Wednesday, July 28, 2010

Catalyst discussion blocked by the Twitter API

Here at Burton Catalyst, many people are using Twitter clients on the conference WiFi connection. Like me, many people are searching on the #CAT10 hashtag to see the latest conversation. However, Twitter is rate-limiting connections to its search service based not on identity but on client IP address.

It is so ironic that here we are at a conference largely about identity and managing Cloud-based services, and the discussion is being curtailed by very primitive API management which ignores identity in favor of crude rate-limiting based on IP address: every attendee behind the conference NAT shares one address, and therefore one quota.



You can see the difference between the two approaches in the Vordel configuration below. In the first screen you see part of a policy which limits based on IP address (what Twitter is doing here).



This makes for a very brute-force rate-limiting policy. But if you change the "key value" configuration item so that access is instead controlled by client identity (which Vordel exposes as the "authenticated.subject.id" variable), then you get much more sophisticated throttling based on identity, even when multiple clients are coming from the same IP address.
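To make the difference concrete, here is an added example (my own code, not Vordel's policy engine or Twitter's) of a sliding-window rate limiter whose only configurable part is the "key" it counts against. The sample traffic is constructed: three attendees behind one NAT address, each authenticated as a different subject; the request field names, the limit of 5 per 60 seconds and the IP address are assumptions for the demo.

```python
import time
from collections import deque


class RateLimiter:
    """Sliding-window limiter keyed by whatever key_fn extracts from a request."""

    def __init__(self, key_fn, limit, window_s):
        self.key_fn = key_fn
        self.limit = limit
        self.window_s = window_s
        self.hits = {}  # key -> deque of request timestamps inside the window

    def allow(self, request, now=None):
        """Return True if the request fits within its key's quota, else False."""
        now = time.monotonic() if now is None else now
        key = self.key_fn(request)
        window = self.hits.setdefault(key, deque())
        while window and now - window[0] >= self.window_s:
            window.popleft()  # drop hits that have aged out of the window
        if len(window) >= self.limit:
            return False
        window.append(now)
        return True


# Constructed sample traffic: twelve requests, one per second, all arriving from
# the same NAT address but from three different authenticated subjects.
SAMPLE_REQUESTS = [
    {"client_ip": "203.0.113.10", "authenticated.subject.id": f"attendee{i % 3}"}
    for i in range(12)
]


def by_ip(request):
    """Key value Twitter is effectively using: the client IP address."""
    return request["client_ip"]


def by_identity(request):
    """Key value from the authenticated subject (Vordel's authenticated.subject.id)."""
    return request["authenticated.subject.id"]


def count_allowed(key_fn, limit=5, window_s=60):
    """Replay the sample traffic and count how many requests the limiter admits."""
    limiter = RateLimiter(key_fn, limit, window_s)
    return sum(limiter.allow(r, now=float(i)) for i, r in enumerate(SAMPLE_REQUESTS))


if __name__ == "__main__":
    print("keyed by IP:      ", count_allowed(by_ip))        # 5: one shared quota
    print("keyed by identity:", count_allowed(by_identity))  # 12: a quota each
```

Keyed by IP, the first attendee to hit the limit locks out everyone on the conference network; keyed by identity, each subject is throttled only by their own usage.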

Thursday, July 22, 2010

Thursday, July 8, 2010

Lotus knows how to ask you to bypass security (or does it?)

Steve Riley recently pointed out some horrendous disregard for customer security in a post about Priceline. Here's an example I saw today in the Lotus Sametime product. I use many collaboration tools but it's been a while since I used Sametime, so it asked me to run through an installation. As you can see in the screenshot below, it says "Answer YES if you receive any security warnings or Sametime will not function properly".

Highly dubious as this advice is, it actually fails in practice: the Java Runtime identifies a problem with the signature of the Sametime application, and after clicking "Yes" on the security dialog below, the Sametime meeting room client is blocked from running:



Lotus Sametime is not the only product which actively asks you to ignore security concerns. But it's the only one I've seen where the advice to bypass security actually causes the product not to install. To paraphrase Wolfgang Pauli, the advice is "So insecure it's not even wrong".