How can I, a website using OpenID, be sure that the OpenID provider hasn't been compromised?
So you implement your own authentication method.
But how can you be SURE THAT ONE isn't compromised?
Far too often I've seen people implementing their own whatever out of mistrust for available, tried, but black-box solutions. This usually ends with
<script>
// client-side "authentication": the password is shipped to every visitor in the page source
if (document.form1.password.value == "secret") window.location.href = "http://www.foobar.example/secretpage.html";
</script>
If I found out Richard Stallman's OpenID user/pass, I could create an account on Slashdot and post shit, and people would think I am him because I am using his OpenID identity.
You could do that with his /. password alone also. OTOH, if RMS chose to use an OpenID provider who uses a hash signed with his private key stored on his smartcard...
True, there could be more harm done with 1 provider providing access to 100 sites, but it may be worth the effort to make that single point of failure 150 times as secure.
But if you assume the risk of "dropping a basket" as 1 in 100, and you put 100 eggs in 100 baskets, you're guaranteed to break an egg. With all 100 eggs in one, I have a 99% chance of going completely unharmed.
full ack
That's the fundamental problem with OpenID. It moves the point of failure away from the service provider, into a 3rd party's hands.
That's not a problem per se, but a matter of trust, if said 3rd party is trustworthy. For the sake of the argument, even if MS were my OpenID provider, I'm confident that my password wouldn't end up in a plaintext file that could be downloaded from http://openid.microsoft.example/openid/secret/passwords.csv as 1 in 100 "super secure login systems" (homemade with 100% PHP and 1% clue) would do.
AMEN!
(sorry no modpoints)
That might as well be done with OpenID, with your browser (or OS) being the ID provider. And if you already log onto your PC with a chip card and iris scan, why not use that also to authenticate yourself to that website.
In general, old or wrong data is worse than someone having correct data.
Or do you like to pay the traffic tickets for the car you sold 10yrs ago?
let me just reconsider that "data security" vs. "mexican food" point...
Your data security might just go down the drain in a completely uncorroded capsule...
No.. the emergency happens, when those pics are actually FOUND
As the biggest stockholders will probably be some investment company, they are more than willing to pocket short-term earnings, and then sell their shares and leave the company to die.
You'd rather need to pay the bonuses not based on the quarterly results, but on the quarterly results in 20 years' time.
And I am most certainly not putting our accounting database anywhere that could possibly require a "rent payment" or external connection - if I lost access for 1 minute, we're out of business entirely.
Then you're doing something wrong. Like perhaps not having a hot spare or something similar.
http://www.geekandproud.net/terror/
It has been Ernie/Bert for about a year....
Now would that be "News for Nerds" or "Stuff that matters"??
Zapf Dingbats
Because they have 2 years contract and bonuses according to stock prices at the end of each fiscal quarter.
Steady growth is for people planning to stick with the same company for a rather long time. (read: company founded by their dad and son on standby for taking over in 30 years or so.)
Neumeister??? Sounds like a perfect name for the next Retro-Science-Fiction-Super-Villain. "Count van Neumeister" Or a made-up villain as in 1984...
man file
it does a pretty good job already.
Instead of transporting the 16 billion pounds of coffee to the dump. OK, I'm assuming that there will be a tight infrastructure for bio-diesel plants...
I have met teachers exactly that stupid, and worse. I'm astounded they can find their room day after day.
We had a French teacher like that. For about half a year, he used to burst into our math class and argue with the math teacher that he was scheduled to teach at that time of the week...
When you improve the software even a tiny bit, you have to give it away for free too.
and YOU don't understand open source, my friend!
That was what you were supposed to tell him.
I KNOW that it's not 100% correct, but he asked for a catch. So just give him one and give him the feeling that that catch isn't relevant to him anyway.
"You agree to a secret contract never to eat $HIS_LEAST_FAVORITE_FOOD$ again". Might have worked too, but he'd have guessed that it's completely made up.
And besides that: maybe it's the biggest catch of all: MS products won't give him that kind of nitpicking sermon. All it takes to legally use Word is to pay and shut up. Or do you really think that to someone who didn't realize that there IS free software at all, THOSE details, and some gabble about copyleft and the difference between LGPL and GPL and the Mozilla licence, even matter?
You didn't get it. I tried to make him feel clever, not feel really stupid.
So stay away with that Source Code Mumbo-Jumbo. I bet that's even less legal than linux!
MS is rather generous about giving software away when it's for getting people hooked up.
If he asks for the catch, tell him where the catch is.
When you improve the software even a tiny bit, you have to give it away for free too.
And when he says that he can't or won't do that, give him the feeling that he's especially clever, 'cause in this way he games the system... Everyone likes evading a catch and getting something for free... as long as you give him the feeling that it's not free in the first place, 'cause then it would be worthless too.
That's only used for money transfers initiated by the customer. And as there is proof that it was indeed the account owner transferring the funds (he used his secret TAN & PIN), those transfers are really hard to reverse.
It's the other way round with those Lastschriften (direct debit): easy to initiate by anyone, easy to reverse by the account holder.
You know that there is no need for proof of that authorization? (That's exactly the difference between an Einzugsermächtigung, a direct debit mandate given to the merchant, and an Abbuchungsauftrag, a debit order lodged with your own bank.)
All it takes is a single signature (on the side of the merchant's bank) stating that he won't ever withdraw money from someone else's account without permission. It's up to the merchant how he obtains said permission. OTOH it's up to him to show evidence of that permission if (and only if) he's dragged in front of a court.