Slashdot Mirror

• fails to employ reasonable and appropriate measures to protect privacy and confidentiality
• fails to provide better security than your run-of-the-mill online transaction
• collected personally identifiable sign-on history, contrary to claims in its privacy policy

In regards to single-signon there is probably a lot that can be done with certificates and or keys to estabilish a consistent online identity, but with a minimum of personal data. The personal data, if needed at all, has no need to be kept together with the keys.

Corporations have now gotten to the point where they must be obliged to respect the Bill of Rights and other legislation just as governments. They [proven] risk and damage from abuse is just to harmful otherwise.

public signs that they are hurting

First off they've grown through acquisition rather than innovation. That business model pretty much guarantees that they'll drop like a stone after their zenith. Additionally, their income follows a few quarters behind the hardware manufacturers which have not yet bottomed out.

Since they turned an $18 bn loss in 1998, they've been found guilty of breaking federal law, specifically by violating the Sherman Antitrust Act. On the side, they admitted to and removed at least one backdoor in their relseased binaries, and without a code audit there is no way to confirm or deny the precense or absence of more. Even if a government or large enough consortium of corporations were to pay a code audit , the existing code meets neither privacy nor security requirements needed inside the U.S. Outside the U.S., specifically in Europe, privacy standards are much higher and there is not much chance that these problems will be addressed in the near future. These are the result of design flaws not typos. Patches can't fix this, only a rewrite can.

So there's more to say regarding DRM, software subscription, further leveraging the desktop monopoly+DRM, undocumented APIs, OEM tricks, and last but not least perpetual lock-in from the MS-Word and MS-Excel file formats + DRM. So far, Germany, China, Peru, Venezuela, India, Norway, Finland, and others have expressed doubts as to the wisdom of trying such experimental technology, which of what little has been examined has been found wanting.

Also their desktop markets are saturated. In the office suite, MS-Word 2.0 for windows and MS-Word 5 for Macintosh were good enough. Folks grudgingly went along with the newer versions as long as times were good. The Windows product line has come to near its end - Win2000 is good enough and few customer have deep enough pockets nor are there enough big chumps to go for License 6.0 that sneaks in with WinXP. Macintosh OS X gives you most of the commercial desktop applications that you will need, plus you have the added stability and ease of maintenance.

In the server room, any one that can read English is sticking with one of the *NIXes.

isn't this exactly the kind of thing that Palladium aims to prevent?

Palladium is to prevent you from paying attention to the punishment phase of the antitrust case and to prevent you from paying attention to Microsoft's accounting, uh, descrepancies.

Well, Liberty Alliance will not carry personal data. An uses very different technology from MS-Passport.

Huh? This is precisely the problem. Users do store crucial data on their home computers, they just don't know they do.

Passport stores encrypted credential data on client computers in the form of persistent cookies. Grab the cookies, 0wn the d00d's wallet. (source: Avi Rubin's paper)

All we need is a Klez variant that propagates by spreading these cookies to other users in the address books (or, more evil still, by posting them on USENET either directly or via mail-to-news gateways in after converting them to text a'la SpamMimic), and any black hat in the world can count on a continual supply of Passport cookies from a large pool of unsecured and compromised machines.

> Any bank which requires me to have a Passport account won't get my business. The one thing about capitalism is that you -can- force unwanted business to end, simply by going to their competitor

What you said. I don't trust Passport as a security mechanism. I won't do business with an organization that demands I link it with my credit card. If that means I switch banks, the branch manager and head office will get copies of a letter explaining precisely why I switched.

I prefer to bank at large national or regional banks, but even if they "all" go Passport, I'll happily switch to small regionals, of which America has hundreds, if not thousands, to choose from.

So, what are they supposed to use, a really big passwd file? OpenLDAP? Novell NDS? A big Oracle database? Why should we even care what the technology is, as long as it works?

Maybe because it doesn't work.

ever thought of that?

Unfortunately, all the Microsoft-hating government pawns around here seem to have missed the real point of the article.

This isn't just "Microsoft-Hating"
These are valid concerns...

Again, MS-Passport cannot be made secure even in theory. There are fatal errors in MS's implementation in additional to the fundamental problems with the basic idea.

David P. Kormann and Aviel D. Rubin, " Risks of the Passport Single Signon Protocol [avirubin.com]," Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. (accessed 21 sep 2001)
http://avirubin.com/passport.html

Microsoft is running out of steam and is reduced to using marketing and legal teams to push stale products. MS-WindowsXP and Xbox, two products expected to produce revenue and vendor lock-in, are just not actractive to the market.

• What happens to passport?

It probably dies. Microsoft has known since 2000 (when the article below was published) at the latest that MS-Passport cannot be made secure even in theory. There are fatal errors in MS's implementation in additional to the fundamental problems with the basic idea.

David P. Kormann and Aviel D. Rubin, " Risks of the Passport Single Signon Protocol," Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. (accessed 21 sep 2001)
http://avirubin.com/passport.html

Xbox is flopping in Europe and Japan, even without taking into account the long term effects of shipping defective units. If things turn around for Xbox in the U.S. it can live, but Japan is the market that it needs to thrive.

The MS-WindowsXP sales are pretty far below expectations and even these are primarily from the OEMs. Not enough money there either.

.NET? who knows? But until it looks like developers of third party software will be able to work freely with .NET, there'll be no takers. That and there is the added cost of reinventing java and marketing it as C#.

ActiveDirectory? It does seem like it provides most of the functionality of OpenLDAP, but at a higher price and without multiplatform support. Novell's eDirectory does seem a more mature technology from a company with more experience in that area. Now that Novell is part of the "Liberty Alliance", AD is also roadkill.

Lastly, as everyone and their dog has mentioned, the changes between recent versions of MS-Office upgrades just don't justify the expense for most individuals and corporations.

MS really only cares about the bottom line and obviously security issues are about to bite them financially. Right now, Bill can't do much except blow smoke. The distraction is really needed right now. Especially when you consider:

That the effort to squelch bug reporting is a tacit admission that none of the products in the current development cycle are likely to be secure

Prestigious and influential groups like the National Academy of Sciences are calling for punishment of software firms that skimp on security.

MS products will be magically secure and stable after February.

They've been found guilty of illegally maintaining a monopoly and the punishment is under discussion.

Several U.S. states and some European governments and commissions are pursuing / considering their own legal action.

The MS legal counsel is stepping down

MS-Passport, their new cash cow, can't even be made secure (thus their hop to Kerberos)

Revenue from upgrades is nil and given that Intel is not expecting to do well either the next few quarters will be for MS also.

Simply put, Bill is on so many people's shit list with no easy way off. A few decades ago, IBM used to have most computing centers by the short-n-curlies, but pushed it too far and more or less disappeared. MS is in a prime position to do the same.

David P. Kormann and Aviel D. Rubin, " Risks of the Passport Single Signon Protocol," Computer Networks, Elsevier Science Press, volume 33, pages 51-58, 2000. (accessed 21 sep 2001)
http://avirubin.com/passport.html

I'll admit, I've never used Passport. In choosing to highlight one issue, I picked what seemed most dangerous to me (eg. forgetful people accidently leaving their online lives wide open to attack). It appears that my criticism was greatly overstated due to poor understanding. I'm sorry, and thanks for the explanation. I hope people will go ahead and follow that link since those guys certainly know more about the issues that I do.

For simplicity, I'm restating the link here.

This report provides a decent description of Passport's technical architecture and some of it's potential issues, and links to other referances.

While it does confirm your statement that you can tailor and select what information you send from the "wallet" MS keeps for you, there are still problems. For one thing when you sign into Passport this is noted by use of encrypted (3 DES) cookies stored on your browser. The intent here is that you only need sign in once and all kinds of sites will be able to authenticate you. This part of the procedure happens transparently once you've signed into Passport.

The vulnerability here should be obvious, if you don't at some point logout from Passport, then the next person who opens the browser will be recognized as you anywhere that uses Passport authentication. Furthermore those neatly prefilled out forms will then contain all your information which this imposter could simply read off. Of course, the cookies are set to expire after a while, but certainly that is a matter of hours if not days, since MS doesn't want to interrupt people and force them to relogin.

This is only one of a number of problems and potential attacks outlined in the site I linked above. Good stuff, I suggest you check it out.

So now on, forgetting to logout will be an internet wide catastrophe as opposed to a localized problem? Thank you, MS.

On a similar note, Aviel D. Rubin, another one of the authors here, was also one of the authors of the passport analysis that was recently mentioned.

The arrest of Avi Rubin would get a lot more attention and reaction from the serious research/tech community than the Skylarov case is producing.

The arrest of Avi Rubin would get a lot more attention and reaction from the serious research/tech community than the Skylarov case is producing.

I'll agree with people that this paper is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I though I'd might mention here:

• The first interesting point I noted is that while using Netscape, clicking on the Logout button for Hotmail would appear to log you out of Hotmail and redirect you to msn.com. But if you were to click the Hotmail link again, you would appear in your inbox without reauthenticating. Needless to say, this creates a major practical security flaw for non-technically-minded users (ie. the users most at risk because they don't fully understand how the whole process works) as someone on a public terminal can commandeer a previous user's Passport account by simply clicking on the Hotmail icon, hence gaining access to their account. So Passport doesn't work properly with Netscape, but works fine with Microsoft Internet Explorer Conspiracy theorists and Microsoft bashers, do what you will with that statement. The obvious solution to this problem is to use MSIE (a morally repugnant option to some in the Slashdot community), but it shows the problems that can occur when differing platforms aren't properly taken into consideration.

• The central point of authenication can also prove a security risk as it provides a central point of attack. There's no real way around this particular risk as it's a long-accepted notion that the more valuable data is on a machine, the more likely it is going to be compromised (or at least, attempts are made). So to have vital information for all Passport users on a single server (correct me if I'm wrong) makes a very tasty target for hackers, crackers and anarchists the world over.

• It's been a long-accepted notion that the weakest part of any security system is the people, and that includes everyone from users to sysadmins. So if you choose an obvious password (like "swordfish"), then your account is more likely to be compromised because the hacker can just guess your password, rather than employing elaborate methods (such as DNS spoofing, explained here in this SANS article) to compromise your account.

• And finally, I'd like to point out that Passport, while having serious security flaws, is an abitious project that makes the best of existing technology. It's alright to stand up and say (or post, in this instance) that Passport is insecure but until we fundamentally change existing protocols (DNSSEC and IPSec are two suggested standards) then this is what we have to deal with.

In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.

Yeah? Well you shut up!