Slashdot stories can be listened to in audio form via an RSS feed, as read by our own robotic overlord.

 



Forgot your password?
typodupeerror
Microsoft

Microsoft Launches Passport 194

Posted by justin++
from the privacy? dept.
Microsoft today "launched" Passport. Passport is an on-line wallet service, meaning that all your billing and other information is stored centrally with Microsoft, so that you don't have to retype it every time. Passport was used by a few Microsoft sites before, but with today's announcement, an additional fifty or sixty sites have adopted the technology. While my initial concerns were about privacy, they were mostly (but not completely) covered by the aforelinked press release. A news.com article cites a research analyst as saying that one day, Microsoft may wish to take a percentage of the profits, and go for a monopoly on e-wallets. Certainly is a lot to speculate on here...
This discussion has been archived. No new comments can be posted.

Microsoft Launches Passport

Comments Filter:
  • If you absolutely can't be bothered with typing in your credit card numbers and you're enslaved to Windows, at least use MS Wallet, in which all your info is stored on your hard drive as opposed to God-know-where. This service is bound to fail. Imagine if every single one of the twenty-million Hotmail users had their credit card information in their account instead of just e-mail.
  • I've seen the ploy - Rebates. All the prices on the site will be jacked up, and you won't be able to by anything cheap without a e-wallet account.

    Sound familar?

    (Looking at real wallet full of "Price Club" cards.)
  • I agree completely. I wasn't suggesting that yet another MS monopoly was a good thing - only that it is likely. They are very good at embracing new technolgy and extending their products to incorporate the new technology? Is it fair...probably not. Is it legal....I think it probably is. Maybe we all should have bought more Macs back in the 80's :)
  • I think it would be fair to say that I'd trust Microsoft to secure my data if I made a credit card purchase over the phone, where there's no implicit connection with the outside world. I might even trust them if I made a purchase via the Internet, and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.

    But I don't trust Microsoft to take my credit card number and selectively make it available to others, in the mould of Microsoft Passport. That seems like a far riskier proposition than trusting them for a single order.

    D

    ----
  • It's been said, but it bears repeating:
    There's still _some_ private information going from your browser to the vendor telling them how to charge you for the product, whether it's a CC number or a Passport ID.

    And, it's removing responsibility for care and caution from the user and putting with a large corporation. How long before the _capability_ of using care and caution is removed from most individuals? We're moving in the wrong direction. Instead of hiding things more and more from the user, we should be empowering the user, and teaching them. Making things easier and more understandable does not have to mean less empowering and flexible.

    Which reminds me, I'd like to see a Linux distro whose main purpose was user-training. A distribution with help and training info built in as you go, so that the process of installion is necessarily also a process of learning the Linux system.
  • Good heavens...I was just being ironic. How it might be construed as foolishness I have no idea, unless perhaps you took me as one of those "literal word of God" folks.

    I *do* have *two* shiny plastic fish on the back of my car, but one says "Darwin", and has feet, while the other says "Linux" and sports a shark fin. (thanks to the gang at www.thinkgeek.com). I also have a pentagram sticker in the back window, next to the AOPA wings and rainbow triangle. :-)

    Paranoid? No more paranoid than to want to have personal control of my personal information, and to want to hold the reins on my own use of strong crypto, when I think it's necessary.

  • With 80%+ posts being anti Microsoft I challenge you (us) to come up with a better service. The privacy issues are real and I agree there is a need to be concerned but we do need something like this from some vendor. I have to log into just about every web site I visit and typing user names and passwords just plain sucks. (I use a shared computer at work so getting the computer to remember my password is not an option). A Passport like service that managed to deliver just the information I want to let go would be great, even if it did only handle the simple task of logging into sites and had nothing to do with e-commerce.
  • What happened to Cyrix? Do you have a link?
  • by InThane (2300) on Tuesday October 12, 1999 @04:40AM (#1620891) Homepage Journal
    I worked in the test department next to the passport people, and for various reasons I actually got a rundown in how it worked at one point.

    Basically, it's to keep your credit card number from EVER crossing the ether using a public/private key challenge system to log a transaction. The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged seperately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.

    Me? I'll avoid it like the plague. This is MS, after all.

    Oh, and I only tested software there. Don't blame me - they didn't listen to me when I found the bugs, so it ain't my fault. ^_^
  • Will this enable microsoft to track everything I do, what effect will this have on my day to day purchases?

    Microsoft has NO fear of free software. In their latest monopoly they go one step further. They can now give away (and even pay you to use) Windows 2000 because every purchase you make will line their pockets. Every single purchase adds more $$$$$$$'s to the coffers of Microsoft.

    But only if you use Microsoft software. And everyone will.

    ...Except me. It's Y2K but yet worse. Even as I type this I am buying a shack in the middle of nowhere with no connections to the outside worlds so that I may not be scared by evil.

    -Brent
    --
  • by mosch (204) on Tuesday October 12, 1999 @04:41AM (#1620893) Homepage
    5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".

    4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

    3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

    2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

    1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

    I've seen this coming a mile away from the beginning of the browser wars and the rumbles about microsoft owned websites. The obvious hope is that by having control of the desktop operating system they have control of the browser. By having control of the browser they have control of the sites initially visited by the user (an exceedingly large percentage of people don't change their startup page). By having control of the sites initially visited, and leveraging this "e-wallet" they also make money from every purchase.

    Ah well, such is life in corporate America.
  • It seems a major worry that the all powerful and o-so-trustworthy M$ will become the central cross-roads to a bulk to electronic trading on the net & be the holder of such important market research statistic... From where I'm standing it seems to be just a bit of a scam to help along M$'s marketing juggernaught. With each registered user, M$ is gaining a valuable and accurate segment of gigantic web-market shopping demographic. They will be able to track and analyse the spending patterns of all their registered users for next to nothing. Would you really want M$ to have the means to leach off information like that off you? TO me it's just another piece of the jigsaw that will just add to m$'s profit maximising schemes

    AT the moment you can usually CHOOSE whether or not you become part of a particular company's marketing survey or not. By choosing M$ wallet you are essentialling signing yourself up to volunteer, perhaps unwittingly, to help out with M$ massive marketing research department. Doubtless, this will just lead to M$ finding more ways to rip off poorly-informed e-commerce users.

  • I was under the impression that the hotmail security hole was actually explicitly added to allow Microsoft's Messenger to check your hotmail box without having to prompt for another password.
  • It is my understanding that changes were made to the CGI when Passport was integrated, and that is what allowed the security hole. If I'm incorrect (which I'm pretty sure I'm not) then it's certainly not intentional FUD, but rather my own misunderstanding.

  • Novell made an announcement about digitalme (http://www.digitalme.com [digitalme.com]) about a week before the Microsoft announcement. Digitalme seems similar, except it's not demanding your billing information, and it's designed to let you control what parts of yourself you want to share with whom. And it's using their directory services to do it. I have no idea what Microsoft's backend is. Overall, Novell's concept seems less creepy.

    Novell's also talking about freely releasing some of the digitalme tools--of course, you'll need Novell stuff to do it, but it's a start...
  • Ok, so I forgot to read one line of the previous post. :) Here's some info on Amex's "Wallet [americanexpress.com]"
  • I'm sure EDI has a transaction type for this sort of thing already.

  • markw@veda:~ > mail -s "you suck" `echo "webmaster@666.rawtruth.com" | sed 's/666//'` webmaster@.rawtruth.com... Invalid host name /usr/local/home/markw/dead.letter... Saved message in /usr/local/home/markw/dead.letter markw@veda:~ >
  • ...after that whole Hotmail incident where anyone could read anybody's mail off of some site (on hotmail, heh) without a password.

    Ridiculous. I don't trust M$ one bit on this.


    emufreak
    www.kontek.net/pp
  • Will this enable microsoft to track everything I do, what effect will this have on my day to day purchases?
    Will microsoft care?
    I think Ill be staying away for a bit...
  • Saying only Microsoft has your credit card number is like saying only the mafia will be collecting your gambling debt.

  • The concerns about "corporations having my information" are very valid, but unfortunately, this battle is pretty much over. The battle was basically lost before there even was "e-Commerce".


    Correct. The battle was lost when the credit card was invented. If you're really that worried, use cash/checks. Cash only, if you want to be that paranoid. Taking it a step further (and a rather ridiculous step to me) keep your money in your mattress (figuratively; i.e., don't have a bank account if you're that worried) and then you'll know where your money is and all that jazz.
  • What makes you think I like Linux? I hate Linux!

    -WW
  • I just found a cool bumpersticker today...

    "Freedom is the distance between Church and State."

    -WW
  • Isn't this Passport service the main cause of that little Hotmail fiasco a couple weeks ago? I'd be a bit skeptical about storing my financial data online anywhere, much less with a service that has proven already once to be insecure. (fixed or not, it's hard to trust something that has been cracked that easily in the past)

    Not to mention, I get a bit paranoid when M$ is involved in anything regarding personal finances.


  • >>My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?

    We ARE talking about M$....
  • The Register also mentioned the M$ e-Wallet [theregister.co.uk].

    This article mentions that AOL and IBM also offer an e-wallet service, although the data is stored on your local computer and NOT on some corporations marketing database.

    Someone have exeperiece with the M$ e-wallet? I'm wondering what the increase percentage in junk mail is (e-mail, snail mail, AND phone).

    ~afniv
    "Man könnte froh sein, wenn die Luft so rein wäre wie das Bier"
  • But remember, it isn't a matter of "trusting them with a single order". If you make a single order, they have your credit card information. This is no different from if you signed up for "Microsoft Passport". They could just as easily make your card number available to others in either case.

    Perhaps the misunderstanding comes here: ...and it was a one-time thing, because they would (at least theoretically) simply pass the number straight to their processor, without actually saving it on their servers.

    In actuality, the card authorizers, accounting departments, etc. all require audit trails for everything, including card numbers. The last retailer I worked for kept this information for at least a month in the "live" system and essentially forever in their backups. They weren't unusual.

    They have to save this data for the simple reason that if you contest the purchase, they have to be able to show what actually occurred. Not to mention the plethora of systems problems that might require the retailer to go to original data simply to get paid.

    (Of course, the marketting department often gets its greedy little mitts on the data, but that is a different story.)


    ...where there's no implicit connection with the outside world.

    It is actually much easier to intercept a phone conversation then to install a packet sniffer. It takes only a few dollars worth of equipment from radio shack. (And lest you think that this is rare, the people two houses from me down got a $900 phone bill last month caused by two kids who did exactly that.) Also, in a phone conversation, you are essentially giving your card number to someone who likely makes around $6/hr.

    One of the advantages of e-Commerce is that fewer people see your card number. In fact, if all goes correctly, no human being will actually see it. Contrast that to real world purchases, where we often hand our cards to low-paid teenagers without thought. (Most of whom are honest, but it only takes one with a head for numbers...)
  • by Black Parrot (19622) on Tuesday October 12, 1999 @04:12AM (#1620914)
    Now an e-mail attachment can spend all your money. I truly feel sorry for the people who are going to get burned, burned, burned by this.

    But hey, I'm sure Truste will assure us that everything is A-OK. And if we do get robbed, they'll be quick to assure is that it won't happen again.

    p.s. -- I wouldn't even sign up for this if someone other than Micorsoft were doing it. So you can imagine how I feel about having someone so security unconscious as them managing it.

    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • Like I am going to trust microsoft with my money. I wont use it just because it has been implemented by them.
  • The site you visit bills Passport, Passport bills your credit card, and the number never goes anywhere. Since each transaction is logged seperately using a different ID, you can review your transactions online (theoretically) and make certain that they were all transactions that you ordered.

    That sounds exactly like what First Virtual was doing... First Virtual doesn't do this anymore, I don't know why they quit. Anyway, this isn't very new, so what I'd like to know is: are there any other companies providing such a service at the moment?
  • > they'll keep your windows registry remotely so software vendors can check for compatibility?

    Please be careful with such suggestions, we don't want to give them ideas ;). I mean this is perfectly doable technically (keep a cached copy locally and update it as soon as the user is online, replace the cache on shutdown; wouldn't be a big change considering the frequency of required reboots on windows). I'm sure Microsoft would love having such a system...
    --
  • How many hotmail-esque security holes are in the newly rolled out passport service. I ditched my hotmail account after that little snafu (you know, the one where any hotmail account was open by just a simple little script, glad I don't have many enemies...) that M$ didn't even address until like 48 hours after it was exposed. All these poor morons months later when a similar exploit is revealed on the passport security system. Glad I won't be one of those morons...

    Deitheres - Master of... er... something.


    --
    Child: Mommy, where do .sig files go when they die?
    Mother: HELL! Straight to hell!
    I've never been the same since.

  • by Greyfox (87712)
    Isn't that that software that led to the last MS Security fiasco?

    I wouldn't touch that shit with a 10 foot pole...

  • If any site forces you to use this Password stuff, boycott the hell out of them and let them know you won't be held captive by the monster from Redmond.

    I think I'll wait until smart card technology becomes more prevalent so that I can swipe my card when I want to make a purchase. There is no way in hell that I will relinquish purchasing power to Microsoft. Sheese, I don't even want to touch any of their crappy products.
  • by K. (10774) on Tuesday October 12, 1999 @04:53AM (#1620922) Homepage Journal
    Hey you!

    Yeah, you there, the guy using the mouse as a foot
    pedal!

    Do you hate having to type in a shipping address
    every time you order on the Internet? Or worse,
    are you having trouble remembering your own
    address?

    NO PROBLEM! Microsoft is here to help! We'll take
    care of all those pesky details for you. Our new
    Passport software is your ticket to a stress-free
    junk-filled life. The next version will even wax
    and declaw your cat for you!

    How much would you pay for this amazing piece
    of ultra-modern technology? $50? $100? $1000?
    Well, hold on to your hat! Microsoft are giving
    away Passport for absolutely nothing!

    That's right! In exchange for a complete personal
    profile, including address information, and credit
    history, which as we all know is worth absolutely
    nothing to anybody, Microsoft will give you
    Passport, a passport, if you will, to a future
    of black velvet elvis paintings at knockdown
    prices.

    Worried about security? Don't be. Your most
    private personal details will be stored in
    the most secure form known to science, a
    "hard disk". This revolutionary device encodes
    information using the science of magneticism
    in a form far too small for the human eye to
    read. If a hacker were to gain access to this
    "hard disk", he or she would never be able
    to read the information it contained, even with
    a high-powered magnifying glass!

    Just remember, Big Brother is watching you, and
    he cares!

    [Insert standard EULA and disclaimers here, in
    really small writing so the suckers won't bother
    reading it, haha! - BG3]

    K.
    -
  • The poster said there's a cryptographic challenge/response. This means that through the magic of public key cryptography one party can authenticate itself to the other in a non-spoofable way. It doesn't matter if you see the transaction - you can't fake one yourself or replay it to cause a second transaction to go through. It's not just another number - it's a secure communication.

    Microsoft is smart enough to get the basic protocol right. I have no doubt that they've thought this part through. What worries me is that hordes of script kiddies will scrutinize this newly created gold mine and eventually find something to exploit (as with Hotmail).
  • by Anonymous Coward
    Of course no \.

    I think you mean "/."
    "\." means "whackdot"
  • See my other comment [slashdot.org] in this thread.

  • Why can't this be a client app? Keep all the data on your own computer, then have a nice D-n-D interface that will drop the info from your machine into Amazon's form (or whomever's).

    No central database, you have total control over your own data.

    Perhaps this app could keep track of what you buy and if you want you could sell this info to mass marketers...

    ...richie

  • That post absolutely made my day. Thank you.

    --
    grappler
  • Anonymous auction never works, that's why you need to build up some credential through ebay. I like the idea of smart card, which should be able to transact small amount of money over the net anonymously. These will encourage illegal selling though, and then FBI start selling "Un-registered Photoshop CD!" to trap you.... But it's a good thing nevertheless, much better than MSN passport. Consider this scenerio: You buy a smart card from the newsstand, gets a unique number on the card, say A13764789756, and then you slice you card in the smartcard reader, tell you computer you wish to send 10 dollars to another smartcard, that has a id C76468976432, varla, the guy gets the money and send you his used "The Net" poster. Note I don't want the smartcard carrys password and personal id, it's purely anonymous with open source smartcard driver. That's good enough. That isn't much advcantage to transfer large amount of money in high speed for Joe Sixpact. You want to kick your tire before making the dicision anyway. CY
  • Of course no \. readers are gonna trust MS with this inane idea! Most everyone here rails against MS at every chance they get, and mostly with good reason.
    The issue is, how to get the word out to all those happily blind folks who think the 'integration' MS offers is the best thing since cheese coming in indivually wrapped slices. Most every MS supporter out there likes the MS products cause they're easy to use and everyone else uses them- and they support such with the same vehemence the anti-MS crowd voices.

    So, do we pray that an Open Source model of such a thing is quickly offered as an alternative? I doubt that would work as speed is not a common OS trait, and more people would be less likely to trust such a thing in today's mindset.

    So who will be the alternative? Would a banking coalition be a better alternative? At least they've historically protected accounts, mostly.

    Or perhaps the issue is to point out to people that simply putting your CC#'s in a pswd protected tect file on your HD, then open it, copy it, paste it, into an order site is just as quick as 'assport.
    I mean, sheesh, I'm all for saving time, but it takes, what?, 3 minutes to fill out an order form online?

    I would NEVER use such a service provided by ANY company which has shown such blatant disregard for the consumer as MS. Of course, 75% of the population is unaware of these tactics. So 'assport will be the default until someone cracks it and folks loose big money.
    Perhaps they can apply for FDIC?
  • Firms already have to pay a percentage of revenues to the credit card companies for taking the order. This suggestion is basically the same thing.

    If a start-up retailer has the choice of a percentage of sales or a huge one off investment in order to get up and running with such a system I'd say the percentage is preferable.

    Ideally there would be a buy out option, but no doubt if youre big enough (Dell?) you can negotiate the percentage to something tiny or just pay a lump sum.
  • Anyone want to guess how long it will be until this breaks?

    Its a good idea, but I personally don't like it as it gives MS too much data and thier security concerns are usually about 10th on the list after making money. Although the data isn't stored remotely the transport and the demographics could be recorded and used elsewhere.

    I'll avoid sites that force me to use this, at least for a year or two so that I can see what weaknesses occur and what microsofts long term plans are.

    It sounds like the usual MS cycle - 1) introduce new technology 2) lock up the market 3) slowly start squeezing every cent out of the users that is possible...
  • by Ledge Kindred (82988) on Tuesday October 12, 1999 @05:18AM (#1620941)
    Microsoft already has the upper hand with this and I can forsee it becoming VERY popular. Think about this perfectly reasonable scenario:

    Microsoft teams up with some of the bigger e-Commerce sites, Amazon.com, eBay, Reel.com, whomever, and says, "We'll give you a bunch of co-marketing dollars to start using Microsoft Passport." Of course, the sites go for it because they just want to make money.

    "Everyone" is already using Microsoft Internet Explorer because it's part of Windows and "everyone uses Windows." Next time an MSIE user goes to one of those sites, a new AciveX component will download and they'll get a little message, "Try Microsoft Passport - we'll handle your billing for you! You'll never have to enter your billing information again!"

    The average user isn't going to have any idea what's going on - they only know that they like Amazon.com's "One-Click Shopping" option and if they can get ALL websites to act like that, even better! Clickety-click and their data goes straight to Microsoft.

    It's not about the security or technology -- it's all about how well you can market and making it easier for the sheep to follow the rest of the flock. Hence Microsoft's dominance.

    -=-=-=-=-

  • by SoftwareJanitor (15983) on Tuesday October 12, 1999 @05:18AM (#1620942)
    If you work in the financial services industry like I do. It has been clear to me for a long time that Microsoft wants to skim the cream off of all the financial services industry. They want to cut into the business of MasterCard, Visa, etc. They want to cut into the general banking, mortgage, etc. business. In the future most financial transactions will be done at least partially online, and if we aren't careful, Microsoft will be getting a piece of every transaction.

    What irks me is that management just doesn't see Microsoft as a competitor. We shouldn't be buying any of our competitor's products, because we are funding Microsoft to move into our own markets.

    I'm afraid they won't see it until it is too late.

  • "A $1000 value, absolutely FREE!"

    "Intel P266, 4 gig HD, 4x CD-ROM, 15" monitor, color inkjet printer, and 1 year of FREE internet access via MSN with $1000 credited to your Microsoft Passport account!"

    Waiting for the first spotting...


  • Anyone want to join me hacking this beastie? It would take what, 10-15 minutes TOPS?

    Mmm swiss-cheese code. Yummy.
  • I think the primary difference between MS' Passport and AmEx' Wallet/Blue is that with the Blue card and reader you get a 1024 bit (or perhaps it's 2048bit) token to initiate the process that is sent from your PC. Passport still is dependent on the user supplying a password, which is much more crackable.

    I just went through the Passport [passport.com] setup process to see what they require. You do have to supply a password which "

    Must be at least 8 characters long, and can contain numbers and/or letters, but no spaces. Make sure it's difficult for others to guess!
    "

    But you also give them a question to ask in case you forget your password and there are no requirements for the complexity of the response, (in fact this process almost ensures that a dictionary word will be used by the typical user, though they do warn [passport.com] against this.)

    Also, this whole process apears to be done unencrypted (at least it doesn't use SSL) except your password is masked out. (The answer to your question aparently isn't).

    Since MS is trying to establish a standard for ecommerce, you would think that at a minimum it would require something more secure than an 8 character password (ie 36^8 possible solutions roughly equivalent to 40bit encryption). Also note that when you sign-in to passport, it isn't over an SSL connection either. Also, hotmail users are being encouraged to use their hotmail username/password for their passport account.

  • Disclaimer: This is all hearsay.

    According to this comment [slashdot.org], which should really be moderated UP...

    The credit card numbers stay on Microsoft's server. Store gets a charge authorization from Passport via secure challenge/response and BILLS MICROSOFT. Microsoft then bills you, having never given your credit card number to ANYBODY, even encrypted.

    It's a great idea. But I'll never use it - as I've said before, I trust the protocol entirely, I just don't trust Microsoft to keep a server full of credit card numbers away from the script kiddies.
  • Of course if they try to control the licencing of this technology they way they (and Apple) have done with the Sorenson codec in order to leverage the dominance of their operating systems, I feel sure they'd be hauled up in front of the courts pretty quickly. They'll surely be forced to allow the same features to appear on other platforms.

    Consciousness is not what it thinks it is
    Thought exists only as an abstraction
  • I can see it now. Your W95 machine crashes, so like every monday, you have reinstall:

    Warning! A secret timebomb written into windows has noticed that this is not the original installation of windows on this machine. According to the extremely small print hidden on the microdot of your Windows liscence, this is considered piracy. Deducting $400 penalty from your MicroSoft Wallet account.

    Error! Your Microsoft Wallet account contains only $235. Initiating automated legal action. You should recieve a summons in 5-10 business days.

    Destroying this computer via the secret motherboard bios and Intel chip AntiPiracy features.

    Warning! This PC does not have the Intel chip AntiPiracy features. This PC appears to have been built from components, rather than purchased from a liscenced OEM dealer. This is considered probable cause in your state, thanks to our legal department, second only in power and trechery to the Scientologists. Sherrif's deputies are on their way to the address listed in your Microsoft Wallet account.

    Alert! The microphone on this system heard you chuckle at the Scientology joke above. The Church of Scientology has been alerted and should be starting legal proceedings in 8-10 business days.

    In the future, you can check your PC for priacy violations with MS Piracy Check, for only $699 at your local software store. It allows for automated hardware and software piracy checking, as well as on-line plea bargaining.

  • The fact that the spiffy little lock icon isn't locked doesn't mean the submission is insecure. It means the FORM ITSELF was downloaded in the clear.

    Look at the source. The form submits to an https address. Which means the data you enter is encrypted via SSL when it is sent.

    I'm not sure why so many people use forms that submit securely but are not retrieved securely. If it can confuse slashdotters (as it has more than once) it's bound to confuse the average moron...

    Of course, you're right about the password. The problem is that if they did it correctly (using actual keypairs and certificates) it would take too long and your keys wouldn't automatically be usable from any browser as they are now. As is you can use your Passport account from anywhere - set top box, Palm VII, cafe terminal, whatever.

    Consumers don't want security. They want convenience and the ILLUSION of security.
  • Internet Explorer 5 calls that AutoComplete.
    But it's not really buggy, open-source, and horribly behind schedule. So I don't think Slashdot readers want to hear about it.
  • by radish (98371) on Tuesday October 12, 1999 @05:19AM (#1620954) Homepage
    OK we seem to have a typical /. inferno going on here. Maybe a little pause for thought is called for?

    I'm no m$ "believer", but I do use their stuff (as well as Solaris/Sybase/perl/java etc etc), and I guess I differ from some people here in that I don't automatically assume everything Bill touches is useless.

    So what's with the Wallet? Well first off it clearly states that the wallet itself (and by extrapolation M$ and their retail partners) will not actually have anything to do with cash, credit or clearing. So the posts about getting Fed Res clearance are really a bit lost. All Wallet does is store your CC number(s) and delivery details in a central db. This info is supplied as required to the vendors, to enable them to perform a transaction. The transaction itself is still between the vendor and the CC company. (This is what I get from reading the press release - if anyone has any more practical info on how it works please let us know!).

    Now lets evaluate ...

    In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.

    But of course we don't know what M$ plan implementation wise, and there are huge doubt's about their ability to secure a large system properly. To be fair, I think that in several cases (notably Hotmail) their security is no worse than anyone elses, they just get targetted more. This is not an excuse for not being proactive though! The questions I would ask are:

    * How is the link from MS->Vendor secured?

    And I want details!!

    * Who will be liable in the event of dispute?
    This is an important one, usually (here in the UK anyway) if you have a dispute with a vendor then legally the CC company is equally liable to pay you back. If they cannot prove you authorised the txn, then you cannot legally be billed for it. SO assuming the CC companies are on board with this one, they will have to sort out a good way that disputes can be settled quickly and in most cases in the favour of the client. I personally don't care that much if fraudulent txn's go against my card, provided I don't end up paying!!

    * Are the CC companies 100% on board with this? Will we get them trying to wriggle out later saying they never approved this for payments and so denying liability?

    * Can we have some kind of external audit of how the data is used. I'm not really worried about some kind of big brother m$ collecting info about which pr0n sites I subscribe to, rather that I would prefer they didn't send my home address to their marketing dept. In the UK there is law regarding this, which they would have to comply with, not sure about the legal situation elsewhere.


    So assuming all these questions were answered to my satisfaction, I'd probably be fairly happy using the system. Implemented well it would be a positive boost to online security and convenience.

    Adam.
  • It says so here [gatech.edu].

    (An old'un but a good'un.)

    Regards, Ralph.

  • I agree. The SPOF point you made really hits home - under the current system there are hundreds, if not thousands of banks operating under dozens of francises. It's unlikely that even a complete failure of any one of them, or a small group of them, would have any impact on the market.

    But, what if you disabled electronic transfers between them - no bank could xfer funds to another. In very short order you would have pure chaos! Especially after everybody realized their money wasn't instantly available and rushed to get it out "before everybody else does".

    Yeesh... I can see the headlines now - "Microsoft's Crashing OS Crashes Global Economy - film at 11".

    --

  • If I remember Passport was the authentification scheme used for Hotmail during the Hotmail everyone-read-your-email fiasco. That's not very encouraging.
  • Lets say, 5 million people sign up.

    Someone goes to the passport server facility. Has bug guns. Takes systems.. or even just BACKUPS. I can guarantee your trusty financial institution will be GLUTTED once it hit CNNfn.

    Come on people... it happened to Cyrix.

    Roger
  • A bit off on the economics. Yes, Microsoft can charge at the monopolistic equilibrium - but that would not be the most efficient as far as society as a whole is concerned. Free markets only work correctly tgiven the presence of competition - if there is no competition, some form of control must be used in order to achieve maximum social efficiency.
  • I completely agree. If any site FORCED me to use 'assport, I surely wouldn't buy from them. There are plenty of alternatives (unless EVERYBODY uses them, but ain't gonna happen).
    Yes. Smart cards I can swipe at home. Is https locked-down enough to ensure that privacy? Can the bad guys crack such a 'secure' transmission?
    I need to read about Amex's Blue thing, but yeah, why not have all banks do this? I wanna buy sumptin, I swipe my credit card, the website directs it to the issuer, they bill...
    Why does MS have to be involved at all?
  • Before I get moderated down to very negative numbers for posting something that isn't anti-microsoft, I want to ask why this is so bad?

    I'm sure people said the same things about credit cards when they were first introduced. "Oh my, if someone gets my number, they could buy things with my money!" This indeed turned out to be a problem with credit cards, which is exactly why it was addressed, and now you are protected. You can dispute charges on your card with any reputable credit card company.

    If this privacy/cracking issue is such a big deal (and it is to consumers) then it will be addressed or people simply will not use it.

    Don't give too much credit to microsoft and not enough to the average consumer.

    LL
  • I don't automatically assume everything Bill touches is useless.

    Well, at least this time, we don't need to assume.

    In theroy this is a great idea. The major security risks in online commerce are twofold - (a) Someone intercepts your details in transmission to the vendor, or, (b) the vendor acts dishonestly/carelessly. If the link from MS->Vendor was secured beyond the level usually used in a browser, then the risk from (a) is lowered dramatically. Also, as the novice user will be encouraged to only shop at "certified" stores, the risks from (b) will be reduced.

    Good god, man! Do you have any idea how evil this sounds? It looks like a) An excuse for keeping decent crypto out of the hands of end users. b) A way to restrain trade.

    If the link from vendor->MS is secured beyond what is typical for a browser, then don't you think it would be better to improve the browsers? And do you really think this will offer more consumer protection than credit cards already do? There are already enough barriers to starting a business, we don't need another one.


    ---
  • 5) Creates another company which has detailed records of your spending profile complete with name, address, phone number, etc. Hooray for "targeted marketing".

    Too late for that. If you buy from catalogs, or buy on the internet, or shop at the grocery store with those "club" cards, the battle is lost. The data is being collected, and most likely exchanged.

    The only real way to prevent that is to only use cash.

    4) Creates a massive SPOF. What happens if the passport servers are off-line? Can I still shop with my AmEx or are the stores basically out of business?

    It would obviously be in the store's best interest to keep a backup system that works buy taking your number directly. Stores would have to have this anyway for customers who aren't in this program. No retailer is going to turn you away because you don't use this system.

    3) Okay, now instead of Visa charging 1% on all of my transactions, I'll have Visa charging the retailer 1% AND Microsoft charging the retailer 1%. Likely result? They'll pass the costs to me!

    Perhaps not. This will likely lower their liability as the chance of some two-bit small retailer absconding with the card will go down. Remember that if someone charges $5000 on your card, it costs you $50 max and the retailer's involved $4950.

    2) If a large amount of people start using this, then smaller on-line retailers will suffer. Yay, monopolistic control of another market!

    It should have the opposite effect. It should make people less fearful of spending at a site they know little about. They are more likely to push "submit" at "Paul's Pleasure Palace" if they know that they aren't actually sending their card number to Paul.

    1) Who will audit this? Who will ensure the security? Microsoft? This isn't a microsoft bash, I wouldn't trust ANY company to audit themselves properly.

    Then you better not be spending online. If you've bought anything for Microsoft online, then you've already given them exactly the same info that they'd have here. Same goes for any other company you've got from.

    The concerns about "corporations having my information" are very valid, but unfortunately, this battle is pretty much over. The battle was basically lost before there even was "e-Commerce".

    Working at the headquarters of a major retailler, I used to see huge, hundred page printouts of charge numbers just laying on a table outside of an unsecured room. Those charge numbers were given to the company by customers at their brick and morter stores. Those numbers were also used for "marketting purposes".
  • Soon MicroSoft will be joined by real competition here. See: RFC2706 [faqs.org] (ECML v1: Field Names for E-Commerce)

    Customers are frequently required to enter substantial amounts of information at an Internet merchant site in order to complete a purchase or other transaction, especially the first time they go there. A standard set of information fields is defined as the first version of an Electronic Commerce Modeling Language (ECML) so that this task can be more easily automated, for example by wallet software that could fill in fields. Even for the manual data entry case, customers will be less confused by varying merchant sites if a substantial number adopt these standard fields.
  • From reading l0pht releases, they seem to allow companies more than ample time to fix the problem before they make any announcements. They're sort of charitable like that.

    Guess someone could just ask them. I think I'll e-mail mudge.

    J.
  • Can somone Explain why I need this service so badly? I seem to be doing fine without it now, and I do online purchases and get bills paid. Just a thought: Anything on any computer is open for abuse. If you put everyones info in the same place. Its just that much easier to abuse. In the end its your life to abuse as you will.
  • At the risk of sounding intensly paranoid (I've just re-read the 'Halloween Memoranda'), is it possible that M$ is trying to judge the level of 'trust' their userbase has in them and their products?

    Consigning your credit information to an online bank is problematic at best, but to use M$ with their demonstrable inability to understand system security sems like, well, the act of a total sucker.

    So if I was a crazed marketeer (M$ as we all know is not a software company but a marketing arganisation), I'd love to test my client base's trust in my 'brand' like this.

    No, surely not...

  • Novell has a similar technology called DigitalMe [digitalme.com]. It does not carry 'e-cash', but allows you to enter any information in any site. I haven't tried using credit card information with it, but I'm sure it would work. Much more secure (and interesting) than the Microsoft offering.
  • Well, the way it all works is simple. Microsoft bought MSN Hotmail because simply put there were 45 million accounts already in use.

    The slapped a "Passport ID" inside the "dat" (user login file) file for every user already on hotmail.

    Then, they made changes to the Hotmail DB lookup system so that it could be used in other implementations.

    On all of these sites, they query the hotmail db's, they check the passport ID's, and boom, you're logged in.

    Basicly this was a fairly good attempt, regardless of the implementor or who's pocket it came from, to start a centralized password database.

    Believe it or not, the only thing that really needs to be feared from hotmail employees is when you piss them off. There are 45+ million different accounts. It's alot of effort to get into those machines to see such text. There's about 15 people who have access to it.

    Microsoft may own Hotmail, but they have no direct footage to "look at the information" for their own needs.

    Hell, the FBI had a hard enough time.

    Anyways..

    -An ex hotmail internal veteran...

  • Why would a person let some market entity hold their wallet, and let them videotaping their purchase behaviors at the same time? Convenience? Sounds expensive. It's more fun to lie to the survey ladies in the mall, who have never grabbed for my wallet.
  • This thing is kind of like a bank. You give them all your passwords in the hope that no one in the bank steals it, they don't use it with your permission through some loophole, or someone doesn't break in and steal your money (passwords). Basically, it's built on the perception of safety of a system created by a compnay with a very dubious reputation at best. Personally, I'd prefer a client side system like Mac OS 9's keychain if I ever decide to consolidate all my password somewhere other than my brain, thank yoou.
  • by ColaMan (37550)
    Joy. Just what I need.
    Let's see now..
    "many consumers simply give up, leaving a full shopping cart."
    "Ok, I'll have that, and that and ok now to purchase... what? I have to fill out my name address and CC number? nah, forget it."
    People who give up when confronted with a request for 3 pieces of information must lazy in the extreme.
    Besides, I like to do things like misspell my address (a little bit!) and then see how much junk mail arrives with that address :)
    "The sites must also post a link to their policy from their front page, so that consumers have an easy time finding the policy if they want to review it. "
    And how many people who can't be bothered filling in thos pesky online forms are going to follow some (no doubt tiny) link and read through 15 pages of a vendors privacy statement? Not too many.
    Oh well.. same ol' "yadda-yadda-yadda-embrace-extend-assimilate-yadda -yadda-yadda" from microsoft.

    I'll keep my demographics and CC details with me ,thanks.

  • I couldn't be bothered with that "Crack an NT box" contest when there was, like only a measly US$1K to be won, but this new one, it looks worth entering!

    Maybe Taco and Hemos could post their credit card details in a "secret" file on /. to provide the Linux end of the contest?
    ***scan***scan***scan

    jsm
  • http://webfunds.org/webinstalldemo/ -- using DigiGold, a currency layered on top of a
    'net currency that not only works but has worked for three years+, whether or not I've
    been able to get much media coverage of that fact.

    http://www.systemics.com/docs/ricardo/ has information on the underlying source, etc.

    http://www.cryptix.org/ has information on strong java crypto (also open-source).

    http://www.digigold.net/ (under construction) has more information on the currency.

    http://www.e-gold.com a 100% metal-backed (gold, silver, platinum, or palladium)
    currency.

    http://www.FlyingRat.org a spam blocking service using small (or not so small) e-gold
    payments.

    Yes, I wish this stuff would get more notice than it has gotten. Yes, I'm sure some of
    you will say this is "spam." (Get over it.)
    JMR
  • Wallets can be implemented either the Microsoft way, by storing the information on their server -- or the way everybody else has done it, by storing the information on your own computer. My belief is that everybody else expects that no intelligent person would give up their personal information for no reason.

    The only benefit for the server model is that you could buy stuff from any computer, just by (somehow) accessing the Passport information. Of course, there better be some fairly sophisticated [read, cumbersome and inconvenient] password protection on Passport, then. And then, wouldn't this add to the inconvenience of the shopper?

    The client-side models require you to input the information (only once, of course) on each of the computers you want to spend money from. Now, this doesn't seem like a huge inconvenience, really; certainly contrasted with the potential inconvenience of having somebody with evil intent [not naming any names] getting a copy of the server database.

    I was disappointed, but not particularly surprised, that there was virtually no reference to security in the PressPass "Q/A" report. There were absolutely no assurances about what protection Microsoft would employ to keep your data private, no assurances whatsoever that Microsoft wouldn't abuse the information. I found the example of storing the address of your parents, say, with Microsoft particularly chilling. What a remarkable web of consumer information could be woven if everybody input their personal relationships into the Microsoft monster.

    The page on passport security and privacy [passport.com] also, remarkably, passes up any opportunity to reassure users that Microsoft won't misuse the information that you give it. They do say that they won't share your personal information with others, but it will get to the point (if this is successful) that the rest of the world could be ignored, to a first approximation. There's nobody that I'd be less happy to have this information than Microsoft, themselves.

    I predict, sadly, that this will be a spectacularly successful product.

    thad

  • I have to use IE on my home computer for my parents, and I've dodged this Microsoft Wallet crap since it first started back with IE3. Sure in theory it sounds nice, but in practice it is just too insecure. Can you imagine what would happen if Microsoft Passport servers got hacked? And let's face it, they would be prime targets for script kiddies. Why try to capture a credit card number as it goes across the wire when you can hack a public server storing THOUSANDS of credit card numbers! Sure Microsoft boasts the system will be secure, but we all know how secure their products are.

    This idea doesn't sound like they are really interested in helping the public for online shopping so much as it is another way to increase Microsoft's revenue stream. Here's a thought...Microsoft knows they can't keep the prices of their products artificially inflated forever...this is just another stab at replacing the cash cow, perhaps. I'm not one given to conspiracy theories and all, but it sounds like a strong possibility to me.
  • from Passport FAQ for Businesses [passport.com]:

    Where is the Passport profile and wallet data stored?
    All Passport profile and wallet information is stored on secure Microsoft servers. Passport is subject to its own privacy commitment to its members, which prohibits Microsoft from sharing or selling members' information without their consent. Participating sites will also be able to store core profile and wallet data on their own servers. [my emphasis]

    WTF is this? not only do we get the world-recognized insecurity of MS, but they have the option of whoring out Passport users' CC numbers to other parties?

    *sigh*

  • It was bad enough that Microsoft insisted that everyone bought their OS, but now Gates literally has his hand in people's pockets!
  • > Perhaps they can apply for FDIC?

    One hopes the FDIC has better sense than to insure this arrangement.


    --
    It's October 6th. Where's W2K? Over the horizon again, eh?
  • I'm in two minds about this. Giving detailed personal info to a company which is more of a marketing machine than a software house does not bring any smiles to my face.

    The first problem here is how in hell's name does anybody verify the security and privacy of it? MS do not have an inspring track record when it comes to security, and although it may be unethical to sell on info and stats gathered, who considers MS to be above doing that?

    Another consideration is the infrastructure of the Passport database server system. Scary thought: Passport (tm) becomes the standard for online shopping, vendors worldwide rely on this system, and MS use a single NT server... Can anyone spell downtime...?

    Seriously though, the passport idea is required by today's online community. And unless better alternatives are presented to the general public, Passport could well become essential in any online transactions. Are there any other real alternatives?

    But most importantly of all... Where's the damn RFC??? :^)

  • GC said:

    I'm sorry if this seems like Microsoft bashing, but it is a ridiculous that a single corporation can "invent" currency on the internet and then lobally tax all expenditure on it, which is what this amounts to.


    And this is diferent than Visa, Microsoft, and AMEX how?? Its ECON 101 - if MS can establish their "currency" as the dominant form for Internet transactions they have every right to charge as much as they want for the product. Its not a tax - its the free market. If the 99% of the Internet population that is obviously not as bright as the average /.'er jumps on the bandwagon and makes this a standard - and they probably will - we'll be stuck with it - just like Windows, just like Office...

    Am I going to trust me private data to MS? No way - I'll happily manually type in my credit card number every time. What we really need is an anonymous payment system so we can buy stuff online without the trail of personally identitfying credit card numbers...
  • Is this really true, that the store bills Passport and Passport bills your credit card? If it is true, it's quite an amazingly useful feature, in that only Microsoft ever has your credit card number.

    If this is true, why aren't they publicizing it? I assume it would be obvious from your credit-card statements.

    Is there any documentation that you could point to that would verify this astonishing claim?

    thad

  • The reason I ever fill up a shopping cart & leave it behind, is so that I can get the total price. A lot of websites fail to tell you the *total* price (that is, including shipping), until you're ready to plop down a credit card. (some even require you to put down all info before they give you the total price. needless to say, i dont come back.)

  • No, Hotmail was moved to the passport server after the minor (understatement) security incident. That was a reletively good move on their part. Microsoft does do good things occasionally.
  • Microsoft handles my data so well, it would be downright silly not to trust them with my money!

    Next week, I'm gonna let Bill Gates and Steve Balmer perform open-heart surgery on me, too.

    - A.P.
    --


    "One World, one Web, one Program" - Microsoft promotional ad

  • Yeah, but as was pointed out above, they are keeping one piece of private information and passing around another as "proxy" for your CC#, etc. Your Passport ID number or whatever just takes the place of your CC#.

    I'm sure this is an oversimplified view, but the net effect to me it's just another number that someone could exploit. I don't think that the small amount of added convenience is worth it given Microsoft's security track record.




  • This is a situation where I cannot easily see open source suceeding. There is an obvious need for such an universal wallet service, but you can't decentralize that information and you need a trusted party to keep the information secure. The trusted party needs ressources to keep his database running and secure...

    Unfortunately, it might mean seeing Microsoft getting a critical mass of the market where it can afford to dictate any terms it wants.

    Do you think there is any way that an open project can compete with Microsoft's wallet service ? Or are we at the mercy of the evil empire ?
  • Ok, like I trust microsoft with billing information. I know someone who has personally had their credit card number mis-handled and charged three times by them. Also, I dont trust windows NT to handle this over-securly. This "passport" technology would be a good idea if someone like mastercard, or amex implemented it. IE: you have a public key for each retailer, encrypt your "passport" and send it to the retailer and they decrypt it with their private key and contact the "passport" site for more information on private lines. That would rock.

    amex seems to be doing this with the "blue" card in some ways.

    Sounds cool. But i want some real company about privacy that gets nastily audited for this, not microsoft.
  • by Sloppy (14984) on Tuesday October 12, 1999 @04:18AM (#1621014) Homepage Journal

    I can understand why someone would want to avoid having to type in their card #, address, etc over and over again, but -- call me clueless -- why would I want this info on a central server rather than my own machine?

    The "obvious" approach seems to me, to have a standard format for querying billing info, similar to how cookies work, and then have the user's machine pop up a "Supply/Deny" question. Why aren't they doing this?


    ---
  • by mattdm (1931)
    Ok, that just moves the problem one step away. I don't see how it's much different for someone to intercept your Passport info and make fake Passport charges. The only "advantage" comes from the fact that fewer merchants (will) use Passport, limiting the possible damage. But that's a marginal improvement, and will obviously go away if the thing catches on.

    My current credit card company has very good anti-fraud policies. What's the point of adding a second layer of cost and complexity?

    --

  • by anticypher (48312) <anticypher@gmai l . c om> on Tuesday October 12, 1999 @07:23AM (#1621028) Homepage
    Yes, passport is the reason for the hotmail security hole [slashdot.org].

    When passport was first announced more than a year ago looking for early implementers, the serious hackers targetted it with an intensity unseen in recent years. Imagine a service with all the quality of a M$ product, the track record of M$ for lax security, holding thousands or millions of credit card numbers.

    This is an infocriminals dream, because just one copy of this database could be exploited for billions of $$$ of bogus charges. There are organized crime groups around the world already set up to rip off the credit card companies with thousands of electronic scams. All they need is a valid credit card number, expiration date, and the holders name.

    So when the hotmail hack was discovered, it was by a group probing every aspect of the passport service, and all the connections MICROS~1.OFT was making into other web sites.

    Now there are hundreds of sites with an end point leading into passport. What do you want to bet that one of them has some other security problems because they run IIS, and some crackers will be able to get thru the encrypted tunnel back into the passport service. Not likely they will get more than a handful of CC numbers before the hole gets closed. Crackers tend to be immature kiddies looking for some attention, so they will blab about their exploits. The serious infocriminals will milk any hole for all it is worth, and not make any announcements to HNN [hackernews.com] or attrition [attrition.org].

    Microsloth's only publicly acknowledged security aspect of passport is they are going to seed the database with 'tripwire' records, which will trigger anti-fraud measures when someone tries to use them with the CC companies (oh, and they use encryption [slashdot.org]).

    There are rumours it will be built into the desktop of millenium, so it will always be a click away, with annoying warnings to those lusers who are not using it. I doubt this service will become widespread, since it is bound to get abused at some point. Public confidence will go down when the press has a field day when the system is cracked once, even if it doesn't lead to the loss of any CC records.

    the AC
  • Thank you for explaining that. Geez, I wish the press release had been as informative.

    Well... here's my Paranoid Conspiracy Theory Of The Day: the US government is behind this. (No, I actually don't believe this, but I'm going to make a case for it anyway, just for fun. :-)

    It's in the Feds' interest to do this for two reasons:

    1. Since sensitive info need not be transmitted, people no longer have the "right" to complain about crypto controls. Crypto is for criminals, not commerce. Yeah, that's the ticket.
    2. Yet another way to track online commerce, in addition to examining credit card records. Makes tax evasion that much harder. Wow, I might have even just convinced myself...
      ---
  • This is not a new idea, and this is not a particularly dangerous idea, either. If you've bought more than once from Amazon, you've used a similar system.

    Basically, Amazon saves your card number the first time you buy, so that when you come back, they can say "Charge card XXXX XXXX XXXX 1234?". The fact that you don't have to key the number is only a trivial advantage. The real advantage is that you don't have to send the number over the wire. Amazon knows what it is already, so they can simply charge the number they have, avoiding the need for sending the number where it could potentially be seen by evil criminal types.

    (An overblown danger, but that's another story...)

    This is all a good thing. It is not even a matter of "trusting" Amazon more than you otherwise would, because simply to buy things, you've got to trust them with your number. They will have it, and they will be saving it for financial purposes for at least a month, regardless. If you don't trust them with this, you shouldn't buy from them. (Note that the same goes for any retailer, internet or physical!)

    Now most people probably trust a company like Amazon at least in terms of finances. Amazon is not likely to go charging your card up randomally. Most people assume they will be fairly careful with your number. (They probably won't be as careful as you think, but that's another story.) They are a big, known company. Where the trouble comes in is with tiny little companies that no one has ever heard of. Do you trust them with your number? That officially looking site could just be one guy in a basement. Give him your number, and you give him the ability to charge thousands of dollars in your name.

    So what to do? An obvious solution is to do what is being done above. You give your charge number to some large company that you know will not abscond with it, charging it to the limit. Then you tell the little podunk companies to charge the big company. Your liability goes down. Your charge number doesn't fly across the wire every time you make a purchase from a new company. These are good things. This is more secure then sending your card number directly to everyone you buy from.

    The only question is whether or not you trust Microsoft to secure your data. This is the same question you should be asking were you to make a purchase from Microsoft over the wire (or over the phone), as the data is the same.
  • I have been wishing for something like this for at least the past two years. I am tired of having to remember usernames/passwords for every site I use. And having to supply billing/shipping address and CC information every time I make a purchase is a pain.

    BUT, I am MORE than a little leary of Microsoft being in the position of providing a solution to this problem. I simply do not trust them with this type of information, and I don't trust them to provide a fail-safe mission critical service that MUST be up 24/7.

    I think most of us would agree that in principle this is a good idea, just that this particular implementation might give the clueful user pause.

    But, how hard is this to do? Could the OSS community develop a distributed, secure, web-based single-logon facility?

    The components of such a system could be as follows.

    1. A standard for user information. Another post already mention just such an open standard.

    2. A 'logon server' which provides user information to client web sites at a user's request.

    3. A standard, open, secure protocol with which a client web site interacts with a logon-server.

    4. A user who registers with a 'logon server' and specifies the information they are willing to provide other client web-sites. The user also specifies a backup logon server which will mirror their information.

    5. Client web sites which modify their logon procedure to gather user information from a user specified 'logon server'. No registration would be required on the part of the client web site.

    Each 'logon server' could actually be many servers. It would be relatively easy to distribute the load as most of the activity would be of a read-only nature, making the replication of user data across servers fairly simple. User updates to their data are another issue, but they would be relatively infrequent.

    How would anyone make money? Banner adds on the logon server's logon page perhaps. Re-selling consumer buying patterns would most likely be the biggest source of revenue. There is nothing wrong with this as long as nothing which could indentify you uniquely is revealed. I don't care if someone wants to know what the buying patterns of a 28yo white male in such and such an income bracket are.

    It is important to note that the user would chose their single logon service, and could change/cancel at any time.

    It would be an open standard, with all the code required to start a logon server available freely on the web. This would hopefully prohibit any one service from gaining a monopoly stranglehold on the market.


  • by Noryungi (70322) on Tuesday October 12, 1999 @04:20AM (#1621041) Homepage Journal
    (How to print money -- 2002 style)

    CrACkRZ WheEL oF fORtUne! v0.99.14.151
    [Win2000 4.00.004 SP7]


    [Click here to start]

    Checking e-wallet status... Done.
    Checking bank account status... Done.
    Checking permissions...
    • Removing MS permission... Done.
    • Removing FCC permissions... Done.
    • Removing RSA permissions... Done.

    One moment please...


    How much money would you like to add to your e-wallet? NOTE: if sum > US$ 1,000,000 you could be in TROUBLE!

    Enter sum and press [Enter]:99999

    US$ 99,999 added to e-wallet account!

    Thank you for using CrACkRZ WheEL oF fORtUne!


    Bill "Hotmail God" Gates: would you like this man to take care of your money? Thanks, but no thanks.
  • Anyone from the Lopht, or Counterpane care to comment?

    I found no matches searching in SecurityPortal
    or SecurityFocus, so far. Nor in Google.
    nor Altavista.

    Is this the sort of thing I have to forbid
    my mother from trying?


  • "This is where you will go today."



    --
  • Is this sort of like what American Express has done with "Blue [americanexpress.com]?"

I have not yet begun to byte!

Working...