[ale] help - how do I log into learnstreet without ...

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Thu Mar 28 14:26:07 EDT 2013


see below

"Michael B. Trausch" <mbt at naunetcorp.com> wrote:

>On 03/27/2013 04:39 PM, Jim Kinney wrote:
>> Ron, your level of paranoia is becoming disturbing. I'm not trying to
>> be mean or attacking, but seriously, this is sounding a bit nutty to me.
>
>+1.
>
>Best security practice isn't to have a different username and password
>everywhere, exactly.
>
>Best security practice is to ensure that the level of security present
>on each account is merited based on the value of what can be obtained
>through that account.  And best security practice is to use
>single-sign-on type technologies whenever possible, because humans can
>more easily deal with that in production environments.
>
>A lot of web applications are going with sign-in over the Web through
>various providers.  Now, I would love to see sites support Google,
>Twitter, Facebook, etc., but also support plain Jane generic OpenID as
>well, along side those.  OpenID is a safe and usable SSO method on the
>Internet.
>
>I use stronger passwords than probably most people on this list do for
>most things, but I don't much need a bookkeeping method for my passwords
>because I leverage SSO technologies where I can.  They make my life way
>easier, at a minimal cost, and I never actually have to share my
>authentication data with third party sites that I sign into that way.
>It's win/win.
>
>Best security practice is also to know not only the _what_ to do to have
>practical security: the _how_ and the _why_ are very important as well.
>That is why there are people whose full-time job is security in a real,
>large, production setting.  And even then, some of those don't get it
>right; they'll apply whatever they know to apply, but not necessarily
>know why.
>
>It is important to fully, truly realize the impact of this statement:
>
>What constitutes a "security breach" in one environment might be
>expected, even normal behavior in another environment altogether.
>
>We can all agree that, for example, plaintext communication is unsafe
>across the Internet for many things.  But on an intranetwork,
>particularly a very small and isolated intranetwork, there is little
>need to increase complexity just to have communications be encrypted on
>that network.  Internetwork links transited over the public Internet,
>though, that's another story altogether.
>
>Plaintext passwords are simply bad security practice all the way around,
>for no other reason than it means that the database can be had by
>whoever happens to be the first to crack it.  However, if you have a
>network application that is on an intranetwork and cannot be reached by
>way of the Internet itself, it may very well be necessary.  In fact, I
>wrote a Web application not long ago where I *did* have to store a
>cached copy of the user's plaintext password in order to give the
>application any functionality whatsoever.  Sometimes, it truly is
>necessary.  (Of course, that's why we have and can deploy things like
>Kerberos, where delegation of credentials without giving up the shared
>secret is possible.)
>
>	--- Mike
>
>-- 
>Michael B. Trausch, President
>Naunet Corporation
>
>Telephone: (678) 287-0693 x130
>Toll-free: (888) 494-5810 x130
>FAX: (678) 287-0693
>
>

Hi Mike T,

I appreciate the information you're sharing, and am certainly willing to consider it going forward.  I'm willing to consider things like single sign on going forward, as I learn more about them.

However, I don't agree with your and Jim's assessment of my "excessive paranoia".  In security, it is almost always better to be excessively paranoid than excessively lax.  Being exactly paranoid enough is a fine line that few can walk.  Even if you can walk it, the bad guys will get better, and then you go from being exactly paranoid enough to being excessively lax, just because they got better.

Threat assessment, and threat response, either on an individual or business basis, is a highly personal and individual task.  No two individuals or boards of directors will see the threat the same way.  No two will assess the potential consequences of a breach the same way.  No two will feel comfortable allocating the same amount of resources to solve the problem.  No two will have the same magic number of how safe is safe enough.

Having been burned by the LinkedIn debacle, and having to change 30 or so passwords that were the same as the LinkedIn one; and having been burned by the Evernote fiasco, and having learned that, even though my passwords for different websites were unique and random, 15 characters was of marginal quality for a password, I have decided to do my best not to get burned again.

I don't want anyone from the outside to break into any of my online accounts ... EVER.  I care about them all.  Obviously, they could wreak havoc by breaking into my tax account or my bank.  But they could also create havoc by breaking into my Amazon account or my eBay account.  To a lesser degree, to be sure, but they could still cause me considerable time and trouble and potential legal problems by impersonating me and buying and selling things on my behalf, with my credit card data perhaps.  The steps I've taken make that likelihood as small as I practically can make it.

In a way, I am doing single sign on.  I sign on to my LastPass database, and it automatically logs me into any of the websites I have stored in it.  My password account is protected by a single relatively long and difficult to type passphrase.

Now, let's say, hypothetically, that I use an OpenID provider, like GitHub to do all my authentication.  Furthermore, let's say that all my 53 vendor sites that I use support the use of GitHub logons.  Let's say I used the same password with GitHub that I do now for LastPass.  So, I go to logon to Amazon, and I enter my GitHub credentials.  Behind the scenes, their systems talk and Amazon decides to trust me.

Am I better off, or worse off?

I think I'm worse off, and here's why.  GitHub is in the business of providing repositories for code distribution.  Twitter and Facebook are in the business of social networking.  Providing OpenID functionality is but a small part of their business model, a small part of what they spend talent and money on.  Furthermore, if GitHub's OpenID servers are down, or are attacked, I cannot log into any of my 53 vendors.

On the other hand, LastPass' reason for existence is to provide password and secure note management.  They put all their resources and money into making that happen.  I pay them a small fee every month to help them do that, and they have a fiduciary and legal obligation to make sure their technology is secure.  I feel more comfortable with LastPass managing my online security life than I do with GitHub or Twitter or Facebook.  Far more comfortable.

Also, the LastPass database is stored on each of my computers in encrypted form.  If the LastPass servers are down, I can still access the database, and I can still log into Amazon.  As far as I know, that's not true with an OpenID type login solution.

Finally, there is the potential that someone will steal the database of user credentials from LastPass.  As I said, they have a higher legal responsibility to protect this stuff (I think) than does Twitter.  So hopefully, that's less likely to happen.  But, if it did, I would just have to change my login credentials on their website and change the master password on my devices before the crackers crack my account.  That is doable.

There is also the possibility that they could steal MY personal password database, either by stealing it from LastPass, through a corrupt employee, etc., or by stealing my computer.  In that case, they would still have to crack my master password.  Hopefully, I could change all 53 logins in the database before they cracked the database.  Then the data would be useless to them.

So, in essence, I'm implementing the best in class tactics that you describe.  I'm just not using OpenID.

So, am I overly paranoid?  I certainly hope so.  Otherwise, I'm in danger of being excessively lax.  That level of paranoia has to continually ratchet up as the bad guys develop better tactics.

Am I nutty?  I don't think so.  But, everyone is nutty in their own way, so I'm OK with it.  8-)

Sincerely,

Ron



--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
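The threat model Ron lays out above (a stolen, encrypted vault file whose thief must first crack the master passphrase, while the owner races to rotate every login inside it) can be made concrete with a small cost model. The following is an added example written for this archive page; it is not code from the thread, from LastPass, or from any vendor. It assumes a vault whose key is stretched with PBKDF2-HMAC-SHA256 and a key-check value stored beside the ciphertext so the client can reject a wrong passphrase locally; the 600,000-iteration work factor, the attacker hash rate and the three-day rotation window are constructed assumptions, not measured figures.

```python
"""Cost model for offline guessing against a stolen, encrypted password vault.

Added example for the thread above, not vendor code. The vault design (PBKDF2
stretching plus a local key-check value) and every numeric parameter are
assumptions chosen for illustration.
"""
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 600_000  # assumption: a contemporary PBKDF2-HMAC-SHA256 work factor


def derive_vault_key(master_passphrase: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master passphrase into a 256-bit key for the vault ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def make_verifier(master_passphrase: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Build the per-device unlock record: random salt, work factor and key-check value.

    The check value is what lets a client reject a wrong passphrase without a
    server; it is also exactly what hands a thief of the file an offline oracle.
    """
    salt = os.urandom(16)
    key = derive_vault_key(master_passphrase, salt, iterations)
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def verify_master(verifier: dict, candidate: str) -> bool:
    """Return True only if candidate re-derives the key the verifier was built with."""
    key = derive_vault_key(candidate, verifier["salt"], verifier["iterations"])
    check = hmac.new(key, b"vault-key-check", hashlib.sha256).digest()
    return hmac.compare_digest(check, verifier["check"])


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random secret: `length` symbols from `alphabet_size` choices.

    Human-chosen passwords fall far below this figure; the model is only honest
    for generated secrets such as a manager's random passwords or diceware words.
    """
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, iterations: int, hmacs_per_second: float) -> float:
    """Expected wall-clock time for an offline attacker to reach the right passphrase.

    Half the keyspace is searched on average, and each guess costs `iterations`
    HMAC-SHA256 evaluations, so the KDF work factor multiplies the attacker's bill.
    """
    return (2.0 ** (bits - 1)) * iterations / hmacs_per_second


def rotation_window_ok(bits: float, iterations: int, hmacs_per_second: float,
                       rotation_seconds: float) -> bool:
    """True if every login in the vault can be changed before the expected crack lands."""
    return rotation_seconds < expected_crack_seconds(bits, iterations, hmacs_per_second)


if __name__ == "__main__":
    RIG_HMACS_PER_SECOND = 1e10   # assumption: aggregate rate of a GPU cracking rig
    ROTATION_WINDOW = 3 * 86400   # assumption: three days to rotate all 53 logins by hand

    candidates = {
        "8 random alphanumerics": entropy_bits(8, 62),
        "15 random printables": entropy_bits(15, 95),
        "5 diceware words": entropy_bits(5, 7776),
    }
    for name, bits in candidates.items():
        for iters in (1, PBKDF2_ITERATIONS):
            secs = expected_crack_seconds(bits, iters, RIG_HMACS_PER_SECOND)
            ok = rotation_window_ok(bits, iters, RIG_HMACS_PER_SECOND, ROTATION_WINDOW)
            print(f"{name:24s} {bits:5.1f} bits  iterations={iters:>7}  "
                  f"~{secs / 86400 / 365:.3g} years  rotate-in-time={ok}")

    # Local unlock check: the wrong passphrase is rejected without any server round trip.
    record = make_verifier("correct horse battery staple")
    print("unlock with right passphrase:", verify_master(record, "correct horse battery staple"))
    print("unlock with wrong passphrase:", verify_master(record, "correct horse battery stapler"))
```

Two things the output makes visible that the prose only asserts: the work factor alone moves an 8-character random password from hours to centuries against the assumed rig, and every figure collapses once the secret is human-chosen rather than generated, which is why the master passphrase, not the stored site passwords, is the part of this design worth agonising over.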



