
Comment: Re:This is insane. (Score 1) 302

by Dynedain (#48206517) Attached to: Hungary To Tax Internet Traffic

If every employee suddenly were running up internet costs, you can bet your ass companies will start blocking internet access unless you go through the hassle of proving you need it.

Say goodbye to free wifi at coffee shops.

Your phone would be affected as well, so there goes more skyrocketing costs.

No-one will download security updates if they now have to pay for the transmission.

The result of this would be the internet in the affected country reverting to user behaviors, features, and services from 10 years ago, as it would introduce a severe stifling effect on data usage. Your described pattern would be what most people would do, and the internet as we've grown to know it would die.

Comment: Re:Compelling, but a mix still better... (Score 2) 392

by Dynedain (#48190385) Attached to: NASA's HI-SEAS Project Results Suggests a Women-Only Mars Crew

This was a big plot point in a scifi novel I read years ago. A group of people willingly underwent amputation to reduce the mass of legs, allowing them to add more people to their launch crew.

If I remember correctly, there is a staged automobile accident, causing the main character to lose his legs (not knowing it was intentional) resolving the problem of being separated from the love interest who would be on the shuttle.

This is really going to bother me until I can remember what novel it was.

Comment: Re: Missing option (Score 1) 219

by Dynedain (#48159409) Attached to: When will the first successful manned Mars mission happen?

The only objective meaning of life is to procreate and continue one's own genetic legacy.

Consciously being able to control and plan for this beyond an individual's lifespan is an incredible achievement for the evolutionary process. Having that capability, and not exercising it, is effectively suicide.

By observing any celestial body in our solar system, we can virtually guarantee that Earth will experience a humanity-ending event. Not taking action to continue our species past such an event, when we have the capability to do so, is effectively suicide.

Comment: Re: Missing option (Score 3, Insightful) 219

by Dynedain (#48156481) Attached to: When will the first successful manned Mars mission happen?

No, escaping the Earth is not an option for the human race to survive. Massive immigration to other planets and stellar systems is not and will never be feasible.

Survival of the human race is not the same thing as mass emigration.

If a large comet hit the Earth tomorrow, humanity as a species would be gone. If we have self-sustainable colonies on other planets, the species would survive, even though the vast majority is wiped out. No one is proposing that we can save all of humanity in event of a catastrophe. That clearly is impossible. However we certainly should take steps to ensure the survival of our species. If we don't, then what's the point of evolving to have the capabilities and self-awareness to do so?

Comment: Re:I disagree (Score 1) 546

by Dynedain (#48154495) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

I understand the difference between authentication and authorization. Onsite signup provides both authentication and authorization in a single process. 3rd party signup (OpenID) can *only* provide authentication; it can never provide authorization. An additional step is required. In this regard it's no different from shared public keys.

OpenID is more complicated for the end user to manage, AND it puts additional technical burden on them to understand. How am I (the average user, not the site admin) supposed to know my OpenID is compromised? How do I fix it? How do I know the server that provides my OpenID is compromised? Keeping track of a password phrase is fundamentally a much simpler problem for the end user. Where do you want to place more burden of responsibility? Site operators, or end users?

You're saying that you don't want Google to trust authentication from anywhere else because you want to trust that any authentication coming from Google is equivalent to valid authorization, which helps you prevent spambots from signing up for your service.

No, I'm saying as a site owner, I don't want to trust authorization from just anywhere, because logged-in users are core to my service model. To make things easier on my users, I allow signups with common third party ID services, because I understand their authorization mechanisms. But now I've sacrificed my control over my users.

Fully peer-to-peer authorization (which is what OpenID provides) is effectively fully-public authorization. In which case, if it's public, why do you even need peer-to-peer authentication?

Again, we're saying the same thing about the fundamentals of the mechanism and problems. But we differ in our beliefs on the motivations. You say the failure of OpenID is malicious intent on the part of the big corporate players to create locked-in ecosystems. I say that's a side effect and the failure stems from the inherent need of a site owner (big or small) to effectively manage their userbase with minimal burden on the users.

Comment: Re:I disagree (Score 1) 546

by Dynedain (#48151483) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

No, you misunderstand me.

If I trust Google IDs, and allow people to signup to my site with Google IDs, that is a fairly good way of limiting malicious bots from signing up on my site. But I've now accepted Google's signup policies as my own.

When Google suddenly lets spammers create 1000s of IDs, my site is now vulnerable to massive automated signups, because I have no way of identifying a legitimate Google ID user from a spam Google ID user. I have offloaded my trust to Google.

Multiply that out to an infinite number of ID providers, and it makes relying on logins for user verification a useless exercise. At that point, I need an additional channel of confirmation (hence the "2" in "2 factor authentication").

The problem isn't trust. The problem is that these companies want walled gardens that they control.

Wrong, wrong, wrong. If I don't trust Facebook or Google's account creation policies to prevent Nigerian spammers from creating spambot accounts, how in the world could I ever expect them to trust mine? It has nothing to do with a walled garden, and everything to do with trusting a 3rd party to have good policies in place.

Comment: Re:OpenID and OAuth (Score 1) 546

by Dynedain (#48151373) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

So your answer is "trust the user". Basic security and site administration tells you "don't trust the user".

My "very few" comment comes from this. You cannot trust the user. Widespread OpenID (or any similar system) effectively devolves into peer-to-peer authentication. This can be a good thing, for limited scenarios. But widespread adoption would require many services to fundamentally change what their service offers, not just how they authenticate.

Comment: Re:I disagree (Score 1) 546

by Dynedain (#48145317) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

I also am talking about "trust" as in "trustworthy", not the security technical definition. I think we're saying the same thing, but I lay the blame on an inherent aspect of the system, not on the Google/MS/Facebook big players in the space.

Any site owner (be it Google or Mom's BBQ Shack) cannot accept third party authentication, without implicitly relying on whatever user creation policies that third party uses to control their audience.

If tomorrow Google suddenly opened the floodgates and said spambots could create all the Google IDs they wanted, then practically overnight you would see wholesale disabling of Google ID authentication on sites that currently use it.

The reality is that no-one other than the really big players gets enough public attention to be considered trustworthy for 3rd party authentication. Allowing unrestricted third-party authentication services by definition means allowing anonymous accounts. And truly anonymous accounts are diametrically opposite from having logged-in users.

My point is that this isn't a Google/big data tracking/hate the corps issue. The point of user logins is to provide you (the site owner) controls over your userbase. If you offload your logins to 3rd parties, you are sacrificing most (if not all) of those controls.

Here's a real example - I run a site that has a private area. Users are authenticated using Facebook (because I don't want to force extra logins on them). It's cut down on the vast majority of bogus signup attempts, but only because Facebook is relatively good about preventing spambots from creating accounts. But there's no way in hell I would allow Mom's BBQ Shack to provide authentication (aka, OpenID) because I have no visibility or public evaluation on how Mom's BBQ Shack creates logins. For all I know, Mom's BBQ Shack is really just a spam king, and I just allowed spambot logins on my system.

We have a couple of great examples of truly anonymous, distributed systems, where every node is allowed equal behavior: Email and Usenet. Spam problems on both are fundamentally insolvable without breaking the systems to rely on outside methods of trust. The same applies for an authentication service. You cannot have a fully open and anonymous system without it allowing for anonymized abuse.
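The relying-party decisions this comment (and the later ones about Google "opening the floodgates") describes can be made concrete. The following is an added example, not the commenter's code or any real OpenID library: a site only accepts identity assertions from providers on an explicit allowlist, and it automatically stops trusting a provider whose signups turn out to be mostly abusive. The assertion fields, the provider names (`idp-a.example`, `momsbbq.example`, …) and the thresholds are all constructed for illustration.

```python
"""Relying-party trust policy for third-party logins (constructed example).

Two decisions from the discussion above:
  1. only identity providers this site has chosen to trust are accepted;
  2. a trusted provider is disabled once the share of abusive accounts it
     sends exceeds a threshold (the "floodgates" scenario).
No real protocol is implemented; assertions are plain dicts with an
"issuer" (the identity provider) and a "subject" (the user at that provider).
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ProviderPolicy:
    trusted: set                      # issuers the site owner decided to trust
    min_sample: int = 50              # do not judge a provider on a handful of signups
    max_abuse_ratio: float = 0.20     # disable above this share of abusive accounts
    seen: dict = field(default_factory=lambda: defaultdict(int))
    abusive: dict = field(default_factory=lambda: defaultdict(int))
    disabled: set = field(default_factory=set)

    def record_signup(self, issuer, flagged_abusive):
        """Feed back the site's own abuse verdict for an account from `issuer`."""
        self.seen[issuer] += 1
        if flagged_abusive:
            self.abusive[issuer] += 1
        ratio = self.abusive[issuer] / self.seen[issuer]
        if self.seen[issuer] >= self.min_sample and ratio > self.max_abuse_ratio:
            # The provider's account-creation policy is evidently not good
            # enough for this site: stop accepting its assertions.
            self.disabled.add(issuer)

    def is_trusted(self, issuer):
        return issuer in self.trusted and issuer not in self.disabled


def evaluate_assertion(policy, assertion):
    """Return ("accept", local account id) or ("reject", reason)."""
    issuer = assertion.get("issuer")
    subject = assertion.get("subject")
    if not issuer or not subject:
        return ("reject", "malformed assertion")
    if issuer not in policy.trusted:
        # An unknown provider could be anyone, including a spam operation.
        return ("reject", f"untrusted identity provider {issuer}")
    if issuer in policy.disabled:
        return ("reject", f"provider {issuer} disabled for abuse")
    # Account identity is (issuer, subject); the same subject at another
    # provider is a different user.
    return ("accept", f"{subject}@{issuer}")


if __name__ == "__main__":
    policy = ProviderPolicy(trusted={"idp-a.example", "idp-b.example"})
    print(evaluate_assertion(policy, {"issuer": "momsbbq.example", "subject": "u1"}))
    print(evaluate_assertion(policy, {"issuer": "idp-a.example", "subject": "u1"}))
    # Constructed feedback: 15 of 50 accounts from idp-a turned out abusive.
    for i in range(50):
        policy.record_signup("idp-a.example", flagged_abusive=(i < 15))
    print(evaluate_assertion(policy, {"issuer": "idp-a.example", "subject": "u2"}))
```

The abuse counter is deliberately per-issuer rather than per-user: the site cannot tell a legitimate account at a provider from a spam one, so the only lever it has is whether to keep trusting that provider at all.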

Comment: Re: Objection One: (Score 1) 546

by Dynedain (#48142739) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

Ok, continue the metaphor... the majority of the users will pick near the middle of the page: the sample set is reduced by an order of magnitude again. I'm sure there's a psychological predicative to the left page or the right page, there goes another 50%.

Not to mention, you started with a sample size of around a quarter-million English words to begin with, so now you're down to around 100K possible options. Humans will naturally rule out words they don't intuit are random. Like rejecting the word "random" or "password" for this scenario. You put together enough psychological conditions like this and you can easily reduce the sample set to a few hundred words that would be used by a majority of users.

A case-sensitive 8-digit alphanumeric password (no special characters or spaces) has 62^8 possible "words", and that already isn't considered secure enough.

The word system works only if people generally don't use words. If everyone uses unadulterated words, then the whole thing breaks down into a dictionary attack with a fairly limited password space (the size of the dictionary to the power of the number of words required).
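The arithmetic behind this comment, as an added example rather than anything from the commenter: the functions below compare the 62^8 search space of an 8-character alphanumeric password with the dictionary-size-to-the-power-of-word-count space of a passphrase, and show how many words are needed once the effective dictionary shrinks. The 300-word "effective dictionary" stands in for the comment's "few hundred words" and is a constructed figure, not a measurement.

```python
"""Search-space comparison for word-based passphrases (constructed example).

Assumes every word is chosen uniformly and independently from a dictionary
of size D, so N words give D**N equally likely passphrases.  The baseline
is the comment's case-sensitive 8-character alphanumeric password, 62**8.
"""
import math

ALPHANUMERIC = 62                     # a-z, A-Z, 0-9
BASELINE_SPACE = ALPHANUMERIC ** 8    # 8-character alphanumeric password


def search_space(dictionary_size, n_words):
    """Number of distinct passphrases of n_words words from the dictionary."""
    return dictionary_size ** n_words


def entropy_bits(dictionary_size, n_words):
    """Same quantity expressed in bits (for uniform, independent choices)."""
    return n_words * math.log2(dictionary_size)


def words_needed(dictionary_size, target_space):
    """Smallest N such that D**N >= target_space, using integer arithmetic only."""
    if dictionary_size < 2:
        raise ValueError("a dictionary of fewer than two words has no search space")
    n, space = 0, 1
    while space < target_space:
        space *= dictionary_size
        n += 1
    return n


def compare(dictionary_sizes, n_words=4):
    """For each dictionary size: bits at n_words, whether it beats 62**8, and
    how many words would be needed to match 62**8."""
    rows = []
    for d in dictionary_sizes:
        rows.append({
            "dictionary": d,
            "bits": round(entropy_bits(d, n_words), 1),
            "beats_8_alnum": search_space(d, n_words) >= BASELINE_SPACE,
            "words_to_match": words_needed(d, BASELINE_SPACE),
        })
    return rows


if __name__ == "__main__":
    # Constructed inputs: the comment's quarter-million-word English dictionary
    # versus a few-hundred-word "effective" dictionary after human biases.
    for row in compare([250_000, 300]):
        print(row)
```

The point the numbers make is that the scheme's strength lives entirely in the dictionary the words are actually drawn from: four uniformly random words from a quarter-million-word list beat the 8-character baseline comfortably, while four words from a 300-word effective dictionary fall well short and six would be needed just to match it.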

Comment: Re:I disagree (Score 1) 546

by Dynedain (#48142611) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

The problem exactly is trusting 3rd party services.

Google, Facebook, MS may have all implemented it, but none would trust third party authentication. They all made their authentication available to website providers.

As a result, since no-one trusts arbitrary unknown services, the only commonly accepted 3rd party auth servers are Google, Facebook, MS, twitter, etc.

OAuth, OpenID, OpenID 2.0, and any other truly distributed login systems are doomed to failure. They serve as nice protocols, but ultimately the relationships of trust between the managing entities are more important. Yes, you can run your own auth servers. No one will trust you as an individual implementer because there is fundamentally no way to differentiate you from a malicious person who can also run their own auth servers.

Comment: Re:OpenID and OAuth (Score 1) 546

by Dynedain (#48142595) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

Nope, still the same problem. Very few sites (even tiny web forums and such) are willing to trust an arbitrary 3rd party. Google and FB, sure, because they are so big and a known entity, but not an arbitrary 3rd party.

Remote 3rd party authorization solves only one piece of the problem that onsite auth solves: confirming user login to an existing account. There are other problems, like ensuring unique, non-spam/bot users, that can't be done with remote authentication unless you trust the policies of the remote authenticator.

If tomorrow Google suddenly opened the floodgates and said spambots could create all the Google IDs they wanted, then practically overnight you would see wholesale disabling of Google ID authentication.

OAuth, OpenID, OpenID 2.0, and any other truly distributed login systems are doomed to failure. They serve as nice protocols, but ultimately the relationships of trust between the managing entities are more important. Yes, you can run your own auth servers. No one will trust you as an individual implementer because there is fundamentally no way to differentiate you from a malicious person who can also run their own auth servers.

Comment: Re:I disagree (Score 3, Interesting) 546

by Dynedain (#48134865) Attached to: Password Security: Why the Horse Battery Staple Is Not Correct

We do, it's called OpenID, which is what Google leverages for their single sign-on (not sure if FB is their own solution or not). It was a really popular thing about 5-10 years ago and got a ton of attention. I think even MS enabled it.

The problem with it is this: everyone was willing to open their servers to be the authenticating source for OpenID, but no one was willing to trust a 3rd party's servers to do the same.

So I can create identity authentication galore at mydomain.example.com, but if Google isn't willing to trust mydomain.example.com, then it's not very useful as a unified login authenticator.
