'Open MS Passport': MyUID Goes Beta
mastergoon writes "MyUID, which has been referred to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."
Maybe one day this could be almost as successful as MS Passport.
Am I dead yet?
It has no reverse DNS, which will mean some people won't allow it to send them mail.
Frequently Asked Questions (FAQ)
Q: When will the first API be done?
A: The alpha is out, check the download page.
Q: Can penguins fly?
A: No.
They have the most useless FAQ in recorded history...
The API is also decidedly undocumented.
Please come back when there's actually something to show us...
From the TOS:
MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.
All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.
--------------
The problem with sites like this is you don't know who's behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even themselves) they're not going to see my business.
After that I didn't quite make it to the FAQ. Someone want to explain what ^the above^ is all about?
Isn't that enough for you!? Domains cost... several dollars. That's a huge investment for a scammer/spammer to make.
It seems like this project is only implemented on one site called mastergoon.com, and the /. post comes from a user named "mastergoon". Hmm...
Seems like a one-person project. Very easy to declare standards without all those annoying other people!
Where people can login and try out their ID to make sure it works. Notice it's a different domain than the main myuid.com site?
I thought the whole problem with a centralized user system was exactly that it was a centralized user system. Doesn't matter who runs the ID server or how little information is stored on there; as soon as a centralized system exists it's the biggest, baddest target for attack out there with the highest consequences if it's broken into.
Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?
-Matt
--- Need web hosting?
From their website
MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.
Weren't they supposed to do something similar? Sure seems to be taking them a long time.
Google hands out invites now like a prostitute hands out VD. Heck, my dog has a GMail account.
From my initial glance I really fail to see how this is really any better or different from MS Passport, even once it's ready for release. At least MS have the clout to have Passport used on more than just their own site, which is where the value really is. I'm also not too sure about the idea of a public Alpha test of this sort of technology. Seems a bit too early in the development cycle for it to be worthwhile. Getting the site slashdotted really only results in load testing, and they don't seem even close to that! And let's not forget the dumb name... how many [G|U|etc]UIDs do we need?
Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
This is a story because they have proof of concept and a basic framework. This gives them attention; right now they need people to flesh out and test the system. A story on Slashdot is a great way to attract attention.
Now whether this project is ultimately useful is debatable.
</sarcasm>
So, if I am reading the code right, it has basically no security whatsoever at this point. Wouldn't you want that in an alpha release?
You say you want a revolution....
Sound like a good way to get sign ups?
Anyone seen any proof that this guy has these accounts to give away?
Kudos to whoever made this, I know you must have put your heart into this. I don't mean this comment as an insult to you or your idea. But really is there a need for this? I like the idea of simplifying the web for people but Passport exists (and failed) and I believe there's a competing group with Sun in it called the Liberty Alliance that has a non-centralized model which I think sounds much safer. A centralized database has too many problems related to it to be useful.
Would I want to put my personal details on another site that every man and his dog can access? Or am I missing the point completely?
Why would I encourage users to aggregate all their personal data with some unknown startup?
The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.
If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.
And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.
Assumedly at this point the dog hasn't learned how to run script kiddie php exploits, otherwise your statement is correct.
It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in the security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there, meaning one lucky strike could potentially compromise every user on the system.
ouch.
-Matt
I just poured a plate of hot grits down my pants.
...towards creating that completely P2P IM system I've always wanted to see. Now, can we trust this company?
CAn'T CompreHend SARcaSm?
Think of the spam potential with this... I don't see why Gator hasn't tried this.
The problem with a system like this is that no matter how secure the underlying mechanism is, by making it so that any random site could possibly be using it for authentication, you have no idea who is legit & who is simply harvesting passwords.
With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.
my sig's at the bottom of the page.
I'd wager he can spell it and is just using the wrong word.
I'm concerned that it is just another centralized database of information. At least with Passport you don't have to worry about their database being bought by Microsoft.
At Identity Commons we intend to give people full control over their personal profile information, including not only who has access to which parts under what circumstances, but also where which parts of it are stored. If you don't trust any of the "banks" you can store it under your virtual mattress (if that's where you keep your server, though it might get kinda hot under there).
The free and open source code base is built upon two new OASIS XML standards, Extensible Resource Identifiers (XRI) which add (among other things) persistence and cross references to URIs, and the XRI Data Interchange (XDI) spec which enables a "dataweb", much like URIs enable a "document web". The coolest part of XDI is the concept of Link Contracts, that enable fine-grained access control over profile data while simultaneously recording the details that both parties agree to (and electronically sign) before any data exchange takes place.
While we're still a month (or more) from announcing, we have enjoyed some good initial exposure.
BTW: we're looking for people to play with the (pre-alpha) software (it's on SourceForge and there are even some CPAN modules) and help us bring it to the next level.
The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
For a second I thought this about someone's IUD. I know that this is slashdot and that anything goes, but that is just too personal if you ask me.
Every website could have a root server for its zone, registering new users' LDAP root server for authentication. They could also be third-party LDAP server providers: ISPs could be part of it, because they have got the login/pass associated with your connection, and they are already running LDAP servers.
I have just signed up, and my welcome message reads:
"MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck."
Why wouldn't google come up with its own 'passport' service?
This is my sig. There are thousands more, but this one is mine.
Why is the parent post modded -1?
It's true - individuals have reported receiving up to 6 invitations (Source: www.wired.com/news/infostructure/0,1377,63786,00.html?tw=wn_12culthead).
At least one of the people I invited did not open a Gmail account (the invitation was either forwarded or declined).
I have two unused invitations (I won't use them 'cause I don't know a deserving individual to give it to) and I've invited 4 people so far.
If we assume there's about 1m active accounts (say 3-4 racks of mail servers), there's probably been at least 10m invitations given away.
Surely you sign on to their secure server and it generates a token which can authenticate you to the third party site...
Isn't that about the only sane way to do this?
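The token flow sketched in the comment above, written out as an added example; this is not MyUID's API (which the thread says is undocumented) but a generic pattern. The identity server issues a short-lived HMAC-signed token that names one relying site; the relying site verifies the signature before reading anything in the body, then checks audience, validity window and a nonce it has not consumed before. Site names, keys, field names and function names are this example's own assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Per-site HMAC keys. The identity server holds all of them; each relying
# site holds only its own. These are placeholder values constructed for
# the example, not real deployment material.
SITE_KEYS = {
    "shop.example": hashlib.sha256(b"placeholder key for shop.example").digest(),
    "forum.example": hashlib.sha256(b"placeholder key for forum.example").digest(),
}

TOKEN_TTL = 300  # seconds a token stays usable


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(uid: str, audience: str, now: Optional[int] = None) -> str:
    """Identity-server side: mint a token that only `audience` can accept.

    The audience sits inside the signed body, so a token minted for
    shop.example fails at forum.example even if both somehow shared a key."""
    key = SITE_KEYS[audience]  # KeyError for a site that was never registered
    now = int(time.time()) if now is None else now
    payload = {
        "uid": uid,
        "aud": audience,
        "iat": now,
        "exp": now + TOKEN_TTL,
        "nonce": b64url_encode(secrets.token_bytes(8)),  # lets the site refuse replays
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(key, body, hashlib.sha256).digest()
    return b64url_encode(body) + "." + b64url_encode(sig)


def verify_token(token: str, my_site: str, key: bytes,
                 seen_nonces: Optional[Set[str]] = None,
                 now: Optional[int] = None) -> Optional[str]:
    """Relying-site side: return the uid on success, None on any failure.

    Order matters: the signature is checked before any field is trusted."""
    try:
        b64body, b64sig = token.split(".", 1)
        body, sig = b64url_decode(b64body), b64url_decode(b64sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or payload.get("aud") != my_site:
        return None
    iat, exp = payload.get("iat"), payload.get("exp")
    now = int(time.time()) if now is None else now
    if not (isinstance(iat, int) and isinstance(exp, int) and iat <= now < exp):
        return None
    if seen_nonces is not None:
        nonce = payload.get("nonce")
        if nonce in seen_nonces:
            return None  # this exact token was already consumed once
        seen_nonces.add(nonce)
    return payload.get("uid")


if __name__ == "__main__":
    t = issue_token("jdoe2004", "shop.example")
    print(verify_token(t, "shop.example", SITE_KEYS["shop.example"]))    # jdoe2004
    print(verify_token(t, "forum.example", SITE_KEYS["forum.example"]))  # None
```

Binding the token to one audience is what makes the "random site harvesting logins" worry raised elsewhere in the thread smaller: a token captured by forum.example is worthless at shop.example. It does nothing against a fake login page that collects the master password itself; that part can only be addressed by the user never typing the password anywhere but the identity server.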
Good for spamming: http://www.myuid.com/api/usercard.php?uid=1
Where's the security?
Markus Diersbock
Well, let's say:
Letting anyone view those data is a bit careless.
There should be at least a login for each API user and maybe a quality check for sites using it.
This seems to be written without any thought about the spamming/data stealing problem.
http://www.myuid.com/api/usercard.php?uid=11
Thank you. Please spellcheck your genitalia references though.
Why not use Jabber Tickets? I already have an account with a Jabber server, and this way the site can automatically tell me if my friends are also using the site, or even notify me that they are using it, so I can spark up a conversation about some topic on the page I know they are at.
Question
http://www.ironfroggy.com/
I'm not saying having this system wouldn't be simple. Consider though that your social security number is protected by the world's most powerful government with databases backed by thousands of staff whose sole job it is to ensure your number isn't stolen, yet even after all that identity theft still happens.
...and that's only one more angle. The simplicity of auto-filling a couple form fields or keeping a common username/password can't compare with the overwhelming reality that if you or the account server is hacked you're toast. Nobody can offer similar protection to the US government and as such nobody could provide a service similar to SSN.
Now note that the providers of this or any comparable software simply cannot have that kind of backing, no fraud protection exists, and no working method of recovering your identity exists in the event your account is stolen.
-Matt
The article has a link to the goatsex guy... Hey editors, are you awake today????
The mastergoon link contains a picture of goat.cx!
-- Contradictions only exist in thought - not in reality.
Currently, the remote site is not in a good state of affairs. Someone has decided that html injection is the way to go, and well, it has become a porn site. I would recommend not going to it for a day till they can get that stuff removed from the database.
The open source community is just completely and totally incapable of coming up with good names for things?
I mean.. "MyUID"? "GNU"? "OGG VORBIS"??? How do you even pronounce this stuff??
Real nice (if you need email addresses):
http://www.myuid.com/api/usercard.php?uid=13
http://www.myuid.com/api/usercard.php?uid=16
http://www.myuid.com/api/usercard.php?uid=18
http://www.myuid.com/api/usercard.php?uid=21
http://www.myuid.com/api/usercard.php?uid=29
http://www.myuid.com/api/usercard.php?uid=32
http://www.myuid.com/api/usercard.php?uid=12
etc
Ok, I'm not that smart. But I just don't get it. I really really don't. Can someone explain this in words for dumb people. Because it doesn't make any sense at all.
And when Microsoft buys them out, we're back to square one?
.sig: Open Source, Open Mind
ATTENTION GOOD SIR,
AS I have writing this a big surprise to you because previously we have not been in communication. I was previously a solicitor for LATE RALPH ASHTON, an engineer for Nigeria Electric and Gas.LATE RALP ASHTON, his wife and daughter were killed while driving in a storm on the 27th of June, 1999. Having exhausted all other avenues, I have turned to you for help. LATE RALPH ASHTON had in Western bank of NIGERIA a bank account in amount of $35 MILLION US exactly. . . . . . .
Cost of a hosting Site:
:)
Test Site: http://www.mastergoon.com/contact.php
Free Software:
Test Site's forum: http://www.mastergoon.com/forum/index.php
Priceless:
Obviously Elderly Gentleman on Test Site Forum: http://www.mastergoon.com/~connor/
they tried to make an interesting rest framework for a particular means. this is kind of useful.
;) (rest frameworks private objects would be truly invisible to the rest of the world, but everything else could be built on).
what we really need is a rest framework designed from the ground up to be a polymorphic OO system. bring some re-conception and re-meaning to public private and protected classes.
then use an implementation of that framework to build some data store for users.
we need a REST competitor to the Common Intermediate Language.
You heard it here first.
Myren
Can you imagine a cluster of these ?
Still ?
Seriously, this slashjoke is getting annoying.
Search for MyUID project returns no useful results in google for www.myuid.com.
fifteen jugglers, five believers
I began reading the book three days ago, and am up to page 78. It's a thought provoking book. I value my freedom highly. I will examine these issues.
Q: Can penguins fly?
A: No.
It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).
MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?
---- scrm
What's the fuss? I can put up a similar system in half a day, and it will probably be more secure than this one.
Sure, if I want to be spammed and have my personal info out in the open, I'd go sign up on this site. And the three gmail accounts screams "lameness alert".
Forgive me, but I trust MS Passport infinitely more than this site.
Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing. It seems to be some kind of conspiracy by marketing people to force us all to use baby-talk to do anything with a computer.
Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.
I can't even begin to understand what "MySQL" is supposed to mean.
It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.
OMFG ROFLMAO
Centralized authentication server for internet = Good
???????????
Open Source Java DAO Generator
I'm not going to touch that.
Marxist evolution is just N generations away!
Either way, he shouldn't be trying to start up a company that will compete against Microsoft until he's graduated high school...
The only reason that I created a slashdot account was that I saw /. credentials being used for a similar service. This was back in the days when people around here had ambition.
Well it's a good thing they're asking for security issues now rather than later, as the very first form field I found had a cross-site-scripting hole in. eg.
http://www.myuid.com/activate.php?email=fdgdfs%3Cscript%3Ewindow.alert%28document.cookie%29%3B%3C%2Fscript%3E&code=boo
Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.
Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
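Why magic quotes does nothing for the hole reported above, as an added example in Python rather than the site's PHP (this is not MyUID code). addslashes(), which is all magic_quotes_gpc applies to request input, puts a backslash before quote characters and backslashes. The posted payload contains none of those, so it passes through untouched; a payload that does carry a quote still breaks out of an attribute, because HTML does not treat a backslash as an escape. The fix is to encode for the output context at the point of output. The URL is the one quoted in the comment; the page templates, the second payload and the tag-counting check are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# The URL posted in the comment above, payload still URL-encoded.
PAYLOAD_URL = ("http://www.myuid.com/activate.php?email=fdgdfs%3Cscript%3E"
               "window.alert%28document.cookie%29%3B%3C%2Fscript%3E&code=boo")


def params_from_url(url: str) -> dict:
    """Roughly what $_GET holds for this request, before any magic quotes."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


def addslashes(value: str) -> str:
    """Emulates PHP's magic_quotes_gpc / addslashes(): a backslash before
    single quote, double quote, backslash and NUL. Nothing else changes,
    so '<', '>' and '(' go through as they are."""
    return "".join(("\\" + ch) if ch in "'\"\\\x00" else ch for ch in value)


def render_text_unsafe(email: str) -> str:
    """Echoes the parameter into HTML text unencoded (the bug class in the comment).
    Template constructed for the example."""
    return f"<p>We sent an activation code to {email}.</p>"


def render_text_safe(email: str) -> str:
    """Same template, input encoded for the HTML text context at output time."""
    return f"<p>We sent an activation code to {html.escape(email, quote=True)}.</p>"


def render_attr_unsafe(email: str) -> str:
    """A second common sink: the value echoed into a quoted attribute."""
    return f'<input name="email" value="{email}">'


def render_attr_safe(email: str) -> str:
    return f'<input name="email" value="{html.escape(email, quote=True)}">'


class _TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(page: str) -> list:
    """Start tags a browser-like parser sees. Any tag beyond the ones the
    template itself wrote means the input escaped its context."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    email = params_from_url(PAYLOAD_URL)["email"]
    print(tags_in(render_text_unsafe(addslashes(email))))  # ['p', 'script']
    print(tags_in(render_text_safe(email)))                # ['p']
```

Escaping for one context (backslashes for a quoted SQL string) never protects another (HTML); the only thing that works is encoding for the context the data is actually written into, and doing it where the write happens rather than where the input arrives.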
Part of the point behind Project Liberty, and one of the reasons that Passport hasn't worked, is that people aren't necessarily comfortable with the idea of a 'centralised' authentication system for the whole of the planet.
Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.
Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:
1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or
2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.
They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.
Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.
-- A mind is a terrible thing.
How long before this guy gets a patriot subpoena and is forced to let the powers-that-be take a sneak peek at all your info.
It would be like the president hitting you over the head with a golf club and stealing all your info.
You know, that guy Bush' three wood.
I strongly believe that we need to reduce the number of accounts per person - our attempt at that is Mindlocked which we hope to develop further - especially in terms of distributed/replicated databases etc...
Anyone interested in joining this project (that will be released under GPL soon...) - let us know!
That's my 2 cents worth of marketing =)
The NSA designed SHA. We don't know if they've got a backdoor in it and we'll have to trust them on that. But there are good reasons why everyone should be signing with a genuinely secure hash. So perhaps we can trust them.
Microsoft's passport is free to join. They make money by charging the sites who want to use passport as authentication. They use it themselves internally and it's made microsoft.com a much friendlier place. They've got the muscle and presence to make this work. Maybe they'll start abusing the data but as soon as they do they'll scare people away and cut off their own revenue stream. So perhaps we can trust them.
So why should we pay you, and why should we trust you?
I don't mind that the registration requires cookies, but they should explicitly state that, especially if you try to submit a registration and the cookie is not present. Instead, they say something about the verification code not matching, and "Are you a robot?". Very unhelpful.
Interestingly, it does say in the ToS:
MyUID will not give or sell your private account information or your password to anyone,
which seems a lie. But it goes on!
MyUID will supply any information we have about you to law enforcement officials if necessary.
They'll rat on you even if not required by law. Yay!
In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.
The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.
Registered user #1 is mastergoon, so this is just blatant self-advertising on slashdot.
'For we walk by faith, not by sight.' II Corinthians 5:7
Maybe it would be better to standardize on cryptographic keys and enhance browsers so as to automatically encrypt all connections to the chosen site. It acknowledges your identity, you can have different keys for different sites and you can have a single password for the store of crypto keys.
It's not that I distrust them or anything, it's just that I couldn't find any information on who these people are and why they're making MyUID.
Since this is Slashdot I can only assume that these guys are on the "good" side, but a few answers to "why?" and "who?" in their FAQ wouldn't hurt.
Errmm... doesn't that imply a payment scheme?
Why not just implement an open source KEYCHAIN like the Mac OS X has, but store the keychain data in XML in any remote/file location you like, so it's never centralized, but just as useful. You could store it in myisp.com/users/bob/keychain.xml and config a way to update it via ftp/ssh etc... so when you're NOT AT HOME, you config your keychain app to use that stored value.
Is this something that is damn obviously needed in Mozilla? C'mon guys, 100-200hrs work, get with it, or I will. Maybe a mozzie extension perhaps.
MozKeyChain here we come. That's the biggest crap thing about mozilla, it remembers lots of things, but there should have been an automatic way to store it in some public/private online area. How hard would this be to do? 2-5hrs, store mozzie info on remote location ftp://user:pass@host/file , just store that info locally/encrypted though.
If you fire up a new install of mozzie , just enter that again and all settings/bookmarks crap can be downloaded again.
Hell, even store it in hotmail as a specified email in a specified folder and to update it by just emailing yourself in code, and remove the old one via http requests too.
This would be easy to implement, as reading hotmail content/sending to hotmail can be implemented via http requests (unless MS changes lots of crap on you).
So screw this global ID business, and just use Mozilla's remembered usernames/passwords feature but store it in user definable areas, bingo everyone's obsolete and this would be the norm, just make a decent interface without 30 clicks and you're done.
Liberty freedom are no1, not dicks in suits.
...one of the reasons: stupidly high license fees from msn/microsoft.
Ebay is the only big-name site (apart from hotmail of course) that I can recall as using it.
I am NaN
this is just another project that will only attract blog webmasters.
businesses will not have one of their most important assets (Customer info) scattered around the web, god knows where!
maybe they should try to develop something really useful like another GUI for linux.
I think the web could use something like this. Some kind of generic logon that's free, or very cheap anyway, and which is used for general low security sites such as message boards so you don't have to log on to each one. I'm not sure this is the right one though. It seems a bit vague and needs to be a lot more open about policies and security considerations.
Sig is taking a break!
Well, they actually do... But Project Liberty is about specification, not implementation. Look at sourceId if you'd like some starting point for an implementation.
But still, The liberty alliance takes quite a different point of view. Passport and My-Whatever- talk about having a centralized server that would keep your personal data (and spread them around when needed).
The Liberty Project is about federating logins
- You create a local account on some server.
- You create a local account on a "centralized" server
- You federate them.
Now you are able to login in the local server AND the central server, just using your central server login.
And you can have multiple servers using this central server. You can actually have multiple central servers talking to each other also. And you can even federate your account with many "central servers" (it's all related to how the servers are bound).
The personal data transfer is not the main goal of this project, but is possible and specified (it's SOAP+XML Security related).
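The three federation steps in the comment above, as an added example that is neither Liberty Alliance nor MyUID code: a central identity provider authenticates the user and asserts a per-site pseudonym, and each local site links that pseudonym to an existing local account only after the user has also logged in locally. The pairwise pseudonym (an HMAC over user and site under a key the IdP keeps to itself) is this example's way of giving each site a stable handle without a global identifier the sites could correlate. The SOAP/XML transport and the signing of the assertion are assumed and not shown; the class and method names are the example's own.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple


class PasswordStore:
    """Salted PBKDF2 password verification, shared by both kinds of server.
    The iteration count is kept modest so the example runs quickly."""
    ITERATIONS = 50_000

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    @classmethod
    def _digest(cls, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, cls.ITERATIONS)

    def add(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, self._digest(password, salt))

    def check(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            self._digest(password, b"\x00" * 16)  # unknown user costs the same as a wrong password
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))


class IdentityProvider:
    """The 'central' server. It authenticates its own users but never releases
    a global identifier: each relying site gets a pseudonym that is stable for
    that site and meaningless anywhere else."""

    def __init__(self) -> None:
        self.passwords = PasswordStore()
        self._pseudonym_key = secrets.token_bytes(32)  # never leaves the IdP

    def register(self, username: str, password: str) -> None:
        self.passwords.add(username, password)

    def pseudonym_for(self, username: str, sp_id: str) -> str:
        message = username.encode() + b"\x00" + sp_id.encode()
        return hmac.new(self._pseudonym_key, message, hashlib.sha256).hexdigest()

    def assert_login(self, username: str, password: str, sp_id: str) -> Optional[str]:
        """What the IdP would place in a signed assertion to site sp_id.
        Transport and signing of that assertion are out of scope here."""
        if not self.passwords.check(username, password):
            return None
        return self.pseudonym_for(username, sp_id)


class ServiceProvider:
    """A local site with its own accounts. Federation is nothing more than a
    mapping from an IdP pseudonym to a local account, created only after the
    user has proven control of both."""

    def __init__(self, sp_id: str) -> None:
        self.sp_id = sp_id
        self.passwords = PasswordStore()
        self._federated: Dict[str, str] = {}

    def register_local(self, username: str, password: str) -> None:
        self.passwords.add(username, password)

    def federate(self, local_username: str, local_password: str, pseudonym: str) -> bool:
        """Step 3 of the comment: link an existing local account to the pseudonym
        the IdP just asserted for this site. Requires the local login to succeed."""
        if not self.passwords.check(local_username, local_password):
            return False
        self._federated[pseudonym] = local_username
        return True

    def login_via_idp(self, pseudonym: str) -> Optional[str]:
        """After federation: the asserted pseudonym alone logs the user in locally."""
        return self._federated.get(pseudonym)
```

Because the pseudonym is keyed per site, two federated sites comparing their user tables learn nothing about which of their accounts belong to the same person, and a pseudonym leaked from one site cannot be presented to another.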
Yech. My IUD is fully deployed and my doors will never be open to public testing.
Anyone think (like I did) that if this thing could work out, to everyone's satisfaction, that we might finally unify logins for nukes/other cmses? (I so happen to be looking for a way to have the same userbase for a forum(IPB), a phpnuke, a gallery(coppermine) and a few other items on my personal sites, yet I don't dare develop something, since I'd have to retest all the components the minute one of them updates...)
Here is an openflash movie about a penguin flying:
http://telejano.berlios.de/option/colinux1.swf
Ok?...
-Woof woof woof!
I see many comments about MS Passport not having succeeded and how that means MyUID or other similar systems are doomed.
Assuming the criteria for "success" is being used on many websites, three possible reasons why Passport didn't succeed (outside of MSN) that I can think of:
I can't speak for MyUID, but systems like TypeKey take a different approach:
Then there is the general question of central databases and security. Personally, I wouldn't mind having a unique ID for many sites with rather low security requirements like Slashdot, Kuro5hin, Freshmeat, etc. (until we come up with a good distributed/federated authentication infrastructure). At the same time, multiplying these authentication services really only lowers their value.
You still end up having one account for each website. Tell me how the browser helps you the day that you decide to change your password?
In comparison with keeping the same password forever, maybe a centralized authentication server isn't such an insecure solution after all...
I hope *that's* out of Beta! Wouldn't want any accidents!
Best Buy can have you arrested
There's little info on the web site, so if anyone knows what this 'protocol' really is, I'd love to know how this proposal is any better than what's already available? For example, all Drupal web sites (www.drupal.org) support a shared login scheme, so if you have a 'drupal distributed authentication' you can log into any drupal site (that chooses to support drupal login) with one signon. Even better, once you've created an account on any drupal site, that site can serve as your authentication to any other site, so you can choose who you want to trust. So if I log in as 'joe@remote.delphiforums.com' and my Delphi Forums password, the drupal site will check with Delphi Forums to validate the password, then create the account and log me in. This capability has been in Drupal for _years_.
http://drupal.org/node/view/312#6790
There's also SharedID.
Enable 3D printed prosthetics!
we just use condoms. IUDs are so complicated.
I also misread the title of this discussion and was momentarily confused. Especially since I just had my annual gyn exam.
Subj: MyUID.com Security & Privacy Warning...
It appears you created an account at www.MyUID.com.
I just wanted to warn you that this site has security problems that expose account and user information to anyone who knows how to look for it. You might want to consider removing your email and other contact information which could be used by Spammers or other evil-doers.
Please consider using a Microsoft PASSPORT account instead.
While PASSPORT security also sucks, at least you will help my efforts at global domination...
Sincerely,
William (Bill) Gates
http://www.billgates.org
bill@billgates.org
I don't leave a copy of my creditcard at the mall so stores can ask the mall for access to it. No, I keep it with me, and will show it to selected stores when *they* ask *me*.
The first project I'll seriously look into trying to tackle this problem will be a project that has code to download for me to run: either a web service I can run or an XMPP service (presence subscription could probably be extended to data ACLs).. whatever.
Any project that requires me to store information on a remote server will be ignored. Obviously most users will actually use the passportd of their company or ISP, but the freedom to run your own - just like httpd/sshd/smtpd/jabberd - that's really a REQUIREMENT.
Instead of pushing my data to centralized databases, I want an interface where third parties can pull it directly from me.
Liberty Alliance is working closely with the Shibboleth project (part of Internet2's Middleware Initiative) which is similar but doesn't even have a centralized server with account info. It is purely a federation, and the central "wayfarer" server just helps point the user's browser to the right local authentication servers, and the user can use that along with browser redirection magic to do single sign on to web servers in the federation. It also is designed to be able to preserve pseudonymity ("the user is authorized to access these journal articles because they are a member of the Ohio State university community").
--Neal
Go IETF!