Updates from June, 2008 Toggle Comment Threads | Keyboard Shortcuts

  • steve918 10:05 pm on June 30, 2008 Permalink | Reply
    Tags: , museum, oregon, ,   

    Fun in the Portland Sun. 

    This past weekend, the family and I went see Vidoop’s new office in Portland, OR. I got there expecting cool weather, cloud cover and rain, but it ended up being quite warm and sunny the entire time we were there.

    We arrived on Thursday and that evening ate a wonderful Peruvian dinner the with the Vidoop crew.

    Friday we received a two part guided tour of Portland from Kevin Fox of Vidoop. During the tour my wife and I made it a game to point out all of the Star Bucks and Toyota Priuses along the way and I have to say both were plentiful.

    After the tour we met with Jenny’s Aunt Judy who lives in Vancouver Washington for dinner and got lots of fun pictures with Noah’s third-cousins.

    Saturday morning we visited Washington park and it was very impressive. We only got to see a few of the venues there, but they were a blast.

    The Children’s Musem was an amazing amount of fun. I think I enjoyed it more than Noah did. He was fully engaged the entire time we were in there. As soon as we got him in his stroller and walked through the door he was out like a light. I really wish there was something like this in Tulsa (Especially when I was growing up). It could provide endless amounts of fun for young kids.

    Then just a short bus ride away we saw the International Rose Test Garden which was pretty amazing itself, but somehow we managed to land in Portland on the hottest day ever so we got tiered of walking around after a short period of time and found some shade to relax under and listen to a woman sing and play the harp.

    Saturday evening we had some beers and killer barbeque at the Kveton house.

    Overall it was a great deal of fun and Portland is a beautiful city.

     
  • steve918 10:42 pm on June 25, 2008 Permalink | Reply
    Tags: , , trip,   

    Westward Bound 

    I’m really excited about taking a family trip down to Portland. We’re going down to see the new office and spend a couple of days checkout out the town. Some things I’m hoping to see:

    • Oregon Zoo
    • International Test Rose Garden
    • Children’s Museum
    • Powell’s Books

    I would be down for some Beer and Blog with the rest of the Vidoopers, but I’m bringing my 18 month old and my wife so we’re going to be checking out all of the fun family places in town. It’s our first family trip so we’re all really excited about it. We’re hoping the little one makes the trip without to much fuss. I was 18 _years_ old before my first airplane ride and Noah is only 18 months.

     
  • steve918 12:07 am on June 25, 2008 Permalink | Reply
    Tags: , single-sign-on, sso, user-centric   

    Why I'm against OpenID Whitelisting 

    So let’s talk about what OpenID whitelisting really is. It’s essentially a way of saying we don’t trust our users to store their identity securely and we’re not ready to deal with what happens when they loose it. Which really isn’t anything new. Right?

    Today we trust users with their passwords, but only because we haven’t figured out how to tattoo it on their forehead in a way that prevents sharing. We also trust users to choose a reliable email provider so that when they forget the password to our site we have a way to help them retrieve it. Again we don’t really like giving the user such great responsibility, we just haven’t come up with a way to trust them less.

    We trust users as long as they play within the padded walls we enclose them in. Whitelisting is essentially adding padded rooms to the places we let our users into, when all they really need is a helmet and some knee pads.

    If it’s truly a matter of not trusting all of the identity providers out there, then maybe we should be focusing on ways to assert and secure that trust instead of choosing sides and picking partners. Maybe it means certification or accreditation; certainly not my favorite solution, but at least it establishes a level playing field and gives the user some real options that actually reduce their current username/password problems. This way we trust our users to choose as long as we have control and/or reassurance that the choices they have to pick from are good ones. But none of this is necessary provided we actually trust users to manage their own identity in the first place.

    If we really want to build a user-centric single-sign-on solution then we have to start taking off the training wheels and give users some control of their identity. I understand it a scary world out there, but lets focus on ways to protect them instead of sheltering them.

     
  • steve918 1:07 am on June 8, 2008 Permalink | Reply  

    Why PayPal Security Tokens = FAIL 

    I had a bit of trouble last night trying to purchase something on eBay and despite much frustration and hours chatting with eBay reps, I’m still unable to login to my eBay account due to a mishap involving my PayPal security token, a 1-year-old and a glass of water.

    It is pretty obvious to me that none of the 6 representatives I spoke to even knew WTF a PayPal Security Key was. In fact the typical conversation went something like this:

    • Rep: Can I help you?
    • Me: I can’t login to my eBay account, my PapPay Security Key is broken.
    • Rep: So do you need to talk to PayPal account support?
    • Me: No… I can login to PayPal just fine, I can’t login to eBay.
    • Rep: Ok, let me transfer you.
    • Me: EFF!

    So rinse and repeat that about 6-7 times over two hours and you got the idea.

    What’s really messed up about the whole process is that I was able to easily recover my PaPal account because of their insecure recovery process that just requires evilbadguy to phish a couple of secret questions from me, making the whole security thing kind of comical.

    (Un)Fortunately eBay’s recovery method is a bit more secure. They call the contact phone number you have listed on your account and read off a security code for you to use to access your account. This would be great if I hadn’t fat-fingered my phone number and it was off by 1 digit. Unfortunately explaining that to a support rep just results in to them guiding you to your account page and asking you to login in…

    So apparently I am perma-screwed as far as eBay is concerned. Which I suppose is fine, I’m not sure I’m really interested in doing business with someone who can’t provide adequate tools and training to their support people.

    PayPal really doesn’t have their shit together anymore than eBay does, they just obviously understand people typically care more about convenience over security, which is true for the kind of people who don’t purchase a SECURITY token.

    In addition, security tokens are a huge pain in the ass. PayPal/eBay only allows you to have one per account, which meant my wife sending me a message every time she wanted to bid on some item that was under a dollar with 7 days left. I’m definitely bias toward easy multi-factor security and for good reason, having experienced the alternatives.

    I dream of the day when I truly control my own account information, so that when I can’t login to an OpenID powered auction site I just reboot my damn server instead of talking on the phone to customer support for two hours.

     
c
Compose new post
j
Next post/Next comment
k
Previous post/Previous comment
r
Reply
e
Edit
o
Show/Hide comments
t
Go to top
l
Go to login
h
Show/Hide help
shift + esc
Cancel