Are Hardware Based Secure Web Services a lost quest? No. Well…


As co-chair of the W3C community group aiming to offer web developers the possibility to access services provided by hardware tokens, I regularly receive questions about where this work is going…

Well. Executive summary. The good reasons for allowing a web app to access secure services stored in a hardware token, and the possible ways to implement that in browsers, are ready. But this is still not on the W3C planet. It takes the form of a report, edited by Sébastien Bahloul, a Morpho guy, and discussed with W3C Community Group members.

In detail. The good reasons for allowing web developers to access keys stored in a hardware token, or to trigger a signature which cannot be repudiated, are detailed in the report. There are some specific industry examples, such as government e-services, e-banking services, or commercial transactions which require legal binding, such as online signature. The potential users of this feature are legion. Basically, the European regulation named eIDAS “regulates electronic signatures, electronic transactions, involved bodies and their embedding processes to provide a safe way for users to conduct business online like electronic funds transfer or transactions with public services”. To deploy such services on the web, the web developer needs some means to access the hardware token (or the web will miss that digital European trust promise). Other countries such as Bolivia, Uruguay, Argentina and Peru are also requiring similar technology.

The technical aspects. The technical proposal embedded in this report is made of two technical features. First, a way to implement the W3C Web Crypto API in a hardware token: this allows the generation and usage of a cryptographic key inside a token belonging to the user. Second, a way to digitally sign a transaction with a key, again stored in a hardware token, performing the signature confirmation via an interface the user can trust. Those two services are some of the building blocks of a trusted web, where the user is in control of the credentials used to cipher or sign data.

So what is wrong? Well. This set of usages and technical features was presented to a large group of W3C members during the last W3C TPAC. And nothing amazing happened. The browser makers were kindly requested to have a look at it. But they demonstrated low interest, while this topic has been discussed since September 2014. There might be a cultural problem here behind the slow progress of this topic in W3C. Online access to European government services is not a priority for the major browser makers. In addition, most of the actors in security have managed some hacks, like plugins, to be able to use smart cards or hardware tokens. But this era is over, as plugin maintenance and attacks are getting more sensitive.

And what is next? Next is about gathering the companies and countries interested in that feature, and starting to demonstrate to W3C that there is an important question here: do we want the web to get into secure services, as requested by online signature and government services? So if you are among the actors believing this web feature is key, join the Hardware Based Secure Services CG, so that we can collectively work on creating a Working Group in W3C…

What’s happening with the W3C Web Crypto API?

Well. The specification is finished !

[Here, a cheer for Ryan Sleevi, Mark Watson and Harry Halpin, who actually led the editorial work during these 4 years.]

Where is it? You can read the most recent version here. It is this version that will be submitted to the W3C Director (Tim Berners-Lee), in order to make it a real W3C Recommendation. Fingers crossed.

Is it real? Yes. During the lifetime of the spec we had major browser makers contributing and monitoring, namely Google, Microsoft and Mozilla. Thus it is implemented. See http://caniuse.com/#feat=cryptography

Where is the interoperability proof ? The test coverage can be found here.

So. What is the future? Consider that things are moving on, and the group will soon enter its maintenance mode. The next action, once the specification is a Recommendation, will be to listen to the market and add any new algorithm that becomes widely used.

Thanks! That was a long and passionate work in W3C. Thanks to all members and individuals who contributed…

Middle Life Crisis Toolbox : anger screwdriver


“Anger is how we seek to create an illusion of control where we feel none.” Martha Nussbaum

I have been reading about anger this week. Here is what I found and liked.

On what happens in our body when we get angry. This is where we should know the basics of the race between cortex and amygdala. The interesting part of this article also relates to the time required between the anger peak and our return to a calm state. This is where we are still vulnerable to getting angry again. Well, read that and understand your body: https://www.mentalhelp.net/articles/physiology-of-anger/

On how to get angry a lot. That video is a list of common tricks to put ourselves into great anger. Guaranteed result. Funny and so true…

On the reasons why we get angry. “Anger begins with the many imperfections of existence”. In this section of the “Book of Life”, one can understand where anger starts and why it should get all our attention, and support. As you may get, expressing anger is expressing suffering. And the best thing to do may be to try to understand (and relax a bit, too). http://www.thebookoflife.org/why-you-get-so-angry-even-though-you-are-nice/

On the bridge between anger and creativity. This is a set of wise views on anger. One I like is “The internal living flame of anger always illuminates what we belong to, what we wish to protect and what we are willing to hazard ourselves for.” David Whyte. Some other interesting philosophical thoughts can be read here https://www.brainpickings.org/2016/11/04/may-sarton-anger/

On anger, forgiveness, and lovers. I cannot refrain from referencing another post from Brain Pickings, about Martha Nussbaum’s views, which deals with anger in the specific context of lovers, where trust and bonds give a special meaning and violence to anger. One can also find in this post that the link between anger and self-respect, made by many philosophers, is challenged. Please have a read here: https://www.brainpickings.org/2016/05/03/martha-nussbaum-anger-and-forgiveness/

Hope it helps !

Note: Picture “les pieds au mur” (feet on the wall) by Robert Doisneau

Note: other more general Middle Life Crisis resources are available here

Non-violent security talk for small and medium business @ BlendWebMix

This week I was at a web conference named #BlendWebMix, which gathers all kinds of actors of the web economy, from investors to tech, including designers, influencers, politicians, startupers… Very diverse types of talks were given, 80 of them, and 1800 people attended the event. I was selected to give a very short presentation on privacy and security. My challenge was: convincing a broad audience, in 13 minutes, that privacy was something each of us, as workers, should take action for. Here is the core of my message.

I am fed up with the usual talk in security which says “provide privacy by implementing some security or you will burn in the hell of bad-reputation companies, together with Madison, Target, Yahoo, and potentially go bankrupt”. You know, Fear, Uncertainty and Doubt (FUD). I tried another angle. I tried the non-violent path. And I believe there are two good reasons why people should give a chance (and budget and effort) to privacy.

The first reason can be found on the optimistic side of life. Good reputation. I have the feeling that in this digital storm of hacks, global attacks and social media bashing, the companies taking action to preserve the privacy of their users are playing a good game. And the user may know. And the user may appreciate it. And it may be a competitive advantage to invest in it and get rewarded for it.


The second reason is data protection, as defined by the European Commission. There is a new directive that mandates every company to allow its users to keep an eye on their data. It is the result of long discussions on the value of citizen privacy in our digital world. That regulation will be applicable in May 2018, to all European companies and all non-European companies handling European citizens’ data. Well, yes, 2018 is the day after tomorrow. Which gives you only tomorrow to ramp up on good practices and get ready. The threat if you are not compliant with the regulation will directly touch your wallet, as fines could go up to 4% of your benefits, as a company. Universities and public services are also subject to this regulation.

What does this regulation say? It says that users will have to explicitly opt in to the registration of their data, they will be able to control what you are doing with the data, and they will have the right to modify and delete their data. In addition, data portability will have to be provided. Finally, users will have to be informed about any breach related to their data. Data, in this context, means any piece of information which characterizes the user: name, address, but also geolocation, social media activity, any digital trace left by the user that you are collecting.

Who is subject to this regulation? Any company which collects, processes, transmits or stores the data. This means you, but also anyone touching the data, closely or from afar. For example, the monetization partners (ads), or your cloud providers. Now you see what the impact could be!

This is where I started a new technique for getting the audience receptive to the message. I asked them to pause a second, close their eyes, breathe, and think about one of their users. Lea, 30 years old, digital, agile, a conscious citizen, caring about her privacy. I asked the audience to answer in the secret of their mind and heart, eyes still closed, the following questions: do you know what data from Lea you are taking into your super-super application or service? Do you know where Lea’s data is stored? When was the last time you had a conversation about privacy and security at work? I mean, not on Twitter, being scandalized by state global surveillance, but wondering within your own framework. Some of the people in the audience smiled, and I felt some of the questions touched them. What about you?

Still aiming to convince the audience, in a smooth way, to take action for the privacy of their users, I reminded them that it was important to identify the data, understand its life cycle within their own service life cycle, define the weak points (i.e., any entry point, transfer, storage…) and protect those points. The thing is that if you are a small company, you may not know where to start. My key message was: well, start with pragmatic stuff.

First. Talk about security, create conversation around it. For example, set up a 2-hour meeting with the project manager or whoever in the company coded the solution, with a global view. And together, make a status of the different security measures done up to now. Make an accurate status.

Second. Look for security champion(s) in your team. Basically the one(s) who had security training at school or who had the chance to work on a security-sensitive project in the past and may share with others.

Third. Write a process. It could be a paper sheet in the cafeteria reminding you: i) before you ship a new feature, ask John (the security champion) for a code review, ii) before you sign a deal with a company, check its track record in security, … Or it could be a professional methodology for bigger companies. Well, the objective is just to make sure that the question of security is handled in the product life cycle, at company scale, and taken into account in delays and deals. This relates to creating a security company culture.

Fourth. Engage in conversation with your partners and providers; ask them basic questions about their security investment. They might be able to prove that they actually take care of it, with certification, or by being able to tell you a nice story about their efforts in that matter. Just like any company should be prepared to.

Fifth. Crash test your product. Some bug bounty platforms now exist. You can submit your product, it will be attacked by some hackers, and if security vulnerabilities are found, you will be informed. The next level or complementary action could be to perform an audit of your code, or get an actual security certification (but I guess that if you are on a market where a security certification scheme exists, you might already be a security-aware company).

Sixth. Monitor the security news. Read some newspapers specialized in security, or some forums alerting on vulnerabilities. It would be a pity if your whole bim-bam-boum service were based on a framework which has been seriously hacked, and you were not aware of it.

In the end: six possible concrete actions, to be rolled out by any security non-expert. I asked the audience again to close their eyes. And to pick one action in that list, just one action. And promise, in the secret of their mind, to do it Monday morning when coming back to the office. Hoping next Monday some SMBs will enter the way of improving the privacy of their services…

Note: all pictures copyright Garry Winogrand

Middle Life Crisis Toolbox


Some of you may have been following my new style of writing posts about the why, the what, and the nothing of life. I am spending some reasonable time reading and looking for material to discover who I am (and who you are, too). I thought that sharing with you some of those amazing texts or videos may help some of you in their existential crisis…

Here are some good pieces. All of them brought a new look, a new way to read my life.

For the ones believing that they are worth nothing. I love the self-kindness of this text. It is about ‘I am enough’. Maybe it is too much, too naive, too positive, but it shows a path. This is to convince you that you are someone, that you are doing a good job at managing your life (i.e., as well as you can), and that you should stop blaming yourself. Seriously. Self Love: I am Enough. And also, You are Enough.

For the ones who are tired and still believe they can judge a situation. This one demonstrates that while we are in a difficult moment of life, our analysis goes wrong, driven by some distortion filters. Knowing it allows us to pick the best (or least worst) moment to think or answer. “Why you should not trust your feelings”

For the ones who are looking for little pieces of joy every day. Here is a good toolbox to take care of yourself, and actually fight against the dream of happiness coming one day, in a spaceship, independently of you. This is about having a routine that extracts you from the run we all do every day and allows you to enjoy simple moments. Google’s former happiness guru developed a three-second brain exercise for finding joy

For the ones who struggle every day with paradoxes. That text explains that looking for harmony and balance is a lost quest. Our world is made of things and their opposites, and one cannot always enjoy only one side of the world. That is one of the big learning pieces, to me. The Power of Perception, and Critical Imagination.

For the ones who feel rejected and are suffering. This text explains how being rejected hurts like being physically hurt. It exposes why, and how to try to prevent this suffering. Why rejection hurts so much

I hope you liked it, and even better, that those links helped you, in one way or another.

Note: Picture Saul Leiter, Red Umbrella, ca. 1958 © Saul Leiter

Café in MUCEM – Marseille

The MUCEM (Musée des civilisations de l’Europe et de la Méditerranée) is one of my most beautiful places in the world. The architecture is strong, the view over the sea is breathtaking, and the place is always packed with curious, laughing Marseillais. These days the MUCEM offers an exhibition on coffee.


The proposal is eclectic. Painting, drawing, geopolitical documents, maps, scientific plates, poems, literary texts, expert talks. One learns lots of things. The subject of coffee is taken, turned in every direction, shaken, so much that by the middle of the exhibition one is dying to sit down and savour a strong coffee, alone, or with the tribe, or with a lover. One would choose a Venetian, Parisian or Moroccan shop.

But you will have to wait. Wait until you have learned that Yemen held the monopoly on coffee production for 10 centuries. Wait until you have realized that coffee upset religions, appearing as an innovation whose virtue or vice had to be ruled on. Wait and watch coffee grow. #Did-you-know? Coffee is a fruit, which looks like a cherry. Its skin is removed, and a green seed is found, which is then roasted (not burnt) to develop its flavour. Coffee is a small fragile thing that must be treated correctly. To learn more, you can always talk with a real barista. Because any self-respecting barista knows the different kinds of coffee in the world by heart, and knows how to prepare his coffee to extract exactly 21% of the initial matter.


One also learns at Café In MUCEM that coffee arrived in Marseille in 1644. And that the first coffee shop opened in 1671, near the Palais de la Bourse, and then establishments multiplied. Often there is resistance. But here we are: today we all have our favourite little café, dear to us for the aroma of its coffee, for its clientele or its owner…


In this exhibition one meets the beautiful people. Brassaï, Picasso, Cartier-Bresson, Sartre, Doisneau, obviously, the intellectuals, all at the Parisian café. Yves Simon also tells us, with great sincerity and nuance, about what he found and no longer seeks in bistros. One comes across Coffee and Cigarettes by Jim Jarmusch, which makes you want to take up smoking again.

In short. Coffee, the plant. Coffee, a commercial stake. The café, a political and social place. The café, an art of living. Quick, quick, we run to find a steaming, strong cup.

It’s okay, to be not okay …


Here is the story. I was at a networking event, meeting some old friends and discovering new ones. A good friend of mine was running toward an important thing (a cocktail, a prospect, a cherry tomato, we don’t care…) and while walking in front of me, he smiled and launched a warm “hey Virginie, how are you today?” without stopping his walk. I was in a kind-of-worried-anxious-tired mood and I answered “Well…”. Immediate effect. That friend lost his smile in a second, stopped his walk, U-turned, and stared at me with wondering eyes. I saw how the beginning of my vague answer affected him. I felt I had to reassure him: “I’m okay, it’s okay, I’m okay, no worry”. Pretending everything was okay, more than ever.

Not okay, really? I realized at that specific moment the reason why I was most of the time reluctant to admit my bad feelings: it takes some energy and bravery to assume them. The possibility that something could go wrong is a bad signal that makes some people uncomfortable. But well, look at our crazy world: what can cause bad feelings? Potentially a lot: stress, multiple and constant social interactions, quick decision making, always on and ready, juggling different human facets and contexts. That, each day. And it may be hard to protect ourselves, in this multitude. Each of us has a kernel that, under attack, will usually create negative reactions: pain, sadness, violence, anger… Well, I did not invent anything, I am not the first one saying that we all have a dark side (some French friends wrote about it [1] [2]). But the reason why I am talking about it is that I recently spent some time trying to understand my dark side and spent some time on my bad emotions. And I found a few things to deal with those negative feelings.

Admit it. I do not question anymore, I am not hiding myself, I stopped denying. Admitting my dark mood and accepting the associated feeling has been a great victory (but the battle is still going on…).

Share with some. Not being okay can be dealt with alone, but balancing this loneliness with time spent with my friends and family helps. So if I want to share that bad feeling or state with others, I choose them carefully. I take someone I believe will not be yelling or crying after my announcement, or who will not start denying or judging my feeling. This part is difficult, as our affective relations do not always allow the appropriate distance (which for me is empathy with no compassion). By the way, congratulations to the lucky winners, and thank you, friends, I love you!

Feel the feeling. My body and I are co-existing with that darkness (bad mood, bad thoughts, bad intentions, deep sadness, well, you see). That’s a fact, you have to cohabit with it. And I found that mindfulness can help: it suggests recognizing the physiological signs in your body associated with sadness, anger, all bad feelings. Once you are able to detect from your own sensations where you are on your emotional scale, you can decide what to do with it: share it, keep it, monitor it, control it, or run away. Well, usually mindfulness suggests breathing, but it’s up to you. There is no judgement here, nor a good way to manage that feeling. The objective is just to be in a position to choose how this internal feeling will affect your relation with others and with the world.

Silence the feeling. Meditation is also an interesting exercise to create a DMZ. A white zone, empty, where nothing happens! I just concentrate on breathing or on the noise around, filling my thoughts. Looking for that neutral state for ten minutes (or more, depending on how brave I am) also helps to relax the storm created by my internal fight between being kind and being that miserable thing able to yell at anyone.

Express the feeling. I have a wander-wonder mind. My thoughts are always climbing somewhere, making links, balancing, remembering something. I guess, like all of you, there is always something happening. I have decided to use that energy to write, draw, take pictures, and share my thoughts on this blog. While doing those things, I have no shame (anymore) in integrating my dark filters. And I believe this is what makes me a human.

Learn. I am also trying to learn about the source of the bad feeling. Where does it come from, is there any explanation? Any psychological or cognitive reasons? Explaining is not about judging or skipping, but about understanding, and thus helping better admitting (go back to point one of this post). A side effect could be that the bad feeling vanishes, but this is not a quest for me; my own quest is understanding. At least this is my own mechanism that will allow me to survive the idea that I am not a perfect person. I recently had a great time watching Brené Brown on how vulnerability is cool. I also got the difference between being aggressive and being violent. All those little pieces of information make me understand my own humanity and amazing internal life.

That’s a lot, right ? You can try some of those tools, or not. But experiencing that path is sooo interesting and rich, that I am just about to wish you veeeery bad days to give you a chance to play with it ! Mouhhaahhhaaaa…

[1] French blog of a French psychologist I like http://cabinet-hacor.com/2016/09/28/le-gentil-mufasa-et-le-mechant-scar-ou-lillusion-du-bien-et-du-mal/

[2] La bienveillance, c’était mieux avant https://medium.com/@valvert/la-bienveillance-c%C3%A9tait-mieux-avant-80f9a64d889c#.iojgi830x

Some news on the Trusted Execution Environment side…

A while ago I wrote about the Trusted Execution Environment (TEE), and how promising it was. A few months ago, I mentioned the arrival of Trusty TEE in Android, an API allowing mobile applications to interact with TEE-based services. One can still wonder, in 2016, where that technology is positioned.

A reminder about what a TEE is. Well, it is an isolated environment, shipped in smartphones, offering a way to deploy code that will be securely stored and executed. It can support any mobile application that requires sensitive operations and a trusted user interface, to ensure that what you see is what you sign.

But the major question when we come to nice technology is: “yeap, your stuff sounds cool, but who on earth is using it?”.

Well. Let’s see the facts. On the GlobalPlatform website, you can find 8 products that succeeded in the official functional certification. You can check this yourself here. Among the certified vendors, one can note Samsung.

And what does Silicon Valley say about it? A recent event gave an overview of the market: the TEE Seminar that happened in October in Santa Clara. This is a regular seminar gathering the usual suspects of the TEE ecosystem. Speakers included ARM, Visa, Trustonic (one of the well-known TEE providers, a Gemalto-owned company), FIDO Alliance, Linaro (which offers an open source TEE, named OP-TEE), Ericsson, Verimatrix (guys in the game of content distribution and IPTV), plus Gemalto (my company) and G&D (one of my company’s competitors). The key topic of the TEE this year was the Internet of Things. While TEE technology seems to be distilled into the smartphone market via official products (see the Samsung statement, the Android Trusty TEE API and the Secure Enclave [PDF] in iOS), the next wave ready to take benefit of it is the Internet of Things.

Any diverging creative geeks interested? In the same month of October, there was another interesting event in Silicon Valley: a TEE hackathon, #BuildWithTEE, dedicated to taking benefit of the technology. It was organized by BeMyApp and GlobalPlatform. 100 people joined the hackathon over the weekend. The exciting pitch moment was made of 22 smart ideas, 12 went on until the end of Sunday, and 3 winners shared 10,000 US dollars. The material provided to participants was a Linaro OP-TEE loaded on a Raspberry Pi 3, and all they had to do was play with Linux and implement their idea, with the objective of using the key asset of the TEE, namely security, on the client or server side. Ideas that won were about monitoring door locks when renting out your house, deploying a privacy-respectful tracking system, and a centralized password management server. IoT use cases were the main ones the creative geeks wanted to explore.

So, to conclude, the TEE is a technology alive and kicking, and will definitely support nice innovation in the field of all-and-everything-connected!

Note: Picture from https://www.pinterest.com/cdnmomma/for-the-of-europe/

About pleasant, good and meaningful life…


Coming back from a wonderful week in Helsinki, where I met dozens of interesting people and discussed hundreds of amazing things related to leadership and humans. I might have a lot to say, and it will be distilled slowly in my coming blog posts. Nevertheless, there is one thing I captured about happiness and a balanced life that struck me and that I wanted to share.

This relates to yet another possible way to read (and build) our life. During a workshop on motivation, the trainer mentioned a theory named positive psychology, or the science of trying to understand how people are happy. I will not go into the details of its founder, Martin Seligman, nor into the details of the theory, which I have not read at length. I will just report what I got and what I felt made sense to me.

It seems that our life is made of …

Pleasant moments. Moments where our senses and body feel well (eating something tasty, listening to good music, …). It could be intense happiness, but the pleasure you get from it vanishes quickly.

Good moments. Moments where your activity is in line with your own values. This differs from the previous moments in that you are involved in that moment, by making choices coming from your desire, your sensitivity, realizing some of the wishes you have in mind and heart. For example, preparing and eating a special meal with carefully chosen organic ingredients, or from a country you dream of, or that triggers good memories. Using your cooking skills to reach something. Well, you got it, it is something that links the external world and your internal world. It triggers a satisfying feeling, definitely.

Meaningful moments. Moments where you are realizing something with other people, listening to your values, again. It creates a feeling of aligning your values with society (because others are involved) and provides great happiness. For example, following up on the idea of food, it could be about creating a restaurant with associates, providing the food you like and that you believe people should get for a good price (if your value is to feed people with good food at an affordable price).

My personal feeling is that in that story of values and moments, no one judges your values; they are yours. To reach a meaningful moment, you just need to unveil those values to the world and embed others with you.

The theory says that each of us can have either a pleasant life, a good life or a meaningful life. But the reality might be that our life is made of a patchwork of all those kinds of moments. One thing raised by studies is that the happiest people do have a serious rate of meaningful moments. Those meaningful moments create the conditions for a sustainable sense of happiness. Disclaimer: don’t ask me to show you the happiness-metering tool, I have no idea, but you may find more here.

This may be *just* one exotic way of reading our life. But models are interesting because they force us to read our habits in a new way, with a different approach. And I felt that this one was interesting if you apply it to the various fields of work, friendship and love. It appears clearly to me that each of those fields deserves pleasant, good and meaningful moments. The last ones, meaningful stuff, may be complex to reach, because it implies embedding other people with you, being collaborative, opening your heart, but it seems that they are the ones that will make our life great and happy… Let’s try to cultivate them!

Some references:

Pursuit of happiness http://www.pursuit-of-happiness.org/history-of-happiness/martin-seligman-positive-psychology/

Martin Seligman TEDx talk https://www.ted.com/talks/martin_seligman_on_the_state_of_psychology

Picture: Garry Winogrand.