Remember Hanlon's razor

I've been seeing a lot of panic about this Internet ID stuff lately, and a quick read through the comments sections of most of the articles on the subject reveals an ill-informed and paranoid public, not helped by the tone (and outright misinformation) of some of the articles in question.

Let's just try to get a brief run-down of what's going on here shall we.

From what NIST have said, it basically sounds like OpenID with cryptographic tokens. Anyone who uses their Yahoo, Google, Live, Facebook, or Twitter accounts to sign into other services already does this.
The only difference is that this will (hopefully) be vetted to ensure that it's secure enough to use for things like taxes and login to government systems that might contain your personal information.

This second part is important, so listen carefully: It's voluntary.
I imagine online banking sites would implement it for ease-of-use and security purposes, but I doubt other sites like YouTube would bother with it unless everyone was using it and wanted it for convenience. And even if a site like YouTube or Facebook did allow login under this system, they're not going to force people to use it.

What I'm wondering about is mostly the technology behind it. The information on their site mentions that you can decide what information a site sees about you, but also says that your identity provider will not be able to see how you use your token. That means that the information must be encoded in a series of encrypted and signed tokens that can be passed to a site, then the site needs to be able to verify these by checking they are signed with some sort of hash of the main identity token. Plus, your tokens have to be signed by a provider to prove it's authenticity, and that brings into play a lot of the same problems that we have with the CA system for secure websites. Not to mention that it'll get a little ungainly.

They also haven't mentioned anything about token revocation. If someone steals your keyfob, or you lose your cellphone (or get malware on it, as is increasingly common on cellphone nowadays) how does one go about revoking their certificate? At least some sort of contact with the identity provider is required to check a revocation list.

I almost suspect that someone who doesn't know much about cryptographic technology came up with this and just said "We'll come up with what we want it to do and let the eggheads worry about how to do it", not realizing that some of the things they said it should do just aren't very practical.

In usual fashion, they may simply pass the buck to the individual companies and let them decide how to authenticate people, and prove identities. The result of something like that would likely be a laughably insecure mashup of different technologies and standards just barely working together.

In conclusion, it will be interesting to see how this shapes up, and to see how they solve some of the issues I mentioned (I'm betting on some of the stated features being dropped during the specification drafting phase).
I'll post an analysis here when a spec document is released.

Hilarious hack attempt

So some guy sets up a honeypot, and this dude connects to it...


Judging from the way he doesn't seem to know what to do when a command fails to work, I'm guessing this was someone who had just learned how to use bash.
The most incomprehensible (and funny) part is around 1:14 when he downloads Windows 2000 SP3. The best explanation I can come up with for all of this is that some kid wandered into an IRC channel where he didn't belong and the regulars thought it would be funny to send him to a honeypot and feed him ridiculous commands to type in.

PS: Doing this blog would be a bit more fulfilling if anyone actually read it.

Hopefully final update post

Ok, I've added an automatic update notifier to the proxy and the server.
Also, having finally implemented version numbers, the updates logs will now be kept on the Mineshafter site instead of being posted one after another, here.

One other change, I've changed the server to redirect all failed attempts to get a player's skin to the official Minecraft server. Hopefully this will let people see the skins of other players using the official auth server as well.

Yet another bugfix

I found out that the Mineshafter proxy had been mangling the data it was grabbing from the server. Changed so now it works a little better. Java is annoying.

Mineshafter updates

If you don't know what Mineshafter is, then go look or stop reading this post.
Since it's gone up I've changed a few bits of code to fix some bugs on the server side, and been working on a new proxy for the client side.
Keep in mind, the only thing I've ever written in Java before was a "Hello world!", but so far the new proxy seems to be working well.

For the client version, just download it and run it. Doesn't matter where; it uses the latest launcher from minecraft.net.

For the server version, you'll need to make sure that the proxy is in the same directory as the minecraft_server.jar file. If you have a mod that you want to run with it, then use mineshafter-server.jar <mod.jar>.

Bugs, responses, hate mail, etc, can all be left in the comments or sent to my email address which is on the Mineshafter page.