Welcome to Microsoft .NET Framework 3.0 Community (NetFx3)

The .NET Framework is Microsoft's managed code programming model for building applications that have visually stunning user experiences, seamless and secure communication, and the ability to model a range of business processes.


CardSpace Community Bloggers


  • Information Cards: Unused (Security) Information

    It seems that I have to make up for not posting while my new house was built... Here is another post for today in the series (1, 2, 3) of posts around things you always wanted to know about Information Cards but never had the heart to ask. Did you know that CardSpace does not use the Identity information in an identity enabled EndpointReference? Shocking. Here is what I heard... When you import a managed card from a .crd file there is something inside the file that is called the TokenServiceList ...
  • Canards Die Hard

    A while ago two students, Xuan Chen and Christoph Löhr, from Ruhr University Bochum claimed to have "broken" CardSpace. There were some blog reactions to this claim. The authoritative one of course is from Kim. Today I browsed through a magazine lying on the desk of a colleague of mine. This magazine with the promising title "IT-Security" repeats the false claim and reports that the students proved that CardSpace has severe security flaws... Well, when you switch off all security mechanism ...
  • Stealing the Security Token

    The Ruhr Uni Bochum claims that they can steal the security token in a CardSpace scenario.... The experts from the German computer magazine c't could not verify the attack... After reading the paper that describes the attack I must say that I find it very unrealistic. The attack is described for managed cards. The browser is tricked to load malicious code and then the real RP's code is loaded and presented to the user. The malicious code then loads the root certificate for the malicious RP's SSL ...
  • CardSpace getting FAT

    The CardSpace team blogged about a new "feature" of .NET 3.5. You can now work with CardSpace on a Windows system that has its system drive formatted with the FAT filesystem... They write: We’ve received a surprising amount of feedback (some of the earliest from Pamela Dingle) that customers are still using FAT file systems and this is causing problems. I am surprised too. What will be next? CardSpace running on Windows 95? Help! Sure, the cardstore is still encrypted twice... but still... I believe ...
  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email: You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this. For those unsuspecting users the story might play like this: They go to the destination site, which might look just like the PayPal site. They try to log in, it fails repeatedly. In the meantime, they enter every combination of username and password they use in various sites...perhaps including their online banking site. The malicious site collects these combinations of username and password. The user gives up logging in. The malicious site now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites. If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc on the user's bank account. It is that easy to lift a username and password combination. So, ...
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending (or, not) here are links to the code samples I'm presenting: VS 2005 samples WCF Security Fundamentals - these samples come from the \Security directory from my book code Federated and Claims-Based Security in WCF - these samples come from the \Security\ClaimsBased directory from my book code CardSpace Samples Download VS 2008 Samples (UPDATED 10/11/07) This download includes all samples referenced above, in addition to .NET 3.5 samples for C# 3.0 and LINQ, and IDesign's declarative security model including a recent version of our ServiceModelEx library. Other relevant resources discussed: My WCF webcast series CardSpace controls for ASP.NET IDesign articles Any questions? Email me. -Michele

Copyright © 2007 Microsoft Corporation. All Rights Reserved.