
Authentication Attacks


Comment on the T-Mobile Attack

I'm sure everyone (in security) has seen the article at Security Focus about the T-Mobile attack and probably some of the great commentary about it, especially here.


I only have one comment: Everyone write your bank, cellular company, credit card company, utility companies and tell them that you want strong authentication and you want it now.


OK, so that is very self-serving. ;)



How about this: If you have a Sidekick, would you be willing to test our J2ME client to see if it works?


Why the world needs two-factor authentication

Here is a great article about why passwords just don't cut it. No mention of WiKID's two-factor authentication system. Too bad.

They do mention SecurID by RSASecurity as "Unfortunately the most well-known two factor authentication solution. Unreasonably expensive, not well supported on non-Windows platforms and generally not very flexible."


Who am I to argue?



The article is here: http://mongers.org/authentication


Flaw in mail list compromises password file

There are a number of things that make passwords increasingly unusable. One of the biggest problems with passwords is that you're supposed to use different ones for different systems. It's a no-no to use the same password in multiple places because if one gets compromised, then the other systems are compromised.


In the recent compromise of the Full Disclosure mailing list, attackers got passwords and usernames, in this case e-mail addresses. If that is a corporate e-mail address, what is the likelihood (even on a security mailing list) that the same password would get you into the corporate VPN? Pretty high, I would think.


This points out the frailty of passwords. They increasingly look like a house of cards in the Internet age. Here's my solution (since not everyone is using WiKID's two-factor authentication solution): I have a set of passwords that I use. All are complex, meaning, for me, 8-12 random alphanumeric characters. I have one for personal non-secure sites (list servs, forums, developer programs, etc.), one for e-mail accounts (yahoo, gmail, hotmail, etc.), one for personal financial sites (online banking, credit cards), one for non-root corporate PCs and one for root on my corporate PCs. Of course, we use WiKID for remote access to servers, etc. within WiKID.


This system works pretty well, but I often run into problems. Some sites want passwords that are more complex than mine. I also have multiple user names. Some sites won't let me use nowen or nickowen. At gmail, I'm owen.nick. Some places want an e-mail address, so I give them one of my non-corporate addresses to keep the offers to a minimum. The worst are the sites that choose a password for you, then e-mail it to you. What is the point of that? There are plenty of less obnoxious ways to validate an e-mail address. At the AT&T Wireless developers site, they assigned my user name to me as wowen and then e-mailed me a password. I don't think I have been back.


Many people think that federated identity is an answer, but I think that's going to happen quickly and when it does happen it will be where there is an economic incentive for the companies to share your information, which may not be in your best economic interest as a consumer.


One of the key benefits of WiKID is our ability to handle multiple "domain relationships", each individual and unaware of the others. You could use the same PIN across multiple sites as each site. In the unlikely event that your encrypted PIN is compromised on the hardened WiKID server, they will still need to get your private key off your WiKID client. If they get your private key, they will still need to get your PIN and try it against the WiKID server. A brute force attack would quickly be noticed and the account deactivated.
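As an added illustration of the layering described above (example code written here, not WiKID's code or protocol): a toy server in which every (user, domain) registration is independent, a login needs both the device key and the PIN, and repeated failures deactivate that registration. The device key is a symmetric HMAC secret standing in for the client's private key; the class and function names, the five-failure limit and the sample user are assumptions.

```python
import hashlib, hmac, os, secrets

FAIL_LIMIT = 5           # assumed policy: failures per registration before deactivation
PBKDF2_ROUNDS = 100_000  # slow salted hash for the stored PIN

def pin_hash(pin, salt):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

def client_tag(device_key, nonce):
    """Client side: prove possession of the device key for one server challenge."""
    return hmac.new(device_key, nonce, "sha256").digest()

class AuthServer:
    """Hypothetical PIN-plus-device-key server (not WiKID's real protocol).
    Every (user, domain) pair is its own registration with its own salt, PIN hash,
    device key and failure counter, so one domain's record is useless against another."""

    def __init__(self):
        self.reg = {}

    def register(self, user, domain, pin):
        salt = os.urandom(16)
        device_key = secrets.token_bytes(32)  # stands in for the client's private key
        self.reg[(user, domain)] = {"salt": salt, "pin_hash": pin_hash(pin, salt),
                                    "device_key": device_key, "fails": 0,
                                    "active": True, "nonce": None}
        return device_key  # handed to the client once, at enrolment

    def challenge(self, user, domain):
        rec = self.reg[(user, domain)]
        rec["nonce"] = os.urandom(16)
        return rec["nonce"]

    def authenticate(self, user, domain, pin, tag):
        rec = self.reg.get((user, domain))
        if rec is None or not rec["active"] or rec["nonce"] is None:
            return False
        nonce, rec["nonce"] = rec["nonce"], None  # each challenge is single use
        # Factor 1: possession of the device key, shown by a MAC over the challenge
        key_ok = hmac.compare_digest(client_tag(rec["device_key"], nonce), tag)
        # Factor 2: knowledge of the PIN, checked against the salted slow hash
        pin_ok = hmac.compare_digest(pin_hash(pin, rec["salt"]), rec["pin_hash"])
        if key_ok and pin_ok:
            rec["fails"] = 0
            return True
        rec["fails"] += 1
        if rec["fails"] >= FAIL_LIMIT:  # guessing is noticed: deactivate the registration
            rec["active"] = False
        return False
```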


http://news.com.com/Flaw+in+mail-list+software+leaks+passwords/2100-1002_3-5571576.html


Follow up on T-mobile Security

So this weekend, the blog started getting a ton of hits from google searches for "Paris Hitlon T-moble hacked SideKick" etc. I couldn't figure out why the big rush all of a sudden until I read the Register this a.m.

According to the Register, someone figured out her password. Time for me to lob another call to the CTO at Sidekick, perhaps? Think they might need a strong authentication system that runs on a java-enabled wireless device?

It's clear it's not Nicolas Jacobsen, who broke into T-Mobile previously and just pleaded guilty. (OK, so it's not 100% clear, but assume he's not 100% stupid.) The dates on the e-mails are from Saturday, Feb. 19th. Chances are it was just someone who watches her show and knows the name of her dog and that's what she uses as a password. Perhaps not, however; there are indications that T-Mobile's security is still lacking.

The Ethical Hacking and Computer Forensics blog recently posted on SQL Injection attacks and the T-Mobile site. Clearly T-Mobile needs to up their security. However, it is also incumbent upon Sidekick to improve their security. They have to recognize that passwords are simply not going to cut it in today's world.

If you want to supply technology to the consumer market, you will have to supply security that works in the consumer market. Strong passwords do not work in the consumer market. People hate them and forget them. Simple passwords clearly don't work either. It is time for consumer-friendly two-factor authentication.

If anyone knows Paris, let her know that I think she would be a great spokesperson for WiKID. ;) And if you googled your way here looking for the pictures and the address book, sorry. Keep looking.

SHA1 Broken

According to a number of places, but primarily Bruce Schneier, SHA-1 has been broken by a team of researchers in China. It's not time to panic if you're using it, but it is time to start thinking about a replacement.

Schneier notes that hashing isn't very well understood. Encryption, he notes, is much better understood and therefore more secure. Unlike RSA's SecurID and other token-based two-factor authentication systems, WiKID uses asymmetric cryptography in our WiKID Strong Authentication System.

It seems as though researchers are improving their ability to break hashing systems. Scott Contini and Yiqun Lisa Yin published a paper on Fast Software-Based Attacks on SecurID.

While their research isn't a smoking gun, they make a solid case for not recycling your tokens, which is frequently done.


Choicepoint's stock drops 10% in one day

As we have discussed elsewhere in this Blog, there is value in protecting your information assets. We've talked about the impact of information security breaches on stock price. Well, Choicepoint provides a good case in point. This was not a “hacker” attack as labeled in the popular press (further moving the definition of that word from its original meaning), but rather a traditional scam that took advantage of a lax credentialling process (yes, Irony with a capital I) that apparently is fax-based.

(Perhaps if this process were done electronically, Choicepoint's information security staff would have improved the controls. Their CISO won CISO of the Year in Atlanta last year.)

Choicepoint's stock dropped 10% yesterday. It is down to $39.30 from a 52-week high of $47.95 just earlier this month.

The market is reacting to a number of things. Choicepoint handled the affair poorly, notifying only California residents as required by law and not everyone. Georgia is now looking at a privacy law similar to SB1386. Regulation means increased costs. Choicepoint is trying to recover by offering to pay for credit monitoring services (probably provided by its former parent, Equifax) and it has stopped providing service to its 17,000 small business customers until they can be re-credentialled. That's more costs and less revenue. Finally, lawyers are starting to look at class actions – more uncertainty means more risk means higher cost of capital.

It brings up a point made before here: good companies have good processes that protect their assets. They have good information security as a result of that, not the other way around. I think information security and IT professionals are often disappointed that the rest of management doesn't understand that.


T-Mobile hacked again

Apparently, Fred Durst's T-Mobile account has been hacked and the attacker has posted a 3-minute sex video on the net.

While the headlines read that the attacker has "struck again", I wonder. Perhaps they struck once and held back some of their goodies to release over time, over the weekend so that it would hit the press and blogosphere hot on Monday.

Here is the Drudge report.


Lexis Nexis Breach

As Adam had pointed out, the Lexis Nexis breach was due to "misappropriation by third parties of IDs and passwords from legitimate customers".

With Bruce Schneier blogging that ChoicePoint is saying "Please Regulate My Industry", will there be a requirement that certain industries dealing with 'personal non-public' information use strong authentication for their customers?

Visa, Mastercard et al. now require strong authentication for merchants and processors over a certain size (dropping in June). I think Adam's point is valid: Strong authentication is not that expensive, and it's getting cheaper thanks to companies like us. Yet that industry hasn't taken advantage of existing technology to protect its information. Clearly they think that it is cheaper to take the risk than to invest in security.

Perhaps this is because they have insured over the risk. Perhaps instead of regulation the insurance industry should come up with a standard, like the credit card industry has, for companies that do business over the internet or that deal with confidential data, like Choicepoint, T-Mobile, Lexis Nexis, etc.
