<p>The WiKID Blog | WiKID Systems (http://www.wikidsystems.com/blog/, 2015-11-30T21:16:36+00:00): The WiKID Blog, musings on two-factor authentication, information security and some other stuff.</p>
<p><b>Hackers For Charity Challenge</b> (2015-11-30T21:16:36+00:00, <a href="http://www.wikidsystems.com/blog/author/admin/">admin</a>) http://www.wikidsystems.com/blog/hackers-for-charity-challenge/</p>
<p>This morning I saw a <a class="external-link" href="https://twitter.com/ihackstuff/status/664811441619410945" target="_self" title="">tweet from Johnny Long</a> about them being $2,700 in the hole due to unexpected baggage fees. As long-time admirers, we decided it was time to do something. So we gave $100 and committed to giving $100 per evaluation certificate created between now and Thanksgiving. No one wants to go into Thanksgiving in the hole.</p>
<p>We are going to make it extra, extra easy for y'all to set up a WiKID server and get an evaluation cert. We have created a VirtualBox OVA. Just download the image and use the quick-start configuration file to get an evaluation cert in three steps.</p>
<p>First, download this special <a class="external-link" href="http://wikidsystems-dl.com/HFC_VBox_special.ova.zip" target="_self" title=""><span class="external-link">WiKID VirtualBox image</span></a> (md5: 65434003098404ef5a348dc6ff4c3b89). It is configured for Bridged Networking. You can change that, but it is best if the server can get out to, and back from, our certificate server.</p>
<p>Log in as root/wikid. (Typically you would be prompted to change that, but since we bundled this up as a VirtualBox image, you won't be.) Run ifconfig to see your IP address. Now, copy the quick config file:</p>
<pre># cp /opt/WiKID/conf/sample-quick-setup.properties wikid.conf</pre>
<p>Then edit wikid.conf. Change the IP address and set the domaincode to your zero-padded IP (that is, 192.168.50.2 becomes 192168050002). Everything else is optional for our purposes (you making us give money away). Change the hostname to HFC.something. Run:</p>
<pre># wikidctl quick-setup configfile=wikid.conf</pre>
<p>And that's it. You should have created a cert. Ping us via Twitter if you want to remind us.</p>
<p>Run:</p>
<pre># wikidctl start</pre>
<p>When prompted for the passphrase, enter 'protectme' unless you changed it in the config file. You can now browse to https://yourip/WiKIDAdmin and see the server if you like. If you actually created a RADIUS network client, then all you need to do is register a token to a user and test.</p>
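<p>As an added example (not part of the original post and not WiKID's own tooling), here are the two checks worth scripting before running quick-setup: verifying the downloaded OVA against the md5 published above, and deriving the zero-padded domaincode from the server's IP so a typo cannot yield a code for the wrong address. The file path used at the bottom is a constructed stand-in, not the real download.</p>

```python
import hashlib
import ipaddress
import os
import tempfile

# md5 of HFC_VBox_special.ova.zip as published in the post above
HFC_OVA_MD5 = "65434003098404ef5a348dc6ff4c3b89"


def md5_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through md5 so a multi-GB OVA never sits in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_md5=HFC_OVA_MD5):
    """True only when the file's md5 equals the published value (case-insensitive)."""
    return md5_of_file(path) == expected_md5.lower()


def domain_code(ip):
    """Zero-pad each octet to three digits: 192.168.50.2 -> 192168050002.

    Anything that is not a valid IPv4 address raises ValueError, so a typo in
    wikid.conf fails loudly instead of producing a plausible 12-digit code.
    """
    addr = ipaddress.IPv4Address(ip)  # AddressValueError (a ValueError) on bad input
    return "".join(f"{octet:03d}" for octet in addr.packed)


def ip_from_domain_code(code):
    """Inverse of domain_code: 192168050002 -> 192.168.50.2."""
    if len(code) != 12 or not code.isdigit():
        raise ValueError("domain code must be exactly 12 digits")
    octets = [int(code[i:i + 3]) for i in range(0, 12, 3)]
    # bytes() rejects any 3-digit group above 255, e.g. 192168050256
    return str(ipaddress.IPv4Address(bytes(octets)))


if __name__ == "__main__":
    # Constructed sample: a throwaway file stands in for the OVA download.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"not the real OVA")
    try:
        print("download matches published md5:", verify_download(tmp.name))
    finally:
        os.unlink(tmp.name)
    print("domaincode for 192.168.50.2:", domain_code("192.168.50.2"))
```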
<p>Happy Holidays.</p>
<p><b>Accidental Rugged Devops</b> (2012-04-13T14:28:00+00:00, admin) http://www.wikidsystems.com/blog/accidental-rugged-devops/</p>
<p>This week at Secureworld Expo Atlanta, I had the pleasure of hearing <a href="http://www.realgenekim.me/">Gene Kim</a> talk about <a href="http://www.slideshare.net/realgenekim/security-is-dead-long-live-rugged-devops-it-at-ludicrous-speed">Rugged DevOps</a>. When I first ran into Gene, he was with someone I worked with previously at another start-up. That sent me down memory lane.</p>
<p>I was not a co-founder of that start-up, Derivion, but I was the COO and wrote their first business plan. This was in the early boom times. My first day we drove around Atlanta picking up $100,000 checks from angel investors. As one investor handed us a $100k check, he said "And I do want to see that business plan". I was in awe and retorted "Wow, how big of a check do you write after you see a business plan?"</p>
<p>Well, bigger checks. That firm in total raised $70 million. Unfortunately, it burned through that cash and sold for $12 million. It was a typical .com bubble story. I think that the amount of money we raised forced the company to target more and more markets (we did Electronic Bill Presentment and Payment Services). The need to feed the beast meant that no sale would be turned down and no prospect request ignored. Development was in Canada and Operations and Customer Service (my areas) were in Atlanta. The data center group was constantly getting code for deployments on Friday afternoon for delivery Monday. It was weekends of debugging and re-installing. We had capital, so we threw people at the problems. Didn't fix them. I left in frustration and co-founded another company, called iTendant, that did real estate workflow systems for office buildings.</p>
<p>It was still the boom, about mid-2000. We were able to raise an angel round of $1 million, partly because we had already recruited a team of people - we had the core of a great staff. We did prototypes, started selling and developing. Then the bubble burst, and we realized that things would be tight. We would not have a dedicated systems admin team, for example. The CTO would be responsible for development and operations. Our lead QA was also primary systems admin. If there were bugs in the code, the developers had to respond ASAP, even late at night.</p>
<p>While our focus wasn't on the speed of deployments - it was more on quality - I realized during Gene's talk that we were doing accidental Rugged DevOps. Our lack of capital forced us to focus on quality. There was no pushing problems downstream. There was no downstream.</p>
<p>From a financial standpoint, I consider iTendant a tie, which is probably generous. We sold to another company for about the amount of capital that was in the business. It was not great, but it gave everyone an option to keep working. Selling to the office market was just too tough at that time.</p>
<p>From a software standpoint, it was a great success. That code is Rugged. For a long time there was one developer still working for the company, but I'm pretty sure he left a while ago. Yet, <a href="http://www.servidyne.com/services/itendant-guest-and-service-requests/"> the product is still running</a>. It also reinforced my feeling that excess capital can make you lazy. Buy more hardware, hire more people. In reality, you should be seeking to go faster, do more with less all the time.</p>
<p>As an entrepreneur my mantra was always "Do it yourself, then hire someone to do it for you". Leverage people that are smarter, more focused and more specialized than you to scale your company. I still believe that's true, but now I first think: how can we automate this so no one has to do it? This discipline reduces capital expenses and operating expenses, creating a cash flow machine.</p>
<p><b>Product improvements, prospect relations and Bsides</b> (2010-09-28T17:00:00+00:00, admin) http://www.wikidsystems.com/blog/product-improvements-prospect-relations-and-bsides/</p>
<p>These past few weeks, we released 3 minor updates to our <a class="internal-link" href="http://www.wikidsystems.com/downloads/software-token-clients/" title="Token Clients">PC software token client</a>. These were all in response to a single prospect that is rolling out WiKID using the Web Start version of the WiKID PC software token. (The Web Start, or JNLP, version is an easy way to distribute the software token, especially if you don't have a software management system that can push software out to corporate laptops.)</p>
<p>Based on feedback from this prospect, we now do a better job of specifying the location of the private key storage on Windows and Linux, we allow a single, dedicated domain to be specified in advance for ease of use, and you can specify a custom jw.properties file for the Web Start software token. Taken together, these changes have created an easy-to-use, highly customizable, cost-effective solution for two-factor authentication.</p>
<p>More importantly, they show how vendors and prospects working together can create better solutions. WiKID and $prospect benefit, but so do future prospects. Competitors respond, improving their product, forcing us to improve in a virtuous circle. I've been concerned for a long time that the prospect-vendor relationship is strained at best, mostly broken, slowing down this process. I'm sure that most of us have given fake emails or hotmail accounts to vendors. It is also noticeable at industry conferences, where vendors play a form of laser tag with the prospects as the targets.</p>
<p>I'm not sure how to rebuild a level of trust between these two parties. I think events like <a class="external-link" href="http://www.securitybsides.org/">SecurityBsides</a>, which are sponsored by vendors, run by volunteers and lack vendor booths or excessive sales pushiness, are a good start. BSides is still clearly feeling its way. The volunteers are mostly from vendors and I don't really see a way around that. The sponsors seem to understand that it's a community engagement platform and not a lead-gen opportunity. (WiKID has sponsored the first BSides in Las Vegas and one in San Francisco during RSA, and we are co-organizing/sponsoring <a class="external-link" href="http://www.securitybsides.org/BSidesAtlanta">BSidesAtlanta</a>.)</p>
<p>We've got a long way to go, though. The attack mentality of many companies is stifling feedback and hurting product development. I believe this especially affects small companies, such as WiKID, which are taking on existing, entrenched competitors. Our best asset is our ability to convert feedback into product improvements quickly. Without feedback, we're potentially wasting our resources. That's why we love tough prospects that tell us what they need, and why we support BSides.</p>
<p><b>A tale of two headlines</b> (2009-03-23T19:35:00+00:00, admin) http://www.wikidsystems.com/blog/a-tale-of-two-headlines/</p>
<p>Today's InfoWorld Security newsletter contained two headlines:</p>
<pre>Smart Grid is found susceptible to cyberattack
<a class="moz-txt-link-freetext" href="http://ifwnewsletters.newsletters.infoworld.com/t/4627489/122020370/177482/0/">http://ifwnewsletters.newsletters.infoworld.com/t/4627489/122020370/177482/0/</a></pre>
<p>And:</p>
<pre>Expert: Hackers penetrating control systems
<a class="moz-txt-link-freetext" href="http://ifwnewsletters.newsletters.infoworld.com/t/4627489/122020370/177486/0/">http://ifwnewsletters.newsletters.infoworld.com/t/4627489/122020370/177486/0/</a></pre>
<p>The first points out that the latest Smart Grid technology needs more security work before it's ready for prime time. The latter points out that the current systems are also not ready for prime time. IOActive, the security researchers responsible for the (excellent, no doubt) research on Smart Grids, suggests holding off on any Smart Grid efforts until security can be 'baked in'.</p>
<p>The assumption underlying that is that we are better off, both economically and security-wise, under the current system. I have my doubts about that based on the second article. If anything, we should route more money from the existing grid into Smart Grids so they can be secured faster. Surely the benefits of the new Smart Grid plus the cost of securing it outweigh the cost of securing the old Grid.</p>
<p><b>How to compensate employees to align incentives with shareholders</b> (2009-03-17T14:28:00+00:00, admin) http://www.wikidsystems.com/blog/how-to-compensate-employees-to-align-incentives-with-shareholders/</p>
<p>There have been lots of discussions about bonuses recently: Merrill Lynch, AIG, on and on. So many, I won't bother linking. These bonuses are typical of what is known as an agency problem. The executives are agents for the shareholders, but their incentives are not aligned. You can imagine that the executives of a company that is about to be sold or taken over by the government are even more incented toward legally binding bonuses before any transaction which might result in their termination. I have a simple proposal to fix this (in the future):</p>
<p>The employee bonus pool is created from excess cash flow after an additional reserve is set aside based on the weighted average cost of capital of the firm, also known as the firm's economic profit or EVA (tm). By paying the shareholders first (this money could be dividends or plowed back into the firm), the shareholders are taken care of first. Employees must generate returns in excess of the cost of capital.</p>
<p>Second, the payouts from the bonus pool are smoothed over a number of years based on seniority or responsibility. So the CEO's bonus would be spread over a very long time frame, say 10 years for most of the bonus, and line managers' over 2-5 years. This helps mitigate agency issues. Employees must generate returns in excess of the cost of capital over a period of time.</p>
<p>Third, the bonuses are partially in the form of restricted stock, particularly for higher level managers, some of which would vest even after an executive leaves the firm or retires. This mechanism further reduces the agency problem. Executives must generate returns in excess of the cost of capital over a period of time and leave the company on sound footing.</p>
<p>For more information on economic profit, agency issues and compensation, I recommend the excellent <a class="external-link" href="http://www.amazon.com/gp/product/0887304184?ie=UTF8&tag=wikidblog-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0887304184">The Quest for Value</a>.</p>
<p><b>air-marshalls-arrested-for-drug-smuggling</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/air-marshalls-arrested-for-drug-smuggling/</p>
According to this <a href="http://www.time.com/time/nation/article/0,8599,1158902,00.html">Time article</a>, two Air Marshals were arrested in Houston for allegedly smuggling cocaine.<br/>
<blockquote>Government sources tell TIME that the two Air Marshals, are allegedly involved with the possession or transportation of cocaine, and may have been paid several thousand dollars to move the drugs. <br/>
<br/>
The marshals, one of whom is a former agent of the Drug Enforcement Administration, will likely appear in court to face criminal charges next week, and will almost certainly be suspended. </blockquote><br/>
<p><b>chertoff-shocker</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/chertoff-shocker/</p>
From the <a href="http://www.borowitzreport.com/archives.asp?page=3&search=">Borowitz Report</a>:<blockquote>CHERTOFF LOCKS HIMSELF OUT OF HOMELAND SECURITY HEADQUARTERS<br/>
Forgets Security Code, Secret Question<br/>
<br/>
Homeland Security chief Michael Chertoff suffered another embarrassment today when he accidentally locked himself out of the Homeland Security Department’s headquarters in Washington, D.C.<br/>
<br/>
After security guards entrusted with protecting the Homeland Security building complained that the building itself was not secure, Secretary Chertoff ordered that the headquarters be outfitted with a new security system, but then forgot the security code necessary to gain entry.<br/>
<br/>
“Unfortunately, Chertoff is the only one who knew the security code, and he forgot it,” one source said. “He also had a secret question which could be used to retrieve the security code, but he forgot that, too.”<br/>
<br/>
As of late this afternoon, Mr. Chertoff was still standing outside the building waiting to gain entry after a locksmith who was called turned out to be from Dubai and had to be sent away.<br/>
<br/>
Mr. Chertoff also declined Vice President Dick Cheney’s offer to shoot off the lock on the building for fear that Mr. Cheney might hit the Department of Agriculture building across the street.<br/>
<br/>
On Capitol Hill, news that the nation’s highest ranking homeland security official had locked himself out of his own building drew criticism from Sen. Joseph Biden (D-Del): “Michael Chertoff’s secret question should be, ‘How the hell did I get this job?’”<br/>
<br/>
For his part, Mr. Chertoff tried to put the best face on the situation, telling the reporters that the nation “might actually be safer” with him outside the Department of Homeland Security than inside.<br/>
<br/>
Elsewhere, President Bush scrapped plans to send Americans to Mars after NASA’s Mars probe failed to find signs of oil.</blockquote><br/>
I highly recommend this daily dose of text-only satire. <a href="http://www.borowitzreport.com/subscribe.asp">Subscribe here if you like</a>.<br/>
<p><b>If-you-steal-a-bunch-of-GPS-devices</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/if-you-steal-a-bunch-of-gps-devices/</p>
<p>Wait for it....</p>
<p>That's right, turn them off first. Unlike this <a href="http://news.yahoo.com/s/ap/20070119/ap_on_fe_st/stolen_gps">father-son pair</a>. </p>
<p>On the plus side, a family that steals together stays together. Well, unless the son is 13 and has to go to juvy.</p>
<p><b>blog-update</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/blog-update/</p>
<p>Sorry for the lack of postings. Trackbacks are now back on, though we continue to get a bunch of attempted postings. mod_security seems to be stopping most of the attempts, and we've added some code into the trackback skin that helps as well.</p>
<p>Update: Oh, well. Trackbacks are back off.</p>
<p><b>billboard-liberation-front</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/billboard-liberation-front/</p>
<p><a href="http://blog.makezine.com/archive/2008/03/billboard_liberation_fron_1.html?CMP=OTC-0D6B48984890">BLF does AT&T</a></p>
<p><b>good-business-and-good-security</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/good-business-and-good-security/</p>
<p>Larry J. Hughes, Jr. over at Riskbloggers
<a href="http://www.riskbloggers.com/ljh/2007/04/good-security-follows-the-grain-of-good-business/">asks</a>
<blockquote>
After all, which of the following combinations are realistic?
<ul>
<li>Bad Business, Bad Security</li>
<li>Bad Business, Good Security</li>
<li>Good Business, Bad Security</li>
<li>Good Business, Good Security</li>
</ul>
</blockquote></p>
<p><b>computers-to-hand-out-death-penalties</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/computers-to-hand-out-death-penalties/</p>
<p>Yet another sign that China will surpass the US in technological expertise: they will soon be using <a href="http://www.thisislondon.co.uk/news/article-23366761-details/Courts+use+computers+to+decide+who+should+face+death+sentence/article.do">computers to hand out death penalties</a>.</p>
<p>The software, which was designed by a Beijing hi-tech firm as a way of reining in corrupt judges, has already helped determine sentences in 1,500 cases over the past two years in a trial run in China's eastern Shandong province.</p>
<p>Now the programme is being extended to other provincial courts and may eventually be used in court rooms across the nation of 1.3 billion, where more criminals are put to death than anywhere else in the world. Software designer Qin Ye has been working on the programme since 2003 and, helped by Shandong legal officials, has loaded it with a huge database of Chinese law and case precedents.</p>
<p>On the plus side, the computer program is often less, shall we say, judgmental than judges, offering placations:
<blockquote>
"Look Deng, I can see you're really upset about this. I honestly think you ought to sit down calmly, take a stress pill, and think things over." </blockquote>
</p>
<p>I sure hope Ed Felten et al. have a peek at this before it is implemented here in the US. I understand that Texas is already taking a look at the code:
<pre>
10 print "Death"
20 Goto 10
</pre>
I don't spot any backdoors there, but I think there is potential for that, in particular for extremely tight housing markets like New York where apartments typically only become available after death.</p>
<p>Interestingly, computer hacking is punishable by death in China. Hat tip: <a href="http://www.tothepeople.com/2006/09/remember-when-worst-thing-computers.html">To The People</a>, my favorite celebrity gossip, NSFW, libertarian blog.</p>
<p><b>tax-credits-for-telecommuting</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/tax-credits-for-telecommuting/</p>
<p>The state of Georgia is offering tax credits for setting up telecommuting programs. Find out more at the <a href="http://www.cleanaircampaign.com/for_employers/tax_benefits/telework_tax_credit_folder/georgia_s_telework_tax_credit_act_now_or_miss_out/georgia_s_telework_tax_credit">Clean Air Campaign</a> website.</p>
<p>Cities and states should be very aggressive in encouraging telecommuting and coordinating with employers. It is (or would have been) invaluable during a crisis, such as right after Katrina, when gas shortages caused all sorts of problems. Instead, the state of Georgia closed schools - forcing many to telecommute without any planning.</p>
<p><b>ed-felton-on-the-09ers</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/ed-felton-on-the-09ers/</p>
<a href="http://www.freedom-to-tinker.com/?p=1154">Ed Felten's poignant discussion on why the 09ers are so upset.</a>
<p><b>airport-security-first-amendment-rights-and-idiots</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/airport-security-first-amendment-rights-and-idiots/</p>
<p>Read the post at Wonkette about the guy who wrote <a href="http://www.wonkette.com/politics/tsa/but-is-kip-hawley-an-idiot-203492.php">"Kip Hawley is an idiot"</a> on the plastic bag holding his hair gel and toothpaste. Short version: he gets hassled.</p>
<p>Two things: (1) This form of abuse starts with people who use 'product' but can quickly spread. (2) If you create a link to this story or the originals, please use "kip hawley is an idiot" as the href to see if it shows up in search results.</p>
<p><b>creative-triangulation-for-mobile-payment-systems</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/creative-triangulation-for-mobile-payment-systems/</p>
<img src="http://beta.thinkinc.com/blog/mbo.jpg"/>Now, this is interesting. <a href="http://thinkd2c.blogspot.com/2006/01/cell-phone-movie-tickets.html">A mobile payment system that supports an existing paper-based system</a>. (More from Daniel today, he's on fire ;).) Most ticketing systems now support UPC code reading for tickets purchased and printed at home. Now you can buy your tickets on your cell phone and have the UPC scanned from your phone.<br/>
<br/>
Payment systems, just like good authentication systems, are triangular. Even cash has a dotted-line triangle back to the faith and trust in the government that backs it. This system is potentially more secure than <a href="https://www.wikidsystems.com/94">contactless payment systems</a> because you can use strong public key encryption and two-factor authentication on the cell phone. With <a href="http://www.wikidsystems.com">WiKID</a> you could also present a one-time passcode for use in web-based payments.
<p><b>culture-of-fear</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/culture-of-fear/</p>
<p>When you're afraid all the time, inter-company promotional faxes that include a picture of a match being lit, combined with the coincidental delivery of a package, are <a href="http://news.yahoo.com/s/ap/20070531/ap_on_fe_st/odd_false_bomb_threat_5;_ylt=Ao5wFryp4UDqqW4vIgm3ViYE1vAI">enough to create a bomb scare</a>. Hopefully, this is limited to Massachusetts, but I have my doubts.</p>
<p><b>burn-your-money</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/burn-your-money/</p>
<p>Seriously. And I'm not just mindlessly following the advice of <a href="http://www.amazon.com/Root-Mojo-Nixon-Skid-Roper/dp/B000000QG7">Mojo Nixon</a>. I'm saying it based on the facts:
<ul>
<li><a href="http://news.yahoo.com/s/afp/20070111/pl_afp/uscanadamilitary_070111194440">Pentagon report warns Canadian coins bugged</a></li>
<li>And <b>nobody</b> would buy such a <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20070110.wspycoin0110/BNStory/National/home"> half-hearted, anonymous denial</a>: “We have no evidence to indicate anything connected with these coins poses a risk or danger.” Yeah, to us tracking you.</li>
<li><a href="http://www.physorg.com/news87664001.html"> An ongoing research project into the detection of illicit drug use has shown that of a sample of bank notes in current circulation in the greater Dublin area - €5, €10, €20 and €50 denominations - 100% of them showed contamination with cocaine.</a> Though perhaps on this one they should double check the researchers hands. And noses.</li>
</ul>
</p>
<p>It is possibly a communist plot, but better safe than sorry.</p>
<p><b>spy-coins-from-canada-collect-all-6</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/spy-coins-from-canada-collect-all-6/</p>
<p>From <a href="http://news.yahoo.com/s/ap/20070111/ap_on_hi_te/spy_coins">Yahoo</a>:
<blockquote>
In a U.S. government warning high on the creepiness scale, the Defense Department cautioned its American contractors over what it described as a new espionage threat: Canadian coins with tiny radio frequency transmitters hidden inside.
</blockquote>
It is very strange. The article points out what a poor mechanism it is for tracking: short distance only, likely to be used to buy something, etc. I would think they must have been looking for a very limited amount of information: the location of a safe house, for example. While the distance is limited, you could compensate for that with an 'RFID rifle'.</p>
<p><b>congratulations-to-local-boys-spi-dynamics</b> (2009-01-21T20:46:00+00:00, admin) http://www.wikidsystems.com/blog/congratulations-to-local-boys-spi-dynamics/</p>
<p>Congratulations to local boys SPI Dynamics on their <a href="https://www.infoworld.com/article/07/06/19/HP-buys-SPI_1.html">acquisition by HP</a>, and to me, since I was an early angel investor in SPI - so long ago I cannot remember what year it was. Their application to the <a href="http://www.atdc.org">ATDC</a> had just been rejected as they were viewed as 'unreceptive to coaching', IIRC. I was an entrepreneur-in-residence at ATDC at the time, so it must have been late 2000. For what it's worth, they were indeed unreceptive to coaching, except from Brian Cohen, who has done a great job as CEO.</p>