[SecurityRatty] tag: colorado

Colorado state Web site dishes out SSNs of CEOs, other top execs

Wed, 08 Oct 2008 00:00:00 +0000

A privacy advocate says the Web site of the Colorado secretary of state is making available the Social Security numbers and other personal data of CEOs, company chairmen, board members and other senior executives at some of the country's largest companies.

Colorado state Web site dishes out SSNs of top execs

Tue, 07 Oct 2008 20:00:00 +0000

The Web site of the Colorado Secretary of State is making available the Social Security numbers and other personal data of numerous CEOs, company chairmen, presidents, board members and other senior executives at some of the country's largest companies, a privacy advocate said.

The Resolution Will Not Be Televised

Fri, 05 Sep 2008 19:59:29 +0000

Wow

1-meter simulated resolution from aerial imagery of Colorado Capitol and Downtown Denver

.5-meter simulated resolution from GeoEye

Senator Obama's security concerns

Fri, 29 Aug 2008 14:42:00 +0000

It appears as if the authorities in Colorado are trying to down play the reported assassination plot of Senator Obama. Question is; how real was it?

It would certainly appear that the suspects were preparing for something out of the ordinary as they were reported as having a bullet proof vest and a high powered rifle with telescopic scope in their possession when apprehended. The fact that one of the them was described by his cohort as a "white supremist" who did not believe that a man of color could be the President of the U.S.A. is surely telling.

These three criminals were caught in much the same manner as the domestic terrorist, Timothy McVeigh. A dilgent policeman was doing his duty and pulled over the first suspect on a traffic stop. Some may call that luck, but having been a former Law Enforcement officer, I look upon it as good Police work. Many others might have not noticed the one little sign that made that officer suspicious and prompted him to check out the driver of the van.

That is why security can never rest. Whether it is foiling a potential terrorist plot or finding a child who has been abducted, we must always remain vigilant. It is a shame that there are those who believe a man is inferior based upon the color of his skin. It is even more terrible to realize that such a person would be willing to kill another based on racial hatred.

Unfortunately, this is a sad fact of life and steps need to be taken to thwart those disturbed individuals. Was this latest episode a non-event or by dismissing it are we attempting to sweep the shame of racism under the carpet? I for one, don't think that we should take these warnings lightly. Afterall, it has been 45 years and people still debate the assassination of JFK. We still hear it being said that Lee Harvey Oswald was incapable of carrying out the killing himself.

I recently watched a documentary on the assassination of Robert Kennedy, produced on the 40th anniversary of his death. When interviewed, the brother of the asssassin claims that his brother was too nice a guy to do something so awful. The fact of the matter however, is that both Kennedys were brutally gunned down. I am sure it is something that nobody ever wants to see repeated.

Let us hope that whomever succeeds as President in November has a long and healthy Presidency and helps to allevitae the problems that have been piling up.

When the shoe is on the other foot

Wed, 06 Aug 2008 06:16:46 +0000

About to head over to morning sessions of Black Hat (OK, it started at 8am, but that is just an uncivil time for Las Vegas). Before I do, let me give you a quick recap of my first night on Black Hat. I didn’t get in until 10pm and got to my hotel about 11. Looked up a few security twits and saw that Mitchell Ashley, Martin McKeay, JJ and Ryan Russell were at the Cleopatra Barge at Caesars. I headed over there and met up. The night was on!

We had a quick drink and then headed over to the club Pure, where Fortify was having a party. Some how or another JJ, Ryan and I got to the VIP entrance and were headed in. Martin had to go upstairs and change out of his shorts. Mitchell that Colorado country bumpkin was not allowed in because he was wearing sandals. What to do? Leave Mitchell outside, all of us not go in? I went back to my old club hopping days for the answer. I went in with JJ. Went to the bar, took off my shoes and gave them to JJ. While I stood there in socks, she brought the shoes out to Mitchell, who put them on and got in the club. Watching JJ sneak out the shoes and Mitchell walk in holding his sandals was pretty funny. But it worked. We got away from the Fortify party as it was way too crowded. We found ourselves in my favorite part of Pure, the Pussycat Doll Lounge. Five minutes later out came the Pussycats. They put on a very hot show that had us all dancing and shouting.

After that we went to my usual late night spot at Black Hat, the Augustus cafe for breakfast. We met up with the Mogul and Hoff, who joined us. By now it was like 2:30am Vegas time (5:30 east coast time) and it was time for bed. I am staying at Paris, so had a nice walk but they did give me a LeMans suite which is very nice. I still get a little confused by rooms with bidets, but it is fun.

Well off to Black Hat for some learning!

Friday Squid Blogging: Burning Squid

Fri, 25 Jul 2008 12:10:22 +0000

At the June Apogaea regional Burning Man event in Colorado, they burned a wooden/cloth giant squid. Before the burn, participants could crawl into the base of the body and turn a massive kaleidoscope with sun shining in the top. (Pictures of the squid and its demise. A picture from the inside.)

SSO Summit Wrap Up

Fri, 25 Jul 2008 09:41:07 +0000

More notes from SSO Summit - to recap I can't stress enough how a 50-200 person conference comprised of around 50-60% enterprise folk (instead of just vendors and *cough* consultants) is ideal. Real, in depth conversations instead of just "where is the party" a la RSA. Also, this conference has a laser focus on SSO, so all 150 of us are able to look through the prism from lots of angles.

Some additional takeaways

Dave Kearns has serious moderator skillz.

You can tell all the Mac users because they have to have their laptops plugged in at all times (Mr. Jobs paging Mr. Clayton Christensen)

Eve Maler can really sing

One of the prettiest drives through Colorado is here

I did my presentation on Security Token Servers today. Bob Brandt from 3M spoke on Federation at 3M, its quite interesting to think about the mix of all these technologies the same way 3M's products are composed from a grid of technologies. I see STS playing role here, enabling us to get interop across multiple token types. Bob also mentioned that the business doesn't _ask_ for SSO any more; they expect it. He mentioned (and I have seen the same) much greater SAML adoption and awareness by customers and partners. And I quite liked his quote - "If you are a SAAS vendors and you are not supporting SAML you won't be in business very long."

Kent Beck says programs are not things, they are shadows of communities. If you look at a big vendors' IDENTITY AND ACCESS MANAGEMENT SUITE - its not a cohesive product so much as a shadow of the big vendors' Visio org chart. Ping's SSO community is fast, light and Ninja; SSO functionality enabling real pros to get stuff done for real use cases.

Its a lot of fun to be at a 1.0 conference, I am pretty sure this will be 2x-3x next year.

Fugitive spammer dead in apparent murder-suicide

Fri, 25 Jul 2008 07:29:26 +0000

Spammer and escaped convict Eddie Davidson shot his wife and three-year-old daughter before turning the gun on himself Thursday night in Bennet, Colorado.

SSO Summit Day One Morning Session

Thu, 24 Jul 2008 09:35:02 +0000

I am at the SSO Summit, high in the Colorado mountains (9200 feet elevation to be exact), the I-70 West sign is one of my favorite road signs. Ping Identity has done a great job putting this together. It is the perfect size around 125 people. Most of the best conferences I have been to have been around 60-150 people. There are a *lot* of enterprises involved here.

John Haggard who has an extensive background in SSO and lately is at Passfaces kicked off the sessions with a SSO history talk. Going through a lot of mainframe centric SSO protocols from the 80s and 90s, I am no expert in these areas and it was fascinating to see the way things vacillated between strength and weakness of SSO protocols.

A couple of points from the presentation:

The history of SSO is a story of extreme complexities, compromises, vulnerabilities and unintended consequences.

SSO is a story of one simple objective - to spin off units of computation work to execute on behalf of an authenticated user without requiring the original user's password.

Phishing has always been completely avoidable

He went through the various incarnations of mainframe SSO from logon id through things like ACF2, VTAM Session managers, terminal emulators, multiplatform access to web access through facades. The implication he drew from this last step are well worth repeating: "Time to rethink everything." Problem is - of course, people don't rethink, they put MQ Series in front of the mainframe and hook a web app in front of that and go.

Finally, he connected some interesting dots to SAML and SOA security issues.

SSO without strong auth is and always will be simply nuts

SAML gets its right

His points around common weaknesses in integration in SOA and Web 2.0 technologies for companies that are *not* using SAML were excellent. Of course, I will go into some more details on this tomorrow.

Ping's CTO Patrick Harding took the stage and gave an overview of the next generation of SSO options from Kerberos to present and as is his wont demonstrated various real world strengths and weaknesses, quoted a Gartner analyst (shock!) saying OpenID is the hare and Cardspace is the tortoise. Nice.

Andrew Cameron from GM is speaking now on GM's experiences implementing SSO, and there are a lot of real world lessons learned in his presentation. Plus my favorite identity architecture, user has Kerberos, services speak SAML. very nice, very scalable. All in all, its my starting point for how to identity in an enterprise. He also spoke about a pet peeve of mine - how to globalize authorization. This is not a problem that vendors have historically attacked with relish. They are very happy to help you solve authentication, but they are perfectly happy to keep their authorization internal either for vendor lock in reasons and/or for sloppy authorization design. This will take a LIberty-esque consortium of enterprises to resolve.

So many conferences are dominated by vendors and consultants who conspire to what I call the "sacred church of things YOU should be doing." Instead this conference is bringing together a great mix of real world in the trenches practitioners who have problems to solve today, with rubber meets the road deployable solutions and an eye towards longer term strategy for SSO and identity.

Colorado 'Spam King' walks away from prison camp

Mon, 21 Jul 2008 20:00:00 +0000

Convicted penny-stock spammer Eddie Davidson walked away from a federal minimum-security prison camp in Colorado on Sunday, the U.S. Department of Justice said Tuesday.