StratVantage Consulting, LLC — Mike’s Take on the News 08/21/01

The News – 08/21/01

May I See Your Passport, Please?

Regular readers know I am not a fan of Microsoft’s monopoly tactics, although I am a fan of some of their software, and certainly appreciative of their leadership in creating the desktop revolution. But even dyed-in-the-wool Microsofties should be concerned about Microsoft’s Passport service and the company’s plans to make it ubiquitous.

The idea behind Passport is simple. It’s the idea behind a lot of Microsoft’s software, and it’s at the root of most of Microsoft’s security problems: Convenience. If you’re like me, you’ve created accounts at all sorts of Web sites. There are email accounts, discussion groups, white paper download registrations, eCommerce accounts – you name it. If you’re like most people, you have a problem remembering passwords. In fact, you may use names of family members or pets as your passwords (which is a really bad idea). Chances are, very few of your passwords are secure, meaning a cracker could guess them or use software to discover them quite easily. You may even use the same password for all your accounts (also a really bad idea; for more information on creating secure passwords, check this out).

Microsoft, to their credit, have offered to solve this problem with Passport. But there are some very disturbing aspects to the service. Basically, when you create a Passport account, which you must do, for example, to use MSN Messenger, HotMail, or Microsoft Support, you store lots of personal information on Microsoft’s servers. Already I have a problem with this. We trust all kinds of companies with intimate details of our lives and selves. MasterCard knows a lot about my purchasing habits. ATT knows a lot about my calling habits. Northwest Airlines knows a lot about my traveling habits. Having this sort of information in the hands of commercial interests is a necessary evil. Where the problem comes in is when this information is combined. For example, suppose thieves could access my electric bill, my Northwest account, and my MasterCard account. They could tell when I’m on vacation and come and steal the new TV I just bought. (Notice to thieves: This is a hypothetical scenario; I’m waiting for the HDTVs to come down in price before buying another.)

Using Passport, Microsoft becomes aware of a lot of your personal information as well as a lot of your behavior. The way the service works is, when you visit a site that uses Passport, Microsoft forwards your credentials to that site, and obviously knows what site it is. So if I have a yen for Japanese porno sites, Microsoft knows. If I purchase Viagra online, Microsoft knows. In fact, anything I do online, Microsoft knows. It’s a marketer’s dream, and a law enforcement dream. That’s problem number 1.

Another problem involves the way Passport actually works. There are two main areas of concern:

· First, Passport is being built into Windows XP, Microsoft’s next operating system. Thus XP users will use the same password to log in to their system each morning as they use with the Passport system. Since people rarely use secure passwords on their personal systems, this is a problem. Also, if crackers compromise the Passport password, which is bad, they also have access to your computer, which is worse.

· Second, and more important, when you visit a Web site that uses Passport, a cookie containing your credential is placed on your hard drive. A cookie is a plain text file that contains information regarding a Web transaction. Cookies are normally used for things like identifying you by name when you return to a site, or saving the status of a transaction so it can be recovered if the connection is broken. Because the credential is placed in an insecure, easily readable file on your computer, you are left wide open to identity theft. It is quite easy to steal a cookie, and thus quite easy to masquerade as another user.

Finally, Microsoft has a children’s service called Kids’ Passport which many privacy advocates feel collects more information than necessary from this vulnerable group.

The issue is complex, and I encourage you to read the C|Net article linked below and view the video from the article to get up to speed on some of the issues. Businesses especially need to be aware of the possible impact of a Microsoft hegemony on authentication. If their scheme plays out, you may be forced to use them for all Web site authentication simply because they’ve established yet another monopoly. Given Microsoft’s dismal security record, that could be a problem.


Briefly Noted

  • Shameless Self-Promotion Dept.: My speech at the Minnesota Entrepreneurs Club pre-meeting workshop on Tuesday, “Will You Have to Have It? What You Need to Know About Future Tech and Your Business,” is now available.

    Also, my white paper, Taking Control of the B2B Exchange: What’s Next in the Supply Chain Evolution, is now available on Manyworlds and is rated four stars. I am honored to share the page with eCommerce expert Mohanbir Sawhney.

  • Planet of the Apps: There’s a tremendously funny video you’ll never see on World’s Funniest Videos but which has caused a bit of a stir in software circles. It seems Steve Ballmer, excitable head of the World’s Funniest Monopoly, Microsoft, got a little pumped up at the beginning of his keynote at a recent internal conference. Many wry commentators have suggested his antics confirmed the origin of the human species with the apes. You be the judge.
    Jump Jive and Wail (You’ll need a media player that can handle MPEG files like, say, Apple’s QuickTime)
  • Let Be Be Finale of Seem: You probably never heard of Be, but they created BeOS, a wonderful operating system, and were run by Jean-Louis Gassée of Apple fame. I’m not really sure what Palm’s got in mind here, but the acquisition, for $11 million in stock, sparked this wonderful quote from US Bancorp Piper Jaffray analyst William Crawford: “Where they have to go, Be already is.” Is you is or is you ain’t my OS?
  • Jargon Watch: This is a bit old, but I’ve just run across a new “C-level” title that made me laugh. Back in April, troubled Internet Service Provider (ISP) PSINet, in an effort to show exactly how serious they were about returning to profitability and surviving NASDAQ delisting, appointed Lawrence Hyatt, their chief financial officer, to the newly created position of Chief Restructuring Officer (CRO). Must not have worked. PSINet filed for Chapter 11 protection in early June, and then promptly contributed to a major Internet outage when ISP Cable & Wireless intentionally stopped peering with it. (Peering is the practice of swapping traffic and is part of what makes the Internet work.) When C&W quit peering, every PSINet customer could no longer see sites on C&W networks, and vice versa. Since smaller ISPs buy connectivity from larger ones like C&W and PSINet, this affected whole sections of the country. Nice restructuring, guys! Hyatt has returned to his old title, CFO.
  • Nothing To Disclaim At This Time: The UK site, The Register, which is a bit of a gadfly on the rump of information technology, ran a contest back in May to find the most outrageous disclaimers. You know disclaimers: that bunch of rubbish at the end of a report or a post or an email that intends to absolve the writer of everything short of being born. I particularly like the winner of the Longest Disclaimer competition, which was won easily by investment house UBS Warburg. This 1,081-word nauseous gasser ends with a declaration that truly reflects the uncertainty and even the futility of life: “E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission.” So if we gave you a virus, tough bounce. I think I’ve lost the will to go on.
    The Register
  • Things That Make You Go Hmmmm Dept.: In April, Sony released a version of Linux for its PlayStation 2 console. What can they be thinking? PS2 already plays DVDs. Hmmmm. Could it be the uber-consumer-device a-borning? Thanks to Alert SNS Reader Todd Mortenson for the pointer.
    DI Wire

Can’t Get Enough of ME?

In the unlikely event that you want more of my opinions, I’ve started a Weblog. It’s the fashionable thing for pundits to do, and I’m doing it too. A Weblog is a datestamped collection of somewhat random thoughts and ideas assembled on a Web page. If you’d like to subject the world to your thoughts, as I do, you can create your own Weblog. You need to have a Web site that allows you FTP access, and the free software from . This allows you to right click on a Web page and append your pithy thoughts to your Weblog.

I’ve dubbed my Weblog entries “Stratlets”, and they are available at . Let me know what you think. Also check out the TrendSpot for ranking of the latest emerging trends.
