Smithsonian Magazine has a great article on Richard Clarke, the former counterterrorism czar, discussing Who Was Behind the Stuxnet Attack.
Liz Gannes writes for AllThingsD, Automattic Grows Up: The Company Behind WordPress.com Shares Revenue Numbers and Hires Execs. In addition to Stu joining as CFO and Paul as Consigliere/Automattlock, we’ve been on a hiring roll the past month or two with excellent folks joining at every level of the company, including two more Matts. If you’re passionate about Open Source and making the web a better place, like we are, there’s never been a better time to join. My favorite thing about logging in every morning is the people I work with. Friends say I work too much but it hardly feels like work at all. Update: Now in Techcrunch too.
Users use the same passwords for multiple services. It’s a fact of life; it’s just so easy that most people end up with 2-3 passwords they use everywhere, including one “hard” one for financial sites, etc. The downside is that your password is only as strong as the weakest link among the places you’ve used it — when something like the Gawker hack happens, a huge wave of compromised accounts follows.
You can ask users not to use the same password, and you can even encourage things like 1Password (too expensive for many of the people I recommend it to), but what if there were a way to enforce that people registering for your site hadn’t used the same password elsewhere?
It actually wouldn’t be too hard. If you register with email@example.com and the password “abc”, then, before the site has encrypted and stored the password, it could try to log into your Gmail account with those details, and if that works, force you to choose a different password. There’s no reason this has to be limited to email logins: you could try the same credentials against the APIs of WordPress.com, Twitter, Facebook, LinkedIn, or any number of other services that expose simple authentication APIs, and see where they work. For any successful login, tell the user they need to pick something else.
Of course all that work and they’ll probably just put a 1 at the end of it.
I loved this comment on Hacker News, especially the last paragraph which I’ll quote here:
The question implicit in your comment is: Could we design a system that offers the ease of accessibility of the first few steps of a PHP programmer’s career but, as one climbs the learning curve, eventually blossoms into Python or Ruby or even Lisp? I wish I knew. My best guess as of this morning is that a demigod could design such a system, but it’s very difficult for mortal humans to do so, because once you know how to program it’s hard to avoid overdesigning, putting in things that will eventually be useful in year two but are discouraging in year zero. We make terrible pedagogical mistakes, like turning everything into an object. (Does your ORM seem intuitive to you? That is why PHP is beating your system in the marketplace.)