
Microsoft Opens Up Windows Live ID

CowboyNeal posted about 7 years ago | from the ready-for-the-masses dept.

randommsdev writes "Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system. Any Windows Live user can potentially log in to a website that implements Web Authentication. Interestingly, sample implementations are available in the Ruby, Python, Perl, and PHP open source languages amongst others — tested on openSUSE 10.2 but expected to work on any platform that supports these languages. More details are available in the SDK documentation."

212 comments

ATTN: Top-posting whores (3, Funny)

Anonymous Coward | about 7 years ago | (#20257507)

Put your comments below this one.
 

Re:ATTN: Top-posting whores (5, Funny)

Anonymous Coward | about 7 years ago | (#20258003)

What is top posting?

Thanks!

Put your comments below this one.

Re:ATTN: Top-posting whores (1, Informative)

Anonymous Coward | about 7 years ago | (#20258193)


Top posting is when people intentionally respond to a post that is close to the top in order to achieve higher visibility. As a result, their posts often get modded higher than if they started their own thread in the discussion or responded to something that is on-topic. If you've ever seen someone respond to a post near the top with something that has nothing to do with what they replied to, that is top posting (there's probably other terms as well) and is a sure sign of a scum-sucking karma whore. Unfortunately, the mods fall for it a lot rather than modding the post off-topic as it should be.
 

w00t! (4, Funny)

doxology (636469) | about 7 years ago | (#20257509)

urls gone wlid!

Re:w00t! (-1, Redundant)

Anonymous Coward | about 7 years ago | (#20257557)

bad security gone wild. w00t!

If it's Microsoft, it's doo doo! (0, Troll)

kawabago (551139) | about 7 years ago | (#20257513)

Squawk!

How long (4, Insightful)

afidel (530433) | about 7 years ago | (#20257521)

Until the first site with a fake passport login form shows up? I mean before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Re:How long (4, Informative)

smashin234 (555465) | about 7 years ago | (#20257591)

This has been done many times in the past, and I am sure it will continue to happen. Most common were the times that people would set-up false bank of america websites and people would type in their account information....perfect set-up. What was even better was that these sites sometimes were set to bankofamrica.com or some slight variation of the site, so the common user would have no idea they were at the wrong site.

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

Re:How long (3, Insightful)

jamesh (87723) | about 7 years ago | (#20257677)

Well there are safeguards for this now, and I am sure if it gets to be a problem like that was at one time, it will also get fixed.

The safeguards only work if the user is paying attention. It only takes a fraction of a percent of people to click a 'log in here with your bank of america credentials to see if you have won a prize' link and the scammers can make a profit, and will keep on scamming.

Still... if you've got a way around this that is truly idiot proof, I'd like to hear it! The best thing I can come up with is that the banks themselves initiate the scam, and then send 'the boys' around to break the thumbs of anyone who falls for it, or otherwise punish the scammee (that's strange... my spell check says scammee isn't a valid word...).

Re:How long (3, Insightful)

arivanov (12034) | about 7 years ago | (#20258063)

'log in here with your bank of america credentials to see if you have won a prize'. As a matter of fact this is the latest and probably the most successful class of phishing sites. The ruse is a "survey" on behalf of "Bank of America" or someone else. It is surprising how many people fall for it. The website has nothing to do with the bank, the addresses are not the bank ones, but nonetheless the consumer enters their credentials. As a result of many years of brainwashing by direct marketeers they now consider all this to be "business as usual".

Re:How long (1)

pe1chl (90186) | about 7 years ago | (#20258633)

But a reasonable bank would use multifactor authentication. Is the bank of america still relying on a simple username/password authentication? Then they deserve to become victim of such attacks.

Re:How long (1)

Mantaar (1139339) | about 7 years ago | (#20258717)

Unfortunately, it's not the bank who's the victim, but their customers. The bank actually doesn't really care as long as the customers don't get too concerned about their own security -

This means, of course, that we are the only ones that are able to stop the bank from acting stupid

Re:How long (1)

aichpvee (631243) | about 7 years ago | (#20258087)

That's because scamming is a victimless crime.

Though apparently victimless isn't a word either, making the previous statement impossible while at the same time the previous statement must be true. I'll let one of you contemplate this paradox as I would hate to be responsible for the annihilation of the universe.

Re:How long (1)

initialE (758110) | about 7 years ago | (#20258401)

How about a windows component that runs straight off your computer, and has tie-ins to internet explorer? sounds like the way microsoft would do it.

Re:How long (1)

Propaganda13 (312548) | about 7 years ago | (#20258517)

This is a lot different. Before bankofamrica.com had to set up a website then send out email. Halfway smart people wouldn't click on the link because they'd be wondering why their bank is emailing them. Now, I can set up joesfreeporn.com with a fake sign-in. If you're used to going to a lot of sites(bobsfreeporn.com and mikesfreeporn.com), using the sign-in isn't going to throw up a red flag at all.

The signon form should only be on one secured site, not added to any site.

Re:How long (4, Interesting)

macbort (224663) | about 7 years ago | (#20257633)

Google and Yahoo have both been offering similar services for awhile now, I believe, and I don't remember hearing either of them having this problem. Not to say it couldn't happen, but I imagine they've thought about this situation and have accounted for it somehow.

Re:How long (5, Insightful)

jamesh (87723) | about 7 years ago | (#20257637)

I would love to have a 'single sign-on' and forever forget the hassle of remembering and entering passwords, but the flaw you mention and many others mean I don't think it will ever work. The value of pwning someone's 'single sign-on' code (whether it is Microsoft or some other solution) is just too high.

If a 'single sign-on' became everyone's only method of authenticating to anything, then it would make identity theft just too easy.

You can go to extreme lengths to protect all the sign-on pages in the world, but as long as there are people who will click on a 'your account will be deleted in 2 days unless you go to http://i.am.going.to.steal.your.identity.com/verify.php [identity.com] ' link in an email, none of it matters.

I can't think of any way of preventing that problem without there still being the possibility of a "man in the middle" attack...

Re:How long (1, Informative)

JonathanR (852748) | about 7 years ago | (#20257863)

Two Factor [wikipedia.org] authentication using a security token (like the RSA SecurID tokens).

Re:How long (0)

Anonymous Coward | about 7 years ago | (#20258201)

Too expensive to give out to consumers. Better to use randomised two-factor schemes in software, like what these guys do: http://www.bharosa.com/ [bharosa.com]

Re:How long (3, Informative)

jombeewoof (1107009) | about 7 years ago | (#20258393)

Software tokens are terrible, they fail much more often than not. SecurID tokens are the best thing to happen to computers since parc. The greatest thing is the simplicity, a random number shot through an algorithm changed every 60 seconds. If the numbers don't match you don't get in. They're simple to resync if the two sides fall out of skew. And reasonably difficult to counterfeit. In a few years(decades) the price will come down and you'll have one of these for just about everything. Your bank, your job, even some fancy car keys have similar technology in them. While they're not without their flaws, the securid's and similar 2 factor id have a lot of potential to cut down on identity theft.
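
The token scheme described above, as an added example that is not code from the post, from RSA, or from Microsoft: a minimal HOTP/TOTP implementation (RFC 4226 / RFC 6238, the open-standard counterpart of the proprietary SecurID algorithm) with the two server-side details the post alludes to, a resync window for clock skew and a replay guard so a given code is accepted once. The secret is the RFC's reference test secret, an assumption for the example; a real token is provisioned with a random per-device secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Added illustration of the time-based one-time-password idea (RFC 4226 HOTP,
# RFC 6238 TOTP). SecurID uses a proprietary algorithm; the open standard has
# the same shape: a shared secret, a counter that advances with the clock, and
# a short code derived from the two by an HMAC.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 64-bit big-endian counter, then
    'dynamic truncation' to a 31-bit integer, then the last `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter = floor(time / step)."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int, *,
                step: int = 30, digits: int = 6, skew_steps: int = 1,
                last_accepted_counter: int = -1) -> Optional[int]:
    """Server-side check. Returns the counter the code matched, or None.

    skew_steps is the resync tolerance: a token whose clock has drifted by a
    step still validates. last_accepted_counter is the replay guard: a code is
    single-use, so any counter at or below the last one that succeeded is
    refused even if the HMAC matches.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    now_counter = unix_time // step
    for delta in range(-skew_steps, skew_steps + 1):
        counter = now_counter + delta
        if counter <= last_accepted_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890"), assumed here;
    # a real deployment gives every token its own random secret.
    secret = b"12345678901234567890"
    for t in (59, 1111111109, 1234567890):
        print(t, totp(secret, t, digits=8))
```

verify_totp returns the matched counter so the server can persist it and refuse the same code a second time; widen skew_steps only as far as the token population's clock drift requires, because every extra step adds more codes that a guessed value can match.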

Re:How long (2, Informative)

Scruffy Dan (1122291) | about 7 years ago | (#20258493)

paypal already offers one for only 5 bucks

Re:How long (5, Insightful)

baboonlogic (989195) | about 7 years ago | (#20258303)

There is nothing in a single sign on system to force you to use only one id. Using openid and the few sites that actually allow you to use it, I have already brought down my username password combos needed from about 10 to 2. So I can decrease the number of sign ons with systems like openid.

Secondly, as far as identity theft is concerned, my email accounts are already single points for attack. Once you have the email, the password recovery services will do your bidding. A single-identity-solution allows you to just shift this from email to some server which was created to keep and handle this data. What's more you could be the one setting up that server... (not in the ms case but in the case of openid).

So, on the whole, single sign ons can work and openid hopefully will. I don't even want to rtfa. If I can't decide who keeps my username password for my single signon, I am just not interested.

erf (1)

Joseph_Daniel_Zukige (807773) | about 7 years ago | (#20258711)

No, your e-mail account_s_ (plural) are not single points of attack, unless you use _all_ your e-mail accounts to sign up for everything you sign up for.

Your idea that your own server should be managing your keys is as close as you have come to a reasonable solution, but it is still subject to all sorts of man-in-the-middle.

I don't understand your final comment about controlling your password for single-sign-on at all. Does some would-be single-sign-on vendor want to take even the final password away? Or do you misunderstand the concept of keys instead of passwords? Or what?

Re:How long (1)

gujo-odori (473191) | about 7 years ago | (#20258419)

Single sign-on would be fine as long as it was done in conjunction with two-factor authentication. For example, where I work, I use a one-time password generator to get on the VPN. Having my username and PIN won't help you unless you also have that generator. I also have a real estate license, and access to MLS also uses a one-time password generator.

Now, if Microsoft, openID, or *someone* in the single sign-on space implemented a system that used a one-time password generator, you'd have something that would be pretty secure, while at the same time keeping you from having a generator for every important site you use, if outfits like banks, etc., ever get their crap together and start using those. That is something I would use. In the meantime, in the interests of security, I do maintain separate userids and passwords at different sites, and store them in Firefox, encrypted with the master password. For non-web resources, the OS X keychain takes care of it. These two things together give me something that's almost as good as Passport and a lot more secure, because it's under my control.

Note to anyone who's in bank IT: if your bank is first to market with a one-time password generator sign-on in California, I *will* move all of my accounts there.

Re:How long (1)

Yvanhoe (564877) | about 7 years ago | (#20258485)

Well, how many people use 10 different passwords anyway? I think that most people end up using the same password again and again. The man in the middle attack can be prevented using good crypto and certificates provided by the OS during installation (i.e. not downloaded).

Re:How long (1)

KiloByte (825081) | about 7 years ago | (#20258729)

Well, how many people use 10 different passwords anyway ?

I use... lemme estimate the count... somewhere around 50 different passwords, with little to remember.

All you need is any mapping you remember anyway. For me, that's ASCII codes, names of Doom2 levels, etc, but for you it could be for example episode names of Star Trek (bleh), or even, horrors, results of 1976 baseball league. Everyone has something of this kind.

Next, pick a scheme of turning account/host names into the domain of your mapping.
Then, do the same for turning the mapping's codomain into short strings.

This does have a potential vulnerability of letting an attacker guess the scheme if he intercepts several of your passwords and the scheme itself is very obvious, but hey, that's a whole world harder than learning a single password and using it to get a good part of your accounts. And I don't use the main scheme for accounts I don't give a damn about.
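
The per-site scheme in the post above done with a keyed hash in place of a memorised mapping, as an added example (this is not the poster's scheme and not from any product): the host name is canonicalised, the master phrase is stretched once with PBKDF2, and HMAC-SHA256 over host, account and a generation number is mapped onto a printable alphabet. The master phrase, the salt label and the alphabet are assumptions for the example. It addresses the weakness the post names: an attacker who intercepts several derived passwords cannot reconstruct the "scheme", because recovering the master from its outputs means brute-forcing the phrase through the stretched key.

```python
import hashlib
import hmac
import string
from urllib.parse import urlsplit

# Added illustration of deterministic per-site passwords derived from one
# master phrase. Alphabet and salt label are assumptions for the example.

ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@"   # 70 symbols
_REJECT_ABOVE = (256 // len(ALPHABET)) * len(ALPHABET)          # 210: rejection sampling avoids modulo bias


def canonical_site(site: str) -> str:
    """'https://Login.Live.com/login.srf?x=1', 'login.live.com.' and
    'LOGIN.LIVE.COM' all map to 'login.live.com', so the same password comes
    out however the site was typed. Folding mail.live.com into login.live.com
    is deliberately not attempted: different hosts get different passwords."""
    s = site.strip()
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.lower().rstrip(".")


def site_key(master_phrase: str) -> bytes:
    """Stretch the master phrase once (PBKDF2-HMAC-SHA256, RFC 8018) so that an
    attacker holding a derived password cannot cheaply guess the phrase offline.
    The salt label is fixed and assumed; it only separates this use from others."""
    return hashlib.pbkdf2_hmac("sha256", master_phrase.encode("utf-8"),
                               b"site-password-derivation-v1", 100_000, 32)


def derive_password(master_key: bytes, site: str, account: str = "",
                    length: int = 16, generation: int = 1) -> str:
    """HMAC-SHA256(master_key, host | account | generation), expanded block by
    block as needed and mapped onto ALPHABET. Bump `generation` to rotate one
    site's password without touching any other."""
    label = f"{canonical_site(site)}\x00{account}\x00{generation}".encode("utf-8")
    out = []
    block_index = 0
    while len(out) < length:
        block = hmac.new(master_key, label + block_index.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            if b < _REJECT_ABOVE:            # drop bytes that would bias the mapping
                out.append(ALPHABET[b % len(ALPHABET)])
                if len(out) == length:
                    break
        block_index += 1
    return "".join(out)


if __name__ == "__main__":
    key = site_key("correct horse battery staple")   # assumed master phrase
    for site in ("login.live.com", "https://LOGIN.Live.com/login.srf?wa=wsignin1.0", "1ive.com"):
        print(site, "->", derive_password(key, site))
```

The trade-off the post mentions remains: everything hangs on the master phrase, so it has to be long, and a site that forces a password change is handled by the generation counter rather than by editing the scheme.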

Re:How long (2, Insightful)

Catil (1063380) | about 7 years ago | (#20258551)

Thanks to the forgot-password-option every site offers, using a single email address to register to everything makes that email account already the weakest link anyway. With the millions of blogs and forums these days, however, that all require people to register and validate via email just to leave a comment, a "single sign-on system" is still a good idea. I guess secure critical sites like Paypal wouldn't cause a problem because they hopefully would never provide to login with such a system in the first place.
It's a pity that OpenID somehow doesn't take off as many expected and I don't think a Microsoft solution will either. Google comes to mind as one company that could probably do it successfully.

all these (non-)answers and (1)

Joseph_Daniel_Zukige (807773) | about 7 years ago | (#20258679)

I'm having trouble believing you got so many responses defending single-sign-on.

The safest way to do single-sign-on is like Apple does it. (And I think there is a similar GNU tool with gpg?) You have a password that unlocks your keychain, and the keychain software negotiates with the sites you visit. Theoretically, the keychain software doesn't miss red flags, such as sites requesting keys/passwords that don't belong to them.

The problem with keychains is that they fall when your login account falls. Well, the tokens may be stored encrypted, and the user may be smart enough to have a separate password on the keychain, but all it takes is a well-hidden keylogger. I'm pretty sure no one is handling the issues that allow hidden keyloggers to be left lying around as long as we are browsing the web with the same effective user that we logged in as.

Single-sign-on is just plain wrong for any information that could hurt you if the wrong people get it.

Even a separate hardware token keychain which connects "directly" to the internet (instead of through your general-purpose PC) has to somehow deal with the man-in-the-middle. General purpose keys are a bad idea.

Can't believe I missed the most important part (1)

Joseph_Daniel_Zukige (807773) | about 7 years ago | (#20258687)

Apple's keychain is managed on your local machine, as opposed to being managed by a large corporation that wants to sell people on the idea that they can handle all the "hard" problems of day-to-day living.

Was Gore party to Clinton and Gates suggestion that the internet could lead to "frictionless money" (or whatever they called it)?

Re:How long (5, Informative)

SgtChaireBourne (457691) | about 7 years ago | (#20257657)

[How long] Until the first site with a fake passport login form shows up? ...

It doesn't matter so much, it's not like MS WLID, formerly known as MS Passport can ever be made secure. It's fundamentally flawed from the design [avirubin.com] .

However, all the bad press was about MS Passport, so a simple name change and, voilà, no bad press about the product. Palladium was sanitized the same way.

Re:How long (1)

RightSaidFred99 (874576) | about 7 years ago | (#20257933)

Nonsense. But way to dig up a 7 year old paper. I'm sure Live is _totally_ the same thing and their complaints are still _totally_ valid.

Re:How long (1)

aichpvee (631243) | about 7 years ago | (#20258101)

"live" is just the flavor of the week label at microsoft. It's the same old crap that they've always done, just now with a different name and probably a shiny new look lifted from a preschool toy. Maybe if they didn't come up with such retarded names for their brands (or maybe if they had better quality products, though that doesn't stop apple [that's right fanbois, mod me troll, I don't care]) they wouldn't have to change the names every 3 years.

Re:How long (1)

weicco (645927) | about 7 years ago | (#20258635)

We found out something is broken, they fixed it the same day but we still believe it is broken. Wow!

The only thing I found interesting in that article was the 3DES encryption thing. Passport could use a per-client key, but did TFA say it should be assigned to the user's address, IP address? I get a dynamic IP address from my ISP, so if keys were assigned to my IP address and the ISP's DHCP server decided to change my address, wouldn't I be forced to reauthenticate?

Other attack mechanisms aren't solely entangled with Passport. If an attacker gets his computer to act as a man-in-the-middle or is able to attack the name server(s), you are basically screwed anyway. Same goes if the attacker is able to attack the actual server (Passport or business server).

But there's an easier way to get users' information, I think. Just release an email worm which says "cool emoticons for your Messenger/Skype/whatever" and you have 1000000 teenagers downloading your trojan EXE the next day :) I've cleaned up a couple of computers infected this way. It is a pretty efficient attack and enables the attacker to do lots of nasty things, at least on Windows 98/ME/2K/XP.

But should we start a crusade against every goddamn piece of software which is subject to some kind of security hole, no matter how abstract or theoretical? Don't get me wrong, security holes are bad, but if we decide that attacking a DNS server is compromising Passport, then we could ban all the web browsers also.

It's much easier than that (5, Insightful)

QuantumG (50515) | about 7 years ago | (#20257709)

Go to Hotmail [hotmail.com] . You will see that Hotmail now requires you to login with Windows Live ID. Now, take a look at this page. It's a login page. They want you to enter your ID and your password. This is what gives you access to all the different services that are currently integrated with Windows Live ID, and will be integrated in the future. It's basically your "master password". Thing I'm trying to stress here: you shouldn't just give this out to anyone who asks. Ok, you get the idea.

So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&c...." etc. Great, login.live.com, that's what I expect. Cool. Ok, so what's the second thing I should check? Anyone? Come on, it's web password security 101 here people. What do I need to check before I enter a login/password on a web site? That's right.. I need to check I'm on an SSL secured page. The url should start with what? https right? And I should look for the little lock in my browser window.. and if I'm feeling especially paranoid I should check the security certificate to see whether or not it is valid, not expired, and for the site that I am expecting.

This page has none of those things. Well done Microsoft.

Oh, but it gets better. There's this link that says "Use enhanced security". I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to an https page. Of course, the certificate it offers you is not for login.live.com, it's for graphics.hotmail.com. If you accept this certificate then you are basically saying that you're ok with trusting this data that didn't come from graphics.hotmail.com as if it did come from graphics.hotmail.com. Just for the hell of it, let's fire up this "enhanced security" page in IE and see what happens. Oh.. I see. We get no warnings. In fact, if we double click on the padlock we see that the certificate now IS for live.login.com. Hmm, what's going on here. Ahh, I see, half the content on this page didn't come from live.login.com, it came from graphics.hotmail.com.. so this isn't a secure site *at all*, it's a mixed domain site and IE's pitiful support for multiple certificates on a single page is happy to just ignore this (and doesn't even warn you).

XSS anyone?
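
The three checks the post walks through (is the page itself delivered over https, does the password form post over https to the host you expect, is any content mixed in over plain http), written out as an added example in Python; this is not code from the post or from Microsoft's SDK. The sample HTML is constructed for the example, modelled on the thread's description of the login page, and is not a capture of login.live.com.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added illustration: audit a fetched login page the way the post does by hand.

SUBRESOURCE_TAGS = {"script", "img", "iframe", "embed", "source"}


class _LoginPageParser(HTMLParser):
    """Collect every <form> (and whether it holds a password field) plus the
    URLs of embedded subresources, which is what mixed-content checks need."""

    def __init__(self):
        super().__init__()
        self.forms = []          # [{"action": str, "has_password": bool}, ...]
        self.subresources = []   # [(tag, url), ...]
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag in SUBRESOURCE_TAGS and a.get("src"):
            self.subresources.append((tag, a["src"]))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.subresources.append((tag, a["href"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_login_page(page_url: str, html: str, expected_host: str) -> list:
    """Return a list of findings; an empty list means the page passed."""
    findings = []
    page = urlsplit(page_url)
    host = (page.hostname or "").lower()
    if page.scheme != "https":
        findings.append(f"page delivered over {page.scheme}: anything on the path can rewrite "
                        f"the form before you submit, whatever the action URL says")
    if host != expected_host.lower():
        findings.append(f"page host is {host!r}, expected {expected_host!r}")

    parser = _LoginPageParser()
    parser.feed(html)
    password_forms = [f for f in parser.forms if f["has_password"]]
    if not password_forms:
        findings.append("no form with a password field found")
    for form in password_forms:
        target = urlsplit(urljoin(page_url, form["action"]))   # resolve relative actions
        thost = (target.hostname or "").lower()
        if target.scheme != "https":
            findings.append(f"password form posts over {target.scheme} to {thost!r}")
        if thost != expected_host.lower():
            findings.append(f"password form posts to {thost!r}, expected {expected_host!r}")

    if page.scheme == "https":   # mixed content only arises once the page itself is https
        for tag, url in parser.subresources:
            sub = urlsplit(urljoin(page_url, url))
            if sub.scheme == "http":
                findings.append(f"mixed content: <{tag}> loaded over http from {sub.hostname!r}")
    return findings


# Constructed sample page (not a capture): the form posts to https, but the
# page itself may arrive over http and pulls graphics from a second host.
SAMPLE_HTML = """
<html><head>
<script src="http://graphics.hotmail.com/js/login.js"></script>
</head><body>
<img src="http://graphics.hotmail.com/i/logo.gif">
<form action="https://login.live.com/ppsecure/post.srf?wa=wsignin1.0" method="post">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign in">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("http://login.live.com/login.srf?wa=wsignin1.0",
                "https://login.live.com/login.srf?wa=wsignin1.0",
                "http://1ive.com/login.srf"):
        print(url)
        for finding in audit_login_page(url, SAMPLE_HTML, "login.live.com"):
            print("  -", finding)
```

The first finding is the post's actual point, and it stands even where the form's action is https: if the form arrives over http, a network attacker rewrites the action attribute before the user submits, and the user has no padlock or address-bar indicator that would catch it.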

Re:It's much easier than that (0)

Anonymous Coward | about 7 years ago | (#20258185)

So, first check you should do whenever you're logging into a page is what? That's right, check the url. "http://login.live.com/login.srf?wa=wsignin1.0&rpsnv=10&c...."

No, checking the URL is not enough, that's how those paypal scams work. ENTERING the url is what you should do. The URL-bar can be faked, as can the padlock (or you could just buy a certificate from one of those companies that can't be trusted, like Verisign).

Re:It's much easier than that (1)

AndrewNeo (979708) | about 7 years ago | (#20258625)

Unfortunately going to hotmail.com moves you to login.live.com and then back.

Re:It's much easier than that (3, Interesting)

discHead (3226) | about 7 years ago | (#20258191)

You forgot the part about keeping a sharply-peeled eye and making sure you are being served by live.com and not 1ive.com (with a numeral 1).

Re:It's much easier than that (1)

atamyrat (980611) | about 7 years ago | (#20258333)

I would have thought that "enhanced" security was a sensible default, silly me. It's not underlined, so you don't know it is a link until you hover your mouse over it, but it will take you to an https page.
I clicked that link, it sends to http://mail.live.com/default.aspx&id=64855&bk=27520536 [live.com] and guess what? 404 - The page cannot be found. lol

Re:It's much easier than that (0)

can.i.have.free.beer (1141057) | about 7 years ago | (#20258607)

You're a moron. How the hell did this idiot get modded up? Seriously?? The page you were served is http. The page you will post to for the login session is https. see this link... var srf_uPost='https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&rpsnv=10&ct=1187341448&rver=4.5.2130.0&wp=MBI&wreply=http:%2F%2Fmail.live.com%2Fdefault.aspx&id=64855&bk=1187341449'; Maybe you should learn how http works before pounding your chest on a global stage like you know more than the rest of us...

Re:It's much easier than that (3, Insightful)

shutdown -p now (807394) | about 7 years ago | (#20258661)

You're a moron. How the hell did this idiot get modded up? Seriously?? The page you were served is http. The page you will post to for the login session https.
He's not saying that it doesn't use SSL to log in. He's saying that, as a user, he has no way to find it out until after he clicks "Submit" (and no, checking the HTML source code is not a serious option to consider). The convention for such things is that you use secure connection for the login form as well, so that the browser can indicate that it is secure (padlock icon, green or yellow address bar, etc - depends on the browser, but IE, Firefox and Opera all have such indicators).

Re:It's much easier than that (1)

toetagger1 (795806) | about 7 years ago | (#20258673)

Who cares about how it is implemented, if the end user has no way of telling if it is secure or not? You can't require the user to check the source code to verify the implementation of how the information is posted.

Re:How long (1)

biocute (936687) | about 7 years ago | (#20257719)

Hasn't MS already got a solution?

All these partner sites must display a "Genuine Live" hologram GIF image.

Beat that!

Got it backwards. (2, Interesting)

twitter (104583) | about 7 years ago | (#20257727)

before semi-intelligent people weren't going to enter their passport ID into non-MS websites, but now... I bet a lot more corporate keys get exposed this way as passport is the keys to your Enterprise Licensing kingdom.

Hmmm, massive FUD has much inertia. First, intelligent people have known for a long time not to trust M$ with anything. This has harmed the online economy, but that's a different story. If the 25% prevalence of keyloggers is not enough, a rogue site has been able to harvest Passport IDs forever, because IE can be resized, reshaped and made to look like whatever the rogue site wants it to. Firefox puts a stop to menu hiding and resizes, but Mozilla.org can't save you from a key logger.

Re:How long (0)

Anonymous Coward | about 7 years ago | (#20258197)

Could this be used with genuine windows verification to ensure the ID is being validated on the users home PC?

So what? (-1, Flamebait)

jcr (53032) | about 7 years ago | (#20257525)

This plan crashed and burned years ago. Why are we supposed to care about it now?

-jcr

Re:So what? (5, Insightful)

pembo13 (770295) | about 7 years ago | (#20257579)

They changed the name

Re:So what? (4, Insightful)

kimvette (919543) | about 7 years ago | (#20257679)

Like the diebold voting booths? ;)

Re:So what? (1)

Warbothong (905464) | about 7 years ago | (#20258053)

Because MSN Messenger comes with most desktop computers, masses of people use the MSN thus making its closed system attractive for other people to join, new computers usually come with an "MSN Browser" on the desktop, most desktops come with Hotmail and other MSN bookmarks filling their bundled browser, MSN is often the homepage of these bundled browsers, the bundled media player has MSN built into it, etc. People might not like it, but it is forced down their throats anyway, and once that's been done most people won't go through the hassle of using an alternative.

Phishing? (1, Redundant)

FliesLikeABrick (943848) | about 7 years ago | (#20257553)

What keeps anyone from creating a site (and/or spamming for it), saying it uses Windows Live authentication, then just farming a giant pile of logins they can sell or use for evil things?

Re:Phishing? (2, Informative)

Anonymous Coward | about 7 years ago | (#20257607)

Whats to prevent them from doing it right now, without the release of the system by Microsoft? I can already create a fake Google account, Live, or numerous other login systems on any website I own, it is ultimately up to the user to beware.

Re:Phishing? (1)

FliesLikeABrick (943848) | about 7 years ago | (#20257765)

Yeah but then you'll only get morons. Now people have a reason to believe that it is real

Re:Phishing? (0)

Anonymous Coward | about 7 years ago | (#20257943)

Do you honestly believe that the majority of people who actually use LiveID will actually know, or care that this is being opened up by Microsoft? Come on, the 95% of Joe Public who don't read /. won't know either way, so the chances of them being duped by a fake site before and after is exactly the same.

Re:Phishing? (1)

blowdart (31458) | about 7 years ago | (#20258249)

That's one of the major criticisms against OpenID as well of course. Consider how you login to Open ID, you give the provider details away, it's up to the web site you're trying to log into to bounce you to your OpenID site, and it can just as easily bounce you to a phishing site. That's one reason why some OpenID providers are starting to use Information Cards for logins, side by side with the username and password boxes.

No License? (4, Informative)

originalhack (142366) | about 7 years ago | (#20257595)

Great... it's copyrighted and provides no license.

Re:No License? (4, Insightful)

QuantumG (50515) | about 7 years ago | (#20257609)

Yup, grab the php package, you will see:

Copyright (c) 2007 Microsoft Corporation. All Rights Reserved.

and yeah, no license. So I guess implicitly you're not allowed to redistribute it at all.

just read the ToU (4, Informative)

Karma Sucks (127136) | about 7 years ago | (#20257745)

The ToU is on the downloads page: https://msm.live.com/app/tou.aspx [live.com]

Re:just read the ToU (1)

QuantumG (50515) | about 7 years ago | (#20257831)

The terms of use don't say anything about the copyright on the sample code. In fact, they don't say anything about the sample code at all.

Re:just read the ToU (1)

Karma Sucks (127136) | about 7 years ago | (#20257907)

Probably the intent is to be liberal. As long as you are not breaking the law or have malicious intent, you are free to use it as you wish. If you raise the issue perhaps they can make this clearer, there seem to be a lot of venues for feedback including a dedicated forum. *shrugs*

Re:just read the ToU (1)

QuantumG (50515) | about 7 years ago | (#20257923)

The point (which I think was obvious to everyone) is that Microsoft, a multi-billion dollar corporation, should know what they're doing and not need "feedback" to tell them that they should provide license terms with sample code.

Re:just read the ToU (1)

Karma Sucks (127136) | about 7 years ago | (#20257951)

That's what happens when you try to do open source... *lol*

Seems like even the lawyers get confused by the whole copyright/license thing when it comes to open source.

Re:just read the ToU (1)

QuantumG (50515) | about 7 years ago | (#20257975)

Lawyers get confused by copyright. period.

Copyright is intentionally designed that way.

Re:just read the ToU (0)

Anonymous Coward | about 7 years ago | (#20258267)

Probably the intent is to be liberal. As long as you are not breaking the law or have malicious intent, you are free to use it as you wish.

As long as I'm not breaking the law, I'm free to give cracked copies of Windows Vista Ultimate to all my friends, and all their friends.

Unfortunately, doing so IS breaking the law. Copyright law.

In most places, copyright law forbids not only distribution, but also modification. Like, modifying the example code to be usable in a real world situation, and integrating it in ones web application. The license is what allows this. But in this case there is no such license.

Re:just read the ToU (1)

wvmarle (1070040) | about 7 years ago | (#20258445)

In most places, copyright law forbids not only distribution, but also modification. Like, modifying the example code to be usable in a real world situation, and integrating it in ones web application. The license is what allows this. But in this case there is no such license.

Copyright as such does not forbid modification. Does not forbid anything other than (re)publishing or distributing the work in question. That the USA and some other countries have laws like the DMCA has nothing to do with basic copyright.

If you buy a book, no-one will forbid you to tear it to pieces, use the letters to create another book, etc. But you're not allowed to copy it. However you can sell it, in whole or in pieces (if anyone would like to buy it as such).

Re-using part of the code in a web application is a grey area: as long as the code runs on your server only, you do not redistribute it. But you do make use of other people's code. And whether that is allowed or not, will depend on the exact interpretation of copyright in your neck of the woods.

Intentions & assumptions don't count in court. (1)

cheros (223479) | about 7 years ago | (#20258535)

Given the nature of the Beast, it would not be extravagant not to make assumptions other than expecting the worst case.

Typical MS! (1, Insightful)

rts008 (812749) | about 7 years ago | (#20257627)

Solution looking for a problem.

With so many security and authentication issues inherent to MS products, this seems another case of marketing pushing faster/harder than the development teams can keep up with.

If it backfires for them, look for flying chairs...*ducks*.

Re:Typical MS! (0)

Anonymous Coward | about 7 years ago | (#20258343)

Hate to throw water on your hate-filled fire, but this most definitely is a problem that needs a good solution; whether Live ID will do the job is another question. MS's security record for the last 3 or 4 years has actually been pretty good, but that is another topic.

Now we can all use Windows security - via the web! (4, Funny)

greenguy (162630) | about 7 years ago | (#20257743)

There's no possible way anything could go wrong with this plan.

Article placement (4, Interesting)

Infonaut (96956) | about 7 years ago | (#20257817)

Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both? Company loses credibility. Keeps trying to regain it, but still doesn't grok that you can't just make it *look* like you've changed your spots. You actually have to change your behavior, and regaining credibility takes a lot longer than destroying it does.

Re:Article placement (0)

Anonymous Coward | about 7 years ago | (#20257875)

Is it just me, or does placing this article directly above the Diebold rebranding article make you think of a theme common to both?

It's just you. Slashdot editors aren't nearly clever enough to send an anti-MS message through article placement. Besides, why would they need to be devious about it? You won't find anything resembling a neutral MS opinion on this site. They don't try to hide their bias.

CardSpace? (2, Interesting)

ZSO (912576) | about 7 years ago | (#20257819)

Does this mean they've given up on CardSpace [wikipedia.org], which is built into Vista right now? I thought it was a much better solution to the need for single sign-on. Check out the channel9 video [msdn.com].

Re:CardSpace? (2, Insightful)

Shados (741919) | about 7 years ago | (#20257901)

Different purposes. CardSpace, part of .NET 3.0 and up, is made as a way to authenticate and share data on a site-by-site basis, as opposed to the central system of Live ID. One could say CardSpace is a "mini-LiveID" thing, so to speak. Still quite useful if implemented right.

Re:CardSpace? (1)

blowdart (31458) | about 7 years ago | (#20258203)

No. Especially as you're now able to associate an unmanaged card with your Live Login, and use that instead of the password. But it's a different solution, CardSpace is not single sign-on, LiveID is.

Uh, what? (2, Informative)

misleb (129952) | about 7 years ago | (#20257821)

I thought Passport was outed years ago as being fundamentally broken. Why would I want to implement it on my site? Did they fix it? If not, why are they still using it at all?

-matthew

Re:Uh, what? (1)

QuantumG (50515) | about 7 years ago | (#20257847)

They forced all the hotmail users and all the xbox users and all the other users of Microsoft services to sign up, so they figure they've got a nice big market share now.

I had to get Passport for my job (1, Troll)

MichaelCrawford (610140) | about 7 years ago | (#20257949)

I was working for a Windows shop a while back, and there was a Microsoft road show coming to town showing off Visual Studio 2005 and the new SQL Server. The boss wanted us all to go, but to attend we had to register at some Microsoft web page.

Part of the registration process was that I was required to get a Passport ID. I felt like I'd just sold my soul to The Devil just to get a paycheck.

Re:I had to get Passport for my job (0)

Anonymous Coward | about 7 years ago | (#20258011)

I felt like I'd just sold my soul to The Devil just to get a paycheck.

You only felt like you'd sold your soul?

OpenID (5, Insightful)

jediknil (1090345) | about 7 years ago | (#20257841)

I'd prefer to see the rise of OpenID [openid.net]. Now if Microsoft gave you an OpenID authentication point with your LiveID (preferably with something simple, like adding the OpenID <link> tags to login.live.com or even just live.com), that would be a feature worth using and supporting. And it wouldn't require changing the sites that already support OpenID, including, AFAIK, the SixApart family of blogs.

With modern technology, diverse applications are a good thing (healthier market and better apps from consumer selection). Information, however, is more useful the more widely it can be read and used. Unless you are specifically trying to hide something.

Unfortunately, like Live ID, there seem to be more OpenID providers than servers that use them for authentication.
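What "adding the OpenID <link> tags" to a login page actually involves, as an added example that is not part of the post and not code from any OpenID library: a relying party fetches the user's claimed identifier page and reads the <link> tags in its <head> that name the provider endpoint (and optionally a local identifier). The sample page and the login.example.com URLs below are constructed for the demo.

```ruby
# OpenID HTML discovery, written as an added illustration (not the post's
# code and not from any OpenID library). The rel names are the ones defined
# by OpenID 1.1 (openid.*) and OpenID 2.0 (openid2.*).
LINK_RELS = {
  "openid2.provider" => :provider,   # OpenID 2.0 provider endpoint
  "openid2.local_id" => :local_id,   # OpenID 2.0 local identifier
  "openid.server"    => :provider,   # OpenID 1.1 provider endpoint
  "openid.delegate"  => :local_id,   # OpenID 1.1 local identifier
}.freeze

# Returns { provider: url, local_id: url }; either key may be absent.
# Only <link> tags inside <head> are honoured (tags elsewhere in the page
# are ignored), and a 2.0 value wins over a 1.1 value for the same role.
def discover_openid(html)
  head = html[/<head\b.*?<\/head>/mi]
  return {} unless head
  found = {}
  head.scan(/<link\b[^>]*>/i) do |tag|
    rel  = tag[/\brel\s*=\s*["']([^"']+)["']/i, 1]
    href = tag[/\bhref\s*=\s*["']([^"']+)["']/i, 1]
    next unless rel && href
    rel.split.map(&:downcase).each do |r|
      next unless LINK_RELS.key?(r)
      version = r.start_with?("openid2.") ? 2 : 1
      found[[version, LINK_RELS[r]]] ||= href   # first tag wins per version
    end
  end
  result = {}
  [:provider, :local_id].each do |role|
    url = found[[2, role]] || found[[1, role]]
    result[role] = url if url
  end
  result
end

# Constructed sample page: the <link> in <body> must be ignored, and the
# 2.0 local_id must be preferred over the 1.1 delegate.
SAMPLE_PAGE = <<~HTML
  <html><head>
    <title>Sign in</title>
    <link rel="openid2.provider openid.server" href="https://login.example.com/openid">
    <link rel="openid2.local_id" href="https://login.example.com/id/alice">
    <link rel="openid.delegate" href="https://login.example.com/legacy/alice">
  </head><body>
    <link rel="openid.server" href="http://attacker-controlled.example/openid">
  </body></html>
HTML

if $PROGRAM_NAME == __FILE__
  p discover_openid(SAMPLE_PAGE)
end
```

The head-only restriction matters: a page that lets users inject markup into its body (a comment field, a profile) must not be able to redirect sign-in to a different endpoint, which is why the parser never looks past `</head>`.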

Re:OpenID (1)

Twigmon (1095941) | about 7 years ago | (#20257973)

Agree completely! OpenID really is a very nice system. I use it for my client's web sites.

For those who do not think that there is much of a market for this sort of thing: there is.

I develop sites that require authentication frequently. If web surfers have to remember a username/password combo for too many sites, they will have to just use the same user/password, write them down, or just give up on accessing the resource. Once a user/pass is compromised, they then have to go and change it for every single site that they have registered with. Pain in the butt.

With OpenID authentication you just have to change it once. The chance of the user/pass being compromised is reduced because it is only stored in the one place. The password request field is on a page that you *know* and often can customise. Phishing is not going to be anywhere near as easy with a distributed authentication system; each OpenID provider has a different-looking authentication page.

Re:OpenID (2, Insightful)

aichpvee (631243) | about 7 years ago | (#20258129)

Wouldn't it be just as easy to phish if the page could look like anything as if the page always looked the same?

Re:OpenID (1)

ttnb (1121411) | about 7 years ago | (#20258387)

Wouldn't it be just as easy to phish if the page could look like anything as if the page always looked the same?

No. When the login page looks different for different people, the likelihood of any given phishing attack succeeding becomes much smaller whenever the attacker guesses wrong about what a user's login page is supposed to look like. Mass-phishing attacks therefore become much more difficult to execute, because the attacker would need a way not only to contact a large number of people with a message containing a link, but in addition to determine for all these potential victims what their login pages are supposed to look like.

Re:OpenID (2, Insightful)

SolitaryMan (538416) | about 7 years ago | (#20258105)

It is worth noting that OpenID is a decentralized system, so you don't have to depend on a single ID provider.

My old single sign-on method (5, Interesting)

ls671 (1122017) | about 7 years ago | (#20257979)

I use 3 passwords for all sites I access, mapping to 3 levels of trust. I try to use the same user id when possible:

Level 1: risky

Level 2: less risky

Level 3: almost trustable

For sites that I really trust (banking, etc.) I use dedicated passwords. I also can forecast problems with a single sign-on scheme that would be more or less like giving away your social security number if hacked.

I have been working on this problem before for big organizations, and one conclusion we came up with was that we needed to re-use the old assembly language "indirection" principle, called pointers in higher level languages.

So basically, one has to be able to authenticate with multiple sets of username/password combinations. Once the unique user is authenticated, the central authentication authority limits its role to just that: authenticating the user.

All authorization is managed by the local system that interacts with the user.

Do a search for MBUN on Google. In Canada, a user can have multiple MBUNs to deal with the government. This solution was implemented to cope with privacy concerns and still allow the citizen to deal with the government with the same level of privacy that was previously achieved with paper forms. Basically, what has been done is creating a mapping between the MBUN and the real userid, and the choice has been given to the citizen to have as many MBUNs as he wishes to deal with the government.

Serious concerns should apply to too simplistic solutions ;-) Now for all /. MS bashers to enjoy: although a qualified partner in the project, none of MS's products were used to implement the solution. Given the money and the visibility at stake, this caused a commotion in Canada, with MS's Canadian VP putting pressure on everybody to reverse the decision.

Hey Sam, your products are just too simplistic and too proprietary. Phone us next year please ;-) That was really funny; the guy just couldn't understand that McDonald's-like marketing techniques did not work in this case. I mean, they even flew us to Redmond for a week at the campus to try to brainwash us, but still no go for MS.

-ls
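The design the post sketches (a central authority that only authenticates, an indirection between the real user id and what each service sees, and local authorization) as an added toy implementation. This is not the Canadian MBUN system, nor any Microsoft or Live ID code; the class names, the HMAC-based identifier derivation, the user names and the passwords are all constructed for the demo.

```ruby
require "openssl"
require "securerandom"

# Constant-time byte comparison, so a wrong password cannot be told apart
# from a right one by timing. Written out here rather than relying on
# OpenSSL.secure_compare, which older openssl gems lack.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The central authority (hypothetical): it stores credentials, verifies them,
# and hands back a pseudonymous identifier (the post's "MBUN") that differs
# for every (service, persona) pair. It stores no authorization data.
class CentralAuthority
  def initialize
    @users = {}                                   # user_id => { salt:, hash: }
    @mbun_secret = SecureRandom.random_bytes(32)  # never leaves the authority
  end

  def register(user_id, password)
    salt = SecureRandom.random_bytes(16)
    @users[user_id] = { salt: salt, hash: pbkdf2(password, salt) }
    true
  end

  # Returns the MBUN for (user, service, persona) on success, nil on failure.
  # The real user_id is never returned to the service.
  def authenticate(user_id, password, service, persona: 0)
    rec = @users[user_id]
    return nil unless rec && secure_equal?(pbkdf2(password, rec[:salt]), rec[:hash])
    mbun_for(user_id, service, persona)
  end

  private

  # Pairwise identifier: a keyed HMAC over (service, persona, user), so the
  # same person looks like unrelated users to different services, and the
  # persona lets one citizen hold several MBUNs at the same service.
  def mbun_for(user_id, service, persona)
    OpenSSL::HMAC.hexdigest("SHA256", @mbun_secret, [service, persona, user_id].join("\0"))
  end

  def pbkdf2(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 20_000, 32, OpenSSL::Digest.new("SHA256"))
  end
end

# A relying service (hypothetical): authorization is a local table keyed by
# the MBUN the authority issued for this service.
class PayrollService
  NAME = "payroll".freeze

  def initialize(authority)
    @authority = authority
    @roles = {}   # mbun => role
  end

  def grant(mbun, role)
    @roles[mbun] = role
  end

  # Authenticate through the authority, then authorize locally. Returns the
  # role, or :denied when authentication fails or the MBUN has no role here.
  def access(user_id, password, persona: 0)
    mbun = @authority.authenticate(user_id, password, NAME, persona: persona)
    return :denied if mbun.nil?
    @roles.fetch(mbun, :denied)
  end
end

# Constructed sample run (not real users or systems).
if $PROGRAM_NAME == __FILE__
  authority = CentralAuthority.new
  authority.register("alice", "correct horse battery staple")
  payroll = PayrollService.new(authority)
  alice_at_payroll = authority.authenticate("alice", "correct horse battery staple", PayrollService::NAME)
  payroll.grant(alice_at_payroll, :viewer)
  puts payroll.access("alice", "correct horse battery staple")   # viewer
  puts payroll.access("alice", "wrong password")                 # denied
end
```

The point to notice is that a breach of one service's database yields only that service's MBUNs, which cannot be joined to another service's records without the authority's secret, and that the authority never sees or decides what a user may do at any service.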

Only three passwords? (1)

Joseph_Daniel_Zukige (807773) | about 7 years ago | (#20258739)

What if someone you trust happens to accidentally (virus in a critical MSWindows server or something) reveal your high-trust password? And some guy who sees it decides to add your password to his brute-force dictionary?

OpenID (4, Informative)

AceJohnny (253840) | about 7 years ago | (#20257981)

And how does this compare to OpenID [wikipedia.org]? (See also OpenID Enabled [openidenabled.com] for those interested in using it.)

Re:OpenID (2, Interesting)

shish (588640) | about 7 years ago | (#20258187)

From a brief look, it seems considerably easier to implement and run, for clients, servers, and end users. I've had OpenID support on my webapp to-do list for months, and I'm considering implementing this in an afternoon. However, the fundamental design is worse :-/

OpenID could really do with a for-dummies API...

Re:OpenID (2, Interesting)

4thAce (456825) | about 7 years ago | (#20258225)

I hope that it could be one of the supported URL-based identity protocols under Yadis [yadis.org] too.

Rich

There is something I'm not understanding (1)

bob8766 (1075053) | about 7 years ago | (#20257995)

What makes LiveID different from Passport or other auth systems? I'd like a way to sign in to multiple sites without having to remember and type a username and login for each one, but so far every solution for the problem has been widely rejected. What are the limitations with these single sign-ons that cause sites to prefer rolling their own logins?

Re:There is something I'm not understanding (1)

Paradigm_Complex (968558) | about 7 years ago | (#20258243)

Microsoft has announced the release of Windows Live ID Web Authentication. This means that WLID (formerly known as Passport) is now opened to third party websites to use as their authentication system

I know reading the article is cheating, but at least read the first two sentences of the summary. It isn't different from Passport at all. OpenID (http://en.wikipedia.org/wiki/OpenID), on the other hand, is a different story.

Oh no, not again! (0)

Anonymous Coward | about 7 years ago | (#20258001)

Isn't this the same system that got cracked a few years back, when someone called a high-level M$ executive and said, "Mr. So-and-so, your home address is X, your social security number is y," and so on?

Microsoft is a cancer...and FOSS is the cure. [mailto]

Re:Oh no, not again! (0)

Anonymous Coward | about 7 years ago | (#20258241)

No it's not. Because Passport/Live has never had your SSIN. But hey, way to make something up there.

100% offtopic (1)

arnott (789715) | about 7 years ago | (#20258085)

According to wikinews, Richard Stallman is missing after the earthquake in Peru, anyone know anything ?

Love that Ruby. (1)

kwabbles (259554) | about 7 years ago | (#20258161)

Looks pretty.

Re:Love that Ruby. (1)

August Lilleaas (1111117) | about 7 years ago | (#20258223)

We have a lot to learn from Microsoft about their enterprisey-ness. They do, for instance, use XML instead of yaml. And they violate DRY, that's important too! Look at User#baseurl and User#secureurl. And also the way they do User#getLoginUrl and User#getAppVerifier. No way they'll create a method to make GET parameters for urls, we do that by hand every time. This:

    # Build a "key=value&key=value" query string from an options hash
    def niceCamelCasedUrlMethod(options = {})
      options.map { |key, value| "#{key}=#{value}" }.join("&")
    end

Would have been way too clean.
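One thing worth checking before adopting the post's one-liner for real query strings, as an added example that is neither the SDK's Ruby sample nor the poster's code: it joins keys and values without escaping, so a value that itself contains "&" or "=" (a return URL with its own query string, say) splits into extra parameters on the receiving side. The stdlib's URI.encode_www_form gives the same one-liner convenience with escaping. The parameter names and URL below are constructed for the demo.

```ruby
require "uri"

# The post's approach: join "key=value" pairs with no escaping.
def naive_query(options = {})
  options.map { |key, value| "#{key}=#{value}" }.join("&")
end

# Same interface, but every key and value is form-encoded (stdlib).
def safe_query(options = {})
  URI.encode_www_form(options)
end

# What a server sees after splitting on "&" and the first "=" (stdlib decoder).
def parse_query(query)
  URI.decode_www_form(query).to_h
end

# Constructed input: a return URL that itself carries query parameters.
SAMPLE_OPTIONS = {
  "appid"  => "demo-app",
  "returl" => "https://rp.example/callback?next=/home&lang=en",
}.freeze

if $PROGRAM_NAME == __FILE__
  p parse_query(naive_query(SAMPLE_OPTIONS))  # "returl" truncated, stray "lang" => "en"
  p parse_query(safe_query(SAMPLE_OPTIONS))   # round-trips exactly
end
```

With the naive builder the server receives a truncated return URL plus a parameter the caller never meant to send; with the encoded builder the hash round-trips unchanged.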

Re:Love that Ruby. (1)

Karma Sucks (127136) | about 7 years ago | (#20258453)

What's with the nitpicking, that Ruby is sweet!

Why am I not convinced? (2, Insightful)

mporcheron (897755) | about 7 years ago | (#20258261)

Well, it will inherit Microsoft's stellar security and perfect programming. Besides which, it's a closed network unlike OpenID, so it will be about as popular as Google's Account Authentication [google.com], which does the same thing but with Google Accounts. Even OpenID isn't that widely used, and it's an open system.

Re:Why am I not convinced? (1)

RegularFry (137639) | about 7 years ago | (#20258313)

You're forgetting that, unlike OpenID, Passport already has a huge number of users. It stands a good chance of winning by default.

MS changing tactics (1)

high_rolla (1068540) | about 7 years ago | (#20258433)

Putting the discussion on whether this is a good idea or not aside (you guys have already discussed that quite a bit), it's interesting to see how they are going about deploying this. I'm sure if they were doing this a few years back they would have provided sample code for MS sites and left the others to come up with their own implementations. It's interesting to see that more and more they are leaving their MS lock in tactics behind.

This is bad news (1)

CopaceticOpus (965603) | about 7 years ago | (#20258497)

The worst possible things that could happen for widespread adoption of a universal login system are:

1. Competition between different standards.
2. Companies with profit motives pushing their own solutions.

It's like the whole HD-DVD vs BluRay issue. End users don't want to deal with choosing one or the other. It would be better for everyone if we could all just come together around one completely open standard.

The standard with the most momentum seems to be OpenID. I hope that a few years from now, I'll be using it for most of my web logins.

Why? (2, Insightful)

PietjeJantje (917584) | about 7 years ago | (#20258631)

Why on earth would I want to, of all things, authenticate using a 3rd party proprietary system from a vendor with proven business practices like MS? That seems like the very last thing I want to do. And I haven't even mentioned the outages, so your uptime depends on MS. What are you gonna do when that happens, call them? I have a much better idea, Bill. Why don't you use my unified login system? I've made a version in Visual Basic especially for you.