Re: [Full-disclosure] sans handler gives out n3td3v e-mail to public

2008-03-23 Thread taneja . security
I think this is the worst and most alarming situation, where a SANS-like
organization is behaving this way. From now on nobody will report
info to SANS... E+1 t+1 b+1 j+1 it OFF!!!


On 3/23/08, n3td3v [EMAIL PROTECTED] wrote:

 On Fri, Mar 21, 2008 at 8:14 PM, atlas [EMAIL PROTECTED] wrote:
  So I ask the question... did sfirefinch actually breach privacy?

 SANS institute hasn't made a public statement yet... they are probably
 waiting until Monday.

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


[Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Steven Rakick
Hello list,

I'm curious what the group thinks about the recent
surge in support for OpenID across the web and the
impact it will have.

1) Beemba - http://www.beemba.com
2) ClaimID - http://www.claimid.com
3) MyOpenID - http://www.myopenid.com
4) Many others...

These sites are gaining in popularity quickly and with
the announcements of support from big players Yahoo,
AOL, Microsoft and Google, combined with smaller
web2.0 celeb-run sites like Digg, OpenID appears to
be what will eventually be the norm.

Thoughts?

I've also noticed that many of these sites are
bundling Information Card support (CardSpace on
Windows). Sounds like a good idea as it complements
OpenID and helps address some weaknesses. 

Again, any thoughts?

I'm really just interested in a dialog. 

-sr


  



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Paul Schmehl
--On Sunday, March 23, 2008 5:18 AM -0700 Steven Rakick 
[EMAIL PROTECTED] wrote:

 Hello list,

 I'm curious what the group thinks about the recent
 surge in support for OpenID across the web and the
 impact it will have.

 1) Beemba - http://www.beemba.com
 2) ClaimID - http://www.claimid.com
 3) MyOpenID - http://www.myopenid.com
 4) Many others...

 These sites are gaining in popularity quickly and with
 the announcements of support from big players Yahoo,
 AOL, Microsoft and Google, combined with smaller
 web2.0 celeb-run sites like Digg, OpenID appears to
 be what will eventually be the norm.

 Thoughts?


In general, I am opposed to anything that encourages people to use the same 
id and password across multiple domains.  The potential for complete 
compromise of everything you have/own/are is too great.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread fabio
There are more complications: whoever owns/controls the service can track 
your movements between different web places, profiling your common 
habits/preferences. How long before banners follow your navigation 
through different websites where you use the same identity token?

CtrlAltCa

Paul Schmehl wrote:
 
 In general, I am opposed to anything that encourages people to use the same 
 id and password across multiple domains.  The potential for complete 
 compromise of everything you have/own/are is too great.
 


Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Kern
OpenID represents (at least to the OSS world) the unified login structure
that has been the proprietary advantage of Microsoft for so long.  This will
be an excellent technology for business to use internally (who control their
own servers and services).  It allows the capabilities of Single Sign On
(SSO) to find a wider audience.

I did use OpenID for a few services  . . . it was nice, but I began to worry
about outages on the OpenID server.  If that server goes down, I may not be
able to log on to anything.  But in response to the previous statement:

In general, I am opposed to anything that encourages people to use the same
id and password across multiple domains.  The potential for complete
compromise of everything you have/own/are is too great.


In part I do agree. SSO can be dangerous, but it can also benefit the end
user. As an example: I have 15 websites that I use: banking, gmail, forums,
etc. Many people ALREADY have ONE or TWO password and user name combinations
for all of these websites.  If there is a compromise in the database of a
forum that I use, the recipients of this data now have my bank account login
as well as many other valid logins.

From my understanding this scenario would not be possible with OpenID, as all
of the password hashes are stored on the OpenID servers, not in separate
databases on each website that I access.  But now, because of the lack of
unified auditing (OpenID keeps track of the authentication attempts) and my
inability to change passwords on all of the sites that I access at the same
time, I have to go to every web site that I access and change my user name
and password.

As far as the general public is concerned . . . I would recommend it in
limited use cases until the technology becomes more distributed and mature.
 The reliance of One Login to Rule Them All can be very dangerous.

Ideally the best way to go about this would be to create a replication
system (like DNS or USENET) where an update on one server is then made
available to all servers connected to the OpenID network (that network,
being worldwide, and moving transparently across political and business
borders).  But then OpenID can become a means to control access to
services. Imagine worst-case scenarios: rogue OpenID servers, governments
denying access to seditious users, identity theft on a grand scale, etc.

That being said; these scenarios (and many more) will keep Full Disclosure
and Computer Security Experts in business for a long long time.

As computers move away from a standalone platform and towards an always
networked application interface, we will need this OpenID model.  But it
needs a lot of work, and a lot of field testing.

--Joseph Kern


[Full-disclosure] [ MDVSA-2008:075 ] - Updated bzip2 packages fix denial of service vulnerability

2008-03-23 Thread security

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___
 
 Mandriva Linux Security Advisory MDVSA-2008:075
 http://www.mandriva.com/security/
 ___
 
 Package : bzip2
 Date: March 23, 2008
 Affected: 2007.0, 2007.1, 2008.0, Corporate 3.0, Corporate 4.0,
   Multi Network Firewall 2.0
 ___
 
 Problem Description:
 
 Bzip2 versions before 1.0.5 are vulnerable to a denial of service
 attack via malicious compressed data.
 
 The updated packages have been patched to prevent the issue.
 ___

 References:
 
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1372
 ___
 
 Updated Packages:
 
 Mandriva Linux 2007.0:
 d7ec22e71581a3f3b8482d69a6310045  2007.0/i586/bzip2-1.0.3-6.1mdv2007.0.i586.rpm
 6698bcb0d8e5e7c4af5d9577301a0d48  2007.0/i586/libbzip2_1-1.0.3-6.1mdv2007.0.i586.rpm
 3558992b5f4f864d4d77d609c54455c6  2007.0/i586/libbzip2_1-devel-1.0.3-6.1mdv2007.0.i586.rpm
 5f6aade9d8b336a05d676d17eb3d4d62  2007.0/SRPMS/bzip2-1.0.3-6.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 f8df805e9268ffe67cf1c2c212ef04d5  2007.0/x86_64/bzip2-1.0.3-6.1mdv2007.0.x86_64.rpm
 58558f1cb97936b06b67c9c235c65517  2007.0/x86_64/lib64bzip2_1-1.0.3-6.1mdv2007.0.x86_64.rpm
 009ba4b9c280c0d56e10f4e75f23bc94  2007.0/x86_64/lib64bzip2_1-devel-1.0.3-6.1mdv2007.0.x86_64.rpm
 5f6aade9d8b336a05d676d17eb3d4d62  2007.0/SRPMS/bzip2-1.0.3-6.1mdv2007.0.src.rpm

 Mandriva Linux 2007.1:
 1389e0beda990aa84af7ae94793526b3  2007.1/i586/bzip2-1.0.4-1.1mdv2007.1.i586.rpm
 9c7e8bfac1f7ac9f07bc050c3df6f8c1  2007.1/i586/libbzip2_1-1.0.4-1.1mdv2007.1.i586.rpm
 e26e2d2a349f2d2544b476e3c27b7ba1  2007.1/i586/libbzip2_1-devel-1.0.4-1.1mdv2007.1.i586.rpm
 ef241d50e1564d017eead857ba1bca68  2007.1/SRPMS/bzip2-1.0.4-1.1mdv2007.1.src.rpm

 Mandriva Linux 2007.1/X86_64:
 02f720b94ab3622adb12d27a9b0bcff8  2007.1/x86_64/bzip2-1.0.4-1.1mdv2007.1.x86_64.rpm
 d7d70f134895fbf1c73148ff0b218d20  2007.1/x86_64/lib64bzip2_1-1.0.4-1.1mdv2007.1.x86_64.rpm
 89b13bb16b9212513aa2b90405de07fa  2007.1/x86_64/lib64bzip2_1-devel-1.0.4-1.1mdv2007.1.x86_64.rpm
 ef241d50e1564d017eead857ba1bca68  2007.1/SRPMS/bzip2-1.0.4-1.1mdv2007.1.src.rpm

 Mandriva Linux 2008.0:
 b20b1778b84d5862d273c93928ea3586  2008.0/i586/bzip2-1.0.4-2.1mdv2008.0.i586.rpm
 e69979ee6cae516a3251ea277f0b41b3  2008.0/i586/libbzip2_1-1.0.4-2.1mdv2008.0.i586.rpm
 9f871864bd0d87f383fa836a83c16739  2008.0/i586/libbzip2_1-devel-1.0.4-2.1mdv2008.0.i586.rpm
 06bbfb1a27cfb8283cb54fec90877000  2008.0/SRPMS/bzip2-1.0.4-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 a5232c78a8556018adb3f777fd533e86  2008.0/x86_64/bzip2-1.0.4-2.1mdv2008.0.x86_64.rpm
 3c58e84746fdd94f689f358692ef917e  2008.0/x86_64/lib64bzip2_1-1.0.4-2.1mdv2008.0.x86_64.rpm
 66d7a3b544e5fda5c64af19e5ff1c117  2008.0/x86_64/lib64bzip2_1-devel-1.0.4-2.1mdv2008.0.x86_64.rpm
 06bbfb1a27cfb8283cb54fec90877000  2008.0/SRPMS/bzip2-1.0.4-2.1mdv2008.0.src.rpm

 Corporate 3.0:
 197212b185073ae1cd28dfd6e962907c  corporate/3.0/i586/bzip2-1.0.2-17.5.C30mdk.i586.rpm
 566a9bc102a67b5979adab8490d72a3d  corporate/3.0/i586/libbzip2_1-1.0.2-17.5.C30mdk.i586.rpm
 03faec871e264e5e13ed7d3d4054effa  corporate/3.0/i586/libbzip2_1-devel-1.0.2-17.5.C30mdk.i586.rpm
 9e3a038f1824a3d294c1b58bcd5d8d2a  corporate/3.0/SRPMS/bzip2-1.0.2-17.5.C30mdk.src.rpm

 Corporate 3.0/X86_64:
 e9137338bd9e2fec22cf34f8dd08e024  corporate/3.0/x86_64/bzip2-1.0.2-17.5.C30mdk.x86_64.rpm
 8385be2baa4f10e47a9b0e382103281e  corporate/3.0/x86_64/lib64bzip2_1-1.0.2-17.5.C30mdk.x86_64.rpm
 aa724051a95ec66cfb1961ce532ba9af  corporate/3.0/x86_64/lib64bzip2_1-devel-1.0.2-17.5.C30mdk.x86_64.rpm
 9e3a038f1824a3d294c1b58bcd5d8d2a  corporate/3.0/SRPMS/bzip2-1.0.2-17.5.C30mdk.src.rpm

 Corporate 4.0:
 43c2884e3f37d6cd36fdc7496ff095f8  corporate/4.0/i586/bzip2-1.0.3-1.3.20060mlcs4.i586.rpm
 fa484966a13c0deb5d5a324c9e7bce03  corporate/4.0/i586/libbzip2_1-1.0.3-1.3.20060mlcs4.i586.rpm
 0fb3793ebb134cfd0079624d16e2b7aa  corporate/4.0/i586/libbzip2_1-devel-1.0.3-1.3.20060mlcs4.i586.rpm
 63df10cb7218c2aaa90c92a64ef4fe7b  corporate/4.0/SRPMS/bzip2-1.0.3-1.3.20060mlcs4.src.rpm

 Corporate 4.0/X86_64:
 d93be85bc254492e1e9cffe621829915  corporate/4.0/x86_64/bzip2-1.0.3-1.3.20060mlcs4.x86_64.rpm
 d58a247591e813b1a35288ac783cb923  corporate/4.0/x86_64/lib64bzip2_1-1.0.3-1.3.20060mlcs4.x86_64.rpm
 dcb647a39aed74d14a9b5e855ffc9470  corporate/4.0/x86_64/lib64bzip2_1-devel-1.0.3-1.3.20060mlcs4.x86_64.rpm
 63df10cb7218c2aaa90c92a64ef4fe7b  corporate/4.0/SRPMS/bzip2-1.0.3-1.3.20060mlcs4.src.rpm

 Multi Network Firewall 2.0:
 195b188697db7d58b13eba19ad569276  mnf/2.0/i586/bzip2-1.0.2-17.5.M20mdk.i586.rpm
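The checksum list above only helps if someone actually compares it against what was downloaded. What follows is an added example, not code from Mandriva or from the advisory; the function names are hypothetical and the sample text is copied from the advisory as it arrives by mail, where each entry is an MD5 followed by a package path and long paths are wrapped onto the following line by the mailer. The parser joins those wrapped entries, and the checker reports each package as ok, MISMATCH or missing. One caveat a practitioner should keep in mind: an MD5 match only rules out corruption or a swapped file. The trust anchor is the PGP signature over the advisory itself and rpm's own signature check on the packages, so verify both of those as well.

```python
"""Check downloaded packages against the checksum list in a Mandriva-style
advisory.  Added example, not code from Mandriva or from the advisory;
the function names are hypothetical.  The sample text is copied from
MDVSA-2008:075 as it arrives by mail: each entry is an MD5 followed by a
path, and a long path is wrapped onto the following line by the mailer."""
import hashlib
import os
import re

# Constructed sample: four real entries from the advisory above, two of
# them with the path wrapped onto the next line.
SAMPLE_ADVISORY = """\
 Updated Packages:
 
 Mandriva Linux 2007.0:
 d7ec22e71581a3f3b8482d69a6310045  2007.0/i586/bzip2-1.0.3-6.1mdv2007.0.i586.rpm
 6698bcb0d8e5e7c4af5d9577301a0d48  
2007.0/i586/libbzip2_1-1.0.3-6.1mdv2007.0.i586.rpm
 5f6aade9d8b336a05d676d17eb3d4d62  2007.0/SRPMS/bzip2-1.0.3-6.1mdv2007.0.src.rpm

 Mandriva Linux 2007.0/X86_64:
 f8df805e9268ffe67cf1c2c212ef04d5  
2007.0/x86_64/bzip2-1.0.3-6.1mdv2007.0.x86_64.rpm
"""

# An MD5 (32 hex digits) optionally followed by the package path.
ENTRY_RE = re.compile(r"^\s*([0-9a-f]{32})\s*(\S+)?\s*$")


def parse_updated_packages(text):
    """Return {relative_path: md5} for every entry in the advisory text.
    When the path was wrapped onto the next line, the two lines are
    joined; section headers and blank lines are skipped."""
    lines = text.splitlines()
    entries = {}
    i = 0
    while i < len(lines):
        match = ENTRY_RE.match(lines[i])
        if match:
            digest, path = match.group(1), match.group(2)
            if path is None and i + 1 < len(lines):
                # The mailer wrapped the path onto the following line.
                i += 1
                path = lines[i].strip()
            if path:
                entries[path] = digest
        i += 1
    return entries


def md5_hex(data):
    """MD5 of a byte string as lowercase hex, the form the advisory uses."""
    return hashlib.md5(data).hexdigest()


def reader_for_directory(download_dir):
    """Return a function that maps an advisory-relative path to the bytes
    of that file under download_dir, or None if it is absent."""
    def read(rel_path):
        local = os.path.join(download_dir, rel_path)
        if not os.path.isfile(local):
            return None
        with open(local, "rb") as f:
            return f.read()
    return read


def verify_downloads(expected, read):
    """Compare each expected (path, md5) against read(path) and report
    'ok', 'MISMATCH' or 'missing'.  MD5 only catches corruption or a
    swapped file; authenticity rests on the PGP signature over the advisory
    and on rpm's own signature check of the packages."""
    results = {}
    for rel_path, digest in expected.items():
        data = read(rel_path)
        if data is None:
            results[rel_path] = "missing"
        elif md5_hex(data) == digest:
            results[rel_path] = "ok"
        else:
            results[rel_path] = "MISMATCH"
    return results


if __name__ == "__main__":
    import sys
    # Usage: python check_advisory.py <directory holding the .rpm files>
    download_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    expected = parse_updated_packages(SAMPLE_ADVISORY)
    report = verify_downloads(expected, reader_for_directory(download_dir))
    for rel_path, status in sorted(report.items()):
        print(f"{status:8s} {rel_path}")
```

Run it against the directory the packages were mirrored into; a MISMATCH on the SRPM that appears twice in the list (once per architecture) is a quick way to notice that the same source package was fetched from two different mirrors. To check a full advisory rather than the excerpt, paste the whole "Updated Packages" section in place of SAMPLE_ADVISORY, including the wrapped lines as your mail client shows them.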
 

Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Petko D. Petkov
Hi Steven,

I guess most 1337 hax0rs will flame you on this list. There are good
security blogs you can follow and learn from instead. Full-disclosure
is for rants and bashing only!

I can point you to some articles that I wrote regarding OpenID,
however, let me share my thoughts quickly as that will save you some
time and of course if you are still curious you can go research
further.

First of all, OpenID is a very simple but rather useful technology.
With OpenID you have only one account, your ID, which you can use
everywhere where the OpenID technology is supported. It is not clear
whether this setup is more secure from what we have at the moment
(every site forces you to register unique username/password pair) but
it is definitely more convenient. The first argument for OpenID is
that the more you share your secrets (credit card information,
usernames, passwords), the higher the chances of this information being
leaked or stolen. On the other hand, OpenID is prone to phishing
attacks, so user education is required.

Think about OpenID as the equivalent of PayPal for authentication. In
theory, it is more secure to pay through paypal as you are not sharing
your credit card information with everyone else but a single provider.

I am all for OpenID as you can spend good time on securing a single
system. If the OpenID provider is not vulnerable to common Web attacks
and it provides good privacy mechanisms such as SSL, on top of
which are built good authentication features such as one-time tokens,
etc., then OpenID is the preferable choice. Keep in mind though,
that if your OpenID account is hacked, the attacker will be able to
login as you anywhere they want. This is the main concern and
disadvantage.

pdp

P.S. dear list, the only reason I am not private-messaging Steven is
because I believe that there are other people who are interested in
this topic. So, instead of wasting valuable resources and energy
answering everyone individually, I've decided to do it once hoping
that this message will be seen by others. Thanks!





-- 

Petko D. (pdp) Petkov | GNUCITIZEN | Hakiri | Spin Hunters

gnucitizen.org | hakiri.org | spinhunters.org



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread reepex
thats right pdp  - go run to your protected lists and blogs where you don't
have to hear anything negative and where you can flame people without
contest who talk against you.

you are another Bill O'Reilly and everyone thinks of you as such. enjoy your
sheep.



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Paul Schmehl
--On March 23, 2008 2:52:53 PM + Petko D. Petkov 
[EMAIL PROTECTED] wrote:

 First of all, OpenID is a very simple but rather useful technology.
 With OpenID you have only one account, your ID, which you can use
 everywhere where the OpenID technology is supported. It is not clear
 whether this setup is more secure from what we have at the moment
 (every site forces you to register unique username/password pair) but
 it is definitely more convenient.

Yes, and convenience is often the enemy of security.

 The first argument for OpenID is
 that the more you share your secrets, credits card information,
 usernames, password, the higher the chances this information to be
 leaked or stolen. On the other hand, OpenID is prone to phishing
 attacks so user education is required.


However, with OpenID, all I have to do is figure out how to capture your 
credentials (which does not require that I compromise OpenID), and I can 
own everything that you own.  At least with the disparate systems we have 
now you only get those things where I've been foolish enough to use the 
same credentials.  Even then you have to figure out what those systems 
are.  With OpenID I simply try every site that uses OpenID, trivial to do 
programmatically.

 Think about OpenID as the equivalent of PayPal for authentication. In
 theory, it is more secure to pay through paypal as you are not sharing
 your credit card information with everyone else but a single provider.


There's a reason I don't use Paypal..

 I am all for OpenID as you can spend good time on securing a single
 system. If the OpenID provider is not vulnerable to common Web attacks
 and it provides good privacy mechanisms such as SSL and the top of
 which are build good authentication features such as one-time tokens,
 etc then OpenID is the preferable choice.

The problem is, I have to trust the OpenID provider to both secure his/her 
systems and hire trustworthy help.  I have to do the same locally, but I 
have a great deal more control and ability to monitor.

 Keep in mind though,
 that if your OpenID account is hacked, the attacker will be able to
 login as you anywhere they want. This is the main concern and
 disadvantage.


And that is a *huge* disadvantage.

Now, there is no doubt that we need better user education.  Users *must* 
learn not to trust everything they get in email.  They must also learn to 
use good passwords and not reuse them on every site they visit.  There's 
also no doubt that some sites will do a lousy job of security and end up 
exposing a person's credentials (which is why you should use different 
credentials on every site.)

We also need some sites to do a better job of requiring strong passwords. 
(Some still require only alpha-numeric characters and too few maximum 
characters.)

But the idea that SSO makes sense outside the context of a single entity 
that controls its userbase is misbegotten, in my opinion.  The individual 
*user* should control their credentials, not some foreign entity, no 
matter how trustworthy they may claim to be.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Larry Seltzer
It's worth pointing out that some OpenID providers are better than
others. An OpenID provider could implement 2-factor authentication, and
some have
(http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/),
or other features which could strengthen it.

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blogs.pcmag.com/securitywatch/
Contributing Editor, PC Magazine
[EMAIL PROTECTED]



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Steven Rakick
Many of you have brought up that OpenID is vulnerable
to phishing and have highlighted weaknesses specific to
traditional username/password authentication.

This was the main reason I brought up Information Cards
in my original post. I've noticed that Beemba
(http://www.beemba.com) and MyOpenID
(http://www.myopenid.com) have both implemented
Information Cards as an authentication option. 

Good idea?

It seems to me that if you were to rely on Information
Cards as opposed to username/password the phishing
angle is mitigated. Is this not the case?

-sr


  



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Paul Schmehl
--On March 23, 2008 4:16:28 PM -0700 Steven Rakick 
[EMAIL PROTECTED] wrote:

 Many of you have brought up that OpenID is vulnerable
 to phishing and have highlighted weaknesses specific to
 traditional username/password authentication.

 This was the main reason I brought up Information Cards
 in my original post. I've noticed that Beemba
 (http://www.beemba.com) and MyOpenID
 (http://www.myopenid.com) have both implemented
 Information Cards as an authentication option.

 Good idea?

 It seems to me that if you were to rely on Information
 Cards as opposed to username/password the phishing
 angle is mitigated. Is this not the case?


Beemba doesn't appear to have any online FAQ or help.  MyOpenID points to 
further information which leads to this:

With OpenID, you don’t have to sign up and create a new account for 
each site that supports OpenID – you can just use the identity you 
already have. Hundreds of millions of OpenIDs already exist, and it is 
likely that you already have one from a service you use.

Nice to know that someone is creating identities for me without my 
knowledge.  With an ethical stance like that, why should I trust them to 
make my ID secure as well?

I don't see any information at all about Information Cards.  Perhaps you 
could provide a link?

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/


Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Paul Schmehl
--On March 23, 2008 7:20:55 PM -0400 Larry Seltzer 
[EMAIL PROTECTED] wrote:

 It's worth pointing out that some OpenID providers are better than
 others. An OpenID provider could implement 2-factor authentication, and
 some have
 (http://www.infrastructure.ziffdavisenterprise.com/c/a/Blogs/OpenID-In-Hardware/),
 or other features which could strengthen it.


Yes, but you're still placing your trust, for all the most important 
information about yourself, in the hands of a third party.  That third 
party's reputation relies on being able to deny a breach of their systems, 
so their primary motivation would not be to help you solve your problem 
but to deny that it was caused by them.  Insisting, for example, that you 
used the system incorrectly is a favored tactic of providers who offer 
similar decoupled authentication schemes.

Given the choice between placing that trust in *one* provider, potentially 
exposing everything about myself, I think a system that relies on *me* to 
release my information voluntarily when I choose makes more sense from a 
security perspective.  IOW, it is the owner of the data that should retain 
absolute control over that data.  (And no, credit card companies don't own 
my data.  Nor do merchants.  I do.  They have a responsibility to handle 
my data with the utmost care, and if they fail in their duty to protect, I 
have the ability to refuse to any longer do business with them.)

I understand the attractiveness of not having to remember lots of IDs and 
passwords, but when you give up control of your data, you give up control 
of your future.

Paul Schmehl ([EMAIL PROTECTED])
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Kurt Buff
On 3/23/08, Larry Seltzer [EMAIL PROTECTED] wrote:
 I understand the attractiveness of not having to remember lots of IDs
 and passwords, but when you give up control of your data, you give up
 control of your future.

 Normal people aren't going to remember enough passwords, let alone
 strong passwords, to make that control meaningful. I do get your point,
 but I bet that the best alternative is to give them one set of
 credentials and make it as strong as possible.

PasswordSafe/KeePass on a PDA, or something similar, can make up for
poor memory.

Kurt



Re: [Full-disclosure] OpenID. The future of authentication on the web?

2008-03-23 Thread Steven Rakick
I'm not sure why it isn't on their home page any more.
It used to be. Their FAQ is at: 

http://www.beemba.com/faq.aspx.


On Sun, Mar 23, 2008 at 8:46 PM, Paul Schmehl
[EMAIL PROTECTED] wrote:
 --On March 23, 2008 8:04:41 PM -0400 Larry Seltzer
 [EMAIL PROTECTED] wrote:
 
  I understand the attractiveness of not having to remember lots of IDs
  and passwords, but when you give up control of your data, you give up
  control of your future.
 
  Normal people aren't going to remember enough passwords, let alone
  strong passwords, to make that control meaningful. I do get your point,
  but I bet that the best alternative is to give them one set of
  credentials and make it as strong as possible.
 
 I agree with your premise, Larry.  It's the solution I object to.  The
 correct solution, imo, is one that allows the user to retain control of
 their data.  The password managers in browsers are an early attempt at
 this.  Mac's File Vault is another.  The correct solution, IMO, would be
 an encrypted password vault, stored on a USB drive and only available
 through the use of a password and some other form of identification
 (biometric, etc.)
 
 In other words, a combination of something you have and something you
 know, not something someone else has and something you know.  If I'm
 carrying my passwords in encrypted form in a device I possess, I have
 complete control of who gets granted access to my data, and the compromise
 of any one vendor site that I visit will, at the worst, compromise the
 data I granted them access to.
 
 Paul Schmehl ([EMAIL PROTECTED])
 Senior Information Security Analyst
 The University of Texas at Dallas
 http://www.utdallas.edu/ir/security/
 


  
