Slashdot Mirror


User: icebike

icebike's activity in the archive.

Stories: 0
Comments: 9,473

Comments · 9,473

  1. Re:And this is impressive why? on Mozilla Launches Persona Identity Bridge For Gmail · · Score: 1

    Are you kidding? Persona solves a whole raft of super common problems

    • Say for example kittens.com site you post on is hacked. With Persona the bad guys don't get anything. There is no password stored on kittens.com. It's more akin to certs. That alone will eliminate a whole class of internet disasters that we read about every week on slashdot.
    • I don't want to make up yet another stupid username/password recovery question for every site. Now I can just use one of the Persona identities I already have, and I'm done. I also trust Mozilla or Google a lot more to be on top of security than kittens.com
    • Unlike, say, facebook connect, this is a federated standard, not dependent on any org. You can run your own identity-provider if you like, not that most people would care to.

    Well, it's not totally dissimilar from using your Google login to access any site. That site never knows your Google password.
    But they do know your email, at a minimum.

    This is the same thing, except that Persona will serve as the authentication for your email, and they will in turn ask Google, and then they will tell you exactly what the target site is requesting from Google, and let you approve it.

    But the target site clearly gets your email.

  2. Re:And this is impressive why? on Mozilla Launches Persona Identity Bridge For Gmail · · Score: 5, Insightful

    I believe mozilla can see what websites you are requesting, but they claim they do not retain this because they are not required to do so.
    That could change I suppose. Clearly they have to have a list of emails that they can process, but not necessarily what sites you can use them for because they can just try to log in, and let it fail. Then go thru the authorization process.

    I like the idea of spreading the knowledge around so that no one source knows everything. This essentially puts a middle-man in the Auth process, but that man knows very little.

    But I don't think this will work in the long run because someone will break SSL or demand the keys and the whole thing comes down.

    Mozilla is just as much subject to NSA letters as anyone else. And since almost 100% of their funding comes from Google anyway, I can't help but think this is a joint project, or at least carried out with Google's full approval. But still it makes it necessary for the NSA to look a lot more places when building a list and checking it twice.

  3. Re:What about the NSA? on Mozilla Launches Persona Identity Bridge For Gmail · · Score: 5, Interesting

    They post exactly what they have on you and how they use the data here.

    Basically it keeps Google from snooping, and allows Mozilla still has some records of the sites you access.
    All information is transferred by SSL, but it's highly likely that Mozilla has already been forced to quietly turn over its SSL keys
    to the government. (At least Snowden claims this has happened).

    So at best you protect yourself from Google, and make the government look in two databases to see where you log in.

  4. Re:OK. on Encrypted Email Provider Lavabit Shuts Down, Blames US Gov't · · Score: 1

    Server side encrypted mail makes no sense. You end up trusting the server and SSL when neither of these is trustworthy.

    If you aren't using your own public key encryption you are fooling yourself.

  5. Re:Master Password (Thuderbird+Firefox) on Chrome's Insane Password Security Strategy · · Score: 1

    The point is that home users who share a machine are looking for precisely this feature and it is secure enough in modern versions of operating systems to do the job.

    Anyone capable enough to install password stealing software would not be deterred by your logging out, because they would be the ones not logging out and other than rebooting the machine there is no way to force them to log off once they have left the premises.

    Multiple accounts are reasonably secure, and if not secure enough then you shouldn't be sharing a machine at all.

  6. Re:If you don't mind a dead battery on Google's Second Generation Nexus 7 Benchmarks · · Score: 1

    Don't know a single person who has a nits meter.

  7. Re:If you don't mind a dead battery on Google's Second Generation Nexus 7 Benchmarks · · Score: 3, Informative

    That's the manufacturer's claim. The tests I've seen, using real-world things like more than 50% brightness and wifi put it at about 6-7 hours. Similar tests on iPad Minis regularly get 9-10+ hours.

    But brightness is the key power sucking feature. And nobody I know runs any android tablet at full brightness.
    You might have to do so outside on a sunny day, but for typical living room / office use I have the brightness slider almost to the lowest possible setting. In a bright room I might move it up, but never so far as a quarter of the way.

    Disclaimer: not a nexus tablet.

  8. Re:Amazing device. on Google's Second Generation Nexus 7 Benchmarks · · Score: 2, Insightful

    Reports like yours outweigh any benchmarks.

    Haven't we learned never to trust benchmarks yet?

  9. Re:US Intel Agencies Should Forfeit Their Toys on US Intel Agencies To Build Superconducting Computer · · Score: 1

    I hate to say this, but they were wrong.

    Damn straight.

    Further, had they seen what is going on now they would have put some TEETH in the protections,
    with real penalties, instead of leaving that totally up to the discretion of some guy wearing a robe.

  10. Re: This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 1

    Is remembering 15 different passwords, and variations of them for more, really that difficult?

    In my password vault application I have 74 web sites, over 15 computer logins,
    10 email accounts, 6 PGP passphrases, 4 bank accounts, and a collection of
    miscellaneous combo-lock passwords and odds and ends.

    Well over 140 records.

    Don't ever get old son. Your Memory is the Second thing to go.

  11. Re:"Bilateral relationship" on Snowden Gave 15,000 Documents to Glenn Greenwald; Obama Cancels Russia Summit · · Score: 3, Insightful

    Even in the US, Obama would never be given the elimination of all Nukes. Nobody is that stupid.
    He had no chance of getting that and neither did Jimmy Carter.

    But the clear winner here is Putin.

    He has American secrets within reach if not already in-hand, plus he doesn't have to play kiss-ass with a buffoon in yet another pointless summit. Obama has no leverage here other than to pout.

    Worse, it's his own doing!

    Instead of living by his campaign promises of open and honest government, under which he had an opportunity to rein in the excesses of post 9/11 security frenzy, he chose to double down or triple down, and start reading and archiving everyone's email, recording calls, and then insisting it was only meta-data.

    So he's forced to cancel his trip because he knows Putin will laugh in his face at demands to turn over Snowden.

    Even more telling: at precisely the point where Congress seems to be finally growing a pair: Obama unleashes his embassy closing of historic proportions, all based on an eavesdrop "conference call". (Like Al-Qaeda ever does that!).

    I suspect nothing will actually happen, because it is entirely a fabrication by the NSA/CIA to divert attention and justify their violations of law. Of course there is the equal probability that they are just being played by Al-Qaeda setting up a phony conference call and mentioning grandiose plans, knowing it would be monitored.

  12. Re:This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 2

    I'm not sure I want any plugins into the browser.

    First, browser plugins have a pretty shaky security reputation.
    Second, I'm not always on a browser that accepts plugins. I use several browsers.
    Third, browsers change too fast, and plugins don't keep up.

    It should probably be done at the OS level, hooking the keyboard for password injection. But that
    still leaves you with the problem of knowing what web page you are on, so you are back to
    some sort of browser plug-in.

    It really cries out for an industry-wide, agreed-upon API between the password vault writers
    and the browser companies. Otherwise you have ad-hoc developers rolling their own.

  13. Re:Master Password (Thuderbird+Firefox) on Chrome's Insane Password Security Strategy · · Score: 2, Informative

    How many people use separate log-ins for the "Family" computer that stays on most of the time? Not very many I'd imagine,

    More than you imagine, because teenagers insist upon it.

    And in reality, it's by far the easiest thing to set up, and the easiest thing to do.

    Just select the Switch User button, and you are out of your account, ready for the next person to use it,
    and it's as secure as your computer's OS is (which might not be all that secure, but that's another issue).

  14. Re:Should I stop locking my doors too? on Chrome's Insane Password Security Strategy · · Score: 1

    But "Lives Alone" solves most of that guy's problem, No?

    The burglar is just going to take his whole computer. Not much point in worrying about passwords
    when the thief has all the time in the world to break whatever scheme you set up.

  15. Re:This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 1

    But I'm not sure "home user" and "secure" fit in the same sentence.

    The list is certainly more Secure from Joe Random Hacker, but not your flatmates or suspicious girlfriend or creepy Uncle that comes to visit for weeks at a time.

    They WILL find your list, and they Will copy it with their cell phone. And you will buy a 60 inch flat screen.

  16. Re:Seems like a terrible design on First Laptop With Full-Sized Solar Panels Will Run On Ubuntu · · Score: 1

    Putting a strip chart recording ammeter in line on hundreds of pc models we learned that they never get close to drawing what the power supply was rated for. We would monitor the mains cord and load the nastiest work load we could find. The worst power draw happens the instant you turn it on, while it's spinning up the drive and loading the os.

    Did you test any with SSDs?

    Admittedly not, (not available back when we were doing this).
    But just off the top of my head, I would suspect they take way less power than any spinning storage.

  17. Re:This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 2

    True, but it's a lot of trouble to copy and paste each password. I know this, because in fact I use one of these on all my devices.

    If these password vaults could detect you are in a password field and feed the password to it that would be sweet. Only one password to remember.

    Otoh, only one password to steal.

  18. Re:All browsers store their passwords in plaintext on Chrome's Insane Password Security Strategy · · Score: 1

    Then go out for a celebratory beer.
    And forget to logout of the account in your rush out the door.

    Same problem.

  19. Re:People actually do that? on Chrome's Insane Password Security Strategy · · Score: 1

    And your super secure scheme is WHAT?

    list of passwords under the lamp?
    Single common password
    Single common password with a site specific appendage?
    Log into every site via the oh-so-secure Facebook authentication proxy?

    Log into only Slashdot and always post as AC?

  20. Re:Should I stop locking my doors too? on Chrome's Insane Password Security Strategy · · Score: 1

    Then just log out for Pete's sake?
    How hard is that?

  21. Re:This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 4, Insightful

    Everyone can type their own password.

    But what about typing hundreds of passwords?

    Once you have more than a few, you resort to a crutch of some sort.

  22. Re:This is also the case on Firefox on Chrome's Insane Password Security Strategy · · Score: 1

    I know it has been discussed many times to password lock access to stored passwords, though because browsers are not user-specific, this has not been done.

    Solution: If security is important to you, don't be lazy.

    But browsers ARE as user specific as any other part of the modern computer.

    With just about every Operating System having the ability to have multiple accounts logged in and to switch accounts easily, browsers, and everything else each user does can be compartmentalized easily.

    And that is probably the best way to handle it in general where what is needed is snoop protection from co-users.

    If you recommend typing in passwords to every website you have to go with a notebook full of passwords, a single common password, or a trivially guessable combination. Either that or trust third party authentication schemes which creep me out in this day and age.

    So I agree with not being lazy, but I recommend the exercise of locking the account as you walk away.

    Use a bluetooth proximity lock if you think you might get super lazy. Of course if you are in the habit of walking away and leaving your phone on your desk, there is no hope for you anyway.

  23. Re:Seems like a terrible design on First Laptop With Full-Sized Solar Panels Will Run On Ubuntu · · Score: 1

    Wait. Your *PC*? A laptop or a desktop? My laptop runs around 25-30 watts normal usage, but even at idle my desktop runs about 250 watts...

    How do you know what It draws at idle?
    Unless you've put an ammeter in line on the power cord you're just reading the label or guessing.

    Putting a strip chart recording ammeter in line on hundreds of pc models we learned that they never get close to drawing what the power supply was rated for. We would monitor the mains cord and load the nastiest work load we could find. The worst power draw happens the instant you turn it on, while it's spinning up the drive and loading the os. After that, you really have to try to get a computer to draw half of the rating of the power supply. (Because UL won't approve any machine that can possibly get near its power supply rating.)

    At idle, most computers drew less than 5 watts.

    That was 10 years ago, and a lot has changed for the better since then.

  24. Re:"You may have read about this on Slashdot"? on Usenix and EFF Reps Talk About VW's Attempt to Suppress a Presentation (Video) · · Score: 0

    >> You may have read about this on Slashdot

    I think I just did.

    All your discussions are belong to Barbra.

  25. Re:what a joke on US Intel Agencies To Build Superconducting Computer · · Score: 1

    That's right, let's play the race card again.