Shh.. Don't let Fox news know that there's only one letter difference..
I know, let's have an article with an animated burning US flag. It's funny. Oh wait.. that'll be censored by Pro US groups. Tell you what I'll put the 9/11 video to music and put that on there. That's funny too.
Get real. Life is a compromise - what's easier.. grossly offending about 22% of the world's population or taking down a couple of pictures? Censorship exists *everywhere* and there's no point in getting pissy when it happens to not agree with your worldview.
Wasn't just me then. I read comment #7 and wondered if the one he was on about had been deleted because it looked OK to me..
Can't see google doing it - they have their own system across all the sites that they own. Wasn't too happy with that either (my google account isn't my blogger account FFS!) but had to live with it.
Explain why it's 'none' of that.
Sure, nobody with intelligence higher than a rabbit would implement it on something secure like a VPN, and banks have much better systems in place already.. but he was only giving examples. The amount of damage someone could do just posting on websites or blogs under your name is huge.. career ending, even.
The old MS Passport and OpenID are basically the same but instead of having one humungous database controlled by Microsoft, you have dozens of humungous databases controlled by Yahoo, AOL, Verisign, etc.
It has the same issues - each one is a point of failure that means if compromised your online identity is at risk. We do it with credit card transactions right now.. because banks have a vested interest in making sure transactions are secure - loss of confidence in online transactions would cost them millions.
To even redirect to online payment systems you have to go through some pretty rigorous security checks... Not so with openID, which anyone with a linux box and 5 minutes can start trying to ping the databases for likely IDs and passwords (you can bet that all of these databases are going to have near constant dictionary attacks against them - I see nothing in their proposal that isn't easily scriptable). This was previously unfeasible due to the sheer number of websites and accounts out there. If this takes off it'll be hacker target #1.
Trusted providers probably WILL charge for the service. The OpenID scheme considers that a good thing.
Now I have to pay someone? It's looking like the verisign monopoly all over again.. Pay them $500 a year and if you can't pay them next year lose your identity, just like the way SSL works at the moment.
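The comment above expects every provider to sit under near-constant scripted guessing. What a provider's operations team would actually want is the detection side of that: a pass over the authentication log that separates a user who mistyped a password from a source that is cycling through a dictionary against one ID, or spraying one guess across many IDs. The script below is an added example, not from the thread and not any provider's code; its log format and the log lines it builds are constructed for the example, and the thresholds are assumptions to tune against real traffic.

```python
"""Added example (not from the original thread): flag dictionary and
password-spraying attempts against a single sign-on endpoint by counting
failed logins per source address inside a sliding time window.

The log format, the sample lines and the thresholds are constructed for
this example; point LINE_RE at the provider's real access-log format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> <src-ip> <OK|FAIL> user=<id>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+)$"
)


def parse(lines):
    """Yield (timestamp, source, result, user) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["src"],
                   m["result"], m["user"])


def detect(lines, window=timedelta(minutes=5),
           fail_threshold=10, user_threshold=5):
    """Return {src: (kind, failures_in_window, distinct_users)} for every
    source that reaches fail_threshold failures inside `window`.

    kind is "spray" when the failures are spread over at least
    user_threshold distinct IDs (one guess per account), otherwise
    "dictionary" (many guesses against few accounts)."""
    recent = defaultdict(deque)   # src -> deque of (ts, user) recent failures
    verdicts = {}
    for ts, src, result, user in parse(lines):
        if result != "FAIL":
            continue              # successes never count against a source
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()           # forget failures that fell out of the window
        if len(q) >= fail_threshold:
            users = {u for _, u in q}
            kind = "spray" if len(users) >= user_threshold else "dictionary"
            verdicts[src] = (kind, len(q), len(users))
    return verdicts


def constructed_log():
    """Build the sample log inline (constructed data, not a real capture)."""
    t0 = datetime(2008, 1, 18, 10, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = []
    # 203.0.113.7 tries one guess against each of 12 different IDs: spraying
    for i in range(12):
        lines.append(f"{stamp(i)} 203.0.113.7 FAIL user=user{i:02d}")
    # 198.51.100.9 hammers a single ID with 11 guesses: dictionary attack
    for i in range(11):
        lines.append(f"{stamp(30 + i)} 198.51.100.9 FAIL user=carol")
    # 192.0.2.5 is a real user who mistyped once and then got in
    lines.append(f"{stamp(60)} 192.0.2.5 FAIL user=dave")
    lines.append(f"{stamp(70)} 192.0.2.5 OK user=dave")
    return lines


if __name__ == "__main__":
    for src, (kind, fails, users) in detect(constructed_log()).items():
        print(f"{src}: {kind} ({fails} failures, {users} distinct IDs)")
```

Running it prints the two attacking sources and stays silent about 192.0.2.5. The window matters more than the raw count: a slow spray that stays under the threshold per window is exactly what a patient attacker will try, so the same counter is usually also kept per target user and per /24.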
OpenID has no issues with this???
There is; even if Yahoo keep it to themselves, they need to put it in that system.
As far as putting my yahoo details into a *different* site. Not gonna happen. A site either has its own unique logon or I close the browser.
"as long as you don't fall for a phishing attempt"
That's a big if. People fall for them every day.. now you're saying that they should be encouraged to have the same password for multiple sites *and* expect any site they access to redirect somewhere else to enter your details, that looks a bit like the yahoo/aol page.
If they're using the same account all the claimed security just vanished - anyone who has my yahoo username and password (phishing attack, keylogger, whatever) also has my openid account. Yahoo ain't that secure.. it shouldn't need to be, it's not a bank.
If they're using different accounts they just doubled the complexity of their authentication systems simply for the coolness factor (plus the claim that yahoo accounts are openid accounts is bogus).
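The objection in the post above is that a federated login trains users to accept being bounced to "something that looks like the Yahoo/AOL page". The one thing the site doing the bouncing can control is where it bounces to: it should refuse to send anyone to a login endpoint that is not on its own list of agreed providers, and that check has to be made on the parsed hostname rather than on a substring of the URL. The block below is an added example, not from the thread and not any OpenID library's code; the provider hostnames under the `.example` domain and the redirect URLs are constructed for it.

```python
"""Added example (not from the original thread): validate a "log in at your
provider" redirect target against an allowlist, showing why a substring
match is not a check at all.

TRUSTED_PROVIDER_HOSTS and the URLs in CONSTRUCTED_REDIRECTS are made up for
this example; a real relying party loads its provider list from config."""
from urllib.parse import urlsplit

# Constructed allowlist of provider login hosts this site agrees to use.
TRUSTED_PROVIDER_HOSTS = {"login.provider.example", "openid.other.example"}


def naive_is_trusted(url: str) -> bool:
    """The substring test a hurried developer writes. Kept only to show
    how it fails; do not use."""
    return any(host in url for host in TRUSTED_PROVIDER_HOSTS)


def is_trusted_provider_url(url: str) -> bool:
    """Strict check: https, exact hostname match, no userinfo, default port."""
    try:
        parts = urlsplit(url)
        port = parts.port                 # raises ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False                      # credentials must not travel in clear
    host = parts.hostname                 # already lower-cased, port stripped
    if host is None or host not in TRUSTED_PROVIDER_HOSTS:
        return False
    if parts.username is not None or parts.password is not None:
        return False                      # https://trusted.host@evil.example/
    return port in (None, 443)


# Constructed redirect targets, from the honest one to the usual look-alikes.
CONSTRUCTED_REDIRECTS = [
    "https://login.provider.example/openid/auth?rp=site.example",
    "https://LOGIN.Provider.EXAMPLE/openid/auth",          # case only
    "http://login.provider.example/openid/auth",           # plaintext
    "https://login.provider.example.evil.example/auth",    # subdomain trick
    "https://evil.example/login.provider.example/",        # host in the path
    "https://login.provider.example@evil.example/",        # userinfo trick
    "https://login.provider.example:8443/auth",            # odd port
]


def compare_checks(urls=CONSTRUCTED_REDIRECTS):
    """Return {url: (naive_verdict, strict_verdict)} for the sample targets."""
    return {u: (naive_is_trusted(u), is_trusted_provider_url(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, strict) in compare_checks().items():
        print(f"naive={naive!s:5} strict={strict!s:5}  {url}")
```

Every look-alike in the list passes the substring test and fails the strict one; the only URL the substring test rejects is the legitimate one with unusual letter case. The check does nothing about a user who types their provider password into a page they reached some other way, which is the thread's real complaint, but it does stop the relying party itself from being the thing that sends them there.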
Presumably all AOL websites already accept AOL IDs. Now they accept AOL OpenID IDs instead. Big whoop.
But that *is* the point.
One identity across the internet is the goal.
It's an impossible goal because nobody wants to share their user information with anyone else. That information is worth money, not to mention the privacy (and, in some countries, legal) implications.
Therefore openid just becomes a different way for Yahoo to store its usernames, and a different way for AOL to store its usernames. That may have value in itself.. but it isn't the holy grail some at slashdot seem to think it is, and it won't affect end users *at all*.
OpenID would work in a world where everyone was happy with openly sharing this information. That world does not exist.
A lot of people do that anyway for low priority accounts.. so you don't really gain.
There's no way my bank, cc, etc. details would be on openID - I trust my bank and my bank alone with those details.
There's me thinking I'd be able to get a cheap security key to play with:
"The Security Key is currently not available. Please try again later."
Not inspiring if your source of login goes down randomly...
Oh god I hope not. I'm kinda worried that yahoo have - without my permission - put my username and password for them in the openid database. If slashdot did it.. I hope we'd get a proper opt-out.
If you're going to do that WTF is the point of openid?
Either yahoo are using openid as claimed above, or they're not.
You aren't trying to suggest they're actively maintaining two different username/password databases for the same system? That's beyond insane.
Thank you for making precisely my point.
Both AOL and Yahoo *already* have perfectly functional login systems.
OpenID promises single signon, but can't deliver it because everyone wants their own walled garden - Yahoo and AOL don't want to share users. So their alleged use of openID is completely, utterly and totally pointless. They've gained nothing, the end users have gained nothing.. but it makes for neat headlines.
Any security system that can't handle someone looking at the code only has the illusion of security and should be junked - ssh has had people looking at it for years and is still considered secure. So has kerberos.. so much so that Microsoft used it as the base for active directory.
You do know that pretty much every proprietary package out there goes out with a license that says the producer has *no* liability if it fails? The 'who to blame' argument is utterly bogus. You want things fixed, and fixed fast, not messing about trying to point fingers.
I logged into yahoo just now to check. No security image. That site is extremely fakeable.
And what about the yahoo IM clients? A rogue one of those could steal your password easily.
One centralised password is a *bad* *bad* idea.
So anyone with a yahoo ID can log into AOL?
Doubt it.
Exactly... Expect 'cheap' accounts to be allocated within a 10.x.x.x net long before an ISP thinks of implementing ipv6. They'll probably pitch it as a security feature ('let us control the firewall for you! Surf in safety! Only $10/month!').
If a user wants a public IP. That's more cost. If they want a *fixed* IP.. go talk to the business services manager over there.
If they do implement ipv6 it'll be done the same way. 1 ipv6 address per account (ipv6 NAT exists and has done for a while). If you want 8 of them that's more cost. If you want more than 256.. see that guy in a suit waving? Go hand him your chequebook.
And before anyone says 'but but we'll all get 16 million addresses!'.. yeah, over the rotting corpses of every major ISP in the world.
We've been hearing this 'addresses will run out by year x' for 20 years, and the predicted date has been wrong every single time. It's very hard to get enthusiastic about something that seems to be run by Chicken Little... Sure they'll run out eventually, and there's a network there to deal with it when it happens.. until then... zzzzzzz
If google, microsoft, redhat, CNN and the BBC (insert favourite site here) all go ipv6 (and by that I mean google starts indexing it too), that will be the year of ipv6. No way in hell it's going to happen before that.. I know of exactly zero useful ipv6 websites - I'm connected here but it's never been used.
Without any websites to actually *visit* on ipv6 ordinary users aren't going to go through the hassle, so ISPs see no demand and won't implement it (even though it would be a nice revenue stream for them - $10/month for 256 ipv6 addresses for example (and I really can't see them giving any more, seriously.. It's more likely to be 8 or 16 to separate the 'home' ($10/mo) users from the 'business' ($50/mo) users who get 256)).
Of course without any home routers that support it it's all moot anyway (hacked Linksys routers don't count).
If you want more than one some already do..
Mine gave me 16 for free, but it's a rare case of an actually good ISP.
I just provided a new exit() function and changed the library search path to find my library first. Your machine is pwned.