May 04, 2008

• reCAPTCHA

With the increasing encroachment of spam bots and other automated programs written to generate spam on the Internet, there are a growing number of occasions when a web site needs a CAPTCHA.

A CAPTCHA (Completely Automated Public Turing Test To Tell Computers and Humans Apart) is a program that can tell whether a user is a human or a computer, and has a variety of uses including:

  • Preventing comment spam in blogs
  • Protecting web site registration
  • Protecting online poll integrity
  • Preventing rapid dictionary attacks
  • Excluding search engine bots from accessing certain pages
  • Protecting systems vulnerable to e-mail spam

Most CAPTCHAs are images with distorted text - frequently seen at the bottom of web registration forms, and looking something like this:

CAPTCHA example

Some of the original inventors of the CAPTCHA system at Carnegie Mellon University have implemented a means by which some of the effort and time spent by people who are responding to CAPTCHA challenges can be harnessed as a distributed work system.

This system, called reCAPTCHA, works by including "solved" and "unrecognized" elements (images which were not successfully recognized via OCR) in each challenge. The respondent thus answers both elements and roughly half of his or her effort validates the challenge while the other half is captured as work.

If you need a CAPTCHA service for your web site, then the CMU reCAPTCHA service is a nice way to provide that functionality and get your users to give back a little to education by archiving human knowledge through helping to digitize books in the process. There is an ASP.NET library for reCAPTCHA here and library modules for other programming languages and application plug-ins are available here.
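To make the "solved plus unrecognized" mechanism concrete, here is an added toy model in Python. It is not code from this post or from the reCAPTCHA project: the word lists, scan identifiers, agreement threshold and the plain-text stand-ins for the distorted images are all constructed for the demonstration. The server validates the respondent on the control word only, discards everything from a response that fails that word, makes each challenge id single-use so a solved response cannot be replayed, and accepts a transcription of an unknown word once enough independent respondents agree on it.

```python
import secrets
from collections import Counter

# Constructed sample data, not the real reCAPTCHA corpus: words whose text the
# server already knows, and scan identifiers for words OCR could not read. The
# true text of the unknown scans is held here only so the demo can "render" them.
KNOWN_WORDS = ["harbor", "lantern", "quill"]
UNKNOWN_SCANS = {"scan-17": "morning", "scan-42": "candle"}
AGREEMENT_THRESHOLD = 3  # independent matching transcriptions needed to accept an unknown word


def normalize(answer):
    """Tolerate case and surrounding whitespace only; everything else must match."""
    return answer.strip().lower()


class ReCaptchaServer:
    """Toy model of the two-word scheme: one control word whose text is known
    validates the respondent; the other word's transcription is collected as work."""

    def __init__(self):
        self.pending = {}                                    # challenge_id -> [(kind, value), (kind, value)]
        self.votes = {s: Counter() for s in UNKNOWN_SCANS}   # scan_id -> transcription -> count
        self.digitized = {}                                  # scan_id -> accepted transcription

    def issue_challenge(self):
        """Return a single-use challenge id and the two words as the human sees them."""
        undecided = [s for s in UNKNOWN_SCANS if s not in self.digitized]
        slots = [("known", secrets.choice(KNOWN_WORDS))]
        if undecided:
            slots.append(("unknown", secrets.choice(undecided)))
        else:  # nothing left to digitize: fall back to a second control word
            slots.append(("known", secrets.choice(KNOWN_WORDS)))
        secrets.SystemRandom().shuffle(slots)  # the respondent cannot tell which word is the control
        cid = secrets.token_hex(16)
        self.pending[cid] = slots
        # Plain text stands in for the distorted images a real deployment would render.
        shown = [UNKNOWN_SCANS[v] if kind == "unknown" else v for kind, v in slots]
        return cid, shown

    def verify(self, cid, answers):
        """Accept the response only if every control word matches; then, and only
        then, record the answer for the unknown word as a transcription vote."""
        slots = self.pending.pop(cid, None)  # single use: a solved response cannot be replayed
        if slots is None or len(answers) != len(slots):
            return False
        answers = [normalize(a) for a in answers]
        for (kind, value), answer in zip(slots, answers):
            if kind == "known" and answer != value:
                return False  # failed the control word: the other answer is discarded too
        for (kind, value), answer in zip(slots, answers):
            if kind == "unknown":
                self._record_vote(value, answer)
        return True

    def _record_vote(self, scan_id, transcription):
        if scan_id in self.digitized:
            return
        self.votes[scan_id][transcription] += 1
        if self.votes[scan_id][transcription] >= AGREEMENT_THRESHOLD:
            self.digitized[scan_id] = transcription


def run_demo(rounds=8):
    """Simulate honest respondents solving `rounds` challenges and return the
    transcriptions the server accepted along the way."""
    server = ReCaptchaServer()
    for _ in range(rounds):
        cid, shown = server.issue_challenge()
        assert server.verify(cid, shown)       # an honest human reads both words correctly
        assert not server.verify(cid, shown)   # replaying the same challenge id is rejected
    return server.digitized


if __name__ == "__main__":
    # With a threshold of 3 and two unknown scans, six honest rounds digitize both.
    print(run_demo())
```

The design point is that a bot which fails the control word contributes nothing: its answer for the unknown word is dropped rather than polluting the corpus, and agreement across several independent respondents is required before a transcription is trusted.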

Posted by Jorgen Thelin at 04:40 PM

April 24, 2008

• Live Mesh - Technology Preview

Microsoft's new Live Mesh (available as a limited technology preview) combines hosted services for storage, sharing files and peer-to-peer connections to allow multiple different devices to work together and users to access updated applications from anywhere.

Live Mesh puts you at the center of your digital world, seamlessly connecting you to the people, devices, programs, and information you care about - available wherever you happen to be.

Live Mesh Desktop

The design goals for Live Mesh are to have ...

  • ... your devices work together
  • ... your data and applications available from anywhere
  • ... the people you need to connect with just a few clicks away for sharing and collaborating
  • ... the information you need to stay up-to-date and always be available

Mesh achieves these design goals by combining the power of "cloud services", with the convenience and rich experience of your many devices.

Overview of Live Mesh platform experience

Resources

Posted by Jorgen Thelin at 08:00 AM

April 18, 2008

• PayPal to Ban Browsers without Anti-phishing Technology

This is another step in the right direction to make the web a safer place:

Online payment service PayPal plans to block users from making transactions from Web browsers that don't provide anti-phishing protection.

http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/

http://news.bbc.co.uk/2/hi/technology/7354539.stm

In a white paper that outlines a five-pronged action plan aimed at slowing the phishing epidemic, PayPal Chief Information Security Officer Michael Barrett said there's a "significant set of [PayPal customers] who use very old and vulnerable browsers" and made it clear that any browser that falls into the "unsafe" category will be banned.
"In our view letting users view the PayPal site on [an unsafe] browser is equal to a car manufacturer allowing drivers to buy one of their vehicles without seatbelts."

So if you're a browser maker that doesn't provide any anti-phishing protection and doesn't support the use of EV (Extended Validation) SSL certificates, then you had better get an update out soon!

Posted by Jorgen Thelin at 10:41 AM

April 17, 2008

• No Talkback

After a lot of effort trying to fight comment and traceback spam, I'm afraid I've finally had enough and decided to turn off all the comment and traceback features on this weblog. Sorry, but some bad guys are ruining everything for the rest of us in the blogosphere.

Posted by Jorgen Thelin at 10:09 PM

March 25, 2008

• Delivering Data Portability (Part 2) - Sharing Contacts Between Social Networks

Today sees another huge step forward for the social networking world by enabling sharing of contacts and friends lists BETWEEN different social networks - yet in a safe and secure way that firmly gives users the choice of how to use and control their information.

In a move that further demonstrates Microsoft's commitment to user-centric data portability, Microsoft has partnered with some of the world's top social networks to make data portability for contacts a reality.

Earlier this month at MIX08, Microsoft announced the release of the Windows Live Contacts API, which web developers can use to enable their users to transfer and share their Windows Live Contacts in a safe and secure way. Starting today, Microsoft is working with Facebook, Bebo, Hi5, Tagged and LinkedIn to exchange functionally-similar Contacts APIs, allowing all partners to create a safe, secure two-way street for users to move their relationships between our respective services.

Along with these collaborations, Microsoft is introducing a new web site at www.Invite2Messenger.net that people can visit to invite their friends from our partner social networks to join their Windows Live Messenger contact list.

For quite some time now, Microsoft has been making investments in the pursuit of data portability to put users at the center of their online experience, while at the same time being thoughtful about balancing user security and privacy with the experience. Today’s announcement is another step in that direction.

More details about this announcement, and the principles that underlie it, can be found on this blog posting on dev.live.com by John Richards.

Resources

Update: Angus Logan provides a detailed look at how the sharing experience works for the first two implementations - Facebook and Bebo - including some great screenshots.
Two way contact APIs with the top Social Networks and Windows Live - invite to WL from Facebook; invite to Bebo or facebook from Windows Live - SAFELY!

Posted by Jorgen Thelin at 01:00 AM

March 16, 2008

• First Law of Password Hygiene

Since moving to a team that handles the user accounts for everyone who uses any of Microsoft's web properties, I've started to take a much more informed look at how I use my own account credentials and which web sites and applications I hand those credentials over to.

Angus Logan posted a great summary of the way Microsoft and Windows Live handles credential capture, which is worth a detailed read by everyone:

No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts).
Any other web site which asks you for your credentials may not be evil.com but they could be sloppy coders or they could be hacked -- putting your credentials at risk of being stolen.

login.live.com

This equates to the First Law of Password Hygiene:

Only hand over your account credentials to your Identity Provider (for example, Windows Live ID).
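The rule above can also be mechanised, for instance in a password manager or browser extension that decides whether to fill in a Live ID password at all. The following is an added example in Python, not code from this post or from Microsoft: it accepts a URL only when the scheme is https and the host is exactly one of the identity provider hosts named above (login.live.com, accounts.live.com), and rejects the usual impostors - lookalike hostnames, userinfo tricks such as `https://login.live.com@evil.example/`, odd ports and plain http. The sample URLs are constructed.

```python
from urllib.parse import urlsplit

# The identity-provider hosts named in the post; nothing else may receive Live ID credentials.
IDENTITY_PROVIDER_HOSTS = frozenset({"login.live.com", "accounts.live.com"})


def is_identity_provider_url(url, allowed=IDENTITY_PROVIDER_HOSTS):
    """Return True only when `url` is an https URL whose host is exactly one of
    `allowed`. Lookalike hosts, userinfo tricks, odd ports and plain http fail."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError for a malformed port such as ":abc"
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False               # credentials never travel over plaintext
    if parts.username is not None or parts.password is not None:
        return False               # https://login.live.com@evil.example/ actually targets evil.example
    if port not in (None, 443):
        return False
    host = parts.hostname          # already lowercased by urlsplit, port and brackets removed
    if not host:
        return False
    # Exact match only: "login.live.com.evil.example" or "login-live.com" never match,
    # and a non-ASCII lookalike hostname can never equal an ASCII allowlist entry.
    return host.rstrip(".") in allowed


def classify(urls):
    """Map each URL to whether a credential form there should be trusted."""
    return {u: is_identity_provider_url(u) for u in urls}


# Constructed sample URLs: two legitimate sign-in pages and several impostors.
SAMPLE_URLS = [
    "https://login.live.com/login.srf",
    "https://accounts.live.com/",
    "http://login.live.com/login.srf",
    "https://login.live.com.evil.example/login.srf",
    "https://login.live.com@evil.example/login.srf",
    "https://login-live.com/",
]

if __name__ == "__main__":
    for url, ok in classify(SAMPLE_URLS).items():
        print("trusted " if ok else "REJECT  ", url)
```

The check deliberately uses an exact host allowlist rather than a suffix match: suffix matching is what lets `login.live.com.evil.example` through.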

Posted by Jorgen Thelin at 03:49 PM

March 11, 2008

• 10 Immutable Laws of Security

After yesterday's net-buzz about a rogue mailbox archive application, it's worth reminding ourselves about a classic security article: 10 Immutable Laws of Security.

  • Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
  • Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore
  • Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore
  • Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more
  • Law #5: Weak passwords trump strong security
  • Law #6: A computer is only as secure as the administrator is trustworthy
  • Law #7: Encrypted data is only as secure as the decryption key
  • Law #8: An out of date virus scanner is only marginally better than no virus scanner at all
  • Law #9: Absolute anonymity isn't practical, in real life or on the Web
  • Law #10: Technology is not a panacea

Item #1 is particularly important in relation to yesterday's news!
If you install an application on your machine, you are implicitly granting it a certain level of trusted access -- so you better be sure you know and trust the source of that application.

Posted by Jorgen Thelin at 09:00 AM

March 10, 2008

• The Need for Delegated Authentication

The net is abuzz today about a scam application that is stealing people's Gmail account credentials.
Or rather, the app is misusing those account credentials when people hand them over to the application.

Sound familiar? Yes, that's exactly the sort of issue that Windows Live ID Delegated Authentication is intending to combat.

If I think about an archiver application for an online mailbox, then I would want to allow it to do only this action on the user's behalf:

  • Read a copy of each e-mail in your mailbox

But NOT allow it to do these things:

  • Send e-mail on your behalf
  • Delete items in your mailbox
  • Access any of your other data (Contacts, Calendar, etc.) apart from your mailbox

So how does Delegated Authentication help in this case?

Delegated Authentication is a way to permit access to personal information, but with more precise control over access and usage permissions than the current binary decision (that is, fully on or fully off) that comes with the generally bad practice of handing over your account credentials to another Web site.

[ Delegated Auth Whitepaper ]

In other words, if I were using this particular app, I would want to grant it something like a Mailbox.Read permission only, but not Mailbox.Write or Mailbox.Send or Calendar.Read or Contacts.Read, and definitely not give it my full account credentials.

The core principles here are that people should scope the permissions they grant to an application to access their data in the cloud, and they should get out of the bad habit of handing over their account credentials (such as passwords).

Angus Logan posted an impassioned statement showing why Live ID users should only ever enter their account credentials into their identity provider (login.live.com), which is a timely reminder to all Live ID users.

We also took a very strong stance on this in the Delegated Auth Whitepaper:

Only hand over your password and account credentials to your identity provider (for example, Windows Live ID), and to NO ONE else.

Hopefully today's issue will act as a wake-up call to the industry and result in a very serious look at consent-based data access techniques like Windows Live ID Delegated Authentication.
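To make the scoping in the archiver scenario concrete, here is an added toy model in Python. It is not the Windows Live ID Delegated Authentication protocol, its token format or its SDK: the identity provider issues a signed, expiring, revocable token that carries only the permissions the user consented to, and the mailbox service checks the required permission on every call, so an application holding a Mailbox.Read token can read mail but cannot send, delete or act as a different application. The permission names follow the post; the HMAC signing scheme, the `app_id` that stands in for an authenticated caller identity, and the sample mailbox contents are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed permission names, mirroring the ones in the post; not a real offer catalogue.
OFFERS = {"Mailbox.Read", "Mailbox.Write", "Mailbox.Send", "Contacts.Read", "Calendar.Read"}


class IdentityProvider:
    """Issues and checks scoped delegation tokens. The user authenticates here and
    consents to a scope list; the application only ever receives the token."""

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)   # assumed: a server-side HMAC key
        self.revoked = set()                        # token ids the user has withdrawn consent for

    def grant(self, user, app_id, scopes, ttl=3600, now=None):
        scopes = set(scopes)
        unknown = scopes - OFFERS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")
        claims = {
            "sub": user, "app": app_id, "scopes": sorted(scopes),
            "exp": int(now if now is not None else time.time()) + ttl,
            "jti": secrets.token_hex(8),
        }
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
        return body + "." + hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()

    def validate(self, token, now=None):
        """Return the claims if the token is authentic, unexpired and not revoked, else None."""
        try:
            body, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                             # tampered or issued by another provider
        claims = json.loads(base64.urlsafe_b64decode(body))
        current = now if now is not None else time.time()
        if claims["jti"] in self.revoked or claims["exp"] <= current:
            return None
        return claims

    def revoke(self, token):
        """The user withdraws consent; the application's token stops working immediately."""
        claims = self.validate(token)
        if claims is not None:
            self.revoked.add(claims["jti"])


class MailboxService:
    """A resource service that enforces the granted scopes per operation. `app_id`
    stands in for the caller identity the service would establish by authenticating
    the application itself (assumed here, not shown)."""

    def __init__(self, idp):
        self.idp = idp
        self.mail = {"alice": ["Invoice #1 (constructed)", "Lunch? (constructed)"]}
        self.outbox = []

    def _authorize(self, token, app_id, scope):
        claims = self.idp.validate(token)
        if claims is None or claims["app"] != app_id:
            raise PermissionError("invalid token, or token issued to a different application")
        if scope not in claims["scopes"]:
            raise PermissionError(f"{app_id} was not granted {scope}")
        return claims

    def read_all(self, token, app_id):
        claims = self._authorize(token, app_id, "Mailbox.Read")
        return list(self.mail.get(claims["sub"], []))

    def send(self, token, app_id, to, body):
        claims = self._authorize(token, app_id, "Mailbox.Send")
        self.outbox.append((claims["sub"], to, body))

    def delete(self, token, app_id, index):
        claims = self._authorize(token, app_id, "Mailbox.Write")
        del self.mail[claims["sub"]][index]


def forge_scope(token, scope):
    """Rewrite the claims to add `scope` while keeping the original signature; used
    only to show that the service rejects a token whose scopes were edited."""
    body, sig = token.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(body))
    claims["scopes"] = sorted(set(claims["scopes"]) | {scope})
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    return body + "." + sig


def demo():
    """The archiver scenario from the post: a Mailbox.Read-only grant."""
    idp = IdentityProvider()
    svc = MailboxService(idp)
    token = idp.grant("alice", "archiver", ["Mailbox.Read"])
    outcome = {"read": len(svc.read_all(token, "archiver"))}
    attempts = [
        ("send", lambda: svc.send(token, "archiver", "bob@example.test", "hi")),
        ("delete", lambda: svc.delete(token, "archiver", 0)),
        ("other_app", lambda: svc.read_all(token, "some-other-app")),
    ]
    for name, call in attempts:
        try:
            call()
            outcome[name] = "allowed"
        except PermissionError:
            outcome[name] = "denied"
    idp.revoke(token)
    outcome["after_revoke"] = "denied" if idp.validate(token) is None else "allowed"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The password never leaves the identity provider, the application gets a token that names exactly the permissions the user agreed to, and the user can end the relationship by revoking that token rather than by changing a password that several applications may have cached.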

Posted by Jorgen Thelin at 11:52 AM

March 08, 2008

• Windows Live ID at MIX08

After the announcement of the launch of the new Windows Live Platform enhancements, the new technology got lots of coverage in sessions at MIX08 last week.

Here's the MIX08 presentation from Angus Logan covering the overall Windows Live Platform developer functionality, and heavily emphasizing lots of great Live ID technology.

The 3D Virtual Earth geo-coding example around 59:00 through 1:00:29 is really cool too!

Developing with Windows Live Platform
http://sessions.visitmix.com/?selectedSearch=T29

Posted by Jorgen Thelin at 10:00 AM

February 28, 2008

• Delivering Data Portability - Delegated Authentication SDK v1.0

Today the Windows Live ID team released the Delegated Authentication SDK v1.0, which provides a platform-neutral way for Web applications to access customers' information from Windows Live services while the customers remain in firm control of their own data.

This is a big step in delivering real, user-centric data portability - giving Windows Live customers explicit control over sharing their information from Windows Live services.

Full details are on the Windows Live ID team blog and the Windows Live Developer portal.

Posted by Jorgen Thelin at 07:30 AM

February 24, 2008

• Third Age of Networked Identity

Forgive me blogosphere, for I have sinned – it’s been five months since my last post! ;-)

You may have wondered why my blog has been “dark” for so long, and the short answer is that I moved to a new role at Microsoft in September 2007 and at about the same time had to deal with a series of illnesses in the family, which occupied a great deal of my time and attention.

Winding back to September then … After 4 years of working on Web Service Standards and Interoperability at Microsoft (involving 21 WS-* specifications, 8 Feedback Workshops, 13 Interop Workshops and 4 Plug-fests), I’ve changed roles.

I’ve moved back to my software roots, and taken a technical role as a Feature PM in the Windows Live Identity Services (aka Live ID / Passport) product development team.

Live ID [1], [2] is an interesting place to learn about world leading software-as-a-service - the team runs one of the biggest authentication services on the web today - handling over 400 million active users and over 1 billion transactions per day!

Interestingly, much of the current and future work of the Live ID team is focusing on leveraging web services technology and appropriate standards such as WS-Trust / WS-Federation to achieve broad interoperability and deployment for Live ID technology in the industry.

Web services and standards-based interoperability are playing a key role in creating a network effect around identity data, which IMHO is one of the significant themes driving forward the "Third Age of Web Services" [3].

So in some ways then, I am really just moving from the sell-side to the buy-side of the standards business!

[1] http://dev.live.com/liveid/
[2] http://msdn2.microsoft.com/en-us/library/bb288408.aspx
[3] http://www.thearchitect.co.uk/weblog/archives/2005/05/000357.html

Posted by Jorgen Thelin at 12:00 PM