Microsoft Defends Passport To Privacy Group
securitas writes: "CNET reports that Microsoft is defending Passport as safe and secure in a presentation to the Center for Democracy and Technology. Other organizations such as the Electronic Privacy Information Center, Junkbusters and even the U.S. government may be lobbied by MS this week to fend off a Federal Trade Commission complaint filed by 15 consumer and privacy groups that charges unfair and deceptive practices."
Well... (Score:2, Funny)
Unfair Practices? (Score:2, Funny)
Unfortunately I am ineligible for any such legal action against them as I think I gave them my soul in the last click through agreement I did...
One password, multiple accounts, low security (Score:4, Informative)
"One of Passport's greatest security weaknesses may be the single sign-on process, analysts said. The single point of entry could also be a single point of failure. Since the ID is always an e-mail address, someone looking to break into an account might easily obtain half the information needed to do so."
Because people usually don't pick very secure passwords, it's better to have multiple passwords so that an eavesdropper or other malicious person can't crack into all your accounts. U of I just made people intentionally set all their 3 or 4 passwords instead of just giving them one that applied to all 4 (although most people tend to choose the same password for all their online services anyway)
Also, because Passport's trying to incorporate a lot of information in one place that used to be distributed in many different places, if someone hacks into Passport, there goes all your privacy.
F-bacher
Re:One password, multiple accounts, low security (Score:5, Insightful)
Scenario 1: User always uses the same login/password everywhere they go.
If you obtained that username and password, you'd be able to log into any service *that you know they use*. You would not be able to log into any random service unless that user happened to have been there before.
Scenario 2: Passport.
If you obtain their Passport login and password, you could log into services *the user has never logged into before*. I'll admit I don't know much about how Passport works, but it seems that you'd be able to use their credit cards and other personal information at any Passport-enabled site...
So even though users may choose non-secure passwords and use the same info at many sites, you still would have to know what services the user has signed up with. Passport eliminates that obstacle.
Re:One password, multiple accounts, low security (Score:3, Insightful)
A service pack? Abject denial?
It's simple... if you're providing an online service, you need to supply the best protection possible to your clients. And there is no indication that M$ has the slightest clue on how to do this.
Kierthos
Re:One password, multiple accounts, low security (Score:2)
Re:One password, multiple accounts, low security (Score:3, Funny)
Yup, I just got me postmaster@fbi.gov and postmaster@usdoj.gov (all of the system_accounts@microsoft.com have already gone). I bet we can think of a few more good ones for when they start spamming their victims and/or sending out the "Nobody panic, but there is a tiny chance that your account may have been compromised..." shrieks.
Multiple passwords are *not* more secure (Score:5, Insightful)
Unfortunately, that's just not true. Usability research has shown certain facts about passwords again and again. In particular, as soon as you start forcing users to remember several passwords, they immediately start using obvious and easy to remember passwords, or writing them down in a readily accessible location. Clearly, this does not improve security.
Having a single sign-in, with a single, genuinely cryptic ID and password, is far more secure than twenty different authentication schemes for different facilities. Of course you rely on the keeper of that information to keep your data in a trustworthy fashion, but you have that problem anyway. At least with a single secure sign-in the average five year old can't guess everyone's ludicrously simple password.
Re:Multiple passwords are *not* more secure (Score:5, Insightful)
Good usability research involves observing the people who are actually going to use your product, using your product. If those people are stupid enough to dump your hot drinks on themselves, you need to design a product that stops them doing it. What you don't need to do is complain that they are stupid.
This is the point. If you're designing a product, whatever it may be, and you want to sell it to a particular market, then your personal opinion on what that market should do is totally irrelevant. Your preconceived ideas about how they should behave are totally irrelevant. You have to watch what they do do and how they do behave, and adjust your product accordingly. If you don't, your product will not be a success, and all the ego in the world won't change that.
Re:One password, multiple accounts, low security (Score:3, Interesting)
The funny thing is, I don't know if it uses some kind of mnemonic algorithm like VMS's password generator does, but I find the generated passwords to be very rhythmic and easy to remember. I'd give an example of my favorite, but then I'd have to change my credit card password :P. Of course, it may just be something peculiar about how my mind works; I've always found it very easy to remember arbitrary number sequences when they are used frequently in my daily life (phone numbers, IBM PC color codes, &c)
Passport - Great idea, iffy implementation. (Score:1)
Old idea (Score:1)
And if the single source happens to run an insecure operating system from Microsoft, then there will be disaster.
Microsoft fell to Code Red like everyone else who ran a Microsoft operating system. Far too much responsibility for Microsoft to handle. And that doesn't even factor in the matter of whether or not they can be trusted to act ethically.
Re:Passport - Great idea, iffy implementation. (Score:1)
Re:Passport - Great idea, iffy implementation. (Score:3, Funny)
Because web certificate authentication is so wonderful as it is today.
Re:Passport - Great idea, iffy implementation. (Score:2)
In a perfect world businesses would never sell information about their customers, but we all know it happens occasionally. What if a supposedly legitimate business with access to Passport decides they can make good bucks selling user information to a 3rd party that can't get it legitimately? Not to mention the fact that Passport may give this rude business more info about me than I would normally need to give them during the course of doing business with them.
The fact that businesses, for the most part, only have information that they need about their own clients is a level of security in itself.
Does anyone know more about how MS plans to allow 3rd parties access to Passport authentication?
Re:Passport - Great idea, iffy implementation. (Score:2, Interesting)
It's not just a world wide identification system... passport is the first installment of Hailstorm [microsoft.com]; it's not just a common identification service, it's the first step towards common data storage that may be shared between web sites...
This is a good idea... all of you who contend otherwise are speaking purely out of emotion.
It's very clear that one of the biggest reasons for the success of windows desktop platform has been the interoperability of windows applications.
It's very clear why this is a good thing for the user, what is not clear is how it might be implemented on the web whilst safeguarding people's very basic human rights such as liberty and privacy.
I agree that this would be a huge step forward for the web, and is a step towards its ultimate evolution. Accordingly this should not be seen as something that should be crushed at all costs... it should be seen as something that needs to be debated, fleshed out and evolved. Taking a hostile approach against this is only going to see less public input put into it than might otherwise be achieved.
Re:Passport - Great idea, iffy implementation. (Score:3, Insightful)
Re:Passport - Great idea, iffy implementation. (Score:1)
Hmm.. (Score:1)
Re:Hmm.. (Score:3, Insightful)
Sure, my current passport account is filled with bogus info and is mostly used for hotmail and sometimes msn communities. But the idea is that the passport login will be required for more legit/official uses such as the MSN HomeAdvisor, financial sites, and maybe even ecommerce. Sites that you'd ordinarily give real info to will soon be using passport. And that sucks.
Re: (Score:2)
security and privacy a difficult issue (Score:5, Insightful)
The problem is that they haven't had any success protecting it anyway. To be completely fair, neither has anyone else. The other difficulty is that although I would trust MS rather than JRV to protect my data, the necessity of distribution and interaction opens up a whole new class of security holes that no one has even thought of before.
The unfortunate truth is that right now the only way to protect your privacy online is not to give out any information, and that Passport will do exactly nothing to remedy this situation.
Re:security and privacy a difficult issue (Score:3, Insightful)
I disagree.
Just because I am truthful when entering my age on one site doesn't mean I want to be on another site. If both ask for my age, and both use passport, I'd have to use two passport accounts to achieve my age-deception! And that defeats the whole purpose.
Age is just a trivial example. What info (and how much info) most people give out varies greatly between sites. How does it benefit me, the end user, to have all my info in one place? I can remember passwords, so that one-password argument is no good.
And, even if I wanted one place for all my info, M$ would be the last company I would want to administer it.
Re:security and privacy a difficult issue (Score:5, Informative)
A site that wants to use Passport for SSO generates an URL that redirects to the passport website. Then the user logs in, and passport redirects back to the original site. The original site can then access the authenticated username, but that's it.
When the site wants to get some data from the user, say the user's age or address, they don't query passport directly. What they do is redirect back to passport, passport generates a form with the values prefilled in. Then the user can edit those values, or just click submit, and the values are posted back to the original site.
So as a user you still get full control over what data a site you visit has. And you can tell a particular site info that is different to what is stored in passport. But it does save you typing in the same old boring gumpf into site after site.
Re:security and privacy a difficult issue (Score:3, Informative)
Or you can just use the very cool (and free) RoboForm [roboform.com] which sits in your toolbar and auto-fills forms that pop up in your browser (there are other form-fillers around but I haven't tried them).
This kind of software doesn't require you to submit your personal information to a centralised authority (it's stored on your PC), and you can keep multiple 'identities' and choose which to use to fill in a form. I keep 'complete', 'partial', and 'anonymous' identities which I use to decide how much (and how truthful) information I want to give to a site.
Re:security and privacy a difficult issue (Score:2, Informative)
While it does confirm your statement that you can tailor and select what information you send from the "wallet" MS keeps for you, there are still problems. For one thing when you sign into Passport this is noted by use of encrypted (3 DES) cookies stored on your browser. The intent here is that you only need sign in once and all kinds of sites will be able to authenticate you. This part of the procedure happens transparently once you've signed into Passport.
The vulnerability here should be obvious, if you don't at some point logout from Passport, then the next person who opens the browser will be recognized as you anywhere that uses Passport authentication. Furthermore those neatly prefilled out forms will then contain all your information which this imposter could simply read off. Of course, the cookies are set to expire after a while, but certainly that is a matter of hours if not days, since MS doesn't want to interrupt people and force them to relogin.
This is only one of a number of problems and potential attacks outlined in the site I linked above. Good stuff, I suggest you check it out.
So now on, forgetting to logout will be an internet wide catastrophe as opposed to a localized problem? Thank you, MS.
Re:security and privacy a difficult issue (Score:2, Insightful)
Misconstruing Passport (Score:5, Informative)
One says 'Sign me on Automatically'. If you check this, a cookie is stored that remembers to authenticate you from then on.
If you don't check this box (which is the default condition), then a cookie is created and stored which remembers your username. But the authentication information is stored as a session cookie which disappears when you close the browser.
There is a second checkbox. It says 'I'm using a public computer'. This stores a session cookie on your machine for both the username and authentication.
Once you have closed the browser, the session cookie is gone and you no longer authenticate automatically, nor is your username auto entered for you.
So while I understand your concern, Microsoft has provided two checkboxes which alleviate this concern. Neither checkbox is on by default which means the default behavior is to remember your username only.
If you have a better solution to this problem, I'm sure we'd all appreciate hearing about it.
BTW, the paper you linked to has much better explanations of problems Passport might have than what you wrote about. Man in the middle type attacks that involve redirecting DNS, etc.
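The three sign-in modes described in the comment above, modelled as an added example that is not part of the original thread and is not Passport's code: it builds the `Set-Cookie` headers for each mode and reports what the next person to open the browser would find. The cookie names `sso_user` and `sso_auth`, the 30-day lifetime and the sample account are assumptions.

```javascript
// Added illustration. Cookie names, lifetime and sample values are assumptions,
// not values taken from Passport.
const THIRTY_DAYS = 30 * 24 * 60 * 60; // seconds

// Which cookies persist past browser close in each mode described in the comment:
//   "default" -> username is remembered, authentication is session-only
//   "auto"    -> "Sign me on automatically": both are remembered
//   "public"  -> "I'm using a public computer": both are session-only
const SIGN_IN_MODES = new Map([
  ["default", { user: true, auth: false }],
  ["auto", { user: true, auth: true }],
  ["public", { user: false, auth: false }],
]);

// Build the Set-Cookie header values a sign-in server would send for one mode.
function cookiesForSignIn(mode, username, ticket) {
  const persist = SIGN_IN_MODES.get(mode);
  if (!persist) throw new Error(`unknown sign-in mode: ${mode}`);
  const build = (name, value, keep) =>
    `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly` +
    (keep ? `; Max-Age=${THIRTY_DAYS}` : ""); // no Max-Age/Expires => session cookie
  return [
    build("sso_user", username, persist.user),
    build("sso_auth", ticket, persist.auth),
  ];
}

// Parse one Set-Cookie value and decide whether the browser keeps it on disk.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: decodeURIComponent(pair.slice(eq + 1)),
    persistent: false,
  };
  for (const attr of attrs) {
    const [key, val] = attr.split("=");
    const k = key.toLowerCase();
    if (k === "max-age" && Number(val) > 0) cookie.persistent = true;
    if (k === "expires" && Date.parse(val) > Date.now()) cookie.persistent = true;
  }
  return cookie;
}

// Simulate closing the browser: session cookies are dropped, persistent ones stay.
function afterBrowserClose(headers) {
  const kept = {};
  for (const c of headers.map(parseSetCookie)) {
    if (c.persistent) kept[c.name] = c.value;
  }
  return kept;
}

// What the next person at the same machine gets after the browser was closed
// without an explicit sign-out.
function nextVisitorSees(mode) {
  const headers = cookiesForSignIn(mode, "alice@example.com", "constructed-ticket");
  const kept = afterBrowserClose(headers);
  return { usernamePrefilled: "sso_user" in kept, signedIn: "sso_auth" in kept };
}

for (const mode of SIGN_IN_MODES.keys()) {
  console.log(mode, nextVisitorSees(mode));
}
```

The model only covers a closed browser; a session cookie still authenticates whoever uses a browser window that was left open.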
Re:Misconstruing Passport (Score:2)
For simplicity, I'm restating the link here [avirubin.com].
Re:security and privacy a difficult issue (Score:2, Interesting)
Aggregation is a bigger concern (Score:5, Interesting)
As a silly example, let's say you buy rat poison. No big thing, people buy it all the time.
Let's say you buy a book about "perfect murders... and how they were caught." No big deal, people buy true crime books all the time.
Now let's say you recently bought a bunch of lingerie. And had it delivered. But not to your home address. You're having an affair, sleazy, but not unheard of.
Now finally let's toss in the fact that you just consulted a lawyer. A divorce lawyer. One who specializes in breaking prenuptial agreements.
Suddenly things are much more interesting.
Most of us aren't planning to murder our spouse, or even to look like we're thinking about it. But it's certainly possible for mindless data aggregation to cause people to jump to the wrong conclusion. E.g., you bought a couple books on alcoholism, and a few cases of wine? You obviously have a problem, don't you. (Nope, the wine is a gift to newlyweds and the book is to help me understand if my nephew needs help.) Etc and so forth.
Even with all of this information centralized with Microsoft (and make no mistake that the Passport/Hailstorm system will not collect this information), my biggest concern isn't that it will be leaked. My concern is that it will have bogus information fed into it. There's a nice market opportunity for nasty companies to put bad information into these records, then offer to clean it up for you. For a modest price, of course. All of the potential damage of a credit report, but with none of the legal safeguards.
Of course, that same problem exists today with the aggregated data provided by credit card companies, but again it isn't a *single* point of failure. Even if you crack Citibank (still the largest CC issuer?), it does nothing about the hundreds of millions of people who don't have Citibank cards. But crack Hailstorm and you'll have information on almost everyone online.
Passport does NOT aggregate transactional data (Score:1)
There is no way that MS will know that you bought Rat Poison from one passport using site, and Lingerie from another.
Well, let me rephrase that. There are plenty of ways that that kind of information can be collected (i.e. through doubleclick and similar user-info-swapping deals) but Passport doesn't alter the equation.
There is a common misunderstanding here, passport is not the sole repository of all data for all sites who want to use passport. Each site collects and maintains its own info.
Re:Passport does NOT aggregate transactional data (Score:2, Interesting)
The problem with aggregating user transactions across multiple sites is matching up user accounts on one site with user accounts on another. DoubleClick solved this by using cookies, but (at least on single user Win9x boxen) identify a machine only, not a user, i.e. they can't detect multiple users of one machine or someone who uses lots of machines.
What passport does is make people use the same account ID at all sites (i.e. their email address).
Passport sites aren't the only sites that do this, e.g. safari.oreilly.com uses your email address as the login, as does amazon. So if Oreilly and Amazon wanted to match up the userbase to see what other books safari users purchased, they could quite easily. It would be a bit harder for Oreilly and SlashDot to match users however, since the login on slashdot is NOT your email address. But slashdot, like most sites, does still collect an email so matching would still be possible.
The way passport changes things a little is that people with multiple emails are more likely to use the same address on all sites, and less likely to give bodgey email addresses. So matching will be (a little bit) more reliable.
Re:Passport does NOT aggregate transactional data (Score:2)
Re:Hotmail IS a Passport site (Score:2)
Re:Passport does NOT aggregate transactional data (Score:2)
Re:Aggregation is a bigger concern (Score:3, Interesting)
But not on me or thee, I assume. So, why do we care? Let the Microserfs sign up and get raped, let M$ take the flak, then once the principle is in place, we develop an open source (security through transparency) alternative and (here's the good bit) lobby for a consortium of Big Businesses to get together and themselves lobby for the gubmint (any gubmint, heck, pick a sensible one that everybody likes like New Zealand) to take it and administrate it.
Re:security and privacy a difficult issue (Score:2, Interesting)
I already replied to your post, but I forgot to address the above sentence.
Yahoo has already done it! A "Yahoo ID" can be used in as many places as a M$ passport, if not more.
For instance, if you setup a "Yahoo Wallet" with your yahoo id, that info (name, creditcard, and billing info) can be used on any of the thousands of independent e-stores that run their backend through store.yahoo.com. The same login/pass also works on any of the yahoo sites (stocks, chat, mail, myYahoo portal, travel, the list goes on).
I still don't think this is a good idea, but I'd rather give my info to Yahoo than M$. And no, I'm not just saying that because I hate bill gates; I've dealt with Yahoo Inc quite a bit (namely from running one of said store sites) and rather like the company.
Re:security and privacy a difficult issue (Score:2)
Oh man where to start.
First of all, having all your information stored in passport does not mean it's not also stored in a thousand other places. Every web site will still store all kinds of information about you. That will never go away. What passport does is to present a very attractive target. Instead of hacking into a thousand places you just hack into passport and voila you have the information of everybody who has windows (which is pretty much everybody).
Even if your contention is valid and it is better to have all your info in one place why should that be controlled by MS. You may trust MS but others of us who are acutely aware of the track record of MS when it comes to security are scared witless. Combine that with the unethical and sleazy characters who are in charge of MS and you have a recipe for disaster. Have you ever heard Ballmer, Gates, Allchin, or Mundy make a public statement that did not contain at least one lie? I haven't. Why should I trust these people?
It would be better to store the information on my PC not on some public server. If it has to be stored on some public server I would rather it be held jointly by competing companies or by a non profit organization. I certainly would prefer that it be open source.
Thank god for proxies and ipchains. In the end Passport will be just another example of a "stupid tax". The people who are illiterate will blindly give away all their privacy and the rest of us will drop passport packets at the firewall.
Re:security and privacy a difficult issue (Score:2, Interesting)
Re:security and privacy a difficult issue (Score:2)
There have been many excellent hardware and client based solutions that are transparent to the user.. Corporations will not adopt them because it keeps control of the sensitive data in the users hands and not in the companies pocketbooks.
Maryland... (Score:1, Redundant)
(for those who don't know - the passport eula says you can't use it in the state of maryland.)
Re:Maryland... (Score:1)
Kierthos
Re:Maryland... (Score:2, Interesting)
It's explained here [newsforge.com] to some extent. That story claims it's because Maryland has a law (that microsoft helped to pass) which is incompatible with the passport legal B.S.
Re:Maryland... (Score:1)
So does Microsoft really attempt to do location verification, though? We all know how well users respect EULAs, after all :) Sounds like more of a CYA solution to me.
Selective paranoids (Score:4, Insightful)
Re:Selective paranoids (Score:5, Insightful)
"fallen" dotcoms are, by definition, no longer in business. Complaining about them won't do any good. Microsoft, on the other hand, is very much in business. Their passport service has a bad track record. There is no indication that microsoft has made any major changes in response to the barrage of criticism it has received. It's growing, and in the future you will undoubtedly see more sites where a passport login is required for certain features. That is why it's important to be paranoid about this threat now.
Re:Selective paranoids (Score:1)
Although the companies may be out of business, their founders and owners are not yet dead. You can always sue them if they leak your personal info when they sell the dotcom assets.
Their passport service has a bad track record.
What kind of bad track record? Has it leaked any private info? You have to separate the security problems of Hotmail (which is a Passport client) from the Passport service.
Re:Selective paranoids (Score:2)
I don't see it that way. If my hotmail password (passport password) is compromised due to hotmail's security issues, my passport account is essentially useless.
Re:Selective paranoids (Score:2, Informative)
So far, I have not heard of any password being compromised due to Hotmail's security problems (you can only read mail, but the password is not revealed because of this).
Of course, hackers can still use the old password guessing trick or social-engineering techniques, but this is not Passport's problem, nor Hotmail's.
Re:Selective paranoids (Score:2, Interesting)
Is this actually true? I always assumed that liquidation of assets (which unfortunately include "customer" lists) was handled by a bankruptcy court appointed "repo-man", and that the (former) owners of the company couldn't do anything at this point to decide which assets got sold to whom.
Well, they *have* made concessions before (Score:5, Informative)
Just keep the pressure on them up. They're going to go ahead with some sort of service no matter what, but the amount of opposition they face now will determine how many of these concessions will be made "voluntarily". That way, even if the FTC doesn't come down with a favorable ruling, we won't be completely left out in the cold.
Incidentally, msnbc also has some coverage [msnbc.com]. A disinterested and impartial news source if there ever were one... or not, as it were.
Only trust those you can physically get to (Score:3, Insightful)
"I'm calling at international rates from Outthebackofstan, I've been on hold for three hours, and why don't you ^%#$%#^ read your email?"
"Oh, I'm sorry, you have the wrong department, this is the Pacific USA only support line. Please dial this number again in another eleven hours and the people supporting your region will be here. Have a nice day" (To co-worker: "Another commie towelhead") click."
some sites _refuse_ passport users... (Score:3, Interesting)
Re:some sites _refuse_ passport users... (Score:1)
Disclaimer: I [bergeron.com] own the company.
Re:some sites _refuse_ passport users... (Score:1)
Instead of sending hate mail to MS, send emails to potential licensors of Passport authentication and suggest to them that they will be losing your business if they require the Passport login.
As long as you have a choice, that should be good enough. Let the suckers who want to give away their credit card info go ahead and use Passport- let everyone who knows better choose not to do so.
After the first couple of major cracks where CC #'s are lost, maybe people will see the error of MS's ways and look elsewhere.
Passport EULA and Privacy Policy (Score:4, Informative)
Passport EULA [passport.com]
Passport Privacy Policy [passport.com]
Re:Passport EULA and Privacy Policy (Score:3)
You may not believe it, and I don't care, but I posted these after I went looking for them, BECAUSE I wanted to know what they said. It's pretty arrogant to sit here and argue about MS privacy and security issues in Passport, if you don't even know what information MS wants from people or how they intend to use it. I could have posted a summary, but I was too busy thinking about other things, and it didn't seem necessary.
I'd hate to have that job. (Score:5, Funny)
Privacy advocate: "So, you are trying to set yourself up as the one definitive source for our personal information online. Let's talk about your record: Hotmail backdoors, Code Red, Melissa, IIS, and Kournikova, among others, are horrible things which have been influenced by your poor implementations of products. And you want to have even more power?"
Microsoft PR guy: "Try to think of those as valuable lessons we have learned to make Passport more secure...
Re:I'd hate to have that job. (Score:2, Funny)
I find it funny that you list bugs and virii and include IIS in that list. (Not that I disagree mind you. It just seemed interesting)
Re:Thats a GREAT reason to go with MS (Score:2, Informative)
You know, having been tested is not enough. What you need is something that has been tested with positive results.
great idea, but not for /valuable/ passwords; ENUM (Score:3, Insightful)
But no way would I use a single password for important stuff. And there's the problem: MS obviously wants to force you to use it for /everything/. So then you can have your whole identity stolen by the first criminal who watches over your shoulder while you type in your password.
It's also scary to ponder that next they'd probably force you to use it with ENUM [cconvergence.com], a new scheme we're going to have shoved down our throats, which involves linking the DNS database to the database of phone numbers.
Privacy will be protected, or passport won't work (Score:2, Insightful)
The success of the passport system, and quite possibly their
What's even more interesting, to me, is the fact Microsoft is using its very large distribution channel to advertise and promote services in which it's competing against non-monopolistic companies. Messenger vs. ICQ (and others), Hotmail vs. many free email services, etc. I can't help but wonder if the FTC will look into this, rather than just the special interest groups concern.
great idea(l)s (Score:4, Insightful)
what I can't figure out is why this company, which is supposedly on the brink of launching this massive, multi-tiered platform that is
I mean, come on, the username/password combo was maybe reasonable in the days when everyone had exactly one shell account. but today when everyone is expected to remember a user/pass combo for every one of a dozen or so websites they want to log into, the weakness of this paradigm has hit pretty hard. simply put: people can't remember them all, which means they either write them down lots of places (pretty damn insecure) or use the same username/password for each account (even worse).
and MS has made THIS the lynchpin of their security model?
why couldn't MS use some of their much vaunted "monopoly power" to "leverage" an authentication system that actually matched the sophistication of the rest of
my suggestion: the medium which most people are accustomed to carrying that is intimately tied to their financial and personal data is the credit card. my MS "Passport" could be a physical smartcard that held authentication data, encryption keys...hell, anything. each copy of XP (and each bundled OEM copy) would include a small USB device that could read this card, maybe that was designed to mount onto the side of the monitor so it would stay out of the way.
YES this would be a major move, and it would stir things up a little. but when it is clearly called for, WHY NOT? people would just carry another little card in their wallet, the reader device would be small and dirt cheap (in that volume, most anything is) and in a year we would forget what we did without them. we have calling cards, and credit cards,and ATM cards...where is my computer card?
in any case, tying their much-heralded
Problems with smart cards? (Score:2)
Using smart cards for ID is an interesting idea, and one I believe even MS have mentioned considering before. It's important to remember that such a mechanism brings its own problems, however.
The logistical problem is the Big One, I suppose. You need smart card readers to become more ubiquitous even than CD drives today. Every machine that'll use Passport-subscribing services will need one. Someone's going to have to make an awful lot of readers, and someone else is going to have to pay for it.
On top of that, smart cards are not a silver bullet for security problems anyway. What happens when the card gets stolen? If it's my credit card, I call the bank, get it cancelled, and have a new one sent to me in the post. In the meantime, I can always visit a branch to take out cash if I need to.
What do we do when our smart card is nicked? Call MS to cancel it? How do we then reidentify ourselves to them to get a new one with the same access? They need... wait for it... more personal information about us to identify us. And surely I can't just use the card without any additional security -- if anyone does nick it, they can do anything until I realise and get it stopped. Suddenly, we're back to needing IDs, passwords and PIN numbers all over again, and now the whole point of using a smart card has been compromised.
So, while I agree that smart cards or some other more original technological solution may be the answer to Swordfish Syndrome, I don't think we should be too hasty to criticise a long-standing, tried and tested approach until we know the alternative is genuinely better.
Re:Problems with smart cards? (Score:2)
the cost and distribution problems solve themselves, because they're shipping millions of these things (did you, umm, read my actual post?). in such volume, the device wouldn't be any more expensive than the cardboard WinXP box it shipped in. then every user has one, voila.
now the getting stolen problem is a little thornier...but I think you answered it yourself. so you say when you lose a credit card you call the bank and have them send you a new one. but surely you have to answer a few questions to their satisfaction before they mail you a new card? credit cards companies have already invented the answers to all your questions, and tested them also. there are already working protocols in place to implement such a system.
you don't think we should be "too hasty to criticise a long-standing, tried and tested approach." when it simply doesn't work that well, why not? smartcards are an evolutionary extension to credit cards and phone cards, and would work much the same way. I'm still not sure why we're not doing it already.
sean
Re:Problems with smart cards? (Score:2)
How fast does the entire world (or perhaps the USA) upgrade their microsoft operating system? It's pretty safe to say that win 3.1 is nearly gone, but there are a lot of win 95 machines out there. Win 98 seems to be pretty common now, but judging from how 2000 and ME took the upgrade market by storm, it will be quite a long time until XP runs on the majority of PCs... not to mention the 80-90% needed to make smart cards "universal". Even 50-60% installed base on XP (vs earlier MS systems AND non-MS systems) is going to take quite a while.
Re:Excuse me?? (Score:2)
Re: (Score:2)
Passport and XP (Score:1)
If you have to sign up for it to use some parts of the OS, then yes, you do have to sign up for Passport to use XP.
A 4 digit PIN ??? (Score:1)
This is insane! If only *some* of the sites require the 4 digit PIN, and all the passwords and email addresses for the passport sites are the same (through passport itself), then what on earth is stopping someone who obtained your password (through brute force or whatever) from trying any site that requires a PIN as well with a simple 10,000 step PIN cracker??? Cracking a 4 digit PIN at internet speed is TRIVIAL!
Adding that 4 digit PIN is like adding a knot in the sticky tape holding your bicycle to the post.. It's just one more easily circumventable step in a flawed access-restriction service.
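A four-digit PIN only resists online guessing if the service limits attempts. The sketch below is an added example (not part of the original thread, and not Passport's actual behaviour) of a lockout counted centrally per account rather than per site; the five-failure limit, the class and function names and the sample account are assumptions.

```python
import hashlib
import hmac
import os

PIN_SPACE = 10_000   # four decimal digits, as in the comment above
MAX_FAILURES = 5     # assumed policy value, not a documented Passport setting


class PinVerifier:
    """Central PIN check whose failure budget is keyed on the account only."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self._records = {}    # account -> (salt, derived key)
        self._failures = {}   # account -> consecutive failed attempts

    @staticmethod
    def _derive(pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)

    def enroll(self, account, pin):
        salt = os.urandom(16)
        self._records[account] = (salt, self._derive(pin, salt))
        self._failures[account] = 0

    def verify(self, account, pin, site):
        # `site` is deliberately ignored: guesses sent through different
        # participating sites all draw on the same per-account budget.
        if account not in self._records:
            return "denied"
        if self._failures[account] >= self.max_failures:
            return "locked"   # refused before the PIN is even compared
        salt, expected = self._records[account]
        if hmac.compare_digest(self._derive(pin, salt), expected):
            self._failures[account] = 0
            return "ok"
        self._failures[account] += 1
        return "denied"


def blind_guess_success(max_failures, pin_space=PIN_SPACE):
    """Probability that a guesser with no PIN knowledge hits it before lockout."""
    return min(max_failures, pin_space) / pin_space


def demo():
    """Constructed run: wrong PINs via rotating sites, then the right one."""
    v = PinVerifier()
    v.enroll("alice@example.test", "7291")
    sites = ["shop.example", "bank.example", "mail.example"]
    pins = ["0000", "0001", "0002", "0003", "0004", "0005", "7291"]
    return [v.verify("alice@example.test", p, sites[i % 3])
            for i, p in enumerate(pins)]
```

Lockout caps a blind guesser at 5 tries in 10,000, but it also refuses the owner's correct PIN until a reset, so the reset path needs its own identity check. Resetting the counter on success hands a patient guesser a fresh budget after each legitimate login; counting failures over a time window closes that gap.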
Microsoft has security awareness! (Score:1)
Microsoft addressed this problem a long time ago! People have been using MID (Message ID Number) [slashdot.org] for reading hotmail [hotmail.com].
So stop questioning their security awareness.
I Don't See the Big Deal (Score:1)
Possible Compromise (Score:1)
Probably US government make some compromise for the conflicting parties:
These two things make Passport unfair. You cannot do anything to Microsoft if someone cracked Passport and poked into your account, used your credit card, SMSed your cell phone, etc. Probably the implication is worse for corporations: If someone cracked Passport, he/she could get their customer data and their trade secrets, and mock them for their inability to put their utmost effort into protecting customers' private data.
This must be stopped. I'm sure that a sheer amount of litigation would be tossed against Microsoft. Or they would probably go bankrupt just to compensate their customers' punitive damages. :-)
Just a little PassPort note... (Score:1, Interesting)
Localised or Centralised information (Score:1, Informative)
The alternative way of doing things is a distributed model. With PDAs becoming more widespread, and more powerful it won't be long before you can store most or all of your personal data/files on a single small portable device. Now, providing some decent interfaces are written, this offers the same ease of accessibility as Microsoft's centralised solution, with the benefit of increased security - YOU are responsible for YOUR OWN data.
I know which I prefer. I'll always trust my own abilities to secure my own data more than I trust Microsoft to secure it for me.
Roll on with the distributed model I say!
* By information/data I'm not just talking about street address, credit card number etc., I'm talking about all your work/code/data/etc.
Jedidiah
Single Point of Failure, but needed... (Score:3, Insightful)
1. Use the same password on all 10 anyway
2. Use grossly easy passwords so that they can remember them
3. A combo of 1 and 2.
With a Passport like concept, there's only one account to remember. Maybe then consumers will find it reasonable to memorize a secure password. Either way, a centralized system is needed for identification. As a web developer for 5+ years, customers don't want to fill out the same crap each time they visit a site, and if they could just type in their passport info to authorize access to certain private information, they'd do it. Now, it's up to us to come do the social and technological engineering to make this happen safely, and securely.
still need multi levels of authentication (Score:2)
kinda blows the whole single point of authentication out of the picture.
Not to rain on your parade, but... (Score:2)
So you're telling me, that you'd be willing to render control of your very private data to one single company, located in a country with probably the piss-poorest privacy protection laws in the Western hemisphere, just for the sake of convenience ?
We're not talking about CC # here, but about everything surrounding your person, including potentially medical data.
See, I agree that it's up to society to define the sidelines. It's however not society that controls Passport. It's the Microsoft Corporation, which I personally wouldn't entrust with my cell phone number.
Re:Not to rain on your parade, but... (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Re:Single Point of Failure, but needed... (Score:2)
Those two statements are unconnected. Jane AOLuser wants free access, free stuff, 20% off of everything that isn't free, and she also wants for her computer to "just know what she wants to do" without her having to go through all that pesky remembering where to click. In other words, she doesn't want to take responsibility for paying for her usage, or for learning how to use her machine, and (most importantly) she doesn't want to take any responsibility whatsoever for her own security.
Let's be careful about giving Jane everything she wants, huh?
Re:Single Point of Failure, but needed... (Score:3, Insightful)
Why couldn't you store the required info in an (encrypted) store on your machine and use that to answer the types of requests you are talking about. Same result to the end user without having all this information in some remote store.
You could go further and set the system to automatically answer requests in some cases (perhaps in cases where the site has a P3P policy meeting certain conditions, etc.) and you could have every response be part of a digitally signed package that provided a "paper-trail" of exactly what you shared with that site and what purpose they claimed they would use it for.
Much better solution, without MS holding all my data.
What's the point? (Score:1)
I mean, keep it in some nice standardized XML in encrypted form and require a passphrase for each decryption/use of the information.
Why would anyone in their right mind use this?
I will NEVER trust passport... (Score:3, Informative)
I used to have a Hotmail account, for several years (even before they were bought by MS). I was only logging in every 3-4 months, mostly to keep it active, because it wasn't my main email address.
One day I found in it a message informing me that I had been automatically issued a passport. Without my consent. They had just taken the info in my hotmail registration and created a passport for me, without asking my permission. I got very angry, and asked that the "passport" be removed, because I didn't want it. The reply was "it cannot be removed, once you got one, you're stuck with it forever". It seems that, by logging into my hotmail account after they had sent me the info, I had "automatically given them permission to activate the passport". But nowhere on the login page was there any information about this!
I eventually let the hotmail account expire, but AFAIK the passport account they crammed down my throat is still there. There is no option to delete it.
Re:I will NEVER trust passport... (Score:2, Insightful)
Doesn't America have one of these? Has anyone actually challenged MS to provide a printed breakdown?
Re:I will NEVER trust passport... (Score:2)
It's more than just one piece of law these days, and gives you quite a few more rights than that, too; see the link in my other reply on this subthread for more information (in a pleasantly readable form, BTW -- well done the UK government).
It is a reasonable thing to do, though. Otherwise, companies could be subjected to arbitrary time and money wasting searches on the whim of anyone who wanted to make trouble. I think the fee should be refunded if any problems are uncovered by the search that would not otherwise have been found, but that's a different thing to not having the fee at all.
UK data protection legislation (Score:2)
IANAL, but looking at some information about UK data protection law [homeoffice.gov.uk], it would seem that Microsoft's behaviour here might be illegal on several counts. Oops. :-)
One stop shopping for identity theft (Score:2)
As someone who works for an e-commerce company I am irritated when I see what appears to be half-assed security on high profile websites. When a site run by a company like Microsoft is hacked, it becomes more difficult to convince my clients they can conduct business with us in confidence.
I make my living because people visit our website and conduct online transactions. I know how much thought goes into security issues for our site. If we were to be hacked, it would reflect negatively on the site and all other aspects of our business, as well as fail to serve the trust of our users.
Microsoft does not appear to share these same concerns. Time and again they have a cavalier attitude towards very public attacks on their websites. Hotmail was hacked, so what, someone read your email. It was just porn, right? If Code Red turns IIS into a zombie it's your fault you didn't patch your server.
Microsoft has not solved the security concerns that have plagued IIS, but that won't stop them from pushing forward with .net. If there were a massive hole found in this new web platform, I fear what fallout may ultimately come of it. At some point the damage to the online economy will push lawmakers into imposing regulations. These regulations will become huge hurdles for the publishers of OSs, software, and websites.
I have always felt that if there is one entity I trust less with my computer than MS it is the US Government. There is nothing worse than a congressman or senator who doesn't understand computers making laws that affect them.
Passport's Probably as Cool as NT on the Alpha... (Score:2)
It's probably supported by M$ on all currently supported processors: Intel and AMD chips and any in that family...
...for now.
On Paper and Online, News Publishers Rapidly Adopting Microsoft BackOffice Technologies [microsoft.com]
The Center for Democracy and Technology? When the hell did M$'s business goal coalesce with Democracy as Franklin, Jefferson and co. enacted it?
This friendly public service announcement posted from:
vanboers@tempe:~$ uname -a
Linux tempe 2.4.9-ac1 #2 Sun Sep 2 22:20:55 MST 2001 alpha unknown
Nope, not even a Linus Torvalds kernel. Alan Cox rocks, too.
Choice is.
A thought on trustfulness (Score:2, Informative)
(of course, the fact that these people are unaccountable is one of the major factors; but this is just FUD in some people's eyes)
The amount of your personal information to give to the Passport system depends on the degree of trust you have in a username/password security system over the Internet.
I think Passport is secure to some degree, but it's definitely not absolutely secure (nothing is). However, I never hear Microsoft PR say 'but' when propagandizing their Passport system.
E.g. when I applied for a personal certificate I was given a time limit for using it. Not because the certificate issuer is a greedy bastard, but because they want me to know the encryption in it can be broken by known technology beyond this period (by brute force attack, computer tech advances, etc.).
Computer security is not absolute. The claim of its security level is part of the security system itself. No matter how well the Passport system is made, failure to give an honest claim would render it useless.
Just my opinion. You can start bashing me by clicking the reply below. Thanks.
But Information Wants to be free! (Score:2, Offtopic)
To quote J.Jackson
"If you choose, to use, your paaaaspoorrt,
If you are stuuupid enough to paaaaayyy! for this craap! Then we are prayin for ya, yea , we prayin fo yo'soulll. For you have fallen inta the bad mannnss hannnds! Chill! I can save ya! Just say afta me..... haich tee tee peee colon slash shash, doubleya doubleya doubleya, dot, sourceforge, dot, net. Ahhhhhmmeeennnn and Hallelullghia Brotha! Peace be wit you!"
That was the best speech I have ever heard!!!! Vote Jackson!
Y
[OT?]Beware of who has your info (Score:2, Interesting)
Moral to the story? Basically, watch your back. If you employ an accounting firm, and they go belly up, be sure you get your records back from them. This is just one shining example I gained from experience.
This is so fucking lame (Score:2)
Sure, it's obviously been written by a huge team of programmers, carefully screened for any possible security hole and tested on a massive scale at Microsoft's fortress in Redmond.
It's just amusing how nobody really has any confidence that the largest software company in the world can write something so basic, and get it right.
Single signon on a secure managed network (Score:2)
But what kind of moron says, this is a good idea for my corporation so it must be a good idea for the entire internet?
Hmm, what are the alternatives? (Score:3, Insightful)
I think a nice solution would be a kind of "PassPouch", based on public-key crypto, etc. A pouch would contain arbitrary number of passwords. To authenticate a user, a service would need your pouch password to open the pouch, and then use its site-password to authenticate a security cookie in the pouch. Well, something like this. You could have multiple pouches, and a pouch could be stored in your personal computer, or in any "PouchServer", based on for example LDAP. There probably already are such systems, but I haven't noticed any so far (I don't know much about the topic).
Regarding several comments... (Score:3, Insightful)
Okay. On a small scale, it might make sense. This is not a small scale. This is Microsoft. The Internet was not built so one company could control it; it's independent. MS is doing this to corner the e-commerce market. I don't want to let them do that. They are already free to compete fairly with everyone else.
Regarding the comment about Windows XP product activation containing a GUID (which should scare everyone). I refuse to buy a product that requires me to 'authorize' its use with the company I bought it from. It's wrong. I paid for it, like a product, at the store. It's mine to use. I should not in any way have to deal anymore with the creator unless I choose to.
Regarding Passport in general... using it for hotmail? MSN messenger? Fine. That's great. But let's not get carried away. I won't give MS my financial information, ever.
Re:Regarding several comments... (Score:2)
That's not far off. If XP is a success, and MS gets WPA accepted by the masses, there is no limit to what info they can demand for the privilege of using the product that you bought.
Funny, the government defines driving on roads that are paid for by my taxes as a "privilege", and so does MS, apparently, define using software I've paid for a "privilege".
The funny thing about a "privilege" is that it can be revoked... For capricious reasons.
every single Free Passport is an asset to Microsof (Score:2, Insightful)