Goodbye, Passwords. You Aren’t a Good Defense

THE best password is a long, nonsensical string of letters and numbers and punctuation marks, a combination never put together before. Some admirable people actually do memorize random strings of characters for their passwords — and replace them with other random strings every couple of months.
Then there’s the rest of us, selecting the short, the familiar and the easiest to remember. And holding onto it forever.
I once felt ashamed about failing to follow best practices for password selection — but no more. Computer security experts say that choosing hard-to-guess passwords ultimately brings little security protection. Passwords won’t keep us safe from identity theft, no matter how clever we are in choosing them.
That would be the case even if we had done a better job of listening to instructions. Surveys show that we’ve remained stubbornly fond of perennial favorites like “password,” “123456” and “LetMeIn.” The underlying problem, however, isn’t their simplicity. It’s the log-on procedure itself, in which we land on a Web page, which may or may not be what it says it is, and type in a string of characters to authenticate our identity (or have our password manager insert the expected string on our behalf).
This procedure — which now seems perfectly natural because we’ve been trained to repeat it so much — is a bad idea, one that no security expert whom I reached would defend.
Password-based log-ons are susceptible to being compromised in any number of ways. Consider a single threat, that posed by phishers who trick us into clicking to a site designed to mimic a legitimate one in order to harvest our log-on information. Once we’ve been suckered at one site and our password purloined, it can be tried at other sites.
The solution urged by the experts is to abandon passwords — and to move to a fundamentally different model, one in which humans play little or no part in logging on. Instead, machines have a cryptographically encoded conversation to establish both parties’ authenticity, using digital keys that we, as users, have no need to see.
In short, we need a log-on system that relies on cryptography, not mnemonics.
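The following toy model is an added illustration and is not code from the article, from Microsoft's Information Card software, or from OpenID. It contrasts the two log-on procedures described above: a password that is typed into whatever page is in front of the user, and a handshake in which the device answers a site's challenge with a key the user never sees. The user name, the two site names, the look-alike host and the reused password are all constructed for the example. Real systems of this kind use public-key signatures so the site holds only a public key; this version derives a per-site HMAC key from a device secret using only the Python standard library, which is enough to show the property the experts are after: the secret never leaves the machine, and each response is bound to the origin the browser actually visited, so a phishing page can neither learn the secret nor replay the handshake at the real site or at any other.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample identities; nothing here comes from the article.
USER = "alice"
REUSED_PASSWORD = "LetMeIn"


class Site:
    """A relying party. `origin` is the host name the browser actually talks to."""

    def __init__(self, origin):
        self.origin = origin
        self.passwords = {}   # username -> password (plaintext only to keep the toy short)
        self.keys = {}        # username -> per-origin key registered from the user's device

    # Password model: whatever string arrives is compared, no matter who typed it where.
    def register_password(self, user, password):
        self.passwords[user] = password

    def login_password(self, user, password):
        return self.passwords.get(user) == password

    # Key model: the site issues a fresh nonce and checks a response bound to its own origin.
    def register_key(self, user, key):
        self.keys[user] = key

    def challenge(self):
        return secrets.token_bytes(16)

    def login_key(self, user, nonce, response):
        key = self.keys.get(user)
        if key is None:
            return False
        expected = hmac.new(key, self.origin.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


class Device:
    """The user's machine. The master secret never leaves it and the user never sees it."""

    def __init__(self):
        self.master = os.urandom(32)

    def key_for(self, origin):
        # One key per site, derived from the origin the browser is really connected to.
        return hmac.new(self.master, b"site:" + origin.encode(), hashlib.sha256).digest()

    def respond(self, visited_origin, nonce):
        # The response commits to the origin the device is actually talking to.
        key = self.key_for(visited_origin)
        return hmac.new(key, visited_origin.encode() + nonce, hashlib.sha256).digest()


def password_phishing():
    """User types the reused password into a look-alike page; phisher replays it elsewhere."""
    bank = Site("bank.example")
    shop = Site("shop.example")
    bank.register_password(USER, REUSED_PASSWORD)
    shop.register_password(USER, REUSED_PASSWORD)
    harvested = REUSED_PASSWORD  # the look-alike form simply records what was typed
    return bank.login_password(USER, harvested), shop.login_password(USER, harvested)


def key_phishing():
    """Same lure, key model: phisher relays the real site's nonce to the victim's device."""
    device = Device()
    bank = Site("bank.example")
    shop = Site("shop.example")
    bank.register_key(USER, device.key_for(bank.origin))
    shop.register_key(USER, device.key_for(shop.origin))

    nonce = bank.challenge()                                  # phisher fetches a live nonce
    relayed = device.respond("bank-login.example", nonce)     # device answers the origin it sees
    return bank.login_key(USER, nonce, relayed), shop.login_key(USER, nonce, relayed)


def honest_key_login():
    """Control case: the device talks to the real site and the handshake succeeds."""
    device = Device()
    bank = Site("bank.example")
    bank.register_key(USER, device.key_for(bank.origin))
    nonce = bank.challenge()
    return bank.login_key(USER, nonce, device.respond(bank.origin, nonce))


if __name__ == "__main__":
    print("password model, phished then replayed at bank/shop:", password_phishing())  # (True, True)
    print("key model, same lure:", key_phishing())                                      # (False, False)
    print("key model, genuine site:", honest_key_login())                               # True
```

The decisive line is in `Device.respond`: the device signs for the origin it is actually connected to, which the browser knows even when the user does not. A phisher who relays a genuine nonce gets back a response keyed to its own host name, useless at the real site, and the reused-password case fails for exactly the opposite reason, since nothing in a typed string says where it was typed.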
As users, we would replace passwords with so-called information cards, icons on our screen that we select with a click to log on to a Web site. The click starts a handshake between machines that relies on cryptographic keys rather than a typed secret. The necessary software for creating and using information cards is on only about 20 percent of PCs, though that’s up from 10 percent a year ago. Windows Vista machines are equipped by default, but Windows XP, Mac and Linux machines require downloads.
And that’s only half the battle: Web site hosts must also be persuaded to adopt information-card technology for sign-ons.
We won’t make much progress on information cards in the near future, however, because of wasted energy and attention devoted to a large distraction, the OpenID initiative. OpenID promotes “Single Sign-On”: with it, logging on to one OpenID Web site with one password will grant entrance during that session to all Web sites that accept OpenID credentials.
OpenID offers, at best, a little convenience, and ignores the security vulnerability inherent in the process of typing a password into someone else’s Web site. Nevertheless, every few months another brand-name company announces that it has become the newest OpenID signatory. Representatives of Google, I.B.M., Microsoft and Yahoo are on OpenID’s guiding board of corporations. Last month, when MySpace announced that it would support the standard, the nonprofit foundation OpenID.net boasted that the number of “OpenID enabled users” had passed 500 million and that “it’s clear the momentum is only just starting to pick up.”
Support for OpenID is conspicuously limited, however. Each of the big powers supposedly backing OpenID is glad to create an OpenID identity for visitors, which can be used at its site, but it isn’t willing to rely upon the OpenID credentials issued by others. You can’t use Microsoft-issued OpenID at Yahoo, nor Yahoo’s at Microsoft.
Why not? Because the companies see the many ways that the password-based log-on process, handled elsewhere, could be compromised. They do not want to take on the liability for mischief originating at someone else’s site.
When I asked Scott Kveton, chairman of the OpenID Foundation’s community board, about criticism of OpenID, he said candidly, “Passwords, we know, are totally broken.” He said new security options, such as software that works with OpenID that installs within the browser, are being offered. When it comes to security, he said, “there is no silver bullet, and there never will be.”
Kim Cameron, Microsoft’s chief architect of identity, is an enthusiastic advocate of information cards, which are not only vastly more secure than a password-based security system, but are also customizable, permitting users to limit what information is released to particular sites. “I don’t like Single Sign-On,” Mr. Cameron said. “I don’t believe in Single Sign-On.”
Microsoft and Google are among the six founding companies of the Information Card Foundation, formed to promote adoption of the card technology. The presence of PayPal, which is owned by eBay, in the group is the most significant: PayPal, with its direct access to our checking accounts, will naturally be inclined to be conservative. If it becomes convinced that these cards are more secure than passwords, we should listen.
BUT perhaps information cards in certain situations are convenient to a fault, permitting anyone who happens by a PC that is momentarily unattended in an office setting to click quickly through a sign-on at a Web site holding sensitive information. This need not pose a problem, however.
“Users on shared systems can easily set up a simple PIN code to protect any card from use by other users,” Mr. Cameron said.
The PIN doesn’t return us to the Web password mess: it never leaves our machine and can’t be seen by phishers.
Unlearning the habit of typing a password into a box on a Web page will take a long while, but it’s needed for our own protection. Logging on to a site should entail a cryptographic conversation between machines, saving us from inadvertently giving away the keys.
No more relying on our old companion “LetMeIn.”
Randall Stross is an author based in Silicon Valley and a professor of business at San Jose State University. E-mail: stross@nytimes.com.

http://www.nytimes.com/2008/08/10/technology/10digi.html?ref=technology
Slipstream
Olympics Online, With a Hook

CAN the leopard shed his spots?
This month, Microsoft is offering Web surfers in the United States a seductive viewing treat. In conjunction with NBC, the software publisher is offering thousands of hours of free video direct from the Olympics in Beijing.
The service is being hailed as a bold experiment in delivering on the original promise of the World Wide Web. For the first time, it will be possible to watch specific events on demand as well as to watch many of the less popular sporting events like cycling and race walking, which in the past have received scant attention in mainstream television coverage of the games.
But there’s a catch.
To view the video, it will be necessary to download a Microsoft Web browser software component based on a new proprietary technology, Silverlight, that is intended to make it possible to display interactive animations, graphics, audio and video, all within a fixed window inside a Web browser display.
The Silverlight technology will allow streaming of video and interactive applications like video games to both Macintosh and Windows PC users. (For example, the new Netflix streaming service is based on Silverlight.) A version for Linux users is available via a joint project with Novell, and a mobile version will be available in the future on Windows Mobile and Nokia smartphones.
Microsoft executives say Silverlight will “light up the Web” with multimedia content.
But for many industry executives who compete with Microsoft, the world’s largest software company, the Silverlight strategy recalls a federal antitrust case in which Microsoft was found guilty of using its market muscle to stifle competition from the Web.
By bundling Internet Explorer with the Windows operating system, Microsoft destroyed Netscape Communications, Explorer’s main competitor. But it also incurred the wrath of the Justice Department and embroiled itself in the bitter antitrust lawsuit.
Now Microsoft is taking on another rival, Adobe, whose Flash media player is by far the dominant technology for streaming interactive content and video. The product from Adobe, based in San Jose, Calif., is on roughly 99 percent of computers connected to the Internet, based in large part on the popularity of YouTube, owned by Google; YouTube uses the Flash standard to stream videos. Windows Media, from Microsoft, and QuickTime, from Apple, trail behind.
“Silverlight is obviously mostly about Flash and competing with Adobe,” said John Lilly, C.E.O. of the Mozilla Corporation, the developer of the open-source Firefox browser.
Others take a darker view of Microsoft’s intentions and argue that Silverlight is simply a rehash of the company’s 1990s-era “embrace and extend” strategy for pre-empting Web competition.
“They’re still playing the same games,” said Michael R. Nelson, professor of Internet studies at Georgetown University. “It’s a way to lock up the content, and it’s not enabling as much innovation as we would like to see.”
That perception that the software publisher is still looking for ways to gain proprietary advantage was underscored late last year in a filing by seven states and the District of Columbia that asked a federal court to extend the set of restrictions under which Microsoft has been operating as a result of the antitrust lawsuit.
The lawyers for the states argued that if Microsoft were to favor Silverlight in the next version of its operating system — as it tried to favor its desktop search program in Vista — it would give the company a significant advantage in competing against Adobe.
Open systems like the Linux operating system and standard protocols, like HTTP, which is the basis for the World Wide Web, have become a growing economic force. In some cases, standards complement proprietary systems. In others, they compete with those technologies.
A Microsoft executive defended the company’s strategy in developing Silverlight, saying the company was committed to making its products compatible with systems based on common standards.
“It’s a Catch-22 situation,” said Brian Goldfarb, who oversees several products, including Silverlight, at Microsoft. He said the company believes that strictly adhering to standards makes it difficult, if not impossible, to innovate.
“Standards are not the only way to be open,” Mr. Goldfarb said. Moreover, he noted that Microsoft increasingly does participate in standards groups. “One of the areas where we don’t get a lot of credit is for Ajax,” a technology that he said lies at the foundation of the modern Web, known as Web 2.0.
At the same time, he acknowledged the proprietary limitations of Silverlight. Microsoft is the only vendor selling software needed to produce interactive and video content for Silverlight. He also acknowledged that the company has no plans to make the digital rights-management technology in Silverlight, known as PlayReady, available on servers other than Microsoft’s.
Microsoft faces significant challenges in unseating Flash, which will be used to stream Olympics video in many other countries, including China, Japan and Australia. According to Kevin Lynch, Adobe’s chief technology officer, there is a major philosophical difference between the two companies.
“The question is, are you trying to advantage one particular operating system?” he said, pointing to Microsoft’s decision to reserve certain features like 3-D effects and downloading for the company’s Windows Vista operating system.
THERE is another viewpoint on the Adobe vs. Microsoft vs. Apple war, one that argues that the giant companies are fighting the last war rather than the coming one.
Mr. Lilly, for example, says he believes that what the Internet scholar Jonathan Zittrain has described as the “generative Web” — systems that make it increasingly simple for almost anyone to become a multimedia Web publisher — will increasingly define a third route for developing the future of the Web.
For example, later this year, the next version of the Firefox browser, which now commands roughly 20 percent of the market, will be introduced with built-in support for an open-source video format, Ogg Theora, intended to make video a seamlessly integrated part of the Web experience without a plug-in.
(Theora, for those who remember, was a character in the 1980s “Max Headroom” science fiction television series.)
The message is that in the future, content won’t come from the giant networks but instead will come from everywhere.

http://www.nytimes.com/2008/08/10/sports/olympics/10stream.html?_r=1&src=linkedin&oref=slogin
September 1st, 2008
Are we to have two Internets?

Posted by Dana Blankenhorn @ 8:37 am
There are now two Internets.
One you see at home. One you see at work.
On the Home Internet bandwidth is limited, but people can choose freedom (for now). On the Work Internet bandwidth is unlimited but the boss rules.
On the Home Internet standards evolve from an open process and are generally followed.
On the Work Internet standards are set by Microsoft.
On the Home Internet duopolists are setting bandwidth caps aimed at centralizing delivery of video and forcing users to buy it from those authorities.
On the Work Internet Microsoft is ignoring Internet standards and calling standards non-standard.
The Work Internet is controlled by employers, who buy their own gear, set policy based on their own hopes and fears, but control private networks at wholesale prices. It can be downright Chinese, with filters not only looking at where you surf, but searching your e-mails for images of skin.
The public Internet is controlled by duopolists who manage resources for maximum profit and minimal investment. You can censor yourself and your kids if you choose, but the main limits are on your gross use of the resource, not what you do with it.
Microsoft’s decision, with IE8 Beta 2, to make its proprietary standards the default on corporate intranets, defining Web pages written to open standards as “broken,” may be the final break between these two Internets.
Can the two Internets be brought back together? And can we return to an Internet where consumers have choices and are free to do as they will?
Something to consider as we enter the election campaign.
Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983. See his full profile and disclosure of his industry affiliations.
http://blogs.zdnet.com/open-source/?p=2841&tag=rbxccnbzd1
August 13th, 2008
Who owns the Internet?

Posted by Dana Blankenhorn @ 7:43 am
Open source depends, for its very existence, on a free, open Internet, in which commerce is frictionless, with no barrier to entry, no cost for distribution, and very low marketing costs.
Without it an outfit like Excelsior, located in the Siberian city of Novosibirsk, wouldn’t stand a chance, even in its home market. It would be like Tom Lehrer’s song about the great Lobachevsky.
Over the last few months a number of stakeholders have tried to forcefully control the resource. The question for users and the industries which depend upon them is, what are you gonna do about it?
The most important threat comes from infrastructure owners — mainly the phone and cable duopoly. It started with the throttling of BitTorrent, a service many open source projects depend on for distribution, to protect their video monopolies.
Now, in a response to the FCC ruling that throttling is illegal, they’re talking about metered pricing, which is bound to limit usage.
None of this would be possible if consumers had choices in the market, but over the last decade the U.S. government has helped create, and then endorsed this duopoly.
Why? It’s easier to control a resource with a small number of stakeholders than one with many. Getting IP traffic shunted to the government took just a few phone calls. If the market were more diffused it would have been impossible.
There is a second risk to government control of the resource, which is that it can be militarized. Evidently that happened during the recent Russia-Georgia conflict.
Which brings us back to Novosibirsk. Sure, the company can set up servers outside its home country. But if stakeholders or government control the resource, they control the economy which depends upon it.
That’s why the issues of Internet control should deeply concern those in the open source world, and why we need to get far more deeply involved in Internet governance issues than we are.
It’s our roads they’re blocking.
Dana Blankenhorn has been a business journalist for 30 years, a tech freelancer since 1983. See his full profile and disclosure of his industry affiliations.
http://blogs.zdnet.com/open-source/?p=2778
Why Chrome Won't Crash Windows
Google's brand is pure gold, but its tech edge is unproven in the browser sweepstakes
by Andy Beal
Some are calling Google's (GOOG) new browser Chrome an "Internet Explorer killer." Others venture further and call it a "Windows killer." Whether Google's newly launched browser has Microsoft (MSFT) quaking is unclear, but there's no doubt that Google is serious about "organizing the world's information"—and is prepared to shake up the status quo in the process.
It should come as little surprise that Google is entering the Web browser market. The search heavyweight already has a substantial stake in our online activities. Search, check! E-mail, check! Office documents, check! The list of Web applications offered by Google is both long and varied. With its goal of providing all of our online needs, it makes perfect sense that Google would step up and provide a Web browser built to accommodate its applications. With Chrome, Google is betting that more of us will move more of our computing from desktops to online, relying on the vast data centers known as "the cloud." But can Google's Web browser singlehandedly entice us to dump a favorite Web browser and our computer's operating system?
Let's start with the operating system. What's your favorite flavor? Windows, OS X, Linux? Whichever your allegiance, for at least the next several years, you'll need an operating system to boot your computer and store the applications that are still too large and unwieldy to run from inside the cloud. Take iTunes, Photoshop, or PowerPoint. While online equivalents exist, they just can't match the processing power and functionality that come from the applications you run from your computer's operating system.
Segmenting Online Activities
And, while Google Chrome’s strength comes in its ability to segment online activities—an open tab playing a live video stream won’t slow down the remainder of your Web browsing—it still needs an operating system at its foundation. For evidence that Google Chrome is not yet ready to replace an operating system, consider the browser’s limitations at launch. Despite two years of hard work, Chrome runs only on Windows; there is no version at all for Apple’s OS X or Linux.
Then comes the question of Chrome's potential for wresting market share from Google's rivals. Can Google really launch a new browser and expect to grab some of Internet Explorer's 72% Web browser market share and Firefox's 20%? Chrome certainly started off strong. On its opening days, according to analysts at Lehman Brothers, free downloads reached an astounding 2% of the market. Lehman predicts that the new browser could reach 15%-20% market share in just two years. In other words, it's likely to be big, but not dominant.
What's more, Google Chrome is not yet proven as a revolutionary Web browser. Google technicians emphasize that its architecture is different, and predict that it will handle computing intensive software applications better than its rivals. But most of the Web surfers who downloaded it on its first day came to face to face with a bare-bones browser with few of the add-ons and plug-ins available on the others.
Brand of Gold
What Chrome can boast is the Google brand. While not everything Google touches turns to shareholder gold, its brand works wonders. The company could launch a new brand of laundry detergent, and we’d likely clear grocery store shelves of the stuff. You can bet that Google’s fans will jump at the chance to download a Google-branded browser, so they can check their Gmail, look up their Google Maps, and search for laundry detergent on Google.com.
It's our infatuation with the Google brand, more than the technology inside, that will boost Chrome's market share and further extend Google in our daily Web activities. As for being a Windows or Internet Explorer killer, don't count on it.
Andy Beal is an Internet marketing consultant specializing in search marketing, blogging, and reputation management. Beal is also the founder of the online reputation monitoring service Trackur.com.