<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>BenLog - Latest Comments</title><link xmlns="http://www.w3.org/2005/Atom" rel="http://api.friendfeed.com/2008/03#sup" href="http://disqus.com/sup/all.sup#forumcomments-0fe39332" type="application/json"/><link>http://benadida-benlog.disqus.com/</link><description></description><atom:link href="http://benadida-benlog.disqus.com/comments.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Mon, 17 Jun 2013 05:59:42 -0000</lastBuildDate><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-932929385</link><description>&lt;p&gt;I think Google Calendar and Facebook sharing can be done. Spam filtering's a hard one :-). I'll give it some thought; I don't want to waste any more of your time.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Mon, 17 Jun 2013 05:59:42 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-929690159</link><description>&lt;p&gt;I guess I don't think it would be nearly that risky. Given how many aggressive viruses are out there on a regular basis, hiding among them is not that terribly hard.&lt;/p&gt;

&lt;p&gt;As for services users rely on. Google email filtering. Google Calendar. Facebook sharing. And on and on. None of these can be done without trusting servers.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Thu, 13 Jun 2013 15:45:34 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-929155252</link><description>&lt;p&gt;I just don't see the possibility of a government like the US government deploying 0days against millions of users. That would be an incredibly risky strategy compared to harvesting data from servers.&lt;/p&gt;

&lt;p&gt;When you say "most features users rely on today", what services are you thinking of?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Thu, 13 Jun 2013 10:23:14 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-929116436</link><description>&lt;p&gt;Sure, they are more detectable. But in practice, I don't think they are sufficiently more detectable to make a big difference. I also don't think they are more preventable. 0days are on the market constantly.&lt;/p&gt;

&lt;p&gt;At the core of your argument is the idea that we *can* make this better with technology, and I strongly disagree with it. Most features users rely on today require trusting servers.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Thu, 13 Jun 2013 10:02:22 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-929111658</link><description>&lt;p&gt;Robert: maybe I didn't make the point clearly enough in that blog post :) It's not that I'm burnt out, it's that key management done by users is simply not a viable solution, in my opinion. PICL will help by giving you a password-derived key, so if you remember your password you're fine. But if you don't, you will lose some data. So we're discussing which data is okay to lose if you both forget your password and lose all your devices. Some data may not be okay to lose, and in that case we would store it in a recoverable way in PICL.&lt;/p&gt;

&lt;p&gt;In other words, if we want certain features like recoverability, we have to trust servers.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Thu, 13 Jun 2013 09:59:51 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928599433</link><description>&lt;p&gt;Reading your posts on "encryption is not magic gravy", I sense you're a bit burned out by the Sync key management issue (and you're not alone!). But maybe that's because you've been focused on the most challenging part of the problem: provisioning users with truly secret keys (modulo dictionary attacks against passwords), and secure authentication. Once we can rely on PICL and Persona to solve those, it seems to me it's relatively easy to rearchitect a lot of applications to distrust servers, with no additional UX overhead.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Thu, 13 Jun 2013 00:29:35 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928592238</link><description>&lt;p&gt;I think it deflates your "naive" point a bit: "If government agencies believe they have the authority to monitor all &lt;br&gt;Internet traffic, would they hesitate to create viruses that infect and &lt;br&gt;monitor endpoints? Would they hesitate to force software and hardware &lt;br&gt;vendors to build secret backdoors into their products?" 
The answer is yes, they could do those things, but those kinds of attacks are less threatening because they don't scale so easily and are more detectable and preventable.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Thu, 13 Jun 2013 00:14:59 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928579837</link><description>&lt;p&gt;That's a fair point, though I'm not sure how much of a difference &lt;br&gt;that part can make in this particular discussion. Do you think there's a&lt;br&gt; big win in the surveillance game here? Certainly on the transport &lt;br&gt;front, yes!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Wed, 12 Jun 2013 23:50:15 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928579271</link><description>&lt;p&gt;Chess has "rules". If your opponent plays by those rules, great!&lt;br&gt;If not, then your opponent is not playing chess.&lt;/p&gt;

&lt;p&gt;My colon surgeon did not play by the "rules" by not telling me&lt;br&gt;and getting my written permission before directly and intentionally&lt;br&gt;incapacitating my memory for approximately one half hour.&lt;/p&gt;

&lt;p&gt;My cousin had an allergy testing nurse not play by the "rules"&lt;br&gt;by not reading my cousin's chart to check for alcohol allergy&lt;br&gt;before wiping my cousin's arm with an alcohol wipe!&lt;/p&gt;

&lt;p&gt;So, "laws" are not much use if the sociological equipment (people)&lt;br&gt;they "run on" is malfunctioning by not following them.&lt;/p&gt;

&lt;p&gt;Thank you,&lt;br&gt;Eddie Maddox&lt;/p&gt;

&lt;p&gt;&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eddiemaddox </dc:creator><pubDate>Wed, 12 Jun 2013 23:49:12 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928563402</link><description>&lt;p&gt;Richard: great question.&lt;/p&gt;

&lt;p&gt;I do think there is something to solve: users should control their data and, short of transparent due process, that includes protecting it from the government.&lt;/p&gt;

&lt;p&gt;I don't think there is a purely technical solution to this problem for lay users. Expert users may be able to defend themselves if they're particularly careful... but I don't think that's relevant to the conversation since I think we need to be thinking about most users.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Wed, 12 Jun 2013 23:20:49 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928508941</link><description>&lt;p&gt;Ben's post is on Planet! That's how I found it :-)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Wed, 12 Jun 2013 22:04:58 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928403747</link><description>&lt;p&gt;Oh, and I agree that most crypto fantasies fall down hard when faced with the realities of human social structures. &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rnewman</dc:creator><pubDate>Wed, 12 Jun 2013 20:02:13 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928402139</link><description>&lt;p&gt;I'm interested to know your thoughts on a possible next stage of this. Assume that either we fail to produce good law, or can assume that there is a layer circumventing the law that we know about. That is, you have *only* a technical framework within which to solve this problem; you cannot rely on government actors to behave in any way that you want them to. We can call this "the present day", I suppose. Do you think that there's no pure-technical solution, or no tech+education solution? 
Or do you reject the premise that there's something to 'solve', either due to a certain view on privacy, or a belief that all acceptable solutions have a legal component? &lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">rnewman</dc:creator><pubDate>Wed, 12 Jun 2013 19:59:37 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928358255</link><description>&lt;p&gt;I think there's a big difference between surveillance methods that leave no trace on the user's system and those that do. For example most governments could get a CA to issue them a certificate to MITM &lt;a href="http://google.com" rel="nofollow"&gt;google.com&lt;/a&gt;, but that can be detected by endpoints and probably cannot be done at large scale without actually being detected. Similar for backdooring systems. We can improve our ability to detect and prevent such attacks, and they don't scale so easily, so I'm more willing to live with them.&lt;/p&gt;

&lt;p&gt;I totally agree that whatever we do has to preserve UX. But it seems to me there's a lot we can do to reduce trust in servers while sticking to that constraint, and it's clearly worth doing.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Robert O'Callahan</dc:creator><pubDate>Wed, 12 Jun 2013 18:52:03 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928279880</link><description>&lt;p&gt;Ben, that's what we're planning with Firecloud. Take a look and see if you think it looks promising &lt;/p&gt;

&lt;p&gt;&lt;a href="http://literaci.es/firecloud" rel="nofollow"&gt;http://literaci.es/firecloud&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I'm doug@ mofo :-)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Doug Belshaw</dc:creator><pubDate>Wed, 12 Jun 2013 17:21:27 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-928188931</link><description>&lt;p&gt;Ben, I could not agree more. Why are these not showing up on Planet? Please try to get them on there, there's way too much FUD coming out about Prism, we could use more public stabilizing influences.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Monica</dc:creator><pubDate>Wed, 12 Jun 2013 15:47:31 -0000</pubDate></item><item><title>Re: no user is an island</title><link>http://benlog.com/articles/2013/06/11/no-user-is-an-island/#comment-927508477</link><description>&lt;p&gt;Also &lt;a href="https://newsroom.fb.com/Fact-Check" rel="nofollow"&gt;https://newsroom.fb.com/Fact-C...&lt;/a&gt; (FB is my employer)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sid</dc:creator><pubDate>Wed, 12 Jun 2013 06:21:20 -0000</pubDate></item><item><title>Re: getting web sites to adopt a new identity system</title><link>http://benlog.com/articles/2013/04/30/getting-web-sites-to-adopt-a-new-identity-system/#comment-898714245</link><description>&lt;p&gt;This is not a "login agent". It is a complete replacement for username/password fragile system. In fact I think this is a direct open source competitor to One Id. Have you even tried the demo? 
&lt;a href="http://crossword.thetimes.co.uk/" rel="nofollow"&gt;http://crossword.thetimes.co.u...&lt;/a&gt;  Tell me the experience is the "same" as the facebook connect crap or etc..&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">AndriyDrozdyuk</dc:creator><pubDate>Wed, 15 May 2013 20:57:19 -0000</pubDate></item><item><title>Re: so what if torture works?</title><link>http://benlog.com/articles/2013/04/23/so-what-if-torture-works/#comment-882506709</link><description>&lt;p&gt;+1&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Andreas Kuckartz</dc:creator><pubDate>Thu, 02 May 2013 14:21:28 -0000</pubDate></item><item><title>Re: getting web sites to adopt a new identity system</title><link>http://benlog.com/articles/2013/04/30/getting-web-sites-to-adopt-a-new-identity-system/#comment-881528995</link><description>&lt;p&gt;Hi Yehuda,&lt;/p&gt;

&lt;p&gt;Interesting, you are the first web developer to suggest this. I think it may be because you know too much about the Web ;)&lt;/p&gt;

&lt;p&gt;But seriously, let's dig in and be more precise. Is there a site on which you've considered implementing Persona? What does native Firefox support give you that would push you over the edge? Would you still implement it if you had native Firefox support, but no support on iOS?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ben Adida</dc:creator><pubDate>Wed, 01 May 2013 15:20:32 -0000</pubDate></item><item><title>Re: getting web sites to adopt a new identity system</title><link>http://benlog.com/articles/2013/04/30/getting-web-sites-to-adopt-a-new-identity-system/#comment-881437485</link><description>&lt;p&gt;As a web developer, I can say without hesitation that native Firefox support for Persona would make me much more likely to adopt Persona. From my perspective, the primary advantage that Persona has over other identity solutions is the prospect of native Firefox support. Please prioritize this.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Yehuda Katz</dc:creator><pubDate>Wed, 01 May 2013 13:33:22 -0000</pubDate></item><item><title>Re: getting web sites to adopt a new identity system</title><link>http://benlog.com/articles/2013/04/30/getting-web-sites-to-adopt-a-new-identity-system/#comment-881085828</link><description>&lt;p&gt;I'm not a fan of these login agents. They claim safest and easiest but to me, it seems to create a single target for the black hats. They get your persona info or they find a way to compromise the persona system and any of my private info I access through it now belongs to them.&lt;/p&gt;

&lt;p&gt;Sorry but no thanks.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Alice Wonder</dc:creator><pubDate>Wed, 01 May 2013 03:26:25 -0000</pubDate></item><item><title>Re: Identity Systems: white labeling is a no-go</title><link>http://benlog.com/articles/2013/04/25/identity-systems-white-labeling-is-a-no-go/#comment-877089189</link><description>&lt;p&gt;Before Persona is built into the browser-chrome and is still just an &lt;br&gt;ordinary javascript popup, it will be far too easy to fake and phish. It &lt;br&gt;teaches the user to login using a link from an untrusted (although &lt;br&gt;innocent looking) site, directly contrary to what we have been trying to&lt;br&gt; users for ever. The user's only defense is the url-bar of the popup (if &lt;br&gt;it isn't just hidden by the phisher, e.g. using a simulated popup), but &lt;br&gt;few users will comprehend that e.g. &lt;br&gt;"&lt;a href="https://www.innocent-looking.com/login" rel="nofollow"&gt;https://www.innocent-looking.c...&lt;/a&gt;" is very dangerous. So the popup&lt;br&gt; solution (even if you meant it to be temporary) is bad for the web. The&lt;br&gt; in-browser solution on the other hand can and should be completely &lt;br&gt;"white-box". But the fact that Mozilla have not chosen to add it to the &lt;br&gt;browser (although it would add no distractions for users/sites not using&lt;br&gt; the feature) would seem to indicate to sites and other browser vendors &lt;br&gt;that Mozilla isn't serious about the feature.&lt;/p&gt;

&lt;p&gt;Also the current &lt;br&gt;implementation of yahoo-login looks like a bad phishing attempt already &lt;br&gt;(login-box doesn't fit in the window with no way to scroll, no obvious &lt;br&gt;way to go back and a dead-end if the popup is closed at that point, &lt;br&gt;wrong word-wrap of "yahoo.login.person -  &lt;a href="http://a.org" rel="nofollow"&gt;a.org&lt;/a&gt;").&lt;/p&gt;

&lt;p&gt;&amp;gt; we don't want this to seem to be a Firefox product which would alienate other browser vendors&lt;br&gt;Renaming&lt;br&gt; it from the obvious and vendor neutral "BrowserID" to the obscure and &lt;br&gt;Mozilla-specific "Mozilla Persona" pretty much ensured that other &lt;br&gt;browser vendors will never touch it and thus killed it.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Anders</dc:creator><pubDate>Fri, 26 Apr 2013 15:32:42 -0000</pubDate></item><item><title>Re: Identity Systems: white labeling is a no-go</title><link>http://benlog.com/articles/2013/04/25/identity-systems-white-labeling-is-a-no-go/#comment-876942762</link><description>&lt;p&gt;pzxc's post lacks comments, so I'll chime in here.&lt;/p&gt;

&lt;p&gt;pzxc's tagline "web development predicts the future" is another perfect way to frame the branding argument. Persona *is* an API (and a protocol) and it's meant to be native in the Browser. When that happens, these branding questions go away.&lt;/p&gt;

&lt;p&gt;The current popup is a temporary transition step, that *predicts the future* of how people will actually interact with Persona.&lt;/p&gt;

&lt;p&gt;Give yourself the design problem of branding this popup. It's quite challenging, as we don't want this to seem to be a Firefox product which would alienate other browser vendors. But as Ben says here, it can't be an invisible brand for UX and security reasons.&lt;/p&gt;

&lt;p&gt;So we've created a neutral brand and encouraged other browser vendors to use the name, starting with the web based dialog.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">ozten</dc:creator><pubDate>Fri, 26 Apr 2013 12:22:32 -0000</pubDate></item><item><title>Re: Identity Systems: white labeling is a no-go</title><link>http://benlog.com/articles/2013/04/25/identity-systems-white-labeling-is-a-no-go/#comment-876218251</link><description>&lt;p&gt;I believe the calls for "white labeling" are red herrings. Rather, I suspect they're a sign that  the Persona experience has room to more  fully champion, promote, and celebrate each site's branding.&lt;/p&gt;

&lt;p&gt;Right now, Persona's visual style risks over-emphasizing infrastructure (Persona!), at the expense of content (the site!). We took a huge step forward with the introduction of siteName and siteLogo, but what if sites could also specify a background color? That's what I explored with the mockups at &lt;a href="http://callahad.github.io/persona-popup-mockup/" rel="nofollow"&gt;http://callahad.github.io/pers...&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;From the initial reaction, I think we're on to something.&lt;/p&gt;

&lt;p&gt;Alex Faaborg gave a fantastic talk about the design of Firefox in late 2011. In the three minutes from 27:00 to 30:00, he covers how Firefox seamlessly adopts the look and feel of its host operating system without forfeiting its own unique identity. I'd highly recommend watching that three minute segment: &lt;a href="http://www.youtube.com/watch?v=hMDBwa4huUY#t=27m" rel="nofollow"&gt;http://www.youtube.com/watch?v...&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Would those same principles apply equally well to Persona?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Dan Callahan</dc:creator><pubDate>Fri, 26 Apr 2013 00:14:57 -0000</pubDate></item></channel></rss>