are, find their API credentials and use those credentials to hit your awesome new REST endpoint.

Add Billing to Your API

Return to the Stripe dashboard to continue setting up your account, starting by creating a new plan. This is where you get to determine what a subscription to your API looks like. Here’s mine for reference, but be sure to play with the details!

Create Stripe Plan

For this sample, I only need one plan (only one endpoint after all), but it’s entirely possible to create more.

At this point, I want to briefly acknowledge that monthly subscriptions are far from the only billing model out there. They are simply what most of our users here at Stormpath are implementing and mesh with the overall trend to a SaaS-based world. Still, a better option for some APIs is going to be a charge-per-query model as seen here. Fortunately for all of us, Stripe supports both.

Now that the plan is ready in Stripe, add a form to your own dashboard to collect a user’s credit card data and POST it to Stripe. The easiest way to do that is with Stripe checkout. Here’s how that might look in our dashboard template:

.row.widgets
      .col-md-offset-4.col-md-4
        .panel.panel-primary
          .panel-heading.text-center
            h3.panel-title Billing
          .billing-content.text-center
            span
              h3.
                Upgrade To Pro
            form(action='/dashboard/charge', method='POST')
              script.stripe-button(
                src = 'https://checkout.stripe.com/checkout.js',
                data-email = '#{user.email}',
                data-key = '#{stripePublishableKey}',
                data-name = '#{siteTitle}',
                data-amount = '1000',
                data-allow-remember-me = 'false'
              )

However, that’s actually only half the battle. Because this form lives on the client side, what it actually does is create a token. This token is then passed to a private route (/charge) that will POST it to Stripe with instructions on what sort of action we want to take.

In our case, we want to do three things:

  1. Create the customer in Stripe and add them to our Plan
  2. In a callback, save the user’s new Stripe customer ID to their Stormpath Account record
  3. Save information about the plan to the user’s Stormpath Account record

At a high level, the function uses the session Express-Stormpath created (req.user) on authentication to find and update the correct Account. More specifically, it’s saving data (from Stripe) to the Account’s customData; a schemaless JSON resource available on all Stormpath Accounts. customData can store whatever user data you want in Stormpath and that means we don’t have to spin up a database =).

router.post('/charge', function(req, res, next) {
  stripe.customers.create({
    source: req.body.stripeToken,
    plan: 'pro',
    email: req.user.email
  }, function(err, customer) {
    if (err) return next(err);

    // Add the user to this group.
    req.app.get('stormpathApplication').getGroups({ name: 'pro' }, function(err, groups) {
      if (err) return next(err);

      var group = groups.items[0];
      req.user.addToGroup(group, function(err) {
        if (err) return next(err);

        // Update the user's plan.
        req.user.customData.billingTier = customer.subscriptions.data[0].plan;
        req.user.customData.billingProviderId = customer.id;
        req.user.customData.save(function(err) {
          if (err) return next(err);
          res.redirect('/dashboard');
        });
      });
    });
  });
});

I chose to call the two new customData keys billingProviderId and billingTier, but you can use whatever JSON compatible values you like.

Implement Authorization in Your API

At this point, the user can register, connect to your API securely, and pay you. However, there’s one more thing to do: restrict access to the API to paying users only. We can’t be greeting freeloaders after all!

This step, commonly referred to as authorization, requires the API to check who the caller is, what plan they are on and whether they should have access to the endpoint. The first element, knowing who they are, has already been implemented via HTTP Basic Auth.

With the user identified, verify that their plan matches what it should. Here’s our basic authorization check on the updated api/hi route:

router.post('/hi', function(req, res) {
  if (!req.user.customData.billingTier || req.user.customData.billingTier.id !== 'pro') {
    res.status(402).json({ error: 'Please Upgrade to the pro plan' });
  } else {
    res.status(200).json({ hi: 'there' });
  }
});

In a production app, you would want to decouple the authorization check into middleware, but hopefully this helps illustrate how simple the logic is. api/hi is officially available to paid users only.
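To decouple that check into middleware as suggested above, here is an added example (not code from the tutorial or from Stormpath) that assumes the customData shape the /charge route stores: billingTier holds the Stripe plan object whose id is 'pro', and anything missing or malformed is treated as the free tier rather than as access.

```javascript
// Added example, not part of the Stormpath tutorial: the plan check from the
// /hi route factored into reusable Express-style middleware. It assumes the
// same data the tutorial stores, req.user.customData.billingTier being the
// Stripe plan object ({ id: 'pro', ... }) saved by the /charge route.

// Plans ranked so that a higher tier also unlocks lower-tier endpoints.
var PLAN_RANK = { free: 0, pro: 1 };

// Read the tier id the /charge route stored in Stormpath customData.
// A missing, unknown or malformed value is treated as 'free', never as access.
function currentTier(user) {
  var tier = user && user.customData && user.customData.billingTier;
  if (tier && typeof tier.id === 'string' && PLAN_RANK.hasOwnProperty(tier.id)) {
    return tier.id;
  }
  return 'free';
}

// requirePlan('pro') returns middleware that answers 402 Payment Required
// unless the authenticated caller's tier is at least the required one.
function requirePlan(required) {
  if (!PLAN_RANK.hasOwnProperty(required)) {
    throw new Error('unknown plan: ' + required);
  }
  return function(req, res, next) {
    var tier = currentTier(req.user);
    if (PLAN_RANK[tier] >= PLAN_RANK[required]) return next();
    // Tell the caller which plan unlocks this endpoint; nothing else leaks.
    res.status(402).json({
      error: 'Please upgrade to the ' + required + ' plan',
      currentPlan: tier,
      requiredPlan: required
    });
  };
}

// In api.js the route would then read:
//   router.post('/hi', requirePlan('pro'), function(req, res) {
//     res.status(200).json({ hi: 'there' });
//   });

// Minimal stand-in for an Express response so the middleware can be
// exercised offline; it records status and body instead of writing a socket.
function fakeResponse() {
  var out = { statusCode: 200, body: null };
  out.status = function(code) { out.statusCode = code; return out; };
  out.json = function(obj) { out.body = obj; return out; };
  return out;
}

// Run the middleware against a constructed request and report the outcome.
function check(required, user) {
  var res = fakeResponse();
  var called = false;
  requirePlan(required)({ user: user }, res, function() { called = true; });
  return { allowed: called, statusCode: called ? 200 : res.statusCode, body: res.body };
}

// Constructed sample accounts shaped like what Express-Stormpath hands back
// (customer id is a placeholder, not a real Stripe value).
var proUser = { email: 'pro@example.test', customData: {
  billingTier: { id: 'pro', amount: 1000 }, billingProviderId: 'cus_PLACEHOLDER' } };
var freeUser = { email: 'free@example.test', customData: {} };
var malformedUser = { email: 'odd@example.test', customData: { billingTier: 'pro' } };

console.log('pro user  ->', JSON.stringify(check('pro', proUser)));
console.log('free user ->', JSON.stringify(check('pro', freeUser)));
console.log('malformed ->', JSON.stringify(check('pro', malformedUser)));
```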

Run Your API Service – with Billing!

Of course, you’ll want to check that everything is working as expected! Remember all those Stripe and Stormpath credentials you collected in the beginning? Now is the time to expose them to your application as environment variables.

export STRIPE_PUBLISHABLE_KEY=StripeTestPublishableKeyGoesHere
export STRIPE_SECRET_KEY=StripeTestSecretKeyGoesHere
export STORMPATH_API_KEY_ID=StormpathAPIKeyIDGoesHere
export STORMPATH_API_KEY_SECRET=StormpathAPIKeySecretGoesHere

Run the application with: node index.js and visit the index page in your browser at http://localhost:3000 where you should be greeted with:

Billing App Homepage

You can now check out the pricing page, be thoroughly convinced, and register for the app. Once logged in, you should see a set of API credentials for your API. Use these to make a test request against your api with cURL:

curl -v --user 'apiKeyID:apiKeySecret' -X POST -H 'Content-Type: application/json' 'http://127.0.0.1:3000/api/hi'

If all is well, your API should return an HTTP 402 response with a message telling you to upgrade.

Go back into the dashboard and click the Upgrade button. Because Stripe is in test mode, use 4242 4242 4242 4242 for the card number, any future date for the expiration field and a random 3 digits for the cvc.

To verify that the transaction went through, try running the exact same cURL command again. Congratulations! You now have a fully functional web console and REST API with billing built-in and enforced.

Optional Configurations

There are a nearly unlimited number of things you could do to improve this rather paltry API. Here are three to consider.

Revoke Access When a User Fails to Pay

Once your service blows up in popularity, it will become increasingly annoying to manually update every Account that stops paying. Stripe webhooks are a great way to automate this process. In our case, we want to set up a webhook that fires whenever a customer’s subscription is deleted.

Stripe Webhook

Once the webhook is configured in Stripe, expose a public route to consume the event. Anyone who knows the URL can POST to it, so we can’t simply trust that Stripe was the one to hit our endpoint. The safe approach is to treat the posted body as nothing more than a pointer to an event and fetch the real thing from Stripe:

  1. Consume the webhook from Stripe and parse out the event ID
  2. Retrieve the event from Stripe by that ID and check that its type is the one we expect
  3. Retrieve the customer associated with the event and parse out their email
  4. Search Stormpath for the Account associated with that email address
  5. Update the Account to reflect their new subscription status
  6. Respond to Stripe to indicate the webhook was successfully received

Here’s how that looks:

router.post('/subscription-cancel', function(req, res, next) {
  // Only the event ID is taken from the request body; the event itself is
  // fetched from Stripe, so a forged POST cannot make us act on made-up data.
  stripe.events.retrieve(req.body.id, function(err, event) {
    if (err) return next(err);

    var type = event.type;

    // Check that the event type is a subscription cancellation.
    if (type !== 'customer.subscription.deleted') {
      return res.json();
    }

    var customerId = event.data.object.customer;

    stripe.customers.retrieve(customerId, function(err, customer) {
      if (err) return next(err);

      var customerEmail = customer.email;
      req.app.get('stormpathApplication').getAccounts({ email: customerEmail }, function(err, accounts) {
        if (err) return next(err);

        var account = accounts.items[0];
        // No matching Account: acknowledge the event so Stripe stops retrying.
        if (!account) {
          return res.json();
        }

        account.getCustomData(function(err, data) {
          if (err) return next(err);

          // Keep the plan object /charge saved, but mark the plan as cancelled.
          data.billingTier = data.billingTier || {};
          data.billingTier.id = 'cancelled';
          data.save(function(err) {
            if (err) return next(err);

            return res.json();
          });
        });
      });
    });
  });
});

To test, expose your local server to the internet so Stripe’s webhook can hit the new route. Ngrok is a great option for that. Once running, update the Stripe webhook to point at your public ngrok URL and cancel a test customer’s subscription. If successful, you should see an update on their Stormpath Account’s customData to reflect the cancellation.
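To see the six steps above as one checked procedure, here is the handler again as an added example (not the post’s code), run against constructed in-memory doubles for the Stripe client and the Stormpath account lookup so that it executes offline. The doubles answer synchronously, but the handler keeps the callback style so it would drop in unchanged against the real clients; the event and customer IDs, the ACCOUNTS table and the handled set are this example’s own assumptions. Beyond the post’s version it adds two things a practitioner would want: the event ID is validated and remembered so a replayed delivery is a no-op, and the downgrade is applied only to the Account whose stored billingProviderId is the Stripe customer on the event.

```javascript
'use strict';

// Added example, not the Stormpath post's code: the /subscription-cancel
// handler with the six checks above, run against constructed in-memory
// doubles for the Stripe client and the Stormpath account lookup so it
// executes offline. The doubles answer synchronously; the handler keeps the
// callback style so it would drop in unchanged against the real clients.

// Constructed Stripe data: two cancellation events and one unrelated event.
const STRIPE_EVENTS = {
  evt_cancel_1: { id: 'evt_cancel_1', type: 'customer.subscription.deleted',
                  data: { object: { customer: 'cus_alice' } } },
  evt_cancel_2: { id: 'evt_cancel_2', type: 'customer.subscription.deleted',
                  data: { object: { customer: 'cus_ghost' } } },
  evt_paid_1:   { id: 'evt_paid_1', type: 'invoice.payment_succeeded',
                  data: { object: { customer: 'cus_alice' } } },
};
const STRIPE_CUSTOMERS = {
  cus_alice: { id: 'cus_alice', email: 'alice@example.com' },
  cus_ghost: { id: 'cus_ghost', email: 'ghost@example.com' },
};

// Stand-in for the stripe npm client; unknown IDs error, as the real API does.
const stripe = {
  events: { retrieve(id, cb) {
    return STRIPE_EVENTS[id] ? cb(null, STRIPE_EVENTS[id]) : cb(new Error('No such event: ' + id));
  } },
  customers: { retrieve(id, cb) {
    return STRIPE_CUSTOMERS[id] ? cb(null, STRIPE_CUSTOMERS[id]) : cb(new Error('No such customer: ' + id));
  } },
};

// Stand-in for stormpathApplication.getAccounts({ email }); customData holds
// what /charge saved, including the Stripe customer ID.
const ACCOUNTS = [
  { email: 'alice@example.com',
    customData: { billingTier: { id: 'pro' }, billingProviderId: 'cus_alice' } },
];
function getAccounts(query, cb) {
  cb(null, { items: ACCOUNTS.filter((a) => a.email === query.email) });
}

// Stripe retries on non-2xx and can deliver an event more than once; remember
// handled IDs so a replay (or anyone re-posting a real ID) is a no-op.
const handled = new Set();

// Result is { status, reason } so a route can map it onto res.status(...).
function handleSubscriptionCancel(body, cb) {
  // Step 1: the body is untrusted, anyone can POST here. Take only the event
  // ID from it and fetch the authoritative event from Stripe.
  const id = body && body.id;
  if (typeof id !== 'string' || !/^evt_[A-Za-z0-9_]+$/.test(id)) {
    return cb(null, { status: 400, reason: 'missing or malformed event id' });
  }
  if (handled.has(id)) return cb(null, { status: 200, reason: 'already processed' });

  stripe.events.retrieve(id, function (err, event) {
    // Step 2: an ID Stripe does not know is not an event to act on; the type
    // comes from Stripe's copy, never from the posted body.
    if (err) return cb(null, { status: 400, reason: 'unknown event' });
    if (event.type !== 'customer.subscription.deleted') {
      return cb(null, { status: 200, reason: 'ignored event type ' + event.type });
    }
    // Steps 3 and 4: resolve the customer, then the account it belongs to.
    stripe.customers.retrieve(event.data.object.customer, function (err, customer) {
      if (err) return cb(err);
      getAccounts({ email: customer.email }, function (err, accounts) {
        if (err) return cb(err);
        const account = accounts.items[0];
        // Step 5: downgrade only, and only the account bound to this Stripe
        // customer. A webhook can never raise a tier, so a replayed or
        // mis-targeted event cannot grant access.
        const matched = !!account && account.customData.billingProviderId === customer.id;
        if (matched) account.customData.billingTier = { id: 'cancelled' };
        handled.add(id);
        // Step 6: 200 tells Stripe the delivery succeeded and stops retries,
        // including when no account matched (retrying would not help).
        return cb(null, { status: 200, reason: matched ? 'downgraded' : 'no matching account' });
      });
    });
  });
}

// Drives the handler against the doubles and returns its result.
function deliver(body) {
  let outcome;
  handleSubscriptionCancel(body, function (err, result) {
    if (err) throw err;
    outcome = result;
  });
  return outcome;
}

// Current plan id of an account, for inspection.
function tierOf(email) {
  const account = ACCOUNTS.find((a) => a.email === email);
  return account ? account.customData.billingTier.id : null;
}
```

In an Express route the result maps straight onto res.status(result.status).json(result). Because the handler only ever lowers a tier and only for the Account tied to the Stripe customer, the worst an attacker who discovers the URL can do is trigger processing of an event Stripe already issued.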

Configure Stripe to Send Invoice Receipts via Email

This may not seem like a big deal, but trust us, it is super convenient for you and your customers! The Stormpath billing team fully endorses this option =). Enable it in Stripe’s Account Settings Email tab.

Stripe Email configurations

Add Paid Users to a Stormpath Group

I chose to use customData for authorization in my example because its flexibility would allow me to implement very granular authorization rules based on the plan data collected from Stripe. However, Stormpath also supports the notion of a Group, which is more commonly used for authorization. The Group approach is handy because it is very simple to query Stormpath for all users that belong to a particular Group.

To get the best of both worlds, create a new Group to represent the Stripe plan in Stormpath and add users to it when they upgrade. To create the Group, log into the Stormpath admin console, find your Directory, Click ‘Groups’ in the sidebar and click the ‘Create Group’ button.

Stormpath create Group

Now update /charge to additionally add the user to a Group:

router.post('/charge', function(req, res, next) {
  stripe.customers.create({
    source: req.body.stripeToken,
    plan: 'pro',
    email: req.user.email
  }, function(err, customer) {
    if (err) return next(err);

    // Add the user to this group.
    req.app.get('stormpathApplication').getGroups({ name: 'pro' }, function(err, groups) {
      if (err) return next(err);

      var group = groups.items[0];
      // The Group must already exist in Stormpath (created in the admin console above).
      if (!group) return next(new Error('Group "pro" does not exist in Stormpath'));

      req.user.addToGroup(group, function(err) {
        if (err) return next(err);

        // Update the user's plan.
        req.user.customData.billingTier = customer.subscriptions.data[0].plan;
        req.user.customData.billingProviderId = customer.id;
        req.user.customData.save(function(err) {
          if (err) return next(err);
          res.redirect('/dashboard');
        });
      });
    });
  });
});

Other Resources on API Authentication

And that’s a wrap! Feedback and questions are most welcome in the comments, and you can always email support@stormpath.com for answers and assistance.

July 22, 2015

Mike Jones - MicrosoftAuthentication Method Reference Values Specification [Technorati links]

July 22, 2015 05:46 PM

OAuth logoPhil Hunt and I have posted a new draft that defines some values used with the “amr” (Authentication Methods References) claim and establishes a registry for Authentication Method Reference values. These values include commonly used authentication methods like “pwd” (password) and “otp” (one time password). It also defines a parameter for requesting that specific authentication methods be used in the authentication.

The specification is available at:

An HTML formatted version is also available at:

July 21, 2015

Mike Jones - MicrosoftLots of great data about JWT and OpenID Connect adoption! [Technorati links]

July 21, 2015 10:22 PM

JWT logoCheck out the post Json Web Token (JWT) gets a logo, new website and more by Matias Woloski of Auth0. I particularly love the data in the “Numbers speak for themselves” section and the graph showing the number of searches for “JSON Web Token” crossing over the number of searches for “SAML Token”.

Also, be sure to check out http://jwt.io/, where you can interactively decode, verify, and generate JWTs. Very cool!

CourionCyber security for Planes, Bikes, & Cars: Your #TechTuesday Roundup [Technorati links]

July 21, 2015 12:27 PM

Access Risk Management Blog | Courion

RoundUp

Pro cycling, the automobile and airplane industries take a stand against hacking in this week's #TechTuesday blog. We also look into new survey results and talk about what's really keeping security executives up at night. Come one, come all, it's time for the weekly roundup!

Hacking in Professional Cycling  

It started with baseball; now it looks like another sport has been infiltrated by hackers. Team Sky, a professional cycling team competing in the Tour de France, has come forward with allegations that critics hacked into their system and stole training data for one of its cyclists. Watch the video for the full story. Saul O'Keeffe, Itsecurityguru.com

Automobile Industry Gears Up For Cyber-Threat Intel-Sharing 

Is this a sign companies are finally realizing that security goes in the development stage and not after implementation?

Car Computer

According to this article, "more than 60% of all new vehicles by 2016 are expected to be connected to the Internet" so several car manufacturers have joined to form an alliance to help secure systems in our cars. Kelly Jackson Higgins, Darkreading.com

United Airlines Pays Man a Million Miles for Finding Bug

A few months ago, United Airlines launched a "bug-bounty program" which invited anyone and everyone to try and hack into their systems for a reward of one million miles. Well, the company met its match in Jordan Wiens. Read on for more on the program, Jordan, and the safety of flight systems. Kim Zetter, Wired.com

Here are all of the crazy illegal things for sale on the hacker forum the Feds just shut down

Darkcode

Darkcode is no more! While this is a very "1 down, 800 to go" situation, let's celebrate and marvel at some of the crazy illegal things they had for sale. Cale Guthrie Weissman, Businessinsider.com

What's keeping security experts awake at night?

Spending money on security and still seeing breaches? You aren't alone.

According to Vass, "enterprises are throwing lots of money, time and staff at security, but it's not hitting the things that truly worry security experts." Our question is, are these really the issues that worry you? Let us know in the comments or tweet us @Courion. Lisa Vass, Nakedsecurity.com

blog.courion.com

Julian BondA couple of good posts here about the state of Labour in the UK. [Technorati links]

July 21, 2015 09:38 AM
A couple of good posts here about the state of Labour in the UK.

http://chocolateandvodka.com/2015/07/21/labours-already-dead-but-who-killed-them/

http://simonnricketts.tumblr.com/post/124334692582/youre-already-dead

Labour's dead now and we probably have to suffer the full 13 years of Tory mis-rule.  So it's time for Labour to remember what it's actually about and to pull the Overton Window[1] to the left. They need to find some spine and create an opposition party that’s actually in opposition to the Tories.  Maybe real Left Socialism is unelectable in this part of the election cycle. But that doesn't mean the reasons for it and need for it have disappeared.

The Farage/Trump deal seems to be recognising that it doesn't matter if you get elected or not, if you can say what others dare not say and so pull the conversation your way. The Left should understand that they can play that game as well.

Meanwhile it's the SNP that are standing for 20th century, mixed social-democracy in the UK not Labour. If the current Tories are Blair-Lite[2], then current Labour is Blair-Lite-Lite. To the point where there's nothing there at all.

[1]https://en.wikipedia.org/wiki/Overton_window
[2]Cameron vs Brown was described as Blair-Lite vs Thatcher-Lite

[from: Google+ Posts]
July 18, 2015

Matthew Gertner - AllPeersLas Vegas Beyond the Strip! [Technorati links]

July 18, 2015 05:38 PM

Las Vegas is known as “Sin City”. It was once a city of burlesque shows, quiet mob schemes and remains a prime gambling destination. There is more to Las Vegas than the bright lights, slot machines and poker tables. Use Hipmunk’s Guide to Las Vegas to help find hot attractions, concerts, featured restaurants and other entertainment throughout the city.


Freemont Street

Freemont Street is known as the “Old Las Vegas Strip”. The Golden Nugget and Four Queens casinos are in the heart of the “Freemont Street Experience”. This area is one of the hot spots for finding cheap eats in the city that never sleeps. Overhead there is a zip line that slides above those walking and performing on the street below. This street is actually covered. The ceiling spans the distance of 500-yards with visual aquarium scenes and visual lighting displays.

History Channel Television Show Businesses

Several Las Vegas businesses have television shows on the History Channel. American Restoration is one business where vintage items are restored to their original, brand new condition. Count’s Kustoms, featured on Counting Cars, is just a few miles from the strip. Tours of the owner’s car collection are available.

Gold and Silver Pawn Shop is featured on Pawn Stars. Several local businesses such as a collectible toy shop, historical society members, gun shop experts and art experts frequent this location to provide information and appraisals on items that customers bring in.

Museums 

The Shelby Mustang museum is located in Las Vegas. It is the home of the first, and original, Shelby mustang. The Natural History Museum is located in the cultural corridor of the city. It has exhibits and displays featuring items of historical importance telling the story of how Las Vegas came to be.

Over 200 classic pinball machines are on display at the Pinball Hall of Fame. Most of the machines do have power to them but are for viewing and not use.

The city is situated in Clark County. The Clark County Museum has a gift shop for guests to purchase souvenirs reminiscent of Las Vegas culture. Also within this museum are railway exhibits, ghost town exhibits and several tours of barns, mining trails and locations of interest.

Off the Strip Entertainment

Off the strip and about an hour from Las Vegas is the Hoover Dam. On the way to the Hoover Dam guests can stop off in Henderson, Nevada and take in the views from mountain ranges while having a meal at a local favorite hot spot.

If traveling too far from Vegas is not an option, a short drive will take you to a Red Skelton Tribute Show or Death Valley Tour. Death Valley is one of the hottest places on earth and, for your safety, scheduling with a tour company for an assisted tour is the best option.

Other off the strip activities include visiting Area 51, a visit to the Grand Canyon or taking a drive down historic Route 66.

One of the most difficult decisions to make in Las Vegas is what to do each day because there are literally thousands of options. Families on vacation can visit local parks and casinos like Circus Circus that have an area just for kids to play in. It is a bonus if there is room in the budget to visit a celebrity chef’s restaurant for a meal. Gordon Ramsay, Bobby Flay, and Wolfgang Puck are just some of the celebrity chefs with acclaimed restaurants tucked inside prestigious casinos in Las Vegas.

This article was contributed by Fiona Moriarty of Hipmunk, the most comprehensive travel search website allowing you to find the best deals on anything from flights and hotels to train rides and Homeaway rentals.

The post Las Vegas Beyond the Strip! appeared first on All Peers.

July 17, 2015

IS4UFIM2010: Writing Advanced Attribute Flows [Technorati links]

July 17, 2015 01:44 PM

Intro

Once in a while you will come across very complex business requirements while implementing FIM in a large environment. These requirements often require a classic architecture (with VB or C# extensions), but can create very messy code that is hard to maintain. This article does not start another discussion on whether or not you should (try to) use 100% declarative (codeless) or a classic architecture when implementing such large scenarios. A good article on this topic: codeless architecture and when you are not able to use declarative configuration. Instead, this article will focus on how you should implement a proper classic architecture, in a way that is performant, readable, agile and easy to maintain.

Advanced flow rules

A basic map attributes for import method is written as follows:
void IMASynchronization.MapAttributesForImport(
  string flowRuleName, CSEntry csentry, MVEntry mventry)
{
    switch (flowRuleName)
    {
        case "SomeFlowRuleName":
            {
                // Some code ...
            }
            break;
        default:
            {
                throw new EntryPointNotImplementedException(
                   string.Concat("Flow rule name not found: ", 
                   flowRuleName));
            }
    }
}
Imagine you have 12 advanced import rules, which is not that many in a big environment, and each rule averages 16 lines of code. Because each case statement already adds 4 lines of its own, you end up with a method of 240 lines. You could create a method for each case statement; that way the switch statement becomes more readable. What if we want to take this one step further? That is where reflection comes into play.

Reflection

Reflection is a programming concept that enables a program to inspect its own types and members at run time, and to invoke (or even modify) them dynamically. You can apply reflection to the class itself, but also to other classes. Reflection enables you to use the same implementation of the method MapAttributesForImport in all your rules extensions. Similar code can also be used for MapAttributesForExport, MapAttributesForJoin and ResolveJoinSearch. Each attribute flow is implemented in its own method, e.g. importMustChangePassword. By using a simple naming convention, import/export followed by the target attribute name, readability is very good. Because each attribute can only be the target of one export attribute flow, this convention also ensures uniqueness.

Code using reflection

The first line constructs an array of objects: the parameters that will be passed to our advanced attribute flow method. The second line constructs a BindingFlags value that determines which kind of member we will call; the binding flags describe the member signature. InvokeMethod indicates we are calling a method, not a constructor. NonPublic indicates the access modifier: we will call a private, internal or protected method. Instance specifies that instance members are to be included in the search.

The third line does the actual call. It invokes the member on the current object: the reflection mechanism searches the current class for methods whose name matches flowRuleName, that satisfy the binding flags, and whose parameter count and types match the parameter array. If exactly one match is found, the method is invoked; if none is found, InvokeMember throws a MissingMethodException, which the catch block turns into the same EntryPointNotImplementedException the switch version threw. Because the search is limited to this class's non-public instance methods, a flow rule name coming from the synchronization configuration can only dispatch to methods you wrote in the extension.

void IMASynchronization.MapAttributesForImport(string flowRuleName, 
       CSEntry csentry, MVEntry mventry)
{
    try
    {
        object[] parameters = { mventry, csentry };
        BindingFlags bindingFlags = BindingFlags.InvokeMethod | 
            BindingFlags.NonPublic | BindingFlags.Instance;
        this.GetType().InvokeMember(flowRuleName, bindingFlags, 
            null, this, parameters);
    }
    catch (MissingMethodException)
    {
        throw new EntryPointNotImplementedException(
          string.Concat("Flow rule name not found: ", 
          flowRuleName));
    }
}

Example attribute flow rule

An example to illustrate the mechanism is this rule, which sets a flag on the metaverse person object indicating whether the user has to change their password.
/// <summary>
/// Imports the must change password flag. 
/// This flag is true if the pwdLastSet timestamp
/// attribute is set to 0.
/// </summary>
/// <param name="mventry">Destination metaverse entry.</param>
/// <param name="csentry">Source connector space entry.</param>
private void importMustChangePassword(MVEntry mventry, CSEntry csentry)
{
    if (csentry["pwdLastSet"].IsPresent)
    {
        mventry["mustChangePassword"].BooleanValue = 
            csentry["pwdLastSet"].IntegerValue == 0;
    }
}

References

July 16, 2015

ForgeRockWhat Are ForgeRock Customers Saying? [Technorati links]

July 16, 2015 10:02 PM

Customers and users of a product know best. They have the experience and honest opinions about the products that they are implementing in their projects. Here are some examples of what people from the extended ForgeRock community are saying:


“ForgeRock gives us better visibility on identity in the organization.”
Application Manager, Large Enterprise Media & Entertainment Company
Source: http://www.techvalidate.com/tvid/04F-BA5-C24


“The software is so flexible and so perfectly fits with our model of doing business that we were able to put out a production-ready system in 5 months.”

“Our mobile users had a really bad login experience…We were able to write them a secure way of logging in and out so they don’t need to go to their username and password all the time. That one project alone led to a huge improvement in customer satisfaction.”
Kristin Ellis, IT Manager, GEICO Insurance Company
Source: https://vimeo.com/129718370


“Instead of a fixed black-box legacy application we now have an open-source extensible solution. Centralized identity management has prepared us for future business initiatives (including mobile).”

Paul Saraber, Enterprise Architect, Portbase BV
Source: http://www.techvalidate.com/tvid/14D-3AB-2FD


“OpenDJ is and had been rock solid!”
Patrick Stromberg, Architect, Pharmacy Systems and Automation, McKesson
Source: http://www.slideshare.net/ForgeRock/mckesson-case-study-pharmacy-systems-automation


“Scale matters. When we started this technology at Sun, we were focused on and selling to the big time carriers. So everything had to be carrier-scale. […] A very unique DNA for the technology at ForgeRock”

Scott McNealy, Co-Founder and former CEO Sun Microsystems, CEO Wayin
Source: https://vimeo.com/123222073


“ForgeRock enabled form-fitting of a complete identity solution in a matter of a month due to the flexibility.”
Senior IT Architect, Computer Services Company
Source: http://www.techvalidate.com/tvid/B2F-0C9-5E1


“Toolsets such as ForgeRock help manage contextual moments of personas, over time, so that data collected about users can be shared contextually and ethically, for the entire lifespan of that data.”
Michelle Finneran Dennedy, vice president and chief privacy officer at Intel Security, and adjunct faculty instructor at INI at Carnegie Mellon University
Source: https://youtu.be/msQqj5GT0-k


“We had to look outside to find a system that could consolidate all those systems [100+] into one single platform”

“Ultimately, we want to move every single identity and authentication service that we have onto our new platform based on ForgeRock”
Jeff Bagby, VP of Collaboration, Thomson Reuters
Source: https://youtu.be/houJBKfbW-8


“ForgeRock allows us to quickly and economically implement a scalable authentication platform that will meet our changing needs for the next several years.”
IT Manager, Insurance Company
Source: http://www.techvalidate.com/tvid/8F9-E92-F9F


“ForgeRock allowed us to consolidate onto a single platform, which supported both our legacy applications and new emerging applications.”
Engineer, Telecommunications Services Company
Source: http://www.techvalidate.com/tvid/D8A-C4E-537


“Open Source is more secure than proprietary software”.
Scott McNealy, Co-Founder and former CEO Sun Microsystems, CEO Wayin
Source: https://vimeo.com/123222073


“ForgeRock is a single product that gives all our customers access, including integration with digital.”
Senior IT Architect, Financial Services Company
Source: http://www.techvalidate.com/tvid/7CD-EC6-127


“Because of ForgeRock we were able to capture a better view of services that a client has by integrating authentication of services together.”
Engineer, Telecommunications Services Company
Source: http://www.techvalidate.com/tvid/C5B-E5D-3A2


“The fact that OpenAM is open source means that organizations can make changes as needed. We aren’t required to wait for a vendor to add functionality we need. It also allows for the community to dig deep into bugs.

I recommend Forge Rock, as a company, because I feel the company is focused on the product. Many of the biggest names in technology are so big and bloated that they have no incentive and no drive to truly innovate. That makes for stale software and services. Forge Rock is committed to the product and not just their revenue.”
Engineer, Non Profit
Source: http://www.techvalidate.com/tvid/490-63F-B1F


“ForgeRock helped us achieve in 5 months what we failed to do in 2 years with a competitor product.”
Engineer, Non Profit
Source: http://www.techvalidate.com/tvid/484-7E2-FC8

The post What Are ForgeRock Customers Saying? appeared first on Home - ForgeRock.com.

Kaliya Hamlin - Identity WomanI’m Quoted in Guardian Article re: Ellen Pao [Technorati links]

July 16, 2015 07:29 PM

Yesterday a reporter called me up and asked me for comment on Ellen Pao. I said “What did you expect?” It became the headline! – I continued “Ellen was at the center of a high-profile sexual discrimination suit versus a major VC firm and she was put in charge of the teenage boy section of the internet. What did you expect was going to happen? It was inevitable that they would turn on her,”

You can read the whole article here – I wasn’t the only one unsurprised by what happened. :)

‘What did you expect?’ Women in tech reflect on Ellen Pao’s exit from Reddit

Kaliya Hamlin - Identity WomanEnabling Multi-Stakeholder Consensus on Cybersecurity Issues [Technorati links]

July 16, 2015 06:36 PM

My friend Allen who was at Brookings got a job with NTIA to figure out what issues to focus on and how to get multi-stakeholder collaboration on cyber security issues.  Because he asked me to respond I took the time to give him my thoughts and input drawing on my experience with the attempts by NSTIC to do this same thing.  Here is the PDF document. IPTF-Kaliya-2

I will in time work to publish it in blog sized sections online so it is more internally linkable (starting with an index from this post). Until then enjoy.

 

CourionAssessing the Risk of Identity and Access [Technorati links]

July 16, 2015 04:19 PM

Access Risk Management Blog | Courion

Here at Courion, our mission is to help customers succeed in a world of open access and increasing threats. We want to make sure that the right people have the right access to the right resources and that they are doing the right things with those resources. The question becomes, how does an organization assess those threats and gauge the risk it faces from both internal and external forces? Moreover, how do you plan for that risk and put in place processes to help detect, identify and manage the risk?

With an increasing number of computers and other devices and an increase in the ways in which users access resources, access rights and the monitoring and managing of complex user access rights becomes harder every day. The stresses and strains of access can come from all over but the most common offenders are: 

infrastructure change

-  Routine changes such as hiring, promotions or transfers 

-  Infrastructure changes such as mobility, cloud adaptation, system upgrades, or  new application rollouts. 

-  Business changes such as reorganizations, the addition of new products, or new partnerships

In addition to the stresses from business change, there are an increasing number of government regulations that require compliance, regardless of industry. From healthcare to banking, these regulations climb into the hundreds and assuring that you are fully compliant is more difficult than ever. This increase in regulations along with the increase in complexity of access rights makes identity and access governance a red hot priority.

Want to know more about how Identity and Access Governance can help lessen your risk? Read more by downloading our eBook and learn about: 

-  How to remain compliant with an IAM solution
-  Preparing for an attack
-  Automated provisioning
-  And more  
ebook assessing the risk

blog.courion.com

July 15, 2015

WAYF NewsNational Gallery of Denmark now a WAYF identity provider [Technorati links]

July 15, 2015 02:27 PM

The National Gallery of Denmark (‘SMK’) today completed its technical integration with WAYF as an identity provider. Accordingly, the Museum's staff now have the ability to access WAYF-enabled web services using their familiar SMK credentials.

July 14, 2015

CourionFrom Sense of Security to Smartphone Hacking: Our #TechTuesday Blog [Technorati links]

July 14, 2015 03:29 PM

Access Risk Management Blog | Courion

Four online casinos were asked to pay bitcoin ransoms to avoid cyber attacks
In a move that would make Danny Ocean proud, a new crop of casino robbers has left the Vegas strip and found new success online. According to the article "four New Jersey-based casinos were asked to pay a bitcoin ransom after being hit with distributed denial-of-service attacks." While it lacks the finesse of Ocean's 11, it does sound a lot easier than breaking into the Bellagio. Stan Higgens, Coindesk, Businessinsider.com

Email worries: providers name their top health data security risks
A few weeks ago, we brought you a blog on Healthcare's Unique Security Challenges, and it looks like we aren't the only ones diving into ways to increase security. The Advisory Board Company named email worries, compromised applications, and hackers as three of the top health data security risks. Read more to see if you agree. Advisory.com 

It's time we stopped calling Millennials "dumb" about data privacy
Full disclosure: I am a Millennial so it's no surprise that I agree with this article. However – putting my bias aside – I think this is a great look into why security teams shouldn't confuse this generation's sense of self with its sense of security. John Zorabedian, nakedsecurity.com

Hacking Team 0-Day Shows Widespread Dangers of All Offense, No Defense
You've heard the old saying "the best offense is a good defense" and this article agrees. With last week's Hacking Team breach, we saw how the issue of strong password practices once again can help keep you safe. Read more on passwords and how to #DefendfromWithin. Sara Peters, Darkreading.com

The insane ways your phone and computer can be hacked-even if they're not connected to the internet
Do you know what's inside your smartphone? Learn about how these tiny machines can give away even more of your information than you thought possible as well as seven other ways your phone and computer can be hacked. Cale Gutherie Weissman, Businessinsider.com

blog.courion.com

July 13, 2015

Mike Jones - MicrosoftJWK Thumbprint -08 approved by IESG [Technorati links]

July 13, 2015 11:50 PM

IETF logoThe IESG has approved JWK Thumbprint draft -08, meaning that it will now progress to the RFC Editor. Draft -08 added IANA instructions in response to an IESG comment by Barry Leiba.

The specification is available at:

An HTML formatted version is also available at:

Matthew Gertner - AllPeersUnderstanding Chronic Conditions: Diabetes [Technorati links]

July 13, 2015 10:17 PM

If you’re interested in moving from RN to MSN, you’ll need to pay extra close attention to the mélange of chronic conditions out there.  These are conditions that you will come across frequently as you progress in your career. One such chronic condition, Diabetes, will afflict 1 in 3 U.S. adults by the year 2050 if things progress as they have so far. Learn more important health facts in our latest infographic:

infoGraph

Organization Development | New England College Online

The post Understanding Chronic Conditions: Diabetes appeared first on All Peers.

July 10, 2015

KatasoftJJWT - JSON Web Token for Java and Android [Technorati links]

July 10, 2015 05:00 AM

Occasionally here at Stormpath, we find time for open-source projects in the authentication and user security space. One such project, which is taking off in the Java community, is JJWT: a self-contained Java library providing end-to-end JSON Web Token creation and verification.

JJWT aims to be the easiest library for creating and verifying JSON Web Tokens (JWTs) on the JVM, and started as a side-project of our CTO, Les Hazlewood.

Java JSON Web Tokens – Designed for Simplicity

The JSON Web Token for Java and Android library is very simple to use thanks to its builder-based fluent interface, which hides most of its internal complexity. This is great for relying on IDE auto-completion to write code quickly.

For example:

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.crypto.MacProvider;
import java.security.Key;

// We need a signing key, so we'll create one just for this example. Usually
// the key would be read from your application configuration instead.
Key key = MacProvider.generateKey();

String jwtString = Jwts.builder().setSubject("Joe").signWith(SignatureAlgorithm.HS512, key).compact();
```

That’s all… in just a single line of code you now have a JSON Web Token containing the Subject Joe signed with key so its authenticity can later be verified.

Now let’s verify the JWT:

```java
// Will throw SignatureException if signature validation fails.
assert Jwts.parser().setSigningKey(key).parseClaimsJws(jwtString).getBody().getSubject().equals("Joe");
```

To determine which key was used to sign the token, JJWT provides a handy little feature that will allow you to parse the token even if you don’t know which key was used to sign the token.

A SigningKeyResolver can inspect the JWS header and body (Claims or String) before the JWS signature is verified. By inspecting the data, you can find the key and return it, and the parser will use the returned key to validate the signature. For example:

```java
SigningKeyResolver resolver = new MySigningKeyResolver();

Jws<Claims> jws = Jwts.parser().setSigningKeyResolver(resolver).parseClaimsJws(compact);
```

The signature is still validated, and the JWT instance will still not be returned if the jwt string is invalid, as expected. You just get to ‘inspect’ the JWT data for key discovery before the parser validates it.

This of course requires that you put some sort of information in the JWS when you create it so that your SigningKeyResolver implementation can look at it later to look up the key. The standard way to do this is to use the JWS kid (‘key id’) field, for example:

```java
// Put the key identifier in the header, never the secret; compact() (not build()) serializes the signed token.
String jwtString = Jwts.builder().setHeaderParam("kid", your_signing_key_id_NOT_THE_SECRET).signWith(SignatureAlgorithm.HS512, key).compact();
```

Enhanced JWT Security Options

When it comes to creating, parsing and verifying digitally signed compact JWTs (aka JWSs), all the standard JWS algorithms are supported out of the box:

No need to install an additional encryption library; all these algorithms are provided by JJWT. It even provides convenient key generation mechanisms, so you don’t have to worry about generating safe/secure keys:

```java
MacProvider.generateKey();              // or generateKey(SignatureAlgorithm)
RsaProvider.generateKeyPair();          // or generateKeyPair(sizeInBits)
EllipticCurveProvider.generateKeyPair(); // or generateKeyPair(SignatureAlgorithm)
```

The generate methods that accept a SignatureAlgorithm argument produce a key whose size matches the strength of the specified algorithm.

How The JJWT Library Works

The JJWT library provides all the end-to-end functionality that the producer and consumer of the tokens require.

Token Behavior: Creation, Signing, Parsing and Verification

Because of the builder-based fluent interface of JJWT, the creation of the JWT is basically a two-step process:

  1. The definition of the internal Claims of the token, like Issuer, Subject, Expiration, Id and its signing Key
  2. The actual compaction of the JWT in a URL-safe string according to the JWT Compact Serialization rules.

The final JWT will be a Base64 URL encoded string signed with the specified Signature Algorithm using the provided key.

After this point, the token is ready to be shared with the other party. When received, they can parse the contained info fairly easily:

```java
Jwt jwt = Jwts.parser().setSigningKey(key).parse(compactJwt);
```

This method returns an expanded (not compact/serialized) JSON Web Token. Internally it will do its best to determine whether it is a JWT or a JWS, and whether the body/payload is Claims or a String. It might be difficult for the internal algorithm to automatically identify the kind of token. In that case, you can use the parse(String, JwtHandler) method, which allows for a type-safe callback approach that may help reduce code or instanceof checks.

During parsing, the JWT is first verified with the provided key. The signature algorithm is identified via the alg property located in the header section of the JWT. The specified algorithm will be used to verify the token with the provided key. If the verification fails, the parse method will not continue and will throw a SignatureException.

Internal JWT Structure: Header, Payload, Signature

When the token is being created, the JJWT library stores all the properties in a Map structure. During compaction, the following steps will be carried out in this order:

  1. The header will be Base64 URL Encoded,
  2. The payload will be Base64 URL Encoded,
  3. The encoded header and payload will be concatenated, appending a “.” in between them,
  4. A signature will be created for the resulting JWT string using the provided key,
  5. Finally, the signature will be concatenated to the JWT string appending a “.” in between them.

As a result, all the provided information will finally look like this:

eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJKb2UifQ.WmxS1IZ-1iH1ZZ1dKBcpZGjU-IvTh88FUUMUR83J4oUuYYyBia-JjQebI0XBeVvNToRSC-_bzFM3nCQD-p2a6w

where:

  1. eyJhbGciOiJIUzUxMiJ9 is the encoded header,
  2. eyJzdWIiOiJKb2UifQ is the encoded payload, and
  3. WmxS1IZ-1iH1ZZ1dKBcpZGjU-IvTh88FUUMUR83J4oUuYYyBia-JjQebI0XBeVvNToRSC-_bzFM3nCQD-p2a6w is the generated signature
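The five compaction steps above, together with the kid-based key lookup described in the SigningKeyResolver section, are easy to reproduce outside the JVM. The following is an added example in Python; it is not JJWT's code and not from the Stormpath post. It implements HS512 compact serialization and verification with a key-id lookup against a constructed key table (the `KEYS` dictionary, `key-2015-07` and its secret are made up for the example). It departs from the page's description in one deliberate respect: rather than letting the alg header choose the algorithm, the verifier pins the algorithm it expects, because the header has to be read before the signature is checked and so cannot itself be trusted. Checking the example against the page's own token, the encoded header and payload it produces for `{"sub":"Joe"}` under HS512 are the two segments shown above.

```python
import base64
import hashlib
import hmac
import json

# Constructed key table for the example: kid -> secret. In practice these come
# from application configuration, never from the token itself.
KEYS = {
    "key-2015-07": b"example-secret-key-for-hs512-demo-only",
}


class JwtException(Exception):
    """Base class, mirroring JJWT's runtime-exception hierarchy."""


class MalformedJwtException(JwtException):
    """Token is not three dot-separated base64url segments of valid JSON."""


class SignatureException(JwtException):
    """Signature did not verify, or the algorithm/key could not be used."""


def b64url_encode(data):
    """Base64 URL encoding without padding, as JWT Compact Serialization requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    """Inverse of b64url_encode; restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def compact_hs512(claims, key, kid=None):
    """Steps 1-5 from the post: encode header, encode payload, join with '.', sign, append."""
    header = {"alg": "HS512"}
    if kid is not None:
        header["kid"] = kid                       # the key *identifier*, never the secret
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = encoded_header + "." + encoded_payload
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(signature)


def resolve_key(header):
    """Plays the role of a SigningKeyResolver: look the key up by the (still unverified) kid."""
    kid = header.get("kid")
    if kid not in KEYS:
        raise SignatureException("unknown kid: %r" % (kid,))
    return KEYS[kid]


def parse_claims_jws(token, key_resolver=resolve_key, expected_alg="HS512"):
    """Verify the signature, then return the claims; raise before returning anything otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise MalformedJwtException("expected header.payload.signature")
    encoded_header, encoded_payload, encoded_signature = parts
    try:
        header = json.loads(b64url_decode(encoded_header))
    except ValueError as exc:
        raise MalformedJwtException("header is not valid base64url JSON") from exc
    # Pin the algorithm: the header is attacker-controlled until the signature checks out.
    if header.get("alg") != expected_alg:
        raise SignatureException("unexpected alg %r" % (header.get("alg"),))
    key = key_resolver(header)
    expected = hmac.new(key, (encoded_header + "." + encoded_payload).encode("ascii"),
                        hashlib.sha512).digest()
    # Constant-time comparison so a forged signature cannot be refined byte by byte.
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise SignatureException("signature verification failed")
    return json.loads(b64url_decode(encoded_payload))


def is_rejected(token):
    """True when parse_claims_jws refuses the token for any JwtException reason."""
    try:
        parse_claims_jws(token)
    except JwtException:
        return True
    return False
```

The resolver only ever sees header data, which is the reason the page stresses putting the key id, not the secret, into the kid field: anything in the header is readable by whoever holds the token, and a resolver that cannot find the id must fail closed rather than fall back to a default key.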

JWT Claims

As already mentioned, all the defined JWT values are ultimately stored in a JSON Map. JWT standard names are provided as type-safe getters and setters for convenience. They are:

They are all available via the Jwts.claims() factory method.

Exceptions

JJWT carries out different kinds of validation while working with the JWT. Upon errors, it throws different kinds of Exception so the developer can handle them accordingly. All JJWT-related exceptions are RuntimeExceptions, with JwtException as the base class.

These errors cause specific exceptions to be thrown:

JJWT is Open Source :)

Hopefully, we have shown how JJWT is extremely simple to use and understand. If you need to create and verify JSON Web Tokens (JWTs) on the JVM, this is the right tool to use.

Furthermore, like many libraries Stormpath supports, JJWT is completely free and open source (Apache License, Version 2.0), so everyone can see what it does and how it does it. Do not hesitate to report any issues, suggest improvements and even submit some code!

Let us know what you think in the comments below.

July 09, 2015

Mike Jones - Microsoft: OAuth 2.0 Dynamic Client Registration Protocol is now RFC 7591 [Technorati links]

July 09, 2015 11:27 PM

The OAuth 2.0 Dynamic Client Registration Protocol specification is now RFC 7591 – an IETF standard. The abstract describes it as follows:

This specification defines mechanisms for dynamically registering OAuth 2.0 clients with authorization servers. Registration requests send a set of desired client metadata values to the authorization server. The resulting registration responses return a client identifier to use at the authorization server and the client metadata values registered for the client. The client can then use this registration information to communicate with the authorization server using the OAuth 2.0 protocol. This specification also defines a set of common client metadata fields and values for clients to use during registration.

This specification extracts the subset of the dynamic client registration functionality defined by OpenID Connect Dynamic Client Registration 1.0 that is applicable to any OAuth 2.0 deployment. It is intentionally completely compatible with the OpenID Connect registration spec, yet is also now usable as a basis for dynamic client registration by other OAuth 2.0 profiles.

My personal thanks to Justin Richer, John Bradley, Maciej Machulak, Phil Hunt, and Nat Sakimura for their work on this specification and its precursors. Thanks also to members of the OpenID Connect working group and members of the OAuth working group, as well as its chairs, area directors, and other IETF members who contributed to this specification.

Gluu: Gluu Server 2.3 passes all OpenID Connect Conformance Tests [Technorati links]

July 09, 2015 07:57 PM


The Gluu Server 2.3 is now the second server to pass ALL the OpenID Connect Provider conformance profiles… leaving in the dust: Ping, ForgeRock, SalesForce, Google, Microsoft, PayPal, and others! Combined with Gluu Server support for FIDO U2F, and our FREE open source license (FOSS), no wonder we’re seeing over 1500 downloads per month!

Interestingly, both leading OpenID Connect Providers (OPs) are FOSS! You can find all code for the Gluu Server in our Github repository. The Nomura Research Institute’s PHP code can be found in their Bitbucket repository.

Why do we need standard OpenID Connect Providers?

In the past, services like LDAP, Radius, and Kerberos were used to identify people who were trying to access servers and network devices. Today, people are using Web and mobile applications. The developers of those Web and mobile applications prefer a JSON / REST API to authenticate the person. Ideally, they’d like API’s similar to what Google offers–where client credentials are used to obtain a JSON object that contains the information about the person, and the type of authentication that occurred.

In other words, domains need to launch their own OpenID Provider.

There are several OP’s to choose from, and several important considerations that may impact which one is best for your domain–for example, maybe you must have a Python implementation. An OpenID Connect provider that comprehensively implements the standard is a good start. But for many domains, that’s not enough–what is needed is an OpenID Provider that enables the quick deployment and simple operation of a robust, elastic authentication service that satisfies cloud scale requirements.

FOSS is also not enough

System administrators don’t want to build complex code from the source–they need easy to use packages. They also need to know that the company or organization behind the code can rapidly respond to requirements for security patches, and keep up with the frenetic pace of new requirements for security.

With these requirements in mind, Gluu has automated package management (i.e. apt-get and yum)–system administrators can install and configure the Gluu Server in minutes. Gluu currently publishes packages for Ubuntu, Centos, and Redhat and is adding Fedora and Debian very soon.

So it’s not JUST about getting all the check marks. However, I still have to wonder… with all those millions of dollars, why don’t those other guys have all the check marks too?

Interested in deploying your own Gluu Server? Find deployment instructions here.

Courion: 4 Ways to Defend Against Internal Security Attacks [Technorati links]

July 09, 2015 01:23 PM

Access Risk Management Blog | Courion

This week the popular blog "Global Accountant" posted an article titled "The Cyber Threat Within- A Third of British Accountants Breach IT Policies". One third? Sad, but true. The article goes on to state that one of the biggest threats for cyber-attacks comes from inside their network due to employees ignoring their IT policy. Would you believe that over 40% of these accountants knew their IT policy but chose to ignore it? 

What are they thinking? Don't they know better? Lifeline IT co-founder and Director, Daniel Mitchell, is quoted as saying, "It’s clear that the majority of accountants are security conscious about IT on the home-front but have a different attitude at work."


This got me thinking - if one-third of your staff is breaching your IT policy, then what can you do to defend within? How do you protect your intellectual property when everyone has access and too many people aren't thinking about the consequences of their actions?

There are four ways that you can defend against internal attacks and we share them with you today.

1. Role-Based Access

With hundreds or thousands of users on your network, it can be overwhelming to try to provision everyone with the correct access in a timely fashion. With people joining your systems every day, it quickly becomes a game of numbers: users (or unique identifiers) all sending in requests for access they think they need, resulting in a backlog of requests, long waits for access, and too often unnecessary access rights being granted, leaving you vulnerable to a breach.

Rather than dealing with these headaches, you could handle provisioning by role-based access. This way, if you are a member of the development team, once you go online to request access to network systems, you are led to the development applications rather than having to pick and choose from each and every application in the company. If you apply for an application that is within your role then you would be instantly granted access rather than waiting on approval for something as simple as email. Not only does this save time for the user by helping them choose what to ask for but it helps to eliminate the number of excessive access requests giving only the right people access to your critical applications.

2. Access Management

Every organization, no matter how big or small or what industry you are in, has the same three types of users: Joiners, Movers and Leavers. What do all of these have in common?


They need to have their access immediately changed with their status. Joiners need access to systems such as email, time cards, and internal network files on the day they start. Movers need to have access rights changed as soon as their role changes. While these two users are important to your organization the most important to your security are the Leavers. 

In a study by scmagazine.com, 1 in 5 employees still have access to the internal systems of their previous jobs. 1 in 5! When an employee is terminated, regardless of reason, they need to have their access immediately terminated. Is your system set up to handle this?

3. Segregation of Duties

Wouldn’t it be great to be able to set and approve your own budget? What about requesting and approving a purchase order? While this does sound dreamy, it also sounds like a nightmare for your finance department. For your organization to uphold the checks and balances of its systems, from budgeting to system access, there needs to be segregation between requesters and approvers.

When you define Segregation of Duties at the beginning of your project, you are essentially specifying what each user is and is not allowed to do, and putting barriers in place to keep these conflicts from happening.

4. Real-Time Monitoring

Auditing is most likely your least favorite time of the year. However, the fact that you only audit once or twice a year means that you are only giving yourself one or two chances to find errors in your system. With real-time monitoring, like the monitoring with an intelligent IAM system, you can see into your system at any time as well as be alerted when things look wrong. If four new users are granted access to a critical application in one week, would you notice? With real-time monitoring you would be alerted to this event so that you can investigate and mitigate the risk of a breach.
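The Leavers, Segregation of Duties and Real-Time Monitoring points above are each a rule that can be run continuously over provisioning events instead of once a year at audit time. The following is an added example in Python, not Courion's software and not from the article; it runs the three rules over a small set of constructed access events (`EVENTS`, the user names, application names and the `TERMINATED` table are all made up) and implements the article's "four new users granted access to a critical application in one week" rule as a sliding seven-day window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access events (not taken from the article). Each is one
# provisioning or login record of the kind an IAM system emits.
EVENTS = [
    {"ts": "2015-07-01T09:00", "type": "grant", "user": "alice", "app": "payroll", "requester": "alice", "approver": "bob"},
    {"ts": "2015-07-02T10:15", "type": "grant", "user": "carol", "app": "payroll", "requester": "carol", "approver": "bob"},
    {"ts": "2015-07-02T11:00", "type": "login", "user": "dave", "app": "wiki"},
    {"ts": "2015-07-03T14:30", "type": "grant", "user": "erin", "app": "payroll", "requester": "erin", "approver": "bob"},
    {"ts": "2015-07-03T15:00", "type": "grant", "user": "carol", "app": "erp-finance", "requester": "carol", "approver": "carol"},
    {"ts": "2015-07-06T08:45", "type": "grant", "user": "frank", "app": "payroll", "requester": "frank", "approver": "bob"},
    {"ts": "2015-07-07T09:00", "type": "grant", "user": "grace", "app": "wiki", "requester": "grace", "approver": "bob"},
    {"ts": "2015-07-20T09:00", "type": "grant", "user": "heidi", "app": "payroll", "requester": "heidi", "approver": "bob"},
]
CRITICAL_APPS = {"payroll", "erp-finance"}
# Leavers: user -> last working day (constructed). Any activity after it is a finding.
TERMINATED = {"dave": "2015-06-30"}


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M")


def sod_violations(events):
    """Segregation of Duties: nobody may approve their own access request."""
    return [e for e in events if e["type"] == "grant" and e["requester"] == e["approver"]]


def leaver_activity(events, terminated):
    """Leavers: any grant or login by an account past its termination date."""
    findings = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day is None:
            continue
        if _ts(e).date() > datetime.strptime(last_day, "%Y-%m-%d").date():
            findings.append(e)
    return findings


def grant_burst_alerts(events, critical_apps, threshold=4, window=timedelta(days=7)):
    """Real-time monitoring rule: alert when >= threshold grants hit one critical app
    within `window`. Returns {app: (first_grant_time, last_grant_time)} for each alert."""
    per_app = defaultdict(list)
    for e in events:
        if e["type"] == "grant" and e["app"] in critical_apps:
            per_app[e["app"]].append(_ts(e))
    alerts = {}
    for app, times in per_app.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[app] = (times[start], times[end])
                break  # one alert per app is enough to trigger an investigation
    return alerts
```

Run against the constructed events, the SoD rule flags carol's self-approved erp-finance grant, the leaver rule flags dave's login two days after his last working day, and the burst rule fires for payroll (four grants between 1 and 6 July) but not for erp-finance, and ignores the non-critical wiki entirely.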

5. Build a Security-Aware Culture

This tip is a freebie. One of the best ways you can protect against a breach in your system is by building a security-aware culture. In Global Accountant’s article, they mentioned that 42% of the accountants knew the IT policy. That means 58% of them didn’t know the policy. Educated users make better decisions. By building a culture that is aware of the risks to themselves and the company, you expand your security team exponentially. When your organization buys in to your security strategy they become more aware of risks, take more precautions against them and become a new line of defense against attacks.

Are you currently monitoring these four internal risk factors? Have you experienced a breach by not following one of these? Do you even know what risks are currently in your system?

With an Identity and Access Management solution, you can keep up with all of these risks and more at the same time. Using our solutions, we can perform a quick scan of your system and tell you where your risks lie and how you can protect against cyber-attacks.

For more information on how to manage risk in your organization or to have a quick scan of your current systems, contact us today at info@courion.com.

blog.courion.com

July 08, 2015

Pamela Dingle - Ping Identity: When your Empire has no Clothes [Technorati links]

July 08, 2015 08:00 PM

How many data points does it take to call something a trend?  With the hack and subsequent data dump of the internal files of Hacking Team, a company most of us never even knew existed until this week, the world is getting to see a very public examination of the naked inner workings of an organization. This is the second time I can think of this kind of hack occurring.  The first was, of course, Sony Pictures.

Some number of hackers have turned two different organizations inside out from a digital perspective, exposing even the mundane stuff for public ridicule.  And some of the most harshly ridiculed practices of all in both cases involved passwords and credentials.

In the case of Sony Pictures, the effect was acutely embarrassing.  Scores of Excel spreadsheets, detailing personal, business, and IT system passwords, with filenames like “website passwords” and “usernames & passwords”.   When Gawker writes an article detailing what morons you are,  you know it’s bad:  http://gawker.com/sonys-top-secret-password-lists-have-names-like-master_-1666775151


In the case of Hacking Team, enough data was dumped both for the obvious stupidity to come to light and for hashed passwords to be brute forced and gleefully revealed in horrific detail on Twitter.  The examples below are (a) a dump of the admin’s Firefox password manager, and (b) an Excel spreadsheet containing VPS credentials.

[Image (a): dump of the admin’s Firefox password manager]

[Image (b): Excel spreadsheet containing VPS credentials]


So, let’s assume that this ‘dump and roast’ trend is really a trend, and will continue.  Perhaps it puts a little more personal skin in the game.  We all get lazy. We all take shortcuts.  But perhaps now that there is a risk that all those shortcuts get dissected at a later date, with a very sharp scalpel.

Trying to look competent during examination by your Future Hacker Overlords.  It’s an odd thing to imagine as a security influence.  But right now, it feels like it might become a thing….

Nat Sakimura: Internet Identity Timeline | @_Nat Zone [Technorati links]

July 08, 2015 05:07 AM

Since the people who know this history are gradually disappearing, I have started compiling an Internet Identity timeline. It records events I personally consider important, chosen by my own judgement and bias. It is still far from complete, so if you have something like "there was also this", please write the date, heading, source (a link or similar) and why you think it is important in the comments section of the Internet Identity timeline (not of this article).


Nat Sakimura: Internet Identity Timeline [Technorati links]

July 08, 2015 05:04 AM

Since the people who know this history are gradually disappearing, I have started compiling an Internet Identity timeline. It records events I personally consider important, chosen by my own judgement and bias. It is still far from complete, so if you have something like "there was also this", please write the date, heading, source (a link or similar) and why you think it is important in the comments section of this article.

# If there turn out to be a fair number of contributions, I intend to set up a separate project on Bitbucket or something similar.

July 07, 2015

Mike Jones - Microsoft: OAuth 2.0 Token Exchange -02 enabling use of any token type [Technorati links]

July 07, 2015 10:02 PM

Draft -02 of the OAuth 2.0 Token Exchange specification has been published, making the functionality token type independent. Formerly, only JSON Web Tokens (JWTs) could be used in some contexts. This was a change requested by working group participants during IETF 92 in Dallas.

The specification is available at:

An HTML formatted version is also available at:

Mike Jones - Microsoft: JWK Thumbprint -07 draft addressing Gen-ART review comment [Technorati links]

July 07, 2015 09:23 PM

JWK Thumbprint draft -07 has been published, addressing a Gen-ART review comment by Joel Halpern. Beyond updating the acknowledgements, the only change was replacing this sentence:

“Only if multiple parties will be reproducing the JWK Thumbprint calculation for some reason, will parties other than the original producer of the JWK Thumbprint need to know which hash function was used.”

with these two:

“However, in some cases, multiple parties will be reproducing the JWK Thumbprint calculation and comparing the results. In these cases, the parties will need to know which hash function was used and use the same one.”

The specification is available at:

An HTML formatted version is also available at:

Mike Jones - Microsoft: Proof-of-Possession Key Semantics for JWTs spec addressing WGLC comments [Technorati links]

July 07, 2015 08:22 PM

The editors have published draft-ietf-oauth-proof-of-possession-03, which addresses the working group last call comments received. Thanks to all of you who provided feedback. The changes were:

The updated specification is available at:

An HTML formatted version is also available at:

Courion: This week went a little password security crazy, and we like it. [Technorati links]

July 07, 2015 07:36 PM

Access Risk Management Blog | Courion

Happy #TechTuesday everyone! This week went a little password crazy, and we like it. Which method would you take to protect your password and how easy do you think it will be to hack these new processes? Let us know in the comments or tweet us @Courion.


Medium is doing away with passwords- and its new method for logging in is shockingly simple.

We know that stolen credentials are the number one headache for security teams, and a lot of that has to do with the ease with which passwords are hacked. Medium is taking away the typical password and will now use your email address to send you a link to log in, much like a password reset tool. While Medium claims this will be more secure, is it worth the extra time to log in?

Cale Gutherie Weissman, BusinessInsider.com 


MasterCard will approve purchases by scanning your face

I'll admit it, this is my favorite news article of the week. Did you think the fingerprint scanner on your iPhone was cool? Well MasterCard is taking it a step further by allowing you to approve purchases by scanning your face. Marketed for the new "selfie generation", MasterCard believes that this will cut down on user fraud. Just make sure you're not having a bad hair day.

Jose Pagliery, @Jose_Pagliery, CNN Money


Windows 10 Wi-Fi password-sharing feature criticised as a security risk

Have you seen the decorations proclaiming "Home is where your Wi-Fi connects automatically"? Well Microsoft is going a step further by allowing anyone who gets your Wi-Fi password for their PC to potentially let all of their friends onto your network as well. These "friends" could be of the Facebook, Outlook, or Skype variety. Microsoft says it’s a security feature, not a flaw; what do you think?

ComputerWorldUK.com


blog.courion.com

Julian Bond: https://medium.com/insurge-intelligence/uk-government-backed-scientific-model-flags-risk-of-civilisation... [Technorati links]

July 07, 2015 05:57 PM
https://medium.com/insurge-intelligence/uk-government-backed-scientific-model-flags-risk-of-civilisation-s-collapse-by-2040-4d121e455997

For the first time, then, we know that in private, British and US government agencies are taking seriously longstanding scientific data showing that a business-as-usual trajectory will likely lead to civilisational collapse within a few decades - generating multiple near-term global disruptions along the way. 
The question that remains is: what we are going to do about it?

What's interesting here is an attempt to update the Limits to Growth models with current data and fine tuning the parameter set. LtoG was broadly correct but we can improve it.

With a US election cycle coming up that's likely to set US policy for 8 years, and with the UK election cycle just started, the question is what are they going to do about this? How will it inform policy?
Sometimes it feels like the politicians' approach is to build a defensible bunker for them and their friends. Maintain business as usual for as long as possible but put civil control mechanisms in place to try and contain the resulting chaos.

Too cynical?
 Scientific model supported by UK Government Taskforce flags risk of civilisation’s collapse by 2040 »
by Nafeez Ahmed

[from: Google+ Posts]
July 06, 2015

Katasoft: Major (1800%) Performance Upgrade to Stormpath Java SDK [Technorati links]

July 06, 2015 07:00 AM


The Stormpath Java SDK is now speedier and more extensible than ever. If you’re running a version lower than 1.0RC4.4, consider updating.

It’s no secret that an application needs fast access to its user data to keep those users happy. Whether it’s registration or authorizing access to a resource, slow speeds and good user experience don’t mix.

Which is why we recently revamped much of our core Java SDK to improve performance and extensibility. Here’s a rundown of what we did and how it impacted request times in a real project:

Pagination Bug Fix

First up, we discovered a bug preventing the SDK from iterating over collection resources correctly. As a refresher, collections in the Stormpath API are containers of other resources. For example, a Group contains Accounts, a Directory contains both Accounts and Groups, etc.

Prior to this release, requests to GET a collection that resulted in just one page of resources posed no problem, but multi-page results quickly broke down. A fix to the pagination logic took care of this.

An Elegant Datastore Implementation

We rewrote the core ‘DataStore’ implementation of the SDK – the very core of how all resources are processed in the SDK – from scratch. While not part of the original update plan, we found that an accumulation of improvements over the last two and a half years had resulted in too many one-off code chunks and an unnecessarily complex implementation. For a full look at the changes, take a look at this GitHub issue.

In addition to simply being a cleaner implementation, the new DataStore supports a ‘filter chain’ design approach that will allow us to plug in and cut out logic over time without creating bloat. It also guarantees a consistent request/response flow for all interactions with our core REST API, meaning faster and more complete bug fixes in the future.

Fewer Round Trip Calls

Every iteration over a collection used to require two requests to Stormpath for the first page of results. Consider that extra call a relic of the past.

Performance via Gzip Compression

Gzip compression provides a 20% or more reduction in request times.

Improved Serialization

The Java SDK now funnels response bodies as a raw byte stream to Jackson, the JSON serializer Stormpath uses. Count this a small but real improvement of ~0.5% reduction in request times.

Efficient Expanded Collection Handling

Consider the following real-world example: A Stormpath Application has access to 801 Accounts. At a page size of 100, a request for this Application’s Accounts collection resource would require 9 requests. Before this release, GETting the Groups for each of these Accounts would initiate an additional request for each Account – resulting in 810 total requests. Not ideal.

With the new release, collections that have elements with expanded collections of their own (like the Group example above) are collectable without unnecessary requests to Stormpath.
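The 9-versus-810 request counts above are the classic N+1 pattern, and it is worth seeing where each request comes from. The following is an added example in Python; it is not the Stormpath SDK's code and does not talk to the Stormpath API. It stands up a constructed in-memory stand-in for a paginated collection resource (`FakeApi`, 801 accounts in pages of 100, each account in two made-up groups) and counts the HTTP round trips a client would make when groups are fetched per account versus when they arrive expanded inside each page.

```python
# Constructed in-memory stand-in for a paginated REST collection (not the SDK's code):
# 801 accounts, each belonging to two groups, served in pages of 100 like the post's example.
PAGE_SIZE = 100
ACCOUNTS = [
    {"href": "/accounts/%d" % i, "groups": ["/groups/%d" % (i % 3), "/groups/%d" % (i % 5)]}
    for i in range(801)
]


class FakeApi:
    """Counts every simulated request so the two client strategies can be compared."""

    def __init__(self):
        self.requests = 0

    def get_accounts_page(self, offset, limit, expand_groups=False):
        self.requests += 1
        items = []
        for account in ACCOUNTS[offset:offset + limit]:
            item = {"href": account["href"]}
            if expand_groups:
                # Expanded: the group list is embedded in the page response.
                item["groups"] = {"items": list(account["groups"])}
            else:
                # Not expanded: only a link, which costs a further request to follow.
                item["groups"] = {"href": account["href"] + "/groups"}
            items.append(item)
        return {"offset": offset, "limit": limit, "size": len(ACCOUNTS), "items": items}

    def get_groups(self, account_href):
        self.requests += 1
        index = int(account_href.rsplit("/", 1)[1])
        return list(ACCOUNTS[index]["groups"])


def iterate_accounts(api, expand_groups=False):
    """Walk the collection page by page using offset/limit/size from each response."""
    offset = 0
    while True:
        page = api.get_accounts_page(offset, PAGE_SIZE, expand_groups)
        for item in page["items"]:
            yield item
        offset += page["limit"]
        if offset >= page["size"]:
            break


def collect_groups_naive(api):
    """Old behaviour: one extra GET per account. Returns (groups seen, requests made)."""
    total = 0
    for account in iterate_accounts(api, expand_groups=False):
        total += len(api.get_groups(account["href"]))
    return total, api.requests


def collect_groups_expanded(api):
    """New behaviour: groups arrive inside each page, so only the page requests remain."""
    total = 0
    for account in iterate_accounts(api, expand_groups=True):
        total += len(account["groups"]["items"])
    return total, api.requests
```

Both strategies see the same 1602 group memberships; the difference is 9 page requests plus 801 follow-up requests for the naive walk against 9 requests total for the expanded one, which is the 810-versus-9 comparison the post describes.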

Measuring Performance Improvement

Now for the good stuff! Let’s see how all these changes combined impact our example Application with 801 Accounts.

Before The Release:

Iterating over 801 accounts without any kind of expansion at all (two times):

Run 1: 7934 milliseconds (7.934 seconds)
Run 2: 7341 milliseconds (7.341 seconds)

Iterating over 801 accounts with Groups expanded (two times):

Run 1: 154806 milliseconds = 154.934 seconds = ~ 2 MINUTES
Run 2: 150999 milliseconds = 150.999 seconds = 1 MINUTE 50 SECONDS.

After The Release

Iterating over 801 accounts without any kind of expansion at all (two times):

Run 1: 4025 milliseconds (4.025 seconds)
Run 2: 3822 milliseconds (3.822 seconds)

That’s an almost 100% increase in performance.

Iterating over 801 accounts with Groups expanded (two times):

Run 1: 8817 milliseconds = 8.817 seconds
Run 2: 7349 milliseconds = 7.349 seconds

That’s an ~ 1800% increase in performance.

The best part? Strict separation between the SDK API and its implementation classes made it possible to push major upgrades with no API changes for our users. Also, tests help. Lots and lots of integration tests.

You can find the new SDK on Github and updated Java Docs here.

July 04, 2015

Matthew Gertner - AllPeers: How to get a cheap holiday deal [Technorati links]

July 04, 2015 09:54 AM

Booking a holiday is always an exciting time but it can also be a time when people worry about the amount of money they will spend. Working hard all year in order to be able to pay for a week or two away from the hustle and bustle of city life means that everyone wants to get the most for their money.


There’s nothing better than picking up a great deal that leaves more money in the wallet to spend once you reach your destination. But how can people find these great deals? Are there some ‘tricks of the trade’ that can be used to save money when booking? The simple answer is yes there are!

Here are three fantastic little tips that will help you save money when it comes to booking your next holiday or short break away from home. It’s easy to find cheap holidays if you know how!

Pick a destination where you get more for your money

One of the easiest ways to save money is to head to a place where you get a great exchange rate for your home currency. There are plenty of countries that offer fantastic holidays for all types of travellers. South East Asia is always a good option because you will find that you get a lot more for your money when it comes to accommodation and food. You will also save money if you choose somewhere close to home even though the exchange rate might not be as favourable, for example if you live in the UK then a short trip across the sea to France will save you a lot of money because it is so cheap to get there.

Book early or very late

According to experts in the travel industry, the best time for you to get a great deal is to book around 11 months before you plan to go on holiday. This is due to the fact that if you book 11 months in advance there are still a lot of cheap rooms and promotion rates available for flights. If you’re flexible and do not have your heart set on a particular destination then you can leave booking to the last minute. If you can hold out until around 8 weeks before you want to go away  you will often find some amazing last minute deals that will suit any budget.

Holiday at home

This is something that a lot of people don’t even consider, but how many fantastic places are there to visit in your home country? The answer is lots! So cut out the cost of flights, transport and exchange rates by finding somewhere in your own country. It makes things easier and much less stressful for you because communication, culture and haggling are never a problem. You can also rest easy, safe in the knowledge that you will most likely get the best deal available.

The post How to get a cheap holiday deal appeared first on All Peers.

July 02, 2015

WAYF News: DRCMR now a WAYF identity provider [Technorati links]

July 02, 2015 11:00 PM

The Danish Research Centre for Magnetic Resonance (‘DRCMR’) at Hvidovre Hospital, Copenhagen, today joined WAYF as an identity provider. Consequently, researchers affiliated with the DRCMR now have the ability to access WAYF-enabled web services using their DRCMR credentials.

Courion: 7 Ways to Reduce your Cyber Attack Surface [Technorati links]

July 02, 2015 03:06 PM

Access Risk Management Blog | Courion

[Infographic: 7 ways to reduce attack surface, Courion Corporation]

blog.courion.com