[ale] help - how do I log into learnstreet without ...

David Tomaschik david at systemoverlord.com
Fri Mar 29 13:59:40 EDT 2013


On Fri, Mar 29, 2013 at 6:39 AM, Michael B. Trausch <mbt at naunetcorp.com>wrote:

> On 03/28/2013 09:26 PM, David Tomaschik wrote:
> > This is true, but it also provides *one provider* who you need to trust
> > with security, not every site.  You can run that provider yourself with
> > OpenID.  So, OpenID (or centralized authentication in general) reduces
> > the attack surface, but increases the damage from a successful attack.
>
> I'm surprised at you, David!  Such a blanket statement.  That also
> depends on what one has in place to _mitigate_ compromise.  I think that
> anyone who puts any system in place and then does not plan for it to be
> compromised is missing the whole point of security.  Assume it will
> break.  Mitigate what can happen when it does.
>
>
Assuming you have >1 service using that OpenID provider, the damage from
compromising the OpenID account is, by definition, more than a compromise
of one of those accounts.  I never said that it results in a complete loss
of control.


> One reason why I keep my personal IDs and work IDs separate.  If someone
> compromises one, they cannot compromise the other.
>
>
I choose to use my email account to authenticate a *lot* of things (whether
by password reset capabilities or SSO).  If my email account gets
compromised, I have much bigger problems than logging into some eLearning
site.  (For example, I do not use a dedicated account on stackexchange,
just use SSO, but that's obviously less valuable than the email account
they'd have to compromise to get access to that.)


> At work, I use two---one with and one without "privilege".  Good
> separation of concerns there.  One exception to that is my workstation,
> where my normal unprivileged ID does carry sudo privilege on this single
> system.
>
> After a certain point, all you can do is mitigate damage.  You can do
> that, though, by so many different methods as to make that a whole tome
> (or volumes of them!).
>
>         --- Mike
>
> --
> Michael B. Trausch, President
> Naunet Corporation
>
> Telephone: (678) 287-0693 x130
> Toll-free: (888) 494-5810 x130
> FAX: (678) 287-0693
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
>


-- 
David Tomaschik
OpenPGP: 0x5DEA789B
http://systemoverlord.com
david at systemoverlord.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20130329/6cd57edb/attachment.html>


More information about the Ale mailing list