
Vidoop, internet identity security, and you

etoychest Registered User
Hey y'all (said in my Southern drawl that I'm told I have yet cannot hear). I know most of you probably know me as a games journalist, which I am as a writer for Gamasutra, Joystiq, and a handful of other sites like Snackbar Games. What you might not know (and why would you), is that last week I also signed on as a technical writer and corporate blogger for a new internet security company in Tulsa, OK called Vidoop. The company made a pretty big splash earlier this year at the Web 2.0 conference, and will be rolling out some neat features and announcements soon.

But as I am a writer by trade, I wanted to drop a quick line in here and see what people here thought of what the company is doing. We're essentially an OpenID provider that has developed a software-only technology that both eliminates the need to remember passwords on all OpenID and traditional websites, as well as a two-factor security process using images rather than cryptic strings. The software is available now as a Firefox plugin, and will be rolled out soon as an IE plugin and as bookmarklets in the next few weeks.

I know there are security questions and concerns. Nothing stops hacking wholesale, and last week we even showed the tech to Mudge, who liked it, but admitted it was not unbreakable. We agree, but we think this is a step in the right direction.

As said, I'm sort of the community face of the technology, but as I am a longtime member of this community and respect many of the folks here (except you over there drinking Kool Aid, fucker), I'd like to hear your thoughts. If you want, and this is by no means whorish, you can drop by the Vidoop blog to read some of the posts so far, and I'm gonna try to have a new post up every other day sort of talking about features, news, and other wacky things going on at the site (tomorrow's post may or may not have to do with Pokemon....ooo, drama.)

Anyway, thanks for your time. I love you all. Good night, and drive safe.

etoychest on

Posts

  • Sharp10r Registered User regular
    edited October 2007
    It's cool, but I don't think it would win me over comparing risk/benefits.
    Risk: compromised passwords on all OpenID sites
    benefits: remembering fewer passwords.

    Passwords are easy to remember with the use of a memory system. I can memorize 24 digits in 3 minutes. So, while it isn't a technological solution, training one's memory might be an easier, more useful solution. BUT- just because it isn't for me, doesn't mean it won't revolutionize the net!
    Edit: Oh- if you want to learn the memory system I'm using (it's quick, applicable to many different kinds of memorization) read Harry Lorayne and Jerry Lucas' The Memory Book. And scare your friends when they return from the restroom and you know their credit card numbers! ;)

    Sharp10r on
  • etoychest Registered User
    edited October 2007
    Yea, it's also one of security versus convenience. When you sign up for myVidoop as your OpenID provider, you can import all of your existing Firefox usernames and passwords, and then decide if they should be stored locally, or online with myVidoop. That's your call. Also, when you sign up, a token is passed to your computer, making that the only computer that can see the image grid that acts as the password gateway, meaning keyloggers and other hacks won't be able to see the grid (not to mention the digits associated with the image categories you selected change with each login). But yea, I know there are lots of concerns, so I'm just feeling people up...err...out.

    etoychest on
  • Jasconius sword criminal mad online Registered User regular
    edited October 2007
    Responsible personal practices with passwords seem to eliminate the need for such a product.

    I don't see how this software prevents against anything but someone stealing a password from a specific user in a manner that is unrelated to the actual site.

    So, what incentive do companies have to implement this on their site, given the cost and time factor?

    Jasconius on
  • etoychest Registered User
    edited October 2007
    For a company integrating the solution into their system, as is being done with Charles Schwab, the software adds a layer of security against keystroke logging, phishing, and man in the middle attacks by using the token authentication mentioned above, while also necessitating that any device accessing the account also be sent a token, which is passed using an off-band channel, such as email or text message, meaning an attacker would need access to either a person's email account or their cell phone to proceed.

    I agree that "responsible" is the key word there, though, something that the lion's share of internet users are guilty of not being. I'd wager that most people use the same user name and password for every site they access, or switch between a very small set of accounts.

    etoychest on
  • Jasconius sword criminal mad online Registered User regular
    edited October 2007
    Well, if I were a billion dollar investment firm with an online business model looking to edge out my competitors, I would want to buy it.

    But if I sell wicker baskets online for 20 bucks a pop... not so much.

    Charging site administrators for the base package seems like a questionable practice if their goal is to have widespread usage.

    It would be cooler if they made implementing the program on a site free, and instead charge for more advanced features and support.

    Jasconius on
  • etoychest Registered User
    edited October 2007
    From what I have been told by the execs there, Vidoop works with its clients to come up with different models for implementation.

    For example, through one business model, the company will give away its software licenses for free and will then share revenue from the ad sales realized through the image grid (companies will be able to buy space on the grid to show their products off...SmartCar and Mazzios have done this, for example).

    etoychest on
  • etoychest Registered User
    edited October 2007
    *used Phoenix Down*

    OK, at my job, we're all nerds. As mentioned above, we use Pokemon in our daily work here at Vidoop for, of all things, software versioning. Do tell? I just made a post about it on the corporate blog, but essentially, each Pokemon represents a different version of the Vidoop software that is being developed, and as changes are rolled out, we move on to the next Pokemon in the alphabetical chain. In January, when the big roll out happens, a little bird tells me we'll use an "A" Pokemon (for this beta phase we started with Magikarp). Anyway, no real point other than to mention how wacky things are while working at a startup with a bunch of fellow nerds. :)

    etoychest on
  • LewieP Registered User regular
    edited October 2007
    I don't understand any of this.

    LewieP on
  • etoychest Registered User
    edited October 2007
    It's ok, my love for you is unending. *hugz*

    etoychest on
  • cloudeagle Registered User regular
    edited November 2007
    Hey, I completely missed this.

    Honestly, I'm a little curious as to what you all think of this too, since this is a company making a big splash in my hometown. Essentially, it replaces passwords with a randomized image grid... and aims to make things more secure in the process.

    Yes, this is more advanced than the image grids you might have seen on banking sites. At the risk of sounding like a shill it's better to see the grid in action for yourself, then you'll understand. Check out the company's site etoy linked to and hopefully it'll make more sense. I'm honestly curious to see if anyone here would find this useful or could poke holes in this.

    cloudeagle on
    Switch: 3947-4890-9293
  • piL Registered User regular
    edited November 2007
    Well, I kind of like it. It looks a little more effective than just a normal password: mainly because memorizing random strings of letters and numbers isn't really fun for most people. So yay for the picture thing.

    Unfortunately, I do not believe this is an effective response to keylogging. Needing access to your phone or email helps of course, but now people are just going to have to include screen capture with their key-logger. Doesn't seem terribly much more difficult. Every bit helps, and I know I'm not saying anything that they haven't heard etoy, but felt like throwing that stuff out there.

    piL on
  • Snowcone Registered User regular
    edited November 2007
    etoychest wrote: »
    From what I have been told by the execs there, Vidoop works with its clients to come up with different models for implementation.

    For example, through one business model, the company will give away its software licenses for free and will then share revenue from the ad sales realized through the image grid (companies will be able to buy space on the grid to show their products off...SmartCar and Mazzios have done this, for example).

    [derail]
    I remember when we had Mazzios down here. We used to eat there every Wednesday night.
    [/derail]

    Snowcone on
  • TyrantCow Registered User regular
    edited November 2007
    Storing all my usernames and passwords in a single-point-of-failure seems like a terrible idea to me.

    I don't care if it's got super-duper encryption, merged in to a fancy hologram, or shot to the moon. I don't put that stuff all in one place. It's like one of the basic security tenets, isn't it?

    TyrantCow on
  • Linden Registered User regular
    edited November 2007
    TyrantCow wrote: »
    Storing all my usernames and passwords in a single-point-of-failure seems like a terrible idea to me.

    I don't care if it's got super-duper encryption, merged in to a fancy hologram, or shot to the moon. I don't put that stuff all in one place. It's like one of the basic security tenets, isn't it?

    Not necessarily. The primary issue with internet password security is using the same one everywhere. In such an environment, if I can get you to sign up to a site I control, I can now access everything you can access. And this is horribly bad. So, for security to exist, I need to use a different password (the username is not a real issue) for everything.

    But wait. It's easy to remember a typical password (such as "p2ssw0rd"). It's easy to remember an eight-character alphanumeric (such as "1FHvC83y"). Now, remember all of the following:
    co*[email protected]    H)l\,y)3j;_b    M*D*{[email protected]\gW
    ?HJS,IDC!Y.y    O#wsZFD.&CoN    FA"'ABnXn\(S 
    aEeGTjD{MERW    WCrO}q0ET5dl    pZa'-06x'WI/
    KTs*q[r{C#,e    &vGODSNo}V8d    Z-0kE2(VSi;O
    
    And which sites they are each connected to. And never enter the wrong one, because then we have the same problem all over again. In these circumstances, I'm either writing them down, or I'm using the same password with everything.

    Tools to handle this have existed for a while, and they make it convenient to be secure. An appropriately designed password container is... sufficiently secure. Cryptography is not the issue. If the software is poorly-designed, then there are potential problems. If there's a web interface, then there are potential problems.

    Keyloggers are still problematic, and an isolated device is really the only way we can get around that, I think. Unless we can guarantee that there is no route by which a keylogger could be installed/function.

    Linden on
    What if this weren't a rhetorical question?
  • etoychest Registered User
    edited November 2007
    Hey, good to see some conversation here. :) Yea, what we say is that Vidoop resists hacking attempts. Nothing is a complete barrier to such attacks, but we feel that what we have developed provides a much stronger protection and dual layer of security than what is currently available.

    Also, we have a new version of the Firefox plugin hopefully launching next week if you wanna give it a spin. We'll have an IE plugin and bookmarklet solution very soon as well.

    etoychest on
  • LewieP Registered User regular
    edited November 2007
    So do I need to do anything, or just install the plugin to firefox and then I am safer?

    LewieP on
  • etoychest Registered User
    edited November 2007
    Install the plugin and you'll be asked some questions that will help set up your security.

    For more info, you can watch some of these YouTube spots as well:

    http://www.youtube.com/watch?v=U39Nc75_C5Q - our presentation at Web 2.0
    http://www.youtube.com/watch?v=xcmY8Pk-qEk - explanation of OpenID
    http://www.youtube.com/watch?v=r-ezgp5jua0 - TV spot

    etoychest on