Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Open MS Passport': MyUID Goes Beta

Posted by timothy on from the free-alternatives dept.

mastergoon writes "MyUID, which has been refered to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."

40 of 208 comments (clear)

  1. Wow. by Arial+Sharon,+10pt. · · Score: 5, Funny

    Maybe one day this could be almost as successful as MS Passport.

    --
    Am I dead yet?
  2. They need a better email server by Anonymous Coward · · Score: 3, Interesting

    It has no reverse DNS, which will mean some people won't allow it to send them mail.

  3. FAQ (karma whoring) by XanC · · Score: 5, Funny
    Here's the complete FAQ from the website:

    Frequently Asked Questions (FAQ)

    Q: When will the first API be done?
    A: The alpha is out, check the download page.

    Q: Can penguins fly?
    A: No.

  4. Are we sure this is for real? by LostCluster · · Score: 5, Interesting

    They have the most useless FAQ in recorded history...

    The API is also decidedly undocumented.

    Please come back when there's actually something to show us...

    1. Re:Are we sure this is for real? by Anonymous Coward · · Score: 3, Insightful
      They have the most useless FAQ in recorded history...

      Excuse me, but FAQ stands for "Frequently Asked Questions". Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?

    2. Re:Are we sure this is for real? by NanoGator · · Score: 4, Insightful

      "Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?"

      Nobody's asking "what is it?"

      --
      "Derp de derp."
    3. Re:Are we sure this is for real? by turg · · Score: 3, Informative

      It says "open" not "open source." It's open in the sense that any web site can use myuid to autheticate users, as opposed to MS Passport which requires a hefty contract with MS.

      --
      <sig>Guvf vf abg n frperg zrffntr
  5. Problems by pirodude · · Score: 4, Insightful

    From the TOS:

    MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.

    All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.

    --------------

    The problems with sites like this is you don't know behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even to themselves) they're not going to see my business.

  6. Flying solo? by LostCluster · · Score: 5, Informative

    It seems like this project is only implemented on one site called mastergoon.com, and the /. post comes from a user named "mastergoon". Hmm...

    Seems like a one-person project. Very easy to declare standards without all those annoying other people!

    1. Re:Flying solo? by mrpuffypants · · Score: 4, Funny

      Bah! This guys actually beat out a user named "Bill6969" that announced his new service called 'Passport'

      He really didn't seem to care about standards, either, so he created his own standards ;)

    2. Re:Flying solo? by SpootFinallyRegister · · Score: 5, Insightful

      Declare standards? Looks a little more like a piece of software written without a specification, much less a plan. At this point, after going through the website and glancing at code, I have a hard time rating this at anything above the beginning of an idea. Learning by working on things is good. Punching out code that is supposed to be a standard without writing at least something down about it first is a disaster.

  7. Wrong idea? by Wrexs0ul · · Score: 4, Insightful

    I thought the whole problem with a centralized user system was exactly that it was a centralized user system. Doesn't matter who runs the ID server or how little information is stored on there; as soon as a centralized system exists it's the biggest, baddest target for attack out there with the highest consequences if it's broken into.

    Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?

    -Matt

    --
    --- Need web hosting?
    1. Re:Wrong idea? by LostCluster · · Score: 4, Insightful

      Furthermore, having a common UserID opens the door for sites that have fragments of your personal info to merge the pieces together to get a more complete picture.

    2. Re:Wrong idea? by mandalayx · · Score: 4, Insightful

      you're right, there are problems. and you have only hit on a few of them.

      but realize that there is value for some folks in having a "universal" id system. why do you think that your SSN in the US is used so widely?

      again, there are many problems, but there exist benefits too.

  8. get a free gmail account by signing this by vivek7006 · · Score: 4, Informative

    From their website

    MyUID is giving out three Gmail invitations to it's users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.

  9. Whatever happened to Liberty Alliance by Anonymous Coward · · Score: 5, Informative

    Weren't they supposed to do something similar? Sure seems to be taking them a long time.

  10. Different from MS Passport? by Endareth · · Score: 3, Insightful

    From my initial glance I really fail to see how this is really any better or different from MS Passport, even once it's ready for release. At least MS have the clout to have Passport used on more than just their own site, which is where the value really is. I'm also not to sure about the idea of a public Alpha test of this sort of technology. Seems a bit too early in the development cycle for it to be worthwhile. Getting the site slashdotted really only resuls in load testing, and they don't seem even close to that! And lets not forget the dumb name... how many [G|U|etc|UIDs do we need?

    --
    Disclaimer: The above comment was made while under the influence of too much coding and not enough sleep.
    1. Re:Different from MS Passport? by blowdart · · Score: 5, Informative

      Lets add to this the fact that the "story" for this reads like a press release, and one that lies at that.

      "Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site"

      So you can't use Passport on your own site? What utter bollocks. Oh look, there's the passport SDK.

      But I can't run it on Linux you cry? Really? Step back a version, version 2.1 has code for Apache/CGI in it (Or did last time I looked). Admittedly the documentation for it is sparse to say the least.

      Finally lets look at the story submitted. mastergoon. OK, lets look at who owns myuid.com,

      Registrar: DOTSTER
      Domain Name: MYUID.COM
      Created on: 28-APR-04
      Expires on: 29-APR-05
      Last Updated on: 28-APR-04
      Administrative Technical Contact:
      O'Shea Kevin kevin@mastergoon.com

      Oh look, it's another shill story. Someone sumbitting a story about his service without admitting it.

      When did slashdot become a press release site?

  11. I think that some people are missing the point by bersl2 · · Score: 3, Insightful

    This is a story because they have proof of concept and a basic framework. This gives them attention; right now they need people to flesh out and test the system. A story on Slashdot is a great way to attract attention.

    Now whether this project is ultimately useful is debatable.

    1. Re:I think that some people are missing the point by photon317 · · Score: 3, Interesting


      Yeah, but their concept and framework appears to basically suck. They made a simple user database, tagged in some email address verification and a (currently gimped) "Read this image test", and release an API for any other website to authenticate against this database. Welcome to Web Programming 101. If the problem was this easy to fix, it would've been fixed a long time ago.

      There is a (more than one probably) right way to do this, and this isn't even close to being it.

      As a matter of fact, I came up with one while typing this, but I deleted my description of it. Why feed slashdot my design work when I should just jot this down somewhere and go implement it myself :)

      --
      11*43+456^2
  12. Maybe, but... by XanC · · Score: 5, Funny
    He has a gmail account! He must be doing something right.

    </sarcasm>

  13. Security? by Ravenscall · · Score: 5, Insightful

    So, if I am reading the code right, it has basically no security whatsoever at this point. Wouldn't you want that in an alpha release?

    --
    You say you want a revolution....
  14. Usefulness? by wwahammy · · Score: 5, Interesting

    Kudos to whoever made this, I know you must have put your heart into this. I don't mean this comment as an insult to you or your idea. But really is there a need for this? I like the idea of simplifying the web for people but Passport exists (and failed) and I believe there's a competing group with Sun in it called the Liberty Alliance that has a non-centralized model which I think sounds much safer. A centralized database has too many problems related to it to be useful.

  15. Totally backwards by torinth · · Score: 5, Insightful

    Why would I encourage users to aggregate all their personal data with some unknown startup?

    The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.

    If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.

    And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.

  16. No totally by Wrexs0ul · · Score: 4, Insightful

    Assumedly at this point the dog hasn't learned how to run script kiddie php exploits, otherwise your statement is correct.

    It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there meaning one lucky strike could potentially compromise every user on the system.

    ouch.

    -Matt

    --
    --- Need web hosting?
  17. Kinda Scary by novalogic · · Score: 4, Funny

    Think of the spam potential with this... I don't see why Gator hasn't tried this.

    --
    --
  18. The problem... by ameoba · · Score: 3, Insightful

    The problem with a system like this is that no matter how secure the underlying mechanism is, by making it so that any random site could possibly be using it for authentication, you have no idea who is legit & who is simply harvesting passwords.

    With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.

    --
    my sig's at the bottom of the page.
  19. TheirID or an Identity Commons? by Broadcatch · · Score: 5, Interesting

    I'm concerned that it is just another centralized database of information. At least with Passport you don't have to worry about their database being bought by Microsoft.

    At Identity Commons we intend to give people full control over their personal profile information, including not only who has access to which parts under what circumstances, but also where which parts of it are stored. If you don't trust any of the "banks" you can store it under your virtual mattress (if that's where you keep your server, though it might get kinda hot under there).

    The free and open source code base is built upon two new OASIS XML standards, Extensible Resource Identifiers (XRI) which add (among other things) persistence and cross references to URIs, and the XRI Data Interchange (XDI) spec which enables a "dataweb", much like URIs enable a "document web". The coolest part of XDI is the concept of Link Contracts, that enable fine-grained access control over profile data while simultaneously recording the details that both parties agree to (and electronically sign) before any data exchange takes place.

    While we're still a month (or more) from announcing, we have enjoyed some good initial exposure.

    BTW: we're looking for people to play with the (pre-alpha) software (it's on SourceForge and there are even some CPAN modules) and help us bring it to the next level.

    --

    The antidote for misuse of freedom of speech is more freedom of speech.
    -- Molly Ivins

  20. But, LDAP is standard by freeduke · · Score: 5, Insightful
    Ok, here comes a new API for login?? What about LDAP, isn't it secure, reliable and efficient? So Why do people have to reinvent the wheel everytime? It would be far more constructive to think about a way to integrate and interface a huge Internet distributed LDAP structure, and have a clear standard to implement the way it works...

    Every website could have a root server for it's zone, registering new users' LDAP root server for authentification. They could also be third party LDAP server provider: ISP could be part of it, because they have go the login/pass associated to your connection, and they are already running LDAP servers.

  21. Google? by p0 · · Score: 4, Interesting

    I have just signed up, and my welcome message reads:

    "MyUID is giving out three Gmail invitations to it's users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck."

    Why wouldnt google come up with its own 'passport' service?

    --
    This is my sig. There are thousands more, but this one is mine.
  22. I haven't read the API but... by grahamsz · · Score: 3, Informative

    Surely you sign on to their secure server and it generates a token which can authenticate you to the third party site...

    Isn't that about the only sane way to do this?

  23. Good SPAM by Anonymous Coward · · Score: 4, Insightful

    Good for spamming: http://www.myuid.com/api/usercard.php?uid=1

    Where's the security?

    Markus Diersbock

  24. Nice ID/email collect0r by Anonymous Coward · · Score: 3, Informative

    Real nice (if you need email addresses):

    http://www.myuid.com/api/usercard.php?uid=12
    ht tp://www.myuid.com/api/usercard.php?uid=13
    http:/ /www.myuid.com/api/usercard.php?uid=16
    http://www .myuid.com/api/usercard.php?uid=18
    http://www.myu id.com/api/usercard.php?uid=21
    http://www.myuid.c om/api/usercard.php?uid=29
    http://www.myuid.com/a pi/usercard.php?uid=32

    etc

  25. From the FAQ... by scrm · · Score: 3, Insightful

    Q: Can penguins fly?

    A: No.

    It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).

    MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?

    --
    ---- scrm
  26. The "My" prefix by chickenwing · · Score: 4, Insightful

    Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing. It seems to be some kind of conspiracy by marketing people to force us all to use baby-talk to do anything with a computer.

    Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.

    I can't even begin to understand what "MySQL" is supposed to mean.

    It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.

  27. Unimpressive by Bob+Ince · · Score: 3, Insightful

    Well it's a good thing they're asking for security issues now rather than later, as the very first form field I found had a cross-site-scripting hole in. eg.

    http://www.myuid.com/activate.php?email=fdgdfs%3Cs cript%3Ewindow.alert%28document.cookie%29%3B%3C%2F script%3E&code=boo

    Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.

    Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.

  28. Why NOT to use this... by g_lightyear · · Score: 3, Insightful

    Part of the point behind Project Liberty, and one of the reasons that Passport hasn't worked, is that people aren't necessarily comfortable with the idea of a 'centralised' authentication system for the whole of the planet.

    Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.

    Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:

    1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or

    2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.

    They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.

    Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.

    --
    -- A mind is a terrible thing.
  29. mindlocked.com - better looking GUI? by snon · · Score: 3, Informative

    I strongly believe that we need to reduce the number of accounts per person - our attempt at that is Mindlocked which we hope to develop further - especially in terms of distributed/replicated databases etc...

    Anyone interested in joining this project (that will be released under GPL soon...) - let us know!

    That's my 2 cents worth of marketing =)

  30. What is this? by binkzz · · Score: 5, Insightful
    It's nothing more than a day's work. There is nothing to speak of, the passwords aren't stored encrypted and no intelligent thought seems to have been put into it. As someone else already mentioned, anyone can take the entire user database with personal information from the site (everything except the password). If I were to run a site using the MyUID, I could obtain users' MyUID passwords as they tried to log in on my site, giving full access to any user's account who logs in via my site. Outrageous!

    Interestingly, it does say in the ToS:

    MyUID will not give or sell your private account information or your password to anyone,

    which seems a lie. But it goes on!

    MyUID will supply any information we have about you to law enforcement officials if neccessary.

    They'll rat on you even if not required by law. Yay!

    In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.

    ... Wow..

    The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.

    Registered user #1 is mastergoon, so this is just blatent self-advertising on slashdot.

    --
    'For we walk by faith, not by sight.' II Corinthians 5:7
  31. Re:Similar but different by Sancho · · Score: 3, Informative

    Our power grid is more vulnerable than you realize...