MS Sez Hailstorm To Play Nice With Others

Rocketboy writes "ZDNet has posted a story saying that Microsoft will not be the only repository of user information within Hailstorm. They claim that Hailstorm was intended all along to be a network of trusted repositories along the lines of all the banks that exchange information within their ATM networks." One of the key points from Coursey's piece, IMHO, is "MICROSOFT SAID it does not know whether a central authority should be created to oversee the open-trust network it hopes these changes will help create. In an interview late yesterday, an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos and other Internet technologies--taking the lead role if it becomes necessary." So, the central authority part is still being worked out - but regardless, this changes the framework of Hailstorm, if implemented.
  • that MS won't control all the data. They will just get every time you log in or access anything.
    • I think you can infer that Microsoft is really acknowledging that they have big ole security holes in their products. When they say they will open up the Hailstorm services (oops, I mean what Microsoft "meant to do all along") it really means, "well we know some hacker is going to break in and publish all the information anyways, so it's not really a 'secure' means of keeping this information. Oh and, can you find some other people to run it for us so we aren't liable?"

      spike
      "help help! i'm all tangled up in the .Net!"
      • by alen ( 225700 )
        Actually I meant that they will be paid every time a transaction is performed. Kind of like the royalties they get with some online photo processing operations.I'm not very good at proofreading.

        The challenge for Microsoft is to find a recurring revenue stream. Jack Welch says don't let anyone get between you and your customers. Bill Gates listened, and others didn't. They are letting Microsoft get between them and their customers.
    • Microsoft vulnerabilities (aka "innovations") are responsible for every worm/virus we've seen in the past few months: Code Red, Code Blue, SirCam, Apost, and Nimda. Why aren't they under any fire from the media, watchdog groups, or the general public?!?
      • Microsoft vulnerabilities (aka "innovations") are responsible for every worm/virus we've seen in the past few months: Code Red, Code Blue, SirCam, Apost, and Nimda. Why aren't they under any fire from the media, watchdog groups, or the general public?!?


        Also to blame are the trained monkeys masquerading as Windows admins who don't know how to install a fscking patch!

      • First off, 99% of media don't know sh*t about sh*t. They do not make any deeper research, they just blow up some huge headlines about "Most dangerous virus ever", and then they quote some random security guy that says some vague things, usually someone from Symantec or McAfee that has every reason to blow the issue up.

        They usually mention that mac users aren't affected, as if that was the only other computer.

        And they always call outlook viruses "email viruses", IIS viruses for "Web server viruses" etc.

        Most of the time, they just don't know better. And as long as media does not, or chooses not to, the general public will not either.

        All media wants is readers/viewers. They don't care about facts such as who is responsible, they want headlines. That should be painfully obvious by now.

    • i suspect they'll want to check your serial numbers and what browser you're using and what office suite you're using...
  • by barnaclebarnes ( 85340 ) on Thursday September 20, 2001 @07:51AM (#2324561) Homepage
    What if an individual wants to become a repository for their own information and not trust it to a central place. That way I could carry the information with me knowing it is as secure as I want it to be.
    • Or you could use someone that you already trust, like say, your bank.

      To be honest I think this is a good idea. I wanted to post a comment to a story on another news site, but I needed to log in, and I just could not be bothered. If I could enter in my bank id and password safe in the knowledge that unless I indicate otherwise (on the HSBC web site) the company whose site I am visiting will only get my name and a ticket that says I am who I say I am.

      I just don't want Microsoft, or any one company, have exclusive rights over this. Choice is good. Open standards are good.
      • The question is not, who do you trust, but who do other people trust.

        The whole point of a central repository for this sort of information is for the benefit of the site you are trying to access, so that they can verify from some trusted source that you are who you say you are. Anyone can set up their own repository and say that they are someone else. However, if the site can go to some trusted source (either Microsoft, or a large bank, or whatever), then they can be certain that you are who they think you are, and have permission to use credit card numbers or access confidential information or perform transactions, etc...

        The benefit to the customer is not trust, but the "convenience" of a single login, and not having to remember a fistful of different username/password pairs for all the sites they deal with.

    • We can have Al Gore be the repository for the information. He will keep it safe in a lockbox!
    • You already do, until you use a service like Hailstorm.
  • When will I be able to use my MS Passport login to login to Slashdot?

    That way MS can post comments for me, and save me the time I spend thinking for myself.
  • by Fnkmaster ( 89084 ) on Thursday September 20, 2001 @07:54AM (#2324572)
    Open the standard, show us how to roll a Hailstorm server, tell us how to set up alternative Hailstorm compatible networks, come up with a process for joining the official Hailstorm network, show us how we control where our information goes.


    Microsoft is just realizing that nobody will play with their new toys if their toys take away rights that we consider sacred. They have backed out of really bad ideas in the past when enough industry and pundit criticism was leveled against them. If they will again this time, that would be great, but content-free proclamations are meaningless. I trust these guys as far as I could throw a hundreds-of-billions-of-dollar-cap company.

    • If they will again this time, that would be great, but content-free proclamations are meaningless. I trust these guys as far as I could throw a hundreds-of-billions-of-dollar-cap company.

      In this case I think MS is telling the truth. They don't want to be the sole responsibility for all authentication (think of the liability they'd have). They're going to allow anyone to set up their own authentication centers. Why? Because they're going to hold ALL THE PATENT RIGHTS AROUND IT. That way they get paid whether Joe ASP buys their back end solution directly from them or from a competitor.
    • I think it's all that and worse. Not only will we not play with their toys, they won't play with their toys. By pushing off the responsibility to someone else, MS gets less limelight. Think of it, what's worse: releasing software that's buggy or being the source of the problem?


      Think of it, do you yell at the people who invented telnet or do you yell at the person who left the daemon running allowing root access? Probably the latter since it's his responsibility not to use it in the first place.

    • Open the standard, show us how to roll a Hailstorm server, tell us how to set up alternative Hailstorm compatible networks, come up with a process for joining the official Hailstorm network, show us how we control where our information goes.

      I just love that name, it's so warm and fuzzy, isn't it? Makes you want to work in the same market as M$, doesn't it.

      </SARCASTIC> (Oops, I was sure I closed that ages ago)
  • Big difference (Score:4, Insightful)

    by pointym5 ( 128908 ) on Thursday September 20, 2001 @07:55AM (#2324575)
    There's a big difference between Microsoft (and whatever johnny-come-lately fabricated trustee companies that spring up) and banks. Banks have a culture wholly different from companies like Microsoft. I'm not saying they're divine or infallible, but simply that the way they look at the world and their responsibilities for information are shaped by years and years of living within a complex web of federal and state regulations, and of sitting on the "capital" of essentially unlimited public trust. They don't "think out of the box" about ways to use information they control. The comparison to ATM networks is therefore (in my opinion) structurally accurate but misleading.
    • Also the banks had their separate datastores, and worked together to interoperate. This is very different to Microsoft owning everything then allowing others to play too.
    • Re:Big difference (Score:4, Interesting)

      by JediTrainer ( 314273 ) on Thursday September 20, 2001 @09:18AM (#2324861)
      There's another difference: Banks are LIABLE if they lose your information, which translates usually to you losing money.

      Microsoft has never been accountable for anything being lost in the past, by hiding behind their EULA (i.e., we are not responsible for any direct or indirect losses as a result of using this product. You agree not to sue us no matter what). Well, until Microsoft guarantees unconditionally that my information is SAFE, like the banks do, I will not ever, ever trust them.

      There aren't any laws protecting me, so why should I even dip a toe into the water?
    • I agree with everything except your comment, "They don't 'think out of the box' about ways to use information they control." In the United States, banks now own insurance companies and other financial institutions they were previously barred from owning. As a consequence of this de-regulation Congress gave them strict guidelines to protect our privacy. The banks must inform you that they may give your private info to their new corporate brethren. For example, your bank may give your personal information (SSN, phone number, etc.) and complete credit history (including who you wrote checks to and for how much) to their new insurance company, who can then see you're sending checks to a competitor and call you at dinner time to pitch their fabulous rates, comparing themselves to your current insurer. You must then tell the bank to go stuff sand up their ass -- if you don't tell them to not share your information, they will. Indeed, they already have, and you must trust them that when you tell them to stop they'll go around to all the other companies and tell them to please forget everything about you. Yeah, right. Like they're gonna put all that toothpaste back in the tube.

      Banks "don't think out of the box." Riiiiiight.

      ROTFLMAO!!!

  • by Masem ( 1171 ) on Thursday September 20, 2001 @07:56AM (#2324577)
    If there's a possibility that others can run services equivalent to Hailstorm, would this not also lead to the possibility that individual users with sufficient technical know-how (namely anyone using Linux :-) could run their own Hailstorm-like server on their own box with their own security safeguards?

    Yes, this is MS, so they might only provide a WinXX client. Yes, this is MS, so they might require you to register your client with some central authority with the ability to 'audit' the server to make sure it's up to specs.

    But it may also be as simple as having a client conform to certain specs (hopefully open), and that's it. Average Joe would probably never worry themselves with this, so they'd not lose that many customers in the first place.

    But in the end, I think it's very important that Hailstorm cannot be a necessity for web sites and that there must be a manual entry level for data when it is needed.

    • (Warning: if the following post turns out to be nonsense, please forgive me.)

      Let's say that 2002 comes, and hailstorm becomes something that has a point (beyond ensuring Microsoft gets to have SOMETHING installed by default in WinXP that they can charge a monthly fee for and that the average user won't be able to figure out how to turn off), and GNUStorm 0.6 or whatever gets written, and I install it on my Mac OS X box in my dorm and register my dormroom computer as my authentication authority.

      How much flexibility will this hypothetical GNUStorm server have? Is the hailstorm protocol such that if I was running an authentication server, I could flexibly determine exactly what information and when that a given site is given about me? In what way? Oh, hell, is there ANY POINT AT ALL to hailstorm besides not having to type in your personal information/preferred password to every website, and making sure you don't make up 90% of the information you put on webforms? Is there ANYTHING hailstorm does that a web browser with a good autocomplete feature doesn't do?

      And if I *could* limit who gets what information, would there be any point, since the sites will all be using the same backhanded information-sharing tactics they use now? If I use hailstorm once to sign onto MSN messenger, and I decide not to let microsoft.com's hailstorm server have any information besides the username and password they use to authenticate, couldn't they just contact some site that they partially own and that shipped me something once, say "hey, what do you have on this username", and get a full readout of my name, address, etc..? Umm.. I'm pretty sure that that last sentence doesn't make a whole lot of sense, but you get what I mean.. right?

      If I am misunderstanding what Hailstorm is, I apologize, and request that someone more informed can set me straight. You'll have to excuse me, Microsoft seems to be working very hard to make sure everyone is as misinformed as they could possibly be as to the nature of .NET..
      • Could you please stop analyzing Hailstorm? Once people realize it's some sort of glorified identd+finger we'll never get them to give up their privacy!
        • Hmm. Interesting way of putting it..

          Except the thing is: Glorified identd+finger actually sounds like a pretty good idea, to me. I could go for that. I'd be happier just integrating that functionality into Jabber [jabber.org], though.. I mean, as long as we're putting talk(1) there, you might as well go all the way :)

          Well, whatever.
  • So will Hailstorm play nice with whatever the AOL collective is working on? Or will there be several authentication networks where you need an id on each to reach the full range of the Net.

    Didn't this happen with early financial systems too? I have logos for a number of money-transfer networks on the back of my ATM card (though Interac is the only one that I recognize from actual use). I'm guessing they used to be incompatible...not on the same card.

    When I'm worried about limited net access and content, I'm not talking about MSN and AOL being the only online properties...but what if the NYTimes or WSJ implement Hailstorm? And what if Sports Illustrated implements AOL's version (no question there, since it's part of the Time Warner family).

    And how will the inevitable open-source clone work? Will people try to co-opt Hailstorm, or turn away since it's MS? (my crystal ball predicts both, in two different projects)

    cheers,

    cz
    • Didn't this happen with early financial systems too? I have logos for a number of money-transfer networks on the back of my ATM card (though Interac is the only one that I recognize from actual use). I'm guessing they used to be incompatible...not on the same card.


      They still are incompatible. Anybody who has a Discover card knows this (Discover uses its own ATM network, Novus). It can be a bitch finding an ATM that supports the Novus network.



      It's sort of like the way that DNS works: most everybody uses the InterNIC root servers, but there are some other DNS hierarchies (new.net for instance).

  • by mikey504 ( 464225 ) on Thursday September 20, 2001 @07:57AM (#2324587)
    I've seen the "We're not sure where this is headed, we're making it up as we go along" rap from these guys before.

    It's hard for me to believe that it's true that Microsoft is "betting the farm" on their Hailstorm strategy but at the same time they haven't taken the time to develop a roadmap for its deployment and maintenance.

    It's too important to them and they have too many resources devoted to it for there not to be a plan. Given that, it makes me nervous that they don't seem to be willing to share the details of that plan. That seems to indicate that they are pretty sure we won't like it.

    The best protection is to insist on open, documented interfaces to all of the components of this technology. We need to make sure that the rest of the industry remains free to develop their own components of the Hailstorm/.Net architecture with the assurance that they will interoperate. The problem is, it would take a lot of cooperation for the industry to reject any offering that doesn't meet these requirements.
    • The best assumption is that all press releases come from the marketing department, and that those in power are careful to shield them from any knowledge of what's really going on.

      If that's not how it works, then reality seems to be a work-alike.
  • So now there will be more targets for a potential hacker to choose from. It's not enough that Microsoft would store the data, someone with a dubious security trackrecord. Now we have an untold number of other places that can be attacked. Why doesn't anyone realise that the only safe way to do this is to store the data on secured, portable hardware that can be taken with the owner of the information?

  • I am pleased to see that perhaps one day in the near future, companies might cooperate to give us something we need. Regardless of their motivation, perhaps they should get a gold star next to their name for playing well with others.

    Placing information anywhere outside of your physical control implies either a great deal of trust, or stupidity. With a financially disinterested party keeping an eye on the individual trusted federation members I think that we may soon be able to trust our personal information, which many value greater than their money, with the same level of assurance as depositing our paychecks. I think that this brings up 2 questions:

    [1] whether usage fees a la not-my-bank's ATM might be forthcoming...

    [2] Would we be able to make a withdrawal of our information and trust that it is completely removed from their computing environment? With regular backups and cache-systems, it seems rather difficult to expect not leaving behind some residual trace...

    What do you think?
  • Is enough known about Hailstorm and Passport to know if they are architecturally capable of the security we desire?

    Plus I see mention of "The Industry Standard Kerberos 5" in the article. Of course MS Kerberos follows Kerberos 5 standards, just in a way that doesn't play with anyone else. So do we get Real Kerberos 5, or MS Kerberos here?

    What are the requirements for joining the "Trust Federation"? Who defines the requirements? Who can cast the blackball?
    • Good question. I think that MS should release a PR to developers regarding the planned Kerberos implementation, since in the past "open Kerberos" meant open to all who used their implementation of it!

    • MS Kerberos interoperates with MIT Kerberos for authentication purposes (who you are, such as your user name). This seems to be the sell of Passport/Hailstorm.

      Microsoft's extension was to add a NT UID (or UUID or whatever it's called), which effectively determines your authorization (what you can do). They used a field specifically designed for this purpose.

      This eliminates the need for a local /etc/passwd type (or in MS terms 'SID') mapping of user name ("root") to UID (0). If you've ever worked in an NDS or other directory environment, you'd know that the primary point of a DS is to centralize security admin, so you can see why this was a necessary step.

      Now, how this works out in Hailstorm probably depends on how you use it. For a message board or online shopping, the provider would probably just need the authentication and handle the authorization themselves (ie MS wouldn't provide the information that "CmdrTaco" is the admin of Slashdot, but would verify that CmdrTaco is who he says he is.)

      BUT .. It could be that you could 'outsource' your PDC to Microsoft and set up LAN security using Hailstorm IDs. Sounds retarded, but recall that the current crop of small shop MCSEs is having difficulty grokking AD, and LanMan/NT4 is going away eventually. The next step would be move Exchange (or more likely "Small Business Server") off-site and make that a service also. You can see the possibilities.
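The distinction drawn in the comment above, a trusted source vouching for who you are (authentication) while the site itself decides what you may do (authorization), and the earlier point that a site checks your identity against a trusted repository rather than taking your own word for it, can be made concrete in a few lines. The following is an added example, not code from this discussion, from Microsoft's Passport/Hailstorm, or from any Kerberos implementation: a hypothetical identity provider issues an HMAC-signed ticket that names only the user and an expiry, and the relying site verifies the signature and expiry before consulting its own local role table. The shared key, the role table and the usernames are constructed values for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed value: a key shared between the identity provider and the relying
# site (stand-in for a Kerberos service key; not a secret from any real system).
IDP_KEY = b"constructed-shared-secret-for-illustration"


def issue_ticket(username, key=IDP_KEY, now=None, ttl=300):
    """Identity-provider side: assert only *who* the user is, with an expiry.

    The ticket carries no roles or permissions; that is the relying site's job.
    """
    now = time.time() if now is None else now
    body = json.dumps({"sub": username, "exp": now + ttl}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_ticket(ticket, key=IDP_KEY, now=None):
    """Relying-site side: return the asserted username, or None if the ticket
    is malformed, forged (MAC mismatch) or expired."""
    try:
        enc_body, enc_tag = ticket.split(".", 1)
        body = base64.urlsafe_b64decode(enc_body)
        tag = base64.urlsafe_b64decode(enc_tag)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Constant-time comparison so a bad tag cannot be refined byte by byte.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None
    return claims["sub"]


# Authorization stays local: the identity provider never learns, and cannot
# dictate, that a given user is an admin here (constructed role table).
LOCAL_ROLES = {"CmdrTaco": "admin", "alice": "user"}
PERMISSIONS = {
    "admin": {"read", "post", "moderate"},
    "user": {"read", "post"},
    "guest": {"read"},
}


def authorize(ticket, action, key=IDP_KEY, now=None):
    """Authenticate via the ticket, then decide locally whether the action is
    allowed. Returns (allowed, username); username is None if authentication
    failed, so a forged or expired ticket never reaches the role lookup."""
    user = verify_ticket(ticket, key, now)
    if user is None:
        return False, None
    role = LOCAL_ROLES.get(user, "guest")
    return action in PERMISSIONS[role], user


if __name__ == "__main__":
    t = issue_ticket("CmdrTaco")
    print(authorize(t, "moderate"))  # (True, 'CmdrTaco')
    # Body of one ticket with the tag of another: the MAC check rejects it.
    forged = t.rsplit(".", 1)[0] + "." + issue_ticket("alice").rsplit(".", 1)[1]
    print(authorize(forged, "read"))  # (False, None)
```

Note that the identity provider in this model learns only that a login happened, which is the "paid per transaction" concern raised earlier in the thread, while the mapping from username to privilege never leaves the site. A second site with the same ticket format would keep its own role table and reach its own decisions.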
  • Really guys - what if Microsoft is learning from the beating they're taking from Linux, and really want to play nice? Instead of loosing the rockets at them, maybe we should put aside our mistrust of the Redmond gang - ever so slightly - and take a serious look at working with them.

    This is the type of thing that users want - one password, and their relevant information attached to that password. I have most of my users saying "Why do all these systems need a different password? Can't you computer guys get together?" IOW, they want convenience and simplification. Since Microsoft is going to do this anyway, assisting them will get us in the loop, as it were. Besides keeping "the enemy" closer, it can also have some beneficial side effects:

    1. It will show Microsoft that when we say "Open", we mean Open for anyone, including Satan himself.
    2. It will also show them that Open Standards benefit everyone from the end user to the programmer writing APIs. They are better for business than anything proprietary.
    3. Things work better with a community attitude. Maybe it will change Microsoft's bastille mentality for the better.
    4. We can make sure that this is done properly - no backdoors, no worms, and as much security as possible.

    If we just slam the door on them, instead of giving an open invitation to work with all computer users, designers and programmers, we will just fortify their distaste for Open Source and perpetuate the silly feud that's been going on for years.

    Executive Summary: Look at their proposal seriously instead of just dismissing it out of hand, putz.

    Soko
    • Well, the only problem is their history, their track record.

      I used to like their stuff, and then they lost my trust and admiration.

      That is the essential point, and it is the most damning.

      They are going to need about 5 or ten years of marketing honesty and products that don't screw with me to earn it back.

      Their behavior and attitude has made them a liability to me.

      Sorry

    • 'cause I guess many will be generally against a central security system, no matter which OS and from which company. 'cause playing with security is no fun.

      Now imagine such a system being hacked? Can you really imagine what the outcome is? Today a central security server hacked means break down of our whole economy, one group of people having access to everything? Including your bank account passwords? Medical health info, etc. etc.

      I would be against it even if it's a relatively secure system, but additionally imagining such info running on a windows NT or XP server just gives me the creeps.

      • That's why your medical information and bank account passwords aren't going to be in your MS passport. This is designed for e-Commerce and personalized sites not your Online Bank.
    • Really guys - what if Microsoft is learning from the beating they're taking from Linux, and really want to play nice? Instead of loosing the rockets at them, maybe we should put aside our mistrust of the Redmond gang - ever so slightly - and take a serious look at working with them.

      But you can't really believe that, can you?

      I'll try to be conservative with what I say and analyze this MS that we all know:

      ms has 95%+ market share in desktop os's.

      ms has 98%+ market share in office apps.

      ms has 95%+ market share in browsers

      (let that be 90% or 99%, whatever you feel better with).

      In the last 5 years Microsoft has extended/held that share by

      1. price dumping (free browser)
      2. price dumping (preinstalled os)
      3. price dumping (silently tolerating warez and making warezing ms-products easy)
      4. market pressure by artificially introducing a "critical mass" factor via incompatibility, i.e. proprietary protocols (kerberos, office-formats, activex as browser components, vb-script, hidden win32 api-calls, dumping java, dumping plugin-api, dumping realplayer codecs)


      1., 2., 3. will not help them anymore, instead they will stop and are already stopping using these tactics, because they simply can cash in more. They don't gain a dime when the 95%+ of ms-users simply stay with win95,98,nt,2000 and even XP.
      On the other hand they must find a way to
      1. get existing userbase to change OS
      2. simultaneously prevent existing userbase to change to non-ms operating systems.

      Add to that that ms has to fear that their capability to "innovate" might not be as competitive as it perhaps once was, because there are hungry companies/developer communities out there to get them (sun/staroffice, kde, gnome, linux etc.). Plus the fact that the territory where one can "innovate" is shrinking. That indicates that the consumer software market is going to a market where the price is the main selling point - because "real" (needed) features will be more and more omnipresent in all offers.
      For instance, the only important "feature" that MS-office has that star-office hasn't is, well, it's msoffice (file compatibility) - see point 4 above.

      MS has everything to lose if it opens up its protocols and API's and it has everything to lose if it doesn't. But the second alternative at least gives them a chance to win - and win big time. As for the first alternative - an "open" .net will in the end give a way to interoperate with everything they have, it would crush their stranglehold to every market.

      So, we don't even need to go into details where they pretended to play fair before and didn't (html, xml, soap, kerberos) or where there is talk that they will kill existing interoperability (CIFS), I think it's clear they can't play fair.

      • Please come back later when you have some facts to present. Oh, and I'd like to see you easily "warez" what's considered the most sophisticated anti-piracy measures in the business (esp. mass piracy via dupped CD's). Time to roll out your holograph printer.
        • Did I say pirating and selling and imitating, or warezing?
          Why should any home user need the fucking holograph?
          To pin it on a wall in his restroom?
          How hard is it to warez a software from a company which uses so ingenious serials like

          111-11111
          123-45678

          throughout the entire product line (back in the days of office 97 IIRC)

          Yes, ms did try to go against mass-piracy, but they didn't do anything against pirated software for home users.
          • Because the highest volumes of piracy don't happen when one of us geeks downloads the copy or borrows it from a friend and gets a serial. The poster was suggesting that MS was flooding the market on purpose by letting mass-piracy take place. I'm saying, that's BS.
    • Sure. I'm willing. All they have to do is GPL the code. BSD would probably be ok, though I'd have a few reservations. Or MPL+GPL+... Or Artistic.

      But I'd prefer GPL.
  • an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos

    And I wonder if they would treat it the way they treated the Kerberos oversight group? You know, that "Hey decide whatever you want, but we're doing it our way. Ain't market-share wonderful?" way.

  • It seems that the debate has suddenly taken on a moralistic tone that has neatly sidestepped the various issues.


    But before we go there - let us first join hands in praise to tell MS that this is a right step in that direction. There are lots of responses we could take, and LISTEN UP: We don't have to jump into anything. We all have to compromise to reach a solution, but we shouldn't have to bet the farm on this. The compromise can take various forms.


    So what is the issue? The question concerns technical issues of the Hailstorm protocol. It is not just about who is in control.


    In other words, let us take the "white paper" approach. Can MS do that? One that allows us to review and allow the security experts to scrutinize the technical details and design of the whole setup? If MS can take this step, then I should like to say that would remove most of the security concerns of Hailstorm.


    And for that debate, I would like to ask the first question. What is the point of Hailstorm? How is Hailstorm different from say, the Mozilla Personal Security Manager, wherein, the user stores his data on his computer, and has simplified but yet customizable controls as to who receives what data?


    Secondly, isn't aggregating these data a security flaw itself? Remember that security is not one issue itself, but encompasses issues of authentication, identity, integrity and all that. Given this setup, isn't the chance of identity theft greater? Part of the security of the setup we have is that no one single company knows everything about an arbitrary person. They may know your credit card number and hence your financial records, but they may not know your hair color. Meanwhile, some government agency may have your bloodtype, but they don't have your financial information. Isn't Passport a step in the wrong direction, in such a case?

  • More of my banking done through something designed by microsoft, now that's a scary thought

    my 2 cents plus 2 more
    • I assure you, a great deal (if not most) of your banking data is stored in MS-sql databases.

      I write software for a financial services company, we do most of our work with MS-sql because thats what most banks use.

      • I know. And now that Great Plains has been purchased by MS, most medium to larger sized businesses will be running their ledgers and payroll from MSSQL and MS software. But, hey, why look at the facts?
  • Hailstorm admittedly looks cool. The Microsoft press room [microsoft.com] has a couple of articles and press releases. I'd love to have a really nice web-based calendar/whatever else...

    But if Microsoft is going to charge for the service, how does that work?

    • ... if we can store any personal data, how much pr0n can their servers hold? What - can't put that much in one account? Just open up another one - we can script that...

      On second thoughts, if they're thinking of folks dumping their MS Turd docs in there, they must be thinking of a lot of space.
  • Whatever happened to the widespread notion of giving every person (affordable) digital certificates on a smartcard, and putting a smartcard reader in every machine?
    There's already a chain of trust established that no-one seems to have a problem with these days, just like we don't have problems with trusting banks with our money, and there's the key that identifies me uniquely and PROVES that I am who I say I am.

    Also, this way I can install some software on my machine to manage my own information, and set the levels of sharing I wish to enable for sites and services.
    For sites/services that require additional information, I can then choose to share or hide that information.

    The way I see it, everyone's just sort of sitting around like a tree-huggin' hippy, waiting for Microsoft to roll this out, and then bitching and moaning about it. I have to admire Microsoft, not for the way they are going about their strategies, but rather that they have strategies and have the guts to stake some or all of their business on those strategies. I unfortunately do not see nearly the same level of risk being played by other companies, e.g. for Sun's Java ONE technology, which is meant to be a direct competitor. And neither do I see anybody else making nearly as much use of their corporate PR machines.

    Anyway, the main point here is using existing technology: Digital Certificates. Make them cheap, put them everywhere, and you don't have to rely on a Microsoft-provided service.
    I'm sure even Linux users would be happy with that.
  • Maybe I missed the whole point, but...

    I am not that interested. I'm fully content with remembering a few passwords, entering my email where necessary and so forth. So what interests me the absolute most is, will this ban me from places if I decide not to play along? Or can I access stuff anyway, but I'll have to enter my credentials myself (like I do today)?

    The only secure place I need and want is my bank, and they have a nifty little code generator that protects my account, and I can do all the basic stuff that way.

    What do I gain from this? What do I lose? What do I lose if I don't participate?

    Please help a guy that needs to do some more reading up. :)

    • that's what's in it for you. hailstorm is essentially a platform to host components (like EJBs). passport makes it possible for components in hailstorm to exchange exposed data so that they can interoperate.

      an example. if your bank uses hailstorm and you authenticate with passport and amazon.com uses hailstorm and passport authentication - you would be able to (once you've authenticated with passport) just click buy and amazon's components could invoke components on your bank with your passport id and say "give me the money now".

      i know you can save your profile and everything on amazon and so you may still ask "so what's in it for me". that was just the first example that came to mind and if you can see the advantages of such an interoperative infrastructure then here. [thinkgeek.com]

      and, yes, there are probably risks and stuff involved but let's let it evolve and give it a chance.
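The exchange described in the comment above, as an added example that is not part of the original thread and not Hailstorm or Passport code: a hypothetical identity authority (the Passport role), a hypothetical shop and bank as relying services, and assertions modelled on Kerberos-style audience-bound tickets, since Kerberos is the standard the article itself names. The detail a practitioner would want to see is that the assertion a user obtained for the shop cannot simply be forwarded to the bank: each service shares its own key with the authority and checks audience and expiry, so "give me the money now" requires an assertion the user minted for the bank. Service names, users, keys and messages are constructed for illustration.

```python
# Added example, not code from the article or any commenter: a minimal model
# of the Passport/Hailstorm exchange in the comment above. Service names,
# users, keys and messages are constructed for illustration.
import base64
import hashlib
import hmac
import json
import secrets


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class IdentityAuthority:
    """The single sign-on authority (the Passport role in the comment)."""

    def __init__(self):
        self._service_keys = {}  # service name -> key shared with that service
        self._users = {}         # username -> (salt, PBKDF2 digest)

    def enroll_service(self, name: str) -> bytes:
        """Enroll a relying service; it must keep the returned key secret."""
        key = secrets.token_bytes(32)
        self._service_keys[name] = key
        return key

    @staticmethod
    def _digest(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._digest(password, salt))

    def login(self, username: str, password: str, audience: str, now: int,
              ttl: int = 300) -> str:
        """Check the password and mint an assertion usable only at `audience`."""
        salt, stored = self._users.get(username, (b"", b""))
        if not stored or not hmac.compare_digest(stored, self._digest(password, salt)):
            raise PermissionError("bad credentials")
        key = self._service_keys.get(audience)
        if key is None:
            raise KeyError(f"{audience} is not an enrolled service")
        claims = {"iss": "authority", "sub": username, "aud": audience,
                  "iat": now, "exp": now + ttl, "nonce": secrets.token_hex(8)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(key, body.encode(), hashlib.sha256).digest()  # keyed per audience
        return body + "." + _b64(tag)


class RelyingService:
    """A site that trusts the authority (amazon or the bank in the comment)."""

    def __init__(self, name: str, key: bytes):
        self.name, self._key = name, key

    def verify(self, token: str, now: int) -> dict:
        """Return the claims if the assertion is genuine, for us, and unexpired."""
        body, _, tag = token.partition(".")
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not tag or not hmac.compare_digest(expected, _unb64(tag)):
            raise PermissionError("bad MAC: forged, or minted for another service")
        claims = json.loads(_unb64(body))
        if claims["aud"] != self.name:
            raise PermissionError("wrong audience")
        if not claims["iat"] <= now < claims["exp"]:
            raise PermissionError("expired or not yet valid")
        return claims


def _ok(action) -> bool:
    """True if `action()` completes without a PermissionError."""
    try:
        action()
        return True
    except PermissionError:
        return False


def run_scenario(now: int = 1_000_000_000) -> dict:
    """Walk through the exchange and report which presentations succeed."""
    authority = IdentityAuthority()
    amazon = RelyingService("amazon", authority.enroll_service("amazon"))
    bank = RelyingService("bank", authority.enroll_service("bank"))
    authority.register_user("alice", "correct horse battery staple")
    results = {}
    results["wrong_password_accepted"] = _ok(
        lambda: authority.login("alice", "wrong password", "amazon", now))
    shop_token = authority.login("alice", "correct horse battery staple", "amazon", now)
    results["amazon_accepts_own_token"] = amazon.verify(shop_token, now)["sub"]
    # amazon forwarding the user's shop token to the bank ("give me the money now")
    results["bank_accepts_amazon_token"] = _ok(lambda: bank.verify(shop_token, now))
    results["amazon_accepts_expired"] = _ok(lambda: amazon.verify(shop_token, now + 301))
    bank_token = authority.login("alice", "correct horse battery staple", "bank", now)
    results["bank_accepts_own_token"] = bank.verify(bank_token, now)["sub"]
    return results
```

Running `run_scenario()` reports that the shop accepts its own assertion, the bank refuses the shop's assertion and the expired one, and the bank accepts an assertion minted for it. The per-service key is the design choice that matters: with one key for every relying party, the audience check alone would be the only thing standing between a compromised shop and the user's bank.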
  • Sez!? (Score:3, Insightful)

    by Mike Connell ( 81274 ) on Thursday September 20, 2001 @09:03AM (#2324809) Homepage
    Is it really necessary to use words like "Sez" in the story title?

    It's "News for Nerds", not "Newz 4 Nurdz"
  • Microsoft has yet to sign any of the major players to join its trust federation

    in some form or another, MS will decide who gets to run .net services and who doesn't. This BS about " These two changes--which Microsoft says aren't changes at all, but rather a clarification of what the company planned to do all along" is utter crap. Had this been what they've been planning all along, they would've made this "clarification" a long time ago. I'm going to bet that you'd better buy a copy of Win2K to run services and pay dearly for it!!! MS should be stopped, really stopped. They OWN our government, and are doing everything they can to confuse issues and LOOK like they're playing nice.
    just format your drive now and install Linux, you'll be glad you did. Don't give those MS MF'ers a cent of your cash.
    I wouldn't put the terrorist attacks past MS as a way to downplay the ongoing monopoly proceedings.
    • >I wouldn't put the terrorist attacks past MS as a way to downplay the ongoing monopoly proceedings.

      oh. i can't believe that statement! that's the sort of rant that gives linux an evil-geek-virus-writing-socialist-spotty-nerd-angry-teenager name. well done, you are really helping to spread the word.
      • I really believe that MS is that EVIL. nothing to do with Linux, and the attacks are a terrible tragedy. I really feel for all of those affected.
        Let me ask you this, if you had 100 BILLION DOLLARS in your PERSONAL bank account, wouldn't you retire or at least dedicate your time to doing good for those around you? Good old Bill just wants another 100 Billion Dollars. If greed on that level isn't evil, I don't know what is.
        • Score: -1 Flamebait

          Money isn't everything. If I had $100 billion, I would still program. Heck, I'd probably program more because I could afford the resources to start my own company and code what I want to code.
  • If the same information is stored in several different servers, doesn't that just provide more points of failure?

    It seems to me that everyone should either keep their information independently (the current system), which results in data replication, not to mention countless points of failure...
    or...
    Have one person keep this information... but it seems like that isn't such a popular thing here.

    Captain_Frisk
  • I'm sorry, but all I see in this 'news' is Microsoft's spin doctors working overtime to try to defuse opposition.

    "On the Internet, this means that an AOL or Yahoo login could someday be just as valid for accessing Microsoft's MSN..."

    Or they may never be valid at all.

    "the company is open to an industry group...taking the lead role if it becomes necessary."

    Not that they're going to allow it, they're just willing to discuss it right now.

    "As the story develops and more questions are asked, some of this may change, but at a high level this appears to be Microsoft responding to critics."

    Nothing in this article is necessarily true, but rest assured that Microsoft is doing its best to convince you to trust them.

    "Microsoft has yet to sign any of the major players to join its trust federation, although talks are supposed to be underway. If companies like AOL see this as a valid attempt to make the handling of user security and personal information into new Internet standards, they might join. Or they might abstain simply to try to gain some competitive leverage over Microsoft."

    If none of this ever happens and Microsoft retains its lock on user info, blame AOL.
  • This changes nothing in regards to Hailstorm. It only changes some people's incorrect perceptions of it. Hailstorm, and the entire .NET framework itself, is extensible by any third party, and always has been. It is simply unfortunate that people are so reactionary whenever Microsoft proposes anything.

    If you want to provide authentication via non-Microsoft means, write a .NET plugin for hailstorm using the documented interface, and then the system will use your authentication method rather than some other (like Passport).

    I just want to emphasise that this is only surprise news for those who failed to take the time to understand Hailstorm and .NET previously.

  • Would that be the same Microsoft that "Embraced" and "Extended" Kerberos, despite there being an industry-wide controlling organization?

    Sure, create a Hailstorm standards organization all nice and proper. Just as long as they answer to Microsoft (and don't dare compete with them.)

  • Why not build a trusted network [softeyes.net] on a free platform (Askemos [askemos.org]). There should always be a choice.

  • I cannot believe they mention Kerberos after their effort to put proprietary, non-interoperable data in the Kerberos protocol. Not only that, but the fact that they rejected efforts (at least for 6 months to a year) by the Kerberos standard bearers at MIT to keep the specification interoperable.

    They actually offered to work with Microsoft to accommodate extensions to the protocol and Microsoft wouldn't have it.

    Take a look at this post from Ted Ts'o in 1997:
    http://diswww.mit.edu:8008/menelaus.mit.edu/kerberos/10954

    Do you really think Microsoft has changed, especially now that they have the government on their side?

    -Dave

  • These two changes--which Microsoft says aren't changes at all, but rather a clarification of what the company planned to do all along

    - The article

    "History has stopped. Nothing exists except an endless present in which the Party is always right. I know, of course, that the past is falsified, but it would never be possible for me to prove it, even when I did the falsification myself. After the thing is done, no evidence ever remains. The only evidence is inside my own mind, and I don't know with any certainty that any other human being shares my memories"

    - Orwell "1984"
  • <kirk> Don't believe them.

    Those Klingon bastards killed my son. </kirk>

  • They would say anything.
    I don't think it wise to trust them.
  • Ultimately, people within Microsoft must understand that they don't have the skills within their organization to run something this important all by themselves. Look at the last two years:

    1. Didn't pay bill for Passport.com, service down for two days, they were mostly unaware of the problem and couldn't solve it on their own. If not for Slashdot, it's difficult to say how long it would have been down.
    2. DNS down for two days. How does a company of that size have a problem like this?
    3. MSN Messenger down for a week. Think about that. An entire week. Again, how does this happen?

    The first two items would have disabled their whole service. The third just shows that they don't have the competence required to run such an important service. They need to not only have a network of repositories, they need to gracefully bow out of being part of that network.

    Michael

  • ?!?!?!? This makes no sense. Doesn't everyone realize that it's much more secure to use different passwords on everything you do? So in other words, if someone cracks one of your passwords (assuming you only have one) then they have access to all of your data. This doesn't seem like a very safe idea to me.
    • For people who don't have encyclopedic memories (which is to say, normal people), multiple passwords are actually less secure than a single password, because ordinary users will either use the same password for everything anyway, use simple easy-to-guess (and easy-to-dictionary-attack) passwords, or write them down.

  • "In an interview late yesterday, an executive working on the project said the company is open to an industry group--such as those already controlling Kerberos and other Internet technologies--taking the lead role if it becomes necessary. ."

    But I suspect that as events unfold it will be found that an impartial central authority will hold us back from getting the full user experience of MS Innovation.

    Certainly it has been the case that standard Kerberos was found "insufficient" for Active Directory and required "improvement".

    Don't get me wrong. I'm not saying that standards are never in need of improvement. I'm just saying that I don't want the improved standard to be controlled by an entity with other interests. Interests that can conflict with the kind of impartiality and pure technical focus that such standards control deserves.

  • Rejected, resent, whatever..

    We don't want this! And Microsoft KNOWS we don't want it. Their entire marketing strategy depends entirely on their ability to brainwash dim-witted Americans and this still amazes me after all of these years.

    They have enough power now controlling the most widely used desktop OS for consumers; just imagine if they had control of our information, our banks, government websites.. They want all of this, and they'll stop at nothing to get it. They're starting it right now with all of the new stuff in XP; they slowly slip in new evil code and introduce it so you're not immediately repulsed.

    Look at Internet Explorer for example. I've used this for 5 years (until recently, as Mozilla builds have greatly improved) and I've always wondered why the hell when I type something stupid it forwarded me to some ASP on msn.com. I would have loved to edit that out of the registry just because it has the potential to become MSEvil 1.0 but I never could find it. (I don't believe it's in the registry, it appears to be hard coded into IE, don't take my word on it though.) About two weeks ago when I typed something stupid it reported it to MSN and told me what I most likely wanted and did an MSN search. I'm not running MSN Explorer (hell no!), I thought I was running just plain old Internet Explorer but it appears I can't run that anymore..

    Luckily Mozilla is really becoming a well-rounded piece of software now so this doesn't pose a problem. This doesn't always work though. I'm still running Outlook and I'm a bit afraid of what they have hidden (lying dormant) in there. I really haven't found anything as an alternative yet that can handle the amount of email I receive daily (around 300+ messages, most of which I need to save and archive). So, until then, who knows if I'm being watched; I don't know what's in that source any more than the other guy..

    I apologize for the long message, however I feel this rant was well founded after years of enduring Microsoft software. Linux is calling, and I mean REALLY calling, I use it through SSH all day, but I still don't have the software I need to allow me to move altogether.

    -Mitti
  • Available here [yahoo.com] as well as probably other places.

    The article says that MS is looking to work with AOL on this. Oh, joy.

    It also quotes MS as saying:
    Microsoft said it would extend its Passport identification service to other Web site operators and companies by supporting Kerberos 5.0 -- another authentication service developed at the Massachusetts Institute of Technology
    Of course, I'm sure we can all guess which version of Kerberos they'll be using...
