Updates from December, 2007

  • steve918 11:59 am on December 18, 2007

    Wacky bugs

    Mac Users BEWARE:
    This one is probably one of the nastiest bugs I’ve seen in a while:


    http://www.tuaw.com/2007/12/16/quickbooks-users-be-cautious-of-recent-update/

    I know someone personally who was bitten by this one. Upgrading QuickBooks will actually delete your entire Desktop folder and all of its contents. There are a couple of suggested work-arounds people have posted. Intuit really let this one slip through.

    Apparently the guys at Microsoft work really hard. In fact, in order to have more productive months, they have extended them to 49.7 days. Here is some evidence that it must be so:

    MSSQL

    http://support.microsoft.com/kb/930484

    Internet Explorer 6

    http://support.microsoft.com/kb/904161

    Windows 95/98

    http://support.microsoft.com/kb/q216641/

    Actually it turns out there are exactly 4,294,967,296 (the size of a DWORD) seconds in 49.7 days, which seems to be the common thread in each of these bugs. It appears running Windows Update should have fixed all of these issues some time ago, but as a software developer I can always appreciate a neat bug.
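    The common thread in the three Microsoft KB articles above is a 32-bit millisecond uptime counter: 2^32 milliseconds is about 49.7 days, after which the counter wraps to zero and any code that compares raw counter values against an absolute deadline stops working. The following C program is an added example, not code from the original post or from any of the affected products; it models such a counter with constructed readings that straddle the wrap and contrasts a timeout check that breaks at the wrap with one that survives it. The function names and the sample values are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the original post. It models a 32-bit
 * millisecond uptime counter (the kind GetTickCount() returns) that wraps
 * to zero after 2^32 ms, about 49.7 days, and contrasts a timeout check
 * that breaks at the wrap with one that survives it. */

/* Elapsed milliseconds between two counter readings. Unsigned subtraction
 * is defined modulo 2^32, so the result is correct across a wrap as long
 * as fewer than 2^32 ms separate the two readings. */
uint32_t elapsed_ms(uint32_t now, uint32_t start)
{
    return now - start;
}

/* Buggy check: computes the absolute deadline in 64 bits and compares the
 * raw counter against it. Once the counter wraps, 'now' is small and the
 * deadline is huge, so the timeout never fires (a watchdog or session
 * expiry built this way silently stops working on day 50). */
bool timeout_expired_naive(uint32_t now, uint32_t start, uint32_t timeout_ms)
{
    uint64_t deadline = (uint64_t)start + timeout_ms;
    return (uint64_t)now >= deadline;
}

/* Correct check: compares the elapsed interval, never absolute values. */
bool timeout_expired(uint32_t now, uint32_t start, uint32_t timeout_ms)
{
    return elapsed_ms(now, start) >= timeout_ms;
}

/* Drives both checks with constructed counter readings that straddle the
 * wrap: 'start' is 4096 ms before the wrap, 'now' is 8192 ms after it,
 * so 12288 ms have really elapsed. */
int main(void)
{
    const uint32_t start = 0xFFFFF000u;  /* constructed: 4096 ms before wrap */
    const uint32_t now   = 0x00002000u;  /* constructed: 8192 ms after wrap  */
    const uint32_t timeout_ms = 10000u;  /* 10 s timeout */

    printf("elapsed: %u ms\n", elapsed_ms(now, start));
    printf("naive check says expired: %s\n",
           timeout_expired_naive(now, start, timeout_ms) ? "yes" : "no");
    printf("wrap-safe check says expired: %s\n",
           timeout_expired(now, start, timeout_ms) ? "yes" : "no");
    return 0;
}
```

    The wrap-safe form only holds while fewer than 2^32 ms separate the two readings; code that must measure longer intervals should use a wider counter (on Windows, GetTickCount64) rather than patching up the 32-bit one.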

  • steve918 12:33 pm on December 5, 2007

    OpenID: Trust and Liability

    My co-worker (Sam) and I led a session at IIW called “OpenID Security and Privacy”, and as the conversation evolved it occurred to me that even though these issues exist in OpenID today, the real hurdles are going to be trust and liability.

    There are many companies and products doing things to improve security for OpenID. Verisign’s seat-belt plugin is excellent at thwarting phishing. Vidoop defeats keylogging and automated attacks. The sad truth is your OpenID login is already likely to be more secure than your bank’s login. There are solutions to the current security issues facing OpenID. Some of the solutions are already available; others will take some time to implement and may require your browser to be a bit smarter, but we know how to solve these problems.

    There seems to be a lot of talk about trust between identity providers and relying parties. Quite a few people have suggested that there needs to be some method for a relying party to assert some level of trust with any given identity provider. Suggested methods for doing so are IdP certification or some sort of rating/reputation system. There is a lot of resistance to either of these things because it makes it hard for users to implement their own IdP.

    Many potential OpenID reliers have a lot of trouble with the fact that anyone can roll their own IdP. The argument is that the RPs shouldn’t trust every IdP out there, because evil-bad-guy can create his own IdP. This is really only true for RPs who don’t already have an existing relationship with the user (typically low-risk transactions). For most high-risk transactions between an RP and an end user there is already an existing relationship. For example, you already have a bank account with your bank. So when you go to log into them with your OpenID it’s really not important that they trust your IdP, because the first time you logged in with that OpenID they could verify you are who you say you are via some other channel. So the really important trust relationship is between the user and the IdP. It’s important that the user select an IdP they can trust, who provides good security for their identity. The thing is, users do this sort of thing every day. Users decide who to trust with their identity every time they are online. They choose to trust PayPal, Amazon, and eBay with their bank account information. Users already make decisions about who to trust with their identity.

    The real problem is liability. What happens when evil-bad-guy signs into Jane’s bank account with her OpenID and steals all her money? Is the bank at fault, or is the identity provider at fault for falsely identifying the user? Companies have a really hard time buying into a technology when they don’t have someone to sue when things go wrong.

  • steve918 10:24 am on December 4, 2007

    Coolest hardware authentication device ever from Yubico.

    I’m not typically a big fan of hardware tokens, but I discovered a neat little device at IIW that takes the cake when it comes to hardware-based authentication. The YubiCard is an incredibly small device; it requires no drivers at all and doesn’t need an LCD screen. In addition to being the coolest hardware token I have ever seen, it has to be one of the cheapest to produce.

    The way it works is that you plug it into any USB port on your computer; then when you go to a website to log in, all you have to do is tab over to the password field and touch your YubiCard (no buttons; it’s touch-sensitive), and the YubiCard “types” in your one-time password for you just as if it were a keyboard device.
