Simple passwords aren’t good enough any more, as the flood of stories about phishing, fraud, and compromised accounts by the millions demonstrate. The Next Big Thing in computer security is two-factor authentication and, like it or not, you’re probably going to be dealing with it in the next year or so. But two-factor authentication is a concept, not a product, and how it’s implemented is critical to its success.
Two-Factor Authentication in Windows
About The Author
Eugenia Loli
Ex-programmer, ex-editor in chief at OSNews.com, now a visual artist/filmmaker.
Follow me on Twitter @EugeniaLoli
Copying the article description verbatim from the linked site without citation is plagiarism. As a person who frequently defends the copyright claims of both commercial and free software authors and as a person who devotes a good amount of her spare time to journalism, I would think that Eugenia could appreciate why it is bad form to copy the entire paragraph like that. The simple fix is putting quotation marks around the text and then appending, “says an article on informit.com by Rick Cook”. That is less than 50 additional characters. Thank you for your consideration.
I agree. This will probably get modded into oblivion, as anything which is “off topic” (ie, criticising the editors) generally does, but you’re absolutely right. The OSNews blurb is presented as if Eugenia had written it, which isn’t the case. Respect for other people’s work, credit where credit is due; these are fairly important things to us, surely? I don’t know what the editors’ workloads are like (presumably OSNews is not their full-time job!), and I don’t mean to sound overly critical of a service rendered. But still, as a matter of principle, quotes should be quoted, and articles should be spellchecked.
Am I wrong?
90% of the osnews stories (and osviews and newsforge link articles and other sites) are exactly like that. It is fair use to use the SUMMARY or the FIRST paragraph of the article you are LINKING to. And open your eyes the next time on the above text: it is says “linked by eugenia”, not “written by eugenia”. The osnews original articles do say “written by” while the newsbits are “linked by”. And yes, as you said, this is pretty damn off topic.
That’s not a very professional response. You could at least have been courteous
Okay, fair enough, they do say that. I would contend that it’s a little obscure (as I hadn’t noticed), but I take your point.
AFAIK fair use of copyrighted material does not allow one to pass it off as one’s own, it simply allows them to use and appropriately cite it. However, I’m not an international copyright expert and really it is beside the point.
I think the main point is that the web is becoming flooded with sites that copy other site’s material. Case in point being the recent MS run-once DVD (of mystery). Lack of appropriate citation of original sources is making the web become a place of rumour and innuendo.
It would be nice if web media strived to reduce the amount of confusion around and clearly citing articles would be a nice place to start.
“Linked by” in no way indicates that the summary has been _copied_. Do you mean that original OS News articles have “written by” or do you mean that where the submitter has provided an alternate summary that “written by” appears. It is certainly not intuitive as i’ve been a reader of OS News for a long time now and I can’t remember every making the distinction.
Please take this as constructive criticism as I enjoy this site very much and appriciate the work that all the people involved with it do.
What pisses me off is that you talk about “Eugenia this” and “Eugenia that” when ALL the rest of the editors do the same and we have done so since 1999 (starting with BeNews and moving then to OSNews). And as I said, other sites do the same. We have changed the “posted by” to “linked by” for this specific reason.
We DON’T want to use italics to show quotation because these look TERRIBLE on the mobile devices and some OSes that don’t have antialias. Get it now? It’s a middle ground we found. I think it’s a fair middle ground.
But no, you want more!
Maybe this will help you
http://www.shaklee.net/livelife/product/20625
We only want it more clear when it is a quote and when it is not. You claim that 90% of the posts are quotes, but how are new readers to know that?
I really don’t want to piss you of more but …
Using italics would only indicate quotation if there was some other text in the post which is not in italics. But there isn’t.
This thing could be solved as someone mentioned by using quotation marks and writing where it is from.
You have to admit that it is confusing people.
I hope you are not getting very upset by this. We only want to improve OSnews.
oh give me a break. If it creates confusion, then the person is an idiot. Theres absolutely no problem with copying the FIRST paragraph.
Get. Over. It.
what pisses me off is that you refuse to even comtemplate the possibility that you are wrong JUST BECAUSE everybody else is wrong and you have been wrongdoing since 1999. proof by overwhelming evidence, yeah right.
heck, you know that people believed the Earth was flat for more than 1500 or 2000 years ? you are doing the same, “I’m doing it like that for 6 years so I CANT be wrong”.
(oh, and most other editors are doing the right thing, just take a look one of those days)
Personally I think it would add value to this site
if articles were properly quoted. It provides more
information for me and helps me decide weather or
not I would want to read the article.
Please, Eugenia, this importante. It has created confusion a numerous of times. As a previous post says the fact that it says “linked by” is no indication that the first paragraph has been copied. In fact there is no indication that it is a summary. Also I believe that the editors often come up with their own head lines. That simply adds to the confusion of what is the editor and what is copied. If the headline is by the editor why is it obvious that the content is not?
I also believe that you are concerned with UI in general. Should it not be obvious imideatly to a new reader wether it is original or a quote?
Actually it is very simple. You are quoting other peoples work so there should at least be quotation marks. I can’t see how you can argue against that.
This may be off topic but I think it is highly relevant.
Quote from the article: The basic idea of two-factor authentication as it’s usually understood is “something you have plus something you know.” (..) The classic example is an ATM card. To get money out of the ATM, you need both your card and your PIN (password).
As a smart person in a similar discussion once noted, these all boil down to 1 thing: something you have.
You have the ATM card, you have the PIN that goes with it, you have a password, you have the eyeball or fingerprint that makes an iris- or fingerprint-scanner say ‘Ok’. Added security may come from splitting the need-to-have stuff into multiple items, and keeping these in seperate places.
But that is utterly useless when these aren’t kept safe. If users are not careful to keep passwords secret, why would you expect them to keep (password+USB dongle) safe? PIN codes are useful when bank cards are lost, but if a streetrobber points a knife at someone and says “give me your ATM card!”, it’s just as easy for him to say “give me your ATM card, and the PIN code!”.
Besides: several problems mentioned in the article won’t benefit, since they have other causes. Phishing attacks may start when a user makes a mistake while typing in an URL (which gets him to a wrong URL, that a scammer may have conveniently set up). Or responding to an e-mail that says “there is a problem with your account, go to this URL, and enter your password”. I don’t see how throwing in fingerprint scanners or USB dongles would help there.
Not to say that two-factor authentication isn’t useful, but let’s face it: the user will always be an important weak link. First and foremost, security = people management. Technology is secondary.
Or the classic: security is not a product, nor a plan, nor a person, it is an ongoing PROCESS that includes all for the above and more.
I think they may refer to the old military standby: two authentication factors held by two unrelated individuals in two unrelated places, requiring extra-ordinary circumstances to bring them both together to access the whatever. Better known as the “two keys to launch the nuke” scenario.
–JM
“these all boil down to 1 thing: something you have. ”
I don’t agree with this observation. Of course two factor authentication is not the definitive reply to all possible security problems under all possible circumnstance! It would be foolish to belive it.
However, two factor authentication, as for as it was intended, fixes some conceptual problems of a single factor authentication, and fixes them well:
1) if the factor of authentication is an object, you can lose it (or it can be stoled) and you could not be aware of that for some times… those are bad risks! Two factor authentication fixes it since if you loose your card or similar thing, someone has to bruteforce a pin (or, better, a passphrase…) to use it, and you would probably have enough time to be aware of the loss of the object, or the bank / service /whatever may hint you that someone is using the object with wrong passwords for n times…
2) if the factor of authentication is mnenomic it could not, obvioulsy, be stolen or fall from your pocket, but there are obviously severe issues in the possibility to memorize something, so it could be short or have some logic behind it to be relevant in order to be memorized, so it could be exploited with some social engineering, or in some situations can even be easily bruteforced (a limit on trialas are not possible to implement on any situation…
as two factor authentication it’s not the response to all possible scenarios); two facto authentication fixes it since the thing you have can bring information of a much greater degree of complexity than the information you could be reasonable asked to remember.
And if the information “to know” is too difficult to remember, some “genius” will certainly write it down to a post-it on the monitor and if a second factor of authentication isn’t required he will be doomed…
Of course, the genius can also “hide” the smartcard under the keyboard… or as remember someone can tell him “give me your ATM card, and the PIN code!”.
I definitelty agree with the fact that the weakest link in the security process is often the user, however it’s a link that cannot be avoided…
However, about two factor authentication, if we understand that there doesn’t exist a single response that is good for any possible security problem, we should also admit that two factor authentication approach can fix some obvious problem that plagues single factor authentication, today it would not be wise not to implement a two factor authentication scheme on most of real life scenarios.
Another news site, slash-something-or-other quotes articles properly on the front page of their site. I don’t see why OSNews could add the additional 50 chartacters to avoid plagarism…
– j
Maybe because it’s already in the title ? Maybe because you’ve been brainwashed into acting as a consumer that wants everything, and more, for nothing ? If you *do* pay for it, then, maybe, consumer theory can apply. Otherwise, you’re out of the Consumer Relationship Managment bullshit.
Maybe you can turn off that f*ing TV for once, and begin to think by yourself?
Something I have, a physical key to my room. Something I know, my password
.
Course, in my case, I’m lying because I run an ssh server. But I don’t have to!
Of course, this does nothing for businesses which are too cheap to provide offices: In which case I say; that’s what you get for disrespecting your workers with cubicles.
As for laptops, this is a great idea. It already exists on Thinkpads.
if people would adhear to the security guidlines at work this would be no problem
same with at home…… just use a decent password
as far as i am concerned if your account is compromised due to a crappy password……well….. it’s your fault, sucks to be you
http://windows.czweb.org/show_article.php?id_article=71
There is a constant theme that never gets mentioned [how can it be a constant theme then, huh? Huh?] and that is: why there is this need for security.
What we want to do is to create a world where we have an audit trail that links your actions to your person.
Just suppose we can step away from the stone age [which is where we mentally are as a species] and did away with pathetic concepts as religion and national security, those would be good ones to start with.
And suppose we spent some real money, like say the US defence budget, on education, real education. And let’s say we took away the need for people to work for slave wages that are by themselves guarantees of grinding, pervasive poverty, illness and misery. What could we do, as a species, to reach a higher goal than next quarter’s deadline?
I don’t think this is ever going to happen. We lack the intelligence to see the reason behind adopting such a stanze and we are too deeply entrenched in our own interests to recognise ‘the greater good’.
That is why we will now have a double security standard, in 5 years time it will be a triple security standard and in 10 years time you’ll ask your wife for her ID to allow her into the house.
Our defence should be the lawsuit. It’s tried and tested and it works. Allow people to invade your personal systems and information, but make sure that you know who they are. That’s all you need to take care of. Make sure you know who it was and then sue them to the end of time. Make these laws universal [ie. all over the globe [and in space -because that’s going to be an issue before too long as well-]] and make the offender pay through the nose.
No argument works as well as that of money. Don’t take away their freedom, just make sure they can’t get any food anymore that doesn’t come out of a garbage can.
We should create a system implementing perfect identification and then advertise ‘steal my information and I’ll sue you into the next life’.
Oh, and sister: As a person who frequently defends the copyright claims of both commercial and free software authors and as a person who devotes a good amount of her spare time to journalism, I would think that Eugenia could appreciate why it is bad form to copy the entire paragraph like that.
maybe you’re good at copyright claims, but you sure could use some reading lessons. The alphabet is like zen, don’t you know: you have to read ALL the letters.
it has long been accepted and, taught (at least by me in my advanced web development classes) that secure requires two of three things:
1) must know something (password)
2) must have something (thumb print)
3) must be someplace (at a particular IP)
this is certainly not theory or new – it has been around for at least 10 years. and, in court, i suspect that this definition of secure is much more likely to hold water than a simple “password” only scheme.
> “We only want it more clear when it is a quote and when it is not. You claim that 90% of the posts are quotes, but how are new readers to know that?”
Who’s “we”? I – as an anonymous OSNews reader – don’t need and don’t want it more clear, since there’s no reason for it. Providing one or two sentences as a teaser to an article is no plagiarism and not illegal. To forbid copying articles has no end in itself, it’s forbidden because if Eugenia put the whole article on OSNews, then people won’t go to informit.com anymore but read it here instead.
But these two sentences won’t stop anybody from visiting informit.com. The opposite is true, they send more visitors to that site. So where’s the problem?
The beast of redmond will never get it right.
In the end, they will turn to Unix/Linux solutions which they’ve tried to get away from for so long. Sorry, but you can’t reinvent the wheel and time has shown this.
You’ve failed, borgsoft, over and over again.
Closed source is for sheep and pillow biters