[Discuss] single sign-on
Kent Borg
kentborg at borg.org
Fri Jul 26 08:33:59 EDT 2013
On 07/25/2013 07:19 PM, Tom Metro wrote:
> What's especially dangerous is dismissing an email account, like the
> one at Gmail you might use for mailing list correspondence, as unimportant

Even more important because the fact that people are already logged into
their Gmail accounts means they are logged into all their Google stuff,
and that is becoming a major contender for a single sign-on system.

> LastPass is probably the best option for that audience.

Oh, jeeze, were I a cyber crook I would *so* hope that LastPass would
become really successful, because then I really could get my spyware to
start stealing some good stuff. <wistful sigh> I would be wiping the
drool from my mouth at the thought of it: get millions of people
trusting LastPass and standardizing on it as their
all-eggs-in-one-basket solution, all run from their terribly insecure
phones and PCs? It can't come soon enough for a certain group of crooks.
And much of that fallout can be avoided by individuals who aren't
seduced by the luxury of software easily pasting in passwords for them.
The price of managing a manual air-gap for one's cyber security doesn't
seem unreasonable...considering the stakes involved. Is it??

We should be struggling to improve the endpoint security. Android
designers went to great efforts, and it is a big improvement, but there
are so many Android devices out there and they are used for so much
sensitive data, that I think we went net backward. Be reluctant to
layer on new innovations that depend on bad endpoint security.

-kb, the Kent who feels like a crank running around telling everyone
they should be frightened.

P.S. Those reading this e-mail, running your lives from a Linux
keyboard, you are different, your technical solution might be pretty
darn good (particularly if it is not part of an easily-targeted software
monoculture), but please be careful what you recommend to civilians.
Civilians are different from you and me. I recommend a paper list for
most people.