Fishpool

Tag - OpenID

Tuesday 8 February 2011

Passwords are a broken system

..and I'm not even referring to the multitude of website passwords this time. I thought earlier OpenID would be the fix to those, but apparently not -- perhaps OAuth 2.0 and Facebook will be, though.

No, this time I'm talking of personal computer passwords. I don't have a huge amount of recent first-hand experience with how Mac and Windows work in this department, but the Linux/GNOME experience, connected to some presumably sensible company network access control, is certainly busted. Or, perhaps it's just me, and I'm doing something wrong - in which case, I would love to hear from someone who knows how to do this right.

I have:

  1. an encrypted home/user partition on my laptop hard drive, for which I have to type in a password to get the computer to boot. Never mind that the operating system partition (which doesn't contain anything secret, since the OS is downloaded off of Fedora Project's web site) isn't encrypted, so the computer ought to be able to boot without the user partition password -- it doesn't. That's a separate peeve. This is password #1.
  2. a password for my user account, since GNOME login facilities seriously under-appreciate using an account without a password. Never mind that I already proved who I am by typing in a password during boot - well, the last boot that was on average 19 days and 78 suspend-resume cycles and 42 laptop-bag trips ago. As far as I can tell, there is a valid reason for having this password, though I could imagine switching that to fingerprint recognition. Password #2.
  3. a password for the GNOME built-in passphrase storage keyring, which automatically collects things like network WPA passphrases, ... well, that's about it, really, but anyway, it makes life somewhat bearable. Password #3. In fact, all that stuff is actually stored in a keyring with a very long random string as a key, and a separate keyring holds a copy of that, locked using the password #2 -- when things work. This is what is supposed to let me type in a password once, and have the system usable.
  4. a password for my company account which lets me in to things like the intranet. One of many, many, many work-related passwords in various systems, internal and external (mostly external), which are infeasible to synchronize to one-time authentication at least today. This one is special though, because it's practically impossible to get any work done without it. Password #3 (I didn't count the one above, because it's not supposed to exist).
  5. a KeePass keyring pass phrase, because the GNOME keyring a) doesn't have decent UI so it could be used for manually managed passwords b) because of above, there are many of those c) that I need to also use on other devices, so this keyring is synced to those devices. Password #4, for those who are counting.

That's just the start, but without these, nothing works. Now -- password policy best practices often say that passwords must be changed periodically, in order to ensure various guarantees of dubious value. I ask you this - what happens, when one of the above passwords must be changed?

As good as my memory seems to be with random alphanumeric strings of letters and digits, I simply can not maintain four of them in memory along with the credit card PIN, phone number PIN, VPN token password, GMail password, Facebook password, and so on and so on, if I'm supposed to also get any work done. Especially not if one needs to be swapped out to a completely new random thing every now and then. So, I do what any human would do: try to minimize their number.

Because I'm relatively security conscious, I don't do that by using the name of my childhood pet on every system from the most security sensitive to every second web site that appears to require its own password. No, what I do is try to use the same password in all five of the above cases, because a) they're all needed in sequence anyway, b) I can't do effectively anything without access to all of them. I still need to type it way too many times, but at least that keeps the memory fresh.

Except -- changing any one of those places doesn't change any of the others. Not even the supposedly-integrated 1, 2 and 3. So, I end up with 5 instead of 1, and I don't know which is which. New "enter password to keyring 'default'" dialogs pop up on my desktop, prevent anything else from receiving any keyboard input, accept nothing as a valid password, and prevent me from working for 45 minutes. 

I did figure out how to solve it, though -- prevent GNOME Keyring from accessing the 'default' keyring (for which there is no typable password to begin with), force it to change its login password to the new login password, and then re-enable access to the main keyring with all the WLAN pass phrases and other assorted stuff. However, it still wasted a lot of time, and would probably have stumped anyone else I know (I'm pretty hard core with this crap, sad to say).
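The failure mode above (the login password changes, but the keyring that was sealed under the old login password does not) and the fix (unlock with the old password, re-seal under the new one) are easier to see in a small model. The following is an added example, not code from the original post and not GNOME Keyring's actual on-disk format or API: it builds a two-level store where a 'default' keyring holds the items under a long random key and a 'login' keyring holds that key under the user's login password, then shows that changing the password without re-wrapping the login keyring makes every unlock fail, and that re-wrapping restores it. The item names, passwords and the HMAC-based stand-in cipher are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os

KDF_ITERS = 100_000  # PBKDF2 cost; tune upward on real hardware


def derive_key(password: str, salt: bytes) -> bytes:
    """Login password -> 32-byte wrapping key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-in-counter-mode keystream; a stand-in for a real AEAD (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC `plaintext` under `key`; returns a sealed box."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(key: bytes, box: dict):
    """Return the plaintext, or None when `key` is not the key the box was sealed under."""
    tag = hmac.new(key, box["nonce"] + box["ct"], "sha256").digest()
    if not hmac.compare_digest(tag, box["tag"]):
        return None  # this is the "enter password to keyring" dialog that accepts nothing
    return bytes(c ^ k for c, k in zip(box["ct"], _keystream(key, box["nonce"], len(box["ct"]))))


def create_keyrings(login_password: str, items: dict) -> dict:
    """'default' holds the items under a random key that is never typed;
    'login' holds a copy of that key, sealed under the login password."""
    default_key = os.urandom(32)  # the "very long random string" from the post
    salt = os.urandom(16)
    return {
        "salt": salt,
        "login": seal(derive_key(login_password, salt), default_key),
        "default": seal(default_key, json.dumps(items).encode()),
    }


def unlock(store: dict, login_password: str):
    """Unlock login, then default. None means the password does not match the login keyring."""
    default_key = unseal(derive_key(login_password, store["salt"]), store["login"])
    if default_key is None:
        return None
    return json.loads(unseal(default_key, store["default"]).decode())


def rewrap_login(store: dict, old_password: str, new_password: str) -> bool:
    """The step a password change has to include: re-seal the login keyring under the
    new password. The default keyring and its random key are not touched at all."""
    default_key = unseal(derive_key(old_password, store["salt"]), store["login"])
    if default_key is None:
        return False
    store["salt"] = os.urandom(16)
    store["login"] = seal(derive_key(new_password, store["salt"]), default_key)
    return True


if __name__ == "__main__":
    # Constructed sample: one WPA passphrase in the default keyring.
    store = create_keyrings("old-login-pw", {"wpa:homenet": "constructed-passphrase"})
    print(unlock(store, "old-login-pw"))  # items come back
    print(unlock(store, "new-login-pw"))  # None: system password changed, keyring not rewrapped
    rewrap_login(store, "old-login-pw", "new-login-pw")
    print(unlock(store, "new-login-pw"))  # items come back again
```

The point of the model is that `rewrap_login` needs the old password: once the account password has been changed elsewhere and the old one is forgotten, nothing but a brute-force search against the PBKDF2 output gets the login keyring open again, which is why the 'default' keyring (sealed under a key nobody can type) has to be taken out of the picture first.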

Broken? Yes. How to fix it? Hell if I know. Perhaps posting this rant would prompt the LazyWeb to point me in the right direction. Having to follow a 20-step routine to change one password isn't the fix, though.

Monday 31 January 2011

Did common identities die with OpenID? No

About a year ago I posted here a summary of trends I expected would be relevant to our product development over 2010, and looking back at it, perhaps I should have put tablet computing on that list... However, what prompted me to go back and look at it today was picking up on the news that 37signals has declared OpenID a failed experiment, and the related Quora thread I found. Wow, the top-voted answer there is one-sided. Here's what I think about it, to update my statement from a year ago. Comments would be welcome!

Facebook has established itself as a de-facto source of identity and social graph data for all but a few professional/enterprise-targeted Internet services. Over a medium- to long-term, it is still possible that another service or a federation of multiple services using standard APIs will displace Facebook as the central source. However, a networked, "external" social graph is a given. The majority of users are still behaving as if stand-alone services with individual logins and user-to-user relationships are preferred, but that's a matter of behavioral momentum.

This has not removed the problem of identity-related security issues, like identity theft. The nature of the problem will shift over time from account theft to impersonation and large-scale and/or targeted information theft. Consumers still remain uninterested and even hostile to improving security (at the cost of sometimes reduced convenience). Visible and wide-spread security scares are beginning to change the mindset though, and it's possible that even by the end of the year, at least one of the big players will introduce a "secure id" solution for voluntary access as a further argument for their services.

The spread of the social graph will have more impact on the scope of Internet services, however. Application development today should take it for granted that information about the users' preferences, friends, brand connections and activity history will be available and should be utilized (wisely) to improve service experience. The key to viral/social distribution is not whether applications can reach their users' network (which will be given), rather what would motivate the user to spread the message.

Thursday 14 January 2010

Technology factors to watch during 2010

Last week I posted a brief review of 2009 here, but didn't go much into predictions for 2010. I won't try to predict anything detailed now either, but here are a few things I think will be interesting to monitor over the year. And no, tablet computing isn't on the list. For fairly obvious reasons, this is focused on areas impacting social games. As a further assist, I've underlined the parts most resembling conclusions or predictions.

Social networks and virtual worlds interoperability

As more and more business transforms to use Internet as a core function, the customers of these businesses are faced with a proliferation of proprietary identification mechanisms that has already gotten out of hand. It is not uncommon today to have to manage 20-30 different userid/password pairs that are in regular use, from banks to e-commerce to social networks. At the same time, identity theft is a growing problem, no doubt in large part because of the minimum-security methods of identification.

Social networks today are a significant contributor to this problem. Each collects and presents information about its users that contributes to the rise of identity theft, while having its own authorization mechanisms in a silo of low-trustworthy identification methods. The users, on the other hand, perceive little incentive to manage their passwords in a secure fashion. Account hijacking and impersonation is a major problem area for each vendor. The low trust level of individual account data also leads to a low relative value of owning a large user database.

A technology solution, OpenID, is emerging and taking hold in the form of an industry-accepted standard for exchanging identity data between an ID provider and a vendor in need of a verified id for their customer. A few of the current backers of the standard are in the picture on the right. However, changing the practices of the largest businesses has barely begun and no consumer shift can yet be seen – as is typical for such “undercurrent” trends.

OpenID will allow consumers to use fewer, higher-security ids over the universe of their preferred services, which in turn will allow these services a new level of transparent interoperability in combining data from each other in near-automatic, personalized mash-ups via the APIs each vendor can expose to trusted users with less fear of opening holes for account hijacking.

Browsers vs desktops: what's the target for entertainment software?

Here's a rough sketch of competing technology streams in terms of two primary factors – ease of access versus the rich experience of high-performance software. “Browser wars” are starting again, and with the improved engines behind Safari 4, Firefox 4, IE 8 and Google Chrome, a lot of the kind of functionality we're used to thinking belongs to native software or at best browser plugins like Flash, Java or Silverlight will be available straight in the browser. This for sure includes high-performance application code, rich 2D vector and pixel graphics, video streams and access to new information like location-sensing. The plugins will most likely be stronger at 3D graphics and synchronized audio and at advanced input mechanisms like using webcams for gesture-based control. Invariably, especially the new input capabilities will also bring with them new security and privacy concerns which will not be fully resolved within the next 2-3 years.

While 3D as a technology will be available to browser-based applications, this doesn't mean the web will turn to represent everything as a virtual copy of the physical world. Instead, its best use will be as a tool for accelerating and enhancing other UI and presentation concepts – think iTunes CoverFlow. For social interaction experiences, a 3-degrees-of-freedom pure 3D representation will remain a confusing solution, and other presentations such as axonometric “camera in the corner” concepts will remain more accessible. Naturally, they can (but don't necessarily need to) be rendered using 3D tech.

Increased computing capabilities will change economies of scale

The history of the “computer revolution” has been about automation changing economies of scale to enable entirely new types of business. Lately we've seen this e.g. with Google AdWords enabling small businesses to advertise and/or publish ads without marketing departments or involvement of agencies.

The same trend is continuing in the form of computing capacity becoming a utility in Cloud Computing, extreme amounts of storage becoming available at costs which allow terabytes of storage to organizations of almost any size and budget, and most importantly, developing data mining, search and discovery algorithms that enable organizations to utilize data which used to be impossible to analyze as automated business practices. Unfortunately, the same capabilities are available for criminals as well.

Areas in which this is happening as we speak:

  • further types and spread of self-service advertising, better targeting, availability of media
  • automated heuristics-based detection of risky customers, automated moderation
  • computer-vision based user interfaces which require nothing more than a webcam
  • ever increasing size of botnets, and the use of them for game exploits, money laundering, identity theft and surveillance

The escalation of large-scale threats has raised the need for industry-wide groups for exchanging information and best practices between organizations regarding security-relevant information such as new threats, customer risk rating, and identification of targeted and organized crime.

Software development, efficiencies, bottlenecks, resources

Commercial software development tools and methods experience a significant shift roughly once every decade. The last such shift was the mainstreaming of RAD/IDE-based, virtual-machine oriented tools and the rise of Web and open source in the 90s, and now those two rising themes are increasingly mainstream while “convergent”, cross-platform applications which depend on the availability of always-on Internet are emerging. As before, it's not driven by technological possibility, but by the richness and availability of high-quality development tools with which more than just the “rocket-scientist” superstars can create new applications.

The skills which are going to be in short supply are those for designing applications which can smoothly interface to the rest of the cloud of applications in this emerging category. Web-accessible APIs, the security design of those APIs, efficient utilization of services from non-associated, even competing companies, and friction-free interfaces for end users of these web-native applications is the challenge.

In this world, the traditional IT outsourcing houses won't be able to serve as a safety valve for resources as they're necessarily still focused on serving the last and current mainstream. In their place, we must consider the availability of open source solutions not just as a method for reducing licensing cost, but as the “extra developer” used to reduce time-to-market. And as with any such relationship, it must be nurtured. In the case of open source, that requires participation and contribution back to the further development of that enabling infrastructure as the cost of outsourcing the majority of the work to the community.


Mobile internet

With the launch of the iPhone, the use of Web content and 3rd party applications on mobile devices has multiplied compared to previous smart phone generations. This is due to two factors: the familiarity and productivity of Apple's developer tools for the iPhone, and the straightforward App Store for the end-users. Moreover, the wide base of the applications is primarily because of the former, as proven by the wide availability of unauthorized applications already before the launch of iPhone 2.0 and the App Store. Nokia's failure to create such an applications market despite the functionality available on S60 phones for years before the iPhone launch proves this – it was not the features of the device, but the development tools and application distribution platform that were the primary factor.

The launch of Google's Android will further accelerate this development. Current Android-based devices lack the polish of iPhone, and the stability gained from years of experience of Nokia devices, yet the availability of development tools will supercharge this market, and the next couple of years will see accelerated development and polish cycle from all parties. At the moment, it's impossible to call the winner on this race, though.

Sunday 28 December 2008

A year-end review

2008 is nearly over, and it's time to take a look at what happened over the year, as well as to take a peek at the coming 2009. A year ago I made a guess that social networking services would open up and start sharing their profiles – well, practically everyone but Facebook is doing some of that, and Facebook is trying to get everyone to depend on them – not that “create dependency” isn't a part of Google's and MySpace's plan, too. Unfortunately, we haven't yet found a meaningful way for Habbo to participate in this festival, due to differences in demographics, interest areas, and the priority of running a profitable business, instead. Still looking for that solution, though.

I also guessed that productivity applications would seriously move to the cloud – and was a bit too optimistic on that one. Sure, the applications are there, but I don't really see any of them having replaced the desktop-based counterparts – nor do I see that happening next year, either. People are, rightly so, focused somewhere else, and while over the long run moving off to the cloud will make sense from both productivity and cost standpoints, it's still too much of a jump, and too expensive to make.

The increasing popularity of netbooks, Internet access via 3G networks, etc, will have an impact on that, though. Perhaps we'll all move out to the net in a completely different way: not via our old productivity apps, but via entirely new class of applications. Something else than Facebook and Twitter though, I hope.

What else? MySQL was acquired by Sun, and we're all still waiting for the next step. The Register (I can't believe I keep reading it) has somehow gotten the impression that Sun has slowed MySQL down – nah, it's been this slow for at least three times that long. Fortunately, the acquisition may have been a catalyst for the MySQL developer community to start doing something else instead of waiting, and I'm really looking forward to the improvements Percona and Drizzle are making to keep MySQL competitive. As for Sun – time to stop confusing a good thing with dubious business models and bad release engineering before you lose all your customers, I'd say. At the same time, I'm also super-interested in the stuff Sun is doing on the hardware side of database storage with SSD-optimized solutions. Can't say I paid much attention to Sun there for a while, but they're making what seems like an unlikely comeback.

For Habbo, we've continued making progress on the track chosen late 2007 – revolutionary changes made incrementally. Biggest one this year, the free second currency of Pixels, was just launched a month ago. Several improvements are coming up for that, of course, and a whole lot of other stuff is in the works, or at least being thought of. We're trying not to hold anything longer than it absolutely needs to, so everything radically new continues to be launched sort-of unfinished and get improved along the way. It just ends up being so much better that way, as the feedback makes a significant contribution to the overall design.

This is a weird time. The world is reeling from what indeed may be the worst economic crisis in 75 years (though I'm not well versed enough in history to be able to tell myself), and still (or because of it?), opportunities lie all around, ignored by most. It's never easy to tell which direction is most promising, but now I'm finding it incredibly hard to choose and prioritize between the possible things to focus on. Still, 2009 is definitely going to be a year to really focus on even fewer things than usual, and really kick ass on those.

If you made it this far, thanks for reading. I wish you a great year 2009, whatever it is you're doing.

Tuesday 8 May 2007

What to do with OpenID...

OpenID is one of the technologies I've been coming across repeatedly in the past year or so, that very much feel like the right kind of response to things that are a constant ache in today's internet. In particular, it's a pain in the butt for a consumer to manage six thousand logins to individual services, and as a result, it's almost as much of a pain for a consumer service (like Habbo) to demand logins; no one really wants to create yet another. I'm pretty convinced that we don't really need to have a database full of passwords, and that we'd be better off without it.

What we need is a way to identify that whoever visited us before and wanted us to call her PrettyGirl87 last week is the same person who wants to be known by this name this week - and we need to know that because our other users might care about a thing like that. We also want to be able to reach the users later, so we'd like to know their email address, or some other means of communication.

Neither of these things actually requires us to ask her to come up with and remember Yet Another Password, if some other means of identifying the user existed. OpenID might be an answer, or at least part of one. So I'm one of many considering whether to support OpenID. I'm also thinking whether we should provide OpenID identity for those users who'd actually like to use Habbo to identify themselves (which would be wonderful for completely different kinds of reasons). But both of those questions really are quite clear: yes, we should. The difficult question is, should we do that instead of something else? Because that's the question that faces anything we might want to implement. And I haven't seen an argument convincing enough to put OpenID on the top of the pile yet. The demand probably isn't going to come from users - but what would be the thing to swing the balance?