Slashdot Mirror


Analysis of Passport Flaws

An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assessment of security problems with the unified login that passport aims to achieve. This is a good read.

174 comments

  1. Re:What the hell?!?! by sydb · · Score: 1

    Firstly, I did not attend 'public' school.
    Secondly, I am not arrogant, I am merely correct.
    Please consult the Oxford English Dictionary at
    your leisure.

    As an interesting point of discourse, note that
    the rule 'i before e except after c' does not apply
    to the word "leisure". There are rules and there
    are exceptions.

    --
    Yours Sincerely, Michael.
  2. Watch the date by zunix · · Score: 1
    In the guy's CV page it says that this publication is from July, 2000. I don't know if it makes any difference, but it still seems like relevant info.

    Yeah? Well you shut up!

  3. Re:A quick grammar lesson for the stupid by Anonymous Coward · · Score: 0
    describing problems with Passport its not lame anti ms rhetoric

    A run-on sentence, as well. You have to really try to construct a run-on sentence...they're not common like "alot" or "their". It's good to see slashdot really trying.

  4. Told you so! by Anonymous Coward · · Score: 1, Funny
    "... We believe that until fundamental changes are made to underlying protocols (through standards such as DNSSEC and IPSec), efforts such as Passport must be viewed with suspicion. "

    See? You NEED TCP/MS. Why don't you guys ever trust me?

    --- billg

  5. I Do Not Trust Microsoft! by Anonymous Coward · · Score: 0
    I don't care whether it might be possible to make Passport flawless! That is a mere technological detail.

    Using Passport means that I must deal with Microsoft.

    I do not trust Microsoft!

    End of discussion!

  6. Re:Why not local machine database? by Anonymous Coward · · Score: 0

    Actually, AIM has had buddy lists on a central server for quite some time now, and I think it's great. Any computer with AIM on it allows me to instantly access my buddy list, such as my computer at work. Passport is a reasonable step towards a world in which a single person accesses the Internet through dozens of computers every day. For that you need personal information on some accessible server, and of all the companies in existence, microsoft is probably the best equipped to provide it.

  7. Re: Do we really *need* Passport? by Spy+Hunter · · Score: 2
    The situation without passport is even more insecure because:
    - it relies on individual vendors to provide security for communication
    - consumers trust these vendors to do so in most cases
    - any vendor protocol is subject to the same security risks as passport
    - most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

    Yes, but since the current system isn't centralized, a hacker can only crack one transaction or vendor at a time. With a centralized passport system, a hacker could crack one username/password and gain access to incredible amounts of information and purchasing power. Plus when the Passport servers are cracked (I think it's inevitable that they will be at some time, somehow) the consequences will be catastrophic.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  8. Re:Hailstorm. by Anonymous Coward · · Score: 0

    > ObNote: Social Security Numbers were not originally intended to be used for identification purposes. If you find an old enough Social Security Card, it will even say that on it.

    Actually, the statement on the Social Sec. Card says that the CARD is not intended to be used for identification purposes. The number itself always was an ID number for gov.

  9. DMCA and /. by ImaLamer · · Score: 1
    The acronym DMCA has become nothing more than:

    All your base are belong to us

    Let's see who can post the letters first!

  10. Re:Spoofing Passport Login by sfe_software · · Score: 2, Interesting

    As has been pointed out, you can't have literal '/' or '?' in the username portion of the URL (that before the @)... I didn't realize this before, so it does make it a little more difficult.

    Using %-encoding would work for hovering over the link, but not what's shown in the address bar of the browser after the link is clicked.

    On another note, something else the article mentioned was DNS spoofing. One quick way to do that would be to sign up at some large ISP to host "passport.com", and hope that the signup process is automated. Then, for users of that ISP (or rather for users of their name servers), passport.com would resolve to your webserver, assuming that ISP uses the same DNS servers for both authoritative and non-authoritative requests.

    Of course, this would be difficult to pull off, but I'm sure with some creative thinking it could be done. I've seen domains resolve to the wrong host many times due to similar tricks (intentional or otherwise). We once had "firefly.com" (coincidentally an MS-owned domain) in our DNS thanks to automated signups for domain hosting; luckily, we only served authoritative requests (we were a webhost, not an ISP).

    - Jman

    --
    NGWave - Fast Sound Editor for Windows
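The comment above turns on the difference between the text a user sees before the `@` in a URL and the host the browser actually connects to. The following is an added example, not code from the thread or from Passport: a small Python check, built only on the standard library's `urlsplit`, that reports the effective host of a URL and flags links whose userinfo part is itself shaped like a hostname, including the percent-encoded variant the comment mentions. The helper names and the sample URLs (with a TEST-NET address) are constructed for the example.

```python
from urllib.parse import urlsplit, unquote


def effective_host(url: str) -> dict:
    """Return what a browser really connects to for `url`, plus any userinfo.

    Hypothetical helper for this example. `urlsplit` puts everything before
    the last '@' in the authority into `username`, so a link such as
    'http://passport.com@203.0.113.5/' has host 203.0.113.5, not passport.com.
    """
    parts = urlsplit(url)
    raw_userinfo = parts.username  # text before '@' in the authority, undecoded
    return {
        "host": parts.hostname,                       # the real connection target
        "userinfo": raw_userinfo,                     # as written in the link
        "decoded_userinfo": unquote(raw_userinfo) if raw_userinfo else None,
    }


def looks_like_host_spoof(url: str) -> bool:
    """Flag a URL whose userinfo, once %-decoded, contains a dot.

    Legitimate userinfo ('anonymous@ftp.example.org') is a plain account name;
    a userinfo that reads like 'passport.com' or 'passport.com/login' exists
    only to mislead the reader about the destination host.
    """
    decoded = effective_host(url)["decoded_userinfo"]
    return bool(decoded) and "." in decoded


if __name__ == "__main__":
    # Constructed sample links: one deceptive, one ordinary, one %-encoded.
    for link in (
        "http://passport.com@203.0.113.5/login",
        "http://www.passport.com/login",
        "http://passport.com%2Flogin%3Fid%3D1@203.0.113.5/",
    ):
        info = effective_host(link)
        print(f"{link}\n  host={info['host']} userinfo={info['decoded_userinfo']} "
              f"suspicious={looks_like_host_spoof(link)}")
```

The check deliberately decodes the userinfo before looking at it, since the raw form may hide the dots and slashes behind `%2E` or `%2F`; a link scanner in mail or proxy logs would apply the same test to every `http`/`https` URL it sees.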
  11. Re:more MS insecurity by WWWWolf · · Score: 1
    The paper's authors list an email address as "{davek,rubin}@research.att.com". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

    They're using a pseudo-smart, UNIX-shell-like way of telling their addresses... probably confusing to many people. Read the above as davek@research.att.com and rubin@research.att.com.

  12. Re:What coutry do you live in? (-) by Anonymous Coward · · Score: 0
    In Finland.

    I've got a name and a social security number (obligatory; every citizen gets one at birth and cannot opt out) with which I can be formally identified.

    If requested by the police on the street (even with no plausible reason) you have to be able to produce a proper ID or be taken to the station to allow them to identify you.

    If I want to rent a video I have to give my social security number and show some ID.

    If I want a library card I will have to show my ID.

    If I want to open a bank account, I'll have to prove my identity.

    If I use my bank card (not a credit card; only allows withdrawals if you've got the money on your account at the moment) to buy stuff in excess of $50 I'll have to show my ID and let them write down my SS#.

    Finland may be the promised land of computer and information integration into the fabric of the society but this also has drawbacks. Information about you gets easily collected into huge data banks and is usually accessed by your social security number.

    You don't have to report your income, stock, loans or deductibles to the Tax Office. In fact, you don't have to fill in your tax report at all. They already have all the information about your economy and they send you a pre-filled tax form which you can either correct and send to them or simply leave as it is.

    I'm sick of leaving electronic trails everywhere I go.

  13. Alternative to Passport by sasha328 · · Score: 1

    The sole reason that Passport is being pushed forward is to minimise the number of logons and passwords that a user needs to remember; so we store them in one location!
    Wouldn't it be more secure to have multiple logons (for each service provider) that are exactly the same? Sure there would be a security problem if someone happens to know my logon and my password, but there is a lesser chance of them having access to all my details, because they have to logon for every single service individually.

    I found the following from the paper to be very pertinent: "The centralized service model is antithetical to the distributed nature of the Internet that has made it so robust and so popular."

    1. Re:Alternative to Passport by 2bStealthy · · Score: 1

      sasha328 the P2P movement is certainly an alternative. Look at what AOL has done: 1) They own the portal as an ISP with millions of users; 2) They own the digital content (Warner Bros., Atlantic Records, etc.); 3) Now they've decided to control the delivery of that content before P2P does it for them. More at: http://wavxtek.tripod.com/AOL_and_DVI.pdf

    2. Re:Alternative to Passport by Anonymous Coward · · Score: 0

      I don't see why you can't encrypt them and leave them on the user's machine, accessible with a single local signon.

  14. Re:Hailstorm. by Kierthos · · Score: 2, Informative

    ObNote: Social Security Numbers were not originally intended to be used for identification purposes. If you find an old enough Social Security Card, it will even say that on it.

    Now, personally, I don't want an 'internet' that makes me use Passport if I want to access certain sites. Sure, if I'm accessing various MS supported sites, I can understand it being there, but I still don't like it. What I can't stand is the MS attitude of making their products 'required' and shutting out everyone else. Sure, some people might just call it good business sense on the part of MS, but let's face it, with as much market share for OS's that they have, it's just another continuation of monopolistic practices.

    "Where shall we let you go today?"

    Kierthos

    --
    Mr. Hu is not a ninja.
  15. I understand this is a futile question, but.... by BigTimOBrien · · Score: 1

    The single-signon mechanism is housed on a central MS server. So someone like IBM would have to send a redirect to the browser with the URL of the Passport login page. From my understanding of the article, all of the communication between Passport and IBM would happen through the client. The client is the medium of communication between Passport and the vendor. Please correct me if I am wrong.

    Or to be more specific Microsoft Internet Explorer 5 is the only valid communication mechanism between the vendor and Microsoft. Microsoft worldwide empire is going to be built on redirects and cookies?!??! Dear God, please deliver us from this insanity.

    Why not say to each vendor: here, drop this box in your network, use it as your authentication, we'll set up some sort of super encrypted VPN between your network and ours and we'll provide real-time authentication. Why not? Because it is too easy, and it doesn't TRAP THE CONSUMER INTO OUR INCREDIBLY INVASIVE SOFTWARE.

    What about browsers that don't accept redirects? I know, I know, it's 2001, people should be using modern browsers, but what about people with old computers. I mean, maybe I'm just wrong, but if you are say Barnes and Noble or Ford ( whatever? ), why would you hand over your security concerns to Microsoft?!? After such high profile security explosions such as CodeRed, and now the CodeRed II which is MUCH MUCH WORSE because now everybody who has read Slashdot today has root privileges on every box that has been compromised. ( Be good, people. Be good. )

    --
    ------ Tim O'Brien
  16. Re:more MS insecurity by James+Foster · · Score: 1

    The paper's authors list an email address as "{davek,rubin}@research.att.com". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

    davek@research.att.com
    and
    rubin@research.att.com

  17. Network Solutions by sharkey · · Score: 2

    He forgot to point out that Passport can only work as long as the Open Source community is willing to pay the domain registration renewal fees for Microsoft's domains.

    --
    "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  18. Re:What the hell?!?!The post also has nothing to d by anshil · · Score: 1

    The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

    Actually this is a plus point, and exactly how they should do it. A news reporter should report, and not add his opinion to it.

    Many news on /. are not *lame* anti ms rhetoric themselves, but often times the submitters add their "lame" opinions to it, and many reply comments come from a feared view, so are FUD, from both sides.

    I think most of the anti-ms FUDs actually hurt the OpenSource community, as it loses seriousness through this. Through all the FUD avalanche the serious crimes weasel through unnoticed. In some degree some stories had their positive effect, like in example the canceled program where they tried to track people who buy PCs without Windows preinstalled. Constant watching and finger clapping seems to be necessary; to trust blindly IS a failure, for both ms-product customers and their competition. However we should take care to not spread pure FUD, but try to make serious stuff, and not to cry for everything, especially unproven actions.

    Yes, grammar errors make a bad impression on first sight, but actually this is just dealing superficially. I know my grammar is bad since I'm no native english speaker, and haven't yet learned better, so please spare my post from your corrections.

    --
    Karma 50, and all I got was this lousy T-Shirt.
  19. Re:Security Soup by 2bStealthy · · Score: 1

    Go to http://www.setco.org and in the product matrix click on Microsoft's wallet.

  20. Missing the forest for the trees ... by nicodaemos · · Score: 2, Insightful

    The article does a good job of articulating specific issues with Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS or other open source single signon systems. However, I believe they are missing an important piece.

    This is important because users tend to pick poor (guessable) user names and passwords ...

    Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article that discussed how the average person tends to do a poor job of picking a secure password.

    Fundamentally, Microsoft's passport or any other single signon system is as weak as its weakest link, which, in many cases, appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

    These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

    However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

    Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

  21. Re:Windows users by fors · · Score: 1

    Yep, and in the early days of automobiles I could choose to deal with Standard Oil or I could ride a horse. Sometimes the choice isn't really a choice.

    --
    "If there is nothing you are willing to die for, then you are not really alive." Myself
  22. Re:Security Flaws by CaptDeuce · · Score: 1

    ...most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

    "Renowned"? Don't you mean "notorious"?

    --
    "Where's my other sock?" - A. Einstein
  23. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  24. Interesting read, but it's the s.o.s. by tre · · Score: 1

    (Same.Old.Sh*t)

    Once again MS boasts a new "protocol" or implementation of software that relies on one, and once again it is proven insecure. I find it not surprising though. How can I or any of us for that matter, think that something aimed toward making authentication easier, coming from MS, would actually make things better? Oh surely, the atypical weblite user is going to find this a great and a wonderful "time saver", while the rest of us who give a sh*t about information security end up finding ways to publicize its flawed security model, in desperate attempts to keep something that may end up forcing its use upon us through monopolistic tactics, from being so problematic. Thanks MS...

  25. Stupidity. (Re:What the hell?!?!) by Anonymous Coward · · Score: 0
    For Bill's sake, are you bloody daft?

    I mean... thats 6 words...

    Should be "that's".

    and somehow /. editors managed to fit in about 3 mistakes in 6 words?!?

    Bad sentence structure.

    /. isn't exactly renowned for it's editing

    "It's" = "it is". You should have written "its" here.

    now I know its not lame and that its "a good read"

    And now you do it the other way around. You should have written "it's", as in "it is" here. Sigh.

    Spot the error.

  26. Re:Windows users by DNS-and-BIND · · Score: 1
    Repeat after me 10 times...Wine Is Not an Emulator

    :P

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  27. Re:Sporky is a fuckwit, true. AC's still SUCK! by Anonymous Coward · · Score: 0

    Shut up you cunt. I mean really, shut the fuck up.

    I'm bored... and I haven't finished abusing you yet... so I'm waiting for GiZ to come back up. Tell Vladinator to get off his fat ass and sort it. K?

  28. more MS insecurity by DNS-and-BIND · · Score: 0, Flamebait
    Passport's security model depends heavily on the Domain Name System

    You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine. For those not in the know, most computers are configured to consult a local database of hostname/IP pairs every time a domain name is resolved to a numeric IP address (this happens every time you need a name resolved, which happens very very frequently). This local file is always queried first; if the answer is not found (usually the case) a query is issued to the DNS server, which provides a response. However, adding extra entries to a Windows hosts file (redirecting, say, passport.com, or more insidiously, microsoft.com to a lookalike site run by the attacker) could be a serious vulnerability. In the case of passport.com, the attacker could gain personal information and credit card numbers, however if microsoft.com were to be redirected, an attacker could trick the user into downloading trojaned patches or other software.

    The paper's authors list an email address as "{davek,rubin}@research.att.com". This address is invalid (501 Bad address syntax). Anyone know how to contact these people?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
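The post above describes why a tampered hosts file matters: it is consulted before any DNS query, so a single appended line silently redirects a name like passport.com for every program on the machine. As an added example (not from the thread, not Microsoft's code), here is a small Python audit in the defender's direction: it parses a hosts file in the format Windows (`C:\Windows\System32\drivers\etc\hosts`) and Unix (`/etc/hosts`) share, and reports any watched public name that has been pinned to a non-loopback address. The sample file contents, the watchlist and the TEST-NET address are constructed for the example; the function names are hypothetical.

```python
import ipaddress
import sys

# Constructed sample hosts file: two normal lines plus appended redirections
# of the kind the post warns about. Not a real capture.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# lines below are the kind an attacker or a careless admin might append:
203.0.113.5     passport.com www.passport.com
203.0.113.5     microsoft.com   # would serve "patches" from the wrong host
10.0.0.7        intranet.example.local
"""

# Names that should never be pinned in a hosts file, except to loopback
# (pinning to 127.0.0.1 is a common, deliberate way to *block* a site).
WATCHLIST = {"passport.com", "www.passport.com", "microsoft.com", "www.microsoft.com"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping in a hosts file.

    Comments start with '#', blank lines are skipped, and one address may be
    followed by several names. Lines whose first field is not an IP address
    are ignored rather than treated as mappings.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield str(ip), name.lower(), line_no


def suspicious_entries(text, watchlist=WATCHLIST):
    """Return watched names mapped to anything other than a loopback address."""
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name in watchlist and not ipaddress.ip_address(ip).is_loopback:
            hits.append({"line": line_no, "name": name, "ip": ip})
    return hits


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for hit in suspicious_entries(text):
        print(f"line {hit['line']}: {hit['name']} -> {hit['ip']}")
    if not suspicious_entries(text):
        print("no watched names redirected")
```

Because the hosts file is plain text and normally almost empty, the most robust control is simpler than any parser: record a hash of the file on a known-good system and alert on change. The audit above is what you run once the alert fires, to see which names were hijacked and where they now point.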
    1. Re:more MS insecurity by cygnusx · · Score: 1

      Sorry, that should have read... authors with addresses at the same server using that notation.

    2. Re:more MS insecurity by cygnusx · · Score: 1

      It's a usual academic convention to list authors with addresses at the same server in that notation. Try davek@... and rubin@...

    3. Re:more MS insecurity by michael_cain · · Score: 2
      It would be nice if proposals for global authentication services were secure.

      It would be even nicer if the most popular desktop environment were reasonably secure so that we couldn't easily list attacks that start there -- corrupted hosts file, cookie harvesting, keystroke capture...

    4. Re:more MS insecurity by Tackhead · · Score: 2
      > > Passport's security model depends heavily on the Domain Name System
      >
      > You know, this more than anything else in the article bothered me. I can see the next big wave of MS server vulnerabilities leading to the surreptitious replacement of HOSTS files on the target machine.

      I can see that, but I can also see a wave of cookie-harvesting attempts. If the expiry dates on the persistent cookies used as authentication tokens are long enough (as they presumably must be, or the user would have to log in again every day), a worm that .ZIPs up a user's cookies and "phones home" by emailing the cookies to a set of randomly-pregenerated Yahoo (or for irony's sake, Hotmail) accounts, by filling out a web form (as, for instance, an AC posting to /. in a user-created forum), maybe even to an abandoned newsgroup, with bonus points for doing the USENET post through an open SOCKS proxy.

      Either option is possible - the HOSTS file approach would be readily-detectable, though, and easily fixed. Whoever set up the site to which the h4x0red HOSTS file pointed would also be the obvious target for investigation. The cookie-harvesting approach would offer similar ease-of-coding for the k1dd13z, but depending on the mechanism chosen for "phoning home" (and the options available to the attacker for retrieving the messages containing the cookies, including anonymizing proxies), near-total anonymity.

      As currently implemented, Passport and .NET are disasters waiting to happen, and I will entrust no confidential data with them. If my bank or broker requires their use, I will take my business elsewhere, or regress to doing my business over the phone or in meatspace.

  29. Re:What the hell?!?! by Zombie · · Score: 1
    michaelatwd21dotcodotukdotspamproof stated with hilarious arrogance:
    "its" does not require apostrophes in any of its incarnations, possessive or abbreviative

    Well, now we know what the British public school system is worth. It's useless!

  30. Re:What the hell?!?! by cREW+oNE · · Score: 1

    I don't know. Frankly, the editors that post the MS articles are making fools out of themselves. Slashdot these days seems more and more about posting negative MS articles, and less about "stuff that matters."

    --
    +++ATH0

  31. Re:The Power of Passport... by Cardinal+Biggles · · Score: 2
    To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced.

    I don't think that's true. There is a redirect through Passport for every site the user visits, and both the grocery store and the online stock broker have registered their own key with Passport.

    You can only use a cookie set by Passport for one single site, and the grocery store can't use the authentication token you used to access its site to impersonate you at your online stock trader, because that token has to be encrypted in the stock trader's key (which the grocery store doesn't have).

    That said, you make a valid point too: what you get in return for locking your grocer out of your stock account is the little fact that Microsoft is now able to access all your accounts. Because they have all the keys.

  32. Why not local machine database? by Nightlight3 · · Score: 3, Interesting
    Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed.

    It might "be nice," but for whom?

    Why does this info need to be on an external machine at all (other than helping Microsoft or government bureaucrats)? A browser (or an add-on) could do all that with a locally encrypted database (which can be copied or synchronized with, say, your laptop) and you don't have to expose your personal info and browsing habits to some central agency to collect, track and correlate. It need not essentially be any different than the list of bookmarks or email addresses we already use. If you have multiple machines, you copy your bookmarks or email address book to other machines.

    The commonly parroted "Passport rationale" could be equally applied to browser bookmarks or email address book and, if it had any merit, we would already have our bookmark lists and email address books on the Microsoft servers to use as they wish. We don't keep them there. And the same will apply to the Passport scam.

    So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books.

    1. Re:Why not local machine database? by Nightlight3 · · Score: 1
      • "So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books."

      The idea behind passport and a centralized approach is so that your information is available EVERYWHERE.

      That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)?

      The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruise ship, without that so "terribly hard" job of having to copy address book to your laptop.

      While you can argue theoretically using some contrived low-probability scenarios or by tweaking your weighing of one convenience (usable "everywhere" and without needing to copy data to other computers) vs all the problems, to conclude that Passport-like schemes will take off, the only weighing that counts at the end (the hundreds of millions of email address books & browser bookmark users) has already been done and the result is: No Thanks. I would rather copy my email address book and bookmark files to my laptop than have Microsoft or government keep them for "my" convenience on their servers. The same goes for my "usernames" and my "passwords."

      The Passport will take off the same way the so-called "push technology" and other such scams, disguised as the great "conveniences" for the users, took off. They are much too cheap and transparent, even for the TV zombie generations lobotomized by the PeeCee "education."

    2. Re:Why not local machine database? by Anonymous Coward · · Score: 1, Insightful
      The idea behind passport and a centralized approach is so that your information is available EVERYWHERE. If you went to a place that has internet enabled kiosks and you wanted to access your information you would have to have synced it with this system. Using passport, or another system like this, the user doesn't have to worry about syncing at all.

      Perhaps a better approach would be to create smart card technology that holds this information. The biggest security risk here is losing your smart card, probably about as damaging as losing your credit card, perhaps more so, but it's realistically the only alternative. Syncing is not an alternative because it limits where your data can be accessed from.

      Keep in mind that many of the systems Passport and Hailstorm, because the two are intrinsically intertwined, do not exist. Passport and Hailstorm could conceivably evolve into smart card technology or PDA based systems that use IR or Bluetooth to communicate with each other. These two technologies represent innovation and the future of computing systems. Let them flourish and see where they take us. Don't rip them out with the weeds because you don't understand them.

    3. Re:Why not local machine database? by NearlyHeadless · · Score: 2
      > That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)? The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruse ship, without that so "terribly hard" job of having to copy address book to your laptop.

      Actually, I do keep a list of email addresses, as well as phone numbers on a Yahoo account, even though I don't use Yahoo mail. I find it hard enough to keep my work and home machines in sync, much less my non-existent laptop to take on cruise ships.

      I also keep an encrypted list of passwords in a file on a central server somewhere. I do that not just because I want to access them from more than one place, but also because I want to have them if my hard disk crashes (which happens about one every three years).

      The "numerous and heavy downsides" of Passport are so far entirely theoretical. I've never seen a single complaint from anyone.

  33. Jabber transports are still unstable by Anonymous Coward · · Score: 1, Informative

    The icq transport has been dead for a month now. Dunno about msn and aim

  34. need to heard your daily dose of anti-ms? by Anonymous Coward · · Score: 0

    Well, at least slashdot can be counted on for your daily dose of anti-Microsoft. You open source people have stepped to a new low. Do you think that if you read an anti-Microsoft piece every day that you will somehow feel that your product is better? Is this the re-assurance you need? If so then you need to get a life.

  35. Re:What the hell?!?! by p_trinli · · Score: 1
    I honestly wonder how someone as... uhm, challenged, as Malda managed to start and run Slashdot in the first place. I say we have a new Poll:

    Who should take over Slashdot?

    • Anonymous Coward
    • CowboyNeal
    • Hemos
    • timothy
    • Write-in (post it in a comment)
    • etc.
  36. Re:Windows users by Anonymous Coward · · Score: 0

    Wine Is Not an Emulator

    Then what the hell is it? An emulator?

  37. Re:Windows users by the+eric+conspiracy · · Score: 2

    > StarOffice. It supports all MS-Office formats, it's free and available on most platforms (including Windows.)

    I tried that. It doesn't reliably open all MS-Documents.

  38. Re:Hailstorm. by philipm · · Score: 0

    yeah, OK. Most people agree that it is a very good thing for everyone that you don't speak for most people. Have you ever heard of social security numbers? How about mother's maiden names? Do you understand that the only real security is to change your password?, and that having 100 different logins and passwords is stupid? Oh, and P.S., if microsoft graciously takes the risk of developing a technology that is used in every online transaction then why shouldn't they get a cut like visa or AOL?

  39. Re:Windows users by halftrack · · Score: 1

    On rare occasions it doesn't. (But it usually does.) You still don't need Windows. You can even depend on Office without Windows. Just use Wine (Windows emulator); Office works with it.

    Now repeat after me 10 times; I don't need MS, I don't need Windows

    --
    Look a monkey!
  40. This entire discussion violates the DMCA by crovira · · Score: 5, Insightful

    And that was the point.

    Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.

    The DMCA was NOT an improvement.

    --
    MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
  41. Re:Fuck you spork_testicle. by Anonymous Coward · · Score: 0

    Testify!

    spork_testicle is a crap spewing mong, and he's homosexual too.

  42. You can tell... by gowen · · Score: 2

    it's going to be an article aimed at technically au fait readers when the authors' emails are given as {davek,rubin}@research.att.com with no further comment on what this means...

    --
    Athletic Scholarships to universities make as much sense as academic scholarships to sports teams.
    1. Re:You can tell... by Anonymous Coward · · Score: 0

      I take it then that you haven't read the article. Ad hominem is not a way to argue. Why did you post here if you haven't read the article?

    2. Re:You can tell... by Anonymous Coward · · Score: 0

      You're the one who's arguing like a homo.

  43. Re:Windows users by Anonymous Coward · · Score: 0
    StarOffice. It supports all MS-Office formats

    Tried it. It didn't open the Excel file my boss sent to me (lots of graphics and calculations).

  44. kerberos authentication by CTho9305 · · Score: 1, Interesting

    I think it would work better... it solves ALL problems listed except for poor passwords. However, the "average" user will never remember a password that is any good - and will demand some "remember my login" feature. This combination ensures INsecurity. Until people are willing to remember a short (6+) character sequence, and are willing to type it in (and change it periodically), there can be no good security (using passwords). The main disadvantage to kerberos is that most browsers do not inherently support it - you need plugins and sometimes a completely separate application.

  45. What alternative scheme? by Anonymous Coward · · Score: 0
    In the end, [I] chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.

    And the description of it doesn't fit in the margin of this paper? ;-)

    Oh, come on! Now you've got us curious!

  46. Do we trust them as far as we can hurl them? by blang · · Score: 2
    We pointed out this flaw to Microsoft. Microsoft indicated they were already aware of the flaw, and it was fixed that same day.

    So, they had been aware of the flaw, but did nothing about it until it was publicly known? Call me paranoid, but how about this: Exploits are OK as long as they are known only to Microsoft people? Are they leaving some easter eggs so that a bunch of MS employees can gain access to other people's information and money?

    It's bad enough that so many untrustworthy commerce sites are out there, running broken versions of MS web servers. Now we are supposed to have microshit as a "trusted" third party for all our commerce and authentication. No way Jose. My webshoppin days est fini. I'll be using the phone from now on.

    --
    -- Another senseless waste of fine bytes.
  47. ...its not lame anti ms rhetoric... by Anonymous Coward · · Score: 0

    > ...its not lame anti ms rhetoric, its actually a
    > well written technical assesment...

    I'll be the judge of that.

    AC

  48. Re:What coutry do you live in? (-) by Anonymous Coward · · Score: 0
    Any official information about you (marital status, blood type, place of residence, etc.) is written into your "internal passport"

    That's interesting.

    I'd feel much more comfortable with printed evidence: a couple of copies stored by the officials in a safe place and another by myself.

  49. Re:What the hell?!?! by hisholiness · · Score: 0

    Well, Microsoft's Word XP grammar checker seems to think that "its" is possessive, while "it's" is an abbreviation of "it is."

    That seems to jive with my grade school lessons on the subject.

    --
    "Go forth, my child, with Dog!"

  50. Re:What the hell?!?! by James Foster · · Score: 1

    I don't think it is.
    But I do not see why it CAN'T be.
    I just think that by putting "its not lame anti ms rhetoric" they seem to acknowledge that other MS articles posted on /. are unreliable. My point was that if they acknowledge this, why don't they do something about it?

  51. The answer in three words: by Anonymous Coward · · Score: 0

    He's a retard.

    -- Bruce.

  52. Re: Do we really *need* Passport? by zerocool^ · · Score: 3, Insightful

    ..if the proper privacy and security issues can be addressed.

    The inherent problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessible to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.

    Plus, I don't like the idea of my private information being the property of a corporation.

    ~z

    --
    sig?
  53. Re:What the hell?!?! by Detritus · · Score: 1, Troll
    There are a lot of lame articles on slashdot. Poor spelling, punctuation and grammar are the norm. Not to mention non-existent fact checking.

    Remember, AMD and Linux are good, Intel and Microsoft are bad. Why think when the collective can do it for you?

    --
    Mea navis aericumbens anguillis abundat
  54. Hairy deal! by Bender Unit 22 · · Score: 1

    This is a very hairy deal, which proves that it was not written by some slick moneygrabbing M$ two piece suit with no concept of what quality software is! ;-)
    (you need to read through the article to the bottom to understand that)

  55. Hardware password device needed by Thor Ablestar · · Score: 1

    I am not crypto wizard enough to understand all of the article. But I believe the main purpose of Passport was the necessity either to keep a lot of different passwords or to have a center that authenticates a person using a single password.

    I believe that it's possible to keep a lot of different random passwords in any hardware device attached to the computer, thus avoiding most problems. The device may be a special keyboard (for instance, with a magnetic, chip or proximity card reader), a standalone card reader or, preferably, a USB key attached to the USB port that is present everywhere now (for USB-challenged people there is the FDD). Of course, the device should be supported with some device-independent open-source protocol (or we shall not trust it).

    But I believe that Microsoft needs Passport NOT for our benefit, but for the benefit of Billy's pockets, and so Passport will be pushed down our throats, leaving all non-M$ aside.

  56. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  57. Not limited to Glasgow by irksome · · Score: 1

    Around here, there's a bagel place that goes by "Barry Bagel's"

    -

    1. Re:Not limited to Glasgow by Anonymous Coward · · Score: 0

      What's this? We've lowered ourselves to the level of picking over apostrophes without a murmur from the Grammer Nazi??

  58. Re:Windows users by halftrack · · Score: 1

    I have to use W2K and Office at work because otherwise I wouldn't be able to work efficiently with my clients and co-workers cause they insist on using MS crap.

    Then let me help. One name: StarOffice. It supports all MS-Office formats, it's free and available on most platforms (including Windows).

    They do it by making it impossible for third-party software to interface properly with the MS crap! They close or obfuscate data structure and API documentation.

    Interaction with MS-crap isn't that useful. Let's say passport got a grip on most online banks, shops, stock traders etc. I find it hard to believe that they would substitute all login possibilities with passport. You would still have the possibility to create a username and password, they might even implement non-MS open-source alternatives. For instance, at least half of all /.'ers would not use passport and that's more than 200,000 heavy Internet users and online shoppers. Our opinions are in fact heard by capitalistic powers, because we're pro free, open-source alternatives.

    --
    Look a monkey!
  59. Re:Spoofing Passport Login by zunix · · Score: 1
    I tried putting https://www.passport.com/very/long/path@cnn.com in my explorer URL line and got a passport error message. Namely: it didn't work.

    Yeah? Well you shut up!

  60. Ha ha, Slashdot Confessions by Anonymous Coward · · Score: 0

    Nice to see you admitting that everything else was just lame anti-MS rhetoric, but really now, who didn't know that already?

  61. What coutry do you live in? (-) by Anonymous Coward · · Score: 0

    nt

  62. Its a shame there are so many problems by John_Steed · · Score: 1

    Well, I agree with the article that there are an abundance of problems with passport, it's truly unfortunate that it could not be done better/independently. The idea of Passport seems like a great one that could indeed help users, and make them more secure. As the article states most users use bad and repeated passwords. Something like this would probably make those people more secure in the long run, as the actual vendor would not have access to the person's password. Unfortunately it is deeply flawed. Oh well maybe some "open" project will emerge, and provide a better version of passport.

    1. Re:Its a shame there are so many problems by DickBreath · · Score: 2

      I disagree.

      The only shame is that the problems were pointed out this early before Passport is in widespread use.

      Just imagine the PR for MS that could have resulted.

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Its a shame there are so many problems by fors · · Score: 1

      Yep, sure would be a good idea except for the fact that now all of your accounts can be accessed with one password that will be stored on the most highly targeted servers in the world. Everyone from governments to organized crime to the script kiddy down the street will be trying to crack the Passport servers and someone will succeed. Most likely several someones, repeatedly. I don't trust this one even to Open Source projects. The servers will be hacked. It is only a matter of time.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
  63. We need an alternative by infiniti99 · · Score: 5, Insightful

    There's nothing particularly wrong with single-signon, just so long as it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convenience that Passport provides. Thus, we need a good alternative.

    I found this, which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

    Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

    Maybe something like this will be discussed at JabberCon.

    -Justin

    1. Re:We need an alternative by sporty · · Score: 1
      We need something just like passport which acts more like kerberos. Where the server gives authentication tickets that expire, like cookies but it is not done via a redirect. If say, the third party client could do the request on their behalf, it wouldn't be as bad.

      Another option would be different passwords for different uses. Of course my email password might be a little easier than say, the password for stuff I use my credit card number. Better yet, I might actually want to use a different password for everything. An option similar to RSA/DSA keys used with SSH. You don't need to use the key password you set on the server, but can use the password you used to create a particular keypair.

      --

      -
      ping -f 255.255.255.255 # if only

    2. Re:We need an alternative by volkris · · Score: 1

      Naw, we should be using a Jabber-like program with a couple of differences. For instance, do away with the XML, it is an unnecessary complication.

      I really dislike the Jabber project for many reasons, a couple of which are simply the unexplainable "bad vibe" kind of things. I think much of it is needlessly complicated, using an inelegant solution to a really rather simple problem. The fact that it took so long to become stable is testament to this, I believe. It should have taken about a month from beginning to end with a team of four.

    3. Re:We need an alternative by Anonymous Coward · · Score: 0

      As far as I can make out, this - http://www.realuser.com - is a genuine attempt at user authentication. Bit freaky, but it does work. Much in the same way as in the real world you can have a trusted relationship with someone you don't know - for example, the good customer who buys a newspaper every day but nobody knows (or cares about) his real name - this system allows that. It connects reliably and securely between the person and the PC.

    4. Re:We need an alternative by infiniti99 · · Score: 2

      Parsing XML isn't as bad as you think, especially with the availability of libraries. Understanding the protocol is loads easier when everything you get is plaintext XML. I think this is one of the positive sides to Jabber.

      As an open source project, you should understand why it has taken them so long. Developing a client is one thing, but developing an IM system takes much more work. Compare it to writing the first mail server.

      Anyway, it's much more mature today than ever. The main faults are: lack of good clients (which I am trying to fix), and transport instability. The instability generally comes from IP blocks by AOL to the jabber.org server. This can be solved by simply running your own server, which is the whole point of Jabber anyway.

      At this point in time, my day-to-day IM consists of a private Jabber server, the AIM and ICQ transports, and the client I wrote. It's a proven system at this point. I say we run with it, rather than try to create something new again.

      -Justin

    5. Re:We need an alternative by Telek · · Score: 1

      I don't know about you, but I would RATHER have multiple signons for my bank accounts, stock accounts, etc, etc. And if I wanted ease of use, I'd get a smartcard (woah concept)... Other than that, I'd use a single sign-on for things that aren't that important, but I would want MYSELF to be the only person that knows the keycode to my bank card or stock portfolio...

      After all, I use unique 15 character random base64 passwords for all my major accounts =)

      --

      If God gave us curiosity
  64. The problem with Passport by uriyan · · Score: 1

    First of all, the article seems to have a point (although I am not a computer security expert). Particularly, the redirects involving HTTP and DNS tricks are already popular compromises. Therefore, Passport is indeed insecure.

    What makes stuff worse is that (unlike most other web-based authentication systems), Passport is going to be used massively by thousands of online dealers. Think about what would happen if Amazon were compromised. A Passport break-in would be worse, since all of the Amazons of the world will grow to rely on it.

    So the real problem with Passport is that it is going to be used so widely; it is a valid small-scale solution (where the profit from compromising such a service is minimal), however it does not scale well when we talk about millions of users spending billions of dollars. I just hope that Passport will not be used by serious retailers, if we ever want to have some semblance of security and privacy.

  65. Re:What the hell?!?! by Anonymous Coward · · Score: 0

    Agreed. I have almost stopped reading Slashdot altogether but I do look for that gem of a worthwhile story. Usually if it says Microsoft in it I can disregard it as FUD because Slashdot NEVER posts anything positive about Microsoft no matter the situation. I am skeptical of anyone that never says anything positive about the competition even when there is something that is clearly positive. If there is something positive about Microsoft on Slashdot (Bill Gates giving $1 billion to fight AIDS in Africa) then it is ended with something like "Billy must be trying to get himself into the African market for his next evil takeover" or something to that effect. It's just ridiculous and needs to stop before Slashdot flushes itself down the metaphorical FUD toilet.

  66. Arrested? by Midnight Thunder · · Score: 1

    Now how long will it be before this guy gets arrested? Stupid Laws!

    --
    Jumpstart the tartan drive.
    1. Re:Arrested? by artdodge · · Score: 2

      The arrest of Avi Rubin would get a lot more attention and reaction from the serious research/tech community than the Sklyarov case is producing.

  67. Hailstorm. by slashkitty · · Score: 3, Interesting
    Yes, some sites use Passport now, but soon, many many sites may be using it in combination with Hailstorm. This poses more problems as well. More users will be using it. They will have to use it more often. More data will be stored accessible with a Passport login.

    Many people agree that this is the start of Microsoft's goal of "collecting a toll on every transaction on the internet". As others have suggested, upcoming versions of MS server software will make it easier and easier to use Passport when building web services. At the same time, they will make it harder not to use it... Adding more hoops to go through to set up something else... Like how they are removing Java from XP: one more hoop to go through to run Java.

    As you can see, any security flaws in Passport could become a huge problem. Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you.

    --
    -- these are only opinions and they might not be mine.
    1. Re:Hailstorm. by Anonymous Coward · · Score: 0

      "Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you." Well, I make worse stock trades and drain my bank account faster than any virus ever could, so this would probably be a plus.

    2. Re:Hailstorm. by Anonymous Coward · · Score: 0

      Wow a fucking brilliant retort. It must be hard to think with bill gates cock up your ass steve ballmer licking your balls.

    3. Re:Hailstorm. by philipm · · Score: 0

      umm... there's no such thing as "monopolistic practices" - monopoly is a state that is not inherently bad or good in any industry.
      95% of businesses aspire to be monopolies, even in their mission statements.
      Microsoft does far less to shut out competitors than ANY other company that has even a chance of being in Microsoft's position.

      In essence what you are doing is complaining that non MS products suck. Or more accurately, you are whining, with no intention of doing anything about it.

    4. Re:Hailstorm. by Malcontent · · Score: 3, Insightful

      The corporation is guilty and should be punished. The punishment for this ought to be dissolving of the corporation and seizure of its assets. The executives are guilty because it was they who made the decisions and used the corporation to commit crimes; they should be jailed. The shareholders are guilty because they did not restrain their corporation and did not exercise their duty to monitor and influence their corporation. The executives were serving the shareholders after all. They will be punished when the assets of the corporation are seized and the value of their shares go to zero.

      Now maybe a small minded stupid fuck thinks that this is rich envy but that's because the idiot apparently thinks that all rich people commit crimes. Or maybe the moron is incapable of understanding that the legal system has already determined that these people acted in a criminal manner. Perhaps the dimwit thinks it's wrong to punish criminals who are rich because "they commit fewer crimes than any random 10,000 people" but I hope to god stupid shitheads like that never get in power. We in this country already let the Rich get away with murder.

      --

      War is necrophilia.

    5. Re:Hailstorm. by Malcontent · · Score: 2

      It's OK to have a monopoly (at least it's legal). The problem is that MS is guilty of abusing its monopoly in a CRIMINAL manner. We don't let felons vote but we let criminal corporations continue to perpetuate their crimes.

      At this point other than taking the law into our hands there is not much anybody can do. It's clear the justice system is corrupted to the core and refuses to punish MS for its crimes in a significant way.

      I agree that the time to whine is over; it's time to do something. Maybe go see what the going price on fertilizer is and rent a Rider. It's the only thing that can even hope to stop MS from committing its crimes.

      --

      War is necrophilia.

    6. Re:Hailstorm. by philipm · · Score: 0

      Well our law is extremely stupid. Basically our law says corporations are people and a corporation made up of 10,000 people commits the crimes that all of these people commit.

      That's just plain dumb. I'm willing to find any (your choice) 10,000 people and I'll bet your ass they have WAY more incidence of crime than "microsoft" millionaires do.

      This is clearly good old fashioned rich envy and in Texas they are very clear about shooting anyone who envies or tries to prevent the rich from being rich, because they (and correctly so) are very clear that the perfect society is one that has upward mobility. You guys all seem to be headed down. Why don't you get a job at MS? Oh. oops, no skills.

      I think a justice system that can find a legal contradiction like a corporation guilty of anything is corrupt. But this is obviously the opposite viewpoint you seem to have. I don't want my legal system making ANY decisions about !groups! of people.

  68. Re:Windows users by Cave Dweller · · Score: 1

    Grr, I messed up the subject :(
    Not enough coffee today

  69. why not just use a Zero-Knowledge protocol by emin · · Score: 3, Interesting
    Although I don't know much about the design decisions involved in implementing passport, I don't see why they don't use a zero-knowledge protocol (ZKP). Basically a ZKP is a way for Alice to prove to Bob that a certain claim, C, is true. Furthermore, under certain assumptions (e.g. factoring is hard, graph-isomorphism is hard, etc.) you can prove that Bob doesn't learn anything beyond the fact that C is true.

    How would this be used for authentication? I generate an instance of a hard problem, P, along with a claim, C, which only I can prove. I publish (P,C) as a type of public key. If I want to prove to slashdot or Hotmail that I am me, I use a ZKP to prove C thus authenticating myself. Since I used a ZKP, even though slashdot now knows C is true, slashdot doesn't know how to prove C itself. So slashdot can't pretend to be me when talking to Hotmail (unless slashdot can factor or solve my chosen hard problem).

    Some benefits of using a ZKP include:

    • I only need to log into my computer with a single passphrase and then my computer can use a ZKP to convince all the other web sites of my identity.
    • The system is provably secure under certain assumptions.
    • No central authentication server has a list of passwords or other information it can use to impersonate me.
    • Since no central authentication server is necessary, the authentication prover (i.e. the program that runs on my computer to prove who I am) and the authentication verifier (i.e. the program that runs on slashdot to check my identity) could be implemented by different companies. Thus you could use an open source prover with an MS verifier allowing interoperability.

    So my question is why doesn't MS use a zero-knowledge protocol to implement passport? Is this type of idea patented, or are there other issues such as security, speed, etc.? I'm not trying to bash MS since I know that they have some pretty smart people there; I'm just trying to find out why they didn't use ZKP.

    I suspect the answer is because a ZKP based system would probably be easy to clone by open source people or other companies. On the other hand, passport seems to give them significant business advantages at the cost of security, interoperability, elegance, etc.

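    The login flow the post describes, worked through as an added example (not code from the post, from Passport, or from any project): Schnorr's identification protocol, where the hard problem P is the discrete log in a prime-order group, the claim C is knowledge of the secret exponent behind a published value, and the verifier's transcript can be faked without the secret, so a site that verified you cannot reuse what it saw to log in as you elsewhere. The group parameters are a constructed toy-sized safe prime chosen so the script runs instantly; the class and function names are this example's own.

```python
"""Schnorr identification as the post's ZKP login (added example).

In the post's notation: the hard problem P is the discrete log in the order-q
subgroup <g> of Z_p^*; the claim C is "I know x with g^x = y (mod p)"; the
published (p, q, g, y) plays the part of the public key; the user's machine is
the prover and a site such as slashdot or Hotmail is the verifier.
"""
import secrets
from dataclasses import dataclass

# Constructed toy group: p = 2q + 1 is a safe prime and g = 4 generates the
# subgroup of order q.  A deployment would use a standard group of 2048 bits
# or more; nothing below depends on the size.
P, Q, G = 1907, 953, 4


@dataclass(frozen=True)
class PublicKey:
    p: int
    q: int
    g: int
    y: int


@dataclass(frozen=True)
class Transcript:
    t: int  # prover's commitment g^r
    c: int  # verifier's challenge
    s: int  # prover's response r + c*x mod q


def keygen(rng=secrets.randbelow):
    """Secret x in [1, q-1]; public y = g^x mod p."""
    x = 1 + rng(Q - 1)
    return x, PublicKey(P, Q, G, pow(G, x, P))


def verify(pk, t, c, s):
    """The verifier's only check: g^s == t * y^c (mod p)."""
    return pow(pk.g, s, pk.p) == (t * pow(pk.y, c, pk.p)) % pk.p


class Prover:
    """Holds x and never sends it: only a commitment and a response leave."""
    def __init__(self, x, pk, rng=secrets.randbelow):
        self.x, self.pk, self.rng, self._r = x, pk, rng, None

    def commit(self):
        self._r = self.rng(self.pk.q)      # fresh per run; reuse would leak x
        return pow(self.pk.g, self._r, self.pk.p)

    def respond(self, c):
        return (self._r + c * self.x) % self.pk.q


def authenticate(prover, pk, rng=secrets.randbelow):
    """The verifier's side of one three-move run: take a commitment, send a
    random challenge, check the response.  Returns (accepted, transcript);
    the transcript is everything the verifier ever sees."""
    t = prover.commit()
    c = rng(pk.q)                          # rng is injectable so tests can fix c
    s = prover.respond(c)
    return verify(pk, t, c, s), Transcript(t, c, s)


def simulate_transcript(pk, rng=secrets.randbelow):
    """Zero knowledge (honest verifier): a valid transcript built WITHOUT x.
    Choose c and s first, then solve for t = g^s * y^(-c).  Since a verifier
    can fabricate these itself, a real transcript tells it nothing about x."""
    c, s = rng(pk.q), rng(pk.q)
    t = (pow(pk.g, s, pk.p) * pow(pk.y, -c, pk.p)) % pk.p
    return Transcript(t, c, s)


class ReplayingImpostor:
    """The post's 'slashdot' replaying a transcript it saw to 'Hotmail'.
    Lacking x it cannot answer a new challenge, so it is accepted only when
    the fresh c happens to equal the old one: probability 1/q."""
    def __init__(self, seen):
        self.seen = seen

    def commit(self):
        return self.seen.t

    def respond(self, c):
        return self.seen.s


if __name__ == "__main__":
    x, pk = keygen()
    ok, tr = authenticate(Prover(x, pk), pk)
    sim = simulate_transcript(pk)
    print("genuine login accepted:", ok)                                  # True
    print("simulated transcript verifies:", verify(pk, sim.t, sim.c, sim.s))  # True
    print("replay to a second site accepted:", authenticate(ReplayingImpostor(tr), pk)[0])
```

    Schnorr's protocol is zero-knowledge against an honest verifier and needs a challenge space as large as q for soundness; the toy q here keeps the arithmetic readable, not the cheating probability small.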
    1. Re:why not just use a Zero-Knowledge protocol by emin · · Score: 2, Informative

      By the way, those of you interested in learning more about zero-knowledge proofs can check out http://theory.lcs.mit.edu/~cis/zk/zk.html

    2. Re:why not just use a Zero-Knowledge protocol by (re)Hash · · Score: 1
      Passport is not just aimed at solving the problem of single sign-on. Passport is designed to support most existing browsers (as opposed to custom software). It allows users to change machines (a problem when you have to take a ZKP key with you) and it stores all of your personal information in one place - making it easier for you to update your information and guarding against attacks on various sites.

      Granted passport does very little of this well or securely, but a ZKP based solution would require more infrastructure.

    3. Re:why not just use a Zero-Knowledge protocol by Anonymous Coward · · Score: 0

      Additionally, the multi-round approach of ZKPs often makes them much more processor intensive than other public-key authentication schemes.

      That and the fact that, as far as I know, there aren't many ZKP authentication schemes currently used in the industry. Sure there have been a lot of papers published on the subject and there may be a few companies playing with these but, still, in crypto there is something to be said about implementing well-known algorithms/standards. Moving to ZKP authentication would be a big risk that might turn out to be overkill.

      On the other hand, it would open the way for the use of ZKPs in the industry.

  70. Well-written? by Old Wolf · · Score: 1

    I [sic] hope it's [sic] better-written [sic] than Taco's assessment [sic] would indicate.

  71. Re:Windows users by Anonymous Coward · · Score: 0
    Your problem is that you won't accept software the consumers have voted for with their wallets.

    If the passport grows and more sites start to use it, well... that's market economy for you.

  72. Analysis of Passport Flaws by Anonymous Coward · · Score: 0

    "It's by Microsoft. Microsoft are bad and evil. Passport is bad and evil. Open source is good and shiny and happy and will cure your dog's stomatitis. Yay!"

  73. Re:What the hell?!?! by sydb · · Score: 1

    "its" does not require apostrophes in any of its incarnations, possessive or abbreviative.

    Check a grammar reference.

    --
    Yours Sincerely, Michael.
  74. Re:What the hell?!?! by cREW oNE · · Score: 1

    No. But the dude who wrote the article I replied to seems to think it is.

    --

    +++ATH0

  75. Security Flaws by lavaforge · · Score: 2, Interesting
    I found the following quote interesting: "Presumably, the Hotmail logout button is used to remove the Hotmail credentials, while the Passport signout button is used to remove the Passport credentials to all services. While this may be clear to computer security experts, it is unlikely that the average non-expert computer user will understand the distinction."

    This is a bit unusual; most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

    Who wants to place bets on how long it will take before somebody starts harvesting IDs from the local libraries?

  76. Re:What the hell?!?! by DNS-and-BIND · · Score: 1
    Hm, just looking at the front page now, there are 2 out of 2 articles that are uncomplimentary towards Microsoft, and rather true as well. The first concerns an insecure web server made by MS, and the other concerns MS's leveraging their monopoly to block third-party software that performs similar functions to MS's own software.

    Slashdot cannot be regarded as a credible newssource for MS related stories.

    (dripping with sarcasm) Oh, really? Did you just figure that out now, Brainiac?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  77. Re:Fuck you spork_testicle. by Anonymous Coward · · Score: 0

    Hey Diaper! When's the Geekizoid coming back on line?

  78. A quick grammar lesson for the stupid by Anonymous Coward · · Score: 3, Informative

    its = possessive (i.e., belonging to it)

    it's = contraction, for "it is".

    So:

    ...it's not lame anti ms rhetoric, it's
    actually a well written...

    Geez. Hire a high school student to proofread or something.

    1. Re:A quick grammar lesson for the stupid by Anonymous Coward · · Score: 0

      Fuck it. I've known since grade school how to use its/it's properly, but I hereby propose dropping the apostrophe. There's no situation in which its use is ambiguous, and therefore the apostrophe contains no information - its waste, a trash pseudoletter holdover from when we had no notion of logic. Best case we move everyone to lojban, 2nd best drop the junk from our language instead of worshiping arbitrary rules. Fuck it's.

    2. Re:A quick grammar lesson for the stupid by Anonymous Coward · · Score: 0

      Confusing "its" and "it's" is an all too common meme these days. In fact, it seems that the habit of apostrophising the letter "s" at the end of acronyms when they should be plurals is growing rapidly. There's a tutorial in proper usage here: http://www.angryflower.com/bobsqu.gif

    3. Re:A quick grammar lesson for the stupid by Magic5Ball · · Score: 0, Redundant

      Fuck marklar. I've known since marklar how to use marklar/marklar's properly, but I hereby propose dropping the marklar. There's no situation in which marklars use is ambiguous, and therefore the marklar contains no marklar - its marklar, a marklar marklar marklar from when marklar had no notion of marklar. Best case marklar move every marklar to marklar, 2nd best drop the marklar from our marklar instead of worshiping arbitrary marklar. Fuck marklar's.

      --
      There are 1.1... kinds of people.
  79. Re: Do we really *need* Passport? by j-beda · · Score: 4, Interesting
    Do we really *need* Passport?

    Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS has a chance of doing this type of thing better than any of the closed-source alternatives like Passport.

  80. silly me... by neilsly · · Score: 1

    I thought they were talking about a real passport.. ya know the paper ones.

  81. Re:Windows users by crazney · · Score: 2, Insightful

    no, they don't "Force" us to use these things.. But, as passport grows and more sites use it, it will be almost impossible not to have a passport account. If you want to use service X you will have to sign up with microsoft.

    The example of msn/communities was just from personal experience. I am unable to communicate with many of my friends over the net cause I refuse to sign up to passport - sure it's my choice, but in my opinion they are abusing their monopoly with this.
    It will become worse when many other merchants are using passport.

    --
    stuff
  82. Re:Windows users by Thatman311 · · Score: 0

    BULLSHIT!!! You have to activate your system but you don't have to register with MS. It is two separate steps asshole!

    --
    Silly Rabbit...Sig's are for kids.
  83. Re:What the hell?!?! by sydb · · Score: 1

    Try having a look at the Oxford English
    Dictionary; unfortunately its not available
    online unless you pay. It states that:
    + "its" is the possessive form of "it"
    + "it's" is an abbreviation for "it is"
    However, "it's" may also be written "its".
    Moderators, please remove the points rashly assigned
    to the parent post; it is firstly offtopic and
    secondly wrong; unfortunately I am probably too late.

    --
    Yours Sincerely, Michael.
  84. Re:What the hell?!?! by Anonymous Coward · · Score: 0

    Grammarian usually has little to contribute to a discussion and possesses few effective weapons. To compensate, he will point out minor errors in spelling and grammar. Because of Grammarian's obvious weakness most Warriors ignore him.

    Flame Warriors

  85. The Power of Passport... by Thomas+M+Hughes · · Score: 5, Insightful

    Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

    Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

    Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

    But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.

    1. Re:The Power of Passport... by MarkLR · · Score: 1

      But if you use Passport on a public terminal that has a keystroke logger installed the person who put it there now has access to your Passport account and can do anything with it. If somebody captures my Slashdot password its a minor issue, e-mail - more important, password for my on-line banking - very important. Passport should allow your to have multiple levels of security.

    2. Re:The Power of Passport... by fors · · Score: 1

      As will anybody who can crack the passport servers. Anybody who doesn't think that those servers will be the ones that are the most targeted for attacks? They will be the Holy Grail of targets. Get them and you can do almost anything almost anywhere. You'll have access to fortunes in personal financial data, blackmail material, probably even research and development information. Anybody who doesn't have an idea how much potential damage can be done by this service has no imagination.

      --
      "If there is nothing you are willing to die for, then you are not really alive." Myself
    3. Re:The Power of Passport... by tranman · · Score: 1

      Microsoft makes money off a site licence for passport. So it would still make money off a competitor using its services.

    4. Re:The Power of Passport... by Anonymous Coward · · Score: 0

      Troll....
      > Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.
      What a load of crap... do some reading and less bleeding of that heart of yours... moron.

  86. Re:Windows users by Anonymous Coward · · Score: 0
    Microsoft's not forcing people to use their products?

    They do it by making it impossible for third-party software to interface properly with the MS crap! They close or obfuscate data structure and API documentation.

    I have to use W2K and Office at work because otherwise I wouldn't be able to work efficiently with my clients and co-workers cause they insist on using MS crap.

    Watch the passport become highly popular and suddenly you have to sign on too because your client stores his information in .NET behind the passport identification.

  87. Re:What the hell?!?! by Gordonjcp · · Score: 2

    You should come to Glasgow. They stick apostrophes everywhere, even on words that just happen to end in 's'.
    Of course "shopkeeper apostrophes", where you put an apostrophe in a plural, is the favourite...

  88. Re: Do we really *need* Passport? by Magic5Ball · · Score: 2, Insightful

    I think that XNS has a chance of doing this type of thing better than any of the closed source alternatives like Passport.

    Holy fsck is that ever ignorant!

    Why are open-sourced foo always better than closed-sourced or company-owned foo? And why do most /.ers just accept that on faith? Sure, many great things have come out of open source, but that does not automatically qualify everything stamped with GPL/BSD/licence-du-jour or appears to have a transparent process as a Good Thing, just as not every thing published by the big-bad-company is a Bad Thing.

    As it stands now, Passport exists, appears to be scalable, and works most of the time, which is a lot more than I can say for XNS. And yes, Passport has problems right now and will have problems in the future, as will XNS. It's a part of the development process which can't be avoided but at least Passport is out there now, being used, attacked, and debugged, before it or anything else becomes somewhat of a universal standard when real $$ is at stake.

    And given the choice of who to fix an emergent security concern in their respective systems, would you trust the well-intentioned staff of XNS, who are either very knowledgeable but potentially few and far between (cf recent slashdot and K5 outages), or somewhat knowledgeable and found in abundance; or Passport, staffed 24x7 by an army of people who at least know what they are doing and are eventually liable to shareholders and business partners who have multi$billions to throw around (or not)?

    XNS and anything else that comes along will necessarily have to learn from the mistakes made by Passport now, and I don't think that's a Bad Thing. As it stands right now, the aforementioned army of developers _who evolved the current system over 5+ years and must listen and respond to customer and partner concerns or lose business measured by six or seven zeros on a daily basis_ aren't getting it entirely right, so why would I think that an emergent cadre of excellent but not-entirely-devoted developers with comparatively zero funding can _build and maintain_ what amounts to a public infrastructure (something which doesn't lend itself well to being maintained by an entity, staffed by few enough people that they can all be killed in one incident, and without real-world liability for failure) to serve billions of people world-wide? I don't.

    </rant>

    --
    There are 1.1... kinds of people.
  89. Re:Windows users by F_Prefect · · Score: 1, Troll

    I don't get this, they don't force us.

    I don't know if you have read anything about Windows/Office XP. In order to get them to work for more than 30 days, you have to get a passport account. This is so that MS can get the info of what machine (not Processor ID #) but what type of processor, how much ram, type and size of HD's, etc. I will give MS one good statement, they can make an awesome licence agreement, just too bad that they can't make a decent OS.

    --
    You can be replaced by a very small shell script.
  90. Re:Damned if you do, Damned if you don't. by Prior+Restraint · · Score: 1

    Christ folks, make up your minds!

    Are you aware that there are multiple people posting to slashdot? Just because two conflicting opinions were posted to the same forum, it does not follow that both opinions are (A) held by the same person; or (B) "the party line".

  91. Re:What the hell?!?! by ninjaz · · Score: 4, Informative
    "its not lame anti ms rhetoric"
    Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?

    It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".

    There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)

    /. isn't exactly renowned for it's editing, but this seems to be a new low.

    The post also has nothing to do with the article, we're given very little info.

    Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.

    If you want good editing, visit Linux Weekly News at http://www.lwn.net/. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/

  92. Re:What the hell?!?! by cREW+oNE · · Score: 1

    But 99 out of 100 MS-related articles here on /., (there's your punctuation) *ARE* indeed lame and mostly untrue anti-MS articles.

    Slashdot does a great job spreading FUD about MS and MS products. Slashdot cannot be regarded as a credible news source for MS related stories. In fact, the amount of anti-MS FUD coming from slashdot has outgrown the amount of anti-OSS FUD coming from MS.

    --

    +++ATH0

  93. Resemblance with PayPal by drnomad · · Score: 1
    I didn't know all this about passport, but it has great resemblance with paypal. The bogus site exploit has been done there as well.

    The difference between paypal and microsoft is merely the fact that passport is not intended for micropayments, as I believe that ms will mostly focus on the b2b market.

    For micropayments, Paypal has low risk because they have taken a mix of all sorts of measures. An ex-FBI agent is in charge of two or three fraud detection teams, their "IGOR" system is an automated fraud detection system. Because the wallet contains such small amounts of money, the loss risk is therefore much smaller than if you'd use big amounts - necessary for b2b transactions.

    I do notice the resemblance between PP and MS that they are dealing with the same security problems, perhaps this is why PP and MS are collaborating. When MS chooses not to work with micropayments, my guess is that they could get a lot of security problems, not only the ones written in the article, also the security problems Paypal hasn't solved technically, but manually.

  94. Re:Windows users by Kenyaman · · Score: 1

    I *tried* to avoid upgrading to IE 5. I liked IE 4 and was happy with it and didn't want the extra bloat of IE 5.

    I couldn't do it. Every time I turned around, something from Microsoft was installing IE 5 on my (wife's) machine (mine runs Linux and has endured over 200 infection attempts from the various Code Red variations).

  95. Not that I was ever going to use it anyway... by Godwin+O'Hitler · · Score: 2, Interesting
    Passport can be as watertight as a duck's arse or as full of holes as a sieve for all I care. For me the only question is, why the hell would I choose Microsoft as my sole broker in the first place? - I haven't as far as I'm aware gone stark raving nuts yet!

    It seems likely that some if not a lot of people are going to use the passport service outside of hotmail. It seems likely that some or a lot of them are going to regret it. While I don't wish those people any harm, they could be well the ones who bring this latest Microsoft ruse to a speedy end.

    --
    No, your children are not the special ones. Nor are your pets.
  96. Re:Windows users by Kenyaman · · Score: 1

    Then let me help. One name; StarOffice. It supports all MS-Office formats, it's free and available on most platforms (including Windows).

    Er... not "hard" documents. Word documents with tables don't load right, for instance. Neither do Excel documents with graphics and things like cell protection. This was a huge issue when I was applying for a Linux job through a head hunter. I mentioned I didn't have access to Office and was informed, "I don't know how you can call yourself a professional if you don't have Office." I bailed on the headhunter (and am still looking for work, halfheartedly).

  97. Juxtaposition with Code Red II by astrashe · · Score: 1, Flamebait

    The new variant of Code Red might turn out to be the most damaging worm yet launched. That's happening today, while I'm writing this. My DSL connection will be hit a couple of times, in all probability, as I type this up.

    That has to be the context of any discussion of passport.

    Even well designed security fails. For that reason, a single choke point that will plunge the world into chaos if security fails is a bad idea. Passport is a bad idea.

    The most important flaw isn't in the protocol, or in the fact that it's built on insecure services. A well designed passport type system would still be flawed, because it would present a single point of failure.

    The fact that they want to do this at all proves that they're not thinking about security first.

    MS has a track record of doing dumb things security wise because their business models demand them. They wanted to tie word and visual basic together so they opened up the world to the threat of macro viruses. They wanted to tie email and office together, so they made email systems that would run programs embedded in documents automatically if someone sends it to a MS user via the email.

    These are not obscure problems, and they're not difficult to predict. You don't need to be a security guru to realize that they're trouble. MS did it anyway, because it was in their interest to do it. It wasn't in their customers' interests.

    Passport isn't in anyone's interest but MS's. It's a bad design because it's centralized, because all of the eggs are in one basket. Most people want privacy. Most people want their credit card information to be secure. Most people want to control the information they give to various sites -- they don't want it passed around in the background, in the name of convenience.

    Apart from all of that, it has to be pointed out that the company that's building and marketing passport has the worst record in computer security on the planet. By that I mean that MS security holes have cost more money -- billions and billions of dollars -- than any other company's security problems. How long did it take them to close the outlook macrovirus hole? How long was it obvious to everyone that it was a bad idea, before they closed it? Years. Why? Because they put their business model above their customers' security interests. And they're doing the same thing here.

    Passport is a horrible idea. And even if it was a good idea, these are the last guys who should be trusted to build it.

    1. Re:Juxtaposition with Code Red II by Anonymous Coward · · Score: 0

      They still haven't closed the Outlook macrovirus hole.

  98. Spoofing Passport Login by sfe_software · · Score: 3, Interesting

    The article mentions the possibility of one registering pasport.com (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this:

    https://www.passport.com/very/long/path@evilhacker.com

    Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at evilhacker.com. Everything before the '@' is ignored, and the user will simply see a long passport.com URL in the address bar. The browser actually connects to evilhacker.com.

    So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...

    As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.

    Over all, I think the article makes a very good analysis of the problems in Passport (or really any central login system).

    - Jman

    --
    NGWave - Fast Sound Editor for Windows
    1. Re:Spoofing Passport Login by J'raxis · · Score: 3, Interesting
      Nope. What you have there won't quite work. What you have before the "@" cannot contain literal slashes, among other characters. It can contain %-encoded entities, so you can put the slashes in that way ("%2F") -- most browsers translate this entity back to "/" when displaying the URL on hover.

      Oh, and some browsers have already patched this "semantic attack."
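
An added example, not part of either post above, showing with Python's standard URL parser which host the two URL forms discussed here actually name, plus the kind of check a link filter or mail gateway can apply. The sample URLs are constructed; `evilhacker.com` is the placeholder host the thread uses, and the `looks_like_host_spoof` heuristic is this example's own, not a browser's rule:

```python
"""Added example (not from the original posts): what host a URL with an
'@' in its authority really names, and a check that flags such URLs.

Uses only urllib.parse. The sample URLs are constructed; 'evilhacker.com'
is the placeholder host from the thread.
"""
from urllib.parse import urlsplit, unquote

# Constructed sample URLs. The first is the literal form from the post:
# the '/' ends the authority early, so the '@' lands in the path and the
# host is still www.passport.com. The second percent-encodes the slashes,
# as the reply describes, so the whole 'www.passport.com%2F...' prefix
# becomes userinfo and the host is evilhacker.com.
LITERAL_SLASHES = "https://www.passport.com/very/long/path@evilhacker.com"
ENCODED_SLASHES = "https://www.passport.com%2Fvery%2Flong%2Fpath@evilhacker.com"
PLAIN = "https://www.passport.com/login"


def effective_host(url: str) -> str:
    """Return the host a client would actually connect to."""
    return urlsplit(url).hostname or ""


def userinfo(url: str) -> str:
    """Return the decoded userinfo (text before '@' in the authority), or ''."""
    parts = urlsplit(url)
    if parts.username is None:
        return ""
    # urlsplit keeps percent-encoding in username; decode it to reproduce
    # the text a user would see on hover in a browser that unescapes it.
    info = unquote(parts.username)
    if parts.password is not None:
        info += ":" + unquote(parts.password)
    return info


def looks_like_host_spoof(url: str) -> bool:
    """Flag a URL whose userinfo is dressed up to look like a host or path.

    Heuristic (this example's own): userinfo is present and contains a
    '.' or '/', i.e. it reads like a domain name or path rather than an
    account name. A stricter site policy can simply reject any userinfo
    on https links, since credentials embedded in web URLs are rare.
    """
    info = userinfo(url)
    return bool(info) and ("." in info or "/" in info)


if __name__ == "__main__":
    for url in (LITERAL_SLASHES, ENCODED_SLASHES, PLAIN):
        print(f"{url}\n  host={effective_host(url)!r} "
              f"userinfo={userinfo(url)!r} flagged={looks_like_host_spoof(url)}")
```

Run as a script it prints, for each constructed URL, the real host, the decoded userinfo and whether the heuristic flags it; only the percent-encoded form resolves to `evilhacker.com`, which is the point of the reply above.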

    2. Re:Spoofing Passport Login by Anonymous Coward · · Score: 0

      cnn doesn't have https access.

  99. Re:Security Soup by fors · · Score: 1

    The biggest problem is with having one centralized database that the vast majority of users use. If there were 12 or 15 different implementations of the same scheme with different operating systems the problem lessens. Some of the methods of getting the information don't change no matter what you do but crack attempts are greatly complicated by having different implementations. A central repository will be the target of every black hat out there. Split it up and diversify it and any one of the schemes is less likely to be beaten. Use open protocols and operating systems, have lots of repositories and there is less danger to all. I personally think MS is crazy for wanting it all on their servers. When they get hacked it will be the single biggest computer news story ever. I don't think any software company, no matter what their advertising and lobbying budget is, will be able to withstand the backlash of public opinion. Senators and Congressmen use hotmail too, or if they don't, family members do.

    --
    "If there is nothing you are willing to die for, then you are not really alive." Myself
  100. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  101. Re:Windows users by halftrack · · Score: 1

    we need passport as another example of how microsoft is abusing their monopoly (Read: hotmail, msn messenger, communities, etc)

    I don't get this, they don't force us. Of all those things you mentioned I only use hotmail and that's because it's free, reasonably reliable and doesn't care if I sign up as A.Nonymus from Yemen. I could just as well have used Yahoo!

    --
    Look a monkey!
  102. Real passports! by Anonymous Coward · · Score: 0, Funny
    Damn!

    I thought this article was about how to forge a real-life passport.

    I sure would like to change my identity...

  103. Re:What the hell?!?! by dair · · Score: 2
    I mean thats 6 words...now I know its not...that its "a good read"
    You don't seem to be immune yourself - you've missed three apostrophes from thats, its, and another its.

    -dair
  104. Re:Windows users by Rytsarsky · · Score: 1

    I've found that OpenOffice is getting really good at this... of course, soon MS will probably introduce new intricacies into their Office formats that will have to be hacked again.... But still, my MS office use is rapidly approaching 0. It's also great to have a good format that can be shared across platforms. Give openoffice a try (openoffice.org), I think you'll like it.

    --
    God became man to enable men to become sons of God. -C.S. Lewis
  105. Re: Do we really *need* Passport? by Anonymous Coward · · Score: 0

    secure single sign on would be nice

    and totally disregards basic security guidelines about never using the same password on multiple systems.

    Yes, it might be inconvenient, but it's also considerably more secure to use multiple passwords wherever you play.

  106. What the hell?!?! by James+Foster · · Score: 2, Offtopic

    "its not lame anti ms rhetoric"
    Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?
    Oh yeah, and where the hell is the punctuation? Shouldn't it read "it's not lame, anti-MS rhetoric"?
    I mean... thats 6 words... and somehow /. editors managed to fit in about 3 mistakes in 6 words?!?
    /. isn't exactly renowned for it's editing, but this seems to be a new low.
    The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

    1. Re:What the hell?!?! by dimator · · Score: 2

      I think the JonKatz random bullshittery is there just to generate some hits; I notice that all his stories have a lot of replies/comments (perhaps because he's so insanely ridiculous?)

      Personally, I turned his ass off in my /. prefs a long time ago. I'm a lot happier ever since.

      --
      python -c "x='python -c %sx=%s; print x%%(chr(34),repr(x),chr(34))%s'; print x%(chr(34),repr(x),chr(34))"
    2. Re:What the hell?!?! by Coolfish · · Score: 2

      /. isn't exactly renowned for it's editing, but this seems to be a new low.

      Before you go mouthing off about other people's poor grammar, check your own first.

    3. Re:What the hell?!?! by owlmeat · · Score: 1

      Or better yet, go to http://geraldholmes.freeyellow.com/index.html and hang out with your friend Gerald.

      --
      They stab it with their steely knives,

      But they just can't kill the beast.

    4. Re:What the hell?!?! by Superkind · · Score: 3, Informative
      "its" does not require apostrophes in any of its incarnations, possessive or abbreviative.

      Actually, as an abbreviation for "it is" it does.

      --
      (In desperate search for a cool /. sig.)
    5. Re:What the hell?!?! by leonbev · · Score: 1
      "Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/"

      I'd love to see this feature implemented at slashdot. It would hopefully fix Slashdot's biggest problems like...

      • Multiple posts of the same story
      • Horribly edited or just flat-out biased postings
      • JonKatz's paranoid and incoherent ramblings. Somehow, I doubt that most of his posts would survive more than 15 minutes! :)

      Come on CowboyNeal! Get this feature coded quickly, so we can try it out on Banjo!

  107. Browser-based security model by Old+Wolf · · Score: 5, Interesting
    I have some experience to draw on here. While developing an internet-based payment system, I had to evaluate various security scenarios. The payment system is a server (Apache+PHP :) with connections to a transaction switch which is connected to a bank; a Merchant shopping site will redirect a customer to the payment page, who will make their payment there, and return a success or failure flag to the Merchant. The Merchant will tally up cash with us or with the banks in their regular settlement.

    The first scenario I decided on and implemented was similar to what Passport is using, but with the 3DES-key optional (so that Merchants with poor web coders could still participate). For the rest of this discussion, I'll only refer to the version with the DES protection.

    Also, being a payment system, there was only one ever call and one return with results -- not a login and logout process.

    We found that by using various SSL, cookie methods, and so on, we could get around all security flaws, but the downside is that the Merchant has an awful lot of responsibilities, including:

    • Verifying, encrypting and decrypting the 3DES keys
    • Keeping its 3DES key secure...
    • ...which entails keeping its system totally secure from hacking
    • Implementing the rest of the protocol to communicate with the Passport etc. server via cookies
    • Generating cookies that work correctly in any version of any browser (even getting them to work correctly in one browser is a hassle!)
    • Detecting duplicate transactions (for example, J.Hacker does a valid purchase for $1; and records the connection, then comes back later, begins a purchase for $10000, and intercepts the connection and responds with the $1 packet)
    and the list goes on. In the end I decided that while it was a security model that held together, and if I were coding for the Merchant I could do it correctly, there are many Merchants that would simply fail to do it right, and either have it work buggily or insecurely, or not at all, and then blame the system (or the customers would blame the system).

    It's easy to say "Well, they should do it right," but when you've been in the commercial world a while, you realise just how incompetent many companies are.

    In the end, tired of patching up small hole after small hole and writing merchant integration documents, I changed my mind and chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.

    Conclusion? Hack just one of the merchants involved in Passport, grab their 3DES key, and you're in and untraceable (bar the merchant actually keeping valid authentication logs and being able to follow them; in which case the worst that could happen is that they change their 3DES key). The security will deter script kiddies but a hacker with serious skills will have a field day.
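
An added example, not the poster's payment system, of the merchant-side check for the duplicate-transaction item in the list above: the gateway's return packet is bound to the pending order's amount and to a gateway transaction id that is only ever credited once, so a recorded $1 response cannot be replayed against a $10000 purchase. Everything here is assumed rather than taken from the post: the field names, the sample values, and HMAC-SHA256 standing in for the 3DES-based protection the merchant and gateway share.

```python
"""Added example (not the poster's system): a merchant-side check for the
duplicate-transaction problem described in the thread.

Assumptions (not from the post): the gateway's return packet is a set of
fields (order id, amount, outcome, gateway transaction id) authenticated
with a key shared between merchant and gateway. HMAC-SHA256 stands in for
the post's 3DES-based protection; field names and values are constructed.
"""
import hmac
import hashlib

SHARED_KEY = b"constructed-demo-key-not-a-real-secret"  # placeholder


def pack(fields: dict) -> bytes:
    """Canonical byte form of the packet fields, in a fixed order."""
    order = ("order_id", "amount_cents", "outcome", "gateway_txn_id")
    return "|".join(f"{k}={fields[k]}" for k in order).encode()


def sign(fields: dict, key: bytes = SHARED_KEY) -> str:
    """Gateway side: authenticate the return packet with the shared key."""
    return hmac.new(key, pack(fields), hashlib.sha256).hexdigest()


class Merchant:
    """Tracks pending orders and gateway transaction ids already credited."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.pending = {}       # order_id -> amount_cents awaiting payment
        self.seen_txns = set()  # gateway_txn_ids already credited

    def begin(self, order_id: str, amount_cents: int) -> None:
        """Record the amount the customer was sent to the gateway to pay."""
        self.pending[order_id] = amount_cents

    def accept(self, fields: dict, tag: str) -> str:
        """Decide whether a returned packet pays for a pending order.

        Returns 'paid' or a short reason for rejection. Checks run in
        order: authenticity, known order, amount binding, replay, outcome.
        """
        if not hmac.compare_digest(sign(fields, self.key), tag):
            return "bad-mac"
        order_id = fields["order_id"]
        if order_id not in self.pending:
            return "unknown-order"
        # Bind the packet to this order's amount: a genuine $1 packet
        # must not be accepted as payment for a $10000 order.
        if fields["amount_cents"] != self.pending[order_id]:
            return "amount-mismatch"
        # Each gateway transaction id is credited at most once.
        if fields["gateway_txn_id"] in self.seen_txns:
            return "replay"
        if fields["outcome"] != "success":
            return "declined"
        self.seen_txns.add(fields["gateway_txn_id"])
        del self.pending[order_id]
        return "paid"


def demo() -> list:
    """Walk through the scenario from the post and return each outcome."""
    m = Merchant()
    # 1. A genuine $1 purchase, signed by the gateway: accepted.
    m.begin("order-1", 100)
    first = {"order_id": "order-1", "amount_cents": 100,
             "outcome": "success", "gateway_txn_id": "txn-0001"}
    tag = sign(first)
    results = [m.accept(first, tag)]
    # 2. A $10000 order for which the gateway only ever saw $1: the
    #    amount no longer matches what the merchant recorded.
    m.begin("order-2", 1_000_000)
    small = {"order_id": "order-2", "amount_cents": 100,
             "outcome": "success", "gateway_txn_id": "txn-0002"}
    results.append(m.accept(small, sign(small)))
    # 3. The captured $1 packet replayed unchanged: order-1 is settled.
    results.append(m.accept(first, tag))
    # 4. The captured packet retargeted at order-2: the MAC fails.
    results.append(m.accept(dict(first, order_id="order-2"), tag))
    # 5. Even if the merchant reuses an order id, the transaction id was
    #    already credited.
    m.begin("order-1", 100)
    results.append(m.accept(first, tag))
    return results


if __name__ == "__main__":
    print(demo())
```

The amount check is what does the work in the post's $1-versus-$10000 scenario; the transaction-id set covers the merchant that reuses order ids, and the MAC covers edits to a captured packet. All three are cheap, but every Merchant has to get all three right, which is the poster's objection.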

  108. Re:Windows users by crazney · · Score: 0, Flamebait

    we need passport as another example of how microsoft is abusing their monopoly (Read: hotmail, msn messenger, communities, etc) - and hopefully this will help then dig their own grave!

    --
    stuff
  109. Re:Windows users by 2bStealthy · · Score: 1

    CaveDweller, embedded hardware would sure change that wouldn't it? That is what AOL has decided to do. "Within six months" they will launch an "authentication device" that is not tied to these weaknesses you've addressed. Passport is all about centralized control. It reminds me of the old PSTN that my Grandmother had when I was young. The phone would ring and the operator would say "call for the Johnson's." Since we were the Smith's we were supposed to hang up and not listen to it. I think it was called a multi-party line. However, consumers and privacy groups advocated decentralizing and putting control into the hands of the user. The network was distributed. Another analogy was music. 80 years ago you could really only listen to music live or on the radio (which was live too). Artists really were poor! Users were controlled by the distributors (listen when we play it). That changed due to guys like Edison developing recording devices. A recording device put the distribution of listening/watching into the hands of the consumer. Guess what? The internet is doing the same thing. It has started out as centralized control just like these other two mediums. However, consumers are now tired of centralized control and their inability to control the distribution of content (or their personal info for that matter). P2P with a hardware-based authentication device will empower the consumer and remove the control from companies like Microsoft. Best Regards!

  110. Windows users by Cave+Dweller · · Score: 2, Troll

    "The bulk of Passport's flaws arise directly from its reliance on systems
    that are either not trustworthy (such as HTTP referrals and the DNS) or assume
    too much about user awareness (such as SSL). Another flaw arises out of
    interactions with a particular browser (Netscape). Passport's attempt to
    retrofit the complex process of single sign-on to fit the limitations of
    existing browser technology leads to compromises that create real risks."

    Do we really *need* Passport?

    1. Re:Windows users by Anonymous Coward · · Score: 0

      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows
      I don't need MS, I don't need Windows

      That felt good.

    2. Re:Windows users by Kierthos · · Score: 1

      Same here. At one point I deleted IE 4 completely from my computer, hunting through every directory and deleting each little instance of the various hidden files, and so on. Went to using Netscape completely.

      Three days later, I've got IE 5 wanting to download every time I visit half a dozen sites, half the files on my computer which should load fine under Netscape (and actually used to load fine until I nuked IE 4) have become 'broken' files, and my computer is GPF'ing every damn chance it gets because it can't find its little buddy IE.

      Needless to say, it's on my computer right now, although I'm constantly trying to find ways not to use it, by continually reminding it that it's not the damn default. (No matter how many times I do, it still is retarded and thinks it is. I'm obviously missing something important here, but the college NT admin couldn't help me either. But he has his hands full with people forcing disks in upside-down.)

      The strange thing is, I wouldn't mind it nearly as much if it worked correctly and wasn't so damn bloated. Surely it's possible to build a bare-bones browser without all the damn bells and whistles. So why can't MS do it?

      Kierthos

      --
      Mr. Hu is not a ninja.
    3. Re:Windows users by Anonymous Coward · · Score: 0

      "Do we really *need* Passport?"

      No, we do not NEED passport just like we don't need printers, computers, mice and so on. We don't need anything but this is a great addition to technology. Just consider it for a moment without thinking about Microsoft and you will realize that it is a good thing. If it had been developed by an open source company you people would think it was the greatest thing since sliced bread but otherwise it MUST be evil. In reality it is a good thing that is good for consumers and businesses and you guys just can't accept it. Get over it.

      micjordan@hotmail.com

    4. Re:Windows users by Anonymous Coward · · Score: 0

      If OSDN had a unified login for all their member sites (SourceForge, Slashdot), you'd be cheering.

    5. Re:Windows users by Anonymous Coward · · Score: 0

      You dumb shit, you don't need to provide a Passport to activate OfficeXP or WindowsXP.

  111. The biggest problem with Passport... by Anonymous+Brave+Guy · · Score: 1

    I don't think the biggest problem with Passport is technical. As far as I can see, none of the implementation issues raised by the article is necessarily insurmountable.

    However, no matter how clever, reliable and secure Passport may be, and however many genuine, real-world problems a technology like this could solve, there is always going to be a significant voice against it just because of Microsoft's past behaviour, and the inherent suspicion some people are going to have of them because of it. Even if Passport is something of a success, a large number of people will always have their doubts (justified or not -- I offer no opinion on this).

    Those doubts could seriously hinder its widespread acceptance, and hence reduce the point in having it in the first place. After all, even if someone sets up a competitive version, you probably wind up with a 'net where some sites authenticate using Passport, some use Competitor A, and so on. At that point, you need multiple log-ins again, and you're back to square one.

    The alternative, I suppose, is that e-commerce sites and the like allow multiple authentication mechanisms, and their users can choose which to use. This, though, immediately raises questions about whether all sites will accept all authenticators, or only 90% of sites will accept 90% of authenticators. Look at the whole TLD mess for a prime example of what happens when you get "competition" in something where you really need everyone to agree.

    For once, you almost need a single monopoly provider for this single sign-in idea to work. As soon as there is competition, the basic idea starts to fall apart. Of course, that restriction introduces all the drawbacks associated with any other monopoly. And that, IMHO, is the biggest problem with Passport.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  112. Convenience for law enforcement by Anonymous Coward · · Score: 0

    The law enforcement community will love Passport. Instead of spending days depriving a suspect of sleep, water and food in an attempt to induce the disclosure of multiple passwords, they will be routinely downloaded from Microsoft's Passport database.

    The gathering of non-suspects' passwords probably will be pseudo-justified by claiming that the accounts won't be accessed until a more specific search warrant is issued.

  113. Another problem by j7953 · · Score: 1

    There is another big security problem with a central logon service. If someone manages to get access to your Passport login information, he can use all Passport-using sites with your authentication, not just the sites for which you created the account.

    If someone manages to get access to your webmail account, he can read your mail. This alone is bad, but if your webmail service is Hotmail, your webmail account is actually a Passport account. The attacker can now not only read your mail, he can also use your authentication for all kinds of other services that use Passport, even if you never intended to use your account for those services.

    This isn't a big issue yet, because the attacker could just as well create his own account. Logging in with your identification on a site which you have not used yet usually doesn't make sense. But if Passport manages to become the authoritative source of authentication (think of trusted real-name identification, digital signature services, etc.), this might become a real security problem.

    --
    Sig (appended to the end of comments I post, 54 chars)
  114. Very average and somewhat deceptive report by Vryl · · Score: 2
    Most of the attacks in the report are against 'single sign-on' systems and not confined to Passport.

    A couple of things that Passport does could be done better, but there will always be idiots and ignoramuses.

    As the saying goes: "We can make it foolproof, but not bloody-fool proof"

    Passport's biggest problems are that it is a single point of failure, and also that it tends to extend Microsoft's monopoly.

    I am still waiting for xnsorg to deliver some source code, hopefully addressing both these issues.

  115. Re: Do we really *need* Passport? Yeah. by mjpolanco · · Score: 1

    Single-logon authentication is not a nice-to-have. It is essential for effective integration of web services. For example, Company A has a hosting service and Company B offers an email service. YOU want to offer an integrated offering to your customers, and that means identity management.

  116. Re: Do we really *need* Passport? by jilles · · Score: 3, Interesting

    The situation without passport is even more insecure because:
    - it relies on individual vendors to provide security for communication
    - consumers trust these vendors to do so in most cases
    - any vendor protocol is subject to the same security risks as passport
    - most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

    Any solution that improves the current situation is a step forward. That being said, the real issue is trust and I am a bit hesitant to trust a commercial company with privacy sensitive information (this is not anti MS, I wouldn't trust Red Hat with it either). The only way I could trust a passport server would be if it were protected by laws making every kind of abuse (including using the information for marketing purposes) illegal AND if it were maintained by an organization (preferably governmental) that has no interest in abusing this information. MS fails both requirements.

    Interestingly, laws for the first requirement exist in some countries. It wouldn't surprise me if MS would run into legal trouble at some point for violating such privacy protecting laws.

    --

    Jilles
  117. Re:What country do you live in? (-) by Anonymous Coward · · Score: 0
    I'm asking because I live in Russia, where the situation is opposite. All official transactions leave you with printed evidence that you have to conserve. (Personally, it's your responsibility.)

    It gets quite silly sometimes; for example, when you buy something moderately expensive (say, a couch) they give you two receipts, one regular and one "official" with a seal and a signature. Same when you get your paycheck -- you have to sign a document both for yourself and for your employer.

    Anyways, in Russia there's something called an "internal passport" -- it's a passport that serves as your definitive ID. Any official information about you (marital status, blood type, place of residence, etc.) is written into your "internal passport". On one hand, this is good because you personally control what is written into your passport. (Pretty much.) On the other hand, if you lose it, you're in trouble.

  118. Wine is not an emulator by yerricde · · Score: 1

    Then what the hell is it? An emulator?

    Bochs is an emulator. TuxNES is an emulator. DGen is an emulator. SNES9x is an emulator. Transmeta's Crusoe uses Code Morphing, which is an emulator. But WINE is not an emulator but "an implementation of the Windows 3.x and Win32 APIs on top of X and Unix. Think of Wine as a Windows compatibility layer" for FreeBSD, Linux, and Solaris. It's also a complete Windows application server that uses thin clients called X11 terminals.

    --
    Will I retire or break 10K?
  119. smart cards by janpod66 · · Score: 2
    I think a much better alternative to Passport is smart cards. You can think of a smart card as your own, personal, secure little "Passport server", a server that is entirely under your control, including physical control.

    Passport seems to me like an attempt to centralize a service because it is highly profitable for the service provider to do so, not because it makes sense. (AOL IM is another example.)

  120. Interesting Paper by Self+Bias+Resistor · · Score: 2

    I'll agree with people that this paper is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I thought I might mention here:

    • The first interesting point I noted is that while using Netscape, clicking on the Logout button for Hotmail would appear to log you out of Hotmail and redirect you to msn.com. But if you were to click the Hotmail link again, you would appear in your inbox without reauthenticating. Needless to say, this creates a major practical security flaw for non-technically-minded users (i.e. the users most at risk because they don't fully understand how the whole process works), as someone on a public terminal can commandeer a previous user's Passport account by simply clicking on the Hotmail icon, hence gaining access to their account. So Passport doesn't work properly with Netscape, but works fine with Microsoft Internet Explorer. Conspiracy theorists and Microsoft bashers, do what you will with that statement. The obvious solution to this problem is to use MSIE (a morally repugnant option to some in the Slashdot community), but it shows the problems that can occur when differing platforms aren't properly taken into consideration.

    • The central point of authentication can also prove a security risk as it provides a central point of attack. There's no real way around this particular risk as it's a long-accepted notion that the more valuable data is on a machine, the more likely it is going to be compromised (or at least, attempts are made). So to have vital information for all Passport users on a single server (correct me if I'm wrong) makes a very tasty target for hackers, crackers and anarchists the world over.

    • It's been a long-accepted notion that the weakest part of any security system is the people, and that includes everyone from users to sysadmins. So if you choose an obvious password (like "swordfish"), then your account is more likely to be compromised because the hacker can just guess your password, rather than employing elaborate methods (such as DNS spoofing, explained here in this SANS article) to compromise your account.

    • And finally, I'd like to point out that Passport, while having serious security flaws, is an ambitious project that makes the best of existing technology. It's alright to stand up and say (or post, in this instance) that Passport is insecure, but until we fundamentally change existing protocols (DNSSEC and IPSec are two suggested standards) then this is what we have to deal with.

    In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.

    --

    ----------
    When the pin is pulled, Mr. Grenade is no longer our friend.
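The Hotmail/Netscape observation in the post above (logout appears to work, but clicking back in restores the session) and the credential-reuse concern raised earlier in the thread both come down to the same server-side question: is a session actually revoked when the user logs out, or only forgotten by the browser? The following is an added example, not code from the paper, from Passport or from any poster here. It is a constructed, in-memory session store with hypothetical names (`SessionStore`, `logout_client_only`, `logout_all`) that shows the broken pattern beside the corrected one, plus the "revoke every session for this account" operation you want after a credential compromise.

```python
"""Server-side session revocation on logout (constructed example).

Contrasts a logout that only tells the browser to drop its cookie with one
that also invalidates the session on the server. A shared-terminal visitor
replaying the old token is the scenario the thread describes.
"""
import secrets
import time


class SessionStore:
    """Maps opaque session tokens to (user, expiry). Hypothetical API."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}          # token -> (user, expiry_epoch)
        self.ttl = ttl_seconds

    def login(self, user):
        # 256-bit random token; never derive it from the username.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() + self.ttl)
        return token

    def whoami(self, token):
        """Return the authenticated user for a token, or None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expiry = entry
        if time.time() > expiry:
            del self._sessions[token]  # lazy expiry on lookup
            return None
        return user

    def logout_client_only(self, token):
        # BROKEN pattern: sends a cookie-clearing header but leaves the
        # server-side record intact. Anyone who still holds the token
        # (browser history, a kiosk that kept the cookie) is still logged in.
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout(self, token):
        # CORRECT pattern: revoke on the server first, then clear the cookie.
        self._sessions.pop(token, None)
        return {"Set-Cookie": "session=; Max-Age=0; Path=/"}

    def logout_all(self, user):
        """Revoke every session for one account (after a password reset or
        a suspected credential theft). Returns the number revoked."""
        stale = [t for t, (u, _) in self._sessions.items() if u == user]
        for t in stale:
            del self._sessions[t]
        return len(stale)


def shared_terminal_scenario(store):
    """First visitor logs in and out; second visitor replays the token.
    Returns (user_seen_after_broken_logout, user_seen_after_real_logout)."""
    token = store.login("first-visitor")
    store.logout_client_only(token)
    after_broken = store.whoami(token)    # still "first-visitor"
    store.logout(token)
    after_real = store.whoami(token)      # None
    return after_broken, after_real


if __name__ == "__main__":
    print(shared_terminal_scenario(SessionStore()))
```

The design point is that a logout endpoint must be idempotent and must act on the server-side record, not only on the cookie; a `Set-Cookie` expiry is advice to one browser, not revocation. The `logout_all` path is what turns a leaked webmail password into a bounded problem rather than a standing key to every relying site.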

  121. Damned if you do, Damned if you don't. by Telek · · Score: 1

    OKOKOK...

    So first people yell at Microsoft because they package a shitty VM with their OS that they don't maintain and doesn't stick with the standards, and they get sued for it as well, and everyone bitches about it.

    Now they remove it, and they're obviously only doing it to kill Java, of course. Couldn't have ANYTHING to do with the court case, or the fact that people didn't want it in there, or that it wasn't being maintained, or that it was causing problems because it's in the system32 directory so it's in the path. Nope, MUST be just another Microsoft lets-try-to-take-over-everything maneuver, right?

    Christ folks, make up your minds!

    --

    If God gave us curiosity