Thursday, October 30, 2008

The fundamental uselessness of online identity

On the Internet, the very concept of identity is now so completely and utterly broken that it borders on irrelevant. The real surprise is that this still surprises some people. But maybe I should back up and explain.

Online identity, in the form of accounts, is used these days for two main purposes. First, it allows websites to keep track of various pieces of information about you, such as your name, your date of birth, those embarrassing pictures from the party last weekend, and most importantly what you're allowed to do on the website. Second, these same systems are used to ensure that people don't create an arbitrarily large number of extra identities, since presumably this would be a bad thing for various reasons.

The first use is broken; not through any inherent fault, but because current authentication systems are so mind-bogglingly awful that phishing has compromised a sizable number of accounts on any given website. (In extreme cases, usually due to a combination of SQL injection and an inexplicable failure to hash passwords, every single account on a website has been stolen.) Now, the million dollar question: how do you keep a website running smoothly when an arbitrary number of your users are actually acting maliciously, and you have no way to detect it?

The second use of identity on the web, though, is so completely broken that it's a wonder people even try anymore. Despite increasingly desperate measures by some site owners, it remains laughably trivial to create multiple accounts on any website that allows open registrations. Requiring a valid email address? There are temporary email sites that will let you generate a new email address in under a minute. Checking IPs? Not only is it dead wrong with the increasingly widespread use of NAT, it's also trivial to find an open proxy. CAPTCHA? Only prevents machine registrations; I can still sit down and keep making accounts by hand until I get bored. (OpenID only exacerbates this problem, incidentally: for the price of a domain name you can create an infinite (seriously!) number of OpenIDs.)

"But then," you may ask, "how do I prevent people from making a ton of accounts and spamming up my website?" Well, there's a simple solution, but you won't like it. Still want it? Here it is:

Build your website from the ground up with the assumption that every user has an infinite number of accounts.

See, I told you you wouldn't like it. If you were to design a website around this principle, there are two paths you can take.
  1. Design your site in such a way that it has no per-user quotas: Since everybody has infinite accounts, limits set on users are useless. This isn't perfect, since user moderation is still nigh-impossible, but it's an improvement over current practices.
  2. Require some kind of investment from your users before an account becomes useful: This can be a contribution of effort (as stackoverflow does), some kind of monetary account fee, or something else entirely.
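
To make the difference between the two paths concrete, here is an added simulation (my own illustration, not code from the original post) of a "sybil" attacker who controls as many accounts as they like. The two policy classes, the effort unit (accepted contributions, in the spirit of the stackoverflow-style investment mentioned above) and the moderator ban threshold are all assumptions constructed for the example; the point it shows is that a per-account quota scales with the number of accounts at zero cost, while an investment gate bounds spam by the effort the attacker is willing to spend, no matter how many accounts exist.

```python
"""Added example (not from the original post): a per-account quota versus an
investment gate when one attacker controls an unbounded number of accounts.
All accounts, thresholds and the 'effort' unit are constructed assumptions."""
from dataclasses import dataclass


@dataclass
class Account:
    name: str
    posts: int = 0
    contributions: int = 0  # hypothetical "accepted contributions" earned
    banned: bool = False


class PerAccountQuota:
    """Path 1's weak form: a limit keyed on the account.

    With N accounts the attacker gets N times the limit, so the quota
    bounds nothing; only the number of accounts does, and that is infinite."""
    required = 0  # no investment needed before posting

    def __init__(self, max_posts: int):
        self.max_posts = max_posts

    def allow_post(self, acct: Account) -> bool:
        if acct.banned or acct.posts >= self.max_posts:
            return False
        acct.posts += 1
        return True


class InvestmentGate:
    """Path 2: the account is useless until it has earned `required`
    accepted contributions. Each unlocked account costs the attacker
    real effort, so spam is bounded by effort, not by account count."""

    def __init__(self, required_contributions: int):
        self.required = required_contributions

    def allow_post(self, acct: Account) -> bool:
        if acct.banned or acct.contributions < self.required:
            return False
        acct.posts += 1
        return True


def run_sybil_attack(policy, n_accounts: int, effort_budget: int,
                     posts_before_ban: int) -> tuple[int, int]:
    """Simulate an attacker with n_accounts sybil accounts and an effort
    budget (in contributions) to spend on unlocking them.

    The attacker funds accounts greedily (fully unlock one before starting
    the next), then posts as much spam as each account permits. Moderators
    ban an account after posts_before_ban spam posts, which destroys any
    investment made in it. Returns (spam_posts, effort_spent)."""
    accounts = [Account(f"sybil{i}") for i in range(n_accounts)]

    remaining = effort_budget
    for acct in accounts:
        spend = min(policy.required, remaining)
        acct.contributions = spend
        remaining -= spend

    spam = 0
    for acct in accounts:
        while not acct.banned and policy.allow_post(acct):
            spam += 1
            if acct.posts >= posts_before_ban:
                acct.banned = True
    return spam, effort_budget - remaining


if __name__ == "__main__":
    # Doubling the account count doubles spam under a quota, for free...
    for n in (1000, 2000):
        print("quota   ", n, run_sybil_attack(PerAccountQuota(10), n, 0, 50))
    # ...but leaves the investment-gated site's spam unchanged: the attacker
    # can only unlock effort_budget // required accounts, however many exist.
    for n in (1000, 2000):
        print("invest  ", n, run_sybil_attack(InvestmentGate(20), n, 100, 50))
```

The partial-funding case is also worth noting: a budget of 110 with a gate of 20 still unlocks only five accounts, and the leftover 10 contributions on a sixth account buy nothing, so the attacker's spam per unit of effort can only go down, never up, as accounts are spread thinner.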
Incidentally, since I mentioned OpenID earlier, I may as well point out that it's a definite improvement for both uses of identity, since it offers more security for the first use (if you're using a competent provider - myopenid, for example, offers both key-based auth that you can install to your browser, and a service that will call you to verify logins), and drives home the impossibility of the second. OpenID has a few problems of its own, but that's really getting out of the scope of this post, so I digress. >_>

Sunday, October 26, 2008

Yep, I ditched my old blog. It ran surprisingly well, considering that I wrote the software behind it when I was in high school, but now that I want to actually start blogging again the cost of fixing it up really outweighs the benefits of maintaining my own custom system.

Since this is my first post, I feel obligated somehow to explain this blog's title. Beginning at the end: I refer to myself as a hacker, not because I go and do rude things to people's myspace profiles (like some idiots that call themselves hackers), but because there's not a better word yet for what I'm trying to convey. When I say hacker, I mean it in the sense that Eric Raymond uses it: a person that does interesting and unexpected things, mainly with computers.

'Lazy' comes from the simple, incontrovertible fact that I'm pretty darn lazy. Oh, not always - if I get a really neat idea, I'll run with it for hours without realizing it - so maybe a better way to phrase it is that I find it hard to focus on work that bores me to death. That really doesn't fit at all in a title, though. :( Many people think that laziness just means lying around on the couch watching TV or something; clearly, they're not doing it right. Laziness doesn't have to mean 'doing no work': I take it to imply 'doing less work', which in the long run, ends up being far more useful. For instance, nearly everything related to programming can be thought of as a form of laziness - but that's a topic for a future post.

This is really the most important reason that I started a blog here, rather than fixing up my old blogging system. There is one common thread that runs through this blog's title, and it is a deep-seated distaste for reinvented wheels. I could make my own blog; I could do a lot of things. The real question is which of the things I could do are most worth doing. Maintaining software that only I would ever use isn't a terribly useful or fulfilling way to spend my time. Laziness simultaneously drives and is driven by this; if something doesn't seem interesting or useful, I just won't do it, but by reducing the amount of time I spend doing it, I open up time for other, more interesting things.

Next, why did I start blogging again? Every once in a while, I feel the need to blather on for a while about something which the majority of people I know wouldn't care at all about. Now, my options are basically as follows:
  • Grab whoever's awake, and talk their ear off, boring them to sleep halfway through - then rinse and repeat
  • Write it down somewhere where nobody will ever read it, wasting a good chunk of time for my own peace of mind
  • Start a new blog already
Needless to say, the third option has been looking better and better.

So, what can you expect from this blog? Don't really know at this point, but probably anything that I find interesting enough to actually write about. Here's to the new blog; hope it fares better than the old one.