'Open MS Passport': MyUID Goes Beta
mastergoon writes "MyUID, which has been referred to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."
  • Wow. (Score:5, Funny)

    by Arial Sharon, 10pt. ( 784486 ) <arialsharon@fastmail.fm> on Monday June 21, 2004 @01:14AM (#9482005)
    Maybe one day this could be almost as successful as MS Passport.
    • Maybe one day this could be almost as successful as MS Passport. ... which wouldn't be too hard, considering Passport was a flop. Only Microsoft seem to use it, and that was far from their intention.
      • Re:Wow. (Score:3, Informative)

        eBay [ebay.com] gives you the option.

        CheckFree gives you the option.

        A lot of sites have optional Passport logins.

        It's far from a flop, but it's just as far from the raging success Microsoft hoped for.
  • by Anonymous Coward on Monday June 21, 2004 @01:15AM (#9482013)
    It has no reverse DNS, which will mean some people won't allow it to send them mail.
  • by XanC ( 644172 ) on Monday June 21, 2004 @01:15AM (#9482017)
    Here's the complete FAQ from the website:

    Frequently Asked Questions (FAQ)

    Q: When will the first API be done?
    A: The alpha is out, check the download page.

    Q: Can penguins fly?
    A: No.

    • perhaps you can ask the guy some questions and thus make them "frequently asked".

      it seems like myuid hasn't seen enough light to get many questions in the first place.
  • by LostCluster ( 625375 ) * on Monday June 21, 2004 @01:17AM (#9482022)
    They have the most useless FAQ in recorded history... [myuid.com]

    The API is also decidedly undocumented. [myuid.com]

    Please come back when there's actually something to show us...
    • Are you crazy? It's not useless!

      Not everyone has played enough Tux Racer to know that penguins can't fly.
    • by Anonymous Coward
      They have the most useless FAQ in recorded history...

      Excuse me, but FAQ stands for "Frequently Asked Questions". Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?

    • They've implemented the old "hack first, design later" philosophy of software development. After something's hacked together, then it will be documented. Once the documentation has been produced, then it will go through a redesign because of unforeseen problems and the API will be changed. As a result, older implementations will break.

      On the plus side, at least they'll have first mover advantage no matter how buggy. Hey, it worked for Windows...
      • >On the plus side, at least they'll have first mover advantage no matter how buggy. Hey, it worked for Windows...

        Were they the first mover? (scratches head) That's not quite how I remember it happening.

        • Were they the first mover? (scratches head) That's not quite how I remember it happening.

          Well not exactly. I was mostly referring to the "ship first, deal with bugs later" approach Microsoft routinely took. But which other OS company on the PC struck deals with manufacturers to bundle their graphical OS with new systems? The only other one that comes to mind is IBM's OS/2 and I don't know the timeline enough to know if this was explicitly bundled with IBM systems before Windows was.
  • Problems (Score:5, Insightful)

    by pirodude ( 54707 ) on Monday June 21, 2004 @01:18AM (#9482023)
    From the TOS:

    MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.

    All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.

    --------------

    The problem with sites like this is you don't know who's behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even to themselves) they're not going to see my business.
    • Re:Problems (Score:2, Insightful)

      by javajawa ( 126489 )
      Umm... if you want to encrypt with your own key, simply encrypt it with your own key, and send through their transport encrypted...
    • Maybe I'm missing something, but if you encrypt all of your data with your own key and don't allow anyone access to it, how is it going to be useful as a universal sign-on? I kinda thought the places you were signing on to might need the info they store there, hence the point of the service.
      • I think the bigger question is: exactly what data is myuid storing!? Normally one does not have data associated with his user ID.

        Unless they are hoping to track the sites you logon to. Which typically only results in 'targeted' marketing...
  • Flying solo? (Score:5, Informative)

    by LostCluster ( 625375 ) * on Monday June 21, 2004 @01:22AM (#9482038)
    It seems like this project is only implemented on one site called mastergoon.com, and the /. post comes from a user named "mastergoon". Hmm...

    Seems like a one-person project. Very easy to declare standards without all those annoying other people!
  • Wrong idea? (Score:5, Insightful)

    by Wrexs0ul ( 515885 ) <{moc.eninkcar} {ta} {reiemm}> on Monday June 21, 2004 @01:23AM (#9482043) Homepage
    I thought the whole problem with a centralized user system was exactly that it was a centralized user system. Doesn't matter who runs the ID server or how little information is stored on there; as soon as a centralized system exists it's the biggest, baddest target for attack out there with the highest consequences if it's broken into.

    Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?

    -Matt
    • Re:Wrong idea? (Score:5, Insightful)

      by LostCluster ( 625375 ) * on Monday June 21, 2004 @01:25AM (#9482053)
      Furthermore, having a common UserID opens the door for sites that have fragments of your personal info to merge the pieces together to get a more complete picture.
      • DSA keys database? (Score:2, Insightful)

        by mikelang ( 674146 )
        Maybe it would be better to standardize on cryptographic keys and enhance the browser so as to automatically encrypt all connections to the chosen site. It acknowledges your identity, you can have different keys for different sites and you can have a single password for the store of crypto keys.
    • Re:Wrong idea? (Score:5, Insightful)

      by mandalayx ( 674042 ) * on Monday June 21, 2004 @01:50AM (#9482159) Journal
      you're right, there are problems. and you have only hit on a few of them.

      but realize that there is value for some folks in having a "universal" id system. why do you think that your SSN in the US is used so widely?

      again, there are many problems, but there exist benefits too.
      • I'm not saying having this system wouldn't be simple. Consider though that your social security number is protected by the world's most powerful government with databases backed by thousands of staff whose sole job it is to ensure your number isn't stolen, yet even after all that identity theft still happens.

        Now note that the providers of this or any comparable software simply cannot have that kind of backing, no fraud protection exists, and no working method of recovering your identity exists in the event
        • Consider though that your social security number is protected by the world's most powerful government with databases backed by thousands of staff whose sole job it is to ensure your number isn't stolen....

          Well, sort of. I originally thought this as well, but then I quickly realized that most of my life I've filled in my SSN for every bank account, school form or medical questionnaire (to name a few). Your SSN is floating around all over the place, albeit in supposedly protected databases, but definitely

      • ...why do you think that your SSN in the US is used so widely?

        ...because our legislators lied to us? Again?

      • Re:Wrong idea? (Score:2, Insightful)

        by cwis42 ( 563232 )
        why do you think that your SSN in the US is used so widely?

        This also has some security considerations. Why do you think it is illegal in France to use the SSN as an identifier?

  • by vivek7006 ( 585218 ) on Monday June 21, 2004 @01:24AM (#9482046) Homepage
    From their website

    MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.
    • "I'll give one million dollars to a random person selected from the pool of people who each give me ten dollars! Sorry, you weren't the winner, but thanks for playing!"

      Sound like a good way to get sign ups?

      Anyone seen any proof that this guy has these accounts to give away?

  • by Anonymous Coward on Monday June 21, 2004 @01:25AM (#9482051)
    Weren't they [projectliberty.org] supposed to do something similar? Sure seems to be taking them a long time.
    • Well, they actually do... But Project Liberty is about specification, not implementation. Look at sourceId if you'd like some starting point for an implementation.
      But still, the Liberty Alliance takes quite a different point of view. Passport and My-Whatever talk about having a centralized server that would keep your personal data (and spread them around when needed).
      The Liberty Project is about federating logins:
      - You create a local account on some server.
      - You create a local account on a "centralized" s
  • by Endareth ( 684446 ) on Monday June 21, 2004 @01:28AM (#9482064) Journal
    From my initial glance I really fail to see how this is really any better or different from MS Passport, even once it's ready for release. At least MS have the clout to have Passport used on more than just their own site, which is where the value really is. I'm also not too sure about the idea of a public Alpha test of this sort of technology. Seems a bit too early in the development cycle for it to be worthwhile. Getting the site slashdotted really only results in load testing, and they don't seem even close to that! And let's not forget the dumb name... how many [G|U|etc]UIDs do we need?
    • by blowdart ( 31458 ) on Monday June 21, 2004 @03:07AM (#9482388) Homepage

      Let's add to this the fact that the "story" for this reads like a press release, and one that lies at that.

      "Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site"

      So you can't use Passport on your own site? What utter bollocks. Oh look, there's [microsoft.com] the passport SDK.

      But I can't run it on Linux you cry? Really? Step back a version, version 2.1 [microsoft.com] has code for Apache/CGI in it (or did last time I looked). Admittedly the documentation for it is sparse to say the least.

      Finally let's look at the story submitter: mastergoon. OK, let's look at who owns myuid.com:

      Registrar: DOTSTER
      Domain Name: MYUID.COM
      Created on: 28-APR-04
      Expires on: 29-APR-05
      Last Updated on: 28-APR-04
      Administrative Technical Contact:
      O'Shea Kevin kevin@mastergoon.com

      Oh look, it's another shill story. Someone submitting a story about his service without admitting it.

      When did slashdot become a press release site?

  • by bersl2 ( 689221 ) on Monday June 21, 2004 @01:28AM (#9482067) Journal
    This is a story because they have proof of concept and a basic framework. This gives them attention; right now they need people to flesh out and test the system. A story on Slashdot is a great way to attract attention.

    Now whether this project is ultimately useful is debatable.
    • by photon317 ( 208409 ) on Monday June 21, 2004 @02:06AM (#9482215)

      Yeah, but their concept and framework appears to basically suck. They made a simple user database, tagged in some email address verification and a (currently gimped) "Read this image test", and release an API for any other website to authenticate against this database. Welcome to Web Programming 101. If the problem was this easy to fix, it would've been fixed a long time ago.

      There is a (more than one probably) right way to do this, and this isn't even close to being it.

      As a matter of fact, I came up with one while typing this, but I deleted my description of it. Why feed slashdot my design work when I should just jot this down somewhere and go implement it myself :)
      • I agree that it sucks. However, sucking is a good way to get the ball rolling. There have been several libre implementations "in development" for years now. This is 0.1 of a moving "standard". They admit it is in alpha. The first several thousand accounts will be subject to abuse... and if it gets moving and adopted, it will get tighter and better over time.

        A bad implementation that exists is always better than a perfect implementation that is perpetually on paper.

        --
        Evan

    • A lot of people aren't missing the point, this is basically retarded. I don't like Microsoft having my username and password, but I guess they probably spend enough money to make it basically secure.

      As an alternative I should remove my personal details from Microsoft and give them to some Cheech and Chong outfit?

      That makes no sense to me at all. I bet it makes even less sense to my parents.

      This article is retarded and this project is retarded.
  • Security? (Score:5, Insightful)

    by Ravenscall ( 12240 ) on Monday June 21, 2004 @01:31AM (#9482078)
    So, if I am reading the code right, it has basically no security whatsoever at this point. Wouldn't you want that in an alpha release?
  • Usefulness? (Score:5, Interesting)

    by wwahammy ( 765566 ) on Monday June 21, 2004 @01:36AM (#9482102)
    Kudos to whoever made this, I know you must have put your heart into this. I don't mean this comment as an insult to you or your idea. But really is there a need for this? I like the idea of simplifying the web for people but Passport exists (and failed) and I believe there's a competing group with Sun in it called the Liberty Alliance that has a non-centralized model which I think sounds much safer. A centralized database has too many problems related to it to be useful.
    • A centralized database has too many problems related to it to be useful.

      Oh a centralized database can definitely be useful. Actually that is the crux of the problem, it's *too* useful to potentially too many people.
      • "Code and Other Laws of Cyberspace" points out the dangers of having an infrastructure that allows most people to be identified without great difficulty. I wonder what Lawrence Lessig would have to say about this initiative.

        I began reading the book three days ago, and am up to page 78. It's a thought-provoking book. I value my freedom highly. I will examine these issues.

    • ...one of the reasons: stupidly high license fees from msn/microsoft.

      Ebay is the only big-name site (apart from hotmail of course) that I can recall as using it.
  • Would I want to put my personal details on another site that every man and his dog can access? Or am I missing the point completely?
    • No totally (Score:5, Insightful)

      by Wrexs0ul ( 515885 ) <{moc.eninkcar} {ta} {reiemm}> on Monday June 21, 2004 @01:44AM (#9482130) Homepage
      Assumedly at this point the dog hasn't learned how to run script kiddie php exploits, otherwise your statement is correct.

      It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there meaning one lucky strike could potentially compromise every user on the system.

      ouch.

      -Matt
      • And following the same theme, what are the chances there is any redundancy in this system? What happens if the server fails? I bet there isn't any replication to another server in a different location. In fact there probably isn't even a UPS and RAID array on the machine hosting this
  • Totally backwards (Score:5, Insightful)

    by torinth ( 216077 ) on Monday June 21, 2004 @01:39AM (#9482112) Homepage
    Why would I encourage users to aggregate all their personal data with some unknown startup?

    The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.

    If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.

    And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.
    • I'd just like to have one fake email/password so i could remember it for the thousand different sites that want my details
      • I'd just like to have one fake email/password so i could remember it for the thousand different sites that want my details

        Your prayers have been answered: http://www.bugmenot.com
        Just add their bookmarklet to your browser bookmarks toolbar, or attach a shortcut to it. Whenever a site asks your details, click the link and the site will provide you with a login/pass. If the site is unknown, register using a fake address (or an address like bugmenot@mailinator.com, if you need to 'click to activate your mem


  • ...towards creating that completely P2P IM system I've always wanted to see. Now, can we trust this company?
  • Kinda Scary (Score:4, Funny)

    by novalogic ( 697144 ) <aramovaNO@SPAMgmail.com> on Monday June 21, 2004 @01:48AM (#9482143)
    Think of the spam potential with this... I don't see why Gator hasn't tried this.
  • The problem... (Score:4, Insightful)

    by ameoba ( 173803 ) on Monday June 21, 2004 @01:49AM (#9482147)
    The problem with a system like this is that no matter how secure the underlying mechanism is, by making it so that any random site could possibly be using it for authentication, you have no idea who is legit & who is simply harvesting passwords.

    With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.
    • by grahamsz ( 150076 ) on Monday June 21, 2004 @01:58AM (#9482193) Homepage Journal
      Surely you sign on to their secure server and it generates a token which can authenticate you to the third party site...

      Isn't that about the only sane way to do this?
      • Yes. Indeed, systems like Kerberos do exactly this. You can also do interesting things using X.509 keys and proxy certificates.

        But to be honest, the real danger of any such system is that it makes the 'trusted central service' necessary for many of these large-scale authentication systems a massively large target.

        Imagine: a ubiquitous authentication framework, used everywhere. Wonderful idea -- no more remembering all these damn passwords, everything is Just Secure.

        Except that every black hat out ther
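The token-based flow sketched in the exchange above (log in at the identity provider, receive a token, present the token to the third-party site) can be made concrete. The following is an added illustration, not MyUID's code or API: a toy identity provider that verifies the password itself and issues a short-lived, HMAC-signed token bound to one relying site, which verifies it with a shared secret and never sees the password. All names, secrets and field names are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed example: an identity provider (IdP) checks the password and hands
# the user a short-lived token for one specific relying site. The relying site
# verifies the token with a per-site shared secret; the password never leaves
# the IdP. Field names (sub, aud, iat, exp, nonce) are JWT-style conventions
# chosen for readability, not part of any protocol the thread describes.

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

class IdentityProvider:
    def __init__(self):
        self.users = {}         # username -> (salt, PBKDF2 hash); no plaintext passwords
        self.site_secrets = {}  # site id -> secret shared with that relying site

    def register_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[username] = (salt, digest)

    def register_site(self, site_id: str) -> bytes:
        secret = secrets.token_bytes(32)
        self.site_secrets[site_id] = secret
        return secret

    def _check_password(self, username: str, password: str) -> bool:
        rec = self.users.get(username)
        if rec is None:
            return False
        salt, digest = rec
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(cand, digest)

    def issue_token(self, username, password, site_id, now=None, ttl=300):
        """Login happens here; returns a signed token bound to site_id, or None."""
        if site_id not in self.site_secrets or not self._check_password(username, password):
            return None
        now = int(time.time()) if now is None else now
        payload = {"sub": username, "aud": site_id, "iat": now, "exp": now + ttl,
                   "nonce": secrets.token_hex(8)}
        body = _b64(json.dumps(payload, sort_keys=True).encode())
        sig = hmac.new(self.site_secrets[site_id], body.encode(), hashlib.sha256).digest()
        return body + "." + _b64(sig)

class RelyingSite:
    def __init__(self, site_id: str, shared_secret: bytes):
        self.site_id = site_id
        self.secret = shared_secret
        self.seen_nonces = set()  # tokens already accepted, to refuse replays

    def verify_token(self, token: str, now=None):
        """Returns the username if the token is valid for this site, else None."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".", 1)
            given_sig = _unb64(sig)
            payload = json.loads(_unb64(body))
        except ValueError:  # includes binascii.Error and JSON decode errors
            return None
        expected = hmac.new(self.secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(given_sig, expected):
            return None  # tampered body or token signed for another site
        if payload.get("aud") != self.site_id:
            return None  # token was issued for a different relying site
        if not (payload["iat"] <= now < payload["exp"]):
            return None  # expired or not yet valid
        if payload["nonce"] in self.seen_nonces:
            return None  # a captured token cannot be presented twice
        self.seen_nonces.add(payload["nonce"])
        return payload["sub"]
```

The relying site learns only the username; a site that collected MyUID passwords directly, as a later comment in this thread worries, has no equivalent in this flow.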
  • by Broadcatch ( 100226 ) on Monday June 21, 2004 @01:49AM (#9482149) Homepage

    I'm concerned that it is just another centralized database of information. At least with Passport you don't have to worry about their database being bought by Microsoft.

    At Identity Commons we intend to give people full control over their personal profile information, including not only who has access to which parts under what circumstances, but also where which parts of it are stored. If you don't trust any of the "banks" you can store it under your virtual mattress (if that's where you keep your server, though it might get kinda hot under there).

    The free and open source code base is built upon two new OASIS XML standards, Extensible Resource Identifiers (XRI) which add (among other things) persistence and cross references to URIs, and the XRI Data Interchange (XDI) spec which enables a "dataweb", much like URIs enable a "document web". The coolest part of XDI is the concept of Link Contracts, that enable fine-grained access control over profile data while simultaneously recording the details that both parties agree to (and electronically sign) before any data exchange takes place.

    While we're still a month (or more) from announcing, we [identitycommons.org] have enjoyed [digitalidworld.com] some good initial [betanews.com] exposure [blueoxen.net].

    BTW: we're looking for people to play with the (pre-alpha) software (it's on SourceForge and there are even some CPAN modules) and help us [idcommons.net] bring it to the next level.

  • MyIUD (Score:2, Funny)

    For a second I thought this about someone's IUD. I know that this is slashdot and that anything goes, but that is just too personal if you ask me.
  • by freeduke ( 786783 ) on Monday June 21, 2004 @01:50AM (#9482157) Journal
    Ok, here comes a new API for login?? What about LDAP, isn't it secure, reliable and efficient? So why do people have to reinvent the wheel every time? It would be far more constructive to think about a way to integrate and interface a huge Internet-distributed LDAP structure, and have a clear standard to implement the way it works...

    Every website could have a root server for its zone, registering new users' LDAP root server for authentication. They could also be third-party LDAP server providers: ISPs could be part of it, because they have got the login/pass associated to your connection, and they are already running LDAP servers.

  • Google? (Score:4, Interesting)

    by p0 ( 740290 ) on Monday June 21, 2004 @01:51AM (#9482165)
    I have just signed up, and my welcome message reads:

    "MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck."

    Why wouldn't Google come up with its own 'passport' service?
    • Re:Google? (Score:2, Interesting)

      I'm just making an assumption here, but I don't think Google is in any way related to these guys. They seem very unprofessional, and very not serious. I've heard from friends that once getting a Gmail account, you'll get 3 invites within a few days. Chances are one of them got an account, and is going to give his invites away to the "lucky" few who sign up. However, if Google ever started a service like this, I'd sign up instantly. They're one of the first companies I feel I can trust.
  • Good SPAM (Score:4, Insightful)

    by Anonymous Coward on Monday June 21, 2004 @01:59AM (#9482195)
    Good for spamming: http://www.myuid.com/api/usercard.php?uid=1

    Where's the security?

    Markus Diersbock
  • Why not use Jabber Tickets? I already have an account with a Jabber server, and this way the site can automatically tell me if my friends are also using the site, or even notify me that they are using it, so I can spark up a conversation about some topic on the page I know they are at.
  • Careful! (Score:2, Informative)

    by Repran ( 560270 )
    The mastergoon link contains a picture of goat.cx!
  • Currently, the remote site is not in a good state of affairs. Someone has decided that HTML injection is the way to go, and well, it has become a porn site. I would recommend not going to it for a day till they can get that stuff removed from the database.
  • by Anonymous Coward on Monday June 21, 2004 @02:28AM (#9482278)
    Real nice (if you need email addresses):

  • From the FAQ... (Score:4, Insightful)

    by scrm ( 185355 ) on Monday June 21, 2004 @03:07AM (#9482385) Homepage
    Q: Can penguins fly?

    A: No.


    It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).

    MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?
  • The "My" prefix (Score:5, Insightful)

    by chickenwing ( 28429 ) on Monday June 21, 2004 @03:17AM (#9482413) Homepage
    Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing. It seems to be some kind of conspiracy by marketing people to force us all to use baby-talk to do anything with a computer.

    Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.

    I can't even begin to understand what "MySQL" is supposed to mean.

    It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.
    • <aol>I agree.</aol>

      There was a /.poll [slashdot.org] on this a few months back, asking which was the most-hated prefix/suffix (other options were "i", "e", "cyber", etc). But I don't just despise "My" for applications - I've had to maintain code where a clueless developer called everything myVar, myVar2, etc.

      Disclaimer: I quite like MySQL. It's just the name that stinks. Hopefully MyUID will follow that trend - or find a better name.

    • by Anonymous Coward

      Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing.

      Wouldn't that be MyPetPeeve?

      MyApologies.

    • Re:The "My" prefix (Score:3, Interesting)

      by Tony-A ( 29931 )
      I can't even begin to understand what "MySQL" is supposed to mean.

      Derived from and/or to be consistent with muSQL. Also the name of a daughter of one of the developers was "My".
      At least it's not "My SQL" with the embedded blank. /etc/my.cnf is the configuration, so MySQL AB has at least some legitimate claim to the prefix "my".

      "My Computer" belongs to whoever stuck the "My" label on "Computer". It wasn't me who did that.
      MySQL belongs to MySQL AB. They happen to be nice enough to allow me to use their SQL
    • Next up, YAMyUID, followed by KYAMyUID.
  • I don't get it (Score:3, Insightful)

    by njcoder ( 657816 ) on Monday June 21, 2004 @03:35AM (#9482448)
    National ID Card = Bad
    Centralized authentication server for internet = Good

    ???????????

  • Unimpressive (Score:4, Insightful)

    by Bob Ince ( 79199 ) <and@doxdes[ ]om ['k.c' in gap]> on Monday June 21, 2004 @03:46AM (#9482476) Homepage
    Well, it's a good thing they're asking for security issues now rather than later, as the very first form field I found had a cross-site-scripting hole in it, e.g.

    http://www.myuid.com/activate.php?email=fdgdfs%3Cs cript%3Ewindow.alert%28document.cookie%29%3B%3C%2F script%3E&code=boo

    Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.

    Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
    • Where's the hole? Paste the above URL into a browser, and view source on the resulting page:

      No account found for the e-mail address: fdgdfs<script></script>window.alert(document.cook i e);</ script>

      The attempt at injecting a <script> was foiled by insertion of a </script> immediately following it. The original </script> was rewritten to </ script> (which Firefox sees as a comment).

      Or, maybe they read /. and have patched the hole in the last 6 hours..
      • Never mind, the hole does indeed still exist.. I missed a space when pasting the URL in (please, use anchors when posting URLs!).

        The interesting part is that their site *does* add a </script> to the input, but only if it's not already there?
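The thread above contrasts a site that tries to neutralise `<script>` by inserting a closing tag after it with the "free clue" that string tricks do not make output safe. As an added illustration (not MyUID's code), the naive approach is modelled below as a simplified stand-in next to the actual fix, context-correct HTML escaping of the reflected e-mail address; a small parser shows which version still hands the browser a real element. The sample input is the one from the thread; the function names are invented.

```python
import html
from html.parser import HTMLParser

# Constructed example. render_naive() is a simplified model of the "append a
# </script> after <script>, mangle the user's own </script>" behaviour the
# thread describes; it is not MyUID's actual filter. render_escaped() is the
# correct fix: entity-encode the untrusted value for the HTML text context.

MESSAGE = "No account found for the e-mail address: "
# Sample input taken from the thread above (the activate.php email parameter).
SAMPLE_INPUT = "fdgdfs<script>window.alert(document.cookie);</script>"

def render_naive(email: str) -> str:
    """Blacklist-style string patching: the markup characters stay in the page."""
    patched = email.replace("</script>", "</ script>")
    patched = patched.replace("<script>", "<script></script>")
    return MESSAGE + patched

def render_escaped(email: str) -> str:
    """Output encoding for an HTML text node: < > & " ' all become entities,
    so the browser can only ever display the value, never parse it as markup."""
    return MESSAGE + html.escape(email, quote=True)

class _StartTagCollector(HTMLParser):
    """Records the element start tags a browser-like parser would create."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def element_tags(rendered: str) -> list:
    """Which elements the rendered string actually contains; [] means the
    untrusted value was reduced to plain text."""
    collector = _StartTagCollector()
    collector.feed(rendered)
    collector.close()
    return collector.tags
```

A useful regression check for any reflected field is exactly `element_tags(render(value)) == []` for hostile inputs; the naive renderer fails it because it still emits a live `<script>` element and relies on matching one exact spelling of the tag.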
  • by g_lightyear ( 695241 ) on Monday June 21, 2004 @03:51AM (#9482488) Homepage
    Part of the point behind Project Liberty, and one of the reasons that Passport hasn't worked, is that people aren't necessarily comfortable with the idea of a 'centralised' authentication system for the whole of the planet.

    Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.

    Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:

    1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or

    2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.

    They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.

    Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.
  • by snon ( 80458 ) on Monday June 21, 2004 @04:00AM (#9482511)
    I strongly believe that we need to reduce the number of accounts per person - our attempt at that is Mindlocked which we hope to develop further - especially in terms of distributed/replicated databases etc...

    Anyone interested in joining this project (that will be released under GPL soon...) - let us know!

    That's my 2 cents worth of marketing =)
  • by Eric Smith ( 4379 ) * on Monday June 21, 2004 @04:12AM (#9482535) Homepage Journal
    I don't mind that the registration requires cookies, but they should explicitly state that, especially if you try to submit a registration and the cookie is not present. Instead, they say something about the verification code not matching, and "Are you a robot?". Very unhelpful.
  • What is this? (Score:5, Insightful)

    by binkzz ( 779594 ) on Monday June 21, 2004 @04:20AM (#9482551) Journal
    It's nothing more than a day's work. There is nothing to speak of, the passwords aren't stored encrypted and no intelligent thought seems to have been put into it. As someone else already mentioned, anyone can take the entire user database with personal information from the site (everything except the password). If I were to run a site using the MyUID, I could obtain users' MyUID passwords as they tried to log in on my site, giving full access to any user's account who logs in via my site. Outrageous!

    Interestingly, it does say in the ToS:

    MyUID will not give or sell your private account information or your password to anyone,

    which seems a lie. But it goes on!

    MyUID will supply any information we have about you to law enforcement officials if necessary.

    They'll rat on you even if not required by law. Yay!

    In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.

    ... Wow..

    The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.

    Registered user #1 [myuid.com] is mastergoon, so this is just blatant self-advertising on slashdot.
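    The flaw described above (the relying site sees the user's MyUID password on every login) contrasted with an assertion-based flow, as an added example that is not MyUID's code: the provider stores only a salted hash, the "relay" site handles the raw password, and the assertion site verifies a signed, audience-bound, expiring token instead. All names, keys and users are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Added example, not MyUID's code: a "password relay" login, where the relying
# site handles the user's provider password, next to an assertion-based login
# where the provider hands the site a signed token instead. All values constructed.

IDP_USERS = {}                           # username -> (salt, hash), provider only
RP_SHARED_KEY = secrets.token_bytes(32)  # secret shared by provider and relying site


def idp_register(username, password):
    """Provider stores a salted PBKDF2 hash, never the password itself."""
    salt = secrets.token_bytes(16)
    IDP_USERS[username] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))


def idp_check(username, password):
    if username not in IDP_USERS:
        return False
    salt, digest = IDP_USERS[username]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)


def relay_login(username, password, rp_log):
    """Flawed flow: the relying site receives the raw provider password and
    forwards it, so its logs (or a dishonest operator) now hold that password."""
    rp_log.append(("saw_password", username, password))
    return idp_check(username, password)


def idp_issue_assertion(username, password, audience, now, ttl=300):
    """User authenticates to the provider directly; the provider returns a
    signed, audience-bound, expiring assertion for the relying site."""
    if not idp_check(username, password):
        return None
    payload = f"{username}|{audience}|{now + ttl}"
    sig = hmac.new(RP_SHARED_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}|{sig}"


def rp_verify_assertion(token, audience, now):
    """Relying site checks signature, audience and expiry; it never sees a password."""
    parts = token.split("|")
    if len(parts) != 4:
        return None
    username, aud, exp, sig = parts
    expected = hmac.new(RP_SHARED_KEY, "|".join(parts[:3]).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected) or aud != audience or int(exp) <= now:
        return None
    return username
```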

  • by joeykiller ( 119489 ) on Monday June 21, 2004 @04:38AM (#9482596) Journal
    It's not that I distrust them or anything, it's just that I couldn't find any information on who these people are and why they're making MyUID.

    Since this is Slashdot I can only assume that these guys are on the "good" side, but a few answers to "why?" and "who?" in their FAQ wouldn't hurt.
  • by johnburton ( 21870 ) <johnb@jbmail.com> on Monday June 21, 2004 @06:51AM (#9482889) Homepage
    I think the web could use something like this. Some kind of generic logon that's free, or very cheap anyway, and which is used for general low security sites such as message boards so you don't have to log on to each one. I'm not sure this is the right one though. It seems a bit vague and needs to be a lot more open about policies and security considerations.
  • Anyone think (like I did) that if this thing could work out, to everyone's satisfaction, that we might finally unify logins for nukes/other cmses? (I so happen to be looking for a way to have the same userbase for a forum(IPB), a phpnuke, a gallery(coppermine) and a few other items on my personal sites, yet I don't dare develop something, since I'd have to retest all the components the minute one of them updates...)

  • There's little info on the web site, so if anyone knows what this 'protocol' really is, I'd love to know how this proposal is any better than what's already available? For example, all Drupal web sites (www.drupal.org) support a shared login scheme, so if you have a 'drupal distributed authentication' you can log into any drupal site (that choses to support drupal login) with one signon. Even better, once you've created an account on any drupal site, that site can serve as your authentication to any other s
  • by Rob Kaper ( 5960 ) on Tuesday June 22, 2004 @05:35AM (#9493227) Homepage
    I don't leave a copy of my credit card at the mall so stores can ask the mall for access to it. No, I keep it with me, and will show it to selected stores when *they* ask *me*.

    The first project I'll seriously look into trying to tackle this problem will be a project that has code to download for me to run: either a web service I can run or an XMPP service (presence subscription could probably be extended to data ACLs). Whatever.

    Any project that requires me to store information on a remote server will be ignored. Obviously most users will actually use the passportd of their company or ISP, but the freedom to run your own - just like httpd/sshd/smtpd/jabberd - that's really a REQUIREMENT.

    Instead of pushing my data to centralized databases, I want an interface where third parties can pull it directly from me.
