Archive for July, 2007

iPhone, iPod, iThinkNot

Thursday, July 19th, 2007

I’ve had this as a partially written topic in my blog list for nearly two weeks and am just now getting around to finishing it. So it’s not as topically timely as I’d have liked, but what the heck. Also not in any way security related. This one falls under the “digital lifestyle” category mentioned in my Obligatory First Post Introduction. Brace for incoming rant…

Yes, I have an iPod. Yes, I use iTunes. No, I don’t like either of them particularly well. I am on the constant lookout for anything better. As a matter of fact, I preferred my Dell Jukebox and if I hadn’t made the mistake of buying a 60GB Video iPod and could rationalize just throwing the thing away, I’d probably go get another Jukebox or… gasp… Zune.

Blasphemy! Heresy! Careful, you’re about to make one of my points for me. I dislike the iPod for the following reasons:

  1. $350 for a product clearly built to be disposable. You think I’m down on iPods, you should speak with my wife who’s crazily on her 4th iPod. Only 1 failed in the first year so it could get replaced under warranty. Needless to say, she’s purchased her last. Me? Mine won’t turn off at periodic intervals until it’s been allowed to drain its battery completely. Not good when you’re trying to eke out every minute on a long day’s travel schedule. Would an actual power switch really screw up the legendary Apple design aesthetic? Microsoft actually extended their warranty to 3 years from 1 for putting out a substandard Xbox 360. Why is no such pressure being brought to bear on iPod? I know many folks with the same experience, so mine is not a lone case.
  2. No songlist management on the actual device. Want to set up a list and name it while sitting killing time on a plane? Sorry, no go. Sure you can create one of those “on the go” things, but set the order or name it for use later, nope. Forget even trying to manage the names of songs or information on the device. Sorry, but this was something I was used to on my Jukebox that seemed like a feature that would of course be on the “superior” iPod. Imagine my dismay when I found out otherwise.
  3. iTunes bites as badly as every other music management software application out there. I’m not sure what makes this piece of junk such a cornerstone of wonderment when the topic of iPod comes up. It’s a system pig, and it doesn’t really offer anything special in regard to system, song or content management. Is it the iTunes Store that is the big deal? Read on…
  4. iTunes Store. Pay to have someone mess with where, when, how I want to play my music? No dice. My wife again blazed trails here and has a large block of legally purchased music she can’t access and even Apple hasn’t been able to figure out why or bother to fix it. Consequently, I use a 3rd party application to manage my music on my iPod and my music comes from any other source than iTunes.
  5. I have always had, even when much younger, an anti-cool attitude. The iPod craze definitely fits into the painfully cool category. It’s more of a fashion craze than a product. Are $200 basketball shoes really that much better than $75 off-brand shoes? Nope, but apparently in the wrong neighborhoods or cliques, they really matter to some folks. Ahem… shallow folks.

As you can imagine then, I’m not real keen to rush out and buy a v.1.0 iPhone. I suspect a fair amount of quality problems. I’m not wishing that for anyone, mind you. I’ve just been taught a hard lesson by Apple’s iPod history.

I’ve also got a real problem with what appears to be a pretty closed platform approach by Apple. I’ve encountered this in my professional life as a vendor trying to use standards that work everywhere else except on Apple controlled bits and it really rubs me the wrong way. I always thought Microsoft was the big, bad bully. (Don’t get my anti-cool dander up over those offensively cute Apple vs. MS TV commercials.)

My phone / PDA is a serious tool that I depend on for business and personal communications and handheld computing utilities. I already can surf, look at pictures, watch video and yes, listen to music on my Treo, and I’ve had it for over a year without a hint of it needing to be replaced (and it turns off quite readily when I ask it to). Of course, given that I can do all this, I really have never even had any real need to do so. I’ve listened to a few podcasts, a little music and even watched some game trailer .wmv’s on it, but not enough to warrant shelling out $600 to swap it for another touchscreen-only device. Heck, I’m shelling out $600? I’ll go pick up a PS3. Funny that folks scream long and loud about how ridiculously high-priced the PS3 is, but will go stand in line for days to spend the same money on something significantly less powerful or useful and far more vulnerable to loss or breakage. Consumers? Who can figure ‘em out, eh?

So what’s my plan?

  • Stand back and see what the reality of the iPhone’s quality, usability and openness over the next year turns out to be while I continue to drive ROI out of my Treo.
  • Increasingly use my iPod as a nice portable backup device. Currently 60% of my iPod is storing backup data, 30% has music, 5% has podcasts (accounts for about 98% of my listening time) with 5% free space.
  • I use Urge to mess with my music on my PC and consequently suspect my next hardware purchase will be a Zune or iRiver device, though I continue to research what’s new. I really think that these music devices are all hideously overpriced and that there’s a huge sweet spot for someone to come out with a 50GB+ device for $199 with some actually decent software and really grab the market’s attention. Of course, not the attention of the really cool kids though.

Rant… OFF.

Armored Transactions

Monday, July 2nd, 2007

Yours truly was interviewed by Kelly Jackson Higgins, Senior Editor, Dark Reading last week about TriCipher’s latest product announcement, Armored Transactions. Go ahead and read up over there. When you come back I’ll lay out a few more details for you.

Kelly did a nice job capturing the essence of Armored Transactions, but as the tired saying goes, “pictures speak a thousand words”. The diagram below lays out the basic armored transaction flow:

[Figure: Armored Transaction Flow]

First a couple of things to note:

  • As you can see, the user is already protected from a man-in-the-middle (MITM) attack where the attacker is out on the internet in some manner. While the industry is only beginning to awaken to the realities of this type of attack now that they are occurring, we’ve worked to educate and protect our customers against this kind of attack for years.
  • So what are we protecting against with Armored Transactions? Essentially, what we and others are referring to as man-in-the-browser attacks. Technically, this is also a man-in-the-middle attack since the attacker is between the victim and the target, but the attacker has moved one step closer to the user. As nicely highlighted in the Dark Reading article, the technical vector used by the attacker is immaterial. The attack may be a browser helper object (BHO) of one variety or another or some other mechanism that essentially disconnects what the user believes they are doing in the browser from what is actually being submitted over the wire.
  • How does this attack bypass the “over the wire” MITM protections shown by the green pipes in the diagram above? The attacker has gotten close enough to the user to get ahead of the SSL stack and manipulate the session contents before they are submitted to the secure tunnel.

Now let’s walk through the actual process flow. The Scenario: Attacker has gotten a foothold at some point to manipulate the browser such that what the victim is inputting is actually different from what the attacker is submitting on the victim’s behalf.

  1. Victim submits $200 to Bob’s Garage and the attacker changes it to $500 to BadGuy Offshore.
  2. The Bank application posts the transaction to the TriCipher ID Vault for confirmation.
  3. The ID Vault has a separate secure MITM-proof connection to the ID Tool on the user’s PC. The ID Tool runs outside the browser and consequently can securely receive the transaction exactly as the Bank received it. I choose to refer to this as a “side-band” communication instead of an “out-of-band” situation, as the communication is still over the internet rather than to a phone or other non-PC device. At this point, on the same screen, the victim is given the opportunity to view both what they intended and what was received at the Bank. If there’s a problem, the lie is exposed because the browser and ID Tool contents will differ. Obviously, the user will “Decline” this BadGuy Offshore example.
  4. However, if the transaction matches up, the user would click “Approve” and provide their password to approve. This is of course an optional workflow, as a simple click of an “Approve” button could also be used. Another option provided by the powerful nature of TriCipher credentials is that the transaction can be digitally signed to strengthen the non-repudiation environment for the transaction.
  5. The approved transaction is sent back to the application where it is cleared for processing.

Actually pretty simple and straightforward. No extra devices for the user to deal with, same GUI environment they are familiar with for authentication, one less attack vector for criminals to exploit.
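To make the five-step flow and the MITM vs. man-in-the-browser distinction above concrete, here is an added toy simulation. It is example code written for this page, not TriCipher’s product code, and it makes assumptions the post does not spell out: the bank, ID Vault and ID Tool are plain Python functions; the TriCipher credential is stood in for by an HMAC-SHA256 secret shared between the ID Tool and the ID Vault; and the “browser helper object” is a one-line function that rewrites the form before the SSL stack sees it, exactly as in the $200 / $500 scenario. The point it demonstrates is that the side-band comparison catches the mismatch, and that the signed approval covers the transaction the bank actually received, so the Vault can only clear what the user actually saw.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_usd: int


def canonical(tx: Transaction) -> bytes:
    # Deterministic encoding so the ID Tool and the ID Vault sign and compare identical bytes.
    return json.dumps(asdict(tx), sort_keys=True, separators=(",", ":")).encode()


# Constructed stand-in for the TriCipher credential: a secret shared between the
# user's ID Tool and the ID Vault. (Assumption; the real credential scheme is not
# described in the post.)
ID_TOOL_SECRET = b"constructed-demo-secret-not-a-real-key"


def browser_submit(intended: Transaction, mitb=None) -> Transaction:
    """Step 1: what the browser puts on the wire. A man-in-the-browser hook runs
    before the SSL stack, so the TLS tunnel (the green pipes) faithfully carries
    the tampered transaction and the over-the-wire MITM protections never fire."""
    return mitb(intended) if mitb is not None else intended


def id_tool_review(intended: Transaction, received: Transaction, password_ok: bool) -> dict:
    """Steps 3-4: the ID Tool, outside the browser, is handed the transaction the
    bank actually received over the side-band channel and shows it beside what
    the user typed. The user's decision is simulated: Approve only when both
    match and the password check passed; otherwise Decline and show the lie."""
    if canonical(intended) != canonical(received):
        return {"decision": "Decline",
                "browser_said": asdict(intended),
                "bank_received": asdict(received)}
    if not password_ok:
        return {"decision": "Decline", "reason": "password"}
    # Optional signing step: the approval is bound to exactly these bytes.
    sig = hmac.new(ID_TOOL_SECRET, canonical(received), hashlib.sha256).hexdigest()
    return {"decision": "Approve", "tx": asdict(received), "signature": sig}


def id_vault_verify(received: Transaction, review: dict) -> bool:
    """Step 5 (Vault side): clear only an Approve whose signature covers exactly
    the transaction the bank posted for confirmation."""
    if review.get("decision") != "Approve":
        return False
    expected = hmac.new(ID_TOOL_SECRET, canonical(received), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, review.get("signature", ""))


def armored_transaction(intended: Transaction, mitb=None, password_ok: bool = True) -> dict:
    """Runs the whole flow and reports what the bank ends up doing."""
    received = browser_submit(intended, mitb)                  # step 1, as the bank sees it
    review = id_tool_review(intended, received, password_ok)   # steps 2-4 via the ID Vault
    cleared = id_vault_verify(received, review)                # step 5
    return {"bank_received": asdict(received),
            "decision": review["decision"],
            "cleared": cleared}


def malicious_bho(tx: Transaction) -> Transaction:
    """Constructed stand-in for the post's scenario: the in-browser hook rewrites
    the form contents before submission."""
    return Transaction(payee="BadGuy Offshore", amount_usd=500)


if __name__ == "__main__":
    intended = Transaction(payee="Bob's Garage", amount_usd=200)
    print("clean browser :", armored_transaction(intended))
    print("hooked browser:", armored_transaction(intended, mitb=malicious_bho))
```

Two design points worth noticing: the comparison happens on the canonical bytes the bank received rather than on whatever the browser displays, which is the whole reason the ID Tool has to live outside the browser; and the Vault verifies the signature against the transaction it posted, so a hook that could somehow forge an “Approve” without the credential still cannot get a different transaction cleared.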