Ban passwords, say advocates of alternative authentication

Passwords are a thing of the past and they need to go, according to a group of Silicon Valley-based tech companies who are part of a public advocacy campaign called Petition Against Passwords.

Passwords are the keys that enable access. At the same time, they're also the weak link that smashes the security chain, according to many experts, who for years have warned that passwords simply don't work as they used to, and that password protection alone isn't enough.

The problem with passwords is twofold, according to the advocacy group, which aims to influence large digital service providers to move toward "password-less" authentication and identity protection. On one hand, users either create easily remembered passwords that are entirely too weak or they are forced to pick passwords that are hard to remember, but quickly cracked by machines. The other side to that is a lack of password policy enforcement, and the gaps in basic data protection that can lead to breaches that expose millions of passwords. When breaches expose passwords, they often make their way online and wind up in wordlists that are used by password cracking software.

Last April, LivingSocial, a website dedicated to offering consumers daily deals on local products and services, was compromised and some 50 million users were urged to change their passwords. The concern was that many of the users that were exposed faced additional risk due to password recycling. The incident also highlighted the importance of properly protecting user data, especially passwords.

"Because passwords must be stored on a central server, sites are tasked with protecting them from a persistent onslaught of attacks. Even the best protected servers eventually fall. The results can cost the company millions of dollars and drastically impact consumer trust," wrote Brennen Byrne, the CEO of Clef, an Identity Management and Protection firm that leverages smartphones as a means of authentication, which is part of the campaign. Other companies, including OneID, LaunchKey and Nok Nok Labs have also joined in support of the movement.


Byrne's words come from a manifesto of sorts, calling for Internet users to demand something different when it comes to authentication. Over the last few years, there has been a push to replace passwords, or at least augment them with additional layers of security. For example, Two-Factor Authentication is one such augmentation. It works, and it has seen wide adoption by businesses and consumers alike. However, there are others that wanting to move far beyond Two-Factor and similar advancements.

In May, Motorola's Regina Dugan made headlines when she suggested tattoos and pills as alternate means of authentication. A month before that, researchers at the University of California, Berkeley, released research on using brainwaves as a means of authentication.

To date identity companies LaunchKey, Nok Nok Labs, Clef, and leading consumer advocacy group TechFreedom have signed on to support the petition. The Petition Against Passwords initiative will go live on July 24, 2013.

In search of a Google alternative

Google's shares have risen nearly 60% since Larry Page became chief executive in 2011 Google's been busy. Over recent weeks it's added photo auto-enhancement to its Google+ social network, launched air balloons to provide internet access from near-space, unveiled a subscription music service, teased a new smartphone and revamped its Maps product.

 
But when the company reports its latest earnings, investors will be focused on one thing - how its search adverts business is performing.

For all Google's innovation, search remains its cash cow.

The company accounted for 90% of UK-based desktop searches and 92% of mobile searches in June, according to net analysis provider Statcounter - the kind of figures any company would envy.

Its global figures were even higher - although its share of its home market, the US, is below average (78% share of desktop search), and the company remains an also-ran in China, Russia and South Korea.

"At one time Google was clearly a better search engine - now we can debate that point," said Greg Sterling, a tech analyst who writes for the Search Engine Land news website.

"However Google's brand strength, together with the company's aggressive push into mobile have cemented its leadership in most markets for the foreseeable future.

"Nothing is certain but it's difficult to imagine any competitor - outside of parts of Asia and Russia - making significant gains in general web search."

Even so, others are still trying, offering different features or even trying to rethink the principles of the underlying technology.

These are some of the alternative search tools.

Microsoft's Bing service is the leading search rival to Google when looking at the world as a whole - although it has less than a 20th of the traffic, according to StatCounter.

The most obvious difference between the two is Bing's use of colourful photographs as background images on its homepage with hotspots revealing related links.

Microsoft has also been experimenting with social features.

US-based Bing users see a sidebar in their results that suggests Facebook friends who might be able to provide more information about a particular search, and they can also see "boards" - images and links hand-picked by a group of bloggers and other experts.

Russia's most popular search engine also offers English, Turkish, and Ukranian-language versions among its options.
The firm is currently rolling out a revamped look to its results, introducing a new feature called "islands" - blocks of information that can be interacted with on the page, avoiding the need to click through to third-party sites.
For example a search for "Aeroflot check-in Moscow" brings up a block allowing the user to send their details to the airline, while "optometrist city clinic 57" allows the person to book an appointment with an eye doctor from within the results page.

DuckDuckGo highlights privacy as its key feature, promising not to collect or share personal information about its users - a topical concern after revelations that Google, Microsoft and others had handed over data to the US's National Security Agency.
Its traffic spiked after details of the Prism surveillance programme were leaked - although some later questioned whether it could truly prevent "NSA snooping" if the agency was determined to gather information.
DuckDuckGo also claims to be less cluttered than rivals - in part because it limits itself to one advert on each results page - and does not personalise results, saying this prevents users from becoming enclosed in "filter bubbles".

Most search engines base their ranking of results on their analysis of the words and links on a page.

Blippex instead orders sites according to their DwellRank - the amount of time people spend on a page once they have clicked onto it. The more seconds they linger, the more important the site is judged to be.

The service gets this information by asking volunteers to install an extension that sends it information about their activity anonymously.

Blippex launched earlier this month and early visitors might find some of its results unusual, but the developers promise that the more people use it, the better it should become.

Wolfram Alpha describes itself as a "computational knowledge engine" and strictly speaking doesn't see itself as a "search" service, even if many people use it to hunt for third-party information.

Rather than deliver links to other sites, it gathers facts and figures from primary sources and then allows the information to be structured and compared with other data sets, presenting the results in a range of tables, graphs and other illustrations.

Wolfram also charges for a "pro" option, which also allows users to enter images and their own statistics for analysis, and promises a richer set of results.

Blekko's unique selling point is its use of "slashtags" - a tool to filter the results the user wants to receive.
If, for instance, a visitor wants to know where to buy a cake they might type "chocolate cake / shop / restaurant" but if they want to see a list of articles about the topic with the most recent ones at the top they would type "chocolate cake / blog / date".

Results are then grouped into different categories - such as shopping, recipes and cake decoration - to help users focus on the kind of results they want.

South Korea's leading search engine dates back to 1999, when it was created by a group of former Samsung employees.

Queries deliver unusually long lists of links grouped according to where they were sourced from - blogs, social networks, advertisers, apps, books and news services.

Links often direct users to material sourced from Naver's own services including its "cafes" - areas where people sharing similar interests post content about a particular theme.

Earlier this month South Korea's Fair Trade Commission announced it was investigating the firm for anti-competitive practices.

Pipl specialises at unearthing details about a specific person or material they have posted to the net. It allows queries to be based on a name, email address, username or telephone number.

The developers say their product turns up results their rivals miss because Pipl "crawls the deep web" - including data on social network profiles, court records, member directories and other databases.
Results include photos and sometimes the names of other people the subject knows.

It might sound like a stalker's dream, but visitors can also use the service as a way of tracking down profiles and posts they had created and then forgotten about.

Baidu is by far China's most popular search engine, squishing Google's market share into single figures.
The firm says its strength is that it does not only provide links but, in many cases, the actual information the user wants. This can include songs and videos embedded into the results and even interactive web apps.
For now the service requires its users to be proficient in Chinese. However it recently launched an English-language website for overseas developers wanting to use its services to sell apps to the mainland.

Yacy bases its search engine on the principle of a peer-to-peer network.
Instead of using its own servers to index the web, it relies on its users' computers to do the work via software it provides. The information gathered is then shared to a common database, fragments of which are distributed across the network.

Because the answer to any query is obtained from other volunteers' computers rather than a central portal, Yacy says it is impossible for anyone to censor its results.

However, the ranking algorithms it uses are not as advanced as many of its more traditional rivals, which may limit its appeal beyond an enthusiast audience.

StartPage describes its service as being "enhanced by Google" - a cheeky reference to the fact it depends on the larger firm for all its results.

Its selling point is that it strips all identifying information about users before submitting their queries, preventing Google from logging their internet addresses or installing cookies on their device.

The company behind the product, Surfboard Holding, is based in the Netherlands. It says that places it beyond the reach of Prism and other US data collection programmes.

While all this may appeal to privacy-conscious web users, the trade-off is that results can't be personalised to take account of their history or location - although StartPage suggests this makes them more "pure".

Review: Bluenote a secure alternative to OS X's Notes

Bluenote 1.25 $2.00 If you're looking for a simple place to store notes, passwords, and to-do lists—something that's slightly above OS X's Notes app—Bluenote could work for you.
Get It for $2.00 As a place for written notes, to-do lists, and passwords, the $2 Bluenote (Mac App Store link) is nowhere near as robust as an app like Evernote .But if you’re always using OS X’s Notes app and you’d like an app with a basic security feature, Bluenote could be what you need.
Bluenote’s most important feature is that it requires a password every time you use it. The data stored in Bluenote and the backups of your Bluenote data are encrypted, according to the developer. If you lose your password, Bluenote can’t recover it; you have to reset the app (instructions are on the developer’s website) and then restore your data using a backup.

Bluenote can store its data to Dropbox so you can use Bluenote on other Macs and have access to the same data. But the developer doesn’t have an iOS app, so you can’t access your Bluenote information on your iPhone or iPad.

The only thing you can really do with any notes you’ve written in Bluenote is stylize the text with a few basic formats: bold, italic, underline, strikethrough, and list. You can’t add images or use Web links, limitations that prevent Bluenote from being a place for storing research or detailed notes (you can use images and paste in links in OS X’s Notes, though I still won’t use Notes for research).

Notes in Bluenote are built for text only. No images, no working URLs.

You can send a note as an email with the simple click of the email button, but if you’ve done a lot of cutting and pasting from websites, your email message will annoyingly have ASCII codes in place of some characters or spaces. You can’t export your notes for use in other apps, but since Bluenote notes are just text, you can copy and paste the note into a new document as a workaround.

Notes also has a calculator feature where you can write out a simple equation (for example, 500+500), select it, click the Calculator icon, and the math is done for you.

Bluenote’s Tasks can be used to create to-do lists, shopping lists, or any other type of check list. What’s nice about Bluenote's checkbox entry is that the box itself isn’t a simple checkbox that’s marked or not marked with an X; it’s a circle that has four stages of filler. For example, if you have a to-do list and you’re halfway done with a task, you can fill the circle halfway. It’s a good way to quickly remind yourself of how much work you need to do for a particular task.

Bluenote has a large collection of icons for quickly identifying Bluenote content. Unfortunately, Bluenote doesn’t tie into any type of notification system (like Growl or OS X’s Notifications), so you can’t set a Bluenote task to alert you in case you’re on a deadline.

User names and passwords can be stored in Bluenote, and the Password section gives you handy entry points for entering such data. The app will even generate passwords and indicate the strength level of your password.

Bluenote doesn’t plug in your information for you when you are about to log into an account on the Web. It’s strictly for storage of user name and password info. Bluenote does encrypt its data, so you might consider using it as a secondary backup location.

Bluenote won't replace a password management app like 1Password or even a free password manager website like Clipperz.com.

If you’re frequently writing in Notes, Bluenote may be worth the $2 fee for the ability to password protect your data and have it encrypted. Bluenote doesn't have a lot of features, and for some people, that's OK—more features just get in the way, and Bluenote doesn't encumber the user. But some people—like me—need features that aren't found in Bluenote, and will turn to other apps. 

Are alternative mobile operators the answer to roaming charges?

Regulations due to come into force across Europe in 2014 could offer a big opportunity for mobile operators if they can see a strong business case and slash roaming costs for consumers. But, as with much legislation, there are substantial problems too.

This was the belief of executives from OpenCloud, a software company offering solutions to telecoms companies to help improve their services.

Proposals from the European Union (EU) in 2011 led to regulations – set to come into effect in July 2014 – that will grant mobile users the option of choosing an alternative operator when using their handsets abroad. This would cut roaming costs significantly and give operators the opportunity to use competitor networks for a fair-priced wholesale fee.

But with less than a year to go, mobile providers are running out of time to put the technology in place. Debate rages on in the industry as to whether it is practical and whether all the mobile operators will be able to make the deadline.

Mark Windle, head of marketing for OpenCloud, said the new rules had been “forced by the will of the regulators”. He said it left operators “feeling a sense of frustration that they have to go through this expensive exercise, which will in turn reduce operating income, and they are footing the bill for it."

Jonathan Bell, vice-president of product marketing at OpenCloud, added: “Previous EU roaming legislation has changed the price, both for wholesale and to prevent bill shock for people coming home from their holidays or business trips, but this legislation will change the way the network works.

“To use an alternative provider, the way signaling behaves has to change, not just a number.”

There is no question the model is feasible from a technological standpoint - but there is no getting away from how much cost and effort it will require of operators.

“It is not just one place in the network that has to make the change but each individual service,” explained Bell. “These networks are 24/7, so they rarely change to prevent blackouts or downtime - but if they change this all at once there is a danger of it going wrong.”

And having such a short period to make such changes only increases the risk.

“It is a very challenging time scale because operators change networks in a slow and considered fashion,” Bell said. “They will be hard-pressed to do this in time.”

However, there is a clear opportunity for one or more of the operators to bring their group operations closer together and make a stronger play across Europe.

They have all the right assets, the right technology, the right knowledge and the right people. The question is whether they see a business case or not
Jonathan Bell, vice-president of product marketing at OpenCloud

“If one of the telcos decides to go for it, it could become a European-wide operator and capture a huge portion of the market and revenue,” said Bell. “They have all the right assets, the right technology, the right knowledge and the right people. The question is whether they see a business case or not.”

Neelie Kroes, the European Commissioner responsible for the digital agenda, has been pushing forward both this regulation and the longer term goal of having a single European market for telecoms. This could mean that, rather than the cluttered networks in Europe – with each country having numerous providers – the continent could look more like the US which, despite its size, only has four operators.

However, what the European Commission (EC) regulator seems to have forgotten is the other regulators involved at the local level.

“It is complying with regulations; that is the tricky bit,” explained Bell. “Unlike in the US where they have one regulator, here there are 28 countries and 28 regulators to answer to.”

“Neelie Kroes is quoting very ambitious targets for a single telecoms market and I don’t think it is going to happen in one or two years. The spectrum has been sold separately in each country and the regulators remain dispersed.”

If prices abroad were the same as at home, this wouldn’t be an issue Mark Windle, head of marketing at OpenCloud

But at the centre of what might be the most complicated issue for Brussels and the mobile operators is the user. Having alternative providers when abroad will make a big difference to their pocket. Both Bell and Windle believe that, if it is about price, there could be an easier way than forcing change in the network infrastructure.

“If the pricing [for roaming] was more transparent and at a reasonable price, this level of choosing an alternative provider wouldn’t be necessary as it would always be simpler and easier to stay with the operator we are with at home,” said Bell.

“Exactly,” added Windle. “If prices abroad were the same as at home, this wouldn’t be an issue.”

A group of 27 European Commissioners voted to end roaming charges in June 2013, with the goal of having this in play by the same deadline as the new alternative operator legislation. However, it has not passed yet and, while costs have been driven down for roaming in Europe by the EU and will continue to fall next year, it is unclear whether this proposal will come into play before the alternative roaming laws.

While operators might moan about the position they have been put in, they may need to stop arguing and start focusing on getting everything ready on time. EU citizens will have greater choice and cheaper options to staying connected once abroad – which is what many think the European regulators should focus on.

What developers think of Dropbox as an iCloud alternative

Developers would love to love iCloud. But many of them find Apple’s syncing platform ineffective, unreliable, or worse. Some developers have even pointed to iCloud sync woes as a significant holdup in releasing new versions of their apps.

And now Dropbox, the beloved powerhouse of sync, has taken a direct shot across Apple’s cloudy bow, with the announcement this week of its new Datastore API. Dropbox says that the Datastore API makes simple work of syncing structured data (“like contacts, to-do items, and game state”) across devices—and even platforms: Unlike iCloud, the Dropbox Datastore API works across iOS, Android, and the Web.

Because of the way Dropbox works, it offers one other significant potential advantage over iCloud: Developers who are working with Datastore can actually peek directly at the syncing data on Dropbox’s servers as they test and build their apps, a level of visibility that iCloud simply hasn’t offered to date.

Macworld spoke with several developers to get their thoughts on Datastore as compared to iCloud. Expectations are mixed.

Greg Pierce of Agile Tortoise—maker of sync-friendly apps like Drafts—is pleased by Dropbox’s announcement. “I think it’s exciting to see more players in this space.” Though he’s only played around with Datastore a bit, he said that “if it reliably delivers what it promises, then it’s a potentially very useful API with some real advantages over other sync options right now.”

Pierce said, however, that while “Datastore seems simple to implement,” what it offers doesn’t match directly what iCloud’s Core Data sync does—or is meant to do. That iCloud feature, when it works, should allow apps to reliably sync changes to large, complex databases, without requiring that the full data set be uploaded to the server. Datastore’s “scope is more limited,” Pierce said. All that said, if it works consistently, “that may still make it an attractive option for many apps.”

Charles Perry from Leaf Hut Software thinks Datastore shows promise, too: “Syncing is a notoriously hard problem … Even Apple, with all its resources, couldn’t pull it off. But Dropbox has a proven record in document syncing, so they may be able to succeed where others have failed.”

Not everyone shares Pierce’s cautious enthusiasm.

Tapbots’s Paul Haddad told Macworld that he didn’t even bother looking at the Datastore API. “I don’t really care,” he said. Because it’s not core Apple functionality, Haddad said, “it doesn’t run in the background,” which makes it far less appealing to him. Even with iOS 7’s improved background functionality, Haddad said, Dropbox won’t be able to match the ubiquitous omnipresent syncing that iCloud affords.

Haddad also pointed out that with each successive iOS release since the introduction of iCloud, the under-the-hood mechanics and functionality for its syncing have improved. He’s optimistic that the trend will continue with iOS 7.

Rich Siegel of Bare Bones Software sees the Datastore API as unattractive to many developers in the Apple ecosystem for another reason entirely: “There is no SDK for OS X,” he pointed out, “which makes it an instant nonstarter for any developer who needs to synchronize data between desktop computers, whether or not mobile devices are involved.”

That’s not the only downside for Datastore, either. All three developers mentioned that iCloud doesn’t require users to sign up for a new account, and Dropbox does. That said, “Dropbox has become ubiquitous enough that it is highly likely that someone who downloads your app will already have a Dropbox account and will only need to authenticate with it,” said Pierce, but that’s less assured—and less seamless—than an iCloud-backed option.

“In theory at least, iCloud used with Core Data offers … powerful tools to work with relational data, an extensive query language, [and] tools for working in multi-threaded environments,” Pierce said. Datastore can’t match that functionality. It can’t perform sorted queries, queries that require joining bits of data from multiple datasets, or paginate results—all fairly basic database functionality that’s (at least currently) beyond the scope of what Dropbox offers.

Such features, Pierce said, are a must-have for “larger datasets that cannot all be held in memory.” But he added, “I think the Dropbox Datastore can really shine for apps with small datasets.”

Siegel seemingly concurred: “The question of which service a developer chooses should, I think, revolve around what meets the technical needs of the developer on the way to shipping the product that best suits their customers’ needs.”

If Apple has cause for concern, Perry says, it’s all that cross-platform support that Dropbox offers. “iCloud represents [Apple’s] attempt to lock users into their ecosystem … If Dropbox catches on as a mainstream sync solution, it makes it easier for users to pack up and take their data to other mobile platforms like Android, or even other desktop platforms like Windows.”

“I can imagine a developer will find the Dropbox Datastore API worth a look,” Siegel said, “if their product is not on OS X and they have an interest in structured key/value/record/table database syncing and/or need a solution for both iOS and Android.” If a developer is instead targeting the Apple ecosystem exclusively, Siegel said, iCloud “is the platform-vendor-sanctioned solution, offers integration with the existing platform document and data storage APIs, and is available as part of the stock OS install at no charge.”

Siegel continued: “Dropbox does provide valuable services in the SDK, but these additions, while intriguing to some and potentially useful to many, do not represent an alternative to iCloud.”

Of course, if you want your app to sync to any non-Apple device, or to sync to your service’s website, iCloud won’t work. Said Pierce, “[Dropbox’s] additional flexibility of being able to access that data on Web or Android-based clients is attractive for many apps as well, and not something Apple offers.”

Siegel added: “Anyone who’s been working on iCloud thus far has either made it work, is in a holding pattern waiting for developments, or has gone on to devise and implement an alternative strategy. Although the Datastore API may look promising, in none of those cases do I expect a developer to drop what they’re doing and try to adopt it if they already are in the process of executing an existing plan.”

If your app’s needs can be met by (and synced with) Datastore, added Perry, “then I think you’d be crazy to not at least consider it. The integration won’t be as seamless as iCloud promises to be, but the Dropbox Datastore API opens up all kinds of business opportunities that aren’t possible with iCloud.”

“Ultimately,” Pierce said, Dropbox Datastore “will be judged on how reliably and efficiently it can deliver sync data”—especially because “iCloud Core Data [sync] sounds great on paper, but it practice has not delivered on its promises. If Dropbox can deliver and continue to build on this platform, I think they can become a real player in the database sync arena.”