Hey y'all (said in my Southern drawl that I'm told I have yet cannot hear). I know most of you probably know me as a games journalist, which I am as a writer for Gamasutra, Joystiq, and a handful of other sites like Snackbar Games. What you might not know (and why would you), is that last week I also signed on as a technical writer and corporate blogger for a new internet security company in Tulsa, OK called Vidoop. The company made a pretty big splash earlier this year at the Web 2.0 conference, and will be rolling out some neat features and announcements soon.
But as I am a writer by trade, I wanted to drop a quick line in here and see what people here thought of what the company is doing. We're essentially an OpenID provider that has developed a software-only technology that both eliminates the need to remember passwords on all OpenID and traditional websites, and provides a two-factor security process using images rather than cryptic strings. The software is available now as a Firefox plugin, and will be rolled out soon as an IE plugin and as bookmarklets in the next few weeks.
I know there are security questions and concerns. Nothing stops hacking wholesale, and last week we even showed the tech to Mudge, who liked it, but admitted it was not unbreakable. We agree, but we think this is a step in the right direction.
As said, I'm sort of the community face of the technology, but as I am a longtime member of this community and respect many of the folks here (except you over there drinking Kool Aid, fucker), I'd like to hear your thoughts. If you want, and this is by no means whorish, you can drop by the Vidoop blog to read some of the posts so far, and I'm gonna try to have a new post up every other day sort of talking about features, news, and other wacky things going on at the site (tomorrow's post may or may not have to do with Pokemon....ooo, drama.)
Anyway, thanks for your time. I love you all. Good night, and drive safe.
Risk: compromised passwords on all OpenID sites.
Benefits: remembering fewer passwords.
Passwords are easy to remember with the use of a memory system. I can memorize 24 digits in 3 minutes. So, while it isn't a technological solution, training one's memory might be an easier, more useful solution. BUT- just because it isn't for me, doesn't mean it won't revolutionize the net!
Edit: Oh- if you want to learn the memory system I'm using (it's quick, applicable to many different kinds of memorization) read Harry Lorayne and Jerry Lucas' The Memory Book. And scare your friends when they return from the restroom and you know their credit card numbers!
I don't see how this software prevents against anything but someone stealing a password from a specific user in a manner that is unrelated to the actual site.
So, what incentive do companies have to implement this on their site, given the cost and time factor?
I agree that "responsible" is the key word there, though, something that the lion's share of internet users are guilty of not being. I'd wager that most people use the same user name and password for every site they access, or switch between a very small set of accounts.
But if I sell wicker baskets online for 20 bucks a pop... not so much.
Charging site administrators for the base package seems like a questionable practice if their goal is to have widespread usage.
It would be cooler if they made implementing the program on a site free, and instead charge for more advanced features and support.
For example, through one business model, the company will give away its software licenses for free and will then share revenue from the ad sales realized through the image grid (companies will be able to buy space on the grid to show their products off...SmartCar and Mazzios have done this, for example).
OK, at my job, we're all nerds. As mentioned above, we use Pokemon in our daily work here at Vidoop for, of all things, software versioning. Do tell? I just made a post about it on the corporate blog, but essentially, each Pokemon represents a different version of the Vidoop software that is being developed, and as changes are rolled out, we move on to the next Pokemon in the alphabetical chain. In January, when the big roll out happens, a little bird tells me we'll use an "A" Pokemon (for this beta phase we started with Magikarp). Anyway, no real point other than to mention how wacky things are while working at a startup with a bunch of fellow nerds.
Honestly, I'm a little curious as to what you all think of this too, since this is a company making a big splash in my hometown. Essentially, it replaces passwords with a randomized image grid... and aims to make things more secure in the process.
Yes, this is more advanced than the image grids you might have seen on banking sites. At the risk of sounding like a shill, it's better to see the grid in action for yourself, then you'll understand. Check out the company's site etoy linked to and hopefully it'll make more sense. I'm honestly curious to see if anyone here would find this useful or could poke holes in this.
Unfortunately, I do not believe this is an effective response to keylogging. Needing access to your phone or email helps of course, but now people are just going to have to include screen capture with their key-logger. Doesn't seem terribly much more difficult. Every bit helps, and I know I'm not saying anything that they haven't heard etoy, but felt like throwing that stuff out there.
[derail]
I remember when we had Mazzios down here. We used to eat there every Wednesday night.
[/derail]
I don't care if it's got super-duper encryption, merged in to a fancy hologram, or shot to the moon. I don't put that stuff all in one place. It's like one of the basic security tenets, isn't it?
Not necessarily. The primary issue with internet password security is using the same one everywhere. In such an environment, if I can get you to sign up to a site I control, I can now access everything you can access. And this is horribly bad. So, for security to exist, I need to use a different password (the username is not a real issue) for everything.
But wait. It's easy to remember a typical password (such as "p2ssw0rd"). It's easy to remember an eight-character alphanumeric (such as "1FHvC83y"). Now, remember all of the following: And which sites they are each connected to. And never enter the wrong one, because then we have the same problem all over again. In these circumstances, I'm either writing them down, or I'm using the same password with everything.
Tools to handle this have existed for a while, and they make it convenient to be secure. An appropriately designed password container is... sufficiently secure. Cryptography is not the issue. If the software is poorly-designed, then there are potential problems. If there's a web interface, then there are potential problems.
Keyloggers are still problematic, and an isolated device is really the only way we can get around that, I think. Unless we can guarantee that there is no route by which a keylogger could be installed/function.
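The reuse argument above, worked through as an added example (my code, not Vidoop's or anything from the original thread): one master secret, a different derived password for every site, and a constructed model of a rogue site to count how many other accounts the password it receives would unlock. Site names, the master phrase and the PBKDF2-based derivation are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import string

# Assumed scheme (not Vidoop's): derive a per-site password from a master
# secret with PBKDF2-HMAC-SHA256, using the site name as the salt, so nothing
# is written down and no two sites ever receive the same password.
ALPHABET = string.ascii_letters + string.digits

def derive_site_password(master: str, site: str, length: int = 16) -> str:
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), site.encode(),
                              100_000, dklen=length)
    # Byte-to-character mapping has slight modulo bias; fine for a demo.
    return "".join(ALPHABET[b % len(ALPHABET)] for b in key)

class Site:
    """Constructed model of a website login: stores only a salted hash."""
    def __init__(self, name: str):
        self.name = name
        self.salt = secrets.token_bytes(16)
        self.stored = b""

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def register(self, password: str) -> None:
        self.stored = self._hash(password)

    def login(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password), self.stored)

def exposure(sites, password_for, rogue="rogue.example") -> int:
    """The rogue site sees the plaintext typed into it; count how many of the
    user's other accounts that single password unlocks."""
    registered = {}
    for name in list(sites) + [rogue]:
        site = Site(name)
        site.register(password_for(name))
        registered[name] = site
    leaked = password_for(rogue)
    return sum(registered[name].login(leaked) for name in sites)

MASTER = "correct horse battery staple"            # constructed sample secret
SITES = ["bank.example", "forum.example", "shop.example"]

def reuse_exposure() -> int:       # same password everywhere
    return exposure(SITES, lambda site: MASTER)

def derived_exposure() -> int:     # one derived password per site
    return exposure(SITES, lambda site: derive_site_password(MASTER, site))
```

The keylogger caveat from the post still applies: the master secret is typed once per session, so a logger on the machine defeats this scheme just as it defeats any typed password.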
Also, we have a new version of the Firefox plugin hopefully launching next week if you wanna give it a spin. We'll have an IE plugin and bookmarklet solution very soon as well.
For more info, you can watch some of these YouTube spots as well:
http://www.youtube.com/watch?v=U39Nc75_C5Q - our presentation at Web 2.0
http://www.youtube.com/watch?v=xcmY8Pk-qEk - explanation of OpenID
http://www.youtube.com/watch?v=r-ezgp5jua0 - TV spot