Slashdot Mirror
'Open MS Passport': MyUID Goes Beta
mastergoon writes "MyUID, which has been refered to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."
Maybe one day this could be almost as successful as MS Passport.
Am I dead yet?
It has no reverse DNS, which will mean some people won't allow it to send them mail.
Frequently Asked Questions (FAQ)
Q: When will the first API be done?
A: The alpha is out, check the download page.
Q: Can penguins fly?
A: No.
They have the most useless FAQ in recorded history...
The API is also decidedly undocumented.
Please come back when there's actually something to show us...
From the TOS:
MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.
All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.
--------------
The problems with sites like this is you don't know behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even to themselves) they're not going to see my business.
It seems like this project is only implemented on one site called mastergoon.com, and the /. post comes from a user named "mastergoon". Hmm...
Seems like a one-person project. Very easy to declare standards without all those annoying other people!
Where people can login and try out their ID to make sure it works. Notice it's a different domain than the main myuid.com site?
I thought the whole problem with a centralized user system was exactly that it was a centralized user system. Doesn't matter who runs the ID server or how little information is stored on there; as soon as a centralized system exists it's the biggest, baddest target for attack out there with the highest consequences if it's broken into.
Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?
-Matt
--- Need web hosting?
From their website
MyUID is giving out three Gmail invitations to it's users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.
Weren't they supposed to do something similar? Sure seems to be taking them a long time.
From my initial glance I really fail to see how this is really any better or different from MS Passport, even once it's ready for release. At least MS have the clout to have Passport used on more than just their own site, which is where the value really is. I'm also not to sure about the idea of a public Alpha test of this sort of technology. Seems a bit too early in the development cycle for it to be worthwhile. Getting the site slashdotted really only resuls in load testing, and they don't seem even close to that! And lets not forget the dumb name... how many [G|U|etc|UIDs do we need?
Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
This is a story because they have proof of concept and a basic framework. This gives them attention; right now they need people to flesh out and test the system. A story on Slashdot is a great way to attract attention.
Now whether this project is ultimately useful is debatable.
</sarcasm>
So, if I am reading the code right, it has basically no security whatsoever at this point. Wouldn't you want that in an alpha release?
You say you want a revolution....
Kudos to whoever made this, I know you must have put your heart into this. I don't mean this comment as an insult to you or your idea. But really is there a need for this? I like the idea of simplifying the web for people but Passport exists (and failed) and I believe there's a competing group with Sun in it called the Liberty Alliance that has a non-centralized model which I think sounds much safer. A centralized database has too many problems related to it to be useful.
Why would I encourage users to aggregate all their personal data with some unknown startup?
The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.
If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.
And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.
Assumedly at this point the dog hasn't learned how to run script kiddie php exploits, otherwise your statement is correct.
It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there meaning one lucky strike could potentially compromise every user on the system.
ouch.
-Matt
--- Need web hosting?
Think of the spam potential with this... I don't see why Gator hasn't tried this.
--
The problem with a system like this is that no matter how secure the underlying mechanism is, by making it so that any random site could possibly be using it for authentication, you have no idea who is legit & who is simply harvesting passwords.
With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.
my sig's at the bottom of the page.
I'm concerned that it is just another centralized database of information. At least with Passport you don't have to worry about their database being bought by Microsoft.
At Identity Commons we intend to give people full control over their personal profile information, including not only who has access to which parts under what circumstances, but also where which parts of it are stored. If you don't trust any of the "banks" you can store it under your virtual mattress (if that's where you keep your server, though it might get kinda hot under there).
The free and open source code base is built upon two new OASIS XML standards, Extensible Resource Identifiers (XRI) which add (among other things) persistence and cross references to URIs, and the XRI Data Interchange (XDI) spec which enables a "dataweb", much like URIs enable a "document web". The coolest part of XDI is the concept of Link Contracts, that enable fine-grained access control over profile data while simultaneously recording the details that both parties agree to (and electronically sign) before any data exchange takes place.
While we're still a month (or more) from announcing, we have enjoyed some good initial exposure.
BTW: we're looking for people to play with the (pre-alpha) software (it's on SourceForge and there are even some CPAN modules) and help us bring it to the next level.
The antidote for misuse of freedom of speech is more freedom of speech.
-- Molly Ivins
For a second I thought this about someone's IUD. I know that this is slashdot and that anything goes, but that is just too personal if you ask me.
Every website could have a root server for it's zone, registering new users' LDAP root server for authentification. They could also be third party LDAP server provider: ISP could be part of it, because they have go the login/pass associated to your connection, and they are already running LDAP servers.
I have just signed up, and my welcome message reads:
"MyUID is giving out three Gmail invitations to it's users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck."
Why wouldnt google come up with its own 'passport' service?
This is my sig. There are thousands more, but this one is mine.
Why is the parent post modded -1?
It's true - individuals have reported receiving up to 6 invitations (Source:
www.wired.com/news/infostructure/ 0,1377,63786,00.html?tw=wn_12culthead
).
At least one of people I invited did not open a Gmail account (the invitation was either forwarded or declined).
I have two unused invitations (I won't use them 'cause I don't know a deserving individual to give it to) and I've invited 4 people so far.
If we assume there's about 1m active accounts (say 3-4 racks of mail servers), there's probably been at least 10m invitations given away.)
Surely you sign on to their secure server and it generates a token which can authenticate you to the third party site...
Isn't that about the only sane way to do this?
Good for spamming: http://www.myuid.com/api/usercard.php?uid=1
Where's the security?
Markus Diersbock
Why not use Jabber Tickets? I already have an account with a Jabber server, and this way the site can automatically tell me if my friends are also using the site, or even notify me that they are using it, so I can spark up a conversation about some topic on the page I know they are at.
Question
http://www.ironfroggy.com/
I'm not saying having this system wouldn't be simple. Consider though that your social security number is protected by the world's most powerful government with databases backed by thousands of staff whose sole job it is to ensure your number isn't stolen, yet even after all that identity theft still happens.
...and that's only one more angle. The simplicity of auto-filling a couple form fields or keeping a common username/password can't compare with the overwhelming reality that if you or the account server is hacked you're toast. Nobody can offer similar protection to the US government and as such nobody could provide a service similar to SSN.
Now note that the providers of this or any comparable software simply cannot have that kind of backing, no fraud protection exists, and no working method of recovering your identity exists in the event your account is stolen.
-Matt
--- Need web hosting?
The mastergoon link contains a picture of goat.cx!
-- Contradictions only exist in thought - not in reality.
Currently, the remote site is not in a good state of affairs. Someone has decided that html injection is the way to go, and well it has become a porn site. I would recommend not going to it for a day till tehy can get that stuff removed from teh database.
Real nice (if you need email addresses):
t tp://www.myuid.com/api/usercard.php?uid=13/ /www.myuid.com/api/usercard.php?uid=16w .myuid.com/api/usercard.php?uid=18u id.com/api/usercard.php?uid=21c om/api/usercard.php?uid=29a pi/usercard.php?uid=32
http://www.myuid.com/api/usercard.php?uid=12
h
http:
http://ww
http://www.my
http://www.myuid.
http://www.myuid.com/
etc
I begin reading the book three days ago, and am up to page 78. It's a thought provoking book. I value my freedom highly. I will examine these issues.
Q: Can penguins fly?
A: No.
It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).
MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?
---- scrm
Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing. It seems to be some kind of conspiracy by marketing people to force us all to use baby-talk to do anything with a computer.
Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.
I can't even begin to understand what "MySQL" is supposed to mean.
It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.
Centralized authentication server for internet = Good
???????????
Open Source Java DAO Generator
Well it's a good thing they're asking for security issues now rather than later, as the very first form field I found had a cross-site-scripting hole in. eg.
s cript%3Ewindow.alert%28document.cookie%29%3B%3C%2F script%3E&code=boo
http://www.myuid.com/activate.php?email=fdgdfs%3C
Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.
Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
Part of the point behind Project Liberty, and one of the reasons that Passport hasn't worked, is that people aren't necessarily comfortable with the idea of a 'centralised' authentication system for the whole of the planet.
Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.
Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:
1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or
2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.
They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.
Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.
-- A mind is a terrible thing.
I strongly believe that we need to reduce the number of accounts per person - our attempt at that is Mindlocked which we hope to develop further - especially in terms of distributed/replicated databases etc...
Anyone interested in joining this project (that will be released under GPL soon...) - let us know!
That's my 2 cents worth of marketing =)
I don't mind that the reigstration requires cookies, but they should explicitly state that, especically if you try to submit a registration and the cookie is not present. Instead, they say something about the verification code not matching, and "Are you a robot?". Very unhelpful.
Interestingly, it does say in the ToS:
MyUID will not give or sell your private account information or your password to anyone,
which seems a lie. But it goes on!
MyUID will supply any information we have about you to law enforcement officials if neccessary.
They'll rat on you even if not required by law. Yay!
In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.
The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.
Registered user #1 is mastergoon, so this is just blatent self-advertising on slashdot.
'For we walk by faith, not by sight.' II Corinthians 5:7
Maybe it would be better to standarize on cryptographic keys and enhance browser so as to automatically encrypt all connections to the chosen site. It acknowledges your identity, you can have different keys for different sites and you can have single password for store of crypto keys.
It's not that I distrust them or anything, it's just that I couldn't find any information on who these people are and why they're making MyUID.
Since this is Slashdot I can only assume that these guys are on the "good" side, but a few answers to "why?" and "who?" in their FAQ wouldn't hurt.
I think the web could use something like this. Some kind of generic logon that's free, or very cheap anyway, and which is used for general low security sites such as message boards so you don't have to log on to each one. I'm not sure this is the right one though. It seems a bit vague and needs to be a lot more open about policies and security considerations.
Sig is taking a break!
Well, they actually do... But project Liberty is about specification, not implementation. Look at sourceId if you'd like some starting point for an implementation. :
But still, The liberty alliance takes quite a different point of view. Passport and My-Whatever- talk about having a centralized server that would keep your personal data (and spread them around when needed).
The Liberty Project is about federating logins
- You create a local account on some server.
- You create a local account on a "centralized" server
- You federate them.
Now you are able to login in the local server AND the central server, just using your central server login.
And you can have multiple server using this central server. You can actually have multiple central server talking to each other also. And you can even federate our account with many "central server" (it's all related to how the server are bound)
The personal data transfer is not the main goal of this project, but is possible and specified (it's SOAP+XML Security related).
I don't leave a copy of my creditcard at the mall so stores can ask the mall for access to it. No, I keep it with me, and will show it to selected stores when *they* ask *me*.
The first project I'll seriously look into trying to tackle this problem will be a project that has code to download for me to run: either a web service I can run or an XMPP services (presence subscribtion could probably be extended to data ACLs).. whatever.
Any project that requires me to store information on a remote server will be ignored. Obviously most users will actually use the passportd of their company or ISP, but the freedom to run your own - just like httpd/sshd/smtpd/jabberd - that's really a REQUIREMENT.
Instead of pushing my data to centralized databases, I want an interface where third parties can pull it directly from me.