30 Jul 2009 dobey   » (Master)

The System Is Down

Last night, Stuart and I were having a little argument about the merits of OAuth and whether it is actually suitable for what we are using it for (authenticating desktop applications to access a service), as I am not particularly fond of it, and I was working on support for OAuth 1.0a. Stuart's argument is that users trust the browser, and we need some piece of trust in the system, and OAuth provides that as it pretty much requires a browser to use it. But I don't really think users trust their browser (as so many don't even know what a browser is), but instead, what they trust is the site they're looking at. The browser doesn't even exist. It's just this inherent part of the system that you have to use. To most people it's The Internet, or the giant blue e, or a compass. The browser has no real meaning to them. It's the place they have to go to search for things, and access information. And Humans have two very important attributes. They are both very prone to error, and very resilient. People will keep going to the web, despite all its problems with poorly designed sites, and crashing browsers, and broken plug-ins, because they need to get at the information they're looking for. And they will very often type their password in the wrong place, or mistake a phishing site for a real site. No amount of code will fix this. And nothing that requires a Human to do something will guarantee security and authenticity. It will only create annoyances that Humans will optimize around.

As a specific example, I received a PayPal phishing mail in my Inbox this morning. It's a pretty nifty attempt at getting credit info, too. It includes an HTML form attachment, which POSTs to a PHP script that was implanted on http://ag-exchange.com/, presumably by compromising either Apache, PHP, or some other module their server is using. It appears to be a simple script which just reads the POST data, and redirects the user to the PayPal About Us page. The HTML form requires JavaScript and has a little card number validation method it seems, to avoid getting bad data. The mail was sent to my alias on gnome.org, and apparently got sent by taking advantage of an SMTP relay with a broken configuration. Of course, the SMTP server may have also been compromised and just had the configuration changed to allow open relay as well, but I suspect it was probably just open already. And that mail server belongs to

Syndicated 2009-07-30 15:09:16 (Updated 2009-07-30 17:08:52) from dobey's blog
