Perhaps, but you left out my note about context. The original poster was clearly talking about any given OpenID consumer getting hacked. The person who replied was imprecise in telling him that that wasn't true, and your reply showed either an inability to read contextually or a desire to be overly pedantic. Out of sheer curiosity, would you mind telling me which one it is?
It would be not reading contextually. But I find that to be irrelevant to the discussion at hand. OpenID still carries too great a risk.
If the provider is hacked (very unlikely if you've chosen a good provider), then it's conceivable that someone could gain access to your accounts with consumers.
Which was my point. If this one site (the provider) is compromised, then all of my accounts are compromised. It's also not a matter of the site being hacked. A security compromise could be caused by a misconfiguration or accidental change. I must also trust that the employees of the provider are ethical.
The downside is it can give a false impression of security if people don't carefully consider who they trust to be their provider.
I think that is my core concern. How does one know who to trust?
I suspect that you're just being an ass and intentionally missing the point.
I have valid concerns. Please don't automatically assume the worst.
With OpenID, you have a provider and multiple consumers. If any of the consumers get hacked, your account on the other consumers will not, by association, be hacked.
I fully understand that.
If your provider is hacked, all of the consumers will be compromised until you can switch your provider.
Which was my point in my response above. The person I responded to claimed that one site couldn't compromise your identity but in fact the OpenID provider (a single site) could do just that.
If you don't trust a website, don't make them your provider.
And that is the tricky part. Using OpenID requires that you expand your web of trust beyond yourself to your OpenID provider. How will you establish that trust and vet the provider? How do you know that your information will not be compromised via accident or maliciousness? I know that you can set up the software to be your own provider, but as I pointed out in another message, this carries administrative overhead. This solution doesn't seem to have any advantages over existing features such as Firefox's password manager. In fact, it seems more limited as it will only work with sites that know about OpenID.
One particular site, as opposed to any one of many sites as you said in the claim from which you're now backpedaling.
There is no backpedaling as you're responding to my first post in this thread. I made no such claim as you suggest. Maybe you are confusing me with another poster.
It's true that you could attack a particular OpenID provider and, if successful, get access to the identities of N users of that provider. But that would be a weakness of that particular OpenID provider, not OpenID itself.
Which is exactly what I was pointing out. Without OpenID, if my MySpace account is compromised, then none of my other accounts are in jeopardy. If my OpenID provider is compromised then the attacker now has access to all of my accounts associated with the OpenID provider.
OpenID is not using the same password for every account. It's having just one account instead of many, and thus only one password to remember (which can then be a better password since you have to remember fewer).
There are already better tools that work with all sites for remembering passwords. Firefox is but one example. It can remember logins and passwords for any site and protect the password list using strong encryption. To use OpenID with any confidence, one must trust an OpenID provider. You can run your own OpenID service but then you have another service to administer and maintain. I still don't see what advantage this solution has over existing solutions.
Having one site which you log in to compromised will not compromise the others.
Really?
The only way you'd lose control of your OpenID identity is if your OpenID provider was compromised.
Oh, so one site being compromised WILL result in all of your accounts being compromised after all. Please get your story straight. This is a terrible idea and is just trading security for convenience.
a group that seeks to allow users to create a single account/password set to be used on a number of services.
This sounds like an absolutely terrible idea. How many times have we told users that it's best not to use the same password for every account? OpenID sounds like an enabler of stupidity and a huge security risk.
However, I would say that waaaay more than two pictures are needed in order to compare air quality.
I agree. That's why you should take a look through his blog. He's been posting pictures for a while now. Some days the air is clear such as in the photo at the bottom of this post.
I've been reading this guy's blog off and on because he's posting pictures of the air quality. Compare this picture with this one to see what difference is being made.
This is what you get when you have multiple 24-hour news channels and lots of news web sites itching to have something new. There's only so much real news, and not enough of it to even fill one TV channel with content. So they have to dig for crap. This is what you get.
If someone started flooding my servers with thousands of response records in hopes of guessing a transaction ID, my iptables config would block them in a heartbeat.
Would you be kind enough to publish your iptables config that does that? Such a set of rules seems like it would be very useful.
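The parent poster did not publish their rules, so here is an added example of the kind of per-source rate limit that does what they describe: a client that opens thousands of new connections a minute to one service is dropped while everyone else is untouched. This is not the poster's configuration. The port (25/tcp), the rate and the burst are assumptions to tune for the service in question; the hashlimit and conntrack matches are standard iptables extensions. DRY_RUN=1 prints the rules instead of applying them so the logic can be reviewed on a box without root.

```shell
#!/bin/sh
# Added example, not the parent poster's rules: drop sources that open new
# connections to PORT faster than RATE, tracked per source IP with hashlimit.
# PORT, RATE and BURST are assumed values; adjust to the protected service.

PORT="${PORT:-25}"         # assumption: the service receiving the records
RATE="${RATE:-30/min}"     # sustained new connections allowed per source IP
BURST="${BURST:-20}"       # short burst tolerated before the limit bites
DRY_RUN="${DRY_RUN:-0}"    # 1 = print the iptables commands, do not run them

# ipt ARGS...: run iptables, or echo the command when DRY_RUN=1.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# install_ratelimit: two small chains hung off INPUT.
#   RATELIMIT_DROP  logs (at most 5 lines/min, so a flood cannot fill the
#                   disk with its own log entries) and drops.
#   RATELIMIT       sends a source to RATELIMIT_DROP once it is above RATE,
#                   otherwise returns so normal policy applies.
# A single hashlimit rule does the counting; splitting log and drop into
# their own chain avoids two rules with the same --hashlimit-name each
# consuming a token for the same packet.
install_ratelimit() {
    ipt -N RATELIMIT_DROP 2>/dev/null || true
    ipt -F RATELIMIT_DROP
    ipt -A RATELIMIT_DROP -m limit --limit 5/min \
        -j LOG --log-prefix "RATELIMIT drop: "
    ipt -A RATELIMIT_DROP -j DROP

    ipt -N RATELIMIT 2>/dev/null || true
    ipt -F RATELIMIT
    ipt -A RATELIMIT -m hashlimit --hashlimit-above "$RATE" \
        --hashlimit-burst "$BURST" --hashlimit-mode srcip \
        --hashlimit-name "flood_$PORT" -j RATELIMIT_DROP
    ipt -A RATELIMIT -j RETURN

    # Only new connections are rate-checked; established flows already
    # passed the check when they were opened.
    ipt -A INPUT -p tcp --dport "$PORT" -m conntrack --ctstate NEW -j RATELIMIT
}

# Stand-alone use: "DRY_RUN=1 sh ratelimit.sh apply" prints the rules,
# "sh ratelimit.sh apply" (as root) installs them.
if [ "${1:-}" = "apply" ]; then
    install_ratelimit
fi
```

Two things to check before relying on it: hashlimit only counts what reaches the rule, so the INPUT hook must sit before any broad ACCEPT for the port, and a legitimate client behind a large NAT shares one source IP with everyone else behind it, so the rate should be set from observed traffic rather than guessed.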
Because the openssh client has no GUI (for example, no session management list and lack of tabbed interface for sessions) and lacks a lot of features in general. See my other post here: http://slashdot.org/comments.pl?sid=606419&cid=24102353
That's exactly right. There's a nice GUI to configure it and manage all of my saved sessions. For example, one can choose the font to use for a session by pointing and clicking at it. Better clients, such as SecureCRT, have better management of sessions, including grouping them into folders (necessary when you have 100+ hosts), scripting for sessions (for auto login, etc), searching and saving of all session history, tabbed interface with the ability to move tabs into and out of new windows, clone tabs, ability to have multiple sessions open in tabs at once with a single click, great GUI-based key generation and management.
Most important for me, SecureCRT supports zmodem for file transfers. I can type "sz " in a shell and the file will be sent from the remote system to my desktop. I can type "rz" and I'm prompted with a file requester to select files to send to the remote host. It's much faster than dicking around with opening another shell and dealing with scp or sftp.
Teraterm is a nice term, I just don't like PuTTY myself. (Not needed outside of Windows.)
Speak for yourself. Not everyone likes the openssh client. Thankfully, there is a Linux version of PuTTY. Sadly, there's not a Linux version of SecureCRT.
I agree with your other points but I find a central package management system to be a definite negative. Vendors should target a standard, such as LSB 3.0, and then build packages for that standard. Then users can download and install the package, or add the vendor's repository to their list if they want to receive updates, to any LSB 3.0 compliant system. OS vendors can concentrate on making a solid Linux-based OS without the overhead of packaging thousands of applications just for their OS. Instead they can add entries to the vendors' package repositories in the configuration file for the OS package management software.
This also has an advantage for users who might want to upgrade the OS to receive new drivers and security support, but who do not, for whatever reason, want to upgrade all of their applications. Distro support for such users doesn't exist at this point. Such users instead must become steeped in the nuances of system administration, such as software compilation and apt pinning, if they wish to keep their applications from being upgraded or replaced.
If you want to upgrade the rest of the system, but leave some packages the same, there's the concept of pinning. There's very little reason to do so, but it's available.
Thanks for responding. I've never looked closely at pinning so I should probably examine it in more depth. Can you pin packages and metapackages to not upgrade? For example, if I want to upgrade my distro but hold back Gnome to the current version?
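The question above (hold a metapackage such as gnome at its current version while the rest of the distro is upgraded) is answered by an APT preferences pin. The following is an added example, not code from anyone in the thread; the version string used in the comments and test is constructed, and the package name is only the one named in the question.

```shell
#!/bin/sh
# Added example (not from the thread): keep one package or metapackage at its
# installed version across a release upgrade using an APT preferences pin.

# write_hold_pin DIR PACKAGE VERSION
#   Writes DIR/hold-PACKAGE. A priority above 1000 tells apt to keep this
#   exact version even when the new release carries a higher one; a plain
#   1000 would still let it move within the pinned version pattern.
write_hold_pin() {
    dir="$1"; pkg="$2"; ver="$3"
    cat > "$dir/hold-$pkg" <<EOF
# Keep $pkg at $ver across a release upgrade.
Package: $pkg
Pin: version $ver
Pin-Priority: 1001
EOF
}

# installed_version PACKAGE
#   Prints the installed version as dpkg knows it, or nothing if absent.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null
}

# pin_at_installed PACKAGE [DIR]
#   Pin PACKAGE at whatever is installed right now and show apt's view of it;
#   the pinned version should appear with priority 1001 in the output.
pin_at_installed() {
    pkg="$1"; dir="${2:-/etc/apt/preferences.d}"
    ver="$(installed_version "$pkg")"
    if [ -z "$ver" ]; then
        echo "$pkg is not installed" >&2
        return 1
    fi
    write_hold_pin "$dir" "$pkg" "$ver"
    apt-cache policy "$pkg"
}

# Stand-alone use (root needed for the real preferences directory):
#   pin_at_installed gnome
# The file-free alternative is a dpkg hold, which apt also honours:
#   echo "gnome hold" | dpkg --set-selections     # or: apt-mark hold gnome
```

Two caveats a practitioner will run into: pinning the gnome metapackage holds only that package, and its dependencies are declared as minimum versions, so the individual GNOME components can still be upgraded unless they are pinned as well; and if the held version conflicts with what the new release requires, `apt-get dist-upgrade` will refuse the upgrade rather than silently break the pin, which is the right failure mode but has to be resolved by hand.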
The best part of Linux distros is that all your software is kept up-to-date without having to continually have each individual application check itself or have to go around personally checking for new versions of the programs that you use.
I don't want that. I want to keep the base OS up-to-date with bug fixes and security fixes only. I don't want my applications changed and I don't care about new features. If I do care about features I would rather update packages on a case-by-case basis.
Why would you NOT want that, except possibly for very specific cases like a version of the JVM that has a certain broken behavior your program depends on? There's no other good reason I can think of.
Because when software fills my needs, I have no need to upgrade beyond that point unless there's a serious security vulnerability or bug. Please see this post where I explained it to another person. If the software works and does what I need, why would I ever want to upgrade and risk changes, such as new bugs or feature removal, that might not suit me? I've been down that path and I've been burned. I've learned my lesson and I don't want to go back to that method of managing my computer. It doesn't work for me.
In 2000, Red Hat 6.2 fit my needs just fine. But the end of security support for it, and the exploits of services that ran under it, meant that I needed to upgrade the OS. Upgrading the OS meant it wanted to install a new KDE, and new versions of all my programs. And those programs had changed. They moved things around, added new features, and in some cases removed features that I wanted. The new programs, such as KDE, used more memory, which meant slower performance for my laptop (a Compaq Armada with 64MB, 6GB hard drive, and a P2-300 processor). Eventually I couldn't run modern distros on it without a performance penalty, even though the computer was perfectly fine. I could have rolled my own distro, but the time to manage that would have cost more than switching to a different OS with a longer period of support.
Eventually in late 2002 I decided to upgrade so I bought a Thinkpad T30 maxed out with all the RAM and features I could get. I'm still using it and I plan on using it until it completely dies. Unless the motherboard fails, that's going to be a long time as I have a spare T30 that I recently got for free which I can use for parts. XP ran fine on it the day I got it and it still runs fine. I suspect that it will continue to run fine when security support stops in 2014. With the rate of increasing system resource demands that Linux distros have, I don't expect to be able to run a modern Linux distro released in 2010 or 2011 without having to replace my hardware.
For those of us who don't want to become a Linux distro engineer, but wish to use Linux, the hardware upgrade demands outstrip those of Windows.
That would be like buying Windows 95 and getting 98, 2000, ME, XP for free with updates.
That's the exact opposite of what I am talking about. All of those are different versions of operating systems with new kernels, APIs, libraries, and other changes. They also have different, and increasing, system requirements. I'm talking about being able to standardize on one release of an operating system and receiving patches (not OS upgrades to a new version) for x number of years. With Windows XP, x=12.4 years. That's not bad at all for less than $200 investment. Ubuntu Server LTS comes in second with 5 years at zero dollars.
I'm not like you. I don't enjoy being on the upgrade treadmill. If something works, I leave it alone and use it. I don't upgrade just for the sake of upgrading to the latest version. I did the "latest and greatest" upgrade nonsense when I was a kid decades ago. I'm over that. It only gets in the way now. I want to pick a base and stick with it as long as I can. Upgrading the OS brings in a lot of changes to everything, which is a problem that is exacerbated by the current Linux distros. I'm not interested in the latest version of Gnome, Firefox, vi, or whatever. The ones I have work just fine, thank you. I want a solid base to learn and stick with. When it comes to upgrades, I'm only interested in basic security patches and bug fixes. At the end of the day I want to get on the computer and get work done.
Windows jokes aside, XP gets the job done and fits the bill when it comes to long-term support for patches. XP ran fine on my laptop the day I got it in 2002 and it still runs fine. I suspect that it will continue to run fine when security support stops in 2014. I can't say the same about any Linux distros because the upgrade cycles are terribly short (such as three or five years). It's unlikely that any modern Linux distro in 2014 will work on my laptop as I probably won't have enough memory or processor speed to accommodate it. XP will still work because even with the patches installed, the system requirements have not changed significantly, if at all. I just find that it's a shame that I can't get the same form of long term consistency in a Linux distribution at a reasonable price.
Your entire post was worthless. You might as well have said that you felt the Linux distro approach was superior and saved some typing. I guess we'll agree to disagree.
You're talking about per-incident support. What I'm talking about is that I can spend $150 on Windows XP when it is released and then get eight or more years of security support and upgrades at no extra charge. Can I get the same length of security support for a Linux distro from your company for the same amount of money?
So you've updated to Vista without paying? Via Microsoft's servers? WOW. How'd you manage that?
I won't be going to Vista. I've never even seen it aside from a couple of screenshots online. XP is the end of the road for me and I'm gonna ride that horse until it stops. I know it, it works, and I'm comfortable with its quirks and problems. After that I'll likely switch to some Linux distro but I'm not sure which one it'll be.
Unfortunately, I'm opposed to the way Linux distros are organized. I think it's a design flaw to include the operating system in a distribution and then try to package every program under the sun. I much prefer the approach of Windows where there is a core OS and a few support programs. The packaging of applications is left to the application vendors.
If I want to install a certain version of Firefox or OpenOffice on Linux, I should be able to go to the appropriate web site and download the package just like one can download the installer for Windows. Oracle and Last.fm get this. I can already add their APT repositories to my Debian box or download the packages if I want to install them. Instead we have this mess where if I upgrade the operating system, it wants to install all the new versions of the non-OS software that I have installed. What if I don't want to upgrade all of those? What if I want to do the opposite and upgrade a certain package to the newest version without upgrading the rest of my system? I'm not interested in compiling from source. That involves installing a C compiler (security risk) and being a full-time system administrator when I get home to use my computer. I don't want to manage that. I want it to "just work."
I want a Linux distribution that I can install once and get security updates for about six to eight years. And I'm willing to pay what one would pay for your average operating system for it (~$150). Right now, that doesn't exist.
Nobody cares if your puns were intended.
Of course it won't stop spam. It wasn't designed to. Its purpose is to stop joe jobs.
What, precisely, are you considering to be a feature? The article that you linked to has nothing to do with ssh clients.