http://twitter.com/BarackObama – yes, Mr. President himself
http://twitter.com/thewhitehouse 
http://twitter.com/USSupremeCourt 
http://twitter.com/HouseFloor
http://twitter.com/NationalDebt – this is depressing, but if you want it – it’s here
http://twitter.com/boblatta – Congressman for Ohio’s 5th District
http://twitter.com/danburton – US Representative, Indiana’s 5th District
http://twitter.com/ThadMcCotter – Congressman for Michigan’s 11th District
http://twitter.com/RobWittman – First Congressional District of Virginia
http://twitter.com/RobertBluey – Director of Online Strategy @Heritage.
http://twitter.com/Heritage – Heritage Foundation
http://twitter.com/timryan – Congressman for Ohio’s 17th District
http://twitter.com/johnculberson – TX Congressman
http://twitter.com/GOPLeader

Happy Tweeting folks!

When do we discuss aging? If we don’t discuss it in the early years along with proactive, preventative measures, what can we possibly discuss in our elder years other than reactive? I remember my grandfather put up an enormous fight over giving up his car keys, and later was seen driving his motor scooter down the street with a flash light tied the front… But again, I digress.

Is anything being done to improve “quality of life” of the elder community BEFORE they get to a stage where “matters need to be discussed?”

I came across some news this past week about a program that is being piloted to allow older drivers reduced car insurance. Allstate has a plan in the works that would offer clients aged 50-75, discounts in exchange for GAMING! Gaming often receives a bad rap for being a waste of time, instigating violent behaviors, or just whatever-negative-reasoning-someone-can-create. The truth is that gaming increases cognitive behavior and response time and is an excellent way to rejuvenate the mind.

The news of Allstate’s program is what I hope to be the first of many such ingenious ways to discuss aging matters, improve quality of life of those currently in the “Baby Boomer phase” and simply bring attention to an aspect of life that usually receives a “shhh” response.

Now, what does this have to do with “Geeks & Gamers?” It’s simple… how many assisted living homes have Themes? None that I’ve come across. There are the standard services offered along with nursing care and different levels of assistance and monitoring. What about activities? How many assisted living homes provide the option for those to live with other people who have common interests? I picture assisted living homes like college dorms, but they are nothing like that at all. Why not?

Forget arts & crafts, shuffle board, and Mahjong. I want to see assisted living homes have themes, and most importantly, when it’s time – I want to live with the geeks and gamers. I’d like to spend my evenings in the common room playing D&D, Magic the Gathering, or whatever MMO (Massively Multiplayer Online game) is popular in 40 years so I can play alongside my friends in other parts of the country.

What about you? What do you want to see change?

Here at last, is the final installment in our 3 part discussion of OpenID. In Part 1 we answered the question, “What is OpenID?” In Part 2 we looked at the benefits and risks that come with using OpenID. Today in Part 3, we’re going to finish our discussion of OpenID by taking a closer look at one of it’s greatest vulnerabilities. Phishing.

Before we delve into how Phishing applies to OpenID, let’s first take a look at a traditional Phishing example:

You check your email and find a (phony) email saying, “Your credit card will be closed unless you log in now to verify our records!!!! Click here to log in and verify your account now!” The phony email very helpfully presents a hyperlink to take you (supposedly) to your Credit Card Company’s website. In actuality, the link takes you a phony site which LOOKS just like your normal Credit Card login page but with one minor difference: the URL bar has the wrong address. If you fail to notice this one difference, then upon entering your username and password, the phisher will now have full access to your Credit Card account.

There are a few key hurdles the phisher has to overcome in order for this attack to be successful:

1. The email has to be convincing enough to get your attention, but not so over-the-top as to appear phony.
2. You have to actually click the link provided in the email.
3. The phishers have to guess which Credit Card Company login page to mimic (American Express looks different than Visa, etc).
4. The URL must be good enough to fool you. It must either be similar to the real thing, hidden, or obscured.

If, at any one of these steps, you get suspicious enough to not enter your username and password, then the phisher loses.

OpenID makes this process far easier, for the phisher, by completely eliminating the first 3 of these obstacles. How can this be? Take a look at the following OpenID phishing example:

While researching woodworking, you find a nice set of plans for a workbench at www.EvilWoodWorkers.com. The plans are free to download once you create a login for the site. Luckily, they accept OpenID logins, so you won’t have to waste a bunch of time filling stuff in. You click login and then follow the instructions to enter your OpenID URL. Unbeknown to you, instead of redirecting you to your OpenID login page, EvilWoodWorkers.com simply follows the URL, and copies your login page, on the fly, to their own phishing server, which happens to have a long, unpronounceable URL. This server logs everything you type to a handy, searchable Database (based on EvilSQL 2.0). You, however, simply find yourself staring at an exact replica of your normal login page that you’ve seen a thousand times, aside from the URL. And instead of looking at that long and unpronounceable URL, your eyes gravitate to the slowly blinking cursor which is waiting patiently for you type in your username and password. The muscle memory in your fingers takes care of typing out the login details. You hit enter. You download your Work Bench Plans for free. A week later, you log back in and leave a comment thanking EvilWoodWorkers.com for the nicely done PDF.

Alas, the fly in the sauce here, is that the Phisher’s Database now contains your OpenID URL, your OpenID Username, and your OpenID password. They have obtained, with elegance and style, the keys to your castle.

Everything that you use OpenID for now belongs to the Phisher.

How can this be? Why? The key point of failure in the above OpenID example is the redirection process. Normally (without OpenID), when you log in to a website, say Visa.com, you enter your username and password on a page hosted somewhere on that company’s domain. If you went to log in to Visa.com, and it redirected to you to some other website, with a totally different design, a different URL, and a different name, then you would be pretty darn suspicious that something phishy was going on. However, with OpenID, being redirected like that is simply business as usual. OpenID trusts the 3rd party site (Visa.com in this case) to redirect you to your OpenID provider’s log in page. That trust is the key flaw which upon which phishers will prey. The fact that you have to trust a criminal with part of the log in process is what causes this to be such a catastrophic vulnerability in OpenID.

Obviously, not every site is run by thieves. The real downside here is how do you know which is which? Since OpenID uses the same log in info everywhere, if the 99th site you log in to hits you with a successful phishing attack, then every previous (and future) site is now compromised as well.

OpenID is not without benefits, though. As we discussed previously, OpenID can potentially streamline and simplify the log in and sign up processes at supported websites. The potential conveniences it offers are definitely attractive.

Would I use OpenID? Sure. Given a couple caveats:

1. I only intended to use OpenID at low value sites
2. I only use https OpenID URL’s in order to minimize the risk of phishing
3. I only use OpenID at sites with which I already have a trust relationship

OpenID stands to improve considerably as it progresses. Perhaps the best part about OpenID is that it’s Open Source. It’s development is shaped and directed by the community which uses it.

The bottom line:
If you’re an early adopter who like to play with new toys and you have a good eye for security issues (or a extremely high risk tolerance), then OpenID is a great playground.

If you are just looking to make your online life easier and more streamlined, then stay away from OpenID for now. It’s not ready for prime time yet, and even though it seems like we’ve talked about some nasty looking flaws, there are likely even more problems yet to be uncovered.

Last week we defined OpenID. This week we’re going to talk about why you might choose (or not choose) to use OpenID.

As promised, let’s discuss the Benefits…

Simplified Login
Single Username and Password for multiple sites. You only have to authenticate to OpenID one time per session. Once you are logged into your OpenID account, OpenID can automatically log you in to the other websites that you visit.

Unique Web Identity
No more wondering if the post by “CowboysFan” on one website is by the same person as “CowboysFan” on another website. OpenID’s are unique everywhere.

Information Management
OpenID servers have features such as “information profiles”, that let you control how much personal information each particular site has access to. Some sites might only get your name and email address, while you may allow others to automatically get your full contact information.

Decentralized
Anyone can run their own OpenID server. You’re not tied down to any particular company or bound to a proprietary system.

Security
The websites which accept OpenID never get your log in information. That information is only shared with your OpenID server. There is also the benefit of user customizable security level. You can define your own login method (or methods) for OpenID:

• Username and Password – just like normal
• Getting an SMS message that requires you to reply
• Choosing a sequence of pictures
• Receiving a phone call on your cell and pressing a button to allow the authentication
• Finger print scanner, USB Key, RSA tokens, etc…

As you can see, OpenID can make your online experience smoother and easier. It also provides social benefits, such as a unique identifier. Your online identity already spans multiple websites but it no longer has to span multiple names. You can be “you” everywhere. The security benefits of OpenID are nice, too. One of main reasons I use multiple passwords is that I don’t want to use the same password for my Online Bank that I use for posting comments on a blog. If the blog was setup incorrectly, then my password could be stolen and used maliciously. With OpenID, neither the blog nor the bank would ever see my password to begin with.

Speaking of security, that brings us to the Risks:

All Your Eggs in One Basket?
If your OpenID account is compromised, you can say “Bye, bye Humpty Dumpty” because everything tied to it is now gone.

Unique Web Identity
Overheard in the breakroom, “Hey look! I just found Bob’s OpenID posted on a personal ad at www.TranssexualNaziEskimos.com!”

Decentralized
Multiple points of failure: If your OpenID server has an outage, you can no longer log in to all the sites that use it.

Security
Phishing attacks now are a primary threat.

This list might be small, but the items on it are big. Some of the obvious solutions to the issues here break the features presented above. Don’t like having all of your eggs in one basket? Just create multiple OpenID accounts. It’s not the end of the world, but it does start to erode on a major selling point, the convenience factor. The most negative point here is Security. OpenID is a ripe target for phishers. “Phishing” is the process of attempting to trick users into just over their usernames and passwords, or other sensitive information. How? Come back next week for final segment of OpenID Explained, discussing the phishing risk in greater detail.

If you have signed up for a new service recently, you may have noticed an option to use something called OpenID. You may have noticed that it is an option when you log in to Plaxo, LiveJournal, or WordPress. You may have heard that AOL and Yahoo are now OpenID providers. Many OpenID sites extol the virtues and benefits that come with it… “Only password to remember!” “Decentralized!” “Open Source!” “Establish your identity anywhere and everywhere!” But they all tend to explain only the benefits of OpenID rather than what it actually IS. Today we’re going to answer the question, What is OpenID?

First a quick digression: What is authentication? Normally, to login to your account at a website, you first identify yourself with a username, and then you prove that you own it by providing a password. This process is “Authentication.” It doesn’t have anything to with your Plaxo contacts, your Blogger profile, or your Flickr pictures. Authentication is claiming that an identity is yours (username) and proving it (password).

There are many of ways to authenticate to a system besides usernames and passwords, you use some of them already. Need an example? Think about getting money from an ATM. First you claim who you are by providing your ATM Card. Next you prove it by entering the PIN (a 4-digit password).

There also methods of authentication that don’t directly require passwords at all. In fact this occurs almost every time you sign up for a new account online. Say you’re signing up for an account at Plaxo.com… At some point you claim that an email address (an identity) is yours, by entering it into the sign up form, and then you have to prove that it is indeed yours. How do you do that? By going to your email, logging in and receiving an email with a secret code to enter or a secret link to click. You have now authenticated your email identity without ever having to hand over your Gmail password to Plaxo. NOTE: Your email username and password were still required indirectly. You had to enter them to check your email, but your email password was never entered at Plaxo.com.

Now back to the real question: What is OpenID?
OpenID is just another method of authenticating yourself – one that is similar to the email registration example above, but more automated. With OpenID your identity is a Website rather than an Email address or a Username. You first claim that you own a website (an identity), and then you have to prove it. But, just like in the email registration example, you never directly hand over the username and password to your OpenID website. So how do you prove you own it? Same method as in the email example, you go to your OpenID and log in. But in this more automated version, the service you to want to use (Plaxo.com for example), automatically redirects you to your OpenID website. Then, instead of having to click a secret link or type in a secret code to prove you logged in, the OpenID website itself simply tells the requesting service (Plaxo) whether you passed or failed authentication.

Need a concrete example? Here is a simplified version of what happens when I want to log in to my Plaxo.com account:

1. I go to Plaxo.com and choose the option to Sign in with OpenID
2. I type in “https://dnszero.myopenid.com” and hit enter
3. Plaxo sends me to my OpenId site (www.myopenid.com) to login
4. I login at myOpenID.com
5. myOpenID.com send me back to Plaxo.com, and tells Plaxo.com whether I passed or failed authentication

Still wondering what the benefit is here? It’s two-fold: First, I can use dnszero.myopenid.com to log in everywhere that OpenID is accepted. No more having to remember 8 usernames and 6 passwords. Second, these websites that I log into never touch or even see my password. I don’t have to worry that a flaw in one website’s security will compromise my password (the same password I use to log in everywhere, in this case).
Pure bliss, right? Maybe, maybe not. Come back next week and we’ll touch on some of the benefits and some of the major flaws.

Image Credit: Photo by Konrad Mostert

If you look at the web site for Jolt Gum, you will see the same statement that is on every package, “2 pcs of Jolt Gum = 1 Cup of Coffee.” Well, after trying it, I wondered, did they mean Instant Coffee? I mean, I’m a coffee drinker…and 2 pieces of Jolt certainly doesn’t, well, give me any kind of a “Jolt.” I had remembered seeing a Caffeine count on ThinkGeek stating “each piece of gum is approximately 45 milligrams of caffeine!” and I LIKE ThinkGeek – they’re cool over there, so I wanted to trust them – but I couldn’t take their site as the full authority. I mean, a cup of coffee is often described as having approximately 45 milligrams of caffeine, so perhaps they were just rewording what is already stated on the package of Jolt Gum.

Unfortunately, according to Energy Fiend, Jolt Gum only contains 12.7 milligrams in each piece. That’s very interesting, considering you can order a Grande Decaf of the Week from Starbucks and receive almost the exact same amount of Caffeine as in TWO pieces of Jolt Gum. Yes, a Starbucks Grande is 16oz, and their decaf of the week contains 25 milligrams of caffeine.

Not to rain on your parade, but if you are a fan of Penguin Mints, they too pull the same claim and fall short. They claim that “3 Penguins are the caffeine equivalent of 1 cola beverage,” yet Energy Fiend again shows us the light and states that each mint only has 7 milligrams of caffeine. If you want to call Coke Classic a “cola” you would be looking at 34 milligrams of caffeine in a typical 12 ounce can. Honestly, you could just simply have a 6 oz. Dannon Coffee Yogurt and surpass them all with a whopping 36 milligrams of caffeine.

Now, if you really want to have some fun, you can see how much caffeine it would take to kill you – just pick your poison. Apparently, it would take more than 534 pieces of Jolt Gum to kill me by way of caffeine, and that’s just way too much chewing.

As it turns out, this phone can act as a normal landline phone and use your home wireless (broadband) connection to allow you to IM and text message your buddies. You can even use it as a Voice over IP phone if you have cut the landline cord, making this a very flexible option.

Sounds great doesn’t? Well, I must admit I was quite intrigued. So intrigued, I read the fine print and discovered what I consider to be major flaws for such a phone. If you’re going to go as far as provide your customers with a semi-cell phone, you should go all the way and make sure it has syncing capabilities. The Vtech 6110 can store 50 addresses, which sounds great until you realize it is a stand-alone system. Who is willing to retype contact information that is already stored in at least three other places? Who would enter in all of their buddy contact information?

I began to wonder who exactly this phone is for, as it certainly isn’t for the cell phone-enabled community. That’s when I realized, this phone would be a great ALTERNATIVE for someone who isn’t allowed a cell phone, such as a teenager – who can then text message and IM anyone they want (while at home) and not have to worry about additional charges or monthly fees. All in all this seems like a great idea, but with poor execution. What do you think, would you find something like this useful?