Facebook's latest privacy debacle was driven by its failure to properly manage user IDs. This is not a new problem area and, as the EFF points out, Facebook has done this before. So while I don't know if Facebook will be interested in this post, those who care about protecting their users' privacy in an age of data sharing may want to have a look at the threats and defenses involved in sharing user IDs across sites. Securing user IDs isn't easy.
[Update 10/22/2010: Changed the title and intro and added three new sections at the end.]
It's voting time again. I still don't know why I bother.
But here I am. Scroll down to see details about why I am voting the way I list.
Initiative Measure No. 1053 - No
Initiative Measure No. 1082 - No
Initiative Measure No. 1098 - No
Initiative Measure No. 1100 - No
Initiative Measure No. 1105 - No
Initiative Measure No. 1107 - No
Referendum Bill No. 52 - No
Amendment to the State Constitution Senate Joint Resolution No. 8225 - Yes
Amendment to the State Constitution Engrossed Substitute House Joint Resolution No. 4220 - No
Charter Amendment No. 1 Amendments to the Preamble - No
Charter Amendment No. 2 Amendment of Section 690 - Campaign Finance - Yes
Charter Amendment No. 3 Amendment of Section 890 and New Section 897 - Collective Bargaining - No
Proposition No. 1 Sales and Use Tax for Criminal Justice, Fire Protection, and Other Government Purposes - No
Seattle School District No. 1 Proposition No. 1 Supplemental Operations Levy - No
United States Senator - Patty Murray
United States Representative Congressional District No. 7 -
State Representative Legislative District No. 46 - Position 2 - Phyllis G. Kenney
Seattle Municipal Court Judge Position No. 1 - Edsonya
Seattle Municipal Court Judge Position No. 6 - Karen Donohue
State Supreme Court Justice Position No. 6 - Richard B.
Eran's latest article raises a number of specific security threats by way of arguing that bearer tokens are irredeemably insecure. In this article I examine the attacks Eran calls out and show that OAuth 2.0 already addresses them. Eran's article does bring up an interesting question: do we need defense in depth for the tamper resistance and confidentiality that SSL/TLS provides?