Welcome to Windows Communication Foundation (WCF)

WCF Community Bloggers

Browse by Tags

All Tags » CardSpace » Security

  • CardSpace: How Personal Cards Protect Users

    I have been working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on.

    Consider the following malicious PayPal email: You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this.

    For those unsuspecting users the story might play like this: They go to the destination site, which might look just like the PayPal site. They try to log in, it fails repeatedly. In the meantime, they enter every combination of username and password they use in various sites...perhaps including their online banking site. The malicious site collects these combinations of username and password. The user gives up logging in. The malicious site now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites. If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc on the user's bank account.

    It is that easy to lift a username and password combination. So, how do information cards issued by CardSpace (or, any other identity selector) help? Let's assume that the user has associated a personal card with their PayPal account...if PayPal supported information cards.

    The same scenario might go like this: The user gets the evil email. They click the link and head to the malicious site that looks just like PayPal. If the site doesn't support information cards, the user will be suspicious because they always log in with a card. If the site shows support for information cards, the user may fall for it and click on the "log in with personal card" link which takes them to CardSpace. CardSpace will ask you to confirm the site by reviewing its privacy statement and site identity. This should trigger an indication to the user that this is not the site they think it is, since they would normally only get this the first time they hit the site. If they have logged in to PayPal before with a card, they wouldn't see this screen: Assuming this isn't enough Read More...
  • .NET 3.5 Roadshow Sample Code

    As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5 including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5.

    For those of you attending (or, not) here are links to the code samples I'm presenting: VS 2005 samples WCF Security Fundamentals - these samples come from the \Security directory from my book code Federated and Claims-Based Security in WCF - these samples come from the \Security\ClaimsBased directory from my book code CardSpace Samples Download VS 2008 Samples This download includes all samples referenced above, in addition to .NET 3.5 samples for C# 3.0 and LINQ, and IDesign's declarative security model including a recent version of our ServiceModelEx library.

    Other relevant resources discussed: My WCF webcast series, CardSpace controls for ASP.NET, IDesign articles

    Any questions? Email me. -Michele

    Technorati Tags: CardSpace, WCF, LINQ, C# 3.0 Read More...
