MS Sez Hailstorm To Play Nice With Others
Rocketboy writes "ZDNet has posted a story saying that Microsoft will not be the only repository of user information within Hailstorm. They claim that Hailstorm was intended all along to be a network of trusted repositories along the lines of all the banks that exchange information within their ATM networks." One of the key points from Coursey's piece, IMHO, is "MICROSOFT SAID it does not know whether a central authority should be created to oversee the open-trust network it hopes these changes will help create. In an interview late yesterday, an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos and other Internet technologies--taking the lead role if it becomes necessary." So, the central authority part is still being worked out - but regardless, this changes the framework of Hailstorm, if implemented.
What if an individual wants to become a repository for their own information and not trust it to a central place? That way I could carry the information with me knowing it is as secure as I want it to be.
[Please type your sig here.]
When will I be able to use my MS Passport login to login to Slashdot?
That way MS can post comments for me, and save me the time I spend thinking for myself.
Microsoft is just realizing that nobody will play with their new toys if their toys take away rights that we consider sacred. They have backed out of really bad ideas in the past when enough industry and pundit criticism was leveled against them. If they will again this time, that would be great, but content-free proclamations are meaningless. I trust these guys as far as I could throw a hundreds-of-billions-of-dollar-cap company.
There's a big difference between Microsoft (and whatever johnny-come-lately fabricated trustee companies that spring up) and banks. Banks have a culture wholly different from companies like Microsoft. I'm not saying they're divine or infallible, but simply that the way they look at the world and their responsibilities for information are shaped by years and years of living within a complex web of federal and state regulations, and of sitting on the "capital" of essentially unlimited public trust. They don't "think out of the box" about ways to use information they control. The comparison to ATM networks is therefore (in my opinion) structurally accurate but misleading.
Yes, this is MS, so they might only provide a WinXX client. Yes, this is MS, so they might require you to register your client with some central authority with the ability to 'audit' the server to make sure it's up to specs.
But it may also be as simple as having a client conform to certain specs (hopefully open), and that's it. Average Joe would probably never worry themselves with this, so they'd not lose that many customers in the first place.
But in the end, I think it's very important that Hailstorm cannot be a necessity for web sites and that there must be a manual entry level for data when it is needed.
"Pinky, you've left the lens cap of your mind on again." - P&TB
"I can see my house from here!" - ST:
So will Hailstorm play nice with whatever the AOL collective is working on? Or will there be several authentication networks where you need an id on each to reach the full range of the Net?
Didn't this happen with early financial systems too? I have logos for a number of money-transfer networks on the back of my ATM card (though Interac is the only one that I recognize from actual use). I'm guessing they used to be incompatible...not on the same card.
When I'm worried about limited net access and content, I'm not talking about MSN and AOL being the only online properties...but what if the NYTimes or WSJ implement Hailstorm? And what if Sports Illustrated implements AOL's version (no question there, since it's part of the Time Warner family).
And how will the inevitable open-source clone work? Will people try to co-opt Hailstorm, or turn away since it's MS? (my crystal ball predicts both, in two different projects)
cheers,
cz
I've seen the "We're not sure where this is headed, we're making it up as we go along" rap from these guys before.
It's hard for me to believe that it's true that Microsoft is "betting the farm" on their Hailstorm strategy but at the same time they haven't taken the time to develop a roadmap for its deployment and maintenance.
It's too important to them and they have too many resources devoted to it for there not to be a plan. Given that, it makes me nervous that they don't seem to be willing to share the details of that plan. That seems to indicate that they are pretty sure we won't like it.
The best protection is to insist on open, documented interfaces to all of the components of this technology. We need to make sure that the rest of the industry remains free to develop their own components of the Hailstorm/.Net architecture with the assurance that they will interoperate. The problem is, it would take a lot of cooperation for the industry to reject any offering that doesn't meet these requirements.
Just bring it on, ignore all facts, just bash, bash, bash!
How about instead, we pay attention to all the facts, and then bash, bash bash!
------
Bill Gates is my shepherd.
I shall not want.
He maketh me to lie down and pay more green.
He leadeth me beside still blue screens.
He rebooteth my system.
He leads me along the path where he wants me to go today, for his own sake.
Yea, though I walk through the shadow of the valley of silicon,
I will fear no innovation.
For thou art with me.
Thy monopoly and thy lawyers they comfort me.
Thou preparest a preannounced major upgrade before me in the presence of thy competitors.
Thou anointest my head with service packs and hot patches.
My hard drive runneth over.
Surely crashes and high prices will follow me all the days of my life,
and I shall dwell under the control of Microsoft forever.
Those who would give up liberty in exchange for security and DRM should switch to Microsoft Palladium!
Is enough known about Hailstorm and Passport to know if they are architecturally capable of the security we desire?
Plus I see mention of "The Industry Standard Kerberos 5" in the article. Of course MS Kerberos follows Kerberos 5 standards, just in a way that doesn't play with anyone else. So do we get Real Kerberos 5, or MS Kerberos here?
What are the requirements for joining the "Trust Federation"? Who defines the requirements? Who can cast the blackball?
The living have better things to do than to continue hating the dead.
Really guys - what if Microsoft is learning from the beating they're taking from Linux, and really want to play nice? Instead of loosing the rockets at them, maybe we should put aside our mistrust of the Redmond gang - ever so slightly - and take a serious look at working with them.
This is the type of thing that users want - one password, and their relevant information attached to that password. I have most of my users saying "Why do all these systems need a different password? Can't you computer guys get together?" IOW, they want convenience and simplification. Since Microsoft is going to do this anyway, assisting them will get us in the loop, as it were. Besides keeping "the enemy" closer, it can also have some beneficial side effects:
1. It will show Microsoft that when we say "Open", we mean Open for anyone, including Satan himself.
2. It will also show them that Open Standards benefit everyone from the end user to the programmer writing APIs. They are better for business than anything proprietary.
3. Things work better with a community attitude. Maybe it will change Microsoft's bastille mentality for the better.
4. We can make sure that this is done properly - no backdoors, no worms, and as much security as possible.
If we just slam the door on them, instead of giving an open invitation to work with all computer users, designers and programmers, we will just fortify their distaste for Open Source and perpetuate the silly feud that's been going on for years.
Executive Summary: Look at their proposal seriously instead of just dismissing it out of hand, putz.
Soko
"Depression is merely anger without enthusiasm." - Anonymous
an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos
And I wonder if they would treat it the way they treated the Kerberos oversight group? You know, that "Hey decide whatever you want, but we're doing it our way. Ain't market-share wonderful?" way.
'Life is like a spoonful of Drain-O, it feels good on the way down but leaves you feeling hollow inside'
But before we go there - let us first join hands in praise to tell MS that this is a right step in that direction. There are lots of responses we could take, and LISTEN UP: We don't have to jump into anything. We all have to compromise to reach a solution, but we shouldn't have to bet the farm on this. The compromise can take various forms.
So what is the issue? The question concerns technical issues of the Hailstorm protocol. It is not just about who is in control.
In other words, let us take the "white paper" approach. Can MS do that? One that allows us to review and allow the security experts to scrutinize the technical details and design of the whole setup? If MS can take this step, then I should like to say that would remove most of the security concerns of Hailstorm.
And for that debate, I would like to ask the first question. What is the point of Hailstorm? How is Hailstorm different from say, the Mozilla Personal Security Manager, wherein, the user stores his data on his computer, and has simplified but yet customizable controls as to who receives what data?
Secondly, isn't aggregating these data a security flaw itself? Remember that security is not one issue itself, but encompasses issues of authentication, identity, integrity and all that. Given this setup, isn't the chance of identity theft greater? Part of the security of setup we have is that no one single company knows everything about an arbitrary person. They may know your credit card number and hence your financial records, but they may not know your hair color. Meanwhile, some government agency may have your bloodtype, but they don't have your financial information. Isn't Passport a step in the wrong direction, in such a case?
But if Microsoft is going to charge for the service, how does that work?
The whole point of a central repository for this sort of information is for the benefit of the site you are trying to access, so that they can verify from some trusted source that you are who you say you are. Anyone can set up their own repository and say that they are someone else. However, if the site can go to some trusted source (either Microsoft, or a large bank, or whatever), then they can be certain that you are who they think you are, and have permission to use credit card numbers or access confidential information or perform transactions, etc...
The benefit to the customer is not trust, but the "convenience" of a single login, and not having to remember a fistful of different username/password pairs for all the sites they deal with.
Your Servant, B. Baggins
ugh...
Your Servant, B. Baggins
Is it really necessary to use words like "Sez" in the story title?
It's "News for Nerds", not "Newz 4 Nurdz"
Tales from behind the Lagom Curtain
Microsoft has yet to sign any of the major players to join its trust federation
in some form or another, MS will decide who gets to run .net services and who doesn't. This BS about "These two changes--which Microsoft says aren't changes at all, but rather a clarification of what the company planned to do all along" is utter crap. Had this been what they've been planning all along, they would've made this "clarification" a long time ago. I'm going to bet that you'd better buy a copy of Win2K to run services and pay dearly for it!!! MS should be stopped, really stopped. They OWN our government, and are doing everything they can to confuse issues and LOOK like they're playing nice.
just format your drive now and install Linux, you'll be glad you did. Don't give those MS MF'ers a cent of your cash.
I wouldn't put the terrorist attacks past MS as a way to downplay the ongoing monopoly proceedings.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
If the same information is stored in several different servers, doesn't that just provide more points of failure?
It seems to me that everyone should either keep their information independently (the current system), which results in data replication, not to mention countless points of failure...
or...
Have one person keep this information... but it seems like that isn't such a popular thing here.
Captain_Frisk
This changes nothing in regards to Hailstorm. It only changes some people's incorrect perceptions of it. Hailstorm, and the entire .NET framework itself, is extensible by any third party, and always has been. It is simply unfortunate that people are so reactionary whenever Microsoft proposes anything.
If you want to provide authentication via non-Microsoft means, write a .NET plugin for hailstorm using the documented interface, and then the system will use your authentication method rather than some other (like Passport).
I just want to emphasise that this is only surprise news for those who failed to take the time to understand Hailstorm and .NET previously.
Natural != (nontoxic || beneficial)
Good question. I think that MS should release a PR to developers regarding the planned Kerberos implementation, since in the past "open Kerberos" meant open to all who used their implementation of it!
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Actually I meant that they will be paid every time a transaction is performed. Kind of like the royalties they get with some online photo processing operations. I'm not very good at proofreading.
The challenge for Microsoft is to find a recurring revenue stream. Jack Welch says don't let anyone get between you and your customers. Bill Gates listened, and others didn't. They are letting Microsoft get between them and their customers.
I really believe that MS is that EVIL. nothing to do with Linux, and the attacks are a terrible tragedy. I really feel for all of those affected.
Let me ask you this, if you had 100 BILLION DOLLARS in your PERSONAL bank account, wouldn't you retire or at least dedicate your time to doing good for those around you? Good old Bill just wants another 100 Billion Dollars. If greed on that level isn't evil, I don't know what is.
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas
I write software for a financial services company, we do most of our work with MS-sql because that's what most banks use.
-
But I suspect that as events unfold it will be found that an impartial central authority will hold us back from getting the full user experience of MS Innovation.
Certainly it has been the case that standard Kerberos was found "insufficient" for Active Directory and required "improvement".
Don't get me wrong. I'm not saying that standards are never in need of improvement. I'm just saying that I don't want the improved standard to be controlled by an entity with other interests. Interests that can conflict with the kind of impartiality and pure technical focus that such standards control deserves.
"Provided by the management for your protection."
No big deal...just a big inconvenience for all the users of the service, although I'm sure the system will be highly redundant with such large volumes of data at risk.
Now a terrorist hacker...that's a different story.
(Warning: if the following post turns out to be nonsense, please forgive me.)
Let's say that 2002 comes, and hailstorm becomes something that has a point (beyond ensuring Microsoft gets to have SOMETHING installed by default in WinXP that they can charge a monthly fee for and that the average user won't be able to figure out how to turn off), and GNUStorm 0.6 or whatever gets written, and i install it on my Mac OS X box in my dorm and register my dormroom computer as my authentication authority.
How much flexibility will this hypothetical GNUStorm server have? Is the hailstorm protocol such that if i was running an authentication server, i could flexibly determine exactly what information and when that a given site is given about me? In what way? Oh, hell, is there ANY POINT AT ALL to hailstorm besides not having to type in your personal information/preferred password to every website, and making sure you don't make up 90% of the information you put on webforms? Is there ANYTHING hailstorm does that a web browser with a good autocomplete feature doesn't do?
And if i *could* limit who gets what information, would there be any point, since the sites will all be using the same backhanded information-sharing tactics they use now? If i use hailstorm once to sign onto MSN messenger, and i decide not to let microsoft.com's hailstorm server have any information besides the username and password they use to authenticate, couldn't they just contact some site that they partially own and that shipped me something once, say "hey, what do you have on this username", and get a full readout of my name, address, etc..? Umm.. i'm pretty sure that that last sentence doesn't make a whole lot of sense, but you get what i mean.. right?
If i am misunderstanding what Hailstorm is, i apologize, and request that someone more informed can set me straight. You'll have to excuse me, Microsoft seems to be working very hard to make sure everyone is as misinformed as they could possibly be as to the nature of .NET..
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Score: -1 Flamebait
Money isn't everything. If I had $100 billion, I would still program. Heck, I'd probably program more because I could afford the resources to start my own company and code what I want to code.
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
I know. And now that Great Plains has been purchased by MS, most medium to larger sized businesses will be running their ledgers and payroll from MSSQL and MS software. But, hey, why look at the facts?
There is no longer anything that can be done with computers that is nontrivial and clearly legal. -- Paul Phillips
Yes and remember they even tried to sue /. because somebody posted their *copyrighted* amendments here...
Not only did they lie, they also falsified evidence.
sure you'd still code out of the love of coding, but would your code be intent on locking people in to using ONLY YOUR code?
"The Most Fun Possible on 4 wheels" is at SunBuggy in Las Vegas