Deprecating most of our passwords

I’m happy to introduce you to a new way to do user authentication on the web. Over the years, we techies have been culprits in introducing patterns and technologies that are sound when a system is analysed in isolation, but which don’t work so well when they are adopted at scale. One classical example is the public key infrastructure, where we end up blindly trusting all kinds of entities around the globe. Really, our browsers trust any cert from organizations like this one (I’m not saying they are not trustworthy, just that I have no idea who they are):

[Figure: a random CA which Firefox trusts by default and which I have no clue about.]

A similar situation has happened with usernames and passwords. For years we have been looking at our systems and securing them by assuming a user can provide us with some secret piece of information that only she knows. That has been an input to our system; we have taken it for granted and moved on to making the rest of the system secure. We have spent great effort on storing that secret so we can validate it the next time that user comes to us again. Then we can go and ask: “Tell me that thing only you and I know, so I can verify that you are who you say you are.” If there is a breach in our system and someone else gets to know that piece of secret information, he can fool our system by impersonating our beloved user. What is worse, if our user has used that same secret in other systems, those are compromised as well. Last but not least, our user needs to make sure the device is not compromised, the connection is secure, no one is looking over his shoulder, etc. It is overwhelming.


Their alternative or no alternative

It’s been a long time since I decided to focus this blog on technology issues, and I haven’t managed to start posting regularly. I’m sorry for that, but reading and listening to different positions on current net neutrality issues I felt the need to write down my position on this issue, and it’s a good opportunity to kick off this new stage.

After the small preface, let’s get into today’s topic. When I hear debates about net neutrality, arguments gather around two camps: the big business camp, which argues that it defends net sustainability, and the freedom camp, which argues that the proposed measures effectively kill the Internet as we know it. From my view both arguments are right, but none of the solutions proposed by either camp are valid. What I feel is that the big business camp uses a particular problem around bandwidth usage to change the whole model under which the Internet works, without worrying about (or wanting to) put in place technical solutions to tackle it. The freedom camp doesn’t want to tackle it, as it might bring the debate into technical proposals that might look too similar to big businesses’ ones from a non-technical perspective.

Hello world!

After posting on this site about general matters, I’ve decided to start this new stage, where I will concentrate more on system administration and computer usage issues. I hope you enjoy this new period and I hope it will be useful for some of you.

If you are missing some previous posts, you can still access them at the following address: https://aitorpazos.es/old