Exactly. And the people commenting that "you should never have a hacked browser" don't get that it's referring to native apps which embed a browser to mislead you rather than, say, a spyware-infested version of firefox. Of course you shouldn't have the latter, but for the former, anyone can make an app that imitates anything.

True that's exactly what it is but with a lot of cruft surrounding it as well. It requires a web browser to facilitate the connection, rather than the user just copying a password to wherever it's needed, it requires that the third-party application which wants to authenticate needs its own domain and its own server, instead of just being able to be a standalone application which can authenticate directly. Because of this, it's just a mess of a system. What the author is suggesting is to leave the part of it that's based on a solid security foundation intact, (the part that says "separate keys for each application with limited access") but remove all of the insanity around it that adds no extra security and just serves to confuse the issue and limit its usability.

If people were only using OAuth for web-to-web communication, I don't think those issues would have been raised. But many of the big players have their "API"s based on it. Take a look at this thread on citrix's development site for example. Here, there's a service which is hardly web-based, pretty much the only thing web-based about it is that you join meetings by browsing to a URL, and yet the only authentication model they provide for their "API" is OAuth. This is wrong. It's not what OAuth was designed for. And yet it's what's being used. If people would stick to its intended purpose when using it, there would be no problem, but this is hardly the case.

Again, you miss the point. The point isn't separate accounts. The point is, you have a user account, say "JoeCool", and a password, say "12345". Your system allows Joe, when logged in under that password, to create a secondary password, 67890 which, when logged in with, only allows limited access. Joe can then give "67890" as a password a third-party application, which will then have only limited access. If the application misbehaves, Joe can remove the "67890" password, thus locking out the malicious application while keeping his primary password secure, along with any other secondary passwords he's generated for other applications. That's the system being described and that's a system which would avoid a heck of a lot of headache.

And I'd appreciate not being called names by someone who hasn't even taken the time to understand what's being said.

You miss the point. He says to have the user create separate passwords from the primary one, with restricted permissions, and give a different managed password to each application. That way, if the application misbehaves, the user themselves can remove that password without having to affect anything else.

Are you suggesting that there may be even more flaws with it that Eran and others are aware of but unwilling to admit? A frightening prospect given how much of the world's personal information is being protected by this garbage.

I think some of what you say is definitely true. Certainly the part about how it will be difficult for the secretary to do stuff for the boss and about repelling third party developers have less to do with his departure, less to do with the "web people", but I think that the parts about the insecurity and non-interoperability hit the nail on the head in terms of his reasons. I also think that the main point of this article is that the overall result of OAuth is a system that accomplishes none of the objectives laid out from either side, and I think that this is what he saw and why he left. He practically said so himself.

To me, at least, this says he realized that they accomplished nothing, and had finally reached the point where he could no longer continue accomplishing nothing and call it progress.

Forgot to mention, my teacher uses live meeting... apparently groopex integrates live meeting as well as webex.

I learned hebrew from a teacher who uses a groopex integrated moodle site, and i found the live classes far better than simple downloads of static files that i'd tried in the past. I'm surprised how few people use these real-time tools.

I had actually been been noticing recently the INadequacies of so-called "adequate" free software. Little things mostly, programs lacking certain features that their nonfree alternatives have, things of that nature, but it's really the little things much more than the big things that will draw users into the market and keep them there. It is as plain as day that merely "adequate" is by no means good enough to attract the average Joes and Janes out there en masse, we need software that is as good as or BETTER than the non-free competition. I especially liked the concerns about the games market, there really is no contest. When it comes to games, linux outright sucks, as said, due to the poor quality of sound and video. As for X... A wise man once said "XWindows is the defacto substandard". We need a replacement for decades-old shoddy software, we need to get our heads on straight and do things right, but most of all, we need to stop denying that Linux has these issues and address them head-on. Linux, and the free software community in general, have to be proactive in developing tools for the average user, rather than reactive in combating nonfree software. There's no reason a bunch of basement-nerds and 10 pounds of beard with a man attached can't develop a better product than a bunch of sissy, cubicle men and their high-paying jobs... We basement-nerds are the better programmers and we know it! Let's take back what's rightfully ours.