May 18, 2005 4:00 AM PDT

Microsoft to flash Windows ID cards

(continued from previous page)

Microsoft's Windows Server group, said the company does not yet have concrete delivery plans for the technology.

When it pitched Passport six years ago, Microsoft envisioned thousands of online stores and other services using the system, which would let people sign on using the same username and password used for Microsoft services.

The market largely rejected Passport as the system's security was tested by hackers and scrutinized by privacy watchers who did not like the idea of Microsoft holding user information in its own databases. Potential partners, such as e-commerce sites, also balked at the idea.

Regulators in the U.S. and Europe eventually put restrictions on Microsoft and Passport, which today is used primarily as a login system for Microsoft services.

InfoCard is different than Passport, said Jonathan Penn, an analyst at Forrester Research. "They have learned their lesson. With InfoCard the controls are supposed to be put in the user's hands," he said.

The authentication technology is part of a larger Microsoft identity management plan. Last week at the Digital ID World conference in San Francisco, executives described the company's Identity Metasystem. This architecture is designed to lie on top of the patchwork of identity systems that exist on the Internet, to make it possible for them to talk to one another.

The Identity Metasystem will support all the major identity technologies, Microsoft said. This includes some that have been developed by traditional Microsoft rivals, such as SAML, or Security Assertion Markup Language, which includes the Liberty Alliance specifications for identity federation.

Though Microsoft may have tackled, in its new ID management effort, the stumbling block that stymied its Passport push, the new technology could run into a different sort of problem, Penn said.

"Microsoft is not going to be holding your credentials, but they are developing a system upon which the security of your credentials is reliant," Penn said. "InfoCard is going to be one of those services that hackers are going to try to get part of."


18 comments

Not again.....
Here comes MS, trying to get into your wallet again with claims
of great service and promises of great security failures. I
suppose that there are some who will think that it's a great idea,
but it doesn't really do anything that the user cannot do almost
as simply. And it is one more shot by MS to get into your
personal data.

Passport was a disaster for MS - lots of money invested and no
one interested besides MS. Passport did keep support costs
down since you couldn't get support without a Passport and few
people were willing to get one even for that. Later, MS dropped
the Passport requirement, but the impact remained.

So now here comes Disaster - The Sequel; INFOCARD !!!!

Sorry, MS, once more your innovative 'brilliance' has gone sour.
But, if you constrain this feature to Longhorn, most of the
computer world will breathe easier.
Posted by Earl Benser (4310 comments )
Yup, you've got it right
I think you were a bit harsh with some of your comments, but I totally agree.

Personally I use FireFox for web browsing, and it remembers 99% of my web logins for me. It doesn't do stores very well, but that's ok. I'd prefer to have more control of purchases anyway. Oh wait! I'm feeling compelled to let...Microsoft...handle all of my purchases for me. Yeah, I'll feel a LOT safer that way!
Posted by (6 comments )
And yet another example...
...that Microsoft will not let a bad idea die.
Posted by Norseman (1319 comments )
ANY Single sign-on is a bad idea!
Hack that one point, and EVERYTHING falls along with it.
This is a bad idea, and can never be anything but.
Posted by powerclam (70 comments )
What is with these people??
Why does Microsoft insist on giving us things we don't want while ignoring the things we do want?? If you have trouble managing passwords, use a safe and simple (and free) tool like KeePass (http://keepass.sourceforge.net/). Universal logins are a bad-bad-bad idea, especially if designed and controlled by a company with their security track record. But you know, they will force it upon us, just like they did with Passport. It pops up as a tray icon on all new systems telling you that you need to sign up, well you don't NEED to sign up, they just want you to.
Posted by (5 comments )
Pinch.. yes it's real...
I stopped reading the article 2/3 down the first page... that was enough for me.

Who in their right mind would want a "pingable" app on their PC that stores their personal info? I want some of whatever Mike Nash is smoking please!
Posted by SmokieUK (39 comments )
What's In It For MS?
Microsoft doesn't do anything out of the goodness of their hearts. If they really want to make Windows life easier (and secure), there are more significant ways to do that. So why are they pushing Neo-Passport? To sell more software licenses? To get micro-payments for each transaction as an intermediary (ala Paypal)? To lock people into Longhorn and IE and kill Firefox/Opera? To compel people to upgrade to Longhorn?

I'd like to see CNET interview some third parties about what they think is really behind Microsoft's renewed push for this technology. Follow the money!
Posted by Stating (869 comments )
From the "bleading" edge of technology...
As Keith J mentions in a previous post, "Follow the money." Indeed, follow the money right out of InfoCard and into some phisher's or pharmer's wallet.

It doesn't matter that Microsoft can build secure technology if the average Jane-Joe home user can't--or won't--secure their computers. With an estimated 80% of the home computers compromised, what good is InfoCard (IC) if the user's account is compromised by a bot that accesses IC's data store as an authorized user and sends back all that private data the poor user was trying to keep secure? And with stealthy bots on the horizon, the poor sap wouldn't even know he'd been had, or that she's still on a trip.

No, more, much more, effort needs to be directed toward making these machines--hardware, software, and firmware--truly secure. Yeah, nothing's a 100%, but even at .999C I don't need a hitchhiker to see the galaxy.
Posted by (1 comment )
Last Layer Of Control to Tie It All Together
It's all about control, theirs not the users'.

This technology bundles in nicely with Palladium/Next Generation Secure Computing Base/Trusted Computing Platform Alliance forming the final binding layer in Internet Security. It will force all software authors and hardware makers to dance to the Microsoft/TCPA Security tune and pay the Microsoft or related but "independent" third party TCPA licensing and certification piper.

Using this layer and Palladium/NGSCB they want to force everyone into using only Trusted Computing approved hardware and software since that is the only way to "Guarantee" a Secure transaction system free of spyware, malware and viruses and trojans.

This system combined with Palladium/NGSCB will also be used to push competition further out of the market. If your bank or a merchant's web site will not talk to your computer because of that really handy but unsecured (read uncertified) shareware printer utility that, you have paid for and used for years, is installed on your system. Which is going to go? The ability to use online banking? Or the shareware utility?

Who will be willing to use Linux/BSD or some other Open Source software, Shareware, Freeware, or non-commercial software, (non-commercial in the sense that the author can not afford to have their software certified as "Secure"), when you won't be able to talk to most of the Internet, send or receive e-mail, chat or many other things because the web/mail/chat/p2p server requires a certified secure system. Secured from the chips on the mother board up through the operating system including all applications installed or running on the system, back down through the network card and Internet link all the way to the web site. Using Microsoft software and certified Trusted Computing hardware is the only way to do this easily. It comes as a bundled package from most PC vendors anyway.

This is not to say that Red Hat, IBM, HP, Novell, won't be able to produce a certified secure TCPA version of Linux/BSD. But you have to buy it from them and use it unmodified. The instant another user or company modifies and recompiles even part of the source code the OS is no longer TCPA Certified Secure the original security keys no longer match the running binaries. The program has lost the proper security keys during the rebuild and will only run on the computer that built it. The Trusted Computing/proprietary software vendors have just stepped around the concept of open source, public license and non-proprietary code without even having to fire a legal shot at the GPL. At this point all the source code in the world could be available to the general public but it would be useless without the security keys necessary to compile the code into certified binaries for public use. And the TCPA/Microsoft control the keys.

Microsoft can also use this "Layer" to collect transaction fees from both ends, the user and the merchant, and the middle with gate keeper fees charged to the banks. It can enhance its revenue stream by placing a siphon into everyone else's revenue stream and draw off micro payments. In nature there is a word for this behavior... Parasite.

Many others have written more eloquently than I have here. Google "trusted computing" and "TCPA" to find more information for and against this idea.

...One OS to rule them all and in the darkness bind them. With apologies to Tolkien.
Posted by (1 comment )
WELL SAID...
Thank You.

Nice that someone has explained the final effect of Trusted-Computing and tied all the pieces together.

Microsoft WINS... Complete control

Consumers LOSE... Any REAL Choice

Almost makes you wonder if all those security-holes in MS-Windows, WERE, ...just accidental.
Posted by Gayle-Edwards (30 comments )
Paying Attention...
Great comment, and observations, John...

Having spent several years analyzing the full-impact of the "Microsoft Trusted Computing architecture" (both, its effect upon the world of computer-science, and the computer-industry), I thought that I would connect all the technical-pieces of this whole -security scheme- together (so that those that have not figured it out for themselves, would understand the actual eventual ramifications of the "Microsoft Trusted Computing" agenda).

But, you have done a wonderful job.

I would like to mention, however, that the first actual example (and test-bed) of the fully-implemented "Microsoft Trusted Computer" has already been released. It is the Microsoft-XBOX. This Microsoft-PC allows Microsoft to decide,

...what software you can run.

...What hardware you can install.

...What services you can use.

...What functionality the computer-owner is allowed to have.

It also allows Microsoft to change any of these, at Microsoft's whim, beyond the control of the person who has actually purchased the computer.

Furthermore, people need to know that most of the network-switches currently used on the Internet (by ISPs) are already designed, or have been upgraded, to completely SHUT-OUT -non-trusted- (I.E. non-Microsoft controlled) PCs with a few key-strokes.

When you mix that with Microsoft's intention to soon include, individual, physical user-identification as part of the total -Trusted PC- environment, ...well.
Posted by Raife (63 comments )
kudos for analysis
very interesting point of view
Posted by alx359 (40 comments )
windows again behind the times...
Mac OSX users have been using "Keychain Access" for several
years now:

"A Secure Keychain
To make it easy to manage the daunting number of passwords
and permissions intrinsic to network computing, Mac OS X
includes a Keychain. The Keychain stores all your information to
use encrypted disk images and to log onto file servers, FTP
servers and Web servers. Mac OS X automatically adds your .Mac
account information to your Keychain. When you log in to Mac
OS X, the system opens your Keychain. You don't have to enter
your user name and passwords to access this data. You can set
Mac OS X to lock your Keychain when the system sleeps or is
inactive for a time. The system will ask you for your password
the next time you try to access secure data. Other users on the
system cannot access your Keychain or its data."

http://www.apple.com/macosx/features/security/

how to use here:
http://www.macworld.com/2004/10/secrets/workingmac/index.php

It stores all the passwords used, it doesn't matter if it's IE, safari
or Mozilla browsers. Keychain will automatically enter name and
passwords whenever it's required. It also stores other passwords
in other apps such as ftp programs. If you need to see the actual
ASCII passwords, you can launch Keychain and it will show the
password as long as your account has admin access.
Posted by BobBobBobBobBobBobBob (49 comments )
Infocard for ID Thieves as well?
Does this mean that ID thieves who have applied for credit cards, web services, etc using stolen IDs will also be able to store those fraudulent IDs and passwords etc into the infocard as well?
Posted by (6 comments )
infocard question
Is a Microsoft Infocard Profile stored locally on my PC? ... what if i go to my friend's house and i want to make a purchase on ebay - or just log in to my email - how will i get at my Infocard? ... aren't we back at square one if i have to figure out how to transport it ... do I take my Infocard on a disk (insecure) , or maybe i have to connect to my pc at home (that sounds hard for normal users) ... thanks a lot for anyone who could clarify this :D
Posted by cannonarm (1 comment )
Hopefully already incorporated in infocard design.
Some infocard concepts may raise individual privacy concerns.

Infocards, or separate cards, could integrate functionality that increases individual freedoms.

Example 1: The automobile.

What if the next time you purchased your automobile, your salesperson explained the following about your new car keys ("infocards" from here on)?

"Insert this infocard in that slot of this car's console. It will allow you to use this car. That slot replaces the functionality of the key ignition slot on older cars."

"You can use the console to make/remake your car infocards at any time."

"If you think your infocards have been lost, stolen, or loaned to a person of questionable character, you can remake your infocards at anytime, in a matter of seconds per key. I won't show you that process until we sign your contract, but it's easy."

"I will explain that the process of making the key is unique to your car, and its immediate environment, at the particular second you decide to remake your keys. Every time you remake your keys, they will be different from all past keys made by your car."

"No other car can be used to make keys for your car. Your car can not be used to make keys for any other car."

"The console can be programmed to make the key valid for only certain functions of this car. For example, a particular user's infocard can be set to trigger external and internal emission of Lawrence Welk sermons every time the car is driven beyond a selected radius of a specified gps setting."

"Another person's card may be configured to allow entry to the vehicle, use of the back seat TV, the radio, etc., but prevent activation of the engine."

"You're lucky. As the buyer of this card, you can make your infocards out of ordinary gift cards. Will WalMart, KMart, etc., sell you gift cards for a penny a piece. Not only can you make the infocards anytime you want, it's going to be cheap. Compare that to dent in your credit card the last time you replaced an RFID key to your old car!"

"Just sign here, please."

Other examples abound, but what catches human interest more than the automobile? You thought of something. Can infocard play a positive role in that, too?
Posted by RememberEZ (45 comments )
Exactly!
N. E. Body, yes you're exactly right. If they build InfoCard correctly, it will be absolutely fantastic. If it's not totally configurable and is a security risk, then yes, of course it's a piece of crap. Perhaps storing the info on a thumb drive (as an option) would be great--Like the MacOS "keychain" thing. Let's see how InfoCard works (or doesn't) and then decide if it's good or bad.
Posted by locoHost (25 comments )
The online buying experience would change. When a user buys a book online
Posted by xmzs09 (1 comment )