Slashdot Mirror
Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."
Well I feel safer....
Microsoft accused of unfair practices and deceptive techniques!?! I must say that I am shocked, schocked I tell you!
Unfortunatly I am uneligable for any such legal action against them as I think I gave them my soul in the last click thruogh agreement I did...
Papa Legba come and open the gate
This says it all:
"One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so."
Because people usually don't pick very secure passwords, it's better to have multiple passwords so that an evesdropper or other malicious person can't crack into all yur accounts. U of I just made people intentionally set all their 3 or 4 passwords instead of just giving them one the applied to all 4 (although most people tend to choose the same password for all their online services anyway)
Also, because Passport's trying to incorporate a lot of information in one place that used to be distrubuted in many different places, if some one hacks into Passport, there goes all your privacy.
F-bacher
James Tiberius Kirk: "Spock, the women on your planet are logical. No other planet in the galaxy can make that claim."
A web-wide identification service would literally be the best thing to happen to the web. Think about it. When you visit a new site, it will simply prompt you for your desired username, and then gets your info from some central source. Imagine not having to remember passwords for a million sites. The key here though is that the central source must be a trustworthy one. Microsoft does NOT fit that criteria. Personally, I think the ideal administrative body would be Verisign, or somebody like that. Someone already in the online security business, or racket if you prefer.
TODO: Something witty here...
I don't know about many other people, but I don't think too many people would have an e-mail account on a service such as Passport if it was going to contain highly sensitive material. I use services like this as "spam e-mails" so that I can sign up for things that require an e-mail address (but some websites won't even let you sign up with an e-mail like Passport or Hotmail, anyways).
void women (int money, time_t time);
Passport is definitely an easier solution for consumers than any alternative yet presented. Having all your information stored in one central location is definitely better than having all your information stored all over the place. Microsoft also has a lot more motivation and resources to protect it than Joe Random Vendor.
The problem is that they haven't had any success protecting it anyway. To be completely fair, neither has anyone else. The other difficulty is that although I would trust MS rather than JRV to protect my data, the necessity of distribution and interaction opens up a whole new class of security holes that no one has even thought of before.
The unfortunate truth is that right now the only way to protect your privacy online is not to give out any information, and that Passport will do exactly nothing to remedy this situation.
Even Slashdot wants to hide some things
They probably won't lobby any state reps from maryland!
(for those who don't know - the passport eula says you can't use it in the state of maryland.)
___
The way to see by faith is to shut the eye of reason. --Ben Franklin
And if the single source happens to run an insecure operating system from Microsoft, then there will be disaster.
Microsoft fell to Code Red like everyone else who ran a Microsoft operating system. Far too much responsibility for Microsoft to handle. ANd that doesn't even factor in the matter of whether or not they can be trusted to act ethically.
So these privacy groups get worried about Microsoft's Passport leaking information when the biggest leaks of personal info are from fallen dotcoms and stupid e-commerce web sites? People, when you are paranoid, at least be paranoid to everybody, not just to Microsoft.
¦ ©® ±
forget the safety/security issues - if passport
takes over like windows has it means MS will
control the gateway to ecommerce, forcing other
coding methods into the dirt, as well as
have all your private information for their
use and abuse...
Just last month, Microsoft changed the service agreement for their passport system to require only an email address and password to sign up. Did Microsoft do this without any armtwisting? No. Did they do it, though? Yes.
Just keep the pressure on them up. They're going to go ahead with some sort of service no matter what, but the amount of opposition they face now will determine how many of these concessions will be made "voluntarily". That way, even if the FTC doesn't come down with a favorable ruling, we won't be completely left out in the cold.
Incidentally, msnbc also has some coverage. A disinterested and impartial news source if there ever were one... or not, as it were.
Your comment violated the postersubj compression filter. Comment aborted.
Hold on there cowboy, you just posted x seconds ago!
Ok, this filtering business is started to seem a little anal.
"I'm calling at international rates from Outthebackofstan, I've been on hold for three hours, and why don't you ^%#$%#^ read your email?"
"Oh, I'm sorry, you have the wrong department, this is the Pacific USA only support line. Please dial this number again in another eleven hours and the people supporting your region will be here. Have a nice day" (To co-worker: "Another commie towelhead") click."
Like this one. They won't allow users to use Passport authentication to buy thier goods, and they posted info about why. What better way to prevent users from using MSPassport, than to send consumers mixed signals about being able to use it.
Don't think that a small group of dedicated individuals can't change the world. It's the only thing that ever has.
For those that are interested here are links to the:
Passport EULA
Passport Privacy Policy
Privacy advocate: "So, you are trying to set yourself up as the one definitive source for our personal information online. Let's talk about your record: Hotmail backdoors, Code Red, Melissa, IIS, and Kournikova, among others, are horrible things which have been influenced by your poor implementations of products. And you want to have even more power?"
Microsoft PR guy: "Try to think of those as valuable lessons we have learned to make Passport more secure...
But no way would I use a single password for important stuff. And there's the problem: MS obviously wants to force you to use it for /everything/. So then you can have your whole identity stolen by the first criminal who watches over your shoulder while you type in your password.
It's also scary to ponder that next they'd probably force you to use it with ENUM, a new scheme we're going to have shoved down our throats, which involves linking the DNS database to the database of phone numbers.
Find free books.
I'm not terribly worried by any "unfair and deceptive practices" that may ensue with regard to privacy. Any information given to Microsoft is done so in a completely voluntary manner: any leak of that information would certainly become well-known in a very short amount of time.
.NET "architecture", relies in significant part on the confidentiality of any personal information stored. As the system aspires to collect an amount of personal info I've never seen one company (truthfully) attempt to aquire, I would expect consumers to be very wary. If any of this personal data should be stolen, the repercussions for their entire system could be enormous. In short, I think the market will sort this problem out. Though, given the track record of Microsoft, I certainly don't want to be a test subject while it does.
The success of the passport system, and quite possibly their
What's even more interesting, to me, is the fact Microsoft is using it's very large distribution channel to advertise and promote services in which it's competing against non-monopolistic companies. Messenger vs. ICQ (and others), Hotmail vs. many free email services, etc. I can't help but wonder if the FTC will look into this, rather than just the special interest groups concern.
"God is a comedian playing to an audience too afraid to laugh." -Voltaire
Information leaking from one site is annoying, esp. if it's something like a credit card number, but it's nothing compared to aggregated information being leaked.
As a silly example, let's say you buy rat poison. No big thing, people buy it all the time.
Let's say you buy a book about "perfect murders... and how they were caught." No big deal, people buy true crime books all the time.
Now let's say you recently bought a bunch of lingerie. And had it delivered. But not to your home address. You're having an affair, sleazy, but not unheard of.
Now finally let's toss in the fact that you just consulted a lawyer. A divorce lawyer. One who specializes in breaking prenuptial agreements.
Suddenly things are much more interesting.
Most of us aren't planning to murder our spouse, or even to look like we're thinking about it. But it's certainly possible for mindless data aggregation to cause people to jump to the wrong conclusion. E.g., you bought a couple books on alcoholism, and a few cases of wine? You obviously have a problem, don't you. (Nope, the wnie is a gift to newlyweds and the book is to help me understand if my nephew needs help.) Etc and so forth.
Even with all of this information centralized with Microsoft (and make no mistake that the Passport/Hailstorm system will not collect this information), my biggest concern isn't that it will be leaked. My concern is that it will have bogus information feed into it. There's a nice market opportunity for nasty companies to put bad information into these records, then offer to clean it up for you. For a modest price, of course. All of the potential damage of a credit report, but with none of the legal safeguards.
Of course, that same problem exists today with the aggregated data provided by from credit card companies, but again it isn't a *single* point of failure. Even if you crack Citibank (still the largest CC issuer?), it does nothing about the hundreds of millions of people who don't have Citibank cards. But crack Hailstorm and you'll have information on almost everyone online.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
this is such a classic microsoft-ism: thinking up a really good idea, and totally fucking up the implementation ([d]com, ole, activex, etc).
.NET has shackled it to possibly the worst authentication possible.
.NET?
.NET platform to the username/password "security system" is about as intelligent as locking your car with duct tape, and will probably be about as effective.
what I can't figure out is why this company, which is supposedly on the brink of launching this massive, multi-tiered platform that is
I mean, come on, the username/password combo was maybe reasonable in the days when everyone had exactly one shell account. but today when everyone is expected to remember a user/pass combo for every one of a dozen or so websites they want to log into, the weakness of this paradigm has hit pretty hard. simply put: people can't remember them all, which means they either write them down lots of places (prett damn insecure) or use the same username/password for each account (even worse).
and MS has made THIS the lynchpin of their security model?
why couldn't MS use some of their much vaunted "monopoly power" to "leverage" an authentication system that actually matched the sophistication of the rest of
my suggestion: the medium which most people are accustomed to carrying that is intimately tied to their financial and personal data is the credit card. my MS "Passport" could be a physical smartcard that held authentication data, encryption keys...hell, anything. each copy of XP (and each bundled OEM copy) would include a small USB device that could read this card, maybe that was designed to mount onto the side of the monitor so it would stay out of the way.
YES this would be a major move, and it would stir things up a little. but when it is clearly called for, WHY NOT? people would just carry another little card in their wallet, the reader device would be small and dirt cheap (in that volume, most anything is) and in a year we would forget what we did without them. we have calling cards, and credit cards,and ATM cards...where is my computer card?
in any case, tying their much-heralded
My favorite part of the article is the quote from the M$ exec stating that you don't have to sign up for passport to use xp.
If you have to sign up for it to use some parts of the os than yes, you do have to sign up for passport to use xp.
From this article it seems that some partner websites will require an additional 4 digit PIN in order to access services on that sites (such as banks etc)...
This is insane! If only *some* of the sites require the 4 digit PIN, and all the passwords and email addresses for the passport sites are the same (through passport itself), then what on earth is stopping someone who obtained your password (through brute force or whatever) from trying any site that requires a PIN as well with a simple 10,000 step PIN cracker??? Cracking a 4 digit PIN at internet speed is TRIVIAL!
Adding that 4 digit PIN is like adding a knot in the sticky tape holding your bicycle to the post.. It's just one more easily circumventable step in a flawed access-restriction service.
HelpGeeks - don't bother visiting, it's not worth it! Really!
One of Passport's greatest security weaknesses may be the single sign-on process,....Microsoft is addressing this by offering additional security features for partner Web sites, such as banks, asking for additional information or a four-digit PIN (personal identification number) as a second level of authentication.
Microsoft addressed this problem long time ago! People have been using MID(Message ID Number) for reading hotmail.
So stop questioning their security awareness.
Ok MS has passport and would like it if you used it. They have Windows Messenger and MSN Explorer on XP.... Does that mean you have to use them... NO! There may be a few more things on XP that can use the passport... but again.. do you have to use them... NO!.. Unless you have to use them I don't think there is anything wrong.
http://www.maximum-cars.com - My little hobbie.
Passport doesn't collect transactions from affiliated sites.
There is no way that MS will know that you bought Rat Poison from one passport using site, and Lingerie from another.
Well, let me rephrase that. There are plenty of ways that that kind of information can be collected (i.e. through doubleclick and similar user-info-swapping deals) but Passport doesn't alter the equation.
There is a common misunderstanding here, passport is not the sole repository of all data for all sites who want to use passport. Each site collects and maintains it's own info.
Probably US government make some compromise for the conflicting parties:
These two things make Passport as unfair. You cannot do anything to Microsoft if someone cracked Passport and poked into your account, use your credit card, SMS your cell phone, etc. Probably the implication is worse for corporations: If someone cracked Passport, he/she can get their customer data, their trade secrets, and mocked them for their inability to put their utmost effort to protect customer's private data.
This must be stopped. I'm sure that a sheer amount of litigations would be tossed against Microsoft. Or probably went bankrupt just to recompensate their customer's punitive damage. :-)
--
Error 500: Internal sig error
On this computer, I have MSN Messenger installed (Win98), and the default setting start it at boot up. Now, in order to change the default settings, You have to sign on, which means you have to have a passport account. And deleting it isnt an option, as the owner of this computer uses it.
There's a fundamental dichotomy forming here as to how to handle personal information. It is being driven by the need/desire to be able to access your personal information wherever you are. Microsoft wants to centralise your information*, via Passport, .NET etc, so that all your data is all in one place that you can always access. That's nice, but worrying from a security point of view.
The alternative way of doing things is a distributed model. With PDAs becoming more widespread, and more powerful it won't be long before you can store most or all of your personal data/files on a single small portable device. Now, providing some decent interfaces are written, this offers the same ease of accessibility as Microsotfs centralised solution, with the benefit of increased security - YOU are responsible for YOUR OWN data.
I know which I prefer. I'll always trust my own abilities to secure my own data more than I trust Microsoft to secure it for me.
Roll on with the distributed model I say!
* By information/data I'm not just talking about street address, credit card number etc., I'm talking about all your work/code/data/etc.
Jedidiah
Passport, or a similar concept, is still needed. Customers want it. If a user has to have 10 different logins, they may:
1. Use the same password on all 10 anyway
2. Use grossly easy passwords so that they can remember them
3. A combo of 1 and 2.
With a Passport like concept, there's only one account to remember. Maybe then consumers will find it reasonable to memorize a secure password. Either way, a centralized system is needed for identification. As a web developer for 5+ years, customers don't want to fill out the same crap each time they visit a site, and if they could just type in their passport info to authorize access to certain private information, they'd do it. Now, it's up to us to come do the social and technological engineering to make this happen safely, and securely.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Can someone explain to me what possible advantages this silly, centralized, Microsoft-as-Big-Brother scheme has over keeping the information locally?
I mean, keep it in some nice standardized XML in encrypted form and require a passphrase for each decryption/use of the information.
Why would anyone in their right mind use this?
Just because a few of us can read write and do a little math, doesn't mean we deserve to conquer the universe
If all validation is done via email addresses (as userid), wouldn't that database make a great spam-list? I'm waiting for the moment that passportauthentication@mydomain.tld gets spam...
bash$
...unless they specifically address the bullying issues they have towards the consumer.
I used to have a Hotmail account, for several years (even before they were bought by MS). I was only logging in every 3-4 months, mostly to keep it active, because it wasn't my main email address.
One day I found in it a message informing me that I had been automatically issued a passport. Without my consent. They had just taken the info in my hotmail registration and created a passport for me, without asking my permission. I got very angry, and asked that the "passport" be removed, because I didn't want it. The reply was "it cannot be removed, once you got one, you're stuck with it forever". It seems that, by logging into my hotmail account after they had sent me the info, I had "automatically given them permission to activate the passport". But nowhere on the login page was there any information about this!
I eventually let the hotmail account expire, but AFAIK the passport account they crammed down my throat is still there. There is no option to delete it.
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
as the article says, banks (and other partners) have the option of popping up their own authentication, to make sure Joe Blow is really who he says he is.
kinda blows the whole single point of authentication out of the picture.
Treatment, not tyranny. End the drug war and free our American POWs.
See my user info for links.
Hmm, MS Passport sounds like a WWWlized version of Kerberos. Or did I get it wrong?
What if Microsoft promises some things about what Passport is/will be to get out of trouble, and then, once the smoke clears, designs it however they want to?
KLAATU, BORADA, NIh*ahem*
As someone who works for an e-commerce company I am irritated when I see what appears to be half-assed security on high profile websites. When a site run by a company like Microsoft is hacked, it becomes more difficult to convice my clients they can conduct business with us in confidence.
I make my living because people visit our website and conduct online transactions. I know how much thought goes into security issues for our site. If we were to be hacked, it would reflect negatively the site and all other aspects of our business, as well as fail to serve the trust of our users.
Microsoft does not appear to share these same concerns. Time and again they have a cavalier attitude towards very public attacks on their websites. Hotmail was hacked, so what, someone read your email. It was just porn, right? If Code Red turns IIS into a zombie it's your fault you didn't patch your server.
Microsoft has not solved the security concerns that have plagued IIS, but that won't stop them from pushing forward with .net. If there were a massive hole found in this new web platform, I fear it what fallout may ultimately come of it. At some point the damage to the online economy will push lawmakers into imposing regulations. These regulations will become huge hurdles for the publishers of OSs, software, and websites.
I have always felt that if there is one entity I trust less with my computer than MS it is the US Government. There is nothing worse than a cogressman or senator who doesn't understand computers making laws that effect them.
Props to timothy!
I'm glad to see that this topic was FINALLY posted... especially because it's been sitting in the queue for about two weeks, which appeared to be a result of the new Slashcode/database problems. Just another casualty of modern technology I thought. So I resubmitted it... and it was rejected! Huh?!
Anyway, this Passport strategy that M$ has is scary to say the least. I know many people who have single sign-ons at work, which is fine because the systems that they access through it are not connected to the external network and they have good policies in place. This is a whole other ballgame.
Tell me something: Do you trust M$ to be the guardian of YOUR personal data? Hmmm, yeah. That's what I thought. Nice try Bill & co.
P.S. Yeah I know it's pretty lame to post to your own thread.
Can anyone confirm or deny these problems?
Will the Boy Geek get Code Red 2 removed from the Mayor's web server in time to save Geekgirl from certain death at the hands of the truly naughty and villainous Virus Ivy?
And will the Police Chief make it to the roof in time to reboot the massive Geek Signal, without which There Is No Hope??
Can Gnutham City Survive???
Tune in next week and find out! Same geek time, same geek channel!
once was. >:)
It's probably supported by M$ on all currently supported processors: Intel and AMD chips and any in that family...
...for now.
On Paper and Online, News Publishers Rapidly Adopting Microsoft BackOffice Technologies
The Center for Democracy and Technology? When the hell did M$'s business goal coalesce with Democracy as Franklin, Jefferson and co. enacted it?
This friendly public service announcement posted from:
vanboers@tempe:~$ uname -a
Linux tempe 2.4.9-ac1 #2 Sun Sep 2 22:20:55 MST 2001 alpha unknown
Nope, not even a Linus Torvalds kernel. Alan Cox rocks, too.
Choice is.
www.dedserius.com
VB != VisualBasic
When you sign-in to Passport there are two checkboxes...
One says 'Sign me on Automatically'. If you check this, a cookie is stored that remembers to authenticate you from then on.
If you don't check this box(which is the default condition), then a cookie is created and stored which remembers your username. But the authentication information is stored as a session cookie which disappears when you close the browser.
There is a second checkbox. It says 'I'm using a public computer'. This stores a session cookie on your machine for both the username and authentication.
Once you have closed the browser, the session cookie is gone and you no longer authenticate automatically, nor is your username auto entered for you.
So while I understand your concern, Microsoft has provided two checkboxes which alleviate this concern. Neither checkbox is on by default which means the default behavior is to remember your username only.
If you have a better solution to this problem, I'm sure we'd all appreciate hearing about it.
BTW, the paper you linked to has much better explanations of problems Passport might have then what you wrote about. Man in the middle type attacks that involve redirecting DNS, etc.
At least they have been tested.
Can anyone else, with their 2% market share make the same claim?
If I'm right, this is one of the most desperate examples here of flamebait; this being one of the most insidious of such - given the time/effort put in to this post.
Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
I've seen a lot of posts bashing on Micosoft. I don't like passport not because I don't like everything from Microsoft, but Microsoft PR tends to boast passport system's security level in such a way that general public wouldn't aware of its risks.
(of course, the fact that these people are unaccountable is one of the major factor; but this just FUD in some people's eyes)
The amount of your personal information to give to passport system depends on the degree of trust you have on a username/password security system over the Internet.
I think Passport is secure to some degree, but it's definitely not absolute secure(nothing is). However, I never hear a Microsoft PR would say 'but' in propaganding their passport system.
E.g. when I apply for a personal certificate I was given a time limit for using it. Not because the certificate issuer is a greedy bastard, but they want me to know the encryption in it can be broken by known technology beyond this period(by brute force attack, computer tech advanced, etc.).
Computer security is not absolute. The claims of its security level is part of the security system itself. No matter how well the Passport system is made, failure to give honest claim would render its useless.
Just my opinion. You can start bashing me by clicking the reply below. Thanks.
That's right, if you follow this mantra then you must agree that ultimately all of your information will be free on the net...what sites you have visited recently, your credit card info, your sexual preferences, who you work for, your favorite sports team etc, will be public domain. However, there is a solution, I heard it in a speech by my favorite man!.....
.. you desseerve to looooose yo privacy! Ahmen Brotha.. If you chooooses, to usess, an Allllternatitivvvve oppperatin system, such as my dear brotha's-- Leeeenux, and Bee eSss Deee, (that stands fo Brotha's Standdd Dogetha), or my personal fave, Mac OS X (Staand togetha now!!!! Hear me clear?) then you have notttthing to fearrrrr!!! Ahhhmmeeeenn Brotttha!.... For We Maaaayyy be fewww (Yes!, Yesssss!) and we Maaayyy be poooorrr (praisse godddd!), but we are brotha's in arms, Hallejjjjulla Brottttha!, Praissee the Loooooooooorrrrrrdd! The Lorrrrd does not need a passport, NO!!!. The Lord does not need Micros$$$$$ft, NO!!! He praises each and every one of of you, who do not commit the siiiiiinns of the ignoorant! Yea! He praises and encourages alllllll thooose who strive for freedom and equalitya on the Woooorld Wiiiiide Weeebbbbbb! Yeaah Brotha!!!
To quote J.Jackson
"If you choose, to use, your paaaaspoorrt,
If you are stuuupid enough to paaaaayyy! for this craap! Then we are prayin for ya, yea , we prayin fo yo'soulll. For you have fallen inta the bad mannnss hannnds! Chill! I can save ya! Just say afta me..... haich tee tee peee colon slash shash, doubleya doubleya doubleya, dot, sourceforge, dot, net. Ahhhhhmmeeennnn and Hallelullghia Brotha! Peace be wit you!"
That was the best speech I have ever heard!!!! Vote Jackson!
Y
no sig.
I work for a company, that among other things, buys computer equipment from failing companies to resell it. As a bonus for moving a bunch of equipment one day, my boss let me take home a dat tape drive, and about 80 2 gigabytes tapes from the site we were on, which happened to be an accountant. Well, turns out those dat tapes i got werent new, but were the financial records for every single one of their clients starting in 1996. I had complete records of all client data for a good 4 years just because they were lazy once the hammer fell on them. My point? You trust your stockbroker? Don't. You trust your accountant? Don't. You trust anyone with info you dont want others to see? Don't. It is a harsh world, and when a company goes belly up, whether it is a magazine, a stockbroker, or an accountant, there is a good chance your data could wind up in the hands of someone less scrupulous than me. btw, those dat tapes, I pulled the tape out of the cassettes and destroyed them. it may sound like overkill, but if anything happens to one of these companies down the line, I have no interest in owning a copy of their financial information.
Moral to the story? Basically, watch your back. If you employ an accounting firm, and they go belly up, be sure you get your records back from them. This is just one shining example I gained from experience.
Time for some tasty Shiner Bock!
Even if your contention is valid and it is better to have all your info in one place why should that be controlled by MS. You may trust MS but others of us who are accutely aware of the track record of MS when it comes to security are scared witless. Combine that with the unethical and sleazy characters who are in charge of MS and you have a recipe for disaster. Have you ever heard Ballmer, Gates, Allchin, or Mundy make a public statement that did not contain at least one lie? I haven't. Why should I trust these people?
I see alot of posts questioning MS's ability to keep information secure but (for me at least) MS is who I want to keep the information from. You would have to be a fool to trust MS.
Samsung took back my unlocked bootloader because Google wants me to rent movies. They're both evil.
'Passport' is something anyone with a Postgres or mySQL database, Apache, OpenSSL and Perl could write the functional equivalent in a day.
Sure, it's obviously been written by a huge team of programmers, carefully screened for any possible security hole and tested on a massive scale at Microsoft's fortress in Redmond.
It's just amusing how nobody really has any confidence that the largest software company in the world can write something so basic, and get it right.
I gots ta ding a ding dang my dang a long ling long
Single signon/login is a great idea on a secure, managed corporate network where all the applications can be trusted and crackers don't have access.
But what kind of moron says, this is a good idea for my corporation so it must be a good idea for the entire internet?
Deleted
All I've read is complaints about MS requiring just one password to use PassPort. As if typing in a series of numbers and letters is how a user will self-authenticate in the near future.
.NET.
Look for voice-recognition, fingerprint ID and retinal scan capability being built-in into the next version of Windows.
*Then* you'll see the value of Passport and
So you're telling me, that you'd be willing to render control of your very private data to one single company, located in a country with probably the piss-porest privacy protection laws in the Western hemisphere, just for the sake of convenience ?
We're not talking about CC # here, but about everything surrounding your person, including potentially medical data.
See, I agree that it's up to society to define the sidelines. It's however not society that controls Passport. It's the Microsoft Corporation, which I personally woudn't entrust with my cell phone number.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
I'd never give even a name and postal address to microsoft, let alone personal & credit card details. In fact I'd rather some russian mafia hacker had my credit card details than microsfot (and before you laugh let me explain why), aleast if a russian hacker brought stuff illegally using my credit card, I would see it in my statement, ring up Visa, cancel it, problem solved. With Microsoft however, who knows what their 1000's of aggressive Marketing people can trick me into buying that I don't need or even want.
You're half right. MicroSquish does fuck up the implementation, but they certainly do *not* think up really good ideas.
They leave it up to every other company in the industry to think up the really good ideas, and then they ship a half-assed knock-off of it a year or more after they announce it to kill the competition with their vaporware FUD.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Unfortunately, that's just not true. Usability research has shown certain facts about passwords again and again. In particular, as soon as you start forcing users to remember several passwords, they immediately start using obvious and easy to remember passwords, or writing them down in a readily accessible location. Clearly, this does not improve security.
Having a single sign-in, with a single, genuinely cryptic ID and password, is far more secure than twenty different authentication schemes for different facilities. Of course you rely on the keeper of that information to keep your data in a trustworthy fashion, but you have that problem anyway. At least with a single secure sign-in the average five year old can't guess everyone's ludicrously simple password.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
And seems more logical than passport. But managing passwords locally doesn't create reliance on Microsoft, and doesn't tie Microsoft into all the webs authentications. Passport is nothing more than a shameless grab for power.
Using smart cards for ID is an interesting idea, and one I believe even MS have mentioned considering before. It's important to remember that such a mechanism brings its own problems, however.
The logistical problem is the Big One, I suppose. You need smart card readers to become more ubiquitous even than CD drives today. Every machine that'll use Passport-subscribing services will need one. Someone's going to have to make an awful lot of readers, and someone else is going to have to pay for it.
On top of that, smart cards are not a silver bullet for security problems anyway. What happens when the card gets stolen? If it's my credit card, I call the bank, get it cancelled, and have a new one sent to me in the post. In the meantime, I can always visit a branch to take out cash if I need to.
What do we do when our smart card is nicked? Call MS to cancel it? How do we then reidentify ourselves to them to get a new one with the same access? They need... wait for it... more personal information about us to identify us. And surely I can't just use the card without any additional security -- if anyone does nick it, they can do anything until I realise and get it stopped. Suddenly, we're back to needing IDs, passwords and PIN numbers all over again, and now the whole point of using a smart card has been compromised.
So, while I agree that smart cards or some other more original technological solution may be the answer to Swordfish Syndrome, I don't think we should be too hasty to criticise a long-standing, tried and tested approach until we know the alternative is genuinely better.
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
So, you've paid your isp dialup/bband etc...? well, that's N0T gooed enough. please wait while you are whisked (may take a few minutes) to one of felonious father williams' MANY infactdead pourtolls, equipped with the latest m$snoop takeknowledgee. We'll NEVER check your passport at ScaredCity(?tm?). have you seen these guise?
Having never used Microsoft Passport, I can tell you that it is a waste of time. Information wants to be free.
Email addresses are available by the thousand from hotmail.com or usa.com or whatever. You only have on passport account.
The fact that a Passport account comes free with every Hotmail account changes the equation: "Microsoft Passport accounts are available by the thousand from hotmail.com or whatever. You only have one passport account" only because you signed up for just one.
Will I retire or break 10K?
use the same username/password for each account (even worse)
If you make your password hard enough to guess (my password relates to the obscure subj(Lameness filter encountered. Post aborted.)), how is a cr4ck3r supposed to break into even one of your accounts?
my MS "Passport" could be a physical smartcard that held authentication data, encryption keys...hell, anything.
And it would get stolen like a paper passport. And the RIAA would require it to be swiped to play a song.
each copy of XP (and each bundled OEM copy) would include a small USB device that could read this card
Which would jack the price up by $100 after retail markup and help consumers realize that XP isn't really worth it, something that Microsoft doesn't want to happen.
Will I retire or break 10K?
Apple's got something called the "Key Ring", which keeps all of your passwords in a strongly-encrypted file, on your OWN machine.
Which doesn't work if you happen to use anybody else's machine unless you carry your keyring on a business card CD-R. It's also proprietary, so it won't work on Windows, BSD, etc. There should be some way to store and transport the keyring securely across a public network and some standard for the format of the keyring.
Will I retire or break 10K?
Who cares if it is safe and secure it is a violation of CIPA.
I guess there must be dozens of distributed alternatives to this centralized Passport system. It would be interesting to find a nice short overview about them.
I think a nice solution would be a kind of "PassPouch", based on public-key crypto, etc. A pouch would contain arbitrary number of passwords. To authenticate a user, a service would need your pouch password to open the pouch, and then use its site-password to authenticate a security cookie in the pouch. Well, something like this. You could have multiple pouches, and a pouch could be stored in your personal computer, or in any "PouchServer", based on for example LDAP. There probably already are such systems, but I haven't noticed any so far (I don't know much about the topic).
I'm not terribly worried by any "unfair and deceptive practices" that may ensue with regard to privacy. Any information given to Microsoft is done so in a completely voluntary manner: any leak of that information would certainly become well-known in a very short amount of time.
Q: Hod did Pinochet in Chile managed to get all the commies after the 1972 coup?
A. He got the list of members of the Socialist Party. The members of the part gave their details willingly.
The point: you never know how information about you is going to be used, so unless it is absolutely unavoidable, you should not give it away, specialy to a for-profit entity, because think: what would be their priority: your privacy or their bottom line?
IANAL but write like a drunk one.
This year so far security flaws and virus in MS products have cost over $10,000,000,000. Is MS going to pay the $10,000,000,000? No. Even if they improve security in the products 100X that is still a huge loss. Now lets ask how long is their Passport track record so far? 1 Month? Lets be real here, they make friendly products with lots of functionality. They do not make high reliability products. "Windows 2000 MTBF is published at 2800 hrs" $10,000,000,000 testifies they do not make high security products.
Get a free ipod.
Hey, I like Eric's stuff just as much as the next guy, but in light of what's been going on in schools the past few years, I can understand not wanting kids to have exposure to things that romanticize the power to kill. From the first paragraph of ESR's Ethics From the Barrel of a Gun:
Now, I'm not saying kids shouldn't be exposed at all to arguments, from either side, about gun control. But let's not give the world the false impression that SurfControl is trying to protect kids from OpenSource, ok?isn't there some sort of authentication strategy that says three types of keys exist:
1. sonething you know (password)
2. something you have (keycard, etc)
3. something you are (fingerprint, retina)
and that any serious authentication method should use at least two of the three?
M$ has a right to put pirating prevention measures in their software, and I have a right to not purchase their software. Without Linux I would have had no other viable choice for an OS and applications to run on it. Such is the nature of a monopoly.
The other prong is the one that threatens us all! Even though the recent start-up company, "Fully Licensed" made the following, quotable, conclusion after 'analyzing' the registration wizard:
In contrast to many critics of Windows Product Activation, we think that WPA does not prevent typical hardware modifications and, moreover, respects the user's right to privacy.
in fact they didn't analyze privacy in their "windows authorization code hacked" report. They analyzed the Product ID portion of the Installation ID, but not the 26 X's that concealed their OWN GUID. If there is nothing to worry about in the Installation ID number, why did they keep the 26 X's a secret? The answer is they are lying, and they know it. Here is the lie, the coverup...
The Installation ID
We focused our research on product activation via telephone. We did so, because we expected this variant of activation to be the most straight-forward to analyze.
The first step in activating Windows XP via telephone is supplying the call-center agent with the Installation ID displayed by msoobe.exe, the application that guides a user through the activation process. The Installation ID is a number consisting of 50 decimal digits that are divided into groups of six digits each, as in
002666-077894-484890-114573-XXXXXX-XXXXXX-XXXXX
In this authentic Installation ID we have substituted digits that we prefer not to disclose by 'X' characters.
Why do they prefer not to disclose the X's? The article goes into great detail about the "Product ID", which is represented by the visible digets in the "Installation ID". It identifies your hardware configuration and is what causes the wizard to turn off your installation if your Product ID doesn't agree with your installation configuration. If more than three of ten configuration parameters are changed you will have to explain to Bill why you are not pirating your XP. What Fully Licensed is concealing is the GUID number, represented by the X's, which are tied to the ethernet card or the CPU serial number on each user's computer and unique to that computer! Most of their anlysis is just the old shell game misdirection technique diverting your attention from the Xs. BTW, the Product ID plus the GUID makes an excellent product serial number. It has been shown in other places that most M$ products attach the GUID to almost all, if not all, documents generated by them. Send a DOC, send an email, send an XLS and you are sending your encrypted GUID to them. The document the GUID is embedded in identifies the application. The GUID identifies the computer. That is how they were able to identify the cracker who released the Mellisa "I LOVE YOU" virus. And this is why the GUID really exists. Not that M$ can track you, although they'd love the demographic data, but that GOV can track you. GOV is the force behind this insideous trampling of the Bill of Rights. Why the DOJ was so trusting with M$ in 1995 becomes clearer, and so does the SLLLOOOOWWW process of the current DOJ action. Aren't you wondering why the DOJ isn't screaming their collective heads off as M$ is jumping the gun on the release of XP by more than a full month? The Oct 25th XP release date coincided with the 'punishment' phase, and both the GOV and M$ needed to get XP out into the hands of the public so GOV can get the tracking going and M$ can unleash the bounty hunters. There is lots of income in treble damages.
You may chose to use hotmail 'anonymously', but if you want support or service, or if you supply your personal identification information to any vendor using passport, then a link WILL be made between your computer and you! From that moment on, you will have no privacy. Your every movement will be tracked by M$ to enhance their bloated corporate profits, and by GOV for what ever reasons they have in mind. Remember, it was Bill Clinton, darling of the left, which claims to champion of personal freedom and liberty, who doubled the number of FBI taps. Don't expect Dubya to reduce them.
Don't feel safe if you run Linux. More propriatary binaries are appearing everyday. Propriatary means you don't know if the application is doing any more than what the ad claims it will do. It is even more important than ever before that only Open Source GPL software resides on your machine. Even in the "land of the free and the home of the brave" the GOV is getting too big and too scary. Too many middle and upper level unelected and unaccountable beaurocrats with political agendas are hammering away at the Bill of Rights. Too many corporations buying off too many congressmen. The whole shebang is corrupt, and they don't trust you. Why should be trust them?
Also, anyone wonder why a company which is going to be another bounty hunter for XP license violations is starting up in Germany? Does the fact that any German lawyer can extort a fee for 'license authorization" from an XP user whom he suspects is a pirate? Remember the recent case concerning KIllustrator? Now, add that to the fact that M$ is pushing to get a DMCA clone passed in Europe, which will give lawyers similar rights on both sides of the ocean and the game plan is revealed.
Expect only a hand slap on M$ from the DOJ. The wheels of Justice turn slowly in this country because it takes time for the "lubrication" to flow to all the squeeky wheels. Who has the most 'lubrication'? Certainly not the consumer or the voter.
Comment removed based on user account deletion
I wonder if they are the 'Developer Evangelists with Linux knowledge" that we recently read that M$ was advertizing for.
They are good at lying, smoke and mirrors, that's for sure. As rapidly as M$ is changing their posted descriptions of Product Activation, Passport, Hailstorm and
Firstly, those who say that it's GOOD to have centralized authentication like this, because people tend to be sloppy with their passwords, etc.
Okay. On a small scale, it might make sense. This is not a small scale. This is microsoft. The Internet was not built so one company could control it; it's independent. MS is doing this to corner the e-commerce market. I don't want to let them do that. They are already free to compete fairly with everyone else.
Regarding the comment about Windows XP product activation containing a GUID (which should scare everyeone). I refuse to buy a product that requries me to 'authorize' it's use with the company I bought it from. It's wrong. I paid for it, like a product, at the store. It's mine to use. I should not in any way have to deal anymore with the creator unless I choose to.
Regarding Passport in general... using it for hotmail? MSN messenger? Fine. That's great. But let's not get carried away. I won't give MS my financial information, ever.
You want the GFDL 1.1 or higher, not just 1.1.
Why isn't there an inexpensive debit card reader that plugs into your usb? Pretty simple rig. Then your pin number remains where it belongs... in the bank. Some of us don't use credit cards but the ubiquitos debit card is everywhere... everywhere but the net.
... so it will defend (the value of) it. I explained lately how I got my Passport account. Not with my consent. This is the most anti-democratic construct I've ever seen grow in the U.S.
--------
* Sigh *
When I go to a banking site, I want some guarantee that I'm really at that site. So my browser gets the bank's public key from verisign, and whammo, I can verify that it's really the bank I'm talking to.
Neither I nor the bank need to reveal anything else about ourselves or the transaction to the keyserver company.
Passport addresses the opposite problem: authenticate me to the bank. For this it needs my public key and NOTHING ELSE. No credit card numbers, no addresses, nothing. If the goal is to avoid typing, then I'm sorry, but that "feature" can be built into the browser and stored locally in an encrypted file, or on my PDA or cellphone or smart card.
So...a centralized database does not benefit the user, and it does not benefit the destination. So who benefits? Well, Microsoft, since they can copyright the API's and charge fees to access the database. Thanks, but no thanks.
if u want to save all that typing , why not keep that information at YOUR computer ?
no , silly me , you have to give it to microsoft.
Washington bullets will simply be known as the "Bulle
how about giving one company all your data and the others .. practically nothing ?
would that be selective ?
Washington bullets will simply be known as the "Bulle
This whole thing seems to paralell the industrial revolution. We have a relatively new medium (the internet)that has not has it's full potential tapped just like at the birth of industrialism. The government did not completely understand either of them and cannot successfully regulate them. Regulation is either absent or isn't effective, thus we end up with abuses like the sweatshop back then and the DMCA now. It's good that we finally see a backlash against the complete subjucation of the information superhighway before it became too late. We need to grab the bull by the horn before the consumer completely becomes microsoft's bitch instead of the other way around.
You can get rid of it...Just start the hotmail account back up and use it to send spam. Include abuse addresses of several ISPs. That'll be sure to get the account canceled :)
-- When a fool hears of the Tao, he will laugh out loud.
IANAL, but looking at some information about UK data protection law, it would seem that Microsoft's behaviour here might be illegal on several counts. Oops. :-)
If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
In the UK, the government is establishing the "Government Gateway" a single point of authentication for all citizens to interact with the services provided by the state.
http://www.gateway.gov.uk/
Elements of this approach are scary, kinda like passport for every citizen. But by the same token a consistent way of interacting with the state is, on the whole, a good thing. Time will tell how good it actually is.
"The first thing to do when you find yourself in a hole is stop digging."