'Open MS Passport': MyUID Goes Beta 208
mastergoon writes "MyUID, which has been referred to as an "open MS Passport", has opened their doors to public beta testing. MyUID is a user database system, with the purpose of allowing virtually anyone to refer to its records using only HTTP or HTTPS. Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site. As of now there is an alpha release PHP4 connectivity API, which while not feature rich is in full working order. APIs should be available in your favourite language soon. You can view this example of a site remotely connecting to MyUID using the alpha API, and give a go at spoofing a login. They want the security of the login methods tested extensively before going production."
Wow. (Score:5, Funny)
Re:Wow. (Score:2)
Re:Wow. (Score:3, Informative)
CheckFree gives you the option.
A lot of sites have optional Passport logins.
It's far from a flop, but it's just as far from the raging success Microsoft hoped for.
They need a better email server (Score:3, Interesting)
Re:They need a better email server (Score:3, Informative)
That isn't the problem, as you state MX records solve that. The problem is that in this case while "smtp.company.com" resolves to an IP address, there is no reverse DNS lookup for that IP address.
Certain firewalls, e.g. Symantec, have their default behaviour to block mail from hosts who either have no reverse DNS lookup or where the reverse DNS doesn't match the A record.
FAQ (karma whoring) (Score:5, Funny)
Frequently Asked Questions (FAQ)
Q: When will the first API be done?
A: The alpha is out, check the download page.
Q: Can penguins fly?
A: No.
Re:FAQ (karma whoring) (Score:3, Insightful)
it seems like myuid hasn't seen enough light to get many questions in the first place.
Are we sure this is for real? (Score:5, Interesting)
The API is also decidedly undocumented. [myuid.com]
Please come back when there's actually something to show us...
Re:Are we sure this is for real? (Score:3, Funny)
Not everyone has played enough Tux Racer to know that penguins can't fly.
Re:Are we sure this is for real? (Score:2)
Re:Are we sure this is for real? (Score:3, Insightful)
Excuse me, but FAQ stands for "Frequently Asked Questions". Why do you expect there to be a lot of Frequently Asked Questions before there are any users to ask ANY questions?
Re:Are we sure this is for real? (Score:5, Insightful)
Nobody's asking "what is it?"
Re:Are we sure this is for real? (Score:3, Insightful)
On the plus side, at least they'll have first mover advantage no matter how buggy. Hey, it worked for Windows...
Re:Are we sure this is for real? (Score:2)
Were they the first mover? (scratches head) That's not quite how I remember it happening.
Re:Are we sure this is for real? (Score:2, Interesting)
Well not exactly. I was mostly referring to the "ship first, deal with bugs later" approach Microsoft routinely took. But which other OS company on the PC struck deals with manufacturers to bundle their graphical OS with new systems? The only other one that comes to mind is IBM's OS/2 and I don't know the timeline enough to know if this was explicitly bundled with IBM systems before Windows was.
Re:Are we sure this is for real? (Score:4, Informative)
Problems (Score:5, Insightful)
MyUID may revoke your account at any time, with or without a reason. If you have a subscribed account, you will not be refunded unless there are special circumstances.
All data in your account and messages you send and receive belong to MyUID. If you are looking for private transmissions you should be using encrypted e-mails.
--------------
The problem with sites like this is you don't know who is behind them, you don't know what makes them tick, you don't know who has access to your data. Until they allow me to encrypt my data with my own key and not allow anyone access to it (even to themselves) they're not going to see my business.
Re:Problems (Score:2, Insightful)
Re:Problems (Score:2)
Re:Problems (Score:2)
Unless they are hoping to track the sites you logon to. Which typically only results in 'targeted' marketing...
Flying solo? (Score:5, Informative)
Seems like a one-person project. Very easy to declare standards without all those annoying other people!
Maybe, but... (Score:5, Funny)
</sarcasm>
Re:Flying solo? (Score:5, Funny)
He really didn't seem to care about standards, either, so he created his own standards
Re: Myuid? (Score:2)
Re:Flying solo? (Score:5, Insightful)
Re:Flying solo? (Score:2)
Seriously though, this needs time to mature.
Re:Flying solo? (Score:3, Funny)
Wrong idea? (Score:5, Insightful)
Site and software-dependent logins exist to protect us and our privacy, are we really willing to give those up so every site we use shares the login jdoe2004?
-Matt
Re:Wrong idea? (Score:5, Insightful)
DSA keys database? (Score:2, Insightful)
Re:Wrong idea? (Score:5, Insightful)
but realize that there is value for some folks in having a "universal" id system. why do you think that your SSN in the US is used so widely?
again, there are many problems, but there exist benefits too.
Similar but different (Score:3, Insightful)
Now note that the providers of this or any comparable software simply cannot have that kind of backing, no fraud protection exists, and no working method of recovering your identity exists in the event
Re:Similar but different (Score:3, Insightful)
Well, sort of. I originally thought this as well, but then I quickly realized that most of my life I've filled in my SSN for every bank account, school form or medical questionnaire (to name a few). Your SSN is floating around all over the place, albeit in supposedly protected databases, but definitely
Re:Similar but different (Score:4, Informative)
Re:Similar but different (Score:2)
Re:Wrong idea? (Score:2, Funny)
Re:Wrong idea? (Score:2, Insightful)
This also has some security considerations. Why do you think it is illegal in France to use the SSN as an identifier?
Re:Wrong idea? (Score:2)
Re:my perfect solution, someone start it.... (Score:2)
get a free gmail account by signing this (Score:5, Informative)
MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck.
Fact or fiction? (Score:2)
Sound like a good way to get sign ups?
Anyone seen any proof that this guy has these accounts to give away?
It's true (Score:2, Informative)
It's true - individuals have reported receiving up to 6 invitations (Source: www.wired.com/news/infostructure/0,1377,63786,00.html?tw=wn_12culthead).
At least one of the people I invited did not open a Gmail account (the invitation was either forwarded or declined).
I have two unused invitations (I won't use them 'cause I don't know a deserving individual to give it to) and I've invited 4 people so far.
If we assume there's about 1m active accounts (say 3-4 racks of mail servers)
Whatever happened to Liberty Alliance (Score:5, Informative)
Liberty Alliance : some explanations (Score:2, Informative)
But still, the Liberty Alliance takes quite a different point of view. Passport and My-Whatever- talk about having a centralized server that would keep your personal data (and spread them around when needed).
The Liberty Project is about federating logins
- You create a local account on some server.
- You create a local account on a "centralized" s
Different from MS Passport? (Score:4, Insightful)
Re:Different from MS Passport? (Score:5, Informative)
Let's add to this the fact that the "story" for this reads like a press release, and one that lies at that.
"Many companies have unified login systems, like Yahoo! and Microsoft, but unlike MyUID, these databases cannot be put to use by any site"
So you can't use Passport on your own site? What utter bollocks. Oh look, there's [microsoft.com] the passport SDK.
But I can't run it on Linux you cry? Really? Step back a version, version 2.1 [microsoft.com] has code for Apache/CGI in it (Or did last time I looked). Admittedly the documentation for it is sparse to say the least.
Finally let's look at the story submitted. mastergoon. OK, let's look at who owns myuid.com,
Registrar: DOTSTER
Domain Name: MYUID.COM
Created on: 28-APR-04
Expires on: 29-APR-05
Last Updated on: 28-APR-04
Administrative Technical Contact:
O'Shea Kevin kevin@mastergoon.com
Oh look, it's another shill story. Someone submitting a story about his service without admitting it.
When did slashdot become a press release site?
I think that some people are missing the point (Score:4, Insightful)
Now whether this project is ultimately useful is debatable.
Re:I think that some people are missing the point (Score:4, Interesting)
Yeah, but their concept and framework appears to basically suck. They made a simple user database, tagged in some email address verification and a (currently gimped) "Read this image test", and release an API for any other website to authenticate against this database. Welcome to Web Programming 101. If the problem was this easy to fix, it would've been fixed a long time ago.
There is a (more than one probably) right way to do this, and this isn't even close to being it.
As a matter of fact, I came up with one while typing this, but I deleted my description of it. Why feed slashdot my design work when I should just jot this down somewhere and go implement it myself
Re:I think that some people are missing the point (Score:2)
A bad implementation that exists is always better than a perfect implementation that is perpetually on paper.
--
Evan
Re:I think that some people are missing the point (Score:2)
The "bad" implementation will get better where it matters.
The "perfect" implementation will get better where it doesn't matter.
Re:I think that some people are missing the point (Score:2)
As an alternative I should remove my personal details from Microsoft and give them to some Cheech and Chong outfit?
That makes no sense to me at all. I bet it makes even less sense to my parents.
This article is retarded and this project is retarded.
Security? (Score:5, Insightful)
Usefulness? (Score:5, Interesting)
Re:Usefulness? (Score:2)
Oh a centralized database can definitely be useful. Actually that is the crux of the problem, it's *too* useful to potentially too many people.
Lawrence Lessig may not love this initiative (Score:2, Informative)
I began reading the book three days ago, and am up to page 78. It's a thought provoking book. I value my freedom highly. I will examine these issues.
Why passport failed... (Score:2)
Ebay is the only big-name site (apart from hotmail of course) that I can recall as using it.
Why (Score:2)
No totally (Score:5, Insightful)
It's a very good point: why would you? I could see you using your amazon.com account for one of their subsidiaries but a global, public identification system - regardless of data stored - just screams "hack me". What's worse: unless you're a company with big buying power (like Microsoft) you're not going to have invested in security necessary to protect those back-end servers from every HTTPD/mySQL/BIND? exploit out there meaning one lucky strike could potentially compromise every user on the system.
ouch.
-Matt
Re:No totally (Score:2)
Totally backwards (Score:5, Insightful)
The two options already available are both (at least marginally) better. Those options being: collecting minimal personal data at my site, or using a well-known and industry-monitored company as the aggregate.
If Yahoo! or Microsoft ran off with user data, at least they'd have something to lose. The same can't be said about MyUID. They could collect data for six months then run off and sell it to illegal immigrant smugglers. Who knows? They have no reputation, no history, and nothing to lose.
And I guess it's not so bad if they just stick with UID/Password and not personal data, but I'd still sooner wait for a reputable company who chose to open the API.
Re:Totally backwards (Score:2, Interesting)
Re:Totally backwards (Score:2)
Your prayers have been answered: http://www.bugmenot.com
Just add their bookmarklet to your browser bookmarks toolbar, or attach a shortcut to it. Whenever a site asks your details, click the link and the site will provide you with a login/pass. If the site is unknown, register using a fake address (or an address like bugmenot@mailinator.com, if you need to 'click to activate your mem
Looks like this solves a big problem (Score:2)
...towards creating that completely P2P IM system I've always wanted to see. Now, can we trust this company?
Kinda Scary (Score:4, Funny)
The problem... (Score:4, Insightful)
With Passport, you know you're only dealing with big-name sites that are going to be linked from MSN.com, but here you have to wonder about the chain of trust.
I haven't read the API but... (Score:4, Informative)
Isn't that about the only sane way to do this?
Re:I haven't read the API but... (Score:3, Insightful)
But to be honest, the real danger of any such system is that it makes the 'trusted central service' necessary for many of these large-scale authentication systems a massively large target.
Imagine: a ubiquitous authentication framework, used everywhere. Wonderful idea -- no more remembering all these damn passwords, everything is Just Secure.
Except that every black hat out ther
TheirID or an Identity Commons? (Score:5, Interesting)
I'm concerned that it is just another centralized database of information. At least with Passport you don't have to worry about their database being bought by Microsoft.
At Identity Commons we intend to give people full control over their personal profile information, including not only who has access to which parts under what circumstances, but also where which parts of it are stored. If you don't trust any of the "banks" you can store it under your virtual mattress (if that's where you keep your server, though it might get kinda hot under there).
The free and open source code base is built upon two new OASIS XML standards, Extensible Resource Identifiers (XRI) which add (among other things) persistence and cross references to URIs, and the XRI Data Interchange (XDI) spec which enables a "dataweb", much like URIs enable a "document web". The coolest part of XDI is the concept of Link Contracts, that enable fine-grained access control over profile data while simultaneously recording the details that both parties agree to (and electronically sign) before any data exchange takes place.
While we're still a month (or more) from announcing, we [identitycommons.org] have enjoyed [digitalidworld.com] some good initial [betanews.com] exposure [blueoxen.net].
BTW: we're looking for people to play with the (pre-alpha) software (it's on SourceForge and there are even some CPAN modules) and help us [idcommons.net] bring it to the next level.
Re:Business model and trust (Score:2)
And the people who are scared away would go where?
How would you "unsign up" for Passport?
MyIUD (Score:2, Funny)
Re:MyIUD (Score:3, Funny)
Close enough. No one should trust either one.
But, LDAP is standard (Score:5, Insightful)
Every website could have a root server for its zone, registering new users' LDAP root server for authentication. They could also be third party LDAP server provider: ISP could be part of it, because they have got the login/pass associated to your connection, and they are already running LDAP servers.
Google? (Score:4, Interesting)
"MyUID is giving out three Gmail invitations to its users. Three MyUID users will be chosen at random on Monday, June 21st at 10:00 PM PDT (GMT minus seven) to receive the invites. Good luck."
Why wouldn't Google come up with its own 'passport' service?
Re:Google? (Score:2, Interesting)
Good SPAM (Score:4, Insightful)
Where's the security?
Markus Diersbock
What about Jabber Tickets? (Score:2, Interesting)
Careful! (Score:2, Informative)
Do not go to the remote site!!!! (Score:2, Informative)
Nice ID/email collect0r (Score:3, Informative)
http://www.myuid.com/api/usercard.php?uid=12
h
http:
http://ww
http://www.my
http://www.myuid.
http://www.myuid.com/
etc
From the FAQ... (Score:4, Insightful)
A: No.
It is exactly this cocky, pointless geek-speak tone that stops these projects from gaining wide appeal with the less technically-inclined majority (and the business community in particular).
MyUID is a good idea, but like with so many open source projects run by CompSci students, if it's communicated like this, it won't get off the ground. When will these people learn?
The "My" prefix (Score:5, Insightful)
Part of what bothers me about this phenomenon is that the word "My" is so selfish. I think a lot of the problems we are seeing on the Internet come from this selfishness (spam, viruses). "My" is so vague and relative. Why not give "My Computer" a name so more than one person can talk about it. "My" is usually not accurate. Computers and other resources are frequently shared.
I can't even begin to understand what "MySQL" is supposed to mean.
It seems like I'm alone on this one though. Everyone acts like I'm crazy when I try to discuss this. Anyone else out there feel this way about the word "My"? Maybe we can form some type of support group.
Re:The "My" prefix (Score:2)
<aol>I agree.</aol>
There was a /.poll [slashdot.org] on this a few months back, asking which was the most-hated prefix/suffix (other options were "i", "e", "cyber", etc). But I don't just despise "My" for applications - I've had to maintain code where a clueless developer called everything myVar, myVar2, etc.
Disclaimer: I quite like MySQL. It's just the name that stinks. Hopefully MyUID will follow that trend - or find a better name.
Re:The "My" prefix (Score:2, Funny)
Oh great, yet another thing with the "My" prefix. It has to be my #1 pet peeve in all of computing.
Wouldn't that be MyPetPeeve?
MyApologies.
Re:The "My" prefix (Score:3, Interesting)
Derived from and/or to be consistent with muSQL. Also the name of a daughter of one of the developers was "My".
At least it's not "My SQL" with the embedded blank.
"My Computer" belongs to whoever stuck the "My" label on "Computer". It wasn't me who did that.
MySQL belongs to MySQL AB. They happen to be nice enough to allow me to use their SQL
Re:The "My" prefix (Score:2)
I don't get it (Score:3, Insightful)
Centralized authentication server for internet = Good
???????????
Unimpressive (Score:4, Insightful)
http://www.myuid.com/activate.php?email=fdgdfs%3C
Maybe this is unrepresentative, but to me this just screams that MyUID haven't the first idea about webapp security and have no business developing something non-trivial like a single-sign-on system.
Free clue to PHP weenies: using magic quotes does not magically make your scripts secure. Cheers then.
Re:Unimpressive (Score:2)
No account found for the e-mail address: fdgdfs<script></script>window.alert(document.cook i e);</ script>
The attempt at injecting a <script> was foiled by insertion of a </script> immediately following it. The original </script> was rewritten to </ script> (which FireFox sees as a comment).
Or, maybe they read
Re:Unimpressive (Score:2)
The interesting part is that their site *does* add a </script> to the input, but only if it's not already there?
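The point made in this sub-thread, that magic quotes do not protect a page which echoes the `email` parameter back, shown as an added example that is not part of any comment above and is not MyUID's code. `addslashes()` applies the same escaping `magic_quotes_gpc` did; the function names and sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; not MyUID's code. All function names are hypothetical.

const PREFIX = 'No account found for the e-mail address: ';

// What a page relying on magic quotes effectively did: addslashes() applies the
// same escaping magic_quotes_gpc applied to request data (', ", \ and NUL get a
// backslash). None of those characters matter in an HTML body context.
function render_with_magic_quotes(string $email): string
{
    return PREFIX . addslashes($email);
}

// Fix 1: encode for the output context at the moment of output.
function render_encoded(string $email): string
{
    return PREFIX . htmlspecialchars($email, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Fix 2 (defence in depth): reject values that are not e-mail addresses at all,
// and never echo the rejected value back.
function render_validated(string $email): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'That does not look like an e-mail address.';
    }
    return render_encoded($email);
}

// True if the rendered text still contains a raw tag opener.
function has_raw_markup(string $html): bool
{
    return strpos($html, '<') !== false;
}

// Constructed inputs: the markup quoted in the comment above, and a benign address.
$samples = [
    'fdgdfs<script>window.alert(document.cookie);</script>',
    "o'brien@example.com",
];

foreach ($samples as $s) {
    foreach (['render_with_magic_quotes', 'render_encoded', 'render_validated'] as $fn) {
        $out = $fn($s);
        printf("%-26s raw_markup=%-3s %s\n", $fn, has_raw_markup($out) ? 'yes' : 'no', $out);
    }
    echo "\n";
}
```

Only the first renderer leaves raw markup in the response, and it also alters the benign address by inserting a backslash before the apostrophe.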
Why NOT to use this... (Score:4, Insightful)
Passport assumes that everyone who wants centralised authentication is happy to have this information be held/known to Microsoft.
Liberty assumes that individuals are only interested in centralisation of information across closed user groups; either:
1) A single site, made up of multiple services, is interested in acting as a cohesive single whole (for example, a login that logs you in to the whole of OSDN, rather than just Slashdot), or
2) A single site is interested in sharing its identities with suppliers; for example, your corporate intranet allowing their absence management, healthcare, stock options, and other service providers to allow you to log into that corporate account using your intranet username/password.
They're completely and utterly different goals. Passport, arguably, has no value in a modern society where people know full well how these identities can be used; Liberty is a more realistic usage scenario, in a multitude of ways.
Liberty is still young; while the software is getting quite good, it's still a hassle to set up an Authentication Provider or turn your site into something that can support the liberty Service Provider API. This will change. It will work and survive solely because it doesn't need internet users, as a whole, to accept it. It works on the principle that people who have a need to unify their authentication systems, without writing crappy little APIs, can do so, in the small scale, at the level where it can actually see benefits.
mindlocked.com - better looking GUI? (Score:3, Informative)
Anyone interested in joining this project (that will be released under GPL soon...) - let us know!
That's my 2 cents worth of marketing =)
registration requires cookies (Score:3, Insightful)
What is this? (Score:5, Insightful)
Interestingly, it does say in the ToS:
MyUID will not give or sell your private account information or your password to anyone,
which seems a lie. But it goes on!
MyUID will supply any information we have about you to law enforcement officials if neccessary.
They'll rat on you even if not required by law. Yay!
In order to use MyUID, you must be a human over 13 Earth years old, living in a state where internet usage is legal.
The FAQ has two questions, one of which is 'Can penguins fly?'. I wouldn't hold my breath for this service to become very big.
Registered user #1 [myuid.com] is mastergoon, so this is just blatant self-advertising on Slashdot.
These guys should really tell us who they are (Score:3, Interesting)
Since this is Slashdot I can only assume that these guys are on the "good" side, but a few answers to "why?" and "who?" in their FAQ wouldn't hurt.
Re:These guys should really tell us who they are (Score:2)
I don't know you or your mom, but you were on slashdot - can I store my credit card details with you?
Good idea, maybe not done right (Score:3, Informative)
nuke systems (Score:2)
How's this different from 'drupal login'? (Score:2)
Fails to implement basic requirement (Score:3, Interesting)
The first project I'll seriously look into trying to tackle this problem will be a project that has code to download for me to run: either a web service I can run or an XMPP service (presence subscription could probably be extended to data ACLs).. whatever.
Any project that requires me to store information on a remote server will be ignored. Obviously most users will actually use the passportd of their company or ISP, but the freedom to run your own - just like httpd/sshd/smtpd/jabberd - that's really a REQUIREMENT.
Instead of pushing my data to centralized databases, I want an interface where third parties can pull it directly from me.
That's called a demo site (Score:2, Informative)