Get Safe Online Week


This week is Get Safe Online week; a campaign founded by the Government, HSBC, SOCA and Microsoft.

The campaign site, http://www.getsafeonline.org/ is aimed at the "mum" user, people who don't know about the ins and outs of security; the people who are at risk the most.

This year they're focusing on identity fraud; apparently research and survey information will be available. As the week progresses more information will appear on the site, written in non-technical language and presented in a way that everyday Internet users can understand.

So if you don't want to try to explain phishing to your mum then why not let someone else do it and forward the campaign site to your non-technical friends and family; if it educates and reduces their risk then that is a good thing (and may reduce the instances of family technical support *grin*)


author: Barry Dorrans | posted @ Monday, November 17, 2008 9:56 AM | Feedback (0)

An illustration of social engineering


Last night my twitter feed started filling up with messages about Twitterank; in fact there are so many messages that it's currently in the top 10 trends for the day on tweetscans.com.

[Image: twitterank-trends]

Looking at the people in my feed who used it; a few MVPs, a bunch of Microsoft staffers and a couple of other technical folks, it looked interesting. Except, well, I'm paranoid.

Twitterank is much like Google PageRank for your Twitter account. Cool, just what we need, more ways to feel inadequate on the internet. The interesting part of it is that it needs your username and password - and people are handing it over. The site states it won't store it, and I have no reason to believe it does, but there is no way to know. People are happily entering their authentication information for the promise of a magic number generator.

There's already another site, twitterawesomeness.com which illustrates the futility of trying to educate people; where the disclaimer is at least honest; "I'm in ur Twitterz, stealin ur credz!"

It nicely illustrates how simple it is to gather this information; throw up a simple web site and sit back and watch. It's both amusing and worrying that people who should know better, including a couple of the geek Scotts participated.

Now yes, twitter authentication isn't that important; however do you have a clean username and password for the site? A username and password combination you don't use elsewhere? Consider that twitter is rapidly becoming part of the social networking scene and people try to keep a consistent brand on their social graph, matching usernames across multiple sites so people can find them...

I should stress, again, that twitterank may not be doing anything bad at all - but we just don't know. It would be all too easy to act as a legitimate site, offer a service and not throw away the authentication details but lie low for months, then start to abuse the accounts you have. It might even be worth some money, depending on whose accounts you get; twitter spamming is becoming more widespread. Twitter users are relying on the kindness of a stranger right now...

There's a blog up, purporting to be from the author (how do we know - it's an anonymous wordpress.com blog? is there a limit to my paranoia?). It includes the following;

Are you a phishing site? Are you going to steal my account? etc..etc..

No, I am not a phisher. I don’t even store your password. Your password gets used once to calculate your Twitterank, and is never stored on disk or any other permanent storage device. Having said that, people do need to be more careful about giving away their account information. I’m not evil, but the next guy might be.

They acknowledge there's no way for them to prove they aren't storing it either; that's a whole other problem. Heck, the source for the twitterank page underscores the problem in a rather amusing html comment;

<!-- I am about to ask you for your Twitter user ID and password. You should be afraid. This is where you ask yourself, "Do I really want to find out my twitterank badly enough to give some random dude on teh interweb my account info?" And if that's not what you're asking yourself, shame on you. //-->

(I am signed up to a twitter service that tweets my RSS updates and stores my username and password to do so, so I may well be a hypocrite!)

author: Barry Dorrans | posted @ Thursday, November 13, 2008 7:07 AM | Feedback (0)

Hoots mon, DDD Scotland isnae deed


Well jiggle ma sporran 'n warm up the sheepsies Morag; DDD Scotland returns on the 2nd May 2009. We'll all be gaing to Gaslgie then; but didnae Connor say "There can be only one?" Aye, n its free as weel. Ay can keep me wedge fer me buckie.

(Of course now I shouldn't submit a topic or two because I am going to get eggs thrown at me. Except eggs are expensive, so maybe not .... errr, how do I turn comments off on a blog post? Oh no ...)

author: Barry Dorrans | posted @ Wednesday, November 12, 2008 9:53 AM | Feedback (5)

Self certified identities and high risk transactions


Warning: opinion follows :)

A while back I blogged on the difference between self issued and managed information cards; which led to an interesting comment from Aditya;

I was wondering if you could further explain why a self-issued information card is not suitable for higher-risk transactions such as logging into a bank account. From what I gather, the advantage of a managed card would be that it could assert certain claims about a person (like the hair length example you mentioned). However, I'm not sure why managed cards are more secure just for logging in.

It's not that managed cards are more "secure" than self issued cards; the protocols used under the hood are the same. What a managed card gives you over a self issued card is the ability to revoke it and the ability to add further authentication requirements.

I'm sure most of us, at some point, as a child were a member of a club that you set up with friends. You may well have issued membership cards, much like Calvin and Hobbes had for Get Rid of Slimy girlS. This is equivalent to a self issued card. OpenID doesn't improve this very much - an OpenID provider may check the email you registered with belongs to you, but there is no way for a relying party to know if this process has taken place. With managed cards issued by a third party we have the same problem: the identity provider is claiming information about the card holder but we do not know if this is true, unless we know the inner workings of the identity provider. We should also consider revocation; there is no way to revoke a self issued card. OpenID providers may provide a way to kill an OpenID

However if we become an identity provider ourselves then we have a greater chance to verify any information we send beyond a PPID. Of course with the Geneva framework that becomes plug and play for people with an Active Directory backing their user metaverse; or, like SharpSTS a bit of coding if you use something else.

So consider a banking scenario; when you open a bank account in the UK you have to prove your identity by providing a passport, driver's license or other governmental photo identity. A bank is not going to accept a photo ID backed by Get Rid Of Slimy girlS. Equally a bank is not going to accept an identity card from a company it doesn't have any dealings with. So why should a bank accept a self issued card or an OpenID to allow access to your accounts?

Now arguably self issued cards and OpenIDs could be bound to an account if the bank could trust a user to look after their information; but as we're all aware everyday users are not good at this.

The advantage to a managed card is not that the transactions are more secure, but that a bank could issue its own information card (or its own OpenID - but that goes against the whole point of OpenIDs really, OpenID wants to be the sole username and password you use for everything) and know that the card is valid at every stage; furthermore a bank can revoke a card on instruction from the account holder. Remember that managed cards don't have to prompt for usernames and passwords (although a nice extension to that would be the ability to change the password prompt each time it's used - "Give me letters 3, 5 and 7 from your password" for example), so the flow for a user could simply be selecting the bank's information card; even if we issued a managed card which looks for a self issued card as the authentication process we can still revoke the managed card.
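To make the trust and revocation argument above concrete, here is a toy relying party and issuer. This is an added illustration, not code from the original post and not the Geneva framework or SharpSTS; the issuer name "bank-sts", the card ids and the claims are made up for the example, and an HMAC over a JSON body stands in for the X.509-signed SAML token a real information card carries. The relying party holds the issuer's key directly here, which plays the part of the out-of-band key exchange a bank would have with its own STS.

```python
"""Toy model of why a bank can trust a managed card but not a self-issued one.

Added illustration for the post above (not the post's own code, and not Geneva or
SharpSTS). It models three things the post describes: a relying party only accepts
cards from an issuer it already has a relationship with; the issuer can revoke a card
at the account holder's request; a self-issued card is signed with a key the holder
invented, so the bank has no basis to trust its claims and nobody but the holder can
revoke it. HMAC-SHA256 over a JSON body stands in for the real SAML/X.509 signature.
"""
import hashlib
import hmac
import json
import secrets


class Issuer:
    """An identity provider (STS) that issues cards and keeps a revocation list."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.key = secrets.token_bytes(32)   # stands in for the issuer's signing key
        self.revoked: set[str] = set()

    def issue(self, card_id: str, claims: dict) -> dict:
        body = json.dumps(
            {"issuer": self.name, "card_id": card_id, "claims": claims}, sort_keys=True
        )
        sig = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return {"body": body, "sig": sig}

    def revoke(self, card_id: str) -> None:
        self.revoked.add(card_id)


class SelfIssuedCard(Issuer):
    """A card the user made for themselves. Same token format, but the 'issuer' is the
    holder, so no relying party has its key on file and revocation means nothing."""

    def __init__(self, holder: str) -> None:
        super().__init__(f"self-issued:{holder}")


class RelyingParty:
    """The bank. It trusts only issuers it has exchanged keys with out of band."""

    def __init__(self, trusted: list[Issuer]) -> None:
        self.trusted = {i.name: i for i in trusted}

    def verify(self, token: dict) -> tuple[bool, str]:
        body = json.loads(token["body"])
        issuer = self.trusted.get(body["issuer"])
        if issuer is None:
            return False, "untrusted issuer"       # self-issued or unknown third party
        expected = hmac.new(issuer.key, token["body"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return False, "bad signature"          # claims were altered after issue
        if body["card_id"] in issuer.revoked:      # models asking the issuer at each use
            return False, "revoked"
        return True, "accepted: " + json.dumps(body["claims"], sort_keys=True)


def demo() -> dict:
    """Run the four scenarios from the post; values below are constructed."""
    bank_sts = Issuer("bank-sts")
    bank = RelyingParty(trusted=[bank_sts])
    results = {}

    # 1. A self-issued (club membership) card: well-formed, but the bank has no
    #    relationship with whoever signed it.
    club = SelfIssuedCard("calvin")
    results["self_issued"] = bank.verify(club.issue("grosS-001", {"member": True}))

    # 2. A card the bank's own STS issued is accepted.
    card = bank_sts.issue("acct-42", {"account": "42"})
    results["managed"] = bank.verify(card)

    # 3. Changing the claims after issue breaks the signature.
    forged = dict(card, body=card["body"].replace('"42"', '"43"'))
    results["tampered"] = bank.verify(forged)

    # 4. The account holder reports the card lost; the issuer revokes it.
    bank_sts.revoke("acct-42")
    results["revoked"] = bank.verify(card)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:12s} -> {outcome}")
```

The point the code makes is the one in the paragraph: nothing about the self-issued token is cryptographically weaker, it simply has no issuer the bank can hold to account or ask about revocation, whereas the bank-issued card can be killed by its issuer and every use is checked against that decision.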

If you're at TechEd go ask Vittorio for his thoughts on this; tell him I sent you *grin*


author: Barry Dorrans | posted @ Sunday, November 09, 2008 3:22 PM | Feedback (2)

Need your UK government ID card? Apply at WH Smiths


Pretty much everyone who knows me knows I want stronger authentication on the internet, but I'm set against physical identity cards, and centralised government databases. I've even opted out of the UK's National Health Service central database (partly because I don't trust the NHS to protect the data and keep it private and partly because the data flows through a private company). My concerns on UK identity cards are numerous; but no2id expresses them far better than I can. If by some miracle Labour make it through the next election in power I will be swapping my UK passport for an Irish one and avoiding the whole mess for as long as I can.

The government have been sneaking the cards in by the back door, first for foreign nationals and now for airline workers. One of the problems with rolling it out to the general populace is gathering the biometric data in the first place (and of course how you can revoke that data when you can't revoke your own fingerprints).

However that's solved now! Supermarkets will do it. The BBC reported today that the Identity and Passport Service were talking to "range of high street retailers and other organisations". Should we be worried? No, because the security of data would remain the "utmost priority".

Really? When the government can't stop losing data, and when private companies engaged to look after sensitive information and programs end up storing password databases and source code on USB keys that are then left in a pub are we supposed to trust the 17 year old at WH Smiths to do a good job as well?

(As an aside I did have a laugh at the Origin Atos loss at the weekend. The quotes from the rent-a-hacker the Mail on Sunday used were hilarious. "Expert" Jacques Erasmus said "I could decrypt those passwords to log in to the system and roam around the network." Really? I'm rather sure that the passwords were hashed and salted. If Mr Erasmus has a way to break salted hashes easily then he's wasted selling quotes to newspapers, as I'm sure numerous security services would pay through the nose for that algorithm. He's right in saying "it would just be a matter of time"; assuming the password is in a rainbow table and isn't salted. I've banged on about salting before; Jeff has a pretty picture of magical horsies and a good discussion of rainbow tables for your reading delight.)
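The aside above hinges on one fact: a precomputed table recovers an unsalted hash instantly but is useless against a per-user salt. The following added example (not code from the post or from the articles it links) shows that with standard-library calls only. A real rainbow table is a compressed chain structure; the plain hash-to-password dictionary built here from a constructed six-word list plays the same role, one precomputation reused against every stolen hash. The wordlist and the "stolen" records are constructed for the example, and PBKDF2 is used as the salted form because it also makes each guess deliberately slow.

```python
"""Why a precomputed table recovers unsalted password hashes but not salted ones.

Added illustration for the aside above; not code from the post. The wordlist, the
stolen hashes and the salted record are all constructed here.
"""
import hashlib
import hmac
import secrets

WORDLIST = ["password", "letmein", "qwerty", "123456", "monkey", "dragon"]  # constructed


def unsalted_hash(password: str) -> str:
    # What the quoted "expert" assumes: one hash per password, identical for every user.
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    # Computed once, then reused against every unsalted database ever stolen.
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash: str, table: dict):
    # A single dictionary hit recovers the password: "just a matter of time" indeed.
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    # Per-user random salt folded into a slow KDF (PBKDF2-HMAC-SHA256).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_salted(password: str) -> dict:
    # What a sensible password database row looks like: salt and hash, never the password.
    salt = secrets.token_bytes(16)
    return {"salt": salt.hex(), "hash": salted_hash(password, salt)}


def verify_salted(password: str, record: dict) -> bool:
    # Legitimate login: recompute with the stored salt, compare in constant time.
    candidate = salted_hash(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])


def lookup_salted(record: dict, table: dict):
    # The precomputed table never saw this salt, so no entry can match.
    return table.get(record["hash"])


def demo() -> dict:
    """Constructed scenario: the same weak password stored both ways."""
    table = build_lookup_table(WORDLIST)
    stolen_unsalted = unsalted_hash("letmein")
    stolen_salted = store_salted("letmein")
    return {
        "unsalted_recovered": lookup_unsalted(stolen_unsalted, table),
        "salted_recovered": lookup_salted(stolen_salted, table),
        "salted_still_verifies": verify_salted("letmein", stolen_salted),
        "wrong_password_rejected": verify_salted("password", stolen_salted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} -> {value!r}")
```

Salting only removes the precomputation shortcut; a weak password still falls to per-user guessing, which is why the slow KDF matters as much as the salt. That caveat is the limit of what "it would just be a matter of time" can honestly mean for a salted store.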


author: Barry Dorrans | posted @ Thursday, November 06, 2008 11:26 AM | Feedback (0)

VBug2008 - WCF101


Yesterday I presented to a bunch of hungover VBug members; giving a gentle introduction to Windows Communication Foundation (if only all WCF applications were that easy). Thank you to all who attended and especially those who asked questions.

Someone did ask about client and server communication; I'd point you (and I'm afraid I didn't catch your name - apologies) to my blog post on WCF callbacks.

I've uploaded the slide deck and the (very simple) demonstration projects.


author: Barry Dorrans | posted @ Thursday, November 06, 2008 10:55 AM | Feedback (0)

Microsoft and OpenID. *yawn*


So yesterday Dare announced that Microsoft, via Live ID were becoming an OpenID provider.

Big whoop.

So why am I so ambivalent? Being an OpenID provider is meaningless for Microsoft unless they start to accept OpenIDs for their services. At the moment, be it on Microsoft.com, the Microsoft forums, Channel9 or MSDN subscriptions, any Microsoft web site that needs personalisation demands a Live ID. Exposing a Live ID via OpenID simply allows existing "subscribers" to spread the Live ID tentacles into other sites; it does nothing to open up Live's web sites to interoperability with other identity providers; and that is, to my mind, far more important than giving another avenue for Live IDs to be spread. Yet another provider is unimportant; driving consumer uptake is. You can argue that suddenly giving however many hotmail users there are an OpenID will drive that; but I find that specious; if they updated the LiveID SDK to also be an OpenID SDK, giving ASP.NET developers an "official" OpenID consumer, then that might drive uptake.

Maybe it's a hangover from the Hailstorm days but Live has never seemed to play nice with others. Even with a far stronger and better authentication method in the shape of Information Cards, Live has happily ignored this (aside from a crappy beta attempt to support them which never worked with login pages other than Hotmail's).

Even now, with the well known problems with phishing for OpenID providers, LiveID still has a plain old HTML form to log in (not that I can; I keep being told my password is incorrect when it's not). When other OpenID providers are allowing users to bind Information Cards to their accounts to authenticate and to protect their users from phishing attacks, Live is still ignoring something that is only a few buildings away.

I'll cheer when I can use my existing, Information Card protected, OpenID on a mainstream Microsoft website and when Live offer managed information cards to support interoperable logins on other sites. Not before.

(Credit where credit is due however; it's nice to see site specific OpenIDs supported, part of the OpenID 2.0 specification)

author: Barry Dorrans | posted @ Tuesday, October 28, 2008 9:13 AM | Feedback (0)

Windows Azure? The cloud OS?


At 11:30 GMT a new blog popped up on MSDN; the "Cloud Computing" blog. Admittedly there's not much there, a bunch of dead links; but everything is being described as Windows "Azure". So does this mean it's not Windows Strata? Or that Azure is the SDK?

Either way the name is interesting; if only because choosing a shade of blue (screen) is rather daring *grin*

16:30: Woohoo, I scooped everyone. However ... why on earth did Microsoft choose a product name that Americans cannot pronounce? It's az-ure, not azer.

author: Barry Dorrans | posted @ Monday, October 27, 2008 11:43 AM | Feedback (1)

DDD#7 Registration Open


The agenda is set, the waiting is over, registration is open. If it's anything like last time you have about 12 hours to register before all the spaces are gone ...

Update: Four hours later the spaces are gone. Sorry if you missed them.


author: Barry Dorrans | posted @ Wednesday, October 22, 2008 10:32 AM | Feedback (3)

Upgrading hard drives; or why WHS just isn't enough sometimes.


So last week, because of a 50Gb Virtual Machine containing an entire development environment my hard drive icon turned bright red in Explorer as I only had 1Gb of free space left (showing my age here but even that is huge to me, remember I started with a machine with a 8" floppy drive which you could format to a grand total of 80k).

Whilst I'm backing up my laptop with Windows Home Server (not that I can open the backups right now, my machine blue screens every time I try) WHS does not back up non-NTFS partitions; which is a problem as my laptop shipped with two of those, one for the Dell Diagnostics and one for the Dell Media Direct software. Whilst I could have used WHS to restore my main drive (apparently that will work even with blue screens, but really who knows; the crash does not fill me with confidence) I like having a diagnostic partition.

Having had great success with Acronis True Image before, but lacking a Vista version I dropped them an email to see if what I wanted to do was possible; mirror the drive, but expand the NTFS partition in the middle. The response I got was astounding, an email from Alexy Popov landed in my inbox about 4 hours later listing two methods for doing this with step by step instructions and caveats for each. The email even pointed out that True Image Home was perfectly able to cope with what I wanted to do and there was no need to get any of the more expensive versions.

So one install later I clicked a few buttons and attempted to clone the drive. The "inside Windows" instructions didn't work for me; for some reason it stopped after cloning the diagnostic partition; but after building a recovery disk, booting it so we were outside of Windows completely and following the step by step instructions provided I was able to clone the drive, expand the partition manually (this was a little fiddly, True Image resizes the partitions proportionally, but I wanted to keep the two non-NTFS partitions the same size, this took a bit of effort on my part). Two hours later and I have 200Gb free. Wonderful. Vista booted up and the only problem was hibernate was no longer available; but this is to be expected with a new drive; all I had to do was open up an elevated command window and issue powercfg -h on and it was back.

Acronis do engage with the MVP community; with the email they gave me a free license for the latest version; but having previously purchased True Image and having it save my butt before I would have no hesitation in recommending them again and again.


author: Barry Dorrans | posted @ Monday, October 13, 2008 9:33 AM | Feedback (0)