Thank you for dumbing me down, youtube



  • @serguey123 said:

    @El_Heffe said:

     Ideas are easy. 

    Failed visionaries and inventors around the world disagree with you

    Actually, ideas are easy. Implementing said ideas, especially successfully, is difficult.



  • @dohpaz42 said:

    @serguey123 said:

    @El_Heffe said:

     Ideas are easy. 

    Failed visionaries and inventors around the world disagree with you

    Actually, ideas are easy. Implementing said ideas, especially successfully, is difficult.

    Have you tried? Creative thinking is harder than most people realize.



  • @dohpaz42 said:

    Actually, ideas are easy. Implementing said ideas, especially successfully, is difficult.

    Seconded.

    Additionally:
    A program with functional stable code but terrible design is a crappy program
    A program with good design but broken buggy code is a crappy program
    A program with terrible design and broken buggy code is Lotus Notes



  • @serguey123 said:

    Have you tried? Creative thinking is harder than most people realize.

    Yes, all of the time. I have a lot of Great Ideas ™*, but I lack the funding, skill, and/or time to implement. Also, I have this knack for coming up with ideas that somebody else already came up with, took the time to prototype, research, and develop; one example was the idea for a keyboard with digital keys that can be controlled by the OS; the reason was to have a keyboard that can dynamically change layouts (qwerty, Dvorak, etc) without replacing keys, and to have hot keys programmable for applications. The next day, a friend coincidentally pointed out a press release about the - at the time - upcoming Optimus Maximus keyboard. Them's the breaks, I guess.

    * Subjective, I know



  • @dohpaz42 said:

    I have a lot of Great Ideas ™*, but I lack the funding, skill, and/or time to implement. Also, I have this knack for coming up with ideas that somebody else already came up with, took the time to prototype, research, and develop; one example was the idea for a keyboard with digital keys that can be controlled by the OS; the reason was to have a keyboard that can dynamically change layouts (qwerty, Dvorak, etc) without replacing keys, and to have hot keys programmable for applications. The next day, a friend coincidentally pointed out a press release about the - at the time - upcoming Optimus Maximus keyboard. Them's the breaks, I guess.
     

    Some years ago, I noticed that whenever a large group of my relatives get together from all over the country, one of the big events is the synchronizing of the address books.  Little old ladies haul out their notebooks full of many-times-erased contact information and set to work:  "Jeff has moved to Oregon, do you have his new address?" "Brian and Kelly got divorced, I have his new phone number."  "Is that info for Ermintrude before or after she spent that year living with her nephew and his 'boyfriend'?"

    I thought, wouldn't it be great to have a place they could all go on the web and get the most current information on everyone within their little circle of relatives and long-time friends?  Anybody who had new info could update it, and they could put the pictures of the new baby there as well so everyone could see them.  I figured on using some kind of Wiki approach to hide the mechanics of it from the tech-phobic older folks.  But I never got around to implementing it.

    It's only because I was busy doing other things that I wasn't the one who created Facebook.



  • @dohpaz42 said:

    @serguey123 said:

    Have you tried? Creative thinking is harder than most people realize.

    Yes, all of the time. Without results

    I see...



  • @da Doctah said:

    It's only because I was busy doing other things that I wasn't the one who created Facebook.

    I feel the same way about the IMDB, except my excuse was at the time I didn't have the skill-set to implement it.



  • @serguey123 said:

    @dohpaz42 said:

    @serguey123 said:

    @El_Heffe said:

     Ideas are easy. 

    Failed visionaries and inventors around the world disagree with you

    Actually, ideas are easy. Implementing said ideas, especially successfully, is difficult.

    Have you tried? Creative thinking is harder than most people realize.

    Creative thinking is the catalyst for most WTFs.



  • @El_Heffe said:

    That's like creating a mock-up of the UI of a program and the boss thinks that the program is 98% done since all of the coding that actually makes the program work is just "technical details".
     

    No, it's not like that at all.

    What I mean is, you seem to think I'm saying "the idea of security is easy (i.e. yep we need it.), but the cryptographic hash is very complex.", but I mean to convey "the cryptographic hash is a very complex idea, and its successful implementation in code or hardware is equally difficult".

    So yeah, replacing the idea of username/passwords with some other system is a complex idea in and of itself, even disregarding its as of yet hypothetical technical implementation.

     

    Sometimes you have a problem. And you think a new systematic approach can help. Now you have two problems.



  • I think the chap with the article had the right idea, which is realising that the problem is... passwords. WTF he thought the answer was therefore... passwords is quite beyond me.

    It's plain that the answer is actually to stop requiring people to log-in the whole bloody time.



  • @MascarponeRun said:

    I think the chap with the article had the right idea, which is realising that the problem is... passwords. WTF he thought the answer was therefore... passwords is quite beyond me.

    It's plain that the answer is actually to stop requiring people to log-in the whole bloody time.

     

    Agreed, but if you allow anonymous posting at all, you have two choices:

    1) Be diligent in moderation, or

    2) Become 4chan.

    As I see it, OpenID is useful for the same situations where being anonymous is useful: throwaway logins to esoteric forums that have some bit of information you want.  You'll show up once, get what you need, and probably never visit the site again.  In that case, I'd love to use OpenID so I can just log in as Joe Jack Zippycrow and then never worry about it again.

    My problem with Atwood's take is that he seems to think we should be using OpenID for stuff that actually matters, like bank logins, and that we should be absolutely thrilled to have our entire online presence easily tied together by some dicey third party.  Yeah, that's a real cool idea.



  • @MascarponeRun said:

    It's plain that the answer is actually to stop requiring people to log-in the whole bloody time.
     

    How do you link personal items to users?

    Like last.fm statistics or your tweets?



  • @dhromed said:

    @MascarponeRun said:

    It's plain that the answer is actually to stop requiring people to log-in the whole bloody time.
     

    How do you link personal items to users?

    Like last.fm statistics or your tweets?

    Usernames?

    I'd go as far as to argue that even sites like this don't need passwords - honestly, if someone can impersonate, say, Blakey well enough that we can't spot it, does it matter? - but there's an easier case for a more moderate approach. Certainly, if I don't give two hoots about my - to use your example - last.fm data, there's no reason why I should be forced to set a password. Similarly, there are plenty of cases where there's nothing whatsoever worth protecting - smaller online shops are particularly guilty of this, often requiring creation of username/password just to store name and address details that could just as well reside in a cookie for all the difference it would make.

    Just off the top of my head, we could also make use of stuff like unique links mailed to the registered email address for the account. If they're reasonably long then the chances of guessing one are slim, and the chances of guessing a specific one are pretty much zero. Of course, that's not far from how all those people who click the reset password link every time they visit a (rarely visited) site are already doing it.
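
The e-mailed unique link from the post above, as an added example that is not part of the original thread: the token is long and random, stored only as a hash, expires, and works once. The 15-minute lifetime, the `shop.example` URL and the in-memory `PENDING` table are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60   # assumed link lifetime, in seconds
PENDING = {}          # sha256(token) -> (account, expiry); stands in for a DB table


def issue_link(account, now=None):
    """Create a single-use login URL to mail to the account's registered address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    PENDING[digest] = (account, now + TOKEN_TTL)   # only the hash is kept server-side
    return f"https://shop.example/login?t={token}"  # hypothetical URL


def redeem(token, now=None):
    """Return the account for a valid token, or None. Each token works once."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = PENDING.pop(digest, None)          # pop: a replayed link finds nothing
    if entry is None:
        return None
    account, expiry = entry
    return account if now <= expiry else None  # expired links are refused
```

Storing only the hash means a leaked copy of the table does not hand out working links.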



  • @Justice said:

    throwaway logins to esoteric forums that have some bit of information you want.  You'll show up once, get what you need, and probably never visit the site again. 
    I reckon something like 80%+ of the accounts I end up creating on the web have a password like 'password' and a mailinator.com email address.



  • @MascarponeRun said:

    honestly, if someone can impersonate, say, Blakey well enough that we can't spot it, does it matter?

    Nobody can. I'm the wind, baby!



  • @MascarponeRun said:

    . Certainly, if I don't give two hoots about my - to use your example - last.fm data, there's no reason why I should be forced to set a password.
     

    I write a spider, spend an afternoon filling it up with usernames I see (or automate that process as well) , and send it off to all popular sites changing people's bios and profiles to spam links and banner ads, and generate random spam posts on people's twitters, tumblrs, wordpress blogs and facebook walls.

    I schedule this to be done every week or day or so.

    As someone who, along with the other mods here, has cleaned up thousands of automatically generated spam posts on this forum, you'll forgive me if I think your proposal is a little naive, though I applaud the fact that you're thinking about the problem.



  • @dhromed said:

    I write a spider, spend an afternoon filling it up with usernames I see (or automate that process as well) , and send it off to all popular sites changing people's bios and profiles to spam links
    There's no reason why the profile-change url needs to be easily inferrable from username.

    That said, I wasn't pretending to offer finished solutions, and certainly some things - Twitter, perhaps, email, and so-on - will still need password protection. My point is just that a lot of stuff doesn't.



  • @MascarponeRun said:

    @dhromed said:
    I write a spider, spend an afternoon filling it up with usernames I see (or automate that process as well) , and send it off to all popular sites changing people's bios and profiles to spam links
    There's no reason why the profile-change url needs to be easily inferrable from username.

    That said, I wasn't pretending to offer finished solutions, and certainly some things - Twitter, perhaps, email, and so-on - will still need password protection. My point is just that a lot of stuff doesn't.

     

    Where do you make the cutoff, though?  And who decides that?

    Really, I think the problem isn't even passwords, it's having to repeat the identity process time and time again.  The more people who manage their own authentication, the more people there are who can screw it up, and suddenly your throwaway identity is compromised (which will be a pain in the ass to varying degrees).  IIRC, that's what happened when Gawker was compromised, because so many people use the same username/password combination for every single thing, or at least everything that is of no real importance.  The big gain of something like OpenID is being able to leave security to the security people, assuming of course that your provider knows what the hell they're doing.

    I don't mind websites wanting some kind of authentication, because most sites would probably rather not turn into 4chan.  What I do mind is having to create a username and password and go through email verification just to be able to use the search function or view image attachments on Brad's Honda Civic Modification Hub, and then having to do it again on Tony's Honda Accord Customization Depot.  Even a perfect solution won't go anywhere until Brad and Tony recognize that their little communities are not particularly special, and 90% of their visitors are just doing research on parts compatibility.



  • @MascarponeRun said:

    Certainly, if I don't give two hoots about my - to use your example - last.fm data, there's no reason why I should be forced toDisregard that, I suck cocks.

    See, that's what happens if you don't give a hoot who uses your online identity.




  • @Justice said:

    My problem with Atwood's take is that he seems to think we should be using OpenID for stuff that actually matters, like bank logins, and that we should be absolutely thrilled to have our entire online presence easily tied together by some dicey third party.  Yeah, that's a real cool idea.
    And that's the real problem:

    Who exactly would be a non-dicey third party?  And if you did find someone, can you guarantee that they will never become a dicey third party?



  • @El_Heffe said:

    @Justice said:
    My problem with Atwood's take is that he seems to think we should be using OpenID for stuff that actually matters, like bank logins, and that we should be absolutely thrilled to have our entire online presence easily tied together by some dicey third party.  Yeah, that's a real cool idea.
    And that's the real problem:

    Who exactly would be a non-dicey third party?  And if you did find someone, can you guarantee that they will never become a dicey third party?

    Old problem, really. We all just need (really, really) strong asymmetric keys. Publish your public key to dicey and non-dicey third parties alike. Your private key is password protected on your own devices. You're still just pushing the password problem around, but if your private key is locked away locally, the password problem is completely local. The private key handling can be trusted applications that aren't in control of other folks or reside on corporate servers or phone home or whatever. To log in, just transmit the private-key encrypted message, "Yes, I am ${username}" to the remote server which respects at least one of those third-party keyrings. Basically, the way key-auth'd SSH sessions work.

    It's all good until your private key gets compromised, I guess, because if you can't update all those keyrings before the private key thief does, you'll need to change your whole identity. I think that's a better problem than current problems, though.

    These are, of course, not my ideas (http://en.wikipedia.org/wiki/Web_of_trust).

    (And yes, I know identity and authentication and encryption are all different aspects, but they can be convolved satisfactorily.)
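
The key-based login from the post above, as an added example that is not part of the original thread: the server keeps only public keys, and the client signs a fresh server nonce so that a captured signature is useless on the next attempt. It assumes the third-party `cryptography` package; the `forum.example` name and the message layout are made up for illustration.

```python
import secrets

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey


def login_message(user, nonce):
    # Bind the signature to this site, this user and this one challenge.
    return b"login|forum.example|" + user.encode() + b"|" + nonce


class Server:
    def __init__(self):
        self.keyring = {}   # username -> public key (published, not secret)
        self.pending = {}   # username -> outstanding nonce

    def challenge(self, user):
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def login(self, user, signature):
        nonce = self.pending.pop(user, None)   # each nonce allows one attempt
        key = self.keyring.get(user)
        if nonce is None or key is None:
            return False
        try:
            key.verify(signature, login_message(user, nonce))
            return True
        except InvalidSignature:
            return False


def demo():
    server = Server()
    private_key = Ed25519PrivateKey.generate()   # never leaves the user's device
    server.keyring["alice"] = private_key.public_key()
    nonce = server.challenge("alice")
    signature = private_key.sign(login_message("alice", nonce))
    first = server.login("alice", signature)
    server.challenge("alice")                    # new attempt, new nonce
    replay = server.login("alice", signature)    # old signature, captured in transit
    return first, replay
```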



  • @Justice said:

    Where do you make the cutoff, though?  And who decides that?
    Why shouldn't I? I note that many of the sites I'm complaining about want to secure my data for their benefit, not mine - so why should it be my problem?

    @Justice said:

    I don't mind websites wanting some kind of authentication, because most sites would probably rather not turn into 4chan.  What I do mind is having to create a username and password and go through email verification just to be able to use the search function or view image attachments on Brad's Honda Civic Modification Hub, and then having to do it again on Tony's Honda Accord Customization Depot. 

    To be quite clear, I'm not suggesting that authentication is never needed, or that passwords are never the way to go. What I'm saying is that sometimes authentication is not necessary much or at all, and sometimes we should be considering other means of authentication apart from passwords. The example you offer is just the kind of thing I'm thinking of - it's clearly a problem, and to my mind the solution is that there's no need for the level of security that's being implemented there. Once sites like that ask for passwords, they have a duty to keep them secure. If they never asked for them in the first place, they don't need to worry as much. Bear in mind that on here, spammers often register accounts, so even that doesn't stop people completely.



  • @MascarponeRun said:

    Bear in mind that on here, spammers often register accounts, so even that doesn't stop people completely.
     

    Very true, in fact we just saw that in another thread: http://forums.thedailywtf.com/forums/p/24855/269770.aspx#269770

    I agree with your point, that in probably 95% of these scenarios there is no need for the levels of security/authentication that people are requiring.  The issue for me was, how do you get them to stop?  You'll have a very hard time convincing Brad and Tony that their little car forums aren't worth the trouble, and in the meantime it continues to be a pain for their users.

    If something like OpenID is going to work, then the powers behind it have to

    1. gear it towards the unimportant stuff and stop pretending we should use it for online banking (but again, banks need to get their shit together) and
    2. make it easier than setting up usernames and passwords.  Even Jeff Atwood has admitted that OpenID fails on this point.

     

    Point 2 is the real hurdle here.  I don't think arguing for a better user experience is going to sway Brad and Tony.  Appealing to laziness pretty much always works. 

