pouët.net

sceneid.net: OpenID fairy dust for the demoscene

category: general [glöplog]
1. too many people have SceneID registered to simply say "we're following another principle from now on and your data is handled by someone else" - true, there was no EULA when one signed up (or when data was imported from pouet), but still... "you don't have to use it" is kind of an awkward duck-out in this case.

2. considering that people comment on livejournal with "sceneopenid", i'd assume several new sites are easily pluggable into the system, which might as well mean that anyone who wants to create a sceneid compatible but scene-related site can easily do that and receive sceneid data. sure, it might be a well controlled way, but it still means that the entire concept of scene.org deciding which portals are part of the system and which are not is gone.
added on the 2007-12-06 17:22:35 by Gargaj Gargaj
Quote:
"you don't have to use it" is kind of an awkward duck-out in this case.


No, it's not. It's a perfectly valid argument and that's the whole point. Assuming there's no giant gaping security hole in either scene.org or sceneid.net, the account data of any person not using their SceneID as OpenID are perfectly safe. There's no chance to somehow get the credentials or account info of any person who's not actively choosing to do so.

The only "hole" in this case may be the Attribute Exchange stuff, but this can also be handled with sensible defaults and a strict opt-in policy.

added on the 2007-12-06 17:29:07 by kb_ kb_
gasman, just remove the "If you don't have a SceneID, get one from scene.org" line so we reduce the one real chance the system gets abused: "hordes of people signing into scene.org because it's such a nice, cheap and obscure openid provider" ;)
added on the 2007-12-06 17:35:58 by kb_ kb_
let's unroll the concept a bit:
- sceneid is scene.org authorized, which means that if a site uses sceneid, scene.org endorses it, and it's easily backtrackable if a site does something wrong.
- if a user sees a sceneid logo on a site, he can easily find out whether that site is _really_ endorsed by scene.org as a sceneid backend.
- with openid, _any_ site can connect to sceneid, or forge a backend that looks like sceneid and phish data.

do we really want to get rid of the control?
added on the 2007-12-06 17:41:19 by Gargaj Gargaj
Quote:
"we're following another principle from now on and your data is handled by someone else"

None of your data is passed on to the destination site unless you explicitly allow it.

Or if by "someone else" you're referring to me / sceneid.net, then yes, when you log in to sceneid.net it slurps in all your profile information from scene.org. I'm not scene.org staff, so I can understand that someone could conceivably have a problem with this. On the other hand, 1) I'm only using the data that scene.org are sharing to everyone anyway via their public API, and 2) being a pouet admin probably makes me as near to scene.org staff as makes no difference in this situation :-).

Quote:
it still means that the entire concept of scene.org deciding which portals are part of the system and which are not is gone.

Is that actually an intended design feature of SceneID though? I thought that was just because a centralised system was a lot easier to build than a decentralised one.
added on the 2007-12-06 17:49:01 by gasman gasman
So, if I get it right (although I did not read the whole thread), that ID thing would be Gasman's means to take over most demoscene websites and plunder their DB to Demozoo's benefit? ;) ;) ;)
added on the 2007-12-06 17:54:05 by keops keops
Quote:
Is that actually an intended design feature of SceneID though? I thought that was just because a centralised system was a lot easier to build than a decentralised one.

the IP-based filtering for sites kinda hints towards it I guess, plus having sceneid.net handling the whole thing doesn't make it any less centralized.
added on the 2007-12-06 17:57:02 by Gargaj Gargaj
I will never buy into this "I have nothing to hide" concept. Be it web-tracking via "passports" or irl tracking via cameras.

Sure, you say the integrity is never jeopardized, because hey! You can choose yourself what sites you want to log in to and export/import data from! You are *SAFE*.

Yeah right! OpenID/whatever would be a big problem to use if you care about your integrity. You will need (I assume) a unique OpenID account per site you use. You will need to use multiple e-mail addresses where the domain names aren't connected. You will have to fake your private details such as names and nicknames if they are either connected to each other at some account or if they are unique from your "position" (depends what the searcher is looking for).

I really can't see how you could implement a thing like OpenID with personal integrity AND the flexibility you need to make it useful.
added on the 2007-12-06 18:16:03 by Hatikvah Hatikvah
BB Image
added on the 2007-12-06 18:22:38 by Zest Zest
Anonymity is never really considered a legitimate concern.
added on the 2007-12-06 18:31:46 by doomdoom doomdoom
Quote:
OpenID/whatever would be a big problem to use if you care about your integrity. You will need (I assume) a unique OpenID account per site you use. You will need to use multiple e-mail addresses where the domain names aren't connected. You will have to fake your private details such as names and nicknames if they are either connected to each other at some account or if they are unique from your "position" (depends what the searcher is looking for).


So... exactly the same steps that you would have to take to create an untraceable new identity on a normal non-openid-enabled site, then.
added on the 2007-12-06 18:43:27 by gasman gasman
Gargaj, for the sake of a healthy flamefest let's take the whole thing, turn it 180 degrees and spit it out again:

What is it with the "control" you're talking about anyway? I mean, nice concept and all, keeping sceneid confined to a select handful of sites and controlling who is able to access profile data or even (and that's what OpenID is about) confirm that a given account is existent, but:

Exactly what authority has scene.org over MY account data? I'm sorry, but IF anyone is authorized to control where MY personal information goes, it's ME. Not scene.org (even if its staff consists of cool people ;), and not anyone else. So - your point being?
added on the 2007-12-06 18:47:46 by kb_ kb_
Quote:
- with openid, _any_ site can connect to sceneid, or forge a backend that looks like sceneid and phish data.


No, actually it can't. Let's break down the protocol - assuming i want to leave an LJ comment with my SceneID:

- i type "kb.sceneid.net" into the OpenID account name form and press the submit button (yes, by this i have chosen to trust LJ enough to let them know my SceneID account name)
- LJ contacts sceneid.net and asks if the account exists
- sceneid.net replies to LJ "yes it does, here's a URL for logging in"
- LJ tells my browser to redirect me to sceneid.net's login page (and i'll check the URL in the address bar, thankyouverymuch)
- I log in at sceneid.net
- sceneid.net tells LJ "yes, credentials are valid, good luck"
- I get redirected back to LJ and can now post as kb.sceneid.net

So. At what point can you phish for all my data? And if you can, how is that easier than simply forging a site with a fake SceneID login form which then looks up everything itself from scene.org (by faking a normal user login)?
added on the 2007-12-06 18:57:24 by kb_ kb_
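kb_'s walkthrough above, as an added example that is not part of this thread and not sceneid.net's or LiveJournal's code: a toy Python simulation of the OpenID 2.0 exchange with a relying party, a provider and the user's browser in between. The hostnames, the password and the discovery table are constructed; association and signing follow the spec's HMAC shape but are simplified (no Diffie-Hellman key exchange, no check_authentication fallback). It shows the three properties the post relies on: the password only ever reaches the provider, a backend at an endpoint other than the one discovery bound to the identifier cannot produce an assertion the relying party accepts, and a replayed assertion is refused.

```python
"""Toy simulation of the OpenID 2.0 login exchange kb_ walks through.
Constructed example; none of this is sceneid.net's or LJ's code."""
import hashlib
import hmac
import secrets

# Constructed discovery table: which provider endpoint is authoritative for
# which identifier. A real RP derives this from the identifier URL (Yadis/HTML).
DISCOVERY = {"kb.sceneid.net": "https://sceneid.net/openid/endpoint"}
OPENID_NS = "http://specs.openid.net/auth/2.0"


def sign(key: bytes, fields: dict) -> str:
    """HMAC-SHA256 over the key-value form of the fields listed in 'signed'."""
    body = "".join(f"{k}:{fields[k]}\n" for k in fields["signed"].split(","))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class Provider:
    """OpenID provider. It alone holds the password; the RP never sees it."""
    def __init__(self, endpoint: str, users: dict):
        self.endpoint = endpoint
        self._users = users          # identifier -> password (constructed)
        self._assocs = {}            # assoc_handle -> shared MAC key

    def associate(self):
        """RP and OP agree on a MAC key; only the handle travels via the user."""
        handle, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._assocs[handle] = key
        return handle, key

    def checkid_setup(self, handle, identity, return_to, password):
        """Steps 5-6: the user logs in here, and the OP signs a positive assertion."""
        if self._users.get(identity) != password:
            return None
        fields = {"ns": OPENID_NS, "mode": "id_res", "op_endpoint": self.endpoint,
                  "claimed_id": identity, "identity": identity,
                  "return_to": return_to, "response_nonce": secrets.token_hex(8),
                  "assoc_handle": handle}
        fields["signed"] = ",".join(fields)      # every field above is signed
        fields["sig"] = sign(self._assocs[handle], fields)
        return fields


class RelyingParty:
    """The site accepting the login (LJ in the walkthrough)."""
    def __init__(self, return_to: str):
        self.return_to = return_to
        self._assocs = {}            # (op_endpoint, handle) -> MAC key
        self._seen_nonces = set()

    def start_login(self, identifier: str, provider: Provider):
        """Steps 1-4: discover the OP for the identifier and send the user there."""
        endpoint = DISCOVERY[identifier]
        handle, key = provider.associate()
        self._assocs[(endpoint, handle)] = key
        return endpoint, handle

    def finish_login(self, fields):
        """Step 7: verify the assertion. Returns the identifier or None."""
        if fields is None or fields.get("ns") != OPENID_NS:
            return None
        # The asserting endpoint must be the one discovery bound to the claimed id,
        # so a look-alike backend elsewhere is refused whatever it signs.
        if fields["op_endpoint"] != DISCOVERY.get(fields["claimed_id"]):
            return None
        key = self._assocs.get((fields["op_endpoint"], fields["assoc_handle"]))
        if key is None or fields["return_to"] != self.return_to:
            return None
        if not hmac.compare_digest(fields["sig"], sign(key, fields)):
            return None
        if fields["response_nonce"] in self._seen_nonces:   # replayed assertion
            return None
        self._seen_nonces.add(fields["response_nonce"])
        return fields["claimed_id"]


def run_flow(password, rp=None):
    """Drive the exchange end to end; the password goes only to the provider."""
    rp = rp or RelyingParty("https://lj.example/openid/return")
    provider = Provider(DISCOVERY["kb.sceneid.net"], {"kb.sceneid.net": "correct horse"})
    endpoint, handle = rp.start_login("kb.sceneid.net", provider)
    assert endpoint == provider.endpoint       # what the user checks in the address bar
    assertion = provider.checkid_setup(handle, "kb.sceneid.net", rp.return_to, password)
    return rp.finish_login(assertion), assertion


def forged_backend_is_rejected():
    """A backend at another endpoint cannot mint an assertion the RP accepts."""
    rp = RelyingParty("https://lj.example/openid/return")
    forged = Provider("https://forged.example/openid", {"kb.sceneid.net": "x"})
    handle, _ = forged.associate()
    assertion = forged.checkid_setup(handle, "kb.sceneid.net", rp.return_to, "x")
    rejected = rp.finish_login(assertion) is None
    assertion["op_endpoint"] = DISCOVERY["kb.sceneid.net"]  # relabel as the real OP
    return rejected and rp.finish_login(assertion) is None


def replay_is_rejected():
    """The same signed assertion presented twice is accepted only once."""
    rp = RelyingParty("https://lj.example/openid/return")
    first, assertion = run_flow("correct horse", rp=rp)
    return first == "kb.sceneid.net" and rp.finish_login(assertion) is None
```

Run it as `python openid_toy.py` and call `run_flow("correct horse")` to see the accepted identifier; `run_flow("wrong")` returns `None` because the provider, not the relying party, is where the password is checked. The endpoint comparison in `finish_login` is the step that answers the "forged backend" worry: the relying party only trusts assertions from the endpoint it discovered for that identifier.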
kb: Actually, that's exactly what I thought after reading Gargaj's post.
added on the 2007-12-06 18:58:31 by kusma kusma
ehm, the "Exactly what authority has scene.org over MY account data? I'm sorry, but IF anyone is authorized to control where MY personal information goes, it's ME."-bit, that is.
added on the 2007-12-06 18:59:01 by kusma kusma
oh, and btw: We could always decouple the SceneID account name from the first part of the OpenID URL. Then the information given about that account would be exactly "this URL exists and we confirmed the identity", not a single bit more.

Actually the tricky part of OpenID is to trust the OpenID providers if you open up your own site. Which we don't.
added on the 2007-12-06 19:11:01 by kb_ kb_
KB you have a strong point here.

I'll see when we can have a mechanism for any sceneid holder to choose which portal he wishes to be accepted for sceneid queries.

added on the 2007-12-06 19:16:52 by _-_-__ _-_-__
To the people still waiting for a decent answer to the question "why do we want a shared login system anyway": for a start there's the (admittedly fairly trivial) reason of not having to fill in the same details on lots of different sites. From a purely selfish point of view, as a website owner I want to keep the barrier to people using my site as low as possible, and letting them use an existing account that 99% of my target audience has already is one way of doing that. But more than that - when you have a bunch of accounts on different sites linked up by a single identifier, websites can use that information in useful ways. As a stupidly simple example, if Pouet and Nectarine had a shared login system, you'd be able to compile a listing of a user's comments on both demos and music. And if any of that has you thinking "omg major privacy invasion", then that's fine - you don't *have* to use the same login on both sites.

I don't know if that's actually convinced anyone, but in fact it's not really my place to answer that question anyway. The shared login system already exists, and you've been using it to log in to Pouet since forever. It works, and people seem to be happy with it.


About scene.org losing overall control of the system, I'll add this: It's my impression that scene.org staff don't have the resources to regulate SceneID partner sites at the rate the demoscene (read: me, mainly) wants SceneID to grow. They also don't have the resources to design and implement a decentralised system that would avoid the need for them to regulate those partner sites. Happily, someone else has designed and implemented that system already, and I'm just providing the glue that lets us use it. This isn't some power-crazed crusade out to show that scene.org suck at designing login systems - it's an attempt to make a better technical solution available so that SceneID is better placed to achieve what it set out to do in the first place.
added on the 2007-12-06 22:53:12 by gasman gasman
I was formerly kidding with my message but the more I read about it the more I think your goal is actually to try and plunder any demoscene website you can to make use of the data for your Demozoo. Am I right? :)

Isn't it basically what you already did when you became one of pouet's admins/moderators? You did not recode anything on Pouet (afair) but you basically dumped the whole database to replicate it on Demozoo or something. No offense, it's just a question, I might be totally wrong of course :)
added on the 2007-12-06 23:04:30 by keops keops
to make it short, if your aim is "I want to make Demozoo a more complete Pouet and I need to access other websites' data and accounts" just say it and people might help (or not) :)
added on the 2007-12-06 23:09:25 by keops keops
it's not as if our nicknames were worth some $, the less barriers around scene sites the better, go gasman go :)

demozoo can complete pouet but can not simply replace it, you could have new and improved loves but your first love always stays as the reference :p
added on the 2007-12-06 23:37:01 by Zest Zest
Quote:
From a purely selfish point of view, as a website owner I want to keep the barrier to people using my site as low as possible

Talking about accepting a site to get your data and yadda yadda, seems like a much more troublesome sign-up for a website than adding some random info to create a login. Or do you mean you want ignorant users who don't care about the security of this system? After all, a hacked account could easily be exploited to do really stupid things on all the linked sites. Say this user who signs in to your "throw a banana to the monkey"-site is an administrator on a semi-large site..

Quote:
when you have a bunch of accounts on different sites linked up by a single identifier, websites can use that information in useful ways.

And really, really bad ways.

Quote:
As a stupidly simple example, if Pouet and Nectarine had a shared login system, you'd be able to compile a listing of a user's comments on both demos and music.

We are actually talking about *full* integration between two sites here. Do you really understand what you are fantasizing about?

Quote:
And if any of that has you thinking "omg major privacy invasion", then that's fine - you don't *have* to use the same login on both sites.

NOTE: You can't actually have any personal data shared between these sites unless you want them to be linked. The more sites the less personal data you can store for a stupid bot, for a smart bot or a person looking you up, nothing!
added on the 2007-12-06 23:42:53 by Hatikvah Hatikvah
On a side note: Can we have Analogue back? Please?
added on the 2007-12-06 23:50:05 by Hatikvah Hatikvah
Btw I already think demozoo is a bit creepy by linking
productions->members->slengpung. You better not hand in a demoscene production as a show-off for a job (well, who would anyways;) if you happen to have passed out on a couch on a big football field in north Germany during snow chaos.
added on the 2007-12-06 23:57:23 by Hatikvah Hatikvah
*slengpung* is creepy :P
added on the 2007-12-07 00:12:00 by Zest Zest