I guess it depends on how you define "intelligence". Chess is a very closed system that can be defined very precisely by rules - a great application for a powerful computer that can simply go down all the game paths (possibly using some predefined heuristics) and find the best solutions. Also, remember that the latest chess supercomputers have been "trained" with the best games from the past (human) grandmasters. So I don't really see a computer playing chess as being intelligent, unless you define different kinds of intelligences, such as analytical, emotional, and so on. Deep Blue has no clue about birds or poetry or crossing the street. Yes, there are different kinds of intelligence amongst people - some are better at math, some better at art, and so on... I guess I just think that there is some indefinable quality to humans that cannot easily be captured by the kind of logic that we use currently. Human brains are not logical circuits, they are a product of genetics over millennia, training from birth, and perhaps (who knows) other, more "spiritual" influences. I am not religious, but I have seen evidence that there is more to people than just the chemical soup that constitutes the brain. Of course, evidence is in the eye of the beholder! The stuff that Edgar Cayce did back in the 1940's was pretty amazing, and as far as I know he has never been debunked as an outright charlatan. I'm not claiming he is for real or otherwise, but simply making the point that there are things that we can't explain about the way we work, that seem to go beyond the standard everyday perception of consciousness and mind.
All conjecture, of course. But I still maintain that having computers allocate meaning to world knowledge is a step beyond what they are actually good at. AI researchers were constantly constructing "blocks world" AI and then proclaiming that "real world" extensions to their research was just a few years away. Here we are, a few years down the road, and somehow the AI still isn't here... we knew this was hard back in the 1980's when I was at university, and it doesn't appear to have gotten any easier since.
Computers will get faster and more powerful, so that they may appear to give the illusion of intelligence in some limited situations. The chess computer is a good example. But what does it mean to program in past games from grandmasters and have the computer simply use that in order to spot patterns and pick good heuristics? Is that intelligence? I posit that it is very different from the kind of processes that go on in the human mind. But again, that's just my opinion...
It seems to be a common mistake for computer scientists to think that it's possible to make systems that "understand" the world (both real and abstract knowledge), with all its complexity and ambiguity, in the same way that humans do. I feel that there is a fundamental difference between using computers to enable humans to organize stuff, and having computers automatically do it. Every single attempt at getting computers to be "smart" about inferring human intentions has ended up as an irritating impediment to using the system - look at Clippy, Bob, "intelligent" voice systems that try to "help" you by stopping you from talking to a real person... what computers are very, very good at is amplifying and enabling human intelligence. Computers are not themselves intelligent, and (my personal opinion) I don't think they ever will be - unless we manage to "grow" them using processes that we probably won't fully understand. You can't construct something that is as complex as the human mind through deterministic (i.e. consciously designed architectural) means - all you'll end up with, at best, is a very complex rule inference engine that is limited by the rules you gave it. Every "holy grail" of intelligent programming that has come along - neural nets, genetic programming etc - has turned out to be very limited (though very useful in special situations).
I also feel that talking about automatically organizing the world's knowledge in a semantic web is just more of the same hot air that we've been hearing from AI departments for the last few decades. You can't automatically allocate meaning to something unless you have the capability for "common sense" reasoning, and the world knowledge at your fingertips to be able to interpret the data intelligently, like a human would. And even then, different humans would interpret it differently... so there are multiple meanings, and anyway, how to allocate "meaning" to something abstract such as a poem or piece of art?
And if we require real people to add metadata to everything... well, it just ain't going to happen, in my humble opinion. Adding meta data is a pain in the ass, since you have to define the categories of object, agree on meanings for all the different taxonomies that will have to be used to describe the world... then there's the potential for abuse, as spammers will inevitably seed their documents with inappropriate metadata. So, the "honest" people can't be bothered, and the dishonest people will wreck anything that does get built. So, it ain't gonna happen.
The beauty of Google (not that I love Google, but they did hit a nail on the head) is that it requires no effort or "machine intelligence", beyond a very simple algorithm that depends not on AI but rather real, tangible relationships between words and documents (proximity and links). This is something that computers can be really good at.
Just my opinion... obviously there will be others out there who will vehemently disagree, and that's fine! Go ahead and try, you'll learn a lot in the process and you will probably come out with some tangential technology that you never thought of initially but is useful nonetheless.
The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead? The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.
I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
... then we'd have fifteen different interfaces that all do pretty much the same thing, but they would each have their quirks and none of them would do it quite right. The software would take five years to develop from scratch, and at the end of it we would have a huge virtual machine-based system that executes XVL (Extensible Voting Language), which is horribly complex and slow, but allows for very fancy voting platforms, in theory. But as a result, the old voting hardware will be too slow and limited to run it, so we'd need all new machines based on the latest processors. We'd also have to wait a while for all the drivers to become available, and the Debian Voting Project wouldn't release the code until it ran properly on *every* platform, including PDP11 and ZX81. Meanwhile the FireVulture project will aim to develop a super-lightweight version of the codebase that will be fast and sleek, but it will run into problems due to schisms in the team, caused by differences of opinion about whether the code should be LGPL, GPL or BSD license.
The eventual system will work very well and be extremely stable, but by the time it is in widespread use the developers will have started on Version 2.0, which is a total rewrite from the ground up (they now feel they understand the problem much better, and can see that the original API needs to be redesigned). So Version 2.0 is totally incompatible with Version 1.0, and much confusion ensues as States try to decide which "standard" to go with.
Meanwhile, Microsoft comes out fast and dirty with Microsoft Vote and although it doesn't work too well at first (version 1.0 has a glitch where everyone whose first name begins with "L" is deleted), it works "well enough" and with the buckets of money that MS dumps on the States for new MS-compatible hardware, they quickly gain dominance in the market.
The Open Source projects try to shift their focus to work with the MS hardware, chasing Microsoft's lead and running into a brick wall with the closed XML format that is encrypted and depends on hardware DRM to work.
Apple brings out the iVote, which is a small device that lets you simply plug into an Apple voting machine anywhere and vote quickly and easily. Plus, it works. And quite a few people buy it and rave about how great it is, but because only Apple is allowed to make the actual voting machines, very few of them get manufactured and as a result the iVote falls into betamax territory.
In the end, everybody uses MS Vote and complains about how closed it is, the Open Source crowd eventually gets their act together and comes out with a fantastic system that kicks butt but nobody cares any more, and that was that for the United States of America, thanks and goodnight.
XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).
I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.
And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, Why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...
BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is a very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
It seems like there is a major problem with cross-site scripting that is very hard to fix in all cases. For example, here's one related to Passport. The point is that css is hard to fix because you can't guarantee that another website that uses the same single signon system won't be vulnerable. So if there is a single signon system, then it seems to me that it's all only as secure as the most insecure website in the network.
Re:Sounds like the cure is worse than the disease on An Online ID Registry · Score: 1
How to mitigate risk and how to communicate this risk to users are obviously real issues which need to be addressed. Obviously I will have to be addressing these - it's a given that the production system will need to have top-notch security policies in place in order to be secure from hackers. You are basically stating the obvious and accusing me of not paying attention to it, which is unfair imho. Once again, I'm just starting out! Don't tell me that I'm somehow "sticking my head in the sand" because I've stuck my neck out and put forward an actual working system that is (I guess I have to state this again): A PROTOTYPE. Why is that so hard to understand? If I seem a little bit annoyed, it's because I guess I am - you are stating very valid facts in a way that makes it appear that I am somehow unaware, not caring or simply not paying attention. The point of the website is to try to come up with a system where people can store their personal information in a secure database. I'm sorry, but I do believe that this is doable, and it's very possible to mitigate the risks. I started by trying to construct a mechanism where people could pass tickets to one another within the closed system. I anticipate many changes as (or if) it develops into a "real" system.
Listen, I take your points. Your original complaint about my not being clear about the lack of SSL on the site was valid, and I addressed that. But since then you're basically harping on the fact that "it's risky" and "I'm not being clear enough to the users just how risky it is". Well, of course it's risky - but I thought I made it pretty damn clear that it's a *demo system*, and things will change between here and the finished product. That means it's not the finished product. In the spirit of Open Source (which this might be at some point, I don't know yet), I am trying to "get it out there" for comment. Specific criticisms about the architecture are perfectly valid and welcome - for example, I am currently seriously reconsidering the whole process of how to verify someone using documentation. I don't really like anything that I've seen so far - the Notary Public system seems to be somewhat broken in terms of trust (since it's apparently very easy to become a NP, it differs from county to county and state to state, some states don't even require a stamp or other embossing, and some states don't even allow a NP to verify government documents). I have been thinking that it would be great to have people's documents verified "on the spot" by some trusted member of the community, such as a police officer, without having to send paper through the mail. However someone else has told me that this won't work, for various reasons. But to me, the biggest problem here is not so much technical but people in the real world. How to make a secure server and secure database is something that is fairly well understood and very doable. Saying it's risky is stating the obvious. Saying I'm ignoring the problem because it's not finished yet is unfair. The more interesting problem is how to do the original verification in as trustworthy a way as possible.
As to your last question, "How to convince users to use my system", that is a marketing question and really comes down to what resources I will be able to bring to bear on the problem. Obviously if this remains a one-man show without any external funding, then it may remain a small thing that is something of a curiosity but never really gets anywhere. However if I can construct it in a way that is useful to businesses (e.g. keeping track of employees' addresses, with the full consent of the employee of course, since each user has full control over who sees their data), then I might be able to get more done. I just don't know yet. Perhaps, as I said in the White Paper, the whole thing will turn out to be just an interesting exercise in finding out why remote verification of identity is just a Hard Thing To Do.
I appreciate your comments, if you have any specific ideas for making the thing work or be more usable then d
Re:Sounds like the cure is worse than the disease on An Online ID Registry · Score: 1
You have some valid arguments about keystroke loggers, but this same argument could also be made for anyone doing banking online. Why do that at all if everything is as hopeless as you seem to think? It's true that any computer can be compromised, but what I am trying to do here is develop a secure database. That is possible, within the realms of current technology. It's possible to run secure servers, banks do it, and it's possible to fend off most attacks, if you have the correct IT staff who keep software patched and implement multi-level security. This is very doable.
If you take your arguments to their logical conclusion, then we shouldn't try to do anything secure over the internet at all, because of what can happen. But I feel that the potential benefits of having a secure repository for personal IDs would actually improve the security of the internet in general, by enabling people to have a bit more confidence that the person they are dealing with online really is who they say they are, while also enabling users to take control of their own information and control who gets to see it. How we do all this is still a work in progress - the White Paper is not the final word on the subject, it's a first shot.
I know that when you suggest something new, a lot of people will always pop up telling you why it can't or shouldn't be done. But if you have conviction that the goal is worthwhile, then you just have to push on and ignore all the naysayers. I think that the security risks can be minimized, and I'll try to fix problems as they arise. You have to start somewhere, and that is what this first stab at the problem is - a start. Otherwise nothing would ever get done.
I've had quite a few interesting replies via email, which suggest some very promising ways to make this into a real business that could make real money. I'll have to digest it all, but I will probably put updates on the site when it all shakes out.
Thanks, this is exactly the kind of feedback that I need. So you're basically saying that the Notary Public system is flawed in that it won't be possible to either validate copies of certain documents, or even trust any validation that does occur? Well, I guess the Notary Public system must be useful for *something*, otherwise it wouldn't exist, right? At a bare minimum, for instance, a NP can be a witness that a document was signed by a certain person, and you can make sure that the person identified themselves with photo ID. I think that is a bare minimum for what a NP can do... so, what if the document that is being signed has the person's name, address, dob etc on it, and you are simply confirming that the ID they present matches with the paper they are signing? Would that constitute something a NP is allowed to do?
Also, I assume it's possible to check up on a NP via some kind of registration of the fact that they are a NP. But if it's as easy as you say to become a NP in some parts, then are you (or anybody else) aware of other people who can act in a trusted proxy capacity? How about other "respected" members of the community? This is a problem, it seems, but I'm open to ideas...
-Neil
Re:Sounds like the cure is worse than the disease on An Online ID Registry · Score: 1
Again, this is a demo site. Take it easy, it's not intended to be a production-quality service. I'm sorry if I made a mistake but I assure you it was not intentional. All I can say is that I'm not perfect, and this was definitely something that should have been made more clear, I admit.
Anyway, I have added a warning to the Registration page regarding the fact that the server is not running SSL and all communications are insecure etc.
It's just an initial stab at the problem, you have to start somewhere. Then you go from there, and solve these problems as you go along. I assume there must be ways to verify people in other countries, but you have to start small...
-Neil
Re:Sounds like the cure is worse than the disease on An Online ID Registry · Score: 1
Sorry, perhaps I should have made the current non-SSL status of the website more clear. It's a fair point. I thought I had done this somewhere in the registration, but I will go and make sure it is more prominently displayed.
Please remember that this is a prototype, I think *that* is fairly clear, and the Terms and Conditions do let you know that it's a demo.
I'm open to ideas. There must be some kind of existing way to confirm that someone is a NP, I'll do some research to find out how it works. If anyone is a NP then feel free to get in touch and enlighten me...
I'm not sure what you're getting at. It's certainly not illegal to encrypt data, and all I've done is build a system where people can encrypt their own data so that other people can't read it. Any secure email system does pretty much the same thing. Also, if you pass a ticket to another user, then that data is encrypted using the other user's public key, so it's still secure. I guess you could say that any secure system that uses encryption could be used by terrorists, but then we'd just have to ban encryption altogether, which is far worse, in my view.
There is a price to living in an open society, which is that you have to give people the ability to protect their own data if they want to.
Thing is, the server's doing just fine, the document loads up immediately, so it doesn't seem to be an issue here. It's real easy to get to the actual website and the White Paper itself. I was just trying to explain in advance, since I really wasn't sure what would happen. Surprisingly, the server is still very responsive, which is great!
What's to stop someone from a large company using different extensions each time (probably during off-hours). Many companies with large internal phone networks have direct dial to individual desks.
Hi, I'm the developer of the Online ID Registry prototype. I wanted to clarify some points:
a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.
b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.
c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.
Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?
Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.
The data is encrypted using a password that only you know. The hackers would have to individually break Blowfish encryption on every single user record. If Blowfish is no good then I'll use something else, but the point is that even if the database was totally stolen, it's still no use to the hackers.
As for trust, why do you start trusting anybody? I have to start somewhere. I don't claim to be starting up this thing from my basement and expecting everybody to just send me their life data. This is a prototype, a first attempt to come up with something that I think would be useful to have as a secure place to store your personal information, and a secure way to pass same on to other people. Obviously if it went into production then there would have to be a "real" company or organization, which is precisely the questions I ask at the end of the White Paper. I'm not looking for people's trust at this point, just some feedback on the concept. I really wish more people would actually read the article before assuming that this thing is just another MS Passport.
Does anybody around here actually RTFA??? What you are saying is totally off-track as to what the website is actually about. Please read the White Paper before springing to conclusions like this.
a) It's not Passport, it's not a distributed login system at all
b) The "confirmed data" aspect is covered in some detail
Did you look around at all? There's a Privacy Policy which is under the Help section. It's even linked to directly from the front page. And yes, it states pretty much that your information will never be shared with anyone, for any reason, without your consent (or unless required by law, which I guess anyone has to be held to).
Sure, you can register multiple times, as many as you like in fact. But in order to be verified in the system, you have to send some kind of documentation. Initially what I've thought of is notarized copies of common documents such as passport, drivers license, utility bills and so on, but that's just a first pass. So you would need to forge all those in order to get multiple verified IDs. Anyway, I talk about this in the Fraud section of the white paper. It's all a matter of risk management and appropriate use.
I try to avoid the Big Brother aspect through encrypting user data using a password that only you know. I can't see what you put in the database, unless you want to confirm your identity using paper documentation (which is your choice, and after all is the entire point of the site). Other people can't see your data. The website doesn't act like MS Passport, it's not being used to track anybody or be a distributed login system.
In my experience, MySQL works very well. I am fully aware of all the "gotchas" out there, and the reasons why MySQL is such a toy, shouldn't be used for anything ever, etc, but to be honest there are a couple of things putting me off trying PostgreSQL:
First, I honestly am repelled by the fanboys who immediately pop up like clockwork whenever MySQL is mentioned and say that it is a piece of crap, and PostgreSQL rocks. MySQL is not crap. Perhaps PostgreSQL does rock, but all the obnoxious "advocates" for PostgreSQL just remind me of so many religious fanatics. It's at the point where I don't even care if they have a point or not, it's just too shrill and monotonous. Whenever MySQL gets mentioned, I can GUARANTEE that someone will pop up screaming about how crap it is and why isn't everyone using PostgreSQL instead. I have been using MySQL for about four years now, and so I know from personal experience how well it works. There are probably some things that PostgreSQL does better, perhaps many things, I don't know. I just know that there are many things that MySQL does perfectly adequately or even extremely well, for me, and no amount of "sorry but you're simply wrong" can dissuade me from this opinion, since I am speaking from personal experience over a period of years. Also, there are many companies using MySQL in a major way, if it was so crap then why/how would this be. Never mind, I suppose all those companies are just totally clueless. I suppose now people will also put me down for not being a "real" DBA or something. Whatever.
Secondly, MySQL is simple. When I first tried using it, the thing "just worked". Everything is there in the package. Whenever I tried looking at PostgreSQL (not recently, see above) it always seemed much more complicated and not as friendly. Well, I have something that has been working very, very well for me for a long while now, so why put myself through all that hassle? Whether it actually is or not, PostgreSQL *seemed* harder and more complicated. The documentation seemed more geared toward people who are willing to really dig into this stuff in a big way and learn all the wrinkles for tuning your database. Whenever someone criticizes PostgreSQL for this, someone seems to reply that a database *shouldn't* be used by someone "out of the box", without thinking much about all the tuning and suchlike. This is a very elitist viewpoint, imho, there are many people out there who simply want a database that "just works". It's worth noting a simple truth, that Simplicity Rules. It doesn't matter how technically brilliant your tool is, if it appears to be complex then people will probably use the simpler competitor instead, even if it isn't as technically brilliant as your baby.
So, here's my point: If the PostgreSQL crowd could be a little bit less aggressive in their hostility toward MySQL, and focus instead on making the toolkit as easy to use and accessible as MySQL, then perhaps they would win over more people and become more popular.
Just my opinion.
I guess it depends on how you define "intelligence". Chess is a very closed system that can be defined very precisely by rules - a great application for a powerful computer that can simply go down all the game paths (possibly using some predefined heuristics) and find the best solutions. Also, remember that the latest chess supercomputers have been "trained" with the best games from the past (human) grandmasters. So I don't really see a computer playing chess as being intelligent, unless you define different kinds of intelligences, such as analytical, emotional, and so on. Deep Blue has no clue about birds or poetry or crossing the street. Yes, there are different kinds of intelligence amongst people - some are better at math, some better at art, and so on... I guess I just think that there is some indefinable quality to humans that cannot easily be captured by the kind of logic that we use currently. Human brains are not logical circuits, they are a product of genetics over millennia, training from birth, and perhaps (who knows) other, more "spiritual" influences. I am not religious, but I have seen evidence that there is more to people than just the chemical soup that constitutes the brain. Of course, evidence is in the eye of the beholder! The stuff that Edgar Cayce did back in the 1940's was pretty amazing, and as far as I know he has never been debunked as an outright charlatan. I'm not claiming he is for real or otherwise, but simply making the point that there are things that we can't explain about the way we work, that seem to go beyond the standard everyday perception of consciousness and mind.
All conjecture, of course. But I still maintain that having computers allocate meaning to world knowledge is a step beyond what they are actually good at. AI researchers were constantly constructing "blocks world" AI and then proclaiming that "real world" extensions to their research was just a few years away. Here we are, a few years down the road, and somehow the AI still isn't here... we knew this was hard back in the 1980's when I was at university, and it doesn't appear to have gotten any easier since.
Computers will get faster and more powerful, so that they may appear to give the illusion of intelligence in some limited situations. The chess computer is a good example. But what does it mean to program in past games from grandmasters and have the computer simply use that in order to spot patterns and pick good heuristics? Is that intelligence? I posit that it is very different from the kind of processes that go on in the human mind. But again, that's just my opinion...
It seems to be a common mistake for computer scientists to think that it's possible to make systems that "understand" the world (both real and abstract knowledge), with all its complexity and ambiguity, in the same way that humans do. I feel that there is a fundamental difference between using computers to enable humans to organize stuff, and having computers automatically do it. Every single attempt at getting computers to be "smart" about inferring human intentions has ended up as an irritating impediment to using the system - look at Clippy, Bob, "intelligent" voice systems that try to "help" you by stopping you from talking to a real person... what computers are very, very good at is amplifying and enabling human intelligence. Computers are not themselves intelligent, and (my personal opinion) I don't think they ever will be - unless we manage to "grow" them using processes that we probably won't fully understand. You can't construct something that is as complex as the human mind through deterministic (i.e. consciously designed architectural) means - all you'll end up with, at best, is a very complex rule inference engine that is limited by the rules you gave it. Every "holy grail" of intelligent programming that has come along - neural nets, genetic programming etc - has turned out to be very limited (though very useful in special situations).
I also feel that talking about automatically organizing the world's knowledge in a semantic web is just more of the same hot air that we've been hearing from AI departments for the last few decades. You can't automatically allocate meaning to something unless you have the capability for "common sense" reasoning, and the world knowledge at your fingertips to be able to interpret the data intelligently, like a human would. And even then, different humans would interpret it differently... so there are multiple meanings, and anyway, how to allocate "meaning" to something abstract such as a poem or piece of art?
And if we require real people to add metadata to everything... well, it just ain't going to happen, in my humble opinion. Adding meta data is a pain in the ass, since you have to define the categories of object, agree on meanings for all the different taxonomies that will have to be used to describe the world... then there's the potential for abuse, as spammers will inevitably seed their documents with inappropriate metadata. So, the "honest" people can't be bothered, and the dishonest people will wreck anything that does get built. So, it ain't gonna happen.
The beauty of Google (not that I love Google, but they did hit a nail on the head) is that it requires no effort or "machine intelligence", beyond a very simple algorithm that depends not on AI but rather real, tangible relationships between words and documents (proximity and links). This is something that computers can be really good at.
Just my opinion... obviously there will be others out there who will vehemently disagree, and that's fine! Go ahead and try, you'll learn a lot in the process and you will probably come out with some tangential technology that you never thought of initially but is useful nonetheless.
The thing that strikes me here is that the ability for browsers to have convenient, automatic features (and, in the case of Firefox, UI customization capability up the wazoo) is simply another form of the same mentality that made IE into such a security nightmare. The ability for a browser to download and execute things on the client automatically is just a huge security risk, regardless of the measures that the designers think they have put in place. The Mozilla press release even has a "click here" link to automatically install the patch! Who doesn't think that this kind of thing will have endless potential for hackers to exploit in the years ahead? The bloated XUL interface engine that makes Mozilla (and Firefox) next to unusable on my old workstation (450 MHz, RH 7.3) also means that the UI can be totally changed - this, to me, is very scary. Because if something can be totally changed, then I can guarantee that eventually someone will figure out a way to totally change it without my consent.
Why not just design a browser that works on multiple platforms, using an established cross-platform GUI such as wxWidgets, rather than going away to create a browser and coming back with another new, slow, bloated, universal uber-platform swiss-army-knife UI language... yeah, I know, "Do it yourself dude", and plenty of geeks out there just love the customizability of XUL, but truthfully all I want is a fast, small browser. It just seems like everything is getting larger, slower and more bloated these days. Even Firefox, which is supposed to be sleek and fast, runs like a dog on my workstation. I don't see why I should have to upgrade my computer just for a fricking browser, when every other piece of software that I use runs just fine thanks very much.
I don't hate Mozilla, these are just my honest reactions to the whole affair over the last couple of years.
... then we'd have fifteen different interfaces that all do pretty much the same thing, but they would each have their quirks and none of them would do it quite right. The software would take five years to develop from scratch, and at the end of it we would have a huge virtual machine-based system that executes XVL (Extensible Voting Language), which is horribly complex and slow, but allows for very fancy voting platforms, in theory. But as a result, the old voting hardware will be too slow and limited to run it, so we'd need all new machines based on the latest processors. We'd also have to wait a while for all the drivers to become available, and the Debian Voting Project wouldn't release the code until it ran properly on *every* platform, including PDP11 and ZX81. Meanwhile the FireVulture project will aim to develop a super-lightweight version of the codebase that will be fast and sleek, but it will run into problems due to schisms in the team, caused by differences of opinion about whether the code should be LGPL, GPL or BSD license.
The eventual system will work very well and be extremely stable, but by the time it is in widespread use the developers will have started on Version 2.0, which is a total rewrite from the ground up (they now feel they understand the problem much better, and can see that the original API needs to be redesigned). So Version 2.0 is totally incompatible with Version 1.0, and much confusion ensues as States try to decide which "standard" to go with.
Meanwhile, Microsoft comes out fast and dirty with Microsoft Vote and although it doesn't work too well at first (version 1.0 has a glitch where everyone whose first name begins with "L" is deleted), it works "well enough" and with the buckets of money that MS dumps on the States for new MS-compatible hardware, they quickly gain dominance in the market.
The Open Source projects try to shift their focus to work with the MS hardware, chasing Microsoft's lead and running into a brick wall with the closed XML format that is encrypted and depends on hardware DRM to work.
Apple brings out the iVote, which is a small device that lets you simply plug into an Apple voting machine anywhere and vote quickly and easily. Plus, it works. And quite a few people buy it and rave about how great it is, but because only Apple is allowed to make the actual voting machines, very few of them get manufactured and as a result the iVote falls into betamax territory.
In the end, everybody uses MS Vote and complains about how closed it is, the Open Source crowd eventually gets their act together and comes out with a fantastic system that kicks butt but nobody cares any more, and that was that for the United States of America, thanks and goodnight.
XUL makes these browsers unusably slow on older machines. I have to use Netscape 4.8 (which has its own issues, but speed certainly isn't one of them - it doesn't take 5-10 seconds to open a new window) in order to get acceptable response on my old 450 MHz desktop (which is, I might add, perfectly fine using ANY other application, including Windows 2000, IE, Apache, MySQL, Word and so on).
I really think (as others have also mentioned) there is a lot of blinkered thinking when it comes to Open Source software, to the extent that people are starting to blindly ignore the flaws - these same flaws in Microsoft apps would be pilloried mercilessly, but here you see all kinds of "yeah, but" comments. I am not putting down OSS, but the XUL thing was a classic example of developers going away to make a browser, and coming back with a bloated, swiss-army-knife, can-customize-up-the-wazoo Internet Platform. I don't particularly care about changing the "skin" on my browser - all I want is a small, fast application that adheres to standards and is preferably cross platform. They could have gotten the cross-platform part by using something like wxWidgets. I thought Firefox was supposed to be smaller and faster, but unfortunately XUL still seems to be at its core. And for those who say "Well, why don't you go away and make your own browser" - I have other projects I am working on and don't have the time.
And to all those people who say that I should just get a new computer - well, tell that to all the schools out there who have old computers donated for teaching the kids. Anyway, why should I have to upgrade because of one application - a BROWSER of all things? Just a classic case of developers going over the top to prove to everybody just how smart they are and how generalized their code is. And what do you know, now we find out that there seems to be a darker side to all this customizable GUI code. Oh well...
BTW, I don't hate Mozilla. This is a criticism of one aspect of the project that I think just went severely off-track with featuritis. The project is a very worthy effort and I applaud the people who are making it, but these are just my honest thoughts on the matter.
It seems like there is a major problem with cross-site scripting that is very hard to fix in all cases. For example, here's one related to Passport. The point is that css is hard to fix because you can't guarantee that another website that uses the same single signon system won't be vulnerable. So if there is a single signon system, then it seems to me that it's all only as secure as the most insecure website in the network.
How to mitigate risk and how to communicate this risk to users are obviously real issues which need to be addressed. Obviously I will have to be addressing these - it's a given that the production system will need to have top-notch security policies in place in order to be secure from hackers. You are basically stating the obvious and accusing me of not paying attention to it, which is unfair imho. Once again, I'm just starting out! Don't tell me that I'm somehow "sticking my head in the sand" because I've stuck my neck out and put forward an actual working system that is (I guess I have to state this again): A PROTOTYPE. Why is that so hard to understand? If I seem a little bit annoyed, it's because I guess I am - you are stating very valid facts in a way that makes it appear that I am somehow unaware, not caring or simply not paying attention. The point of the website is to try to come up with a system where people can store their personal information in a secure database. I'm sorry, but I do believe that this is doable, and it's very possible to mitigate the risks. I started by trying to construct a mechanism where people could pass tickets to one another within the closed system. I anticipate many changes as (or if) it develops into a "real" system.
Listen, I take your points. Your original complaint about my not being clear about the lack of SSL on the site was valid, and I addressed that. But since then you're basically harping on the fact that "it's risky" and "I'm not being clear enough to the users just how risky it is". Well, of course it's risky - but I thought I made it pretty damn clear that it's a *demo system*, and things will change between here and the finished product. That means it's not the finished product. In the spirit of Open Source (which this might be at some point, I don't know yet), I am trying to "get it out there" for comment. Specific criticisms about the architecture are perfectly valid and welcome - for example, I am currently seriously reconsidering the whole process of how to verify someone using documentation. I don't really like anything that I've seen so far - the Notary Public system seems to be somewhat broken in terms of trust (since it's apparently very easy to become a NP, it differs from county to county and state to state, some states don't even require a stamp or other embossing, and some states don't even allow a NP to verify government documents). I have been thinking that it would be great to have people's documents verified "on the spot" by some trusted member of the community, such as a police officer, without having to send paper through the mail. However someone else has told me that this won't work, for various reasons. But to me, the biggest problem here is not so much technical but people in the real world. How to make a secure server and secure database is something that is fairly well understood and very doable. Saying it's risky is stating the obvious. Saying I'm ignoring the problem because it's not finished yet is unfair. The more interesting problem is how to do the original verification in as trustworthy a way as possible.
As to your last question, "How to convince users to use my system", that is a marketing question and really comes down to what resources I will be able to bring to bear on the problem. Obviously if this remains a one-man show without any external funding, then it may remain a small thing that is something of a curiosity but never really gets anywhere. However if I can construct it in a way that is useful to businesses (e.g. keeping track of employees' addresses, with the full consent of the employee of course, since each user has full control over who sees their data), then I might be able to get more done. I just don't know yet. Perhaps, as I said in the White Paper, the whole thing will turn out to be just an interesting exercise in finding out why remote verification of identity is just a Hard Thing To Do.
I appreciate your comments, if you have any specific ideas for making the thing work or be more usable then d
You have some valid arguments about keystroke loggers, but this same argument could also be made for anyone doing banking online. Why do that at all if everything is as hopeless as you seem to think? It's true that any computer can be compromised, but what I am trying to do here is develop a secure database. That is possible, within the realms of current technology. It's possible to run secure servers, banks do it, and it's possible to fend off most attacks, if you have the correct IT staff who keep software patched and implement multi-level security. This is very doable.
If you take your arguments to their logical conclusion, then we shouldn't try to do anything secure over the internet at all, because of what can happen. But I feel that the potential benefits of having a secure repository for personal IDs would actually improve the security of the internet in general, by enabling people to have a bit more confidence that the person they are dealing with online really is who they say they are, while also enabling users to take control of their own information and control who gets to see it. How we do all this is still a work in progress - the White Paper is not the final word on the subject, it's a first shot.
I know that when you suggest something new, a lot of people will always pop up telling you why it can't or shouldn't be done. But if you have conviction that the goal is worthwhile, then you just have to push on and ignore all the naysayers. I think that the security risks can be minimized, and I'll try to fix problems as they arise. You have to start somewhere, and that is what this first stab at the problem is - a start. Otherwise nothing would ever get done.
I've had quite a few interesting replies via email, which suggest some very promising ways to make this into a real business that could make real money. I'll have to digest it all, but I will probably put updates on the site when it all shakes out.
-Neil
Thanks, this is exactly the kind of feedback that I need. So you're basically saying that the Notary Public system is flawed in that it won't be possible to either validate copies of certain documents, or even trust any validation that does occur? Well, I guess the Notary Public system must be useful for *something*, otherwise it wouldn't exist, right? At a bare minimum, for instance, a NP can be a witness that a document was signed by a certain person, and you can make sure that the person identified themselves with photo ID. I think that is a bare minimum for what a NP can do... so, what if the document that is being signed has the person's name, address, dob etc on it, and you are simply confirming that the ID they present matches with the paper they are signing? Would that constitute something a NP is allowed to do?
Also, I assume it's possible to check up on a NP via some kind of registration of the fact that they are a NP. But if it's as easy as you say to become a NP in some parts, then are you (or anybody else) aware of other people who can act in a trusted proxy capacity? How about other "respected" members of the community? This is a problem, it seems, but I'm open to ideas...
-Neil
Again, this is a demo site. Take it easy, it's not intended to be a production-quality service. I'm sorry if I made a mistake but I assure you it was not intentional. All I can say is that I'm not perfect, and this was definitely something that should have been made more clear, I admit.
Anyway, I have added a warning to the Registration page regarding the fact that the server is not running SSL and all communications are insecure etc.
-Neil
It's just an initial stab at the problem, you have to start somewhere. Then you go from there, and solve these problems as you go along. I assume there must be ways to verify people in other countries, but you have to start small...
-Neil
Sorry, perhaps I should have made the current non-SSL status of the website more clear. It's a fair point. I thought I had done this somewhere in the registration, but I will go and make sure it is more prominently displayed.
Please remember that this is a prototype, I think *that* is fairly clear, and the Terms and Conditions do let you know that it's a demo.
-Neil
I'm open to ideas. There must be some kind of existing way to confirm that someone is a NP, I'll do some research to find out how it works. If anyone is a NP then feel free to get in touch and enlighten me...
TIA
-Neil
I'm not sure what you're getting at. It's certainly not illegal to encrypt data, and all I've done is build a system where people can encrypt their own data so that other people can't read it. Any secure email system does pretty much the same thing. Also, if you pass a ticket to another user, then that data is encrypted using the other user's public key, so it's still secure. I guess you could say that any secure system that uses encryption could be used by terrorists, but then we'd just have to ban encryption altogether, which is far worse, in my view.
There is a price to living in an open society, which is that you have to give people the ability to protect their own data if they want to.
-Neil
Fair point, sorry if I sounded annoyed... ;-)
Thing is, the server's doing just fine, the document loads up immediately, so it doesn't seem to be an issue here. It's real easy to get to the actual website and the White Paper itself. I was just trying to explain in advance, since I really wasn't sure what would happen. Surprisingly, the server is still very responsive, which is great!
-Neil
What's to stop someone from a large company using different extensions each time (probably during off-hours)? Many companies with large internal phone networks have direct dial to individual desks.
-Neil
Hi, I'm the developer of the Online ID Registry prototype. I wanted to clarify some points:
a) The Online ID Registry concept has nothing to do with MS Passport or Liberty Alliance. It is not a distributed login system, it is simply a way of confirming your identity. The website is not used in any sort of tracking or third-party login architecture.
b) All of your information is encrypted, using a password that only you know. Therefore even if the entire thing was stolen, it wouldn't be any use to anybody, at least unless they can break Blowfish on each and every record.
c) I haven't asked anybody to trust me personally at present, the whole idea of this article was to get feedback on the concepts and mechanisms, and to try to work out how this thing might be done in a "non-evil" manner. You have to start somewhere! We're just talking about how this might work. Please read the White Paper before diving in with comments about "Why should we trust Neil" etc.
Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems. How about if we had the Notary Public simply confirm that various pieces of (original) documentation (passport, bills etc) matched up with the information on the printed confirmation form, and the Notary Public then checks off what was provided, notarizes the form and seals & sends it off *themselves* (obviously you can't have the end-user doing that). Or, perhaps we could have the Notary Public authenticate the documentation request themselves online, without having to send anything to the Online ID Registry at all. The Notary Public has to be computer savvy enough to do this, and in fact they would have to be confirmed themselves in some way in order to have access to the admin functionality for confirming people. I guess we could use the snail mail for the Notaries Public, or perhaps there are other established ways of authenticating these people? Anybody know?
Point is, I am open to other ways of doing it, I think it would in fact be a huge plus if we didn't actually have to handle all that paperwork. Having the NP confirm "on the spot" with the originals would seem to skip a lot of hassle. Of course, the issue becomes establishing a secure enough mechanism so that the NP can notarize people without people being able to alter the form before it is sent in.
Still thinking - thanks for the feedback.
-Neil
Oops
Oops
The data is encrypted using a password that only you know. The hackers would have to individually break Blowfish encryption on every single user record. If Blowfish is no good then I'll use something else, but the point is that even if the database was totally stolen, it's still no use to the hackers.
As for trust, why do you start trusting anybody? I have to start somewhere. I don't claim to be starting up this thing from my basement and expecting everybody to just send me their life data. This is a prototype, a first attempt to come up with something that I think would be useful to have as a secure place to store your personal information, and a secure way to pass same on to other people. Obviously if it went into production then there would have to be a "real" company or organization, which is precisely the questions I ask at the end of the White Paper. I'm not looking for people's trust at this point, just some feedback on the concept. I really wish more people would actually read the article before assuming that this thing is just another MS Passport.
-Neil
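The two mechanisms these comments describe (a record encrypted under a key derived from a password only the user knows, and a ticket encrypted to another user's public key), sketched as an added example that is not the Online ID Registry's code. It substitutes scrypt with AES-256-GCM and RSA-OAEP for the Blowfish setup mentioned above; every function name, account id and sample value is an assumption.

```javascript
// Added example, not the Online ID Registry's code. scrypt + AES-256-GCM and
// RSA-OAEP stand in for the Blowfish setup; all names and values are hypothetical.
const crypto = require('node:crypto');

const KDF = { N: 2 ** 14, r: 8, p: 1 }; // scrypt cost: what each password guess costs
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Derive the record key from the password. The server stores the salt, never the key.
function deriveKey(password, salt) {
  return crypto.scryptSync(password.normalize('NFKC'), salt, 32, KDF);
}

// Authenticated encryption; `aad` is bound to the ciphertext but not encrypted.
function sealBox(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// Throws when the key, the AAD or any stored byte does not match.
function openBox(key, box, aad) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// The database row for one user: salt, nonce, ciphertext and tag only.
// Binding the user id as AAD stops a row from being replayed under another account.
function storeRecord(userId, password, fields) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(password, salt);
  const box = sealBox(key, Buffer.from(JSON.stringify(fields)), Buffer.from(userId));
  return { userId, salt, ...box };
}

function readRecord(row, password) {
  const key = deriveKey(password, row.salt);
  return JSON.parse(openBox(key, row, Buffer.from(row.userId)).toString());
}

// A stolen row can still be tested against password guesses offline, so the
// guarantee rests on password strength and the KDF cost, not on the cipher alone.
function canOpen(row, password) {
  try {
    readRecord(row, password);
    return true;
  } catch {
    return false;
  }
}

// Ticket for another user: a random data key seals the fields, and only that
// data key is encrypted to the recipient's public key (hybrid encryption).
function issueTicket(fields, recipientPublicKey) {
  const dataKey = crypto.randomBytes(32);
  const box = sealBox(dataKey, Buffer.from(JSON.stringify(fields)), Buffer.from('ticket'));
  const wrappedKey = crypto.publicEncrypt({ key: recipientPublicKey, ...OAEP }, dataKey);
  return { wrappedKey, ...box };
}

function redeemTicket(ticket, recipientPrivateKey) {
  const dataKey = crypto.privateDecrypt({ key: recipientPrivateKey, ...OAEP }, ticket.wrappedKey);
  return JSON.parse(openBox(dataKey, ticket, Buffer.from('ticket')).toString());
}

function demo() {
  const password = 'correct horse battery staple'; // constructed sample password
  const fields = { name: 'Constructed User', dob: '1970-01-01' }; // constructed sample data
  const row = storeRecord('user-1001', password, fields);
  const moved = { ...row, userId: 'user-2002' }; // same row copied under another account
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const ticket = issueTicket({ name: fields.name }, publicKey);
  return {
    ownerReads: readRecord(row, password).name,
    wrongPassword: canOpen(row, 'guess'),
    movedRow: canOpen(moved, password),
    leaksPlaintext: row.ct.includes(Buffer.from(fields.name)),
    recipientReads: redeemTicket(ticket, privateKey).name,
  };
}

console.log(demo());
```
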
Does anybody around here actually RTFA??? What you are saying is totally off-track as to what the website is actually about. Please read the White Paper before springing to conclusions like this.
a) It's not Passport, it's not a distributed login system at all
b) The "confirmed data" aspect is covered in some detail
-Neil
Did you look around at all? There's a Privacy Policy which is under the Help section. It's even linked to directly from the front page. And yes, it states pretty much that your information will never be shared with anyone, for any reason, without your consent (or unless required by law, which I guess anyone has to be held to).
-Neil
Please read the White Paper, it answers just about all your questions.
Why centralization may be necessary
Data is encrypted, only you can read it
-Neil