
Usable Security's Stumbling Block: The Chicken and the Egg

July 14, 2008 · 0 comments

One of the main problems, as I see it, with security research is the chicken and the egg. Let’s say you come up with a snazzy new protocol, but this protocol requires a smart client (or modification to a browser). Additionally, you have some identity providers that are not terribly difficult to develop, but are not deployed. Now, how do you justify deploying all these modifications or new service providers if there are no clients to take advantage of them? On the other hand, how do you justify upgrading all the clients to support a protocol that has no identity providers?

The real answer is that you compromise. You find some company whose business model can benefit directly from the technology and have them be a champion, and hope that you can get enough marketing (yes you heard me, marketing) and people interested that it creates some momentum and adoption.

One of the coolest protocols I’ve read about is SRP. It’s the bomb, really. Password based, strong cryptographic properties, mutual authentication—both the client AND the service provider are authenticated, phishing attacks to obtain your password are not an issue. I could go on, it’s got some serious coolness. Additionally, some work at BYU shows how it can be extended to make it solve a lot of problems that OpenID is aimed at, without the drawbacks. (Heck, it even allows you to delegate access to other users.)

Problem is, SRP and its extensions require a smart client, and modification of service providers. Chicken and the egg. Drat.
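The exchange the post is excited about, as an added example that is not from the post, from BYU, or from any SRP implementation: both sides of SRP-6a in Python, using a constructed toy group (N = 2**61 - 1, g = 2, far too small for real use) so the arithmetic is easy to follow. It shows why the password never leaves the client, why the server stores only a verifier, and how each side proves itself to the other.

```python
# SRP-6a (Wu) password-authenticated key exchange, client and server side.
# Constructed example, not code from the post or any SRP library. N = 2**61-1,
# g = 2 is a toy group only (insecure size); RFC 5054 publishes real ones.
import hashlib, hmac, secrets

N, g = 2**61 - 1, 2                     # toy modulus and generator (constructed)
ib = lambda n: n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
H = lambda *p: int.from_bytes(hashlib.sha256(b"".join(p)).digest(), "big")
k = H(ib(N), ib(g)) % N                 # SRP-6a multiplier parameter

def private_x(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enrol(username, password):
    """Client-side enrolment: the server stores only (salt, verifier v = g^x)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def server_respond(A, salt, v):
    """Server: from client public A and stored (salt, v) derive B and session key."""
    if A % N == 0:
        raise ValueError("degenerate client value A")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    u = H(ib(A), ib(B))
    S = pow(A * pow(v, u, N), b, N)     # = g^(ab + bux)
    return B, hashlib.sha256(ib(S)).digest()

def client_key(username, password, a, A, salt, B):
    """Client: the password is used only here, locally, and is never transmitted."""
    if B % N == 0:
        raise ValueError("degenerate server value B")
    u, x = H(ib(A), ib(B)), private_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(ab + bux)
    return hashlib.sha256(ib(S)).digest()

def run_exchange(username, password, salt, v):
    """Full exchange; returns (server_accepted_client, client_accepted_server)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                    # client -> server: I, A
    B, Ks = server_respond(A, salt, v)                  # server -> client: salt, B
    Kc = client_key(username, password, a, A, salt, B)
    M1 = hashlib.sha256(ib(A) + ib(B) + Kc).digest()    # client -> server: proof M1
    if not hmac.compare_digest(M1, hashlib.sha256(ib(A) + ib(B) + Ks).digest()):
        return False, False                             # server aborts, sends no M2
    M2 = hashlib.sha256(ib(A) + M1 + Ks).digest()       # server -> client: proof M2
    return True, hmac.compare_digest(M2, hashlib.sha256(ib(A) + M1 + Kc).digest())
```

A phishing site that captures A and M1 learns nothing it can replay, and a stolen verifier table does not let an attacker impersonate the user without first cracking x.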

Thoughts:

I’m wondering if it can be adopted by compromise, by providing a signed java applet to perform the smart client responsibilities for wireless authentication.

Another thought: if you could get one half of the problem solved, like widespread deployment of the smart client, the other side could very easily drop into place.

Early Adopters

Interesting tech is usually adopted by the geeks before it goes mainstream. Now, not all things the geeks embrace make it mainstream, but a lot of things mainstream were solidly in geek territory in the beginning. One way to get early adopters is to:
  • make a polished smart client for the Linux desktop (GNOME/KDE)
  • on the server, make your software as easy to use as an Apache module, etc.

The key is real solutions that at least the geeks can use today.

Ride Someone Else’s Coattails

OK. Everyone agrees that smart phones/smaller devices are going to be a key part of the foreseeable future. Why not use this trend to lift usable security mechanisms out of their academic tar pit? Just to be controversial I’m going to say Android is going to be huge. What if someone stepped up, and implemented this slick, efficient, just-what-the-doctor-ordered password smart client for the Android platform that happened to support SRP? Let’s say it took off like the iPhone; I think it is realistic to see broader adoption of SRP across the board if, a year after launch, there are 90 million installed clients with active users.


Hassle Me

January 16, 2008 · 0 comments

HassleMe is a cool looking free service that I ran into recently.

Not eating enough fruit? Forgot to feed the fish again? Need a little help keeping your New Year’s resolutions? Tell us what to hassle you about, and we’ll nag you via email at semi-unpredictable intervals.

I like the simplicity of it. I also like that you can configure a rough timing scheme. I could see myself configuring a ‘hassle’ everyday for only a short time. Either it would get ingrained into my head to do the thing everyday and I wouldn’t need the nagging anymore or it would be too much and the virtual nagging would become a little too real.

It would be fantastic for things that don’t happen quite as frequently. I know I’m not the only one that on occasion realizes that a month has passed by without me knowing.

Methinks the integration can go just a titch deeper – instead of just reminding, allow the notification to be actionable. For instance, if I mail you a reminder to blog, if you respond to the email, your response could be posted directly to your blog. Same goes for a journal.

An identity system with a delegation mechanism is really needed here. If I really want this service to post to my blog, well, I shouldn’t have to give it my blog password. I should be able to grant access to an application (the reminder service) to post a blog entry or whatever else without me disclosing my password. AtomPub can give us a lingua franca to converse with all these web services, but it doesn’t provide the identity part.


Java Java Everywhere, but not a drop to Drink

January 16, 2008 · 0 comments

There are a lot of things going on over in Java-land that are bringing up the questions: what exactly do you mean by Java, and what does the future of Java look like?

JRuby, Jython, Groovy and Rhino are all projects that show that Java as a language is not the future, but Java as a platform has a long and prosperous future.

On the other hand, Android is showing that the virtual machine isn’t the essential piece—it’s the syntax, the language. Android is using “Java” but targeting its own virtual machine, Dalvik, instead of the JVM.

Which is it? I’m not sure. Both developments are heading in opposite directions, but both directions look promising. Conclusion: Java the platform|language|OS|whatever isn’t going away any time soon and what we think of as Java is definitely going to change.


Greasemonkey just saved a few years of my life

January 10, 2008 · 0 comments

I’m a big fan of Google Reader. Let’s just say I’m subscribed to more than a few feeds. I use the keyboard shortcuts to quickly read and scan through my reading list. To keep my pace I’ve come to open articles that I want to think about more, or ones that I want to read more in depth in background tabs. Usually this involves the laborious task of moving my hand from the keyboard and middle-clicking with the mouse. Painful. Time-wasting. Distracting.

Enough is enough, so I decided to create a Greasemonkey script to bind a keyboard shortcut to opening an article in a background tab. But what magical JavaScript incantation is required to open a tab?

Turns out that Greasemonkey doesn’t only allow you to add functionality via JavaScript to any webpage; it also provides privileged functionality that is not available to normal JavaScript running in a webpage. One of those methods opens a URL in a background tab.

All the hard work goes to Sunny Wu who provided the solution. I tweaked his version to use the “h” character instead of “v”.

I wasn’t sure what kind of event this handler receives, and so I wasn’t sure how to determine that an “h” was pressed. Firebug to the rescue: I just added the following line to print the value to the Firebug console.

console.info("key=", event.which);

Sidenote: Ever wonder what event is sent for crazy modifiers like shift+3 or shift+s? I thought it might be something complicated—where you’d check if modifier keys were pressed on the keyboard event. I was thinking too much. Shift+3 ends up sending a #, shift+s sends a capital S. Who would have thought?!

Just change the first “if” to compare against 104 instead of 118 and h is the man.

I changed to h since, well, first, v currently opens the article in another tab that immediately takes focus—handy at times. Second, well, if I use h instead, I can navigate mostly with just my right hand :)


Firefox Tip on the Mac: Tabbing through Select Fields

January 09, 2008 · 0 comments

By default, on a Mac in Firefox, tab moves from one form element to another—except it will skip radio buttons, checkboxes and drop-down select boxes. I have suffered in silence since I started using the Mac. I finally found out that this too can be remedied. Hooray!

There is an actual setting in the Mac OS that produces this behavior. To change this so that tab treats all form elements with equality go to: System Preferences -> Keyboard and Mouse and select the tab Keyboard Shortcuts. On the bottom you will see a setting for “Full Keyboard Access”. Just set it to All Controls. This setting will take effect right away, no need to restart Firefox.

Found this in the comments on John Resig’s blog.


Can you Email me that?

November 12, 2007 · 0 comments

I was on the phone with my Mom and she had a document she wanted to send me.

Devlin: Mom, you’ve got a scanner. You can email it to me.
Mom: (Laughing) It would be easier for me to send it in the mail!

She’s telling the truth. Yes, my mom is a very competent computer user. It’s just not easy enough. It’s not just her, it’s me too. The number of programs and such that you’ve got to get to work together is too many. The single-button touch thingeroos on new all-in-ones don’t cut it. The software that listens for the scanner’s “convenience buttons” gums up the whole works; it consumes insane amounts of memory and doesn’t ever seem to work right anyway.

It’s a sad reflection on the state of usability in software when the postal system, the POSTAL SYSTEM of all things, is easier to use.
