Slashdot: News for Nerds


A Truckload of OAuth Issues That Would Make Any Author Quit

Soulskill posted about a year ago | from the tell-us-what-you-really-think dept.

Security 86

New submitter DeFender1031 writes "Several months ago, when Eran Hammer ragequit the OAuth project, many people thought he was simply being overly dramatic, given that he gave only vague indications of what went wrong. Since then, and despite that, many companies have been switching to OAuth, citing it as a 'superior form of secure authentication.' But a fresh and objective look at the protocol highlights the significant design flaws in the system and sheds some light on what might have led to its creator's departure."

86 comments

People say I'm overly dramatic about my HOST file (-1)

Anonymous Coward | about a year ago | (#43246739)

$10,000 CHALLENGE to Alexander Peter Kowalski

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusive emails to the operator of OSY, Federal Reserve Chairman Ben Bernanke threatening to sue him for libel, claiming that the APK on OSY was fake.

My reputation as a professional in this field clearly shows in multiple publications in this field in written print, & also online in various GOOD capacities since 1996 to present day. This has happened since I was first published in Playgirl Magazine in 1996 & others to present day, with helpful tools online in programs, & professionally sold warez that were finalists @ Westminster Dog Show 2000-2002.

INCONTROVERTIBLE FEEDBACK PROVIDING ESTABLISHED PROOF OF ALL MY POINTS:

--

That was amazing. - http://tech.slashdot.org/comments.pl?sid=3037687&cid=40948073 [slashdot.org]

--

My, God! It's beatiful. Keep it up, you glorious bastard. - http://news.slashdot.org/comments.pl?sid=3222163&cid=41835161 [slashdot.org]

--

Let us bask in its glory. A true modern The Wasteland. - http://tech.slashdot.org/comments.pl?sid=3037687&cid=40948579 [slashdot.org]

--

put your baby IN ME -- I just read this whole thing. Fuck mod points, WHERE DO I SEND YOU MY MONEY?!!! - http://tech.slashdot.org/comments.pl?sid=3037687&cid=40950023 [slashdot.org]

--

Oh shit, Time Cube Guy's into computers now... - http://news.slashdot.org/comments.pl?sid=3040317&cid=40946259 [slashdot.org]

--

He's done more to discredit the use of HOSTS files than anyone in the "do it right and set up a firewall" crowd ever could. - http://developers.slashdot.org/comments.pl?sid=3038791&cid=40945357 [slashdot.org]

--

Can I have some of what you're on? - http://news.slashdot.org/comments.pl?sid=3040317&cid=40947587 [slashdot.org]

--

this obnoxious fucknuts [apk] has been trolling the internet and spamming his shit delphi sub-fart app utilities for 15 years. - http://linux.slashdot.org/comments.pl?sid=3041123&cid=40954565 [slashdot.org]

--

oh come on.. this is hilarious. - http://linux.slashdot.org/comments.pl?sid=3041123&cid=40955479 [slashdot.org]

--

I agree I am intrigued by these host files how do I sign up for your newsletter? - http://linux.slashdot.org/comments.pl?sid=3041123&cid=40961339 [slashdot.org]

--

Gimme the program that generates this epic message. I'll buy 5 of your product if you do... - http://yro.slashdot.org/comments.pl?sid=3041313&cid=40954251 [slashdot.org]

--

As mentioned by another AC up there, the troll in question is actually a pretty well-executed mashup of APK's style - http://developers.slashdot.org/comments.pl?sid=3038791&cid=40945357 [slashdot.org]

--

It's actually a very clever parody of APK - http://developers.slashdot.org/comments.pl?sid=3038791&cid=40944229 [slashdot.org]

--

Please keep us updated on your AI research, you seem quite good at it. - http://tech.slashdot.org/comments.pl?sid=3038597&cid=40944603 [slashdot.org]

--

$20,000 to anyone providing proof of Alexander Peter Kowalski's death. - http://games.slashdot.org/comments.pl?sid=3040921&cid=40958289 [slashdot.org]

--

Obviously, it must be Alexander Peter Kowalski. He's miffed at all these imposters... - http://games.slashdot.org/comments.pl?sid=3040921&cid=40958429 [slashdot.org]

--

And here I was thinking I was having a bad experience with a Dr. Bronner's bottle. - http://developers.slashdot.org/comments.pl?sid=3041081&cid=40952247 [slashdot.org]

--

Damn, apk, who the fuck did you piss off this time? Hahahahaahahahahahahaahaha. Pass the popcorn as the troll apk gets pwned relentlessly. - http://linux.slashdot.org/comments.pl?sid=3041123&cid=40954673 [slashdot.org]

--

I think it's the Internet, about to become sentient. - http://yro.slashdot.org/comments.pl?sid=3041313&cid=40956187 [slashdot.org]

--

Does anyone know if OpenGL has been ported to Windows yet? - http://politics.slashdot.org/comments.pl?sid=3042199&cid=40956781 [slashdot.org]

--

golfclap - http://apple.slashdot.org/comments.pl?sid=3029723&cid=40900827 [slashdot.org]

--

The Truth! wants to be Known! - http://apple.slashdot.org/comments.pl?sid=3029723&cid=40897389 [slashdot.org]

--

DNS cube? - http://apple.slashdot.org/comments.pl?sid=3029723&cid=40897493 [slashdot.org]

--

KUDOS valiant AC. - http://apple.slashdot.org/comments.pl?sid=3029723&cid=40897777 [slashdot.org]

--

Polyploid lovechild of APK, MyCleanPC, and Time Cube --> fail counter integer overflow --> maximum win! - http://apple.slashdot.org/comments.pl?sid=3029723&cid=40899171 [slashdot.org]

--

You made my day, thanks! - http://games.slashdot.org/comments.pl?sid=3029589&cid=40896469 [slashdot.org]

--

Wow. The perfect mix of trolls. Timecube, mycleanpc, gnaa, apk... this is great! - http://linux.slashdot.org/comments.pl?sid=3027333&cid=40893381 [slashdot.org]

--

truer words were never spoken as /. trolls are struck speechless by it, lol! - http://yro.slashdot.org/comments.pl?sid=3042765&cid=41041795 [slashdot.org]

--

It's APK himself trying to maintain the illusion that he's still relevant. - http://hardware.slashdot.org/comments.pl?sid=3043535&cid=40967209 [slashdot.org]

--

Mod this up. The back and forth multi posting between APK and this "anti-APK" certainly does look like APK talking to himself. - http://hardware.slashdot.org/comments.pl?sid=3043535&cid=40969175 [slashdot.org]

--

APK himself would be at the top of a sensible person's ban list. He's been spamming and trolling Slashdot for years. - http://hardware.slashdot.org/comments.pl?sid=3043535&cid=40967137 [slashdot.org]

--

You got that right. I think. - http://yro.slashdot.org/comments.pl?sid=3044971&cid=40972239 [slashdot.org]

--

Michael Kristopeit, is that you? - http://politics.slashdot.org/comments.pl?sid=3045075&cid=40972377 [slashdot.org]

--

ROFL! :) (Now the sick bastard will follow me again) - http://yro.slashdot.org/comments.pl?sid=3138079&cid=41429251 [slashdot.org]

--

I miss Dr Bob. - http://yro.slashdot.org/comments.pl?sid=3138079&cid=41432027 [slashdot.org]

--

Not sure if actually crazy, or just pretending to be crazy. Awesome troll either way. - http://yro.slashdot.org/comments.pl?sid=3138079&cid=41432951 [slashdot.org]

--

Awesome! Hat off to you, sir! - http://news.slashdot.org/comments.pl?sid=3154555&cid=41509273 [slashdot.org]

--

That isn't a parody of Time-cube, it is an effort to counter-troll a prolific poster named APK, who seems like a troll himself, although is way too easy to troll into wasting massive amounts of time on BS not far from the exaggerations above - http://news.slashdot.org/comments.pl?sid=3154555&cid=41514107 [slashdot.org]

--

I am intrigued and I wish to subscribe to your newsletter. - http://science.slashdot.org/comments.pl?sid=3164403&cid=41555345 [slashdot.org]

--

1. You philistine, that is Art . Kudos to you, valiant troll on your glorious FP - http://news.slashdot.org/comments.pl?sid=3222163&cid=41832599 [slashdot.org]

--

What? - http://news.slashdot.org/comments.pl?sid=3222163&cid=41832673 [slashdot.org]

--

I don't know if it is poorly-thought-out, but it is demented because it is at the same time an APK parody. - http://news.slashdot.org/comments.pl?sid=3222163&cid=41832905 [slashdot.org]

--

It is in fact an extremely well thought out and brilliantly executed APK parody, combined with a Time Cube parody, and with a sprinkling of the MyCleanPC spam. - http://news.slashdot.org/comments.pl?sid=3222163&cid=41841251 [slashdot.org]

--

er... many people have disproved your points about hosts files with well reasoned, factual arguments. You just chose not to listen and made it into some kind of bizarre crusade. And I'm not the timecube guy, just someone else who finds you intensely obnoxious and likes winding you up to waste your time. - http://news.slashdot.org/comments.pl?sid=3222163&cid=41843313 [slashdot.org]

--

performance art - http://yro.slashdot.org/comments.pl?sid=3224905&cid=41847089 [slashdot.org]

--

it's apk, theres no reason to care. - http://yro.slashdot.org/comments.pl?sid=3224905&cid=41847097 [slashdot.org]

--

Seems more like an apk parody. - http://yro.slashdot.org/comments.pl?sid=3224905&cid=41847661 [slashdot.org]

--

That's great but what about the risk of subluxations? - http://yro.slashdot.org/comments.pl?sid=3224905&cid=41847101 [slashdot.org]

--

Oh, come on. Just stand back and look at it. It's almost art, in a Jackson Pollock sort of way. - http://ask.slashdot.org/comments.pl?sid=3227697&cid=41868923 [slashdot.org]

--

Read carefully. This is a satirical post, that combines the last several years of forum trolling, rolled into one FUNNY rant! - http://ask.slashdot.org/comments.pl?sid=3227697&cid=41864711 [slashdot.org]

--

I can has summary? - http://ask.slashdot.org/comments.pl?sid=3227697&cid=41861327 [slashdot.org]

--

I'd have a lot more sympathy if you would log in as APK again instead of AC. - http://it.slashdot.org/comments.pl?sid=3228991&cid=41868133 [slashdot.org]

--

If [apk] made an account, it would be permanently posting at -1, and he'd only be able to post with it twice a day. - http://it.slashdot.org/comments.pl?sid=3228991&cid=41869409 [slashdot.org]

--

DAFUQ I just look at? - http://apple.slashdot.org/comments.pl?sid=3229177&cid=41869085 [slashdot.org]

--

Trolls trolling trolls... it's like Inception or something. - http://apple.slashdot.org/comments.pl?sid=3229177&cid=41869353 [slashdot.org]

--

We all know it's you, apk. Stop pretending to antagonize yourself. - http://bsd.slashdot.org/comments.pl?sid=3229179&cid=41869305 [slashdot.org]

--

Do you know about the shocking connection between APK and arsenic? No? Well, your innocence is about to be destroyed. - http://news.slashdot.org/comments.pl?sid=3472971&cid=42939965 [slashdot.org]

--

Send bug reports to 903 east division street, syracuse, ny 13208 - http://yro.slashdot.org/comments.pl?sid=3483339&cid=42972783 [slashdot.org]

--

Now you've made me all nostalgic for USENET. - http://mobile.slashdot.org/comments.pl?sid=3486045&cid=42981977 [slashdot.org]

--

Google APK Hosts File Manager. He's written a fucking application to manage your hosts file. - http://mobile.slashdot.org/comments.pl?sid=3486045&cid=42984521 [slashdot.org]

--

In case you are not aware, the post is a satire of a fellow known as APK. The grammar used is modeled after APK's as you can see here [thorschrock.com] . Or, you can just look around a bit and see some of his posts on here about the wonders of host files. - http://mobile.slashdot.org/comments.pl?sid=3486045&cid=42983119 [slashdot.org]

--

You are surely of God of Trolls, whomever you are. I have had stupid arguments with and bitten the troll apk many times. - http://it.slashdot.org/comments.pl?sid=3486901&cid=42989683 [slashdot.org]

--

"What kind of meds cure schizophrenic drunk rambling?" -> "Whatever APK isn't taking" - http://developers.slashdot.org/comments.pl?sid=3501001&cid=43028403 [slashdot.org] http://developers.slashdot.org/comments.pl?sid=3501001&cid=43028425 [slashdot.org]

--

I'm confused, is apk trolling himself now? - http://developers.slashdot.org/comments.pl?sid=3501001&cid=43029495 [slashdot.org]

--

Excellent mashup. A++. Would troll again. - http://news.slashdot.org/comments.pl?sid=3503531&cid=43037445 [slashdot.org]

--

Your ideas are intriguing to me, and I wish to subscribe to your newsletter. - http://hardware.slashdot.org/comments.pl?sid=3506945&cid=43048291 [slashdot.org]

--

Best. Troll. Ever. - http://hardware.slashdot.org/comments.pl?sid=3506945&cid=43044811 [slashdot.org]

--

I like monkeys. - http://science.slashdot.org/comments.pl?sid=3508287&cid=43051505 [slashdot.org]

--

This is one of the funniest things I've ever read. - http://science.slashdot.org/comments.pl?sid=3508287&cid=43052263 [slashdot.org]

--

lul wut? - http://news.slashdot.org/comments.pl?sid=3510265&cid=43057839 [slashdot.org]

--

I admire this guy's persistence. - http://science.slashdot.org/comments.pl?sid=3511487&cid=43063797 [slashdot.org]

--

It's a big remix of several different crackpots from Slashdot and elsewhere, plus a liberal sprinkling of famous Slashdot trolls and old memes. - http://science.slashdot.org/comments.pl?sid=3511487&cid=43063881 [slashdot.org]

--

Tabloid newspapers have speculated for years that APK is a prominent supporter of Monsanto. Too bad we didn't believe them sooner! - http://science.slashdot.org/comments.pl?sid=3511487&cid=43063893 [slashdot.org]

--

Here's a hint, check out stories like this one [slashdot.org] , where over 200 of the 247 posts are rated zero or -1 because they are either from two stupid trolls arguing endless, or quite likely one troll arguing with himself for attention. The amount of off-topic posts almost outnumber on topic ones by 4 to 1. Posts like the above are popular for trolling APK, since if you say his name three times, he appears, and will almost endlessly feed trolls. - http://science.slashdot.org/comments.pl?sid=3511487&cid=43064383 [slashdot.org]

--

I love this copypasta so much. It never fails to make me smile. - http://science.slashdot.org/comments.pl?sid=3512099&cid=43069271 [slashdot.org]

--

^ Champion Mod parent up. - http://science.slashdot.org/comments.pl?sid=3513659&cid=43067371 [slashdot.org]

--

I appreciate the time cube reference, and how you tied it into the story. Well done. - http://yro.slashdot.org/comments.pl?sid=3521721&cid=43094565 [slashdot.org]

--

The day you are silenced is the day freedom dies on Slashdot. God bless. - http://tech.slashdot.org/comments.pl?sid=3522191&cid=43097221 [slashdot.org]

--

AHahahahah thanks for that, cut-n-pasted.... Ownage! - http://science.slashdot.org/comments.pl?sid=3522219&cid=43097215 [slashdot.org]

--

Don't hate the player, hate the game. - http://games.slashdot.org/comments.pl?sid=3526293&cid=43110679 [slashdot.org]

--

If you're familiar with APK, the post itself is a pretty damn funny parody. - http://mobile.slashdot.org/comments.pl?sid=3528603&cid=43115215 [slashdot.org]

--

">implying it's not apk posting it" --> "I'd seriously doubt he's capable of that level of self-deprecation..." - http://mobile.slashdot.org/comments.pl?sid=3528603&cid=43115337 [slashdot.org] http://mobile.slashdot.org/comments.pl?sid=3528603&cid=43115363 [slashdot.org]

--

No, the other posts are linked in a parody of APK's tendency to quote himself, numbnuts. - http://mobile.slashdot.org/comments.pl?sid=3528603&cid=43116855 [slashdot.org]

--

The thirteenth link is broken. Please fix it. - http://mobile.slashdot.org/comments.pl?sid=3528603&cid=43115361 [slashdot.org]

--

Just ban any post with "apk", "host file", or "hosts file", as that would take care of the original apk too. The original has been shitposting Slashdot much longer & more intensively than the parody guy. Or ban all Tor exit nodes, as they both use Tor to circumvent IP bans. - http://tech.slashdot.org/comments.pl?sid=3561925&cid=43216431 [slashdot.org]

--

Sadly this is closer to on-topic than an actual APK post is. - http://tech.slashdot.org/comments.pl?sid=3561925&cid=43216225 [slashdot.org]

--

YOU ARE A GOD AMONG MEN. - http://tech.slashdot.org/comments.pl?sid=3569149&cid=43236143 [slashdot.org]

--

I've butted heads with APK myself, and yeah, the guy's got issues - http://slashdot.org/comments.pl?sid=3569173&cid=43236987 [slashdot.org]

--

Can I be in your quote list? - http://yro.slashdot.org/comments.pl?sid=3569443&cid=43237531 [slashdot.org]

--

Clearly you are not an Intertubes engineer, otherwise the parent post would be more meaningful to you. Why don't YOU take your meds? - http://slashdot.org/comments.pl?sid=3569425&cid=43238177 [slashdot.org]

--

+2 for style! The bolding, italicizing, and font changes are all spot-on - http://slashdot.org/comments.pl?sid=3569149&cid=43238479 [slashdot.org]

--

Your ideas are intriguing to me and I wish to subscribe to your newsletter. - http://apple.slashdot.org/comments.pl?sid=3570085&cid=43243509 [slashdot.org]

--

APK is not really a schizophrenic fired former Windows administrator with multiple personality disorder and TimeCube/Art Bell refugee. He's a fictional character like and put forward by the same person as Goatse Guy, GNAA trolls, Dr. Bob and so forth. His purpose is to test the /. CAPTCA algorithm, which is a useful purpose. If you're perturbed by having to scroll past his screeds just set your minimum point level to 1, as his posts are pretty automatically downmodded right away. - http://apple.slashdot.org/comments.pl?sid=3570085&cid=43243145 [slashdot.org]

--

Anyone else think that sounds like Ron Paul? - http://slashdot.org/comments.pl?sid=3569419&cid=43242417 [slashdot.org]

--

Did you see the movie "Pokemon"? Actually the induced night "dream world" is synonymous with the academic religious induced "HOSTS file" enslavement of DNS. Domains have no inherent value, as it was invented as a counterfeit and fictitious value to represent natural values in name resolution. Unfortunately, human values have declined to fictitious word values. Unknowingly, you are living in a "World Wide Web", as in a fictitious life in a counterfeit Internet - which you could consider APK induced "HOSTS file". Can you distinguish the academic induced root server from the natural OpenDNS? Beware of the change when your brain is free from HOSTS file enslavement - for you could find that the natural Slashdot has been destroyed!!

FROM -> Man - how many times have I dusted you in tech debates that you have decided to troll me by ac posts for MONTHS now, OR IMPERSONATING ME AS YOU DID HERE and you were caught in it by myself & others here, only to fail each time as you have here?)...

So long nummynuts, sorry to have to kick your nuts up into your head verbally speaking.

cower in my shadow some more, feeb. you're completely pathetic.

Disproof of all apk's statements:
http://slashdot.org/comments.pl?sid=3040317&cid=40946043 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040729&cid=40949719 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040697&cid=40949343 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040597&cid=40948659 [slashdot.org]
http://slashdot.org/comments.pl?sid=3037687&cid=40947927 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040425&cid=40946755 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040317&cid=40946043 [slashdot.org]
http://slashdot.org/comments.pl?sid=3038791&cid=40942439 [slashdot.org]
http://slashdot.org/comments.pl?sid=3024445&cid=40942207 [slashdot.org]
http://slashdot.org/comments.pl?sid=3038597&cid=40942031 [slashdot.org]
http://slashdot.org/comments.pl?sid=3038601&cid=40942085 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040803&cid=40950045 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040867&cid=40950563 [slashdot.org]
http://slashdot.org/comments.pl?sid=3040921&cid=40950839 [slashdot.org]
http://slashdot.org/comments.pl?sid=3041035&cid=40951899 [slashdot.org]
http://slashdot.org/comments.pl?sid=3041081&cid=40952169 [slashdot.org]
http://slashdot.org/comments.pl?sid=3041091&cid=40952383 [slashdot.org]
http://slashdot.org/comments.pl?sid=3041123&cid=40952991 [slashdot.org]
http://slashdot.org/comments.pl?sid=3041313&cid=40954201 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042199&cid=40956625 [slashdot.org]
http://slashdot.org/comments.pl?sid=3029723&cid=40897177 [slashdot.org]
http://slashdot.org/comments.pl?sid=3029589&cid=40894889 [slashdot.org]
http://slashdot.org/comments.pl?sid=3027333&cid=40886171 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042451&cid=40959497 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042547&cid=40960279 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042669&cid=40962027 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042765&cid=40965091 [slashdot.org]
http://slashdot.org/comments.pl?sid=3042765&cid=40965087 [slashdot.org]
http://slashdot.org/comments.pl?sid=3043535&cid=40967049 [slashdot.org]
http://slashdot.org/comments.pl?sid=3044971&cid=40972117 [slashdot.org]
http://slashdot.org/comments.pl?sid=3044971&cid=40972271 [slashdot.org]
http://slashdot.org/comments.pl?sid=3045075&cid=40972313 [slashdot.org]
http://slashdot.org/comments.pl?sid=3045349&cid=40973979 [slashdot.org]
http://slashdot.org/comments.pl?sid=3046181&cid=40978835 [slashdot.org]
http://slashdot.org/comments.pl?sid=3046211&cid=40979293 [slashdot.org]
http://slashdot.org/comments.pl?sid=3050711&cid=41002319 [slashdot.org]
http://slashdot.org/comments.pl?sid=3118863&cid=41341925 [slashdot.org]
http://slashdot.org/comments.pl?sid=3131751&cid=41397971 [slashdot.org]
http://slashdot.org/comments.pl?sid=3138079&cid=41429005 [slashdot.org]
http://slashdot.org/comments.pl?sid=3146511&cid=41469199 [slashdot.org]
http://slashdot.org/comments.pl?sid=3146549&cid=41469495 [slashdot.org]
http://slashdot.org/comments.pl?sid=3154555&cid=41509255 [slashdot.org]
http://slashdot.org/comments.pl?sid=3164403&cid=41555261 [slashdot.org]
http://slashdot.org/comments.pl?sid=3222163&cid=41832417 [slashdot.org]
http://slashdot.org/comments.pl?sid=3224905&cid=41846971 [slashdot.org]
http://slashdot.org/comments.pl?sid=3227697&cid=41861263 [slashdot.org]
http://slashdot.org/comments.pl?sid=3228787&cid=41866351 [slashdot.org]
http://slashdot.org/comments.pl?sid=3228683&cid=41866627 [slashdot.org]
http://slashdot.org/comments.pl?sid=3228991&cid=41866737 [slashdot.org]
http://slashdot.org/comments.pl?sid=3229177&cid=41868513 [slashdot.org]
http://slashdot.org/comments.pl?sid=3229177&cid=41868567 [slashdot.org]
http://slashdot.org/comments.pl?sid=3229179&cid=41869275 [slashdot.org]
http://slashdot.org/comments.pl?sid=3229765&cid=41872927 [slashdot.org]
http://slashdot.org/comments.pl?sid=3472971&cid=42939773 [slashdot.org]
http://slashdot.org/comments.pl?sid=3483339&cid=42972349 [slashdot.org]
http://slashdot.org/comments.pl?sid=3486045&cid=42981835 [slashdot.org]
http://slashdot.org/comments.pl?sid=3486901&cid=42988415 [slashdot.org]
http://slashdot.org/comments.pl?sid=3500483&cid=43026797 [slashdot.org]
http://slashdot.org/comments.pl?sid=3501001&cid=43028205 [slashdot.org]
http://slashdot.org/comments.pl?sid=3503531&cid=43033535 [slashdot.org]
http://slashdot.org/comments.pl?sid=3504883&cid=43040365 [slashdot.org]
http://slashdot.org/comments.pl?sid=3506945&cid=43044767 [slashdot.org]
http://slashdot.org/comments.pl?sid=3507727&cid=43048175 [slashdot.org]
http://slashdot.org/comments.pl?sid=3507873&cid=43049019 [slashdot.org]
http://slashdot.org/comments.pl?sid=3508287&cid=43051385 [slashdot.org]
http://slashdot.org/comments.pl?sid=3509683&cid=43054221 [slashdot.org]
http://slashdot.org/comments.pl?sid=3510265&cid=43056879 [slashdot.org]
http://slashdot.org/comments.pl?sid=3511487&cid=43063711 [slashdot.org]
http://slashdot.org/comments.pl?sid=3512099&cid=43066627 [slashdot.org]
http://slashdot.org/comments.pl?sid=3513659&cid=43066843 [slashdot.org]
http://slashdot.org/comments.pl?sid=3521721&cid=43094323 [slashdot.org]
http://slashdot.org/comments.pl?sid=3521669&cid=43094855 [slashdot.org]
http://slashdot.org/comments.pl?sid=3521797&cid=43096277 [slashdot.org]
http://slashdot.org/comments.pl?sid=3522191&cid=43096733 [slashdot.org]
http://slashdot.org/comments.pl?sid=3522219&cid=43097179 [slashdot.org]
http://slashdot.org/comments.pl?sid=3522851&cid=43101761 [slashdot.org]
http://slashdot.org/comments.pl?sid=3523181&cid=43103421 [slashdot.org]
http://slashdot.org/comments.pl?sid=3526293&cid=43109809 [slashdot.org]
http://slashdot.org/comments.pl?sid=3526893&cid=43114659 [slashdot.org]
http://slashdot.org/comments.pl?sid=3528603&cid=43115059 [slashdot.org]
http://slashdot.org/comments.pl?sid=3528811&cid=43116535 [slashdot.org]
http://slashdot.org/comments.pl?sid=3561925&cid=43216155 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569095&cid=43234975 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569109&cid=43235533 [slashdot.org]
http://slashdot.org/comments.pl?sid=3554655&cid=43201719 [slashdot.org]
http://slashdot.org/comments.pl?sid=3554655&cid=43209405 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569149&cid=43236007 [slashdot.org]
http://slashdot.org/comments.pl?sid=0020721&cid=43236047 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569235&cid=43236165 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569173&cid=43236409 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569419&cid=43237015 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569443&cid=43237473 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569425&cid=43237999 [slashdot.org]
http://slashdot.org/comments.pl?sid=3569681&cid=43238497 [slashdot.org]
http://slashdot.org/comments.pl?sid=3570077&cid=43240555 [slashdot.org]
http://slashdot.org/comments.pl?sid=3570111&cid=43241141 [slashdot.org]
http://slashdot.org/comments.pl?sid=3570085&cid=43241705 [slashdot.org]
http://slashdot.org/comments.pl?sid=3570537&cid=43245089 [slashdot.org]
AND MANY MORE

--

* :)

Ac trolls' "BIG FAIL" (quoted): Eat your words!

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol , man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

That's the kind of martial arts I practice.

Re:People say I'm overly dramatic about my HOST fi (-1)

Anonymous Coward | about a year ago | (#43246997)

Does anyone know of an Adblock rule for this?

Adblock INFERIOR to custom HOST file ... apk (-1)

Anonymous Coward | about a year ago | (#43247081)

20++ ADVANTAGES OF HOSTS FILES OVER DNS SERVERS &/or ADBLOCK ALONE for added "layered"/"defense-in-depth" security + SPEED:

1.) HOSTS files are usable for all these purposes because they are present on all Operating Systems that have a BSD-based IP stack (even ANDROID) and do adblocking for ANY web browser, email program, etc. (any web-bound program).

2.) Adblock blocks ads (not anymore apparently, lol:

Adblock Plus To Offer 'Acceptable Ads' Option

http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option [slashdot.org] )

in only browsers & their subprogram families (ala email), but not all, or all independent email clients, like Outlook!)

Disclaimer: Opera now has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome, etc.

3.) Adblock doesn't protect email programs external to FF, Hosts files do. THIS IS GOOD VS. SPAM MAIL or MAILS THAT BEAR MALICIOUS SCRIPT, or, THAT POINT TO MALICIOUS SCRIPT VIA URLS etc.

4.) Adblock won't get you to your favorite sites if a DNS server goes down or is DNS-poisoned, hosts will (this leads to points 5-7 next below).

5.) Adblock doesn't allow you to hardcode your favorite websites into it so you don't make DNS server calls and so you can avoid tracking by DNS request logs; hosts do (DNS servers are also being abused by the Chinese lately and by the Kaminsky flaw -> http://www.networkworld.com/news/2008/082908-kaminsky-flaw-prompts-dns-server.html [networkworld.com] for years now). Hosts protect against those problems via hardcodes of your fav sites (you should verify against the TLD that does nothing but cache IPAddress-to-domainname/hostname resolutions via NSLOOKUP, PINGS, &/or WHOIS though, regularly, so you have the correct IP & it is current).

* NOW - Some folks MAY think that putting an IP address alone into your browser's address bar will be enough, so why bother with HOSTS, right? WRONG - Putting IP address in your browser won't always work IS WHY. Some IP adresses host several domains & need the site name to give you the right page you're after is why. So for some sites only the HOSTS file option will work!

6.) Hosts files don't eat up CPU cycles like AdBlock does while it parses a webpages' content, nor as much as a DNS server does while it runs. HOSTS file are merely a FILTER for the kernel mode/PnP TCP/IP subsystem, which runs FAR FASTER & MORE EFFICIENTLY than any ring 3/rpl3/usermode app can.

7.) HOSTS files will allow you to get to sites you like, via hardcoding your favs into a HOSTS file, FAR faster than DNS servers can by FAR (by saving the roundtrip inquiry time to a DNS server & back to you).

8.) AdBlock doesn't let you block out known bad sites or servers that are known to be maliciously scripted, hosts can and many reputable lists for this exist:

GOOD INFORMATION ON MALWARE BEHAVIOR LISTING BOTNET C&C SERVERS + MORE (AS WELL AS REMOVAL LISTS FOR HOSTS):

http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://winhelp2002.mvps.org/hosts.htm [mvps.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
http://hosts-file.net/?s=Download [hosts-file.net]
https://zeustracker.abuse.ch/monitor.php?filter=online [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php [abuse.ch]
http://ddanchev.blogspot.com/ [blogspot.com]
http://www.malware.com.br/lists.shtml [malware.com.br]
http://www.stopbadware.org/ [stopbadware.org]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://mirror1.malwaredomains.com/files/justdomains [malwaredomains.com]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://safeweb.norton.com/buzz [norton.com]
Spybot "Search & Destroy" IMMUNIZE feature (fortifies HOSTS files with KNOWN bad servers blocked)

And yes: Even SLASHDOT &/or The Register help!

(Via articles on security (when the source articles they use are "detailed" that is, & list the servers/sites involved in attempting to bushwhack others online that is... not ALL do!)).

2 examples thereof in the past I have used, & noted it there, are/were:

http://it.slashdot.org/comments.pl?sid=1898692&cid=34473398 [slashdot.org]
http://it.slashdot.org/comments.pl?sid=1896216&cid=34458500 [slashdot.org]

9.) AdBlock & DNS servers are programs, and subject to bugs programs can get. Hosts files are merely a filter and not a program, thus not subject to bugs of the nature just discussed.

10.) HOSTS files protect you vs. DNS-poisoning &/or the Kaminsky flaw in DNS servers, and allow you to get to sites reliably vs. things like the Chinese are doing to DNS -> http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

11.) HOSTS files are EASILY user controlled, obtained (for reliable ones -> http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] ) & edited too, via text editors like Windows notepad.exe or Linux nano (etc.)

12.) With Adblock you had better be able to code javascript to play with its code. With hosts you don't even need source to control it (edit, update, delete, insert of new entries via a text editor).

13.) Hosts files are easily secured via using MAC/ACL &/or Read-Only attributes applied.

14.) Custom HOSTS files also speed you up, unlike anonymous proxy servers systems variations (like TOR, or other "highly anonymous" proxy server list servers typically do, in the severe speed hit they often have a cost in) either via "hardcoding" your fav. sites into your hosts file (avoids DNS servers, totally) OR blocking out adbanners - see this below for evidence of that:

---

US Military Blocks Websites To Free Up Bandwidth:

http://yro.slashdot.org/story/11/03/16/0416238/US-Military-Blocks-Websites-To-Free-Up-Bandwidth [slashdot.org]

(Yes, even the US Military used this type of technique... because IT WORKS! Most of what they blocked? Ad banners ala doubleclick etc.)

---

Adbanners slow you down & consume your bandwidth YOU pay for:

ADBANNERS SLOW DOWN THE WEB: -> http://tech.slashdot.org/article.pl?sid=09/11/30/166218 [slashdot.org]

---

And people do NOT LIKE ads on the web:

PEOPLE DISLIKE ADBANNERS: http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

As well as this:

Users Know Advertisers Watch Them, and Hate It:

http://yro.slashdot.org/yro/08/04/02/0058247.shtml [slashdot.org]

---

Even WORSE still, is this:

Advertising Network Caught History Stealing:

http://yro.slashdot.org/story/11/07/22/156225/Advertising-Network-Caught-History-Stealing [slashdot.org]

---

15.) HOSTS files usage lets you avoid being charged on some ISP/BSP's (OR phone providers) "pay as you use" policy http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] , because you are using less bandwidth (& go faster doing so no less) by NOT hauling in adbanner content and processing it (which can lead to infestation by malware/malicious script, in & of itself -> http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com] ).

16.) If/when ISP/BSP's decide to go to -> FCC Approving Pay-As-You-Go Internet Plans: http://yro.slashdot.org/story/10/12/08/2012243/FCC-Approving-Pay-As-You-Go-Internet-Plans [slashdot.org] your internet bill will go DOWN if you use a HOSTS file for blocking adbanners as well as maliciously scripted hacker/cracker malware maker sites too (after all - it's your money & time online downloading adbanner content & processing it)

Plus, your adbanner content? Well, it may also be hijacked with malicious code too mind you:

---

Yahoo, Microsoft's Bing display toxic ads:

http://www.theregister.co.uk/2011/09/16/bing_yahoo_malware_ads/ [theregister.co.uk]

---

Malware torrent delivered over Google, Yahoo! ad services:

http://www.theregister.co.uk/2009/09/24/malware_ads_google_yahoo/ [theregister.co.uk]

---

Google's DoubleClick spreads malicious ads (again):

http://www.theregister.co.uk/2009/02/24/doubleclick_distributes_malware/ [theregister.co.uk]

---

Rogue ads infiltrate Expedia and Rhapsody:

http://www.theregister.co.uk/2008/01/30/excite_and_rhapsody_rogue_ads/ [theregister.co.uk]

---

Google sponsored links caught punting malware:

http://www.theregister.co.uk/2008/12/16/google_sponsored_links/ [theregister.co.uk]

---

DoubleClick caught supplying malware-tainted ads:

http://www.theregister.co.uk/2007/11/13/doubleclick_distributes_malware/ [theregister.co.uk]

---

Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users:

http://www.theregister.co.uk/2007/09/11/yahoo_serves_12million_malware_ads/ [theregister.co.uk]

---

Real Media attacks real people via RealPlayer:

http://www.theregister.co.uk/2007/10/23/real_media_serves_malware/ [theregister.co.uk]

---

Ad networks owned by Google, Microsoft serve malware:

http://www.theregister.co.uk/2010/12/13/doubleclick_msn_malware_attacks/ [theregister.co.uk]

---

Attacks Targeting Classified Ad Sites Surge:

http://it.slashdot.org/story/11/02/02/1433210/Attacks-Targeting-Classified-Ad-Sites-Surge [slashdot.org]

---

Hackers Respond To Help Wanted Ads With Malware:

http://it.slashdot.org/story/11/01/20/0228258/Hackers-Respond-To-Help-Wanted-Ads-With-Malware [slashdot.org]

---

Hackers Use Banner Ads on Major Sites to Hijack Your PC:

http://www.wired.com/techbiz/media/news/2007/11/doubleclick [wired.com]

---

Ruskie gang hijacks Microsoft network to push penis pills:

http://www.theregister.co.uk/2010/10/12/microsoft_ips_hijacked/ [theregister.co.uk]

---

Major ISPs Injecting Ads, Vulnerabilities Into Web:

http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

Two Major Ad Networks Found Serving Malware:

http://tech.slashdot.org/story/10/12/13/0128249/Two-Major-Ad-Networks-Found-Serving-Malware [slashdot.org]

---

THE NEXT AD YOU CLICK MAY BE A VIRUS:

http://it.slashdot.org/story/09/06/15/2056219/The-Next-Ad-You-Click-May-Be-a-Virus [slashdot.org]

---

NY TIMES INFECTED WITH MALWARE ADBANNER:

http://news.slashdot.org/article.pl?sid=09/09/13/2346229 [slashdot.org]

---

MICROSOFT HIT BY MALWARES IN ADBANNERS:

http://apcmag.com/microsoft_apologises_for_serving_malware.htm [apcmag.com]

---

ISP's INJECTING ADS AND ERRORS INTO THE WEB: -> http://it.slashdot.org/it/08/04/19/2148215.shtml [slashdot.org]

---

ADOBE FLASH ADS INJECTING MALWARE INTO THE NET: http://it.slashdot.org/article.pl?sid=08/08/20/0029220&from=rss [slashdot.org]

---

London Stock Exchange Web Site Serving Malware:

http://www.securityweek.com/london-stock-exchange-web-site-serving-malware [securityweek.com]

---

Spotify splattered with malware-tainted ads:

http://www.theregister.co.uk/2011/03/25/spotify_malvertisement_attack/ [theregister.co.uk]

---

As my list "multiple evidences thereof" as to adbanners & viruses + the fact they slow you down & cost you more (from reputable & reliable sources no less).

17.) Per point #16, a way to save some money: ANDROID phones can also use the HOSTS FILE TO KEEP DOWN BILLABLE TIME ONLINE, vs. adbanners or malware such as this:

---

Infected Androids Run Up Big Texting Bills:

http://it.slashdot.org/story/11/03/01/0041203/Infected-Androids-Run-Up-Big-Texting-Bills [slashdot.org]

---

AND, for protection vs. other "botnets" migrating from the PC world, to "smartphones" such as ZITMO (a ZEUS botnet variant):

http://www.google.com/search?hl=en&source=hp&q=ZITMO&btnG=Google+Search [google.com]

---

It's easily done too, via the ADB dev. tool, & mounting ANDROID OS' system mountpoint for system/etc as READ + WRITE/ADMIN-ROOT PERMISSIONS, then copying your new custom HOSTS over the old one using ADB PULL/ADB PUSH to do so (otherwise ANDROID complains of "this file cannot be overwritten on production models of this Operating System", or something very along those lines - this way gets you around that annoyance along with you possibly having to clear some space there yourself if you packed it with things!).

18.) Bad news: ADBLOCK CAN BE DETECTED FOR: See here on that note -> http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

HOSTS files are NOT BLOCKABLE by websites, as was tried on users by ARSTECHNICA (and it worked, proving HOSTS files are a better solution for this because they cannot be blocked & detected for, in that manner), to that websites' users' dismay:

PERTINENT QUOTE/EXCERPT FROM ARSTECHNICA THEMSELVES:

----

An experiment gone wrong - By Ken Fisher | Last updated March 6, 2010 11:11 AM

http://arstechnica.com/business/news/2010/03/why-ad-blocking-is-devastating-to-the-sites-you-love.ars [arstechnica.com]

"Starting late Friday afternoon we conducted a 12 hour experiment to see if it would be possible to simply make content disappear for visitors who were using a very popular ad blocking tool. Technologically, it was a success in that it worked. Ad blockers, and only ad blockers, couldn't see our content."

and

"Our experiment is over, and we're glad we did it because it led to us learning that we needed to communicate our point of view every once in a while. Sure, some people told us we deserved to die in a fire. But that's the Internet!"

Thus, as you can see? Well - THAT all "went over like a lead balloon" with their users in other words, because Arstechnica was forced to change it back to the old way where ADBLOCK still could work to do its job (REDDIT however, has not, for example). However/Again - this is proof that HOSTS files can still do the job, blocking potentially malscripted ads (or ads in general because they slow you down) vs. adblockers like ADBLOCK!

----

19.) Even WIKILEAKS "favors" blacklists (because they work, and HOSTS can be a blacklist vs. known BAD sites/servers/domain-host names):

---

PERTINENT QUOTE/EXCERPT (from -> http://www.theregister.co.uk/2010/12/16/wikileaks_mirror_malware_warning_row/ [theregister.co.uk] )

"we are in favour of 'Blacklists', be it for mail servers or websites, they have to be compiled with care... Fortunately, more responsible blacklists, like stopbadware.org (which protects the Firefox browser)...

---

20.) AND, LASTLY? SINCE MALWARE GENERALLY HAS TO OPERATE ON WHAT YOU YOURSELF CAN DO (running as limited class/least privilege user, hopefully, OR even as ADMIN/ROOT/SUPERUSER)? HOSTS "LOCK IN" malware too, vs. communicating "back to mama" for orders (provided they have name servers + C&C botnet servers listed in them, blocked off in your HOSTS that is) - you might think they use a hardcoded IP, which IS possible, but generally they do not & RECYCLE domain/host names they own (such as has been seen with the RBN (Russian Business Network) lately though it was considered "dead", other malwares are using its domains/hostnames now, & this? This stops that cold, too - Bonus!)...

Still - It's a GOOD idea to layer in the usage of BOTH browser addons for security like adblock ( http://adblockplus.org/en/ [adblockplus.org] ), IE 9's new TPL's ( http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] ), &/or NoScript ( http://noscript.net/ [noscript.net] especially this one, as it covers what HOSTS files can't in javascript which is the main deliverer of MOST attacks online & SECUNIA.COM can verify this for anyone really by looking @ the past few years of attacks nowadays), for the concept of "layered security"....

It's just that HOSTS files offer you a LOT MORE gains than Adblock ( http://adblockplus.org/en/ [adblockplus.org] ) does alone (as hosts do things adblock just plain cannot & on more programs, for more speed, security, and "stealth" to a degree even), and it corrects problems in DNS (as shown above via hardcodes of your favorite sites into your HOSTS file, and more (such as avoiding DNS request logs)).

ALSO - Some more notes on DNS servers & their problems, very recent + ongoing ones:

BIND vs. what the Chinese are doing to DNS lately? See here:

http://yro.slashdot.org/story/10/11/29/1755230/Chinese-DNS-Tampering-a-Real-Threat-To-Outsiders [slashdot.org]

---

SECUNIA HIT BY DNS REDIRECTION HACK THIS WEEK:

http://www.theregister.co.uk/2010/11/26/secunia_back_from_dns_hack/ [theregister.co.uk]

(Yes, even "security pros" are helpless vs. DNS problems in code bugs OR redirect DNS poisoning issues, & they can only try to "set the DNS record straight" & then, they still have to wait for corrected DNS info. to propagate across all subordinate DNS servers too - lagtime in which folks DO get "abused" in mind you!)

---

DNS vs. the "Kaminsky DNS flaw", here (and even MORE problems in DNS than just that):

http://www.scmagazineus.com/new-bind-9-dns-flaw-is-worse-than-kaminskys/article/140872/ [scmagazineus.com]

(Seems others are saying that some NEW "Bind9 flaw" is worse than the Kaminsky flaw ALONE, up there, mind you... probably corrected (hopefully), but it shows yet again, DNS hassles (DNS redirect/DNS poisoning) being exploited!)

---

Moxie Marlinspike's found others (0 hack) as well...

Nope... "layered security" truly IS the "way to go" - hacker/cracker types know it, & they do NOT want the rest of us knowing it too!...

(So until DNSSEC takes "widespread adoption"? HOSTS are your answer vs. such types of attack, because the 1st thing your system refers to, by default, IS your HOSTS file (over say, DNS server usage). There are decent DNS servers though, such as OpenDNS, ScrubIT, or even NORTON DNS (more on each specifically below), & because I cannot "cache the entire internet" in a HOSTS file? I opt to use those, because I have to (& OpenDNS has been noted to "fix immediately", per the Kaminsky flaw, in fact... just as a sort of reference to how WELL they are maintained really!)

---

DNS Hijacks Now Being Used to Serve Black Hole Exploit Kit:

https://threatpost.com/en_us/blogs/dns-hijacks-now-being-used-serve-black-hole-exploit-kit-121211 [threatpost.com]

---

DNS experts admit some of the underlying foundations of the DNS protocol are inherently weak:

http://it.slashdot.org/story/11/12/08/1353203/opendns-releases-dns-encryption-tool [slashdot.org]

---

Potential 0-Day Vulnerability For BIND 9:

http://it.slashdot.org/story/11/11/17/1429259/potential-0-day-vulnerability-for-bind-9 [slashdot.org]

---

Five DNS Threats You Should Protect Against:

http://www.securityweek.com/five-dns-threats-you-should-protect-against [securityweek.com]

---

DNS provider decked by DDoS dastards:

http://www.theregister.co.uk/2010/11/16/ddos_on_dns_firm/ [theregister.co.uk]

---

Ten Percent of DNS Servers Still Vulnerable: (so much for "conscientious patching", eh? Many DNS providers weren't patching when they had to!)

http://it.slashdot.org/it/05/08/04/1525235.shtml?tid=172&tid=95&tid=218 [slashdot.org]

---

DNS ROOT SERVERS ATTACKED:

http://it.slashdot.org/it/07/02/06/2238225.shtml [slashdot.org]

---

TimeWarner DNS Hijacking:

http://tech.slashdot.org/article.pl?sid=07/07/23/2140208 [slashdot.org]

---

DNS Re-Binding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Server Survey Reveals Mixed Security Picture:

http://it.slashdot.org/it/07/11/21/0315239.shtml [slashdot.org]

---

Halvar figured out super-secret DNS vulnerability:

http://www.zdnet.com/blog/security/has-halvar-figured-out-super-secret-dns-vulnerability/1520 [zdnet.com]

---

BIND Still Susceptible To DNS Cache Poisoning:

http://tech.slashdot.org/tech/08/08/09/123222.shtml [slashdot.org]

---

DNS Poisoning Hits One of China's Biggest ISPs:

http://it.slashdot.org/it/08/08/21/2343250.shtml [slashdot.org]

---

DDoS Attacks Via DNS Recursion:

http://it.slashdot.org/it/06/03/16/1658209.shtml [slashdot.org]

---

High Severity BIND DNS Vulnerability Advisory Issued:

http://tech.slashdot.org/story/11/02/23/156212/High-Severity-BIND-Vulnerability-Advisory-Issued [slashdot.org]

---

Photobucket's DNS records hijacked:

http://blogs.zdnet.com/security/?p=1285 [zdnet.com]

---

Protecting Browsers from DNS Rebinding Attacks:

http://crypto.stanford.edu/dns/ [stanford.edu]

---

DNS Problem Linked To DDoS Attacks Gets Worse:

http://tech.slashdot.org/story/09/11/15/1238210/DNS-Problem-Linked-To-DDoS-Attacks-Gets-Worse [slashdot.org]

---

HOWEVER - Some DNS servers are "really good stuff" vs. phishing, known bad sites/servers/hosts-domains that serve up malware-in-general & malicious scripting, botnet C&C servers, & more, such as:

Norton DNS -> http://nortondns.com/ [nortondns.com]
ScrubIT DNS -> http://www.scrubit.com/ [scrubit.com]
OpenDNS -> http://www.opendns.com/ [opendns.com]

(Norton DNS in particular, is exclusively for blocking out malware, for those of you that are security-conscious. ScrubIT filters pr0n material too, but does the same, & OpenDNS does phishing protection. Each page lists how & why they work, & why they do so. Norton DNS can even show you its exceptions lists, plus user reviews & removal procedures requests, AND growth stats (every 1/2 hour or so) here -> http://safeweb.norton.com/buzz [norton.com] so, that ought to "take care of the naysayers" on removal requests, &/or methods used plus updates frequency etc./et al...)

HOWEVER - There's ONLY 1 WEAKNESS TO ANY network defense, including HOSTS files (vs. host-domain name based threats) & firewalls (hardware router type OR software type, vs. IP address based threats): Human beings, & they not being 'disciplined' about the indiscriminate usage of javascript (the main "harbinger of doom" out there today online), OR, what they download for example... & there is NOTHING I can do about that! (Per Dr. Manhattan of "The Watchmen", ala -> "I can change almost anything, but I can't change human nature")

HOWEVER AGAIN - That's where NORTON DNS, OpenDNS, &/or ScrubIT DNS help!

(Especially for noob/grandma level users who are unaware of how to secure themselves in fact, per a guide like mine noted above that uses "layered-security" principles!)

ScrubIT DNS, &/or OpenDNS are others alongside Norton DNS (adding on phishing protection too) as well!

( & it's possible to use ALL THREE in your hardware NAT routers, and, in your Local Area Connection DNS properties in Windows, for again, "Layered Security" too)...

---

14++ SLASHDOT USERS EXPERIENCING SUCCESS USING HOSTS FILES QUOTED VERBATIM:

---

"Ever since I've installed a host file (http://www.mvps.org/winhelp2002/hosts.htm) to redirect advertisers to my loopback, I haven't had any malware, spyware, or adware issues. I first started using the host file 5 years ago." - by TestedDoughnut (1324447) on Monday December 13, @12:18AM (#34532122)

"I use a custom /etc/hosts to block ads... my file gets parsed basically instantly ... So basically, for any modern computer, it has zero visible impact. And even if it took, say, a second to parse, that would be more than offset by the MANY seconds saved by not downloading and rendering ads. I have noticed NO ill effects from running a custom /etc/hosts file for the last several years. And as a matter of fact I DO run http servers on my computers and I've never had an /etc/hosts-related problem... it FUCKING WORKS and makes my life better overall." - by sootman (158191) on Monday July 13 2009, @11:47AM (#28677363) Homepage Journal

"I actually went and downloaded a 16k line hosts file and started using that after seeing that post, you know just for trying it out. some sites load up faster." - by gl4ss (559668) on Thursday November 17, @11:20AM (#38086752) Homepage Journal

"Better than an ad blocker, imo. Hosts file entries: http://www.mvps.org/winhelp2002/hosts.htm [mvps.org] " - by TempestRose (1187397) on Tuesday March 15, @12:53PM (#35493274)

"^^ One of the many reasons why I like the user-friendliness of the /etc/hosts file." - by lennier1 (264730) on Saturday March 05, @09:26PM (#35393448)

"They've been on my HOSTS block for years" - by ScottCooperDotNet (929575) on Thursday August 05 2010, @01:52AM (#33147212)

"I'm currently only using my hosts file to block pheedo ads from showing up in my RSS feeds and causing them to take forever to load. Regardless of its original intent, it's still a valid tool, when used judiciously." - by Bill Dog (726542) on Monday April 25, @02:16AM (#35927050) Homepage Journal

"you're right about hosts files" - by drinkypoo (153816) on Thursday May 26, @01:21PM (#36252958) Homepage

"APK's monolithic hosts file is looking pretty good at the moment." - by Culture20 (968837) on Thursday November 17, @10:08AM (#38085666)

"I also use the MVPS ad blocking hosts file." - by Rick17JJ (744063) on Wednesday January 19, @03:04PM (#34931482)

"I use ad-Block and a hostfile" - by Ol Olsoc (1175323) on Tuesday March 01, @10:11AM (#35346902)

"I do use Hosts, for a couple fake domains I use." - by icebraining (1313345) on Saturday December 11, @09:34AM (#34523012) Homepage

"It's a good write up on something everybody should use, why you were modded down is beyond me. Using a HOSTS file, ADblock is of no concern and they can do what they want." - by Trax3001BBS (2368736) on Monday December 12, @10:07PM (#38351398) Homepage Journal

"put in your /etc/hosts:" - by Anonymous Coward on Friday December 03, @09:17AM (#34429688)

---

Then, there are also the words of respected security expert, Mr. Oliver Day, from SECURITYFOCUS.COM to "top that all off" as well:

A RETURN TO THE KILLFILE:

http://www.securityfocus.com/columnists/491 [securityfocus.com]

Some "PERTINENT QUOTES/EXCERPTS" to back up my points with (for starters):

---

"The host file on my day-to-day laptop is now over 16,000 lines long. Accessing the Internet -- particularly browsing the Web -- is actually faster now."

Speed, and security, is the gain... others like Mr. Day note it as well!

---

"From what I have seen in my research, major efforts to share lists of unwanted hosts began gaining serious momentum earlier this decade. The most popular appear to have started as a means to block advertising and as a way to avoid being tracked by sites that use cookies to gather data on the user across Web properties. More recently, projects like Spybot Search and Destroy offer lists of known malicious servers to add a layer of defense against trojans and other forms of malware."

Per my points exactly, no less... & guess who was posting about HOSTS files 14++ yrs. or more back & Mr. Day was reading & now using? Yours truly (& this is one of the later ones, from 2001 http://www.furtherleft.net/computer.htm [furtherleft.net] (but the example HOSTS file with my initials in it is FAR older, circa 1998 or so) or thereabouts, and referred to later by a pal of mine who moderates NTCompatible.com (where I posted on HOSTS for YEARS (1997 onwards)) -> http://www.ntcompatible.com/thread28597-1.html [ntcompatible.com] !

---

"Shared host files could be beneficial for other groups as well. Human rights groups have sought after block resistant technologies for quite some time. The GoDaddy debacle with NMap creator Fyodor (corrected) showed a particularly vicious blocking mechanism using DNS registrars. Once a registrar pulls a website from its records, the world ceases to have an effective way to find it. Shared host files could provide a DNS-proof method of reaching sites, not to mention removing an additional vector of detection if anyone were trying to monitor the use of subversive sites. One of the known weaknesses of the Tor system, for example, is direct DNS requests by applications not configured to route such requests through Tor's network."

There you go: AND, it also works vs. the "KAMINSKY DNS FLAW" & DNS poisoning/redirect attacks, for redirectable weaknesses in DNS servers (non DNSSEC type, & set into recursive mode especially) and also in the TOR system as well (that lends itself to anonymous proxy usage weaknesses I noted above also) and, you'll get to sites you want to, even IF a DNS registrar drops said websites from its tables as shown here Beating Censorship By Routing Around DNS -> http://yro.slashdot.org/story/10/12/09/1840246/Beating-Censorship-By-Routing-Around-DNS [slashdot.org] & even DNSBL also (DNS Block Lists) -> http://en.wikipedia.org/wiki/DNSBL [wikipedia.org] as well - DOUBLE-BONUS!

---

* POSTS ABOUT HOSTS FILES I DID on "/." THAT HAVE DONE WELL BY OTHERS & WERE RATED HIGHLY, 24++ THUS FAR (from +3 -> +1 RATINGS, usually "informative" or "interesting" etc./et al):

BANNER ADS & BANDWIDTH:2011 -> http://hardware.slashdot.org/comments.pl?sid=2139088&cid=36077722 [slashdot.org]
HOSTS MOD UP:2010 -> http://yro.slashdot.org/comments.pl?sid=1907266&cid=34529608 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1490078&cid=30555632 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1869638&cid=34237268 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1461288&threshold=-1&commentsort=0&mode=thread&cid=30272074 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1255487&cid=28197285 [slashdot.org]
HOSTS MOD UP:2009 -> http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]
HOSTS MOD UP:2010 -> http://apple.slashdot.org/comments.pl?sid=1725068&cid=32960808 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1743902&cid=33147274 [slashdot.org]
APK 20++ POINTS ON HOSTS MOD UP:2010 -> http://news.slashdot.org/comments.pl?sid=1913212&cid=34576182 [slashdot.org]
HOSTS MOD UP:2010 -> http://it.slashdot.org/comments.pl?sid=1862260&cid=34186256 [slashdot.org]
HOSTS MOD UP:2010 (w/ facebook known bad sites blocked) -> http://tech.slashdot.org/comments.pl?sid=1924892&cid=34670128 [slashdot.org]
HOSTS FILE MOD UP FOR ANDROID MALWARE:2010 -> http://mobile.slashdot.org/comments.pl?sid=1930156&cid=34713952 [slashdot.org]
HOSTS MOD UP ZEUSTRACKER:2011 -> http://it.slashdot.org/comments.pl?sid=2059420&cid=35654066 [slashdot.org]
HOSTS MOD UP vs AT&T BANDWIDTH CAP:2011 -> http://tech.slashdot.org/comments.pl?sid=2116504&cid=35985584 [slashdot.org]
HOSTS MOD UP CAN DO SAME AS THE "CloudFlare" Server-Side service:2011 -> http://it.slashdot.org/comments.pl?sid=2220314&cid=36372850 [slashdot.org]
HOSTS and BGP +5 RATED (BEING HONEST):2010 -> http://tech.slashdot.org/comments.pl?sid=1901826&cid=34490450 [slashdot.org]
HOSTS & PROTECT IP ACT:2011 -> http://yro.slashdot.org/comments.pl?sid=2368832&cid=37021700 [slashdot.org]
HOSTS MOD UP:2011 -> http://yro.slashdot.org/comments.pl?sid=2457766&cid=37592458 [slashdot.org]
HOSTS MOD UP & OPERA HAUTE SECURE:2011 -> http://yro.slashdot.org/comments.pl?sid=2457274&cid=37589596 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1197039&cid=27556999 [slashdot.org]
0.0.0.0 IN HOSTS:2009 -> http://tech.slashdot.org/comments.pl?sid=1143349&cid=27012231 [slashdot.org]
0.0.0.0 in HOSTS:2009 -> http://it.slashdot.org/comments.pl?sid=1198841&cid=27580299 [slashdot.org]

---

* "Here endeth the lesson..." and, if you REALLY want to secure your system? Please refer to this:

http://www.bing.com/search?q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&go=&form=QBRE [bing.com]

APK

P.S.=> SOME MINOR "CAVEATS/CATCH-22's" - things to be aware of for "layered security" + HOSTS file performance - easily overcome, or not a problem at all:

A.) HOSTS files don't function under PROXY SERVERS (except for Proximitron, which has a filter that allows it) - Which is *the "WHY"* of why I state in my "P.S." section below to use both AdBlock type browser addon methods (or even built-in block lists browsers have such as Opera's URLFILTER.INI file, & FireFox has such as list as does IE also in the form of TPL (tracking protection lists -> http://ie.microsoft.com/testdrive/Browser/TrackingProtectionLists/ [microsoft.com] [microsoft.com] , good stuff )) in combination with HOSTS, for the best in "layered security" (alongside .pac files + custom cascading style sheets that can filter off various tags such as scripts or ads etc.) - but proxies, especially "HIGHLY ANONYMOUS" types, generally slow you down to a CRAWL online (& personally, I cannot see using proxies "for the good" typically - as they allow "truly anonymous posting" & have bugs (such as TOR has been shown to have & be "bypassable/traceable" via its "onion routing" methods)).

B.) HOSTS files do NOT protect you vs. javascript (this only holds true IF you don't already have a bad site blocked out in your HOSTS file though, & the list of sites where you can obtain such lists to add to your HOSTS are above (& updated daily in many of them)).

C.) HOSTS files (relatively "largish ones") require you to turn off Windows' native "DNS local client cache service" (which has a problem in that it's designed with a non-redimensionable/resizeable list, array, or queue (DNS data loads into a C/C++ structure actually/afaik, which IS a form of array)) - mvps.org covers that in detail and how to easily do this in Windows (this is NOT a problem in Linux, & it's 1 thing I will give Linux over Windows, hands-down). Relatively "smallish" HOSTS files don't have this problem (mvps.org offers 2 types for this).

D.) HOSTS files, once read/loaded, once GET CACHED, for speed of access/re-access (@ system startup in older MS OS' like 2000, or, upon a users' 1st request that's "Webbound" via say, a webbrowser) gets read into either the DNS local caching client service (noted above), OR, if that's turned off? Into your local diskcache (like ANY file is), so it reads F A S T upon re-reads/subsequent reads (until it's changed in %WinDir%\system32\drivers\etc on Windows, which marks it "Dirty" & then it gets re-read + reloaded into the local diskcache again). This may cause a SMALL lag upon reload though, depending on the size of your HOSTS file.

E.) HOSTS files don't protect vs. BGP exploits - Sorry, once it's out of your hands/machine + past any interior network + routers you have, the packets you send are out there into the ISP/BSP's hands - they're "the Agents" holding all the keys to the doorways at that point (hosts are just a forcefield-filter (for lack of a better description) armor on what can come in mostly, & a bit of what can go out too (per point #20 above on "locking in malware")). Hosts work as a "I can't get burned if I can't go into the kitchen" protection, for you: Not your ISP/BSP. It doesn't extend to them.

F.) HOSTS files don't protect vs. IP addressed adbanners (rare) &/or IP address utilizing malwares (rare too, most used domain/host names because they're "RECYCLABLE/REUSEABLE"), so here, you must couple HOSTS files w/ firewall rules tables (either in software firewalls OR router firewall rules table lists)... apk

Re:Adblock INFERIOR to custom HOST file ... apk (1, Funny)

Anonymous Coward | about a year ago | (#43247135)

Can a hosts file block apk's posts, though?

Re:Adblock INFERIOR to custom HOST file ... apk (-1)

Anonymous Coward | about a year ago | (#43247219)

The universe couldn't handle that much irony.

Want to know WHY my post's downmodded? (-1)

Anonymous Coward | about a year ago | (#43247289)

See here, explains it all -> http://tech.slashdot.org/comments.pl?sid=3561925&cid=43223585 [slashdot.org]

* :)

I.E./Summary: Trolls had a challenge put to them to validly disprove my points in the post I just replied to - result? Trolls FAIL... lol!

APK

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol, man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

Ah yes "geek angst" @ it's 'finest' (not), vs. facts & truths = downmod by /. weak trolls!

... apk

Want to know WHY my post's downmodded? (-1)

Anonymous Coward | about a year ago | (#43248123)

See here, explains it all -> http://tech.slashdot.org/comments.pl?sid=3561925&cid=43223585 [slashdot.org]

* :)

I.E./Summary: Trolls had a challenge put to them to validly disprove my points in the post I just replied to - result? Trolls FAIL... lol!

APK

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol, man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

Ah yes "geek angst" @ it's 'finest' (not), vs. facts & truths = downmod by /. weak trolls!

... apk

Re:Want to know WHY my post's downmodded? (0)

Anonymous Coward | about a year ago | (#43250533)

shut up you stupid cock. Everyone knows you're wrong.

Re:Want to know WHY my post's downmodded? (0)

Anonymous Coward | about a year ago | (#43250987)

Do you think you're responding to the real apk? Or do you think you're responding to a fake apk? Or do you even care?

Re:Want to know WHY my post's downmodded? (0)

Anonymous Coward | about a year ago | (#43254567)

I really don't care.

-same AC

Want to know WHY my post's downmodded? (-1)

Anonymous Coward | about a year ago | (#43250827)

See here, explains it all -> http://tech.slashdot.org/comments.pl?sid=3561925&cid=43223585 [slashdot.org]

* :)

I.E./Summary: Trolls had a challenge put to them to validly disprove my points in the post I just replied to - result? Trolls FAIL... lol!

APK

P.S.=> That's what makes me LAUGH harder than ANYTHING ELSE on this forums (full of "FUD" spreading trolls) - When you hit trolls with facts & truths they CANNOT disprove validly on computing tech based grounds, this is the result - Applying unjustifiable downmods to effetely & vainly *try* to "hide" my posts & facts/truths they extoll!

Hahaha... lol, man: Happens nearly every single time I post such lists (proving how ineffectual these trolls are), only showing how solid my posts of that nature are...

Ah yes "geek angst" @ it's 'finest' (not), vs. facts & truths = downmod by /. weak trolls!

... apk

Re:Want to know WHY my post's downmodded? (0)

Anonymous Coward | about a year ago | (#43291519)

hey apk, why haven't you responded to the time cube/adware guy? He issued you a challenge and so far you have been silent as far as I've seen. I want to see the epic post war with gigabytes of bold text and random links! I demand satisfaction!

Re:Adblock INFERIOR to custom HOST file ... apk (-1)

Anonymous Coward | about a year ago | (#43247601)

How do I use the hosts file to block you? Please enlighten me! I really, truly want to know!

Re:Adblock INFERIOR to custom HOST file ... apk (1)

Anonymous Coward | about a year ago | (#43248091)

127.0.0.0 slashdot.org

Re:People say I'm overly dramatic about my HOST fi (-1, Troll)

Anonymous Coward | about a year ago | (#43247097)

No, but I bet there's a hosts file entry for it...

Re:People say I'm overly dramatic about my HOST fi (-1)

Anonymous Coward | about a year ago | (#43247343)

||slashdot.org

Re:People say I'm overly dramatic about my HOST fi (1)

FatdogHaiku (978357) | about a year ago | (#43248739)

Not really but it always gets modded down to -1 so you might adjust your slashdot settings to hide -1 posts...

brain asplode! (1, Offtopic)

Thud457 (234763) | about a year ago | (#43247231)

oh man, that incredible interminable list of responses is almost as funny as the original post. This is getting to be truly epic. If there were any admins around any more that gave a damn, expect some ham-handed attempt at anti-trolling code soon -- that'll fuck /. up even further for everybody else.

Re:People say I'm overly dramatic about my HOST fi (-1)

Anonymous Coward | about a year ago | (#43247823)

Whether or not you have a point...

Don't you have anything better to do? You might want to seek some professional help - your obsession can't be healthy.

Get out the duct tape (1)

sl4shd0rk (755837) | about a year ago | (#43246959)

*sigh* "conflict between the web and the enterprise worlds." is another way of saying users complained when not given an option to aim at their foot.

Re:Get out the duct tape (1, Interesting)

jhoegl (638955) | about a year ago | (#43247697)

I stopped reading at "There is no standard".
Computers run on standards, there is no excuse for this.

host troll (-1, Offtopic)

Dark$ide (732508) | about a year ago | (#43246973)

Why does /. allow that troll to keep posting that shit? What happened to any form of moderation and control on here?

Re:host troll (1)

thelovebus (264467) | about a year ago | (#43247045)

What are you talking about? The original submitter? Eran Hammer? The blog being linked to?

I honestly don't know what you're referring to -- could you explain for those of us who are out of the loop?

Re:host troll (2)

EvanED (569694) | about a year ago | (#43247101)

I think it's a complaint about (and I hesitate to link to it) this post [slashdot.org] which keeps showing up story after story.

Last Post (4, Funny)

History's Coming To (1059484) | about a year ago | (#43247225)

That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.

Re:Last Post (1)

Anonymous Coward | about a year ago | (#43247333)

That's it, I've had enough. It's easy enough to filter this kind of crap out, but /. just don't seem to bother. Yes, I could simply browse at a higher level, but I've usually got mod points and browse at -1 as suggested for very good reasons. But if /. aren't prepared to deal with the most basic levels of spamming then I can't be bothered helping them out any more. Email address deleted, password changed to a long random string that I don't know, sig changed to indicate account has been deleted. Bye everyone, most of the last decade or so has been fun, but frankly, I quit.

Good to know. Weed out the thin-skinned people, I always say. People who don't actually understand how tricky a problem spam filtering really is, people who can't deal with the internet in general, people who feel the need to get on a soapbox and announce the significantly massive amounts of them not being around anymore everyone else is about to experience (ooo, how impressive and scary!). Sorry, who were you again and why do we care? I missed that part.

Re:Last Post (1)

noh8rz10 (2716597) | about a year ago | (#43248309)

i thought the whole point of slashdot posts is that it was a free-for-all, self-moderated through the mod point / threshold approach. they also limit posting from people with low karma (not filtering by post content, but just quieting the low karma people). also, you can block ACs while not changing your viewing threshold. There are many options!

although personally I don't like the posting limits on low karma people. I think this encourages slashdot group-think, where if you speak up against whatever ideas are generally popular (android, google) or speak for unpopular peeps (MS, apple sometimes) you get downvoted and essentially shushed by low karma. This has frustrated me in the past.

tldr, don't give up hope! make a new id, filter reasonably, and enjoy!

Re:Last Post (0, Flamebait)

Anonymous Coward | about a year ago | (#43247481)

So basically what you're saying is that you've added yourself to the HOST file?

Re:Last Post (1)

noh8rz10 (2716597) | about a year ago | (#43248241)

bahahaha I can't believe this was downvoted.

Re:Last Post (0)

Anonymous Coward | about a year ago | (#43250413)

Good riddens to you. Can't be bothered to browse at "0", throws a tantrum.

Re:Last Post (0)

Anonymous Coward | about a year ago | (#43250799)

You should add Slashdot to your HOST file to keep yourself from coming back.

Re:host troll (0)

Anonymous Coward | about a year ago | (#43247071)

What are you talking about?

Re:host troll (0)

Anonymous Coward | about a year ago | (#43247399)

His name is apk & he's been posting it for over 4 years. Here's one from 2009:

http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]

He keeps adding new stuff on so it keeps growing longer and longer as the years pass.

Re:host troll (2)

Spottywot (1910658) | about a year ago | (#43247765)

His name is apk & he's been posting it for over 4 years. Here's one from 2009:

http://tech.slashdot.org/comments.pl?sid=1206409&cid=27661983 [slashdot.org]

He keeps adding new stuff on so it keeps growing longer and longer as the years pass.

A bit like a Hosts file then? I hate trolls but I do admire that level of dedication.

Genius (1, Offtopic)

Synerg1y (2169962) | about a year ago | (#43247077)

Step one: Make digital card game.
Step two: Print cards and sell them.
Step three: Profit more from WOW.

Re:Genius (5, Funny)

GLowder (622780) | about a year ago | (#43247107)

Step four: suddenly realize you posted under wrong article

Re:Genius (1)

Synerg1y (2169962) | about a year ago | (#43247277)

So I did :)

totally secure == powered off (1)

mt1955 (698912) | about a year ago | (#43247117)

OAuth is ugly to implement, no argument there.

Most of the points made in the article were interesting and seemed valid to me, but near the conclusion it felt like the author was reaching a bit by ignoring the refresh token concept to make the final point.

The threat of a hacked browser was a bit of an eye opener for me -- never heard that one brought up as a possibility while working on an OAuth implementation for a client.

Re:totally secure == powered off (1)

kldavis4 (585510) | about a year ago | (#43247203)

I agree about the hacked browser. I think one of the main arguments by Eran against OAuth2 is that it is basically broken for mobile applications (non-web) and this is just another of the ways it is broken.

Re:totally secure == powered off (-1)

Anonymous Coward | about a year ago | (#43247287)

OAuth's whole point is to not type in your passwords, and then this guy's solution is to create a whole slew of new user/passwords to type in on 3rd party sites. This is just as susceptible to an embedded browser attack. In fact, OAuth is less susceptible, because if you are using your browser you should already be authenticated; if you are prompted for a log in, you should be suspicious that the log in is not happening in your real browser session.

Yes, some of his comments are valid, but he offers no real alternative. His claims about APUI make him seem like he doesn't understand OAuth at all. Of course you need some user interaction to initially authorize the 3rd party service. But after that the 3rd party can use a refresh token to use the user-granted API to process work in the background without any user interaction. I use this with Google APIs all the time.

Re:totally secure == powered off (3)

DeFender1031 (1107097) | about a year ago | (#43247473)

You miss the point. He says to have the user create separate passwords from the primary one, with restricted permissions, and give a different managed password to each application. That way, if the application misbehaves, the user themselves can remove that password without having to affect anything else.

Re:totally secure == powered off (0)

Anonymous Coward | about a year ago | (#43249325)

You idiot. There is no creating accounts with separate permissions. That's exactly why OAuth was created. Any account you create for the vast majority of sites would have the same permissions as any other account. This is assuming you can even create multiple accounts for the same data.

Re:totally secure == powered off (1)

hazah (807503) | about a year ago | (#43249487)

Before you call others "idiot" perhaps you should actually understand what they're saying, idiot.

Re:totally secure == powered off (0)

Anonymous Coward | about a year ago | (#43249911)

is that a recursive insult

Re:totally secure == powered off (1)

hazah (807503) | about a year ago | (#43250233)

Nope.

Re:totally secure == powered off (2)

DeFender1031 (1107097) | about a year ago | (#43252687)

Again, you miss the point. The point isn't separate accounts. The point is, you have a user account, say "JoeCool", and a password, say "12345". Your system allows Joe, when logged in under that password, to create a secondary password, 67890, which, when logged in with, only allows limited access. Joe can then give "67890" as a password to a third-party application, which will then have only limited access. If the application misbehaves, Joe can remove the "67890" password, thus locking out the malicious application while keeping his primary password secure, along with any other secondary passwords he's generated for other applications. That's the system being described and that's a system which would avoid a heck of a lot of headache.

And I'd appreciate not being called names by someone who hasn't even taken the time to understand what's being said.

Re:totally secure == powered off (0)

Anonymous Coward | about a year ago | (#43267023)

But that's what they're saying. OAuth => you don't type a password. If you want to deal with application-specific or tiered passwords, then that's fine (and necessary for services that don't support OAuth), but it's unrelated to the OAuth conversation as far as I can tell.

Re:totally secure == powered off (1)

Xeger (20906) | about a year ago | (#43257763)

A separate password for each application, is exactly what an OAuth refresh token is. The user is free to revoke the corresponding grant at any time.

Re:totally secure == powered off (1)

DeFender1031 (1107097) | about a year ago | (#43260481)

True, that's exactly what it is, but with a lot of cruft surrounding it as well. It requires a web browser to facilitate the connection, rather than the user just copying a password to wherever it's needed; it requires that the third-party application which wants to authenticate needs its own domain and its own server, instead of just being able to be a standalone application which can authenticate directly. Because of this, it's just a mess of a system. What the author is suggesting is to leave the part of it that's based on a solid security foundation intact (the part that says "separate keys for each application with limited access") but remove all of the insanity around it that adds no extra security and just serves to confuse the issue and limit its usability.

Re:totally secure == powered off (1)

silas_moeckel (234313) | about a year ago | (#43247321)

If you have hacked the browser or machine you have an issue. For the browser there are a slew of APIs, dependent on OS, that let there be separation so that a browser exploit is limited to allowing authentication while that browser remains open but never exposes the base digital certificates. Smart cards take that further by never exposing the private key to anybody.

As to APUI vs API, OAuth was never meant to be an end all and be all of authentication. Designing something to let arbitrary systems share data with fine grained arbitrary controls is a huge project that has not really been done well by anybody yet.

WTF was that? (2)

antifoidulus (807088) | about a year ago | (#43247215)

The author's biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....? It was never designed for enterprise-level permissions management (there are plenty of other solutions for that). And his solution (copying and pasting tokens) is worse than the disease. It would be easier to go phishing with copied and pasted tokens than it is with OAuth, where the login is automatic and tokens/applications can be revoked by the site that manages the account....

I think someone is just bitter and decided to take it out on a protocol.

Re:WTF was that? (4, Interesting)

Anonymous Coward | about a year ago | (#43247465)

I think the key point of the article is the first part, the "APUI" section. OAuth is "fine" when used for authentication by a user for a service based on a web browser. However, it is increasingly being applied at the "API" level (where services and applications interact, not users). It doesn't work _at all_ at this level.

I agree that the enterprise level permissions bit is pushing things, but the rest of the article is spot on.

Re:WTF was that? (1)

Anonymous Coward | about a year ago | (#43249353)

Wrong, API works fine. I use it with Google APIs. Once the user grants auth, you can call their APIs without any user interaction when they're not even logged in. It all depends upon the permissions they grant you.

Re:WTF was that? (0)

Anonymous Coward | about a year ago | (#43254287)

Correct, but you have to allow the user to auth directly with the service first, which sucks from an iOS or Android app.

That's what is meant by API. It requires a browser to instantiate the connection.

Re:WTF was that? (1)

Trails (629752) | about a year ago | (#43251883)

Actually two-legged OAuth is pretty straightforward and works just fine for me

Re:WTF was that? (3, Insightful)

Anonymous Coward | about a year ago | (#43247613)

The author's biggest complaint about OAuth is that it doesn't do what it was never designed to do....and this is a problem because....?

Because people are, with great gusto, actually using it for what it was never designed to do.

Auth belongs in the browser (5, Insightful)

jeremylichtman (1717920) | about a year ago | (#43247281)

I've implemented sites that use a variety of third party authentication schemes. It's a nuisance for users (multiplicity of accounts, more insecure passwords to remember etc) and a nuisance for developers. Why are we still doing this? Authentication (and user profiles for that matter) belong in the user's browser. I'm not talking about Chrome's password wallet. I'm talking about a certificate-based system that allows the user to control from their end which sites are authenticated, and what data they should have access to. Sites would then implement a simple API (possibly combined with meta data on the front end to let the browser know details) that would allow for login, signing up, or changing particulars. The process could be made completely transparent for users. I have this partially implemented as an insecure proof of concept browser plugin. It wouldn't take too much work to get it running, although it really should be core browser functionality instead.

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43247721)

Are you a shill for Mozilla [wikipedia.org] ?

Re:Auth belongs in the browser (2)

Lennie (16154) | about a year ago | (#43250213)

I don't know if he is a shill, but can you tell me what you don't like about BrowserID? That could be a lot more interesting discussion.

Re:Auth belongs in the browser (2)

jeremylichtman (1717920) | about a year ago | (#43252305)

I'm not a shill for anyone. Hmm. Maybe for myself. BrowserID uses emails for authentication. Why do we even need to have that? What if you want to change your email address? And why should websites have your email address unless you want them to do so? What I had in mind was that users can create any number of profiles for themselves on their browser, each with a flexible set of fields for things like their name, and each field having privacy options. They then can register that profile on a given website; view a list of sites that are authenticated against a given profile; change privacy options for any given field/website combination without going to the site; deregister from a site etc etc. The key is that everything would happen through some kind of negotiated and secure back-channel. Advantages include heightened privacy for users, the ability to have many profiles (each of them having some kind of unique identifying certificate) that can be used globally, and the ability to be able to manage their internet identity from their own end.

Re:Auth belongs in the browser (1)

Lennie (16154) | about a year ago | (#43258999)

I think this is their reasoning:

1. one of the reasons OpenID failed is because people did not associate website/webpage with identity, BrowserID uses an email address, which is already very directly associated with an identity by many people

2. email addresses are already used on many, many websites, because of password recovery. Even with Facebook Connect/oAuth people will take the email address from the identity provider and record it (yes, it is already provided in most situations !).

3. with current free email providers, you can create as many identities as you like. So your privacy problems could be handled that way.

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43248155)

And while we're at it we could store the auth in the browser and add extra HTTP header fields (X-Auth-Credentials and X-Auth-Handler) that contain the username, auth handler, and session id secured with a crypto hash (HMAC-SHA256 with a nonce).

Face it, auth left the browser when webforms and cookies entered the scene.

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43248837)

Hasn't this been tried with Information Card [wikipedia.org] ? It was an open standard with support from some big names (e.g. MS) and a huge amount of good work was done, but it seems to have died on its arse. Maybe you should look at why this failed.

Re:Auth belongs in the browser (1)

jeremylichtman (1717920) | about a year ago | (#43252343)

Something along these lines. The problem is that there's a proliferation of authentication schemes owned by various companies, and implemented in a scattershot fashion. What is really needed is a standard that can be implemented by many vendors, and that allows users to control their own data.

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43253373)

What is really needed is a standard that can be implemented by many vendors, and that allows users to control their own data.

That's exactly what Information Card was. It's an open standard with no fees. The big vendors gave patent guarantees. There were many interoperating implementations. And, surprisingly, it had a really nice user-focussed design putting users in control.

The federated identity aspects of the standard seem to have evolved into OpenID. Which is widely used, but all of the larger sites want to be identity providers rather than acceptors, so users still need multiple identities.

I'm not sure why the card stuff failed. Possibly because it ties identity to a single client device?

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43250501)

Microsoft LiveID for the win

Re:Auth belongs in the browser (0)

Anonymous Coward | about a year ago | (#43252245)

lastpass.com FTW!

Fresh and objective? (0)

Anonymous Coward | about a year ago | (#43247341)

I would call this neither "fresh" nor "objective".

The author rehashes some well known issues with the OAuth protocol - I assume OAuth 2.0, though he really should make the distinction explicit, makes some contradictory complaints - "Waah, it's too flexible! Waah, it's not flexible enough!", and recommends some simpler "solutions" that conveniently don't address the problems he raises at all.

OAuth 2.0 does not provide a plug-and-go interoperable protocol, and many people, including the original RFC editor Eran Hammer, regard that as a failure.
On the other hand, it provides a framework you can pick-and-choose from to create a perfectly decent authorization API, and it will likely be more sound and familiar to developers than if you had just winged it and created your own.

Re:Fresh and objective? (1)

sjames (1099) | about a year ago | (#43252137)

So it's a metastandard? Standards compliance really should imply inter-operability. If two implementations of a standard can both be certified as compliant and yet cannot communicate, the standard needs to be tightened or clarified. If that is not desired or if inter-operation isn't a goal, then it may be something, but it is not a standard and should not call itself one.

Use TLS and stop being stupid (0)

Anonymous Coward | about a year ago | (#43247959)

In 2013 the world still has a love affair with CHAP and assorted completely broken and useless authentication protocols. Any authentication protocol not cryptographically bound to the underlying transport is total crap, yet at this very moment lots of people are hard at work inventing more useless crap.

The more fundamental problem is web doods who think they know shit about anything are the ones working on these schemes... god forbid they ever have to move outside of their comfort zone and understand something they did not invent (TLS). Instead we get layers upon layers of insecure garbage only semantically different than the garbage that came before it.

If you want external software to be able to identify you then use a goddamn client certificate.
You know, that old shit that has been around for decades. The only thing untrusted software vendors have to do is make sure they're not vulnerable to CSRF. Getting some central authentication database to hand out pk12 files is trivial (and probably more secure than oauth) .. then importing these files directly into the browser of your choice usually takes a few seconds.

With client certs there are no credentials for the "untrusted" entity to steal; if they do this all they get is some assurance that you are who you say you are. The rest of it is unnecessary scope creep. Untrusted entities interacting with other untrusted entities on your behalf is a recipe for untrusted disaster. Most of TFA's gripes are actually a failure to understand fundamentals (garbage in = garbage out), not the fault of oauth, for as crappy as oauth is.

oAuth vs SAML 2.0 (0)

Anonymous Coward | about a year ago | (#43249849)

Dismissing mobile apps, and non-browser based apps....

I never really understood what oAuth brought to the table that SAML 2.0 did not. I've done several SAML integrations (from the IdP side), and was impressed with the ability to build a 1 size fits all, at least on the enterprise level.

Why the rush to oAuth and not SAML 2.0?

Exchange 2013 and OAuth (0)

Anonymous Coward | about a year ago | (#43249951)

Exchange 2013 has moved to OAuth for server to server communication, ie, to Sharepoint, Lync, etc. I'm trying to wrap my head around what this guy is saying and how that has anything to do with the OAuth that is employed by the new Office Servers Suite from MS. Because like it or loath it, most companies use Exchange nowadays.

Blogspot? Really? (0)

TwistedGreen (80055) | about a year ago | (#43251075)

Some guy's rant on Blogspot is news? I guess the "stuff that matters" tagline doesn't apply anymore...

Re:Blogspot? Really? (0)

Anonymous Coward | about a year ago | (#43251307)

Some guy's rant on Blogspot is news? I guess the "stuff that matters" tagline doesn't apply anymore...

You must be new here.

Re:Blogspot? Really? (0)

Anonymous Coward | about a year ago | (#43252381)

Dude is one of ZSNES codevs, I always thought that he has interesting insights.

This is a bad article (1)

ChaseTec (447725) | about a year ago | (#43251573)

The author makes no distinction between OAuth 1.0a and OAuth 2.0. One of the spec leads did rage quit, not because of how bad OAuth is in general but because of all the "enterprise" help in version 2.0. Saying there is no standard is also dumb; yes, version 2.0 can suffer from incompatible implementations, but version 1.0 is pretty straightforward, the standard is right here: http://tools.ietf.org/html/rfc5849 [ietf.org] . The suggestion that we should just stick to HTTP Basic Authentication over SSL/TLS shows that the author doesn't get OAuth. The whole point is that apps shouldn't have your passwords to do what you ask them. Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.
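
The request-signing step that the RFC 5849 link above describes (OAuth 1.0 with the HMAC-SHA1 method), as an added example; this is not code from the article, the post or any OAuth library. The sample request follows the shape of the example in RFC 5849 section 3.4.1 (a POST with both a query string and a form body), and the consumer secret and token secret are made up for this illustration. It shows both sides: the client building the signature base string and signing it, and the server recomputing the signature from what it received and comparing in constant time.

```python
"""OAuth 1.0 (RFC 5849) HMAC-SHA1 request signing and verification (added example)."""
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample request, modelled on RFC 5849 section 3.4.1; secrets are made up.
SAMPLE_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
SAMPLE_BODY = "c2&a3=2+q"                     # application/x-www-form-urlencoded
SAMPLE_OAUTH_PARAMS = {
    "oauth_consumer_key": "9djdj82h48djs9d2",
    "oauth_token": "kkk9d7dh3k39sjv7",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "137131201",
    "oauth_nonce": "7d8f3e4a",
}
CONSUMER_SECRET = "consumer-secret-example"   # constructed
TOKEN_SECRET = "token-secret-example"         # constructed


def pct(s: str) -> str:
    """RFC 5849 section 3.6 encoding: only ALPHA / DIGIT / '-' / '.' / '_' / '~' stay bare."""
    return quote(s, safe="")


def base_string_uri(url: str) -> str:
    """Section 3.4.1.2: lowercase scheme and host, default port dropped, no query or fragment."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    host = u.hostname.lower()
    if u.port is not None and u.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{u.port}"
    return f"{scheme}://{host}{u.path or '/'}"


def signature_base_string(method: str, url: str, oauth_params: dict, body: str = "") -> str:
    """Section 3.4.1: METHOD & pct(base URI) & pct(normalized parameters)."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)   # only form-encoded bodies are included
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    # Section 3.4.1.3.2: encode name and value, sort by name then value, join with '=' and '&'.
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_string_uri(url)), pct(normalized)])


def hmac_sha1_signature(base_string: str, consumer_secret: str, token_secret: str = "") -> str:
    """Section 3.4.2: key is pct(consumer secret) & pct(token secret); output is base64."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def sign_request(method: str, url: str, oauth_params: dict, consumer_secret: str,
                 token_secret: str = "", body: str = "") -> dict:
    """Client side: return the oauth_* parameters with oauth_signature filled in."""
    base = signature_base_string(method, url, oauth_params, body)
    return dict(oauth_params, oauth_signature=hmac_sha1_signature(base, consumer_secret, token_secret))


def verify_request(method: str, url: str, oauth_params: dict, consumer_secret: str,
                   token_secret: str = "", body: str = "") -> bool:
    """Server side: recompute from the received request and compare in constant time.

    A real verifier also rejects stale oauth_timestamp values and reused oauth_nonce
    values for the same key (section 3.3); that bookkeeping is omitted here.
    """
    presented = oauth_params.get("oauth_signature", "")
    base = signature_base_string(method, url, oauth_params, body)
    expected = hmac_sha1_signature(base, consumer_secret, token_secret)
    return hmac.compare_digest(presented.encode(), expected.encode())


if __name__ == "__main__":
    print(signature_base_string("POST", SAMPLE_URL, SAMPLE_OAUTH_PARAMS, SAMPLE_BODY))
    signed = sign_request("POST", SAMPLE_URL, SAMPLE_OAUTH_PARAMS, CONSUMER_SECRET, TOKEN_SECRET, SAMPLE_BODY)
    print(signed["oauth_signature"],
          verify_request("POST", SAMPLE_URL, signed, CONSUMER_SECRET, TOKEN_SECRET, SAMPLE_BODY))
```

Because the body and query parameters are part of the base string, any change to them after signing (a tampered form field, a different endpoint) invalidates the signature, and because the secrets never leave either party, the signature itself is the only thing that crosses the wire.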

Re:This is a bad article (0)

Anonymous Coward | about a year ago | (#43252049)

The whole point is that apps shouldn't have your passwords to do what you ask them.

This is why god created X509 certificates back in the days when basic encoding rules were hip, when dinosaurs and man cohabited the earth.

Passwords are insecure and we shouldn't be giving them to every single application that wants them no matter how useful the app. We need delegation and permission revoking.

I think this line of thought is part of the problem.

Don't try for a complex horizontal solution; instead punt concepts such as delegation and revocation to the application.

To use the calendar analogy if I want to grant x y and z permission to a b and c users then I need to tell my calendar my wishes with calendar specific details it understands. Ditto if I later change my mind.

It is hopeless to think you will be able to develop a solution to communicate these things in a common language that is not so bloated nobody would be able to understand, let alone implement, it. This is about as productive as REST over HTTP in achieving any measure of horizontal reuse. The only reuse should be in the form of identifier specifications.

The key to system to system interaction is orchestration. I don't for example ever tell my calendar to go do something else to another system on my behalf. Either myself or a trusted agent with a certificate signature to prove my trust in the agent handles all system to system interaction.

Those people who see the need to grant system x to do 1, 2 and 3 to systems a b and c on my "behalf" have already failed. The resulting specification will simply be a reflection of that failure regardless of how smart the people writing it are.

Re:This is a bad article (1)

efalk (935211) | about a year ago | (#43253585)

Agreed.

Can anybody explain what's wrong with just using OAuth 1?

Native apps == insecure (2)

shirikodama (2670887) | about a year ago | (#43251687)

I brought this up with the OAuth working group and got snarled at by lots of people including Eran Hammer. It's nice to see that other people are noticing the same problems. When you have a native app, you can show the user anything to get their confidence, and with some work get their credentials, including apps with webviews. OAuth's security model was not designed with native apps in mind; it was designed for ~trustable web browsers. This isn't surprising because OAuth was designed before the current fad for native apps happened, around 2006-2007 when the world was all browsers all the time.

Re:Native apps == insecure (1)

DeFender1031 (1107097) | about a year ago | (#43261037)

Exactly. And the people commenting that "you should never have a hacked browser" don't get that it's referring to native apps which embed a browser to mislead you rather than, say, a spyware-infested version of firefox. Of course you shouldn't have the latter, but for the former, anyone can make an app that imitates anything.

Not complex; not broken; not meant for enterprise (1)

Xeger (20906) | about a year ago | (#43257861)

IMHO, the only legitimate points in this gentleman's post are: (1) a compromised browser defeats OAuth, and (2) OAuth isn't mobile-friendly because it requires browser interaction to gain user consent to grant access.

While both of these are true, Web browsers are ubiquitous; OAuth is a Web standard. You can abuse it slightly to make it work with mobile devices (see "access code grant") but really, it was not intended to be a be-all end-all authorization mechanism.

Likewise, claims that the protocol isn't "enterprise-friendly" are somewhat silly. OAuth was not intended for fine-grained authorization within an authentication or trust domain. It's for cross-domain (cross-application) grants, between unrelated apps, under the assumption that all three parties in the transaction are basically unrelated.

If an executive wants to delegate calendar permissions to his secretary, he should *just do it* by clicking a checkbox on Microsoft Outlook or whatever product they use for scheduling, which no doubt has its own rich permissions system and obviously has its own authentication mechanism. There's no need for a Web standard to facilitate this use case!

As for claims that "there is no standard" -- that's entirely true. There is a draft standard, which presumably will eventually be ratified by IETF once we have all had a chance to play with the technology and suggest improvements. Standards are not an item of worship; they're just a way to ensure that a protocol has had a reasonable degree of scrutiny, has no undisclosed patent encumbrances, etc. I've heard people accuse OAuth of being complex or flawed, but never fundamentally insecure.

Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap. Then we can talk about complexity.

(Disclaimer: yes, I do read security standards in the bath, and I create toy implementations of security protocols and algorithms for fun. That probably makes me mentally ill.)

Re:Not complex; not broken; not meant for enterpri (1)

DeFender1031 (1107097) | about a year ago | (#43260425)

If people were only using OAuth for web-to-web communication, I don't think those issues would have been raised. But many of the big players have their "API"s based on it. Take a look at this thread [citrixonline.com] on Citrix's development site for example. Here, there's a service which is hardly web-based; pretty much the only thing web-based about it is that you join meetings by browsing to a URL, and yet the only authentication model they provide for their "API" is OAuth. This is wrong. It's not what OAuth was designed for. And yet it's what's being used. If people would stick to its intended purpose when using it, there would be no problem, but this is hardly the case.

Re:Not complex; not broken; not meant for enterpri (1)

manu0601 (2221348) | about a year ago | (#43260639)

Frankly, anyone who thinks the OAuth draft RFC is complex, should choose a dozen or so documents from the SAML protocol suite, relax in a hot bath, and read through several hundred pages of THAT claptrap.

Indeed the spec is huge, but it works extremely well. I must confess I still do not understand why OAuth exists since we have SAML.

This is an old issue... (0)

Anonymous Coward | about a year ago | (#43322905)

The problem of storing the Application Key & Secret on the device initiating the protocol is the same with OAuth1 or OAuth2. Eran Hammer's rant was not about this at all. It's an old issue that can't really be fixed today. Check this out: http://arstechnica.com/security/2010/09/twitter-a-case-study-on-how-to-do-oauth-wrong/
