Slashdot Mirror
EPIC Urges State AGs to Pursue Microsoft Passport
An anonymous submitter sent: "The Electronic Privacy Information Center has sent a letter to all state attorneys general urging them to pursue Microsoft Passport under state consumer protection laws."
"You have no privacy. Get over it."
-Scott McNealy
In Soviet Russia, hot grits put YOU down THEIR pants.
...named Passport and Windows. ^_^
I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already.
.Net passport service is unavailable". Problems like this have also affected access to hotmail, although they tend to happen at 3am when the majority of hotmail users are probably not awake.
Also I object to the way this Passport is being forced upon everyone. In the UK it seems to be rather unreliable. Several times this month, I have seen MSN messenger say "The
I am not proud of having an account with them as it make me one of those statistics showing how popular they are. If it (hotmail) had been run by MS when I signed up I would never have done it.
I'm glad I gave completely bogus details since I really object to having my personal information being spread around the way MS (and other large companies) do.
I would say "oh, leave them alone" if their Passport/.NET service was reliable, since I don't care if they sell my fake information.
Follow me
Quick Question
Which state attorneys generals do you think will go for M$?
and which won't
Get the EULA T-shirt
Mmmmmmm. Floor pie!
From the letter: "Microsoft's failure to make public known security risks in Windows XP and Passport and provide a reasonable degree of control of personal information violates state law that prohibits unfair deceptive trade practices. In light of the FTC's reluctance to address this clear violation of Section 5 of the FTC Act even after the widely disclosed security flaws, we urge you to investigate the privacy and security risks of Microsoft Passport."
If that's deceptive, how about those ads claiming that Windows servers run unattended?
Hopefully most of those accounts aren't tied to active users, because of this. But if they do really already have 200 million users, all of whom are active, then that really is scary. That's around 3% of the world's population. (If I knew what percentage of the world's population used computers on the internet regularly, this would be more meaningful, but I'll take a guess and say 33%. Then 10% of users online would have active Passport accounts!)
I yearn for you tragically
AT Tappman,
Chaplain, US Army
In addition to the unwarranted collection of consumer data, Microsoft offers no method to delete a Passport registration. Microsoft claims
that Passport gives users control of their personal information. However, the most basic aspect of control--the right to take back one's
personal information--is not accommodated by the Passport system.
Note that one can't delete his Slashdot account either. which could actually be the source of some trouble as if he suddenly changes his mind about whichever opinion or way to express it he has, there'd be a way to track his former behaviour if the account he opened was named like him and we know for sure how much we change over the time (maybe from the pro-patent to anti-patent or from the extremist to the moderate).
Though I dislike to add such disclaimer in my Slashdot post, I'd like to point out that I don't want this comment to be considered as a troll neither it is off-topic.
This is just a way to point out that we should ensure that noone may reproach us with the sam ethings that are being reproached to Microsoft or whoever else.
Back to the article, now: what sort of effect does such a letter have?
Trolling using another account since 2005.
Now I'd like to get out of the system, because I don't trust it to be secure, but because I've forgotten my password, I can't.
Go to the Passport site (http://www.passport.com) and look; there's no FAQ or other document that tells you how to cancel your account. Nor is there any e-mail address of anyone who might be able to help you do it manually.
So, when you hear Passport adoption statistics, subtract at least one. I've never used my Passport a second time, but can't get rid of it, after trying for weeks.
"State AGs"? Shouldn't that be "State AsG"? I know, I expect too much.
Is it just me, or did anyone else think this was gonna be EPIC games vs MS, in an AOL-TW style?
Follow me
I'm on EPIC's side and I agree with most of the point of the *potential* problems with Passport but if M$ haven't done anything wrong yet ot EPIC offers no proof except the potential for harm then this isn't going to get much notice.
Kids Passport? *shiver*.
A journey of a thousand miles starts with a brutal anal raping at airport security
Who exactly is the driving force behind EPIC? It would appear at first sight that this is driven slightly by the Beast of Redmond. Who else would push passport (and at the same time Hailstorm/.NET/all your base/etc) at high ranking public officials?
What's the motivation behind this? I suppose we're asked to believe that if it's good enough for the attorney general, then it's OK for me (glossing over the substantial evidence that passport is an insecure and bug-ridden system).
EPIC: We urge you to pursue Microsoft Passport.
Unnamed State Attorney General: Thanks for recommending this great service. I transfer all my documents through Hotmail now and with Microsoft's upcoming Intellisignature Technology I can sign sign everything with just a click of my mouse.
"We have repeatedly urged the Federal Trade Commission to investigate this matter in two separate filings, but the Commission has failed to act. We therefore urge you now to initiate an investigation under your statutory authority."
Ok, so what they are saying is, the FCC didn't care, so we are going to attack at a lower level. While I admire their determination/wish them luck, how much will this knowledge that the FCC didn't do anything affect them? Food for thought this AM....
Sent from your iPad.
Should anybody ask "How is this a bad thing?", send them to read Privacy and Power: Computer Databases and Metaphors for Information Privacy (linked to here) by Daniel Solove. I personally think it is worth reading the whole thing, but it's kinda long, so maybe this NY Times article is a better suggestion.
It basically says, "You may think Big Brother isn't interested in you, and you may be right, but there is a Big Unknown gathering so much information about you, she could come after you once you become a nuisance to her!", only in a less conspiracy-theoretical way...Like in MI they keep trying to pass a law that says we cant sue car insurance companies. They will just keep trying once a year until it passes... Same thing, from the second you turn on this OS, they start requesting your info. The more you do, the more things will request your info. Especially "tech support" whatever that is.
The largest problem in my mind with passport and its related .NET services is the dependance on username@hotmail.com. This service first of all has never proven itself to be reliable. Second of all is the source of(or at least the visable source of) at least half the spam I recieve because they don't secure the thing properly. I would dearly love to block mail from hotmail on my domain, but with the dependance on hotmail for all things M$ related I would cut off a goodly number of people from being able to communicate. We have MCSE's working here and they need to send and recieve on hotmail because of this dependance.
Power Corrupts,Absolute Power Corrupts Absolutely, leaving one person(group)in charge is absolutely corrupt.
I can say, I will never use passport I made that decision a long time ago. I dont trust MS with my information anymore than the next yahooo. I have had a hotmail account since the day after they started their service to the public, they have no personal information that is accurate, nor does yahoo, nor for that matter ebay. I started in 96 with ebay. I fortunatley have been on the web long enough to have avoided confirmations and the like. When any site I got to starts requiring passport services Im history.
Staying anonymous on the web is getting tougher but not impossible, confirmed . MS cannot ENSURE privacy with the passport system this has been proven, and as such it is vunerable to state regulation.
Then again I trade grocery discount cards......
Sig went tro...aahemmm.....fishing........
One way to make them crumble is to USE passport and wallet on machines where you do not intend to purchase... and ALWAYS use bogus information. Their databases will become useless quickly if it is filled with info that is worthless to the people purchasing the databases.
Another thought is.... if this info is constantly sent to microsoft, including your browsing habits... how hard would it be to write a program that does noting but browse browse browse... if it was built simliar to SETI, etc... and distributed among a quarter million PC's... that should flood Microsoft servers with enough *data* to cause them some grief.
As far as microsoft goes... I'm all for spoofing... lieing to them, and filling their drives with useless crap - just as they have filled my drives.
There's a lesson to be learned from all this. Companies should never get too big because some people will be jealous, angry and dangerous. The same advice is valid for individuals to, if you're too successfull, have too much money, etc. people will try there best to make your life a miserable one.
Its lawsuit after lawsuit after lawsuit, it never ends. Weird enough nobody considers suing Sun's Passport clone, brought to you by the famous McNealy with his famous quote "there's no such thing as privacy, get over it."
This is easy enough to see in the case of spammers and mailing list types who want to assume that you want to get their junk unless you "opt-out". With thousands of advertisers, this quickly becomes unworkable.
Now we come to MS and Passport. With the fact of Monopoly, it is possible to enforce the sale and or acceptance of other "products" because they are "part of the whole package" I beleive that in certain states, for Certain industries, you cannot enforce the sale of product number 2 as a prerequisite to purchasing product numbr one. This varies by the product. Of course, you can always say "included free" but some things that are free are not worth the price.
In the case of a monopoly, you can enforce the acceptance of items which would not otherwise be desired, and which may be a mixed blessing to the consumer at best. I am extraorinarily wary of Paspport and the all in one wonderful world of Microsoft Productivity that it promises for people.
Stepford Nation, indeed.
"It is a greater offense to steal men's labor, than their clothes"
They are attacking MS because they collect personal information that could be exposed through security flaws?
How many dozens of e-commerce sites could be shut down on that account? Think about it.
Or are the Attorney Generals being asked to hold Microsoft accountable for their weak security? Bruce Schneier's been trying to go there for years.
Unfortunately, he could tell EPIC exactly how far this is going to go.
Let us now put this into the context of the passport scheme - the EPIC letter states "Microsoft has indicated that the company's goal is to have every Internet user possess a Passport account", which I deem a fair summary of the situation (although, ideally, everybody would also use a Hotmail account too). Trundle along to, say, http://www.passport.com and look! See how you can sign up with ease! Get it now! Calooh! Callay!
Now let us try to pull the same trick that was pulled on me, and that I have fortunately not seen on any well-organised mailing list outside of Redmond. Enter an e-mail address, any e-mail address (excepting MS-specific ones such as Hotmail) - even make one up that obviosuly doesn't exist, and then... Carry On! Yes! There's still no security! At least, I guess, an e-mail gets sent to the e-mail address asking you to verify it, but this seems to be purely for service embellishment:
Using the new obviously-fake account, I can save settings, edit my MSN etc etc much as I may or may not want to. That is not the issue. What we have here is clearly a case of theft of privacy - without even trying, anyone is able to sign up anybody else's e-mail account for a passport. Who knows what havoc this could/will cause! Not being particularly au fait with MSN, I have only circumspection, but Microsoft have an epic journey to go before they reach "Trustworthy Computing [tm]" if they fail to understand the basics of privacy and intrusion, as highlighted here.
To conclude, I say get out there, fight it from the other end - the end that consumers will understand. Sign up as many fake and real accounts as you like to demonstrate just how fallible the system is. I'm off to see if they prevent scripting...
" I think we need a law that forces companies to have a large checkbox in their sign-up forms saying "I don't mind having my personal information sold to other companies". This should be un-checked by default. I'm sure some countries probably have this already. "
As you are from the UK, you might be interested in the things covered by the Data Protection Act (DPA). The DPA can be used in the UK to protect yourself from people misusing your personal information. A quick guide can be found here Companies can be quized as to how they use the information and what information they hold on you. For as little as £10
In addition you have the right to sue the company for any loss resulting from faulty information they use, and you can have data removed / corrected as approriate (see here for details)
As passport is based in the US I'm doubt you have any rights covered by this act (although you might as they are providing the service in this country). However I think this is a step in the right direction, in the UK this covers most companies and data including credit ratings. This is a brilliant set forward and offers hope to all those people who are screwed because of faulty information, or just pissed off with companies sending them letters ;)
For certain types "sensitive" of information a company will have to get your explicit permission before using your information eg. race, religion etc.
I am intending to write to the Information Commisioner to ask about Microsofts information gathering activities in this country and if they can be stopped / modified to ensure that they conform to the DPA. Maybe if enough people do this we can get a result for the UK.
If you ever drop your keys into a river of molten lava, let'em go, because, man, they're gone.
Perhaps the reason why the FTC hasn't acted is because of the horrendous writing style and inadequate proof-reading of the EPIC authors. While I will never present myself as an accomplished speller or grammar fanatic, even I see poor use of our language in this document. Perhaps the most galling is the line: "over 100 hundred of the largest online retailers" (which can be found in the third paragraph). So, is that 100 or 100,000? These guys at EPIC are complaining that Microsoft doesn't pay enough attention to the details (which is true), while putting out this grade-school effort in communication.
The FCC is the Federal Communications Commission. If you are involved in a dispute that is, in any way, commercial, they will not involve themselves. You have to talk to the FTC. This can be a bit of a bitch if you're small time and buying spectrum, or the like, and got ripped off, because it is the FCC who actually knows what is going on, but since it is a service dispute they won't get involved.
The FTC is the Federal Trade Commission. They are a very different animal - for one thing, they are a hugely more powerful institution. They are the people you have to talk to if you want a dispute (like, say, MS Passport is mysteriously billing you for services you didn't buy) resolved without involving the courts; even if you are going to go to court you generally have to talk to the FTC first.
It is, perhaps unfortunately, very difficult to get the FTC's attention. I assume that the state attorneys general know this. Also, major decisions at the FTC are made by political appointees; the Bush administration has been seen by many attorneys general as being soft on MS.
The good and new comes from no quarter where it is looked for, and is always something different from what is expected.
I was interested in whether my old Hotmail account still exists (I used it briefly when I moved and had no ISP of my own), so I tried to use my old name and password. I was redirected to the Passport website, which told me my browser (Mozilla) was unsupported. Last time I checked, Mozilla supported enough features to allow me to log into other websites. What gives?
Did anyone else notice that the name of the FTC Commissioner cc'ed at the end is Orson Swindle?
Talk about putting the fox in charge of the henhouse...
You are born in 1998, your zip code is 82312, your gender is none of their buisness (and if they instist use a coin to decide). Nor is your race, religion, or the type of car you drive their buisness.
Reasons for the above: In the US only minors have privacy protection, so by putting down a birthdate of 1998 you are under those laws as far as they know. Your physical address is none of their buisness, unless you are buying something from them. (and so far I've never had a problem with the venders who I buy from though there are bad apples out there). Your gender, race, religion, etc is none of their buiseness, on the net nobody knows you are a dog! Refuse to answer, or anser randomly. Randomly means sometimes you give the right answer, because if you always gave the wrong answer that in itself would be a clue.
Remember invalid data that they have is less valiuable then not having data at all in many cases.
That's right! I have two hotmail accounts. I guess that also means that I have two Passport accounts. ;-)
As for not using them, I can't. They're extremely valuable. You see - this way ALL the spam I would get in my primary account - goes to Hotmail. It's kinda fitting, don't you think?
As to why I have two? About two months ago I received almost 1,200 spam messages over a 24 hour period. that's NOT a joke. I abandoned rspy@homail.com and switched to a new one. I figure I'll give this one 6-12 months
Honestly though. There are VALID reasons for using Hotmail and other Microsoft services. This is one of them.
I don't know.
Get a full Screen Life (I'm Mariah@hotmail.com, 57, blond, loving gardening and leather sex), and always use the same.
Never Use your passport to order anything.
Just remember who you are...
Regardless of whether Microsoft has been proven to abuse the power, there are laws which make it illegal to posess the ability to abuse the power. The idea comes from a legal term: "conflict of interest."
When a person offers a service to another person in the financial/legal/medical world they are acting as an agent on behalf of the customer. Legally, that arragement has an implied "fiduciary responsibility" to the customer. That means if someone gives you the key to their account and you do something they wouldn't have agreed to, you are wrong and subject to criminal and civil liability. In the case of finances, there are EXTRA laws that say you are not even allowed to ofer such services to people if you have an interest in ripping them off (like other competing customers).
Bill Gates comes from a long line of lawyers: his family is a lawyer family. He knows he can flout the law wherever there is grey area because he has the money to risk. If he manages to win some small legal challenge, he has stretched the law to allow more exploitation and the windfall revenue that goes with.
When you (the US) have a big dog, you put a pinch (or shock) collar on him, and you jerk it hard (or shock him) when he *starts* to get out of line. You can let up a little, but only when he has a compelling fear of disproportionate retribution. Corporations are less like people who deserve rights, and more like dangerous, powerful animals that must be attended to with preemptive stewardship. Emotions, values, and ethics are not present in the brains of reptiles or boardrooms.
--- Nothing clever here: move along now...
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Does everything Microsoft does have to be under scrutiny? Personally, I think AOL/Time/Warner(/US Gov't) is more evil by far. The only reason no one ever gives them crap is because the government is a secret part of that merger!
Microsoft Passport is a good idea. Sun et. al. think so. They are coming up with Liberty, their answer to Passport.
Does Passport need work? Yes, I don't deny that. But does Passport store *everything* on the server? NO! A site that implements Passport is responsible for keeping track of their own consumer's information. This is outlined in the .NET Framework and Passport SDKs. Currently, there is no way for a site to pass infomration back to the central Passport database. The only thing Passport could know about you in that case is that you go to that site.
Get off their backs. I'm a big linux and open-source supporter but I also realize that Microsoft has better integration as a whole system. I'm getting really tired of the crap everyone on this site gives them. You could point fingers at a lot of other companies, too, not just Microsoft. For instance, anyone read the other post today? Linus is being a pain in the butt. Maybe you should scrutinize him for a while!
I bet that fellow who paid M$'s lapsed domain registration a few years ago on Passport.com is really kicking himself now!
(Spudley Strikes Again!)
No one is forcing me to use hotmail or .net or windows xp. Since when have people forgotten how to lie? Just make up shit on the form if you don't want your real info to be publicly available. Yes, your average sheep is vulnerable to M$'s tactics, so I applaud EPIC's efforts, but there are 200 million other people who aren't suckers.
Okay, if you want to quibble, we aren't talking at all. We're writing.
Virg
It can be done. I managed to get my Passport Account cancelled. It was not easy, but here's how I did it.
Send e-mail to the following address requesting the removal of the passport account and the information associated with it:
passport@css.one.microsoft.com
Be sure to word it strongly or you may not get a response. I ended up getting to the point where I was using curse words and basically spamming this address. I also reported this incident to my local news media (who did nothing. surprise surprise) and informed Microsoft of this.
My big beef on this whole Passport thing was that I was signed up because I am Microsoft Certified. I NEVER requested it, I never checked a box saying I wanted information or anything else from them. So I paid $100 to take a test that allowed MS to harass me.
BTW once you have a response from the above e-mail you will get a number. Be sure to include it in every e-mail you send. Go to the MS support site and start spamming them as well. Eventually they will listen. At least they did for me.
A last note. It did take me a couple weeks to rid myself of the PASSPORT, so be patient and persistent.
Good luck!!!
If Darwin was right, you'd be dead by now.
The paper trail is a direct consequence. Not a desirable one, but it is a direct consequence.
My comment trail is another undesirable, but direct consequence of posting here.
If I like to play devils advocate, and then have to answer to someone that doesn't understand that I could have a different opinion from his, then I have been wrongfully harmed by my posting history.
Anonymity is paramount to open and frank discussion. This has been argued again and again in free speech circles. If I am not anonymous in my criticisms of my country, boss, school, or whatever, even with the first amendment (and not everyone on slashdot has first amendment rights, I might remind you) I should fear reprisal.
With all the companies and cults that are using trademark and copyright law to keep people quiet, or even make their lives hell, this becomes more obvious. This doesn't even bring into account the illegal harassment that unions, corporations, or cults might use if I speak my mind against them.
Anonymity is paramount to free speech.
> "State AGs"? Shouldn't that be "State AsG"?
Not really. Since AG is an accepted acronym for "Attorney General" it can be used monolithically when you're pluralizing it. It's much like pluralizing LOF (Line of Fire) as LOFs, not LsOF.
Virg
Thanks for the link. As for the abstract, I wouldn't call leaving you logged in while saying you were logged out "minor", but MS could fix that bug in a few hours if they actually cared about Netscape users maybe having their accounts hijacked...
A fast skim through the article indicates that there are fundamental problems with the basic idea, aside from the MS implementation errors. The web itself is too insecure to allow running a really secure application on un-modified browsers. Passport collects the authorizations to many accounts in one place, so it ought to be more secure than is theoretically possible with the protocols used.
Disclaimer: Word?, Excel? and Windows? XP? are registered trademarks of Microsoft? Corporation. ?Copyright 2002. All rights reversed.
I know that Microsoft is everyone's favorite target, but I think the claims made, while extremely valid, are widespread problems. How many websites out there maintain account and credit card information? As a web developer, I've seen numberous systems where passwords and credit cards were stored plain text in the database. So the only "gatekeeper" was the security of the database. Heck, I've even seen some sites storing information in Access databases, which were accessible below the web root! If the various attorney generals are willing to fight this fight, they should also go after all of the incompetent IT and web developers out there. Of course, to do this they would have to evaluate these various systems, to determine that they are secure or not. (I can already hear the claims of "big brother" intrusion) Wait - the request isn't to investigate "faulty" systems - it's to investigate a system that has some potential for failure (I know that many will be quick to point out that there have been some breaches with Passport, but I'm just addresses the claims made in the letter) As such, that would ruin pretty much every web site out there that has a database, as they all have a potential for failure. Of course, this will never happen; they don't carry the same "trophy potential" as Microsoft does.
Will this be a consumer protection issue, or an opportunity to gain some political karma?
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Enjoy this while you can. The purchase of new laws to make it illegal to give bogus identifying info is surely on Microsofts to-do list, right after 'Buy self out of monopoloy ruling'
Karma: Professionally Doomed (mostly affected by inability to keep opinions to self)
A growing number of sites deny access to users under 13, or require special parent's permission to access them. This is a result of the COPPA legislation. So yes, you are right, you have more legal privacy protection then.
...but you are missing the detail that you won't be able to access a small, but well used, portion of the net, or you will have very restricted access to sites. Changing your birthdate later when you run into this isn't always possible.
> ... if M$ haven't done anything wrong yet ot EPIC offers no proof except the potential for harm then this isn't going to get much notice.
Actually, this is exactly what would (in normal circumstances) get the attention. The wrong that MS has committed is in touting an offered service as something that it reasonably isn't. For example, I can't offer my services to the public as a bank if my vault has no lock on the door, because a reasonable customer has every right to assume that I've got physical safeguards in place if I claim to be a bank. If I purport myself as a bank, and then it's discovered that I don't have a vault, then the FTC (or the state attorneys general) can reasonably require me to stop claiming I'm a bank, or at least require me to advertise that I don't have "standard" bank security. MS purports that Passport is a secure portal time and again, and yet it's been shown to have some fairly severe security faults. That's the wrongdoing, and the EPIC letter is attempting to call attention to it through the states' AG offices since they got no joy from the FTC.
Virg
I think you are basically right. If there are more, then I don't know of them. But I've never encountered any. And two is a pretty decent figure considering the competition.
/tmp) as read-only. (Again, I haven't tried, but this seems like a sure winner [though I might have the scratch partition named incorrectly]). Just be sure to re-boot periodically, and any penetrations will be automatically removed. CD's are good for this too.
OTOH, I believe that there is a Mac web server that has never had an effective virus attack. (I think they secured it by removing applescript from the machine, but I wasn't involved, so it might have required more.)
And it should be relatively easy to build a secure site by mounting all partitions (except
.
I think we've pushed this "anyone can grow up to be president" thing too far.
...at least as far as creating press releases without those moronic broken quotes. Maybe they need a quick tap upside the head with the demoroniser?
Your right to not believe: Americans United for Separation of Church and
ATTENTION ALL IOWANS: If you are in Iowa, this is especially timely, as the Iowa legislature is considering whether to allow citizens the so-called "private action" right. Iowa is just about the only state in the union that does not allow its citizens the right to sue directly, under their own name, companies that violate our consumer/trade protection laws. Contact your legislator and tell him/her that this is a great example of how your rights are dependent upon whether or not the Iowa AG decides a particular case is important to prosecute or not. Iowa's AG, Tom Miller, has taken an aggressive stance against MS and Iowans should be proud that he didn't back off like the feds did. Adding the private right of action would in no way detract from the AG's rights, but would simply give consumers another option.
because if I understand correctly, installing and "Activating" Windows XP requires that you have a Passport ID.
Sounds to me as if they're using their OS monopoly (now a matter of Fact, and Law) to leverage a monopoly in the emerging Network Authentication industry. It gets all the worse, because there is no Network Authentication industry yet, and if MS has their way, it will never truly emerge because they'll own it from Day1.
The living have better things to do than to continue hating the dead.
The system as designed *is* inherently evil. It is designed to implement and maintain centralized control of the user's information. Whoever the custodian is of such a system is a central point of vulnerability. WHOEVER.
The proper design of such a system would implement the exact same features, but store the information on the user's local hard drive, with the option of backing this up to a third-party site choosen by the user. Also, the user should have the ability to enhance the encryption, by adding a layer using their own preferred encryption program (pgp, gpg, etc.) to wrap the already encrypted data. (You are, after all, planning on backing up your personal data onto someone else's servers.)
The service if implemented in this way would be cheaper for the software supplier to provide. And this method has many obvious superior features. So much so, that one needs to wonder as to why it was implemented in the way that it was. It wasn't for the convenience of the users. It wasn't for efficiency of operation. It wasn't for simplicity of design. It wasn't for easy of integration. Was there a legal reason? (There sure wasn't a technical reason!)
.
I think we've pushed this "anyone can grow up to be president" thing too far.
Hmmm, slightly evil thought. (Disclaimer: I'm not promoting this in reality.)
What if someone wrote the next Melissa/Nimda/Code Red to take all the information from a user's mailbox and create a bunch of random Passport accounts along with the various emails. The backlash would be quite interesting. Not to mention the garbage/clutter in the Passport DB and the cries for the ability to delete accounts...
Again, this is merely a mental exercise in what if's...
--- I wish I could hear the soundtrack to my life. That way I'd know when to duck.
Problem: I work for a company that promotes and offers Microsoft software and features as a web hosting and VB developement.
Now, what do I tell my clients? Well, having worked in the IT industry for some years, I'm sure we, that is, we in the IT industry, will tell our customers the same thing we've been telling them from the beginning when we began this whole Internet/software/etc. cash cow that is 30% of the national GOP.
It works
It's secure.
You can't sue me anyway.
HAHAHA, can't sue Microsoft!
So shut up and pay me the money. Secure or not, I have your business by the nads.
Can't anyone come up with a better business model than this???
Instead of going to M$, you go to your own server.
When they login, instead of going to M$, you own all their personal information.
Its DIRT SIMPLE. If people wanted to pay me, I could set it up for them, given you don't do anything illegal(under terms of the United States government) with it. sager@andrew.cmu.edu
God spoke to me
So why would anyone expect the state AGs to do much about something they know very little about (no disrepect, but the majority of lawyers do not have the specialized knowledge of technology as they do with law)?
Note that they haven't too much about something comparably restrictive of commercial activity that affects their citizens and about which they know much more - to wit, VISA.
Have you given much thought to how much merchants get charged for the privilage of accepting VISA cards? Of how much your ability to conduct transactions in the real world is affected by the need for you to have a VISA card?
As with the price of Windows and Office, the price of VISA service is kept just barely under the pain threshhold, where the host is not willing to make the effort to squash the parasite.
If nothing's been done about VISA, I hardly expect a snappy acknowledgement from the state AGs recognizing the similar capacity of MS Passport to obtain a stranglehold on electronic trade.
"Provided by the management for your protection."
I've got a Passport account, and it's tied to 'username@mycompany.com' - no Hotmail involved.
I don't receive ANY spam at 'username@mycompany.com', so the spam issue is hotmail-related, not Passport-related.
Actually, Passport used to be tied to Hotmail but when they realised this was hurting uptake of the system they changed it to allow other addresses as well.
The spam problem is purely related to hotmail by the way.
You know, what I find scary is that it's a well known truism that MS takes 3 versions to get anything right. At the moment, Passport isn't right. It's too hard to setup (for site admins i mean, not users), costs too much money and is way too centralised. It's much better than it used to be however, and it's curretnly on version 2.
So what happens when it reaches version 3?
Now I can sign up all of Slashdot for Passport whether they like it or not! Well you shouldn't have left your email exposed here, what can I say.
Trolls are loving this one.Thanks again.
Anonymity is not per se paramount to free speech. It's the possibility of remaining anonymous. Slashdot has that. You are free to choose to post your name, knowing all the consequences your choice implies.
it's not AGs, it's AsG
Amazing magic tricks
Thank you for contacting Bank One Online(sm).
Dear Mr. XXXXXXXXXX:
In response to your letter concerning Bank One?s relationship with Microsoft, we want to assure you that Bank One rigorously screens any potential partners and continually strives to bring high-quality products and services to our customers. Bank One is constantly seeking new ways to service our customers, and we believe Microsoft has technologies and experience which can help us improve the quality of products and services that we offer. We continue to work with a wide array of technology providers in all segments of our business, and we believe Bank One customers will be well-served by our relationships with Microsoft and other technology providers. Many of our customers have been supportive of this relationship and we hope you understand that we use many technology providers.
We appreciate your business as a Bank One customer and hope you will continue banking with us. If you have any other questions regarding our products or services, please do not hesitate to contact us.
Sincerely,
Bank One Online
------
I just emailed them the letter from EPIC, and hopefully they will read it. I urge any of you who are Bank One customers (or any bank for that matter) to contact them and find out if they are planning on using .NET in the future. Send them this letter, let them know if you are opposed to your money and security being handled by MS.
My beliefs do not require that you agree with them.
Great - this letter reads like a pile of manure. I am in no way advocating M$'s practices here, but unless you can prove all of those wild allegations in the letter you've: 1) got nothing 2) are wasting important people's time and 3) are more than likely alienating them from the cause.
What exactly is the gripe here? Let's put some thought around that and formulate a halfway decent letter - maybe one we can edit and review here on Slashdot.
I'm a 2000 man.
When a PAC sends letters to Congress complaining about something? Heck, if you gave them enough money, they'd probably start complaining about the monkeys flying out of their butts...
...and then I'll go away. First, you can be right and still be a troll. Trolling is using wording designed to inflame. You can be factually correct and still be trollish in expressing it (frankly, I don't think your comment was infammatory enough to warrant the troll mod, but that's not what we're discussing now). Second, the thing about your theory is that you need to prove it's right to make your point. It's insufficient to say nobody can prove it's wrong. Third, your theory is presented based on the size of Microsoft, but since there's an enormous body of evidence that demonstrates that Microsoft operates in bad faith (and is able to do it so much because of their size), I purport that the reason people bash Microsoft may be based on other factors than their size. IBM went through the same thing when it was strongarming the market in the '70s, and now that they're not doing it any more they don't take so much heat, even though they're still a huge company.
Virg
All you have to do is install antivirus software with the latest virus definitions, apply all relevant patches, setup a firewall and an NAT, close off EVERY incoming and outgoing port, set the screensaver and bios passwords, and finally, turn the machine off. Allow to sit for a few weeks to collect an ample amount of dust, and for added functionality, put a few pieces of paper under it.
You now essentially have a Linux server.
There's a Mercedes gap too. I want one and can't afford one, but it's not government's job to do anything about it.
And slashdot uses and promotes a system of ignoring, heckling, badgering, or otherwise eliminating AC posts from observation. They use negative reinforcment to further the objective of accountability, possibly to the detriment of open and frank discussion.
Now the right to speak, and the right for others to ignore you are of equal value. I would say that the right to ignore is just as important as the right to free speech, and both fall under the broader umbrella of expresion.
I do concede the ability for anonymity is the important thing.
I also realize we have no dissadents posting here.
The ideas are important though, and for people to dismiss them as un-important is wrong.
But then again, making some one use mod points to drop Natalie-Hot-Grits-Petrified-Portman below the radar might be considered wrong also.
First Post!
passwd: butthead
What the hell are you talking about?
PS. This is an_mo again.
_______________
It continuously disturbs me that I have to give out my personal information on line. It's bad enough the majority of companies require my e-mail, name and state of residence to sign up for a service, but it's even worse when they also want my address, phone number and other info.
Give me a break! Is all this really nessesary to get a frikken email account?
I think if anything, there should be a law that says that no company may require you to give out personal information to aquire or use an online product or service (unless it is nessesary for LEAGAL purposes i.e. ebay sellers account, and ISP account) They may ask for my information, but I should not have to give it.
Yes, I know that I can fill out bogus info, but I'd rather not fill it out at all. When I walk into a store, I don't have to give out my name to buy something, I don't need to tell them my adress or my email. The only time I ever need to use my name when I buy a product is if I want the warrenty. That makes sense. My home adress for an email account does not. Same thing with the need for any personal information just to log in and read a story on the new york times web site.
T Money
World Domination with a plastic spoon since 1984
without even trying, anyone is able to sign up anybody else's e-mail account for a passport.
Have you even tried to do that? Anytime you register an email for a passport account, passport sends an email to the email address specified informing the user about the fact that the passport address was registered under that email address. So no, you can't hijack someone else's account unless you also have access to their email account.
An email address is not a security feature. The fact that I can register foo@bang.com as my passport ID means diddly squat (assuming there is no foo@bang.com) and is a great way to protect your privacy if you want to use passport features without revealing any personal information.
Mmmm.. Donuts
The largest problem in my mind with passport and its related .NET services is the dependance on username@hotmail.com.
Bzzzt! Wrong! You can register any email address (it doesn't even have to be a valid one) for a passport account.
How does such uninformed tripe get moderated up?
Mmmm.. Donuts
Fastest way to get a). the general public and b). Microsoft to take note.
Unless, of course, some one else has already patented it and they are only waiting for an appropriate amount of time to go by in order to rap the microsoft knuckles for patent infringement.
"It is a greater offense to steal men's labor, than their clothes"
This constant whining about Passport and privacy, although it seems to be this great groundswell of consumer angst against MS, actually plays into MS's hands. How could this possibly be you ask? Let me explain... If I was anywhere near as wily and cunning as BG, my strategy would be thus: orchestrate and add to the public's fear of the Internet's insecurity by shipping egregiously insecure products, and using my influence over the media (such as one surely has as richest man in the world and on the board of directors of the Washington Post) to propagate and exaggerate tales of evil hackers. Then, once they are properly whipped into a frenzy of paranoia (hey, even the Taliban is reading your files!) turn the agile boat of MS around by sending out a memo to now, "belatedly", make security job one. Mobilize the best minds at MS (and some of the best minds in the world at that) to tackle the security issue head on. Meanwhile, if any other Passport-like federation of servers pops up, use some of these same people to analyze the weaknesses of the competing system and then hire whiz-bang Russian hackers to compromise it, rallying support to Passport while feeding the media's propaganda machine. Bizarre? Paranoid? I don't think so. Giving up your freedoms for "protection" is one of the oldest rackets there is. And the little Italian corner-store knows perfectly well that the "protectors" and those to be protected from are, if not the same people, getting together on Friday nights to play poker at the local tavern. What a ubiquitous Passport gives MS is not the rights to violate your privacy. That would be bad business. What it gives MS is the mandate to set the future for the XML schema of the new integrated Internet, and that is power indeed.
You're missing the point:
Visa does not have 94% market share. Neither does Mastercard, Amex, Discover, Access, Switch, Bancontact or anyone else.
Monopoly != free market capitalism
"And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
..."no man might buy or sell, save he"...
And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."
REV 13, v16, 17.
Out of context, I know! But that could almost "pass" for the Passport Authentication Scheme. -
When I raised this point on one forum - you should have heard the MS-Fans raise their voices in protest!!
.
(David Bowman, EVA near HUGE Monolithic Win-PC in orbit around Jupiter) "My God - its full of Malware!"
I listened to an interesting presentation by a guy named Dr. Ian (something) at defcon, regarding anonymity on the internet.
/. did the same as passport if doing. Someone else pointed out that they really didn't, as purchasing habits is some how MORE personal than the ideas you express. Then I brought up the idea that if we treat ideas this way, then we start to suppress free speech. Then you pointed out that free speech isn't suppressed when anonymity isn't present, unless there isn't a chance that anonymity isn't present.
/. readers only think about in a fictional sense.
/., then they won't, and shouldn't. /. (getting around to what I was saying in my last post) encourages people to identify themselves through moderation, and giving people the ability to ignore anything that hasn't been moded high enough. It is a very snobbish and eletist way to carry on a coversation, and removes a lot of important discussion from the table.
/. can afford to be as naive as they are, b) no one really expresses anything of import on /. because of a), and c) since a) and b) are true, the moderation system poses some utility in weeding out all the really assinine posts, making an allusion the the person that used to post garbage about hot grits down the pants or a petrified natalie portman, or whatever.
I assumed it was someone that was just whining about credit card tracking, and that sort of thing.
He brought up an idea of a nymity meter, ranging from totally anonymous, to a psuedo anonymous with reputation (ala slashdot), to totally accountable to your person.
I often think about these things, and it just seemed like a pertinent place to talk about them, and bring them up. I could care less about Microsoft or passport or slashdot, because they have no real impact on my life.
The problem is, that people are discussing and arguing anonymity with a narrow scope of passport v. slashdot.
Someone pointed out that
This made sense.
A lot of people don't seem to understand either one of our view points, let alone the distinction. Most people don't understand that there are people all over the world that will be killed for voicing their opinion. These same people sit and argue and pontificate about privacy issues as if they appreciate the downside of lack of privacy, and just don't have a clue.
My ability to say, so everyone can hear "The dictator is a cruel thieving rapist." is a constitutional right in the US, but no so everywhere else. In the places where it isn't, it becomes very obvious that Anonymous Cowards need to be heard, do have something useful to say, and also need to be held anonymous, or suffer brutalities that most
This thread, and one earlier sort of incensed me that slashdot readers espouse grandeous ideals based on the premise that someone knowing what color undies (so you can find the earlier thread if you care to) you bought is somehow more important than telling the world your dictator is a rapist, solely because they don't realize that some people have opinions that actually matter in the world. They have a limited life experience, and a limited view of the world, and still assume they can speak on some grand level, about some large ideals.
The ideas you have, and choose to express, in what ever forum, on whatever topic are MORE important than your entire lifes history of purchasing. Just because the opinions, arguments, and decesions you choose to have and express are some what tame in comparison to the founding fathers, doesn't mean they are less important.
If you use the argument that no one expresses anything important on
Then I implied that the whole reason this exists is understandable, since a) fortunately people on
It is easy to see why our freedom of speech is being eroded, when people don't have anything important to say, and don't realize that some one else might. When an entire peer group or community can stand up and say that thoughts, ideas and opinions are less important (this whole thread) than a purchase history, it is a very sad time in the course of civil liberties.
He yelled loudly from the isolation cell that is AC posting.
Exactly what I was thinking. Instead I just give them bogus information in all my Hotmail accounts complete, and completely wrong. I was born on 1970-01-01 (Unix epoch zero), and my address puts me somewhere in the middle of the Charles River in Boston.
Liberty in your lifetime
As part of an evaluation study, I decided to create a few Passports to understand what level of authentication Microsoft was performing to bind the Passport to the user, also called 'principal.' In the security community, there are three kinds of principal authenticators, specifically, (1) something you have, (2) something you know, or (3) something you are. An "authentication factor" refers to how many of these authenticators you possess. A driver's license is a two-factor authentication system as it authenticates based on something you have (the license) and something you are (your photo). Digital signature certificates used with signing software authenticate on something you have (the private key) and something you know (the password to use the key), and are also two-factor authentication. Biometric systems can effect 3-factor authentication. There are many other examples.
Obviously, the more factors you have, the more strong the binding is between your claimed identity and your actual self.
Microsoft Passport, by experimental determination, is a single factor authentication system (knowledge of username and associated password). This, in general, is not good when it comes to things like online purchases, but it is excellent if the idea is to maintain anonymity of the principal.
Try it out. You can go to www.passport.com, and sign up for a password using a ficticious e-mail account. The e-mail address does not have to match any actual address, it just has to be in the "foo@bar.com" format. So, even though Microsoft claims to authenticate to an e-mail account, which in turn would defer authentication to the maintainer of the account (bar.com supposedly knows who user 'foo' is), it really does not. I could register a Passport in the name BGates@msn.com if I wanted to. MS would never send any note to BGates@msn.com and ask, "is this your Passport?"
Why didn't this point come up in the open letter? Well, for one, it could be that the authors did not actually experiment with Passport prior to writing; all of the Microsoft literature leads one to believe that the e-mail address is authenticated. [There are numerous e-mail authentication examples in use; join any mailing list, and you will often get an e-mail, "reply to this and you'll be added". That is at least some authentication that you can access the e-mail account that you claim is yours.] Paperware analysis could lead the authors to wrongly conclude that the e-mail is actually authenticated.
A different, more sinister and self-serving reason is that it would refute the claims of the open letter! If Microsoft does not authenticate e-mails, then one can pick any identity when registering for a Passport. If the identity on the Passport is meaningless, then the identity of the holder is meaningless, and it therefore follows that there aren't any privacy or protection issues at all. MS would essentially be tracking the surfing habits of some unknown user.
In conclusion, the issue of my post is not that Passport is evil or Microsoft is vying for a monopoly. The issue is that there is an unfounded fear and paranoia about security, privacy, tracing surfing habits, selling information and e-mail spam related to .NET Passport that really does not exist... because Microsoft does not authenticate the e-mail address used to register the Passport. Never. Nada.