Forgot your password?
typodupeerror
Microsoft

Analysis of Passport Flaws 174

Posted by CmdrTaco
from the something-to-think-about dept.
An anonymous reader sent us an excellent (and technical) paper describing problems with Passport its not lame anti ms rhetoric, its actually a well written technical assesment of security problems with the unified login that passport aims to achieve. This is a good read.
This discussion has been archived. No new comments can be posted.

Analysis of Passport Flaws

Comments Filter:
  • In the guy's CV page [avirubin.com] it says that this publication is from July, 2000. I don't know if it makes any difference, but it still seems like relevant info.

    Yeah? Well you shut up!

  • by Anonymous Coward
    "... We believe that until fundamental changes are made to underlying protocols (through standards such as DNSSEC and IPSec), efforts such as Passport must be viewed with suspicion. "

    See? You NEED TCP/MS. Why don't you guys ever trust me?

    --- billg

  • The sole reason that Passport is being pushed forward, is to minimise the number of logons and password that a user needs to remember; so we store them in one location!
    Wouldn't be more secure to have multiple logons (for each service provider) that are exactly the same? Sure there would be a security problem if someone happens to know my logon and my password, but there is a lesser chance of them having access to all my details, because they have to logon for every single service individually.

    I found the following from the paper to be very pertinent: "The centralized service model is antithetical to the distributed nature of the Internet that has made it so robust and so popular."
    • sasha328 the P2P movement is certainly an alternative. Look at what AOL has done: 1) They own the portal as an ISP with millions of users; 2) They own the digital content (Warner Bros., Atlantic Records, etc.); 3) Now they've decided to control the delivery of that content before P2P does it for them. More at: http://wavxtek.tripod.com/AOL_and_DVI.pdf
  • The single-signon mechanism is housed on a central MS server. So someone like IBM would have to send a redirect to the browser with the URL of the Passport login page. From my understanding of the article, all of the communication between Passport and IBM would happen through the client. The client is the medium of communication between Passport and the vendor. Please correct me if I am wrong.

    Or to be more specific Microsoft Internet Explorer 5 is the only valid communication mechanism between the vendor and Microsoft. Microsoft worldwide empire is going to be built on redirects and cookies?!??! Dear God, please deliver us from this insanity.

    Why not say to each vendor, here's drop this Box in your network, use it as your authentication, will setup some sort of super encrypted VPN between your network and ours and we'll provide real-time authenitcation. Why not? Because it is too easy, and it doesn't TRAP THE CONSUMER INTO OUR INCREDIBLY INVASIVE SOFTWARE.

    What about browsers that don't accept redirects? I know, I know, it's 2001, people should be using modern browsers, but what about people with old computers. I mean, maybe I'm just wrong, but if you are say Barnes and Noble or Ford ( whatever? ), why would you hand over your security concerns to Microsoft?!? After such high profile security explosions such as CodeRed, and now the CodeRed II which is MUCH MUCH WORSE because now everybody who has read Slashdot today has root privileges on every box that has been compromised. ( Be good, people. Be good. )

  • He forgot to point out that Passport can only work as long as the Open Source community is willing to pay the domain registration renewal fees for Microsoft's domains. [slashdot.org]
  • The article does a good job of articulating specific issues with the Microsoft's Passport system. Other people have suggested that we should perhaps look to XNS [xns.org] or other open source single signon systems. However, I believe they are missing an important piece.

    This is important because users tend to pick poor (guessable) user names and passwords ...

    Yes, that's right. What good is a strong single signon system that auto authenticates distributed sites, when the single signon itself may be weak? How much will 3DES encryption protect you when your password is "Swordfish"? You may recall the slashdot article [slashdot.org] that discussed how the average person tends to do a poor job of picking a secure password.

    Fundamentally, Microsoft's passport or any other single signon system is as weak as their weakest link. Which, in many, cases appears to be the original signon authentication. I don't see them really catching on until that problem is better addressed.

    These systems will have a much better chance when biometric authenticators become ubiquitous. Then hackers will have a much harder time impersonating you at the single signon.

    However, no single signon system is perfect and the world is going to get a whole lot nastier when biometrics arrives en masse. Someday, we'll wax nostalgic about happier times when hackers only attacked computers and didn't pull out your eyeball to break into your bank account. I just saw Demolition Man recently in which Wesley Snipes does a very nice job of faking out a retina scanner with this method - truly gruesome.

    Bah, none of these single signon systems for me. I'll just stick with my secure method of appending the site url to "password". Even if someone compromises one password, they won't know the rest!

  • (Same.Old.Sh*t)

    Once agian Ms boasts a new "protocol" or implementation of software that relies on one, and once agian it is proven insecure. I find it not surprising though. How can I or any of us for that matter, think that something aimed toward making authentication easier, coming from MS, would actually make things better? Oh surely mure, the atypical weblite user is going to find this a great and a wonderful "time saver", while the rest of us who give a sh*t about information security end up finding ways to publicize its' flawed security model, in desperate attempts to keep something that may end up forcing into its' use from monopolistic tactics upon us, from being so problematic. Thanks MS...
  • by crovira (10242) on Sunday August 05, 2001 @08:54AM (#2114622) Homepage
    And that was the point.

    Now you can't discuss the weaknesses you find in an open forum so they can be addressed. You can only discuss it illegally through encrypted e-mail with others who will exploit them.

    The DMCA was NOT an improvement.
    • The acronym DMCA has become nothing more than:

      All your base are belong to us

      Let's see who can post the letters first!

    • Wrong.

      The article did not publish nor discuss a way to circumvent the system. It talked generally about various attacks.

      I can say that: DVD appear to be vulernable to a key-decryption attack which would allow decoding and copying to my local hard drive.

      I cannot say: DVD's can be decrypted using XYZ-XYZ key and decoded using this code (insert code).

      But still, the point is moot. Any restriction of the kind is a violation of the 1st amendment.
  • its going to be an article aimed at technically au fait readers when the authors' emails are given as {davek,rubin}@research.att.com with no further comment on what this means...
  • by CTho9305 (264265)
    I think it would work better... it solves ALL problems listed except for poor passwords. However, the "average" user will never remember a password that is any good - and will demand some "remember my login" feature. This combination ensures INsecurity. Until people are willing to remember a short (6+) character sequence, and are willing to type it in (and change it periodically, there can be no good security (using passwords). The main disadvantage to kerberos is that most browsers do not inherently support it - you need plugins and sometimes a completely separate application.
  • We pointed out this flaw to Microsoft. Microsoft indicated they were already aware of the flaw, and it was fixed that same day.

    So, they had been aware of the flaw, but did nothing about it untill it was publicly known? Call me paranoid, but how about this: Exploits are OK as long as they are known only to Microsoft people? Are they leaving some easter eggs so that a bunch of MS employees can gain access to other people's information and money?

    It's bad enough that so many untrustworthy commerce sites are out there, running broken versions of MS web servers. Now we are supposed to have microshit as a "trusted" third party for all our commerce and authentication. No way Jose. My webshoppin days est fini. I'll be usng the phone from now on.

  • This is a very hairy deal, which proves that it was not written by some slick moneygrabbing M$ two piece suit with no concept of that quality software is! ;-)
    (you need to read through the article to the bottom to understand that)
  • I am not a crypto wizard to understand all the article. But I believe the main purpose of Passport was the necessity either to keep a lot of different passwords or to have a center that authentifies a person using the single password.

    I believe that it's possible to keep a lot of different random passwords in any hardware device attached to computer thus avoiding most problems. The device may be the special keyboard (for instance, with magnetic, chip or proximity card reader), the standalone card reader or, preferably, USB key attached to the USB port that is present everywhere now (For USB challenged people there is a FDD). Of course, the device should be supported with some device-independent open-source protocol (Or we shall not trust it).

    But I believe that Microsoft needs Passport NOT for our benefits, but for benefits of Billy's pockets and so Password will be pushed into our throats leaving all non-M$ aside.
  • Well, I agree with the artical that there are an abundance of problems with passport, its truly unfortunate that it could not be done better/independently. The idea of Passport seems like a great one that could indeed help users, and make them more secure. As the artical states most users use bad, and repeating passwords. Something like this would probably make those people more secure in the the long run. as the acutal vendor would not have access to the persons password. Unfortunatly it is deeply flawed. Oh well maby some "open" project will emerge, and provide a better verson of passport.
  • by infiniti99 (219973) <justin@affinix.com> on Sunday August 05, 2001 @08:43AM (#2116337) Homepage
    There's nothing particularly wrong with single-signon, just so as long it is done securely and the data of everyone on the planet isn't stored in one bank. Users are going to like the convience that Passport provides. Thus, we need a good alternative.

    I found this [madasafish.com], which discusses a way of doing a Passport-like identification over Jabber, dubbed "Jident". Maybe this, or something like it, could be implemented as a proper open-source/distributed counter to Passport.

    Jabber is definitely what the world should be using instead of this new "Windows Messenger". Perhaps an alternative to Passport could be added/layered to it as well? Definitely check out that Jident page, especially the bottom where it lays out the pros and cons (and a neat scenario).

    Maybe something like this will be discussed at JabberCon [jabbercon.com].

    -Justin
    • We need something just like passport which acts a more like kerberos. Where the server gives authentication tickets that expire, like cookies but it is not done via a redirect. If say, te third party client could do the request on their behalf, it wouldn' tbe as bad.

      Another option would be different passwords for different uses. Of course my email password might be a little easier than say, the password for stuff i use my credit card number. Better yet, I might actually want to use a different password for everything. An option similar to RSA/DSA keys used with SSH. You don't need to use the key pasword you set on the server, but can use the password you used to create a particular keypair.

    • Naw, we should be using a Jabber-like program with a couple of differences. For instance, do away with the XML, it is an unnecessary complication.

      I really dislike the Jabber project for many reasons, a couple of which are simply the unexplainable "bad vibe" kind of things. I think much of it is needlessly complicated, using an ineligant solution to a really rather simple problem. The fact that it too so long to become stable is testament to this, I believe. It should have taken about a month from beginning to end with a team of four.
      • by Anonymous Coward
        The icq transport has been dead for a month now. Dunno about msn and aim
      • Parsing XML isn't as bad as you think, especially with the availability of libraries. Understanding the protocol is loads easier when everything you get is plaintext XML. I think this is one of the positive sides to Jabber.

        As an open source project, you should understand why it has taken them so long. Developing a client is one thing, but developing an IM system takes much more work. Compare it to writing the first mail server.

        Anyway, it's much more mature today than ever. The main faults are: lack of good clients (which I am trying to fix [affinix.com]), and transport instability. The instability generally comes from IP blocks by AOL to the jabber.org server. This can be solved by simply running your own server, which is the whole point of Jabber anyway.

        At this point in time, my day-to-day IM consists of a private Jabber server, the AIM and ICQ transports, and the client I wrote. It's a proven system at this point. I say we run with it, rather than try to create something new again.

        -Justin
  • First of all, the article seems to have a point (although I am not a computer security expert). Particularly, the redirects inolving HTTP and DNS tricks are already popular compromises. Therefore, Passport is indeed insecure.

    What makes stuff worse is that (unlike most other web-based authentication systems), Passport is going to be used massively by thousands of online dealers. Think about what would happen if Amazon were compromised. Passport break-in would be worse, since all of the Amazons of the world will grow to rely on it.

    So the real problem with Passport is that it is going to be used so widely; it is a valid small-scale solution (where the profit from compromising such a service is minimal), however it does not scale well when we talk about millions of users spending billions of dollars. I just hope that Passport will not be used by serious retailers, if we ever want to have some semblance of security and privacy.

  • Now how long will it be before this guy gets arrested? Stupid Laws!
  • by emin (149044) on Sunday August 05, 2001 @12:12PM (#2117823) Homepage
    Although I don't know much about the design decisions involved in implementing passport, I don't see why they don't use a zero-knowledge protocol (ZKP). Basically a ZKP is a way for Alice to prove to Bob that a certain claim, C, is true. Furthermore, under certain assumptions (e.g. factoring is hard, graph-isomorphism is hard, etc.) you can prove that Bob doesn't learn anything beyond the fact that C is true.

    How would this be used for authentication? I generate an instance of a hard problem, P, along with a claim, C, which I only I can prove. I publish (P,C) as a type of public key. If I want to prove to slashdot or Hotmail that I am me, I use a ZKP to prove C thus authenticating myself. Since I used a ZKP, even though slashdot now knows C is true, slashdot doesn't know how to prove C itself. So slashdot can't pretend to be me when talking to Hotmail (unless slashdot can factor or solve my chosen hard problem).

    Some benefits of using a ZKP include:

    • I only need to log into my computer with a single passphrase and then my computer can use a ZKP to convince all the other web sites of my identity.
    • The system is provably secure under certain assumptions.
    • No central authentication server has a list of passwords or other information it can use to impersonate me.
    • Since no central authentication server is necessary, the authentication prover (i.e. the program that runs on my computer to prove who I am) and the authentication verifier (i.e. the program that runs on slashdot to check my identity) could be implemented by different companies. Thus you could use an open source prover with an MS verifier allowing interoperability.

    So my question is why doesn't MS use a zero-knowledeg protocol to implement passport? Is this type of idea patented, or are there are other issues such as security, speed, etc.? I'm not trying to bash MS since I know that they have some pretty smart people there I'm just trying to find out why they didn't use ZKP.

    I suspect the answer is because a ZKP based system would probably be easy to clone by open source people or other companies. On the other hand, passport seems to give them significant business advantages at the cost of security, interoperability, elegance, etc.

  • I [sic] hope it's [sic] better-written [sic] than Taco's assessment [sic] would indicate.
  • Security Flaws (Score:2, Interesting)

    by lavaforge (245529)
    If found this following quote interesting: "Presumably, the Hotmail logout button is used to remove the Hotmail credentials, while the Passport signout button is used to remove the Passport credentials to all services. While this may be clear to computer security experts, it is unlikely that the average non-expert computer user will understand the distinction."

    This is a bit unusual; most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

    Who wants to place bets on how long it will take before somebody starts harvesting ID's from the local libraries?

    • ...most of Microsoft's various 'innovations' are renowned for their user interface, and here we have the interface acting as a potential security flaw.

      "Renowned"? Don't you mean "notorious"?&nbsp

  • by Anonymous Coward on Sunday August 05, 2001 @08:38AM (#2120989)
    its = possesive (i.e., belong to it)

    it's = contraction, for "it is".

    So:

    ...it's not lame anti ms rhetoric, it's
    actually a well written...

    Geez. Hire a high school student to proofread or something.
  • I thought they were talking about a real passport.. ya know the paper ones.
  • by Thomas M Hughes (463951) on Sunday August 05, 2001 @08:32AM (#2122724)
    Well, my first question is really "Does anyone outside of Microsoft actually use passport for authentication?" Microsoft uses it a lot for MSN Messenger, Hotmail and all its other stuff, which isn't really bad (for Microsoft products that is). However, I have yet to see Passport used _outside_ of Microsoft.

    Then, assuming that other companies do begin to use Passport at a significant level (despite no one using it after months of its deployment), there then becomes the question "What happens when Microsoft denies companies access to passport authentication?" For example, what happens if a Hotmail competitor wishes to use Passport authentication for its web mail login? Clearly, Microsoft would be helping their competitor if they allowed it, and acting monopolistically if they don't. That does provide a small problem for Microsoft.

    Third is something that the article points out very early on about the very reason people need something like passport. To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced. Now, instead of your grocery store having access to your stocks, Microsoft has access to both your grocery store and your stocks, without doing anything but being a middle man authenticator.

    But what am I saying? Microsoft is the good guy, who would never abuse its power. That's why its okay for Microsoft to use its powers to "innovate," just like its okay for the US to develop defensive systems that give it the power to launch nuclear weapons without fear of retaliation.
    • To paraphrase, the article states that people dislike the idea of their online grocery store having access to their online stock trading when they use the same password. This problem doesn't go away with Passport, it is just enhanced.

      I don't think that's true. There is a redirect through Passport for every site the user visits, and both the grocery store and the online stock broker has registered its own key with Passport.

      You can only use a cookie set by Passport for one single site, and the grocery store can't use the authentication token you used to access its site to impersonate you at your online stock trader, because that token has to be encrypted in the stock trader's key (which the grocery store doesn't have).

      That said, you make a valid point too: what you get in return for locking your grocer out of your stock account is the little fact that Microsoft is now able to access all your accounts. Because they have all the keys.

    • Hailstorm. (Score:3, Interesting)

      by slashkitty (21637)
      Yes, some sites use Passport now, but soon, many many sites may be using it in combination with Hailstorm. This posses more problems as well. More users will be using it. They will have to use it more often. More data will be stored accessible with a Passport login.

      Many people agree that this is the start of Microsoft's goal of "collecting a toll on every transaction on the internet". As others have suggested, upcoming versions of MS server software will make it easier and easier to use Passport when building web services. At the same time, they will make it harder not to use it... Adding more hoops to go through to set up something else... Like how they are removing Java from XP: one more hoop to to through to run Java.

      As you can see, any security flaws in Passport could become a huge problem. Couple this with things like Sircam and CodeRed worm, and you have something that could drain bank accounts and do stock trades for you.

  • I didn't know all this about passport, but it has great resemblance with paypal. The bogus site exploit has been done there as well.

    The difference between paypal and microsoft merely is the fact that passport is not intended for micropayments, as I believe that ms will mostly focus on the b2b market.

    For micropayments, Paypal [paypal.com] has low risk because they have taken a mix of all sorts of measures. An ex-FBI agent is in charge of two or three fraud detection teams, their "IGOR" system is an automated fraud detection system. Because the wallet contains such small amounts of money, the loss risk is therefore much smaller than if you'd use big amounts - necesary for b2b transactions.

    I do notice the resemblance between PP and MS that they are dealing with the same security problems, perhaps this is why PP and MS are collaborating. When MS chooses not to work with micropayments, my guess is that they could get a lot of security problems, not only the ones written in the article, also the securite problems Paypal hasn't solved technically, but manually.

  • Passport can be as watertight as a duck's arse or as full of holes as a sieve for all I care. For me the only question is, why the hell would I choose Microsoft as my sole broker in the first place? - I haven't as far as I'm aware gone stark raving nuts yet!

    It seems likely that some if not a lot of people are going to use the passport service outside of hotmail. It seems likely that some or a lot of them are going to regret it. While I don't wish those people any harm, they could be well the ones who bring this latest Microsoft ruse to a speedy end.

  • The new variant of Code Red might turn out to be the most damaging worm yet launched. That's happening today, while I'm writing this. My DSL connection will be hit a couple of times, in all probability, as I type this up.

    That has to be the context of any discussion of passport.

    Even well designed security fails. For that reason, if single choke point that will plunge the world into chaos if security fails is a bad idea. Passport is a bad idea.

    The most important flaw isn't in the protocol, or in the fact that it's built on insecure services. A well designed passport type system would still be flawed, because it would present a single point of failure.

    The fact that they want to do this at all proves that they're not thinking about security first.

    MS has a track record of doing dumb things security wise because their business models demand them. They wanted to tie word and visual basic together so they opened up the world to the threat of macro viruses. They wanted to tie email and office together, so they made email systems that would run programs embedded in documents automatically if someone sends it to a MS user via the email.

    These are not obscure problems, and they're not difficult to predict. You don't need to be a security guru to realize that they're trouble. MS did it anyway, because it was in their interest to do it. It wasn't in their customer's interests.

    Passport isn't in anyone's interest by MS's. It's a bad design because it's centralized, because all of the eggs are in one basket. Most people want privacy. Most people want their credit card information to be secure. Most people want to control the information they give to various sites -- they don't want it passed around in the background, in the name of convenience.

    Apart from all of that, it has to be pointed out that the company that's building and marketing passport has the worst record in computer security on the planet. By that I mean that MS security holes have cost more money -- billions and billions of dollars -- than any other company's security problems. How long did it take them to close the outlook macrovirus hole? How long was it obvious to everyone that it was a bad idea, before they closed it? Years. Why? Because they put their business model above their customer's security interests. And they're doing the same thing here.

    Passport is a horrible idea. And even if it was a good idea, these are the last guys who should be trusted to build it.

  • by sfe_software (220870) on Sunday August 05, 2001 @09:58AM (#2126326) Homepage
    The article mentions the possibility of one registering pasport.com (note the missing 's') to fool users into giving their username/password to the wrong site. A much easier way would be to redirect the user to a URL like this:

    https://www.passport.com/very/long/path@evilhacker .com

    Crafted to look like a legitimate Passport login URL before the '@'. Then, put a passport spoof site at evilhacker.com. Everything before the '@' is ignored, and the user will simply see a long passport.com URL in the address bar. The browser actually connects to evilhacker.com.

    So it's much easier than the article describes to trick a user into providing credentials to the wrong site; all that is needed is an SSL cert, a copy of the Passport login screen, and a clever URL...

    As the article notes, users won't check the cert (as long as it's valid and doesn't give a warning). They'll just type in their username and password. Even if they glance at the address bar, most users won't have any clue about the '@' trick, and if the URL is long enough they won't even see it.

    Over all, I think the article makes a very good analisys of the problems in Passport (or really any central login system).

    - Jman
    • As has been pointed out, you can't have literal '/' or '?' in the username portion of the URL (that before the @)... I didn't realize this before, so it does make it a little more difficult.

      Using %-encoding would work for hovering over the link, but not what's shown in the address bar of the browser after the link is clicked.

      On another note, something else the article mentioned was DNS spoofing. One quick way to do that would be to sign up at some large ISP to host "passport.com", and hope that the signup process is automated. Then, for users of that ISP (or rather for users of their name servers), passport.com would resolve to your webserver, assuming that ISP uses the same DNS servers for both authoritive and non-authoritive requests.

      Of course, this would be difficult to pull off, but I'm sure with some creative thinking it could be done. I've seen domains resolve to the wrong host many times due to similar tricks (intentional or otherwise). We once had "firefly.com" (coincidently an MS-owned domain) in our DNS thanks to automated signups for domain hosting; luckily, we only served authoritive requests (we were a webhost, not an ISP).

      - Jman
    • I tried putting https://www.passport.com/very/long/path@cnn.com in my explorer URL line and got a passport error message. Namely: it didn't work.

      Yeah? Well you shut up!

    • Nope. What you have there won't quite work. What you have before the "@" cannot contain literal slashes, among other characters. It can contain %-encoded entities, so you can put the slashes in that way ("%2F") -- most browsers translate this entity back to "/" when displaying the URL on hover.

      Oh, and some browsers have already patched this "semantic attack [ebiz.co.za]."

  • It seems to me that the attacks listed are the same old attacks that most any system is vulernable to:

    1. Confusion: many systems can confuse the end user. Slashdot could be one. How do you I logout? Can someone copy my login cookie and be me? Yeah, probably. This isn't a particularly new attack, do you think?

    2. Key Management is the same problem that Verisign/Thawte have been faced with for a long time. How can we sure that the user/merchant is who he says he is? Its hard, for sure.

    3. Central Point of Attack is again, a very real problem, but an old one. Any central database will face this, no matter what. More than anything, this discredits centralized logins, and by default, Passport. On the other hand, every little merchant will be under far less scruntiny in terms of security thanks to the central database.
    4. Socially Engineered Attacks on Javascript/Cookies go back as far as, well, cookies and javascript. They are indeed bad technologies for secure uses, and using them here was naive at best. But the paper does point out that Javascript is not required.

    5. Trust attacks are of coure relevant. Passport requiers a trust in the merchant who joined the program. Not much different from SSL, really.

    6. Man-in-middle, DNS, etc attacks are also present, of course. This point didnt make much sense to me. The identical attack is present today. If i replace someones DNS records with a new entry for slashdot, then i can socially engineer their slashdot username/password. Passport makes this threat bigger and more real, especially on a company network where a bad employee could engineer some bad things.


    I think the paper was really a re-hash of existing problems, and existing attack methods. The main difference is that instead of one or two applying to passport, they ALL apply to passport.

    Centralized authentication would be nice, but not for the risk. But for certain, this paper didn't expose any new or unknown about Passport.
    • Goto http://www.setco.org and in the product matrix click on Microsoft's wallet.
    • The biggest problem is with having one centralized database that the vast majority of users use. If there were 12 or 15 different implementations of the same scheme with different operating systems the problem lessens. Some of the methods of getting the information don't change no matter what you do but crack attempts are greatly complicated by having different implementations. A central repository will be the target of every black hat out there. Split it up and diversify it and any one of the schemes is less likely to be beaten. Use open protocols and operating systems, have lots of repositories and there is less danger to all. I personally think MS is crazy for wanting it all on their servers. When they get hacked it will be the single biggest computer news story ever. I don't think any software company, no matter what their advertising and lobbying budget is will be able to withstand the backlash of public opinion. Senators and Congressmen use hotmail too or if they don't family members do.
  • "its not lame anti ms rhetoric"
    Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?
    Oh yeah, and where the hell is the punctuation? Shouldn't it read "it's not lame, anti-MS rhetoric"?
    I mean... thats 6 words... and somehow /. editors managed to fit in about 3 mistakes in 6 words?!?
    /. isn't exactly renowned for it's editing, but this seems to be a new low.
    The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.
    • The post also has nothing to do with the article, we're given very little info. Of course, now I know its not lame and that its "a good read", but I kinda expect that would be why it's posted.

      Actually this is a plus point, and exactly how they should do it. A news reporter should report, and not add his opinion to it.

      Many news on /. are not *lame* anti ms rhetoric themselfs, but often times the submitters add they ""lame"" opinions to it, and many reply comments come from a feared view, so are FUD, from both sides.

      I think most of the anti-ms FUDs actually hurt the OpenSource communitiy, as it looses seriousity through this. Through all the FUD avalanche the serious crimes weasel through unnoticed. In some degree some stories had their positive effect, like in example the canceled program where they tried to track people who buys pc without windows preinstalled. Constant watching and finger clapping seems to be necessary to trust bindly IS a failure, for both ms-product costumers and their competition. However we should take care to not spread pure FUD, but try to make serious stuff, and not to cry for everything, especially unprooven actions.

      Yes, grammar errors make a bad impression on first sight, but actually this is just dealing superficially. I know my grammar is bad since I'm no native english speaker, and haven't yet learned better, so please spare my post from your corrections.
    • I honestly wonder how someone as... uhm, challenged, as Malda managed to start and run Slashdot in the first place. I say we have a new Poll:

      Who should take over Slashdot?

      • Anonymous Coward
      • CowboyNeal
      • Hemos
      • timothy
      • Write-in (post it in a comment)
      • etc.
    • There are a lot of lame articles on slashdot. Poor spelling, punctuation and grammar are the norm. Not to mention non-existent fact checking.

      Remember, AMD and Linux are good, Intel and Microsoft are bad. Why think when the collective can do it for you?

    • Re:What the hell?!?! (Score:4, Informative)

      by ninjaz (1202) on Sunday August 05, 2001 @10:05AM (#2124769)
      "its not lame anti ms rhetoric"

      Is this supposed to suggest that other MS articles that are posted to /. *ARE* "lame anti ms rhetoric"?

      It sounds to me like it means: "This is not the same punditry you've seen before bemoaning MS being the holder of all keys, it is a technical discussion of the protocol/service".

      There was no mention of other Slashdot stories. I think it's assumed that Slashdot readers also consult various other sources of news and information (being that most of the stories are from reader submissions and all)

      /. isn't exactly renowned for it's editing, but this seems to be a new low.

      The post also has nothing to do with the article, we're given very little info.

      Slashdot has never been about the editing. It's about geeks swapping info/opinions/war stories/etc about the news of the day.

      If you want good editing, visit Linux Weekly News at http://www.lwn.net/ [lwn.net]. Or if you want to bash other people's editing, you can do that, and have the power to rate the story itself down, so it won't get posted, over at Kuro5hin - http://www.kuro5hin.org/ [kuro5hin.org]

    • But 99 out of 100 MS-related articles here on /., (there's your punctuation) *ARE* indeed lame and mostly untrue anti-MS articles.

      Slashdot does a great job spreading FUD about MS and MS products. Slashdot cannot be regarded as a credible newssource for MS related stories. In fact, the amount of anti-MS FUD coming from slashdot has outgrown the amount of anti-OSS FUD coming from MS.
      • Hm, just looking at the front page now, there are 2 out of 2 articles that are uncomplimentary towards Microsoft, and rather true as well. The first concerns an insecure web server made by MS, and the other concerns MS's leveraging their monopoly to block third-party software that performs similar functions to MS's own software.

        Slashdot cannot be regarded as a credible newssource for MS related stories.

        (dripping with sarcasm) Oh, really? Did you just figure that out now, Brainiac?

        • No. But the dude who wrote the article I replied to seems to think it is.
          • I don't think it is.
            But I do not see why it CAN'T be.
            I just think that by putting "its not lame anti ms rhetoric" they seem to acknowledge that other MS articles posted on /. are unreliable. My point was that if they acknowledge this, why don't they do something about it?
            • I don't know. Frankly, the editors that post the MS articles are making fools out of themselves. Slashdot these days seems more and more about posting negative MS articles, and less about "stuff that matters."
    • I mean thats 6 words...now I know its not...that its "a good read"
      You don't seem to be immune yourself - you've missed three apostrophes from thats, its, and another its.

      -dair
      • "its" does not require apostrophes in any of its incarnations, possessive or abbreviative.

        Check a grammar reference.
        • michaelatwd21dotcodotukdotspamproof stated with hilarious arrogance:
          "its" does not require apostrophes in any of its incarnations, possessive or abbreviative

          Well, now we know what the British public school system is worth. It's useless!

          • Firstly, I did not attend 'public' school.
            Secondly, I am not arrogant, I am merely correct.
            Please consult the Oxford English Dictionary at
            your leisure.

            As an interesting point of discourse, note that
            the rule 'i before e except after c' does not apply
            to the word "leisure". There are rules and there
            are exceptions.
          • You should come to Glasgow. They stick apostrophes everywhere, even on words that just happen to end in 's'.
            Of course "shopkeeper apostrophes", where you put an apostrophe in a plural, is the favourite...

        • Re:What the hell?!?! (Score:3, Informative)

          by Superkind (261908)
          "its" does not require apostrophes in any of its incarnations, possessive or abbreviative.

          Actually, as an abbreviation for "it is" it does.

          • Try having a look at the Oxford English
            Dictionary; unfortunately its not available
            online unless you pay. It states that:
            + "its" is the possessive form of "it"
            + "it's" is an abbreviation for "it is"
            However, "it's" may also be written "its".
            Moderators, please remove the points rashly assigned
            to the parent post; it is firstly offtopic and
            secondly wrong; unfortunately I am probably too late.
    • /. isn't exactly renowned for it's editing, but this seems to be a new low.

      Before you go mouthing off about other people's poor grammar, check your own first.
  • by Old Wolf (56093) on Sunday August 05, 2001 @09:32AM (#2127399)
    I have some experience to draw on here. While developing an internet-based payment system [perceptions.co.nz], I had to evaluate various security scenarios. The payment system is a server (Apache+PHP :) with connections to a transaction switch which is connected to a bank; a Merchant shopping site will redirect a customer to the payment page, who will make their payment there, and return a success or failure flag to the Merchant. The Merchant will tally up cash with us or with the banks in their regular settlement.

    The first scenario I decided on and implemented was the similar as what Passport is using, but with the 3DES-key optional (so that Merchants with poor web coders could still participate). For the rest of this discussion, I'll only refer to the version with the DES protection.

    Also, being a payment system,there was only one ever call and one return with results -- not a login and logout process.

    We found that by using various SSL, cookie methods, and so on, we could get around all security flaws, but the downside is that the Merchant has an awful lot of responsibilities, including:

    • Verifying, encrypting and decrypting the 3DES keys
    • Keeping its 3DES key secure...
    • ...which entails keeping its system totally secure from hacking
    • Implementing the rest of the protocol to communicate with the Passport etc. server via cookies
    • Generating cookies that work correctly in any version of any browser (even getting them to work correctly in one browser is a hassle!)
    • Detecting duplicate transactions (for example, J.Hacker does a valid purchase for $1; and records the connection, then comes back later, begins a purchase for $10000, and intercepts the connection and responds with the $1 packet)
    and the list goes on. In the end I decided that while it was a security model that held together, and if I were coding for the Merchant I could do it correctly, but there are many Merchants that would simply fail to do it right, and either have it work buggily or insecurely, or not at all, and then blame the system (or the customers would blame the system).

    It's easy to say "Well, they should do it right," but when you've been in the commercial world a while, you realise just how incompetent many companies are.

    In the end, tired of patching up small hole after small hole and writing merchant integration documents, I changed my mind and chose an alternative scheme which may seem harder for Merchants at first, but in fact leaves them as little room for going wrong, even if the transactions run a little slower.

    Conclusion? Hack just one of the merchants involved in Passport, grab their 3DES key, and you're in and untraceable (bar the merchant actually keeping valid authentication logs and being able to follow them; in which case the worst that could happen is that they change their 3DES key). The security will deter script kiddies but a hacker with serious skills will have a field day.

  • "The bulk of Passport's flaws arise directly from its reliance on systems
    that are either not trustworthy (such as HTTP referrals and the DNS) or assume
    too much about user awareness (such as SSL). Another flaw arises out of
    interactions with a particular browser (Netscape). Passport's attempt to
    retrofit the complex process of single sign-on to fit the limitations of
    existing browser technology leads to compromises that create real risks."

    Do we really *need* Passport?
    • Grr, I messed up the subject :(
      Not enough coffee today
    • by j-beda (85386) on Sunday August 05, 2001 @08:35AM (#2121100) Homepage
      Do we really *need* Passport?

      Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed. I think that XNS [xns.org] has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

      • Probably not, but a secure single sign on would be nice, if the proper privacy and security issues can be addressed.

        It might "be nice," but for whom?

        Why does this info need to be on an external machine at all (other than helping Microsoft or government bureaucrats)? A browser (or an add-on) could do all that with a locally encrypted database (which can be copied or synchronized with, say, your laptop) and you don't have to expose your personal info and browsing habits to some central agency to collect, track and correlate. It need not essentially be any different than the list of bookmarks bookmarks or email addresses we already use. If you have multiple machines, you copy your bookmarks or email address book to other machines.

        The commonly parroted "Passport rationale" could be equally applied to browser bookmarks or email address book and, if it had any merit, we would already have our bookmark lists and email address books on the Microsoft servers to use as they wish. We don't keep them there. And the same will apply to the Passport scam.

        So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books.

        • by Anonymous Coward
          The idea behind passport and a centralized approach is so that yourinformation is available EVERYWHERE. If you went to a place that has internet enabled kiosks and you wanted to access your information you would have to have synced it with this system. Using passport, or another system like this, the user doesn't have to worry about syncing at all.

          Perhaps a better approach would be to create smart card tehcnology that holds this information. The biggest security risk here is losing your smart card, probably about as damaging as losing your credit card, perhaps more so, but it's realistically the only alternative. Syncing is not alternative becaus eit limits where your data can be accessed from.

          Keep in mind that many of the systems Passport and Hailstorm, because the two are intrinsically intertwined, do not exist. Passport and Hailstorm could conceivably eveolve into smart card technology or PDA bsed systems that use IR or Bluetooth to communicate with each other. These two technoogies represents innovation and the future of computing systems. Let them flourish and see where they take us. Don't rip them out with the weeds because you don;t understand them.

            • "So, could you explain, where is the gain for the user (not Microsoft or government bureaucrats) in keeping personal info on Microsoft servers, and how does that same reasoning fail to apply to your bookmarks or email address books."

            The idea behind passport and a centralized approach is so that yourinformation is available EVERYWHERE.

            That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)?

            The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruse ship, without that so "terribly hard" job of having to copy address book to your laptop.

            While you can argue theoretically using some contrived low-probability scenarios or by tweaking your weighing of one convenience (usable "everywhere" and without needing to copy data to other computers) vs all the problems, to conclude that Passport-like schemes will take off, the only weighing that counts at the end (the hundreds of millions of email address books & browser bookmark users) has already been done and the result is: No Thanks. I would rather copy my email address book and bookmark files to my laptop than have Microsoft or government keep them for "my" convenience on their servers. The same goes for my "usernames" and my "passwords."

            The Passport will take off the same way the so-called "push technology" and other such scams, disguised as the great "conveniences" for the users, took off. They are much too cheap and transparent, even for the TV zombie generations lobotomized by the PeeCee "education."

            • That is what I was asking above -- why does not that same rationale (which is commonly being peddled by Passport advocates) make users keep their email address books or bookmark lists on Microsofts or AOL servers, instead of keeping them on their local machines (and copying these lists if needed to their laptops or other machines)? The answer is that the heavy and numerous downsides of a centralized third party database of your personal data far outweigh any minor convenience of being able, say, to email friends from a cruse ship, without that so "terribly hard" job of having to copy address book to your laptop.
              Actually, I do keep a list of email addresses, as well as phone numbers on a Yahoo account, even though I don't use Yahoo mail. I find it hard enough to keep my work and home machines in sync, much less my non-existent laptop to take on cruise ships.

              I also keep an encrypted list of passwords in a file on a central server somewhere. I do that not just because I want to access them from more than one place, but also because I want to have them if my hard disk crashes (which happens about one every three years).

              The "numerous and heavy downsides" of Passport are so far entirely theoretical. I've never seen a single complaint from anyone.

      • ..if the proper privacy and security issues can be addressed.

        The inherant problem with this technology, however, is that in order to have a secure, single sign on, somewhere there has to be a database, accessable to the internet in some fashion, which has the username, password, and private information of whoever wishes to use it. There's just no way to get around that. And no matter what platform this system is running, there will be never ending attempts to bring it down or r00t it.

        Plus, i don't like the idea of my private information being the property of a corporation.

        ~z
      • I think that XNS has a chance of doing this type of thing better than any of the closed source alternatively like Passport.

        Holy fsck is that ever ignorant!

        Why are open-sourced foo always better than closed-sourced or company-owned foo? And why do most /.ers just accept that on faith? Sure, many great things have come out of open source, but that does not automatically qualify everything stamped with GPL/BSD/licence-du-jour or appears to have a transparent process as a Good Thing, just as not every thing published by the big-bad-company is a Bad Thing.

        As it stands now, Passport exists, appears to be scalable, and works most of the time, which is a lot more than I can say for XNS. And yes, Passport has problems right now and will have problems in the future, as will XNS. It's a part of the development process which can't be avoided but at least Passport is out there now, being used, attacked, and debugged, before it or anything else becomes somewhat of a universal standard when real $$ is at stake.

        And given the choice of who to fix an emergent security concern in their respective systems, would you trust the well-intentioned staff of XNS, who are either very knowledgable but potentially few and far between (cf recent slashdot and K5 outages), or somewhat knowledgable and found in abundance; or Passport, staffed 24x7 by an army of people who at least know what they are doing and are eventually liable to shareholders and business partners who have multi$billions to throw around (or not)?

        XNS and anything else that comes along will necessarily have to learn from the mistakes made by Passport now, and I don't think that's a Bad Thing. As it stands right now, the afore-mentioned army of developers _who evolved the current system over 5+ years and must listen and respond to customer and partner concerns or lose business measured by six or seven zeros on a daily basis_ aren't getting it entirely right, so why would I think that an emergent cadre of excellent but not-entirely-devoted developers with comparatively zero funding can _build and maintain_ what amounts to a public infrastructure (something which doesn't lend itself well to being maintained by an entity, staffed by few enough people that they can all be killed in one incident, and without real-world liability for failure) to serve billions of people world-wide? I don't.

        </rant>
      • The situation without passport is even more insecure because:
        - it relies on individual vendors to provide security for communication
        - consumers trust these vendors to do so in most cases
        - any vendor protocol is subject to the same security risks as passport
        - most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

        Any solution that improves the current situation is a step forward. That being said, the real issue is trust and I am a bit hesitant to trust a commercial company with privacy sensitive information (this is not anti MS, I wouldn't trust Red Hat with it either). The only way I could trust a passport server would be if it were protected by laws making every kind of abuse (including using the information for marketing purposes) illegal AND if it were maintained by an organization (preferably governmental) that has no interest in abusing this information. MS fails both requirements.

        Interestingly, laws for the first requirement exist in some countries. It wouldn't surprise me if MS would run into legal trouble at some point for violating such privacy protecting laws.
        • The situation without passport is even more insecure because: - it relies on individual vendors to provide security for communication - consumers trust these vendors to do so in most cases - any vendor protocol is subject to the same security risks as passport - most vendors are script kiddies rather than security experts (i.e. they are quite clueless about implementing proper security)

          Yes, but since the current system isn't centralized, a hacker can only crack one transaction or vendor at a time. With a centralized passport system, a hacker could crack one username/password and gain access to incredible amounts of information and purchasing power. Plus when the Passport servers are cracked (I think it's inevitable that they will be at some time, somehow) the consequences will be catastrophic.

  • Most of the attacks in the report are agains 'single signon' systems and not confined to Passport.

    A couple of things that passport does could be done better, but there will always be idiots and ignoramus's.

    As the saying goes: "We can make it foolproof, but not bloody-fool proof"

    Passport's biggest problems are that it is a single point of failure, and also that it tends to extend Microsoft's monopoly.

    I am still waiting for xnsorg to deliver some source code, hopefully addressing both these issues.

  • I think a much better alternative to Passport is smart cards. You can think of a smart card as your own, personal, secure little "Passport server", a server that is entirely under your control, including physical control.

    Passport seems to me like an attempt to centralize a service because it is highly profitable for the service provider to do so, not because it makes sense. (AOL IM is another example.)

  • I'll agree with people that this paper [avirubin.com] is much more than your average MS-bashing that we experience here at Slashdot. It's good to see that the authors had done the technical research and had the evidence to back up their claims. It also had some interesting points that I though I'd might mention here:

    • The first interesting point I noted is that while using Netscape, clicking on the Logout button for Hotmail would appear to log you out of Hotmail and redirect you to msn.com. But if you were to click the Hotmail link again, you would appear in your inbox without reauthenticating. Needless to say, this creates a major practical security flaw for non-technically-minded users (ie. the users most at risk because they don't fully understand how the whole process works) as someone on a public terminal can commandeer a previous user's Passport account by simply clicking on the Hotmail icon, hence gaining access to their account. So Passport doesn't work properly with Netscape, but works fine with Microsoft Internet Explorer Conspiracy theorists and Microsoft bashers, do what you will with that statement. The obvious solution to this problem is to use MSIE (a morally repugnant option to some in the Slashdot community), but it shows the problems that can occur when differing platforms aren't properly taken into consideration.

    • The central point of authenication can also prove a security risk as it provides a central point of attack. There's no real way around this particular risk as it's a long-accepted notion that the more valuable data is on a machine, the more likely it is going to be compromised (or at least, attempts are made). So to have vital information for all Passport users on a single server (correct me if I'm wrong) makes a very tasty target for hackers, crackers and anarchists the world over.

    • It's been a long-accepted notion that the weakest part of any security system is the people, and that includes everyone from users to sysadmins. So if you choose an obvious password (like "swordfish"), then your account is more likely to be compromised because the hacker can just guess your password, rather than employing elaborate methods (such as DNS spoofing, explained here in this SANS article [sans.org]) to compromise your account.

    • And finally, I'd like to point out that Passport, while having serious security flaws, is an abitious project that makes the best of existing technology. It's alright to stand up and say (or post, in this instance) that Passport is insecure but until we fundamentally change existing protocols (DNSSEC and IPSec are two suggested standards) then this is what we have to deal with.

    In conclusion, you can say what you like about Microsoft, but unless you have evidence to back it up, you won't have much credibility. At least these people did their homework.

COBOL is for morons. -- E.W. Dijkstra

Working...