Monthly Archives: October 2012

Turtles all the way down

[image: turtles in VMware pond]

Photo of turtles on the VMware campus courtesy of Yvonne Wong, recruiter extraordinaire.

Most of us on the Cloud Foundry identity team have been working together for just over a year. We work with a rather interesting group that leads the larger open source community that builds Cloud Foundry.

On the identity team we’ve been working to evolve Cloud Foundry’s user authentication and authorization system into a full suite of identity services — open source and built on open standards. We’ve built some cool stuff. We are now starting to publicize what we’ve built and more actively engage with the community. Our team consists of veteran SpringSource leaders David Syer (@david_syer) and Luke Taylor in the UK, with Joel D’sa, Vidya Valmikinathan and me in Palo Alto.

Dave started us off with 3 solid blog posts for the cloudfoundry.org blog explaining our use of OAuth2 here, here, and here. He is speaking at SpringOne this week about OAuth2 as well.

Also in the blog queue, Luke has a post that discusses our password management strategy and I have one that discusses how we integrate OAuth2, SCIM, & OpenID Connect into Cloud Foundry itself. Joel recently gave a presentation to the VMware Cloud Foundry engineers about our User Account and Authentication (UAA) service.

Joel, Vidya and I will be attending IIW next week. I suspect that Joel will propose a session there to discuss Cloud Foundry identity services, what we’ve built, and what we’ve learned from operational experience. We’ll be there to work with the identity community as we plan our next steps.

I’ll link to the blog posts and presentations here when they are published.

It’s great fun to finally have this system in a position where we can make some noise about it, and we all are. It’s turtles all the way down.

Password anti-pattern alive and well at a financial institution

Wow. I would have thought that after the years of publicity describing the evils of the password anti-pattern, it would not be seen in any current web site that is serious about security. Today, I tried to link an etrade account to a checking account at another institution. Here is part of the screen I got:
[image: password anti-pattern dialog]
I wasn’t sure what it meant by “online login information”. I thought that perhaps they wanted me to reenter my etrade credentials for extra security at this step, but it seemed odd that they would do that in a box that says “powered by yodlee”. I wouldn’t want to give my etrade password to yodlee. So I checked the help bubble and got this:

“Please enter the login information for the bank your external account is at”.

REALLY! They actually want me to enter my username and password from my bank into yodlee via etrade!

So I looked at the “Instant Verification User Agreement”. Here is the fourth paragraph (with emphasis added by me):

THIRD PARTY ACCOUNTS. By using the service, you authorize E*TRADE Bank and/or E*TRADE Securities and Yodlee to access third party sites designated by you, on your behalf, to retrieve information requested by you. For all purposes hereof, you hereby grant E*TRADE Bank and/or E*TRADE Securities and Yodlee a limited power of attorney, and you hereby appoint E*TRADE Bank and/or E*TRADE Securities and Yodlee as your true and lawful attorney-in-fact and agent, with full power of substitution and resubstitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites, servers or documents, retrieve information, and use your information, all as described above, with the full power and authority to do and perform each and every act and thing requisite and necessary to be done in connection with such activities, as fully to all intents and purposes as you might or could do in person. YOU ACKNOWLEDGE AND AGREE THAT WHEN E*TRADE BANK AND/OR E*TRADE SECURITIES OR YODLEE ACCESSES AND RETRIEVES INFORMATION FROM THIRD PARTY SITES, E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE ARE ACTING AS YOUR AGENT, AND NOT THE AGENT OR ON BEHALF OF THE THIRD PARTY. You agree that third party account providers shall be entitled to rely on the foregoing authorization, agency and power of attorney granted by you. You understand and agree that the service is not endorsed or sponsored by any third party account providers accessible through the service.

It states that this would be really easy, that they have my privacy and security in mind, and I’d be able to transfer money right away. All I had to do was click the box that I agree to the terms of use, and give them the username and password for my bank account — and I give etrade and yodlee power of attorney:

“you hereby appoint E*TRADE Bank and/or E*TRADE Securities and Yodlee as your true and lawful attorney-in-fact and agent, with full power of substitution and resubstitution, for you and in your name, place and stead, in any and all capacities, to access third party internet sites,…”

They want me to give them the keys to my bank account and agree to let them act as me to any internet site, for any reason, and in the same agreement they say this (emphasis is mine):

E*TRADE BANK AND/OR E*TRADE SECURITIES AND YODLEE MAKE NO WARRANTY THAT (i) THE SERVICE WILL MEET YOUR REQUIREMENTS, (ii) THE SERVICE WILL BE UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE, (iii) THE RESULTS THAT MAY BE OBTAINED FROM THE USE OF THE SERVICE WILL BE ACCURATE OR RELIABLE, (iv) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY YOU THROUGH THE SERVICE WILL MEET YOUR EXPECTATIONS, OR (V) ANY ERRORS IN THE TECHNOLOGY WILL BE CORRECTED.

Seems to me they want me to trust them with my finances more than they trust their own technology.

I declined to use the service.
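What the password actually hands over, compared with a proper delegated grant, is easy to show in code. The following is an added example written for this page in Python; it is not code from the post, nor anything from E*TRADE, Yodlee or Cloud Foundry. The `Bank` class, the two aggregator functions, the `accounts:read` and `transfer` scopes, the client id `aggregator` and the opaque token are assumptions made for the illustration. It demonstrates the three properties the anti-pattern gives up: a party holding the password can do everything the account owner can, appears in the bank’s audit log as the owner, and can only be cut off by changing the password; a client-bound, scoped token can do only what was granted, is logged under the client’s own identity, and can be revoked on its own.

```python
# Added example, not code from the post or from E*TRADE, Yodlee or Cloud Foundry: a toy
# bank contrasting the password anti-pattern with a scoped, client-bound, revocable grant.
# Scope names, the client id and the token format are illustrative assumptions.
import hashlib
import hmac
import secrets


class Bank:
    def __init__(self):
        self.users = {}   # username -> {"salt", "hash", "balance"}
        self.tokens = {}  # opaque token -> {"actor", "user", "scope"}
        self.audit = []   # (actor, user, action)

    def register(self, username, password, balance):
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = {"salt": salt, "hash": pw_hash, "balance": balance}

    def _check_password(self, username, password):
        u = self.users.get(username)
        if u is None:
            return False
        h = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 100_000)
        return hmac.compare_digest(h, u["hash"])

    # Anti-pattern path: whoever holds the password *is* the user. The bank cannot tell
    # a screen-scraper from the owner, so the session gets every scope and is logged as the user.
    def login(self, username, password):
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        return {"actor": username, "user": username, "scope": {"accounts:read", "transfer"}}

    # Delegated path: the client gets an opaque token bound to its client id and a scope.
    # In real OAuth2 the user authenticates at the bank's own site and the client never
    # sees the password; it is passed in here only to keep the toy self-contained.
    def authorize(self, username, password, client_id, scope):
        if not self._check_password(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"actor": client_id, "user": username, "scope": set(scope)}
        return token

    def session_from_token(self, token):
        if token not in self.tokens:
            raise PermissionError("token revoked or unknown")
        return self.tokens[token]

    def revoke(self, token):
        self.tokens.pop(token, None)

    # Resource access: every call is checked against the session scope and audited by actor.
    def _act(self, session, scope, action):
        if scope not in session["scope"]:
            raise PermissionError(f"missing scope {scope}")
        self.audit.append((session["actor"], session["user"], action))
        return self.users[session["user"]]

    def balance(self, session):
        return self._act(session, "accounts:read", "balance")["balance"]

    def transfer(self, session, amount):
        account = self._act(session, "transfer", f"transfer:{amount}")
        account["balance"] -= amount
        return account["balance"]


def allowed(call):
    # True if the bank permits call(), False if it refuses it.
    try:
        call()
        return True
    except PermissionError:
        return False


def aggregator_with_password(bank, username, password):
    """Anti-pattern: log in as the user; nothing limits the aggregator to reading."""
    session = bank.login(username, password)
    bank.balance(session)
    bank.transfer(session, 100)  # the bank has no basis to refuse this
    return sorted(session["scope"])


def aggregator_with_token(bank, token):
    """Delegated: hold a read-only token, and try to overreach anyway."""
    session = bank.session_from_token(token)
    return bank.balance(session), allowed(lambda: bank.transfer(session, 100))


def demo():
    bank = Bank()
    bank.register("alice", "hunter2", balance=1000)
    caps = aggregator_with_password(bank, "alice", "hunter2")
    token = bank.authorize("alice", "hunter2", "aggregator", ["accounts:read"])
    bal, overreached = aggregator_with_token(bank, token)
    bank.revoke(token)  # the user cuts the aggregator off without touching the password
    return {
        "password_scopes": caps,           # ['accounts:read', 'transfer']
        "token_balance": bal,              # 900: the read was allowed
        "token_overreached": overreached,  # False: the transfer was refused
        "revoked": not allowed(lambda: aggregator_with_token(bank, token)),  # True
        "user_still_logs_in": bank.login("alice", "hunter2")["user"] == "alice",
        "audit": bank.audit,               # actors: 'alice', 'alice', 'aggregator'
    }
```

`demo()` runs both paths against the same account. The password-holding aggregator is never refused and its transfer shows up in the audit log under alice’s own name; the token-holding aggregator gets the balance, is refused the transfer, is logged as `aggregator`, and stops working the moment the token is revoked while alice’s password still works. A real OAuth2 deployment additionally obtains consent through a redirect to the bank rather than taking the password as a parameter, gives tokens a lifetime, and ties refresh to the registered client; none of that is modelled here.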


New Gig, New Rig, New digs

[image: path at Coyote Point]

About 18 months ago, Julie and I left family and friends and our long-time residence in Utah and moved to California. It’s been a wild ride. We’re enjoying it now, but initially it was quite a shock. Here are some of the changes:

Old: Utah / New: Norcal

gig
  Utah: 23 total years at Novell, last project: Novell Cloud Security Services (identity services)
  Norcal: 1.5 years at VMware Cloud Foundry (identity services)

rig
  Utah: 4wd SUV
  Norcal: sporty hybrid hatchback

digs
  Utah: big new house on a golf course in the foothills
  Norcal: quaint rambler built in 1922 — 1/2 the space for 3x the cost

OS
  Utah: Linux, Windows, NetWare
  Norcal: initially Mac OSX with Linux in a VM, but I rebelled back to Linux, where the user experience and package management are more consistent

code
  Utah: C/C++, C#, Java
  Norcal: Ruby, Ruby, Ruby, Java, some Go and Scala

VCS
  Utah: Subversion, Continuus
  Norcal: all git, all the time

release cycle
  Utah: once a year or two
  Norcal: twice a week

team culture
  Utah: circle the wagons and defend turf from intruders (and management)
  Norcal: aggressive and competitive internally and externally, very open to alliances with other groups

hallway banter
  Utah: child raising techniques, church activities, the impending doom of the company
  Norcal: programming languages, startups, new tech, cycling, public transportation, wineries, kids, live music venues, vacation destinations, weekend festivals, sailing

politics
  Utah: Republican (Utah, duh)
  Norcal: Democrat (bay area, duh)

climate
  Utah: very cold in winter, very hot in the summer
  Norcal: mild all the time with some spectacular days, but mostly feels somewhat cold

yard intruders
  Utah: deer, mice
  Norcal: raccoons (up to 6 at a time), rats

picnic supplies
  Utah: must be planned: wine purchased at rare state stores with limited hours, food must be purchased somewhere else
  Norcal: a quick stop at any grocery store or corner mart and you’re set

Overall, change can be a very good thing, and we’re enjoying the adventures and cycling a lot. Now back to work.

[image: bikes by the bay]