SoylentNews is people

posted by Cactus on Saturday March 08 2014, @04:30PM
from the please-use-your-real-name dept.

elias writes:

"Persona was supposed to be Mozilla's 'single sign-on' solution, but it appears that the project is transitioning to community ownership.

According to Mozilla, Persona has received less adoption than they had hoped for by this point, so developers are being reassigned to other projects. Mozilla will continue to handle critical bugs, but any further development will need to come from the community. If you would like to get your hands dirty, LWN has a nice overview of the project, and the code can be obtained from Mozilla's GitHub repo.

Passwords are still one of the bottlenecks for safe internet use. Few people make a practice out of creating a unique password for every single website and system they access. What do you think, has OpenID won as the de facto standard for federated authentication? Does the 'Sign in with Facebook or Twitter' option offered on many sites already cover the people who would use a single sign-on, or is there room for innovation?"

  • (Score: 5, Interesting) by Boxzy on Saturday March 08 2014, @04:36PM

    by Boxzy (742) on Saturday March 08 2014, @04:36PM (#13221) Journal

    sign in. The community here and the interactions between individuals was enough to make me leave /. and create an account here. Every other site on the internet gets viewed through a no-script, flash-block, ghostery, web-of-trust, requestpolicy, modify headers, disconnect, greasemonkey series of veils to keep the turds off my machine.

    --
    Go green, Go Soylent.
    • (Score: 5, Insightful) by Angry Jesus on Saturday March 08 2014, @04:53PM

      by Angry Jesus (182) on Saturday March 08 2014, @04:53PM (#13224)

      Persona could have been significantly more pro-privacy than it was.

      They solved Open-ID's problem of exposing each login session to the identity provider. But they did not solve the problem of multiple websites collaborating to track your login sessions. Anyone who has been paying attention to Big Data knows that web-bug style behind-the-scenes collaborating tracking is a major, if not the major, means of tracking web usage nowadays.

      Instead of dealing with that risk, they ignored it in their design and downplayed it when anyone pointed it out. They made it mandatory to disclose your email address to each site you created a Persona account with, out of a claimed convenience for the user. Sure, you could have created a brand new email address for every different site, but man what a PITA that is.

      It's too bad, because everything else about Persona was great. But for someone who cares about privacy and security, that was a show-stopper. And given that the entire point of Persona was to improve privacy and security, they ended up really missing the boat.
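The cross-site linking described in the comment above, as an added example that is not part of the original thread and is not Persona code: two collaborating sites join their account tables on the identifier they were given. `pairwise_identifier`, the site URLs, the addresses and the secret are constructed assumptions; the per-site pseudonym is a hypothetical alternative, not something Persona implemented.

```python
import hashlib
import hmac

# Constructed sample data: two unrelated sites and the addresses used on each.
SITE_A = "https://forum.example"
SITE_B = "https://jobs.example"
ACCOUNTS = {
    SITE_A: ["alice@mail.example", "bob@mail.example"],
    SITE_B: ["alice@mail.example", "carol@mail.example"],
}
SECRET = b"constructed-demo-secret"  # assumed key held by whoever issues identifiers


def email_identifier(email, site):
    """The design criticised above: every site is handed the same email."""
    return email


def pairwise_identifier(email, site, secret=SECRET):
    """Hypothetical alternative: a stable pseudonym bound to one site."""
    msg = site.encode() + b"\x00" + email.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def site_table(site, make_id):
    """Identifiers a site ends up storing for its accounts."""
    return {make_id(email, site) for email in ACCOUNTS[site]}


def linked_accounts(make_id):
    """What two collaborating sites learn by joining their tables."""
    return sorted(site_table(SITE_A, make_id) & site_table(SITE_B, make_id))


if __name__ == "__main__":
    print("email as identifier:", linked_accounts(email_identifier))
    print("pairwise identifier:", linked_accounts(pairwise_identifier))
```
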

  • (Score: 2, Interesting) by Anonymous Coward on Saturday March 08 2014, @04:56PM

    by Anonymous Coward on Saturday March 08 2014, @04:56PM (#13226)

    Shibboleth-based federated login is on the march in the education world, and its proponents are offered high-level positions to implement it.

    It's not obvious to me yet why there is such a push for federated login among universities, but I suspect the publishing mafia have their hands in it somehow. "No reason to have to come from a university IP to use your subscriptions!", they'll say. But I'll bet a dollar that it is going to lead to CS students being denied access to biology papers, because the subscription only covers students in that field.

    Then there's the issue of the user information that gets sent along with an authentication. That's all decided by the individual school; the student has no ability to limit the disclosure.

  • (Score: 4, Interesting) by jackb_guppy on Saturday March 08 2014, @04:57PM

    by jackb_guppy (3560) on Saturday March 08 2014, @04:57PM (#13227)

    I tend to stay away from single sign on systems. To me they are insecure because a failure in one is a failure everywhere. Yes, I tend to use a few passwords that are patterned on a common theme, but I feel more secure since each site is 100% (85%) percent independent.

    Once Facebook or Google is offered as log in, more cross site tentacles tracking your activity.

  • (Score: 5, Informative) by mrider on Saturday March 08 2014, @05:21PM

    by mrider (3252) on Saturday March 08 2014, @05:21PM (#13237)

    I HATE when some random site wants to know one's life history before they'll let you know whether their product is blue or green. Fuck them.

    I start with http://10minutemail.com/10MinuteMail/index.html [10minutemail.com] for a throw-away email address. Then I go to Google maps for some random place, and look at nearby addresses. Then I make up a totally fake name, address, telephone number to use with the throw-away email. Generally I choose a name that incorporates the letters of the address in some fashion so that it looks semi-legit.

    --

    Doctor: "Do you hear voices?"

    Me: "Only when my bluetooth is charged."

    • (Score: 3, Funny) by Ethanol-fueled on Saturday March 08 2014, @05:35PM

      by Ethanol-fueled (2792) on Saturday March 08 2014, @05:35PM (#13242) Homepage

      Seconded with 10 minute mail, that site is awesome. Although a master login for all websites is a good idea in theory, it's a terrible idea in practice because greedy bastards are always trying to fuck things up. But let's not kid ourselves here, sloth is a big motivator for using a master login. I have different passwords for every critical site I use (banking etc.) and a simple password I use for sites like Soylent News where I'm already known as a troll anyway, so it wouldn't be any different in the eyes of the readership and administration if somebody stole my credentials and tried to sully my good name here.

      Finally, a tip on password ideas, what I do: Take a look at a piece of test equipment, like the ambient oxygen level on an O2 meter or the marker's amplitude reading on the noise floor of a specan, and use that value in your password. As an example, "SpecAnReads-60dbm."

      • (Score: 0) by Anonymous Coward on Saturday March 08 2014, @06:36PM

        by Anonymous Coward on Saturday March 08 2014, @06:36PM (#13261)

        Posting as AC due to Moderation in the thread.

        Ethanol-Fueled, you are often a troll, but there is a lot of logic and really good information in many of the things you say, once we get past the trollishness.

        Personally, I like much of what you put out, as there is value in it.

        Keep up the good work.

        • (Score: 1) by Yog-Yogguth on Sunday March 09 2014, @11:36AM

          by Yog-Yogguth (1862) Subscriber Badge on Sunday March 09 2014, @11:36AM (#13532) Journal

          People need to remember that it's okay to disagree completely that's all, there might be perfectly understandable or even valid reasons for arriving at opposing views. Add a little too much honesty and/or frustration or simply some unacceptable truth/lie and presto "troll".

          If the choice is between trolls and a sanitized clean internet devoid of serious (or silly for that matter) controversy, rants, venting, and disagreement then I'll gladly choose a daily overdose on trolls (and I'm good at scrolling) because we should all know what kind of ideas "hide" on the "clean" side (and btw fuck the NSA et al. etc.).

          That way the net tastes like electricity as it should, not toothpaste :)

          --
          Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
      • (Score: 0) by Anonymous Coward on Saturday March 08 2014, @08:57PM

        by Anonymous Coward on Saturday March 08 2014, @08:57PM (#13303)

        You're not the troll slashdot wants; but you're the troll slashdot DESERVES.

        Seriously though, glad to see you here. I enjoy your posts.

    • (Score: 2, Informative) by damnbunni on Sunday March 09 2014, @12:27AM

      by damnbunni (704) on Sunday March 09 2014, @12:27AM (#13377) Journal

      Try this for making up fake names: http://www.fakenamegenerator.com/gen-random-us-us.php [fakenamegenerator.com]

      It gives you a name, address, phone, email, username, password, birth date, mother's maiden name, credit card number/expiration/CVV, partial SSN, height, weight, car model, and other stuff.

      I've used it when sites want all that personal detail for no good reason.

  • (Score: 4, Informative) by MichaelDavidCrawford on Saturday March 08 2014, @05:21PM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday March 08 2014, @05:21PM (#13238) Homepage Journal

    The only time in my whole life I have ever used single sign-on, was when my entire company was going to attend a Microsoft Developer Tools Road Show in Halifax Nova Scotia, back in 2005.

    Admittedly the roadshow itself was worth attending, and I came away with some free tools, but what upset me was that despite that the presentation itself was free of charge, I had to register with MS' single sign-on just to get an invite.

    Microsoft Passport?

    I didn't have the headspace to sign up for a throwaway email so I used my work email. Happily I don't work there anymore, that Trihedral Engineering of Bedford is the reason why the Iranians are going to get back at us for Stuxnet and Flame. When I pointed out to the children I worked with - at the time I had seventeen years experience, they were all fresh out of school - that one wanted to use smart pointers and why, the company founder Glenn Wadden, a brilliant industrial control systems engineer and software architect but who should NOT be permitted near C++ source, specifically ordered me not to do that anymore, so I resigned in protest.

    The problem with single sign-on, is that whoever operates the single sign-on server knows all the websites one signs onto singly. I wouldn't have a problem with Richard Stallman operating a single sign-on service, but I sure as hell don't want Bill's marketroids knowing where I like to hang out.

    The Mozilla foundation is arguably trying to do the right thing through open source, but there is a lot of money behind Mozilla.

    So even at sites I visit regularly, like Careers 2.0 [stackoverflow.com], that offer single sign-on, I don't use it; I just register a local account.

    One more thing:

    If you use OpenID at Careers 2.0, then whoever operates OpenID knows you're looking for a new position. That is, if you catch my drift.

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: -1, Offtopic) by MichaelDavidCrawford on Saturday March 08 2014, @05:54PM

      by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Saturday March 08 2014, @05:54PM (#13247) Homepage Journal

      I see that work is coming along well today.

      Any chance we could all pull together as a team this morning, so as to deliver "-1, Insightful"?

      So far my most-moderated post got 11 moderations, I think came out to 5 overall.

      I'm shooting for a hundred moderations to "-1, Troll".

      "Fjord. Cold Fjord. Broken, Not Pasteurized."

      --
      Yes I Have No Bananas. [gofundme.com]
  • (Score: 2, Insightful) by PapayaSF on Saturday March 08 2014, @11:42PM

    by PapayaSF (1183) on Saturday March 08 2014, @11:42PM (#13357)

    Sure, there are fools and nuts who sign in with Facebook and will say all sorts of stupid and racist crap. But many of us like to comment freely (but politely), without future dates/employers being able to track down our online comments and use them against us. (I work in ultra-PC San Francisco, and I don't want my nuanced, largely libertarian views to prevent me from getting a gig.)

    So I think pseudonyms are crucial for the free exchange of ideas, even if the downside includes a lot of stupid, rude, and offensive comments.

  • (Score: 2, Interesting) by PoiBoy on Sunday March 09 2014, @12:27AM

    by PoiBoy (3713) on Sunday March 09 2014, @12:27AM (#13378)

    It may be entirely insecure, but I'd love to have my own dongle that I can plug into a USB port. As long as my dongle is plugged in, websites won't pester me for log in credentials--the USB is proof of who I am. If the dongle is lost or stolen, I can go to a master website and have it deactivated.

    Feasible?

    • (Score: 2) by jt on Sunday March 09 2014, @02:39AM

      by jt (2890) on Sunday March 09 2014, @02:39AM (#13413)

      Could this USB dongle be a flash drive with some kind of cryptographic key? After all, this would be the bit specific to you, and the hardware would be shared by all dongle owners. Perhaps a browser extension could be written to read this key from a file, maybe on a USB flash drive, and be used to authenticate you and/or encrypt your communications.

      The main problem here would be identity theft. It would be trivially simple to steal any dongle and use it to impersonate the principal. I would assume that copying the personally identifiable information from one dongle to another, or replay-attacking, or something similar, would be slightly more fiddly but fundamentally simple. Setting up a secure infrastructure to identify you to websites, and to use the dongle-supplied data to the identity service, would be possible but you'd have to trust that service to the same extent as a single sign-on service.
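The failure modes raised in the two comments above, as an added example that is not part of the original thread: a key file sent as a static token can be replayed, a single-use nonce challenge stops replay of a recorded exchange, and a copied key file still impersonates the owner until it is deactivated. The `Site` class, `dongle_answer` and the shared HMAC key are assumptions made for illustration; a deployed design would more likely use a public-key signature so the site holds no secret.

```python
import hashlib
import hmac
import secrets


class Site:
    """Relying site that knows the key registered for one dongle (assumed setup)."""

    def __init__(self, key):
        self._key = key
        self._pending = set()

    def login_static(self, token):
        # Weak scheme: the dongle simply sends the contents of its key file.
        return hmac.compare_digest(token, self._key)

    def challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login_response(self, nonce, response):
        # Each nonce is accepted once, so a recorded exchange is useless later.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def dongle_answer(key, nonce):
    """What the dongle (or a browser extension reading it) computes."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_scenarios():
    key = secrets.token_bytes(32)  # constructed stand-in for the key file
    site = Site(key)
    results = {}
    # 1. An eavesdropper records the static token and sends it again.
    results["static_replay"] = site.login_static(key)
    # 2. An eavesdropper records a nonce/response pair and sends it again.
    nonce = site.challenge()
    answer = dongle_answer(key, nonce)
    results["legit_login"] = site.login_response(nonce, answer)
    results["response_replay"] = site.login_response(nonce, answer)
    # 3. Someone holding a copy of the key file answers a fresh challenge.
    fresh = site.challenge()
    results["copied_key"] = site.login_response(fresh, dongle_answer(key, fresh))
    return results
```
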