The other day I started talking a little bit about my experiments with OpenID, a new, portable, and universal authentication scheme for web sites. I’ve been continuing this since then, and have some newer information I want to share with you. Originally, one of my primary concerns was that of security. For general purpose use, I mentioned that MyOpenID.com seemed to be an all right solution. It is. The problem was that there were still holes that seemed ripe for exploiting, since it was still password based and required nothing special to get in beyond that. But a site called MyVidoop.com (who comes up with these names?) really raised the bar in my opinion (click here to get an OpenID from them). At the end of this post there are a couple of white papers you can download with more information on what I’m about to share. So, if you don’t think I tell you what you want to know (girls tell me that all the time), look there. There’s also a short video about how OpenID works.
MyVidoop appears to have been created with the idea of securing OpenID as priority number one (well, making money was probably number one, but security a close second!). And next to MyOpenID, they blow them away. Some of you might be familiar with the kitten captcha. This clever system suggested using image identification as a captcha method in place of current text obfuscation techniques which are constantly being broken. That introduced the need for human level cognition to process the form, eliminating most bots from the equation. MyVidoop used this style of technique with regard to authentication. Instead of a static password you type in each time, you identify 3-5 image groups when you set up your account, then when you log in, you select images from a grid that match your groups. This is connected to a pass key (each image has a letter associated with it) which is never the same twice since the grid, images, and letters tied to them change on each log in. The only static information used in the process is the categories of images, and only you know them. Thanks to other steps, there is no effective way for a bot to glean that information or put it to use.
It’s rather clever, because it inherently defeats two account cracking methods: brute force and keystroke logging. Since the login key is never the same twice, a compromised key does no good. Since it is random each time, there’s no way to brute-force it effectively. But what about phishing? This is where it gets interesting. MyVidoop has created a token-based system for security. If I go to a site to register, MyVidoop will ask me about the computer I am at. It will send a token, either to a predefined email address, or even as a text or voice message to my cell phone! And yes, it’s immediate. You must have this 6-digit token to even be allowed to see the image grid. This makes phishing nigh impossible since tokens only come to you. It’s also a level of security unheard of with other sites. Even my bank doesn’t personally check with me about a login. Once you have entered the token, you can have it remember the computer for the future (such as a home system or laptop you use frequently) so that you aren’t getting tokens at every single login from a computer you trust. Likewise, there is no way to mount an effective man-in-the-middle attack, because a token is good only once, and you need a human component to decipher the categories, assuming you bypassed the token and were able to capture a grid. This login information never leaves the OpenID provider, regardless of who it is. It’s similar to LDAP in that all the web site gets back from the provider is a yes or a no as to whether a person is who they say they are (along with information they require, like an email address, which you say is okay for them to have). At no point are login credentials handled by the originating site.
All in all, this seems quite effective at preventing an ID from being lifted. To emphasize OpenID’s portability, I’ve already changed my server and delegate to point away from MyOpenID to MyVidoop by changing the code in the header of my website (Wordpress has a handy plugin for this called WP-Yadis). I would speculate that eventually, other providers will follow suit to try and keep up. At the moment though, MyVidoop is the only company offering this level of security for your ID.
Like other services, it supports useful features like multiple profiles, and also ID forwarding. Unlike others, they have an affiliate program that will pay you to get others to sign up. That situation is very win-win. They are funded through companies like SmartUSA.com, and have mentioned selling image spots as ads, so Pepsi might show up in the beverages category, or Cessna in airplanes, Fender in musical instruments, etc. Besides funding the site, they pass that back to affiliates (and thank you for that).
Lastly, consider a comparison. Assume that you get an email from a phisher that tricks you into going to their site to log in (tsk, tsk, you should be ashamed for not catching that!). In scenario one, you are using MyOpenID. You go in, and they load up the login screen with a wrapper that logs your password (you did check the URI (Uniform Resource Identifier) of the page you are on, right?). Like any site that requires a static login, they can lift and reuse your credentials. It’s not so much a fault of OpenID as it is of static logins, but it can be worse since OpenID allows access to so much. One password later and you’re compromised. With MyVidoop, first it asks for the token. That gets sent only to you, so the phisher can’t intercept it. Once you use it, it’s done, so if the token is logged, it can’t be used again. You are shown a screen next, with an image grid. You enter the letters matching your image categories. The letters have a random association, so the phisher can’t determine what the connection to the images is, and that key is also only good once, so the phisher can’t reuse it. Even if they capture the grid, human intervention is required to figure out what categories you might be using. These scams usually rely on automated bot systems, so stopping to manually check each grid isn’t cost effective (this would also hold true for trying to do it with a Turk, in theory, if enough people do it). Even if they got the categories, step one, the token, will prevent them from getting to the grid in the future.
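To make the mechanism described above (a one-time token, then a grid whose letters are reassigned on every login) concrete, here is a small server-side model of it. This is an added example written for this post, not Vidoop’s code: the categories, image names, 6-digit token format and 12-image grid are constructed stand-ins. It shows why a logged token and a logged set of letters are both useless on replay, which is the point of the phishing comparison.

```python
"""Toy server-side model of a one-time-token plus image-grid login (added example)."""
import secrets
import string

# Constructed sample catalogue: category -> image names (stand-ins for real pictures).
CATALOGUE = {
    "beverages": ["cola", "coffee", "tea", "juice"],
    "airplanes": ["biplane", "jet", "glider", "seaplane"],
    "instruments": ["guitar", "piano", "drum", "violin"],
    "animals": ["cat", "dog", "horse", "owl"],
    "tools": ["hammer", "saw", "wrench", "drill"],
}
IMAGE_TO_CATEGORY = {img: cat for cat, imgs in CATALOGUE.items() for img in imgs}
GRID_SIZE = 12  # assumed grid size for this model


class GridAuthenticator:
    """Holds enrolled categories, unredeemed tokens and the one live grid per user."""

    def __init__(self):
        self._users = {}        # username -> frozenset of secret categories
        self._tokens = {}       # username -> 6-digit token not yet redeemed
        self._token_ok = set()  # users who redeemed a token and may request one grid
        self._pending = {}      # username -> letters expected for the live grid
        self._rng = secrets.SystemRandom()

    def enroll(self, username, categories):
        """The only static secret: which 3-5 categories the user picked."""
        if not 3 <= len(set(categories)) <= 5:
            raise ValueError("pick 3-5 categories")
        self._users[username] = frozenset(categories)

    def issue_token(self, username):
        """Mint a fresh 6-digit token for out-of-band delivery (email, SMS, voice)."""
        token = f"{secrets.randbelow(10**6):06d}"
        self._tokens[username] = token
        return token

    def redeem_token(self, username, token):
        """Any attempt, right or wrong, consumes the token, so a logged token cannot be replayed."""
        expected = self._tokens.pop(username, None)
        if expected is None or not secrets.compare_digest(expected, token):
            return False
        self._token_ok.add(username)
        return True

    def new_grid(self, username):
        """Build a grid with at least one image per secret category and fresh random letters.
        Returns {letter: image}; the matching letters are remembered server-side only."""
        if username not in self._token_ok:
            raise PermissionError("token step not completed")
        self._token_ok.discard(username)  # one grid per redeemed token
        secret = self._users[username]
        images = [self._rng.choice(CATALOGUE[c]) for c in sorted(secret)]
        rest = [img for img in IMAGE_TO_CATEGORY if img not in images]
        images += self._rng.sample(rest, GRID_SIZE - len(images))
        self._rng.shuffle(images)
        letters = self._rng.sample(string.ascii_uppercase, len(images))
        grid = dict(zip(letters, images))
        self._pending[username] = {
            letter for letter, img in grid.items() if IMAGE_TO_CATEGORY[img] in secret
        }
        return grid

    def verify(self, username, entered):
        """Compare the typed letters with the live grid, then retire that grid for good."""
        expected = self._pending.pop(username, None)
        if expected is None:
            return False
        return set(entered.upper()) == expected


def user_answer(grid, categories):
    """What the legitimate user types: the letters under images in their categories."""
    return "".join(sorted(l for l, img in grid.items() if IMAGE_TO_CATEGORY[img] in categories))


if __name__ == "__main__":
    auth = GridAuthenticator()
    cats = ["beverages", "airplanes", "tools"]
    auth.enroll("alice", cats)
    token = auth.issue_token("alice")  # would be delivered out of band
    print("token redeemed:", auth.redeem_token("alice", token))
    print("replayed token:", auth.redeem_token("alice", token))
    grid = auth.new_grid("alice")
    answer = user_answer(grid, cats)
    print("grid:", grid)
    print("login:", auth.verify("alice", answer))
    print("replayed letters:", auth.verify("alice", answer))
```

Two design choices carry the security argument: the server keeps the letter-to-image mapping and discards it after one verification, so captured letters never match a later grid, and the token is popped on first use, so even a token that was logged in transit cannot be presented twice.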
To be fair, other services like MyOpenID do offer an option to use an SSL certificate to log yourself in, which is much better than passwords, but it isn’t the default mechanism and you must dig it out of the Account Settings area to enable it. It’s also only really useful with computers that you use regularly, since the certificate must be installed on the machine. What I would like to see is someone attach OpenID login to one of the PayPal/Verisign style RSA keyfobs.
You’ll notice on the right you can now log in directly with OpenID on this site, and there’s a link there to go get an OpenID from MyVidoop. If you want to get started in OpenID, I’m not sure there’s a better place at the moment. Video and PDFs below.
Vidoop Secure White Paper
Sweet Security, Free for Your Websit
I felt it was time to take a closer look at a content management system I am getting very involved with. One might say I’m drowning in it. I prefer to think of it as being choked by it, heh. Really, it’s a very interesting system, and a fantastic tool for the price (free!). I have worked with a number of CMSs (Content Management Systems) over the years: Coranto, e107, Joomla, Mambo, Wordpress, Drupal, and a few others that I’m sure I’ve forgotten about. It’s easy to get locked into one or two for various purposes, which had been true with me for a long time. The problem is, my short list there is only good for small to mid range sites. Now I’m webmaster for a site of better than 10,000 pages and 70+ editors. Those open source solutions don’t easily or always comfortably scale up to those needs.
That’s where enterprise grade content management comes into play. Swinging big price tags, naturally. You start learning names like RedDot, OmniUpdate, Hannon Hill Cascade Server, Serena Collage (discontinued), and Ektron cms400.net. You also learn they don’t come cheap, some breaking the $80,000 mark. $15,000 in this group is cheap. In some cases, you don’t even have to host it. But the support, features, and scalability you get from this class of tools is in a different league. Wouldn’t it be nice if you could get the best of both worlds though? Something like a Typo3 or Zope/Plone system, but with enterprise grade support and a learning curve within reach of your users? A tool that was open source to boot? Generally there just isn’t demand for this sort of software, at least not enough to make a successful project; it’s enterprise grade and enterprise cost because it’s an enterprise market. However, dotMarketing has stepped up to the plate. They have developed dotCMS to augment their design and consulting business, but released it free, charging only for support.
I need to be fair though. dotMarketing really stood on the shoulders of the work done at the Liferay Portal project; that’s where it started. Liferay is the underlying framework that drives dotCMS, written in Java and running on top of Apache Tomcat. But they forked the project and went a long way towards customizing everything you see and interact with. It isn’t just a fancy admin theme dropped over someone else’s work. It is also tied together intimately with Apache Velocity, which is very slick for writing dynamic templates. Needless to say, this isn’t a simple one-off, self-contained type of application. It’s built on several different technologies, all open source, to try and provide the best of each tool to the end user. When you download it, though, everything you need is packaged up; you don’t have to hunt anything down separately.
This does make it more complex than other open source CMS options. Systems like Wordpress or Drupal can be installed to any server that runs PHP and a flavor of database server. On the other hand, dotCMS requires you to have root access to the server to install things like the Apache Tomcat server. This requirement has hurt dotCMS’s market penetration, as many web site owners do not have that kind of server access, opting instead for cheaper hosting solutions. That is a shame, because dotCMS is easily one of the most powerful open source options available, with a much shallower learning curve than equally flexible solutions (I’m looking at you, Typo3). It’s also pretty resource intensive, so you won’t be dropping this onto a lightweight web server you built five years ago on an old AMD K6-2 system you had lying around. Plan on needing a couple gigs of RAM and a modern processor to heft it. You can run it in a dev environment on a PC okay, but not with less than a gig of RAM (I know, I tried, I failed). It might be open source, but it is truly enterprise grade, and is built for an environment that reflects such.
Part of what makes dotCMS so good is the way they approach content. As an administrator, you can create structures. These structures result in a form-like input system that allows you to pull out some or all data for a type (say, a news posting, or product review). Any structure can easily be attached to an RSS feed. Each structure is unique, but can be dynamically related to one or more other types of content in other structures. For instance, you have a structure for “blog posts” and one for “comments,” and the comments can be related to blog posts. But you could also relate certain comments to articles, or news postings as well. This is a basic CMS feature used in most systems, but with dotCMS you see exactly how it works, and can modify or expand it. Better yet, create your own. Players related to teams related to sports. The flexibility allows you to develop to your heart’s content. And you don’t have to be a programmer to do it. Admittedly, relationships aren’t super easy to understand out of the gate, but an example or two gets you going. They really got things right with regards to how content should be created and used, and did a good job taking the cork out of the bottle for the end user to go nuts with it.
Speaking of examples, they do have a complete demo site running that allows you to both test things, and also see how certain things are accomplished. This can be very useful if you want to duplicate some kind of functionality, but need an example. They also outline plenty of macros that allow you to easily accomplish common tasks, like creating slideshows, navigation, MP3 players, RSS feeds, and more. One thing their demo site doesn’t showcase is that it can even run multiple domains through one back end, so you could be running demo.site.com, and blogs.site.com, and www.site2.com all through that one instance of dotCMS.
If you would have asked me before, I probably would have said that Drupal or Typo3 had the best permissioning systems available in open source. That’s no longer even remotely true. dotCMS has a fantastic permissioning system that allows granular access to both content and admin areas. Groups are used to define what a user has access to at the back end, while roles determine what they can use, see, and access with respect to content. This combines with a workflow system that can be used to make sure content is properly reviewed and approved before it hits the page. It’s simple, and it works. Well. On the user side, you can easily tie into an LDAP or Active Directory environment, though it requires manual set up. Users can be tracked through the system to provide some basic analytical data, and attached to CRM functionality to label, organize, and communicate with them. This goes far beyond any other competitive product in open source.
Where it’s lacking: documentation. Right now, it’s pretty scattered and different documents can be out of sync with others. I understand this is changing, and that they are moving to a system à la Apache’s documentation method. It is definitely needed. Luckily, their mailing list is pretty active, and they tend to be responsive on bug reports. I think it would be nice to see a little more stuff built in by default. For instance, dotCMS can be a blog, or host them, but you have to build the structures and relationships yourself. Tools like that are common enough that it wouldn’t hurt to just have it already set up. There is also no file structure in the normal web sense, so no FTP (File Transfer Protocol) type functionality; you have to upload through the system or via WebDAV, if your server supports it.
I will be at the dotCMS Open Minds Conference next week in Miami. After that (and maybe even during), I’ll be following up with some more detailed information regarding their CMS. I’ll get a bit more into how certain things actually work, and what we’re doing to make it work to our advantage. In the meantime, their portfolio can give you an idea of what the system is capable of.
Update (08.04.21): If you are looking for additional support, be sure to either check out the dotCMS mailing list, or visit our newly established forum community. Also, expect new and improved documentation and support tools from the dotCMS development team around the 3Q of 2008.
Well, I think I might be crazy. And not that good kind of crazy anymore. The bad kind that results in additional badness for me. Luckily it’s localized crazy, so I don’t think it would really affect any of you. I’ve been eyeballing the local summer bike tours (BAK, OKFreewheel). Again. I have done both, but haven’t done one since…2004? That sounds about right. I’ve been both too injured and too out of shape (more the former) to manage getting back into one of them since then. But I’ve really been itching to get back on the road, and every year I kick back and wait for them to announce routes and think about making the trip. I almost managed it last year, but other travel ended up taking precedence.
So what’s different about this year? Absolutely nothing. In fact, my back is probably worse now than it’s been for a while. But I have a need to prove to myself I can fight through it. In fact, I know I can. That’s not what worries me. What worries me is what I’ll be like after the fight. Ideally, if I train for the next 6 months, I should be great. Hell, the first time I did it, I had no training besides one 30 mile ride under my belt (and that hurt like a mother). But I’m not even really sure I can get through training without coming away worse off than I am now. And the longer I wait, the harder it will be. But I hate giving up something I enjoy so much. Besides, the rides are just plain fun. Get out for a week, ride in the open air. Be out away from the cities. Relax in the evenings.
OKFreewheel is both the shorter and cheaper of the two rides. BAK is a little better supported in my opinion, but I don’t like where it’s ending this year (about as far north and east as you can possibly get in this state). They’re both at the same time too, so it can’t be both anyway, I’d have to choose one or the other. I think I need someone to talk me out of it though. Either that, or convince me I absolutely should do it. Otherwise it’ll probably just pass me by, and I’ll be frustrated with my inability to commit to it, one way or another. Odds are it would end up being really good for me. I’ve just lost the confidence that I need, and part of me thinks I’m better off for it, that I should just stick to shorter, low impact stuff. I haven’t done more than 15 miles in one ride in about two years, which is pretty terrible. I did try the Gorilla Century about 3 years ago, but had to drop out about 60 miles in after the pain got too bad to fight through.
Screw it, I’m just gonna make the call. Unless the registration fees are outrageous, or I can’t get transportation arranged, I’m just gonna do it. Training starts tomorrow. That will settle that. How’s that for sudden decision making?
What follows is a slightly re-edited (for clarity) version of my thoughts on using Adobe Contribute to run a site. It was originally posted to the uwebd mailing list during a discussion of different CMS (Content Management System) options that are out there. This was in response to a question directed to me regarding what I considered a “modern website” with respect to Adobe Contribute.
Why isn’t Contribute equipped to handle large scale (~10,000+ pages) sites? Contribute doesn’t really have the tools to do anything with regards to content reuse across a site. So as a result, there’s no way to develop interactivity (well, really, you can’t develop anything with it, it’s not a developer tool). You can also forget about getting fancy by integrating things like RSS feeds, or dynamic content in any useful ways (consider, Department X wants a list of their courses for the semester, if they are copy/pasting, there’s no way to control that content once they have plugged it in, which hurts when they totally forget about it the next semester). Contribute is best at static content, on static pages. One page at a time. The newest version (CS3) has done marginally better, in that you can at least paste HTML source code now, but the actual audience that Contribute is aimed at won’t really find that useful. If they knew and understood HTML well, they’d be using Dreamweaver, or at least NVU or something. The crazy part is how good it looks on paper, that idea of simple content management. The reality isn’t that good, especially for developers who must then deal with all the deadwood Contribute leaves behind as things get updated, removed, etc (which is substantial). And don’t forget any template changes you have to make, which would have to be filtered into every file, which is very time consuming (we use SSI (Server Side Include) templates to help stave that issue off, but then that has also caused certain bugs preventing people from creating things like bulleted lists. Craziest thing I’ve ever seen).
I am of the mindset that Contribute has lost its market. It was a good tool five years ago. The game has changed a lot in that time though. A good CMS does everything that Contribute can do with no more of an end-user learning curve, but with the added bonus of being flexible for use with the better power users you serve. Contribute doesn’t have any room to scale up that way. Power users get frustrated in it, and basic users just get lost. The key is that a basic user is a basic user. Period. No matter how simple the software seems on paper, you still have to train them before they can use it, so you might as well give them a tool that not only does things easily, but does them right. For instance, workflow is a joke with Contribute, and as a result page management becomes nearly impossible (and in turn confusing for basic users). There is no review mechanism at all, so content can quickly become outdated and never addressed down the road. We have departments that have copied information from other parts of the site that is out of date by years. This is because they haven’t had the tools to do it correctly in the past.
Like I said, Contribute is designed to do one thing very well, edit static content on static pages. If that is all you want, go nuts, but try anything beyond that and it’s just a bad tool for the job. And in today’s web, a “modern site” is one that generally does not rely on static content this way. Moreover, a “modern site” is one that also provides current, accurate, fresh data. If you have no ability to keep up on your content in some way, you are setting yourself up for failure. Anyone managing a large site knows that you can’t rely on the editors to simply take it upon themselves to review content (assuming that’s not their primary job). People rely on web sites now, it’s one of their first stops when they want information on something. If they lose faith in the site as a tool to retrieve accurate information on the subject they want, then you lose a customer. The crazy, lock-me-up-I’m-going-cuckoo goal of a “modern website” is therefore to be omniscient in regards to their audience. You must have a current and correct answer to every question your visitors can and will ask. Totally impossible, I know, but it’s what the audience expects, and there are a lot of ways we can certainly fake it with current web technologies. I don’t feel Contribute is up to that kind of job (not by a long shot).
(Caveat: this is all based on my personal experience in our environment with ~70 Contribute users. We do not run the Contribute Publishing Server. No doubt others might have more positive opinions.)
I spent last night doing some research that I believe to be worth sharing for those interested in the subject. In an effort to improve flexibility of this blog, as the announcement above mentions (at least at the time this was written), I now support OpenID. OpenID is a neat new technology that serves as a universal login among sites that support it. Believe it or not, that is more and more places: AOL, LiveJournal, Wordpress.com, and Technorati - they all are currently OpenID providers. That is to say if you have an account with them, you already have an OpenID you can use elsewhere. It will help streamline things like leaving comments on my blogs, because you can login without actually needing an account, so no need to fill in multiple fields over and over for anonymous comments.
So anyway, what’s this all about? Well, with us doing more and more online these days, it gets very cumbersome memorizing dozens of logins. With OpenID, a site you wish to log in to can quickly check your identity and grant you access, bypassing all the normal registration steps by retrieving a standard data set from your delegate. Yes, there is obviously a risk here. If someone got your OpenID account, they could get access to your sites. But it’s 100% portable, so if that happened, you could always switch to a new ID (this works especially well if your ID is your own URI (Uniform Resource Identifier), like www.yourname.com). Also, you can use it for non-sensitive things, like forums, where all you really want is a login and password to ask a question or such. In that case, if the ID got hijacked, no actual personal data is lost. The concept is a very neat one to say the least, and it’s gaining a lot of momentum too (the next version of Drupal is including it in its core, and there are add-ons for most popular CMSs (Content Management Systems), such as WordPress).
It’s certainly worth trying out. You can start an OpenID with lots of sites. I used MyOpenID.com, but there are others like ClaimID, myID.net, or VeriSign’s Personal Identity Provider. Their sole purpose is to manage an identity, and provide a place to authenticate it. The ID is basically a URI, something in the form of yourname.myopenid.com. MyOpenID was good for me because I quickly found documentation on how to use it, and it allows you to set up multiple personas, so that when you log into a site the first time, you can essentially choose what and how much information to let them see. The best primer I found was over at Sam Ruby’s blog, where he goes into the basics of how to set up your open ID, and also how to use your own URI as one. Absolutely worth reading. Let me repeat, absolutely worth reading. He’s lined out nearly everything you need to know in order to get started.
If you are running your own site, it’s easy to let them manage the login. For instance, sign up with MyOpenID. Then in the template for your site, add this code to the header:
Just swap out “name” for your actual account name. That’s it. What happens is, when you go to an OpenID enabled site (like mine), you punch in your site’s URI as your OpenID. The site you’re at will hit yours and look up the server and delegate, which will redirect you to their login page. Pop in your password and it will send whatever dataset you want to the original site for registration, and then pop you back over there. Sounds complex, but really very simple. If you’re at LiveJournal or something like that and don’t have your own actual hosted site, when you go to an OpenID enabled site, you just type in your LiveJournal address, and it will authenticate you, no extra steps even necessary.
Even better, if you want to be a true master of your own domain, Sam goes on to describe how to create your own OpenID server and delegate for yourself using phpMyID. phpMyID is a single user environment designed for individuals to use their own host to manage their ID. Basically it puts you in total control. If you choose to try it out (remember, OpenIDs are portable, so if you don’t like it, you can easily switch to one of the hosted solutions just by changing the server and delegate href in your header), Sam has some more updated instructions for it. The only problem I have is that you then lack some of the neat features other professional providers are offering, like the personas. It just comes down to how paranoid you want to be. But be prepared for hiccups when installing phpMyID. Particularly, make sure openid.server and openid.delegate hrefs include their trailing slashes, otherwise you’ll get wacky errors with no feedback as to why (and I can’t recall the name of the function now… It had something to do with “naive_”….something or other).
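The two preceding steps, a consumer site fetching your URI to read the server and delegate links, then redirecting you to the provider, can be seen from the consumer’s side in a few dozen lines. The following is an added example written for this post, not code from the post, Sam Ruby’s write-up, phpMyID or any OpenID library. The sample identity page is constructed; its two hrefs are the values MyOpenID documented for delegation at the time (quoted from memory, so treat them as sample data). The trailing-slash check reflects the phpMyID hiccup mentioned above, applied to a delegate that is a bare host, since OpenID normalizes `http://host` to `http://host/`; whether the server URL also needs one depends on the provider, so the check leaves it alone.

```python
"""Consumer-side discovery of openid.server / openid.delegate links and the
OpenID 1.1 checkid_setup redirect built from them (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlencode, urlsplit

OPENID_RELS = ("openid.server", "openid.delegate")

# Constructed identity page with the delegation links in its <head>.
SAMPLE_PAGE = """<html><head>
<title>name's site</title>
<link rel="openid.server" href="http://www.myopenid.com/server" />
<link rel="openid.delegate" href="http://name.myopenid.com/" />
</head><body>hello</body></html>"""


class OpenIDLinkParser(HTMLParser):
    """Collect <link rel="openid.server|openid.delegate" href=...> tags."""

    def __init__(self):
        super().__init__()
        self.links = {}

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        attr = dict(attrs)
        href = (attr.get("href") or "").strip()
        # rel may carry several space-separated tokens; keep the first href seen per rel
        for rel in (attr.get("rel") or "").lower().split():
            if rel in OPENID_RELS and href:
                self.links.setdefault(rel, href)


def discover(page_html):
    """Return {"openid.server": ..., "openid.delegate": ...} for the links found."""
    parser = OpenIDLinkParser()
    parser.feed(page_html)
    parser.close()
    return parser.links


def check_delegation(links):
    """Problems a site owner would want flagged before relying on the header."""
    problems = []
    if "openid.server" not in links:
        problems.append("missing openid.server link")
    for rel in OPENID_RELS:
        url = links.get(rel)
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"{rel} is not an absolute http(s) URL: {url}")
        elif rel == "openid.delegate" and parts.path == "":
            # a bare host is normalized to host/ by consumers; declare it that way
            problems.append(f"{rel} needs a trailing slash: {url}")
    return problems


def checkid_setup_url(links, claimed_id, return_to, trust_root):
    """Redirect URL a consumer sends the browser to (OpenID 1.1 checkid_setup).
    The identity handed to the provider is the delegate when one is declared,
    which is what lets a personal URL be backed by a hosted provider."""
    params = {
        "openid.mode": "checkid_setup",
        "openid.identity": links.get("openid.delegate", claimed_id),
        "openid.return_to": return_to,
        "openid.trust_root": trust_root,
    }
    server = links["openid.server"]
    return server + ("&" if "?" in server else "?") + urlencode(params)


if __name__ == "__main__":
    found = discover(SAMPLE_PAGE)
    print(found, check_delegation(found))
    # blog.example is a placeholder consumer site; www.yourname.com is the claimed URI
    print(checkid_setup_url(found, "http://www.yourname.com/",
                            "http://blog.example/login", "http://blog.example/"))
```

Run it against your own page’s HTML and `check_delegation` tells you whether the links a consumer will see are absolute and whether the delegate is written in its normalized form, which is the kind of silent mismatch that produced the errors with no feedback described above.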
My big concern at this time is security. I’m not entirely sure what prevents a potentially nefarious site from playing monkey in the middle and sniffing out your information. Although running your own ID server and paying attention to where you’re signing on would go a long way towards preventing that. And regardless, I am already finding mine handy for the simple purpose of leaving comments on friends’ blogs who are on networks where I don’t have an account. That alone is a big advantage and not exactly a security risk to me. I hate going through the hassle of signing up for accounts I’ll never use beyond commenting or such, so this sells itself well.
Yahoo, MSN, Google, and lots of other sources are playing with it too, in different ways. So this is far from some wacky, half-cocked new technology. It’s sort of like Microsoft’s Passport system, except way more powerful. Go give it a good once over, it might come in handy.