Universal Identity a Bad Idea

In a day and age when you are either griping about security or banging out articles on how to increase code security, it’s hard to believe what I saw with my own eyes today. A large and well-known website was looking for a developer to create a universal registration and login service much like Microsoft Passport. The specification called for “seamless integration capabilities into any given website.”

On the surface, these types of services seem like a wonderful idea that prevents someone from having to type in their personal data from one site to the next. Instead, the user would click on a “sign in” button very similar to the .NET Passport one, they would enter their credentials, and the data you decide to share with a vendor is magically shared with this site. Microsoft Passport requires a rather interesting partnering process in order to get Passport authentication on your site. This is supposed to prevent malicious sites from just implementing the “sign in” button and taking your data when you don’t know better.

The problem comes with “seamless integration” and forged sites. It should come as no surprise that Microsoft also has methods that allow Passport screens to be thrown into your website’s layout, making the login process seem more seamless than redirecting to the Passport website itself. This is a very dangerous idea, however. Think about the scenario where you find a gadget you just have to have and, guess what, it’s on clearance for 25% off on this site. You decide to “register” on this site by clicking the login button. The familiar login screen pops up and you enter your login information.

Have you spotted the problem yet? A crafty individual could create this site that has the same look and feel as the login website. Instead of allowing you to log in as you thought you might, the malware could display an error that would have you believe the site just isn’t working at the moment. No big deal, you go to another site and forget all about this site. The problem is that you have already transmitted your username and login information to this site and that information is now in the hands of an identity thief, and gives a stranger access to any site that uses your login information.

I remember watching a movie (I think it was “xXx” with Vin Diesel) where a guy drives up to valet parking and hands over his keys. The valet then proceeded to steal the guy’s car. When it comes to embedding a universal login “block” into any page, it just isn’t safe. Anyone can mock up the interface and make it look identical to the login pages that you know and trust. Before you realize what you’ve done, you’ve given someone the “keys” to any site that uses your login. Personally, I don’t use the same password in any two places. I certainly don’t like the idea of logging into a website just because their login block looks like something I trust.

Keep this in mind the next time you hit eBay and click the passport “sign in” button.
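As an added example (not code from the original post), a small Python check in the spirit of the argument above: given a page's HTML, it finds every form that asks for a password and reports whether the credentials would go to the identity provider's own origin or to the site hosting the “seamless” login block. The trusted origin and the sample page are constructed placeholders, not real Passport hosts.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the identity provider's real sign-in origin (placeholder, not a real Passport host).
TRUSTED_IDP_ORIGINS = {"https://login.passport.example"}

class _LoginFormFinder(HTMLParser):
    """Collects the resolved action URL of every <form> that contains a password field."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self._current = page_url, [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # relative actions resolve against the page that embeds the block
            self._current = {"action": urljoin(self.page_url, a.get("action") or ""), "pw": False}
        elif tag == "input" and self._current and (a.get("type") or "").lower() == "password":
            self._current["pw"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current:
            if self._current["pw"]:
                self.forms.append(self._current["action"])
            self._current = None

def origin(url):
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()

def audit_login_forms(html, page_url, trusted=TRUSTED_IDP_ORIGINS):
    """Return (action_url, verdict) per password form; 'warn' means someone other than the IdP gets the credentials."""
    finder = _LoginFormFinder(page_url)
    finder.feed(html)
    out = []
    for action in finder.forms:
        if origin(action) in trusted:
            out.append((action, "ok: credentials go to the identity provider"))
        elif origin(action) == origin(page_url):
            out.append((action, "warn: embedded block posts credentials to the hosting site"))
        else:
            out.append((action, "warn: credentials go to an unrelated third party"))
    return out

# Constructed sample: a real IdP form, a look-alike block posting locally, and a search form (ignored).
SAMPLE_HTML = """
<form action="https://login.passport.example/signin"><input type="password" name="p"></form>
<form action="/signin"><input type="text" name="u"><input type="password" name="p"></form>
<form action="/search"><input type="text" name="q"></form>
"""
```

The check is only a heuristic: a forged page can post to a look-alike domain or capture keystrokes with script, so it complements, rather than replaces, sending users to the provider's own page.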

Thinking outside the box

I hate the term “Thinking outside the box.” I hate it more than I hated “New Coke”. I hate it more than Gollum hates the “fat hobbit”. I hate it more than Christian rap — or any rap for that matter. I hate it more than Saddam hates the familiar “whistle/bang” sound of bombs dropping all around him. OK, you get the point.

This term implies an infinite amount of space to solve a problem. Obviously, the word “box” implies that you have a problem and a small amount of space from which to solve it. “Thinking outside the box” is stating that you can somehow just ignore the resource boundaries of your problem area. Sure, anyone can solve a problem with an infinite amount of resources “outside of that box”. This is pretty much what big consulting firms do. They can help you shed a million dollars from your corporate budget, but they charge you two million to do it.

This would be like a MacGyver episode where he was trapped in a room full of useless junk and, instead of fashioning a device from a shoelace and a candle to open the door, he just yelled for help until someone “outside” the room opened the door.

How about changing this term to “solving inside the box”? This is much more important to me. I’d much rather hire someone who can solve a problem with only the resources available to him over someone who can “think outside the box” and require additional resources to complete a task.

Microsoft Calling For Opinions on Dev Certs

Some time ago, I contacted Microsoft and rather rudely voiced my dismay about developer certification. It’s too easy to get, and doesn’t really provide any value as far as an indication of your skill level. The guys in charge of Microsoft Learning have finally given us the opportunity to weigh in on what we feel should be included in the Whidbey certification exams and how they should be changed to reflect today’s developer and hiring manager needs. Additional feedback on what benefits should and should not be included is also welcome!

I’m desperately calling for your help and the help of any developers you may know. Please get the word out about this. Go to [I’ve removed the forums link] and register your opinion! If you would prefer not to join the public debate, please feel free to email your anonymous opinion to tobin@titus.to

I sincerely thank you in advance for your assistance.
