Slashdot Mirror


Microsoft Launches Passport

Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...

194 comments

  1. If you have to do this by drix · · Score: 1

    If you absolutely can't be bothered with typing in your credit card numbers and you're enslaved to Windows, at least use MS Wallet, in which all your info is stored on your hard drive as opposed to God-knows-where. This service is bound to fail. Imagine if every single one of the twenty-million Hotmail users had their credit card information in their account instead of just e-mail.

    --

    I think there is a world market for maybe five personal web logs.
  2. Nothing new under the sun by MaggieL · · Score: 0
    "And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:

    And that no man might buy or sell, save he that had the mark, or the name of the beast, or the number of his name."

    (Revelation 13:17-18)

    --
    -=Maggie Leber=-
  3. Re:Is it possible to keep this database open ? by Anonymous Coward · · Score: 0

    Wait a minute, I'm getting confused. In the article, it looks like this is just a way to store billing information (i.e. name, credit card #, ship-to address, etc). If that's the case, then there's no reason you can't decentralize it, and there's no one I trust more than myself to keep that info.

    But other people are talking about this as if it's some kind of electronic cash. Which is it?

  4. How Microsoft will make E-Wallets stick by wilkinsm · · Score: 1

    I've seen the ploy - Rebates. All the prices on the site will be jacked up, and you won't be able to buy anything cheap without an e-wallet account.

    Sound familiar?

    (Looking at real wallet full of "Price Club" cards.)

  5. Re:percentage of profits? by q2k · · Score: 1

    I agree completely. I wasn't suggesting that yet another MS monopoly was a good thing - only that it is likely. They are very good at embracing new technology and extending their products to incorporate the new technology. Is it fair...probably not. Is it legal....I think it probably is. Maybe we all should have bought more Macs back in the 80's :)

  6. Re:I'd trust a company who could burn money every by Anonymous Coward · · Score: 0

    A fool and his money are soon parted...

  7. Re:Not particularly new. Not particularly exciting by daviddennis · · Score: 2

    I think it would be fair to say that I'd trust Microsoft to secure my data if I made a credit card purchase over the phone, where there's no implicit connection with the outside world. I might even trust them if I made a purchase via the Internet, and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.

    But I don't trust Microsoft to take my credit card number and selectively make it available to others, in the mould of Microsoft Passport. That seems like a far riskier proposition than trusting them for a single order.

    D

    ----

  8. Re:A little reality check... by speek · · Score: 1

    It's been said, but it bears repeating:
    There's still _some_ private information going from your browser to the vendor telling them how to charge you for the product, whether it's a CC number or a Passport ID.

    And, it's removing responsibility for care and caution from the user and putting it with a large corporation. How long before the _capability_ of using care and caution is removed from most individuals? We're moving in the wrong direction. Instead of hiding things more and more from the user, we should be empowering the user, and teaching them. Making things easier and more understandable does not have to mean less empowering and flexible.

    Which reminds me, I'd like to see a Linux distro whose main purpose was user-training. A distribution with help and training info built in as you go, so that the process of installation is necessarily also a process of learning the Linux system.

    --
    First, make it work, then make it right, then make it fast, then, make it bloated!
  9. Re:scared? (was Re:Nothing new under the sun) by MaggieL · · Score: 1
    Good heavens...I was just being ironic. How it might be construed as foolishness I have no idea, unless perhaps you took me as one of those "literal word of God" folks.

    I *do* have *two* shiny plastic fish on the back of my car, but one says "Darwin", and has feet, while the other says "Linux" and sports a shark fin. (thanks to the gang at www.thinkgeek.com). I also have a pentagram sticker in the back window, next to the AOPA wings and rainbow triangle. :-)

    Paranoid? No more paranoid than to want to have personal control of my personal information, and to want to hold the reins on my own use of strong crypto, when I think it's necessary.

    --
    -=Maggie Leber=-
  10. PassPort alternative by Anonymous Coward · · Score: 0

    Qpass already offers a wallet service that can be used on *any* merchant site.

  11. So come up with something better. by barnaclebarnes · · Score: 1

    With 80%+ posts being anti Microsoft I challenge you (us) to come up with a better service. The privacy issues are real and I agree there is a need to be concerned but we do need something like this from some vendor. I have to log into just about every web site I visit and typing user names and passwords just plain sucks. (I use a shared computer at work so getting the computer to remember my password is not an option). A Passport like service that managed to deliver just the information I want to let go would be great, even if it did only handle the simple task of logging into sites and had nothing to do with e-commerce.

    --
    [Please type your sig here.]
    1. Re:So come up with something better. by Anonymous Coward · · Score: 0

      Check out my previous post about Qpass. Their wallet is universal. It allows automatic form filling of any web form. It uses AI routines to learn as it goes, so its accuracy increases the more it is used. I've been using it for a little while and am quite impressed. I believe it won Best of Show at InternetWorld last year.

  12. Obvious nickname by Anonymous Coward · · Score: 0

    I can't believe someone hasn't come up with the obvious nickname for Passport:

    Asswart

    :)

  13. Re:The Top 1 reason. by embobo · · Score: 1

    What happened to Cyrix? Do you have a link?

  14. How it works. by InThane · · Score: 3

    I worked in the test department next to the passport people, and for various reasons I actually got a rundown in how it worked at one point.

    Basically, it's to keep your credit card number from EVER crossing the ether using a public/private key challenge system to log a transaction. The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged separately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.

    Me? I'll avoid it like the plague. This is MS, after all.

    Oh, and I only tested software there. Don't blame me - they didn't listen to me when I found the bugs, so it ain't my fault. ^_^

    --
    InThane
    1. Re:How it works. by QuadPro · · Score: 1

      The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged separately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.

      That sounds exactly like what First Virtual was doing... First Virtual doesn't do this anymore, I don't know why they quit. Anyway, this isn't very new, so what I'd like to know is: are there any other companies providing such a service at the moment?

    2. Re:How it works. by Thagg · · Score: 1
      Is this really true, that the store bills Passport and Passport bills your credit card? If it is true, it's quite an amazingly useful feature, in that only Microsoft ever has your credit card number.

      If this is true, why aren't they publicizing it? I assume it would be obvious from your credit-card statements.

      Is there any documentation that you could point to that would verify this astonishing claim?

      thad

      --
      I love Mondays. On a Monday, anything is possible.
    3. Re:How it works. by ConceptJunkie · · Score: 1

      Yeah, but as was pointed out above, they are keeping one piece of private information and passing around another as "proxy" for your CC#, etc. Your Passport ID number or whatever just takes the place of your CC#.

      I'm sure this is an oversimplified view, but the net effect to me is that it's just another number that someone could exploit. I don't think that the small amount of added convenience is worth it given Microsoft's security track record.




      --
      You are in a maze of twisty little passages, all alike.
    4. Re:How it works. by Sloppy · · Score: 2

      Thank you for explaining that. Geez, I wish the press release had been as informative.

      Well... here's my Paranoid Conspiracy Theory Of The Day: the US government is behind this. (No, I actually don't believe this, but I'm going to make a case for it anyway, just for fun. :-)

      It's in the Feds' interest to do this for two reasons:

      1. Since sensitive info need not be transmitted, people no longer have the "right" to complain about crypto controls. Crypto is for criminals, not commerce. Yeah, that's the ticket.
      2. Yet another way to track online commerce, in addition to examining credit card records. Makes tax evasion that much harder. Wow, I might have even just convinced myself...
        ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    5. Re:How it works. by Anonymous Coward · · Score: 0

      Yahoo! Shopping currently offers a wallet for all of its vendors. But I _think_ it's client-side - and it transmits your actual CC info over the wire. Oh, and I can think of a couple of situations where you wouldn't want to store it on your computer: any sort of publicly available computer, or for that matter, storage-less workstations, like WebTV.

  15. Re:Tracking like cookies? by bmetzler · · Score: 1
    Will this enable microsoft to track everything I do, what effect will this have on my day to day purchases?

    Microsoft has NO fear of free software. In their latest monopoly they go one step further. They can now give away (and even pay you to use) Windows 2000 because every purchase you make will line their pockets. Every single purchase adds more $$$$$$$'s to the coffers of Microsoft.

    But only if you use Microsoft software. And everyone will.

    ...Except me. It's Y2K but yet worse. Even as I type this I am buying a shack in the middle of nowhere with no connections to the outside worlds so that I may not be scared by evil.

    -Brent
    --
  16. The Top 5 Reasons this is a Horrible Idea by mosch · · Score: 5

    5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".

    4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

    3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

    2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

    1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

    I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.

    Ah well, such is life in corporate America.

    1. Re:The Top 5 Reasons this is a Horrible Idea by Anonymous Coward · · Score: 0
      4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

      The store would just have the user enter it by hand, using a form, as they do today.

      3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

      Don't think they are charging anyone - MSFT is just interested in having users signed up to Passport/Hotmail/MSN. User acquisition play.

      2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

      The opposite - smaller retailers have equal access to accept Passports, and can therefore offer a level of convenience previously only offered by megastores like Amazon.

      1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

      If you've ever used credit cards, tons of companies already have it.

    2. Re:The Top 5 Reasons this is a Horrible Idea by Signal+11 · · Score: 1
      I agree. The SPOF point you made really hits home - under the current system there are hundreds, if not thousands of banks operating under dozens of franchises. It's unlikely that even a complete failure of any one of them, or a small group of them, would have any impact on the market.

      But, what if you disabled electronic transfers between them - no bank could xfer funds to another. In very short order you would have pure chaos! Especially after everybody realized their money wasn't instantly available and rushed to get it out "before everybody else does".

      Yeesh... I can see the headlines now - "Microsoft's Crashing OS Crashes Global Economy - film at 11".

      --

    3. Re:The Top 5 Reasons this is a Horrible Idea by ucblockhead · · Score: 4

      5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".

      Too late for that. If you buy from catalogs, or buy on the internet, or shop at the grocery store with those "club" cards, the battle is lost. The data is being collected, and most likely exchanged.

      The only real way to prevent that is to only use cash.

      4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

      It would obviously be in the store's best interest to keep a backup system that works by taking your number directly. Stores would have to have this anyway for customers who aren't in this program. No retailer is going to turn you away because you don't use this system.

      3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

      Perhaps not. This will likely lower their liability as the chance of some two-bit small retailer absconding with the card will go down. Remember that if someone charges $5000 on your card, it costs you $50 max and the retailers involved $4950.

      2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

      It should have the opposite effect. It should make people less fearful of spending at a site they know little about. They are more likely to push "submit" at "Paul's Pleasure Palace" if they know that they aren't actually sending their card number to Paul.

      1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

      Then you better not be spending online. If you've bought anything from Microsoft online, then you've already given them exactly the same info that they'd have here. Same goes for any other company you've got from.

      The concerns about "corporations having my information" are very valid, but unfortunately, this battle is pretty much over. The battle was basically lost before there even was "e-Commerce".

      Working at the headquarters of a major retailer, I used to see huge, hundred page printouts of charge numbers just laying on a table outside of an unsecured room. Those charge numbers were given to the company by customers at their brick and mortar stores. Those numbers were also used for "marketing purposes".

      --
      The cake is a pie
  17. Re:I have seen the future... by Anonymous Coward · · Score: 0

    It's called ActiveScript, and it's out now. Pretty cool actually, lets you use Perl, JavaScript, Basic, any language you want.

  18. Choose M$. Choose being a marketing statistic by wanderingwalrus · · Score: 1

    It seems a major worry that the all powerful and o-so-trustworthy M$ will become the central cross-roads to the bulk of electronic trading on the net & be the holder of such important market research statistics... From where I'm standing it seems to be just a bit of a scam to help along M$'s marketing juggernaut. With each registered user, M$ is gaining a valuable and accurate segment of the gigantic web-market shopping demographic. They will be able to track and analyse the spending patterns of all their registered users for next to nothing. Would you really want M$ to have the means to leech information like that off you? To me it's just another piece of the jigsaw that will just add to M$'s profit maximising schemes.

    At the moment you can usually CHOOSE whether or not you become part of a particular company's marketing survey. By choosing M$ wallet you are essentially signing yourself up to volunteer, perhaps unwittingly, to help out with M$'s massive marketing research department. Doubtless, this will just lead to M$ finding more ways to rip off poorly-informed e-commerce users.

  19. Re:Yeah, ok, sign me right up by Cuthalion · · Score: 1

    I was under the impression that the hotmail security hole was actually explicitly added to allow Microsoft's Messenger to check your hotmail box without having to prompt for another password.

    --
    Trees can't go dancing
    So do them a big favor
    Pretend dancing stinks!
  20. Who's making stuff up? by forkboy · · Score: 1

    It is my understanding that changes were made to the CGI when Passport was integrated, and that is what allowed the security hole. If I'm incorrect (which I'm pretty sure I'm not) then it's certainly not intentional FUD, but rather my own misunderstanding.

    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
  21. Microsoft's not the first by mrfantasy · · Score: 2

    Novell made an announcement about digitalme (http://www.digitalme.com) about a week before the Microsoft announcement. Digitalme seems similar, except it's not demanding your billing information, and it's designed to let you control what parts of yourself you want to share with whom. And it's using their directory services to do it. I have no idea what Microsoft's backend is. Overall, Novell's concept seems less creepy.

    Novell's also talking about freely releasing some of the digitalme tools--of course, you'll need Novell stuff to do it, but it's a start...

    --

    -- Of course I'm paranoid. I'm a sysadmin.

    1. Re:Microsoft's not the first by thule · · Score: 1

      What about us? zkey.com (was zcentral.com) started with access controlled personal information. Now we're moving on to bigger things. Our new method will probably be the least creepy of either MS or Novell. It looks like our new system will be publicly documented (being open is GOOD). We're going after as many standards as possible. I can't give details right now, but I believe our system will work the way this stuff should work on the Internet.

  22. Durrrr.... :) by Booker · · Score: 2

    Ok, so I forgot to read one line of the previous post. :) Here's some info on Amex's "Wallet"

  23. Scary stuff by Anonymous Coward · · Score: 0

    ...to be honest the only people I'd trust to do this sort of thing are the people who actually lend me the money in the first place (Visa, Mastercard, et al.)

    The IBM system MAY sound more secure, but people could crack your usual desktop and steal your wallet info. (but, hey, they could break into your house and steal your stereo too ;-)

  24. Solution already in done: EDI by embobo · · Score: 1

    I'm sure EDI has a transaction type for this sort of thing already.

  25. I'm wondering about your spam prevention. by embobo · · Score: 1

    markw@veda:~ > mail -s "you suck" `echo "webmaster@666.rawtruth.com" | sed 's/666//'`
    webmaster@.rawtruth.com... Invalid host name
    /usr/local/home/markw/dead.letter... Saved message in /usr/local/home/markw/dead.letter
    markw@veda:~ >

  26. I don't trust Microsoft... by emufreak · · Score: 1

    ...after that whole Hotmail incident where anyone could read anybody's mail off of some site (on hotmail, heh) without a password.

    Ridiculous. I don't trust M$ one bit on this.


    emufreak
    www.kontek.net/pp

  27. Tracking like cookies? by Maquis. · · Score: 1

    Will this enable microsoft to track everything I do, what effect will this have on my day to day purchases?
    Will microsoft care?
    I think I'll be staying away for a bit...

    --
    Wiggeda Wiggeda Wack - Kriss Kross
    1. Re:Tracking like cookies? by Anonymous Coward · · Score: 0

      Yes! They'll be watching you, and only you! You can never escape! They'll know your inner-most secrets! By all means, never, ever use it if it comes from Microsoft - especially if it makes your life easier!!

  28. "Only" Microsoft? by Col.+Panic · · Score: 1

    Saying only Microsoft has your credit card number is like saying only the mafia will be collecting your gambling debt.

  29. We are supposed to trust M$?!? by Anonymous Coward · · Score: 0

    Funny, very funny. Scary, very scary

    1. Re:We are supposed to trust M$?!? by Anonymous Coward · · Score: 0

      Well... A couple of friends work for Hotmail. Believe me, they don't care about anything else than the day on which M$ will be split into MSN and Microsoft. They just care about stocks. They are telling me that internally everything is ready for this split... I'll never trust in M$

    2. Re:We are supposed to trust M$?!? by stroppy · · Score: 1

      At the risk of sounding intensely paranoid (I've just re-read the 'Halloween Memoranda'), is it possible that M$ is trying to judge the level of 'trust' their userbase has in them and their products?

      Consigning your credit information to an online bank is problematic at best, but to use M$ with their demonstrable inability to understand system security seems like, well, the act of a total sucker.

      So if I was a crazed marketeer (M$ as we all know is not a software company but a marketing organisation), I'd love to test my client base's trust in my 'brand' like this.

      No, surely not...

  30. if you really want protection: by RoLlEr_CoAsTeR · · Score: 1

    The concerns about "corporations having my information" are very valid, but unfortunately, this battle is pretty much over. The battle was basically lost before there even was "e-Commerce".


    Correct. The battle was lost when the credit card was invented. If you're really that worried, use cash/checks. Cash only, if you want to be that paranoid. Taking it a step further (and a rather ridiculous step to me) keep your money in your mattress (figuratively; i.e., don't have a bank account if you're that worried) and then you'll know where your money is and all that jazz.

    --

    Insert mind here.
  31. Re:Nice try... by William+Wallace · · Score: 1

    What makes you think I like Linux? I hate Linux!

    -WW

  32. Re:Nice try... by William+Wallace · · Score: 1

    I just found a cool bumpersticker today...

    "Freedom is the distance between Church and State."

    -WW

  33. Yeah, ok, sign me right up by forkboy · · Score: 1

    Isn't this Passport service the main cause of that little Hotmail fiasco a couple weeks ago? I'd be a bit skeptical about storing my financial data online anywhere, much less with a service that has proven already once to be insecure. (fixed or not, it's hard to trust something that has been cracked that easily in the past)

    Not to mention, I get a bit paranoid when M$ is involved in anything regarding personal finances.


    --
    This message brought to you by the Council of People Who Are Sick of Seeing More People.
    1. Re:Yeah, ok, sign me right up by Godfree^ · · Score: 1

      No, Hotmail was moved to the passport server after the minor (understatement) security incident. That was a relatively good move on their part. Microsoft does do good things occasionally.

      --
      - Damnit, I'm dead Jim
    2. Re:Yeah, ok, sign me right up by Moonwick · · Score: 1

      Get your facts straight. The little 'hotmail fiasco' you refer to was caused by an actual security hole (a rather large one, I must say) that has existed since Hotmail was first put online. It's only a wonder it wasn't abused publicly until recently.

      There's plenty wrong with Microsoft technologies by themselves. No need to make stuff up- leave that to Microsoft's marketing team.

      --
      Only on slashdot can a posting be rated "Score -1, Insightful".
  34. Re:Um... by Justin+Motion · · Score: 1

    >>My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?

    We ARE talking about M$....

  35. Another article. by afniv · · Score: 1

    The Register also mentioned the M$ e-Wallet.

    This article mentions that AOL and IBM also offer an e-wallet service, although the data is stored on your local computer and NOT on some corporation's marketing database.

    Does someone have experience with the M$ e-wallet? I'm wondering what the increase percentage in junk mail is (e-mail, snail mail, AND phone).

    ~afniv
    "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"

    --
    ~afniv
    "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
    Richard von Weizs
    1. Re:Another article. by Anonymous Coward · · Score: 0

      I haven't received any mail (email, snail, or otherwise) as a result of using Passport. I think that junk mail should probably be the least of your concerns.

    2. Re:Another article. by Thagg · · Score: 1
      Wallets can be implemented either the Microsoft way, by storing the information on their server -- or the way everybody else has done it, by storing the information on your own computer. My belief is that everybody else expects that no intelligent person would give up their personal information for no reason.

      The only benefit for the server model is that you could buy stuff from any computer, just by (somehow) accessing the Passport information. Of course, there better be some fairly sophisticated [read, cumbersome and inconvenient] password protection on Passport, then. And then, wouldn't this add to the inconvenience of the shopper?

      The client-side models require you to input the information (only once, of course) on each of the computers you want to spend money from. Now, this doesn't seem like a huge inconvenience, really; certainly contrasted with the potential inconvenience of having somebody with evil intent [not naming any names] getting a copy of the server database.

      I was disappointed, but not particularly surprised, that there was virtually no reference to security in the PressPass "Q/A" report. There were absolutely no assurances about what protection Microsoft would employ to keep your data private, no assurances whatsoever that Microsoft wouldn't abuse the information. I found the example of storing the address of your parents, say, with Microsoft particularly chilling. What a remarkable web of consumer information could be woven if everybody input their personal relationships into the Microsoft monster.

      The page on passport security and privacy also, remarkably, passes up any opportunity to reassure users that Microsoft won't misuse the information that you give it. They do say that they won't share your personal information with others, but it will get to the point (if this is successful) that the rest of the world could be ignored, to a first approximation. There's nobody that I'd be less happy to have this information than Microsoft, themselves.

      I predict, sadly, that this will be a spectacularly successful product.

      thad

      --
      I love Mondays. On a Monday, anything is possible.
  36. Re:Not particularly new. Not particularly exciting by ucblockhead · · Score: 2

    But remember, it isn't a matter of "trusting them with a single order". If you make a single order, they have your credit card information. This is no different from if you signed up for "Microsoft Passport". They could just as easily make your card number available to others in either case.

    Perhaps the misunderstanding comes here: ...and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.

    In actuality, the card authorizers, accounting departments, etc. all require audit trails for everything, including card numbers. The last retailer I worked for kept this information for at least a month in the "live" system and essentially forever in their backups. They weren't unusual.

    They have to save this data for the simple reason that if you contest the purchase, they have to be able to show what actually occurred. Not to mention the plethora of systems problems that might require the retailer to go to original data simply to get paid.

    (Of course, the marketing department often gets its greedy little mitts on the data, but that is a different story.)


    ...where there's no implicit connection with the outside world.

    It is actually much easier to intercept a phone conversation than to install a packet sniffer. It takes only a few dollars worth of equipment from Radio Shack. (And lest you think that this is rare, the people two houses down from me got a $900 phone bill last month caused by two kids who did exactly that.) Also, in a phone conversation, you are essentially giving your card number to someone who likely makes around $6/hr.

    One of the advantages of e-Commerce is that fewer people see your card number. In fact, if all goes correctly, no human being will actually see it. Contrast that to real world purchases, where we often hand our cards to low-paid teenagers without thought. (Most of whom are honest, but it only takes one with a head for numbers...)

    --
    The cake is a pie
  37. Oh, great. by Black+Parrot · · Score: 5

    Now an e-mail attachment can spend all your money. I truly feel sorry for the people who are going to get burned, burned, burned by this.

    But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure us that it won't happen again.

    p.s. -- I wouldn't even sign up for this if someone other than Microsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?

    --
    Sheesh, evil *and* a jerk. -- Jade
    1. Re:Oh, great. by My_Favorite_Anonymou · · Score: 1

      Anonymous auctions never work; that's why you need to build up some credential through eBay. I like the idea of a smart card, which should be able to transact small amounts of money over the net anonymously. These will encourage illegal selling though, and then the FBI will start selling "Un-registered Photoshop CD!" to trap you.... But it's a good thing nevertheless, much better than MSN Passport. Consider this scenario: You buy a smart card from the newsstand, get a unique number on the card, say A13764789756, and then you slide your card in the smartcard reader, tell your computer you wish to send 10 dollars to another smartcard that has an id C76468976432, voilà, the guy gets the money and sends you his used "The Net" poster. Note I don't want the smartcard to carry a password and personal id; it's purely anonymous with an open source smartcard driver. That's good enough. There isn't much advantage to transferring large amounts of money at high speed for Joe Sixpack. You want to kick your tires before making the decision anyway. CY

    2. Re:Oh, great. by kootch · · Score: 1

      If you've read the user agreement on Hotmail and other free services by MS, you'll realize that the consumer has no rights in the event of a security breach or a server mishap. So just as with the Hotmail breach where nobody could really complain when their username and passwords were skipped around, what happens when someone comes in and through some stupid security breach (because someone set a form up improperly) and buys tons of stuff and sends it to an anonymous PO Box and you get billed for it?!?!

      The world of e-commerce and anonymous auctioning has enough problems without letting M$ get in there with what they "believe" to be a one-stop solution to the problem. In typical M$ fashion, they'll just make the situation even worse with less choices for the consumer and many many more problems.

    3. Re:Oh, great. by samantha · · Score: 1

      If we have a common data format (XMLish mayhap) for e-wallets and if we have strong encryption on the content and standardized management protocols then there would be no reason any particular vendor should have a monopoly just as there is no reason for any vendor to have a monopoly on checking accounts. The information should not be stored centrally with Microsoft or anyone else. Some of the new smartcards that are readable wirelessly by computer might be a choice for keeping this info out of centralized hands.

  38. ewallet by generic · · Score: 1

    Like I am going to trust Microsoft with my money. I won't use it just because it has been implemented by them.

    --
    Microsoft aggravates my tourettes syndrome.
  39. Re:Megaservice... by fReNeTiK · · Score: 1

    > they'll keep your windows registry remotely so software vendors can check for compatibility?

    Please be careful with such suggestions, we don't want to give them ideas ;). I mean this is perfectly doable technically (keep a cached copy locally and update it as soon as the user is online, replace the cache on shutdown; wouldn't be a big change considering the frequency of required reboots on windows). I'm sure Microsoft would love having such a system...
    --

    --
    I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
  40. Kind of makes you wonder... by Deitheres · · Score: 1

    How many hotmail-esque security holes are in the newly rolled out passport service. I ditched my hotmail account after that little snafu (you know, the one where any hotmail account was open by just a simple little script, glad I don't have many enemies...) that M$ didn't even address until like 48 hours after it was exposed. All these poor morons months later when a similar exploit is revealed on the passport security system. Glad I won't be one of those morons...

    Deitheres - Master of... er... something.


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

    --
    Just like driving a car:
    (D) to go forward
    (R) to go backward

  41. Hey... by Greyfox · · Score: 1
    Isn't that that software that led to the last MS Security fiasco?

    I wouldn't touch that shit with a 10 foot pole...

    --

    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  42. Here's What You Do by mochaone · · Score: 1

    If any site forces you to use this Password stuff, boycott the hell out of them and let them know you won't be held captive by the monster from Redmond.

    I think I'll wait until smart card technology becomes more prevalent so that I can swipe my card when I want to make a purchase. There is no way in hell that I will relinquish purchasing power to Microsoft. Sheese, I don't even want to touch any of their crappy products.

    --
    Hates people who have stupid little sigs
    1. Re:Here's What You Do by Kool+Moe · · Score: 1

      I completely agree. If any site FORCED me to use 'assport, I surely wouldn't buy from them. There are plenty of alternatives (unless EVERYBODY uses them, but ain't gonna happen).
      Yes. Smart cards I can swipe at home. Is https locked-down enough to ensure that privacy? Can the bad guys crack such a 'secure' transmission?
      I need to read about Amex's Blue thing, but yeah, why not have all banks do this? I wanna buy sumptin, I swipe my credit card, the website directs it to the issuer, they bill...
      Why does MS have to be involved at all?

      --
      Kinda like Moe, but just a little more Kool
  43. Alternate Press Release - N in a series of M by K. · · Score: 5

    Hey you!

    Yeah, you there, the guy using the mouse as a foot
    pedal!

    Do you hate having to type in a shipping address
    every time you order on the Internet? Or worse,
    are you having trouble remembering your own
    address?

    NO PROBLEM! Microsoft is here to help! We'll take
    care of all those pesky details for you. Our new
    Passport software is your ticket to a stress-free
    junk-filled life. The next version will even wax
    and declaw your cat for you!

    How much would you pay for this amazing piece
    of ultra-modern technology? $50? $100? $1000?
    Well, hold on to your hat! Microsoft are giving
    away Passport for absolutely nothing!

    That's right! In exchange for a complete personal
    profile, including address information, and credit
    history, which as we all know is worth absolutely
    nothing to anybody, Microsoft will give you
    Passport, a passport, if you will, to a future
    of black velvet elvis paintings at knockdown
    prices.

    Worried about security? Don't be. Your most
    private personal details will be stored in
    the most secure form known to science, a
    "hard disk". This revolutionary device encodes
    information using the science of magneticism
    in a form far too small for the human eye to
    read. If a hacker were to gain access to this
    "hard disk", he or she would never be able
    to read the information it contained, even with
    a high-powered magnifying glass!

    Just remember, Big Brother is watching you, and
    he cares!

    [Insert standard EULA and disclaimers here, in
    really small writing so the suckers won't bother
    reading it, haha! - BG3]

    K.
    -

    --
    -- Proud descendant of semi-nomadic cattle-herders.
    1. Re:Alternate Press Release - N in a series of M by Anonymous Coward · · Score: 0

      magneticism?

  44. Don't worry .... by LL · · Score: 0

    Why?

    The Tax Department hates competition :-).

    Last time I heard, the US government still had a monopoly on organised violence.

    On the other hand, maybe that's why they're so keen to put NT into all those cruisers :-(.

    LL

  45. Crazy Idea by Anonymous Coward · · Score: 0


    It seems to me that someone could write a plugin for IE and NS that would watch for forms. Watch for such things as First name, Last name, Address, etc. followed by a and fill it in for you with info in its config file. Nice, simple, easy, and your info stays on your computer.

    Although I could be wrong..

    1. Re:Crazy Idea by generic-man · · Score: 1

      Internet Explorer 5 calls that AutoComplete.
      But it's not really buggy, open-source, and horribly behind schedule. So I don't think Slashdot readers want to hear about it.

      --
      For more information, click here.
  46. 1984 by Anonymous Coward · · Score: 0

    Orwell's 1984 is an underestimation because as he wrote the book Microsoft wasn't there. This system enables total control of internet users AND all sensible data is stored on M$ buggy and UNSECURE servers. Scary.

  47. Stand up and yell FIRE! by Anonymous Coward · · Score: 0

    What is with all the absurd paranoia on this site? The truth is that Linux techies LOVE Microsoft otherwise there would be no common foe to dramatize and scorn in unison. And look here . . . if I don't log on I get the name Anonymous Coward. Everyone wants control, even the saintly Slashdot!

    1. Re:Stand up and yell FIRE! by Anonymous Coward · · Score: 0

      From the same anonymous coward that brought you the aforementioned rant "FIRE this." Saintly? Heh. If only you knew! You see, all Linux users dedicate themselves to Linus' evil desire to bring a new kind of fire to mankind. They are mindless zealots who follow blindly the Great Penguin! Hahaha! I love myself, I can be so cruel on my Microsoft days. =)

  48. With crypto it's all possible... by DiningPhilosopher · · Score: 1

    The poster said there's a cryptographic challenge/response. This means that through the magic of public key cryptography one party can authenticate itself to the other in a non-spoofable way. It doesn't matter if you see the transaction - you can't fake one yourself or replay it to cause a second transaction to go through. It's not just another number - it's a secure communication.

    Microsoft is smart enough to get the basic protocol right. I have no doubt that they've thought this part through. What worries me is that hordes of script kiddies will scrutinize this newly created gold mine and eventually find something to exploit (as with Hotmail).

    --
    /* The beatings will continue until morale improves. */
    1. Re:With crypto it's all possible... by ConceptJunkie · · Score: 1

      I don't doubt that Microsoft knows what to do, and even that they _can_ do it. But since everything they do smacks of pathological committee design and implementation, I expect serious problems will surface.

      --
      You are in a maze of twisty little passages, all alike.
  49. Re:Preaching to the choir by Anonymous Coward · · Score: 1

    Of course no \.

    I think you mean "/."
    "\." means "whackdot"

  50. The crypto prevents fake transactions. by DiningPhilosopher · · Score: 1

    See my other comment in this thread.

    --
    /* The beatings will continue until morale improves. */
  51. Why not a client app? by richieb · · Score: 1
    Why can't this be a client app? Keep all the data on your own computer, then have a nice D-n-D interface that will drop the info from your machine into Amazon's form (or whomever's).

    No central database, you have total control over your own data.

    Perhaps this app could keep track of what you buy and if you want you could sell this info to mass marketers...

    ...richie

    --
    ...richie - It is a good day to code.
    1. Re:Why not a client app? by blowdart · · Score: 1

      There have been though. I've been evaluating quite a few wallet technologies here, and of course all of them use different standards, and none of them were that good. The best one I saw was the MS Wallet implementation in IE4/NS4. Even then, because it involves a *lot* of work on the server side to interface, hardly anyone ever implemented it.

      I have a summary here (which I can't post, it's copyrighted, and paid for) that came to the conclusion wallet technology is nowhere near ready yet.

      One thing I will say in favour of the MS system, be it Wallet or Passport, it's not US based (I found a lot of client side wallets were), and it allows any payment technology, so you aren't tied in to using a specific clearing house (which were, again, all US based)

  52. Oh my GAWD!!!! by grappler · · Score: 1

    That post absolutely made my day. Thank you.

    --
    grappler

    --
    Vidi, Vici, Veni
  53. Crazy Idea by Anonymous Coward · · Score: 0

    It seems to me that someone could write a plugin for IE and NS that would watch for forms. Watch for such things as First name, Last name, Address, etc. followed by a and fill it in for you with info in its config file. Nice, simple, easy, and your info stays on your computer. Although I could be wrong..

  54. Preaching to the choir by Kool+Moe · · Score: 2

    Of course no \. readers are gonna trust MS with this inane idea! Most everyone here rails against MS at every chance they get, and mostly with good reason.
    The issue is, how to get the word out to all those happily blind folks who think the 'integration' MS offers is the best thing since cheese coming in individually wrapped slices. Most every MS supporter out there likes the MS products cause they're easy to use and everyone else uses them- and they support such with the same vehemence the anti-MS crowd voices.

    So, do we pray that an Open Source model of such a thing is quickly offered as an alternative? I doubt that would work as speed is not a common OS trait, and more people would be less likely to trust such a thing in today's mindset.

    So who will be the alternative? Would a banking coalition be a better alternative? At least they've historically protected accounts, mostly.

    Or perhaps the issue is to point out to people that simply putting your CC#'s in a pswd protected text file on your HD, then open it, copy it, paste it, into an order site is just as quick as 'assport.
    I mean, sheesh, I'm all for saving time, but it takes, what?, 3 minutes to fill out an order form online?

    I would NEVER use such a service provided by ANY company which has shown such blatant disregard for the consumer as MS. Of course, 75% of the population is unaware of these tactics. So 'assport will be the default until someone cracks it and folks lose big money.
    Perhaps they can apply for FDIC?

    --
    Kinda like Moe, but just a little more Kool
    1. Re:Preaching to the choir by Black+Parrot · · Score: 2

      > Perhaps they can apply for FDIC?

      One hopes the FDIC has better sense than to insure this arrangement.


      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
  55. Credit Card companies do it already... by adamwood · · Score: 1

    Firms already have to pay a percentage of revenues to the credit card companies for taking the order. This suggestion is basically the same thing.

    If a start-up retailer has the choice of a percentage of sales or a huge one off investment in order to get up and running with such a system I'd say the percentage is preferable.

    Ideally there would be a buy out option, but no doubt if you're big enough (Dell?) you can negotiate the percentage to something tiny or just pay a lump sum.

    1. Re:Credit Card companies do it already... by GC · · Score: 1

      It's not the same,

      The commission for VISA or AMEX or Mastercard is tangible - they are protecting the transaction. Microsoft are charging to provide the VISA/AMEX or Mastercard details to the retailer when the customer requests it. Which is simply Microsoft barging into the relationship between the vendor and the customer.

    2. Re:Credit Card companies do it already... by adamwood · · Score: 1

      Ok, it's not as large a service but the data entry on behalf of the customer (and no doubt the back end integration at the merchant end) is still something that is arguably chargeable.

  56. Re:How (much) do you want to pay today? by Anonymous Coward · · Score: 0

    M$ ***assures*** us everything will be private. Yeah right... that's a comfort.

  57. Original source of techology was... by Anonymous Coward · · Score: 0

    firefly... which microsoft ended up closing the original site a few months ago.

    Btw - if authenticated morons post they get a one rating. If I get up'd to a one, I don't get above the clutter. Therefore "Rule of AC's": never moderated to a one. It doesn't rise us above the clutter. Thanks...

    1. Re:Original source of techology was... by Godfree^ · · Score: 1

      IIRC, FireFly is/was a music database that used an interesting AI system to assist users selecting other albums based on a small selection.

      I really don't see what this has to do with Passport?

      --
      - Damnit, I'm dead Jim
  58. how long until it breaks... by CormacJ · · Score: 1

    Anyone want to guess how long it will be until this breaks?

    It's a good idea, but I personally don't like it as it gives MS too much data and their security concerns are usually about 10th on the list after making money. Although the data isn't stored remotely the transport and the demographics could be recorded and used elsewhere.

    I'll avoid sites that force me to use this, at least for a year or two so that I can see what weaknesses occur and what Microsoft's long term plans are.

    It sounds like the usual MS cycle - 1) introduce new technology 2) lock up the market 3) slowly start squeezing every cent out of the users that is possible...

  59. It's all marketing.... by Ledge+Kindred · · Score: 5
    Microsoft already has the upper hand with this and I can foresee it becoming VERY popular. Think about this perfectly reasonable scenario:

    Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.

    "Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new ActiveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"

    The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.

    It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.

    -=-=-=-=-

    --

    -=-=-=-=-
    My mom's going to kick you in the face!

    1. Re:It's all marketing.... by ralphclark · · Score: 1

      Of course if they try to control the licencing of this technology the way they (and Apple) have done with the Sorenson codec in order to leverage the dominance of their operating systems, I feel sure they'd be hauled up in front of the courts pretty quickly. They'll surely be forced to allow the same features to appear on other platforms.

      Consciousness is not what it thinks it is
      Thought exists only as an abstraction

  60. This is scary stuff by SoftwareJanitor · · Score: 3

    If you work in the financial services industry like I do. It has been clear to me for a long time that Microsoft wants to skim the cream off of all the financial services industry. They want to cut into the business of MasterCard, Visa, etc. They want to cut into the general banking, mortgage, etc. business. In the future most financial transactions will be done at least partially online, and if we aren't careful, Microsoft will be getting a piece of every transaction.

    What irks me is that management just doesn't see Microsoft as a competitor. We shouldn't be buying any of our competitor's products, because we are funding Microsoft to move into our own markets.

    I'm afraid they won't see it until it is too late.

  61. Look out for "free" computers... by Samrobb · · Score: 1

    "A $1000 value, absolutely FREE!"

    "Intel P266, 4 gig HD, 4x CD-ROM, 15" monitor, color inkjet printer, and 1 year of FREE internet access via MSN with $1000 credited to your Microsoft Passport account!"

    Waiting for the first spotting...


    --
    "Great men are not always wise: neither do the aged understand judgement." Job 32:9
  62. Mmm Cheese... by Curt · · Score: 1

    Anyone want to join me hacking this beastie? It would take what, 10-15 minutes TOPS?

    Mmm swiss-cheese code. Yummy.

  63. Re:Amex Blue by Cy+Guy · · Score: 1
    I think the primary difference between MS' Passport and AmEx' Wallet/Blue is that with the Blue card and reader you get a 1024 bit (or perhaps it's 2048bit) token to initiate the process that is sent from your PC. Passport still is dependent on the user supplying a password, which is much more crackable.

    I just went through the Passport setup process to see what they require. You do have to supply a password which "Must be at least 8 characters long, and can contain numbers and/or letters, but no spaces. Make sure it's difficult for others to guess!"

    But you also give them a question to ask in case you forget your password and there are no requirements for the complexity of the response, (in fact this process almost ensures that a dictionary word will be used by the typical user, though they do warn against this.)

    Also, this whole process appears to be done unencrypted (at least it doesn't use SSL) except your password is masked out. (The answer to your question apparently isn't).

    Since MS is trying to establish a standard for ecommerce, you would think that at a minimum it would require something more secure than an 8 character password (ie 36^8 possible solutions roughly equivalent to 40bit encryption). Also note that when you sign-in to passport, it isn't over an SSL connection either. Also, hotmail users are being encouraged to use their hotmail username/password for their passport account.

  64. Re:Passport Hotmail crack? by Anonymous Coward · · Score: 0

    Hotmail users are encouraged to use their hotmail username and password for the passport service as well.

  65. Actually it's even better than that... by DiningPhilosopher · · Score: 1

    Disclaimer: This is all hearsay.

    According to this comment, which should really be moderated UP...

    The credit card numbers stay on Microsoft's server. Store gets a charge authorization from Passport via secure challenge/response and BILLS MICROSOFT. Microsoft then bills you, having never given your credit card number to ANYBODY, even encrypted.

    It's a great idea. But I'll never use it - as I've said before, I trust the protocol entirely, I just don't trust Microsoft to keep a server full of credit card numbers away from the script kiddies.

    --
    /* The beatings will continue until morale improves. */
  66. to buy or sell you shall need the mark o the beast by Nickbot · · Score: 1

    I can see it now. Your W95 machine crashes, so, like every Monday, you have to reinstall:

    Warning! A secret timebomb written into windows has noticed that this is not the original installation of windows on this machine. According to the extremely small print hidden on the microdot of your Windows license, this is considered piracy. Deducting $400 penalty from your MicroSoft Wallet account.

    Error! Your Microsoft Wallet account contains only $235. Initiating automated legal action. You should receive a summons in 5-10 business days.

    Destroying this computer via the secret motherboard bios and Intel chip AntiPiracy features.

    Warning! This PC does not have the Intel chip AntiPiracy features. This PC appears to have been built from components, rather than purchased from a licensed OEM dealer. This is considered probable cause in your state, thanks to our legal department, second only in power and treachery to the Scientologists. Sheriff's deputies are on their way to the address listed in your Microsoft Wallet account.

    Alert! The microphone on this system heard you chuckle at the Scientology joke above. The Church of Scientology has been alerted and should be starting legal proceedings in 8-10 business days.

    In the future, you can check your PC for piracy violations with MS Piracy Check, for only $699 at your local software store. It allows for automated hardware and software piracy checking, as well as on-line plea bargaining.

    --
    Praise the Force Field! Praise the Laser Project! Slackware Loon #19830573
  67. The application page IS secure... by DiningPhilosopher · · Score: 1

    The fact that the spiffy little lock icon isn't locked doesn't mean the submission is insecure. It means the FORM ITSELF was downloaded in the clear.

    Look at the source. The form submits to an https address. Which means the data you enter is encrypted via SSL when it is sent.

    I'm not sure why so many people use forms that submit securely but are not retrieved securely. If it can confuse slashdotters (as it has more than once) it's bound to confuse the average moron...

    Of course, you're right about the password. The problem is that if they did it correctly (using actual keypairs and certificates) it would take too long and your keys wouldn't automatically be usable from any browser as they are now. As is you can use your Passport account from anywhere - set top box, Palm VII, cafe terminal, whatever.

    Consumers don't want security. They want convenience and the ILLUSION of security.

    --
    /* The beatings will continue until morale improves. */
  68. Re:How many can be called Passport? by Anonymous Coward · · Score: 0

    This is actually an upgraded version of Firefly's Passport that MS bought over 2 years ago.

  69. A little reality check... by radish · · Score: 5

    OK we seem to have a typical /. inferno going on here. Maybe a little pause for thought is called for?

    I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.

    So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).

    Now lets evaluate ...

    In theory this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.

    But of course we don't know what M$ plan implementation wise, and there are huge doubts about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone else's, they just get targeted more. This is not an excuse for not being proactive though! The questions I would ask are:

    * How is the link from MS->Vendor secured?

    And I want details!!

    * Who will be liable in the event of dispute?
    This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. So assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!

    * Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?

    * Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.


    So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.

    Adam.

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"

    1. Re:A little reality check... by Sloppy · · Score: 2

      > I don't automatically assume everything Bill touches is useless.

      Well, at least this time, we don't need to assume.

      > In theory this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.

      Good god, man! Do you have any idea how evil this sounds? It looks like a) An excuse for keeping decent crypto out of the hands of end users. b) A way to restrain trade.

      If the link from vendor->MS is secured beyond what is typical for a browser, then don't you think it would be better to improve the browsers? And do you really think this will offer more consumer protection than credit cards already do? There are already enough barriers to starting a business, we don't need another one.


      ---
      --
      As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
    2. Re:A little reality check... by styxlord · · Score: 1

      All good points ... I'd be MUCH happier if my Credit Card provider was providing this "service" directly. All that's needed is for VISA/Amex/MasterCard/etc to provide realtime authentication to vendors then there wouldn't be any need for anyone to have your Credit Card details other than yourself.

      I decide which items I want to purchase, enter my name/address and card type, the vendor contacts my Card provider who then issues a challenge for me to get the Credit Card number correct. I combine the challenge with my Credit Card number and return the result to the vendor who passes it through to the Credit Card provider and decides if its authentic.

      Nothing revolutionary here, my Credit Card is never revealed to to the vendor (which partially elimates b) dishonest vendors since part of the authentication process should include the amount of the transaction, the vendor could decide to not ship the product(s), but the vendor will have to deal with the Credit Card company which has all the vendor's details (otherwise they wouldn't do business with them) and has the power to deny them making further transactions) and is never transmitted (which eliminates a) interception).
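
The challenge-response flow styxlord describes above, sketched as an added example that is not part of the original comment or any card network's actual protocol. It assumes the cardholder holds a random 256-bit secret shared with the issuer rather than keying on the card number itself, because a 16-digit number can be guessed offline from one relayed challenge/response pair; the class, function and merchant names are hypothetical.

```python
import hashlib
import hmac
import secrets


def compute_response(key: bytes, nonce: str, merchant: str, amount_cents: int) -> str:
    """Cardholder side: bind the issuer's challenge to the merchant and amount.

    Each field is length-prefixed so that shifting bytes between fields
    cannot produce the same MAC input.
    """
    parts = (nonce.encode(), merchant.encode(), str(amount_cents).encode())
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Issuer:
    """Hypothetical card provider: issues challenges and checks responses."""

    def __init__(self) -> None:
        self._keys = {}     # cardholder id -> shared secret
        self._pending = {}  # nonce -> (cardholder, merchant, amount_cents)

    def enroll(self, cardholder: str) -> bytes:
        """Create the secret that stays with the cardholder and the issuer."""
        key = secrets.token_bytes(32)
        self._keys[cardholder] = key
        return key

    def challenge(self, cardholder: str, merchant: str, amount_cents: int) -> str:
        """Called by the vendor, who states who is paying and how much."""
        nonce = secrets.token_hex(16)
        self._pending[nonce] = (cardholder, merchant, amount_cents)
        return nonce

    def verify(self, nonce: str, response: str) -> bool:
        """Called by the vendor with the cardholder's answer."""
        # pop() makes every challenge single use: a replayed or already
        # failed nonce is simply unknown the second time around.
        txn = self._pending.pop(nonce, None)
        if txn is None:
            return False
        cardholder, merchant, amount_cents = txn
        key = self._keys.get(cardholder)
        if key is None:
            return False
        expected = compute_response(key, nonce, merchant, amount_cents)
        return hmac.compare_digest(expected, response)


def run_demo() -> dict:
    """Constructed scenario: one honest purchase, one replay, one inflated amount."""
    issuer = Issuer()
    alice_key = issuer.enroll("alice")  # constructed cardholder

    # Honest purchase: the vendor and the customer agree on 25.99.
    nonce = issuer.challenge("alice", "books.example", 2599)
    resp = compute_response(alice_key, nonce, "books.example", 2599)
    honest = issuer.verify(nonce, resp)

    # The vendor (or an eavesdropper) resubmits the same pair to charge again.
    replay = issuer.verify(nonce, resp)

    # The vendor tells the issuer 99.99 while the customer approved 25.99.
    nonce2 = issuer.challenge("alice", "books.example", 9999)
    resp2 = compute_response(alice_key, nonce2, "books.example", 2599)
    inflated = issuer.verify(nonce2, resp2)

    return {"honest": honest, "replay": replay, "inflated": inflated}


if __name__ == "__main__":
    for case, accepted in run_demo().items():
        print(f"{case:9s} accepted={accepted}")
```

The vendor only ever relays the nonce and the response, so neither interception nor a careless vendor exposes anything reusable for a second charge.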

    3. Re:A little reality check... by Anonymous Coward · · Score: 0
      How is the link from MS->Vendor secured?
      me too! Once, while doing a freelance job, I was asked to adapt a CC clearing thingie to a new module the client has just acquired. The front end is a spiffy https:// website, but the connection to the CC validating server is an almost clear text one (seven or eight hops from the webserver to the CC server, IIRC)... it was scary... really scary. I explained this to the person in charge of the site (not the webmaster, the market droid) and he said "but the visitors don't have any way of knowing that, do they?" Ugh.
    4. Re:A little reality check... by radish · · Score: 1

      Good god, man! Do you have any idea how evil this sounds? It looks like a) An excuse for keeping decent crypto out of the hands of end users. b) A way to restrain trade

      If the link from vendor->MS is secured beyond what is typical for a browser, then don't you think it would be better to improve the browsers? And do you really think this will
      offer more consumer protection than credit cards already do? There are already enough barriers to starting a business, we don't need another one.


      Woooooah there! Not sure I follow your argument. I am certainly not against crypto export - I say stick n-bit RSA (or whatever your preferred crypto system) in every browser and mail package around and let everyone be as secure as they like. But this is not going to happen! 2 reasons I can think of :

      * The US govt (among others) is still trying to keep control of crypto. This m$ thing neatly sidesteps the problem in that most vendors will be in the US (or at least have a presence there). So they will be able to use strong crypto to secure your txn, even if you can't legally do so from your own country. Think about the french! I believe they can't use crypto at all (can someone correct me?). So now they have a way of dramatically increasing their security while shopping online without risking jail.

      * A lot of people are still using old/crippled browsers which may not do security well, or at all. Even if Mozilla or Opera or whatever becomes 100% secure lots of ppl (esp. novices) will not be using a "good" browser. This M$ thing has the potential to help everyone regardless of browser. Hurrah!

      As for consumer protection - yes I think it could provide more than a CC company does, because while I am secure from fraudulent txn's already, I am in no way secure from my other personal info (address etc) being used. At least using this (a) there would be hopefully less chance of an issue arising and (b) I'd have someone to blame (watch out Bill!).

      Why does it hamper trade? Because it will be harder to setup an online shop? Hmmm....Surely to get involved you must (a) get good security (b) get good privacy policies (c) persuade M$ they meet some "standards" (d) pay them money and (e) add some code to your site.

      I'd want every vendor (whether in this scheme or not) to do (a) and (b). If you don't want to do the rest then fine....why is this hampering your business? Just do it the normal way...works now, will still work in the future! Of course you may have to work hard to persuade customers your site is safe....but that is good. People should question security at all sites.

      And a final point - no one has to use this if they don't want to!! I think it could be useful, and given assurances about privacy and security (which are unlikely to be forthcoming in any useful form) I may want to use it. But if you don't trust/like/want to help m$ or anyone else involved then that's fine by me. I'm all for freedom of choice.



      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

    5. Re:A little reality check... by radish · · Score: 1


      Very good point. The number of small net traders who have a nice flashy SSL frontend, which links to a cgi, which emails (plaintext of course) the order to their clerk. This kind of thing needs to be looked at. If there is any way these guys could be helped to provide properly secure sites cheaply & easily (and passport might go some way towards that) then it must be a Good Thing(tm).

      --

      ---- Den ene knappen er powerknapp, den andre er Bender voice knapp "Bite My Shiny Metal Ass"

  70. Bill Gates to Get Half by Ralph+Bearpark · · Score: 1
    It says so here.

    (An old'un but a good'un.)

    Regards, Ralph.

  71. e-wallet? what about a better OS! by DrSpoo · · Score: 0

    Microsoft has its priorities all wrong. Make a better operating system and software tools first! This crap has nothing to do with their core purpose in life (unless that purpose is subversion of the free world, in which case they are right on target).

    --
    Sig (appended to the end of comments you post, 120 chars)
  72. The Beast Slouching Towards Redmond by Anonymous Coward · · Score: 0

    It's not exactly surprising, isn't it? I mean, it's not the first time ol' Billyboy has meddled in finance. I can only hope that the security holes are as big as they seem, so I can retire in Aruba before BG gets himself elected dictator-for-life. Poor fools. Shouldn't we do something to help them?

  73. Passport and Hotmail by krynos · · Score: 1

    If I remember Passport was the authentification scheme used for Hotmail during the Hotmail everyone-read-your-email fiasco. That's not very encouraging.

  74. Re:The Top 1 reason. by Panaflex · · Score: 1

    Lets say, 5 million people sign up.

    Someone goes to the passport server facility. Has big guns. Takes systems.. or even just BACKUPS. I can guarantee your trusty financial institution will be GLUTTED once it hit CNNfn.

    Come on people... it happened to Cyrix.

    Roger

    --
    I said no... but I missed and it came out yes.
  75. Re:percentage of profits? by Ablar · · Score: 1

    A bit off on the economics. Yes, Microsoft can charge at the monopolistic equilibrium - but that would not be the most efficient as far as society as a whole is concerned. Free markets only work correctly given the presence of competition - if there is no competition, some form of control must be used in order to achieve maximum social efficiency.

  76. ROTFLMAO by Anonymous Coward · · Score: 0
    Hahahahahahahahahahahahahahahahahahaha!

    Sorry...

    Yeah. Right. With Microsoft's record for reliability & security, I'm going to
    rush right over and entrust all of my most sensitive information to one of their
    systems?

    Geez - I'm still grinning so hard my cheeks are beginning to hurt. Really.
    This has to be one of the funniest things I've heard in quite some time.

  77. Why is this so bad...? by LLatson · · Score: 1

    Before I get moderated down to very negative numbers for posting something that isn't anti-microsoft, I want to ask why this is so bad?

    I'm sure people said the same things about credit cards when they were first introduced. "Oh my, if someone gets my number, they could buy things with my money!" This indeed turned out to be a problem with credit cards, which is exactly why it was addressed, and now you are protected. You can dispute charges on your card with any reputable credit card company.

    If this privacy/cracking issue is such a big deal (and it is to consumers) then it will be addressed or people simply will not use it.

    Don't give too much credit to microsoft and not enough to the average consumer.

    LL

    --
    "If you are falling, dive." -Joseph Campbell
  78. Is it "ok" when AOL does it, though? by Anonymous Coward · · Score: 0

    http://aolqc.aol.com/ They already have a crap-load of people signed up, too.

  79. Solution already in progress: ECML by wickline · · Score: 1

    Soon MicroSoft will be joined by real competition here. See: RFC2706 (ECML v1: Field Names for E-Commerce)

    Customers are frequently required to enter substantial amounts of information at an Internet merchant site in order to complete a purchase or other transaction, especially the first time they go there. A standard set of information fields is defined as the first version of an Electronic Commerce Modeling Language (ECML) so that this task can be more easily automated, for example by wallet software that could fill in fields. Even for the manual data entry case, customers will be less confused by varying merchant sites if a substantial number adopt these standard fields.
  80. NO! NOT OFF TOPIC! by Anonymous Coward · · Score: 0

    Hotmail verifies names and passwords through the passport system.

  81. No doubt they're checking into it by J.+FoxGlov · · Score: 1

    From reading l0pht releases, they seem to allow companies more than ample time to fix the problem before they make any announcements. They're sort of charitable like that.

    Guess someone could just ask them. I think I'll e-mail mudge.

    J.

    --
    damned vulpine http://sb.drtwister.com/
  82. Can someone Explain why I need this service ? by Darwin2000 · · Score: 1

    Can someone Explain why I need this service so badly? I seem to be doing fine without it now, and I do online purchases and get bills paid. Just a thought: Anything on any computer is open for abuse. If you put everyone's info in the same place. It's just that much easier to abuse. In the end it's your life to abuse as you will.

  83. Trust by Anonymous Coward · · Score: 0

    Linus made Linux, Microsoft made Windows, who do you trust?

  84. Re:Nice try... by Anonymous Coward · · Score: 0

    "But Mommy, why is it wrong to murder people?"

    "No one knows why. It just is, Bobby. We used to have an explanation before the Atheists took over."

  85. Novell DigitalMe by free779 · · Score: 1

    Novell has a similar technology called DigitalMe. It does not carry 'e-cash', but allows you to enter any information in any site. I haven't tried using credit card information with it, but I'm sure it would work. Much more secure (and interesting) than the Microsoft offering.

  86. Passport Primer by kaiti · · Score: 2

    Well, the way it all works is simple. Microsoft bought MSN Hotmail because simply put there were 45 million accounts already in use.

    They slapped a "Passport ID" inside the "dat" (user login file) file for every user already on hotmail.

    Then, they made changes to the Hotmail DB lookup system so that it could be used in other implementations.

    On all of these sites, they query the hotmail db's, they check the passport ID's, and boom, you're logged in.

    Basically this was a fairly good attempt, regardless of the implementor or whose pocket it came from, to start a centralized password database.

    Believe it or not, the only thing that really needs to be feared from hotmail employees is when you piss them off. There are 45+ million different accounts. It's a lot of effort to get into those machines to see such text. There's about 15 people who have access to it.

    Microsoft may own Hotmail, but they have no direct footage to "look at the information" for their own needs.

    Hell, the FBI had a hard enough time.

    Anyways..

    -An ex hotmail internal veteran...

    --
    :: :: krs. ::
  87. www.windowsmyths.org www.microsoftmyths.org by Anonymous Coward · · Score: 0
    I just checked and these are available:
    • www.windowsmyths.org
    • www.windowsmyths.com
    • www.microsoftmyths.org
    • www.microsoftmyths.com
    I'd like to see somebody buy them and get some good content there.
  88. Railroad Crossing Cell Phone by Cognito · · Score: 1

    Why would a person let some market entity hold their wallet, and let them videotape their purchase behaviors at the same time? Convenience? Sounds expensive. It's more fun to lie to the survey ladies in the mall, who have never grabbed for my wallet.

  89. A bank analogy by Crimson+Dude · · Score: 1

    This thing is kind of like a bank. You give them all your passwords in the hope that no one in the bank steals it, they don't use it with your permission through some loophole, or someone doesn't break in and steal your money (passwords). Basically, it's built on the perception of safety of a system created by a company with a very dubious reputation at best. Personally, I'd prefer a client side system like Mac OS 9's keychain if I ever decide to consolidate all my passwords somewhere other than my brain, thank you.

  90. Re:Original source of techology was... (wrong) by Anonymous Coward · · Score: 0

    duh... look at this!


    rob malda and crew have no memory. I see as many posted articles as they do... I can remember them. Why cannot they? hahaha.

  91. Where is my Vaseline? by Anonymous Coward · · Score: 0

    "Remember there's a big difference between kneeling down and bending over." ~Frank Zappa

  92. Yahoo. by ColaMan · · Score: 1

    Joy. Just what I need.
    Let's see now..
    "many consumers simply give up, leaving a full shopping cart."
    "Ok, I'll have that, and that and ok now to purchase... what? I have to fill out my name address and CC number? nah, forget it."
    People who give up when confronted with a request for 3 pieces of information must be lazy in the extreme.
    Besides, I like to do things like misspell my address (a little bit!) and then see how much junk mail arrives with that address :)
    "The sites must also post a link to their policy from their front page, so that consumers have an easy time finding the policy if they want to review it. "
    And how many people who can't be bothered filling in those pesky online forms are going to follow some (no doubt tiny) link and read through 15 pages of a vendor's privacy statement? Not too many.
    Oh well.. same ol' "yadda-yadda-yadda-embrace-extend-assimilate-yadda -yadda-yadda" from microsoft.

    I'll keep my demographics and CC details with me ,thanks.

    --

    You are in a twisty maze of processor lines, all alike.
    There is a lot of hype here.
    1. Re:Yahoo. by j+a+w+a+d · · Score: 1

      The reason I ever fill up a shopping cart & leave it behind, is so that I can get the total price. A lot of websites fail to tell you the *total* price (that is, including shipping), until you're ready to plop down a credit card. (some even require you to put down all info before they give you the total price. needless to say, i dont come back.)

      --
      i dont display scores, and my threshold is -1. post accordingly.
      Discuss /. policies
  93. Hey, kicking!! by jsm2 · · Score: 1

    I couldn't be bothered with that "Crack an NT box" contest when there was, like only a measly US$1K to be won, but this new one, it looks worth entering!

    Maybe Taco and Hemos could post their credit card details in a "secret" file on /. to provide the Linux end of the contest?
    ***scan***scan***scan

    jsm

  94. I'd trust a company who could burn money every day by Anonymous Coward · · Score: 0
    I'd trust microsoft, a company who could afford to burn several million dollars every single day yet never run out, before I'd trust virtually any other company. The fact that they have a certain amount of guilt money means that such a service would always be free too, it is good PR.

    There are some things which are not about a perceived OS war, and this is one of them. This would probably be one of the more secure ways of doing online transactions since like a big credit card company, you'd certainly have a power behind it to investigate any fraud. Plus only a select number of purchasing sites would be part of the program it sounds like.

    As far as any privacy concerns, I personally don't care if someone knows what kind of software I'm buying but, figure because of privacy watchdogs any tracking done on you would be on Joe Anonymous Guy.. and you'd have to give permission to enable company mailings etc.

  95. An open source wallet that actually works, now. by e-gold · · Score: 2

    http://webfunds.org/webinstalldemo/ -- using DigiGold, a currency layered on top of a
    'net currency that not only works but has worked for three years+, whether or not I've
    been able to get much media coverage of that fact.

    http://www.systemics.com/docs/ricardo/ has information on the underlying source, etc.

    http://www.cryptix.org/ has information on strong java crypto (also open-source).

    http://www.digigold.net/ (under construction) has more information on the currency.

    http://www.e-gold.com a 100% metal-backed (gold, silver, platinum, or palladium)
    currency.

    http://www.FlyingRat.org a spam blocking service using small (or not so small) e-gold
    payments.

    Yes, I wish this stuff would get more notice than it has gotten. Yes, I'm sure some of
    you will say this is "spam." (Get over it.)
    JMR

    --
    Try e-gold - (contact me). I'm NOT e-
  96. Not on my computer... by SomeoneElse · · Score: 1

    I have to use IE on my home computer for my parents, and I've dodged this Microsoft Wallet crap since it first started back with IE3. Sure in theory it sounds nice, but in practice it is just too insecure. Can you imagine what would happen if Microsoft Passport servers got hacked? And let's face it, they would be prime targets for script kiddies. Why try to capture a credit card number as it goes across the wire when you can hack a public server storing THOUSANDS of credit card numbers! Sure Microsoft boasts the system will be secure, but we all know how secure their products are.

    This idea doesn't sound like they are really interested in helping the public for online shopping so much as it is another way to increase Microsoft's revenue stream. Here's a thought...Microsoft knows they can't keep the prices of their products artificially inflated forever...this is just another stab at replacing the cash cow, perhaps. I'm not one given to conspiracy theories and all, but it sounds like a strong possibility to me.

  97. Passport is more evil than previously thought by dgoodman · · Score: 1
    from Passport FAQ for Businesses:

    Where is the Passport profile and wallet data stored?
    All Passport profile and wallet information is stored on secure Microsoft servers. Passport is subject to its own privacy commitment to its members, which prohibits Microsoft from sharing or selling members' information without their consent. Participating sites will also be able to store core profile and wallet data on their own servers. [my emphasis]

    WTF is this? not only do we get the world-recognized insecurity of MS, but they have the option of whoring out Passport users' CC numbers to other parties?

    *sigh*

  98. Money-Hungry-Microsoft by jaysonsch · · Score: 1

    It was bad enough that Microsoft insisted that everyone bought their OS, but now Gates literally has his hand in people's pockets!

    --
    "...and postin me too like some brain at AOL-er" -- Weird Al
  99. Where's the RFC??? by feargal · · Score: 1
    I'm in two minds about this. Giving detailed personal info to a company which is more of a marketing machine than a software house does not bring any smiles to my face.

    The first problem here is how in hell's name does anybody verify the security and privacy of it? MS do not have an inspiring track record when it comes to security, and although it may be unethical to sell on info and stats gathered, who considers MS to be above doing that?

    Another consideration is the infrastructure of the Passport database server system. Scary thought: Passport (tm) becomes the standard for online shopping, vendors worldwide rely on this system, and MS use a single NT server... Can anyone spell downtime...?

    Seriously though, the passport idea is required by today's online community. And unless better alternatives are presented to the general public, Passport could well become essential in any online transactions. Are there any other real alternatives?

    But most importantly of all... Where's the damn RFC??? :^)

    --
    "A goldfish was his muse, eternally amused"
    1. Re:Where's the RFC??? by feargal · · Score: 1

      Cynicism != stupidity...

      --
      "A goldfish was his muse, eternally amused"
    2. Re:Where's the RFC??? by Mike+A. · · Score: 1

      Obviously Microsoft wouldn't use only one server. It doesn't matter what server OS or even hardware you use, one box could never hope to keep up with the load that a Passport-style system would generate when widely adopted. Obviously the login and other servers would be clusters - just like Microsoft's existing websites. (You didn't think MSNBC came from just one box, did you?)

      --

      --
      Do I look like I speak for my employer?
  100. Re:percentage of profits? by q2k · · Score: 1

    GC said:

    I'm sorry if this seems like Microsoft bashing, but it is ridiculous that a single corporation can "invent" currency on the internet and then globally tax all expenditure on it, which is what this amounts to.


    And this is different than Visa, Microsoft, and AMEX how?? It's ECON 101 - if MS can establish their "currency" as the dominant form for Internet transactions they have every right to charge as much as they want for the product. It's not a tax - it's the free market. If the 99% of the Internet population that is obviously not as bright as the average /.'er jumps on the bandwagon and makes this a standard - and they probably will - we'll be stuck with it - just like Windows, just like Office...

    Am I going to trust my private data to MS? No way - I'll happily manually type in my credit card number every time. What we really need is an anonymous payment system so we can buy stuff online without the trail of personally identifying credit card numbers...

  101. Uh-huh... by Wakko+Warner · · Score: 2
    Microsoft handles my data so well, it would be downright silly not to trust them with my money!

    Next week, I'm gonna let Bill Gates and Steve Ballmer perform open-heart surgery on me, too.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
  102. Re:I'd trust a company who could burn money every by Anonymous Coward · · Score: 0

    I wouldn't trust M$ as far as I could throw it. First of all, the security on this information is likely to suck. Secondly, I refuse to install a crappy M$ operating system to use this. And finally, why does a third party need to hold my information anyway? I'm quite capable of handling it myself.

  103. I'm Warning My Vendors by Anonymous Coward · · Score: 0
    Dear Vendor,

    It has come to my attention that you have chosen to participate in
    Microsoft's new "Passport" e-commerce electronic "wallet" service.

    Please be advised that I object in the strongest terms to your sharing
    with Microsoft or any of its related businesses or holdings any
    information whatsoever pertaining to me. Now or in the future.

    If this is a problem for you, I hereby request that you cancel my
    account immediately and remove from your records all information
    relating to me.

    Please note that this email is digitally signed. References as to
    where my public key (for the purpose of verification) can be obtained
    are included in my email signature line.

    If this notification is not sufficient to address this issue, please
    inform me as to how I can best handle the matter. Otherwise I will
    assume this is a legal and binding request and that you will heed my
    expressed wishes.

    1. Re:I'm Warning My Vendors by blowdart · · Score: 1

      Oh lord.

      Ok it doesn't work this way round folks. Now pay attention.

      You create a passport account. You enter your name and addresses, and if you wish your credit card number. If you leave the CC out, you will be able to fill it in manually.

      You go to a passport enabled site.

      You click to purchase, the vendors web server then sends a message to MS saying "Can I have details for user x"

      Passport posts the information back to the server.

      At no time does passport ever get your shopping list, all they get is the store you're shopping at. That's less than your credit card people know about you.

      And if you don't have a passport account then MS will see *nothing* about you.

      Do you really think that signing up to passport has a clause saying "You must give us all your customer details, don't tell your customers though." Grow Up

  104. Is it possible to keep this database open ? by hernick · · Score: 1

    This is a situation where I cannot easily see open source succeeding. There is an obvious need for such a universal wallet service, but you can't decentralize that information and you need a trusted party to keep the information secure. The trusted party needs resources to keep his database running and secure...

    Unfortunately, it might mean seeing Microsoft getting a critical mass of the market where it can afford to dictate any terms it wants.

    Do you think there is any way that an open project can compete with Microsoft's wallet service ? Or are we at the mercy of the evil empire ?

  105. Oh. Really now, thanks but no thanks. by dieman · · Score: 2

    Ok, like I trust microsoft with billing information. I know someone who has personally had their credit card number mis-handled and charged three times by them. Also, I don't trust windows NT to handle this over-securely. This "passport" technology would be a good idea if someone like mastercard, or amex implemented it. IE: you have a public key for each retailer, encrypt your "passport" and send it to the retailer and they decrypt it with their private key and contact the "passport" site for more information on private lines. That would rock.

    amex seems to be doing this with the "blue" card in some ways.

    Sounds cool. But I want some real company about privacy that gets nastily audited for this, not microsoft.

    --
    -- dieman - Scott Dier
  106. Client or server by PigleT · · Score: 1

    I think there's a fundamental problem with these things, certainly one that restricts my predicted usage of them:

    a) of course I don't want M$loth to know one word of data about *me*, let alone have any control over my finances
    b) if it's implemented client-side, as a cookie, then I use far too many browsers in the average day (Netscape and Konqueror under linux, IE & netscape under Windoze) both at home and at work, for it to be viable
    c) if it's implemented client-side as a browser extension, then the chances are I'll not want to use any browser that's been so mangled as to have proprietary extensions in it - open-source standards as approved by the W3C, or it's not a web browser.

    So - I guess I'll just have to be one of the money-havenots, or something. Bummer!

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  107. Re:Not particularly new. Not particularly exciting by goldfish · · Score: 1

    Two problems here. Firstly, if Amazon are sending "Charge card XXXX XXXX XXXX 1234?" to your Web browser, your CC number has been broadcast over the wires already, anyway. One presumes they'd use https or something similar to provide a feeling of safety, but that works both ways, too. If you trust the 'net enough for someone to send you the number they're charging, you must trust it enough to send the number back.

    The second point is that your liability is reduced by having a third party (Passport) charged instead of you directly. The problem here is that MS won't want to pay for it if the small company charges you more than they should; so should that happen, the onus is on you to get MS to fix things, instead of being on you to get your CC company to fix things. No real difference.

    Personally, I do not and very likely never will use a credit card to order anything online. Sure, this means I don't shop online, but I've not felt this to be a lack in my life. (I also use cash, but this is to avoid transaction fees on lots of small transactions rather than a desire to keep my spending patterns hidden).

    The only way I would ever trust digital sales is if a transaction involved a digitally signed authorization certificate clearly stating the amount and product, and a transaction identifier, so the other end can charge for only that transaction, and only once, and I can easily prove it if they lie about it.

    *shrug*

    I'd probably avoid it even then. If I want something, I like to see it first, and carry it away with me after my purchase. ;)

  108. Nice try... by William+Wallace · · Score: 1

    Like I'm going to trust my e-wallet to the same
    jackasses that release a new security breach every
    other day!

    No thanks, I'll keep my e-wallet in my e-pocket
    where it belongs.

    -WW

    1. Re:Nice try... by Anonymous Coward · · Score: 0

      Actually, religion is a large problem in our society. If there's 10 people in it, it's called a cult, but if there's a million, it's called a religion. So these overgrown cults influence our society, making frivolous laws, and some extremists even go out and kill people. We can have a completely moral society without religion.

      We need to stop giving non-profit status to religious organizations, and start charging them taxes.

  109. CC fraud vs the net vs the FUD by thogard · · Score: 1
    Lots of people are worried about sending their CC details over the net but have no problem with someone else keeping them safe. I'm not saying this a good thing, just that people believe this just like every other bit of FUD.

    Banks have a real problem with merchant fraud over the net. It's much bigger than the use of stolen cards and results in higher fees for Internet transactions.

    M$ is trying to come up with a way to look like they have solved these problems while taking a cut of the cash flow. Their solution looks much like the SET wallet servers that have been around for about a year. The cool thing about them is that if you get both sides of the root key, you own the database. Since the one side is public, how long does it take to crack a 512 bit key these days?

  110. I think The Register sums it up best... by Dicky · · Score: 1

    In their story on this, they sum up the issue perfectly. There is a serious and (for The Register) extremely restrained report, with a link at the bottom to a "Related Story". The related story is a more normal Register-style story concerning the 'hacking' of Hotmail, and it is somewhat less restrained when referring to Microsoft in the e-commerce realm. This is either The Register being typically witty or a very nice accidental comment.

    --
    Paranoia isn't an infectious condition, it's a way of life
  111. Passport by Anonymous Coward · · Score: 0

    Can anyone see picked pockets and the Microsoft Treasury getting larger? Either two being related to each other or not. (Of course they will be, but Microsoft will blame the great nemesis hackers out there, including The Almighty hacker ;)

  112. Slashdotted? by homunq · · Score: 1

    Here's another URL to the press release.

  113. FIRE this! by Anonymous Coward · · Score: 0

    No. I trust Linux because I respect the creator. That's more than I can say for most Linux-distros. I respect Linus Torvalds because he has shown that he is an open character. He is upfront in what he says, I haven't heard him contradict himself yet (I haven't heard). Bill Gates on the other hand... that is asking for trouble, considering that all of us have had experience with his products. Sabotaged upgrade CD's, drivers and being dragged around by the nose by false "new" products among other things. What has Linus to lose compared to Bill Gates and Co.? A lot more. Bill Gates and Co. have already lost the respect of a lot of professionals, Linus hasn't so far: so I will stick with him being a respectable character.

    And you are partially correct: Microsoft is a unified enemy. Personally, I think Microsoft is both the solution and the cause to a lot of what is wrong with the industry today. Look at Intel for example. Intel has people so dog-trained that they have this attitude about "non-Intel" or "clones," strangely enough lately there haven't been many "clones" coming from the competition of Intel, most of it was from Intel. Merced is probably the most arguable. Interesting how Intel just bought DEC after DEC decided to defend themselves. Justice is bought easily here. Monopolies are really bad. Sure, at the moment there might be niches left to make a profit, but how long do you think an expansionary business such as Microsoft or Intel will allow it? They both have "diversified" god knows how far, mostly through "acquisitions," so why appeal to authority of someone who isn't technically connected to the design except by a patent? Intel hasn't made a good design in a while, neither has Microsoft. In case you haven't noticed, it is new stuff being fed to you bit by bit for a large cost per part. RDRAM? How stupid are people to allow such to happen? Think about it, why should RDRAM make a large difference if the memory pipe (data bus) is still 64-bits wide? Soon they will fix that too. Or maybe not, maybe develop another proprietary hub architecture to work specifically as a memory->cpu exchanges. But it is just one small increment after the next. Thank god AMD did something again to keep those brats moving by releasing K6-2/3 and K7! AMD has some good ideas, the problem is industry weakness. Intel and Microsoft have made things so easy by patenting everything under the sun and therefore making themselves "compatible," that it is very difficult for competitors to enter the market without some major support. Well folks, I hope you enjoy the current retardation, cause AMD might not last much longer if Intel strongarms (cliche) the market more.
    The problem is not so much the companies, but the ignorance and stupidity of the public. A lot like democracy. Who voted for Clinton twice? Can't say that I hold too much of a grudge, because you really didn't have much choice anyway. Intel is more politico now, it is a working strategy, doesn't matter if it is ethical? Who do you trust? Personally, I can't wait until Intel pulls a Clinton and humbles everyone by having the old $4000 workstations again, for the so-called "mainstream." Face it, Microsoft supporters are weak, they do not see the long-term because they are happy with the immediate gains. Some of us may be unified for the wrong reasons, but I am sure most M$ supporters are sympathizers for the wrong reasons.

    Read carefully, and think because I am a bit bad at presenting a format when I am angry. Look at all the details of each side. The press-releases, the speculations, the products, and finally the people. And certainly don't take only my opinion, because I probably fouled up transferring a message a few times, but I think the main points are clear about the problems.

    BTW, guy who wrote original, hope you live in hell where Intel and Microsoft force you to buy their products at an ungodly price index. Enjoy that $20000 Celeron-B 1.5GHz upgrade every year running MSY++, mwahahaha!

  114. Passport Hotmail crack? by fReNeTiK · · Score: 1
    In the discussions about the Hotmail backdoor some time ago (here, here and here, etc.), some ppl mentioned that the vulnerability was in some way linked to the Passport system (which was, I think, introduced through Hotmail first). Is that true?


    Anyway, while putting all sensitive in one place certainly makes life easier, it creates a single point of possible failure/vulnerability. Bad...
    --

    --
    I strongly believe that trying to be clever is detrimental to your health. -- Linus Torvalds
  115. I don't get it. by Sloppy · · Score: 4

    I can understand why someone would want to avoid having to type in their card #, address, etc over and over again, but -- call me clueless -- why would I want this info on a central server rather than my own machine?

    The "obvious" approach seems to me, to have a standard format for querying billing info, similar to how cookies work, and then have the user's machine pop up a "Supply/Deny" question. Why aren't they doing this?


    ---
    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  116. Their win98 (unauthorized) Data Gathering was bad.. by GreyFauk · · Score: 1

    Now millions of unsuspecting (==brainless morons)
    will (quite willingly) give up their personal
    information to a single corporation.

    And of all corporations... Microsoft??


    If you sit there and tell me that it's only going to
    be used and accessed (in a secure way) for on-line
    commerce and NOT for any other market research, demographics
    gathering... account tracking... or anything else,
    ever,... I'm going to have to laugh at you.

    Wake up and smell the money folks.

    Goodness of their hearts indeed.

    --
    Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
  117. And here I thought Amazon would net a lot of #s... by GreyFauk · · Score: 1

    Imagine breaking into the passport database server
    about a year from now......

    If you think Amazon.com has a large database of CC #'s...
    It'll be nothing compared to what M$ has....

    What do you think the odds are that the cc #s for passport
    are REALLY secure from the cracking forces out there?

    Last I saw, M$ was still in love with M$ products..
    (or at least still using them to save face)

    Heh.. On a side note, I wonder how much money M$ loses to
    downtime each year by continuing to use their own stuff?
    I'd be interested in the particulars :>

    --
    Friends don't let friends buy Compaq's. (Dell/Gateway... same same) You want a good computer? Build it yourself.
  118. If M$ takes a % of the profits then... by plaxion · · Score: 1

    it's just one more M$ tax that we'll all be forced to pay. Imagine buying a computer online in a future where you are forced to buy M$ software and OS using an M$ wallet that they profit from. I think Bill is trying to take too many bites out of the pie... how about you?

  119. scared? (was Re:Nothing new under the sun) by lwrcase · · Score: 1

    Maggie's little quote may seem like foolishness or paranoia and perhaps it was a bit of each. However, it was not completely unrealistic. I really believe Microsoft stepped over the line between monopoly and world domination here. They say that this service will provide heightened security by storing your information on their own servers and also by personally requiring all participating web sites to use "industry-standard" encryption when transferring sensitive data. Microsoft suggests here that for some reason it is their exclusive responsibility to enforce standards and protect their customers from the theft of their personal data. Microsoft portrays themselves as some sort of invincible superhero here to save us, or worse yet, an invincible global power here to bring order to all of our lives. These are duties of our respective governments, not some gigantic company. This may just sound like some more ridiculous anti-Microsoft propaganda at this point, but I believe all companies engaging in this "electronic wallet" are just as guilty of taking too much societal power into their own hands.

    Not only are these services wrong because of their undermining of our governments but also they are completely unnecessary security risks! The only valid reason for using one of these services is to save yourself the minute trouble of re-typing your personal information when making a purchase online. Being lazy is certainly not important enough to warrant remote (meaning interceptable!) storage and communication of information necessary for funds to be debited. For these reasons I feel there is a great need for some action to be taken against these "electronic wallet" services.

    "Perspective is lost in the spirit of the chase."

  120. Bill, here is my paycheck....... by Grand+Facade · · Score: 1

    You take good care of that now,
    #1 - cause I'm too stupid to spend it wisely.
    #2 - cause I'm too lazy to write a check.
    #3 - cause I'm unable to balance a checkbook.
    #4 - cause I won't take time away from TV or MSN to pay my bills.
    #5 - cause I think its cool to webify everything.

    Bill's a good guy, he will take care of me.
    ~~~~~

    --
    Rick B.
  121. Re:MS Certification? by Anonymous Coward · · Score: 0
    Perhaps MS isn't charging a fee because they have a worm introduced to 'collect' round-off values so they can make their money that way.

    Someone has been watching Hackers wayyyyyyyyyyy too much. :)

  122. Challenge to Bill Gates by heh2k · · Score: 1

    I'd like to see him use this service; ie, put his money where his mouth is. Bill, if it's secure (as I'm sure you'll claim it is), then why not? When security problems are found, you can bet his "e-wallet" is the first they'll go for.

  123. You Are 100% Right by Anonymous Coward · · Score: 0

    Sometimes I think the PHBs are out of their minds. Or at least completely blind. God save their souls!

  124. Um... by mattdm · · Score: 2
    Ok, that just moves the problem one step away. I don't see how it's much different for someone to intercept your Passport info and make fake Passport charges. The only "advantage" comes from the fact that fewer merchants (will) use Passport, limiting the possible damage. But that's a marginal improvement, and will obviously go away if the thing catches on.

    My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?

    --

    1. Re:Um... by Wah · · Score: 1

      My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?

      um, money? Save two minutes, pay two dollars.


      --
      +&x
  125. Re:Passport security hole by anticypher · · Score: 4

    Yes, passport is the reason for the hotmail security hole.

    When passport was first announced more than a year ago looking for early implementers, the serious hackers targeted it with an intensity unseen in recent years. Imagine a service with all the quality of a M$ product, the track record of M$ for lax security, holding thousands or millions of credit card numbers.

    This is an infocriminal's dream, because just one copy of this database could be exploited for billions of $$$ of bogus charges. There are organized crime groups around the world already set up to rip off the credit card companies with thousands of electronic scams. All they need is a valid credit card number, expiration date, and the holder's name.

    So when the hotmail hack was discovered, it was by a group probing every aspect of the passport service, and all the connections MICROS~1.OFT was making into other web sites.

    Now there are hundreds of sites with an end point leading into passport. What do you want to bet that one of them has some other security problems because they run IIS, and some crackers will be able to get thru the encrypted tunnel back into the passport service. Not likely they will get more than a handful of CC numbers before the hole gets closed. Crackers tend to be immature kiddies looking for some attention, so they will blab about their exploits. The serious infocriminals will milk any hole for all it is worth, and not make any announcements to HNN or attrition.

    Microsloth's only publicly acknowledged security aspect of passport is they are going to seed the database with 'tripwire' records, which will trigger anti-fraud measures when someone tries to use them with the CC companies (oh, and they use encryption).

    There are rumours it will be built into the desktop of millennium, so it will always be a click away, with annoying warnings to those lusers who are not using it. I doubt this service will become widespread, since it is bound to get abused at some point. Public confidence will go down when the press has a field day when the system is cracked once, even if it doesn't lead to the loss of any CC records.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  126. Not particularly new. Not particularly exciting. by ucblockhead · · Score: 4

    This is not a new idea, and this is not a particularly dangerous idea, either. If you've bought more than once from Amazon, you've used a similar system.

    Basically, Amazon saves your card number the first time you buy, so that when you come back, they can say "Charge card XXXX XXXX XXXX 1234?". The fact that you don't have to key the number is only a trivial advantage. The real advantage is that you don't have to send the number over the wire. Amazon knows what it is already, so they can simply charge the number they have, avoiding the need for sending the number where it could potentially be seen by evil criminal types.

    (An overblown danger, but that's another story...)

    This is all a good thing. It is not even a matter of "trusting" Amazon more than you otherwise would, because simply to buy things, you've got to trust them with your number. They will have it, and they will be saving it for financial purposes for at least a month, regardless. If you don't trust them with this, you shouldn't buy from them. (Note that the same goes for any retailer, internet or physical!)

    Now most people probably trust a company like Amazon at least in terms of finances. Amazon is not likely to go charging your card up randomly. Most people assume they will be fairly careful with your number. (They probably won't be as careful as you think, but that's another story.) They are a big, known company. Where the trouble comes in is with tiny little companies that no one has ever heard of. Do you trust them with your number? That official-looking site could just be one guy in a basement. Give him your number, and you give him the ability to charge thousands of dollars in your name.

    So what to do? An obvious solution is to do what is being done above. You give your charge number to some large company that you know will not abscond with it, charging it to the limit. Then you tell the little podunk companies to charge the big company. Your liability goes down. Your charge number doesn't fly across the wire every time you make a purchase from a new company. These are good things. This is more secure than sending your card number directly to everyone you buy from.

    The only question is whether or not you trust Microsoft to secure your data. This is the same question you should be asking were you to make a purchase from Microsoft over the wire (or over the phone), as the data is the same.

    --
    The cake is a pie
  127. First of all, It's a great idea, but... by joshv · · Score: 2

    I have been wishing for something like this for at least the past two years. I am tired of having to remember usernames/passwords for every site I use. And having to supply billing/shipping address and CC information every time I make a purchase is a pain.

    BUT, I am MORE than a little leery of Microsoft being in the position of providing a solution to this problem. I simply do not trust them with this type of information, and I don't trust them to provide a fail-safe mission critical service that MUST be up 24/7.

    I think most of us would agree that in principle this is a good idea, just that this particular implementation might give the clueful user pause.

    But, how hard is this to do? Could the OSS community develop a distributed, secure, web-based single-logon facility?

    The components of such a system could be as follows.

    1. A standard for user information. Another post already mentioned just such an open standard.

    2. A 'logon server' which provides user information to client web sites at a user's request.

    3. A standard, open, secure protocol with which a client web site interacts with a logon-server.

    4. A user who registers with a 'logon server' and specifies the information they are willing to provide other client web-sites. The user also specifies a backup logon server which will mirror their information.

    5. Client web sites which modify their logon procedure to gather user information from a user specified 'logon server'. No registration would be required on the part of the client web site.

    Each 'logon server' could actually be many servers. It would be relatively easy to distribute the load as most of the activity would be of a read-only nature, making the replication of user data across servers fairly simple. User updates to their data are another issue, but they would be relatively infrequent.

    How would anyone make money? Banner ads on the logon server's logon page perhaps. Re-selling consumer buying patterns would most likely be the biggest source of revenue. There is nothing wrong with this as long as nothing which could identify you uniquely is revealed. I don't care if someone wants to know what the buying patterns of a 28yo white male in such and such an income bracket are.

    It is important to note that the user would choose their single logon service, and could change/cancel at any time.

    It would be an open standard, with all the code required to start a logon server available freely on the web. This would hopefully prohibit any one service from gaining a monopoly stranglehold on the market.


  128. Re:keep my soul safe by mistabobdobalina · · Score: 1

    war is peace. love is hate. windows is stable.

    --
    -- your knees hurt, don't they?
  129. How many can be called Passport? by mmoore · · Score: 1

    I have noticed lately that a lot of products have come out with similar names-there are a couple already named Passport as well, such as IBM Passport-is there not anything to restrict the names of products? Or is it the simple fact that it is referred to as Microsoft Passport and IBM Passport? I have a feeling if we started naming things Exchange or Office2000 (purely examples) for Linux things might get a little hairy-so what exactly is the divider?

  130. I have seen the future... by Noryungi · · Score: 4
    (How to print money -- 2002 style)

    CrACkRZ WheEL oF fORtUne! v0.99.14.151
    [Win2000 4.00.004 SP7]


    [Click here to start]

    Checking e-wallet status... Done.
    Checking bank account status... Done.
    Checking permissions...
    • Removing MS permission... Done.
    • Removing FCC permissions... Done.
    • Removing RSA permissions... Done.

    One moment please...


    How much money would you like to add to your e-wallet? NOTE: if sum > US$ 1,000,000 you could be in TROUBLE!

    Enter sum and press [Enter]:99999

    US$ 99,999 added to e-wallet account!

    Thank you for using CrACkRZ WheEL oF fORtUne!


    Bill "Hotmail God" Gates: would you like this man to take care of your money? Thanks, but no thanks.
    --
    The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
    1. Re:I have seen the future... by Black+Parrot · · Score: 1

      > Enter sum and press [Enter]:99999

      Finally, Make Money Fast e-message that actually works!

      First thing you know, MS will add a scripting language to keep the "powerusers" happy. Then you'll start getting e-messages with attachments that whisk your money away to a Swiss bank account.

      --
      It's October 6th. Where's W2K? Over the horizon again, eh?

      --
      Sheesh, evil *and* a jerk. -- Jade
  131. Well, unless they have patented the idea, OSS it! by mattz · · Score: 1

    it should be easy enough to do this, maybe create a non-profit organization to handle the databases.

    --
    Remember this...no eternal reward will forgive us now for wasting the dawn....(jim morrison)
  132. Well there you go... by grepgrep · · Score: 1

    We've all been giving our hard earned cash to Microsoft for years for no reason. Since they have the most money and are obviously the best at looking after it M$ can go into banking and we give them our pay packets directly and they can let us have pocket money.

    As my MCSE friend says:
    "I'd rather not talk about that".
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~

    --
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~
    As my MCSE friend says: "I'd rather no
  133. Megaservice... by homunq · · Score: 1
    • Microsoft Passport is the first example of a "megaservice" available for businesses from Microsoft. Megaservices are a new breed of service that extend the Web's capabilities by directly linking applications, services and devices with one another over the Internet. Passport provides online merchants with customizable and easy-to-implement e-commerce services that improve their customers' experience by streamlining purchasing and simplifying registration across a network of Web sites and services.
    I wonder what's next... they'll keep your windows registry remotely so software vendors can check for compatibility? Within-site search engines? Web-advertising bundling and sales?
  134. Har har! by mholve · · Score: 1

    Yeah right! Store *my* information with anyone? Let alone Microsoft? I don't think so!

  135. percentage of profits? by GC · · Score: 1

    What!!!, you mean that Microsoft will tax all Internet spending when done via e-wallets? That is outrageous. It makes me sick, I might even boycott using the internet at all if that went through.

    I'm sorry if this seems like Microsoft bashing, but it is ridiculous that a single corporation can "invent" currency on the internet and then globally tax all expenditure on it, which is what this amounts to.

    We also have the security implications, just imagine if someone breached their database... and downloaded 2 billion credit card details, another billion debit and bank details.

    We have to fight against even the thought of this becoming the case.

  136. Has there been any security evaluation? by Apuleius · · Score: 2

    Anyone from the L0pht, or Counterpane care to comment?

    I found no matches searching in SecurityPortal
    or SecurityFocus, so far. Nor in Google.
    nor Altavista.

    Is this the sort of thing I have to forbid
    my mother from trying?

  137. Re:Learn more before posting by blowdart · · Score: 1

    You will be able to leave the CC number out, so it will just fill in delivery addresses.

    :)

  138. Myth Bashing by blowdart · · Score: 1

    OK I'm getting pissed answering the same FUD each time someone posts it. So here's a summary

    What does it do? It's a central repository for your billing, shipping and credit card information. Each of these sets of information is optional.

    How does it work? A web site can choose to add Passport support onto their site. When you browse the site and go to pay, you will see a login to Passport button. If you choose this, then the shopping site can request the shipping & billing information stored on the Passport servers. This is sent back to the shopping site via HTTP and SSL via the "post" method.

    What about the new ECML standard? Well that's not really a wallet standard, more like a form naming convention. But Passport works with it, like it works with any form.

    What are the benefits? Well for lazy people it means they only have to enter their details once, then use a common login over all Passport supporting sites.

    But why should I give MS my details? If you don't like it, don't. The wallet licence isn't exclusive, sites are not forced to force you to use wallet. Of course some stupid web master somewhere may consider that a good idea, if so, avoid them.

    Why is it good? Well every Hotmail user has a passport account by default, that's an awful lot of people. It allows flexible branding of the wallet, so it won't have to look like an MS product. And it offers an easy way to support impulse buying, something stores like.

    What does it support? For the Wallet anything, for the common login (see below) IIS & NT now, Unix is about 85% done for Sun and Netscape servers, Apache version about 75% done. Give it a month and a half.

    What else is it planned for? Well a common login type thing. When you login to Slashdot and customise that's kinda nifty. But try using the same login on another site, and someone else may have taken it. Passport will eventually allow a common login across all sites implementing it, whether it be for shopping or just personalisation purposes.

    Costs? Mindshare so far, after March 2000 fees will be implemented.

    Who bills? You do. Look I keep reading that the vendor bills MS, then MS bills you. Utter crap. For a start that would be problematic for those countries outside the US (yes we do exist you know). What good would it be if a London company had to bill MS in pounds, then MS bill my British Visa in dollars? Passport will transmit your credit card details to the shopping site, if you have entered them. If you haven't it will just send shipping information, if you've entered it.

    Problems? Security, let's face it MS is a big target. But quite frankly if anyone says "We're going to store credit card information for the world" on this server, lots of people are going to attack it.

    I'm peeved at you lot, I've seen a lot of FUD here this morning, and I'm more disappointed than normal.

    Now I've implemented 3 client side wallet systems, and 1 passport test system. And from a server side, Passport is sweet.

    Anyway, no-one's forcing you to use it are they?

    Barry

  139. Control over microsoft by Anonymous Coward · · Score: 0

    Three questions: 1) How hard do you find it to maintain a good idea of what is going on inside of microsoft both from a business and technological standpoint. 2) Have you ever been surprised by an official position taken by microsoft, or objected to any of the numerous issues which are ethically questionable ? 3) Would you sacrifice a portion of your profit margin to support or advance technology that benefits society but not microsoft directly ( open protocols, open source) ?

  140. Exactly. by Wah · · Score: 1

    Microsoft products have no known security risks. Their track record for fixing security risks is immaterial since they don't exist. Their track record for privacy and respecting the rights of their customers is also squeeky cleen. They 'em good.
    (Where's Gerald when you need him...)

    --
    +&x
  141. This makes me think... by Parity · · Score: 1

    This is probably a fairly common attitude (security is for consumer confidence // what the consumer doesn't know won't hurt him or her // why spend the extra money)
    Conscientious software folks will push for this to be done correctly, but, well, I'm sure there are unconscientious software folks out there.

    So... the point then is our credit card numbers could be bantered around in the clear, stored on non-firewalled servers for any length of time, compiled into lists and e-mailed between purchasing and marketing...

    Okay, so, the credit-card company will cover us on abuse of our credit card number, but - the people exposing our numbers to vulnerability may never be caught. Certainly not anyone as big as M$.
    Smaller outfits might get caught on statistical analysis... joe, bob, mary, and jane all bought from A-Store on june 6 and never did all four buy from the same store before or since... therefore, the cracker stole numbers on June 6 from A-Store.
    Anyone know if the credit card companies are in the habit of this kind of test? I'd imagine they are.

    OTOH, the fact that joe, bob, mary, and jane all used M$ Passport on June 6th would be statistically meaningless, (given that it reaches a certain size, which I expect it to.) It would be like saying they all used a Cirrus ATM... so what? It's not compelling. It might be four separate cracks, or it might be a crack of M$, there's no reason to believe one or the other.

    This is not parallel to brick & mortar, btw, because in the brick & mortar case, there aren't thousands of crackers roaming the halls looking for the unsecured office with a list of cc #'s... not to say everyone's honest, just, that it's impossible to probe hundreds of physical buildings in cities spanning the globe on an idle evening...

    --
    --Parity
    'Card carrying' member of the EFF.
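
The statistical test described in the comment above (a common-point-of-purchase check), as an added example that is not part of the original post and not any card issuer's actual method. The card labels, the `wallet-service` name, the transactions and the choice of a hypergeometric test are all constructed assumptions; the point is that a small merchant shared by every victim stands out, while a service nearly everyone uses does not.

```python
from collections import defaultdict
from math import comb


def hypergeom_tail(N, K, n, k):
    """P(X >= k): chance that at least k of the n compromised cards are among
    the K cards seen at one merchant/day, if compromise were unrelated to it.
    N is the total number of cards in the population."""
    total = comb(N, n)
    hits = sum(comb(K, i) * comb(N - K, n - i) for i in range(k, min(K, n) + 1))
    return hits / total


def score_points(transactions, compromised):
    """transactions: iterable of (card, merchant, day) tuples.
    compromised: cards later reported for fraud.
    Returns {(merchant, day): {"victims", "shoppers", "p"}} for every
    merchant/day that at least one compromised card touched."""
    compromised = set(compromised)
    shoppers = defaultdict(set)
    for card, merchant, day in transactions:
        shoppers[(merchant, day)].add(card)  # sets ignore repeat purchases

    population = set(compromised)
    for cards in shoppers.values():
        population |= cards
    N, n = len(population), len(compromised)

    scores = {}
    for point, cards in shoppers.items():
        k = len(cards & compromised)
        if k:
            scores[point] = {
                "victims": k,
                "shoppers": len(cards),
                "p": hypergeom_tail(N, len(cards), n, k),
            }
    return scores


def common_points(transactions, compromised, alpha=1e-3):
    """Merchant/day pairs whose overlap with the victims is too large to be
    chance (p < alpha), most suspicious first."""
    scores = score_points(transactions, compromised)
    flagged = [(pt, s) for pt, s in scores.items() if s["p"] < alpha]
    return sorted(flagged, key=lambda item: item[1]["p"])


# --- Constructed sample data: 1000 cards, 4 of them later reported ---------
VICTIMS = {"joe", "bob", "mary", "jane"}
OTHERS = [f"card{i:04d}" for i in range(996)]
DAY = "06-06"
TRANSACTIONS = (
    # Small shop: the four victims plus six other customers that day.
    [(c, "A-Store", DAY) for c in sorted(VICTIMS) + OTHERS[:6]]
    # Ubiquitous service: 900 of the 1000 cards, victims included.
    + [(c, "wallet-service", DAY) for c in sorted(VICTIMS) + OTHERS[:896]]
    # Unrelated shop that one victim happened to use.
    + [(c, "B-Store", DAY) for c in ["joe"] + OTHERS[100:150]]
    # The same small shop a day earlier, no victims among its customers.
    + [(c, "A-Store", "06-05") for c in OTHERS[200:210]]
    # Remaining cards, so the population is the full 1000.
    + [(c, "C-Store", DAY) for c in OTHERS[896:]]
)

if __name__ == "__main__":
    for (merchant, day), s in sorted(
        score_points(TRANSACTIONS, VICTIMS).items(), key=lambda kv: kv[1]["p"]
    ):
        print(f"{merchant:15} {day}  victims={s['victims']}/{len(VICTIMS)} "
              f"shoppers={s['shoppers']:4}  p={s['p']:.3g}")
    print("flagged:", [pt for pt, _ in common_points(TRANSACTIONS, VICTIMS)])
```
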
  142. Re:I'd trust a company who could burn money every by Anonymous Coward · · Score: 0

    Sure, Microsoft didn't get rich by taking advantage of people. (Right.) Granted its generally been companies that have gotten screwed over, but the general rule of thumb is Don't give information to Microsoft unless you plan on them using it for something.

    Secondly, MS has the worst security track record of any company I can think of. The recent news stories about hackers ("NASDAQ Website Attacked!", "Hotmail security hole exposed!", "New IE Security Hole Found!" - and these are just from MSNBC) have all been related to MS services (incidentally, NASDAQ was using MS's internet server).

    The ARMY moved from an MS network to an Apple network because of major security problems with NT(this story was also from MSNBC :).

    If a total stranger can read my MS-provided email and change my MS-powered website, I am NOT giving them my credit card number.

    Not only do I not trust MS, I don't trust Joe Anonymous who can get into my stuff...

  143. Learn more before posting by Anonymous Coward · · Score: 0

    I love a lot of these posts babbling on about so and so is going to be bad and wrong and here is why!. Passport is not Wallet. First of all Passport itself is designed so that multiple sites out there requiring a login can use a shared login system, so you can have the same user login on multiple un-related sites. The main sell here is to cut down on the need for people to have user/password lists for all the sites with logins. Under that, is the Passport Wallet feature, which can also be used on e-commerce sites using Passport (if they so choose to implement the Wallet portion). The billing and CC info is stored at MS. You have to login to use the Wallet feature (if not already from entering the site to begin with). I would imagine you would need to keep your own private account, so that your children, etc. don't share your account. The sell here is that it's annoying entering the billing & delivery information here (hey I'd be happy to just have that data entered automagically minus the CC) The remote site doesn't ever automatically get access to the Wallet data. The wallet supporting site has a link to the MS wallet, which goes to the MS site, which in turn does an HTTPS POST back to the vendor site with all the information.

  144. Learn more before posting by Anonymous Coward · · Score: 0

    I love a lot of these posts babbling on about so and so is going to be bad and wrong. Well here I am to straighten a few things out:
    Passport is not Wallet.

    First of all Passport itself is designed so that multiple sites out there requiring a login can use a shared login system, so you can have the same user login on multiple un-related sites. The main sell here is to cut down on the need for people to have user/password lists for all the sites with logins.

    Under that, is the Passport Wallet feature, which can also be used on e-commerce sites using Passport (if they so choose to implement the Wallet portion). The billing and CC info is stored at MS. You have to login to use the Wallet feature (if not already from entering the site to begin with). I would imagine you would need to keep your own private account, so that your children, etc. don't share your account. The sell here is that it's annoying entering the billing & delivery information here (hey I'd be happy to just have that data entered automagically minus the CC)

    The remote site doesn't ever automatically get access to the Wallet data. The wallet supporting site has a link to the MS wallet, which goes to the MS site, which in turn does an HTTPS POST back to the vendor site with all the information.

  145. It'll be a cold day in cyber-hell.. by Mojo+Geek · · Score: 1

    ...before I trust that man with my cyber-wallet.

  146. I knew it! by Anonymous Coward · · Score: 0

    I knew they would do this kind of thing sooner or later. Tapping your wallet directly to MS? Not for me!

  147. keep my soul safe by Hard_Code · · Score: 1

    I wonder if Microsoft has a service for centrally locating everybody's soul...you know, to keep them "safe". I sure wouldn't want anybody [but Microsoft] to have my precious soul. They could do something evil with it...um, like, extortion or something. In fact, I should give all my possessions and right of attorney to Microsoft for safekeeping. I'm just glad there is a noble company like Microsoft to stand up for us poor mindless sheep who can't control our own possessions.

    --

    It's 10 PM. Do you know if you're un-American?

  148. MS Certification? by veldrane · · Score: 1

    What type of certification does MS have for Passport with the Federal Reserve (or any other real bank)?

    I'm just curious of that because of the potential of MS having a worm in this product. I'd imagine it's pretty unlikely but who knows for sure? Passport isn't open source.

    Perhaps MS isn't charging a fee because they have a worm introduced to 'collect' round-off values so they can make their money that way.

    Ok, so right now a worm would be pretty useless because your money isn't getting any interest (or is it?) but eventually, that may be one of the incentives they use to gain customers/users.
    A worm introduced at its inception would make it a little harder to detect.

    *shrug* I'm probably just being paranoid but I just have a problem trusting a corporation with my money that has shown time and again that it is untrustworthy.

    -Vel

  149. Passport humor by Signal+11 · · Score: 2

    "This is where you will go today."

  150. I don't think so. by scumdamn · · Score: 1

    There is no way in hell I would trust that "service". Microsoft has a reputation of being untrustworthy, unethical, and ruthless. Entering all my personal information into a service that depends on Microsoft to keep the service free or at least without strings attached. At this point, I don't trust Microsoft for anything. I'd rather pull out my credit card, type in the numbers, and click submit. I know some people will be lulled into trusting Microsoft to take care of their personal information, but I sure won't be one of them.

  151. Amex Blue by Booker · · Score: 2

    Is this sort of like what American Express has done with "Blue?"